1 diff -urNp linux-2.6.33.1/arch/alpha/include/asm/elf.h linux-2.6.33.1/arch/alpha/include/asm/elf.h
2 --- linux-2.6.33.1/arch/alpha/include/asm/elf.h 2010-03-15 12:09:39.000000000 -0400
3 +++ linux-2.6.33.1/arch/alpha/include/asm/elf.h 2010-03-20 16:58:38.417757561 -0400
4 @@ -90,6 +90,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
6 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
8 +#ifdef CONFIG_PAX_ASLR
9 +#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
11 +#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
12 +#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
15 /* $0 is set by ld.so to a pointer to a function which might be
16 registered using atexit. This provides a mean for the dynamic
17 linker to call DT_FINI functions for shared libraries that have
18 diff -urNp linux-2.6.33.1/arch/alpha/include/asm/pgtable.h linux-2.6.33.1/arch/alpha/include/asm/pgtable.h
19 --- linux-2.6.33.1/arch/alpha/include/asm/pgtable.h 2010-03-15 12:09:39.000000000 -0400
20 +++ linux-2.6.33.1/arch/alpha/include/asm/pgtable.h 2010-03-20 16:58:38.417757561 -0400
21 @@ -101,6 +101,17 @@ struct vm_area_struct;
22 #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
23 #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
24 #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
26 +#ifdef CONFIG_PAX_PAGEEXEC
27 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
28 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
29 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
31 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
32 +# define PAGE_COPY_NOEXEC PAGE_COPY
33 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
36 #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
38 #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
39 diff -urNp linux-2.6.33.1/arch/alpha/kernel/module.c linux-2.6.33.1/arch/alpha/kernel/module.c
40 --- linux-2.6.33.1/arch/alpha/kernel/module.c 2010-03-15 12:09:39.000000000 -0400
41 +++ linux-2.6.33.1/arch/alpha/kernel/module.c 2010-03-20 16:58:38.417757561 -0400
42 @@ -182,7 +182,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
44 /* The small sections were sorted to the end of the segment.
45 The following should definitely cover them. */
46 - gp = (u64)me->module_core + me->core_size - 0x8000;
47 + gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
48 got = sechdrs[me->arch.gotsecindex].sh_addr;
50 for (i = 0; i < n; i++) {
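Review bot: The comment above the changed assignment still says the small sections were sorted to the end of "the segment", while `gp` is now derived from the end of the writable region (`me->module_core_rw + me->core_size_rw`). Please update it so the layout assumption is stated, e.g. `/* The small sections were sorted to the end of the rw core region. */`. The GOT address read on the next line presumably has to sit in that same region for the 0x8000 bias to reach it, which is worth saying in the same comment once confirmed. apply_relocate_add starts and ends outside this hunk.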
51 diff -urNp linux-2.6.33.1/arch/alpha/kernel/osf_sys.c linux-2.6.33.1/arch/alpha/kernel/osf_sys.c
52 --- linux-2.6.33.1/arch/alpha/kernel/osf_sys.c 2010-03-15 12:09:39.000000000 -0400
53 +++ linux-2.6.33.1/arch/alpha/kernel/osf_sys.c 2010-03-20 16:58:38.417757561 -0400
54 @@ -1205,6 +1205,10 @@ arch_get_unmapped_area(struct file *filp
55 merely specific addresses, but regions of memory -- perhaps
56 this feature should be incorporated into all ports? */
58 +#ifdef CONFIG_PAX_RANDMMAP
59 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
63 addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
64 if (addr != (unsigned long) -ENOMEM)
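Review bot: The added `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))` appears to have no braces and no body of its own inside the `#ifdef`, so what it guards is whichever statement follows the conditional block. That makes the control flow of arch_get_unmapped_area depend on preprocessor state and on nobody inserting a line in between. The lines between the test and the `arch_get_unmapped_area_1` call are not visible here, so this is read from the shape of the hunk. If the test is meant to skip the caller's address hint, a comment such as `/* PaX: ignore the address hint when mmap randomization is enabled */` directly above it would make that explicit. The first hunk of arch/arm/mm/mmap.c uses the same pattern.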
65 @@ -1212,8 +1216,8 @@ arch_get_unmapped_area(struct file *filp
68 /* Next, try allocating at TASK_UNMAPPED_BASE. */
69 - addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
71 + addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
73 if (addr != (unsigned long) -ENOMEM)
76 diff -urNp linux-2.6.33.1/arch/alpha/mm/fault.c linux-2.6.33.1/arch/alpha/mm/fault.c
77 --- linux-2.6.33.1/arch/alpha/mm/fault.c 2010-03-15 12:09:39.000000000 -0400
78 +++ linux-2.6.33.1/arch/alpha/mm/fault.c 2010-03-20 16:58:38.420782159 -0400
79 @@ -54,6 +54,124 @@ __load_new_mm_context(struct mm_struct *
83 +#ifdef CONFIG_PAX_PAGEEXEC
85 + * PaX: decide what to do with offenders (regs->pc = fault address)
87 + * returns 1 when task should be killed
88 + * 2 when patched PLT trampoline was detected
89 + * 3 when unpatched PLT trampoline was detected
91 +static int pax_handle_fetch_fault(struct pt_regs *regs)
94 +#ifdef CONFIG_PAX_EMUPLT
97 + do { /* PaX: patched PLT emulation #1 */
98 + unsigned int ldah, ldq, jmp;
100 + err = get_user(ldah, (unsigned int *)regs->pc);
101 + err |= get_user(ldq, (unsigned int *)(regs->pc+4));
102 + err |= get_user(jmp, (unsigned int *)(regs->pc+8));
107 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
108 + (ldq & 0xFFFF0000U) == 0xA77B0000U &&
109 + jmp == 0x6BFB0000U)
111 + unsigned long r27, addr;
112 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
113 + unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
115 + addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
116 + err = get_user(r27, (unsigned long *)addr);
126 + do { /* PaX: patched PLT emulation #2 */
127 + unsigned int ldah, lda, br;
129 + err = get_user(ldah, (unsigned int *)regs->pc);
130 + err |= get_user(lda, (unsigned int *)(regs->pc+4));
131 + err |= get_user(br, (unsigned int *)(regs->pc+8));
136 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
137 + (lda & 0xFFFF0000U) == 0xA77B0000U &&
138 + (br & 0xFFE00000U) == 0xC3E00000U)
140 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
141 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
142 + unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
144 + regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
145 + regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
150 + do { /* PaX: unpatched PLT emulation */
153 + err = get_user(br, (unsigned int *)regs->pc);
155 + if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
156 + unsigned int br2, ldq, nop, jmp;
157 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
159 + addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
160 + err = get_user(br2, (unsigned int *)addr);
161 + err |= get_user(ldq, (unsigned int *)(addr+4));
162 + err |= get_user(nop, (unsigned int *)(addr+8));
163 + err |= get_user(jmp, (unsigned int *)(addr+12));
164 + err |= get_user(resolver, (unsigned long *)(addr+16));
169 + if (br2 == 0xC3600000U &&
170 + ldq == 0xA77B000CU &&
171 + nop == 0x47FF041FU &&
172 + jmp == 0x6B7B0000U)
174 + regs->r28 = regs->pc+4;
175 + regs->r27 = addr+16;
176 + regs->pc = resolver;
186 +void pax_report_insns(void *pc, void *sp)
190 + printk(KERN_ERR "PAX: bytes at PC: ");
191 + for (i = 0; i < 5; i++) {
193 + if (get_user(c, (unsigned int *)pc+i))
194 + printk(KERN_CONT "???????? ");
196 + printk(KERN_CONT "%08x ", c);
203 * This routine handles page faults. It determines the address,
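Review bot: In "patched PLT emulation #2" the `lda` word is matched with `(lda & 0xFFFF0000U) == 0xA77B0000U`, the same constant emulation #1 uses for its `ldq` word, so the second sequence only matches when its middle instruction carries the ldq encoding. If the trampoline really contains `lda $27,disp($27)` the expected upper half would be different, and this looks like a copy from the block above; please confirm against the Alpha opcode table and the linker output the emulation targets. A mismatch should fail closed, since per the function's header comment an unrecognised sequence returns 1 and the task is killed, so the effect would be spurious kills of legitimate binaries rather than a weakened check. A short comment beside each constant naming the instruction it encodes would make such a slip visible in review. The `(unsigned int *)pc+i` cast in pax_report_insns also lacks the `__user` annotation that the arm version of the function carries.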
204 @@ -131,8 +249,29 @@ do_page_fault(unsigned long address, uns
206 si_code = SEGV_ACCERR;
208 - if (!(vma->vm_flags & VM_EXEC))
209 + if (!(vma->vm_flags & VM_EXEC)) {
211 +#ifdef CONFIG_PAX_PAGEEXEC
212 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
215 + up_read(&mm->mmap_sem);
216 + switch (pax_handle_fetch_fault(regs)) {
218 +#ifdef CONFIG_PAX_EMUPLT
225 + pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
226 + do_group_exit(SIGKILL);
233 /* Allow reads even for write-only mappings */
234 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
235 diff -urNp linux-2.6.33.1/arch/arm/include/asm/elf.h linux-2.6.33.1/arch/arm/include/asm/elf.h
236 --- linux-2.6.33.1/arch/arm/include/asm/elf.h 2010-03-15 12:09:39.000000000 -0400
237 +++ linux-2.6.33.1/arch/arm/include/asm/elf.h 2010-03-20 16:58:38.440745685 -0400
238 @@ -108,7 +108,14 @@ int dump_task_regs(struct task_struct *t
239 the loader. We need to make sure that it is out of the way of the program
240 that it will "exec", and that there is sufficient room for the brk. */
242 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
243 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
245 +#ifdef CONFIG_PAX_ASLR
246 +#define PAX_ELF_ET_DYN_BASE 0x00008000UL
248 +#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
249 +#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
252 /* When the program starts, a1 contains a pointer to a function to be
253 registered with atexit, as per the SVR4 ABI. A value of 0 means we
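Review bot: `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` test `current->personality == PER_LINUX_32BIT`, an exact comparison, whereas the alpha hunk earlier in this patch tests the bit with `current->personality & ADDR_LIMIT_32BIT`. A personality word can carry further flag bits, and with any of them set the equality fails and the task gets the 10-bit value instead of 16, i.e. less randomization than intended. Assuming PER_LINUX_32BIT is PER_LINUX plus the ADDR_LIMIT_32BIT bit, `((current->personality & ADDR_LIMIT_32BIT) ? 16 : 10)` would be the robust form. The ia64 hunks (arch/ia64/ia32/binfmt_elf32.c and arch/ia64/include/asm/elf.h) compare `== PER_LINUX32` the same way, where it also selects `PAX_ELF_ET_DYN_BASE`, and deserve the same check.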
254 diff -urNp linux-2.6.33.1/arch/arm/include/asm/kmap_types.h linux-2.6.33.1/arch/arm/include/asm/kmap_types.h
255 --- linux-2.6.33.1/arch/arm/include/asm/kmap_types.h 2010-03-15 12:09:39.000000000 -0400
256 +++ linux-2.6.33.1/arch/arm/include/asm/kmap_types.h 2010-03-20 16:58:38.444581130 -0400
257 @@ -19,6 +19,7 @@ enum km_type {
265 diff -urNp linux-2.6.33.1/arch/arm/include/asm/uaccess.h linux-2.6.33.1/arch/arm/include/asm/uaccess.h
266 --- linux-2.6.33.1/arch/arm/include/asm/uaccess.h 2010-03-15 12:09:39.000000000 -0400
267 +++ linux-2.6.33.1/arch/arm/include/asm/uaccess.h 2010-03-20 16:58:38.444581130 -0400
268 @@ -403,6 +403,9 @@ extern unsigned long __must_check __strn
270 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
275 if (access_ok(VERIFY_READ, from, n))
276 n = __copy_from_user(to, from, n);
277 else /* security hole - plug it */
278 @@ -412,6 +415,9 @@ static inline unsigned long __must_check
280 static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
285 if (access_ok(VERIFY_WRITE, to, n))
286 n = __copy_to_user(to, from, n);
288 diff -urNp linux-2.6.33.1/arch/arm/kernel/kgdb.c linux-2.6.33.1/arch/arm/kernel/kgdb.c
289 --- linux-2.6.33.1/arch/arm/kernel/kgdb.c 2010-03-15 12:09:39.000000000 -0400
290 +++ linux-2.6.33.1/arch/arm/kernel/kgdb.c 2010-03-20 16:58:38.468885430 -0400
291 @@ -190,7 +190,7 @@ void kgdb_arch_exit(void)
292 * and we handle the normal undef case within the do_undefinstr
295 -struct kgdb_arch arch_kgdb_ops = {
296 +const struct kgdb_arch arch_kgdb_ops = {
298 .gdb_bpt_instr = {0xfe, 0xde, 0xff, 0xe7}
299 #else /* ! __ARMEB__ */
300 diff -urNp linux-2.6.33.1/arch/arm/mach-at91/pm.c linux-2.6.33.1/arch/arm/mach-at91/pm.c
301 --- linux-2.6.33.1/arch/arm/mach-at91/pm.c 2010-03-15 12:09:39.000000000 -0400
302 +++ linux-2.6.33.1/arch/arm/mach-at91/pm.c 2010-03-20 16:58:38.468885430 -0400
303 @@ -294,7 +294,7 @@ static void at91_pm_end(void)
307 -static struct platform_suspend_ops at91_pm_ops ={
308 +static const struct platform_suspend_ops at91_pm_ops ={
309 .valid = at91_pm_valid_state,
310 .begin = at91_pm_begin,
311 .enter = at91_pm_enter,
312 diff -urNp linux-2.6.33.1/arch/arm/mach-omap1/pm.c linux-2.6.33.1/arch/arm/mach-omap1/pm.c
313 --- linux-2.6.33.1/arch/arm/mach-omap1/pm.c 2010-03-15 12:09:39.000000000 -0400
314 +++ linux-2.6.33.1/arch/arm/mach-omap1/pm.c 2010-03-20 16:58:38.472778666 -0400
315 @@ -647,7 +647,7 @@ static struct irqaction omap_wakeup_irq
319 -static struct platform_suspend_ops omap_pm_ops ={
320 +static const struct platform_suspend_ops omap_pm_ops ={
321 .prepare = omap_pm_prepare,
322 .enter = omap_pm_enter,
323 .finish = omap_pm_finish,
324 diff -urNp linux-2.6.33.1/arch/arm/mach-omap2/pm24xx.c linux-2.6.33.1/arch/arm/mach-omap2/pm24xx.c
325 --- linux-2.6.33.1/arch/arm/mach-omap2/pm24xx.c 2010-03-15 12:09:39.000000000 -0400
326 +++ linux-2.6.33.1/arch/arm/mach-omap2/pm24xx.c 2010-03-20 16:58:38.476775080 -0400
327 @@ -326,7 +326,7 @@ static void omap2_pm_finish(void)
331 -static struct platform_suspend_ops omap_pm_ops = {
332 +static const struct platform_suspend_ops omap_pm_ops = {
333 .prepare = omap2_pm_prepare,
334 .enter = omap2_pm_enter,
335 .finish = omap2_pm_finish,
336 diff -urNp linux-2.6.33.1/arch/arm/mach-omap2/pm34xx.c linux-2.6.33.1/arch/arm/mach-omap2/pm34xx.c
337 --- linux-2.6.33.1/arch/arm/mach-omap2/pm34xx.c 2010-03-15 12:09:39.000000000 -0400
338 +++ linux-2.6.33.1/arch/arm/mach-omap2/pm34xx.c 2010-03-20 16:58:38.484767476 -0400
339 @@ -650,7 +650,7 @@ static void omap3_pm_end(void)
343 -static struct platform_suspend_ops omap_pm_ops = {
344 +static const struct platform_suspend_ops omap_pm_ops = {
345 .begin = omap3_pm_begin,
347 .prepare = omap3_pm_prepare,
348 diff -urNp linux-2.6.33.1/arch/arm/mach-pnx4008/pm.c linux-2.6.33.1/arch/arm/mach-pnx4008/pm.c
349 --- linux-2.6.33.1/arch/arm/mach-pnx4008/pm.c 2010-03-15 12:09:39.000000000 -0400
350 +++ linux-2.6.33.1/arch/arm/mach-pnx4008/pm.c 2010-03-20 16:58:38.488749331 -0400
351 @@ -116,7 +116,7 @@ static int pnx4008_pm_valid(suspend_stat
352 (state == PM_SUSPEND_MEM);
355 -static struct platform_suspend_ops pnx4008_pm_ops = {
356 +static const struct platform_suspend_ops pnx4008_pm_ops = {
357 .enter = pnx4008_pm_enter,
358 .valid = pnx4008_pm_valid,
360 diff -urNp linux-2.6.33.1/arch/arm/mach-pxa/pm.c linux-2.6.33.1/arch/arm/mach-pxa/pm.c
361 --- linux-2.6.33.1/arch/arm/mach-pxa/pm.c 2010-03-15 12:09:39.000000000 -0400
362 +++ linux-2.6.33.1/arch/arm/mach-pxa/pm.c 2010-03-20 16:58:38.492744784 -0400
363 @@ -95,7 +95,7 @@ void pxa_pm_finish(void)
364 pxa_cpu_pm_fns->finish();
367 -static struct platform_suspend_ops pxa_pm_ops = {
368 +static const struct platform_suspend_ops pxa_pm_ops = {
369 .valid = pxa_pm_valid,
370 .enter = pxa_pm_enter,
371 .prepare = pxa_pm_prepare,
372 diff -urNp linux-2.6.33.1/arch/arm/mach-pxa/sharpsl_pm.c linux-2.6.33.1/arch/arm/mach-pxa/sharpsl_pm.c
373 --- linux-2.6.33.1/arch/arm/mach-pxa/sharpsl_pm.c 2010-03-15 12:09:39.000000000 -0400
374 +++ linux-2.6.33.1/arch/arm/mach-pxa/sharpsl_pm.c 2010-03-20 16:58:38.500761827 -0400
375 @@ -892,7 +892,7 @@ static void sharpsl_apm_get_power_status
379 -static struct platform_suspend_ops sharpsl_pm_ops = {
380 +static const struct platform_suspend_ops sharpsl_pm_ops = {
381 .prepare = pxa_pm_prepare,
382 .finish = pxa_pm_finish,
383 .enter = corgi_pxa_pm_enter,
384 diff -urNp linux-2.6.33.1/arch/arm/mach-sa1100/pm.c linux-2.6.33.1/arch/arm/mach-sa1100/pm.c
385 --- linux-2.6.33.1/arch/arm/mach-sa1100/pm.c 2010-03-15 12:09:39.000000000 -0400
386 +++ linux-2.6.33.1/arch/arm/mach-sa1100/pm.c 2010-03-20 16:58:38.504745508 -0400
387 @@ -120,7 +120,7 @@ unsigned long sleep_phys_sp(void *sp)
388 return virt_to_phys(sp);
391 -static struct platform_suspend_ops sa11x0_pm_ops = {
392 +static const struct platform_suspend_ops sa11x0_pm_ops = {
393 .enter = sa11x0_pm_enter,
394 .valid = suspend_valid_only_mem,
396 diff -urNp linux-2.6.33.1/arch/arm/mm/fault.c linux-2.6.33.1/arch/arm/mm/fault.c
397 --- linux-2.6.33.1/arch/arm/mm/fault.c 2010-03-15 12:09:39.000000000 -0400
398 +++ linux-2.6.33.1/arch/arm/mm/fault.c 2010-03-20 16:58:38.512762145 -0400
399 @@ -166,6 +166,13 @@ __do_user_fault(struct task_struct *tsk,
403 +#ifdef CONFIG_PAX_PAGEEXEC
404 + if (fsr & FSR_LNX_PF) {
405 + pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
406 + do_group_exit(SIGKILL);
410 tsk->thread.address = addr;
411 tsk->thread.error_code = fsr;
412 tsk->thread.trap_no = 14;
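Review bot: The block added to __do_user_fault kills the thread group on `fsr & FSR_LNX_PF` alone. The alpha and avr32 fault hunks in this patch first test `mm->pax_flags & MF_PAX_PAGEEXEC`, and no such test is visible here. As written, a task with PAGEEXEC switched off would still get SIGKILL instead of the signal this function was asked to deliver. Unless ARM deliberately has no per-task control, guard it, e.g. `if ((tsk->mm->pax_flags & MF_PAX_PAGEEXEC) && (fsr & FSR_LNX_PF)) {`, or add a comment stating why the flag is not consulted. The function body starts before and continues after this hunk.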
413 @@ -357,6 +364,33 @@ do_page_fault(unsigned long addr, unsign
415 #endif /* CONFIG_MMU */
417 +#ifdef CONFIG_PAX_PAGEEXEC
418 +void pax_report_insns(void *pc, void *sp)
422 + printk(KERN_ERR "PAX: bytes at PC: ");
423 + for (i = 0; i < 20; i++) {
425 + if (get_user(c, (__force unsigned char __user *)pc+i))
426 + printk(KERN_CONT "?? ");
428 + printk(KERN_CONT "%02x ", c);
432 + printk(KERN_ERR "PAX: bytes at SP-4: ");
433 + for (i = -1; i < 20; i++) {
435 + if (get_user(c, (__force unsigned long __user *)sp+i))
436 + printk(KERN_CONT "???????? ");
438 + printk(KERN_CONT "%08lx ", c);
445 * First Level Translation Fault Handler
447 diff -urNp linux-2.6.33.1/arch/arm/mm/mmap.c linux-2.6.33.1/arch/arm/mm/mmap.c
448 --- linux-2.6.33.1/arch/arm/mm/mmap.c 2010-03-15 12:09:39.000000000 -0400
449 +++ linux-2.6.33.1/arch/arm/mm/mmap.c 2010-03-20 16:58:38.512762145 -0400
450 @@ -63,6 +63,10 @@ arch_get_unmapped_area(struct file *filp
454 +#ifdef CONFIG_PAX_RANDMMAP
455 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
460 addr = COLOUR_ALIGN(addr, pgoff);
461 @@ -75,10 +79,10 @@ arch_get_unmapped_area(struct file *filp
464 if (len > mm->cached_hole_size) {
465 - start_addr = addr = mm->free_area_cache;
466 + start_addr = addr = mm->free_area_cache;
468 - start_addr = addr = TASK_UNMAPPED_BASE;
469 - mm->cached_hole_size = 0;
470 + start_addr = addr = mm->mmap_base;
471 + mm->cached_hole_size = 0;
475 @@ -94,8 +98,8 @@ full_search:
476 * Start a new search - just in case we missed
479 - if (start_addr != TASK_UNMAPPED_BASE) {
480 - start_addr = addr = TASK_UNMAPPED_BASE;
481 + if (start_addr != mm->mmap_base) {
482 + start_addr = addr = mm->mmap_base;
483 mm->cached_hole_size = 0;
486 diff -urNp linux-2.6.33.1/arch/arm/plat-s3c/pm.c linux-2.6.33.1/arch/arm/plat-s3c/pm.c
487 --- linux-2.6.33.1/arch/arm/plat-s3c/pm.c 2010-03-15 12:09:39.000000000 -0400
488 +++ linux-2.6.33.1/arch/arm/plat-s3c/pm.c 2010-03-20 16:58:38.533259132 -0400
489 @@ -355,7 +355,7 @@ static void s3c_pm_finish(void)
490 s3c_pm_check_cleanup();
493 -static struct platform_suspend_ops s3c_pm_ops = {
494 +static const struct platform_suspend_ops s3c_pm_ops = {
495 .enter = s3c_pm_enter,
496 .prepare = s3c_pm_prepare,
497 .finish = s3c_pm_finish,
498 diff -urNp linux-2.6.33.1/arch/avr32/include/asm/elf.h linux-2.6.33.1/arch/avr32/include/asm/elf.h
499 --- linux-2.6.33.1/arch/avr32/include/asm/elf.h 2010-03-15 12:09:39.000000000 -0400
500 +++ linux-2.6.33.1/arch/avr32/include/asm/elf.h 2010-03-20 16:58:38.533259132 -0400
501 @@ -84,8 +84,14 @@ typedef struct user_fpu_struct elf_fpreg
502 the loader. We need to make sure that it is out of the way of the program
503 that it will "exec", and that there is sufficient room for the brk. */
505 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
506 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
508 +#ifdef CONFIG_PAX_ASLR
509 +#define PAX_ELF_ET_DYN_BASE 0x00001000UL
511 +#define PAX_DELTA_MMAP_LEN 15
512 +#define PAX_DELTA_STACK_LEN 15
515 /* This yields a mask that user programs can use to figure out what
516 instruction set this CPU supports. This could be done in user space,
517 diff -urNp linux-2.6.33.1/arch/avr32/include/asm/kmap_types.h linux-2.6.33.1/arch/avr32/include/asm/kmap_types.h
518 --- linux-2.6.33.1/arch/avr32/include/asm/kmap_types.h 2010-03-15 12:09:39.000000000 -0400
519 +++ linux-2.6.33.1/arch/avr32/include/asm/kmap_types.h 2010-03-20 16:58:38.533259132 -0400
520 @@ -22,7 +22,8 @@ D(10) KM_IRQ0,
530 diff -urNp linux-2.6.33.1/arch/avr32/mach-at32ap/pm.c linux-2.6.33.1/arch/avr32/mach-at32ap/pm.c
531 --- linux-2.6.33.1/arch/avr32/mach-at32ap/pm.c 2010-03-15 12:09:39.000000000 -0400
532 +++ linux-2.6.33.1/arch/avr32/mach-at32ap/pm.c 2010-03-20 16:58:38.533259132 -0400
533 @@ -176,7 +176,7 @@ out:
537 -static struct platform_suspend_ops avr32_pm_ops = {
538 +static const struct platform_suspend_ops avr32_pm_ops = {
539 .valid = avr32_pm_valid_state,
540 .enter = avr32_pm_enter,
542 diff -urNp linux-2.6.33.1/arch/avr32/mm/fault.c linux-2.6.33.1/arch/avr32/mm/fault.c
543 --- linux-2.6.33.1/arch/avr32/mm/fault.c 2010-03-15 12:09:39.000000000 -0400
544 +++ linux-2.6.33.1/arch/avr32/mm/fault.c 2010-03-20 16:58:38.533259132 -0400
545 @@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
547 int exception_trace = 1;
549 +#ifdef CONFIG_PAX_PAGEEXEC
550 +void pax_report_insns(void *pc, void *sp)
554 + printk(KERN_ERR "PAX: bytes at PC: ");
555 + for (i = 0; i < 20; i++) {
557 + if (get_user(c, (unsigned char *)pc+i))
558 + printk(KERN_CONT "???????? ");
560 + printk(KERN_CONT "%02x ", c);
567 * This routine handles page faults. It determines the address and the
568 * problem, and then passes it off to one of the appropriate routines.
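Review bot: On a failed read the loop prints `"???????? "` (eight characters), although each successful iteration prints a single byte with `%02x`. The columns of the "bytes at PC" line therefore shift whenever a byte is unreadable, which makes the report harder to parse during triage. The arm version of this function prints `"?? "` in its byte loop; use `printk(KERN_CONT "?? ");` here as well. The cast `(unsigned char *)pc+i` also lacks the annotation the arm version uses, `(__force unsigned char __user *)pc+i`, so sparse will flag the get_user call.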
569 @@ -157,6 +174,16 @@ bad_area:
570 up_read(&mm->mmap_sem);
572 if (user_mode(regs)) {
574 +#ifdef CONFIG_PAX_PAGEEXEC
575 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
576 + if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
577 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
578 + do_group_exit(SIGKILL);
583 if (exception_trace && printk_ratelimit())
584 printk("%s%s[%d]: segfault at %08lx pc %08lx "
585 "sp %08lx ecr %lu\n",
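Review bot: The PaX branch added under `user_mode(regs)` reports and kills before the existing segfault message, and that message is gated by `exception_trace && printk_ratelimit()` while the new `pax_report_fault` call has no such gate in this hunk. pax_report_fault is defined elsewhere, so it may rate-limit internally; if it does not, repeated faults from short-lived tasks can push other entries out of the kernel log. A one-line comment here saying where the limiting happens, or a `printk_ratelimit()` check around the report only (not around `do_group_exit(SIGKILL)`), would settle it.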
586 diff -urNp linux-2.6.33.1/arch/blackfin/kernel/kgdb.c linux-2.6.33.1/arch/blackfin/kernel/kgdb.c
587 --- linux-2.6.33.1/arch/blackfin/kernel/kgdb.c 2010-03-15 12:09:39.000000000 -0400
588 +++ linux-2.6.33.1/arch/blackfin/kernel/kgdb.c 2010-03-20 16:58:38.533259132 -0400
589 @@ -397,7 +397,7 @@ int kgdb_arch_handle_exception(int vecto
590 return -1; /* this means that we do not want to exit from the handler */
593 -struct kgdb_arch arch_kgdb_ops = {
594 +const struct kgdb_arch arch_kgdb_ops = {
595 .gdb_bpt_instr = {0xa1},
597 .flags = KGDB_HW_BREAKPOINT|KGDB_THR_PROC_SWAP,
598 diff -urNp linux-2.6.33.1/arch/blackfin/mach-common/pm.c linux-2.6.33.1/arch/blackfin/mach-common/pm.c
599 --- linux-2.6.33.1/arch/blackfin/mach-common/pm.c 2010-03-15 12:09:39.000000000 -0400
600 +++ linux-2.6.33.1/arch/blackfin/mach-common/pm.c 2010-03-20 16:58:38.533259132 -0400
601 @@ -255,7 +255,7 @@ static int bfin_pm_enter(suspend_state_t
605 -struct platform_suspend_ops bfin_pm_ops = {
606 +const struct platform_suspend_ops bfin_pm_ops = {
607 .enter = bfin_pm_enter,
608 .valid = bfin_pm_valid,
610 diff -urNp linux-2.6.33.1/arch/blackfin/mm/maccess.c linux-2.6.33.1/arch/blackfin/mm/maccess.c
611 --- linux-2.6.33.1/arch/blackfin/mm/maccess.c 2010-03-15 12:09:39.000000000 -0400
612 +++ linux-2.6.33.1/arch/blackfin/mm/maccess.c 2010-03-20 16:58:38.536529376 -0400
613 @@ -16,7 +16,7 @@ static int validate_memory_access_addres
614 return bfin_mem_access_type(addr, size);
617 -long probe_kernel_read(void *dst, void *src, size_t size)
618 +long probe_kernel_read(void *dst, const void *src, size_t size)
620 unsigned long lsrc = (unsigned long)src;
622 @@ -55,7 +55,7 @@ long probe_kernel_read(void *dst, void *
626 -long probe_kernel_write(void *dst, void *src, size_t size)
627 +long probe_kernel_write(void *dst, const void *src, size_t size)
629 unsigned long ldst = (unsigned long)dst;
631 diff -urNp linux-2.6.33.1/arch/frv/include/asm/kmap_types.h linux-2.6.33.1/arch/frv/include/asm/kmap_types.h
632 --- linux-2.6.33.1/arch/frv/include/asm/kmap_types.h 2010-03-15 12:09:39.000000000 -0400
633 +++ linux-2.6.33.1/arch/frv/include/asm/kmap_types.h 2010-03-20 16:58:38.536529376 -0400
634 @@ -23,6 +23,7 @@ enum km_type {
642 diff -urNp linux-2.6.33.1/arch/ia64/hp/common/hwsw_iommu.c linux-2.6.33.1/arch/ia64/hp/common/hwsw_iommu.c
643 --- linux-2.6.33.1/arch/ia64/hp/common/hwsw_iommu.c 2010-03-15 12:09:39.000000000 -0400
644 +++ linux-2.6.33.1/arch/ia64/hp/common/hwsw_iommu.c 2010-03-20 16:58:38.544753181 -0400
646 #include <linux/swiotlb.h>
647 #include <asm/machvec.h>
649 -extern struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
650 +extern const struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
652 /* swiotlb declarations & definitions: */
653 extern int swiotlb_late_init_with_default_size (size_t size);
654 @@ -33,7 +33,7 @@ static inline int use_swiotlb(struct dev
655 !sba_dma_ops.dma_supported(dev, *dev->dma_mask);
658 -struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
659 +const struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
661 if (use_swiotlb(dev))
662 return &swiotlb_dma_ops;
663 diff -urNp linux-2.6.33.1/arch/ia64/hp/common/sba_iommu.c linux-2.6.33.1/arch/ia64/hp/common/sba_iommu.c
664 --- linux-2.6.33.1/arch/ia64/hp/common/sba_iommu.c 2010-03-15 12:09:39.000000000 -0400
665 +++ linux-2.6.33.1/arch/ia64/hp/common/sba_iommu.c 2010-03-20 16:58:38.552757823 -0400
666 @@ -2097,7 +2097,7 @@ static struct acpi_driver acpi_sba_ioc_d
670 -extern struct dma_map_ops swiotlb_dma_ops;
671 +extern const struct dma_map_ops swiotlb_dma_ops;
675 @@ -2211,7 +2211,7 @@ sba_page_override(char *str)
677 __setup("sbapagesize=",sba_page_override);
679 -struct dma_map_ops sba_dma_ops = {
680 +const struct dma_map_ops sba_dma_ops = {
681 .alloc_coherent = sba_alloc_coherent,
682 .free_coherent = sba_free_coherent,
683 .map_page = sba_map_page,
684 diff -urNp linux-2.6.33.1/arch/ia64/ia32/binfmt_elf32.c linux-2.6.33.1/arch/ia64/ia32/binfmt_elf32.c
685 --- linux-2.6.33.1/arch/ia64/ia32/binfmt_elf32.c 2010-03-15 12:09:39.000000000 -0400
686 +++ linux-2.6.33.1/arch/ia64/ia32/binfmt_elf32.c 2010-03-20 16:58:38.556766787 -0400
687 @@ -45,6 +45,13 @@ randomize_stack_top(unsigned long stack_
689 #define elf_read_implies_exec(ex, have_pt_gnu_stack) (!(have_pt_gnu_stack))
691 +#ifdef CONFIG_PAX_ASLR
692 +#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
694 +#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
695 +#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
698 /* Ugly but avoids duplication */
699 #include "../../../fs/binfmt_elf.c"
701 diff -urNp linux-2.6.33.1/arch/ia64/ia32/ia32priv.h linux-2.6.33.1/arch/ia64/ia32/ia32priv.h
702 --- linux-2.6.33.1/arch/ia64/ia32/ia32priv.h 2010-03-15 12:09:39.000000000 -0400
703 +++ linux-2.6.33.1/arch/ia64/ia32/ia32priv.h 2010-03-20 16:58:38.556766787 -0400
704 @@ -296,7 +296,14 @@ typedef struct compat_siginfo {
705 #define ELF_DATA ELFDATA2LSB
706 #define ELF_ARCH EM_386
708 -#define IA32_STACK_TOP IA32_PAGE_OFFSET
709 +#ifdef CONFIG_PAX_RANDUSTACK
710 +#define __IA32_DELTA_STACK (current->mm->delta_stack)
712 +#define __IA32_DELTA_STACK 0UL
715 +#define IA32_STACK_TOP (IA32_PAGE_OFFSET - __IA32_DELTA_STACK)
717 #define IA32_GATE_OFFSET IA32_PAGE_OFFSET
718 #define IA32_GATE_END IA32_PAGE_OFFSET + PAGE_SIZE
720 diff -urNp linux-2.6.33.1/arch/ia64/include/asm/dma-mapping.h linux-2.6.33.1/arch/ia64/include/asm/dma-mapping.h
721 --- linux-2.6.33.1/arch/ia64/include/asm/dma-mapping.h 2010-03-15 12:09:39.000000000 -0400
722 +++ linux-2.6.33.1/arch/ia64/include/asm/dma-mapping.h 2010-03-20 16:58:38.564763179 -0400
725 #define ARCH_HAS_DMA_GET_REQUIRED_MASK
727 -extern struct dma_map_ops *dma_ops;
728 +extern const struct dma_map_ops *dma_ops;
729 extern struct ia64_machine_vector ia64_mv;
730 extern void set_iommu_machvec(void);
732 @@ -24,7 +24,7 @@ extern void machvec_dma_sync_sg(struct d
733 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
734 dma_addr_t *daddr, gfp_t gfp)
736 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
737 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
740 caddr = ops->alloc_coherent(dev, size, daddr, gfp);
741 @@ -35,7 +35,7 @@ static inline void *dma_alloc_coherent(s
742 static inline void dma_free_coherent(struct device *dev, size_t size,
743 void *caddr, dma_addr_t daddr)
745 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
746 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
747 debug_dma_free_coherent(dev, size, caddr, daddr);
748 ops->free_coherent(dev, size, caddr, daddr);
750 @@ -49,13 +49,13 @@ static inline void dma_free_coherent(str
752 static inline int dma_mapping_error(struct device *dev, dma_addr_t daddr)
754 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
755 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
756 return ops->mapping_error(dev, daddr);
759 static inline int dma_supported(struct device *dev, u64 mask)
761 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
762 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
763 return ops->dma_supported(dev, mask);
766 diff -urNp linux-2.6.33.1/arch/ia64/include/asm/elf.h linux-2.6.33.1/arch/ia64/include/asm/elf.h
767 --- linux-2.6.33.1/arch/ia64/include/asm/elf.h 2010-03-15 12:09:39.000000000 -0400
768 +++ linux-2.6.33.1/arch/ia64/include/asm/elf.h 2010-03-20 16:58:38.564763179 -0400
771 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x800000000UL)
773 +#ifdef CONFIG_PAX_ASLR
774 +#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
776 +#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
777 +#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
780 #define PT_IA_64_UNWIND 0x70000001
782 /* IA-64 relocations: */
783 diff -urNp linux-2.6.33.1/arch/ia64/include/asm/machvec.h linux-2.6.33.1/arch/ia64/include/asm/machvec.h
784 --- linux-2.6.33.1/arch/ia64/include/asm/machvec.h 2010-03-15 12:09:39.000000000 -0400
785 +++ linux-2.6.33.1/arch/ia64/include/asm/machvec.h 2010-03-20 16:58:38.568641931 -0400
786 @@ -45,7 +45,7 @@ typedef void ia64_mv_kernel_launch_event
787 /* DMA-mapping interface: */
788 typedef void ia64_mv_dma_init (void);
789 typedef u64 ia64_mv_dma_get_required_mask (struct device *);
790 -typedef struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
791 +typedef const struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
794 * WARNING: The legacy I/O space is _architected_. Platforms are
795 @@ -251,7 +251,7 @@ extern void machvec_init_from_cmdline(co
796 # endif /* CONFIG_IA64_GENERIC */
798 extern void swiotlb_dma_init(void);
799 -extern struct dma_map_ops *dma_get_ops(struct device *);
800 +extern const struct dma_map_ops *dma_get_ops(struct device *);
803 * Define default versions so we can extend machvec for new platforms without having
804 diff -urNp linux-2.6.33.1/arch/ia64/include/asm/pgtable.h linux-2.6.33.1/arch/ia64/include/asm/pgtable.h
805 --- linux-2.6.33.1/arch/ia64/include/asm/pgtable.h 2010-03-15 12:09:39.000000000 -0400
806 +++ linux-2.6.33.1/arch/ia64/include/asm/pgtable.h 2010-03-20 16:58:38.568641931 -0400
808 #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
809 #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
810 #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
812 +#ifdef CONFIG_PAX_PAGEEXEC
813 +# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
814 +# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
815 +# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
817 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
818 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
819 +# define PAGE_COPY_NOEXEC PAGE_COPY
822 #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
823 #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
824 #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
825 diff -urNp linux-2.6.33.1/arch/ia64/include/asm/uaccess.h linux-2.6.33.1/arch/ia64/include/asm/uaccess.h
826 --- linux-2.6.33.1/arch/ia64/include/asm/uaccess.h 2010-03-15 12:09:39.000000000 -0400
827 +++ linux-2.6.33.1/arch/ia64/include/asm/uaccess.h 2010-03-20 16:58:38.568641931 -0400
828 @@ -257,7 +257,7 @@ __copy_from_user (void *to, const void _
829 const void *__cu_from = (from); \
830 long __cu_len = (n); \
832 - if (__access_ok(__cu_to, __cu_len, get_fs())) \
833 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) \
834 __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len); \
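Review bot: The added bound `__cu_len > 0 && __cu_len <= INT_MAX` carries no comment, and its reason is not obvious from the macro. `__cu_len` is a `long` initialised from `(n)`, so a very large unsigned size arrives here as a negative value and is now refused before `__access_ok` runs. Suggest a line above the test such as `/* refuse negative or oversized lengths; n was converted to long above */`. When the test fails the macro yields `__cu_len` unchanged, so correctness rests on every caller checking the result; in the from-user direction (next hunk, same change) the destination buffer is presumably left untouched in that case. Both macro bodies start and end outside the hunks.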
837 @@ -269,7 +269,7 @@ __copy_from_user (void *to, const void _
838 long __cu_len = (n); \
840 __chk_user_ptr(__cu_from); \
841 - if (__access_ok(__cu_from, __cu_len, get_fs())) \
842 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) \
843 __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
846 diff -urNp linux-2.6.33.1/arch/ia64/kernel/dma-mapping.c linux-2.6.33.1/arch/ia64/kernel/dma-mapping.c
847 --- linux-2.6.33.1/arch/ia64/kernel/dma-mapping.c 2010-03-15 12:09:39.000000000 -0400
848 +++ linux-2.6.33.1/arch/ia64/kernel/dma-mapping.c 2010-03-20 16:58:38.568641931 -0400
850 /* Set this to 1 if there is a HW IOMMU in the system */
851 int iommu_detected __read_mostly;
853 -struct dma_map_ops *dma_ops;
854 +const struct dma_map_ops *dma_ops;
855 EXPORT_SYMBOL(dma_ops);
857 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
858 @@ -16,7 +16,7 @@ static int __init dma_init(void)
860 fs_initcall(dma_init);
862 -struct dma_map_ops *dma_get_ops(struct device *dev)
863 +const struct dma_map_ops *dma_get_ops(struct device *dev)
867 diff -urNp linux-2.6.33.1/arch/ia64/kernel/module.c linux-2.6.33.1/arch/ia64/kernel/module.c
868 --- linux-2.6.33.1/arch/ia64/kernel/module.c 2010-03-15 12:09:39.000000000 -0400
869 +++ linux-2.6.33.1/arch/ia64/kernel/module.c 2010-03-20 16:58:38.576761283 -0400
870 @@ -315,8 +315,7 @@ module_alloc (unsigned long size)
872 module_free (struct module *mod, void *module_region)
874 - if (mod && mod->arch.init_unw_table &&
875 - module_region == mod->module_init) {
876 + if (mod && mod->arch.init_unw_table && module_region == mod->module_init_rx) {
877 unw_remove_unwind_table(mod->arch.init_unw_table);
878 mod->arch.init_unw_table = NULL;
880 @@ -502,15 +501,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
884 +in_init_rx (const struct module *mod, uint64_t addr)
886 + return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
890 +in_init_rw (const struct module *mod, uint64_t addr)
892 + return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
896 in_init (const struct module *mod, uint64_t addr)
898 - return addr - (uint64_t) mod->module_init < mod->init_size;
899 + return in_init_rx(mod, addr) || in_init_rw(mod, addr);
903 +in_core_rx (const struct module *mod, uint64_t addr)
905 + return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
909 +in_core_rw (const struct module *mod, uint64_t addr)
911 + return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
915 in_core (const struct module *mod, uint64_t addr)
917 - return addr - (uint64_t) mod->module_core < mod->core_size;
918 + return in_core_rx(mod, addr) || in_core_rw(mod, addr);
922 @@ -693,7 +716,14 @@ do_reloc (struct module *mod, uint8_t r_
926 - val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
927 + if (in_init_rx(mod, val))
928 + val -= (uint64_t) mod->module_init_rx;
929 + else if (in_init_rw(mod, val))
930 + val -= (uint64_t) mod->module_init_rw;
931 + else if (in_core_rx(mod, val))
932 + val -= (uint64_t) mod->module_core_rx;
933 + else if (in_core_rw(mod, val))
934 + val -= (uint64_t) mod->module_core_rw;
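Review bot: The `else if` chain that replaces the single `val -=` shows no final `else`, so a `val` inside none of the four regions would fall through un-rebased. The old expression always subtracted either `module_init` or `module_core`. If the listing is complete at this point, either end the chain with an `else` that fails the relocation, or document the choice with `/* val outside all four regions: left unchanged */`. The rest of `do_reloc` is outside the hunk, so whether a later check catches this case cannot be confirmed from here.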
938 @@ -828,15 +858,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
939 * addresses have been selected...
942 - if (mod->core_size > MAX_LTOFF)
943 + if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
945 * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
946 * at the end of the module.
948 - gp = mod->core_size - MAX_LTOFF / 2;
949 + gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
951 - gp = mod->core_size / 2;
952 - gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
953 + gp = (mod->core_size_rx + mod->core_size_rw) / 2;
954 + gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
956 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
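Review bot: The gp placement still treats the module core as one contiguous block. In `gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);` the offset comes from `core_size_rx + core_size_rw` but is added to the RX base alone. That stays in range only if the RW region is mapped directly after the RX region, which nothing in this hunk establishes. If the two are separate allocations, gp can land outside both. Either state the assumption with `/* assumes module_core_rw directly follows module_core_rx */` or derive gp from the region that actually holds the short-data sections.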
958 diff -urNp linux-2.6.33.1/arch/ia64/kernel/pci-dma.c linux-2.6.33.1/arch/ia64/kernel/pci-dma.c
959 --- linux-2.6.33.1/arch/ia64/kernel/pci-dma.c 2010-03-15 12:09:39.000000000 -0400
960 +++ linux-2.6.33.1/arch/ia64/kernel/pci-dma.c 2010-03-20 16:58:38.576761283 -0400
961 @@ -43,7 +43,7 @@ struct device fallback_dev = {
962 .dma_mask = &fallback_dev.coherent_dma_mask,
965 -extern struct dma_map_ops intel_dma_ops;
966 +extern const struct dma_map_ops intel_dma_ops;
968 static int __init pci_iommu_init(void)
970 diff -urNp linux-2.6.33.1/arch/ia64/kernel/pci-swiotlb.c linux-2.6.33.1/arch/ia64/kernel/pci-swiotlb.c
971 --- linux-2.6.33.1/arch/ia64/kernel/pci-swiotlb.c 2010-03-15 12:09:39.000000000 -0400
972 +++ linux-2.6.33.1/arch/ia64/kernel/pci-swiotlb.c 2010-03-20 16:58:38.576761283 -0400
973 @@ -21,7 +21,7 @@ static void *ia64_swiotlb_alloc_coherent
974 return swiotlb_alloc_coherent(dev, size, dma_handle, gfp);
977 -struct dma_map_ops swiotlb_dma_ops = {
978 +const struct dma_map_ops swiotlb_dma_ops = {
979 .alloc_coherent = ia64_swiotlb_alloc_coherent,
980 .free_coherent = swiotlb_free_coherent,
981 .map_page = swiotlb_map_page,
982 diff -urNp linux-2.6.33.1/arch/ia64/kernel/sys_ia64.c linux-2.6.33.1/arch/ia64/kernel/sys_ia64.c
983 --- linux-2.6.33.1/arch/ia64/kernel/sys_ia64.c 2010-03-15 12:09:39.000000000 -0400
984 +++ linux-2.6.33.1/arch/ia64/kernel/sys_ia64.c 2010-03-20 16:58:38.584549337 -0400
985 @@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
986 if (REGION_NUMBER(addr) == RGN_HPAGE)
990 +#ifdef CONFIG_PAX_RANDMMAP
991 + if (mm->pax_flags & MF_PAX_RANDMMAP)
992 + addr = mm->free_area_cache;
997 addr = mm->free_area_cache;
999 @@ -61,9 +68,9 @@ arch_get_unmapped_area (struct file *fil
1000 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
1001 /* At this point: (!vma || addr < vma->vm_end). */
1002 if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
1003 - if (start_addr != TASK_UNMAPPED_BASE) {
1004 + if (start_addr != mm->mmap_base) {
1005 /* Start a new search --- just in case we missed some holes. */
1006 - addr = TASK_UNMAPPED_BASE;
1007 + addr = mm->mmap_base;
1011 diff -urNp linux-2.6.33.1/arch/ia64/kernel/topology.c linux-2.6.33.1/arch/ia64/kernel/topology.c
1012 --- linux-2.6.33.1/arch/ia64/kernel/topology.c 2010-03-15 12:09:39.000000000 -0400
1013 +++ linux-2.6.33.1/arch/ia64/kernel/topology.c 2010-03-20 16:58:38.584549337 -0400
1014 @@ -282,7 +282,7 @@ static ssize_t cache_show(struct kobject
1018 -static struct sysfs_ops cache_sysfs_ops = {
1019 +static const struct sysfs_ops cache_sysfs_ops = {
1023 diff -urNp linux-2.6.33.1/arch/ia64/kernel/vmlinux.lds.S linux-2.6.33.1/arch/ia64/kernel/vmlinux.lds.S
1024 --- linux-2.6.33.1/arch/ia64/kernel/vmlinux.lds.S 2010-03-15 12:09:39.000000000 -0400
1025 +++ linux-2.6.33.1/arch/ia64/kernel/vmlinux.lds.S 2010-03-20 16:58:38.584549337 -0400
1026 @@ -196,7 +196,7 @@ SECTIONS
1028 . = ALIGN(PERCPU_PAGE_SIZE);
1029 PERCPU_VADDR(PERCPU_ADDR, :percpu)
1030 - __phys_per_cpu_start = __per_cpu_load;
1031 + __phys_per_cpu_start = per_cpu_load;
1032 . = __phys_per_cpu_start + PERCPU_PAGE_SIZE; /* ensure percpu data fits
1033 * into percpu page size
1035 diff -urNp linux-2.6.33.1/arch/ia64/mm/fault.c linux-2.6.33.1/arch/ia64/mm/fault.c
1036 --- linux-2.6.33.1/arch/ia64/mm/fault.c 2010-03-15 12:09:39.000000000 -0400
1037 +++ linux-2.6.33.1/arch/ia64/mm/fault.c 2010-03-20 16:58:38.584549337 -0400
1038 @@ -72,6 +72,23 @@ mapped_kernel_page_is_present (unsigned
1039 return pte_present(pte);
1042 +#ifdef CONFIG_PAX_PAGEEXEC
1043 +void pax_report_insns(void *pc, void *sp)
1047 + printk(KERN_ERR "PAX: bytes at PC: ");
1048 + for (i = 0; i < 8; i++) {
1050 + if (get_user(c, (unsigned int *)pc+i))
1051 + printk(KERN_CONT "???????? ");
1053 + printk(KERN_CONT "%08x ", c);
1060 ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
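Review bot: In `pax_report_insns` the read `get_user(c, (unsigned int *)pc+i)` casts the faulting PC to a plain kernel pointer type, dropping the user-space annotation that `get_user` expects. Writing it as `get_user(c, (unsigned int __user *)pc + i)` keeps sparse able to check the access. The MIPS and PA-RISC copies of this function later in the patch use the same cast. The word count also differs between them (8 here, 5 there) with no comment. A one-line header comment saying the function dumps the instruction words at the faulting user PC to the kernel log would help, as would a named constant for the count.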
1062 @@ -145,9 +162,23 @@ ia64_do_page_fault (unsigned long addres
1063 mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
1064 | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
1066 - if ((vma->vm_flags & mask) != mask)
1067 + if ((vma->vm_flags & mask) != mask) {
1069 +#ifdef CONFIG_PAX_PAGEEXEC
1070 + if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
1071 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
1074 + up_read(&mm->mmap_sem);
1075 + pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
1076 + do_group_exit(SIGKILL);
1086 * If for any reason at all we couldn't handle the fault, make
1087 diff -urNp linux-2.6.33.1/arch/ia64/mm/init.c linux-2.6.33.1/arch/ia64/mm/init.c
1088 --- linux-2.6.33.1/arch/ia64/mm/init.c 2010-03-15 12:09:39.000000000 -0400
1089 +++ linux-2.6.33.1/arch/ia64/mm/init.c 2010-03-20 16:58:38.584549337 -0400
1090 @@ -122,6 +122,19 @@ ia64_init_addr_space (void)
1091 vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
1092 vma->vm_end = vma->vm_start + PAGE_SIZE;
1093 vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
1095 +#ifdef CONFIG_PAX_PAGEEXEC
1096 + if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
1097 + vma->vm_flags &= ~VM_EXEC;
1099 +#ifdef CONFIG_PAX_MPROTECT
1100 + if (current->mm->pax_flags & MF_PAX_MPROTECT)
1101 + vma->vm_flags &= ~VM_MAYEXEC;
1107 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
1108 down_write(¤t->mm->mmap_sem);
1109 if (insert_vm_struct(current->mm, vma)) {
1110 diff -urNp linux-2.6.33.1/arch/ia64/sn/pci/pci_dma.c linux-2.6.33.1/arch/ia64/sn/pci/pci_dma.c
1111 --- linux-2.6.33.1/arch/ia64/sn/pci/pci_dma.c 2010-03-15 12:09:39.000000000 -0400
1112 +++ linux-2.6.33.1/arch/ia64/sn/pci/pci_dma.c 2010-03-20 16:58:38.584549337 -0400
1113 @@ -464,7 +464,7 @@ int sn_pci_legacy_write(struct pci_bus *
1117 -static struct dma_map_ops sn_dma_ops = {
1118 +static const struct dma_map_ops sn_dma_ops = {
1119 .alloc_coherent = sn_dma_alloc_coherent,
1120 .free_coherent = sn_dma_free_coherent,
1121 .map_page = sn_dma_map_page,
1122 diff -urNp linux-2.6.33.1/arch/m32r/lib/usercopy.c linux-2.6.33.1/arch/m32r/lib/usercopy.c
1123 --- linux-2.6.33.1/arch/m32r/lib/usercopy.c 2010-03-15 12:09:39.000000000 -0400
1124 +++ linux-2.6.33.1/arch/m32r/lib/usercopy.c 2010-03-20 16:58:38.584549337 -0400
1127 __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
1133 if (access_ok(VERIFY_WRITE, to, n))
1134 __copy_user(to,from,n);
1135 @@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to,
1137 __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
1143 if (access_ok(VERIFY_READ, from, n))
1144 __copy_user_zeroing(to,from,n);
1145 diff -urNp linux-2.6.33.1/arch/mips/alchemy/devboards/pm.c linux-2.6.33.1/arch/mips/alchemy/devboards/pm.c
1146 --- linux-2.6.33.1/arch/mips/alchemy/devboards/pm.c 2010-03-15 12:09:39.000000000 -0400
1147 +++ linux-2.6.33.1/arch/mips/alchemy/devboards/pm.c 2010-03-20 16:58:38.588679980 -0400
1148 @@ -78,7 +78,7 @@ static void db1x_pm_end(void)
1152 -static struct platform_suspend_ops db1x_pm_ops = {
1153 +static const struct platform_suspend_ops db1x_pm_ops = {
1154 .valid = suspend_valid_only_mem,
1155 .begin = db1x_pm_begin,
1156 .enter = db1x_pm_enter,
1157 diff -urNp linux-2.6.33.1/arch/mips/include/asm/elf.h linux-2.6.33.1/arch/mips/include/asm/elf.h
1158 --- linux-2.6.33.1/arch/mips/include/asm/elf.h 2010-03-15 12:09:39.000000000 -0400
1159 +++ linux-2.6.33.1/arch/mips/include/asm/elf.h 2010-03-20 16:58:38.588679980 -0400
1160 @@ -367,4 +367,11 @@ extern int dump_task_fpu(struct task_str
1161 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
1164 +#ifdef CONFIG_PAX_ASLR
1165 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1167 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1168 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1171 #endif /* _ASM_ELF_H */
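Review bot: Both arms of the conditional in `PAX_ELF_ET_DYN_BASE` are the same value, `(test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)`, so the thread-flag test is evaluated for nothing. The same line is repeated in the binfmt_elfn32.c and binfmt_elfo32.c hunks. If one base is intended for both ABIs, `#define PAX_ELF_ET_DYN_BASE 0x00400000UL` says so directly. If the 64-bit base was meant to differ, the second arm is a leftover that needs the real value. A short comment on what the `27-PAGE_SHIFT` and `36-PAGE_SHIFT` randomisation widths are derived from would also help the next reader.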
1172 diff -urNp linux-2.6.33.1/arch/mips/include/asm/page.h linux-2.6.33.1/arch/mips/include/asm/page.h
1173 --- linux-2.6.33.1/arch/mips/include/asm/page.h 2010-03-15 12:09:39.000000000 -0400
1174 +++ linux-2.6.33.1/arch/mips/include/asm/page.h 2010-03-20 16:58:38.592758361 -0400
1175 @@ -93,7 +93,7 @@ extern void copy_user_highpage(struct pa
1176 #ifdef CONFIG_CPU_MIPS32
1177 typedef struct { unsigned long pte_low, pte_high; } pte_t;
1178 #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
1179 - #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
1180 + #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
1182 typedef struct { unsigned long long pte; } pte_t;
1183 #define pte_val(x) ((x).pte)
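Review bot: Dropping the widening cast in `__pte(x)` leaves `(x) >> 32` evaluated in the type of `x`. This branch is the `CONFIG_CPU_MIPS32` one, where `pte_low` and `pte_high` are `unsigned long`, so any caller passing a 32-bit value now shifts by the full width of the type, which is undefined behaviour in C. The removed form, `((unsigned long long)(x)) >> 32`, was well defined for every argument type. Unless every caller is known to pass a 64-bit value, I would keep the cast: `#define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })`. The enclosing `#if` starts outside the hunk.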
1184 diff -urNp linux-2.6.33.1/arch/mips/include/asm/system.h linux-2.6.33.1/arch/mips/include/asm/system.h
1185 --- linux-2.6.33.1/arch/mips/include/asm/system.h 2010-03-15 12:09:39.000000000 -0400
1186 +++ linux-2.6.33.1/arch/mips/include/asm/system.h 2010-03-20 16:58:38.592758361 -0400
1187 @@ -230,6 +230,6 @@ extern void per_cpu_trap_init(void);
1189 #define __ARCH_WANT_UNLOCKED_CTXSW
1191 -extern unsigned long arch_align_stack(unsigned long sp);
1192 +#define arch_align_stack(x) ((x) & ALMASK)
1194 #endif /* _ASM_SYSTEM_H */
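Review bot: The macro `#define arch_align_stack(x) ((x) & ALMASK)` is unconditional, while the function it replaces (deleted in the process.c hunk) also subtracted a random sub-page offset unless `ADDR_NO_RANDOMIZE` was set. A kernel built from this patch with the PaX ASLR options disabled therefore loses that stack randomisation with nothing visible here taking its place. The powerpc elf.h hunks do the same to `randomize_et_dyn` and `arch_randomize_brk`. Presumably the patch's own randomisation code is meant to cover this, but that code is outside this section. Either guard the replacement with `CONFIG_PAX_ASLR` or say so in a comment, for example `/* randomisation is done by PaX; only the ABI alignment (8 bytes o32, 16 bytes 64-bit) remains */`, which also restores the alignment note that was deleted.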
1195 diff -urNp linux-2.6.33.1/arch/mips/kernel/binfmt_elfn32.c linux-2.6.33.1/arch/mips/kernel/binfmt_elfn32.c
1196 --- linux-2.6.33.1/arch/mips/kernel/binfmt_elfn32.c 2010-03-15 12:09:39.000000000 -0400
1197 +++ linux-2.6.33.1/arch/mips/kernel/binfmt_elfn32.c 2010-03-20 16:58:38.592758361 -0400
1198 @@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1199 #undef ELF_ET_DYN_BASE
1200 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1202 +#ifdef CONFIG_PAX_ASLR
1203 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1205 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1206 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1209 #include <asm/processor.h>
1210 #include <linux/module.h>
1211 #include <linux/elfcore.h>
1212 diff -urNp linux-2.6.33.1/arch/mips/kernel/binfmt_elfo32.c linux-2.6.33.1/arch/mips/kernel/binfmt_elfo32.c
1213 --- linux-2.6.33.1/arch/mips/kernel/binfmt_elfo32.c 2010-03-15 12:09:39.000000000 -0400
1214 +++ linux-2.6.33.1/arch/mips/kernel/binfmt_elfo32.c 2010-03-20 16:58:38.592758361 -0400
1215 @@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1216 #undef ELF_ET_DYN_BASE
1217 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1219 +#ifdef CONFIG_PAX_ASLR
1220 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1222 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1223 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1226 #include <asm/processor.h>
1229 diff -urNp linux-2.6.33.1/arch/mips/kernel/kgdb.c linux-2.6.33.1/arch/mips/kernel/kgdb.c
1230 --- linux-2.6.33.1/arch/mips/kernel/kgdb.c 2010-03-15 12:09:39.000000000 -0400
1231 +++ linux-2.6.33.1/arch/mips/kernel/kgdb.c 2010-03-20 16:58:38.592758361 -0400
1232 @@ -245,6 +245,7 @@ int kgdb_arch_handle_exception(int vecto
1236 +/* cannot be const */
1237 struct kgdb_arch arch_kgdb_ops;
1240 diff -urNp linux-2.6.33.1/arch/mips/kernel/process.c linux-2.6.33.1/arch/mips/kernel/process.c
1241 --- linux-2.6.33.1/arch/mips/kernel/process.c 2010-03-15 12:09:39.000000000 -0400
1242 +++ linux-2.6.33.1/arch/mips/kernel/process.c 2010-03-20 16:58:38.592758361 -0400
1243 @@ -470,15 +470,3 @@ unsigned long get_wchan(struct task_stru
1249 - * Don't forget that the stack pointer must be aligned on a 8 bytes
1250 - * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
1252 -unsigned long arch_align_stack(unsigned long sp)
1254 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
1255 - sp -= get_random_int() & ~PAGE_MASK;
1257 - return sp & ALMASK;
1259 diff -urNp linux-2.6.33.1/arch/mips/kernel/syscall.c linux-2.6.33.1/arch/mips/kernel/syscall.c
1260 --- linux-2.6.33.1/arch/mips/kernel/syscall.c 2010-03-15 12:09:39.000000000 -0400
1261 +++ linux-2.6.33.1/arch/mips/kernel/syscall.c 2010-03-20 16:58:38.592758361 -0400
1262 @@ -102,6 +102,11 @@ unsigned long arch_get_unmapped_area(str
1264 if (filp || (flags & MAP_SHARED))
1267 +#ifdef CONFIG_PAX_RANDMMAP
1268 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
1273 addr = COLOUR_ALIGN(addr, pgoff);
1274 @@ -112,7 +117,7 @@ unsigned long arch_get_unmapped_area(str
1275 (!vmm || addr + len <= vmm->vm_start))
1278 - addr = TASK_UNMAPPED_BASE;
1279 + addr = current->mm->mmap_base;
1281 addr = COLOUR_ALIGN(addr, pgoff);
1283 diff -urNp linux-2.6.33.1/arch/mips/loongson/common/pm.c linux-2.6.33.1/arch/mips/loongson/common/pm.c
1284 --- linux-2.6.33.1/arch/mips/loongson/common/pm.c 2010-03-15 12:09:39.000000000 -0400
1285 +++ linux-2.6.33.1/arch/mips/loongson/common/pm.c 2010-03-20 16:58:38.608773091 -0400
1286 @@ -147,7 +147,7 @@ static int loongson_pm_valid_state(suspe
1290 -static struct platform_suspend_ops loongson_pm_ops = {
1291 +static const struct platform_suspend_ops loongson_pm_ops = {
1292 .valid = loongson_pm_valid_state,
1293 .enter = loongson_pm_enter,
1295 diff -urNp linux-2.6.33.1/arch/mips/mm/fault.c linux-2.6.33.1/arch/mips/mm/fault.c
1296 --- linux-2.6.33.1/arch/mips/mm/fault.c 2010-03-15 12:09:39.000000000 -0400
1297 +++ linux-2.6.33.1/arch/mips/mm/fault.c 2010-03-20 16:58:38.612819864 -0400
1299 #include <asm/ptrace.h>
1300 #include <asm/highmem.h> /* For VMALLOC_END */
1302 +#ifdef CONFIG_PAX_PAGEEXEC
1303 +void pax_report_insns(void *pc)
1307 + printk(KERN_ERR "PAX: bytes at PC: ");
1308 + for (i = 0; i < 5; i++) {
1310 + if (get_user(c, (unsigned int *)pc+i))
1311 + printk(KERN_CONT "???????? ");
1313 + printk(KERN_CONT "%08x ", c);
1320 * This routine handles page faults. It determines the address,
1321 * and the problem, and then passes it off to one of the appropriate
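Review bot: `pax_report_insns` is declared here as `void pax_report_insns(void *pc)`, whereas the ia64 and PA-RISC versions in this same patch take `(void *pc, void *sp)`. If the architecture-independent caller passes both arguments, as the two-argument versions suggest, this definition will not match its prototype once `CONFIG_PAX_PAGEEXEC` is selectable on MIPS. Aligning it as `void pax_report_insns(void *pc, void *sp)` keeps the three copies consistent even if `sp` goes unused. The caller is outside this section, so the mismatch is inferred from the sibling definitions only.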
1322 diff -urNp linux-2.6.33.1/arch/parisc/include/asm/elf.h linux-2.6.33.1/arch/parisc/include/asm/elf.h
1323 --- linux-2.6.33.1/arch/parisc/include/asm/elf.h 2010-03-15 12:09:39.000000000 -0400
1324 +++ linux-2.6.33.1/arch/parisc/include/asm/elf.h 2010-03-20 16:58:38.624763350 -0400
1325 @@ -342,6 +342,13 @@ struct pt_regs; /* forward declaration..
1327 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
1329 +#ifdef CONFIG_PAX_ASLR
1330 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
1332 +#define PAX_DELTA_MMAP_LEN 16
1333 +#define PAX_DELTA_STACK_LEN 16
1336 /* This yields a mask that user programs can use to figure out what
1337 instruction set this CPU supports. This could be done in user space,
1338 but it's not easy, and we've already done it here. */
1339 diff -urNp linux-2.6.33.1/arch/parisc/include/asm/pgtable.h linux-2.6.33.1/arch/parisc/include/asm/pgtable.h
1340 --- linux-2.6.33.1/arch/parisc/include/asm/pgtable.h 2010-03-15 12:09:39.000000000 -0400
1341 +++ linux-2.6.33.1/arch/parisc/include/asm/pgtable.h 2010-03-20 16:58:38.628643492 -0400
1342 @@ -207,6 +207,17 @@
1343 #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
1344 #define PAGE_COPY PAGE_EXECREAD
1345 #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
1347 +#ifdef CONFIG_PAX_PAGEEXEC
1348 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
1349 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1350 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1352 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
1353 +# define PAGE_COPY_NOEXEC PAGE_COPY
1354 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
1357 #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
1358 #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
1359 #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
1360 diff -urNp linux-2.6.33.1/arch/parisc/kernel/module.c linux-2.6.33.1/arch/parisc/kernel/module.c
1361 --- linux-2.6.33.1/arch/parisc/kernel/module.c 2010-03-15 12:09:39.000000000 -0400
1362 +++ linux-2.6.33.1/arch/parisc/kernel/module.c 2010-03-20 16:58:38.636778509 -0400
1365 /* three functions to determine where in the module core
1366 * or init pieces the location is */
1367 +static inline int in_init_rx(struct module *me, void *loc)
1369 + return (loc >= me->module_init_rx &&
1370 + loc < (me->module_init_rx + me->init_size_rx));
1373 +static inline int in_init_rw(struct module *me, void *loc)
1375 + return (loc >= me->module_init_rw &&
1376 + loc < (me->module_init_rw + me->init_size_rw));
1379 static inline int in_init(struct module *me, void *loc)
1381 - return (loc >= me->module_init &&
1382 - loc <= (me->module_init + me->init_size));
1383 + return in_init_rx(me, loc) || in_init_rw(me, loc);
1386 +static inline int in_core_rx(struct module *me, void *loc)
1388 + return (loc >= me->module_core_rx &&
1389 + loc < (me->module_core_rx + me->core_size_rx));
1392 +static inline int in_core_rw(struct module *me, void *loc)
1394 + return (loc >= me->module_core_rw &&
1395 + loc < (me->module_core_rw + me->core_size_rw));
1398 static inline int in_core(struct module *me, void *loc)
1400 - return (loc >= me->module_core &&
1401 - loc <= (me->module_core + me->core_size));
1402 + return in_core_rx(me, loc) || in_core_rw(me, loc);
1405 static inline int in_local(struct module *me, void *loc)
1406 @@ -364,13 +386,13 @@ int module_frob_arch_sections(CONST Elf_
1409 /* align things a bit */
1410 - me->core_size = ALIGN(me->core_size, 16);
1411 - me->arch.got_offset = me->core_size;
1412 - me->core_size += gots * sizeof(struct got_entry);
1414 - me->core_size = ALIGN(me->core_size, 16);
1415 - me->arch.fdesc_offset = me->core_size;
1416 - me->core_size += fdescs * sizeof(Elf_Fdesc);
1417 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1418 + me->arch.got_offset = me->core_size_rw;
1419 + me->core_size_rw += gots * sizeof(struct got_entry);
1421 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1422 + me->arch.fdesc_offset = me->core_size_rw;
1423 + me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
1425 me->arch.got_max = gots;
1426 me->arch.fdesc_max = fdescs;
1427 @@ -388,7 +410,7 @@ static Elf64_Word get_got(struct module
1431 - got = me->module_core + me->arch.got_offset;
1432 + got = me->module_core_rw + me->arch.got_offset;
1433 for (i = 0; got[i].addr; i++)
1434 if (got[i].addr == value)
1436 @@ -406,7 +428,7 @@ static Elf64_Word get_got(struct module
1438 static Elf_Addr get_fdesc(struct module *me, unsigned long value)
1440 - Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
1441 + Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
1444 printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
1445 @@ -424,7 +446,7 @@ static Elf_Addr get_fdesc(struct module
1447 /* Create new one */
1448 fdesc->addr = value;
1449 - fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1450 + fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1451 return (Elf_Addr)fdesc;
1453 #endif /* CONFIG_64BIT */
1454 @@ -848,7 +870,7 @@ register_unwind_table(struct module *me,
1456 table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
1457 end = table + sechdrs[me->arch.unwind_section].sh_size;
1458 - gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1459 + gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1461 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
1462 me->arch.unwind_section, table, end, gp);
1463 diff -urNp linux-2.6.33.1/arch/parisc/kernel/sys_parisc.c linux-2.6.33.1/arch/parisc/kernel/sys_parisc.c
1464 --- linux-2.6.33.1/arch/parisc/kernel/sys_parisc.c 2010-03-15 12:09:39.000000000 -0400
1465 +++ linux-2.6.33.1/arch/parisc/kernel/sys_parisc.c 2010-03-20 16:58:38.636778509 -0400
1466 @@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(str
1467 if (flags & MAP_FIXED)
1470 - addr = TASK_UNMAPPED_BASE;
1471 + addr = current->mm->mmap_base;
1474 addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
1475 diff -urNp linux-2.6.33.1/arch/parisc/kernel/traps.c linux-2.6.33.1/arch/parisc/kernel/traps.c
1476 --- linux-2.6.33.1/arch/parisc/kernel/traps.c 2010-03-15 12:09:39.000000000 -0400
1477 +++ linux-2.6.33.1/arch/parisc/kernel/traps.c 2010-03-20 16:58:38.644755446 -0400
1478 @@ -733,9 +733,7 @@ void notrace handle_interruption(int cod
1480 down_read(¤t->mm->mmap_sem);
1481 vma = find_vma(current->mm,regs->iaoq[0]);
1482 - if (vma && (regs->iaoq[0] >= vma->vm_start)
1483 - && (vma->vm_flags & VM_EXEC)) {
1485 + if (vma && (regs->iaoq[0] >= vma->vm_start)) {
1486 fault_address = regs->iaoq[0];
1487 fault_space = regs->iasq[0];
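Review bot: The condition loses its `(vma->vm_flags & VM_EXEC)` test without a comment explaining why, so the branch now forwards a trap at any mapped PC, executable or not. Going by the arch/parisc/mm/fault.c hunks, the intent seems to be that the page-fault path makes the executable check itself (`parisc_acctyp` now maps code 7 to an execute access) so that the PaX handler can report or emulate the fetch. That coupling is easy to break in a later cleanup. A comment on the new `if` would record it, such as `/* VM_EXEC is enforced in the page-fault path so PAGEEXEC can see the fetch */`. The surrounding `handle_interruption` code is outside the hunk.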
1489 diff -urNp linux-2.6.33.1/arch/parisc/mm/fault.c linux-2.6.33.1/arch/parisc/mm/fault.c
1490 --- linux-2.6.33.1/arch/parisc/mm/fault.c 2010-03-15 12:09:39.000000000 -0400
1491 +++ linux-2.6.33.1/arch/parisc/mm/fault.c 2010-03-20 16:58:38.644755446 -0400
1493 #include <linux/sched.h>
1494 #include <linux/interrupt.h>
1495 #include <linux/module.h>
1496 +#include <linux/unistd.h>
1498 #include <asm/uaccess.h>
1499 #include <asm/traps.h>
1500 @@ -52,7 +53,7 @@ DEFINE_PER_CPU(struct exception_data, ex
1501 static unsigned long
1502 parisc_acctyp(unsigned long code, unsigned int inst)
1504 - if (code == 6 || code == 16)
1505 + if (code == 6 || code == 7 || code == 16)
1508 switch (inst & 0xf0000000) {
1509 @@ -138,6 +139,116 @@ parisc_acctyp(unsigned long code, unsign
1513 +#ifdef CONFIG_PAX_PAGEEXEC
1515 + * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
1517 + * returns 1 when task should be killed
1518 + * 2 when rt_sigreturn trampoline was detected
1519 + * 3 when unpatched PLT trampoline was detected
1521 +static int pax_handle_fetch_fault(struct pt_regs *regs)
1524 +#ifdef CONFIG_PAX_EMUPLT
1527 + do { /* PaX: unpatched PLT emulation */
1528 + unsigned int bl, depwi;
1530 + err = get_user(bl, (unsigned int *)instruction_pointer(regs));
1531 + err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
1536 + if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
1537 + unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
1539 + err = get_user(ldw, (unsigned int *)addr);
1540 + err |= get_user(bv, (unsigned int *)(addr+4));
1541 + err |= get_user(ldw2, (unsigned int *)(addr+8));
1546 + if (ldw == 0x0E801096U &&
1547 + bv == 0xEAC0C000U &&
1548 + ldw2 == 0x0E881095U)
1550 + unsigned int resolver, map;
1552 + err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
1553 + err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
1557 + regs->gr[20] = instruction_pointer(regs)+8;
1558 + regs->gr[21] = map;
1559 + regs->gr[22] = resolver;
1560 + regs->iaoq[0] = resolver | 3UL;
1561 + regs->iaoq[1] = regs->iaoq[0] + 4;
1568 +#ifdef CONFIG_PAX_EMUTRAMP
1570 +#ifndef CONFIG_PAX_EMUSIGRT
1571 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
1575 + do { /* PaX: rt_sigreturn emulation */
1576 + unsigned int ldi1, ldi2, bel, nop;
1578 + err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
1579 + err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
1580 + err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
1581 + err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
1586 + if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
1587 + ldi2 == 0x3414015AU &&
1588 + bel == 0xE4008200U &&
1589 + nop == 0x08000240U)
1591 + regs->gr[25] = (ldi1 & 2) >> 1;
1592 + regs->gr[20] = __NR_rt_sigreturn;
1593 + regs->gr[31] = regs->iaoq[1] + 16;
1594 + regs->sr[0] = regs->iasq[1];
1595 + regs->iaoq[0] = 0x100UL;
1596 + regs->iaoq[1] = regs->iaoq[0] + 4;
1597 + regs->iasq[0] = regs->sr[2];
1598 + regs->iasq[1] = regs->sr[2];
1607 +void pax_report_insns(void *pc, void *sp)
1611 + printk(KERN_ERR "PAX: bytes at PC: ");
1612 + for (i = 0; i < 5; i++) {
1614 + if (get_user(c, (unsigned int *)pc+i))
1615 + printk(KERN_CONT "???????? ");
1617 + printk(KERN_CONT "%08x ", c);
1623 int fixup_exception(struct pt_regs *regs)
1625 const struct exception_table_entry *fix;
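Review bot: In the PLT-emulation block of `pax_handle_fetch_fault`, a user address is stored in a 32-bit variable, `unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;`, and then cast back with `(unsigned int *)addr`. On a 64-bit kernel that truncates the address and converts an integer to a pointer of a different size. If this path can only be reached by 32-bit tasks, that restriction should be stated in a comment. Otherwise declare it separately as `unsigned long addr = instruction_pointer(regs) - 12;`. The `get_user` casts in this function also omit `__user`, and the instruction constants (`0xEA9F1FDDU`, `0x0E801096U`, ...) would read better as named macros stating which opcode each one encodes.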
1626 @@ -192,8 +303,33 @@ good_area:
1628 acc_type = parisc_acctyp(code,regs->iir);
1630 - if ((vma->vm_flags & acc_type) != acc_type)
1631 + if ((vma->vm_flags & acc_type) != acc_type) {
1633 +#ifdef CONFIG_PAX_PAGEEXEC
1634 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
1635 + (address & ~3UL) == instruction_pointer(regs))
1637 + up_read(&mm->mmap_sem);
1638 + switch (pax_handle_fetch_fault(regs)) {
1640 +#ifdef CONFIG_PAX_EMUPLT
1645 +#ifdef CONFIG_PAX_EMUTRAMP
1651 + pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
1652 + do_group_exit(SIGKILL);
1660 * If for any reason at all we couldn't handle the fault, make
1661 diff -urNp linux-2.6.33.1/arch/powerpc/include/asm/device.h linux-2.6.33.1/arch/powerpc/include/asm/device.h
1662 --- linux-2.6.33.1/arch/powerpc/include/asm/device.h 2010-03-15 12:09:39.000000000 -0400
1663 +++ linux-2.6.33.1/arch/powerpc/include/asm/device.h 2010-03-20 16:58:38.652757516 -0400
1664 @@ -14,7 +14,7 @@ struct dev_archdata {
1665 struct device_node *of_node;
1667 /* DMA operations on that device */
1668 - struct dma_map_ops *dma_ops;
1669 + const struct dma_map_ops *dma_ops;
1672 * When an iommu is in use, dma_data is used as a ptr to the base of the
1673 diff -urNp linux-2.6.33.1/arch/powerpc/include/asm/dma-mapping.h linux-2.6.33.1/arch/powerpc/include/asm/dma-mapping.h
1674 --- linux-2.6.33.1/arch/powerpc/include/asm/dma-mapping.h 2010-03-15 12:09:39.000000000 -0400
1675 +++ linux-2.6.33.1/arch/powerpc/include/asm/dma-mapping.h 2010-03-20 16:58:38.664764295 -0400
1676 @@ -69,9 +69,9 @@ static inline unsigned long device_to_ma
1678 extern struct dma_map_ops dma_iommu_ops;
1680 -extern struct dma_map_ops dma_direct_ops;
1681 +extern const struct dma_map_ops dma_direct_ops;
1683 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
1684 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
1686 /* We don't handle the NULL dev case for ISA for now. We could
1687 * do it via an out of line call but it is not needed for now. The
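Review bot: `extern struct dma_map_ops dma_iommu_ops;` stays non-const on the context line just above the change, while `dma_direct_ops` and every accessor in this header become `const`. If that table really is modified at run time, it deserves the same marker the patch uses for `arch_kgdb_ops` in the MIPS kgdb hunk, `/* cannot be const */`, so the omission reads as deliberate. If it is never written, it should be constified along with the others, `extern const struct dma_map_ops dma_iommu_ops;`, since a writable ops table is exactly what this series is removing. The definition of `dma_iommu_ops` is outside this section, so which case applies cannot be told from here.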
1688 @@ -84,7 +84,7 @@ static inline struct dma_map_ops *get_dm
1689 return dev->archdata.dma_ops;
1692 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
1693 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
1695 dev->archdata.dma_ops = ops;
1697 @@ -118,7 +118,7 @@ static inline void set_dma_offset(struct
1699 static inline int dma_supported(struct device *dev, u64 mask)
1701 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
1702 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
1704 if (unlikely(dma_ops == NULL))
1706 @@ -132,7 +132,7 @@ static inline int dma_supported(struct d
1708 static inline int dma_set_mask(struct device *dev, u64 dma_mask)
1710 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
1711 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
1713 if (unlikely(dma_ops == NULL))
1715 @@ -147,7 +147,7 @@ static inline int dma_set_mask(struct de
1716 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
1717 dma_addr_t *dma_handle, gfp_t flag)
1719 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
1720 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
1724 @@ -162,7 +162,7 @@ static inline void *dma_alloc_coherent(s
1725 static inline void dma_free_coherent(struct device *dev, size_t size,
1726 void *cpu_addr, dma_addr_t dma_handle)
1728 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
1729 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
1733 @@ -173,7 +173,7 @@ static inline void dma_free_coherent(str
1735 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
1737 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
1738 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
1740 if (dma_ops->mapping_error)
1741 return dma_ops->mapping_error(dev, dma_addr);
1742 diff -urNp linux-2.6.33.1/arch/powerpc/include/asm/elf.h linux-2.6.33.1/arch/powerpc/include/asm/elf.h
1743 --- linux-2.6.33.1/arch/powerpc/include/asm/elf.h 2010-03-15 12:09:39.000000000 -0400
1744 +++ linux-2.6.33.1/arch/powerpc/include/asm/elf.h 2010-03-20 16:58:38.664764295 -0400
1745 @@ -178,8 +178,19 @@ typedef elf_fpreg_t elf_vsrreghalf_t32[E
1746 the loader. We need to make sure that it is out of the way of the program
1747 that it will "exec", and that there is sufficient room for the brk. */
1749 -extern unsigned long randomize_et_dyn(unsigned long base);
1750 -#define ELF_ET_DYN_BASE (randomize_et_dyn(0x20000000))
1751 +#define ELF_ET_DYN_BASE (0x20000000)
1753 +#ifdef CONFIG_PAX_ASLR
1754 +#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
1756 +#ifdef __powerpc64__
1757 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
1758 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
1760 +#define PAX_DELTA_MMAP_LEN 15
1761 +#define PAX_DELTA_STACK_LEN 15
1766 * Our registers are always unsigned longs, whether we're a 32 bit
1767 @@ -274,9 +285,6 @@ extern int arch_setup_additional_pages(s
1768 (0x7ff >> (PAGE_SHIFT - 12)) : \
1769 (0x3ffff >> (PAGE_SHIFT - 12)))
1771 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
1772 -#define arch_randomize_brk arch_randomize_brk
1774 #endif /* __KERNEL__ */
1777 diff -urNp linux-2.6.33.1/arch/powerpc/include/asm/iommu.h linux-2.6.33.1/arch/powerpc/include/asm/iommu.h
1778 --- linux-2.6.33.1/arch/powerpc/include/asm/iommu.h 2010-03-15 12:09:39.000000000 -0400
1779 +++ linux-2.6.33.1/arch/powerpc/include/asm/iommu.h 2010-03-20 16:58:38.664764295 -0400
1780 @@ -116,6 +116,9 @@ extern void iommu_init_early_iSeries(voi
1781 extern void iommu_init_early_dart(void);
1782 extern void iommu_init_early_pasemi(void);
1785 +extern int dma_iommu_dma_supported(struct device *dev, u64 mask);
1788 extern void pci_iommu_init(void);
1789 extern void pci_direct_iommu_init(void);
1790 diff -urNp linux-2.6.33.1/arch/powerpc/include/asm/kmap_types.h linux-2.6.33.1/arch/powerpc/include/asm/kmap_types.h
1791 --- linux-2.6.33.1/arch/powerpc/include/asm/kmap_types.h 2010-03-15 12:09:39.000000000 -0400
1792 +++ linux-2.6.33.1/arch/powerpc/include/asm/kmap_types.h 2010-03-20 16:58:38.664764295 -0400
1793 @@ -26,6 +26,7 @@ enum km_type {
1801 diff -urNp linux-2.6.33.1/arch/powerpc/include/asm/page_64.h linux-2.6.33.1/arch/powerpc/include/asm/page_64.h
1802 --- linux-2.6.33.1/arch/powerpc/include/asm/page_64.h 2010-03-15 12:09:39.000000000 -0400
1803 +++ linux-2.6.33.1/arch/powerpc/include/asm/page_64.h 2010-03-20 16:58:38.664764295 -0400
1804 @@ -180,15 +180,18 @@ do { \
1805 * stack by default, so in the absense of a PT_GNU_STACK program header
1806 * we turn execute permission off.
1808 -#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
1809 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
1810 +#define VM_STACK_DEFAULT_FLAGS32 \
1811 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
1812 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
1814 #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
1815 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
1817 +#ifndef CONFIG_PAX_PAGEEXEC
1818 #define VM_STACK_DEFAULT_FLAGS \
1819 (test_thread_flag(TIF_32BIT) ? \
1820 VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
1823 #include <asm-generic/getorder.h>
1825 diff -urNp linux-2.6.33.1/arch/powerpc/include/asm/page.h linux-2.6.33.1/arch/powerpc/include/asm/page.h
1826 --- linux-2.6.33.1/arch/powerpc/include/asm/page.h 2010-03-15 12:09:39.000000000 -0400
1827 +++ linux-2.6.33.1/arch/powerpc/include/asm/page.h 2010-03-20 16:58:38.668753880 -0400
1828 @@ -116,8 +116,9 @@ extern phys_addr_t kernstart_addr;
1829 * and needs to be executable. This means the whole heap ends
1830 * up being executable.
1832 -#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
1833 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
1834 +#define VM_DATA_DEFAULT_FLAGS32 \
1835 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
1836 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
1838 #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
1839 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
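Review bot: The comment kept above `VM_DATA_DEFAULT_FLAGS32` still says the whole heap ends up being executable, but the new definition sets `VM_EXEC` only when `current->personality & READ_IMPLIES_EXEC` is set, so comment and code now disagree. I would reword it, e.g. `data mappings of 32-bit tasks are executable only under READ_IMPLIES_EXEC; VM_MAYEXEC is unchanged`. The comment's opening line is outside the hunk, but it gives a reason the mapping "needs to be executable", so binaries that depend on that presumably need the personality bit set; that dependency is worth stating next to the macro. The macro now also expands to a `current` dereference, which deserves a mention for anyone using it outside task context.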
1840 @@ -145,6 +146,9 @@ extern phys_addr_t kernstart_addr;
1841 #define is_kernel_addr(x) ((x) >= PAGE_OFFSET)
1844 +#define ktla_ktva(addr) (addr)
1845 +#define ktva_ktla(addr) (addr)
1847 #ifndef __ASSEMBLY__
1849 #undef STRICT_MM_TYPECHECKS
1850 diff -urNp linux-2.6.33.1/arch/powerpc/include/asm/pci.h linux-2.6.33.1/arch/powerpc/include/asm/pci.h
1851 --- linux-2.6.33.1/arch/powerpc/include/asm/pci.h 2010-03-15 12:09:39.000000000 -0400
1852 +++ linux-2.6.33.1/arch/powerpc/include/asm/pci.h 2010-03-20 16:58:38.668753880 -0400
1853 @@ -65,8 +65,8 @@ static inline int pci_get_legacy_ide_irq
1857 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
1858 -extern struct dma_map_ops *get_pci_dma_ops(void);
1859 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
1860 +extern const struct dma_map_ops *get_pci_dma_ops(void);
1861 #else /* CONFIG_PCI */
1862 #define set_pci_dma_ops(d)
1863 #define get_pci_dma_ops() NULL
1864 diff -urNp linux-2.6.33.1/arch/powerpc/include/asm/pte-hash32.h linux-2.6.33.1/arch/powerpc/include/asm/pte-hash32.h
1865 --- linux-2.6.33.1/arch/powerpc/include/asm/pte-hash32.h 2010-03-15 12:09:39.000000000 -0400
1866 +++ linux-2.6.33.1/arch/powerpc/include/asm/pte-hash32.h 2010-03-20 16:58:38.668753880 -0400
1868 #define _PAGE_FILE 0x004 /* when !present: nonlinear file mapping */
1869 #define _PAGE_USER 0x004 /* usermode access allowed */
1870 #define _PAGE_GUARDED 0x008 /* G: prohibit speculative access */
1871 +#define _PAGE_EXEC _PAGE_GUARDED
1872 #define _PAGE_COHERENT 0x010 /* M: enforce memory coherence (SMP systems) */
1873 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
1874 #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
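Review bot: `_PAGE_EXEC` is the only define in this run without a trailing comment, and aliasing it to `_PAGE_GUARDED` is not self-explanatory. Judging by the `DSISR_GUARDED` bit this patch adds in reg.h and tests in fault.c, the guarded bit seems to be reused so that instruction fetches from such pages fault. I would say so on the line, e.g. `/* hash32 has no execute bit; reuses G, fetch from guarded storage faults (confirm polarity) */`. Because the two names share one bit, it is also worth noting that code changing `_PAGE_GUARDED` for caching reasons changes executability too.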
1875 diff -urNp linux-2.6.33.1/arch/powerpc/include/asm/reg.h linux-2.6.33.1/arch/powerpc/include/asm/reg.h
1876 --- linux-2.6.33.1/arch/powerpc/include/asm/reg.h 2010-03-15 12:09:39.000000000 -0400
1877 +++ linux-2.6.33.1/arch/powerpc/include/asm/reg.h 2010-03-20 16:58:38.672753614 -0400
1879 #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */
1880 #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */
1881 #define DSISR_NOHPTE 0x40000000 /* no translation found */
1882 +#define DSISR_GUARDED 0x10000000 /* fetch from guarded storage */
1883 #define DSISR_PROTFAULT 0x08000000 /* protection fault */
1884 #define DSISR_ISSTORE 0x02000000 /* access was a store */
1885 #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */
1886 diff -urNp linux-2.6.33.1/arch/powerpc/include/asm/swiotlb.h linux-2.6.33.1/arch/powerpc/include/asm/swiotlb.h
1887 --- linux-2.6.33.1/arch/powerpc/include/asm/swiotlb.h 2010-03-15 12:09:39.000000000 -0400
1888 +++ linux-2.6.33.1/arch/powerpc/include/asm/swiotlb.h 2010-03-20 16:58:38.672753614 -0400
1891 #include <linux/swiotlb.h>
1893 -extern struct dma_map_ops swiotlb_dma_ops;
1894 +extern const struct dma_map_ops swiotlb_dma_ops;
1896 static inline void dma_mark_clean(void *addr, size_t size) {}
1898 diff -urNp linux-2.6.33.1/arch/powerpc/include/asm/uaccess.h linux-2.6.33.1/arch/powerpc/include/asm/uaccess.h
1899 --- linux-2.6.33.1/arch/powerpc/include/asm/uaccess.h 2010-03-15 12:09:39.000000000 -0400
1900 +++ linux-2.6.33.1/arch/powerpc/include/asm/uaccess.h 2010-03-20 16:58:38.676578811 -0400
1901 @@ -327,52 +327,6 @@ do { \
1902 extern unsigned long __copy_tofrom_user(void __user *to,
1903 const void __user *from, unsigned long size);
1905 -#ifndef __powerpc64__
1907 -static inline unsigned long copy_from_user(void *to,
1908 - const void __user *from, unsigned long n)
1910 - unsigned long over;
1912 - if (access_ok(VERIFY_READ, from, n))
1913 - return __copy_tofrom_user((__force void __user *)to, from, n);
1914 - if ((unsigned long)from < TASK_SIZE) {
1915 - over = (unsigned long)from + n - TASK_SIZE;
1916 - return __copy_tofrom_user((__force void __user *)to, from,
1922 -static inline unsigned long copy_to_user(void __user *to,
1923 - const void *from, unsigned long n)
1925 - unsigned long over;
1927 - if (access_ok(VERIFY_WRITE, to, n))
1928 - return __copy_tofrom_user(to, (__force void __user *)from, n);
1929 - if ((unsigned long)to < TASK_SIZE) {
1930 - over = (unsigned long)to + n - TASK_SIZE;
1931 - return __copy_tofrom_user(to, (__force void __user *)from,
1937 -#else /* __powerpc64__ */
1939 -#define __copy_in_user(to, from, size) \
1940 - __copy_tofrom_user((to), (from), (size))
1942 -extern unsigned long copy_from_user(void *to, const void __user *from,
1944 -extern unsigned long copy_to_user(void __user *to, const void *from,
1946 -extern unsigned long copy_in_user(void __user *to, const void __user *from,
1949 -#endif /* __powerpc64__ */
1951 static inline unsigned long __copy_from_user_inatomic(void *to,
1952 const void __user *from, unsigned long n)
1954 @@ -396,6 +350,10 @@ static inline unsigned long __copy_from_
1959 + if (!__builtin_constant_p(n))
1960 + check_object_size(to, n, false);
1962 return __copy_tofrom_user((__force void __user *)to, from, n);
1965 @@ -422,6 +380,10 @@ static inline unsigned long __copy_to_us
1970 + if (!__builtin_constant_p(n))
1971 + check_object_size(from, n, true);
1973 return __copy_tofrom_user(to, (__force const void __user *)from, n);
1976 @@ -439,6 +401,92 @@ static inline unsigned long __copy_to_us
1977 return __copy_to_user_inatomic(to, from, size);
1980 +#ifndef __powerpc64__
1982 +static inline unsigned long __must_check copy_from_user(void *to,
1983 + const void __user *from, unsigned long n)
1985 + unsigned long over;
1990 + if (access_ok(VERIFY_READ, from, n)) {
1991 + if (!__builtin_constant_p(n))
1992 + check_object_size(to, n, false);
1993 + return __copy_tofrom_user((__force void __user *)to, from, n);
1995 + if ((unsigned long)from < TASK_SIZE) {
1996 + over = (unsigned long)from + n - TASK_SIZE;
1997 + if (!__builtin_constant_p(n - over))
1998 + check_object_size(to, n - over, false);
1999 + return __copy_tofrom_user((__force void __user *)to, from,
2005 +static inline unsigned long __must_check copy_to_user(void __user *to,
2006 + const void *from, unsigned long n)
2008 + unsigned long over;
2013 + if (access_ok(VERIFY_WRITE, to, n)) {
2014 + if (!__builtin_constant_p(n))
2015 + check_object_size(from, n, true);
2016 + return __copy_tofrom_user(to, (__force void __user *)from, n);
2018 + if ((unsigned long)to < TASK_SIZE) {
2019 + over = (unsigned long)to + n - TASK_SIZE;
2020 + if (!__builtin_constant_p(n))
2021 + check_object_size(from, n - over, true);
2022 + return __copy_tofrom_user(to, (__force void __user *)from,
2028 +#else /* __powerpc64__ */
2030 +#define __copy_in_user(to, from, size) \
2031 + __copy_tofrom_user((to), (from), (size))
2033 +static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
2035 + if ((long)n < 0 || n > INT_MAX)
2038 + if (!__builtin_constant_p(n))
2039 + check_object_size(to, n, false);
2041 + if (likely(access_ok(VERIFY_READ, from, n)))
2042 + n = __copy_from_user(to, from, n);
2048 +static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
2050 + if ((long)n < 0 || n > INT_MAX)
2053 + if (likely(access_ok(VERIFY_WRITE, to, n))) {
2054 + if (!__builtin_constant_p(n))
2055 + check_object_size(from, n, true);
2056 + n = __copy_to_user(to, from, n);
2061 +extern unsigned long copy_in_user(void __user *to, const void __user *from,
2064 +#endif /* __powerpc64__ */
2066 extern unsigned long __clear_user(void __user *addr, unsigned long size);
2068 static inline unsigned long clear_user(void __user *addr, unsigned long size)
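Review bot: In the 32-bit `copy_to_user`, the truncated-copy branch guards `check_object_size(from, n - over, true)` with `__builtin_constant_p(n)`, while the matching branch of `copy_from_user` above tests `__builtin_constant_p(n - over)`. The length checked and copied in that branch is `n - over`, so the guard should read `if (!__builtin_constant_p(n - over))` in both functions. The `__powerpc64__` variants are also asymmetric: `copy_from_user` calls `check_object_size` before `access_ok`, `copy_to_user` after it. Both then call `__copy_from_user`/`__copy_to_user`, which, judging by the earlier hunks in this file, run the same check a second time. Picking one placement would make the four functions easier to audit; several body lines are missing from this listing, so this rests on the visible lines only.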
2069 diff -urNp linux-2.6.33.1/arch/powerpc/kernel/cacheinfo.c linux-2.6.33.1/arch/powerpc/kernel/cacheinfo.c
2070 --- linux-2.6.33.1/arch/powerpc/kernel/cacheinfo.c 2010-03-15 12:09:39.000000000 -0400
2071 +++ linux-2.6.33.1/arch/powerpc/kernel/cacheinfo.c 2010-03-20 16:58:38.684761974 -0400
2072 @@ -642,7 +642,7 @@ static struct kobj_attribute *cache_inde
2076 -static struct sysfs_ops cache_index_ops = {
2077 +static const struct sysfs_ops cache_index_ops = {
2078 .show = cache_index_show,
2081 diff -urNp linux-2.6.33.1/arch/powerpc/kernel/dma.c linux-2.6.33.1/arch/powerpc/kernel/dma.c
2082 --- linux-2.6.33.1/arch/powerpc/kernel/dma.c 2010-03-15 12:09:39.000000000 -0400
2083 +++ linux-2.6.33.1/arch/powerpc/kernel/dma.c 2010-03-20 16:58:38.700769723 -0400
2084 @@ -134,7 +134,7 @@ static inline void dma_direct_sync_singl
2088 -struct dma_map_ops dma_direct_ops = {
2089 +const struct dma_map_ops dma_direct_ops = {
2090 .alloc_coherent = dma_direct_alloc_coherent,
2091 .free_coherent = dma_direct_free_coherent,
2092 .map_sg = dma_direct_map_sg,
2093 diff -urNp linux-2.6.33.1/arch/powerpc/kernel/dma-iommu.c linux-2.6.33.1/arch/powerpc/kernel/dma-iommu.c
2094 --- linux-2.6.33.1/arch/powerpc/kernel/dma-iommu.c 2010-03-15 12:09:39.000000000 -0400
2095 +++ linux-2.6.33.1/arch/powerpc/kernel/dma-iommu.c 2010-03-20 16:58:38.708797745 -0400
2096 @@ -70,7 +70,7 @@ static void dma_iommu_unmap_sg(struct de
2099 /* We support DMA to/from any memory page via the iommu */
2100 -static int dma_iommu_dma_supported(struct device *dev, u64 mask)
2101 +int dma_iommu_dma_supported(struct device *dev, u64 mask)
2103 struct iommu_table *tbl = get_iommu_table_base(dev);
2105 diff -urNp linux-2.6.33.1/arch/powerpc/kernel/dma-swiotlb.c linux-2.6.33.1/arch/powerpc/kernel/dma-swiotlb.c
2106 --- linux-2.6.33.1/arch/powerpc/kernel/dma-swiotlb.c 2010-03-15 12:09:39.000000000 -0400
2107 +++ linux-2.6.33.1/arch/powerpc/kernel/dma-swiotlb.c 2010-03-20 16:58:38.720772371 -0400
2108 @@ -30,7 +30,7 @@ unsigned int ppc_swiotlb_enable;
2109 * map_page, and unmap_page on highmem, use normal dma_ops
2110 * for everything else.
2112 -struct dma_map_ops swiotlb_dma_ops = {
2113 +const struct dma_map_ops swiotlb_dma_ops = {
2114 .alloc_coherent = dma_direct_alloc_coherent,
2115 .free_coherent = dma_direct_free_coherent,
2116 .map_sg = swiotlb_map_sg_attrs,
2117 diff -urNp linux-2.6.33.1/arch/powerpc/kernel/exceptions-64e.S linux-2.6.33.1/arch/powerpc/kernel/exceptions-64e.S
2118 --- linux-2.6.33.1/arch/powerpc/kernel/exceptions-64e.S 2010-03-15 12:09:39.000000000 -0400
2119 +++ linux-2.6.33.1/arch/powerpc/kernel/exceptions-64e.S 2010-03-20 16:58:38.720772371 -0400
2120 @@ -455,6 +455,7 @@ storage_fault_common:
2123 addi r3,r1,STACK_FRAME_OVERHEAD
2127 ld r14,PACA_EXGEN+EX_R14(r13)
2128 @@ -464,8 +465,7 @@ storage_fault_common:
2131 b .ret_from_except_lite
2135 addi r3,r1,STACK_FRAME_OVERHEAD
2138 diff -urNp linux-2.6.33.1/arch/powerpc/kernel/exceptions-64s.S linux-2.6.33.1/arch/powerpc/kernel/exceptions-64s.S
2139 --- linux-2.6.33.1/arch/powerpc/kernel/exceptions-64s.S 2010-03-15 12:09:39.000000000 -0400
2140 +++ linux-2.6.33.1/arch/powerpc/kernel/exceptions-64s.S 2010-03-20 16:58:38.720772371 -0400
2141 @@ -829,10 +829,10 @@ handle_page_fault:
2144 addi r3,r1,STACK_FRAME_OVERHEAD
2151 addi r3,r1,STACK_FRAME_OVERHEAD
2153 diff -urNp linux-2.6.33.1/arch/powerpc/kernel/ibmebus.c linux-2.6.33.1/arch/powerpc/kernel/ibmebus.c
2154 --- linux-2.6.33.1/arch/powerpc/kernel/ibmebus.c 2010-03-15 12:09:39.000000000 -0400
2155 +++ linux-2.6.33.1/arch/powerpc/kernel/ibmebus.c 2010-03-20 16:58:38.720772371 -0400
2156 @@ -127,7 +127,7 @@ static int ibmebus_dma_supported(struct
2160 -static struct dma_map_ops ibmebus_dma_ops = {
2161 +static const struct dma_map_ops ibmebus_dma_ops = {
2162 .alloc_coherent = ibmebus_alloc_coherent,
2163 .free_coherent = ibmebus_free_coherent,
2164 .map_sg = ibmebus_map_sg,
2165 diff -urNp linux-2.6.33.1/arch/powerpc/kernel/kgdb.c linux-2.6.33.1/arch/powerpc/kernel/kgdb.c
2166 --- linux-2.6.33.1/arch/powerpc/kernel/kgdb.c 2010-03-15 12:09:39.000000000 -0400
2167 +++ linux-2.6.33.1/arch/powerpc/kernel/kgdb.c 2010-03-20 16:58:38.720772371 -0400
2168 @@ -126,7 +126,7 @@ static int kgdb_handle_breakpoint(struct
2169 if (kgdb_handle_exception(0, SIGTRAP, 0, regs) != 0)
2172 - if (*(u32 *) (regs->nip) == *(u32 *) (&arch_kgdb_ops.gdb_bpt_instr))
2173 + if (*(u32 *) (regs->nip) == *(const u32 *) (&arch_kgdb_ops.gdb_bpt_instr))
2177 @@ -353,7 +353,7 @@ int kgdb_arch_handle_exception(int vecto
2181 -struct kgdb_arch arch_kgdb_ops = {
2182 +const struct kgdb_arch arch_kgdb_ops = {
2183 .gdb_bpt_instr = {0x7d, 0x82, 0x10, 0x08},
2186 diff -urNp linux-2.6.33.1/arch/powerpc/kernel/module_32.c linux-2.6.33.1/arch/powerpc/kernel/module_32.c
2187 --- linux-2.6.33.1/arch/powerpc/kernel/module_32.c 2010-03-15 12:09:39.000000000 -0400
2188 +++ linux-2.6.33.1/arch/powerpc/kernel/module_32.c 2010-03-20 16:58:38.724667855 -0400
2189 @@ -162,7 +162,7 @@ int module_frob_arch_sections(Elf32_Ehdr
2190 me->arch.core_plt_section = i;
2192 if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
2193 - printk("Module doesn't contain .plt or .init.plt sections.\n");
2194 + printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
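Review bot: The rewritten `printk` still carries no log level, whereas the message this patch adds to `do_plt_call` in the next hunk uses `KERN_ERR`. I would make the two match: `printk(KERN_ERR "Module %s doesn't contain .plt or .init.plt sections.\n", me->name);`. The enclosing function continues outside the hunk.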
2198 @@ -203,11 +203,16 @@ static uint32_t do_plt_call(void *locati
2200 DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
2201 /* Init, or core PLT? */
2202 - if (location >= mod->module_core
2203 - && location < mod->module_core + mod->core_size)
2204 + if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
2205 + (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
2206 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
2208 + else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
2209 + (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
2210 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
2212 + printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
2216 /* Find this entry, or if that fails, the next avail. entry */
2217 while (entry->jump[0]) {
2218 diff -urNp linux-2.6.33.1/arch/powerpc/kernel/module.c linux-2.6.33.1/arch/powerpc/kernel/module.c
2219 --- linux-2.6.33.1/arch/powerpc/kernel/module.c 2010-03-15 12:09:39.000000000 -0400
2220 +++ linux-2.6.33.1/arch/powerpc/kernel/module.c 2010-03-20 16:58:38.724667855 -0400
2223 LIST_HEAD(module_bug_list);
2225 +#ifdef CONFIG_PAX_KERNEXEC
2226 void *module_alloc(unsigned long size)
2231 + return vmalloc(size);
2234 +void *module_alloc_exec(unsigned long size)
2236 +void *module_alloc(unsigned long size)
2243 return vmalloc_exec(size);
2246 @@ -45,6 +58,13 @@ void module_free(struct module *mod, voi
2247 vfree(module_region);
2250 +#ifdef CONFIG_PAX_KERNEXEC
2251 +void module_free_exec(struct module *mod, void *module_region)
2253 + module_free(mod, module_region);
2257 static const Elf_Shdr *find_section(const Elf_Ehdr *hdr,
2258 const Elf_Shdr *sechdrs,
2260 diff -urNp linux-2.6.33.1/arch/powerpc/kernel/pci-common.c linux-2.6.33.1/arch/powerpc/kernel/pci-common.c
2261 --- linux-2.6.33.1/arch/powerpc/kernel/pci-common.c 2010-03-15 12:09:39.000000000 -0400
2262 +++ linux-2.6.33.1/arch/powerpc/kernel/pci-common.c 2010-03-20 16:58:38.736620382 -0400
2263 @@ -50,14 +50,14 @@ resource_size_t isa_mem_base;
2264 unsigned int ppc_pci_flags = 0;
2267 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2268 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2270 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
2271 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
2273 pci_dma_ops = dma_ops;
2276 -struct dma_map_ops *get_pci_dma_ops(void)
2277 +const struct dma_map_ops *get_pci_dma_ops(void)
2281 diff -urNp linux-2.6.33.1/arch/powerpc/kernel/process.c linux-2.6.33.1/arch/powerpc/kernel/process.c
2282 --- linux-2.6.33.1/arch/powerpc/kernel/process.c 2010-03-15 12:09:39.000000000 -0400
2283 +++ linux-2.6.33.1/arch/powerpc/kernel/process.c 2010-03-20 16:58:38.740772809 -0400
2284 @@ -1141,51 +1141,3 @@ unsigned long arch_align_stack(unsigned
2285 sp -= get_random_int() & ~PAGE_MASK;
2289 -static inline unsigned long brk_rnd(void)
2291 - unsigned long rnd = 0;
2293 - /* 8MB for 32bit, 1GB for 64bit */
2294 - if (is_32bit_task())
2295 - rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
2297 - rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
2299 - return rnd << PAGE_SHIFT;
2302 -unsigned long arch_randomize_brk(struct mm_struct *mm)
2304 - unsigned long base = mm->brk;
2305 - unsigned long ret;
2307 -#ifdef CONFIG_PPC_STD_MMU_64
2309 - * If we are using 1TB segments and we are allowed to randomise
2310 - * the heap, we can put it above 1TB so it is backed by a 1TB
2311 - * segment. Otherwise the heap will be in the bottom 1TB
2312 - * which always uses 256MB segments and this may result in a
2313 - * performance penalty.
2315 - if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T))
2316 - base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T);
2319 - ret = PAGE_ALIGN(base + brk_rnd());
2321 - if (ret < mm->brk)
2327 -unsigned long randomize_et_dyn(unsigned long base)
2329 - unsigned long ret = PAGE_ALIGN(base + brk_rnd());
2336 diff -urNp linux-2.6.33.1/arch/powerpc/kernel/signal_32.c linux-2.6.33.1/arch/powerpc/kernel/signal_32.c
2337 --- linux-2.6.33.1/arch/powerpc/kernel/signal_32.c 2010-03-15 12:09:39.000000000 -0400
2338 +++ linux-2.6.33.1/arch/powerpc/kernel/signal_32.c 2010-03-20 16:58:38.740772809 -0400
2339 @@ -857,7 +857,7 @@ int handle_rt_signal32(unsigned long sig
2340 /* Save user registers on the stack */
2341 frame = &rt_sf->uc.uc_mcontext;
2343 - if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
2344 + if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2345 if (save_user_regs(regs, frame, 0, 1))
2347 regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
2348 diff -urNp linux-2.6.33.1/arch/powerpc/kernel/signal_64.c linux-2.6.33.1/arch/powerpc/kernel/signal_64.c
2349 --- linux-2.6.33.1/arch/powerpc/kernel/signal_64.c 2010-03-15 12:09:39.000000000 -0400
2350 +++ linux-2.6.33.1/arch/powerpc/kernel/signal_64.c 2010-03-20 16:58:38.740772809 -0400
2351 @@ -429,7 +429,7 @@ int handle_rt_signal64(int signr, struct
2352 current->thread.fpscr.val = 0;
2354 /* Set up to return from userspace. */
2355 - if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
2356 + if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2357 regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
2359 err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
2360 diff -urNp linux-2.6.33.1/arch/powerpc/kernel/vdso.c linux-2.6.33.1/arch/powerpc/kernel/vdso.c
2361 --- linux-2.6.33.1/arch/powerpc/kernel/vdso.c 2010-03-15 12:09:39.000000000 -0400
2362 +++ linux-2.6.33.1/arch/powerpc/kernel/vdso.c 2010-03-20 16:58:38.740772809 -0400
2364 #include <asm/firmware.h>
2365 #include <asm/vdso.h>
2366 #include <asm/vdso_datapage.h>
2367 +#include <asm/mman.h>
2371 @@ -220,7 +221,7 @@ int arch_setup_additional_pages(struct l
2372 vdso_base = VDSO32_MBASE;
2375 - current->mm->context.vdso_base = 0;
2376 + current->mm->context.vdso_base = ~0UL;
2378 /* vDSO has a problem and was disabled, just don't "enable" it for the
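Review bot: The "no vDSO" marker changes here from `0` to `~0UL`, and the literal is repeated in the `signal_32.c` and `signal_64.c` hunks of this patch. Any other non-zero test of `context.vdso_base` that the patch leaves alone would now treat the marker as a mapped vDSO and derive a trampoline address from it. Only the two `handle_rt_signal*` sites are visible here, so every other reader of the field needs checking. A named constant would turn that audit into a grep, e.g. `#define VDSO_BASE_UNSET (~0UL)` (name made up for this note), used at all three places. A one-line comment on the assignment saying why `0` can no longer serve as the marker would help too; the hunk does not give the reason.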
2380 @@ -240,7 +241,7 @@ int arch_setup_additional_pages(struct l
2381 vdso_base = get_unmapped_area(NULL, vdso_base,
2382 (vdso_pages << PAGE_SHIFT) +
2383 ((VDSO_ALIGNMENT - 1) & PAGE_MASK),
2385 + 0, MAP_PRIVATE | MAP_EXECUTABLE);
2386 if (IS_ERR_VALUE(vdso_base)) {
2389 diff -urNp linux-2.6.33.1/arch/powerpc/kernel/vio.c linux-2.6.33.1/arch/powerpc/kernel/vio.c
2390 --- linux-2.6.33.1/arch/powerpc/kernel/vio.c 2010-03-15 12:09:39.000000000 -0400
2391 +++ linux-2.6.33.1/arch/powerpc/kernel/vio.c 2010-03-20 16:58:38.744562669 -0400
2392 @@ -601,11 +601,12 @@ static void vio_dma_iommu_unmap_sg(struc
2393 vio_cmo_dealloc(viodev, alloc_size);
2396 -struct dma_map_ops vio_dma_mapping_ops = {
2397 +static const struct dma_map_ops vio_dma_mapping_ops = {
2398 .alloc_coherent = vio_dma_iommu_alloc_coherent,
2399 .free_coherent = vio_dma_iommu_free_coherent,
2400 .map_sg = vio_dma_iommu_map_sg,
2401 .unmap_sg = vio_dma_iommu_unmap_sg,
2402 + .dma_supported = dma_iommu_dma_supported,
2403 .map_page = vio_dma_iommu_map_page,
2404 .unmap_page = vio_dma_iommu_unmap_page,
2406 @@ -857,7 +858,6 @@ static void vio_cmo_bus_remove(struct vi
2408 static void vio_cmo_set_dma_ops(struct vio_dev *viodev)
2410 - vio_dma_mapping_ops.dma_supported = dma_iommu_ops.dma_supported;
2411 viodev->dev.archdata.dma_ops = &vio_dma_mapping_ops;
2414 diff -urNp linux-2.6.33.1/arch/powerpc/lib/usercopy_64.c linux-2.6.33.1/arch/powerpc/lib/usercopy_64.c
2415 --- linux-2.6.33.1/arch/powerpc/lib/usercopy_64.c 2010-03-15 12:09:39.000000000 -0400
2416 +++ linux-2.6.33.1/arch/powerpc/lib/usercopy_64.c 2010-03-20 16:58:38.748775088 -0400
2418 #include <linux/module.h>
2419 #include <asm/uaccess.h>
2421 -unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
2423 - if (likely(access_ok(VERIFY_READ, from, n)))
2424 - n = __copy_from_user(to, from, n);
2430 -unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
2432 - if (likely(access_ok(VERIFY_WRITE, to, n)))
2433 - n = __copy_to_user(to, from, n);
2437 unsigned long copy_in_user(void __user *to, const void __user *from,
2440 @@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user *
2444 -EXPORT_SYMBOL(copy_from_user);
2445 -EXPORT_SYMBOL(copy_to_user);
2446 EXPORT_SYMBOL(copy_in_user);
2448 diff -urNp linux-2.6.33.1/arch/powerpc/mm/fault.c linux-2.6.33.1/arch/powerpc/mm/fault.c
2449 --- linux-2.6.33.1/arch/powerpc/mm/fault.c 2010-03-15 12:09:39.000000000 -0400
2450 +++ linux-2.6.33.1/arch/powerpc/mm/fault.c 2010-03-20 16:58:38.748775088 -0400
2452 #include <linux/kprobes.h>
2453 #include <linux/kdebug.h>
2454 #include <linux/perf_event.h>
2455 +#include <linux/slab.h>
2456 +#include <linux/pagemap.h>
2457 +#include <linux/compiler.h>
2458 +#include <linux/unistd.h>
2460 #include <asm/firmware.h>
2461 #include <asm/page.h>
2463 #include <asm/tlbflush.h>
2464 #include <asm/siginfo.h>
2465 #include <mm/mmu_decl.h>
2466 +#include <asm/ptrace.h>
2468 #ifdef CONFIG_KPROBES
2469 static inline int notify_page_fault(struct pt_regs *regs)
2470 @@ -64,6 +69,33 @@ static inline int notify_page_fault(stru
2474 +#ifdef CONFIG_PAX_PAGEEXEC
2476 + * PaX: decide what to do with offenders (regs->nip = fault address)
2478 + * returns 1 when task should be killed
2480 +static int pax_handle_fetch_fault(struct pt_regs *regs)
2485 +void pax_report_insns(void *pc, void *sp)
2489 + printk(KERN_ERR "PAX: bytes at PC: ");
2490 + for (i = 0; i < 5; i++) {
2492 + if (get_user(c, (unsigned int __user *)pc+i))
2493 + printk(KERN_CONT "???????? ");
2495 + printk(KERN_CONT "%08x ", c);
2502 * Check whether the instruction at regs->nip is a store using
2503 * an update addressing form which will update r1.
2504 @@ -134,7 +166,7 @@ int __kprobes do_page_fault(struct pt_re
2505 * indicate errors in DSISR but can validly be set in SRR1.
2508 - error_code &= 0x48200000;
2509 + error_code &= 0x58200000;
2511 is_write = error_code & DSISR_ISSTORE;
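Review bot: The mask grows from `0x48200000` to `0x58200000`, so it now keeps bit `0x10000000`, which this patch names `DSISR_GUARDED` in reg.h, but the bare literal hides that. Spelling out the named bits where names exist, or at least adding `/* also keep DSISR_GUARDED so the exec-fault checks below can see it */`, would tie this line to the `DSISR_GUARDED` tests added in the later hunks of this file. The body of do_page_fault continues outside the hunk, so the condition under which this mask is applied is not visible here.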
2513 @@ -256,7 +288,7 @@ good_area:
2514 * "undefined". Of those that can be set, this is the only
2515 * one which seems bad.
2517 - if (error_code & 0x10000000)
2518 + if (error_code & DSISR_GUARDED)
2519 /* Guarded storage error. */
2521 #endif /* CONFIG_8xx */
2522 @@ -271,7 +303,7 @@ good_area:
2523 * processors use the same I/D cache coherency mechanism
2526 - if (error_code & DSISR_PROTFAULT)
2527 + if (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))
2529 #endif /* CONFIG_PPC_STD_MMU */
2531 @@ -341,6 +373,23 @@ bad_area:
2532 bad_area_nosemaphore:
2533 /* User mode accesses cause a SIGSEGV */
2534 if (user_mode(regs)) {
2536 +#ifdef CONFIG_PAX_PAGEEXEC
2537 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
2538 +#ifdef CONFIG_PPC_STD_MMU
2539 + if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) {
2541 + if (is_exec && regs->nip == address) {
2543 + switch (pax_handle_fetch_fault(regs)) {
2546 + pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]);
2547 + do_group_exit(SIGKILL);
2552 _exception(SIGSEGV, regs, code, address);
2555 diff -urNp linux-2.6.33.1/arch/powerpc/mm/mmap_64.c linux-2.6.33.1/arch/powerpc/mm/mmap_64.c
2556 --- linux-2.6.33.1/arch/powerpc/mm/mmap_64.c 2010-03-15 12:09:39.000000000 -0400
2557 +++ linux-2.6.33.1/arch/powerpc/mm/mmap_64.c 2010-03-20 16:58:38.748775088 -0400
2558 @@ -99,10 +99,22 @@ void arch_pick_mmap_layout(struct mm_str
2560 if (mmap_is_legacy()) {
2561 mm->mmap_base = TASK_UNMAPPED_BASE;
2563 +#ifdef CONFIG_PAX_RANDMMAP
2564 + if (mm->pax_flags & MF_PAX_RANDMMAP)
2565 + mm->mmap_base += mm->delta_mmap;
2568 mm->get_unmapped_area = arch_get_unmapped_area;
2569 mm->unmap_area = arch_unmap_area;
2571 mm->mmap_base = mmap_base();
2573 +#ifdef CONFIG_PAX_RANDMMAP
2574 + if (mm->pax_flags & MF_PAX_RANDMMAP)
2575 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
2578 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
2579 mm->unmap_area = arch_unmap_area_topdown;
2581 diff -urNp linux-2.6.33.1/arch/powerpc/mm/slice.c linux-2.6.33.1/arch/powerpc/mm/slice.c
2582 --- linux-2.6.33.1/arch/powerpc/mm/slice.c 2010-03-15 12:09:39.000000000 -0400
2583 +++ linux-2.6.33.1/arch/powerpc/mm/slice.c 2010-03-20 16:58:38.764771645 -0400
2584 @@ -426,6 +426,11 @@ unsigned long slice_get_unmapped_area(un
2585 if (fixed && addr > (mm->task_size - len))
2588 +#ifdef CONFIG_PAX_RANDMMAP
2589 + if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP))
2593 /* If hint, make sure it matches our alignment restrictions */
2594 if (!fixed && addr) {
2595 addr = _ALIGN_UP(addr, 1ul << pshift);
2596 diff -urNp linux-2.6.33.1/arch/powerpc/platforms/52xx/lite5200_pm.c linux-2.6.33.1/arch/powerpc/platforms/52xx/lite5200_pm.c
2597 --- linux-2.6.33.1/arch/powerpc/platforms/52xx/lite5200_pm.c 2010-03-15 12:09:39.000000000 -0400
2598 +++ linux-2.6.33.1/arch/powerpc/platforms/52xx/lite5200_pm.c 2010-03-20 16:58:38.776769493 -0400
2599 @@ -235,7 +235,7 @@ static void lite5200_pm_end(void)
2600 lite5200_pm_target_state = PM_SUSPEND_ON;
2603 -static struct platform_suspend_ops lite5200_pm_ops = {
2604 +static const struct platform_suspend_ops lite5200_pm_ops = {
2605 .valid = lite5200_pm_valid,
2606 .begin = lite5200_pm_begin,
2607 .prepare = lite5200_pm_prepare,
2608 diff -urNp linux-2.6.33.1/arch/powerpc/platforms/52xx/mpc52xx_pm.c linux-2.6.33.1/arch/powerpc/platforms/52xx/mpc52xx_pm.c
2609 --- linux-2.6.33.1/arch/powerpc/platforms/52xx/mpc52xx_pm.c 2010-03-15 12:09:39.000000000 -0400
2610 +++ linux-2.6.33.1/arch/powerpc/platforms/52xx/mpc52xx_pm.c 2010-03-20 16:58:38.776769493 -0400
2611 @@ -180,7 +180,7 @@ void mpc52xx_pm_finish(void)
2615 -static struct platform_suspend_ops mpc52xx_pm_ops = {
2616 +static const struct platform_suspend_ops mpc52xx_pm_ops = {
2617 .valid = mpc52xx_pm_valid,
2618 .prepare = mpc52xx_pm_prepare,
2619 .enter = mpc52xx_pm_enter,
2620 diff -urNp linux-2.6.33.1/arch/powerpc/platforms/83xx/suspend.c linux-2.6.33.1/arch/powerpc/platforms/83xx/suspend.c
2621 --- linux-2.6.33.1/arch/powerpc/platforms/83xx/suspend.c 2010-03-15 12:09:39.000000000 -0400
2622 +++ linux-2.6.33.1/arch/powerpc/platforms/83xx/suspend.c 2010-03-20 16:58:38.776769493 -0400
2623 @@ -311,7 +311,7 @@ static int mpc83xx_is_pci_agent(void)
2627 -static struct platform_suspend_ops mpc83xx_suspend_ops = {
2628 +static const struct platform_suspend_ops mpc83xx_suspend_ops = {
2629 .valid = mpc83xx_suspend_valid,
2630 .begin = mpc83xx_suspend_begin,
2631 .enter = mpc83xx_suspend_enter,
2632 diff -urNp linux-2.6.33.1/arch/powerpc/platforms/cell/iommu.c linux-2.6.33.1/arch/powerpc/platforms/cell/iommu.c
2633 --- linux-2.6.33.1/arch/powerpc/platforms/cell/iommu.c 2010-03-15 12:09:39.000000000 -0400
2634 +++ linux-2.6.33.1/arch/powerpc/platforms/cell/iommu.c 2010-03-20 16:58:38.776769493 -0400
2635 @@ -642,7 +642,7 @@ static int dma_fixed_dma_supported(struc
2637 static int dma_set_mask_and_switch(struct device *dev, u64 dma_mask);
2639 -struct dma_map_ops dma_iommu_fixed_ops = {
2640 +const struct dma_map_ops dma_iommu_fixed_ops = {
2641 .alloc_coherent = dma_fixed_alloc_coherent,
2642 .free_coherent = dma_fixed_free_coherent,
2643 .map_sg = dma_fixed_map_sg,
2644 diff -urNp linux-2.6.33.1/arch/powerpc/platforms/ps3/system-bus.c linux-2.6.33.1/arch/powerpc/platforms/ps3/system-bus.c
2645 --- linux-2.6.33.1/arch/powerpc/platforms/ps3/system-bus.c 2010-03-15 12:09:39.000000000 -0400
2646 +++ linux-2.6.33.1/arch/powerpc/platforms/ps3/system-bus.c 2010-03-20 16:58:38.776769493 -0400
2647 @@ -694,7 +694,7 @@ static int ps3_dma_supported(struct devi
2648 return mask >= DMA_BIT_MASK(32);
2651 -static struct dma_map_ops ps3_sb_dma_ops = {
2652 +static const struct dma_map_ops ps3_sb_dma_ops = {
2653 .alloc_coherent = ps3_alloc_coherent,
2654 .free_coherent = ps3_free_coherent,
2655 .map_sg = ps3_sb_map_sg,
2656 @@ -704,7 +704,7 @@ static struct dma_map_ops ps3_sb_dma_ops
2657 .unmap_page = ps3_unmap_page,
2660 -static struct dma_map_ops ps3_ioc0_dma_ops = {
2661 +static const struct dma_map_ops ps3_ioc0_dma_ops = {
2662 .alloc_coherent = ps3_alloc_coherent,
2663 .free_coherent = ps3_free_coherent,
2664 .map_sg = ps3_ioc0_map_sg,
2665 diff -urNp linux-2.6.33.1/arch/powerpc/sysdev/fsl_pmc.c linux-2.6.33.1/arch/powerpc/sysdev/fsl_pmc.c
2666 --- linux-2.6.33.1/arch/powerpc/sysdev/fsl_pmc.c 2010-03-15 12:09:39.000000000 -0400
2667 +++ linux-2.6.33.1/arch/powerpc/sysdev/fsl_pmc.c 2010-03-20 16:58:38.784767469 -0400
2668 @@ -53,7 +53,7 @@ static int pmc_suspend_valid(suspend_sta
2672 -static struct platform_suspend_ops pmc_suspend_ops = {
2673 +static const struct platform_suspend_ops pmc_suspend_ops = {
2674 .valid = pmc_suspend_valid,
2675 .enter = pmc_suspend_enter,
2677 diff -urNp linux-2.6.33.1/arch/s390/include/asm/elf.h linux-2.6.33.1/arch/s390/include/asm/elf.h
2678 --- linux-2.6.33.1/arch/s390/include/asm/elf.h 2010-03-15 12:09:39.000000000 -0400
2679 +++ linux-2.6.33.1/arch/s390/include/asm/elf.h 2010-03-20 16:58:38.792763717 -0400
2680 @@ -163,6 +163,13 @@ extern unsigned int vdso_enabled;
2681 that it will "exec", and that there is sufficient room for the brk. */
2682 #define ELF_ET_DYN_BASE (STACK_TOP / 3 * 2)
2684 +#ifdef CONFIG_PAX_ASLR
2685 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL)
2687 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
2688 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
2691 /* This yields a mask that user programs can use to figure out what
2692 instruction set this CPU supports. */
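Review bot: The `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` values (15 for 31-bit tasks, 26 otherwise) are bare constants with no comment on their unit or how they were chosen. A one-line comment above the block would help, for example `/* number of randomised bits in the mmap/stack base: 31-bit task : 64-bit task */`; that reading of the macros is assumed from their names and should be confirmed against the code that consumes them. There is also a stray space before the closing parenthesis in both `? 15 : 26 )` expressions.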
2694 diff -urNp linux-2.6.33.1/arch/s390/include/asm/uaccess.h linux-2.6.33.1/arch/s390/include/asm/uaccess.h
2695 --- linux-2.6.33.1/arch/s390/include/asm/uaccess.h 2010-03-15 12:09:39.000000000 -0400
2696 +++ linux-2.6.33.1/arch/s390/include/asm/uaccess.h 2010-03-20 16:58:38.800777709 -0400
2697 @@ -234,6 +234,10 @@ static inline unsigned long __must_check
2698 copy_to_user(void __user *to, const void *from, unsigned long n)
2705 if (access_ok(VERIFY_WRITE, to, n))
2706 n = __copy_to_user(to, from, n);
2708 @@ -259,6 +263,9 @@ copy_to_user(void __user *to, const void
2709 static inline unsigned long __must_check
2710 __copy_from_user(void *to, const void __user *from, unsigned long n)
2715 if (__builtin_constant_p(n) && (n <= 256))
2716 return uaccess.copy_from_user_small(n, from, to);
2718 @@ -285,6 +292,10 @@ static inline unsigned long __must_check
2719 copy_from_user(void *to, const void __user *from, unsigned long n)
2726 if (access_ok(VERIFY_READ, from, n))
2727 n = __copy_from_user(to, from, n);
2729 diff -urNp linux-2.6.33.1/arch/s390/Kconfig linux-2.6.33.1/arch/s390/Kconfig
2730 --- linux-2.6.33.1/arch/s390/Kconfig 2010-03-15 12:09:39.000000000 -0400
2731 +++ linux-2.6.33.1/arch/s390/Kconfig 2010-03-20 16:58:38.812766228 -0400
2732 @@ -222,13 +222,12 @@ config AUDIT_ARCH
2734 config S390_EXEC_PROTECT
2735 bool "Data execute protection"
2738 This option allows to enable a buffer overflow protection for user
2739 - space programs and it also selects the addressing mode option above.
2740 - The kernel parameter noexec=on will enable this feature and also
2741 - switch the addressing modes, default is disabled. Enabling this (via
2742 - kernel parameter) on machines earlier than IBM System z9-109 EC/BC
2743 - will reduce system performance.
2745 + Enabling this on machines earlier than IBM System z9-109 EC/BC will
2746 + reduce system performance.
2748 comment "Code generation options"
2750 diff -urNp linux-2.6.33.1/arch/s390/kernel/module.c linux-2.6.33.1/arch/s390/kernel/module.c
2751 --- linux-2.6.33.1/arch/s390/kernel/module.c 2010-03-15 12:09:39.000000000 -0400
2752 +++ linux-2.6.33.1/arch/s390/kernel/module.c 2010-03-20 16:58:38.824764313 -0400
2753 @@ -166,11 +166,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
2755 /* Increase core size by size of got & plt and set start
2756 offsets for got and plt. */
2757 - me->core_size = ALIGN(me->core_size, 4);
2758 - me->arch.got_offset = me->core_size;
2759 - me->core_size += me->arch.got_size;
2760 - me->arch.plt_offset = me->core_size;
2761 - me->core_size += me->arch.plt_size;
2762 + me->core_size_rw = ALIGN(me->core_size_rw, 4);
2763 + me->arch.got_offset = me->core_size_rw;
2764 + me->core_size_rw += me->arch.got_size;
2765 + me->arch.plt_offset = me->core_size_rx;
2766 + me->core_size_rx += me->arch.plt_size;
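Review bot: `plt_offset` is now taken from `me->core_size_rx` without aligning it first; only `core_size_rw` gets the `ALIGN(..., 4)`. In the old layout the PLT followed the GOT in a region that had just been aligned to 4 bytes, so the PLT start presumably inherited that alignment. Adding `me->core_size_rx = ALIGN(me->core_size_rx, 4);` before `me->arch.plt_offset = me->core_size_rx;` would keep the old guarantee for the word stores into the PLT seen in the apply_rela hunks. module_frob_arch_sections starts and ends outside this hunk.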
2770 @@ -256,7 +256,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2771 if (info->got_initialized == 0) {
2774 - gotent = me->module_core + me->arch.got_offset +
2775 + gotent = me->module_core_rw + me->arch.got_offset +
2778 info->got_initialized = 1;
2779 @@ -280,7 +280,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2780 else if (r_type == R_390_GOTENT ||
2781 r_type == R_390_GOTPLTENT)
2782 *(unsigned int *) loc =
2783 - (val + (Elf_Addr) me->module_core - loc) >> 1;
2784 + (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
2785 else if (r_type == R_390_GOT64 ||
2786 r_type == R_390_GOTPLT64)
2787 *(unsigned long *) loc = val;
2788 @@ -294,7 +294,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2789 case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
2790 if (info->plt_initialized == 0) {
2792 - ip = me->module_core + me->arch.plt_offset +
2793 + ip = me->module_core_rx + me->arch.plt_offset +
2795 #ifndef CONFIG_64BIT
2796 ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
2797 @@ -319,7 +319,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2798 val - loc + 0xffffUL < 0x1ffffeUL) ||
2799 (r_type == R_390_PLT32DBL &&
2800 val - loc + 0xffffffffULL < 0x1fffffffeULL)))
2801 - val = (Elf_Addr) me->module_core +
2802 + val = (Elf_Addr) me->module_core_rx +
2803 me->arch.plt_offset +
2805 val += rela->r_addend - loc;
2806 @@ -341,7 +341,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2807 case R_390_GOTOFF32: /* 32 bit offset to GOT. */
2808 case R_390_GOTOFF64: /* 64 bit offset to GOT. */
2809 val = val + rela->r_addend -
2810 - ((Elf_Addr) me->module_core + me->arch.got_offset);
2811 + ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
2812 if (r_type == R_390_GOTOFF16)
2813 *(unsigned short *) loc = val;
2814 else if (r_type == R_390_GOTOFF32)
2815 @@ -351,7 +351,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2817 case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
2818 case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
2819 - val = (Elf_Addr) me->module_core + me->arch.got_offset +
2820 + val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
2821 rela->r_addend - loc;
2822 if (r_type == R_390_GOTPC)
2823 *(unsigned int *) loc = val;
2824 diff -urNp linux-2.6.33.1/arch/s390/kernel/setup.c linux-2.6.33.1/arch/s390/kernel/setup.c
2825 --- linux-2.6.33.1/arch/s390/kernel/setup.c 2010-03-15 12:09:39.000000000 -0400
2826 +++ linux-2.6.33.1/arch/s390/kernel/setup.c 2010-03-20 16:58:38.824764313 -0400
2827 @@ -298,7 +298,7 @@ static int __init early_parse_mem(char *
2829 early_param("mem", early_parse_mem);
2831 -unsigned int user_mode = HOME_SPACE_MODE;
2832 +unsigned int user_mode = SECONDARY_SPACE_MODE;
2833 EXPORT_SYMBOL_GPL(user_mode);
2835 static int set_amode_and_uaccess(unsigned long user_amode,
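Review bot: The default `user_mode` becomes `SECONDARY_SPACE_MODE` for every build, whereas the `noexec=` handler removed later in this file selected that mode only under `#ifdef CONFIG_S390_EXEC_PROTECT`. If the unconditional default is intended, a short comment on the initialiser should say so; otherwise the initialiser should be wrapped in the same `#ifdef` with `HOME_SPACE_MODE` kept as the fallback. After this patch `noexec=` and `switch_amode` no longer have handlers, so boot configurations that still pass them will have no effect, and the kernel-parameter documentation should reflect that.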
2836 @@ -327,17 +327,6 @@ static int set_amode_and_uaccess(unsigne
2841 - * Switch kernel/user addressing modes?
2843 -static int __init early_parse_switch_amode(char *p)
2845 - if (user_mode != SECONDARY_SPACE_MODE)
2846 - user_mode = PRIMARY_SPACE_MODE;
2849 -early_param("switch_amode", early_parse_switch_amode);
2851 static int __init early_parse_user_mode(char *p)
2853 if (p && strcmp(p, "primary") == 0)
2854 @@ -354,20 +343,6 @@ static int __init early_parse_user_mode(
2856 early_param("user_mode", early_parse_user_mode);
2858 -#ifdef CONFIG_S390_EXEC_PROTECT
2860 - * Enable execute protection?
2862 -static int __init early_parse_noexec(char *p)
2864 - if (!strncmp(p, "off", 3))
2866 - user_mode = SECONDARY_SPACE_MODE;
2869 -early_param("noexec", early_parse_noexec);
2870 -#endif /* CONFIG_S390_EXEC_PROTECT */
2872 static void setup_addressing_mode(void)
2874 if (user_mode == SECONDARY_SPACE_MODE) {
2875 diff -urNp linux-2.6.33.1/arch/s390/mm/maccess.c linux-2.6.33.1/arch/s390/mm/maccess.c
2876 --- linux-2.6.33.1/arch/s390/mm/maccess.c 2010-03-15 12:09:39.000000000 -0400
2877 +++ linux-2.6.33.1/arch/s390/mm/maccess.c 2010-03-20 16:58:38.828581240 -0400
2878 @@ -45,7 +45,7 @@ static long probe_kernel_write_odd(void
2879 return rc ? rc : count;
2882 -long probe_kernel_write(void *dst, void *src, size_t size)
2883 +long probe_kernel_write(void *dst, const void *src, size_t size)
2887 diff -urNp linux-2.6.33.1/arch/s390/mm/mmap.c linux-2.6.33.1/arch/s390/mm/mmap.c
2888 --- linux-2.6.33.1/arch/s390/mm/mmap.c 2010-03-15 12:09:39.000000000 -0400
2889 +++ linux-2.6.33.1/arch/s390/mm/mmap.c 2010-03-20 16:58:38.828581240 -0400
2890 @@ -78,10 +78,22 @@ void arch_pick_mmap_layout(struct mm_str
2892 if (mmap_is_legacy()) {
2893 mm->mmap_base = TASK_UNMAPPED_BASE;
2895 +#ifdef CONFIG_PAX_RANDMMAP
2896 + if (mm->pax_flags & MF_PAX_RANDMMAP)
2897 + mm->mmap_base += mm->delta_mmap;
2900 mm->get_unmapped_area = arch_get_unmapped_area;
2901 mm->unmap_area = arch_unmap_area;
2903 mm->mmap_base = mmap_base();
2905 +#ifdef CONFIG_PAX_RANDMMAP
2906 + if (mm->pax_flags & MF_PAX_RANDMMAP)
2907 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
2910 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
2911 mm->unmap_area = arch_unmap_area_topdown;
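Review bot: The top-down branch lowers `mmap_base` by `mm->delta_mmap + mm->delta_stack`, while the legacy branch adds only `delta_mmap`, and nothing explains why the stack delta is part of the subtraction. A comment above it, such as `/* the stack may be shifted down by delta_stack; keep the gap below it intact */`, would record the reasoning; that is my reading of the intent and should be confirmed. The same `#ifdef CONFIG_PAX_RANDMMAP` lines are repeated in the second `arch_pick_mmap_layout` hunk at -153, so a small static helper would keep the two copies from drifting apart. Both functions start and end outside their hunks.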
2913 @@ -153,10 +165,22 @@ void arch_pick_mmap_layout(struct mm_str
2915 if (mmap_is_legacy()) {
2916 mm->mmap_base = TASK_UNMAPPED_BASE;
2918 +#ifdef CONFIG_PAX_RANDMMAP
2919 + if (mm->pax_flags & MF_PAX_RANDMMAP)
2920 + mm->mmap_base += mm->delta_mmap;
2923 mm->get_unmapped_area = s390_get_unmapped_area;
2924 mm->unmap_area = arch_unmap_area;
2926 mm->mmap_base = mmap_base();
2928 +#ifdef CONFIG_PAX_RANDMMAP
2929 + if (mm->pax_flags & MF_PAX_RANDMMAP)
2930 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
2933 mm->get_unmapped_area = s390_get_unmapped_area_topdown;
2934 mm->unmap_area = arch_unmap_area_topdown;
2936 diff -urNp linux-2.6.33.1/arch/sh/boards/mach-hp6xx/pm.c linux-2.6.33.1/arch/sh/boards/mach-hp6xx/pm.c
2937 --- linux-2.6.33.1/arch/sh/boards/mach-hp6xx/pm.c 2010-03-15 12:09:39.000000000 -0400
2938 +++ linux-2.6.33.1/arch/sh/boards/mach-hp6xx/pm.c 2010-03-20 16:58:38.840778404 -0400
2939 @@ -143,7 +143,7 @@ static int hp6x0_pm_enter(suspend_state_
2943 -static struct platform_suspend_ops hp6x0_pm_ops = {
2944 +static const struct platform_suspend_ops hp6x0_pm_ops = {
2945 .enter = hp6x0_pm_enter,
2946 .valid = suspend_valid_only_mem,
2948 diff -urNp linux-2.6.33.1/arch/sh/include/asm/dma-mapping.h linux-2.6.33.1/arch/sh/include/asm/dma-mapping.h
2949 --- linux-2.6.33.1/arch/sh/include/asm/dma-mapping.h 2010-03-15 12:09:39.000000000 -0400
2950 +++ linux-2.6.33.1/arch/sh/include/asm/dma-mapping.h 2010-03-20 16:58:38.844777279 -0400
2952 #ifndef __ASM_SH_DMA_MAPPING_H
2953 #define __ASM_SH_DMA_MAPPING_H
2955 -extern struct dma_map_ops *dma_ops;
2956 +extern const struct dma_map_ops *dma_ops;
2957 extern void no_iommu_init(void);
2959 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
2960 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
2964 @@ -14,7 +14,7 @@ static inline struct dma_map_ops *get_dm
2966 static inline int dma_supported(struct device *dev, u64 mask)
2968 - struct dma_map_ops *ops = get_dma_ops(dev);
2969 + const struct dma_map_ops *ops = get_dma_ops(dev);
2971 if (ops->dma_supported)
2972 return ops->dma_supported(dev, mask);
2973 @@ -24,7 +24,7 @@ static inline int dma_supported(struct d
2975 static inline int dma_set_mask(struct device *dev, u64 mask)
2977 - struct dma_map_ops *ops = get_dma_ops(dev);
2978 + const struct dma_map_ops *ops = get_dma_ops(dev);
2980 if (!dev->dma_mask || !dma_supported(dev, mask))
2982 @@ -59,7 +59,7 @@ static inline int dma_get_cache_alignmen
2984 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
2986 - struct dma_map_ops *ops = get_dma_ops(dev);
2987 + const struct dma_map_ops *ops = get_dma_ops(dev);
2989 if (ops->mapping_error)
2990 return ops->mapping_error(dev, dma_addr);
2991 @@ -70,7 +70,7 @@ static inline int dma_mapping_error(stru
2992 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
2993 dma_addr_t *dma_handle, gfp_t gfp)
2995 - struct dma_map_ops *ops = get_dma_ops(dev);
2996 + const struct dma_map_ops *ops = get_dma_ops(dev);
2999 if (dma_alloc_from_coherent(dev, size, dma_handle, &memory))
3000 @@ -87,7 +87,7 @@ static inline void *dma_alloc_coherent(s
3001 static inline void dma_free_coherent(struct device *dev, size_t size,
3002 void *vaddr, dma_addr_t dma_handle)
3004 - struct dma_map_ops *ops = get_dma_ops(dev);
3005 + const struct dma_map_ops *ops = get_dma_ops(dev);
3007 WARN_ON(irqs_disabled()); /* for portability */
3009 diff -urNp linux-2.6.33.1/arch/sh/kernel/cpu/sh4/sq.c linux-2.6.33.1/arch/sh/kernel/cpu/sh4/sq.c
3010 --- linux-2.6.33.1/arch/sh/kernel/cpu/sh4/sq.c 2010-03-15 12:09:39.000000000 -0400
3011 +++ linux-2.6.33.1/arch/sh/kernel/cpu/sh4/sq.c 2010-03-20 16:58:38.848768890 -0400
3012 @@ -327,7 +327,7 @@ static struct attribute *sq_sysfs_attrs[
3016 -static struct sysfs_ops sq_sysfs_ops = {
3017 +static const struct sysfs_ops sq_sysfs_ops = {
3018 .show = sq_sysfs_show,
3019 .store = sq_sysfs_store,
3021 diff -urNp linux-2.6.33.1/arch/sh/kernel/cpu/shmobile/pm.c linux-2.6.33.1/arch/sh/kernel/cpu/shmobile/pm.c
3022 --- linux-2.6.33.1/arch/sh/kernel/cpu/shmobile/pm.c 2010-03-15 12:09:39.000000000 -0400
3023 +++ linux-2.6.33.1/arch/sh/kernel/cpu/shmobile/pm.c 2010-03-20 16:58:38.852765354 -0400
3024 @@ -140,7 +140,7 @@ static int sh_pm_enter(suspend_state_t s
3028 -static struct platform_suspend_ops sh_pm_ops = {
3029 +static const struct platform_suspend_ops sh_pm_ops = {
3030 .enter = sh_pm_enter,
3031 .valid = suspend_valid_only_mem,
3033 diff -urNp linux-2.6.33.1/arch/sh/kernel/dma-nommu.c linux-2.6.33.1/arch/sh/kernel/dma-nommu.c
3034 --- linux-2.6.33.1/arch/sh/kernel/dma-nommu.c 2010-03-15 12:09:39.000000000 -0400
3035 +++ linux-2.6.33.1/arch/sh/kernel/dma-nommu.c 2010-03-20 16:58:38.852765354 -0400
3036 @@ -62,7 +62,7 @@ static void nommu_sync_sg(struct device
3040 -struct dma_map_ops nommu_dma_ops = {
3041 +const struct dma_map_ops nommu_dma_ops = {
3042 .alloc_coherent = dma_generic_alloc_coherent,
3043 .free_coherent = dma_generic_free_coherent,
3044 .map_page = nommu_map_page,
3045 diff -urNp linux-2.6.33.1/arch/sh/kernel/kgdb.c linux-2.6.33.1/arch/sh/kernel/kgdb.c
3046 --- linux-2.6.33.1/arch/sh/kernel/kgdb.c 2010-03-15 12:09:39.000000000 -0400
3047 +++ linux-2.6.33.1/arch/sh/kernel/kgdb.c 2010-03-20 16:58:38.856769610 -0400
3048 @@ -271,7 +271,7 @@ void kgdb_arch_exit(void)
3052 -struct kgdb_arch arch_kgdb_ops = {
3053 +const struct kgdb_arch arch_kgdb_ops = {
3054 /* Breakpoint instruction: trapa #0x3c */
3055 #ifdef CONFIG_CPU_LITTLE_ENDIAN
3056 .gdb_bpt_instr = { 0x3c, 0xc3 },
3057 diff -urNp linux-2.6.33.1/arch/sh/mm/consistent.c linux-2.6.33.1/arch/sh/mm/consistent.c
3058 --- linux-2.6.33.1/arch/sh/mm/consistent.c 2010-03-15 12:09:39.000000000 -0400
3059 +++ linux-2.6.33.1/arch/sh/mm/consistent.c 2010-03-20 16:58:38.860748595 -0400
3062 #define PREALLOC_DMA_DEBUG_ENTRIES 4096
3064 -struct dma_map_ops *dma_ops;
3065 +const struct dma_map_ops *dma_ops;
3066 EXPORT_SYMBOL(dma_ops);
3068 static int __init dma_init(void)
3069 diff -urNp linux-2.6.33.1/arch/sparc/include/asm/atomic_64.h linux-2.6.33.1/arch/sparc/include/asm/atomic_64.h
3070 --- linux-2.6.33.1/arch/sparc/include/asm/atomic_64.h 2010-03-15 12:09:39.000000000 -0400
3071 +++ linux-2.6.33.1/arch/sparc/include/asm/atomic_64.h 2010-03-20 16:58:38.860748595 -0400
3073 #define ATOMIC64_INIT(i) { (i) }
3075 #define atomic_read(v) ((v)->counter)
3076 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
3078 + return v->counter;
3080 #define atomic64_read(v) ((v)->counter)
3081 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
3083 + return v->counter;
3086 #define atomic_set(v, i) (((v)->counter) = i)
3087 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
3091 #define atomic64_set(v, i) (((v)->counter) = i)
3092 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
3097 extern void atomic_add(int, atomic_t *);
3098 +extern void atomic_add_unchecked(int, atomic_unchecked_t *);
3099 extern void atomic64_add(int, atomic64_t *);
3100 +extern void atomic64_add_unchecked(int, atomic64_unchecked_t *);
3101 extern void atomic_sub(int, atomic_t *);
3102 +extern void atomic_sub_unchecked(int, atomic_unchecked_t *);
3103 extern void atomic64_sub(int, atomic64_t *);
3105 extern int atomic_add_ret(int, atomic_t *);
3106 extern int atomic64_add_ret(int, atomic64_t *);
3107 +extern int atomic64_add_ret_unchecked(int, atomic64_unchecked_t *);
3108 extern int atomic_sub_ret(int, atomic_t *);
3109 extern int atomic64_sub_ret(int, atomic64_t *);
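Review bot: `extern int atomic64_add_ret_unchecked(int, atomic64_unchecked_t *);` declares both the increment and the return value as 32-bit for a 64-bit counter, so `atomic64_inc_return_unchecked` in the next hunk returns a truncated value. It mirrors the existing `atomic64_add_ret` prototype, but the new declaration could be `extern long atomic64_add_ret_unchecked(long, atomic64_unchecked_t *);`, provided the assembly implementation (not visible here) returns the full register. `atomic64_add_unchecked` likewise takes an `int` increment, while `atomic64_set_unchecked` and `atomic64_read_unchecked` in this same hunk use `long`.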
3111 @@ -34,6 +54,7 @@ extern int atomic64_sub_ret(int, atomic6
3113 #define atomic_inc_return(v) atomic_add_ret(1, v)
3114 #define atomic64_inc_return(v) atomic64_add_ret(1, v)
3115 +#define atomic64_inc_return_unchecked(v) atomic64_add_ret_unchecked(1, v)
3117 #define atomic_sub_return(i, v) atomic_sub_ret(i, v)
3118 #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v)
3119 @@ -59,7 +80,15 @@ extern int atomic64_sub_ret(int, atomic6
3120 #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0)
3122 #define atomic_inc(v) atomic_add(1, v)
3123 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
3125 + atomic_add_unchecked(1, v);
3127 #define atomic64_inc(v) atomic64_add(1, v)
3128 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
3130 + atomic64_add_unchecked(1, v);
3133 #define atomic_dec(v) atomic_sub(1, v)
3134 #define atomic64_dec(v) atomic64_sub(1, v)
3135 @@ -72,17 +101,28 @@ extern int atomic64_sub_ret(int, atomic6
3137 static inline int atomic_add_unless(atomic_t *v, int a, int u)
3143 - if (unlikely(c == (u)))
3144 + if (unlikely(c == u))
3146 - old = atomic_cmpxchg((v), c, c + (a));
3148 + asm volatile("addcc %2, %0, %0\n"
3150 +#ifdef CONFIG_PAX_REFCOUNT
3155 + : "0" (c), "ir" (a)
3158 + old = atomic_cmpxchg(v, c, new);
3159 if (likely(old == c))
3167 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
3168 @@ -93,17 +133,28 @@ static inline int atomic_add_unless(atom
3170 static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
3174 c = atomic64_read(v);
3176 - if (unlikely(c == (u)))
3177 + if (unlikely(c == u))
3179 - old = atomic64_cmpxchg((v), c, c + (a));
3181 + asm volatile("addcc %2, %0, %0\n"
3183 +#ifdef CONFIG_PAX_REFCOUNT
3188 + : "0" (c), "ir" (a)
3191 + old = atomic64_cmpxchg(v, c, new);
3192 if (likely(old == c))
3200 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
3201 diff -urNp linux-2.6.33.1/arch/sparc/include/asm/dma-mapping.h linux-2.6.33.1/arch/sparc/include/asm/dma-mapping.h
3202 --- linux-2.6.33.1/arch/sparc/include/asm/dma-mapping.h 2010-03-15 12:09:39.000000000 -0400
3203 +++ linux-2.6.33.1/arch/sparc/include/asm/dma-mapping.h 2010-03-20 16:58:38.881211488 -0400
3204 @@ -14,10 +14,10 @@ extern int dma_set_mask(struct device *d
3205 #define dma_free_noncoherent(d, s, v, h) dma_free_coherent(d, s, v, h)
3206 #define dma_is_consistent(d, h) (1)
3208 -extern struct dma_map_ops *dma_ops, pci32_dma_ops;
3209 +extern struct const dma_map_ops *dma_ops, pci32_dma_ops;
3210 extern struct bus_type pci_bus_type;
3212 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3213 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3215 #if defined(CONFIG_SPARC32) && defined(CONFIG_PCI)
3216 if (dev->bus == &pci_bus_type)
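Review bot: The new declaration `extern struct const dma_map_ops *dma_ops, pci32_dma_ops;` puts `const` between `struct` and the tag, which is not valid C and will fail to compile wherever this header is included. It should read `extern const struct dma_map_ops *dma_ops, pci32_dma_ops;`, which also matches the `const struct dma_map_ops` definitions this patch makes in arch/sparc/kernel/ioport.c. get_dma_ops continues outside the hunk.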
3217 @@ -31,7 +31,7 @@ static inline struct dma_map_ops *get_dm
3218 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3219 dma_addr_t *dma_handle, gfp_t flag)
3221 - struct dma_map_ops *ops = get_dma_ops(dev);
3222 + const struct dma_map_ops *ops = get_dma_ops(dev);
3225 cpu_addr = ops->alloc_coherent(dev, size, dma_handle, flag);
3226 @@ -42,7 +42,7 @@ static inline void *dma_alloc_coherent(s
3227 static inline void dma_free_coherent(struct device *dev, size_t size,
3228 void *cpu_addr, dma_addr_t dma_handle)
3230 - struct dma_map_ops *ops = get_dma_ops(dev);
3231 + const struct dma_map_ops *ops = get_dma_ops(dev);
3233 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
3234 ops->free_coherent(dev, size, cpu_addr, dma_handle);
3235 diff -urNp linux-2.6.33.1/arch/sparc/include/asm/elf_32.h linux-2.6.33.1/arch/sparc/include/asm/elf_32.h
3236 --- linux-2.6.33.1/arch/sparc/include/asm/elf_32.h 2010-03-15 12:09:39.000000000 -0400
3237 +++ linux-2.6.33.1/arch/sparc/include/asm/elf_32.h 2010-03-20 16:58:38.884769570 -0400
3238 @@ -114,6 +114,13 @@ typedef struct {
3240 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
3242 +#ifdef CONFIG_PAX_ASLR
3243 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
3245 +#define PAX_DELTA_MMAP_LEN 16
3246 +#define PAX_DELTA_STACK_LEN 16
3249 /* This yields a mask that user programs can use to figure out what
3250 instruction set this cpu supports. This can NOT be done in userspace
3252 diff -urNp linux-2.6.33.1/arch/sparc/include/asm/elf_64.h linux-2.6.33.1/arch/sparc/include/asm/elf_64.h
3253 --- linux-2.6.33.1/arch/sparc/include/asm/elf_64.h 2010-03-15 12:09:39.000000000 -0400
3254 +++ linux-2.6.33.1/arch/sparc/include/asm/elf_64.h 2010-03-20 16:58:38.892779813 -0400
3255 @@ -162,6 +162,12 @@ typedef struct {
3256 #define ELF_ET_DYN_BASE 0x0000010000000000UL
3257 #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL
3259 +#ifdef CONFIG_PAX_ASLR
3260 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
3262 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28)
3263 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29)
3266 /* This yields a mask that user programs can use to figure out what
3267 instruction set this cpu supports. */
3268 diff -urNp linux-2.6.33.1/arch/sparc/include/asm/pgtable_32.h linux-2.6.33.1/arch/sparc/include/asm/pgtable_32.h
3269 --- linux-2.6.33.1/arch/sparc/include/asm/pgtable_32.h 2010-03-15 12:09:39.000000000 -0400
3270 +++ linux-2.6.33.1/arch/sparc/include/asm/pgtable_32.h 2010-03-20 16:58:38.892779813 -0400
3271 @@ -43,6 +43,13 @@ BTFIXUPDEF_SIMM13(user_ptrs_per_pgd)
3272 BTFIXUPDEF_INT(page_none)
3273 BTFIXUPDEF_INT(page_copy)
3274 BTFIXUPDEF_INT(page_readonly)
3276 +#ifdef CONFIG_PAX_PAGEEXEC
3277 +BTFIXUPDEF_INT(page_shared_noexec)
3278 +BTFIXUPDEF_INT(page_copy_noexec)
3279 +BTFIXUPDEF_INT(page_readonly_noexec)
3282 BTFIXUPDEF_INT(page_kernel)
3284 #define PMD_SHIFT SUN4C_PMD_SHIFT
3285 @@ -64,6 +71,16 @@ extern pgprot_t PAGE_SHARED;
3286 #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
3287 #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
3289 +#ifdef CONFIG_PAX_PAGEEXEC
3290 +extern pgprot_t PAGE_SHARED_NOEXEC;
3291 +# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
3292 +# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
3294 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
3295 +# define PAGE_COPY_NOEXEC PAGE_COPY
3296 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
3299 extern unsigned long page_kernel;
3302 diff -urNp linux-2.6.33.1/arch/sparc/include/asm/pgtsrmmu.h linux-2.6.33.1/arch/sparc/include/asm/pgtsrmmu.h
3303 --- linux-2.6.33.1/arch/sparc/include/asm/pgtsrmmu.h 2010-03-15 12:09:39.000000000 -0400
3304 +++ linux-2.6.33.1/arch/sparc/include/asm/pgtsrmmu.h 2010-03-20 16:58:38.917006269 -0400
3305 @@ -115,6 +115,13 @@
3306 SRMMU_EXEC | SRMMU_REF)
3307 #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
3308 SRMMU_EXEC | SRMMU_REF)
3310 +#ifdef CONFIG_PAX_PAGEEXEC
3311 +#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF)
3312 +#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3313 +#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3316 #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
3317 SRMMU_DIRTY | SRMMU_REF)
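Review bot: The three `SRMMU_PAGE_*_NOEXEC` macros are defined only under `CONFIG_PAX_PAGEEXEC`, and judging by the hunk's line count there is no `#else` branch, unlike the `PAGE_*_NOEXEC` fallbacks this patch adds to pgtable_32.h. Every user of these names must therefore sit under the same `#ifdef`, which is easy to miss. Adding fallbacks such as `#define SRMMU_PAGE_RDONLY_NOEXEC SRMMU_PAGE_RDONLY` in an `#else` branch would make the header safe to use unconditionally; if the omission is deliberate, a comment should say so.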
3319 diff -urNp linux-2.6.33.1/arch/sparc/include/asm/spinlock_64.h linux-2.6.33.1/arch/sparc/include/asm/spinlock_64.h
3320 --- linux-2.6.33.1/arch/sparc/include/asm/spinlock_64.h 2010-03-15 12:09:39.000000000 -0400
3321 +++ linux-2.6.33.1/arch/sparc/include/asm/spinlock_64.h 2010-03-20 16:58:38.917006269 -0400
3322 @@ -99,7 +99,12 @@ static void inline arch_read_lock(arch_r
3323 __asm__ __volatile__ (
3324 "1: ldsw [%2], %0\n"
3326 -"4: add %0, 1, %1\n"
3327 +"4: addcc %0, 1, %1\n"
3329 +#ifdef CONFIG_PAX_REFCOUNT
3333 " cas [%2], %0, %1\n"
3335 " bne,pn %%icc, 1b\n"
3336 @@ -112,7 +117,7 @@ static void inline arch_read_lock(arch_r
3338 : "=&r" (tmp1), "=&r" (tmp2)
3341 + : "memory", "cc");
3344 static int inline arch_read_trylock(arch_rwlock_t *lock)
3345 @@ -123,7 +128,12 @@ static int inline arch_read_trylock(arch
3346 "1: ldsw [%2], %0\n"
3347 " brlz,a,pn %0, 2f\n"
3350 +" addcc %0, 1, %1\n"
3352 +#ifdef CONFIG_PAX_REFCOUNT
3356 " cas [%2], %0, %1\n"
3358 " bne,pn %%icc, 1b\n"
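Review bot: `arch_read_trylock` here and `arch_read_unlock` in the next hunk switch to `addcc`/`subcc`, but neither hunk touches the asm clobber list, while `arch_read_lock` gains `: "memory", "cc");` earlier in this file. The clobber lines of these two functions lie outside their hunks, so this cannot be confirmed from here. If they still read `: "memory");`, they should be brought in line with `arch_read_lock` so the condition-code use is declared consistently across the three routines.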
3359 @@ -142,7 +152,12 @@ static void inline arch_read_unlock(arch
3361 __asm__ __volatile__(
3362 "1: lduw [%2], %0\n"
3364 +" subcc %0, 1, %1\n"
3366 +#ifdef CONFIG_PAX_REFCOUNT
3370 " cas [%2], %0, %1\n"
3372 " bne,pn %%xcc, 1b\n"
3373 diff -urNp linux-2.6.33.1/arch/sparc/include/asm/uaccess_32.h linux-2.6.33.1/arch/sparc/include/asm/uaccess_32.h
3374 --- linux-2.6.33.1/arch/sparc/include/asm/uaccess_32.h 2010-03-15 12:09:39.000000000 -0400
3375 +++ linux-2.6.33.1/arch/sparc/include/asm/uaccess_32.h 2010-03-20 16:58:38.917006269 -0400
3376 @@ -249,14 +249,25 @@ extern unsigned long __copy_user(void __
3378 static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
3380 - if (n && __access_ok((unsigned long) to, n))
3384 + if (n && __access_ok((unsigned long) to, n)) {
3385 + if (!__builtin_constant_p(n))
3386 + check_object_size(from, n, true);
3387 return __copy_user(to, (__force void __user *) from, n);
3393 static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
3398 + if (!__builtin_constant_p(n))
3399 + check_object_size(from, n, true);
3401 return __copy_user(to, (__force void __user *) from, n);
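Review bot: `check_object_size()` is called from `copy_to_user` and `__copy_to_user` here, and from `copy_from_user` in the next hunk, but no hunk in this file declares it or adds an include. The uaccess_64.h section of the same patch adds both `extern void check_object_size(const void *ptr, unsigned long n, bool to);` and `#include <linux/kernel.h>`. Unless a header already included by uaccess_32.h declares it (not visible here), the same `extern` line should be added to this file. A missing prototype is also more likely to go unnoticed because this patch comments out `-Werror` in arch/sparc/kernel/Makefile.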
3404 @@ -272,19 +283,27 @@ static inline unsigned long copy_from_us
3406 int sz = __compiletime_object_size(to);
3411 if (unlikely(sz != -1 && sz < n)) {
3412 copy_from_user_overflow();
3416 - if (n && __access_ok((unsigned long) from, n))
3417 + if (n && __access_ok((unsigned long) from, n)) {
3418 + if (!__builtin_constant_p(n))
3419 + check_object_size(to, n, false);
3420 return __copy_user((__force void __user *) to, from, n);
3426 static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
3431 return __copy_user((__force void __user *) to, from, n);
3434 diff -urNp linux-2.6.33.1/arch/sparc/include/asm/uaccess_64.h linux-2.6.33.1/arch/sparc/include/asm/uaccess_64.h
3435 --- linux-2.6.33.1/arch/sparc/include/asm/uaccess_64.h 2010-03-15 12:09:39.000000000 -0400
3436 +++ linux-2.6.33.1/arch/sparc/include/asm/uaccess_64.h 2010-03-20 16:58:38.924784570 -0400
3438 #include <linux/compiler.h>
3439 #include <linux/string.h>
3440 #include <linux/thread_info.h>
3441 +#include <linux/kernel.h>
3442 #include <asm/asi.h>
3443 #include <asm/system.h>
3444 #include <asm/spitfire.h>
3445 @@ -204,6 +205,7 @@ __asm__ __volatile__( \
3446 : "=r" (x) : "r" (__m(addr)), "i" (retval))
3448 extern int __get_user_bad(void);
3449 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
3451 extern void copy_from_user_overflow(void)
3452 #ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
3453 @@ -224,6 +226,12 @@ copy_from_user(void *to, const void __us
3454 int sz = __compiletime_object_size(to);
3455 unsigned long ret = size;
3457 + if ((long)size < 0 || size > INT_MAX)
3460 + if (!__builtin_constant_p(size))
3461 + check_object_size(to, size, false);
3463 if (likely(sz == -1 || sz >= size)) {
3464 ret = ___copy_from_user(to, from, size);
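Review bot: In `if ((long)size < 0 || size > INT_MAX)` the first test is redundant, because `size` is `unsigned long` and every value with the sign bit set is already greater than `INT_MAX`. `if (size > INT_MAX)` states the bound once and reads more clearly; the same expression appears in the `copy_to_user` hunk at -243. The statement executed when the test fires is not visible in this view, so what callers receive for an oversized length should be covered by the function comment. copy_from_user starts and ends outside the hunk.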
3466 @@ -243,8 +251,15 @@ extern unsigned long copy_to_user_fixup(
3467 static inline unsigned long __must_check
3468 copy_to_user(void __user *to, const void *from, unsigned long size)
3470 - unsigned long ret = ___copy_to_user(to, from, size);
3471 + unsigned long ret;
3473 + if ((long)size < 0 || size > INT_MAX)
3476 + if (!__builtin_constant_p(size))
3477 + check_object_size(from, size, true);
3479 + ret = ___copy_to_user(to, from, size);
3481 ret = copy_to_user_fixup(to, from, size);
3483 diff -urNp linux-2.6.33.1/arch/sparc/kernel/iommu.c linux-2.6.33.1/arch/sparc/kernel/iommu.c
3484 --- linux-2.6.33.1/arch/sparc/kernel/iommu.c 2010-03-15 12:09:39.000000000 -0400
3485 +++ linux-2.6.33.1/arch/sparc/kernel/iommu.c 2010-03-20 16:58:38.928788728 -0400
3486 @@ -827,7 +827,7 @@ static void dma_4u_sync_sg_for_cpu(struc
3487 spin_unlock_irqrestore(&iommu->lock, flags);
3490 -static struct dma_map_ops sun4u_dma_ops = {
3491 +static const struct dma_map_ops sun4u_dma_ops = {
3492 .alloc_coherent = dma_4u_alloc_coherent,
3493 .free_coherent = dma_4u_free_coherent,
3494 .map_page = dma_4u_map_page,
3495 @@ -838,7 +838,7 @@ static struct dma_map_ops sun4u_dma_ops
3496 .sync_sg_for_cpu = dma_4u_sync_sg_for_cpu,
3499 -struct dma_map_ops *dma_ops = &sun4u_dma_ops;
3500 +const struct dma_map_ops *dma_ops = &sun4u_dma_ops;
3501 EXPORT_SYMBOL(dma_ops);
3503 extern int pci64_dma_supported(struct pci_dev *pdev, u64 device_mask);
3504 diff -urNp linux-2.6.33.1/arch/sparc/kernel/ioport.c linux-2.6.33.1/arch/sparc/kernel/ioport.c
3505 --- linux-2.6.33.1/arch/sparc/kernel/ioport.c 2010-03-15 12:09:39.000000000 -0400
3506 +++ linux-2.6.33.1/arch/sparc/kernel/ioport.c 2010-03-20 16:58:38.940791948 -0400
3507 @@ -397,7 +397,7 @@ static void sbus_sync_sg_for_device(stru
3511 -struct dma_map_ops sbus_dma_ops = {
3512 +const struct dma_map_ops sbus_dma_ops = {
3513 .alloc_coherent = sbus_alloc_coherent,
3514 .free_coherent = sbus_free_coherent,
3515 .map_page = sbus_map_page,
3516 @@ -408,7 +408,7 @@ struct dma_map_ops sbus_dma_ops = {
3517 .sync_sg_for_device = sbus_sync_sg_for_device,
3520 -struct dma_map_ops *dma_ops = &sbus_dma_ops;
3521 +const struct dma_map_ops *dma_ops = &sbus_dma_ops;
3522 EXPORT_SYMBOL(dma_ops);
3524 static int __init sparc_register_ioport(void)
3525 @@ -645,7 +645,7 @@ static void pci32_sync_sg_for_device(str
3529 -struct dma_map_ops pci32_dma_ops = {
3530 +const struct dma_map_ops pci32_dma_ops = {
3531 .alloc_coherent = pci32_alloc_coherent,
3532 .free_coherent = pci32_free_coherent,
3533 .map_page = pci32_map_page,
3534 diff -urNp linux-2.6.33.1/arch/sparc/kernel/kgdb_32.c linux-2.6.33.1/arch/sparc/kernel/kgdb_32.c
3535 --- linux-2.6.33.1/arch/sparc/kernel/kgdb_32.c 2010-03-15 12:09:39.000000000 -0400
3536 +++ linux-2.6.33.1/arch/sparc/kernel/kgdb_32.c 2010-03-20 16:58:38.940791948 -0400
3537 @@ -158,7 +158,7 @@ void kgdb_arch_exit(void)
3541 -struct kgdb_arch arch_kgdb_ops = {
3542 +const struct kgdb_arch arch_kgdb_ops = {
3543 /* Breakpoint instruction: ta 0x7d */
3544 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x7d },
3546 diff -urNp linux-2.6.33.1/arch/sparc/kernel/kgdb_64.c linux-2.6.33.1/arch/sparc/kernel/kgdb_64.c
3547 --- linux-2.6.33.1/arch/sparc/kernel/kgdb_64.c 2010-03-15 12:09:39.000000000 -0400
3548 +++ linux-2.6.33.1/arch/sparc/kernel/kgdb_64.c 2010-03-20 16:58:38.940791948 -0400
3549 @@ -180,7 +180,7 @@ void kgdb_arch_exit(void)
3553 -struct kgdb_arch arch_kgdb_ops = {
3554 +const struct kgdb_arch arch_kgdb_ops = {
3555 /* Breakpoint instruction: ta 0x72 */
3556 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x72 },
3558 diff -urNp linux-2.6.33.1/arch/sparc/kernel/Makefile linux-2.6.33.1/arch/sparc/kernel/Makefile
3559 --- linux-2.6.33.1/arch/sparc/kernel/Makefile 2010-03-15 12:09:39.000000000 -0400
3560 +++ linux-2.6.33.1/arch/sparc/kernel/Makefile 2010-03-20 16:58:38.944776638 -0400
3565 -ccflags-y := -Werror
3566 +#ccflags-y := -Werror
3568 extra-y := head_$(BITS).o
3569 extra-y += init_task.o
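Review bot: Commenting out `ccflags-y := -Werror` turns off warnings-as-errors for the whole of arch/sparc/kernel without saying why, and the same edit is made to arch/sparc/mm/Makefile later in the patch. These directories receive the new fault-handling and constification code, where a qualifier or pointer-type warning is worth seeing. If a particular warning forced this, fixing it at the source is preferable. Otherwise leave a note next to the disabled line, such as `# -Werror disabled: <file and warning that trips it>`.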
3570 diff -urNp linux-2.6.33.1/arch/sparc/kernel/pci_sun4v.c linux-2.6.33.1/arch/sparc/kernel/pci_sun4v.c
3571 --- linux-2.6.33.1/arch/sparc/kernel/pci_sun4v.c 2010-03-15 12:09:39.000000000 -0400
3572 +++ linux-2.6.33.1/arch/sparc/kernel/pci_sun4v.c 2010-03-20 16:58:38.944776638 -0400
3573 @@ -525,7 +525,7 @@ static void dma_4v_unmap_sg(struct devic
3574 spin_unlock_irqrestore(&iommu->lock, flags);
3577 -static struct dma_map_ops sun4v_dma_ops = {
3578 +static const struct dma_map_ops sun4v_dma_ops = {
3579 .alloc_coherent = dma_4v_alloc_coherent,
3580 .free_coherent = dma_4v_free_coherent,
3581 .map_page = dma_4v_map_page,
3582 diff -urNp linux-2.6.33.1/arch/sparc/kernel/sys_sparc_32.c linux-2.6.33.1/arch/sparc/kernel/sys_sparc_32.c
3583 --- linux-2.6.33.1/arch/sparc/kernel/sys_sparc_32.c 2010-03-15 12:09:39.000000000 -0400
3584 +++ linux-2.6.33.1/arch/sparc/kernel/sys_sparc_32.c 2010-03-20 16:58:38.944776638 -0400
3585 @@ -57,7 +57,7 @@ unsigned long arch_get_unmapped_area(str
3586 if (ARCH_SUN4C && len > 0x20000000)
3589 - addr = TASK_UNMAPPED_BASE;
3590 + addr = current->mm->mmap_base;
3592 if (flags & MAP_SHARED)
3593 addr = COLOUR_ALIGN(addr);
3594 diff -urNp linux-2.6.33.1/arch/sparc/kernel/sys_sparc_64.c linux-2.6.33.1/arch/sparc/kernel/sys_sparc_64.c
3595 --- linux-2.6.33.1/arch/sparc/kernel/sys_sparc_64.c 2010-03-15 12:09:39.000000000 -0400
3596 +++ linux-2.6.33.1/arch/sparc/kernel/sys_sparc_64.c 2010-03-20 16:58:38.948763345 -0400
3597 @@ -125,7 +125,7 @@ unsigned long arch_get_unmapped_area(str
3598 /* We do not accept a shared mapping if it would violate
3599 * cache aliasing constraints.
3601 - if ((flags & MAP_SHARED) &&
3602 + if ((filp || (flags & MAP_SHARED)) &&
3603 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
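Review bot: The comment above the check still speaks of "a shared mapping", but the new condition `if ((filp || (flags & MAP_SHARED)) &&` also applies the SHMLBA congruence test to private file-backed mappings at a fixed address. The comment should say so, for example `/* We do not accept a file-backed or shared mapping if it would violate cache aliasing constraints. */`. The statement that follows the condition is not visible here; if it is the rejection path, callers that place private file mappings at fixed addresses not congruent modulo SHMLBA will start failing, which deserves a line in the changelog. The same change and the same stale comment appear in the arch_get_unmapped_area_topdown hunk further down, and both function bodies continue outside their hunks.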
3606 @@ -140,6 +140,10 @@ unsigned long arch_get_unmapped_area(str
3607 if (filp || (flags & MAP_SHARED))
3610 +#ifdef CONFIG_PAX_RANDMMAP
3611 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
3616 addr = COLOUR_ALIGN(addr, pgoff);
3617 @@ -153,9 +157,9 @@ unsigned long arch_get_unmapped_area(str
3620 if (len > mm->cached_hole_size) {
3621 - start_addr = addr = mm->free_area_cache;
3622 + start_addr = addr = mm->free_area_cache;
3624 - start_addr = addr = TASK_UNMAPPED_BASE;
3625 + start_addr = addr = mm->mmap_base;
3626 mm->cached_hole_size = 0;
3629 @@ -175,8 +179,8 @@ full_search:
3630 vma = find_vma(mm, VA_EXCLUDE_END);
3632 if (unlikely(task_size < addr)) {
3633 - if (start_addr != TASK_UNMAPPED_BASE) {
3634 - start_addr = addr = TASK_UNMAPPED_BASE;
3635 + if (start_addr != mm->mmap_base) {
3636 + start_addr = addr = mm->mmap_base;
3637 mm->cached_hole_size = 0;
3640 @@ -216,7 +220,7 @@ arch_get_unmapped_area_topdown(struct fi
3641 /* We do not accept a shared mapping if it would violate
3642 * cache aliasing constraints.
3644 - if ((flags & MAP_SHARED) &&
3645 + if ((filp || (flags & MAP_SHARED)) &&
3646 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
3649 @@ -386,6 +390,12 @@ void arch_pick_mmap_layout(struct mm_str
3650 gap == RLIM_INFINITY ||
3651 sysctl_legacy_va_layout) {
3652 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
3654 +#ifdef CONFIG_PAX_RANDMMAP
3655 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3656 + mm->mmap_base += mm->delta_mmap;
3659 mm->get_unmapped_area = arch_get_unmapped_area;
3660 mm->unmap_area = arch_unmap_area;
3662 @@ -398,6 +408,12 @@ void arch_pick_mmap_layout(struct mm_str
3663 gap = (task_size / 6 * 5);
3665 mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
3667 +#ifdef CONFIG_PAX_RANDMMAP
3668 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3669 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3672 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3673 mm->unmap_area = arch_unmap_area_topdown;
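Review bot: Nothing in this hunk bounds the subtraction at `mm->mmap_base -= mm->delta_mmap + mm->delta_stack;`, which is applied after `PAGE_ALIGN(task_size - gap - random_factor)` has already consumed the stock randomisation. If gap, random_factor and the two PaX deltas can together exceed task_size, the base wraps to a very high address instead of failing. The delta ranges are set outside this hunk, so this may be unreachable in practice. If it is, a one-line comment stating the bound that guarantees it, or a fallback to the legacy layout when the result would drop below a minimum, would make that explicit. The legacy branch in the previous hunk stacks `delta_mmap` on top of `random_factor` in the same way.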
3675 diff -urNp linux-2.6.33.1/arch/sparc/kernel/traps_64.c linux-2.6.33.1/arch/sparc/kernel/traps_64.c
3676 --- linux-2.6.33.1/arch/sparc/kernel/traps_64.c 2010-03-15 12:09:39.000000000 -0400
3677 +++ linux-2.6.33.1/arch/sparc/kernel/traps_64.c 2010-03-20 16:58:38.948763345 -0400
3678 @@ -93,6 +93,12 @@ void bad_trap(struct pt_regs *regs, long
3681 if (regs->tstate & TSTATE_PRIV) {
3683 +#ifdef CONFIG_PAX_REFCOUNT
3685 + pax_report_refcount_overflow(regs);
3688 sprintf(buffer, "Kernel bad sw trap %lx", lvl);
3689 die_if_kernel(buffer, regs);
3691 @@ -111,11 +117,16 @@ void bad_trap(struct pt_regs *regs, long
3692 void bad_trap_tl1(struct pt_regs *regs, long lvl)
3697 if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs,
3698 0, lvl, SIGTRAP) == NOTIFY_STOP)
3701 +#ifdef CONFIG_PAX_REFCOUNT
3703 + pax_report_refcount_overflow(regs);
3706 dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
3708 sprintf (buffer, "Bad trap %lx at tl>0", lvl);
3709 diff -urNp linux-2.6.33.1/arch/sparc/lib/atomic_64.S linux-2.6.33.1/arch/sparc/lib/atomic_64.S
3710 --- linux-2.6.33.1/arch/sparc/lib/atomic_64.S 2010-03-15 12:09:39.000000000 -0400
3711 +++ linux-2.6.33.1/arch/sparc/lib/atomic_64.S 2010-03-20 16:58:38.952780321 -0400
3713 atomic_add: /* %o0 = increment, %o1 = atomic_ptr */
3717 + addcc %g1, %o0, %g7
3719 +#ifdef CONFIG_PAX_REFCOUNT
3726 @@ -28,12 +33,32 @@ atomic_add: /* %o0 = increment, %o1 = at
3727 2: BACKOFF_SPIN(%o2, %o3, 1b)
3728 .size atomic_add, .-atomic_add
3730 + .globl atomic_add_unchecked
3731 + .type atomic_add_unchecked,#function
3732 +atomic_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
3733 + BACKOFF_SETUP(%o2)
3736 + cas [%o1], %g1, %g7
3742 +2: BACKOFF_SPIN(%o2, %o3, 1b)
3743 + .size atomic_add_unchecked, .-atomic_add_unchecked
3746 .type atomic_sub,#function
3747 atomic_sub: /* %o0 = decrement, %o1 = atomic_ptr */
3751 + subcc %g1, %o0, %g7
3753 +#ifdef CONFIG_PAX_REFCOUNT
3760 @@ -43,12 +68,32 @@ atomic_sub: /* %o0 = decrement, %o1 = at
3761 2: BACKOFF_SPIN(%o2, %o3, 1b)
3762 .size atomic_sub, .-atomic_sub
3764 + .globl atomic_sub_unchecked
3765 + .type atomic_sub_unchecked,#function
3766 +atomic_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
3767 + BACKOFF_SETUP(%o2)
3770 + cas [%o1], %g1, %g7
3776 +2: BACKOFF_SPIN(%o2, %o3, 1b)
3777 + .size atomic_sub_unchecked, .-atomic_sub_unchecked
3779 .globl atomic_add_ret
3780 .type atomic_add_ret,#function
3781 atomic_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
3785 + addcc %g1, %o0, %g7
3787 +#ifdef CONFIG_PAX_REFCOUNT
3794 @@ -64,7 +109,12 @@ atomic_add_ret: /* %o0 = increment, %o1
3795 atomic_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
3799 + subcc %g1, %o0, %g7
3801 +#ifdef CONFIG_PAX_REFCOUNT
3808 @@ -80,7 +130,12 @@ atomic_sub_ret: /* %o0 = decrement, %o1
3809 atomic64_add: /* %o0 = increment, %o1 = atomic_ptr */
3813 + addcc %g1, %o0, %g7
3815 +#ifdef CONFIG_PAX_REFCOUNT
3819 casx [%o1], %g1, %g7
3822 @@ -90,12 +145,32 @@ atomic64_add: /* %o0 = increment, %o1 =
3823 2: BACKOFF_SPIN(%o2, %o3, 1b)
3824 .size atomic64_add, .-atomic64_add
3826 + .globl atomic64_add_unchecked
3827 + .type atomic64_add_unchecked,#function
3828 +atomic64_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
3829 + BACKOFF_SETUP(%o2)
3831 + addcc %g1, %o0, %g7
3832 + casx [%o1], %g1, %g7
3838 +2: BACKOFF_SPIN(%o2, %o3, 1b)
3839 + .size atomic64_add_unchecked, .-atomic64_add_unchecked
3842 .type atomic64_sub,#function
3843 atomic64_sub: /* %o0 = decrement, %o1 = atomic_ptr */
3847 + subcc %g1, %o0, %g7
3849 +#ifdef CONFIG_PAX_REFCOUNT
3853 casx [%o1], %g1, %g7
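Review bot: In `atomic64_add_unchecked` the sum is formed with `addcc %g1, %o0, %g7` and is followed directly by `casx`, with no overflow trap between them, so setting the condition codes serves no purpose in the variant that is meant to skip the check. Plain `add %g1, %o0, %g7` would state the intent and keep the unchecked routines visibly distinct from the checked ones. `atomic64_add_ret_unchecked` in the later hunk has the same `addcc`. Several lines of these routines are missing from this listing, so confirm that nothing after the `casx` depends on the flags before changing it.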
3856 @@ -110,7 +185,12 @@ atomic64_sub: /* %o0 = decrement, %o1 =
3857 atomic64_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
3861 + addcc %g1, %o0, %g7
3863 +#ifdef CONFIG_PAX_REFCOUNT
3867 casx [%o1], %g1, %g7
3870 @@ -121,12 +201,33 @@ atomic64_add_ret: /* %o0 = increment, %o
3871 2: BACKOFF_SPIN(%o2, %o3, 1b)
3872 .size atomic64_add_ret, .-atomic64_add_ret
3874 + .globl atomic64_add_ret_unchecked
3875 + .type atomic64_add_ret_unchecked,#function
3876 +atomic64_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
3877 + BACKOFF_SETUP(%o2)
3879 + addcc %g1, %o0, %g7
3880 + casx [%o1], %g1, %g7
3887 +2: BACKOFF_SPIN(%o2, %o3, 1b)
3888 + .size atomic64_add_ret_unchecked, .-atomic64_add_ret_unchecked
3890 .globl atomic64_sub_ret
3891 .type atomic64_sub_ret,#function
3892 atomic64_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
3896 + subcc %g1, %o0, %g7
3898 +#ifdef CONFIG_PAX_REFCOUNT
3902 casx [%o1], %g1, %g7
3905 diff -urNp linux-2.6.33.1/arch/sparc/lib/ksyms.c linux-2.6.33.1/arch/sparc/lib/ksyms.c
3906 --- linux-2.6.33.1/arch/sparc/lib/ksyms.c 2010-03-15 12:09:39.000000000 -0400
3907 +++ linux-2.6.33.1/arch/sparc/lib/ksyms.c 2010-03-20 16:58:38.956579787 -0400
3908 @@ -142,8 +142,10 @@ EXPORT_SYMBOL(__downgrade_write);
3910 /* Atomic counter implementation. */
3911 EXPORT_SYMBOL(atomic_add);
3912 +EXPORT_SYMBOL(atomic_add_unchecked);
3913 EXPORT_SYMBOL(atomic_add_ret);
3914 EXPORT_SYMBOL(atomic_sub);
3915 +EXPORT_SYMBOL(atomic_sub_unchecked);
3916 EXPORT_SYMBOL(atomic_sub_ret);
3917 EXPORT_SYMBOL(atomic64_add);
3918 EXPORT_SYMBOL(atomic64_add_ret);
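Review bot: This hunk exports `atomic_add_unchecked` and `atomic_sub_unchecked`, but not the 64-bit unchecked routines that the atomic_64.S changes also add. A module that calls `atomic64_add_unchecked` or `atomic64_add_ret_unchecked` would fail to resolve them unless they are exported elsewhere, which is not visible in this patch section. If they are meant to be usable from modules, add `EXPORT_SYMBOL(atomic64_add_unchecked);` and `EXPORT_SYMBOL(atomic64_add_ret_unchecked);` next to the existing atomic64 exports.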
3919 diff -urNp linux-2.6.33.1/arch/sparc/lib/rwsem_64.S linux-2.6.33.1/arch/sparc/lib/rwsem_64.S
3920 --- linux-2.6.33.1/arch/sparc/lib/rwsem_64.S 2010-03-15 12:09:39.000000000 -0400
3921 +++ linux-2.6.33.1/arch/sparc/lib/rwsem_64.S 2010-03-20 16:58:38.956579787 -0400
3929 +#ifdef CONFIG_PAX_REFCOUNT
3936 @@ -33,7 +38,12 @@ __down_read:
3937 .globl __down_read_trylock
3938 __down_read_trylock:
3943 +#ifdef CONFIG_PAX_REFCOUNT
3950 @@ -51,7 +61,12 @@ __down_write:
3951 or %g1, %lo(RWSEM_ACTIVE_WRITE_BIAS), %g1
3955 + addcc %g3, %g1, %g7
3957 +#ifdef CONFIG_PAX_REFCOUNT
3964 @@ -77,7 +92,12 @@ __down_write_trylock:
3969 + addcc %g3, %g1, %g7
3971 +#ifdef CONFIG_PAX_REFCOUNT
3978 @@ -90,7 +110,12 @@ __down_write_trylock:
3985 +#ifdef CONFIG_PAX_REFCOUNT
3992 @@ -118,7 +143,12 @@ __up_write:
3993 or %g1, %lo(RWSEM_ACTIVE_WRITE_BIAS), %g1
3997 + subcc %g3, %g1, %g7
3999 +#ifdef CONFIG_PAX_REFCOUNT
4006 @@ -143,7 +173,12 @@ __downgrade_write:
4007 or %g1, %lo(RWSEM_WAITING_BIAS), %g1
4011 + subcc %g3, %g1, %g7
4013 +#ifdef CONFIG_PAX_REFCOUNT
4020 diff -urNp linux-2.6.33.1/arch/sparc/Makefile linux-2.6.33.1/arch/sparc/Makefile
4021 --- linux-2.6.33.1/arch/sparc/Makefile 2010-03-15 12:09:39.000000000 -0400
4022 +++ linux-2.6.33.1/arch/sparc/Makefile 2010-03-20 16:58:38.956579787 -0400
4023 @@ -75,7 +75,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
4024 # Export what is needed by arch/sparc/boot/Makefile
4025 export VMLINUX_INIT VMLINUX_MAIN
4026 VMLINUX_INIT := $(head-y) $(init-y)
4027 -VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/
4028 +VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
4029 VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y)
4030 VMLINUX_MAIN += $(drivers-y) $(net-y)
4032 diff -urNp linux-2.6.33.1/arch/sparc/mm/fault_32.c linux-2.6.33.1/arch/sparc/mm/fault_32.c
4033 --- linux-2.6.33.1/arch/sparc/mm/fault_32.c 2010-03-15 12:09:39.000000000 -0400
4034 +++ linux-2.6.33.1/arch/sparc/mm/fault_32.c 2010-03-20 16:58:38.956579787 -0400
4036 #include <linux/interrupt.h>
4037 #include <linux/module.h>
4038 #include <linux/kdebug.h>
4039 +#include <linux/slab.h>
4040 +#include <linux/pagemap.h>
4041 +#include <linux/compiler.h>
4043 #include <asm/system.h>
4044 #include <asm/page.h>
4045 @@ -168,6 +171,267 @@ static unsigned long compute_si_addr(str
4046 return safe_compute_effective_address(regs, insn);
4049 +#ifdef CONFIG_PAX_PAGEEXEC
4050 +#ifdef CONFIG_PAX_DLRESOLVE
4051 +static void pax_emuplt_close(struct vm_area_struct *vma)
4053 + vma->vm_mm->call_dl_resolve = 0UL;
4056 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
4058 + unsigned int *kaddr;
4060 + vmf->page = alloc_page(GFP_HIGHUSER);
4062 + return VM_FAULT_OOM;
4064 + kaddr = kmap(vmf->page);
4065 + memset(kaddr, 0, PAGE_SIZE);
4066 + kaddr[0] = 0x9DE3BFA8U; /* save */
4067 + flush_dcache_page(vmf->page);
4068 + kunmap(vmf->page);
4069 + return VM_FAULT_MAJOR;
4072 +static const struct vm_operations_struct pax_vm_ops = {
4073 + .close = pax_emuplt_close,
4074 + .fault = pax_emuplt_fault
4077 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
4081 + vma->vm_mm = current->mm;
4082 + vma->vm_start = addr;
4083 + vma->vm_end = addr + PAGE_SIZE;
4084 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
4085 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
4086 + vma->vm_ops = &pax_vm_ops;
4088 + ret = insert_vm_struct(current->mm, vma);
4092 + ++current->mm->total_vm;
4098 + * PaX: decide what to do with offenders (regs->pc = fault address)
4100 + * returns 1 when task should be killed
4101 + * 2 when patched PLT trampoline was detected
4102 + * 3 when unpatched PLT trampoline was detected
4104 +static int pax_handle_fetch_fault(struct pt_regs *regs)
4107 +#ifdef CONFIG_PAX_EMUPLT
4110 + do { /* PaX: patched PLT emulation #1 */
4111 + unsigned int sethi1, sethi2, jmpl;
4113 + err = get_user(sethi1, (unsigned int *)regs->pc);
4114 + err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
4115 + err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
4120 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
4121 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
4122 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
4124 + unsigned int addr;
4126 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
4127 + addr = regs->u_regs[UREG_G1];
4128 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4130 + regs->npc = addr+4;
4135 + { /* PaX: patched PLT emulation #2 */
4138 + err = get_user(ba, (unsigned int *)regs->pc);
4140 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
4141 + unsigned int addr;
4143 + addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
4145 + regs->npc = addr+4;
4150 + do { /* PaX: patched PLT emulation #3 */
4151 + unsigned int sethi, jmpl, nop;
4153 + err = get_user(sethi, (unsigned int *)regs->pc);
4154 + err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
4155 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
4160 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4161 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
4162 + nop == 0x01000000U)
4164 + unsigned int addr;
4166 + addr = (sethi & 0x003FFFFFU) << 10;
4167 + regs->u_regs[UREG_G1] = addr;
4168 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4170 + regs->npc = addr+4;
4175 + do { /* PaX: unpatched PLT emulation step 1 */
4176 + unsigned int sethi, ba, nop;
4178 + err = get_user(sethi, (unsigned int *)regs->pc);
4179 + err |= get_user(ba, (unsigned int *)(regs->pc+4));
4180 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
4185 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4186 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
4187 + nop == 0x01000000U)
4189 + unsigned int addr, save, call;
4191 + if ((ba & 0xFFC00000U) == 0x30800000U)
4192 + addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
4194 + addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
4196 + err = get_user(save, (unsigned int *)addr);
4197 + err |= get_user(call, (unsigned int *)(addr+4));
4198 + err |= get_user(nop, (unsigned int *)(addr+8));
4202 +#ifdef CONFIG_PAX_DLRESOLVE
4203 + if (save == 0x9DE3BFA8U &&
4204 + (call & 0xC0000000U) == 0x40000000U &&
4205 + nop == 0x01000000U)
4207 + struct vm_area_struct *vma;
4208 + unsigned long call_dl_resolve;
4210 + down_read(¤t->mm->mmap_sem);
4211 + call_dl_resolve = current->mm->call_dl_resolve;
4212 + up_read(¤t->mm->mmap_sem);
4213 + if (likely(call_dl_resolve))
4216 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
4218 + down_write(¤t->mm->mmap_sem);
4219 + if (current->mm->call_dl_resolve) {
4220 + call_dl_resolve = current->mm->call_dl_resolve;
4221 + up_write(¤t->mm->mmap_sem);
4223 + kmem_cache_free(vm_area_cachep, vma);
4227 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
4228 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
4229 + up_write(¤t->mm->mmap_sem);
4231 + kmem_cache_free(vm_area_cachep, vma);
4235 + if (pax_insert_vma(vma, call_dl_resolve)) {
4236 + up_write(¤t->mm->mmap_sem);
4237 + kmem_cache_free(vm_area_cachep, vma);
4241 + current->mm->call_dl_resolve = call_dl_resolve;
4242 + up_write(¤t->mm->mmap_sem);
4245 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4246 + regs->pc = call_dl_resolve;
4247 + regs->npc = addr+4;
4252 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
4253 + if ((save & 0xFFC00000U) == 0x05000000U &&
4254 + (call & 0xFFFFE000U) == 0x85C0A000U &&
4255 + nop == 0x01000000U)
4257 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4258 + regs->u_regs[UREG_G2] = addr + 4;
4259 + addr = (save & 0x003FFFFFU) << 10;
4260 + addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4262 + regs->npc = addr+4;
4268 + do { /* PaX: unpatched PLT emulation step 2 */
4269 + unsigned int save, call, nop;
4271 + err = get_user(save, (unsigned int *)(regs->pc-4));
4272 + err |= get_user(call, (unsigned int *)regs->pc);
4273 + err |= get_user(nop, (unsigned int *)(regs->pc+4));
4277 + if (save == 0x9DE3BFA8U &&
4278 + (call & 0xC0000000U) == 0x40000000U &&
4279 + nop == 0x01000000U)
4281 + unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
4283 + regs->u_regs[UREG_RETPC] = regs->pc;
4284 + regs->pc = dl_resolve;
4285 + regs->npc = dl_resolve+4;
4294 +void pax_report_insns(void *pc, void *sp)
4298 + printk(KERN_ERR "PAX: bytes at PC: ");
4299 + for (i = 0; i < 8; i++) {
4301 + if (get_user(c, (unsigned int *)pc+i))
4302 + printk(KERN_CONT "???????? ");
4304 + printk(KERN_CONT "%08x ", c);
4310 asmlinkage void do_sparc_fault(struct pt_regs *regs, int text_fault, int write,
4311 unsigned long address)
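Review bot: Every `get_user()` in `pax_handle_fetch_fault` and `pax_report_insns` casts the faulting PC to a plain kernel pointer, as in `get_user(sethi1, (unsigned int *)regs->pc)`. That drops the `__user` address-space annotation, so sparse can no longer check that these user-controlled instruction words are only ever read through the user-access helpers. Writing the casts as `(unsigned int __user *)regs->pc`, and `(unsigned int __user *)pc+i` in `pax_report_insns`, keeps that checking intact. The fault_64.c hunk uses the same unannotated casts on `regs->tpc`. Separately, the return codes 1, 2 and 3 documented above `pax_handle_fetch_fault` would be easier to follow at the `switch` in `do_sparc_fault` as named constants.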
4313 @@ -234,6 +498,24 @@ good_area:
4314 if(!(vma->vm_flags & VM_WRITE))
4318 +#ifdef CONFIG_PAX_PAGEEXEC
4319 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
4320 + up_read(&mm->mmap_sem);
4321 + switch (pax_handle_fetch_fault(regs)) {
4323 +#ifdef CONFIG_PAX_EMUPLT
4330 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
4331 + do_group_exit(SIGKILL);
4335 /* Allow reads even for write-only mappings */
4336 if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
4338 diff -urNp linux-2.6.33.1/arch/sparc/mm/fault_64.c linux-2.6.33.1/arch/sparc/mm/fault_64.c
4339 --- linux-2.6.33.1/arch/sparc/mm/fault_64.c 2010-03-15 12:09:39.000000000 -0400
4340 +++ linux-2.6.33.1/arch/sparc/mm/fault_64.c 2010-03-20 16:58:38.956579787 -0400
4342 #include <linux/kprobes.h>
4343 #include <linux/kdebug.h>
4344 #include <linux/percpu.h>
4345 +#include <linux/slab.h>
4346 +#include <linux/pagemap.h>
4347 +#include <linux/compiler.h>
4349 #include <asm/page.h>
4350 #include <asm/pgtable.h>
4351 @@ -244,6 +247,456 @@ static void noinline __kprobes bogus_32b
4355 +#ifdef CONFIG_PAX_PAGEEXEC
4356 +#ifdef CONFIG_PAX_DLRESOLVE
4357 +static void pax_emuplt_close(struct vm_area_struct *vma)
4359 + vma->vm_mm->call_dl_resolve = 0UL;
4362 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
4364 + unsigned int *kaddr;
4366 + vmf->page = alloc_page(GFP_HIGHUSER);
4368 + return VM_FAULT_OOM;
4370 + kaddr = kmap(vmf->page);
4371 + memset(kaddr, 0, PAGE_SIZE);
4372 + kaddr[0] = 0x9DE3BFA8U; /* save */
4373 + flush_dcache_page(vmf->page);
4374 + kunmap(vmf->page);
4375 + return VM_FAULT_MAJOR;
4378 +static const struct vm_operations_struct pax_vm_ops = {
4379 + .close = pax_emuplt_close,
4380 + .fault = pax_emuplt_fault
4383 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
4387 + vma->vm_mm = current->mm;
4388 + vma->vm_start = addr;
4389 + vma->vm_end = addr + PAGE_SIZE;
4390 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
4391 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
4392 + vma->vm_ops = &pax_vm_ops;
4394 + ret = insert_vm_struct(current->mm, vma);
4398 + ++current->mm->total_vm;
4404 + * PaX: decide what to do with offenders (regs->tpc = fault address)
4406 + * returns 1 when task should be killed
4407 + * 2 when patched PLT trampoline was detected
4408 + * 3 when unpatched PLT trampoline was detected
4410 +static int pax_handle_fetch_fault(struct pt_regs *regs)
4413 +#ifdef CONFIG_PAX_EMUPLT
4416 + do { /* PaX: patched PLT emulation #1 */
4417 + unsigned int sethi1, sethi2, jmpl;
4419 + err = get_user(sethi1, (unsigned int *)regs->tpc);
4420 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
4421 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
4426 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
4427 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
4428 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
4430 + unsigned long addr;
4432 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
4433 + addr = regs->u_regs[UREG_G1];
4434 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
4436 + if (test_thread_flag(TIF_32BIT))
4437 + addr &= 0xFFFFFFFFUL;
4440 + regs->tnpc = addr+4;
4445 + { /* PaX: patched PLT emulation #2 */
4448 + err = get_user(ba, (unsigned int *)regs->tpc);
4450 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
4451 + unsigned long addr;
4453 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
4455 + if (test_thread_flag(TIF_32BIT))
4456 + addr &= 0xFFFFFFFFUL;
4459 + regs->tnpc = addr+4;
4464 + do { /* PaX: patched PLT emulation #3 */
4465 + unsigned int sethi, jmpl, nop;
4467 + err = get_user(sethi, (unsigned int *)regs->tpc);
4468 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
4469 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
4474 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4475 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
4476 + nop == 0x01000000U)
4478 + unsigned long addr;
4480 + addr = (sethi & 0x003FFFFFU) << 10;
4481 + regs->u_regs[UREG_G1] = addr;
4482 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
4484 + if (test_thread_flag(TIF_32BIT))
4485 + addr &= 0xFFFFFFFFUL;
4488 + regs->tnpc = addr+4;
4493 + do { /* PaX: patched PLT emulation #4 */
4494 + unsigned int sethi, mov1, call, mov2;
4496 + err = get_user(sethi, (unsigned int *)regs->tpc);
4497 + err |= get_user(mov1, (unsigned int *)(regs->tpc+4));
4498 + err |= get_user(call, (unsigned int *)(regs->tpc+8));
4499 + err |= get_user(mov2, (unsigned int *)(regs->tpc+12));
4504 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4505 + mov1 == 0x8210000FU &&
4506 + (call & 0xC0000000U) == 0x40000000U &&
4507 + mov2 == 0x9E100001U)
4509 + unsigned long addr;
4511 + regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
4512 + addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
4514 + if (test_thread_flag(TIF_32BIT))
4515 + addr &= 0xFFFFFFFFUL;
4518 + regs->tnpc = addr+4;
4523 + do { /* PaX: patched PLT emulation #5 */
4524 + unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop;
4526 + err = get_user(sethi, (unsigned int *)regs->tpc);
4527 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
4528 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
4529 + err |= get_user(or1, (unsigned int *)(regs->tpc+12));
4530 + err |= get_user(or2, (unsigned int *)(regs->tpc+16));
4531 + err |= get_user(sllx, (unsigned int *)(regs->tpc+20));
4532 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+24));
4533 + err |= get_user(nop, (unsigned int *)(regs->tpc+28));
4538 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4539 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
4540 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
4541 + (or1 & 0xFFFFE000U) == 0x82106000U &&
4542 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
4543 + sllx == 0x83287020U &&
4544 + jmpl == 0x81C04005U &&
4545 + nop == 0x01000000U)
4547 + unsigned long addr;
4549 + regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
4550 + regs->u_regs[UREG_G1] <<= 32;
4551 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
4552 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
4554 + regs->tnpc = addr+4;
4559 + do { /* PaX: patched PLT emulation #6 */
4560 + unsigned int sethi, sethi1, sethi2, sllx, or, jmpl, nop;
4562 + err = get_user(sethi, (unsigned int *)regs->tpc);
4563 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
4564 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
4565 + err |= get_user(sllx, (unsigned int *)(regs->tpc+12));
4566 + err |= get_user(or, (unsigned int *)(regs->tpc+16));
4567 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
4568 + err |= get_user(nop, (unsigned int *)(regs->tpc+24));
4573 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4574 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
4575 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
4576 + sllx == 0x83287020U &&
4577 + (or & 0xFFFFE000U) == 0x8A116000U &&
4578 + jmpl == 0x81C04005U &&
4579 + nop == 0x01000000U)
4581 + unsigned long addr;
4583 + regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
4584 + regs->u_regs[UREG_G1] <<= 32;
4585 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
4586 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
4588 + regs->tnpc = addr+4;
4593 + do { /* PaX: unpatched PLT emulation step 1 */
4594 + unsigned int sethi, ba, nop;
4596 + err = get_user(sethi, (unsigned int *)regs->tpc);
4597 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
4598 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
4603 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4604 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
4605 + nop == 0x01000000U)
4607 + unsigned long addr;
4608 + unsigned int save, call;
4609 + unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl;
4611 + if ((ba & 0xFFC00000U) == 0x30800000U)
4612 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
4614 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
4616 + if (test_thread_flag(TIF_32BIT))
4617 + addr &= 0xFFFFFFFFUL;
4619 + err = get_user(save, (unsigned int *)addr);
4620 + err |= get_user(call, (unsigned int *)(addr+4));
4621 + err |= get_user(nop, (unsigned int *)(addr+8));
4625 +#ifdef CONFIG_PAX_DLRESOLVE
4626 + if (save == 0x9DE3BFA8U &&
4627 + (call & 0xC0000000U) == 0x40000000U &&
4628 + nop == 0x01000000U)
4630 + struct vm_area_struct *vma;
4631 + unsigned long call_dl_resolve;
4633 + down_read(¤t->mm->mmap_sem);
4634 + call_dl_resolve = current->mm->call_dl_resolve;
4635 + up_read(¤t->mm->mmap_sem);
4636 + if (likely(call_dl_resolve))
4639 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
4641 + down_write(¤t->mm->mmap_sem);
4642 + if (current->mm->call_dl_resolve) {
4643 + call_dl_resolve = current->mm->call_dl_resolve;
4644 + up_write(¤t->mm->mmap_sem);
4646 + kmem_cache_free(vm_area_cachep, vma);
4650 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
4651 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
4652 + up_write(¤t->mm->mmap_sem);
4654 + kmem_cache_free(vm_area_cachep, vma);
4658 + if (pax_insert_vma(vma, call_dl_resolve)) {
4659 + up_write(¤t->mm->mmap_sem);
4660 + kmem_cache_free(vm_area_cachep, vma);
4664 + current->mm->call_dl_resolve = call_dl_resolve;
4665 + up_write(¤t->mm->mmap_sem);
4668 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4669 + regs->tpc = call_dl_resolve;
4670 + regs->tnpc = addr+4;
4675 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
4676 + if ((save & 0xFFC00000U) == 0x05000000U &&
4677 + (call & 0xFFFFE000U) == 0x85C0A000U &&
4678 + nop == 0x01000000U)
4680 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4681 + regs->u_regs[UREG_G2] = addr + 4;
4682 + addr = (save & 0x003FFFFFU) << 10;
4683 + addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
4685 + if (test_thread_flag(TIF_32BIT))
4686 + addr &= 0xFFFFFFFFUL;
4689 + regs->tnpc = addr+4;
4693 + /* PaX: 64-bit PLT stub */
4694 + err = get_user(sethi1, (unsigned int *)addr);
4695 + err |= get_user(sethi2, (unsigned int *)(addr+4));
4696 + err |= get_user(or1, (unsigned int *)(addr+8));
4697 + err |= get_user(or2, (unsigned int *)(addr+12));
4698 + err |= get_user(sllx, (unsigned int *)(addr+16));
4699 + err |= get_user(add, (unsigned int *)(addr+20));
4700 + err |= get_user(jmpl, (unsigned int *)(addr+24));
4701 + err |= get_user(nop, (unsigned int *)(addr+28));
4705 + if ((sethi1 & 0xFFC00000U) == 0x09000000U &&
4706 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
4707 + (or1 & 0xFFFFE000U) == 0x88112000U &&
4708 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
4709 + sllx == 0x89293020U &&
4710 + add == 0x8A010005U &&
4711 + jmpl == 0x89C14000U &&
4712 + nop == 0x01000000U)
4714 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4715 + regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
4716 + regs->u_regs[UREG_G4] <<= 32;
4717 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
4718 + regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4];
4719 + regs->u_regs[UREG_G4] = addr + 24;
4720 + addr = regs->u_regs[UREG_G5];
4722 + regs->tnpc = addr+4;
4728 +#ifdef CONFIG_PAX_DLRESOLVE
4729 + do { /* PaX: unpatched PLT emulation step 2 */
4730 + unsigned int save, call, nop;
4732 + err = get_user(save, (unsigned int *)(regs->tpc-4));
4733 + err |= get_user(call, (unsigned int *)regs->tpc);
4734 + err |= get_user(nop, (unsigned int *)(regs->tpc+4));
4738 + if (save == 0x9DE3BFA8U &&
4739 + (call & 0xC0000000U) == 0x40000000U &&
4740 + nop == 0x01000000U)
4742 + unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
4744 + if (test_thread_flag(TIF_32BIT))
4745 + dl_resolve &= 0xFFFFFFFFUL;
4747 + regs->u_regs[UREG_RETPC] = regs->tpc;
4748 + regs->tpc = dl_resolve;
4749 + regs->tnpc = dl_resolve+4;
4755 + do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */
4756 + unsigned int sethi, ba, nop;
4758 + err = get_user(sethi, (unsigned int *)regs->tpc);
4759 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
4760 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
4765 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4766 + (ba & 0xFFF00000U) == 0x30600000U &&
4767 + nop == 0x01000000U)
4769 + unsigned long addr;
4771 + addr = (sethi & 0x003FFFFFU) << 10;
4772 + regs->u_regs[UREG_G1] = addr;
4773 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
4775 + if (test_thread_flag(TIF_32BIT))
4776 + addr &= 0xFFFFFFFFUL;
4779 + regs->tnpc = addr+4;
4789 +void pax_report_insns(void *pc, void *sp)
4793 + printk(KERN_ERR "PAX: bytes at PC: ");
4794 + for (i = 0; i < 8; i++) {
4796 + if (get_user(c, (unsigned int *)pc+i))
4797 + printk(KERN_CONT "???????? ");
4799 + printk(KERN_CONT "%08x ", c);
4805 asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
4807 struct mm_struct *mm = current->mm;
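Review bot: `pax_emuplt_close`, `pax_emuplt_fault`, `pax_vm_ops`, `pax_insert_vma` and `pax_report_insns` are added here with the same visible bodies as the copies added to fault_32.c earlier in the patch. A fix to one copy, for instance to the allocation-failure handling or the VMA flags, can therefore be missed in the other. Moving the helpers that do not depend on the register layout into one shared file, and keeping only `pax_handle_fetch_fault` per word size, would remove that risk. The pattern-matching blocks also differ in whether they apply the `TIF_32BIT` mask (#5, #6 and the 64-bit PLT stub do not). That is presumably intentional because those stubs exist only in 64-bit binaries, and a one-line comment on each would record it.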
4808 @@ -312,6 +765,29 @@ asmlinkage void __kprobes do_sparc64_fau
4812 +#ifdef CONFIG_PAX_PAGEEXEC
4813 + /* PaX: detect ITLB misses on non-exec pages */
4814 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
4815 + !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
4817 + if (address != regs->tpc)
4820 + up_read(&mm->mmap_sem);
4821 + switch (pax_handle_fetch_fault(regs)) {
4823 +#ifdef CONFIG_PAX_EMUPLT
4830 + pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS));
4831 + do_group_exit(SIGKILL);
4835 /* Pure DTLB misses do not tell us whether the fault causing
4836 * load/store/atomic was a write or not, it only says that there
4837 * was no match. So in such a case we (carefully) read the
4838 diff -urNp linux-2.6.33.1/arch/sparc/mm/init_32.c linux-2.6.33.1/arch/sparc/mm/init_32.c
4839 --- linux-2.6.33.1/arch/sparc/mm/init_32.c 2010-03-15 12:09:39.000000000 -0400
4840 +++ linux-2.6.33.1/arch/sparc/mm/init_32.c 2010-03-20 16:58:38.956579787 -0400
4841 @@ -317,6 +317,9 @@ extern void device_scan(void);
4842 pgprot_t PAGE_SHARED __read_mostly;
4843 EXPORT_SYMBOL(PAGE_SHARED);
4845 +pgprot_t PAGE_SHARED_NOEXEC __read_mostly;
4846 +EXPORT_SYMBOL(PAGE_SHARED_NOEXEC);
4848 void __init paging_init(void)
4850 switch(sparc_cpu_model) {
4851 @@ -345,17 +348,17 @@ void __init paging_init(void)
4853 /* Initialize the protection map with non-constant, MMU dependent values. */
4854 protection_map[0] = PAGE_NONE;
4855 - protection_map[1] = PAGE_READONLY;
4856 - protection_map[2] = PAGE_COPY;
4857 - protection_map[3] = PAGE_COPY;
4858 + protection_map[1] = PAGE_READONLY_NOEXEC;
4859 + protection_map[2] = PAGE_COPY_NOEXEC;
4860 + protection_map[3] = PAGE_COPY_NOEXEC;
4861 protection_map[4] = PAGE_READONLY;
4862 protection_map[5] = PAGE_READONLY;
4863 protection_map[6] = PAGE_COPY;
4864 protection_map[7] = PAGE_COPY;
4865 protection_map[8] = PAGE_NONE;
4866 - protection_map[9] = PAGE_READONLY;
4867 - protection_map[10] = PAGE_SHARED;
4868 - protection_map[11] = PAGE_SHARED;
4869 + protection_map[9] = PAGE_READONLY_NOEXEC;
4870 + protection_map[10] = PAGE_SHARED_NOEXEC;
4871 + protection_map[11] = PAGE_SHARED_NOEXEC;
4872 protection_map[12] = PAGE_READONLY;
4873 protection_map[13] = PAGE_READONLY;
4874 protection_map[14] = PAGE_SHARED;
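Review bot: Entries 1-3 and 9-11 of `protection_map` now take the `_NOEXEC` values unconditionally, but the srmmu.c hunk of this patch assigns `PAGE_SHARED_NOEXEC` and the `page_copy_noexec` / `page_readonly_noexec` fixups only inside `#ifdef CONFIG_PAX_PAGEEXEC`. The variable itself is defined and exported without a guard in the hunk above. Whether a build without that option maps the `_NOEXEC` names back to the plain ones is decided in a header outside this view; if it does not, these six entries would be filled from values that were never set. Doing the assignments in `ld_mmu_srmmu` unconditionally, or guarding the definition and these stores with the same `#ifdef`, would make the dependency explicit. `paging_init` continues outside the hunk.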
4875 diff -urNp linux-2.6.33.1/arch/sparc/mm/Makefile linux-2.6.33.1/arch/sparc/mm/Makefile
4876 --- linux-2.6.33.1/arch/sparc/mm/Makefile 2010-03-15 12:09:39.000000000 -0400
4877 +++ linux-2.6.33.1/arch/sparc/mm/Makefile 2010-03-20 16:58:38.968781407 -0400
4882 -ccflags-y := -Werror
4883 +#ccflags-y := -Werror
4885 obj-$(CONFIG_SPARC64) += ultra.o tlb.o tsb.o
4886 obj-y += fault_$(BITS).o
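Review bot: Commenting out `ccflags-y := -Werror` drops warnings-as-errors for every object built in arch/sparc/mm, including the fault handlers that this patch extends with user-memory reads and instruction emulation. New warnings in that code would then pass the build unnoticed. Keeping the flag and fixing whatever the added code triggers is the safer route. If it has to be relaxed, restrict that to the objects that actually warn and say so in a comment, rather than leaving a commented-out line with no explanation.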
4887 diff -urNp linux-2.6.33.1/arch/sparc/mm/srmmu.c linux-2.6.33.1/arch/sparc/mm/srmmu.c
4888 --- linux-2.6.33.1/arch/sparc/mm/srmmu.c 2010-03-15 12:09:39.000000000 -0400
4889 +++ linux-2.6.33.1/arch/sparc/mm/srmmu.c 2010-03-20 16:58:38.968781407 -0400
4890 @@ -2198,6 +2198,13 @@ void __init ld_mmu_srmmu(void)
4891 PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
4892 BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
4893 BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
4895 +#ifdef CONFIG_PAX_PAGEEXEC
4896 + PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
4897 + BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
4898 + BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
4901 BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
4902 page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
4904 diff -urNp linux-2.6.33.1/arch/um/include/asm/kmap_types.h linux-2.6.33.1/arch/um/include/asm/kmap_types.h
4905 --- linux-2.6.33.1/arch/um/include/asm/kmap_types.h 2010-03-15 12:09:39.000000000 -0400
4906 +++ linux-2.6.33.1/arch/um/include/asm/kmap_types.h 2010-03-20 16:58:38.968781407 -0400
4907 @@ -23,6 +23,7 @@ enum km_type {
4915 diff -urNp linux-2.6.33.1/arch/um/include/asm/page.h linux-2.6.33.1/arch/um/include/asm/page.h
4916 --- linux-2.6.33.1/arch/um/include/asm/page.h 2010-03-15 12:09:39.000000000 -0400
4917 +++ linux-2.6.33.1/arch/um/include/asm/page.h 2010-03-20 16:58:38.968781407 -0400
4919 #define PAGE_SIZE (_AC(1, UL) << PAGE_SHIFT)
4920 #define PAGE_MASK (~(PAGE_SIZE-1))
4922 +#define ktla_ktva(addr) (addr)
4923 +#define ktva_ktla(addr) (addr)
4925 #ifndef __ASSEMBLY__
4928 diff -urNp linux-2.6.33.1/arch/um/sys-i386/syscalls.c linux-2.6.33.1/arch/um/sys-i386/syscalls.c
4929 --- linux-2.6.33.1/arch/um/sys-i386/syscalls.c 2010-03-15 12:09:39.000000000 -0400
4930 +++ linux-2.6.33.1/arch/um/sys-i386/syscalls.c 2010-03-20 16:58:38.968781407 -0400
4932 #include "asm/uaccess.h"
4933 #include "asm/unistd.h"
4935 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
4937 + unsigned long pax_task_size = TASK_SIZE;
4939 +#ifdef CONFIG_PAX_SEGMEXEC
4940 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
4941 + pax_task_size = SEGMEXEC_TASK_SIZE;
4944 + if (len > pax_task_size || addr > pax_task_size - len)
4951 * Perform the select(nd, in, out, ex, tv) and mmap() system
4952 * calls. Linux/i386 didn't use to be able to handle more than
4953 diff -urNp linux-2.6.33.1/arch/x86/boot/bitops.h linux-2.6.33.1/arch/x86/boot/bitops.h
4954 --- linux-2.6.33.1/arch/x86/boot/bitops.h 2010-03-15 12:09:39.000000000 -0400
4955 +++ linux-2.6.33.1/arch/x86/boot/bitops.h 2010-03-20 16:58:38.968781407 -0400
4956 @@ -26,7 +26,7 @@ static inline int variable_test_bit(int
4958 const u32 *p = (const u32 *)addr;
4960 - asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
4961 + asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
4965 @@ -37,7 +37,7 @@ static inline int variable_test_bit(int
4967 static inline void set_bit(int nr, void *addr)
4969 - asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
4970 + asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
4973 #endif /* BOOT_BITOPS_H */
4974 diff -urNp linux-2.6.33.1/arch/x86/boot/boot.h linux-2.6.33.1/arch/x86/boot/boot.h
4975 --- linux-2.6.33.1/arch/x86/boot/boot.h 2010-03-15 12:09:39.000000000 -0400
4976 +++ linux-2.6.33.1/arch/x86/boot/boot.h 2010-03-20 16:58:38.972657826 -0400
4977 @@ -82,7 +82,7 @@ static inline void io_delay(void)
4978 static inline u16 ds(void)
4981 - asm("movw %%ds,%0" : "=rm" (seg));
4982 + asm volatile("movw %%ds,%0" : "=rm" (seg));
4986 @@ -178,7 +178,7 @@ static inline void wrgs32(u32 v, addr_t
4987 static inline int memcmp(const void *s1, const void *s2, size_t len)
4990 - asm("repe; cmpsb; setnz %0"
4991 + asm volatile("repe; cmpsb; setnz %0"
4992 : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
4995 diff -urNp linux-2.6.33.1/arch/x86/boot/compressed/head_32.S linux-2.6.33.1/arch/x86/boot/compressed/head_32.S
4996 --- linux-2.6.33.1/arch/x86/boot/compressed/head_32.S 2010-03-15 12:09:39.000000000 -0400
4997 +++ linux-2.6.33.1/arch/x86/boot/compressed/head_32.S 2010-03-20 16:58:38.972657826 -0400
4998 @@ -76,7 +76,7 @@ ENTRY(startup_32)
5002 - movl $LOAD_PHYSICAL_ADDR, %ebx
5003 + movl $____LOAD_PHYSICAL_ADDR, %ebx
5006 /* Target address to relocate to for decompression */
5007 @@ -149,7 +149,7 @@ relocated:
5008 * and where it was actually loaded.
5011 - subl $LOAD_PHYSICAL_ADDR, %ebx
5012 + subl $____LOAD_PHYSICAL_ADDR, %ebx
5013 jz 2f /* Nothing to be done if loaded at compiled addr. */
5015 * Process relocations.
5016 @@ -157,8 +157,7 @@ relocated:
5023 addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
5026 diff -urNp linux-2.6.33.1/arch/x86/boot/compressed/head_64.S linux-2.6.33.1/arch/x86/boot/compressed/head_64.S
5027 --- linux-2.6.33.1/arch/x86/boot/compressed/head_64.S 2010-03-15 12:09:39.000000000 -0400
5028 +++ linux-2.6.33.1/arch/x86/boot/compressed/head_64.S 2010-03-20 16:58:38.972657826 -0400
5029 @@ -91,7 +91,7 @@ ENTRY(startup_32)
5033 - movl $LOAD_PHYSICAL_ADDR, %ebx
5034 + movl $____LOAD_PHYSICAL_ADDR, %ebx
5037 /* Target address to relocate to for decompression */
5038 @@ -233,7 +233,7 @@ ENTRY(startup_64)
5042 - movq $LOAD_PHYSICAL_ADDR, %rbp
5043 + movq $____LOAD_PHYSICAL_ADDR, %rbp
5046 /* Target address to relocate to for decompression */
5047 diff -urNp linux-2.6.33.1/arch/x86/boot/compressed/misc.c linux-2.6.33.1/arch/x86/boot/compressed/misc.c
5048 --- linux-2.6.33.1/arch/x86/boot/compressed/misc.c 2010-03-15 12:09:39.000000000 -0400
5049 +++ linux-2.6.33.1/arch/x86/boot/compressed/misc.c 2010-03-20 16:58:38.972657826 -0400
5050 @@ -292,7 +292,7 @@ static void parse_elf(void *output)
5052 #ifdef CONFIG_RELOCATABLE
5054 - dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
5055 + dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR);
5057 dest = (void *)(phdr->p_paddr);
5059 @@ -339,7 +339,7 @@ asmlinkage void decompress_kernel(void *
5060 error("Destination address too large");
5062 #ifndef CONFIG_RELOCATABLE
5063 - if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
5064 + if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR)
5065 error("Wrong destination address");
5068 diff -urNp linux-2.6.33.1/arch/x86/boot/compressed/mkpiggy.c linux-2.6.33.1/arch/x86/boot/compressed/mkpiggy.c
5069 --- linux-2.6.33.1/arch/x86/boot/compressed/mkpiggy.c 2010-03-15 12:09:39.000000000 -0400
5070 +++ linux-2.6.33.1/arch/x86/boot/compressed/mkpiggy.c 2010-03-20 16:58:38.972657826 -0400
5071 @@ -74,7 +74,7 @@ int main(int argc, char *argv[])
5073 offs = (olen > ilen) ? olen - ilen : 0;
5074 offs += olen >> 12; /* Add 8 bytes for each 32K block */
5075 - offs += 32*1024 + 18; /* Add 32K + 18 bytes slack */
5076 + offs += 64*1024; /* Add 64K bytes slack */
5077 offs = (offs+4095) & ~4095; /* Round to a 4K boundary */
5079 printf(".section \".rodata.compressed\",\"a\",@progbits\n");
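Review bot: The slack added on the `offs +=` line changes from `32*1024 + 18` to `64*1024`, and the new comment only restates the number. This offset appears to set how far the compressed payload is placed from the start of the output, so an undersized margin is a correctness issue and the reason for doubling it belongs next to the constant. Something like `offs += 64*1024; /* 64K slack: <reason the previous 32K + 18 was insufficient> */` would let a later reader judge whether the value can change. `main` continues outside the hunk.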
5080 diff -urNp linux-2.6.33.1/arch/x86/boot/compressed/relocs.c linux-2.6.33.1/arch/x86/boot/compressed/relocs.c
5081 --- linux-2.6.33.1/arch/x86/boot/compressed/relocs.c 2010-03-15 12:09:39.000000000 -0400
5082 +++ linux-2.6.33.1/arch/x86/boot/compressed/relocs.c 2010-03-20 16:58:38.972657826 -0400
5085 static void die(char *fmt, ...);
5087 +#include "../../../../include/generated/autoconf.h"
5089 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
5090 static Elf32_Ehdr ehdr;
5091 +static Elf32_Phdr *phdr;
5092 static unsigned long reloc_count, reloc_idx;
5093 static unsigned long *relocs;
5095 @@ -270,9 +273,39 @@ static void read_ehdr(FILE *fp)
5099 +static void read_phdrs(FILE *fp)
5103 + phdr = calloc(ehdr.e_phnum, sizeof(Elf32_Phdr));
5105 + die("Unable to allocate %d program headers\n",
5108 + if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
5109 + die("Seek to %d failed: %s\n",
5110 + ehdr.e_phoff, strerror(errno));
5112 + if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
5113 + die("Cannot read ELF program headers: %s\n",
5116 + for(i = 0; i < ehdr.e_phnum; i++) {
5117 + phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
5118 + phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
5119 + phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
5120 + phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
5121 + phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
5122 + phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
5123 + phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
5124 + phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
5129 static void read_shdrs(FILE *fp)
5135 secs = calloc(ehdr.e_shnum, sizeof(struct section));
5136 @@ -307,7 +340,7 @@ static void read_shdrs(FILE *fp)
5138 static void read_strtabs(FILE *fp)
5142 for (i = 0; i < ehdr.e_shnum; i++) {
5143 struct section *sec = &secs[i];
5144 if (sec->shdr.sh_type != SHT_STRTAB) {
5145 @@ -332,7 +365,7 @@ static void read_strtabs(FILE *fp)
5147 static void read_symtabs(FILE *fp)
5151 for (i = 0; i < ehdr.e_shnum; i++) {
5152 struct section *sec = &secs[i];
5153 if (sec->shdr.sh_type != SHT_SYMTAB) {
5154 @@ -365,7 +398,9 @@ static void read_symtabs(FILE *fp)
5156 static void read_relocs(FILE *fp)
5162 for (i = 0; i < ehdr.e_shnum; i++) {
5163 struct section *sec = &secs[i];
5164 if (sec->shdr.sh_type != SHT_REL) {
5165 @@ -385,9 +420,18 @@ static void read_relocs(FILE *fp)
5166 die("Cannot read symbol table: %s\n",
5170 + for (j = 0; j < ehdr.e_phnum; j++) {
5171 + if (phdr[j].p_type != PT_LOAD )
5173 + if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
5175 + base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
5178 for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Rel); j++) {
5179 Elf32_Rel *rel = &sec->reltab[j];
5180 - rel->r_offset = elf32_to_cpu(rel->r_offset);
5181 + rel->r_offset = elf32_to_cpu(rel->r_offset) + base;
5182 rel->r_info = elf32_to_cpu(rel->r_info);
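Review bot: The added segment lookup indexes `secs[sec->shdr.sh_info]` twice in one condition, and nothing visible here compares `sh_info` with `ehdr.e_shnum` first. The upper bound `phdr[j].p_offset + phdr[j].p_filesz` is also a 32-bit sum that can wrap for a malformed program header. Reading the offset once, `Elf32_Off off = secs[sec->shdr.sh_info].shdr.sh_offset;`, after an `if (sec->shdr.sh_info >= ehdr.e_shnum) die(...)` check, and testing `off < phdr[j].p_offset || off - phdr[j].p_offset >= phdr[j].p_filesz`, avoids both and shortens the line. The statements between the visible lines, including how `base` is initialised for each section, are not shown here.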
5185 @@ -396,14 +440,14 @@ static void read_relocs(FILE *fp)
5187 static void print_absolute_symbols(void)
5191 printf("Absolute symbols\n");
5192 printf(" Num: Value Size Type Bind Visibility Name\n");
5193 for (i = 0; i < ehdr.e_shnum; i++) {
5194 struct section *sec = &secs[i];
5196 Elf32_Sym *sh_symtab;
5200 if (sec->shdr.sh_type != SHT_SYMTAB) {
5202 @@ -431,14 +475,14 @@ static void print_absolute_symbols(void)
5204 static void print_absolute_relocs(void)
5206 - int i, printed = 0;
5207 + unsigned int i, printed = 0;
5209 for (i = 0; i < ehdr.e_shnum; i++) {
5210 struct section *sec = &secs[i];
5211 struct section *sec_applies, *sec_symtab;
5213 Elf32_Sym *sh_symtab;
5216 if (sec->shdr.sh_type != SHT_REL) {
5219 @@ -499,13 +543,13 @@ static void print_absolute_relocs(void)
5221 static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
5225 /* Walk through the relocations */
5226 for (i = 0; i < ehdr.e_shnum; i++) {
5228 Elf32_Sym *sh_symtab;
5229 struct section *sec_applies, *sec_symtab;
5232 struct section *sec = &secs[i];
5234 if (sec->shdr.sh_type != SHT_REL) {
5235 @@ -530,6 +574,22 @@ static void walk_relocs(void (*visit)(El
5236 !is_rel_reloc(sym_name(sym_strtab, sym))) {
5239 + /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
5240 + if (!strcmp(sec_name(sym->st_shndx), ".data.percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
5243 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
5244 + /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
5245 + if (!strcmp(sec_name(sym->st_shndx), ".data") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
5247 + if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
5249 + if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
5251 + if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
5258 @@ -571,7 +631,7 @@ static int cmp_relocs(const void *va, co
5260 static void emit_relocs(int as_text)
5264 /* Count how many relocations I have and allocate space for them. */
5266 walk_relocs(count_reloc);
5267 @@ -665,6 +725,7 @@ int main(int argc, char **argv)
5268 fname, strerror(errno));
5275 diff -urNp linux-2.6.33.1/arch/x86/boot/cpucheck.c linux-2.6.33.1/arch/x86/boot/cpucheck.c
5276 --- linux-2.6.33.1/arch/x86/boot/cpucheck.c 2010-03-15 12:09:39.000000000 -0400
5277 +++ linux-2.6.33.1/arch/x86/boot/cpucheck.c 2010-03-20 16:58:38.972657826 -0400
5278 @@ -74,7 +74,7 @@ static int has_fpu(void)
5279 u16 fcw = -1, fsw = -1;
5282 - asm("movl %%cr0,%0" : "=r" (cr0));
5283 + asm volatile("movl %%cr0,%0" : "=r" (cr0));
5284 if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
5285 cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
5286 asm volatile("movl %0,%%cr0" : : "r" (cr0));
5287 @@ -90,7 +90,7 @@ static int has_eflag(u32 mask)
5292 + asm volatile("pushfl ; "
5296 @@ -115,7 +115,7 @@ static void get_flags(void)
5297 set_bit(X86_FEATURE_FPU, cpu.flags);
5299 if (has_eflag(X86_EFLAGS_ID)) {
5301 + asm volatile("cpuid"
5302 : "=a" (max_intel_level),
5303 "=b" (cpu_vendor[0]),
5304 "=d" (cpu_vendor[1]),
5305 @@ -124,7 +124,7 @@ static void get_flags(void)
5307 if (max_intel_level >= 0x00000001 &&
5308 max_intel_level <= 0x0000ffff) {
5310 + asm volatile("cpuid"
5312 "=c" (cpu.flags[4]),
5314 @@ -136,7 +136,7 @@ static void get_flags(void)
5315 cpu.model += ((tfms >> 16) & 0xf) << 4;
5319 + asm volatile("cpuid"
5320 : "=a" (max_amd_level)
5322 : "ebx", "ecx", "edx");
5323 @@ -144,7 +144,7 @@ static void get_flags(void)
5324 if (max_amd_level >= 0x80000001 &&
5325 max_amd_level <= 0x8000ffff) {
5326 u32 eax = 0x80000001;
5328 + asm volatile("cpuid"
5330 "=c" (cpu.flags[6]),
5332 @@ -203,9 +203,9 @@ int check_cpu(int *cpu_level_ptr, int *r
5333 u32 ecx = MSR_K7_HWCR;
5336 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5337 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5339 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5340 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5342 get_flags(); /* Make sure it really did something */
5343 err = check_flags();
5344 @@ -218,9 +218,9 @@ int check_cpu(int *cpu_level_ptr, int *r
5345 u32 ecx = MSR_VIA_FCR;
5348 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5349 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5350 eax |= (1<<1)|(1<<7);
5351 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5352 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5354 set_bit(X86_FEATURE_CX8, cpu.flags);
5355 err = check_flags();
5356 @@ -231,12 +231,12 @@ int check_cpu(int *cpu_level_ptr, int *r
5360 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5361 - asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
5363 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5364 + asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
5365 + asm volatile("cpuid"
5366 : "+a" (level), "=d" (cpu.flags[0])
5368 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5369 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5371 err = check_flags();
5373 diff -urNp linux-2.6.33.1/arch/x86/boot/header.S linux-2.6.33.1/arch/x86/boot/header.S
5374 --- linux-2.6.33.1/arch/x86/boot/header.S 2010-03-15 12:09:39.000000000 -0400
5375 +++ linux-2.6.33.1/arch/x86/boot/header.S 2010-03-20 16:58:38.972657826 -0400
5376 @@ -224,7 +224,7 @@ setup_data: .quad 0 # 64-bit physical
5377 # single linked list of
5380 -pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr
5381 +pref_address: .quad ____LOAD_PHYSICAL_ADDR # preferred load addr
5383 #define ZO_INIT_SIZE (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
5384 #define VO_INIT_SIZE (VO__end - VO__text)
5385 diff -urNp linux-2.6.33.1/arch/x86/boot/video-vesa.c linux-2.6.33.1/arch/x86/boot/video-vesa.c
5386 --- linux-2.6.33.1/arch/x86/boot/video-vesa.c 2010-03-15 12:09:39.000000000 -0400
5387 +++ linux-2.6.33.1/arch/x86/boot/video-vesa.c 2010-03-20 16:58:38.972657826 -0400
5388 @@ -200,6 +200,7 @@ static void vesa_store_pm_info(void)
5390 boot_params.screen_info.vesapm_seg = oreg.es;
5391 boot_params.screen_info.vesapm_off = oreg.di;
5392 + boot_params.screen_info.vesapm_size = oreg.cx;
5396 diff -urNp linux-2.6.33.1/arch/x86/ia32/ia32_signal.c linux-2.6.33.1/arch/x86/ia32/ia32_signal.c
5397 --- linux-2.6.33.1/arch/x86/ia32/ia32_signal.c 2010-03-15 12:09:39.000000000 -0400
5398 +++ linux-2.6.33.1/arch/x86/ia32/ia32_signal.c 2010-03-20 16:58:38.972657826 -0400
5399 @@ -403,7 +403,7 @@ static void __user *get_sigframe(struct
5401 /* Align the stack pointer according to the i386 ABI,
5402 * i.e. so that on function entry ((sp + 4) & 15) == 0. */
5403 - sp = ((sp + 4) & -16ul) - 4;
5404 + sp = ((sp - 12) & -16ul) - 4;
5405 return (void __user *) sp;
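Review bot: The comment above the changed line still describes only the alignment goal, while `((sp - 12) & -16ul) - 4` also places the frame 16 to 31 bytes below the incoming `sp`. The old expression placed it 0 to 15 bytes below. Both forms satisfy `((sp + 4) & 15) == 0`, so the comment no longer explains why the expression looks the way it does. A line such as `/* also leave at least 16 bytes below the incoming sp: <reason> */` would record the intent. `get_sigframe` begins outside this hunk.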
5408 @@ -503,7 +503,7 @@ int ia32_setup_rt_frame(int sig, struct
5410 __NR_ia32_rt_sigreturn,
5416 frame = get_sigframe(ka, regs, sizeof(*frame), &fpstate);
5417 diff -urNp linux-2.6.33.1/arch/x86/include/asm/alternative.h linux-2.6.33.1/arch/x86/include/asm/alternative.h
5418 --- linux-2.6.33.1/arch/x86/include/asm/alternative.h 2010-03-15 12:09:39.000000000 -0400
5419 +++ linux-2.6.33.1/arch/x86/include/asm/alternative.h 2010-03-20 16:58:38.972657826 -0400
5420 @@ -86,7 +86,7 @@ static inline void alternatives_smp_swit
5421 " .byte 664f-663f\n" /* replacementlen */ \
5422 " .byte 0xff + (664f-663f) - (662b-661b)\n" /* rlen <= slen */ \
5424 - ".section .altinstr_replacement, \"ax\"\n" \
5425 + ".section .altinstr_replacement, \"a\"\n" \
5426 "663:\n\t" newinstr "\n664:\n" /* replacement */ \
5429 diff -urNp linux-2.6.33.1/arch/x86/include/asm/apm.h linux-2.6.33.1/arch/x86/include/asm/apm.h
5430 --- linux-2.6.33.1/arch/x86/include/asm/apm.h 2010-03-15 12:09:39.000000000 -0400
5431 +++ linux-2.6.33.1/arch/x86/include/asm/apm.h 2010-03-20 16:58:38.972657826 -0400
5432 @@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32
5433 __asm__ __volatile__(APM_DO_ZERO_SEGS
5436 - "lcall *%%cs:apm_bios_entry\n\t"
5437 + "lcall *%%ss:apm_bios_entry\n\t"
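Review bot: The segment override on the far call changes from `%%cs:` to `%%ss:` without a comment, here and in `apm_bios_call_simple_asm` in the next hunk. The override selects the segment through which the `apm_bios_entry` pointer is read, so the call is only correct while `%ss` is a flat kernel data mapping at that point. `APM_DO_ZERO_SEGS` runs just before it and its expansion is not visible here, which makes that assumption worth writing down. A comment such as `/* read apm_bios_entry through %ss: %cs may not map kernel data (presumably CONFIG_PAX_KERNEXEC) */` on both sites would do.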
5441 @@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_as
5442 __asm__ __volatile__(APM_DO_ZERO_SEGS
5445 - "lcall *%%cs:apm_bios_entry\n\t"
5446 + "lcall *%%ss:apm_bios_entry\n\t"
5450 diff -urNp linux-2.6.33.1/arch/x86/include/asm/atomic_32.h linux-2.6.33.1/arch/x86/include/asm/atomic_32.h
5451 --- linux-2.6.33.1/arch/x86/include/asm/atomic_32.h 2010-03-15 12:09:39.000000000 -0400
5452 +++ linux-2.6.33.1/arch/x86/include/asm/atomic_32.h 2010-03-20 16:58:38.972657826 -0400
5453 @@ -25,6 +25,17 @@ static inline int atomic_read(const atom
5457 + * atomic_read_unchecked - read atomic variable
5458 + * @v: pointer of type atomic_unchecked_t
5460 + * Atomically reads the value of @v.
5462 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
5464 + return v->counter;
5468 * atomic_set - set atomic variable
5469 * @v: pointer of type atomic_t
5470 * @i: required value
5471 @@ -37,6 +48,18 @@ static inline void atomic_set(atomic_t *
5475 + * atomic_set_unchecked - set atomic variable
5476 + * @v: pointer of type atomic_unchecked_t
5477 + * @i: required value
5479 + * Atomically sets the value of @v to @i.
5481 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
5487 * atomic_add - add integer to atomic variable
5488 * @i: integer value to add
5489 * @v: pointer of type atomic_t
5490 @@ -45,7 +68,29 @@ static inline void atomic_set(atomic_t *
5492 static inline void atomic_add(int i, atomic_t *v)
5494 - asm volatile(LOCK_PREFIX "addl %1,%0"
5495 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
5497 +#ifdef CONFIG_PAX_REFCOUNT
5499 + LOCK_PREFIX "subl %1,%0\n"
5501 + _ASM_EXTABLE(0b, 0b)
5504 + : "+m" (v->counter)
5509 + * atomic_add_unchecked - add integer to atomic variable
5510 + * @i: integer value to add
5511 + * @v: pointer of type atomic_unchecked_t
5513 + * Atomically adds @i to @v.
5515 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
5517 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
5521 @@ -59,7 +104,29 @@ static inline void atomic_add(int i, ato
5523 static inline void atomic_sub(int i, atomic_t *v)
5525 - asm volatile(LOCK_PREFIX "subl %1,%0"
5526 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
5528 +#ifdef CONFIG_PAX_REFCOUNT
5530 + LOCK_PREFIX "addl %1,%0\n"
5532 + _ASM_EXTABLE(0b, 0b)
5535 + : "+m" (v->counter)
5540 + * atomic_sub_unchecked - subtract integer from atomic variable
5541 + * @i: integer value to subtract
5542 + * @v: pointer of type atomic_t
5544 + * Atomically subtracts @i from @v.
5546 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
5548 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
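Review bot: The kernel-doc added for `atomic_sub_unchecked` says `@v: pointer of type atomic_t`, but the function takes `atomic_unchecked_t *v`. The other `_unchecked` helpers added in this file document the parameter as `atomic_unchecked_t`. The line should read `* @v: pointer of type atomic_unchecked_t`. Getting the type right matters because, going by the `CONFIG_PAX_REFCOUNT` blocks, only the `atomic_t` variants carry the overflow handling, and a caller choosing between the two relies on these comments.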
5552 @@ -77,7 +144,16 @@ static inline int atomic_sub_and_test(in
5556 - asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
5557 + asm volatile(LOCK_PREFIX "subl %2,%0\n"
5559 +#ifdef CONFIG_PAX_REFCOUNT
5561 + LOCK_PREFIX "addl %2,%0\n"
5563 + _ASM_EXTABLE(0b, 0b)
5567 : "+m" (v->counter), "=qm" (c)
5568 : "ir" (i) : "memory");
5570 @@ -91,7 +167,30 @@ static inline int atomic_sub_and_test(in
5572 static inline void atomic_inc(atomic_t *v)
5574 - asm volatile(LOCK_PREFIX "incl %0"
5575 + asm volatile(LOCK_PREFIX "incl %0\n"
5577 +#ifdef CONFIG_PAX_REFCOUNT
5579 + ".pushsection .fixup,\"ax\"\n"
5581 + LOCK_PREFIX "decl %0\n"
5584 + _ASM_EXTABLE(0b, 1b)
5587 + : "+m" (v->counter));
5591 + * atomic_inc_unchecked - increment atomic variable
5592 + * @v: pointer of type atomic_unchecked_t
5594 + * Atomically increments @v by 1.
5596 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
5598 + asm volatile(LOCK_PREFIX "incl %0\n"
5599 : "+m" (v->counter));
5602 @@ -103,7 +202,18 @@ static inline void atomic_inc(atomic_t *
5604 static inline void atomic_dec(atomic_t *v)
5606 - asm volatile(LOCK_PREFIX "decl %0"
5607 + asm volatile(LOCK_PREFIX "decl %0\n"
5609 +#ifdef CONFIG_PAX_REFCOUNT
5611 + ".pushsection .fixup,\"ax\"\n"
5613 + LOCK_PREFIX "incl %0\n"
5616 + _ASM_EXTABLE(0b, 1b)
5619 : "+m" (v->counter));
5622 @@ -119,7 +229,19 @@ static inline int atomic_dec_and_test(at
5626 - asm volatile(LOCK_PREFIX "decl %0; sete %1"
5627 + asm volatile(LOCK_PREFIX "decl %0\n"
5629 +#ifdef CONFIG_PAX_REFCOUNT
5631 + ".pushsection .fixup,\"ax\"\n"
5633 + LOCK_PREFIX "incl %0\n"
5636 + _ASM_EXTABLE(0b, 1b)
5640 : "+m" (v->counter), "=qm" (c)
5643 @@ -137,7 +259,19 @@ static inline int atomic_inc_and_test(at
5647 - asm volatile(LOCK_PREFIX "incl %0; sete %1"
5648 + asm volatile(LOCK_PREFIX "incl %0\n"
5650 +#ifdef CONFIG_PAX_REFCOUNT
5652 + ".pushsection .fixup,\"ax\"\n"
5654 + LOCK_PREFIX "decl %0\n"
5657 + _ASM_EXTABLE(0b, 1b)
5661 : "+m" (v->counter), "=qm" (c)
5664 @@ -156,7 +290,16 @@ static inline int atomic_add_negative(in
5668 - asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
5669 + asm volatile(LOCK_PREFIX "addl %2,%0\n"
5671 +#ifdef CONFIG_PAX_REFCOUNT
5673 + LOCK_PREFIX "subl %2,%0\n"
5675 + _ASM_EXTABLE(0b, 0b)
5679 : "+m" (v->counter), "=qm" (c)
5680 : "ir" (i) : "memory");
5682 @@ -179,6 +322,46 @@ static inline int atomic_add_return(int
5684 /* Modern 486+ processor */
5686 + asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
5688 +#ifdef CONFIG_PAX_REFCOUNT
5692 + _ASM_EXTABLE(0b, 0b)
5695 + : "+r" (i), "+m" (v->counter)
5700 +no_xadd: /* Legacy 386 processor */
5701 + local_irq_save(flags);
5702 + __i = atomic_read(v);
5703 + atomic_set(v, i + __i);
5704 + local_irq_restore(flags);
5710 + * atomic_add_return_unchecked - add integer and return
5711 + * @v: pointer of type atomic_unchecked_t
5712 + * @i: integer value to add
5714 + * Atomically adds @i to @v and returns @i + @v
5716 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
5720 + unsigned long flags;
5721 + if (unlikely(boot_cpu_data.x86 <= 3))
5724 + /* Modern 486+ processor */
5726 asm volatile(LOCK_PREFIX "xaddl %0, %1"
5727 : "+r" (i), "+m" (v->counter)
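Review bot: The `no_xadd` fallback for 386-class CPUs computes the new value in plain C, `atomic_set(v, i + __i)`. Under `CONFIG_PAX_REFCOUNT` it therefore has none of the overflow handling that the `xaddl` path gets from the block ending in `_ASM_EXTABLE(0b, 0b)`. A counter can wrap on that path without being detected, and signed overflow in the C expression is undefined as well. If the option is meant to work on such CPUs, test before the store, for example `if (i > 0 && __i > INT_MAX - i)`, and route that case to the same handling as the checked path. Otherwise, a comment like `/* 386 fallback: not covered by PAX_REFCOUNT */` should state the gap. Parts of `atomic_add_return` lie outside the visible lines.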
5729 @@ -227,22 +410,34 @@ static inline int atomic_xchg(atomic_t *
5731 static inline int atomic_add_unless(atomic_t *v, int a, int u)
5737 - if (unlikely(c == (u)))
5738 + if (unlikely(c == u))
5740 - old = atomic_cmpxchg((v), c, c + (a));
5742 + asm volatile("addl %2,%0\n"
5744 +#ifdef CONFIG_PAX_REFCOUNT
5746 + _ASM_EXTABLE(0b, 0b)
5750 + : "0" (c), "ir" (a));
5752 + old = atomic_cmpxchg(v, c, new);
5753 if (likely(old == c))
5761 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
5763 #define atomic_inc_return(v) (atomic_add_return(1, v))
5764 +#define atomic_inc_return_unchecked(v) (atomic_add_return_unchecked(1, v))
5765 #define atomic_dec_return(v) (atomic_sub_return(1, v))
5767 /* These are x86-specific, used by some header files */
5768 @@ -266,6 +461,14 @@ typedef struct {
5769 u64 __aligned(8) counter;
5772 +#ifdef CONFIG_PAX_REFCOUNT
5774 + u64 __aligned(8) counter;
5775 +} atomic64_unchecked_t;
5777 +typedef atomic64_t atomic64_unchecked_t;
5780 #define ATOMIC64_INIT(val) { (val) }
5782 extern u64 atomic64_cmpxchg(atomic64_t *ptr, u64 old_val, u64 new_val);
5783 diff -urNp linux-2.6.33.1/arch/x86/include/asm/atomic_64.h linux-2.6.33.1/arch/x86/include/asm/atomic_64.h
5784 --- linux-2.6.33.1/arch/x86/include/asm/atomic_64.h 2010-03-15 12:09:39.000000000 -0400
5785 +++ linux-2.6.33.1/arch/x86/include/asm/atomic_64.h 2010-03-20 16:58:38.972657826 -0400
5786 @@ -24,6 +24,17 @@ static inline int atomic_read(const atom
5790 + * atomic_read_unchecked - read atomic variable
5791 + * @v: pointer of type atomic_unchecked_t
5793 + * Atomically reads the value of @v.
5795 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
5797 + return v->counter;
5801 * atomic_set - set atomic variable
5802 * @v: pointer of type atomic_t
5803 * @i: required value
5804 @@ -36,6 +47,18 @@ static inline void atomic_set(atomic_t *
5808 + * atomic_set_unchecked - set atomic variable
5809 + * @v: pointer of type atomic_unchecked_t
5810 + * @i: required value
5812 + * Atomically sets the value of @v to @i.
5814 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
5820 * atomic_add - add integer to atomic variable
5821 * @i: integer value to add
5822 * @v: pointer of type atomic_t
5823 @@ -44,7 +67,29 @@ static inline void atomic_set(atomic_t *
5825 static inline void atomic_add(int i, atomic_t *v)
5827 - asm volatile(LOCK_PREFIX "addl %1,%0"
5828 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
5830 +#ifdef CONFIG_PAX_REFCOUNT
5832 + LOCK_PREFIX "subl %1,%0\n"
5834 + _ASM_EXTABLE(0b, 0b)
5837 + : "=m" (v->counter)
5838 + : "ir" (i), "m" (v->counter));
5842 + * atomic_add_unchecked - add integer to atomic variable
5843 + * @i: integer value to add
5844 + * @v: pointer of type atomic_unchecked_t
5846 + * Atomically adds @i to @v.
5848 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
5850 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
5852 : "ir" (i), "m" (v->counter));
5854 @@ -58,7 +103,29 @@ static inline void atomic_add(int i, ato
5856 static inline void atomic_sub(int i, atomic_t *v)
5858 - asm volatile(LOCK_PREFIX "subl %1,%0"
5859 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
5861 +#ifdef CONFIG_PAX_REFCOUNT
5863 + LOCK_PREFIX "addl %1,%0\n"
5865 + _ASM_EXTABLE(0b, 0b)
5868 + : "=m" (v->counter)
5869 + : "ir" (i), "m" (v->counter));
5873 + * atomic_sub_unchecked - subtract the atomic variable
5874 + * @i: integer value to subtract
5875 + * @v: pointer of type atomic_unchecked_t
5877 + * Atomically subtracts @i from @v.
5879 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
5881 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
5883 : "ir" (i), "m" (v->counter));
5885 @@ -76,7 +143,16 @@ static inline int atomic_sub_and_test(in
5889 - asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
5890 + asm volatile(LOCK_PREFIX "subl %2,%0\n"
5892 +#ifdef CONFIG_PAX_REFCOUNT
5894 + LOCK_PREFIX "addl %2,%0\n"
5896 + _ASM_EXTABLE(0b, 0b)
5900 : "=m" (v->counter), "=qm" (c)
5901 : "ir" (i), "m" (v->counter) : "memory");
5903 @@ -90,7 +166,32 @@ static inline int atomic_sub_and_test(in
5905 static inline void atomic_inc(atomic_t *v)
5907 - asm volatile(LOCK_PREFIX "incl %0"
5908 + asm volatile(LOCK_PREFIX "incl %0\n"
5910 +#ifdef CONFIG_PAX_REFCOUNT
5913 + ".pushsection .fixup,\"ax\"\n"
5915 + LOCK_PREFIX "decl %0\n"
5918 + _ASM_EXTABLE(0b, 1b)
5921 + : "=m" (v->counter)
5922 + : "m" (v->counter));
5926 + * atomic_inc_unchecked - increment atomic variable
5927 + * @v: pointer of type atomic_unchecked_t
5929 + * Atomically increments @v by 1.
5931 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
5933 + asm volatile(LOCK_PREFIX "incl %0\n"
5935 : "m" (v->counter));
5937 @@ -103,7 +204,19 @@ static inline void atomic_inc(atomic_t *
5939 static inline void atomic_dec(atomic_t *v)
5941 - asm volatile(LOCK_PREFIX "decl %0"
5942 + asm volatile(LOCK_PREFIX "decl %0\n"
5944 +#ifdef CONFIG_PAX_REFCOUNT
5947 + ".pushsection .fixup,\"ax\"\n"
5949 + LOCK_PREFIX "incl %0\n"
5952 + _ASM_EXTABLE(0b, 1b)
5956 : "m" (v->counter));
5958 @@ -120,7 +233,20 @@ static inline int atomic_dec_and_test(at
5962 - asm volatile(LOCK_PREFIX "decl %0; sete %1"
5963 + asm volatile(LOCK_PREFIX "decl %0\n"
5965 +#ifdef CONFIG_PAX_REFCOUNT
5968 + ".pushsection .fixup,\"ax\"\n"
5970 + LOCK_PREFIX "incl %0\n"
5973 + _ASM_EXTABLE(0b, 1b)
5977 : "=m" (v->counter), "=qm" (c)
5978 : "m" (v->counter) : "memory");
5980 @@ -138,7 +264,20 @@ static inline int atomic_inc_and_test(at
5984 - asm volatile(LOCK_PREFIX "incl %0; sete %1"
5985 + asm volatile(LOCK_PREFIX "incl %0\n"
5987 +#ifdef CONFIG_PAX_REFCOUNT
5990 + ".pushsection .fixup,\"ax\"\n"
5992 + LOCK_PREFIX "decl %0\n"
5995 + _ASM_EXTABLE(0b, 1b)
5999 : "=m" (v->counter), "=qm" (c)
6000 : "m" (v->counter) : "memory");
6002 @@ -157,7 +296,16 @@ static inline int atomic_add_negative(in
6006 - asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
6007 + asm volatile(LOCK_PREFIX "addl %2,%0\n"
6009 +#ifdef CONFIG_PAX_REFCOUNT
6011 + LOCK_PREFIX "subl %2,%0\n"
6013 + _ASM_EXTABLE(0b, 0b)
6017 : "=m" (v->counter), "=qm" (c)
6018 : "ir" (i), "m" (v->counter) : "memory");
6020 @@ -173,7 +321,15 @@ static inline int atomic_add_negative(in
6021 static inline int atomic_add_return(int i, atomic_t *v)
6024 - asm volatile(LOCK_PREFIX "xaddl %0, %1"
6025 + asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
6027 +#ifdef CONFIG_PAX_REFCOUNT
6031 + _ASM_EXTABLE(0b, 0b)
6034 : "+r" (i), "+m" (v->counter)
6037 @@ -204,6 +360,18 @@ static inline long atomic64_read(const a
6041 + * atomic64_read_unchecked - read atomic64 variable
6042 + * @v: pointer of type atomic64_unchecked_t
6044 + * Atomically reads the value of @v.
6045 + * Doesn't imply a read memory barrier.
6047 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
6049 + return v->counter;
6053 * atomic64_set - set atomic64 variable
6054 * @v: pointer to type atomic64_t
6055 * @i: required value
6056 @@ -216,6 +384,18 @@ static inline void atomic64_set(atomic64
6060 + * atomic64_set_unchecked - set atomic64 variable
6061 + * @v: pointer to type atomic64_unchecked_t
6062 + * @i: required value
6064 + * Atomically sets the value of @v to @i.
6066 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
6072 * atomic64_add - add integer to atomic64 variable
6073 * @i: integer value to add
6074 * @v: pointer to type atomic64_t
6075 @@ -224,6 +404,28 @@ static inline void atomic64_set(atomic64
6077 static inline void atomic64_add(long i, atomic64_t *v)
6079 + asm volatile(LOCK_PREFIX "addq %1,%0\n"
6081 +#ifdef CONFIG_PAX_REFCOUNT
6083 + LOCK_PREFIX "subq %1,%0\n"
6085 + _ASM_EXTABLE(0b, 0b)
6088 + : "=m" (v->counter)
6089 + : "er" (i), "m" (v->counter));
6093 + * atomic64_add_unchecked - add integer to atomic64 variable
6094 + * @i: integer value to add
6095 + * @v: pointer to type atomic64_unchecked_t
6097 + * Atomically adds @i to @v.
6099 +static inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
6101 asm volatile(LOCK_PREFIX "addq %1,%0"
6103 : "er" (i), "m" (v->counter));
6104 @@ -238,7 +440,15 @@ static inline void atomic64_add(long i,
6106 static inline void atomic64_sub(long i, atomic64_t *v)
6108 - asm volatile(LOCK_PREFIX "subq %1,%0"
6109 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
6111 +#ifdef CONFIG_PAX_REFCOUNT
6113 + LOCK_PREFIX "addq %1,%0\n"
6115 + _ASM_EXTABLE(0b, 0b)
6119 : "er" (i), "m" (v->counter));
6121 @@ -256,7 +466,16 @@ static inline int atomic64_sub_and_test(
6125 - asm volatile(LOCK_PREFIX "subq %2,%0; sete %1"
6126 + asm volatile(LOCK_PREFIX "subq %2,%0\n"
6128 +#ifdef CONFIG_PAX_REFCOUNT
6130 + LOCK_PREFIX "addq %2,%0\n"
6132 + _ASM_EXTABLE(0b, 0b)
6136 : "=m" (v->counter), "=qm" (c)
6137 : "er" (i), "m" (v->counter) : "memory");
6139 @@ -270,6 +489,31 @@ static inline int atomic64_sub_and_test(
6141 static inline void atomic64_inc(atomic64_t *v)
6143 + asm volatile(LOCK_PREFIX "incq %0\n"
6145 +#ifdef CONFIG_PAX_REFCOUNT
6148 + ".pushsection .fixup,\"ax\"\n"
6150 + LOCK_PREFIX "decq %0\n"
6153 + _ASM_EXTABLE(0b, 1b)
6156 + : "=m" (v->counter)
6157 + : "m" (v->counter));
6161 + * atomic64_inc_unchecked - increment atomic64 variable
6162 + * @v: pointer to type atomic64_unchecked_t
6164 + * Atomically increments @v by 1.
6166 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
6168 asm volatile(LOCK_PREFIX "incq %0"
6170 : "m" (v->counter));
6171 @@ -283,7 +527,19 @@ static inline void atomic64_inc(atomic64
6173 static inline void atomic64_dec(atomic64_t *v)
6175 - asm volatile(LOCK_PREFIX "decq %0"
6176 + asm volatile(LOCK_PREFIX "decq %0\n"
6178 +#ifdef CONFIG_PAX_REFCOUNT
6181 + ".pushsection .fixup,\"ax\"\n"
6183 + LOCK_PREFIX "incq %0\n"
6186 + _ASM_EXTABLE(0b, 1b)
6190 : "m" (v->counter));
6192 @@ -300,7 +556,20 @@ static inline int atomic64_dec_and_test(
6196 - asm volatile(LOCK_PREFIX "decq %0; sete %1"
6197 + asm volatile(LOCK_PREFIX "decq %0\n"
6199 +#ifdef CONFIG_PAX_REFCOUNT
6202 + ".pushsection .fixup,\"ax\"\n"
6204 + LOCK_PREFIX "incq %0\n"
6207 + _ASM_EXTABLE(0b, 1b)
6211 : "=m" (v->counter), "=qm" (c)
6212 : "m" (v->counter) : "memory");
6214 @@ -318,7 +587,20 @@ static inline int atomic64_inc_and_test(
6218 - asm volatile(LOCK_PREFIX "incq %0; sete %1"
6219 + asm volatile(LOCK_PREFIX "incq %0\n"
6221 +#ifdef CONFIG_PAX_REFCOUNT
6224 + ".pushsection .fixup,\"ax\"\n"
6226 + LOCK_PREFIX "decq %0\n"
6229 + _ASM_EXTABLE(0b, 1b)
6233 : "=m" (v->counter), "=qm" (c)
6234 : "m" (v->counter) : "memory");
6236 @@ -337,7 +619,16 @@ static inline int atomic64_add_negative(
6240 - asm volatile(LOCK_PREFIX "addq %2,%0; sets %1"
6241 + asm volatile(LOCK_PREFIX "addq %2,%0\n"
6243 +#ifdef CONFIG_PAX_REFCOUNT
6245 + LOCK_PREFIX "subq %2,%0\n"
6247 + _ASM_EXTABLE(0b, 0b)
6251 : "=m" (v->counter), "=qm" (c)
6252 : "er" (i), "m" (v->counter) : "memory");
6254 @@ -353,7 +644,31 @@ static inline int atomic64_add_negative(
6255 static inline long atomic64_add_return(long i, atomic64_t *v)
6258 - asm volatile(LOCK_PREFIX "xaddq %0, %1;"
6259 + asm volatile(LOCK_PREFIX "xaddq %0, %1\n"
6261 +#ifdef CONFIG_PAX_REFCOUNT
6265 + _ASM_EXTABLE(0b, 0b)
6268 + : "+r" (i), "+m" (v->counter)
6274 + * atomic64_add_return_unchecked - add and return
6275 + * @i: integer value to add
6276 + * @v: pointer to type atomic64_unchecked_t
6278 + * Atomically adds @i to @v and returns @i + @v
6280 +static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
6283 + asm volatile(LOCK_PREFIX "xaddq %0, %1"
6284 : "+r" (i), "+m" (v->counter)
6287 @@ -365,6 +680,7 @@ static inline long atomic64_sub_return(l
6290 #define atomic64_inc_return(v) (atomic64_add_return(1, (v)))
6291 +#define atomic64_inc_return_unchecked(v) (atomic64_add_return_unchecked(1, (v)))
6292 #define atomic64_dec_return(v) (atomic64_sub_return(1, (v)))
6294 static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
6295 @@ -398,17 +714,29 @@ static inline long atomic_xchg(atomic_t
6297 static inline int atomic_add_unless(atomic_t *v, int a, int u)
6303 - if (unlikely(c == (u)))
6304 + if (unlikely(c == u))
6306 - old = atomic_cmpxchg((v), c, c + (a));
6308 + asm volatile("addl %2,%0\n"
6310 +#ifdef CONFIG_PAX_REFCOUNT
6313 + _ASM_EXTABLE(0b, 0b)
6317 + : "0" (c), "ir" (a));
6319 + old = atomic_cmpxchg(v, c, new);
6320 if (likely(old == c))
6328 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
6329 @@ -424,17 +752,29 @@ static inline int atomic_add_unless(atom
6331 static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
6335 c = atomic64_read(v);
6337 - if (unlikely(c == (u)))
6338 + if (unlikely(c == u))
6340 - old = atomic64_cmpxchg((v), c, c + (a));
6342 + asm volatile("addq %2,%0\n"
6344 +#ifdef CONFIG_PAX_REFCOUNT
6347 + _ASM_EXTABLE(0b, 0b)
6351 + : "0" (c), "er" (a));
6353 + old = atomic64_cmpxchg((v), c, new);
6354 if (likely(old == c))
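Review bot: The rewritten call in `atomic64_add_unless` keeps redundant parentheses, `old = atomic64_cmpxchg((v), c, new);`, while the same hunk drops them in `if (unlikely(c == u))` and the 32-bit hunk above writes `old = atomic_cmpxchg(v, c, new);`. Write `old = atomic64_cmpxchg(v, c, new);` so the two variants read the same. The function body extends beyond the lines shown in this hunk.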
6363 diff -urNp linux-2.6.33.1/arch/x86/include/asm/boot.h linux-2.6.33.1/arch/x86/include/asm/boot.h
6364 --- linux-2.6.33.1/arch/x86/include/asm/boot.h 2010-03-15 12:09:39.000000000 -0400
6365 +++ linux-2.6.33.1/arch/x86/include/asm/boot.h 2010-03-20 16:58:38.972657826 -0400
6367 #include <asm/pgtable_types.h>
6369 /* Physical address where kernel should be loaded. */
6370 -#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
6371 +#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
6372 + (CONFIG_PHYSICAL_ALIGN - 1)) \
6373 & ~(CONFIG_PHYSICAL_ALIGN - 1))
6375 +#ifndef __ASSEMBLY__
6376 +extern unsigned char __LOAD_PHYSICAL_ADDR[];
6377 +#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
6380 /* Minimum kernel alignment, as a power of two */
6381 #ifdef CONFIG_X86_64
6382 #define MIN_KERNEL_ALIGN_LG2 PMD_SHIFT
6383 diff -urNp linux-2.6.33.1/arch/x86/include/asm/cache.h linux-2.6.33.1/arch/x86/include/asm/cache.h
6384 --- linux-2.6.33.1/arch/x86/include/asm/cache.h 2010-03-15 12:09:39.000000000 -0400
6385 +++ linux-2.6.33.1/arch/x86/include/asm/cache.h 2010-03-20 16:58:38.976510592 -0400
6387 #define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
6389 #define __read_mostly __attribute__((__section__(".data.read_mostly")))
6390 +#define __read_only __attribute__((__section__(".data.read_only")))
6392 #define INTERNODE_CACHE_SHIFT CONFIG_X86_INTERNODE_CACHE_SHIFT
6393 #define INTERNODE_CACHE_BYTES (1 << INTERNODE_CACHE_SHIFT)
6394 diff -urNp linux-2.6.33.1/arch/x86/include/asm/checksum_32.h linux-2.6.33.1/arch/x86/include/asm/checksum_32.h
6395 --- linux-2.6.33.1/arch/x86/include/asm/checksum_32.h 2010-03-15 12:09:39.000000000 -0400
6396 +++ linux-2.6.33.1/arch/x86/include/asm/checksum_32.h 2010-03-20 16:58:38.976510592 -0400
6397 @@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_gene
6398 int len, __wsum sum,
6399 int *src_err_ptr, int *dst_err_ptr);
6401 +asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
6402 + int len, __wsum sum,
6403 + int *src_err_ptr, int *dst_err_ptr);
6405 +asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
6406 + int len, __wsum sum,
6407 + int *src_err_ptr, int *dst_err_ptr);
6410 * Note: when you get a NULL pointer exception here this means someone
6411 * passed in an incorrect kernel address to one of these functions.
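Review bot: The two added prototypes, `csum_partial_copy_generic_to_user` and `csum_partial_copy_generic_from_user`, declare both `src` and `dst` as plain pointers and carry no comment, so nothing at the declaration says which argument is the user-space one. The callers in the later hunks of this file still cast with `(__force void *)`, which hides the address space from sparse at exactly the point where the user/kernel distinction matters. Consider annotating the user side (`const void __user *src` for the from_user variant, `void __user *dst` for the to_user variant) so the casts can go. A short comment should also say which error pointer reports a fault on the user side. The implementations are outside this hunk, so the exact wording should be confirmed there.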
6412 @@ -50,7 +58,7 @@ static inline __wsum csum_partial_copy_f
6416 - return csum_partial_copy_generic((__force void *)src, dst,
6417 + return csum_partial_copy_generic_from_user((__force void *)src, dst,
6418 len, sum, err_ptr, NULL);
6421 @@ -178,7 +186,7 @@ static inline __wsum csum_and_copy_to_us
6424 if (access_ok(VERIFY_WRITE, dst, len))
6425 - return csum_partial_copy_generic(src, (__force void *)dst,
6426 + return csum_partial_copy_generic_to_user(src, (__force void *)dst,
6427 len, sum, NULL, err_ptr);
6430 diff -urNp linux-2.6.33.1/arch/x86/include/asm/desc.h linux-2.6.33.1/arch/x86/include/asm/desc.h
6431 --- linux-2.6.33.1/arch/x86/include/asm/desc.h 2010-03-15 12:09:39.000000000 -0400
6432 +++ linux-2.6.33.1/arch/x86/include/asm/desc.h 2010-03-20 16:58:38.976510592 -0400
6434 #include <asm/desc_defs.h>
6435 #include <asm/ldt.h>
6436 #include <asm/mmu.h>
6437 +#include <asm/pgtable.h>
6438 #include <linux/smp.h>
6440 static inline void fill_ldt(struct desc_struct *desc,
6441 @@ -15,6 +16,7 @@ static inline void fill_ldt(struct desc_
6442 desc->base1 = (info->base_addr & 0x00ff0000) >> 16;
6443 desc->type = (info->read_exec_only ^ 1) << 1;
6444 desc->type |= info->contents << 2;
6445 + desc->type |= info->seg_not_present ^ 1;
6448 desc->p = info->seg_not_present ^ 1;
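Review bot: The added `desc->type |= info->seg_not_present ^ 1;` sets bit 0 of the type field for every present segment, and nothing in the hunk says why. Bit 0 of a code/data descriptor type is the accessed flag. Presumably it is pre-set so that loading the segment never makes the CPU write that flag back into the descriptor table, but this should be stated rather than left to inference. A one-line comment above it, for example `/* pre-set the accessed bit so a segment load does not write to the descriptor */`, would do. fill_ldt's body starts and ends outside this hunk.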
6449 @@ -31,16 +33,12 @@ static inline void fill_ldt(struct desc_
6452 extern struct desc_ptr idt_descr;
6453 -extern gate_desc idt_table[];
6456 - struct desc_struct gdt[GDT_ENTRIES];
6457 -} __attribute__((aligned(PAGE_SIZE)));
6458 -DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
6459 +extern gate_desc idt_table[256];
6461 +extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
6462 static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
6464 - return per_cpu(gdt_page, cpu).gdt;
6465 + return cpu_gdt_table[cpu];
6468 #ifdef CONFIG_X86_64
6469 @@ -115,19 +113,24 @@ static inline void paravirt_free_ldt(str
6470 static inline void native_write_idt_entry(gate_desc *idt, int entry,
6471 const gate_desc *gate)
6473 + pax_open_kernel();
6474 memcpy(&idt[entry], gate, sizeof(*gate));
6475 + pax_close_kernel();
6478 static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry,
6481 + pax_open_kernel();
6482 memcpy(&ldt[entry], desc, 8);
6483 + pax_close_kernel();
6486 static inline void native_write_gdt_entry(struct desc_struct *gdt, int entry,
6487 const void *desc, int type)
6493 size = sizeof(tss_desc);
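Review bot: None of the added `pax_open_kernel()`/`pax_close_kernel()` pairs says why the bracketed statement needs a write window. This applies to `native_write_idt_entry` and `native_write_ldt_entry` here, and to the `@@ -139`, `@@ -211` and `@@ -246` hunks below. The `native_load_tr_desc` case is the least obvious, since `ltr` is not a store in C terms but does mark the TSS descriptor busy in the GDT. Each site would benefit from a short comment such as `/* descriptor table is write-protected; open a window for this store only */` (wording to be confirmed against the pax_open_kernel definition, which is not in this hunk). It is also worth stating that nothing else should be placed between the two calls, so the window stays as small as it is now. native_write_gdt_entry continues past the end of this hunk.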
6494 @@ -139,7 +142,10 @@ static inline void native_write_gdt_entr
6495 size = sizeof(struct desc_struct);
6499 + pax_open_kernel();
6500 memcpy(&gdt[entry], desc, size);
6501 + pax_close_kernel();
6504 static inline void pack_descriptor(struct desc_struct *desc, unsigned long base,
6505 @@ -211,7 +217,9 @@ static inline void native_set_ldt(const
6507 static inline void native_load_tr_desc(void)
6509 + pax_open_kernel();
6510 asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
6511 + pax_close_kernel();
6514 static inline void native_load_gdt(const struct desc_ptr *dtr)
6515 @@ -246,8 +254,10 @@ static inline void native_load_tls(struc
6517 struct desc_struct *gdt = get_cpu_gdt_table(cpu);
6519 + pax_open_kernel();
6520 for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
6521 gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
6522 + pax_close_kernel();
6525 #define _LDT_empty(info) \
6526 @@ -392,4 +402,16 @@ static inline void set_system_intr_gate_
6527 _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
6530 +#ifdef CONFIG_X86_32
6531 +static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
6533 + struct desc_struct d;
6535 + if (likely(limit))
6536 + limit = (limit - 1UL) >> PAGE_SHIFT;
6537 + pack_descriptor(&d, base, limit, 0xFB, 0xC);
6538 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S);
6542 #endif /* _ASM_X86_DESC_H */
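Review bot: `set_user_cs` passes the bare constants `0xFB` and `0xC` to `pack_descriptor` and has no comment describing `base`, `limit` or the `limit == 0` case. When `limit` is zero the `if (likely(limit))` branch is skipped and the descriptor is written with a limit field of 0. Assuming `0xC` includes the granularity flag, that still describes a one-page segment rather than an empty one. If zero is meant to denote "no executable range", that should be handled or at least documented. A header comment giving the unit of `limit` (bytes on entry, converted to pages here) and naming the type and flag values would make the function reviewable.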
6543 diff -urNp linux-2.6.33.1/arch/x86/include/asm/device.h linux-2.6.33.1/arch/x86/include/asm/device.h
6544 --- linux-2.6.33.1/arch/x86/include/asm/device.h 2010-03-15 12:09:39.000000000 -0400
6545 +++ linux-2.6.33.1/arch/x86/include/asm/device.h 2010-03-20 16:58:38.976510592 -0400
6546 @@ -6,7 +6,7 @@ struct dev_archdata {
6549 #ifdef CONFIG_X86_64
6550 -struct dma_map_ops *dma_ops;
6551 + const struct dma_map_ops *dma_ops;
6553 #if defined(CONFIG_DMAR) || defined(CONFIG_AMD_IOMMU)
6554 void *iommu; /* hook for IOMMU specific extension */
6555 diff -urNp linux-2.6.33.1/arch/x86/include/asm/dma-mapping.h linux-2.6.33.1/arch/x86/include/asm/dma-mapping.h
6556 --- linux-2.6.33.1/arch/x86/include/asm/dma-mapping.h 2010-03-15 12:09:39.000000000 -0400
6557 +++ linux-2.6.33.1/arch/x86/include/asm/dma-mapping.h 2010-03-20 16:58:38.976510592 -0400
6558 @@ -26,9 +26,9 @@ extern int iommu_merge;
6559 extern struct device x86_dma_fallback_dev;
6560 extern int panic_on_overflow;
6562 -extern struct dma_map_ops *dma_ops;
6563 +extern const struct dma_map_ops *dma_ops;
6565 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
6566 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
6568 #ifdef CONFIG_X86_32
6570 @@ -45,7 +45,7 @@ static inline struct dma_map_ops *get_dm
6571 /* Make sure we keep the same behaviour */
6572 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
6574 - struct dma_map_ops *ops = get_dma_ops(dev);
6575 + const struct dma_map_ops *ops = get_dma_ops(dev);
6576 if (ops->mapping_error)
6577 return ops->mapping_error(dev, dma_addr);
6579 @@ -123,7 +123,7 @@ static inline void *
6580 dma_alloc_coherent(struct device *dev, size_t size, dma_addr_t *dma_handle,
6583 - struct dma_map_ops *ops = get_dma_ops(dev);
6584 + const struct dma_map_ops *ops = get_dma_ops(dev);
6587 gfp &= ~(__GFP_DMA | __GFP_HIGHMEM | __GFP_DMA32);
6588 @@ -150,7 +150,7 @@ dma_alloc_coherent(struct device *dev, s
6589 static inline void dma_free_coherent(struct device *dev, size_t size,
6590 void *vaddr, dma_addr_t bus)
6592 - struct dma_map_ops *ops = get_dma_ops(dev);
6593 + const struct dma_map_ops *ops = get_dma_ops(dev);
6595 WARN_ON(irqs_disabled()); /* for portability */
6597 diff -urNp linux-2.6.33.1/arch/x86/include/asm/e820.h linux-2.6.33.1/arch/x86/include/asm/e820.h
6598 --- linux-2.6.33.1/arch/x86/include/asm/e820.h 2010-03-15 12:09:39.000000000 -0400
6599 +++ linux-2.6.33.1/arch/x86/include/asm/e820.h 2010-03-20 16:58:38.976510592 -0400
6600 @@ -64,7 +64,7 @@ struct e820map {
6601 #define ISA_START_ADDRESS 0xa0000
6602 #define ISA_END_ADDRESS 0x100000
6604 -#define BIOS_BEGIN 0x000a0000
6605 +#define BIOS_BEGIN 0x000c0000
6606 #define BIOS_END 0x00100000
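Review bot: `BIOS_BEGIN` moves from `0x000a0000` to `0x000c0000` with no comment, while `ISA_START_ADDRESS` in the context lines stays at `0xa0000`, so two ranges that began at the same address now differ by 0x20000. Every user of `BIOS_BEGIN` changes behaviour for 0xa0000–0xbffff, and nothing here says that is intended. Add a comment on the define stating why that range is left out (presumably because it is legacy video memory rather than BIOS ROM; confirm) and which check depends on the new value.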
6609 diff -urNp linux-2.6.33.1/arch/x86/include/asm/elf.h linux-2.6.33.1/arch/x86/include/asm/elf.h
6610 --- linux-2.6.33.1/arch/x86/include/asm/elf.h 2010-03-15 12:09:39.000000000 -0400
6611 +++ linux-2.6.33.1/arch/x86/include/asm/elf.h 2010-03-20 16:58:38.976510592 -0400
6612 @@ -237,7 +237,25 @@ extern int force_personality32;
6613 the loader. We need to make sure that it is out of the way of the program
6614 that it will "exec", and that there is sufficient room for the brk. */
6616 +#ifdef CONFIG_PAX_SEGMEXEC
6617 +#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
6619 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
6622 +#ifdef CONFIG_PAX_ASLR
6623 +#ifdef CONFIG_X86_32
6624 +#define PAX_ELF_ET_DYN_BASE 0x10000000UL
6626 +#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
6627 +#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
6629 +#define PAX_ELF_ET_DYN_BASE 0x400000UL
6631 +#define PAX_DELTA_MMAP_LEN ((test_thread_flag(TIF_IA32)) ? 16 : 32)
6632 +#define PAX_DELTA_STACK_LEN ((test_thread_flag(TIF_IA32)) ? 16 : 32)
6636 /* This yields a mask that user programs can use to figure out what
6637 instruction set this CPU supports. This could be done in user space,
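Review bot: The added `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` values (15 or 16 on 32-bit, 16 or 32 on 64-bit) have no comment giving their unit. The 32-bit forms and the new `ELF_ET_DYN_BASE` also dereference `current->mm` unconditionally. A comment should state what the numbers count (presumably bits of randomisation; confirm against the code that consumes them). It should also say that these macros may only be evaluated where `current->mm` is non-NULL, which excludes kernel threads. The preprocessor branch structure is only partly visible in this hunk, so the comment placement should be checked against the full file.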
6638 @@ -291,8 +309,7 @@ do { \
6639 #define ARCH_DLINFO \
6642 - NEW_AUX_ENT(AT_SYSINFO_EHDR, \
6643 - (unsigned long)current->mm->context.vdso); \
6644 + NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);\
6647 #define AT_SYSINFO 32
6648 @@ -303,7 +320,7 @@ do { \
6650 #endif /* !CONFIG_X86_32 */
6652 -#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
6653 +#define VDSO_CURRENT_BASE (current->mm->context.vdso)
6655 #define VDSO_ENTRY \
6656 ((unsigned long)VDSO32_SYMBOL(VDSO_CURRENT_BASE, vsyscall))
6657 @@ -317,7 +334,4 @@ extern int arch_setup_additional_pages(s
6658 extern int syscall32_setup_pages(struct linux_binprm *, int exstack);
6659 #define compat_arch_setup_additional_pages syscall32_setup_pages
6661 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
6662 -#define arch_randomize_brk arch_randomize_brk
6664 #endif /* _ASM_X86_ELF_H */
6665 diff -urNp linux-2.6.33.1/arch/x86/include/asm/futex.h linux-2.6.33.1/arch/x86/include/asm/futex.h
6666 --- linux-2.6.33.1/arch/x86/include/asm/futex.h 2010-03-15 12:09:39.000000000 -0400
6667 +++ linux-2.6.33.1/arch/x86/include/asm/futex.h 2010-03-20 16:58:38.976510592 -0400
6669 #include <asm/processor.h>
6670 #include <asm/system.h>
6672 +#ifdef CONFIG_X86_32
6673 +#define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
6675 + "movw\t%w6, %%ds\n" \
6676 + "1:\t" insn "\n" \
6677 + "2:\tpushl\t%%ss\n" \
6678 + "\tpopl\t%%ds\n" \
6679 + "\t.section .fixup,\"ax\"\n" \
6680 + "3:\tmov\t%3, %1\n" \
6683 + _ASM_EXTABLE(1b, 3b) \
6684 + : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
6685 + : "i" (-EFAULT), "0" (oparg), "1" (0), "r" (__USER_DS))
6687 +#define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
6688 + asm volatile("movw\t%w7, %%es\n" \
6689 + "1:\tmovl\t%%es:%2, %0\n" \
6690 + "\tmovl\t%0, %3\n" \
6692 + "2:\t" LOCK_PREFIX "cmpxchgl %3, %%es:%2\n"\
6694 + "3:\tpushl\t%%ss\n" \
6695 + "\tpopl\t%%es\n" \
6696 + "\t.section .fixup,\"ax\"\n" \
6697 + "4:\tmov\t%5, %1\n" \
6700 + _ASM_EXTABLE(1b, 4b) \
6701 + _ASM_EXTABLE(2b, 4b) \
6702 + : "=&a" (oldval), "=&r" (ret), \
6703 + "+m" (*uaddr), "=&r" (tem) \
6704 + : "r" (oparg), "i" (-EFAULT), "1" (0), "r" (__USER_DS))
6706 #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
6707 asm volatile("1:\t" insn "\n" \
6708 "2:\t.section .fixup,\"ax\"\n" \
6710 : "=&a" (oldval), "=&r" (ret), \
6711 "+m" (*uaddr), "=&r" (tem) \
6712 : "r" (oparg), "i" (-EFAULT), "1" (0))
6715 -static inline int futex_atomic_op_inuser(int encoded_op, int __user *uaddr)
6716 +static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
6718 int op = (encoded_op >> 28) & 7;
6719 int cmp = (encoded_op >> 24) & 15;
6720 @@ -61,11 +96,20 @@ static inline int futex_atomic_op_inuser
6724 +#ifdef CONFIG_X86_32
6725 + __futex_atomic_op1("xchgl %0, %%ds:%2", ret, oldval, uaddr, oparg);
6727 __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
6731 +#ifdef CONFIG_X86_32
6732 + __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %%ds:%2", ret, oldval,
6735 __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
6740 __futex_atomic_op2("orl %4, %3", ret, oldval, uaddr, oparg);
6741 @@ -109,7 +153,7 @@ static inline int futex_atomic_op_inuser
6745 -static inline int futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval,
6746 +static inline int futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval,
6750 @@ -122,14 +166,27 @@ static inline int futex_atomic_cmpxchg_i
6751 if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
6754 - asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
6756 +#ifdef CONFIG_X86_32
6757 + "\tmovw %w5, %%ds\n"
6758 + "1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
6759 + "2:\tpushl %%ss\n"
6761 + "\t.section .fixup, \"ax\"\n"
6763 + "1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
6764 "2:\t.section .fixup, \"ax\"\n"
6769 _ASM_EXTABLE(1b, 3b)
6770 : "=a" (oldval), "+m" (*uaddr)
6771 +#ifdef CONFIG_X86_32
6772 + : "i" (-EFAULT), "r" (newval), "0" (oldval), "r" (__USER_DS)
6774 : "i" (-EFAULT), "r" (newval), "0" (oldval)
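Review bot: In the CONFIG_X86_32 branch of `futex_atomic_cmpxchg_inatomic` the added `cmpxchgl %3, %1` has no segment override, although `%ds` was just loaded with `__USER_DS`. The 32-bit `__futex_atomic_op1`/`__futex_atomic_op2` paths earlier in this file spell it out as `%%ds:%2` and `%%es:%2`. If the compiler happens to address `*uaddr` through `%ebp` or `%esp`, the instruction defaults to `%ss` and the access is no longer confined to the user segment. For consistency the line should read `"1:\t" LOCK_PREFIX "cmpxchgl %3, %%ds:%1\n"`. The unchanged `access_ok(VERIFY_WRITE, uaddr, sizeof(int))` could also become `sizeof(*uaddr)` now that the parameter is `u32 __user *`. Parts of the asm statement are not visible in this hunk, so check against the full text before applying.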
6779 diff -urNp linux-2.6.33.1/arch/x86/include/asm/i387.h linux-2.6.33.1/arch/x86/include/asm/i387.h
6780 --- linux-2.6.33.1/arch/x86/include/asm/i387.h 2010-03-15 12:09:39.000000000 -0400
6781 +++ linux-2.6.33.1/arch/x86/include/asm/i387.h 2010-03-20 16:58:38.976510592 -0400
6782 @@ -197,13 +197,8 @@ static inline int fxrstor_checking(struc
6785 /* We need a safe address that is cheap to find and that is already
6786 - in L1 during context switch. The best choices are unfortunately
6787 - different for UP and SMP */
6789 -#define safe_address (__per_cpu_offset[0])
6791 -#define safe_address (kstat_cpu(0).cpustat.user)
6793 + in L1 during context switch. */
6794 +#define safe_address (init_tss[smp_processor_id()].x86_tss.sp0)
6797 * These must be called with preempt disabled
6798 diff -urNp linux-2.6.33.1/arch/x86/include/asm/io_64.h linux-2.6.33.1/arch/x86/include/asm/io_64.h
6799 --- linux-2.6.33.1/arch/x86/include/asm/io_64.h 2010-03-15 12:09:39.000000000 -0400
6800 +++ linux-2.6.33.1/arch/x86/include/asm/io_64.h 2010-03-20 16:58:38.976510592 -0400
6801 @@ -140,6 +140,17 @@ __OUTS(l)
6803 #include <linux/vmalloc.h>
6805 +#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
6806 +static inline int valid_phys_addr_range(unsigned long addr, size_t count)
6808 + return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
6811 +static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
6813 + return (pfn + (count >> PAGE_SHIFT)) < (1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
6816 #include <asm-generic/iomap.h>
6818 void __memcpy_fromio(void *, unsigned long, unsigned);
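Review bot: Both added helpers compute the bound as `1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)`, which shifts a 32-bit `int`. A shift count of 31 overflows the signed type, and a count of 32 or more is undefined, so on CPUs reporting enough physical address bits the comparison no longer tests the intended limit. Use an unsigned long constant, `(1UL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT))`, in `valid_phys_addr_range` and `valid_mmap_phys_addr_range`. Separately, `addr + count + PAGE_SIZE - 1` and `pfn + (count >> PAGE_SHIFT)` can wrap for a large `count`, and a wrapped sum would pass the `<` test. Checking `count` against the remaining range before adding would close that.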
6819 diff -urNp linux-2.6.33.1/arch/x86/include/asm/iommu.h linux-2.6.33.1/arch/x86/include/asm/iommu.h
6820 --- linux-2.6.33.1/arch/x86/include/asm/iommu.h 2010-03-15 12:09:39.000000000 -0400
6821 +++ linux-2.6.33.1/arch/x86/include/asm/iommu.h 2010-03-20 16:58:38.976510592 -0400
6823 #ifndef _ASM_X86_IOMMU_H
6824 #define _ASM_X86_IOMMU_H
6826 -extern struct dma_map_ops nommu_dma_ops;
6827 +extern const struct dma_map_ops nommu_dma_ops;
6828 extern int force_iommu, no_iommu;
6829 extern int iommu_detected;
6830 extern int iommu_pass_through;
6831 diff -urNp linux-2.6.33.1/arch/x86/include/asm/irqflags.h linux-2.6.33.1/arch/x86/include/asm/irqflags.h
6832 --- linux-2.6.33.1/arch/x86/include/asm/irqflags.h 2010-03-15 12:09:39.000000000 -0400
6833 +++ linux-2.6.33.1/arch/x86/include/asm/irqflags.h 2010-03-20 17:06:47.204705877 -0400
6834 @@ -142,10 +142,77 @@ static inline unsigned long __raw_local_
6838 +/* PaX: special register usage in entry_64.S, beware */
6839 +#ifdef CONFIG_PAX_KERNEXEC
6840 + .macro ljmpq sel, off
6841 + .byte 0x48; ljmp *1234f(%rip)
6842 + .pushsection .rodata
6844 + 1234: .quad \off; .word \sel
6848 +#define PAX_EXIT_KERNEL \
6851 + cmp $__KERNEXEC_KERNEL_CS, %esi;\
6855 + ljmpq __KERNEL_CS, 1f; \
6856 +1: mov %rsi, %cr0; \
6859 +#define PAX_ENTER_KERNEL \
6865 + cmp $__KERNEL_CS, %esi; \
6867 + ljmpq __KERNEL_CS, 3f; \
6868 +1: ljmpq __KERNEXEC_KERNEL_CS, 2f; \
6869 +2: mov %rsi, %cr0; \
6872 +#define PAX_EXIT_KERNEL
6873 +#define PAX_ENTER_KERNEL
6877 #define INTERRUPT_RETURN iret
6878 #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
6879 #define GET_CR0_INTO_EAX movl %cr0, %eax
6881 +/* PaX: special register usage in entry_32.S, beware */
6882 +#ifdef CONFIG_PAX_KERNEXEC
6883 +#define PAX_EXIT_KERNEL \
6885 + cmp $__KERNEXEC_KERNEL_CS, %esi;\
6889 + ljmp $__KERNEL_CS, $1f; \
6890 +1: mov %esi, %cr0; \
6893 +#define PAX_ENTER_KERNEL \
6898 + cmp $__KERNEL_CS, %esi; \
6900 + ljmp $__KERNEL_CS, $3f; \
6901 +1: ljmp $__KERNEXEC_KERNEL_CS, $2f;\
6902 +2: mov %esi, %cr0; \
6905 +#define PAX_EXIT_KERNEL
6906 +#define PAX_ENTER_KERNEL
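Review bot: The comment `/* PaX: special register usage in entry_64.S, beware */` and its entry_32.S twin do not say which register is special or what a caller must avoid. The visible macro lines use `%rsi`/`%esi` for the `cmp` against the code-segment selector and for the `mov` into `%cr0`. The comment should name that register, state whether `PAX_ENTER_KERNEL`/`PAX_EXIT_KERNEL` preserve it, and note that the macros rewrite `%cr0` and reload CS. Several macro lines are not visible in this hunk, so the save/restore behaviour has to be read from the full definition before the comment is worded.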
6912 diff -urNp linux-2.6.33.1/arch/x86/include/asm/kvm_host.h linux-2.6.33.1/arch/x86/include/asm/kvm_host.h
6913 --- linux-2.6.33.1/arch/x86/include/asm/kvm_host.h 2010-03-15 12:09:39.000000000 -0400
6914 +++ linux-2.6.33.1/arch/x86/include/asm/kvm_host.h 2010-03-20 16:58:38.976510592 -0400
6915 @@ -536,7 +536,7 @@ struct kvm_x86_ops {
6916 const struct trace_print_flags *exit_reasons_str;
6919 -extern struct kvm_x86_ops *kvm_x86_ops;
6920 +extern const struct kvm_x86_ops *kvm_x86_ops;
6922 int kvm_mmu_module_init(void);
6923 void kvm_mmu_module_exit(void);
6924 diff -urNp linux-2.6.33.1/arch/x86/include/asm/local.h linux-2.6.33.1/arch/x86/include/asm/local.h
6925 --- linux-2.6.33.1/arch/x86/include/asm/local.h 2010-03-15 12:09:39.000000000 -0400
6926 +++ linux-2.6.33.1/arch/x86/include/asm/local.h 2010-03-20 16:58:38.976510592 -0400
6927 @@ -18,26 +18,90 @@ typedef struct {
6929 static inline void local_inc(local_t *l)
6931 - asm volatile(_ASM_INC "%0"
6932 + asm volatile(_ASM_INC "%0\n"
6934 +#ifdef CONFIG_PAX_REFCOUNT
6935 +#ifdef CONFIG_X86_32
6941 + ".pushsection .fixup,\"ax\"\n"
6946 + _ASM_EXTABLE(0b, 1b)
6949 : "+m" (l->a.counter));
6952 static inline void local_dec(local_t *l)
6954 - asm volatile(_ASM_DEC "%0"
6955 + asm volatile(_ASM_DEC "%0\n"
6957 +#ifdef CONFIG_PAX_REFCOUNT
6958 +#ifdef CONFIG_X86_32
6964 + ".pushsection .fixup,\"ax\"\n"
6969 + _ASM_EXTABLE(0b, 1b)
6972 : "+m" (l->a.counter));
6975 static inline void local_add(long i, local_t *l)
6977 - asm volatile(_ASM_ADD "%1,%0"
6978 + asm volatile(_ASM_ADD "%1,%0\n"
6980 +#ifdef CONFIG_PAX_REFCOUNT
6981 +#ifdef CONFIG_X86_32
6987 + ".pushsection .fixup,\"ax\"\n"
6989 + _ASM_SUB "%1,%0\n"
6992 + _ASM_EXTABLE(0b, 1b)
6995 : "+m" (l->a.counter)
6999 static inline void local_sub(long i, local_t *l)
7001 - asm volatile(_ASM_SUB "%1,%0"
7002 + asm volatile(_ASM_SUB "%1,%0\n"
7004 +#ifdef CONFIG_PAX_REFCOUNT
7005 +#ifdef CONFIG_X86_32
7011 + ".pushsection .fixup,\"ax\"\n"
7013 + _ASM_ADD "%1,%0\n"
7016 + _ASM_EXTABLE(0b, 1b)
7019 : "+m" (l->a.counter)
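Review bot: The same overflow scaffold is pasted into every function this patch touches in local.h: `#ifdef CONFIG_PAX_REFCOUNT`, a nested `#ifdef CONFIG_X86_32`, a `.pushsection .fixup,\"ax\"` block and `_ASM_EXTABLE(0b, 1b)`. It appears in `local_inc`, `local_dec`, `local_add` and `local_sub` here, and again in the `@@ -55`, `@@ -73`, `@@ -91`, `@@ -110` and `@@ -133` hunks. Only the undo instruction differs between them (`_ASM_SUB "%1,%0\n"` versus `_ASM_ADD "%1,%0\n"`, for example). Factoring the scaffold into one helper macro that takes the undo instruction as its argument would leave a single place to audit. It would also remove the risk of one copy drifting from the others. The helper would be defined once near the top of the header, outside this hunk.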
7022 @@ -55,7 +119,24 @@ static inline int local_sub_and_test(lon
7026 - asm volatile(_ASM_SUB "%2,%0; sete %1"
7027 + asm volatile(_ASM_SUB "%2,%0\n"
7029 +#ifdef CONFIG_PAX_REFCOUNT
7030 +#ifdef CONFIG_X86_32
7036 + ".pushsection .fixup,\"ax\"\n"
7038 + _ASM_ADD "%2,%0\n"
7041 + _ASM_EXTABLE(0b, 1b)
7045 : "+m" (l->a.counter), "=qm" (c)
7046 : "ir" (i) : "memory");
7048 @@ -73,7 +154,24 @@ static inline int local_dec_and_test(loc
7052 - asm volatile(_ASM_DEC "%0; sete %1"
7053 + asm volatile(_ASM_DEC "%0\n"
7055 +#ifdef CONFIG_PAX_REFCOUNT
7056 +#ifdef CONFIG_X86_32
7062 + ".pushsection .fixup,\"ax\"\n"
7067 + _ASM_EXTABLE(0b, 1b)
7071 : "+m" (l->a.counter), "=qm" (c)
7074 @@ -91,7 +189,24 @@ static inline int local_inc_and_test(loc
7078 - asm volatile(_ASM_INC "%0; sete %1"
7079 + asm volatile(_ASM_INC "%0\n"
7081 +#ifdef CONFIG_PAX_REFCOUNT
7082 +#ifdef CONFIG_X86_32
7088 + ".pushsection .fixup,\"ax\"\n"
7093 + _ASM_EXTABLE(0b, 1b)
7097 : "+m" (l->a.counter), "=qm" (c)
7100 @@ -110,7 +225,24 @@ static inline int local_add_negative(lon
7104 - asm volatile(_ASM_ADD "%2,%0; sets %1"
7105 + asm volatile(_ASM_ADD "%2,%0\n"
7107 +#ifdef CONFIG_PAX_REFCOUNT
7108 +#ifdef CONFIG_X86_32
7114 + ".pushsection .fixup,\"ax\"\n"
7116 + _ASM_SUB "%2,%0\n"
7119 + _ASM_EXTABLE(0b, 1b)
7123 : "+m" (l->a.counter), "=qm" (c)
7124 : "ir" (i) : "memory");
7126 @@ -133,7 +265,23 @@ static inline long local_add_return(long
7128 /* Modern 486+ processor */
7130 - asm volatile(_ASM_XADD "%0, %1;"
7131 + asm volatile(_ASM_XADD "%0, %1\n"
7133 +#ifdef CONFIG_PAX_REFCOUNT
7134 +#ifdef CONFIG_X86_32
7140 + ".pushsection .fixup,\"ax\"\n"
7142 + _ASM_MOV "%0,%1\n"
7145 + _ASM_EXTABLE(0b, 1b)
7148 : "+r" (i), "+m" (l->a.counter)
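Review bot: The overflow fixup in `local_add_return` undoes the `xadd` with a plain store, `_ASM_MOV "%0,%1\n"`, whereas the other local.h functions undo with the inverse arithmetic instruction (`_ASM_SUB`/`_ASM_ADD`). A store of the saved old value overwrites whatever the counter holds at that moment. An update made by an interrupt handler between the `xadd` and the `mov` would therefore be lost, which the inverse-operation form avoids. If the original addend is still available in the enclosing function, subtracting it from `%1` would keep the undo consistent with the rest of the file. Otherwise a comment should state that the overwrite is accepted on this error path. The function body and part of the asm statement lie outside the visible lines, so this needs checking against the full hunk.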
7151 diff -urNp linux-2.6.33.1/arch/x86/include/asm/microcode.h linux-2.6.33.1/arch/x86/include/asm/microcode.h
7152 --- linux-2.6.33.1/arch/x86/include/asm/microcode.h 2010-03-15 12:09:39.000000000 -0400
7153 +++ linux-2.6.33.1/arch/x86/include/asm/microcode.h 2010-03-20 16:58:38.976510592 -0400
7154 @@ -12,13 +12,13 @@ struct device;
7155 enum ucode_state { UCODE_ERROR, UCODE_OK, UCODE_NFOUND };
7157 struct microcode_ops {
7158 - enum ucode_state (*request_microcode_user) (int cpu,
7159 + enum ucode_state (* const request_microcode_user) (int cpu,
7160 const void __user *buf, size_t size);
7162 - enum ucode_state (*request_microcode_fw) (int cpu,
7163 + enum ucode_state (* const request_microcode_fw) (int cpu,
7164 struct device *device);
7166 - void (*microcode_fini_cpu) (int cpu);
7167 + void (* const microcode_fini_cpu) (int cpu);
7170 * The generic 'microcode_core' part guarantees that
7171 @@ -38,18 +38,18 @@ struct ucode_cpu_info {
7172 extern struct ucode_cpu_info ucode_cpu_info[];
7174 #ifdef CONFIG_MICROCODE_INTEL
7175 -extern struct microcode_ops * __init init_intel_microcode(void);
7176 +extern const struct microcode_ops * __init init_intel_microcode(void);
7178 -static inline struct microcode_ops * __init init_intel_microcode(void)
7179 +static inline const struct microcode_ops * __init init_intel_microcode(void)
7183 #endif /* CONFIG_MICROCODE_INTEL */
7185 #ifdef CONFIG_MICROCODE_AMD
7186 -extern struct microcode_ops * __init init_amd_microcode(void);
7187 +extern const struct microcode_ops * __init init_amd_microcode(void);
7189 -static inline struct microcode_ops * __init init_amd_microcode(void)
7190 +static inline const struct microcode_ops * __init init_amd_microcode(void)
7194 diff -urNp linux-2.6.33.1/arch/x86/include/asm/mman.h linux-2.6.33.1/arch/x86/include/asm/mman.h
7195 --- linux-2.6.33.1/arch/x86/include/asm/mman.h 2010-03-15 12:09:39.000000000 -0400
7196 +++ linux-2.6.33.1/arch/x86/include/asm/mman.h 2010-03-20 16:58:38.976510592 -0400
7199 #include <asm-generic/mman.h>
7202 +#ifndef __ASSEMBLY__
7203 +#ifdef CONFIG_X86_32
7204 +#define arch_mmap_check i386_mmap_check
7205 +int i386_mmap_check(unsigned long addr, unsigned long len,
7206 + unsigned long flags);
7211 #endif /* _ASM_X86_MMAN_H */
7212 diff -urNp linux-2.6.33.1/arch/x86/include/asm/mmu_context.h linux-2.6.33.1/arch/x86/include/asm/mmu_context.h
7213 --- linux-2.6.33.1/arch/x86/include/asm/mmu_context.h 2010-03-15 12:09:39.000000000 -0400
7214 +++ linux-2.6.33.1/arch/x86/include/asm/mmu_context.h 2010-03-20 16:58:38.976510592 -0400
7215 @@ -34,11 +34,17 @@ static inline void switch_mm(struct mm_s
7216 struct task_struct *tsk)
7218 unsigned cpu = smp_processor_id();
7219 +#if defined(CONFIG_X86_32) && defined(CONFIG_SMP)
7220 + int tlbstate = TLBSTATE_OK;
7223 if (likely(prev != next)) {
7224 /* stop flush ipis for the previous mm */
7225 cpumask_clear_cpu(cpu, mm_cpumask(prev));
7227 +#ifdef CONFIG_X86_32
7228 + tlbstate = percpu_read(cpu_tlbstate.state);
7230 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
7231 percpu_write(cpu_tlbstate.active_mm, next);
7233 @@ -52,6 +58,26 @@ static inline void switch_mm(struct mm_s
7235 if (unlikely(prev->context.ldt != next->context.ldt))
7236 load_LDT_nolock(&next->context);
7238 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
7239 + if (!(__supported_pte_mask & _PAGE_NX)) {
7240 + smp_mb__before_clear_bit();
7241 + cpu_clear(cpu, prev->context.cpu_user_cs_mask);
7242 + smp_mb__after_clear_bit();
7243 + cpu_set(cpu, next->context.cpu_user_cs_mask);
7247 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
7248 + if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
7249 + prev->context.user_cs_limit != next->context.user_cs_limit))
7250 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
7252 + else if (unlikely(tlbstate != TLBSTATE_OK))
7253 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
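Review bot: The `smp_mb__before_clear_bit()` / `smp_mb__after_clear_bit()` pair around `cpu_clear(cpu, prev->context.cpu_user_cs_mask)` has no comment saying which reader of `cpu_user_cs_mask` the ordering protects, and the `cpu_set()` on `next` that follows is left unordered. The mask appears to decide which CPUs get their user code-segment limit refreshed on hardware without NX, so a wrong ordering assumption here would be security-relevant and hard to spot later. I would add a short comment above the block, e.g. `/* clear prev's bit before setting next's; pairs with <reader of cpu_user_cs_mask> */`, with the reader filled in by the author. The body of switch_mm starts and ends outside this hunk.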
7260 @@ -65,6 +91,19 @@ static inline void switch_mm(struct mm_s
7262 load_cr3(next->pgd);
7263 load_LDT_nolock(&next->context);
7265 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
7266 + if (!(__supported_pte_mask & _PAGE_NX))
7267 + cpu_set(cpu, next->context.cpu_user_cs_mask);
7270 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
7271 +#ifdef CONFIG_PAX_PAGEEXEC
7272 + if (!((next->pax_flags & MF_PAX_PAGEEXEC) && (__supported_pte_mask & _PAGE_NX)))
7274 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
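Review bot: The guard on the added `cpu_set(cpu, next->context.cpu_user_cs_mask)` is `CONFIG_X86_32 && CONFIG_PAX_PAGEEXEC` without `CONFIG_SMP`, while the earlier switch_mm hunk and the field declaration in asm/mmu.h both also require `CONFIG_SMP`. If this branch already sits inside an SMP-only region (the enclosing lines are outside the hunk), the build is fine but the guards read inconsistently. If it does not, a uniprocessor build would reference a field that is not declared. Using the same condition everywhere removes the question: `#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)`.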
7280 diff -urNp linux-2.6.33.1/arch/x86/include/asm/mmu.h linux-2.6.33.1/arch/x86/include/asm/mmu.h
7281 --- linux-2.6.33.1/arch/x86/include/asm/mmu.h 2010-03-15 12:09:39.000000000 -0400
7282 +++ linux-2.6.33.1/arch/x86/include/asm/mmu.h 2010-03-20 16:58:38.976510592 -0400
7284 * we put the segment information here.
7288 + struct desc_struct *ldt;
7292 + unsigned long vdso;
7294 +#ifdef CONFIG_X86_32
7295 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
7296 + unsigned long user_cs_base;
7297 + unsigned long user_cs_limit;
7299 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
7300 + cpumask_t cpu_user_cs_mask;
7309 diff -urNp linux-2.6.33.1/arch/x86/include/asm/module.h linux-2.6.33.1/arch/x86/include/asm/module.h
7310 --- linux-2.6.33.1/arch/x86/include/asm/module.h 2010-03-15 12:09:39.000000000 -0400
7311 +++ linux-2.6.33.1/arch/x86/include/asm/module.h 2010-03-20 16:58:38.976510592 -0400
7314 # define MODULE_STACKSIZE ""
7316 -# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE
7317 +# ifdef CONFIG_GRKERNSEC
7318 +# define MODULE_GRSEC "GRSECURITY "
7320 +# define MODULE_GRSEC ""
7322 +# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE MODULE_GRSEC
7325 #endif /* _ASM_X86_MODULE_H */
7326 diff -urNp linux-2.6.33.1/arch/x86/include/asm/page_32_types.h linux-2.6.33.1/arch/x86/include/asm/page_32_types.h
7327 --- linux-2.6.33.1/arch/x86/include/asm/page_32_types.h 2010-03-15 12:09:39.000000000 -0400
7328 +++ linux-2.6.33.1/arch/x86/include/asm/page_32_types.h 2010-03-20 16:58:38.976510592 -0400
7331 #define __PAGE_OFFSET _AC(CONFIG_PAGE_OFFSET, UL)
7333 +#ifdef CONFIG_PAX_PAGEEXEC
7334 +#define CONFIG_ARCH_TRACK_EXEC_LIMIT 1
7337 #ifdef CONFIG_4KSTACKS
7338 #define THREAD_ORDER 0
7340 diff -urNp linux-2.6.33.1/arch/x86/include/asm/page_64_types.h linux-2.6.33.1/arch/x86/include/asm/page_64_types.h
7341 --- linux-2.6.33.1/arch/x86/include/asm/page_64_types.h 2010-03-15 12:09:39.000000000 -0400
7342 +++ linux-2.6.33.1/arch/x86/include/asm/page_64_types.h 2010-03-20 16:58:38.980670389 -0400
7344 #define __START_KERNEL (__START_KERNEL_map + __PHYSICAL_START)
7345 #define __START_KERNEL_map _AC(0xffffffff80000000, UL)
7347 +#define ktla_ktva(addr) (addr)
7348 +#define ktva_ktla(addr) (addr)
7350 /* See Documentation/x86/x86_64/mm.txt for a description of the memory map. */
7351 #define __PHYSICAL_MASK_SHIFT 46
7352 #define __VIRTUAL_MASK_SHIFT 47
7353 diff -urNp linux-2.6.33.1/arch/x86/include/asm/paravirt.h linux-2.6.33.1/arch/x86/include/asm/paravirt.h
7354 --- linux-2.6.33.1/arch/x86/include/asm/paravirt.h 2010-03-15 12:09:39.000000000 -0400
7355 +++ linux-2.6.33.1/arch/x86/include/asm/paravirt.h 2010-03-20 16:58:38.980670389 -0400
7356 @@ -729,6 +729,21 @@ static inline void __set_fixmap(unsigned
7357 pv_mmu_ops.set_fixmap(idx, phys, flags);
7360 +#ifdef CONFIG_PAX_KERNEXEC
7361 +static inline unsigned long pax_open_kernel(void)
7363 + return pv_mmu_ops.pax_open_kernel();
7366 +static inline unsigned long pax_close_kernel(void)
7368 + return pv_mmu_ops.pax_close_kernel();
7371 +static inline unsigned long pax_open_kernel(void) { return 0; }
7372 +static inline unsigned long pax_close_kernel(void) { return 0; }
7375 #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS)
7377 static inline int arch_spin_is_locked(struct arch_spinlock *lock)
7378 @@ -945,7 +960,7 @@ extern void default_banner(void);
7380 #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4)
7381 #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
7382 -#define PARA_INDIRECT(addr) *%cs:addr
7383 +#define PARA_INDIRECT(addr) *%ss:addr
7386 #define INTERRUPT_RETURN \
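Review bot: The segment override in `PARA_INDIRECT` changes from `%cs` to `%ss` with no comment, and nothing in the hunk guards the change with `CONFIG_PAX_KERNEXEC`, so it applies to every 32-bit paravirt build. Every indirect call and jump through the pv ops tables depends on this one line, so the reason should be recorded next to it. I would add something like `/* read the ops table through %ss: <reason> */`, presumably that the kernel code segment can no longer be relied on to read the table under KERNEXEC, which the author should confirm. If the override is only needed for KERNEXEC, keeping `*%cs:addr` in the other configuration would leave non-hardened builds unchanged.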
7387 @@ -980,6 +995,34 @@ extern void default_banner(void);
7389 jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit))
7391 +#ifdef CONFIG_PAX_KERNEXEC
7392 +#define PAX_EXIT_KERNEL \
7393 + push %eax; push %ecx; \
7395 + cmp $__KERNEXEC_KERNEL_CS, %eax; \
7397 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
7399 + ljmp $__KERNEL_CS, $1f; \
7400 +1: call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);\
7401 +2: pop %ecx; pop %eax; \
7403 +#define PAX_ENTER_KERNEL \
7404 + push %eax; push %ecx; \
7405 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
7409 + cmp $__KERNEL_CS, %ecx; \
7411 + ljmp $__KERNEL_CS, $3f; \
7412 +1: ljmp $__KERNEXEC_KERNEL_CS, $2f; \
7413 +2: call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);\
7414 +3: pop %ecx; pop %eax;
7416 +#define PAX_EXIT_KERNEL
7417 +#define PAX_ENTER_KERNEL
7420 #else /* !CONFIG_X86_32 */
7422 @@ -1022,6 +1065,46 @@ extern void default_banner(void);
7423 PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit), \
7425 jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit))
7427 +#ifdef CONFIG_PAX_KERNEXEC
7428 + .macro ljmpq sel, off
7429 + .byte 0x48; ljmp *1234f(%rip)
7430 + .pushsection .rodata
7432 + 1234: .quad \off; .word \sel
7436 +#define PAX_EXIT_KERNEL \
7437 + PV_SAVE_REGS(CLBR_NONE); \
7439 + cmp $__KERNEXEC_KERNEL_CS, %eax; \
7441 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
7444 + ljmpq __KERNEL_CS, 1f; \
7445 +1: call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);\
7446 +2: PV_RESTORE_REGS(CLBR_NONE);
7448 +#define PAX_ENTER_KERNEL \
7449 + PV_SAVE_REGS(CLBR_NONE); \
7450 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
7454 + cmp $__KERNEL_CS, %eax; \
7456 + ljmpq __KERNEL_CS, 3f; \
7457 +1: mov %rax, %rdi; \
7458 + ljmpq __KERNEXEC_KERNEL_CS, 2f; \
7459 +2: call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);\
7460 +3: PV_RESTORE_REGS(CLBR_NONE);
7462 +#define PAX_EXIT_KERNEL
7463 +#define PAX_ENTER_KERNEL
7466 #endif /* CONFIG_X86_32 */
7468 #endif /* __ASSEMBLY__ */
7469 diff -urNp linux-2.6.33.1/arch/x86/include/asm/paravirt_types.h linux-2.6.33.1/arch/x86/include/asm/paravirt_types.h
7470 --- linux-2.6.33.1/arch/x86/include/asm/paravirt_types.h 2010-03-15 12:09:39.000000000 -0400
7471 +++ linux-2.6.33.1/arch/x86/include/asm/paravirt_types.h 2010-03-20 16:58:38.980670389 -0400
7472 @@ -316,6 +316,12 @@ struct pv_mmu_ops {
7473 an mfn. We can tell which is which from the index. */
7474 void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx,
7475 phys_addr_t phys, pgprot_t flags);
7477 +#ifdef CONFIG_PAX_KERNEXEC
7478 + unsigned long (*pax_open_kernel)(void);
7479 + unsigned long (*pax_close_kernel)(void);
7484 struct arch_spinlock;
7485 diff -urNp linux-2.6.33.1/arch/x86/include/asm/pci_x86.h linux-2.6.33.1/arch/x86/include/asm/pci_x86.h
7486 --- linux-2.6.33.1/arch/x86/include/asm/pci_x86.h 2010-03-15 12:09:39.000000000 -0400
7487 +++ linux-2.6.33.1/arch/x86/include/asm/pci_x86.h 2010-03-20 16:58:38.980670389 -0400
7488 @@ -89,16 +89,16 @@ extern int (*pcibios_enable_irq)(struct
7489 extern void (*pcibios_disable_irq)(struct pci_dev *dev);
7491 struct pci_raw_ops {
7492 - int (*read)(unsigned int domain, unsigned int bus, unsigned int devfn,
7493 + int (* const read)(unsigned int domain, unsigned int bus, unsigned int devfn,
7494 int reg, int len, u32 *val);
7495 - int (*write)(unsigned int domain, unsigned int bus, unsigned int devfn,
7496 + int (* const write)(unsigned int domain, unsigned int bus, unsigned int devfn,
7497 int reg, int len, u32 val);
7500 -extern struct pci_raw_ops *raw_pci_ops;
7501 -extern struct pci_raw_ops *raw_pci_ext_ops;
7502 +extern const struct pci_raw_ops *raw_pci_ops;
7503 +extern const struct pci_raw_ops *raw_pci_ext_ops;
7505 -extern struct pci_raw_ops pci_direct_conf1;
7506 +extern const struct pci_raw_ops pci_direct_conf1;
7507 extern bool port_cf9_safe;
7509 /* arch_initcall level */
7510 diff -urNp linux-2.6.33.1/arch/x86/include/asm/pgalloc.h linux-2.6.33.1/arch/x86/include/asm/pgalloc.h
7511 --- linux-2.6.33.1/arch/x86/include/asm/pgalloc.h 2010-03-15 12:09:39.000000000 -0400
7512 +++ linux-2.6.33.1/arch/x86/include/asm/pgalloc.h 2010-03-20 16:58:38.980670389 -0400
7513 @@ -63,6 +63,13 @@ static inline void pmd_populate_kernel(s
7514 pmd_t *pmd, pte_t *pte)
7516 paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
7517 + set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
7520 +static inline void pmd_populate_user(struct mm_struct *mm,
7521 + pmd_t *pmd, pte_t *pte)
7523 + paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
7524 set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
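Review bot: `pmd_populate_kernel()` now installs the page table with `_KERNPG_TABLE` and the new `pmd_populate_user()` keeps `_PAGE_TABLE`, but neither carries a comment saying which callers must use which. Assuming `_KERNPG_TABLE` lacks the user bit (its definition is not in this hunk), a caller that still populates a user-reachable pmd through the kernel variant would make that range inaccessible from user mode, and the reverse mistake would undo the separation this change introduces. I would add a one-line comment above each, e.g. `/* kernel-only page tables: no _PAGE_USER */` and `/* page tables backing user mappings */`. Both function bodies are cut by the hunk boundaries.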
7527 diff -urNp linux-2.6.33.1/arch/x86/include/asm/pgtable-2level.h linux-2.6.33.1/arch/x86/include/asm/pgtable-2level.h
7528 --- linux-2.6.33.1/arch/x86/include/asm/pgtable-2level.h 2010-03-15 12:09:39.000000000 -0400
7529 +++ linux-2.6.33.1/arch/x86/include/asm/pgtable-2level.h 2010-03-20 16:58:38.980670389 -0400
7530 @@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t
7532 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
7534 + pax_open_kernel();
7536 + pax_close_kernel();
7539 static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
7540 diff -urNp linux-2.6.33.1/arch/x86/include/asm/pgtable_32.h linux-2.6.33.1/arch/x86/include/asm/pgtable_32.h
7541 --- linux-2.6.33.1/arch/x86/include/asm/pgtable_32.h 2010-03-15 12:09:39.000000000 -0400
7542 +++ linux-2.6.33.1/arch/x86/include/asm/pgtable_32.h 2010-03-20 16:58:38.980670389 -0400
7545 struct vm_area_struct;
7547 -extern pgd_t swapper_pg_dir[1024];
7549 static inline void pgtable_cache_init(void) { }
7550 static inline void check_pgt_cache(void) { }
7551 void paging_init(void);
7552 @@ -48,6 +46,11 @@ extern void set_pmd_pfn(unsigned long, u
7553 # include <asm/pgtable-2level.h>
7556 +extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
7557 +#ifdef CONFIG_X86_PAE
7558 +extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
7561 #if defined(CONFIG_HIGHPTE)
7563 (in_nmi() ? KM_NMI_PTE : \
7564 @@ -72,7 +75,9 @@ extern void set_pmd_pfn(unsigned long, u
7565 /* Clear a kernel PTE and flush it from the TLB */
7566 #define kpte_clear_flush(ptep, vaddr) \
7568 + pax_open_kernel(); \
7569 pte_clear(&init_mm, (vaddr), (ptep)); \
7570 + pax_close_kernel(); \
7571 __flush_tlb_one((vaddr)); \
7574 @@ -84,6 +89,9 @@ do { \
7576 #endif /* !__ASSEMBLY__ */
7578 +#define HAVE_ARCH_UNMAPPED_AREA
7579 +#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
7582 * kern_addr_valid() is (1) for FLATMEM and (0) for
7583 * SPARSEMEM and DISCONTIGMEM
7584 diff -urNp linux-2.6.33.1/arch/x86/include/asm/pgtable_32_types.h linux-2.6.33.1/arch/x86/include/asm/pgtable_32_types.h
7585 --- linux-2.6.33.1/arch/x86/include/asm/pgtable_32_types.h 2010-03-15 12:09:39.000000000 -0400
7586 +++ linux-2.6.33.1/arch/x86/include/asm/pgtable_32_types.h 2010-03-20 16:58:38.980670389 -0400
7589 #ifdef CONFIG_X86_PAE
7590 # include <asm/pgtable-3level_types.h>
7591 -# define PMD_SIZE (1UL << PMD_SHIFT)
7592 +# define PMD_SIZE (_AC(1, UL) << PMD_SHIFT)
7593 # define PMD_MASK (~(PMD_SIZE - 1))
7595 # include <asm/pgtable-2level_types.h>
7596 @@ -46,6 +46,19 @@ extern bool __vmalloc_start_set; /* set
7597 # define VMALLOC_END (FIXADDR_START - 2 * PAGE_SIZE)
7600 +#ifdef CONFIG_PAX_KERNEXEC
7601 +#ifndef __ASSEMBLY__
7602 +extern unsigned char MODULES_EXEC_VADDR[];
7603 +extern unsigned char MODULES_EXEC_END[];
7605 +#include <asm/boot.h>
7606 +#define ktla_ktva(addr) (addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)
7607 +#define ktva_ktla(addr) (addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)
7609 +#define ktla_ktva(addr) (addr)
7610 +#define ktva_ktla(addr) (addr)
7613 #define MODULES_VADDR VMALLOC_START
7614 #define MODULES_END VMALLOC_END
7615 #define MODULES_LEN (MODULES_VADDR - MODULES_END)
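Review bot: In the CONFIG_PAX_KERNEXEC branch, `ktla_ktva(addr)` and `ktva_ktla(addr)` expand `addr` without parentheses, so an argument containing a lower-precedence operator (a conditional expression, `|`, a shift) is combined with `LOAD_PHYSICAL_ADDR` and `PAGE_OFFSET` in the wrong order. These macros translate kernel text addresses, so a silently wrong result ends up as a wrong pointer. The definitions should read `#define ktla_ktva(addr) ((addr) + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)` and `#define ktva_ktla(addr) ((addr) - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)`. The fallback definitions, which expand to `(addr)`, are already safe.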
7616 diff -urNp linux-2.6.33.1/arch/x86/include/asm/pgtable-3level.h linux-2.6.33.1/arch/x86/include/asm/pgtable-3level.h
7617 --- linux-2.6.33.1/arch/x86/include/asm/pgtable-3level.h 2010-03-15 12:09:39.000000000 -0400
7618 +++ linux-2.6.33.1/arch/x86/include/asm/pgtable-3level.h 2010-03-20 16:58:38.980670389 -0400
7619 @@ -38,12 +38,16 @@ static inline void native_set_pte_atomic
7621 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
7623 + pax_open_kernel();
7624 set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd));
7625 + pax_close_kernel();
7628 static inline void native_set_pud(pud_t *pudp, pud_t pud)
7630 + pax_open_kernel();
7631 set_64bit((unsigned long long *)(pudp), native_pud_val(pud));
7632 + pax_close_kernel();
7636 diff -urNp linux-2.6.33.1/arch/x86/include/asm/pgtable_64.h linux-2.6.33.1/arch/x86/include/asm/pgtable_64.h
7637 --- linux-2.6.33.1/arch/x86/include/asm/pgtable_64.h 2010-03-15 12:09:39.000000000 -0400
7638 +++ linux-2.6.33.1/arch/x86/include/asm/pgtable_64.h 2010-03-20 16:58:38.980670389 -0400
7641 extern pud_t level3_kernel_pgt[512];
7642 extern pud_t level3_ident_pgt[512];
7643 +extern pud_t level3_vmalloc_pgt[512];
7644 +extern pud_t level3_vmemmap_pgt[512];
7645 +extern pud_t level2_vmemmap_pgt[512];
7646 extern pmd_t level2_kernel_pgt[512];
7647 extern pmd_t level2_fixmap_pgt[512];
7648 -extern pmd_t level2_ident_pgt[512];
7649 +extern pmd_t level2_ident_pgt[512*2];
7650 extern pgd_t init_level4_pgt[];
7652 #define swapper_pg_dir init_level4_pgt
7653 @@ -74,7 +77,9 @@ static inline pte_t native_ptep_get_and_
7655 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
7657 + pax_open_kernel();
7659 + pax_close_kernel();
7662 static inline void native_pmd_clear(pmd_t *pmd)
7663 @@ -94,7 +99,9 @@ static inline void native_pud_clear(pud_
7665 static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
7667 + pax_open_kernel();
7669 + pax_close_kernel();
7672 static inline void native_pgd_clear(pgd_t *pgd)
7673 diff -urNp linux-2.6.33.1/arch/x86/include/asm/pgtable.h linux-2.6.33.1/arch/x86/include/asm/pgtable.h
7674 --- linux-2.6.33.1/arch/x86/include/asm/pgtable.h 2010-03-15 12:09:39.000000000 -0400
7675 +++ linux-2.6.33.1/arch/x86/include/asm/pgtable.h 2010-03-20 16:58:38.980670389 -0400
7676 @@ -76,12 +76,51 @@ extern struct list_head pgd_list;
7678 #define arch_end_context_switch(prev) do {} while(0)
7680 +#define pax_open_kernel() native_pax_open_kernel()
7681 +#define pax_close_kernel() native_pax_close_kernel()
7682 #endif /* CONFIG_PARAVIRT */
7684 +#define __HAVE_ARCH_PAX_OPEN_KERNEL
7685 +#define __HAVE_ARCH_PAX_CLOSE_KERNEL
7687 +#ifdef CONFIG_PAX_KERNEXEC
7688 +static inline unsigned long native_pax_open_kernel(void)
7690 + unsigned long cr0;
7692 + preempt_disable();
7694 + cr0 = read_cr0() ^ X86_CR0_WP;
7695 + BUG_ON(unlikely(cr0 & X86_CR0_WP));
7697 + return cr0 ^ X86_CR0_WP;
7700 +static inline unsigned long native_pax_close_kernel(void)
7702 + unsigned long cr0;
7704 + cr0 = read_cr0() ^ X86_CR0_WP;
7705 + BUG_ON(unlikely(!(cr0 & X86_CR0_WP)));
7708 + preempt_enable_no_resched();
7709 + return cr0 ^ X86_CR0_WP;
7712 +static inline unsigned long native_pax_open_kernel(void) { return 0; }
7713 +static inline unsigned long native_pax_close_kernel(void) { return 0; }
7717 * The following only work if pte_present() is true.
7718 * Undefined behaviour if not..
7720 +static inline int pte_user(pte_t pte)
7722 + return pte_val(pte) & _PAGE_USER;
7725 static inline int pte_dirty(pte_t pte)
7727 return pte_flags(pte) & _PAGE_DIRTY;
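Review bot: `native_pax_open_kernel()` and `native_pax_close_kernel()` have no comment stating their calling contract, although the code makes it strict. The `BUG_ON` on the open side fires when CR0.WP is already clear, so open/close pairs cannot nest, and the visible lines only disable preemption, so an interrupt taken between the two calls would run with write protection off. I would add a comment above the pair, e.g. `/* must be paired on the same CPU and must not nest; IRQs stay enabled, so keep the open section minimal */`, and a second one on why the close side uses `preempt_enable_no_resched()` rather than `preempt_enable()`. Several lines of both bodies are missing from this listing, so this is based on the visible statements only.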
7728 @@ -169,9 +208,29 @@ static inline pte_t pte_wrprotect(pte_t
7729 return pte_clear_flags(pte, _PAGE_RW);
7732 +static inline pte_t pte_mkread(pte_t pte)
7734 + return __pte(pte_val(pte) | _PAGE_USER);
7737 static inline pte_t pte_mkexec(pte_t pte)
7739 - return pte_clear_flags(pte, _PAGE_NX);
7740 +#ifdef CONFIG_X86_PAE
7741 + if (__supported_pte_mask & _PAGE_NX)
7742 + return pte_clear_flags(pte, _PAGE_NX);
7745 + return pte_set_flags(pte, _PAGE_USER);
7748 +static inline pte_t pte_exprotect(pte_t pte)
7750 +#ifdef CONFIG_X86_PAE
7751 + if (__supported_pte_mask & _PAGE_NX)
7752 + return pte_set_flags(pte, _PAGE_NX);
7755 + return pte_clear_flags(pte, _PAGE_USER);
7758 static inline pte_t pte_mkdirty(pte_t pte)
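Review bot: `pte_mkread()` sets the user bit with `__pte(pte_val(pte) | _PAGE_USER)`, while `pte_mkexec()` and `pte_exprotect()`, added right below it, use `pte_set_flags()` / `pte_clear_flags()` for the same bit. The helper form keeps the three functions consistent and avoids the full `pte_val()` round trip; I would write `return pte_set_flags(pte, _PAGE_USER);`. It would also help to state in a comment above `pte_mkexec()` that `_PAGE_USER` is used to express executability when `_PAGE_NX` is not in `__supported_pte_mask`, since that overloading is not obvious from the names. Some preprocessor lines of these bodies are missing from the listing.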
7759 @@ -474,7 +533,7 @@ static inline pud_t *pud_offset(pgd_t *p
7761 static inline int pgd_bad(pgd_t pgd)
7763 - return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
7764 + return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE;
7767 static inline int pgd_none(pgd_t pgd)
7768 @@ -613,9 +672,12 @@ static inline void ptep_set_wrprotect(st
7769 * dst and src can be on the same page, but the range must not overlap,
7770 * and must not cross a page boundary.
7772 -static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
7773 +static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count)
7775 - memcpy(dst, src, count * sizeof(pgd_t));
7776 + pax_open_kernel();
7779 + pax_close_kernel();
7783 diff -urNp linux-2.6.33.1/arch/x86/include/asm/pgtable_types.h linux-2.6.33.1/arch/x86/include/asm/pgtable_types.h
7784 --- linux-2.6.33.1/arch/x86/include/asm/pgtable_types.h 2010-03-15 12:09:39.000000000 -0400
7785 +++ linux-2.6.33.1/arch/x86/include/asm/pgtable_types.h 2010-03-20 16:58:38.980670389 -0400
7787 #define _PAGE_BIT_PSE 7 /* 4 MB (or 2MB) page */
7788 #define _PAGE_BIT_PAT 7 /* on 4KB pages */
7789 #define _PAGE_BIT_GLOBAL 8 /* Global TLB entry PPro+ */
7790 -#define _PAGE_BIT_UNUSED1 9 /* available for programmer */
7791 +#define _PAGE_BIT_SPECIAL 9 /* special mappings, no associated struct page */
7792 #define _PAGE_BIT_IOMAP 10 /* flag used to indicate IO mapping */
7793 #define _PAGE_BIT_HIDDEN 11 /* hidden by kmemcheck */
7794 #define _PAGE_BIT_PAT_LARGE 12 /* On 2MB or 1GB pages */
7795 -#define _PAGE_BIT_SPECIAL _PAGE_BIT_UNUSED1
7796 -#define _PAGE_BIT_CPA_TEST _PAGE_BIT_UNUSED1
7797 +#define _PAGE_BIT_CPA_TEST _PAGE_BIT_SPECIAL
7798 #define _PAGE_BIT_NX 63 /* No execute: only valid after cpuid check */
7800 /* If _PAGE_BIT_PRESENT is clear, we use these: */
7802 #define _PAGE_DIRTY (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY)
7803 #define _PAGE_PSE (_AT(pteval_t, 1) << _PAGE_BIT_PSE)
7804 #define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
7805 -#define _PAGE_UNUSED1 (_AT(pteval_t, 1) << _PAGE_BIT_UNUSED1)
7806 #define _PAGE_IOMAP (_AT(pteval_t, 1) << _PAGE_BIT_IOMAP)
7807 #define _PAGE_PAT (_AT(pteval_t, 1) << _PAGE_BIT_PAT)
7808 #define _PAGE_PAT_LARGE (_AT(pteval_t, 1) << _PAGE_BIT_PAT_LARGE)
7811 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
7812 #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX)
7814 +#elif defined(CONFIG_KMEMCHECK)
7815 #define _PAGE_NX (_AT(pteval_t, 0))
7817 +#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)
7820 #define _PAGE_FILE (_AT(pteval_t, 1) << _PAGE_BIT_FILE)
7822 #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | \
7825 +#define PAGE_READONLY_NOEXEC PAGE_READONLY
7826 +#define PAGE_SHARED_NOEXEC PAGE_SHARED
7828 #define __PAGE_KERNEL_EXEC \
7829 (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
7830 #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX)
7832 #define __PAGE_KERNEL_WC (__PAGE_KERNEL | _PAGE_CACHE_WC)
7833 #define __PAGE_KERNEL_NOCACHE (__PAGE_KERNEL | _PAGE_PCD | _PAGE_PWT)
7834 #define __PAGE_KERNEL_UC_MINUS (__PAGE_KERNEL | _PAGE_PCD)
7835 -#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RX | _PAGE_USER)
7836 -#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_VSYSCALL | _PAGE_PCD | _PAGE_PWT)
7837 +#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RO | _PAGE_USER)
7838 +#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_RO | _PAGE_PCD | _PAGE_PWT | _PAGE_USER)
7839 #define __PAGE_KERNEL_LARGE (__PAGE_KERNEL | _PAGE_PSE)
7840 #define __PAGE_KERNEL_LARGE_NOCACHE (__PAGE_KERNEL | _PAGE_CACHE_UC | _PAGE_PSE)
7841 #define __PAGE_KERNEL_LARGE_EXEC (__PAGE_KERNEL_EXEC | _PAGE_PSE)
7843 * bits are combined, this will alow user to access the high address mapped
7844 * VDSO in the presence of CONFIG_COMPAT_VDSO
7846 -#define PTE_IDENT_ATTR 0x003 /* PRESENT+RW */
7847 -#define PDE_IDENT_ATTR 0x067 /* PRESENT+RW+USER+DIRTY+ACCESSED */
7848 +#define PTE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
7849 +#define PDE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
7850 #define PGD_IDENT_ATTR 0x001 /* PRESENT (no other attributes) */
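Review bot: The comment kept above `PTE_IDENT_ATTR` still says the combined bits allow user access to the high-mapped VDSO under CONFIG_COMPAT_VDSO, but the new `PDE_IDENT_ATTR` value `0x063` no longer contains USER, so the comment and the value now disagree. The comment should be rewritten to describe the new intent, e.g. `/* identity mappings are kernel-only: PRESENT+RW+DIRTY+ACCESSED, no USER */`. If CONFIG_COMPAT_VDSO can still be selected with this patch, the hunk should say how that case is handled, because the old value existed for it. Only the tail of the original comment is visible here.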
7853 @@ -278,7 +281,6 @@ typedef struct page *pgtable_t;
7855 extern pteval_t __supported_pte_mask;
7856 extern void set_nx(void);
7857 -extern int nx_enabled;
7859 #define pgprot_writecombine pgprot_writecombine
7860 extern pgprot_t pgprot_writecombine(pgprot_t prot);
7861 diff -urNp linux-2.6.33.1/arch/x86/include/asm/processor.h linux-2.6.33.1/arch/x86/include/asm/processor.h
7862 --- linux-2.6.33.1/arch/x86/include/asm/processor.h 2010-03-15 12:09:39.000000000 -0400
7863 +++ linux-2.6.33.1/arch/x86/include/asm/processor.h 2010-03-20 16:58:38.980670389 -0400
7864 @@ -273,7 +273,7 @@ struct tss_struct {
7866 } ____cacheline_aligned;
7868 -DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss);
7869 +extern struct tss_struct init_tss[NR_CPUS];
7872 * Save the original ist values for checking stack pointers during debugging
7873 @@ -913,8 +913,15 @@ static inline void spin_lock_prefetch(co
7875 #define TASK_SIZE PAGE_OFFSET
7876 #define TASK_SIZE_MAX TASK_SIZE
7878 +#ifdef CONFIG_PAX_SEGMEXEC
7879 +#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
7880 +#define STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE)
7882 #define STACK_TOP TASK_SIZE
7883 -#define STACK_TOP_MAX STACK_TOP
7886 +#define STACK_TOP_MAX TASK_SIZE
7888 #define INIT_THREAD { \
7889 .sp0 = sizeof(init_stack) + (long)&init_stack, \
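Review bot: With CONFIG_PAX_SEGMEXEC the new `STACK_TOP` expands to an unconditional `current->mm->pax_flags` dereference, so it is no longer a constant and is only safe where `current->mm` is non-NULL. None of its users are visible in this hunk, and kernel threads have no mm, so any use outside the exec and mmap paths should be checked. I would document the precondition next to the definition, e.g. `/* evaluates current->mm: only valid for a task with a user mm */`. Spaces around `?` and `:` would also match the neighbouring `IA32_PAGE_OFFSET` definition.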
7890 @@ -931,7 +938,7 @@ static inline void spin_lock_prefetch(co
7892 #define INIT_TSS { \
7894 - .sp0 = sizeof(init_stack) + (long)&init_stack, \
7895 + .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
7896 .ss0 = __KERNEL_DS, \
7897 .ss1 = __KERNEL_CS, \
7898 .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
7899 @@ -942,11 +949,7 @@ static inline void spin_lock_prefetch(co
7900 extern unsigned long thread_saved_pc(struct task_struct *tsk);
7902 #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
7903 -#define KSTK_TOP(info) \
7905 - unsigned long *__ptr = (unsigned long *)(info); \
7906 - (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
7908 +#define KSTK_TOP(info) ((info)->task.thread.sp0)
7911 * The below -8 is to reserve 8 bytes on top of the ring0 stack.
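Review bot: The new `KSTK_TOP(info)` reads `(info)->task.thread.sp0`, which changes the macro's argument from a stack-page pointer to a structure with a `task` member, and nothing in the hunk documents that. If `info` is meant to be a `struct thread_info *` whose `task` member is a pointer (the structure is not visible here), the expression would need `(info)->task->thread.sp0`. The compiler will not catch this, because the one user visible in this diff, `task_pt_regs()`, stops using `KSTK_TOP` in the next hunk. I would either correct and comment the macro or remove it if no caller remains.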
7912 @@ -961,7 +964,7 @@ extern unsigned long thread_saved_pc(str
7913 #define task_pt_regs(task) \
7915 struct pt_regs *__regs__; \
7916 - __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
7917 + __regs__ = (struct pt_regs *)((task)->thread.sp0); \
7921 @@ -977,7 +980,7 @@ extern unsigned long thread_saved_pc(str
7922 * space during mmap's.
7924 #define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? \
7925 - 0xc0000000 : 0xFFFFe000)
7926 + 0xc0000000 : 0xFFFFf000)
7928 #define TASK_SIZE (test_thread_flag(TIF_IA32) ? \
7929 IA32_PAGE_OFFSET : TASK_SIZE_MAX)
7930 @@ -1014,6 +1017,10 @@ extern void start_thread(struct pt_regs
7932 #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
7934 +#ifdef CONFIG_PAX_SEGMEXEC
7935 +#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
7938 #define KSTK_EIP(task) (task_pt_regs(task)->ip)
7940 /* Get/set a process' ability to use the timestamp counter instruction */
7941 diff -urNp linux-2.6.33.1/arch/x86/include/asm/ptrace.h linux-2.6.33.1/arch/x86/include/asm/ptrace.h
7942 --- linux-2.6.33.1/arch/x86/include/asm/ptrace.h 2010-03-15 12:09:39.000000000 -0400
7943 +++ linux-2.6.33.1/arch/x86/include/asm/ptrace.h 2010-03-20 16:58:38.984539447 -0400
7944 @@ -152,28 +152,29 @@ static inline unsigned long regs_return_
7948 - * user_mode_vm(regs) determines whether a register set came from user mode.
7949 + * user_mode(regs) determines whether a register set came from user mode.
7950 * This is true if V8086 mode was enabled OR if the register set was from
7951 * protected mode with RPL-3 CS value. This tricky test checks that with
7952 * one comparison. Many places in the kernel can bypass this full check
7953 - * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
7954 + * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
7957 -static inline int user_mode(struct pt_regs *regs)
7958 +static inline int user_mode_novm(struct pt_regs *regs)
7960 #ifdef CONFIG_X86_32
7961 return (regs->cs & SEGMENT_RPL_MASK) == USER_RPL;
7963 - return !!(regs->cs & 3);
7964 + return !!(regs->cs & SEGMENT_RPL_MASK);
7968 -static inline int user_mode_vm(struct pt_regs *regs)
7969 +static inline int user_mode(struct pt_regs *regs)
7971 #ifdef CONFIG_X86_32
7972 return ((regs->cs & SEGMENT_RPL_MASK) | (regs->flags & X86_VM_MASK)) >=
7975 - return user_mode(regs);
7976 + return user_mode_novm(regs);
7980 diff -urNp linux-2.6.33.1/arch/x86/include/asm/reboot.h linux-2.6.33.1/arch/x86/include/asm/reboot.h
7981 --- linux-2.6.33.1/arch/x86/include/asm/reboot.h 2010-03-15 12:09:39.000000000 -0400
7982 +++ linux-2.6.33.1/arch/x86/include/asm/reboot.h 2010-03-20 16:58:38.984539447 -0400
7983 @@ -18,7 +18,7 @@ extern struct machine_ops machine_ops;
7985 void native_machine_crash_shutdown(struct pt_regs *regs);
7986 void native_machine_shutdown(void);
7987 -void machine_real_restart(const unsigned char *code, int length);
7988 +void machine_real_restart(const unsigned char *code, unsigned int length);
7990 typedef void (*nmi_shootdown_cb)(int, struct die_args*);
7991 void nmi_shootdown_cpus(nmi_shootdown_cb callback);
7992 diff -urNp linux-2.6.33.1/arch/x86/include/asm/rwsem.h linux-2.6.33.1/arch/x86/include/asm/rwsem.h
7993 --- linux-2.6.33.1/arch/x86/include/asm/rwsem.h 2010-03-15 12:09:39.000000000 -0400
7994 +++ linux-2.6.33.1/arch/x86/include/asm/rwsem.h 2010-03-20 16:58:38.984539447 -0400
7995 @@ -106,10 +106,26 @@ static inline void __down_read(struct rw
7997 asm volatile("# beginning down_read\n\t"
7998 LOCK_PREFIX " incl (%%eax)\n\t"
8000 +#ifdef CONFIG_PAX_REFCOUNT
8001 +#ifdef CONFIG_X86_32
8007 + ".pushsection .fixup,\"ax\"\n"
8009 + LOCK_PREFIX "decl (%%eax)\n"
8012 + _ASM_EXTABLE(0b, 1b)
8015 /* adds 0x00000001, returns the old value */
8018 " call call_rwsem_down_read_failed\n"
8021 "# ending down_read\n\t"
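Review bot: The overflow-check sequence added here (`#ifdef CONFIG_PAX_REFCOUNT`, a nested `#ifdef CONFIG_X86_32`, a `.pushsection .fixup` block and `_ASM_EXTABLE(0b, 1b)`) is pasted again into every later rwsem.h hunk and into the rwlock functions in spinlock.h. In the visible lines the copies differ only in the undo instruction. That many hand-maintained copies inside inline asm are easy to let drift, and a copy whose undo instruction does not match its operation would corrupt the counter instead of protecting it. I would factor the sequence into one string macro that takes the undo instruction as its argument and expands to nothing when CONFIG_PAX_REFCOUNT is off, with a comment describing the trap-and-fixup flow once. Parts of the sequence are missing from this listing, so the exact macro body is left to the author.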
8024 @@ -124,13 +140,29 @@ static inline int __down_read_trylock(st
8026 asm volatile("# beginning __down_read_trylock\n\t"
8034 +#ifdef CONFIG_PAX_REFCOUNT
8035 +#ifdef CONFIG_X86_32
8041 + ".pushsection .fixup,\"ax\"\n"
8046 + _ASM_EXTABLE(0b, 1b)
8050 LOCK_PREFIX " cmpxchgl %2,%0\n\t"
8055 "# ending __down_read_trylock\n\t"
8056 : "+m" (sem->count), "=&a" (result), "=&r" (tmp)
8057 : "i" (RWSEM_ACTIVE_READ_BIAS)
8058 @@ -148,12 +180,28 @@ static inline void __down_write_nested(s
8059 tmp = RWSEM_ACTIVE_WRITE_BIAS;
8060 asm volatile("# beginning down_write\n\t"
8061 LOCK_PREFIX " xadd %%edx,(%%eax)\n\t"
8063 +#ifdef CONFIG_PAX_REFCOUNT
8064 +#ifdef CONFIG_X86_32
8070 + ".pushsection .fixup,\"ax\"\n"
8072 + "movl %%edx,(%%eax)\n"
8075 + _ASM_EXTABLE(0b, 1b)
8078 /* subtract 0x0000ffff, returns the old value */
8079 " testl %%edx,%%edx\n\t"
8080 /* was the count 0 before? */
8083 " call call_rwsem_down_write_failed\n"
8086 "# ending down_write"
8087 : "+m" (sem->count), "=d" (tmp)
8088 : "a" (sem), "1" (tmp)
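Review bot: The fixup path in `__down_write_nested()` undoes the `LOCK_PREFIX " xadd %%edx,(%%eax)"` with a plain `movl %%edx,(%%eax)`, which writes the pre-operation value back without a lock prefix. Any update another CPU made to `sem->count` between the xadd and the fixup is overwritten. The same pattern appears in the `__up_read()` and `__up_write()` hunks, whereas `__down_read()` and `__downgrade_write()` undo with a locked `decl` / `subl`. An atomic inverse would be consistent with those, for instance `LOCK_PREFIX "subl %2,(%%eax)\n"` in `__up_write()`, where the bias is already an immediate operand. The other two would need the bias passed as an extra immediate operand, since `%edx` holds the old value after the xadd. Several lines of the asm body are missing from this listing, so the instruction following the xadd should be confirmed.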
8089 @@ -186,10 +234,26 @@ static inline void __up_read(struct rw_s
8090 __s32 tmp = -RWSEM_ACTIVE_READ_BIAS;
8091 asm volatile("# beginning __up_read\n\t"
8092 LOCK_PREFIX " xadd %%edx,(%%eax)\n\t"
8094 +#ifdef CONFIG_PAX_REFCOUNT
8095 +#ifdef CONFIG_X86_32
8101 + ".pushsection .fixup,\"ax\"\n"
8103 + "movl %%edx,(%%eax)\n"
8106 + _ASM_EXTABLE(0b, 1b)
8109 /* subtracts 1, returns the old value */
8112 " call call_rwsem_wake\n"
8115 "# ending __up_read\n"
8116 : "+m" (sem->count), "=d" (tmp)
8117 : "a" (sem), "1" (tmp)
8118 @@ -204,11 +268,27 @@ static inline void __up_write(struct rw_
8119 asm volatile("# beginning __up_write\n\t"
8120 " movl %2,%%edx\n\t"
8121 LOCK_PREFIX " xaddl %%edx,(%%eax)\n\t"
8123 +#ifdef CONFIG_PAX_REFCOUNT
8124 +#ifdef CONFIG_X86_32
8130 + ".pushsection .fixup,\"ax\"\n"
8132 + "movl %%edx,(%%eax)\n"
8135 + _ASM_EXTABLE(0b, 1b)
8138 /* tries to transition
8139 0xffff0001 -> 0x00000000 */
8142 " call call_rwsem_wake\n"
8145 "# ending __up_write\n"
8147 : "a" (sem), "i" (-RWSEM_ACTIVE_WRITE_BIAS)
8148 @@ -222,10 +302,26 @@ static inline void __downgrade_write(str
8150 asm volatile("# beginning __downgrade_write\n\t"
8151 LOCK_PREFIX " addl %2,(%%eax)\n\t"
8153 +#ifdef CONFIG_PAX_REFCOUNT
8154 +#ifdef CONFIG_X86_32
8160 + ".pushsection .fixup,\"ax\"\n"
8162 + LOCK_PREFIX "subl %2,(%%eax)\n"
8165 + _ASM_EXTABLE(0b, 1b)
8168 /* transitions 0xZZZZ0001 -> 0xYYYY0001 */
8171 " call call_rwsem_downgrade_wake\n"
8174 "# ending __downgrade_write\n"
8176 : "a" (sem), "i" (-RWSEM_WAITING_BIAS)
8177 @@ -237,7 +333,23 @@ static inline void __downgrade_write(str
8179 static inline void rwsem_atomic_add(int delta, struct rw_semaphore *sem)
8181 - asm volatile(LOCK_PREFIX "addl %1,%0"
8182 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
8184 +#ifdef CONFIG_PAX_REFCOUNT
8185 +#ifdef CONFIG_X86_32
8191 + ".pushsection .fixup,\"ax\"\n"
8193 + LOCK_PREFIX "subl %1,%0\n"
8196 + _ASM_EXTABLE(0b, 1b)
8202 @@ -249,7 +361,23 @@ static inline int rwsem_atomic_update(in
8206 - asm volatile(LOCK_PREFIX "xadd %0,%1"
8207 + asm volatile(LOCK_PREFIX "xadd %0,%1\n"
8209 +#ifdef CONFIG_PAX_REFCOUNT
8210 +#ifdef CONFIG_X86_32
8216 + ".pushsection .fixup,\"ax\"\n"
8221 + _ASM_EXTABLE(0b, 1b)
8224 : "+r" (tmp), "+m" (sem->count)
8227 diff -urNp linux-2.6.33.1/arch/x86/include/asm/segment.h linux-2.6.33.1/arch/x86/include/asm/segment.h
8228 --- linux-2.6.33.1/arch/x86/include/asm/segment.h 2010-03-15 12:09:39.000000000 -0400
8229 +++ linux-2.6.33.1/arch/x86/include/asm/segment.h 2010-03-20 16:58:38.984539447 -0400
8231 * 26 - ESPFIX small SS
8232 * 27 - per-cpu [ offset to per-cpu data area ]
8233 * 28 - stack_canary-20 [ for stack protector ]
8236 + * 29 - PCI BIOS CS
8237 + * 30 - PCI BIOS DS
8238 * 31 - TSS for double fault handler
8240 #define GDT_ENTRY_TLS_MIN 6
8243 #define GDT_ENTRY_KERNEL_CS (GDT_ENTRY_KERNEL_BASE + 0)
8245 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS (4)
8247 #define GDT_ENTRY_KERNEL_DS (GDT_ENTRY_KERNEL_BASE + 1)
8249 #define GDT_ENTRY_TSS (GDT_ENTRY_KERNEL_BASE + 4)
8251 #define GDT_ENTRY_ESPFIX_SS (GDT_ENTRY_KERNEL_BASE + 14)
8252 #define __ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)
8254 -#define GDT_ENTRY_PERCPU (GDT_ENTRY_KERNEL_BASE + 15)
8255 +#define GDT_ENTRY_PERCPU (GDT_ENTRY_KERNEL_BASE + 15)
8257 #define __KERNEL_PERCPU (GDT_ENTRY_PERCPU * 8)
8259 @@ -102,6 +104,12 @@
8260 #define __KERNEL_STACK_CANARY 0
8263 +#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE + 17)
8264 +#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
8266 +#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE + 18)
8267 +#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
8269 #define GDT_ENTRY_DOUBLEFAULT_TSS 31
8275 /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
8276 -#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
8277 +#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
8282 #define __USER32_CS (GDT_ENTRY_DEFAULT_USER32_CS * 8 + 3)
8283 #define __USER32_DS __USER_DS
8285 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS 7
8287 #define GDT_ENTRY_TSS 8 /* needs two entries */
8288 #define GDT_ENTRY_LDT 10 /* needs two entries */
8289 #define GDT_ENTRY_TLS_MIN 12
8293 #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS * 8)
8294 +#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS * 8)
8295 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS * 8)
8296 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS* 8 + 3)
8297 #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS* 8 + 3)
8298 diff -urNp linux-2.6.33.1/arch/x86/include/asm/spinlock.h linux-2.6.33.1/arch/x86/include/asm/spinlock.h
8299 --- linux-2.6.33.1/arch/x86/include/asm/spinlock.h 2010-03-15 12:09:39.000000000 -0400
8300 +++ linux-2.6.33.1/arch/x86/include/asm/spinlock.h 2010-03-20 16:58:38.984539447 -0400
8301 @@ -249,18 +249,50 @@ static inline int arch_write_can_lock(ar
8302 static inline void arch_read_lock(arch_rwlock_t *rw)
8304 asm volatile(LOCK_PREFIX " subl $1,(%0)\n\t"
8306 - "call __read_lock_failed\n\t"
8308 +#ifdef CONFIG_PAX_REFCOUNT
8309 +#ifdef CONFIG_X86_32
8315 + ".pushsection .fixup,\"ax\"\n"
8317 + LOCK_PREFIX " addl $1,(%0)\n"
8320 + _ASM_EXTABLE(0b, 1b)
8324 + "call __read_lock_failed\n\t"
8326 ::LOCK_PTR_REG (rw) : "memory");
8329 static inline void arch_write_lock(arch_rwlock_t *rw)
8331 asm volatile(LOCK_PREFIX " subl %1,(%0)\n\t"
8333 - "call __write_lock_failed\n\t"
8335 +#ifdef CONFIG_PAX_REFCOUNT
8336 +#ifdef CONFIG_X86_32
8342 + ".pushsection .fixup,\"ax\"\n"
8344 + LOCK_PREFIX " addl %1,(%0)\n"
8347 + _ASM_EXTABLE(0b, 1b)
8351 + "call __write_lock_failed\n\t"
8353 ::LOCK_PTR_REG (rw), "i" (RW_LOCK_BIAS) : "memory");
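Review bot: The CONFIG_PAX_REFCOUNT fixup is written out separately in arch_read_lock and arch_write_lock here, and again in arch_read_unlock and arch_write_unlock in the next hunk; the only difference visible between the four copies is the undo instruction (`addl $1,(%0)`, `addl %1,(%0)`, `decl %0`, `subl %1,%0`). Correctness depends on each undo being the exact inverse of the locked operation above it, so I would add `/* undo must exactly invert the locked op above */` at each site, or better, fold the sequence into one helper macro that takes the undo instruction as its argument. Several lines of each asm block are not shown on this page, so this is based on the visible lines only.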
8356 @@ -286,12 +318,45 @@ static inline int arch_write_trylock(arc
8358 static inline void arch_read_unlock(arch_rwlock_t *rw)
8360 - asm volatile(LOCK_PREFIX "incl %0" :"+m" (rw->lock) : : "memory");
8361 + asm volatile(LOCK_PREFIX "incl %0\n"
8363 +#ifdef CONFIG_PAX_REFCOUNT
8364 +#ifdef CONFIG_X86_32
8370 + ".pushsection .fixup,\"ax\"\n"
8372 + LOCK_PREFIX "decl %0\n"
8375 + _ASM_EXTABLE(0b, 1b)
8378 + :"+m" (rw->lock) : : "memory");
8381 static inline void arch_write_unlock(arch_rwlock_t *rw)
8383 - asm volatile(LOCK_PREFIX "addl %1, %0"
8384 + asm volatile(LOCK_PREFIX "addl %1, %0\n"
8386 +#ifdef CONFIG_PAX_REFCOUNT
8387 +#ifdef CONFIG_X86_32
8393 + ".pushsection .fixup,\"ax\"\n"
8395 + LOCK_PREFIX "subl %1,%0\n"
8398 + _ASM_EXTABLE(0b, 1b)
8401 : "+m" (rw->lock) : "i" (RW_LOCK_BIAS) : "memory");
8404 diff -urNp linux-2.6.33.1/arch/x86/include/asm/system.h linux-2.6.33.1/arch/x86/include/asm/system.h
8405 --- linux-2.6.33.1/arch/x86/include/asm/system.h 2010-03-15 12:09:39.000000000 -0400
8406 +++ linux-2.6.33.1/arch/x86/include/asm/system.h 2010-03-20 16:58:38.984539447 -0400
8407 @@ -202,7 +202,7 @@ static inline unsigned long get_limit(un
8409 unsigned long __limit;
8410 asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
8411 - return __limit + 1;
8415 static inline void native_clts(void)
8416 @@ -342,7 +342,7 @@ void enable_hlt(void);
8418 void cpu_idle_wait(void);
8420 -extern unsigned long arch_align_stack(unsigned long sp);
8421 +#define arch_align_stack(x) ((x) & ~0xfUL)
8422 extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
8424 void default_idle(void);
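Review bot: Turning arch_align_stack into `#define arch_align_stack(x) ((x) & ~0xfUL)` drops the prototype, so the argument is no longer type-checked and any out-of-line definition left elsewhere in the tree would now be mangled by the macro. A `static inline unsigned long arch_align_stack(unsigned long sp) { return sp & ~0xfUL; }` keeps the old signature and should generate the same code. The function being replaced is not visible in this hunk; if it did more than align the pointer, a one-line comment saying where that work now happens would help.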
8425 diff -urNp linux-2.6.33.1/arch/x86/include/asm/uaccess_32.h linux-2.6.33.1/arch/x86/include/asm/uaccess_32.h
8426 --- linux-2.6.33.1/arch/x86/include/asm/uaccess_32.h 2010-03-15 12:09:39.000000000 -0400
8427 +++ linux-2.6.33.1/arch/x86/include/asm/uaccess_32.h 2010-03-20 16:58:38.984539447 -0400
8428 @@ -44,6 +44,9 @@ unsigned long __must_check __copy_from_u
8429 static __always_inline unsigned long __must_check
8430 __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
8435 if (__builtin_constant_p(n)) {
8438 @@ -62,6 +65,8 @@ __copy_to_user_inatomic(void __user *to,
8442 + if (!__builtin_constant_p(n))
8443 + check_object_size(from, n, true);
8444 return __copy_to_user_ll(to, from, n);
8447 @@ -89,6 +94,9 @@ __copy_to_user(void __user *to, const vo
8448 static __always_inline unsigned long
8449 __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
8454 /* Avoid zeroing the tail if the copy fails..
8455 * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
8456 * but as the zeroing behaviour is only significant when n is not
8457 @@ -138,6 +146,10 @@ static __always_inline unsigned long
8458 __copy_from_user(void *to, const void __user *from, unsigned long n)
8465 if (__builtin_constant_p(n)) {
8468 @@ -153,6 +165,8 @@ __copy_from_user(void *to, const void __
8472 + if (!__builtin_constant_p(n))
8473 + check_object_size(to, n, false);
8474 return __copy_from_user_ll(to, from, n);
8477 @@ -160,6 +174,10 @@ static __always_inline unsigned long __c
8478 const void __user *from, unsigned long n)
8485 if (__builtin_constant_p(n)) {
8488 @@ -182,15 +200,19 @@ static __always_inline unsigned long
8489 __copy_from_user_inatomic_nocache(void *to, const void __user *from,
8492 - return __copy_from_user_ll_nocache_nozero(to, from, n);
8497 -unsigned long __must_check copy_to_user(void __user *to,
8498 - const void *from, unsigned long n);
8499 -unsigned long __must_check _copy_from_user(void *to,
8500 - const void __user *from,
8502 + return __copy_from_user_ll_nocache_nozero(to, from, n);
8505 +extern void copy_to_user_overflow(void)
8506 +#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
8507 + __compiletime_error("copy_to_user() buffer size is not provably correct")
8509 + __compiletime_warning("copy_to_user() buffer size is not provably correct")
8513 extern void copy_from_user_overflow(void)
8514 #ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
8515 @@ -200,17 +222,61 @@ extern void copy_from_user_overflow(void
8519 -static inline unsigned long __must_check copy_from_user(void *to,
8520 - const void __user *from,
8523 + * copy_to_user: - Copy a block of data into user space.
8524 + * @to: Destination address, in user space.
8525 + * @from: Source address, in kernel space.
8526 + * @n: Number of bytes to copy.
8528 + * Context: User context only. This function may sleep.
8530 + * Copy data from kernel space to user space.
8532 + * Returns number of bytes that could not be copied.
8533 + * On success, this will be zero.
8535 +static inline unsigned long __must_check
8536 +copy_to_user(void __user *to, const void *from, unsigned long n)
8538 + int sz = __compiletime_object_size(from);
8540 + if (unlikely(sz != -1 && sz < n))
8541 + copy_to_user_overflow();
8542 + else if (access_ok(VERIFY_WRITE, to, n))
8543 + n = __copy_to_user(to, from, n);
8548 + * copy_from_user: - Copy a block of data from user space.
8549 + * @to: Destination address, in kernel space.
8550 + * @from: Source address, in user space.
8551 + * @n: Number of bytes to copy.
8553 + * Context: User context only. This function may sleep.
8555 + * Copy data from user space to kernel space.
8557 + * Returns number of bytes that could not be copied.
8558 + * On success, this will be zero.
8560 + * If some data could not be copied, this function will pad the copied
8561 + * data to the requested size using zero bytes.
8563 +static inline unsigned long __must_check
8564 +copy_from_user(void *to, const void __user *from, unsigned long n)
8566 int sz = __compiletime_object_size(to);
8568 - if (likely(sz == -1 || sz >= n))
8569 - n = _copy_from_user(to, from, n);
8571 + if (unlikely(sz != -1 && sz < n))
8572 copy_from_user_overflow();
8574 + else if (access_ok(VERIFY_READ, from, n))
8575 + n = __copy_from_user(to, from, n);
8576 + else if ((long)n > 0) {
8577 + if (!__builtin_constant_p(n))
8578 + check_object_size(to, n, false);
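Review bot: The kernel-doc added for copy_from_user() says a failed copy is padded with zero bytes, but in the `sz != -1 && sz < n` branch the function only calls copy_from_user_overflow() and skips both later branches of the else-if chain, so nothing is copied or zeroed on that path. That is the right behaviour, since zeroing n bytes would itself overrun the object, but the comment should say so: ` * If @n exceeds the compile-time size of @to, nothing is copied or zeroed.` The copy_to_user() comment could carry the matching line for @from. The tail of the fallback branch is not shown on this page.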
8584 diff -urNp linux-2.6.33.1/arch/x86/include/asm/uaccess_64.h linux-2.6.33.1/arch/x86/include/asm/uaccess_64.h
8585 --- linux-2.6.33.1/arch/x86/include/asm/uaccess_64.h 2010-03-15 12:09:39.000000000 -0400
8586 +++ linux-2.6.33.1/arch/x86/include/asm/uaccess_64.h 2010-03-20 16:58:38.984539447 -0400
8588 #include <linux/lockdep.h>
8589 #include <asm/page.h>
8591 +#define set_fs(x) (current_thread_info()->addr_limit = (x))
8594 * Copy To/From Userspace
8597 /* Handles exceptions in both to and from, but doesn't do access_ok */
8598 __must_check unsigned long
8599 copy_user_generic(void *to, const void *from, unsigned len);
8601 -__must_check unsigned long
8602 -_copy_to_user(void __user *to, const void *from, unsigned len);
8603 -__must_check unsigned long
8604 -_copy_from_user(void *to, const void __user *from, unsigned len);
8605 +static __always_inline __must_check unsigned long
8606 +__copy_to_user(void __user *to, const void *from, unsigned len);
8607 +static __always_inline __must_check unsigned long
8608 +__copy_from_user(void *to, const void __user *from, unsigned len);
8609 __must_check unsigned long
8610 copy_in_user(void __user *to, const void __user *from, unsigned len);
8612 static inline unsigned long __must_check copy_from_user(void *to,
8613 const void __user *from,
8617 - int sz = __compiletime_object_size(to);
8620 - if (likely(sz == -1 || sz >= n))
8621 - n = _copy_from_user(to, from, n);
8622 -#ifdef CONFIG_DEBUG_VM
8624 - WARN(1, "Buffer overflow detected!\n");
8627 + if (access_ok(VERIFY_READ, from, n))
8628 + n = __copy_from_user(to, from, n);
8629 + else if ((int)n > 0) {
8630 + if (!__builtin_constant_p(n))
8631 + check_object_size(to, n, false);
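Review bot: The fallback branch tests `(int)n > 0` here, while the matching branch in uaccess_32.h tests `(long)n > 0`. The parameter line is not shown in this hunk, but if n is unsigned long as in the 32-bit file, the cast truncates before the sign test, so the test and whatever the branch then does with n (the following lines are not visible) can disagree about the length. I would write `else if ((long)n > 0) {`, or narrow n once into a local and use that local for the check and for everything after it.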
8637 @@ -46,17 +47,33 @@ int copy_to_user(void __user *dst, const
8641 - return _copy_to_user(dst, src, size);
8642 + if (access_ok(VERIFY_WRITE, dst, size))
8643 + size = __copy_to_user(dst, src, size);
8647 static __always_inline __must_check
8648 -int __copy_from_user(void *dst, const void __user *src, unsigned size)
8649 +unsigned long __copy_from_user(void *dst, const void __user *src, unsigned size)
8652 + int sz = __compiletime_object_size(dst);
8656 - if (!__builtin_constant_p(size))
8658 + if ((int)size < 0)
8661 + if (unlikely(sz != -1 && sz < size)) {
8662 +#ifdef CONFIG_DEBUG_VM
8663 + WARN(1, "Buffer overflow detected!\n");
8668 + if (!__builtin_constant_p(size)) {
8669 + check_object_size(dst, size, false);
8670 return copy_user_generic(dst, (__force void *)src, size);
8673 case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
8674 ret, "b", "b", "=q", 1);
8675 @@ -94,13 +111,27 @@ int __copy_from_user(void *dst, const vo
8678 static __always_inline __must_check
8679 -int __copy_to_user(void __user *dst, const void *src, unsigned size)
8680 +unsigned long __copy_to_user(void __user *dst, const void *src, unsigned size)
8683 + int sz = __compiletime_object_size(src);
8687 - if (!__builtin_constant_p(size))
8689 + if ((int)size < 0)
8692 + if (unlikely(sz != -1 && sz < size)) {
8693 +#ifdef CONFIG_DEBUG_VM
8694 + WARN(1, "Buffer overflow detected!\n");
8699 + if (!__builtin_constant_p(size)) {
8700 + check_object_size(src, size, true);
8701 return copy_user_generic((__force void *)dst, src, size);
8704 case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
8705 ret, "b", "b", "iq", 1);
8706 @@ -138,11 +169,15 @@ int __copy_to_user(void __user *dst, con
8709 static __always_inline __must_check
8710 -int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
8711 +unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size)
8718 + if ((int)size < 0)
8721 if (!__builtin_constant_p(size))
8722 return copy_user_generic((__force void *)dst,
8723 (__force void *)src, size);
8724 @@ -206,30 +241,38 @@ __copy_from_user_inatomic(void *dst, con
8725 return copy_user_generic(dst, (__force const void *)src, size);
8728 -static __must_check __always_inline int
8729 +static __must_check __always_inline unsigned long
8730 __copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
8732 + if ((int)size < 0)
8735 return copy_user_generic((__force void *)dst, src, size);
8738 -extern long __copy_user_nocache(void *dst, const void __user *src,
8739 +extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
8740 unsigned size, int zerorest);
8743 -__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
8744 +static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
8748 + if ((int)size < 0)
8751 return __copy_user_nocache(dst, src, size, 1);
8755 -__copy_from_user_inatomic_nocache(void *dst, const void __user *src,
8756 +static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
8759 + if ((int)size < 0)
8762 return __copy_user_nocache(dst, src, size, 0);
8766 +extern unsigned long
8767 copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
8769 #endif /* _ASM_X86_UACCESS_64_H */
8770 diff -urNp linux-2.6.33.1/arch/x86/include/asm/uaccess.h linux-2.6.33.1/arch/x86/include/asm/uaccess.h
8771 --- linux-2.6.33.1/arch/x86/include/asm/uaccess.h 2010-03-15 12:09:39.000000000 -0400
8772 +++ linux-2.6.33.1/arch/x86/include/asm/uaccess.h 2010-03-20 16:58:38.984539447 -0400
8774 #include <linux/thread_info.h>
8775 #include <linux/prefetch.h>
8776 #include <linux/string.h>
8777 +#include <linux/sched.h>
8778 +#include <linux/slab.h>
8779 #include <asm/asm.h>
8780 #include <asm/page.h>
8781 +#include <asm/segment.h>
8783 #define VERIFY_READ 0
8784 #define VERIFY_WRITE 1
8787 #define get_ds() (KERNEL_DS)
8788 #define get_fs() (current_thread_info()->addr_limit)
8789 +#ifdef CONFIG_X86_32
8790 +void __set_fs(mm_segment_t x, int cpu);
8791 +void set_fs(mm_segment_t x);
8793 #define set_fs(x) (current_thread_info()->addr_limit = (x))
8796 #define segment_eq(a, b) ((a).seg == (b).seg)
8799 * checks that the pointer is in the user space range - after calling
8800 * this function, memory access functions may still return -EFAULT.
8802 -#define access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
8803 +#define __access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
8804 +#define access_ok(type, addr, size) \
8806 + long __size = size; \
8807 + unsigned long __addr = (unsigned long)addr; \
8808 + unsigned long __addr_ao = __addr & PAGE_MASK; \
8809 + unsigned long __end_ao = __addr + __size - 1; \
8810 + bool __ret_ao = __range_not_ok(__addr, __size) == 0; \
8811 + if (__ret_ao && unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
8812 + while(__addr_ao <= __end_ao) { \
8814 + __addr_ao += PAGE_SIZE; \
8815 + if (__size > PAGE_SIZE) \
8817 + if (__get_user(__c_ao, (char __user *)__addr)) \
8819 + if (type != VERIFY_WRITE) { \
8820 + __addr = __addr_ao; \
8823 + if (__put_user(__c_ao, (char __user *)__addr)) \
8825 + __addr = __addr_ao; \
8832 * The exception table consists of pairs of addresses: the first is the
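Review bot: The new access_ok() body uses its arguments unparenthesised: in `(unsigned long)addr` the cast binds to the first token only, so a caller passing `p + 1` with a non-char pointer gets byte arithmetic instead of element arithmetic and the wrong range is checked. I would write `unsigned long __addr = (unsigned long)(addr);`, `long __size = (size);` and `(type) != VERIFY_WRITE`. Separately, the VERIFY_WRITE path reads a byte with __get_user and stores it back with __put_user, which is not atomic with respect to another thread writing that byte. Several lines of the loop are not shown here, so please confirm that this is acceptable and state it in the comment above the macro.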
8833 @@ -183,13 +217,21 @@ extern int __get_user_bad(void);
8834 asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
8835 : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
8838 +#ifdef CONFIG_X86_32
8839 +#define _ASM_LOAD_USER_DS(ds) "movw %w" #ds ",%%ds\n"
8840 +#define _ASM_LOAD_KERNEL_DS "pushl %%ss; popl %%ds\n"
8842 +#define _ASM_LOAD_USER_DS(ds)
8843 +#define _ASM_LOAD_KERNEL_DS
8846 #ifdef CONFIG_X86_32
8847 #define __put_user_asm_u64(x, addr, err, errret) \
8848 - asm volatile("1: movl %%eax,0(%2)\n" \
8849 - "2: movl %%edx,4(%2)\n" \
8850 + asm volatile(_ASM_LOAD_USER_DS(5) \
8851 + "1: movl %%eax,%%ds:0(%2)\n" \
8852 + "2: movl %%edx,%%ds:4(%2)\n" \
8854 + _ASM_LOAD_KERNEL_DS \
8855 ".section .fixup,\"ax\"\n" \
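Review bot: `_ASM_LOAD_USER_DS(5)` names the selector operand by position, so it silently picks a different operand if anyone adds or removes a constraint in __put_user_asm_u64; the same applies to the `(2)` and `(5)` uses in the later hunks of this file. A named operand avoids that: `[uds] "r" (__USER_DS)` in the input list and `_ASM_LOAD_USER_DS([uds])` in the template. Also, both helper macros expand to nothing outside CONFIG_X86_32, yet the following hunks add the `"r"(__USER_DS)` input to macros that appear to be shared. Unless an #ifdef that is not visible on this page guards it, that ties up a register for no use on 64-bit.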
8858 @@ -197,15 +239,18 @@ extern int __get_user_bad(void);
8859 _ASM_EXTABLE(1b, 4b) \
8860 _ASM_EXTABLE(2b, 4b) \
8862 - : "A" (x), "r" (addr), "i" (errret), "0" (err))
8863 + : "A" (x), "r" (addr), "i" (errret), "0" (err), \
8866 #define __put_user_asm_ex_u64(x, addr) \
8867 - asm volatile("1: movl %%eax,0(%1)\n" \
8868 - "2: movl %%edx,4(%1)\n" \
8869 + asm volatile(_ASM_LOAD_USER_DS(2) \
8870 + "1: movl %%eax,%%ds:0(%1)\n" \
8871 + "2: movl %%edx,%%ds:4(%1)\n" \
8873 + _ASM_LOAD_KERNEL_DS \
8874 _ASM_EXTABLE(1b, 2b - 1b) \
8875 _ASM_EXTABLE(2b, 3b - 2b) \
8876 - : : "A" (x), "r" (addr))
8877 + : : "A" (x), "r" (addr), "r"(__USER_DS))
8879 #define __put_user_x8(x, ptr, __ret_pu) \
8880 asm volatile("call __put_user_8" : "=a" (__ret_pu) \
8881 @@ -374,16 +419,18 @@ do { \
8884 #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
8885 - asm volatile("1: mov"itype" %2,%"rtype"1\n" \
8886 + asm volatile(_ASM_LOAD_USER_DS(5) \
8887 + "1: mov"itype" %%ds:%2,%"rtype"1\n" \
8889 + _ASM_LOAD_KERNEL_DS \
8890 ".section .fixup,\"ax\"\n" \
8892 " xor"itype" %"rtype"1,%"rtype"1\n" \
8895 _ASM_EXTABLE(1b, 3b) \
8896 - : "=r" (err), ltype(x) \
8897 - : "m" (__m(addr)), "i" (errret), "0" (err))
8898 + : "=r" (err), ltype (x) \
8899 + : "m" (__m(addr)), "i" (errret), "0" (err), "r"(__USER_DS))
8901 #define __get_user_size_ex(x, ptr, size) \
8903 @@ -407,10 +454,12 @@ do { \
8906 #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
8907 - asm volatile("1: mov"itype" %1,%"rtype"0\n" \
8908 + asm volatile(_ASM_LOAD_USER_DS(2) \
8909 + "1: mov"itype" %%ds:%1,%"rtype"0\n" \
8911 + _ASM_LOAD_KERNEL_DS \
8912 _ASM_EXTABLE(1b, 2b - 1b) \
8913 - : ltype(x) : "m" (__m(addr)))
8914 + : ltype(x) : "m" (__m(addr)), "r"(__USER_DS))
8916 #define __put_user_nocheck(x, ptr, size) \
8918 @@ -424,7 +473,7 @@ do { \
8920 unsigned long __gu_val; \
8921 __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
8922 - (x) = (__force __typeof__(*(ptr)))__gu_val; \
8923 + (x) = (__typeof__(*(ptr)))__gu_val; \
8927 @@ -438,21 +487,26 @@ struct __large_struct { unsigned long bu
8930 #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
8931 - asm volatile("1: mov"itype" %"rtype"1,%2\n" \
8932 + asm volatile(_ASM_LOAD_USER_DS(5) \
8933 + "1: mov"itype" %"rtype"1,%%ds:%2\n" \
8935 + _ASM_LOAD_KERNEL_DS \
8936 ".section .fixup,\"ax\"\n" \
8940 _ASM_EXTABLE(1b, 3b) \
8942 - : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
8943 + : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err),\
8946 #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \
8947 - asm volatile("1: mov"itype" %"rtype"0,%1\n" \
8948 + asm volatile(_ASM_LOAD_USER_DS(2) \
8949 + "1: mov"itype" %"rtype"0,%%ds:%1\n" \
8951 + _ASM_LOAD_KERNEL_DS \
8952 _ASM_EXTABLE(1b, 2b - 1b) \
8953 - : : ltype(x), "m" (__m(addr)))
8954 + : : ltype(x), "m" (__m(addr)), "r"(__USER_DS))
8957 * uaccess_try and catch
8958 @@ -530,7 +584,7 @@ struct __large_struct { unsigned long bu
8959 #define get_user_ex(x, ptr) do { \
8960 unsigned long __gue_val; \
8961 __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \
8962 - (x) = (__force __typeof__(*(ptr)))__gue_val; \
8963 + (x) = (__typeof__(*(ptr)))__gue_val; \
8966 #ifdef CONFIG_X86_WP_WORKS_OK
8967 @@ -567,6 +621,7 @@ extern struct movsl_mask {
8969 #define ARCH_HAS_NOCACHE_UACCESS 1
8971 +#define ARCH_HAS_SORT_EXTABLE
8972 #ifdef CONFIG_X86_32
8973 # include "uaccess_32.h"
8975 diff -urNp linux-2.6.33.1/arch/x86/include/asm/vgtod.h linux-2.6.33.1/arch/x86/include/asm/vgtod.h
8976 --- linux-2.6.33.1/arch/x86/include/asm/vgtod.h 2010-03-15 12:09:39.000000000 -0400
8977 +++ linux-2.6.33.1/arch/x86/include/asm/vgtod.h 2010-03-20 16:58:38.984539447 -0400
8978 @@ -14,6 +14,7 @@ struct vsyscall_gtod_data {
8980 struct timezone sys_tz;
8981 struct { /* extract of a clocksource struct */
8983 cycle_t (*vread)(void);
8986 diff -urNp linux-2.6.33.1/arch/x86/include/asm/vmi.h linux-2.6.33.1/arch/x86/include/asm/vmi.h
8987 --- linux-2.6.33.1/arch/x86/include/asm/vmi.h 2010-03-15 12:09:39.000000000 -0400
8988 +++ linux-2.6.33.1/arch/x86/include/asm/vmi.h 2010-03-20 16:58:38.984539447 -0400
8989 @@ -191,6 +191,7 @@ struct vrom_header {
8990 u8 reserved[96]; /* Reserved for headers */
8991 char vmi_init[8]; /* VMI_Init jump point */
8992 char get_reloc[8]; /* VMI_GetRelocationInfo jump point */
8993 + char rom_data[8048]; /* rest of the option ROM */
8994 } __attribute__((packed));
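Review bot: `char rom_data[8048];` introduces a bare size with no derivation, and because the struct is packed this value fixes sizeof(struct vrom_header) exactly. The earlier members are outside this hunk, so I can't confirm the resulting total. If the intent is for the struct to span the whole option ROM, I would express the number as the ROM size minus the header fields and pin it with `BUILD_BUG_ON(sizeof(struct vrom_header) != ROM_SIZE_PLACEHOLDER);` next to the code that maps the ROM.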
8997 diff -urNp linux-2.6.33.1/arch/x86/include/asm/vsyscall.h linux-2.6.33.1/arch/x86/include/asm/vsyscall.h
8998 --- linux-2.6.33.1/arch/x86/include/asm/vsyscall.h 2010-03-15 12:09:39.000000000 -0400
8999 +++ linux-2.6.33.1/arch/x86/include/asm/vsyscall.h 2010-03-20 16:58:38.984539447 -0400
9000 @@ -15,9 +15,10 @@ enum vsyscall_num {
9003 #include <linux/seqlock.h>
9004 +#include <linux/getcpu.h>
9005 +#include <linux/time.h>
9007 #define __section_vgetcpu_mode __attribute__ ((unused, __section__ (".vgetcpu_mode"), aligned(16)))
9008 -#define __section_jiffies __attribute__ ((unused, __section__ (".jiffies"), aligned(16)))
9010 /* Definitions for CONFIG_GENERIC_TIME definitions */
9011 #define __section_vsyscall_gtod_data __attribute__ \
9012 @@ -31,7 +32,6 @@ enum vsyscall_num {
9013 #define VGETCPU_LSL 2
9015 extern int __vgetcpu_mode;
9016 -extern volatile unsigned long __jiffies;
9018 /* kernel space (writeable) */
9019 extern int vgetcpu_mode;
9020 @@ -39,6 +39,9 @@ extern struct timezone sys_tz;
9022 extern void map_vsyscall(void);
9024 +extern int vgettimeofday(struct timeval * tv, struct timezone * tz);
9025 +extern time_t vtime(time_t *t);
9026 +extern long vgetcpu(unsigned *cpu, unsigned *node, struct getcpu_cache *tcache);
9027 #endif /* __KERNEL__ */
9029 #endif /* _ASM_X86_VSYSCALL_H */
9030 diff -urNp linux-2.6.33.1/arch/x86/Kconfig linux-2.6.33.1/arch/x86/Kconfig
9031 --- linux-2.6.33.1/arch/x86/Kconfig 2010-03-15 12:09:39.000000000 -0400
9032 +++ linux-2.6.33.1/arch/x86/Kconfig 2010-03-20 16:58:38.984539447 -0400
9033 @@ -1088,7 +1088,7 @@ config PAGE_OFFSET
9035 default 0xB0000000 if VMSPLIT_3G_OPT
9036 default 0x80000000 if VMSPLIT_2G
9037 - default 0x78000000 if VMSPLIT_2G_OPT
9038 + default 0x70000000 if VMSPLIT_2G_OPT
9039 default 0x40000000 if VMSPLIT_1G
9042 @@ -1422,7 +1422,7 @@ config ARCH_USES_PG_UNCACHED
9045 bool "EFI runtime service support"
9047 + depends on ACPI && !PAX_KERNEXEC
9049 This enables the kernel to use EFI runtime services that are
9050 available (such as the EFI variable services).
9051 @@ -1509,6 +1509,7 @@ config KEXEC_JUMP
9052 config PHYSICAL_START
9053 hex "Physical address where the kernel is loaded" if (EMBEDDED || CRASH_DUMP)
9055 + range 0x400000 0x40000000
9057 This gives the physical address where the kernel is loaded.
9059 @@ -1573,6 +1574,7 @@ config PHYSICAL_ALIGN
9061 prompt "Alignment value to which kernel should be aligned" if X86_32
9063 + range 0x400000 0x1000000 if PAX_KERNEXEC
9064 range 0x2000 0x1000000
9066 This value puts the alignment restrictions on physical address
9067 @@ -1604,9 +1606,10 @@ config HOTPLUG_CPU
9068 Say N if you want to disable CPU hotplug.
9073 prompt "Compat VDSO support"
9074 depends on X86_32 || IA32_EMULATION
9075 + depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF
9077 Map the 32-bit VDSO to the predictable old-style address too.
9079 diff -urNp linux-2.6.33.1/arch/x86/Kconfig.cpu linux-2.6.33.1/arch/x86/Kconfig.cpu
9080 --- linux-2.6.33.1/arch/x86/Kconfig.cpu 2010-03-15 12:09:39.000000000 -0400
9081 +++ linux-2.6.33.1/arch/x86/Kconfig.cpu 2010-03-20 16:58:38.984539447 -0400
9082 @@ -336,7 +336,7 @@ config X86_PPRO_FENCE
9086 - depends on M586MMX || M586TSC || M586 || M486 || M386
9087 + depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
9089 config X86_WP_WORKS_OK
9091 @@ -356,7 +356,7 @@ config X86_POPAD_OK
9093 config X86_ALIGNMENT_16
9095 - depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
9096 + depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
9098 config X86_INTEL_USERCOPY
9100 @@ -402,7 +402,7 @@ config X86_CMPXCHG64
9104 - depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
9105 + depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
9107 config X86_MINIMUM_CPU_FAMILY
9109 diff -urNp linux-2.6.33.1/arch/x86/Kconfig.debug linux-2.6.33.1/arch/x86/Kconfig.debug
9110 --- linux-2.6.33.1/arch/x86/Kconfig.debug 2010-03-15 12:09:39.000000000 -0400
9111 +++ linux-2.6.33.1/arch/x86/Kconfig.debug 2010-03-20 16:58:38.984539447 -0400
9112 @@ -99,7 +99,7 @@ config X86_PTDUMP
9114 bool "Write protect kernel read-only data structures"
9116 - depends on DEBUG_KERNEL
9117 + depends on DEBUG_KERNEL && BROKEN
9119 Mark the kernel read-only data as write-protected in the pagetables,
9120 in order to catch accidental (and incorrect) writes to such const
9121 diff -urNp linux-2.6.33.1/arch/x86/kernel/acpi/boot.c linux-2.6.33.1/arch/x86/kernel/acpi/boot.c
9122 --- linux-2.6.33.1/arch/x86/kernel/acpi/boot.c 2010-03-15 12:09:39.000000000 -0400
9123 +++ linux-2.6.33.1/arch/x86/kernel/acpi/boot.c 2010-03-20 16:58:38.988525305 -0400
9124 @@ -1503,7 +1503,7 @@ static struct dmi_system_id __initdata a
9125 DMI_MATCH(DMI_PRODUCT_NAME, "HP Compaq 6715b"),
9129 + { NULL, NULL, {{0, {0}}}, NULL}
9133 diff -urNp linux-2.6.33.1/arch/x86/kernel/acpi/realmode/wakeup.S linux-2.6.33.1/arch/x86/kernel/acpi/realmode/wakeup.S
9134 --- linux-2.6.33.1/arch/x86/kernel/acpi/realmode/wakeup.S 2010-03-15 12:09:39.000000000 -0400
9135 +++ linux-2.6.33.1/arch/x86/kernel/acpi/realmode/wakeup.S 2010-03-20 16:58:38.988525305 -0400
9136 @@ -104,7 +104,7 @@ _start:
9140 - movl $0xc0000080, %ecx
9141 + mov $MSR_EFER, %ecx
9145 diff -urNp linux-2.6.33.1/arch/x86/kernel/acpi/sleep.c linux-2.6.33.1/arch/x86/kernel/acpi/sleep.c
9146 --- linux-2.6.33.1/arch/x86/kernel/acpi/sleep.c 2010-03-15 12:09:39.000000000 -0400
9147 +++ linux-2.6.33.1/arch/x86/kernel/acpi/sleep.c 2010-03-20 16:58:38.988525305 -0400
9149 #include <linux/cpumask.h>
9150 #include <asm/segment.h>
9151 #include <asm/desc.h>
9152 +#include <asm/e820.h>
9154 #include "realmode/wakeup.h"
9157 -unsigned long acpi_wakeup_address;
9158 +unsigned long acpi_wakeup_address = 0x2000;
9159 unsigned long acpi_realmode_flags;
9161 /* address in low memory of the wakeup routine. */
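Review bot: `acpi_wakeup_address = 0x2000` hard-codes a low-memory address where the variable used to start at zero, and nothing in the visible lines says what keeps that page free. The added asm/e820.h include suggests the reservation is made elsewhere in this file, outside the hunk. I would name the constant and add a comment such as `/* fixed wakeup trampoline address; must match the low-memory reservation */` so the two cannot drift apart.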
9162 @@ -96,8 +97,12 @@ int acpi_save_state_mem(void)
9163 header->trampoline_segment = setup_trampoline() >> 4;
9165 stack_start.sp = temp_stack + sizeof(temp_stack);
9167 + pax_open_kernel();
9168 early_gdt_descr.address =
9169 (unsigned long)get_cpu_gdt_table(smp_processor_id());
9170 + pax_close_kernel();
9172 initial_gs = per_cpu_offset(smp_processor_id());
9174 initial_code = (unsigned long)wakeup_long64;
9175 diff -urNp linux-2.6.33.1/arch/x86/kernel/acpi/wakeup_32.S linux-2.6.33.1/arch/x86/kernel/acpi/wakeup_32.S
9176 --- linux-2.6.33.1/arch/x86/kernel/acpi/wakeup_32.S 2010-03-15 12:09:39.000000000 -0400
9177 +++ linux-2.6.33.1/arch/x86/kernel/acpi/wakeup_32.S 2010-03-20 16:58:38.988525305 -0400
9178 @@ -30,13 +30,11 @@ wakeup_pmode_return:
9179 # and restore the stack ... but you need gdt for this to work
9180 movl saved_context_esp, %esp
9182 - movl %cs:saved_magic, %eax
9183 - cmpl $0x12345678, %eax
9184 + cmpl $0x12345678, saved_magic
9187 # jump to place where we left off
9188 - movl saved_eip, %eax
9194 diff -urNp linux-2.6.33.1/arch/x86/kernel/alternative.c linux-2.6.33.1/arch/x86/kernel/alternative.c
9195 --- linux-2.6.33.1/arch/x86/kernel/alternative.c 2010-03-15 12:09:39.000000000 -0400
9196 +++ linux-2.6.33.1/arch/x86/kernel/alternative.c 2010-03-20 16:58:38.988525305 -0400
9197 @@ -407,7 +407,7 @@ void __init_or_module apply_paravirt(str
9199 BUG_ON(p->len > MAX_PATCH_LEN);
9200 /* prep the buffer with the original instructions */
9201 - memcpy(insnbuf, p->instr, p->len);
9202 + memcpy(insnbuf, ktla_ktva(p->instr), p->len);
9203 used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
9204 (unsigned long)p->instr, p->len);
9206 @@ -492,12 +492,16 @@ void __init alternative_instructions(voi
9207 * instructions. And on the local CPU you need to be protected again NMI or MCE
9208 * handlers seeing an inconsistent instruction while you patch.
9210 -static void *__init_or_module text_poke_early(void *addr, const void *opcode,
9211 +static void *__kprobes text_poke_early(void *addr, const void *opcode,
9214 unsigned long flags;
9215 local_irq_save(flags);
9216 - memcpy(addr, opcode, len);
9218 + pax_open_kernel();
9219 + memcpy(ktla_ktva(addr), opcode, len);
9220 + pax_close_kernel();
9223 local_irq_restore(flags);
9224 /* Could also do a CLFLUSH here to speed up CPU recovery; but
9225 @@ -520,35 +524,21 @@ static void *__init_or_module text_poke_
9227 void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
9229 - unsigned long flags;
9231 + unsigned char *vaddr = ktla_ktva(addr);
9232 struct page *pages[2];
9236 if (!core_kernel_text((unsigned long)addr)) {
9237 - pages[0] = vmalloc_to_page(addr);
9238 - pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
9239 + pages[0] = vmalloc_to_page(vaddr);
9240 + pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);
9242 - pages[0] = virt_to_page(addr);
9243 + pages[0] = virt_to_page(vaddr);
9244 WARN_ON(!PageReserved(pages[0]));
9245 - pages[1] = virt_to_page(addr + PAGE_SIZE);
9246 + pages[1] = virt_to_page(vaddr + PAGE_SIZE);
9249 - local_irq_save(flags);
9250 - set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
9252 - set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
9253 - vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
9254 - memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
9255 - clear_fixmap(FIX_TEXT_POKE0);
9257 - clear_fixmap(FIX_TEXT_POKE1);
9258 - local_flush_tlb();
9260 - /* Could also do a CLFLUSH here to speed up CPU recovery; but
9261 - that causes hangs on some VIA CPUs. */
9262 + text_poke_early(addr, opcode, len);
9263 for (i = 0; i < len; i++)
9264 - BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
9265 - local_irq_restore(flags);
9266 + BUG_ON(((char *)vaddr)[i] != ((char *)opcode)[i]);
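Review bot: After this change text_poke() still looks up `pages[0]` and `pages[1]`, but the fixmap mapping that consumed them is removed and the write goes through `text_poke_early(addr, opcode, len)`, so in the lines visible here the lookups only feed the WARN_ON. Either drop them or mark them as sanity checks, e.g. `/* pages[] is only validated; the write itself is done by text_poke_early() */`. Note also that `ktla_ktva(addr)` is applied before the core_kernel_text() test, so the vmalloc branch receives the translated address as well; ktla_ktva is defined outside this page, so please confirm it is valid for module text. The comment block above text_poke() lies outside the hunk and probably still describes the fixmap approach.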
9269 diff -urNp linux-2.6.33.1/arch/x86/kernel/amd_iommu.c linux-2.6.33.1/arch/x86/kernel/amd_iommu.c
9270 --- linux-2.6.33.1/arch/x86/kernel/amd_iommu.c 2010-03-15 12:09:39.000000000 -0400
9271 +++ linux-2.6.33.1/arch/x86/kernel/amd_iommu.c 2010-03-20 16:58:38.988525305 -0400
9272 @@ -2210,7 +2210,7 @@ static void prealloc_protection_domains(
9276 -static struct dma_map_ops amd_iommu_dma_ops = {
9277 +static const struct dma_map_ops amd_iommu_dma_ops = {
9278 .alloc_coherent = alloc_coherent,
9279 .free_coherent = free_coherent,
9280 .map_page = map_page,
9281 diff -urNp linux-2.6.33.1/arch/x86/kernel/apic/io_apic.c linux-2.6.33.1/arch/x86/kernel/apic/io_apic.c
9282 --- linux-2.6.33.1/arch/x86/kernel/apic/io_apic.c 2010-03-15 12:09:39.000000000 -0400
9283 +++ linux-2.6.33.1/arch/x86/kernel/apic/io_apic.c 2010-03-20 16:58:38.988525305 -0400
9284 @@ -701,7 +701,7 @@ struct IO_APIC_route_entry **alloc_ioapi
9285 ioapic_entries = kzalloc(sizeof(*ioapic_entries) * nr_ioapics,
9287 if (!ioapic_entries)
9291 for (apic = 0; apic < nr_ioapics; apic++) {
9292 ioapic_entries[apic] =
9293 @@ -718,7 +718,7 @@ nomem:
9294 kfree(ioapic_entries[apic]);
9295 kfree(ioapic_entries);
9302 @@ -1135,7 +1135,7 @@ int IO_APIC_get_PCI_irq_vector(int bus,
9304 EXPORT_SYMBOL(IO_APIC_get_PCI_irq_vector);
9306 -void lock_vector_lock(void)
9307 +void lock_vector_lock(void) __acquires(vector_lock)
9309 /* Used to the online set of cpus does not change
9310 * during assign_irq_vector.
9311 @@ -1143,7 +1143,7 @@ void lock_vector_lock(void)
9312 spin_lock(&vector_lock);
9315 -void unlock_vector_lock(void)
9316 +void unlock_vector_lock(void) __releases(vector_lock)
9318 spin_unlock(&vector_lock);
9320 diff -urNp linux-2.6.33.1/arch/x86/kernel/apm_32.c linux-2.6.33.1/arch/x86/kernel/apm_32.c
9321 --- linux-2.6.33.1/arch/x86/kernel/apm_32.c 2010-03-15 12:09:39.000000000 -0400
9322 +++ linux-2.6.33.1/arch/x86/kernel/apm_32.c 2010-03-20 16:58:38.988525305 -0400
9323 @@ -410,7 +410,7 @@ static DEFINE_MUTEX(apm_mutex);
9324 * This is for buggy BIOS's that refer to (real mode) segment 0x40
9325 * even though they are called in protected mode.
9327 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
9328 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
9329 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
9331 static const char driver_version[] = "1.16ac"; /* no spaces */
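Review bot: The flags value for `bad_bios_desc` changes from `0x4092` to `0x4093` with no explanation, and the only difference is the Accessed bit of the descriptor type. Presumably this is so the CPU never has to write that bit back when the selector is loaded, which would matter once the GDT is kept read-only outside the `pax_open_kernel()` windows added later in this file. The existing comment above the definition only covers the buggy-BIOS background, so I would add `/* type 0x93: Accessed bit pre-set so loading the segment does not write to the GDT */`. The same reasoning, if correct, applies to any other descriptor that is copied into a read-only GDT at runtime.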
9332 @@ -588,7 +588,10 @@ static long __apm_bios_call(void *_call)
9334 gdt = get_cpu_gdt_table(cpu);
9335 save_desc_40 = gdt[0x40 / 8];
9337 + pax_open_kernel();
9338 gdt[0x40 / 8] = bad_bios_desc;
9339 + pax_close_kernel();
9341 apm_irq_save(flags);
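Review bot: The open/assign/close triplet around `gdt[0x40 / 8]` is repeated four times, twice here in `__apm_bios_call()` and twice in `__apm_bios_call_simple()`, so the writable-kernel window is maintained by hand in four places. A small static helper would keep that window in one spot and make it harder for a later edit to add code between open and close. Both functions start and end outside these hunks, so I am assuming the surrounding code keeps the task on one CPU for the whole call.

```c
/* Write one descriptor into GDT slot 0x40 with the shortest possible writable window. */
static inline void apm_set_desc_40(struct desc_struct *gdt,
				   const struct desc_struct *desc)
{
	pax_open_kernel();
	gdt[0x40 / 8] = *desc;
	pax_close_kernel();
}

/* … unchanged: gdt = get_cpu_gdt_table(cpu); save_desc_40 = gdt[0x40 / 8]; … */
apm_set_desc_40(gdt, &bad_bios_desc);
/* … unchanged: BIOS call … */
apm_set_desc_40(gdt, &save_desc_40);
```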
9343 @@ -597,7 +600,11 @@ static long __apm_bios_call(void *_call)
9345 APM_DO_RESTORE_SEGS;
9346 apm_irq_restore(flags);
9348 + pax_open_kernel();
9349 gdt[0x40 / 8] = save_desc_40;
9350 + pax_close_kernel();
9354 return call->eax & 0xff;
9355 @@ -664,7 +671,10 @@ static long __apm_bios_call_simple(void
9357 gdt = get_cpu_gdt_table(cpu);
9358 save_desc_40 = gdt[0x40 / 8];
9360 + pax_open_kernel();
9361 gdt[0x40 / 8] = bad_bios_desc;
9362 + pax_close_kernel();
9364 apm_irq_save(flags);
9366 @@ -672,7 +682,11 @@ static long __apm_bios_call_simple(void
9368 APM_DO_RESTORE_SEGS;
9369 apm_irq_restore(flags);
9371 + pax_open_kernel();
9372 gdt[0x40 / 8] = save_desc_40;
9373 + pax_close_kernel();
9378 @@ -975,7 +989,7 @@ recalc:
9380 static void apm_power_off(void)
9382 - unsigned char po_bios_call[] = {
9383 + const unsigned char po_bios_call[] = {
9384 0xb8, 0x00, 0x10, /* movw $0x1000,ax */
9385 0x8e, 0xd0, /* movw ax,ss */
9386 0xbc, 0x00, 0xf0, /* movw $0xf000,sp */
9387 @@ -1931,7 +1945,10 @@ static const struct file_operations apm_
9388 static struct miscdevice apm_device = {
9399 @@ -2252,7 +2269,7 @@ static struct dmi_system_id __initdata a
9400 { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
9404 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
9408 @@ -2355,12 +2372,15 @@ static int __init apm_init(void)
9411 gdt = get_cpu_gdt_table(0);
9413 + pax_open_kernel();
9414 set_desc_base(&gdt[APM_CS >> 3],
9415 (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4));
9416 set_desc_base(&gdt[APM_CS_16 >> 3],
9417 (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4));
9418 set_desc_base(&gdt[APM_DS >> 3],
9419 (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4));
9420 + pax_close_kernel();
9422 proc_create("apm", 0, NULL, &apm_file_ops);
9424 diff -urNp linux-2.6.33.1/arch/x86/kernel/asm-offsets_32.c linux-2.6.33.1/arch/x86/kernel/asm-offsets_32.c
9425 --- linux-2.6.33.1/arch/x86/kernel/asm-offsets_32.c 2010-03-15 12:09:39.000000000 -0400
9426 +++ linux-2.6.33.1/arch/x86/kernel/asm-offsets_32.c 2010-03-20 16:58:38.988525305 -0400
9427 @@ -115,6 +115,11 @@ void foo(void)
9428 OFFSET(PV_CPU_iret, pv_cpu_ops, iret);
9429 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
9430 OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
9432 +#ifdef CONFIG_PAX_KERNEXEC
9433 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
9439 diff -urNp linux-2.6.33.1/arch/x86/kernel/asm-offsets_64.c linux-2.6.33.1/arch/x86/kernel/asm-offsets_64.c
9440 --- linux-2.6.33.1/arch/x86/kernel/asm-offsets_64.c 2010-03-15 12:09:39.000000000 -0400
9441 +++ linux-2.6.33.1/arch/x86/kernel/asm-offsets_64.c 2010-03-20 16:58:38.988525305 -0400
9442 @@ -63,6 +63,12 @@ int main(void)
9443 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
9444 OFFSET(PV_CPU_swapgs, pv_cpu_ops, swapgs);
9445 OFFSET(PV_MMU_read_cr2, pv_mmu_ops, read_cr2);
9447 +#ifdef CONFIG_PAX_KERNEXEC
9448 + OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
9449 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
9455 @@ -115,6 +121,7 @@ int main(void)
9459 + DEFINE(TSS_size, sizeof(struct tss_struct));
9460 DEFINE(TSS_ist, offsetof(struct tss_struct, x86_tss.ist));
9462 DEFINE(crypto_tfm_ctx_offset, offsetof(struct crypto_tfm, __crt_ctx));
9463 diff -urNp linux-2.6.33.1/arch/x86/kernel/cpu/common.c linux-2.6.33.1/arch/x86/kernel/cpu/common.c
9464 --- linux-2.6.33.1/arch/x86/kernel/cpu/common.c 2010-03-15 12:09:39.000000000 -0400
9465 +++ linux-2.6.33.1/arch/x86/kernel/cpu/common.c 2010-03-20 16:58:38.992510812 -0400
9466 @@ -83,60 +83,6 @@ static const struct cpu_dev __cpuinitcon
9468 static const struct cpu_dev *this_cpu __cpuinitdata = &default_cpu;
9470 -DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
9471 -#ifdef CONFIG_X86_64
9473 - * We need valid kernel segments for data and code in long mode too
9474 - * IRET will check the segment types kkeil 2000/10/28
9475 - * Also sysret mandates a special GDT layout
9477 - * TLS descriptors are currently at a different place compared to i386.
9478 - * Hopefully nobody expects them at a fixed place (Wine?)
9480 - [GDT_ENTRY_KERNEL32_CS] = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff),
9481 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff),
9482 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc093, 0, 0xfffff),
9483 - [GDT_ENTRY_DEFAULT_USER32_CS] = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff),
9484 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff),
9485 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff),
9487 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff),
9488 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
9489 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff),
9490 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff),
9492 - * Segments used for calling PnP BIOS have byte granularity.
9493 - * They code segments and data segments have fixed 64k limits,
9494 - * the transfer segment sizes are set at run time.
9497 - [GDT_ENTRY_PNPBIOS_CS32] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
9499 - [GDT_ENTRY_PNPBIOS_CS16] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
9501 - [GDT_ENTRY_PNPBIOS_DS] = GDT_ENTRY_INIT(0x0092, 0, 0xffff),
9503 - [GDT_ENTRY_PNPBIOS_TS1] = GDT_ENTRY_INIT(0x0092, 0, 0),
9505 - [GDT_ENTRY_PNPBIOS_TS2] = GDT_ENTRY_INIT(0x0092, 0, 0),
9507 - * The APM segments have byte granularity and their bases
9508 - * are set at run time. All have 64k limits.
9511 - [GDT_ENTRY_APMBIOS_BASE] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
9513 - [GDT_ENTRY_APMBIOS_BASE+1] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
9515 - [GDT_ENTRY_APMBIOS_BASE+2] = GDT_ENTRY_INIT(0x4092, 0, 0xffff),
9517 - [GDT_ENTRY_ESPFIX_SS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
9518 - [GDT_ENTRY_PERCPU] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
9519 - GDT_STACK_CANARY_INIT
9522 -EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
9524 static int __init x86_xsave_setup(char *s)
9526 setup_clear_cpu_cap(X86_FEATURE_XSAVE);
9527 @@ -344,7 +290,7 @@ void switch_to_new_gdt(int cpu)
9529 struct desc_ptr gdt_descr;
9531 - gdt_descr.address = (long)get_cpu_gdt_table(cpu);
9532 + gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
9533 gdt_descr.size = GDT_SIZE - 1;
9534 load_gdt(&gdt_descr);
9535 /* Reload the per-cpu base */
9536 @@ -802,6 +748,10 @@ static void __cpuinit identify_cpu(struc
9537 /* Filter out anything that depends on CPUID levels we don't have */
9538 filter_cpuid_features(c, true);
9540 +#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || (defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32))
9541 + setup_clear_cpu_cap(X86_FEATURE_SEP);
9544 /* If the model name is still unset, do table lookup. */
9545 if (!c->x86_model_id[0]) {
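Review bot: `setup_clear_cpu_cap(X86_FEATURE_SEP)` is added to `identify_cpu()` without a comment, so SYSENTER support silently disappears whenever one of these three PaX options is enabled. Presumably the reason is that SYSENTER/SYSEXIT load flat code and stack segments, which does not fit the segment layout these options rely on; that belongs in the source, e.g. `/* PaX: SYSENTER/SYSEXIT force flat segments, incompatible with the segment setup used by these options */`. Note also that only the UDEREF term is restricted to `CONFIG_X86_32`, so with KERNEXEC the capability is cleared on 64-bit builds too; if that is intended it deserves a word in the same comment. identify_cpu() starts and ends outside this hunk.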
9547 @@ -1103,7 +1053,7 @@ void __cpuinit cpu_init(void)
9550 cpu = stack_smp_processor_id();
9551 - t = &per_cpu(init_tss, cpu);
9552 + t = init_tss + cpu;
9553 oist = &per_cpu(orig_ist, cpu);
9556 @@ -1201,7 +1151,7 @@ void __cpuinit cpu_init(void)
9558 int cpu = smp_processor_id();
9559 struct task_struct *curr = current;
9560 - struct tss_struct *t = &per_cpu(init_tss, cpu);
9561 + struct tss_struct *t = init_tss + cpu;
9562 struct thread_struct *thread = &curr->thread;
9564 if (cpumask_test_and_set_cpu(cpu, cpu_initialized_mask)) {
9565 diff -urNp linux-2.6.33.1/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c linux-2.6.33.1/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c
9566 --- linux-2.6.33.1/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2010-03-15 12:09:39.000000000 -0400
9567 +++ linux-2.6.33.1/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2010-03-20 16:58:38.992510812 -0400
9568 @@ -523,7 +523,7 @@ static const struct dmi_system_id sw_any
9569 DMI_MATCH(DMI_PRODUCT_NAME, "X6DLP"),
9573 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
9576 static int acpi_cpufreq_blacklist(struct cpuinfo_x86 *c)
9577 diff -urNp linux-2.6.33.1/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c linux-2.6.33.1/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c
9578 --- linux-2.6.33.1/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2010-03-15 12:09:39.000000000 -0400
9579 +++ linux-2.6.33.1/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2010-03-20 16:58:38.992510812 -0400
9580 @@ -225,7 +225,7 @@ static struct cpu_model models[] =
9581 { &cpu_ids[CPU_MP4HT_D0], NULL, 0, NULL },
9582 { &cpu_ids[CPU_MP4HT_E0], NULL, 0, NULL },
9585 + { NULL, NULL, 0, NULL}
9589 diff -urNp linux-2.6.33.1/arch/x86/kernel/cpu/intel.c linux-2.6.33.1/arch/x86/kernel/cpu/intel.c
9590 --- linux-2.6.33.1/arch/x86/kernel/cpu/intel.c 2010-03-15 12:09:39.000000000 -0400
9591 +++ linux-2.6.33.1/arch/x86/kernel/cpu/intel.c 2010-03-20 16:58:38.992510812 -0400
9592 @@ -139,7 +139,7 @@ static void __cpuinit trap_init_f00f_bug
9593 * Update the IDT descriptor and reload the IDT so that
9594 * it uses the read-only mapped virtual address.
9596 - idt_descr.address = fix_to_virt(FIX_F00F_IDT);
9597 + idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
9598 load_idt(&idt_descr);
9601 diff -urNp linux-2.6.33.1/arch/x86/kernel/cpu/intel_cacheinfo.c linux-2.6.33.1/arch/x86/kernel/cpu/intel_cacheinfo.c
9602 --- linux-2.6.33.1/arch/x86/kernel/cpu/intel_cacheinfo.c 2010-03-15 12:09:39.000000000 -0400
9603 +++ linux-2.6.33.1/arch/x86/kernel/cpu/intel_cacheinfo.c 2010-03-20 16:58:38.992510812 -0400
9604 @@ -848,7 +848,7 @@ static ssize_t store(struct kobject *kob
9608 -static struct sysfs_ops sysfs_ops = {
9609 +static const struct sysfs_ops sysfs_ops = {
9613 diff -urNp linux-2.6.33.1/arch/x86/kernel/cpu/Makefile linux-2.6.33.1/arch/x86/kernel/cpu/Makefile
9614 --- linux-2.6.33.1/arch/x86/kernel/cpu/Makefile 2010-03-15 12:09:39.000000000 -0400
9615 +++ linux-2.6.33.1/arch/x86/kernel/cpu/Makefile 2010-03-20 16:58:38.992510812 -0400
9616 @@ -8,10 +8,6 @@ CFLAGS_REMOVE_common.o = -pg
9617 CFLAGS_REMOVE_perf_event.o = -pg
9620 -# Make sure load_percpu_segment has no stackprotector
9621 -nostackp := $(call cc-option, -fno-stack-protector)
9622 -CFLAGS_common.o := $(nostackp)
9624 obj-y := intel_cacheinfo.o addon_cpuid_features.o
9625 obj-y += proc.o capflags.o powerflags.o common.o
9626 obj-y += vmware.o hypervisor.o sched.o
9627 diff -urNp linux-2.6.33.1/arch/x86/kernel/cpu/mcheck/mce_amd.c linux-2.6.33.1/arch/x86/kernel/cpu/mcheck/mce_amd.c
9628 --- linux-2.6.33.1/arch/x86/kernel/cpu/mcheck/mce_amd.c 2010-03-15 12:09:39.000000000 -0400
9629 +++ linux-2.6.33.1/arch/x86/kernel/cpu/mcheck/mce_amd.c 2010-03-20 16:58:38.992510812 -0400
9630 @@ -388,7 +388,7 @@ static ssize_t store(struct kobject *kob
9634 -static struct sysfs_ops threshold_ops = {
9635 +static const struct sysfs_ops threshold_ops = {
9639 diff -urNp linux-2.6.33.1/arch/x86/kernel/cpu/mcheck/mce.c linux-2.6.33.1/arch/x86/kernel/cpu/mcheck/mce.c
9640 --- linux-2.6.33.1/arch/x86/kernel/cpu/mcheck/mce.c 2010-03-15 12:09:39.000000000 -0400
9641 +++ linux-2.6.33.1/arch/x86/kernel/cpu/mcheck/mce.c 2010-03-20 16:58:38.992510812 -0400
9642 @@ -201,7 +201,7 @@ static void print_mce(struct mce *m)
9643 !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "",
9646 - if (m->cs == __KERNEL_CS)
9647 + if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS)
9648 print_symbol("{%s}", m->ip);
9651 @@ -1444,14 +1444,14 @@ void __cpuinit mcheck_cpu_init(struct cp
9654 static DEFINE_SPINLOCK(mce_state_lock);
9655 -static int open_count; /* #times opened */
9656 +static atomic_t open_count; /* #times opened */
9657 static int open_exclu; /* already open exclusive? */
9659 static int mce_open(struct inode *inode, struct file *file)
9661 spin_lock(&mce_state_lock);
9663 - if (open_exclu || (open_count && (file->f_flags & O_EXCL))) {
9664 + if (open_exclu || (atomic_read(&open_count) && (file->f_flags & O_EXCL))) {
9665 spin_unlock(&mce_state_lock);
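Review bot: `open_count` becomes an `atomic_t`, but every access shown in this and the next two hunks (`atomic_read`, `atomic_inc`, `atomic_dec`) still sits between `spin_lock(&mce_state_lock)` and `spin_unlock(&mce_state_lock)`, so the atomic type adds no ordering the lock does not already give. If the point is to get overflow checking on the counter rather than lock-free access, the declaration should say so, e.g. `static atomic_t open_count; /* #times opened; atomic_t for overflow checking, still guarded by mce_state_lock */`. `open_exclu` next to it stays a plain `int`, which makes the asymmetry harder to read without such a note. mce_open() continues outside this hunk.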
9668 @@ -1459,7 +1459,7 @@ static int mce_open(struct inode *inode,
9670 if (file->f_flags & O_EXCL)
9673 + atomic_inc(&open_count);
9675 spin_unlock(&mce_state_lock);
9677 @@ -1470,7 +1470,7 @@ static int mce_release(struct inode *ino
9679 spin_lock(&mce_state_lock);
9682 + atomic_dec(&open_count);
9685 spin_unlock(&mce_state_lock);
9686 @@ -1610,6 +1610,7 @@ static struct miscdevice mce_log_device
9690 + {NULL, NULL}, NULL, NULL
9694 diff -urNp linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/amd.c linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/amd.c
9695 --- linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/amd.c 2010-03-15 12:09:39.000000000 -0400
9696 +++ linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/amd.c 2010-03-20 16:58:38.992510812 -0400
9697 @@ -108,7 +108,7 @@ amd_validate_add_page(unsigned long base
9701 -static struct mtrr_ops amd_mtrr_ops = {
9702 +static const struct mtrr_ops amd_mtrr_ops = {
9703 .vendor = X86_VENDOR_AMD,
9704 .set = amd_set_mtrr,
9705 .get = amd_get_mtrr,
9706 diff -urNp linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/centaur.c linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/centaur.c
9707 --- linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/centaur.c 2010-03-15 12:09:39.000000000 -0400
9708 +++ linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/centaur.c 2010-03-20 16:58:38.992510812 -0400
9709 @@ -110,7 +110,7 @@ centaur_validate_add_page(unsigned long
9713 -static struct mtrr_ops centaur_mtrr_ops = {
9714 +static const struct mtrr_ops centaur_mtrr_ops = {
9715 .vendor = X86_VENDOR_CENTAUR,
9716 .set = centaur_set_mcr,
9717 .get = centaur_get_mcr,
9718 diff -urNp linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/cyrix.c linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/cyrix.c
9719 --- linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/cyrix.c 2010-03-15 12:09:39.000000000 -0400
9720 +++ linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/cyrix.c 2010-03-20 16:58:38.992510812 -0400
9721 @@ -265,7 +265,7 @@ static void cyrix_set_all(void)
9725 -static struct mtrr_ops cyrix_mtrr_ops = {
9726 +static const struct mtrr_ops cyrix_mtrr_ops = {
9727 .vendor = X86_VENDOR_CYRIX,
9728 .set_all = cyrix_set_all,
9729 .set = cyrix_set_arr,
9730 diff -urNp linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/generic.c linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/generic.c
9731 --- linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/generic.c 2010-03-15 12:09:39.000000000 -0400
9732 +++ linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/generic.c 2010-03-20 16:58:38.992510812 -0400
9733 @@ -29,7 +29,7 @@ static struct fixed_range_block fixed_ra
9734 { MSR_MTRRfix64K_00000, 1 }, /* one 64k MTRR */
9735 { MSR_MTRRfix16K_80000, 2 }, /* two 16k MTRRs */
9736 { MSR_MTRRfix4K_C0000, 8 }, /* eight 4k MTRRs */
9741 static unsigned long smp_changes_mask;
9742 @@ -752,7 +752,7 @@ int positive_have_wrcomb(void)
9744 * Generic structure...
9746 -struct mtrr_ops generic_mtrr_ops = {
9747 +const struct mtrr_ops generic_mtrr_ops = {
9749 .set_all = generic_set_all,
9750 .get = generic_get_mtrr,
9751 diff -urNp linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/main.c linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/main.c
9752 --- linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/main.c 2010-03-15 12:09:39.000000000 -0400
9753 +++ linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/main.c 2010-03-20 16:58:38.996547732 -0400
9754 @@ -60,14 +60,14 @@ static DEFINE_MUTEX(mtrr_mutex);
9755 u64 size_or_mask, size_and_mask;
9756 static bool mtrr_aps_delayed_init;
9758 -static struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM];
9759 +static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only;
9761 -struct mtrr_ops *mtrr_if;
9762 +const struct mtrr_ops *mtrr_if;
9764 static void set_mtrr(unsigned int reg, unsigned long base,
9765 unsigned long size, mtrr_type type);
9767 -void set_mtrr_ops(struct mtrr_ops *ops)
9768 +void set_mtrr_ops(const struct mtrr_ops *ops)
9770 if (ops->vendor && ops->vendor < X86_VENDOR_NUM)
9771 mtrr_ops[ops->vendor] = ops;
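Review bot: `mtrr_ops[]` is now tagged `__read_only`, yet `set_mtrr_ops()` a few lines below still stores into it with a plain assignment and is not marked `__init`. That is only safe if every caller runs before the read-only mapping takes effect, which this hunk does not show; if so, `void __init set_mtrr_ops(const struct mtrr_ops *ops)` or a comment stating the init-only contract would make it checkable. Separately, `mtrr_if` gets a const pointee but the pointer itself stays in writable data, so the ops tables are protected while the pointer that selects one is not. If `mtrr_if` is assigned only during init, `const struct mtrr_ops *mtrr_if __read_only;` would close that gap. set_mtrr_ops's body continues outside the hunk.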
9772 diff -urNp linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/mtrr.h linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/mtrr.h
9773 --- linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/mtrr.h 2010-03-15 12:09:39.000000000 -0400
9774 +++ linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/mtrr.h 2010-03-20 16:58:38.996547732 -0400
9776 extern unsigned int mtrr_usage_table[MTRR_MAX_VAR_RANGES];
9781 - void (*set)(unsigned int reg, unsigned long base,
9783 + const u32 use_intel_if;
9784 + void (* const set)(unsigned int reg, unsigned long base,
9785 unsigned long size, mtrr_type type);
9786 - void (*set_all)(void);
9787 + void (* const set_all)(void);
9789 - void (*get)(unsigned int reg, unsigned long *base,
9790 + void (* const get)(unsigned int reg, unsigned long *base,
9791 unsigned long *size, mtrr_type *type);
9792 - int (*get_free_region)(unsigned long base, unsigned long size,
9793 + int (* const get_free_region)(unsigned long base, unsigned long size,
9795 - int (*validate_add_page)(unsigned long base, unsigned long size,
9796 + int (* const validate_add_page)(unsigned long base, unsigned long size,
9798 - int (*have_wrcomb)(void);
9799 + int (* const have_wrcomb)(void);
9802 extern int generic_get_free_region(unsigned long base, unsigned long size,
9803 @@ -32,7 +32,7 @@ extern int generic_get_free_region(unsig
9804 extern int generic_validate_add_page(unsigned long base, unsigned long size,
9807 -extern struct mtrr_ops generic_mtrr_ops;
9808 +extern const struct mtrr_ops generic_mtrr_ops;
9810 extern int positive_have_wrcomb(void);
9812 @@ -53,10 +53,10 @@ void fill_mtrr_var_range(unsigned int in
9813 u32 base_lo, u32 base_hi, u32 mask_lo, u32 mask_hi);
9814 void get_mtrr_state(void);
9816 -extern void set_mtrr_ops(struct mtrr_ops *ops);
9817 +extern void set_mtrr_ops(const struct mtrr_ops *ops);
9819 extern u64 size_or_mask, size_and_mask;
9820 -extern struct mtrr_ops *mtrr_if;
9821 +extern const struct mtrr_ops *mtrr_if;
9823 #define is_cpu(vnd) (mtrr_if && mtrr_if->vendor == X86_VENDOR_##vnd)
9824 #define use_intel() (mtrr_if && mtrr_if->use_intel_if == 1)
9825 diff -urNp linux-2.6.33.1/arch/x86/kernel/cpu/perfctr-watchdog.c linux-2.6.33.1/arch/x86/kernel/cpu/perfctr-watchdog.c
9826 --- linux-2.6.33.1/arch/x86/kernel/cpu/perfctr-watchdog.c 2010-03-15 12:09:39.000000000 -0400
9827 +++ linux-2.6.33.1/arch/x86/kernel/cpu/perfctr-watchdog.c 2010-03-20 16:58:38.996547732 -0400
9828 @@ -30,11 +30,11 @@ struct nmi_watchdog_ctlblk {
9830 /* Interface defining a CPU specific perfctr watchdog */
9832 - int (*reserve)(void);
9833 - void (*unreserve)(void);
9834 - int (*setup)(unsigned nmi_hz);
9835 - void (*rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
9836 - void (*stop)(void);
9837 + int (* const reserve)(void);
9838 + void (* const unreserve)(void);
9839 + int (* const setup)(unsigned nmi_hz);
9840 + void (* const rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
9841 + void (* const stop)(void);
9845 @@ -645,6 +645,7 @@ static const struct wd_ops p4_wd_ops = {
9846 #define ARCH_PERFMON_NMI_EVENT_SEL ARCH_PERFMON_UNHALTED_CORE_CYCLES_SEL
9847 #define ARCH_PERFMON_NMI_EVENT_UMASK ARCH_PERFMON_UNHALTED_CORE_CYCLES_UMASK
9849 +/* cannot be const */
9850 static struct wd_ops intel_arch_wd_ops;
9852 static int setup_intel_arch_watchdog(unsigned nmi_hz)
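Review bot: The added `/* cannot be const */` comment says what but not why, here and again on the definition in the next hunk. The function-pointer members of `struct wd_ops` were all made `* const` at the top of this file, so the remaining reason is presumably that `setup_intel_arch_watchdog()` writes a data field of `intel_arch_wd_ops` at runtime. Naming that would let a later reader judge whether the exception still holds: `/* cannot be const: setup_intel_arch_watchdog() updates a data field at runtime */`.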
9853 @@ -697,6 +698,7 @@ static int setup_intel_arch_watchdog(uns
9857 +/* cannot be const */
9858 static struct wd_ops intel_arch_wd_ops __read_mostly = {
9859 .reserve = single_msr_reserve,
9860 .unreserve = single_msr_unreserve,
9861 diff -urNp linux-2.6.33.1/arch/x86/kernel/cpu/perf_event.c linux-2.6.33.1/arch/x86/kernel/cpu/perf_event.c
9862 --- linux-2.6.33.1/arch/x86/kernel/cpu/perf_event.c 2010-03-15 12:09:39.000000000 -0400
9863 +++ linux-2.6.33.1/arch/x86/kernel/cpu/perf_event.c 2010-03-20 16:58:38.996547732 -0400
9864 @@ -2426,7 +2426,7 @@ perf_callchain_user(struct pt_regs *regs
9867 callchain_store(entry, frame.return_address);
9868 - fp = frame.next_frame;
9869 + fp = (__force const void __user *)frame.next_frame;
9873 diff -urNp linux-2.6.33.1/arch/x86/kernel/crash.c linux-2.6.33.1/arch/x86/kernel/crash.c
9874 --- linux-2.6.33.1/arch/x86/kernel/crash.c 2010-03-15 12:09:39.000000000 -0400
9875 +++ linux-2.6.33.1/arch/x86/kernel/crash.c 2010-03-20 16:58:38.996547732 -0400
9876 @@ -41,7 +41,7 @@ static void kdump_nmi_callback(int cpu,
9879 #ifdef CONFIG_X86_32
9880 - if (!user_mode_vm(regs)) {
9881 + if (!user_mode(regs)) {
9882 crash_fixup_ss_esp(&fixed_regs, regs);
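Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` in `kdump_nmi_callback()` is only equivalent if this patch also redefines `user_mode()` to take `X86_EFLAGS_VM` into account, and that definition is not in this part of the patch. With the 32-bit mainline definition of this era, which tests only the RPL of `regs->cs`, a vm86 frame could be classified as kernel mode and reach `crash_fixup_ss_esp()`. The same substitution is made in `show_registers()` in dumpstack_32.c and in `__die()` and `die()` in dumpstack.c. A comment at the `user_mode()` definition such as `/* PaX: also true for vm86 frames, user_mode_vm() is no longer needed */` would make these call sites self-explanatory.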
9885 diff -urNp linux-2.6.33.1/arch/x86/kernel/doublefault_32.c linux-2.6.33.1/arch/x86/kernel/doublefault_32.c
9886 --- linux-2.6.33.1/arch/x86/kernel/doublefault_32.c 2010-03-15 12:09:39.000000000 -0400
9887 +++ linux-2.6.33.1/arch/x86/kernel/doublefault_32.c 2010-03-20 16:58:38.996547732 -0400
9890 #define DOUBLEFAULT_STACKSIZE (1024)
9891 static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
9892 -#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
9893 +#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
9895 #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
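Review bot: `STACK_START` now ends in a bare `-2` with no comment. Since `doublefault_stack` is an `unsigned long` array, this moves the initial stack pointer two words below the end of the array instead of one past it, presumably so that anything reading at or just above the initial stack pointer stays inside the array. I would record the intent next to the macro, e.g. `/* keep two words of headroom so reads at the initial sp stay inside doublefault_stack */`, and adjust the wording if the actual reason differs.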
9897 @@ -21,7 +21,7 @@ static void doublefault_fn(void)
9898 unsigned long gdt, tss;
9900 store_gdt(&gdt_desc);
9901 - gdt = gdt_desc.address;
9902 + gdt = (unsigned long)gdt_desc.address;
9904 printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
9906 @@ -58,10 +58,10 @@ struct tss_struct doublefault_tss __cach
9907 /* 0x2 bit is always set */
9908 .flags = X86_EFLAGS_SF | 0x2,
9911 + .es = __KERNEL_DS,
9915 + .ds = __KERNEL_DS,
9916 .fs = __KERNEL_PERCPU,
9918 .__cr3 = __pa_nodebug(swapper_pg_dir),
9919 diff -urNp linux-2.6.33.1/arch/x86/kernel/dumpstack_32.c linux-2.6.33.1/arch/x86/kernel/dumpstack_32.c
9920 --- linux-2.6.33.1/arch/x86/kernel/dumpstack_32.c 2010-03-15 12:09:39.000000000 -0400
9921 +++ linux-2.6.33.1/arch/x86/kernel/dumpstack_32.c 2010-03-20 16:58:38.996547732 -0400
9922 @@ -112,11 +112,12 @@ void show_registers(struct pt_regs *regs
9923 * When in-kernel, we also print out the stack and code at the
9924 * time of the fault..
9926 - if (!user_mode_vm(regs)) {
9927 + if (!user_mode(regs)) {
9928 unsigned int code_prologue = code_bytes * 43 / 64;
9929 unsigned int code_len = code_bytes;
9932 + unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]);
9934 printk(KERN_EMERG "Stack:\n");
9935 show_stack_log_lvl(NULL, regs, ®s->sp,
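Review bot: The new `cs_base` lookup indexes the per-CPU GDT with `(0xffff & regs->cs) >> 3` without looking at the table-indicator bit or bounding the index. This is the oops path, where `regs` may already be corrupted, so an out-of-range selector would make `get_desc_base()` read past the end of the GDT while the kernel is trying to report the fault. Bounding it is cheap: `unsigned int idx = (regs->cs & 0xffff) >> 3;` followed by `cs_base = idx < GDT_ENTRIES ? get_desc_base(&get_cpu_gdt_table(smp_processor_id())[idx]) : 0;`. The later hunks that add `cs_base` to `regs->ip` then need no change. show_registers() starts and ends outside this hunk.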
9936 @@ -124,10 +125,10 @@ void show_registers(struct pt_regs *regs
9938 printk(KERN_EMERG "Code: ");
9940 - ip = (u8 *)regs->ip - code_prologue;
9941 + ip = (u8 *)regs->ip - code_prologue + cs_base;
9942 if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) {
9943 /* try starting at IP */
9944 - ip = (u8 *)regs->ip;
9945 + ip = (u8 *)regs->ip + cs_base;
9946 code_len = code_len - code_prologue + 1;
9948 for (i = 0; i < code_len; i++, ip++) {
9949 @@ -136,7 +137,7 @@ void show_registers(struct pt_regs *regs
9950 printk(" Bad EIP value.");
9953 - if (ip == (u8 *)regs->ip)
9954 + if (ip == (u8 *)regs->ip + cs_base)
9955 printk("<%02x> ", c);
9958 @@ -149,6 +150,7 @@ int is_valid_bugaddr(unsigned long ip)
9962 + ip = ktla_ktva(ip);
9963 if (ip < PAGE_OFFSET)
9965 if (probe_kernel_address((unsigned short *)ip, ud2))
9966 diff -urNp linux-2.6.33.1/arch/x86/kernel/dumpstack.c linux-2.6.33.1/arch/x86/kernel/dumpstack.c
9967 --- linux-2.6.33.1/arch/x86/kernel/dumpstack.c 2010-03-15 12:09:39.000000000 -0400
9968 +++ linux-2.6.33.1/arch/x86/kernel/dumpstack.c 2010-03-20 16:58:38.996547732 -0400
9969 @@ -207,7 +207,7 @@ void dump_stack(void)
9972 printk("Pid: %d, comm: %.20s %s %s %.*s\n",
9973 - current->pid, current->comm, print_tainted(),
9974 + task_pid_nr(current), current->comm, print_tainted(),
9975 init_utsname()->release,
9976 (int)strcspn(init_utsname()->version, " "),
9977 init_utsname()->version);
9978 @@ -268,7 +268,7 @@ void __kprobes oops_end(unsigned long fl
9979 panic("Fatal exception in interrupt");
9981 panic("Fatal exception");
9983 + do_group_exit(signr);
9986 int __kprobes __die(const char *str, struct pt_regs *regs, long err)
9987 @@ -295,7 +295,7 @@ int __kprobes __die(const char *str, str
9989 show_registers(regs);
9990 #ifdef CONFIG_X86_32
9991 - if (user_mode_vm(regs)) {
9992 + if (user_mode(regs)) {
9994 ss = regs->ss & 0xffff;
9996 @@ -323,7 +323,7 @@ void die(const char *str, struct pt_regs
9997 unsigned long flags = oops_begin();
10000 - if (!user_mode_vm(regs))
10001 + if (!user_mode(regs))
10002 report_bug(regs->ip, regs);
10004 if (__die(str, regs, err))
10005 diff -urNp linux-2.6.33.1/arch/x86/kernel/e820.c linux-2.6.33.1/arch/x86/kernel/e820.c
10006 --- linux-2.6.33.1/arch/x86/kernel/e820.c 2010-03-15 12:09:39.000000000 -0400
10007 +++ linux-2.6.33.1/arch/x86/kernel/e820.c 2010-03-20 16:58:38.996547732 -0400
10009 #include <asm/setup.h>
10010 #include <asm/trampoline.h>
10012 +#include "acpi/realmode/wakeup.h"
10015 * The e820 map is the map that gets modified e.g. with command line parameters
10016 * and that is also registered with modifications in the kernel resource tree
10017 @@ -741,8 +743,7 @@ static struct early_res early_res[MAX_EA
10019 { PAGE_SIZE, PAGE_SIZE + PAGE_SIZE, "EX TRAMPOLINE", 1 },
10026 static int __init find_overlapped_early(u64 start, u64 end)
10027 diff -urNp linux-2.6.33.1/arch/x86/kernel/efi_32.c linux-2.6.33.1/arch/x86/kernel/efi_32.c
10028 --- linux-2.6.33.1/arch/x86/kernel/efi_32.c 2010-03-15 12:09:39.000000000 -0400
10029 +++ linux-2.6.33.1/arch/x86/kernel/efi_32.c 2010-03-20 16:58:38.996547732 -0400
10030 @@ -38,70 +38,38 @@
10033 static unsigned long efi_rt_eflags;
10034 -static pgd_t efi_bak_pg_dir_pointer[2];
10035 +static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS];
10037 -void efi_call_phys_prelog(void)
10038 +void __init efi_call_phys_prelog(void)
10040 - unsigned long cr4;
10041 - unsigned long temp;
10042 struct desc_ptr gdt_descr;
10044 local_irq_save(efi_rt_eflags);
10047 - * If I don't have PAE, I should just duplicate two entries in page
10048 - * directory. If I have PAE, I just need to duplicate one entry in
10049 - * page directory.
10051 - cr4 = read_cr4_safe();
10053 - if (cr4 & X86_CR4_PAE) {
10054 - efi_bak_pg_dir_pointer[0].pgd =
10055 - swapper_pg_dir[pgd_index(0)].pgd;
10056 - swapper_pg_dir[0].pgd =
10057 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
10059 - efi_bak_pg_dir_pointer[0].pgd =
10060 - swapper_pg_dir[pgd_index(0)].pgd;
10061 - efi_bak_pg_dir_pointer[1].pgd =
10062 - swapper_pg_dir[pgd_index(0x400000)].pgd;
10063 - swapper_pg_dir[pgd_index(0)].pgd =
10064 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
10065 - temp = PAGE_OFFSET + 0x400000;
10066 - swapper_pg_dir[pgd_index(0x400000)].pgd =
10067 - swapper_pg_dir[pgd_index(temp)].pgd;
10069 + clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
10070 + clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
10071 + min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
10074 * After the lock is released, the original page table is restored.
10078 - gdt_descr.address = __pa(get_cpu_gdt_table(0));
10079 + gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));
10080 gdt_descr.size = GDT_SIZE - 1;
10081 load_gdt(&gdt_descr);
10084 -void efi_call_phys_epilog(void)
10085 +void __init efi_call_phys_epilog(void)
10087 - unsigned long cr4;
10088 struct desc_ptr gdt_descr;
10090 - gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
10091 + gdt_descr.address = get_cpu_gdt_table(0);
10092 gdt_descr.size = GDT_SIZE - 1;
10093 load_gdt(&gdt_descr);
10095 - cr4 = read_cr4_safe();
10097 - if (cr4 & X86_CR4_PAE) {
10098 - swapper_pg_dir[pgd_index(0)].pgd =
10099 - efi_bak_pg_dir_pointer[0].pgd;
10101 - swapper_pg_dir[pgd_index(0)].pgd =
10102 - efi_bak_pg_dir_pointer[0].pgd;
10103 - swapper_pg_dir[pgd_index(0x400000)].pgd =
10104 - efi_bak_pg_dir_pointer[1].pgd;
10106 + clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
10109 * After the lock is released, the original page table is restored.
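Review bot: In `efi_call_phys_prelog()` the line `gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));` stores a physical address in a field that, judging by the cast, is now pointer-typed, and nothing marks it as not dereferenceable. A comment such as `/* physical address: loaded for the paging-off EFI call, never dereference */` would prevent a later cleanup from treating it as a normal kernel pointer; the epilog correctly assigns the virtual address without a cast. Both functions also become `__init`, so any caller that can run after init memory is freed would jump into discarded text; the callers are not visible here and should be checked for the same annotation. The backup and restore both copy `KERNEL_PGD_PTRS` entries while the overwrite copies `min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY)`, which is consistent, but a one-line comment on why the minimum is taken would help.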
10110 diff -urNp linux-2.6.33.1/arch/x86/kernel/efi_stub_32.S linux-2.6.33.1/arch/x86/kernel/efi_stub_32.S
10111 --- linux-2.6.33.1/arch/x86/kernel/efi_stub_32.S 2010-03-15 12:09:39.000000000 -0400
10112 +++ linux-2.6.33.1/arch/x86/kernel/efi_stub_32.S 2010-03-20 16:58:38.996547732 -0400
10116 #include <linux/linkage.h>
10117 +#include <linux/init.h>
10118 #include <asm/page_types.h>
10122 * service functions will comply with gcc calling convention, too.
10127 ENTRY(efi_call_phys)
10129 * 0. The function can only be called in Linux kernel. So CS has been
10130 @@ -36,9 +37,7 @@ ENTRY(efi_call_phys)
10131 * The mapping of lower virtual memory has been created in prelog and
10135 - subl $__PAGE_OFFSET, %edx
10137 + jmp 1f-__PAGE_OFFSET
10141 @@ -47,14 +46,8 @@ ENTRY(efi_call_phys)
10142 * parameter 2, ..., param n. To make things easy, we save the return
10143 * address of efi_call_phys in a global variable.
10146 - movl %edx, saved_return_addr
10147 - /* get the function pointer into ECX*/
10149 - movl %ecx, efi_rt_function_ptr
10151 - subl $__PAGE_OFFSET, %edx
10153 + popl (saved_return_addr)
10154 + popl (efi_rt_function_ptr)
10157 * 3. Clear PG bit in %CR0.
10158 @@ -73,9 +66,8 @@ ENTRY(efi_call_phys)
10160 * 5. Call the physical function.
10163 + call *(efi_rt_function_ptr-__PAGE_OFFSET)
10167 * 6. After EFI runtime service returns, control will return to
10168 * following instruction. We'd better readjust stack pointer first.
10169 @@ -88,35 +80,28 @@ ENTRY(efi_call_phys)
10171 orl $0x80000000, %edx
10177 * 8. Now restore the virtual mode from flat mode by
10178 * adding EIP with PAGE_OFFSET.
10182 + jmp 1f+__PAGE_OFFSET
10186 * 9. Balance the stack. And because EAX contain the return value,
10187 * we'd better not clobber it.
10189 - leal efi_rt_function_ptr, %edx
10190 - movl (%edx), %ecx
10192 + pushl (efi_rt_function_ptr)
10195 - * 10. Push the saved return address onto the stack and return.
10196 + * 10. Return to the saved return address.
10198 - leal saved_return_addr, %edx
10199 - movl (%edx), %ecx
10202 + jmpl *(saved_return_addr)
10203 ENDPROC(efi_call_phys)
10210 efi_rt_function_ptr:
10211 diff -urNp linux-2.6.33.1/arch/x86/kernel/entry_32.S linux-2.6.33.1/arch/x86/kernel/entry_32.S
10212 --- linux-2.6.33.1/arch/x86/kernel/entry_32.S 2010-03-15 12:09:39.000000000 -0400
10213 +++ linux-2.6.33.1/arch/x86/kernel/entry_32.S 2010-03-20 16:58:39.000574964 -0400
10214 @@ -191,7 +191,7 @@
10216 #endif /* CONFIG_X86_32_LAZY_GS */
10219 +.macro __SAVE_ALL _DS
10223 @@ -224,7 +224,7 @@
10225 CFI_ADJUST_CFA_OFFSET 4
10226 CFI_REL_OFFSET ebx, 0
10227 - movl $(__USER_DS), %edx
10231 movl $(__KERNEL_PERCPU), %edx
10232 @@ -232,6 +232,15 @@
10237 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
10238 + __SAVE_ALL __KERNEL_DS
10241 + __SAVE_ALL __USER_DS
10245 .macro RESTORE_INT_REGS
10247 CFI_ADJUST_CFA_OFFSET -4
10248 @@ -356,7 +365,15 @@ check_userspace:
10249 movb PT_CS(%esp), %al
10250 andl $(X86_EFLAGS_VM | SEGMENT_RPL_MASK), %eax
10251 cmpl $USER_RPL, %eax
10253 +#ifdef CONFIG_PAX_KERNEXEC
10254 + jae resume_userspace
10257 + jmp resume_kernel
10259 jb resume_kernel # not returning to v8086 or userspace
10262 ENTRY(resume_userspace)
10264 @@ -422,10 +439,9 @@ sysenter_past_esp:
10265 /*CFI_REL_OFFSET cs, 0*/
10267 * Push current_thread_info()->sysenter_return to the stack.
10268 - * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
10269 - * pushed above; +8 corresponds to copy_thread's esp0 setting.
10271 - pushl (TI_sysenter_return-THREAD_SIZE+8+4*4)(%esp)
10272 + GET_THREAD_INFO(%ebp)
10273 + pushl TI_sysenter_return(%ebp)
10274 CFI_ADJUST_CFA_OFFSET 4
10275 CFI_REL_OFFSET eip, 0
10277 @@ -438,9 +454,19 @@ sysenter_past_esp:
10278 * Load the potential sixth argument from user stack.
10279 * Careful about security.
10281 + movl PT_OLDESP(%esp),%ebp
10283 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10284 + mov PT_OLDSS(%esp),%ds
10285 +1: movl %ds:(%ebp),%ebp
10289 cmpl $__PAGE_OFFSET-3,%ebp
10291 1: movl (%ebp),%ebp
10294 movl %ebp,PT_EBP(%esp)
10295 .section __ex_table,"a"
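Review bot: Under CONFIG_PAX_MEMORY_UDEREF the sixth-argument load appears to skip the `cmpl $__PAGE_OFFSET-3,%ebp` range check and instead reads through the saved user SS selector (`mov PT_OLDSS(%esp),%ds`, then `1: movl %ds:(%ebp),%ebp`). The surviving "Careful about security" comment does not say that the segment limit is now the bound. A comment on the new branch would record this, e.g. `/* UDEREF: the saved user SS limit bounds this load, so no __PAGE_OFFSET compare */`. Several lines of this hunk are missing from the listing, so please confirm that %ds is set back to a kernel selector on both the normal path and the __ex_table fixup path before any other memory access.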
10297 @@ -463,12 +489,23 @@ sysenter_do_call:
10298 testl $_TIF_ALLWORK_MASK, %ecx
10302 +#ifdef CONFIG_PAX_RANDKSTACK
10304 + CFI_ADJUST_CFA_OFFSET 4
10305 + call pax_randomize_kstack
10307 + CFI_ADJUST_CFA_OFFSET -4
10310 /* if something modifies registers it must also disable sysexit */
10311 movl PT_EIP(%esp), %edx
10312 movl PT_OLDESP(%esp), %ecx
10315 1: mov PT_FS(%esp), %fs
10316 +2: mov PT_DS(%esp), %ds
10317 +3: mov PT_ES(%esp), %es
10319 ENABLE_INTERRUPTS_SYSEXIT
10321 @@ -512,11 +549,17 @@ sysexit_audit:
10324 .pushsection .fixup,"ax"
10325 -2: movl $0,PT_FS(%esp)
10326 +4: movl $0,PT_FS(%esp)
10328 +5: movl $0,PT_DS(%esp)
10330 +6: movl $0,PT_ES(%esp)
10332 .section __ex_table,"a"
10340 ENDPROC(ia32_sysenter_target)
10341 @@ -550,6 +593,10 @@ syscall_exit:
10342 testl $_TIF_ALLWORK_MASK, %ecx # current->work
10343 jne syscall_exit_work
10345 +#ifdef CONFIG_PAX_RANDKSTACK
10346 + call pax_randomize_kstack
10351 restore_all_notrace:
10352 @@ -614,7 +661,13 @@ ldt_ss:
10353 mov PT_OLDESP(%esp), %eax /* load userspace esp */
10354 mov %dx, %ax /* eax: new kernel esp */
10355 sub %eax, %edx /* offset (low word is 0) */
10356 - PER_CPU(gdt_page, %ebx)
10358 + movl PER_CPU_VAR(cpu_number), %ebx
10359 + shll $PAGE_SHIFT_asm, %ebx
10360 + addl $cpu_gdt_table, %ebx
10362 + movl $cpu_gdt_table, %ebx
10365 mov %dl, GDT_ENTRY_ESPFIX_SS * 8 + 4(%ebx) /* bits 16..23 */
10366 mov %dh, GDT_ENTRY_ESPFIX_SS * 8 + 7(%ebx) /* bits 24..31 */
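Review bot: The sequence that derives this CPU's GDT address (`movl PER_CPU_VAR(cpu_number), %ebx` / `shll $PAGE_SHIFT_asm, %ebx` / `addl $cpu_gdt_table, %ebx`) is open-coded here in ldt_ss and again in the @@ -790,7 +841,13 @@ hunk, where the removed code was a single `PER_CPU(gdt_page, %ebx)`. It depends on every CPU's GDT occupying exactly one page of cpu_gdt_table, so a layout change would have to be made in both places. I would wrap it in one assembler macro next to the other entry macros and state the stride assumption there, e.g. `/* cpu_gdt_table holds one page-sized GDT per CPU, indexed by cpu_number */`. The conditional lines that select between the indexed form and the plain `movl $cpu_gdt_table, %ebx` are not visible in this listing, so the macro would have to keep that condition.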
10367 @@ -654,25 +707,19 @@ work_resched:
10369 work_notifysig: # deal with pending signals and
10370 # notify-resume requests
10373 testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
10375 - jne work_notifysig_v86 # returning to kernel-space or
10376 + jz 1f # returning to kernel-space or
10379 - call do_notify_resume
10380 - jmp resume_userspace_sig
10383 -work_notifysig_v86:
10384 pushl %ecx # save ti_flags for do_notify_resume
10385 CFI_ADJUST_CFA_OFFSET 4
10386 call save_v86_state # %eax contains pt_regs pointer
10388 CFI_ADJUST_CFA_OFFSET -4
10395 call do_notify_resume
10396 @@ -707,6 +754,10 @@ END(syscall_exit_work)
10398 RING0_INT_FRAME # can't unwind into user space anyway
10400 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10404 GET_THREAD_INFO(%ebp)
10405 movl $-EFAULT,PT_EAX(%esp)
10406 jmp resume_userspace
10407 @@ -790,7 +841,13 @@ ptregs_clone:
10408 * normal stack and adjusts ESP with the matching offset.
10410 /* fixup the stack */
10411 - PER_CPU(gdt_page, %ebx)
10413 + movl PER_CPU_VAR(cpu_number), %ebx
10414 + shll $PAGE_SHIFT_asm, %ebx
10415 + addl $cpu_gdt_table, %ebx
10417 + movl $cpu_gdt_table, %ebx
10419 mov GDT_ENTRY_ESPFIX_SS * 8 + 4(%ebx), %al /* bits 16..23 */
10420 mov GDT_ENTRY_ESPFIX_SS * 8 + 7(%ebx), %ah /* bits 24..31 */
10422 @@ -1254,7 +1311,6 @@ return_to_handler:
10426 -.section .rodata,"a"
10427 #include "syscall_table_32.S"
10429 syscall_table_size=(.-sys_call_table)
10430 @@ -1306,12 +1362,15 @@ error_code:
10432 UNWIND_ESPFIX_STACK
10437 movl PT_GS(%esp), %edi # get the function address
10438 movl PT_ORIG_EAX(%esp), %edx # get the error code
10439 movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
10442 - movl $(__USER_DS), %ecx
10443 + movl $(__KERNEL_DS), %ecx
10447 @@ -1407,6 +1466,9 @@ nmi_stack_correct:
10448 xorl %edx,%edx # zero error code
10449 movl %esp,%eax # pt_regs pointer
10454 jmp restore_all_notrace
10457 @@ -1447,6 +1509,9 @@ nmi_espfix_stack:
10458 FIXUP_ESPFIX_STACK # %eax == %esp
10459 xorl %edx,%edx # zero error code
10465 lss 12+4(%esp), %esp # back to espfix stack
10466 CFI_ADJUST_CFA_OFFSET -24
10467 diff -urNp linux-2.6.33.1/arch/x86/kernel/entry_64.S linux-2.6.33.1/arch/x86/kernel/entry_64.S
10468 --- linux-2.6.33.1/arch/x86/kernel/entry_64.S 2010-03-15 12:09:39.000000000 -0400
10469 +++ linux-2.6.33.1/arch/x86/kernel/entry_64.S 2010-03-20 16:58:39.000574964 -0400
10471 #include <asm/paravirt.h>
10472 #include <asm/ftrace.h>
10473 #include <asm/percpu.h>
10474 +#include <asm/pgtable.h>
10476 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
10477 #include <linux/elf-em.h>
10478 @@ -800,6 +801,7 @@ END(interrupt)
10479 CFI_ADJUST_CFA_OFFSET 10*8
10486 @@ -825,6 +827,7 @@ ret_from_intr:
10487 CFI_DEF_CFA_REGISTER rsp
10488 CFI_ADJUST_CFA_OFFSET -8
10491 GET_THREAD_INFO(%rcx)
10492 testl $3,CS-ARGOFFSET(%rsp)
10494 @@ -1040,6 +1043,7 @@ ENTRY(\sym)
10495 CFI_ADJUST_CFA_OFFSET 15*8
10499 movq %rsp,%rdi /* pt_regs pointer */
10500 xorl %esi,%esi /* no error code */
10502 @@ -1057,6 +1061,7 @@ ENTRY(\sym)
10507 movq %rsp,%rdi /* pt_regs pointer */
10508 xorl %esi,%esi /* no error code */
10510 @@ -1074,9 +1079,15 @@ ENTRY(\sym)
10515 movq %rsp,%rdi /* pt_regs pointer */
10516 xorl %esi,%esi /* no error code */
10517 - PER_CPU(init_tss, %r12)
10519 + imul $TSS_size, PER_CPU_VAR(cpu_number), %r12d
10520 + lea init_tss(%r12), %r12
10522 + lea init_tss(%rip), %r12
10524 subq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%r12)
10526 addq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%r12)
10527 @@ -1093,6 +1104,7 @@ ENTRY(\sym)
10528 CFI_ADJUST_CFA_OFFSET 15*8
10532 movq %rsp,%rdi /* pt_regs pointer */
10533 movq ORIG_RAX(%rsp),%rsi /* get error code */
10534 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
10535 @@ -1112,6 +1124,7 @@ ENTRY(\sym)
10540 movq %rsp,%rdi /* pt_regs pointer */
10541 movq ORIG_RAX(%rsp),%rsi /* get error code */
10542 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
10543 @@ -1373,11 +1386,13 @@ ENTRY(paranoid_exit)
10545 jnz paranoid_userspace
10549 SWAPGS_UNSAFE_STACK
10557 @@ -1499,6 +1514,7 @@ ENTRY(nmi)
10558 CFI_ADJUST_CFA_OFFSET 15*8
10562 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
10565 @@ -1514,6 +1530,7 @@ ENTRY(nmi)
10567 SWAPGS_UNSAFE_STACK
10573 diff -urNp linux-2.6.33.1/arch/x86/kernel/ftrace.c linux-2.6.33.1/arch/x86/kernel/ftrace.c
10574 --- linux-2.6.33.1/arch/x86/kernel/ftrace.c 2010-03-15 12:09:39.000000000 -0400
10575 +++ linux-2.6.33.1/arch/x86/kernel/ftrace.c 2010-03-20 16:58:39.000574964 -0400
10576 @@ -151,7 +151,9 @@ void ftrace_nmi_enter(void)
10578 if (atomic_inc_return(&nmi_running) & MOD_CODE_WRITE_FLAG) {
10580 + pax_open_kernel();
10582 + pax_close_kernel();
10583 atomic_inc(&nmi_update_count);
10585 /* Must have previous changes seen before executions */
10586 @@ -234,7 +236,7 @@ do_ftrace_mod_code(unsigned long ip, voi
10590 -static unsigned char ftrace_nop[MCOUNT_INSN_SIZE];
10591 +static unsigned char ftrace_nop[MCOUNT_INSN_SIZE] __read_only;
10593 static unsigned char *ftrace_nop_replace(void)
10595 @@ -247,6 +249,8 @@ ftrace_modify_code(unsigned long ip, uns
10597 unsigned char replaced[MCOUNT_INSN_SIZE];
10599 + ip = ktla_ktva(ip);
10602 * Note: Due to modules and __init, code can
10603 * disappear and change, we need to protect against faulting
10604 @@ -303,7 +307,7 @@ int ftrace_update_ftrace_func(ftrace_fun
10605 unsigned char old[MCOUNT_INSN_SIZE], *new;
10608 - memcpy(old, &ftrace_call, MCOUNT_INSN_SIZE);
10609 + memcpy(old, (void *)ktla_ktva((unsigned long)ftrace_call), MCOUNT_INSN_SIZE);
10610 new = ftrace_call_replace(ip, (unsigned long)func);
10611 ret = ftrace_modify_code(ip, old, new);
10613 @@ -356,15 +360,15 @@ int __init ftrace_dyn_arch_init(void *da
10616 pr_info("converting mcount calls to 0f 1f 44 00 00\n");
10617 - memcpy(ftrace_nop, ftrace_test_p6nop, MCOUNT_INSN_SIZE);
10618 + memcpy(ftrace_nop, ktla_ktva(ftrace_test_p6nop), MCOUNT_INSN_SIZE);
10621 pr_info("converting mcount calls to 66 66 66 66 90\n");
10622 - memcpy(ftrace_nop, ftrace_test_nop5, MCOUNT_INSN_SIZE);
10623 + memcpy(ftrace_nop, ktla_ktva(ftrace_test_nop5), MCOUNT_INSN_SIZE);
10626 pr_info("converting mcount calls to jmp . + 5\n");
10627 - memcpy(ftrace_nop, ftrace_test_jmp, MCOUNT_INSN_SIZE);
10628 + memcpy(ftrace_nop, ktla_ktva(ftrace_test_jmp), MCOUNT_INSN_SIZE);
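Review bot: `ftrace_nop` becomes `__read_only` in the @@ -234,7 +236,7 @@ hunk, yet the three `memcpy(ftrace_nop, ...)` calls here in ftrace_dyn_arch_init still write to it without the `pax_open_kernel()` / `pax_close_kernel()` pair that the ftrace_nmi_enter hunk adds. The hunk header (15 old lines, 15 new) confirms that nothing was added beyond the three replaced lines. If read-only data is already write-protected when this __init function runs, which cannot be determined from this page, the copies would fault. Otherwise a comment such as `/* __read_only data is still writable this early in boot */` would record why no bracket is needed. The function body extends outside the hunk.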
10632 @@ -385,6 +389,8 @@ static int ftrace_mod_jmp(unsigned long
10634 unsigned char code[MCOUNT_INSN_SIZE];
10636 + ip = ktla_ktva(ip);
10638 if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE))
10641 diff -urNp linux-2.6.33.1/arch/x86/kernel/head32.c linux-2.6.33.1/arch/x86/kernel/head32.c
10642 --- linux-2.6.33.1/arch/x86/kernel/head32.c 2010-03-15 12:09:39.000000000 -0400
10643 +++ linux-2.6.33.1/arch/x86/kernel/head32.c 2010-03-20 16:58:39.000574964 -0400
10645 #include <asm/apic.h>
10646 #include <asm/io_apic.h>
10647 #include <asm/bios_ebda.h>
10648 +#include <asm/boot.h>
10650 static void __init i386_default_early_setup(void)
10652 @@ -29,7 +30,7 @@ static void __init i386_default_early_se
10654 void __init i386_start_kernel(void)
10656 - reserve_early(__pa_symbol(&_text), __pa_symbol(&__bss_stop), "TEXT DATA BSS");
10657 + reserve_early(LOAD_PHYSICAL_ADDR, __pa_symbol(&__bss_stop), "TEXT DATA BSS");
10659 #ifdef CONFIG_BLK_DEV_INITRD
10660 /* Reserve INITRD */
10661 diff -urNp linux-2.6.33.1/arch/x86/kernel/head_32.S linux-2.6.33.1/arch/x86/kernel/head_32.S
10662 --- linux-2.6.33.1/arch/x86/kernel/head_32.S 2010-03-15 12:09:39.000000000 -0400
10663 +++ linux-2.6.33.1/arch/x86/kernel/head_32.S 2010-03-20 16:58:39.000574964 -0400
10664 @@ -21,10 +21,17 @@
10665 #include <asm/msr-index.h>
10666 #include <asm/cpufeature.h>
10667 #include <asm/percpu.h>
10668 +#include <asm/msr-index.h>
10670 /* Physical address */
10671 #define pa(X) ((X) - __PAGE_OFFSET)
10673 +#ifdef CONFIG_PAX_KERNEXEC
10676 +#define ta(X) ((X) - __PAGE_OFFSET)
10680 * References to members of the new_cpu_data structure.
10683 * and small than max_low_pfn, otherwise will waste some page table entries
10686 -#if PTRS_PER_PMD > 1
10687 -#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD)
10689 -#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD)
10691 +#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)
10693 /* Enough space to fit pagetables for the low memory linear map */
10694 MAPPING_BEYOND_END = \
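Review bot: The added `#include <asm/msr-index.h>` at the top of this hunk duplicates the context line three lines above it, which already includes the same header, so the added line can simply be dropped. The new `ta(X)` macro also has no comment, while `pa(X)` directly above carries `/* Physical address */`. A one-line comment saying which address space `ta()` yields in each configuration would help, since only one of its two definitions is visible in this listing.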
10695 @@ -75,6 +78,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_P
10696 RESERVE_BRK(pagetables, INIT_MAP_SIZE)
10699 + * Real beginning of normal "text" segment
10705 * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
10706 * %esi points to the real-mode code as a 32-bit pointer.
10707 * CS and DS must be 4 GB flat segments, but we don't depend on
10708 @@ -82,6 +91,13 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE)
10713 +#ifdef CONFIG_PAX_KERNEXEC
10715 +/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
10716 +.fill PAGE_SIZE-5,1,0xcc
10720 /* test KEEP_SEGMENTS flag to see if the bootloader is asking
10721 us to not reload segments */
10722 @@ -99,6 +115,55 @@ ENTRY(startup_32)
10727 + movl $pa(cpu_gdt_table),%edi
10728 + movl $__per_cpu_load,%eax
10729 + movw %ax,__KERNEL_PERCPU + 2(%edi)
10731 + movb %al,__KERNEL_PERCPU + 4(%edi)
10732 + movb %ah,__KERNEL_PERCPU + 7(%edi)
10733 + movl $__per_cpu_end - 1,%eax
10734 + subl $__per_cpu_start,%eax
10735 + movw %ax,__KERNEL_PERCPU + 0(%edi)
10738 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10739 + movl $NR_CPUS,%ecx
10740 + movl $pa(cpu_gdt_table),%edi
10742 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)
10743 + addl $PAGE_SIZE_asm,%edi
10747 +#ifdef CONFIG_PAX_KERNEXEC
10748 + movl $pa(boot_gdt),%edi
10749 + movl $__LOAD_PHYSICAL_ADDR,%eax
10750 + movw %ax,__BOOT_CS + 2(%edi)
10752 + movb %al,__BOOT_CS + 4(%edi)
10753 + movb %ah,__BOOT_CS + 7(%edi)
10756 + ljmp $(__BOOT_CS),$1f
10759 + movl $NR_CPUS,%ecx
10760 + movl $pa(cpu_gdt_table),%edi
10761 + addl $__PAGE_OFFSET,%eax
10763 + movw %ax,__KERNEL_CS + 2(%edi)
10764 + movw %ax,__KERNEXEC_KERNEL_CS + 2(%edi)
10766 + movb %al,__KERNEL_CS + 4(%edi)
10767 + movb %al,__KERNEXEC_KERNEL_CS + 4(%edi)
10768 + movb %ah,__KERNEL_CS + 7(%edi)
10769 + movb %ah,__KERNEXEC_KERNEL_CS + 7(%edi)
10771 + addl $PAGE_SIZE_asm,%edi
10776 * Clear BSS first so that there are no surprises...
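Review bot: The descriptor word written to GDT_ENTRY_KERNEL_DS under CONFIG_PAX_MEMORY_UDEREF, `$((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700)`, is undocumented and carries only the top nibble of `__PAGE_OFFSET-1` into limit bits 19:16. The low limit bits stay at the 0xffff of the table's kernel data entry, so the resulting limit is exact only when __PAGE_OFFSET is 256 MiB aligned. Any Kconfig restriction on the split is not visible here. I would add a comment above the loop, e.g. `/* kernel DS: expand-down data segment whose limit ends just below __PAGE_OFFSET; assumes a 256MB-aligned split */`, and ideally a build-time check of that alignment.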
10778 @@ -142,9 +207,7 @@ ENTRY(startup_32)
10779 cmpl $num_subarch_entries, %eax
10782 - movl pa(subarch_entries)(,%eax,4), %eax
10783 - subl $__PAGE_OFFSET, %eax
10785 + jmp *pa(subarch_entries)(,%eax,4)
10789 @@ -156,10 +219,10 @@ WEAK(xen_entry)
10793 - .long default_entry /* normal x86/PC */
10794 - .long lguest_entry /* lguest hypervisor */
10795 - .long xen_entry /* Xen hypervisor */
10796 - .long default_entry /* Moorestown MID */
10797 + .long ta(default_entry) /* normal x86/PC */
10798 + .long ta(lguest_entry) /* lguest hypervisor */
10799 + .long ta(xen_entry) /* Xen hypervisor */
10800 + .long ta(default_entry) /* Moorestown MID */
10801 num_subarch_entries = (. - subarch_entries) / 4
10803 #endif /* CONFIG_PARAVIRT */
10804 @@ -220,8 +283,11 @@ default_entry:
10805 movl %eax, pa(max_pfn_mapped)
10807 /* Do early initialization of the fixmap area */
10808 - movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,%eax
10809 - movl %eax,pa(swapper_pg_pmd+0x1000*KPMDS-8)
10810 +#ifdef CONFIG_COMPAT_VDSO
10811 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(swapper_pg_pmd+0x1000*KPMDS-8)
10813 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,pa(swapper_pg_pmd+0x1000*KPMDS-8)
10815 #else /* Not PAE */
10817 page_pde_offset = (__PAGE_OFFSET >> 20);
10818 @@ -251,8 +317,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
10819 movl %eax, pa(max_pfn_mapped)
10821 /* Do early initialization of the fixmap area */
10822 - movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,%eax
10823 - movl %eax,pa(swapper_pg_dir+0xffc)
10824 +#ifdef CONFIG_COMPAT_VDSO
10825 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(swapper_pg_dir+0xffc)
10827 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,pa(swapper_pg_dir+0xffc)
10832 @@ -299,6 +368,7 @@ ENTRY(startup_32_smp)
10836 +#ifdef CONFIG_X86_PAE
10837 testb $X86_CR4_PAE, %al # check if PAE is enabled
10840 @@ -323,6 +393,9 @@ ENTRY(startup_32_smp)
10841 /* Make changes effective */
10844 + btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
10850 @@ -348,9 +421,7 @@ ENTRY(startup_32_smp)
10854 - jz 1f /* Initial CPU cleans BSS */
10857 + jnz checkCPUtype /* Initial CPU cleans BSS */
10858 #endif /* CONFIG_SMP */
10861 @@ -428,7 +499,7 @@ is386: movl $2,%ecx # set MP
10862 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
10863 movl %eax,%ss # after changing gdt.
10865 - movl $(__USER_DS),%eax # DS/ES contains default USER segment
10866 +# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment
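Review bot: The replacement line in this segment-reload sequence is a commented-out instruction (`# movl $(__KERNEL_DS),%eax`), which leaves dead code and hides the fact that DS/ES are now loaded from whatever %eax already holds. Going by the context line `1: movl $(__KERNEL_DS),%eax` above, that value is __KERNEL_DS, provided nothing in between changes %eax (one line is missing from this listing). I would replace it with a real comment, e.g. `/* %eax still holds __KERNEL_DS from above: DS/ES use the kernel segment */`.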
10870 @@ -442,8 +513,11 @@ is386: movl $2,%ecx # set MP
10874 - movl $per_cpu__gdt_page,%eax
10875 + movl $cpu_gdt_table,%eax
10876 movl $per_cpu__stack_canary,%ecx
10878 + addl $__per_cpu_load,%ecx
10880 movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax)
10882 movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax)
10883 @@ -461,10 +535,6 @@ is386: movl $2,%ecx # set MP
10887 - cmpb $0,%cl # the first CPU calls start_kernel
10889 - movl (stack_start), %esp
10891 #endif /* CONFIG_SMP */
10892 jmp *(initial_code)
10894 @@ -550,22 +620,22 @@ early_page_fault:
10899 #ifdef CONFIG_PRINTK
10900 + cmpl $1,%ss:early_recursion_flag
10902 + incl %ss:early_recursion_flag
10905 movl $(__KERNEL_DS),%eax
10908 - cmpl $2,early_recursion_flag
10910 - incl early_recursion_flag
10913 pushl %edx /* trapno */
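Review bot: The recursion guard moved to the top of this handler now compares against 1 (`cmpl $1,%ss:early_recursion_flag`), whereas the line it replaces compared against 2 and the equivalent move in ignore_int (@@ -573,8 +643,11 @@) keeps `cmpl $2`. If the lower threshold is intended, it needs a comment explaining why the two handlers differ; if not, the line should read `cmpl $2,%ss:early_recursion_flag`. The `%ss:` override is presumably needed because the check now runs before DS is reloaded with __KERNEL_DS, which is also worth a short comment.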
10922 @@ -573,8 +643,11 @@ hlt_loop:
10923 /* This is the default interrupt "handler" :-) */
10927 #ifdef CONFIG_PRINTK
10928 + cmpl $2,%ss:early_recursion_flag
10930 + incl %ss:early_recursion_flag
10935 @@ -583,9 +656,6 @@ ignore_int:
10936 movl $(__KERNEL_DS),%eax
10939 - cmpl $2,early_recursion_flag
10941 - incl early_recursion_flag
10945 @@ -612,27 +682,37 @@ ENTRY(initial_code)
10949 -__PAGE_ALIGNED_BSS
10950 - .align PAGE_SIZE_asm
10951 #ifdef CONFIG_X86_PAE
10952 +.section .swapper_pg_pmd,"a",@progbits
10954 .fill 1024*KPMDS,4,0
10956 +.section .swapper_pg_dir,"a",@progbits
10957 ENTRY(swapper_pg_dir)
10964 +.section .empty_zero_page,"a",@progbits
10965 ENTRY(empty_zero_page)
10969 + * The IDT has to be page-aligned to simplify the Pentium
10970 + * F0 0F bug workaround.. We have a special link segment
10973 +.section .idt,"a",@progbits
10978 * This starts the data section.
10980 #ifdef CONFIG_X86_PAE
10981 -__PAGE_ALIGNED_DATA
10982 - /* Page-aligned for the benefit of paravirt? */
10983 - .align PAGE_SIZE_asm
10984 +.section .swapper_pg_dir,"a",@progbits
10985 ENTRY(swapper_pg_dir)
10986 .long pa(swapper_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */
10988 @@ -655,11 +735,12 @@ ENTRY(swapper_pg_dir)
10992 - .long init_thread_union+THREAD_SIZE
10993 + .long init_thread_union+THREAD_SIZE-8
10998 +.section .rodata,"a",@progbits
10999 early_recursion_flag:
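Review bot: `early_recursion_flag` is incremented by both early handlers (`incl %ss:early_recursion_flag` in the @@ -550,22 +620,22 @@ and @@ -573,8 +643,11 @@ hunks), yet this hunk emits it directly after `.section .rodata,"a",@progbits`. That works only while .rodata is still writable. If one of these handlers can still run after read-only protection is applied, the `incl` would itself fault inside the fault handler. Either keep the flag in a writable section or add a comment stating that these handlers are only installed before write protection takes effect; which of the two holds cannot be told from this page.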
11002 @@ -695,7 +776,7 @@ fault_msg:
11003 .word 0 # 32 bit align gdt_desc.address
11006 - .long boot_gdt - __PAGE_OFFSET
11007 + .long pa(boot_gdt)
11009 .word 0 # 32-bit align idt_desc.address
11011 @@ -706,7 +787,7 @@ idt_descr:
11012 .word 0 # 32 bit align gdt_desc.address
11013 ENTRY(early_gdt_descr)
11014 .word GDT_ENTRIES*8-1
11015 - .long per_cpu__gdt_page /* Overwritten for secondary CPUs */
11016 + .long cpu_gdt_table /* Overwritten for secondary CPUs */
11019 * The boot_gdt must mirror the equivalent in setup.S and is
11020 @@ -715,5 +796,65 @@ ENTRY(early_gdt_descr)
11021 .align L1_CACHE_BYTES
11023 .fill GDT_ENTRY_BOOT_CS,8,0
11024 - .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
11025 - .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
11026 + .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
11027 + .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
11029 + .align PAGE_SIZE_asm
11030 +ENTRY(cpu_gdt_table)
11032 + .quad 0x0000000000000000 /* NULL descriptor */
11033 + .quad 0x0000000000000000 /* 0x0b reserved */
11034 + .quad 0x0000000000000000 /* 0x13 reserved */
11035 + .quad 0x0000000000000000 /* 0x1b reserved */
11037 +#ifdef CONFIG_PAX_KERNEXEC
11038 + .quad 0x00cf9b000000ffff /* 0x20 alternate kernel 4GB code at 0x00000000 */
11040 + .quad 0x0000000000000000 /* 0x20 unused */
11043 + .quad 0x0000000000000000 /* 0x28 unused */
11044 + .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
11045 + .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
11046 + .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
11047 + .quad 0x0000000000000000 /* 0x4b reserved */
11048 + .quad 0x0000000000000000 /* 0x53 reserved */
11049 + .quad 0x0000000000000000 /* 0x5b reserved */
11051 + .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
11052 + .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
11053 + .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
11054 + .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
11056 + .quad 0x0000000000000000 /* 0x80 TSS descriptor */
11057 + .quad 0x0000000000000000 /* 0x88 LDT descriptor */
11060 + * Segments used for calling PnP BIOS have byte granularity.
11061 + * The code segments and data segments have fixed 64k limits,
11062 + * the transfer segment sizes are set at run time.
11064 + .quad 0x00409b000000ffff /* 0x90 32-bit code */
11065 + .quad 0x00009b000000ffff /* 0x98 16-bit code */
11066 + .quad 0x000093000000ffff /* 0xa0 16-bit data */
11067 + .quad 0x0000930000000000 /* 0xa8 16-bit data */
11068 + .quad 0x0000930000000000 /* 0xb0 16-bit data */
11071 + * The APM segments have byte granularity and their bases
11072 + * are set at run time. All have 64k limits.
11074 + .quad 0x00409b000000ffff /* 0xb8 APM CS code */
11075 + .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
11076 + .quad 0x004093000000ffff /* 0xc8 APM DS data */
11078 + .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
11079 + .quad 0x0040930000000000 /* 0xd8 - PERCPU */
11080 + .quad 0x0040910000000018 /* 0xe0 - STACK_CANARY */
11081 + .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
11082 + .quad 0x0000000000000000 /* 0xf0 - PCIBIOS_DS */
11083 + .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
11085 + /* Be sure this is zeroed to avoid false validations in Xen */
11086 + .fill PAGE_SIZE_asm - GDT_SIZE,1,0
11088 diff -urNp linux-2.6.33.1/arch/x86/kernel/head_64.S linux-2.6.33.1/arch/x86/kernel/head_64.S
11089 --- linux-2.6.33.1/arch/x86/kernel/head_64.S 2010-03-15 12:09:39.000000000 -0400
11090 +++ linux-2.6.33.1/arch/x86/kernel/head_64.S 2010-03-20 16:58:39.000574964 -0400
11092 #include <asm/cache.h>
11093 #include <asm/processor-flags.h>
11094 #include <asm/percpu.h>
11095 +#include <asm/cpufeature.h>
11097 #ifdef CONFIG_PARAVIRT
11098 #include <asm/asm-offsets.h>
11099 @@ -38,6 +39,10 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET
11100 L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
11101 L4_START_KERNEL = pgd_index(__START_KERNEL_map)
11102 L3_START_KERNEL = pud_index(__START_KERNEL_map)
11103 +L4_VMALLOC_START = pgd_index(VMALLOC_START)
11104 +L3_VMALLOC_START = pud_index(VMALLOC_START)
11105 +L4_VMEMMAP_START = pgd_index(VMEMMAP_START)
11106 +L3_VMEMMAP_START = pud_index(VMEMMAP_START)
11110 @@ -85,35 +90,22 @@ startup_64:
11112 addq %rbp, init_level4_pgt + 0(%rip)
11113 addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
11114 + addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
11115 + addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
11116 addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
11118 addq %rbp, level3_ident_pgt + 0(%rip)
11119 +#ifndef CONFIG_XEN
11120 + addq %rbp, level3_ident_pgt + 8(%rip)
11123 - addq %rbp, level3_kernel_pgt + (510*8)(%rip)
11124 - addq %rbp, level3_kernel_pgt + (511*8)(%rip)
11125 + addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
11127 - addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
11128 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
11129 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8+8)(%rip)
11131 - /* Add an Identity mapping if I am above 1G */
11132 - leaq _text(%rip), %rdi
11133 - andq $PMD_PAGE_MASK, %rdi
11136 - shrq $PUD_SHIFT, %rax
11137 - andq $(PTRS_PER_PUD - 1), %rax
11138 - jz ident_complete
11140 - leaq (level2_spare_pgt - __START_KERNEL_map + _KERNPG_TABLE)(%rbp), %rdx
11141 - leaq level3_ident_pgt(%rip), %rbx
11142 - movq %rdx, 0(%rbx, %rax, 8)
11145 - shrq $PMD_SHIFT, %rax
11146 - andq $(PTRS_PER_PMD - 1), %rax
11147 - leaq __PAGE_KERNEL_IDENT_LARGE_EXEC(%rdi), %rdx
11148 - leaq level2_spare_pgt(%rip), %rbx
11149 - movq %rdx, 0(%rbx, %rax, 8)
11151 + addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
11152 + addq %rbp, level2_fixmap_pgt + (507*8)(%rip)
11155 * Fixup the kernel text+data virtual addresses. Note that
11156 @@ -184,9 +176,14 @@ ENTRY(secondary_startup_64)
11157 movl $MSR_EFER, %ecx
11159 btsl $_EFER_SCE, %eax /* Enable System Call */
11160 - btl $20,%edi /* No Execute supported? */
11161 + btl $(X86_FEATURE_NX & 31),%edi /* No Execute supported? */
11163 btsl $_EFER_NX, %eax
11164 + leaq init_level4_pgt(%rip), %rdi
11165 + btsq $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi)
11166 + btsq $_PAGE_BIT_NX, 8*L4_VMALLOC_START(%rdi)
11167 + btsq $_PAGE_BIT_NX, 8*L4_VMEMMAP_START(%rdi)
11168 + btsq $_PAGE_BIT_NX, __supported_pte_mask(%rip)
11169 1: wrmsr /* Make changes effective */
11172 @@ -271,7 +268,7 @@ ENTRY(secondary_startup_64)
11176 - .section ".init.text","ax"
11178 #ifdef CONFIG_EARLY_PRINTK
11179 .globl early_idt_handlers
11180 early_idt_handlers:
11181 @@ -316,18 +313,23 @@ ENTRY(early_idt_handler)
11182 #endif /* EARLY_PRINTK */
11187 #ifdef CONFIG_EARLY_PRINTK
11189 early_recursion_flag:
11193 + .section .rodata,"a",@progbits
11195 .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
11198 -#endif /* CONFIG_EARLY_PRINTK */
11200 +#endif /* CONFIG_EARLY_PRINTK */
11202 + .section .rodata,"a",@progbits
11203 #define NEXT_PAGE(name) \
11204 .balign PAGE_SIZE; \
11206 @@ -351,13 +353,29 @@ NEXT_PAGE(init_level4_pgt)
11207 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
11208 .org init_level4_pgt + L4_PAGE_OFFSET*8, 0
11209 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
11210 + .org init_level4_pgt + L4_VMALLOC_START*8, 0
11211 + .quad level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE
11212 + .org init_level4_pgt + L4_VMEMMAP_START*8, 0
11213 + .quad level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
11214 .org init_level4_pgt + L4_START_KERNEL*8, 0
11215 /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
11216 .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
11218 NEXT_PAGE(level3_ident_pgt)
11219 .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
11223 + .quad level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
11227 +NEXT_PAGE(level3_vmalloc_pgt)
11230 +NEXT_PAGE(level3_vmemmap_pgt)
11231 + .fill L3_VMEMMAP_START,8,0
11232 + .quad level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
11234 NEXT_PAGE(level3_kernel_pgt)
11235 .fill L3_START_KERNEL,8,0
11236 @@ -365,20 +383,23 @@ NEXT_PAGE(level3_kernel_pgt)
11237 .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
11238 .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
11240 +NEXT_PAGE(level2_vmemmap_pgt)
11243 NEXT_PAGE(level2_fixmap_pgt)
11245 - .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
11246 - /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
11249 + .quad level1_vsyscall_pgt - __START_KERNEL_map + _PAGE_TABLE
11250 + /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
11253 -NEXT_PAGE(level1_fixmap_pgt)
11254 +NEXT_PAGE(level1_vsyscall_pgt)
11257 -NEXT_PAGE(level2_ident_pgt)
11258 - /* Since I easily can, map the first 1G.
11259 + /* Since I easily can, map the first 2G.
11260 * Don't set NX because code runs from these pages.
11262 - PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
11263 +NEXT_PAGE(level2_ident_pgt)
11264 + PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)
11266 NEXT_PAGE(level2_kernel_pgt)
11268 @@ -391,33 +412,55 @@ NEXT_PAGE(level2_kernel_pgt)
11269 * If you want to increase this then increase MODULES_VADDR
11272 - PMDS(0, __PAGE_KERNEL_LARGE_EXEC,
11273 - KERNEL_IMAGE_SIZE/PMD_SIZE)
11275 -NEXT_PAGE(level2_spare_pgt)
11277 + PMDS(0, __PAGE_KERNEL_LARGE_EXEC, KERNEL_IMAGE_SIZE/PMD_SIZE)
11284 +ENTRY(cpu_gdt_table)
11286 + .quad 0x0000000000000000 /* NULL descriptor */
11287 + .quad 0x00cf9b000000ffff /* __KERNEL32_CS */
11288 + .quad 0x00af9b000000ffff /* __KERNEL_CS */
11289 + .quad 0x00cf93000000ffff /* __KERNEL_DS */
11290 + .quad 0x00cffb000000ffff /* __USER32_CS */
11291 + .quad 0x00cff3000000ffff /* __USER_DS, __USER32_DS */
11292 + .quad 0x00affb000000ffff /* __USER_CS */
11294 +#ifdef CONFIG_PAX_KERNEXEC
11295 + .quad 0x00af9b000000ffff /* __KERNEXEC_KERNEL_CS */
11297 + .quad 0x0 /* unused */
11300 + .quad 0,0 /* TSS */
11301 + .quad 0,0 /* LDT */
11302 + .quad 0,0,0 /* three TLS descriptors */
11303 + .quad 0x0000f40000000000 /* node/CPU stored in limit */
11304 + /* asm/segment.h:GDT_ENTRIES must match this */
11306 + /* zero the remaining page */
11307 + .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
11311 .globl early_gdt_descr
11313 .word GDT_ENTRIES*8-1
11314 early_gdt_descr_base:
11315 - .quad INIT_PER_CPU_VAR(gdt_page)
11316 + .quad cpu_gdt_table
11319 /* This must match the first entry in level2_kernel_pgt */
11320 .quad 0x0000000000000000
11322 #include "../../x86/xen/xen-head.S"
11324 - .section .bss, "aw", @nobits
11326 + .section .rodata,"a",@progbits
11327 .align L1_CACHE_BYTES
11329 - .skip IDT_ENTRIES * 16
11334 diff -urNp linux-2.6.33.1/arch/x86/kernel/i386_ksyms_32.c linux-2.6.33.1/arch/x86/kernel/i386_ksyms_32.c
11335 --- linux-2.6.33.1/arch/x86/kernel/i386_ksyms_32.c 2010-03-15 12:09:39.000000000 -0400
11336 +++ linux-2.6.33.1/arch/x86/kernel/i386_ksyms_32.c 2010-03-20 16:58:39.000574964 -0400
11337 @@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
11338 EXPORT_SYMBOL(cmpxchg8b_emu);
11341 +EXPORT_SYMBOL_GPL(cpu_gdt_table);
11343 /* Networking helper routines. */
11344 EXPORT_SYMBOL(csum_partial_copy_generic);
11345 +EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
11346 +EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
11348 EXPORT_SYMBOL(__get_user_1);
11349 EXPORT_SYMBOL(__get_user_2);
11350 @@ -36,3 +40,7 @@ EXPORT_SYMBOL(strstr);
11352 EXPORT_SYMBOL(csum_partial);
11353 EXPORT_SYMBOL(empty_zero_page);
11355 +#ifdef CONFIG_PAX_KERNEXEC
11356 +EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
11358 diff -urNp linux-2.6.33.1/arch/x86/kernel/init_task.c linux-2.6.33.1/arch/x86/kernel/init_task.c
11359 --- linux-2.6.33.1/arch/x86/kernel/init_task.c 2010-03-15 12:09:39.000000000 -0400
11360 +++ linux-2.6.33.1/arch/x86/kernel/init_task.c 2010-03-20 16:58:39.000574964 -0400
11361 @@ -38,5 +38,5 @@ EXPORT_SYMBOL(init_task);
11362 * section. Since TSS's are completely CPU-local, we want them
11363 * on exact cacheline boundaries, to eliminate cacheline ping-pong.
11365 -DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
11367 +struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
11368 +EXPORT_SYMBOL(init_tss);
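Review bot: The comment kept above this definition still promises TSSs "on exact cacheline boundaries", but `____cacheline_internodealigned_in_smp` on the new array aligns only `init_tss[0]`. The spacing of the other elements depends on the size and alignment of `struct tss_struct`, which is declared elsewhere and not visible here. The array also reserves NR_CPUS entries statically instead of one per-CPU instance. I would update the comment to match, e.g. `/* one TSS per possible CPU; per-element alignment comes from struct tss_struct, only the array base from the attribute */`, and confirm the struct's own alignment.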
11369 diff -urNp linux-2.6.33.1/arch/x86/kernel/ioport.c linux-2.6.33.1/arch/x86/kernel/ioport.c
11370 --- linux-2.6.33.1/arch/x86/kernel/ioport.c 2010-03-15 12:09:39.000000000 -0400
11371 +++ linux-2.6.33.1/arch/x86/kernel/ioport.c 2010-03-20 16:58:39.000574964 -0400
11373 #include <linux/sched.h>
11374 #include <linux/kernel.h>
11375 #include <linux/capability.h>
11376 +#include <linux/security.h>
11377 #include <linux/errno.h>
11378 #include <linux/types.h>
11379 #include <linux/ioport.h>
11380 @@ -41,6 +42,12 @@ asmlinkage long sys_ioperm(unsigned long
11382 if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
11384 +#ifdef CONFIG_GRKERNSEC_IO
11386 + gr_handle_ioperm();
11390 if (turn_on && !capable(CAP_SYS_RAWIO))
11393 @@ -67,7 +74,7 @@ asmlinkage long sys_ioperm(unsigned long
11394 * because the ->io_bitmap_max value must match the bitmap
11397 - tss = &per_cpu(init_tss, get_cpu());
11398 + tss = init_tss + get_cpu();
11400 set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
11402 @@ -112,8 +119,13 @@ long sys_iopl(unsigned int level, struct
11404 /* Trying to gain more privileges? */
11406 +#ifdef CONFIG_GRKERNSEC_IO
11407 + gr_handle_iopl();
11410 if (!capable(CAP_SYS_RAWIO))
11414 regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12);
11415 t->iopl = level << 12;
11416 diff -urNp linux-2.6.33.1/arch/x86/kernel/irq_32.c linux-2.6.33.1/arch/x86/kernel/irq_32.c
11417 --- linux-2.6.33.1/arch/x86/kernel/irq_32.c 2010-03-15 12:09:39.000000000 -0400
11418 +++ linux-2.6.33.1/arch/x86/kernel/irq_32.c 2010-03-20 16:58:39.000574964 -0400
11419 @@ -94,7 +94,7 @@ execute_on_irq_stack(int overflow, struc
11422 /* build the stack frame on the IRQ stack */
11423 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
11424 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
11425 irqctx->tinfo.task = curctx->tinfo.task;
11426 irqctx->tinfo.previous_esp = current_stack_pointer;
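Review bot: The `- 8` subtracted from the initial stack pointer in execute_on_irq_stack is an unexplained magic number. The same adjustment recurs in the do_softirq hunk below (@@ -175,7 +175,7 @@) and as `init_thread_union+THREAD_SIZE-8` in head_32.S. It is presumably the same 8 bytes that the comment removed from entry_32.S attributed to copy_thread's esp0 setting, but nothing here says so. I would name the value once and use it in all three places, or at least add `/* keep 8 bytes free at the top of the stack, matching stack_start in head_32.S */` at each site.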
11428 @@ -175,7 +175,7 @@ asmlinkage void do_softirq(void)
11429 irqctx->tinfo.previous_esp = current_stack_pointer;
11431 /* build the stack frame on the softirq stack */
11432 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
11433 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
11435 call_on_stack(__do_softirq, isp);
11437 diff -urNp linux-2.6.33.1/arch/x86/kernel/kgdb.c linux-2.6.33.1/arch/x86/kernel/kgdb.c
11438 --- linux-2.6.33.1/arch/x86/kernel/kgdb.c 2010-03-15 12:09:39.000000000 -0400
11439 +++ linux-2.6.33.1/arch/x86/kernel/kgdb.c 2010-03-20 16:58:39.004585163 -0400
11440 @@ -89,7 +89,7 @@ void pt_regs_to_gdb_regs(unsigned long *
11441 gdb_regs[GDB_CS] = regs->cs;
11442 gdb_regs[GDB_FS] = 0xFFFF;
11443 gdb_regs[GDB_GS] = 0xFFFF;
11444 - if (user_mode_vm(regs)) {
11445 + if (user_mode(regs)) {
11446 gdb_regs[GDB_SS] = regs->ss;
11447 gdb_regs[GDB_SP] = regs->sp;
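Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` in pt_regs_to_gdb_regs preserves behaviour only if `user_mode()` is redefined elsewhere in this patch to recognise v8086 frames as well; that definition is not on this page. If it still tests only the CS privilege level, a v8086-mode frame would take the kernel branch and report the wrong SS/SP to the debugger. A short comment at the call site, e.g. `/* user_mode() also covers v8086 mode here */`, would make the dependency explicit. The function continues beyond the hunk.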
11449 @@ -690,7 +690,7 @@ unsigned long kgdb_arch_pc(int exception
11450 return instruction_pointer(regs);
11453 -struct kgdb_arch arch_kgdb_ops = {
11454 +const struct kgdb_arch arch_kgdb_ops = {
11455 /* Breakpoint instruction: */
11456 .gdb_bpt_instr = { 0xcc },
11457 .flags = KGDB_HW_BREAKPOINT,
11458 diff -urNp linux-2.6.33.1/arch/x86/kernel/kprobes.c linux-2.6.33.1/arch/x86/kernel/kprobes.c
11459 --- linux-2.6.33.1/arch/x86/kernel/kprobes.c 2010-03-15 12:09:39.000000000 -0400
11460 +++ linux-2.6.33.1/arch/x86/kernel/kprobes.c 2010-03-20 16:58:39.004585163 -0400
11461 @@ -113,9 +113,13 @@ static void __kprobes set_jmp_op(void *f
11464 } __attribute__((packed)) * jop;
11465 - jop = (struct __arch_jmp_op *)from;
11467 + jop = (struct __arch_jmp_op *)(ktla_ktva(from));
11469 + pax_open_kernel();
11470 jop->raddr = (s32)((long)(to) - ((long)(from) + 5));
11471 jop->op = RELATIVEJUMP_INSTRUCTION;
11472 + pax_close_kernel();
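Review bot: The stores now go through the alias returned by `ktla_ktva(from)`, while the displacement in `jop->raddr = (s32)((long)(to) - ((long)(from) + 5));` is still computed from the original `from`, and nothing in the hunk says the asymmetry is deliberate. Presumably the jump executes at `from` and is only written through the alias; a comment above the assignment such as `/* written via the alias, but the offset is relative to 'from', where the jump runs */` would stop a later edit from "aligning" the two. It would also help to note next to `pax_open_kernel()` that the bracket must stay limited to these two stores. set_jmp_op begins outside the hunk.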
11476 @@ -323,16 +327,18 @@ static void __kprobes fix_riprel(struct
11478 static void __kprobes arch_copy_kprobe(struct kprobe *p)
11480 - memcpy(p->ainsn.insn, p->addr, MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
11481 + pax_open_kernel();
11482 + memcpy(p->ainsn.insn, ktla_ktva(p->addr), MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
11483 + pax_close_kernel();
11487 - if (can_boost(p->addr))
11488 + if (can_boost(ktla_ktva(p->addr)))
11489 p->ainsn.boostable = 0;
11491 p->ainsn.boostable = -1;
11493 - p->opcode = *p->addr;
11494 + p->opcode = *(ktla_ktva(p->addr));
11497 int __kprobes arch_prepare_kprobe(struct kprobe *p)
11498 @@ -412,7 +418,7 @@ static void __kprobes prepare_singlestep
11499 if (p->opcode == BREAKPOINT_INSTRUCTION)
11500 regs->ip = (unsigned long)p->addr;
11502 - regs->ip = (unsigned long)p->ainsn.insn;
11503 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
11506 void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri,
11507 @@ -433,7 +439,7 @@ static void __kprobes setup_singlestep(s
11508 if (p->ainsn.boostable == 1 && !p->post_handler) {
11509 /* Boost up -- we can execute copied instructions directly */
11510 reset_current_kprobe();
11511 - regs->ip = (unsigned long)p->ainsn.insn;
11512 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
11513 preempt_enable_no_resched();
11516 @@ -490,7 +496,7 @@ static int __kprobes kprobe_handler(stru
11517 struct kprobe_ctlblk *kcb;
11519 addr = (kprobe_opcode_t *)(regs->ip - sizeof(kprobe_opcode_t));
11520 - if (*addr != BREAKPOINT_INSTRUCTION) {
11521 + if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) {
11523 * The breakpoint instruction was removed right
11524 * after we hit it. Another cpu has removed
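Review bot: `ktla_ktva` is called here with an `unsigned long` and the result is cast back to `kprobe_opcode_t *`, whereas the arch_copy_kprobe hunk above passes the pointer directly (`ktla_ktva(p->addr)`), module.c casts to `void *` first, and setup.c uses both integer and pointer arguments. If the helper is a plain offset-adding macro (its definition is not in these hunks), a pointer argument with a pointee wider than one byte would scale the offset, so the accepted argument types should be stated at the definition and the call sites should follow one convention. Since `addr` is already a `kprobe_opcode_t *`, `if (*ktla_ktva(addr) != BREAKPOINT_INSTRUCTION) {` would match the form used in arch_copy_kprobe. kprobe_handler continues outside the hunk.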
11525 @@ -742,7 +748,7 @@ static void __kprobes resume_execution(s
11526 struct pt_regs *regs, struct kprobe_ctlblk *kcb)
11528 unsigned long *tos = stack_addr(regs);
11529 - unsigned long copy_ip = (unsigned long)p->ainsn.insn;
11530 + unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn);
11531 unsigned long orig_ip = (unsigned long)p->addr;
11532 kprobe_opcode_t *insn = p->ainsn.insn;
11534 @@ -925,7 +931,7 @@ int __kprobes kprobe_exceptions_notify(s
11535 struct die_args *args = data;
11536 int ret = NOTIFY_DONE;
11538 - if (args->regs && user_mode_vm(args->regs))
11539 + if (args->regs && user_mode(args->regs))
11543 diff -urNp linux-2.6.33.1/arch/x86/kernel/ldt.c linux-2.6.33.1/arch/x86/kernel/ldt.c
11544 --- linux-2.6.33.1/arch/x86/kernel/ldt.c 2010-03-15 12:09:39.000000000 -0400
11545 +++ linux-2.6.33.1/arch/x86/kernel/ldt.c 2010-03-20 16:58:39.004585163 -0400
11546 @@ -66,13 +66,13 @@ static int alloc_ldt(mm_context_t *pc, i
11551 + load_LDT_nolock(pc);
11552 if (!cpumask_equal(mm_cpumask(current->mm),
11553 cpumask_of(smp_processor_id())))
11554 smp_call_function(flush_ldt, current->mm, 1);
11558 + load_LDT_nolock(pc);
11562 @@ -94,7 +94,7 @@ static inline int copy_ldt(mm_context_t
11565 for (i = 0; i < old->size; i++)
11566 - write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE);
11567 + write_ldt_entry(new->ldt, i, old->ldt + i);
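Review bot: `old->ldt + i` addresses entry i only if `ldt` is now a pointer to a descriptor-sized type; with the byte-granular pointer that the removed `i * LDT_ENTRY_SIZE` implies, the same expression would advance one byte per iteration and copy overlapping data into the new table. The declaration change is not part of this hunk, so it is worth confirming that the type of `mm_context_t`'s `ldt` member is changed in the same patch and that every other user that multiplied by `LDT_ENTRY_SIZE` was converted with it. A comment on the member stating its element type would make this dependency visible. copy_ldt begins and ends outside the hunk.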
11571 @@ -115,6 +115,24 @@ int init_new_context(struct task_struct
11572 retval = copy_ldt(&mm->context, &old_mm->context);
11573 mutex_unlock(&old_mm->context.lock);
11576 + if (tsk == current) {
11577 + mm->context.vdso = ~0UL;
11579 +#ifdef CONFIG_X86_32
11580 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
11581 + mm->context.user_cs_base = 0UL;
11582 + mm->context.user_cs_limit = ~0UL;
11584 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
11585 + cpus_clear(mm->context.cpu_user_cs_mask);
11596 @@ -229,6 +247,13 @@ static int write_ldt(void __user *ptr, u
11600 +#ifdef CONFIG_PAX_SEGMEXEC
11601 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
11607 fill_ldt(&ldt, &ldt_info);
11610 diff -urNp linux-2.6.33.1/arch/x86/kernel/machine_kexec_32.c linux-2.6.33.1/arch/x86/kernel/machine_kexec_32.c
11611 --- linux-2.6.33.1/arch/x86/kernel/machine_kexec_32.c 2010-03-15 12:09:39.000000000 -0400
11612 +++ linux-2.6.33.1/arch/x86/kernel/machine_kexec_32.c 2010-03-20 16:58:39.004585163 -0400
11614 #include <asm/cacheflush.h>
11615 #include <asm/debugreg.h>
11617 -static void set_idt(void *newidt, __u16 limit)
11618 +static void set_idt(struct desc_struct *newidt, __u16 limit)
11620 struct desc_ptr curidt;
11622 @@ -39,7 +39,7 @@ static void set_idt(void *newidt, __u16
11626 -static void set_gdt(void *newgdt, __u16 limit)
11627 +static void set_gdt(struct desc_struct *newgdt, __u16 limit)
11629 struct desc_ptr curgdt;
11631 @@ -217,7 +217,7 @@ void machine_kexec(struct kimage *image)
11634 control_page = page_address(image->control_code_page);
11635 - memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
11636 + memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE);
11638 relocate_kernel_ptr = control_page;
11639 page_list[PA_CONTROL_PAGE] = __pa(control_page);
11640 diff -urNp linux-2.6.33.1/arch/x86/kernel/microcode_amd.c linux-2.6.33.1/arch/x86/kernel/microcode_amd.c
11641 --- linux-2.6.33.1/arch/x86/kernel/microcode_amd.c 2010-03-15 12:09:39.000000000 -0400
11642 +++ linux-2.6.33.1/arch/x86/kernel/microcode_amd.c 2010-03-20 16:58:39.004585163 -0400
11643 @@ -331,7 +331,7 @@ static void microcode_fini_cpu_amd(int c
11647 -static struct microcode_ops microcode_amd_ops = {
11648 +static const struct microcode_ops microcode_amd_ops = {
11649 .request_microcode_user = request_microcode_user,
11650 .request_microcode_fw = request_microcode_fw,
11651 .collect_cpu_info = collect_cpu_info_amd,
11652 @@ -339,7 +339,7 @@ static struct microcode_ops microcode_am
11653 .microcode_fini_cpu = microcode_fini_cpu_amd,
11656 -struct microcode_ops * __init init_amd_microcode(void)
11657 +const struct microcode_ops * __init init_amd_microcode(void)
11659 return µcode_amd_ops;
11661 diff -urNp linux-2.6.33.1/arch/x86/kernel/microcode_core.c linux-2.6.33.1/arch/x86/kernel/microcode_core.c
11662 --- linux-2.6.33.1/arch/x86/kernel/microcode_core.c 2010-03-15 12:09:39.000000000 -0400
11663 +++ linux-2.6.33.1/arch/x86/kernel/microcode_core.c 2010-03-20 16:58:39.004585163 -0400
11664 @@ -92,7 +92,7 @@ MODULE_LICENSE("GPL");
11666 #define MICROCODE_VERSION "2.00"
11668 -static struct microcode_ops *microcode_ops;
11669 +static const struct microcode_ops *microcode_ops;
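Review bot: `static const struct microcode_ops *microcode_ops;` makes the pointed-to table const, but the pointer variable itself remains an ordinary writable object, so the indirect-call target can still be redirected by overwriting the pointer rather than the table. If the pointer is only assigned at init and exit (not visible here), marking it like the pv_*_ops tables in paravirt.c, `static const struct microcode_ops *microcode_ops __read_only;`, would cover it, with the assignments wrapped in the `pax_open_kernel()`/`pax_close_kernel()` bracket used elsewhere in this patch. The same observation applies to `dma_ops` in the pci-dma.c hunk.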
11673 diff -urNp linux-2.6.33.1/arch/x86/kernel/microcode_intel.c linux-2.6.33.1/arch/x86/kernel/microcode_intel.c
11674 --- linux-2.6.33.1/arch/x86/kernel/microcode_intel.c 2010-03-15 12:09:39.000000000 -0400
11675 +++ linux-2.6.33.1/arch/x86/kernel/microcode_intel.c 2010-03-20 16:58:39.011824892 -0400
11676 @@ -436,13 +436,13 @@ static enum ucode_state request_microcod
11678 static int get_ucode_user(void *to, const void *from, size_t n)
11680 - return copy_from_user(to, from, n);
11681 + return copy_from_user(to, (__force const void __user *)from, n);
11684 static enum ucode_state
11685 request_microcode_user(int cpu, const void __user *buf, size_t size)
11687 - return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
11688 + return generic_load_microcode(cpu, (__force void *)buf, size, &get_ucode_user);
11691 static void microcode_fini_cpu(int cpu)
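Review bot: The two `__force` casts strip the `__user` annotation in request_microcode_user and re-add it in get_ucode_user, so sparse can no longer verify that the `from` reaching `copy_from_user()` is really a user pointer. Because `get_ucode_user` takes a plain `const void *`, the contract should be written down on it, e.g. `/* 'from' is always the __user buffer handed in by request_microcode_user() */`. A future caller that passes a kernel pointer through the same callback type would not be flagged by the checker, which is the case the comment is meant to guard against.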
11692 @@ -453,7 +453,7 @@ static void microcode_fini_cpu(int cpu)
11696 -static struct microcode_ops microcode_intel_ops = {
11697 +static const struct microcode_ops microcode_intel_ops = {
11698 .request_microcode_user = request_microcode_user,
11699 .request_microcode_fw = request_microcode_fw,
11700 .collect_cpu_info = collect_cpu_info,
11701 @@ -461,7 +461,7 @@ static struct microcode_ops microcode_in
11702 .microcode_fini_cpu = microcode_fini_cpu,
11705 -struct microcode_ops * __init init_intel_microcode(void)
11706 +const struct microcode_ops * __init init_intel_microcode(void)
11708 return µcode_intel_ops;
11710 diff -urNp linux-2.6.33.1/arch/x86/kernel/module.c linux-2.6.33.1/arch/x86/kernel/module.c
11711 --- linux-2.6.33.1/arch/x86/kernel/module.c 2010-03-15 12:09:39.000000000 -0400
11712 +++ linux-2.6.33.1/arch/x86/kernel/module.c 2010-03-20 16:58:39.011824892 -0400
11714 #define DEBUGP(fmt...)
11717 -void *module_alloc(unsigned long size)
11718 +static void *__module_alloc(unsigned long size, pgprot_t prot)
11720 struct vm_struct *area;
11722 @@ -48,8 +48,18 @@ void *module_alloc(unsigned long size)
11726 - return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM,
11727 - PAGE_KERNEL_EXEC);
11728 + return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, prot);
11731 +void *module_alloc(unsigned long size)
11734 +#ifdef CONFIG_PAX_KERNEXEC
11735 + return __module_alloc(size, PAGE_KERNEL);
11737 + return __module_alloc(size, PAGE_KERNEL_EXEC);
11742 /* Free memory returned from module_alloc */
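Review bot: Under CONFIG_PAX_KERNEXEC `module_alloc()` now returns `PAGE_KERNEL` memory instead of `PAGE_KERNEL_EXEC`, which changes behaviour for any caller that executes from the returned region, and the hunk documents neither that nor the added `__GFP_ZERO`. A comment above the function such as `/* KERNEXEC: returns non-executable memory; executable regions come from module_alloc_exec() */` would make the split explicit. Callers outside this file are not visible here, so it is worth checking that none still relies on executable memory from `module_alloc()`.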
11743 @@ -58,6 +68,40 @@ void module_free(struct module *mod, voi
11744 vfree(module_region);
11747 +#ifdef CONFIG_PAX_KERNEXEC
11748 +#ifdef CONFIG_X86_32
11749 +void *module_alloc_exec(unsigned long size)
11751 + struct vm_struct *area;
11756 + area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END);
11757 + return area ? area->addr : NULL;
11759 +EXPORT_SYMBOL(module_alloc_exec);
11761 +void module_free_exec(struct module *mod, void *module_region)
11763 + vunmap(module_region);
11765 +EXPORT_SYMBOL(module_free_exec);
11767 +void module_free_exec(struct module *mod, void *module_region)
11769 + module_free(mod, module_region);
11771 +EXPORT_SYMBOL(module_free_exec);
11773 +void *module_alloc_exec(unsigned long size)
11775 + return __module_alloc(size, PAGE_KERNEL_RX);
11777 +EXPORT_SYMBOL(module_alloc_exec);
11781 /* We don't need anything special. */
11782 int module_frob_arch_sections(Elf_Ehdr *hdr,
11784 @@ -77,14 +121,16 @@ int apply_relocate(Elf32_Shdr *sechdrs,
11786 Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
11788 - uint32_t *location;
11789 + uint32_t *plocation, location;
11791 DEBUGP("Applying relocate section %u to %u\n", relsec,
11792 sechdrs[relsec].sh_info);
11793 for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
11794 /* This is where to make the change */
11795 - location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
11796 - + rel[i].r_offset;
11797 + plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
11798 + location = (uint32_t)plocation;
11799 + if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
11800 + plocation = ktla_ktva((void *)plocation);
11801 /* This is the symbol it is referring to. Note that all
11802 undefined symbols have been resolved. */
11803 sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
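Review bot: `uint32_t *plocation, location;` declares a pointer and an integer in one declarator list, and after this hunk `location` holds the original section address as a number while `plocation` may point at a different alias of it, which the names do not convey. Separate declarations with comments, e.g. `uint32_t location; /* unaliased address, used in PC-relative arithmetic */` and `uint32_t *plocation; /* address the store goes through */`, would make `sym->st_value - location` in the next hunk easier to verify. Note also that `location` must be taken before the `ktla_ktva()` adjustment, as the hunk does; a comment saying so would protect that ordering. apply_relocate begins and ends outside this hunk.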
11804 @@ -93,11 +139,15 @@ int apply_relocate(Elf32_Shdr *sechdrs,
11805 switch (ELF32_R_TYPE(rel[i].r_info)) {
11807 /* We add the value into the location given */
11808 - *location += sym->st_value;
11809 + pax_open_kernel();
11810 + *plocation += sym->st_value;
11811 + pax_close_kernel();
11814 /* Add the value, subtract its postition */
11815 - *location += sym->st_value - (uint32_t)location;
11816 + pax_open_kernel();
11817 + *plocation += sym->st_value - location;
11818 + pax_close_kernel();
11821 printk(KERN_ERR "module %s: Unknown relocation: %u\n",
11822 @@ -153,21 +203,30 @@ int apply_relocate_add(Elf64_Shdr *sechd
11823 case R_X86_64_NONE:
11826 + pax_open_kernel();
11828 + pax_close_kernel();
11831 + pax_open_kernel();
11833 + pax_close_kernel();
11834 if (val != *(u32 *)loc)
11838 + pax_open_kernel();
11840 + pax_close_kernel();
11841 if ((s64)val != *(s32 *)loc)
11844 case R_X86_64_PC32:
11846 + pax_open_kernel();
11848 + pax_close_kernel();
11851 if ((s64)val != *(s32 *)loc)
11853 diff -urNp linux-2.6.33.1/arch/x86/kernel/paravirt.c linux-2.6.33.1/arch/x86/kernel/paravirt.c
11854 --- linux-2.6.33.1/arch/x86/kernel/paravirt.c 2010-03-15 12:09:39.000000000 -0400
11855 +++ linux-2.6.33.1/arch/x86/kernel/paravirt.c 2010-03-20 16:58:39.012867487 -0400
11856 @@ -120,9 +120,9 @@ unsigned paravirt_patch_jmp(void *insnbu
11858 /* Neat trick to map patch type back to the call within the
11859 * corresponding structure. */
11860 -static void *get_call_destination(u8 type)
11861 +static const void *get_call_destination(u8 type)
11863 - struct paravirt_patch_template tmpl = {
11864 + const struct paravirt_patch_template tmpl = {
11865 .pv_init_ops = pv_init_ops,
11866 .pv_time_ops = pv_time_ops,
11867 .pv_cpu_ops = pv_cpu_ops,
11868 @@ -133,13 +133,13 @@ static void *get_call_destination(u8 typ
11869 .pv_lock_ops = pv_lock_ops,
11872 - return *((void **)&tmpl + type);
11873 + return *((const void **)&tmpl + type);
11876 unsigned paravirt_patch_default(u8 type, u16 clobbers, void *insnbuf,
11877 unsigned long addr, unsigned len)
11879 - void *opfunc = get_call_destination(type);
11880 + const void *opfunc = get_call_destination(type);
11883 if (opfunc == NULL)
11884 @@ -178,7 +178,7 @@ unsigned paravirt_patch_insns(void *insn
11885 if (insn_len > len || start == NULL)
11888 - memcpy(insnbuf, start, insn_len);
11889 + memcpy(insnbuf, ktla_ktva(start), insn_len);
11893 @@ -294,22 +294,22 @@ void arch_flush_lazy_mmu_mode(void)
11897 -struct pv_info pv_info = {
11898 +struct pv_info pv_info __read_only = {
11899 .name = "bare hardware",
11900 .paravirt_enabled = 0,
11902 .shared_kernel_pmd = 1, /* Only used when CONFIG_X86_PAE is set */
11905 -struct pv_init_ops pv_init_ops = {
11906 +struct pv_init_ops pv_init_ops __read_only = {
11907 .patch = native_patch,
11910 -struct pv_time_ops pv_time_ops = {
11911 +struct pv_time_ops pv_time_ops __read_only = {
11912 .sched_clock = native_sched_clock,
11915 -struct pv_irq_ops pv_irq_ops = {
11916 +struct pv_irq_ops pv_irq_ops __read_only = {
11917 .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl),
11918 .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl),
11919 .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable),
11920 @@ -321,7 +321,7 @@ struct pv_irq_ops pv_irq_ops = {
11924 -struct pv_cpu_ops pv_cpu_ops = {
11925 +struct pv_cpu_ops pv_cpu_ops __read_only = {
11926 .cpuid = native_cpuid,
11927 .get_debugreg = native_get_debugreg,
11928 .set_debugreg = native_set_debugreg,
11929 @@ -382,7 +382,7 @@ struct pv_cpu_ops pv_cpu_ops = {
11930 .end_context_switch = paravirt_nop,
11933 -struct pv_apic_ops pv_apic_ops = {
11934 +struct pv_apic_ops pv_apic_ops __read_only = {
11935 #ifdef CONFIG_X86_LOCAL_APIC
11936 .startup_ipi_hook = paravirt_nop,
11938 @@ -396,7 +396,7 @@ struct pv_apic_ops pv_apic_ops = {
11939 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64)
11942 -struct pv_mmu_ops pv_mmu_ops = {
11943 +struct pv_mmu_ops pv_mmu_ops __read_only = {
11945 .read_cr2 = native_read_cr2,
11946 .write_cr2 = native_write_cr2,
11947 @@ -467,6 +467,12 @@ struct pv_mmu_ops pv_mmu_ops = {
11950 .set_fixmap = native_set_fixmap,
11952 +#ifdef CONFIG_PAX_KERNEXEC
11953 + .pax_open_kernel = native_pax_open_kernel,
11954 + .pax_close_kernel = native_pax_close_kernel,
11959 EXPORT_SYMBOL_GPL(pv_time_ops);
11960 diff -urNp linux-2.6.33.1/arch/x86/kernel/paravirt-spinlocks.c linux-2.6.33.1/arch/x86/kernel/paravirt-spinlocks.c
11961 --- linux-2.6.33.1/arch/x86/kernel/paravirt-spinlocks.c 2010-03-15 12:09:39.000000000 -0400
11962 +++ linux-2.6.33.1/arch/x86/kernel/paravirt-spinlocks.c 2010-03-20 16:58:39.012867487 -0400
11963 @@ -13,7 +13,7 @@ default_spin_lock_flags(arch_spinlock_t
11964 arch_spin_lock(lock);
11967 -struct pv_lock_ops pv_lock_ops = {
11968 +struct pv_lock_ops pv_lock_ops __read_only = {
11970 .spin_is_locked = __ticket_spin_is_locked,
11971 .spin_is_contended = __ticket_spin_is_contended,
11972 diff -urNp linux-2.6.33.1/arch/x86/kernel/pci-calgary_64.c linux-2.6.33.1/arch/x86/kernel/pci-calgary_64.c
11973 --- linux-2.6.33.1/arch/x86/kernel/pci-calgary_64.c 2010-03-15 12:09:39.000000000 -0400
11974 +++ linux-2.6.33.1/arch/x86/kernel/pci-calgary_64.c 2010-03-20 16:58:39.012867487 -0400
11975 @@ -470,7 +470,7 @@ static void calgary_free_coherent(struct
11976 free_pages((unsigned long)vaddr, get_order(size));
11979 -static struct dma_map_ops calgary_dma_ops = {
11980 +static const struct dma_map_ops calgary_dma_ops = {
11981 .alloc_coherent = calgary_alloc_coherent,
11982 .free_coherent = calgary_free_coherent,
11983 .map_sg = calgary_map_sg,
11984 diff -urNp linux-2.6.33.1/arch/x86/kernel/pci-dma.c linux-2.6.33.1/arch/x86/kernel/pci-dma.c
11985 --- linux-2.6.33.1/arch/x86/kernel/pci-dma.c 2010-03-15 12:09:39.000000000 -0400
11986 +++ linux-2.6.33.1/arch/x86/kernel/pci-dma.c 2010-03-20 16:58:39.012867487 -0400
11989 static int forbid_dac __read_mostly;
11991 -struct dma_map_ops *dma_ops = &nommu_dma_ops;
11992 +const struct dma_map_ops *dma_ops = &nommu_dma_ops;
11993 EXPORT_SYMBOL(dma_ops);
11995 static int iommu_sac_force __read_mostly;
11996 @@ -240,7 +240,7 @@ early_param("iommu", iommu_setup);
11998 int dma_supported(struct device *dev, u64 mask)
12000 - struct dma_map_ops *ops = get_dma_ops(dev);
12001 + const struct dma_map_ops *ops = get_dma_ops(dev);
12004 if (mask > 0xffffffff && forbid_dac > 0) {
12005 diff -urNp linux-2.6.33.1/arch/x86/kernel/pci-gart_64.c linux-2.6.33.1/arch/x86/kernel/pci-gart_64.c
12006 --- linux-2.6.33.1/arch/x86/kernel/pci-gart_64.c 2010-03-15 12:09:39.000000000 -0400
12007 +++ linux-2.6.33.1/arch/x86/kernel/pci-gart_64.c 2010-03-20 16:58:39.012867487 -0400
12008 @@ -695,7 +695,7 @@ static __init int init_k8_gatt(struct ag
12012 -static struct dma_map_ops gart_dma_ops = {
12013 +static const struct dma_map_ops gart_dma_ops = {
12014 .map_sg = gart_map_sg,
12015 .unmap_sg = gart_unmap_sg,
12016 .map_page = gart_map_page,
12017 diff -urNp linux-2.6.33.1/arch/x86/kernel/pci-nommu.c linux-2.6.33.1/arch/x86/kernel/pci-nommu.c
12018 --- linux-2.6.33.1/arch/x86/kernel/pci-nommu.c 2010-03-15 12:09:39.000000000 -0400
12019 +++ linux-2.6.33.1/arch/x86/kernel/pci-nommu.c 2010-03-20 16:58:39.012867487 -0400
12020 @@ -94,7 +94,7 @@ static void nommu_sync_sg_for_device(str
12021 flush_write_buffers();
12024 -struct dma_map_ops nommu_dma_ops = {
12025 +const struct dma_map_ops nommu_dma_ops = {
12026 .alloc_coherent = dma_generic_alloc_coherent,
12027 .free_coherent = nommu_free_coherent,
12028 .map_sg = nommu_map_sg,
12029 diff -urNp linux-2.6.33.1/arch/x86/kernel/pci-swiotlb.c linux-2.6.33.1/arch/x86/kernel/pci-swiotlb.c
12030 --- linux-2.6.33.1/arch/x86/kernel/pci-swiotlb.c 2010-03-15 12:09:39.000000000 -0400
12031 +++ linux-2.6.33.1/arch/x86/kernel/pci-swiotlb.c 2010-03-20 16:58:39.012867487 -0400
12032 @@ -25,7 +25,7 @@ static void *x86_swiotlb_alloc_coherent(
12033 return swiotlb_alloc_coherent(hwdev, size, dma_handle, flags);
12036 -static struct dma_map_ops swiotlb_dma_ops = {
12037 +static const struct dma_map_ops swiotlb_dma_ops = {
12038 .mapping_error = swiotlb_dma_mapping_error,
12039 .alloc_coherent = x86_swiotlb_alloc_coherent,
12040 .free_coherent = swiotlb_free_coherent,
12041 diff -urNp linux-2.6.33.1/arch/x86/kernel/process_32.c linux-2.6.33.1/arch/x86/kernel/process_32.c
12042 --- linux-2.6.33.1/arch/x86/kernel/process_32.c 2010-03-15 12:09:39.000000000 -0400
12043 +++ linux-2.6.33.1/arch/x86/kernel/process_32.c 2010-03-20 16:58:39.012867487 -0400
12044 @@ -66,6 +66,7 @@ asmlinkage void ret_from_fork(void) __as
12045 unsigned long thread_saved_pc(struct task_struct *tsk)
12047 return ((unsigned long *)tsk->thread.sp)[3];
12048 +//XXX return tsk->thread.eip;
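Review bot: `//XXX return tsk->thread.eip;` adds commented-out code after the live `return` with no statement of what is being questioned. Either drop the line or replace it with a sentence describing the open issue and who should resolve it. The same applies to `//XXX needs set_fs()?` in the copy_thread hunk further down, which sits between `if (clone_flags & CLONE_SETTLS)` and the statement it guards and is easy to misread as ending the condition; if the question concerns the address limit in effect when `do_set_thread_area()` reads a user pointer, it should be answered before the patch is applied rather than left as a marker.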
12052 @@ -127,7 +128,7 @@ void __show_regs(struct pt_regs *regs, i
12054 unsigned short ss, gs;
12056 - if (user_mode_vm(regs)) {
12057 + if (user_mode(regs)) {
12059 ss = regs->ss & 0xffff;
12060 gs = get_user_gs(regs);
12061 @@ -203,7 +204,7 @@ int copy_thread(unsigned long clone_flag
12062 struct task_struct *tsk;
12065 - childregs = task_pt_regs(p);
12066 + childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
12067 *childregs = *regs;
12069 childregs->sp = sp;
12070 @@ -237,6 +238,7 @@ int copy_thread(unsigned long clone_flag
12071 * Set a new TLS for the child thread?
12073 if (clone_flags & CLONE_SETTLS)
12074 +//XXX needs set_fs()?
12075 err = do_set_thread_area(p, -1,
12076 (struct user_desc __user *)childregs->si, 0);
12078 @@ -307,7 +309,7 @@ __switch_to(struct task_struct *prev_p,
12079 struct thread_struct *prev = &prev_p->thread,
12080 *next = &next_p->thread;
12081 int cpu = smp_processor_id();
12082 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
12083 + struct tss_struct *tss = init_tss + cpu;
12086 /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
12087 @@ -342,6 +344,11 @@ __switch_to(struct task_struct *prev_p,
12089 lazy_save_gs(prev->gs);
12091 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12092 + if (!segment_eq(task_thread_info(prev_p)->addr_limit, task_thread_info(next_p)->addr_limit))
12093 + __set_fs(task_thread_info(next_p)->addr_limit, cpu);
12097 * Load the per-thread Thread-Local Storage descriptor.
12099 @@ -418,3 +425,27 @@ unsigned long get_wchan(struct task_stru
12103 +#ifdef CONFIG_PAX_RANDKSTACK
12104 +asmlinkage void pax_randomize_kstack(void)
12106 + struct thread_struct *thread = ¤t->thread;
12107 + unsigned long time;
12109 + if (!randomize_va_space)
12114 + /* P4 seems to return a 0 LSB, ignore it */
12115 +#ifdef CONFIG_MPENTIUM4
12123 + thread->sp0 ^= time;
12124 + load_sp0(init_tss + smp_processor_id(), thread);
12127 diff -urNp linux-2.6.33.1/arch/x86/kernel/process_64.c linux-2.6.33.1/arch/x86/kernel/process_64.c
12128 --- linux-2.6.33.1/arch/x86/kernel/process_64.c 2010-03-15 12:09:39.000000000 -0400
12129 +++ linux-2.6.33.1/arch/x86/kernel/process_64.c 2010-03-20 16:58:39.012867487 -0400
12130 @@ -88,7 +88,7 @@ static void __exit_idle(void)
12131 void exit_idle(void)
12133 /* idle loop has pid 0 */
12134 - if (current->pid)
12135 + if (task_pid_nr(current))
12139 @@ -389,7 +389,7 @@ __switch_to(struct task_struct *prev_p,
12140 struct thread_struct *prev = &prev_p->thread;
12141 struct thread_struct *next = &next_p->thread;
12142 int cpu = smp_processor_id();
12143 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
12144 + struct tss_struct *tss = init_tss + cpu;
12145 unsigned fsindex, gsindex;
12148 @@ -542,12 +542,11 @@ unsigned long get_wchan(struct task_stru
12149 if (!p || p == current || p->state == TASK_RUNNING)
12151 stack = (unsigned long)task_stack_page(p);
12152 - if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
12153 + if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-8-sizeof(u64))
12155 fp = *(u64 *)(p->thread.sp);
12157 - if (fp < (unsigned long)stack ||
12158 - fp >= (unsigned long)stack+THREAD_SIZE)
12159 + if (fp < stack || fp > stack+THREAD_SIZE-8-sizeof(u64))
12161 ip = *(u64 *)(fp+8);
12162 if (!in_sched_functions(ip))
12163 diff -urNp linux-2.6.33.1/arch/x86/kernel/process.c linux-2.6.33.1/arch/x86/kernel/process.c
12164 --- linux-2.6.33.1/arch/x86/kernel/process.c 2010-03-15 12:09:39.000000000 -0400
12165 +++ linux-2.6.33.1/arch/x86/kernel/process.c 2010-03-20 16:58:39.012867487 -0400
12166 @@ -78,7 +78,7 @@ void exit_thread(void)
12167 unsigned long *bp = t->io_bitmap_ptr;
12170 - struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
12171 + struct tss_struct *tss = init_tss + get_cpu();
12173 t->io_bitmap_ptr = NULL;
12174 clear_thread_flag(TIF_IO_BITMAP);
12175 @@ -105,7 +105,7 @@ void show_regs_common(void)
12177 printk(KERN_CONT "\n");
12178 printk(KERN_DEFAULT "Pid: %d, comm: %.20s %s %s %.*s %s/%s\n",
12179 - current->pid, current->comm, print_tainted(),
12180 + task_pid_nr(current), current->comm, print_tainted(),
12181 init_utsname()->release,
12182 (int)strcspn(init_utsname()->version, " "),
12183 init_utsname()->version, board, product);
12184 @@ -115,6 +115,9 @@ void flush_thread(void)
12186 struct task_struct *tsk = current;
12188 +#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR)
12189 + loadsegment(gs, 0);
12191 flush_ptrace_hw_breakpoint(tsk);
12192 memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
12194 @@ -272,8 +275,8 @@ int kernel_thread(int (*fn)(void *), voi
12195 regs.di = (unsigned long) arg;
12197 #ifdef CONFIG_X86_32
12198 - regs.ds = __USER_DS;
12199 - regs.es = __USER_DS;
12200 + regs.ds = __KERNEL_DS;
12201 + regs.es = __KERNEL_DS;
12202 regs.fs = __KERNEL_PERCPU;
12203 regs.gs = __KERNEL_STACK_CANARY;
12205 @@ -664,17 +667,3 @@ static int __init idle_setup(char *str)
12208 early_param("idle", idle_setup);
12210 -unsigned long arch_align_stack(unsigned long sp)
12212 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
12213 - sp -= get_random_int() % 8192;
12214 - return sp & ~0xf;
12217 -unsigned long arch_randomize_brk(struct mm_struct *mm)
12219 - unsigned long range_end = mm->brk + 0x02000000;
12220 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
12223 diff -urNp linux-2.6.33.1/arch/x86/kernel/ptrace.c linux-2.6.33.1/arch/x86/kernel/ptrace.c
12224 --- linux-2.6.33.1/arch/x86/kernel/ptrace.c 2010-03-15 12:09:39.000000000 -0400
12225 +++ linux-2.6.33.1/arch/x86/kernel/ptrace.c 2010-03-20 16:58:39.012867487 -0400
12226 @@ -1167,7 +1167,7 @@ static const struct user_regset_view use
12227 long arch_ptrace(struct task_struct *child, long request, long addr, long data)
12230 - unsigned long __user *datap = (unsigned long __user *)data;
12231 + unsigned long __user *datap = (__force unsigned long __user *)data;
12234 /* read the word at location addr in the USER area. */
12235 @@ -1254,14 +1254,14 @@ long arch_ptrace(struct task_struct *chi
12238 ret = do_get_thread_area(child, addr,
12239 - (struct user_desc __user *) data);
12240 + (__force struct user_desc __user *) data);
12243 case PTRACE_SET_THREAD_AREA:
12246 ret = do_set_thread_area(child, addr,
12247 - (struct user_desc __user *) data, 0);
12248 + (__force struct user_desc __user *) data, 0);
12252 @@ -1280,12 +1280,12 @@ long arch_ptrace(struct task_struct *chi
12253 #ifdef CONFIG_X86_PTRACE_BTS
12254 case PTRACE_BTS_CONFIG:
12255 ret = ptrace_bts_config
12256 - (child, data, (struct ptrace_bts_config __user *)addr);
12257 + (child, data, (__force struct ptrace_bts_config __user *)addr);
12260 case PTRACE_BTS_STATUS:
12261 ret = ptrace_bts_status
12262 - (child, data, (struct ptrace_bts_config __user *)addr);
12263 + (child, data, (__force struct ptrace_bts_config __user *)addr);
12266 case PTRACE_BTS_SIZE:
12267 @@ -1294,7 +1294,7 @@ long arch_ptrace(struct task_struct *chi
12269 case PTRACE_BTS_GET:
12270 ret = ptrace_bts_read_record
12271 - (child, data, (struct bts_struct __user *) addr);
12272 + (child, data, (__force struct bts_struct __user *) addr);
12275 case PTRACE_BTS_CLEAR:
12276 @@ -1303,7 +1303,7 @@ long arch_ptrace(struct task_struct *chi
12278 case PTRACE_BTS_DRAIN:
12279 ret = ptrace_bts_drain
12280 - (child, data, (struct bts_struct __user *) addr);
12281 + (child, data, (__force struct bts_struct __user *) addr);
12283 #endif /* CONFIG_X86_PTRACE_BTS */
12285 @@ -1690,7 +1690,7 @@ static void fill_sigtrap_info(struct tas
12286 memset(info, 0, sizeof(*info));
12287 info->si_signo = SIGTRAP;
12288 info->si_code = si_code;
12289 - info->si_addr = user_mode_vm(regs) ? (void __user *)regs->ip : NULL;
12290 + info->si_addr = user_mode(regs) ? (__force void __user *)regs->ip : NULL;
12293 void user_single_step_siginfo(struct task_struct *tsk,
12294 diff -urNp linux-2.6.33.1/arch/x86/kernel/reboot.c linux-2.6.33.1/arch/x86/kernel/reboot.c
12295 --- linux-2.6.33.1/arch/x86/kernel/reboot.c 2010-03-15 12:09:39.000000000 -0400
12296 +++ linux-2.6.33.1/arch/x86/kernel/reboot.c 2010-03-20 16:58:39.016512700 -0400
12297 @@ -33,7 +33,7 @@ void (*pm_power_off)(void);
12298 EXPORT_SYMBOL(pm_power_off);
12300 static const struct desc_ptr no_idt = {};
12301 -static int reboot_mode;
12302 +static unsigned short reboot_mode;
12303 enum reboot_type reboot_type = BOOT_KBD;
12306 @@ -276,7 +276,7 @@ static struct dmi_system_id __initdata r
12307 DMI_MATCH(DMI_BOARD_NAME, "P4S800"),
12311 + { NULL, NULL, {{0, {0}}}, NULL}
12314 static int __init reboot_init(void)
12315 @@ -292,12 +292,12 @@ core_initcall(reboot_init);
12316 controller to pulse the CPU reset line, which is more thorough, but
12317 doesn't work with at least one type of 486 motherboard. It is easy
12318 to stop this code working; hence the copious comments. */
12319 -static const unsigned long long
12320 -real_mode_gdt_entries [3] =
12321 +static struct desc_struct
12322 +real_mode_gdt_entries [3] __read_only =
12324 - 0x0000000000000000ULL, /* Null descriptor */
12325 - 0x00009b000000ffffULL, /* 16-bit real-mode 64k code at 0x00000000 */
12326 - 0x000093000100ffffULL /* 16-bit real-mode 64k data at 0x00000100 */
12327 + GDT_ENTRY_INIT(0, 0, 0), /* Null descriptor */
12328 + GDT_ENTRY_INIT(0x9b, 0, 0xffff), /* 16-bit real-mode 64k code at 0x00000000 */
12329 + GDT_ENTRY_INIT(0x93, 0x100, 0xffff) /* 16-bit real-mode 64k data at 0x00000100 */
12332 static const struct desc_ptr
12333 @@ -346,7 +346,7 @@ static const unsigned char jump_to_bios
12334 * specified by the code and length parameters.
12335 * We assume that length will aways be less that 100!
12337 -void machine_real_restart(const unsigned char *code, int length)
12338 +void machine_real_restart(const unsigned char *code, unsigned int length)
12340 local_irq_disable();
12342 @@ -366,8 +366,8 @@ void machine_real_restart(const unsigned
12343 /* Remap the kernel at virtual address zero, as well as offset zero
12344 from the kernel segment. This assumes the kernel segment starts at
12345 virtual address PAGE_OFFSET. */
12346 - memcpy(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
12347 - sizeof(swapper_pg_dir [0]) * KERNEL_PGD_PTRS);
12348 + clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
12349 + min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
12352 * Use `swapper_pg_dir' as our page directory.
12353 @@ -379,16 +379,15 @@ void machine_real_restart(const unsigned
12354 boot)". This seems like a fairly standard thing that gets set by
12355 REBOOT.COM programs, and the previous reset routine did this
12357 - *((unsigned short *)0x472) = reboot_mode;
12358 + *(unsigned short *)(__va(0x472)) = reboot_mode;
12360 /* For the switch to real mode, copy some code to low memory. It has
12361 to be in the first 64k because it is running in 16-bit mode, and it
12362 has to have the same physical and virtual address, because it turns
12363 off paging. Copy it near the end of the first page, out of the way
12364 of BIOS variables. */
12365 - memcpy((void *)(0x1000 - sizeof(real_mode_switch) - 100),
12366 - real_mode_switch, sizeof (real_mode_switch));
12367 - memcpy((void *)(0x1000 - 100), code, length);
12368 + memcpy(__va(0x1000 - sizeof (real_mode_switch) - 100), real_mode_switch, sizeof (real_mode_switch));
12369 + memcpy(__va(0x1000 - 100), code, length);
12371 /* Set up the IDT for real mode. */
12372 load_idt(&real_mode_idt);
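Review bot: `memcpy(__va(0x1000 - 100), code, length);` still relies on the comment "We assume that length will aways be less that 100"; making `length` an `unsigned int` in the signature hunk above rules out negative values but adds no upper bound. Only 100 bytes are reserved below 0x1000, so a check before the copy, e.g. `BUG_ON(length > 100);`, would turn an oversized blob into a clean failure instead of a write beyond the reserved area. The literal 100 is used three times in this hunk and would read better as a named constant shared with that check. machine_real_restart begins and ends outside this hunk.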
12373 diff -urNp linux-2.6.33.1/arch/x86/kernel/setup.c linux-2.6.33.1/arch/x86/kernel/setup.c
12374 --- linux-2.6.33.1/arch/x86/kernel/setup.c 2010-03-15 12:09:39.000000000 -0400
12375 +++ linux-2.6.33.1/arch/x86/kernel/setup.c 2010-03-20 16:58:39.016512700 -0400
12376 @@ -749,14 +749,14 @@ void __init setup_arch(char **cmdline_p)
12378 if (!boot_params.hdr.root_flags)
12379 root_mountflags &= ~MS_RDONLY;
12380 - init_mm.start_code = (unsigned long) _text;
12381 - init_mm.end_code = (unsigned long) _etext;
12382 + init_mm.start_code = ktla_ktva((unsigned long) _text);
12383 + init_mm.end_code = ktla_ktva((unsigned long) _etext);
12384 init_mm.end_data = (unsigned long) _edata;
12385 init_mm.brk = _brk_end;
12387 - code_resource.start = virt_to_phys(_text);
12388 - code_resource.end = virt_to_phys(_etext)-1;
12389 - data_resource.start = virt_to_phys(_etext);
12390 + code_resource.start = virt_to_phys(ktla_ktva(_text));
12391 + code_resource.end = virt_to_phys(ktla_ktva(_etext))-1;
12392 + data_resource.start = virt_to_phys(_sdata);
12393 data_resource.end = virt_to_phys(_edata)-1;
12394 bss_resource.start = virt_to_phys(&__bss_start);
12395 bss_resource.end = virt_to_phys(&__bss_stop)-1;
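Review bot: With `data_resource.start` moved from `_etext` to `_sdata` while `code_resource.end` still stops at `_etext - 1`, whatever the linker places between those two symbols is no longer covered by either the code or the data resource. The layout is not visible in this hunk, but if read-only data sits in that range it would presumably drop out of the kernel's resource entries. A comment such as `/* the range between _etext and _sdata is intentionally left out of both resources */`, or a separate resource for it, would make the intent explicit. setup_arch's body starts and ends outside the hunk.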
12396 diff -urNp linux-2.6.33.1/arch/x86/kernel/setup_percpu.c linux-2.6.33.1/arch/x86/kernel/setup_percpu.c
12397 --- linux-2.6.33.1/arch/x86/kernel/setup_percpu.c 2010-03-15 12:09:39.000000000 -0400
12398 +++ linux-2.6.33.1/arch/x86/kernel/setup_percpu.c 2010-03-20 16:58:39.016512700 -0400
12399 @@ -27,19 +27,17 @@
12400 # define DBG(fmt, ...) do { if (0) pr_dbg(fmt, ##__VA_ARGS__); } while (0)
12404 DEFINE_PER_CPU(int, cpu_number);
12405 EXPORT_PER_CPU_SYMBOL(cpu_number);
12408 -#ifdef CONFIG_X86_64
12409 #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load)
12411 -#define BOOT_PERCPU_OFFSET 0
12414 DEFINE_PER_CPU(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET;
12415 EXPORT_PER_CPU_SYMBOL(this_cpu_off);
12417 -unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = {
12418 +unsigned long __per_cpu_offset[NR_CPUS] __read_only = {
12419 [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
12421 EXPORT_SYMBOL(__per_cpu_offset);
12422 @@ -161,10 +159,10 @@ static inline void setup_percpu_segment(
12424 #ifdef CONFIG_X86_32
12425 struct desc_struct gdt;
12426 + unsigned long base = per_cpu_offset(cpu);
12428 - pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF,
12429 - 0x2 | DESCTYPE_S, 0x8);
12431 + pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT,
12432 + 0x83 | DESCTYPE_S, 0xC);
12433 write_gdt_entry(get_cpu_gdt_table(cpu),
12434 GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
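Review bot: The segment limit `(VMALLOC_END - base - 1) >> PAGE_SHIFT` is computed in unsigned arithmetic, so it would silently wrap to a very large limit if `base` were ever at or above `VMALLOC_END`, which would defeat the purpose of bounding the per-CPU segment. The hunk does not show where that invariant is established, so it is worth asserting it next to the computation, e.g. `BUG_ON(base >= VMALLOC_END);`, or at least stating it in a comment. The literals `0x83 | DESCTYPE_S` and `0xC` also need a comment naming the descriptor type and flag bits they select. setup_percpu_segment's body starts and ends outside the hunk.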
12436 @@ -213,6 +211,11 @@ void __init setup_per_cpu_areas(void)
12437 /* alrighty, percpu areas up and running */
12438 delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
12439 for_each_possible_cpu(cpu) {
12440 +#ifdef CONFIG_CC_STACKPROTECTOR
12441 +#ifdef CONFIG_x86_32
12442 + unsigned long canary = per_cpu(stack_canary, cpu);
12445 per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
12446 per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
12447 per_cpu(cpu_number, cpu) = cpu;
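Review bot: The added guard `#ifdef CONFIG_x86_32` spells the symbol with a lowercase `x`, while the earlier hunk in this same file tests `CONFIG_X86_32`. Preprocessor symbols are case-sensitive, so this block is presumably never compiled and the boot CPU's `stack_canary` is not saved before the per-CPU offsets are switched. The same spelling guards `per_cpu(stack_canary, cpu) = canary;` in the following hunk, so the restore is dropped as well. Both guards should read `#ifdef CONFIG_X86_32`. setup_per_cpu_areas starts and ends outside the hunk.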
12448 @@ -240,6 +243,12 @@ void __init setup_per_cpu_areas(void)
12449 early_per_cpu_map(x86_cpu_to_node_map, cpu);
12452 +#ifdef CONFIG_CC_STACKPROTECTOR
12453 +#ifdef CONFIG_x86_32
12454 + if (cpu == boot_cpu_id)
12455 + per_cpu(stack_canary, cpu) = canary;
12459 * Up to this point, the boot CPU has been using .data.init
12460 * area. Reload any changed state for the boot CPU.
12461 diff -urNp linux-2.6.33.1/arch/x86/kernel/signal.c linux-2.6.33.1/arch/x86/kernel/signal.c
12462 --- linux-2.6.33.1/arch/x86/kernel/signal.c 2010-03-15 12:09:39.000000000 -0400
12463 +++ linux-2.6.33.1/arch/x86/kernel/signal.c 2010-03-20 16:58:39.016512700 -0400
12464 @@ -198,7 +198,7 @@ static unsigned long align_sigframe(unsi
12465 * Align the stack pointer according to the i386 ABI,
12466 * i.e. so that on function entry ((sp + 4) & 15) == 0.
12468 - sp = ((sp + 4) & -16ul) - 4;
12469 + sp = ((sp - 12) & -16ul) - 4;
12470 #else /* !CONFIG_X86_32 */
12471 sp = round_down(sp, 16) - 8;
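Review bot: The comment above the changed line still describes only the ABI alignment, so the reason for the new bias is undocumented. `((sp - 12) & -16ul) - 4` is exactly 16 bytes lower than the old `((sp + 4) & -16ul) - 4` and satisfies the same `((sp + 4) & 15) == 0` condition. The old form could return `sp` unchanged when it was already suitably aligned; if the intent is that the frame always ends strictly below the incoming `sp`, say so, e.g. `/* bias by 16 so the result is always below the incoming sp */`. align_sigframe's body starts and ends outside the hunk.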
12473 @@ -249,11 +249,11 @@ get_sigframe(struct k_sigaction *ka, str
12474 * Return an always-bogus address instead so we will die with SIGSEGV.
12476 if (onsigstack && !likely(on_sig_stack(sp)))
12477 - return (void __user *)-1L;
12478 + return (__force void __user *)-1L;
12480 /* save i387 state */
12481 if (used_math() && save_i387_xstate(*fpstate) < 0)
12482 - return (void __user *)-1L;
12483 + return (__force void __user *)-1L;
12485 return (void __user *)sp;
12487 @@ -308,9 +308,9 @@ __setup_frame(int sig, struct k_sigactio
12490 if (current->mm->context.vdso)
12491 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
12492 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
12494 - restorer = &frame->retcode;
12495 + restorer = (void __user *)&frame->retcode;
12496 if (ka->sa.sa_flags & SA_RESTORER)
12497 restorer = ka->sa.sa_restorer;
12499 @@ -324,7 +324,7 @@ __setup_frame(int sig, struct k_sigactio
12500 * reasons and because gdb uses it as a signature to notice
12501 * signal handler stack frames.
12503 - err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode);
12504 + err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode);
12508 @@ -378,7 +378,7 @@ static int __setup_rt_frame(int sig, str
12509 err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
12511 /* Set up to return from userspace. */
12512 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
12513 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
12514 if (ka->sa.sa_flags & SA_RESTORER)
12515 restorer = ka->sa.sa_restorer;
12516 put_user_ex(restorer, &frame->pretcode);
12517 @@ -390,7 +390,7 @@ static int __setup_rt_frame(int sig, str
12518 * reasons and because gdb uses it as a signature to notice
12519 * signal handler stack frames.
12521 - put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode);
12522 + put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode);
12523 } put_user_catch(err);
12526 @@ -780,7 +780,7 @@ static void do_signal(struct pt_regs *re
12527 * X86_32: vm86 regs switched out by assembly code before reaching
12528 * here, so testing against kernel CS suffices.
12530 - if (!user_mode(regs))
12531 + if (!user_mode_novm(regs))
12534 if (current_thread_info()->status & TS_RESTORE_SIGMASK)
12535 diff -urNp linux-2.6.33.1/arch/x86/kernel/smpboot.c linux-2.6.33.1/arch/x86/kernel/smpboot.c
12536 --- linux-2.6.33.1/arch/x86/kernel/smpboot.c 2010-03-15 12:09:39.000000000 -0400
12537 +++ linux-2.6.33.1/arch/x86/kernel/smpboot.c 2010-03-20 16:58:39.016512700 -0400
12538 @@ -750,7 +750,11 @@ do_rest:
12539 (unsigned long)task_stack_page(c_idle.idle) -
12540 KERNEL_STACK_OFFSET + THREAD_SIZE;
12543 + pax_open_kernel();
12544 early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
12545 + pax_close_kernel();
12547 initial_code = (unsigned long)start_secondary;
12548 stack_start.sp = (void *) c_idle.idle->thread.sp;
12550 diff -urNp linux-2.6.33.1/arch/x86/kernel/step.c linux-2.6.33.1/arch/x86/kernel/step.c
12551 --- linux-2.6.33.1/arch/x86/kernel/step.c 2010-03-15 12:09:39.000000000 -0400
12552 +++ linux-2.6.33.1/arch/x86/kernel/step.c 2010-03-20 16:58:39.016512700 -0400
12553 @@ -27,10 +27,10 @@ unsigned long convert_ip_to_linear(struc
12554 struct desc_struct *desc;
12555 unsigned long base;
12560 mutex_lock(&child->mm->context.lock);
12561 - if (unlikely((seg >> 3) >= child->mm->context.size))
12562 + if (unlikely(seg >= child->mm->context.size))
12563 addr = -1L; /* bogus selector, access would fault */
12565 desc = child->mm->context.ldt + seg;
12566 @@ -53,6 +53,9 @@ static int is_setting_trap_flag(struct t
12567 unsigned char opcode[15];
12568 unsigned long addr = convert_ip_to_linear(child, regs);
12570 + if (addr == -EINVAL)
12573 copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
12574 for (i = 0; i < copied; i++) {
12575 switch (opcode[i]) {
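Review bot: The new guard compares `addr` with `-EINVAL`, but the only failure value visible in `convert_ip_to_linear` in the previous hunk is `addr = -1L` for a bogus selector. Unless a path outside these hunks returns `-EINVAL`, the check never matches and the bogus address still reaches `access_process_vm()`. The guard should test the sentinel the helper actually produces, e.g. `if (addr == -1L)`, or the helper should be changed to return `-EINVAL` so the two agree. The statement controlled by the `if` and the rest of is_setting_trap_flag are outside the visible lines.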
12576 @@ -74,7 +77,7 @@ static int is_setting_trap_flag(struct t
12578 #ifdef CONFIG_X86_64
12579 case 0x40 ... 0x4f:
12580 - if (regs->cs != __USER_CS)
12581 + if ((regs->cs & 0xffff) != __USER_CS)
12582 /* 32-bit mode: register increment */
12584 /* 64-bit mode: REX prefix */
12585 diff -urNp linux-2.6.33.1/arch/x86/kernel/syscall_table_32.S linux-2.6.33.1/arch/x86/kernel/syscall_table_32.S
12586 --- linux-2.6.33.1/arch/x86/kernel/syscall_table_32.S 2010-03-15 12:09:39.000000000 -0400
12587 +++ linux-2.6.33.1/arch/x86/kernel/syscall_table_32.S 2010-03-20 16:58:39.016512700 -0400
12589 +.section .rodata,"a",@progbits
12590 ENTRY(sys_call_table)
12591 .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
12593 diff -urNp linux-2.6.33.1/arch/x86/kernel/sys_i386_32.c linux-2.6.33.1/arch/x86/kernel/sys_i386_32.c
12594 --- linux-2.6.33.1/arch/x86/kernel/sys_i386_32.c 2010-03-15 12:09:39.000000000 -0400
12595 +++ linux-2.6.33.1/arch/x86/kernel/sys_i386_32.c 2010-03-20 16:58:39.016512700 -0400
12598 #include <asm/syscalls.h>
12600 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
12602 + unsigned long pax_task_size = TASK_SIZE;
12604 +#ifdef CONFIG_PAX_SEGMEXEC
12605 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
12606 + pax_task_size = SEGMEXEC_TASK_SIZE;
12609 + if (len > pax_task_size || addr > pax_task_size - len)
12616 * Perform the select(nd, in, out, ex, tv) and mmap() system
12617 * calls. Linux/i386 didn't use to be able to handle more than
12618 @@ -58,6 +73,205 @@ out:
12623 +arch_get_unmapped_area(struct file *filp, unsigned long addr,
12624 + unsigned long len, unsigned long pgoff, unsigned long flags)
12626 + struct mm_struct *mm = current->mm;
12627 + struct vm_area_struct *vma;
12628 + unsigned long start_addr, pax_task_size = TASK_SIZE;
12630 +#ifdef CONFIG_PAX_SEGMEXEC
12631 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
12632 + pax_task_size = SEGMEXEC_TASK_SIZE;
12635 + if (len > pax_task_size)
12638 + if (flags & MAP_FIXED)
12641 +#ifdef CONFIG_PAX_RANDMMAP
12642 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
12646 + addr = PAGE_ALIGN(addr);
12647 + vma = find_vma(mm, addr);
12648 + if (pax_task_size - len >= addr &&
12649 + (!vma || addr + len <= vma->vm_start))
12652 + if (len > mm->cached_hole_size) {
12653 + start_addr = addr = mm->free_area_cache;
12655 + start_addr = addr = mm->mmap_base;
12656 + mm->cached_hole_size = 0;
12659 +#ifdef CONFIG_PAX_PAGEEXEC
12660 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
12661 + start_addr = 0x00110000UL;
12663 +#ifdef CONFIG_PAX_RANDMMAP
12664 + if (mm->pax_flags & MF_PAX_RANDMMAP)
12665 + start_addr += mm->delta_mmap & 0x03FFF000UL;
12668 + if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
12669 + start_addr = addr = mm->mmap_base;
12671 + addr = start_addr;
12676 + for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
12677 + /* At this point: (!vma || addr < vma->vm_end). */
12678 + if (pax_task_size - len < addr) {
12680 + * Start a new search - just in case we missed
12683 + if (start_addr != mm->mmap_base) {
12684 + start_addr = addr = mm->mmap_base;
12685 + mm->cached_hole_size = 0;
12686 + goto full_search;
12690 + if (!vma || addr + len <= vma->vm_start) {
12692 + * Remember the place where we stopped the search:
12694 + mm->free_area_cache = addr + len;
12697 + if (addr + mm->cached_hole_size < vma->vm_start)
12698 + mm->cached_hole_size = vma->vm_start - addr;
12699 + addr = vma->vm_end;
12700 + if (mm->start_brk <= addr && addr < mm->mmap_base) {
12701 + start_addr = addr = mm->mmap_base;
12702 + mm->cached_hole_size = 0;
12703 + goto full_search;
12709 +arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
12710 + const unsigned long len, const unsigned long pgoff,
12711 + const unsigned long flags)
12713 + struct vm_area_struct *vma;
12714 + struct mm_struct *mm = current->mm;
12715 + unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE;
12717 +#ifdef CONFIG_PAX_SEGMEXEC
12718 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
12719 + pax_task_size = SEGMEXEC_TASK_SIZE;
12722 + /* requested length too big for entire address space */
12723 + if (len > pax_task_size)
12726 + if (flags & MAP_FIXED)
12729 +#ifdef CONFIG_PAX_PAGEEXEC
12730 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
12734 +#ifdef CONFIG_PAX_RANDMMAP
12735 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
12738 + /* requesting a specific address */
12740 + addr = PAGE_ALIGN(addr);
12741 + vma = find_vma(mm, addr);
12742 + if (pax_task_size - len >= addr &&
12743 + (!vma || addr + len <= vma->vm_start))
12747 + /* check if free_area_cache is useful for us */
12748 + if (len <= mm->cached_hole_size) {
12749 + mm->cached_hole_size = 0;
12750 + mm->free_area_cache = mm->mmap_base;
12753 + /* either no address requested or can't fit in requested address hole */
12754 + addr = mm->free_area_cache;
12756 + /* make sure it can fit in the remaining address space */
12757 + if (addr > len) {
12758 + vma = find_vma(mm, addr-len);
12759 + if (!vma || addr <= vma->vm_start)
12760 + /* remember the address as a hint for next time */
12761 + return (mm->free_area_cache = addr-len);
12764 + if (mm->mmap_base < len)
12767 + addr = mm->mmap_base-len;
12771 + * Lookup failure means no vma is above this address,
12772 + * else if new region fits below vma->vm_start,
12773 + * return with success:
12775 + vma = find_vma(mm, addr);
12776 + if (!vma || addr+len <= vma->vm_start)
12777 + /* remember the address as a hint for next time */
12778 + return (mm->free_area_cache = addr);
12780 + /* remember the largest hole we saw so far */
12781 + if (addr + mm->cached_hole_size < vma->vm_start)
12782 + mm->cached_hole_size = vma->vm_start - addr;
12784 + /* try just below the current vma->vm_start */
12785 + addr = vma->vm_start-len;
12786 + } while (len < vma->vm_start);
12790 + * A failed mmap() very likely causes application failure,
12791 + * so fall back to the bottom-up function here. This scenario
12792 + * can happen with large stack limits and large mmap()
12796 +#ifdef CONFIG_PAX_SEGMEXEC
12797 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
12798 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
12802 + mm->mmap_base = TASK_UNMAPPED_BASE;
12804 +#ifdef CONFIG_PAX_RANDMMAP
12805 + if (mm->pax_flags & MF_PAX_RANDMMAP)
12806 + mm->mmap_base += mm->delta_mmap;
12809 + mm->free_area_cache = mm->mmap_base;
12810 + mm->cached_hole_size = ~0UL;
12811 + addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
12813 + * Restore the topdown base:
12815 + mm->mmap_base = base;
12816 + mm->free_area_cache = base;
12817 + mm->cached_hole_size = ~0UL;
12822 struct sel_arg_struct {
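Review bot: The non-NX PAGEEXEC branch of the new `arch_get_unmapped_area` hard-codes `start_addr = 0x00110000UL` and masks the random offset with `0x03FFF000UL` (bits 12 to 25 of `delta_mmap`), and neither constant is named or explained. A comment giving the reason for that base and for limiting the offset to that range, or a pair of named macros, would let a reader check how the randomised start relates to the `mm->start_brk <= start_addr && start_addr < mm->mmap_base` test that follows. The same file repeats the `pax_task_size` selection under `CONFIG_PAX_SEGMEXEC` in `i386_mmap_check`, `arch_get_unmapped_area` and `arch_get_unmapped_area_topdown`; a small static helper returning the effective task size would keep the three in step.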
12824 @@ -93,7 +307,7 @@ asmlinkage int sys_ipc(uint call, int fi
12825 return sys_semtimedop(first, (struct sembuf __user *)ptr, second, NULL);
12827 return sys_semtimedop(first, (struct sembuf __user *)ptr, second,
12828 - (const struct timespec __user *)fifth);
12829 + (__force const struct timespec __user *)fifth);
12832 return sys_semget(first, second, third);
12833 @@ -140,7 +354,7 @@ asmlinkage int sys_ipc(uint call, int fi
12834 ret = do_shmat(first, (char __user *) ptr, second, &raddr);
12837 - return put_user(raddr, (ulong __user *) third);
12838 + return put_user(raddr, (__force ulong __user *) third);
12840 case 1: /* iBCS2 emulator entry point */
12841 if (!segment_eq(get_fs(), get_ds()))
12842 diff -urNp linux-2.6.33.1/arch/x86/kernel/sys_x86_64.c linux-2.6.33.1/arch/x86/kernel/sys_x86_64.c
12843 --- linux-2.6.33.1/arch/x86/kernel/sys_x86_64.c 2010-03-15 12:09:39.000000000 -0400
12844 +++ linux-2.6.33.1/arch/x86/kernel/sys_x86_64.c 2010-03-20 16:58:39.016512700 -0400
12845 @@ -32,8 +32,8 @@ out:
12849 -static void find_start_end(unsigned long flags, unsigned long *begin,
12850 - unsigned long *end)
12851 +static void find_start_end(struct mm_struct *mm, unsigned long flags,
12852 + unsigned long *begin, unsigned long *end)
12854 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
12855 unsigned long new_begin;
12856 @@ -52,7 +52,7 @@ static void find_start_end(unsigned long
12857 *begin = new_begin;
12860 - *begin = TASK_UNMAPPED_BASE;
12861 + *begin = mm->mmap_base;
12865 @@ -69,11 +69,15 @@ arch_get_unmapped_area(struct file *filp
12866 if (flags & MAP_FIXED)
12869 - find_start_end(flags, &begin, &end);
12870 + find_start_end(mm, flags, &begin, &end);
12875 +#ifdef CONFIG_PAX_RANDMMAP
12876 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
12880 addr = PAGE_ALIGN(addr);
12881 vma = find_vma(mm, addr);
12882 @@ -128,7 +132,7 @@ arch_get_unmapped_area_topdown(struct fi
12884 struct vm_area_struct *vma;
12885 struct mm_struct *mm = current->mm;
12886 - unsigned long addr = addr0;
12887 + unsigned long base = mm->mmap_base, addr = addr0;
12889 /* requested length too big for entire address space */
12890 if (len > TASK_SIZE)
12891 @@ -141,6 +145,10 @@ arch_get_unmapped_area_topdown(struct fi
12892 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT))
12895 +#ifdef CONFIG_PAX_RANDMMAP
12896 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
12899 /* requesting a specific address */
12901 addr = PAGE_ALIGN(addr);
12902 @@ -198,13 +206,21 @@ bottomup:
12903 * can happen with large stack limits and large mmap()
12906 + mm->mmap_base = TASK_UNMAPPED_BASE;
12908 +#ifdef CONFIG_PAX_RANDMMAP
12909 + if (mm->pax_flags & MF_PAX_RANDMMAP)
12910 + mm->mmap_base += mm->delta_mmap;
12913 + mm->free_area_cache = mm->mmap_base;
12914 mm->cached_hole_size = ~0UL;
12915 - mm->free_area_cache = TASK_UNMAPPED_BASE;
12916 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
12918 * Restore the topdown base:
12920 - mm->free_area_cache = mm->mmap_base;
12921 + mm->mmap_base = base;
12922 + mm->free_area_cache = base;
12923 mm->cached_hole_size = ~0UL;
12926 diff -urNp linux-2.6.33.1/arch/x86/kernel/time.c linux-2.6.33.1/arch/x86/kernel/time.c
12927 --- linux-2.6.33.1/arch/x86/kernel/time.c 2010-03-15 12:09:39.000000000 -0400
12928 +++ linux-2.6.33.1/arch/x86/kernel/time.c 2010-03-20 16:58:39.020693949 -0400
12929 @@ -26,17 +26,13 @@
12933 -#ifdef CONFIG_X86_64
12934 -volatile unsigned long __jiffies __section_jiffies = INITIAL_JIFFIES;
12937 unsigned long profile_pc(struct pt_regs *regs)
12939 unsigned long pc = instruction_pointer(regs);
12941 - if (!user_mode_vm(regs) && in_lock_functions(pc)) {
12942 + if (!user_mode(regs) && in_lock_functions(pc)) {
12943 #ifdef CONFIG_FRAME_POINTER
12944 - return *(unsigned long *)(regs->bp + sizeof(long));
12945 + return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long)));
12947 unsigned long *sp =
12948 (unsigned long *)kernel_stack_pointer(regs);
12949 @@ -45,11 +41,17 @@ unsigned long profile_pc(struct pt_regs
12950 * or above a saved flags. Eflags has bits 22-31 zero,
12951 * kernel addresses don't.
12954 +#ifdef CONFIG_PAX_KERNEXEC
12955 + return ktla_ktva(sp[0]);
12967 diff -urNp linux-2.6.33.1/arch/x86/kernel/tls.c linux-2.6.33.1/arch/x86/kernel/tls.c
12968 --- linux-2.6.33.1/arch/x86/kernel/tls.c 2010-03-15 12:09:39.000000000 -0400
12969 +++ linux-2.6.33.1/arch/x86/kernel/tls.c 2010-03-20 16:58:39.020693949 -0400
12970 @@ -85,6 +85,11 @@ int do_set_thread_area(struct task_struc
12971 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
12974 +#ifdef CONFIG_PAX_SEGMEXEC
12975 + if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
12979 set_tls_desc(p, idx, &info, 1);
12982 diff -urNp linux-2.6.33.1/arch/x86/kernel/trampoline_32.S linux-2.6.33.1/arch/x86/kernel/trampoline_32.S
12983 --- linux-2.6.33.1/arch/x86/kernel/trampoline_32.S 2010-03-15 12:09:39.000000000 -0400
12984 +++ linux-2.6.33.1/arch/x86/kernel/trampoline_32.S 2010-03-20 16:58:39.020693949 -0400
12986 #include <asm/segment.h>
12987 #include <asm/page_types.h>
12989 +#ifdef CONFIG_PAX_KERNEXEC
12992 +#define ta(X) ((X) - __PAGE_OFFSET)
12995 /* We can free up trampoline after bootup if cpu hotplug is not supported. */
12998 @@ -60,7 +66,7 @@ r_base = .
12999 inc %ax # protected mode (PE) bit
13000 lmsw %ax # into protected mode
13001 # flush prefetch and jump to startup_32_smp in arch/i386/kernel/head.S
13002 - ljmpl $__BOOT_CS, $(startup_32_smp-__PAGE_OFFSET)
13003 + ljmpl $__BOOT_CS, $ta(startup_32_smp)
13005 # These need to be in the same 64K segment as the above;
13006 # hence we don't use the boot_gdt_descr defined in head.S
13007 diff -urNp linux-2.6.33.1/arch/x86/kernel/traps.c linux-2.6.33.1/arch/x86/kernel/traps.c
13008 --- linux-2.6.33.1/arch/x86/kernel/traps.c 2010-03-15 12:09:39.000000000 -0400
13009 +++ linux-2.6.33.1/arch/x86/kernel/traps.c 2010-03-20 16:58:39.020693949 -0400
13010 @@ -69,12 +69,6 @@ asmlinkage int system_call(void);
13012 /* Do we ignore FPU interrupts ? */
13013 char ignore_fpu_irq;
13016 - * The IDT has to be page-aligned to simplify the Pentium
13017 - * F0 0F bug workaround.
13019 -gate_desc idt_table[NR_VECTORS] __page_aligned_data = { { { { 0, 0 } } }, };
13022 DECLARE_BITMAP(used_vectors, NR_VECTORS);
13023 @@ -112,19 +106,19 @@ static inline void preempt_conditional_c
13025 die_if_kernel(const char *str, struct pt_regs *regs, long err)
13027 - if (!user_mode_vm(regs))
13028 + if (!user_mode(regs))
13029 die(str, regs, err);
13033 static void __kprobes
13034 -do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
13035 +do_trap(int trapnr, int signr, const char *str, struct pt_regs *regs,
13036 long error_code, siginfo_t *info)
13038 struct task_struct *tsk = current;
13040 #ifdef CONFIG_X86_32
13041 - if (regs->flags & X86_VM_MASK) {
13042 + if (v8086_mode(regs)) {
13044 * traps 0, 1, 3, 4, and 5 should be forwarded to vm86.
13045 * On nmi (interrupt 2), do_trap should not be called.
13046 @@ -135,7 +129,7 @@ do_trap(int trapnr, int signr, char *str
13050 - if (!user_mode(regs))
13051 + if (!user_mode_novm(regs))
13054 #ifdef CONFIG_X86_32
13055 @@ -158,7 +152,7 @@ trap_signal:
13056 printk_ratelimit()) {
13058 "%s[%d] trap %s ip:%lx sp:%lx error:%lx",
13059 - tsk->comm, tsk->pid, str,
13060 + tsk->comm, task_pid_nr(tsk), str,
13061 regs->ip, regs->sp, error_code);
13062 print_vma_addr(" in ", regs->ip);
13064 @@ -175,8 +169,20 @@ kernel_trap:
13065 if (!fixup_exception(regs)) {
13066 tsk->thread.error_code = error_code;
13067 tsk->thread.trap_no = trapnr;
13069 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
13070 + if (trapnr == 12 && ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS))
13071 + str = "PAX: suspicious stack segment fault";
13074 die(str, regs, error_code);
13077 +#ifdef CONFIG_PAX_REFCOUNT
13079 + pax_report_refcount_overflow(regs);
13084 #ifdef CONFIG_X86_32
13085 @@ -265,14 +271,30 @@ do_general_protection(struct pt_regs *re
13086 conditional_sti(regs);
13088 #ifdef CONFIG_X86_32
13089 - if (regs->flags & X86_VM_MASK)
13090 + if (v8086_mode(regs))
13095 - if (!user_mode(regs))
13096 + if (!user_mode_novm(regs))
13099 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
13100 + if (!(__supported_pte_mask & _PAGE_NX) && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
13101 + struct mm_struct *mm = tsk->mm;
13102 + unsigned long limit;
13104 + down_write(&mm->mmap_sem);
13105 + limit = mm->context.user_cs_limit;
13106 + if (limit < TASK_SIZE) {
13107 + track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
13108 + up_write(&mm->mmap_sem);
13111 + up_write(&mm->mmap_sem);
13115 tsk->thread.error_code = error_code;
13116 tsk->thread.trap_no = 13;
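Review bot: The added PAGEEXEC block takes `mm->mmap_sem` with `down_write()`, which can sleep, and the only interrupt handling visible before it is `conditional_sti(regs)`, whose effect depends on the flags of the interrupted context. The control flow between the user-mode test and this block is not fully visible here, so it should be confirmed that the block is only reached with interrupts enabled. Otherwise the code should enable them explicitly before taking the semaphore, or carry a comment such as `/* user-mode fault, interrupts enabled: sleeping on mmap_sem is safe */`. do_general_protection starts and ends outside the hunk.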
13118 @@ -305,6 +327,13 @@ gp_in_kernel:
13119 if (notify_die(DIE_GPF, "general protection fault", regs,
13120 error_code, 13, SIGSEGV) == NOTIFY_STOP)
13123 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
13124 + if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)
13125 + die("PAX: suspicious general protection fault", regs, error_code);
13129 die("general protection fault", regs, error_code);
13132 @@ -556,7 +585,7 @@ dotraplinkage void __kprobes do_debug(st
13133 /* It's safe to allow irq's after DR6 has been saved */
13134 preempt_conditional_sti(regs);
13136 - if (regs->flags & X86_VM_MASK) {
13137 + if (v8086_mode(regs)) {
13138 handle_vm86_trap((struct kernel_vm86_regs *) regs,
13141 @@ -569,7 +598,7 @@ dotraplinkage void __kprobes do_debug(st
13142 * We already checked v86 mode above, so we can check for kernel mode
13143 * by just checking the CPL of CS.
13145 - if ((dr6 & DR_STEP) && !user_mode(regs)) {
13146 + if ((dr6 & DR_STEP) && !user_mode_novm(regs)) {
13147 tsk->thread.debugreg6 &= ~DR_STEP;
13148 set_tsk_thread_flag(tsk, TIF_SINGLESTEP);
13149 regs->flags &= ~X86_EFLAGS_TF;
13150 @@ -736,7 +765,7 @@ do_simd_coprocessor_error(struct pt_regs
13151 * Handle strange cache flush from user space exception
13152 * in all other cases. This is undocumented behaviour.
13154 - if (regs->flags & X86_VM_MASK) {
13155 + if (v8086_mode(regs)) {
13156 handle_vm86_fault((struct kernel_vm86_regs *)regs, error_code);
13159 diff -urNp linux-2.6.33.1/arch/x86/kernel/tsc.c linux-2.6.33.1/arch/x86/kernel/tsc.c
13160 --- linux-2.6.33.1/arch/x86/kernel/tsc.c 2010-03-15 12:09:39.000000000 -0400
13161 +++ linux-2.6.33.1/arch/x86/kernel/tsc.c 2010-03-20 16:58:39.020693949 -0400
13162 @@ -795,7 +795,7 @@ static struct dmi_system_id __initdata b
13163 DMI_MATCH(DMI_BOARD_NAME, "2635FA0"),
13167 + { NULL, NULL, {{0, {0}}}, NULL}
13170 static void __init check_system_tsc_reliable(void)
13171 diff -urNp linux-2.6.33.1/arch/x86/kernel/vm86_32.c linux-2.6.33.1/arch/x86/kernel/vm86_32.c
13172 --- linux-2.6.33.1/arch/x86/kernel/vm86_32.c 2010-03-15 12:09:39.000000000 -0400
13173 +++ linux-2.6.33.1/arch/x86/kernel/vm86_32.c 2010-03-20 16:58:39.020693949 -0400
13175 #include <linux/ptrace.h>
13176 #include <linux/audit.h>
13177 #include <linux/stddef.h>
13178 +#include <linux/grsecurity.h>
13180 #include <asm/uaccess.h>
13181 #include <asm/io.h>
13182 @@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct ke
13186 - tss = &per_cpu(init_tss, get_cpu());
13187 + tss = init_tss + get_cpu();
13188 current->thread.sp0 = current->thread.saved_sp0;
13189 current->thread.sysenter_cs = __KERNEL_CS;
13190 load_sp0(tss, ¤t->thread);
13191 @@ -207,6 +208,13 @@ int sys_vm86old(struct vm86_struct __use
13192 struct task_struct *tsk;
13193 int tmp, ret = -EPERM;
13195 +#ifdef CONFIG_GRKERNSEC_VM86
13196 + if (!capable(CAP_SYS_RAWIO)) {
13197 + gr_handle_vm86();
13203 if (tsk->thread.saved_sp0)
13205 @@ -237,6 +245,14 @@ int sys_vm86(unsigned long cmd, unsigned
13207 struct vm86plus_struct __user *v86;
13209 +#ifdef CONFIG_GRKERNSEC_VM86
13210 + if (!capable(CAP_SYS_RAWIO)) {
13211 + gr_handle_vm86();
13219 case VM86_REQUEST_IRQ:
13220 @@ -323,7 +339,7 @@ static void do_sys_vm86(struct kernel_vm
13221 tsk->thread.saved_fs = info->regs32->fs;
13222 tsk->thread.saved_gs = get_user_gs(info->regs32);
13224 - tss = &per_cpu(init_tss, get_cpu());
13225 + tss = init_tss + get_cpu();
13226 tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
13228 tsk->thread.sysenter_cs = 0;
13229 @@ -528,7 +544,7 @@ static void do_int(struct kernel_vm86_re
13230 goto cannot_handle;
13231 if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
13232 goto cannot_handle;
13233 - intr_ptr = (unsigned long __user *) (i << 2);
13234 + intr_ptr = (__force unsigned long __user *) (i << 2);
13235 if (get_user(segoffs, intr_ptr))
13236 goto cannot_handle;
13237 if ((segoffs >> 16) == BIOSSEG)
13238 diff -urNp linux-2.6.33.1/arch/x86/kernel/vmi_32.c linux-2.6.33.1/arch/x86/kernel/vmi_32.c
13239 --- linux-2.6.33.1/arch/x86/kernel/vmi_32.c 2010-03-15 12:09:39.000000000 -0400
13240 +++ linux-2.6.33.1/arch/x86/kernel/vmi_32.c 2010-03-20 16:58:39.020693949 -0400
13241 @@ -44,12 +44,17 @@ typedef u32 __attribute__((regparm(1)))
13242 typedef u64 __attribute__((regparm(2))) (VROMLONGFUNC)(int);
13244 #define call_vrom_func(rom,func) \
13245 - (((VROMFUNC *)(rom->func))())
13246 + (((VROMFUNC *)(ktva_ktla(rom.func)))())
13248 #define call_vrom_long_func(rom,func,arg) \
13249 - (((VROMLONGFUNC *)(rom->func)) (arg))
13251 + u64 __reloc = ((VROMLONGFUNC *)(ktva_ktla(rom.func))) (arg);\
13252 + struct vmi_relocation_info *const __rel = (struct vmi_relocation_info *)&__reloc;\
13253 + __rel->eip = (unsigned char *)ktva_ktla((unsigned long)__rel->eip);\
13257 -static struct vrom_header *vmi_rom;
13258 +static struct vrom_header vmi_rom __attribute((__section__(".vmi.rom"), __aligned__(PAGE_SIZE)));
13259 static int disable_pge;
13260 static int disable_pse;
13261 static int disable_sep;
13262 @@ -76,10 +81,10 @@ static struct {
13263 void (*set_initial_ap_state)(int, int);
13264 void (*halt)(void);
13265 void (*set_lazy_mode)(int mode);
13267 +} vmi_ops __read_only;
13269 /* Cached VMI operations */
13270 -struct vmi_timer_ops vmi_timer_ops;
13271 +struct vmi_timer_ops vmi_timer_ops __read_only;
13274 * VMI patching routines.
13275 @@ -94,7 +99,7 @@ struct vmi_timer_ops vmi_timer_ops;
13276 static inline void patch_offset(void *insnbuf,
13277 unsigned long ip, unsigned long dest)
13279 - *(unsigned long *)(insnbuf+1) = dest-ip-5;
13280 + *(unsigned long *)(insnbuf+1) = dest-ip-5;
13283 static unsigned patch_internal(int call, unsigned len, void *insnbuf,
13284 @@ -102,6 +107,7 @@ static unsigned patch_internal(int call,
13287 struct vmi_relocation_info *const rel = (struct vmi_relocation_info *)&reloc;
13289 reloc = call_vrom_long_func(vmi_rom, get_reloc, call);
13290 switch(rel->type) {
13291 case VMI_RELOCATION_CALL_REL:
13292 @@ -404,13 +410,13 @@ static void vmi_set_pud(pud_t *pudp, pud
13294 static void vmi_pte_clear(struct mm_struct *mm, unsigned long addr, pte_t *ptep)
13296 - const pte_t pte = { .pte = 0 };
13297 + const pte_t pte = __pte(0ULL);
13298 vmi_ops.set_pte(pte, ptep, vmi_flags_addr(mm, addr, VMI_PAGE_PT, 0));
13301 static void vmi_pmd_clear(pmd_t *pmd)
13303 - const pte_t pte = { .pte = 0 };
13304 + const pte_t pte = __pte(0ULL);
13305 vmi_ops.set_pte(pte, (pte_t *)pmd, VMI_PAGE_PD);
13308 @@ -438,8 +444,8 @@ vmi_startup_ipi_hook(int phys_apicid, un
13309 ap.ss = __KERNEL_DS;
13310 ap.esp = (unsigned long) start_esp;
13312 - ap.ds = __USER_DS;
13313 - ap.es = __USER_DS;
13314 + ap.ds = __KERNEL_DS;
13315 + ap.es = __KERNEL_DS;
13316 ap.fs = __KERNEL_PERCPU;
13317 ap.gs = __KERNEL_STACK_CANARY;
13319 @@ -486,6 +492,18 @@ static void vmi_leave_lazy_mmu(void)
13320 paravirt_leave_lazy_mmu();
13323 +#ifdef CONFIG_PAX_KERNEXEC
13324 +static unsigned long vmi_pax_open_kernel(void)
13329 +static unsigned long vmi_pax_close_kernel(void)
13335 static inline int __init check_vmi_rom(struct vrom_header *rom)
13337 struct pci_header *pci;
13338 @@ -498,6 +516,10 @@ static inline int __init check_vmi_rom(s
13340 if (rom->vrom_signature != VMI_SIGNATURE)
13342 + if (rom->rom_length * 512 > sizeof(*rom)) {
13343 + printk(KERN_WARNING "PAX: VMI: ROM size too big: %x\n", rom->rom_length * 512);
13346 if (rom->api_version_maj != VMI_API_REV_MAJOR ||
13347 rom->api_version_min+1 < VMI_API_REV_MINOR+1) {
13348 printk(KERN_WARNING "VMI: Found mismatched rom version %d.%d\n",
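Review bot: The new size check carries no comment saying why a ROM larger than `struct vrom_header` is rejected. From the later `probe_vmi_rom` hunk, where `vmi_rom = *romstart;` copies the header by value, the reason appears to be that the ROM must now fit in the static `vmi_rom` object; a comment such as `/* the ROM is copied into the static vmi_rom, so it must fit in struct vrom_header */` would record that. The warning also prints `rom->rom_length * 512` with `%x`, and the type of `rom_length` is not visible here, so casting the argument, `(unsigned int)(rom->rom_length * 512)`, would keep the format and the argument in agreement. check_vmi_rom starts and ends outside the hunk.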
13349 @@ -562,7 +584,7 @@ static inline int __init probe_vmi_rom(v
13350 struct vrom_header *romstart;
13351 romstart = (struct vrom_header *)isa_bus_to_virt(base);
13352 if (check_vmi_rom(romstart)) {
13353 - vmi_rom = romstart;
13354 + vmi_rom = *romstart;
13358 @@ -836,6 +858,11 @@ static inline int __init activate_vmi(vo
13360 para_fill(pv_irq_ops.safe_halt, Halt);
13362 +#ifdef CONFIG_PAX_KERNEXEC
13363 + pv_mmu_ops.pax_open_kernel = vmi_pax_open_kernel;
13364 + pv_mmu_ops.pax_close_kernel = vmi_pax_close_kernel;
13368 * Alternative instruction rewriting doesn't happen soon enough
13369 * to convert VMI_IRET to a call instead of a jump; so we have
13370 @@ -853,16 +880,16 @@ static inline int __init activate_vmi(vo
13372 void __init vmi_init(void)
13375 + if (!vmi_rom.rom_signature)
13378 - check_vmi_rom(vmi_rom);
13379 + check_vmi_rom(&vmi_rom);
13381 /* In case probing for or validating the ROM failed, basil */
13383 + if (!vmi_rom.rom_signature)
13386 - reserve_top_address(-vmi_rom->virtual_top);
13387 + reserve_top_address(-vmi_rom.virtual_top);
13389 #ifdef CONFIG_X86_IO_APIC
13390 /* This is virtual hardware; timer routing is wired correctly */
13391 @@ -874,7 +901,7 @@ void __init vmi_activate(void)
13393 unsigned long flags;
13396 + if (!vmi_rom.rom_signature)
13399 local_irq_save(flags);
13400 diff -urNp linux-2.6.33.1/arch/x86/kernel/vmlinux.lds.S linux-2.6.33.1/arch/x86/kernel/vmlinux.lds.S
13401 --- linux-2.6.33.1/arch/x86/kernel/vmlinux.lds.S 2010-03-15 12:09:39.000000000 -0400
13402 +++ linux-2.6.33.1/arch/x86/kernel/vmlinux.lds.S 2010-03-20 16:58:39.020693949 -0400
13404 #include <asm/page_types.h>
13405 #include <asm/cache.h>
13406 #include <asm/boot.h>
13407 +#include <asm/segment.h>
13411 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
13412 +#define PMD_SHIFT 21
13414 +#define PMD_SHIFT 22
13416 +#define PMD_SIZE (1 << PMD_SHIFT)
13418 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
13419 +#define __KERNEL_TEXT_OFFSET (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR)
13421 +#define __KERNEL_TEXT_OFFSET 0
13424 #undef i386 /* in case the preprocessor is a 32bit one */
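Review bot: `PMD_SHIFT` and `PMD_SIZE` are defined here from literal values (21 or 22) rather than taken from the page-table headers, so the linker script and the C code can drift apart without any build error. These macros drive the KERNEXEC alignment of the text/data boundary later in the file, so a mismatch would quietly misplace the boundary that separates write-protected from writable memory. If the page-table headers cannot be included from a linker script, say so next to the definitions, for example `/* keep in sync with PMD_SHIFT in the pgtable headers, which cannot be included here */`. `1 << PMD_SHIFT` is an int expression; that is fine for 21 and 22 but worth writing as `(1UL << PMD_SHIFT)` to match how the C headers usually define sizes.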
13426 @@ -34,13 +50,13 @@ OUTPUT_FORMAT(CONFIG_OUTPUT_FORMAT, CONF
13427 #ifdef CONFIG_X86_32
13429 ENTRY(phys_startup_32)
13430 -jiffies = jiffies_64;
13432 OUTPUT_ARCH(i386:x86-64)
13433 ENTRY(phys_startup_64)
13434 -jiffies_64 = jiffies;
13437 +jiffies = jiffies_64;
13439 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
13441 * On 64-bit, align RODATA to 2MB so that even with CONFIG_DEBUG_RODATA
13442 @@ -69,31 +85,46 @@ jiffies_64 = jiffies;
13445 text PT_LOAD FLAGS(5); /* R_E */
13446 - data PT_LOAD FLAGS(7); /* RWE */
13448 + rodata PT_LOAD FLAGS(5); /* R_E */
13450 + rodata PT_LOAD FLAGS(4); /* R__ */
13452 +#ifdef CONFIG_X86_32
13453 + module PT_LOAD FLAGS(5); /* R_E */
13455 + data PT_LOAD FLAGS(6); /* RW_ */
13456 #ifdef CONFIG_X86_64
13457 user PT_LOAD FLAGS(5); /* R_E */
13459 + init.begin PT_LOAD FLAGS(6); /* RW_ */
13461 percpu PT_LOAD FLAGS(6); /* RW_ */
13463 + text.init PT_LOAD FLAGS(5); /* R_E */
13464 + text.exit PT_LOAD FLAGS(5); /* R_E */
13465 init PT_LOAD FLAGS(7); /* RWE */
13467 note PT_NOTE FLAGS(0); /* ___ */
13472 #ifdef CONFIG_X86_32
13473 - . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
13474 - phys_startup_32 = startup_32 - LOAD_OFFSET;
13475 + . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
13477 - . = __START_KERNEL;
13478 - phys_startup_64 = startup_64 - LOAD_OFFSET;
13479 + . = __START_KERNEL;
13482 /* Text and read-only data */
13483 - .text : AT(ADDR(.text) - LOAD_OFFSET) {
13485 + .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
13486 /* bootstrapping code */
13487 +#ifdef CONFIG_X86_32
13488 + phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
13490 + phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
13492 + __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
13495 #ifdef CONFIG_X86_32
13496 . = ALIGN(PAGE_SIZE);
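Review bot: The `init` program header keeps `FLAGS(7)` (RWE) even though init and exit text now get their own `text.init` and `text.exit` headers marked R_E. A later hunk places `INIT_DATA_SECTION(16)` in `:init`, which suggests `init` now holds data only. If no executable section remains assigned to it, `init PT_LOAD FLAGS(6); /* RW_ */` would match the W^X split the rest of the header list establishes. The sections that follow `:init` are only partly visible on this page, so this needs checking against the full script. `rodata` also appears twice with different flags; the preprocessor conditionals around those two lines are not visible here and deserve a short comment naming which configuration gets which.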
13497 @@ -108,30 +139,66 @@ SECTIONS
13501 - /* End of text section */
13505 - NOTES :text :note
13506 + . += __KERNEL_TEXT_OFFSET;
13508 + . = ALIGN(PAGE_SIZE);
13509 + NOTES :rodata :note
13511 - EXCEPTION_TABLE(16) :text = 0x9090
13512 + EXCEPTION_TABLE(16) :rodata
13514 X64_ALIGN_DEBUG_RODATA_BEGIN
13516 X64_ALIGN_DEBUG_RODATA_END
13518 +#ifdef CONFIG_X86_32
13519 + . = ALIGN(PAGE_SIZE);
13520 + .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
13522 + . = ALIGN(PAGE_SIZE);
13523 + *(.empty_zero_page)
13524 + *(.swapper_pg_pmd)
13525 + *(.swapper_pg_dir)
13528 + . = ALIGN(PAGE_SIZE);
13529 + .vmi.rom : AT(ADDR(.vmi.rom) - LOAD_OFFSET) {
13533 + . = ALIGN(PAGE_SIZE);
13534 + .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
13536 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_MODULES)
13537 + MODULES_EXEC_VADDR = .;
13539 + . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
13540 + . = ALIGN(PMD_SIZE);
13541 + MODULES_EXEC_END = . - 1;
13548 .data : AT(ADDR(.data) - LOAD_OFFSET) {
13549 + /* End of text section */
13550 + _etext = . - __KERNEL_TEXT_OFFSET;
13552 +#ifdef CONFIG_PAX_KERNEXEC
13553 + . = ALIGN(PMD_SIZE);
13555 + . = ALIGN(PAGE_SIZE);
13558 /* Start of data section */
13562 INIT_TASK_DATA(THREAD_SIZE)
13564 -#ifdef CONFIG_X86_32
13565 - /* 32 bit has nosave before _edata */
13569 PAGE_ALIGNED_DATA(PAGE_SIZE)
13571 @@ -194,12 +261,6 @@ SECTIONS
13573 vgetcpu_mode = VVIRT(.vgetcpu_mode);
13575 - . = ALIGN(L1_CACHE_BYTES);
13576 - .jiffies : AT(VLOAD(.jiffies)) {
13579 - jiffies = VVIRT(.jiffies);
13581 .vsyscall_3 ADDR(.vsyscall_0) + 3072: AT(VLOAD(.vsyscall_3)) {
13584 @@ -215,12 +276,19 @@ SECTIONS
13585 #endif /* CONFIG_X86_64 */
13587 /* Init code and data - will be freed after init */
13588 - . = ALIGN(PAGE_SIZE);
13589 .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
13592 +#ifdef CONFIG_PAX_KERNEXEC
13593 + . = ALIGN(PMD_SIZE);
13595 + . = ALIGN(PAGE_SIZE);
13598 __init_begin = .; /* paired with __init_end */
13602 -#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
13605 * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
13606 * output PHDR, so the next output section - .init.text - should
13607 @@ -229,12 +297,27 @@ SECTIONS
13608 PERCPU_VADDR(0, :percpu)
13611 - INIT_TEXT_SECTION(PAGE_SIZE)
13612 -#ifdef CONFIG_X86_64
13615 + . = ALIGN(PAGE_SIZE);
13617 + .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
13618 + VMLINUX_SYMBOL(_sinittext) = .;
13620 + VMLINUX_SYMBOL(_einittext) = .;
13621 + . = ALIGN(PAGE_SIZE);
13625 + * .exit.text is discard at runtime, not link time, to deal with
13626 + * references from .altinstructions and .eh_frame
13628 + .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
13632 + . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
13634 - INIT_DATA_SECTION(16)
13635 + . = ALIGN(PAGE_SIZE);
13636 + INIT_DATA_SECTION(16) :init
13638 .x86_cpu_dev.init : AT(ADDR(.x86_cpu_dev.init) - LOAD_OFFSET) {
13639 __x86_cpu_dev_start = .;
13640 @@ -260,19 +343,11 @@ SECTIONS
13641 *(.altinstr_replacement)
13645 - * .exit.text is discard at runtime, not link time, to deal with
13646 - * references from .altinstructions and .eh_frame
13648 - .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
13652 .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) {
13656 -#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP)
13657 +#ifndef CONFIG_SMP
13661 @@ -295,12 +370,6 @@ SECTIONS
13662 . = ALIGN(PAGE_SIZE);
13665 -#ifdef CONFIG_X86_64
13666 - .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) {
13672 . = ALIGN(PAGE_SIZE);
13673 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
13674 @@ -316,6 +385,7 @@ SECTIONS
13676 . += 64 * 1024; /* 64k alignment slop space */
13677 *(.brk_reservation) /* areas brk users have reserved */
13678 + . = ALIGN(PMD_SIZE);
13682 @@ -342,13 +412,12 @@ SECTIONS
13683 * for the boot processor.
13685 #define INIT_PER_CPU(x) init_per_cpu__##x = per_cpu__##x + __per_cpu_load
13686 -INIT_PER_CPU(gdt_page);
13687 INIT_PER_CPU(irq_stack_union);
13690 * Build-time check on the image size:
13692 -. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE),
13693 +. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
13694 "kernel image bigger than KERNEL_IMAGE_SIZE");
13697 diff -urNp linux-2.6.33.1/arch/x86/kernel/vsyscall_64.c linux-2.6.33.1/arch/x86/kernel/vsyscall_64.c
13698 --- linux-2.6.33.1/arch/x86/kernel/vsyscall_64.c 2010-03-15 12:09:39.000000000 -0400
13699 +++ linux-2.6.33.1/arch/x86/kernel/vsyscall_64.c 2010-03-20 16:58:39.020693949 -0400
13700 @@ -80,6 +80,7 @@ void update_vsyscall(struct timespec *wa
13702 write_seqlock_irqsave(&vsyscall_gtod_data.lock, flags);
13703 /* copy vsyscall data */
13704 + strlcpy(vsyscall_gtod_data.clock.name, clock->name, sizeof vsyscall_gtod_data.clock.name);
13705 vsyscall_gtod_data.clock.vread = clock->vread;
13706 vsyscall_gtod_data.clock.cycle_last = clock->cycle_last;
13707 vsyscall_gtod_data.clock.mask = clock->mask;
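Review bot: The added `strlcpy` ignores its return value, so a clocksource name longer than `vsyscall_gtod_data.clock.name` is truncated silently. strlcpy returns the length of the source string, so comparing it with `sizeof vsyscall_gtod_data.clock.name` is enough to detect truncation and warn once. The copy also runs inside the `write_seqlock_irqsave` section and walks the whole source string, so it assumes `clock->name` is NUL-terminated and short; a one-line comment stating that would help. update_vsyscall starts and ends outside this hunk.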
13708 @@ -203,7 +204,7 @@ vgetcpu(unsigned *cpu, unsigned *node, s
13709 We do this here because otherwise user space would do it on
13710 its own in a likely inferior way (no access to jiffies).
13711 If you don't like it pass NULL. */
13712 - if (tcache && tcache->blob[0] == (j = __jiffies)) {
13713 + if (tcache && tcache->blob[0] == (j = jiffies)) {
13714 p = tcache->blob[1];
13715 } else if (__vgetcpu_mode == VGETCPU_RDTSCP) {
13716 /* Load per CPU data from RDTSCP */
13717 diff -urNp linux-2.6.33.1/arch/x86/kernel/x8664_ksyms_64.c linux-2.6.33.1/arch/x86/kernel/x8664_ksyms_64.c
13718 --- linux-2.6.33.1/arch/x86/kernel/x8664_ksyms_64.c 2010-03-15 12:09:39.000000000 -0400
13719 +++ linux-2.6.33.1/arch/x86/kernel/x8664_ksyms_64.c 2010-03-20 16:58:39.020693949 -0400
13720 @@ -28,8 +28,6 @@ EXPORT_SYMBOL(__put_user_8);
13722 EXPORT_SYMBOL(copy_user_generic);
13723 EXPORT_SYMBOL(__copy_user_nocache);
13724 -EXPORT_SYMBOL(_copy_from_user);
13725 -EXPORT_SYMBOL(_copy_to_user);
13727 EXPORT_SYMBOL(copy_page);
13728 EXPORT_SYMBOL(clear_page);
13729 diff -urNp linux-2.6.33.1/arch/x86/kernel/xsave.c linux-2.6.33.1/arch/x86/kernel/xsave.c
13730 --- linux-2.6.33.1/arch/x86/kernel/xsave.c 2010-03-15 12:09:39.000000000 -0400
13731 +++ linux-2.6.33.1/arch/x86/kernel/xsave.c 2010-03-20 16:58:39.020693949 -0400
13732 @@ -54,7 +54,7 @@ int check_for_xstate(struct i387_fxsave_
13733 fx_sw_user->xstate_size > fx_sw_user->extended_size)
13736 - err = __get_user(magic2, (__u32 *) (((void *)fpstate) +
13737 + err = __get_user(magic2, (__u32 __user *) (((void __user *)fpstate) +
13738 fx_sw_user->extended_size -
13739 FP_XSTATE_MAGIC2_SIZE));
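Review bot: `__get_user` performs no range check of its own, and the address it reads here is built from `fx_sw_user->extended_size`, which comes from the user-supplied frame. The only visible condition bounds that field from below (`xstate_size > extended_size` is rejected), not from above. Unless a caller outside this hunk has already run access_ok over the whole `fpstate + extended_size` range, the checking variant is the safer choice: `err = get_user(magic2, (__u32 __user *)(((void __user *)fpstate) + fx_sw_user->extended_size - FP_XSTATE_MAGIC2_SIZE));`. The `__user` annotations this hunk adds are right for sparse but do not change the runtime behaviour. check_for_xstate starts and ends outside the hunk.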
13741 @@ -196,7 +196,7 @@ fx_only:
13742 * the other extended state.
13744 xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE);
13745 - return fxrstor_checking((__force struct i387_fxsave_struct *)buf);
13746 + return fxrstor_checking((struct i387_fxsave_struct __user *)buf);
13750 @@ -228,7 +228,7 @@ int restore_i387_xstate(void __user *buf
13751 if (task_thread_info(tsk)->status & TS_XSAVE)
13752 err = restore_user_xstate(buf);
13754 - err = fxrstor_checking((__force struct i387_fxsave_struct *)
13755 + err = fxrstor_checking((struct i387_fxsave_struct __user *)
13757 if (unlikely(err)) {
13759 diff -urNp linux-2.6.33.1/arch/x86/kvm/emulate.c linux-2.6.33.1/arch/x86/kvm/emulate.c
13760 --- linux-2.6.33.1/arch/x86/kvm/emulate.c 2010-03-15 12:09:39.000000000 -0400
13761 +++ linux-2.6.33.1/arch/x86/kvm/emulate.c 2010-03-20 16:58:39.024538149 -0400
13762 @@ -413,6 +413,7 @@ static u32 group2_table[] = {
13764 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix) \
13766 + unsigned long _tmp; \
13767 __asm__ __volatile__ ( \
13768 _PRE_EFLAGS("0", "4", "2") \
13769 _op _suffix " %"_x"3,%1; " \
13770 @@ -426,8 +427,6 @@ static u32 group2_table[] = {
13771 /* Raw emulation: instruction has two explicit operands. */
13772 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
13774 - unsigned long _tmp; \
13776 switch ((_dst).bytes) { \
13778 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
13779 @@ -443,7 +442,6 @@ static u32 group2_table[] = {
13781 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
13783 - unsigned long _tmp; \
13784 switch ((_dst).bytes) { \
13786 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \
13787 diff -urNp linux-2.6.33.1/arch/x86/kvm/svm.c linux-2.6.33.1/arch/x86/kvm/svm.c
13788 --- linux-2.6.33.1/arch/x86/kvm/svm.c 2010-03-15 12:09:39.000000000 -0400
13789 +++ linux-2.6.33.1/arch/x86/kvm/svm.c 2010-03-20 16:58:39.024538149 -0400
13790 @@ -2428,7 +2428,11 @@ static void reload_tss(struct kvm_vcpu *
13791 int cpu = raw_smp_processor_id();
13793 struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
13795 + pax_open_kernel();
13796 sd->tss_desc->type = 9; /* available 32/64-bit TSS */
13797 + pax_close_kernel();
13802 @@ -2910,7 +2914,7 @@ static bool svm_gb_page_enable(void)
13806 -static struct kvm_x86_ops svm_x86_ops = {
13807 +static const struct kvm_x86_ops svm_x86_ops = {
13808 .cpu_has_kvm_support = has_svm,
13809 .disabled_by_bios = is_disabled,
13810 .hardware_setup = svm_hardware_setup,
13811 diff -urNp linux-2.6.33.1/arch/x86/kvm/vmx.c linux-2.6.33.1/arch/x86/kvm/vmx.c
13812 --- linux-2.6.33.1/arch/x86/kvm/vmx.c 2010-03-15 12:09:39.000000000 -0400
13813 +++ linux-2.6.33.1/arch/x86/kvm/vmx.c 2010-03-20 16:58:39.024538149 -0400
13814 @@ -580,7 +580,11 @@ static void reload_tss(void)
13817 descs = (void *)gdt.base;
13819 + pax_open_kernel();
13820 descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
13821 + pax_close_kernel();
13826 @@ -1385,8 +1389,11 @@ static __init int hardware_setup(void)
13827 if (!cpu_has_vmx_flexpriority())
13828 flexpriority_enabled = 0;
13830 - if (!cpu_has_vmx_tpr_shadow())
13831 - kvm_x86_ops->update_cr8_intercept = NULL;
13832 + if (!cpu_has_vmx_tpr_shadow()) {
13833 + pax_open_kernel();
13834 + *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
13835 + pax_close_kernel();
13838 if (enable_ept && !cpu_has_vmx_ept_2m_page())
13839 kvm_disable_largepages();
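Review bot: `*(void **)&kvm_x86_ops->update_cr8_intercept = NULL;` casts away `const` to store into an object that a later hunk of this file defines as `static const struct kvm_x86_ops vmx_x86_ops` (presumably the table `kvm_x86_ops` points at). Modifying a const-defined object is undefined behaviour in C even while pax_open_kernel() has made the page writable, and the compiler may assume the member never changes. Keeping the table immutable avoids both the cast and the write window: leave the callback installed and have it return early when `!cpu_has_vmx_tpr_shadow()`, or record the capability in a separate writable flag that the caller tests. hardware_setup continues outside this hunk.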
13840 @@ -2357,7 +2364,7 @@ static int vmx_vcpu_setup(struct vcpu_vm
13841 vmcs_writel(HOST_IDTR_BASE, dt.base); /* 22.2.4 */
13843 asm("mov $.Lkvm_vmx_return, %0" : "=r"(kvm_vmx_return));
13844 - vmcs_writel(HOST_RIP, kvm_vmx_return); /* 22.2.5 */
13845 + vmcs_writel(HOST_RIP, ktla_ktva(kvm_vmx_return)); /* 22.2.5 */
13846 vmcs_write32(VM_EXIT_MSR_STORE_COUNT, 0);
13847 vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, 0);
13848 vmcs_write32(VM_ENTRY_MSR_LOAD_COUNT, 0);
13849 @@ -3742,6 +3749,12 @@ static void vmx_vcpu_run(struct kvm_vcpu
13850 "jmp .Lkvm_vmx_return \n\t"
13851 ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t"
13852 ".Lkvm_vmx_return: "
13854 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
13855 + "ljmp %[cs],$.Lkvm_vmx_return2\n\t"
13856 + ".Lkvm_vmx_return2: "
13859 /* Save guest registers, load host registers, keep flags */
13860 "xchg %0, (%%"R"sp) \n\t"
13861 "mov %%"R"ax, %c[rax](%0) \n\t"
13862 @@ -3788,6 +3801,11 @@ static void vmx_vcpu_run(struct kvm_vcpu
13863 [r15]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_R15])),
13865 [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2))
13867 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
13868 + ,[cs]"i"(__KERNEL_CS)
13872 , R"bx", R"di", R"si"
13873 #ifdef CONFIG_X86_64
13874 @@ -3806,7 +3824,7 @@ static void vmx_vcpu_run(struct kvm_vcpu
13875 if (vmx->rmode.irq.pending)
13876 fixup_rmode_irq(vmx);
13878 - asm("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
13879 + asm("mov %0, %%ds; mov %0, %%es" : : "r"(__KERNEL_DS));
13882 vmx_complete_interrupts(vmx);
13883 @@ -3974,7 +3992,7 @@ static bool vmx_gb_page_enable(void)
13887 -static struct kvm_x86_ops vmx_x86_ops = {
13888 +static const struct kvm_x86_ops vmx_x86_ops = {
13889 .cpu_has_kvm_support = cpu_has_kvm_support,
13890 .disabled_by_bios = vmx_disabled_by_bios,
13891 .hardware_setup = hardware_setup,
13892 diff -urNp linux-2.6.33.1/arch/x86/kvm/x86.c linux-2.6.33.1/arch/x86/kvm/x86.c
13893 --- linux-2.6.33.1/arch/x86/kvm/x86.c 2010-03-15 12:09:39.000000000 -0400
13894 +++ linux-2.6.33.1/arch/x86/kvm/x86.c 2010-03-20 16:58:39.024538149 -0400
13895 @@ -83,7 +83,7 @@ static void update_cr8_intercept(struct
13896 static int kvm_dev_ioctl_get_supported_cpuid(struct kvm_cpuid2 *cpuid,
13897 struct kvm_cpuid_entry2 __user *entries);
13899 -struct kvm_x86_ops *kvm_x86_ops;
13900 +const struct kvm_x86_ops *kvm_x86_ops;
13901 EXPORT_SYMBOL_GPL(kvm_x86_ops);
13903 int ignore_msrs = 0;
13904 @@ -109,38 +109,38 @@ static struct kvm_shared_msrs_global __r
13905 static DEFINE_PER_CPU(struct kvm_shared_msrs, shared_msrs);
13907 struct kvm_stats_debugfs_item debugfs_entries[] = {
13908 - { "pf_fixed", VCPU_STAT(pf_fixed) },
13909 - { "pf_guest", VCPU_STAT(pf_guest) },
13910 - { "tlb_flush", VCPU_STAT(tlb_flush) },
13911 - { "invlpg", VCPU_STAT(invlpg) },
13912 - { "exits", VCPU_STAT(exits) },
13913 - { "io_exits", VCPU_STAT(io_exits) },
13914 - { "mmio_exits", VCPU_STAT(mmio_exits) },
13915 - { "signal_exits", VCPU_STAT(signal_exits) },
13916 - { "irq_window", VCPU_STAT(irq_window_exits) },
13917 - { "nmi_window", VCPU_STAT(nmi_window_exits) },
13918 - { "halt_exits", VCPU_STAT(halt_exits) },
13919 - { "halt_wakeup", VCPU_STAT(halt_wakeup) },
13920 - { "hypercalls", VCPU_STAT(hypercalls) },
13921 - { "request_irq", VCPU_STAT(request_irq_exits) },
13922 - { "irq_exits", VCPU_STAT(irq_exits) },
13923 - { "host_state_reload", VCPU_STAT(host_state_reload) },
13924 - { "efer_reload", VCPU_STAT(efer_reload) },
13925 - { "fpu_reload", VCPU_STAT(fpu_reload) },
13926 - { "insn_emulation", VCPU_STAT(insn_emulation) },
13927 - { "insn_emulation_fail", VCPU_STAT(insn_emulation_fail) },
13928 - { "irq_injections", VCPU_STAT(irq_injections) },
13929 - { "nmi_injections", VCPU_STAT(nmi_injections) },
13930 - { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped) },
13931 - { "mmu_pte_write", VM_STAT(mmu_pte_write) },
13932 - { "mmu_pte_updated", VM_STAT(mmu_pte_updated) },
13933 - { "mmu_pde_zapped", VM_STAT(mmu_pde_zapped) },
13934 - { "mmu_flooded", VM_STAT(mmu_flooded) },
13935 - { "mmu_recycled", VM_STAT(mmu_recycled) },
13936 - { "mmu_cache_miss", VM_STAT(mmu_cache_miss) },
13937 - { "mmu_unsync", VM_STAT(mmu_unsync) },
13938 - { "remote_tlb_flush", VM_STAT(remote_tlb_flush) },
13939 - { "largepages", VM_STAT(lpages) },
13940 + { "pf_fixed", VCPU_STAT(pf_fixed), NULL },
13941 + { "pf_guest", VCPU_STAT(pf_guest), NULL },
13942 + { "tlb_flush", VCPU_STAT(tlb_flush), NULL },
13943 + { "invlpg", VCPU_STAT(invlpg), NULL },
13944 + { "exits", VCPU_STAT(exits), NULL },
13945 + { "io_exits", VCPU_STAT(io_exits), NULL },
13946 + { "mmio_exits", VCPU_STAT(mmio_exits), NULL },
13947 + { "signal_exits", VCPU_STAT(signal_exits), NULL },
13948 + { "irq_window", VCPU_STAT(irq_window_exits), NULL },
13949 + { "nmi_window", VCPU_STAT(nmi_window_exits), NULL },
13950 + { "halt_exits", VCPU_STAT(halt_exits), NULL },
13951 + { "halt_wakeup", VCPU_STAT(halt_wakeup), NULL },
13952 + { "hypercalls", VCPU_STAT(hypercalls), NULL },
13953 + { "request_irq", VCPU_STAT(request_irq_exits), NULL },
13954 + { "irq_exits", VCPU_STAT(irq_exits), NULL },
13955 + { "host_state_reload", VCPU_STAT(host_state_reload), NULL },
13956 + { "efer_reload", VCPU_STAT(efer_reload), NULL },
13957 + { "fpu_reload", VCPU_STAT(fpu_reload), NULL },
13958 + { "insn_emulation", VCPU_STAT(insn_emulation), NULL },
13959 + { "insn_emulation_fail", VCPU_STAT(insn_emulation_fail), NULL },
13960 + { "irq_injections", VCPU_STAT(irq_injections), NULL },
13961 + { "nmi_injections", VCPU_STAT(nmi_injections), NULL },
13962 + { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped), NULL },
13963 + { "mmu_pte_write", VM_STAT(mmu_pte_write), NULL },
13964 + { "mmu_pte_updated", VM_STAT(mmu_pte_updated), NULL },
13965 + { "mmu_pde_zapped", VM_STAT(mmu_pde_zapped), NULL },
13966 + { "mmu_flooded", VM_STAT(mmu_flooded), NULL },
13967 + { "mmu_recycled", VM_STAT(mmu_recycled), NULL },
13968 + { "mmu_cache_miss", VM_STAT(mmu_cache_miss), NULL },
13969 + { "mmu_unsync", VM_STAT(mmu_unsync), NULL },
13970 + { "remote_tlb_flush", VM_STAT(remote_tlb_flush), NULL },
13971 + { "largepages", VM_STAT(lpages), NULL },
13975 @@ -1405,6 +1405,8 @@ long kvm_arch_dev_ioctl(struct file *fil
13976 if (n < msr_list.nmsrs)
13979 + if (num_msrs_to_save > ARRAY_SIZE(msrs_to_save))
13981 if (copy_to_user(user_msr_list->indices, &msrs_to_save,
13982 num_msrs_to_save * sizeof(u32)))
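Review bot: The new `num_msrs_to_save > ARRAY_SIZE(msrs_to_save)` test guards a value the kernel computes itself, so tripping it means an internal inconsistency rather than bad user input. Failing the ioctl quietly would hide that. Wrapping the condition as `if (WARN_ON_ONCE(num_msrs_to_save > ARRAY_SIZE(msrs_to_save)))` keeps the protection against an over-read of `msrs_to_save` into user space and leaves a trace when it fires. The branch body is not visible on this page, and kvm_arch_dev_ioctl starts and ends outside the hunk.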
13984 @@ -1787,7 +1789,7 @@ static int kvm_vcpu_ioctl_set_lapic(stru
13985 static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
13986 struct kvm_interrupt *irq)
13988 - if (irq->irq < 0 || irq->irq >= 256)
13989 + if (irq->irq >= 256)
13991 if (irqchip_in_kernel(vcpu->kvm))
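Review bot: Dropping `irq->irq < 0` leaves `irq->irq >= 256` as the only bound on a value that arrives through the ioctl argument. That is sufficient only while the field is unsigned; it is `__u32` in struct kvm_interrupt, which is declared outside this hunk. A short comment keeps the dependency visible to whoever touches the structure next: `/* irq->irq is unsigned, so only the upper bound needs checking */`. kvm_vcpu_ioctl_interrupt continues outside the hunk.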
13993 @@ -3414,10 +3416,10 @@ static void kvm_timer_init(void)
13997 -int kvm_arch_init(void *opaque)
13998 +int kvm_arch_init(const void *opaque)
14001 - struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
14002 + const struct kvm_x86_ops *ops = (const struct kvm_x86_ops *)opaque;
14005 printk(KERN_ERR "kvm: already loaded the other module\n");
14006 diff -urNp linux-2.6.33.1/arch/x86/lib/checksum_32.S linux-2.6.33.1/arch/x86/lib/checksum_32.S
14007 --- linux-2.6.33.1/arch/x86/lib/checksum_32.S 2010-03-15 12:09:39.000000000 -0400
14008 +++ linux-2.6.33.1/arch/x86/lib/checksum_32.S 2010-03-20 16:58:39.024538149 -0400
14010 #include <linux/linkage.h>
14011 #include <asm/dwarf2.h>
14012 #include <asm/errno.h>
14014 +#include <asm/segment.h>
14017 * computes a partial checksum, e.g. for TCP/UDP fragments
14019 @@ -304,9 +305,22 @@ unsigned int csum_partial_copy_generic (
14024 -ENTRY(csum_partial_copy_generic)
14026 +ENTRY(csum_partial_copy_generic_to_user)
14028 + pushl $(__USER_DS)
14029 + CFI_ADJUST_CFA_OFFSET 4
14031 + CFI_ADJUST_CFA_OFFSET -4
14032 + jmp csum_partial_copy_generic
14034 +ENTRY(csum_partial_copy_generic_from_user)
14035 + pushl $(__USER_DS)
14036 + CFI_ADJUST_CFA_OFFSET 4
14038 + CFI_ADJUST_CFA_OFFSET -4
14040 +ENTRY(csum_partial_copy_generic)
14042 CFI_ADJUST_CFA_OFFSET 4
14044 @@ -331,7 +345,7 @@ ENTRY(csum_partial_copy_generic)
14046 SRC(1: movw (%esi), %bx )
14048 -DST( movw %bx, (%edi) )
14049 +DST( movw %bx, %es:(%edi) )
14053 @@ -343,30 +357,30 @@ DST( movw %bx, (%edi) )
14054 SRC(1: movl (%esi), %ebx )
14055 SRC( movl 4(%esi), %edx )
14057 -DST( movl %ebx, (%edi) )
14058 +DST( movl %ebx, %es:(%edi) )
14060 -DST( movl %edx, 4(%edi) )
14061 +DST( movl %edx, %es:4(%edi) )
14063 SRC( movl 8(%esi), %ebx )
14064 SRC( movl 12(%esi), %edx )
14066 -DST( movl %ebx, 8(%edi) )
14067 +DST( movl %ebx, %es:8(%edi) )
14069 -DST( movl %edx, 12(%edi) )
14070 +DST( movl %edx, %es:12(%edi) )
14072 SRC( movl 16(%esi), %ebx )
14073 SRC( movl 20(%esi), %edx )
14075 -DST( movl %ebx, 16(%edi) )
14076 +DST( movl %ebx, %es:16(%edi) )
14078 -DST( movl %edx, 20(%edi) )
14079 +DST( movl %edx, %es:20(%edi) )
14081 SRC( movl 24(%esi), %ebx )
14082 SRC( movl 28(%esi), %edx )
14084 -DST( movl %ebx, 24(%edi) )
14085 +DST( movl %ebx, %es:24(%edi) )
14087 -DST( movl %edx, 28(%edi) )
14088 +DST( movl %edx, %es:28(%edi) )
14092 @@ -380,7 +394,7 @@ DST( movl %edx, 28(%edi) )
14093 shrl $2, %edx # This clears CF
14094 SRC(3: movl (%esi), %ebx )
14096 -DST( movl %ebx, (%edi) )
14097 +DST( movl %ebx, %es:(%edi) )
14101 @@ -392,12 +406,12 @@ DST( movl %ebx, (%edi) )
14103 SRC( movw (%esi), %cx )
14105 -DST( movw %cx, (%edi) )
14106 +DST( movw %cx, %es:(%edi) )
14110 SRC(5: movb (%esi), %cl )
14111 -DST( movb %cl, (%edi) )
14112 +DST( movb %cl, %es:(%edi) )
14116 @@ -408,7 +422,7 @@ DST( movb %cl, (%edi) )
14119 movl ARGBASE+20(%esp), %ebx # src_err_ptr
14120 - movl $-EFAULT, (%ebx)
14121 + movl $-EFAULT, %ss:(%ebx)
14123 # zero the complete destination - computing the rest
14125 @@ -421,11 +435,19 @@ DST( movb %cl, (%edi) )
14128 movl ARGBASE+24(%esp), %ebx # dst_err_ptr
14129 - movl $-EFAULT,(%ebx)
14130 + movl $-EFAULT,%ss:(%ebx)
14136 + CFI_ADJUST_CFA_OFFSET 4
14138 + CFI_ADJUST_CFA_OFFSET -4
14140 + CFI_ADJUST_CFA_OFFSET 4
14142 + CFI_ADJUST_CFA_OFFSET -4
14144 CFI_ADJUST_CFA_OFFSET -4
14146 @@ -439,26 +461,41 @@ DST( movb %cl, (%edi) )
14147 CFI_ADJUST_CFA_OFFSET -4
14150 -ENDPROC(csum_partial_copy_generic)
14151 +ENDPROC(csum_partial_copy_generic_to_user)
14155 /* Version for PentiumII/PPro */
14157 #define ROUND1(x) \
14159 SRC(movl x(%esi), %ebx ) ; \
14160 addl %ebx, %eax ; \
14161 - DST(movl %ebx, x(%edi) ) ;
14162 + DST(movl %ebx, %es:x(%edi)) ;
14166 SRC(movl x(%esi), %ebx ) ; \
14167 adcl %ebx, %eax ; \
14168 - DST(movl %ebx, x(%edi) ) ;
14169 + DST(movl %ebx, %es:x(%edi)) ;
14173 -ENTRY(csum_partial_copy_generic)
14175 +ENTRY(csum_partial_copy_generic_to_user)
14177 + pushl $(__USER_DS)
14178 + CFI_ADJUST_CFA_OFFSET 4
14180 + CFI_ADJUST_CFA_OFFSET -4
14181 + jmp csum_partial_copy_generic
14183 +ENTRY(csum_partial_copy_generic_from_user)
14184 + pushl $(__USER_DS)
14185 + CFI_ADJUST_CFA_OFFSET 4
14187 + CFI_ADJUST_CFA_OFFSET -4
14189 +ENTRY(csum_partial_copy_generic)
14191 CFI_ADJUST_CFA_OFFSET 4
14192 CFI_REL_OFFSET ebx, 0
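Review bot: Only `ENDPROC(csum_partial_copy_generic_to_user)` replaces the old `ENDPROC(csum_partial_copy_generic)`, so as far as the visible lines show, the `csum_partial_copy_generic_from_user` and `csum_partial_copy_generic` entry points get no symbol type or size of their own. The `_to_user` symbol is in turn sized across all three bodies. Adding `ENDPROC(csum_partial_copy_generic_from_user)` and `ENDPROC(csum_partial_copy_generic)` beside it would keep stack unwinders and symbol-based tooling accurate. The last hunk of this file repeats the pattern for the PentiumII/PPro variant. The two stubs also differ in that `_to_user` ends in `jmp csum_partial_copy_generic` while `_from_user` falls through; a `/* fall through */` comment on the latter would make that intentional layout explicit.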
14193 @@ -482,7 +519,7 @@ ENTRY(csum_partial_copy_generic)
14197 - lea 3f(%ebx,%ebx), %ebx
14198 + lea 3f(%ebx,%ebx,2), %ebx
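Review bot: The index change from `3f(%ebx,%ebx)` to `3f(%ebx,%ebx,2)` hard-codes a new byte length for the unrolled ROUND blocks, presumably because each store now carries an `%es:` override, and nothing in the code states that coupling. A computed jump that lands mid-instruction would corrupt the copy rather than fault cleanly, so the assumption deserves a comment beside the `lea`, for example `/* each ROUND entry grew by one byte per %es: prefix; scale must match the encoded block size */`. The instructions that compute `%ebx` before this line are not visible in the hunk, so the exact arithmetic needs confirming against the full file.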
14202 @@ -503,19 +540,19 @@ ENTRY(csum_partial_copy_generic)
14204 SRC( movw (%esi), %dx )
14206 -DST( movw %dx, (%edi) )
14207 +DST( movw %dx, %es:(%edi) )
14212 SRC( movb (%esi), %dl )
14213 -DST( movb %dl, (%edi) )
14214 +DST( movb %dl, %es:(%edi) )
14218 .section .fixup, "ax"
14219 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
14220 - movl $-EFAULT, (%ebx)
14221 + movl $-EFAULT, %ss:(%ebx)
14222 # zero the complete destination (computing the rest is too much work)
14223 movl ARGBASE+8(%esp),%edi # dst
14224 movl ARGBASE+12(%esp),%ecx # len
14225 @@ -523,10 +560,18 @@ DST( movb %dl, (%edi) )
14228 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
14229 - movl $-EFAULT, (%ebx)
14230 + movl $-EFAULT, %ss:(%ebx)
14235 + CFI_ADJUST_CFA_OFFSET 4
14237 + CFI_ADJUST_CFA_OFFSET -4
14239 + CFI_ADJUST_CFA_OFFSET 4
14241 + CFI_ADJUST_CFA_OFFSET -4
14243 CFI_ADJUST_CFA_OFFSET -4
14245 @@ -538,7 +583,7 @@ DST( movb %dl, (%edi) )
14249 -ENDPROC(csum_partial_copy_generic)
14250 +ENDPROC(csum_partial_copy_generic_to_user)
14254 diff -urNp linux-2.6.33.1/arch/x86/lib/clear_page_64.S linux-2.6.33.1/arch/x86/lib/clear_page_64.S
14255 --- linux-2.6.33.1/arch/x86/lib/clear_page_64.S 2010-03-15 12:09:39.000000000 -0400
14256 +++ linux-2.6.33.1/arch/x86/lib/clear_page_64.S 2010-03-20 16:58:39.028522513 -0400
14257 @@ -43,7 +43,7 @@ ENDPROC(clear_page)
14259 #include <asm/cpufeature.h>
14261 - .section .altinstr_replacement,"ax"
14262 + .section .altinstr_replacement,"a"
14263 1: .byte 0xeb /* jmp <disp8> */
14264 .byte (clear_page_c - clear_page) - (2f - 1b) /* offset */
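Review bot: The section flags change from `"ax"` to `"a"` without a comment, and a reader meeting a non-executable `.altinstr_replacement` later may take it for a mistake and revert it. A short comment would settle that: `/* replacement bytes are copied over the original site by the alternatives code and never run in place, so the section does not need to be executable */`. The same change is made in copy_page_64.S, copy_user_64.S, memcpy_64.S and memset_64.S below and would benefit from the same comment, or from a shared macro that carries it once.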
14266 diff -urNp linux-2.6.33.1/arch/x86/lib/copy_page_64.S linux-2.6.33.1/arch/x86/lib/copy_page_64.S
14267 --- linux-2.6.33.1/arch/x86/lib/copy_page_64.S 2010-03-15 12:09:39.000000000 -0400
14268 +++ linux-2.6.33.1/arch/x86/lib/copy_page_64.S 2010-03-20 16:58:39.028522513 -0400
14269 @@ -104,7 +104,7 @@ ENDPROC(copy_page)
14271 #include <asm/cpufeature.h>
14273 - .section .altinstr_replacement,"ax"
14274 + .section .altinstr_replacement,"a"
14275 1: .byte 0xeb /* jmp <disp8> */
14276 .byte (copy_page_c - copy_page) - (2f - 1b) /* offset */
14278 diff -urNp linux-2.6.33.1/arch/x86/lib/copy_user_64.S linux-2.6.33.1/arch/x86/lib/copy_user_64.S
14279 --- linux-2.6.33.1/arch/x86/lib/copy_user_64.S 2010-03-15 12:09:39.000000000 -0400
14280 +++ linux-2.6.33.1/arch/x86/lib/copy_user_64.S 2010-03-20 16:58:39.028522513 -0400
14282 .byte 0xe9 /* 32bit jump */
14283 .long \orig-1f /* by default jump to orig */
14285 - .section .altinstr_replacement,"ax"
14286 + .section .altinstr_replacement,"a"
14287 2: .byte 0xe9 /* near jump with 32bit immediate */
14288 .long \alt-1b /* offset */ /* or alternatively to alt */
14294 -/* Standard copy_to_user with segment limit checking */
14295 -ENTRY(_copy_to_user)
14297 - GET_THREAD_INFO(%rax)
14301 - cmpq TI_addr_limit(%rax),%rcx
14303 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
14305 -ENDPROC(_copy_to_user)
14307 -/* Standard copy_from_user with segment limit checking */
14308 -ENTRY(_copy_from_user)
14310 - GET_THREAD_INFO(%rax)
14314 - cmpq TI_addr_limit(%rax),%rcx
14315 - jae bad_from_user
14316 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
14318 -ENDPROC(_copy_from_user)
14320 ENTRY(copy_user_generic)
14322 ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
14323 @@ -101,6 +75,8 @@ ENDPROC(copy_user_generic)
14324 ENTRY(bad_from_user)
14332 diff -urNp linux-2.6.33.1/arch/x86/lib/getuser.S linux-2.6.33.1/arch/x86/lib/getuser.S
14333 --- linux-2.6.33.1/arch/x86/lib/getuser.S 2010-03-15 12:09:39.000000000 -0400
14334 +++ linux-2.6.33.1/arch/x86/lib/getuser.S 2010-03-20 16:58:39.028522513 -0400
14335 @@ -33,14 +33,28 @@
14336 #include <asm/asm-offsets.h>
14337 #include <asm/thread_info.h>
14338 #include <asm/asm.h>
14339 +#include <asm/segment.h>
14342 ENTRY(__get_user_1)
14345 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
14346 + pushl $(__USER_DS)
14349 GET_THREAD_INFO(%_ASM_DX)
14350 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
14354 1: movzb (%_ASM_AX),%edx
14356 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
14364 @@ -49,11 +63,24 @@ ENDPROC(__get_user_1)
14365 ENTRY(__get_user_2)
14369 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
14370 + pushl $(__USER_DS)
14374 GET_THREAD_INFO(%_ASM_DX)
14375 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
14379 2: movzwl -1(%_ASM_AX),%edx
14381 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
14389 @@ -62,11 +89,24 @@ ENDPROC(__get_user_2)
14390 ENTRY(__get_user_4)
14394 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
14395 + pushl $(__USER_DS)
14399 GET_THREAD_INFO(%_ASM_DX)
14400 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
14404 3: mov -3(%_ASM_AX),%edx
14406 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
14414 @@ -89,6 +129,12 @@ ENDPROC(__get_user_8)
14419 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
14425 mov $(-EFAULT),%_ASM_AX
14427 diff -urNp linux-2.6.33.1/arch/x86/lib/memcpy_64.S linux-2.6.33.1/arch/x86/lib/memcpy_64.S
14428 --- linux-2.6.33.1/arch/x86/lib/memcpy_64.S 2010-03-15 12:09:39.000000000 -0400
14429 +++ linux-2.6.33.1/arch/x86/lib/memcpy_64.S 2010-03-20 16:58:39.028522513 -0400
14430 @@ -128,7 +128,7 @@ ENDPROC(__memcpy)
14431 * It is also a lot simpler. Use this when possible:
14434 - .section .altinstr_replacement, "ax"
14435 + .section .altinstr_replacement, "a"
14436 1: .byte 0xeb /* jmp <disp8> */
14437 .byte (memcpy_c - memcpy) - (2f - 1b) /* offset */
14439 diff -urNp linux-2.6.33.1/arch/x86/lib/memset_64.S linux-2.6.33.1/arch/x86/lib/memset_64.S
14440 --- linux-2.6.33.1/arch/x86/lib/memset_64.S 2010-03-15 12:09:39.000000000 -0400
14441 +++ linux-2.6.33.1/arch/x86/lib/memset_64.S 2010-03-20 16:58:39.028522513 -0400
14442 @@ -118,7 +118,7 @@ ENDPROC(__memset)
14444 #include <asm/cpufeature.h>
14446 - .section .altinstr_replacement,"ax"
14447 + .section .altinstr_replacement,"a"
14448 1: .byte 0xeb /* jmp <disp8> */
14449 .byte (memset_c - memset) - (2f - 1b) /* offset */
14451 diff -urNp linux-2.6.33.1/arch/x86/lib/mmx_32.c linux-2.6.33.1/arch/x86/lib/mmx_32.c
14452 --- linux-2.6.33.1/arch/x86/lib/mmx_32.c 2010-03-15 12:09:39.000000000 -0400
14453 +++ linux-2.6.33.1/arch/x86/lib/mmx_32.c 2010-03-20 16:58:39.028522513 -0400
14454 @@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *
14458 + unsigned long cr0;
14460 if (unlikely(in_interrupt()))
14461 return __memcpy(to, from, len);
14462 @@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *
14463 kernel_fpu_begin();
14465 __asm__ __volatile__ (
14466 - "1: prefetch (%0)\n" /* This set is 28 bytes */
14467 - " prefetch 64(%0)\n"
14468 - " prefetch 128(%0)\n"
14469 - " prefetch 192(%0)\n"
14470 - " prefetch 256(%0)\n"
14471 + "1: prefetch (%1)\n" /* This set is 28 bytes */
14472 + " prefetch 64(%1)\n"
14473 + " prefetch 128(%1)\n"
14474 + " prefetch 192(%1)\n"
14475 + " prefetch 256(%1)\n"
14477 ".section .fixup, \"ax\"\n"
14478 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
14481 +#ifdef CONFIG_PAX_KERNEXEC
14482 + " movl %%cr0, %0\n"
14483 + " movl %0, %%eax\n"
14484 + " andl $0xFFFEFFFF, %%eax\n"
14485 + " movl %%eax, %%cr0\n"
14488 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
14490 +#ifdef CONFIG_PAX_KERNEXEC
14491 + " movl %0, %%cr0\n"
14496 _ASM_EXTABLE(1b, 3b)
14498 + : "=&r" (cr0) : "r" (from) : "ax");
14500 for ( ; i > 5; i--) {
14501 __asm__ __volatile__ (
14502 - "1: prefetch 320(%0)\n"
14503 - "2: movq (%0), %%mm0\n"
14504 - " movq 8(%0), %%mm1\n"
14505 - " movq 16(%0), %%mm2\n"
14506 - " movq 24(%0), %%mm3\n"
14507 - " movq %%mm0, (%1)\n"
14508 - " movq %%mm1, 8(%1)\n"
14509 - " movq %%mm2, 16(%1)\n"
14510 - " movq %%mm3, 24(%1)\n"
14511 - " movq 32(%0), %%mm0\n"
14512 - " movq 40(%0), %%mm1\n"
14513 - " movq 48(%0), %%mm2\n"
14514 - " movq 56(%0), %%mm3\n"
14515 - " movq %%mm0, 32(%1)\n"
14516 - " movq %%mm1, 40(%1)\n"
14517 - " movq %%mm2, 48(%1)\n"
14518 - " movq %%mm3, 56(%1)\n"
14519 + "1: prefetch 320(%1)\n"
14520 + "2: movq (%1), %%mm0\n"
14521 + " movq 8(%1), %%mm1\n"
14522 + " movq 16(%1), %%mm2\n"
14523 + " movq 24(%1), %%mm3\n"
14524 + " movq %%mm0, (%2)\n"
14525 + " movq %%mm1, 8(%2)\n"
14526 + " movq %%mm2, 16(%2)\n"
14527 + " movq %%mm3, 24(%2)\n"
14528 + " movq 32(%1), %%mm0\n"
14529 + " movq 40(%1), %%mm1\n"
14530 + " movq 48(%1), %%mm2\n"
14531 + " movq 56(%1), %%mm3\n"
14532 + " movq %%mm0, 32(%2)\n"
14533 + " movq %%mm1, 40(%2)\n"
14534 + " movq %%mm2, 48(%2)\n"
14535 + " movq %%mm3, 56(%2)\n"
14536 ".section .fixup, \"ax\"\n"
14537 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
14540 +#ifdef CONFIG_PAX_KERNEXEC
14541 + " movl %%cr0, %0\n"
14542 + " movl %0, %%eax\n"
14543 + " andl $0xFFFEFFFF, %%eax\n"
14544 + " movl %%eax, %%cr0\n"
14547 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
14549 +#ifdef CONFIG_PAX_KERNEXEC
14550 + " movl %0, %%cr0\n"
14555 _ASM_EXTABLE(1b, 3b)
14556 - : : "r" (from), "r" (to) : "memory");
14557 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
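Review bot: The fixup path in `_mmx_memcpy` masks CR0 with the bare literal `0xFFFEFFFF` before the `movw $0x1AEB, 1b` store, and nothing in the hunk says that this clears the write-protect bit so the fixup can patch kernel text, or that the value saved in `%0` is written back right after. I would add a comment above each `CONFIG_PAX_KERNEXEC` block, for example `/* clear CR0.WP (bit 16) so the fixup can rewrite the prefetch at 1b; saved CR0 is restored after the store */`, and derive the mask from `X86_CR0_WP` rather than spelling it out. The same four-instruction sequence appears again in the loop body of this hunk and in both `fast_copy_page` hunks below, so one shared macro would keep the six copies from drifting. Whether interrupts can arrive while WP is clear is not visible here (only `kernel_fpu_begin()` is shown) and is worth confirming, because any write to read-only kernel memory succeeds in that window. The body of `_mmx_memcpy` continues outside the hunk.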
14561 @@ -158,6 +187,7 @@ static void fast_clear_page(void *page)
14562 static void fast_copy_page(void *to, void *from)
14565 + unsigned long cr0;
14567 kernel_fpu_begin();
14569 @@ -166,42 +196,70 @@ static void fast_copy_page(void *to, voi
14570 * but that is for later. -AV
14572 __asm__ __volatile__(
14573 - "1: prefetch (%0)\n"
14574 - " prefetch 64(%0)\n"
14575 - " prefetch 128(%0)\n"
14576 - " prefetch 192(%0)\n"
14577 - " prefetch 256(%0)\n"
14578 + "1: prefetch (%1)\n"
14579 + " prefetch 64(%1)\n"
14580 + " prefetch 128(%1)\n"
14581 + " prefetch 192(%1)\n"
14582 + " prefetch 256(%1)\n"
14584 ".section .fixup, \"ax\"\n"
14585 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
14588 +#ifdef CONFIG_PAX_KERNEXEC
14589 + " movl %%cr0, %0\n"
14590 + " movl %0, %%eax\n"
14591 + " andl $0xFFFEFFFF, %%eax\n"
14592 + " movl %%eax, %%cr0\n"
14595 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
14597 +#ifdef CONFIG_PAX_KERNEXEC
14598 + " movl %0, %%cr0\n"
14603 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
14604 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
14606 for (i = 0; i < (4096-320)/64; i++) {
14607 __asm__ __volatile__ (
14608 - "1: prefetch 320(%0)\n"
14609 - "2: movq (%0), %%mm0\n"
14610 - " movntq %%mm0, (%1)\n"
14611 - " movq 8(%0), %%mm1\n"
14612 - " movntq %%mm1, 8(%1)\n"
14613 - " movq 16(%0), %%mm2\n"
14614 - " movntq %%mm2, 16(%1)\n"
14615 - " movq 24(%0), %%mm3\n"
14616 - " movntq %%mm3, 24(%1)\n"
14617 - " movq 32(%0), %%mm4\n"
14618 - " movntq %%mm4, 32(%1)\n"
14619 - " movq 40(%0), %%mm5\n"
14620 - " movntq %%mm5, 40(%1)\n"
14621 - " movq 48(%0), %%mm6\n"
14622 - " movntq %%mm6, 48(%1)\n"
14623 - " movq 56(%0), %%mm7\n"
14624 - " movntq %%mm7, 56(%1)\n"
14625 + "1: prefetch 320(%1)\n"
14626 + "2: movq (%1), %%mm0\n"
14627 + " movntq %%mm0, (%2)\n"
14628 + " movq 8(%1), %%mm1\n"
14629 + " movntq %%mm1, 8(%2)\n"
14630 + " movq 16(%1), %%mm2\n"
14631 + " movntq %%mm2, 16(%2)\n"
14632 + " movq 24(%1), %%mm3\n"
14633 + " movntq %%mm3, 24(%2)\n"
14634 + " movq 32(%1), %%mm4\n"
14635 + " movntq %%mm4, 32(%2)\n"
14636 + " movq 40(%1), %%mm5\n"
14637 + " movntq %%mm5, 40(%2)\n"
14638 + " movq 48(%1), %%mm6\n"
14639 + " movntq %%mm6, 48(%2)\n"
14640 + " movq 56(%1), %%mm7\n"
14641 + " movntq %%mm7, 56(%2)\n"
14642 ".section .fixup, \"ax\"\n"
14643 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
14646 +#ifdef CONFIG_PAX_KERNEXEC
14647 + " movl %%cr0, %0\n"
14648 + " movl %0, %%eax\n"
14649 + " andl $0xFFFEFFFF, %%eax\n"
14650 + " movl %%eax, %%cr0\n"
14653 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
14655 +#ifdef CONFIG_PAX_KERNEXEC
14656 + " movl %0, %%cr0\n"
14661 - _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory");
14662 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
14666 @@ -280,47 +338,76 @@ static void fast_clear_page(void *page)
14667 static void fast_copy_page(void *to, void *from)
14670 + unsigned long cr0;
14672 kernel_fpu_begin();
14674 __asm__ __volatile__ (
14675 - "1: prefetch (%0)\n"
14676 - " prefetch 64(%0)\n"
14677 - " prefetch 128(%0)\n"
14678 - " prefetch 192(%0)\n"
14679 - " prefetch 256(%0)\n"
14680 + "1: prefetch (%1)\n"
14681 + " prefetch 64(%1)\n"
14682 + " prefetch 128(%1)\n"
14683 + " prefetch 192(%1)\n"
14684 + " prefetch 256(%1)\n"
14686 ".section .fixup, \"ax\"\n"
14687 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
14690 +#ifdef CONFIG_PAX_KERNEXEC
14691 + " movl %%cr0, %0\n"
14692 + " movl %0, %%eax\n"
14693 + " andl $0xFFFEFFFF, %%eax\n"
14694 + " movl %%eax, %%cr0\n"
14697 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
14699 +#ifdef CONFIG_PAX_KERNEXEC
14700 + " movl %0, %%cr0\n"
14705 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
14706 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
14708 for (i = 0; i < 4096/64; i++) {
14709 __asm__ __volatile__ (
14710 - "1: prefetch 320(%0)\n"
14711 - "2: movq (%0), %%mm0\n"
14712 - " movq 8(%0), %%mm1\n"
14713 - " movq 16(%0), %%mm2\n"
14714 - " movq 24(%0), %%mm3\n"
14715 - " movq %%mm0, (%1)\n"
14716 - " movq %%mm1, 8(%1)\n"
14717 - " movq %%mm2, 16(%1)\n"
14718 - " movq %%mm3, 24(%1)\n"
14719 - " movq 32(%0), %%mm0\n"
14720 - " movq 40(%0), %%mm1\n"
14721 - " movq 48(%0), %%mm2\n"
14722 - " movq 56(%0), %%mm3\n"
14723 - " movq %%mm0, 32(%1)\n"
14724 - " movq %%mm1, 40(%1)\n"
14725 - " movq %%mm2, 48(%1)\n"
14726 - " movq %%mm3, 56(%1)\n"
14727 + "1: prefetch 320(%1)\n"
14728 + "2: movq (%1), %%mm0\n"
14729 + " movq 8(%1), %%mm1\n"
14730 + " movq 16(%1), %%mm2\n"
14731 + " movq 24(%1), %%mm3\n"
14732 + " movq %%mm0, (%2)\n"
14733 + " movq %%mm1, 8(%2)\n"
14734 + " movq %%mm2, 16(%2)\n"
14735 + " movq %%mm3, 24(%2)\n"
14736 + " movq 32(%1), %%mm0\n"
14737 + " movq 40(%1), %%mm1\n"
14738 + " movq 48(%1), %%mm2\n"
14739 + " movq 56(%1), %%mm3\n"
14740 + " movq %%mm0, 32(%2)\n"
14741 + " movq %%mm1, 40(%2)\n"
14742 + " movq %%mm2, 48(%2)\n"
14743 + " movq %%mm3, 56(%2)\n"
14744 ".section .fixup, \"ax\"\n"
14745 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
14748 +#ifdef CONFIG_PAX_KERNEXEC
14749 + " movl %%cr0, %0\n"
14750 + " movl %0, %%eax\n"
14751 + " andl $0xFFFEFFFF, %%eax\n"
14752 + " movl %%eax, %%cr0\n"
14755 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
14757 +#ifdef CONFIG_PAX_KERNEXEC
14758 + " movl %0, %%cr0\n"
14763 _ASM_EXTABLE(1b, 3b)
14764 - : : "r" (from), "r" (to) : "memory");
14765 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
14769 diff -urNp linux-2.6.33.1/arch/x86/lib/putuser.S linux-2.6.33.1/arch/x86/lib/putuser.S
14770 --- linux-2.6.33.1/arch/x86/lib/putuser.S 2010-03-15 12:09:39.000000000 -0400
14771 +++ linux-2.6.33.1/arch/x86/lib/putuser.S 2010-03-20 16:58:39.028522513 -0400
14773 #include <asm/thread_info.h>
14774 #include <asm/errno.h>
14775 #include <asm/asm.h>
14776 +#include <asm/segment.h>
14780 @@ -29,59 +30,120 @@
14781 * as they get called from within inline assembly.
14784 -#define ENTER CFI_STARTPROC ; \
14785 - GET_THREAD_INFO(%_ASM_BX)
14786 +#define ENTER CFI_STARTPROC
14787 #define EXIT ret ; \
14791 ENTRY(__put_user_1)
14794 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
14795 + pushl $(__USER_DS)
14798 + GET_THREAD_INFO(%_ASM_BX)
14799 cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
14803 1: movb %al,(%_ASM_CX)
14805 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
14812 ENDPROC(__put_user_1)
14814 ENTRY(__put_user_2)
14817 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
14818 + pushl $(__USER_DS)
14821 + GET_THREAD_INFO(%_ASM_BX)
14822 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
14824 cmp %_ASM_BX,%_ASM_CX
14828 2: movw %ax,(%_ASM_CX)
14830 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
14837 ENDPROC(__put_user_2)
14839 ENTRY(__put_user_4)
14842 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
14843 + pushl $(__USER_DS)
14846 + GET_THREAD_INFO(%_ASM_BX)
14847 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
14849 cmp %_ASM_BX,%_ASM_CX
14853 3: movl %eax,(%_ASM_CX)
14855 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
14862 ENDPROC(__put_user_4)
14864 ENTRY(__put_user_8)
14867 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
14868 + pushl $(__USER_DS)
14871 + GET_THREAD_INFO(%_ASM_BX)
14872 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
14874 cmp %_ASM_BX,%_ASM_CX
14878 4: mov %_ASM_AX,(%_ASM_CX)
14879 #ifdef CONFIG_X86_32
14880 5: movl %edx,4(%_ASM_CX)
14883 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
14890 ENDPROC(__put_user_8)
14895 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
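Review bot: The guard `#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)` with `pushl $(__USER_DS)` is open-coded at the top of `__put_user_1`, `__put_user_2`, `__put_user_4` and `__put_user_8`, and the same guard is repeated after each store and once more near the end of the hunk. A pair of assembler macros defined next to `ENTER`/`EXIT` would keep the segment switch and its restore in one place, so a later edit cannot change one entry point and miss another. The lines that follow each `pushl` are not visible in this extract, so I cannot confirm that the stack and the segment register are balanced on the fault path as well as on the normal return; a one-line comment stating that invariant would help. `ENTER` no longer loads thread info into `%_ASM_BX`, and a short comment on the macro saying that each routine now calls `GET_THREAD_INFO` itself would avoid surprises.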
14903 diff -urNp linux-2.6.33.1/arch/x86/lib/usercopy_32.c linux-2.6.33.1/arch/x86/lib/usercopy_32.c
14904 --- linux-2.6.33.1/arch/x86/lib/usercopy_32.c 2010-03-15 12:09:39.000000000 -0400
14905 +++ linux-2.6.33.1/arch/x86/lib/usercopy_32.c 2010-03-20 16:58:39.028522513 -0400
14906 @@ -36,31 +36,38 @@ static inline int __movsl_is_ok(unsigned
14907 * Copy a null terminated string from userspace.
14910 -#define __do_strncpy_from_user(dst, src, count, res) \
14912 - int __d0, __d1, __d2; \
14914 - __asm__ __volatile__( \
14915 - " testl %1,%1\n" \
14919 - " testb %%al,%%al\n" \
14923 - "1: subl %1,%0\n" \
14925 - ".section .fixup,\"ax\"\n" \
14926 - "3: movl %5,%0\n" \
14929 - _ASM_EXTABLE(0b,3b) \
14930 - : "=&d"(res), "=&c"(count), "=&a" (__d0), "=&S" (__d1), \
14932 - : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst) \
14935 +static long __do_strncpy_from_user(char *dst, const char __user *src, long count)
14937 + int __d0, __d1, __d2;
14938 + long res = -EFAULT;
14941 + __asm__ __volatile__(
14942 + " movw %w10,%%ds\n"
14947 + " testb %%al,%%al\n"
14951 + "1: subl %1,%0\n"
14955 + ".section .fixup,\"ax\"\n"
14956 + "3: movl %5,%0\n"
14959 + _ASM_EXTABLE(0b,3b)
14960 + : "=&d"(res), "=&c"(count), "=&a" (__d0), "=&S" (__d1),
14962 + : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst),
14969 * __strncpy_from_user: - Copy a NUL terminated string from userspace, with less checking.
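Review bot: `__do_strncpy_from_user` now opens with `movw %w10,%%ds`, which repoints the data segment for the rest of the asm block, but the function carries no comment saying what operand 10 is or where `%ds` is put back. I would add `/* %ds = __USER_DS for the user-side loads; restored to the kernel segment before the asm ends, on the fixup path at 3: as well */` above the asm and switch to a named operand such as `%w[user_ds]`, since the positional index differs per function (`%w10` here, `%w6` in `__do_clear_user`, `%w8` in `strnlen_user`) and breaks silently when an operand is added. The restoring instructions are not visible in this extract; if the fixup at label 3 can return without them, compiler-generated code after the asm would run with the user segment loaded. The same comment applies to the `__do_clear_user` hunk and to the copy helpers further down.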
14970 @@ -85,9 +92,7 @@ do { \
14972 __strncpy_from_user(char *dst, const char __user *src, long count)
14975 - __do_strncpy_from_user(dst, src, count, res);
14977 + return __do_strncpy_from_user(dst, src, count);
14979 EXPORT_SYMBOL(__strncpy_from_user);
14981 @@ -114,7 +119,7 @@ strncpy_from_user(char *dst, const char
14983 long res = -EFAULT;
14984 if (access_ok(VERIFY_READ, src, 1))
14985 - __do_strncpy_from_user(dst, src, count, res);
14986 + res = __do_strncpy_from_user(dst, src, count);
14989 EXPORT_SYMBOL(strncpy_from_user);
14990 @@ -123,24 +128,30 @@ EXPORT_SYMBOL(strncpy_from_user);
14994 -#define __do_clear_user(addr,size) \
14998 - __asm__ __volatile__( \
14999 - "0: rep; stosl\n" \
15000 - " movl %2,%0\n" \
15001 - "1: rep; stosb\n" \
15003 - ".section .fixup,\"ax\"\n" \
15004 - "3: lea 0(%2,%0,4),%0\n" \
15007 - _ASM_EXTABLE(0b,3b) \
15008 - _ASM_EXTABLE(1b,2b) \
15009 - : "=&c"(size), "=&D" (__d0) \
15010 - : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0)); \
15012 +static unsigned long __do_clear_user(void __user *addr, unsigned long size)
15017 + __asm__ __volatile__(
15018 + " movw %w6,%%es\n"
15019 + "0: rep; stosl\n"
15021 + "1: rep; stosb\n"
15025 + ".section .fixup,\"ax\"\n"
15026 + "3: lea 0(%2,%0,4),%0\n"
15029 + _ASM_EXTABLE(0b,3b)
15030 + _ASM_EXTABLE(1b,2b)
15031 + : "=&c"(size), "=&D" (__d0)
15032 + : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0),
15038 * clear_user: - Zero a block of memory in user space.
15039 @@ -157,7 +168,7 @@ clear_user(void __user *to, unsigned lon
15042 if (access_ok(VERIFY_WRITE, to, n))
15043 - __do_clear_user(to, n);
15044 + n = __do_clear_user(to, n);
15047 EXPORT_SYMBOL(clear_user);
15048 @@ -176,8 +187,7 @@ EXPORT_SYMBOL(clear_user);
15050 __clear_user(void __user *to, unsigned long n)
15052 - __do_clear_user(to, n);
15054 + return __do_clear_user(to, n);
15056 EXPORT_SYMBOL(__clear_user);
15058 @@ -200,14 +210,17 @@ long strnlen_user(const char __user *s,
15061 __asm__ __volatile__(
15062 + " movw %w8,%%es\n"
15065 - " andl %0,%%ecx\n"
15066 + " movl %0,%%ecx\n"
15067 "0: repne; scasb\n"
15074 ".section .fixup,\"ax\"\n"
15075 "2: xorl %%eax,%%eax\n"
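Review bot: Replacing `andl %0,%%ecx` with `movl %0,%%ecx` makes the scan length `n` regardless of `mask`, which the next hunk still passes in as operand 3 (`"3" (mask)`) and which presumably comes from an address check on `s` made outside the hunk. If the limit of the segment loaded by `movw %w8,%%es` is what now rejects out-of-range addresses, that holds only in configurations where the descriptor limit is actually reduced; with a flat user segment the check would be gone. Either keep the `andl` after the load or add a comment naming the mechanism that replaces it, and drop the `mask` operand if it is now dead. The body of `strnlen_user` continues outside the hunk.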
15077 @@ -219,7 +232,7 @@ long strnlen_user(const char __user *s,
15080 :"=&r" (n), "=&D" (s), "=&a" (res), "=&c" (tmp)
15081 - :"0" (n), "1" (s), "2" (0), "3" (mask)
15082 + :"0" (n), "1" (s), "2" (0), "3" (mask), "r" (__USER_DS)
15086 @@ -227,10 +240,121 @@ EXPORT_SYMBOL(strnlen_user);
15088 #ifdef CONFIG_X86_INTEL_USERCOPY
15089 static unsigned long
15090 -__copy_user_intel(void __user *to, const void *from, unsigned long size)
15091 +__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
15094 + __asm__ __volatile__(
15095 + " movw %w6, %%es\n"
15096 + " .align 2,0x90\n"
15097 + "1: movl 32(%4), %%eax\n"
15098 + " cmpl $67, %0\n"
15100 + "2: movl 64(%4), %%eax\n"
15101 + " .align 2,0x90\n"
15102 + "3: movl 0(%4), %%eax\n"
15103 + "4: movl 4(%4), %%edx\n"
15104 + "5: movl %%eax, %%es:0(%3)\n"
15105 + "6: movl %%edx, %%es:4(%3)\n"
15106 + "7: movl 8(%4), %%eax\n"
15107 + "8: movl 12(%4),%%edx\n"
15108 + "9: movl %%eax, %%es:8(%3)\n"
15109 + "10: movl %%edx, %%es:12(%3)\n"
15110 + "11: movl 16(%4), %%eax\n"
15111 + "12: movl 20(%4), %%edx\n"
15112 + "13: movl %%eax, %%es:16(%3)\n"
15113 + "14: movl %%edx, %%es:20(%3)\n"
15114 + "15: movl 24(%4), %%eax\n"
15115 + "16: movl 28(%4), %%edx\n"
15116 + "17: movl %%eax, %%es:24(%3)\n"
15117 + "18: movl %%edx, %%es:28(%3)\n"
15118 + "19: movl 32(%4), %%eax\n"
15119 + "20: movl 36(%4), %%edx\n"
15120 + "21: movl %%eax, %%es:32(%3)\n"
15121 + "22: movl %%edx, %%es:36(%3)\n"
15122 + "23: movl 40(%4), %%eax\n"
15123 + "24: movl 44(%4), %%edx\n"
15124 + "25: movl %%eax, %%es:40(%3)\n"
15125 + "26: movl %%edx, %%es:44(%3)\n"
15126 + "27: movl 48(%4), %%eax\n"
15127 + "28: movl 52(%4), %%edx\n"
15128 + "29: movl %%eax, %%es:48(%3)\n"
15129 + "30: movl %%edx, %%es:52(%3)\n"
15130 + "31: movl 56(%4), %%eax\n"
15131 + "32: movl 60(%4), %%edx\n"
15132 + "33: movl %%eax, %%es:56(%3)\n"
15133 + "34: movl %%edx, %%es:60(%3)\n"
15134 + " addl $-64, %0\n"
15135 + " addl $64, %4\n"
15136 + " addl $64, %3\n"
15137 + " cmpl $63, %0\n"
15139 + "35: movl %0, %%eax\n"
15141 + " andl $3, %%eax\n"
15143 + "99: rep; movsl\n"
15144 + "36: movl %%eax, %0\n"
15145 + "37: rep; movsb\n"
15149 + ".section .fixup,\"ax\"\n"
15150 + "101: lea 0(%%eax,%0,4),%0\n"
15153 + ".section __ex_table,\"a\"\n"
15155 + " .long 1b,100b\n"
15156 + " .long 2b,100b\n"
15157 + " .long 3b,100b\n"
15158 + " .long 4b,100b\n"
15159 + " .long 5b,100b\n"
15160 + " .long 6b,100b\n"
15161 + " .long 7b,100b\n"
15162 + " .long 8b,100b\n"
15163 + " .long 9b,100b\n"
15164 + " .long 10b,100b\n"
15165 + " .long 11b,100b\n"
15166 + " .long 12b,100b\n"
15167 + " .long 13b,100b\n"
15168 + " .long 14b,100b\n"
15169 + " .long 15b,100b\n"
15170 + " .long 16b,100b\n"
15171 + " .long 17b,100b\n"
15172 + " .long 18b,100b\n"
15173 + " .long 19b,100b\n"
15174 + " .long 20b,100b\n"
15175 + " .long 21b,100b\n"
15176 + " .long 22b,100b\n"
15177 + " .long 23b,100b\n"
15178 + " .long 24b,100b\n"
15179 + " .long 25b,100b\n"
15180 + " .long 26b,100b\n"
15181 + " .long 27b,100b\n"
15182 + " .long 28b,100b\n"
15183 + " .long 29b,100b\n"
15184 + " .long 30b,100b\n"
15185 + " .long 31b,100b\n"
15186 + " .long 32b,100b\n"
15187 + " .long 33b,100b\n"
15188 + " .long 34b,100b\n"
15189 + " .long 35b,100b\n"
15190 + " .long 36b,100b\n"
15191 + " .long 37b,100b\n"
15192 + " .long 99b,101b\n"
15194 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
15195 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
15196 + : "eax", "edx", "memory");
15200 +static unsigned long
15201 +__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
15204 __asm__ __volatile__(
15205 + " movw %w6, %%ds\n"
15207 "1: movl 32(%4), %%eax\n"
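Review bot: `__generic_copy_to_user_intel` is added as a full copy of the unrolled loop, including a hand-written `.section __ex_table` with 38 `.long Nb,100b` pairs, while other asm in this file uses `_ASM_EXTABLE(...)` (for example in `__do_clear_user` above). The visible difference from the from-user variant is which segment register is loaded at the top (`movw %w6, %%es` here, `%%ds` there); generating both from one macro parameterised on that register would stop the two tables and fixups from drifting apart. At minimum the function needs a header comment stating that stores go through `%es` holding `__USER_DS` while loads use the kernel `%ds`, and that `%es` is restored before return. The target of label `100` and the restore lines are not visible in this extract.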
15209 @@ -239,36 +363,36 @@ __copy_user_intel(void __user *to, const
15211 "3: movl 0(%4), %%eax\n"
15212 "4: movl 4(%4), %%edx\n"
15213 - "5: movl %%eax, 0(%3)\n"
15214 - "6: movl %%edx, 4(%3)\n"
15215 + "5: movl %%eax, %%es:0(%3)\n"
15216 + "6: movl %%edx, %%es:4(%3)\n"
15217 "7: movl 8(%4), %%eax\n"
15218 "8: movl 12(%4),%%edx\n"
15219 - "9: movl %%eax, 8(%3)\n"
15220 - "10: movl %%edx, 12(%3)\n"
15221 + "9: movl %%eax, %%es:8(%3)\n"
15222 + "10: movl %%edx, %%es:12(%3)\n"
15223 "11: movl 16(%4), %%eax\n"
15224 "12: movl 20(%4), %%edx\n"
15225 - "13: movl %%eax, 16(%3)\n"
15226 - "14: movl %%edx, 20(%3)\n"
15227 + "13: movl %%eax, %%es:16(%3)\n"
15228 + "14: movl %%edx, %%es:20(%3)\n"
15229 "15: movl 24(%4), %%eax\n"
15230 "16: movl 28(%4), %%edx\n"
15231 - "17: movl %%eax, 24(%3)\n"
15232 - "18: movl %%edx, 28(%3)\n"
15233 + "17: movl %%eax, %%es:24(%3)\n"
15234 + "18: movl %%edx, %%es:28(%3)\n"
15235 "19: movl 32(%4), %%eax\n"
15236 "20: movl 36(%4), %%edx\n"
15237 - "21: movl %%eax, 32(%3)\n"
15238 - "22: movl %%edx, 36(%3)\n"
15239 + "21: movl %%eax, %%es:32(%3)\n"
15240 + "22: movl %%edx, %%es:36(%3)\n"
15241 "23: movl 40(%4), %%eax\n"
15242 "24: movl 44(%4), %%edx\n"
15243 - "25: movl %%eax, 40(%3)\n"
15244 - "26: movl %%edx, 44(%3)\n"
15245 + "25: movl %%eax, %%es:40(%3)\n"
15246 + "26: movl %%edx, %%es:44(%3)\n"
15247 "27: movl 48(%4), %%eax\n"
15248 "28: movl 52(%4), %%edx\n"
15249 - "29: movl %%eax, 48(%3)\n"
15250 - "30: movl %%edx, 52(%3)\n"
15251 + "29: movl %%eax, %%es:48(%3)\n"
15252 + "30: movl %%edx, %%es:52(%3)\n"
15253 "31: movl 56(%4), %%eax\n"
15254 "32: movl 60(%4), %%edx\n"
15255 - "33: movl %%eax, 56(%3)\n"
15256 - "34: movl %%edx, 60(%3)\n"
15257 + "33: movl %%eax, %%es:56(%3)\n"
15258 + "34: movl %%edx, %%es:60(%3)\n"
15262 @@ -282,6 +406,8 @@ __copy_user_intel(void __user *to, const
15263 "36: movl %%eax, %0\n"
15268 ".section .fixup,\"ax\"\n"
15269 "101: lea 0(%%eax,%0,4),%0\n"
15271 @@ -328,7 +454,7 @@ __copy_user_intel(void __user *to, const
15272 " .long 99b,101b\n"
15274 : "=&c"(size), "=&D" (d0), "=&S" (d1)
15275 - : "1"(to), "2"(from), "0"(size)
15276 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
15277 : "eax", "edx", "memory");
15280 @@ -338,6 +464,7 @@ __copy_user_zeroing_intel(void *to, cons
15283 __asm__ __volatile__(
15284 + " movw %w6, %%ds\n"
15286 "0: movl 32(%4), %%eax\n"
15288 @@ -346,36 +473,36 @@ __copy_user_zeroing_intel(void *to, cons
15290 "2: movl 0(%4), %%eax\n"
15291 "21: movl 4(%4), %%edx\n"
15292 - " movl %%eax, 0(%3)\n"
15293 - " movl %%edx, 4(%3)\n"
15294 + " movl %%eax, %%es:0(%3)\n"
15295 + " movl %%edx, %%es:4(%3)\n"
15296 "3: movl 8(%4), %%eax\n"
15297 "31: movl 12(%4),%%edx\n"
15298 - " movl %%eax, 8(%3)\n"
15299 - " movl %%edx, 12(%3)\n"
15300 + " movl %%eax, %%es:8(%3)\n"
15301 + " movl %%edx, %%es:12(%3)\n"
15302 "4: movl 16(%4), %%eax\n"
15303 "41: movl 20(%4), %%edx\n"
15304 - " movl %%eax, 16(%3)\n"
15305 - " movl %%edx, 20(%3)\n"
15306 + " movl %%eax, %%es:16(%3)\n"
15307 + " movl %%edx, %%es:20(%3)\n"
15308 "10: movl 24(%4), %%eax\n"
15309 "51: movl 28(%4), %%edx\n"
15310 - " movl %%eax, 24(%3)\n"
15311 - " movl %%edx, 28(%3)\n"
15312 + " movl %%eax, %%es:24(%3)\n"
15313 + " movl %%edx, %%es:28(%3)\n"
15314 "11: movl 32(%4), %%eax\n"
15315 "61: movl 36(%4), %%edx\n"
15316 - " movl %%eax, 32(%3)\n"
15317 - " movl %%edx, 36(%3)\n"
15318 + " movl %%eax, %%es:32(%3)\n"
15319 + " movl %%edx, %%es:36(%3)\n"
15320 "12: movl 40(%4), %%eax\n"
15321 "71: movl 44(%4), %%edx\n"
15322 - " movl %%eax, 40(%3)\n"
15323 - " movl %%edx, 44(%3)\n"
15324 + " movl %%eax, %%es:40(%3)\n"
15325 + " movl %%edx, %%es:44(%3)\n"
15326 "13: movl 48(%4), %%eax\n"
15327 "81: movl 52(%4), %%edx\n"
15328 - " movl %%eax, 48(%3)\n"
15329 - " movl %%edx, 52(%3)\n"
15330 + " movl %%eax, %%es:48(%3)\n"
15331 + " movl %%edx, %%es:52(%3)\n"
15332 "14: movl 56(%4), %%eax\n"
15333 "91: movl 60(%4), %%edx\n"
15334 - " movl %%eax, 56(%3)\n"
15335 - " movl %%edx, 60(%3)\n"
15336 + " movl %%eax, %%es:56(%3)\n"
15337 + " movl %%edx, %%es:60(%3)\n"
15341 @@ -389,6 +516,8 @@ __copy_user_zeroing_intel(void *to, cons
15347 ".section .fixup,\"ax\"\n"
15348 "9: lea 0(%%eax,%0,4),%0\n"
15350 @@ -423,7 +552,7 @@ __copy_user_zeroing_intel(void *to, cons
15353 : "=&c"(size), "=&D" (d0), "=&S" (d1)
15354 - : "1"(to), "2"(from), "0"(size)
15355 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
15356 : "eax", "edx", "memory");
15359 @@ -439,6 +568,7 @@ static unsigned long __copy_user_zeroing
15362 __asm__ __volatile__(
15363 + " movw %w6, %%ds\n"
15365 "0: movl 32(%4), %%eax\n"
15367 @@ -447,36 +577,36 @@ static unsigned long __copy_user_zeroing
15369 "2: movl 0(%4), %%eax\n"
15370 "21: movl 4(%4), %%edx\n"
15371 - " movnti %%eax, 0(%3)\n"
15372 - " movnti %%edx, 4(%3)\n"
15373 + " movnti %%eax, %%es:0(%3)\n"
15374 + " movnti %%edx, %%es:4(%3)\n"
15375 "3: movl 8(%4), %%eax\n"
15376 "31: movl 12(%4),%%edx\n"
15377 - " movnti %%eax, 8(%3)\n"
15378 - " movnti %%edx, 12(%3)\n"
15379 + " movnti %%eax, %%es:8(%3)\n"
15380 + " movnti %%edx, %%es:12(%3)\n"
15381 "4: movl 16(%4), %%eax\n"
15382 "41: movl 20(%4), %%edx\n"
15383 - " movnti %%eax, 16(%3)\n"
15384 - " movnti %%edx, 20(%3)\n"
15385 + " movnti %%eax, %%es:16(%3)\n"
15386 + " movnti %%edx, %%es:20(%3)\n"
15387 "10: movl 24(%4), %%eax\n"
15388 "51: movl 28(%4), %%edx\n"
15389 - " movnti %%eax, 24(%3)\n"
15390 - " movnti %%edx, 28(%3)\n"
15391 + " movnti %%eax, %%es:24(%3)\n"
15392 + " movnti %%edx, %%es:28(%3)\n"
15393 "11: movl 32(%4), %%eax\n"
15394 "61: movl 36(%4), %%edx\n"
15395 - " movnti %%eax, 32(%3)\n"
15396 - " movnti %%edx, 36(%3)\n"
15397 + " movnti %%eax, %%es:32(%3)\n"
15398 + " movnti %%edx, %%es:36(%3)\n"
15399 "12: movl 40(%4), %%eax\n"
15400 "71: movl 44(%4), %%edx\n"
15401 - " movnti %%eax, 40(%3)\n"
15402 - " movnti %%edx, 44(%3)\n"
15403 + " movnti %%eax, %%es:40(%3)\n"
15404 + " movnti %%edx, %%es:44(%3)\n"
15405 "13: movl 48(%4), %%eax\n"
15406 "81: movl 52(%4), %%edx\n"
15407 - " movnti %%eax, 48(%3)\n"
15408 - " movnti %%edx, 52(%3)\n"
15409 + " movnti %%eax, %%es:48(%3)\n"
15410 + " movnti %%edx, %%es:52(%3)\n"
15411 "14: movl 56(%4), %%eax\n"
15412 "91: movl 60(%4), %%edx\n"
15413 - " movnti %%eax, 56(%3)\n"
15414 - " movnti %%edx, 60(%3)\n"
15415 + " movnti %%eax, %%es:56(%3)\n"
15416 + " movnti %%edx, %%es:60(%3)\n"
15420 @@ -491,6 +621,8 @@ static unsigned long __copy_user_zeroing
15426 ".section .fixup,\"ax\"\n"
15427 "9: lea 0(%%eax,%0,4),%0\n"
15429 @@ -525,7 +657,7 @@ static unsigned long __copy_user_zeroing
15432 : "=&c"(size), "=&D" (d0), "=&S" (d1)
15433 - : "1"(to), "2"(from), "0"(size)
15434 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
15435 : "eax", "edx", "memory");
15438 @@ -536,6 +668,7 @@ static unsigned long __copy_user_intel_n
15441 __asm__ __volatile__(
15442 + " movw %w6, %%ds\n"
15444 "0: movl 32(%4), %%eax\n"
15446 @@ -544,36 +677,36 @@ static unsigned long __copy_user_intel_n
15448 "2: movl 0(%4), %%eax\n"
15449 "21: movl 4(%4), %%edx\n"
15450 - " movnti %%eax, 0(%3)\n"
15451 - " movnti %%edx, 4(%3)\n"
15452 + " movnti %%eax, %%es:0(%3)\n"
15453 + " movnti %%edx, %%es:4(%3)\n"
15454 "3: movl 8(%4), %%eax\n"
15455 "31: movl 12(%4),%%edx\n"
15456 - " movnti %%eax, 8(%3)\n"
15457 - " movnti %%edx, 12(%3)\n"
15458 + " movnti %%eax, %%es:8(%3)\n"
15459 + " movnti %%edx, %%es:12(%3)\n"
15460 "4: movl 16(%4), %%eax\n"
15461 "41: movl 20(%4), %%edx\n"
15462 - " movnti %%eax, 16(%3)\n"
15463 - " movnti %%edx, 20(%3)\n"
15464 + " movnti %%eax, %%es:16(%3)\n"
15465 + " movnti %%edx, %%es:20(%3)\n"
15466 "10: movl 24(%4), %%eax\n"
15467 "51: movl 28(%4), %%edx\n"
15468 - " movnti %%eax, 24(%3)\n"
15469 - " movnti %%edx, 28(%3)\n"
15470 + " movnti %%eax, %%es:24(%3)\n"
15471 + " movnti %%edx, %%es:28(%3)\n"
15472 "11: movl 32(%4), %%eax\n"
15473 "61: movl 36(%4), %%edx\n"
15474 - " movnti %%eax, 32(%3)\n"
15475 - " movnti %%edx, 36(%3)\n"
15476 + " movnti %%eax, %%es:32(%3)\n"
15477 + " movnti %%edx, %%es:36(%3)\n"
15478 "12: movl 40(%4), %%eax\n"
15479 "71: movl 44(%4), %%edx\n"
15480 - " movnti %%eax, 40(%3)\n"
15481 - " movnti %%edx, 44(%3)\n"
15482 + " movnti %%eax, %%es:40(%3)\n"
15483 + " movnti %%edx, %%es:44(%3)\n"
15484 "13: movl 48(%4), %%eax\n"
15485 "81: movl 52(%4), %%edx\n"
15486 - " movnti %%eax, 48(%3)\n"
15487 - " movnti %%edx, 52(%3)\n"
15488 + " movnti %%eax, %%es:48(%3)\n"
15489 + " movnti %%edx, %%es:52(%3)\n"
15490 "14: movl 56(%4), %%eax\n"
15491 "91: movl 60(%4), %%edx\n"
15492 - " movnti %%eax, 56(%3)\n"
15493 - " movnti %%edx, 60(%3)\n"
15494 + " movnti %%eax, %%es:56(%3)\n"
15495 + " movnti %%edx, %%es:60(%3)\n"
15499 @@ -588,6 +721,8 @@ static unsigned long __copy_user_intel_n
15505 ".section .fixup,\"ax\"\n"
15506 "9: lea 0(%%eax,%0,4),%0\n"
15508 @@ -616,7 +751,7 @@ static unsigned long __copy_user_intel_n
15511 : "=&c"(size), "=&D" (d0), "=&S" (d1)
15512 - : "1"(to), "2"(from), "0"(size)
15513 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
15514 : "eax", "edx", "memory");
15517 @@ -629,90 +764,146 @@ static unsigned long __copy_user_intel_n
15519 unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
15520 unsigned long size);
15521 -unsigned long __copy_user_intel(void __user *to, const void *from,
15522 +unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
15523 + unsigned long size);
15524 +unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
15525 unsigned long size);
15526 unsigned long __copy_user_zeroing_intel_nocache(void *to,
15527 const void __user *from, unsigned long size);
15528 #endif /* CONFIG_X86_INTEL_USERCOPY */
15530 /* Generic arbitrary sized copy. */
15531 -#define __copy_user(to, from, size) \
15533 - int __d0, __d1, __d2; \
15534 - __asm__ __volatile__( \
15537 - " movl %1,%0\n" \
15539 - " andl $7,%0\n" \
15540 - " subl %0,%3\n" \
15541 - "4: rep; movsb\n" \
15542 - " movl %3,%0\n" \
15543 - " shrl $2,%0\n" \
15544 - " andl $3,%3\n" \
15545 - " .align 2,0x90\n" \
15546 - "0: rep; movsl\n" \
15547 - " movl %3,%0\n" \
15548 - "1: rep; movsb\n" \
15550 - ".section .fixup,\"ax\"\n" \
15551 - "5: addl %3,%0\n" \
15553 - "3: lea 0(%3,%0,4),%0\n" \
15556 - ".section __ex_table,\"a\"\n" \
15558 - " .long 4b,5b\n" \
15559 - " .long 0b,3b\n" \
15560 - " .long 1b,2b\n" \
15562 - : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2) \
15563 - : "3"(size), "0"(size), "1"(to), "2"(from) \
15567 -#define __copy_user_zeroing(to, from, size) \
15569 - int __d0, __d1, __d2; \
15570 - __asm__ __volatile__( \
15573 - " movl %1,%0\n" \
15575 - " andl $7,%0\n" \
15576 - " subl %0,%3\n" \
15577 - "4: rep; movsb\n" \
15578 - " movl %3,%0\n" \
15579 - " shrl $2,%0\n" \
15580 - " andl $3,%3\n" \
15581 - " .align 2,0x90\n" \
15582 - "0: rep; movsl\n" \
15583 - " movl %3,%0\n" \
15584 - "1: rep; movsb\n" \
15586 - ".section .fixup,\"ax\"\n" \
15587 - "5: addl %3,%0\n" \
15589 - "3: lea 0(%3,%0,4),%0\n" \
15590 - "6: pushl %0\n" \
15591 - " pushl %%eax\n" \
15592 - " xorl %%eax,%%eax\n" \
15593 - " rep; stosb\n" \
15594 - " popl %%eax\n" \
15598 - ".section __ex_table,\"a\"\n" \
15600 - " .long 4b,5b\n" \
15601 - " .long 0b,3b\n" \
15602 - " .long 1b,6b\n" \
15604 - : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2) \
15605 - : "3"(size), "0"(size), "1"(to), "2"(from) \
15608 +static unsigned long
15609 +__generic_copy_to_user(void __user *to, const void *from, unsigned long size)
15611 + int __d0, __d1, __d2;
15613 + __asm__ __volatile__(
15614 + " movw %w8,%%es\n"
15621 + "4: rep; movsb\n"
15625 + " .align 2,0x90\n"
15626 + "0: rep; movsl\n"
15628 + "1: rep; movsb\n"
15632 + ".section .fixup,\"ax\"\n"
15633 + "5: addl %3,%0\n"
15635 + "3: lea 0(%3,%0,4),%0\n"
15638 + ".section __ex_table,\"a\"\n"
15644 + : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
15645 + : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
15650 +static unsigned long
15651 +__generic_copy_from_user(void *to, const void __user *from, unsigned long size)
15653 + int __d0, __d1, __d2;
15655 + __asm__ __volatile__(
15656 + " movw %w8,%%ds\n"
15663 + "4: rep; movsb\n"
15667 + " .align 2,0x90\n"
15668 + "0: rep; movsl\n"
15670 + "1: rep; movsb\n"
15674 + ".section .fixup,\"ax\"\n"
15675 + "5: addl %3,%0\n"
15677 + "3: lea 0(%3,%0,4),%0\n"
15680 + ".section __ex_table,\"a\"\n"
15686 + : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
15687 + : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
15692 +static unsigned long
15693 +__copy_user_zeroing(void *to, const void __user *from, unsigned long size)
15695 + int __d0, __d1, __d2;
15697 + __asm__ __volatile__(
15698 + " movw %w8,%%ds\n"
15705 + "4: rep; movsb\n"
15709 + " .align 2,0x90\n"
15710 + "0: rep; movsl\n"
15712 + "1: rep; movsb\n"
15716 + ".section .fixup,\"ax\"\n"
15717 + "5: addl %3,%0\n"
15719 + "3: lea 0(%3,%0,4),%0\n"
15722 + " xorl %%eax,%%eax\n"
15728 + ".section __ex_table,\"a\"\n"
15734 + : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
15735 + : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
15740 unsigned long __copy_to_user_ll(void __user *to, const void *from,
15742 @@ -775,9 +966,9 @@ survive:
15745 if (movsl_is_ok(to, from, n))
15746 - __copy_user(to, from, n);
15747 + n = __generic_copy_to_user(to, from, n);
15749 - n = __copy_user_intel(to, from, n);
15750 + n = __generic_copy_to_user_intel(to, from, n);
15753 EXPORT_SYMBOL(__copy_to_user_ll);
15754 @@ -786,7 +977,7 @@ unsigned long __copy_from_user_ll(void *
15757 if (movsl_is_ok(to, from, n))
15758 - __copy_user_zeroing(to, from, n);
15759 + n = __copy_user_zeroing(to, from, n);
15761 n = __copy_user_zeroing_intel(to, from, n);
15763 @@ -797,10 +988,9 @@ unsigned long __copy_from_user_ll_nozero
15766 if (movsl_is_ok(to, from, n))
15767 - __copy_user(to, from, n);
15768 + n = __generic_copy_from_user(to, from, n);
15770 - n = __copy_user_intel((void __user *)to,
15771 - (const void *)from, n);
15772 + n = __generic_copy_from_user_intel(to, from, n);
15775 EXPORT_SYMBOL(__copy_from_user_ll_nozero);
15776 @@ -812,9 +1002,9 @@ unsigned long __copy_from_user_ll_nocach
15777 if (n > 64 && cpu_has_xmm2)
15778 n = __copy_user_zeroing_intel_nocache(to, from, n);
15780 - __copy_user_zeroing(to, from, n);
15781 + n = __copy_user_zeroing(to, from, n);
15783 - __copy_user_zeroing(to, from, n);
15784 + n = __copy_user_zeroing(to, from, n);
15788 @@ -827,65 +1017,53 @@ unsigned long __copy_from_user_ll_nocach
15789 if (n > 64 && cpu_has_xmm2)
15790 n = __copy_user_intel_nocache(to, from, n);
15792 - __copy_user(to, from, n);
15793 + n = __generic_copy_from_user(to, from, n);
15795 - __copy_user(to, from, n);
15796 + n = __generic_copy_from_user(to, from, n);
15800 EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
15803 - * copy_to_user: - Copy a block of data into user space.
15804 - * @to: Destination address, in user space.
15805 - * @from: Source address, in kernel space.
15806 - * @n: Number of bytes to copy.
15808 - * Context: User context only. This function may sleep.
15810 - * Copy data from kernel space to user space.
15812 - * Returns number of bytes that could not be copied.
15813 - * On success, this will be zero.
15816 -copy_to_user(void __user *to, const void *from, unsigned long n)
15817 +void copy_from_user_overflow(void)
15819 - if (access_ok(VERIFY_WRITE, to, n))
15820 - n = __copy_to_user(to, from, n);
15822 + WARN(1, "Buffer overflow detected!\n");
15824 -EXPORT_SYMBOL(copy_to_user);
15825 +EXPORT_SYMBOL(copy_from_user_overflow);
15828 - * copy_from_user: - Copy a block of data from user space.
15829 - * @to: Destination address, in kernel space.
15830 - * @from: Source address, in user space.
15831 - * @n: Number of bytes to copy.
15833 - * Context: User context only. This function may sleep.
15835 - * Copy data from user space to kernel space.
15837 - * Returns number of bytes that could not be copied.
15838 - * On success, this will be zero.
15840 - * If some data could not be copied, this function will pad the copied
15841 - * data to the requested size using zero bytes.
15844 -_copy_from_user(void *to, const void __user *from, unsigned long n)
15845 +void copy_to_user_overflow(void)
15847 - if (access_ok(VERIFY_READ, from, n))
15848 - n = __copy_from_user(to, from, n);
15850 - memset(to, 0, n);
15852 + WARN(1, "Buffer overflow detected!\n");
15854 -EXPORT_SYMBOL(_copy_from_user);
15855 +EXPORT_SYMBOL(copy_to_user_overflow);
15857 -void copy_from_user_overflow(void)
15858 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15859 +void __set_fs(mm_segment_t x, int cpu)
15861 - WARN(1, "Buffer overflow detected!\n");
15862 + unsigned long limit = x.seg;
15863 + struct desc_struct d;
15865 + current_thread_info()->addr_limit = x;
15866 + if (unlikely(paravirt_enabled()))
15869 + if (likely(limit))
15870 + limit = (limit - 1UL) >> PAGE_SHIFT;
15871 + pack_descriptor(&d, 0UL, limit, 0xF3, 0xC);
15872 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_DS, &d, DESCTYPE_S);
15874 -EXPORT_SYMBOL(copy_from_user_overflow);
15876 +void set_fs(mm_segment_t x)
15878 + __set_fs(x, get_cpu());
15881 +EXPORT_SYMBOL(copy_from_user);
15883 +void set_fs(mm_segment_t x)
15885 + current_thread_info()->addr_limit = x;
15889 +EXPORT_SYMBOL(set_fs);
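Review bot: `EXPORT_SYMBOL(copy_from_user);` sits between the UDEREF `set_fs()` and the fallback `set_fs()`, so it appears to be compiled only when CONFIG_PAX_MEMORY_UDEREF is set, while this same hunk removes the `copy_to_user`/`_copy_from_user` definitions and their exports from the file. The preprocessor lines around it are missing from this listing, so this needs confirming; if the export is meant to be unconditional, it belongs next to the definition rather than inside the set_fs block. Separately, `__set_fs(x, get_cpu())` leaves preemption disabled until a matching `put_cpu()`, and the line after the call is not shown, so check that the pairing is there. The `0xF3, 0xC` arguments to `pack_descriptor()` would also benefit from a short comment naming the descriptor type and flags they encode.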
15890 diff -urNp linux-2.6.33.1/arch/x86/Makefile linux-2.6.33.1/arch/x86/Makefile
15891 --- linux-2.6.33.1/arch/x86/Makefile 2010-03-15 12:09:39.000000000 -0400
15892 +++ linux-2.6.33.1/arch/x86/Makefile 2010-03-20 16:58:39.028522513 -0400
15893 @@ -192,3 +192,12 @@ define archhelp
15894 echo ' FDARGS="..." arguments for the booted kernel'
15895 echo ' FDINITRD=file initrd for the booted kernel'
15900 +*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils.
15901 +*** Please upgrade your binutils to 2.18 or newer
15905 + $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
15906 diff -urNp linux-2.6.33.1/arch/x86/mm/extable.c linux-2.6.33.1/arch/x86/mm/extable.c
15907 --- linux-2.6.33.1/arch/x86/mm/extable.c 2010-03-15 12:09:39.000000000 -0400
15908 +++ linux-2.6.33.1/arch/x86/mm/extable.c 2010-03-20 16:58:39.032549699 -0400
15910 #include <linux/module.h>
15911 #include <linux/spinlock.h>
15912 +#include <linux/sort.h>
15913 #include <asm/uaccess.h>
15914 +#include <asm/pgtable.h>
15917 + * The exception table needs to be sorted so that the binary
15918 + * search that we use to find entries in it works properly.
15919 + * This is used both for the kernel exception table and for
15920 + * the exception tables of modules that get loaded.
15922 +static int cmp_ex(const void *a, const void *b)
15924 + const struct exception_table_entry *x = a, *y = b;
15926 + /* avoid overflow */
15927 + if (x->insn > y->insn)
15929 + if (x->insn < y->insn)
15934 +static void swap_ex(void *a, void *b, int size)
15936 + struct exception_table_entry t, *x = a, *y = b;
15940 + pax_open_kernel();
15943 + pax_close_kernel();
15946 +void sort_extable(struct exception_table_entry *start,
15947 + struct exception_table_entry *finish)
15949 + sort(start, finish - start, sizeof(struct exception_table_entry),
15950 + cmp_ex, swap_ex);
15953 +#ifdef CONFIG_MODULES
15955 + * If the exception table is sorted, any referring to the module init
15956 + * will be at the beginning or the end.
15958 +void trim_init_extable(struct module *m)
15960 + /*trim the beginning*/
15961 + while (m->num_exentries && within_module_init(m->extable[0].insn, m)) {
15963 + m->num_exentries--;
15966 + while (m->num_exentries &&
15967 + within_module_init(m->extable[m->num_exentries-1].insn, m))
15968 + m->num_exentries--;
15970 +#endif /* CONFIG_MODULES */
15972 int fixup_exception(struct pt_regs *regs)
15974 const struct exception_table_entry *fixup;
15976 #ifdef CONFIG_PNPBIOS
15977 - if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
15978 + if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) {
15979 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
15980 extern u32 pnp_bios_is_utter_crap;
15981 pnp_bios_is_utter_crap = 1;
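Review bot: The added `!v8086_mode(regs)` test in `fixup_exception()` has no comment, and the reason is not obvious from the line itself. Presumably in vm86 mode `regs->cs` holds a real-mode segment value rather than a selector, so it could match `SEGMENT_IS_PNP_CODE()` by coincidence and send a user-mode fault down the PnP BIOS recovery path. A comment such as `/* vm86: regs->cs is a real-mode segment, never a PnP BIOS selector */` would record that. `swap_ex()` likewise brackets its writes with `pax_open_kernel()`/`pax_close_kernel()` without saying which mapping is read-only at that point. `fixup_exception()` continues past the end of the hunk.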
15982 diff -urNp linux-2.6.33.1/arch/x86/mm/fault.c linux-2.6.33.1/arch/x86/mm/fault.c
15983 --- linux-2.6.33.1/arch/x86/mm/fault.c 2010-03-15 12:09:39.000000000 -0400
15984 +++ linux-2.6.33.1/arch/x86/mm/fault.c 2010-03-20 16:58:39.032549699 -0400
15985 @@ -11,10 +11,14 @@
15986 #include <linux/kprobes.h> /* __kprobes, ... */
15987 #include <linux/mmiotrace.h> /* kmmio_handler, ... */
15988 #include <linux/perf_event.h> /* perf_sw_event */
15989 +#include <linux/unistd.h>
15990 +#include <linux/compiler.h>
15992 #include <asm/traps.h> /* dotraplinkage, ... */
15993 #include <asm/pgalloc.h> /* pgd_*(), ... */
15994 #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */
15995 +#include <asm/vsyscall.h>
15996 +#include <asm/tlbflush.h>
15999 * Page fault error code bits:
16000 @@ -52,7 +56,7 @@ static inline int __kprobes notify_page_
16003 /* kprobe_running() needs smp_processor_id() */
16004 - if (kprobes_built_in() && !user_mode_vm(regs)) {
16005 + if (kprobes_built_in() && !user_mode(regs)) {
16007 if (kprobe_running() && kprobe_fault_handler(regs, 14))
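Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` in `notify_page_fault()` is only behaviour-preserving if `user_mode()` has been redefined elsewhere in the patch to account for vm86 tasks. In the unpatched 32-bit tree `user_mode()` looks only at the privilege bits of `regs->cs`, and `user_mode_vm()` exists precisely to include the VM flag. That redefinition is not visible in this file's diff, so it should be confirmed before accepting the substitution. The same change is made in `do_page_fault()` at the `@@ -1018,7 +1221,7 @@` hunk, where it decides whether `PF_USER` is set. `notify_page_fault()` starts and ends outside this hunk.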
16009 @@ -173,6 +177,30 @@ force_sig_info_fault(int si_signo, int s
16010 force_sig_info(si_signo, &info, tsk);
16013 +#ifdef CONFIG_PAX_EMUTRAMP
16014 +static int pax_handle_fetch_fault(struct pt_regs *regs);
16017 +#ifdef CONFIG_PAX_PAGEEXEC
16018 +static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
16024 + pgd = pgd_offset(mm, address);
16025 + if (!pgd_present(*pgd))
16027 + pud = pud_offset(pgd, address);
16028 + if (!pud_present(*pud))
16030 + pmd = pmd_offset(pud, address);
16031 + if (!pmd_present(*pmd))
16037 DEFINE_SPINLOCK(pgd_lock);
16038 LIST_HEAD(pgd_list);
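Review bot: `pax_get_pmd()` checks `pmd_present()` but, as far as the visible lines show, not whether the entry maps a large page, and its caller `pax_handle_pageexec_fault()` passes the result straight to `pte_offset_map_lock()`. If a user mapping at that address can ever be backed by a large pmd, the caller would treat the data page as a page table; either reject that case here or document why it cannot occur. The helper also has no comment on the locking it expects (the caller appears to hold `mmap_sem` for read) or on the NULL return the caller tests for.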
16040 @@ -536,7 +564,7 @@ static int is_errata93(struct pt_regs *r
16041 static int is_errata100(struct pt_regs *regs, unsigned long address)
16043 #ifdef CONFIG_X86_64
16044 - if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
16045 + if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32))
16049 @@ -563,7 +591,7 @@ static int is_f00f_bug(struct pt_regs *r
16052 static const char nx_warning[] = KERN_CRIT
16053 -"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
16054 +"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n";
16057 show_fault_oops(struct pt_regs *regs, unsigned long error_code,
16058 @@ -572,15 +600,26 @@ show_fault_oops(struct pt_regs *regs, un
16059 if (!oops_may_print())
16062 - if (error_code & PF_INSTR) {
16063 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) {
16064 unsigned int level;
16066 pte_t *pte = lookup_address(address, &level);
16068 if (pte && pte_present(*pte) && !pte_exec(*pte))
16069 - printk(nx_warning, current_uid());
16070 + printk(nx_warning, current_uid(), current->comm, task_pid_nr(current));
16073 +#ifdef CONFIG_PAX_KERNEXEC
16074 + if (init_mm.start_code <= address && address < init_mm.end_code) {
16075 + if (current->signal->curr_ip)
16076 + printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
16077 + ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
16079 + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
16080 + current->comm, task_pid_nr(current), current_uid(), current_euid());
16084 printk(KERN_ALERT "BUG: unable to handle kernel ");
16085 if (address < PAGE_SIZE)
16086 printk(KERN_CONT "NULL pointer dereference");
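Review bot: The new PAX messages and the extended `nx_warning` print `current->comm` with a plain `%s`. A task name is set from user space and may contain newlines or control characters, so a process that reaches this path can shape what appears in the kernel log next to a security alert. Escaping non-printable bytes before logging, or at least noting the limitation where these messages are consumed, would keep the audit trail trustworthy. The `¤t->signal->curr_ip` on the first PAX printk is presumably `&current->signal->curr_ip` mangled by this page's encoding. `show_fault_oops()` starts and ends outside the hunk.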
16087 @@ -705,6 +744,68 @@ __bad_area_nosemaphore(struct pt_regs *r
16088 unsigned long address, int si_code)
16090 struct task_struct *tsk = current;
16091 + struct mm_struct *mm = tsk->mm;
16093 +#ifdef CONFIG_X86_64
16094 + if (mm && (error_code & PF_INSTR)) {
16095 + if (regs->ip == (unsigned long)vgettimeofday) {
16096 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_gettimeofday);
16098 + } else if (regs->ip == (unsigned long)vtime) {
16099 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_time);
16101 + } else if (regs->ip == (unsigned long)vgetcpu) {
16102 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, getcpu);
16108 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
16109 + if (mm && (error_code & PF_USER)) {
16110 + unsigned long ip = regs->ip;
16112 + if (v8086_mode(regs))
16113 + ip = ((regs->cs & 0xffff) << 4) + (regs->ip & 0xffff);
16116 + * It's possible to have interrupts off here:
16118 + local_irq_enable();
16120 +#ifdef CONFIG_PAX_PAGEEXEC
16121 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) &&
16122 + (((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) || (!(error_code & (PF_PROT | PF_WRITE)) && regs->ip == address))) {
16124 +#ifdef CONFIG_PAX_EMUTRAMP
16125 + switch (pax_handle_fetch_fault(regs)) {
16131 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
16132 + do_group_exit(SIGKILL);
16136 +#ifdef CONFIG_PAX_SEGMEXEC
16137 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & (PF_PROT | PF_WRITE)) && (regs->ip + SEGMEXEC_TASK_SIZE == address)) {
16139 +#ifdef CONFIG_PAX_EMUTRAMP
16140 + switch (pax_handle_fetch_fault(regs)) {
16146 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
16147 + do_group_exit(SIGKILL);
16154 /* User mode accesses just cause a SIGSEGV */
16155 if (error_code & PF_USER) {
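Review bot: In the PAGEEXEC/SEGMEXEC block, `ip` is computed with the vm86 translation (`((regs->cs & 0xffff) << 4) + (regs->ip & 0xffff)`), but both visible fetch-fault tests compare `regs->ip` instead: `regs->ip == address` and `regs->ip + SEGMEXEC_TASK_SIZE == address`. Unless one of the lines missing from this listing uses it, `ip` is dead and vm86 tasks are matched on the raw offset. If `ip` is meant to be the linear fetch address, the tests should read `ip == address` and `ip + SEGMEXEC_TASK_SIZE == address`; otherwise drop the variable. `__bad_area_nosemaphore()` continues outside the hunk.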
16156 @@ -849,6 +950,106 @@ static int spurious_fault_check(unsigned
16160 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
16161 +static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code)
16166 + unsigned char pte_mask;
16168 + if ((__supported_pte_mask & _PAGE_NX) || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) ||
16169 + !(mm->pax_flags & MF_PAX_PAGEEXEC))
16172 + /* PaX: it's our fault, let's handle it if we can */
16174 + /* PaX: take a look at read faults before acquiring any locks */
16175 + if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) {
16176 + /* instruction fetch attempt from a protected page in user mode */
16177 + up_read(&mm->mmap_sem);
16179 +#ifdef CONFIG_PAX_EMUTRAMP
16180 + switch (pax_handle_fetch_fault(regs)) {
16186 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
16187 + do_group_exit(SIGKILL);
16190 + pmd = pax_get_pmd(mm, address);
16191 + if (unlikely(!pmd))
16194 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
16195 + if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
16196 + pte_unmap_unlock(pte, ptl);
16200 + if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) {
16201 + /* write attempt to a protected page in user mode */
16202 + pte_unmap_unlock(pte, ptl);
16207 + if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
16209 + if (likely(address > get_limit(regs->cs)))
16212 + set_pte(pte, pte_mkread(*pte));
16213 + __flush_tlb_one(address);
16214 + pte_unmap_unlock(pte, ptl);
16215 + up_read(&mm->mmap_sem);
16219 + pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1));
16222 + * PaX: fill DTLB with user rights and retry
16224 + __asm__ __volatile__ (
16225 +#ifdef CONFIG_PAX_MEMORY_UDEREF
16226 + "movw %w4,%%es\n"
16229 +#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
16231 + * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
16232 + * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
16233 + * page fault when examined during a TLB load attempt. this is true not only
16234 + * for PTEs holding a non-present entry but also present entries that will
16235 + * raise a page fault (such as those set up by PaX, or the copy-on-write
16236 + * mechanism). in effect it means that we do *not* need to flush the TLBs
16237 + * for our target pages since their PTEs are simply not in the TLBs at all.
16239 + * the best thing in omitting it is that we gain around 15-20% speed in the
16240 + * fast path of the page fault handler and can get rid of tracing since we
16241 + * can no longer flush unintended entries.
16245 + "testb $0,%%es:(%0)\n"
16247 +#ifdef CONFIG_PAX_MEMORY_UDEREF
16252 + : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER), "r" (__USER_DS)
16253 + : "memory", "cc");
16254 + pte_unmap_unlock(pte, ptl);
16255 + up_read(&mm->mmap_sem);
16261 * Handle a spurious fault caused by a stale TLB entry.
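Review bot: `pte_mask` is built with `((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1))`, which only yields the dirty bit because PF_WRITE happens to be bit 1, and the result is stored in an `unsigned char`. Writing it as `((error_code & PF_WRITE) ? _PAGE_DIRTY : 0)` states the intent; alternatively the bit-position assumption should be pinned with a build-time check. `pax_handle_pageexec_fault()` also calls `up_read(&mm->mmap_sem)` on several paths although it never takes the semaphore in the visible lines. A header comment should say that the caller enters with it held and for which return values it has already been released.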
16263 @@ -915,6 +1116,9 @@ int show_unhandled_signals = 1;
16265 access_error(unsigned long error_code, int write, struct vm_area_struct *vma)
16267 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
16271 /* write, present and write, not present: */
16272 if (unlikely(!(vma->vm_flags & VM_WRITE)))
16273 @@ -948,17 +1152,16 @@ do_page_fault(struct pt_regs *regs, unsi
16275 struct vm_area_struct *vma;
16276 struct task_struct *tsk;
16277 - unsigned long address;
16278 struct mm_struct *mm;
16282 + /* Get the faulting address: */
16283 + const unsigned long address = read_cr2();
16288 - /* Get the faulting address: */
16289 - address = read_cr2();
16292 * Detect and handle instructions that would cause a page fault for
16293 * both a tracked kernel page and a userspace page.
16294 @@ -1018,7 +1221,7 @@ do_page_fault(struct pt_regs *regs, unsi
16295 * User-mode registers count as a user access even for any
16296 * potential system fault or CPU buglet:
16298 - if (user_mode_vm(regs)) {
16299 + if (user_mode(regs)) {
16300 local_irq_enable();
16301 error_code |= PF_USER;
16303 @@ -1072,6 +1275,11 @@ do_page_fault(struct pt_regs *regs, unsi
16307 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
16308 + if (pax_handle_pageexec_fault(regs, mm, address, error_code))
16312 vma = find_vma(mm, address);
16313 if (unlikely(!vma)) {
16314 bad_area(regs, error_code, address);
16315 @@ -1083,18 +1291,24 @@ do_page_fault(struct pt_regs *regs, unsi
16316 bad_area(regs, error_code, address);
16319 - if (error_code & PF_USER) {
16321 - * Accessing the stack below %sp is always a bug.
16322 - * The large cushion allows instructions like enter
16323 - * and pusha to work. ("enter $65535, $31" pushes
16324 - * 32 pointers and then decrements %sp by 65535.)
16326 - if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
16327 - bad_area(regs, error_code, address);
16331 + * Accessing the stack below %sp is always a bug.
16332 + * The large cushion allows instructions like enter
16333 + * and pusha to work. ("enter $65535, $31" pushes
16334 + * 32 pointers and then decrements %sp by 65535.)
16336 + if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
16337 + bad_area(regs, error_code, address);
16341 +#ifdef CONFIG_PAX_SEGMEXEC
16342 + if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
16343 + bad_area(regs, error_code, address);
16348 if (unlikely(expand_stack(vma, address))) {
16349 bad_area(regs, error_code, address);
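Review bot: Dropping the `if (error_code & PF_USER)` guard makes the below-`%sp` cushion test apply to kernel-mode faults on user addresses as well, now measured against `task_pt_regs(tsk)->sp`. As shown, a kernel copy into a user stack region further than the cushion below the saved user stack pointer would reach `bad_area()` where it previously fell through to `expand_stack()`. If that is the intended hardening, the comment above the test should say so, since it still describes only the user-instruction case. The SEGMEXEC comparison `vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1` depends on unsigned wraparound and needs a one-line explanation of the range it encodes. `do_page_fault()` continues outside the hunk.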
16351 @@ -1138,3 +1352,199 @@ good_area:
16353 up_read(&mm->mmap_sem);
16356 +#ifdef CONFIG_PAX_EMUTRAMP
16357 +static int pax_handle_fetch_fault_32(struct pt_regs *regs)
16361 + do { /* PaX: gcc trampoline emulation #1 */
16362 + unsigned char mov1, mov2;
16363 + unsigned short jmp;
16364 + unsigned int addr1, addr2;
16366 +#ifdef CONFIG_X86_64
16367 + if ((regs->ip + 11) >> 32)
16371 + err = get_user(mov1, (unsigned char __user *)regs->ip);
16372 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
16373 + err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5));
16374 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
16375 + err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10));
16380 + if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
16381 + regs->cx = addr1;
16382 + regs->ax = addr2;
16383 + regs->ip = addr2;
16388 + do { /* PaX: gcc trampoline emulation #2 */
16389 + unsigned char mov, jmp;
16390 + unsigned int addr1, addr2;
16392 +#ifdef CONFIG_X86_64
16393 + if ((regs->ip + 9) >> 32)
16397 + err = get_user(mov, (unsigned char __user *)regs->ip);
16398 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
16399 + err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
16400 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
16405 + if (mov == 0xB9 && jmp == 0xE9) {
16406 + regs->cx = addr1;
16407 + regs->ip = (unsigned int)(regs->ip + addr2 + 10);
16412 + return 1; /* PaX in action */
16415 +#ifdef CONFIG_X86_64
16416 +static int pax_handle_fetch_fault_64(struct pt_regs *regs)
16420 + do { /* PaX: gcc trampoline emulation #1 */
16421 + unsigned short mov1, mov2, jmp1;
16422 + unsigned char jmp2;
16423 + unsigned int addr1;
16424 + unsigned long addr2;
16426 + err = get_user(mov1, (unsigned short __user *)regs->ip);
16427 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2));
16428 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6));
16429 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8));
16430 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16));
16431 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18));
16436 + if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
16437 + regs->r11 = addr1;
16438 + regs->r10 = addr2;
16439 + regs->ip = addr1;
16444 + do { /* PaX: gcc trampoline emulation #2 */
16445 + unsigned short mov1, mov2, jmp1;
16446 + unsigned char jmp2;
16447 + unsigned long addr1, addr2;
16449 + err = get_user(mov1, (unsigned short __user *)regs->ip);
16450 + err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
16451 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
16452 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
16453 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20));
16454 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22));
16459 + if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
16460 + regs->r11 = addr1;
16461 + regs->r10 = addr2;
16462 + regs->ip = addr1;
16467 + return 1; /* PaX in action */
16472 + * PaX: decide what to do with offenders (regs->ip = fault address)
16474 + * returns 1 when task should be killed
16475 + * 2 when gcc trampoline was detected
16477 +static int pax_handle_fetch_fault(struct pt_regs *regs)
16479 + if (v8086_mode(regs))
16482 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
16485 +#ifdef CONFIG_X86_32
16486 + return pax_handle_fetch_fault_32(regs);
16488 + if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
16489 + return pax_handle_fetch_fault_32(regs);
16491 + return pax_handle_fetch_fault_64(regs);
16496 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
16497 +void pax_report_insns(void *pc, void *sp)
16501 + printk(KERN_ERR "PAX: bytes at PC: ");
16502 + for (i = 0; i < 20; i++) {
16504 + if (get_user(c, (__force unsigned char __user *)pc+i))
16505 + printk(KERN_CONT "?? ");
16507 + printk(KERN_CONT "%02x ", c);
16511 + printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
16512 + for (i = -1; i < 80 / (long)sizeof(long); i++) {
16514 + if (get_user(c, (__force unsigned long __user *)sp+i))
16515 +#ifdef CONFIG_X86_32
16516 + printk(KERN_CONT "???????? ");
16518 + printk(KERN_CONT "???????????????? ");
16521 + printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c);
16528 + * probe_kernel_write(): safely attempt to write to a location
16529 + * @dst: address to write to
16530 + * @src: pointer to the data that shall be written
16531 + * @size: size of the data chunk
16533 + * Safely write to address @dst from the buffer at @src. If a kernel fault
16534 + * happens, handle that and return -EFAULT.
16536 +long notrace probe_kernel_write(void *dst, const void *src, size_t size)
16539 + mm_segment_t old_fs = get_fs();
16541 + set_fs(KERNEL_DS);
16542 + pagefault_disable();
16543 + pax_open_kernel();
16544 + ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
16545 + pax_close_kernel();
16546 + pagefault_enable();
16549 + return ret ? -EFAULT : 0;
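Review bot: The kernel-doc for `probe_kernel_write()` still describes a "safe" write, but the copy is now bracketed by `pax_open_kernel()`/`pax_close_kernel()`, which presumably lifts the kernel's write protection for the duration. Every caller of this helper would then be able to write through read-only kernel mappings, so the comment should state that and the callers should be audited against it. In the same hunk, `pax_report_insns()` copies 20 bytes at the faulting PC and 80 bytes of user stack into the kernel log. Stack words can hold sensitive data, so the function comment should note that access to the log needs to be restricted on systems that enable this reporting. The opcode constants in the trampoline emulation (`0xB9`, `0xB8`, `0xE0FF`, `0xBB41`, ...) would be easier to review with the instruction each one encodes named beside it.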
16551 diff -urNp linux-2.6.33.1/arch/x86/mm/gup.c linux-2.6.33.1/arch/x86/mm/gup.c
16552 --- linux-2.6.33.1/arch/x86/mm/gup.c 2010-03-15 12:09:39.000000000 -0400
16553 +++ linux-2.6.33.1/arch/x86/mm/gup.c 2010-03-20 16:58:39.032549699 -0400
16554 @@ -237,7 +237,7 @@ int __get_user_pages_fast(unsigned long
16556 len = (unsigned long) nr_pages << PAGE_SHIFT;
16558 - if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
16559 + if (unlikely(!__access_ok(write ? VERIFY_WRITE : VERIFY_READ,
16560 (void __user *)start, len)))
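Review bot: The switch from `access_ok()` to `__access_ok()` is the only range check before the lockless page-table walk in `__get_user_pages_fast()`, and nothing in the hunk says why the double-underscore variant is needed. Its definition is not visible here, so confirm that it enforces the same address-limit check. If the reason is that the patched `access_ok()` does extra work that is not allowed in this context, record it with a comment such as `/* __access_ok: range check only, no side effects allowed here */`. The function starts and ends outside the hunk.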
16563 diff -urNp linux-2.6.33.1/arch/x86/mm/highmem_32.c linux-2.6.33.1/arch/x86/mm/highmem_32.c
16564 --- linux-2.6.33.1/arch/x86/mm/highmem_32.c 2010-03-15 12:09:39.000000000 -0400
16565 +++ linux-2.6.33.1/arch/x86/mm/highmem_32.c 2010-03-20 16:58:39.032549699 -0400
16566 @@ -43,7 +43,10 @@ void *kmap_atomic_prot(struct page *page
16567 idx = type + KM_TYPE_NR*smp_processor_id();
16568 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
16569 BUG_ON(!pte_none(*(kmap_pte-idx)));
16571 + pax_open_kernel();
16572 set_pte(kmap_pte-idx, mk_pte(page, prot));
16573 + pax_close_kernel();
16575 return (void *)vaddr;
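Review bot: Only the `set_pte()` that installs the mapping in `kmap_atomic_prot()` is wrapped in `pax_open_kernel()`/`pax_close_kernel()`, and this is the only hunk shown for the file. The teardown path writes the same `kmap_pte` slot when it clears the entry, so confirm whether it needs the same bracket or why it does not. A one-line comment here naming which mapping is read-only at this point would also help, since this is a hot path and the bracket is not free.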
16577 diff -urNp linux-2.6.33.1/arch/x86/mm/hugetlbpage.c linux-2.6.33.1/arch/x86/mm/hugetlbpage.c
16578 --- linux-2.6.33.1/arch/x86/mm/hugetlbpage.c 2010-03-15 12:09:39.000000000 -0400
16579 +++ linux-2.6.33.1/arch/x86/mm/hugetlbpage.c 2010-03-20 16:58:39.032549699 -0400
16580 @@ -267,13 +267,18 @@ static unsigned long hugetlb_get_unmappe
16581 struct hstate *h = hstate_file(file);
16582 struct mm_struct *mm = current->mm;
16583 struct vm_area_struct *vma;
16584 - unsigned long start_addr;
16585 + unsigned long start_addr, pax_task_size = TASK_SIZE;
16587 +#ifdef CONFIG_PAX_SEGMEXEC
16588 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
16589 + pax_task_size = SEGMEXEC_TASK_SIZE;
16592 if (len > mm->cached_hole_size) {
16593 - start_addr = mm->free_area_cache;
16594 + start_addr = mm->free_area_cache;
16596 - start_addr = TASK_UNMAPPED_BASE;
16597 - mm->cached_hole_size = 0;
16598 + start_addr = mm->mmap_base;
16599 + mm->cached_hole_size = 0;
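Review bot: The `#ifdef CONFIG_PAX_SEGMEXEC` block that picks `pax_task_size` from `mm->pax_flags` is written out here and again in `hugetlb_get_unmapped_area()` (the `@@ -400,10 +409,17 @@` hunk). A small static inline helper that returns the effective task size for an mm would keep the two copies from drifting apart, since both bound address-space searches and a missed update in one of them would let a mapping land above the SEGMEXEC limit. The `start_addr = mm->free_area_cache;` and `mm->cached_hole_size = 0;` pairs in this hunk look like whitespace-only changes and could be dropped from the patch.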
16603 @@ -281,13 +286,13 @@ full_search:
16605 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
16606 /* At this point: (!vma || addr < vma->vm_end). */
16607 - if (TASK_SIZE - len < addr) {
16608 + if (pax_task_size - len < addr) {
16610 * Start a new search - just in case we missed
16613 - if (start_addr != TASK_UNMAPPED_BASE) {
16614 - start_addr = TASK_UNMAPPED_BASE;
16615 + if (start_addr != mm->mmap_base) {
16616 + start_addr = mm->mmap_base;
16617 mm->cached_hole_size = 0;
16620 @@ -310,9 +315,8 @@ static unsigned long hugetlb_get_unmappe
16621 struct hstate *h = hstate_file(file);
16622 struct mm_struct *mm = current->mm;
16623 struct vm_area_struct *vma, *prev_vma;
16624 - unsigned long base = mm->mmap_base, addr = addr0;
16625 + unsigned long base = mm->mmap_base, addr;
16626 unsigned long largest_hole = mm->cached_hole_size;
16627 - int first_time = 1;
16629 /* don't allow allocations above current base */
16630 if (mm->free_area_cache > base)
16631 @@ -322,7 +326,7 @@ static unsigned long hugetlb_get_unmappe
16633 mm->free_area_cache = base;
16637 /* make sure it can fit in the remaining address space */
16638 if (mm->free_area_cache < len)
16640 @@ -364,22 +368,26 @@ try_again:
16644 - * if hint left us with no space for the requested
16645 - * mapping then try again:
16647 - if (first_time) {
16648 - mm->free_area_cache = base;
16649 - largest_hole = 0;
16654 * A failed mmap() very likely causes application failure,
16655 * so fall back to the bottom-up function here. This scenario
16656 * can happen with large stack limits and large mmap()
16659 - mm->free_area_cache = TASK_UNMAPPED_BASE;
16661 +#ifdef CONFIG_PAX_SEGMEXEC
16662 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
16663 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
16667 + mm->mmap_base = TASK_UNMAPPED_BASE;
16669 +#ifdef CONFIG_PAX_RANDMMAP
16670 + if (mm->pax_flags & MF_PAX_RANDMMAP)
16671 + mm->mmap_base += mm->delta_mmap;
16674 + mm->free_area_cache = mm->mmap_base;
16675 mm->cached_hole_size = ~0UL;
16676 addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
16677 len, pgoff, flags);
16678 @@ -387,6 +395,7 @@ fail:
16680 * Restore the topdown base:
16682 + mm->mmap_base = base;
16683 mm->free_area_cache = base;
16684 mm->cached_hole_size = ~0UL;
16686 @@ -400,10 +409,17 @@ hugetlb_get_unmapped_area(struct file *f
16687 struct hstate *h = hstate_file(file);
16688 struct mm_struct *mm = current->mm;
16689 struct vm_area_struct *vma;
16690 + unsigned long pax_task_size = TASK_SIZE;
16692 if (len & ~huge_page_mask(h))
16694 - if (len > TASK_SIZE)
16696 +#ifdef CONFIG_PAX_SEGMEXEC
16697 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
16698 + pax_task_size = SEGMEXEC_TASK_SIZE;
16701 + if (len > pax_task_size)
16704 if (flags & MAP_FIXED) {
16705 @@ -415,7 +431,7 @@ hugetlb_get_unmapped_area(struct file *f
16707 addr = ALIGN(addr, huge_page_size(h));
16708 vma = find_vma(mm, addr);
16709 - if (TASK_SIZE - len >= addr &&
16710 + if (pax_task_size - len >= addr &&
16711 (!vma || addr + len <= vma->vm_start))
16714 diff -urNp linux-2.6.33.1/arch/x86/mm/init_32.c linux-2.6.33.1/arch/x86/mm/init_32.c
16715 --- linux-2.6.33.1/arch/x86/mm/init_32.c 2010-03-15 12:09:39.000000000 -0400
16716 +++ linux-2.6.33.1/arch/x86/mm/init_32.c 2010-03-20 16:58:39.032549699 -0400
16717 @@ -72,36 +72,6 @@ static __init void *alloc_low_page(void)
16721 - * Creates a middle page table and puts a pointer to it in the
16722 - * given global directory entry. This only returns the gd entry
16723 - * in non-PAE compilation mode, since the middle layer is folded.
16725 -static pmd_t * __init one_md_table_init(pgd_t *pgd)
16728 - pmd_t *pmd_table;
16730 -#ifdef CONFIG_X86_PAE
16731 - if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
16732 - if (after_bootmem)
16733 - pmd_table = (pmd_t *)alloc_bootmem_pages(PAGE_SIZE);
16735 - pmd_table = (pmd_t *)alloc_low_page();
16736 - paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT);
16737 - set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
16738 - pud = pud_offset(pgd, 0);
16739 - BUG_ON(pmd_table != pmd_offset(pud, 0));
16741 - return pmd_table;
16744 - pud = pud_offset(pgd, 0);
16745 - pmd_table = pmd_offset(pud, 0);
16747 - return pmd_table;
16751 * Create a page table and place a pointer to it in a middle page
16754 @@ -121,13 +91,28 @@ static pte_t * __init one_page_table_ini
16755 page_table = (pte_t *)alloc_low_page();
16757 paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT);
16758 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
16759 + set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
16761 set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
16763 BUG_ON(page_table != pte_offset_kernel(pmd, 0));
16766 return pte_offset_kernel(pmd, 0);
16769 +static pmd_t * __init one_md_table_init(pgd_t *pgd)
16772 + pmd_t *pmd_table;
16774 + pud = pud_offset(pgd, 0);
16775 + pmd_table = pmd_offset(pud, 0);
16777 + return pmd_table;
16780 pmd_t * __init populate_extra_pmd(unsigned long vaddr)
16782 int pgd_idx = pgd_index(vaddr);
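Review bot: The re-added `one_md_table_init()` keeps only the non-PAE body. The PAE branch that allocated a pmd page when the PGD entry was not present (removed in the first hunk of this file) is gone, so the function now assumes every PGD entry it is given already points at a pmd. Where those pmds are set up is not visible in this diff section. A guard such as `BUG_ON(!(pgd_val(*pgd) & _PAGE_PRESENT));` under CONFIG_X86_PAE, or a comment naming the static tables, would make the assumption checkable. The same assumption is made by the `pud_offset()`/`pmd_offset()` calls that replace `one_md_table_init()` in `page_table_range_init()` and `kernel_physical_mapping_init()`.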
16783 @@ -201,6 +186,7 @@ page_table_range_init(unsigned long star
16784 int pgd_idx, pmd_idx;
16785 unsigned long vaddr;
16791 @@ -210,8 +196,13 @@ page_table_range_init(unsigned long star
16792 pgd = pgd_base + pgd_idx;
16794 for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
16795 - pmd = one_md_table_init(pgd);
16796 - pmd = pmd + pmd_index(vaddr);
16797 + pud = pud_offset(pgd, vaddr);
16798 + pmd = pmd_offset(pud, vaddr);
16800 +#ifdef CONFIG_X86_PAE
16801 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
16804 for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
16805 pmd++, pmd_idx++) {
16806 pte = page_table_kmap_check(one_page_table_init(pmd),
16807 @@ -223,11 +214,20 @@ page_table_range_init(unsigned long star
16811 -static inline int is_kernel_text(unsigned long addr)
16812 +static inline int is_kernel_text(unsigned long start, unsigned long end)
16814 - if (addr >= PAGE_OFFSET && addr <= (unsigned long)__init_end)
16817 + if ((start > ktla_ktva((unsigned long)_etext) ||
16818 + end <= ktla_ktva((unsigned long)_stext)) &&
16819 + (start > ktla_ktva((unsigned long)_einittext) ||
16820 + end <= ktla_ktva((unsigned long)_sinittext)) &&
16822 +#ifdef CONFIG_ACPI_SLEEP
16823 + (start > (unsigned long)__va(acpi_wakeup_address) + 0x4000 || end <= (unsigned long)__va(acpi_wakeup_address)) &&
16826 + (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
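Review bot: The range test in the new `is_kernel_text(start, end)` uses `start > X` for the upper bound of each region, whereas a half-open overlap test would use `start >= X`. As written, a range that begins exactly at `_etext`, `_einittext` or the end of the BIOS window appears to be treated as overlapping and is then mapped with `PAGE_KERNEL_EXEC`/`PAGE_KERNEL_LARGE_EXEC` by the callers. The return statements are missing from this listing, so confirm the sense of the test; if the end symbols are exclusive, `start >= ...` keeps one page (or one PMD) less executable. The literals `0x4000`, `0xc0000` and `0xfffff` should also be named or commented so the ACPI wakeup and BIOS ranges they describe can be checked.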
16832 @@ -243,9 +243,10 @@ kernel_physical_mapping_init(unsigned lo
16833 int use_pse = page_size_mask == (1<<PG_LEVEL_2M);
16834 unsigned long start_pfn, end_pfn;
16835 pgd_t *pgd_base = swapper_pg_dir;
16836 - int pgd_idx, pmd_idx, pte_ofs;
16837 + unsigned int pgd_idx, pmd_idx, pte_ofs;
16843 unsigned pages_2m, pages_4k;
16844 @@ -278,8 +279,13 @@ repeat:
16846 pgd_idx = pgd_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
16847 pgd = pgd_base + pgd_idx;
16848 - for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
16849 - pmd = one_md_table_init(pgd);
16850 + for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
16851 + pud = pud_offset(pgd, 0);
16852 + pmd = pmd_offset(pud, 0);
16854 +#ifdef CONFIG_X86_PAE
16855 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
16858 if (pfn >= end_pfn)
16860 @@ -291,14 +297,13 @@ repeat:
16862 for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn;
16863 pmd++, pmd_idx++) {
16864 - unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET;
16865 + unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
16868 * Map with big pages if possible, otherwise
16869 * create normal page tables:
16872 - unsigned int addr2;
16873 pgprot_t prot = PAGE_KERNEL_LARGE;
16875 * first pass will use the same initial
16876 @@ -308,11 +313,7 @@ repeat:
16877 __pgprot(PTE_IDENT_ATTR |
16880 - addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE +
16881 - PAGE_OFFSET + PAGE_SIZE-1;
16883 - if (is_kernel_text(addr) ||
16884 - is_kernel_text(addr2))
16885 + if (is_kernel_text(address, address + PMD_SIZE))
16886 prot = PAGE_KERNEL_LARGE_EXEC;
16889 @@ -329,7 +330,7 @@ repeat:
16890 pte_ofs = pte_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
16892 for (; pte_ofs < PTRS_PER_PTE && pfn < end_pfn;
16893 - pte++, pfn++, pte_ofs++, addr += PAGE_SIZE) {
16894 + pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
16895 pgprot_t prot = PAGE_KERNEL;
16897 * first pass will use the same initial
16898 @@ -337,7 +338,7 @@ repeat:
16900 pgprot_t init_prot = __pgprot(PTE_IDENT_ATTR);
16902 - if (is_kernel_text(addr))
16903 + if (is_kernel_text(address, address + PAGE_SIZE))
16904 prot = PAGE_KERNEL_EXEC;
16907 @@ -489,7 +490,7 @@ void __init native_pagetable_setup_start
16909 pud = pud_offset(pgd, va);
16910 pmd = pmd_offset(pud, va);
16911 - if (!pmd_present(*pmd))
16912 + if (!pmd_present(*pmd) || pmd_huge(*pmd))
16915 pte = pte_offset_kernel(pmd, va);
16916 @@ -541,9 +542,7 @@ void __init early_ioremap_page_table_ran
16918 static void __init pagetable_init(void)
16920 - pgd_t *pgd_base = swapper_pg_dir;
16922 - permanent_kmaps_init(pgd_base);
16923 + permanent_kmaps_init(swapper_pg_dir);
16926 #ifdef CONFIG_ACPI_SLEEP
16927 @@ -551,12 +550,12 @@ static void __init pagetable_init(void)
16928 * ACPI suspend needs this for resume, because things like the intel-agp
16929 * driver might have split up a kernel 4MB mapping.
16931 -char swsusp_pg_dir[PAGE_SIZE]
16932 +pgd_t swsusp_pg_dir[PTRS_PER_PGD]
16933 __attribute__ ((aligned(PAGE_SIZE)));
16935 static inline void save_pg_dir(void)
16937 - memcpy(swsusp_pg_dir, swapper_pg_dir, PAGE_SIZE);
16938 + clone_pgd_range(swsusp_pg_dir, swapper_pg_dir, PTRS_PER_PGD);
16940 #else /* !CONFIG_ACPI_SLEEP */
16941 static inline void save_pg_dir(void)
16942 @@ -588,7 +587,7 @@ void zap_low_mappings(bool early)
16946 -pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
16947 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
16948 EXPORT_SYMBOL_GPL(__supported_pte_mask);
16950 /* user-defined highmem size */
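Review bot: Moving `__supported_pte_mask` from `__read_mostly` to `__read_only` means any assignment to it after the read-only section is write-protected will fault unless it is bracketed explicitly. The writers are not part of this hunk, so confirm that every one of them (NX and global-page setup, paravirt adjustments) runs before protection is applied or has been updated accordingly. A comment on the definition, for example `/* written only during early boot; read-only afterwards so the NX bit cannot be masked off at run time */`, would document the intent.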
16951 @@ -777,7 +776,7 @@ void __init setup_bootmem_allocator(void
16952 * Initialize the boot-time allocator (with low memory only):
16954 bootmap_size = bootmem_bootmap_pages(max_low_pfn)<<PAGE_SHIFT;
16955 - bootmap = find_e820_area(0, max_pfn_mapped<<PAGE_SHIFT, bootmap_size,
16956 + bootmap = find_e820_area(0x100000, max_pfn_mapped<<PAGE_SHIFT, bootmap_size,
16958 if (bootmap == -1L)
16959 panic("Cannot find bootmem map of size %ld\n", bootmap_size);
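Review bot: The new search floor in `find_e820_area(0x100000, ...)` is a bare magic number with no comment on why the bootmem bitmap must not be placed in the first megabyte. The same literal appears again in the init.c hunk as `start = 0x100000;`. The patch already uses `ISA_END_ADDRESS` in ioremap.c; if that constant has the same value in this tree, `find_e820_area(ISA_END_ADDRESS, ...)` plus a one-line comment such as `/* keep early allocations out of the legacy low 1MB */` would keep the two call sites in step. setup_bootmem_allocator() continues outside the hunk.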
16960 @@ -881,7 +880,7 @@ void __init mem_init(void)
16961 set_highmem_pages_init();
16963 codesize = (unsigned long) &_etext - (unsigned long) &_text;
16964 - datasize = (unsigned long) &_edata - (unsigned long) &_etext;
16965 + datasize = (unsigned long) &_edata - (unsigned long) &_sdata;
16966 initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
16968 printk(KERN_INFO "Memory: %luk/%luk available (%dk kernel code, "
16969 @@ -922,10 +921,10 @@ void __init mem_init(void)
16970 ((unsigned long)&__init_end -
16971 (unsigned long)&__init_begin) >> 10,
16973 - (unsigned long)&_etext, (unsigned long)&_edata,
16974 - ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
16975 + (unsigned long)&_sdata, (unsigned long)&_edata,
16976 + ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10,
16978 - (unsigned long)&_text, (unsigned long)&_etext,
16979 + ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
16980 ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
16983 @@ -1006,6 +1005,7 @@ void set_kernel_text_rw(void)
16984 if (!kernel_set_to_readonly)
16987 + start = ktla_ktva(start);
16988 pr_debug("Set kernel text: %lx - %lx for read write\n",
16989 start, start+size);
16991 @@ -1020,6 +1020,7 @@ void set_kernel_text_ro(void)
16992 if (!kernel_set_to_readonly)
16995 + start = ktla_ktva(start);
16996 pr_debug("Set kernel text: %lx - %lx for read only\n",
16997 start, start+size);
16999 @@ -1031,6 +1032,7 @@ void mark_rodata_ro(void)
17000 unsigned long start = PFN_ALIGN(_text);
17001 unsigned long size = PFN_ALIGN(_etext) - start;
17003 + start = ktla_ktva(start);
17004 set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
17005 printk(KERN_INFO "Write protecting the kernel text: %luk\n",
17007 diff -urNp linux-2.6.33.1/arch/x86/mm/init_64.c linux-2.6.33.1/arch/x86/mm/init_64.c
17008 --- linux-2.6.33.1/arch/x86/mm/init_64.c 2010-03-15 12:09:39.000000000 -0400
17009 +++ linux-2.6.33.1/arch/x86/mm/init_64.c 2010-03-20 16:58:39.032549699 -0400
17010 @@ -73,7 +73,7 @@ early_param("gbpages", parse_direct_gbpa
17011 * around without checking the pgd every time.
17014 -pteval_t __supported_pte_mask __read_mostly = ~_PAGE_IOMAP;
17015 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_IOMAP);
17016 EXPORT_SYMBOL_GPL(__supported_pte_mask);
17018 int force_personality32;
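Review bot: Removing `_PAGE_NX` from the initial 64-bit `__supported_pte_mask` means the no-execute bit is masked out of every PTE built through this mask until some later code ORs it back in, and that code is not in this hunk. The definition should carry a comment naming where the bit is restored, for example `/* _PAGE_NX is set once NX support is confirmed; see <function that enables NX> */` with the real function filled in. The same line moves the variable to `__read_only`, so the comment should also say that the final value must be written before read-only data is write-protected. The 32-bit definition in the init_32.c hunk gets the same annotation and would benefit from the same remark.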
17019 @@ -164,7 +164,9 @@ void set_pte_vaddr_pud(pud_t *pud_page,
17020 pmd = fill_pmd(pud, vaddr);
17021 pte = fill_pte(pmd, vaddr);
17023 + pax_open_kernel();
17024 set_pte(pte, new_pte);
17025 + pax_close_kernel();
17028 * It's enough to flush this one mapping.
17029 @@ -223,14 +225,12 @@ static void __init __init_extra_mapping(
17030 pgd = pgd_offset_k((unsigned long)__va(phys));
17031 if (pgd_none(*pgd)) {
17032 pud = (pud_t *) spp_getpage();
17033 - set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE |
17035 + set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));
17037 pud = pud_offset(pgd, (unsigned long)__va(phys));
17038 if (pud_none(*pud)) {
17039 pmd = (pmd_t *) spp_getpage();
17040 - set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE |
17042 + set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
17044 pmd = pmd_offset(pud, phys);
17045 BUG_ON(!pmd_none(*pmd));
17046 @@ -882,8 +882,8 @@ int kern_addr_valid(unsigned long addr)
17047 static struct vm_area_struct gate_vma = {
17048 .vm_start = VSYSCALL_START,
17049 .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
17050 - .vm_page_prot = PAGE_READONLY_EXEC,
17051 - .vm_flags = VM_READ | VM_EXEC
17052 + .vm_page_prot = PAGE_READONLY,
17053 + .vm_flags = VM_READ
17056 struct vm_area_struct *get_gate_vma(struct task_struct *tsk)
17057 @@ -917,7 +917,7 @@ int in_gate_area_no_task(unsigned long a
17059 const char *arch_vma_name(struct vm_area_struct *vma)
17061 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
17062 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
17064 if (vma == &gate_vma)
17065 return "[vsyscall]";
17066 diff -urNp linux-2.6.33.1/arch/x86/mm/init.c linux-2.6.33.1/arch/x86/mm/init.c
17067 --- linux-2.6.33.1/arch/x86/mm/init.c 2010-03-15 12:09:39.000000000 -0400
17068 +++ linux-2.6.33.1/arch/x86/mm/init.c 2010-03-20 16:58:39.036535097 -0400
17069 @@ -69,11 +69,7 @@ static void __init find_early_table_spac
17070 * cause a hotspot and fill up ZONE_DMA. The page tables
17071 * need roughly 0.5KB per GB.
17073 -#ifdef CONFIG_X86_32
17078 + start = 0x100000;
17079 e820_table_start = find_e820_area(start, max_pfn_mapped<<PAGE_SHIFT,
17080 tables, PAGE_SIZE);
17081 if (e820_table_start == -1UL)
17082 @@ -327,7 +323,13 @@ unsigned long __init_refok init_memory_m
17084 int devmem_is_allowed(unsigned long pagenr)
17086 - if (pagenr <= 256)
17089 +#ifdef CONFIG_VM86
17090 + if (pagenr < (ISA_START_ADDRESS >> PAGE_SHIFT))
17093 + if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
17095 if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
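Review bot: The /dev/mem allow-list changes from the removed `if (pagenr <= 256)` to explicit range tests, and the range below `ISA_START_ADDRESS` is only tested under `CONFIG_VM86`, but the hunk adds no comment describing the new policy. Assuming each visible `if` is followed by a `return 1` as in the removed line (those lines are missing from the page), a comment such as `/* below the ISA hole: allowed only when vm86 support is built in; the ISA hole itself: always allowed */` above the tests would make the intent reviewable. The header comment of devmem_is_allowed() lies outside the hunk; if it still describes the first-megabyte rule it needs the same update.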
17097 @@ -375,6 +377,87 @@ void free_init_pages(char *what, unsigne
17099 void free_initmem(void)
17102 +#ifdef CONFIG_PAX_KERNEXEC
17107 +#ifdef CONFIG_X86_32
17108 + /* PaX: limit KERNEL_CS to actual size */
17109 + unsigned long addr, limit;
17110 + struct desc_struct d;
17113 + limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
17114 + limit = (limit - 1UL) >> PAGE_SHIFT;
17116 + memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
17117 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
17118 + pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
17119 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
17122 + /* PaX: make KERNEL_CS read-only */
17123 + addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text));
17124 + if (!paravirt_enabled())
17125 + set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT);
17127 + for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
17128 + pgd = pgd_offset_k(addr);
17129 + pud = pud_offset(pgd, addr);
17130 + pmd = pmd_offset(pud, addr);
17131 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
17134 +#ifdef CONFIG_X86_PAE
17135 + set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
17136 + for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
17137 + pgd = pgd_offset_k(addr);
17138 + pud = pud_offset(pgd, addr);
17139 + pmd = pmd_offset(pud, addr);
17140 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
17144 +#ifdef CONFIG_MODULES
17145 + set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
17149 + unsigned long addr, end;
17151 + /* PaX: make kernel code/rodata read-only, rest non-executable */
17152 + for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
17153 + pgd = pgd_offset_k(addr);
17154 + pud = pud_offset(pgd, addr);
17155 + pmd = pmd_offset(pud, addr);
17156 + if (!pmd_present(*pmd))
17158 + if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
17159 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
17161 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
17164 + addr = (unsigned long)__va(__pa(__START_KERNEL_map));
17165 + end = addr + KERNEL_IMAGE_SIZE;
17166 + for (; addr < end; addr += PMD_SIZE) {
17167 + pgd = pgd_offset_k(addr);
17168 + pud = pud_offset(pgd, addr);
17169 + pmd = pmd_offset(pud, addr);
17170 + if (!pmd_present(*pmd))
17172 + if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
17173 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
17175 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
17182 free_init_pages("unused kernel memory",
17183 (unsigned long)(&__init_begin),
17184 (unsigned long)(&__init_end));
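Review bot: The second PMD walk in the 64-bit branch has no comment saying why it exists. It starts at `__va(__pa(__START_KERNEL_map))`, which is the direct-mapping alias of the kernel image, and otherwise repeats the first loop's body. A line such as `/* PaX: apply the same protections to the direct-map alias of the kernel image */` above it would record that leaving the alias writable defeats the read-only text. Since the two loops differ only in their bounds, a small static helper would remove the duplication. In the 32-bit branch, `memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, ...)` passes an integer expression where a pointer is expected, so an explicit `(void *)` cast is needed. Several lines of this hunk are missing from the page, so brace and `#else`/`#endif` placement and any TLB flush after the `set_pmd()` calls could not be checked.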
17185 diff -urNp linux-2.6.33.1/arch/x86/mm/iomap_32.c linux-2.6.33.1/arch/x86/mm/iomap_32.c
17186 --- linux-2.6.33.1/arch/x86/mm/iomap_32.c 2010-03-15 12:09:39.000000000 -0400
17187 +++ linux-2.6.33.1/arch/x86/mm/iomap_32.c 2010-03-20 16:58:39.036535097 -0400
17188 @@ -65,7 +65,11 @@ void *kmap_atomic_prot_pfn(unsigned long
17189 debug_kmap_atomic(type);
17190 idx = type + KM_TYPE_NR * smp_processor_id();
17191 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
17193 + pax_open_kernel();
17194 set_pte(kmap_pte - idx, pfn_pte(pfn, prot));
17195 + pax_close_kernel();
17197 arch_flush_lazy_mmu_mode();
17199 return (void *)vaddr;
17200 diff -urNp linux-2.6.33.1/arch/x86/mm/ioremap.c linux-2.6.33.1/arch/x86/mm/ioremap.c
17201 --- linux-2.6.33.1/arch/x86/mm/ioremap.c 2010-03-15 12:09:39.000000000 -0400
17202 +++ linux-2.6.33.1/arch/x86/mm/ioremap.c 2010-03-20 16:58:39.036535097 -0400
17203 @@ -41,8 +41,8 @@ int page_is_ram(unsigned long pagenr)
17204 * Second special case: Some BIOSen report the PC BIOS
17205 * area (640->1Mb) as ram even though it is not.
17207 - if (pagenr >= (BIOS_BEGIN >> PAGE_SHIFT) &&
17208 - pagenr < (BIOS_END >> PAGE_SHIFT))
17209 + if (pagenr >= (ISA_START_ADDRESS >> PAGE_SHIFT) &&
17210 + pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
17213 for (i = 0; i < e820.nr_map; i++) {
17214 @@ -137,13 +137,10 @@ static void __iomem *__ioremap_caller(re
17216 * Don't allow anybody to remap normal RAM that we're using..
17218 - for (pfn = phys_addr >> PAGE_SHIFT;
17219 - (pfn << PAGE_SHIFT) < (last_addr & PAGE_MASK);
17222 + for (pfn = phys_addr >> PAGE_SHIFT; ((resource_size_t)pfn << PAGE_SHIFT) < (last_addr & PAGE_MASK); pfn++) {
17223 int is_ram = page_is_ram(pfn);
17225 - if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn)))
17226 + if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn))))
17228 WARN_ON_ONCE(is_ram);
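Review bot: The added `pfn >= 0x100` test in the RAM check is a magic number, while the page_is_ram() hunk just above in the same file spells the equivalent boundary as `ISA_END_ADDRESS >> PAGE_SHIFT`. Writing `(pfn >= (ISA_END_ADDRESS >> PAGE_SHIFT) || !PageReserved(pfn_to_page(pfn)))` would keep the two in step, provided the constant has the expected value in this tree. The existing comment "Don't allow anybody to remap normal RAM that we're using.." no longer covers the rule, because reserved RAM pages at or above that boundary are now refused as well. It should say so. The `(resource_size_t)` cast on `pfn << PAGE_SHIFT` is a sound fix for truncation on configurations where `resource_size_t` is wider than `unsigned long`.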
17230 @@ -383,7 +380,7 @@ static int __init early_ioremap_debug_se
17231 early_param("early_ioremap_debug", early_ioremap_debug_setup);
17233 static __initdata int after_paging_init;
17234 -static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
17235 +static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
17237 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
17239 @@ -415,8 +412,7 @@ void __init early_ioremap_init(void)
17240 slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
17242 pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
17243 - memset(bm_pte, 0, sizeof(bm_pte));
17244 - pmd_populate_kernel(&init_mm, pmd, bm_pte);
17245 + pmd_populate_user(&init_mm, pmd, bm_pte);
17248 * The boot-ioremap range spans multiple pmds, for which
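Review bot: Calling `pmd_populate_user(&init_mm, pmd, bm_pte)` on a kernel fixmap table reads as a mistake without a comment, because the helper's name says "user" while the target is `init_mm`. If the intent is to pick different table-entry permission bits (the init_64.c hunk makes a similar `_KERNPG_TABLE` to `_PAGE_TABLE` swap), say so in a line above the call. Dropping `memset(bm_pte, 0, sizeof(bm_pte))` relies on the static array's implicit zero initialisation now that the previous hunk marks `bm_pte` as `__read_only`. A note such as `/* bm_pte is statically zeroed; it must not be written here */` would stop someone re-adding the memset later. early_ioremap_init() continues outside the hunk.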
17249 diff -urNp linux-2.6.33.1/arch/x86/mm/kmemcheck/kmemcheck.c linux-2.6.33.1/arch/x86/mm/kmemcheck/kmemcheck.c
17250 --- linux-2.6.33.1/arch/x86/mm/kmemcheck/kmemcheck.c 2010-03-15 12:09:39.000000000 -0400
17251 +++ linux-2.6.33.1/arch/x86/mm/kmemcheck/kmemcheck.c 2010-03-20 16:58:39.036535097 -0400
17252 @@ -622,9 +622,9 @@ bool kmemcheck_fault(struct pt_regs *reg
17253 * memory (e.g. tracked pages)? For now, we need this to avoid
17254 * invoking kmemcheck for PnP BIOS calls.
17256 - if (regs->flags & X86_VM_MASK)
17257 + if (v8086_mode(regs))
17259 - if (regs->cs != __KERNEL_CS)
17260 + if (regs->cs != __KERNEL_CS && regs->cs != __KERNEXEC_KERNEL_CS)
17263 pte = kmemcheck_pte_lookup(address);
17264 diff -urNp linux-2.6.33.1/arch/x86/mm/mmap.c linux-2.6.33.1/arch/x86/mm/mmap.c
17265 --- linux-2.6.33.1/arch/x86/mm/mmap.c 2010-03-15 12:09:39.000000000 -0400
17266 +++ linux-2.6.33.1/arch/x86/mm/mmap.c 2010-03-20 16:58:39.036535097 -0400
17267 @@ -49,7 +49,7 @@ static unsigned int stack_maxrandom_size
17268 * Leave an at least ~128 MB hole with possible stack randomization.
17270 #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
17271 -#define MAX_GAP (TASK_SIZE/6*5)
17272 +#define MAX_GAP (pax_task_size/6*5)
17275 * True on X86_32 or when emulating IA32 on X86_64
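Review bot: `MAX_GAP` now expands to an expression that uses `pax_task_size`, a local variable that only exists inside mmap_base() (declared in the next hunk). The macro therefore compiles only where the caller happens to define that name, and nothing at the definition says so. Passing the size explicitly removes the hidden dependency: `#define MAX_GAP(size) ((size)/6*5)`, with `MAX_GAP(pax_task_size)` at its uses in mmap_base().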
17276 @@ -94,27 +94,40 @@ static unsigned long mmap_rnd(void)
17277 return rnd << PAGE_SHIFT;
17280 -static unsigned long mmap_base(void)
17281 +static unsigned long mmap_base(struct mm_struct *mm)
17283 unsigned long gap = current->signal->rlim[RLIMIT_STACK].rlim_cur;
17284 + unsigned long pax_task_size = TASK_SIZE;
17286 +#ifdef CONFIG_PAX_SEGMEXEC
17287 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
17288 + pax_task_size = SEGMEXEC_TASK_SIZE;
17293 else if (gap > MAX_GAP)
17296 - return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
17297 + return PAGE_ALIGN(pax_task_size - gap - mmap_rnd());
17301 * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
17302 * does, but not when emulating X86_32
17304 -static unsigned long mmap_legacy_base(void)
17305 +static unsigned long mmap_legacy_base(struct mm_struct *mm)
17307 - if (mmap_is_ia32())
17308 + if (mmap_is_ia32()) {
17310 +#ifdef CONFIG_PAX_SEGMEXEC
17311 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
17312 + return SEGMEXEC_TASK_UNMAPPED_BASE;
17316 return TASK_UNMAPPED_BASE;
17319 return TASK_UNMAPPED_BASE + mmap_rnd();
17322 @@ -125,11 +138,23 @@ static unsigned long mmap_legacy_base(vo
17323 void arch_pick_mmap_layout(struct mm_struct *mm)
17325 if (mmap_is_legacy()) {
17326 - mm->mmap_base = mmap_legacy_base();
17327 + mm->mmap_base = mmap_legacy_base(mm);
17329 +#ifdef CONFIG_PAX_RANDMMAP
17330 + if (mm->pax_flags & MF_PAX_RANDMMAP)
17331 + mm->mmap_base += mm->delta_mmap;
17334 mm->get_unmapped_area = arch_get_unmapped_area;
17335 mm->unmap_area = arch_unmap_area;
17337 - mm->mmap_base = mmap_base();
17338 + mm->mmap_base = mmap_base(mm);
17340 +#ifdef CONFIG_PAX_RANDMMAP
17341 + if (mm->pax_flags & MF_PAX_RANDMMAP)
17342 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
17345 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
17346 mm->unmap_area = arch_unmap_area_topdown;
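Review bot: `mm->mmap_base -= mm->delta_mmap + mm->delta_stack;` in the top-down branch is an unsigned subtraction with no visible bound, so a delta sum larger than the base would wrap to a very high address. The deltas are set outside this file and their width is not shown here, which is why the invariant should be written down next to the subtraction, for example `/* delta_mmap + delta_stack is bounded by PAX_DELTA_MMAP_LEN/PAX_DELTA_STACK_LEN bits and stays below mmap_base() */`. The comment should also say why the legacy branch adds only `delta_mmap` while this branch subtracts both. The function's closing lines are missing from the page.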
17348 diff -urNp linux-2.6.33.1/arch/x86/mm/numa_32.c linux-2.6.33.1/arch/x86/mm/numa_32.c
17349 --- linux-2.6.33.1/arch/x86/mm/numa_32.c 2010-03-15 12:09:39.000000000 -0400
17350 +++ linux-2.6.33.1/arch/x86/mm/numa_32.c 2010-03-20 16:58:39.036535097 -0400
17351 @@ -98,7 +98,6 @@ unsigned long node_memmap_size_bytes(int
17355 -extern unsigned long find_max_low_pfn(void);
17356 extern unsigned long highend_pfn, highstart_pfn;
17358 #define LARGE_PAGE_BYTES (PTRS_PER_PTE * PAGE_SIZE)
17359 diff -urNp linux-2.6.33.1/arch/x86/mm/pageattr.c linux-2.6.33.1/arch/x86/mm/pageattr.c
17360 --- linux-2.6.33.1/arch/x86/mm/pageattr.c 2010-03-15 12:09:39.000000000 -0400
17361 +++ linux-2.6.33.1/arch/x86/mm/pageattr.c 2010-03-20 16:58:39.036535097 -0400
17362 @@ -268,9 +268,10 @@ static inline pgprot_t static_protection
17363 * Does not cover __inittext since that is gone later on. On
17364 * 64bit we do not enforce !NX on the low mapping
17366 - if (within(address, (unsigned long)_text, (unsigned long)_etext))
17367 + if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
17368 pgprot_val(forbidden) |= _PAGE_NX;
17370 +#ifdef CONFIG_DEBUG_RODATA
17372 * The .rodata section needs to be read-only. Using the pfn
17373 * catches all aliases.
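Review bot: The added `#ifdef CONFIG_DEBUG_RODATA` makes the `.rodata` rule in static_protections() conditional, so with that option off the function no longer forbids `_PAGE_RW` on rodata pages or their aliases. If that is intended because rodata is not write-protected at all in such builds, a short comment on the `#ifdef` should say so; otherwise the guard weakens an existing check. The matching `#endif` falls in the next hunk and is not visible on the page.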
17374 @@ -278,6 +279,7 @@ static inline pgprot_t static_protection
17375 if (within(pfn, __pa((unsigned long)__start_rodata) >> PAGE_SHIFT,
17376 __pa((unsigned long)__end_rodata) >> PAGE_SHIFT))
17377 pgprot_val(forbidden) |= _PAGE_RW;
17380 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
17382 @@ -347,7 +349,10 @@ EXPORT_SYMBOL_GPL(lookup_address);
17383 static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
17385 /* change init_mm */
17386 + pax_open_kernel();
17387 set_pte_atomic(kpte, pte);
17388 + pax_close_kernel();
17390 #ifdef CONFIG_X86_32
17391 if (!SHARED_KERNEL_PMD) {
17393 diff -urNp linux-2.6.33.1/arch/x86/mm/pageattr-test.c linux-2.6.33.1/arch/x86/mm/pageattr-test.c
17394 --- linux-2.6.33.1/arch/x86/mm/pageattr-test.c 2010-03-15 12:09:39.000000000 -0400
17395 +++ linux-2.6.33.1/arch/x86/mm/pageattr-test.c 2010-03-20 16:58:39.036535097 -0400
17396 @@ -36,7 +36,7 @@ enum {
17398 static int pte_testbit(pte_t pte)
17400 - return pte_flags(pte) & _PAGE_UNUSED1;
17401 + return pte_flags(pte) & _PAGE_CPA_TEST;
17404 struct split_state {
17405 diff -urNp linux-2.6.33.1/arch/x86/mm/pat.c linux-2.6.33.1/arch/x86/mm/pat.c
17406 --- linux-2.6.33.1/arch/x86/mm/pat.c 2010-03-15 12:09:39.000000000 -0400
17407 +++ linux-2.6.33.1/arch/x86/mm/pat.c 2010-03-20 16:58:39.036535097 -0400
17408 @@ -259,7 +259,7 @@ chk_conflict(struct memtype *new, struct
17411 printk(KERN_INFO "%s:%d conflicting memory types "
17412 - "%Lx-%Lx %s<->%s\n", current->comm, current->pid, new->start,
17413 + "%Lx-%Lx %s<->%s\n", current->comm, task_pid_nr(current), new->start,
17414 new->end, cattr_name(new->type), cattr_name(entry->type));
17417 @@ -555,7 +555,7 @@ unlock_ret:
17420 printk(KERN_INFO "%s:%d freeing invalid memtype %Lx-%Lx\n",
17421 - current->comm, current->pid, start, end);
17422 + current->comm, task_pid_nr(current), start, end);
17425 dprintk("free_memtype request 0x%Lx-0x%Lx\n", start, end);
17426 @@ -750,7 +750,7 @@ int kernel_map_sync_memtype(u64 base, un
17428 "%s:%d ioremap_change_attr failed %s "
17430 - current->comm, current->pid,
17431 + current->comm, task_pid_nr(current),
17433 base, (unsigned long long)(base + size));
17435 @@ -808,7 +808,7 @@ static int reserve_pfn_range(u64 paddr,
17436 free_memtype(paddr, paddr + size);
17437 printk(KERN_ERR "%s:%d map pfn expected mapping type %s"
17438 " for %Lx-%Lx, got %s\n",
17439 - current->comm, current->pid,
17440 + current->comm, task_pid_nr(current),
17441 cattr_name(want_flags),
17442 (unsigned long long)paddr,
17443 (unsigned long long)(paddr + size),
17444 diff -urNp linux-2.6.33.1/arch/x86/mm/pgtable_32.c linux-2.6.33.1/arch/x86/mm/pgtable_32.c
17445 --- linux-2.6.33.1/arch/x86/mm/pgtable_32.c 2010-03-15 12:09:39.000000000 -0400
17446 +++ linux-2.6.33.1/arch/x86/mm/pgtable_32.c 2010-03-20 16:58:39.036535097 -0400
17447 @@ -49,10 +49,13 @@ void set_pte_vaddr(unsigned long vaddr,
17450 pte = pte_offset_kernel(pmd, vaddr);
17452 + pax_open_kernel();
17453 if (pte_val(pteval))
17454 set_pte_at(&init_mm, vaddr, pte, pteval);
17456 pte_clear(&init_mm, vaddr, pte);
17457 + pax_close_kernel();
17460 * It's enough to flush this one mapping.
17461 diff -urNp linux-2.6.33.1/arch/x86/mm/tlb.c linux-2.6.33.1/arch/x86/mm/tlb.c
17462 --- linux-2.6.33.1/arch/x86/mm/tlb.c 2010-03-15 12:09:39.000000000 -0400
17463 +++ linux-2.6.33.1/arch/x86/mm/tlb.c 2010-03-20 16:58:39.036535097 -0400
17465 #include <asm/uv/uv.h>
17467 DEFINE_PER_CPU_SHARED_ALIGNED(struct tlb_state, cpu_tlbstate)
17468 - = { &init_mm, 0, };
17469 + = { &init_mm, 0 };
17472 * Smarter SMP flushing macros.
17473 diff -urNp linux-2.6.33.1/arch/x86/oprofile/backtrace.c linux-2.6.33.1/arch/x86/oprofile/backtrace.c
17474 --- linux-2.6.33.1/arch/x86/oprofile/backtrace.c 2010-03-15 12:09:39.000000000 -0400
17475 +++ linux-2.6.33.1/arch/x86/oprofile/backtrace.c 2010-03-20 17:06:47.204705877 -0400
17476 @@ -58,7 +58,7 @@ static struct frame_head *dump_user_back
17477 struct frame_head bufhead[2];
17479 /* Also check accessibility of one struct frame_head beyond */
17480 - if (!access_ok(VERIFY_READ, head, sizeof(bufhead)))
17481 + if (!__access_ok(VERIFY_READ, head, sizeof(bufhead)))
17483 if (__copy_from_user_inatomic(bufhead, head, sizeof(bufhead)))
17485 @@ -78,7 +78,7 @@ x86_backtrace(struct pt_regs * const reg
17487 struct frame_head *head = (struct frame_head *)frame_pointer(regs);
17489 - if (!user_mode_vm(regs)) {
17490 + if (!user_mode(regs)) {
17491 unsigned long stack = kernel_stack_pointer(regs);
17493 dump_trace(NULL, regs, (unsigned long *)stack, 0,
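Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` in x86_backtrace() is only equivalent if this patch redefines `user_mode()` to account for vm86 frames, and that definition is not visible here. In the unpatched tree the plain variant on 32-bit looks only at the CS privilege bits, so a vm86 frame could be taken for a kernel frame and handed to `dump_trace()`. A comment at this call naming the header that changes `user_mode()` would let a reader verify the substitution. The earlier hunk in this file swaps `access_ok` for `__access_ok` and deserves the same one-line justification.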
17494 diff -urNp linux-2.6.33.1/arch/x86/oprofile/op_model_p4.c linux-2.6.33.1/arch/x86/oprofile/op_model_p4.c
17495 --- linux-2.6.33.1/arch/x86/oprofile/op_model_p4.c 2010-03-15 12:09:39.000000000 -0400
17496 +++ linux-2.6.33.1/arch/x86/oprofile/op_model_p4.c 2010-03-20 16:58:39.036535097 -0400
17497 @@ -50,7 +50,7 @@ static inline void setup_num_counters(vo
17501 -static int inline addr_increment(void)
17502 +static inline int addr_increment(void)
17505 return smp_num_siblings == 2 ? 2 : 1;
17506 diff -urNp linux-2.6.33.1/arch/x86/pci/common.c linux-2.6.33.1/arch/x86/pci/common.c
17507 --- linux-2.6.33.1/arch/x86/pci/common.c 2010-03-15 12:09:39.000000000 -0400
17508 +++ linux-2.6.33.1/arch/x86/pci/common.c 2010-03-20 16:58:39.036535097 -0400
17509 @@ -31,8 +31,8 @@ int noioapicreroute = 1;
17510 int pcibios_last_bus = -1;
17511 unsigned long pirq_table_addr;
17512 struct pci_bus *pci_root_bus;
17513 -struct pci_raw_ops *raw_pci_ops;
17514 -struct pci_raw_ops *raw_pci_ext_ops;
17515 +const struct pci_raw_ops *raw_pci_ops;
17516 +const struct pci_raw_ops *raw_pci_ext_ops;
17518 int raw_pci_read(unsigned int domain, unsigned int bus, unsigned int devfn,
17519 int reg, int len, u32 *val)
17520 @@ -370,7 +370,7 @@ static const struct dmi_system_id __devi
17521 DMI_MATCH(DMI_PRODUCT_NAME, "ProLiant DL585 G2"),
17525 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
17528 void __init dmi_check_pciprobe(void)
17529 diff -urNp linux-2.6.33.1/arch/x86/pci/direct.c linux-2.6.33.1/arch/x86/pci/direct.c
17530 --- linux-2.6.33.1/arch/x86/pci/direct.c 2010-03-15 12:09:39.000000000 -0400
17531 +++ linux-2.6.33.1/arch/x86/pci/direct.c 2010-03-20 16:58:39.040721575 -0400
17532 @@ -79,7 +79,7 @@ static int pci_conf1_write(unsigned int
17534 #undef PCI_CONF1_ADDRESS
17536 -struct pci_raw_ops pci_direct_conf1 = {
17537 +const struct pci_raw_ops pci_direct_conf1 = {
17538 .read = pci_conf1_read,
17539 .write = pci_conf1_write,
17541 @@ -173,7 +173,7 @@ static int pci_conf2_write(unsigned int
17543 #undef PCI_CONF2_ADDRESS
17545 -struct pci_raw_ops pci_direct_conf2 = {
17546 +const struct pci_raw_ops pci_direct_conf2 = {
17547 .read = pci_conf2_read,
17548 .write = pci_conf2_write,
17550 @@ -189,7 +189,7 @@ struct pci_raw_ops pci_direct_conf2 = {
17551 * This should be close to trivial, but it isn't, because there are buggy
17552 * chipsets (yes, you guessed it, by Intel and Compaq) that have no class ID.
17554 -static int __init pci_sanity_check(struct pci_raw_ops *o)
17555 +static int __init pci_sanity_check(const struct pci_raw_ops *o)
17559 diff -urNp linux-2.6.33.1/arch/x86/pci/fixup.c linux-2.6.33.1/arch/x86/pci/fixup.c
17560 --- linux-2.6.33.1/arch/x86/pci/fixup.c 2010-03-15 12:09:39.000000000 -0400
17561 +++ linux-2.6.33.1/arch/x86/pci/fixup.c 2010-03-20 16:58:39.040721575 -0400
17562 @@ -364,7 +364,7 @@ static const struct dmi_system_id __devi
17563 DMI_MATCH(DMI_PRODUCT_NAME, "MS-6702E"),
17567 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
17571 @@ -435,7 +435,7 @@ static const struct dmi_system_id __devi
17572 DMI_MATCH(DMI_PRODUCT_VERSION, "PSA40U"),
17576 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
17579 static void __devinit pci_pre_fixup_toshiba_ohci1394(struct pci_dev *dev)
17580 diff -urNp linux-2.6.33.1/arch/x86/pci/irq.c linux-2.6.33.1/arch/x86/pci/irq.c
17581 --- linux-2.6.33.1/arch/x86/pci/irq.c 2010-03-15 12:09:39.000000000 -0400
17582 +++ linux-2.6.33.1/arch/x86/pci/irq.c 2010-03-20 16:58:39.040721575 -0400
17583 @@ -543,7 +543,7 @@ static __init int intel_router_probe(str
17584 static struct pci_device_id __initdata pirq_440gx[] = {
17585 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_0) },
17586 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_2) },
17588 + { PCI_DEVICE(0, 0) }
17591 /* 440GX has a proprietary PIRQ router -- don't use it */
17592 @@ -1107,7 +1107,7 @@ static struct dmi_system_id __initdata p
17593 DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 360"),
17597 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
17600 int __init pcibios_irq_init(void)
17601 diff -urNp linux-2.6.33.1/arch/x86/pci/mmconfig_32.c linux-2.6.33.1/arch/x86/pci/mmconfig_32.c
17602 --- linux-2.6.33.1/arch/x86/pci/mmconfig_32.c 2010-03-15 12:09:39.000000000 -0400
17603 +++ linux-2.6.33.1/arch/x86/pci/mmconfig_32.c 2010-03-20 16:58:39.040721575 -0400
17604 @@ -117,7 +117,7 @@ static int pci_mmcfg_write(unsigned int
17608 -static struct pci_raw_ops pci_mmcfg = {
17609 +static const struct pci_raw_ops pci_mmcfg = {
17610 .read = pci_mmcfg_read,
17611 .write = pci_mmcfg_write,
17613 diff -urNp linux-2.6.33.1/arch/x86/pci/mmconfig_64.c linux-2.6.33.1/arch/x86/pci/mmconfig_64.c
17614 --- linux-2.6.33.1/arch/x86/pci/mmconfig_64.c 2010-03-15 12:09:39.000000000 -0400
17615 +++ linux-2.6.33.1/arch/x86/pci/mmconfig_64.c 2010-03-20 16:58:39.040721575 -0400
17616 @@ -81,7 +81,7 @@ static int pci_mmcfg_write(unsigned int
17620 -static struct pci_raw_ops pci_mmcfg = {
17621 +static const struct pci_raw_ops pci_mmcfg = {
17622 .read = pci_mmcfg_read,
17623 .write = pci_mmcfg_write,
17625 diff -urNp linux-2.6.33.1/arch/x86/pci/numaq_32.c linux-2.6.33.1/arch/x86/pci/numaq_32.c
17626 --- linux-2.6.33.1/arch/x86/pci/numaq_32.c 2010-03-15 12:09:39.000000000 -0400
17627 +++ linux-2.6.33.1/arch/x86/pci/numaq_32.c 2010-03-20 16:58:39.040721575 -0400
17628 @@ -112,7 +112,7 @@ static int pci_conf1_mq_write(unsigned i
17630 #undef PCI_CONF1_MQ_ADDRESS
17632 -static struct pci_raw_ops pci_direct_conf1_mq = {
17633 +static const struct pci_raw_ops pci_direct_conf1_mq = {
17634 .read = pci_conf1_mq_read,
17635 .write = pci_conf1_mq_write
17637 diff -urNp linux-2.6.33.1/arch/x86/pci/olpc.c linux-2.6.33.1/arch/x86/pci/olpc.c
17638 --- linux-2.6.33.1/arch/x86/pci/olpc.c 2010-03-15 12:09:39.000000000 -0400
17639 +++ linux-2.6.33.1/arch/x86/pci/olpc.c 2010-03-20 16:58:39.040721575 -0400
17640 @@ -297,7 +297,7 @@ static int pci_olpc_write(unsigned int s
17644 -static struct pci_raw_ops pci_olpc_conf = {
17645 +static const struct pci_raw_ops pci_olpc_conf = {
17646 .read = pci_olpc_read,
17647 .write = pci_olpc_write,
17649 diff -urNp linux-2.6.33.1/arch/x86/pci/pcbios.c linux-2.6.33.1/arch/x86/pci/pcbios.c
17650 --- linux-2.6.33.1/arch/x86/pci/pcbios.c 2010-03-15 12:09:39.000000000 -0400
17651 +++ linux-2.6.33.1/arch/x86/pci/pcbios.c 2010-03-20 16:58:39.040721575 -0400
17652 @@ -56,50 +56,93 @@ union bios32 {
17654 unsigned long address;
17655 unsigned short segment;
17656 -} bios32_indirect = { 0, __KERNEL_CS };
17657 +} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
17660 * Returns the entry point for the given service, NULL on error
17663 -static unsigned long bios32_service(unsigned long service)
17664 +static unsigned long __devinit bios32_service(unsigned long service)
17666 unsigned char return_code; /* %al */
17667 unsigned long address; /* %ebx */
17668 unsigned long length; /* %ecx */
17669 unsigned long entry; /* %edx */
17670 unsigned long flags;
17671 + struct desc_struct d, *gdt;
17673 local_irq_save(flags);
17674 - __asm__("lcall *(%%edi); cld"
17676 + gdt = get_cpu_gdt_table(smp_processor_id());
17678 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC);
17679 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
17680 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC);
17681 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
17683 + __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
17684 : "=a" (return_code),
17690 - "D" (&bios32_indirect));
17691 + "D" (&bios32_indirect),
17692 + "r"(__PCIBIOS_DS)
17695 + pax_open_kernel();
17696 + gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
17697 + gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
17698 + gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
17699 + gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
17700 + pax_close_kernel();
17702 local_irq_restore(flags);
17704 switch (return_code) {
17706 - return address + entry;
17707 - case 0x80: /* Not present */
17708 - printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
17710 - default: /* Shouldn't happen */
17711 - printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
17712 - service, return_code);
17715 + unsigned char flags;
17717 + printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
17718 + if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) {
17719 + printk(KERN_WARNING "bios32_service: not valid\n");
17722 + address = address + PAGE_OFFSET;
17723 + length += 16UL; /* some BIOSs underreport this... */
17725 + if (length >= 64*1024*1024) {
17726 + length >>= PAGE_SHIFT;
17730 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
17731 + gdt = get_cpu_gdt_table(cpu);
17732 + pack_descriptor(&d, address, length, 0x9b, flags);
17733 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
17734 + pack_descriptor(&d, address, length, 0x93, flags);
17735 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
17739 + case 0x80: /* Not present */
17740 + printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
17742 + default: /* Shouldn't happen */
17743 + printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
17744 + service, return_code);
17750 unsigned long address;
17751 unsigned short segment;
17752 -} pci_indirect = { 0, __KERNEL_CS };
17753 +} pci_indirect __read_only = { 0, __PCIBIOS_CS };
17755 -static int pci_bios_present;
17756 +static int pci_bios_present __read_only;
17758 static int __devinit check_pcibios(void)
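Review bot: The `unsigned char flags;` added inside the switch in bios32_service() shadows the function's `unsigned long flags` used by `local_irq_save()`/`local_irq_restore()`. A distinct name such as `unsigned char gran;`, passed as `pack_descriptor(&d, address, length, 0x9b, gran)`, avoids a -Wshadow warning and a confusing read. On the visible lines the range check rejects `length > 0x100000 - address`, so the later `if (length >= 64*1024*1024)` cannot be true and the page-granular path looks dead. If the threshold was meant to be the 20-bit byte-granular limit, it should be compared against that, and it is worth confirming whether `pack_descriptor()` expects a length or a last-valid-offset limit. The descriptor constants `0x9B`, `0x93` and `0xC` would read better as named values, and several lines of this hunk are missing from the page.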
17760 @@ -108,11 +151,13 @@ static int __devinit check_pcibios(void)
17761 unsigned long flags, pcibios_entry;
17763 if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
17764 - pci_indirect.address = pcibios_entry + PAGE_OFFSET;
17765 + pci_indirect.address = pcibios_entry;
17767 local_irq_save(flags);
17769 - "lcall *(%%edi); cld\n\t"
17770 + __asm__("movw %w6, %%ds\n\t"
17771 + "lcall *%%ss:(%%edi); cld\n\t"
17777 @@ -121,7 +166,8 @@ static int __devinit check_pcibios(void)
17780 : "1" (PCIBIOS_PCI_BIOS_PRESENT),
17781 - "D" (&pci_indirect)
17782 + "D" (&pci_indirect),
17783 + "r" (__PCIBIOS_DS)
17785 local_irq_restore(flags);
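Review bot: The new `"r" (__PCIBIOS_DS)` input is referenced by position, as `%w6` here and in pci_bios_read()/pci_bios_write(), `%w8` in pcibios_get_irq_routing() and `%w5` in pcibios_set_irq_routing(). Each index silently breaks if an operand is added or removed later. Named operands remove that fragility: `[ds] "r" (__PCIBIOS_DS)` in the input list and `"movw %w[ds], %%ds\n\t"` in the template. Each of these asm blocks loads `%ds` with the BIOS data selector, and the restore is not visible on this page (lines are missing), so a one-line comment at each site stating where `%ds` is reloaded with the kernel selector would help review.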
17787 @@ -165,7 +211,10 @@ static int pci_bios_read(unsigned int se
17791 - __asm__("lcall *(%%esi); cld\n\t"
17792 + __asm__("movw %w6, %%ds\n\t"
17793 + "lcall *%%ss:(%%esi); cld\n\t"
17799 @@ -174,7 +223,8 @@ static int pci_bios_read(unsigned int se
17800 : "1" (PCIBIOS_READ_CONFIG_BYTE),
17803 - "S" (&pci_indirect));
17804 + "S" (&pci_indirect),
17805 + "r" (__PCIBIOS_DS));
17807 * Zero-extend the result beyond 8 bits, do not trust the
17808 * BIOS having done it:
17809 @@ -182,7 +232,10 @@ static int pci_bios_read(unsigned int se
17813 - __asm__("lcall *(%%esi); cld\n\t"
17814 + __asm__("movw %w6, %%ds\n\t"
17815 + "lcall *%%ss:(%%esi); cld\n\t"
17821 @@ -191,7 +244,8 @@ static int pci_bios_read(unsigned int se
17822 : "1" (PCIBIOS_READ_CONFIG_WORD),
17825 - "S" (&pci_indirect));
17826 + "S" (&pci_indirect),
17827 + "r" (__PCIBIOS_DS));
17829 * Zero-extend the result beyond 16 bits, do not trust the
17830 * BIOS having done it:
17831 @@ -199,7 +253,10 @@ static int pci_bios_read(unsigned int se
17835 - __asm__("lcall *(%%esi); cld\n\t"
17836 + __asm__("movw %w6, %%ds\n\t"
17837 + "lcall *%%ss:(%%esi); cld\n\t"
17843 @@ -208,7 +265,8 @@ static int pci_bios_read(unsigned int se
17844 : "1" (PCIBIOS_READ_CONFIG_DWORD),
17847 - "S" (&pci_indirect));
17848 + "S" (&pci_indirect),
17849 + "r" (__PCIBIOS_DS));
17853 @@ -231,7 +289,10 @@ static int pci_bios_write(unsigned int s
17857 - __asm__("lcall *(%%esi); cld\n\t"
17858 + __asm__("movw %w6, %%ds\n\t"
17859 + "lcall *%%ss:(%%esi); cld\n\t"
17865 @@ -240,10 +301,14 @@ static int pci_bios_write(unsigned int s
17869 - "S" (&pci_indirect));
17870 + "S" (&pci_indirect),
17871 + "r" (__PCIBIOS_DS));
17874 - __asm__("lcall *(%%esi); cld\n\t"
17875 + __asm__("movw %w6, %%ds\n\t"
17876 + "lcall *%%ss:(%%esi); cld\n\t"
17882 @@ -252,10 +317,14 @@ static int pci_bios_write(unsigned int s
17886 - "S" (&pci_indirect));
17887 + "S" (&pci_indirect),
17888 + "r" (__PCIBIOS_DS));
17891 - __asm__("lcall *(%%esi); cld\n\t"
17892 + __asm__("movw %w6, %%ds\n\t"
17893 + "lcall *%%ss:(%%esi); cld\n\t"
17899 @@ -264,7 +333,8 @@ static int pci_bios_write(unsigned int s
17903 - "S" (&pci_indirect));
17904 + "S" (&pci_indirect),
17905 + "r" (__PCIBIOS_DS));
17909 @@ -278,7 +348,7 @@ static int pci_bios_write(unsigned int s
17910 * Function table for BIOS32 access
17913 -static struct pci_raw_ops pci_bios_access = {
17914 +static const struct pci_raw_ops pci_bios_access = {
17915 .read = pci_bios_read,
17916 .write = pci_bios_write
17918 @@ -287,7 +357,7 @@ static struct pci_raw_ops pci_bios_acces
17919 * Try to find PCI BIOS.
17922 -static struct pci_raw_ops * __devinit pci_find_bios(void)
17923 +static const struct pci_raw_ops * __devinit pci_find_bios(void)
17925 union bios32 *check;
17927 @@ -368,10 +438,13 @@ struct irq_routing_table * pcibios_get_i
17929 DBG("PCI: Fetching IRQ routing table... ");
17930 __asm__("push %%es\n\t"
17931 + "movw %w8, %%ds\n\t"
17934 - "lcall *(%%esi); cld\n\t"
17935 + "lcall *%%ss:(%%esi); cld\n\t"
17942 @@ -382,7 +455,8 @@ struct irq_routing_table * pcibios_get_i
17945 "S" (&pci_indirect),
17948 + "r" (__PCIBIOS_DS)
17950 DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
17952 @@ -406,7 +480,10 @@ int pcibios_set_irq_routing(struct pci_d
17956 - __asm__("lcall *(%%esi); cld\n\t"
17957 + __asm__("movw %w5, %%ds\n\t"
17958 + "lcall *%%ss:(%%esi); cld\n\t"
17964 @@ -414,7 +491,8 @@ int pcibios_set_irq_routing(struct pci_d
17965 : "0" (PCIBIOS_SET_PCI_HW_INT),
17966 "b" ((dev->bus->number << 8) | dev->devfn),
17967 "c" ((irq << 8) | (pin + 10)),
17968 - "S" (&pci_indirect));
17969 + "S" (&pci_indirect),
17970 + "r" (__PCIBIOS_DS));
17971 return !(ret & 0xff00);
17973 EXPORT_SYMBOL(pcibios_set_irq_routing);
17974 diff -urNp linux-2.6.33.1/arch/x86/power/cpu.c linux-2.6.33.1/arch/x86/power/cpu.c
17975 --- linux-2.6.33.1/arch/x86/power/cpu.c 2010-03-15 12:09:39.000000000 -0400
17976 +++ linux-2.6.33.1/arch/x86/power/cpu.c 2010-03-20 16:58:39.040721575 -0400
17977 @@ -127,7 +127,7 @@ static void do_fpu_end(void)
17978 static void fix_processor_context(void)
17980 int cpu = smp_processor_id();
17981 - struct tss_struct *t = &per_cpu(init_tss, cpu);
17982 + struct tss_struct *t = init_tss + cpu;
17984 set_tss_desc(cpu, t); /*
17985 * This just modifies memory; should not be
17986 @@ -137,7 +137,9 @@ static void fix_processor_context(void)
17989 #ifdef CONFIG_X86_64
17990 + pax_open_kernel();
17991 get_cpu_gdt_table(cpu)[GDT_ENTRY_TSS].type = 9;
17992 + pax_close_kernel();
17994 syscall_init(); /* This sets MSR_*STAR and related */
17996 diff -urNp linux-2.6.33.1/arch/x86/vdso/Makefile linux-2.6.33.1/arch/x86/vdso/Makefile
17997 --- linux-2.6.33.1/arch/x86/vdso/Makefile 2010-03-15 12:09:39.000000000 -0400
17998 +++ linux-2.6.33.1/arch/x86/vdso/Makefile 2010-03-20 16:58:39.040721575 -0400
17999 @@ -122,7 +122,7 @@ quiet_cmd_vdso = VDSO $@
18000 $(VDSO_LDFLAGS) $(VDSO_LDFLAGS_$(filter %.lds,$(^F))) \
18001 -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^)
18003 -VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
18004 +VDSO_LDFLAGS = -fPIC -shared --no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
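Review bot: `--no-undefined` is added bare, while the context lines show `$(VDSO_LDFLAGS)` used next to `-Wl,-T,...`, which suggests the flags go to the compiler driver rather than to ld. The other linker option on the same line is already wrapped as `-Wl$(comma)--hash-style=sysv`. Passing it the same way makes sure the linker sees it on every toolchain: `VDSO_LDFLAGS = -fPIC -shared -Wl,--no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)`. If the option were dropped, unresolved references in the vDSO would no longer fail the build, which is the check this change is meant to add.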
18008 diff -urNp linux-2.6.33.1/arch/x86/vdso/vclock_gettime.c linux-2.6.33.1/arch/x86/vdso/vclock_gettime.c
18009 --- linux-2.6.33.1/arch/x86/vdso/vclock_gettime.c 2010-03-15 12:09:39.000000000 -0400
18010 +++ linux-2.6.33.1/arch/x86/vdso/vclock_gettime.c 2010-03-20 16:58:39.044545939 -0400
18011 @@ -22,24 +22,48 @@
18012 #include <asm/hpet.h>
18013 #include <asm/unistd.h>
18014 #include <asm/io.h>
18015 +#include <asm/fixmap.h>
18016 #include "vextern.h"
18018 #define gtod vdso_vsyscall_gtod_data
18020 +notrace noinline long __vdso_fallback_time(long *t)
18023 + asm volatile("syscall"
18025 + : "0" (__NR_time),"D" (t) : "r11", "cx", "memory");
18029 notrace static long vdso_fallback_gettime(long clock, struct timespec *ts)
18032 asm("syscall" : "=a" (ret) :
18033 - "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "memory");
18034 + "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "r11", "cx", "memory");
18038 +notrace static inline cycle_t __vdso_vread_hpet(void)
18040 + return readl((const void __iomem *)fix_to_virt(VSYSCALL_HPET) + 0xf0);
18043 +notrace static inline cycle_t __vdso_vread_tsc(void)
18045 + cycle_t ret = (cycle_t)vget_cycles();
18047 + return ret >= gtod->clock.cycle_last ? ret : gtod->clock.cycle_last;
18050 notrace static inline long vgetns(void)
18053 - cycles_t (*vread)(void);
18054 - vread = gtod->clock.vread;
18055 - v = (vread() - gtod->clock.cycle_last) & gtod->clock.mask;
18056 + if (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3])
18057 + v = __vdso_vread_tsc();
18059 + v = __vdso_vread_hpet();
18060 + v = (v - gtod->clock.cycle_last) & gtod->clock.mask;
18061 return (v * gtod->clock.mult) >> gtod->clock.shift;
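Review bot: The character-by-character test of `gtod->clock.name` is open-coded three times, in `vgetns` here and in the `__vdso_clock_gettime` and `__vdso_gettimeofday` hunks below. `vgetns` reads the HPET for every clock that is not named "tsc", so it is only safe while both callers keep their own copies of the allow-list in sync. Two small `notrace static inline` predicates would keep the list in one place; string helpers are presumably avoided because the vDSO cannot call into the kernel, so the predicates keep the manual comparison. The HPET register offset `0xf0` could also be written as `HPET_COUNTER` from the already included `<asm/hpet.h>`. The function bodies are only partly visible in these hunks.

```c
notrace static inline int vdso_clock_is_tsc(void)
{
	return gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' &&
	       gtod->clock.name[2] == 'c' && !gtod->clock.name[3];
}

notrace static inline int vdso_clock_is_hpet(void)
{
	return gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' &&
	       gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' &&
	       !gtod->clock.name[4];
}

notrace static inline long vgetns(void)
/* … unchanged: declaration of v … */
	if (vdso_clock_is_tsc())
		v = __vdso_vread_tsc();
	else
		v = __vdso_vread_hpet();
/* … unchanged: mask against cycle_last and scale by mult/shift … */
```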
18064 @@ -113,7 +137,9 @@ notrace static noinline int do_monotonic
18066 notrace int __vdso_clock_gettime(clockid_t clock, struct timespec *ts)
18068 - if (likely(gtod->sysctl_enabled))
18069 + if (likely(gtod->sysctl_enabled &&
18070 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
18071 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
18073 case CLOCK_REALTIME:
18074 if (likely(gtod->clock.vread))
18075 @@ -133,10 +159,20 @@ notrace int __vdso_clock_gettime(clockid
18076 int clock_gettime(clockid_t, struct timespec *)
18077 __attribute__((weak, alias("__vdso_clock_gettime")));
18079 -notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
18080 +notrace noinline int __vdso_fallback_gettimeofday(struct timeval *tv, struct timezone *tz)
18083 - if (likely(gtod->sysctl_enabled && gtod->clock.vread)) {
18084 + asm("syscall" : "=a" (ret) :
18085 + "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "r11", "cx", "memory");
18089 +notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
18091 + if (likely(gtod->sysctl_enabled &&
18092 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
18093 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
18095 if (likely(tv != NULL)) {
18096 BUILD_BUG_ON(offsetof(struct timeval, tv_usec) !=
18097 offsetof(struct timespec, tv_nsec) ||
18098 @@ -151,9 +187,7 @@ notrace int __vdso_gettimeofday(struct t
18102 - asm("syscall" : "=a" (ret) :
18103 - "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "memory");
18105 + return __vdso_fallback_gettimeofday(tv, tz);
18107 int gettimeofday(struct timeval *, struct timezone *)
18108 __attribute__((weak, alias("__vdso_gettimeofday")));
18109 diff -urNp linux-2.6.33.1/arch/x86/vdso/vdso32-setup.c linux-2.6.33.1/arch/x86/vdso/vdso32-setup.c
18110 --- linux-2.6.33.1/arch/x86/vdso/vdso32-setup.c 2010-03-15 12:09:39.000000000 -0400
18111 +++ linux-2.6.33.1/arch/x86/vdso/vdso32-setup.c 2010-03-20 16:58:39.044545939 -0400
18113 #include <asm/tlbflush.h>
18114 #include <asm/vdso.h>
18115 #include <asm/proto.h>
18116 +#include <asm/mman.h>
18120 @@ -226,7 +227,7 @@ static inline void map_compat_vdso(int m
18121 void enable_sep_cpu(void)
18123 int cpu = get_cpu();
18124 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
18125 + struct tss_struct *tss = init_tss + cpu;
18127 if (!boot_cpu_has(X86_FEATURE_SEP)) {
18129 @@ -249,7 +250,7 @@ static int __init gate_vma_init(void)
18130 gate_vma.vm_start = FIXADDR_USER_START;
18131 gate_vma.vm_end = FIXADDR_USER_END;
18132 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
18133 - gate_vma.vm_page_prot = __P101;
18134 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
18136 * Make sure the vDSO gets into every core dump.
18137 * Dumping its contents makes post-mortem fully interpretable later
18138 @@ -331,14 +332,14 @@ int arch_setup_additional_pages(struct l
18140 addr = VDSO_HIGH_BASE;
18142 - addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
18143 + addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
18144 if (IS_ERR_VALUE(addr)) {
18150 - current->mm->context.vdso = (void *)addr;
18151 + current->mm->context.vdso = addr;
18153 if (compat_uses_vma || !compat) {
18155 @@ -361,11 +362,11 @@ int arch_setup_additional_pages(struct l
18158 current_thread_info()->sysenter_return =
18159 - VDSO32_SYMBOL(addr, SYSENTER_RETURN);
18160 + (__force void __user *)VDSO32_SYMBOL(addr, SYSENTER_RETURN);
18164 - current->mm->context.vdso = NULL;
18165 + current->mm->context.vdso = 0;
18167 up_write(&mm->mmap_sem);
18169 @@ -412,8 +413,14 @@ __initcall(ia32_binfmt_init);
18171 const char *arch_vma_name(struct vm_area_struct *vma)
18173 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
18174 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
18177 +#ifdef CONFIG_PAX_SEGMEXEC
18178 + if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
18185 @@ -422,7 +429,7 @@ struct vm_area_struct *get_gate_vma(stru
18186 struct mm_struct *mm = tsk->mm;
18188 /* Check to see if this task was created in compat vdso mode */
18189 - if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
18190 + if (mm && mm->context.vdso == VDSO_HIGH_BASE)
18194 diff -urNp linux-2.6.33.1/arch/x86/vdso/vdso.lds.S linux-2.6.33.1/arch/x86/vdso/vdso.lds.S
18195 --- linux-2.6.33.1/arch/x86/vdso/vdso.lds.S 2010-03-15 12:09:39.000000000 -0400
18196 +++ linux-2.6.33.1/arch/x86/vdso/vdso.lds.S 2010-03-20 16:58:39.044545939 -0400
18197 @@ -35,3 +35,9 @@ VDSO64_PRELINK = VDSO_PRELINK;
18198 #define VEXTERN(x) VDSO64_ ## x = vdso_ ## x;
18199 #include "vextern.h"
18202 +#define VEXTERN(x) VDSO64_ ## x = __vdso_ ## x;
18203 +VEXTERN(fallback_gettimeofday)
18204 +VEXTERN(fallback_time)
18207 diff -urNp linux-2.6.33.1/arch/x86/vdso/vextern.h linux-2.6.33.1/arch/x86/vdso/vextern.h
18208 --- linux-2.6.33.1/arch/x86/vdso/vextern.h 2010-03-15 12:09:39.000000000 -0400
18209 +++ linux-2.6.33.1/arch/x86/vdso/vextern.h 2010-03-20 16:58:39.044545939 -0400
18211 put into vextern.h and be referenced as a pointer with vdso prefix.
18212 The main kernel later fills in the values. */
18215 VEXTERN(vgetcpu_mode)
18216 VEXTERN(vsyscall_gtod_data)
18217 diff -urNp linux-2.6.33.1/arch/x86/vdso/vma.c linux-2.6.33.1/arch/x86/vdso/vma.c
18218 --- linux-2.6.33.1/arch/x86/vdso/vma.c 2010-03-15 12:09:39.000000000 -0400
18219 +++ linux-2.6.33.1/arch/x86/vdso/vma.c 2010-03-20 16:58:39.044545939 -0400
18220 @@ -57,7 +57,7 @@ static int __init init_vdso_vars(void)
18224 - if (memcmp(vbase, "\177ELF", 4)) {
18225 + if (memcmp(vbase, ELFMAG, SELFMAG)) {
18226 printk("VDSO: I'm broken; not ELF\n");
18229 @@ -66,6 +66,7 @@ static int __init init_vdso_vars(void)
18230 *(typeof(__ ## x) **) var_ref(VDSO64_SYMBOL(vbase, x), #x) = &__ ## x;
18231 #include "vextern.h"
18237 @@ -116,7 +117,7 @@ int arch_setup_additional_pages(struct l
18241 - current->mm->context.vdso = (void *)addr;
18242 + current->mm->context.vdso = addr;
18244 ret = install_special_mapping(mm, addr, vdso_size,
18246 @@ -124,7 +125,7 @@ int arch_setup_additional_pages(struct l
18250 - current->mm->context.vdso = NULL;
18251 + current->mm->context.vdso = 0;
18255 @@ -132,10 +133,3 @@ up_fail:
18256 up_write(&mm->mmap_sem);
18260 -static __init int vdso_setup(char *s)
18262 - vdso_enabled = simple_strtoul(s, NULL, 0);
18265 -__setup("vdso=", vdso_setup);
18266 diff -urNp linux-2.6.33.1/arch/x86/xen/enlighten.c linux-2.6.33.1/arch/x86/xen/enlighten.c
18267 --- linux-2.6.33.1/arch/x86/xen/enlighten.c 2010-03-15 12:09:39.000000000 -0400
18268 +++ linux-2.6.33.1/arch/x86/xen/enlighten.c 2010-03-20 16:58:39.044545939 -0400
18269 @@ -73,8 +73,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
18271 struct shared_info xen_dummy_shared_info;
18273 -void *xen_initial_gdt;
18276 * Point at some empty memory to start with. We map the real shared_info
18277 * page as soon as fixmap is up and running.
18278 @@ -550,7 +548,7 @@ static void xen_write_idt_entry(gate_des
18282 - start = __get_cpu_var(idt_desc).address;
18283 + start = (unsigned long)__get_cpu_var(idt_desc).address;
18284 end = start + __get_cpu_var(idt_desc).size + 1;
18287 @@ -1133,13 +1131,6 @@ asmlinkage void __init xen_start_kernel(
18289 machine_ops = xen_machine_ops;
18292 - * The only reliable way to retain the initial address of the
18293 - * percpu gdt_page is to remember it here, so we can go and
18294 - * mark it RW later, when the initial percpu area is freed.
18296 - xen_initial_gdt = &per_cpu(gdt_page, 0);
18300 pgd = (pgd_t *)xen_start_info->pt_base;
18301 diff -urNp linux-2.6.33.1/arch/x86/xen/mmu.c linux-2.6.33.1/arch/x86/xen/mmu.c
18302 --- linux-2.6.33.1/arch/x86/xen/mmu.c 2010-03-15 12:09:39.000000000 -0400
18303 +++ linux-2.6.33.1/arch/x86/xen/mmu.c 2010-03-20 16:58:39.044545939 -0400
18304 @@ -1711,6 +1711,8 @@ __init pgd_t *xen_setup_kernel_pagetable
18305 convert_pfn_mfn(init_level4_pgt);
18306 convert_pfn_mfn(level3_ident_pgt);
18307 convert_pfn_mfn(level3_kernel_pgt);
18308 + convert_pfn_mfn(level3_vmalloc_pgt);
18309 + convert_pfn_mfn(level3_vmemmap_pgt);
18311 l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd);
18312 l2 = m2v(l3[pud_index(__START_KERNEL_map)].pud);
18313 @@ -1729,7 +1731,10 @@ __init pgd_t *xen_setup_kernel_pagetable
18314 set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
18315 set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
18316 set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
18317 + set_page_prot(level3_vmalloc_pgt, PAGE_KERNEL_RO);
18318 + set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
18319 set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
18320 + set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
18321 set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
18322 set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
18324 diff -urNp linux-2.6.33.1/arch/x86/xen/smp.c linux-2.6.33.1/arch/x86/xen/smp.c
18325 --- linux-2.6.33.1/arch/x86/xen/smp.c 2010-03-15 12:09:39.000000000 -0400
18326 +++ linux-2.6.33.1/arch/x86/xen/smp.c 2010-03-20 16:58:39.044545939 -0400
18327 @@ -168,11 +168,6 @@ static void __init xen_smp_prepare_boot_
18329 BUG_ON(smp_processor_id() != 0);
18330 native_smp_prepare_boot_cpu();
18332 - /* We've switched to the "real" per-cpu gdt, so make sure the
18333 - old memory can be recycled */
18334 - make_lowmem_page_readwrite(xen_initial_gdt);
18336 xen_setup_vcpu_info_placement();
18339 @@ -232,8 +227,8 @@ cpu_initialize_context(unsigned int cpu,
18340 gdt = get_cpu_gdt_table(cpu);
18342 ctxt->flags = VGCF_IN_KERNEL;
18343 - ctxt->user_regs.ds = __USER_DS;
18344 - ctxt->user_regs.es = __USER_DS;
18345 + ctxt->user_regs.ds = __KERNEL_DS;
18346 + ctxt->user_regs.es = __KERNEL_DS;
18347 ctxt->user_regs.ss = __KERNEL_DS;
18348 #ifdef CONFIG_X86_32
18349 ctxt->user_regs.fs = __KERNEL_PERCPU;
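Review bot: The vCPU boot context now loads `__KERNEL_DS` into ds and es where it used `__USER_DS`, and nothing in the hunk records that this is deliberate. The reason is presumably that the user data segment no longer covers kernel addresses under this patch set, but that is not visible here. A comment above the two assignments, for example `/* secondary vCPUs start on kernel data segments; do not revert to __USER_DS */`, would keep the change from being undone when the file is next synced with upstream. cpu_initialize_context starts and ends outside the hunk.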
18350 diff -urNp linux-2.6.33.1/arch/x86/xen/xen-ops.h linux-2.6.33.1/arch/x86/xen/xen-ops.h
18351 --- linux-2.6.33.1/arch/x86/xen/xen-ops.h 2010-03-15 12:09:39.000000000 -0400
18352 +++ linux-2.6.33.1/arch/x86/xen/xen-ops.h 2010-03-20 16:58:39.044545939 -0400
18354 extern const char xen_hypervisor_callback[];
18355 extern const char xen_failsafe_callback[];
18357 -extern void *xen_initial_gdt;
18360 void xen_copy_trap_info(struct trap_info *traps);
18362 diff -urNp linux-2.6.33.1/block/blk-integrity.c linux-2.6.33.1/block/blk-integrity.c
18363 --- linux-2.6.33.1/block/blk-integrity.c 2010-03-15 12:09:39.000000000 -0400
18364 +++ linux-2.6.33.1/block/blk-integrity.c 2010-03-20 16:58:39.052902082 -0400
18365 @@ -278,7 +278,7 @@ static struct attribute *integrity_attrs
18369 -static struct sysfs_ops integrity_ops = {
18370 +static const struct sysfs_ops integrity_ops = {
18371 .show = &integrity_attr_show,
18372 .store = &integrity_attr_store,
18374 diff -urNp linux-2.6.33.1/block/blk-iopoll.c linux-2.6.33.1/block/blk-iopoll.c
18375 --- linux-2.6.33.1/block/blk-iopoll.c 2010-03-15 12:09:39.000000000 -0400
18376 +++ linux-2.6.33.1/block/blk-iopoll.c 2010-03-20 16:58:39.068779508 -0400
18377 @@ -77,7 +77,7 @@ void blk_iopoll_complete(struct blk_iopo
18379 EXPORT_SYMBOL(blk_iopoll_complete);
18381 -static void blk_iopoll_softirq(struct softirq_action *h)
18382 +static void blk_iopoll_softirq(void)
18384 struct list_head *list = &__get_cpu_var(blk_cpu_iopoll);
18385 int rearm = 0, budget = blk_iopoll_budget;
18386 diff -urNp linux-2.6.33.1/block/blk-map.c linux-2.6.33.1/block/blk-map.c
18387 --- linux-2.6.33.1/block/blk-map.c 2010-03-15 12:09:39.000000000 -0400
18388 +++ linux-2.6.33.1/block/blk-map.c 2010-03-20 16:58:39.068779508 -0400
18389 @@ -54,7 +54,7 @@ static int __blk_rq_map_user(struct requ
18390 * direct dma. else, set up kernel bounce buffers
18392 uaddr = (unsigned long) ubuf;
18393 - if (blk_rq_aligned(q, ubuf, len) && !map_data)
18394 + if (blk_rq_aligned(q, (__force void *)ubuf, len) && !map_data)
18395 bio = bio_map_user(q, NULL, uaddr, len, reading, gfp_mask);
18397 bio = bio_copy_user(q, map_data, uaddr, len, reading, gfp_mask);
18398 @@ -297,7 +297,7 @@ int blk_rq_map_kern(struct request_queue
18402 - do_copy = !blk_rq_aligned(q, kbuf, len) || object_is_on_stack(kbuf);
18403 + do_copy = !blk_rq_aligned(q, kbuf, len) || object_starts_on_stack(kbuf);
18405 bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
18407 diff -urNp linux-2.6.33.1/block/blk-softirq.c linux-2.6.33.1/block/blk-softirq.c
18408 --- linux-2.6.33.1/block/blk-softirq.c 2010-03-15 12:09:39.000000000 -0400
18409 +++ linux-2.6.33.1/block/blk-softirq.c 2010-03-20 16:58:39.068779508 -0400
18410 @@ -17,7 +17,7 @@ static DEFINE_PER_CPU(struct list_head,
18411 * Softirq action handler - move entries to local list and loop over them
18412 * while passing them to the queue registered handler.
18414 -static void blk_done_softirq(struct softirq_action *h)
18415 +static void blk_done_softirq(void)
18417 struct list_head *cpu_list, local_list;
18419 diff -urNp linux-2.6.33.1/block/blk-sysfs.c linux-2.6.33.1/block/blk-sysfs.c
18420 --- linux-2.6.33.1/block/blk-sysfs.c 2010-03-15 12:09:39.000000000 -0400
18421 +++ linux-2.6.33.1/block/blk-sysfs.c 2010-03-20 16:58:39.068779508 -0400
18422 @@ -447,7 +447,7 @@ static void blk_release_queue(struct kob
18423 kmem_cache_free(blk_requestq_cachep, q);
18426 -static struct sysfs_ops queue_sysfs_ops = {
18427 +static const struct sysfs_ops queue_sysfs_ops = {
18428 .show = queue_attr_show,
18429 .store = queue_attr_store,
18431 diff -urNp linux-2.6.33.1/block/elevator.c linux-2.6.33.1/block/elevator.c
18432 --- linux-2.6.33.1/block/elevator.c 2010-03-15 12:09:39.000000000 -0400
18433 +++ linux-2.6.33.1/block/elevator.c 2010-03-20 16:58:39.073372227 -0400
18434 @@ -883,7 +883,7 @@ elv_attr_store(struct kobject *kobj, str
18438 -static struct sysfs_ops elv_sysfs_ops = {
18439 +static const struct sysfs_ops elv_sysfs_ops = {
18440 .show = elv_attr_show,
18441 .store = elv_attr_store,
18443 diff -urNp linux-2.6.33.1/crypto/lrw.c linux-2.6.33.1/crypto/lrw.c
18444 --- linux-2.6.33.1/crypto/lrw.c 2010-03-15 12:09:39.000000000 -0400
18445 +++ linux-2.6.33.1/crypto/lrw.c 2010-03-20 16:58:39.077284706 -0400
18446 @@ -60,7 +60,7 @@ static int setkey(struct crypto_tfm *par
18447 struct priv *ctx = crypto_tfm_ctx(parent);
18448 struct crypto_cipher *child = ctx->child;
18450 - be128 tmp = { 0 };
18451 + be128 tmp = { 0, 0 };
18452 int bsize = crypto_cipher_blocksize(child);
18454 crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
18455 diff -urNp linux-2.6.33.1/Documentation/dontdiff linux-2.6.33.1/Documentation/dontdiff
18456 --- linux-2.6.33.1/Documentation/dontdiff 2010-03-15 12:09:39.000000000 -0400
18457 +++ linux-2.6.33.1/Documentation/dontdiff 2010-03-20 16:58:39.077284706 -0400
18474 @@ -49,11 +51,16 @@
18491 @@ -77,7 +84,9 @@ btfixupprep
18501 @@ -107,13 +116,15 @@ generated
18509 initramfs_data.cpio
18510 +initramfs_data.cpio.bz2
18511 initramfs_data.cpio.gz
18518 @@ -137,10 +148,13 @@ mkboot
18532 @@ -153,6 +167,7 @@ patches*
18540 @@ -167,6 +182,7 @@ setup
18548 @@ -190,14 +206,20 @@ version.h*
18569 diff -urNp linux-2.6.33.1/Documentation/filesystems/sysfs.txt linux-2.6.33.1/Documentation/filesystems/sysfs.txt
18570 --- linux-2.6.33.1/Documentation/filesystems/sysfs.txt 2010-03-15 12:09:39.000000000 -0400
18571 +++ linux-2.6.33.1/Documentation/filesystems/sysfs.txt 2010-03-20 16:58:39.077284706 -0400
18572 @@ -123,8 +123,8 @@ set of sysfs operations for forwarding r
18573 show and store methods of the attribute owners.
18576 - ssize_t (*show)(struct kobject *, struct attribute *, char *);
18577 - ssize_t (*store)(struct kobject *, struct attribute *, const char *);
18578 + ssize_t (* const show)(struct kobject *, struct attribute *, char *);
18579 + ssize_t (* const store)(struct kobject *, struct attribute *, const char *);
18582 [ Subsystems should have already defined a struct kobj_type as a
18583 diff -urNp linux-2.6.33.1/Documentation/kernel-parameters.txt linux-2.6.33.1/Documentation/kernel-parameters.txt
18584 --- linux-2.6.33.1/Documentation/kernel-parameters.txt 2010-03-15 12:09:39.000000000 -0400
18585 +++ linux-2.6.33.1/Documentation/kernel-parameters.txt 2010-03-20 16:58:39.081342736 -0400
18586 @@ -1865,6 +1865,12 @@ and is between 256 and 4096 characters.
18587 the specified number of seconds. This is to be used if
18588 your oopses keep scrolling off the screen.
18590 + pax_nouderef [X86-32] disables UDEREF. Most likely needed under certain
18591 + virtualization environments that don't cope well with the
18592 + expand down segment used by UDEREF on X86-32.
18594 + pax_softmode= [X86-32] 0/1 to disable/enable PaX softmode on boot already.
18599 diff -urNp linux-2.6.33.1/drivers/acpi/battery.c linux-2.6.33.1/drivers/acpi/battery.c
18600 --- linux-2.6.33.1/drivers/acpi/battery.c 2010-03-15 12:09:39.000000000 -0400
18601 +++ linux-2.6.33.1/drivers/acpi/battery.c 2010-03-20 16:58:39.097283097 -0400
18602 @@ -763,7 +763,7 @@ DECLARE_FILE_FUNCTIONS(alarm);
18605 static struct battery_file {
18606 - struct file_operations ops;
18607 + const struct file_operations ops;
18610 } acpi_battery_file[] = {
18611 diff -urNp linux-2.6.33.1/drivers/acpi/blacklist.c linux-2.6.33.1/drivers/acpi/blacklist.c
18612 --- linux-2.6.33.1/drivers/acpi/blacklist.c 2010-03-15 12:09:39.000000000 -0400
18613 +++ linux-2.6.33.1/drivers/acpi/blacklist.c 2010-03-20 16:58:39.097283097 -0400
18614 @@ -73,7 +73,7 @@ static struct acpi_blacklist_item acpi_b
18615 {"IBM ", "TP600E ", 0x00000105, ACPI_SIG_DSDT, less_than_or_equal,
18616 "Incorrect _ADR", 1},
18619 + {"", "", 0, NULL, all_versions, NULL, 0}
18622 #if CONFIG_ACPI_BLACKLIST_YEAR
18623 diff -urNp linux-2.6.33.1/drivers/acpi/dock.c linux-2.6.33.1/drivers/acpi/dock.c
18624 --- linux-2.6.33.1/drivers/acpi/dock.c 2010-03-15 12:09:39.000000000 -0400
18625 +++ linux-2.6.33.1/drivers/acpi/dock.c 2010-03-20 16:58:39.097283097 -0400
18626 @@ -76,7 +76,7 @@ struct dock_dependent_device {
18627 struct list_head list;
18628 struct list_head hotplug_list;
18629 acpi_handle handle;
18630 - struct acpi_dock_ops *ops;
18631 + const struct acpi_dock_ops *ops;
18635 @@ -588,7 +588,7 @@ EXPORT_SYMBOL_GPL(unregister_dock_notifi
18636 * the dock driver after _DCK is executed.
18639 -register_hotplug_dock_device(acpi_handle handle, struct acpi_dock_ops *ops,
18640 +register_hotplug_dock_device(acpi_handle handle, const struct acpi_dock_ops *ops,
18643 struct dock_dependent_device *dd;
18644 diff -urNp linux-2.6.33.1/drivers/acpi/osl.c linux-2.6.33.1/drivers/acpi/osl.c
18645 --- linux-2.6.33.1/drivers/acpi/osl.c 2010-03-15 12:09:39.000000000 -0400
18646 +++ linux-2.6.33.1/drivers/acpi/osl.c 2010-03-20 16:58:39.101703980 -0400
18647 @@ -523,6 +523,8 @@ acpi_os_read_memory(acpi_physical_addres
18648 void __iomem *virt_addr;
18650 virt_addr = ioremap(phys_addr, width);
18652 + return AE_NO_MEMORY;
18656 @@ -551,6 +553,8 @@ acpi_os_write_memory(acpi_physical_addre
18657 void __iomem *virt_addr;
18659 virt_addr = ioremap(phys_addr, width);
18661 + return AE_NO_MEMORY;
18665 diff -urNp linux-2.6.33.1/drivers/acpi/processor_core.c linux-2.6.33.1/drivers/acpi/processor_core.c
18666 --- linux-2.6.33.1/drivers/acpi/processor_core.c 2010-03-15 12:09:39.000000000 -0400
18667 +++ linux-2.6.33.1/drivers/acpi/processor_core.c 2010-03-20 16:58:39.109290821 -0400
18668 @@ -734,7 +734,7 @@ static int __cpuinit acpi_processor_add(
18672 - BUG_ON((pr->id >= nr_cpu_ids) || (pr->id < 0));
18673 + BUG_ON(pr->id >= nr_cpu_ids);
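Review bot: Dropping the `pr->id < 0` half of the assertion is only equivalent when `pr->id` has an unsigned type, which this hunk does not show. If the field is, or later becomes, signed, a negative id passes the remaining comparison and reaches whatever code indexes per-CPU data by it. Making the unsigned comparison explicit keeps the bound check independent of the field's declaration: `BUG_ON((unsigned int)pr->id >= nr_cpu_ids);`. acpi_processor_add continues outside the hunk.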
18677 diff -urNp linux-2.6.33.1/drivers/acpi/processor_idle.c linux-2.6.33.1/drivers/acpi/processor_idle.c
18678 --- linux-2.6.33.1/drivers/acpi/processor_idle.c 2010-03-15 12:09:39.000000000 -0400
18679 +++ linux-2.6.33.1/drivers/acpi/processor_idle.c 2010-03-20 16:58:39.109290821 -0400
18680 @@ -118,7 +118,7 @@ static struct dmi_system_id __cpuinitdat
18681 DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK Computer Inc."),
18682 DMI_MATCH(DMI_PRODUCT_NAME,"L8400B series Notebook PC")},
18685 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL},
18689 diff -urNp linux-2.6.33.1/drivers/acpi/sleep.c linux-2.6.33.1/drivers/acpi/sleep.c
18690 --- linux-2.6.33.1/drivers/acpi/sleep.c 2010-03-15 12:09:39.000000000 -0400
18691 +++ linux-2.6.33.1/drivers/acpi/sleep.c 2010-03-20 16:58:39.113276130 -0400
18692 @@ -302,7 +302,7 @@ static int acpi_suspend_state_valid(susp
18696 -static struct platform_suspend_ops acpi_suspend_ops = {
18697 +static const struct platform_suspend_ops acpi_suspend_ops = {
18698 .valid = acpi_suspend_state_valid,
18699 .begin = acpi_suspend_begin,
18700 .prepare_late = acpi_pm_prepare,
18701 @@ -330,7 +330,7 @@ static int acpi_suspend_begin_old(suspen
18702 * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
18705 -static struct platform_suspend_ops acpi_suspend_ops_old = {
18706 +static const struct platform_suspend_ops acpi_suspend_ops_old = {
18707 .valid = acpi_suspend_state_valid,
18708 .begin = acpi_suspend_begin_old,
18709 .prepare_late = acpi_pm_disable_gpes,
18710 @@ -557,7 +557,7 @@ static void acpi_pm_enable_gpes(void)
18711 acpi_enable_all_runtime_gpes();
18714 -static struct platform_hibernation_ops acpi_hibernation_ops = {
18715 +static const struct platform_hibernation_ops acpi_hibernation_ops = {
18716 .begin = acpi_hibernation_begin,
18717 .end = acpi_pm_end,
18718 .pre_snapshot = acpi_hibernation_pre_snapshot,
18719 @@ -610,7 +610,7 @@ static int acpi_hibernation_pre_snapshot
18720 * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
18723 -static struct platform_hibernation_ops acpi_hibernation_ops_old = {
18724 +static const struct platform_hibernation_ops acpi_hibernation_ops_old = {
18725 .begin = acpi_hibernation_begin_old,
18726 .end = acpi_pm_end,
18727 .pre_snapshot = acpi_hibernation_pre_snapshot_old,
18728 diff -urNp linux-2.6.33.1/drivers/acpi/video.c linux-2.6.33.1/drivers/acpi/video.c
18729 --- linux-2.6.33.1/drivers/acpi/video.c 2010-03-15 12:09:39.000000000 -0400
18730 +++ linux-2.6.33.1/drivers/acpi/video.c 2010-03-20 16:58:39.136890536 -0400
18731 @@ -366,7 +366,7 @@ static int acpi_video_set_brightness(str
18732 vd->brightness->levels[request_level]);
18735 -static struct backlight_ops acpi_backlight_ops = {
18736 +static const struct backlight_ops acpi_backlight_ops = {
18737 .get_brightness = acpi_video_get_brightness,
18738 .update_status = acpi_video_set_brightness,
18740 diff -urNp linux-2.6.33.1/drivers/ata/ahci.c linux-2.6.33.1/drivers/ata/ahci.c
18741 --- linux-2.6.33.1/drivers/ata/ahci.c 2010-03-15 12:09:39.000000000 -0400
18742 +++ linux-2.6.33.1/drivers/ata/ahci.c 2010-03-20 16:58:39.153286662 -0400
18743 @@ -387,7 +387,7 @@ static struct scsi_host_template ahci_sh
18744 .sdev_attrs = ahci_sdev_attrs,
18747 -static struct ata_port_operations ahci_ops = {
18748 +static const struct ata_port_operations ahci_ops = {
18749 .inherits = &sata_pmp_port_ops,
18751 .qc_defer = sata_pmp_qc_defer_cmd_switch,
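Review bot: Making `ahci_ops` const, along with the tables that chain to it through `.inherits`, needs a matching change where libata resolves that chain. In this kernel ata_finalize_port_ops() fills in the inherited method pointers and clears `.inherits` by writing into the ops structure itself. That function is not part of this hunk, so confirm the patch updates it (const-qualified parameter plus an explicit write window); otherwise these objects would fault on first host start once they are placed in read-only data. The same applies to the `ata_port_operations` tables in the ata_generic.c and ata_piix.c hunks below. A short comment next to `.inherits`, such as `/* resolved in place by ata_finalize_port_ops() */`, would make the dependency visible to the next reader.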
18752 @@ -424,17 +424,17 @@ static struct ata_port_operations ahci_o
18753 .port_stop = ahci_port_stop,
18756 -static struct ata_port_operations ahci_vt8251_ops = {
18757 +static const struct ata_port_operations ahci_vt8251_ops = {
18758 .inherits = &ahci_ops,
18759 .hardreset = ahci_vt8251_hardreset,
18762 -static struct ata_port_operations ahci_p5wdh_ops = {
18763 +static const struct ata_port_operations ahci_p5wdh_ops = {
18764 .inherits = &ahci_ops,
18765 .hardreset = ahci_p5wdh_hardreset,
18768 -static struct ata_port_operations ahci_sb600_ops = {
18769 +static const struct ata_port_operations ahci_sb600_ops = {
18770 .inherits = &ahci_ops,
18771 .softreset = ahci_sb600_softreset,
18772 .pmp_softreset = ahci_sb600_softreset,
18773 @@ -681,7 +681,7 @@ static const struct pci_device_id ahci_p
18774 { PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
18775 PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci },
18777 - { } /* terminate list */
18778 + { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
18782 diff -urNp linux-2.6.33.1/drivers/ata/ata_generic.c linux-2.6.33.1/drivers/ata/ata_generic.c
18783 --- linux-2.6.33.1/drivers/ata/ata_generic.c 2010-03-15 12:09:39.000000000 -0400
18784 +++ linux-2.6.33.1/drivers/ata/ata_generic.c 2010-03-20 16:58:39.156781730 -0400
18785 @@ -95,7 +95,7 @@ static struct scsi_host_template generic
18786 ATA_BMDMA_SHT(DRV_NAME),
18789 -static struct ata_port_operations generic_port_ops = {
18790 +static const struct ata_port_operations generic_port_ops = {
18791 .inherits = &ata_bmdma_port_ops,
18792 .cable_detect = ata_cable_unknown,
18793 .set_mode = generic_set_mode,
18794 diff -urNp linux-2.6.33.1/drivers/ata/ata_piix.c linux-2.6.33.1/drivers/ata/ata_piix.c
18795 --- linux-2.6.33.1/drivers/ata/ata_piix.c 2010-03-15 12:09:39.000000000 -0400
18796 +++ linux-2.6.33.1/drivers/ata/ata_piix.c 2010-03-20 16:58:39.160672594 -0400
18797 @@ -291,7 +291,7 @@ static const struct pci_device_id piix_p
18798 { 0x8086, 0x3b2d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
18799 /* SATA Controller IDE (PCH) */
18800 { 0x8086, 0x3b2e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_sata },
18801 - { } /* terminate list */
18802 + { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
18805 static struct pci_driver piix_pci_driver = {
18806 @@ -309,7 +309,7 @@ static struct scsi_host_template piix_sh
18807 ATA_BMDMA_SHT(DRV_NAME),
18810 -static struct ata_port_operations piix_pata_ops = {
18811 +static const struct ata_port_operations piix_pata_ops = {
18812 .inherits = &ata_bmdma32_port_ops,
18813 .cable_detect = ata_cable_40wire,
18814 .set_piomode = piix_set_piomode,
18815 @@ -317,22 +317,22 @@ static struct ata_port_operations piix_p
18816 .prereset = piix_pata_prereset,
18819 -static struct ata_port_operations piix_vmw_ops = {
18820 +static const struct ata_port_operations piix_vmw_ops = {
18821 .inherits = &piix_pata_ops,
18822 .bmdma_status = piix_vmw_bmdma_status,
18825 -static struct ata_port_operations ich_pata_ops = {
18826 +static const struct ata_port_operations ich_pata_ops = {
18827 .inherits = &piix_pata_ops,
18828 .cable_detect = ich_pata_cable_detect,
18829 .set_dmamode = ich_set_dmamode,
18832 -static struct ata_port_operations piix_sata_ops = {
18833 +static const struct ata_port_operations piix_sata_ops = {
18834 .inherits = &ata_bmdma32_port_ops,
18837 -static struct ata_port_operations piix_sidpr_sata_ops = {
18838 +static const struct ata_port_operations piix_sidpr_sata_ops = {
18839 .inherits = &piix_sata_ops,
18840 .hardreset = sata_std_hardreset,
18841 .scr_read = piix_sidpr_scr_read,
18842 @@ -608,7 +608,7 @@ static const struct ich_laptop ich_lapto
18843 { 0x2653, 0x1043, 0x82D8 }, /* ICH6M on Asus Eee 701 */
18844 { 0x27df, 0x104d, 0x900e }, /* ICH7 on Sony TZ-90 */
18851 @@ -1086,7 +1086,7 @@ static int piix_broken_suspend(void)
18855 - { } /* terminate list */
18856 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL } /* terminate list */
18858 static const char *oemstrs[] = {
18860 diff -urNp linux-2.6.33.1/drivers/ata/libata-acpi.c linux-2.6.33.1/drivers/ata/libata-acpi.c
18861 --- linux-2.6.33.1/drivers/ata/libata-acpi.c 2010-03-15 12:09:39.000000000 -0400
18862 +++ linux-2.6.33.1/drivers/ata/libata-acpi.c 2010-03-20 16:58:39.164792430 -0400
18863 @@ -223,12 +223,12 @@ static void ata_acpi_dev_uevent(acpi_han
18864 ata_acpi_uevent(dev->link->ap, dev, event);
18867 -static struct acpi_dock_ops ata_acpi_dev_dock_ops = {
18868 +static const struct acpi_dock_ops ata_acpi_dev_dock_ops = {
18869 .handler = ata_acpi_dev_notify_dock,
18870 .uevent = ata_acpi_dev_uevent,
18873 -static struct acpi_dock_ops ata_acpi_ap_dock_ops = {
18874 +static const struct acpi_dock_ops ata_acpi_ap_dock_ops = {
18875 .handler = ata_acpi_ap_notify_dock,
18876 .uevent = ata_acpi_ap_uevent,
18878 diff -urNp linux-2.6.33.1/drivers/ata/libata-core.c linux-2.6.33.1/drivers/ata/libata-core.c
18879 --- linux-2.6.33.1/drivers/ata/libata-core.c 2010-03-15 12:09:39.000000000 -0400
18880 +++ linux-2.6.33.1/drivers/ata/libata-core.c 2010-03-20 16:58:39.176796856 -0400
18881 @@ -896,7 +896,7 @@ static const struct ata_xfer_ent {
18882 { ATA_SHIFT_PIO, ATA_NR_PIO_MODES, XFER_PIO_0 },
18883 { ATA_SHIFT_MWDMA, ATA_NR_MWDMA_MODES, XFER_MW_DMA_0 },
18884 { ATA_SHIFT_UDMA, ATA_NR_UDMA_MODES, XFER_UDMA_0 },
18890 @@ -3163,7 +3163,7 @@ static const struct ata_timing ata_timin
18891 { XFER_UDMA_5, 0, 0, 0, 0, 0, 0, 0, 0, 20 },
18892 { XFER_UDMA_6, 0, 0, 0, 0, 0, 0, 0, 0, 15 },
18895 + { 0xFF, 0, 0, 0, 0, 0, 0, 0, 0 }
18898 #define ENOUGH(v, unit) (((v)-1)/(unit)+1)
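Review bot: The added terminator `{ 0xFF, 0, 0, 0, 0, 0, 0, 0, 0 }` has nine initializers, while the context rows just above it (for example the `XFER_UDMA_6` row) have ten, so the last member is still left to implicit zero-initialisation. The run-time value is the same, but the row does not do what the explicit form appears to be for and would still trip a missing-initializer check. I would write `{ 0xFF, 0, 0, 0, 0, 0, 0, 0, 0, 0 }`. The struct definition is not on this page, so the member count is inferred from the neighbouring rows.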
18899 @@ -4385,7 +4385,7 @@ static const struct ata_blacklist_entry
18900 { "PIONEER DVD-RW DVRTD08", "1.00", ATA_HORKAGE_NOSETXFER },
18904 + { NULL, NULL, 0 }
18907 static int strn_pattern_cmp(const char *patt, const char *name, int wildchar)
18908 @@ -5961,7 +5961,7 @@ static void ata_host_stop(struct device
18912 -static void ata_finalize_port_ops(struct ata_port_operations *ops)
18913 +static void ata_finalize_port_ops(const struct ata_port_operations *ops)
18915 static DEFINE_SPINLOCK(lock);
18916 const struct ata_port_operations *cur;
18917 @@ -5973,6 +5973,7 @@ static void ata_finalize_port_ops(struct
18921 + pax_open_kernel();
18923 for (cur = ops->inherits; cur; cur = cur->inherits) {
18924 void **inherit = (void **)cur;
18925 @@ -5986,8 +5987,9 @@ static void ata_finalize_port_ops(struct
18929 - ops->inherits = NULL;
18930 + ((struct ata_port_operations *)ops)->inherits = NULL;
18932 + pax_close_kernel();
18933 spin_unlock(&lock);
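Review bot: The cast in `((struct ata_port_operations *)ops)->inherits = NULL;` stores through a pointer that the new signature declares const. The inheritance loop in the previous hunk also appears to store into the table via `void **` aliases, though the lines that define them are not on this page. This is only sound while the `pax_open_kernel()` / `pax_close_kernel()` window is open, which presumably lifts write protection on the now-const tables (its definition is not on this page). A comment should state that invariant, e.g. `/* ops tables are const and may sit in read-only memory: every store into *ops must stay between pax_open_kernel() and pax_close_kernel() */`. The window spans both loops under the spinlock, so it is worth confirming that nothing else runs inside it. The function's opening lines fall outside these hunks, so I cannot confirm that no store precedes `pax_open_kernel()`.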
18936 @@ -6084,7 +6086,7 @@ int ata_host_start(struct ata_host *host
18938 /* KILLME - the only user left is ipr */
18939 void ata_host_init(struct ata_host *host, struct device *dev,
18940 - unsigned long flags, struct ata_port_operations *ops)
18941 + unsigned long flags, const struct ata_port_operations *ops)
18943 spin_lock_init(&host->lock);
18945 @@ -6754,7 +6756,7 @@ static void ata_dummy_error_handler(stru
18949 -struct ata_port_operations ata_dummy_port_ops = {
18950 +const struct ata_port_operations ata_dummy_port_ops = {
18951 .qc_prep = ata_noop_qc_prep,
18952 .qc_issue = ata_dummy_qc_issue,
18953 .error_handler = ata_dummy_error_handler,
18954 diff -urNp linux-2.6.33.1/drivers/ata/libata-eh.c linux-2.6.33.1/drivers/ata/libata-eh.c
18955 --- linux-2.6.33.1/drivers/ata/libata-eh.c 2010-03-15 12:09:39.000000000 -0400
18956 +++ linux-2.6.33.1/drivers/ata/libata-eh.c 2010-03-20 16:58:39.180707680 -0400
18957 @@ -3675,7 +3675,7 @@ void ata_do_eh(struct ata_port *ap, ata_
18959 void ata_std_error_handler(struct ata_port *ap)
18961 - struct ata_port_operations *ops = ap->ops;
18962 + const struct ata_port_operations *ops = ap->ops;
18963 ata_reset_fn_t hardreset = ops->hardreset;
18965 /* ignore built-in hardreset if SCR access is not available */
18966 diff -urNp linux-2.6.33.1/drivers/ata/libata-pmp.c linux-2.6.33.1/drivers/ata/libata-pmp.c
18967 --- linux-2.6.33.1/drivers/ata/libata-pmp.c 2010-03-15 12:09:39.000000000 -0400
18968 +++ linux-2.6.33.1/drivers/ata/libata-pmp.c 2010-03-20 16:58:39.180707680 -0400
18969 @@ -841,7 +841,7 @@ static int sata_pmp_handle_link_fail(str
18971 static int sata_pmp_eh_recover(struct ata_port *ap)
18973 - struct ata_port_operations *ops = ap->ops;
18974 + const struct ata_port_operations *ops = ap->ops;
18975 int pmp_tries, link_tries[SATA_PMP_MAX_PORTS];
18976 struct ata_link *pmp_link = &ap->link;
18977 struct ata_device *pmp_dev = pmp_link->device;
18978 diff -urNp linux-2.6.33.1/drivers/ata/pata_acpi.c linux-2.6.33.1/drivers/ata/pata_acpi.c
18979 --- linux-2.6.33.1/drivers/ata/pata_acpi.c 2010-03-15 12:09:39.000000000 -0400
18980 +++ linux-2.6.33.1/drivers/ata/pata_acpi.c 2010-03-20 16:58:39.188784803 -0400
18981 @@ -215,7 +215,7 @@ static struct scsi_host_template pacpi_s
18982 ATA_BMDMA_SHT(DRV_NAME),
18985 -static struct ata_port_operations pacpi_ops = {
18986 +static const struct ata_port_operations pacpi_ops = {
18987 .inherits = &ata_bmdma_port_ops,
18988 .qc_issue = pacpi_qc_issue,
18989 .cable_detect = pacpi_cable_detect,
18990 diff -urNp linux-2.6.33.1/drivers/ata/pata_ali.c linux-2.6.33.1/drivers/ata/pata_ali.c
18991 --- linux-2.6.33.1/drivers/ata/pata_ali.c 2010-03-15 12:09:39.000000000 -0400
18992 +++ linux-2.6.33.1/drivers/ata/pata_ali.c 2010-03-20 16:58:39.188784803 -0400
18993 @@ -365,7 +365,7 @@ static struct scsi_host_template ali_sht
18994 * Port operations for PIO only ALi
18997 -static struct ata_port_operations ali_early_port_ops = {
18998 +static const struct ata_port_operations ali_early_port_ops = {
18999 .inherits = &ata_sff_port_ops,
19000 .cable_detect = ata_cable_40wire,
19001 .set_piomode = ali_set_piomode,
19002 @@ -382,7 +382,7 @@ static const struct ata_port_operations
19003 * Port operations for DMA capable ALi without cable
19006 -static struct ata_port_operations ali_20_port_ops = {
19007 +static const struct ata_port_operations ali_20_port_ops = {
19008 .inherits = &ali_dma_base_ops,
19009 .cable_detect = ata_cable_40wire,
19010 .mode_filter = ali_20_filter,
19011 @@ -393,7 +393,7 @@ static struct ata_port_operations ali_20
19013 * Port operations for DMA capable ALi with cable detect
19015 -static struct ata_port_operations ali_c2_port_ops = {
19016 +static const struct ata_port_operations ali_c2_port_ops = {
19017 .inherits = &ali_dma_base_ops,
19018 .check_atapi_dma = ali_check_atapi_dma,
19019 .cable_detect = ali_c2_cable_detect,
19020 @@ -404,7 +404,7 @@ static struct ata_port_operations ali_c2
19022 * Port operations for DMA capable ALi with cable detect
19024 -static struct ata_port_operations ali_c4_port_ops = {
19025 +static const struct ata_port_operations ali_c4_port_ops = {
19026 .inherits = &ali_dma_base_ops,
19027 .check_atapi_dma = ali_check_atapi_dma,
19028 .cable_detect = ali_c2_cable_detect,
19029 @@ -414,7 +414,7 @@ static struct ata_port_operations ali_c4
19031 * Port operations for DMA capable ALi with cable detect and LBA48
19033 -static struct ata_port_operations ali_c5_port_ops = {
19034 +static const struct ata_port_operations ali_c5_port_ops = {
19035 .inherits = &ali_dma_base_ops,
19036 .check_atapi_dma = ali_check_atapi_dma,
19037 .dev_config = ali_warn_atapi_dma,
19038 diff -urNp linux-2.6.33.1/drivers/ata/pata_amd.c linux-2.6.33.1/drivers/ata/pata_amd.c
19039 --- linux-2.6.33.1/drivers/ata/pata_amd.c 2010-03-15 12:09:39.000000000 -0400
19040 +++ linux-2.6.33.1/drivers/ata/pata_amd.c 2010-03-20 16:58:39.214454463 -0400
19041 @@ -397,28 +397,28 @@ static const struct ata_port_operations
19042 .prereset = amd_pre_reset,
19045 -static struct ata_port_operations amd33_port_ops = {
19046 +static const struct ata_port_operations amd33_port_ops = {
19047 .inherits = &amd_base_port_ops,
19048 .cable_detect = ata_cable_40wire,
19049 .set_piomode = amd33_set_piomode,
19050 .set_dmamode = amd33_set_dmamode,
19053 -static struct ata_port_operations amd66_port_ops = {
19054 +static const struct ata_port_operations amd66_port_ops = {
19055 .inherits = &amd_base_port_ops,
19056 .cable_detect = ata_cable_unknown,
19057 .set_piomode = amd66_set_piomode,
19058 .set_dmamode = amd66_set_dmamode,
19061 -static struct ata_port_operations amd100_port_ops = {
19062 +static const struct ata_port_operations amd100_port_ops = {
19063 .inherits = &amd_base_port_ops,
19064 .cable_detect = ata_cable_unknown,
19065 .set_piomode = amd100_set_piomode,
19066 .set_dmamode = amd100_set_dmamode,
19069 -static struct ata_port_operations amd133_port_ops = {
19070 +static const struct ata_port_operations amd133_port_ops = {
19071 .inherits = &amd_base_port_ops,
19072 .cable_detect = amd_cable_detect,
19073 .set_piomode = amd133_set_piomode,
19074 @@ -433,13 +433,13 @@ static const struct ata_port_operations
19075 .host_stop = nv_host_stop,
19078 -static struct ata_port_operations nv100_port_ops = {
19079 +static const struct ata_port_operations nv100_port_ops = {
19080 .inherits = &nv_base_port_ops,
19081 .set_piomode = nv100_set_piomode,
19082 .set_dmamode = nv100_set_dmamode,
19085 -static struct ata_port_operations nv133_port_ops = {
19086 +static const struct ata_port_operations nv133_port_ops = {
19087 .inherits = &nv_base_port_ops,
19088 .set_piomode = nv133_set_piomode,
19089 .set_dmamode = nv133_set_dmamode,
19090 diff -urNp linux-2.6.33.1/drivers/ata/pata_artop.c linux-2.6.33.1/drivers/ata/pata_artop.c
19091 --- linux-2.6.33.1/drivers/ata/pata_artop.c 2010-03-15 12:09:39.000000000 -0400
19092 +++ linux-2.6.33.1/drivers/ata/pata_artop.c 2010-03-20 16:58:39.220796895 -0400
19093 @@ -311,7 +311,7 @@ static struct scsi_host_template artop_s
19094 ATA_BMDMA_SHT(DRV_NAME),
19097 -static struct ata_port_operations artop6210_ops = {
19098 +static const struct ata_port_operations artop6210_ops = {
19099 .inherits = &ata_bmdma_port_ops,
19100 .cable_detect = ata_cable_40wire,
19101 .set_piomode = artop6210_set_piomode,
19102 @@ -320,7 +320,7 @@ static struct ata_port_operations artop6
19103 .qc_defer = artop6210_qc_defer,
19106 -static struct ata_port_operations artop6260_ops = {
19107 +static const struct ata_port_operations artop6260_ops = {
19108 .inherits = &ata_bmdma_port_ops,
19109 .cable_detect = artop6260_cable_detect,
19110 .set_piomode = artop6260_set_piomode,
19111 diff -urNp linux-2.6.33.1/drivers/ata/pata_at32.c linux-2.6.33.1/drivers/ata/pata_at32.c
19112 --- linux-2.6.33.1/drivers/ata/pata_at32.c 2010-03-15 12:09:39.000000000 -0400
19113 +++ linux-2.6.33.1/drivers/ata/pata_at32.c 2010-03-20 16:58:39.220796895 -0400
19114 @@ -172,7 +172,7 @@ static struct scsi_host_template at32_sh
19115 ATA_PIO_SHT(DRV_NAME),
19118 -static struct ata_port_operations at32_port_ops = {
19119 +static const struct ata_port_operations at32_port_ops = {
19120 .inherits = &ata_sff_port_ops,
19121 .cable_detect = ata_cable_40wire,
19122 .set_piomode = pata_at32_set_piomode,
19123 diff -urNp linux-2.6.33.1/drivers/ata/pata_at91.c linux-2.6.33.1/drivers/ata/pata_at91.c
19124 --- linux-2.6.33.1/drivers/ata/pata_at91.c 2010-03-15 12:09:39.000000000 -0400
19125 +++ linux-2.6.33.1/drivers/ata/pata_at91.c 2010-03-20 16:58:39.224661770 -0400
19126 @@ -195,7 +195,7 @@ static struct scsi_host_template pata_at
19127 ATA_PIO_SHT(DRV_NAME),
19130 -static struct ata_port_operations pata_at91_port_ops = {
19131 +static const struct ata_port_operations pata_at91_port_ops = {
19132 .inherits = &ata_sff_port_ops,
19134 .sff_data_xfer = pata_at91_data_xfer_noirq,
19135 diff -urNp linux-2.6.33.1/drivers/ata/pata_atiixp.c linux-2.6.33.1/drivers/ata/pata_atiixp.c
19136 --- linux-2.6.33.1/drivers/ata/pata_atiixp.c 2010-03-15 12:09:39.000000000 -0400
19137 +++ linux-2.6.33.1/drivers/ata/pata_atiixp.c 2010-03-20 16:58:39.224661770 -0400
19138 @@ -205,7 +205,7 @@ static struct scsi_host_template atiixp_
19139 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
19142 -static struct ata_port_operations atiixp_port_ops = {
19143 +static const struct ata_port_operations atiixp_port_ops = {
19144 .inherits = &ata_bmdma_port_ops,
19146 .qc_prep = ata_sff_dumb_qc_prep,
19147 diff -urNp linux-2.6.33.1/drivers/ata/pata_atp867x.c linux-2.6.33.1/drivers/ata/pata_atp867x.c
19148 --- linux-2.6.33.1/drivers/ata/pata_atp867x.c 2010-03-15 12:09:39.000000000 -0400
19149 +++ linux-2.6.33.1/drivers/ata/pata_atp867x.c 2010-03-20 16:58:39.224661770 -0400
19150 @@ -274,7 +274,7 @@ static struct scsi_host_template atp867x
19151 ATA_BMDMA_SHT(DRV_NAME),
19154 -static struct ata_port_operations atp867x_ops = {
19155 +static const struct ata_port_operations atp867x_ops = {
19156 .inherits = &ata_bmdma_port_ops,
19157 .cable_detect = atp867x_cable_detect,
19158 .set_piomode = atp867x_set_piomode,
19159 diff -urNp linux-2.6.33.1/drivers/ata/pata_bf54x.c linux-2.6.33.1/drivers/ata/pata_bf54x.c
19160 --- linux-2.6.33.1/drivers/ata/pata_bf54x.c 2010-03-15 12:09:39.000000000 -0400
19161 +++ linux-2.6.33.1/drivers/ata/pata_bf54x.c 2010-03-20 16:58:39.236808133 -0400
19162 @@ -1464,7 +1464,7 @@ static struct scsi_host_template bfin_sh
19163 .dma_boundary = ATA_DMA_BOUNDARY,
19166 -static struct ata_port_operations bfin_pata_ops = {
19167 +static const struct ata_port_operations bfin_pata_ops = {
19168 .inherits = &ata_sff_port_ops,
19170 .set_piomode = bfin_set_piomode,
19171 diff -urNp linux-2.6.33.1/drivers/ata/pata_cmd640.c linux-2.6.33.1/drivers/ata/pata_cmd640.c
19172 --- linux-2.6.33.1/drivers/ata/pata_cmd640.c 2010-03-15 12:09:39.000000000 -0400
19173 +++ linux-2.6.33.1/drivers/ata/pata_cmd640.c 2010-03-20 16:58:39.244791590 -0400
19174 @@ -168,7 +168,7 @@ static struct scsi_host_template cmd640_
19175 ATA_BMDMA_SHT(DRV_NAME),
19178 -static struct ata_port_operations cmd640_port_ops = {
19179 +static const struct ata_port_operations cmd640_port_ops = {
19180 .inherits = &ata_bmdma_port_ops,
19181 /* In theory xfer_noirq is not needed once we kill the prefetcher */
19182 .sff_data_xfer = ata_sff_data_xfer_noirq,
19183 diff -urNp linux-2.6.33.1/drivers/ata/pata_cmd64x.c linux-2.6.33.1/drivers/ata/pata_cmd64x.c
19184 --- linux-2.6.33.1/drivers/ata/pata_cmd64x.c 2010-03-15 12:09:39.000000000 -0400
19185 +++ linux-2.6.33.1/drivers/ata/pata_cmd64x.c 2010-03-20 16:58:39.252794847 -0400
19186 @@ -275,18 +275,18 @@ static const struct ata_port_operations
19187 .set_dmamode = cmd64x_set_dmamode,
19190 -static struct ata_port_operations cmd64x_port_ops = {
19191 +static const struct ata_port_operations cmd64x_port_ops = {
19192 .inherits = &cmd64x_base_ops,
19193 .cable_detect = ata_cable_40wire,
19196 -static struct ata_port_operations cmd646r1_port_ops = {
19197 +static const struct ata_port_operations cmd646r1_port_ops = {
19198 .inherits = &cmd64x_base_ops,
19199 .bmdma_stop = cmd646r1_bmdma_stop,
19200 .cable_detect = ata_cable_40wire,
19203 -static struct ata_port_operations cmd648_port_ops = {
19204 +static const struct ata_port_operations cmd648_port_ops = {
19205 .inherits = &cmd64x_base_ops,
19206 .bmdma_stop = cmd648_bmdma_stop,
19207 .cable_detect = cmd648_cable_detect,
19208 diff -urNp linux-2.6.33.1/drivers/ata/pata_cs5520.c linux-2.6.33.1/drivers/ata/pata_cs5520.c
19209 --- linux-2.6.33.1/drivers/ata/pata_cs5520.c 2010-03-15 12:09:39.000000000 -0400
19210 +++ linux-2.6.33.1/drivers/ata/pata_cs5520.c 2010-03-20 16:58:39.268797665 -0400
19211 @@ -108,7 +108,7 @@ static struct scsi_host_template cs5520_
19212 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
19215 -static struct ata_port_operations cs5520_port_ops = {
19216 +static const struct ata_port_operations cs5520_port_ops = {
19217 .inherits = &ata_bmdma_port_ops,
19218 .qc_prep = ata_sff_dumb_qc_prep,
19219 .cable_detect = ata_cable_40wire,
19220 diff -urNp linux-2.6.33.1/drivers/ata/pata_cs5530.c linux-2.6.33.1/drivers/ata/pata_cs5530.c
19221 --- linux-2.6.33.1/drivers/ata/pata_cs5530.c 2010-03-15 12:09:39.000000000 -0400
19222 +++ linux-2.6.33.1/drivers/ata/pata_cs5530.c 2010-03-20 16:58:39.272512019 -0400
19223 @@ -164,7 +164,7 @@ static struct scsi_host_template cs5530_
19224 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
19227 -static struct ata_port_operations cs5530_port_ops = {
19228 +static const struct ata_port_operations cs5530_port_ops = {
19229 .inherits = &ata_bmdma_port_ops,
19231 .qc_prep = ata_sff_dumb_qc_prep,
19232 diff -urNp linux-2.6.33.1/drivers/ata/pata_cs5535.c linux-2.6.33.1/drivers/ata/pata_cs5535.c
19233 --- linux-2.6.33.1/drivers/ata/pata_cs5535.c 2010-03-15 12:09:39.000000000 -0400
19234 +++ linux-2.6.33.1/drivers/ata/pata_cs5535.c 2010-03-20 16:58:39.272512019 -0400
19235 @@ -160,7 +160,7 @@ static struct scsi_host_template cs5535_
19236 ATA_BMDMA_SHT(DRV_NAME),
19239 -static struct ata_port_operations cs5535_port_ops = {
19240 +static const struct ata_port_operations cs5535_port_ops = {
19241 .inherits = &ata_bmdma_port_ops,
19242 .cable_detect = cs5535_cable_detect,
19243 .set_piomode = cs5535_set_piomode,
19244 diff -urNp linux-2.6.33.1/drivers/ata/pata_cs5536.c linux-2.6.33.1/drivers/ata/pata_cs5536.c
19245 --- linux-2.6.33.1/drivers/ata/pata_cs5536.c 2010-03-15 12:09:39.000000000 -0400
19246 +++ linux-2.6.33.1/drivers/ata/pata_cs5536.c 2010-03-20 16:58:39.272512019 -0400
19247 @@ -223,7 +223,7 @@ static struct scsi_host_template cs5536_
19248 ATA_BMDMA_SHT(DRV_NAME),
19251 -static struct ata_port_operations cs5536_port_ops = {
19252 +static const struct ata_port_operations cs5536_port_ops = {
19253 .inherits = &ata_bmdma32_port_ops,
19254 .cable_detect = cs5536_cable_detect,
19255 .set_piomode = cs5536_set_piomode,
19256 diff -urNp linux-2.6.33.1/drivers/ata/pata_cypress.c linux-2.6.33.1/drivers/ata/pata_cypress.c
19257 --- linux-2.6.33.1/drivers/ata/pata_cypress.c 2010-03-15 12:09:39.000000000 -0400
19258 +++ linux-2.6.33.1/drivers/ata/pata_cypress.c 2010-03-20 16:58:39.272512019 -0400
19259 @@ -113,7 +113,7 @@ static struct scsi_host_template cy82c69
19260 ATA_BMDMA_SHT(DRV_NAME),
19263 -static struct ata_port_operations cy82c693_port_ops = {
19264 +static const struct ata_port_operations cy82c693_port_ops = {
19265 .inherits = &ata_bmdma_port_ops,
19266 .cable_detect = ata_cable_40wire,
19267 .set_piomode = cy82c693_set_piomode,
19268 diff -urNp linux-2.6.33.1/drivers/ata/pata_efar.c linux-2.6.33.1/drivers/ata/pata_efar.c
19269 --- linux-2.6.33.1/drivers/ata/pata_efar.c 2010-03-15 12:09:39.000000000 -0400
19270 +++ linux-2.6.33.1/drivers/ata/pata_efar.c 2010-03-20 16:58:39.272512019 -0400
19271 @@ -223,7 +223,7 @@ static struct scsi_host_template efar_sh
19272 ATA_BMDMA_SHT(DRV_NAME),
19275 -static struct ata_port_operations efar_ops = {
19276 +static const struct ata_port_operations efar_ops = {
19277 .inherits = &ata_bmdma_port_ops,
19278 .cable_detect = efar_cable_detect,
19279 .set_piomode = efar_set_piomode,
19280 diff -urNp linux-2.6.33.1/drivers/ata/pata_hpt366.c linux-2.6.33.1/drivers/ata/pata_hpt366.c
19281 --- linux-2.6.33.1/drivers/ata/pata_hpt366.c 2010-03-15 12:09:39.000000000 -0400
19282 +++ linux-2.6.33.1/drivers/ata/pata_hpt366.c 2010-03-20 16:58:39.272512019 -0400
19283 @@ -280,7 +280,7 @@ static struct scsi_host_template hpt36x_
19284 * Configuration for HPT366/68
19287 -static struct ata_port_operations hpt366_port_ops = {
19288 +static const struct ata_port_operations hpt366_port_ops = {
19289 .inherits = &ata_bmdma_port_ops,
19290 .cable_detect = hpt36x_cable_detect,
19291 .mode_filter = hpt366_filter,
19292 diff -urNp linux-2.6.33.1/drivers/ata/pata_hpt37x.c linux-2.6.33.1/drivers/ata/pata_hpt37x.c
19293 --- linux-2.6.33.1/drivers/ata/pata_hpt37x.c 2010-03-15 12:09:39.000000000 -0400
19294 +++ linux-2.6.33.1/drivers/ata/pata_hpt37x.c 2010-03-20 16:58:39.272512019 -0400
19295 @@ -583,7 +583,7 @@ static struct scsi_host_template hpt37x_
19296 * Configuration for HPT370
19299 -static struct ata_port_operations hpt370_port_ops = {
19300 +static const struct ata_port_operations hpt370_port_ops = {
19301 .inherits = &ata_bmdma_port_ops,
19303 .bmdma_stop = hpt370_bmdma_stop,
19304 @@ -599,7 +599,7 @@ static struct ata_port_operations hpt370
19305 * Configuration for HPT370A. Close to 370 but less filters
19308 -static struct ata_port_operations hpt370a_port_ops = {
19309 +static const struct ata_port_operations hpt370a_port_ops = {
19310 .inherits = &hpt370_port_ops,
19311 .mode_filter = hpt370a_filter,
19313 @@ -609,7 +609,7 @@ static struct ata_port_operations hpt370
19314 * and DMA mode setting functionality.
19317 -static struct ata_port_operations hpt372_port_ops = {
19318 +static const struct ata_port_operations hpt372_port_ops = {
19319 .inherits = &ata_bmdma_port_ops,
19321 .bmdma_stop = hpt37x_bmdma_stop,
19322 @@ -625,7 +625,7 @@ static struct ata_port_operations hpt372
19323 * but we have a different cable detection procedure for function 1.
19326 -static struct ata_port_operations hpt374_fn1_port_ops = {
19327 +static const struct ata_port_operations hpt374_fn1_port_ops = {
19328 .inherits = &hpt372_port_ops,
19329 .cable_detect = hpt374_fn1_cable_detect,
19330 .prereset = hpt37x_pre_reset,
19331 diff -urNp linux-2.6.33.1/drivers/ata/pata_hpt3x2n.c linux-2.6.33.1/drivers/ata/pata_hpt3x2n.c
19332 --- linux-2.6.33.1/drivers/ata/pata_hpt3x2n.c 2010-03-15 12:09:39.000000000 -0400
19333 +++ linux-2.6.33.1/drivers/ata/pata_hpt3x2n.c 2010-03-20 16:58:39.276654661 -0400
19334 @@ -339,7 +339,7 @@ static struct scsi_host_template hpt3x2n
19335 * Configuration for HPT3x2n.
19338 -static struct ata_port_operations hpt3x2n_port_ops = {
19339 +static const struct ata_port_operations hpt3x2n_port_ops = {
19340 .inherits = &ata_bmdma_port_ops,
19342 .bmdma_stop = hpt3x2n_bmdma_stop,
19343 diff -urNp linux-2.6.33.1/drivers/ata/pata_hpt3x3.c linux-2.6.33.1/drivers/ata/pata_hpt3x3.c
19344 --- linux-2.6.33.1/drivers/ata/pata_hpt3x3.c 2010-03-15 12:09:39.000000000 -0400
19345 +++ linux-2.6.33.1/drivers/ata/pata_hpt3x3.c 2010-03-20 16:58:39.284801841 -0400
19346 @@ -141,7 +141,7 @@ static struct scsi_host_template hpt3x3_
19347 ATA_BMDMA_SHT(DRV_NAME),
19350 -static struct ata_port_operations hpt3x3_port_ops = {
19351 +static const struct ata_port_operations hpt3x3_port_ops = {
19352 .inherits = &ata_bmdma_port_ops,
19353 .cable_detect = ata_cable_40wire,
19354 .set_piomode = hpt3x3_set_piomode,
19355 diff -urNp linux-2.6.33.1/drivers/ata/pata_icside.c linux-2.6.33.1/drivers/ata/pata_icside.c
19356 --- linux-2.6.33.1/drivers/ata/pata_icside.c 2010-03-15 12:09:39.000000000 -0400
19357 +++ linux-2.6.33.1/drivers/ata/pata_icside.c 2010-03-20 16:58:39.284801841 -0400
19358 @@ -319,7 +319,7 @@ static void pata_icside_postreset(struct
19362 -static struct ata_port_operations pata_icside_port_ops = {
19363 +static const struct ata_port_operations pata_icside_port_ops = {
19364 .inherits = &ata_sff_port_ops,
19365 /* no need to build any PRD tables for DMA */
19366 .qc_prep = ata_noop_qc_prep,
19367 diff -urNp linux-2.6.33.1/drivers/ata/pata_isapnp.c linux-2.6.33.1/drivers/ata/pata_isapnp.c
19368 --- linux-2.6.33.1/drivers/ata/pata_isapnp.c 2010-03-15 12:09:39.000000000 -0400
19369 +++ linux-2.6.33.1/drivers/ata/pata_isapnp.c 2010-03-20 16:58:39.292806212 -0400
19370 @@ -23,12 +23,12 @@ static struct scsi_host_template isapnp_
19371 ATA_PIO_SHT(DRV_NAME),
19374 -static struct ata_port_operations isapnp_port_ops = {
19375 +static const struct ata_port_operations isapnp_port_ops = {
19376 .inherits = &ata_sff_port_ops,
19377 .cable_detect = ata_cable_40wire,
19380 -static struct ata_port_operations isapnp_noalt_port_ops = {
19381 +static const struct ata_port_operations isapnp_noalt_port_ops = {
19382 .inherits = &ata_sff_port_ops,
19383 .cable_detect = ata_cable_40wire,
19384 /* No altstatus so we don't want to use the lost interrupt poll */
19385 diff -urNp linux-2.6.33.1/drivers/ata/pata_it8213.c linux-2.6.33.1/drivers/ata/pata_it8213.c
19386 --- linux-2.6.33.1/drivers/ata/pata_it8213.c 2010-03-15 12:09:39.000000000 -0400
19387 +++ linux-2.6.33.1/drivers/ata/pata_it8213.c 2010-03-20 16:58:39.296567577 -0400
19388 @@ -233,7 +233,7 @@ static struct scsi_host_template it8213_
19392 -static struct ata_port_operations it8213_ops = {
19393 +static const struct ata_port_operations it8213_ops = {
19394 .inherits = &ata_bmdma_port_ops,
19395 .cable_detect = it8213_cable_detect,
19396 .set_piomode = it8213_set_piomode,
19397 diff -urNp linux-2.6.33.1/drivers/ata/pata_it821x.c linux-2.6.33.1/drivers/ata/pata_it821x.c
19398 --- linux-2.6.33.1/drivers/ata/pata_it821x.c 2010-03-15 12:09:39.000000000 -0400
19399 +++ linux-2.6.33.1/drivers/ata/pata_it821x.c 2010-03-20 16:58:39.296567577 -0400
19400 @@ -800,7 +800,7 @@ static struct scsi_host_template it821x_
19401 ATA_BMDMA_SHT(DRV_NAME),
19404 -static struct ata_port_operations it821x_smart_port_ops = {
19405 +static const struct ata_port_operations it821x_smart_port_ops = {
19406 .inherits = &ata_bmdma_port_ops,
19408 .check_atapi_dma= it821x_check_atapi_dma,
19409 @@ -814,7 +814,7 @@ static struct ata_port_operations it821x
19410 .port_start = it821x_port_start,
19413 -static struct ata_port_operations it821x_passthru_port_ops = {
19414 +static const struct ata_port_operations it821x_passthru_port_ops = {
19415 .inherits = &ata_bmdma_port_ops,
19417 .check_atapi_dma= it821x_check_atapi_dma,
19418 @@ -830,7 +830,7 @@ static struct ata_port_operations it821x
19419 .port_start = it821x_port_start,
19422 -static struct ata_port_operations it821x_rdc_port_ops = {
19423 +static const struct ata_port_operations it821x_rdc_port_ops = {
19424 .inherits = &ata_bmdma_port_ops,
19426 .check_atapi_dma= it821x_check_atapi_dma,
19427 diff -urNp linux-2.6.33.1/drivers/ata/pata_ixp4xx_cf.c linux-2.6.33.1/drivers/ata/pata_ixp4xx_cf.c
19428 --- linux-2.6.33.1/drivers/ata/pata_ixp4xx_cf.c 2010-03-15 12:09:39.000000000 -0400
19429 +++ linux-2.6.33.1/drivers/ata/pata_ixp4xx_cf.c 2010-03-20 16:58:39.296567577 -0400
19430 @@ -89,7 +89,7 @@ static struct scsi_host_template ixp4xx_
19431 ATA_PIO_SHT(DRV_NAME),
19434 -static struct ata_port_operations ixp4xx_port_ops = {
19435 +static const struct ata_port_operations ixp4xx_port_ops = {
19436 .inherits = &ata_sff_port_ops,
19437 .sff_data_xfer = ixp4xx_mmio_data_xfer,
19438 .cable_detect = ata_cable_40wire,
19439 diff -urNp linux-2.6.33.1/drivers/ata/pata_jmicron.c linux-2.6.33.1/drivers/ata/pata_jmicron.c
19440 --- linux-2.6.33.1/drivers/ata/pata_jmicron.c 2010-03-15 12:09:39.000000000 -0400
19441 +++ linux-2.6.33.1/drivers/ata/pata_jmicron.c 2010-03-20 16:58:39.296567577 -0400
19442 @@ -111,7 +111,7 @@ static struct scsi_host_template jmicron
19443 ATA_BMDMA_SHT(DRV_NAME),
19446 -static struct ata_port_operations jmicron_ops = {
19447 +static const struct ata_port_operations jmicron_ops = {
19448 .inherits = &ata_bmdma_port_ops,
19449 .prereset = jmicron_pre_reset,
19451 diff -urNp linux-2.6.33.1/drivers/ata/pata_legacy.c linux-2.6.33.1/drivers/ata/pata_legacy.c
19452 --- linux-2.6.33.1/drivers/ata/pata_legacy.c 2010-03-15 12:09:39.000000000 -0400
19453 +++ linux-2.6.33.1/drivers/ata/pata_legacy.c 2010-03-20 16:58:39.296567577 -0400
19454 @@ -113,7 +113,7 @@ struct legacy_probe {
19456 struct legacy_controller {
19458 - struct ata_port_operations *ops;
19459 + const struct ata_port_operations *ops;
19460 unsigned int pio_mask;
19461 unsigned int flags;
19462 unsigned int pflags;
19463 @@ -230,12 +230,12 @@ static const struct ata_port_operations
19464 * pio_mask as well.
19467 -static struct ata_port_operations simple_port_ops = {
19468 +static const struct ata_port_operations simple_port_ops = {
19469 .inherits = &legacy_base_port_ops,
19470 .sff_data_xfer = ata_sff_data_xfer_noirq,
19473 -static struct ata_port_operations legacy_port_ops = {
19474 +static const struct ata_port_operations legacy_port_ops = {
19475 .inherits = &legacy_base_port_ops,
19476 .sff_data_xfer = ata_sff_data_xfer_noirq,
19477 .set_mode = legacy_set_mode,
19478 @@ -331,7 +331,7 @@ static unsigned int pdc_data_xfer_vlb(st
19482 -static struct ata_port_operations pdc20230_port_ops = {
19483 +static const struct ata_port_operations pdc20230_port_ops = {
19484 .inherits = &legacy_base_port_ops,
19485 .set_piomode = pdc20230_set_piomode,
19486 .sff_data_xfer = pdc_data_xfer_vlb,
19487 @@ -364,7 +364,7 @@ static void ht6560a_set_piomode(struct a
19488 ioread8(ap->ioaddr.status_addr);
19491 -static struct ata_port_operations ht6560a_port_ops = {
19492 +static const struct ata_port_operations ht6560a_port_ops = {
19493 .inherits = &legacy_base_port_ops,
19494 .set_piomode = ht6560a_set_piomode,
19496 @@ -407,7 +407,7 @@ static void ht6560b_set_piomode(struct a
19497 ioread8(ap->ioaddr.status_addr);
19500 -static struct ata_port_operations ht6560b_port_ops = {
19501 +static const struct ata_port_operations ht6560b_port_ops = {
19502 .inherits = &legacy_base_port_ops,
19503 .set_piomode = ht6560b_set_piomode,
19505 @@ -506,7 +506,7 @@ static void opti82c611a_set_piomode(stru
19509 -static struct ata_port_operations opti82c611a_port_ops = {
19510 +static const struct ata_port_operations opti82c611a_port_ops = {
19511 .inherits = &legacy_base_port_ops,
19512 .set_piomode = opti82c611a_set_piomode,
19514 @@ -616,7 +616,7 @@ static unsigned int opti82c46x_qc_issue(
19515 return ata_sff_qc_issue(qc);
19518 -static struct ata_port_operations opti82c46x_port_ops = {
19519 +static const struct ata_port_operations opti82c46x_port_ops = {
19520 .inherits = &legacy_base_port_ops,
19521 .set_piomode = opti82c46x_set_piomode,
19522 .qc_issue = opti82c46x_qc_issue,
19523 @@ -778,20 +778,20 @@ static int qdi_port(struct platform_devi
19527 -static struct ata_port_operations qdi6500_port_ops = {
19528 +static const struct ata_port_operations qdi6500_port_ops = {
19529 .inherits = &legacy_base_port_ops,
19530 .set_piomode = qdi6500_set_piomode,
19531 .qc_issue = qdi_qc_issue,
19532 .sff_data_xfer = vlb32_data_xfer,
19535 -static struct ata_port_operations qdi6580_port_ops = {
19536 +static const struct ata_port_operations qdi6580_port_ops = {
19537 .inherits = &legacy_base_port_ops,
19538 .set_piomode = qdi6580_set_piomode,
19539 .sff_data_xfer = vlb32_data_xfer,
19542 -static struct ata_port_operations qdi6580dp_port_ops = {
19543 +static const struct ata_port_operations qdi6580dp_port_ops = {
19544 .inherits = &legacy_base_port_ops,
19545 .set_piomode = qdi6580dp_set_piomode,
19546 .qc_issue = qdi_qc_issue,
19547 @@ -863,7 +863,7 @@ static int winbond_port(struct platform_
19551 -static struct ata_port_operations winbond_port_ops = {
19552 +static const struct ata_port_operations winbond_port_ops = {
19553 .inherits = &legacy_base_port_ops,
19554 .set_piomode = winbond_set_piomode,
19555 .sff_data_xfer = vlb32_data_xfer,
19556 @@ -986,7 +986,7 @@ static __init int legacy_init_one(struct
19557 int pio_modes = controller->pio_mask;
19558 unsigned long io = probe->port;
19559 u32 mask = (1 << probe->slot);
19560 - struct ata_port_operations *ops = controller->ops;
19561 + const struct ata_port_operations *ops = controller->ops;
19562 struct legacy_data *ld = &legacy_data[probe->slot];
19563 struct ata_host *host = NULL;
19564 struct ata_port *ap;
19565 diff -urNp linux-2.6.33.1/drivers/ata/pata_macio.c linux-2.6.33.1/drivers/ata/pata_macio.c
19566 --- linux-2.6.33.1/drivers/ata/pata_macio.c 2010-03-15 12:09:39.000000000 -0400
19567 +++ linux-2.6.33.1/drivers/ata/pata_macio.c 2010-03-20 16:58:39.300646647 -0400
19568 @@ -915,7 +915,7 @@ static struct scsi_host_template pata_ma
19569 .slave_configure = pata_macio_slave_config,
19572 -static struct ata_port_operations pata_macio_ops = {
19573 +static const struct ata_port_operations pata_macio_ops = {
19574 .inherits = &ata_sff_port_ops,
19576 .freeze = pata_macio_freeze,
19577 diff -urNp linux-2.6.33.1/drivers/ata/pata_marvell.c linux-2.6.33.1/drivers/ata/pata_marvell.c
19578 --- linux-2.6.33.1/drivers/ata/pata_marvell.c 2010-03-15 12:09:39.000000000 -0400
19579 +++ linux-2.6.33.1/drivers/ata/pata_marvell.c 2010-03-20 16:58:39.300646647 -0400
19580 @@ -100,7 +100,7 @@ static struct scsi_host_template marvell
19581 ATA_BMDMA_SHT(DRV_NAME),
19584 -static struct ata_port_operations marvell_ops = {
19585 +static const struct ata_port_operations marvell_ops = {
19586 .inherits = &ata_bmdma_port_ops,
19587 .cable_detect = marvell_cable_detect,
19588 .prereset = marvell_pre_reset,
19589 diff -urNp linux-2.6.33.1/drivers/ata/pata_mpc52xx.c linux-2.6.33.1/drivers/ata/pata_mpc52xx.c
19590 --- linux-2.6.33.1/drivers/ata/pata_mpc52xx.c 2010-03-15 12:09:39.000000000 -0400
19591 +++ linux-2.6.33.1/drivers/ata/pata_mpc52xx.c 2010-03-20 16:58:39.300646647 -0400
19592 @@ -609,7 +609,7 @@ static struct scsi_host_template mpc52xx
19593 ATA_PIO_SHT(DRV_NAME),
19596 -static struct ata_port_operations mpc52xx_ata_port_ops = {
19597 +static const struct ata_port_operations mpc52xx_ata_port_ops = {
19598 .inherits = &ata_sff_port_ops,
19599 .sff_dev_select = mpc52xx_ata_dev_select,
19600 .set_piomode = mpc52xx_ata_set_piomode,
19601 diff -urNp linux-2.6.33.1/drivers/ata/pata_mpiix.c linux-2.6.33.1/drivers/ata/pata_mpiix.c
19602 --- linux-2.6.33.1/drivers/ata/pata_mpiix.c 2010-03-15 12:09:39.000000000 -0400
19603 +++ linux-2.6.33.1/drivers/ata/pata_mpiix.c 2010-03-20 16:58:39.300646647 -0400
19604 @@ -140,7 +140,7 @@ static struct scsi_host_template mpiix_s
19605 ATA_PIO_SHT(DRV_NAME),
19608 -static struct ata_port_operations mpiix_port_ops = {
19609 +static const struct ata_port_operations mpiix_port_ops = {
19610 .inherits = &ata_sff_port_ops,
19611 .qc_issue = mpiix_qc_issue,
19612 .cable_detect = ata_cable_40wire,
19613 diff -urNp linux-2.6.33.1/drivers/ata/pata_netcell.c linux-2.6.33.1/drivers/ata/pata_netcell.c
19614 --- linux-2.6.33.1/drivers/ata/pata_netcell.c 2010-03-15 12:09:39.000000000 -0400
19615 +++ linux-2.6.33.1/drivers/ata/pata_netcell.c 2010-03-20 16:58:39.300646647 -0400
19616 @@ -34,7 +34,7 @@ static struct scsi_host_template netcell
19617 ATA_BMDMA_SHT(DRV_NAME),
19620 -static struct ata_port_operations netcell_ops = {
19621 +static const struct ata_port_operations netcell_ops = {
19622 .inherits = &ata_bmdma_port_ops,
19623 .cable_detect = ata_cable_80wire,
19624 .read_id = netcell_read_id,
19625 diff -urNp linux-2.6.33.1/drivers/ata/pata_ninja32.c linux-2.6.33.1/drivers/ata/pata_ninja32.c
19626 --- linux-2.6.33.1/drivers/ata/pata_ninja32.c 2010-03-15 12:09:39.000000000 -0400
19627 +++ linux-2.6.33.1/drivers/ata/pata_ninja32.c 2010-03-20 16:58:39.304517814 -0400
19628 @@ -81,7 +81,7 @@ static struct scsi_host_template ninja32
19629 ATA_BMDMA_SHT(DRV_NAME),
19632 -static struct ata_port_operations ninja32_port_ops = {
19633 +static const struct ata_port_operations ninja32_port_ops = {
19634 .inherits = &ata_bmdma_port_ops,
19635 .sff_dev_select = ninja32_dev_select,
19636 .cable_detect = ata_cable_40wire,
19637 diff -urNp linux-2.6.33.1/drivers/ata/pata_ns87410.c linux-2.6.33.1/drivers/ata/pata_ns87410.c
19638 --- linux-2.6.33.1/drivers/ata/pata_ns87410.c 2010-03-15 12:09:39.000000000 -0400
19639 +++ linux-2.6.33.1/drivers/ata/pata_ns87410.c 2010-03-20 16:58:39.304517814 -0400
19640 @@ -132,7 +132,7 @@ static struct scsi_host_template ns87410
19641 ATA_PIO_SHT(DRV_NAME),
19644 -static struct ata_port_operations ns87410_port_ops = {
19645 +static const struct ata_port_operations ns87410_port_ops = {
19646 .inherits = &ata_sff_port_ops,
19647 .qc_issue = ns87410_qc_issue,
19648 .cable_detect = ata_cable_40wire,
19649 diff -urNp linux-2.6.33.1/drivers/ata/pata_ns87415.c linux-2.6.33.1/drivers/ata/pata_ns87415.c
19650 --- linux-2.6.33.1/drivers/ata/pata_ns87415.c 2010-03-15 12:09:39.000000000 -0400
19651 +++ linux-2.6.33.1/drivers/ata/pata_ns87415.c 2010-03-20 16:58:39.304517814 -0400
19652 @@ -299,7 +299,7 @@ static u8 ns87560_bmdma_status(struct at
19654 #endif /* 87560 SuperIO Support */
19656 -static struct ata_port_operations ns87415_pata_ops = {
19657 +static const struct ata_port_operations ns87415_pata_ops = {
19658 .inherits = &ata_bmdma_port_ops,
19660 .check_atapi_dma = ns87415_check_atapi_dma,
19661 @@ -313,7 +313,7 @@ static struct ata_port_operations ns8741
19664 #if defined(CONFIG_SUPERIO)
19665 -static struct ata_port_operations ns87560_pata_ops = {
19666 +static const struct ata_port_operations ns87560_pata_ops = {
19667 .inherits = &ns87415_pata_ops,
19668 .sff_tf_read = ns87560_tf_read,
19669 .sff_check_status = ns87560_check_status,
19670 diff -urNp linux-2.6.33.1/drivers/ata/pata_octeon_cf.c linux-2.6.33.1/drivers/ata/pata_octeon_cf.c
19671 --- linux-2.6.33.1/drivers/ata/pata_octeon_cf.c 2010-03-15 12:09:39.000000000 -0400
19672 +++ linux-2.6.33.1/drivers/ata/pata_octeon_cf.c 2010-03-20 16:58:39.304517814 -0400
19673 @@ -801,6 +801,7 @@ static unsigned int octeon_cf_qc_issue(s
19677 +/* cannot be const */
19678 static struct ata_port_operations octeon_cf_ops = {
19679 .inherits = &ata_sff_port_ops,
19680 .check_atapi_dma = octeon_cf_check_atapi_dma,
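Review bot: The added comment `/* cannot be const */` records the exception but not the reason, so a later constification pass has nothing to check it against. If the reason is that the driver assigns members of `octeon_cf_ops` at run time (not visible in this hunk), the comment should say so, for example `/* cannot be const: members are assigned at probe time */`. This table stays writable while its siblings move to read-only data, so the comment should also mark it as a deliberate exception to the hardening. The definition of `octeon_cf_ops` continues past the end of the hunk.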
19681 diff -urNp linux-2.6.33.1/drivers/ata/pata_oldpiix.c linux-2.6.33.1/drivers/ata/pata_oldpiix.c
19682 --- linux-2.6.33.1/drivers/ata/pata_oldpiix.c 2010-03-15 12:09:39.000000000 -0400
19683 +++ linux-2.6.33.1/drivers/ata/pata_oldpiix.c 2010-03-20 16:58:39.304517814 -0400
19684 @@ -208,7 +208,7 @@ static struct scsi_host_template oldpiix
19685 ATA_BMDMA_SHT(DRV_NAME),
19688 -static struct ata_port_operations oldpiix_pata_ops = {
19689 +static const struct ata_port_operations oldpiix_pata_ops = {
19690 .inherits = &ata_bmdma_port_ops,
19691 .qc_issue = oldpiix_qc_issue,
19692 .cable_detect = ata_cable_40wire,
19693 diff -urNp linux-2.6.33.1/drivers/ata/pata_opti.c linux-2.6.33.1/drivers/ata/pata_opti.c
19694 --- linux-2.6.33.1/drivers/ata/pata_opti.c 2010-03-15 12:09:39.000000000 -0400
19695 +++ linux-2.6.33.1/drivers/ata/pata_opti.c 2010-03-20 16:58:39.304517814 -0400
19696 @@ -152,7 +152,7 @@ static struct scsi_host_template opti_sh
19697 ATA_PIO_SHT(DRV_NAME),
19700 -static struct ata_port_operations opti_port_ops = {
19701 +static const struct ata_port_operations opti_port_ops = {
19702 .inherits = &ata_sff_port_ops,
19703 .cable_detect = ata_cable_40wire,
19704 .set_piomode = opti_set_piomode,
19705 diff -urNp linux-2.6.33.1/drivers/ata/pata_optidma.c linux-2.6.33.1/drivers/ata/pata_optidma.c
19706 --- linux-2.6.33.1/drivers/ata/pata_optidma.c 2010-03-15 12:09:39.000000000 -0400
19707 +++ linux-2.6.33.1/drivers/ata/pata_optidma.c 2010-03-20 16:58:39.308536639 -0400
19708 @@ -337,7 +337,7 @@ static struct scsi_host_template optidma
19709 ATA_BMDMA_SHT(DRV_NAME),
19712 -static struct ata_port_operations optidma_port_ops = {
19713 +static const struct ata_port_operations optidma_port_ops = {
19714 .inherits = &ata_bmdma_port_ops,
19715 .cable_detect = ata_cable_40wire,
19716 .set_piomode = optidma_set_pio_mode,
19717 @@ -346,7 +346,7 @@ static struct ata_port_operations optidm
19718 .prereset = optidma_pre_reset,
19721 -static struct ata_port_operations optiplus_port_ops = {
19722 +static const struct ata_port_operations optiplus_port_ops = {
19723 .inherits = &optidma_port_ops,
19724 .set_piomode = optiplus_set_pio_mode,
19725 .set_dmamode = optiplus_set_dma_mode,
19726 diff -urNp linux-2.6.33.1/drivers/ata/pata_palmld.c linux-2.6.33.1/drivers/ata/pata_palmld.c
19727 --- linux-2.6.33.1/drivers/ata/pata_palmld.c 2010-03-15 12:09:39.000000000 -0400
19728 +++ linux-2.6.33.1/drivers/ata/pata_palmld.c 2010-03-20 16:58:39.308536639 -0400
19729 @@ -37,7 +37,7 @@ static struct scsi_host_template palmld_
19730 ATA_PIO_SHT(DRV_NAME),
19733 -static struct ata_port_operations palmld_port_ops = {
19734 +static const struct ata_port_operations palmld_port_ops = {
19735 .inherits = &ata_sff_port_ops,
19736 .sff_data_xfer = ata_sff_data_xfer_noirq,
19737 .cable_detect = ata_cable_40wire,
19738 diff -urNp linux-2.6.33.1/drivers/ata/pata_pcmcia.c linux-2.6.33.1/drivers/ata/pata_pcmcia.c
19739 --- linux-2.6.33.1/drivers/ata/pata_pcmcia.c 2010-03-15 12:09:39.000000000 -0400
19740 +++ linux-2.6.33.1/drivers/ata/pata_pcmcia.c 2010-03-20 16:58:39.308536639 -0400
19741 @@ -162,14 +162,14 @@ static struct scsi_host_template pcmcia_
19742 ATA_PIO_SHT(DRV_NAME),
19745 -static struct ata_port_operations pcmcia_port_ops = {
19746 +static const struct ata_port_operations pcmcia_port_ops = {
19747 .inherits = &ata_sff_port_ops,
19748 .sff_data_xfer = ata_sff_data_xfer_noirq,
19749 .cable_detect = ata_cable_40wire,
19750 .set_mode = pcmcia_set_mode,
19753 -static struct ata_port_operations pcmcia_8bit_port_ops = {
19754 +static const struct ata_port_operations pcmcia_8bit_port_ops = {
19755 .inherits = &ata_sff_port_ops,
19756 .sff_data_xfer = ata_data_xfer_8bit,
19757 .cable_detect = ata_cable_40wire,
19758 @@ -253,7 +253,7 @@ static int pcmcia_init_one(struct pcmcia
19759 unsigned long io_base, ctl_base;
19760 void __iomem *io_addr, *ctl_addr;
19762 - struct ata_port_operations *ops = &pcmcia_port_ops;
19763 + const struct ata_port_operations *ops = &pcmcia_port_ops;
19765 info = kzalloc(sizeof(*info), GFP_KERNEL);
19767 diff -urNp linux-2.6.33.1/drivers/ata/pata_pdc2027x.c linux-2.6.33.1/drivers/ata/pata_pdc2027x.c
19768 --- linux-2.6.33.1/drivers/ata/pata_pdc2027x.c 2010-03-15 12:09:39.000000000 -0400
19769 +++ linux-2.6.33.1/drivers/ata/pata_pdc2027x.c 2010-03-20 16:58:39.308536639 -0400
19770 @@ -132,14 +132,14 @@ static struct scsi_host_template pdc2027
19771 ATA_BMDMA_SHT(DRV_NAME),
19774 -static struct ata_port_operations pdc2027x_pata100_ops = {
19775 +static const struct ata_port_operations pdc2027x_pata100_ops = {
19776 .inherits = &ata_bmdma_port_ops,
19777 .check_atapi_dma = pdc2027x_check_atapi_dma,
19778 .cable_detect = pdc2027x_cable_detect,
19779 .prereset = pdc2027x_prereset,
19782 -static struct ata_port_operations pdc2027x_pata133_ops = {
19783 +static const struct ata_port_operations pdc2027x_pata133_ops = {
19784 .inherits = &pdc2027x_pata100_ops,
19785 .mode_filter = pdc2027x_mode_filter,
19786 .set_piomode = pdc2027x_set_piomode,
19787 diff -urNp linux-2.6.33.1/drivers/ata/pata_pdc202xx_old.c linux-2.6.33.1/drivers/ata/pata_pdc202xx_old.c
19788 --- linux-2.6.33.1/drivers/ata/pata_pdc202xx_old.c 2010-03-15 12:09:39.000000000 -0400
19789 +++ linux-2.6.33.1/drivers/ata/pata_pdc202xx_old.c 2010-03-20 16:58:39.308536639 -0400
19790 @@ -265,7 +265,7 @@ static struct scsi_host_template pdc202x
19791 ATA_BMDMA_SHT(DRV_NAME),
19794 -static struct ata_port_operations pdc2024x_port_ops = {
19795 +static const struct ata_port_operations pdc2024x_port_ops = {
19796 .inherits = &ata_bmdma_port_ops,
19798 .cable_detect = ata_cable_40wire,
19799 @@ -273,7 +273,7 @@ static struct ata_port_operations pdc202
19800 .set_dmamode = pdc202xx_set_dmamode,
19803 -static struct ata_port_operations pdc2026x_port_ops = {
19804 +static const struct ata_port_operations pdc2026x_port_ops = {
19805 .inherits = &pdc2024x_port_ops,
19807 .check_atapi_dma = pdc2026x_check_atapi_dma,
19808 diff -urNp linux-2.6.33.1/drivers/ata/pata_piccolo.c linux-2.6.33.1/drivers/ata/pata_piccolo.c
19809 --- linux-2.6.33.1/drivers/ata/pata_piccolo.c 2010-03-15 12:09:39.000000000 -0400
19810 +++ linux-2.6.33.1/drivers/ata/pata_piccolo.c 2010-03-20 16:58:39.308536639 -0400
19811 @@ -67,7 +67,7 @@ static struct scsi_host_template tosh_sh
19812 ATA_BMDMA_SHT(DRV_NAME),
19815 -static struct ata_port_operations tosh_port_ops = {
19816 +static const struct ata_port_operations tosh_port_ops = {
19817 .inherits = &ata_bmdma_port_ops,
19818 .cable_detect = ata_cable_unknown,
19819 .set_piomode = tosh_set_piomode,
19820 diff -urNp linux-2.6.33.1/drivers/ata/pata_platform.c linux-2.6.33.1/drivers/ata/pata_platform.c
19821 --- linux-2.6.33.1/drivers/ata/pata_platform.c 2010-03-15 12:09:39.000000000 -0400
19822 +++ linux-2.6.33.1/drivers/ata/pata_platform.c 2010-03-20 16:58:39.312510954 -0400
19823 @@ -48,7 +48,7 @@ static struct scsi_host_template pata_pl
19824 ATA_PIO_SHT(DRV_NAME),
19827 -static struct ata_port_operations pata_platform_port_ops = {
19828 +static const struct ata_port_operations pata_platform_port_ops = {
19829 .inherits = &ata_sff_port_ops,
19830 .sff_data_xfer = ata_sff_data_xfer_noirq,
19831 .cable_detect = ata_cable_unknown,
19832 diff -urNp linux-2.6.33.1/drivers/ata/pata_qdi.c linux-2.6.33.1/drivers/ata/pata_qdi.c
19833 --- linux-2.6.33.1/drivers/ata/pata_qdi.c 2010-03-15 12:09:39.000000000 -0400
19834 +++ linux-2.6.33.1/drivers/ata/pata_qdi.c 2010-03-20 16:58:39.312510954 -0400
19835 @@ -157,7 +157,7 @@ static struct scsi_host_template qdi_sht
19836 ATA_PIO_SHT(DRV_NAME),
19839 -static struct ata_port_operations qdi6500_port_ops = {
19840 +static const struct ata_port_operations qdi6500_port_ops = {
19841 .inherits = &ata_sff_port_ops,
19842 .qc_issue = qdi_qc_issue,
19843 .sff_data_xfer = qdi_data_xfer,
19844 @@ -165,7 +165,7 @@ static struct ata_port_operations qdi650
19845 .set_piomode = qdi6500_set_piomode,
19848 -static struct ata_port_operations qdi6580_port_ops = {
19849 +static const struct ata_port_operations qdi6580_port_ops = {
19850 .inherits = &qdi6500_port_ops,
19851 .set_piomode = qdi6580_set_piomode,
19853 diff -urNp linux-2.6.33.1/drivers/ata/pata_radisys.c linux-2.6.33.1/drivers/ata/pata_radisys.c
19854 --- linux-2.6.33.1/drivers/ata/pata_radisys.c 2010-03-15 12:09:39.000000000 -0400
19855 +++ linux-2.6.33.1/drivers/ata/pata_radisys.c 2010-03-20 16:58:39.312510954 -0400
19856 @@ -187,7 +187,7 @@ static struct scsi_host_template radisys
19857 ATA_BMDMA_SHT(DRV_NAME),
19860 -static struct ata_port_operations radisys_pata_ops = {
19861 +static const struct ata_port_operations radisys_pata_ops = {
19862 .inherits = &ata_bmdma_port_ops,
19863 .qc_issue = radisys_qc_issue,
19864 .cable_detect = ata_cable_unknown,
19865 diff -urNp linux-2.6.33.1/drivers/ata/pata_rb532_cf.c linux-2.6.33.1/drivers/ata/pata_rb532_cf.c
19866 --- linux-2.6.33.1/drivers/ata/pata_rb532_cf.c 2010-03-15 12:09:39.000000000 -0400
19867 +++ linux-2.6.33.1/drivers/ata/pata_rb532_cf.c 2010-03-20 16:58:39.312510954 -0400
19868 @@ -68,7 +68,7 @@ static irqreturn_t rb532_pata_irq_handle
19869 return IRQ_HANDLED;
19872 -static struct ata_port_operations rb532_pata_port_ops = {
19873 +static const struct ata_port_operations rb532_pata_port_ops = {
19874 .inherits = &ata_sff_port_ops,
19875 .sff_data_xfer = ata_sff_data_xfer32,
19877 diff -urNp linux-2.6.33.1/drivers/ata/pata_rdc.c linux-2.6.33.1/drivers/ata/pata_rdc.c
19878 --- linux-2.6.33.1/drivers/ata/pata_rdc.c 2010-03-15 12:09:39.000000000 -0400
19879 +++ linux-2.6.33.1/drivers/ata/pata_rdc.c 2010-03-20 16:58:39.312510954 -0400
19880 @@ -272,7 +272,7 @@ static void rdc_set_dmamode(struct ata_p
19881 pci_write_config_byte(dev, 0x48, udma_enable);
19884 -static struct ata_port_operations rdc_pata_ops = {
19885 +static const struct ata_port_operations rdc_pata_ops = {
19886 .inherits = &ata_bmdma32_port_ops,
19887 .cable_detect = rdc_pata_cable_detect,
19888 .set_piomode = rdc_set_piomode,
19889 diff -urNp linux-2.6.33.1/drivers/ata/pata_rz1000.c linux-2.6.33.1/drivers/ata/pata_rz1000.c
19890 --- linux-2.6.33.1/drivers/ata/pata_rz1000.c 2010-03-15 12:09:39.000000000 -0400
19891 +++ linux-2.6.33.1/drivers/ata/pata_rz1000.c 2010-03-20 16:58:39.312510954 -0400
19892 @@ -54,7 +54,7 @@ static struct scsi_host_template rz1000_
19893 ATA_PIO_SHT(DRV_NAME),
19896 -static struct ata_port_operations rz1000_port_ops = {
19897 +static const struct ata_port_operations rz1000_port_ops = {
19898 .inherits = &ata_sff_port_ops,
19899 .cable_detect = ata_cable_40wire,
19900 .set_mode = rz1000_set_mode,
19901 diff -urNp linux-2.6.33.1/drivers/ata/pata_sc1200.c linux-2.6.33.1/drivers/ata/pata_sc1200.c
19902 --- linux-2.6.33.1/drivers/ata/pata_sc1200.c 2010-03-15 12:09:39.000000000 -0400
19903 +++ linux-2.6.33.1/drivers/ata/pata_sc1200.c 2010-03-20 16:58:39.312510954 -0400
19904 @@ -207,7 +207,7 @@ static struct scsi_host_template sc1200_
19905 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
19908 -static struct ata_port_operations sc1200_port_ops = {
19909 +static const struct ata_port_operations sc1200_port_ops = {
19910 .inherits = &ata_bmdma_port_ops,
19911 .qc_prep = ata_sff_dumb_qc_prep,
19912 .qc_issue = sc1200_qc_issue,
19913 diff -urNp linux-2.6.33.1/drivers/ata/pata_scc.c linux-2.6.33.1/drivers/ata/pata_scc.c
19914 --- linux-2.6.33.1/drivers/ata/pata_scc.c 2010-03-15 12:09:39.000000000 -0400
19915 +++ linux-2.6.33.1/drivers/ata/pata_scc.c 2010-03-20 16:58:39.316539767 -0400
19916 @@ -965,7 +965,7 @@ static struct scsi_host_template scc_sht
19917 ATA_BMDMA_SHT(DRV_NAME),
19920 -static struct ata_port_operations scc_pata_ops = {
19921 +static const struct ata_port_operations scc_pata_ops = {
19922 .inherits = &ata_bmdma_port_ops,
19924 .set_piomode = scc_set_piomode,
19925 diff -urNp linux-2.6.33.1/drivers/ata/pata_sch.c linux-2.6.33.1/drivers/ata/pata_sch.c
19926 --- linux-2.6.33.1/drivers/ata/pata_sch.c 2010-03-15 12:09:39.000000000 -0400
19927 +++ linux-2.6.33.1/drivers/ata/pata_sch.c 2010-03-20 16:58:39.316539767 -0400
19928 @@ -75,7 +75,7 @@ static struct scsi_host_template sch_sht
19929 ATA_BMDMA_SHT(DRV_NAME),
19932 -static struct ata_port_operations sch_pata_ops = {
19933 +static const struct ata_port_operations sch_pata_ops = {
19934 .inherits = &ata_bmdma_port_ops,
19935 .cable_detect = ata_cable_unknown,
19936 .set_piomode = sch_set_piomode,
19937 diff -urNp linux-2.6.33.1/drivers/ata/pata_serverworks.c linux-2.6.33.1/drivers/ata/pata_serverworks.c
19938 --- linux-2.6.33.1/drivers/ata/pata_serverworks.c 2010-03-15 12:09:39.000000000 -0400
19939 +++ linux-2.6.33.1/drivers/ata/pata_serverworks.c 2010-03-20 16:58:39.316539767 -0400
19940 @@ -299,7 +299,7 @@ static struct scsi_host_template serverw
19941 ATA_BMDMA_SHT(DRV_NAME),
19944 -static struct ata_port_operations serverworks_osb4_port_ops = {
19945 +static const struct ata_port_operations serverworks_osb4_port_ops = {
19946 .inherits = &ata_bmdma_port_ops,
19947 .cable_detect = serverworks_cable_detect,
19948 .mode_filter = serverworks_osb4_filter,
19949 @@ -307,7 +307,7 @@ static struct ata_port_operations server
19950 .set_dmamode = serverworks_set_dmamode,
19953 -static struct ata_port_operations serverworks_csb_port_ops = {
19954 +static const struct ata_port_operations serverworks_csb_port_ops = {
19955 .inherits = &serverworks_osb4_port_ops,
19956 .mode_filter = serverworks_csb_filter,
19958 diff -urNp linux-2.6.33.1/drivers/ata/pata_sil680.c linux-2.6.33.1/drivers/ata/pata_sil680.c
19959 --- linux-2.6.33.1/drivers/ata/pata_sil680.c 2010-03-15 12:09:39.000000000 -0400
19960 +++ linux-2.6.33.1/drivers/ata/pata_sil680.c 2010-03-20 16:58:39.316539767 -0400
19961 @@ -194,7 +194,7 @@ static struct scsi_host_template sil680_
19962 ATA_BMDMA_SHT(DRV_NAME),
19965 -static struct ata_port_operations sil680_port_ops = {
19966 +static const struct ata_port_operations sil680_port_ops = {
19967 .inherits = &ata_bmdma32_port_ops,
19968 .cable_detect = sil680_cable_detect,
19969 .set_piomode = sil680_set_piomode,
19970 diff -urNp linux-2.6.33.1/drivers/ata/pata_sis.c linux-2.6.33.1/drivers/ata/pata_sis.c
19971 --- linux-2.6.33.1/drivers/ata/pata_sis.c 2010-03-15 12:09:39.000000000 -0400
19972 +++ linux-2.6.33.1/drivers/ata/pata_sis.c 2010-03-20 16:58:39.320616216 -0400
19973 @@ -503,47 +503,47 @@ static struct scsi_host_template sis_sht
19974 ATA_BMDMA_SHT(DRV_NAME),
19977 -static struct ata_port_operations sis_133_for_sata_ops = {
19978 +static const struct ata_port_operations sis_133_for_sata_ops = {
19979 .inherits = &ata_bmdma_port_ops,
19980 .set_piomode = sis_133_set_piomode,
19981 .set_dmamode = sis_133_set_dmamode,
19982 .cable_detect = sis_133_cable_detect,
19985 -static struct ata_port_operations sis_base_ops = {
19986 +static const struct ata_port_operations sis_base_ops = {
19987 .inherits = &ata_bmdma_port_ops,
19988 .prereset = sis_pre_reset,
19991 -static struct ata_port_operations sis_133_ops = {
19992 +static const struct ata_port_operations sis_133_ops = {
19993 .inherits = &sis_base_ops,
19994 .set_piomode = sis_133_set_piomode,
19995 .set_dmamode = sis_133_set_dmamode,
19996 .cable_detect = sis_133_cable_detect,
19999 -static struct ata_port_operations sis_133_early_ops = {
20000 +static const struct ata_port_operations sis_133_early_ops = {
20001 .inherits = &sis_base_ops,
20002 .set_piomode = sis_100_set_piomode,
20003 .set_dmamode = sis_133_early_set_dmamode,
20004 .cable_detect = sis_66_cable_detect,
20007 -static struct ata_port_operations sis_100_ops = {
20008 +static const struct ata_port_operations sis_100_ops = {
20009 .inherits = &sis_base_ops,
20010 .set_piomode = sis_100_set_piomode,
20011 .set_dmamode = sis_100_set_dmamode,
20012 .cable_detect = sis_66_cable_detect,
20015 -static struct ata_port_operations sis_66_ops = {
20016 +static const struct ata_port_operations sis_66_ops = {
20017 .inherits = &sis_base_ops,
20018 .set_piomode = sis_old_set_piomode,
20019 .set_dmamode = sis_66_set_dmamode,
20020 .cable_detect = sis_66_cable_detect,
20023 -static struct ata_port_operations sis_old_ops = {
20024 +static const struct ata_port_operations sis_old_ops = {
20025 .inherits = &sis_base_ops,
20026 .set_piomode = sis_old_set_piomode,
20027 .set_dmamode = sis_old_set_dmamode,
20028 diff -urNp linux-2.6.33.1/drivers/ata/pata_sl82c105.c linux-2.6.33.1/drivers/ata/pata_sl82c105.c
20029 --- linux-2.6.33.1/drivers/ata/pata_sl82c105.c 2010-03-15 12:09:39.000000000 -0400
20030 +++ linux-2.6.33.1/drivers/ata/pata_sl82c105.c 2010-03-20 16:58:39.320616216 -0400
20031 @@ -231,7 +231,7 @@ static struct scsi_host_template sl82c10
20032 ATA_BMDMA_SHT(DRV_NAME),
20035 -static struct ata_port_operations sl82c105_port_ops = {
20036 +static const struct ata_port_operations sl82c105_port_ops = {
20037 .inherits = &ata_bmdma_port_ops,
20038 .qc_defer = sl82c105_qc_defer,
20039 .bmdma_start = sl82c105_bmdma_start,
20040 diff -urNp linux-2.6.33.1/drivers/ata/pata_triflex.c linux-2.6.33.1/drivers/ata/pata_triflex.c
20041 --- linux-2.6.33.1/drivers/ata/pata_triflex.c 2010-03-15 12:09:39.000000000 -0400
20042 +++ linux-2.6.33.1/drivers/ata/pata_triflex.c 2010-03-20 16:58:39.320616216 -0400
20043 @@ -178,7 +178,7 @@ static struct scsi_host_template triflex
20044 ATA_BMDMA_SHT(DRV_NAME),
20047 -static struct ata_port_operations triflex_port_ops = {
20048 +static const struct ata_port_operations triflex_port_ops = {
20049 .inherits = &ata_bmdma_port_ops,
20050 .bmdma_start = triflex_bmdma_start,
20051 .bmdma_stop = triflex_bmdma_stop,
20052 diff -urNp linux-2.6.33.1/drivers/ata/pata_via.c linux-2.6.33.1/drivers/ata/pata_via.c
20053 --- linux-2.6.33.1/drivers/ata/pata_via.c 2010-03-15 12:09:39.000000000 -0400
20054 +++ linux-2.6.33.1/drivers/ata/pata_via.c 2010-03-20 16:58:39.320616216 -0400
20055 @@ -452,7 +452,7 @@ static struct scsi_host_template via_sht
20056 ATA_BMDMA_SHT(DRV_NAME),
20059 -static struct ata_port_operations via_port_ops = {
20060 +static const struct ata_port_operations via_port_ops = {
20061 .inherits = &ata_bmdma_port_ops,
20062 .cable_detect = via_cable_detect,
20063 .set_piomode = via_set_piomode,
20064 @@ -463,7 +463,7 @@ static struct ata_port_operations via_po
20065 .mode_filter = via_mode_filter,
20068 -static struct ata_port_operations via_port_ops_noirq = {
20069 +static const struct ata_port_operations via_port_ops_noirq = {
20070 .inherits = &via_port_ops,
20071 .sff_data_xfer = ata_sff_data_xfer_noirq,
20073 diff -urNp linux-2.6.33.1/drivers/ata/pata_winbond.c linux-2.6.33.1/drivers/ata/pata_winbond.c
20074 --- linux-2.6.33.1/drivers/ata/pata_winbond.c 2010-03-15 12:09:39.000000000 -0400
20075 +++ linux-2.6.33.1/drivers/ata/pata_winbond.c 2010-03-20 16:58:39.346062317 -0400
20076 @@ -125,7 +125,7 @@ static struct scsi_host_template winbond
20077 ATA_PIO_SHT(DRV_NAME),
20080 -static struct ata_port_operations winbond_port_ops = {
20081 +static const struct ata_port_operations winbond_port_ops = {
20082 .inherits = &ata_sff_port_ops,
20083 .sff_data_xfer = winbond_data_xfer,
20084 .cable_detect = ata_cable_40wire,
20085 diff -urNp linux-2.6.33.1/drivers/ata/pdc_adma.c linux-2.6.33.1/drivers/ata/pdc_adma.c
20086 --- linux-2.6.33.1/drivers/ata/pdc_adma.c 2010-03-15 12:09:39.000000000 -0400
20087 +++ linux-2.6.33.1/drivers/ata/pdc_adma.c 2010-03-20 16:58:39.348522755 -0400
20088 @@ -145,7 +145,7 @@ static struct scsi_host_template adma_at
20089 .dma_boundary = ADMA_DMA_BOUNDARY,
20092 -static struct ata_port_operations adma_ata_ops = {
20093 +static const struct ata_port_operations adma_ata_ops = {
20094 .inherits = &ata_sff_port_ops,
20096 .lost_interrupt = ATA_OP_NULL,
20097 diff -urNp linux-2.6.33.1/drivers/ata/sata_fsl.c linux-2.6.33.1/drivers/ata/sata_fsl.c
20098 --- linux-2.6.33.1/drivers/ata/sata_fsl.c 2010-03-15 12:09:39.000000000 -0400
20099 +++ linux-2.6.33.1/drivers/ata/sata_fsl.c 2010-03-20 16:58:39.348522755 -0400
20100 @@ -1260,7 +1260,7 @@ static struct scsi_host_template sata_fs
20101 .dma_boundary = ATA_DMA_BOUNDARY,
20104 -static struct ata_port_operations sata_fsl_ops = {
20105 +static const struct ata_port_operations sata_fsl_ops = {
20106 .inherits = &sata_pmp_port_ops,
20108 .qc_defer = ata_std_qc_defer,
20109 diff -urNp linux-2.6.33.1/drivers/ata/sata_inic162x.c linux-2.6.33.1/drivers/ata/sata_inic162x.c
20110 --- linux-2.6.33.1/drivers/ata/sata_inic162x.c 2010-03-15 12:09:39.000000000 -0400
20111 +++ linux-2.6.33.1/drivers/ata/sata_inic162x.c 2010-03-20 16:58:39.348522755 -0400
20112 @@ -721,7 +721,7 @@ static int inic_port_start(struct ata_po
20116 -static struct ata_port_operations inic_port_ops = {
20117 +static const struct ata_port_operations inic_port_ops = {
20118 .inherits = &sata_port_ops,
20120 .check_atapi_dma = inic_check_atapi_dma,
20121 diff -urNp linux-2.6.33.1/drivers/ata/sata_mv.c linux-2.6.33.1/drivers/ata/sata_mv.c
20122 --- linux-2.6.33.1/drivers/ata/sata_mv.c 2010-03-15 12:09:39.000000000 -0400
20123 +++ linux-2.6.33.1/drivers/ata/sata_mv.c 2010-03-20 16:58:39.352614445 -0400
20124 @@ -662,7 +662,7 @@ static struct scsi_host_template mv6_sht
20125 .dma_boundary = MV_DMA_BOUNDARY,
20128 -static struct ata_port_operations mv5_ops = {
20129 +static const struct ata_port_operations mv5_ops = {
20130 .inherits = &ata_sff_port_ops,
20132 .lost_interrupt = ATA_OP_NULL,
20133 @@ -684,7 +684,7 @@ static struct ata_port_operations mv5_op
20134 .port_stop = mv_port_stop,
20137 -static struct ata_port_operations mv6_ops = {
20138 +static const struct ata_port_operations mv6_ops = {
20139 .inherits = &mv5_ops,
20140 .dev_config = mv6_dev_config,
20141 .scr_read = mv_scr_read,
20142 @@ -704,7 +704,7 @@ static struct ata_port_operations mv6_op
20143 .bmdma_status = mv_bmdma_status,
20146 -static struct ata_port_operations mv_iie_ops = {
20147 +static const struct ata_port_operations mv_iie_ops = {
20148 .inherits = &mv6_ops,
20149 .dev_config = ATA_OP_NULL,
20150 .qc_prep = mv_qc_prep_iie,
20151 diff -urNp linux-2.6.33.1/drivers/ata/sata_nv.c linux-2.6.33.1/drivers/ata/sata_nv.c
20152 --- linux-2.6.33.1/drivers/ata/sata_nv.c 2010-03-15 12:09:39.000000000 -0400
20153 +++ linux-2.6.33.1/drivers/ata/sata_nv.c 2010-03-20 16:58:39.352614445 -0400
20154 @@ -464,7 +464,7 @@ static struct scsi_host_template nv_swnc
20155 * cases. Define nv_hardreset() which only kicks in for post-boot
20156 * probing and use it for all variants.
20158 -static struct ata_port_operations nv_generic_ops = {
20159 +static const struct ata_port_operations nv_generic_ops = {
20160 .inherits = &ata_bmdma_port_ops,
20161 .lost_interrupt = ATA_OP_NULL,
20162 .scr_read = nv_scr_read,
20163 @@ -472,20 +472,20 @@ static struct ata_port_operations nv_gen
20164 .hardreset = nv_hardreset,
20167 -static struct ata_port_operations nv_nf2_ops = {
20168 +static const struct ata_port_operations nv_nf2_ops = {
20169 .inherits = &nv_generic_ops,
20170 .freeze = nv_nf2_freeze,
20171 .thaw = nv_nf2_thaw,
20174 -static struct ata_port_operations nv_ck804_ops = {
20175 +static const struct ata_port_operations nv_ck804_ops = {
20176 .inherits = &nv_generic_ops,
20177 .freeze = nv_ck804_freeze,
20178 .thaw = nv_ck804_thaw,
20179 .host_stop = nv_ck804_host_stop,
20182 -static struct ata_port_operations nv_adma_ops = {
20183 +static const struct ata_port_operations nv_adma_ops = {
20184 .inherits = &nv_ck804_ops,
20186 .check_atapi_dma = nv_adma_check_atapi_dma,
20187 @@ -509,7 +509,7 @@ static struct ata_port_operations nv_adm
20188 .host_stop = nv_adma_host_stop,
20191 -static struct ata_port_operations nv_swncq_ops = {
20192 +static const struct ata_port_operations nv_swncq_ops = {
20193 .inherits = &nv_generic_ops,
20195 .qc_defer = ata_std_qc_defer,
20196 diff -urNp linux-2.6.33.1/drivers/ata/sata_promise.c linux-2.6.33.1/drivers/ata/sata_promise.c
20197 --- linux-2.6.33.1/drivers/ata/sata_promise.c 2010-03-15 12:09:39.000000000 -0400
20198 +++ linux-2.6.33.1/drivers/ata/sata_promise.c 2010-03-20 16:58:39.352614445 -0400
20199 @@ -195,7 +195,7 @@ static const struct ata_port_operations
20200 .error_handler = pdc_error_handler,
20203 -static struct ata_port_operations pdc_sata_ops = {
20204 +static const struct ata_port_operations pdc_sata_ops = {
20205 .inherits = &pdc_common_ops,
20206 .cable_detect = pdc_sata_cable_detect,
20207 .freeze = pdc_sata_freeze,
20208 @@ -208,14 +208,14 @@ static struct ata_port_operations pdc_sa
20210 /* First-generation chips need a more restrictive ->check_atapi_dma op,
20211 and ->freeze/thaw that ignore the hotplug controls. */
20212 -static struct ata_port_operations pdc_old_sata_ops = {
20213 +static const struct ata_port_operations pdc_old_sata_ops = {
20214 .inherits = &pdc_sata_ops,
20215 .freeze = pdc_freeze,
20217 .check_atapi_dma = pdc_old_sata_check_atapi_dma,
20220 -static struct ata_port_operations pdc_pata_ops = {
20221 +static const struct ata_port_operations pdc_pata_ops = {
20222 .inherits = &pdc_common_ops,
20223 .cable_detect = pdc_pata_cable_detect,
20224 .freeze = pdc_freeze,
20225 diff -urNp linux-2.6.33.1/drivers/ata/sata_qstor.c linux-2.6.33.1/drivers/ata/sata_qstor.c
20226 --- linux-2.6.33.1/drivers/ata/sata_qstor.c 2010-03-15 12:09:39.000000000 -0400
20227 +++ linux-2.6.33.1/drivers/ata/sata_qstor.c 2010-03-20 16:58:39.356512831 -0400
20228 @@ -132,7 +132,7 @@ static struct scsi_host_template qs_ata_
20229 .dma_boundary = QS_DMA_BOUNDARY,
20232 -static struct ata_port_operations qs_ata_ops = {
20233 +static const struct ata_port_operations qs_ata_ops = {
20234 .inherits = &ata_sff_port_ops,
20236 .check_atapi_dma = qs_check_atapi_dma,
20237 diff -urNp linux-2.6.33.1/drivers/ata/sata_sil24.c linux-2.6.33.1/drivers/ata/sata_sil24.c
20238 --- linux-2.6.33.1/drivers/ata/sata_sil24.c 2010-03-15 12:09:39.000000000 -0400
20239 +++ linux-2.6.33.1/drivers/ata/sata_sil24.c 2010-03-20 16:58:39.364799637 -0400
20240 @@ -388,7 +388,7 @@ static struct scsi_host_template sil24_s
20241 .dma_boundary = ATA_DMA_BOUNDARY,
20244 -static struct ata_port_operations sil24_ops = {
20245 +static const struct ata_port_operations sil24_ops = {
20246 .inherits = &sata_pmp_port_ops,
20248 .qc_defer = sil24_qc_defer,
20249 diff -urNp linux-2.6.33.1/drivers/ata/sata_sil.c linux-2.6.33.1/drivers/ata/sata_sil.c
20250 --- linux-2.6.33.1/drivers/ata/sata_sil.c 2010-03-15 12:09:39.000000000 -0400
20251 +++ linux-2.6.33.1/drivers/ata/sata_sil.c 2010-03-20 16:58:39.368722008 -0400
20252 @@ -182,7 +182,7 @@ static struct scsi_host_template sil_sht
20253 .sg_tablesize = ATA_MAX_PRD
20256 -static struct ata_port_operations sil_ops = {
20257 +static const struct ata_port_operations sil_ops = {
20258 .inherits = &ata_bmdma32_port_ops,
20259 .dev_config = sil_dev_config,
20260 .set_mode = sil_set_mode,
20261 diff -urNp linux-2.6.33.1/drivers/ata/sata_sis.c linux-2.6.33.1/drivers/ata/sata_sis.c
20262 --- linux-2.6.33.1/drivers/ata/sata_sis.c 2010-03-15 12:09:39.000000000 -0400
20263 +++ linux-2.6.33.1/drivers/ata/sata_sis.c 2010-03-20 16:58:39.368722008 -0400
20264 @@ -89,7 +89,7 @@ static struct scsi_host_template sis_sht
20265 ATA_BMDMA_SHT(DRV_NAME),
20268 -static struct ata_port_operations sis_ops = {
20269 +static const struct ata_port_operations sis_ops = {
20270 .inherits = &ata_bmdma_port_ops,
20271 .scr_read = sis_scr_read,
20272 .scr_write = sis_scr_write,
20273 diff -urNp linux-2.6.33.1/drivers/ata/sata_svw.c linux-2.6.33.1/drivers/ata/sata_svw.c
20274 --- linux-2.6.33.1/drivers/ata/sata_svw.c 2010-03-15 12:09:39.000000000 -0400
20275 +++ linux-2.6.33.1/drivers/ata/sata_svw.c 2010-03-20 16:58:39.368722008 -0400
20276 @@ -344,7 +344,7 @@ static struct scsi_host_template k2_sata
20280 -static struct ata_port_operations k2_sata_ops = {
20281 +static const struct ata_port_operations k2_sata_ops = {
20282 .inherits = &ata_bmdma_port_ops,
20283 .sff_tf_load = k2_sata_tf_load,
20284 .sff_tf_read = k2_sata_tf_read,
20285 diff -urNp linux-2.6.33.1/drivers/ata/sata_sx4.c linux-2.6.33.1/drivers/ata/sata_sx4.c
20286 --- linux-2.6.33.1/drivers/ata/sata_sx4.c 2010-03-15 12:09:39.000000000 -0400
20287 +++ linux-2.6.33.1/drivers/ata/sata_sx4.c 2010-03-20 16:58:39.368722008 -0400
20288 @@ -248,7 +248,7 @@ static struct scsi_host_template pdc_sat
20291 /* TODO: inherit from base port_ops after converting to new EH */
20292 -static struct ata_port_operations pdc_20621_ops = {
20293 +static const struct ata_port_operations pdc_20621_ops = {
20294 .inherits = &ata_sff_port_ops,
20296 .check_atapi_dma = pdc_check_atapi_dma,
20297 diff -urNp linux-2.6.33.1/drivers/ata/sata_uli.c linux-2.6.33.1/drivers/ata/sata_uli.c
20298 --- linux-2.6.33.1/drivers/ata/sata_uli.c 2010-03-15 12:09:39.000000000 -0400
20299 +++ linux-2.6.33.1/drivers/ata/sata_uli.c 2010-03-20 16:58:39.372783452 -0400
20300 @@ -79,7 +79,7 @@ static struct scsi_host_template uli_sht
20301 ATA_BMDMA_SHT(DRV_NAME),
20304 -static struct ata_port_operations uli_ops = {
20305 +static const struct ata_port_operations uli_ops = {
20306 .inherits = &ata_bmdma_port_ops,
20307 .scr_read = uli_scr_read,
20308 .scr_write = uli_scr_write,
20309 diff -urNp linux-2.6.33.1/drivers/ata/sata_via.c linux-2.6.33.1/drivers/ata/sata_via.c
20310 --- linux-2.6.33.1/drivers/ata/sata_via.c 2010-03-15 12:09:39.000000000 -0400
20311 +++ linux-2.6.33.1/drivers/ata/sata_via.c 2010-03-20 16:58:39.372783452 -0400
20312 @@ -112,31 +112,31 @@ static struct scsi_host_template svia_sh
20313 ATA_BMDMA_SHT(DRV_NAME),
20316 -static struct ata_port_operations svia_base_ops = {
20317 +static const struct ata_port_operations svia_base_ops = {
20318 .inherits = &ata_bmdma_port_ops,
20319 .sff_tf_load = svia_tf_load,
20322 -static struct ata_port_operations vt6420_sata_ops = {
20323 +static const struct ata_port_operations vt6420_sata_ops = {
20324 .inherits = &svia_base_ops,
20325 .freeze = svia_noop_freeze,
20326 .prereset = vt6420_prereset,
20329 -static struct ata_port_operations vt6421_pata_ops = {
20330 +static const struct ata_port_operations vt6421_pata_ops = {
20331 .inherits = &svia_base_ops,
20332 .cable_detect = vt6421_pata_cable_detect,
20333 .set_piomode = vt6421_set_pio_mode,
20334 .set_dmamode = vt6421_set_dma_mode,
20337 -static struct ata_port_operations vt6421_sata_ops = {
20338 +static const struct ata_port_operations vt6421_sata_ops = {
20339 .inherits = &svia_base_ops,
20340 .scr_read = svia_scr_read,
20341 .scr_write = svia_scr_write,
20344 -static struct ata_port_operations vt8251_ops = {
20345 +static const struct ata_port_operations vt8251_ops = {
20346 .inherits = &svia_base_ops,
20347 .hardreset = sata_std_hardreset,
20348 .scr_read = vt8251_scr_read,
20349 diff -urNp linux-2.6.33.1/drivers/ata/sata_vsc.c linux-2.6.33.1/drivers/ata/sata_vsc.c
20350 --- linux-2.6.33.1/drivers/ata/sata_vsc.c 2010-03-15 12:09:39.000000000 -0400
20351 +++ linux-2.6.33.1/drivers/ata/sata_vsc.c 2010-03-20 16:58:39.372783452 -0400
20352 @@ -306,7 +306,7 @@ static struct scsi_host_template vsc_sat
20356 -static struct ata_port_operations vsc_sata_ops = {
20357 +static const struct ata_port_operations vsc_sata_ops = {
20358 .inherits = &ata_bmdma_port_ops,
20359 /* The IRQ handling is not quite standard SFF behaviour so we
20360 cannot use the default lost interrupt handler */
20361 diff -urNp linux-2.6.33.1/drivers/atm/adummy.c linux-2.6.33.1/drivers/atm/adummy.c
20362 --- linux-2.6.33.1/drivers/atm/adummy.c 2010-03-15 12:09:39.000000000 -0400
20363 +++ linux-2.6.33.1/drivers/atm/adummy.c 2010-03-20 16:58:39.380807655 -0400
20364 @@ -77,7 +77,7 @@ adummy_send(struct atm_vcc *vcc, struct
20365 vcc->pop(vcc, skb);
20367 dev_kfree_skb_any(skb);
20368 - atomic_inc(&vcc->stats->tx);
20369 + atomic_inc_unchecked(&vcc->stats->tx);
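Review bot: The switch to `atomic_inc_unchecked()` on `vcc->stats->tx` is not explained at the call site, and it is an exemption a later reader needs justified: the `_unchecked` accessors appear to be the variants that skip this patch's atomic overflow detection. That is reasonable for a traffic statistic, where wrap-around costs only accounting accuracy and cannot free or reuse an object, but it relies on the `stats` fields being declared with the matching unchecked type in a header outside this hunk. I would add `/* statistics only: may wrap, never used as a reference count */` next to the field declaration and keep the checked API for anything that tracks object lifetime or memory charge. The same conversion repeats in the ambassador, atmtcp, eni, firestream, fore200e, he, horizon, idt77252, iphase, lanai and nicstar hunks that follow; adummy_send's body continues outside the hunk.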
20373 diff -urNp linux-2.6.33.1/drivers/atm/ambassador.c linux-2.6.33.1/drivers/atm/ambassador.c
20374 --- linux-2.6.33.1/drivers/atm/ambassador.c 2010-03-15 12:09:39.000000000 -0400
20375 +++ linux-2.6.33.1/drivers/atm/ambassador.c 2010-03-20 16:58:39.414343197 -0400
20376 @@ -453,7 +453,7 @@ static void tx_complete (amb_dev * dev,
20377 PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx);
20380 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
20381 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
20383 // free the descriptor
20385 @@ -494,7 +494,7 @@ static void rx_complete (amb_dev * dev,
20386 dump_skb ("<<<", vc, skb);
20389 - atomic_inc(&atm_vcc->stats->rx);
20390 + atomic_inc_unchecked(&atm_vcc->stats->rx);
20391 __net_timestamp(skb);
20392 // end of our responsability
20393 atm_vcc->push (atm_vcc, skb);
20394 @@ -509,7 +509,7 @@ static void rx_complete (amb_dev * dev,
20396 PRINTK (KERN_INFO, "dropped over-size frame");
20397 // should we count this?
20398 - atomic_inc(&atm_vcc->stats->rx_drop);
20399 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
20403 @@ -1341,7 +1341,7 @@ static int amb_send (struct atm_vcc * at
20406 if (check_area (skb->data, skb->len)) {
20407 - atomic_inc(&atm_vcc->stats->tx_err);
20408 + atomic_inc_unchecked(&atm_vcc->stats->tx_err);
20409 return -ENOMEM; // ?
20412 diff -urNp linux-2.6.33.1/drivers/atm/atmtcp.c linux-2.6.33.1/drivers/atm/atmtcp.c
20413 --- linux-2.6.33.1/drivers/atm/atmtcp.c 2010-03-15 12:09:39.000000000 -0400
20414 +++ linux-2.6.33.1/drivers/atm/atmtcp.c 2010-03-20 16:58:39.414343197 -0400
20415 @@ -206,7 +206,7 @@ static int atmtcp_v_send(struct atm_vcc
20416 if (vcc->pop) vcc->pop(vcc,skb);
20417 else dev_kfree_skb(skb);
20418 if (dev_data) return 0;
20419 - atomic_inc(&vcc->stats->tx_err);
20420 + atomic_inc_unchecked(&vcc->stats->tx_err);
20423 size = skb->len+sizeof(struct atmtcp_hdr);
20424 @@ -214,7 +214,7 @@ static int atmtcp_v_send(struct atm_vcc
20426 if (vcc->pop) vcc->pop(vcc,skb);
20427 else dev_kfree_skb(skb);
20428 - atomic_inc(&vcc->stats->tx_err);
20429 + atomic_inc_unchecked(&vcc->stats->tx_err);
20432 hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr));
20433 @@ -225,8 +225,8 @@ static int atmtcp_v_send(struct atm_vcc
20434 if (vcc->pop) vcc->pop(vcc,skb);
20435 else dev_kfree_skb(skb);
20436 out_vcc->push(out_vcc,new_skb);
20437 - atomic_inc(&vcc->stats->tx);
20438 - atomic_inc(&out_vcc->stats->rx);
20439 + atomic_inc_unchecked(&vcc->stats->tx);
20440 + atomic_inc_unchecked(&out_vcc->stats->rx);
20444 @@ -300,7 +300,7 @@ static int atmtcp_c_send(struct atm_vcc
20445 out_vcc = find_vcc(dev, ntohs(hdr->vpi), ntohs(hdr->vci));
20446 read_unlock(&vcc_sklist_lock);
20448 - atomic_inc(&vcc->stats->tx_err);
20449 + atomic_inc_unchecked(&vcc->stats->tx_err);
20452 skb_pull(skb,sizeof(struct atmtcp_hdr));
20453 @@ -312,8 +312,8 @@ static int atmtcp_c_send(struct atm_vcc
20454 __net_timestamp(new_skb);
20455 skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len);
20456 out_vcc->push(out_vcc,new_skb);
20457 - atomic_inc(&vcc->stats->tx);
20458 - atomic_inc(&out_vcc->stats->rx);
20459 + atomic_inc_unchecked(&vcc->stats->tx);
20460 + atomic_inc_unchecked(&out_vcc->stats->rx);
20462 if (vcc->pop) vcc->pop(vcc,skb);
20463 else dev_kfree_skb(skb);
20464 diff -urNp linux-2.6.33.1/drivers/atm/eni.c linux-2.6.33.1/drivers/atm/eni.c
20465 --- linux-2.6.33.1/drivers/atm/eni.c 2010-03-15 12:09:39.000000000 -0400
20466 +++ linux-2.6.33.1/drivers/atm/eni.c 2010-03-20 16:58:39.441488287 -0400
20467 @@ -525,7 +525,7 @@ static int rx_aal0(struct atm_vcc *vcc)
20468 DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n",
20471 - atomic_inc(&vcc->stats->rx_err);
20472 + atomic_inc_unchecked(&vcc->stats->rx_err);
20475 length = ATM_CELL_SIZE-1; /* no HEC */
20476 @@ -580,7 +580,7 @@ static int rx_aal5(struct atm_vcc *vcc)
20480 - atomic_inc(&vcc->stats->rx_err);
20481 + atomic_inc_unchecked(&vcc->stats->rx_err);
20484 size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2);
20485 @@ -597,7 +597,7 @@ static int rx_aal5(struct atm_vcc *vcc)
20486 "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n",
20487 vcc->dev->number,vcc->vci,length,size << 2,descr);
20489 - atomic_inc(&vcc->stats->rx_err);
20490 + atomic_inc_unchecked(&vcc->stats->rx_err);
20493 skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL;
20494 @@ -770,7 +770,7 @@ rx_dequeued++;
20495 vcc->push(vcc,skb);
20498 - atomic_inc(&vcc->stats->rx);
20499 + atomic_inc_unchecked(&vcc->stats->rx);
20501 wake_up(&eni_dev->rx_wait);
20503 @@ -1227,7 +1227,7 @@ static void dequeue_tx(struct atm_dev *d
20505 if (vcc->pop) vcc->pop(vcc,skb);
20506 else dev_kfree_skb_irq(skb);
20507 - atomic_inc(&vcc->stats->tx);
20508 + atomic_inc_unchecked(&vcc->stats->tx);
20509 wake_up(&eni_dev->tx_wait);
20512 diff -urNp linux-2.6.33.1/drivers/atm/firestream.c linux-2.6.33.1/drivers/atm/firestream.c
20513 --- linux-2.6.33.1/drivers/atm/firestream.c 2010-03-15 12:09:39.000000000 -0400
20514 +++ linux-2.6.33.1/drivers/atm/firestream.c 2010-03-20 16:58:39.441488287 -0400
20515 @@ -748,7 +748,7 @@ static void process_txdone_queue (struct
20519 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
20520 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
20522 fs_dprintk (FS_DEBUG_TXMEM, "i");
20523 fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb);
20524 @@ -815,7 +815,7 @@ static void process_incoming (struct fs_
20526 skb_put (skb, qe->p1 & 0xffff);
20527 ATM_SKB(skb)->vcc = atm_vcc;
20528 - atomic_inc(&atm_vcc->stats->rx);
20529 + atomic_inc_unchecked(&atm_vcc->stats->rx);
20530 __net_timestamp(skb);
20531 fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb);
20532 atm_vcc->push (atm_vcc, skb);
20533 @@ -836,12 +836,12 @@ static void process_incoming (struct fs_
20537 - atomic_inc(&atm_vcc->stats->rx_drop);
20538 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
20540 case 0x1f: /* Reassembly abort: no buffers. */
20541 /* Silently increment error counter. */
20543 - atomic_inc(&atm_vcc->stats->rx_drop);
20544 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
20546 default: /* Hmm. Haven't written the code to handle the others yet... -- REW */
20547 printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n",
20548 diff -urNp linux-2.6.33.1/drivers/atm/fore200e.c linux-2.6.33.1/drivers/atm/fore200e.c
20549 --- linux-2.6.33.1/drivers/atm/fore200e.c 2010-03-15 12:09:39.000000000 -0400
20550 +++ linux-2.6.33.1/drivers/atm/fore200e.c 2010-03-20 16:58:39.457804294 -0400
20551 @@ -931,9 +931,9 @@ fore200e_tx_irq(struct fore200e* fore200
20553 /* check error condition */
20554 if (*entry->status & STATUS_ERROR)
20555 - atomic_inc(&vcc->stats->tx_err);
20556 + atomic_inc_unchecked(&vcc->stats->tx_err);
20558 - atomic_inc(&vcc->stats->tx);
20559 + atomic_inc_unchecked(&vcc->stats->tx);
20563 @@ -1082,7 +1082,7 @@ fore200e_push_rpd(struct fore200e* fore2
20565 DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len);
20567 - atomic_inc(&vcc->stats->rx_drop);
20568 + atomic_inc_unchecked(&vcc->stats->rx_drop);
20572 @@ -1125,14 +1125,14 @@ fore200e_push_rpd(struct fore200e* fore2
20574 dev_kfree_skb_any(skb);
20576 - atomic_inc(&vcc->stats->rx_drop);
20577 + atomic_inc_unchecked(&vcc->stats->rx_drop);
20581 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
20583 vcc->push(vcc, skb);
20584 - atomic_inc(&vcc->stats->rx);
20585 + atomic_inc_unchecked(&vcc->stats->rx);
20587 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
20589 @@ -1210,7 +1210,7 @@ fore200e_rx_irq(struct fore200e* fore200
20590 DPRINTK(2, "damaged PDU on %d.%d.%d\n",
20591 fore200e->atm_dev->number,
20592 entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci);
20593 - atomic_inc(&vcc->stats->rx_err);
20594 + atomic_inc_unchecked(&vcc->stats->rx_err);
20598 @@ -1655,7 +1655,7 @@ fore200e_send(struct atm_vcc *vcc, struc
20602 - atomic_inc(&vcc->stats->tx_err);
20603 + atomic_inc_unchecked(&vcc->stats->tx_err);
20605 fore200e->tx_sat++;
20606 DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n",
20607 diff -urNp linux-2.6.33.1/drivers/atm/he.c linux-2.6.33.1/drivers/atm/he.c
20608 --- linux-2.6.33.1/drivers/atm/he.c 2010-03-15 12:09:39.000000000 -0400
20609 +++ linux-2.6.33.1/drivers/atm/he.c 2010-03-20 16:58:39.488806819 -0400
20610 @@ -1769,7 +1769,7 @@ he_service_rbrq(struct he_dev *he_dev, i
20612 if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) {
20613 hprintk("HBUF_ERR! (cid 0x%x)\n", cid);
20614 - atomic_inc(&vcc->stats->rx_drop);
20615 + atomic_inc_unchecked(&vcc->stats->rx_drop);
20616 goto return_host_buffers;
20619 @@ -1802,7 +1802,7 @@ he_service_rbrq(struct he_dev *he_dev, i
20620 RBRQ_LEN_ERR(he_dev->rbrq_head)
20622 vcc->vpi, vcc->vci);
20623 - atomic_inc(&vcc->stats->rx_err);
20624 + atomic_inc_unchecked(&vcc->stats->rx_err);
20625 goto return_host_buffers;
20628 @@ -1861,7 +1861,7 @@ he_service_rbrq(struct he_dev *he_dev, i
20629 vcc->push(vcc, skb);
20630 spin_lock(&he_dev->global_lock);
20632 - atomic_inc(&vcc->stats->rx);
20633 + atomic_inc_unchecked(&vcc->stats->rx);
20635 return_host_buffers:
20637 @@ -2206,7 +2206,7 @@ __enqueue_tpd(struct he_dev *he_dev, str
20638 tpd->vcc->pop(tpd->vcc, tpd->skb);
20640 dev_kfree_skb_any(tpd->skb);
20641 - atomic_inc(&tpd->vcc->stats->tx_err);
20642 + atomic_inc_unchecked(&tpd->vcc->stats->tx_err);
20644 pci_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status));
20646 @@ -2618,7 +2618,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
20647 vcc->pop(vcc, skb);
20649 dev_kfree_skb_any(skb);
20650 - atomic_inc(&vcc->stats->tx_err);
20651 + atomic_inc_unchecked(&vcc->stats->tx_err);
20655 @@ -2629,7 +2629,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
20656 vcc->pop(vcc, skb);
20658 dev_kfree_skb_any(skb);
20659 - atomic_inc(&vcc->stats->tx_err);
20660 + atomic_inc_unchecked(&vcc->stats->tx_err);
20664 @@ -2641,7 +2641,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
20665 vcc->pop(vcc, skb);
20667 dev_kfree_skb_any(skb);
20668 - atomic_inc(&vcc->stats->tx_err);
20669 + atomic_inc_unchecked(&vcc->stats->tx_err);
20670 spin_unlock_irqrestore(&he_dev->global_lock, flags);
20673 @@ -2683,7 +2683,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
20674 vcc->pop(vcc, skb);
20676 dev_kfree_skb_any(skb);
20677 - atomic_inc(&vcc->stats->tx_err);
20678 + atomic_inc_unchecked(&vcc->stats->tx_err);
20679 spin_unlock_irqrestore(&he_dev->global_lock, flags);
20682 @@ -2714,7 +2714,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
20683 __enqueue_tpd(he_dev, tpd, cid);
20684 spin_unlock_irqrestore(&he_dev->global_lock, flags);
20686 - atomic_inc(&vcc->stats->tx);
20687 + atomic_inc_unchecked(&vcc->stats->tx);
20691 diff -urNp linux-2.6.33.1/drivers/atm/horizon.c linux-2.6.33.1/drivers/atm/horizon.c
20692 --- linux-2.6.33.1/drivers/atm/horizon.c 2010-03-15 12:09:39.000000000 -0400
20693 +++ linux-2.6.33.1/drivers/atm/horizon.c 2010-03-20 16:58:39.496821217 -0400
20694 @@ -1033,7 +1033,7 @@ static void rx_schedule (hrz_dev * dev,
20696 struct atm_vcc * vcc = ATM_SKB(skb)->vcc;
20698 - atomic_inc(&vcc->stats->rx);
20699 + atomic_inc_unchecked(&vcc->stats->rx);
20700 __net_timestamp(skb);
20701 // end of our responsability
20702 vcc->push (vcc, skb);
20703 @@ -1185,7 +1185,7 @@ static void tx_schedule (hrz_dev * const
20704 dev->tx_iovec = NULL;
20707 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
20708 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
20711 hrz_kfree_skb (skb);
20712 diff -urNp linux-2.6.33.1/drivers/atm/idt77252.c linux-2.6.33.1/drivers/atm/idt77252.c
20713 --- linux-2.6.33.1/drivers/atm/idt77252.c 2010-03-15 12:09:39.000000000 -0400
20714 +++ linux-2.6.33.1/drivers/atm/idt77252.c 2010-03-20 16:58:39.496821217 -0400
20715 @@ -810,7 +810,7 @@ drain_scq(struct idt77252_dev *card, str
20717 dev_kfree_skb(skb);
20719 - atomic_inc(&vcc->stats->tx);
20720 + atomic_inc_unchecked(&vcc->stats->tx);
20723 atomic_dec(&scq->used);
20724 @@ -1073,13 +1073,13 @@ dequeue_rx(struct idt77252_dev *card, st
20725 if ((sb = dev_alloc_skb(64)) == NULL) {
20726 printk("%s: Can't allocate buffers for aal0.\n",
20728 - atomic_add(i, &vcc->stats->rx_drop);
20729 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
20732 if (!atm_charge(vcc, sb->truesize)) {
20733 RXPRINTK("%s: atm_charge() dropped aal0 packets.\n",
20735 - atomic_add(i - 1, &vcc->stats->rx_drop);
20736 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);
20740 @@ -1096,7 +1096,7 @@ dequeue_rx(struct idt77252_dev *card, st
20741 ATM_SKB(sb)->vcc = vcc;
20742 __net_timestamp(sb);
20743 vcc->push(vcc, sb);
20744 - atomic_inc(&vcc->stats->rx);
20745 + atomic_inc_unchecked(&vcc->stats->rx);
20747 cell += ATM_CELL_PAYLOAD;
20749 @@ -1133,13 +1133,13 @@ dequeue_rx(struct idt77252_dev *card, st
20751 card->name, len, rpp->len, readl(SAR_REG_CDC));
20752 recycle_rx_pool_skb(card, rpp);
20753 - atomic_inc(&vcc->stats->rx_err);
20754 + atomic_inc_unchecked(&vcc->stats->rx_err);
20757 if (stat & SAR_RSQE_CRC) {
20758 RXPRINTK("%s: AAL5 CRC error.\n", card->name);
20759 recycle_rx_pool_skb(card, rpp);
20760 - atomic_inc(&vcc->stats->rx_err);
20761 + atomic_inc_unchecked(&vcc->stats->rx_err);
20764 if (skb_queue_len(&rpp->queue) > 1) {
20765 @@ -1150,7 +1150,7 @@ dequeue_rx(struct idt77252_dev *card, st
20766 RXPRINTK("%s: Can't alloc RX skb.\n",
20768 recycle_rx_pool_skb(card, rpp);
20769 - atomic_inc(&vcc->stats->rx_err);
20770 + atomic_inc_unchecked(&vcc->stats->rx_err);
20773 if (!atm_charge(vcc, skb->truesize)) {
20774 @@ -1169,7 +1169,7 @@ dequeue_rx(struct idt77252_dev *card, st
20775 __net_timestamp(skb);
20777 vcc->push(vcc, skb);
20778 - atomic_inc(&vcc->stats->rx);
20779 + atomic_inc_unchecked(&vcc->stats->rx);
20783 @@ -1191,7 +1191,7 @@ dequeue_rx(struct idt77252_dev *card, st
20784 __net_timestamp(skb);
20786 vcc->push(vcc, skb);
20787 - atomic_inc(&vcc->stats->rx);
20788 + atomic_inc_unchecked(&vcc->stats->rx);
20790 if (skb->truesize > SAR_FB_SIZE_3)
20791 add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
20792 @@ -1303,14 +1303,14 @@ idt77252_rx_raw(struct idt77252_dev *car
20793 if (vcc->qos.aal != ATM_AAL0) {
20794 RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n",
20795 card->name, vpi, vci);
20796 - atomic_inc(&vcc->stats->rx_drop);
20797 + atomic_inc_unchecked(&vcc->stats->rx_drop);
20801 if ((sb = dev_alloc_skb(64)) == NULL) {
20802 printk("%s: Can't allocate buffers for AAL0.\n",
20804 - atomic_inc(&vcc->stats->rx_err);
20805 + atomic_inc_unchecked(&vcc->stats->rx_err);
20809 @@ -1329,7 +1329,7 @@ idt77252_rx_raw(struct idt77252_dev *car
20810 ATM_SKB(sb)->vcc = vcc;
20811 __net_timestamp(sb);
20812 vcc->push(vcc, sb);
20813 - atomic_inc(&vcc->stats->rx);
20814 + atomic_inc_unchecked(&vcc->stats->rx);
20817 skb_pull(queue, 64);
20818 @@ -1954,13 +1954,13 @@ idt77252_send_skb(struct atm_vcc *vcc, s
20821 printk("%s: NULL connection in send().\n", card->name);
20822 - atomic_inc(&vcc->stats->tx_err);
20823 + atomic_inc_unchecked(&vcc->stats->tx_err);
20824 dev_kfree_skb(skb);
20827 if (!test_bit(VCF_TX, &vc->flags)) {
20828 printk("%s: Trying to transmit on a non-tx VC.\n", card->name);
20829 - atomic_inc(&vcc->stats->tx_err);
20830 + atomic_inc_unchecked(&vcc->stats->tx_err);
20831 dev_kfree_skb(skb);
20834 @@ -1972,14 +1972,14 @@ idt77252_send_skb(struct atm_vcc *vcc, s
20837 printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal);
20838 - atomic_inc(&vcc->stats->tx_err);
20839 + atomic_inc_unchecked(&vcc->stats->tx_err);
20840 dev_kfree_skb(skb);
20844 if (skb_shinfo(skb)->nr_frags != 0) {
20845 printk("%s: No scatter-gather yet.\n", card->name);
20846 - atomic_inc(&vcc->stats->tx_err);
20847 + atomic_inc_unchecked(&vcc->stats->tx_err);
20848 dev_kfree_skb(skb);
20851 @@ -1987,7 +1987,7 @@ idt77252_send_skb(struct atm_vcc *vcc, s
20853 err = queue_skb(card, vc, skb, oam);
20855 - atomic_inc(&vcc->stats->tx_err);
20856 + atomic_inc_unchecked(&vcc->stats->tx_err);
20857 dev_kfree_skb(skb);
20860 @@ -2010,7 +2010,7 @@ idt77252_send_oam(struct atm_vcc *vcc, v
20861 skb = dev_alloc_skb(64);
20863 printk("%s: Out of memory in send_oam().\n", card->name);
20864 - atomic_inc(&vcc->stats->tx_err);
20865 + atomic_inc_unchecked(&vcc->stats->tx_err);
20868 atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
20869 diff -urNp linux-2.6.33.1/drivers/atm/iphase.c linux-2.6.33.1/drivers/atm/iphase.c
20870 --- linux-2.6.33.1/drivers/atm/iphase.c 2010-03-15 12:09:39.000000000 -0400
20871 +++ linux-2.6.33.1/drivers/atm/iphase.c 2010-03-20 16:58:39.500808414 -0400
20872 @@ -1123,7 +1123,7 @@ static int rx_pkt(struct atm_dev *dev)
20873 status = (u_short) (buf_desc_ptr->desc_mode);
20874 if (status & (RX_CER | RX_PTE | RX_OFL))
20876 - atomic_inc(&vcc->stats->rx_err);
20877 + atomic_inc_unchecked(&vcc->stats->rx_err);
20878 IF_ERR(printk("IA: bad packet, dropping it");)
20879 if (status & RX_CER) {
20880 IF_ERR(printk(" cause: packet CRC error\n");)
20881 @@ -1146,7 +1146,7 @@ static int rx_pkt(struct atm_dev *dev)
20882 len = dma_addr - buf_addr;
20883 if (len > iadev->rx_buf_sz) {
20884 printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz);
20885 - atomic_inc(&vcc->stats->rx_err);
20886 + atomic_inc_unchecked(&vcc->stats->rx_err);
20887 goto out_free_desc;
20890 @@ -1296,7 +1296,7 @@ static void rx_dle_intr(struct atm_dev *
20891 ia_vcc = INPH_IA_VCC(vcc);
20892 if (ia_vcc == NULL)
20894 - atomic_inc(&vcc->stats->rx_err);
20895 + atomic_inc_unchecked(&vcc->stats->rx_err);
20896 dev_kfree_skb_any(skb);
20897 atm_return(vcc, atm_guess_pdu2truesize(len));
20899 @@ -1308,7 +1308,7 @@ static void rx_dle_intr(struct atm_dev *
20900 if ((length > iadev->rx_buf_sz) || (length >
20901 (skb->len - sizeof(struct cpcs_trailer))))
20903 - atomic_inc(&vcc->stats->rx_err);
20904 + atomic_inc_unchecked(&vcc->stats->rx_err);
20905 IF_ERR(printk("rx_dle_intr: Bad AAL5 trailer %d (skb len %d)",
20906 length, skb->len);)
20907 dev_kfree_skb_any(skb);
20908 @@ -1324,7 +1324,7 @@ static void rx_dle_intr(struct atm_dev *
20910 IF_RX(printk("rx_dle_intr: skb push");)
20911 vcc->push(vcc,skb);
20912 - atomic_inc(&vcc->stats->rx);
20913 + atomic_inc_unchecked(&vcc->stats->rx);
20914 iadev->rx_pkt_cnt++;
20917 @@ -2806,15 +2806,15 @@ static int ia_ioctl(struct atm_dev *dev,
20919 struct k_sonet_stats *stats;
20920 stats = &PRIV(_ia_dev[board])->sonet_stats;
20921 - printk("section_bip: %d\n", atomic_read(&stats->section_bip));
20922 - printk("line_bip : %d\n", atomic_read(&stats->line_bip));
20923 - printk("path_bip : %d\n", atomic_read(&stats->path_bip));
20924 - printk("line_febe : %d\n", atomic_read(&stats->line_febe));
20925 - printk("path_febe : %d\n", atomic_read(&stats->path_febe));
20926 - printk("corr_hcs : %d\n", atomic_read(&stats->corr_hcs));
20927 - printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs));
20928 - printk("tx_cells : %d\n", atomic_read(&stats->tx_cells));
20929 - printk("rx_cells : %d\n", atomic_read(&stats->rx_cells));
20930 + printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));
20931 + printk("line_bip : %d\n", atomic_read_unchecked(&stats->line_bip));
20932 + printk("path_bip : %d\n", atomic_read_unchecked(&stats->path_bip));
20933 + printk("line_febe : %d\n", atomic_read_unchecked(&stats->line_febe));
20934 + printk("path_febe : %d\n", atomic_read_unchecked(&stats->path_febe));
20935 + printk("corr_hcs : %d\n", atomic_read_unchecked(&stats->corr_hcs));
20936 + printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs));
20937 + printk("tx_cells : %d\n", atomic_read_unchecked(&stats->tx_cells));
20938 + printk("rx_cells : %d\n", atomic_read_unchecked(&stats->rx_cells));
20940 ia_cmds.status = 0;
20942 @@ -2919,7 +2919,7 @@ static int ia_pkt_tx (struct atm_vcc *vc
20943 if ((desc == 0) || (desc > iadev->num_tx_desc))
20945 IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);)
20946 - atomic_inc(&vcc->stats->tx);
20947 + atomic_inc_unchecked(&vcc->stats->tx);
20949 vcc->pop(vcc, skb);
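Review bot: The `invalid desc for send` branch increments `vcc->stats->tx`, so a send rejected for a bad descriptor index appears to be counted as a successful transmit, and the conversion to `atomic_inc_unchecked()` keeps that behaviour. If the skb is dropped on this path, as the following `vcc->pop(vcc, skb)` suggests, the counter should probably be the error one: `atomic_inc_unchecked(&vcc->stats->tx_err);`. The next hunk in this function reads the same counter with `% 20 == 0` to pace the `vcc->tx_quota` adjustment, so a miscount here also shifts that cadence; a comment there such as `/* stats->tx may wrap; only its value modulo 20 is used */` would document why the unchecked read is acceptable. Several lines of the branch are not visible and ia_pkt_tx continues outside the hunk, so the return path should be checked before changing the counter.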
20951 @@ -3024,14 +3024,14 @@ static int ia_pkt_tx (struct atm_vcc *vc
20952 ATM_DESC(skb) = vcc->vci;
20953 skb_queue_tail(&iadev->tx_dma_q, skb);
20955 - atomic_inc(&vcc->stats->tx);
20956 + atomic_inc_unchecked(&vcc->stats->tx);
20957 iadev->tx_pkt_cnt++;
20958 /* Increment transaction counter */
20959 writel(2, iadev->dma+IPHASE5575_TX_COUNTER);
20962 /* add flow control logic */
20963 - if (atomic_read(&vcc->stats->tx) % 20 == 0) {
20964 + if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) {
20965 if (iavcc->vc_desc_cnt > 10) {
20966 vcc->tx_quota = vcc->tx_quota * 3 / 4;
20967 printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
20968 diff -urNp linux-2.6.33.1/drivers/atm/lanai.c linux-2.6.33.1/drivers/atm/lanai.c
20969 --- linux-2.6.33.1/drivers/atm/lanai.c 2010-03-15 12:09:39.000000000 -0400
20970 +++ linux-2.6.33.1/drivers/atm/lanai.c 2010-03-20 16:58:39.504511968 -0400
20971 @@ -1305,7 +1305,7 @@ static void lanai_send_one_aal5(struct l
20972 vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0);
20973 lanai_endtx(lanai, lvcc);
20974 lanai_free_skb(lvcc->tx.atmvcc, skb);
20975 - atomic_inc(&lvcc->tx.atmvcc->stats->tx);
20976 + atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx);
20979 /* Try to fill the buffer - don't call unless there is backlog */
20980 @@ -1428,7 +1428,7 @@ static void vcc_rx_aal5(struct lanai_vcc
20981 ATM_SKB(skb)->vcc = lvcc->rx.atmvcc;
20982 __net_timestamp(skb);
20983 lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb);
20984 - atomic_inc(&lvcc->rx.atmvcc->stats->rx);
20985 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx);
20987 lvcc->rx.buf.ptr = end;
20988 cardvcc_write(lvcc, endptr, vcc_rxreadptr);
20989 @@ -1670,7 +1670,7 @@ static int handle_service(struct lanai_d
20990 DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 "
20991 "vcc %d\n", lanai->number, (unsigned int) s, vci);
20992 lanai->stats.service_rxnotaal5++;
20993 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
20994 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
20997 if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) {
20998 @@ -1682,7 +1682,7 @@ static int handle_service(struct lanai_d
21000 read_unlock(&vcc_sklist_lock);
21001 DPRINTK("got trashed rx pdu on vci %d\n", vci);
21002 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
21003 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
21004 lvcc->stats.x.aal5.service_trash++;
21005 bytes = (SERVICE_GET_END(s) * 16) -
21006 (((unsigned long) lvcc->rx.buf.ptr) -
21007 @@ -1694,7 +1694,7 @@ static int handle_service(struct lanai_d
21009 if (s & SERVICE_STREAM) {
21010 read_unlock(&vcc_sklist_lock);
21011 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
21012 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
21013 lvcc->stats.x.aal5.service_stream++;
21014 printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream "
21015 "PDU on VCI %d!\n", lanai->number, vci);
21016 @@ -1702,7 +1702,7 @@ static int handle_service(struct lanai_d
21019 DPRINTK("got rx crc error on vci %d\n", vci);
21020 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
21021 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
21022 lvcc->stats.x.aal5.service_rxcrc++;
21023 lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4];
21024 cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr);
21025 diff -urNp linux-2.6.33.1/drivers/atm/nicstar.c linux-2.6.33.1/drivers/atm/nicstar.c
21026 --- linux-2.6.33.1/drivers/atm/nicstar.c 2010-03-15 12:09:39.000000000 -0400
21027 +++ linux-2.6.33.1/drivers/atm/nicstar.c 2010-03-20 16:58:39.504511968 -0400
21028 @@ -1723,7 +1723,7 @@ static int ns_send(struct atm_vcc *vcc,
21029 if ((vc = (vc_map *) vcc->dev_data) == NULL)
21031 printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n", card->index);
21032 - atomic_inc(&vcc->stats->tx_err);
21033 + atomic_inc_unchecked(&vcc->stats->tx_err);
21034 dev_kfree_skb_any(skb);
21037 @@ -1731,7 +1731,7 @@ static int ns_send(struct atm_vcc *vcc,
21040 printk("nicstar%d: Trying to transmit on a non-tx VC.\n", card->index);
21041 - atomic_inc(&vcc->stats->tx_err);
21042 + atomic_inc_unchecked(&vcc->stats->tx_err);
21043 dev_kfree_skb_any(skb);
21046 @@ -1739,7 +1739,7 @@ static int ns_send(struct atm_vcc *vcc,
21047 if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0)
21049 printk("nicstar%d: Only AAL0 and AAL5 are supported.\n", card->index);
21050 - atomic_inc(&vcc->stats->tx_err);
21051 + atomic_inc_unchecked(&vcc->stats->tx_err);
21052 dev_kfree_skb_any(skb);
21055 @@ -1747,7 +1747,7 @@ static int ns_send(struct atm_vcc *vcc,
21056 if (skb_shinfo(skb)->nr_frags != 0)
21058 printk("nicstar%d: No scatter-gather yet.\n", card->index);
21059 - atomic_inc(&vcc->stats->tx_err);
21060 + atomic_inc_unchecked(&vcc->stats->tx_err);
21061 dev_kfree_skb_any(skb);
21064 @@ -1792,11 +1792,11 @@ static int ns_send(struct atm_vcc *vcc,
21066 if (push_scqe(card, vc, scq, &scqe, skb) != 0)
21068 - atomic_inc(&vcc->stats->tx_err);
21069 + atomic_inc_unchecked(&vcc->stats->tx_err);
21070 dev_kfree_skb_any(skb);
21073 - atomic_inc(&vcc->stats->tx);
21074 + atomic_inc_unchecked(&vcc->stats->tx);
21078 @@ -2111,14 +2111,14 @@ static void dequeue_rx(ns_dev *card, ns_
21080 printk("nicstar%d: Can't allocate buffers for aal0.\n",
21082 - atomic_add(i,&vcc->stats->rx_drop);
21083 + atomic_add_unchecked(i,&vcc->stats->rx_drop);
21086 if (!atm_charge(vcc, sb->truesize))
21088 RXPRINTK("nicstar%d: atm_charge() dropped aal0 packets.\n",
21090 - atomic_add(i-1,&vcc->stats->rx_drop); /* already increased by 1 */
21091 + atomic_add_unchecked(i-1,&vcc->stats->rx_drop); /* already increased by 1 */
21092 dev_kfree_skb_any(sb);
21095 @@ -2133,7 +2133,7 @@ static void dequeue_rx(ns_dev *card, ns_
21096 ATM_SKB(sb)->vcc = vcc;
21097 __net_timestamp(sb);
21098 vcc->push(vcc, sb);
21099 - atomic_inc(&vcc->stats->rx);
21100 + atomic_inc_unchecked(&vcc->stats->rx);
21101 cell += ATM_CELL_PAYLOAD;
21104 @@ -2152,7 +2152,7 @@ static void dequeue_rx(ns_dev *card, ns_
21107 printk("nicstar%d: Out of iovec buffers.\n", card->index);
21108 - atomic_inc(&vcc->stats->rx_drop);
21109 + atomic_inc_unchecked(&vcc->stats->rx_drop);
21110 recycle_rx_buf(card, skb);
21113 @@ -2182,7 +2182,7 @@ static void dequeue_rx(ns_dev *card, ns_
21114 else if (NS_SKB(iovb)->iovcnt >= NS_MAX_IOVECS)
21116 printk("nicstar%d: received too big AAL5 SDU.\n", card->index);
21117 - atomic_inc(&vcc->stats->rx_err);
21118 + atomic_inc_unchecked(&vcc->stats->rx_err);
21119 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data, NS_MAX_IOVECS);
21120 NS_SKB(iovb)->iovcnt = 0;
21122 @@ -2202,7 +2202,7 @@ static void dequeue_rx(ns_dev *card, ns_
21123 printk("nicstar%d: Expected a small buffer, and this is not one.\n",
21125 which_list(card, skb);
21126 - atomic_inc(&vcc->stats->rx_err);
21127 + atomic_inc_unchecked(&vcc->stats->rx_err);
21128 recycle_rx_buf(card, skb);
21130 recycle_iov_buf(card, iovb);
21131 @@ -2216,7 +2216,7 @@ static void dequeue_rx(ns_dev *card, ns_
21132 printk("nicstar%d: Expected a large buffer, and this is not one.\n",
21134 which_list(card, skb);
21135 - atomic_inc(&vcc->stats->rx_err);
21136 + atomic_inc_unchecked(&vcc->stats->rx_err);
21137 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
21138 NS_SKB(iovb)->iovcnt);
21140 @@ -2240,7 +2240,7 @@ static void dequeue_rx(ns_dev *card, ns_
21141 printk(" - PDU size mismatch.\n");
21144 - atomic_inc(&vcc->stats->rx_err);
21145 + atomic_inc_unchecked(&vcc->stats->rx_err);
21146 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
21147 NS_SKB(iovb)->iovcnt);
21149 @@ -2256,7 +2256,7 @@ static void dequeue_rx(ns_dev *card, ns_
21150 if (!atm_charge(vcc, skb->truesize))
21152 push_rxbufs(card, skb);
21153 - atomic_inc(&vcc->stats->rx_drop);
21154 + atomic_inc_unchecked(&vcc->stats->rx_drop);
21158 @@ -2268,7 +2268,7 @@ static void dequeue_rx(ns_dev *card, ns_
21159 ATM_SKB(skb)->vcc = vcc;
21160 __net_timestamp(skb);
21161 vcc->push(vcc, skb);
21162 - atomic_inc(&vcc->stats->rx);
21163 + atomic_inc_unchecked(&vcc->stats->rx);
21166 else if (NS_SKB(iovb)->iovcnt == 2) /* One small plus one large buffer */
21167 @@ -2283,7 +2283,7 @@ static void dequeue_rx(ns_dev *card, ns_
21168 if (!atm_charge(vcc, sb->truesize))
21170 push_rxbufs(card, sb);
21171 - atomic_inc(&vcc->stats->rx_drop);
21172 + atomic_inc_unchecked(&vcc->stats->rx_drop);
21176 @@ -2295,7 +2295,7 @@ static void dequeue_rx(ns_dev *card, ns_
21177 ATM_SKB(sb)->vcc = vcc;
21178 __net_timestamp(sb);
21179 vcc->push(vcc, sb);
21180 - atomic_inc(&vcc->stats->rx);
21181 + atomic_inc_unchecked(&vcc->stats->rx);
21184 push_rxbufs(card, skb);
21185 @@ -2306,7 +2306,7 @@ static void dequeue_rx(ns_dev *card, ns_
21186 if (!atm_charge(vcc, skb->truesize))
21188 push_rxbufs(card, skb);
21189 - atomic_inc(&vcc->stats->rx_drop);
21190 + atomic_inc_unchecked(&vcc->stats->rx_drop);
21194 @@ -2320,7 +2320,7 @@ static void dequeue_rx(ns_dev *card, ns_
21195 ATM_SKB(skb)->vcc = vcc;
21196 __net_timestamp(skb);
21197 vcc->push(vcc, skb);
21198 - atomic_inc(&vcc->stats->rx);
21199 + atomic_inc_unchecked(&vcc->stats->rx);
21202 push_rxbufs(card, sb);
21203 @@ -2342,7 +2342,7 @@ static void dequeue_rx(ns_dev *card, ns_
21206 printk("nicstar%d: Out of huge buffers.\n", card->index);
21207 - atomic_inc(&vcc->stats->rx_drop);
21208 + atomic_inc_unchecked(&vcc->stats->rx_drop);
21209 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
21210 NS_SKB(iovb)->iovcnt);
21212 @@ -2393,7 +2393,7 @@ static void dequeue_rx(ns_dev *card, ns_
21215 dev_kfree_skb_any(hb);
21216 - atomic_inc(&vcc->stats->rx_drop);
21217 + atomic_inc_unchecked(&vcc->stats->rx_drop);
21221 @@ -2427,7 +2427,7 @@ static void dequeue_rx(ns_dev *card, ns_
21222 #endif /* NS_USE_DESTRUCTORS */
21223 __net_timestamp(hb);
21224 vcc->push(vcc, hb);
21225 - atomic_inc(&vcc->stats->rx);
21226 + atomic_inc_unchecked(&vcc->stats->rx);
21230 diff -urNp linux-2.6.33.1/drivers/atm/solos-pci.c linux-2.6.33.1/drivers/atm/solos-pci.c
21231 --- linux-2.6.33.1/drivers/atm/solos-pci.c 2010-03-15 12:09:39.000000000 -0400
21232 +++ linux-2.6.33.1/drivers/atm/solos-pci.c 2010-03-20 16:58:39.512795633 -0400
21233 @@ -714,7 +714,7 @@ void solos_bh(unsigned long card_arg)
21235 atm_charge(vcc, skb->truesize);
21236 vcc->push(vcc, skb);
21237 - atomic_inc(&vcc->stats->rx);
21238 + atomic_inc_unchecked(&vcc->stats->rx);
21242 @@ -1017,7 +1017,7 @@ static uint32_t fpga_tx(struct solos_car
21243 vcc = SKB_CB(oldskb)->vcc;
21246 - atomic_inc(&vcc->stats->tx);
21247 + atomic_inc_unchecked(&vcc->stats->tx);
21248 solos_pop(vcc, oldskb);
21250 dev_kfree_skb_irq(oldskb);
21251 diff -urNp linux-2.6.33.1/drivers/atm/suni.c linux-2.6.33.1/drivers/atm/suni.c
21252 --- linux-2.6.33.1/drivers/atm/suni.c 2010-03-15 12:09:39.000000000 -0400
21253 +++ linux-2.6.33.1/drivers/atm/suni.c 2010-03-20 16:58:39.516795609 -0400
21254 @@ -49,8 +49,8 @@ static DEFINE_SPINLOCK(sunis_lock);
21257 #define ADD_LIMITED(s,v) \
21258 - atomic_add((v),&stats->s); \
21259 - if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX);
21260 + atomic_add_unchecked((v),&stats->s); \
21261 + if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX);
21264 static void suni_hz(unsigned long from_timer)
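Review bot: The new `ADD_LIMITED` in suni.c is still two bare statements, so a call site of the form `if (x) ADD_LIMITED(s, v);` would run the clamp unconditionally. Wrapping the body as `do { atomic_add_unchecked((v),&stats->s); if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX); } while (0)` removes that hazard; the uPD98402.c variant later in this patch is at least braced. The clamp relies on the counter wrapping to a negative value, which is presumably why the unchecked accessors are used here, and a one-line comment saying so would help. The add, read and set are three separate operations, so the saturation is only exact if callers are serialised; the call sites are outside this hunk.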
21265 diff -urNp linux-2.6.33.1/drivers/atm/uPD98402.c linux-2.6.33.1/drivers/atm/uPD98402.c
21266 --- linux-2.6.33.1/drivers/atm/uPD98402.c 2010-03-15 12:09:39.000000000 -0400
21267 +++ linux-2.6.33.1/drivers/atm/uPD98402.c 2010-03-20 16:58:39.516795609 -0400
21268 @@ -41,7 +41,7 @@ static int fetch_stats(struct atm_dev *d
21269 struct sonet_stats tmp;
21272 - atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
21273 + atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
21274 sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp);
21275 if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp));
21276 if (zero && !error) {
21277 @@ -160,9 +160,9 @@ static int uPD98402_ioctl(struct atm_dev
21280 #define ADD_LIMITED(s,v) \
21281 - { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \
21282 - if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \
21283 - atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); }
21284 + { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \
21285 + if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \
21286 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); }
21289 static void stat_event(struct atm_dev *dev)
21290 @@ -193,7 +193,7 @@ static void uPD98402_int(struct atm_dev
21291 if (reason & uPD98402_INT_PFM) stat_event(dev);
21292 if (reason & uPD98402_INT_PCO) {
21293 (void) GET(PCOCR); /* clear interrupt cause */
21294 - atomic_add(GET(HECCT),
21295 + atomic_add_unchecked(GET(HECCT),
21296 &PRIV(dev)->sonet_stats.uncorr_hcs);
21298 if ((reason & uPD98402_INT_RFO) &&
21299 @@ -221,9 +221,9 @@ static int uPD98402_start(struct atm_dev
21300 PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO |
21301 uPD98402_INT_LOS),PIMR); /* enable them */
21302 (void) fetch_stats(dev,NULL,1); /* clear kernel counters */
21303 - atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1);
21304 - atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1);
21305 - atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1);
21306 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1);
21307 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1);
21308 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1);
21312 diff -urNp linux-2.6.33.1/drivers/atm/zatm.c linux-2.6.33.1/drivers/atm/zatm.c
21313 --- linux-2.6.33.1/drivers/atm/zatm.c 2010-03-15 12:09:39.000000000 -0400
21314 +++ linux-2.6.33.1/drivers/atm/zatm.c 2010-03-20 16:58:39.516795609 -0400
21315 @@ -458,7 +458,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
21318 dev_kfree_skb_irq(skb);
21319 - if (vcc) atomic_inc(&vcc->stats->rx_err);
21320 + if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err);
21323 if (!atm_charge(vcc,skb->truesize)) {
21324 @@ -468,7 +468,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
21326 ATM_SKB(skb)->vcc = vcc;
21327 vcc->push(vcc,skb);
21328 - atomic_inc(&vcc->stats->rx);
21329 + atomic_inc_unchecked(&vcc->stats->rx);
21331 zout(pos & 0xffff,MTA(mbx));
21332 #if 0 /* probably a stupid idea */
21333 @@ -732,7 +732,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD
21334 skb_queue_head(&zatm_vcc->backlog,skb);
21337 - atomic_inc(&vcc->stats->tx);
21338 + atomic_inc_unchecked(&vcc->stats->tx);
21339 wake_up(&zatm_vcc->tx_wait);
21342 diff -urNp linux-2.6.33.1/drivers/base/bus.c linux-2.6.33.1/drivers/base/bus.c
21343 --- linux-2.6.33.1/drivers/base/bus.c 2010-03-15 12:09:39.000000000 -0400
21344 +++ linux-2.6.33.1/drivers/base/bus.c 2010-03-20 16:58:39.548804768 -0400
21345 @@ -70,7 +70,7 @@ static ssize_t drv_attr_store(struct kob
21349 -static struct sysfs_ops driver_sysfs_ops = {
21350 +static const struct sysfs_ops driver_sysfs_ops = {
21351 .show = drv_attr_show,
21352 .store = drv_attr_store,
21354 @@ -115,7 +115,7 @@ static ssize_t bus_attr_store(struct kob
21358 -static struct sysfs_ops bus_sysfs_ops = {
21359 +static const struct sysfs_ops bus_sysfs_ops = {
21360 .show = bus_attr_show,
21361 .store = bus_attr_store,
21363 @@ -154,7 +154,7 @@ static int bus_uevent_filter(struct kset
21367 -static struct kset_uevent_ops bus_uevent_ops = {
21368 +static const struct kset_uevent_ops bus_uevent_ops = {
21369 .filter = bus_uevent_filter,
21372 diff -urNp linux-2.6.33.1/drivers/base/class.c linux-2.6.33.1/drivers/base/class.c
21373 --- linux-2.6.33.1/drivers/base/class.c 2010-03-15 12:09:39.000000000 -0400
21374 +++ linux-2.6.33.1/drivers/base/class.c 2010-03-20 16:58:39.548804768 -0400
21375 @@ -63,7 +63,7 @@ static void class_release(struct kobject
21379 -static struct sysfs_ops class_sysfs_ops = {
21380 +static const struct sysfs_ops class_sysfs_ops = {
21381 .show = class_attr_show,
21382 .store = class_attr_store,
21384 diff -urNp linux-2.6.33.1/drivers/base/core.c linux-2.6.33.1/drivers/base/core.c
21385 --- linux-2.6.33.1/drivers/base/core.c 2010-03-15 12:09:39.000000000 -0400
21386 +++ linux-2.6.33.1/drivers/base/core.c 2010-03-20 16:58:39.548804768 -0400
21387 @@ -100,7 +100,7 @@ static ssize_t dev_attr_store(struct kob
21391 -static struct sysfs_ops dev_sysfs_ops = {
21392 +static const struct sysfs_ops dev_sysfs_ops = {
21393 .show = dev_attr_show,
21394 .store = dev_attr_store,
21396 @@ -252,7 +252,7 @@ static int dev_uevent(struct kset *kset,
21400 -static struct kset_uevent_ops device_uevent_ops = {
21401 +static const struct kset_uevent_ops device_uevent_ops = {
21402 .filter = dev_uevent_filter,
21403 .name = dev_uevent_name,
21404 .uevent = dev_uevent,
21405 diff -urNp linux-2.6.33.1/drivers/base/memory.c linux-2.6.33.1/drivers/base/memory.c
21406 --- linux-2.6.33.1/drivers/base/memory.c 2010-03-15 12:09:39.000000000 -0400
21407 +++ linux-2.6.33.1/drivers/base/memory.c 2010-03-20 16:58:39.553060820 -0400
21408 @@ -44,7 +44,7 @@ static int memory_uevent(struct kset *ks
21412 -static struct kset_uevent_ops memory_uevent_ops = {
21413 +static const struct kset_uevent_ops memory_uevent_ops = {
21414 .name = memory_uevent_name,
21415 .uevent = memory_uevent,
21417 diff -urNp linux-2.6.33.1/drivers/base/sys.c linux-2.6.33.1/drivers/base/sys.c
21418 --- linux-2.6.33.1/drivers/base/sys.c 2010-03-15 12:09:39.000000000 -0400
21419 +++ linux-2.6.33.1/drivers/base/sys.c 2010-03-20 16:58:39.553060820 -0400
21420 @@ -54,7 +54,7 @@ sysdev_store(struct kobject *kobj, struc
21424 -static struct sysfs_ops sysfs_ops = {
21425 +static const struct sysfs_ops sysfs_ops = {
21426 .show = sysdev_show,
21427 .store = sysdev_store,
21429 @@ -104,7 +104,7 @@ static ssize_t sysdev_class_store(struct
21433 -static struct sysfs_ops sysfs_class_ops = {
21434 +static const struct sysfs_ops sysfs_class_ops = {
21435 .show = sysdev_class_show,
21436 .store = sysdev_class_store,
21438 diff -urNp linux-2.6.33.1/drivers/block/pktcdvd.c linux-2.6.33.1/drivers/block/pktcdvd.c
21439 --- linux-2.6.33.1/drivers/block/pktcdvd.c 2010-03-15 12:09:39.000000000 -0400
21440 +++ linux-2.6.33.1/drivers/block/pktcdvd.c 2010-03-20 16:58:39.568810035 -0400
21441 @@ -284,7 +284,7 @@ static ssize_t kobj_pkt_store(struct kob
21445 -static struct sysfs_ops kobj_pkt_ops = {
21446 +static const struct sysfs_ops kobj_pkt_ops = {
21447 .show = kobj_pkt_show,
21448 .store = kobj_pkt_store
21450 diff -urNp linux-2.6.33.1/drivers/char/agp/frontend.c linux-2.6.33.1/drivers/char/agp/frontend.c
21451 --- linux-2.6.33.1/drivers/char/agp/frontend.c 2010-03-15 12:09:39.000000000 -0400
21452 +++ linux-2.6.33.1/drivers/char/agp/frontend.c 2010-03-20 16:58:39.572812162 -0400
21453 @@ -818,7 +818,7 @@ static int agpioc_reserve_wrap(struct ag
21454 if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
21457 - if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
21458 + if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
21461 client = agp_find_client_by_pid(reserve.pid);
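Review bot: The bound on the user-supplied `reserve.seg_count` now divides by `sizeof(struct agp_segment_priv)`, but nothing at the check says which allocation it protects. If the function multiplies the count by both `struct agp_segment` and `struct agp_segment_priv` further down (not visible in this hunk), the divisor has to be the larger of the two. A comment such as `/* seg_count comes from user space; bound it by the largest per-segment allocation made below */` would keep the check and the allocations in step.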
21462 diff -urNp linux-2.6.33.1/drivers/char/agp/intel-agp.c linux-2.6.33.1/drivers/char/agp/intel-agp.c
21463 --- linux-2.6.33.1/drivers/char/agp/intel-agp.c 2010-03-15 12:09:39.000000000 -0400
21464 +++ linux-2.6.33.1/drivers/char/agp/intel-agp.c 2010-03-20 16:58:39.588814817 -0400
21465 @@ -2575,7 +2575,7 @@ static struct pci_device_id agp_intel_pc
21466 ID(PCI_DEVICE_ID_INTEL_IRONLAKE_M_HB),
21467 ID(PCI_DEVICE_ID_INTEL_IRONLAKE_MA_HB),
21468 ID(PCI_DEVICE_ID_INTEL_IRONLAKE_MC2_HB),
21470 + { 0, 0, 0, 0, 0, 0, 0 }
21473 MODULE_DEVICE_TABLE(pci, agp_intel_pci_table);
21474 diff -urNp linux-2.6.33.1/drivers/char/hpet.c linux-2.6.33.1/drivers/char/hpet.c
21475 --- linux-2.6.33.1/drivers/char/hpet.c 2010-03-15 12:09:39.000000000 -0400
21476 +++ linux-2.6.33.1/drivers/char/hpet.c 2010-03-20 16:58:39.592808427 -0400
21477 @@ -995,7 +995,7 @@ static struct acpi_driver hpet_acpi_driv
21481 -static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops };
21482 +static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops, {NULL, NULL}, NULL, NULL };
21484 static int __init hpet_init(void)
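Review bot: The widened positional initializer for `hpet_misc` ties this line to the exact member order of `struct miscdevice`, so a later layout change would silently shift `{NULL, NULL}, NULL, NULL` onto the wrong members. Designated initializers state the intent and leave the remaining members zeroed: `static struct miscdevice hpet_misc = { .minor = HPET_MINOR, .name = "hpet", .fops = &hpet_fops };`.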
21486 diff -urNp linux-2.6.33.1/drivers/char/hvc_beat.c linux-2.6.33.1/drivers/char/hvc_beat.c
21487 --- linux-2.6.33.1/drivers/char/hvc_beat.c 2010-03-15 12:09:39.000000000 -0400
21488 +++ linux-2.6.33.1/drivers/char/hvc_beat.c 2010-03-20 16:58:39.596613651 -0400
21489 @@ -84,7 +84,7 @@ static int hvc_beat_put_chars(uint32_t v
21493 -static struct hv_ops hvc_beat_get_put_ops = {
21494 +static const struct hv_ops hvc_beat_get_put_ops = {
21495 .get_chars = hvc_beat_get_chars,
21496 .put_chars = hvc_beat_put_chars,
21498 diff -urNp linux-2.6.33.1/drivers/char/hvc_console.c linux-2.6.33.1/drivers/char/hvc_console.c
21499 --- linux-2.6.33.1/drivers/char/hvc_console.c 2010-03-15 12:09:39.000000000 -0400
21500 +++ linux-2.6.33.1/drivers/char/hvc_console.c 2010-03-20 16:58:39.596613651 -0400
21501 @@ -125,7 +125,7 @@ static struct hvc_struct *hvc_get_by_ind
21502 * console interfaces but can still be used as a tty device. This has to be
21503 * static because kmalloc will not work during early console init.
21505 -static struct hv_ops *cons_ops[MAX_NR_HVC_CONSOLES];
21506 +static const struct hv_ops *cons_ops[MAX_NR_HVC_CONSOLES];
21507 static uint32_t vtermnos[MAX_NR_HVC_CONSOLES] =
21508 {[0 ... MAX_NR_HVC_CONSOLES - 1] = -1};
21510 @@ -247,7 +247,7 @@ static void destroy_hvc_struct(struct kr
21511 * vty adapters do NOT get an hvc_instantiate() callback since they
21512 * appear after early console init.
21514 -int hvc_instantiate(uint32_t vtermno, int index, struct hv_ops *ops)
21515 +int hvc_instantiate(uint32_t vtermno, int index, const struct hv_ops *ops)
21517 struct hvc_struct *hp;
21519 @@ -749,7 +749,7 @@ static const struct tty_operations hvc_o
21522 struct hvc_struct __devinit *hvc_alloc(uint32_t vtermno, int data,
21523 - struct hv_ops *ops, int outbuf_size)
21524 + const struct hv_ops *ops, int outbuf_size)
21526 struct hvc_struct *hp;
21528 diff -urNp linux-2.6.33.1/drivers/char/hvc_console.h linux-2.6.33.1/drivers/char/hvc_console.h
21529 --- linux-2.6.33.1/drivers/char/hvc_console.h 2010-03-15 12:09:39.000000000 -0400
21530 +++ linux-2.6.33.1/drivers/char/hvc_console.h 2010-03-20 16:58:39.596613651 -0400
21531 @@ -55,7 +55,7 @@ struct hvc_struct {
21535 - struct hv_ops *ops;
21536 + const struct hv_ops *ops;
21540 @@ -76,11 +76,11 @@ struct hv_ops {
21543 /* Register a vterm and a slot index for use as a console (console_init) */
21544 -extern int hvc_instantiate(uint32_t vtermno, int index, struct hv_ops *ops);
21545 +extern int hvc_instantiate(uint32_t vtermno, int index, const struct hv_ops *ops);
21547 /* register a vterm for hvc tty operation (module_init or hotplug add) */
21548 extern struct hvc_struct * __devinit hvc_alloc(uint32_t vtermno, int data,
21549 - struct hv_ops *ops, int outbuf_size);
21550 + const struct hv_ops *ops, int outbuf_size);
21551 /* remove a vterm from hvc tty operation (module_exit or hotplug remove) */
21552 extern int hvc_remove(struct hvc_struct *hp);
21554 diff -urNp linux-2.6.33.1/drivers/char/hvc_iseries.c linux-2.6.33.1/drivers/char/hvc_iseries.c
21555 --- linux-2.6.33.1/drivers/char/hvc_iseries.c 2010-03-15 12:09:39.000000000 -0400
21556 +++ linux-2.6.33.1/drivers/char/hvc_iseries.c 2010-03-20 16:58:39.596613651 -0400
21557 @@ -197,7 +197,7 @@ done:
21561 -static struct hv_ops hvc_get_put_ops = {
21562 +static const struct hv_ops hvc_get_put_ops = {
21563 .get_chars = get_chars,
21564 .put_chars = put_chars,
21565 .notifier_add = notifier_add_irq,
21566 diff -urNp linux-2.6.33.1/drivers/char/hvc_iucv.c linux-2.6.33.1/drivers/char/hvc_iucv.c
21567 --- linux-2.6.33.1/drivers/char/hvc_iucv.c 2010-03-15 12:09:39.000000000 -0400
21568 +++ linux-2.6.33.1/drivers/char/hvc_iucv.c 2010-03-20 16:58:39.596613651 -0400
21569 @@ -922,7 +922,7 @@ static int hvc_iucv_pm_restore_thaw(stru
21572 /* HVC operations */
21573 -static struct hv_ops hvc_iucv_ops = {
21574 +static const struct hv_ops hvc_iucv_ops = {
21575 .get_chars = hvc_iucv_get_chars,
21576 .put_chars = hvc_iucv_put_chars,
21577 .notifier_add = hvc_iucv_notifier_add,
21578 diff -urNp linux-2.6.33.1/drivers/char/hvc_rtas.c linux-2.6.33.1/drivers/char/hvc_rtas.c
21579 --- linux-2.6.33.1/drivers/char/hvc_rtas.c 2010-03-15 12:09:39.000000000 -0400
21580 +++ linux-2.6.33.1/drivers/char/hvc_rtas.c 2010-03-20 16:58:39.600817341 -0400
21581 @@ -71,7 +71,7 @@ static int hvc_rtas_read_console(uint32_
21585 -static struct hv_ops hvc_rtas_get_put_ops = {
21586 +static const struct hv_ops hvc_rtas_get_put_ops = {
21587 .get_chars = hvc_rtas_read_console,
21588 .put_chars = hvc_rtas_write_console,
21590 diff -urNp linux-2.6.33.1/drivers/char/hvcs.c linux-2.6.33.1/drivers/char/hvcs.c
21591 --- linux-2.6.33.1/drivers/char/hvcs.c 2010-03-15 12:09:39.000000000 -0400
21592 +++ linux-2.6.33.1/drivers/char/hvcs.c 2010-03-20 16:58:39.600817341 -0400
21593 @@ -269,7 +269,7 @@ struct hvcs_struct {
21594 unsigned int index;
21596 struct tty_struct *tty;
21598 + atomic_t open_count;
21601 * Used to tell the driver kernel_thread what operations need to take
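Review bot: The `open_count` member changes to `atomic_t` without a comment stating its locking rule, while most accesses in the later hvcs.c hunks (hvcs_vterm_state_store, fast_open, hvcs_close, hvcs_hangup, hvcs_write) still sit inside `spin_lock_irqsave(&hvcsd->lock, ...)`. A comment on the field should say that updates are made under `->lock` and why the type is atomic, because `hvcs_write_room` reads it with no lock visible in its hunk. In hvcs_hangup the value is read with `atomic_read()` in one hunk and reset with `atomic_set(..., 0)` in the next, so that pair is only consistent because of the spinlock, not because of the new type.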
21602 @@ -419,7 +419,7 @@ static ssize_t hvcs_vterm_state_store(st
21604 spin_lock_irqsave(&hvcsd->lock, flags);
21606 - if (hvcsd->open_count > 0) {
21607 + if (atomic_read(&hvcsd->open_count) > 0) {
21608 spin_unlock_irqrestore(&hvcsd->lock, flags);
21609 printk(KERN_INFO "HVCS: vterm state unchanged. "
21610 "The hvcs device node is still in use.\n");
21611 @@ -1135,7 +1135,7 @@ static int hvcs_open(struct tty_struct *
21612 if ((retval = hvcs_partner_connect(hvcsd)))
21613 goto error_release;
21615 - hvcsd->open_count = 1;
21616 + atomic_set(&hvcsd->open_count, 1);
21618 tty->driver_data = hvcsd;
21620 @@ -1169,7 +1169,7 @@ fast_open:
21622 spin_lock_irqsave(&hvcsd->lock, flags);
21623 kref_get(&hvcsd->kref);
21624 - hvcsd->open_count++;
21625 + atomic_inc(&hvcsd->open_count);
21626 hvcsd->todo_mask |= HVCS_SCHED_READ;
21627 spin_unlock_irqrestore(&hvcsd->lock, flags);
21629 @@ -1213,7 +1213,7 @@ static void hvcs_close(struct tty_struct
21630 hvcsd = tty->driver_data;
21632 spin_lock_irqsave(&hvcsd->lock, flags);
21633 - if (--hvcsd->open_count == 0) {
21634 + if (atomic_dec_and_test(&hvcsd->open_count)) {
21636 vio_disable_interrupts(hvcsd->vdev);
21638 @@ -1239,10 +1239,10 @@ static void hvcs_close(struct tty_struct
21639 free_irq(irq, hvcsd);
21640 kref_put(&hvcsd->kref, destroy_hvcs_struct);
21642 - } else if (hvcsd->open_count < 0) {
21643 + } else if (atomic_read(&hvcsd->open_count) < 0) {
21644 printk(KERN_ERR "HVCS: vty-server@%X open_count: %d"
21645 " is missmanaged.\n",
21646 - hvcsd->vdev->unit_address, hvcsd->open_count);
21647 + hvcsd->vdev->unit_address, atomic_read(&hvcsd->open_count));
21650 spin_unlock_irqrestore(&hvcsd->lock, flags);
21651 @@ -1258,7 +1258,7 @@ static void hvcs_hangup(struct tty_struc
21653 spin_lock_irqsave(&hvcsd->lock, flags);
21654 /* Preserve this so that we know how many kref refs to put */
21655 - temp_open_count = hvcsd->open_count;
21656 + temp_open_count = atomic_read(&hvcsd->open_count);
21659 * Don't kref put inside the spinlock because the destruction
21660 @@ -1273,7 +1273,7 @@ static void hvcs_hangup(struct tty_struc
21661 hvcsd->tty->driver_data = NULL;
21664 - hvcsd->open_count = 0;
21665 + atomic_set(&hvcsd->open_count, 0);
21667 /* This will drop any buffered data on the floor which is OK in a hangup
21669 @@ -1344,7 +1344,7 @@ static int hvcs_write(struct tty_struct
21670 * the middle of a write operation? This is a crummy place to do this
21671 * but we want to keep it all in the spinlock.
21673 - if (hvcsd->open_count <= 0) {
21674 + if (atomic_read(&hvcsd->open_count) <= 0) {
21675 spin_unlock_irqrestore(&hvcsd->lock, flags);
21678 @@ -1418,7 +1418,7 @@ static int hvcs_write_room(struct tty_st
21680 struct hvcs_struct *hvcsd = tty->driver_data;
21682 - if (!hvcsd || hvcsd->open_count <= 0)
21683 + if (!hvcsd || atomic_read(&hvcsd->open_count) <= 0)
21686 return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;
21687 diff -urNp linux-2.6.33.1/drivers/char/hvc_udbg.c linux-2.6.33.1/drivers/char/hvc_udbg.c
21688 --- linux-2.6.33.1/drivers/char/hvc_udbg.c 2010-03-15 12:09:39.000000000 -0400
21689 +++ linux-2.6.33.1/drivers/char/hvc_udbg.c 2010-03-20 16:58:39.600817341 -0400
21690 @@ -58,7 +58,7 @@ static int hvc_udbg_get(uint32_t vtermno
21694 -static struct hv_ops hvc_udbg_ops = {
21695 +static const struct hv_ops hvc_udbg_ops = {
21696 .get_chars = hvc_udbg_get,
21697 .put_chars = hvc_udbg_put,
21699 diff -urNp linux-2.6.33.1/drivers/char/hvc_vio.c linux-2.6.33.1/drivers/char/hvc_vio.c
21700 --- linux-2.6.33.1/drivers/char/hvc_vio.c 2010-03-15 12:09:39.000000000 -0400
21701 +++ linux-2.6.33.1/drivers/char/hvc_vio.c 2010-03-20 16:58:39.600817341 -0400
21702 @@ -77,7 +77,7 @@ static int filtered_get_chars(uint32_t v
21706 -static struct hv_ops hvc_get_put_ops = {
21707 +static const struct hv_ops hvc_get_put_ops = {
21708 .get_chars = filtered_get_chars,
21709 .put_chars = hvc_put_chars,
21710 .notifier_add = notifier_add_irq,
21711 diff -urNp linux-2.6.33.1/drivers/char/hvc_xen.c linux-2.6.33.1/drivers/char/hvc_xen.c
21712 --- linux-2.6.33.1/drivers/char/hvc_xen.c 2010-03-15 12:09:39.000000000 -0400
21713 +++ linux-2.6.33.1/drivers/char/hvc_xen.c 2010-03-20 16:58:39.604556535 -0400
21714 @@ -122,7 +122,7 @@ static int read_console(uint32_t vtermno
21718 -static struct hv_ops hvc_ops = {
21719 +static const struct hv_ops hvc_ops = {
21720 .get_chars = read_console,
21721 .put_chars = write_console,
21722 .notifier_add = notifier_add_irq,
21723 diff -urNp linux-2.6.33.1/drivers/char/ipmi/ipmi_msghandler.c linux-2.6.33.1/drivers/char/ipmi/ipmi_msghandler.c
21724 --- linux-2.6.33.1/drivers/char/ipmi/ipmi_msghandler.c 2010-03-15 12:09:39.000000000 -0400
21725 +++ linux-2.6.33.1/drivers/char/ipmi/ipmi_msghandler.c 2010-03-20 16:58:39.604556535 -0400
21726 @@ -414,7 +414,7 @@ struct ipmi_smi {
21727 struct proc_dir_entry *proc_dir;
21728 char proc_dir_name[10];
21730 - atomic_t stats[IPMI_NUM_STATS];
21731 + atomic_unchecked_t stats[IPMI_NUM_STATS];
21734 * run_to_completion duplicate of smb_info, smi_info
21735 @@ -447,9 +447,9 @@ static DEFINE_MUTEX(smi_watchers_mutex);
21738 #define ipmi_inc_stat(intf, stat) \
21739 - atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
21740 + atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])
21741 #define ipmi_get_stat(intf, stat) \
21742 - ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
21743 + ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]))
21745 static int is_lan_addr(struct ipmi_addr *addr)
21747 @@ -2808,7 +2808,7 @@ int ipmi_register_smi(struct ipmi_smi_ha
21748 INIT_LIST_HEAD(&intf->cmd_rcvrs);
21749 init_waitqueue_head(&intf->waitq);
21750 for (i = 0; i < IPMI_NUM_STATS; i++)
21751 - atomic_set(&intf->stats[i], 0);
21752 + atomic_set_unchecked(&intf->stats[i], 0);
21754 intf->proc_dir = NULL;
21756 diff -urNp linux-2.6.33.1/drivers/char/ipmi/ipmi_si_intf.c linux-2.6.33.1/drivers/char/ipmi/ipmi_si_intf.c
21757 --- linux-2.6.33.1/drivers/char/ipmi/ipmi_si_intf.c 2010-03-15 12:09:39.000000000 -0400
21758 +++ linux-2.6.33.1/drivers/char/ipmi/ipmi_si_intf.c 2010-03-20 16:58:39.608700771 -0400
21759 @@ -278,7 +278,7 @@ struct smi_info {
21760 unsigned char slave_addr;
21762 /* Counters and things for the proc filesystem. */
21763 - atomic_t stats[SI_NUM_STATS];
21764 + atomic_unchecked_t stats[SI_NUM_STATS];
21766 struct task_struct *thread;
21768 @@ -286,9 +286,9 @@ struct smi_info {
21771 #define smi_inc_stat(smi, stat) \
21772 - atomic_inc(&(smi)->stats[SI_STAT_ ## stat])
21773 + atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat])
21774 #define smi_get_stat(smi, stat) \
21775 - ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat]))
21776 + ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat]))
21778 #define SI_MAX_PARMS 4
21780 @@ -3020,7 +3020,7 @@ static int try_smi_init(struct smi_info
21781 atomic_set(&new_smi->req_events, 0);
21782 new_smi->run_to_completion = 0;
21783 for (i = 0; i < SI_NUM_STATS; i++)
21784 - atomic_set(&new_smi->stats[i], 0);
21785 + atomic_set_unchecked(&new_smi->stats[i], 0);
21787 new_smi->interrupt_disabled = 0;
21788 atomic_set(&new_smi->stop_operation, 0);
21789 diff -urNp linux-2.6.33.1/drivers/char/keyboard.c linux-2.6.33.1/drivers/char/keyboard.c
21790 --- linux-2.6.33.1/drivers/char/keyboard.c 2010-03-15 12:09:39.000000000 -0400
21791 +++ linux-2.6.33.1/drivers/char/keyboard.c 2010-03-20 16:58:39.608700771 -0400
21792 @@ -652,6 +652,16 @@ static void k_spec(struct vc_data *vc, u
21793 kbd->kbdmode == VC_MEDIUMRAW) &&
21794 value != KVAL(K_SAK))
21795 return; /* SAK is allowed even in raw mode */
21797 +#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
21799 + void *func = fn_handler[value];
21800 + if (func == fn_show_state || func == fn_show_ptregs ||
21801 + func == fn_show_mem)
21806 fn_handler[value](vc);
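Review bot: `void *func = fn_handler[value];` stores a function pointer in an object pointer and then compares it with function designators, which ISO C does not define and which drops type checking. Declaring `func` with the element type of `fn_handler` keeps the comparison typed. The three named handlers also form a deny-list that has to be revisited whenever another state-dumping handler is added to the table, so a comment naming the criterion next to the list would help. The remainder of the added condition is not visible in this view, so this covers only the lines shown.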
21809 @@ -1405,7 +1415,7 @@ static const struct input_device_id kbd_
21810 .evbit = { BIT_MASK(EV_SND) },
21813 - { }, /* Terminating entry */
21814 + { 0 }, /* Terminating entry */
21817 MODULE_DEVICE_TABLE(input, kbd_ids);
21818 diff -urNp linux-2.6.33.1/drivers/char/mem.c linux-2.6.33.1/drivers/char/mem.c
21819 --- linux-2.6.33.1/drivers/char/mem.c 2010-03-15 12:09:39.000000000 -0400
21820 +++ linux-2.6.33.1/drivers/char/mem.c 2010-03-20 16:58:39.608700771 -0400
21822 #include <linux/raw.h>
21823 #include <linux/tty.h>
21824 #include <linux/capability.h>
21825 +#include <linux/security.h>
21826 #include <linux/ptrace.h>
21827 #include <linux/device.h>
21828 #include <linux/highmem.h>
21830 # include <linux/efi.h>
21833 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
21834 +extern struct file_operations grsec_fops;
21837 static inline unsigned long size_inside_page(unsigned long start,
21838 unsigned long size)
21840 @@ -191,6 +196,11 @@ static ssize_t write_mem(struct file * f
21841 if (!valid_phys_addr_range(p, count))
21844 +#ifdef CONFIG_GRKERNSEC_KMEM
21845 + gr_handle_mem_write();
21851 #ifdef __ARCH_HAS_NO_PAGE_ZERO_MAPPED
21852 @@ -311,6 +321,11 @@ static int mmap_mem(struct file * file,
21853 &vma->vm_page_prot))
21856 +#ifdef CONFIG_GRKERNSEC_KMEM
21857 + if (gr_handle_mem_mmap(vma->vm_pgoff << PAGE_SHIFT, vma))
21861 vma->vm_page_prot = phys_mem_access_prot(file, vma->vm_pgoff,
21863 vma->vm_page_prot);
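Review bot: `vma->vm_pgoff << PAGE_SHIFT` is evaluated in `unsigned long`, so on a 32-bit kernel that can address physical memory above 4 GiB the high bits are lost before `gr_handle_mem_mmap()` sees the offset, and the policy decision would be made on the wrong address. The unchanged `phys_mem_access_prot(file, vma->vm_pgoff, ...)` call just below passes the page frame number instead. Doing the same here, or widening first with `(u64)vma->vm_pgoff << PAGE_SHIFT`, avoids the truncation. Whether this matters depends on the helper's parameter type, which is defined outside this hunk.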
21864 @@ -527,6 +542,11 @@ static ssize_t write_kmem(struct file *
21865 char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
21868 +#ifdef CONFIG_GRKERNSEC_KMEM
21869 + gr_handle_kmem_write();
21873 if (p < (unsigned long) high_memory) {
21874 unsigned long to_write = min_t(unsigned long, count,
21875 (unsigned long)high_memory - p);
21876 @@ -727,6 +747,16 @@ static loff_t memory_lseek(struct file *
21878 static int open_port(struct inode * inode, struct file * filp)
21880 +#ifdef CONFIG_GRKERNSEC_KMEM
21881 + gr_handle_open_port();
21885 + return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
21888 +static int open_mem(struct inode * inode, struct file * filp)
21890 return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
21893 @@ -734,7 +764,6 @@ static int open_port(struct inode * inod
21894 #define full_lseek null_lseek
21895 #define write_zero write_null
21896 #define read_full read_zero
21897 -#define open_mem open_port
21898 #define open_kmem open_mem
21899 #define open_oldmem open_mem
21901 @@ -850,6 +879,9 @@ static const struct memdev {
21902 #ifdef CONFIG_CRASH_DUMP
21903 [12] = { "oldmem", 0, &oldmem_fops, NULL },
21905 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
21906 + [13] = { "grsec",S_IRUSR | S_IWUGO, &grsec_fops, NULL },
21910 static int memory_open(struct inode *inode, struct file *filp)
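Review bot: The new `[13]` entry creates the `grsec` node with `S_IRUSR | S_IWUGO`, i.e. writable by every user, and nothing on the line says that this is deliberate. If the design is that every write is authenticated inside the `grsec_fops` handlers (they are not in this file section), a comment such as `/* world-writable on purpose: callers are authenticated in the write handler */` would stop a later cleanup from tightening it blindly or copying the mode for another node. `grsec_fops` is also declared `extern` without `const` near the top of this file while the same patch constifies other ops tables; `extern const struct file_operations grsec_fops;` would be consistent if the definition allows it.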
21911 diff -urNp linux-2.6.33.1/drivers/char/nvram.c linux-2.6.33.1/drivers/char/nvram.c
21912 --- linux-2.6.33.1/drivers/char/nvram.c 2010-03-15 12:09:39.000000000 -0400
21913 +++ linux-2.6.33.1/drivers/char/nvram.c 2010-03-20 16:58:39.612523711 -0400
21914 @@ -246,7 +246,7 @@ static ssize_t nvram_read(struct file *f
21916 spin_unlock_irq(&rtc_lock);
21918 - if (copy_to_user(buf, contents, tmp - contents))
21919 + if (tmp - contents > sizeof(contents) || copy_to_user(buf, contents, tmp - contents))
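Review bot: The added `tmp - contents > sizeof(contents)` test runs after `contents` has been filled, so it keeps an oversized length away from `copy_to_user()` but cannot prevent the write past the buffer that would have produced it. The fill loop is outside this hunk and is where the bound belongs. The comparison also mixes a signed pointer difference with `size_t`; it works because a negative difference converts to a huge value, but computing `size_t len = tmp - contents;` once and using `len` in both places would make that explicit.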
21923 @@ -434,7 +434,10 @@ static const struct file_operations nvra
21924 static struct miscdevice nvram_dev = {
21934 static int __init nvram_init(void)
21935 diff -urNp linux-2.6.33.1/drivers/char/pcmcia/ipwireless/tty.c linux-2.6.33.1/drivers/char/pcmcia/ipwireless/tty.c
21936 --- linux-2.6.33.1/drivers/char/pcmcia/ipwireless/tty.c 2010-03-15 12:09:39.000000000 -0400
21937 +++ linux-2.6.33.1/drivers/char/pcmcia/ipwireless/tty.c 2010-03-20 16:58:39.612523711 -0400
21938 @@ -51,7 +51,7 @@ struct ipw_tty {
21940 struct ipw_network *network;
21941 struct tty_struct *linux_tty;
21943 + atomic_t open_count;
21944 unsigned int control_lines;
21945 struct mutex ipw_tty_mutex;
21946 int tx_bytes_queued;
21947 @@ -127,10 +127,10 @@ static int ipw_open(struct tty_struct *l
21948 mutex_unlock(&tty->ipw_tty_mutex);
21951 - if (tty->open_count == 0)
21952 + if (atomic_read(&tty->open_count) == 0)
21953 tty->tx_bytes_queued = 0;
21955 - tty->open_count++;
21956 + atomic_inc(&tty->open_count);
21958 tty->linux_tty = linux_tty;
21959 linux_tty->driver_data = tty;
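Review bot: `ipw_open` still tests the counter with `atomic_read()` and bumps it with a separate `atomic_inc()`, so the first-open reset of `tx_bytes_queued` is only correct while `ipw_tty_mutex` is held; the lock acquisition is outside this hunk. `do_ipw_close` in the next hunk uses the combined `atomic_dec_return()`, and the matching form here, equivalent under the mutex, would be `if (atomic_inc_return(&tty->open_count) == 1) tty->tx_bytes_queued = 0;`. The bare `atomic_read()` tests in `ipw_write_room`, `ipw_chars_in_buffer`, `ipw_tiocmget`, `ipw_tiocmset` and `ipw_ioctl` show no lock in their hunks, so the value they act on is only a snapshot and a comment there should say so.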
21960 @@ -146,9 +146,7 @@ static int ipw_open(struct tty_struct *l
21962 static void do_ipw_close(struct ipw_tty *tty)
21964 - tty->open_count--;
21966 - if (tty->open_count == 0) {
21967 + if (atomic_dec_return(&tty->open_count) == 0) {
21968 struct tty_struct *linux_tty = tty->linux_tty;
21970 if (linux_tty != NULL) {
21971 @@ -169,7 +167,7 @@ static void ipw_hangup(struct tty_struct
21974 mutex_lock(&tty->ipw_tty_mutex);
21975 - if (tty->open_count == 0) {
21976 + if (atomic_read(&tty->open_count) == 0) {
21977 mutex_unlock(&tty->ipw_tty_mutex);
21980 @@ -198,7 +196,7 @@ void ipwireless_tty_received(struct ipw_
21984 - if (!tty->open_count) {
21985 + if (!atomic_read(&tty->open_count)) {
21986 mutex_unlock(&tty->ipw_tty_mutex);
21989 @@ -240,7 +238,7 @@ static int ipw_write(struct tty_struct *
21992 mutex_lock(&tty->ipw_tty_mutex);
21993 - if (!tty->open_count) {
21994 + if (!atomic_read(&tty->open_count)) {
21995 mutex_unlock(&tty->ipw_tty_mutex);
21998 @@ -280,7 +278,7 @@ static int ipw_write_room(struct tty_str
22002 - if (!tty->open_count)
22003 + if (!atomic_read(&tty->open_count))
22006 room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued;
22007 @@ -322,7 +320,7 @@ static int ipw_chars_in_buffer(struct tt
22011 - if (!tty->open_count)
22012 + if (!atomic_read(&tty->open_count))
22015 return tty->tx_bytes_queued;
22016 @@ -403,7 +401,7 @@ static int ipw_tiocmget(struct tty_struc
22020 - if (!tty->open_count)
22021 + if (!atomic_read(&tty->open_count))
22024 return get_control_lines(tty);
22025 @@ -419,7 +417,7 @@ ipw_tiocmset(struct tty_struct *linux_tt
22029 - if (!tty->open_count)
22030 + if (!atomic_read(&tty->open_count))
22033 return set_control_lines(tty, set, clear);
22034 @@ -433,7 +431,7 @@ static int ipw_ioctl(struct tty_struct *
22038 - if (!tty->open_count)
22039 + if (!atomic_read(&tty->open_count))
22042 /* FIXME: Exactly how is the tty object locked here .. */
22043 @@ -591,7 +589,7 @@ void ipwireless_tty_free(struct ipw_tty
22044 against a parallel ioctl etc */
22045 mutex_lock(&ttyj->ipw_tty_mutex);
22047 - while (ttyj->open_count)
22048 + while (atomic_read(&ttyj->open_count))
22049 do_ipw_close(ttyj);
22050 ipwireless_disassociate_network_ttys(network,
22051 ttyj->channel_idx);
22052 diff -urNp linux-2.6.33.1/drivers/char/pty.c linux-2.6.33.1/drivers/char/pty.c
22053 --- linux-2.6.33.1/drivers/char/pty.c 2010-03-15 12:09:39.000000000 -0400
22054 +++ linux-2.6.33.1/drivers/char/pty.c 2010-03-20 16:58:39.612523711 -0400
22055 @@ -676,7 +676,18 @@ static int ptmx_open(struct inode *inode
22059 -static struct file_operations ptmx_fops;
22060 +static const struct file_operations ptmx_fops = {
22061 + .llseek = no_llseek,
22062 + .read = tty_read,
22063 + .write = tty_write,
22064 + .poll = tty_poll,
22065 + .unlocked_ioctl = tty_ioctl,
22066 + .compat_ioctl = tty_compat_ioctl,
22067 + .open = ptmx_open,
22068 + .release = tty_release,
22069 + .fasync = tty_fasync,
22073 static void __init unix98_pty_init(void)
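Review bot: The new `ptmx_fops` initializer copies the tty handler list by hand, so a handler later added to `tty_fops` in tty_io.c will silently be missing for /dev/ptmx, whereas the removed `tty_default_fops()` call picked it up automatically. A comment such as `/* must mirror tty_fops in tty_io.c, except .open */` above the initializer would keep the two in step. Separately, `.compat_ioctl = tty_compat_ioctl` now needs that name to resolve when CONFIG_COMPAT is off. The tty_io.c part of this patch removes the `#define tty_compat_ioctl NULL` fallback and the replacement declaration is not visible in this chunk, so confirm the shared header supplies one.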
22075 @@ -730,9 +741,6 @@ static void __init unix98_pty_init(void)
22076 register_sysctl_table(pty_root_table);
22078 /* Now create the /dev/ptmx special device */
22079 - tty_default_fops(&ptmx_fops);
22080 - ptmx_fops.open = ptmx_open;
22082 cdev_init(&ptmx_cdev, &ptmx_fops);
22083 if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
22084 register_chrdev_region(MKDEV(TTYAUX_MAJOR, 2), 1, "/dev/ptmx") < 0)
22085 diff -urNp linux-2.6.33.1/drivers/char/random.c linux-2.6.33.1/drivers/char/random.c
22086 --- linux-2.6.33.1/drivers/char/random.c 2010-03-15 12:09:39.000000000 -0400
22087 +++ linux-2.6.33.1/drivers/char/random.c 2010-03-20 16:58:39.620815282 -0400
22088 @@ -254,8 +254,13 @@
22090 * Configuration information
22092 +#ifdef CONFIG_GRKERNSEC_RANDNET
22093 +#define INPUT_POOL_WORDS 512
22094 +#define OUTPUT_POOL_WORDS 128
22096 #define INPUT_POOL_WORDS 128
22097 #define OUTPUT_POOL_WORDS 32
22099 #define SEC_XFER_SIZE 512
22102 @@ -292,10 +297,17 @@ static struct poolinfo {
22104 int tap1, tap2, tap3, tap4, tap5;
22105 } poolinfo_table[] = {
22106 +#ifdef CONFIG_GRKERNSEC_RANDNET
22107 + /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
22108 + { 512, 411, 308, 208, 104, 1 },
22109 + /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
22110 + { 128, 103, 76, 51, 25, 1 },
22112 /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
22113 { 128, 103, 76, 51, 25, 1 },
22114 /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
22115 { 32, 26, 20, 14, 7, 1 },
22118 /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
22119 { 2048, 1638, 1231, 819, 411, 1 },
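Review bot: The rows added under CONFIG_GRKERNSEC_RANDNET are tied to the `INPUT_POOL_WORDS`/`OUTPUT_POOL_WORDS` values from the previous hunk only by position and by matching literals (512 and 128), and nothing here says so. If the pools pick their row by index, as the ordering suggests, a later edit to one side would leave a pool with taps for the wrong size. A comment above the `#ifdef`, e.g. `/* first two rows must match INPUT_POOL_WORDS and OUTPUT_POOL_WORDS */`, would make the dependency explicit. The table definition starts and ends outside the hunk.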
22120 @@ -903,7 +915,7 @@ static ssize_t extract_entropy_user(stru
22122 extract_buf(r, tmp);
22123 i = min_t(int, nbytes, EXTRACT_SIZE);
22124 - if (copy_to_user(buf, tmp, i)) {
22125 + if (i > sizeof(tmp) || copy_to_user(buf, tmp, i)) {
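Review bot: The added guard `i > sizeof(tmp)` compares a value produced by `min_t(int, nbytes, EXTRACT_SIZE)` with a `size_t`, so it catches a negative `i` only through implicit conversion to unsigned. This assumes `i` is a signed int, as the `min_t(int, …)` suggests; its declaration is outside the hunk. If `nbytes` is an unsigned size, a request above INT_MAX then takes the error branch instead of being clamped to `EXTRACT_SIZE`. Clamping in the unsigned domain one line earlier, `i = min_t(size_t, nbytes, EXTRACT_SIZE);`, removes the negative case at its source and leaves the new check as a plain sanity test. extract_entropy_user's body continues outside the hunk.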
22129 @@ -1209,7 +1221,7 @@ EXPORT_SYMBOL(generate_random_uuid);
22130 #include <linux/sysctl.h>
22132 static int min_read_thresh = 8, min_write_thresh;
22133 -static int max_read_thresh = INPUT_POOL_WORDS * 32;
22134 +static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
22135 static int max_write_thresh = INPUT_POOL_WORDS * 32;
22136 static char sysctl_bootid[16];
22138 diff -urNp linux-2.6.33.1/drivers/char/sonypi.c linux-2.6.33.1/drivers/char/sonypi.c
22139 --- linux-2.6.33.1/drivers/char/sonypi.c 2010-03-15 12:09:39.000000000 -0400
22140 +++ linux-2.6.33.1/drivers/char/sonypi.c 2010-03-20 16:58:39.624516836 -0400
22141 @@ -490,7 +490,7 @@ static struct sonypi_device {
22142 spinlock_t fifo_lock;
22143 wait_queue_head_t fifo_proc_list;
22144 struct fasync_struct *fifo_async;
22146 + atomic_t open_count;
22148 struct input_dev *input_jog_dev;
22149 struct input_dev *input_key_dev;
22150 @@ -897,7 +897,7 @@ static int sonypi_misc_fasync(int fd, st
22151 static int sonypi_misc_release(struct inode *inode, struct file *file)
22153 mutex_lock(&sonypi_device.lock);
22154 - sonypi_device.open_count--;
22155 + atomic_dec(&sonypi_device.open_count);
22156 mutex_unlock(&sonypi_device.lock);
22159 @@ -906,9 +906,9 @@ static int sonypi_misc_open(struct inode
22161 mutex_lock(&sonypi_device.lock);
22162 /* Flush input queue on first open */
22163 - if (!sonypi_device.open_count)
22164 + if (!atomic_read(&sonypi_device.open_count))
22165 kfifo_reset(&sonypi_device.fifo);
22166 - sonypi_device.open_count++;
22167 + atomic_inc(&sonypi_device.open_count);
22168 mutex_unlock(&sonypi_device.lock);
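Review bot: In sonypi_misc_open the first-open test and the increment remain two separate operations, `atomic_read()` then `atomic_inc()`. The atomic type therefore adds no protection by itself, and correctness still rests on `sonypi_device.lock`, which is held across both. Folding them into `if (atomic_inc_return(&sonypi_device.open_count) == 1) kfifo_reset(&sonypi_device.fifo);` expresses "first open" in one step and matches the form this patch uses in drm_open. The function body extends outside the hunk.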
22171 diff -urNp linux-2.6.33.1/drivers/char/tpm/tpm_bios.c linux-2.6.33.1/drivers/char/tpm/tpm_bios.c
22172 --- linux-2.6.33.1/drivers/char/tpm/tpm_bios.c 2010-03-15 12:09:39.000000000 -0400
22173 +++ linux-2.6.33.1/drivers/char/tpm/tpm_bios.c 2010-03-20 16:58:39.624516836 -0400
22174 @@ -172,7 +172,7 @@ static void *tpm_bios_measurements_start
22177 if ((event->event_type == 0 && event->event_size == 0) ||
22178 - ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
22179 + (event->event_size >= limit - addr - sizeof(struct tcpa_event)))
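Review bot: The rewritten bound `event->event_size >= limit - addr - sizeof(struct tcpa_event)` avoids overflowing the pointer sum, but the subtraction itself wraps if fewer than `sizeof(struct tcpa_event)` bytes remain between `addr` and `limit`. That would turn the right-hand side into a very large value and let any `event_size` pass. The check is sound only if an earlier test guarantees the header fits below `limit`; that test is not visible in this hunk, so confirm it still precedes this line. The same applies to the identical change with `v` in tpm_bios_measurements_next below. A one-line comment, `/* safe: header already checked to fit below limit */`, would record the dependency; both function bodies extend outside their hunks.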
22183 @@ -197,7 +197,7 @@ static void *tpm_bios_measurements_next(
22186 if ((event->event_type == 0 && event->event_size == 0) ||
22187 - ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
22188 + (event->event_size >= limit - v - sizeof(struct tcpa_event)))
22192 @@ -290,7 +290,8 @@ static int tpm_binary_bios_measurements_
22195 for (i = 0; i < sizeof(struct tcpa_event) + event->event_size; i++)
22196 - seq_putc(m, data[i]);
22197 + if (!seq_putc(m, data[i]))
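Review bot: The new test `if (!seq_putc(m, data[i]))` looks inverted. As far as I know, seq_putc() in this kernel series returns 0 when the byte was stored and -1 when the buffer is full, so the branch fires on success rather than on failure. The statement it guards is not visible in this chunk, but if it is an error return, the first byte written would abort the dump. The condition should read `if (seq_putc(m, data[i]))`. The loop body and the rest of the function are outside the hunk.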
22202 @@ -409,6 +410,11 @@ static int read_log(struct tpm_bios_log
22203 log->bios_event_log_end = log->bios_event_log + len;
22205 virt = acpi_os_map_memory(start, len);
22207 + kfree(log->bios_event_log);
22208 + log->bios_event_log = NULL;
22212 memcpy(log->bios_event_log, virt, len);
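Review bot: The added failure path frees `log->bios_event_log` and clears it, but `log->bios_event_log_end`, assigned at the top of this hunk, is left pointing past the freed buffer as far as the visible lines show. A later reader that walks up to the end pointer without first testing the start would touch freed memory. Resetting it alongside, `log->bios_event_log_end = NULL;`, keeps the pair consistent. The condition that guards the added lines and the return that follows them are not visible here.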
22214 diff -urNp linux-2.6.33.1/drivers/char/tty_io.c linux-2.6.33.1/drivers/char/tty_io.c
22215 --- linux-2.6.33.1/drivers/char/tty_io.c 2010-03-15 12:09:39.000000000 -0400
22216 +++ linux-2.6.33.1/drivers/char/tty_io.c 2010-03-20 16:58:39.628796519 -0400
22217 @@ -136,20 +136,10 @@ LIST_HEAD(tty_drivers); /* linked list
22218 DEFINE_MUTEX(tty_mutex);
22219 EXPORT_SYMBOL(tty_mutex);
22221 -static ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
22222 -static ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
22223 ssize_t redirected_tty_write(struct file *, const char __user *,
22225 -static unsigned int tty_poll(struct file *, poll_table *);
22226 static int tty_open(struct inode *, struct file *);
22227 long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
22228 -#ifdef CONFIG_COMPAT
22229 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
22230 - unsigned long arg);
22232 -#define tty_compat_ioctl NULL
22234 -static int tty_fasync(int fd, struct file *filp, int on);
22235 static void release_tty(struct tty_struct *tty, int idx);
22236 static void __proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
22237 static void proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
22238 @@ -871,7 +861,7 @@ EXPORT_SYMBOL(start_tty);
22239 * read calls may be outstanding in parallel.
22242 -static ssize_t tty_read(struct file *file, char __user *buf, size_t count,
22243 +ssize_t tty_read(struct file *file, char __user *buf, size_t count,
22247 @@ -899,6 +889,8 @@ static ssize_t tty_read(struct file *fil
22251 +EXPORT_SYMBOL(tty_read);
22253 void tty_write_unlock(struct tty_struct *tty)
22255 mutex_unlock(&tty->atomic_write_lock);
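Review bot: `EXPORT_SYMBOL(tty_read)` here, and the matching exports of tty_write, tty_release, tty_poll, tty_fasync, tty_ioctl and tty_compat_ioctl in the hunks below, make the raw tty file handlers callable from any loadable module. That is more than the new `ptmx_fops` initializer in pty.c needs if pty.c is always built into the kernel; dropping `static` and declaring the functions in a header would be enough in that case. If a modular user does exist, `EXPORT_SYMBOL_GPL(tty_read);` keeps the surface narrower. Either way, a short comment at each export naming the consumer would explain why these internals are public.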
22256 @@ -1048,7 +1040,7 @@ void tty_write_message(struct tty_struct
22257 * write method will not be invoked in parallel for each device.
22260 -static ssize_t tty_write(struct file *file, const char __user *buf,
22261 +ssize_t tty_write(struct file *file, const char __user *buf,
22262 size_t count, loff_t *ppos)
22264 struct tty_struct *tty;
22265 @@ -1075,6 +1067,8 @@ static ssize_t tty_write(struct file *fi
22269 +EXPORT_SYMBOL(tty_write);
22271 ssize_t redirected_tty_write(struct file *file, const char __user *buf,
22272 size_t count, loff_t *ppos)
22274 @@ -1894,6 +1888,8 @@ got_driver:
22278 +EXPORT_SYMBOL(tty_release);
22281 * tty_poll - check tty status
22282 * @filp: file being polled
22283 @@ -1906,7 +1902,7 @@ got_driver:
22284 * may be re-entered freely by other callers.
22287 -static unsigned int tty_poll(struct file *filp, poll_table *wait)
22288 +unsigned int tty_poll(struct file *filp, poll_table *wait)
22290 struct tty_struct *tty;
22291 struct tty_ldisc *ld;
22292 @@ -1923,7 +1919,9 @@ static unsigned int tty_poll(struct file
22296 -static int tty_fasync(int fd, struct file *filp, int on)
22297 +EXPORT_SYMBOL(tty_poll);
22299 +int tty_fasync(int fd, struct file *filp, int on)
22301 struct tty_struct *tty;
22302 unsigned long flags;
22303 @@ -1967,6 +1965,8 @@ out:
22307 +EXPORT_SYMBOL(tty_fasync);
22310 * tiocsti - fake input character
22311 * @tty: tty to fake input into
22312 @@ -2599,8 +2599,10 @@ long tty_ioctl(struct file *file, unsign
22316 +EXPORT_SYMBOL(tty_ioctl);
22318 #ifdef CONFIG_COMPAT
22319 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
22320 +long tty_compat_ioctl(struct file *file, unsigned int cmd,
22323 struct inode *inode = file->f_dentry->d_inode;
22324 @@ -2624,6 +2626,9 @@ static long tty_compat_ioctl(struct file
22329 +EXPORT_SYMBOL(tty_compat_ioctl);
22334 @@ -3067,11 +3072,6 @@ struct tty_struct *get_current_tty(void)
22336 EXPORT_SYMBOL_GPL(get_current_tty);
22338 -void tty_default_fops(struct file_operations *fops)
22340 - *fops = tty_fops;
22344 * Initialize the console device. This is called *early*, so
22345 * we can't necessarily depend on lots of kernel help here.
22346 diff -urNp linux-2.6.33.1/drivers/char/tty_ldisc.c linux-2.6.33.1/drivers/char/tty_ldisc.c
22347 --- linux-2.6.33.1/drivers/char/tty_ldisc.c 2010-03-15 12:09:39.000000000 -0400
22348 +++ linux-2.6.33.1/drivers/char/tty_ldisc.c 2010-03-20 16:58:39.628796519 -0400
22349 @@ -75,7 +75,7 @@ static void put_ldisc(struct tty_ldisc *
22350 if (atomic_dec_and_lock(&ld->users, &tty_ldisc_lock)) {
22351 struct tty_ldisc_ops *ldo = ld->ops;
22354 + atomic_dec(&ldo->refcount);
22355 module_put(ldo->owner);
22356 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
22358 @@ -109,7 +109,7 @@ int tty_register_ldisc(int disc, struct
22359 spin_lock_irqsave(&tty_ldisc_lock, flags);
22360 tty_ldiscs[disc] = new_ldisc;
22361 new_ldisc->num = disc;
22362 - new_ldisc->refcount = 0;
22363 + atomic_set(&new_ldisc->refcount, 0);
22364 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
22367 @@ -137,7 +137,7 @@ int tty_unregister_ldisc(int disc)
22370 spin_lock_irqsave(&tty_ldisc_lock, flags);
22371 - if (tty_ldiscs[disc]->refcount)
22372 + if (atomic_read(&tty_ldiscs[disc]->refcount))
22375 tty_ldiscs[disc] = NULL;
22376 @@ -158,7 +158,7 @@ static struct tty_ldisc_ops *get_ldops(i
22378 ret = ERR_PTR(-EAGAIN);
22379 if (try_module_get(ldops->owner)) {
22380 - ldops->refcount++;
22381 + atomic_inc(&ldops->refcount);
22385 @@ -171,7 +171,7 @@ static void put_ldops(struct tty_ldisc_o
22386 unsigned long flags;
22388 spin_lock_irqsave(&tty_ldisc_lock, flags);
22389 - ldops->refcount--;
22390 + atomic_dec(&ldops->refcount);
22391 module_put(ldops->owner);
22392 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
22394 diff -urNp linux-2.6.33.1/drivers/char/virtio_console.c linux-2.6.33.1/drivers/char/virtio_console.c
22395 --- linux-2.6.33.1/drivers/char/virtio_console.c 2010-03-15 12:09:39.000000000 -0400
22396 +++ linux-2.6.33.1/drivers/char/virtio_console.c 2010-03-20 16:58:39.628796519 -0400
22397 @@ -44,6 +44,7 @@ static unsigned int in_len;
22398 static char *in, *inbuf;
22400 /* The operations for our console. */
22401 +/* cannot be const */
22402 static struct hv_ops virtio_cons;
22404 /* The hvc device */
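Review bot: The added comment `/* cannot be const */` states a constraint without the reason, so the next person constifying ops structures has to rediscover it. If the reason is that members of `virtio_cons` are assigned at run time (not visible in this hunk), say so, e.g. `/* cannot be const: members are filled in at run time */`, adjusted to whatever the actual cause is.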
22405 diff -urNp linux-2.6.33.1/drivers/char/vt_ioctl.c linux-2.6.33.1/drivers/char/vt_ioctl.c
22406 --- linux-2.6.33.1/drivers/char/vt_ioctl.c 2010-03-15 12:09:39.000000000 -0400
22407 +++ linux-2.6.33.1/drivers/char/vt_ioctl.c 2010-03-20 16:58:39.632763861 -0400
22408 @@ -226,6 +226,12 @@ do_kdsk_ioctl(int cmd, struct kbentry __
22413 +#ifdef CONFIG_GRKERNSEC
22414 + if (!capable(CAP_SYS_TTY_CONFIG))
22418 if (!i && v == K_NOSUCHMAP) {
22419 /* deallocate map */
22420 key_map = key_maps[s];
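Review bot: The `capable(CAP_SYS_TTY_CONFIG)` test added here, and again in the do_kdgkb_ioctl hunk below, carries no comment saying why it is needed on top of whatever permission handling the function presumably already has (that code is outside the hunk). A line such as `/* GRKERNSEC: changing the keymap always requires CAP_SYS_TTY_CONFIG */` would make the intent reviewable. The two open-coded `#ifdef CONFIG_GRKERNSEC` blocks inside function bodies could also be folded into one small static inline helper that compiles to nothing when the option is off, so the policy lives in one place.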
22421 @@ -366,6 +372,13 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
22425 +#ifdef CONFIG_GRKERNSEC
22426 + if (!capable(CAP_SYS_TTY_CONFIG)) {
22433 first_free = funcbufptr + (funcbufsize - funcbufleft);
22434 for (j = i+1; j < MAX_NR_FUNC && !func_table[j]; j++)
22435 diff -urNp linux-2.6.33.1/drivers/cpufreq/cpufreq.c linux-2.6.33.1/drivers/cpufreq/cpufreq.c
22436 --- linux-2.6.33.1/drivers/cpufreq/cpufreq.c 2010-03-15 12:09:39.000000000 -0400
22437 +++ linux-2.6.33.1/drivers/cpufreq/cpufreq.c 2010-03-20 16:58:39.632763861 -0400
22438 @@ -766,7 +766,7 @@ static void cpufreq_sysfs_release(struct
22439 complete(&policy->kobj_unregister);
22442 -static struct sysfs_ops sysfs_ops = {
22443 +static const struct sysfs_ops sysfs_ops = {
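Review bot: Making `sysfs_ops` const compiles cleanly only if the pointer that receives it is itself `const struct sysfs_ops *`; otherwise every `.sysfs_ops = &…` initializer discards the qualifier. That pointer is the `sysfs_ops` member of `struct kobj_type`, declared in a header outside this chunk. The same holds for the cpuidle, ioat, edac, edd, efivars, iscsi_ibft and memmap tables constified below. Confirm the header change is part of the series before relying on these tables being placed in read-only data.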
22447 diff -urNp linux-2.6.33.1/drivers/cpuidle/sysfs.c linux-2.6.33.1/drivers/cpuidle/sysfs.c
22448 --- linux-2.6.33.1/drivers/cpuidle/sysfs.c 2010-03-15 12:09:39.000000000 -0400
22449 +++ linux-2.6.33.1/drivers/cpuidle/sysfs.c 2010-03-20 16:58:39.640816327 -0400
22450 @@ -191,7 +191,7 @@ static ssize_t cpuidle_store(struct kobj
22454 -static struct sysfs_ops cpuidle_sysfs_ops = {
22455 +static const struct sysfs_ops cpuidle_sysfs_ops = {
22456 .show = cpuidle_show,
22457 .store = cpuidle_store,
22459 @@ -277,7 +277,7 @@ static ssize_t cpuidle_state_show(struct
22463 -static struct sysfs_ops cpuidle_state_sysfs_ops = {
22464 +static const struct sysfs_ops cpuidle_state_sysfs_ops = {
22465 .show = cpuidle_state_show,
22468 diff -urNp linux-2.6.33.1/drivers/dma/ioat/dma.c linux-2.6.33.1/drivers/dma/ioat/dma.c
22469 --- linux-2.6.33.1/drivers/dma/ioat/dma.c 2010-03-15 12:09:39.000000000 -0400
22470 +++ linux-2.6.33.1/drivers/dma/ioat/dma.c 2010-03-20 16:58:39.664561584 -0400
22471 @@ -1146,7 +1146,7 @@ ioat_attr_show(struct kobject *kobj, str
22472 return entry->show(&chan->common, page);
22475 -struct sysfs_ops ioat_sysfs_ops = {
22476 +const struct sysfs_ops ioat_sysfs_ops = {
22477 .show = ioat_attr_show,
22480 diff -urNp linux-2.6.33.1/drivers/dma/ioat/dma.h linux-2.6.33.1/drivers/dma/ioat/dma.h
22481 --- linux-2.6.33.1/drivers/dma/ioat/dma.h 2010-03-15 12:09:39.000000000 -0400
22482 +++ linux-2.6.33.1/drivers/dma/ioat/dma.h 2010-03-20 16:58:39.664561584 -0400
22483 @@ -347,7 +347,7 @@ bool ioat_cleanup_preamble(struct ioat_c
22484 unsigned long *phys_complete);
22485 void ioat_kobject_add(struct ioatdma_device *device, struct kobj_type *type);
22486 void ioat_kobject_del(struct ioatdma_device *device);
22487 -extern struct sysfs_ops ioat_sysfs_ops;
22488 +extern const struct sysfs_ops ioat_sysfs_ops;
22489 extern struct ioat_sysfs_entry ioat_version_attr;
22490 extern struct ioat_sysfs_entry ioat_cap_attr;
22491 #endif /* IOATDMA_H */
22492 diff -urNp linux-2.6.33.1/drivers/edac/edac_core.h linux-2.6.33.1/drivers/edac/edac_core.h
22493 --- linux-2.6.33.1/drivers/edac/edac_core.h 2010-03-15 12:09:39.000000000 -0400
22494 +++ linux-2.6.33.1/drivers/edac/edac_core.h 2010-03-20 16:58:39.668813885 -0400
22495 @@ -100,11 +100,11 @@ extern const char *edac_mem_types[];
22497 #else /* !CONFIG_EDAC_DEBUG */
22499 -#define debugf0( ... )
22500 -#define debugf1( ... )
22501 -#define debugf2( ... )
22502 -#define debugf3( ... )
22503 -#define debugf4( ... )
22504 +#define debugf0( ... ) do {} while (0)
22505 +#define debugf1( ... ) do {} while (0)
22506 +#define debugf2( ... ) do {} while (0)
22507 +#define debugf3( ... ) do {} while (0)
22508 +#define debugf4( ... ) do {} while (0)
22510 #endif /* !CONFIG_EDAC_DEBUG */
22512 diff -urNp linux-2.6.33.1/drivers/edac/edac_device_sysfs.c linux-2.6.33.1/drivers/edac/edac_device_sysfs.c
22513 --- linux-2.6.33.1/drivers/edac/edac_device_sysfs.c 2010-03-15 12:09:39.000000000 -0400
22514 +++ linux-2.6.33.1/drivers/edac/edac_device_sysfs.c 2010-03-20 16:58:39.672639279 -0400
22515 @@ -137,7 +137,7 @@ static ssize_t edac_dev_ctl_info_store(s
22518 /* edac_dev file operations for an 'ctl_info' */
22519 -static struct sysfs_ops device_ctl_info_ops = {
22520 +static const struct sysfs_ops device_ctl_info_ops = {
22521 .show = edac_dev_ctl_info_show,
22522 .store = edac_dev_ctl_info_store
22524 @@ -373,7 +373,7 @@ static ssize_t edac_dev_instance_store(s
22527 /* edac_dev file operations for an 'instance' */
22528 -static struct sysfs_ops device_instance_ops = {
22529 +static const struct sysfs_ops device_instance_ops = {
22530 .show = edac_dev_instance_show,
22531 .store = edac_dev_instance_store
22533 @@ -476,7 +476,7 @@ static ssize_t edac_dev_block_store(stru
22536 /* edac_dev file operations for a 'block' */
22537 -static struct sysfs_ops device_block_ops = {
22538 +static const struct sysfs_ops device_block_ops = {
22539 .show = edac_dev_block_show,
22540 .store = edac_dev_block_store
22542 diff -urNp linux-2.6.33.1/drivers/edac/edac_mc_sysfs.c linux-2.6.33.1/drivers/edac/edac_mc_sysfs.c
22543 --- linux-2.6.33.1/drivers/edac/edac_mc_sysfs.c 2010-03-15 12:09:39.000000000 -0400
22544 +++ linux-2.6.33.1/drivers/edac/edac_mc_sysfs.c 2010-03-20 16:58:39.676823381 -0400
22545 @@ -245,7 +245,7 @@ static ssize_t csrowdev_store(struct kob
22549 -static struct sysfs_ops csrowfs_ops = {
22550 +static const struct sysfs_ops csrowfs_ops = {
22551 .show = csrowdev_show,
22552 .store = csrowdev_store
22554 @@ -575,7 +575,7 @@ static ssize_t mcidev_store(struct kobje
22557 /* Intermediate show/store table */
22558 -static struct sysfs_ops mci_ops = {
22559 +static const struct sysfs_ops mci_ops = {
22560 .show = mcidev_show,
22561 .store = mcidev_store
22563 diff -urNp linux-2.6.33.1/drivers/edac/edac_pci_sysfs.c linux-2.6.33.1/drivers/edac/edac_pci_sysfs.c
22564 --- linux-2.6.33.1/drivers/edac/edac_pci_sysfs.c 2010-03-15 12:09:39.000000000 -0400
22565 +++ linux-2.6.33.1/drivers/edac/edac_pci_sysfs.c 2010-03-20 16:58:39.680817937 -0400
22566 @@ -121,7 +121,7 @@ static ssize_t edac_pci_instance_store(s
22570 -static struct sysfs_ops pci_instance_ops = {
22571 +static const struct sysfs_ops pci_instance_ops = {
22572 .show = edac_pci_instance_show,
22573 .store = edac_pci_instance_store
22575 @@ -261,7 +261,7 @@ static ssize_t edac_pci_dev_store(struct
22579 -static struct sysfs_ops edac_pci_sysfs_ops = {
22580 +static const struct sysfs_ops edac_pci_sysfs_ops = {
22581 .show = edac_pci_dev_show,
22582 .store = edac_pci_dev_store
22584 diff -urNp linux-2.6.33.1/drivers/firmware/dmi_scan.c linux-2.6.33.1/drivers/firmware/dmi_scan.c
22585 --- linux-2.6.33.1/drivers/firmware/dmi_scan.c 2010-03-15 12:09:39.000000000 -0400
22586 +++ linux-2.6.33.1/drivers/firmware/dmi_scan.c 2010-03-20 16:58:39.680817937 -0400
22587 @@ -388,11 +388,6 @@ void __init dmi_scan_machine(void)
22592 - * no iounmap() for that ioremap(); it would be a no-op, but
22593 - * it's so early in setup that sucker gets confused into doing
22594 - * what it shouldn't if we actually call it.
22596 p = dmi_ioremap(0xF0000, 0x10000);
22599 diff -urNp linux-2.6.33.1/drivers/firmware/edd.c linux-2.6.33.1/drivers/firmware/edd.c
22600 --- linux-2.6.33.1/drivers/firmware/edd.c 2010-03-15 12:09:39.000000000 -0400
22601 +++ linux-2.6.33.1/drivers/firmware/edd.c 2010-03-20 16:58:39.680817937 -0400
22602 @@ -122,7 +122,7 @@ edd_attr_show(struct kobject * kobj, str
22606 -static struct sysfs_ops edd_attr_ops = {
22607 +static const struct sysfs_ops edd_attr_ops = {
22608 .show = edd_attr_show,
22611 diff -urNp linux-2.6.33.1/drivers/firmware/efivars.c linux-2.6.33.1/drivers/firmware/efivars.c
22612 --- linux-2.6.33.1/drivers/firmware/efivars.c 2010-03-15 12:09:39.000000000 -0400
22613 +++ linux-2.6.33.1/drivers/firmware/efivars.c 2010-03-20 16:58:39.680817937 -0400
22614 @@ -362,7 +362,7 @@ static ssize_t efivar_attr_store(struct
22618 -static struct sysfs_ops efivar_attr_ops = {
22619 +static const struct sysfs_ops efivar_attr_ops = {
22620 .show = efivar_attr_show,
22621 .store = efivar_attr_store,
22623 diff -urNp linux-2.6.33.1/drivers/firmware/iscsi_ibft.c linux-2.6.33.1/drivers/firmware/iscsi_ibft.c
22624 --- linux-2.6.33.1/drivers/firmware/iscsi_ibft.c 2010-03-15 12:09:39.000000000 -0400
22625 +++ linux-2.6.33.1/drivers/firmware/iscsi_ibft.c 2010-03-20 16:58:39.680817937 -0400
22626 @@ -525,7 +525,7 @@ static ssize_t ibft_show_attribute(struc
22630 -static struct sysfs_ops ibft_attr_ops = {
22631 +static const struct sysfs_ops ibft_attr_ops = {
22632 .show = ibft_show_attribute,
22635 diff -urNp linux-2.6.33.1/drivers/firmware/memmap.c linux-2.6.33.1/drivers/firmware/memmap.c
22636 --- linux-2.6.33.1/drivers/firmware/memmap.c 2010-03-15 12:09:39.000000000 -0400
22637 +++ linux-2.6.33.1/drivers/firmware/memmap.c 2010-03-20 16:58:39.684538507 -0400
22638 @@ -74,7 +74,7 @@ static struct attribute *def_attrs[] = {
22642 -static struct sysfs_ops memmap_attr_ops = {
22643 +static const struct sysfs_ops memmap_attr_ops = {
22644 .show = memmap_attr_show,
22647 diff -urNp linux-2.6.33.1/drivers/gpu/drm/drm_drv.c linux-2.6.33.1/drivers/gpu/drm/drm_drv.c
22648 --- linux-2.6.33.1/drivers/gpu/drm/drm_drv.c 2010-03-15 12:09:39.000000000 -0400
22649 +++ linux-2.6.33.1/drivers/gpu/drm/drm_drv.c 2010-03-20 16:58:39.696814507 -0400
22650 @@ -448,7 +448,7 @@ long drm_ioctl(struct file *filp,
22652 dev = file_priv->minor->dev;
22653 atomic_inc(&dev->ioctl_count);
22654 - atomic_inc(&dev->counts[_DRM_STAT_IOCTLS]);
22655 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS]);
22656 ++file_priv->ioctl_count;
22658 DRM_DEBUG("pid=%d, cmd=0x%02x, nr=0x%02x, dev 0x%lx, auth=%d\n",
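Review bot: The switch to `atomic_inc_unchecked()` for `dev->counts[_DRM_STAT_IOCTLS]` leaves `dev->ioctl_count` one line above on the plain `atomic_inc()`, and nothing explains the difference. Presumably `counts[]` holds statistics that may wrap harmlessly while `ioctl_count` is a usage count that must not. A comment such as `/* statistics only, wraparound is harmless */` at this line would record that. The same applies to the `counts[]` updates in drm_fops.c, drm_ioctl.c, drm_lock.c and i810_dma.c below; drm_ioctl's body extends outside the hunk.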
22659 diff -urNp linux-2.6.33.1/drivers/gpu/drm/drm_fops.c linux-2.6.33.1/drivers/gpu/drm/drm_fops.c
22660 --- linux-2.6.33.1/drivers/gpu/drm/drm_fops.c 2010-03-15 12:09:39.000000000 -0400
22661 +++ linux-2.6.33.1/drivers/gpu/drm/drm_fops.c 2010-03-20 16:58:39.704802989 -0400
22662 @@ -66,7 +66,7 @@ static int drm_setup(struct drm_device *
22665 for (i = 0; i < ARRAY_SIZE(dev->counts); i++)
22666 - atomic_set(&dev->counts[i], 0);
22667 + atomic_set_unchecked(&dev->counts[i], 0);
22669 dev->sigdata.lock = NULL;
22671 @@ -130,9 +130,9 @@ int drm_open(struct inode *inode, struct
22673 retcode = drm_open_helper(inode, filp, dev);
22675 - atomic_inc(&dev->counts[_DRM_STAT_OPENS]);
22676 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_OPENS]);
22677 spin_lock(&dev->count_lock);
22678 - if (!dev->open_count++) {
22679 + if (atomic_inc_return(&dev->open_count) == 1) {
22680 spin_unlock(&dev->count_lock);
22681 retcode = drm_setup(dev);
22683 @@ -472,7 +472,7 @@ int drm_release(struct inode *inode, str
22687 - DRM_DEBUG("open_count = %d\n", dev->open_count);
22688 + DRM_DEBUG("open_count = %d\n", atomic_read(&dev->open_count));
22690 if (dev->driver->preclose)
22691 dev->driver->preclose(dev, file_priv);
22692 @@ -484,7 +484,7 @@ int drm_release(struct inode *inode, str
22693 DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n",
22694 task_pid_nr(current),
22695 (long)old_encode_dev(file_priv->minor->device),
22696 - dev->open_count);
22697 + atomic_read(&dev->open_count));
22699 /* if the master has gone away we can't do anything with the lock */
22700 if (file_priv->minor->master)
22701 @@ -565,9 +565,9 @@ int drm_release(struct inode *inode, str
22702 * End inline drm_release
22705 - atomic_inc(&dev->counts[_DRM_STAT_CLOSES]);
22706 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_CLOSES]);
22707 spin_lock(&dev->count_lock);
22708 - if (!--dev->open_count) {
22709 + if (atomic_dec_and_test(&dev->open_count)) {
22710 if (atomic_read(&dev->ioctl_count)) {
22711 DRM_ERROR("Device busy: %d\n",
22712 atomic_read(&dev->ioctl_count));
22713 diff -urNp linux-2.6.33.1/drivers/gpu/drm/drm_ioctl.c linux-2.6.33.1/drivers/gpu/drm/drm_ioctl.c
22714 --- linux-2.6.33.1/drivers/gpu/drm/drm_ioctl.c 2010-03-15 12:09:39.000000000 -0400
22715 +++ linux-2.6.33.1/drivers/gpu/drm/drm_ioctl.c 2010-03-20 16:58:39.704802989 -0400
22716 @@ -283,7 +283,7 @@ int drm_getstats(struct drm_device *dev,
22717 stats->data[i].value =
22718 (file_priv->master->lock.hw_lock ? file_priv->master->lock.hw_lock->lock : 0);
22720 - stats->data[i].value = atomic_read(&dev->counts[i]);
22721 + stats->data[i].value = atomic_read_unchecked(&dev->counts[i]);
22722 stats->data[i].type = dev->types[i];
22725 diff -urNp linux-2.6.33.1/drivers/gpu/drm/drm_lock.c linux-2.6.33.1/drivers/gpu/drm/drm_lock.c
22726 --- linux-2.6.33.1/drivers/gpu/drm/drm_lock.c 2010-03-15 12:09:39.000000000 -0400
22727 +++ linux-2.6.33.1/drivers/gpu/drm/drm_lock.c 2010-03-20 16:58:39.712815966 -0400
22728 @@ -87,7 +87,7 @@ int drm_lock(struct drm_device *dev, voi
22729 if (drm_lock_take(&master->lock, lock->context)) {
22730 master->lock.file_priv = file_priv;
22731 master->lock.lock_time = jiffies;
22732 - atomic_inc(&dev->counts[_DRM_STAT_LOCKS]);
22733 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_LOCKS]);
22734 break; /* Got lock */
22737 @@ -165,7 +165,7 @@ int drm_unlock(struct drm_device *dev, v
22741 - atomic_inc(&dev->counts[_DRM_STAT_UNLOCKS]);
22742 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_UNLOCKS]);
22744 /* kernel_context_switch isn't used by any of the x86 drm
22745 * modules but is required by the Sparc driver.
22746 diff -urNp linux-2.6.33.1/drivers/gpu/drm/i810/i810_dma.c linux-2.6.33.1/drivers/gpu/drm/i810/i810_dma.c
22747 --- linux-2.6.33.1/drivers/gpu/drm/i810/i810_dma.c 2010-03-15 12:09:39.000000000 -0400
22748 +++ linux-2.6.33.1/drivers/gpu/drm/i810/i810_dma.c 2010-03-20 16:58:39.712815966 -0400
22749 @@ -952,8 +952,8 @@ static int i810_dma_vertex(struct drm_de
22750 dma->buflist[vertex->idx],
22751 vertex->discard, vertex->used);
22753 - atomic_add(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
22754 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
22755 + atomic_add_unchecked(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
22756 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
22757 sarea_priv->last_enqueue = dev_priv->counter - 1;
22758 sarea_priv->last_dispatch = (int)hw_status[5];
22760 @@ -1115,8 +1115,8 @@ static int i810_dma_mc(struct drm_device
22761 i810_dma_dispatch_mc(dev, dma->buflist[mc->idx], mc->used,
22764 - atomic_add(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
22765 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
22766 + atomic_add_unchecked(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
22767 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
22768 sarea_priv->last_enqueue = dev_priv->counter - 1;
22769 sarea_priv->last_dispatch = (int)hw_status[5];
22771 diff -urNp linux-2.6.33.1/drivers/gpu/drm/i915/dvo_ch7017.c linux-2.6.33.1/drivers/gpu/drm/i915/dvo_ch7017.c
22772 --- linux-2.6.33.1/drivers/gpu/drm/i915/dvo_ch7017.c 2010-03-15 12:09:39.000000000 -0400
22773 +++ linux-2.6.33.1/drivers/gpu/drm/i915/dvo_ch7017.c 2010-03-20 16:58:39.720824119 -0400
22774 @@ -444,7 +444,7 @@ static void ch7017_destroy(struct intel_
22778 -struct intel_dvo_dev_ops ch7017_ops = {
22779 +const struct intel_dvo_dev_ops ch7017_ops = {
22780 .init = ch7017_init,
22781 .detect = ch7017_detect,
22782 .mode_valid = ch7017_mode_valid,
22783 diff -urNp linux-2.6.33.1/drivers/gpu/drm/i915/dvo_ch7xxx.c linux-2.6.33.1/drivers/gpu/drm/i915/dvo_ch7xxx.c
22784 --- linux-2.6.33.1/drivers/gpu/drm/i915/dvo_ch7xxx.c 2010-03-15 12:09:39.000000000 -0400
22785 +++ linux-2.6.33.1/drivers/gpu/drm/i915/dvo_ch7xxx.c 2010-03-20 16:58:39.724540120 -0400
22786 @@ -358,7 +358,7 @@ static void ch7xxx_destroy(struct intel_
22790 -struct intel_dvo_dev_ops ch7xxx_ops = {
22791 +const struct intel_dvo_dev_ops ch7xxx_ops = {
22792 .init = ch7xxx_init,
22793 .detect = ch7xxx_detect,
22794 .mode_valid = ch7xxx_mode_valid,
22795 diff -urNp linux-2.6.33.1/drivers/gpu/drm/i915/dvo.h linux-2.6.33.1/drivers/gpu/drm/i915/dvo.h
22796 --- linux-2.6.33.1/drivers/gpu/drm/i915/dvo.h 2010-03-15 12:09:39.000000000 -0400
22797 +++ linux-2.6.33.1/drivers/gpu/drm/i915/dvo.h 2010-03-20 16:58:39.724540120 -0400
22798 @@ -135,23 +135,23 @@ struct intel_dvo_dev_ops {
22800 * \return singly-linked list of modes or NULL if no modes found.
22802 - struct drm_display_mode *(*get_modes)(struct intel_dvo_device *dvo);
22803 + struct drm_display_mode *(* const get_modes)(struct intel_dvo_device *dvo);
22806 * Clean up driver-specific bits of the output
22808 - void (*destroy) (struct intel_dvo_device *dvo);
22809 + void (* const destroy) (struct intel_dvo_device *dvo);
22812 * Debugging hook to dump device registers to log file
22814 - void (*dump_regs)(struct intel_dvo_device *dvo);
22815 + void (* const dump_regs)(struct intel_dvo_device *dvo);
22818 -extern struct intel_dvo_dev_ops sil164_ops;
22819 -extern struct intel_dvo_dev_ops ch7xxx_ops;
22820 -extern struct intel_dvo_dev_ops ivch_ops;
22821 -extern struct intel_dvo_dev_ops tfp410_ops;
22822 -extern struct intel_dvo_dev_ops ch7017_ops;
22823 +extern const struct intel_dvo_dev_ops sil164_ops;
22824 +extern const struct intel_dvo_dev_ops ch7xxx_ops;
22825 +extern const struct intel_dvo_dev_ops ivch_ops;
22826 +extern const struct intel_dvo_dev_ops tfp410_ops;
22827 +extern const struct intel_dvo_dev_ops ch7017_ops;
22829 #endif /* _INTEL_DVO_H */
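Review bot: The function pointers in `struct intel_dvo_dev_ops` are made `* const` in this hunk and every instance (`sil164_ops`, `ch7xxx_ops`, `ivch_ops`, `tfp410_ops`, `ch7017_ops`) is declared `const` as well, so the qualifier is applied twice. Const members also make the structure non-assignable, which rules out any code that builds or copies an ops table at run time. If the listed instances are the only tables, `const` on the declarations and definitions alone gives the same read-only placement with a plainer struct definition. If the member qualifiers are deliberate, a comment at the top of the struct should say so. The struct definition starts above the hunk.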
22830 diff -urNp linux-2.6.33.1/drivers/gpu/drm/i915/dvo_ivch.c linux-2.6.33.1/drivers/gpu/drm/i915/dvo_ivch.c
22831 --- linux-2.6.33.1/drivers/gpu/drm/i915/dvo_ivch.c 2010-03-15 12:09:39.000000000 -0400
22832 +++ linux-2.6.33.1/drivers/gpu/drm/i915/dvo_ivch.c 2010-03-20 16:58:39.724540120 -0400
22833 @@ -431,7 +431,7 @@ static void ivch_destroy(struct intel_dv
22837 -struct intel_dvo_dev_ops ivch_ops= {
22838 +const struct intel_dvo_dev_ops ivch_ops= {
22842 diff -urNp linux-2.6.33.1/drivers/gpu/drm/i915/dvo_sil164.c linux-2.6.33.1/drivers/gpu/drm/i915/dvo_sil164.c
22843 --- linux-2.6.33.1/drivers/gpu/drm/i915/dvo_sil164.c 2010-03-15 12:09:39.000000000 -0400
22844 +++ linux-2.6.33.1/drivers/gpu/drm/i915/dvo_sil164.c 2010-03-20 16:58:39.724540120 -0400
22845 @@ -290,7 +290,7 @@ static void sil164_destroy(struct intel_
22849 -struct intel_dvo_dev_ops sil164_ops = {
22850 +const struct intel_dvo_dev_ops sil164_ops = {
22851 .init = sil164_init,
22852 .detect = sil164_detect,
22853 .mode_valid = sil164_mode_valid,
22854 diff -urNp linux-2.6.33.1/drivers/gpu/drm/i915/dvo_tfp410.c linux-2.6.33.1/drivers/gpu/drm/i915/dvo_tfp410.c
22855 --- linux-2.6.33.1/drivers/gpu/drm/i915/dvo_tfp410.c 2010-03-15 12:09:39.000000000 -0400
22856 +++ linux-2.6.33.1/drivers/gpu/drm/i915/dvo_tfp410.c 2010-03-20 16:58:39.724540120 -0400
22857 @@ -325,7 +325,7 @@ static void tfp410_destroy(struct intel_
22861 -struct intel_dvo_dev_ops tfp410_ops = {
22862 +const struct intel_dvo_dev_ops tfp410_ops = {
22863 .init = tfp410_init,
22864 .detect = tfp410_detect,
22865 .mode_valid = tfp410_mode_valid,
22866 diff -urNp linux-2.6.33.1/drivers/gpu/drm/i915/i915_drv.c linux-2.6.33.1/drivers/gpu/drm/i915/i915_drv.c
22867 --- linux-2.6.33.1/drivers/gpu/drm/i915/i915_drv.c 2010-03-15 12:09:39.000000000 -0400
22868 +++ linux-2.6.33.1/drivers/gpu/drm/i915/i915_drv.c 2010-03-20 16:58:39.724540120 -0400
22869 @@ -470,7 +470,7 @@ const struct dev_pm_ops i915_pm_ops = {
22870 .restore = i915_pm_resume,
22873 -static struct vm_operations_struct i915_gem_vm_ops = {
22874 +static const struct vm_operations_struct i915_gem_vm_ops = {
22875 .fault = i915_gem_fault,
22876 .open = drm_gem_vm_open,
22877 .close = drm_gem_vm_close,
22878 diff -urNp linux-2.6.33.1/drivers/gpu/drm/nouveau/nouveau_backlight.c linux-2.6.33.1/drivers/gpu/drm/nouveau/nouveau_backlight.c
22879 --- linux-2.6.33.1/drivers/gpu/drm/nouveau/nouveau_backlight.c 2010-03-15 12:09:39.000000000 -0400
22880 +++ linux-2.6.33.1/drivers/gpu/drm/nouveau/nouveau_backlight.c 2010-03-20 16:58:39.737935163 -0400
22881 @@ -58,7 +58,7 @@ static int nv40_set_intensity(struct bac
22885 -static struct backlight_ops nv40_bl_ops = {
22886 +static const struct backlight_ops nv40_bl_ops = {
22887 .options = BL_CORE_SUSPENDRESUME,
22888 .get_brightness = nv40_get_intensity,
22889 .update_status = nv40_set_intensity,
22890 @@ -81,7 +81,7 @@ static int nv50_set_intensity(struct bac
22894 -static struct backlight_ops nv50_bl_ops = {
22895 +static const struct backlight_ops nv50_bl_ops = {
22896 .options = BL_CORE_SUSPENDRESUME,
22897 .get_brightness = nv50_get_intensity,
22898 .update_status = nv50_set_intensity,
22899 diff -urNp linux-2.6.33.1/drivers/gpu/drm/radeon/mkregtable.c linux-2.6.33.1/drivers/gpu/drm/radeon/mkregtable.c
22900 --- linux-2.6.33.1/drivers/gpu/drm/radeon/mkregtable.c 2010-03-15 12:09:39.000000000 -0400
22901 +++ linux-2.6.33.1/drivers/gpu/drm/radeon/mkregtable.c 2010-03-20 16:58:39.737935163 -0400
22902 @@ -637,14 +637,14 @@ static int parser_auth(struct table *t,
22904 regmatch_t match[4];
22912 struct offset *offset;
22913 char last_reg_s[10];
22915 + unsigned long last_reg;
22918 (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
22919 diff -urNp linux-2.6.33.1/drivers/gpu/drm/radeon/radeon_atombios.c linux-2.6.33.1/drivers/gpu/drm/radeon/radeon_atombios.c
22920 --- linux-2.6.33.1/drivers/gpu/drm/radeon/radeon_atombios.c 2010-03-15 12:09:39.000000000 -0400
22921 +++ linux-2.6.33.1/drivers/gpu/drm/radeon/radeon_atombios.c 2010-03-20 16:58:39.737935163 -0400
22922 @@ -637,14 +637,14 @@ static uint16_t atombios_get_connector_o
22926 -struct bios_connector {
22927 +static struct bios_connector {
22931 int connector_type;
22932 struct radeon_i2c_bus_rec ddc_bus;
22933 struct radeon_hpd hpd;
22935 +} bios_connectors[ATOM_MAX_SUPPORTED_DEVICE];
22937 bool radeon_get_atom_connector_info_from_supported_devices_table(struct
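Review bot: Making `bios_connectors` a file-scope `static` array means every call to radeon_get_atom_connector_info_from_supported_devices_table() now shares one buffer. Entries written by an earlier call or for another device are still there on the next call, and two callers running at once would overwrite each other. The function body lies outside these hunks, so whether each entry is fully rewritten before it is read cannot be confirmed from here. If the aim is only to take the array off the kernel stack, a per-call `kcalloc(ATOM_MAX_SUPPORTED_DEVICE, sizeof(*bios_connectors), GFP_KERNEL)` freed on exit keeps the old per-call semantics. Otherwise add `memset(bios_connectors, 0, sizeof(bios_connectors));` at the top of the function and a comment naming what serializes callers.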
22939 @@ -660,7 +660,6 @@ bool radeon_get_atom_connector_info_from
22941 union atom_supported_devices *supported_devices;
22942 int i, j, max_device;
22943 - struct bios_connector bios_connectors[ATOM_MAX_SUPPORTED_DEVICE];
22945 atom_parse_data_header(ctx, index, &size, &frev, &crev, &data_offset);
22947 diff -urNp linux-2.6.33.1/drivers/gpu/drm/radeon/radeon_state.c linux-2.6.33.1/drivers/gpu/drm/radeon/radeon_state.c
22948 --- linux-2.6.33.1/drivers/gpu/drm/radeon/radeon_state.c 2010-03-15 12:09:39.000000000 -0400
22949 +++ linux-2.6.33.1/drivers/gpu/drm/radeon/radeon_state.c 2010-03-20 16:58:39.757317099 -0400
22950 @@ -2139,7 +2139,7 @@ static int radeon_cp_clear(struct drm_de
22951 if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS)
22952 sarea_priv->nbox = RADEON_NR_SAREA_CLIPRECTS;
22954 - if (DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
22955 + if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS || DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
22956 sarea_priv->nbox * sizeof(depth_boxes[0])))
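Review bot: The added `sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS` test reads the field again, and the size expression on the next line reads it once more, so the value that is checked is not guaranteed to be the value that sizes the copy into `depth_boxes`. The clamp just above would make the new test redundant unless the field can change underneath the ioctl, which it can if, as appears to be the case, `sarea_priv` points into memory shared with clients. Read the count once and use only the local: `unsigned int nbox = ACCESS_ONCE(sarea_priv->nbox);`, `if (nbox > RADEON_NR_SAREA_CLIPRECTS) nbox = RADEON_NR_SAREA_CLIPRECTS;`, then `nbox * sizeof(depth_boxes[0])` in the copy. Any later use of `sarea_priv->nbox` in radeon_cp_clear, outside this hunk, needs the same local.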
22959 @@ -3014,7 +3014,7 @@ static int radeon_cp_getparam(struct drm
22961 drm_radeon_private_t *dev_priv = dev->dev_private;
22962 drm_radeon_getparam_t *param = data;
22966 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
22968 diff -urNp linux-2.6.33.1/drivers/gpu/drm/radeon/radeon_ttm.c linux-2.6.33.1/drivers/gpu/drm/radeon/radeon_ttm.c
22969 --- linux-2.6.33.1/drivers/gpu/drm/radeon/radeon_ttm.c 2010-03-15 12:09:39.000000000 -0400
22970 +++ linux-2.6.33.1/drivers/gpu/drm/radeon/radeon_ttm.c 2010-03-20 16:58:39.760772786 -0400
22971 @@ -564,27 +564,10 @@ void radeon_ttm_fini(struct radeon_devic
22972 DRM_INFO("radeon: ttm finalized\n");
22975 -static struct vm_operations_struct radeon_ttm_vm_ops;
22976 -static const struct vm_operations_struct *ttm_vm_ops = NULL;
22978 -static int radeon_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
22980 - struct ttm_buffer_object *bo;
22983 - bo = (struct ttm_buffer_object *)vma->vm_private_data;
22984 - if (bo == NULL) {
22985 - return VM_FAULT_NOPAGE;
22987 - r = ttm_vm_ops->fault(vma, vmf);
22991 int radeon_mmap(struct file *filp, struct vm_area_struct *vma)
22993 struct drm_file *file_priv;
22994 struct radeon_device *rdev;
22997 if (unlikely(vma->vm_pgoff < DRM_FILE_PAGE_OFFSET)) {
22998 return drm_mmap(filp, vma);
22999 @@ -592,20 +575,9 @@ int radeon_mmap(struct file *filp, struc
23001 file_priv = (struct drm_file *)filp->private_data;
23002 rdev = file_priv->minor->dev->dev_private;
23003 - if (rdev == NULL) {
23007 - r = ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
23008 - if (unlikely(r != 0)) {
23011 - if (unlikely(ttm_vm_ops == NULL)) {
23012 - ttm_vm_ops = vma->vm_ops;
23013 - radeon_ttm_vm_ops = *ttm_vm_ops;
23014 - radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
23016 - vma->vm_ops = &radeon_ttm_vm_ops;
23018 + return ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
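Review bot: The new tail of radeon_mmap() drops the `rdev == NULL` test along with the vm_ops override, so `&rdev->mman.bdev` is now formed from a pointer the old code treated as possibly NULL. Removing the writable `radeon_ttm_vm_ops` copy does not require removing that guard. Keep it in front of the call, e.g. `if (unlikely(rdev == NULL)) return -EINVAL;`, using whatever error the removed branch returned, since its body is not visible in this hunk. radeon_mmap() starts in the previous hunk.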
23022 diff -urNp linux-2.6.33.1/drivers/gpu/drm/ttm/ttm_bo.c linux-2.6.33.1/drivers/gpu/drm/ttm/ttm_bo.c
23023 --- linux-2.6.33.1/drivers/gpu/drm/ttm/ttm_bo.c 2010-03-15 12:09:39.000000000 -0400
23024 +++ linux-2.6.33.1/drivers/gpu/drm/ttm/ttm_bo.c 2010-03-20 16:58:39.760772786 -0400
23025 @@ -128,7 +128,7 @@ static struct attribute *ttm_bo_global_a
23029 -static struct sysfs_ops ttm_bo_global_ops = {
23030 +static const struct sysfs_ops ttm_bo_global_ops = {
23031 .show = &ttm_bo_global_show
23034 diff -urNp linux-2.6.33.1/drivers/gpu/drm/ttm/ttm_bo_vm.c linux-2.6.33.1/drivers/gpu/drm/ttm/ttm_bo_vm.c
23035 --- linux-2.6.33.1/drivers/gpu/drm/ttm/ttm_bo_vm.c 2010-03-15 12:09:39.000000000 -0400
23036 +++ linux-2.6.33.1/drivers/gpu/drm/ttm/ttm_bo_vm.c 2010-03-20 16:58:39.760772786 -0400
23037 @@ -73,7 +73,7 @@ static int ttm_bo_vm_fault(struct vm_are
23039 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)
23040 vma->vm_private_data;
23041 - struct ttm_bo_device *bdev = bo->bdev;
23042 + struct ttm_bo_device *bdev;
23043 unsigned long bus_base;
23044 unsigned long bus_offset;
23045 unsigned long bus_size;
23046 @@ -88,6 +88,10 @@ static int ttm_bo_vm_fault(struct vm_are
23047 unsigned long address = (unsigned long)vmf->virtual_address;
23048 int retval = VM_FAULT_NOPAGE;
23051 + return VM_FAULT_NOPAGE;
23055 * Work around locking order reversal in fault / nopfn
23056 * between mmap_sem and bo_reserve: Perform a trylock operation
23057 diff -urNp linux-2.6.33.1/drivers/gpu/drm/ttm/ttm_global.c linux-2.6.33.1/drivers/gpu/drm/ttm/ttm_global.c
23058 --- linux-2.6.33.1/drivers/gpu/drm/ttm/ttm_global.c 2010-03-15 12:09:39.000000000 -0400
23059 +++ linux-2.6.33.1/drivers/gpu/drm/ttm/ttm_global.c 2010-03-20 16:58:39.764713262 -0400
23061 struct ttm_global_item {
23062 struct mutex mutex;
23065 + atomic_t refcount;
23068 static struct ttm_global_item glob[TTM_GLOBAL_NUM];
23069 @@ -49,7 +49,7 @@ void ttm_global_init(void)
23070 struct ttm_global_item *item = &glob[i];
23071 mutex_init(&item->mutex);
23072 item->object = NULL;
23073 - item->refcount = 0;
23074 + atomic_set(&item->refcount, 0);
23078 @@ -59,7 +59,7 @@ void ttm_global_release(void)
23079 for (i = 0; i < TTM_GLOBAL_NUM; ++i) {
23080 struct ttm_global_item *item = &glob[i];
23081 BUG_ON(item->object != NULL);
23082 - BUG_ON(item->refcount != 0);
23083 + BUG_ON(atomic_read(&item->refcount) != 0);
23087 @@ -70,7 +70,7 @@ int ttm_global_item_ref(struct ttm_globa
23090 mutex_lock(&item->mutex);
23091 - if (item->refcount == 0) {
23092 + if (atomic_read(&item->refcount) == 0) {
23093 item->object = kzalloc(ref->size, GFP_KERNEL);
23094 if (unlikely(item->object == NULL)) {
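Review bot: `refcount` becomes an `atomic_t`, yet in this hunk and in the ttm_global_item_unref hunk below it is only touched between `mutex_lock(&item->mutex)` and the matching unlock, so the atomic operations add no concurrency protection and the reason for the change is stated nowhere. Presumably the point is to route the counter through the patch set's overflow-checked atomic helpers. Say so at the field, e.g. `atomic_t refcount; /* atomic_t for overflow checking; still serialized by ->mutex */`. Without that, a later cleanup may turn it back into a plain int. ttm_global_item_ref() begins and ends outside this hunk.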
23096 @@ -83,7 +83,7 @@ int ttm_global_item_ref(struct ttm_globa
23100 - ++item->refcount;
23101 + atomic_inc(&item->refcount);
23102 ref->object = item->object;
23103 object = item->object;
23104 mutex_unlock(&item->mutex);
23105 @@ -100,9 +100,9 @@ void ttm_global_item_unref(struct ttm_gl
23106 struct ttm_global_item *item = &glob[ref->global_type];
23108 mutex_lock(&item->mutex);
23109 - BUG_ON(item->refcount == 0);
23110 + BUG_ON(atomic_read(&item->refcount) == 0);
23111 BUG_ON(ref->object != item->object);
23112 - if (--item->refcount == 0) {
23113 + if (atomic_dec_and_test(&item->refcount)) {
23115 item->object = NULL;
23117 diff -urNp linux-2.6.33.1/drivers/gpu/drm/ttm/ttm_memory.c linux-2.6.33.1/drivers/gpu/drm/ttm/ttm_memory.c
23118 --- linux-2.6.33.1/drivers/gpu/drm/ttm/ttm_memory.c 2010-03-15 12:09:39.000000000 -0400
23119 +++ linux-2.6.33.1/drivers/gpu/drm/ttm/ttm_memory.c 2010-03-20 16:58:39.764713262 -0400
23120 @@ -152,7 +152,7 @@ static struct attribute *ttm_mem_zone_at
23124 -static struct sysfs_ops ttm_mem_zone_ops = {
23125 +static const struct sysfs_ops ttm_mem_zone_ops = {
23126 .show = &ttm_mem_zone_show,
23127 .store = &ttm_mem_zone_store
23129 diff -urNp linux-2.6.33.1/drivers/hwmon/k8temp.c linux-2.6.33.1/drivers/hwmon/k8temp.c
23130 --- linux-2.6.33.1/drivers/hwmon/k8temp.c 2010-03-15 12:09:39.000000000 -0400
23131 +++ linux-2.6.33.1/drivers/hwmon/k8temp.c 2010-03-20 16:58:39.764713262 -0400
23132 @@ -138,7 +138,7 @@ static DEVICE_ATTR(name, S_IRUGO, show_n
23134 static const struct pci_device_id k8temp_ids[] = {
23135 { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_K8_NB_MISC) },
23137 + { 0, 0, 0, 0, 0, 0, 0 },
23140 MODULE_DEVICE_TABLE(pci, k8temp_ids);
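Review bot: The table terminator is written as seven positional zeros, which ties it to the current member count of `struct pci_device_id`; after a later field change it is either incomplete again or has excess initializers. The same form appears in the sis5595, via686a, vt8231, i2c-i801, i2c-piix4, i2c-sis630, i2c-sis96x and ohci1394 tables below, and with six zeros in the `ieee1394_device_id` tables. If the intent is to silence a missing-initializer warning, a designated form such as `{ .vendor = 0 }` does that without counting fields. This entry also ends in a comma while most of the others do not.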
23141 diff -urNp linux-2.6.33.1/drivers/hwmon/sis5595.c linux-2.6.33.1/drivers/hwmon/sis5595.c
23142 --- linux-2.6.33.1/drivers/hwmon/sis5595.c 2010-03-15 12:09:39.000000000 -0400
23143 +++ linux-2.6.33.1/drivers/hwmon/sis5595.c 2010-03-20 16:58:39.772823109 -0400
23144 @@ -699,7 +699,7 @@ static struct sis5595_data *sis5595_upda
23146 static const struct pci_device_id sis5595_pci_ids[] = {
23147 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
23149 + { 0, 0, 0, 0, 0, 0, 0 }
23152 MODULE_DEVICE_TABLE(pci, sis5595_pci_ids);
23153 diff -urNp linux-2.6.33.1/drivers/hwmon/via686a.c linux-2.6.33.1/drivers/hwmon/via686a.c
23154 --- linux-2.6.33.1/drivers/hwmon/via686a.c 2010-03-15 12:09:39.000000000 -0400
23155 +++ linux-2.6.33.1/drivers/hwmon/via686a.c 2010-03-20 16:58:39.780824922 -0400
23156 @@ -769,7 +769,7 @@ static struct via686a_data *via686a_upda
23158 static const struct pci_device_id via686a_pci_ids[] = {
23159 { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C686_4) },
23161 + { 0, 0, 0, 0, 0, 0, 0 }
23164 MODULE_DEVICE_TABLE(pci, via686a_pci_ids);
23165 diff -urNp linux-2.6.33.1/drivers/hwmon/vt8231.c linux-2.6.33.1/drivers/hwmon/vt8231.c
23166 --- linux-2.6.33.1/drivers/hwmon/vt8231.c 2010-03-15 12:09:39.000000000 -0400
23167 +++ linux-2.6.33.1/drivers/hwmon/vt8231.c 2010-03-20 16:58:39.784811184 -0400
23168 @@ -699,7 +699,7 @@ static struct platform_driver vt8231_dri
23170 static const struct pci_device_id vt8231_pci_ids[] = {
23171 { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_8231_4) },
23173 + { 0, 0, 0, 0, 0, 0, 0 }
23176 MODULE_DEVICE_TABLE(pci, vt8231_pci_ids);
23177 diff -urNp linux-2.6.33.1/drivers/hwmon/w83791d.c linux-2.6.33.1/drivers/hwmon/w83791d.c
23178 --- linux-2.6.33.1/drivers/hwmon/w83791d.c 2010-03-15 12:09:39.000000000 -0400
23179 +++ linux-2.6.33.1/drivers/hwmon/w83791d.c 2010-03-20 16:58:39.796811468 -0400
23180 @@ -329,8 +329,8 @@ static int w83791d_detect(struct i2c_cli
23181 struct i2c_board_info *info);
23182 static int w83791d_remove(struct i2c_client *client);
23184 -static int w83791d_read(struct i2c_client *client, u8 register);
23185 -static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
23186 +static int w83791d_read(struct i2c_client *client, u8 reg);
23187 +static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
23188 static struct w83791d_data *w83791d_update_device(struct device *dev);
23191 diff -urNp linux-2.6.33.1/drivers/i2c/busses/i2c-i801.c linux-2.6.33.1/drivers/i2c/busses/i2c-i801.c
23192 --- linux-2.6.33.1/drivers/i2c/busses/i2c-i801.c 2010-03-15 12:09:39.000000000 -0400
23193 +++ linux-2.6.33.1/drivers/i2c/busses/i2c-i801.c 2010-03-20 16:58:39.804825087 -0400
23194 @@ -578,7 +578,7 @@ static struct pci_device_id i801_ids[] =
23195 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH10_4) },
23196 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH10_5) },
23197 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_PCH_SMBUS) },
23199 + { 0, 0, 0, 0, 0, 0, 0 }
23202 MODULE_DEVICE_TABLE (pci, i801_ids);
23203 diff -urNp linux-2.6.33.1/drivers/i2c/busses/i2c-piix4.c linux-2.6.33.1/drivers/i2c/busses/i2c-piix4.c
23204 --- linux-2.6.33.1/drivers/i2c/busses/i2c-piix4.c 2010-03-15 12:09:39.000000000 -0400
23205 +++ linux-2.6.33.1/drivers/i2c/busses/i2c-piix4.c 2010-03-20 16:58:39.821741415 -0400
23206 @@ -124,7 +124,7 @@ static struct dmi_system_id __devinitdat
23208 .matches = { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
23211 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
23214 static int __devinit piix4_setup(struct pci_dev *PIIX4_dev,
23215 @@ -491,7 +491,7 @@ static struct pci_device_id piix4_ids[]
23216 PCI_DEVICE_ID_SERVERWORKS_HT1000SB) },
23217 { PCI_DEVICE(PCI_VENDOR_ID_SERVERWORKS,
23218 PCI_DEVICE_ID_SERVERWORKS_HT1100LD) },
23220 + { 0, 0, 0, 0, 0, 0, 0 }
23223 MODULE_DEVICE_TABLE (pci, piix4_ids);
23224 diff -urNp linux-2.6.33.1/drivers/i2c/busses/i2c-sis630.c linux-2.6.33.1/drivers/i2c/busses/i2c-sis630.c
23225 --- linux-2.6.33.1/drivers/i2c/busses/i2c-sis630.c 2010-03-15 12:09:39.000000000 -0400
23226 +++ linux-2.6.33.1/drivers/i2c/busses/i2c-sis630.c 2010-03-20 16:58:39.832567311 -0400
23227 @@ -471,7 +471,7 @@ static struct i2c_adapter sis630_adapter
23228 static struct pci_device_id sis630_ids[] __devinitdata = {
23229 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
23230 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_LPC) },
23232 + { 0, 0, 0, 0, 0, 0, 0 }
23235 MODULE_DEVICE_TABLE (pci, sis630_ids);
23236 diff -urNp linux-2.6.33.1/drivers/i2c/busses/i2c-sis96x.c linux-2.6.33.1/drivers/i2c/busses/i2c-sis96x.c
23237 --- linux-2.6.33.1/drivers/i2c/busses/i2c-sis96x.c 2010-03-15 12:09:39.000000000 -0400
23238 +++ linux-2.6.33.1/drivers/i2c/busses/i2c-sis96x.c 2010-03-20 16:58:39.832567311 -0400
23239 @@ -247,7 +247,7 @@ static struct i2c_adapter sis96x_adapter
23241 static struct pci_device_id sis96x_ids[] = {
23242 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_SMBUS) },
23244 + { 0, 0, 0, 0, 0, 0, 0 }
23247 MODULE_DEVICE_TABLE (pci, sis96x_ids);
23248 diff -urNp linux-2.6.33.1/drivers/ide/ide-cd.c linux-2.6.33.1/drivers/ide/ide-cd.c
23249 --- linux-2.6.33.1/drivers/ide/ide-cd.c 2010-03-15 12:09:39.000000000 -0400
23250 +++ linux-2.6.33.1/drivers/ide/ide-cd.c 2010-03-20 16:58:39.844814079 -0400
23251 @@ -766,7 +766,7 @@ static void cdrom_do_block_pc(ide_drive_
23252 alignment = queue_dma_alignment(q) | q->dma_pad_mask;
23253 if ((unsigned long)buf & alignment
23254 || blk_rq_bytes(rq) & q->dma_pad_mask
23255 - || object_is_on_stack(buf))
23256 + || object_starts_on_stack(buf))
23260 diff -urNp linux-2.6.33.1/drivers/ieee1394/dv1394.c linux-2.6.33.1/drivers/ieee1394/dv1394.c
23261 --- linux-2.6.33.1/drivers/ieee1394/dv1394.c 2010-03-15 12:09:39.000000000 -0400
23262 +++ linux-2.6.33.1/drivers/ieee1394/dv1394.c 2010-03-20 16:58:39.856823569 -0400
23263 @@ -739,7 +739,7 @@ static void frame_prepare(struct video_c
23264 based upon DIF section and sequence
23267 -static void inline
23268 +static inline void
23269 frame_put_packet (struct frame *f, struct packet *p)
23271 int section_type = p->data[0] >> 5; /* section type is in bits 5 - 7 */
23272 @@ -2178,7 +2178,7 @@ static const struct ieee1394_device_id d
23273 .specifier_id = AVC_UNIT_SPEC_ID_ENTRY & 0xffffff,
23274 .version = AVC_SW_VERSION_ENTRY & 0xffffff
23277 + { 0, 0, 0, 0, 0, 0 }
23280 MODULE_DEVICE_TABLE(ieee1394, dv1394_id_table);
23281 diff -urNp linux-2.6.33.1/drivers/ieee1394/eth1394.c linux-2.6.33.1/drivers/ieee1394/eth1394.c
23282 --- linux-2.6.33.1/drivers/ieee1394/eth1394.c 2010-03-15 12:09:39.000000000 -0400
23283 +++ linux-2.6.33.1/drivers/ieee1394/eth1394.c 2010-03-20 16:58:39.865827641 -0400
23284 @@ -446,7 +446,7 @@ static const struct ieee1394_device_id e
23285 .specifier_id = ETHER1394_GASP_SPECIFIER_ID,
23286 .version = ETHER1394_GASP_VERSION,
23289 + { 0, 0, 0, 0, 0, 0 }
23292 MODULE_DEVICE_TABLE(ieee1394, eth1394_id_table);
23293 diff -urNp linux-2.6.33.1/drivers/ieee1394/hosts.c linux-2.6.33.1/drivers/ieee1394/hosts.c
23294 --- linux-2.6.33.1/drivers/ieee1394/hosts.c 2010-03-15 12:09:39.000000000 -0400
23295 +++ linux-2.6.33.1/drivers/ieee1394/hosts.c 2010-03-20 16:58:39.865827641 -0400
23296 @@ -78,6 +78,7 @@ static int dummy_isoctl(struct hpsb_iso
23299 static struct hpsb_host_driver dummy_driver = {
23301 .transmit_packet = dummy_transmit_packet,
23302 .devctl = dummy_devctl,
23303 .isoctl = dummy_isoctl
23304 diff -urNp linux-2.6.33.1/drivers/ieee1394/ohci1394.c linux-2.6.33.1/drivers/ieee1394/ohci1394.c
23305 --- linux-2.6.33.1/drivers/ieee1394/ohci1394.c 2010-03-15 12:09:39.000000000 -0400
23306 +++ linux-2.6.33.1/drivers/ieee1394/ohci1394.c 2010-03-20 16:58:39.873869022 -0400
23307 @@ -148,9 +148,9 @@ printk(level "%s: " fmt "\n" , OHCI1394_
23308 printk(level "%s: fw-host%d: " fmt "\n" , OHCI1394_DRIVER_NAME, ohci->host->id , ## args)
23310 /* Module Parameters */
23311 -static int phys_dma = 1;
23312 +static int phys_dma;
23313 module_param(phys_dma, int, 0444);
23314 -MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 1).");
23315 +MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 0).");
23317 static void dma_trm_tasklet(unsigned long data);
23318 static void dma_trm_reset(struct dma_trm_ctx *d);
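Review bot: Flipping the default of `phys_dma` to 0 changes behaviour for every existing user of the module, and neither the code nor the parameter description says why. Physical DMA lets devices on the bus read and write host memory without driver involvement, which is the reason to have it off by default. Put that in a comment above the variable, e.g. `/* off by default: physical DMA gives bus peers direct access to host memory */`, and in the description, e.g. `"Enable physical DMA; exposes host memory to bus devices (default = 0)."`. The parameter is registered with mode 0444, so it can only be chosen at load time.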
23319 @@ -3445,7 +3445,7 @@ static struct pci_device_id ohci1394_pci
23320 .subvendor = PCI_ANY_ID,
23321 .subdevice = PCI_ANY_ID,
23324 + { 0, 0, 0, 0, 0, 0, 0 },
23327 MODULE_DEVICE_TABLE(pci, ohci1394_pci_tbl);
23328 diff -urNp linux-2.6.33.1/drivers/ieee1394/raw1394.c linux-2.6.33.1/drivers/ieee1394/raw1394.c
23329 --- linux-2.6.33.1/drivers/ieee1394/raw1394.c 2010-03-15 12:09:39.000000000 -0400
23330 +++ linux-2.6.33.1/drivers/ieee1394/raw1394.c 2010-03-20 16:58:39.873869022 -0400
23331 @@ -3002,7 +3002,7 @@ static const struct ieee1394_device_id r
23332 .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
23333 .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
23334 .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff},
23336 + { 0, 0, 0, 0, 0, 0 }
23339 MODULE_DEVICE_TABLE(ieee1394, raw1394_id_table);
23340 diff -urNp linux-2.6.33.1/drivers/ieee1394/sbp2.c linux-2.6.33.1/drivers/ieee1394/sbp2.c
23341 --- linux-2.6.33.1/drivers/ieee1394/sbp2.c 2010-03-15 12:09:39.000000000 -0400
23342 +++ linux-2.6.33.1/drivers/ieee1394/sbp2.c 2010-03-20 16:58:39.877823938 -0400
23343 @@ -290,7 +290,7 @@ static const struct ieee1394_device_id s
23344 .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
23345 .specifier_id = SBP2_UNIT_SPEC_ID_ENTRY & 0xffffff,
23346 .version = SBP2_SW_VERSION_ENTRY & 0xffffff},
23348 + { 0, 0, 0, 0, 0, 0 }
23350 MODULE_DEVICE_TABLE(ieee1394, sbp2_id_table);
23352 @@ -2111,7 +2111,7 @@ MODULE_DESCRIPTION("IEEE-1394 SBP-2 prot
23353 MODULE_SUPPORTED_DEVICE(SBP2_DEVICE_NAME);
23354 MODULE_LICENSE("GPL");
23356 -static int sbp2_module_init(void)
23357 +static int __init sbp2_module_init(void)
23361 diff -urNp linux-2.6.33.1/drivers/ieee1394/video1394.c linux-2.6.33.1/drivers/ieee1394/video1394.c
23362 --- linux-2.6.33.1/drivers/ieee1394/video1394.c 2010-03-15 12:09:39.000000000 -0400
23363 +++ linux-2.6.33.1/drivers/ieee1394/video1394.c 2010-03-20 16:58:39.877823938 -0400
23364 @@ -1311,7 +1311,7 @@ static const struct ieee1394_device_id v
23365 .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
23366 .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff
23369 + { 0, 0, 0, 0, 0, 0 }
23372 MODULE_DEVICE_TABLE(ieee1394, video1394_id_table);
23373 diff -urNp linux-2.6.33.1/drivers/infiniband/core/cm.c linux-2.6.33.1/drivers/infiniband/core/cm.c
23374 --- linux-2.6.33.1/drivers/infiniband/core/cm.c 2010-03-15 12:09:39.000000000 -0400
23375 +++ linux-2.6.33.1/drivers/infiniband/core/cm.c 2010-03-20 16:58:39.905667556 -0400
23376 @@ -112,7 +112,7 @@ static char const counter_group_names[CM
23378 struct cm_counter_group {
23379 struct kobject obj;
23380 - atomic_long_t counter[CM_ATTR_COUNT];
23381 + atomic_long_unchecked_t counter[CM_ATTR_COUNT];
23384 struct cm_counter_attribute {
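Review bot: `counter` switches to `atomic_long_unchecked_t` with no comment on why these values opt out of the checked atomic type. From the uses in the hunks below (incremented per received or sent message and printed by cm_show_counter) they look like statistics, where wrap-around is harmless, rather than reference counts. State that at the field, e.g. `/* statistics only; wrap-around is harmless, hence unchecked */`. That keeps a reader from copying the `_unchecked` variants onto a counter that guards an object's lifetime.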
23385 @@ -1386,7 +1386,7 @@ static void cm_dup_req_handler(struct cm
23386 struct ib_mad_send_buf *msg = NULL;
23389 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
23390 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
23391 counter[CM_REQ_COUNTER]);
23393 /* Quick state check to discard duplicate REQs. */
23394 @@ -1764,7 +1764,7 @@ static void cm_dup_rep_handler(struct cm
23398 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
23399 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
23400 counter[CM_REP_COUNTER]);
23401 ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
23403 @@ -1931,7 +1931,7 @@ static int cm_rtu_handler(struct cm_work
23404 if (cm_id_priv->id.state != IB_CM_REP_SENT &&
23405 cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
23406 spin_unlock_irq(&cm_id_priv->lock);
23407 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
23408 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
23409 counter[CM_RTU_COUNTER]);
23412 @@ -2110,7 +2110,7 @@ static int cm_dreq_handler(struct cm_wor
23413 cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
23414 dreq_msg->local_comm_id);
23416 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
23417 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
23418 counter[CM_DREQ_COUNTER]);
23419 cm_issue_drep(work->port, work->mad_recv_wc);
23421 @@ -2131,7 +2131,7 @@ static int cm_dreq_handler(struct cm_wor
23422 case IB_CM_MRA_REP_RCVD:
23424 case IB_CM_TIMEWAIT:
23425 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
23426 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
23427 counter[CM_DREQ_COUNTER]);
23428 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
23430 @@ -2145,7 +2145,7 @@ static int cm_dreq_handler(struct cm_wor
23433 case IB_CM_DREQ_RCVD:
23434 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
23435 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
23436 counter[CM_DREQ_COUNTER]);
23439 @@ -2501,7 +2501,7 @@ static int cm_mra_handler(struct cm_work
23440 ib_modify_mad(cm_id_priv->av.port->mad_agent,
23441 cm_id_priv->msg, timeout)) {
23442 if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
23443 - atomic_long_inc(&work->port->
23444 + atomic_long_inc_unchecked(&work->port->
23445 counter_group[CM_RECV_DUPLICATES].
23446 counter[CM_MRA_COUNTER]);
23448 @@ -2510,7 +2510,7 @@ static int cm_mra_handler(struct cm_work
23450 case IB_CM_MRA_REQ_RCVD:
23451 case IB_CM_MRA_REP_RCVD:
23452 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
23453 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
23454 counter[CM_MRA_COUNTER]);
23457 @@ -2672,7 +2672,7 @@ static int cm_lap_handler(struct cm_work
23458 case IB_CM_LAP_IDLE:
23460 case IB_CM_MRA_LAP_SENT:
23461 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
23462 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
23463 counter[CM_LAP_COUNTER]);
23464 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
23466 @@ -2688,7 +2688,7 @@ static int cm_lap_handler(struct cm_work
23469 case IB_CM_LAP_RCVD:
23470 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
23471 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
23472 counter[CM_LAP_COUNTER]);
23475 @@ -2972,7 +2972,7 @@ static int cm_sidr_req_handler(struct cm
23476 cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
23477 if (cur_cm_id_priv) {
23478 spin_unlock_irq(&cm.lock);
23479 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
23480 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
23481 counter[CM_SIDR_REQ_COUNTER]);
23482 goto out; /* Duplicate message. */
23484 @@ -3183,10 +3183,10 @@ static void cm_send_handler(struct ib_ma
23485 if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
23488 - atomic_long_add(1 + msg->retries,
23489 + atomic_long_add_unchecked(1 + msg->retries,
23490 &port->counter_group[CM_XMIT].counter[attr_index]);
23492 - atomic_long_add(msg->retries,
23493 + atomic_long_add_unchecked(msg->retries,
23494 &port->counter_group[CM_XMIT_RETRIES].
23495 counter[attr_index]);
23497 @@ -3396,7 +3396,7 @@ static void cm_recv_handler(struct ib_ma
23500 attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
23501 - atomic_long_inc(&port->counter_group[CM_RECV].
23502 + atomic_long_inc_unchecked(&port->counter_group[CM_RECV].
23503 counter[attr_id - CM_ATTR_ID_OFFSET]);
23505 work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
23506 @@ -3594,10 +3594,10 @@ static ssize_t cm_show_counter(struct ko
23507 cm_attr = container_of(attr, struct cm_counter_attribute, attr);
23509 return sprintf(buf, "%ld\n",
23510 - atomic_long_read(&group->counter[cm_attr->index]));
23511 + atomic_long_read_unchecked(&group->counter[cm_attr->index]));
23514 -static struct sysfs_ops cm_counter_ops = {
23515 +static const struct sysfs_ops cm_counter_ops = {
23516 .show = cm_show_counter
23519 diff -urNp linux-2.6.33.1/drivers/infiniband/core/sysfs.c linux-2.6.33.1/drivers/infiniband/core/sysfs.c
23520 --- linux-2.6.33.1/drivers/infiniband/core/sysfs.c 2010-03-15 12:09:39.000000000 -0400
23521 +++ linux-2.6.33.1/drivers/infiniband/core/sysfs.c 2010-03-20 16:58:39.912829502 -0400
23522 @@ -79,7 +79,7 @@ static ssize_t port_attr_show(struct kob
23523 return port_attr->show(p, port_attr, buf);
23526 -static struct sysfs_ops port_sysfs_ops = {
23527 +static const struct sysfs_ops port_sysfs_ops = {
23528 .show = port_attr_show
23531 diff -urNp linux-2.6.33.1/drivers/input/keyboard/atkbd.c linux-2.6.33.1/drivers/input/keyboard/atkbd.c
23532 --- linux-2.6.33.1/drivers/input/keyboard/atkbd.c 2010-03-15 12:09:39.000000000 -0400
23533 +++ linux-2.6.33.1/drivers/input/keyboard/atkbd.c 2010-03-20 16:58:39.929160943 -0400
23534 @@ -1229,7 +1229,7 @@ static struct serio_device_id atkbd_seri
23536 .extra = SERIO_ANY,
23542 MODULE_DEVICE_TABLE(serio, atkbd_serio_ids);
23543 diff -urNp linux-2.6.33.1/drivers/input/mouse/lifebook.c linux-2.6.33.1/drivers/input/mouse/lifebook.c
23544 --- linux-2.6.33.1/drivers/input/mouse/lifebook.c 2010-03-15 12:09:39.000000000 -0400
23545 +++ linux-2.6.33.1/drivers/input/mouse/lifebook.c 2010-03-20 16:58:39.929160943 -0400
23546 @@ -122,7 +122,7 @@ static const struct dmi_system_id __init
23547 DMI_MATCH(DMI_PRODUCT_NAME, "LifeBook B142"),
23551 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
23554 void __init lifebook_module_init(void)
23555 diff -urNp linux-2.6.33.1/drivers/input/mouse/psmouse-base.c linux-2.6.33.1/drivers/input/mouse/psmouse-base.c
23556 --- linux-2.6.33.1/drivers/input/mouse/psmouse-base.c 2010-03-15 12:09:39.000000000 -0400
23557 +++ linux-2.6.33.1/drivers/input/mouse/psmouse-base.c 2010-03-20 16:58:39.936833108 -0400
23558 @@ -1442,7 +1442,7 @@ static struct serio_device_id psmouse_se
23560 .extra = SERIO_ANY,
23566 MODULE_DEVICE_TABLE(serio, psmouse_serio_ids);
23567 diff -urNp linux-2.6.33.1/drivers/input/mouse/synaptics.c linux-2.6.33.1/drivers/input/mouse/synaptics.c
23568 --- linux-2.6.33.1/drivers/input/mouse/synaptics.c 2010-03-15 12:09:39.000000000 -0400
23569 +++ linux-2.6.33.1/drivers/input/mouse/synaptics.c 2010-03-20 16:58:39.944836883 -0400
23570 @@ -438,7 +438,7 @@ static void synaptics_process_packet(str
23573 if (SYN_MODEL_PEN(priv->model_id))
23574 - ; /* Nothing, treat a pen as a single finger */
23575 + break; /* Nothing, treat a pen as a single finger */
23578 if (SYN_CAP_PALMDETECT(priv->capabilities))
23579 @@ -654,7 +654,6 @@ static const struct dmi_system_id __init
23580 DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
23581 DMI_MATCH(DMI_PRODUCT_NAME, "PORTEGE M300"),
23586 /* Toshiba Portege M300 */
23587 @@ -663,9 +662,8 @@ static const struct dmi_system_id __init
23588 DMI_MATCH(DMI_PRODUCT_NAME, "Portable PC"),
23589 DMI_MATCH(DMI_PRODUCT_VERSION, "Version 1.0"),
23594 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
23598 diff -urNp linux-2.6.33.1/drivers/input/mousedev.c linux-2.6.33.1/drivers/input/mousedev.c
23599 --- linux-2.6.33.1/drivers/input/mousedev.c 2010-03-15 12:09:39.000000000 -0400
23600 +++ linux-2.6.33.1/drivers/input/mousedev.c 2010-03-20 16:58:39.952834604 -0400
23601 @@ -760,7 +760,7 @@ static ssize_t mousedev_read(struct file
23603 spin_unlock_irq(&client->packet_lock);
23605 - if (copy_to_user(buffer, data, count))
23606 + if (count > sizeof(data) || copy_to_user(buffer, data, count))
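Review bot: The `count > sizeof(data)` test sits after `spin_unlock_irq()`, right before the copy to user space, so it can only stop the read-out. If `data` is filled under `packet_lock` using the same `count` (that part of mousedev_read is outside the hunk), an oversized `count` has already written past the buffer by the time this line runs. Put the bound in front of the fill instead, e.g. `if (count > sizeof(data)) count = sizeof(data);`, and leave this line as the plain `copy_to_user()` call.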
23610 @@ -1057,7 +1057,7 @@ static struct input_handler mousedev_han
23612 #ifdef CONFIG_INPUT_MOUSEDEV_PSAUX
23613 static struct miscdevice psaux_mouse = {
23614 - PSMOUSE_MINOR, "psaux", &mousedev_fops
23615 + PSMOUSE_MINOR, "psaux", &mousedev_fops, {NULL, NULL}, NULL, NULL
23617 static int psaux_registered;
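Review bot: The initializer for `psaux_mouse` stays positional and now spells out placeholder values for three more members, so it depends on the exact order and number of fields in `struct miscdevice`. Designated initializers say the same thing and leave the rest zeroed: `.minor = PSMOUSE_MINOR, .name = "psaux", .fops = &mousedev_fops,`.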
23619 diff -urNp linux-2.6.33.1/drivers/input/serio/i8042-x86ia64io.h linux-2.6.33.1/drivers/input/serio/i8042-x86ia64io.h
23620 --- linux-2.6.33.1/drivers/input/serio/i8042-x86ia64io.h 2010-03-15 12:09:39.000000000 -0400
23621 +++ linux-2.6.33.1/drivers/input/serio/i8042-x86ia64io.h 2010-03-20 16:58:39.964826079 -0400
23622 @@ -172,7 +172,7 @@ static const struct dmi_system_id __init
23623 DMI_MATCH(DMI_PRODUCT_VERSION, "Rev 1"),
23627 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
23631 @@ -402,7 +402,7 @@ static const struct dmi_system_id __init
23632 DMI_MATCH(DMI_PRODUCT_VERSION, "0100"),
23636 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
23639 static const struct dmi_system_id __initconst i8042_dmi_reset_table[] = {
23640 @@ -469,7 +469,7 @@ static const struct dmi_system_id __init
23641 DMI_MATCH(DMI_PRODUCT_NAME, "Vostro 1720"),
23645 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
23649 @@ -488,7 +488,7 @@ static const struct dmi_system_id __init
23650 DMI_MATCH(DMI_BOARD_VENDOR, "MICRO-STAR INTERNATIONAL CO., LTD"),
23654 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
23657 static const struct dmi_system_id __initconst i8042_dmi_laptop_table[] = {
23658 @@ -512,7 +512,7 @@ static const struct dmi_system_id __init
23659 DMI_MATCH(DMI_CHASSIS_TYPE, "14"), /* Sub-Notebook */
23663 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
23667 @@ -586,7 +586,7 @@ static const struct dmi_system_id __init
23668 DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 4280"),
23672 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
23675 #endif /* CONFIG_X86 */
23676 diff -urNp linux-2.6.33.1/drivers/input/serio/serio_raw.c linux-2.6.33.1/drivers/input/serio/serio_raw.c
23677 --- linux-2.6.33.1/drivers/input/serio/serio_raw.c 2010-03-15 12:09:39.000000000 -0400
23678 +++ linux-2.6.33.1/drivers/input/serio/serio_raw.c 2010-03-20 16:58:39.964826079 -0400
23679 @@ -377,7 +377,7 @@ static struct serio_device_id serio_raw_
23681 .extra = SERIO_ANY,
23687 MODULE_DEVICE_TABLE(serio, serio_raw_serio_ids);
23688 diff -urNp linux-2.6.33.1/drivers/isdn/gigaset/common.c linux-2.6.33.1/drivers/isdn/gigaset/common.c
23689 --- linux-2.6.33.1/drivers/isdn/gigaset/common.c 2010-03-15 12:09:39.000000000 -0400
23690 +++ linux-2.6.33.1/drivers/isdn/gigaset/common.c 2010-03-20 16:58:39.984838298 -0400
23691 @@ -732,7 +732,7 @@ struct cardstate *gigaset_initcs(struct
23692 cs->commands_pending = 0;
23693 cs->cur_at_seq = 0;
23695 - cs->open_count = 0;
23696 + atomic_set(&cs->open_count, 0);
23699 cs->tty_dev = NULL;
23700 diff -urNp linux-2.6.33.1/drivers/isdn/gigaset/gigaset.h linux-2.6.33.1/drivers/isdn/gigaset/gigaset.h
23701 --- linux-2.6.33.1/drivers/isdn/gigaset/gigaset.h 2010-03-15 12:09:39.000000000 -0400
23702 +++ linux-2.6.33.1/drivers/isdn/gigaset/gigaset.h 2010-03-20 16:58:39.988819691 -0400
23703 @@ -440,7 +440,7 @@ struct cardstate {
23704 spinlock_t cmdlock;
23705 unsigned curlen, cmdbytes;
23707 - unsigned open_count;
23708 + atomic_t open_count;
23709 struct tty_struct *tty;
23710 struct tasklet_struct if_wake_tasklet;
23711 unsigned control_state;
23712 diff -urNp linux-2.6.33.1/drivers/isdn/gigaset/interface.c linux-2.6.33.1/drivers/isdn/gigaset/interface.c
23713 --- linux-2.6.33.1/drivers/isdn/gigaset/interface.c 2010-03-15 12:09:39.000000000 -0400
23714 +++ linux-2.6.33.1/drivers/isdn/gigaset/interface.c 2010-03-20 16:58:39.996850965 -0400
23715 @@ -165,9 +165,7 @@ static int if_open(struct tty_struct *tt
23716 return -ERESTARTSYS;
23717 tty->driver_data = cs;
23719 - ++cs->open_count;
23721 - if (cs->open_count == 1) {
23722 + if (atomic_inc_return(&cs->open_count) == 1) {
23723 spin_lock_irqsave(&cs->lock, flags);
23725 spin_unlock_irqrestore(&cs->lock, flags);
23726 @@ -195,10 +193,10 @@ static void if_close(struct tty_struct *
23728 if (!cs->connected)
23729 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
23730 - else if (!cs->open_count)
23731 + else if (!atomic_read(&cs->open_count))
23732 dev_warn(cs->dev, "%s: device not opened\n", __func__);
23734 - if (!--cs->open_count) {
23735 + if (!atomic_dec_return(&cs->open_count)) {
23736 spin_lock_irqsave(&cs->lock, flags);
23738 spin_unlock_irqrestore(&cs->lock, flags);
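Review bot: In if_close the zero test `atomic_read(&cs->open_count)` and the later `atomic_dec_return(&cs->open_count)` are two separate atomic operations, so converting the counter to `atomic_t` does not by itself make check-then-decrement a single step. The `-ERESTARTSYS` return visible in the if_open hunk suggests these paths run under a lock taken outside the hunks; if so, a comment such as `/* open_count test and decrement are serialised by the lock taken above */` would record that dependency. Without such a lock, two concurrent closes could both pass the zero test before either decrements. if_close begins and ends outside the hunk.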
23739 @@ -233,7 +231,7 @@ static int if_ioctl(struct tty_struct *t
23740 if (!cs->connected) {
23741 gig_dbg(DEBUG_IF, "not connected");
23743 - } else if (!cs->open_count)
23744 + } else if (!atomic_read(&cs->open_count))
23745 dev_warn(cs->dev, "%s: device not opened\n", __func__);
23748 @@ -360,7 +358,7 @@ static int if_write(struct tty_struct *t
23749 if (!cs->connected) {
23750 gig_dbg(DEBUG_IF, "not connected");
23752 - } else if (!cs->open_count)
23753 + } else if (!atomic_read(&cs->open_count))
23754 dev_warn(cs->dev, "%s: device not opened\n", __func__);
23755 else if (cs->mstate != MS_LOCKED) {
23756 dev_warn(cs->dev, "can't write to unlocked device\n");
23757 @@ -394,7 +392,7 @@ static int if_write_room(struct tty_stru
23758 if (!cs->connected) {
23759 gig_dbg(DEBUG_IF, "not connected");
23761 - } else if (!cs->open_count)
23762 + } else if (!atomic_read(&cs->open_count))
23763 dev_warn(cs->dev, "%s: device not opened\n", __func__);
23764 else if (cs->mstate != MS_LOCKED) {
23765 dev_warn(cs->dev, "can't write to unlocked device\n");
23766 @@ -424,7 +422,7 @@ static int if_chars_in_buffer(struct tty
23768 if (!cs->connected)
23769 gig_dbg(DEBUG_IF, "not connected");
23770 - else if (!cs->open_count)
23771 + else if (!atomic_read(&cs->open_count))
23772 dev_warn(cs->dev, "%s: device not opened\n", __func__);
23773 else if (cs->mstate != MS_LOCKED)
23774 dev_warn(cs->dev, "can't write to unlocked device\n");
23775 @@ -452,7 +450,7 @@ static void if_throttle(struct tty_struc
23777 if (!cs->connected)
23778 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
23779 - else if (!cs->open_count)
23780 + else if (!atomic_read(&cs->open_count))
23781 dev_warn(cs->dev, "%s: device not opened\n", __func__);
23783 gig_dbg(DEBUG_ANY, "%s: not implemented\n", __func__);
23784 @@ -476,7 +474,7 @@ static void if_unthrottle(struct tty_str
23786 if (!cs->connected)
23787 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
23788 - else if (!cs->open_count)
23789 + else if (!atomic_read(&cs->open_count))
23790 dev_warn(cs->dev, "%s: device not opened\n", __func__);
23792 gig_dbg(DEBUG_ANY, "%s: not implemented\n", __func__);
23793 @@ -507,7 +505,7 @@ static void if_set_termios(struct tty_st
23797 - if (!cs->open_count) {
23798 + if (!atomic_read(&cs->open_count)) {
23799 dev_warn(cs->dev, "%s: device not opened\n", __func__);
23802 diff -urNp linux-2.6.33.1/drivers/isdn/hardware/avm/b1.c linux-2.6.33.1/drivers/isdn/hardware/avm/b1.c
23803 --- linux-2.6.33.1/drivers/isdn/hardware/avm/b1.c 2010-03-15 12:09:39.000000000 -0400
23804 +++ linux-2.6.33.1/drivers/isdn/hardware/avm/b1.c 2010-03-20 16:58:40.004515803 -0400
23805 @@ -173,7 +173,7 @@ int b1_load_t4file(avmcard *card, capilo
23808 if (t4file->user) {
23809 - if (copy_from_user(buf, dp, left))
23810 + if (left > sizeof(buf) || copy_from_user(buf, dp, left))
23813 memcpy(buf, dp, left);
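Review bot: The new `left > sizeof(buf)` bound guards only the `copy_from_user()` branch; the `memcpy(buf, dp, left)` on the kernel-buffer branch (the context line after it) still copies `left` bytes unchecked. Moving the test ahead of the `t4file->user` branch, as `if (left > sizeof(buf))` followed by the error return this path already uses, would cover both copies. The check also assumes `buf` is declared as an array rather than a pointer; the declaration is outside the hunk, so that is worth confirming. The same shape recurs in the b1_load_config hunk below and in the icn_writecmd hunk in drivers/isdn/icn/icn.c (`count > sizeof(msg)`).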
23814 @@ -221,7 +221,7 @@ int b1_load_config(avmcard *card, capilo
23817 if (config->user) {
23818 - if (copy_from_user(buf, dp, left))
23819 + if (left > sizeof(buf) || copy_from_user(buf, dp, left))
23822 memcpy(buf, dp, left);
23823 diff -urNp linux-2.6.33.1/drivers/isdn/icn/icn.c linux-2.6.33.1/drivers/isdn/icn/icn.c
23824 --- linux-2.6.33.1/drivers/isdn/icn/icn.c 2010-03-15 12:09:39.000000000 -0400
23825 +++ linux-2.6.33.1/drivers/isdn/icn/icn.c 2010-03-20 16:58:40.012833882 -0400
23826 @@ -1044,7 +1044,7 @@ icn_writecmd(const u_char * buf, int len
23830 - if (copy_from_user(msg, buf, count))
23831 + if (count > sizeof(msg) || copy_from_user(msg, buf, count))
23834 memcpy(msg, buf, count);
23835 diff -urNp linux-2.6.33.1/drivers/lguest/core.c linux-2.6.33.1/drivers/lguest/core.c
23836 --- linux-2.6.33.1/drivers/lguest/core.c 2010-03-15 12:09:39.000000000 -0400
23837 +++ linux-2.6.33.1/drivers/lguest/core.c 2010-03-20 16:58:40.012833882 -0400
23838 @@ -91,9 +91,17 @@ static __init int map_switcher(void)
23839 * it's worked so far. The end address needs +1 because __get_vm_area
23840 * allocates an extra guard page, so we need space for that.
23843 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
23844 + switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
23845 + VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR
23846 + + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
23848 switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
23849 VM_ALLOC, SWITCHER_ADDR, SWITCHER_ADDR
23850 + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
23853 if (!switcher_vma) {
23855 printk("lguest: could not map switcher pages high\n");
23856 diff -urNp linux-2.6.33.1/drivers/macintosh/via-pmu-backlight.c linux-2.6.33.1/drivers/macintosh/via-pmu-backlight.c
23857 --- linux-2.6.33.1/drivers/macintosh/via-pmu-backlight.c 2010-03-15 12:09:39.000000000 -0400
23858 +++ linux-2.6.33.1/drivers/macintosh/via-pmu-backlight.c 2010-03-20 16:58:40.016740354 -0400
23861 #define MAX_PMU_LEVEL 0xFF
23863 -static struct backlight_ops pmu_backlight_data;
23864 +static const struct backlight_ops pmu_backlight_data;
23865 static DEFINE_SPINLOCK(pmu_backlight_lock);
23866 static int sleeping, uses_pmu_bl;
23867 static u8 bl_curve[FB_BACKLIGHT_LEVELS];
23868 @@ -115,7 +115,7 @@ static int pmu_backlight_get_brightness(
23869 return bd->props.brightness;
23872 -static struct backlight_ops pmu_backlight_data = {
23873 +static const struct backlight_ops pmu_backlight_data = {
23874 .get_brightness = pmu_backlight_get_brightness,
23875 .update_status = pmu_backlight_update_status,
23877 diff -urNp linux-2.6.33.1/drivers/macintosh/via-pmu.c linux-2.6.33.1/drivers/macintosh/via-pmu.c
23878 --- linux-2.6.33.1/drivers/macintosh/via-pmu.c 2010-03-15 12:09:39.000000000 -0400
23879 +++ linux-2.6.33.1/drivers/macintosh/via-pmu.c 2010-03-20 16:58:40.028838991 -0400
23880 @@ -2254,7 +2254,7 @@ static int pmu_sleep_valid(suspend_state
23881 && (pmac_call_feature(PMAC_FTR_SLEEP_STATE, NULL, 0, -1) >= 0);
23884 -static struct platform_suspend_ops pmu_pm_ops = {
23885 +static const struct platform_suspend_ops pmu_pm_ops = {
23886 .enter = powerbook_sleep,
23887 .valid = pmu_sleep_valid,
23889 diff -urNp linux-2.6.33.1/drivers/md/bitmap.c linux-2.6.33.1/drivers/md/bitmap.c
23890 --- linux-2.6.33.1/drivers/md/bitmap.c 2010-03-15 12:09:39.000000000 -0400
23891 +++ linux-2.6.33.1/drivers/md/bitmap.c 2010-03-20 16:58:40.032827823 -0400
23894 # define PRINTK(x...) printk(KERN_DEBUG x)
23896 -# define PRINTK(x...)
23897 +# define PRINTK(x...) do {} while (0)
23901 diff -urNp linux-2.6.33.1/drivers/md/dm-sysfs.c linux-2.6.33.1/drivers/md/dm-sysfs.c
23902 --- linux-2.6.33.1/drivers/md/dm-sysfs.c 2010-03-15 12:09:39.000000000 -0400
23903 +++ linux-2.6.33.1/drivers/md/dm-sysfs.c 2010-03-20 16:58:40.040842627 -0400
23904 @@ -75,7 +75,7 @@ static struct attribute *dm_attrs[] = {
23908 -static struct sysfs_ops dm_sysfs_ops = {
23909 +static const struct sysfs_ops dm_sysfs_ops = {
23910 .show = dm_attr_show,
23913 diff -urNp linux-2.6.33.1/drivers/md/dm-table.c linux-2.6.33.1/drivers/md/dm-table.c
23914 --- linux-2.6.33.1/drivers/md/dm-table.c 2010-03-15 12:09:39.000000000 -0400
23915 +++ linux-2.6.33.1/drivers/md/dm-table.c 2010-03-20 16:58:40.048835074 -0400
23916 @@ -363,7 +363,7 @@ static int device_area_is_invalid(struct
23920 - if ((start >= dev_size) || (start + len > dev_size)) {
23921 + if ((start >= dev_size) || (len > dev_size - start)) {
23922 DMWARN("%s: %s too small for target: "
23923 "start=%llu, len=%llu, dev_size=%llu",
23924 dm_device_name(ti->table->md), bdevname(bdev, b),
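Review bot: The rewritten bound `len > dev_size - start` is wrap-safe only because `start >= dev_size` is tested first in the same `||`. Nothing on the line says so, and reordering or splitting the condition later would reintroduce an unsigned underflow. A one-line comment above it would pin that down, e.g. `/* start < dev_size here, so dev_size - start cannot wrap */`. device_area_is_invalid begins and ends outside the hunk.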
23925 diff -urNp linux-2.6.33.1/drivers/md/md.c linux-2.6.33.1/drivers/md/md.c
23926 --- linux-2.6.33.1/drivers/md/md.c 2010-03-15 12:09:39.000000000 -0400
23927 +++ linux-2.6.33.1/drivers/md/md.c 2010-03-20 16:58:40.084837077 -0400
23928 @@ -2642,7 +2642,7 @@ static void rdev_free(struct kobject *ko
23929 mdk_rdev_t *rdev = container_of(ko, mdk_rdev_t, kobj);
23932 -static struct sysfs_ops rdev_sysfs_ops = {
23933 +static const struct sysfs_ops rdev_sysfs_ops = {
23934 .show = rdev_attr_show,
23935 .store = rdev_attr_store,
23937 @@ -4059,7 +4059,7 @@ static void md_free(struct kobject *ko)
23941 -static struct sysfs_ops md_sysfs_ops = {
23942 +static const struct sysfs_ops md_sysfs_ops = {
23943 .show = md_attr_show,
23944 .store = md_attr_store,
23946 @@ -6187,7 +6187,7 @@ static int md_seq_show(struct seq_file *
23947 chunk_kb ? "KB" : "B");
23948 if (bitmap->file) {
23949 seq_printf(seq, ", file: ");
23950 - seq_path(seq, &bitmap->file->f_path, " \t\n");
23951 + seq_path(seq, &bitmap->file->f_path, " \t\n\\");
23954 seq_printf(seq, "\n");
23955 @@ -6281,7 +6281,7 @@ static int is_mddev_idle(mddev_t *mddev,
23956 struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
23957 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
23958 (int)part_stat_read(&disk->part0, sectors[1]) -
23959 - atomic_read(&disk->sync_io);
23960 + atomic_read_unchecked(&disk->sync_io);
23961 /* sync IO will cause sync_io to increase before the disk_stats
23962 * as sync_io is counted when a request starts, and
23963 * disk_stats is counted when it completes.
23964 diff -urNp linux-2.6.33.1/drivers/md/md.h linux-2.6.33.1/drivers/md/md.h
23965 --- linux-2.6.33.1/drivers/md/md.h 2010-03-15 12:09:39.000000000 -0400
23966 +++ linux-2.6.33.1/drivers/md/md.h 2010-03-20 16:58:40.084837077 -0400
23967 @@ -327,7 +327,7 @@ static inline void rdev_dec_pending(mdk_
23969 static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
23971 - atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
23972 + atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
23975 struct mdk_personality
23976 diff -urNp linux-2.6.33.1/drivers/media/dvb/dvb-core/dvbdev.c linux-2.6.33.1/drivers/media/dvb/dvb-core/dvbdev.c
23977 --- linux-2.6.33.1/drivers/media/dvb/dvb-core/dvbdev.c 2010-03-15 12:09:39.000000000 -0400
23978 +++ linux-2.6.33.1/drivers/media/dvb/dvb-core/dvbdev.c 2010-03-20 16:58:40.088543139 -0400
23979 @@ -191,6 +191,7 @@ int dvb_register_device(struct dvb_adapt
23980 const struct dvb_device *template, void *priv, int type)
23982 struct dvb_device *dvbdev;
23983 + /* cannot be const */
23984 struct file_operations *dvbdevfops;
23985 struct device *clsdev;
23987 diff -urNp linux-2.6.33.1/drivers/media/radio/radio-cadet.c linux-2.6.33.1/drivers/media/radio/radio-cadet.c
23988 --- linux-2.6.33.1/drivers/media/radio/radio-cadet.c 2010-03-15 12:09:39.000000000 -0400
23989 +++ linux-2.6.33.1/drivers/media/radio/radio-cadet.c 2010-03-20 16:58:40.096832684 -0400
23990 @@ -347,7 +347,7 @@ static ssize_t cadet_read(struct file *f
23991 while (i < count && dev->rdsin != dev->rdsout)
23992 readbuf[i++] = dev->rdsbuf[dev->rdsout++];
23994 - if (copy_to_user(data, readbuf, i))
23995 + if (i > sizeof(readbuf) || copy_to_user(data, readbuf, i))
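Review bot: The added `i > sizeof(readbuf)` test runs after the `while` loop has already stored into `readbuf[i++]`, so if `i` could ever exceed the buffer, the out-of-bounds write has happened before the check fires. The bound belongs in the loop condition, e.g. `while (i < count && i < sizeof(readbuf) && dev->rdsin != dev->rdsout)`, with the pre-copy test kept as a backstop. The declaration of `readbuf` and any earlier clamp on `count` are outside the hunk, so whether the loop is already bounded cannot be confirmed from here.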
23999 diff -urNp linux-2.6.33.1/drivers/message/i2o/i2o_proc.c linux-2.6.33.1/drivers/message/i2o/i2o_proc.c
24000 --- linux-2.6.33.1/drivers/message/i2o/i2o_proc.c 2010-03-15 12:09:39.000000000 -0400
24001 +++ linux-2.6.33.1/drivers/message/i2o/i2o_proc.c 2010-03-20 16:58:40.104831679 -0400
24002 @@ -259,13 +259,6 @@ static char *scsi_devices[] = {
24003 "Array Controller Device"
24006 -static char *chtostr(u8 * chars, int n)
24010 - return strncat(tmp, (char *)chars, n);
24013 static int i2o_report_query_status(struct seq_file *seq, int block_status,
24016 @@ -842,8 +835,7 @@ static int i2o_seq_show_ddm_table(struct
24018 seq_printf(seq, "%-#7x", ddm_table.i2o_vendor_id);
24019 seq_printf(seq, "%-#8x", ddm_table.module_id);
24020 - seq_printf(seq, "%-29s",
24021 - chtostr(ddm_table.module_name_version, 28));
24022 + seq_printf(seq, "%-.28s", ddm_table.module_name_version);
24023 seq_printf(seq, "%9d ", ddm_table.data_size);
24024 seq_printf(seq, "%8d", ddm_table.code_size);
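Review bot: Replacing `"%-29s"` with `"%-.28s"` keeps the 28-byte read limit but drops the field width, so the `-` flag has nothing to pad and the `%9d`/`%8d` columns that follow will no longer line up for short names. `"%-29.28s"` bounds the read and preserves the previous table layout. The i2o_seq_show_drivers_stored hunk below has the same regression and would take `"%-29.28s"` and `"%-9.8s"`. Anything that parses this proc output by column position would otherwise see a format change.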
24026 @@ -944,8 +936,8 @@ static int i2o_seq_show_drivers_stored(s
24028 seq_printf(seq, "%-#7x", dst->i2o_vendor_id);
24029 seq_printf(seq, "%-#8x", dst->module_id);
24030 - seq_printf(seq, "%-29s", chtostr(dst->module_name_version, 28));
24031 - seq_printf(seq, "%-9s", chtostr(dst->date, 8));
24032 + seq_printf(seq, "%-.28s", dst->module_name_version);
24033 + seq_printf(seq, "%-.8s", dst->date);
24034 seq_printf(seq, "%8d ", dst->module_size);
24035 seq_printf(seq, "%8d ", dst->mpb_size);
24036 seq_printf(seq, "0x%04x", dst->module_flags);
24037 @@ -1276,14 +1268,10 @@ static int i2o_seq_show_dev_identity(str
24038 seq_printf(seq, "Device Class : %s\n", i2o_get_class_name(work16[0]));
24039 seq_printf(seq, "Owner TID : %0#5x\n", work16[2]);
24040 seq_printf(seq, "Parent TID : %0#5x\n", work16[3]);
24041 - seq_printf(seq, "Vendor info : %s\n",
24042 - chtostr((u8 *) (work32 + 2), 16));
24043 - seq_printf(seq, "Product info : %s\n",
24044 - chtostr((u8 *) (work32 + 6), 16));
24045 - seq_printf(seq, "Description : %s\n",
24046 - chtostr((u8 *) (work32 + 10), 16));
24047 - seq_printf(seq, "Product rev. : %s\n",
24048 - chtostr((u8 *) (work32 + 14), 8));
24049 + seq_printf(seq, "Vendor info : %.16s\n", (u8 *) (work32 + 2));
24050 + seq_printf(seq, "Product info : %.16s\n", (u8 *) (work32 + 6));
24051 + seq_printf(seq, "Description : %.16s\n", (u8 *) (work32 + 10));
24052 + seq_printf(seq, "Product rev. : %.8s\n", (u8 *) (work32 + 14));
24054 seq_printf(seq, "Serial number : ");
24055 print_serial_number(seq, (u8 *) (work32 + 16),
24056 @@ -1328,10 +1316,8 @@ static int i2o_seq_show_ddm_identity(str
24059 seq_printf(seq, "Registering DDM TID : 0x%03x\n", result.ddm_tid);
24060 - seq_printf(seq, "Module name : %s\n",
24061 - chtostr(result.module_name, 24));
24062 - seq_printf(seq, "Module revision : %s\n",
24063 - chtostr(result.module_rev, 8));
24064 + seq_printf(seq, "Module name : %.24s\n", result.module_name);
24065 + seq_printf(seq, "Module revision : %.8s\n", result.module_rev);
24067 seq_printf(seq, "Serial number : ");
24068 print_serial_number(seq, result.serial_number, sizeof(result) - 36);
24069 @@ -1362,14 +1348,10 @@ static int i2o_seq_show_uinfo(struct seq
24073 - seq_printf(seq, "Device name : %s\n",
24074 - chtostr(result.device_name, 64));
24075 - seq_printf(seq, "Service name : %s\n",
24076 - chtostr(result.service_name, 64));
24077 - seq_printf(seq, "Physical name : %s\n",
24078 - chtostr(result.physical_location, 64));
24079 - seq_printf(seq, "Instance number : %s\n",
24080 - chtostr(result.instance_number, 4));
24081 + seq_printf(seq, "Device name : %.64s\n", result.device_name);
24082 + seq_printf(seq, "Service name : %.64s\n", result.service_name);
24083 + seq_printf(seq, "Physical name : %.64s\n", result.physical_location);
24084 + seq_printf(seq, "Instance number : %.4s\n", result.instance_number);
24088 diff -urNp linux-2.6.33.1/drivers/misc/kgdbts.c linux-2.6.33.1/drivers/misc/kgdbts.c
24089 --- linux-2.6.33.1/drivers/misc/kgdbts.c 2010-03-15 12:09:39.000000000 -0400
24090 +++ linux-2.6.33.1/drivers/misc/kgdbts.c 2010-03-20 16:58:40.120597489 -0400
24091 @@ -118,7 +118,7 @@
24093 #define MAX_CONFIG_LEN 40
24095 -static struct kgdb_io kgdbts_io_ops;
24096 +static const struct kgdb_io kgdbts_io_ops;
24097 static char get_buf[BUFMAX];
24098 static int get_buf_cnt;
24099 static char put_buf[BUFMAX];
24100 @@ -1108,7 +1108,7 @@ static void kgdbts_post_exp_handler(void
24101 module_put(THIS_MODULE);
24104 -static struct kgdb_io kgdbts_io_ops = {
24105 +static const struct kgdb_io kgdbts_io_ops = {
24107 .read_char = kgdbts_get_char,
24108 .write_char = kgdbts_put_char,
24109 diff -urNp linux-2.6.33.1/drivers/misc/sgi-gru/gruhandles.c linux-2.6.33.1/drivers/misc/sgi-gru/gruhandles.c
24110 --- linux-2.6.33.1/drivers/misc/sgi-gru/gruhandles.c 2010-03-15 12:09:39.000000000 -0400
24111 +++ linux-2.6.33.1/drivers/misc/sgi-gru/gruhandles.c 2010-03-20 16:58:40.120597489 -0400
24112 @@ -44,8 +44,8 @@ static void update_mcs_stats(enum mcs_op
24113 unsigned long nsec;
24115 nsec = CLKS2NSEC(clks);
24116 - atomic_long_inc(&mcs_op_statistics[op].count);
24117 - atomic_long_add(nsec, &mcs_op_statistics[op].total);
24118 + atomic_long_inc_unchecked(&mcs_op_statistics[op].count);
24119 + atomic_long_add_unchecked(nsec, &mcs_op_statistics[op].total);
24120 if (mcs_op_statistics[op].max < nsec)
24121 mcs_op_statistics[op].max = nsec;
24123 diff -urNp linux-2.6.33.1/drivers/misc/sgi-gru/gruprocfs.c linux-2.6.33.1/drivers/misc/sgi-gru/gruprocfs.c
24124 --- linux-2.6.33.1/drivers/misc/sgi-gru/gruprocfs.c 2010-03-15 12:09:39.000000000 -0400
24125 +++ linux-2.6.33.1/drivers/misc/sgi-gru/gruprocfs.c 2010-03-20 16:58:40.120597489 -0400
24128 #define printstat(s, f) printstat_val(s, &gru_stats.f, #f)
24130 -static void printstat_val(struct seq_file *s, atomic_long_t *v, char *id)
24131 +static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, char *id)
24133 - unsigned long val = atomic_long_read(v);
24134 + unsigned long val = atomic_long_read_unchecked(v);
24136 seq_printf(s, "%16lu %s\n", val, id);
24138 @@ -134,8 +134,8 @@ static int mcs_statistics_show(struct se
24140 seq_printf(s, "%-20s%12s%12s%12s\n", "#id", "count", "aver-clks", "max-clks");
24141 for (op = 0; op < mcsop_last; op++) {
24142 - count = atomic_long_read(&mcs_op_statistics[op].count);
24143 - total = atomic_long_read(&mcs_op_statistics[op].total);
24144 + count = atomic_long_read_unchecked(&mcs_op_statistics[op].count);
24145 + total = atomic_long_read_unchecked(&mcs_op_statistics[op].total);
24146 max = mcs_op_statistics[op].max;
24147 seq_printf(s, "%-20s%12ld%12ld%12ld\n", id[op], count,
24148 count ? total / count : 0, max);
24149 diff -urNp linux-2.6.33.1/drivers/misc/sgi-gru/grutables.h linux-2.6.33.1/drivers/misc/sgi-gru/grutables.h
24150 --- linux-2.6.33.1/drivers/misc/sgi-gru/grutables.h 2010-03-15 12:09:39.000000000 -0400
24151 +++ linux-2.6.33.1/drivers/misc/sgi-gru/grutables.h 2010-03-20 16:58:40.124833908 -0400
24152 @@ -167,82 +167,82 @@ extern unsigned int gru_max_gids;
24155 struct gru_stats_s {
24156 - atomic_long_t vdata_alloc;
24157 - atomic_long_t vdata_free;
24158 - atomic_long_t gts_alloc;
24159 - atomic_long_t gts_free;
24160 - atomic_long_t gms_alloc;
24161 - atomic_long_t gms_free;
24162 - atomic_long_t gts_double_allocate;
24163 - atomic_long_t assign_context;
24164 - atomic_long_t assign_context_failed;
24165 - atomic_long_t free_context;
24166 - atomic_long_t load_user_context;
24167 - atomic_long_t load_kernel_context;
24168 - atomic_long_t lock_kernel_context;
24169 - atomic_long_t unlock_kernel_context;
24170 - atomic_long_t steal_user_context;
24171 - atomic_long_t steal_kernel_context;
24172 - atomic_long_t steal_context_failed;
24173 - atomic_long_t nopfn;
24174 - atomic_long_t asid_new;
24175 - atomic_long_t asid_next;
24176 - atomic_long_t asid_wrap;
24177 - atomic_long_t asid_reuse;
24178 - atomic_long_t intr;
24179 - atomic_long_t intr_cbr;
24180 - atomic_long_t intr_tfh;
24181 - atomic_long_t intr_spurious;
24182 - atomic_long_t intr_mm_lock_failed;
24183 - atomic_long_t call_os;
24184 - atomic_long_t call_os_wait_queue;
24185 - atomic_long_t user_flush_tlb;
24186 - atomic_long_t user_unload_context;
24187 - atomic_long_t user_exception;
24188 - atomic_long_t set_context_option;
24189 - atomic_long_t check_context_retarget_intr;
24190 - atomic_long_t check_context_unload;
24191 - atomic_long_t tlb_dropin;
24192 - atomic_long_t tlb_preload_page;
24193 - atomic_long_t tlb_dropin_fail_no_asid;
24194 - atomic_long_t tlb_dropin_fail_upm;
24195 - atomic_long_t tlb_dropin_fail_invalid;
24196 - atomic_long_t tlb_dropin_fail_range_active;
24197 - atomic_long_t tlb_dropin_fail_idle;
24198 - atomic_long_t tlb_dropin_fail_fmm;
24199 - atomic_long_t tlb_dropin_fail_no_exception;
24200 - atomic_long_t tfh_stale_on_fault;
24201 - atomic_long_t mmu_invalidate_range;
24202 - atomic_long_t mmu_invalidate_page;
24203 - atomic_long_t flush_tlb;
24204 - atomic_long_t flush_tlb_gru;
24205 - atomic_long_t flush_tlb_gru_tgh;
24206 - atomic_long_t flush_tlb_gru_zero_asid;
24208 - atomic_long_t copy_gpa;
24209 - atomic_long_t read_gpa;
24211 - atomic_long_t mesq_receive;
24212 - atomic_long_t mesq_receive_none;
24213 - atomic_long_t mesq_send;
24214 - atomic_long_t mesq_send_failed;
24215 - atomic_long_t mesq_noop;
24216 - atomic_long_t mesq_send_unexpected_error;
24217 - atomic_long_t mesq_send_lb_overflow;
24218 - atomic_long_t mesq_send_qlimit_reached;
24219 - atomic_long_t mesq_send_amo_nacked;
24220 - atomic_long_t mesq_send_put_nacked;
24221 - atomic_long_t mesq_page_overflow;
24222 - atomic_long_t mesq_qf_locked;
24223 - atomic_long_t mesq_qf_noop_not_full;
24224 - atomic_long_t mesq_qf_switch_head_failed;
24225 - atomic_long_t mesq_qf_unexpected_error;
24226 - atomic_long_t mesq_noop_unexpected_error;
24227 - atomic_long_t mesq_noop_lb_overflow;
24228 - atomic_long_t mesq_noop_qlimit_reached;
24229 - atomic_long_t mesq_noop_amo_nacked;
24230 - atomic_long_t mesq_noop_put_nacked;
24231 - atomic_long_t mesq_noop_page_overflow;
24232 + atomic_long_unchecked_t vdata_alloc;
24233 + atomic_long_unchecked_t vdata_free;
24234 + atomic_long_unchecked_t gts_alloc;
24235 + atomic_long_unchecked_t gts_free;
24236 + atomic_long_unchecked_t gms_alloc;
24237 + atomic_long_unchecked_t gms_free;
24238 + atomic_long_unchecked_t gts_double_allocate;
24239 + atomic_long_unchecked_t assign_context;
24240 + atomic_long_unchecked_t assign_context_failed;
24241 + atomic_long_unchecked_t free_context;
24242 + atomic_long_unchecked_t load_user_context;
24243 + atomic_long_unchecked_t load_kernel_context;
24244 + atomic_long_unchecked_t lock_kernel_context;
24245 + atomic_long_unchecked_t unlock_kernel_context;
24246 + atomic_long_unchecked_t steal_user_context;
24247 + atomic_long_unchecked_t steal_kernel_context;
24248 + atomic_long_unchecked_t steal_context_failed;
24249 + atomic_long_unchecked_t nopfn;
24250 + atomic_long_unchecked_t asid_new;
24251 + atomic_long_unchecked_t asid_next;
24252 + atomic_long_unchecked_t asid_wrap;
24253 + atomic_long_unchecked_t asid_reuse;
24254 + atomic_long_unchecked_t intr;
24255 + atomic_long_unchecked_t intr_cbr;
24256 + atomic_long_unchecked_t intr_tfh;
24257 + atomic_long_unchecked_t intr_spurious;
24258 + atomic_long_unchecked_t intr_mm_lock_failed;
24259 + atomic_long_unchecked_t call_os;
24260 + atomic_long_unchecked_t call_os_wait_queue;
24261 + atomic_long_unchecked_t user_flush_tlb;
24262 + atomic_long_unchecked_t user_unload_context;
24263 + atomic_long_unchecked_t user_exception;
24264 + atomic_long_unchecked_t set_context_option;
24265 + atomic_long_unchecked_t check_context_retarget_intr;
24266 + atomic_long_unchecked_t check_context_unload;
24267 + atomic_long_unchecked_t tlb_dropin;
24268 + atomic_long_unchecked_t tlb_preload_page;
24269 + atomic_long_unchecked_t tlb_dropin_fail_no_asid;
24270 + atomic_long_unchecked_t tlb_dropin_fail_upm;
24271 + atomic_long_unchecked_t tlb_dropin_fail_invalid;
24272 + atomic_long_unchecked_t tlb_dropin_fail_range_active;
24273 + atomic_long_unchecked_t tlb_dropin_fail_idle;
24274 + atomic_long_unchecked_t tlb_dropin_fail_fmm;
24275 + atomic_long_unchecked_t tlb_dropin_fail_no_exception;
24276 + atomic_long_unchecked_t tfh_stale_on_fault;
24277 + atomic_long_unchecked_t mmu_invalidate_range;
24278 + atomic_long_unchecked_t mmu_invalidate_page;
24279 + atomic_long_unchecked_t flush_tlb;
24280 + atomic_long_unchecked_t flush_tlb_gru;
24281 + atomic_long_unchecked_t flush_tlb_gru_tgh;
24282 + atomic_long_unchecked_t flush_tlb_gru_zero_asid;
24284 + atomic_long_unchecked_t copy_gpa;
24285 + atomic_long_unchecked_t read_gpa;
24287 + atomic_long_unchecked_t mesq_receive;
24288 + atomic_long_unchecked_t mesq_receive_none;
24289 + atomic_long_unchecked_t mesq_send;
24290 + atomic_long_unchecked_t mesq_send_failed;
24291 + atomic_long_unchecked_t mesq_noop;
24292 + atomic_long_unchecked_t mesq_send_unexpected_error;
24293 + atomic_long_unchecked_t mesq_send_lb_overflow;
24294 + atomic_long_unchecked_t mesq_send_qlimit_reached;
24295 + atomic_long_unchecked_t mesq_send_amo_nacked;
24296 + atomic_long_unchecked_t mesq_send_put_nacked;
24297 + atomic_long_unchecked_t mesq_page_overflow;
24298 + atomic_long_unchecked_t mesq_qf_locked;
24299 + atomic_long_unchecked_t mesq_qf_noop_not_full;
24300 + atomic_long_unchecked_t mesq_qf_switch_head_failed;
24301 + atomic_long_unchecked_t mesq_qf_unexpected_error;
24302 + atomic_long_unchecked_t mesq_noop_unexpected_error;
24303 + atomic_long_unchecked_t mesq_noop_lb_overflow;
24304 + atomic_long_unchecked_t mesq_noop_qlimit_reached;
24305 + atomic_long_unchecked_t mesq_noop_amo_nacked;
24306 + atomic_long_unchecked_t mesq_noop_put_nacked;
24307 + atomic_long_unchecked_t mesq_noop_page_overflow;
24311 @@ -251,8 +251,8 @@ enum mcs_op {cchop_allocate, cchop_start
24312 tghop_invalidate, mcsop_last};
24314 struct mcs_op_statistic {
24315 - atomic_long_t count;
24316 - atomic_long_t total;
24317 + atomic_long_unchecked_t count;
24318 + atomic_long_unchecked_t total;
24322 @@ -275,7 +275,7 @@ extern struct mcs_op_statistic mcs_op_st
24324 #define STAT(id) do { \
24325 if (gru_options & OPT_STATS) \
24326 - atomic_long_inc(&gru_stats.id); \
24327 + atomic_long_inc_unchecked(&gru_stats.id); \
24330 #ifdef CONFIG_SGI_GRU_DEBUG
24331 diff -urNp linux-2.6.33.1/drivers/mtd/devices/doc2000.c linux-2.6.33.1/drivers/mtd/devices/doc2000.c
24332 --- linux-2.6.33.1/drivers/mtd/devices/doc2000.c 2010-03-15 12:09:39.000000000 -0400
24333 +++ linux-2.6.33.1/drivers/mtd/devices/doc2000.c 2010-03-20 16:58:40.128534904 -0400
24334 @@ -776,7 +776,7 @@ static int doc_write(struct mtd_info *mt
24336 /* The ECC will not be calculated correctly if less than 512 is written */
24338 - if (len != 0x200 && eccbuf)
24339 + if (len != 0x200)
24340 printk(KERN_WARNING
24341 "ECC needs a full sector write (adr: %lx size %lx)\n",
24342 (long) to, (long) len);
24343 diff -urNp linux-2.6.33.1/drivers/mtd/devices/doc2001.c linux-2.6.33.1/drivers/mtd/devices/doc2001.c
24344 --- linux-2.6.33.1/drivers/mtd/devices/doc2001.c 2010-03-15 12:09:39.000000000 -0400
24345 +++ linux-2.6.33.1/drivers/mtd/devices/doc2001.c 2010-03-20 17:13:45.197003644 -0400
24346 @@ -393,7 +393,7 @@ static int doc_read (struct mtd_info *mt
24347 struct Nand *mychip = &this->chips[from >> (this->chipshift)];
24349 /* Don't allow read past end of device */
24350 - if (from >= this->totlen)
24351 + if (from >= this->totlen || !len)
24354 /* Don't allow a single read to cross a 512-byte block boundary */
24355 diff -urNp linux-2.6.33.1/drivers/mtd/ubi/build.c linux-2.6.33.1/drivers/mtd/ubi/build.c
24356 --- linux-2.6.33.1/drivers/mtd/ubi/build.c 2010-03-15 12:09:39.000000000 -0400
24357 +++ linux-2.6.33.1/drivers/mtd/ubi/build.c 2010-03-20 16:58:40.128534904 -0400
24358 @@ -1255,7 +1255,7 @@ module_exit(ubi_exit);
24359 static int __init bytes_str_to_int(const char *str)
24362 - unsigned long result;
24363 + unsigned long result, scale = 1;
24365 result = simple_strtoul(str, &endp, 0);
24366 if (str == endp || result >= INT_MAX) {
24367 @@ -1266,11 +1266,11 @@ static int __init bytes_str_to_int(const
24379 if (endp[1] == 'i' && endp[2] == 'B')
24382 @@ -1281,7 +1281,13 @@ static int __init bytes_str_to_int(const
24387 + if ((intoverflow_t)result*scale >= INT_MAX) {
24388 + printk(KERN_ERR "UBI error: incorrect bytes count: \"%s\"\n",
24393 + return result*scale;
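Review bot: The new overflow test `(intoverflow_t)result*scale >= INT_MAX` is sound on a target with a 32-bit `unsigned long` only if `intoverflow_t` is wider than that, and its definition is not in this patch section. A division form such as `if (result > INT_MAX / scale)` does not depend on a wider type. The product is also recomputed in plain `unsigned long` by `return result*scale;`; computing it once into a local and both checking and returning that local would keep the two in agreement. Several lines of bytes_str_to_int, including the assignments to `scale`, are not visible here.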
24397 diff -urNp linux-2.6.33.1/drivers/net/e1000e/82571.c linux-2.6.33.1/drivers/net/e1000e/82571.c
24398 --- linux-2.6.33.1/drivers/net/e1000e/82571.c 2010-03-15 12:09:39.000000000 -0400
24399 +++ linux-2.6.33.1/drivers/net/e1000e/82571.c 2010-03-20 16:58:40.152824721 -0400
24400 @@ -207,6 +207,7 @@ static s32 e1000_init_mac_params_82571(s
24402 struct e1000_hw *hw = &adapter->hw;
24403 struct e1000_mac_info *mac = &hw->mac;
24404 + /* cannot be const */
24405 struct e1000_mac_operations *func = &mac->ops;
24408 @@ -1688,7 +1689,7 @@ static void e1000_clear_hw_cntrs_82571(s
24412 -static struct e1000_mac_operations e82571_mac_ops = {
24413 +static const struct e1000_mac_operations e82571_mac_ops = {
24414 /* .check_mng_mode: mac type dependent */
24415 /* .check_for_link: media type dependent */
24416 .id_led_init = e1000e_id_led_init,
24417 @@ -1708,7 +1709,7 @@ static struct e1000_mac_operations e8257
24418 .setup_led = e1000e_setup_led_generic,
24421 -static struct e1000_phy_operations e82_phy_ops_igp = {
24422 +static const struct e1000_phy_operations e82_phy_ops_igp = {
24423 .acquire = e1000_get_hw_semaphore_82571,
24424 .check_polarity = e1000_check_polarity_igp,
24425 .check_reset_block = e1000e_check_reset_block_generic,
24426 @@ -1726,7 +1727,7 @@ static struct e1000_phy_operations e82_p
24427 .cfg_on_link_up = NULL,
24430 -static struct e1000_phy_operations e82_phy_ops_m88 = {
24431 +static const struct e1000_phy_operations e82_phy_ops_m88 = {
24432 .acquire = e1000_get_hw_semaphore_82571,
24433 .check_polarity = e1000_check_polarity_m88,
24434 .check_reset_block = e1000e_check_reset_block_generic,
24435 @@ -1744,7 +1745,7 @@ static struct e1000_phy_operations e82_p
24436 .cfg_on_link_up = NULL,
24439 -static struct e1000_phy_operations e82_phy_ops_bm = {
24440 +static const struct e1000_phy_operations e82_phy_ops_bm = {
24441 .acquire = e1000_get_hw_semaphore_82571,
24442 .check_polarity = e1000_check_polarity_m88,
24443 .check_reset_block = e1000e_check_reset_block_generic,
24444 @@ -1762,7 +1763,7 @@ static struct e1000_phy_operations e82_p
24445 .cfg_on_link_up = NULL,
24448 -static struct e1000_nvm_operations e82571_nvm_ops = {
24449 +static const struct e1000_nvm_operations e82571_nvm_ops = {
24450 .acquire = e1000_acquire_nvm_82571,
24451 .read = e1000e_read_nvm_eerd,
24452 .release = e1000_release_nvm_82571,
24453 diff -urNp linux-2.6.33.1/drivers/net/e1000e/e1000.h linux-2.6.33.1/drivers/net/e1000e/e1000.h
24454 --- linux-2.6.33.1/drivers/net/e1000e/e1000.h 2010-03-15 12:09:39.000000000 -0400
24455 +++ linux-2.6.33.1/drivers/net/e1000e/e1000.h 2010-03-20 16:58:40.152824721 -0400
24456 @@ -379,9 +379,9 @@ struct e1000_info {
24458 u32 max_hw_frame_size;
24459 s32 (*get_variants)(struct e1000_adapter *);
24460 - struct e1000_mac_operations *mac_ops;
24461 - struct e1000_phy_operations *phy_ops;
24462 - struct e1000_nvm_operations *nvm_ops;
24463 + const struct e1000_mac_operations *mac_ops;
24464 + const struct e1000_phy_operations *phy_ops;
24465 + const struct e1000_nvm_operations *nvm_ops;
24468 /* hardware capability, feature, and workaround flags */
24469 diff -urNp linux-2.6.33.1/drivers/net/e1000e/es2lan.c linux-2.6.33.1/drivers/net/e1000e/es2lan.c
24470 --- linux-2.6.33.1/drivers/net/e1000e/es2lan.c 2010-03-15 12:09:39.000000000 -0400
24471 +++ linux-2.6.33.1/drivers/net/e1000e/es2lan.c 2010-03-20 16:58:40.152824721 -0400
24472 @@ -205,6 +205,7 @@ static s32 e1000_init_mac_params_80003es
24474 struct e1000_hw *hw = &adapter->hw;
24475 struct e1000_mac_info *mac = &hw->mac;
24476 + /* cannot be const */
24477 struct e1000_mac_operations *func = &mac->ops;
24479 /* Set media type */
24480 @@ -1402,7 +1403,7 @@ static void e1000_clear_hw_cntrs_80003es
24484 -static struct e1000_mac_operations es2_mac_ops = {
24485 +static const struct e1000_mac_operations es2_mac_ops = {
24486 .id_led_init = e1000e_id_led_init,
24487 .check_mng_mode = e1000e_check_mng_mode_generic,
24488 /* check_for_link dependent on media type */
24489 @@ -1422,7 +1423,7 @@ static struct e1000_mac_operations es2_m
24490 .setup_led = e1000e_setup_led_generic,
24493 -static struct e1000_phy_operations es2_phy_ops = {
24494 +static const struct e1000_phy_operations es2_phy_ops = {
24495 .acquire = e1000_acquire_phy_80003es2lan,
24496 .check_polarity = e1000_check_polarity_m88,
24497 .check_reset_block = e1000e_check_reset_block_generic,
24498 @@ -1440,7 +1441,7 @@ static struct e1000_phy_operations es2_p
24499 .cfg_on_link_up = e1000_cfg_on_link_up_80003es2lan,
24502 -static struct e1000_nvm_operations es2_nvm_ops = {
24503 +static const struct e1000_nvm_operations es2_nvm_ops = {
24504 .acquire = e1000_acquire_nvm_80003es2lan,
24505 .read = e1000e_read_nvm_eerd,
24506 .release = e1000_release_nvm_80003es2lan,
24507 diff -urNp linux-2.6.33.1/drivers/net/e1000e/hw.h linux-2.6.33.1/drivers/net/e1000e/hw.h
24508 --- linux-2.6.33.1/drivers/net/e1000e/hw.h 2010-03-15 12:09:39.000000000 -0400
24509 +++ linux-2.6.33.1/drivers/net/e1000e/hw.h 2010-03-20 16:58:40.156835598 -0400
24510 @@ -783,13 +783,13 @@ struct e1000_phy_operations {
24512 /* Function pointers for the NVM. */
24513 struct e1000_nvm_operations {
24514 - s32 (*acquire)(struct e1000_hw *);
24515 - s32 (*read)(struct e1000_hw *, u16, u16, u16 *);
24516 - void (*release)(struct e1000_hw *);
24517 - s32 (*update)(struct e1000_hw *);
24518 - s32 (*valid_led_default)(struct e1000_hw *, u16 *);
24519 - s32 (*validate)(struct e1000_hw *);
24520 - s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
24521 + s32 (* const acquire)(struct e1000_hw *);
24522 + s32 (* const read)(struct e1000_hw *, u16, u16, u16 *);
24523 + void (* const release)(struct e1000_hw *);
24524 + s32 (* const update)(struct e1000_hw *);
24525 + s32 (* const valid_led_default)(struct e1000_hw *, u16 *);
24526 + s32 (* const validate)(struct e1000_hw *);
24527 + s32 (* const write)(struct e1000_hw *, u16, u16, u16 *);
24530 struct e1000_mac_info {
24531 @@ -864,6 +864,7 @@ struct e1000_phy_info {
24534 struct e1000_nvm_info {
24535 + /* cannot be const */
24536 struct e1000_nvm_operations ops;
24538 enum e1000_nvm_type type;
24539 diff -urNp linux-2.6.33.1/drivers/net/e1000e/ich8lan.c linux-2.6.33.1/drivers/net/e1000e/ich8lan.c
24540 --- linux-2.6.33.1/drivers/net/e1000e/ich8lan.c 2010-03-15 12:09:39.000000000 -0400
24541 +++ linux-2.6.33.1/drivers/net/e1000e/ich8lan.c 2010-03-20 16:58:40.168822418 -0400
24542 @@ -3361,7 +3361,7 @@ static void e1000_clear_hw_cntrs_ich8lan
24546 -static struct e1000_mac_operations ich8_mac_ops = {
24547 +static const struct e1000_mac_operations ich8_mac_ops = {
24548 .id_led_init = e1000e_id_led_init,
24549 .check_mng_mode = e1000_check_mng_mode_ich8lan,
24550 .check_for_link = e1000_check_for_copper_link_ich8lan,
24551 @@ -3379,7 +3379,7 @@ static struct e1000_mac_operations ich8_
24552 /* id_led_init dependent on mac type */
24555 -static struct e1000_phy_operations ich8_phy_ops = {
24556 +static const struct e1000_phy_operations ich8_phy_ops = {
24557 .acquire = e1000_acquire_swflag_ich8lan,
24558 .check_reset_block = e1000_check_reset_block_ich8lan,
24560 @@ -3393,7 +3393,7 @@ static struct e1000_phy_operations ich8_
24561 .write_reg = e1000e_write_phy_reg_igp,
24564 -static struct e1000_nvm_operations ich8_nvm_ops = {
24565 +static const struct e1000_nvm_operations ich8_nvm_ops = {
24566 .acquire = e1000_acquire_nvm_ich8lan,
24567 .read = e1000_read_nvm_ich8lan,
24568 .release = e1000_release_nvm_ich8lan,
24569 diff -urNp linux-2.6.33.1/drivers/net/ibmveth.c linux-2.6.33.1/drivers/net/ibmveth.c
24570 --- linux-2.6.33.1/drivers/net/ibmveth.c 2010-03-15 12:09:39.000000000 -0400
24571 +++ linux-2.6.33.1/drivers/net/ibmveth.c 2010-03-20 16:58:40.180852292 -0400
24572 @@ -1577,7 +1577,7 @@ static struct attribute * veth_pool_attr
24576 -static struct sysfs_ops veth_pool_ops = {
24577 +static const struct sysfs_ops veth_pool_ops = {
24578 .show = veth_pool_show,
24579 .store = veth_pool_store,
24581 diff -urNp linux-2.6.33.1/drivers/net/igb/e1000_82575.c linux-2.6.33.1/drivers/net/igb/e1000_82575.c
24582 --- linux-2.6.33.1/drivers/net/igb/e1000_82575.c 2010-03-15 12:09:39.000000000 -0400
24583 +++ linux-2.6.33.1/drivers/net/igb/e1000_82575.c 2010-03-20 16:58:40.192835070 -0400
24584 @@ -1583,7 +1583,7 @@ u16 igb_rxpbs_adjust_82580(u32 data)
24588 -static struct e1000_mac_operations e1000_mac_ops_82575 = {
24589 +static const struct e1000_mac_operations e1000_mac_ops_82575 = {
24590 .init_hw = igb_init_hw_82575,
24591 .check_for_link = igb_check_for_link_82575,
24592 .rar_set = igb_rar_set,
24593 @@ -1591,13 +1591,13 @@ static struct e1000_mac_operations e1000
24594 .get_speed_and_duplex = igb_get_speed_and_duplex_copper,
24597 -static struct e1000_phy_operations e1000_phy_ops_82575 = {
24598 +static const struct e1000_phy_operations e1000_phy_ops_82575 = {
24599 .acquire = igb_acquire_phy_82575,
24600 .get_cfg_done = igb_get_cfg_done_82575,
24601 .release = igb_release_phy_82575,
24604 -static struct e1000_nvm_operations e1000_nvm_ops_82575 = {
24605 +static const struct e1000_nvm_operations e1000_nvm_ops_82575 = {
24606 .acquire = igb_acquire_nvm_82575,
24607 .read = igb_read_nvm_eerd,
24608 .release = igb_release_nvm_82575,
24609 diff -urNp linux-2.6.33.1/drivers/net/igb/e1000_hw.h linux-2.6.33.1/drivers/net/igb/e1000_hw.h
24610 --- linux-2.6.33.1/drivers/net/igb/e1000_hw.h 2010-03-15 12:09:39.000000000 -0400
24611 +++ linux-2.6.33.1/drivers/net/igb/e1000_hw.h 2010-03-20 16:58:40.192835070 -0400
24612 @@ -316,17 +316,17 @@ struct e1000_phy_operations {
24615 struct e1000_nvm_operations {
24616 - s32 (*acquire)(struct e1000_hw *);
24617 - s32 (*read)(struct e1000_hw *, u16, u16, u16 *);
24618 - void (*release)(struct e1000_hw *);
24619 - s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
24620 + s32 (* const acquire)(struct e1000_hw *);
24621 + s32 (* const read)(struct e1000_hw *, u16, u16, u16 *);
24622 + void (* const release)(struct e1000_hw *);
24623 + s32 (* const write)(struct e1000_hw *, u16, u16, u16 *);
24626 struct e1000_info {
24627 s32 (*get_invariants)(struct e1000_hw *);
24628 - struct e1000_mac_operations *mac_ops;
24629 - struct e1000_phy_operations *phy_ops;
24630 - struct e1000_nvm_operations *nvm_ops;
24631 + const struct e1000_mac_operations *mac_ops;
24632 + const struct e1000_phy_operations *phy_ops;
24633 + const struct e1000_nvm_operations *nvm_ops;
24636 extern const struct e1000_info e1000_82575_info;
24637 @@ -412,6 +412,7 @@ struct e1000_phy_info {
24640 struct e1000_nvm_info {
24641 + /* cannot be const */
24642 struct e1000_nvm_operations ops;
24644 enum e1000_nvm_type type;
24645 diff -urNp linux-2.6.33.1/drivers/net/irda/vlsi_ir.c linux-2.6.33.1/drivers/net/irda/vlsi_ir.c
24646 --- linux-2.6.33.1/drivers/net/irda/vlsi_ir.c 2010-03-15 12:09:39.000000000 -0400
24647 +++ linux-2.6.33.1/drivers/net/irda/vlsi_ir.c 2010-03-20 16:58:40.204836200 -0400
24648 @@ -907,13 +907,12 @@ static netdev_tx_t vlsi_hard_start_xmit(
24649 /* no race - tx-ring already empty */
24650 vlsi_set_baud(idev, iobase);
24651 netif_wake_queue(ndev);
24656 /* keep the speed change pending like it would
24657 * for any len>0 packet. tx completion interrupt
24658 * will apply it when the tx ring becomes empty.
24661 spin_unlock_irqrestore(&idev->lock, flags);
24662 dev_kfree_skb_any(skb);
24663 return NETDEV_TX_OK;
24664 diff -urNp linux-2.6.33.1/drivers/net/iseries_veth.c linux-2.6.33.1/drivers/net/iseries_veth.c
24665 --- linux-2.6.33.1/drivers/net/iseries_veth.c 2010-03-15 12:09:39.000000000 -0400
24666 +++ linux-2.6.33.1/drivers/net/iseries_veth.c 2010-03-20 16:58:40.227948499 -0400
24667 @@ -384,7 +384,7 @@ static struct attribute *veth_cnx_defaul
24671 -static struct sysfs_ops veth_cnx_sysfs_ops = {
24672 +static const struct sysfs_ops veth_cnx_sysfs_ops = {
24673 .show = veth_cnx_attribute_show
24676 @@ -441,7 +441,7 @@ static struct attribute *veth_port_defau
24680 -static struct sysfs_ops veth_port_sysfs_ops = {
24681 +static const struct sysfs_ops veth_port_sysfs_ops = {
24682 .show = veth_port_attribute_show
24685 diff -urNp linux-2.6.33.1/drivers/net/pcnet32.c linux-2.6.33.1/drivers/net/pcnet32.c
24686 --- linux-2.6.33.1/drivers/net/pcnet32.c 2010-03-15 12:09:39.000000000 -0400
24687 +++ linux-2.6.33.1/drivers/net/pcnet32.c 2010-03-20 16:58:40.232840159 -0400
24688 @@ -80,7 +80,7 @@ static int cards_found;
24690 * VLB I/O addresses
24692 -static unsigned int pcnet32_portlist[] __initdata =
24693 +static unsigned int pcnet32_portlist[] __devinitdata =
24694 { 0x300, 0x320, 0x340, 0x360, 0 };
24696 static int pcnet32_debug = 0;
24697 diff -urNp linux-2.6.33.1/drivers/net/ppp_generic.c linux-2.6.33.1/drivers/net/ppp_generic.c
24698 --- linux-2.6.33.1/drivers/net/ppp_generic.c 2010-03-15 12:09:39.000000000 -0400
24699 +++ linux-2.6.33.1/drivers/net/ppp_generic.c 2010-03-20 16:58:40.236519222 -0400
24700 @@ -988,7 +988,6 @@ ppp_net_ioctl(struct net_device *dev, st
24701 void __user *addr = (void __user *) ifr->ifr_ifru.ifru_data;
24702 struct ppp_stats stats;
24703 struct ppp_comp_stats cstats;
24707 case SIOCGPPPSTATS:
24708 @@ -1010,8 +1009,7 @@ ppp_net_ioctl(struct net_device *dev, st
24712 - vers = PPP_VERSION;
24713 - if (copy_to_user(addr, vers, strlen(vers) + 1))
24714 + if (copy_to_user(addr, PPP_VERSION, sizeof(PPP_VERSION)))
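Review bot: `sizeof(PPP_VERSION)` equals the string length plus terminator only while PPP_VERSION expands to a string literal; if it ever becomes a `const char *`, the copy silently shrinks to pointer size and user space gets a truncated, unterminated version string. A short comment at the call would record that dependency, e.g. `/* PPP_VERSION is a string literal: sizeof includes the NUL */`. The macro's definition is not visible in this hunk, so confirm it before relying on this form.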
24718 diff -urNp linux-2.6.33.1/drivers/net/tg3.h linux-2.6.33.1/drivers/net/tg3.h
24719 --- linux-2.6.33.1/drivers/net/tg3.h 2010-03-15 12:09:39.000000000 -0400
24720 +++ linux-2.6.33.1/drivers/net/tg3.h 2010-03-20 16:58:40.244857185 -0400
24721 @@ -101,6 +101,7 @@
24722 #define CHIPREV_ID_5750_A0 0x4000
24723 #define CHIPREV_ID_5750_A1 0x4001
24724 #define CHIPREV_ID_5750_A3 0x4003
24725 +#define CHIPREV_ID_5750_C1 0x4201
24726 #define CHIPREV_ID_5750_C2 0x4202
24727 #define CHIPREV_ID_5752_A0_HW 0x5000
24728 #define CHIPREV_ID_5752_A0 0x6000
24729 diff -urNp linux-2.6.33.1/drivers/net/tulip/de4x5.c linux-2.6.33.1/drivers/net/tulip/de4x5.c
24730 --- linux-2.6.33.1/drivers/net/tulip/de4x5.c 2010-03-15 12:09:39.000000000 -0400
24731 +++ linux-2.6.33.1/drivers/net/tulip/de4x5.c 2010-03-20 16:58:40.269912385 -0400
24732 @@ -5472,7 +5472,7 @@ de4x5_ioctl(struct net_device *dev, stru
24733 for (i=0; i<ETH_ALEN; i++) {
24734 tmp.addr[i] = dev->dev_addr[i];
24736 - if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
24737 + if (ioc->len > sizeof(tmp.addr) || copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
24740 case DE4X5_SET_HWADDR: /* Set the hardware address */
24741 @@ -5512,7 +5512,7 @@ de4x5_ioctl(struct net_device *dev, stru
24742 spin_lock_irqsave(&lp->lock, flags);
24743 memcpy(&statbuf, &lp->pktStats, ioc->len);
24744 spin_unlock_irqrestore(&lp->lock, flags);
24745 - if (copy_to_user(ioc->data, &statbuf, ioc->len))
24746 + if (ioc->len > sizeof(statbuf) || copy_to_user(ioc->data, &statbuf, ioc->len))
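Review bot: In the statistics case the new `ioc->len > sizeof(statbuf)` test runs after `memcpy(&statbuf, &lp->pktStats, ioc->len)`, so an oversized length has already written past the stack buffer by the time it is rejected. Unless `ioc->len` is bounded above the hunk (not visible here), the check belongs before the lock is taken: `if (ioc->len > sizeof(statbuf)) return -EINVAL;`. Returning -EFAULT for a bad length, here and in the hardware-address hunk above, also hides the cause from the caller; -EINVAL is the conventional code for a rejected argument. de4x5_ioctl starts and ends outside both hunks.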
24750 diff -urNp linux-2.6.33.1/drivers/net/usb/hso.c linux-2.6.33.1/drivers/net/usb/hso.c
24751 --- linux-2.6.33.1/drivers/net/usb/hso.c 2010-03-15 12:09:39.000000000 -0400
24752 +++ linux-2.6.33.1/drivers/net/usb/hso.c 2010-03-20 16:58:40.272671924 -0400
24753 @@ -258,7 +258,7 @@ struct hso_serial {
24755 /* from usb_serial_port */
24756 struct tty_struct *tty;
24758 + atomic_t open_count;
24759 spinlock_t serial_lock;
24761 int (*write_data) (struct hso_serial *serial);
24762 @@ -1203,7 +1203,7 @@ static void put_rxbuf_data_and_resubmit_
24765 urb = serial->rx_urb[0];
24766 - if (serial->open_count > 0) {
24767 + if (atomic_read(&serial->open_count) > 0) {
24768 count = put_rxbuf_data(urb, serial);
24771 @@ -1239,7 +1239,7 @@ static void hso_std_serial_read_bulk_cal
24772 DUMP1(urb->transfer_buffer, urb->actual_length);
24774 /* Anyone listening? */
24775 - if (serial->open_count == 0)
24776 + if (atomic_read(&serial->open_count) == 0)
24780 @@ -1334,8 +1334,7 @@ static int hso_serial_open(struct tty_st
24781 spin_unlock_irq(&serial->serial_lock);
24783 /* check for port already opened, if not set the termios */
24784 - serial->open_count++;
24785 - if (serial->open_count == 1) {
24786 + if (atomic_inc_return(&serial->open_count) == 1) {
24787 tty->low_latency = 1;
24788 serial->rx_state = RX_IDLE;
24789 /* Force default termio settings */
24790 @@ -1348,7 +1347,7 @@ static int hso_serial_open(struct tty_st
24791 result = hso_start_serial_device(serial->parent, GFP_KERNEL);
24793 hso_stop_serial_device(serial->parent);
24794 - serial->open_count--;
24795 + atomic_dec(&serial->open_count);
24796 kref_put(&serial->parent->ref, hso_serial_ref_free);
24799 @@ -1385,10 +1384,10 @@ static void hso_serial_close(struct tty_
24801 /* reset the rts and dtr */
24802 /* do the actual close */
24803 - serial->open_count--;
24804 + atomic_dec(&serial->open_count);
24806 - if (serial->open_count <= 0) {
24807 - serial->open_count = 0;
24808 + if (atomic_read(&serial->open_count) <= 0) {
24809 + atomic_set(&serial->open_count, 0);
24810 spin_lock_irq(&serial->serial_lock);
24811 if (serial->tty == tty) {
24812 serial->tty->driver_data = NULL;
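Review bot: In hso_serial_close the `atomic_dec`, the `atomic_read(...) <= 0` test and the `atomic_set(..., 0)` clamp are three separate operations, so converting `open_count` to atomic_t does not make the close decision atomic. An open that increments the counter between the test and the clamp would have its count reset to zero. If no lock outside the hunk already serialises open and close, fold the first two steps into `if (atomic_dec_return(&serial->open_count) <= 0) {` and reconsider whether the clamp should exist, since it also masks an unbalanced close. The function body extends beyond the hunk.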
24813 @@ -1470,7 +1469,7 @@ static void hso_serial_set_termios(struc
24815 /* the actual setup */
24816 spin_lock_irqsave(&serial->serial_lock, flags);
24817 - if (serial->open_count)
24818 + if (atomic_read(&serial->open_count))
24819 _hso_serial_set_termios(tty, old);
24821 tty->termios = old;
24822 @@ -1933,7 +1932,7 @@ static void intr_callback(struct urb *ur
24823 D1("Pending read interrupt on port %d\n", i);
24824 spin_lock(&serial->serial_lock);
24825 if (serial->rx_state == RX_IDLE &&
24826 - serial->open_count > 0) {
24827 + atomic_read(&serial->open_count) > 0) {
24828 /* Setup and send a ctrl req read on
24830 if (!serial->rx_urb_filled[0]) {
24831 @@ -3124,7 +3123,7 @@ static int hso_resume(struct usb_interfa
24832 /* Start all serial ports */
24833 for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) {
24834 if (serial_table[i] && (serial_table[i]->interface == iface)) {
24835 - if (dev2ser(serial_table[i])->open_count) {
24836 + if (atomic_read(&dev2ser(serial_table[i])->open_count)) {
24838 hso_start_serial_device(serial_table[i], GFP_NOIO);
24839 hso_kick_transmit(dev2ser(serial_table[i]));
24840 diff -urNp linux-2.6.33.1/drivers/net/wireless/b43/debugfs.c linux-2.6.33.1/drivers/net/wireless/b43/debugfs.c
24841 --- linux-2.6.33.1/drivers/net/wireless/b43/debugfs.c 2010-03-15 12:09:39.000000000 -0400
24842 +++ linux-2.6.33.1/drivers/net/wireless/b43/debugfs.c 2010-03-20 16:58:40.276838321 -0400
24843 @@ -43,7 +43,7 @@ static struct dentry *rootdir;
24844 struct b43_debugfs_fops {
24845 ssize_t (*read)(struct b43_wldev *dev, char *buf, size_t bufsize);
24846 int (*write)(struct b43_wldev *dev, const char *buf, size_t count);
24847 - struct file_operations fops;
24848 + const struct file_operations fops;
24849 /* Offset of struct b43_dfs_file in struct b43_dfsentry */
24850 size_t file_struct_offset;
24852 diff -urNp linux-2.6.33.1/drivers/net/wireless/b43legacy/debugfs.c linux-2.6.33.1/drivers/net/wireless/b43legacy/debugfs.c
24853 --- linux-2.6.33.1/drivers/net/wireless/b43legacy/debugfs.c 2010-03-15 12:09:39.000000000 -0400
24854 +++ linux-2.6.33.1/drivers/net/wireless/b43legacy/debugfs.c 2010-03-20 16:58:40.292572897 -0400
24855 @@ -44,7 +44,7 @@ static struct dentry *rootdir;
24856 struct b43legacy_debugfs_fops {
24857 ssize_t (*read)(struct b43legacy_wldev *dev, char *buf, size_t bufsize);
24858 int (*write)(struct b43legacy_wldev *dev, const char *buf, size_t count);
24859 - struct file_operations fops;
24860 + const struct file_operations fops;
24861 /* Offset of struct b43legacy_dfs_file in struct b43legacy_dfsentry */
24862 size_t file_struct_offset;
24863 /* Take wl->irq_lock before calling read/write? */
24864 diff -urNp linux-2.6.33.1/drivers/net/wireless/iwlwifi/iwl-1000.c linux-2.6.33.1/drivers/net/wireless/iwlwifi/iwl-1000.c
24865 --- linux-2.6.33.1/drivers/net/wireless/iwlwifi/iwl-1000.c 2010-03-15 12:09:39.000000000 -0400
24866 +++ linux-2.6.33.1/drivers/net/wireless/iwlwifi/iwl-1000.c 2010-03-20 16:58:40.296852154 -0400
24867 @@ -140,7 +140,7 @@ static struct iwl_lib_ops iwl1000_lib =
24871 -static struct iwl_ops iwl1000_ops = {
24872 +static const struct iwl_ops iwl1000_ops = {
24873 .ucode = &iwl5000_ucode,
24874 .lib = &iwl1000_lib,
24875 .hcmd = &iwl5000_hcmd,
24876 diff -urNp linux-2.6.33.1/drivers/net/wireless/iwlwifi/iwl-3945.c linux-2.6.33.1/drivers/net/wireless/iwlwifi/iwl-3945.c
24877 --- linux-2.6.33.1/drivers/net/wireless/iwlwifi/iwl-3945.c 2010-03-15 12:09:39.000000000 -0400
24878 +++ linux-2.6.33.1/drivers/net/wireless/iwlwifi/iwl-3945.c 2010-03-20 16:58:40.308852389 -0400
24879 @@ -2804,7 +2804,7 @@ static struct iwl_hcmd_utils_ops iwl3945
24880 .rts_tx_cmd_flag = iwlcore_rts_tx_cmd_flag,
24883 -static struct iwl_ops iwl3945_ops = {
24884 +static const struct iwl_ops iwl3945_ops = {
24885 .ucode = &iwl3945_ucode,
24886 .lib = &iwl3945_lib,
24887 .hcmd = &iwl3945_hcmd,
24888 diff -urNp linux-2.6.33.1/drivers/net/wireless/iwlwifi/iwl-4965.c linux-2.6.33.1/drivers/net/wireless/iwlwifi/iwl-4965.c
24889 --- linux-2.6.33.1/drivers/net/wireless/iwlwifi/iwl-4965.c 2010-03-15 12:09:39.000000000 -0400
24890 +++ linux-2.6.33.1/drivers/net/wireless/iwlwifi/iwl-4965.c 2010-03-20 16:58:40.316840649 -0400
24891 @@ -2208,7 +2208,7 @@ static struct iwl_lib_ops iwl4965_lib =
24895 -static struct iwl_ops iwl4965_ops = {
24896 +static const struct iwl_ops iwl4965_ops = {
24897 .ucode = &iwl4965_ucode,
24898 .lib = &iwl4965_lib,
24899 .hcmd = &iwl4965_hcmd,
24900 diff -urNp linux-2.6.33.1/drivers/net/wireless/iwlwifi/iwl-5000.c linux-2.6.33.1/drivers/net/wireless/iwlwifi/iwl-5000.c
24901 --- linux-2.6.33.1/drivers/net/wireless/iwlwifi/iwl-5000.c 2010-03-15 12:09:39.000000000 -0400
24902 +++ linux-2.6.33.1/drivers/net/wireless/iwlwifi/iwl-5000.c 2010-03-20 16:58:40.338443044 -0400
24903 @@ -1553,7 +1553,7 @@ static struct iwl_lib_ops iwl5150_lib =
24907 -static struct iwl_ops iwl5000_ops = {
24908 +static const struct iwl_ops iwl5000_ops = {
24909 .ucode = &iwl5000_ucode,
24910 .lib = &iwl5000_lib,
24911 .hcmd = &iwl5000_hcmd,
24912 @@ -1561,7 +1561,7 @@ static struct iwl_ops iwl5000_ops = {
24913 .led = &iwlagn_led_ops,
24916 -static struct iwl_ops iwl5150_ops = {
24917 +static const struct iwl_ops iwl5150_ops = {
24918 .ucode = &iwl5000_ucode,
24919 .lib = &iwl5150_lib,
24920 .hcmd = &iwl5000_hcmd,
24921 diff -urNp linux-2.6.33.1/drivers/net/wireless/iwlwifi/iwl-6000.c linux-2.6.33.1/drivers/net/wireless/iwlwifi/iwl-6000.c
24922 --- linux-2.6.33.1/drivers/net/wireless/iwlwifi/iwl-6000.c 2010-03-15 12:09:39.000000000 -0400
24923 +++ linux-2.6.33.1/drivers/net/wireless/iwlwifi/iwl-6000.c 2010-03-20 16:58:40.338443044 -0400
24924 @@ -252,7 +252,7 @@ static struct iwl_lib_ops iwl6000_lib =
24928 -static struct iwl_ops iwl6000_ops = {
24929 +static const struct iwl_ops iwl6000_ops = {
24930 .ucode = &iwl5000_ucode,
24931 .lib = &iwl6000_lib,
24932 .hcmd = &iwl5000_hcmd,
24933 @@ -267,7 +267,7 @@ static struct iwl_hcmd_utils_ops iwl6050
24934 .calc_rssi = iwl5000_calc_rssi,
24937 -static struct iwl_ops iwl6050_ops = {
24938 +static const struct iwl_ops iwl6050_ops = {
24939 .ucode = &iwl5000_ucode,
24940 .lib = &iwl6000_lib,
24941 .hcmd = &iwl5000_hcmd,
24942 diff -urNp linux-2.6.33.1/drivers/net/wireless/libertas/debugfs.c linux-2.6.33.1/drivers/net/wireless/libertas/debugfs.c
24943 --- linux-2.6.33.1/drivers/net/wireless/libertas/debugfs.c 2010-03-15 12:09:39.000000000 -0400
24944 +++ linux-2.6.33.1/drivers/net/wireless/libertas/debugfs.c 2010-03-20 16:58:40.348846186 -0400
24945 @@ -717,7 +717,7 @@ out_unlock:
24946 struct lbs_debugfs_files {
24949 - struct file_operations fops;
24950 + const struct file_operations fops;
24953 static const struct lbs_debugfs_files debugfs_files[] = {
24954 diff -urNp linux-2.6.33.1/drivers/oprofile/buffer_sync.c linux-2.6.33.1/drivers/oprofile/buffer_sync.c
24955 --- linux-2.6.33.1/drivers/oprofile/buffer_sync.c 2010-03-15 12:09:39.000000000 -0400
24956 +++ linux-2.6.33.1/drivers/oprofile/buffer_sync.c 2010-03-20 16:58:40.357847963 -0400
24957 @@ -340,7 +340,7 @@ static void add_data(struct op_entry *en
24958 if (cookie == NO_COOKIE)
24960 if (cookie == INVALID_COOKIE) {
24961 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
24962 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
24965 if (cookie != last_cookie) {
24966 @@ -384,14 +384,14 @@ add_sample(struct mm_struct *mm, struct
24967 /* add userspace sample */
24970 - atomic_inc(&oprofile_stats.sample_lost_no_mm);
24971 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm);
24975 cookie = lookup_dcookie(mm, s->eip, &offset);
24977 if (cookie == INVALID_COOKIE) {
24978 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
24979 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
24983 @@ -560,7 +560,7 @@ void sync_buffer(int cpu)
24984 /* ignore backtraces if failed to add a sample */
24985 if (state == sb_bt_start) {
24986 state = sb_bt_ignore;
24987 - atomic_inc(&oprofile_stats.bt_lost_no_mapping);
24988 + atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping);
24992 diff -urNp linux-2.6.33.1/drivers/oprofile/event_buffer.c linux-2.6.33.1/drivers/oprofile/event_buffer.c
24993 --- linux-2.6.33.1/drivers/oprofile/event_buffer.c 2010-03-15 12:09:39.000000000 -0400
24994 +++ linux-2.6.33.1/drivers/oprofile/event_buffer.c 2010-03-20 16:58:40.360587811 -0400
24995 @@ -53,7 +53,7 @@ void add_event_entry(unsigned long value
24998 if (buffer_pos == buffer_size) {
24999 - atomic_inc(&oprofile_stats.event_lost_overflow);
25000 + atomic_inc_unchecked(&oprofile_stats.event_lost_overflow);
25004 diff -urNp linux-2.6.33.1/drivers/oprofile/oprof.c linux-2.6.33.1/drivers/oprofile/oprof.c
25005 --- linux-2.6.33.1/drivers/oprofile/oprof.c 2010-03-15 12:09:39.000000000 -0400
25006 +++ linux-2.6.33.1/drivers/oprofile/oprof.c 2010-03-20 16:58:40.368849108 -0400
25007 @@ -110,7 +110,7 @@ static void switch_worker(struct work_st
25008 if (oprofile_ops.switch_events())
25011 - atomic_inc(&oprofile_stats.multiplex_counter);
25012 + atomic_inc_unchecked(&oprofile_stats.multiplex_counter);
25013 start_switch_worker();
25016 diff -urNp linux-2.6.33.1/drivers/oprofile/oprofilefs.c linux-2.6.33.1/drivers/oprofile/oprofilefs.c
25017 --- linux-2.6.33.1/drivers/oprofile/oprofilefs.c 2010-03-15 12:09:39.000000000 -0400
25018 +++ linux-2.6.33.1/drivers/oprofile/oprofilefs.c 2010-03-20 16:58:40.372843891 -0400
25019 @@ -187,7 +187,7 @@ static const struct file_operations atom
25022 int oprofilefs_create_ro_atomic(struct super_block *sb, struct dentry *root,
25023 - char const *name, atomic_t *val)
25024 + char const *name, atomic_unchecked_t *val)
25026 struct dentry *d = __oprofilefs_create_file(sb, root, name,
25027 &atomic_ro_fops, 0444);
25028 diff -urNp linux-2.6.33.1/drivers/oprofile/oprofile_stats.c linux-2.6.33.1/drivers/oprofile/oprofile_stats.c
25029 --- linux-2.6.33.1/drivers/oprofile/oprofile_stats.c 2010-03-15 12:09:39.000000000 -0400
25030 +++ linux-2.6.33.1/drivers/oprofile/oprofile_stats.c 2010-03-20 16:58:40.376630331 -0400
25031 @@ -30,11 +30,11 @@ void oprofile_reset_stats(void)
25032 cpu_buf->sample_invalid_eip = 0;
25035 - atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
25036 - atomic_set(&oprofile_stats.sample_lost_no_mapping, 0);
25037 - atomic_set(&oprofile_stats.event_lost_overflow, 0);
25038 - atomic_set(&oprofile_stats.bt_lost_no_mapping, 0);
25039 - atomic_set(&oprofile_stats.multiplex_counter, 0);
25040 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0);
25041 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0);
25042 + atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0);
25043 + atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0);
25044 + atomic_set_unchecked(&oprofile_stats.multiplex_counter, 0);
25048 diff -urNp linux-2.6.33.1/drivers/oprofile/oprofile_stats.h linux-2.6.33.1/drivers/oprofile/oprofile_stats.h
25049 --- linux-2.6.33.1/drivers/oprofile/oprofile_stats.h 2010-03-15 12:09:39.000000000 -0400
25050 +++ linux-2.6.33.1/drivers/oprofile/oprofile_stats.h 2010-03-20 16:58:40.376630331 -0400
25051 @@ -13,11 +13,11 @@
25052 #include <asm/atomic.h>
25054 struct oprofile_stat_struct {
25055 - atomic_t sample_lost_no_mm;
25056 - atomic_t sample_lost_no_mapping;
25057 - atomic_t bt_lost_no_mapping;
25058 - atomic_t event_lost_overflow;
25059 - atomic_t multiplex_counter;
25060 + atomic_unchecked_t sample_lost_no_mm;
25061 + atomic_unchecked_t sample_lost_no_mapping;
25062 + atomic_unchecked_t bt_lost_no_mapping;
25063 + atomic_unchecked_t event_lost_overflow;
25064 + atomic_unchecked_t multiplex_counter;
25067 extern struct oprofile_stat_struct oprofile_stats;
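Review bot: The five `oprofile_stat_struct` counters are switched to `atomic_unchecked_t` without a comment saying why they are exempt from overflow checking. If the intent is that they are pure statistics and never guard an object's lifetime, record it on the struct, e.g. `/* statistics only, not reference counts: wraparound is harmless */`, so the pattern is not copied to a real refcount later. The matching `_unchecked` call sites are in the buffer_sync.c, event_buffer.c, oprof.c, oprofilefs.c and oprofile_stats.c hunks.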
25068 diff -urNp linux-2.6.33.1/drivers/parisc/pdc_stable.c linux-2.6.33.1/drivers/parisc/pdc_stable.c
25069 --- linux-2.6.33.1/drivers/parisc/pdc_stable.c 2010-03-15 12:09:39.000000000 -0400
25070 +++ linux-2.6.33.1/drivers/parisc/pdc_stable.c 2010-03-20 16:58:40.392862259 -0400
25071 @@ -481,7 +481,7 @@ pdcspath_attr_store(struct kobject *kobj
25075 -static struct sysfs_ops pdcspath_attr_ops = {
25076 +static const struct sysfs_ops pdcspath_attr_ops = {
25077 .show = pdcspath_attr_show,
25078 .store = pdcspath_attr_store,
25080 diff -urNp linux-2.6.33.1/drivers/parport/procfs.c linux-2.6.33.1/drivers/parport/procfs.c
25081 --- linux-2.6.33.1/drivers/parport/procfs.c 2010-03-15 12:09:39.000000000 -0400
25082 +++ linux-2.6.33.1/drivers/parport/procfs.c 2010-03-20 16:58:40.392862259 -0400
25083 @@ -64,7 +64,7 @@ static int do_active_device(ctl_table *t
25087 - return copy_to_user(result, buffer, len) ? -EFAULT : 0;
25088 + return (len > sizeof(buffer) || copy_to_user(result, buffer, len)) ? -EFAULT : 0;
25091 #ifdef CONFIG_PARPORT_1284
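Review bot: The added `len > sizeof(buffer)` test in do_active_device, and the identical one in do_autoprobe in the next hunk, sits on the return statement after `buffer` has been filled, so it only stops an over-read to user space. If `len` can exceed the buffer, the formatting that produced it has presumably already written past the end; that code is outside the hunk, so this needs confirming. The test also depends on `buffer` being an array rather than a pointer, which the hunk does not show. Bound the formatting itself and mark this check as a last-line guard, e.g. `/* defence in depth: never copy out more than buffer holds */`.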
25092 @@ -106,7 +106,7 @@ static int do_autoprobe(ctl_table *table
25096 - return copy_to_user (result, buffer, len) ? -EFAULT : 0;
25097 + return (len > sizeof(buffer) || copy_to_user (result, buffer, len)) ? -EFAULT : 0;
25099 #endif /* IEEE1284.3 support. */
25101 diff -urNp linux-2.6.33.1/drivers/pci/hotplug/acpiphp_glue.c linux-2.6.33.1/drivers/pci/hotplug/acpiphp_glue.c
25102 --- linux-2.6.33.1/drivers/pci/hotplug/acpiphp_glue.c 2010-03-15 12:09:39.000000000 -0400
25103 +++ linux-2.6.33.1/drivers/pci/hotplug/acpiphp_glue.c 2010-03-20 16:58:40.418811417 -0400
25104 @@ -109,7 +109,7 @@ static int post_dock_fixups(struct notif
25108 -static struct acpi_dock_ops acpiphp_dock_ops = {
25109 +static const struct acpi_dock_ops acpiphp_dock_ops = {
25110 .handler = handle_hotplug_event_func,
25113 diff -urNp linux-2.6.33.1/drivers/pci/hotplug/cpqphp_nvram.c linux-2.6.33.1/drivers/pci/hotplug/cpqphp_nvram.c
25114 --- linux-2.6.33.1/drivers/pci/hotplug/cpqphp_nvram.c 2010-03-15 12:09:39.000000000 -0400
25115 +++ linux-2.6.33.1/drivers/pci/hotplug/cpqphp_nvram.c 2010-03-20 16:58:40.420729851 -0400
25116 @@ -428,9 +428,13 @@ static u32 store_HRT (void __iomem *rom_
25118 void compaq_nvram_init (void __iomem *rom_start)
25121 +#ifndef CONFIG_PAX_KERNEXEC
25123 compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
25127 dbg("int15 entry = %p\n", compaq_int15_entry_point);
25129 /* initialize our int15 lock */
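Review bot: The `#ifndef CONFIG_PAX_KERNEXEC` guard in compaq_nvram_init carries no comment, and it appears to leave `compaq_int15_entry_point` unset when that option is enabled. The following `dbg("int15 entry = %p\n", ...)` still runs and will report whatever the variable holds, and the users of the pointer are outside the hunk, so confirm they fail cleanly when it is unset. A comment such as `/* KERNEXEC: the ROM int15 entry point is not set up, NVRAM access is disabled */` would make the functional loss explicit. Several lines of this hunk are not visible here.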
25130 diff -urNp linux-2.6.33.1/drivers/pci/hotplug/fakephp.c linux-2.6.33.1/drivers/pci/hotplug/fakephp.c
25131 --- linux-2.6.33.1/drivers/pci/hotplug/fakephp.c 2010-03-15 12:09:39.000000000 -0400
25132 +++ linux-2.6.33.1/drivers/pci/hotplug/fakephp.c 2010-03-20 16:58:40.420729851 -0400
25133 @@ -73,7 +73,7 @@ static void legacy_release(struct kobjec
25136 static struct kobj_type legacy_ktype = {
25137 - .sysfs_ops = &(struct sysfs_ops){
25138 + .sysfs_ops = &(const struct sysfs_ops){
25139 .store = legacy_store, .show = legacy_show
25141 .release = &legacy_release,
25142 diff -urNp linux-2.6.33.1/drivers/pci/intel-iommu.c linux-2.6.33.1/drivers/pci/intel-iommu.c
25143 --- linux-2.6.33.1/drivers/pci/intel-iommu.c 2010-03-15 12:09:39.000000000 -0400
25144 +++ linux-2.6.33.1/drivers/pci/intel-iommu.c 2010-03-20 16:58:40.428854036 -0400
25145 @@ -2940,7 +2940,7 @@ static int intel_mapping_error(struct de
25149 -struct dma_map_ops intel_dma_ops = {
25150 +const struct dma_map_ops intel_dma_ops = {
25151 .alloc_coherent = intel_alloc_coherent,
25152 .free_coherent = intel_free_coherent,
25153 .map_sg = intel_map_sg,
25154 diff -urNp linux-2.6.33.1/drivers/pci/pcie/portdrv_pci.c linux-2.6.33.1/drivers/pci/pcie/portdrv_pci.c
25155 --- linux-2.6.33.1/drivers/pci/pcie/portdrv_pci.c 2010-03-15 12:09:39.000000000 -0400
25156 +++ linux-2.6.33.1/drivers/pci/pcie/portdrv_pci.c 2010-03-20 16:58:40.432849247 -0400
25157 @@ -250,7 +250,7 @@ static void pcie_portdrv_err_resume(stru
25158 static const struct pci_device_id port_pci_ids[] = { {
25159 /* handle any PCI-Express port */
25160 PCI_DEVICE_CLASS(((PCI_CLASS_BRIDGE_PCI << 8) | 0x00), ~0),
25161 - }, { /* end: all zeroes */ }
25162 + }, { 0, 0, 0, 0, 0, 0, 0 }
25164 MODULE_DEVICE_TABLE(pci, port_pci_ids);
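Review bot: Replacing `{ /* end: all zeroes */ }` with `{ 0, 0, 0, 0, 0, 0, 0 }` drops the comment that marked the entry as the table terminator and ties the initializer to the current field count of `struct pci_device_id`. The same positional form is added in the ti113x.h and yenta_socket.c hunks. If the explicit form is wanted, keep the marker beside it: `{ 0, 0, 0, 0, 0, 0, 0 }	/* end: all zeroes */`.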
25166 diff -urNp linux-2.6.33.1/drivers/pci/proc.c linux-2.6.33.1/drivers/pci/proc.c
25167 --- linux-2.6.33.1/drivers/pci/proc.c 2010-03-15 12:09:39.000000000 -0400
25168 +++ linux-2.6.33.1/drivers/pci/proc.c 2010-03-20 16:58:40.432849247 -0400
25169 @@ -480,7 +480,16 @@ static const struct file_operations proc
25170 static int __init pci_proc_init(void)
25172 struct pci_dev *dev = NULL;
25174 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
25175 +#ifdef CONFIG_GRKERNSEC_PROC_USER
25176 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
25177 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
25178 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
25181 proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
25183 proc_create("devices", 0, proc_bus_pci_dir,
25184 &proc_bus_pci_dev_operations);
25185 proc_initialized = 1;
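Review bot: `proc_create("devices", 0, proc_bus_pci_dir, ...)` is unchanged, so under the new options the restriction rests entirely on the directory mode passed to `proc_mkdir_mode`, while the file keeps its default mode. That is sufficient only as long as every entry is reached through this directory, which the hunk does not show. A comment above the `#ifdef` block would record the design, e.g. `/* access is restricted at the directory; entries below keep default modes */`. pci_proc_init continues outside the hunk and some preprocessor lines of this hunk are not visible here.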
25186 diff -urNp linux-2.6.33.1/drivers/pci/slot.c linux-2.6.33.1/drivers/pci/slot.c
25187 --- linux-2.6.33.1/drivers/pci/slot.c 2010-03-15 12:09:39.000000000 -0400
25188 +++ linux-2.6.33.1/drivers/pci/slot.c 2010-03-20 16:58:40.436850488 -0400
25189 @@ -29,7 +29,7 @@ static ssize_t pci_slot_attr_store(struc
25190 return attribute->store ? attribute->store(slot, buf, len) : -EIO;
25193 -static struct sysfs_ops pci_slot_sysfs_ops = {
25194 +static const struct sysfs_ops pci_slot_sysfs_ops = {
25195 .show = pci_slot_attr_show,
25196 .store = pci_slot_attr_store,
25198 diff -urNp linux-2.6.33.1/drivers/pcmcia/ti113x.h linux-2.6.33.1/drivers/pcmcia/ti113x.h
25199 --- linux-2.6.33.1/drivers/pcmcia/ti113x.h 2010-03-15 12:09:39.000000000 -0400
25200 +++ linux-2.6.33.1/drivers/pcmcia/ti113x.h 2010-03-20 16:58:40.444846583 -0400
25201 @@ -903,7 +903,7 @@ static struct pci_device_id ene_tune_tbl
25202 DEVID(PCI_VENDOR_ID_MOTOROLA, 0x3410, 0xECC0, PCI_ANY_ID,
25203 ENE_TEST_C9_TLTENABLE | ENE_TEST_C9_PFENABLE, ENE_TEST_C9_TLTENABLE),
25206 + { 0, 0, 0, 0, 0, 0, 0 }
25209 static void ene_tune_bridge(struct pcmcia_socket *sock, struct pci_bus *bus)
25210 diff -urNp linux-2.6.33.1/drivers/pcmcia/yenta_socket.c linux-2.6.33.1/drivers/pcmcia/yenta_socket.c
25211 --- linux-2.6.33.1/drivers/pcmcia/yenta_socket.c 2010-03-15 12:09:39.000000000 -0400
25212 +++ linux-2.6.33.1/drivers/pcmcia/yenta_socket.c 2010-03-20 16:58:40.460864210 -0400
25213 @@ -1432,7 +1432,7 @@ static struct pci_device_id yenta_table[
25215 /* match any cardbus bridge */
25216 CB_ID(PCI_ANY_ID, PCI_ANY_ID, DEFAULT),
25217 - { /* all zeroes */ }
25218 + { 0, 0, 0, 0, 0, 0, 0 }
25220 MODULE_DEVICE_TABLE(pci, yenta_table);
25222 diff -urNp linux-2.6.33.1/drivers/platform/x86/acer-wmi.c linux-2.6.33.1/drivers/platform/x86/acer-wmi.c
25223 --- linux-2.6.33.1/drivers/platform/x86/acer-wmi.c 2010-03-15 12:09:39.000000000 -0400
25224 +++ linux-2.6.33.1/drivers/platform/x86/acer-wmi.c 2010-03-20 16:58:40.464856812 -0400
25225 @@ -915,7 +915,7 @@ static int update_bl_status(struct backl
25229 -static struct backlight_ops acer_bl_ops = {
25230 +static const struct backlight_ops acer_bl_ops = {
25231 .get_brightness = read_brightness,
25232 .update_status = update_bl_status,
25234 diff -urNp linux-2.6.33.1/drivers/platform/x86/asus_acpi.c linux-2.6.33.1/drivers/platform/x86/asus_acpi.c
25235 --- linux-2.6.33.1/drivers/platform/x86/asus_acpi.c 2010-03-15 12:09:39.000000000 -0400
25236 +++ linux-2.6.33.1/drivers/platform/x86/asus_acpi.c 2010-03-20 16:58:40.480866604 -0400
25237 @@ -1464,7 +1464,7 @@ static int asus_hotk_remove(struct acpi_
25241 -static struct backlight_ops asus_backlight_data = {
25242 +static const struct backlight_ops asus_backlight_data = {
25243 .get_brightness = read_brightness,
25244 .update_status = set_brightness_status,
25246 diff -urNp linux-2.6.33.1/drivers/platform/x86/asus-laptop.c linux-2.6.33.1/drivers/platform/x86/asus-laptop.c
25247 --- linux-2.6.33.1/drivers/platform/x86/asus-laptop.c 2010-03-15 12:09:39.000000000 -0400
25248 +++ linux-2.6.33.1/drivers/platform/x86/asus-laptop.c 2010-03-20 16:58:40.480866604 -0400
25249 @@ -251,7 +251,7 @@ static struct backlight_device *asus_bac
25251 static int read_brightness(struct backlight_device *bd);
25252 static int update_bl_status(struct backlight_device *bd);
25253 -static struct backlight_ops asusbl_ops = {
25254 +static const struct backlight_ops asusbl_ops = {
25255 .get_brightness = read_brightness,
25256 .update_status = update_bl_status,
25258 diff -urNp linux-2.6.33.1/drivers/platform/x86/classmate-laptop.c linux-2.6.33.1/drivers/platform/x86/classmate-laptop.c
25259 --- linux-2.6.33.1/drivers/platform/x86/classmate-laptop.c 2010-03-15 12:09:39.000000000 -0400
25260 +++ linux-2.6.33.1/drivers/platform/x86/classmate-laptop.c 2010-03-20 16:58:40.484567094 -0400
25261 @@ -452,7 +452,7 @@ static int cmpc_bl_update_status(struct
25265 -static struct backlight_ops cmpc_bl_ops = {
25266 +static const struct backlight_ops cmpc_bl_ops = {
25267 .get_brightness = cmpc_bl_get_brightness,
25268 .update_status = cmpc_bl_update_status
25270 diff -urNp linux-2.6.33.1/drivers/platform/x86/compal-laptop.c linux-2.6.33.1/drivers/platform/x86/compal-laptop.c
25271 --- linux-2.6.33.1/drivers/platform/x86/compal-laptop.c 2010-03-15 12:09:39.000000000 -0400
25272 +++ linux-2.6.33.1/drivers/platform/x86/compal-laptop.c 2010-03-20 16:58:40.484567094 -0400
25273 @@ -162,7 +162,7 @@ static int bl_update_status(struct backl
25274 return set_lcd_level(b->props.brightness);
25277 -static struct backlight_ops compalbl_ops = {
25278 +static const struct backlight_ops compalbl_ops = {
25279 .get_brightness = bl_get_brightness,
25280 .update_status = bl_update_status,
25282 diff -urNp linux-2.6.33.1/drivers/platform/x86/dell-laptop.c linux-2.6.33.1/drivers/platform/x86/dell-laptop.c
25283 --- linux-2.6.33.1/drivers/platform/x86/dell-laptop.c 2010-03-15 12:09:39.000000000 -0400
25284 +++ linux-2.6.33.1/drivers/platform/x86/dell-laptop.c 2010-03-20 16:58:40.484567094 -0400
25285 @@ -333,7 +333,7 @@ static int dell_get_intensity(struct bac
25286 return buffer.output[1];
25289 -static struct backlight_ops dell_ops = {
25290 +static const struct backlight_ops dell_ops = {
25291 .get_brightness = dell_get_intensity,
25292 .update_status = dell_send_intensity,
25294 diff -urNp linux-2.6.33.1/drivers/platform/x86/eeepc-laptop.c linux-2.6.33.1/drivers/platform/x86/eeepc-laptop.c
25295 --- linux-2.6.33.1/drivers/platform/x86/eeepc-laptop.c 2010-03-15 12:09:39.000000000 -0400
25296 +++ linux-2.6.33.1/drivers/platform/x86/eeepc-laptop.c 2010-03-20 16:58:40.484567094 -0400
25297 @@ -1096,7 +1096,7 @@ static int update_bl_status(struct backl
25298 return set_brightness(bd, bd->props.brightness);
25301 -static struct backlight_ops eeepcbl_ops = {
25302 +static const struct backlight_ops eeepcbl_ops = {
25303 .get_brightness = read_brightness,
25304 .update_status = update_bl_status,
25306 diff -urNp linux-2.6.33.1/drivers/platform/x86/fujitsu-laptop.c linux-2.6.33.1/drivers/platform/x86/fujitsu-laptop.c
25307 --- linux-2.6.33.1/drivers/platform/x86/fujitsu-laptop.c 2010-03-15 12:09:39.000000000 -0400
25308 +++ linux-2.6.33.1/drivers/platform/x86/fujitsu-laptop.c 2010-03-20 16:58:40.488600423 -0400
25309 @@ -436,7 +436,7 @@ static int bl_update_status(struct backl
25313 -static struct backlight_ops fujitsubl_ops = {
25314 +static const struct backlight_ops fujitsubl_ops = {
25315 .get_brightness = bl_get_brightness,
25316 .update_status = bl_update_status,
25318 diff -urNp linux-2.6.33.1/drivers/platform/x86/msi-laptop.c linux-2.6.33.1/drivers/platform/x86/msi-laptop.c
25319 --- linux-2.6.33.1/drivers/platform/x86/msi-laptop.c 2010-03-15 12:09:39.000000000 -0400
25320 +++ linux-2.6.33.1/drivers/platform/x86/msi-laptop.c 2010-03-20 16:58:40.488600423 -0400
25321 @@ -161,7 +161,7 @@ static int bl_update_status(struct backl
25322 return set_lcd_level(b->props.brightness);
25325 -static struct backlight_ops msibl_ops = {
25326 +static const struct backlight_ops msibl_ops = {
25327 .get_brightness = bl_get_brightness,
25328 .update_status = bl_update_status,
25330 diff -urNp linux-2.6.33.1/drivers/platform/x86/msi-wmi.c linux-2.6.33.1/drivers/platform/x86/msi-wmi.c
25331 --- linux-2.6.33.1/drivers/platform/x86/msi-wmi.c 2010-03-15 12:09:39.000000000 -0400
25332 +++ linux-2.6.33.1/drivers/platform/x86/msi-wmi.c 2010-03-20 16:58:40.488600423 -0400
25333 @@ -138,7 +138,7 @@ static int bl_set_status(struct backligh
25334 return msi_wmi_set_block(0, backlight_map[bright]);
25337 -static struct backlight_ops msi_backlight_ops = {
25338 +static const struct backlight_ops msi_backlight_ops = {
25339 .get_brightness = bl_get,
25340 .update_status = bl_set_status,
25342 diff -urNp linux-2.6.33.1/drivers/platform/x86/panasonic-laptop.c linux-2.6.33.1/drivers/platform/x86/panasonic-laptop.c
25343 --- linux-2.6.33.1/drivers/platform/x86/panasonic-laptop.c 2010-03-15 12:09:39.000000000 -0400
25344 +++ linux-2.6.33.1/drivers/platform/x86/panasonic-laptop.c 2010-03-20 16:58:40.488600423 -0400
25345 @@ -352,7 +352,7 @@ static int bl_set_status(struct backligh
25346 return acpi_pcc_write_sset(pcc, SINF_DC_CUR_BRIGHT, bright);
25349 -static struct backlight_ops pcc_backlight_ops = {
25350 +static const struct backlight_ops pcc_backlight_ops = {
25351 .get_brightness = bl_get,
25352 .update_status = bl_set_status,
25354 diff -urNp linux-2.6.33.1/drivers/platform/x86/sony-laptop.c linux-2.6.33.1/drivers/platform/x86/sony-laptop.c
25355 --- linux-2.6.33.1/drivers/platform/x86/sony-laptop.c 2010-03-15 12:09:39.000000000 -0400
25356 +++ linux-2.6.33.1/drivers/platform/x86/sony-laptop.c 2010-03-20 16:58:40.508859925 -0400
25357 @@ -853,7 +853,7 @@ static int sony_backlight_get_brightness
25360 static struct backlight_device *sony_backlight_device;
25361 -static struct backlight_ops sony_backlight_ops = {
25362 +static const struct backlight_ops sony_backlight_ops = {
25363 .update_status = sony_backlight_update_status,
25364 .get_brightness = sony_backlight_get_brightness,
25366 diff -urNp linux-2.6.33.1/drivers/platform/x86/thinkpad_acpi.c linux-2.6.33.1/drivers/platform/x86/thinkpad_acpi.c
25367 --- linux-2.6.33.1/drivers/platform/x86/thinkpad_acpi.c 2010-03-15 12:09:39.000000000 -0400
25368 +++ linux-2.6.33.1/drivers/platform/x86/thinkpad_acpi.c 2010-03-20 16:58:40.516859801 -0400
25369 @@ -6131,7 +6131,7 @@ static void tpacpi_brightness_notify_cha
25370 BACKLIGHT_UPDATE_HOTKEY);
25373 -static struct backlight_ops ibm_backlight_data = {
25374 +static const struct backlight_ops ibm_backlight_data = {
25375 .get_brightness = brightness_get,
25376 .update_status = brightness_update_status,
25378 diff -urNp linux-2.6.33.1/drivers/platform/x86/toshiba_acpi.c linux-2.6.33.1/drivers/platform/x86/toshiba_acpi.c
25379 --- linux-2.6.33.1/drivers/platform/x86/toshiba_acpi.c 2010-03-15 12:09:39.000000000 -0400
25380 +++ linux-2.6.33.1/drivers/platform/x86/toshiba_acpi.c 2010-03-20 16:58:40.520536360 -0400
25381 @@ -706,7 +706,7 @@ static acpi_status remove_device(void)
25385 -static struct backlight_ops toshiba_backlight_data = {
25386 +static const struct backlight_ops toshiba_backlight_data = {
25387 .get_brightness = get_lcd,
25388 .update_status = set_lcd_status,
25390 diff -urNp linux-2.6.33.1/drivers/pnp/pnpbios/bioscalls.c linux-2.6.33.1/drivers/pnp/pnpbios/bioscalls.c
25391 --- linux-2.6.33.1/drivers/pnp/pnpbios/bioscalls.c 2010-03-15 12:09:39.000000000 -0400
25392 +++ linux-2.6.33.1/drivers/pnp/pnpbios/bioscalls.c 2010-03-20 16:58:40.524855697 -0400
25393 @@ -60,7 +60,7 @@ do { \
25394 set_desc_limit(&gdt[(selname) >> 3], (size) - 1); \
25397 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
25398 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
25399 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
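Review bot: The flags argument of `bad_bios_desc` changes from `0x4092` to `0x4093` with no explanation, in the same line that adds `const`. Bit 0 of that access byte is the descriptor's accessed flag. Presumably it is pre-set so the CPU never has to write the flag back into a GDT that this patch keeps read-only, but nothing in the hunk says so. A comment above the initializer, such as `/* accessed bit pre-set so loading the selector does not write to the GDT */`, would stop a later cleanup from reverting the value.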
25402 @@ -97,7 +97,10 @@ static inline u16 call_pnp_bios(u16 func
25405 save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
25407 + pax_open_kernel();
25408 get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
25409 + pax_close_kernel();
25411 /* On some boxes IRQ's during PnP BIOS calls are deadly. */
25412 spin_lock_irqsave(&pnp_bios_lock, flags);
25413 @@ -135,7 +138,10 @@ static inline u16 call_pnp_bios(u16 func
25415 spin_unlock_irqrestore(&pnp_bios_lock, flags);
25417 + pax_open_kernel();
25418 get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
25419 + pax_close_kernel();
25423 /* If we get here and this is set then the PnP BIOS faulted on us. */
25424 @@ -469,7 +475,7 @@ int pnp_bios_read_escd(char *data, u32 n
25428 -void pnpbios_calls_init(union pnp_bios_install_struct *header)
25429 +void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
25433 @@ -477,6 +483,8 @@ void pnpbios_calls_init(union pnp_bios_i
25434 pnp_bios_callpoint.offset = header->fields.pm16offset;
25435 pnp_bios_callpoint.segment = PNP_CS16;
25437 + pax_open_kernel();
25439 for_each_possible_cpu(i) {
25440 struct desc_struct *gdt = get_cpu_gdt_table(i);
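Review bot: `pax_open_kernel()` is called before `for_each_possible_cpu` and the matching `pax_close_kernel()` only appears in the next hunk, after the loop. The window with kernel write protection lifted therefore covers every statement in between, including lines of `pnpbios_calls_init` that neither hunk shows. In `call_pnp_bios` the same pair wraps a single GDT store, which is much easier to audit. Consider opening and closing inside the loop body, or add a comment at the open call such as `/* no early return before pax_close_kernel() below */`.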
25442 @@ -488,4 +496,6 @@ void pnpbios_calls_init(union pnp_bios_i
25443 set_desc_base(&gdt[GDT_ENTRY_PNPBIOS_DS],
25444 (unsigned long)__va(header->fields.pm16dseg));
25447 + pax_close_kernel();
25449 diff -urNp linux-2.6.33.1/drivers/pnp/quirks.c linux-2.6.33.1/drivers/pnp/quirks.c
25450 --- linux-2.6.33.1/drivers/pnp/quirks.c 2010-03-15 12:09:39.000000000 -0400
25451 +++ linux-2.6.33.1/drivers/pnp/quirks.c 2010-03-20 16:58:40.528847437 -0400
25452 @@ -322,7 +322,7 @@ static struct pnp_fixup pnp_fixups[] = {
25453 /* PnP resources that might overlap PCI BARs */
25454 {"PNP0c01", quirk_system_pci_resources},
25455 {"PNP0c02", quirk_system_pci_resources},
25460 void pnp_fixup_device(struct pnp_dev *dev)
25461 diff -urNp linux-2.6.33.1/drivers/pnp/resource.c linux-2.6.33.1/drivers/pnp/resource.c
25462 --- linux-2.6.33.1/drivers/pnp/resource.c 2010-03-15 12:09:39.000000000 -0400
25463 +++ linux-2.6.33.1/drivers/pnp/resource.c 2010-03-20 16:58:40.532529204 -0400
25464 @@ -355,7 +355,7 @@ int pnp_check_irq(struct pnp_dev *dev, s
25467 /* check if the resource is valid */
25468 - if (*irq < 0 || *irq > 15)
25472 /* check if the resource is reserved */
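Review bot: Dropping `*irq < 0` here, and `*dma < 0` in the `pnp_check_dma` hunk below (`if (*dma == 4 || *dma > 7)`), leaves only the upper-bound test, which is sufficient only if the pointee type is unsigned. The declarations of `irq` and `dma` are above both hunks and not visible. If they are unsigned the old comparison was dead code and the removal is fine; if either were signed, a negative value would now be accepted as valid. A one-line comment beside each check, e.g. `/* *dma is unsigned, so no lower-bound test is needed */`, records the assumption.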
25473 @@ -419,7 +419,7 @@ int pnp_check_dma(struct pnp_dev *dev, s
25476 /* check if the resource is valid */
25477 - if (*dma < 0 || *dma == 4 || *dma > 7)
25478 + if (*dma == 4 || *dma > 7)
25481 /* check if the resource is reserved */
25482 diff -urNp linux-2.6.33.1/drivers/s390/cio/qdio_debug.c linux-2.6.33.1/drivers/s390/cio/qdio_debug.c
25483 --- linux-2.6.33.1/drivers/s390/cio/qdio_debug.c 2010-03-15 12:09:39.000000000 -0400
25484 +++ linux-2.6.33.1/drivers/s390/cio/qdio_debug.c 2010-03-20 16:58:40.552847675 -0400
25485 @@ -215,7 +215,7 @@ static int qperf_seq_open(struct inode *
25486 filp->f_path.dentry->d_inode->i_private);
25489 -static struct file_operations debugfs_perf_fops = {
25490 +static const struct file_operations debugfs_perf_fops = {
25491 .owner = THIS_MODULE,
25492 .open = qperf_seq_open,
25494 diff -urNp linux-2.6.33.1/drivers/scsi/ipr.c linux-2.6.33.1/drivers/scsi/ipr.c
25495 --- linux-2.6.33.1/drivers/scsi/ipr.c 2010-03-15 12:09:39.000000000 -0400
25496 +++ linux-2.6.33.1/drivers/scsi/ipr.c 2010-03-20 16:58:40.596672237 -0400
25497 @@ -5291,7 +5291,7 @@ static bool ipr_qc_fill_rtf(struct ata_q
25501 -static struct ata_port_operations ipr_sata_ops = {
25502 +static const struct ata_port_operations ipr_sata_ops = {
25503 .phy_reset = ipr_ata_phy_reset,
25504 .hardreset = ipr_sata_reset,
25505 .post_internal_cmd = ipr_ata_post_internal,
25506 diff -urNp linux-2.6.33.1/drivers/scsi/libfc/fc_exch.c linux-2.6.33.1/drivers/scsi/libfc/fc_exch.c
25507 --- linux-2.6.33.1/drivers/scsi/libfc/fc_exch.c 2010-03-15 12:09:39.000000000 -0400
25508 +++ linux-2.6.33.1/drivers/scsi/libfc/fc_exch.c 2010-03-20 16:58:40.600909572 -0400
25509 @@ -100,12 +100,12 @@ struct fc_exch_mgr {
25510 * all together if not used XXX
25513 - atomic_t no_free_exch;
25514 - atomic_t no_free_exch_xid;
25515 - atomic_t xid_not_found;
25516 - atomic_t xid_busy;
25517 - atomic_t seq_not_found;
25518 - atomic_t non_bls_resp;
25519 + atomic_unchecked_t no_free_exch;
25520 + atomic_unchecked_t no_free_exch_xid;
25521 + atomic_unchecked_t xid_not_found;
25522 + atomic_unchecked_t xid_busy;
25523 + atomic_unchecked_t seq_not_found;
25524 + atomic_unchecked_t non_bls_resp;
25527 #define fc_seq_exch(sp) container_of(sp, struct fc_exch, seq)
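Review bot: The six counters in `struct fc_exch_mgr` switch to `atomic_unchecked_t` with no comment saying why they are exempt from overflow checking. Judging by the `atomic_inc_unchecked(&mp->stats....)` calls in the later hunks of this file, they are pure event statistics where a wrap is harmless, which is presumably the reason. Stating that next to the fields, e.g. `/* statistics only, may wrap; not reference counts */`, keeps someone from later reusing one of them for a lifetime or bounds decision. Any reader of these fields outside the visible hunks needs the matching `_unchecked` accessor as well; the struct begins above the hunk.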
25528 @@ -671,7 +671,7 @@ static struct fc_exch *fc_exch_em_alloc(
25529 /* allocate memory for exchange */
25530 ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC);
25532 - atomic_inc(&mp->stats.no_free_exch);
25533 + atomic_inc_unchecked(&mp->stats.no_free_exch);
25536 memset(ep, 0, sizeof(*ep));
25537 @@ -718,7 +718,7 @@ out:
25540 spin_unlock_bh(&pool->lock);
25541 - atomic_inc(&mp->stats.no_free_exch_xid);
25542 + atomic_inc_unchecked(&mp->stats.no_free_exch_xid);
25543 mempool_free(ep, mp->ep_pool);
25546 @@ -868,7 +868,7 @@ static enum fc_pf_rjt_reason fc_seq_look
25547 xid = ntohs(fh->fh_ox_id); /* we originated exch */
25548 ep = fc_exch_find(mp, xid);
25550 - atomic_inc(&mp->stats.xid_not_found);
25551 + atomic_inc_unchecked(&mp->stats.xid_not_found);
25552 reject = FC_RJT_OX_ID;
25555 @@ -898,7 +898,7 @@ static enum fc_pf_rjt_reason fc_seq_look
25556 ep = fc_exch_find(mp, xid);
25557 if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) {
25559 - atomic_inc(&mp->stats.xid_busy);
25560 + atomic_inc_unchecked(&mp->stats.xid_busy);
25561 reject = FC_RJT_RX_ID;
25564 @@ -909,7 +909,7 @@ static enum fc_pf_rjt_reason fc_seq_look
25566 xid = ep->xid; /* get our XID */
25568 - atomic_inc(&mp->stats.xid_not_found);
25569 + atomic_inc_unchecked(&mp->stats.xid_not_found);
25570 reject = FC_RJT_RX_ID; /* XID not found */
25573 @@ -930,7 +930,7 @@ static enum fc_pf_rjt_reason fc_seq_look
25576 if (sp->id != fh->fh_seq_id) {
25577 - atomic_inc(&mp->stats.seq_not_found);
25578 + atomic_inc_unchecked(&mp->stats.seq_not_found);
25579 reject = FC_RJT_SEQ_ID; /* sequence/exch should exist */
25582 @@ -1317,22 +1317,22 @@ static void fc_exch_recv_seq_resp(struct
25584 ep = fc_exch_find(mp, ntohs(fh->fh_ox_id));
25586 - atomic_inc(&mp->stats.xid_not_found);
25587 + atomic_inc_unchecked(&mp->stats.xid_not_found);
25590 if (ep->esb_stat & ESB_ST_COMPLETE) {
25591 - atomic_inc(&mp->stats.xid_not_found);
25592 + atomic_inc_unchecked(&mp->stats.xid_not_found);
25595 if (ep->rxid == FC_XID_UNKNOWN)
25596 ep->rxid = ntohs(fh->fh_rx_id);
25597 if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) {
25598 - atomic_inc(&mp->stats.xid_not_found);
25599 + atomic_inc_unchecked(&mp->stats.xid_not_found);
25602 if (ep->did != ntoh24(fh->fh_s_id) &&
25603 ep->did != FC_FID_FLOGI) {
25604 - atomic_inc(&mp->stats.xid_not_found);
25605 + atomic_inc_unchecked(&mp->stats.xid_not_found);
25609 @@ -1343,7 +1343,7 @@ static void fc_exch_recv_seq_resp(struct
25612 if (sp->id != fh->fh_seq_id) {
25613 - atomic_inc(&mp->stats.seq_not_found);
25614 + atomic_inc_unchecked(&mp->stats.seq_not_found);
25618 @@ -1406,9 +1406,9 @@ static void fc_exch_recv_resp(struct fc_
25619 sp = fc_seq_lookup_orig(mp, fp); /* doesn't hold sequence */
25622 - atomic_inc(&mp->stats.xid_not_found);
25623 + atomic_inc_unchecked(&mp->stats.xid_not_found);
25625 - atomic_inc(&mp->stats.non_bls_resp);
25626 + atomic_inc_unchecked(&mp->stats.non_bls_resp);
25630 diff -urNp linux-2.6.33.1/drivers/scsi/libsas/sas_ata.c linux-2.6.33.1/drivers/scsi/libsas/sas_ata.c
25631 --- linux-2.6.33.1/drivers/scsi/libsas/sas_ata.c 2010-03-15 12:09:39.000000000 -0400
25632 +++ linux-2.6.33.1/drivers/scsi/libsas/sas_ata.c 2010-03-20 16:58:40.625874020 -0400
25633 @@ -343,7 +343,7 @@ static int sas_ata_scr_read(struct ata_l
25637 -static struct ata_port_operations sas_sata_ops = {
25638 +static const struct ata_port_operations sas_sata_ops = {
25639 .phy_reset = sas_ata_phy_reset,
25640 .post_internal_cmd = sas_ata_post_internal,
25641 .qc_prep = ata_noop_qc_prep,
25642 diff -urNp linux-2.6.33.1/drivers/scsi/scsi_logging.h linux-2.6.33.1/drivers/scsi/scsi_logging.h
25643 --- linux-2.6.33.1/drivers/scsi/scsi_logging.h 2010-03-15 12:09:39.000000000 -0400
25644 +++ linux-2.6.33.1/drivers/scsi/scsi_logging.h 2010-03-20 16:58:40.673358427 -0400
25645 @@ -51,7 +51,7 @@ do { \
25649 -#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD)
25650 +#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD) do {} while (0)
25651 #endif /* CONFIG_SCSI_LOGGING */
25654 diff -urNp linux-2.6.33.1/drivers/scsi/sg.c linux-2.6.33.1/drivers/scsi/sg.c
25655 --- linux-2.6.33.1/drivers/scsi/sg.c 2010-03-15 12:09:39.000000000 -0400
25656 +++ linux-2.6.33.1/drivers/scsi/sg.c 2010-03-20 16:58:40.692870926 -0400
25657 @@ -2292,7 +2292,7 @@ struct sg_proc_leaf {
25658 const struct file_operations * fops;
25661 -static struct sg_proc_leaf sg_proc_leaf_arr[] = {
25662 +static const struct sg_proc_leaf sg_proc_leaf_arr[] = {
25663 {"allow_dio", &adio_fops},
25664 {"debug", &debug_fops},
25665 {"def_reserved_size", &dressz_fops},
25666 @@ -2307,7 +2307,7 @@ sg_proc_init(void)
25669 int num_leaves = ARRAY_SIZE(sg_proc_leaf_arr);
25670 - struct sg_proc_leaf * leaf;
25671 + const struct sg_proc_leaf * leaf;
25673 sg_proc_sgp = proc_mkdir(sg_proc_sg_dirname, NULL);
25675 diff -urNp linux-2.6.33.1/drivers/serial/8250_pci.c linux-2.6.33.1/drivers/serial/8250_pci.c
25676 --- linux-2.6.33.1/drivers/serial/8250_pci.c 2010-03-15 12:09:39.000000000 -0400
25677 +++ linux-2.6.33.1/drivers/serial/8250_pci.c 2010-03-20 16:58:40.736223750 -0400
25678 @@ -3664,7 +3664,7 @@ static struct pci_device_id serial_pci_t
25679 PCI_ANY_ID, PCI_ANY_ID,
25680 PCI_CLASS_COMMUNICATION_MULTISERIAL << 8,
25681 0xffff00, pbn_default },
25683 + { 0, 0, 0, 0, 0, 0, 0 }
25686 static struct pci_driver serial_pci_driver = {
25687 diff -urNp linux-2.6.33.1/drivers/serial/kgdboc.c linux-2.6.33.1/drivers/serial/kgdboc.c
25688 --- linux-2.6.33.1/drivers/serial/kgdboc.c 2010-03-15 12:09:39.000000000 -0400
25689 +++ linux-2.6.33.1/drivers/serial/kgdboc.c 2010-03-20 16:58:40.745176799 -0400
25692 #define MAX_CONFIG_LEN 40
25694 -static struct kgdb_io kgdboc_io_ops;
25695 +static const struct kgdb_io kgdboc_io_ops;
25697 /* -1 = init not run yet, 0 = unconfigured, 1 = configured. */
25698 static int configured = -1;
25699 @@ -154,7 +154,7 @@ static void kgdboc_post_exp_handler(void
25700 module_put(THIS_MODULE);
25703 -static struct kgdb_io kgdboc_io_ops = {
25704 +static const struct kgdb_io kgdboc_io_ops = {
25706 .read_char = kgdboc_get_char,
25707 .write_char = kgdboc_put_char,
25708 diff -urNp linux-2.6.33.1/drivers/staging/b3dfg/b3dfg.c linux-2.6.33.1/drivers/staging/b3dfg/b3dfg.c
25709 --- linux-2.6.33.1/drivers/staging/b3dfg/b3dfg.c 2010-03-15 12:09:39.000000000 -0400
25710 +++ linux-2.6.33.1/drivers/staging/b3dfg/b3dfg.c 2010-03-20 16:58:40.760695484 -0400
25711 @@ -455,7 +455,7 @@ static int b3dfg_vma_fault(struct vm_are
25712 return VM_FAULT_NOPAGE;
25715 -static struct vm_operations_struct b3dfg_vm_ops = {
25716 +static const struct vm_operations_struct b3dfg_vm_ops = {
25717 .fault = b3dfg_vma_fault,
25720 @@ -836,7 +836,7 @@ static int b3dfg_mmap(struct file *filp,
25724 -static struct file_operations b3dfg_fops = {
25725 +static const struct file_operations b3dfg_fops = {
25726 .owner = THIS_MODULE,
25727 .open = b3dfg_open,
25728 .release = b3dfg_release,
25729 diff -urNp linux-2.6.33.1/drivers/staging/comedi/comedi_fops.c linux-2.6.33.1/drivers/staging/comedi/comedi_fops.c
25730 --- linux-2.6.33.1/drivers/staging/comedi/comedi_fops.c 2010-03-15 12:09:39.000000000 -0400
25731 +++ linux-2.6.33.1/drivers/staging/comedi/comedi_fops.c 2010-03-20 16:58:40.772884102 -0400
25732 @@ -1384,7 +1384,7 @@ void comedi_unmap(struct vm_area_struct
25733 mutex_unlock(&dev->mutex);
25736 -static struct vm_operations_struct comedi_vm_ops = {
25737 +static const struct vm_operations_struct comedi_vm_ops = {
25738 .close = comedi_unmap,
25741 diff -urNp linux-2.6.33.1/drivers/staging/dream/pmem.c linux-2.6.33.1/drivers/staging/dream/pmem.c
25742 --- linux-2.6.33.1/drivers/staging/dream/pmem.c 2010-03-15 12:09:39.000000000 -0400
25743 +++ linux-2.6.33.1/drivers/staging/dream/pmem.c 2010-03-20 16:58:40.792529665 -0400
25744 @@ -174,7 +174,7 @@ static int pmem_mmap(struct file *, stru
25745 static int pmem_open(struct inode *, struct file *);
25746 static long pmem_ioctl(struct file *, unsigned int, unsigned long);
25748 -struct file_operations pmem_fops = {
25749 +const struct file_operations pmem_fops = {
25750 .release = pmem_release,
25753 @@ -1202,7 +1202,7 @@ static ssize_t debug_read(struct file *f
25754 return simple_read_from_buffer(buf, count, ppos, buffer, n);
25757 -static struct file_operations debug_fops = {
25758 +static const struct file_operations debug_fops = {
25759 .read = debug_read,
25760 .open = debug_open,
25762 diff -urNp linux-2.6.33.1/drivers/staging/dream/qdsp5/adsp_driver.c linux-2.6.33.1/drivers/staging/dream/qdsp5/adsp_driver.c
25763 --- linux-2.6.33.1/drivers/staging/dream/qdsp5/adsp_driver.c 2010-03-15 12:09:39.000000000 -0400
25764 +++ linux-2.6.33.1/drivers/staging/dream/qdsp5/adsp_driver.c 2010-03-20 16:58:40.796888570 -0400
25765 @@ -576,7 +576,7 @@ static struct adsp_device *inode_to_devi
25766 static dev_t adsp_devno;
25767 static struct class *adsp_class;
25769 -static struct file_operations adsp_fops = {
25770 +static const struct file_operations adsp_fops = {
25771 .owner = THIS_MODULE,
25773 .unlocked_ioctl = adsp_ioctl,
25774 diff -urNp linux-2.6.33.1/drivers/staging/dream/qdsp5/audio_aac.c linux-2.6.33.1/drivers/staging/dream/qdsp5/audio_aac.c
25775 --- linux-2.6.33.1/drivers/staging/dream/qdsp5/audio_aac.c 2010-03-15 12:09:39.000000000 -0400
25776 +++ linux-2.6.33.1/drivers/staging/dream/qdsp5/audio_aac.c 2010-03-20 16:58:40.808875958 -0400
25777 @@ -1022,7 +1022,7 @@ done:
25781 -static struct file_operations audio_aac_fops = {
25782 +static const struct file_operations audio_aac_fops = {
25783 .owner = THIS_MODULE,
25784 .open = audio_open,
25785 .release = audio_release,
25786 diff -urNp linux-2.6.33.1/drivers/staging/dream/qdsp5/audio_amrnb.c linux-2.6.33.1/drivers/staging/dream/qdsp5/audio_amrnb.c
25787 --- linux-2.6.33.1/drivers/staging/dream/qdsp5/audio_amrnb.c 2010-03-15 12:09:39.000000000 -0400
25788 +++ linux-2.6.33.1/drivers/staging/dream/qdsp5/audio_amrnb.c 2010-03-20 16:58:40.808875958 -0400
25789 @@ -833,7 +833,7 @@ done:
25793 -static struct file_operations audio_amrnb_fops = {
25794 +static const struct file_operations audio_amrnb_fops = {
25795 .owner = THIS_MODULE,
25796 .open = audamrnb_open,
25797 .release = audamrnb_release,
25798 diff -urNp linux-2.6.33.1/drivers/staging/dream/qdsp5/audio_evrc.c linux-2.6.33.1/drivers/staging/dream/qdsp5/audio_evrc.c
25799 --- linux-2.6.33.1/drivers/staging/dream/qdsp5/audio_evrc.c 2010-03-15 12:09:39.000000000 -0400
25800 +++ linux-2.6.33.1/drivers/staging/dream/qdsp5/audio_evrc.c 2010-03-20 16:58:40.812532082 -0400
25801 @@ -805,7 +805,7 @@ dma_fail:
25805 -static struct file_operations audio_evrc_fops = {
25806 +static const struct file_operations audio_evrc_fops = {
25807 .owner = THIS_MODULE,
25808 .open = audevrc_open,
25809 .release = audevrc_release,
25810 diff -urNp linux-2.6.33.1/drivers/staging/dream/qdsp5/audio_in.c linux-2.6.33.1/drivers/staging/dream/qdsp5/audio_in.c
25811 --- linux-2.6.33.1/drivers/staging/dream/qdsp5/audio_in.c 2010-03-15 12:09:39.000000000 -0400
25812 +++ linux-2.6.33.1/drivers/staging/dream/qdsp5/audio_in.c 2010-03-20 16:58:40.812532082 -0400
25813 @@ -913,7 +913,7 @@ static int audpre_open(struct inode *ino
25817 -static struct file_operations audio_fops = {
25818 +static const struct file_operations audio_fops = {
25819 .owner = THIS_MODULE,
25820 .open = audio_in_open,
25821 .release = audio_in_release,
25822 @@ -922,7 +922,7 @@ static struct file_operations audio_fops
25823 .unlocked_ioctl = audio_in_ioctl,
25826 -static struct file_operations audpre_fops = {
25827 +static const struct file_operations audpre_fops = {
25828 .owner = THIS_MODULE,
25829 .open = audpre_open,
25830 .unlocked_ioctl = audpre_ioctl,
25831 diff -urNp linux-2.6.33.1/drivers/staging/dream/qdsp5/audio_mp3.c linux-2.6.33.1/drivers/staging/dream/qdsp5/audio_mp3.c
25832 --- linux-2.6.33.1/drivers/staging/dream/qdsp5/audio_mp3.c 2010-03-15 12:09:39.000000000 -0400
25833 +++ linux-2.6.33.1/drivers/staging/dream/qdsp5/audio_mp3.c 2010-03-20 16:58:40.812532082 -0400
25834 @@ -941,7 +941,7 @@ done:
25838 -static struct file_operations audio_mp3_fops = {
25839 +static const struct file_operations audio_mp3_fops = {
25840 .owner = THIS_MODULE,
25841 .open = audio_open,
25842 .release = audio_release,
25843 diff -urNp linux-2.6.33.1/drivers/staging/dream/qdsp5/audio_out.c linux-2.6.33.1/drivers/staging/dream/qdsp5/audio_out.c
25844 --- linux-2.6.33.1/drivers/staging/dream/qdsp5/audio_out.c 2010-03-15 12:09:39.000000000 -0400
25845 +++ linux-2.6.33.1/drivers/staging/dream/qdsp5/audio_out.c 2010-03-20 16:58:40.812532082 -0400
25846 @@ -806,7 +806,7 @@ static int audpp_open(struct inode *inod
25850 -static struct file_operations audio_fops = {
25851 +static const struct file_operations audio_fops = {
25852 .owner = THIS_MODULE,
25853 .open = audio_open,
25854 .release = audio_release,
25855 @@ -815,7 +815,7 @@ static struct file_operations audio_fops
25856 .unlocked_ioctl = audio_ioctl,
25859 -static struct file_operations audpp_fops = {
25860 +static const struct file_operations audpp_fops = {
25861 .owner = THIS_MODULE,
25862 .open = audpp_open,
25863 .unlocked_ioctl = audpp_ioctl,
25864 diff -urNp linux-2.6.33.1/drivers/staging/dream/qdsp5/audio_qcelp.c linux-2.6.33.1/drivers/staging/dream/qdsp5/audio_qcelp.c
25865 --- linux-2.6.33.1/drivers/staging/dream/qdsp5/audio_qcelp.c 2010-03-15 12:09:39.000000000 -0400
25866 +++ linux-2.6.33.1/drivers/staging/dream/qdsp5/audio_qcelp.c 2010-03-20 16:58:40.816705807 -0400
25867 @@ -816,7 +816,7 @@ err:
25871 -static struct file_operations audio_qcelp_fops = {
25872 +static const struct file_operations audio_qcelp_fops = {
25873 .owner = THIS_MODULE,
25874 .open = audqcelp_open,
25875 .release = audqcelp_release,
25876 diff -urNp linux-2.6.33.1/drivers/staging/dream/qdsp5/snd.c linux-2.6.33.1/drivers/staging/dream/qdsp5/snd.c
25877 --- linux-2.6.33.1/drivers/staging/dream/qdsp5/snd.c 2010-03-15 12:09:39.000000000 -0400
25878 +++ linux-2.6.33.1/drivers/staging/dream/qdsp5/snd.c 2010-03-20 16:58:40.816705807 -0400
25879 @@ -242,7 +242,7 @@ err:
25883 -static struct file_operations snd_fops = {
25884 +static const struct file_operations snd_fops = {
25885 .owner = THIS_MODULE,
25887 .release = snd_release,
25888 diff -urNp linux-2.6.33.1/drivers/staging/dream/smd/smd_qmi.c linux-2.6.33.1/drivers/staging/dream/smd/smd_qmi.c
25889 --- linux-2.6.33.1/drivers/staging/dream/smd/smd_qmi.c 2010-03-15 12:09:39.000000000 -0400
25890 +++ linux-2.6.33.1/drivers/staging/dream/smd/smd_qmi.c 2010-03-20 16:58:40.828884259 -0400
25891 @@ -788,7 +788,7 @@ static int qmi_release(struct inode *ip,
25895 -static struct file_operations qmi_fops = {
25896 +static const struct file_operations qmi_fops = {
25897 .owner = THIS_MODULE,
25899 .write = qmi_write,
25900 diff -urNp linux-2.6.33.1/drivers/staging/dream/smd/smd_rpcrouter_device.c linux-2.6.33.1/drivers/staging/dream/smd/smd_rpcrouter_device.c
25901 --- linux-2.6.33.1/drivers/staging/dream/smd/smd_rpcrouter_device.c 2010-03-15 12:09:39.000000000 -0400
25902 +++ linux-2.6.33.1/drivers/staging/dream/smd/smd_rpcrouter_device.c 2010-03-20 16:58:40.828884259 -0400
25903 @@ -214,7 +214,7 @@ static long rpcrouter_ioctl(struct file
25907 -static struct file_operations rpcrouter_server_fops = {
25908 +static const struct file_operations rpcrouter_server_fops = {
25909 .owner = THIS_MODULE,
25910 .open = rpcrouter_open,
25911 .release = rpcrouter_release,
25912 @@ -224,7 +224,7 @@ static struct file_operations rpcrouter_
25913 .unlocked_ioctl = rpcrouter_ioctl,
25916 -static struct file_operations rpcrouter_router_fops = {
25917 +static const struct file_operations rpcrouter_router_fops = {
25918 .owner = THIS_MODULE,
25919 .open = rpcrouter_open,
25920 .release = rpcrouter_release,
25921 diff -urNp linux-2.6.33.1/drivers/staging/go7007/go7007-v4l2.c linux-2.6.33.1/drivers/staging/go7007/go7007-v4l2.c
25922 --- linux-2.6.33.1/drivers/staging/go7007/go7007-v4l2.c 2010-03-15 12:09:39.000000000 -0400
25923 +++ linux-2.6.33.1/drivers/staging/go7007/go7007-v4l2.c 2010-03-20 16:58:40.858660027 -0400
25924 @@ -1674,7 +1674,7 @@ static int go7007_vm_fault(struct vm_are
25928 -static struct vm_operations_struct go7007_vm_ops = {
25929 +static const struct vm_operations_struct go7007_vm_ops = {
25930 .open = go7007_vm_open,
25931 .close = go7007_vm_close,
25932 .fault = go7007_vm_fault,
25933 diff -urNp linux-2.6.33.1/drivers/staging/hv/blkvsc_drv.c linux-2.6.33.1/drivers/staging/hv/blkvsc_drv.c
25934 --- linux-2.6.33.1/drivers/staging/hv/blkvsc_drv.c 2010-03-15 12:09:39.000000000 -0400
25935 +++ linux-2.6.33.1/drivers/staging/hv/blkvsc_drv.c 2010-03-20 16:58:40.876878598 -0400
25936 @@ -153,7 +153,7 @@ static int blkvsc_ringbuffer_size = BLKV
25937 /* The one and only one */
25938 static struct blkvsc_driver_context g_blkvsc_drv;
25940 -static struct block_device_operations block_ops = {
25941 +static const struct block_device_operations block_ops = {
25942 .owner = THIS_MODULE,
25943 .open = blkvsc_open,
25944 .release = blkvsc_release,
25945 diff -urNp linux-2.6.33.1/drivers/staging/panel/panel.c linux-2.6.33.1/drivers/staging/panel/panel.c
25946 --- linux-2.6.33.1/drivers/staging/panel/panel.c 2010-03-15 12:09:39.000000000 -0400
25947 +++ linux-2.6.33.1/drivers/staging/panel/panel.c 2010-03-20 16:58:40.888879754 -0400
25948 @@ -1305,7 +1305,7 @@ static int lcd_release(struct inode *ino
25952 -static struct file_operations lcd_fops = {
25953 +static const struct file_operations lcd_fops = {
25954 .write = lcd_write,
25956 .release = lcd_release,
25957 @@ -1565,7 +1565,7 @@ static int keypad_release(struct inode *
25961 -static struct file_operations keypad_fops = {
25962 +static const struct file_operations keypad_fops = {
25963 .read = keypad_read, /* read */
25964 .open = keypad_open, /* open */
25965 .release = keypad_release, /* close */
25966 diff -urNp linux-2.6.33.1/drivers/staging/phison/phison.c linux-2.6.33.1/drivers/staging/phison/phison.c
25967 --- linux-2.6.33.1/drivers/staging/phison/phison.c 2010-03-15 12:09:39.000000000 -0400
25968 +++ linux-2.6.33.1/drivers/staging/phison/phison.c 2010-03-20 16:58:40.896878917 -0400
25969 @@ -43,7 +43,7 @@ static struct scsi_host_template phison_
25970 ATA_BMDMA_SHT(DRV_NAME),
25973 -static struct ata_port_operations phison_ops = {
25974 +static const struct ata_port_operations phison_ops = {
25975 .inherits = &ata_bmdma_port_ops,
25976 .prereset = phison_pre_reset,
25978 diff -urNp linux-2.6.33.1/drivers/staging/poch/poch.c linux-2.6.33.1/drivers/staging/poch/poch.c
25979 --- linux-2.6.33.1/drivers/staging/poch/poch.c 2010-03-15 12:09:39.000000000 -0400
25980 +++ linux-2.6.33.1/drivers/staging/poch/poch.c 2010-03-20 16:58:40.920050870 -0400
25981 @@ -1032,7 +1032,7 @@ static int poch_ioctl(struct inode *inod
25985 -static struct file_operations poch_fops = {
25986 +static const struct file_operations poch_fops = {
25987 .owner = THIS_MODULE,
25989 .release = poch_release,
25990 diff -urNp linux-2.6.33.1/drivers/staging/pohmelfs/inode.c linux-2.6.33.1/drivers/staging/pohmelfs/inode.c
25991 --- linux-2.6.33.1/drivers/staging/pohmelfs/inode.c 2010-03-15 12:09:39.000000000 -0400
25992 +++ linux-2.6.33.1/drivers/staging/pohmelfs/inode.c 2010-03-20 16:58:40.936891697 -0400
25993 @@ -1854,7 +1854,7 @@ static int pohmelfs_fill_super(struct su
25994 mutex_init(&psb->mcache_lock);
25995 psb->mcache_root = RB_ROOT;
25996 psb->mcache_timeout = msecs_to_jiffies(5000);
25997 - atomic_long_set(&psb->mcache_gen, 0);
25998 + atomic_long_set_unchecked(&psb->mcache_gen, 0);
26000 psb->trans_max_pages = 100;
26002 diff -urNp linux-2.6.33.1/drivers/staging/pohmelfs/mcache.c linux-2.6.33.1/drivers/staging/pohmelfs/mcache.c
26003 --- linux-2.6.33.1/drivers/staging/pohmelfs/mcache.c 2010-03-15 12:09:39.000000000 -0400
26004 +++ linux-2.6.33.1/drivers/staging/pohmelfs/mcache.c 2010-03-20 16:58:40.936891697 -0400
26005 @@ -121,7 +121,7 @@ struct pohmelfs_mcache *pohmelfs_mcache_
26009 - m->gen = atomic_long_inc_return(&psb->mcache_gen);
26010 + m->gen = atomic_long_inc_return_unchecked(&psb->mcache_gen);
26012 mutex_lock(&psb->mcache_lock);
26013 err = pohmelfs_mcache_insert(psb, m);
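Review bot: `m->gen` now comes from `atomic_long_inc_return_unchecked()`, which explicitly allows `mcache_gen` to wrap, and the following `pohmelfs_mcache_insert(psb, m)` appears to file the entry under that value. If `gen` is the lookup key, a wrapped counter can hand out a value that is still present in the tree, so the insert path has to reject duplicates; that code is outside the hunk and should be checked. Once confirmed, a comment at the increment such as `/* generation id, not a refcount; wrap is tolerated because insert fails on a duplicate gen */` would record why the unchecked variant is safe here. The enclosing function starts and ends outside the hunk.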
26014 diff -urNp linux-2.6.33.1/drivers/staging/pohmelfs/netfs.h linux-2.6.33.1/drivers/staging/pohmelfs/netfs.h
26015 --- linux-2.6.33.1/drivers/staging/pohmelfs/netfs.h 2010-03-15 12:09:39.000000000 -0400
26016 +++ linux-2.6.33.1/drivers/staging/pohmelfs/netfs.h 2010-03-20 16:58:40.940661223 -0400
26017 @@ -571,7 +571,7 @@ struct pohmelfs_config;
26018 struct pohmelfs_sb {
26019 struct rb_root mcache_root;
26020 struct mutex mcache_lock;
26021 - atomic_long_t mcache_gen;
26022 + atomic_long_unchecked_t mcache_gen;
26023 unsigned long mcache_timeout;
26026 diff -urNp linux-2.6.33.1/drivers/staging/ramzswap/ramzswap_drv.c linux-2.6.33.1/drivers/staging/ramzswap/ramzswap_drv.c
26027 --- linux-2.6.33.1/drivers/staging/ramzswap/ramzswap_drv.c 2010-03-15 12:09:39.000000000 -0400
26028 +++ linux-2.6.33.1/drivers/staging/ramzswap/ramzswap_drv.c 2010-03-20 16:58:40.944873774 -0400
26029 @@ -1288,7 +1288,7 @@ out:
26033 -static struct block_device_operations ramzswap_devops = {
26034 +static const struct block_device_operations ramzswap_devops = {
26035 .ioctl = ramzswap_ioctl,
26036 .owner = THIS_MODULE,
26038 diff -urNp linux-2.6.33.1/drivers/staging/rtl8192u/ieee80211/proc.c linux-2.6.33.1/drivers/staging/rtl8192u/ieee80211/proc.c
26039 --- linux-2.6.33.1/drivers/staging/rtl8192u/ieee80211/proc.c 2010-03-15 12:09:39.000000000 -0400
26040 +++ linux-2.6.33.1/drivers/staging/rtl8192u/ieee80211/proc.c 2010-03-20 16:58:40.944873774 -0400
26041 @@ -99,7 +99,7 @@ static int crypto_info_open(struct inode
26042 return seq_open(file, &crypto_seq_ops);
26045 -static struct file_operations proc_crypto_ops = {
26046 +static const struct file_operations proc_crypto_ops = {
26047 .open = crypto_info_open,
26049 .llseek = seq_lseek,
26050 diff -urNp linux-2.6.33.1/drivers/staging/samsung-laptop/samsung-laptop.c linux-2.6.33.1/drivers/staging/samsung-laptop/samsung-laptop.c
26051 --- linux-2.6.33.1/drivers/staging/samsung-laptop/samsung-laptop.c 2010-03-15 12:09:39.000000000 -0400
26052 +++ linux-2.6.33.1/drivers/staging/samsung-laptop/samsung-laptop.c 2010-03-20 16:58:40.952877179 -0400
26053 @@ -268,7 +268,7 @@ static int update_status(struct backligh
26057 -static struct backlight_ops backlight_ops = {
26058 +static const struct backlight_ops backlight_ops = {
26059 .get_brightness = get_brightness,
26060 .update_status = update_status,
26062 diff -urNp linux-2.6.33.1/drivers/staging/sep/sep_driver.c linux-2.6.33.1/drivers/staging/sep/sep_driver.c
26063 --- linux-2.6.33.1/drivers/staging/sep/sep_driver.c 2010-03-15 12:09:39.000000000 -0400
26064 +++ linux-2.6.33.1/drivers/staging/sep/sep_driver.c 2010-03-20 16:58:40.956865691 -0400
26065 @@ -2605,7 +2605,7 @@ static struct pci_driver sep_pci_driver
26066 static dev_t sep_devno;
26068 /* the files operations structure of the driver */
26069 -static struct file_operations sep_file_operations = {
26070 +static const struct file_operations sep_file_operations = {
26071 .owner = THIS_MODULE,
26072 .ioctl = sep_ioctl,
26074 diff -urNp linux-2.6.33.1/drivers/staging/vme/devices/vme_user.c linux-2.6.33.1/drivers/staging/vme/devices/vme_user.c
26075 --- linux-2.6.33.1/drivers/staging/vme/devices/vme_user.c 2010-03-15 12:09:39.000000000 -0400
26076 +++ linux-2.6.33.1/drivers/staging/vme/devices/vme_user.c 2010-03-20 16:58:40.956865691 -0400
26077 @@ -135,7 +135,7 @@ static int vme_user_ioctl(struct inode *
26078 static int __init vme_user_probe(struct device *, int, int);
26079 static int __exit vme_user_remove(struct device *, int, int);
26081 -static struct file_operations vme_user_fops = {
26082 +static const struct file_operations vme_user_fops = {
26083 .open = vme_user_open,
26084 .release = vme_user_release,
26085 .read = vme_user_read,
26086 diff -urNp linux-2.6.33.1/drivers/uio/uio.c linux-2.6.33.1/drivers/uio/uio.c
26087 --- linux-2.6.33.1/drivers/uio/uio.c 2010-03-15 12:09:39.000000000 -0400
26088 +++ linux-2.6.33.1/drivers/uio/uio.c 2010-03-20 16:58:40.964892465 -0400
26089 @@ -129,7 +129,7 @@ static ssize_t map_type_show(struct kobj
26090 return entry->show(mem, buf);
26093 -static struct sysfs_ops map_sysfs_ops = {
26094 +static const struct sysfs_ops map_sysfs_ops = {
26095 .show = map_type_show,
26098 @@ -217,7 +217,7 @@ static ssize_t portio_type_show(struct k
26099 return entry->show(port, buf);
26102 -static struct sysfs_ops portio_sysfs_ops = {
26103 +static const struct sysfs_ops portio_sysfs_ops = {
26104 .show = portio_type_show,
26107 diff -urNp linux-2.6.33.1/drivers/usb/atm/usbatm.c linux-2.6.33.1/drivers/usb/atm/usbatm.c
26108 --- linux-2.6.33.1/drivers/usb/atm/usbatm.c 2010-03-15 12:09:39.000000000 -0400
26109 +++ linux-2.6.33.1/drivers/usb/atm/usbatm.c 2010-03-20 16:58:40.976907794 -0400
26110 @@ -333,7 +333,7 @@ static void usbatm_extract_one_cell(stru
26111 if (printk_ratelimit())
26112 atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n",
26113 __func__, vpi, vci);
26114 - atomic_inc(&vcc->stats->rx_err);
26115 + atomic_inc_unchecked(&vcc->stats->rx_err);
26119 @@ -361,7 +361,7 @@ static void usbatm_extract_one_cell(stru
26120 if (length > ATM_MAX_AAL5_PDU) {
26121 atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n",
26122 __func__, length, vcc);
26123 - atomic_inc(&vcc->stats->rx_err);
26124 + atomic_inc_unchecked(&vcc->stats->rx_err);
26128 @@ -370,14 +370,14 @@ static void usbatm_extract_one_cell(stru
26129 if (sarb->len < pdu_length) {
26130 atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n",
26131 __func__, pdu_length, sarb->len, vcc);
26132 - atomic_inc(&vcc->stats->rx_err);
26133 + atomic_inc_unchecked(&vcc->stats->rx_err);
26137 if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) {
26138 atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n",
26140 - atomic_inc(&vcc->stats->rx_err);
26141 + atomic_inc_unchecked(&vcc->stats->rx_err);
26145 @@ -387,7 +387,7 @@ static void usbatm_extract_one_cell(stru
26146 if (printk_ratelimit())
26147 atm_err(instance, "%s: no memory for skb (length: %u)!\n",
26149 - atomic_inc(&vcc->stats->rx_drop);
26150 + atomic_inc_unchecked(&vcc->stats->rx_drop);
26154 @@ -412,7 +412,7 @@ static void usbatm_extract_one_cell(stru
26156 vcc->push(vcc, skb);
26158 - atomic_inc(&vcc->stats->rx);
26159 + atomic_inc_unchecked(&vcc->stats->rx);
26163 @@ -616,7 +616,7 @@ static void usbatm_tx_process(unsigned l
26164 struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc;
26166 usbatm_pop(vcc, skb);
26167 - atomic_inc(&vcc->stats->tx);
26168 + atomic_inc_unchecked(&vcc->stats->tx);
26170 skb = skb_dequeue(&instance->sndqueue);
26172 @@ -775,11 +775,11 @@ static int usbatm_atm_proc_read(struct a
26174 return sprintf(page,
26175 "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n",
26176 - atomic_read(&atm_dev->stats.aal5.tx),
26177 - atomic_read(&atm_dev->stats.aal5.tx_err),
26178 - atomic_read(&atm_dev->stats.aal5.rx),
26179 - atomic_read(&atm_dev->stats.aal5.rx_err),
26180 - atomic_read(&atm_dev->stats.aal5.rx_drop));
26181 + atomic_read_unchecked(&atm_dev->stats.aal5.tx),
26182 + atomic_read_unchecked(&atm_dev->stats.aal5.tx_err),
26183 + atomic_read_unchecked(&atm_dev->stats.aal5.rx),
26184 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_err),
26185 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop));
26188 if (instance->disconnected)
26189 diff -urNp linux-2.6.33.1/drivers/usb/class/cdc-acm.c linux-2.6.33.1/drivers/usb/class/cdc-acm.c
26190 --- linux-2.6.33.1/drivers/usb/class/cdc-acm.c 2010-03-15 12:09:39.000000000 -0400
26191 +++ linux-2.6.33.1/drivers/usb/class/cdc-acm.c 2010-03-20 16:58:40.993421809 -0400
26192 @@ -1590,7 +1590,7 @@ static struct usb_device_id acm_ids[] =
26193 { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM,
26194 USB_CDC_ACM_PROTO_AT_CDMA) },
26197 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }
26200 MODULE_DEVICE_TABLE(usb, acm_ids);
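Review bot: The terminator `{ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }` is tied to the exact number and order of members in `struct usb_device_id`, which is defined outside this hunk, so a later field addition or reorder leaves a stale count in every table. A designated entry such as `{ .match_flags = 0 } /* Terminating entry */` stays all-zero without counting fields and keeps the comment that the other tables carry. The same positional form appears in the usblp.c, hub.c and usual-tables.c hunks (twelve zeros), in ehci-pci.c, uhci-hcd.c and i810_main.c (seven zeros for the PCI tables), and as `{ NULL, NULL, 0, 0, NULL }` in storage/usb.c.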
26201 diff -urNp linux-2.6.33.1/drivers/usb/class/usblp.c linux-2.6.33.1/drivers/usb/class/usblp.c
26202 --- linux-2.6.33.1/drivers/usb/class/usblp.c 2010-03-15 12:09:39.000000000 -0400
26203 +++ linux-2.6.33.1/drivers/usb/class/usblp.c 2010-03-20 16:58:41.016571934 -0400
26204 @@ -228,7 +228,7 @@ static const struct quirk_printer_struct
26205 { 0x0482, 0x0010, USBLP_QUIRK_BIDIR }, /* Kyocera Mita FS 820, by zut <kernel@zut.de> */
26206 { 0x04f9, 0x000d, USBLP_QUIRK_BIDIR }, /* Brother Industries, Ltd HL-1440 Laser Printer */
26207 { 0x04b8, 0x0202, USBLP_QUIRK_BAD_CLASS }, /* Seiko Epson Receipt Printer M129C */
26212 static int usblp_wwait(struct usblp *usblp, int nonblock);
26213 @@ -1412,7 +1412,7 @@ static struct usb_device_id usblp_ids []
26214 { USB_INTERFACE_INFO(7, 1, 2) },
26215 { USB_INTERFACE_INFO(7, 1, 3) },
26216 { USB_DEVICE(0x04b8, 0x0202) }, /* Seiko Epson Receipt Printer M129C */
26217 - { } /* Terminating entry */
26218 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
26221 MODULE_DEVICE_TABLE (usb, usblp_ids);
26222 diff -urNp linux-2.6.33.1/drivers/usb/core/hcd.c linux-2.6.33.1/drivers/usb/core/hcd.c
26223 --- linux-2.6.33.1/drivers/usb/core/hcd.c 2010-03-15 12:09:39.000000000 -0400
26224 +++ linux-2.6.33.1/drivers/usb/core/hcd.c 2010-03-20 16:58:41.020890314 -0400
26225 @@ -2266,7 +2266,7 @@ EXPORT_SYMBOL_GPL(usb_hcd_platform_shutd
26227 #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
26229 -struct usb_mon_operations *mon_ops;
26230 +const struct usb_mon_operations *mon_ops;
26233 * The registration is unlocked.
26234 @@ -2276,7 +2276,7 @@ struct usb_mon_operations *mon_ops;
26235 * symbols from usbcore, usbcore gets referenced and cannot be unloaded first.
26238 -int usb_mon_register (struct usb_mon_operations *ops)
26239 +int usb_mon_register (const struct usb_mon_operations *ops)
26243 diff -urNp linux-2.6.33.1/drivers/usb/core/hcd.h linux-2.6.33.1/drivers/usb/core/hcd.h
26244 --- linux-2.6.33.1/drivers/usb/core/hcd.h 2010-03-15 12:09:39.000000000 -0400
26245 +++ linux-2.6.33.1/drivers/usb/core/hcd.h 2010-03-20 16:58:41.032566122 -0400
26246 @@ -501,13 +501,13 @@ static inline void usbfs_cleanup(void) {
26247 #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
26249 struct usb_mon_operations {
26250 - void (*urb_submit)(struct usb_bus *bus, struct urb *urb);
26251 - void (*urb_submit_error)(struct usb_bus *bus, struct urb *urb, int err);
26252 - void (*urb_complete)(struct usb_bus *bus, struct urb *urb, int status);
26253 + void (* const urb_submit)(struct usb_bus *bus, struct urb *urb);
26254 + void (* const urb_submit_error)(struct usb_bus *bus, struct urb *urb, int err);
26255 + void (* const urb_complete)(struct usb_bus *bus, struct urb *urb, int status);
26256 /* void (*urb_unlink)(struct usb_bus *bus, struct urb *urb); */
26259 -extern struct usb_mon_operations *mon_ops;
26260 +extern const struct usb_mon_operations *mon_ops;
26262 static inline void usbmon_urb_submit(struct usb_bus *bus, struct urb *urb)
26264 @@ -529,7 +529,7 @@ static inline void usbmon_urb_complete(s
26265 (*mon_ops->urb_complete)(bus, urb, status);
26268 -int usb_mon_register(struct usb_mon_operations *ops);
26269 +int usb_mon_register(const struct usb_mon_operations *ops);
26270 void usb_mon_deregister(void);
26273 diff -urNp linux-2.6.33.1/drivers/usb/core/hub.c linux-2.6.33.1/drivers/usb/core/hub.c
26274 --- linux-2.6.33.1/drivers/usb/core/hub.c 2010-03-15 12:09:39.000000000 -0400
26275 +++ linux-2.6.33.1/drivers/usb/core/hub.c 2010-03-20 16:58:41.044569139 -0400
26276 @@ -3462,7 +3462,7 @@ static struct usb_device_id hub_id_table
26277 .bDeviceClass = USB_CLASS_HUB},
26278 { .match_flags = USB_DEVICE_ID_MATCH_INT_CLASS,
26279 .bInterfaceClass = USB_CLASS_HUB},
26280 - { } /* Terminating entry */
26281 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
26284 MODULE_DEVICE_TABLE (usb, hub_id_table);
26285 diff -urNp linux-2.6.33.1/drivers/usb/core/message.c linux-2.6.33.1/drivers/usb/core/message.c
26286 --- linux-2.6.33.1/drivers/usb/core/message.c 2010-03-15 12:09:39.000000000 -0400
26287 +++ linux-2.6.33.1/drivers/usb/core/message.c 2010-03-20 16:58:41.048891316 -0400
26288 @@ -909,8 +909,8 @@ char *usb_cache_string(struct usb_device
26289 buf = kmalloc(MAX_USB_STRING_SIZE, GFP_NOIO);
26291 len = usb_string(udev, index, buf, MAX_USB_STRING_SIZE);
26293 - smallbuf = kmalloc(++len, GFP_NOIO);
26295 + smallbuf = kmalloc(len, GFP_NOIO);
26298 memcpy(smallbuf, buf, len);
26299 diff -urNp linux-2.6.33.1/drivers/usb/host/ehci-pci.c linux-2.6.33.1/drivers/usb/host/ehci-pci.c
26300 --- linux-2.6.33.1/drivers/usb/host/ehci-pci.c 2010-03-15 12:09:39.000000000 -0400
26301 +++ linux-2.6.33.1/drivers/usb/host/ehci-pci.c 2010-03-20 16:58:41.060592249 -0400
26302 @@ -422,7 +422,7 @@ static const struct pci_device_id pci_id
26303 PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_EHCI, ~0),
26304 .driver_data = (unsigned long) &ehci_pci_hc_driver,
26306 - { /* end: all zeroes */ }
26307 + { 0, 0, 0, 0, 0, 0, 0 }
26309 MODULE_DEVICE_TABLE(pci, pci_ids);
26311 diff -urNp linux-2.6.33.1/drivers/usb/host/uhci-hcd.c linux-2.6.33.1/drivers/usb/host/uhci-hcd.c
26312 --- linux-2.6.33.1/drivers/usb/host/uhci-hcd.c 2010-03-15 12:09:39.000000000 -0400
26313 +++ linux-2.6.33.1/drivers/usb/host/uhci-hcd.c 2010-03-20 16:58:41.072592318 -0400
26314 @@ -941,7 +941,7 @@ static const struct pci_device_id uhci_p
26315 /* handle any USB UHCI controller */
26316 PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_UHCI, ~0),
26317 .driver_data = (unsigned long) &uhci_driver,
26318 - }, { /* end: all zeroes */ }
26319 + }, { 0, 0, 0, 0, 0, 0, 0 }
26322 MODULE_DEVICE_TABLE(pci, uhci_pci_ids);
26323 diff -urNp linux-2.6.33.1/drivers/usb/misc/appledisplay.c linux-2.6.33.1/drivers/usb/misc/appledisplay.c
26324 --- linux-2.6.33.1/drivers/usb/misc/appledisplay.c 2010-03-15 12:09:39.000000000 -0400
26325 +++ linux-2.6.33.1/drivers/usb/misc/appledisplay.c 2010-03-20 16:58:41.076561776 -0400
26326 @@ -179,7 +179,7 @@ static int appledisplay_bl_get_brightnes
26327 return pdata->msgdata[1];
26330 -static struct backlight_ops appledisplay_bl_data = {
26331 +static const struct backlight_ops appledisplay_bl_data = {
26332 .get_brightness = appledisplay_bl_get_brightness,
26333 .update_status = appledisplay_bl_update_status,
26335 diff -urNp linux-2.6.33.1/drivers/usb/mon/mon_main.c linux-2.6.33.1/drivers/usb/mon/mon_main.c
26336 --- linux-2.6.33.1/drivers/usb/mon/mon_main.c 2010-03-15 12:09:39.000000000 -0400
26337 +++ linux-2.6.33.1/drivers/usb/mon/mon_main.c 2010-03-20 16:58:41.084588620 -0400
26338 @@ -238,7 +238,7 @@ static struct notifier_block mon_nb = {
26342 -static struct usb_mon_operations mon_ops_0 = {
26343 +static const struct usb_mon_operations mon_ops_0 = {
26344 .urb_submit = mon_submit,
26345 .urb_submit_error = mon_submit_error,
26346 .urb_complete = mon_complete,
26347 diff -urNp linux-2.6.33.1/drivers/usb/storage/debug.h linux-2.6.33.1/drivers/usb/storage/debug.h
26348 --- linux-2.6.33.1/drivers/usb/storage/debug.h 2010-03-15 12:09:39.000000000 -0400
26349 +++ linux-2.6.33.1/drivers/usb/storage/debug.h 2010-03-20 16:58:41.084588620 -0400
26350 @@ -54,9 +54,9 @@ void usb_stor_show_sense( unsigned char
26351 #define US_DEBUGPX(x...) printk( x )
26352 #define US_DEBUG(x) x
26354 -#define US_DEBUGP(x...)
26355 -#define US_DEBUGPX(x...)
26356 -#define US_DEBUG(x)
26357 +#define US_DEBUGP(x...) do {} while (0)
26358 +#define US_DEBUGPX(x...) do {} while (0)
26359 +#define US_DEBUG(x) do {} while (0)
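Review bot: The disabled `US_DEBUGP`/`US_DEBUGPX` variants still discard their arguments unparsed, so a wrong format string or a stale variable name at a call site goes unnoticed until debugging is switched on. Defining them as `#define US_DEBUGP(x...) do { if (0) printk(x); } while (0)` keeps the compiler checking every call while emitting no code. `US_DEBUG(x)` also changes shape, from nothing to a statement, so any use outside statement position would stop compiling; the callers are not in this hunk and should be checked. The `DPRINTK` change in the drivers/video/fbmon.c hunk has the same form and would benefit from the same treatment.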
26363 diff -urNp linux-2.6.33.1/drivers/usb/storage/usb.c linux-2.6.33.1/drivers/usb/storage/usb.c
26364 --- linux-2.6.33.1/drivers/usb/storage/usb.c 2010-03-15 12:09:39.000000000 -0400
26365 +++ linux-2.6.33.1/drivers/usb/storage/usb.c 2010-03-20 16:58:41.084588620 -0400
26366 @@ -122,7 +122,7 @@ MODULE_PARM_DESC(quirks, "supplemental l
26368 static struct us_unusual_dev us_unusual_dev_list[] = {
26369 # include "unusual_devs.h"
26370 - { } /* Terminating entry */
26371 + { NULL, NULL, 0, 0, NULL } /* Terminating entry */
26375 diff -urNp linux-2.6.33.1/drivers/usb/storage/usual-tables.c linux-2.6.33.1/drivers/usb/storage/usual-tables.c
26376 --- linux-2.6.33.1/drivers/usb/storage/usual-tables.c 2010-03-15 12:09:39.000000000 -0400
26377 +++ linux-2.6.33.1/drivers/usb/storage/usual-tables.c 2010-03-20 16:58:41.084588620 -0400
26380 struct usb_device_id usb_storage_usb_ids[] = {
26381 # include "unusual_devs.h"
26382 - { } /* Terminating entry */
26383 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
26385 EXPORT_SYMBOL_GPL(usb_storage_usb_ids);
26387 diff -urNp linux-2.6.33.1/drivers/uwb/wlp/messages.c linux-2.6.33.1/drivers/uwb/wlp/messages.c
26388 --- linux-2.6.33.1/drivers/uwb/wlp/messages.c 2010-03-15 12:09:39.000000000 -0400
26389 +++ linux-2.6.33.1/drivers/uwb/wlp/messages.c 2010-03-20 16:58:41.096879476 -0400
26390 @@ -903,7 +903,7 @@ int wlp_parse_f0(struct wlp *wlp, struct
26391 size_t len = skb->len;
26394 - struct wlp_nonce enonce, rnonce;
26395 + struct wlp_nonce enonce = {{0}}, rnonce = {{0}};
26396 enum wlp_assc_error assc_err;
26397 char enonce_buf[WLP_WSS_NONCE_STRSIZE];
26398 char rnonce_buf[WLP_WSS_NONCE_STRSIZE];
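Review bot: The `= {{0}}` initialisers on `enonce` and `rnonce` have no comment saying which path reads them before they are parsed, so the initialisation looks redundant and is easy to drop in a later cleanup. The neighbouring `enonce_buf`/`rnonce_buf` suggest the nonces get formatted for output, so the zeroing presumably keeps uninitialised stack bytes out of that output when parsing fails early. That should be confirmed against the rest of wlp_parse_f0(), which lies outside the hunk. Suggested comment: `/* zeroed: may be formatted on an error path before being filled in */`.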
26399 diff -urNp linux-2.6.33.1/drivers/uwb/wlp/sysfs.c linux-2.6.33.1/drivers/uwb/wlp/sysfs.c
26400 --- linux-2.6.33.1/drivers/uwb/wlp/sysfs.c 2010-03-15 12:09:39.000000000 -0400
26401 +++ linux-2.6.33.1/drivers/uwb/wlp/sysfs.c 2010-03-20 16:58:41.104559489 -0400
26402 @@ -615,8 +615,7 @@ ssize_t wlp_wss_attr_store(struct kobjec
26407 -struct sysfs_ops wss_sysfs_ops = {
26408 +static const struct sysfs_ops wss_sysfs_ops = {
26409 .show = wlp_wss_attr_show,
26410 .store = wlp_wss_attr_store,
26412 diff -urNp linux-2.6.33.1/drivers/video/atmel_lcdfb.c linux-2.6.33.1/drivers/video/atmel_lcdfb.c
26413 --- linux-2.6.33.1/drivers/video/atmel_lcdfb.c 2010-03-15 12:09:39.000000000 -0400
26414 +++ linux-2.6.33.1/drivers/video/atmel_lcdfb.c 2010-03-20 16:58:41.116887355 -0400
26415 @@ -110,7 +110,7 @@ static int atmel_bl_get_brightness(struc
26416 return lcdc_readl(sinfo, ATMEL_LCDC_CONTRAST_VAL);
26419 -static struct backlight_ops atmel_lcdc_bl_ops = {
26420 +static const struct backlight_ops atmel_lcdc_bl_ops = {
26421 .update_status = atmel_bl_update_status,
26422 .get_brightness = atmel_bl_get_brightness,
26424 diff -urNp linux-2.6.33.1/drivers/video/aty/aty128fb.c linux-2.6.33.1/drivers/video/aty/aty128fb.c
26425 --- linux-2.6.33.1/drivers/video/aty/aty128fb.c 2010-03-15 12:09:39.000000000 -0400
26426 +++ linux-2.6.33.1/drivers/video/aty/aty128fb.c 2010-03-20 16:58:41.141056447 -0400
26427 @@ -1787,7 +1787,7 @@ static int aty128_bl_get_brightness(stru
26428 return bd->props.brightness;
26431 -static struct backlight_ops aty128_bl_data = {
26432 +static const struct backlight_ops aty128_bl_data = {
26433 .get_brightness = aty128_bl_get_brightness,
26434 .update_status = aty128_bl_update_status,
26436 diff -urNp linux-2.6.33.1/drivers/video/aty/atyfb_base.c linux-2.6.33.1/drivers/video/aty/atyfb_base.c
26437 --- linux-2.6.33.1/drivers/video/aty/atyfb_base.c 2010-03-15 12:09:39.000000000 -0400
26438 +++ linux-2.6.33.1/drivers/video/aty/atyfb_base.c 2010-03-20 16:58:41.141056447 -0400
26439 @@ -2225,7 +2225,7 @@ static int aty_bl_get_brightness(struct
26440 return bd->props.brightness;
26443 -static struct backlight_ops aty_bl_data = {
26444 +static const struct backlight_ops aty_bl_data = {
26445 .get_brightness = aty_bl_get_brightness,
26446 .update_status = aty_bl_update_status,
26448 diff -urNp linux-2.6.33.1/drivers/video/aty/radeon_backlight.c linux-2.6.33.1/drivers/video/aty/radeon_backlight.c
26449 --- linux-2.6.33.1/drivers/video/aty/radeon_backlight.c 2010-03-15 12:09:39.000000000 -0400
26450 +++ linux-2.6.33.1/drivers/video/aty/radeon_backlight.c 2010-03-20 16:58:41.144609392 -0400
26451 @@ -127,7 +127,7 @@ static int radeon_bl_get_brightness(stru
26452 return bd->props.brightness;
26455 -static struct backlight_ops radeon_bl_data = {
26456 +static const struct backlight_ops radeon_bl_data = {
26457 .get_brightness = radeon_bl_get_brightness,
26458 .update_status = radeon_bl_update_status,
26460 diff -urNp linux-2.6.33.1/drivers/video/bf54x-lq043fb.c linux-2.6.33.1/drivers/video/bf54x-lq043fb.c
26461 --- linux-2.6.33.1/drivers/video/bf54x-lq043fb.c 2010-03-15 12:09:39.000000000 -0400
26462 +++ linux-2.6.33.1/drivers/video/bf54x-lq043fb.c 2010-03-20 16:58:41.172899299 -0400
26463 @@ -463,7 +463,7 @@ static int bl_get_brightness(struct back
26467 -static struct backlight_ops bfin_lq043fb_bl_ops = {
26468 +static const struct backlight_ops bfin_lq043fb_bl_ops = {
26469 .get_brightness = bl_get_brightness,
26472 diff -urNp linux-2.6.33.1/drivers/video/bfin-t350mcqb-fb.c linux-2.6.33.1/drivers/video/bfin-t350mcqb-fb.c
26473 --- linux-2.6.33.1/drivers/video/bfin-t350mcqb-fb.c 2010-03-15 12:09:39.000000000 -0400
26474 +++ linux-2.6.33.1/drivers/video/bfin-t350mcqb-fb.c 2010-03-20 16:58:41.172899299 -0400
26475 @@ -381,7 +381,7 @@ static int bl_get_brightness(struct back
26479 -static struct backlight_ops bfin_lq043fb_bl_ops = {
26480 +static const struct backlight_ops bfin_lq043fb_bl_ops = {
26481 .get_brightness = bl_get_brightness,
26484 diff -urNp linux-2.6.33.1/drivers/video/fbmem.c linux-2.6.33.1/drivers/video/fbmem.c
26485 --- linux-2.6.33.1/drivers/video/fbmem.c 2010-03-15 12:09:39.000000000 -0400
26486 +++ linux-2.6.33.1/drivers/video/fbmem.c 2010-03-20 16:58:41.176758490 -0400
26487 @@ -403,7 +403,7 @@ static void fb_do_show_logo(struct fb_in
26488 image->dx += image->width + 8;
26490 } else if (rotate == FB_ROTATE_UD) {
26491 - for (x = 0; x < num && image->dx >= 0; x++) {
26492 + for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
26493 info->fbops->fb_imageblit(info, image);
26494 image->dx -= image->width + 8;
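Review bot: The `(__s32)image->dx >= 0` test ends the loop only because `image->dx -= image->width + 8` wraps what is apparently an unsigned field and the cast reinterprets the wrapped value as negative. That dependency should be stated next to the loop, e.g. `/* dx is unsigned: the subtraction below wraps, the cast turns the wrap into the exit condition */`. It also means any dx at or above 0x80000000 reads as negative and skips the loop entirely, which is presumably unreachable for real coordinates but is not checked in the visible lines. The FB_ROTATE_CCW hunk that follows does the same with `image->dy`. fb_do_show_logo() starts and ends outside the hunk.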
26496 @@ -415,7 +415,7 @@ static void fb_do_show_logo(struct fb_in
26497 image->dy += image->height + 8;
26499 } else if (rotate == FB_ROTATE_CCW) {
26500 - for (x = 0; x < num && image->dy >= 0; x++) {
26501 + for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
26502 info->fbops->fb_imageblit(info, image);
26503 image->dy -= image->height + 8;
26505 @@ -1119,7 +1119,7 @@ static long do_fb_ioctl(struct fb_info *
26507 if (con2fb.console < 1 || con2fb.console > MAX_NR_CONSOLES)
26509 - if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
26510 + if (con2fb.framebuffer >= FB_MAX)
26512 if (!registered_fb[con2fb.framebuffer])
26513 request_module("fb%d", con2fb.framebuffer);
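Review bot: With the `< 0` test gone, `con2fb.framebuffer >= FB_MAX` is the only guard before `registered_fb[con2fb.framebuffer]`, and it is sufficient only while the field has an unsigned type; its declaration is not in the hunk. Since `con2fb` appears to be filled from the ioctl argument, I would pin that assumption next to the check, e.g. `BUILD_BUG_ON((typeof(con2fb.framebuffer))-1 < 0);`. At minimum, add a comment such as `/* framebuffer is unsigned, so this also rejects negative input */`. do_fb_ioctl() continues outside the hunk.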
26514 diff -urNp linux-2.6.33.1/drivers/video/fbmon.c linux-2.6.33.1/drivers/video/fbmon.c
26515 --- linux-2.6.33.1/drivers/video/fbmon.c 2010-03-15 12:09:39.000000000 -0400
26516 +++ linux-2.6.33.1/drivers/video/fbmon.c 2010-03-20 16:58:41.184890729 -0400
26519 #define DPRINTK(fmt, args...) printk(fmt,## args)
26521 -#define DPRINTK(fmt, args...)
26522 +#define DPRINTK(fmt, args...) do {} while (0)
26525 #define FBMON_FIX_HEADER 1
26526 diff -urNp linux-2.6.33.1/drivers/video/i810/i810_accel.c linux-2.6.33.1/drivers/video/i810/i810_accel.c
26527 --- linux-2.6.33.1/drivers/video/i810/i810_accel.c 2010-03-15 12:09:39.000000000 -0400
26528 +++ linux-2.6.33.1/drivers/video/i810/i810_accel.c 2010-03-20 16:58:41.188702176 -0400
26529 @@ -73,6 +73,7 @@ static inline int wait_for_space(struct
26532 printk("ringbuffer lockup!!!\n");
26533 + printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
26534 i810_report_error(mmio);
26535 par->dev_flags |= LOCKUP;
26536 info->pixmap.scan_align = 1;
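Review bot: The added `printk("head:%u tail:%u iring.size:%u space:%u\n", ...)` carries no log level and no driver prefix, so it is logged at the default level and cannot be attributed once it is separated from the preceding "ringbuffer lockup" line. I would write it as `printk(KERN_ERR "i810fb: head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);`. The `%u` conversions also assume all four arguments are `unsigned int`; `head`, `tail` and `space` are declared outside the hunk, so the specifiers should be checked against those declarations. wait_for_space() starts and ends outside the hunk.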
26537 diff -urNp linux-2.6.33.1/drivers/video/i810/i810_main.c linux-2.6.33.1/drivers/video/i810/i810_main.c
26538 --- linux-2.6.33.1/drivers/video/i810/i810_main.c 2010-03-15 12:09:39.000000000 -0400
26539 +++ linux-2.6.33.1/drivers/video/i810/i810_main.c 2010-03-20 16:58:41.196891711 -0400
26540 @@ -120,7 +120,7 @@ static struct pci_device_id i810fb_pci_t
26541 PCI_ANY_ID, PCI_ANY_ID, 0, 0, 4 },
26542 { PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82815_CGC,
26543 PCI_ANY_ID, PCI_ANY_ID, 0, 0, 5 },
26545 + { 0, 0, 0, 0, 0, 0, 0 },
26548 static struct pci_driver i810fb_driver = {
26549 diff -urNp linux-2.6.33.1/drivers/video/modedb.c linux-2.6.33.1/drivers/video/modedb.c
26550 --- linux-2.6.33.1/drivers/video/modedb.c 2010-03-15 12:09:39.000000000 -0400
26551 +++ linux-2.6.33.1/drivers/video/modedb.c 2010-03-20 16:58:41.200859456 -0400
26552 @@ -39,240 +39,240 @@ static const struct fb_videomode modedb[
26554 /* 640x400 @ 70 Hz, 31.5 kHz hsync */
26555 NULL, 70, 640, 400, 39721, 40, 24, 39, 9, 96, 2,
26556 - 0, FB_VMODE_NONINTERLACED
26557 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26559 /* 640x480 @ 60 Hz, 31.5 kHz hsync */
26560 NULL, 60, 640, 480, 39721, 40, 24, 32, 11, 96, 2,
26561 - 0, FB_VMODE_NONINTERLACED
26562 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26564 /* 800x600 @ 56 Hz, 35.15 kHz hsync */
26565 NULL, 56, 800, 600, 27777, 128, 24, 22, 1, 72, 2,
26566 - 0, FB_VMODE_NONINTERLACED
26567 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26569 /* 1024x768 @ 87 Hz interlaced, 35.5 kHz hsync */
26570 NULL, 87, 1024, 768, 22271, 56, 24, 33, 8, 160, 8,
26571 - 0, FB_VMODE_INTERLACED
26572 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
26574 /* 640x400 @ 85 Hz, 37.86 kHz hsync */
26575 NULL, 85, 640, 400, 31746, 96, 32, 41, 1, 64, 3,
26576 - FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26577 + FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26579 /* 640x480 @ 72 Hz, 36.5 kHz hsync */
26580 NULL, 72, 640, 480, 31746, 144, 40, 30, 8, 40, 3,
26581 - 0, FB_VMODE_NONINTERLACED
26582 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26584 /* 640x480 @ 75 Hz, 37.50 kHz hsync */
26585 NULL, 75, 640, 480, 31746, 120, 16, 16, 1, 64, 3,
26586 - 0, FB_VMODE_NONINTERLACED
26587 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26589 /* 800x600 @ 60 Hz, 37.8 kHz hsync */
26590 NULL, 60, 800, 600, 25000, 88, 40, 23, 1, 128, 4,
26591 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26592 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26594 /* 640x480 @ 85 Hz, 43.27 kHz hsync */
26595 NULL, 85, 640, 480, 27777, 80, 56, 25, 1, 56, 3,
26596 - 0, FB_VMODE_NONINTERLACED
26597 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26599 /* 1152x864 @ 89 Hz interlaced, 44 kHz hsync */
26600 NULL, 89, 1152, 864, 15384, 96, 16, 110, 1, 216, 10,
26601 - 0, FB_VMODE_INTERLACED
26602 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
26604 /* 800x600 @ 72 Hz, 48.0 kHz hsync */
26605 NULL, 72, 800, 600, 20000, 64, 56, 23, 37, 120, 6,
26606 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26607 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26609 /* 1024x768 @ 60 Hz, 48.4 kHz hsync */
26610 NULL, 60, 1024, 768, 15384, 168, 8, 29, 3, 144, 6,
26611 - 0, FB_VMODE_NONINTERLACED
26612 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26614 /* 640x480 @ 100 Hz, 53.01 kHz hsync */
26615 NULL, 100, 640, 480, 21834, 96, 32, 36, 8, 96, 6,
26616 - 0, FB_VMODE_NONINTERLACED
26617 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26619 /* 1152x864 @ 60 Hz, 53.5 kHz hsync */
26620 NULL, 60, 1152, 864, 11123, 208, 64, 16, 4, 256, 8,
26621 - 0, FB_VMODE_NONINTERLACED
26622 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26624 /* 800x600 @ 85 Hz, 55.84 kHz hsync */
26625 NULL, 85, 800, 600, 16460, 160, 64, 36, 16, 64, 5,
26626 - 0, FB_VMODE_NONINTERLACED
26627 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26629 /* 1024x768 @ 70 Hz, 56.5 kHz hsync */
26630 NULL, 70, 1024, 768, 13333, 144, 24, 29, 3, 136, 6,
26631 - 0, FB_VMODE_NONINTERLACED
26632 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26634 /* 1280x1024 @ 87 Hz interlaced, 51 kHz hsync */
26635 NULL, 87, 1280, 1024, 12500, 56, 16, 128, 1, 216, 12,
26636 - 0, FB_VMODE_INTERLACED
26637 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
26639 /* 800x600 @ 100 Hz, 64.02 kHz hsync */
26640 NULL, 100, 800, 600, 14357, 160, 64, 30, 4, 64, 6,
26641 - 0, FB_VMODE_NONINTERLACED
26642 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26644 /* 1024x768 @ 76 Hz, 62.5 kHz hsync */
26645 NULL, 76, 1024, 768, 11764, 208, 8, 36, 16, 120, 3,
26646 - 0, FB_VMODE_NONINTERLACED
26647 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26649 /* 1152x864 @ 70 Hz, 62.4 kHz hsync */
26650 NULL, 70, 1152, 864, 10869, 106, 56, 20, 1, 160, 10,
26651 - 0, FB_VMODE_NONINTERLACED
26652 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26654 /* 1280x1024 @ 61 Hz, 64.2 kHz hsync */
26655 NULL, 61, 1280, 1024, 9090, 200, 48, 26, 1, 184, 3,
26656 - 0, FB_VMODE_NONINTERLACED
26657 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26659 /* 1400x1050 @ 60Hz, 63.9 kHz hsync */
26660 NULL, 60, 1400, 1050, 9259, 136, 40, 13, 1, 112, 3,
26661 - 0, FB_VMODE_NONINTERLACED
26662 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26664 /* 1400x1050 @ 75,107 Hz, 82,392 kHz +hsync +vsync*/
26665 NULL, 75, 1400, 1050, 7190, 120, 56, 23, 10, 112, 13,
26666 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26667 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26669 /* 1400x1050 @ 60 Hz, ? kHz +hsync +vsync*/
26670 NULL, 60, 1400, 1050, 9259, 128, 40, 12, 0, 112, 3,
26671 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26672 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26674 /* 1024x768 @ 85 Hz, 70.24 kHz hsync */
26675 NULL, 85, 1024, 768, 10111, 192, 32, 34, 14, 160, 6,
26676 - 0, FB_VMODE_NONINTERLACED
26677 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26679 /* 1152x864 @ 78 Hz, 70.8 kHz hsync */
26680 NULL, 78, 1152, 864, 9090, 228, 88, 32, 0, 84, 12,
26681 - 0, FB_VMODE_NONINTERLACED
26682 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26684 /* 1280x1024 @ 70 Hz, 74.59 kHz hsync */
26685 NULL, 70, 1280, 1024, 7905, 224, 32, 28, 8, 160, 8,
26686 - 0, FB_VMODE_NONINTERLACED
26687 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26689 /* 1600x1200 @ 60Hz, 75.00 kHz hsync */
26690 NULL, 60, 1600, 1200, 6172, 304, 64, 46, 1, 192, 3,
26691 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26692 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26694 /* 1152x864 @ 84 Hz, 76.0 kHz hsync */
26695 NULL, 84, 1152, 864, 7407, 184, 312, 32, 0, 128, 12,
26696 - 0, FB_VMODE_NONINTERLACED
26697 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26699 /* 1280x1024 @ 74 Hz, 78.85 kHz hsync */
26700 NULL, 74, 1280, 1024, 7407, 256, 32, 34, 3, 144, 3,
26701 - 0, FB_VMODE_NONINTERLACED
26702 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26704 /* 1024x768 @ 100Hz, 80.21 kHz hsync */
26705 NULL, 100, 1024, 768, 8658, 192, 32, 21, 3, 192, 10,
26706 - 0, FB_VMODE_NONINTERLACED
26707 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26709 /* 1280x1024 @ 76 Hz, 81.13 kHz hsync */
26710 NULL, 76, 1280, 1024, 7407, 248, 32, 34, 3, 104, 3,
26711 - 0, FB_VMODE_NONINTERLACED
26712 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26714 /* 1600x1200 @ 70 Hz, 87.50 kHz hsync */
26715 NULL, 70, 1600, 1200, 5291, 304, 64, 46, 1, 192, 3,
26716 - 0, FB_VMODE_NONINTERLACED
26717 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26719 /* 1152x864 @ 100 Hz, 89.62 kHz hsync */
26720 NULL, 100, 1152, 864, 7264, 224, 32, 17, 2, 128, 19,
26721 - 0, FB_VMODE_NONINTERLACED
26722 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26724 /* 1280x1024 @ 85 Hz, 91.15 kHz hsync */
26725 NULL, 85, 1280, 1024, 6349, 224, 64, 44, 1, 160, 3,
26726 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26727 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26729 /* 1600x1200 @ 75 Hz, 93.75 kHz hsync */
26730 NULL, 75, 1600, 1200, 4938, 304, 64, 46, 1, 192, 3,
26731 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26732 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26734 /* 1680x1050 @ 60 Hz, 65.191 kHz hsync */
26735 NULL, 60, 1680, 1050, 6848, 280, 104, 30, 3, 176, 6,
26736 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26737 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26739 /* 1600x1200 @ 85 Hz, 105.77 kHz hsync */
26740 NULL, 85, 1600, 1200, 4545, 272, 16, 37, 4, 192, 3,
26741 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26742 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26744 /* 1280x1024 @ 100 Hz, 107.16 kHz hsync */
26745 NULL, 100, 1280, 1024, 5502, 256, 32, 26, 7, 128, 15,
26746 - 0, FB_VMODE_NONINTERLACED
26747 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26749 /* 1800x1440 @ 64Hz, 96.15 kHz hsync */
26750 NULL, 64, 1800, 1440, 4347, 304, 96, 46, 1, 192, 3,
26751 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26752 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26754 /* 1800x1440 @ 70Hz, 104.52 kHz hsync */
26755 NULL, 70, 1800, 1440, 4000, 304, 96, 46, 1, 192, 3,
26756 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26757 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26759 /* 512x384 @ 78 Hz, 31.50 kHz hsync */
26760 NULL, 78, 512, 384, 49603, 48, 16, 16, 1, 64, 3,
26761 - 0, FB_VMODE_NONINTERLACED
26762 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26764 /* 512x384 @ 85 Hz, 34.38 kHz hsync */
26765 NULL, 85, 512, 384, 45454, 48, 16, 16, 1, 64, 3,
26766 - 0, FB_VMODE_NONINTERLACED
26767 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26769 /* 320x200 @ 70 Hz, 31.5 kHz hsync, 8:5 aspect ratio */
26770 NULL, 70, 320, 200, 79440, 16, 16, 20, 4, 48, 1,
26771 - 0, FB_VMODE_DOUBLE
26772 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
26774 /* 320x240 @ 60 Hz, 31.5 kHz hsync, 4:3 aspect ratio */
26775 NULL, 60, 320, 240, 79440, 16, 16, 16, 5, 48, 1,
26776 - 0, FB_VMODE_DOUBLE
26777 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
26779 /* 320x240 @ 72 Hz, 36.5 kHz hsync */
26780 NULL, 72, 320, 240, 63492, 16, 16, 16, 4, 48, 2,
26781 - 0, FB_VMODE_DOUBLE
26782 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
26784 /* 400x300 @ 56 Hz, 35.2 kHz hsync, 4:3 aspect ratio */
26785 NULL, 56, 400, 300, 55555, 64, 16, 10, 1, 32, 1,
26786 - 0, FB_VMODE_DOUBLE
26787 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
26789 /* 400x300 @ 60 Hz, 37.8 kHz hsync */
26790 NULL, 60, 400, 300, 50000, 48, 16, 11, 1, 64, 2,
26791 - 0, FB_VMODE_DOUBLE
26792 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
26794 /* 400x300 @ 72 Hz, 48.0 kHz hsync */
26795 NULL, 72, 400, 300, 40000, 32, 24, 11, 19, 64, 3,
26796 - 0, FB_VMODE_DOUBLE
26797 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
26799 /* 480x300 @ 56 Hz, 35.2 kHz hsync, 8:5 aspect ratio */
26800 NULL, 56, 480, 300, 46176, 80, 16, 10, 1, 40, 1,
26801 - 0, FB_VMODE_DOUBLE
26802 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
26804 /* 480x300 @ 60 Hz, 37.8 kHz hsync */
26805 NULL, 60, 480, 300, 41858, 56, 16, 11, 1, 80, 2,
26806 - 0, FB_VMODE_DOUBLE
26807 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
26809 /* 480x300 @ 63 Hz, 39.6 kHz hsync */
26810 NULL, 63, 480, 300, 40000, 56, 16, 11, 1, 80, 2,
26811 - 0, FB_VMODE_DOUBLE
26812 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
26814 /* 480x300 @ 72 Hz, 48.0 kHz hsync */
26815 NULL, 72, 480, 300, 33386, 40, 24, 11, 19, 80, 3,
26816 - 0, FB_VMODE_DOUBLE
26817 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
26819 /* 1920x1200 @ 60 Hz, 74.5 Khz hsync */
26820 NULL, 60, 1920, 1200, 5177, 128, 336, 1, 38, 208, 3,
26821 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
26822 - FB_VMODE_NONINTERLACED
26823 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26825 /* 1152x768, 60 Hz, PowerBook G4 Titanium I and II */
26826 NULL, 60, 1152, 768, 14047, 158, 26, 29, 3, 136, 6,
26827 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26828 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26830 /* 1366x768, 60 Hz, 47.403 kHz hsync, WXGA 16:9 aspect ratio */
26831 NULL, 60, 1366, 768, 13806, 120, 10, 14, 3, 32, 5,
26832 - 0, FB_VMODE_NONINTERLACED
26833 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26835 /* 1280x800, 60 Hz, 47.403 kHz hsync, WXGA 16:10 aspect ratio */
26836 NULL, 60, 1280, 800, 12048, 200, 64, 24, 1, 136, 3,
26837 - 0, FB_VMODE_NONINTERLACED
26838 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26840 /* 720x576i @ 50 Hz, 15.625 kHz hsync (PAL RGB) */
26841 NULL, 50, 720, 576, 74074, 64, 16, 39, 5, 64, 5,
26842 - 0, FB_VMODE_INTERLACED
26843 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
26845 /* 800x520i @ 50 Hz, 15.625 kHz hsync (PAL RGB) */
26846 NULL, 50, 800, 520, 58823, 144, 64, 72, 28, 80, 5,
26847 - 0, FB_VMODE_INTERLACED
26848 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
26852 diff -urNp linux-2.6.33.1/drivers/video/nvidia/nv_backlight.c linux-2.6.33.1/drivers/video/nvidia/nv_backlight.c
26853 --- linux-2.6.33.1/drivers/video/nvidia/nv_backlight.c 2010-03-15 12:09:39.000000000 -0400
26854 +++ linux-2.6.33.1/drivers/video/nvidia/nv_backlight.c 2010-03-20 16:58:41.200859456 -0400
26855 @@ -87,7 +87,7 @@ static int nvidia_bl_get_brightness(stru
26856 return bd->props.brightness;
26859 -static struct backlight_ops nvidia_bl_ops = {
26860 +static const struct backlight_ops nvidia_bl_ops = {
26861 .get_brightness = nvidia_bl_get_brightness,
26862 .update_status = nvidia_bl_update_status,
26864 diff -urNp linux-2.6.33.1/drivers/video/omap2/displays/panel-taal.c linux-2.6.33.1/drivers/video/omap2/displays/panel-taal.c
26865 --- linux-2.6.33.1/drivers/video/omap2/displays/panel-taal.c 2010-03-15 12:09:39.000000000 -0400
26866 +++ linux-2.6.33.1/drivers/video/omap2/displays/panel-taal.c 2010-03-20 16:58:41.208900904 -0400
26867 @@ -313,7 +313,7 @@ static int taal_bl_get_intensity(struct
26871 -static struct backlight_ops taal_bl_ops = {
26872 +static const struct backlight_ops taal_bl_ops = {
26873 .get_brightness = taal_bl_get_intensity,
26874 .update_status = taal_bl_update_status,
26876 diff -urNp linux-2.6.33.1/drivers/video/omap2/dss/manager.c linux-2.6.33.1/drivers/video/omap2/dss/manager.c
26877 --- linux-2.6.33.1/drivers/video/omap2/dss/manager.c 2010-03-15 12:09:39.000000000 -0400
26878 +++ linux-2.6.33.1/drivers/video/omap2/dss/manager.c 2010-03-20 16:58:41.220903696 -0400
26879 @@ -341,7 +341,7 @@ static ssize_t manager_attr_store(struct
26880 return manager_attr->store(manager, buf, size);
26883 -static struct sysfs_ops manager_sysfs_ops = {
26884 +static const struct sysfs_ops manager_sysfs_ops = {
26885 .show = manager_attr_show,
26886 .store = manager_attr_store,
26888 diff -urNp linux-2.6.33.1/drivers/video/omap2/dss/overlay.c linux-2.6.33.1/drivers/video/omap2/dss/overlay.c
26889 --- linux-2.6.33.1/drivers/video/omap2/dss/overlay.c 2010-03-15 12:09:39.000000000 -0400
26890 +++ linux-2.6.33.1/drivers/video/omap2/dss/overlay.c 2010-03-20 16:58:41.220903696 -0400
26891 @@ -320,7 +320,7 @@ static ssize_t overlay_attr_store(struct
26892 return overlay_attr->store(overlay, buf, size);
26895 -static struct sysfs_ops overlay_sysfs_ops = {
26896 +static const struct sysfs_ops overlay_sysfs_ops = {
26897 .show = overlay_attr_show,
26898 .store = overlay_attr_store,
26900 diff -urNp linux-2.6.33.1/drivers/video/riva/fbdev.c linux-2.6.33.1/drivers/video/riva/fbdev.c
26901 --- linux-2.6.33.1/drivers/video/riva/fbdev.c 2010-03-15 12:09:39.000000000 -0400
26902 +++ linux-2.6.33.1/drivers/video/riva/fbdev.c 2010-03-20 16:58:41.252568052 -0400
26903 @@ -331,7 +331,7 @@ static int riva_bl_get_brightness(struct
26904 return bd->props.brightness;
26907 -static struct backlight_ops riva_bl_ops = {
26908 +static const struct backlight_ops riva_bl_ops = {
26909 .get_brightness = riva_bl_get_brightness,
26910 .update_status = riva_bl_update_status,
26912 diff -urNp linux-2.6.33.1/drivers/video/uvesafb.c linux-2.6.33.1/drivers/video/uvesafb.c
26913 --- linux-2.6.33.1/drivers/video/uvesafb.c 2010-03-15 12:09:39.000000000 -0400
26914 +++ linux-2.6.33.1/drivers/video/uvesafb.c 2010-03-20 16:58:41.260895734 -0400
26916 #include <linux/fb.h>
26917 #include <linux/io.h>
26918 #include <linux/mutex.h>
26919 +#include <linux/moduleloader.h>
26920 #include <video/edid.h>
26921 #include <video/uvesafb.h>
26923 @@ -120,7 +121,7 @@ static int uvesafb_helper_start(void)
26927 - return call_usermodehelper(v86d_path, argv, envp, 1);
26928 + return call_usermodehelper(v86d_path, argv, envp, UMH_WAIT_PROC);
26932 @@ -568,10 +569,32 @@ static int __devinit uvesafb_vbe_getpmi(
26933 if ((task->t.regs.eax & 0xffff) != 0x4f || task->t.regs.es < 0xc000) {
26934 par->pmi_setpal = par->ypan = 0;
26937 +#ifdef CONFIG_PAX_KERNEXEC
26938 +#ifdef CONFIG_MODULES
26939 + par->pmi_code = module_alloc_exec((u16)task->t.regs.ecx);
26941 + if (!par->pmi_code) {
26942 + par->pmi_setpal = par->ypan = 0;
26947 par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
26948 + task->t.regs.edi);
26950 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
26951 + pax_open_kernel();
26952 + memcpy(par->pmi_code, par->pmi_base, (u16)task->t.regs.ecx);
26953 + pax_close_kernel();
26955 + par->pmi_start = ktva_ktla(par->pmi_code + par->pmi_base[1]);
26956 + par->pmi_pal = ktva_ktla(par->pmi_code + par->pmi_base[2]);
26958 par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];
26959 par->pmi_pal = (u8 *)par->pmi_base + par->pmi_base[2];
26962 printk(KERN_INFO "uvesafb: protected mode interface info at "
26964 (u16)task->t.regs.es, (u16)task->t.regs.edi);
26965 @@ -1799,6 +1822,11 @@ out:
26966 if (par->vbe_modes)
26967 kfree(par->vbe_modes);
26969 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
26970 + if (par->pmi_code)
26971 + module_free_exec(NULL, par->pmi_code);
26974 framebuffer_release(info);
26977 @@ -1825,6 +1853,12 @@ static int uvesafb_remove(struct platfor
26978 kfree(par->vbe_state_orig);
26979 if (par->vbe_state_saved)
26980 kfree(par->vbe_state_saved);
26982 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
26983 + if (par->pmi_code)
26984 + module_free_exec(NULL, par->pmi_code);
26989 framebuffer_release(info);
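Review bot: In the `uvesafb_vbe_getpmi` hunk the offsets `par->pmi_base[1]` and `par->pmi_base[2]` come from the BIOS-supplied table and are added to `par->pmi_code`, but nothing visible compares them with the `(u16)task->t.regs.ecx` length that was allocated and copied. A malformed table would therefore leave `pmi_start` or `pmi_pal` pointing past the executable copy. A guard before the `memcpy` such as `if (!len || par->pmi_base[1] >= len || par->pmi_base[2] >= len)`, with `len` holding the `(u16)` length and the body falling back to `par->pmi_setpal = par->ypan = 0;`, would keep both entry points inside the buffer. The vesafb.c probe hunk follows the same pattern with `screen_info.vesapm_size`. The function continues outside the hunk and some lines of this listing are missing, so an existing check elsewhere cannot be ruled out.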
26990 diff -urNp linux-2.6.33.1/drivers/video/vesafb.c linux-2.6.33.1/drivers/video/vesafb.c
26991 --- linux-2.6.33.1/drivers/video/vesafb.c 2010-03-15 12:09:39.000000000 -0400
26992 +++ linux-2.6.33.1/drivers/video/vesafb.c 2010-03-20 16:58:41.264903169 -0400
26996 #include <linux/module.h>
26997 +#include <linux/moduleloader.h>
26998 #include <linux/kernel.h>
26999 #include <linux/errno.h>
27000 #include <linux/string.h>
27001 @@ -53,8 +54,8 @@ static int vram_remap __initdata; /*
27002 static int vram_total __initdata; /* Set total amount of memory */
27003 static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
27004 static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
27005 -static void (*pmi_start)(void) __read_mostly;
27006 -static void (*pmi_pal) (void) __read_mostly;
27007 +static void (*pmi_start)(void) __read_only;
27008 +static void (*pmi_pal) (void) __read_only;
27009 static int depth __read_mostly;
27010 static int vga_compat __read_mostly;
27011 /* --------------------------------------------------------------------- */
27012 @@ -233,6 +234,7 @@ static int __init vesafb_probe(struct pl
27013 unsigned int size_vmode;
27014 unsigned int size_remap;
27015 unsigned int size_total;
27016 + void *pmi_code = NULL;
27018 if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
27020 @@ -275,10 +277,6 @@ static int __init vesafb_probe(struct pl
27021 size_remap = size_total;
27022 vesafb_fix.smem_len = size_remap;
27025 - screen_info.vesapm_seg = 0;
27028 if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
27029 printk(KERN_WARNING
27030 "vesafb: cannot reserve video memory at 0x%lx\n",
27031 @@ -315,9 +313,21 @@ static int __init vesafb_probe(struct pl
27032 printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
27033 vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
27037 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
27038 + pmi_code = module_alloc_exec(screen_info.vesapm_size);
27040 +#elif !defined(CONFIG_PAX_KERNEXEC)
27045 + screen_info.vesapm_seg = 0;
27047 if (screen_info.vesapm_seg) {
27048 - printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
27049 - screen_info.vesapm_seg,screen_info.vesapm_off);
27050 + printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
27051 + screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
27054 if (screen_info.vesapm_seg < 0xc000)
27055 @@ -325,9 +335,25 @@ static int __init vesafb_probe(struct pl
27057 if (ypan || pmi_setpal) {
27058 unsigned short *pmi_base;
27059 - pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
27060 - pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
27061 - pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
27063 + pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
27065 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
27066 + pax_open_kernel();
27067 + memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
27069 + pmi_code = pmi_base;
27072 + pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
27073 + pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
27075 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
27076 + pmi_start = ktva_ktla(pmi_start);
27077 + pmi_pal = ktva_ktla(pmi_pal);
27078 + pax_close_kernel();
27081 printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
27083 printk(KERN_INFO "vesafb: pmi: ports = ");
27084 @@ -469,6 +495,11 @@ static int __init vesafb_probe(struct pl
27085 info->node, info->fix.id);
27089 +#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
27090 + module_free_exec(NULL, pmi_code);
27093 if (info->screen_base)
27094 iounmap(info->screen_base);
27095 framebuffer_release(info);
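Review bot: The error path of `vesafb_probe` calls `module_free_exec(NULL, pmi_code)` unconditionally, although `pmi_code` is initialised to `NULL` and stays `NULL` if `module_alloc_exec()` fails; uvesafb.c in this same patch guards the call with `if (par->pmi_code)`. Unless `module_free_exec()` is known to accept a null pointer (its definition is not shown here), `if (pmi_code) module_free_exec(NULL, pmi_code);` would match the sibling driver. The free is also wrapped in `defined(__i386__)` while the allocation guard visible here is not, presumably because an enclosing `#ifdef __i386__` lies in lines missing from this listing; a short comment saying so would help. From the visible lines the buffer also appears to stay allocated after a successful probe in which `ypan` and `pmi_setpal` both end up zero.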
27096 diff -urNp linux-2.6.33.1/drivers/xen/sys-hypervisor.c linux-2.6.33.1/drivers/xen/sys-hypervisor.c
27097 --- linux-2.6.33.1/drivers/xen/sys-hypervisor.c 2010-03-15 12:09:39.000000000 -0400
27098 +++ linux-2.6.33.1/drivers/xen/sys-hypervisor.c 2010-03-20 16:58:41.272886902 -0400
27099 @@ -426,7 +426,7 @@ static ssize_t hyp_sysfs_store(struct ko
27103 -static struct sysfs_ops hyp_sysfs_ops = {
27104 +static const struct sysfs_ops hyp_sysfs_ops = {
27105 .show = hyp_sysfs_show,
27106 .store = hyp_sysfs_store,
27108 diff -urNp linux-2.6.33.1/fs/9p/vfs_inode.c linux-2.6.33.1/fs/9p/vfs_inode.c
27109 --- linux-2.6.33.1/fs/9p/vfs_inode.c 2010-03-15 12:09:39.000000000 -0400
27110 +++ linux-2.6.33.1/fs/9p/vfs_inode.c 2010-03-20 16:58:41.284893283 -0400
27111 @@ -1041,7 +1041,7 @@ static void *v9fs_vfs_follow_link(struct
27113 v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
27115 - char *s = nd_get_link(nd);
27116 + const char *s = nd_get_link(nd);
27118 P9_DPRINTK(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name,
27119 IS_ERR(s) ? "<error>" : s);
27120 diff -urNp linux-2.6.33.1/fs/aio.c linux-2.6.33.1/fs/aio.c
27121 --- linux-2.6.33.1/fs/aio.c 2010-03-15 12:09:39.000000000 -0400
27122 +++ linux-2.6.33.1/fs/aio.c 2010-03-20 16:58:41.305540612 -0400
27123 @@ -129,7 +129,7 @@ static int aio_setup_ring(struct kioctx
27124 size += sizeof(struct io_event) * nr_events;
27125 nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
27127 - if (nr_pages < 0)
27128 + if (nr_pages <= 0)
27131 nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
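Review bot: The `nr_pages <= 0` test in `aio_setup_ring` would benefit from a comment saying why zero is now rejected. With `nr_pages == 0`, the `nr_events` computation that follows, `PAGE_SIZE * nr_pages - sizeof(struct aio_ring)`, would wrap to a very large unsigned value. Something like `/* 0 means size wrapped; it would underflow the nr_events computation below */` above the check records the intent. The declarations of `size` and `nr_pages` are outside the hunk, so whether zero is actually reachable depends on types not shown here.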
27132 diff -urNp linux-2.6.33.1/fs/attr.c linux-2.6.33.1/fs/attr.c
27133 --- linux-2.6.33.1/fs/attr.c 2010-03-15 12:09:39.000000000 -0400
27134 +++ linux-2.6.33.1/fs/attr.c 2010-03-20 16:58:41.305540612 -0400
27135 @@ -83,6 +83,7 @@ int inode_newsize_ok(const struct inode
27136 unsigned long limit;
27138 limit = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
27139 + gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
27140 if (limit != RLIM_INFINITY && offset > limit)
27142 if (offset > inode->i_sb->s_maxbytes)
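Review bot: The `(unsigned long)offset` cast in the added `gr_learn_resource()` call narrows the value before it is recorded if `offset` is a 64-bit `loff_t` (its declaration is outside the hunk). On 32-bit builds the learned RLIMIT_FSIZE request could then be smaller than the value compared with `limit` on the next line. If the hook cannot take a wider argument, clamping instead of truncating, e.g. `offset > ULONG_MAX ? ULONG_MAX : (unsigned long)offset`, keeps the learned value from under-reporting. The prototype of `gr_learn_resource()` is not visible here.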
27143 diff -urNp linux-2.6.33.1/fs/autofs/root.c linux-2.6.33.1/fs/autofs/root.c
27144 --- linux-2.6.33.1/fs/autofs/root.c 2010-03-15 12:09:39.000000000 -0400
27145 +++ linux-2.6.33.1/fs/autofs/root.c 2010-03-20 16:58:41.316888614 -0400
27146 @@ -299,7 +299,8 @@ static int autofs_root_symlink(struct in
27147 set_bit(n,sbi->symlink_bitmap);
27148 sl = &sbi->symlink[n];
27149 sl->len = strlen(symname);
27150 - sl->data = kmalloc(slsize = sl->len+1, GFP_KERNEL);
27151 + slsize = sl->len+1;
27152 + sl->data = kmalloc(slsize, GFP_KERNEL);
27154 clear_bit(n,sbi->symlink_bitmap);
27156 diff -urNp linux-2.6.33.1/fs/autofs4/symlink.c linux-2.6.33.1/fs/autofs4/symlink.c
27157 --- linux-2.6.33.1/fs/autofs4/symlink.c 2010-03-15 12:09:39.000000000 -0400
27158 +++ linux-2.6.33.1/fs/autofs4/symlink.c 2010-03-20 16:58:41.324896891 -0400
27160 static void *autofs4_follow_link(struct dentry *dentry, struct nameidata *nd)
27162 struct autofs_info *ino = autofs4_dentry_ino(dentry);
27163 - nd_set_link(nd, (char *)ino->u.symlink);
27164 + nd_set_link(nd, ino->u.symlink);
27168 diff -urNp linux-2.6.33.1/fs/befs/linuxvfs.c linux-2.6.33.1/fs/befs/linuxvfs.c
27169 --- linux-2.6.33.1/fs/befs/linuxvfs.c 2010-03-15 12:09:39.000000000 -0400
27170 +++ linux-2.6.33.1/fs/befs/linuxvfs.c 2010-03-20 16:58:41.332900573 -0400
27171 @@ -493,7 +493,7 @@ static void befs_put_link(struct dentry
27173 befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
27174 if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
27175 - char *link = nd_get_link(nd);
27176 + const char *link = nd_get_link(nd);
27180 diff -urNp linux-2.6.33.1/fs/binfmt_aout.c linux-2.6.33.1/fs/binfmt_aout.c
27181 --- linux-2.6.33.1/fs/binfmt_aout.c 2010-03-15 12:09:39.000000000 -0400
27182 +++ linux-2.6.33.1/fs/binfmt_aout.c 2010-03-20 16:58:41.336873242 -0400
27184 #include <linux/string.h>
27185 #include <linux/fs.h>
27186 #include <linux/file.h>
27187 +#include <linux/security.h>
27188 #include <linux/stat.h>
27189 #include <linux/fcntl.h>
27190 #include <linux/ptrace.h>
27191 @@ -114,10 +115,12 @@ static int aout_core_dump(struct coredum
27193 /* If the size of the dump file exceeds the rlimit, then see what would happen
27194 if we wrote the stack, but not the data area. */
27195 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
27196 if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > cprm->limit)
27199 /* Make sure we have enough room to write the stack and data areas. */
27200 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
27201 if ((dump.u_ssize + 1) * PAGE_SIZE > cprm->limit)
27204 @@ -250,6 +253,8 @@ static int load_aout_binary(struct linux
27205 rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
27206 if (rlim >= RLIM_INFINITY)
27209 + gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
27210 if (ex.a_data + ex.a_bss > rlim)
27213 @@ -278,6 +283,27 @@ static int load_aout_binary(struct linux
27214 install_exec_creds(bprm);
27215 current->flags &= ~PF_FORKNOEXEC;
27217 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
27218 + current->mm->pax_flags = 0UL;
27221 +#ifdef CONFIG_PAX_PAGEEXEC
27222 + if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
27223 + current->mm->pax_flags |= MF_PAX_PAGEEXEC;
27225 +#ifdef CONFIG_PAX_EMUTRAMP
27226 + if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
27227 + current->mm->pax_flags |= MF_PAX_EMUTRAMP;
27230 +#ifdef CONFIG_PAX_MPROTECT
27231 + if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
27232 + current->mm->pax_flags |= MF_PAX_MPROTECT;
27238 if (N_MAGIC(ex) == OMAGIC) {
27239 unsigned long text_addr, map_size;
27241 @@ -350,7 +376,7 @@ static int load_aout_binary(struct linux
27243 down_write(¤t->mm->mmap_sem);
27244 error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
27245 - PROT_READ | PROT_WRITE | PROT_EXEC,
27246 + PROT_READ | PROT_WRITE,
27247 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
27248 fd_offset + ex.a_text);
27249 up_write(¤t->mm->mmap_sem);
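Review bot: The flag tests added to `load_aout_binary` mix polarities without a comment. `F_PAX_PAGEEXEC` and `F_PAX_MPROTECT` are tested negated, so the protection is on unless the header bit is set, while `F_PAX_EMUTRAMP` turns a feature on when set. A comment above the block such as `/* a.out header bits: F_PAX_PAGEEXEC and F_PAX_MPROTECT opt out, F_PAX_EMUTRAMP opts in */` would keep the next reader from misreading the `!`. Since `N_FLAGS(ex)` is read from the executable's own header, the comment could also state that these markings are only as trustworthy as write access to the binary. The function body continues outside these hunks.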
27250 diff -urNp linux-2.6.33.1/fs/binfmt_elf.c linux-2.6.33.1/fs/binfmt_elf.c
27251 --- linux-2.6.33.1/fs/binfmt_elf.c 2010-03-15 12:09:39.000000000 -0400
27252 +++ linux-2.6.33.1/fs/binfmt_elf.c 2010-03-20 16:58:41.348904798 -0400
27253 @@ -50,6 +50,10 @@ static int elf_core_dump(struct coredump
27254 #define elf_core_dump NULL
27257 +#ifdef CONFIG_PAX_MPROTECT
27258 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags);
27261 #if ELF_EXEC_PAGESIZE > PAGE_SIZE
27262 #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
27264 @@ -69,6 +73,11 @@ static struct linux_binfmt elf_format =
27265 .load_binary = load_elf_binary,
27266 .load_shlib = load_elf_library,
27267 .core_dump = elf_core_dump,
27269 +#ifdef CONFIG_PAX_MPROTECT
27270 + .handle_mprotect= elf_handle_mprotect,
27273 .min_coredump = ELF_EXEC_PAGESIZE,
27276 @@ -77,6 +86,8 @@ static struct linux_binfmt elf_format =
27278 static int set_brk(unsigned long start, unsigned long end)
27280 + unsigned long e = end;
27282 start = ELF_PAGEALIGN(start);
27283 end = ELF_PAGEALIGN(end);
27285 @@ -87,7 +98,7 @@ static int set_brk(unsigned long start,
27286 if (BAD_ADDR(addr))
27289 - current->mm->start_brk = current->mm->brk = end;
27290 + current->mm->start_brk = current->mm->brk = e;
27294 @@ -148,7 +159,7 @@ create_elf_tables(struct linux_binprm *b
27295 elf_addr_t __user *u_rand_bytes;
27296 const char *k_platform = ELF_PLATFORM;
27297 const char *k_base_platform = ELF_BASE_PLATFORM;
27298 - unsigned char k_rand_bytes[16];
27299 + u32 k_rand_bytes[4];
27301 elf_addr_t *elf_info;
27303 @@ -195,6 +206,10 @@ create_elf_tables(struct linux_binprm *b
27304 * Generate 16 random bytes for userspace PRNG seeding.
27306 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
27307 + srandom32(k_rand_bytes[0] ^ random32());
27308 + srandom32(k_rand_bytes[1] ^ random32());
27309 + srandom32(k_rand_bytes[2] ^ random32());
27310 + srandom32(k_rand_bytes[3] ^ random32());
27311 u_rand_bytes = (elf_addr_t __user *)
27312 STACK_ALLOC(p, sizeof(k_rand_bytes));
27313 if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
27314 @@ -385,10 +400,10 @@ static unsigned long load_elf_interp(str
27316 struct elf_phdr *elf_phdata;
27317 struct elf_phdr *eppnt;
27318 - unsigned long load_addr = 0;
27319 + unsigned long load_addr = 0, pax_task_size = TASK_SIZE;
27320 int load_addr_set = 0;
27321 unsigned long last_bss = 0, elf_bss = 0;
27322 - unsigned long error = ~0UL;
27323 + unsigned long error = -EINVAL;
27324 unsigned long total_size;
27325 int retval, i, size;
27327 @@ -434,6 +449,11 @@ static unsigned long load_elf_interp(str
27331 +#ifdef CONFIG_PAX_SEGMEXEC
27332 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
27333 + pax_task_size = SEGMEXEC_TASK_SIZE;
27336 eppnt = elf_phdata;
27337 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
27338 if (eppnt->p_type == PT_LOAD) {
27339 @@ -477,8 +497,8 @@ static unsigned long load_elf_interp(str
27340 k = load_addr + eppnt->p_vaddr;
27342 eppnt->p_filesz > eppnt->p_memsz ||
27343 - eppnt->p_memsz > TASK_SIZE ||
27344 - TASK_SIZE - eppnt->p_memsz < k) {
27345 + eppnt->p_memsz > pax_task_size ||
27346 + pax_task_size - eppnt->p_memsz < k) {
27350 @@ -532,6 +552,177 @@ out:
27354 +#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
27355 +static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
27357 + unsigned long pax_flags = 0UL;
27359 +#ifdef CONFIG_PAX_PAGEEXEC
27360 + if (elf_phdata->p_flags & PF_PAGEEXEC)
27361 + pax_flags |= MF_PAX_PAGEEXEC;
27364 +#ifdef CONFIG_PAX_SEGMEXEC
27365 + if (elf_phdata->p_flags & PF_SEGMEXEC)
27366 + pax_flags |= MF_PAX_SEGMEXEC;
27369 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
27370 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
27371 + if ((__supported_pte_mask & _PAGE_NX))
27372 + pax_flags &= ~MF_PAX_SEGMEXEC;
27374 + pax_flags &= ~MF_PAX_PAGEEXEC;
27378 +#ifdef CONFIG_PAX_EMUTRAMP
27379 + if (elf_phdata->p_flags & PF_EMUTRAMP)
27380 + pax_flags |= MF_PAX_EMUTRAMP;
27383 +#ifdef CONFIG_PAX_MPROTECT
27384 + if (elf_phdata->p_flags & PF_MPROTECT)
27385 + pax_flags |= MF_PAX_MPROTECT;
27388 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
27389 + if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
27390 + pax_flags |= MF_PAX_RANDMMAP;
27393 + return pax_flags;
27397 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
27398 +static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
27400 + unsigned long pax_flags = 0UL;
27402 +#ifdef CONFIG_PAX_PAGEEXEC
27403 + if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
27404 + pax_flags |= MF_PAX_PAGEEXEC;
27407 +#ifdef CONFIG_PAX_SEGMEXEC
27408 + if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
27409 + pax_flags |= MF_PAX_SEGMEXEC;
27412 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
27413 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
27414 + if ((__supported_pte_mask & _PAGE_NX))
27415 + pax_flags &= ~MF_PAX_SEGMEXEC;
27417 + pax_flags &= ~MF_PAX_PAGEEXEC;
27421 +#ifdef CONFIG_PAX_EMUTRAMP
27422 + if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
27423 + pax_flags |= MF_PAX_EMUTRAMP;
27426 +#ifdef CONFIG_PAX_MPROTECT
27427 + if (!(elf_phdata->p_flags & PF_NOMPROTECT))
27428 + pax_flags |= MF_PAX_MPROTECT;
27431 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
27432 + if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
27433 + pax_flags |= MF_PAX_RANDMMAP;
27436 + return pax_flags;
27440 +#ifdef CONFIG_PAX_EI_PAX
27441 +static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
27443 + unsigned long pax_flags = 0UL;
27445 +#ifdef CONFIG_PAX_PAGEEXEC
27446 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
27447 + pax_flags |= MF_PAX_PAGEEXEC;
27450 +#ifdef CONFIG_PAX_SEGMEXEC
27451 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
27452 + pax_flags |= MF_PAX_SEGMEXEC;
27455 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
27456 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
27457 + if ((__supported_pte_mask & _PAGE_NX))
27458 + pax_flags &= ~MF_PAX_SEGMEXEC;
27460 + pax_flags &= ~MF_PAX_PAGEEXEC;
27464 +#ifdef CONFIG_PAX_EMUTRAMP
27465 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
27466 + pax_flags |= MF_PAX_EMUTRAMP;
27469 +#ifdef CONFIG_PAX_MPROTECT
27470 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
27471 + pax_flags |= MF_PAX_MPROTECT;
27474 +#ifdef CONFIG_PAX_ASLR
27475 + if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
27476 + pax_flags |= MF_PAX_RANDMMAP;
27479 + return pax_flags;
27483 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
27484 +static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
27486 + unsigned long pax_flags = 0UL;
27488 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
27492 +#ifdef CONFIG_PAX_EI_PAX
27493 + pax_flags = pax_parse_ei_pax(elf_ex);
27496 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
27497 + for (i = 0UL; i < elf_ex->e_phnum; i++)
27498 + if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
27499 + if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
27500 + ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
27501 + ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
27502 + ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
27503 + ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
27506 +#ifdef CONFIG_PAX_SOFTMODE
27507 + if (pax_softmode)
27508 + pax_flags = pax_parse_softmode(&elf_phdata[i]);
27512 + pax_flags = pax_parse_hardmode(&elf_phdata[i]);
27517 + if (0 > pax_check_flags(&pax_flags))
27520 + current->mm->pax_flags = pax_flags;
27526 * These are the functions used to load ELF style executables and shared
27527 * libraries. There is no binary dependent code anywhere else.
27528 @@ -548,6 +739,11 @@ static unsigned long randomize_stack_top
27530 unsigned int random_variable = 0;
27532 +#ifdef CONFIG_PAX_RANDUSTACK
27533 + if (randomize_va_space)
27534 + return stack_top - current->mm->delta_stack;
27537 if ((current->flags & PF_RANDOMIZE) &&
27538 !(current->personality & ADDR_NO_RANDOMIZE)) {
27539 random_variable = get_random_int() & STACK_RND_MASK;
27540 @@ -566,7 +762,7 @@ static int load_elf_binary(struct linux_
27541 unsigned long load_addr = 0, load_bias = 0;
27542 int load_addr_set = 0;
27543 char * elf_interpreter = NULL;
27544 - unsigned long error;
27545 + unsigned long error = 0;
27546 struct elf_phdr *elf_ppnt, *elf_phdata;
27547 unsigned long elf_bss, elf_brk;
27549 @@ -576,11 +772,11 @@ static int load_elf_binary(struct linux_
27550 unsigned long start_code, end_code, start_data, end_data;
27551 unsigned long reloc_func_desc = 0;
27552 int executable_stack = EXSTACK_DEFAULT;
27553 - unsigned long def_flags = 0;
27555 struct elfhdr elf_ex;
27556 struct elfhdr interp_elf_ex;
27558 + unsigned long pax_task_size = TASK_SIZE;
27560 loc = kmalloc(sizeof(*loc), GFP_KERNEL);
27562 @@ -718,11 +914,80 @@ static int load_elf_binary(struct linux_
27564 /* OK, This is the point of no return */
27565 current->flags &= ~PF_FORKNOEXEC;
27566 - current->mm->def_flags = def_flags;
27568 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
27569 + current->mm->pax_flags = 0UL;
27572 +#ifdef CONFIG_PAX_DLRESOLVE
27573 + current->mm->call_dl_resolve = 0UL;
27576 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
27577 + current->mm->call_syscall = 0UL;
27580 +#ifdef CONFIG_PAX_ASLR
27581 + current->mm->delta_mmap = 0UL;
27582 + current->mm->delta_stack = 0UL;
27585 + current->mm->def_flags = 0;
27587 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
27588 + if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
27589 + send_sig(SIGKILL, current, 0);
27590 + goto out_free_dentry;
27594 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
27595 + pax_set_initial_flags(bprm);
27596 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
27597 + if (pax_set_initial_flags_func)
27598 + (pax_set_initial_flags_func)(bprm);
27601 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
27602 + if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !(__supported_pte_mask & _PAGE_NX)) {
27603 + current->mm->context.user_cs_limit = PAGE_SIZE;
27604 + current->mm->def_flags |= VM_PAGEEXEC;
27608 +#ifdef CONFIG_PAX_SEGMEXEC
27609 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
27610 + current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
27611 + current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
27612 + pax_task_size = SEGMEXEC_TASK_SIZE;
27616 +#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
27617 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
27618 + set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
27623 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
27624 may depend on the personality. */
27625 SET_PERSONALITY(loc->elf_ex);
27627 +#ifdef CONFIG_PAX_ASLR
27628 + if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
27629 + current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
27630 + current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
27634 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
27635 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
27636 + executable_stack = EXSTACK_DISABLE_X;
27637 + current->personality &= ~READ_IMPLIES_EXEC;
27641 if (elf_read_implies_exec(loc->elf_ex, executable_stack))
27642 current->personality |= READ_IMPLIES_EXEC;
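Review bot: In the CONFIG_PAX_HOOK_ACL_FLAGS branch, `pax_set_initial_flags_func` is tested and then loaded a second time for the call, so the two reads can disagree if the hook's owner clears it in between. The pointer is a plain writable exported global (declared in the fs/exec.c part of this patch), and no lock is visible around the call. Reading it once closes that window: `void (*fn)(struct linux_binprm *) = ACCESS_ONCE(pax_set_initial_flags_func);` followed by `if (fn) fn(bprm);`. That alone does not stop the callee's module from being unloaded mid-call, so the hook's registration and lifetime rules deserve a comment next to its declaration. load_elf_binary starts and ends outside this hunk.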
27644 @@ -804,6 +1069,20 @@ static int load_elf_binary(struct linux_
27646 load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
27649 +#ifdef CONFIG_PAX_RANDMMAP
27650 + /* PaX: randomize base address at the default exe base if requested */
27651 + if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
27652 +#ifdef CONFIG_SPARC64
27653 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
27655 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
27657 + load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
27658 + elf_flags |= MAP_FIXED;
27664 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
27665 @@ -836,9 +1115,9 @@ static int load_elf_binary(struct linux_
27666 * allowed task size. Note that p_filesz must always be
27667 * <= p_memsz so it is only necessary to check p_memsz.
27669 - if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
27670 - elf_ppnt->p_memsz > TASK_SIZE ||
27671 - TASK_SIZE - elf_ppnt->p_memsz < k) {
27672 + if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
27673 + elf_ppnt->p_memsz > pax_task_size ||
27674 + pax_task_size - elf_ppnt->p_memsz < k) {
27675 /* set_brk can never work. Avoid overflows. */
27676 send_sig(SIGKILL, current, 0);
27678 @@ -866,6 +1145,11 @@ static int load_elf_binary(struct linux_
27679 start_data += load_bias;
27680 end_data += load_bias;
27682 +#ifdef CONFIG_PAX_RANDMMAP
27683 + if (current->mm->pax_flags & MF_PAX_RANDMMAP)
27684 + elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
27687 /* Calling set_brk effectively mmaps the pages that we need
27688 * for the bss and break sections. We must do this before
27689 * mapping in the interpreter, to make sure it doesn't wind
27690 @@ -877,9 +1161,11 @@ static int load_elf_binary(struct linux_
27691 goto out_free_dentry;
27693 if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
27694 - send_sig(SIGSEGV, current, 0);
27695 - retval = -EFAULT; /* Nobody gets to see this, but.. */
27696 - goto out_free_dentry;
27698 + * This bss-zeroing can fail if the ELF
27699 + * file specifies odd protections. So
27700 + * we don't check the return value
27704 if (elf_interpreter) {
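Review bot: After this change the `if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss)))` statement has a body that holds only a comment, so a failing padzero() is ignored while the code still reads like an error check. If ignoring it is intended, write the call as a plain statement under `if (elf_bss != elf_brk)` with the comment above it. The comment should also say what is left behind on failure; presumably the tail of the last file-backed page keeps file bytes instead of zeros, which should be confirmed. The RANDMMAP hunk just above adds to `elf_brk` only, so with that flag set the two values differ on nearly every exec and this path is taken far more often than before. load_elf_binary continues outside the hunk.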
27705 @@ -1107,8 +1393,10 @@ static int dump_seek(struct file *file,
27706 unsigned long n = off;
27709 - if (!dump_write(file, buf, n))
27710 + if (!dump_write(file, buf, n)) {
27711 + free_page((unsigned long)buf);
27716 free_page((unsigned long)buf);
27717 @@ -1120,7 +1408,7 @@ static int dump_seek(struct file *file,
27718 * Decide what to dump of a segment, part, all or none.
27720 static unsigned long vma_dump_size(struct vm_area_struct *vma,
27721 - unsigned long mm_flags)
27722 + unsigned long mm_flags, long signr)
27724 #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
27726 @@ -1154,7 +1442,7 @@ static unsigned long vma_dump_size(struc
27727 if (vma->vm_file == NULL)
27730 - if (FILTER(MAPPED_PRIVATE))
27731 + if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
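Review bot: The new `signr == SIGKILL` test bypasses the task's MMF_DUMP_MAPPED_PRIVATE filter bit, and neither the function comment nor the new `signr` parameter says why. Since it follows the `vma->vm_file == NULL` check, it appears to put file-backed private mappings into the core file whenever the dump was triggered by SIGKILL. Anyone handling those dumps should know they can hold more memory than the coredump filter setting suggests. A comment at the test, such as `/* SIGKILL dumps ignore the MAPPED_PRIVATE filter: <reason> */`, plus a line on `signr` in the header comment would record the intent; the reason itself is not visible in this section of the patch. vma_dump_size continues outside the hunk.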
27735 @@ -1250,9 +1538,12 @@ static int writenote(struct memelfnote *
27738 #define DUMP_WRITE(addr, nr) \
27740 + gr_learn_resource(current, RLIMIT_CORE, size + (nr), 1); \
27741 if ((size += (nr)) > cprm->limit || \
27742 !dump_write(cprm->file, (addr), (nr))) \
27743 - goto end_coredump;
27744 + goto end_coredump; \
27747 static void fill_elf_header(struct elfhdr *elf, int segs,
27748 u16 machine, u32 flags, u8 osabi)
27749 @@ -1381,9 +1672,9 @@ static void fill_auxv_note(struct memelf
27751 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
27756 - while (auxv[i - 2] != AT_NULL);
27757 + } while (auxv[i - 2] != AT_NULL);
27758 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
27761 @@ -1969,7 +2260,7 @@ static int elf_core_dump(struct coredump
27762 phdr.p_offset = offset;
27763 phdr.p_vaddr = vma->vm_start;
27765 - phdr.p_filesz = vma_dump_size(vma, mm_flags);
27766 + phdr.p_filesz = vma_dump_size(vma, mm_flags, cprm->signr);
27767 phdr.p_memsz = vma->vm_end - vma->vm_start;
27768 offset += phdr.p_filesz;
27769 phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
27770 @@ -2002,7 +2293,7 @@ static int elf_core_dump(struct coredump
27771 unsigned long addr;
27774 - end = vma->vm_start + vma_dump_size(vma, mm_flags);
27775 + end = vma->vm_start + vma_dump_size(vma, mm_flags, cprm->signr);
27777 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
27779 @@ -2011,6 +2302,7 @@ static int elf_core_dump(struct coredump
27780 page = get_dump_page(addr);
27782 void *kaddr = kmap(page);
27783 + gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
27784 stop = ((size += PAGE_SIZE) > cprm->limit) ||
27785 !dump_write(cprm->file, kaddr,
27787 @@ -2039,6 +2331,97 @@ out:
27789 #endif /* CONFIG_ELF_CORE */
27791 +#ifdef CONFIG_PAX_MPROTECT
27792 +/* PaX: non-PIC ELF libraries need relocations on their executable segments
27793 + * therefore we'll grant them VM_MAYWRITE once during their life. Similarly
27794 + * we'll remove VM_MAYWRITE for good on RELRO segments.
27796 + * The checks favour ld-linux.so behaviour which operates on a per ELF segment
27797 + * basis because we want to allow the common case and not the special ones.
27799 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags)
27801 + struct elfhdr elf_h;
27802 + struct elf_phdr elf_p;
27804 + unsigned long oldflags;
27805 + bool is_textrel_rw, is_textrel_rx, is_relro;
27807 + if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT))
27810 + oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);
27811 + newflags &= VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ;
27813 +#ifdef CONFIG_PAX_NOELFRELOCS
27814 + is_textrel_rw = false;
27815 + is_textrel_rx = false;
27817 + /* possible TEXTREL */
27818 + is_textrel_rw = vma->vm_file && !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ);
27819 + is_textrel_rx = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ);
27822 + /* possible RELRO */
27823 + is_relro = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ);
27825 + if (!is_textrel_rw && !is_textrel_rx && !is_relro)
27828 + if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
27829 + memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
27831 +#ifdef CONFIG_PAX_ETEXECRELOCS
27832 + ((is_textrel_rw || is_textrel_rx) && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
27834 + ((is_textrel_rw || is_textrel_rx) && elf_h.e_type != ET_DYN) ||
27837 + (is_relro && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
27838 + !elf_check_arch(&elf_h) ||
27839 + elf_h.e_phentsize != sizeof(struct elf_phdr) ||
27840 + elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
27843 + for (i = 0UL; i < elf_h.e_phnum; i++) {
27844 + if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
27846 + switch (elf_p.p_type) {
27848 + if (!is_textrel_rw && !is_textrel_rx)
27851 + while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
27854 + if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
27856 + if (dyn.d_tag == DT_NULL)
27858 + if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
27859 + gr_log_textrel(vma);
27860 + if (is_textrel_rw)
27861 + vma->vm_flags |= VM_MAYWRITE;
27863 + /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
27864 + vma->vm_flags &= ~VM_MAYWRITE;
27871 + case PT_GNU_RELRO:
27874 + if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start)
27875 + vma->vm_flags &= ~VM_MAYWRITE;
27882 static int __init init_elf_binfmt(void)
27884 return register_binfmt(&elf_format);
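Review bot: The PT_DYNAMIC scan in elf_handle_mprotect is bounded only by `elf_p.p_filesz`, a value read from the mapped file, whereas the program-header loop caps `e_phnum` at `65536UL / sizeof(struct elf_phdr)`. A file that declares a very large dynamic segment and has no DT_NULL or TEXTREL entry could keep the loop issuing one kernel_read() per entry for a long time on the mprotect path. A matching cap ahead of the `while`, for example `if (elf_p.p_filesz > 65536UL) return;`, would bound the work in the same way as the header check. Several short lines of this function are missing from the listing, so confirm that no such limit is already present.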
27885 diff -urNp linux-2.6.33.1/fs/binfmt_flat.c linux-2.6.33.1/fs/binfmt_flat.c
27886 --- linux-2.6.33.1/fs/binfmt_flat.c 2010-03-15 12:09:39.000000000 -0400
27887 +++ linux-2.6.33.1/fs/binfmt_flat.c 2010-03-20 16:58:41.369218937 -0400
27888 @@ -564,7 +564,9 @@ static int load_flat_file(struct linux_b
27889 realdatastart = (unsigned long) -ENOMEM;
27890 printk("Unable to allocate RAM for process data, errno %d\n",
27891 (int)-realdatastart);
27892 + down_write(¤t->mm->mmap_sem);
27893 do_munmap(current->mm, textpos, text_len);
27894 + up_write(¤t->mm->mmap_sem);
27895 ret = realdatastart;
27898 @@ -588,8 +590,10 @@ static int load_flat_file(struct linux_b
27900 if (IS_ERR_VALUE(result)) {
27901 printk("Unable to read data+bss, errno %d\n", (int)-result);
27902 + down_write(¤t->mm->mmap_sem);
27903 do_munmap(current->mm, textpos, text_len);
27904 do_munmap(current->mm, realdatastart, data_len + extra);
27905 + up_write(¤t->mm->mmap_sem);
27909 @@ -658,8 +662,10 @@ static int load_flat_file(struct linux_b
27911 if (IS_ERR_VALUE(result)) {
27912 printk("Unable to read code+data+bss, errno %d\n",(int)-result);
27913 + down_write(¤t->mm->mmap_sem);
27914 do_munmap(current->mm, textpos, text_len + data_len + extra +
27915 MAX_SHARED_LIBS * sizeof(unsigned long));
27916 + up_write(¤t->mm->mmap_sem);
27920 diff -urNp linux-2.6.33.1/fs/binfmt_misc.c linux-2.6.33.1/fs/binfmt_misc.c
27921 --- linux-2.6.33.1/fs/binfmt_misc.c 2010-03-15 12:09:39.000000000 -0400
27922 +++ linux-2.6.33.1/fs/binfmt_misc.c 2010-03-20 16:58:41.384059578 -0400
27923 @@ -693,7 +693,7 @@ static int bm_fill_super(struct super_bl
27924 static struct tree_descr bm_files[] = {
27925 [2] = {"status", &bm_status_operations, S_IWUSR|S_IRUGO},
27926 [3] = {"register", &bm_register_operations, S_IWUSR},
27927 - /* last one */ {""}
27928 + /* last one */ {"", NULL, 0}
27930 int err = simple_fill_super(sb, 0x42494e4d, bm_files);
27932 diff -urNp linux-2.6.33.1/fs/bio.c linux-2.6.33.1/fs/bio.c
27933 --- linux-2.6.33.1/fs/bio.c 2010-03-15 12:09:39.000000000 -0400
27934 +++ linux-2.6.33.1/fs/bio.c 2010-03-20 16:58:41.384547944 -0400
27935 @@ -1217,7 +1217,7 @@ static void bio_copy_kern_endio(struct b
27936 const int read = bio_data_dir(bio) == READ;
27937 struct bio_map_data *bmd = bio->bi_private;
27939 - char *p = bmd->sgvecs[0].iov_base;
27940 + char *p = (__force char *)bmd->sgvecs[0].iov_base;
27942 __bio_for_each_segment(bvec, bio, i, 0) {
27943 char *addr = page_address(bvec->bv_page);
27944 diff -urNp linux-2.6.33.1/fs/btrfs/ctree.c linux-2.6.33.1/fs/btrfs/ctree.c
27945 --- linux-2.6.33.1/fs/btrfs/ctree.c 2010-03-15 12:09:39.000000000 -0400
27946 +++ linux-2.6.33.1/fs/btrfs/ctree.c 2010-03-20 16:58:41.388867884 -0400
27947 @@ -3645,7 +3645,6 @@ setup_items_for_insert(struct btrfs_tran
27951 - struct btrfs_disk_key disk_key;
27952 btrfs_cpu_key_to_disk(&disk_key, cpu_key);
27953 ret = fixup_low_keys(trans, root, path, &disk_key, 1);
27955 diff -urNp linux-2.6.33.1/fs/btrfs/disk-io.c linux-2.6.33.1/fs/btrfs/disk-io.c
27956 --- linux-2.6.33.1/fs/btrfs/disk-io.c 2010-03-15 12:09:39.000000000 -0400
27957 +++ linux-2.6.33.1/fs/btrfs/disk-io.c 2010-03-20 16:58:41.388867884 -0400
27959 #include "tree-log.h"
27960 #include "free-space-cache.h"
27962 -static struct extent_io_ops btree_extent_io_ops;
27963 +static const struct extent_io_ops btree_extent_io_ops;
27964 static void end_workqueue_fn(struct btrfs_work *work);
27965 static void free_fs_root(struct btrfs_root *root);
27967 @@ -2605,7 +2605,7 @@ out:
27971 -static struct extent_io_ops btree_extent_io_ops = {
27972 +static const struct extent_io_ops btree_extent_io_ops = {
27973 .write_cache_pages_lock_hook = btree_lock_page_hook,
27974 .readpage_end_io_hook = btree_readpage_end_io_hook,
27975 .submit_bio_hook = btree_submit_bio_hook,
27976 diff -urNp linux-2.6.33.1/fs/btrfs/extent_io.h linux-2.6.33.1/fs/btrfs/extent_io.h
27977 --- linux-2.6.33.1/fs/btrfs/extent_io.h 2010-03-15 12:09:39.000000000 -0400
27978 +++ linux-2.6.33.1/fs/btrfs/extent_io.h 2010-03-20 16:58:41.392898040 -0400
27979 @@ -49,36 +49,36 @@ typedef int (extent_submit_bio_hook_t)(s
27980 struct bio *bio, int mirror_num,
27981 unsigned long bio_flags);
27982 struct extent_io_ops {
27983 - int (*fill_delalloc)(struct inode *inode, struct page *locked_page,
27984 + int (* const fill_delalloc)(struct inode *inode, struct page *locked_page,
27985 u64 start, u64 end, int *page_started,
27986 unsigned long *nr_written);
27987 - int (*writepage_start_hook)(struct page *page, u64 start, u64 end);
27988 - int (*writepage_io_hook)(struct page *page, u64 start, u64 end);
27989 + int (* const writepage_start_hook)(struct page *page, u64 start, u64 end);
27990 + int (* const writepage_io_hook)(struct page *page, u64 start, u64 end);
27991 extent_submit_bio_hook_t *submit_bio_hook;
27992 - int (*merge_bio_hook)(struct page *page, unsigned long offset,
27993 + int (* const merge_bio_hook)(struct page *page, unsigned long offset,
27994 size_t size, struct bio *bio,
27995 unsigned long bio_flags);
27996 - int (*readpage_io_hook)(struct page *page, u64 start, u64 end);
27997 - int (*readpage_io_failed_hook)(struct bio *bio, struct page *page,
27998 + int (* const readpage_io_hook)(struct page *page, u64 start, u64 end);
27999 + int (* const readpage_io_failed_hook)(struct bio *bio, struct page *page,
28000 u64 start, u64 end,
28001 struct extent_state *state);
28002 - int (*writepage_io_failed_hook)(struct bio *bio, struct page *page,
28003 + int (* const writepage_io_failed_hook)(struct bio *bio, struct page *page,
28004 u64 start, u64 end,
28005 struct extent_state *state);
28006 - int (*readpage_end_io_hook)(struct page *page, u64 start, u64 end,
28007 + int (* const readpage_end_io_hook)(struct page *page, u64 start, u64 end,
28008 struct extent_state *state);
28009 - int (*writepage_end_io_hook)(struct page *page, u64 start, u64 end,
28010 + int (* const writepage_end_io_hook)(struct page *page, u64 start, u64 end,
28011 struct extent_state *state, int uptodate);
28012 - int (*set_bit_hook)(struct inode *inode, u64 start, u64 end,
28013 + int (* const set_bit_hook)(struct inode *inode, u64 start, u64 end,
28014 unsigned long old, unsigned long bits);
28015 - int (*clear_bit_hook)(struct inode *inode, struct extent_state *state,
28016 + int (* const clear_bit_hook)(struct inode *inode, struct extent_state *state,
28017 unsigned long bits);
28018 - int (*merge_extent_hook)(struct inode *inode,
28019 + int (* const merge_extent_hook)(struct inode *inode,
28020 struct extent_state *new,
28021 struct extent_state *other);
28022 - int (*split_extent_hook)(struct inode *inode,
28023 + int (* const split_extent_hook)(struct inode *inode,
28024 struct extent_state *orig, u64 split);
28025 - int (*write_cache_pages_lock_hook)(struct page *page);
28026 + int (* const write_cache_pages_lock_hook)(struct page *page);
28029 struct extent_io_tree {
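Review bot: `submit_bio_hook` is the one member of struct extent_io_ops left writable: every other hook becomes `int (* const name)(...)`, but `extent_submit_bio_hook_t *submit_bio_hook;` is unchanged. For consistency with the rest of the struct it should read `extent_submit_bio_hook_t * const submit_bio_hook;`. The two instances visible in this patch (`btree_extent_io_ops`, `btrfs_extent_io_ops`) are already declared `static const`, so this only matters for an instance that is not.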
28030 @@ -88,7 +88,7 @@ struct extent_io_tree {
28033 spinlock_t buffer_lock;
28034 - struct extent_io_ops *ops;
28035 + const struct extent_io_ops *ops;
28038 struct extent_state {
28039 diff -urNp linux-2.6.33.1/fs/btrfs/free-space-cache.c linux-2.6.33.1/fs/btrfs/free-space-cache.c
28040 --- linux-2.6.33.1/fs/btrfs/free-space-cache.c 2010-03-15 12:09:39.000000000 -0400
28041 +++ linux-2.6.33.1/fs/btrfs/free-space-cache.c 2010-03-20 16:58:41.392898040 -0400
28042 @@ -1074,8 +1074,6 @@ u64 btrfs_alloc_from_cluster(struct btrf
28045 if (entry->bytes < bytes || entry->offset < min_start) {
28046 - struct rb_node *node;
28048 node = rb_next(&entry->offset_index);
28051 @@ -1226,7 +1224,7 @@ again:
28053 while (entry->bitmap || found_bitmap ||
28054 (!entry->bitmap && entry->bytes < min_bytes)) {
28055 - struct rb_node *node = rb_next(&entry->offset_index);
28056 + node = rb_next(&entry->offset_index);
28058 if (entry->bitmap && entry->bytes > bytes + empty_size) {
28059 ret = btrfs_bitmap_cluster(block_group, entry, cluster,
28060 diff -urNp linux-2.6.33.1/fs/btrfs/inode.c linux-2.6.33.1/fs/btrfs/inode.c
28061 --- linux-2.6.33.1/fs/btrfs/inode.c 2010-03-15 12:09:39.000000000 -0400
28062 +++ linux-2.6.33.1/fs/btrfs/inode.c 2010-03-20 16:58:41.396902904 -0400
28063 @@ -63,7 +63,7 @@ static const struct inode_operations btr
28064 static const struct address_space_operations btrfs_aops;
28065 static const struct address_space_operations btrfs_symlink_aops;
28066 static const struct file_operations btrfs_dir_file_operations;
28067 -static struct extent_io_ops btrfs_extent_io_ops;
28068 +static const struct extent_io_ops btrfs_extent_io_ops;
28070 static struct kmem_cache *btrfs_inode_cachep;
28071 struct kmem_cache *btrfs_trans_handle_cachep;
28072 @@ -5973,7 +5973,7 @@ static const struct file_operations btrf
28073 .fsync = btrfs_sync_file,
28076 -static struct extent_io_ops btrfs_extent_io_ops = {
28077 +static const struct extent_io_ops btrfs_extent_io_ops = {
28078 .fill_delalloc = run_delalloc_range,
28079 .submit_bio_hook = btrfs_submit_bio_hook,
28080 .merge_bio_hook = btrfs_merge_bio_hook,
28081 diff -urNp linux-2.6.33.1/fs/btrfs/sysfs.c linux-2.6.33.1/fs/btrfs/sysfs.c
28082 --- linux-2.6.33.1/fs/btrfs/sysfs.c 2010-03-15 12:09:39.000000000 -0400
28083 +++ linux-2.6.33.1/fs/btrfs/sysfs.c 2010-03-20 16:58:41.404901120 -0400
28084 @@ -164,12 +164,12 @@ static void btrfs_root_release(struct ko
28085 complete(&root->kobj_unregister);
28088 -static struct sysfs_ops btrfs_super_attr_ops = {
28089 +static const struct sysfs_ops btrfs_super_attr_ops = {
28090 .show = btrfs_super_attr_show,
28091 .store = btrfs_super_attr_store,
28094 -static struct sysfs_ops btrfs_root_attr_ops = {
28095 +static const struct sysfs_ops btrfs_root_attr_ops = {
28096 .show = btrfs_root_attr_show,
28097 .store = btrfs_root_attr_store,
28099 diff -urNp linux-2.6.33.1/fs/buffer.c linux-2.6.33.1/fs/buffer.c
28100 --- linux-2.6.33.1/fs/buffer.c 2010-03-15 12:09:39.000000000 -0400
28101 +++ linux-2.6.33.1/fs/buffer.c 2010-03-20 16:58:41.408897047 -0400
28103 #include <linux/percpu.h>
28104 #include <linux/slab.h>
28105 #include <linux/capability.h>
28106 +#include <linux/security.h>
28107 #include <linux/blkdev.h>
28108 #include <linux/file.h>
28109 #include <linux/quotaops.h>
28110 diff -urNp linux-2.6.33.1/fs/cachefiles/daemon.c linux-2.6.33.1/fs/cachefiles/daemon.c
28111 --- linux-2.6.33.1/fs/cachefiles/daemon.c 2010-03-15 12:09:39.000000000 -0400
28112 +++ linux-2.6.33.1/fs/cachefiles/daemon.c 2010-03-20 16:58:41.408897047 -0400
28113 @@ -195,7 +195,7 @@ static ssize_t cachefiles_daemon_read(st
28117 - if (copy_to_user(_buffer, buffer, n) != 0)
28118 + if (n > sizeof(buffer) || copy_to_user(_buffer, buffer, n) != 0)
28122 diff -urNp linux-2.6.33.1/fs/cachefiles/rdwr.c linux-2.6.33.1/fs/cachefiles/rdwr.c
28123 --- linux-2.6.33.1/fs/cachefiles/rdwr.c 2010-03-15 12:09:39.000000000 -0400
28124 +++ linux-2.6.33.1/fs/cachefiles/rdwr.c 2010-03-20 16:58:41.412812404 -0400
28125 @@ -944,7 +944,7 @@ int cachefiles_write_page(struct fscache
28128 ret = file->f_op->write(
28129 - file, (const void __user *) data, len, &pos);
28130 + file, (__force const void __user *) data, len, &pos);
28134 diff -urNp linux-2.6.33.1/fs/cifs/cifs_uniupr.h linux-2.6.33.1/fs/cifs/cifs_uniupr.h
28135 --- linux-2.6.33.1/fs/cifs/cifs_uniupr.h 2010-03-15 12:09:39.000000000 -0400
28136 +++ linux-2.6.33.1/fs/cifs/cifs_uniupr.h 2010-03-20 16:58:41.416893406 -0400
28137 @@ -132,7 +132,7 @@ const struct UniCaseRange CifsUniUpperRa
28138 {0x0490, 0x04cc, UniCaseRangeU0490},
28139 {0x1e00, 0x1ffc, UniCaseRangeU1e00},
28140 {0xff40, 0xff5a, UniCaseRangeUff40},
28146 diff -urNp linux-2.6.33.1/fs/cifs/link.c linux-2.6.33.1/fs/cifs/link.c
28147 --- linux-2.6.33.1/fs/cifs/link.c 2010-03-15 12:09:39.000000000 -0400
28148 +++ linux-2.6.33.1/fs/cifs/link.c 2010-03-20 16:58:41.416893406 -0400
28149 @@ -215,7 +215,7 @@ cifs_symlink(struct inode *inode, struct
28151 void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
28153 - char *p = nd_get_link(nd);
28154 + const char *p = nd_get_link(nd);
28158 diff -urNp linux-2.6.33.1/fs/compat_binfmt_elf.c linux-2.6.33.1/fs/compat_binfmt_elf.c
28159 --- linux-2.6.33.1/fs/compat_binfmt_elf.c 2010-03-15 12:09:39.000000000 -0400
28160 +++ linux-2.6.33.1/fs/compat_binfmt_elf.c 2010-03-20 16:58:41.424927933 -0400
28161 @@ -29,10 +29,12 @@
28167 #define elfhdr elf32_hdr
28168 #define elf_phdr elf32_phdr
28169 #define elf_note elf32_note
28170 +#define elf_dyn Elf32_Dyn
28171 #define elf_addr_t Elf32_Addr
28174 diff -urNp linux-2.6.33.1/fs/compat.c linux-2.6.33.1/fs/compat.c
28175 --- linux-2.6.33.1/fs/compat.c 2010-03-15 12:09:39.000000000 -0400
28176 +++ linux-2.6.33.1/fs/compat.c 2010-03-20 16:58:41.424927933 -0400
28177 @@ -1408,14 +1408,12 @@ static int compat_copy_strings(int argc,
28178 if (!kmapped_page || kpos != (pos & PAGE_MASK)) {
28181 -#ifdef CONFIG_STACK_GROWSUP
28182 ret = expand_stack_downwards(bprm->vma, pos);
28184 /* We've exceed the stack rlimit. */
28189 ret = get_user_pages(current, bprm->mm, pos,
28190 1, 1, 1, &page, NULL);
28192 @@ -1461,6 +1459,11 @@ int compat_do_execve(char * filename,
28193 compat_uptr_t __user *envp,
28194 struct pt_regs * regs)
28196 +#ifdef CONFIG_GRKERNSEC
28197 + struct file *old_exec_file;
28198 + struct acl_subject_label *old_acl;
28199 + struct rlimit old_rlim[RLIM_NLIMITS];
28201 struct linux_binprm *bprm;
28203 struct files_struct *displaced;
28204 @@ -1497,6 +1500,14 @@ int compat_do_execve(char * filename,
28205 bprm->filename = filename;
28206 bprm->interp = filename;
28208 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(¤t->cred->user->processes), 1);
28209 + retval = -EAGAIN;
28210 + if (gr_handle_nproc())
28212 + retval = -EACCES;
28213 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
28216 retval = bprm_mm_init(bprm);
28219 @@ -1526,9 +1537,40 @@ int compat_do_execve(char * filename,
28223 + if (!gr_tpe_allow(file)) {
28224 + retval = -EACCES;
28228 + if (gr_check_crash_exec(file)) {
28229 + retval = -EACCES;
28233 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
28235 + gr_handle_exec_args(bprm, (char __user * __user *)argv);
28237 +#ifdef CONFIG_GRKERNSEC
28238 + old_acl = current->acl;
28239 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
28240 + old_exec_file = current->exec_file;
28242 + current->exec_file = file;
28245 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
28246 + bprm->unsafe & LSM_UNSAFE_SHARE);
28250 retval = search_binary_handler(bprm, regs);
28254 +#ifdef CONFIG_GRKERNSEC
28255 + if (old_exec_file)
28256 + fput(old_exec_file);
28259 current->stack_start = current->mm->start_stack;
28261 @@ -1541,6 +1583,14 @@ int compat_do_execve(char * filename,
28262 put_files_struct(displaced);
28266 +#ifdef CONFIG_GRKERNSEC
28267 + current->acl = old_acl;
28268 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
28269 + fput(current->exec_file);
28270 + current->exec_file = old_exec_file;
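Review bot: The failure path restores `current->signal->rlim` with a whole-array `memcpy` from a snapshot taken earlier in compat_do_execve, and no lock is visible around either copy. `signal->rlim` belongs to the whole thread group, so a limit changed by another thread between the snapshot and the restore would be silently reverted. do_execve in fs/exec.c carries the same save/restore pair. Consider holding the lock the rlimit setters use around both copies (task_lock on the group leader in this kernel, to be confirmed), or restoring only the entries that gr_set_proc_label changed. The labels leading to this block are not shown in the listing, so also confirm that no error path reaches the restore before `old_acl`, `old_rlim` and `old_exec_file` have been assigned.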
28276 diff -urNp linux-2.6.33.1/fs/debugfs/inode.c linux-2.6.33.1/fs/debugfs/inode.c
28277 --- linux-2.6.33.1/fs/debugfs/inode.c 2010-03-15 12:09:39.000000000 -0400
28278 +++ linux-2.6.33.1/fs/debugfs/inode.c 2010-03-20 16:58:41.432715858 -0400
28279 @@ -128,7 +128,7 @@ static inline int debugfs_positive(struc
28281 static int debug_fill_super(struct super_block *sb, void *data, int silent)
28283 - static struct tree_descr debug_files[] = {{""}};
28284 + static struct tree_descr debug_files[] = {{"", NULL, 0}};
28286 return simple_fill_super(sb, DEBUGFS_MAGIC, debug_files);
28288 diff -urNp linux-2.6.33.1/fs/dlm/lockspace.c linux-2.6.33.1/fs/dlm/lockspace.c
28289 --- linux-2.6.33.1/fs/dlm/lockspace.c 2010-03-15 12:09:39.000000000 -0400
28290 +++ linux-2.6.33.1/fs/dlm/lockspace.c 2010-03-20 16:58:41.444895285 -0400
28291 @@ -148,7 +148,7 @@ static void lockspace_kobj_release(struc
28295 -static struct sysfs_ops dlm_attr_ops = {
28296 +static const struct sysfs_ops dlm_attr_ops = {
28297 .show = dlm_attr_show,
28298 .store = dlm_attr_store,
28300 diff -urNp linux-2.6.33.1/fs/ecryptfs/inode.c linux-2.6.33.1/fs/ecryptfs/inode.c
28301 --- linux-2.6.33.1/fs/ecryptfs/inode.c 2010-03-15 12:09:39.000000000 -0400
28302 +++ linux-2.6.33.1/fs/ecryptfs/inode.c 2010-03-20 16:58:41.460901500 -0400
28303 @@ -685,7 +685,7 @@ ecryptfs_readlink(struct dentry *dentry,
28306 rc = lower_dentry->d_inode->i_op->readlink(lower_dentry,
28307 - (char __user *)lower_buf,
28308 + (__force char __user *)lower_buf,
28312 @@ -729,7 +729,7 @@ static void *ecryptfs_follow_link(struct
28316 - rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len);
28317 + rc = dentry->d_inode->i_op->readlink(dentry, (__force char __user *)buf, len);
28321 @@ -744,7 +744,7 @@ out:
28323 ecryptfs_put_link(struct dentry *dentry, struct nameidata *nd, void *ptr)
28325 - char *buf = nd_get_link(nd);
28326 + const char *buf = nd_get_link(nd);
28327 if (!IS_ERR(buf)) {
28328 /* Free the char* */
28330 diff -urNp linux-2.6.33.1/fs/ecryptfs/miscdev.c linux-2.6.33.1/fs/ecryptfs/miscdev.c
28331 --- linux-2.6.33.1/fs/ecryptfs/miscdev.c 2010-03-15 12:09:39.000000000 -0400
28332 +++ linux-2.6.33.1/fs/ecryptfs/miscdev.c 2010-03-20 16:58:41.460901500 -0400
28333 @@ -327,7 +327,7 @@ check_list:
28334 goto out_unlock_msg_ctx;
28336 if (msg_ctx->msg) {
28337 - if (copy_to_user(&buf[i], packet_length, packet_length_size))
28338 + if (packet_length_size > sizeof(packet_length) || copy_to_user(&buf[i], packet_length, packet_length_size))
28339 goto out_unlock_msg_ctx;
28340 i += packet_length_size;
28341 if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
28342 diff -urNp linux-2.6.33.1/fs/exec.c linux-2.6.33.1/fs/exec.c
28343 --- linux-2.6.33.1/fs/exec.c 2010-03-15 12:09:39.000000000 -0400
28344 +++ linux-2.6.33.1/fs/exec.c 2010-03-20 16:58:41.472962075 -0400
28345 @@ -55,12 +55,24 @@
28346 #include <linux/fsnotify.h>
28347 #include <linux/fs_struct.h>
28348 #include <linux/pipe_fs_i.h>
28349 +#include <linux/random.h>
28350 +#include <linux/seq_file.h>
28352 +#ifdef CONFIG_PAX_REFCOUNT
28353 +#include <linux/kallsyms.h>
28354 +#include <linux/kdebug.h>
28357 #include <asm/uaccess.h>
28358 #include <asm/mmu_context.h>
28359 #include <asm/tlb.h>
28360 #include "internal.h"
28362 +#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
28363 +void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
28364 +EXPORT_SYMBOL(pax_set_initial_flags_func);
28368 char core_pattern[CORENAME_MAX_SIZE] = "core";
28369 unsigned int core_pipe_limit;
28370 @@ -114,7 +126,7 @@ SYSCALL_DEFINE1(uselib, const char __use
28373 file = do_filp_open(AT_FDCWD, tmp,
28374 - O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
28375 + O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
28376 MAY_READ | MAY_EXEC | MAY_OPEN);
28378 error = PTR_ERR(file);
28379 @@ -162,18 +174,10 @@ static struct page *get_arg_page(struct
28385 -#ifdef CONFIG_STACK_GROWSUP
28387 - ret = expand_stack_downwards(bprm->vma, pos);
28392 - ret = get_user_pages(current, bprm->mm, pos,
28393 - 1, write, 1, &page, NULL);
28395 + if (0 > expand_stack_downwards(bprm->vma, pos))
28397 + if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
28401 @@ -245,6 +249,11 @@ static int __bprm_mm_init(struct linux_b
28402 vma->vm_end = STACK_TOP_MAX;
28403 vma->vm_start = vma->vm_end - PAGE_SIZE;
28404 vma->vm_flags = VM_STACK_FLAGS;
28406 +#ifdef CONFIG_PAX_SEGMEXEC
28407 + vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
28410 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
28411 err = insert_vm_struct(mm, vma);
28413 @@ -253,6 +262,12 @@ static int __bprm_mm_init(struct linux_b
28414 mm->stack_vm = mm->total_vm = 1;
28415 up_write(&mm->mmap_sem);
28416 bprm->p = vma->vm_end - sizeof(void *);
28418 +#ifdef CONFIG_PAX_RANDUSTACK
28419 + if (randomize_va_space)
28420 + bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
28425 up_write(&mm->mmap_sem);
28426 @@ -474,7 +489,7 @@ int copy_strings_kernel(int argc,char **
28428 mm_segment_t oldfs = get_fs();
28430 - r = copy_strings(argc, (char __user * __user *)argv, bprm);
28431 + r = copy_strings(argc, (__force char __user * __user *)argv, bprm);
28435 @@ -504,7 +519,8 @@ static int shift_arg_pages(struct vm_are
28436 unsigned long new_end = old_end - shift;
28437 struct mmu_gather *tlb;
28439 - BUG_ON(new_start > new_end);
28440 + if (new_start >= new_end || new_start < mmap_min_addr)
28444 * ensure there are no vmas between where we want to go
28445 @@ -513,6 +529,10 @@ static int shift_arg_pages(struct vm_are
28446 if (vma != find_vma(mm, new_start))
28449 +#ifdef CONFIG_PAX_SEGMEXEC
28450 + BUG_ON(pax_find_mirror_vma(vma));
28454 * cover the whole range: [new_start, old_end)
28456 @@ -604,8 +624,28 @@ int setup_arg_pages(struct linux_binprm
28457 bprm->exec -= stack_shift;
28459 down_write(&mm->mmap_sem);
28461 + /* Move stack pages down in memory. */
28462 + if (stack_shift) {
28463 + ret = shift_arg_pages(vma, stack_shift);
28468 vm_flags = VM_STACK_FLAGS;
28470 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
28471 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
28472 + vm_flags &= ~VM_EXEC;
28474 +#ifdef CONFIG_PAX_MPROTECT
28475 + if (mm->pax_flags & MF_PAX_MPROTECT)
28476 + vm_flags &= ~VM_MAYEXEC;
28483 * Adjust stack execute permissions; explicitly enable for
28484 * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone
28485 @@ -623,13 +663,6 @@ int setup_arg_pages(struct linux_binprm
28487 BUG_ON(prev != vma);
28489 - /* Move stack pages down in memory. */
28490 - if (stack_shift) {
28491 - ret = shift_arg_pages(vma, stack_shift);
28496 stack_expand = EXTRA_STACK_VM_PAGES * PAGE_SIZE;
28497 stack_size = vma->vm_end - vma->vm_start;
28499 @@ -666,7 +699,7 @@ struct file *open_exec(const char *name)
28502 file = do_filp_open(AT_FDCWD, name,
28503 - O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
28504 + O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
28505 MAY_EXEC | MAY_OPEN);
28508 @@ -703,7 +736,7 @@ int kernel_read(struct file *file, loff_
28511 /* The cast to a user pointer is valid due to the set_fs() */
28512 - result = vfs_read(file, (void __user *)addr, count, &pos);
28513 + result = vfs_read(file, (__force void __user *)addr, count, &pos);
28517 @@ -1120,7 +1153,7 @@ int check_unsafe_exec(struct linux_binpr
28521 - if (p->fs->users > n_fs) {
28522 + if (atomic_read(&p->fs->users) > n_fs) {
28523 bprm->unsafe |= LSM_UNSAFE_SHARE;
28526 @@ -1316,6 +1349,11 @@ int do_execve(char * filename,
28527 char __user *__user *envp,
28528 struct pt_regs * regs)
28530 +#ifdef CONFIG_GRKERNSEC
28531 + struct file *old_exec_file;
28532 + struct acl_subject_label *old_acl;
28533 + struct rlimit old_rlim[RLIM_NLIMITS];
28535 struct linux_binprm *bprm;
28537 struct files_struct *displaced;
28538 @@ -1352,6 +1390,18 @@ int do_execve(char * filename,
28539 bprm->filename = filename;
28540 bprm->interp = filename;
28542 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(¤t->cred->user->processes), 1);
28544 + if (gr_handle_nproc()) {
28545 + retval = -EAGAIN;
28549 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
28550 + retval = -EACCES;
28554 retval = bprm_mm_init(bprm);
28557 @@ -1381,10 +1431,41 @@ int do_execve(char * filename,
28561 + if (!gr_tpe_allow(file)) {
28562 + retval = -EACCES;
28566 + if (gr_check_crash_exec(file)) {
28567 + retval = -EACCES;
28571 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
28573 + gr_handle_exec_args(bprm, argv);
28575 +#ifdef CONFIG_GRKERNSEC
28576 + old_acl = current->acl;
28577 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
28578 + old_exec_file = current->exec_file;
28580 + current->exec_file = file;
28583 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
28584 + bprm->unsafe & LSM_UNSAFE_SHARE);
28588 current->flags &= ~PF_KTHREAD;
28589 retval = search_binary_handler(bprm,regs);
28593 +#ifdef CONFIG_GRKERNSEC
28594 + if (old_exec_file)
28595 + fput(old_exec_file);
28598 current->stack_start = current->mm->start_stack;
28600 @@ -1397,6 +1478,14 @@ int do_execve(char * filename,
28601 put_files_struct(displaced);
28605 +#ifdef CONFIG_GRKERNSEC
28606 + current->acl = old_acl;
28607 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
28608 + fput(current->exec_file);
28609 + current->exec_file = old_exec_file;
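Review bot: The failure path restores `current->signal->rlim` with a bare `memcpy`, and no lock is visible around it here or around the matching save in the earlier do_execve hunk. The array is reached through `current->signal`, which is presumably shared by the thread group, so a limit changed by another thread between save and restore would be silently overwritten. If that window is real, take the lock the rlimit writers use around both copies, or add a comment such as `/* no other thread can change rlim here because ... */` stating why exec cannot race. The label this block sits under is outside the visible lines.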
28615 @@ -1560,6 +1649,169 @@ out:
28619 +int pax_check_flags(unsigned long *flags)
28623 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
28624 + if (*flags & MF_PAX_SEGMEXEC)
28626 + *flags &= ~MF_PAX_SEGMEXEC;
28627 + retval = -EINVAL;
28631 + if ((*flags & MF_PAX_PAGEEXEC)
28633 +#ifdef CONFIG_PAX_PAGEEXEC
28634 + && (*flags & MF_PAX_SEGMEXEC)
28639 + *flags &= ~MF_PAX_PAGEEXEC;
28640 + retval = -EINVAL;
28643 + if ((*flags & MF_PAX_MPROTECT)
28645 +#ifdef CONFIG_PAX_MPROTECT
28646 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
28651 + *flags &= ~MF_PAX_MPROTECT;
28652 + retval = -EINVAL;
28655 + if ((*flags & MF_PAX_EMUTRAMP)
28657 +#ifdef CONFIG_PAX_EMUTRAMP
28658 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
28663 + *flags &= ~MF_PAX_EMUTRAMP;
28664 + retval = -EINVAL;
28670 +EXPORT_SYMBOL(pax_check_flags);
28672 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
28673 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
28675 + struct task_struct *tsk = current;
28676 + struct mm_struct *mm = current->mm;
28677 + char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
28678 + char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
28679 + char *path_exec = NULL;
28680 + char *path_fault = NULL;
28681 + unsigned long start = 0UL, end = 0UL, offset = 0UL;
28683 + if (buffer_exec && buffer_fault) {
28684 + struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
28686 + down_read(&mm->mmap_sem);
28688 + while (vma && (!vma_exec || !vma_fault)) {
28689 + if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
28691 + if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
28693 + vma = vma->vm_next;
28696 + path_exec = d_path(&vma_exec->vm_file->f_path, buffer_exec, PAGE_SIZE);
28697 + if (IS_ERR(path_exec))
28698 + path_exec = "<path too long>";
28700 + path_exec = mangle_path(buffer_exec, path_exec, "\t\n\\");
28703 + path_exec = buffer_exec;
28705 + path_exec = "<path too long>";
28709 + start = vma_fault->vm_start;
28710 + end = vma_fault->vm_end;
28711 + offset = vma_fault->vm_pgoff << PAGE_SHIFT;
28712 + if (vma_fault->vm_file) {
28713 + path_fault = d_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
28714 + if (IS_ERR(path_fault))
28715 + path_fault = "<path too long>";
28717 + path_fault = mangle_path(buffer_fault, path_fault, "\t\n\\");
28718 + if (path_fault) {
28720 + path_fault = buffer_fault;
28722 + path_fault = "<path too long>";
28725 + path_fault = "<anonymous mapping>";
28727 + up_read(&mm->mmap_sem);
28729 + if (tsk->signal->curr_ip)
28730 + printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
28732 + printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
28733 + printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
28734 + "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
28735 + task_uid(tsk), task_euid(tsk), pc, sp);
28736 + free_page((unsigned long)buffer_exec);
28737 + free_page((unsigned long)buffer_fault);
28738 + pax_report_insns(pc, sp);
28739 + do_coredump(SIGKILL, SIGKILL, regs);
28743 +#ifdef CONFIG_PAX_REFCOUNT
28744 +void pax_report_refcount_overflow(struct pt_regs *regs)
28746 + if (current->signal->curr_ip)
28747 + printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
28748 + ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
28750 + printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
28751 + current->comm, task_pid_nr(current), current_uid(), current_euid());
28752 + print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
28754 + force_sig_info(SIGKILL, SEND_SIG_FORCED, current);
28758 +#ifdef CONFIG_PAX_USERCOPY
28759 +void pax_report_leak_to_user(const void *ptr, unsigned long len)
28761 + if (current->signal->curr_ip)
28762 + printk(KERN_ERR "PAX: From %pI4: kernel memory leak attempt detected from %p (%lu bytes)\n",
28763 + ¤t->signal->curr_ip, ptr, len);
28765 + printk(KERN_ERR "PAX: kernel memory leak attempt detected from %p (%lu bytes)\n", ptr, len);
28767 + do_group_exit(SIGKILL);
28770 +void pax_report_overflow_from_user(const void *ptr, unsigned long len)
28772 + if (current->signal->curr_ip)
28773 + printk(KERN_ERR "PAX: From %pI4: kernel memory overflow attempt detected to %p (%lu bytes)\n",
28774 + ¤t->signal->curr_ip, ptr, len);
28776 + printk(KERN_ERR "PAX: kernel memory overflow attempt detected to %p (%lu bytes)\n", ptr, len);
28778 + do_group_exit(SIGKILL);
28782 static int zap_process(struct task_struct *start)
28784 struct task_struct *t;
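Review bot: `pax_report_fault()` escapes both paths with `mangle_path(..., "\t\n\\")` but prints `tsk->comm` raw in the "terminating task" line, and `pax_report_refcount_overflow()` does the same with `current->comm`. comm can be set by the task itself, so a newline in it can split one PAX record into what looks like separate kernel log lines, which matters for anything that parses these reports. Escape comm the way the paths are escaped before printing, and say so at the call: `/* comm is task-controlled; escape before logging */`. Separately, the message string `refcount overflow occured at` should read `occurred`. Several lines of these functions are missing from this view, so the branches around the path handling could not be checked.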
28785 @@ -1762,17 +2014,17 @@ static void wait_for_dump_helpers(struct
28786 pipe = file->f_path.dentry->d_inode->i_pipe;
28791 + atomic_inc(&pipe->readers);
28792 + atomic_dec(&pipe->writers);
28794 - while ((pipe->readers > 1) && (!signal_pending(current))) {
28795 + while ((atomic_read(&pipe->readers) > 1) && (!signal_pending(current))) {
28796 wake_up_interruptible_sync(&pipe->wait);
28797 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
28803 + atomic_dec(&pipe->readers);
28804 + atomic_inc(&pipe->writers);
28808 @@ -1846,6 +2098,10 @@ void do_coredump(long signr, int exit_co
28810 clear_thread_flag(TIF_SIGPENDING);
28812 + if (signr == SIGKILL || signr == SIGILL)
28813 + gr_handle_brute_attach(current);
28814 + gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
28817 * lock_kernel() because format_corename() is controlled by sysctl, which
28818 * uses lock_kernel()
28819 diff -urNp linux-2.6.33.1/fs/ext2/balloc.c linux-2.6.33.1/fs/ext2/balloc.c
28820 --- linux-2.6.33.1/fs/ext2/balloc.c 2010-03-15 12:09:39.000000000 -0400
28821 +++ linux-2.6.33.1/fs/ext2/balloc.c 2010-03-20 16:58:41.476618429 -0400
28822 @@ -1192,7 +1192,7 @@ static int ext2_has_free_blocks(struct e
28824 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
28825 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
28826 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
28827 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
28828 sbi->s_resuid != current_fsuid() &&
28829 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
28831 diff -urNp linux-2.6.33.1/fs/ext3/balloc.c linux-2.6.33.1/fs/ext3/balloc.c
28832 --- linux-2.6.33.1/fs/ext3/balloc.c 2010-03-15 12:09:39.000000000 -0400
28833 +++ linux-2.6.33.1/fs/ext3/balloc.c 2010-03-20 16:58:41.484909301 -0400
28834 @@ -1421,7 +1421,7 @@ static int ext3_has_free_blocks(struct e
28836 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
28837 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
28838 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
28839 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
28840 sbi->s_resuid != current_fsuid() &&
28841 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
28843 diff -urNp linux-2.6.33.1/fs/ext3/namei.c linux-2.6.33.1/fs/ext3/namei.c
28844 --- linux-2.6.33.1/fs/ext3/namei.c 2010-03-15 12:09:39.000000000 -0400
28845 +++ linux-2.6.33.1/fs/ext3/namei.c 2010-03-20 16:58:41.496970241 -0400
28846 @@ -1168,7 +1168,7 @@ static struct ext3_dir_entry_2 *do_split
28847 char *data1 = (*bh)->b_data, *data2;
28848 unsigned split, move, size;
28849 struct ext3_dir_entry_2 *de = NULL, *de2;
28853 bh2 = ext3_append (handle, dir, &newblock, &err);
28855 diff -urNp linux-2.6.33.1/fs/ext3/xattr.c linux-2.6.33.1/fs/ext3/xattr.c
28856 --- linux-2.6.33.1/fs/ext3/xattr.c 2010-03-15 12:09:39.000000000 -0400
28857 +++ linux-2.6.33.1/fs/ext3/xattr.c 2010-03-20 16:58:41.500911319 -0400
28862 -# define ea_idebug(f...)
28863 -# define ea_bdebug(f...)
28864 +# define ea_idebug(f...) do {} while (0)
28865 +# define ea_bdebug(f...) do {} while (0)
28868 static void ext3_xattr_cache_insert(struct buffer_head *);
28869 diff -urNp linux-2.6.33.1/fs/ext4/balloc.c linux-2.6.33.1/fs/ext4/balloc.c
28870 --- linux-2.6.33.1/fs/ext4/balloc.c 2010-03-15 12:09:39.000000000 -0400
28871 +++ linux-2.6.33.1/fs/ext4/balloc.c 2010-03-20 16:58:41.500911319 -0400
28872 @@ -535,7 +535,7 @@ int ext4_has_free_blocks(struct ext4_sb_
28873 /* Hm, nope. Are (enough) root reserved blocks available? */
28874 if (sbi->s_resuid == current_fsuid() ||
28875 ((sbi->s_resgid != 0) && in_group_p(sbi->s_resgid)) ||
28876 - capable(CAP_SYS_RESOURCE)) {
28877 + capable_nolog(CAP_SYS_RESOURCE)) {
28878 if (free_blocks >= (nblocks + dirty_blocks))
28881 diff -urNp linux-2.6.33.1/fs/ext4/ioctl.c linux-2.6.33.1/fs/ext4/ioctl.c
28882 --- linux-2.6.33.1/fs/ext4/ioctl.c 2010-03-15 12:09:39.000000000 -0400
28883 +++ linux-2.6.33.1/fs/ext4/ioctl.c 2010-03-20 16:58:41.500911319 -0400
28884 @@ -221,6 +221,9 @@ setversion_out:
28885 struct file *donor_filp;
28888 + /* temporary workaround for bugs in here */
28889 + return -EOPNOTSUPP;
28891 if (!(filp->f_mode & FMODE_READ) ||
28892 !(filp->f_mode & FMODE_WRITE))
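Review bot: The added `return -EOPNOTSUPP;` makes the rest of this case unreachable, and the comment `temporary workaround for bugs in here` says neither which bugs nor when the return can be removed. Judging by the `donor_filp` declaration this appears to be the extent-move ioctl, so the operation is switched off for every caller. Name the problem and the removal condition in the comment, e.g. `/* disabled until <issue reference> is fixed; drop this return afterwards */`. The case body starts and ends outside the hunk.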
28894 diff -urNp linux-2.6.33.1/fs/ext4/namei.c linux-2.6.33.1/fs/ext4/namei.c
28895 --- linux-2.6.33.1/fs/ext4/namei.c 2010-03-15 12:09:39.000000000 -0400
28896 +++ linux-2.6.33.1/fs/ext4/namei.c 2010-03-20 16:58:41.504537056 -0400
28897 @@ -1203,7 +1203,7 @@ static struct ext4_dir_entry_2 *do_split
28898 char *data1 = (*bh)->b_data, *data2;
28899 unsigned split, move, size;
28900 struct ext4_dir_entry_2 *de = NULL, *de2;
28904 bh2 = ext4_append (handle, dir, &newblock, &err);
28906 diff -urNp linux-2.6.33.1/fs/ext4/super.c linux-2.6.33.1/fs/ext4/super.c
28907 --- linux-2.6.33.1/fs/ext4/super.c 2010-03-15 12:09:39.000000000 -0400
28908 +++ linux-2.6.33.1/fs/ext4/super.c 2010-03-20 16:58:41.512931908 -0400
28909 @@ -2292,7 +2292,7 @@ static void ext4_sb_release(struct kobje
28913 -static struct sysfs_ops ext4_attr_ops = {
28914 +static const struct sysfs_ops ext4_attr_ops = {
28915 .show = ext4_attr_show,
28916 .store = ext4_attr_store,
28918 diff -urNp linux-2.6.33.1/fs/fcntl.c linux-2.6.33.1/fs/fcntl.c
28919 --- linux-2.6.33.1/fs/fcntl.c 2010-03-15 12:09:39.000000000 -0400
28920 +++ linux-2.6.33.1/fs/fcntl.c 2010-03-20 16:58:41.516920875 -0400
28921 @@ -344,6 +344,7 @@ static long do_fcntl(int fd, unsigned in
28924 case F_DUPFD_CLOEXEC:
28925 + gr_learn_resource(current, RLIMIT_NOFILE, arg, 0);
28926 if (arg >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
28928 err = alloc_fd(arg, cmd == F_DUPFD_CLOEXEC ? O_CLOEXEC : 0);
28929 @@ -500,7 +501,8 @@ static inline int sigio_perm(struct task
28930 ret = ((fown->euid == 0 ||
28931 fown->euid == cred->suid || fown->euid == cred->uid ||
28932 fown->uid == cred->suid || fown->uid == cred->uid) &&
28933 - !security_file_send_sigiotask(p, fown, sig));
28934 + !security_file_send_sigiotask(p, fown, sig) &&
28935 + !gr_check_protected_task(p) && !gr_pid_is_chrooted(p));
28939 diff -urNp linux-2.6.33.1/fs/fifo.c linux-2.6.33.1/fs/fifo.c
28940 --- linux-2.6.33.1/fs/fifo.c 2010-03-15 12:09:39.000000000 -0400
28941 +++ linux-2.6.33.1/fs/fifo.c 2010-03-20 16:58:41.516920875 -0400
28942 @@ -59,10 +59,10 @@ static int fifo_open(struct inode *inode
28944 filp->f_op = &read_pipefifo_fops;
28946 - if (pipe->readers++ == 0)
28947 + if (atomic_inc_return(&pipe->readers) == 1)
28948 wake_up_partner(inode);
28950 - if (!pipe->writers) {
28951 + if (!atomic_read(&pipe->writers)) {
28952 if ((filp->f_flags & O_NONBLOCK)) {
28953 /* suppress POLLHUP until we have
28955 @@ -83,15 +83,15 @@ static int fifo_open(struct inode *inode
28956 * errno=ENXIO when there is no process reading the FIFO.
28959 - if ((filp->f_flags & O_NONBLOCK) && !pipe->readers)
28960 + if ((filp->f_flags & O_NONBLOCK) && !atomic_read(&pipe->readers))
28963 filp->f_op = &write_pipefifo_fops;
28965 - if (!pipe->writers++)
28966 + if (atomic_inc_return(&pipe->writers) == 1)
28967 wake_up_partner(inode);
28969 - if (!pipe->readers) {
28970 + if (!atomic_read(&pipe->readers)) {
28971 wait_for_partner(inode, &pipe->r_counter);
28972 if (signal_pending(current))
28974 @@ -107,11 +107,11 @@ static int fifo_open(struct inode *inode
28976 filp->f_op = &rdwr_pipefifo_fops;
28980 + atomic_inc(&pipe->readers);
28981 + atomic_inc(&pipe->writers);
28984 - if (pipe->readers == 1 || pipe->writers == 1)
28985 + if (atomic_read(&pipe->readers) == 1 || atomic_read(&pipe->writers) == 1)
28986 wake_up_partner(inode);
28989 @@ -125,19 +125,19 @@ static int fifo_open(struct inode *inode
28993 - if (!--pipe->readers)
28994 + if (atomic_dec_and_test(&pipe->readers))
28995 wake_up_interruptible(&pipe->wait);
28996 ret = -ERESTARTSYS;
29000 - if (!--pipe->writers)
29001 + if (atomic_dec_and_test(&pipe->writers))
29002 wake_up_interruptible(&pipe->wait);
29003 ret = -ERESTARTSYS;
29007 - if (!pipe->readers && !pipe->writers)
29008 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers))
29009 free_pipe_info(inode);
29012 diff -urNp linux-2.6.33.1/fs/file.c linux-2.6.33.1/fs/file.c
29013 --- linux-2.6.33.1/fs/file.c 2010-03-15 12:09:39.000000000 -0400
29014 +++ linux-2.6.33.1/fs/file.c 2010-03-20 16:58:41.516920875 -0400
29016 #include <linux/slab.h>
29017 #include <linux/vmalloc.h>
29018 #include <linux/file.h>
29019 +#include <linux/security.h>
29020 #include <linux/fdtable.h>
29021 #include <linux/bitops.h>
29022 #include <linux/interrupt.h>
29023 @@ -257,6 +258,8 @@ int expand_files(struct files_struct *fi
29024 * N.B. For clone tasks sharing a files structure, this test
29025 * will limit the total number of files that can be opened.
29028 + gr_learn_resource(current, RLIMIT_NOFILE, nr, 0);
29029 if (nr >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
29032 diff -urNp linux-2.6.33.1/fs/fs_struct.c linux-2.6.33.1/fs/fs_struct.c
29033 --- linux-2.6.33.1/fs/fs_struct.c 2010-03-15 12:09:39.000000000 -0400
29034 +++ linux-2.6.33.1/fs/fs_struct.c 2010-03-20 16:58:41.516920875 -0400
29035 @@ -45,10 +45,12 @@ void chroot_fs_refs(struct path *old_roo
29036 struct task_struct *g, *p;
29037 struct fs_struct *fs;
29039 + unsigned long flags;
29041 read_lock(&tasklist_lock);
29042 do_each_thread(g, p) {
29044 + gr_fs_write_lock_irqsave(p, flags);
29047 write_lock(&fs->lock);
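Review bot: `gr_fs_write_lock_irqsave(p, flags)` is introduced here with no comment on what it protects or why interrupts must be disabled, while the `fs->lock` it wraps is still taken with plain `write_lock`. The same pair is added in exit_fs, unshare_fs_struct and daemonize_fs_struct further down, always outside `fs->lock` and, where visible, inside `task_lock`. A short comment at this first use would make the ordering reviewable, e.g. `/* lock order: task_lock -> gr fs lock (irqs off) -> fs->lock */`, adjusted to what the helper's definition actually requires. The helper is defined outside this view and the loop body continues past the hunk.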
29048 @@ -66,6 +68,7 @@ void chroot_fs_refs(struct path *old_roo
29050 write_unlock(&fs->lock);
29052 + gr_fs_write_unlock_irqrestore(p, flags);
29054 } while_each_thread(g, p);
29055 read_unlock(&tasklist_lock);
29056 @@ -83,14 +86,17 @@ void free_fs_struct(struct fs_struct *fs
29057 void exit_fs(struct task_struct *tsk)
29059 struct fs_struct *fs = tsk->fs;
29060 + unsigned long flags;
29065 + gr_fs_write_lock_irqsave(tsk, flags);
29066 write_lock(&fs->lock);
29068 - kill = !--fs->users;
29069 + kill = !atomic_dec_return(&fs->users);
29070 write_unlock(&fs->lock);
29071 + gr_fs_write_unlock_irqrestore(tsk, flags);
29074 free_fs_struct(fs);
29075 @@ -102,7 +108,7 @@ struct fs_struct *copy_fs_struct(struct
29076 struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
29077 /* We don't need to lock fs - think why ;-) */
29080 + atomic_set(&fs->users, 1);
29082 rwlock_init(&fs->lock);
29083 fs->umask = old->umask;
29084 @@ -121,15 +127,18 @@ int unshare_fs_struct(void)
29085 struct fs_struct *fs = current->fs;
29086 struct fs_struct *new_fs = copy_fs_struct(fs);
29088 + unsigned long flags;
29093 task_lock(current);
29094 + gr_fs_write_lock_irqsave(current, flags);
29095 write_lock(&fs->lock);
29096 - kill = !--fs->users;
29097 + kill = !atomic_dec_return(&fs->users);
29098 current->fs = new_fs;
29099 write_unlock(&fs->lock);
29100 + gr_fs_write_unlock_irqrestore(current, flags);
29101 task_unlock(current);
29104 @@ -147,7 +156,7 @@ EXPORT_SYMBOL(current_umask);
29106 /* to be mentioned only in INIT_TASK */
29107 struct fs_struct init_fs = {
29109 + .users = ATOMIC_INIT(1),
29110 .lock = __RW_LOCK_UNLOCKED(init_fs.lock),
29113 @@ -155,6 +164,7 @@ struct fs_struct init_fs = {
29114 void daemonize_fs_struct(void)
29116 struct fs_struct *fs = current->fs;
29117 + unsigned long flags;
29121 @@ -162,13 +172,15 @@ void daemonize_fs_struct(void)
29122 task_lock(current);
29124 write_lock(&init_fs.lock);
29126 + atomic_inc(&init_fs.users);
29127 write_unlock(&init_fs.lock);
29129 + gr_fs_write_lock_irqsave(current, flags);
29130 write_lock(&fs->lock);
29131 current->fs = &init_fs;
29132 - kill = !--fs->users;
29133 + kill = !atomic_dec_return(&fs->users);
29134 write_unlock(&fs->lock);
29135 + gr_fs_write_unlock_irqrestore(current, flags);
29137 task_unlock(current);
29139 diff -urNp linux-2.6.33.1/fs/fuse/control.c linux-2.6.33.1/fs/fuse/control.c
29140 --- linux-2.6.33.1/fs/fuse/control.c 2010-03-15 12:09:39.000000000 -0400
29141 +++ linux-2.6.33.1/fs/fuse/control.c 2010-03-20 16:58:41.520615009 -0400
29142 @@ -293,7 +293,7 @@ void fuse_ctl_remove_conn(struct fuse_co
29144 static int fuse_ctl_fill_super(struct super_block *sb, void *data, int silent)
29146 - struct tree_descr empty_descr = {""};
29147 + struct tree_descr empty_descr = {"", NULL, 0};
29148 struct fuse_conn *fc;
29151 diff -urNp linux-2.6.33.1/fs/fuse/cuse.c linux-2.6.33.1/fs/fuse/cuse.c
29152 --- linux-2.6.33.1/fs/fuse/cuse.c 2010-03-15 12:09:39.000000000 -0400
29153 +++ linux-2.6.33.1/fs/fuse/cuse.c 2010-03-20 16:58:41.520615009 -0400
29154 @@ -528,8 +528,18 @@ static int cuse_channel_release(struct i
29158 -static struct file_operations cuse_channel_fops; /* initialized during init */
29160 +static const struct file_operations cuse_channel_fops = { /* initialized during init */
29161 + .owner = THIS_MODULE,
29162 + .llseek = no_llseek,
29163 + .read = do_sync_read,
29164 + .aio_read = fuse_dev_read,
29165 + .write = do_sync_write,
29166 + .aio_write = fuse_dev_write,
29167 + .poll = fuse_dev_poll,
29168 + .open = cuse_channel_open,
29169 + .release = cuse_channel_release,
29170 + .fasync = fuse_dev_fasync,
29173 /**************************************************************************
29174 * Misc stuff and module initializatiion
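Review bot: `cuse_channel_fops` used to be copied from `fuse_dev_operations` at init and now lists its members by hand, so a handler later added to `fuse_dev_operations` would silently be missing from the CUSE channel. The trailing comment `/* initialized during init */` is also no longer true for a statically initialized const table. Replace it with something like `/* mirrors fuse_dev_operations except .open/.release; keep the two in sync */`. The cost of the const table is that fuse_dev_read, fuse_dev_write, fuse_dev_poll and fuse_dev_fasync lose `static` and gain `EXPORT_SYMBOL_GPL` in fs/fuse/dev.c, which deserves a one-line comment at those exports.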
29175 @@ -575,12 +585,6 @@ static int __init cuse_init(void)
29176 for (i = 0; i < CUSE_CONNTBL_LEN; i++)
29177 INIT_LIST_HEAD(&cuse_conntbl[i]);
29179 - /* inherit and extend fuse_dev_operations */
29180 - cuse_channel_fops = fuse_dev_operations;
29181 - cuse_channel_fops.owner = THIS_MODULE;
29182 - cuse_channel_fops.open = cuse_channel_open;
29183 - cuse_channel_fops.release = cuse_channel_release;
29185 cuse_class = class_create(THIS_MODULE, "cuse");
29186 if (IS_ERR(cuse_class))
29187 return PTR_ERR(cuse_class);
29188 diff -urNp linux-2.6.33.1/fs/fuse/dev.c linux-2.6.33.1/fs/fuse/dev.c
29189 --- linux-2.6.33.1/fs/fuse/dev.c 2010-03-15 12:09:39.000000000 -0400
29190 +++ linux-2.6.33.1/fs/fuse/dev.c 2010-03-20 16:58:41.524892399 -0400
29191 @@ -745,7 +745,7 @@ __releases(&fc->lock)
29192 * request_end(). Otherwise add it to the processing list, and set
29195 -static ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
29196 +ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
29197 unsigned long nr_segs, loff_t pos)
29200 @@ -828,6 +828,8 @@ static ssize_t fuse_dev_read(struct kioc
29204 +EXPORT_SYMBOL_GPL(fuse_dev_read);
29206 static int fuse_notify_poll(struct fuse_conn *fc, unsigned int size,
29207 struct fuse_copy_state *cs)
29209 @@ -885,7 +887,7 @@ static int fuse_notify_inval_entry(struc
29211 struct fuse_notify_inval_entry_out outarg;
29213 - char buf[FUSE_NAME_MAX+1];
29214 + char *buf = NULL;
29217 if (size < sizeof(outarg))
29218 @@ -899,6 +901,11 @@ static int fuse_notify_inval_entry(struc
29219 if (outarg.namelen > FUSE_NAME_MAX)
29223 + buf = kmalloc(FUSE_NAME_MAX+1, GFP_KERNEL);
29228 name.len = outarg.namelen;
29229 err = fuse_copy_one(cs, buf, outarg.namelen + 1);
29230 @@ -910,17 +917,15 @@ static int fuse_notify_inval_entry(struc
29232 down_read(&fc->killsb);
29237 - err = fuse_reverse_inval_entry(fc->sb, outarg.parent, &name);
29241 + err = fuse_reverse_inval_entry(fc->sb, outarg.parent, &name);
29242 up_read(&fc->killsb);
29247 fuse_copy_finish(cs);
29252 @@ -987,7 +992,7 @@ static int copy_out_args(struct fuse_cop
29253 * it from the list and copy the rest of the buffer to the request.
29254 * The request is finished by calling request_end()
29256 -static ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
29257 +ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
29258 unsigned long nr_segs, loff_t pos)
29261 @@ -1084,7 +1089,9 @@ static ssize_t fuse_dev_write(struct kio
29265 -static unsigned fuse_dev_poll(struct file *file, poll_table *wait)
29266 +EXPORT_SYMBOL_GPL(fuse_dev_write);
29268 +unsigned fuse_dev_poll(struct file *file, poll_table *wait)
29270 unsigned mask = POLLOUT | POLLWRNORM;
29271 struct fuse_conn *fc = fuse_get_conn(file);
29272 @@ -1103,6 +1110,8 @@ static unsigned fuse_dev_poll(struct fil
29276 +EXPORT_SYMBOL_GPL(fuse_dev_poll);
29279 * Abort all requests on the given list (pending or processing)
29281 @@ -1210,7 +1219,7 @@ int fuse_dev_release(struct inode *inode
29283 EXPORT_SYMBOL_GPL(fuse_dev_release);
29285 -static int fuse_dev_fasync(int fd, struct file *file, int on)
29286 +int fuse_dev_fasync(int fd, struct file *file, int on)
29288 struct fuse_conn *fc = fuse_get_conn(file);
29290 @@ -1220,6 +1229,8 @@ static int fuse_dev_fasync(int fd, struc
29291 return fasync_helper(fd, file, on, &fc->fasync);
29294 +EXPORT_SYMBOL_GPL(fuse_dev_fasync);
29296 const struct file_operations fuse_dev_operations = {
29297 .owner = THIS_MODULE,
29298 .llseek = no_llseek,
29299 diff -urNp linux-2.6.33.1/fs/fuse/dir.c linux-2.6.33.1/fs/fuse/dir.c
29300 --- linux-2.6.33.1/fs/fuse/dir.c 2010-03-15 12:09:39.000000000 -0400
29301 +++ linux-2.6.33.1/fs/fuse/dir.c 2010-03-20 16:58:41.528872982 -0400
29302 @@ -1127,7 +1127,7 @@ static char *read_link(struct dentry *de
29306 -static void free_link(char *link)
29307 +static void free_link(const char *link)
29310 free_page((unsigned long) link);
29311 diff -urNp linux-2.6.33.1/fs/fuse/fuse_i.h linux-2.6.33.1/fs/fuse/fuse_i.h
29312 --- linux-2.6.33.1/fs/fuse/fuse_i.h 2010-03-15 12:09:39.000000000 -0400
29313 +++ linux-2.6.33.1/fs/fuse/fuse_i.h 2010-03-20 16:58:41.532912913 -0400
29314 @@ -521,6 +521,16 @@ extern const struct file_operations fuse
29316 extern const struct dentry_operations fuse_dentry_operations;
29318 +extern ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
29319 + unsigned long nr_segs, loff_t pos);
29321 +extern ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
29322 + unsigned long nr_segs, loff_t pos);
29324 +extern unsigned fuse_dev_poll(struct file *file, poll_table *wait);
29326 +extern int fuse_dev_fasync(int fd, struct file *file, int on);
29329 * Inode to nodeid comparison.
29331 diff -urNp linux-2.6.33.1/fs/gfs2/sys.c linux-2.6.33.1/fs/gfs2/sys.c
29332 --- linux-2.6.33.1/fs/gfs2/sys.c 2010-03-15 12:09:39.000000000 -0400
29333 +++ linux-2.6.33.1/fs/gfs2/sys.c 2010-03-20 16:58:41.563618654 -0400
29334 @@ -49,7 +49,7 @@ static ssize_t gfs2_attr_store(struct ko
29335 return a->store ? a->store(sdp, buf, len) : len;
29338 -static struct sysfs_ops gfs2_attr_ops = {
29339 +static const struct sysfs_ops gfs2_attr_ops = {
29340 .show = gfs2_attr_show,
29341 .store = gfs2_attr_store,
29343 @@ -576,7 +576,7 @@ static int gfs2_uevent(struct kset *kset
29347 -static struct kset_uevent_ops gfs2_uevent_ops = {
29348 +static const struct kset_uevent_ops gfs2_uevent_ops = {
29349 .uevent = gfs2_uevent,
29352 diff -urNp linux-2.6.33.1/fs/hfs/inode.c linux-2.6.33.1/fs/hfs/inode.c
29353 --- linux-2.6.33.1/fs/hfs/inode.c 2010-03-15 12:09:39.000000000 -0400
29354 +++ linux-2.6.33.1/fs/hfs/inode.c 2010-03-20 16:58:41.564527258 -0400
29355 @@ -423,7 +423,7 @@ int hfs_write_inode(struct inode *inode,
29357 if (S_ISDIR(main_inode->i_mode)) {
29358 if (fd.entrylength < sizeof(struct hfs_cat_dir))
29361 hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
29362 sizeof(struct hfs_cat_dir));
29363 if (rec.type != HFS_CDR_DIR ||
29364 @@ -444,7 +444,7 @@ int hfs_write_inode(struct inode *inode,
29365 sizeof(struct hfs_cat_file));
29367 if (fd.entrylength < sizeof(struct hfs_cat_file))
29370 hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
29371 sizeof(struct hfs_cat_file));
29372 if (rec.type != HFS_CDR_FIL ||
29373 diff -urNp linux-2.6.33.1/fs/hfsplus/inode.c linux-2.6.33.1/fs/hfsplus/inode.c
29374 --- linux-2.6.33.1/fs/hfsplus/inode.c 2010-03-15 12:09:39.000000000 -0400
29375 +++ linux-2.6.33.1/fs/hfsplus/inode.c 2010-03-20 16:58:41.564527258 -0400
29376 @@ -406,7 +406,7 @@ int hfsplus_cat_read_inode(struct inode
29377 struct hfsplus_cat_folder *folder = &entry.folder;
29379 if (fd->entrylength < sizeof(struct hfsplus_cat_folder))
29382 hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
29383 sizeof(struct hfsplus_cat_folder));
29384 hfsplus_get_perms(inode, &folder->permissions, 1);
29385 @@ -423,7 +423,7 @@ int hfsplus_cat_read_inode(struct inode
29386 struct hfsplus_cat_file *file = &entry.file;
29388 if (fd->entrylength < sizeof(struct hfsplus_cat_file))
29391 hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
29392 sizeof(struct hfsplus_cat_file));
29394 @@ -479,7 +479,7 @@ int hfsplus_cat_write_inode(struct inode
29395 struct hfsplus_cat_folder *folder = &entry.folder;
29397 if (fd.entrylength < sizeof(struct hfsplus_cat_folder))
29400 hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
29401 sizeof(struct hfsplus_cat_folder));
29402 /* simple node checks? */
29403 @@ -501,7 +501,7 @@ int hfsplus_cat_write_inode(struct inode
29404 struct hfsplus_cat_file *file = &entry.file;
29406 if (fd.entrylength < sizeof(struct hfsplus_cat_file))
29409 hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
29410 sizeof(struct hfsplus_cat_file));
29411 hfsplus_inode_write_fork(inode, &file->data_fork);
29412 diff -urNp linux-2.6.33.1/fs/ioctl.c linux-2.6.33.1/fs/ioctl.c
29413 --- linux-2.6.33.1/fs/ioctl.c 2010-03-15 12:09:39.000000000 -0400
29414 +++ linux-2.6.33.1/fs/ioctl.c 2010-03-20 16:58:41.564527258 -0400
29415 @@ -97,7 +97,7 @@ int fiemap_fill_next_extent(struct fiema
29416 u64 phys, u64 len, u32 flags)
29418 struct fiemap_extent extent;
29419 - struct fiemap_extent *dest = fieinfo->fi_extents_start;
29420 + struct fiemap_extent __user *dest = fieinfo->fi_extents_start;
29422 /* only count the extents */
29423 if (fieinfo->fi_extents_max == 0) {
29424 @@ -207,7 +207,7 @@ static int ioctl_fiemap(struct file *fil
29426 fieinfo.fi_flags = fiemap.fm_flags;
29427 fieinfo.fi_extents_max = fiemap.fm_extent_count;
29428 - fieinfo.fi_extents_start = (struct fiemap_extent *)(arg + sizeof(fiemap));
29429 + fieinfo.fi_extents_start = (struct fiemap_extent __user *)(arg + sizeof(fiemap));
29431 if (fiemap.fm_extent_count != 0 &&
29432 !access_ok(VERIFY_WRITE, fieinfo.fi_extents_start,
29433 @@ -220,7 +220,7 @@ static int ioctl_fiemap(struct file *fil
29434 error = inode->i_op->fiemap(inode, &fieinfo, fiemap.fm_start, len);
29435 fiemap.fm_flags = fieinfo.fi_flags;
29436 fiemap.fm_mapped_extents = fieinfo.fi_extents_mapped;
29437 - if (copy_to_user((char *)arg, &fiemap, sizeof(fiemap)))
29438 + if (copy_to_user((__force char __user *)arg, &fiemap, sizeof(fiemap)))
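Review bot: The two casts of `arg` in ioctl_fiemap are annotated differently: `(struct fiemap_extent __user *)(arg + sizeof(fiemap))` in the previous hunk carries no `__force`, while `copy_to_user((__force char __user *)arg, ...)` here does. `arg` is used as an integer in both places, so as far as I can tell `__force` is needed for neither, and keeping it only masks a later address-space mistake on this line. Use the same form in both, e.g. `if (copy_to_user((char __user *)arg, &fiemap, sizeof(fiemap)))`. The function body continues outside the hunk.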
29442 diff -urNp linux-2.6.33.1/fs/jffs2/debug.h linux-2.6.33.1/fs/jffs2/debug.h
29443 --- linux-2.6.33.1/fs/jffs2/debug.h 2010-03-15 12:09:39.000000000 -0400
29444 +++ linux-2.6.33.1/fs/jffs2/debug.h 2010-03-20 16:58:41.564527258 -0400
29445 @@ -52,13 +52,13 @@
29446 #if CONFIG_JFFS2_FS_DEBUG > 0
29450 +#define D1(x) do {} while (0);
29453 #if CONFIG_JFFS2_FS_DEBUG > 1
29457 +#define D2(x) do {} while (0);
29460 /* The prefixes of JFFS2 messages */
29461 @@ -114,73 +114,73 @@
29462 #ifdef JFFS2_DBG_READINODE_MESSAGES
29463 #define dbg_readinode(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29465 -#define dbg_readinode(fmt, ...)
29466 +#define dbg_readinode(fmt, ...) do {} while (0)
29468 #ifdef JFFS2_DBG_READINODE2_MESSAGES
29469 #define dbg_readinode2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29471 -#define dbg_readinode2(fmt, ...)
29472 +#define dbg_readinode2(fmt, ...) do {} while (0)
29475 /* Fragtree build debugging messages */
29476 #ifdef JFFS2_DBG_FRAGTREE_MESSAGES
29477 #define dbg_fragtree(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29479 -#define dbg_fragtree(fmt, ...)
29480 +#define dbg_fragtree(fmt, ...) do {} while (0)
29482 #ifdef JFFS2_DBG_FRAGTREE2_MESSAGES
29483 #define dbg_fragtree2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29485 -#define dbg_fragtree2(fmt, ...)
29486 +#define dbg_fragtree2(fmt, ...) do {} while (0)
29489 /* Directory entry list manilulation debugging messages */
29490 #ifdef JFFS2_DBG_DENTLIST_MESSAGES
29491 #define dbg_dentlist(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29493 -#define dbg_dentlist(fmt, ...)
29494 +#define dbg_dentlist(fmt, ...) do {} while (0)
29497 /* Print the messages about manipulating node_refs */
29498 #ifdef JFFS2_DBG_NODEREF_MESSAGES
29499 #define dbg_noderef(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29501 -#define dbg_noderef(fmt, ...)
29502 +#define dbg_noderef(fmt, ...) do {} while (0)
29505 /* Manipulations with the list of inodes (JFFS2 inocache) */
29506 #ifdef JFFS2_DBG_INOCACHE_MESSAGES
29507 #define dbg_inocache(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29509 -#define dbg_inocache(fmt, ...)
29510 +#define dbg_inocache(fmt, ...) do {} while (0)
29513 /* Summary debugging messages */
29514 #ifdef JFFS2_DBG_SUMMARY_MESSAGES
29515 #define dbg_summary(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29517 -#define dbg_summary(fmt, ...)
29518 +#define dbg_summary(fmt, ...) do {} while (0)
29521 /* File system build messages */
29522 #ifdef JFFS2_DBG_FSBUILD_MESSAGES
29523 #define dbg_fsbuild(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29525 -#define dbg_fsbuild(fmt, ...)
29526 +#define dbg_fsbuild(fmt, ...) do {} while (0)
29529 /* Watch the object allocations */
29530 #ifdef JFFS2_DBG_MEMALLOC_MESSAGES
29531 #define dbg_memalloc(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29533 -#define dbg_memalloc(fmt, ...)
29534 +#define dbg_memalloc(fmt, ...) do {} while (0)
29537 /* Watch the XATTR subsystem */
29538 #ifdef JFFS2_DBG_XATTR_MESSAGES
29539 #define dbg_xattr(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29541 -#define dbg_xattr(fmt, ...)
29542 +#define dbg_xattr(fmt, ...) do {} while (0)
29545 /* "Sanity" checks */
29546 diff -urNp linux-2.6.33.1/fs/jffs2/erase.c linux-2.6.33.1/fs/jffs2/erase.c
29547 --- linux-2.6.33.1/fs/jffs2/erase.c 2010-03-15 12:09:39.000000000 -0400
29548 +++ linux-2.6.33.1/fs/jffs2/erase.c 2010-03-20 16:58:41.588752321 -0400
29549 @@ -434,7 +434,8 @@ static void jffs2_mark_erased_block(stru
29550 struct jffs2_unknown_node marker = {
29551 .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
29552 .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
29553 - .totlen = cpu_to_je32(c->cleanmarker_size)
29554 + .totlen = cpu_to_je32(c->cleanmarker_size),
29555 + .hdr_crc = cpu_to_je32(0)
29558 jffs2_prealloc_raw_node_refs(c, jeb, 1);
29559 diff -urNp linux-2.6.33.1/fs/jffs2/summary.h linux-2.6.33.1/fs/jffs2/summary.h
29560 --- linux-2.6.33.1/fs/jffs2/summary.h 2010-03-15 12:09:39.000000000 -0400
29561 +++ linux-2.6.33.1/fs/jffs2/summary.h 2010-03-20 16:58:41.588752321 -0400
29562 @@ -194,18 +194,18 @@ int jffs2_sum_scan_sumnode(struct jffs2_
29564 #define jffs2_sum_active() (0)
29565 #define jffs2_sum_init(a) (0)
29566 -#define jffs2_sum_exit(a)
29567 -#define jffs2_sum_disable_collecting(a)
29568 +#define jffs2_sum_exit(a) do {} while (0)
29569 +#define jffs2_sum_disable_collecting(a) do {} while (0)
29570 #define jffs2_sum_is_disabled(a) (0)
29571 -#define jffs2_sum_reset_collected(a)
29572 +#define jffs2_sum_reset_collected(a) do {} while (0)
29573 #define jffs2_sum_add_kvec(a,b,c,d) (0)
29574 -#define jffs2_sum_move_collected(a,b)
29575 +#define jffs2_sum_move_collected(a,b) do {} while (0)
29576 #define jffs2_sum_write_sumnode(a) (0)
29577 -#define jffs2_sum_add_padding_mem(a,b)
29578 -#define jffs2_sum_add_inode_mem(a,b,c)
29579 -#define jffs2_sum_add_dirent_mem(a,b,c)
29580 -#define jffs2_sum_add_xattr_mem(a,b,c)
29581 -#define jffs2_sum_add_xref_mem(a,b,c)
29582 +#define jffs2_sum_add_padding_mem(a,b) do {} while (0)
29583 +#define jffs2_sum_add_inode_mem(a,b,c) do {} while (0)
29584 +#define jffs2_sum_add_dirent_mem(a,b,c) do {} while (0)
29585 +#define jffs2_sum_add_xattr_mem(a,b,c) do {} while (0)
29586 +#define jffs2_sum_add_xref_mem(a,b,c) do {} while (0)
29587 #define jffs2_sum_scan_sumnode(a,b,c,d,e) (0)
29589 #endif /* CONFIG_JFFS2_SUMMARY */
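Review bot: The void stubs in what appears to be the summary-disabled branch (`jffs2_sum_exit` through `jffs2_sum_add_xref_mem`) remain macros that discard their arguments, so an argument of the wrong type, or a variable used only in such a call, goes unnoticed when the summary code is configured out. `do {} while (0)` fixes the empty-statement problem but not that one. Empty inline functions would cover both, e.g. `static inline void jffs2_sum_exit(struct jffs2_sb_info *c) { }`, taking the parameter types from the real prototypes earlier in this header. The value-returning stubs (`(0)`) could be converted the same way for consistency.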
29590 diff -urNp linux-2.6.33.1/fs/jffs2/wbuf.c linux-2.6.33.1/fs/jffs2/wbuf.c
29591 --- linux-2.6.33.1/fs/jffs2/wbuf.c 2010-03-15 12:09:39.000000000 -0400
29592 +++ linux-2.6.33.1/fs/jffs2/wbuf.c 2010-03-20 16:58:41.588752321 -0400
29593 @@ -1012,7 +1012,8 @@ static const struct jffs2_unknown_node o
29595 .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
29596 .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
29597 - .totlen = constant_cpu_to_je32(8)
29598 + .totlen = constant_cpu_to_je32(8),
29599 + .hdr_crc = constant_cpu_to_je32(0)
29603 diff -urNp linux-2.6.33.1/fs/lockd/svc.c linux-2.6.33.1/fs/lockd/svc.c
29604 --- linux-2.6.33.1/fs/lockd/svc.c 2010-03-15 12:09:39.000000000 -0400
29605 +++ linux-2.6.33.1/fs/lockd/svc.c 2010-03-20 16:58:41.588752321 -0400
29608 static struct svc_program nlmsvc_program;
29610 -struct nlmsvc_binding * nlmsvc_ops;
29611 +const struct nlmsvc_binding * nlmsvc_ops;
29612 EXPORT_SYMBOL_GPL(nlmsvc_ops);
29614 static DEFINE_MUTEX(nlmsvc_mutex);
29615 diff -urNp linux-2.6.33.1/fs/locks.c linux-2.6.33.1/fs/locks.c
29616 --- linux-2.6.33.1/fs/locks.c 2010-03-15 12:09:39.000000000 -0400
29617 +++ linux-2.6.33.1/fs/locks.c 2010-03-20 16:58:41.600927747 -0400
29618 @@ -2007,16 +2007,16 @@ void locks_remove_flock(struct file *fil
29621 if (filp->f_op && filp->f_op->flock) {
29622 - struct file_lock fl = {
29623 + struct file_lock flock = {
29624 .fl_pid = current->tgid,
29626 .fl_flags = FL_FLOCK,
29627 .fl_type = F_UNLCK,
29628 .fl_end = OFFSET_MAX,
29630 - filp->f_op->flock(filp, F_SETLKW, &fl);
29631 - if (fl.fl_ops && fl.fl_ops->fl_release_private)
29632 - fl.fl_ops->fl_release_private(&fl);
29633 + filp->f_op->flock(filp, F_SETLKW, &flock);
29634 + if (flock.fl_ops && flock.fl_ops->fl_release_private)
29635 + flock.fl_ops->fl_release_private(&flock);
29639 diff -urNp linux-2.6.33.1/fs/namei.c linux-2.6.33.1/fs/namei.c
29640 --- linux-2.6.33.1/fs/namei.c 2010-03-15 12:09:39.000000000 -0400
29641 +++ linux-2.6.33.1/fs/namei.c 2010-03-20 16:58:41.612934232 -0400
29642 @@ -565,7 +565,7 @@ static __always_inline int __do_follow_l
29643 cookie = dentry->d_inode->i_op->follow_link(dentry, nd);
29644 error = PTR_ERR(cookie);
29645 if (!IS_ERR(cookie)) {
29646 - char *s = nd_get_link(nd);
29647 + const char *s = nd_get_link(nd);
29650 error = __vfs_follow_link(nd, s);
29651 @@ -599,6 +599,13 @@ static inline int do_follow_link(struct
29652 err = security_inode_follow_link(path->dentry, nd);
29656 + if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
29657 + path->dentry->d_inode, path->dentry, nd->path.mnt)) {
29662 current->link_count++;
29663 current->total_link_count++;
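Review bot: `path->dentry->d_parent->d_inode` in the added `gr_handle_follow_link()` call is read with no lock or reference on the parent visible in this hunk, so a concurrent rename could change `d_parent` between the dereference and the check. Because this call decides whether the symlink may be followed, the parent should be pinned first, e.g. `struct dentry *parent = dget_parent(path->dentry);` before the call and `dput(parent);` after it. The `do_link:` hunk at `@@ -1866,6 +1921,13 @@` passes `path.dentry->d_parent->d_inode` the same way. do_follow_link continues outside the hunk and several of its lines are missing from this page, so a lock taken there would change this assessment.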
29665 @@ -994,11 +1001,18 @@ return_reval:
29669 + if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
29670 + path_put(&nd->path);
29675 path_put_conditional(&next, nd);
29678 + if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt))
29681 path_put(&nd->path);
29684 @@ -1552,12 +1566,19 @@ static int __open_namei_create(struct na
29686 struct dentry *dir = nd->path.dentry;
29688 + if (!gr_acl_handle_creat(path->dentry, nd->path.dentry, nd->path.mnt, flag, mode)) {
29693 if (!IS_POSIXACL(dir->d_inode))
29694 mode &= ~current_umask();
29695 error = security_path_mknod(&nd->path, path->dentry, mode, 0);
29698 error = vfs_create(dir->d_inode, path->dentry, mode, nd);
29700 + gr_handle_create(path->dentry, nd->path.mnt);
29702 mutex_unlock(&dir->d_inode->i_mutex);
29703 dput(nd->path.dentry);
29704 @@ -1665,6 +1686,22 @@ struct file *do_filp_open(int dfd, const
29705 release_open_intent(&nd);
29707 return ERR_PTR(error);
29709 + if (gr_handle_rofs_blockwrite(nd.path.dentry, nd.path.mnt, acc_mode)) {
29714 + if (gr_handle_rawio(nd.path.dentry->d_inode)) {
29719 + if (!gr_acl_handle_open(nd.path.dentry, nd.path.mnt, flag)) {
29727 @@ -1758,6 +1795,24 @@ do_last:
29729 * It already exists.
29732 + if (gr_handle_rofs_blockwrite(path.dentry, nd.path.mnt, acc_mode)) {
29734 + goto exit_mutex_unlock;
29736 + if (gr_handle_rawio(path.dentry->d_inode)) {
29738 + goto exit_mutex_unlock;
29740 + if (!gr_acl_handle_open(path.dentry, nd.path.mnt, flag)) {
29742 + goto exit_mutex_unlock;
29744 + if (gr_handle_fifo(path.dentry, nd.path.mnt, dir, flag, acc_mode)) {
29746 + goto exit_mutex_unlock;
29749 mutex_unlock(&dir->d_inode->i_mutex);
29750 audit_inode(pathname, path.dentry);
29752 @@ -1866,6 +1921,13 @@ do_link:
29753 error = security_inode_follow_link(path.dentry, &nd);
29757 + if (gr_handle_follow_link(path.dentry->d_parent->d_inode, path.dentry->d_inode,
29758 + path.dentry, nd.path.mnt)) {
29763 error = __do_follow_link(&path, &nd);
29766 @@ -2045,6 +2107,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
29767 error = may_mknod(mode);
29771 + if (gr_handle_chroot_mknod(dentry, nd.path.mnt, mode)) {
29776 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
29781 error = mnt_want_write(nd.path.mnt);
29784 @@ -2065,6 +2138,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
29787 mnt_drop_write(nd.path.mnt);
29790 + gr_handle_create(dentry, nd.path.mnt);
29794 @@ -2118,6 +2194,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
29795 if (IS_ERR(dentry))
29798 + if (!gr_acl_handle_mkdir(dentry, nd.path.dentry, nd.path.mnt)) {
29803 if (!IS_POSIXACL(nd.path.dentry->d_inode))
29804 mode &= ~current_umask();
29805 error = mnt_want_write(nd.path.mnt);
29806 @@ -2129,6 +2210,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
29807 error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
29809 mnt_drop_write(nd.path.mnt);
29812 + gr_handle_create(dentry, nd.path.mnt);
29817 @@ -2210,6 +2295,8 @@ static long do_rmdir(int dfd, const char
29819 struct dentry *dentry;
29820 struct nameidata nd;
29821 + ino_t saved_ino = 0;
29822 + dev_t saved_dev = 0;
29824 error = user_path_parent(dfd, pathname, &nd, &name);
29826 @@ -2234,6 +2321,19 @@ static long do_rmdir(int dfd, const char
29827 error = PTR_ERR(dentry);
29828 if (IS_ERR(dentry))
29831 + if (dentry->d_inode != NULL) {
29832 + if (dentry->d_inode->i_nlink <= 1) {
29833 + saved_ino = dentry->d_inode->i_ino;
29834 + saved_dev = dentry->d_inode->i_sb->s_dev;
29837 + if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) {
29843 error = mnt_want_write(nd.path.mnt);
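Review bot: The `i_nlink <= 1` test guarding the `saved_ino`/`saved_dev` snapshot may never be true for a directory, because filesystems that count `.` and the parent's entry report at least 2 links for an empty directory. In that case both values stay 0 and the `gr_handle_delete()` call added in the `@@ -2241,6 +2341,8 @@` hunk is skipped after a successful rmdir. If the intent is to report every removed directory, take the snapshot unconditionally: keep `saved_ino = dentry->d_inode->i_ino;` and `saved_dev = dentry->d_inode->i_sb->s_dev;` directly under the `d_inode != NULL` check. do_rmdir continues outside the hunk and some of its lines are missing from this page, so confirm against the full function.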
29846 @@ -2241,6 +2341,8 @@ static long do_rmdir(int dfd, const char
29849 error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
29850 + if (!error && (saved_dev || saved_ino))
29851 + gr_handle_delete(saved_ino, saved_dev);
29853 mnt_drop_write(nd.path.mnt);
29855 @@ -2302,6 +2404,8 @@ static long do_unlinkat(int dfd, const c
29856 struct dentry *dentry;
29857 struct nameidata nd;
29858 struct inode *inode = NULL;
29859 + ino_t saved_ino = 0;
29860 + dev_t saved_dev = 0;
29862 error = user_path_parent(dfd, pathname, &nd, &name);
29864 @@ -2321,8 +2425,19 @@ static long do_unlinkat(int dfd, const c
29865 if (nd.last.name[nd.last.len])
29867 inode = dentry->d_inode;
29870 + if (inode->i_nlink <= 1) {
29871 + saved_ino = inode->i_ino;
29872 + saved_dev = inode->i_sb->s_dev;
29875 atomic_inc(&inode->i_count);
29877 + if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) {
29882 error = mnt_want_write(nd.path.mnt);
29885 @@ -2330,6 +2445,8 @@ static long do_unlinkat(int dfd, const c
29888 error = vfs_unlink(nd.path.dentry->d_inode, dentry);
29889 + if (!error && (saved_ino || saved_dev))
29890 + gr_handle_delete(saved_ino, saved_dev);
29892 mnt_drop_write(nd.path.mnt);
29894 @@ -2408,6 +2525,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
29895 if (IS_ERR(dentry))
29898 + if (!gr_acl_handle_symlink(dentry, nd.path.dentry, nd.path.mnt, from)) {
29903 error = mnt_want_write(nd.path.mnt);
29906 @@ -2415,6 +2537,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
29908 goto out_drop_write;
29909 error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
29911 + gr_handle_create(dentry, nd.path.mnt);
29913 mnt_drop_write(nd.path.mnt);
29915 @@ -2508,6 +2632,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
29916 error = PTR_ERR(new_dentry);
29917 if (IS_ERR(new_dentry))
29920 + if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
29921 + old_path.dentry->d_inode,
29922 + old_path.dentry->d_inode->i_mode, to)) {
29927 + if (!gr_acl_handle_link(new_dentry, nd.path.dentry, nd.path.mnt,
29928 + old_path.dentry, old_path.mnt, to)) {
29933 error = mnt_want_write(nd.path.mnt);
29936 @@ -2515,6 +2653,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
29938 goto out_drop_write;
29939 error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
29941 + gr_handle_create(new_dentry, nd.path.mnt);
29943 mnt_drop_write(nd.path.mnt);
29945 @@ -2748,6 +2888,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
29946 if (new_dentry == trap)
29949 + error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt,
29950 + old_dentry, old_dir->d_inode, oldnd.path.mnt,
29955 error = mnt_want_write(oldnd.path.mnt);
29958 @@ -2757,6 +2903,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
29960 error = vfs_rename(old_dir->d_inode, old_dentry,
29961 new_dir->d_inode, new_dentry);
29963 + gr_handle_rename(old_dir->d_inode, new_dir->d_inode, old_dentry,
29964 + new_dentry, oldnd.path.mnt, new_dentry->d_inode ? 1 : 0);
29966 mnt_drop_write(oldnd.path.mnt);
29968 diff -urNp linux-2.6.33.1/fs/namespace.c linux-2.6.33.1/fs/namespace.c
29969 --- linux-2.6.33.1/fs/namespace.c 2010-03-15 12:09:39.000000000 -0400
29970 +++ linux-2.6.33.1/fs/namespace.c 2010-03-20 16:58:41.649168726 -0400
29971 @@ -1085,6 +1085,9 @@ static int do_umount(struct vfsmount *mn
29972 if (!(sb->s_flags & MS_RDONLY))
29973 retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
29974 up_write(&sb->s_umount);
29976 + gr_log_remount(mnt->mnt_devname, retval);
29981 @@ -1106,6 +1109,9 @@ static int do_umount(struct vfsmount *mn
29982 security_sb_umount_busy(mnt);
29983 up_write(&namespace_sem);
29984 release_mounts(&umount_list);
29986 + gr_log_unmount(mnt->mnt_devname, retval);
29991 @@ -1963,6 +1969,16 @@ long do_mount(char *dev_name, char *dir_
29992 MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
29995 + if (gr_handle_rofs_mount(path.dentry, path.mnt, mnt_flags)) {
30000 + if (gr_handle_chroot_mount(path.dentry, path.mnt, dev_name)) {
30005 if (flags & MS_REMOUNT)
30006 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
30008 @@ -1977,6 +1993,9 @@ long do_mount(char *dev_name, char *dir_
30009 dev_name, data_page);
30013 + gr_log_mount(dev_name, dir_name, retval);
30018 @@ -2183,6 +2202,12 @@ SYSCALL_DEFINE2(pivot_root, const char _
30022 + if (gr_handle_chroot_pivot()) {
30028 read_lock(¤t->fs->lock);
30029 root = current->fs->root;
30030 path_get(¤t->fs->root);
30031 diff -urNp linux-2.6.33.1/fs/nfs/inode.c linux-2.6.33.1/fs/nfs/inode.c
30032 --- linux-2.6.33.1/fs/nfs/inode.c 2010-03-15 12:09:39.000000000 -0400
30033 +++ linux-2.6.33.1/fs/nfs/inode.c 2010-03-20 16:58:41.649168726 -0400
30034 @@ -965,16 +965,16 @@ static int nfs_size_need_update(const st
30035 return nfs_size_to_loff_t(fattr->size) > i_size_read(inode);
30038 -static atomic_long_t nfs_attr_generation_counter;
30039 +static atomic_long_unchecked_t nfs_attr_generation_counter;
30041 static unsigned long nfs_read_attr_generation_counter(void)
30043 - return atomic_long_read(&nfs_attr_generation_counter);
30044 + return atomic_long_read_unchecked(&nfs_attr_generation_counter);
30047 unsigned long nfs_inc_attr_generation_counter(void)
30049 - return atomic_long_inc_return(&nfs_attr_generation_counter);
30050 + return atomic_long_inc_return_unchecked(&nfs_attr_generation_counter);
30053 void nfs_fattr_init(struct nfs_fattr *fattr)
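Review bot: Nothing in this hunk records why `nfs_attr_generation_counter` is moved to `atomic_long_unchecked_t`, which presumably exempts it from the overflow detection this patch set adds to the ordinary atomic types. Judging by its name and the two accessors it is a generation number that is expected to wrap rather than a reference count, but that is an inference. A one-line comment on the declaration, e.g. `/* generation number, not a refcount: wrap-around is harmless, so overflow checking is not wanted */`, would let a later audit of `_unchecked` users confirm the exemption without re-deriving it.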
30054 diff -urNp linux-2.6.33.1/fs/nfs/nfs4proc.c linux-2.6.33.1/fs/nfs/nfs4proc.c
30055 --- linux-2.6.33.1/fs/nfs/nfs4proc.c 2010-03-15 12:09:39.000000000 -0400
30056 +++ linux-2.6.33.1/fs/nfs/nfs4proc.c 2010-03-20 16:58:41.652911113 -0400
30057 @@ -1159,7 +1159,7 @@ static int _nfs4_do_open_reclaim(struct
30058 static int nfs4_do_open_reclaim(struct nfs_open_context *ctx, struct nfs4_state *state)
30060 struct nfs_server *server = NFS_SERVER(state->inode);
30061 - struct nfs4_exception exception = { };
30062 + struct nfs4_exception exception = {0, 0};
30065 err = _nfs4_do_open_reclaim(ctx, state);
30066 @@ -1201,7 +1201,7 @@ static int _nfs4_open_delegation_recall(
30068 int nfs4_open_delegation_recall(struct nfs_open_context *ctx, struct nfs4_state *state, const nfs4_stateid *stateid)
30070 - struct nfs4_exception exception = { };
30071 + struct nfs4_exception exception = {0, 0};
30072 struct nfs_server *server = NFS_SERVER(state->inode);
30075 @@ -1572,7 +1572,7 @@ static int _nfs4_open_expired(struct nfs
30076 static int nfs4_do_open_expired(struct nfs_open_context *ctx, struct nfs4_state *state)
30078 struct nfs_server *server = NFS_SERVER(state->inode);
30079 - struct nfs4_exception exception = { };
30080 + struct nfs4_exception exception = {0, 0};
30084 @@ -1678,7 +1678,7 @@ out_err:
30086 static struct nfs4_state *nfs4_do_open(struct inode *dir, struct path *path, fmode_t fmode, int flags, struct iattr *sattr, struct rpc_cred *cred)
30088 - struct nfs4_exception exception = { };
30089 + struct nfs4_exception exception = {0, 0};
30090 struct nfs4_state *res;
30093 @@ -1769,7 +1769,7 @@ static int nfs4_do_setattr(struct inode
30094 struct nfs4_state *state)
30096 struct nfs_server *server = NFS_SERVER(inode);
30097 - struct nfs4_exception exception = { };
30098 + struct nfs4_exception exception = {0, 0};
30101 err = nfs4_handle_exception(server,
30102 @@ -2146,7 +2146,7 @@ static int _nfs4_server_capabilities(str
30104 int nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *fhandle)
30106 - struct nfs4_exception exception = { };
30107 + struct nfs4_exception exception = {0, 0};
30110 err = nfs4_handle_exception(server,
30111 @@ -2180,7 +2180,7 @@ static int _nfs4_lookup_root(struct nfs_
30112 static int nfs4_lookup_root(struct nfs_server *server, struct nfs_fh *fhandle,
30113 struct nfs_fsinfo *info)
30115 - struct nfs4_exception exception = { };
30116 + struct nfs4_exception exception = {0, 0};
30119 err = nfs4_handle_exception(server,
30120 @@ -2269,7 +2269,7 @@ static int _nfs4_proc_getattr(struct nfs
30122 static int nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
30124 - struct nfs4_exception exception = { };
30125 + struct nfs4_exception exception = {0, 0};
30128 err = nfs4_handle_exception(server,
30129 @@ -2357,7 +2357,7 @@ static int nfs4_proc_lookupfh(struct nfs
30130 struct qstr *name, struct nfs_fh *fhandle,
30131 struct nfs_fattr *fattr)
30133 - struct nfs4_exception exception = { };
30134 + struct nfs4_exception exception = {0, 0};
30137 err = _nfs4_proc_lookupfh(server, dirfh, name, fhandle, fattr);
30138 @@ -2386,7 +2386,7 @@ static int _nfs4_proc_lookup(struct inod
30140 static int nfs4_proc_lookup(struct inode *dir, struct qstr *name, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
30142 - struct nfs4_exception exception = { };
30143 + struct nfs4_exception exception = {0, 0};
30146 err = nfs4_handle_exception(NFS_SERVER(dir),
30147 @@ -2450,7 +2450,7 @@ static int _nfs4_proc_access(struct inod
30149 static int nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry)
30151 - struct nfs4_exception exception = { };
30152 + struct nfs4_exception exception = {0, 0};
30155 err = nfs4_handle_exception(NFS_SERVER(inode),
30156 @@ -2506,7 +2506,7 @@ static int _nfs4_proc_readlink(struct in
30157 static int nfs4_proc_readlink(struct inode *inode, struct page *page,
30158 unsigned int pgbase, unsigned int pglen)
30160 - struct nfs4_exception exception = { };
30161 + struct nfs4_exception exception = {0, 0};
30164 err = nfs4_handle_exception(NFS_SERVER(inode),
30165 @@ -2604,7 +2604,7 @@ static int _nfs4_proc_remove(struct inod
30167 static int nfs4_proc_remove(struct inode *dir, struct qstr *name)
30169 - struct nfs4_exception exception = { };
30170 + struct nfs4_exception exception = {0, 0};
30173 err = nfs4_handle_exception(NFS_SERVER(dir),
30174 @@ -2677,7 +2677,7 @@ static int _nfs4_proc_rename(struct inod
30175 static int nfs4_proc_rename(struct inode *old_dir, struct qstr *old_name,
30176 struct inode *new_dir, struct qstr *new_name)
30178 - struct nfs4_exception exception = { };
30179 + struct nfs4_exception exception = {0, 0};
30182 err = nfs4_handle_exception(NFS_SERVER(old_dir),
30183 @@ -2724,7 +2724,7 @@ static int _nfs4_proc_link(struct inode
30185 static int nfs4_proc_link(struct inode *inode, struct inode *dir, struct qstr *name)
30187 - struct nfs4_exception exception = { };
30188 + struct nfs4_exception exception = {0, 0};
30191 err = nfs4_handle_exception(NFS_SERVER(inode),
30192 @@ -2816,7 +2816,7 @@ out:
30193 static int nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,
30194 struct page *page, unsigned int len, struct iattr *sattr)
30196 - struct nfs4_exception exception = { };
30197 + struct nfs4_exception exception = {0, 0};
30200 err = nfs4_handle_exception(NFS_SERVER(dir),
30201 @@ -2847,7 +2847,7 @@ out:
30202 static int nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
30203 struct iattr *sattr)
30205 - struct nfs4_exception exception = { };
30206 + struct nfs4_exception exception = {0, 0};
30209 err = nfs4_handle_exception(NFS_SERVER(dir),
30210 @@ -2896,7 +2896,7 @@ static int _nfs4_proc_readdir(struct den
30211 static int nfs4_proc_readdir(struct dentry *dentry, struct rpc_cred *cred,
30212 u64 cookie, struct page *page, unsigned int count, int plus)
30214 - struct nfs4_exception exception = { };
30215 + struct nfs4_exception exception = {0, 0};
30218 err = nfs4_handle_exception(NFS_SERVER(dentry->d_inode),
30219 @@ -2944,7 +2944,7 @@ out:
30220 static int nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,
30221 struct iattr *sattr, dev_t rdev)
30223 - struct nfs4_exception exception = { };
30224 + struct nfs4_exception exception = {0, 0};
30227 err = nfs4_handle_exception(NFS_SERVER(dir),
30228 @@ -2976,7 +2976,7 @@ static int _nfs4_proc_statfs(struct nfs_
30230 static int nfs4_proc_statfs(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsstat *fsstat)
30232 - struct nfs4_exception exception = { };
30233 + struct nfs4_exception exception = {0, 0};
30236 err = nfs4_handle_exception(server,
30237 @@ -3007,7 +3007,7 @@ static int _nfs4_do_fsinfo(struct nfs_se
30239 static int nfs4_do_fsinfo(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsinfo *fsinfo)
30241 - struct nfs4_exception exception = { };
30242 + struct nfs4_exception exception = {0, 0};
30246 @@ -3053,7 +3053,7 @@ static int _nfs4_proc_pathconf(struct nf
30247 static int nfs4_proc_pathconf(struct nfs_server *server, struct nfs_fh *fhandle,
30248 struct nfs_pathconf *pathconf)
30250 - struct nfs4_exception exception = { };
30251 + struct nfs4_exception exception = {0, 0};
30255 @@ -3348,7 +3348,7 @@ out_free:
30257 static ssize_t nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t buflen)
30259 - struct nfs4_exception exception = { };
30260 + struct nfs4_exception exception = {0, 0};
30263 ret = __nfs4_get_acl_uncached(inode, buf, buflen);
30264 @@ -3404,7 +3404,7 @@ static int __nfs4_proc_set_acl(struct in
30266 static int nfs4_proc_set_acl(struct inode *inode, const void *buf, size_t buflen)
30268 - struct nfs4_exception exception = { };
30269 + struct nfs4_exception exception = {0, 0};
30272 err = nfs4_handle_exception(NFS_SERVER(inode),
30273 @@ -3686,7 +3686,7 @@ out:
30274 int nfs4_proc_delegreturn(struct inode *inode, struct rpc_cred *cred, const nfs4_stateid *stateid, int issync)
30276 struct nfs_server *server = NFS_SERVER(inode);
30277 - struct nfs4_exception exception = { };
30278 + struct nfs4_exception exception = {0, 0};
30281 err = _nfs4_proc_delegreturn(inode, cred, stateid, issync);
30282 @@ -3759,7 +3759,7 @@ out:
30284 static int nfs4_proc_getlk(struct nfs4_state *state, int cmd, struct file_lock *request)
30286 - struct nfs4_exception exception = { };
30287 + struct nfs4_exception exception = {0, 0};
30291 @@ -4171,7 +4171,7 @@ static int _nfs4_do_setlk(struct nfs4_st
30292 static int nfs4_lock_reclaim(struct nfs4_state *state, struct file_lock *request)
30294 struct nfs_server *server = NFS_SERVER(state->inode);
30295 - struct nfs4_exception exception = { };
30296 + struct nfs4_exception exception = {0, 0};
30300 @@ -4189,7 +4189,7 @@ static int nfs4_lock_reclaim(struct nfs4
30301 static int nfs4_lock_expired(struct nfs4_state *state, struct file_lock *request)
30303 struct nfs_server *server = NFS_SERVER(state->inode);
30304 - struct nfs4_exception exception = { };
30305 + struct nfs4_exception exception = {0, 0};
30308 err = nfs4_set_lock_state(state, request);
30309 @@ -4253,7 +4253,7 @@ out:
30311 static int nfs4_proc_setlk(struct nfs4_state *state, int cmd, struct file_lock *request)
30313 - struct nfs4_exception exception = { };
30314 + struct nfs4_exception exception = {0, 0};
30318 @@ -4313,7 +4313,7 @@ nfs4_proc_lock(struct file *filp, int cm
30319 int nfs4_lock_delegation_recall(struct nfs4_state *state, struct file_lock *fl)
30321 struct nfs_server *server = NFS_SERVER(state->inode);
30322 - struct nfs4_exception exception = { };
30323 + struct nfs4_exception exception = {0, 0};
30326 err = nfs4_set_lock_state(state, fl);
30327 diff -urNp linux-2.6.33.1/fs/nfsd/lockd.c linux-2.6.33.1/fs/nfsd/lockd.c
30328 --- linux-2.6.33.1/fs/nfsd/lockd.c 2010-03-15 12:09:39.000000000 -0400
30329 +++ linux-2.6.33.1/fs/nfsd/lockd.c 2010-03-20 16:58:41.660926393 -0400
30330 @@ -61,7 +61,7 @@ nlm_fclose(struct file *filp)
30334 -static struct nlmsvc_binding nfsd_nlm_ops = {
30335 +static const struct nlmsvc_binding nfsd_nlm_ops = {
30336 .fopen = nlm_fopen, /* open file for locking */
30337 .fclose = nlm_fclose, /* close file */
30339 diff -urNp linux-2.6.33.1/fs/nfsd/nfsctl.c linux-2.6.33.1/fs/nfsd/nfsctl.c
30340 --- linux-2.6.33.1/fs/nfsd/nfsctl.c 2010-03-15 12:09:39.000000000 -0400
30341 +++ linux-2.6.33.1/fs/nfsd/nfsctl.c 2010-03-20 16:58:41.676914510 -0400
30342 @@ -159,7 +159,7 @@ static int export_features_open(struct i
30343 return single_open(file, export_features_show, NULL);
30346 -static struct file_operations export_features_operations = {
30347 +static const struct file_operations export_features_operations = {
30348 .open = export_features_open,
30350 .llseek = seq_lseek,
30351 diff -urNp linux-2.6.33.1/fs/nfsd/vfs.c linux-2.6.33.1/fs/nfsd/vfs.c
30352 --- linux-2.6.33.1/fs/nfsd/vfs.c 2010-03-15 12:09:39.000000000 -0400
30353 +++ linux-2.6.33.1/fs/nfsd/vfs.c 2010-03-20 16:58:41.676914510 -0400
30354 @@ -945,7 +945,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, st
30358 - host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
30359 + host_err = vfs_readv(file, (__force struct iovec __user *)vec, vlen, &offset);
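Review bot: The added `__force` casts stop sparse from checking that `vec` (and `buf` in the `nfsd_readlink` hunk) is really a user pointer, so only the surrounding `set_fs(KERNEL_DS)` window keeps these calls valid. The `nfsd_vfs_write` and `nfsd_readlink` hunks show that window being opened (`oldfs = get_fs(); set_fs(KERNEL_DS);`); the line that restores the old limit is not shown in any of the three hunks. A comment at each cast, e.g. `/* kernel pointer: valid only between set_fs(KERNEL_DS) and set_fs(oldfs) */`, would keep a later edit from moving the call outside the window or adding an early return inside it. The enclosing functions start and end outside these hunks.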
30363 @@ -1068,7 +1068,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, s
30365 /* Write the data. */
30366 oldfs = get_fs(); set_fs(KERNEL_DS);
30367 - host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &offset);
30368 + host_err = vfs_writev(file, (__force struct iovec __user *)vec, vlen, &offset);
30372 @@ -1543,7 +1543,7 @@ nfsd_readlink(struct svc_rqst *rqstp, st
30375 oldfs = get_fs(); set_fs(KERNEL_DS);
30376 - host_err = inode->i_op->readlink(dentry, buf, *lenp);
30377 + host_err = inode->i_op->readlink(dentry, (__force char __user *)buf, *lenp);
30381 diff -urNp linux-2.6.33.1/fs/nls/nls_base.c linux-2.6.33.1/fs/nls/nls_base.c
30382 --- linux-2.6.33.1/fs/nls/nls_base.c 2010-03-15 12:09:39.000000000 -0400
30383 +++ linux-2.6.33.1/fs/nls/nls_base.c 2010-03-20 16:58:41.684912030 -0400
30384 @@ -41,7 +41,7 @@ static const struct utf8_table utf8_tabl
30385 {0xF8, 0xF0, 3*6, 0x1FFFFF, 0x10000, /* 4 byte sequence */},
30386 {0xFC, 0xF8, 4*6, 0x3FFFFFF, 0x200000, /* 5 byte sequence */},
30387 {0xFE, 0xFC, 5*6, 0x7FFFFFFF, 0x4000000, /* 6 byte sequence */},
30388 - {0, /* end of table */}
30389 + {0, 0, 0, 0, 0, /* end of table */}
30392 #define UNICODE_MAX 0x0010ffff
30393 diff -urNp linux-2.6.33.1/fs/ntfs/file.c linux-2.6.33.1/fs/ntfs/file.c
30394 --- linux-2.6.33.1/fs/ntfs/file.c 2010-03-15 12:09:39.000000000 -0400
30395 +++ linux-2.6.33.1/fs/ntfs/file.c 2010-03-20 16:58:41.717206210 -0400
30396 @@ -2243,6 +2243,6 @@ const struct inode_operations ntfs_file_
30397 #endif /* NTFS_RW */
30400 -const struct file_operations ntfs_empty_file_ops = {};
30401 +const struct file_operations ntfs_empty_file_ops __read_only;
30403 -const struct inode_operations ntfs_empty_inode_ops = {};
30404 +const struct inode_operations ntfs_empty_inode_ops __read_only;
30405 diff -urNp linux-2.6.33.1/fs/ocfs2/cluster/masklog.c linux-2.6.33.1/fs/ocfs2/cluster/masklog.c
30406 --- linux-2.6.33.1/fs/ocfs2/cluster/masklog.c 2010-03-15 12:09:39.000000000 -0400
30407 +++ linux-2.6.33.1/fs/ocfs2/cluster/masklog.c 2010-03-20 16:58:41.724925424 -0400
30408 @@ -135,7 +135,7 @@ static ssize_t mlog_store(struct kobject
30409 return mlog_mask_store(mlog_attr->mask, buf, count);
30412 -static struct sysfs_ops mlog_attr_ops = {
30413 +static const struct sysfs_ops mlog_attr_ops = {
30415 .store = mlog_store,
30417 diff -urNp linux-2.6.33.1/fs/ocfs2/localalloc.c linux-2.6.33.1/fs/ocfs2/localalloc.c
30418 --- linux-2.6.33.1/fs/ocfs2/localalloc.c 2010-03-15 12:09:39.000000000 -0400
30419 +++ linux-2.6.33.1/fs/ocfs2/localalloc.c 2010-03-20 16:58:41.736921327 -0400
30420 @@ -1188,7 +1188,7 @@ static int ocfs2_local_alloc_slide_windo
30424 - atomic_inc(&osb->alloc_stats.moves);
30425 + atomic_inc_unchecked(&osb->alloc_stats.moves);
30429 diff -urNp linux-2.6.33.1/fs/ocfs2/ocfs2.h linux-2.6.33.1/fs/ocfs2/ocfs2.h
30430 --- linux-2.6.33.1/fs/ocfs2/ocfs2.h 2010-03-15 12:09:39.000000000 -0400
30431 +++ linux-2.6.33.1/fs/ocfs2/ocfs2.h 2010-03-20 16:58:41.753416780 -0400
30432 @@ -221,11 +221,11 @@ enum ocfs2_vol_state
30434 struct ocfs2_alloc_stats
30437 - atomic_t local_data;
30438 - atomic_t bitmap_data;
30439 - atomic_t bg_allocs;
30440 - atomic_t bg_extends;
30441 + atomic_unchecked_t moves;
30442 + atomic_unchecked_t local_data;
30443 + atomic_unchecked_t bitmap_data;
30444 + atomic_unchecked_t bg_allocs;
30445 + atomic_unchecked_t bg_extends;
30448 enum ocfs2_local_alloc_state
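Review bot: The switch of the `ocfs2_alloc_stats` members to `atomic_unchecked_t` is not explained where the type is declared. The only reader visible in this patch is the `ocfs2_osb_dump()` printout in super.c, which suggests these are statistics whose wrap-around is harmless, but the struct itself should say so. Suggested comment above the struct, once the author has confirmed it holds: `/* statistics only, never used for object lifetime; overflow checking is not wanted */`. The struct's braces and at least one member line are missing from this page.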
30449 diff -urNp linux-2.6.33.1/fs/ocfs2/suballoc.c linux-2.6.33.1/fs/ocfs2/suballoc.c
30450 --- linux-2.6.33.1/fs/ocfs2/suballoc.c 2010-03-15 12:09:39.000000000 -0400
30451 +++ linux-2.6.33.1/fs/ocfs2/suballoc.c 2010-03-20 16:58:41.773443597 -0400
30452 @@ -620,7 +620,7 @@ static int ocfs2_reserve_suballoc_bits(s
30453 mlog_errno(status);
30456 - atomic_inc(&osb->alloc_stats.bg_extends);
30457 + atomic_inc_unchecked(&osb->alloc_stats.bg_extends);
30459 /* You should never ask for this much metadata */
30460 BUG_ON(bits_wanted >
30461 @@ -1651,7 +1651,7 @@ int ocfs2_claim_metadata(struct ocfs2_su
30462 mlog_errno(status);
30465 - atomic_inc(&osb->alloc_stats.bg_allocs);
30466 + atomic_inc_unchecked(&osb->alloc_stats.bg_allocs);
30468 *blkno_start = bg_blkno + (u64) *suballoc_bit_start;
30469 ac->ac_bits_given += (*num_bits);
30470 @@ -1725,7 +1725,7 @@ int ocfs2_claim_new_inode(struct ocfs2_s
30471 mlog_errno(status);
30474 - atomic_inc(&osb->alloc_stats.bg_allocs);
30475 + atomic_inc_unchecked(&osb->alloc_stats.bg_allocs);
30477 BUG_ON(num_bits != 1);
30479 @@ -1827,7 +1827,7 @@ int __ocfs2_claim_clusters(struct ocfs2_
30483 - atomic_inc(&osb->alloc_stats.local_data);
30484 + atomic_inc_unchecked(&osb->alloc_stats.local_data);
30486 if (min_clusters > (osb->bitmap_cpg - 1)) {
30487 /* The only paths asking for contiguousness
30488 @@ -1855,7 +1855,7 @@ int __ocfs2_claim_clusters(struct ocfs2_
30489 ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
30492 - atomic_inc(&osb->alloc_stats.bitmap_data);
30493 + atomic_inc_unchecked(&osb->alloc_stats.bitmap_data);
30497 diff -urNp linux-2.6.33.1/fs/ocfs2/super.c linux-2.6.33.1/fs/ocfs2/super.c
30498 --- linux-2.6.33.1/fs/ocfs2/super.c 2010-03-15 12:09:39.000000000 -0400
30499 +++ linux-2.6.33.1/fs/ocfs2/super.c 2010-03-20 16:58:41.781934851 -0400
30500 @@ -286,11 +286,11 @@ static int ocfs2_osb_dump(struct ocfs2_s
30501 "%10s => GlobalAllocs: %d LocalAllocs: %d "
30502 "SubAllocs: %d LAWinMoves: %d SAExtends: %d\n",
30504 - atomic_read(&osb->alloc_stats.bitmap_data),
30505 - atomic_read(&osb->alloc_stats.local_data),
30506 - atomic_read(&osb->alloc_stats.bg_allocs),
30507 - atomic_read(&osb->alloc_stats.moves),
30508 - atomic_read(&osb->alloc_stats.bg_extends));
30509 + atomic_read_unchecked(&osb->alloc_stats.bitmap_data),
30510 + atomic_read_unchecked(&osb->alloc_stats.local_data),
30511 + atomic_read_unchecked(&osb->alloc_stats.bg_allocs),
30512 + atomic_read_unchecked(&osb->alloc_stats.moves),
30513 + atomic_read_unchecked(&osb->alloc_stats.bg_extends));
30515 out += snprintf(buf + out, len - out,
30516 "%10s => State: %u Descriptor: %llu Size: %u bits "
30517 @@ -1999,11 +1999,11 @@ static int ocfs2_initialize_super(struct
30518 spin_lock_init(&osb->osb_xattr_lock);
30519 ocfs2_init_inode_steal_slot(osb);
30521 - atomic_set(&osb->alloc_stats.moves, 0);
30522 - atomic_set(&osb->alloc_stats.local_data, 0);
30523 - atomic_set(&osb->alloc_stats.bitmap_data, 0);
30524 - atomic_set(&osb->alloc_stats.bg_allocs, 0);
30525 - atomic_set(&osb->alloc_stats.bg_extends, 0);
30526 + atomic_set_unchecked(&osb->alloc_stats.moves, 0);
30527 + atomic_set_unchecked(&osb->alloc_stats.local_data, 0);
30528 + atomic_set_unchecked(&osb->alloc_stats.bitmap_data, 0);
30529 + atomic_set_unchecked(&osb->alloc_stats.bg_allocs, 0);
30530 + atomic_set_unchecked(&osb->alloc_stats.bg_extends, 0);
30532 /* Copy the blockcheck stats from the superblock probe */
30533 osb->osb_ecc_stats = *stats;
30534 diff -urNp linux-2.6.33.1/fs/ocfs2/symlink.c linux-2.6.33.1/fs/ocfs2/symlink.c
30535 --- linux-2.6.33.1/fs/ocfs2/symlink.c 2010-03-15 12:09:39.000000000 -0400
30536 +++ linux-2.6.33.1/fs/ocfs2/symlink.c 2010-03-20 16:58:41.809220780 -0400
30537 @@ -148,7 +148,7 @@ bail:
30539 static void ocfs2_fast_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
30541 - char *link = nd_get_link(nd);
30542 + const char *link = nd_get_link(nd);
30546 diff -urNp linux-2.6.33.1/fs/open.c linux-2.6.33.1/fs/open.c
30547 --- linux-2.6.33.1/fs/open.c 2010-03-15 12:09:39.000000000 -0400
30548 +++ linux-2.6.33.1/fs/open.c 2010-03-20 16:58:41.824559234 -0400
30549 @@ -209,6 +209,9 @@ int do_truncate(struct dentry *dentry, l
30553 + if (filp && !gr_acl_handle_truncate(dentry, filp->f_path.mnt))
30556 newattrs.ia_size = length;
30557 newattrs.ia_valid = ATTR_SIZE | time_attrs;
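Review bot: The added `gr_acl_handle_truncate()` test in do_truncate only runs when `filp` is non-NULL, so any caller that passes a NULL `filp` skips the policy check. The guard is presumably there because the vfsmount is only reachable through `filp->f_path.mnt`, but the hunk does not say where NULL-`filp` callers are checked instead. I would add a comment above the test, e.g. `/* callers without a struct file must apply the truncate policy check themselves */`, or pass the vfsmount in explicitly so the check always runs. do_truncate starts and ends outside the hunk, and the statement under the new `if` is missing from this listing.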
30559 @@ -514,6 +517,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, con
30560 if (__mnt_is_readonly(path.mnt))
30563 + if (!res && !gr_acl_handle_access(path.dentry, path.mnt, mode))
30569 @@ -540,6 +546,8 @@ SYSCALL_DEFINE1(chdir, const char __user
30573 + gr_log_chdir(path.dentry, path.mnt);
30575 set_fs_pwd(current->fs, &path);
30578 @@ -566,6 +574,13 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd
30581 error = inode_permission(inode, MAY_EXEC | MAY_ACCESS);
30583 + if (!error && !gr_chroot_fchdir(file->f_path.dentry, file->f_path.mnt))
30587 + gr_log_chdir(file->f_path.dentry, file->f_path.mnt);
30590 set_fs_pwd(current->fs, &file->f_path);
30592 @@ -594,7 +609,18 @@ SYSCALL_DEFINE1(chroot, const char __use
30596 + if (gr_handle_chroot_chroot(path.dentry, path.mnt))
30597 + goto dput_and_out;
30599 + if (gr_handle_chroot_caps(&path)) {
30601 + goto dput_and_out;
30604 set_fs_root(current->fs, &path);
30606 + gr_handle_chroot_chdir(&path);
30611 @@ -622,6 +648,12 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
30612 err = mnt_want_write_file(file);
30616 + if (!gr_acl_handle_fchmod(dentry, file->f_path.mnt, mode)) {
30618 + goto out_drop_write;
30621 mutex_lock(&inode->i_mutex);
30622 err = security_path_chmod(dentry, file->f_vfsmnt, mode);
30624 @@ -633,6 +665,7 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
30625 err = notify_change(dentry, &newattrs);
30627 mutex_unlock(&inode->i_mutex);
30629 mnt_drop_write(file->f_path.mnt);
30632 @@ -655,17 +688,30 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
30633 error = mnt_want_write(path.mnt);
30637 + if (!gr_acl_handle_chmod(path.dentry, path.mnt, mode)) {
30639 + goto out_drop_write;
30642 mutex_lock(&inode->i_mutex);
30643 error = security_path_chmod(path.dentry, path.mnt, mode);
30646 if (mode == (mode_t) -1)
30647 mode = inode->i_mode;
30649 + if (gr_handle_chroot_chmod(path.dentry, path.mnt, mode)) {
30654 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
30655 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
30656 error = notify_change(path.dentry, &newattrs);
30658 mutex_unlock(&inode->i_mutex);
30660 mnt_drop_write(path.mnt);
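Review bot: gr_acl_handle_chmod() is called with `mode` before the `mode == (mode_t) -1` case is replaced by `inode->i_mode`, while gr_handle_chroot_chmod() a few lines below is called after that substitution, so the two hooks can see different values for the same request. If the ACL hook is meant to judge the mode that will actually be applied, it should run after the normalisation, next to the chroot check. If it deliberately sees the raw argument, a comment such as `/* policy check sees the caller-supplied mode, before the -1 default is applied */` should say so. The statements under both new `if` lines are missing from this listing, so the error paths could not be checked.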
30663 @@ -684,6 +730,9 @@ static int chown_common(struct path *pat
30665 struct iattr newattrs;
30667 + if (!gr_acl_handle_chown(path->dentry, path->mnt))
30670 newattrs.ia_valid = ATTR_CTIME;
30671 if (user != (uid_t) -1) {
30672 newattrs.ia_valid |= ATTR_UID;
30673 diff -urNp linux-2.6.33.1/fs/pipe.c linux-2.6.33.1/fs/pipe.c
30674 --- linux-2.6.33.1/fs/pipe.c 2010-03-15 12:09:39.000000000 -0400
30675 +++ linux-2.6.33.1/fs/pipe.c 2010-03-20 16:58:41.824559234 -0400
30676 @@ -401,9 +401,9 @@ redo:
30678 if (bufs) /* More to do? */
30680 - if (!pipe->writers)
30681 + if (!atomic_read(&pipe->writers))
30683 - if (!pipe->waiting_writers) {
30684 + if (!atomic_read(&pipe->waiting_writers)) {
30685 /* syscall merging: Usually we must not sleep
30686 * if O_NONBLOCK is set, or if we got some data.
30687 * But if a writer sleeps in kernel space, then
30688 @@ -462,7 +462,7 @@ pipe_write(struct kiocb *iocb, const str
30689 mutex_lock(&inode->i_mutex);
30690 pipe = inode->i_pipe;
30692 - if (!pipe->readers) {
30693 + if (!atomic_read(&pipe->readers)) {
30694 send_sig(SIGPIPE, current, 0);
30697 @@ -511,7 +511,7 @@ redo1:
30701 - if (!pipe->readers) {
30702 + if (!atomic_read(&pipe->readers)) {
30703 send_sig(SIGPIPE, current, 0);
30706 @@ -597,9 +597,9 @@ redo2:
30707 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
30710 - pipe->waiting_writers++;
30711 + atomic_inc(&pipe->waiting_writers);
30713 - pipe->waiting_writers--;
30714 + atomic_dec(&pipe->waiting_writers);
30717 mutex_unlock(&inode->i_mutex);
30718 @@ -666,7 +666,7 @@ pipe_poll(struct file *filp, poll_table
30720 if (filp->f_mode & FMODE_READ) {
30721 mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
30722 - if (!pipe->writers && filp->f_version != pipe->w_counter)
30723 + if (!atomic_read(&pipe->writers) && filp->f_version != pipe->w_counter)
30727 @@ -676,7 +676,7 @@ pipe_poll(struct file *filp, poll_table
30728 * Most Unices do not set POLLERR for FIFOs but on Linux they
30729 * behave exactly like pipes for poll().
30731 - if (!pipe->readers)
30732 + if (!atomic_read(&pipe->readers))
30736 @@ -690,10 +690,10 @@ pipe_release(struct inode *inode, int de
30738 mutex_lock(&inode->i_mutex);
30739 pipe = inode->i_pipe;
30740 - pipe->readers -= decr;
30741 - pipe->writers -= decw;
30742 + atomic_sub(decr, &pipe->readers);
30743 + atomic_sub(decw, &pipe->writers);
30745 - if (!pipe->readers && !pipe->writers) {
30746 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers)) {
30747 free_pipe_info(inode);
30749 wake_up_interruptible_sync(&pipe->wait);
30750 @@ -783,7 +783,7 @@ pipe_read_open(struct inode *inode, stru
30752 if (inode->i_pipe) {
30754 - inode->i_pipe->readers++;
30755 + atomic_inc(&inode->i_pipe->readers);
30758 mutex_unlock(&inode->i_mutex);
30759 @@ -800,7 +800,7 @@ pipe_write_open(struct inode *inode, str
30761 if (inode->i_pipe) {
30763 - inode->i_pipe->writers++;
30764 + atomic_inc(&inode->i_pipe->writers);
30767 mutex_unlock(&inode->i_mutex);
30768 @@ -818,9 +818,9 @@ pipe_rdwr_open(struct inode *inode, stru
30769 if (inode->i_pipe) {
30771 if (filp->f_mode & FMODE_READ)
30772 - inode->i_pipe->readers++;
30773 + atomic_inc(&inode->i_pipe->readers);
30774 if (filp->f_mode & FMODE_WRITE)
30775 - inode->i_pipe->writers++;
30776 + atomic_inc(&inode->i_pipe->writers);
30779 mutex_unlock(&inode->i_mutex);
30780 @@ -905,7 +905,7 @@ void free_pipe_info(struct inode *inode)
30781 inode->i_pipe = NULL;
30784 -static struct vfsmount *pipe_mnt __read_mostly;
30785 +struct vfsmount *pipe_mnt __read_mostly;
30788 * pipefs_dname() is called from d_path().
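Review bot: Dropping `static` from `pipe_mnt` gives the variable kernel-wide linkage, yet no header declaration for it is visible in this file's hunks. I would declare it once in a shared header rather than with an ad-hoc `extern` at the point of use, so the type is checked against this definition. A one-line comment here naming the outside user would also show that the wider linkage is intentional.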
30789 @@ -933,7 +933,8 @@ static struct inode * get_pipe_inode(voi
30791 inode->i_pipe = pipe;
30793 - pipe->readers = pipe->writers = 1;
30794 + atomic_set(&pipe->readers, 1);
30795 + atomic_set(&pipe->writers, 1);
30796 inode->i_fop = &rdwr_pipefifo_fops;
30799 diff -urNp linux-2.6.33.1/fs/proc/array.c linux-2.6.33.1/fs/proc/array.c
30800 --- linux-2.6.33.1/fs/proc/array.c 2010-03-15 12:09:39.000000000 -0400
30801 +++ linux-2.6.33.1/fs/proc/array.c 2010-03-20 16:58:41.824559234 -0400
30802 @@ -337,6 +337,21 @@ static void task_cpus_allowed(struct seq
30803 seq_printf(m, "\n");
30806 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
30807 +static inline void task_pax(struct seq_file *m, struct task_struct *p)
30810 + seq_printf(m, "PaX:\t%c%c%c%c%c\n",
30811 + p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
30812 + p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
30813 + p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
30814 + p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
30815 + p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
30817 + seq_printf(m, "PaX:\t-----\n");
30821 int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
30822 struct pid *pid, struct task_struct *task)
30824 @@ -357,9 +372,20 @@ int proc_pid_status(struct seq_file *m,
30825 task_show_regs(m, task);
30827 task_context_switch_counts(m, task);
30829 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
30830 + task_pax(m, task);
30836 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
30837 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
30838 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
30839 + _mm->pax_flags & MF_PAX_SEGMEXEC))
30842 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
30843 struct pid *pid, struct task_struct *task, int whole)
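Review bot: `PAX_RAND_FLAGS` is defined here and again, with identical text, in the fs/proc/base.c and fs/proc/task_mmu.c hunks of this patch, so the three copies can drift apart. The macro also expands `_mm` four times without parentheses, which is fragile for any argument that is not a plain identifier (task_mmu.c passes `vma->vm_mm`). A single definition in fs/proc/internal.h, which this patch already touches, written as a `static inline` function taking a `const struct mm_struct *`, would avoid both problems. The `#endif` closing this block is not visible in the listing.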
30845 @@ -452,6 +478,19 @@ static int do_task_stat(struct seq_file
30846 gtime = task->gtime;
30849 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
30850 + if (PAX_RAND_FLAGS(mm)) {
30856 +#ifdef CONFIG_GRKERNSEC_HIDESYM
30862 /* scale priority and nice values from timeslices to -20..20 */
30863 /* to make it look like a "normal" Unix priority/nice value */
30864 priority = task_prio(task);
30865 @@ -492,9 +531,15 @@ static int do_task_stat(struct seq_file
30867 mm ? get_mm_rss(mm) : 0,
30869 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
30870 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->start_code : 0),
30871 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->end_code : 0),
30872 + PAX_RAND_FLAGS(mm) ? 0 : ((permitted && mm) ? task->stack_start : 0),
30874 mm ? mm->start_code : 0,
30875 mm ? mm->end_code : 0,
30876 (permitted && mm) ? task->stack_start : 0,
30880 /* The signal information here is obsolete.
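Review bot: The masked values in this argument list are inconsistent and unexplained: when `PAX_RAND_FLAGS(mm)` is true, `start_code` and `end_code` are reported as `1` while the stack start is reported as `0`. A reader cannot tell whether the `1` is deliberate (for example to keep a field non-zero for parsers) or a slip. I would add a comment above the three lines stating why the code bounds use `1` and the stack start uses `0`, or use the same sentinel for all three. do_task_stat starts and ends outside the hunk.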
30881 @@ -547,3 +592,10 @@ int proc_pid_statm(struct seq_file *m, s
30886 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
30887 +int proc_pid_ipaddr(struct task_struct *task, char *buffer)
30889 + return sprintf(buffer, "%pI4\n", &task->signal->curr_ip);
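Review bot: proc_pid_ipaddr() dereferences `task->signal` with no visible lock or NULL check. If the signal structure can be detached from an exiting task in this kernel version, a read of the new `ipaddr` entry can race with that task's exit. I would guard the access, e.g. `if (!lock_task_sighand(task, &flags)) return 0;` before the read and `unlock_task_sighand(task, &flags);` after copying `curr_ip` to a local. The function's braces and the closing `#endif` are missing from this listing, so only the one statement could be reviewed.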
30892 diff -urNp linux-2.6.33.1/fs/proc/base.c linux-2.6.33.1/fs/proc/base.c
30893 --- linux-2.6.33.1/fs/proc/base.c 2010-03-15 12:09:39.000000000 -0400
30894 +++ linux-2.6.33.1/fs/proc/base.c 2010-03-20 16:58:41.824559234 -0400
30895 @@ -102,6 +102,22 @@ struct pid_entry {
30899 +struct getdents_callback {
30900 + struct linux_dirent __user * current_dir;
30901 + struct linux_dirent __user * previous;
30902 + struct file * file;
30907 +static int gr_fake_filldir(void * __buf, const char *name, int namlen,
30908 + loff_t offset, u64 ino, unsigned int d_type)
30910 + struct getdents_callback * buf = (struct getdents_callback *) __buf;
30911 + buf->error = -EINVAL;
30915 #define NOD(NAME, MODE, IOP, FOP, OP) { \
30917 .len = sizeof(NAME) - 1, \
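Review bot: gr_fake_filldir() casts `__buf` to a private copy of `struct getdents_callback` and stores to `buf->error`, but the buffer belongs to whoever started the directory read. fs/readdir.c in this same patch shows at least one caller-side structure, `struct readdir_callback`, with a different layout. If proc_pid_readdir can be reached with a callback other than readdir.c's `filldir`, that store lands outside the fields the caller expects. Since the purpose is only to suppress the entry, I would leave `__buf` untouched and reduce the body to `return 0;` (the existing return statement is not visible in this listing). That also removes the duplicated struct definition, which otherwise has to be kept in step with fs/readdir.c.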
30918 @@ -213,6 +229,9 @@ static int check_mem_permission(struct t
30919 if (task == current)
30922 + if (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))
30926 * If current is actively ptrace'ing, and would also be
30927 * permitted to freshly attach with ptrace now, permit it.
30928 @@ -260,6 +279,9 @@ static int proc_pid_cmdline(struct task_
30930 goto out_mm; /* Shh! No looking before we're done */
30932 + if (gr_acl_handle_procpidmem(task))
30935 len = mm->arg_end - mm->arg_start;
30937 if (len > PAGE_SIZE)
30938 @@ -287,12 +309,26 @@ out:
30942 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
30943 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
30944 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
30945 + _mm->pax_flags & MF_PAX_SEGMEXEC))
30948 static int proc_pid_auxv(struct task_struct *task, char *buffer)
30951 struct mm_struct *mm = get_task_mm(task);
30953 unsigned int nwords = 0;
30955 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
30956 + if (PAX_RAND_FLAGS(mm)) {
30964 } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
30965 @@ -328,7 +364,7 @@ static int proc_pid_wchan(struct task_st
30967 #endif /* CONFIG_KALLSYMS */
30969 -#ifdef CONFIG_STACKTRACE
30970 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
30972 #define MAX_STACK_TRACE_DEPTH 64
30974 @@ -521,7 +557,7 @@ static int proc_pid_limits(struct task_s
30978 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
30979 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
30980 static int proc_pid_syscall(struct task_struct *task, char *buffer)
30983 @@ -935,6 +971,9 @@ static ssize_t environ_read(struct file
30987 + if (gr_acl_handle_procpidmem(task))
30990 if (!ptrace_may_access(task, PTRACE_MODE_READ))
30993 @@ -1520,7 +1559,11 @@ static struct inode *proc_pid_make_inode
30995 cred = __task_cred(task);
30996 inode->i_uid = cred->euid;
30997 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
30998 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
31000 inode->i_gid = cred->egid;
31004 security_task_to_inode(task, inode);
31005 @@ -1538,6 +1581,9 @@ static int pid_getattr(struct vfsmount *
31006 struct inode *inode = dentry->d_inode;
31007 struct task_struct *task;
31008 const struct cred *cred;
31009 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
31010 + const struct cred *tmpcred = current_cred();
31013 generic_fillattr(inode, stat);
31015 @@ -1545,12 +1591,34 @@ static int pid_getattr(struct vfsmount *
31018 task = pid_task(proc_pid(inode), PIDTYPE_PID);
31020 + if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
31021 + rcu_read_unlock();
31026 + cred = __task_cred(task);
31027 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
31028 + if (!tmpcred->uid || (tmpcred->uid == cred->uid)
31029 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
31030 + || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
31034 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
31035 +#ifdef CONFIG_GRKERNSEC_PROC_USER
31036 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
31037 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
31038 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
31040 task_dumpable(task)) {
31041 - cred = __task_cred(task);
31042 stat->uid = cred->euid;
31043 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
31044 + stat->gid = CONFIG_GRKERNSEC_PROC_GID;
31046 stat->gid = cred->egid;
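Review bot: The caller-identity test added here compares `tmpcred->uid` with the target's `cred->uid`, and the proc_pid_readdir hunk later in this file does the same, but the fs/proc/proc_net.c hunk of this patch tests `cred->fsuid` for what looks like the same policy. A task whose uid and fsuid differ would then get different answers from the per-pid directories and from the net subtree. I would pick one field and put the predicate (root, same user, or member of `CONFIG_GRKERNSEC_PROC_GID`) into a single helper in fs/proc/internal.h, called from all three places. That also removes the `#if` blocks nested inside the `if` condition. pid_getattr starts and ends outside the hunk.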
31051 @@ -1582,11 +1650,20 @@ static int pid_revalidate(struct dentry
31054 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
31055 +#ifdef CONFIG_GRKERNSEC_PROC_USER
31056 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
31057 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
31058 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
31060 task_dumpable(task)) {
31062 cred = __task_cred(task);
31063 inode->i_uid = cred->euid;
31064 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
31065 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
31067 inode->i_gid = cred->egid;
31072 @@ -1707,7 +1784,8 @@ static int proc_fd_info(struct inode *in
31073 int fd = proc_fd(inode);
31076 - files = get_files_struct(task);
31077 + if (!gr_acl_handle_procpidmem(task))
31078 + files = get_files_struct(task);
31079 put_task_struct(task);
31082 @@ -1959,12 +2037,22 @@ static const struct file_operations proc
31083 static int proc_fd_permission(struct inode *inode, int mask)
31086 + struct task_struct *task;
31088 rv = generic_permission(inode, mask, NULL);
31092 if (task_pid(current) == proc_pid(inode))
31095 + task = get_proc_task(inode);
31096 + if (task == NULL)
31099 + if (gr_acl_handle_procpidmem(task))
31102 + put_task_struct(task);
31107 @@ -2073,6 +2161,9 @@ static struct dentry *proc_pident_lookup
31111 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
31115 * Yes, it does not scale. And it should not. Don't add
31116 * new entries into /proc/<tgid>/ without very good reasons.
31117 @@ -2117,6 +2208,9 @@ static int proc_pident_readdir(struct fi
31121 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
31127 @@ -2384,7 +2478,7 @@ static void *proc_self_follow_link(struc
31128 static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd,
31131 - char *s = nd_get_link(nd);
31132 + const char *s = nd_get_link(nd);
31136 @@ -2497,6 +2591,9 @@ static struct dentry *proc_base_lookup(s
31140 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
31143 error = proc_base_instantiate(dir, dentry, task, p);
31146 @@ -2584,7 +2681,7 @@ static const struct pid_entry tgid_base_
31147 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
31149 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
31150 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
31151 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
31152 INF("syscall", S_IRUSR, proc_pid_syscall),
31154 INF("cmdline", S_IRUGO, proc_pid_cmdline),
31155 @@ -2612,7 +2709,7 @@ static const struct pid_entry tgid_base_
31156 #ifdef CONFIG_KALLSYMS
31157 INF("wchan", S_IRUGO, proc_pid_wchan),
31159 -#ifdef CONFIG_STACKTRACE
31160 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
31161 ONE("stack", S_IRUSR, proc_pid_stack),
31163 #ifdef CONFIG_SCHEDSTATS
31164 @@ -2642,6 +2739,9 @@ static const struct pid_entry tgid_base_
31165 #ifdef CONFIG_TASK_IO_ACCOUNTING
31166 INF("io", S_IRUGO, proc_tgid_io_accounting),
31168 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
31169 + INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
31173 static int proc_tgid_base_readdir(struct file * filp,
31174 @@ -2766,7 +2866,14 @@ static struct dentry *proc_pid_instantia
31178 +#ifdef CONFIG_GRKERNSEC_PROC_USER
31179 + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
31180 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
31181 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
31182 + inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
31184 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
31186 inode->i_op = &proc_tgid_base_inode_operations;
31187 inode->i_fop = &proc_tgid_base_operations;
31188 inode->i_flags|=S_IMMUTABLE;
31189 @@ -2808,7 +2915,11 @@ struct dentry *proc_pid_lookup(struct in
31193 + if (gr_check_hidden_task(task))
31194 + goto out_put_task;
31196 result = proc_pid_instantiate(dir, dentry, task, NULL);
31198 put_task_struct(task);
31201 @@ -2873,6 +2984,11 @@ int proc_pid_readdir(struct file * filp,
31203 unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
31204 struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
31205 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
31206 + const struct cred *tmpcred = current_cred();
31207 + const struct cred *itercred;
31209 + filldir_t __filldir = filldir;
31210 struct tgid_iter iter;
31211 struct pid_namespace *ns;
31213 @@ -2891,8 +3007,27 @@ int proc_pid_readdir(struct file * filp,
31214 for (iter = next_tgid(ns, iter);
31216 iter.tgid += 1, iter = next_tgid(ns, iter)) {
31217 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
31219 + itercred = __task_cred(iter.task);
31221 + if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
31222 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
31223 + || (tmpcred->uid && (itercred->uid != tmpcred->uid)
31224 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
31225 + && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
31230 + __filldir = &gr_fake_filldir;
31232 + __filldir = filldir;
31233 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
31234 + rcu_read_unlock();
31236 filp->f_pos = iter.tgid + TGID_OFFSET;
31237 - if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
31238 + if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
31239 put_task_struct(iter.task);
31242 @@ -2919,7 +3054,7 @@ static const struct pid_entry tid_base_s
31243 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
31245 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
31246 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
31247 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
31248 INF("syscall", S_IRUSR, proc_pid_syscall),
31250 INF("cmdline", S_IRUGO, proc_pid_cmdline),
31251 @@ -2946,7 +3081,7 @@ static const struct pid_entry tid_base_s
31252 #ifdef CONFIG_KALLSYMS
31253 INF("wchan", S_IRUGO, proc_pid_wchan),
31255 -#ifdef CONFIG_STACKTRACE
31256 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
31257 ONE("stack", S_IRUSR, proc_pid_stack),
31259 #ifdef CONFIG_SCHEDSTATS
31260 diff -urNp linux-2.6.33.1/fs/proc/cmdline.c linux-2.6.33.1/fs/proc/cmdline.c
31261 --- linux-2.6.33.1/fs/proc/cmdline.c 2010-03-15 12:09:39.000000000 -0400
31262 +++ linux-2.6.33.1/fs/proc/cmdline.c 2010-03-20 16:58:41.828775433 -0400
31263 @@ -23,7 +23,11 @@ static const struct file_operations cmdl
31265 static int __init proc_cmdline_init(void)
31267 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
31268 + proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
31270 proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
31274 module_init(proc_cmdline_init);
31275 diff -urNp linux-2.6.33.1/fs/proc/devices.c linux-2.6.33.1/fs/proc/devices.c
31276 --- linux-2.6.33.1/fs/proc/devices.c 2010-03-15 12:09:39.000000000 -0400
31277 +++ linux-2.6.33.1/fs/proc/devices.c 2010-03-20 16:58:41.828775433 -0400
31278 @@ -64,7 +64,11 @@ static const struct file_operations proc
31280 static int __init proc_devices_init(void)
31282 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
31283 + proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
31285 proc_create("devices", 0, NULL, &proc_devinfo_operations);
31289 module_init(proc_devices_init);
31290 diff -urNp linux-2.6.33.1/fs/proc/inode.c linux-2.6.33.1/fs/proc/inode.c
31291 --- linux-2.6.33.1/fs/proc/inode.c 2010-03-15 12:09:39.000000000 -0400
31292 +++ linux-2.6.33.1/fs/proc/inode.c 2010-03-20 16:58:41.828775433 -0400
31293 @@ -434,7 +434,11 @@ struct inode *proc_get_inode(struct supe
31295 inode->i_mode = de->mode;
31296 inode->i_uid = de->uid;
31297 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
31298 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
31300 inode->i_gid = de->gid;
31304 inode->i_size = de->size;
31305 diff -urNp linux-2.6.33.1/fs/proc/internal.h linux-2.6.33.1/fs/proc/internal.h
31306 --- linux-2.6.33.1/fs/proc/internal.h 2010-03-15 12:09:39.000000000 -0400
31307 +++ linux-2.6.33.1/fs/proc/internal.h 2010-03-20 16:58:41.828775433 -0400
31308 @@ -51,6 +51,9 @@ extern int proc_pid_status(struct seq_fi
31309 struct pid *pid, struct task_struct *task);
31310 extern int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
31311 struct pid *pid, struct task_struct *task);
31312 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
31313 +extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
31315 extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
31317 extern const struct file_operations proc_maps_operations;
31318 diff -urNp linux-2.6.33.1/fs/proc/Kconfig linux-2.6.33.1/fs/proc/Kconfig
31319 --- linux-2.6.33.1/fs/proc/Kconfig 2010-03-15 12:09:39.000000000 -0400
31320 +++ linux-2.6.33.1/fs/proc/Kconfig 2010-03-20 16:58:41.828775433 -0400
31321 @@ -30,12 +30,12 @@ config PROC_FS
31324 bool "/proc/kcore support" if !ARM
31325 - depends on PROC_FS && MMU
31326 + depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
31329 bool "/proc/vmcore support (EXPERIMENTAL)"
31330 - depends on PROC_FS && CRASH_DUMP
31332 + depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
31335 Exports the dump image of crashed kernel in ELF format.
31337 @@ -59,8 +59,8 @@ config PROC_SYSCTL
31340 config PROC_PAGE_MONITOR
31342 - depends on PROC_FS && MMU
31344 + depends on PROC_FS && MMU && !GRKERNSEC
31345 bool "Enable /proc page monitoring" if EMBEDDED
31347 Various /proc files exist to monitor process memory utilization:
31348 diff -urNp linux-2.6.33.1/fs/proc/kcore.c linux-2.6.33.1/fs/proc/kcore.c
31349 --- linux-2.6.33.1/fs/proc/kcore.c 2010-03-15 12:09:39.000000000 -0400
31350 +++ linux-2.6.33.1/fs/proc/kcore.c 2010-03-20 16:58:41.832562866 -0400
31351 @@ -541,6 +541,9 @@ read_kcore(struct file *file, char __use
31353 static int open_kcore(struct inode *inode, struct file *filp)
31355 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
31358 if (!capable(CAP_SYS_RAWIO))
31360 if (kcore_need_update)
31361 diff -urNp linux-2.6.33.1/fs/proc/meminfo.c linux-2.6.33.1/fs/proc/meminfo.c
31362 --- linux-2.6.33.1/fs/proc/meminfo.c 2010-03-15 12:09:39.000000000 -0400
31363 +++ linux-2.6.33.1/fs/proc/meminfo.c 2010-03-20 16:58:41.832562866 -0400
31364 @@ -149,7 +149,7 @@ static int meminfo_proc_show(struct seq_
31366 vmi.largest_chunk >> 10
31367 #ifdef CONFIG_MEMORY_FAILURE
31368 - ,atomic_long_read(&mce_bad_pages) << (PAGE_SHIFT - 10)
31369 + ,atomic_long_read_unchecked(&mce_bad_pages) << (PAGE_SHIFT - 10)
31373 diff -urNp linux-2.6.33.1/fs/proc/nommu.c linux-2.6.33.1/fs/proc/nommu.c
31374 --- linux-2.6.33.1/fs/proc/nommu.c 2010-03-15 12:09:39.000000000 -0400
31375 +++ linux-2.6.33.1/fs/proc/nommu.c 2010-03-20 16:58:41.832562866 -0400
31376 @@ -67,7 +67,7 @@ static int nommu_region_show(struct seq_
31379 seq_printf(m, "%*c", len, ' ');
31380 - seq_path(m, &file->f_path, "");
31381 + seq_path(m, &file->f_path, "\n\\");
31385 diff -urNp linux-2.6.33.1/fs/proc/proc_net.c linux-2.6.33.1/fs/proc/proc_net.c
31386 --- linux-2.6.33.1/fs/proc/proc_net.c 2010-03-15 12:09:39.000000000 -0400
31387 +++ linux-2.6.33.1/fs/proc/proc_net.c 2010-03-20 16:58:41.832562866 -0400
31388 @@ -104,6 +104,17 @@ static struct net *get_proc_task_net(str
31389 struct task_struct *task;
31390 struct nsproxy *ns;
31391 struct net *net = NULL;
31392 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
31393 + const struct cred *cred = current_cred();
31396 +#ifdef CONFIG_GRKERNSEC_PROC_USER
31399 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
31400 + if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
31405 task = pid_task(proc_pid(dir), PIDTYPE_PID);
31406 diff -urNp linux-2.6.33.1/fs/proc/proc_sysctl.c linux-2.6.33.1/fs/proc/proc_sysctl.c
31407 --- linux-2.6.33.1/fs/proc/proc_sysctl.c 2010-03-15 12:09:39.000000000 -0400
31408 +++ linux-2.6.33.1/fs/proc/proc_sysctl.c 2010-03-20 16:58:41.832562866 -0400
31410 #include <linux/security.h>
31411 #include "internal.h"
31413 +extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
31415 static const struct dentry_operations proc_sys_dentry_operations;
31416 static const struct file_operations proc_sys_file_operations;
31417 static const struct inode_operations proc_sys_inode_operations;
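Review bot: The prototype for `gr_handle_sysctl()` is declared with a bare `extern` inside this .c file, so the compiler cannot check it against the definition and a later signature change would go unnoticed here. It belongs in the header that declares the other `gr_*` hooks used throughout this patch, which this file would then include. If it has to stay local, add a comment naming the file that defines it.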
31418 @@ -109,6 +111,9 @@ static struct dentry *proc_sys_lookup(st
31422 + if (gr_handle_sysctl(p, MAY_EXEC))
31425 err = ERR_PTR(-ENOMEM);
31426 inode = proc_sys_make_inode(dir->i_sb, h ? h : head, p);
31428 @@ -228,6 +233,9 @@ static int scan(struct ctl_table_header
31429 if (*pos < file->f_pos)
31432 + if (gr_handle_sysctl(table, 0))
31435 res = proc_sys_fill_cache(file, dirent, filldir, head, table);
31438 @@ -344,6 +352,9 @@ static int proc_sys_getattr(struct vfsmo
31440 return PTR_ERR(head);
31442 + if (table && gr_handle_sysctl(table, MAY_EXEC))
31445 generic_fillattr(inode, stat);
31447 stat->mode = (stat->mode & S_IFMT) | table->mode;
31448 diff -urNp linux-2.6.33.1/fs/proc/root.c linux-2.6.33.1/fs/proc/root.c
31449 --- linux-2.6.33.1/fs/proc/root.c 2010-03-15 12:09:39.000000000 -0400
31450 +++ linux-2.6.33.1/fs/proc/root.c 2010-03-20 16:58:41.836587389 -0400
31451 @@ -134,7 +134,15 @@ void __init proc_root_init(void)
31452 #ifdef CONFIG_PROC_DEVICETREE
31453 proc_device_tree_init();
31455 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
31456 +#ifdef CONFIG_GRKERNSEC_PROC_USER
31457 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
31458 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
31459 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
31462 proc_mkdir("bus", NULL);
31467 diff -urNp linux-2.6.33.1/fs/proc/task_mmu.c linux-2.6.33.1/fs/proc/task_mmu.c
31468 --- linux-2.6.33.1/fs/proc/task_mmu.c 2010-03-15 12:09:39.000000000 -0400
31469 +++ linux-2.6.33.1/fs/proc/task_mmu.c 2010-03-20 16:58:41.836587389 -0400
31470 @@ -46,15 +46,26 @@ void task_mem(struct seq_file *m, struct
31471 "VmStk:\t%8lu kB\n"
31472 "VmExe:\t%8lu kB\n"
31473 "VmLib:\t%8lu kB\n"
31474 - "VmPTE:\t%8lu kB\n",
31475 - hiwater_vm << (PAGE_SHIFT-10),
31476 + "VmPTE:\t%8lu kB\n"
31478 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
31479 + "CsBase:\t%8lx\nCsLim:\t%8lx\n"
31482 + ,hiwater_vm << (PAGE_SHIFT-10),
31483 (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
31484 mm->locked_vm << (PAGE_SHIFT-10),
31485 hiwater_rss << (PAGE_SHIFT-10),
31486 total_rss << (PAGE_SHIFT-10),
31487 data << (PAGE_SHIFT-10),
31488 mm->stack_vm << (PAGE_SHIFT-10), text, lib,
31489 - (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10);
31490 + (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10
31492 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
31493 + , mm->context.user_cs_base, mm->context.user_cs_limit
31499 unsigned long task_vsize(struct mm_struct *mm)
31500 @@ -199,6 +210,12 @@ static int do_maps_open(struct inode *in
31504 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
31505 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
31506 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
31507 + _mm->pax_flags & MF_PAX_SEGMEXEC))
31510 static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
31512 struct mm_struct *mm = vma->vm_mm;
31513 @@ -217,13 +234,22 @@ static void show_map_vma(struct seq_file
31516 seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
31517 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
31518 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start,
31519 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end,
31524 flags & VM_READ ? 'r' : '-',
31525 flags & VM_WRITE ? 'w' : '-',
31526 flags & VM_EXEC ? 'x' : '-',
31527 flags & VM_MAYSHARE ? 's' : 'p',
31528 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
31529 + PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
31533 MAJOR(dev), MINOR(dev), ino, &len);
31536 @@ -232,16 +258,16 @@ static void show_map_vma(struct seq_file
31539 pad_len_spaces(m, len);
31540 - seq_path(m, &file->f_path, "\n");
31541 + seq_path(m, &file->f_path, "\n\\");
31543 const char *name = arch_vma_name(vma);
31546 - if (vma->vm_start <= mm->start_brk &&
31547 - vma->vm_end >= mm->brk) {
31548 + if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
31550 - } else if (vma->vm_start <= mm->start_stack &&
31551 - vma->vm_end >= mm->start_stack) {
31552 + } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
31553 + (vma->vm_start <= mm->start_stack &&
31554 + vma->vm_end >= mm->start_stack)) {
31557 unsigned long stack_start;
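Review bot: Besides the path escaping, this hunk changes how VMAs are labelled, and neither change is explained. The heap test becomes an overlap test against the range from `mm->start_brk` to `mm->brk`, and the stack branch now also matches any VMA with `VM_GROWSDOWN` or `VM_GROWSUP` set, so more than one mapping can take that branch. I would add a comment on each condition, e.g. `/* any VMA overlapping [start_brk, brk] */` and `/* every growable mapping, not only the one containing start_stack */`, so that consumers of the maps output know the labels are no longer unique. The label strings and the rest of show_map_vma are outside the visible lines.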
31558 @@ -402,9 +428,16 @@ static int show_smap(struct seq_file *m,
31561 memset(&mss, 0, sizeof mss);
31563 - if (vma->vm_mm && !is_vm_hugetlb_page(vma))
31564 - walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
31566 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
31567 + if (!PAX_RAND_FLAGS(vma->vm_mm)) {
31570 + if (vma->vm_mm && !is_vm_hugetlb_page(vma))
31571 + walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
31572 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
31576 show_map_vma(m, vma);
31578 @@ -420,7 +453,11 @@ static int show_smap(struct seq_file *m,
31580 "KernelPageSize: %8lu kB\n"
31581 "MMUPageSize: %8lu kB\n",
31582 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
31583 + PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
31585 (vma->vm_end - vma->vm_start) >> 10,
31587 mss.resident >> 10,
31588 (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
31589 mss.shared_clean >> 10,
31590 diff -urNp linux-2.6.33.1/fs/proc/task_nommu.c linux-2.6.33.1/fs/proc/task_nommu.c
31591 --- linux-2.6.33.1/fs/proc/task_nommu.c 2010-03-15 12:09:39.000000000 -0400
31592 +++ linux-2.6.33.1/fs/proc/task_nommu.c 2010-03-20 16:58:41.836587389 -0400
31593 @@ -50,7 +50,7 @@ void task_mem(struct seq_file *m, struct
31595 bytes += kobjsize(mm);
31597 - if (current->fs && current->fs->users > 1)
31598 + if (current->fs && atomic_read(¤t->fs->users) > 1)
31599 sbytes += kobjsize(current->fs);
31601 bytes += kobjsize(current->fs);
31602 @@ -158,7 +158,7 @@ static int nommu_vma_show(struct seq_fil
31605 seq_printf(m, "%*c", len, ' ');
31606 - seq_path(m, &file->f_path, "");
31607 + seq_path(m, &file->f_path, "\n\\");
31611 diff -urNp linux-2.6.33.1/fs/readdir.c linux-2.6.33.1/fs/readdir.c
31612 --- linux-2.6.33.1/fs/readdir.c 2010-03-15 12:09:39.000000000 -0400
31613 +++ linux-2.6.33.1/fs/readdir.c 2010-03-20 16:58:41.836587389 -0400
31615 #include <linux/security.h>
31616 #include <linux/syscalls.h>
31617 #include <linux/unistd.h>
31618 +#include <linux/namei.h>
31620 #include <asm/uaccess.h>
31622 @@ -67,6 +68,7 @@ struct old_linux_dirent {
31624 struct readdir_callback {
31625 struct old_linux_dirent __user * dirent;
31626 + struct file * file;
31630 @@ -84,6 +86,10 @@ static int fillonedir(void * __buf, cons
31631 buf->result = -EOVERFLOW;
31635 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
31639 dirent = buf->dirent;
31640 if (!access_ok(VERIFY_WRITE, dirent,
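Review bot: `fillonedir` now reads `buf->file`, but that structure is filled in by the caller, and in the old_readdir hunk that follows the only assignment visible in this view is `buf.dirent = dirent;`. If any user of these callbacks leaves the new `file` member unset, `gr_acl_handle_filldir` is handed whatever the caller's (presumably on-stack) structure contained. The same applies to the `filldir` and `filldir64` hunks and their getdents/getdents64 callers. It is worth confirming that each caller sets `buf.file = file;` before `vfs_readdir`. A short comment at the check should also state whether a denied entry is skipped silently or reported as an error. All of these functions continue outside their hunks.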
31641 @@ -116,6 +122,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned in
31644 buf.dirent = dirent;
31647 error = vfs_readdir(file, fillonedir, &buf);
31649 @@ -142,6 +149,7 @@ struct linux_dirent {
31650 struct getdents_callback {
31651 struct linux_dirent __user * current_dir;
31652 struct linux_dirent __user * previous;
31653 + struct file * file;
31657 @@ -162,6 +170,10 @@ static int filldir(void * __buf, const c
31658 buf->error = -EOVERFLOW;
31662 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
31665 dirent = buf->previous;
31667 if (__put_user(offset, &dirent->d_off))
31668 @@ -209,6 +221,7 @@ SYSCALL_DEFINE3(getdents, unsigned int,
31669 buf.previous = NULL;
31674 error = vfs_readdir(file, filldir, &buf);
31676 @@ -228,6 +241,7 @@ out:
31677 struct getdents_callback64 {
31678 struct linux_dirent64 __user * current_dir;
31679 struct linux_dirent64 __user * previous;
31680 + struct file *file;
31684 @@ -242,6 +256,10 @@ static int filldir64(void * __buf, const
31685 buf->error = -EINVAL; /* only used if we fail.. */
31686 if (reclen > buf->count)
31689 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
31692 dirent = buf->previous;
31694 if (__put_user(offset, &dirent->d_off))
31695 @@ -289,6 +307,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
31697 buf.current_dir = dirent;
31698 buf.previous = NULL;
31703 diff -urNp linux-2.6.33.1/fs/reiserfs/do_balan.c linux-2.6.33.1/fs/reiserfs/do_balan.c
31704 --- linux-2.6.33.1/fs/reiserfs/do_balan.c 2010-03-15 12:09:39.000000000 -0400
31705 +++ linux-2.6.33.1/fs/reiserfs/do_balan.c 2010-03-20 16:58:41.848535760 -0400
31706 @@ -2051,7 +2051,7 @@ void do_balance(struct tree_balance *tb,
31710 - atomic_inc(&(fs_generation(tb->tb_sb)));
31711 + atomic_inc_unchecked(&(fs_generation(tb->tb_sb)));
31712 do_balance_starts(tb);
31714 /* balance leaf returns 0 except if combining L R and S into
31715 diff -urNp linux-2.6.33.1/fs/reiserfs/item_ops.c linux-2.6.33.1/fs/reiserfs/item_ops.c
31716 --- linux-2.6.33.1/fs/reiserfs/item_ops.c 2010-03-15 12:09:39.000000000 -0400
31717 +++ linux-2.6.33.1/fs/reiserfs/item_ops.c 2010-03-20 16:58:41.848535760 -0400
31718 @@ -102,7 +102,7 @@ static void sd_print_vi(struct virtual_i
31719 vi->vi_index, vi->vi_type, vi->vi_ih);
31722 -static struct item_operations stat_data_ops = {
31723 +static const struct item_operations stat_data_ops = {
31724 .bytes_number = sd_bytes_number,
31725 .decrement_key = sd_decrement_key,
31726 .is_left_mergeable = sd_is_left_mergeable,
31727 @@ -196,7 +196,7 @@ static void direct_print_vi(struct virtu
31728 vi->vi_index, vi->vi_type, vi->vi_ih);
31731 -static struct item_operations direct_ops = {
31732 +static const struct item_operations direct_ops = {
31733 .bytes_number = direct_bytes_number,
31734 .decrement_key = direct_decrement_key,
31735 .is_left_mergeable = direct_is_left_mergeable,
31736 @@ -341,7 +341,7 @@ static void indirect_print_vi(struct vir
31737 vi->vi_index, vi->vi_type, vi->vi_ih);
31740 -static struct item_operations indirect_ops = {
31741 +static const struct item_operations indirect_ops = {
31742 .bytes_number = indirect_bytes_number,
31743 .decrement_key = indirect_decrement_key,
31744 .is_left_mergeable = indirect_is_left_mergeable,
31745 @@ -628,7 +628,7 @@ static void direntry_print_vi(struct vir
31749 -static struct item_operations direntry_ops = {
31750 +static const struct item_operations direntry_ops = {
31751 .bytes_number = direntry_bytes_number,
31752 .decrement_key = direntry_decrement_key,
31753 .is_left_mergeable = direntry_is_left_mergeable,
31754 @@ -724,7 +724,7 @@ static void errcatch_print_vi(struct vir
31755 "Invalid item type observed, run fsck ASAP");
31758 -static struct item_operations errcatch_ops = {
31759 +static const struct item_operations errcatch_ops = {
31760 errcatch_bytes_number,
31761 errcatch_decrement_key,
31762 errcatch_is_left_mergeable,
31763 @@ -746,7 +746,7 @@ static struct item_operations errcatch_o
31764 #error Item types must use disk-format assigned values.
31767 -struct item_operations *item_ops[TYPE_ANY + 1] = {
31768 +const struct item_operations * const item_ops[TYPE_ANY + 1] = {
31772 diff -urNp linux-2.6.33.1/fs/reiserfs/procfs.c linux-2.6.33.1/fs/reiserfs/procfs.c
31773 --- linux-2.6.33.1/fs/reiserfs/procfs.c 2010-03-15 12:09:39.000000000 -0400
31774 +++ linux-2.6.33.1/fs/reiserfs/procfs.c 2010-03-20 16:58:41.848535760 -0400
31775 @@ -113,7 +113,7 @@ static int show_super(struct seq_file *m
31776 "SMALL_TAILS " : "NO_TAILS ",
31777 replay_only(sb) ? "REPLAY_ONLY " : "",
31778 convert_reiserfs(sb) ? "CONV " : "",
31779 - atomic_read(&r->s_generation_counter),
31780 + atomic_read_unchecked(&r->s_generation_counter),
31781 SF(s_disk_reads), SF(s_disk_writes), SF(s_fix_nodes),
31782 SF(s_do_balance), SF(s_unneeded_left_neighbor),
31783 SF(s_good_search_by_key_reada), SF(s_bmaps),
31784 diff -urNp linux-2.6.33.1/fs/select.c linux-2.6.33.1/fs/select.c
31785 --- linux-2.6.33.1/fs/select.c 2010-03-15 12:09:39.000000000 -0400
31786 +++ linux-2.6.33.1/fs/select.c 2010-03-20 16:58:41.848535760 -0400
31788 #include <linux/module.h>
31789 #include <linux/slab.h>
31790 #include <linux/poll.h>
31791 +#include <linux/security.h>
31792 #include <linux/personality.h> /* for STICKY_TIMEOUTS */
31793 #include <linux/file.h>
31794 #include <linux/fdtable.h>
31795 @@ -821,6 +822,7 @@ int do_sys_poll(struct pollfd __user *uf
31796 struct poll_list *walk = head;
31797 unsigned long todo = nfds;
31799 + gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1);
31800 if (nfds > current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
31803 diff -urNp linux-2.6.33.1/fs/seq_file.c linux-2.6.33.1/fs/seq_file.c
31804 --- linux-2.6.33.1/fs/seq_file.c 2010-03-15 12:09:39.000000000 -0400
31805 +++ linux-2.6.33.1/fs/seq_file.c 2010-03-20 16:58:41.860772579 -0400
31806 @@ -76,7 +76,8 @@ static int traverse(struct seq_file *m,
31810 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
31811 + m->size = PAGE_SIZE;
31812 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
31816 @@ -116,7 +117,8 @@ static int traverse(struct seq_file *m,
31820 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
31822 + m->buf = kmalloc(m->size, GFP_KERNEL);
31823 return !m->buf ? -ENOMEM : -EAGAIN;
31826 @@ -169,7 +171,8 @@ ssize_t seq_read(struct file *file, char
31827 m->version = file->f_version;
31828 /* grab buffer if we didn't have one */
31830 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
31831 + m->size = PAGE_SIZE;
31832 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
31836 @@ -210,7 +213,8 @@ ssize_t seq_read(struct file *file, char
31840 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
31842 + m->buf = kmalloc(m->size, GFP_KERNEL);
31846 diff -urNp linux-2.6.33.1/fs/smbfs/symlink.c linux-2.6.33.1/fs/smbfs/symlink.c
31847 --- linux-2.6.33.1/fs/smbfs/symlink.c 2010-03-15 12:09:39.000000000 -0400
31848 +++ linux-2.6.33.1/fs/smbfs/symlink.c 2010-03-20 16:58:41.860772579 -0400
31849 @@ -55,7 +55,7 @@ static void *smb_follow_link(struct dent
31851 static void smb_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
31853 - char *s = nd_get_link(nd);
31854 + const char *s = nd_get_link(nd);
31858 diff -urNp linux-2.6.33.1/fs/splice.c linux-2.6.33.1/fs/splice.c
31859 --- linux-2.6.33.1/fs/splice.c 2010-03-15 12:09:39.000000000 -0400
31860 +++ linux-2.6.33.1/fs/splice.c 2010-03-20 16:58:41.877542041 -0400
31861 @@ -185,7 +185,7 @@ ssize_t splice_to_pipe(struct pipe_inode
31865 - if (!pipe->readers) {
31866 + if (!atomic_read(&pipe->readers)) {
31867 send_sig(SIGPIPE, current, 0);
31870 @@ -239,9 +239,9 @@ ssize_t splice_to_pipe(struct pipe_inode
31874 - pipe->waiting_writers++;
31875 + atomic_inc(&pipe->waiting_writers);
31877 - pipe->waiting_writers--;
31878 + atomic_dec(&pipe->waiting_writers);
31882 @@ -531,7 +531,7 @@ static ssize_t kernel_readv(struct file
31885 /* The cast to a user pointer is valid due to the set_fs() */
31886 - res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
31887 + res = vfs_readv(file, (__force const struct iovec __user *)vec, vlen, &pos);
31891 @@ -546,7 +546,7 @@ static ssize_t kernel_write(struct file
31894 /* The cast to a user pointer is valid due to the set_fs() */
31895 - res = vfs_write(file, (const char __user *)buf, count, &pos);
31896 + res = vfs_write(file, (__force const char __user *)buf, count, &pos);
31900 @@ -588,7 +588,7 @@ ssize_t default_file_splice_read(struct
31903 this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
31904 - vec[i].iov_base = (void __user *) page_address(page);
31905 + vec[i].iov_base = (__force void __user *) page_address(page);
31906 vec[i].iov_len = this_len;
31909 @@ -810,10 +810,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed);
31910 int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
31912 while (!pipe->nrbufs) {
31913 - if (!pipe->writers)
31914 + if (!atomic_read(&pipe->writers))
31917 - if (!pipe->waiting_writers && sd->num_spliced)
31918 + if (!atomic_read(&pipe->waiting_writers) && sd->num_spliced)
31921 if (sd->flags & SPLICE_F_NONBLOCK)
31922 @@ -1150,7 +1150,7 @@ ssize_t splice_direct_to_actor(struct fi
31923 * out of the pipe right after the splice_to_pipe(). So set
31924 * PIPE_READERS appropriately.
31926 - pipe->readers = 1;
31927 + atomic_set(&pipe->readers, 1);
31929 current->splice_pipe = pipe;
31931 @@ -1710,9 +1710,9 @@ static int ipipe_prep(struct pipe_inode_
31932 ret = -ERESTARTSYS;
31935 - if (!pipe->writers)
31936 + if (!atomic_read(&pipe->writers))
31938 - if (!pipe->waiting_writers) {
31939 + if (!atomic_read(&pipe->waiting_writers)) {
31940 if (flags & SPLICE_F_NONBLOCK) {
31943 @@ -1744,7 +1744,7 @@ static int opipe_prep(struct pipe_inode_
31946 while (pipe->nrbufs >= PIPE_BUFFERS) {
31947 - if (!pipe->readers) {
31948 + if (!atomic_read(&pipe->readers)) {
31949 send_sig(SIGPIPE, current, 0);
31952 @@ -1757,9 +1757,9 @@ static int opipe_prep(struct pipe_inode_
31953 ret = -ERESTARTSYS;
31956 - pipe->waiting_writers++;
31957 + atomic_inc(&pipe->waiting_writers);
31959 - pipe->waiting_writers--;
31960 + atomic_dec(&pipe->waiting_writers);
31964 @@ -1795,14 +1795,14 @@ retry:
31965 pipe_double_lock(ipipe, opipe);
31968 - if (!opipe->readers) {
31969 + if (!atomic_read(&opipe->readers)) {
31970 send_sig(SIGPIPE, current, 0);
31976 - if (!ipipe->nrbufs && !ipipe->writers)
31977 + if (!ipipe->nrbufs && !atomic_read(&ipipe->writers))
31981 @@ -1902,7 +1902,7 @@ static int link_pipe(struct pipe_inode_i
31982 pipe_double_lock(ipipe, opipe);
31985 - if (!opipe->readers) {
31986 + if (!atomic_read(&opipe->readers)) {
31987 send_sig(SIGPIPE, current, 0);
31990 @@ -1947,7 +1947,7 @@ static int link_pipe(struct pipe_inode_i
31991 * return EAGAIN if we have the potential of some data in the
31992 * future, otherwise just return 0
31994 - if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
31995 + if (!ret && atomic_read(&ipipe->waiting_writers) && (flags & SPLICE_F_NONBLOCK))
31998 pipe_unlock(ipipe);
31999 diff -urNp linux-2.6.33.1/fs/sysfs/file.c linux-2.6.33.1/fs/sysfs/file.c
32000 --- linux-2.6.33.1/fs/sysfs/file.c 2010-03-15 12:09:39.000000000 -0400
32001 +++ linux-2.6.33.1/fs/sysfs/file.c 2010-03-20 16:58:41.877542041 -0400
32002 @@ -53,7 +53,7 @@ struct sysfs_buffer {
32006 - struct sysfs_ops * ops;
32007 + const struct sysfs_ops * ops;
32008 struct mutex mutex;
32009 int needs_read_fill;
32011 @@ -75,7 +75,7 @@ static int fill_read_buffer(struct dentr
32013 struct sysfs_dirent *attr_sd = dentry->d_fsdata;
32014 struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
32015 - struct sysfs_ops * ops = buffer->ops;
32016 + const struct sysfs_ops * ops = buffer->ops;
32020 @@ -199,7 +199,7 @@ flush_write_buffer(struct dentry * dentr
32022 struct sysfs_dirent *attr_sd = dentry->d_fsdata;
32023 struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
32024 - struct sysfs_ops * ops = buffer->ops;
32025 + const struct sysfs_ops * ops = buffer->ops;
32028 /* need attr_sd for attr and ops, its parent for kobj */
32029 @@ -335,7 +335,7 @@ static int sysfs_open_file(struct inode
32030 struct sysfs_dirent *attr_sd = file->f_path.dentry->d_fsdata;
32031 struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
32032 struct sysfs_buffer *buffer;
32033 - struct sysfs_ops *ops;
32034 + const struct sysfs_ops *ops;
32035 int error = -EACCES;
32038 diff -urNp linux-2.6.33.1/fs/sysfs/symlink.c linux-2.6.33.1/fs/sysfs/symlink.c
32039 --- linux-2.6.33.1/fs/sysfs/symlink.c 2010-03-15 12:09:39.000000000 -0400
32040 +++ linux-2.6.33.1/fs/sysfs/symlink.c 2010-03-20 16:58:41.877542041 -0400
32041 @@ -204,7 +204,7 @@ static void *sysfs_follow_link(struct de
32043 static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
32045 - char *page = nd_get_link(nd);
32046 + const char *page = nd_get_link(nd);
32048 free_page((unsigned long)page);
32050 diff -urNp linux-2.6.33.1/fs/udf/balloc.c linux-2.6.33.1/fs/udf/balloc.c
32051 --- linux-2.6.33.1/fs/udf/balloc.c 2010-03-15 12:09:39.000000000 -0400
32052 +++ linux-2.6.33.1/fs/udf/balloc.c 2010-03-20 16:58:41.880865953 -0400
32053 @@ -172,9 +172,7 @@ static void udf_bitmap_free_blocks(struc
32055 mutex_lock(&sbi->s_alloc_mutex);
32056 partmap = &sbi->s_partmaps[bloc->partitionReferenceNum];
32057 - if (bloc->logicalBlockNum < 0 ||
32058 - (bloc->logicalBlockNum + count) >
32059 - partmap->s_partition_len) {
32060 + if ((bloc->logicalBlockNum + count) > partmap->s_partition_len) {
32061 udf_debug("%d < %d || %d + %d > %d\n",
32062 bloc->logicalBlockNum, 0, bloc->logicalBlockNum,
32063 count, partmap->s_partition_len);
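Review bot: The bound check that remains, `(bloc->logicalBlockNum + count) > partmap->s_partition_len`, can wrap. Dropping the `< 0` test implies `logicalBlockNum` is unsigned, and if it and `count` are both 32-bit (their declarations are not in the hunk), a large block number plus `count` overflows to a small value and passes the test. If these values can come from on-disk metadata, the free path in udf_bitmap_free_blocks would then operate outside the partition. Comparing without the addition avoids that: `if (count > partmap->s_partition_len || bloc->logicalBlockNum > partmap->s_partition_len - count) {`. The same line appears in the udf_table_free_blocks hunk below, and the `udf_debug` format in both still prints the removed `%d < %d` comparison. Both function bodies continue outside their hunks.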
32064 @@ -436,9 +434,7 @@ static void udf_table_free_blocks(struct
32066 mutex_lock(&sbi->s_alloc_mutex);
32067 partmap = &sbi->s_partmaps[bloc->partitionReferenceNum];
32068 - if (bloc->logicalBlockNum < 0 ||
32069 - (bloc->logicalBlockNum + count) >
32070 - partmap->s_partition_len) {
32071 + if ((bloc->logicalBlockNum + count) > partmap->s_partition_len) {
32072 udf_debug("%d < %d || %d + %d > %d\n",
32073 bloc->logicalBlockNum, 0, bloc->logicalBlockNum, count,
32074 partmap->s_partition_len);
32075 diff -urNp linux-2.6.33.1/fs/utimes.c linux-2.6.33.1/fs/utimes.c
32076 --- linux-2.6.33.1/fs/utimes.c 2010-03-15 12:09:39.000000000 -0400
32077 +++ linux-2.6.33.1/fs/utimes.c 2010-03-20 16:58:41.884933711 -0400
32079 #include <linux/compiler.h>
32080 #include <linux/file.h>
32081 #include <linux/fs.h>
32082 +#include <linux/security.h>
32083 #include <linux/linkage.h>
32084 #include <linux/mount.h>
32085 #include <linux/namei.h>
32086 @@ -101,6 +102,12 @@ static int utimes_common(struct path *pa
32087 goto mnt_drop_write_and_out;
32091 + if (!gr_acl_handle_utime(path->dentry, path->mnt)) {
32093 + goto mnt_drop_write_and_out;
32096 mutex_lock(&inode->i_mutex);
32097 error = notify_change(path->dentry, &newattrs);
32098 mutex_unlock(&inode->i_mutex);
32099 diff -urNp linux-2.6.33.1/fs/xfs/linux-2.6/xfs_ioctl.c linux-2.6.33.1/fs/xfs/linux-2.6/xfs_ioctl.c
32100 --- linux-2.6.33.1/fs/xfs/linux-2.6/xfs_ioctl.c 2010-03-15 12:09:39.000000000 -0400
32101 +++ linux-2.6.33.1/fs/xfs/linux-2.6/xfs_ioctl.c 2010-03-20 16:58:41.884933711 -0400
32102 @@ -135,7 +135,7 @@ xfs_find_handle(
32106 - if (copy_to_user(hreq->ohandle, &handle, hsize) ||
32107 + if (hsize > sizeof(handle) || copy_to_user(hreq->ohandle, &handle, hsize) ||
32108 copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
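Review bot: The added `hsize > sizeof(handle)` test in xfs_find_handle is folded into the copy_to_user condition, so an oversized length leaves through the same path as a faulting user pointer and nothing records why the test exists. It matters because `hsize` is the number of bytes read out of the local `handle`, and a value larger than the object would copy adjacent kernel memory to user space. A comment on the line would keep a later cleanup from dropping it: `/* never copy more than the handle itself */`. `hsize` is declared outside the hunk. If it is a signed type, the comparison against `sizeof` converts it to unsigned, which also rejects negative values; that is worth stating rather than leaving implicit.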
32111 diff -urNp linux-2.6.33.1/fs/xfs/linux-2.6/xfs_iops.c linux-2.6.33.1/fs/xfs/linux-2.6/xfs_iops.c
32112 --- linux-2.6.33.1/fs/xfs/linux-2.6/xfs_iops.c 2010-03-15 12:09:39.000000000 -0400
32113 +++ linux-2.6.33.1/fs/xfs/linux-2.6/xfs_iops.c 2010-03-20 16:58:41.884933711 -0400
32114 @@ -469,7 +469,7 @@ xfs_vn_put_link(
32115 struct nameidata *nd,
32118 - char *s = nd_get_link(nd);
32119 + const char *s = nd_get_link(nd);
32123 diff -urNp linux-2.6.33.1/fs/xfs/xfs_bmap.c linux-2.6.33.1/fs/xfs/xfs_bmap.c
32124 --- linux-2.6.33.1/fs/xfs/xfs_bmap.c 2010-03-15 12:09:39.000000000 -0400
32125 +++ linux-2.6.33.1/fs/xfs/xfs_bmap.c 2010-03-20 16:58:41.888938450 -0400
32126 @@ -296,7 +296,7 @@ xfs_bmap_validate_ret(
32130 -#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
32131 +#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
32135 diff -urNp linux-2.6.33.1/grsecurity/gracl_alloc.c linux-2.6.33.1/grsecurity/gracl_alloc.c
32136 --- linux-2.6.33.1/grsecurity/gracl_alloc.c 1969-12-31 19:00:00.000000000 -0500
32137 +++ linux-2.6.33.1/grsecurity/gracl_alloc.c 2010-03-20 16:58:41.888938450 -0400
32139 +#include <linux/kernel.h>
32140 +#include <linux/mm.h>
32141 +#include <linux/slab.h>
32142 +#include <linux/vmalloc.h>
32143 +#include <linux/gracl.h>
32144 +#include <linux/grsecurity.h>
32146 +static unsigned long alloc_stack_next = 1;
32147 +static unsigned long alloc_stack_size = 1;
32148 +static void **alloc_stack;
32150 +static __inline__ int
32153 + if (alloc_stack_next == 1)
32156 + kfree(alloc_stack[alloc_stack_next - 2]);
32158 + alloc_stack_next--;
32163 +static __inline__ int
32164 +alloc_push(void *buf)
32166 + if (alloc_stack_next >= alloc_stack_size)
32169 + alloc_stack[alloc_stack_next - 1] = buf;
32171 + alloc_stack_next++;
32177 +acl_alloc(unsigned long len)
32179 + void *ret = NULL;
32181 + if (!len || len > PAGE_SIZE)
32184 + ret = kmalloc(len, GFP_KERNEL);
32187 + if (alloc_push(ret)) {
32198 +acl_alloc_num(unsigned long num, unsigned long len)
32200 + if (!len || (num > (PAGE_SIZE / len)))
32203 + return acl_alloc(num * len);
32207 +acl_free_all(void)
32209 + if (gr_acl_is_enabled() || !alloc_stack)
32212 + while (alloc_pop()) ;
32214 + if (alloc_stack) {
32215 + if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
32216 + kfree(alloc_stack);
32218 + vfree(alloc_stack);
32221 + alloc_stack = NULL;
32222 + alloc_stack_size = 1;
32223 + alloc_stack_next = 1;
32229 +acl_alloc_stack_init(unsigned long size)
32231 + if ((size * sizeof (void *)) <= PAGE_SIZE)
32233 + (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
32235 + alloc_stack = (void **) vmalloc(size * sizeof (void *));
32237 + alloc_stack_size = size;
32239 + if (!alloc_stack)
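Review bot: In acl_alloc_stack_init, `size * sizeof (void *)` is computed with no overflow check, and `alloc_stack_size = size` is stored before the allocation result is tested. Where `size` comes from is not visible in this file. If it can be large enough for the product to wrap, the `<= PAGE_SIZE` branch allocates a short array while alloc_push still accepts indexes up to `size`, so later pushes would write past the array. A guard at the top that fails the init, `if (size > ULONG_MAX / sizeof (void *))`, closes that. Assigning `alloc_stack_size` only once `alloc_stack` is known to be non-NULL keeps the state consistent on failure. acl_free_all chooses between kfree and vfree by recomputing the same product, so it relies on the same bound.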
32244 diff -urNp linux-2.6.33.1/grsecurity/gracl.c linux-2.6.33.1/grsecurity/gracl.c
32245 --- linux-2.6.33.1/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
32246 +++ linux-2.6.33.1/grsecurity/gracl.c 2010-03-20 17:00:48.140865901 -0400
32248 +#include <linux/kernel.h>
32249 +#include <linux/module.h>
32250 +#include <linux/sched.h>
32251 +#include <linux/mm.h>
32252 +#include <linux/file.h>
32253 +#include <linux/fs.h>
32254 +#include <linux/namei.h>
32255 +#include <linux/mount.h>
32256 +#include <linux/tty.h>
32257 +#include <linux/proc_fs.h>
32258 +#include <linux/smp_lock.h>
32259 +#include <linux/slab.h>
32260 +#include <linux/vmalloc.h>
32261 +#include <linux/types.h>
32262 +#include <linux/sysctl.h>
32263 +#include <linux/netdevice.h>
32264 +#include <linux/ptrace.h>
32265 +#include <linux/gracl.h>
32266 +#include <linux/gralloc.h>
32267 +#include <linux/grsecurity.h>
32268 +#include <linux/grinternal.h>
32269 +#include <linux/pid_namespace.h>
32270 +#include <linux/fdtable.h>
32271 +#include <linux/percpu.h>
32273 +#include <asm/uaccess.h>
32274 +#include <asm/errno.h>
32275 +#include <asm/mman.h>
32277 +static struct acl_role_db acl_role_set;
32278 +static struct name_db name_set;
32279 +static struct inodev_db inodev_set;
32281 +/* for keeping track of userspace pointers used for subjects, so we
32282 + can share references in the kernel as well
32285 +static struct dentry *real_root;
32286 +static struct vfsmount *real_root_mnt;
32288 +static struct acl_subj_map_db subj_map_set;
32290 +static struct acl_role_label *default_role;
32292 +static struct acl_role_label *role_list;
32294 +static u16 acl_sp_role_value;
32296 +extern char *gr_shared_page[4];
32297 +static DECLARE_MUTEX(gr_dev_sem);
32298 +DEFINE_RWLOCK(gr_inode_lock);
32300 +struct gr_arg *gr_usermode;
32302 +static unsigned int gr_status __read_only = GR_STATUS_INIT;
32304 +extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
32305 +extern void gr_clear_learn_entries(void);
32307 +#ifdef CONFIG_GRKERNSEC_RESLOG
32308 +extern void gr_log_resource(const struct task_struct *task,
32309 + const int res, const unsigned long wanted, const int gt);
32312 +unsigned char *gr_system_salt;
32313 +unsigned char *gr_system_sum;
32315 +static struct sprole_pw **acl_special_roles = NULL;
32316 +static __u16 num_sprole_pws = 0;
32318 +static struct acl_role_label *kernel_role = NULL;
32320 +static unsigned int gr_auth_attempts = 0;
32321 +static unsigned long gr_auth_expires = 0UL;
32323 +extern struct vfsmount *sock_mnt;
32324 +extern struct vfsmount *pipe_mnt;
32325 +extern struct vfsmount *shm_mnt;
32326 +static struct acl_object_label *fakefs_obj;
32328 +extern int gr_init_uidset(void);
32329 +extern void gr_free_uidset(void);
32330 +extern void gr_remove_uid(uid_t uid);
32331 +extern int gr_find_uid(uid_t uid);
32334 +gr_acl_is_enabled(void)
32336 + return (gr_status & GR_READY);
32339 +char gr_roletype_to_char(void)
32341 + switch (current->role->roletype &
32342 + (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
32343 + GR_ROLE_SPECIAL)) {
32344 + case GR_ROLE_DEFAULT:
32346 + case GR_ROLE_USER:
32348 + case GR_ROLE_GROUP:
32350 + case GR_ROLE_SPECIAL:
32358 +gr_acl_tpe_check(void)
32360 + if (unlikely(!(gr_status & GR_READY)))
32362 + if (current->role->roletype & GR_ROLE_TPE)
32369 +gr_handle_rawio(const struct inode *inode)
32371 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
32372 + if (inode && S_ISBLK(inode->i_mode) &&
32373 + grsec_enable_chroot_caps && proc_is_chrooted(current) &&
32374 + !capable(CAP_SYS_RAWIO))
32381 +gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
32384 + unsigned long *l1;
32385 + unsigned long *l2;
32386 + unsigned char *c1;
32387 + unsigned char *c2;
32390 + if (likely(lena != lenb))
32393 + l1 = (unsigned long *)a;
32394 + l2 = (unsigned long *)b;
32396 + num_longs = lena / sizeof(unsigned long);
32398 + for (i = num_longs; i--; l1++, l2++) {
32399 + if (unlikely(*l1 != *l2))
32403 + c1 = (unsigned char *) l1;
32404 + c2 = (unsigned char *) l2;
32406 + i = lena - (num_longs * sizeof(unsigned long));
32408 + for (; i--; c1++, c2++) {
32409 + if (unlikely(*c1 != *c2))
32416 +static char * __our_d_path(struct dentry *dentry, struct vfsmount *vfsmnt,
32417 + struct dentry *root, struct vfsmount *rootmnt,
32418 + char *buffer, int buflen)
32420 + char * end = buffer+buflen;
32429 + /* Get '/' right */
32434 + struct dentry * parent;
32436 + if (dentry == root && vfsmnt == rootmnt)
32438 + if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
32439 + /* Global root? */
32440 + spin_lock(&vfsmount_lock);
32441 + if (vfsmnt->mnt_parent == vfsmnt) {
32442 + spin_unlock(&vfsmount_lock);
32443 + goto global_root;
32445 + dentry = vfsmnt->mnt_mountpoint;
32446 + vfsmnt = vfsmnt->mnt_parent;
32447 + spin_unlock(&vfsmount_lock);
32450 + parent = dentry->d_parent;
32451 + prefetch(parent);
32452 + namelen = dentry->d_name.len;
32453 + buflen -= namelen + 1;
32457 + memcpy(end, dentry->d_name.name, namelen);
32466 + namelen = dentry->d_name.len;
32467 + buflen -= namelen;
32470 + retval -= namelen-1; /* hit the slash */
32471 + memcpy(retval, dentry->d_name.name, namelen);
32474 + return ERR_PTR(-ENAMETOOLONG);
32478 +gen_full_path(struct dentry *dentry, struct vfsmount *vfsmnt,
32479 + struct dentry *root, struct vfsmount *rootmnt, char *buf, int buflen)
32483 + retval = __our_d_path(dentry, vfsmnt, root, rootmnt, buf, buflen);
32484 + if (unlikely(IS_ERR(retval)))
32485 + retval = strcpy(buf, "<path too long>");
32486 + else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
32487 + retval[1] = '\0';
32493 +__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
32494 + char *buf, int buflen)
32498 + /* we can use real_root, real_root_mnt, because this is only called
32499 + by the RBAC system */
32500 + res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, real_root, real_root_mnt, buf, buflen);
32506 +d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
32507 + char *buf, int buflen)
32510 + struct dentry *root;
32511 + struct vfsmount *rootmnt;
32512 + struct task_struct *reaper = &init_task;
32514 + /* we can't use real_root, real_root_mnt, because they belong only to the RBAC system */
32515 + read_lock(&reaper->fs->lock);
32516 + root = dget(reaper->fs->root.dentry);
32517 + rootmnt = mntget(reaper->fs->root.mnt);
32518 + read_unlock(&reaper->fs->lock);
32520 + spin_lock(&dcache_lock);
32521 + res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, root, rootmnt, buf, buflen);
32522 + spin_unlock(&dcache_lock);
32530 +gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
32533 + spin_lock(&dcache_lock);
32534 + ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
32536 + spin_unlock(&dcache_lock);
32541 +gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
32543 + return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
32548 +gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
32550 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
32555 +gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
32557 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
32562 +gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
32564 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
32569 +gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
32571 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
32576 +to_gr_audit(const __u32 reqmode)
32578 + /* masks off auditable permission flags, then shifts them to create
32579 + auditing flags, and adds the special case of append auditing if
32580 + we're requesting write */
32581 + return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
32584 +struct acl_subject_label *
32585 +lookup_subject_map(const struct acl_subject_label *userp)
32587 + unsigned int index = shash(userp, subj_map_set.s_size);
32588 + struct subject_map *match;
32590 + match = subj_map_set.s_hash[index];
32592 + while (match && match->user != userp)
32593 + match = match->next;
32595 + if (match != NULL)
32596 + return match->kernel;
32602 +insert_subj_map_entry(struct subject_map *subjmap)
32604 + unsigned int index = shash(subjmap->user, subj_map_set.s_size);
32605 + struct subject_map **curr;
32607 + subjmap->prev = NULL;
32609 + curr = &subj_map_set.s_hash[index];
32610 + if (*curr != NULL)
32611 + (*curr)->prev = subjmap;
32613 + subjmap->next = *curr;
32619 +static struct acl_role_label *
32620 +lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
32623 + unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
32624 + struct acl_role_label *match;
32625 + struct role_allowed_ip *ipp;
32628 + match = acl_role_set.r_hash[index];
32631 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
32632 + for (x = 0; x < match->domain_child_num; x++) {
32633 + if (match->domain_children[x] == uid)
32636 + } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
32638 + match = match->next;
32641 + if (match == NULL) {
32643 + index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
32644 + match = acl_role_set.r_hash[index];
32647 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
32648 + for (x = 0; x < match->domain_child_num; x++) {
32649 + if (match->domain_children[x] == gid)
32652 + } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
32654 + match = match->next;
32657 + if (match == NULL)
32658 + match = default_role;
32659 + if (match->allowed_ips == NULL)
32662 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
32664 + ((ntohl(task->signal->curr_ip) & ipp->netmask) ==
32665 + (ntohl(ipp->addr) & ipp->netmask)))
32668 + match = default_role;
32670 + } else if (match->allowed_ips == NULL) {
32673 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
32675 + ((ntohl(task->signal->curr_ip) & ipp->netmask) ==
32676 + (ntohl(ipp->addr) & ipp->netmask)))
32685 +struct acl_subject_label *
32686 +lookup_acl_subj_label(const ino_t ino, const dev_t dev,
32687 + const struct acl_role_label *role)
32689 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
32690 + struct acl_subject_label *match;
32692 + match = role->subj_hash[index];
32694 + while (match && (match->inode != ino || match->device != dev ||
32695 + (match->mode & GR_DELETED))) {
32696 + match = match->next;
32699 + if (match && !(match->mode & GR_DELETED))
32705 +struct acl_subject_label *
32706 +lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev,
32707 + const struct acl_role_label *role)
32709 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
32710 + struct acl_subject_label *match;
32712 + match = role->subj_hash[index];
32714 + while (match && (match->inode != ino || match->device != dev ||
32715 + !(match->mode & GR_DELETED))) {
32716 + match = match->next;
32719 + if (match && (match->mode & GR_DELETED))
32725 +static struct acl_object_label *
32726 +lookup_acl_obj_label(const ino_t ino, const dev_t dev,
32727 + const struct acl_subject_label *subj)
32729 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
32730 + struct acl_object_label *match;
32732 + match = subj->obj_hash[index];
32734 + while (match && (match->inode != ino || match->device != dev ||
32735 + (match->mode & GR_DELETED))) {
32736 + match = match->next;
32739 + if (match && !(match->mode & GR_DELETED))
32745 +static struct acl_object_label *
32746 +lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
32747 + const struct acl_subject_label *subj)
32749 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
32750 + struct acl_object_label *match;
32752 + match = subj->obj_hash[index];
32754 + while (match && (match->inode != ino || match->device != dev ||
32755 + !(match->mode & GR_DELETED))) {
32756 + match = match->next;
32759 + if (match && (match->mode & GR_DELETED))
32762 + match = subj->obj_hash[index];
32764 + while (match && (match->inode != ino || match->device != dev ||
32765 + (match->mode & GR_DELETED))) {
32766 + match = match->next;
32769 + if (match && !(match->mode & GR_DELETED))
32775 +static struct name_entry *
32776 +lookup_name_entry(const char *name)
32778 + unsigned int len = strlen(name);
32779 + unsigned int key = full_name_hash(name, len);
32780 + unsigned int index = key % name_set.n_size;
32781 + struct name_entry *match;
32783 + match = name_set.n_hash[index];
32785 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
32786 + match = match->next;
32791 +static struct name_entry *
32792 +lookup_name_entry_create(const char *name)
32794 + unsigned int len = strlen(name);
32795 + unsigned int key = full_name_hash(name, len);
32796 + unsigned int index = key % name_set.n_size;
32797 + struct name_entry *match;
32799 + match = name_set.n_hash[index];
32801 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
32802 + !match->deleted))
32803 + match = match->next;
32805 + if (match && match->deleted)
32808 + match = name_set.n_hash[index];
32810 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
32812 + match = match->next;
32814 + if (match && !match->deleted)
32820 +static struct inodev_entry *
32821 +lookup_inodev_entry(const ino_t ino, const dev_t dev)
32823 + unsigned int index = fhash(ino, dev, inodev_set.i_size);
32824 + struct inodev_entry *match;
32826 + match = inodev_set.i_hash[index];
32828 + while (match && (match->nentry->inode != ino || match->nentry->device != dev))
32829 + match = match->next;
32835 +insert_inodev_entry(struct inodev_entry *entry)
32837 + unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
32838 + inodev_set.i_size);
32839 + struct inodev_entry **curr;
32841 + entry->prev = NULL;
32843 + curr = &inodev_set.i_hash[index];
32844 + if (*curr != NULL)
32845 + (*curr)->prev = entry;
32847 + entry->next = *curr;
32854 +__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
32856 + unsigned int index =
32857 + rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
32858 + struct acl_role_label **curr;
32859 + struct acl_role_label *tmp;
32861 + curr = &acl_role_set.r_hash[index];
32863 + /* if role was already inserted due to domains and already has
32864 + a role in the same bucket as it attached, then we need to
32865 + combine these two buckets
32867 + if (role->next) {
32868 + tmp = role->next;
32869 + while (tmp->next)
32871 + tmp->next = *curr;
32873 + role->next = *curr;
32880 +insert_acl_role_label(struct acl_role_label *role)
32884 + if (role_list == NULL) {
32885 + role_list = role;
32886 + role->prev = NULL;
32888 + role->prev = role_list;
32889 + role_list = role;
32892 + /* used for hash chains */
32893 + role->next = NULL;
32895 + if (role->roletype & GR_ROLE_DOMAIN) {
32896 + for (i = 0; i < role->domain_child_num; i++)
32897 + __insert_acl_role_label(role, role->domain_children[i]);
32899 + __insert_acl_role_label(role, role->uidgid);
32903 +insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
32905 + struct name_entry **curr, *nentry;
32906 + struct inodev_entry *ientry;
32907 + unsigned int len = strlen(name);
32908 + unsigned int key = full_name_hash(name, len);
32909 + unsigned int index = key % name_set.n_size;
32911 + curr = &name_set.n_hash[index];
32913 + while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
32914 + curr = &((*curr)->next);
32916 + if (*curr != NULL)
32919 + nentry = acl_alloc(sizeof (struct name_entry));
32920 + if (nentry == NULL)
32922 + ientry = acl_alloc(sizeof (struct inodev_entry));
32923 + if (ientry == NULL)
32925 + ientry->nentry = nentry;
32927 + nentry->key = key;
32928 + nentry->name = name;
32929 + nentry->inode = inode;
32930 + nentry->device = device;
32931 + nentry->len = len;
32932 + nentry->deleted = deleted;
32934 + nentry->prev = NULL;
32935 + curr = &name_set.n_hash[index];
32936 + if (*curr != NULL)
32937 + (*curr)->prev = nentry;
32938 + nentry->next = *curr;
32941 + /* insert us into the table searchable by inode/dev */
32942 + insert_inodev_entry(ientry);
32948 +insert_acl_obj_label(struct acl_object_label *obj,
32949 + struct acl_subject_label *subj)
32951 + unsigned int index =
32952 + fhash(obj->inode, obj->device, subj->obj_hash_size);
32953 + struct acl_object_label **curr;
32956 + obj->prev = NULL;
32958 + curr = &subj->obj_hash[index];
32959 + if (*curr != NULL)
32960 + (*curr)->prev = obj;
32962 + obj->next = *curr;
32969 +insert_acl_subj_label(struct acl_subject_label *obj,
32970 + struct acl_role_label *role)
32972 + unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
32973 + struct acl_subject_label **curr;
32975 + obj->prev = NULL;
32977 + curr = &role->subj_hash[index];
32978 + if (*curr != NULL)
32979 + (*curr)->prev = obj;
32981 + obj->next = *curr;
32987 +/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
32990 +create_table(__u32 * len, int elementsize)
32992 + unsigned int table_sizes[] = {
32993 + 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
32994 + 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
32995 + 4194301, 8388593, 16777213, 33554393, 67108859
32997 + void *newtable = NULL;
32998 + unsigned int pwr = 0;
33000 + while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
33001 + table_sizes[pwr] <= *len)
33004 + if (table_sizes[pwr] <= *len || (table_sizes[pwr] > ULONG_MAX / elementsize))
33007 + if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
33009 + kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
33011 + newtable = vmalloc(table_sizes[pwr] * elementsize);
33013 + *len = table_sizes[pwr];
33019 +init_variables(const struct gr_arg *arg)
33021 + struct task_struct *reaper = &init_task;
33022 + unsigned int stacksize;
33024 + subj_map_set.s_size = arg->role_db.num_subjects;
33025 + acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
33026 + name_set.n_size = arg->role_db.num_objects;
33027 + inodev_set.i_size = arg->role_db.num_objects;
33029 + if (!subj_map_set.s_size || !acl_role_set.r_size ||
33030 + !name_set.n_size || !inodev_set.i_size)
33033 + if (!gr_init_uidset())
33036 + /* set up the stack that holds allocation info */
33038 + stacksize = arg->role_db.num_pointers + 5;
33040 + if (!acl_alloc_stack_init(stacksize))
33043 + /* grab reference for the real root dentry and vfsmount */
33044 + read_lock(&reaper->fs->lock);
33045 + real_root_mnt = mntget(reaper->fs->root.mnt);
33046 + real_root = dget(reaper->fs->root.dentry);
33047 + read_unlock(&reaper->fs->lock);
33049 + fakefs_obj = acl_alloc(sizeof(struct acl_object_label));
33050 + if (fakefs_obj == NULL)
33052 + fakefs_obj->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
33054 + subj_map_set.s_hash =
33055 + (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
33056 + acl_role_set.r_hash =
33057 + (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
33058 + name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
33059 + inodev_set.i_hash =
33060 + (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
33062 + if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
33063 + !name_set.n_hash || !inodev_set.i_hash)
33066 + memset(subj_map_set.s_hash, 0,
33067 + sizeof(struct subject_map *) * subj_map_set.s_size);
33068 + memset(acl_role_set.r_hash, 0,
33069 + sizeof (struct acl_role_label *) * acl_role_set.r_size);
33070 + memset(name_set.n_hash, 0,
33071 + sizeof (struct name_entry *) * name_set.n_size);
33072 + memset(inodev_set.i_hash, 0,
33073 + sizeof (struct inodev_entry *) * inodev_set.i_size);
33078 +/* free information not needed after startup
33079 + currently contains user->kernel pointer mappings for subjects
33083 +free_init_variables(void)
33087 + if (subj_map_set.s_hash) {
33088 + for (i = 0; i < subj_map_set.s_size; i++) {
33089 + if (subj_map_set.s_hash[i]) {
33090 + kfree(subj_map_set.s_hash[i]);
33091 + subj_map_set.s_hash[i] = NULL;
33095 + if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
33097 + kfree(subj_map_set.s_hash);
33099 + vfree(subj_map_set.s_hash);
33106 +free_variables(void)
33108 + struct acl_subject_label *s;
33109 + struct acl_role_label *r;
33110 + struct task_struct *task, *task2;
33113 + gr_clear_learn_entries();
33115 + read_lock(&tasklist_lock);
33116 + do_each_thread(task2, task) {
33117 + task->acl_sp_role = 0;
33118 + task->acl_role_id = 0;
33119 + task->acl = NULL;
33120 + task->role = NULL;
33121 + } while_each_thread(task2, task);
33122 + read_unlock(&tasklist_lock);
33124 + /* release the reference to the real root dentry and vfsmount */
33127 + real_root = NULL;
33128 + if (real_root_mnt)
33129 + mntput(real_root_mnt);
33130 + real_root_mnt = NULL;
33132 + /* free all object hash tables */
33134 + FOR_EACH_ROLE_START(r)
33135 + if (r->subj_hash == NULL)
33137 + FOR_EACH_SUBJECT_START(r, s, x)
33138 + if (s->obj_hash == NULL)
33140 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
33141 + kfree(s->obj_hash);
33143 + vfree(s->obj_hash);
33144 + FOR_EACH_SUBJECT_END(s, x)
33145 + FOR_EACH_NESTED_SUBJECT_START(r, s)
33146 + if (s->obj_hash == NULL)
33148 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
33149 + kfree(s->obj_hash);
33151 + vfree(s->obj_hash);
33152 + FOR_EACH_NESTED_SUBJECT_END(s)
33153 + if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
33154 + kfree(r->subj_hash);
33156 + vfree(r->subj_hash);
33157 + r->subj_hash = NULL;
33159 + FOR_EACH_ROLE_END(r)
33163 + if (acl_role_set.r_hash) {
33164 + if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
33166 + kfree(acl_role_set.r_hash);
33168 + vfree(acl_role_set.r_hash);
33170 + if (name_set.n_hash) {
33171 + if ((name_set.n_size * sizeof (struct name_entry *)) <=
33173 + kfree(name_set.n_hash);
33175 + vfree(name_set.n_hash);
33178 + if (inodev_set.i_hash) {
33179 + if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
33181 + kfree(inodev_set.i_hash);
33183 + vfree(inodev_set.i_hash);
33186 + gr_free_uidset();
33188 + memset(&name_set, 0, sizeof (struct name_db));
33189 + memset(&inodev_set, 0, sizeof (struct inodev_db));
33190 + memset(&acl_role_set, 0, sizeof (struct acl_role_db));
33191 + memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
33193 + default_role = NULL;
33194 + role_list = NULL;
33200 +count_user_objs(struct acl_object_label *userp)
33202 + struct acl_object_label o_tmp;
33206 + if (copy_from_user(&o_tmp, userp,
33207 + sizeof (struct acl_object_label)))
33210 + userp = o_tmp.prev;
33217 +static struct acl_subject_label *
33218 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
33221 +copy_user_glob(struct acl_object_label *obj)
33223 + struct acl_object_label *g_tmp, **guser;
33224 + unsigned int len;
33227 + if (obj->globbed == NULL)
33230 + guser = &obj->globbed;
33232 + g_tmp = (struct acl_object_label *)
33233 + acl_alloc(sizeof (struct acl_object_label));
33234 + if (g_tmp == NULL)
33237 + if (copy_from_user(g_tmp, *guser,
33238 + sizeof (struct acl_object_label)))
33241 + len = strnlen_user(g_tmp->filename, PATH_MAX);
33243 + if (!len || len >= PATH_MAX)
33246 + if ((tmp = (char *) acl_alloc(len)) == NULL)
33249 + if (copy_from_user(tmp, g_tmp->filename, len))
33251 + tmp[len-1] = '\0';
33252 + g_tmp->filename = tmp;
33255 + guser = &(g_tmp->next);
33262 +copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
33263 + struct acl_role_label *role)
33265 + struct acl_object_label *o_tmp;
33266 + unsigned int len;
33271 + if ((o_tmp = (struct acl_object_label *)
33272 + acl_alloc(sizeof (struct acl_object_label))) == NULL)
33275 + if (copy_from_user(o_tmp, userp,
33276 + sizeof (struct acl_object_label)))
33279 + userp = o_tmp->prev;
33281 + len = strnlen_user(o_tmp->filename, PATH_MAX);
33283 + if (!len || len >= PATH_MAX)
33286 + if ((tmp = (char *) acl_alloc(len)) == NULL)
33289 + if (copy_from_user(tmp, o_tmp->filename, len))
33291 + tmp[len-1] = '\0';
33292 + o_tmp->filename = tmp;
33294 + insert_acl_obj_label(o_tmp, subj);
33295 + if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
33296 + o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
33299 + ret = copy_user_glob(o_tmp);
33303 + if (o_tmp->nested) {
33304 + o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
33305 + if (IS_ERR(o_tmp->nested))
33306 + return PTR_ERR(o_tmp->nested);
33308 + /* insert into nested subject list */
33309 + o_tmp->nested->next = role->hash->first;
33310 + role->hash->first = o_tmp->nested;
33318 +count_user_subjs(struct acl_subject_label *userp)
33320 + struct acl_subject_label s_tmp;
33324 + if (copy_from_user(&s_tmp, userp,
33325 + sizeof (struct acl_subject_label)))
33328 + userp = s_tmp.prev;
33329 + /* do not count nested subjects against this count, since
33330 + they are not included in the hash table, but are
33331 + attached to objects. We have already counted
33332 + the subjects in userspace for the allocation
33335 + if (!(s_tmp.mode & GR_NESTED))
33343 +copy_user_allowedips(struct acl_role_label *rolep)
33345 + struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
33347 + ruserip = rolep->allowed_ips;
33349 + while (ruserip) {
33352 + if ((rtmp = (struct role_allowed_ip *)
33353 + acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
33356 + if (copy_from_user(rtmp, ruserip,
33357 + sizeof (struct role_allowed_ip)))
33360 + ruserip = rtmp->prev;
33363 + rtmp->prev = NULL;
33364 + rolep->allowed_ips = rtmp;
33366 + rlast->next = rtmp;
33367 + rtmp->prev = rlast;
33371 + rtmp->next = NULL;
33378 +copy_user_transitions(struct acl_role_label *rolep)
33380 + struct role_transition *rusertp, *rtmp = NULL, *rlast;
33382 + unsigned int len;
33385 + rusertp = rolep->transitions;
33387 + while (rusertp) {
33390 + if ((rtmp = (struct role_transition *)
33391 + acl_alloc(sizeof (struct role_transition))) == NULL)
33394 + if (copy_from_user(rtmp, rusertp,
33395 + sizeof (struct role_transition)))
33398 + rusertp = rtmp->prev;
33400 + len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
33402 + if (!len || len >= GR_SPROLE_LEN)
33405 + if ((tmp = (char *) acl_alloc(len)) == NULL)
33408 + if (copy_from_user(tmp, rtmp->rolename, len))
33410 + tmp[len-1] = '\0';
33411 + rtmp->rolename = tmp;
33414 + rtmp->prev = NULL;
33415 + rolep->transitions = rtmp;
33417 + rlast->next = rtmp;
33418 + rtmp->prev = rlast;
33422 + rtmp->next = NULL;
33428 +static struct acl_subject_label *
33429 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
33431 + struct acl_subject_label *s_tmp = NULL, *s_tmp2;
33432 + unsigned int len;
33435 + struct acl_ip_label **i_tmp, *i_utmp2;
33436 + struct gr_hash_struct ghash;
33437 + struct subject_map *subjmap;
33438 + unsigned int i_num;
33441 + s_tmp = lookup_subject_map(userp);
33443 + /* we've already copied this subject into the kernel, just return
33444 + the reference to it, and don't copy it over again
33449 + if ((s_tmp = (struct acl_subject_label *)
33450 + acl_alloc(sizeof (struct acl_subject_label))) == NULL)
33451 + return ERR_PTR(-ENOMEM);
33453 + subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
33454 + if (subjmap == NULL)
33455 + return ERR_PTR(-ENOMEM);
33457 + subjmap->user = userp;
33458 + subjmap->kernel = s_tmp;
33459 + insert_subj_map_entry(subjmap);
33461 + if (copy_from_user(s_tmp, userp,
33462 + sizeof (struct acl_subject_label)))
33463 + return ERR_PTR(-EFAULT);
33465 + len = strnlen_user(s_tmp->filename, PATH_MAX);
33467 + if (!len || len >= PATH_MAX)
33468 + return ERR_PTR(-EINVAL);
33470 + if ((tmp = (char *) acl_alloc(len)) == NULL)
33471 + return ERR_PTR(-ENOMEM);
33473 + if (copy_from_user(tmp, s_tmp->filename, len))
33474 + return ERR_PTR(-EFAULT);
33475 + tmp[len-1] = '\0';
33476 + s_tmp->filename = tmp;
33478 + if (!strcmp(s_tmp->filename, "/"))
33479 + role->root_label = s_tmp;
33481 + if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
33482 + return ERR_PTR(-EFAULT);
33484 + /* copy user and group transition tables */
33486 + if (s_tmp->user_trans_num) {
33489 + uidlist = (uid_t *)acl_alloc_num(s_tmp->user_trans_num, sizeof(uid_t));
33490 + if (uidlist == NULL)
33491 + return ERR_PTR(-ENOMEM);
33492 + if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
33493 + return ERR_PTR(-EFAULT);
33495 + s_tmp->user_transitions = uidlist;
33498 + if (s_tmp->group_trans_num) {
33501 + gidlist = (gid_t *)acl_alloc_num(s_tmp->group_trans_num, sizeof(gid_t));
33502 + if (gidlist == NULL)
33503 + return ERR_PTR(-ENOMEM);
33504 + if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
33505 + return ERR_PTR(-EFAULT);
33507 + s_tmp->group_transitions = gidlist;
33510 + /* set up object hash table */
33511 + num_objs = count_user_objs(ghash.first);
33513 + s_tmp->obj_hash_size = num_objs;
33514 + s_tmp->obj_hash =
33515 + (struct acl_object_label **)
33516 + create_table(&(s_tmp->obj_hash_size), sizeof(void *));
33518 + if (!s_tmp->obj_hash)
33519 + return ERR_PTR(-ENOMEM);
33521 + memset(s_tmp->obj_hash, 0,
33522 + s_tmp->obj_hash_size *
33523 + sizeof (struct acl_object_label *));
33525 + /* add in objects */
33526 + err = copy_user_objs(ghash.first, s_tmp, role);
33529 + return ERR_PTR(err);
33531 + /* set pointer for parent subject */
33532 + if (s_tmp->parent_subject) {
33533 + s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
33535 + if (IS_ERR(s_tmp2))
33538 + s_tmp->parent_subject = s_tmp2;
33541 + /* add in ip acls */
33543 + if (!s_tmp->ip_num) {
33544 + s_tmp->ips = NULL;
33549 + (struct acl_ip_label **) acl_alloc_num(s_tmp->ip_num,
33550 + sizeof (struct acl_ip_label *));
33553 + return ERR_PTR(-ENOMEM);
33555 + for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
33556 + *(i_tmp + i_num) =
33557 + (struct acl_ip_label *)
33558 + acl_alloc(sizeof (struct acl_ip_label));
33559 + if (!*(i_tmp + i_num))
33560 + return ERR_PTR(-ENOMEM);
33562 + if (copy_from_user
33563 + (&i_utmp2, s_tmp->ips + i_num,
33564 + sizeof (struct acl_ip_label *)))
33565 + return ERR_PTR(-EFAULT);
33567 + if (copy_from_user
33568 + (*(i_tmp + i_num), i_utmp2,
33569 + sizeof (struct acl_ip_label)))
33570 + return ERR_PTR(-EFAULT);
33572 + if ((*(i_tmp + i_num))->iface == NULL)
33575 + len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
33576 + if (!len || len >= IFNAMSIZ)
33577 + return ERR_PTR(-EINVAL);
33578 + tmp = acl_alloc(len);
33580 + return ERR_PTR(-ENOMEM);
33581 + if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
33582 + return ERR_PTR(-EFAULT);
33583 + (*(i_tmp + i_num))->iface = tmp;
33586 + s_tmp->ips = i_tmp;
33589 + if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
33590 + s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
33591 + return ERR_PTR(-ENOMEM);
33597 +copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
33599 + struct acl_subject_label s_pre;
33600 + struct acl_subject_label * ret;
33604 + if (copy_from_user(&s_pre, userp,
33605 + sizeof (struct acl_subject_label)))
33608 + /* do not add nested subjects here, add
33609 + while parsing objects
33612 + if (s_pre.mode & GR_NESTED) {
33613 + userp = s_pre.prev;
33617 + ret = do_copy_user_subj(userp, role);
33619 + err = PTR_ERR(ret);
33623 + insert_acl_subj_label(ret, role);
33625 + userp = s_pre.prev;
33632 +copy_user_acl(struct gr_arg *arg)
33634 + struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
33635 + struct sprole_pw *sptmp;
33636 + struct gr_hash_struct *ghash;
33637 + uid_t *domainlist;
33638 + unsigned int r_num;
33639 + unsigned int len;
33645 + /* we need a default and kernel role */
33646 + if (arg->role_db.num_roles < 2)
33649 + /* copy special role authentication info from userspace */
33651 + num_sprole_pws = arg->num_sprole_pws;
33652 + acl_special_roles = (struct sprole_pw **) acl_alloc_num(num_sprole_pws, sizeof(struct sprole_pw *));
33654 + if (!acl_special_roles) {
33659 + for (i = 0; i < num_sprole_pws; i++) {
33660 + sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
33665 + if (copy_from_user(sptmp, arg->sprole_pws + i,
33666 + sizeof (struct sprole_pw))) {
33672 + strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
33674 + if (!len || len >= GR_SPROLE_LEN) {
33679 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
33684 + if (copy_from_user(tmp, sptmp->rolename, len)) {
33688 + tmp[len-1] = '\0';
33689 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
33690 + printk(KERN_ALERT "Copying special role %s\n", tmp);
33692 + sptmp->rolename = tmp;
33693 + acl_special_roles[i] = sptmp;
33696 + r_utmp = (struct acl_role_label **) arg->role_db.r_table;
33698 + for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
33699 + r_tmp = acl_alloc(sizeof (struct acl_role_label));
33706 + if (copy_from_user(&r_utmp2, r_utmp + r_num,
33707 + sizeof (struct acl_role_label *))) {
33712 + if (copy_from_user(r_tmp, r_utmp2,
33713 + sizeof (struct acl_role_label))) {
33718 + len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
33720 + if (!len || len >= PATH_MAX) {
33725 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
33729 + if (copy_from_user(tmp, r_tmp->rolename, len)) {
33733 + tmp[len-1] = '\0';
33734 + r_tmp->rolename = tmp;
33736 + if (!strcmp(r_tmp->rolename, "default")
33737 + && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
33738 + default_role = r_tmp;
33739 + } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
33740 + kernel_role = r_tmp;
33743 + if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
33747 + if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
33752 + r_tmp->hash = ghash;
33754 + num_subjs = count_user_subjs(r_tmp->hash->first);
33756 + r_tmp->subj_hash_size = num_subjs;
33757 + r_tmp->subj_hash =
33758 + (struct acl_subject_label **)
33759 + create_table(&(r_tmp->subj_hash_size), sizeof(void *));
33761 + if (!r_tmp->subj_hash) {
33766 + err = copy_user_allowedips(r_tmp);
33770 + /* copy domain info */
33771 + if (r_tmp->domain_children != NULL) {
33772 + domainlist = acl_alloc_num(r_tmp->domain_child_num, sizeof(uid_t));
33773 + if (domainlist == NULL) {
33777 + if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
33781 + r_tmp->domain_children = domainlist;
33784 + err = copy_user_transitions(r_tmp);
33788 + memset(r_tmp->subj_hash, 0,
33789 + r_tmp->subj_hash_size *
33790 + sizeof (struct acl_subject_label *));
33792 + err = copy_user_subjs(r_tmp->hash->first, r_tmp);
33797 + /* set nested subject list to null */
33798 + r_tmp->hash->first = NULL;
33800 + insert_acl_role_label(r_tmp);
33805 + free_variables();
33812 +gracl_init(struct gr_arg *args)
33816 + memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
33817 + memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
33819 + if (init_variables(args)) {
33820 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
33822 + free_variables();
33826 + error = copy_user_acl(args);
33827 + free_init_variables();
33829 + free_variables();
33833 + if ((error = gr_set_acls(0))) {
33834 + free_variables();
33838 + pax_open_kernel();
33839 + gr_status |= GR_READY;
33840 + pax_close_kernel();
33846 +/* derived from glibc fnmatch() 0: match, 1: no match*/
33849 +glob_match(const char *p, const char *n)
33853 + while ((c = *p++) != '\0') {
33858 + else if (*n == '/')
33866 + for (c = *p++; c == '?' || c == '*'; c = *p++) {
33869 + else if (c == '?') {
33879 + const char *endp;
33881 + if ((endp = strchr(n, '/')) == NULL)
33882 + endp = n + strlen(n);
33885 + for (--p; n < endp; ++n)
33886 + if (!glob_match(p, n))
33888 + } else if (c == '/') {
33889 + while (*n != '\0' && *n != '/')
33891 + if (*n == '/' && !glob_match(p, n + 1))
33894 + for (--p; n < endp; ++n)
33895 + if (*n == c && !glob_match(p, n))
33906 + if (*n == '\0' || *n == '/')
33909 + not = (*p == '!' || *p == '^');
33915 + unsigned char fn = (unsigned char)*n;
33925 + if (c == '-' && *p != ']') {
33926 + unsigned char cend = *p++;
33928 + if (cend == '\0')
33931 + if (cold <= fn && fn <= cend)
33945 + while (c != ']') {
33972 +static struct acl_object_label *
33973 +chk_glob_label(struct acl_object_label *globbed,
33974 + struct dentry *dentry, struct vfsmount *mnt, char **path)
33976 + struct acl_object_label *tmp;
33978 + if (*path == NULL)
33979 + *path = gr_to_filename_nolock(dentry, mnt);
33984 + if (!glob_match(tmp->filename, *path))
33992 +static struct acl_object_label *
33993 +__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
33994 + const ino_t curr_ino, const dev_t curr_dev,
33995 + const struct acl_subject_label *subj, char **path, const int checkglob)
33997 + struct acl_subject_label *tmpsubj;
33998 + struct acl_object_label *retval;
33999 + struct acl_object_label *retval2;
34001 + tmpsubj = (struct acl_subject_label *) subj;
34002 + read_lock(&gr_inode_lock);
34004 + retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
34006 + if (checkglob && retval->globbed) {
34007 + retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
34008 + (struct vfsmount *)orig_mnt, path);
34010 + retval = retval2;
34014 + } while ((tmpsubj = tmpsubj->parent_subject));
34015 + read_unlock(&gr_inode_lock);
34020 +static __inline__ struct acl_object_label *
34021 +full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
34022 + const struct dentry *curr_dentry,
34023 + const struct acl_subject_label *subj, char **path, const int checkglob)
34025 + return __full_lookup(orig_dentry, orig_mnt,
34026 + curr_dentry->d_inode->i_ino,
34027 + curr_dentry->d_inode->i_sb->s_dev, subj, path, checkglob);
34030 +static struct acl_object_label *
34031 +__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
34032 + const struct acl_subject_label *subj, char *path, const int checkglob)
34034 + struct dentry *dentry = (struct dentry *) l_dentry;
34035 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
34036 + struct acl_object_label *retval;
34038 + spin_lock(&dcache_lock);
34040 + if (unlikely(mnt == shm_mnt || mnt == pipe_mnt || mnt == sock_mnt ||
34041 + /* ignore Eric Biederman */
34042 + IS_PRIVATE(l_dentry->d_inode))) {
34043 + retval = fakefs_obj;
34048 + if (dentry == real_root && mnt == real_root_mnt)
34051 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
34052 + if (mnt->mnt_parent == mnt)
34055 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
34056 + if (retval != NULL)
34059 + dentry = mnt->mnt_mountpoint;
34060 + mnt = mnt->mnt_parent;
34064 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
34065 + if (retval != NULL)
34068 + dentry = dentry->d_parent;
34071 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
34073 + if (retval == NULL)
34074 + retval = full_lookup(l_dentry, l_mnt, real_root, subj, &path, checkglob);
34076 + spin_unlock(&dcache_lock);
34080 +static __inline__ struct acl_object_label *
34081 +chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
34082 + const struct acl_subject_label *subj)
34084 + char *path = NULL;
34085 + return __chk_obj_label(l_dentry, l_mnt, subj, path, 1);
34088 +static __inline__ struct acl_object_label *
34089 +chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
34090 + const struct acl_subject_label *subj)
34092 + char *path = NULL;
34093 + return __chk_obj_label(l_dentry, l_mnt, subj, path, 0);
34096 +static __inline__ struct acl_object_label *
34097 +chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
34098 + const struct acl_subject_label *subj, char *path)
34100 + return __chk_obj_label(l_dentry, l_mnt, subj, path, 1);
34103 +static struct acl_subject_label *
34104 +chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
34105 + const struct acl_role_label *role)
34107 + struct dentry *dentry = (struct dentry *) l_dentry;
34108 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
34109 + struct acl_subject_label *retval;
34111 + spin_lock(&dcache_lock);
34114 + if (dentry == real_root && mnt == real_root_mnt)
34116 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
34117 + if (mnt->mnt_parent == mnt)
34120 + read_lock(&gr_inode_lock);
34122 + lookup_acl_subj_label(dentry->d_inode->i_ino,
34123 + dentry->d_inode->i_sb->s_dev, role);
34124 + read_unlock(&gr_inode_lock);
34125 + if (retval != NULL)
34128 + dentry = mnt->mnt_mountpoint;
34129 + mnt = mnt->mnt_parent;
34133 + read_lock(&gr_inode_lock);
34134 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
34135 + dentry->d_inode->i_sb->s_dev, role);
34136 + read_unlock(&gr_inode_lock);
34137 + if (retval != NULL)
34140 + dentry = dentry->d_parent;
34143 + read_lock(&gr_inode_lock);
34144 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
34145 + dentry->d_inode->i_sb->s_dev, role);
34146 + read_unlock(&gr_inode_lock);
34148 + if (unlikely(retval == NULL)) {
34149 + read_lock(&gr_inode_lock);
34150 + retval = lookup_acl_subj_label(real_root->d_inode->i_ino,
34151 + real_root->d_inode->i_sb->s_dev, role);
34152 + read_unlock(&gr_inode_lock);
34155 + spin_unlock(&dcache_lock);
34161 +gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
34163 + struct task_struct *task = current;
34164 + const struct cred *cred = current_cred();
34166 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
34167 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
34168 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
34169 + 1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, &task->signal->curr_ip);
34175 +gr_log_learn_sysctl(const char *path, const __u32 mode)
34177 + struct task_struct *task = current;
34178 + const struct cred *cred = current_cred();
34180 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
34181 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
34182 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
34183 + 1UL, 1UL, path, (unsigned long) mode, &task->signal->curr_ip);
34189 +gr_log_learn_id_change(const char type, const unsigned int real,
34190 + const unsigned int effective, const unsigned int fs)
34192 + struct task_struct *task = current;
34193 + const struct cred *cred = current_cred();
34195 + security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
34196 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
34197 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
34198 + type, real, effective, fs, &task->signal->curr_ip);
34204 +gr_check_link(const struct dentry * new_dentry,
34205 + const struct dentry * parent_dentry,
34206 + const struct vfsmount * parent_mnt,
34207 + const struct dentry * old_dentry, const struct vfsmount * old_mnt)
34209 + struct acl_object_label *obj;
34210 + __u32 oldmode, newmode;
34213 + if (unlikely(!(gr_status & GR_READY)))
34214 + return (GR_CREATE | GR_LINK);
34216 + obj = chk_obj_label(old_dentry, old_mnt, current->acl);
34217 + oldmode = obj->mode;
34219 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
34220 + oldmode |= (GR_CREATE | GR_LINK);
34222 + needmode = GR_CREATE | GR_AUDIT_CREATE | GR_SUPPRESS;
34223 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
34224 + needmode |= GR_SETID | GR_AUDIT_SETID;
34227 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
34228 + oldmode | needmode);
34230 + needmode = newmode & (GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC |
34231 + GR_SETID | GR_READ | GR_FIND | GR_DELETE |
34232 + GR_INHERIT | GR_AUDIT_INHERIT);
34234 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID) && !(newmode & GR_SETID))
34237 + if ((oldmode & needmode) != needmode)
34240 + needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
34241 + if ((newmode & needmode) != needmode)
34244 + if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
34247 + needmode = oldmode;
34248 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
34249 + needmode |= GR_SETID;
34251 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
34252 + gr_log_learn(old_dentry, old_mnt, needmode);
34253 + return (GR_CREATE | GR_LINK);
34254 + } else if (newmode & GR_SUPPRESS)
34255 + return GR_SUPPRESS;
34261 +gr_search_file(const struct dentry * dentry, const __u32 mode,
34262 + const struct vfsmount * mnt)
34264 + __u32 retval = mode;
34265 + struct acl_subject_label *curracl;
34266 + struct acl_object_label *currobj;
34268 + if (unlikely(!(gr_status & GR_READY)))
34269 + return (mode & ~GR_AUDITS);
34271 + curracl = current->acl;
34273 + currobj = chk_obj_label(dentry, mnt, curracl);
34274 + retval = currobj->mode & mode;
34277 + ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
34278 + && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
34279 + __u32 new_mode = mode;
34281 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
34283 + retval = new_mode;
34285 + if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
34286 + new_mode |= GR_INHERIT;
34288 + if (!(mode & GR_NOLEARN))
34289 + gr_log_learn(dentry, mnt, new_mode);
34296 +gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
34297 + const struct vfsmount * mnt, const __u32 mode)
34299 + struct name_entry *match;
34300 + struct acl_object_label *matchpo;
34301 + struct acl_subject_label *curracl;
34305 + if (unlikely(!(gr_status & GR_READY)))
34306 + return (mode & ~GR_AUDITS);
34308 + preempt_disable();
34309 + path = gr_to_filename_rbac(new_dentry, mnt);
34310 + match = lookup_name_entry_create(path);
34313 + goto check_parent;
34315 + curracl = current->acl;
34317 + read_lock(&gr_inode_lock);
34318 + matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
34319 + read_unlock(&gr_inode_lock);
34322 + if ((matchpo->mode & mode) !=
34323 + (mode & ~(GR_AUDITS | GR_SUPPRESS))
34324 + && curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
34325 + __u32 new_mode = mode;
34327 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
34329 + gr_log_learn(new_dentry, mnt, new_mode);
34331 + preempt_enable();
34334 + preempt_enable();
34335 + return (matchpo->mode & mode);
34339 + curracl = current->acl;
34341 + matchpo = chk_obj_create_label(parent, mnt, curracl, path);
34342 + retval = matchpo->mode & mode;
34344 + if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
34345 + && (curracl->mode & (GR_LEARN | GR_INHERITLEARN))) {
34346 + __u32 new_mode = mode;
34348 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
34350 + gr_log_learn(new_dentry, mnt, new_mode);
34351 + preempt_enable();
34355 + preempt_enable();
34360 +gr_check_hidden_task(const struct task_struct *task)
34362 + if (unlikely(!(gr_status & GR_READY)))
34365 + if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
34372 +gr_check_protected_task(const struct task_struct *task)
34374 + if (unlikely(!(gr_status & GR_READY) || !task))
34377 + if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
34378 + task->acl != current->acl)
34385 +gr_copy_label(struct task_struct *tsk)
34387 + tsk->signal->used_accept = 0;
34388 + tsk->acl_sp_role = 0;
34389 + tsk->acl_role_id = current->acl_role_id;
34390 + tsk->acl = current->acl;
34391 + tsk->role = current->role;
34392 + tsk->signal->curr_ip = current->signal->curr_ip;
34393 + if (current->exec_file)
34394 + get_file(current->exec_file);
34395 + tsk->exec_file = current->exec_file;
34396 + tsk->is_writable = current->is_writable;
34397 + if (unlikely(current->signal->used_accept))
34398 + current->signal->curr_ip = 0;
34404 +gr_set_proc_res(struct task_struct *task)
34406 + struct acl_subject_label *proc;
34407 + unsigned short i;
34409 + proc = task->acl;
34411 + if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
34414 + for (i = 0; i < RLIM_NLIMITS; i++) {
34415 + if (!(proc->resmask & (1 << i)))
34418 + task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
34419 + task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
34426 +gr_check_user_change(int real, int effective, int fs)
34433 + int effectiveok = 0;
34436 + if (unlikely(!(gr_status & GR_READY)))
34439 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
34440 + gr_log_learn_id_change('u', real, effective, fs);
34442 + num = current->acl->user_trans_num;
34443 + uidlist = current->acl->user_transitions;
34445 + if (uidlist == NULL)
34450 + if (effective == -1)
34455 + if (current->acl->user_trans_type & GR_ID_ALLOW) {
34456 + for (i = 0; i < num; i++) {
34457 + curuid = (int)uidlist[i];
34458 + if (real == curuid)
34460 + if (effective == curuid)
34462 + if (fs == curuid)
34465 + } else if (current->acl->user_trans_type & GR_ID_DENY) {
34466 + for (i = 0; i < num; i++) {
34467 + curuid = (int)uidlist[i];
34468 + if (real == curuid)
34470 + if (effective == curuid)
34472 + if (fs == curuid)
34475 + /* not in deny list */
34483 + if (realok && effectiveok && fsok)
34486 + gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
34492 +gr_check_group_change(int real, int effective, int fs)
34499 + int effectiveok = 0;
34502 + if (unlikely(!(gr_status & GR_READY)))
34505 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
34506 + gr_log_learn_id_change('g', real, effective, fs);
34508 + num = current->acl->group_trans_num;
34509 + gidlist = current->acl->group_transitions;
34511 + if (gidlist == NULL)
34516 + if (effective == -1)
34521 + if (current->acl->group_trans_type & GR_ID_ALLOW) {
34522 + for (i = 0; i < num; i++) {
34523 + curgid = (int)gidlist[i];
34524 + if (real == curgid)
34526 + if (effective == curgid)
34528 + if (fs == curgid)
34531 + } else if (current->acl->group_trans_type & GR_ID_DENY) {
34532 + for (i = 0; i < num; i++) {
34533 + curgid = (int)gidlist[i];
34534 + if (real == curgid)
34536 + if (effective == curgid)
34538 + if (fs == curgid)
34541 + /* not in deny list */
34549 + if (realok && effectiveok && fsok)
34552 + gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
34558 +gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
34560 + struct acl_role_label *role = task->role;
34561 + struct acl_subject_label *subj = NULL;
34562 + struct acl_object_label *obj;
34563 + struct file *filp;
34565 + if (unlikely(!(gr_status & GR_READY)))
34568 + filp = task->exec_file;
34570 + /* kernel process, we'll give them the kernel role */
34571 + if (unlikely(!filp)) {
34572 + task->role = kernel_role;
34573 + task->acl = kernel_role->root_label;
34575 + } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
34576 + role = lookup_acl_role_label(task, uid, gid);
34578 + /* perform subject lookup in possibly new role
34579 + we can use this result below in the case where role == task->role
34581 + subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
34583 + /* if we changed uid/gid, but result in the same role
34584 + and are using inheritance, don't lose the inherited subject
34585 + if current subject is other than what normal lookup
34586 + would result in, we arrived via inheritance, don't
34589 + if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
34590 + (subj == task->acl)))
34591 + task->acl = subj;
34593 + task->role = role;
34595 + task->is_writable = 0;
34597 + /* ignore additional mmap checks for processes that are writable
34598 + by the default ACL */
34599 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
34600 + if (unlikely(obj->mode & GR_WRITE))
34601 + task->is_writable = 1;
34602 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
34603 + if (unlikely(obj->mode & GR_WRITE))
34604 + task->is_writable = 1;
34606 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
34607 + printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
34610 + gr_set_proc_res(task);
34616 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
34617 + const int unsafe_share)
34619 + struct task_struct *task = current;
34620 + struct acl_subject_label *newacl;
34621 + struct acl_object_label *obj;
34624 + if (unlikely(!(gr_status & GR_READY)))
34627 + newacl = chk_subj_label(dentry, mnt, task->role);
34630 + if ((((task->ptrace & PT_PTRACED) || unsafe_share) &&
34631 + !(task->acl->mode & GR_POVERRIDE) && (task->acl != newacl) &&
34632 + !(task->role->roletype & GR_ROLE_GOD) &&
34633 + !gr_search_file(dentry, GR_PTRACERD, mnt) &&
34634 + !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN)))) {
34635 + task_unlock(task);
34636 + if (unsafe_share)
34637 + gr_log_fs_generic(GR_DONT_AUDIT, GR_UNSAFESHARE_EXEC_ACL_MSG, dentry, mnt);
34639 + gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
34642 + task_unlock(task);
34644 + obj = chk_obj_label(dentry, mnt, task->acl);
34645 + retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
34647 + if (!(task->acl->mode & GR_INHERITLEARN) &&
34648 + ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
34650 + task->acl = obj->nested;
34652 + task->acl = newacl;
34653 + } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
34654 + gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
34656 + task->is_writable = 0;
34658 + /* ignore additional mmap checks for processes that are writable
34659 + by the default ACL */
34660 + obj = chk_obj_label(dentry, mnt, default_role->root_label);
34661 + if (unlikely(obj->mode & GR_WRITE))
34662 + task->is_writable = 1;
34663 + obj = chk_obj_label(dentry, mnt, task->role->root_label);
34664 + if (unlikely(obj->mode & GR_WRITE))
34665 + task->is_writable = 1;
34667 + gr_set_proc_res(task);
34669 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
34670 + printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
34675 +/* always called with valid inodev ptr */
34677 +do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
34679 + struct acl_object_label *matchpo;
34680 + struct acl_subject_label *matchps;
34681 + struct acl_subject_label *subj;
34682 + struct acl_role_label *role;
34685 + FOR_EACH_ROLE_START(role)
34686 + FOR_EACH_SUBJECT_START(role, subj, x)
34687 + if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
34688 + matchpo->mode |= GR_DELETED;
34689 + FOR_EACH_SUBJECT_END(subj,x)
34690 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
34691 + if (subj->inode == ino && subj->device == dev)
34692 + subj->mode |= GR_DELETED;
34693 + FOR_EACH_NESTED_SUBJECT_END(subj)
34694 + if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
34695 + matchps->mode |= GR_DELETED;
34696 + FOR_EACH_ROLE_END(role)
34698 + inodev->nentry->deleted = 1;
34704 +gr_handle_delete(const ino_t ino, const dev_t dev)
34706 + struct inodev_entry *inodev;
34708 + if (unlikely(!(gr_status & GR_READY)))
34711 + write_lock(&gr_inode_lock);
34712 + inodev = lookup_inodev_entry(ino, dev);
34713 + if (inodev != NULL)
34714 + do_handle_delete(inodev, ino, dev);
34715 + write_unlock(&gr_inode_lock);
34721 +update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
34722 + const ino_t newinode, const dev_t newdevice,
34723 + struct acl_subject_label *subj)
34725 + unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
34726 + struct acl_object_label *match;
34728 + match = subj->obj_hash[index];
34730 + while (match && (match->inode != oldinode ||
34731 + match->device != olddevice ||
34732 + !(match->mode & GR_DELETED)))
34733 + match = match->next;
34735 + if (match && (match->inode == oldinode)
34736 + && (match->device == olddevice)
34737 + && (match->mode & GR_DELETED)) {
34738 + if (match->prev == NULL) {
34739 + subj->obj_hash[index] = match->next;
34740 + if (match->next != NULL)
34741 + match->next->prev = NULL;
34743 + match->prev->next = match->next;
34744 + if (match->next != NULL)
34745 + match->next->prev = match->prev;
34747 + match->prev = NULL;
34748 + match->next = NULL;
34749 + match->inode = newinode;
34750 + match->device = newdevice;
34751 + match->mode &= ~GR_DELETED;
34753 + insert_acl_obj_label(match, subj);
34760 +update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
34761 + const ino_t newinode, const dev_t newdevice,
34762 + struct acl_role_label *role)
34764 + unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
34765 + struct acl_subject_label *match;
34767 + match = role->subj_hash[index];
34769 + while (match && (match->inode != oldinode ||
34770 + match->device != olddevice ||
34771 + !(match->mode & GR_DELETED)))
34772 + match = match->next;
34774 + if (match && (match->inode == oldinode)
34775 + && (match->device == olddevice)
34776 + && (match->mode & GR_DELETED)) {
34777 + if (match->prev == NULL) {
34778 + role->subj_hash[index] = match->next;
34779 + if (match->next != NULL)
34780 + match->next->prev = NULL;
34782 + match->prev->next = match->next;
34783 + if (match->next != NULL)
34784 + match->next->prev = match->prev;
34786 + match->prev = NULL;
34787 + match->next = NULL;
34788 + match->inode = newinode;
34789 + match->device = newdevice;
34790 + match->mode &= ~GR_DELETED;
34792 + insert_acl_subj_label(match, role);
34799 +update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
34800 + const ino_t newinode, const dev_t newdevice)
34802 + unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
34803 + struct inodev_entry *match;
34805 + match = inodev_set.i_hash[index];
34807 + while (match && (match->nentry->inode != oldinode ||
34808 + match->nentry->device != olddevice || !match->nentry->deleted))
34809 + match = match->next;
34811 + if (match && (match->nentry->inode == oldinode)
34812 + && (match->nentry->device == olddevice) &&
34813 + match->nentry->deleted) {
34814 + if (match->prev == NULL) {
34815 + inodev_set.i_hash[index] = match->next;
34816 + if (match->next != NULL)
34817 + match->next->prev = NULL;
34819 + match->prev->next = match->next;
34820 + if (match->next != NULL)
34821 + match->next->prev = match->prev;
34823 + match->prev = NULL;
34824 + match->next = NULL;
34825 + match->nentry->inode = newinode;
34826 + match->nentry->device = newdevice;
34827 + match->nentry->deleted = 0;
34829 + insert_inodev_entry(match);
34836 +do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
34837 + const struct vfsmount *mnt)
34839 + struct acl_subject_label *subj;
34840 + struct acl_role_label *role;
34843 + FOR_EACH_ROLE_START(role)
34844 + update_acl_subj_label(matchn->inode, matchn->device,
34845 + dentry->d_inode->i_ino,
34846 + dentry->d_inode->i_sb->s_dev, role);
34848 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
34849 + if ((subj->inode == dentry->d_inode->i_ino) &&
34850 + (subj->device == dentry->d_inode->i_sb->s_dev)) {
34851 + subj->inode = dentry->d_inode->i_ino;
34852 + subj->device = dentry->d_inode->i_sb->s_dev;
34854 + FOR_EACH_NESTED_SUBJECT_END(subj)
34855 + FOR_EACH_SUBJECT_START(role, subj, x)
34856 + update_acl_obj_label(matchn->inode, matchn->device,
34857 + dentry->d_inode->i_ino,
34858 + dentry->d_inode->i_sb->s_dev, subj);
34859 + FOR_EACH_SUBJECT_END(subj,x)
34860 + FOR_EACH_ROLE_END(role)
34862 + update_inodev_entry(matchn->inode, matchn->device,
34863 + dentry->d_inode->i_ino, dentry->d_inode->i_sb->s_dev);
34869 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
34871 + struct name_entry *matchn;
34873 + if (unlikely(!(gr_status & GR_READY)))
34876 + preempt_disable();
34877 + matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
34879 + if (unlikely((unsigned long)matchn)) {
34880 + write_lock(&gr_inode_lock);
34881 + do_handle_create(matchn, dentry, mnt);
34882 + write_unlock(&gr_inode_lock);
34884 + preempt_enable();
34890 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
34891 + struct dentry *old_dentry,
34892 + struct dentry *new_dentry,
34893 + struct vfsmount *mnt, const __u8 replace)
34895 + struct name_entry *matchn;
34896 + struct inodev_entry *inodev;
34898 + /* vfs_rename swaps the name and parent link for old_dentry and
34900 + at this point, old_dentry has the new name, parent link, and inode
34901 + for the renamed file
34902 + if a file is being replaced by a rename, new_dentry has the inode
34903 + and name for the replaced file
34906 + if (unlikely(!(gr_status & GR_READY)))
34909 + preempt_disable();
34910 + matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
34912 + /* we wouldn't have to check d_inode if it weren't for
34913 + NFS silly-renaming
34916 + write_lock(&gr_inode_lock);
34917 + if (unlikely(replace && new_dentry->d_inode)) {
34918 + inodev = lookup_inodev_entry(new_dentry->d_inode->i_ino,
34919 + new_dentry->d_inode->i_sb->s_dev);
34920 + if (inodev != NULL && (new_dentry->d_inode->i_nlink <= 1))
34921 + do_handle_delete(inodev, new_dentry->d_inode->i_ino,
34922 + new_dentry->d_inode->i_sb->s_dev);
34925 + inodev = lookup_inodev_entry(old_dentry->d_inode->i_ino,
34926 + old_dentry->d_inode->i_sb->s_dev);
34927 + if (inodev != NULL && (old_dentry->d_inode->i_nlink <= 1))
34928 + do_handle_delete(inodev, old_dentry->d_inode->i_ino,
34929 + old_dentry->d_inode->i_sb->s_dev);
34931 + if (unlikely((unsigned long)matchn))
34932 + do_handle_create(matchn, old_dentry, mnt);
34934 + write_unlock(&gr_inode_lock);
34935 + preempt_enable();
34941 +lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
34942 + unsigned char **sum)
34944 + struct acl_role_label *r;
34945 + struct role_allowed_ip *ipp;
34946 + struct role_transition *trans;
34950 + /* check transition table */
34952 + for (trans = current->role->transitions; trans; trans = trans->next) {
34953 + if (!strcmp(rolename, trans->rolename)) {
34962 + /* handle special roles that do not require authentication
34965 + FOR_EACH_ROLE_START(r)
34966 + if (!strcmp(rolename, r->rolename) &&
34967 + (r->roletype & GR_ROLE_SPECIAL)) {
34969 + if (r->allowed_ips != NULL) {
34970 + for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
34971 + if ((ntohl(current->signal->curr_ip) & ipp->netmask) ==
34972 + (ntohl(ipp->addr) & ipp->netmask))
34980 + if (((mode == GR_SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
34981 + ((mode == GR_SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
34987 + FOR_EACH_ROLE_END(r)
34989 + for (i = 0; i < num_sprole_pws; i++) {
34990 + if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
34991 + *salt = acl_special_roles[i]->salt;
34992 + *sum = acl_special_roles[i]->sum;
35001 +assign_special_role(char *rolename)
35003 + struct acl_object_label *obj;
35004 + struct acl_role_label *r;
35005 + struct acl_role_label *assigned = NULL;
35006 + struct task_struct *tsk;
35007 + struct file *filp;
35009 + FOR_EACH_ROLE_START(r)
35010 + if (!strcmp(rolename, r->rolename) &&
35011 + (r->roletype & GR_ROLE_SPECIAL)) {
35015 + FOR_EACH_ROLE_END(r)
35020 + read_lock(&tasklist_lock);
35021 + read_lock(&grsec_exec_file_lock);
35023 + tsk = current->parent;
35027 + filp = tsk->exec_file;
35028 + if (filp == NULL)
35031 + tsk->is_writable = 0;
35033 + tsk->acl_sp_role = 1;
35034 + tsk->acl_role_id = ++acl_sp_role_value;
35035 + tsk->role = assigned;
35036 + tsk->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role);
35038 + /* ignore additional mmap checks for processes that are writable
35039 + by the default ACL */
35040 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
35041 + if (unlikely(obj->mode & GR_WRITE))
35042 + tsk->is_writable = 1;
35043 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role->root_label);
35044 + if (unlikely(obj->mode & GR_WRITE))
35045 + tsk->is_writable = 1;
35047 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
35048 + printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
35052 + read_unlock(&grsec_exec_file_lock);
35053 + read_unlock(&tasklist_lock);
35057 +int gr_check_secure_terminal(struct task_struct *task)
35059 + struct task_struct *p, *p2, *p3;
35060 + struct files_struct *files;
35061 + struct fdtable *fdt;
35062 + struct file *our_file = NULL, *file;
35065 + if (task->signal->tty == NULL)
35068 + files = get_files_struct(task);
35069 + if (files != NULL) {
35071 + fdt = files_fdtable(files);
35072 + for (i=0; i < fdt->max_fds; i++) {
35073 + file = fcheck_files(files, i);
35074 + if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
35079 + rcu_read_unlock();
35080 + put_files_struct(files);
35083 + if (our_file == NULL)
35086 + read_lock(&tasklist_lock);
35087 + do_each_thread(p2, p) {
35088 + files = get_files_struct(p);
35089 + if (files == NULL ||
35090 + (p->signal && p->signal->tty == task->signal->tty)) {
35091 + if (files != NULL)
35092 + put_files_struct(files);
35096 + fdt = files_fdtable(files);
35097 + for (i=0; i < fdt->max_fds; i++) {
35098 + file = fcheck_files(files, i);
35099 + if (file && S_ISCHR(file->f_path.dentry->d_inode->i_mode) &&
35100 + file->f_path.dentry->d_inode->i_rdev == our_file->f_path.dentry->d_inode->i_rdev) {
35102 + while (p3->pid > 0) {
35109 + gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
35110 + gr_handle_alertkill(p);
35111 + rcu_read_unlock();
35112 + put_files_struct(files);
35113 + read_unlock(&tasklist_lock);
35118 + rcu_read_unlock();
35119 + put_files_struct(files);
35120 + } while_each_thread(p2, p);
35121 + read_unlock(&tasklist_lock);
35128 +write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
35130 + struct gr_arg_wrapper uwrap;
35131 + unsigned char *sprole_salt = NULL;
35132 + unsigned char *sprole_sum = NULL;
35133 + int error = sizeof (struct gr_arg_wrapper);
35136 + down(&gr_dev_sem);
35138 + if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
35143 + if (count != sizeof (struct gr_arg_wrapper)) {
35144 + gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
35150 + if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
35151 + gr_auth_expires = 0;
35152 + gr_auth_attempts = 0;
35155 + if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
35160 + if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
35165 + if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
35170 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
35171 + gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
35172 + time_after(gr_auth_expires, get_seconds())) {
35177 + /* if non-root trying to do anything other than use a special role,
35178 + do not attempt authentication, do not count towards authentication
35182 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
35183 + gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
35189 + /* ensure pw and special role name are null terminated */
35191 + gr_usermode->pw[GR_PW_LEN - 1] = '\0';
35192 + gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
35195 + * We have our enough of the argument structure..(we have yet
35196 + * to copy_from_user the tables themselves) . Copy the tables
35197 + * only if we need them, i.e. for loading operations. */
35199 + switch (gr_usermode->mode) {
35201 + if (gr_status & GR_READY) {
35203 + if (!gr_check_secure_terminal(current))
35208 + case GR_SHUTDOWN:
35209 + if ((gr_status & GR_READY)
35210 + && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
35211 + pax_open_kernel();
35212 + gr_status &= ~GR_READY;
35213 + pax_close_kernel();
35215 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
35216 + free_variables();
35217 + memset(gr_usermode, 0, sizeof (struct gr_arg));
35218 + memset(gr_system_salt, 0, GR_SALT_LEN);
35219 + memset(gr_system_sum, 0, GR_SHA_LEN);
35220 + } else if (gr_status & GR_READY) {
35221 + gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
35224 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
35229 + if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
35230 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
35232 + if (gr_status & GR_READY)
35236 + gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
35240 + if (!(gr_status & GR_READY)) {
35241 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
35243 + } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
35246 + pax_open_kernel();
35247 + gr_status &= ~GR_READY;
35248 + pax_close_kernel();
35250 + free_variables();
35251 + if (!(error2 = gracl_init(gr_usermode))) {
35253 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
35257 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
35260 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
35265 + if (unlikely(!(gr_status & GR_READY))) {
35266 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
35271 + if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
35272 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
35273 + if (gr_usermode->segv_device && gr_usermode->segv_inode) {
35274 + struct acl_subject_label *segvacl;
35276 + lookup_acl_subj_label(gr_usermode->segv_inode,
35277 + gr_usermode->segv_device,
35280 + segvacl->crashes = 0;
35281 + segvacl->expires = 0;
35283 + } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
35284 + gr_remove_uid(gr_usermode->segv_uid);
35287 + gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
35292 + case GR_SPROLEPAM:
35293 + if (unlikely(!(gr_status & GR_READY))) {
35294 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
35299 + if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
35300 + current->role->expires = 0;
35301 + current->role->auth_attempts = 0;
35304 + if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
35305 + time_after(current->role->expires, get_seconds())) {
35310 + if (lookup_special_role_auth
35311 + (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
35312 + && ((!sprole_salt && !sprole_sum)
35313 + || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
35315 + assign_special_role(gr_usermode->sp_role);
35316 + read_lock(&tasklist_lock);
35317 + if (current->parent)
35318 + p = current->parent->role->rolename;
35319 + read_unlock(&tasklist_lock);
35320 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
35321 + p, acl_sp_role_value);
35323 + gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
35325 + if(!(current->role->auth_attempts++))
35326 + current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
35331 + case GR_UNSPROLE:
35332 + if (unlikely(!(gr_status & GR_READY))) {
35333 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
35338 + if (current->role->roletype & GR_ROLE_SPECIAL) {
35342 + read_lock(&tasklist_lock);
35343 + if (current->parent) {
35344 + p = current->parent->role->rolename;
35345 + i = current->parent->acl_role_id;
35347 + read_unlock(&tasklist_lock);
35349 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
35357 + gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
35362 + if (error != -EPERM)
35365 + if(!(gr_auth_attempts++))
35366 + gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
35374 +gr_set_acls(const int type)
35376 + struct acl_object_label *obj;
35377 + struct task_struct *task, *task2;
35378 + struct file *filp;
35379 + struct acl_role_label *role = current->role;
35380 + __u16 acl_role_id = current->acl_role_id;
35381 + const struct cred *cred;
35383 + struct name_entry *nmatch;
35384 + struct acl_subject_label *tmpsubj;
35387 + read_lock(&tasklist_lock);
35388 + read_lock(&grsec_exec_file_lock);
35389 + do_each_thread(task2, task) {
35390 + /* check to see if we're called from the exit handler,
35391 + if so, only replace ACLs that have inherited the admin
35394 + if (type && (task->role != role ||
35395 + task->acl_role_id != acl_role_id))
35398 + task->acl_role_id = 0;
35399 + task->acl_sp_role = 0;
35401 + if ((filp = task->exec_file)) {
35402 + cred = __task_cred(task);
35403 + task->role = lookup_acl_role_label(task, cred->uid, cred->gid);
35405 + /* the following is to apply the correct subject
35406 + on binaries running when the RBAC system
35407 + is enabled, when the binaries have been
35408 + replaced or deleted since their execution
35410 + when the RBAC system starts, the inode/dev
35411 + from exec_file will be one the RBAC system
35412 + is unaware of. It only knows the inode/dev
35413 + of the present file on disk, or the absence
35416 + preempt_disable();
35417 + tmpname = gr_to_filename_rbac(filp->f_path.dentry, filp->f_path.mnt);
35419 + nmatch = lookup_name_entry(tmpname);
35420 + preempt_enable();
35423 + if (nmatch->deleted)
35424 + tmpsubj = lookup_acl_subj_label_deleted(nmatch->inode, nmatch->device, task->role);
35426 + tmpsubj = lookup_acl_subj_label(nmatch->inode, nmatch->device, task->role);
35427 + if (tmpsubj != NULL)
35428 + task->acl = tmpsubj;
35430 + if (tmpsubj == NULL)
35431 + task->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt,
35434 + struct acl_subject_label *curr;
35435 + curr = task->acl;
35437 + task->is_writable = 0;
35438 + /* ignore additional mmap checks for processes that are writable
35439 + by the default ACL */
35440 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
35441 + if (unlikely(obj->mode & GR_WRITE))
35442 + task->is_writable = 1;
35443 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
35444 + if (unlikely(obj->mode & GR_WRITE))
35445 + task->is_writable = 1;
35447 + gr_set_proc_res(task);
35449 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
35450 + printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
35453 + read_unlock(&grsec_exec_file_lock);
35454 + read_unlock(&tasklist_lock);
35455 + rcu_read_unlock();
35456 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
35460 + // it's a kernel process
35461 + task->role = kernel_role;
35462 + task->acl = kernel_role->root_label;
35463 +#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
35464 + task->acl->mode &= ~GR_PROCFIND;
35467 + } while_each_thread(task2, task);
35468 + read_unlock(&grsec_exec_file_lock);
35469 + read_unlock(&tasklist_lock);
35470 + rcu_read_unlock();
35476 +gr_learn_resource(const struct task_struct *task,
35477 + const int res, const unsigned long wanted, const int gt)
35479 + struct acl_subject_label *acl;
35480 + const struct cred *cred;
35482 + if (unlikely((gr_status & GR_READY) &&
35483 + task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
35484 + goto skip_reslog;
35486 +#ifdef CONFIG_GRKERNSEC_RESLOG
35487 + gr_log_resource(task, res, wanted, gt);
35491 + if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS))
35496 + if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
35497 + !(acl->resmask & (1 << (unsigned short) res))))
35500 + if (wanted >= acl->res[res].rlim_cur) {
35501 + unsigned long res_add;
35503 + res_add = wanted;
35506 + res_add += GR_RLIM_CPU_BUMP;
35508 + case RLIMIT_FSIZE:
35509 + res_add += GR_RLIM_FSIZE_BUMP;
35511 + case RLIMIT_DATA:
35512 + res_add += GR_RLIM_DATA_BUMP;
35514 + case RLIMIT_STACK:
35515 + res_add += GR_RLIM_STACK_BUMP;
35517 + case RLIMIT_CORE:
35518 + res_add += GR_RLIM_CORE_BUMP;
35521 + res_add += GR_RLIM_RSS_BUMP;
35523 + case RLIMIT_NPROC:
35524 + res_add += GR_RLIM_NPROC_BUMP;
35526 + case RLIMIT_NOFILE:
35527 + res_add += GR_RLIM_NOFILE_BUMP;
35529 + case RLIMIT_MEMLOCK:
35530 + res_add += GR_RLIM_MEMLOCK_BUMP;
35533 + res_add += GR_RLIM_AS_BUMP;
35535 + case RLIMIT_LOCKS:
35536 + res_add += GR_RLIM_LOCKS_BUMP;
35538 + case RLIMIT_SIGPENDING:
35539 + res_add += GR_RLIM_SIGPENDING_BUMP;
35541 + case RLIMIT_MSGQUEUE:
35542 + res_add += GR_RLIM_MSGQUEUE_BUMP;
35544 + case RLIMIT_NICE:
35545 + res_add += GR_RLIM_NICE_BUMP;
35547 + case RLIMIT_RTPRIO:
35548 + res_add += GR_RLIM_RTPRIO_BUMP;
35550 + case RLIMIT_RTTIME:
35551 + res_add += GR_RLIM_RTTIME_BUMP;
35555 + acl->res[res].rlim_cur = res_add;
35557 + if (wanted > acl->res[res].rlim_max)
35558 + acl->res[res].rlim_max = res_add;
35560 + /* only log the subject filename, since resource logging is supported for
35561 + single-subject learning only */
35563 + cred = __task_cred(task);
35564 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
35565 + task->role->roletype, cred->uid, cred->gid, acl->filename,
35566 + acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max,
35567 + "", (unsigned long) res, &task->signal->curr_ip);
35568 + rcu_read_unlock();
35574 +#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR))
35576 +pax_set_initial_flags(struct linux_binprm *bprm)
35578 + struct task_struct *task = current;
35579 + struct acl_subject_label *proc;
35580 + unsigned long flags;
35582 + if (unlikely(!(gr_status & GR_READY)))
35585 + flags = pax_get_flags(task);
35587 + proc = task->acl;
35589 + if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
35590 + flags &= ~MF_PAX_PAGEEXEC;
35591 + if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
35592 + flags &= ~MF_PAX_SEGMEXEC;
35593 + if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
35594 + flags &= ~MF_PAX_RANDMMAP;
35595 + if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
35596 + flags &= ~MF_PAX_EMUTRAMP;
35597 + if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
35598 + flags &= ~MF_PAX_MPROTECT;
35600 + if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
35601 + flags |= MF_PAX_PAGEEXEC;
35602 + if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
35603 + flags |= MF_PAX_SEGMEXEC;
35604 + if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
35605 + flags |= MF_PAX_RANDMMAP;
35606 + if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
35607 + flags |= MF_PAX_EMUTRAMP;
35608 + if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
35609 + flags |= MF_PAX_MPROTECT;
35611 + pax_set_flags(task, flags);
35617 +#ifdef CONFIG_SYSCTL
35618 +/* Eric Biederman likes breaking userland ABI and every inode-based security
35619 + system to save 35kb of memory */
35621 +/* we modify the passed in filename, but adjust it back before returning */
35622 +static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
35624 + struct name_entry *nmatch;
35625 + char *p, *lastp = NULL;
35626 + struct acl_object_label *obj = NULL, *tmp;
35627 + struct acl_subject_label *tmpsubj;
35630 + read_lock(&gr_inode_lock);
35632 + p = name + len - 1;
35634 + nmatch = lookup_name_entry(name);
35635 + if (lastp != NULL)
35638 + if (nmatch == NULL)
35639 + goto next_component;
35640 + tmpsubj = current->acl;
35642 + obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
35643 + if (obj != NULL) {
35644 + tmp = obj->globbed;
35646 + if (!glob_match(tmp->filename, name)) {
35654 + } while ((tmpsubj = tmpsubj->parent_subject));
35660 + while (*p != '/')
35672 + read_unlock(&gr_inode_lock);
35673 + /* obj returned will always be non-null */
35677 +/* returns 0 when allowing, non-zero on error
35678 + op of 0 is used for readdir, so we don't log the names of hidden files
35681 +gr_handle_sysctl(const struct ctl_table *table, const int op)
35684 + const char *proc_sys = "/proc/sys";
35686 + struct acl_object_label *obj;
35687 + unsigned short len = 0, pos = 0, depth = 0, i;
35691 + if (unlikely(!(gr_status & GR_READY)))
35694 + /* for now, ignore operations on non-sysctl entries if it's not a
35696 + if (table->child != NULL && op != 0)
35700 + /* it's only a read if it's an entry, read on dirs is for readdir */
35701 + if (op & MAY_READ)
35703 + if (op & MAY_WRITE)
35704 + mode |= GR_WRITE;
35706 + preempt_disable();
35708 + path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
35710 + /* it's only a read/write if it's an actual entry, not a dir
35711 + (which are opened for readdir)
35714 + /* convert the requested sysctl entry into a pathname */
35716 + for (tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
35717 + len += strlen(tmp->procname);
35722 + if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
35727 + memset(path, 0, PAGE_SIZE);
35729 + memcpy(path, proc_sys, strlen(proc_sys));
35731 + pos += strlen(proc_sys);
35733 + for (; depth > 0; depth--) {
35736 + for (i = 1, tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
35737 + if (depth == i) {
35738 + memcpy(path + pos, tmp->procname,
35739 + strlen(tmp->procname));
35740 + pos += strlen(tmp->procname);
35746 + obj = gr_lookup_by_name(path, pos);
35747 + err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
35749 + if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
35750 + ((err & mode) != mode))) {
35751 + __u32 new_mode = mode;
35753 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
35756 + gr_log_learn_sysctl(path, new_mode);
35757 + } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
35758 + gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
35760 + } else if (!(err & GR_FIND)) {
35762 + } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
35763 + gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
35764 + path, (mode & GR_READ) ? " reading" : "",
35765 + (mode & GR_WRITE) ? " writing" : "");
35767 + } else if ((err & mode) != mode) {
35769 + } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
35770 + gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
35771 + path, (mode & GR_READ) ? " reading" : "",
35772 + (mode & GR_WRITE) ? " writing" : "");
35778 + preempt_enable();
35785 +gr_handle_proc_ptrace(struct task_struct *task)
35787 + struct file *filp;
35788 + struct task_struct *tmp = task;
35789 + struct task_struct *curtemp = current;
35792 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
35793 + if (unlikely(!(gr_status & GR_READY)))
35797 + read_lock(&tasklist_lock);
35798 + read_lock(&grsec_exec_file_lock);
35799 + filp = task->exec_file;
35801 + while (tmp->pid > 0) {
35802 + if (tmp == curtemp)
35804 + tmp = tmp->parent;
35807 + if (!filp || (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
35808 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE))))) {
35809 + read_unlock(&grsec_exec_file_lock);
35810 + read_unlock(&tasklist_lock);
35814 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
35815 + if (!(gr_status & GR_READY)) {
35816 + read_unlock(&grsec_exec_file_lock);
35817 + read_unlock(&tasklist_lock);
35822 + retmode = gr_search_file(filp->f_path.dentry, GR_NOPTRACE, filp->f_path.mnt);
35823 + read_unlock(&grsec_exec_file_lock);
35824 + read_unlock(&tasklist_lock);
35826 + if (retmode & GR_NOPTRACE)
35829 + if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
35830 + && (current->acl != task->acl || (current->acl != current->role->root_label
35831 + && current->pid != task->pid)))
35838 +gr_handle_ptrace(struct task_struct *task, const long request)
35840 + struct task_struct *tmp = task;
35841 + struct task_struct *curtemp = current;
35844 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
35845 + if (unlikely(!(gr_status & GR_READY)))
35849 + read_lock(&tasklist_lock);
35850 + while (tmp->pid > 0) {
35851 + if (tmp == curtemp)
35853 + tmp = tmp->parent;
35856 + if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
35857 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) {
35858 + read_unlock(&tasklist_lock);
35859 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
35862 + read_unlock(&tasklist_lock);
35864 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
35865 + if (!(gr_status & GR_READY))
35869 + read_lock(&grsec_exec_file_lock);
35870 + if (unlikely(!task->exec_file)) {
35871 + read_unlock(&grsec_exec_file_lock);
35875 + retmode = gr_search_file(task->exec_file->f_path.dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_path.mnt);
35876 + read_unlock(&grsec_exec_file_lock);
35878 + if (retmode & GR_NOPTRACE) {
35879 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
35883 + if (retmode & GR_PTRACERD) {
35884 + switch (request) {
35885 + case PTRACE_POKETEXT:
35886 + case PTRACE_POKEDATA:
35887 + case PTRACE_POKEUSR:
35888 +#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
35889 + case PTRACE_SETREGS:
35890 + case PTRACE_SETFPREGS:
35893 + case PTRACE_SETFPXREGS:
35895 +#ifdef CONFIG_ALTIVEC
35896 + case PTRACE_SETVRREGS:
35902 + } else if (!(current->acl->mode & GR_POVERRIDE) &&
35903 + !(current->role->roletype & GR_ROLE_GOD) &&
35904 + (current->acl != task->acl)) {
35905 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
35912 +static int is_writable_mmap(const struct file *filp)
35914 + struct task_struct *task = current;
35915 + struct acl_object_label *obj, *obj2;
35917 + if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
35918 + !task->is_writable && S_ISREG(filp->f_path.dentry->d_inode->i_mode)) {
35919 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
35920 + obj2 = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt,
35921 + task->role->root_label);
35922 + if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
35923 + gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_path.dentry, filp->f_path.mnt);
35931 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
35935 + if (unlikely(!file || !(prot & PROT_EXEC)))
35938 + if (is_writable_mmap(file))
35942 + gr_search_file(file->f_path.dentry,
35943 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
35944 + file->f_path.mnt);
35946 + if (!gr_tpe_allow(file))
35949 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
35950 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
35952 + } else if (unlikely(!(mode & GR_EXEC))) {
35954 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
35955 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
35963 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
35967 + if (unlikely(!file || !(prot & PROT_EXEC)))
35970 + if (is_writable_mmap(file))
35974 + gr_search_file(file->f_path.dentry,
35975 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
35976 + file->f_path.mnt);
35978 + if (!gr_tpe_allow(file))
35981 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
35982 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
35984 + } else if (unlikely(!(mode & GR_EXEC))) {
35986 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
35987 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
35995 +gr_acl_handle_psacct(struct task_struct *task, const long code)
35997 + unsigned long runtime;
35998 + unsigned long cputime;
35999 + unsigned int wday, cday;
36003 + struct timespec timeval;
36005 + if (unlikely(!(gr_status & GR_READY) || !task->acl ||
36006 + !(task->acl->mode & GR_PROCACCT)))
36009 + do_posix_clock_monotonic_gettime(&timeval);
36010 + runtime = timeval.tv_sec - task->start_time.tv_sec;
36011 + wday = runtime / (3600 * 24);
36012 + runtime -= wday * (3600 * 24);
36013 + whr = runtime / 3600;
36014 + runtime -= whr * 3600;
36015 + wmin = runtime / 60;
36016 + runtime -= wmin * 60;
36019 + cputime = (task->utime + task->stime) / HZ;
36020 + cday = cputime / (3600 * 24);
36021 + cputime -= cday * (3600 * 24);
36022 + chr = cputime / 3600;
36023 + cputime -= chr * 3600;
36024 + cmin = cputime / 60;
36025 + cputime -= cmin * 60;
36028 + gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
36033 +void gr_set_kernel_label(struct task_struct *task)
36035 + if (gr_status & GR_READY) {
36036 + task->role = kernel_role;
36037 + task->acl = kernel_role->root_label;
36042 +#ifdef CONFIG_TASKSTATS
36043 +int gr_is_taskstats_denied(int pid)
36045 + struct task_struct *task;
36046 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
36047 + const struct cred *cred;
36051 + /* restrict taskstats viewing to un-chrooted root users
36052 + who have the 'view' subject flag if the RBAC system is enabled
36055 + read_lock(&tasklist_lock);
36056 + task = find_task_by_vpid(pid);
36058 + gr_fs_read_lock(task);
36059 +#ifdef CONFIG_GRKERNSEC_CHROOT
36060 + if (proc_is_chrooted(task))
36063 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
36064 + cred = __task_cred(task);
36065 +#ifdef CONFIG_GRKERNSEC_PROC_USER
36066 + if (cred->uid != 0)
36068 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
36069 + if (cred->uid != 0 && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
36073 + if (gr_status & GR_READY) {
36074 + if (!(task->acl->mode & GR_VIEW))
36078 + gr_fs_read_unlock(task);
36082 + read_unlock(&tasklist_lock);
36088 +int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
36090 + struct task_struct *task = current;
36091 + struct dentry *dentry = file->f_path.dentry;
36092 + struct vfsmount *mnt = file->f_path.mnt;
36093 + struct acl_object_label *obj, *tmp;
36094 + struct acl_subject_label *subj;
36095 + unsigned int bufsize;
36099 + if (unlikely(!(gr_status & GR_READY)))
36102 + if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
36105 + /* ignore Eric Biederman */
36106 + if (IS_PRIVATE(dentry->d_inode))
36109 + subj = task->acl;
36111 + obj = lookup_acl_obj_label(ino, dentry->d_inode->i_sb->s_dev, subj);
36113 + return (obj->mode & GR_FIND) ? 1 : 0;
36114 + } while ((subj = subj->parent_subject));
36116 + /* this is purely an optimization since we're looking for an object
36117 + for the directory we're doing a readdir on
36118 + if it's possible for any globbed object to match the entry we're
36119 + filling into the directory, then the object we find here will be
36120 + an anchor point with attached globbed objects
36122 + obj = chk_obj_label_noglob(dentry, mnt, task->acl);
36123 + if (obj->globbed == NULL)
36124 + return (obj->mode & GR_FIND) ? 1 : 0;
36126 + is_not_root = ((obj->filename[0] == '/') &&
36127 + (obj->filename[1] == '\0')) ? 0 : 1;
36128 + bufsize = PAGE_SIZE - namelen - is_not_root;
36130 + /* check bufsize > PAGE_SIZE || bufsize == 0 */
36131 + if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
36134 + preempt_disable();
36135 + path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
36138 + bufsize = strlen(path);
36140 + /* if base is "/", don't append an additional slash */
36142 + *(path + bufsize) = '/';
36143 + memcpy(path + bufsize + is_not_root, name, namelen);
36144 + *(path + bufsize + namelen + is_not_root) = '\0';
36146 + tmp = obj->globbed;
36148 + if (!glob_match(tmp->filename, path)) {
36149 + preempt_enable();
36150 + return (tmp->mode & GR_FIND) ? 1 : 0;
36154 + preempt_enable();
36155 + return (obj->mode & GR_FIND) ? 1 : 0;
36158 +EXPORT_SYMBOL(gr_learn_resource);
36159 +EXPORT_SYMBOL(gr_set_kernel_label);
36160 +#ifdef CONFIG_SECURITY
36161 +EXPORT_SYMBOL(gr_check_user_change);
36162 +EXPORT_SYMBOL(gr_check_group_change);
36165 diff -urNp linux-2.6.33.1/grsecurity/gracl_cap.c linux-2.6.33.1/grsecurity/gracl_cap.c
36166 --- linux-2.6.33.1/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
36167 +++ linux-2.6.33.1/grsecurity/gracl_cap.c 2010-03-20 16:58:41.888938450 -0400
36169 +#include <linux/kernel.h>
36170 +#include <linux/module.h>
36171 +#include <linux/sched.h>
36172 +#include <linux/gracl.h>
36173 +#include <linux/grsecurity.h>
36174 +#include <linux/grinternal.h>
36176 +static const char *captab_log[] = {
36178 + "CAP_DAC_OVERRIDE",
36179 + "CAP_DAC_READ_SEARCH",
36186 + "CAP_LINUX_IMMUTABLE",
36187 + "CAP_NET_BIND_SERVICE",
36188 + "CAP_NET_BROADCAST",
36193 + "CAP_SYS_MODULE",
36195 + "CAP_SYS_CHROOT",
36196 + "CAP_SYS_PTRACE",
36201 + "CAP_SYS_RESOURCE",
36203 + "CAP_SYS_TTY_CONFIG",
36206 + "CAP_AUDIT_WRITE",
36207 + "CAP_AUDIT_CONTROL",
36209 + "CAP_MAC_OVERRIDE",
36213 +EXPORT_SYMBOL(gr_is_capable);
36214 +EXPORT_SYMBOL(gr_is_capable_nolog);
36217 +gr_is_capable(const int cap)
36219 + struct task_struct *task = current;
36220 + const struct cred *cred = current_cred();
36221 + struct acl_subject_label *curracl;
36222 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
36224 + if (!gr_acl_is_enabled())
36227 + curracl = task->acl;
36229 + cap_drop = curracl->cap_lower;
36230 + cap_mask = curracl->cap_mask;
36232 + while ((curracl = curracl->parent_subject)) {
36233 + /* if the cap isn't specified in the current computed mask but is specified in the
36234 + current level subject, and is lowered in the current level subject, then add
36235 + it to the set of dropped capabilities
36236 + otherwise, add the current level subject's mask to the current computed mask
36238 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
36239 + cap_raise(cap_mask, cap);
36240 + if (cap_raised(curracl->cap_lower, cap))
36241 + cap_raise(cap_drop, cap);
36245 + if (!cap_raised(cap_drop, cap))
36248 + curracl = task->acl;
36250 + if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
36251 + && cap_raised(cred->cap_effective, cap)) {
36252 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
36253 + task->role->roletype, cred->uid,
36254 + cred->gid, task->exec_file ?
36255 + gr_to_filename(task->exec_file->f_path.dentry,
36256 + task->exec_file->f_path.mnt) : curracl->filename,
36257 + curracl->filename, 0UL,
36258 + 0UL, "", (unsigned long) cap, &task->signal->curr_ip);
36262 + if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(cred->cap_effective, cap))
36263 + gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
36268 +gr_is_capable_nolog(const int cap)
36270 + struct acl_subject_label *curracl;
36271 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
36273 + if (!gr_acl_is_enabled())
36276 + curracl = current->acl;
36278 + cap_drop = curracl->cap_lower;
36279 + cap_mask = curracl->cap_mask;
36281 + while ((curracl = curracl->parent_subject)) {
36282 + /* if the cap isn't specified in the current computed mask but is specified in the
36283 + current level subject, and is lowered in the current level subject, then add
36284 + it to the set of dropped capabilities
36285 + otherwise, add the current level subject's mask to the current computed mask
36287 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
36288 + cap_raise(cap_mask, cap);
36289 + if (cap_raised(curracl->cap_lower, cap))
36290 + cap_raise(cap_drop, cap);
36294 + if (!cap_raised(cap_drop, cap))
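Review bot: `cap` is range-checked only for the `captab_log[cap]` lookup at the end of gr_is_capable; the `cap_raised()`/`cap_raise()` calls on `cap_mask`, `cap_drop` and `curracl->cap_lower` before it, and all of gr_is_capable_nolog, use it unchecked. Unless every caller is guaranteed to pass a valid capability number (the callers are not visible here), both functions should reject bad values up front with `if (!cap_valid(cap))` and return their deny result. The parent_subject walk is also duplicated line for line in the two functions, so moving it into one static helper would keep the logging and non-logging paths from drifting apart. Because `captab_log` is indexed by capability number, `BUILD_BUG_ON(ARRAY_SIZE(captab_log) != CAP_LAST_CAP + 1);` would catch a table that lags behind a newly added capability, which would otherwise leave that capability's denials unlogged.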
36300 diff -urNp linux-2.6.33.1/grsecurity/gracl_fs.c linux-2.6.33.1/grsecurity/gracl_fs.c
36301 --- linux-2.6.33.1/grsecurity/gracl_fs.c 1969-12-31 19:00:00.000000000 -0500
36302 +++ linux-2.6.33.1/grsecurity/gracl_fs.c 2010-03-20 16:58:41.888938450 -0400
36304 +#include <linux/kernel.h>
36305 +#include <linux/sched.h>
36306 +#include <linux/types.h>
36307 +#include <linux/fs.h>
36308 +#include <linux/file.h>
36309 +#include <linux/stat.h>
36310 +#include <linux/grsecurity.h>
36311 +#include <linux/grinternal.h>
36312 +#include <linux/gracl.h>
36315 +gr_acl_handle_hidden_file(const struct dentry * dentry,
36316 + const struct vfsmount * mnt)
36320 + if (unlikely(!dentry->d_inode))
36324 + gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
36326 + if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
36327 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
36329 + } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
36330 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
36332 + } else if (unlikely(!(mode & GR_FIND)))
36339 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
36342 + __u32 reqmode = GR_FIND;
36345 + if (unlikely(!dentry->d_inode))
36348 + if (unlikely(fmode & O_APPEND))
36349 + reqmode |= GR_APPEND;
36350 + else if (unlikely(fmode & FMODE_WRITE))
36351 + reqmode |= GR_WRITE;
36352 + if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
36353 + reqmode |= GR_READ;
36354 + if ((fmode & FMODE_GREXEC) && (fmode & FMODE_EXEC))
36355 + reqmode &= ~GR_READ;
36357 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
36360 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
36361 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
36362 + reqmode & GR_READ ? " reading" : "",
36363 + reqmode & GR_WRITE ? " writing" : reqmode &
36364 + GR_APPEND ? " appending" : "");
36367 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
36369 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
36370 + reqmode & GR_READ ? " reading" : "",
36371 + reqmode & GR_WRITE ? " writing" : reqmode &
36372 + GR_APPEND ? " appending" : "");
36374 + } else if (unlikely((mode & reqmode) != reqmode))
36381 +gr_acl_handle_creat(const struct dentry * dentry,
36382 + const struct dentry * p_dentry,
36383 + const struct vfsmount * p_mnt, const int fmode,
36386 + __u32 reqmode = GR_WRITE | GR_CREATE;
36389 + if (unlikely(fmode & O_APPEND))
36390 + reqmode |= GR_APPEND;
36391 + if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
36392 + reqmode |= GR_READ;
36393 + if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
36394 + reqmode |= GR_SETID;
36397 + gr_check_create(dentry, p_dentry, p_mnt,
36398 + reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
36400 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
36401 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
36402 + reqmode & GR_READ ? " reading" : "",
36403 + reqmode & GR_WRITE ? " writing" : reqmode &
36404 + GR_APPEND ? " appending" : "");
36407 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
36409 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
36410 + reqmode & GR_READ ? " reading" : "",
36411 + reqmode & GR_WRITE ? " writing" : reqmode &
36412 + GR_APPEND ? " appending" : "");
36414 + } else if (unlikely((mode & reqmode) != reqmode))
36421 +gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
36424 + __u32 mode, reqmode = GR_FIND;
36426 + if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
36427 + reqmode |= GR_EXEC;
36428 + if (fmode & S_IWOTH)
36429 + reqmode |= GR_WRITE;
36430 + if (fmode & S_IROTH)
36431 + reqmode |= GR_READ;
36434 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
36437 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
36438 + gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
36439 + reqmode & GR_READ ? " reading" : "",
36440 + reqmode & GR_WRITE ? " writing" : "",
36441 + reqmode & GR_EXEC ? " executing" : "");
36444 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
36446 + gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
36447 + reqmode & GR_READ ? " reading" : "",
36448 + reqmode & GR_WRITE ? " writing" : "",
36449 + reqmode & GR_EXEC ? " executing" : "");
36451 + } else if (unlikely((mode & reqmode) != reqmode))
36457 +static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
36461 + mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
36463 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
36464 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
36466 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
36467 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
36469 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
36472 + return (reqmode);
36476 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
36478 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
36482 +gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
36484 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
36488 +gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
36490 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
36494 +gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
36496 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
36500 +gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
36503 + if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
36506 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
36507 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
36508 + GR_FCHMOD_ACL_MSG);
36510 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
36515 +gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
36518 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
36519 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
36520 + GR_CHMOD_ACL_MSG);
36522 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
36527 +gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
36529 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
36533 +gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
36535 + return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
36539 +gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
36541 + return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
36542 + GR_UNIXCONNECT_ACL_MSG);
36545 +/* hardlinks require at minimum create permission,
36546 + any additional privilege required is based on the
36547 + privilege of the file being linked to
36550 +gr_acl_handle_link(const struct dentry * new_dentry,
36551 + const struct dentry * parent_dentry,
36552 + const struct vfsmount * parent_mnt,
36553 + const struct dentry * old_dentry,
36554 + const struct vfsmount * old_mnt, const char *to)
36557 + __u32 needmode = GR_CREATE | GR_LINK;
36558 + __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
36561 + gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
36564 + if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
36565 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
36567 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
36568 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
36570 + } else if (unlikely((mode & needmode) != needmode))
36577 +gr_acl_handle_symlink(const struct dentry * new_dentry,
36578 + const struct dentry * parent_dentry,
36579 + const struct vfsmount * parent_mnt, const char *from)
36581 + __u32 needmode = GR_WRITE | GR_CREATE;
36585 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
36586 + GR_CREATE | GR_AUDIT_CREATE |
36587 + GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
36589 + if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
36590 + gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
36592 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
36593 + gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
36595 + } else if (unlikely((mode & needmode) != needmode))
36598 + return (GR_WRITE | GR_CREATE);
36601 +static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
36605 + mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
36607 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
36608 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
36610 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
36611 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
36613 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
36616 + return (reqmode);
36620 +gr_acl_handle_mknod(const struct dentry * new_dentry,
36621 + const struct dentry * parent_dentry,
36622 + const struct vfsmount * parent_mnt,
36625 + __u32 reqmode = GR_WRITE | GR_CREATE;
36626 + if (unlikely(mode & (S_ISUID | S_ISGID)))
36627 + reqmode |= GR_SETID;
36629 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
36630 + reqmode, GR_MKNOD_ACL_MSG);
36634 +gr_acl_handle_mkdir(const struct dentry *new_dentry,
36635 + const struct dentry *parent_dentry,
36636 + const struct vfsmount *parent_mnt)
36638 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
36639 + GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
36642 +#define RENAME_CHECK_SUCCESS(old, new) \
36643 + (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
36644 + ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
36647 +gr_acl_handle_rename(struct dentry *new_dentry,
36648 + struct dentry *parent_dentry,
36649 + const struct vfsmount *parent_mnt,
36650 + struct dentry *old_dentry,
36651 + struct inode *old_parent_inode,
36652 + struct vfsmount *old_mnt, const char *newname)
36654 + __u32 comp1, comp2;
36657 + if (unlikely(!gr_acl_is_enabled()))
36660 + if (!new_dentry->d_inode) {
36661 + comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
36662 + GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
36663 + GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
36664 + comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
36665 + GR_DELETE | GR_AUDIT_DELETE |
36666 + GR_AUDIT_READ | GR_AUDIT_WRITE |
36667 + GR_SUPPRESS, old_mnt);
36669 + comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
36670 + GR_CREATE | GR_DELETE |
36671 + GR_AUDIT_CREATE | GR_AUDIT_DELETE |
36672 + GR_AUDIT_READ | GR_AUDIT_WRITE |
36673 + GR_SUPPRESS, parent_mnt);
36675 + gr_search_file(old_dentry,
36676 + GR_READ | GR_WRITE | GR_AUDIT_READ |
36677 + GR_DELETE | GR_AUDIT_DELETE |
36678 + GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
36681 + if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
36682 + ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
36683 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
36684 + else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
36685 + && !(comp2 & GR_SUPPRESS)) {
36686 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
36688 + } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
36695 +gr_acl_handle_exit(void)
36699 + struct file *exec_file;
36701 + if (unlikely(current->acl_sp_role && gr_acl_is_enabled())) {
36702 + id = current->acl_role_id;
36703 + rolename = current->role->rolename;
36705 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
36708 + write_lock(&grsec_exec_file_lock);
36709 + exec_file = current->exec_file;
36710 + current->exec_file = NULL;
36711 + write_unlock(&grsec_exec_file_lock);
36718 +gr_acl_handle_procpidmem(const struct task_struct *task)
36720 + if (unlikely(!gr_acl_is_enabled()))
36723 + if (task != current && task->acl->mode & GR_PROTPROCFD)
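Review bot: In gr_acl_handle_symlink the success-audit branch tests `mode & GR_WRITE && mode & GR_AUDITS`, while the two branches below it compare against the full `needmode` (`GR_WRITE | GR_CREATE`). If gr_check_create can return GR_WRITE and an audit bit without GR_CREATE, that result takes the first branch and is logged with GR_DO_AUDIT rather than reaching the denial branches; the test should read `if (unlikely(((mode & needmode) == needmode) && mode & GR_AUDITS)) {`, matching the other handlers in this file. Separately, gr_acl_handle_access dereferences `dentry->d_inode->i_mode` without the `!dentry->d_inode` guard that gr_acl_handle_open and gr_acl_handle_hidden_file have; if a negative dentry can reach it (the callers are not visible here), it needs the same guard.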
36728 diff -urNp linux-2.6.33.1/grsecurity/gracl_ip.c linux-2.6.33.1/grsecurity/gracl_ip.c
36729 --- linux-2.6.33.1/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500
36730 +++ linux-2.6.33.1/grsecurity/gracl_ip.c 2010-03-20 16:58:41.892922620 -0400
36732 +#include <linux/kernel.h>
36733 +#include <asm/uaccess.h>
36734 +#include <asm/errno.h>
36735 +#include <net/sock.h>
36736 +#include <linux/file.h>
36737 +#include <linux/fs.h>
36738 +#include <linux/net.h>
36739 +#include <linux/in.h>
36740 +#include <linux/skbuff.h>
36741 +#include <linux/ip.h>
36742 +#include <linux/udp.h>
36743 +#include <linux/smp_lock.h>
36744 +#include <linux/types.h>
36745 +#include <linux/sched.h>
36746 +#include <linux/netdevice.h>
36747 +#include <linux/inetdevice.h>
36748 +#include <linux/gracl.h>
36749 +#include <linux/grsecurity.h>
36750 +#include <linux/grinternal.h>
36752 +#define GR_BIND 0x01
36753 +#define GR_CONNECT 0x02
36754 +#define GR_INVERT 0x04
36755 +#define GR_BINDOVERRIDE 0x08
36756 +#define GR_CONNECTOVERRIDE 0x10
36758 +static const char * gr_protocols[256] = {
36759 + "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
36760 + "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
36761 + "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
36762 + "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
36763 + "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
36764 + "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
36765 + "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
36766 + "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
36767 + "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
36768 + "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
36769 + "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
36770 + "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
36771 + "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
36772 + "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
36773 + "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
36774 + "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
36775 + "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
36776 + "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
36777 + "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
36778 + "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
36779 + "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
36780 + "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
36781 + "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
36782 + "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
36783 + "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
36784 + "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
36785 + "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
36786 + "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
36787 + "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
36788 + "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
36789 + "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
36790 + "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
36793 +static const char * gr_socktypes[11] = {
36794 + "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
36795 + "unknown:7", "unknown:8", "unknown:9", "packet"
36799 +gr_proto_to_name(unsigned char proto)
36801 + return gr_protocols[proto];
36805 +gr_socktype_to_name(unsigned char type)
36807 + return gr_socktypes[type];
36811 +gr_search_socket(const int domain, const int type, const int protocol)
36813 + struct acl_subject_label *curr;
36814 + const struct cred *cred = current_cred();
36816 + if (unlikely(!gr_acl_is_enabled()))
36819 + if ((domain < 0) || (type < 0) || (protocol < 0) || (domain != PF_INET)
36820 + || (domain >= NPROTO) || (type >= SOCK_MAX) || (protocol > 255))
36821 + goto exit; // let the kernel handle it
36823 + curr = current->acl;
36828 + if ((curr->ip_type & (1 << type)) &&
36829 + (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
36832 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
36833 + /* we don't place acls on raw sockets , and sometimes
36834 + dgram/ip sockets are opened for ioctl and not
36835 + bind/connect, so we'll fake a bind learn log */
36836 + if (type == SOCK_RAW || type == SOCK_PACKET) {
36837 + __u32 fakeip = 0;
36838 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
36839 + current->role->roletype, cred->uid,
36840 + cred->gid, current->exec_file ?
36841 + gr_to_filename(current->exec_file->f_path.dentry,
36842 + current->exec_file->f_path.mnt) :
36843 + curr->filename, curr->filename,
36844 + &fakeip, 0, type,
36845 + protocol, GR_CONNECT, ¤t->signal->curr_ip);
36846 + } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
36847 + __u32 fakeip = 0;
36848 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
36849 + current->role->roletype, cred->uid,
36850 + cred->gid, current->exec_file ?
36851 + gr_to_filename(current->exec_file->f_path.dentry,
36852 + current->exec_file->f_path.mnt) :
36853 + curr->filename, curr->filename,
36854 + &fakeip, 0, type,
36855 + protocol, GR_BIND, ¤t->signal->curr_ip);
36857 + /* we'll log when they use connect or bind */
36861 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, "inet",
36862 + gr_socktype_to_name(type), gr_proto_to_name(protocol));
36869 +int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
36871 + if ((ip->mode & mode) &&
36872 + (ip_port >= ip->low) &&
36873 + (ip_port <= ip->high) &&
36874 + ((ntohl(ip_addr) & our_netmask) ==
36875 + (ntohl(our_addr) & our_netmask))
36876 + && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
36877 + && (ip->type & (1 << type))) {
36878 + if (ip->mode & GR_INVERT)
36879 + return 2; // specifically denied
36881 + return 1; // allowed
36884 + return 0; // not specifically allowed, may continue parsing
36888 +gr_search_connectbind(const int full_mode, struct sock *sk,
36889 + struct sockaddr_in *addr, const int type)
36891 + char iface[IFNAMSIZ] = {0};
36892 + struct acl_subject_label *curr;
36893 + struct acl_ip_label *ip;
36894 + struct inet_sock *isk;
36895 + struct net_device *dev;
36896 + struct in_device *idev;
36899 + int mode = full_mode & (GR_BIND | GR_CONNECT);
36900 + __u32 ip_addr = 0;
36902 + __u32 our_netmask;
36904 + __u16 ip_port = 0;
36905 + const struct cred *cred = current_cred();
36907 + if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
36910 + curr = current->acl;
36911 + isk = inet_sk(sk);
36913 + /* INADDR_ANY overriding for binds, inaddr_any_override is already in network order */
36914 + if ((full_mode & GR_BINDOVERRIDE) && addr->sin_addr.s_addr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0)
36915 + addr->sin_addr.s_addr = curr->inaddr_any_override;
36916 + if ((full_mode & GR_CONNECT) && isk->inet_saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {
36917 + struct sockaddr_in saddr;
36920 + saddr.sin_family = AF_INET;
36921 + saddr.sin_addr.s_addr = curr->inaddr_any_override;
36922 + saddr.sin_port = isk->inet_sport;
36924 + err = security_socket_bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
36928 + err = sk->sk_socket->ops->bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
36936 + ip_addr = addr->sin_addr.s_addr;
36937 + ip_port = ntohs(addr->sin_port);
36939 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
36940 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
36941 + current->role->roletype, cred->uid,
36942 + cred->gid, current->exec_file ?
36943 + gr_to_filename(current->exec_file->f_path.dentry,
36944 + current->exec_file->f_path.mnt) :
36945 + curr->filename, curr->filename,
36946 + &ip_addr, ip_port, type,
36947 + sk->sk_protocol, mode, ¤t->signal->curr_ip);
36951 + for (i = 0; i < curr->ip_num; i++) {
36952 + ip = *(curr->ips + i);
36953 + if (ip->iface != NULL) {
36954 + strncpy(iface, ip->iface, IFNAMSIZ - 1);
36955 + p = strchr(iface, ':');
36958 + dev = dev_get_by_name(sock_net(sk), iface);
36961 + idev = in_dev_get(dev);
36962 + if (idev == NULL) {
36968 + if (!strcmp(ip->iface, ifa->ifa_label)) {
36969 + our_addr = ifa->ifa_address;
36970 + our_netmask = 0xffffffff;
36971 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
36973 + rcu_read_unlock();
36974 + in_dev_put(idev);
36977 + } else if (ret == 2) {
36978 + rcu_read_unlock();
36979 + in_dev_put(idev);
36984 + } endfor_ifa(idev);
36985 + rcu_read_unlock();
36986 + in_dev_put(idev);
36989 + our_addr = ip->addr;
36990 + our_netmask = ip->netmask;
36991 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
36994 + else if (ret == 2)
37000 + if (mode == GR_BIND)
37001 + gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
37002 + else if (mode == GR_CONNECT)
37003 + gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
37009 +gr_search_connect(struct socket *sock, struct sockaddr_in *addr)
37011 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sock->sk, addr, sock->type);
37015 +gr_search_bind(struct socket *sock, struct sockaddr_in *addr)
37017 + return gr_search_connectbind(GR_BIND | GR_BINDOVERRIDE, sock->sk, addr, sock->type);
37020 +int gr_search_listen(struct socket *sock)
37022 + struct sock *sk = sock->sk;
37023 + struct sockaddr_in addr;
37025 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
37026 + addr.sin_port = inet_sk(sk)->inet_sport;
37028 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
37031 +int gr_search_accept(struct socket *sock)
37033 + struct sock *sk = sock->sk;
37034 + struct sockaddr_in addr;
37036 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
37037 + addr.sin_port = inet_sk(sk)->inet_sport;
37039 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
37043 +gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr)
37046 + return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
37048 + struct sockaddr_in sin;
37049 + const struct inet_sock *inet = inet_sk(sk);
37051 + sin.sin_addr.s_addr = inet->inet_daddr;
37052 + sin.sin_port = inet->inet_dport;
37054 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
37059 +gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb)
37061 + struct sockaddr_in sin;
37063 + if (unlikely(skb->len < sizeof (struct udphdr)))
37064 + return 0; // skip this packet
37066 + sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
37067 + sin.sin_port = udp_hdr(skb)->source;
37069 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
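Review bot: gr_socktype_to_name() indexes the 11-entry gr_socktypes table with an unsigned char that it never range-checks, so a type above 10 reads past the table on the logging path. gr_search_socket() rejects `type >= SOCK_MAX` before it logs, but gr_search_connectbind() hands its `type` argument straight to the helper in the bind/connect denial messages, and whether every caller has validated it cannot be seen from this file. A guard inside the helper removes that dependency: `return type < ARRAY_SIZE(gr_socktypes) ? gr_socktypes[type] : "unknown";`. Separately, entry 134 of gr_protocols is spelled "unkown:134", so log filters keyed on the `unknown:` prefix used by the other entries will miss it.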
37071 diff -urNp linux-2.6.33.1/grsecurity/gracl_learn.c linux-2.6.33.1/grsecurity/gracl_learn.c
37072 --- linux-2.6.33.1/grsecurity/gracl_learn.c 1969-12-31 19:00:00.000000000 -0500
37073 +++ linux-2.6.33.1/grsecurity/gracl_learn.c 2010-03-20 16:58:41.892922620 -0400
37075 +#include <linux/kernel.h>
37076 +#include <linux/mm.h>
37077 +#include <linux/sched.h>
37078 +#include <linux/poll.h>
37079 +#include <linux/smp_lock.h>
37080 +#include <linux/string.h>
37081 +#include <linux/file.h>
37082 +#include <linux/types.h>
37083 +#include <linux/vmalloc.h>
37084 +#include <linux/grinternal.h>
37086 +extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
37087 + size_t count, loff_t *ppos);
37088 +extern int gr_acl_is_enabled(void);
37090 +static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
37091 +static int gr_learn_attached;
37093 +/* use a 512k buffer */
37094 +#define LEARN_BUFFER_SIZE (512 * 1024)
37096 +static DEFINE_SPINLOCK(gr_learn_lock);
37097 +static DECLARE_MUTEX(gr_learn_user_sem);
37099 +/* we need to maintain two buffers, so that the kernel context of grlearn
37100 + uses a semaphore around the userspace copying, and the other kernel contexts
37101 + use a spinlock when copying into the buffer, since they cannot sleep
37103 +static char *learn_buffer;
37104 +static char *learn_buffer_user;
37105 +static int learn_buffer_len;
37106 +static int learn_buffer_user_len;
37109 +read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
37111 + DECLARE_WAITQUEUE(wait, current);
37112 + ssize_t retval = 0;
37114 + add_wait_queue(&learn_wait, &wait);
37115 + set_current_state(TASK_INTERRUPTIBLE);
37117 + down(&gr_learn_user_sem);
37118 + spin_lock(&gr_learn_lock);
37119 + if (learn_buffer_len)
37121 + spin_unlock(&gr_learn_lock);
37122 + up(&gr_learn_user_sem);
37123 + if (file->f_flags & O_NONBLOCK) {
37124 + retval = -EAGAIN;
37127 + if (signal_pending(current)) {
37128 + retval = -ERESTARTSYS;
37135 + memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
37136 + learn_buffer_user_len = learn_buffer_len;
37137 + retval = learn_buffer_len;
37138 + learn_buffer_len = 0;
37140 + spin_unlock(&gr_learn_lock);
37142 + if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
37143 + retval = -EFAULT;
37145 + up(&gr_learn_user_sem);
37147 + set_current_state(TASK_RUNNING);
37148 + remove_wait_queue(&learn_wait, &wait);
37152 +static unsigned int
37153 +poll_learn(struct file * file, poll_table * wait)
37155 + poll_wait(file, &learn_wait, wait);
37157 + if (learn_buffer_len)
37158 + return (POLLIN | POLLRDNORM);
37164 +gr_clear_learn_entries(void)
37168 + down(&gr_learn_user_sem);
37169 + if (learn_buffer != NULL) {
37170 + spin_lock(&gr_learn_lock);
37171 + tmp = learn_buffer;
37172 + learn_buffer = NULL;
37173 + spin_unlock(&gr_learn_lock);
37174 + vfree(learn_buffer);
37176 + if (learn_buffer_user != NULL) {
37177 + vfree(learn_buffer_user);
37178 + learn_buffer_user = NULL;
37180 + learn_buffer_len = 0;
37181 + up(&gr_learn_user_sem);
37187 +gr_add_learn_entry(const char *fmt, ...)
37190 + unsigned int len;
37192 + if (!gr_learn_attached)
37195 + spin_lock(&gr_learn_lock);
37197 + /* leave a gap at the end so we know when it's "full" but don't have to
37198 + compute the exact length of the string we're trying to append
37200 + if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
37201 + spin_unlock(&gr_learn_lock);
37202 + wake_up_interruptible(&learn_wait);
37205 + if (learn_buffer == NULL) {
37206 + spin_unlock(&gr_learn_lock);
37210 + va_start(args, fmt);
37211 + len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
37214 + learn_buffer_len += len + 1;
37216 + spin_unlock(&gr_learn_lock);
37217 + wake_up_interruptible(&learn_wait);
37223 +open_learn(struct inode *inode, struct file *file)
37225 + if (file->f_mode & FMODE_READ && gr_learn_attached)
37227 + if (file->f_mode & FMODE_READ) {
37229 + down(&gr_learn_user_sem);
37230 + if (learn_buffer == NULL)
37231 + learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
37232 + if (learn_buffer_user == NULL)
37233 + learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
37234 + if (learn_buffer == NULL) {
37235 + retval = -ENOMEM;
37238 + if (learn_buffer_user == NULL) {
37239 + retval = -ENOMEM;
37242 + learn_buffer_len = 0;
37243 + learn_buffer_user_len = 0;
37244 + gr_learn_attached = 1;
37246 + up(&gr_learn_user_sem);
37253 +close_learn(struct inode *inode, struct file *file)
37257 + if (file->f_mode & FMODE_READ) {
37258 + down(&gr_learn_user_sem);
37259 + if (learn_buffer != NULL) {
37260 + spin_lock(&gr_learn_lock);
37261 + tmp = learn_buffer;
37262 + learn_buffer = NULL;
37263 + spin_unlock(&gr_learn_lock);
37266 + if (learn_buffer_user != NULL) {
37267 + vfree(learn_buffer_user);
37268 + learn_buffer_user = NULL;
37270 + learn_buffer_len = 0;
37271 + learn_buffer_user_len = 0;
37272 + gr_learn_attached = 0;
37273 + up(&gr_learn_user_sem);
37279 +const struct file_operations grsec_fops = {
37280 + .read = read_learn,
37281 + .write = write_grsec_handler,
37282 + .open = open_learn,
37283 + .release = close_learn,
37284 + .poll = poll_learn,
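Review bot: gr_clear_learn_entries() saves the buffer in `tmp`, sets `learn_buffer = NULL` under the spinlock and then calls `vfree(learn_buffer)`, which frees NULL and leaks the 512k allocation on every call; the call should be `vfree(tmp);`. In read_learn() the visible lines copy `learn_buffer_user_len` bytes to `buf` and never compare that length with `count`, so a reader that passes a smaller buffer gets more bytes written into its memory than it asked for. Unless that check sits on a line this listing dropped, the length should be compared with `count` before copy_to_user() and the read rejected or truncated.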
37286 diff -urNp linux-2.6.33.1/grsecurity/gracl_res.c linux-2.6.33.1/grsecurity/gracl_res.c
37287 --- linux-2.6.33.1/grsecurity/gracl_res.c 1969-12-31 19:00:00.000000000 -0500
37288 +++ linux-2.6.33.1/grsecurity/gracl_res.c 2010-03-20 16:58:41.892922620 -0400
37290 +#include <linux/kernel.h>
37291 +#include <linux/sched.h>
37292 +#include <linux/gracl.h>
37293 +#include <linux/grinternal.h>
37295 +static const char *restab_log[] = {
37296 + [RLIMIT_CPU] = "RLIMIT_CPU",
37297 + [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
37298 + [RLIMIT_DATA] = "RLIMIT_DATA",
37299 + [RLIMIT_STACK] = "RLIMIT_STACK",
37300 + [RLIMIT_CORE] = "RLIMIT_CORE",
37301 + [RLIMIT_RSS] = "RLIMIT_RSS",
37302 + [RLIMIT_NPROC] = "RLIMIT_NPROC",
37303 + [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
37304 + [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
37305 + [RLIMIT_AS] = "RLIMIT_AS",
37306 + [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
37307 + [RLIMIT_SIGPENDING] = "RLIMIT_SIGPENDING",
37308 + [RLIMIT_MSGQUEUE] = "RLIMIT_MSGQUEUE",
37309 + [RLIMIT_NICE] = "RLIMIT_NICE",
37310 + [RLIMIT_RTPRIO] = "RLIMIT_RTPRIO",
37311 + [RLIMIT_RTTIME] = "RLIMIT_RTTIME",
37312 + [GR_CRASH_RES] = "RLIMIT_CRASH"
37316 +gr_log_resource(const struct task_struct *task,
37317 + const int res, const unsigned long wanted, const int gt)
37319 + const struct cred *cred;
37321 + if (!gr_acl_is_enabled() && !grsec_resource_logging)
37324 + // not yet supported resource
37325 + if (!restab_log[res])
37329 + cred = __task_cred(task);
37331 + if (res == RLIMIT_NPROC &&
37332 + (cap_raised(cred->cap_effective, CAP_SYS_ADMIN) ||
37333 + cap_raised(cred->cap_effective, CAP_SYS_RESOURCE)))
37334 + goto out_rcu_unlock;
37335 + else if (res == RLIMIT_MEMLOCK &&
37336 + cap_raised(cred->cap_effective, CAP_IPC_LOCK))
37337 + goto out_rcu_unlock;
37338 + else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
37339 + goto out_rcu_unlock;
37340 + rcu_read_unlock();
37342 + preempt_disable();
37344 + if (unlikely(((gt && wanted > task->signal->rlim[res].rlim_cur) ||
37345 + (!gt && wanted >= task->signal->rlim[res].rlim_cur)) &&
37346 + task->signal->rlim[res].rlim_cur != RLIM_INFINITY))
37347 + gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], task->signal->rlim[res].rlim_cur);
37348 + preempt_enable_no_resched();
37352 + rcu_read_unlock();
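Review bot: gr_log_resource() uses `res` as an index into restab_log and then into task->signal->rlim without checking its range; `if (!restab_log[res])` only catches holes inside the table, not a negative or too-large value. The bound can go into the existing test: `if (res < 0 || res >= ARRAY_SIZE(restab_log) || !restab_log[res])`. The table also carries an entry for GR_CRASH_RES, so that value passes the check and reaches `task->signal->rlim[res]`; its definition is not in this section, but if it lies beyond the task's rlimit array that read is out of bounds and needs its own guard.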
37355 diff -urNp linux-2.6.33.1/grsecurity/gracl_segv.c linux-2.6.33.1/grsecurity/gracl_segv.c
37356 --- linux-2.6.33.1/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500
37357 +++ linux-2.6.33.1/grsecurity/gracl_segv.c 2010-03-20 16:58:41.892922620 -0400
37359 +#include <linux/kernel.h>
37360 +#include <linux/mm.h>
37361 +#include <asm/uaccess.h>
37362 +#include <asm/errno.h>
37363 +#include <asm/mman.h>
37364 +#include <net/sock.h>
37365 +#include <linux/file.h>
37366 +#include <linux/fs.h>
37367 +#include <linux/net.h>
37368 +#include <linux/in.h>
37369 +#include <linux/smp_lock.h>
37370 +#include <linux/slab.h>
37371 +#include <linux/types.h>
37372 +#include <linux/sched.h>
37373 +#include <linux/timer.h>
37374 +#include <linux/gracl.h>
37375 +#include <linux/grsecurity.h>
37376 +#include <linux/grinternal.h>
37378 +static struct crash_uid *uid_set;
37379 +static unsigned short uid_used;
37380 +static DEFINE_SPINLOCK(gr_uid_lock);
37381 +extern rwlock_t gr_inode_lock;
37382 +extern struct acl_subject_label *
37383 + lookup_acl_subj_label(const ino_t inode, const dev_t dev,
37384 + struct acl_role_label *role);
37385 +extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
37388 +gr_init_uidset(void)
37391 + kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
37394 + return uid_set ? 1 : 0;
37398 +gr_free_uidset(void)
37407 +gr_find_uid(const uid_t uid)
37409 + struct crash_uid *tmp = uid_set;
37411 + int low = 0, high = uid_used - 1, mid;
37413 + while (high >= low) {
37414 + mid = (low + high) >> 1;
37415 + buid = tmp[mid].uid;
37427 +static __inline__ void
37428 +gr_insertsort(void)
37430 + unsigned short i, j;
37431 + struct crash_uid index;
37433 + for (i = 1; i < uid_used; i++) {
37434 + index = uid_set[i];
37436 + while ((j > 0) && uid_set[j - 1].uid > index.uid) {
37437 + uid_set[j] = uid_set[j - 1];
37440 + uid_set[j] = index;
37446 +static __inline__ void
37447 +gr_insert_uid(const uid_t uid, const unsigned long expires)
37451 + if (uid_used == GR_UIDTABLE_MAX)
37454 + loc = gr_find_uid(uid);
37457 + uid_set[loc].expires = expires;
37461 + uid_set[uid_used].uid = uid;
37462 + uid_set[uid_used].expires = expires;
37471 +gr_remove_uid(const unsigned short loc)
37473 + unsigned short i;
37475 + for (i = loc + 1; i < uid_used; i++)
37476 + uid_set[i - 1] = uid_set[i];
37484 +gr_check_crash_uid(const uid_t uid)
37489 + if (unlikely(!gr_acl_is_enabled()))
37492 + spin_lock(&gr_uid_lock);
37493 + loc = gr_find_uid(uid);
37498 + if (time_before_eq(uid_set[loc].expires, get_seconds()))
37499 + gr_remove_uid(loc);
37504 + spin_unlock(&gr_uid_lock);
37508 +static __inline__ int
37509 +proc_is_setxid(const struct cred *cred)
37511 + if (cred->uid != cred->euid || cred->uid != cred->suid ||
37512 + cred->uid != cred->fsuid)
37514 + if (cred->gid != cred->egid || cred->gid != cred->sgid ||
37515 + cred->gid != cred->fsgid)
37520 +static __inline__ int
37521 +gr_fake_force_sig(int sig, struct task_struct *t)
37523 + unsigned long int flags;
37524 + int ret, blocked, ignored;
37525 + struct k_sigaction *action;
37527 + spin_lock_irqsave(&t->sighand->siglock, flags);
37528 + action = &t->sighand->action[sig-1];
37529 + ignored = action->sa.sa_handler == SIG_IGN;
37530 + blocked = sigismember(&t->blocked, sig);
37531 + if (blocked || ignored) {
37532 + action->sa.sa_handler = SIG_DFL;
37534 + sigdelset(&t->blocked, sig);
37535 + recalc_sigpending_and_wake(t);
37538 + if (action->sa.sa_handler == SIG_DFL)
37539 + t->signal->flags &= ~SIGNAL_UNKILLABLE;
37540 + ret = specific_send_sig_info(sig, SEND_SIG_PRIV, t);
37542 + spin_unlock_irqrestore(&t->sighand->siglock, flags);
37548 +gr_handle_crash(struct task_struct *task, const int sig)
37550 + struct acl_subject_label *curr;
37551 + struct acl_subject_label *curr2;
37552 + struct task_struct *tsk, *tsk2;
37553 + const struct cred *cred;
37554 + const struct cred *cred2;
37556 + if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
37559 + if (unlikely(!gr_acl_is_enabled()))
37562 + curr = task->acl;
37564 + if (!(curr->resmask & (1 << GR_CRASH_RES)))
37567 + if (time_before_eq(curr->expires, get_seconds())) {
37568 + curr->expires = 0;
37569 + curr->crashes = 0;
37574 + if (!curr->expires)
37575 + curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
37577 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
37578 + time_after(curr->expires, get_seconds())) {
37580 + cred = __task_cred(task);
37581 + if (cred->uid && proc_is_setxid(cred)) {
37582 + gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
37583 + spin_lock(&gr_uid_lock);
37584 + gr_insert_uid(cred->uid, curr->expires);
37585 + spin_unlock(&gr_uid_lock);
37586 + curr->expires = 0;
37587 + curr->crashes = 0;
37588 + read_lock(&tasklist_lock);
37589 + do_each_thread(tsk2, tsk) {
37590 + cred2 = __task_cred(tsk);
37591 + if (tsk != task && cred2->uid == cred->uid)
37592 + gr_fake_force_sig(SIGKILL, tsk);
37593 + } while_each_thread(tsk2, tsk);
37594 + read_unlock(&tasklist_lock);
37596 + gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
37597 + read_lock(&tasklist_lock);
37598 + do_each_thread(tsk2, tsk) {
37599 + if (likely(tsk != task)) {
37600 + curr2 = tsk->acl;
37602 + if (curr2->device == curr->device &&
37603 + curr2->inode == curr->inode)
37604 + gr_fake_force_sig(SIGKILL, tsk);
37606 + } while_each_thread(tsk2, tsk);
37607 + read_unlock(&tasklist_lock);
37609 + rcu_read_unlock();
37616 +gr_check_crash_exec(const struct file *filp)
37618 + struct acl_subject_label *curr;
37620 + if (unlikely(!gr_acl_is_enabled()))
37623 + read_lock(&gr_inode_lock);
37624 + curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino,
37625 + filp->f_path.dentry->d_inode->i_sb->s_dev,
37627 + read_unlock(&gr_inode_lock);
37629 + if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
37630 + (!curr->crashes && !curr->expires))
37633 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
37634 + time_after(curr->expires, get_seconds()))
37636 + else if (time_before_eq(curr->expires, get_seconds())) {
37637 + curr->crashes = 0;
37638 + curr->expires = 0;
37645 +gr_handle_alertkill(struct task_struct *task)
37647 + struct acl_subject_label *curracl;
37649 + struct task_struct *p, *p2;
37651 + if (unlikely(!gr_acl_is_enabled()))
37654 + curracl = task->acl;
37655 + curr_ip = task->signal->curr_ip;
37657 + if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
37658 + read_lock(&tasklist_lock);
37659 + do_each_thread(p2, p) {
37660 + if (p->signal->curr_ip == curr_ip)
37661 + gr_fake_force_sig(SIGKILL, p);
37662 + } while_each_thread(p2, p);
37663 + read_unlock(&tasklist_lock);
37664 + } else if (curracl->mode & GR_KILLPROC)
37665 + gr_fake_force_sig(SIGKILL, task);
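Review bot: gr_handle_crash() and gr_check_crash_exec() read and reset `curr->crashes` and `curr->expires` with no lock held in the lines shown; in gr_check_crash_exec() the reset comes after `read_unlock(&gr_inode_lock)`. The subject label looks to be shared by every task running under that subject, so two tasks crashing at the same time can race on the counter and the expiry, and the crash threshold may then trip late or the window may be cleared early. If serialization is provided somewhere outside this file, record it next to the fields with a comment such as `/* crashes/expires are protected by <lock name> */`; otherwise the updates need a lock or atomic counters.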
37669 diff -urNp linux-2.6.33.1/grsecurity/gracl_shm.c linux-2.6.33.1/grsecurity/gracl_shm.c
37670 --- linux-2.6.33.1/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500
37671 +++ linux-2.6.33.1/grsecurity/gracl_shm.c 2010-03-20 16:58:41.892922620 -0400
37673 +#include <linux/kernel.h>
37674 +#include <linux/mm.h>
37675 +#include <linux/sched.h>
37676 +#include <linux/file.h>
37677 +#include <linux/ipc.h>
37678 +#include <linux/gracl.h>
37679 +#include <linux/grsecurity.h>
37680 +#include <linux/grinternal.h>
37683 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
37684 + const time_t shm_createtime, const uid_t cuid, const int shmid)
37686 + struct task_struct *task;
37688 + if (!gr_acl_is_enabled())
37691 + read_lock(&tasklist_lock);
37693 + task = find_task_by_vpid(shm_cprid);
37695 + if (unlikely(!task))
37696 + task = find_task_by_vpid(shm_lapid);
37698 + if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
37699 + (task->pid == shm_lapid)) &&
37700 + (task->acl->mode & GR_PROTSHM) &&
37701 + (task->acl != current->acl))) {
37702 + read_unlock(&tasklist_lock);
37703 + gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
37706 + read_unlock(&tasklist_lock);
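Review bot: The time_before_eq() test in gr_handle_shmat() compares `task->start_time.tv_sec` with `shm_createtime` without saying that both values come from the same clock. That comparison is the only thing keeping a recycled creator PID from matching an unrelated task, and it holds for nearly every task if one side is time since boot and the other is wall-clock time. The code that fills in `shm_createtime` is not in this section, so this needs confirming against the caller. A comment above the test would pin the assumption: `/* start_time and shm_createtime must be in the same clock domain, or a reused PID passes */`.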
37710 diff -urNp linux-2.6.33.1/grsecurity/grsec_chdir.c linux-2.6.33.1/grsecurity/grsec_chdir.c
37711 --- linux-2.6.33.1/grsecurity/grsec_chdir.c 1969-12-31 19:00:00.000000000 -0500
37712 +++ linux-2.6.33.1/grsecurity/grsec_chdir.c 2010-03-20 16:58:41.892922620 -0400
37714 +#include <linux/kernel.h>
37715 +#include <linux/sched.h>
37716 +#include <linux/fs.h>
37717 +#include <linux/file.h>
37718 +#include <linux/grsecurity.h>
37719 +#include <linux/grinternal.h>
37722 +gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
37724 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
37725 + if ((grsec_enable_chdir && grsec_enable_group &&
37726 + in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
37727 + !grsec_enable_group)) {
37728 + gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
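Review bot: The audit condition in gr_log_chdir() tests `grsec_enable_chdir` twice and spreads the group filter over two alternatives, which makes it harder to see when a chdir is audited. The same predicate reads more directly as `if (grsec_enable_chdir && (!grsec_enable_group || in_group_p(grsec_audit_gid))) {`. in_group_p() is still called only when group filtering is enabled, so behaviour is unchanged.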
37733 diff -urNp linux-2.6.33.1/grsecurity/grsec_chroot.c linux-2.6.33.1/grsecurity/grsec_chroot.c
37734 --- linux-2.6.33.1/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500
37735 +++ linux-2.6.33.1/grsecurity/grsec_chroot.c 2010-03-20 16:58:41.892922620 -0400
37737 +#include <linux/kernel.h>
37738 +#include <linux/module.h>
37739 +#include <linux/sched.h>
37740 +#include <linux/file.h>
37741 +#include <linux/fs.h>
37742 +#include <linux/mount.h>
37743 +#include <linux/types.h>
37744 +#include <linux/pid_namespace.h>
37745 +#include <linux/grsecurity.h>
37746 +#include <linux/grinternal.h>
37749 +gr_handle_chroot_unix(const pid_t pid)
37751 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
37752 + struct pid *spid = NULL;
37754 + if (unlikely(!grsec_enable_chroot_unix))
37757 + if (likely(!proc_is_chrooted(current)))
37760 + read_lock(&tasklist_lock);
37762 + spid = find_vpid(pid);
37764 + struct task_struct *p;
37765 + p = pid_task(spid, PIDTYPE_PID);
37766 + gr_fs_read_lock(p);
37767 + if (unlikely(!have_same_root(current, p))) {
37768 + gr_fs_read_unlock(p);
37769 + read_unlock(&tasklist_lock);
37770 + gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
37773 + gr_fs_read_unlock(p);
37775 + read_unlock(&tasklist_lock);
37781 +gr_handle_chroot_nice(void)
37783 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
37784 + if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
37785 + gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
37793 +gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
37795 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
37796 + if (grsec_enable_chroot_nice && (niceval < task_nice(p))
37797 + && proc_is_chrooted(current)) {
37798 + gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
37806 +gr_handle_chroot_rawio(const struct inode *inode)
37808 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
37809 + if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
37810 + inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
37817 +gr_pid_is_chrooted(struct task_struct *p)
37819 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
37820 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
37823 + gr_fs_read_lock(p);
37824 + if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
37825 + !have_same_root(current, p)) {
37826 + gr_fs_read_unlock(p);
37829 + gr_fs_read_unlock(p);
37834 +EXPORT_SYMBOL(gr_pid_is_chrooted);
37836 +#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
37837 +int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
37839 + struct dentry *dentry = (struct dentry *)u_dentry;
37840 + struct vfsmount *mnt = (struct vfsmount *)u_mnt;
37841 + struct dentry *realroot;
37842 + struct vfsmount *realrootmnt;
37843 + struct dentry *currentroot;
37844 + struct vfsmount *currentmnt;
37845 + struct task_struct *reaper = &init_task;
37848 + read_lock(&reaper->fs->lock);
37849 + realrootmnt = mntget(reaper->fs->root.mnt);
37850 + realroot = dget(reaper->fs->root.dentry);
37851 + read_unlock(&reaper->fs->lock);
37853 + read_lock(¤t->fs->lock);
37854 + currentmnt = mntget(current->fs->root.mnt);
37855 + currentroot = dget(current->fs->root.dentry);
37856 + read_unlock(¤t->fs->lock);
37858 + spin_lock(&dcache_lock);
37860 + if (unlikely((dentry == realroot && mnt == realrootmnt)
37861 + || (dentry == currentroot && mnt == currentmnt)))
37863 + if (unlikely(dentry == mnt->mnt_root || IS_ROOT(dentry))) {
37864 + if (mnt->mnt_parent == mnt)
37866 + dentry = mnt->mnt_mountpoint;
37867 + mnt = mnt->mnt_parent;
37870 + dentry = dentry->d_parent;
37872 + spin_unlock(&dcache_lock);
37874 + dput(currentroot);
37875 + mntput(currentmnt);
37877 + /* access is outside of chroot */
37878 + if (dentry == realroot && mnt == realrootmnt)
37882 + mntput(realrootmnt);
37888 +gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
37890 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
37891 + if (!grsec_enable_chroot_fchdir)
37894 + if (!proc_is_chrooted(current))
37896 + else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
37897 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
37905 +gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
37906 + const time_t shm_createtime)
37908 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
37909 + struct pid *pid = NULL;
37910 + time_t starttime;
37912 + if (unlikely(!grsec_enable_chroot_shmat))
37915 + if (likely(!proc_is_chrooted(current)))
37918 + read_lock(&tasklist_lock);
37920 + pid = find_vpid(shm_cprid);
37922 + struct task_struct *p;
37923 + p = pid_task(pid, PIDTYPE_PID);
37924 + gr_fs_read_lock(p);
37925 + starttime = p->start_time.tv_sec;
37926 + if (unlikely(!have_same_root(current, p) &&
37927 + time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime))) {
37928 + gr_fs_read_unlock(p);
37929 + read_unlock(&tasklist_lock);
37930 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
37933 + gr_fs_read_unlock(p);
37935 + pid = find_vpid(shm_lapid);
37937 + struct task_struct *p;
37938 + p = pid_task(pid, PIDTYPE_PID);
37939 + gr_fs_read_lock(p);
37940 + if (unlikely(!have_same_root(current, p))) {
37941 + gr_fs_read_unlock(p);
37942 + read_unlock(&tasklist_lock);
37943 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
37946 + gr_fs_read_unlock(p);
37950 + read_unlock(&tasklist_lock);
37956 +gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
37958 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
37959 + if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
37960 + gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
37966 +gr_handle_chroot_mknod(const struct dentry *dentry,
37967 + const struct vfsmount *mnt, const int mode)
37969 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
37970 + if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
37971 + proc_is_chrooted(current)) {
37972 + gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
37980 +gr_handle_chroot_mount(const struct dentry *dentry,
37981 + const struct vfsmount *mnt, const char *dev_name)
37983 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
37984 + if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
37985 + gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name, dentry, mnt);
37993 +gr_handle_chroot_pivot(void)
37995 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
37996 + if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
37997 + gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
38005 +gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
38007 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
38008 + if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
38009 + !gr_is_outside_chroot(dentry, mnt)) {
38010 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
38018 +gr_handle_chroot_caps(struct path *path)
38020 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
38021 + if (grsec_enable_chroot_caps && current->pid > 1 && current->fs != NULL &&
38022 + (init_task.fs->root.dentry != path->dentry) &&
38023 + (current->nsproxy->mnt_ns->root->mnt_root != path->dentry)) {
38025 + kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
38026 + const struct cred *old = current_cred();
38027 + struct cred *new = prepare_creds();
38031 + new->cap_permitted = cap_drop(old->cap_permitted,
38033 + new->cap_inheritable = cap_drop(old->cap_inheritable,
38035 + new->cap_effective = cap_drop(old->cap_effective,
38038 + commit_creds(new);
38047 +gr_handle_chroot_sysctl(const int op)
38049 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
38050 + if (grsec_enable_chroot_sysctl && (op & MAY_WRITE) &&
38051 + proc_is_chrooted(current))
38058 +gr_handle_chroot_chdir(struct path *path)
38060 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
38061 + if (grsec_enable_chroot_chdir)
38062 + set_fs_pwd(current->fs, path);
38068 +gr_handle_chroot_chmod(const struct dentry *dentry,
38069 + const struct vfsmount *mnt, const int mode)
38071 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
38072 + if (grsec_enable_chroot_chmod &&
38073 + ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
38074 + proc_is_chrooted(current)) {
38075 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
38082 +#ifdef CONFIG_SECURITY
38083 +EXPORT_SYMBOL(gr_handle_chroot_caps);
38085 diff -urNp linux-2.6.33.1/grsecurity/grsec_disabled.c linux-2.6.33.1/grsecurity/grsec_disabled.c
38086 --- linux-2.6.33.1/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
38087 +++ linux-2.6.33.1/grsecurity/grsec_disabled.c 2010-03-20 16:58:41.892922620 -0400
38089 +#include <linux/kernel.h>
38090 +#include <linux/module.h>
38091 +#include <linux/sched.h>
38092 +#include <linux/file.h>
38093 +#include <linux/fs.h>
38094 +#include <linux/kdev_t.h>
38095 +#include <linux/net.h>
38096 +#include <linux/in.h>
38097 +#include <linux/ip.h>
38098 +#include <linux/skbuff.h>
38099 +#include <linux/sysctl.h>
38101 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
38103 +pax_set_initial_flags(struct linux_binprm *bprm)
38109 +#ifdef CONFIG_SYSCTL
38111 +gr_handle_sysctl(const struct ctl_table * table, const int op)
38117 +#ifdef CONFIG_TASKSTATS
38118 +int gr_is_taskstats_denied(int pid)
38125 +gr_acl_is_enabled(void)
38131 +gr_handle_rawio(const struct inode *inode)
38137 +gr_acl_handle_psacct(struct task_struct *task, const long code)
38143 +gr_handle_ptrace(struct task_struct *task, const long request)
38149 +gr_handle_proc_ptrace(struct task_struct *task)
38155 +gr_learn_resource(const struct task_struct *task,
38156 + const int res, const unsigned long wanted, const int gt)
38162 +gr_set_acls(const int type)
38168 +gr_check_hidden_task(const struct task_struct *tsk)
38174 +gr_check_protected_task(const struct task_struct *task)
38180 +gr_copy_label(struct task_struct *tsk)
38186 +gr_set_pax_flags(struct task_struct *task)
38192 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
38193 + const int unsafe_share)
38199 +gr_handle_delete(const ino_t ino, const dev_t dev)
38205 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
38211 +gr_handle_crash(struct task_struct *task, const int sig)
38217 +gr_check_crash_exec(const struct file *filp)
38223 +gr_check_crash_uid(const uid_t uid)
38229 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
38230 + struct dentry *old_dentry,
38231 + struct dentry *new_dentry,
38232 + struct vfsmount *mnt, const __u8 replace)
38238 +gr_search_socket(const int family, const int type, const int protocol)
38244 +gr_search_connectbind(const int mode, const struct socket *sock,
38245 + const struct sockaddr_in *addr)
38251 +gr_is_capable(const int cap)
38257 +gr_is_capable_nolog(const int cap)
38263 +gr_handle_alertkill(struct task_struct *task)
38269 +gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
38275 +gr_acl_handle_hidden_file(const struct dentry * dentry,
38276 + const struct vfsmount * mnt)
38282 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
38289 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
38295 +gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
38301 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
38302 + unsigned int *vm_flags)
38308 +gr_acl_handle_truncate(const struct dentry * dentry,
38309 + const struct vfsmount * mnt)
38315 +gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
38321 +gr_acl_handle_access(const struct dentry * dentry,
38322 + const struct vfsmount * mnt, const int fmode)
38328 +gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
38335 +gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
38342 +gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
38348 +grsecurity_init(void)
38354 +gr_acl_handle_mknod(const struct dentry * new_dentry,
38355 + const struct dentry * parent_dentry,
38356 + const struct vfsmount * parent_mnt,
38363 +gr_acl_handle_mkdir(const struct dentry * new_dentry,
38364 + const struct dentry * parent_dentry,
38365 + const struct vfsmount * parent_mnt)
38371 +gr_acl_handle_symlink(const struct dentry * new_dentry,
38372 + const struct dentry * parent_dentry,
38373 + const struct vfsmount * parent_mnt, const char *from)
38379 +gr_acl_handle_link(const struct dentry * new_dentry,
38380 + const struct dentry * parent_dentry,
38381 + const struct vfsmount * parent_mnt,
38382 + const struct dentry * old_dentry,
38383 + const struct vfsmount * old_mnt, const char *to)
38389 +gr_acl_handle_rename(const struct dentry *new_dentry,
38390 + const struct dentry *parent_dentry,
38391 + const struct vfsmount *parent_mnt,
38392 + const struct dentry *old_dentry,
38393 + const struct inode *old_parent_inode,
38394 + const struct vfsmount *old_mnt, const char *newname)
38400 +gr_acl_handle_filldir(const struct file *file, const char *name,
38401 + const int namelen, const ino_t ino)
38407 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
38408 + const time_t shm_createtime, const uid_t cuid, const int shmid)
38414 +gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
38420 +gr_search_accept(const struct socket *sock)
38426 +gr_search_listen(const struct socket *sock)
38432 +gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
38438 +gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
38444 +gr_acl_handle_creat(const struct dentry * dentry,
38445 + const struct dentry * p_dentry,
38446 + const struct vfsmount * p_mnt, const int fmode,
38453 +gr_acl_handle_exit(void)
38459 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
38465 +gr_set_role_label(const uid_t uid, const gid_t gid)
38471 +gr_acl_handle_procpidmem(const struct task_struct *task)
38477 +gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
38483 +gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
38489 +gr_set_kernel_label(struct task_struct *task)
38495 +gr_check_user_change(int real, int effective, int fs)
38501 +gr_check_group_change(int real, int effective, int fs)
38507 +EXPORT_SYMBOL(gr_is_capable);
38508 +EXPORT_SYMBOL(gr_is_capable_nolog);
38509 +EXPORT_SYMBOL(gr_learn_resource);
38510 +EXPORT_SYMBOL(gr_set_kernel_label);
38511 +#ifdef CONFIG_SECURITY
38512 +EXPORT_SYMBOL(gr_check_user_change);
38513 +EXPORT_SYMBOL(gr_check_group_change);
38515 diff -urNp linux-2.6.33.1/grsecurity/grsec_exec.c linux-2.6.33.1/grsecurity/grsec_exec.c
38516 --- linux-2.6.33.1/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
38517 +++ linux-2.6.33.1/grsecurity/grsec_exec.c 2010-03-20 16:58:41.892922620 -0400
38519 +#include <linux/kernel.h>
38520 +#include <linux/sched.h>
38521 +#include <linux/file.h>
38522 +#include <linux/binfmts.h>
38523 +#include <linux/smp_lock.h>
38524 +#include <linux/fs.h>
38525 +#include <linux/types.h>
38526 +#include <linux/grdefs.h>
38527 +#include <linux/grinternal.h>
38528 +#include <linux/capability.h>
38530 +#include <asm/uaccess.h>
38532 +#ifdef CONFIG_GRKERNSEC_EXECLOG
38533 +static char gr_exec_arg_buf[132];
38534 +static DECLARE_MUTEX(gr_exec_arg_sem);
38538 +gr_handle_nproc(void)
38540 +#ifdef CONFIG_GRKERNSEC_EXECVE
38541 + const struct cred *cred = current_cred();
38542 + if (grsec_enable_execve && cred->user &&
38543 + (atomic_read(&cred->user->processes) >
38544 + current->signal->rlim[RLIMIT_NPROC].rlim_cur) &&
38545 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
38546 + gr_log_noargs(GR_DONT_AUDIT, GR_NPROC_MSG);
38554 +gr_handle_exec_args(struct linux_binprm *bprm, const char __user *__user *argv)
38556 +#ifdef CONFIG_GRKERNSEC_EXECLOG
38557 + char *grarg = gr_exec_arg_buf;
38558 + unsigned int i, x, execlen = 0;
38561 + if (!((grsec_enable_execlog && grsec_enable_group &&
38562 + in_group_p(grsec_audit_gid))
38563 + || (grsec_enable_execlog && !grsec_enable_group)))
38566 + down(&gr_exec_arg_sem);
38567 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
38569 + if (unlikely(argv == NULL))
38572 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
38573 + const char __user *p;
38574 + unsigned int len;
38576 + if (copy_from_user(&p, argv + i, sizeof(p)))
38580 + len = strnlen_user(p, 128 - execlen);
38581 + if (len > 128 - execlen)
38582 + len = 128 - execlen;
38583 + else if (len > 0)
38585 + if (copy_from_user(grarg + execlen, p, len))
38588 + /* rewrite unprintable characters */
38589 + for (x = 0; x < len; x++) {
38590 + c = *(grarg + execlen + x);
38591 + if (c < 32 || c > 126)
38592 + *(grarg + execlen + x) = ' ';
38596 + *(grarg + execlen) = ' ';
38597 + *(grarg + execlen + 1) = '\0';
38602 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
38603 + bprm->file->f_path.mnt, grarg);
38604 + up(&gr_exec_arg_sem);
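Review bot: In gr_handle_exec_args the audited string is built from a fresh read of user memory (`copy_from_user(&p, argv + i, sizeof(p))`, then `strnlen_user` and `copy_from_user` on `p`), so the logged arguments are not guaranteed to match what the new image receives. The copy the exec path makes for the new program is outside this hunk, so that gap is inferred; it would open if the memory changes between the two reads. The record is also ambiguous for later analysis: unprintable bytes are rewritten to spaces, arguments are joined with a space, and the 128-byte cut-off leaves no truncation marker. At minimum add a comment above the loop, e.g. `/* best-effort: argv is re-read from userspace and capped at 128 bytes; the log may differ from the arguments actually executed */`, and consider logging from the kernel's own copy of the arguments instead. Several lines of the function are missing from this listing, so its error paths were not reviewed.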
38608 diff -urNp linux-2.6.33.1/grsecurity/grsec_fifo.c linux-2.6.33.1/grsecurity/grsec_fifo.c
38609 --- linux-2.6.33.1/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
38610 +++ linux-2.6.33.1/grsecurity/grsec_fifo.c 2010-03-20 16:58:41.892922620 -0400
38612 +#include <linux/kernel.h>
38613 +#include <linux/sched.h>
38614 +#include <linux/fs.h>
38615 +#include <linux/file.h>
38616 +#include <linux/grinternal.h>
38619 +gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
38620 + const struct dentry *dir, const int flag, const int acc_mode)
38622 +#ifdef CONFIG_GRKERNSEC_FIFO
38623 + const struct cred *cred = current_cred();
38625 + if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
38626 + !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
38627 + (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
38628 + (cred->fsuid != dentry->d_inode->i_uid)) {
38629 + if (!generic_permission(dentry->d_inode, acc_mode, NULL))
38630 + gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
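Review bot: The `if (!generic_permission(dentry->d_inode, acc_mode, NULL))` test that gates the `gr_log_fs_int2` call in gr_handle_fifo carries no comment, and the negation is easy to misread. generic_permission returns 0 when access is allowed, so the alert is emitted only when ordinary DAC would have granted the open. I would add `/* only log when DAC alone would have allowed the open */` above it, plus a short header comment stating the policy (a FIFO in a sticky directory, not owned by the directory owner or by the opener's fsuid, opened without O_EXCL). The function's return statements are not visible in this listing, so whether the denial itself also depends on this check could not be confirmed.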
38636 diff -urNp linux-2.6.33.1/grsecurity/grsec_fork.c linux-2.6.33.1/grsecurity/grsec_fork.c
38637 --- linux-2.6.33.1/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500
38638 +++ linux-2.6.33.1/grsecurity/grsec_fork.c 2010-03-20 16:58:41.892922620 -0400
38640 +#include <linux/kernel.h>
38641 +#include <linux/sched.h>
38642 +#include <linux/grsecurity.h>
38643 +#include <linux/grinternal.h>
38644 +#include <linux/errno.h>
38647 +gr_log_forkfail(const int retval)
38649 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
38650 + if (grsec_enable_forkfail && retval != -ERESTARTNOINTR)
38651 + gr_log_int(GR_DONT_AUDIT, GR_FAILFORK_MSG, retval);
38655 diff -urNp linux-2.6.33.1/grsecurity/grsec_init.c linux-2.6.33.1/grsecurity/grsec_init.c
38656 --- linux-2.6.33.1/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
38657 +++ linux-2.6.33.1/grsecurity/grsec_init.c 2010-03-20 17:00:48.140865901 -0400
38659 +#include <linux/kernel.h>
38660 +#include <linux/sched.h>
38661 +#include <linux/mm.h>
38662 +#include <linux/smp_lock.h>
38663 +#include <linux/gracl.h>
38664 +#include <linux/slab.h>
38665 +#include <linux/vmalloc.h>
38666 +#include <linux/percpu.h>
38668 +int grsec_enable_link;
38669 +int grsec_enable_dmesg;
38670 +int grsec_enable_harden_ptrace;
38671 +int grsec_enable_fifo;
38672 +int grsec_enable_execve;
38673 +int grsec_enable_execlog;
38674 +int grsec_enable_signal;
38675 +int grsec_enable_forkfail;
38676 +int grsec_enable_audit_ptrace;
38677 +int grsec_enable_time;
38678 +int grsec_enable_audit_textrel;
38679 +int grsec_enable_group;
38680 +int grsec_audit_gid;
38681 +int grsec_enable_chdir;
38682 +int grsec_enable_mount;
38683 +int grsec_enable_rofs;
38684 +int grsec_enable_chroot_findtask;
38685 +int grsec_enable_chroot_mount;
38686 +int grsec_enable_chroot_shmat;
38687 +int grsec_enable_chroot_fchdir;
38688 +int grsec_enable_chroot_double;
38689 +int grsec_enable_chroot_pivot;
38690 +int grsec_enable_chroot_chdir;
38691 +int grsec_enable_chroot_chmod;
38692 +int grsec_enable_chroot_mknod;
38693 +int grsec_enable_chroot_nice;
38694 +int grsec_enable_chroot_execlog;
38695 +int grsec_enable_chroot_caps;
38696 +int grsec_enable_chroot_sysctl;
38697 +int grsec_enable_chroot_unix;
38698 +int grsec_enable_tpe;
38699 +int grsec_tpe_gid;
38700 +int grsec_enable_blackhole;
38701 +int grsec_lastack_retries;
38702 +int grsec_enable_tpe_all;
38703 +int grsec_enable_socket_all;
38704 +int grsec_socket_all_gid;
38705 +int grsec_enable_socket_client;
38706 +int grsec_socket_client_gid;
38707 +int grsec_enable_socket_server;
38708 +int grsec_socket_server_gid;
38709 +int grsec_resource_logging;
38712 +DEFINE_SPINLOCK(grsec_alert_lock);
38713 +unsigned long grsec_alert_wtime = 0;
38714 +unsigned long grsec_alert_fyet = 0;
38716 +DEFINE_SPINLOCK(grsec_audit_lock);
38718 +DEFINE_RWLOCK(grsec_exec_file_lock);
38720 +char *gr_shared_page[4];
38722 +char *gr_alert_log_fmt;
38723 +char *gr_audit_log_fmt;
38724 +char *gr_alert_log_buf;
38725 +char *gr_audit_log_buf;
38727 +extern struct gr_arg *gr_usermode;
38728 +extern unsigned char *gr_system_salt;
38729 +extern unsigned char *gr_system_sum;
38732 +grsecurity_init(void)
38735 + /* create the per-cpu shared pages */
38738 + memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
38741 + for (j = 0; j < 4; j++) {
38742 + gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
38743 + if (gr_shared_page[j] == NULL) {
38744 + panic("Unable to allocate grsecurity shared page");
38749 + /* allocate log buffers */
38750 + gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
38751 + if (!gr_alert_log_fmt) {
38752 + panic("Unable to allocate grsecurity alert log format buffer");
38755 + gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
38756 + if (!gr_audit_log_fmt) {
38757 + panic("Unable to allocate grsecurity audit log format buffer");
38760 + gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
38761 + if (!gr_alert_log_buf) {
38762 + panic("Unable to allocate grsecurity alert log buffer");
38765 + gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
38766 + if (!gr_audit_log_buf) {
38767 + panic("Unable to allocate grsecurity audit log buffer");
38771 + /* allocate memory for authentication structure */
38772 + gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
38773 + gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
38774 + gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
38776 + if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
38777 + panic("Unable to allocate grsecurity authentication structure");
38781 +#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
38782 +#ifndef CONFIG_GRKERNSEC_SYSCTL
38785 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
38786 + grsec_enable_audit_textrel = 1;
38788 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
38789 + grsec_enable_group = 1;
38790 + grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
38792 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
38793 + grsec_enable_chdir = 1;
38795 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
38796 + grsec_enable_harden_ptrace = 1;
38798 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
38799 + grsec_enable_mount = 1;
38801 +#ifdef CONFIG_GRKERNSEC_LINK
38802 + grsec_enable_link = 1;
38804 +#ifdef CONFIG_GRKERNSEC_DMESG
38805 + grsec_enable_dmesg = 1;
38807 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
38808 + grsec_enable_blackhole = 1;
38809 + grsec_lastack_retries = 4;
38811 +#ifdef CONFIG_GRKERNSEC_FIFO
38812 + grsec_enable_fifo = 1;
38814 +#ifdef CONFIG_GRKERNSEC_EXECVE
38815 + grsec_enable_execve = 1;
38817 +#ifdef CONFIG_GRKERNSEC_EXECLOG
38818 + grsec_enable_execlog = 1;
38820 +#ifdef CONFIG_GRKERNSEC_SIGNAL
38821 + grsec_enable_signal = 1;
38823 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
38824 + grsec_enable_forkfail = 1;
38826 +#ifdef CONFIG_GRKERNSEC_TIME
38827 + grsec_enable_time = 1;
38829 +#ifdef CONFIG_GRKERNSEC_RESLOG
38830 + grsec_resource_logging = 1;
38832 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
38833 + grsec_enable_chroot_findtask = 1;
38835 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
38836 + grsec_enable_chroot_unix = 1;
38838 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
38839 + grsec_enable_chroot_mount = 1;
38841 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
38842 + grsec_enable_chroot_fchdir = 1;
38844 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
38845 + grsec_enable_chroot_shmat = 1;
38847 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
38848 + grsec_enable_audit_ptrace = 1;
38850 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
38851 + grsec_enable_chroot_double = 1;
38853 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
38854 + grsec_enable_chroot_pivot = 1;
38856 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
38857 + grsec_enable_chroot_chdir = 1;
38859 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
38860 + grsec_enable_chroot_chmod = 1;
38862 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
38863 + grsec_enable_chroot_mknod = 1;
38865 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
38866 + grsec_enable_chroot_nice = 1;
38868 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
38869 + grsec_enable_chroot_execlog = 1;
38871 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
38872 + grsec_enable_chroot_caps = 1;
38874 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
38875 + grsec_enable_chroot_sysctl = 1;
38877 +#ifdef CONFIG_GRKERNSEC_TPE
38878 + grsec_enable_tpe = 1;
38879 + grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
38880 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
38881 + grsec_enable_tpe_all = 1;
38884 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
38885 + grsec_enable_socket_all = 1;
38886 + grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
38888 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
38889 + grsec_enable_socket_client = 1;
38890 + grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
38892 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
38893 + grsec_enable_socket_server = 1;
38894 + grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
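Review bot: `memset((char *)(0x41a + PAGE_OFFSET), 0, 36);` in grsecurity_init writes to a fixed low-memory address with bare magic numbers, and the only nearby comment ("create the per-cpu shared pages") does not describe it. The offset and length look like the PC BIOS data area keyboard buffer (head and tail pointers plus the 32-byte ring), presumably cleared so keystrokes typed before boot do not linger in memory. Please confirm and document it, e.g. `/* clear the BIOS keyboard buffer so pre-boot keystrokes (boot passwords) are not left in low memory */`, ideally with named constants for the offset and size. That address only has this meaning on PC-style x86 firmware, and any architecture guard around the line is not visible in this listing, so check that one is present.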
38900 diff -urNp linux-2.6.33.1/grsecurity/grsec_link.c linux-2.6.33.1/grsecurity/grsec_link.c
38901 --- linux-2.6.33.1/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
38902 +++ linux-2.6.33.1/grsecurity/grsec_link.c 2010-03-20 16:58:41.892922620 -0400
38904 +#include <linux/kernel.h>
38905 +#include <linux/sched.h>
38906 +#include <linux/fs.h>
38907 +#include <linux/file.h>
38908 +#include <linux/grinternal.h>
38911 +gr_handle_follow_link(const struct inode *parent,
38912 + const struct inode *inode,
38913 + const struct dentry *dentry, const struct vfsmount *mnt)
38915 +#ifdef CONFIG_GRKERNSEC_LINK
38916 + const struct cred *cred = current_cred();
38918 + if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
38919 + (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
38920 + (parent->i_mode & S_IWOTH) && (cred->fsuid != inode->i_uid)) {
38921 + gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
38929 +gr_handle_hardlink(const struct dentry *dentry,
38930 + const struct vfsmount *mnt,
38931 + struct inode *inode, const int mode, const char *to)
38933 +#ifdef CONFIG_GRKERNSEC_LINK
38934 + const struct cred *cred = current_cred();
38936 + if (grsec_enable_link && cred->fsuid != inode->i_uid &&
38937 + (!S_ISREG(mode) || (mode & S_ISUID) ||
38938 + ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
38939 + (generic_permission(inode, MAY_READ | MAY_WRITE, NULL))) &&
38940 + !capable(CAP_FOWNER) && cred->uid) {
38941 + gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
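Review bot: In gr_handle_hardlink the exemption `!capable(CAP_FOWNER) && cred->uid` lets any task whose real uid is 0 skip the restriction even when it does not hold CAP_FOWNER, while the ownership test at the top of the same condition uses `cred->fsuid`. If the capability rather than the uid number is meant to grant the exemption, the condition should end in `!capable(CAP_FOWNER)) {`, so that root tasks running with a reduced capability set are still covered. If the uid exemption is deliberate, say so in a comment and write it as `cred->uid != 0`. The `generic_permission(inode, MAY_READ | MAY_WRITE, NULL)` term also deserves a short comment, since a non-zero return there means access is denied. The function's return statements are not visible in this listing.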
38947 diff -urNp linux-2.6.33.1/grsecurity/grsec_log.c linux-2.6.33.1/grsecurity/grsec_log.c
38948 --- linux-2.6.33.1/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
38949 +++ linux-2.6.33.1/grsecurity/grsec_log.c 2010-03-20 16:58:41.892922620 -0400
38951 +#include <linux/kernel.h>
38952 +#include <linux/sched.h>
38953 +#include <linux/file.h>
38954 +#include <linux/tty.h>
38955 +#include <linux/fs.h>
38956 +#include <linux/grinternal.h>
38958 +#define BEGIN_LOCKS(x) \
38959 + rcu_read_lock(); \
38960 + read_lock(&tasklist_lock); \
38961 + read_lock(&grsec_exec_file_lock); \
38962 + if (x != GR_DO_AUDIT) \
38963 + spin_lock(&grsec_alert_lock); \
38965 + spin_lock(&grsec_audit_lock)
38967 +#define END_LOCKS(x) \
38968 + if (x != GR_DO_AUDIT) \
38969 + spin_unlock(&grsec_alert_lock); \
38971 + spin_unlock(&grsec_audit_lock); \
38972 + read_unlock(&grsec_exec_file_lock); \
38973 + read_unlock(&tasklist_lock); \
38974 + rcu_read_unlock(); \
38975 + if (x == GR_DONT_AUDIT) \
38976 + gr_handle_alertkill(current)
38983 +extern char *gr_alert_log_fmt;
38984 +extern char *gr_audit_log_fmt;
38985 +extern char *gr_alert_log_buf;
38986 +extern char *gr_audit_log_buf;
38988 +static int gr_log_start(int audit)
38990 + char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
38991 + char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
38992 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
38994 + if (audit == GR_DO_AUDIT)
38997 + if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) {
38998 + grsec_alert_wtime = jiffies;
38999 + grsec_alert_fyet = 0;
39000 + } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
39001 + grsec_alert_fyet++;
39002 + } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
39003 + grsec_alert_wtime = jiffies;
39004 + grsec_alert_fyet++;
39005 + printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
39007 + } else return FLOODING;
39010 + memset(buf, 0, PAGE_SIZE);
39011 + if (current->signal->curr_ip && gr_acl_is_enabled()) {
39012 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: (%.64s:%c:%.950s) ");
39013 + snprintf(buf, PAGE_SIZE - 1, fmt, ¤t->signal->curr_ip, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
39014 + } else if (current->signal->curr_ip) {
39015 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: ");
39016 + snprintf(buf, PAGE_SIZE - 1, fmt, ¤t->signal->curr_ip);
39017 + } else if (gr_acl_is_enabled()) {
39018 + sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
39019 + snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
39021 + sprintf(fmt, "%s%s", loglevel, "grsec: ");
39022 + strcpy(buf, fmt);
39025 + return NO_FLOODING;
39028 +static void gr_log_middle(int audit, const char *msg, va_list ap)
39029 + __attribute__ ((format (printf, 2, 0)));
39031 +static void gr_log_middle(int audit, const char *msg, va_list ap)
39033 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
39034 + unsigned int len = strlen(buf);
39036 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
39041 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
39042 + __attribute__ ((format (printf, 2, 3)));
39044 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
39046 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
39047 + unsigned int len = strlen(buf);
39050 + va_start(ap, msg);
39051 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
39057 +static void gr_log_end(int audit)
39059 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
39060 + unsigned int len = strlen(buf);
39062 + snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current, current_cred(), __task_cred(current->parent)));
39063 + printk("%s\n", buf);
39068 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
39071 + char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
39072 + char *str1, *str2, *str3;
39075 + unsigned long ulong1, ulong2;
39076 + struct dentry *dentry;
39077 + struct vfsmount *mnt;
39078 + struct file *file;
39079 + struct task_struct *task;
39080 + const struct cred *cred, *pcred;
39083 + BEGIN_LOCKS(audit);
39084 + logtype = gr_log_start(audit);
39085 + if (logtype == FLOODING) {
39086 + END_LOCKS(audit);
39089 + va_start(ap, argtypes);
39090 + switch (argtypes) {
39091 + case GR_TTYSNIFF:
39092 + task = va_arg(ap, struct task_struct *);
39093 + gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->parent->comm, task->parent->pid);
39095 + case GR_SYSCTL_HIDDEN:
39096 + str1 = va_arg(ap, char *);
39097 + gr_log_middle_varargs(audit, msg, result, str1);
39100 + dentry = va_arg(ap, struct dentry *);
39101 + mnt = va_arg(ap, struct vfsmount *);
39102 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
39104 + case GR_RBAC_STR:
39105 + dentry = va_arg(ap, struct dentry *);
39106 + mnt = va_arg(ap, struct vfsmount *);
39107 + str1 = va_arg(ap, char *);
39108 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
39110 + case GR_STR_RBAC:
39111 + str1 = va_arg(ap, char *);
39112 + dentry = va_arg(ap, struct dentry *);
39113 + mnt = va_arg(ap, struct vfsmount *);
39114 + gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
39116 + case GR_RBAC_MODE2:
39117 + dentry = va_arg(ap, struct dentry *);
39118 + mnt = va_arg(ap, struct vfsmount *);
39119 + str1 = va_arg(ap, char *);
39120 + str2 = va_arg(ap, char *);
39121 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
39123 + case GR_RBAC_MODE3:
39124 + dentry = va_arg(ap, struct dentry *);
39125 + mnt = va_arg(ap, struct vfsmount *);
39126 + str1 = va_arg(ap, char *);
39127 + str2 = va_arg(ap, char *);
39128 + str3 = va_arg(ap, char *);
39129 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
39131 + case GR_FILENAME:
39132 + dentry = va_arg(ap, struct dentry *);
39133 + mnt = va_arg(ap, struct vfsmount *);
39134 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
39136 + case GR_STR_FILENAME:
39137 + str1 = va_arg(ap, char *);
39138 + dentry = va_arg(ap, struct dentry *);
39139 + mnt = va_arg(ap, struct vfsmount *);
39140 + gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
39142 + case GR_FILENAME_STR:
39143 + dentry = va_arg(ap, struct dentry *);
39144 + mnt = va_arg(ap, struct vfsmount *);
39145 + str1 = va_arg(ap, char *);
39146 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
39148 + case GR_FILENAME_TWO_INT:
39149 + dentry = va_arg(ap, struct dentry *);
39150 + mnt = va_arg(ap, struct vfsmount *);
39151 + num1 = va_arg(ap, int);
39152 + num2 = va_arg(ap, int);
39153 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
39155 + case GR_FILENAME_TWO_INT_STR:
39156 + dentry = va_arg(ap, struct dentry *);
39157 + mnt = va_arg(ap, struct vfsmount *);
39158 + num1 = va_arg(ap, int);
39159 + num2 = va_arg(ap, int);
39160 + str1 = va_arg(ap, char *);
39161 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
39164 + file = va_arg(ap, struct file *);
39165 + ulong1 = va_arg(ap, unsigned long);
39166 + ulong2 = va_arg(ap, unsigned long);
39167 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2);
39170 + task = va_arg(ap, struct task_struct *);
39171 + gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task->pid);
39173 + case GR_RESOURCE:
39174 + task = va_arg(ap, struct task_struct *);
39175 + cred = __task_cred(task);
39176 + pcred = __task_cred(task->parent);
39177 + ulong1 = va_arg(ap, unsigned long);
39178 + str1 = va_arg(ap, char *);
39179 + ulong2 = va_arg(ap, unsigned long);
39180 + gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
39183 + task = va_arg(ap, struct task_struct *);
39184 + cred = __task_cred(task);
39185 + pcred = __task_cred(task->parent);
39186 + str1 = va_arg(ap, char *);
39187 + gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
39190 + str1 = va_arg(ap, char *);
39191 + voidptr = va_arg(ap, void *);
39192 + gr_log_middle_varargs(audit, msg, str1, voidptr);
39195 + task = va_arg(ap, struct task_struct *);
39196 + cred = __task_cred(task);
39197 + pcred = __task_cred(task->parent);
39198 + num1 = va_arg(ap, int);
39199 + gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath0(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
39202 + task = va_arg(ap, struct task_struct *);
39203 + cred = __task_cred(task);
39204 + pcred = __task_cred(task->parent);
39205 + ulong1 = va_arg(ap, unsigned long);
39206 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, cred->uid, ulong1);
39209 + task = va_arg(ap, struct task_struct *);
39210 + cred = __task_cred(task);
39211 + pcred = __task_cred(task->parent);
39212 + ulong1 = va_arg(ap, unsigned long);
39213 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, ulong1);
39217 + unsigned int wday, cday;
39221 + char cur_tty[64] = { 0 };
39222 + char parent_tty[64] = { 0 };
39224 + task = va_arg(ap, struct task_struct *);
39225 + wday = va_arg(ap, unsigned int);
39226 + cday = va_arg(ap, unsigned int);
39227 + whr = va_arg(ap, int);
39228 + chr = va_arg(ap, int);
39229 + wmin = va_arg(ap, int);
39230 + cmin = va_arg(ap, int);
39231 + wsec = va_arg(ap, int);
39232 + csec = va_arg(ap, int);
39233 + ulong1 = va_arg(ap, unsigned long);
39234 + cred = __task_cred(task);
39235 + pcred = __task_cred(task->parent);
39237 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, &task->signal->curr_ip, tty_name(task->signal->tty, cur_tty), cred->uid, cred->euid, cred->gid, cred->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, &task->parent->signal->curr_ip, tty_name(task->parent->signal->tty, parent_tty), pcred->uid, pcred->euid, pcred->gid, pcred->egid);
39241 + gr_log_middle(audit, msg, ap);
39244 + gr_log_end(audit);
39245 + END_LOCKS(audit);
39247 diff -urNp linux-2.6.33.1/grsecurity/grsec_mem.c linux-2.6.33.1/grsecurity/grsec_mem.c
39248 --- linux-2.6.33.1/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
39249 +++ linux-2.6.33.1/grsecurity/grsec_mem.c 2010-03-20 16:58:41.892922620 -0400
39251 +#include <linux/kernel.h>
39252 +#include <linux/sched.h>
39253 +#include <linux/mm.h>
39254 +#include <linux/mman.h>
39255 +#include <linux/grinternal.h>
39258 +gr_handle_ioperm(void)
39260 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
39265 +gr_handle_iopl(void)
39267 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
39272 +gr_handle_mem_write(void)
39274 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_WRITE_MSG);
39279 +gr_handle_kmem_write(void)
39281 + gr_log_noargs(GR_DONT_AUDIT, GR_KMEM_MSG);
39286 +gr_handle_open_port(void)
39288 + gr_log_noargs(GR_DONT_AUDIT, GR_PORT_OPEN_MSG);
39293 +gr_handle_mem_mmap(const unsigned long offset, struct vm_area_struct *vma)
39295 + unsigned long start, end;
39298 + end = start + vma->vm_end - vma->vm_start;
39300 + if (start > end) {
39301 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
39305 + /* allowed ranges : ISA I/O BIOS */
39306 + if ((start >= __pa(high_memory))
39307 +#if defined(CONFIG_X86) || defined(CONFIG_PPC)
39308 + || (start >= 0x000a0000 && end <= 0x00100000)
39309 + || (start >= 0x00000000 && end <= 0x00001000)
39314 + if (vma->vm_flags & VM_WRITE) {
39315 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
39318 + vma->vm_flags &= ~VM_MAYWRITE;
39324 +gr_log_nonroot_mod_load(const char *modname)
39326 + gr_log_str(GR_DONT_AUDIT, GR_NONROOT_MODLOAD_MSG, modname);
39331 +gr_handle_vm86(void)
39333 + gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
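Review bot: In gr_handle_mem_mmap the test `start >= 0x00000000` is always true for an `unsigned long`, so the second allowed window is decided by `end <= 0x00001000` alone; writing it as `|| (end <= 0x00001000)` states what is actually checked. The two windows are bare constants under a terse `ISA I/O BIOS` comment, and a comment such as `/* legacy 640K-1M hole and the first physical page */` would tell a reader why exactly these ranges stay mappable. Parts of the function body are not shown on the page, so the return paths are not reviewed here.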
39336 diff -urNp linux-2.6.33.1/grsecurity/grsec_mount.c linux-2.6.33.1/grsecurity/grsec_mount.c
39337 --- linux-2.6.33.1/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
39338 +++ linux-2.6.33.1/grsecurity/grsec_mount.c 2010-03-20 16:58:41.892922620 -0400
39340 +#include <linux/kernel.h>
39341 +#include <linux/sched.h>
39342 +#include <linux/mount.h>
39343 +#include <linux/grsecurity.h>
39344 +#include <linux/grinternal.h>
39347 +gr_log_remount(const char *devname, const int retval)
39349 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
39350 + if (grsec_enable_mount && (retval >= 0))
39351 + gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
39357 +gr_log_unmount(const char *devname, const int retval)
39359 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
39360 + if (grsec_enable_mount && (retval >= 0))
39361 + gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
39367 +gr_log_mount(const char *from, const char *to, const int retval)
39369 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
39370 + if (grsec_enable_mount && (retval >= 0))
39371 + gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from, to);
39377 +gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
39379 +#ifdef CONFIG_GRKERNSEC_ROFS
39380 + if (grsec_enable_rofs && !(mnt_flags & MNT_READONLY)) {
39381 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
39390 +gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
39392 +#ifdef CONFIG_GRKERNSEC_ROFS
39393 + if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
39394 + dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
39395 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
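Review bot: gr_log_mount passes `from` and `to` straight to gr_log_str_str, while gr_log_remount and gr_log_unmount in the same file substitute `"none"` for a NULL device name. If a mount can reach this hook without a source name (the callers are not visible here), the audit record would depend on how the formatter treats a NULL string. Using `from ? from : "none"`, and the same for `to`, would keep the three audit messages consistent.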
39402 diff -urNp linux-2.6.33.1/grsecurity/grsec_ptrace.c linux-2.6.33.1/grsecurity/grsec_ptrace.c
39403 --- linux-2.6.33.1/grsecurity/grsec_ptrace.c 1969-12-31 19:00:00.000000000 -0500
39404 +++ linux-2.6.33.1/grsecurity/grsec_ptrace.c 2010-03-20 16:58:41.892922620 -0400
39406 +#include <linux/kernel.h>
39407 +#include <linux/sched.h>
39408 +#include <linux/grinternal.h>
39409 +#include <linux/grsecurity.h>
39412 +gr_audit_ptrace(struct task_struct *task)
39414 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
39415 + if (grsec_enable_audit_ptrace)
39416 + gr_log_ptrace(GR_DO_AUDIT, GR_PTRACE_AUDIT_MSG, task);
39420 diff -urNp linux-2.6.33.1/grsecurity/grsec_sig.c linux-2.6.33.1/grsecurity/grsec_sig.c
39421 --- linux-2.6.33.1/grsecurity/grsec_sig.c 1969-12-31 19:00:00.000000000 -0500
39422 +++ linux-2.6.33.1/grsecurity/grsec_sig.c 2010-03-20 16:58:41.892922620 -0400
39424 +#include <linux/kernel.h>
39425 +#include <linux/sched.h>
39426 +#include <linux/delay.h>
39427 +#include <linux/grsecurity.h>
39428 +#include <linux/grinternal.h>
39430 +char *signames[] = {
39431 + [SIGSEGV] = "Segmentation fault",
39432 + [SIGILL] = "Illegal instruction",
39433 + [SIGABRT] = "Abort",
39434 + [SIGBUS] = "Invalid alignment/Bus error"
39438 +gr_log_signal(const int sig, const void *addr, const struct task_struct *t)
39440 +#ifdef CONFIG_GRKERNSEC_SIGNAL
39441 + if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
39442 + (sig == SIGABRT) || (sig == SIGBUS))) {
39443 + if (t->pid == current->pid) {
39444 + gr_log_sig_addr(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, signames[sig], addr);
39446 + gr_log_sig_task(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
39454 +gr_handle_signal(const struct task_struct *p, const int sig)
39456 +#ifdef CONFIG_GRKERNSEC
39457 + if (current->pid > 1 && gr_check_protected_task(p)) {
39458 + gr_log_sig_task(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
39460 + } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
39467 +void gr_handle_brute_attach(struct task_struct *p)
39469 +#ifdef CONFIG_GRKERNSEC_BRUTE
39470 + read_lock(&tasklist_lock);
39471 + read_lock(&grsec_exec_file_lock);
39472 + if (p->parent && p->parent->exec_file == p->exec_file)
39473 + p->parent->brute = 1;
39474 + read_unlock(&grsec_exec_file_lock);
39475 + read_unlock(&tasklist_lock);
39480 +void gr_handle_brute_check(void)
39482 +#ifdef CONFIG_GRKERNSEC_BRUTE
39483 + if (current->brute)
39484 + msleep(30 * 1000);
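Review bot: `char *signames[]` is a writable table with external linkage and a very generic name, although the only use shown is the lookup in gr_log_signal. Unless another file references it, `static const char * const signames[] = {` keeps it out of the kernel's global namespace and lets it sit in read-only data; the parameter type of gr_log_sig_addr may need a matching `const`. The lookup `signames[sig]` is in bounds only because the surrounding condition restricts `sig` to the four initialised indices, which deserves a one-line comment next to the table.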
39489 diff -urNp linux-2.6.33.1/grsecurity/grsec_sock.c linux-2.6.33.1/grsecurity/grsec_sock.c
39490 --- linux-2.6.33.1/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
39491 +++ linux-2.6.33.1/grsecurity/grsec_sock.c 2010-03-20 16:58:41.892922620 -0400
39493 +#include <linux/kernel.h>
39494 +#include <linux/module.h>
39495 +#include <linux/sched.h>
39496 +#include <linux/file.h>
39497 +#include <linux/net.h>
39498 +#include <linux/in.h>
39499 +#include <linux/ip.h>
39500 +#include <net/sock.h>
39501 +#include <net/inet_sock.h>
39502 +#include <linux/grsecurity.h>
39503 +#include <linux/grinternal.h>
39504 +#include <linux/gracl.h>
39506 +kernel_cap_t gr_cap_rtnetlink(struct sock *sock);
39507 +EXPORT_SYMBOL(gr_cap_rtnetlink);
39509 +extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
39510 +extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
39512 +EXPORT_SYMBOL(gr_search_udp_recvmsg);
39513 +EXPORT_SYMBOL(gr_search_udp_sendmsg);
39515 +#ifdef CONFIG_UNIX_MODULE
39516 +EXPORT_SYMBOL(gr_acl_handle_unix);
39517 +EXPORT_SYMBOL(gr_acl_handle_mknod);
39518 +EXPORT_SYMBOL(gr_handle_chroot_unix);
39519 +EXPORT_SYMBOL(gr_handle_create);
39522 +#ifdef CONFIG_GRKERNSEC
39523 +#define gr_conn_table_size 32749
39524 +struct conn_table_entry {
39525 + struct conn_table_entry *next;
39526 + struct signal_struct *sig;
39529 +struct conn_table_entry *gr_conn_table[gr_conn_table_size];
39530 +DEFINE_SPINLOCK(gr_conn_table_lock);
39532 +extern const char * gr_socktype_to_name(unsigned char type);
39533 +extern const char * gr_proto_to_name(unsigned char proto);
39535 +static __inline__ int
39536 +conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
39538 + return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
39541 +static __inline__ int
39542 +conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
39543 + __u16 sport, __u16 dport)
39545 + if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
39546 + sig->gr_sport == sport && sig->gr_dport == dport))
39552 +static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
39554 + struct conn_table_entry **match;
39555 + unsigned int index;
39557 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
39558 + sig->gr_sport, sig->gr_dport,
39559 + gr_conn_table_size);
39561 + newent->sig = sig;
39563 + match = &gr_conn_table[index];
39564 + newent->next = *match;
39570 +static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
39572 + struct conn_table_entry *match, *last = NULL;
39573 + unsigned int index;
39575 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
39576 + sig->gr_sport, sig->gr_dport,
39577 + gr_conn_table_size);
39579 + match = gr_conn_table[index];
39580 + while (match && !conn_match(match->sig,
39581 + sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
39582 + sig->gr_dport)) {
39584 + match = match->next;
39589 + last->next = match->next;
39591 + gr_conn_table[index] = NULL;
39598 +static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
39599 + __u16 sport, __u16 dport)
39601 + struct conn_table_entry *match;
39602 + unsigned int index;
39604 + index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
39606 + match = gr_conn_table[index];
39607 + while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
39608 + match = match->next;
39611 + return match->sig;
39618 +void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
39620 +#ifdef CONFIG_GRKERNSEC
39621 + struct signal_struct *sig = task->signal;
39622 + struct conn_table_entry *newent;
39624 + newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
39625 + if (newent == NULL)
39627 + /* no bh lock needed since we are called with bh disabled */
39628 + spin_lock(&gr_conn_table_lock);
39629 + gr_del_task_from_ip_table_nolock(sig);
39630 + sig->gr_saddr = inet->inet_rcv_saddr;
39631 + sig->gr_daddr = inet->inet_daddr;
39632 + sig->gr_sport = inet->inet_sport;
39633 + sig->gr_dport = inet->inet_dport;
39634 + gr_add_to_task_ip_table_nolock(sig, newent);
39635 + spin_unlock(&gr_conn_table_lock);
39640 +void gr_del_task_from_ip_table(struct task_struct *task)
39642 +#ifdef CONFIG_GRKERNSEC
39643 + spin_lock_bh(&gr_conn_table_lock);
39644 + gr_del_task_from_ip_table_nolock(task->signal);
39645 + spin_unlock_bh(&gr_conn_table_lock);
39651 +gr_attach_curr_ip(const struct sock *sk)
39653 +#ifdef CONFIG_GRKERNSEC
39654 + struct signal_struct *p, *set;
39655 + const struct inet_sock *inet = inet_sk(sk);
39657 + if (unlikely(sk->sk_protocol != IPPROTO_TCP))
39660 + set = current->signal;
39662 + spin_lock_bh(&gr_conn_table_lock);
39663 + p = gr_lookup_task_ip_table(inet->inet_daddr, inet->inet_rcv_saddr,
39664 + inet->inet_dport, inet->inet_sport);
39665 + if (unlikely(p != NULL)) {
39666 + set->curr_ip = p->curr_ip;
39667 + set->used_accept = 1;
39668 + gr_del_task_from_ip_table_nolock(p);
39669 + spin_unlock_bh(&gr_conn_table_lock);
39672 + spin_unlock_bh(&gr_conn_table_lock);
39674 + set->curr_ip = inet->inet_daddr;
39675 + set->used_accept = 1;
39681 +gr_handle_sock_all(const int family, const int type, const int protocol)
39683 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
39684 + if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
39685 + (family != AF_UNIX) && (family != AF_LOCAL)) {
39686 + gr_log_int_str2(GR_DONT_AUDIT, GR_SOCK2_MSG, family, gr_socktype_to_name(type), gr_proto_to_name(protocol));
39694 +gr_handle_sock_server(const struct sockaddr *sck)
39696 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
39697 + if (grsec_enable_socket_server &&
39698 + in_group_p(grsec_socket_server_gid) &&
39699 + sck && (sck->sa_family != AF_UNIX) &&
39700 + (sck->sa_family != AF_LOCAL)) {
39701 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
39709 +gr_handle_sock_server_other(const struct sock *sck)
39711 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
39712 + if (grsec_enable_socket_server &&
39713 + in_group_p(grsec_socket_server_gid) &&
39714 + sck && (sck->sk_family != AF_UNIX) &&
39715 + (sck->sk_family != AF_LOCAL)) {
39716 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
39724 +gr_handle_sock_client(const struct sockaddr *sck)
39726 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
39727 + if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
39728 + sck && (sck->sa_family != AF_UNIX) &&
39729 + (sck->sa_family != AF_LOCAL)) {
39730 + gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
39738 +gr_cap_rtnetlink(struct sock *sock)
39740 +#ifdef CONFIG_GRKERNSEC
39741 + if (!gr_acl_is_enabled())
39742 + return current_cap();
39743 + else if (sock->sk_protocol == NETLINK_ISCSI &&
39744 + cap_raised(current_cap(), CAP_SYS_ADMIN) &&
39745 + gr_is_capable(CAP_SYS_ADMIN))
39746 + return current_cap();
39747 + else if (sock->sk_protocol == NETLINK_AUDIT &&
39748 + cap_raised(current_cap(), CAP_AUDIT_WRITE) &&
39749 + gr_is_capable(CAP_AUDIT_WRITE) &&
39750 + cap_raised(current_cap(), CAP_AUDIT_CONTROL) &&
39751 + gr_is_capable(CAP_AUDIT_CONTROL))
39752 + return current_cap();
39753 + else if (cap_raised(current_cap(), CAP_NET_ADMIN) &&
39754 + ((sock->sk_protocol == NETLINK_ROUTE) ?
39755 + gr_is_capable_nolog(CAP_NET_ADMIN) :
39756 + gr_is_capable(CAP_NET_ADMIN)))
39757 + return current_cap();
39759 + return __cap_empty_set;
39761 + return current_cap();
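Review bot: In conn_hash, `dport << 16` shifts a `__u16` that has been promoted to `int`, so a port of 0x8000 or above shifts into the sign bit, which is formally undefined; casting first, `((__u32)sport << 8) + ((__u32)dport << 16)`, keeps the arithmetic unsigned. Separately, gr_del_task_from_ip_table_nolock shows `gr_conn_table[index] = NULL;` right after `last->next = match->next;`. If that assignment is the branch that removes the first entry of a bucket (the lines in between are not on the page), any entries chained behind it would be dropped from the table, and `gr_conn_table[index] = match->next;` would be the safer form.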
39764 diff -urNp linux-2.6.33.1/grsecurity/grsec_sysctl.c linux-2.6.33.1/grsecurity/grsec_sysctl.c
39765 --- linux-2.6.33.1/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
39766 +++ linux-2.6.33.1/grsecurity/grsec_sysctl.c 2010-03-20 17:08:11.436987044 -0400
39768 +#include <linux/kernel.h>
39769 +#include <linux/sched.h>
39770 +#include <linux/sysctl.h>
39771 +#include <linux/grsecurity.h>
39772 +#include <linux/grinternal.h>
39775 +gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
39777 +#ifdef CONFIG_GRKERNSEC_SYSCTL
39778 + if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
39779 + gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
39786 +#ifdef CONFIG_GRKERNSEC_ROFS
39787 +static int __maybe_unused one = 1;
39790 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
39791 +ctl_table grsecurity_table[] = {
39792 +#ifdef CONFIG_GRKERNSEC_SYSCTL
39793 +#ifdef CONFIG_GRKERNSEC_LINK
39795 + .procname = "linking_restrictions",
39796 + .data = &grsec_enable_link,
39797 + .maxlen = sizeof(int),
39799 + .proc_handler = &proc_dointvec,
39802 +#ifdef CONFIG_GRKERNSEC_FIFO
39804 + .procname = "fifo_restrictions",
39805 + .data = &grsec_enable_fifo,
39806 + .maxlen = sizeof(int),
39808 + .proc_handler = &proc_dointvec,
39811 +#ifdef CONFIG_GRKERNSEC_EXECVE
39813 + .procname = "execve_limiting",
39814 + .data = &grsec_enable_execve,
39815 + .maxlen = sizeof(int),
39817 + .proc_handler = &proc_dointvec,
39820 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
39822 + .procname = "ip_blackhole",
39823 + .data = &grsec_enable_blackhole,
39824 + .maxlen = sizeof(int),
39826 + .proc_handler = &proc_dointvec,
39829 + .procname = "lastack_retries",
39830 + .data = &grsec_lastack_retries,
39831 + .maxlen = sizeof(int),
39833 + .proc_handler = &proc_dointvec,
39836 +#ifdef CONFIG_GRKERNSEC_EXECLOG
39838 + .procname = "exec_logging",
39839 + .data = &grsec_enable_execlog,
39840 + .maxlen = sizeof(int),
39842 + .proc_handler = &proc_dointvec,
39845 +#ifdef CONFIG_GRKERNSEC_SIGNAL
39847 + .procname = "signal_logging",
39848 + .data = &grsec_enable_signal,
39849 + .maxlen = sizeof(int),
39851 + .proc_handler = &proc_dointvec,
39854 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
39856 + .procname = "forkfail_logging",
39857 + .data = &grsec_enable_forkfail,
39858 + .maxlen = sizeof(int),
39860 + .proc_handler = &proc_dointvec,
39863 +#ifdef CONFIG_GRKERNSEC_TIME
39865 + .procname = "timechange_logging",
39866 + .data = &grsec_enable_time,
39867 + .maxlen = sizeof(int),
39869 + .proc_handler = &proc_dointvec,
39872 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
39874 + .procname = "chroot_deny_shmat",
39875 + .data = &grsec_enable_chroot_shmat,
39876 + .maxlen = sizeof(int),
39878 + .proc_handler = &proc_dointvec,
39881 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
39883 + .procname = "chroot_deny_unix",
39884 + .data = &grsec_enable_chroot_unix,
39885 + .maxlen = sizeof(int),
39887 + .proc_handler = &proc_dointvec,
39890 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
39892 + .procname = "chroot_deny_mount",
39893 + .data = &grsec_enable_chroot_mount,
39894 + .maxlen = sizeof(int),
39896 + .proc_handler = &proc_dointvec,
39899 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
39901 + .procname = "chroot_deny_fchdir",
39902 + .data = &grsec_enable_chroot_fchdir,
39903 + .maxlen = sizeof(int),
39905 + .proc_handler = &proc_dointvec,
39908 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
39910 + .procname = "chroot_deny_chroot",
39911 + .data = &grsec_enable_chroot_double,
39912 + .maxlen = sizeof(int),
39914 + .proc_handler = &proc_dointvec,
39917 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
39919 + .procname = "chroot_deny_pivot",
39920 + .data = &grsec_enable_chroot_pivot,
39921 + .maxlen = sizeof(int),
39923 + .proc_handler = &proc_dointvec,
39926 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
39928 + .procname = "chroot_enforce_chdir",
39929 + .data = &grsec_enable_chroot_chdir,
39930 + .maxlen = sizeof(int),
39932 + .proc_handler = &proc_dointvec,
39935 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
39937 + .procname = "chroot_deny_chmod",
39938 + .data = &grsec_enable_chroot_chmod,
39939 + .maxlen = sizeof(int),
39941 + .proc_handler = &proc_dointvec,
39944 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
39946 + .procname = "chroot_deny_mknod",
39947 + .data = &grsec_enable_chroot_mknod,
39948 + .maxlen = sizeof(int),
39950 + .proc_handler = &proc_dointvec,
39953 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
39955 + .procname = "chroot_restrict_nice",
39956 + .data = &grsec_enable_chroot_nice,
39957 + .maxlen = sizeof(int),
39959 + .proc_handler = &proc_dointvec,
39962 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
39964 + .procname = "chroot_execlog",
39965 + .data = &grsec_enable_chroot_execlog,
39966 + .maxlen = sizeof(int),
39968 + .proc_handler = &proc_dointvec,
39971 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
39973 + .procname = "chroot_caps",
39974 + .data = &grsec_enable_chroot_caps,
39975 + .maxlen = sizeof(int),
39977 + .proc_handler = &proc_dointvec,
39980 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
39982 + .procname = "chroot_deny_sysctl",
39983 + .data = &grsec_enable_chroot_sysctl,
39984 + .maxlen = sizeof(int),
39986 + .proc_handler = &proc_dointvec,
39989 +#ifdef CONFIG_GRKERNSEC_TPE
39991 + .procname = "tpe",
39992 + .data = &grsec_enable_tpe,
39993 + .maxlen = sizeof(int),
39995 + .proc_handler = &proc_dointvec,
39998 + .procname = "tpe_gid",
39999 + .data = &grsec_tpe_gid,
40000 + .maxlen = sizeof(int),
40002 + .proc_handler = &proc_dointvec,
40005 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
40007 + .procname = "tpe_restrict_all",
40008 + .data = &grsec_enable_tpe_all,
40009 + .maxlen = sizeof(int),
40011 + .proc_handler = &proc_dointvec,
40014 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
40016 + .procname = "socket_all",
40017 + .data = &grsec_enable_socket_all,
40018 + .maxlen = sizeof(int),
40020 + .proc_handler = &proc_dointvec,
40023 + .procname = "socket_all_gid",
40024 + .data = &grsec_socket_all_gid,
40025 + .maxlen = sizeof(int),
40027 + .proc_handler = &proc_dointvec,
40030 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
40032 + .procname = "socket_client",
40033 + .data = &grsec_enable_socket_client,
40034 + .maxlen = sizeof(int),
40036 + .proc_handler = &proc_dointvec,
40039 + .procname = "socket_client_gid",
40040 + .data = &grsec_socket_client_gid,
40041 + .maxlen = sizeof(int),
40043 + .proc_handler = &proc_dointvec,
40046 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
40048 + .procname = "socket_server",
40049 + .data = &grsec_enable_socket_server,
40050 + .maxlen = sizeof(int),
40052 + .proc_handler = &proc_dointvec,
40055 + .procname = "socket_server_gid",
40056 + .data = &grsec_socket_server_gid,
40057 + .maxlen = sizeof(int),
40059 + .proc_handler = &proc_dointvec,
40062 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
40064 + .procname = "audit_group",
40065 + .data = &grsec_enable_group,
40066 + .maxlen = sizeof(int),
40068 + .proc_handler = &proc_dointvec,
40071 + .procname = "audit_gid",
40072 + .data = &grsec_audit_gid,
40073 + .maxlen = sizeof(int),
40075 + .proc_handler = &proc_dointvec,
40078 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
40080 + .procname = "audit_chdir",
40081 + .data = &grsec_enable_chdir,
40082 + .maxlen = sizeof(int),
40084 + .proc_handler = &proc_dointvec,
40087 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
40089 + .procname = "audit_mount",
40090 + .data = &grsec_enable_mount,
40091 + .maxlen = sizeof(int),
40093 + .proc_handler = &proc_dointvec,
40096 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
40098 + .procname = "audit_textrel",
40099 + .data = &grsec_enable_audit_textrel,
40100 + .maxlen = sizeof(int),
40102 + .proc_handler = &proc_dointvec,
40105 +#ifdef CONFIG_GRKERNSEC_DMESG
40107 + .procname = "dmesg",
40108 + .data = &grsec_enable_dmesg,
40109 + .maxlen = sizeof(int),
40111 + .proc_handler = &proc_dointvec,
40114 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
40116 + .procname = "chroot_findtask",
40117 + .data = &grsec_enable_chroot_findtask,
40118 + .maxlen = sizeof(int),
40120 + .proc_handler = &proc_dointvec,
40123 +#ifdef CONFIG_GRKERNSEC_RESLOG
40125 + .procname = "resource_logging",
40126 + .data = &grsec_resource_logging,
40127 + .maxlen = sizeof(int),
40129 + .proc_handler = &proc_dointvec,
40132 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
40134 + .procname = "audit_ptrace",
40135 + .data = &grsec_enable_audit_ptrace,
40136 + .maxlen = sizeof(int),
40138 + .proc_handler = &proc_dointvec,
40141 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
40143 + .procname = "harden_ptrace",
40144 + .data = &grsec_enable_harden_ptrace,
40145 + .maxlen = sizeof(int),
40147 + .proc_handler = &proc_dointvec,
40151 + .procname = "grsec_lock",
40152 + .data = &grsec_lock,
40153 + .maxlen = sizeof(int),
40155 + .proc_handler = &proc_dointvec,
40158 +#ifdef CONFIG_GRKERNSEC_ROFS
40160 + .procname = "romount_protect",
40161 + .data = &grsec_enable_rofs,
40162 + .maxlen = sizeof(int),
40164 + .proc_handler = &proc_dointvec_minmax,
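Review bot: The gid entries (`tpe_gid`, `socket_all_gid`, `socket_client_gid`, `socket_server_gid`, `audit_gid`) are parsed with `proc_dointvec`, which accepts negative numbers, and the stored value is later handed to in_group_p() in grsec_sock.c and grsec_tpe.c. A lower bound would reject such input at write time: `.proc_handler = &proc_dointvec_minmax,` with `.extra1 = &zero,` and a `static int zero;` beside the existing `one`. The same handler with 0 and 1 as bounds would also suit the on/off flags, where `romount_protect` is the only entry shown using `proc_dointvec_minmax`.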
40172 diff -urNp linux-2.6.33.1/grsecurity/grsec_textrel.c linux-2.6.33.1/grsecurity/grsec_textrel.c
40173 --- linux-2.6.33.1/grsecurity/grsec_textrel.c 1969-12-31 19:00:00.000000000 -0500
40174 +++ linux-2.6.33.1/grsecurity/grsec_textrel.c 2010-03-20 16:58:41.900965882 -0400
40176 +#include <linux/kernel.h>
40177 +#include <linux/sched.h>
40178 +#include <linux/mm.h>
40179 +#include <linux/file.h>
40180 +#include <linux/grinternal.h>
40181 +#include <linux/grsecurity.h>
40184 +gr_log_textrel(struct vm_area_struct * vma)
40186 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
40187 + if (grsec_enable_audit_textrel)
40188 + gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
40192 diff -urNp linux-2.6.33.1/grsecurity/grsec_time.c linux-2.6.33.1/grsecurity/grsec_time.c
40193 --- linux-2.6.33.1/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500
40194 +++ linux-2.6.33.1/grsecurity/grsec_time.c 2010-03-20 16:58:41.900965882 -0400
40196 +#include <linux/kernel.h>
40197 +#include <linux/sched.h>
40198 +#include <linux/grinternal.h>
40201 +gr_log_timechange(void)
40203 +#ifdef CONFIG_GRKERNSEC_TIME
40204 + if (grsec_enable_time)
40205 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
40209 diff -urNp linux-2.6.33.1/grsecurity/grsec_tpe.c linux-2.6.33.1/grsecurity/grsec_tpe.c
40210 --- linux-2.6.33.1/grsecurity/grsec_tpe.c 1969-12-31 19:00:00.000000000 -0500
40211 +++ linux-2.6.33.1/grsecurity/grsec_tpe.c 2010-03-20 16:58:41.900965882 -0400
40213 +#include <linux/kernel.h>
40214 +#include <linux/sched.h>
40215 +#include <linux/file.h>
40216 +#include <linux/fs.h>
40217 +#include <linux/grinternal.h>
40219 +extern int gr_acl_tpe_check(void);
40222 +gr_tpe_allow(const struct file *file)
40224 +#ifdef CONFIG_GRKERNSEC
40225 + struct inode *inode = file->f_path.dentry->d_parent->d_inode;
40226 + const struct cred *cred = current_cred();
40228 + if (cred->uid && ((grsec_enable_tpe &&
40229 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
40230 + !in_group_p(grsec_tpe_gid)
40232 + in_group_p(grsec_tpe_gid)
40234 + ) || gr_acl_tpe_check()) &&
40235 + (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
40236 + (inode->i_mode & S_IWOTH))))) {
40237 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
40240 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
40241 + if (cred->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
40242 + ((inode->i_uid && (inode->i_uid != cred->uid)) ||
40243 + (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
40244 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
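Review bot: gr_tpe_allow reads `file->f_path.dentry->d_parent->d_inode` without taking a reference on the parent dentry, so a concurrent rename could change `d_parent` between that load and the ownership and mode checks that feed the TPE decision. Unless the caller already holds a lock that pins the parent (not visible in this hunk), `parent = dget_parent(file->f_path.dentry);` followed by `inode = parent->d_inode;` and a `dput(parent)` on each return path would make the check operate on a stable directory. The owner test `inode->i_uid || (!inode->i_uid && (...))` also carries a redundant `!inode->i_uid`.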
40251 diff -urNp linux-2.6.33.1/grsecurity/grsum.c linux-2.6.33.1/grsecurity/grsum.c
40252 --- linux-2.6.33.1/grsecurity/grsum.c 1969-12-31 19:00:00.000000000 -0500
40253 +++ linux-2.6.33.1/grsecurity/grsum.c 2010-03-20 16:58:41.900965882 -0400
40255 +#include <linux/err.h>
40256 +#include <linux/kernel.h>
40257 +#include <linux/sched.h>
40258 +#include <linux/mm.h>
40259 +#include <linux/scatterlist.h>
40260 +#include <linux/crypto.h>
40261 +#include <linux/gracl.h>
40264 +#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
40265 +#error "crypto and sha256 must be built into the kernel"
40269 +chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
40272 + struct crypto_hash *tfm;
40273 + struct hash_desc desc;
40274 + struct scatterlist sg;
40275 + unsigned char temp_sum[GR_SHA_LEN];
40276 + volatile int retval = 0;
40277 + volatile int dummy = 0;
40280 + tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
40281 + if (IS_ERR(tfm)) {
40282 + /* should never happen, since sha256 should be built in */
40289 + crypto_hash_init(&desc);
40292 + sg_set_buf(&sg, p, GR_SALT_LEN);
40293 + crypto_hash_update(&desc, &sg, sg.length);
40296 + sg_set_buf(&sg, p, strlen(p));
40298 + crypto_hash_update(&desc, &sg, sg.length);
40300 + crypto_hash_final(&desc, temp_sum);
40302 + memset(entry->pw, 0, GR_PW_LEN);
40304 + for (i = 0; i < GR_SHA_LEN; i++)
40305 + if (sum[i] != temp_sum[i])
40308 + dummy = 1; // waste a cycle
40310 + crypto_free_hash(tfm);
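Review bot: The comparison loop in chkpw branches on every byte (`if (sum[i] != temp_sum[i])`, with `dummy = 1; // waste a cycle` as the alternative), so its timing still depends on which bytes differ and on how the compiler schedules the two `volatile` stores. Accumulating the difference without a branch, `diff |= sum[i] ^ temp_sum[i];`, and deriving the result from `diff` after the loop gives a comparison whose work does not depend on the data. In the lines shown, the return values of the crypto_hash_* calls are not checked and `temp_sum` is not cleared the way `entry->pw` is; failing the check on a hash error and zeroing the buffer before returning would be worth adding.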
40314 diff -urNp linux-2.6.33.1/grsecurity/Kconfig linux-2.6.33.1/grsecurity/Kconfig
40315 --- linux-2.6.33.1/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
40316 +++ linux-2.6.33.1/grsecurity/Kconfig 2010-03-20 17:00:48.140865901 -0400
40319 +# grecurity configuration
40325 + bool "Grsecurity"
40327 + select CRYPTO_SHA256
40329 + If you say Y here, you will be able to configure many features
40330 + that will enhance the security of your system. It is highly
40331 + recommended that you say Y here and read through the help
40332 + for each option so that you fully understand the features and
40333 + can evaluate their usefulness for your machine.
40336 + prompt "Security Level"
40337 + depends on GRKERNSEC
40338 + default GRKERNSEC_CUSTOM
40340 +config GRKERNSEC_LOW
40342 + select GRKERNSEC_LINK
40343 + select GRKERNSEC_FIFO
40344 + select GRKERNSEC_EXECVE
40345 + select GRKERNSEC_RANDNET
40346 + select GRKERNSEC_DMESG
40347 + select GRKERNSEC_CHROOT
40348 + select GRKERNSEC_CHROOT_CHDIR
40351 + If you choose this option, several of the grsecurity options will
40352 + be enabled that will give you greater protection against a number
40353 + of attacks, while assuring that none of your software will have any
40354 + conflicts with the additional security measures. If you run a lot
40355 + of unusual software, or you are having problems with the higher
40356 + security levels, you should say Y here. With this option, the
40357 + following features are enabled:
40359 + - Linking restrictions
40360 + - FIFO restrictions
40361 + - Enforcing RLIMIT_NPROC on execve
40362 + - Restricted dmesg
40363 + - Enforced chdir("/") on chroot
40364 + - Runtime module disabling
40366 +config GRKERNSEC_MEDIUM
40369 + select PAX_EI_PAX
40370 + select PAX_PT_PAX_FLAGS
40371 + select PAX_HAVE_ACL_FLAGS
40372 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
40373 + select GRKERNSEC_CHROOT
40374 + select GRKERNSEC_CHROOT_SYSCTL
40375 + select GRKERNSEC_LINK
40376 + select GRKERNSEC_FIFO
40377 + select GRKERNSEC_EXECVE
40378 + select GRKERNSEC_DMESG
40379 + select GRKERNSEC_RANDNET
40380 + select GRKERNSEC_FORKFAIL
40381 + select GRKERNSEC_TIME
40382 + select GRKERNSEC_SIGNAL
40383 + select GRKERNSEC_CHROOT
40384 + select GRKERNSEC_CHROOT_UNIX
40385 + select GRKERNSEC_CHROOT_MOUNT
40386 + select GRKERNSEC_CHROOT_PIVOT
40387 + select GRKERNSEC_CHROOT_DOUBLE
40388 + select GRKERNSEC_CHROOT_CHDIR
40389 + select GRKERNSEC_CHROOT_MKNOD
40390 + select GRKERNSEC_PROC
40391 + select GRKERNSEC_PROC_USERGROUP
40392 + select PAX_RANDUSTACK
40394 + select PAX_RANDMMAP
40395 + select PAX_REFCOUNT if (X86 || SPARC64)
40396 + select PAX_USERCOPY if ((X86 || SPARC32 || SPARC64 || PPC32 || PPC64) && (SLAB || SLUB || SLOB))
40399 + If you say Y here, several features in addition to those included
40400 + in the low additional security level will be enabled. These
40401 + features provide even more security to your system, though in rare
40402 + cases they may be incompatible with very old or poorly written
40403 + software. If you enable this option, make sure that your auth
40404 + service (identd) is running as gid 1001. With this option,
40405 + the following features (in addition to those provided in the
40406 + low additional security level) will be enabled:
40408 + - Failed fork logging
40409 + - Time change logging
40411 + - Deny mounts in chroot
40412 + - Deny double chrooting
40413 + - Deny sysctl writes in chroot
40414 + - Deny mknod in chroot
40415 + - Deny access to abstract AF_UNIX sockets out of chroot
40416 + - Deny pivot_root in chroot
40417 + - Denied writes of /dev/kmem, /dev/mem, and /dev/port
40418 + - /proc restrictions with special GID set to 10 (usually wheel)
40419 + - Address Space Layout Randomization (ASLR)
40420 + - Prevent exploitation of most refcount overflows
40421 + - Bounds checking of copying between the kernel and userland
40423 +config GRKERNSEC_HIGH
40425 + select GRKERNSEC_LINK
40426 + select GRKERNSEC_FIFO
40427 + select GRKERNSEC_EXECVE
40428 + select GRKERNSEC_DMESG
40429 + select GRKERNSEC_FORKFAIL
40430 + select GRKERNSEC_TIME
40431 + select GRKERNSEC_SIGNAL
40432 + select GRKERNSEC_CHROOT
40433 + select GRKERNSEC_CHROOT_SHMAT
40434 + select GRKERNSEC_CHROOT_UNIX
40435 + select GRKERNSEC_CHROOT_MOUNT
40436 + select GRKERNSEC_CHROOT_FCHDIR
40437 + select GRKERNSEC_CHROOT_PIVOT
40438 + select GRKERNSEC_CHROOT_DOUBLE
40439 + select GRKERNSEC_CHROOT_CHDIR
40440 + select GRKERNSEC_CHROOT_MKNOD
40441 + select GRKERNSEC_CHROOT_CAPS
40442 + select GRKERNSEC_CHROOT_SYSCTL
40443 + select GRKERNSEC_CHROOT_FINDTASK
40444 + select GRKERNSEC_PROC
40445 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
40446 + select GRKERNSEC_HIDESYM
40447 + select GRKERNSEC_BRUTE
40448 + select GRKERNSEC_PROC_USERGROUP
40449 + select GRKERNSEC_KMEM
40450 + select GRKERNSEC_RESLOG
40451 + select GRKERNSEC_RANDNET
40452 + select GRKERNSEC_PROC_ADD
40453 + select GRKERNSEC_CHROOT_CHMOD
40454 + select GRKERNSEC_CHROOT_NICE
40455 + select GRKERNSEC_AUDIT_MOUNT
40456 + select GRKERNSEC_MODHARDEN if (MODULES)
40457 + select GRKERNSEC_HARDEN_PTRACE
40458 + select GRKERNSEC_VM86 if (X86_32)
40460 + select PAX_RANDUSTACK
40462 + select PAX_RANDMMAP
40463 + select PAX_NOEXEC
40464 + select PAX_MPROTECT
40465 + select PAX_EI_PAX
40466 + select PAX_PT_PAX_FLAGS
40467 + select PAX_HAVE_ACL_FLAGS
40468 + select PAX_KERNEXEC if ((PPC32 || PPC64 || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
40469 + select PAX_MEMORY_UDEREF if (X86_32 && !XEN)
40470 + select PAX_RANDKSTACK if (X86_TSC && !X86_64)
40471 + select PAX_SEGMEXEC if (X86_32)
40472 + select PAX_PAGEEXEC
40473 + select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
40474 + select PAX_EMUTRAMP if (PARISC)
40475 + select PAX_EMUSIGRT if (PARISC)
40476 + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
40477 + select PAX_REFCOUNT if (X86 || SPARC64)
40478 + select PAX_USERCOPY if ((X86 || PPC32 || PPC64 || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
40480 + If you say Y here, many of the features of grsecurity will be
40481 + enabled, which will protect you against many kinds of attacks
40482 + against your system. The heightened security comes at a cost
40483 + of an increased chance of incompatibilities with rare software
40484 + on your machine. Since this security level enables PaX, you should
40485 + view <http://pax.grsecurity.net> and read about the PaX
40486 + project. While you are there, download chpax and run it on
40487 + binaries that cause problems with PaX. Also remember that
40488 + since the /proc restrictions are enabled, you must run your
40489 + identd as gid 1001. This security level enables the following
40490 + features in addition to those listed in the low and medium
40493 + - Additional /proc restrictions
40494 + - Chmod restrictions in chroot
40495 + - No signals, ptrace, or viewing of processes outside of chroot
40496 + - Capability restrictions in chroot
40497 + - Deny fchdir out of chroot
40498 + - Priority restrictions in chroot
40499 + - Segmentation-based implementation of PaX
40500 + - Mprotect restrictions
40501 + - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
40502 + - Kernel stack randomization
40503 + - Mount/unmount/remount logging
40504 + - Kernel symbol hiding
40505 + - Prevention of memory exhaustion-based exploits
40506 + - Hardening of module auto-loading
40507 + - Ptrace restrictions
40508 + - Restricted vm86 mode
40510 +config GRKERNSEC_CUSTOM
40513 + If you say Y here, you will be able to configure every grsecurity
40514 + option, which allows you to enable many more features that aren't
40515 + covered in the basic security levels. These additional features
40516 + include TPE, socket restrictions, and the sysctl system for
40517 + grsecurity. It is advised that you read through the help for
40518 + each option to determine its usefulness in your situation.
40522 +menu "Address Space Protection"
40523 +depends on GRKERNSEC
40525 +config GRKERNSEC_KMEM
40526 + bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
40528 + If you say Y here, /dev/kmem and /dev/mem won't be allowed to
40529 + be written to via mmap or otherwise to modify the running kernel.
40530 + /dev/port will also not be allowed to be opened. If you have module
40531 + support disabled, enabling this will close up four ways that are
40532 + currently used to insert malicious code into the running kernel.
40533 + Even with all these features enabled, we still highly recommend that
40534 + you use the RBAC system, as it is still possible for an attacker to
40535 + modify the running kernel through privileged I/O granted by ioperm/iopl.
40536 + If you are not using XFree86, you may be able to stop this additional
40537 + case by enabling the 'Disable privileged I/O' option. Though nothing
40538 + legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
40539 + but only to video memory, which is the only writing we allow in this
40540 + case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
40541 + not be allowed to mprotect it with PROT_WRITE later.
40542 + It is highly recommended that you say Y here if you meet all the
40543 + conditions above.
40545 +config GRKERNSEC_VM86
40546 + bool "Restrict VM86 mode"
40547 + depends on X86_32
40550 + If you say Y here, only processes with CAP_SYS_RAWIO will be able to
40551 + make use of a special execution mode on 32bit x86 processors called
40552 + Virtual 8086 (VM86) mode. XFree86 may need vm86 mode for certain
40553 + video cards and will still work with this option enabled. The purpose
40554 + of the option is to prevent exploitation of emulation errors in
40555 + virtualization of vm86 mode like the one discovered in VMWare in 2009.
40556 + Nearly all users should be able to enable this option.
40558 +config GRKERNSEC_IO
40559 + bool "Disable privileged I/O"
40562 + select RTC_INTF_DEV
40563 + select RTC_DRV_CMOS
40566 + If you say Y here, all ioperm and iopl calls will return an error.
40567 + Ioperm and iopl can be used to modify the running kernel.
40568 + Unfortunately, some programs need this access to operate properly,
40569 + the most notable of which are XFree86 and hwclock. hwclock can be
40570 + remedied by having RTC support in the kernel, so real-time
40571 + clock support is enabled if this option is enabled, to ensure
40572 + that hwclock operates correctly. XFree86 still will not
40573 + operate correctly with this option enabled, so DO NOT CHOOSE Y
40574 + IF YOU USE XFree86. If you use XFree86 and you still want to
40575 + protect your kernel against modification, use the RBAC system.
40577 +config GRKERNSEC_PROC_MEMMAP
40578 + bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
40579 + default y if (PAX_NOEXEC || PAX_ASLR)
40580 + depends on PAX_NOEXEC || PAX_ASLR
40582 + If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
40583 + give no information about the addresses of its mappings if
40584 + PaX features that rely on random addresses are enabled on the task.
40585 + If you use PaX it is greatly recommended that you say Y here as it
40586 + closes up a hole that makes the full ASLR useless for suid
40589 +config GRKERNSEC_BRUTE
40590 + bool "Deter exploit bruteforcing"
40592 + If you say Y here, attempts to bruteforce exploits against forking
40593 + daemons such as apache or sshd will be deterred. When a child of a
40594 + forking daemon is killed by PaX or crashes due to an illegal
40595 + instruction, the parent process will be delayed 30 seconds upon every
40596 + subsequent fork until the administrator is able to assess the
40597 + situation and restart the daemon. It is recommended that you also
40598 + enable signal logging in the auditing section so that logs are
40599 + generated when a process performs an illegal instruction.
40601 +config GRKERNSEC_MODHARDEN
40602 + bool "Harden module auto-loading"
40603 + depends on MODULES
40605 + If you say Y here, module auto-loading in response to use of some
40606 + feature implemented by an unloaded module will be restricted to
40607 + root users. Enabling this option helps defend against attacks
40608 + by unprivileged users who abuse the auto-loading behavior to
40609 + cause a vulnerable module to load that is then exploited.
40611 + If this option prevents a legitimate use of auto-loading for a
40612 + non-root user, the administrator can execute modprobe manually
40613 + with the exact name of the module mentioned in the alert log.
40614 + Alternatively, the administrator can add the module to the list
40615 + of modules loaded at boot by modifying init scripts.
40617 + Modification of init scripts will most likely be needed on
40618 + Ubuntu servers with encrypted home directory support enabled,
40619 + as the first non-root user logging in will cause the ecb(aes),
40620 + ecb(aes)-all, cbc(aes), and cbc(aes)-all modules to be loaded.
40622 +config GRKERNSEC_HIDESYM
40623 + bool "Hide kernel symbols"
40625 + If you say Y here, getting information on loaded modules, and
40626 + displaying all kernel symbols through a syscall will be restricted
40627 + to users with CAP_SYS_MODULE. For software compatibility reasons,
40628 + /proc/kallsyms will be restricted to the root user. The RBAC
40629 + system can hide that entry even from root. Note that this option
40630 + is only effective provided the following conditions are met:
40631 + 1) The kernel using grsecurity is not precompiled by some distribution
40632 + 2) You are using the RBAC system and hiding other files such as your
40633 + kernel image and System.map. Alternatively, enabling this option
40634 + causes the permissions on /boot, /lib/modules, and the kernel
40635 + source directory to change at compile time to prevent
40636 + reading by non-root users.
40637 + If the above conditions are met, this option will aid in providing a
40638 + useful protection against local kernel exploitation of overflows
40639 + and arbitrary read/write vulnerabilities.
40642 +menu "Role Based Access Control Options"
40643 +depends on GRKERNSEC
40645 +config GRKERNSEC_NO_RBAC
40646 + bool "Disable RBAC system"
40648 + If you say Y here, the /dev/grsec device will be removed from the kernel,
40649 + preventing the RBAC system from being enabled. You should only say Y
40650 + here if you have no intention of using the RBAC system, so as to prevent
40651 + an attacker with root access from misusing the RBAC system to hide files
40652 + and processes when loadable module support and /dev/[k]mem have been
40655 +config GRKERNSEC_ACL_HIDEKERN
40656 + bool "Hide kernel processes"
40658 + If you say Y here, all kernel threads will be hidden to all
40659 + processes but those whose subject has the "view hidden processes"
40662 +config GRKERNSEC_ACL_MAXTRIES
40663 + int "Maximum tries before password lockout"
40666 + This option enforces the maximum number of times a user can attempt
40667 + to authorize themselves with the grsecurity RBAC system before being
40668 + denied the ability to attempt authorization again for a specified time.
40669 + The lower the number, the harder it will be to brute-force a password.
40671 +config GRKERNSEC_ACL_TIMEOUT
40672 + int "Time to wait after max password tries, in seconds"
40675 + This option specifies the time the user must wait after attempting to
40676 + authorize to the RBAC system with the maximum number of invalid
40677 + passwords. The higher the number, the harder it will be to brute-force
40681 +menu "Filesystem Protections"
40682 +depends on GRKERNSEC
40684 +config GRKERNSEC_PROC
40685 + bool "Proc restrictions"
40687 + If you say Y here, the permissions of the /proc filesystem
40688 + will be altered to enhance system security and privacy. You MUST
40689 + choose either a user only restriction or a user and group restriction.
40690 + Depending upon the option you choose, you can either restrict users to
40691 + see only the processes they themselves run, or choose a group that can
40692 + view all processes and files normally restricted to root if you choose
40693 + the "restrict to user only" option. NOTE: If you're running identd as
40694 + a non-root user, you will have to run it as the group you specify here.
40696 +config GRKERNSEC_PROC_USER
40697 + bool "Restrict /proc to user only"
40698 + depends on GRKERNSEC_PROC
40700 + If you say Y here, non-root users will only be able to view their own
40701 + processes, and restricts them from viewing network-related information,
40702 + and viewing kernel symbol and module information.
40704 +config GRKERNSEC_PROC_USERGROUP
40705 + bool "Allow special group"
40706 + depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
40708 + If you say Y here, you will be able to select a group that will be
40709 + able to view all processes, network-related information, and
40710 + kernel and symbol information. This option is useful if you want
40711 + to run identd as a non-root user.
40713 +config GRKERNSEC_PROC_GID
40714 + int "GID for special group"
40715 + depends on GRKERNSEC_PROC_USERGROUP
40718 +config GRKERNSEC_PROC_ADD
40719 + bool "Additional restrictions"
40720 + depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
40722 + If you say Y here, additional restrictions will be placed on
40723 + /proc that keep normal users from viewing device information and
40724 + slabinfo information that could be useful for exploits.
40726 +config GRKERNSEC_LINK
40727 + bool "Linking restrictions"
40729 + If you say Y here, /tmp race exploits will be prevented, since users
40730 + will no longer be able to follow symlinks owned by other users in
40731 + world-writable +t directories (i.e. /tmp), unless the owner of the
40732 + symlink is the owner of the directory. users will also not be
40733 + able to hardlink to files they do not own. If the sysctl option is
40734 + enabled, a sysctl option with name "linking_restrictions" is created.
40736 +config GRKERNSEC_FIFO
40737 + bool "FIFO restrictions"
40739 + If you say Y here, users will not be able to write to FIFOs they don't
40740 + own in world-writable +t directories (i.e. /tmp), unless the owner of
40741 + the FIFO is the same owner of the directory it's held in. If the sysctl
40742 + option is enabled, a sysctl option with name "fifo_restrictions" is
40745 +config GRKERNSEC_ROFS
40746 + bool "Runtime read-only mount protection"
40748 + If you say Y here, a sysctl option with name "romount_protect" will
40749 + be created. By setting this option to 1 at runtime, filesystems
40750 + will be protected in the following ways:
40751 + * No new writable mounts will be allowed
40752 + * Existing read-only mounts won't be able to be remounted read/write
40753 + * Write operations will be denied on all block devices
40754 + This option acts independently of grsec_lock: once it is set to 1,
40755 + it cannot be turned off. Therefore, please be mindful of the resulting
40756 + behavior if this option is enabled in an init script on a read-only
40757 + filesystem. This feature is mainly intended for secure embedded systems.
40759 +config GRKERNSEC_CHROOT
40760 + bool "Chroot jail restrictions"
40762 + If you say Y here, you will be able to choose several options that will
40763 + make breaking out of a chrooted jail much more difficult. If you
40764 + encounter no software incompatibilities with the following options, it
40765 + is recommended that you enable each one.
40767 +config GRKERNSEC_CHROOT_MOUNT
40768 + bool "Deny mounts"
40769 + depends on GRKERNSEC_CHROOT
40771 + If you say Y here, processes inside a chroot will not be able to
40772 + mount or remount filesystems. If the sysctl option is enabled, a
40773 + sysctl option with name "chroot_deny_mount" is created.
40775 +config GRKERNSEC_CHROOT_DOUBLE
40776 + bool "Deny double-chroots"
40777 + depends on GRKERNSEC_CHROOT
40779 + If you say Y here, processes inside a chroot will not be able to chroot
40780 + again outside the chroot. This is a widely used method of breaking
40781 + out of a chroot jail and should not be allowed. If the sysctl
40782 + option is enabled, a sysctl option with name
40783 + "chroot_deny_chroot" is created.
40785 +config GRKERNSEC_CHROOT_PIVOT
40786 + bool "Deny pivot_root in chroot"
40787 + depends on GRKERNSEC_CHROOT
40789 + If you say Y here, processes inside a chroot will not be able to use
40790 + a function called pivot_root() that was introduced in Linux 2.3.41. It
40791 + works similar to chroot in that it changes the root filesystem. This
40792 + function could be misused in a chrooted process to attempt to break out
40793 + of the chroot, and therefore should not be allowed. If the sysctl
40794 + option is enabled, a sysctl option with name "chroot_deny_pivot" is
40797 +config GRKERNSEC_CHROOT_CHDIR
40798 + bool "Enforce chdir(\"/\") on all chroots"
40799 + depends on GRKERNSEC_CHROOT
40801 + If you say Y here, the current working directory of all newly-chrooted
40802 + applications will be set to the the root directory of the chroot.
40803 + The man page on chroot(2) states:
40804 + Note that this call does not change the current working
40805 + directory, so that `.' can be outside the tree rooted at
40806 + `/'. In particular, the super-user can escape from a
40807 + `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
40809 + It is recommended that you say Y here, since it's not known to break
40810 + any software. If the sysctl option is enabled, a sysctl option with
40811 + name "chroot_enforce_chdir" is created.
40813 +config GRKERNSEC_CHROOT_CHMOD
40814 + bool "Deny (f)chmod +s"
40815 + depends on GRKERNSEC_CHROOT
40817 + If you say Y here, processes inside a chroot will not be able to chmod
40818 + or fchmod files to make them have suid or sgid bits. This protects
40819 + against another published method of breaking a chroot. If the sysctl
40820 + option is enabled, a sysctl option with name "chroot_deny_chmod" is
40823 +config GRKERNSEC_CHROOT_FCHDIR
40824 + bool "Deny fchdir out of chroot"
40825 + depends on GRKERNSEC_CHROOT
40827 + If you say Y here, a well-known method of breaking chroots by fchdir'ing
40828 + to a file descriptor of the chrooting process that points to a directory
40829 + outside the filesystem will be stopped. If the sysctl option
40830 + is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
40832 +config GRKERNSEC_CHROOT_MKNOD
40833 + bool "Deny mknod"
40834 + depends on GRKERNSEC_CHROOT
40836 + If you say Y here, processes inside a chroot will not be allowed to
40837 + mknod. The problem with using mknod inside a chroot is that it
40838 + would allow an attacker to create a device entry that is the same
40839 + as one on the physical root of your system, which could range from
40840 + anything from the console device to a device for your harddrive (which
40841 + they could then use to wipe the drive or steal data). It is recommended
40842 + that you say Y here, unless you run into software incompatibilities.
40843 + If the sysctl option is enabled, a sysctl option with name
40844 + "chroot_deny_mknod" is created.
40846 +config GRKERNSEC_CHROOT_SHMAT
40847 + bool "Deny shmat() out of chroot"
40848 + depends on GRKERNSEC_CHROOT
40850 + If you say Y here, processes inside a chroot will not be able to attach
40851 + to shared memory segments that were created outside of the chroot jail.
40852 + It is recommended that you say Y here. If the sysctl option is enabled,
40853 + a sysctl option with name "chroot_deny_shmat" is created.
40855 +config GRKERNSEC_CHROOT_UNIX
40856 + bool "Deny access to abstract AF_UNIX sockets out of chroot"
40857 + depends on GRKERNSEC_CHROOT
40859 + If you say Y here, processes inside a chroot will not be able to
40860 + connect to abstract (meaning not belonging to a filesystem) Unix
40861 + domain sockets that were bound outside of a chroot. It is recommended
40862 + that you say Y here. If the sysctl option is enabled, a sysctl option
40863 + with name "chroot_deny_unix" is created.
40865 +config GRKERNSEC_CHROOT_FINDTASK
40866 + bool "Protect outside processes"
40867 + depends on GRKERNSEC_CHROOT
40869 + If you say Y here, processes inside a chroot will not be able to
40870 + kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
40871 + getsid, or view any process outside of the chroot. If the sysctl
40872 + option is enabled, a sysctl option with name "chroot_findtask" is
40875 +config GRKERNSEC_CHROOT_NICE
40876 + bool "Restrict priority changes"
40877 + depends on GRKERNSEC_CHROOT
40879 + If you say Y here, processes inside a chroot will not be able to raise
40880 + the priority of processes in the chroot, or alter the priority of
40881 + processes outside the chroot. This provides more security than simply
40882 + removing CAP_SYS_NICE from the process' capability set. If the
40883 + sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
40886 +config GRKERNSEC_CHROOT_SYSCTL
40887 + bool "Deny sysctl writes"
40888 + depends on GRKERNSEC_CHROOT
40890 + If you say Y here, an attacker in a chroot will not be able to
40891 + write to sysctl entries, either by sysctl(2) or through a /proc
40892 + interface. It is strongly recommended that you say Y here. If the
40893 + sysctl option is enabled, a sysctl option with name
40894 + "chroot_deny_sysctl" is created.
40896 +config GRKERNSEC_CHROOT_CAPS
40897 + bool "Capability restrictions"
40898 + depends on GRKERNSEC_CHROOT
40900 + If you say Y here, the capabilities on all root processes within a
40901 + chroot jail will be lowered to stop module insertion, raw i/o,
40902 + system and net admin tasks, rebooting the system, modifying immutable
40903 + files, modifying IPC owned by another, and changing the system time.
40904 + This is left an option because it can break some apps. Disable this
40905 + if your chrooted apps are having problems performing those kinds of
40906 + tasks. If the sysctl option is enabled, a sysctl option with
40907 + name "chroot_caps" is created.
40910 +menu "Kernel Auditing"
40911 +depends on GRKERNSEC
40913 +config GRKERNSEC_AUDIT_GROUP
40914 + bool "Single group for auditing"
40916 + If you say Y here, the exec, chdir, and (un)mount logging features
40917 + will only operate on a group you specify. This option is recommended
40918 + if you only want to watch certain users instead of having a large
40919 + amount of logs from the entire system. If the sysctl option is enabled,
40920 + a sysctl option with name "audit_group" is created.
40922 +config GRKERNSEC_AUDIT_GID
40923 + int "GID for auditing"
40924 + depends on GRKERNSEC_AUDIT_GROUP
40927 +config GRKERNSEC_EXECLOG
40928 + bool "Exec logging"
40930 + If you say Y here, all execve() calls will be logged (since the
40931 + other exec*() calls are frontends to execve(), all execution
40932 + will be logged). Useful for shell-servers that like to keep track
40933 + of their users. If the sysctl option is enabled, a sysctl option with
40934 + name "exec_logging" is created.
40935 + WARNING: This option when enabled will produce a LOT of logs, especially
40936 + on an active system.
40938 +config GRKERNSEC_RESLOG
40939 + bool "Resource logging"
40941 + If you say Y here, all attempts to overstep resource limits will
40942 + be logged with the resource name, the requested size, and the current
40943 + limit. It is highly recommended that you say Y here. If the sysctl
40944 + option is enabled, a sysctl option with name "resource_logging" is
40945 + created. If the RBAC system is enabled, the sysctl value is ignored.
40947 +config GRKERNSEC_CHROOT_EXECLOG
40948 + bool "Log execs within chroot"
40950 + If you say Y here, all executions inside a chroot jail will be logged
40951 + to syslog. This can cause a large amount of logs if certain
40952 + applications (eg. djb's daemontools) are installed on the system, and
40953 + is therefore left as an option. If the sysctl option is enabled, a
40954 + sysctl option with name "chroot_execlog" is created.
40956 +config GRKERNSEC_AUDIT_PTRACE
40957 + bool "Ptrace logging"
40959 + If you say Y here, all attempts to attach to a process via ptrace
40960 + will be logged. If the sysctl option is enabled, a sysctl option
40961 + with name "audit_ptrace" is created.
40963 +config GRKERNSEC_AUDIT_CHDIR
40964 + bool "Chdir logging"
40966 + If you say Y here, all chdir() calls will be logged. If the sysctl
40967 + option is enabled, a sysctl option with name "audit_chdir" is created.
40969 +config GRKERNSEC_AUDIT_MOUNT
40970 + bool "(Un)Mount logging"
40972 + If you say Y here, all mounts and unmounts will be logged. If the
40973 + sysctl option is enabled, a sysctl option with name "audit_mount" is
40976 +config GRKERNSEC_SIGNAL
40977 + bool "Signal logging"
40979 + If you say Y here, certain important signals will be logged, such as
40980 + SIGSEGV, which will as a result inform you of when a error in a program
40981 + occurred, which in some cases could mean a possible exploit attempt.
40982 + If the sysctl option is enabled, a sysctl option with name
40983 + "signal_logging" is created.
40985 +config GRKERNSEC_FORKFAIL
40986 + bool "Fork failure logging"
40988 + If you say Y here, all failed fork() attempts will be logged.
40989 + This could suggest a fork bomb, or someone attempting to overstep
40990 + their process limit. If the sysctl option is enabled, a sysctl option
40991 + with name "forkfail_logging" is created.
40993 +config GRKERNSEC_TIME
40994 + bool "Time change logging"
40996 + If you say Y here, any changes of the system clock will be logged.
40997 + If the sysctl option is enabled, a sysctl option with name
40998 + "timechange_logging" is created.
41000 +config GRKERNSEC_PROC_IPADDR
41001 + bool "/proc/<pid>/ipaddr support"
41003 + If you say Y here, a new entry will be added to each /proc/<pid>
41004 + directory that contains the IP address of the person using the task.
41005 + The IP is carried across local TCP and AF_UNIX stream sockets.
41006 + This information can be useful for IDS/IPSes to perform remote response
41007 + to a local attack. The entry is readable by only the owner of the
41008 + process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
41009 + the RBAC system), and thus does not create privacy concerns.
41011 +config GRKERNSEC_AUDIT_TEXTREL
41012 + bool 'ELF text relocations logging (READ HELP)'
41013 + depends on PAX_MPROTECT
41015 + If you say Y here, text relocations will be logged with the filename
41016 + of the offending library or binary. The purpose of the feature is
41017 + to help Linux distribution developers get rid of libraries and
41018 + binaries that need text relocations which hinder the future progress
41019 + of PaX. Only Linux distribution developers should say Y here, and
41020 + never on a production machine, as this option creates an information
41021 + leak that could aid an attacker in defeating the randomization of
41022 + a single memory region. If the sysctl option is enabled, a sysctl
41023 + option with name "audit_textrel" is created.
41027 +menu "Executable Protections"
41028 +depends on GRKERNSEC
41030 +config GRKERNSEC_EXECVE
41031 + bool "Enforce RLIMIT_NPROC on execs"
41033 + If you say Y here, users with a resource limit on processes will
41034 + have the value checked during execve() calls. The current system
41035 + only checks the system limit during fork() calls. If the sysctl option
41036 + is enabled, a sysctl option with name "execve_limiting" is created.
41038 +config GRKERNSEC_DMESG
41039 + bool "Dmesg(8) restriction"
41041 + If you say Y here, non-root users will not be able to use dmesg(8)
41042 + to view up to the last 4kb of messages in the kernel's log buffer.
41043 + If the sysctl option is enabled, a sysctl option with name "dmesg" is
41046 +config GRKERNSEC_HARDEN_PTRACE
41047 + bool "Deter ptrace-based process snooping"
41049 + If you say Y here, TTY sniffers and other malicious monitoring
41050 + programs implemented through ptrace will be defeated. If you
41051 + have been using the RBAC system, this option has already been
41052 + enabled for several years for all users, with the ability to make
41053 + fine-grained exceptions.
41055 + This option only affects the ability of non-root users to ptrace
41056 + processes that are not a descendent of the ptracing process.
41057 + This means that strace ./binary and gdb ./binary will still work,
41058 + but attaching to arbitrary processes will not. If the sysctl
41059 + option is enabled, a sysctl option with name "harden_ptrace" is
41062 +config GRKERNSEC_TPE
41063 + bool "Trusted Path Execution (TPE)"
41065 + If you say Y here, you will be able to choose a gid to add to the
41066 + supplementary groups of users you want to mark as "untrusted."
41067 + These users will not be able to execute any files that are not in
41068 + root-owned directories writable only by root. If the sysctl option
41069 + is enabled, a sysctl option with name "tpe" is created.
41071 +config GRKERNSEC_TPE_ALL
41072 + bool "Partially restrict non-root users"
41073 + depends on GRKERNSEC_TPE
41075 + If you say Y here, All non-root users other than the ones in the
41076 + group specified in the main TPE option will only be allowed to
41077 + execute files in directories they own that are not group or
41078 + world-writable, or in directories owned by root and writable only by
41079 + root. If the sysctl option is enabled, a sysctl option with name
41080 + "tpe_restrict_all" is created.
41082 +config GRKERNSEC_TPE_INVERT
41083 + bool "Invert GID option"
41084 + depends on GRKERNSEC_TPE
41086 + If you say Y here, the group you specify in the TPE configuration will
41087 + decide what group TPE restrictions will be *disabled* for. This
41088 + option is useful if you want TPE restrictions to be applied to most
41089 + users on the system.
41091 +config GRKERNSEC_TPE_GID
41092 + int "GID for untrusted users"
41093 + depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
41096 + If you have selected the "Invert GID option" above, setting this
41097 + GID determines what group TPE restrictions will be *disabled* for.
41098 + If you have not selected the "Invert GID option" above, setting this
41099 + GID determines what group TPE restrictions will be *enabled* for.
41100 + If the sysctl option is enabled, a sysctl option with name "tpe_gid"
41103 +config GRKERNSEC_TPE_GID
41104 + int "GID for trusted users"
41105 + depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
41108 + If you have selected the "Invert GID option" above, setting this
41109 + GID determines what group TPE restrictions will be *disabled* for.
41110 + If you have not selected the "Invert GID option" above, setting this
41111 + GID determines what group TPE restrictions will be *enabled* for.
41112 + If the sysctl option is enabled, a sysctl option with name "tpe_gid"
41116 +menu "Network Protections"
41117 +depends on GRKERNSEC
41119 +config GRKERNSEC_RANDNET
41120 + bool "Larger entropy pools"
41122 + If you say Y here, the entropy pools used for many features of Linux
41123 + and grsecurity will be doubled in size. Since several grsecurity
41124 + features use additional randomness, it is recommended that you say Y
41125 + here. Saying Y here has a similar effect as modifying
41126 + /proc/sys/kernel/random/poolsize.
41128 +config GRKERNSEC_BLACKHOLE
41129 + bool "TCP/UDP blackhole and LAST_ACK DoS prevention"
41131 + If you say Y here, neither TCP resets nor ICMP
41132 + destination-unreachable packets will be sent in response to packets
41133 + send to ports for which no associated listening process exists.
41134 + This feature supports both IPV4 and IPV6 and exempts the
41135 + loopback interface from blackholing. Enabling this feature
41136 + makes a host more resilient to DoS attacks and reduces network
41137 + visibility against scanners.
41139 + The blackhole feature as-implemented is equivalent to the FreeBSD
41140 + blackhole feature, as prevents RST responses to all packets, not
41141 + just SYNs. Under most application behavior this causes no
41142 + problems, but applications (like haproxy) may not close certain
41143 + connections in a way that cleanly terminates them on the remote
41144 + end, leaving the remote host in LAST_ACK state. Because of this
41145 + side-effect and to prevent intentional LAST_ACK DoSes, this
41146 + feature also adds automatic mitigation against such attacks.
41147 + The mitigation drastically reduces the amount of time a socket
41148 + can spend in LAST_ACK state. If you're using haproxy and not
41149 + all servers it connects to have this option enabled, consider
41150 + disabling this feature on the haproxy host.
41152 + If this option is enabled, two sysctl options with names
41153 + "ip_blackhole" and "lastack_retries" will be created.
41154 + While "ip_blackhole" takes the standard zero/non-zero on/off
41155 + toggle, "lastack_retries" uses the same kinds of values as
41156 + "tcp_retries1" and "tcp_retries2". The default value of 4
41157 + prevents a socket from lasting more than 45 seconds in LAST_ACK
41160 +config GRKERNSEC_SOCKET
41161 + bool "Socket restrictions"
41163 + If you say Y here, you will be able to choose from several options.
41164 + If you assign a GID on your system and add it to the supplementary
41165 + groups of users you want to restrict socket access to, this patch
41166 + will perform up to three things, based on the option(s) you choose.
41168 +config GRKERNSEC_SOCKET_ALL
41169 + bool "Deny any sockets to group"
41170 + depends on GRKERNSEC_SOCKET
41172 + If you say Y here, you will be able to choose a GID of whose users will
41173 + be unable to connect to other hosts from your machine or run server
41174 + applications from your machine. If the sysctl option is enabled, a
41175 + sysctl option with name "socket_all" is created.
41177 +config GRKERNSEC_SOCKET_ALL_GID
41178 + int "GID to deny all sockets for"
41179 + depends on GRKERNSEC_SOCKET_ALL
41182 + Here you can choose the GID to disable socket access for. Remember to
41183 + add the users you want socket access disabled for to the GID
41184 + specified here. If the sysctl option is enabled, a sysctl option
41185 + with name "socket_all_gid" is created.
41187 +config GRKERNSEC_SOCKET_CLIENT
41188 + bool "Deny client sockets to group"
41189 + depends on GRKERNSEC_SOCKET
41191 + If you say Y here, you will be able to choose a GID of whose users will
41192 + be unable to connect to other hosts from your machine, but will be
41193 + able to run servers. If this option is enabled, all users in the group
41194 + you specify will have to use passive mode when initiating ftp transfers
41195 + from the shell on your machine. If the sysctl option is enabled, a
41196 + sysctl option with name "socket_client" is created.
41198 +config GRKERNSEC_SOCKET_CLIENT_GID
41199 + int "GID to deny client sockets for"
41200 + depends on GRKERNSEC_SOCKET_CLIENT
41203 + Here you can choose the GID to disable client socket access for.
41204 + Remember to add the users you want client socket access disabled for to
41205 + the GID specified here. If the sysctl option is enabled, a sysctl
41206 + option with name "socket_client_gid" is created.
41208 +config GRKERNSEC_SOCKET_SERVER
41209 + bool "Deny server sockets to group"
41210 + depends on GRKERNSEC_SOCKET
41212 + If you say Y here, you will be able to choose a GID of whose users will
41213 + be unable to run server applications from your machine. If the sysctl
41214 + option is enabled, a sysctl option with name "socket_server" is created.
41216 +config GRKERNSEC_SOCKET_SERVER_GID
41217 + int "GID to deny server sockets for"
41218 + depends on GRKERNSEC_SOCKET_SERVER
41221 + Here you can choose the GID to disable server socket access for.
41222 + Remember to add the users you want server socket access disabled for to
41223 + the GID specified here. If the sysctl option is enabled, a sysctl
41224 + option with name "socket_server_gid" is created.
41227 +menu "Sysctl support"
41228 +depends on GRKERNSEC && SYSCTL
41230 +config GRKERNSEC_SYSCTL
41231 + bool "Sysctl support"
41233 + If you say Y here, you will be able to change the options that
41234 + grsecurity runs with at bootup, without having to recompile your
41235 + kernel. You can echo values to files in /proc/sys/kernel/grsecurity
41236 + to enable (1) or disable (0) various features. All the sysctl entries
41237 + are mutable until the "grsec_lock" entry is set to a non-zero value.
41238 + All features enabled in the kernel configuration are disabled at boot
41239 + if you do not say Y to the "Turn on features by default" option.
41240 + All options should be set at startup, and the grsec_lock entry should
41241 + be set to a non-zero value after all the options are set.
41242 + *THIS IS EXTREMELY IMPORTANT*
41244 +config GRKERNSEC_SYSCTL_ON
41245 + bool "Turn on features by default"
41246 + depends on GRKERNSEC_SYSCTL
41248 + If you say Y here, instead of having all features enabled in the
41249 + kernel configuration disabled at boot time, the features will be
41250 + enabled at boot time. It is recommended you say Y here unless
41251 + there is some reason you would want all sysctl-tunable features to
41252 + be disabled by default. As mentioned elsewhere, it is important
41253 + to enable the grsec_lock entry once you have finished modifying
41254 + the sysctl entries.
41257 +menu "Logging Options"
41258 +depends on GRKERNSEC
41260 +config GRKERNSEC_FLOODTIME
41261 + int "Seconds in between log messages (minimum)"
41264 + This option allows you to enforce the number of seconds between
41265 + grsecurity log messages. The default should be suitable for most
41266 + people, however, if you choose to change it, choose a value small enough
41267 + to allow informative logs to be produced, but large enough to
41268 + prevent flooding.
41270 +config GRKERNSEC_FLOODBURST
41271 + int "Number of messages in a burst (maximum)"
41274 + This option allows you to choose the maximum number of messages allowed
41275 + within the flood time interval you chose in a separate option. The
41276 + default should be suitable for most people, however if you find that
41277 + many of your logs are being interpreted as flooding, you may want to
41278 + raise this value.
41283 diff -urNp linux-2.6.33.1/grsecurity/Makefile linux-2.6.33.1/grsecurity/Makefile
41284 --- linux-2.6.33.1/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
41285 +++ linux-2.6.33.1/grsecurity/Makefile 2010-03-20 16:58:41.900965882 -0400
41287 +# grsecurity's ACL system was originally written in 2001 by Michael Dalton
41288 +# during 2001-2009 it has been completely redesigned by Brad Spengler
41289 +# into an RBAC system
41291 +# All code in this directory and various hooks inserted throughout the kernel
41292 +# are copyright Brad Spengler - Open Source Security, Inc., and released
41293 +# under the GPL v2 or higher
41295 +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
41296 + grsec_mount.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
41297 + grsec_time.o grsec_tpe.o grsec_link.o grsec_textrel.o grsec_ptrace.o
41299 +obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_ip.o gracl_segv.o \
41300 + gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
41301 + gracl_learn.o grsec_log.o
41302 +obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
41304 +ifndef CONFIG_GRKERNSEC
41305 +obj-y += grsec_disabled.o
41308 +ifdef CONFIG_GRKERNSEC_HIDESYM
41309 +extra-y := grsec_hidesym.o
41310 +$(obj)/grsec_hidesym.o:
41311 + @-chmod -f 500 /boot
41312 + @-chmod -f 500 /lib/modules
41314 + @echo ' grsec: protected kernel image paths'
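Review bot: The `grsec_hidesym.o` recipe changes the mode of `/boot` and `/lib/modules` on the machine that runs the build, and the `@-` prefix hides both the commands and any failure, after which the "protected kernel image paths" message is printed unconditionally. On a non-root, cross or packaging build the chmod calls either fail or harden the build host instead of the target, yet the log still claims protection. I would move the permission change to an install-time step, or at least tie the message to success, e.g. `@-chmod -f 500 /boot /lib/modules && echo ' grsec: protected kernel image paths'`. One recipe line between the second chmod and the echo, and the closing `endif` lines, appear to be missing from this page.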
41316 diff -urNp linux-2.6.33.1/include/acpi/acpi_drivers.h linux-2.6.33.1/include/acpi/acpi_drivers.h
41317 --- linux-2.6.33.1/include/acpi/acpi_drivers.h 2010-03-15 12:09:39.000000000 -0400
41318 +++ linux-2.6.33.1/include/acpi/acpi_drivers.h 2010-03-20 16:58:41.900965882 -0400
41319 @@ -119,8 +119,8 @@ int acpi_processor_set_thermal_limit(acp
41321 -------------------------------------------------------------------------- */
41322 struct acpi_dock_ops {
41323 - acpi_notify_handler handler;
41324 - acpi_notify_handler uevent;
41325 + const acpi_notify_handler handler;
41326 + const acpi_notify_handler uevent;
41329 #if defined(CONFIG_ACPI_DOCK) || defined(CONFIG_ACPI_DOCK_MODULE)
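Review bot: Declaring the members themselves const (`const acpi_notify_handler handler;`) means an `acpi_dock_ops` can only be filled in by an initializer, so any driver that assigns `handler` or `uevent` after allocation stops compiling; those users are outside this header. The `const struct acpi_dock_ops *ops` parameters in the next two hunks already prevent the dock code from writing through the pointer. If the intent is that instances live in read-only data, a comment on the struct such as `/* members are const: instances must be initialised statically */` would record why both qualifiers are needed.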
41330 @@ -128,7 +128,7 @@ extern int is_dock_device(acpi_handle ha
41331 extern int register_dock_notifier(struct notifier_block *nb);
41332 extern void unregister_dock_notifier(struct notifier_block *nb);
41333 extern int register_hotplug_dock_device(acpi_handle handle,
41334 - struct acpi_dock_ops *ops,
41335 + const struct acpi_dock_ops *ops,
41337 extern void unregister_hotplug_dock_device(acpi_handle handle);
41339 @@ -144,7 +144,7 @@ static inline void unregister_dock_notif
41342 static inline int register_hotplug_dock_device(acpi_handle handle,
41343 - struct acpi_dock_ops *ops,
41344 + const struct acpi_dock_ops *ops,
41348 diff -urNp linux-2.6.33.1/include/asm-generic/atomic-long.h linux-2.6.33.1/include/asm-generic/atomic-long.h
41349 --- linux-2.6.33.1/include/asm-generic/atomic-long.h 2010-03-15 12:09:39.000000000 -0400
41350 +++ linux-2.6.33.1/include/asm-generic/atomic-long.h 2010-03-20 16:58:41.900965882 -0400
41353 typedef atomic64_t atomic_long_t;
41355 +#ifdef CONFIG_PAX_REFCOUNT
41356 +typedef atomic64_unchecked_t atomic_long_unchecked_t;
41358 +typedef atomic64_t atomic_long_unchecked_t;
41361 #define ATOMIC_LONG_INIT(i) ATOMIC64_INIT(i)
41363 static inline long atomic_long_read(atomic_long_t *l)
41364 @@ -31,6 +37,15 @@ static inline long atomic_long_read(atom
41365 return (long)atomic64_read(v);
41368 +#ifdef CONFIG_PAX_REFCOUNT
41369 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
41371 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
41373 + return (long)atomic64_read_unchecked(v);
41377 static inline void atomic_long_set(atomic_long_t *l, long i)
41379 atomic64_t *v = (atomic64_t *)l;
41380 @@ -38,6 +53,15 @@ static inline void atomic_long_set(atomi
41381 atomic64_set(v, i);
41384 +#ifdef CONFIG_PAX_REFCOUNT
41385 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
41387 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
41389 + atomic64_set_unchecked(v, i);
41393 static inline void atomic_long_inc(atomic_long_t *l)
41395 atomic64_t *v = (atomic64_t *)l;
41396 @@ -45,6 +69,15 @@ static inline void atomic_long_inc(atomi
41400 +#ifdef CONFIG_PAX_REFCOUNT
41401 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
41403 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
41405 + atomic64_inc_unchecked(v);
41409 static inline void atomic_long_dec(atomic_long_t *l)
41411 atomic64_t *v = (atomic64_t *)l;
41412 @@ -59,6 +92,15 @@ static inline void atomic_long_add(long
41413 atomic64_add(i, v);
41416 +#ifdef CONFIG_PAX_REFCOUNT
41417 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
41419 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
41421 + atomic64_add_unchecked(i, v);
41425 static inline void atomic_long_sub(long i, atomic_long_t *l)
41427 atomic64_t *v = (atomic64_t *)l;
41428 @@ -115,6 +157,15 @@ static inline long atomic_long_inc_retur
41429 return (long)atomic64_inc_return(v);
41432 +#ifdef CONFIG_PAX_REFCOUNT
41433 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
41435 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
41437 + return (long)atomic64_inc_return_unchecked(v);
41441 static inline long atomic_long_dec_return(atomic_long_t *l)
41443 atomic64_t *v = (atomic64_t *)l;
41444 @@ -140,6 +191,12 @@ static inline long atomic_long_add_unles
41446 typedef atomic_t atomic_long_t;
41448 +#ifdef CONFIG_PAX_REFCOUNT
41449 +typedef atomic_unchecked_t atomic_long_unchecked_t;
41451 +typedef atomic_t atomic_long_unchecked_t;
41454 #define ATOMIC_LONG_INIT(i) ATOMIC_INIT(i)
41455 static inline long atomic_long_read(atomic_long_t *l)
41457 @@ -148,6 +205,15 @@ static inline long atomic_long_read(atom
41458 return (long)atomic_read(v);
41461 +#ifdef CONFIG_PAX_REFCOUNT
41462 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
41464 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
41466 + return (long)atomic_read_unchecked(v);
41470 static inline void atomic_long_set(atomic_long_t *l, long i)
41472 atomic_t *v = (atomic_t *)l;
41473 @@ -155,6 +221,15 @@ static inline void atomic_long_set(atomi
41477 +#ifdef CONFIG_PAX_REFCOUNT
41478 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
41480 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
41482 + atomic_set_unchecked(v, i);
41486 static inline void atomic_long_inc(atomic_long_t *l)
41488 atomic_t *v = (atomic_t *)l;
41489 @@ -162,6 +237,15 @@ static inline void atomic_long_inc(atomi
41493 +#ifdef CONFIG_PAX_REFCOUNT
41494 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
41496 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
41498 + atomic_inc_unchecked(v);
41502 static inline void atomic_long_dec(atomic_long_t *l)
41504 atomic_t *v = (atomic_t *)l;
41505 @@ -176,6 +260,15 @@ static inline void atomic_long_add(long
41509 +#ifdef CONFIG_PAX_REFCOUNT
41510 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
41512 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
41514 + atomic_add_unchecked(i, v);
41518 static inline void atomic_long_sub(long i, atomic_long_t *l)
41520 atomic_t *v = (atomic_t *)l;
41521 @@ -232,6 +325,15 @@ static inline long atomic_long_inc_retur
41522 return (long)atomic_inc_return(v);
41525 +#ifdef CONFIG_PAX_REFCOUNT
41526 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
41528 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
41530 + return (long)atomic_inc_return_unchecked(v);
41534 static inline long atomic_long_dec_return(atomic_long_t *l)
41536 atomic_t *v = (atomic_t *)l;
41537 @@ -255,4 +357,33 @@ static inline long atomic_long_add_unles
41539 #endif /* BITS_PER_LONG == 64 */
41541 +#ifdef CONFIG_PAX_REFCOUNT
41542 +static inline void pax_refcount_needs_these_functions(void)
41544 + atomic_read_unchecked((atomic_unchecked_t *)NULL);
41545 + atomic_set_unchecked((atomic_unchecked_t *)NULL, 0);
41546 + atomic_add_unchecked(0, (atomic_unchecked_t *)NULL);
41547 + atomic_sub_unchecked(0, (atomic_unchecked_t *)NULL);
41548 + atomic_inc_unchecked((atomic_unchecked_t *)NULL);
41550 + atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL);
41551 + atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0);
41552 + atomic_long_add_unchecked(0, (atomic_long_unchecked_t *)NULL);
41553 + atomic_long_inc_unchecked((atomic_long_unchecked_t *)NULL);
41554 + atomic_long_inc_return_unchecked((atomic_long_unchecked_t *)NULL);
41557 +#define atomic_read_unchecked(v) atomic_read(v)
41558 +#define atomic_set_unchecked(v, i) atomic_set((v), (i))
41559 +#define atomic_add_unchecked(i, v) atomic_add((i), (v))
41560 +#define atomic_sub_unchecked(i, v) atomic_sub((i), (v))
41561 +#define atomic_inc_unchecked(v) atomic_inc(v)
41563 +#define atomic_long_read_unchecked(v) atomic_long_read(v)
41564 +#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i))
41565 +#define atomic_long_add_unchecked(i, v) atomic_long_add((i), (v))
41566 +#define atomic_long_inc_unchecked(v) atomic_long_inc(v)
41567 +#define atomic_long_inc_return_unchecked(v) atomic_long_inc_return(v)
41570 #endif /* _ASM_GENERIC_ATOMIC_LONG_H */
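Review bot: `pax_refcount_needs_these_functions()` passes a NULL pointer to every `_unchecked` accessor, so it would fault if anything ever called it, and nothing in the hunk says it must not be called. It looks like a compile-time presence check only, so a comment above it such as `/* never called: only forces a build error when an arch lacks an _unchecked accessor */` would make that explicit. The list covers `atomic_sub_unchecked` but no `atomic_long_sub_unchecked` or `atomic_long_dec_unchecked`, and the fallback macros have the same gap, so the long API is narrower than the int one; if that is intended it belongs in the same comment. The `#else`/`#endif` lines separating the two branches are not visible on this page.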
41571 diff -urNp linux-2.6.33.1/include/asm-generic/dma-mapping-common.h linux-2.6.33.1/include/asm-generic/dma-mapping-common.h
41572 --- linux-2.6.33.1/include/asm-generic/dma-mapping-common.h 2010-03-15 12:09:39.000000000 -0400
41573 +++ linux-2.6.33.1/include/asm-generic/dma-mapping-common.h 2010-03-20 16:58:41.904583344 -0400
41574 @@ -11,7 +11,7 @@ static inline dma_addr_t dma_map_single_
41575 enum dma_data_direction dir,
41576 struct dma_attrs *attrs)
41578 - struct dma_map_ops *ops = get_dma_ops(dev);
41579 + const struct dma_map_ops *ops = get_dma_ops(dev);
41582 kmemcheck_mark_initialized(ptr, size);
41583 @@ -30,7 +30,7 @@ static inline void dma_unmap_single_attr
41584 enum dma_data_direction dir,
41585 struct dma_attrs *attrs)
41587 - struct dma_map_ops *ops = get_dma_ops(dev);
41588 + const struct dma_map_ops *ops = get_dma_ops(dev);
41590 BUG_ON(!valid_dma_direction(dir));
41591 if (ops->unmap_page)
41592 @@ -42,7 +42,7 @@ static inline int dma_map_sg_attrs(struc
41593 int nents, enum dma_data_direction dir,
41594 struct dma_attrs *attrs)
41596 - struct dma_map_ops *ops = get_dma_ops(dev);
41597 + const struct dma_map_ops *ops = get_dma_ops(dev);
41599 struct scatterlist *s;
41601 @@ -59,7 +59,7 @@ static inline void dma_unmap_sg_attrs(st
41602 int nents, enum dma_data_direction dir,
41603 struct dma_attrs *attrs)
41605 - struct dma_map_ops *ops = get_dma_ops(dev);
41606 + const struct dma_map_ops *ops = get_dma_ops(dev);
41608 BUG_ON(!valid_dma_direction(dir));
41609 debug_dma_unmap_sg(dev, sg, nents, dir);
41610 @@ -71,7 +71,7 @@ static inline dma_addr_t dma_map_page(st
41611 size_t offset, size_t size,
41612 enum dma_data_direction dir)
41614 - struct dma_map_ops *ops = get_dma_ops(dev);
41615 + const struct dma_map_ops *ops = get_dma_ops(dev);
41618 kmemcheck_mark_initialized(page_address(page) + offset, size);
41619 @@ -85,7 +85,7 @@ static inline dma_addr_t dma_map_page(st
41620 static inline void dma_unmap_page(struct device *dev, dma_addr_t addr,
41621 size_t size, enum dma_data_direction dir)
41623 - struct dma_map_ops *ops = get_dma_ops(dev);
41624 + const struct dma_map_ops *ops = get_dma_ops(dev);
41626 BUG_ON(!valid_dma_direction(dir));
41627 if (ops->unmap_page)
41628 @@ -97,7 +97,7 @@ static inline void dma_sync_single_for_c
41630 enum dma_data_direction dir)
41632 - struct dma_map_ops *ops = get_dma_ops(dev);
41633 + const struct dma_map_ops *ops = get_dma_ops(dev);
41635 BUG_ON(!valid_dma_direction(dir));
41636 if (ops->sync_single_for_cpu)
41637 @@ -109,7 +109,7 @@ static inline void dma_sync_single_for_d
41638 dma_addr_t addr, size_t size,
41639 enum dma_data_direction dir)
41641 - struct dma_map_ops *ops = get_dma_ops(dev);
41642 + const struct dma_map_ops *ops = get_dma_ops(dev);
41644 BUG_ON(!valid_dma_direction(dir));
41645 if (ops->sync_single_for_device)
41646 @@ -123,7 +123,7 @@ static inline void dma_sync_single_range
41648 enum dma_data_direction dir)
41650 - struct dma_map_ops *ops = get_dma_ops(dev);
41651 + const struct dma_map_ops *ops = get_dma_ops(dev);
41653 BUG_ON(!valid_dma_direction(dir));
41654 if (ops->sync_single_range_for_cpu) {
41655 @@ -140,7 +140,7 @@ static inline void dma_sync_single_range
41657 enum dma_data_direction dir)
41659 - struct dma_map_ops *ops = get_dma_ops(dev);
41660 + const struct dma_map_ops *ops = get_dma_ops(dev);
41662 BUG_ON(!valid_dma_direction(dir));
41663 if (ops->sync_single_range_for_device) {
41664 @@ -155,7 +155,7 @@ static inline void
41665 dma_sync_sg_for_cpu(struct device *dev, struct scatterlist *sg,
41666 int nelems, enum dma_data_direction dir)
41668 - struct dma_map_ops *ops = get_dma_ops(dev);
41669 + const struct dma_map_ops *ops = get_dma_ops(dev);
41671 BUG_ON(!valid_dma_direction(dir));
41672 if (ops->sync_sg_for_cpu)
41673 @@ -167,7 +167,7 @@ static inline void
41674 dma_sync_sg_for_device(struct device *dev, struct scatterlist *sg,
41675 int nelems, enum dma_data_direction dir)
41677 - struct dma_map_ops *ops = get_dma_ops(dev);
41678 + const struct dma_map_ops *ops = get_dma_ops(dev);
41680 BUG_ON(!valid_dma_direction(dir));
41681 if (ops->sync_sg_for_device)
41682 diff -urNp linux-2.6.33.1/include/asm-generic/futex.h linux-2.6.33.1/include/asm-generic/futex.h
41683 --- linux-2.6.33.1/include/asm-generic/futex.h 2010-03-15 12:09:39.000000000 -0400
41684 +++ linux-2.6.33.1/include/asm-generic/futex.h 2010-03-20 16:58:41.904583344 -0400
41686 #include <asm/errno.h>
41689 -futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
41690 +futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
41692 int op = (encoded_op >> 28) & 7;
41693 int cmp = (encoded_op >> 24) & 15;
41694 @@ -48,7 +48,7 @@ futex_atomic_op_inuser (int encoded_op,
41698 -futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
41699 +futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
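Review bot: `futex_atomic_cmpxchg_inatomic()` now takes `u32 __user *uaddr` but still receives `int oldval` and `int newval`, so the pointee and the values compared against it differ in signedness. For consistency with the new pointer type I would make the signature `futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, u32 oldval, u32 newval)`, provided the architecture implementations and callers, which are not visible here, are converted in the same change. The function body continues outside the hunk.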
41703 diff -urNp linux-2.6.33.1/include/asm-generic/int-l64.h linux-2.6.33.1/include/asm-generic/int-l64.h
41704 --- linux-2.6.33.1/include/asm-generic/int-l64.h 2010-03-15 12:09:39.000000000 -0400
41705 +++ linux-2.6.33.1/include/asm-generic/int-l64.h 2010-03-20 16:58:41.904583344 -0400
41706 @@ -46,6 +46,8 @@ typedef unsigned int u32;
41707 typedef signed long s64;
41708 typedef unsigned long u64;
41710 +typedef unsigned int intoverflow_t __attribute__ ((mode(TI)));
41713 #define U8_C(x) x ## U
41715 diff -urNp linux-2.6.33.1/include/asm-generic/int-ll64.h linux-2.6.33.1/include/asm-generic/int-ll64.h
41716 --- linux-2.6.33.1/include/asm-generic/int-ll64.h 2010-03-15 12:09:39.000000000 -0400
41717 +++ linux-2.6.33.1/include/asm-generic/int-ll64.h 2010-03-20 16:58:41.904583344 -0400
41718 @@ -51,6 +51,8 @@ typedef unsigned int u32;
41719 typedef signed long long s64;
41720 typedef unsigned long long u64;
41722 +typedef unsigned long long intoverflow_t;
41725 #define U8_C(x) x ## U
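Review bot: `intoverflow_t` is added here as `unsigned long long`, the same width as `u64` two lines above, while the int-l64.h hunk makes it a 128-bit `mode(TI)` integer. If the type is meant to hold a result wider than its operands so that an overflow can be detected (inferred from the name; its users are not visible here), then on a 64-bit target that includes int-ll64.h it is no wider than `size_t` and such a check cannot fire. Neither hunk documents the intended use; a comment like `/* must be wider than size_t: used to detect overflow in size arithmetic */`, with a build-time assertion at the use site, would make the assumption testable.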
41727 diff -urNp linux-2.6.33.1/include/asm-generic/kmap_types.h linux-2.6.33.1/include/asm-generic/kmap_types.h
41728 --- linux-2.6.33.1/include/asm-generic/kmap_types.h 2010-03-15 12:09:39.000000000 -0400
41729 +++ linux-2.6.33.1/include/asm-generic/kmap_types.h 2010-03-20 16:58:41.904583344 -0400
41730 @@ -28,7 +28,8 @@ KMAP_D(15) KM_UML_USERCOPY,
41731 KMAP_D(16) KM_IRQ_PTE,
41733 KMAP_D(18) KM_NMI_PTE,
41734 -KMAP_D(19) KM_TYPE_NR
41735 +KMAP_D(19) KM_CLEARPAGE,
41736 +KMAP_D(20) KM_TYPE_NR
41740 diff -urNp linux-2.6.33.1/include/asm-generic/pgtable.h linux-2.6.33.1/include/asm-generic/pgtable.h
41741 --- linux-2.6.33.1/include/asm-generic/pgtable.h 2010-03-15 12:09:39.000000000 -0400
41742 +++ linux-2.6.33.1/include/asm-generic/pgtable.h 2010-03-20 16:58:41.904583344 -0400
41743 @@ -344,6 +344,14 @@ extern void untrack_pfn_vma(struct vm_ar
41744 unsigned long size);
41747 +#ifndef __HAVE_ARCH_PAX_OPEN_KERNEL
41748 +static inline unsigned long pax_open_kernel(void) { return 0; }
41751 +#ifndef __HAVE_ARCH_PAX_CLOSE_KERNEL
41752 +static inline unsigned long pax_close_kernel(void) { return 0; }
41755 #endif /* !__ASSEMBLY__ */
41757 #endif /* _ASM_GENERIC_PGTABLE_H */
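Review bot: The two stubs are guarded separately (`__HAVE_ARCH_PAX_OPEN_KERNEL` and `__HAVE_ARCH_PAX_CLOSE_KERNEL`), so an architecture that defines only one of the macros ends up with a real open paired with a no-op close, or the reverse. The functions only make sense as a pair, and a single guard covering both would rule that out. The stubs also return `unsigned long` 0 without saying what the value means or whether callers may ignore it; a short comment such as `/* no-op fallbacks for architectures without their own implementation; always call as a pair */` would document the contract.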
41758 diff -urNp linux-2.6.33.1/include/asm-generic/vmlinux.lds.h linux-2.6.33.1/include/asm-generic/vmlinux.lds.h
41759 --- linux-2.6.33.1/include/asm-generic/vmlinux.lds.h 2010-03-15 12:09:39.000000000 -0400
41760 +++ linux-2.6.33.1/include/asm-generic/vmlinux.lds.h 2010-03-20 16:58:41.904583344 -0400
41761 @@ -203,6 +203,7 @@
41762 .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
41763 VMLINUX_SYMBOL(__start_rodata) = .; \
41764 *(.rodata) *(.rodata.*) \
41765 + *(.data.read_only) \
41766 *(__vermagic) /* Kernel version magic */ \
41767 *(__markers_strings) /* Markers: strings */ \
41768 *(__tracepoints_strings)/* Tracepoints: strings */ \
41769 @@ -660,22 +661,24 @@
41770 * section in the linker script will go there too. @phdr should have
41773 - * Note that this macros defines __per_cpu_load as an absolute symbol.
41774 + * Note that this macros defines per_cpu_load as an absolute symbol.
41775 * If there is no need to put the percpu section at a predetermined
41776 * address, use PERCPU().
41778 #define PERCPU_VADDR(vaddr, phdr) \
41779 - VMLINUX_SYMBOL(__per_cpu_load) = .; \
41780 - .data.percpu vaddr : AT(VMLINUX_SYMBOL(__per_cpu_load) \
41781 + per_cpu_load = .; \
41782 + .data.percpu vaddr : AT(VMLINUX_SYMBOL(per_cpu_load) \
41784 + VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load; \
41785 VMLINUX_SYMBOL(__per_cpu_start) = .; \
41786 *(.data.percpu.first) \
41787 - *(.data.percpu.page_aligned) \
41789 + . = ALIGN(PAGE_SIZE); \
41790 + *(.data.percpu.page_aligned) \
41791 *(.data.percpu.shared_aligned) \
41792 VMLINUX_SYMBOL(__per_cpu_end) = .; \
41794 - . = VMLINUX_SYMBOL(__per_cpu_load) + SIZEOF(.data.percpu);
41795 + . = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data.percpu);
41798 * PERCPU - define output section for percpu area, simple version
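Review bot: In `PERCPU_VADDR` the new symbol is assigned bare (`per_cpu_load = .;`) and used bare in `. + per_cpu_load`, but is read through `VMLINUX_SYMBOL(per_cpu_load)` in the `AT()` expression and in the final location-counter assignment. On a configuration where `VMLINUX_SYMBOL()` adds a prefix these are two different names, so the wrapped references would not resolve to the assignment. Using one form throughout, e.g. `VMLINUX_SYMBOL(per_cpu_load) = .;`, keeps the macro consistent. The header comment now says the macro defines `per_cpu_load` as an absolute symbol although `__per_cpu_load` is still defined inside the section, which should be stated there as well.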
41799 diff -urNp linux-2.6.33.1/include/drm/drm_pciids.h linux-2.6.33.1/include/drm/drm_pciids.h
41800 --- linux-2.6.33.1/include/drm/drm_pciids.h 2010-03-15 12:09:39.000000000 -0400
41801 +++ linux-2.6.33.1/include/drm/drm_pciids.h 2010-03-20 16:58:41.904583344 -0400
41802 @@ -375,7 +375,7 @@
41803 {0x1002, 0x9712, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
41804 {0x1002, 0x9713, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
41805 {0x1002, 0x9714, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
41807 + {0, 0, 0, 0, 0, 0}
41809 #define r128_PCI_IDS \
41810 {0x1002, 0x4c45, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41811 @@ -415,14 +415,14 @@
41812 {0x1002, 0x5446, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41813 {0x1002, 0x544C, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41814 {0x1002, 0x5452, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41816 + {0, 0, 0, 0, 0, 0}
41818 #define mga_PCI_IDS \
41819 {0x102b, 0x0520, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G200}, \
41820 {0x102b, 0x0521, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G200}, \
41821 {0x102b, 0x0525, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G400}, \
41822 {0x102b, 0x2527, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G550}, \
41824 + {0, 0, 0, 0, 0, 0}
41826 #define mach64_PCI_IDS \
41827 {0x1002, 0x4749, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41828 @@ -445,7 +445,7 @@
41829 {0x1002, 0x4c53, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41830 {0x1002, 0x4c4d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41831 {0x1002, 0x4c4e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41833 + {0, 0, 0, 0, 0, 0}
41835 #define sisdrv_PCI_IDS \
41836 {0x1039, 0x0300, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41837 @@ -456,7 +456,7 @@
41838 {0x1039, 0x7300, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41839 {0x18CA, 0x0040, PCI_ANY_ID, PCI_ANY_ID, 0, 0, SIS_CHIP_315}, \
41840 {0x18CA, 0x0042, PCI_ANY_ID, PCI_ANY_ID, 0, 0, SIS_CHIP_315}, \
41842 + {0, 0, 0, 0, 0, 0}
41844 #define tdfx_PCI_IDS \
41845 {0x121a, 0x0003, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41846 @@ -465,7 +465,7 @@
41847 {0x121a, 0x0007, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41848 {0x121a, 0x0009, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41849 {0x121a, 0x000b, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41851 + {0, 0, 0, 0, 0, 0}
41853 #define viadrv_PCI_IDS \
41854 {0x1106, 0x3022, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41855 @@ -477,14 +477,14 @@
41856 {0x1106, 0x3343, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41857 {0x1106, 0x3230, PCI_ANY_ID, PCI_ANY_ID, 0, 0, VIA_DX9_0}, \
41858 {0x1106, 0x3157, PCI_ANY_ID, PCI_ANY_ID, 0, 0, VIA_PRO_GROUP_A}, \
41860 + {0, 0, 0, 0, 0, 0}
41862 #define i810_PCI_IDS \
41863 {0x8086, 0x7121, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41864 {0x8086, 0x7123, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41865 {0x8086, 0x7125, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41866 {0x8086, 0x1132, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41868 + {0, 0, 0, 0, 0, 0}
41870 #define i830_PCI_IDS \
41871 {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41872 @@ -492,11 +492,11 @@
41873 {0x8086, 0x3582, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41874 {0x8086, 0x2572, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41875 {0x8086, 0x358e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41877 + {0, 0, 0, 0, 0, 0}
41879 #define gamma_PCI_IDS \
41880 {0x3d3d, 0x0008, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41882 + {0, 0, 0, 0, 0, 0}
41884 #define savage_PCI_IDS \
41885 {0x5333, 0x8a20, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_SAVAGE3D}, \
41886 @@ -522,10 +522,10 @@
41887 {0x5333, 0x8d02, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_TWISTER}, \
41888 {0x5333, 0x8d03, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_PROSAVAGEDDR}, \
41889 {0x5333, 0x8d04, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_PROSAVAGEDDR}, \
41891 + {0, 0, 0, 0, 0, 0}
41893 #define ffb_PCI_IDS \
41895 + {0, 0, 0, 0, 0, 0}
41897 #define i915_PCI_IDS \
41898 {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
41899 @@ -558,4 +558,4 @@
41900 {0x8086, 0x35e8, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
41901 {0x8086, 0x0042, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
41902 {0x8086, 0x0046, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
41904 + {0, 0, 0, 0, 0, 0}
41905 diff -urNp linux-2.6.33.1/include/drm/drmP.h linux-2.6.33.1/include/drm/drmP.h
41906 --- linux-2.6.33.1/include/drm/drmP.h 2010-03-15 12:09:39.000000000 -0400
41907 +++ linux-2.6.33.1/include/drm/drmP.h 2010-03-20 16:58:41.904583344 -0400
41908 @@ -806,7 +806,7 @@ struct drm_driver {
41909 void (*vgaarb_irq)(struct drm_device *dev, bool state);
41911 /* Driver private ops for this object */
41912 - struct vm_operations_struct *gem_vm_ops;
41913 + const struct vm_operations_struct *gem_vm_ops;
41917 @@ -915,7 +915,7 @@ struct drm_device {
41919 /** \name Usage Counters */
41921 - int open_count; /**< Outstanding files open */
41922 + atomic_t open_count; /**< Outstanding files open */
41923 atomic_t ioctl_count; /**< Outstanding IOCTLs pending */
41924 atomic_t vma_count; /**< Outstanding vma areas open */
41925 int buf_use; /**< Buffers in use -- cannot alloc */
41926 @@ -926,7 +926,7 @@ struct drm_device {
41928 unsigned long counters;
41929 enum drm_stat_type types[15];
41930 - atomic_t counts[15];
41931 + atomic_unchecked_t counts[15];
41934 struct list_head filelist;
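Review bot: `counts[15]` moves from `atomic_t` to `atomic_unchecked_t`, which, going by the CONFIG_PAX_REFCOUNT definitions elsewhere in this patch, opts these counters out of overflow detection, but the declaration gives no reason. If they are pure statistics whose wrap-around is harmless, say so at the declaration, e.g. `atomic_unchecked_t counts[15]; /* statistics only, may wrap; never a reference count */`, so the type is not later copied onto a real refcount. The same applies to `__HANDLE_ITEM` in include/linux/atmdev.h. In the previous hunk `open_count` becomes `atomic_t`, so every reader and writer outside this header has to move to the atomic accessors in the same change.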
41935 diff -urNp linux-2.6.33.1/include/linux/a.out.h linux-2.6.33.1/include/linux/a.out.h
41936 --- linux-2.6.33.1/include/linux/a.out.h 2010-03-15 12:09:39.000000000 -0400
41937 +++ linux-2.6.33.1/include/linux/a.out.h 2010-03-20 16:58:41.904583344 -0400
41938 @@ -39,6 +39,14 @@ enum machine_type {
41939 M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
41942 +/* Constants for the N_FLAGS field */
41943 +#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
41944 +#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
41945 +#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
41946 +#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
41947 +/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
41948 +#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
41950 #if !defined (N_MAGIC)
41951 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
41953 diff -urNp linux-2.6.33.1/include/linux/atmdev.h linux-2.6.33.1/include/linux/atmdev.h
41954 --- linux-2.6.33.1/include/linux/atmdev.h 2010-03-15 12:09:39.000000000 -0400
41955 +++ linux-2.6.33.1/include/linux/atmdev.h 2010-03-20 16:58:41.904583344 -0400
41956 @@ -237,7 +237,7 @@ struct compat_atm_iobuf {
41959 struct k_atm_aal_stats {
41960 -#define __HANDLE_ITEM(i) atomic_t i
41961 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
41963 #undef __HANDLE_ITEM
41965 diff -urNp linux-2.6.33.1/include/linux/binfmts.h linux-2.6.33.1/include/linux/binfmts.h
41966 --- linux-2.6.33.1/include/linux/binfmts.h 2010-03-15 12:09:39.000000000 -0400
41967 +++ linux-2.6.33.1/include/linux/binfmts.h 2010-03-20 16:58:41.904583344 -0400
41968 @@ -86,6 +86,7 @@ struct linux_binfmt {
41969 int (*load_binary)(struct linux_binprm *, struct pt_regs * regs);
41970 int (*load_shlib)(struct file *);
41971 int (*core_dump)(struct coredump_params *cprm);
41972 + void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags);
41973 unsigned long min_coredump; /* minimal dump size */
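Review bot: The new `handle_mprotect` member is added without a comment on when it is called or whether it may be NULL. Binary formats that do not set it will presumably leave the pointer zero, so every caller has to test it before the indirect call; the call site is not in this hunk. I would add `/* optional, may be NULL; invoked from mprotect() with the flags about to be applied */` next to the member, adjusted to whatever the caller actually guarantees.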
41976 diff -urNp linux-2.6.33.1/include/linux/blkdev.h linux-2.6.33.1/include/linux/blkdev.h
41977 --- linux-2.6.33.1/include/linux/blkdev.h 2010-03-15 12:09:39.000000000 -0400
41978 +++ linux-2.6.33.1/include/linux/blkdev.h 2010-03-20 16:58:41.908542968 -0400
41979 @@ -1287,19 +1287,19 @@ static inline int blk_integrity_rq(struc
41980 #endif /* CONFIG_BLK_DEV_INTEGRITY */
41982 struct block_device_operations {
41983 - int (*open) (struct block_device *, fmode_t);
41984 - int (*release) (struct gendisk *, fmode_t);
41985 - int (*locked_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
41986 - int (*ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
41987 - int (*compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
41988 - int (*direct_access) (struct block_device *, sector_t,
41989 + int (* const open) (struct block_device *, fmode_t);
41990 + int (* const release) (struct gendisk *, fmode_t);
41991 + int (* const locked_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
41992 + int (* const ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
41993 + int (* const compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
41994 + int (* const direct_access) (struct block_device *, sector_t,
41995 void **, unsigned long *);
41996 - int (*media_changed) (struct gendisk *);
41997 - unsigned long long (*set_capacity) (struct gendisk *,
41998 + int (* const media_changed) (struct gendisk *);
41999 + unsigned long long (* const set_capacity) (struct gendisk *,
42000 unsigned long long);
42001 - int (*revalidate_disk) (struct gendisk *);
42002 - int (*getgeo)(struct block_device *, struct hd_geometry *);
42003 - struct module *owner;
42004 + int (* const revalidate_disk) (struct gendisk *);
42005 + int (* const getgeo)(struct block_device *, struct hd_geometry *);
42006 + struct module * const owner;
42009 extern int __blkdev_driver_ioctl(struct block_device *, fmode_t, unsigned int,
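Review bot: Marking every member `const` in `block_device_operations` stops later assignments at compile time, but the hunk carries no comment explaining the intent or what it requires of drivers. The same pattern is applied to `dma_map_ops`, `address_space_operations`, `file_lock_operations`, `lock_manager_operations` and `super_operations` further down. Member-level const does not by itself decide where an instance is placed, so whether these tables end up in read-only memory still depends on each instance being declared `const` (not visible here). A short comment above the struct, such as `/* members are const: instances must be fully initialised statically and should be declared const */`, would record that contract for driver authors.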
42010 diff -urNp linux-2.6.33.1/include/linux/cache.h linux-2.6.33.1/include/linux/cache.h
42011 --- linux-2.6.33.1/include/linux/cache.h 2010-03-15 12:09:39.000000000 -0400
42012 +++ linux-2.6.33.1/include/linux/cache.h 2010-03-20 16:58:41.908542968 -0400
42014 #define __read_mostly
42017 +#ifndef __read_only
42018 +#define __read_only __read_mostly
42021 #ifndef ____cacheline_aligned
42022 #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
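Review bot: The fallback `#define __read_only __read_mostly` silently downgrades the protection on any architecture that does not supply its own `__read_only`. Data annotated `__read_only` is then only grouped with read-mostly data and remains writable, which a reader of the annotated declaration cannot tell. I would add a comment on the fallback, for example `/* no write protection here: arch must define __read_only to get a real read-only section */`. The matching `#endif` and the hunk header are not shown on the page.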
42024 diff -urNp linux-2.6.33.1/include/linux/capability.h linux-2.6.33.1/include/linux/capability.h
42025 --- linux-2.6.33.1/include/linux/capability.h 2010-03-15 12:09:39.000000000 -0400
42026 +++ linux-2.6.33.1/include/linux/capability.h 2010-03-20 16:58:41.908542968 -0400
42027 @@ -561,6 +561,7 @@ extern const kernel_cap_t __cap_init_eff
42028 (security_real_capable_noaudit((t), (cap)) == 0)
42030 extern int capable(int cap);
42031 +int capable_nolog(int cap);
42033 /* audit system wants to get cap info from files as well */
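Review bot: The added prototype `int capable_nolog(int cap);` is written without `extern` and without a comment, unlike `extern int capable(int cap);` directly above it. If, as the name suggests, it performs the same capability check while skipping the audit or log record, that difference matters to anyone choosing between the two and should be stated. Suggested form: `extern int capable_nolog(int cap); /* like capable(), but a denial is not logged */`, worded to match the implementation, which is outside this hunk.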
42035 diff -urNp linux-2.6.33.1/include/linux/compiler-gcc4.h linux-2.6.33.1/include/linux/compiler-gcc4.h
42036 --- linux-2.6.33.1/include/linux/compiler-gcc4.h 2010-03-15 12:09:39.000000000 -0400
42037 +++ linux-2.6.33.1/include/linux/compiler-gcc4.h 2010-03-20 16:58:41.908542968 -0400
42039 #define unreachable() __builtin_unreachable()
42042 +#define __alloc_size(...) __attribute((alloc_size(__VA_ARGS__)))
42043 +#define __bos(ptr, arg) __builtin_object_size((ptr), (arg))
42044 +#define __bos0(ptr) __bos((ptr), 0)
42045 +#define __bos1(ptr) __bos((ptr), 1)
42048 #if __GNUC_MINOR__ > 0
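Review bot: `__alloc_size` is spelled `__attribute((alloc_size(...)))`, while the rest of these headers use `__attribute__` and, in places, the double-underscore form of the attribute name (for example `__attribute__((__aligned__(...)))` in cache.h). The bare `alloc_size` token can be hit by any macro of that name in a file that includes this header. I would write it as `#define __alloc_size(...) __attribute__((__alloc_size__(__VA_ARGS__)))`. The preprocessor guard around these four defines is not visible on the page, so it is worth checking that they sit under a GCC version that supports the attribute.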
42049 diff -urNp linux-2.6.33.1/include/linux/compiler.h linux-2.6.33.1/include/linux/compiler.h
42050 --- linux-2.6.33.1/include/linux/compiler.h 2010-03-15 12:09:39.000000000 -0400
42051 +++ linux-2.6.33.1/include/linux/compiler.h 2010-03-20 16:58:41.908542968 -0400
42052 @@ -267,6 +267,22 @@ void ftrace_likely_update(struct ftrace_
42056 +#ifndef __alloc_size
42057 +#define __alloc_size
42072 /* Simple shorthand for a section definition */
42074 # define __section(S) __attribute__ ((__section__(#S)))
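Review bot: The fallback as printed, `#define __alloc_size`, is an object-like macro, whereas compiler-gcc4.h defines `__alloc_size(...)` as function-like. With the fallback in effect, a declaration annotated `__alloc_size(1)` would expand to a stray `(1)` and fail to compile on any compiler that does not take the gcc4 path. The fallback should swallow its arguments: `#define __alloc_size(...)`. Most of this hunk (gutter lines 42058 to 42071) is missing from the page, so the same check applies to whatever fallbacks for `__bos`, `__bos0` and `__bos1` sit there.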
42075 diff -urNp linux-2.6.33.1/include/linux/decompress/mm.h linux-2.6.33.1/include/linux/decompress/mm.h
42076 --- linux-2.6.33.1/include/linux/decompress/mm.h 2010-03-15 12:09:39.000000000 -0400
42077 +++ linux-2.6.33.1/include/linux/decompress/mm.h 2010-03-20 16:58:41.908542968 -0400
42078 @@ -68,7 +68,7 @@ static void free(void *where)
42079 * warnings when not needed (indeed large_malloc / large_free are not
42080 * needed by inflate */
42082 -#define malloc(a) kmalloc(a, GFP_KERNEL)
42083 +#define malloc(a) kmalloc((a), GFP_KERNEL)
42084 #define free(a) kfree(a)
42086 #define large_malloc(a) vmalloc(a)
42087 diff -urNp linux-2.6.33.1/include/linux/dma-mapping.h linux-2.6.33.1/include/linux/dma-mapping.h
42088 --- linux-2.6.33.1/include/linux/dma-mapping.h 2010-03-15 12:09:39.000000000 -0400
42089 +++ linux-2.6.33.1/include/linux/dma-mapping.h 2010-03-20 16:58:41.908542968 -0400
42090 @@ -16,50 +16,50 @@ enum dma_data_direction {
42093 struct dma_map_ops {
42094 - void* (*alloc_coherent)(struct device *dev, size_t size,
42095 + void* (* const alloc_coherent)(struct device *dev, size_t size,
42096 dma_addr_t *dma_handle, gfp_t gfp);
42097 - void (*free_coherent)(struct device *dev, size_t size,
42098 + void (* const free_coherent)(struct device *dev, size_t size,
42099 void *vaddr, dma_addr_t dma_handle);
42100 - dma_addr_t (*map_page)(struct device *dev, struct page *page,
42101 + dma_addr_t (* const map_page)(struct device *dev, struct page *page,
42102 unsigned long offset, size_t size,
42103 enum dma_data_direction dir,
42104 struct dma_attrs *attrs);
42105 - void (*unmap_page)(struct device *dev, dma_addr_t dma_handle,
42106 + void (* const unmap_page)(struct device *dev, dma_addr_t dma_handle,
42107 size_t size, enum dma_data_direction dir,
42108 struct dma_attrs *attrs);
42109 - int (*map_sg)(struct device *dev, struct scatterlist *sg,
42110 + int (* const map_sg)(struct device *dev, struct scatterlist *sg,
42111 int nents, enum dma_data_direction dir,
42112 struct dma_attrs *attrs);
42113 - void (*unmap_sg)(struct device *dev,
42114 + void (* const unmap_sg)(struct device *dev,
42115 struct scatterlist *sg, int nents,
42116 enum dma_data_direction dir,
42117 struct dma_attrs *attrs);
42118 - void (*sync_single_for_cpu)(struct device *dev,
42119 + void (* const sync_single_for_cpu)(struct device *dev,
42120 dma_addr_t dma_handle, size_t size,
42121 enum dma_data_direction dir);
42122 - void (*sync_single_for_device)(struct device *dev,
42123 + void (* const sync_single_for_device)(struct device *dev,
42124 dma_addr_t dma_handle, size_t size,
42125 enum dma_data_direction dir);
42126 - void (*sync_single_range_for_cpu)(struct device *dev,
42127 + void (* const sync_single_range_for_cpu)(struct device *dev,
42128 dma_addr_t dma_handle,
42129 unsigned long offset,
42131 enum dma_data_direction dir);
42132 - void (*sync_single_range_for_device)(struct device *dev,
42133 + void (* const sync_single_range_for_device)(struct device *dev,
42134 dma_addr_t dma_handle,
42135 unsigned long offset,
42137 enum dma_data_direction dir);
42138 - void (*sync_sg_for_cpu)(struct device *dev,
42139 + void (* const sync_sg_for_cpu)(struct device *dev,
42140 struct scatterlist *sg, int nents,
42141 enum dma_data_direction dir);
42142 - void (*sync_sg_for_device)(struct device *dev,
42143 + void (* const sync_sg_for_device)(struct device *dev,
42144 struct scatterlist *sg, int nents,
42145 enum dma_data_direction dir);
42146 - int (*mapping_error)(struct device *dev, dma_addr_t dma_addr);
42147 - int (*dma_supported)(struct device *dev, u64 mask);
42148 - int (*set_dma_mask)(struct device *dev, u64 mask);
42150 + int (* const mapping_error)(struct device *dev, dma_addr_t dma_addr);
42151 + int (* const dma_supported)(struct device *dev, u64 mask);
42152 + int (* set_dma_mask)(struct device *dev, u64 mask);
42153 + const int is_phys;
42156 #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
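Review bot: `set_dma_mask` is the one callback in `dma_map_ops` left without `const` (`int (* set_dma_mask)`), while every other pointer and even `is_phys` become const. Nothing in the hunk says why; presumably some architecture assigns it at run time, but that leaves one writable function pointer in a table the patch is otherwise trying to make immutable. Please add a comment on that member naming the code that writes it, for example `/* not const: assigned at run time by <arch code> */`, and drop the stray space after `*` so it reads `(*set_dma_mask)`.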
42157 diff -urNp linux-2.6.33.1/include/linux/elf.h linux-2.6.33.1/include/linux/elf.h
42158 --- linux-2.6.33.1/include/linux/elf.h 2010-03-15 12:09:39.000000000 -0400
42159 +++ linux-2.6.33.1/include/linux/elf.h 2010-03-20 16:58:41.908542968 -0400
42160 @@ -49,6 +49,17 @@ typedef __s64 Elf64_Sxword;
42161 #define PT_GNU_EH_FRAME 0x6474e550
42163 #define PT_GNU_STACK (PT_LOOS + 0x474e551)
42164 +#define PT_GNU_RELRO (PT_LOOS + 0x474e552)
42166 +#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
42168 +/* Constants for the e_flags field */
42169 +#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
42170 +#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
42171 +#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
42172 +#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
42173 +/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
42174 +#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
42176 /* These constants define the different elf file types */
42178 @@ -84,6 +95,8 @@ typedef __s64 Elf64_Sxword;
42179 #define DT_DEBUG 21
42180 #define DT_TEXTREL 22
42181 #define DT_JMPREL 23
42182 +#define DT_FLAGS 30
42183 + #define DF_TEXTREL 0x00000004
42184 #define DT_ENCODING 32
42185 #define OLD_DT_LOOS 0x60000000
42186 #define DT_LOOS 0x6000000d
42187 @@ -230,6 +243,19 @@ typedef struct elf64_hdr {
42191 +#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
42192 +#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
42193 +#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
42194 +#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
42195 +#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
42196 +#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
42197 +/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
42198 +/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
42199 +#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
42200 +#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
42201 +#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
42202 +#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
42204 typedef struct elf32_phdr{
42206 Elf32_Off p_offset;
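Review bot: The `PF_*` / `PF_NO*` pairs define an enable bit and a disable bit for each feature, but the header does not say what a program header with both bits set, or neither, means. These flags are read from the binary itself, so that case is attacker-controlled input and the loader's choice is a security decision. A short block comment above the defines would pin it down, for example `/* for each feature: both bits set is invalid; neither set means the kernel default applies */`, adjusted to what the ELF loader actually does (not visible in this hunk). The commented-out `PF_RANDEXEC` pair should also say that bits 10 and 11 stay reserved.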
42207 @@ -322,6 +348,8 @@ typedef struct elf64_shdr {
42213 #define ELFMAG0 0x7f /* EI_MAG */
42214 #define ELFMAG1 'E'
42215 #define ELFMAG2 'L'
42216 @@ -386,6 +414,7 @@ extern Elf32_Dyn _DYNAMIC [];
42217 #define elf_phdr elf32_phdr
42218 #define elf_note elf32_note
42219 #define elf_addr_t Elf32_Off
42220 +#define elf_dyn Elf32_Dyn
42224 @@ -394,6 +423,7 @@ extern Elf64_Dyn _DYNAMIC [];
42225 #define elf_phdr elf64_phdr
42226 #define elf_note elf64_note
42227 #define elf_addr_t Elf64_Off
42228 +#define elf_dyn Elf64_Dyn
42232 diff -urNp linux-2.6.33.1/include/linux/fs.h linux-2.6.33.1/include/linux/fs.h
42233 --- linux-2.6.33.1/include/linux/fs.h 2010-03-15 12:09:39.000000000 -0400
42234 +++ linux-2.6.33.1/include/linux/fs.h 2010-03-20 16:59:37.096727099 -0400
42235 @@ -90,6 +90,11 @@ struct inodes_stat_t {
42236 /* Expect random access pattern */
42237 #define FMODE_RANDOM ((__force fmode_t)4096)
42239 +/* Hack for grsec so as not to require read permission simply to execute
42242 +#define FMODE_GREXEC ((__force fmode_t)8192)
42245 * The below are the various read and write types that we support. Some of
42246 * them include behavioral modifiers that send information down to the
42247 @@ -570,41 +575,41 @@ typedef int (*read_actor_t)(read_descrip
42248 unsigned long, unsigned long);
42250 struct address_space_operations {
42251 - int (*writepage)(struct page *page, struct writeback_control *wbc);
42252 - int (*readpage)(struct file *, struct page *);
42253 - void (*sync_page)(struct page *);
42254 + int (* const writepage)(struct page *page, struct writeback_control *wbc);
42255 + int (* const readpage)(struct file *, struct page *);
42256 + void (* const sync_page)(struct page *);
42258 /* Write back some dirty pages from this mapping. */
42259 - int (*writepages)(struct address_space *, struct writeback_control *);
42260 + int (* const writepages)(struct address_space *, struct writeback_control *);
42262 /* Set a page dirty. Return true if this dirtied it */
42263 - int (*set_page_dirty)(struct page *page);
42264 + int (* const set_page_dirty)(struct page *page);
42266 - int (*readpages)(struct file *filp, struct address_space *mapping,
42267 + int (* const readpages)(struct file *filp, struct address_space *mapping,
42268 struct list_head *pages, unsigned nr_pages);
42270 - int (*write_begin)(struct file *, struct address_space *mapping,
42271 + int (* const write_begin)(struct file *, struct address_space *mapping,
42272 loff_t pos, unsigned len, unsigned flags,
42273 struct page **pagep, void **fsdata);
42274 - int (*write_end)(struct file *, struct address_space *mapping,
42275 + int (* const write_end)(struct file *, struct address_space *mapping,
42276 loff_t pos, unsigned len, unsigned copied,
42277 struct page *page, void *fsdata);
42279 /* Unfortunately this kludge is needed for FIBMAP. Don't use it */
42280 - sector_t (*bmap)(struct address_space *, sector_t);
42281 - void (*invalidatepage) (struct page *, unsigned long);
42282 - int (*releasepage) (struct page *, gfp_t);
42283 - ssize_t (*direct_IO)(int, struct kiocb *, const struct iovec *iov,
42284 + sector_t (* const bmap)(struct address_space *, sector_t);
42285 + void (* const invalidatepage) (struct page *, unsigned long);
42286 + int (* const releasepage) (struct page *, gfp_t);
42287 + ssize_t (* const direct_IO)(int, struct kiocb *, const struct iovec *iov,
42288 loff_t offset, unsigned long nr_segs);
42289 - int (*get_xip_mem)(struct address_space *, pgoff_t, int,
42290 + int (* const get_xip_mem)(struct address_space *, pgoff_t, int,
42291 void **, unsigned long *);
42292 /* migrate the contents of a page to the specified target */
42293 - int (*migratepage) (struct address_space *,
42294 + int (* const migratepage) (struct address_space *,
42295 struct page *, struct page *);
42296 - int (*launder_page) (struct page *);
42297 - int (*is_partially_uptodate) (struct page *, read_descriptor_t *,
42298 + int (* const launder_page) (struct page *);
42299 + int (* const is_partially_uptodate) (struct page *, read_descriptor_t *,
42301 - int (*error_remove_page)(struct address_space *, struct page *);
42302 + int (* const error_remove_page)(struct address_space *, struct page *);
42306 @@ -1032,19 +1037,19 @@ static inline int file_check_writeable(s
42307 typedef struct files_struct *fl_owner_t;
42309 struct file_lock_operations {
42310 - void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
42311 - void (*fl_release_private)(struct file_lock *);
42312 + void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
42313 + void (* const fl_release_private)(struct file_lock *);
42316 struct lock_manager_operations {
42317 - int (*fl_compare_owner)(struct file_lock *, struct file_lock *);
42318 - void (*fl_notify)(struct file_lock *); /* unblock callback */
42319 - int (*fl_grant)(struct file_lock *, struct file_lock *, int);
42320 - void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
42321 - void (*fl_release_private)(struct file_lock *);
42322 - void (*fl_break)(struct file_lock *);
42323 - int (*fl_mylease)(struct file_lock *, struct file_lock *);
42324 - int (*fl_change)(struct file_lock **, int);
42325 + int (* const fl_compare_owner)(struct file_lock *, struct file_lock *);
42326 + void (* const fl_notify)(struct file_lock *); /* unblock callback */
42327 + int (* const fl_grant)(struct file_lock *, struct file_lock *, int);
42328 + void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
42329 + void (* const fl_release_private)(struct file_lock *);
42330 + void (* const fl_break)(struct file_lock *);
42331 + int (* const fl_mylease)(struct file_lock *, struct file_lock *);
42332 + int (* const fl_change)(struct file_lock **, int);
42335 struct lock_manager {
42336 @@ -1437,7 +1442,7 @@ struct fiemap_extent_info {
42337 unsigned int fi_flags; /* Flags as passed from user */
42338 unsigned int fi_extents_mapped; /* Number of mapped extents */
42339 unsigned int fi_extents_max; /* Size of fiemap_extent array */
42340 - struct fiemap_extent *fi_extents_start; /* Start of fiemap_extent
42341 + struct fiemap_extent __user *fi_extents_start; /* Start of fiemap_extent
42344 int fiemap_fill_next_extent(struct fiemap_extent_info *info, u64 logical,
42345 @@ -1554,30 +1559,30 @@ extern ssize_t vfs_writev(struct file *,
42346 unsigned long, loff_t *);
42348 struct super_operations {
42349 - struct inode *(*alloc_inode)(struct super_block *sb);
42350 - void (*destroy_inode)(struct inode *);
42351 + struct inode *(* const alloc_inode)(struct super_block *sb);
42352 + void (* const destroy_inode)(struct inode *);
42354 - void (*dirty_inode) (struct inode *);
42355 - int (*write_inode) (struct inode *, int);
42356 - void (*drop_inode) (struct inode *);
42357 - void (*delete_inode) (struct inode *);
42358 - void (*put_super) (struct super_block *);
42359 - void (*write_super) (struct super_block *);
42360 - int (*sync_fs)(struct super_block *sb, int wait);
42361 - int (*freeze_fs) (struct super_block *);
42362 - int (*unfreeze_fs) (struct super_block *);
42363 - int (*statfs) (struct dentry *, struct kstatfs *);
42364 - int (*remount_fs) (struct super_block *, int *, char *);
42365 - void (*clear_inode) (struct inode *);
42366 - void (*umount_begin) (struct super_block *);
42367 + void (* const dirty_inode) (struct inode *);
42368 + int (* const write_inode) (struct inode *, int);
42369 + void (* const drop_inode) (struct inode *);
42370 + void (* const delete_inode) (struct inode *);
42371 + void (* const put_super) (struct super_block *);
42372 + void (* const write_super) (struct super_block *);
42373 + int (* const sync_fs)(struct super_block *sb, int wait);
42374 + int (* const freeze_fs) (struct super_block *);
42375 + int (* const unfreeze_fs) (struct super_block *);
42376 + int (* const statfs) (struct dentry *, struct kstatfs *);
42377 + int (* const remount_fs) (struct super_block *, int *, char *);
42378 + void (* const clear_inode) (struct inode *);
42379 + void (* const umount_begin) (struct super_block *);
42381 - int (*show_options)(struct seq_file *, struct vfsmount *);
42382 - int (*show_stats)(struct seq_file *, struct vfsmount *);
42383 + int (* const show_options)(struct seq_file *, struct vfsmount *);
42384 + int (* const show_stats)(struct seq_file *, struct vfsmount *);
42385 #ifdef CONFIG_QUOTA
42386 - ssize_t (*quota_read)(struct super_block *, int, char *, size_t, loff_t);
42387 - ssize_t (*quota_write)(struct super_block *, int, const char *, size_t, loff_t);
42388 + ssize_t (* const quota_read)(struct super_block *, int, char *, size_t, loff_t);
42389 + ssize_t (* const quota_write)(struct super_block *, int, const char *, size_t, loff_t);
42391 - int (*bdev_try_to_free_page)(struct super_block*, struct page*, gfp_t);
42392 + int (* const bdev_try_to_free_page)(struct super_block*, struct page*, gfp_t);
42396 diff -urNp linux-2.6.33.1/include/linux/fs_struct.h linux-2.6.33.1/include/linux/fs_struct.h
42397 --- linux-2.6.33.1/include/linux/fs_struct.h 2010-03-15 12:09:39.000000000 -0400
42398 +++ linux-2.6.33.1/include/linux/fs_struct.h 2010-03-20 16:58:41.908542968 -0400
42400 #include <linux/path.h>
42408 diff -urNp linux-2.6.33.1/include/linux/genhd.h linux-2.6.33.1/include/linux/genhd.h
42409 --- linux-2.6.33.1/include/linux/genhd.h 2010-03-15 12:09:39.000000000 -0400
42410 +++ linux-2.6.33.1/include/linux/genhd.h 2010-03-20 16:58:41.912517036 -0400
42411 @@ -162,7 +162,7 @@ struct gendisk {
42413 struct timer_rand_state *random;
42415 - atomic_t sync_io; /* RAID */
42416 + atomic_unchecked_t sync_io; /* RAID */
42417 struct work_struct async_notify;
42418 #ifdef CONFIG_BLK_DEV_INTEGRITY
42419 struct blk_integrity *integrity;
42420 diff -urNp linux-2.6.33.1/include/linux/gracl.h linux-2.6.33.1/include/linux/gracl.h
42421 --- linux-2.6.33.1/include/linux/gracl.h 1969-12-31 19:00:00.000000000 -0500
42422 +++ linux-2.6.33.1/include/linux/gracl.h 2010-03-20 16:58:41.912517036 -0400
42427 +#include <linux/grdefs.h>
42428 +#include <linux/resource.h>
42429 +#include <linux/capability.h>
42430 +#include <linux/dcache.h>
42431 +#include <asm/resource.h>
42433 +/* Major status information */
42435 +#define GR_VERSION "grsecurity 2.1.14"
42436 +#define GRSECURITY_VERSION 0x2114
42447 + GR_SPROLEPAM = 8,
42450 +/* Password setup definitions
42451 + * kernel/grhash.c */
42454 + GR_SALT_LEN = 16,
42459 + GR_SPROLE_LEN = 64,
42462 +#define GR_NLIMITS 32
42464 +/* Begin Data Structures */
42466 +struct sprole_pw {
42467 + unsigned char *rolename;
42468 + unsigned char salt[GR_SALT_LEN];
42469 + unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
42472 +struct name_entry {
42479 + struct name_entry *prev;
42480 + struct name_entry *next;
42483 +struct inodev_entry {
42484 + struct name_entry *nentry;
42485 + struct inodev_entry *prev;
42486 + struct inodev_entry *next;
42489 +struct acl_role_db {
42490 + struct acl_role_label **r_hash;
42494 +struct inodev_db {
42495 + struct inodev_entry **i_hash;
42500 + struct name_entry **n_hash;
42504 +struct crash_uid {
42506 + unsigned long expires;
42509 +struct gr_hash_struct {
42511 + void **nametable;
42513 + __u32 table_size;
42518 +/* Userspace Grsecurity ACL data structures */
42520 +struct acl_subject_label {
42525 + kernel_cap_t cap_mask;
42526 + kernel_cap_t cap_lower;
42528 + struct rlimit res[GR_NLIMITS];
42531 + __u8 user_trans_type;
42532 + __u8 group_trans_type;
42533 + uid_t *user_transitions;
42534 + gid_t *group_transitions;
42535 + __u16 user_trans_num;
42536 + __u16 group_trans_num;
42538 + __u32 ip_proto[8];
42540 + struct acl_ip_label **ips;
42542 + __u32 inaddr_any_override;
42545 + unsigned long expires;
42547 + struct acl_subject_label *parent_subject;
42548 + struct gr_hash_struct *hash;
42549 + struct acl_subject_label *prev;
42550 + struct acl_subject_label *next;
42552 + struct acl_object_label **obj_hash;
42553 + __u32 obj_hash_size;
42557 +struct role_allowed_ip {
42561 + struct role_allowed_ip *prev;
42562 + struct role_allowed_ip *next;
42565 +struct role_transition {
42568 + struct role_transition *prev;
42569 + struct role_transition *next;
42572 +struct acl_role_label {
42577 + __u16 auth_attempts;
42578 + unsigned long expires;
42580 + struct acl_subject_label *root_label;
42581 + struct gr_hash_struct *hash;
42583 + struct acl_role_label *prev;
42584 + struct acl_role_label *next;
42586 + struct role_transition *transitions;
42587 + struct role_allowed_ip *allowed_ips;
42588 + uid_t *domain_children;
42589 + __u16 domain_child_num;
42591 + struct acl_subject_label **subj_hash;
42592 + __u32 subj_hash_size;
42595 +struct user_acl_role_db {
42596 + struct acl_role_label **r_table;
42597 + __u32 num_pointers; /* Number of allocations to track */
42598 + __u32 num_roles; /* Number of roles */
42599 + __u32 num_domain_children; /* Number of domain children */
42600 + __u32 num_subjects; /* Number of subjects */
42601 + __u32 num_objects; /* Number of objects */
42604 +struct acl_object_label {
42610 + struct acl_subject_label *nested;
42611 + struct acl_object_label *globbed;
42613 + /* next two structures not used */
42615 + struct acl_object_label *prev;
42616 + struct acl_object_label *next;
42619 +struct acl_ip_label {
42628 + /* next two structures not used */
42630 + struct acl_ip_label *prev;
42631 + struct acl_ip_label *next;
42635 + struct user_acl_role_db role_db;
42636 + unsigned char pw[GR_PW_LEN];
42637 + unsigned char salt[GR_SALT_LEN];
42638 + unsigned char sum[GR_SHA_LEN];
42639 + unsigned char sp_role[GR_SPROLE_LEN];
42640 + struct sprole_pw *sprole_pws;
42641 + dev_t segv_device;
42642 + ino_t segv_inode;
42644 + __u16 num_sprole_pws;
42648 +struct gr_arg_wrapper {
42649 + struct gr_arg *arg;
42654 +struct subject_map {
42655 + struct acl_subject_label *user;
42656 + struct acl_subject_label *kernel;
42657 + struct subject_map *prev;
42658 + struct subject_map *next;
42661 +struct acl_subj_map_db {
42662 + struct subject_map **s_hash;
42666 +/* End Data Structures Section */
42668 +/* Hash functions generated by empirical testing by Brad Spengler
42669 + Makes good use of the low bits of the inode. Generally 0-1 times
42670 + in loop for successful match. 0-3 for unsuccessful match.
42671 + Shift/add algorithm with modulus of table size and an XOR*/
42673 +static __inline__ unsigned int
42674 +rhash(const uid_t uid, const __u16 type, const unsigned int sz)
42676 + return ((((uid + type) << (16 + type)) ^ uid) % sz);
42679 + static __inline__ unsigned int
42680 +shash(const struct acl_subject_label *userp, const unsigned int sz)
42682 + return ((const unsigned long)userp % sz);
42685 +static __inline__ unsigned int
42686 +fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
42688 + return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
42691 +static __inline__ unsigned int
42692 +nhash(const char *name, const __u16 len, const unsigned int sz)
42694 + return full_name_hash((const unsigned char *)name, len) % sz;
42697 +#define FOR_EACH_ROLE_START(role) \
42698 + role = role_list; \
42701 +#define FOR_EACH_ROLE_END(role) \
42702 + role = role->prev; \
42705 +#define FOR_EACH_SUBJECT_START(role,subj,iter) \
42708 + while (iter < role->subj_hash_size) { \
42709 + if (subj == NULL) \
42710 + subj = role->subj_hash[iter]; \
42711 + if (subj == NULL) { \
42716 +#define FOR_EACH_SUBJECT_END(subj,iter) \
42717 + subj = subj->next; \
42718 + if (subj == NULL) \
42723 +#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
42724 + subj = role->hash->first; \
42725 + while (subj != NULL) {
42727 +#define FOR_EACH_NESTED_SUBJECT_END(subj) \
42728 + subj = subj->next; \
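Review bot: `rhash()` shifts by `16 + type`, which is undefined behaviour once `type` reaches 16 if `uid_t` is 32 bits wide, and the role type flags in grdefs.h go up to 0x0400. It is only safe if callers pass nothing but `GR_ROLE_USER` or `GR_ROLE_GROUP`, which the hunk does not show. All four hash helpers also compute `% sz` with no guard, so a table size of zero is a divide-by-zero in kernel context. I would state both preconditions above the helpers, for example `/* type must be GR_ROLE_USER or GR_ROLE_GROUP; sz must be non-zero */`, and have the code that sizes the tables from the userspace-supplied counts reject zero. Many lines of this new file are missing from the page, so the struct definitions could not be checked.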
42733 diff -urNp linux-2.6.33.1/include/linux/gralloc.h linux-2.6.33.1/include/linux/gralloc.h
42734 --- linux-2.6.33.1/include/linux/gralloc.h 1969-12-31 19:00:00.000000000 -0500
42735 +++ linux-2.6.33.1/include/linux/gralloc.h 2010-03-20 16:58:41.912517036 -0400
42737 +#ifndef __GRALLOC_H
42738 +#define __GRALLOC_H
42740 +void acl_free_all(void);
42741 +int acl_alloc_stack_init(unsigned long size);
42742 +void *acl_alloc(unsigned long len);
42743 +void *acl_alloc_num(unsigned long num, unsigned long len);
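Review bot: The allocator prototypes carry no statement of their contract, and `acl_alloc_num(num, len)` takes a count and an element size that are presumably multiplied. The counts in the policy structures come from userspace (`num_pointers`, `num_subjects` and the others in `user_acl_role_db`), so the header should say whether the product is checked for overflow and what is returned on failure. Suggested comment: `/* returns NULL if num * len overflows or the pool is exhausted; memory is released only by acl_free_all() */`, to be confirmed against the implementation, which is not part of this hunk.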
42746 diff -urNp linux-2.6.33.1/include/linux/grdefs.h linux-2.6.33.1/include/linux/grdefs.h
42747 --- linux-2.6.33.1/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500
42748 +++ linux-2.6.33.1/include/linux/grdefs.h 2010-03-20 16:58:41.912517036 -0400
42753 +/* Begin grsecurity status declarations */
42757 + GR_STATUS_INIT = 0x00 // disabled state
42760 +/* Begin ACL declarations */
42765 + GR_ROLE_USER = 0x0001,
42766 + GR_ROLE_GROUP = 0x0002,
42767 + GR_ROLE_DEFAULT = 0x0004,
42768 + GR_ROLE_SPECIAL = 0x0008,
42769 + GR_ROLE_AUTH = 0x0010,
42770 + GR_ROLE_NOPW = 0x0020,
42771 + GR_ROLE_GOD = 0x0040,
42772 + GR_ROLE_LEARN = 0x0080,
42773 + GR_ROLE_TPE = 0x0100,
42774 + GR_ROLE_DOMAIN = 0x0200,
42775 + GR_ROLE_PAM = 0x0400
42778 +/* ACL Subject and Object mode flags */
42780 + GR_DELETED = 0x80000000
42783 +/* ACL Object-only mode flags */
42785 + GR_READ = 0x00000001,
42786 + GR_APPEND = 0x00000002,
42787 + GR_WRITE = 0x00000004,
42788 + GR_EXEC = 0x00000008,
42789 + GR_FIND = 0x00000010,
42790 + GR_INHERIT = 0x00000020,
42791 + GR_SETID = 0x00000040,
42792 + GR_CREATE = 0x00000080,
42793 + GR_DELETE = 0x00000100,
42794 + GR_LINK = 0x00000200,
42795 + GR_AUDIT_READ = 0x00000400,
42796 + GR_AUDIT_APPEND = 0x00000800,
42797 + GR_AUDIT_WRITE = 0x00001000,
42798 + GR_AUDIT_EXEC = 0x00002000,
42799 + GR_AUDIT_FIND = 0x00004000,
42800 + GR_AUDIT_INHERIT= 0x00008000,
42801 + GR_AUDIT_SETID = 0x00010000,
42802 + GR_AUDIT_CREATE = 0x00020000,
42803 + GR_AUDIT_DELETE = 0x00040000,
42804 + GR_AUDIT_LINK = 0x00080000,
42805 + GR_PTRACERD = 0x00100000,
42806 + GR_NOPTRACE = 0x00200000,
42807 + GR_SUPPRESS = 0x00400000,
42808 + GR_NOLEARN = 0x00800000
42811 +#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
42812 + GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
42813 + GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
42815 +/* ACL subject-only mode flags */
42817 + GR_KILL = 0x00000001,
42818 + GR_VIEW = 0x00000002,
42819 + GR_PROTECTED = 0x00000004,
42820 + GR_LEARN = 0x00000008,
42821 + GR_OVERRIDE = 0x00000010,
42822 + /* just a placeholder, this mode is only used in userspace */
42823 + GR_DUMMY = 0x00000020,
42824 + GR_PROTSHM = 0x00000040,
42825 + GR_KILLPROC = 0x00000080,
42826 + GR_KILLIPPROC = 0x00000100,
42827 + /* just a placeholder, this mode is only used in userspace */
42828 + GR_NOTROJAN = 0x00000200,
42829 + GR_PROTPROCFD = 0x00000400,
42830 + GR_PROCACCT = 0x00000800,
42831 + GR_RELAXPTRACE = 0x00001000,
42832 + GR_NESTED = 0x00002000,
42833 + GR_INHERITLEARN = 0x00004000,
42834 + GR_PROCFIND = 0x00008000,
42835 + GR_POVERRIDE = 0x00010000,
42836 + GR_KERNELAUTH = 0x00020000,
42840 + GR_PAX_ENABLE_SEGMEXEC = 0x0001,
42841 + GR_PAX_ENABLE_PAGEEXEC = 0x0002,
42842 + GR_PAX_ENABLE_MPROTECT = 0x0004,
42843 + GR_PAX_ENABLE_RANDMMAP = 0x0008,
42844 + GR_PAX_ENABLE_EMUTRAMP = 0x0010,
42845 + GR_PAX_DISABLE_SEGMEXEC = 0x0100,
42846 + GR_PAX_DISABLE_PAGEEXEC = 0x0200,
42847 + GR_PAX_DISABLE_MPROTECT = 0x0400,
42848 + GR_PAX_DISABLE_RANDMMAP = 0x0800,
42849 + GR_PAX_DISABLE_EMUTRAMP = 0x1000,
42853 + GR_ID_USER = 0x01,
42854 + GR_ID_GROUP = 0x02,
42858 + GR_ID_ALLOW = 0x01,
42859 + GR_ID_DENY = 0x02,
42862 +#define GR_CRASH_RES 31
42863 +#define GR_UIDTABLE_MAX 500
42865 +/* begin resource learning section */
42867 + GR_RLIM_CPU_BUMP = 60,
42868 + GR_RLIM_FSIZE_BUMP = 50000,
42869 + GR_RLIM_DATA_BUMP = 10000,
42870 + GR_RLIM_STACK_BUMP = 1000,
42871 + GR_RLIM_CORE_BUMP = 10000,
42872 + GR_RLIM_RSS_BUMP = 500000,
42873 + GR_RLIM_NPROC_BUMP = 1,
42874 + GR_RLIM_NOFILE_BUMP = 5,
42875 + GR_RLIM_MEMLOCK_BUMP = 50000,
42876 + GR_RLIM_AS_BUMP = 500000,
42877 + GR_RLIM_LOCKS_BUMP = 2,
42878 + GR_RLIM_SIGPENDING_BUMP = 5,
42879 + GR_RLIM_MSGQUEUE_BUMP = 10000,
42880 + GR_RLIM_NICE_BUMP = 1,
42881 + GR_RLIM_RTPRIO_BUMP = 1,
42882 + GR_RLIM_RTTIME_BUMP = 1000000
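Review bot: `GR_DELETED = 0x80000000` does not fit in `int`, which is the type ISO C gives enumeration constants, so this enumerator relies on a GCC extension that silently makes the enum unsigned. That changes how the value behaves when it is compared with or stored in signed fields. Either define it outside the enum as `#define GR_DELETED 0x80000000U`, or keep it and add `/* needs GCC's extended enum range; always hold mode bits in __u32 */`. The file also mixes a `//` comment on `GR_STATUS_INIT` with `/* */` everywhere else; the block form would match the rest of the header.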
42886 diff -urNp linux-2.6.33.1/include/linux/grinternal.h linux-2.6.33.1/include/linux/grinternal.h
42887 --- linux-2.6.33.1/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
42888 +++ linux-2.6.33.1/include/linux/grinternal.h 2010-03-20 17:34:52.485855710 -0400
42890 +#ifndef __GRINTERNAL_H
42891 +#define __GRINTERNAL_H
42893 +#ifdef CONFIG_GRKERNSEC
42895 +#include <linux/fs.h>
42896 +#include <linux/mnt_namespace.h>
42897 +#include <linux/nsproxy.h>
42898 +#include <linux/gracl.h>
42899 +#include <linux/grdefs.h>
42900 +#include <linux/grmsg.h>
42902 +void gr_add_learn_entry(const char *fmt, ...)
42903 + __attribute__ ((format (printf, 1, 2)));
42904 +__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
42905 + const struct vfsmount *mnt);
42906 +__u32 gr_check_create(const struct dentry *new_dentry,
42907 + const struct dentry *parent,
42908 + const struct vfsmount *mnt, const __u32 mode);
42909 +int gr_check_protected_task(const struct task_struct *task);
42910 +__u32 to_gr_audit(const __u32 reqmode);
42911 +int gr_set_acls(const int type);
42913 +int gr_acl_is_enabled(void);
42914 +char gr_roletype_to_char(void);
42916 +void gr_handle_alertkill(struct task_struct *task);
42917 +char *gr_to_filename(const struct dentry *dentry,
42918 + const struct vfsmount *mnt);
42919 +char *gr_to_filename1(const struct dentry *dentry,
42920 + const struct vfsmount *mnt);
42921 +char *gr_to_filename2(const struct dentry *dentry,
42922 + const struct vfsmount *mnt);
42923 +char *gr_to_filename3(const struct dentry *dentry,
42924 + const struct vfsmount *mnt);
42926 +extern int grsec_enable_harden_ptrace;
42927 +extern int grsec_enable_link;
42928 +extern int grsec_enable_fifo;
42929 +extern int grsec_enable_execve;
42930 +extern int grsec_enable_shm;
42931 +extern int grsec_enable_execlog;
42932 +extern int grsec_enable_signal;
42933 +extern int grsec_enable_audit_ptrace;
42934 +extern int grsec_enable_forkfail;
42935 +extern int grsec_enable_time;
42936 +extern int grsec_enable_rofs;
42937 +extern int grsec_enable_chroot_shmat;
42938 +extern int grsec_enable_chroot_findtask;
42939 +extern int grsec_enable_chroot_mount;
42940 +extern int grsec_enable_chroot_double;
42941 +extern int grsec_enable_chroot_pivot;
42942 +extern int grsec_enable_chroot_chdir;
42943 +extern int grsec_enable_chroot_chmod;
42944 +extern int grsec_enable_chroot_mknod;
42945 +extern int grsec_enable_chroot_fchdir;
42946 +extern int grsec_enable_chroot_nice;
42947 +extern int grsec_enable_chroot_execlog;
42948 +extern int grsec_enable_chroot_caps;
42949 +extern int grsec_enable_chroot_sysctl;
42950 +extern int grsec_enable_chroot_unix;
42951 +extern int grsec_enable_tpe;
42952 +extern int grsec_tpe_gid;
42953 +extern int grsec_enable_tpe_all;
42954 +extern int grsec_enable_sidcaps;
42955 +extern int grsec_enable_socket_all;
42956 +extern int grsec_socket_all_gid;
42957 +extern int grsec_enable_socket_client;
42958 +extern int grsec_socket_client_gid;
42959 +extern int grsec_enable_socket_server;
42960 +extern int grsec_socket_server_gid;
42961 +extern int grsec_audit_gid;
42962 +extern int grsec_enable_group;
42963 +extern int grsec_enable_audit_textrel;
42964 +extern int grsec_enable_mount;
42965 +extern int grsec_enable_chdir;
42966 +extern int grsec_resource_logging;
42967 +extern int grsec_enable_blackhole;
42968 +extern int grsec_lastack_retries;
42969 +extern int grsec_lock;
42971 +extern spinlock_t grsec_alert_lock;
42972 +extern unsigned long grsec_alert_wtime;
42973 +extern unsigned long grsec_alert_fyet;
42975 +extern spinlock_t grsec_audit_lock;
42977 +extern rwlock_t grsec_exec_file_lock;
42979 +#define gr_task_fullpath(tsk) (tsk->exec_file ? \
42980 + gr_to_filename2(tsk->exec_file->f_path.dentry, \
42981 + tsk->exec_file->f_vfsmnt) : "/")
42983 +#define gr_parent_task_fullpath(tsk) (tsk->parent->exec_file ? \
42984 + gr_to_filename3(tsk->parent->exec_file->f_path.dentry, \
42985 + tsk->parent->exec_file->f_vfsmnt) : "/")
42987 +#define gr_task_fullpath0(tsk) (tsk->exec_file ? \
42988 + gr_to_filename(tsk->exec_file->f_path.dentry, \
42989 + tsk->exec_file->f_vfsmnt) : "/")
42991 +#define gr_parent_task_fullpath0(tsk) (tsk->parent->exec_file ? \
42992 + gr_to_filename1(tsk->parent->exec_file->f_path.dentry, \
42993 + tsk->parent->exec_file->f_vfsmnt) : "/")
42995 +#define proc_is_chrooted(tsk_a) ((tsk_a->pid > 1) && (tsk_a->fs != NULL) && \
42996 + ((init_task.fs->root.dentry != tsk_a->fs->root.dentry) && \
42997 + (tsk_a->nsproxy->mnt_ns->root->mnt_root != \
42998 + tsk_a->fs->root.dentry)))
43000 +#define have_same_root(tsk_a,tsk_b) ((tsk_a->fs != NULL) && (tsk_b->fs != NULL) && \
43001 + (tsk_a->fs->root.dentry == tsk_b->fs->root.dentry))
43003 +#define DEFAULTSECARGS(task, cred, pcred) gr_task_fullpath(task), task->comm, \
43004 + task->pid, cred->uid, \
43005 + cred->euid, cred->gid, cred->egid, \
43006 + gr_parent_task_fullpath(task), \
43007 + task->parent->comm, task->parent->pid, \
43008 + pcred->uid, pcred->euid, \
43009 + pcred->gid, pcred->egid
43011 +#define GR_CHROOT_CAPS {{ \
43012 + CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
43013 + CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
43014 + CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
43015 + CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
43016 + CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
43017 + CAP_TO_MASK(CAP_IPC_OWNER) , 0 }}
43019 +#define security_learn(normal_msg,args...) \
43021 + read_lock(&grsec_exec_file_lock); \
43022 + gr_add_learn_entry(normal_msg "\n", ## args); \
43023 + read_unlock(&grsec_exec_file_lock); \
43029 + GR_DONT_AUDIT_GOOD
43040 + GR_SYSCTL_HIDDEN,
43043 + GR_ONE_INT_TWO_STR,
43048 + GR_FIVE_INT_TWO_STR,
43054 + GR_FILENAME_TWO_INT,
43055 + GR_FILENAME_TWO_INT_STR,
43067 +#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
43068 +#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
43069 +#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
43070 +#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
43071 +#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
43072 +#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
43073 +#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
43074 +#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
43075 +#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
43076 +#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
43077 +#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
43078 +#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
43079 +#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
43080 +#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
43081 +#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
43082 +#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
43083 +#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
43084 +#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
43085 +#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
43086 +#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
43087 +#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
43088 +#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
43089 +#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
43090 +#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
43091 +#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
43092 +#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
43093 +#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
43094 +#define gr_log_sig_addr(audit, msg, str, addr) gr_log_varargs(audit, msg, GR_SIG, str, addr)
43095 +#define gr_log_sig_task(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG2, task, num)
43096 +#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
43097 +#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
43098 +#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
43100 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
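Review bot: `gr_log_int5_str2` selects `GR_FIVE_INT_TWO_STR` but forwards only `num1, num2, str1, str2`, so either the wrapper passes too few arguments or the tag name overstates what is read. `gr_log_varargs` is variadic and, unlike `gr_add_learn_entry`, has no `format` attribute, so the compiler cannot check that a wrapper's argument list matches what is pulled off the `va_list` for its tag; the consumer is outside this hunk, so confirm how many integers that tag actually reads. I would add above the prototype `/* argtypes selects how the trailing arguments are read; every gr_log_* wrapper must pass exactly that list, in that order */` and make the name and the argument count agree. Separately, `proc_is_chrooted`, `have_same_root` and the `gr_*_fullpath` macros expand their argument unparenthesized and more than once, so they are only safe when given a plain identifier.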
43105 diff -urNp linux-2.6.33.1/include/linux/grmsg.h linux-2.6.33.1/include/linux/grmsg.h
43106 --- linux-2.6.33.1/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
43107 +++ linux-2.6.33.1/include/linux/grmsg.h 2010-03-20 17:00:48.140865901 -0400
43109 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
43110 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
43111 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
43112 +#define GR_STOPMOD_MSG "denied modification of module state by "
43113 +#define GR_ROFS_BLOCKWRITE_MSG "denied write to block device %.950s by "
43114 +#define GR_ROFS_MOUNT_MSG "denied writable mount of %.950s by "
43115 +#define GR_IOPERM_MSG "denied use of ioperm() by "
43116 +#define GR_IOPL_MSG "denied use of iopl() by "
43117 +#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
43118 +#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
43119 +#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
43120 +#define GR_KMEM_MSG "denied write of /dev/kmem by "
43121 +#define GR_PORT_OPEN_MSG "denied open of /dev/port by "
43122 +#define GR_MEM_WRITE_MSG "denied write of /dev/mem by "
43123 +#define GR_MEM_MMAP_MSG "denied mmap write of /dev/[k]mem by "
43124 +#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
43125 +#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%pI4"
43126 +#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%pI4"
43127 +#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
43128 +#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
43129 +#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
43130 +#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
43131 +#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
43132 +#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
43133 +#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
43134 +#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%pI4 %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
43135 +#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
43136 +#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
43137 +#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
43138 +#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
43139 +#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
43140 +#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
43141 +#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
43142 +#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
43143 +#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
43144 +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
43145 +#define GR_NPROC_MSG "denied overstep of process limit by "
43146 +#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
43147 +#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
43148 +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
43149 +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
43150 +#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
43151 +#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
43152 +#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
43153 +#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
43154 +#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
43155 +#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
43156 +#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
43157 +#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
43158 +#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
43159 +#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
43160 +#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
43161 +#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
43162 +#define GR_INITF_ACL_MSG "init_variables() failed %s by "
43163 +#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
43164 +#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
43165 +#define GR_SHUTS_ACL_MSG "shutdown auth success for "
43166 +#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
43167 +#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
43168 +#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
43169 +#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
43170 +#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
43171 +#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
43172 +#define GR_ENABLEF_ACL_MSG "unable to load %s for "
43173 +#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
43174 +#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
43175 +#define GR_RELOADF_ACL_MSG "failed reload of %s for "
43176 +#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
43177 +#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
43178 +#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
43179 +#define GR_SPROLEF_ACL_MSG "special role %s failure for "
43180 +#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
43181 +#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
43182 +#define GR_INVMODE_ACL_MSG "invalid mode %d by "
43183 +#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
43184 +#define GR_FAILFORK_MSG "failed fork with errno %d by "
43185 +#define GR_NICE_CHROOT_MSG "denied priority change by "
43186 +#define GR_UNISIGLOG_MSG "%.32s occurred at %p in "
43187 +#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
43188 +#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
43189 +#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
43190 +#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
43191 +#define GR_TIME_MSG "time set by "
43192 +#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
43193 +#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
43194 +#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
43195 +#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
43196 +#define GR_SOCK2_MSG "denied socket(%d,%.16s,%.16s) by "
43197 +#define GR_BIND_MSG "denied bind() by "
43198 +#define GR_CONNECT_MSG "denied connect() by "
43199 +#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "
43200 +#define GR_CONNECT_ACL_MSG "denied connect() to %pI4 port %u sock type %.16s protocol %.16s by "
43201 +#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
43202 +#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
43203 +#define GR_CAP_ACL_MSG "use of %s denied for "
43204 +#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
43205 +#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
43206 +#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
43207 +#define GR_UNMOUNT_AUDIT_MSG "unmount of %.256s by "
43208 +#define GR_MOUNT_AUDIT_MSG "mount of %.256s to %.256s by "
43209 +#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
43210 +#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
43211 +#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
43212 +#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
43213 +#define GR_NONROOT_MODLOAD_MSG "denied kernel module auto-load of %.64s by "
43214 +#define GR_VM86_MSG "denied use of vm86 by "
43215 +#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
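Review bot: `GR_TEXTREL_AUDIT_MSG` prints its first field with a bare `%s`, while almost every other path-bearing message in this file caps the field (`%.950s`, `%.480s`, `%.256s`). If that argument is a resolved file name, as the `file` parameter of `gr_log_textrel_ulong_ulong` suggests, an over-long path can push the VMA values and the subject description out of the record; how the log buffer is bounded is not visible in this hunk. I would write it as `"text relocation in %.950s, VMA:0x%08lx 0x%08lx by "`. `GR_DEV_ACL_MSG` also carries a typo, "garbaged".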
43216 diff -urNp linux-2.6.33.1/include/linux/grsecurity.h linux-2.6.33.1/include/linux/grsecurity.h
43217 --- linux-2.6.33.1/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
43218 +++ linux-2.6.33.1/include/linux/grsecurity.h 2010-03-20 17:00:48.140865901 -0400
43220 +#ifndef GR_SECURITY_H
43221 +#define GR_SECURITY_H
43222 +#include <linux/fs.h>
43223 +#include <linux/fs_struct.h>
43224 +#include <linux/binfmts.h>
43225 +#include <linux/gracl.h>
43227 +/* notify of brain-dead configs */
43228 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
43229 +#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
43231 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
43232 +#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
43234 +#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
43235 +#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
43237 +#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
43238 +#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
43240 +#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
43241 +#error "CONFIG_PAX enabled, but no PaX options are enabled."
43244 +void gr_handle_brute_attach(struct task_struct *p);
43245 +void gr_handle_brute_check(void);
43247 +char gr_roletype_to_char(void);
43249 +int gr_check_user_change(int real, int effective, int fs);
43250 +int gr_check_group_change(int real, int effective, int fs);
43252 +void gr_del_task_from_ip_table(struct task_struct *p);
43254 +int gr_pid_is_chrooted(struct task_struct *p);
43255 +int gr_handle_chroot_nice(void);
43256 +int gr_handle_chroot_sysctl(const int op);
43257 +int gr_handle_chroot_setpriority(struct task_struct *p,
43258 + const int niceval);
43259 +int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
43260 +int gr_handle_chroot_chroot(const struct dentry *dentry,
43261 + const struct vfsmount *mnt);
43262 +int gr_handle_chroot_caps(struct path *path);
43263 +void gr_handle_chroot_chdir(struct path *path);
43264 +int gr_handle_chroot_chmod(const struct dentry *dentry,
43265 + const struct vfsmount *mnt, const int mode);
43266 +int gr_handle_chroot_mknod(const struct dentry *dentry,
43267 + const struct vfsmount *mnt, const int mode);
43268 +int gr_handle_chroot_mount(const struct dentry *dentry,
43269 + const struct vfsmount *mnt,
43270 + const char *dev_name);
43271 +int gr_handle_chroot_pivot(void);
43272 +int gr_handle_chroot_unix(const pid_t pid);
43274 +int gr_handle_rawio(const struct inode *inode);
43275 +int gr_handle_nproc(void);
43277 +void gr_handle_ioperm(void);
43278 +void gr_handle_iopl(void);
43280 +int gr_tpe_allow(const struct file *file);
43282 +int gr_random_pid(void);
43284 +void gr_log_forkfail(const int retval);
43285 +void gr_log_timechange(void);
43286 +void gr_log_signal(const int sig, const void *addr, const struct task_struct *t);
43287 +void gr_log_chdir(const struct dentry *dentry,
43288 + const struct vfsmount *mnt);
43289 +void gr_log_chroot_exec(const struct dentry *dentry,
43290 + const struct vfsmount *mnt);
43291 +void gr_handle_exec_args(struct linux_binprm *bprm, char **argv);
43292 +void gr_log_remount(const char *devname, const int retval);
43293 +void gr_log_unmount(const char *devname, const int retval);
43294 +void gr_log_mount(const char *from, const char *to, const int retval);
43295 +void gr_log_textrel(struct vm_area_struct *vma);
43297 +int gr_handle_follow_link(const struct inode *parent,
43298 + const struct inode *inode,
43299 + const struct dentry *dentry,
43300 + const struct vfsmount *mnt);
43301 +int gr_handle_fifo(const struct dentry *dentry,
43302 + const struct vfsmount *mnt,
43303 + const struct dentry *dir, const int flag,
43304 + const int acc_mode);
43305 +int gr_handle_hardlink(const struct dentry *dentry,
43306 + const struct vfsmount *mnt,
43307 + struct inode *inode,
43308 + const int mode, const char *to);
43310 +int gr_is_capable(const int cap);
43311 +int gr_is_capable_nolog(const int cap);
43312 +void gr_learn_resource(const struct task_struct *task, const int limit,
43313 + const unsigned long wanted, const int gt);
43314 +void gr_copy_label(struct task_struct *tsk);
43315 +void gr_handle_crash(struct task_struct *task, const int sig);
43316 +int gr_handle_signal(const struct task_struct *p, const int sig);
43317 +int gr_check_crash_uid(const uid_t uid);
43318 +int gr_check_protected_task(const struct task_struct *task);
43319 +int gr_acl_handle_mmap(const struct file *file,
43320 + const unsigned long prot);
43321 +int gr_acl_handle_mprotect(const struct file *file,
43322 + const unsigned long prot);
43323 +int gr_check_hidden_task(const struct task_struct *tsk);
43324 +__u32 gr_acl_handle_truncate(const struct dentry *dentry,
43325 + const struct vfsmount *mnt);
43326 +__u32 gr_acl_handle_utime(const struct dentry *dentry,
43327 + const struct vfsmount *mnt);
43328 +__u32 gr_acl_handle_access(const struct dentry *dentry,
43329 + const struct vfsmount *mnt, const int fmode);
43330 +__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
43331 + const struct vfsmount *mnt, mode_t mode);
43332 +__u32 gr_acl_handle_chmod(const struct dentry *dentry,
43333 + const struct vfsmount *mnt, mode_t mode);
43334 +__u32 gr_acl_handle_chown(const struct dentry *dentry,
43335 + const struct vfsmount *mnt);
43336 +int gr_handle_ptrace(struct task_struct *task, const long request);
43337 +int gr_handle_proc_ptrace(struct task_struct *task);
43338 +__u32 gr_acl_handle_execve(const struct dentry *dentry,
43339 + const struct vfsmount *mnt);
43340 +int gr_check_crash_exec(const struct file *filp);
43341 +int gr_acl_is_enabled(void);
43342 +void gr_set_kernel_label(struct task_struct *task);
43343 +void gr_set_role_label(struct task_struct *task, const uid_t uid,
43344 + const gid_t gid);
43345 +int gr_set_proc_label(const struct dentry *dentry,
43346 + const struct vfsmount *mnt,
43347 + const int unsafe_share);
43348 +__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
43349 + const struct vfsmount *mnt);
43350 +__u32 gr_acl_handle_open(const struct dentry *dentry,
43351 + const struct vfsmount *mnt, const int fmode);
43352 +__u32 gr_acl_handle_creat(const struct dentry *dentry,
43353 + const struct dentry *p_dentry,
43354 + const struct vfsmount *p_mnt, const int fmode,
43355 + const int imode);
43356 +void gr_handle_create(const struct dentry *dentry,
43357 + const struct vfsmount *mnt);
43358 +__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
43359 + const struct dentry *parent_dentry,
43360 + const struct vfsmount *parent_mnt,
43362 +__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
43363 + const struct dentry *parent_dentry,
43364 + const struct vfsmount *parent_mnt);
43365 +__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
43366 + const struct vfsmount *mnt);
43367 +void gr_handle_delete(const ino_t ino, const dev_t dev);
43368 +__u32 gr_acl_handle_unlink(const struct dentry *dentry,
43369 + const struct vfsmount *mnt);
43370 +__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
43371 + const struct dentry *parent_dentry,
43372 + const struct vfsmount *parent_mnt,
43373 + const char *from);
43374 +__u32 gr_acl_handle_link(const struct dentry *new_dentry,
43375 + const struct dentry *parent_dentry,
43376 + const struct vfsmount *parent_mnt,
43377 + const struct dentry *old_dentry,
43378 + const struct vfsmount *old_mnt, const char *to);
43379 +int gr_acl_handle_rename(struct dentry *new_dentry,
43380 + struct dentry *parent_dentry,
43381 + const struct vfsmount *parent_mnt,
43382 + struct dentry *old_dentry,
43383 + struct inode *old_parent_inode,
43384 + struct vfsmount *old_mnt, const char *newname);
43385 +void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
43386 + struct dentry *old_dentry,
43387 + struct dentry *new_dentry,
43388 + struct vfsmount *mnt, const __u8 replace);
43389 +__u32 gr_check_link(const struct dentry *new_dentry,
43390 + const struct dentry *parent_dentry,
43391 + const struct vfsmount *parent_mnt,
43392 + const struct dentry *old_dentry,
43393 + const struct vfsmount *old_mnt);
43394 +int gr_acl_handle_filldir(const struct file *file, const char *name,
43395 + const unsigned int namelen, const ino_t ino);
43397 +__u32 gr_acl_handle_unix(const struct dentry *dentry,
43398 + const struct vfsmount *mnt);
43399 +void gr_acl_handle_exit(void);
43400 +void gr_acl_handle_psacct(struct task_struct *task, const long code);
43401 +int gr_acl_handle_procpidmem(const struct task_struct *task);
43402 +int gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags);
43403 +int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
43404 +void gr_audit_ptrace(struct task_struct *task);
43406 +#ifdef CONFIG_GRKERNSEC
43407 +void gr_log_nonroot_mod_load(const char *modname);
43408 +void gr_handle_vm86(void);
43409 +void gr_handle_mem_write(void);
43410 +void gr_handle_kmem_write(void);
43411 +void gr_handle_open_port(void);
43412 +int gr_handle_mem_mmap(const unsigned long offset,
43413 + struct vm_area_struct *vma);
43415 +extern int grsec_enable_dmesg;
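Review bot: Nothing in this header states what the hook return values mean, and the hooks come in two shapes, `int gr_handle_*` / `gr_check_*` and `__u32 gr_acl_handle_*`. A call site that reads a result with the wrong polarity turns a denial into an allow, so the convention should be written once above the prototype list: a block comment saying, for each family, which value means the operation is refused and whether the `__u32` result is a mode mask or a boolean. The definitions are outside this hunk, so the wording has to be taken from them. `gr_roletype_to_char`, `gr_check_protected_task` and `gr_acl_is_enabled` are also declared a second time in grinternal.h; keeping a single declaration avoids the two copies drifting apart.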
43419 diff -urNp linux-2.6.33.1/include/linux/grsock.h linux-2.6.33.1/include/linux/grsock.h
43420 --- linux-2.6.33.1/include/linux/grsock.h 1969-12-31 19:00:00.000000000 -0500
43421 +++ linux-2.6.33.1/include/linux/grsock.h 2010-03-20 16:58:41.912517036 -0400
43423 +#ifndef __GRSOCK_H
43424 +#define __GRSOCK_H
43426 +extern void gr_attach_curr_ip(const struct sock *sk);
43427 +extern int gr_handle_sock_all(const int family, const int type,
43428 + const int protocol);
43429 +extern int gr_handle_sock_server(const struct sockaddr *sck);
43430 +extern int gr_handle_sock_server_other(const struct socket *sck);
43431 +extern int gr_handle_sock_client(const struct sockaddr *sck);
43432 +extern int gr_search_connect(struct socket * sock,
43433 + struct sockaddr_in * addr);
43434 +extern int gr_search_bind(struct socket * sock,
43435 + struct sockaddr_in * addr);
43436 +extern int gr_search_listen(struct socket * sock);
43437 +extern int gr_search_accept(struct socket * sock);
43438 +extern int gr_search_socket(const int domain, const int type,
43439 + const int protocol);
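Review bot: The prototypes name `struct sock`, `struct socket`, `struct sockaddr` and `struct sockaddr_in`, but the header as shown neither includes anything nor forward-declares them, so it only compiles cleanly when the including file has already pulled in the networking headers. Without a prior declaration each tag gets prototype scope, which the compiler warns about and which makes the parameter types incompatible with the real structures. Adding `struct sock; struct socket; struct sockaddr; struct sockaddr_in;` right after the include guard makes the header self-contained.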
43442 diff -urNp linux-2.6.33.1/include/linux/hdpu_features.h linux-2.6.33.1/include/linux/hdpu_features.h
43443 --- linux-2.6.33.1/include/linux/hdpu_features.h 2010-03-15 12:09:39.000000000 -0400
43444 +++ linux-2.6.33.1/include/linux/hdpu_features.h 2010-03-20 16:58:41.912517036 -0400
43446 struct cpustate_t {
43450 + atomic_t open_count;
43451 unsigned char cached_val;
43453 unsigned long *set_addr;
43454 diff -urNp linux-2.6.33.1/include/linux/highmem.h linux-2.6.33.1/include/linux/highmem.h
43455 --- linux-2.6.33.1/include/linux/highmem.h 2010-03-15 12:09:39.000000000 -0400
43456 +++ linux-2.6.33.1/include/linux/highmem.h 2010-03-20 16:58:41.912517036 -0400
43457 @@ -137,6 +137,18 @@ static inline void clear_highpage(struct
43458 kunmap_atomic(kaddr, KM_USER0);
43461 +static inline void sanitize_highpage(struct page *page)
43464 + unsigned long flags;
43466 + local_irq_save(flags);
43467 + kaddr = kmap_atomic(page, KM_CLEARPAGE);
43468 + clear_page(kaddr);
43469 + kunmap_atomic(kaddr, KM_CLEARPAGE);
43470 + local_irq_restore(flags);
43473 static inline void zero_user_segments(struct page *page,
43474 unsigned start1, unsigned end1,
43475 unsigned start2, unsigned end2)
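Review bot: `sanitize_highpage` has no comment explaining why it differs from `clear_highpage`, whose last line is visible just above as context using `KM_USER0`, whereas the new function maps through `KM_CLEARPAGE` with `local_irq_save` around it. That difference is the whole contract for callers, since it decides from which contexts the function may be used, and the hunk leaves it to be guessed. I would add a comment above the function stating the intended calling context and why interrupts are disabled around the mapping, for example `/* like clear_highpage(), but takes its own kmap slot with IRQs off so the slot cannot be reused underneath us */`, once the author confirms that reading. The body of `clear_highpage` starts outside this hunk.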
43476 diff -urNp linux-2.6.33.1/include/linux/init_task.h linux-2.6.33.1/include/linux/init_task.h
43477 --- linux-2.6.33.1/include/linux/init_task.h 2010-03-15 12:09:39.000000000 -0400
43478 +++ linux-2.6.33.1/include/linux/init_task.h 2010-03-20 16:58:41.912517036 -0400
43479 @@ -111,6 +111,13 @@ extern struct cred init_cred;
43480 # define INIT_PERF_EVENTS(tsk)
43483 +#ifdef CONFIG_GRKERNSEC
43484 +# define INIT_GR_FS_LOCK \
43485 + .gr_fs_lock = __RW_LOCK_UNLOCKED(gr_fs_lock),
43487 +# define INIT_GR_FS_LOCK
43491 * INIT_TASK is used to set up the first task table, touch at
43492 * your own risk!. Base=0, limit=0x1fffff (=2MB)
43493 @@ -180,6 +187,7 @@ extern struct cred init_cred;
43494 INIT_FTRACE_GRAPH \
43495 INIT_TRACE_RECURSION \
43496 INIT_TASK_RCU_PREEMPT(tsk) \
43497 + INIT_GR_FS_LOCK \
43501 diff -urNp linux-2.6.33.1/include/linux/interrupt.h linux-2.6.33.1/include/linux/interrupt.h
43502 --- linux-2.6.33.1/include/linux/interrupt.h 2010-03-15 12:09:39.000000000 -0400
43503 +++ linux-2.6.33.1/include/linux/interrupt.h 2010-03-20 16:58:41.912517036 -0400
43504 @@ -357,7 +357,7 @@ enum
43505 /* map softirq index to softirq name. update 'softirq_to_name' in
43506 * kernel/softirq.c when adding a new softirq.
43508 -extern char *softirq_to_name[NR_SOFTIRQS];
43509 +extern const char * const softirq_to_name[NR_SOFTIRQS];
43511 /* softirq mask and active fields moved to irq_cpustat_t in
43512 * asm/hardirq.h to get better cache usage. KAO
43513 @@ -365,12 +365,12 @@ extern char *softirq_to_name[NR_SOFTIRQS
43515 struct softirq_action
43517 - void (*action)(struct softirq_action *);
43518 + void (*action)(void);
43521 asmlinkage void do_softirq(void);
43522 asmlinkage void __do_softirq(void);
43523 -extern void open_softirq(int nr, void (*action)(struct softirq_action *));
43524 +extern void open_softirq(int nr, void (*action)(void));
43525 extern void softirq_init(void);
43526 #define __raise_softirq_irqoff(nr) do { or_softirq_pending(1UL << (nr)); } while (0)
43527 extern void raise_softirq_irqoff(unsigned int nr);
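Review bot: Narrowing `action` and `open_softirq()` to `void (*)(void)` leaves every handler still written as `void f(struct softirq_action *)` with an incompatible type, and a call site that silences the resulting diagnostic with a cast would call through a mismatched function-pointer type. The handler definitions and the `open_softirq` callers are outside this hunk, so check that each is converted in the same patch rather than cast. A one-line comment on the member, `/* handlers take no argument; do not cast old-style handlers to this type */`, would record the intent.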
43528 diff -urNp linux-2.6.33.1/include/linux/jbd2.h linux-2.6.33.1/include/linux/jbd2.h
43529 --- linux-2.6.33.1/include/linux/jbd2.h 2010-03-15 12:09:39.000000000 -0400
43530 +++ linux-2.6.33.1/include/linux/jbd2.h 2010-03-20 16:58:41.912517036 -0400
43531 @@ -66,7 +66,7 @@ extern u8 jbd2_journal_enable_debug;
43535 -#define jbd_debug(f, a...) /**/
43536 +#define jbd_debug(f, a...) do {} while (0)
43539 static inline void *jbd2_alloc(size_t size, gfp_t flags)
43540 diff -urNp linux-2.6.33.1/include/linux/jbd.h linux-2.6.33.1/include/linux/jbd.h
43541 --- linux-2.6.33.1/include/linux/jbd.h 2010-03-15 12:09:39.000000000 -0400
43542 +++ linux-2.6.33.1/include/linux/jbd.h 2010-03-20 16:58:41.916544293 -0400
43543 @@ -66,7 +66,7 @@ extern u8 journal_enable_debug;
43547 -#define jbd_debug(f, a...) /**/
43548 +#define jbd_debug(f, a...) do {} while (0)
43551 static inline void *jbd_alloc(size_t size, gfp_t flags)
43552 diff -urNp linux-2.6.33.1/include/linux/kallsyms.h linux-2.6.33.1/include/linux/kallsyms.h
43553 --- linux-2.6.33.1/include/linux/kallsyms.h 2010-03-15 12:09:39.000000000 -0400
43554 +++ linux-2.6.33.1/include/linux/kallsyms.h 2010-03-20 16:58:41.916544293 -0400
43559 -#ifdef CONFIG_KALLSYMS
43560 +#ifndef __INCLUDED_BY_HIDESYM
43561 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
43562 /* Lookup the address for a symbol. Returns 0 if not found. */
43563 unsigned long kallsyms_lookup_name(const char *name);
43565 @@ -92,6 +93,9 @@ static inline int lookup_symbol_attrs(un
43566 /* Stupid that this does nothing, but I didn't create this mess. */
43567 #define __print_symbol(fmt, addr)
43568 #endif /*CONFIG_KALLSYMS*/
43569 +#else /* when included by kallsyms.c, with HIDESYM enabled */
43570 +extern void __print_symbol(const char *fmt, unsigned long address);
43573 /* This macro allows us to keep printk typechecking */
43574 static void __check_printsym_format(const char *fmt, ...)
43575 diff -urNp linux-2.6.33.1/include/linux/kgdb.h linux-2.6.33.1/include/linux/kgdb.h
43576 --- linux-2.6.33.1/include/linux/kgdb.h 2010-03-15 12:09:39.000000000 -0400
43577 +++ linux-2.6.33.1/include/linux/kgdb.h 2010-03-20 16:58:41.916544293 -0400
43578 @@ -250,20 +250,20 @@ struct kgdb_arch {
43582 - int (*read_char) (void);
43583 - void (*write_char) (u8);
43584 - void (*flush) (void);
43585 - int (*init) (void);
43586 - void (*pre_exception) (void);
43587 - void (*post_exception) (void);
43588 + int (* const read_char) (void);
43589 + void (* const write_char) (u8);
43590 + void (* const flush) (void);
43591 + int (* const init) (void);
43592 + void (* const pre_exception) (void);
43593 + void (* const post_exception) (void);
43596 -extern struct kgdb_arch arch_kgdb_ops;
43597 +extern const struct kgdb_arch arch_kgdb_ops;
43599 extern unsigned long __weak kgdb_arch_pc(int exception, struct pt_regs *regs);
43601 -extern int kgdb_register_io_module(struct kgdb_io *local_kgdb_io_ops);
43602 -extern void kgdb_unregister_io_module(struct kgdb_io *local_kgdb_io_ops);
43603 +extern int kgdb_register_io_module(const struct kgdb_io *local_kgdb_io_ops);
43604 +extern void kgdb_unregister_io_module(const struct kgdb_io *local_kgdb_io_ops);
43606 extern int kgdb_hex2long(char **ptr, unsigned long *long_val);
43607 extern int kgdb_mem2hex(char *mem, char *buf, int count);
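Review bot: Qualifying each member as `(* const read_char)` and so on makes the struct unassignable after initialisation, but it is not guaranteed to put an instance in read-only memory; that still depends on each definition being declared `const struct ...`, which this hunk does only for `arch_kgdb_ops`. The same member-level pattern appears in `struct kset_uevent_ops` (kobject.h), `struct nlmsvc_binding` (lockd/bind.h) and `struct item_operations` (reiserfs_fs.h). Const members also break any code that fills such a struct at run time or copies one by assignment; those definition sites are outside these hunks. I would add a comment on each struct along the lines of `/* instances must be defined static const; members are const so they cannot be retargeted after init */`, so the requirement is stated where the type is declared.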
43608 diff -urNp linux-2.6.33.1/include/linux/kobject.h linux-2.6.33.1/include/linux/kobject.h
43609 --- linux-2.6.33.1/include/linux/kobject.h 2010-03-15 12:09:39.000000000 -0400
43610 +++ linux-2.6.33.1/include/linux/kobject.h 2010-03-20 16:58:41.916544293 -0400
43611 @@ -106,7 +106,7 @@ extern char *kobject_get_path(struct kob
43614 void (*release)(struct kobject *kobj);
43615 - struct sysfs_ops *sysfs_ops;
43616 + const struct sysfs_ops *sysfs_ops;
43617 struct attribute **default_attrs;
43620 @@ -118,9 +118,9 @@ struct kobj_uevent_env {
43623 struct kset_uevent_ops {
43624 - int (*filter)(struct kset *kset, struct kobject *kobj);
43625 - const char *(*name)(struct kset *kset, struct kobject *kobj);
43626 - int (*uevent)(struct kset *kset, struct kobject *kobj,
43627 + int (* const filter)(struct kset *kset, struct kobject *kobj);
43628 + const char *(* const name)(struct kset *kset, struct kobject *kobj);
43629 + int (* const uevent)(struct kset *kset, struct kobject *kobj,
43630 struct kobj_uevent_env *env);
43633 @@ -132,7 +132,7 @@ struct kobj_attribute {
43634 const char *buf, size_t count);
43637 -extern struct sysfs_ops kobj_sysfs_ops;
43638 +extern const struct sysfs_ops kobj_sysfs_ops;
43641 * struct kset - a set of kobjects of a specific type, belonging to a specific subsystem.
43642 @@ -155,14 +155,14 @@ struct kset {
43643 struct list_head list;
43644 spinlock_t list_lock;
43645 struct kobject kobj;
43646 - struct kset_uevent_ops *uevent_ops;
43647 + const struct kset_uevent_ops *uevent_ops;
43650 extern void kset_init(struct kset *kset);
43651 extern int __must_check kset_register(struct kset *kset);
43652 extern void kset_unregister(struct kset *kset);
43653 extern struct kset * __must_check kset_create_and_add(const char *name,
43654 - struct kset_uevent_ops *u,
43655 + const struct kset_uevent_ops *u,
43656 struct kobject *parent_kobj);
43658 static inline struct kset *to_kset(struct kobject *kobj)
43659 diff -urNp linux-2.6.33.1/include/linux/kvm_host.h linux-2.6.33.1/include/linux/kvm_host.h
43660 --- linux-2.6.33.1/include/linux/kvm_host.h 2010-03-15 12:09:39.000000000 -0400
43661 +++ linux-2.6.33.1/include/linux/kvm_host.h 2010-03-20 16:58:41.916544293 -0400
43662 @@ -225,7 +225,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vc
43663 void vcpu_load(struct kvm_vcpu *vcpu);
43664 void vcpu_put(struct kvm_vcpu *vcpu);
43666 -int kvm_init(void *opaque, unsigned int vcpu_size,
43667 +int kvm_init(const void *opaque, unsigned int vcpu_size,
43668 struct module *module);
43669 void kvm_exit(void);
43671 @@ -332,7 +332,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
43672 struct kvm_guest_debug *dbg);
43673 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
43675 -int kvm_arch_init(void *opaque);
43676 +int kvm_arch_init(const void *opaque);
43677 void kvm_arch_exit(void);
43679 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
43680 diff -urNp linux-2.6.33.1/include/linux/libata.h linux-2.6.33.1/include/linux/libata.h
43681 --- linux-2.6.33.1/include/linux/libata.h 2010-03-15 12:09:39.000000000 -0400
43682 +++ linux-2.6.33.1/include/linux/libata.h 2010-03-20 16:58:41.916544293 -0400
43683 @@ -64,11 +64,11 @@
43684 #ifdef ATA_VERBOSE_DEBUG
43685 #define VPRINTK(fmt, args...) printk(KERN_ERR "%s: " fmt, __func__, ## args)
43687 -#define VPRINTK(fmt, args...)
43688 +#define VPRINTK(fmt, args...) do {} while (0)
43689 #endif /* ATA_VERBOSE_DEBUG */
43691 -#define DPRINTK(fmt, args...)
43692 -#define VPRINTK(fmt, args...)
43693 +#define DPRINTK(fmt, args...) do {} while (0)
43694 +#define VPRINTK(fmt, args...) do {} while (0)
43695 #endif /* ATA_DEBUG */
43697 #define BPRINTK(fmt, args...) if (ap->flags & ATA_FLAG_DEBUGMSG) printk(KERN_ERR "%s: " fmt, __func__, ## args)
43698 @@ -524,11 +524,11 @@ struct ata_ioports {
43702 - struct device *dev;
43703 + struct device *dev;
43704 void __iomem * const *iomap;
43705 unsigned int n_ports;
43706 void *private_data;
43707 - struct ata_port_operations *ops;
43708 + const struct ata_port_operations *ops;
43709 unsigned long flags;
43710 #ifdef CONFIG_ATA_ACPI
43711 acpi_handle acpi_handle;
43712 @@ -710,7 +710,7 @@ struct ata_link {
43715 struct Scsi_Host *scsi_host; /* our co-allocated scsi host */
43716 - struct ata_port_operations *ops;
43717 + const struct ata_port_operations *ops;
43719 /* Flags owned by the EH context. Only EH should touch these once the
43721 @@ -892,7 +892,7 @@ struct ata_port_info {
43722 unsigned long pio_mask;
43723 unsigned long mwdma_mask;
43724 unsigned long udma_mask;
43725 - struct ata_port_operations *port_ops;
43726 + const struct ata_port_operations *port_ops;
43727 void *private_data;
43730 @@ -916,7 +916,7 @@ extern const unsigned long sata_deb_timi
43731 extern const unsigned long sata_deb_timing_hotplug[];
43732 extern const unsigned long sata_deb_timing_long[];
43734 -extern struct ata_port_operations ata_dummy_port_ops;
43735 +extern const struct ata_port_operations ata_dummy_port_ops;
43736 extern const struct ata_port_info ata_dummy_port_info;
43738 static inline const unsigned long *
43739 @@ -962,7 +962,7 @@ extern int ata_host_activate(struct ata_
43740 struct scsi_host_template *sht);
43741 extern void ata_host_detach(struct ata_host *host);
43742 extern void ata_host_init(struct ata_host *, struct device *,
43743 - unsigned long, struct ata_port_operations *);
43744 + unsigned long, const struct ata_port_operations *);
43745 extern int ata_scsi_detect(struct scsi_host_template *sht);
43746 extern int ata_scsi_ioctl(struct scsi_device *dev, int cmd, void __user *arg);
43747 extern int ata_scsi_queuecmd(struct scsi_cmnd *cmd, void (*done)(struct scsi_cmnd *));
43748 diff -urNp linux-2.6.33.1/include/linux/lockd/bind.h linux-2.6.33.1/include/linux/lockd/bind.h
43749 --- linux-2.6.33.1/include/linux/lockd/bind.h 2010-03-15 12:09:39.000000000 -0400
43750 +++ linux-2.6.33.1/include/linux/lockd/bind.h 2010-03-20 16:58:41.916544293 -0400
43751 @@ -23,13 +23,13 @@ struct svc_rqst;
43752 * This is the set of functions for lockd->nfsd communication
43754 struct nlmsvc_binding {
43755 - __be32 (*fopen)(struct svc_rqst *,
43756 + __be32 (* const fopen)(struct svc_rqst *,
43759 - void (*fclose)(struct file *);
43760 + void (* const fclose)(struct file *);
43763 -extern struct nlmsvc_binding * nlmsvc_ops;
43764 +extern const struct nlmsvc_binding * nlmsvc_ops;
43767 * Similar to nfs_client_initdata, but without the NFS-specific
43768 diff -urNp linux-2.6.33.1/include/linux/mm.h linux-2.6.33.1/include/linux/mm.h
43769 --- linux-2.6.33.1/include/linux/mm.h 2010-03-15 12:09:39.000000000 -0400
43770 +++ linux-2.6.33.1/include/linux/mm.h 2010-03-20 16:58:41.916544293 -0400
43771 @@ -106,6 +106,10 @@ extern unsigned int kobjsize(const void
43772 #define VM_PFN_AT_MMAP 0x40000000 /* PFNMAP vma that is fully mapped at mmap time */
43773 #define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */
43775 +#ifdef CONFIG_PAX_PAGEEXEC
43776 +#define VM_PAGEEXEC 0x80000000 /* vma->vm_page_prot needs special handling */
43779 #ifndef VM_STACK_DEFAULT_FLAGS /* arch can override this */
43780 #define VM_STACK_DEFAULT_FLAGS VM_DATA_DEFAULT_FLAGS
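Review bot: `VM_PAGEEXEC` is defined as 0x80000000, the same bit that the context line directly above assigns to `VM_MERGEABLE`. On a build with both CONFIG_PAX_PAGEEXEC and KSM enabled, a vma flagged by one feature would be read as flagged by the other, so the "special handling" of `vm_page_prot` could be triggered or skipped by a KSM merge hint. Whether Kconfig makes the two options mutually exclusive is not visible in this hunk. If it does, say so in the comment, e.g. `/* shares the VM_MERGEABLE bit: PAGEEXEC and KSM must not be enabled together */`; if not, the flag needs a bit of its own.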
43782 @@ -895,6 +899,8 @@ struct shrinker {
43783 extern void register_shrinker(struct shrinker *);
43784 extern void unregister_shrinker(struct shrinker *);
43786 +pgprot_t vm_get_page_prot(unsigned long vm_flags);
43788 int vma_wants_writenotify(struct vm_area_struct *vma);
43790 extern pte_t *get_locked_pte(struct mm_struct *mm, unsigned long addr, spinlock_t **ptl);
43791 @@ -1171,6 +1177,7 @@ out:
43794 extern int do_munmap(struct mm_struct *, unsigned long, size_t);
43795 +extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
43797 extern unsigned long do_brk(unsigned long, unsigned long);
43799 @@ -1225,6 +1232,10 @@ extern struct vm_area_struct * find_vma(
43800 extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
43801 struct vm_area_struct **pprev);
43803 +extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
43804 +extern void pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
43805 +extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
43807 /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
43808 NULL if none. Assume start_addr < end_addr. */
43809 static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
43810 @@ -1241,7 +1252,6 @@ static inline unsigned long vma_pages(st
43811 return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
43814 -pgprot_t vm_get_page_prot(unsigned long vm_flags);
43815 struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
43816 int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
43817 unsigned long pfn, unsigned long size, pgprot_t);
43818 @@ -1344,8 +1354,14 @@ extern int unpoison_memory(unsigned long
43819 extern int sysctl_memory_failure_early_kill;
43820 extern int sysctl_memory_failure_recovery;
43821 extern void shake_page(struct page *p, int access);
43822 -extern atomic_long_t mce_bad_pages;
43823 +extern atomic_long_unchecked_t mce_bad_pages;
43824 extern int soft_offline_page(struct page *page, int flags);
43826 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
43827 +extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
43829 +static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
43832 #endif /* __KERNEL__ */
43833 #endif /* _LINUX_MM_H */
43834 diff -urNp linux-2.6.33.1/include/linux/mm_types.h linux-2.6.33.1/include/linux/mm_types.h
43835 --- linux-2.6.33.1/include/linux/mm_types.h 2010-03-15 12:09:39.000000000 -0400
43836 +++ linux-2.6.33.1/include/linux/mm_types.h 2010-03-20 16:58:41.916544293 -0400
43837 @@ -188,6 +188,8 @@ struct vm_area_struct {
43839 struct mempolicy *vm_policy; /* NUMA policy for the VMA */
43842 + struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
43845 struct core_thread {
43846 @@ -291,6 +293,24 @@ struct mm_struct {
43847 #ifdef CONFIG_MMU_NOTIFIER
43848 struct mmu_notifier_mm *mmu_notifier_mm;
43851 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
43852 + unsigned long pax_flags;
43855 +#ifdef CONFIG_PAX_DLRESOLVE
43856 + unsigned long call_dl_resolve;
43859 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
43860 + unsigned long call_syscall;
43863 +#ifdef CONFIG_PAX_ASLR
43864 + unsigned long delta_mmap; /* randomized offset */
43865 + unsigned long delta_stack; /* randomized offset */
43870 /* Future-safe accessor for struct mm_struct's cpu_vm_mask. */
43871 diff -urNp linux-2.6.33.1/include/linux/mmu_notifier.h linux-2.6.33.1/include/linux/mmu_notifier.h
43872 --- linux-2.6.33.1/include/linux/mmu_notifier.h 2010-03-15 12:09:39.000000000 -0400
43873 +++ linux-2.6.33.1/include/linux/mmu_notifier.h 2010-03-20 16:58:41.916544293 -0400
43874 @@ -235,12 +235,12 @@ static inline void mmu_notifier_mm_destr
43876 #define ptep_clear_flush_notify(__vma, __address, __ptep) \
43880 struct vm_area_struct *___vma = __vma; \
43881 unsigned long ___address = __address; \
43882 - __pte = ptep_clear_flush(___vma, ___address, __ptep); \
43883 + ___pte = ptep_clear_flush(___vma, ___address, __ptep); \
43884 mmu_notifier_invalidate_page(___vma->vm_mm, ___address); \
43889 #define ptep_clear_flush_young_notify(__vma, __address, __ptep) \
43890 diff -urNp linux-2.6.33.1/include/linux/mod_devicetable.h linux-2.6.33.1/include/linux/mod_devicetable.h
43891 --- linux-2.6.33.1/include/linux/mod_devicetable.h 2010-03-15 12:09:39.000000000 -0400
43892 +++ linux-2.6.33.1/include/linux/mod_devicetable.h 2010-03-20 16:58:41.916544293 -0400
43894 typedef unsigned long kernel_ulong_t;
43897 -#define PCI_ANY_ID (~0)
43898 +#define PCI_ANY_ID ((__u16)~0)
43900 struct pci_device_id {
43901 __u32 vendor, device; /* Vendor and device ID or PCI_ANY_ID*/
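Review bot: `PCI_ANY_ID` becomes `((__u16)~0)`, i.e. 0xFFFF, but the context line below shows `struct pci_device_id` storing `vendor` and `device` as `__u32`, so the wildcard written into a table changes from 0xFFFFFFFF to 0x0000FFFF. Code that compares a field with `PCI_ANY_ID` stays self-consistent, but anything that tests for the old all-ones value, such as a tool reading the exported device table or code using a literal `~0`, would no longer see a wildcard. Those consumers are outside this hunk. `HID_ANY_ID` in the next hunk is changed to `(~0U)`, which keeps all 32 bits set; unless the narrowing is required, `#define PCI_ANY_ID (~0U)` would be the consistent choice. Either way the macro should carry a comment stating the intended width.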
43902 @@ -131,7 +131,7 @@ struct usb_device_id {
43903 #define USB_DEVICE_ID_MATCH_INT_SUBCLASS 0x0100
43904 #define USB_DEVICE_ID_MATCH_INT_PROTOCOL 0x0200
43906 -#define HID_ANY_ID (~0)
43907 +#define HID_ANY_ID (~0U)
43909 struct hid_device_id {
43911 diff -urNp linux-2.6.33.1/include/linux/module.h linux-2.6.33.1/include/linux/module.h
43912 --- linux-2.6.33.1/include/linux/module.h 2010-03-15 12:09:39.000000000 -0400
43913 +++ linux-2.6.33.1/include/linux/module.h 2010-03-20 16:58:41.916544293 -0400
43914 @@ -289,16 +289,16 @@ struct module
43917 /* If this is non-NULL, vfree after init() returns */
43918 - void *module_init;
43919 + void *module_init_rx, *module_init_rw;
43921 /* Here is the actual code + data, vfree'd on unload. */
43922 - void *module_core;
43923 + void *module_core_rx, *module_core_rw;
43925 /* Here are the sizes of the init and core sections */
43926 - unsigned int init_size, core_size;
43927 + unsigned int init_size_rw, core_size_rw;
43929 /* The size of the executable code in each section. */
43930 - unsigned int init_text_size, core_text_size;
43931 + unsigned int init_size_rx, core_size_rx;
43933 /* Arch-specific module values */
43934 struct mod_arch_specific arch;
43935 @@ -395,16 +395,46 @@ struct module *__module_address(unsigned
43936 bool is_module_address(unsigned long addr);
43937 bool is_module_text_address(unsigned long addr);
43939 +static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
43942 +#ifdef CONFIG_PAX_KERNEXEC
43943 + if (ktla_ktva(addr) >= (unsigned long)start &&
43944 + ktla_ktva(addr) < (unsigned long)start + size)
43948 + return ((void *)addr >= start && (void *)addr < start + size);
43951 +static inline int within_module_core_rx(unsigned long addr, struct module *mod)
43953 + return within_module_range(addr, mod->module_core_rx, mod->core_size_rx);
43956 +static inline int within_module_core_rw(unsigned long addr, struct module *mod)
43958 + return within_module_range(addr, mod->module_core_rw, mod->core_size_rw);
43961 +static inline int within_module_init_rx(unsigned long addr, struct module *mod)
43963 + return within_module_range(addr, mod->module_init_rx, mod->init_size_rx);
43966 +static inline int within_module_init_rw(unsigned long addr, struct module *mod)
43968 + return within_module_range(addr, mod->module_init_rw, mod->init_size_rw);
43971 static inline int within_module_core(unsigned long addr, struct module *mod)
43973 - return (unsigned long)mod->module_core <= addr &&
43974 - addr < (unsigned long)mod->module_core + mod->core_size;
43975 + return within_module_core_rx(addr, mod) || within_module_core_rw(addr, mod);
43978 static inline int within_module_init(unsigned long addr, struct module *mod)
43980 - return (unsigned long)mod->module_init <= addr &&
43981 - addr < (unsigned long)mod->module_init + mod->init_size;
43982 + return within_module_init_rx(addr, mod) || within_module_init_rw(addr, mod);
43985 /* Search for module by name: must hold module_mutex. */
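Review bot: In `within_module_range` the fallback `return ((void *)addr >= start && (void *)addr < start + size);` does arithmetic on a `void *`, a GNU extension, while the CONFIG_PAX_KERNEXEC branch directly above compares as `unsigned long`. Keeping both tests in the integer domain reads more cleanly: `return addr >= (unsigned long)start && addr < (unsigned long)start + size;`. The helper also has no comment explaining why a KERNEXEC build tests the `ktla_ktva()`-translated address as well as the raw one; a one-line comment above the function would save the next reader a search. Some lines of the function are missing from this listing, so the control flow between the two tests is inferred.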
43986 diff -urNp linux-2.6.33.1/include/linux/moduleloader.h linux-2.6.33.1/include/linux/moduleloader.h
43987 --- linux-2.6.33.1/include/linux/moduleloader.h 2010-03-15 12:09:39.000000000 -0400
43988 +++ linux-2.6.33.1/include/linux/moduleloader.h 2010-03-20 16:58:41.916544293 -0400
43989 @@ -20,9 +20,21 @@ unsigned int arch_mod_section_prepend(st
43990 sections. Returns NULL on failure. */
43991 void *module_alloc(unsigned long size);
43993 +#ifdef CONFIG_PAX_KERNEXEC
43994 +void *module_alloc_exec(unsigned long size);
43996 +#define module_alloc_exec(x) module_alloc(x)
43999 /* Free memory returned from module_alloc. */
44000 void module_free(struct module *mod, void *module_region);
44002 +#ifdef CONFIG_PAX_KERNEXEC
44003 +void module_free_exec(struct module *mod, void *module_region);
44005 +#define module_free_exec(x, y) module_free((x), (y))
44008 /* Apply the given relocation to the (simplified) ELF. Return -error
44010 int apply_relocate(Elf_Shdr *sechdrs,
44011 diff -urNp linux-2.6.33.1/include/linux/namei.h linux-2.6.33.1/include/linux/namei.h
44012 --- linux-2.6.33.1/include/linux/namei.h 2010-03-15 12:09:39.000000000 -0400
44013 +++ linux-2.6.33.1/include/linux/namei.h 2010-03-20 16:58:41.916544293 -0400
44014 @@ -22,7 +22,7 @@ struct nameidata {
44015 unsigned int flags;
44018 - char *saved_names[MAX_NESTED_LINKS + 1];
44019 + const char *saved_names[MAX_NESTED_LINKS + 1];
44023 @@ -81,12 +81,12 @@ extern int follow_up(struct path *);
44024 extern struct dentry *lock_rename(struct dentry *, struct dentry *);
44025 extern void unlock_rename(struct dentry *, struct dentry *);
44027 -static inline void nd_set_link(struct nameidata *nd, char *path)
44028 +static inline void nd_set_link(struct nameidata *nd, const char *path)
44030 nd->saved_names[nd->depth] = path;
44033 -static inline char *nd_get_link(struct nameidata *nd)
44034 +static inline const char *nd_get_link(const struct nameidata *nd)
44036 return nd->saved_names[nd->depth];
44038 diff -urNp linux-2.6.33.1/include/linux/nodemask.h linux-2.6.33.1/include/linux/nodemask.h
44039 --- linux-2.6.33.1/include/linux/nodemask.h 2010-03-15 12:09:39.000000000 -0400
44040 +++ linux-2.6.33.1/include/linux/nodemask.h 2010-03-20 16:58:41.916544293 -0400
44041 @@ -469,11 +469,11 @@ static inline int num_node_state(enum no
44043 #define any_online_node(mask) \
44046 - for_each_node_mask(node, (mask)) \
44047 - if (node_online(node)) \
44049 + for_each_node_mask(__node, (mask)) \
44050 + if (node_online(__node)) \
44056 #define num_online_nodes() num_node_state(N_ONLINE)
44057 diff -urNp linux-2.6.33.1/include/linux/oprofile.h linux-2.6.33.1/include/linux/oprofile.h
44058 --- linux-2.6.33.1/include/linux/oprofile.h 2010-03-15 12:09:39.000000000 -0400
44059 +++ linux-2.6.33.1/include/linux/oprofile.h 2010-03-20 16:58:41.920592896 -0400
44060 @@ -129,9 +129,9 @@ int oprofilefs_create_ulong(struct super
44061 int oprofilefs_create_ro_ulong(struct super_block * sb, struct dentry * root,
44062 char const * name, ulong * val);
44064 -/** Create a file for read-only access to an atomic_t. */
44065 +/** Create a file for read-only access to an atomic_unchecked_t. */
44066 int oprofilefs_create_ro_atomic(struct super_block * sb, struct dentry * root,
44067 - char const * name, atomic_t * val);
44068 + char const * name, atomic_unchecked_t * val);
44070 /** create a directory */
44071 struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
44072 diff -urNp linux-2.6.33.1/include/linux/pipe_fs_i.h linux-2.6.33.1/include/linux/pipe_fs_i.h
44073 --- linux-2.6.33.1/include/linux/pipe_fs_i.h 2010-03-15 12:09:39.000000000 -0400
44074 +++ linux-2.6.33.1/include/linux/pipe_fs_i.h 2010-03-20 16:58:41.920592896 -0400
44075 @@ -46,9 +46,9 @@ struct pipe_inode_info {
44076 wait_queue_head_t wait;
44077 unsigned int nrbufs, curbuf;
44078 struct page *tmp_page;
44079 - unsigned int readers;
44080 - unsigned int writers;
44081 - unsigned int waiting_writers;
44082 + atomic_t readers;
44083 + atomic_t writers;
44084 + atomic_t waiting_writers;
44085 unsigned int r_counter;
44086 unsigned int w_counter;
44087 struct fasync_struct *fasync_readers;
44088 diff -urNp linux-2.6.33.1/include/linux/poison.h linux-2.6.33.1/include/linux/poison.h
44089 --- linux-2.6.33.1/include/linux/poison.h 2010-03-15 12:09:39.000000000 -0400
44090 +++ linux-2.6.33.1/include/linux/poison.h 2010-03-20 16:58:41.920592896 -0400
44092 * under normal circumstances, used to verify that nobody uses
44093 * non-initialized list entries.
44095 -#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA)
44096 -#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA)
44097 +#define LIST_POISON1 ((void *) (long)0xFFFFFF01)
44098 +#define LIST_POISON2 ((void *) (long)0xFFFFFF02)
44100 /********** include/linux/timer.h **********/
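Review bot: On an LP64 build `(long)0xFFFFFF01` does not sign-extend: the literal has type `unsigned int`, so the cast yields 0x00000000FFFFFF01. The new `LIST_POISON1`/`LIST_POISON2` therefore sit just below 4 GiB, in the user half of the address space, rather than at the top of the kernel range as they do on 32-bit. The replaced definitions also added `POISON_POINTER_DELTA`, which this hunk drops without a replacement. Whether the low address is deliberate (for instance because another part of the patch makes that range inaccessible from kernel mode) is not visible here. If it is not, write the sign extension explicitly, `((void *) (long)(int)0xFFFFFF01)`. In either case add a comment stating which address range the poison is meant to fall in on each word size.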
44102 diff -urNp linux-2.6.33.1/include/linux/proc_fs.h linux-2.6.33.1/include/linux/proc_fs.h
44103 --- linux-2.6.33.1/include/linux/proc_fs.h 2010-03-15 12:09:39.000000000 -0400
44104 +++ linux-2.6.33.1/include/linux/proc_fs.h 2010-03-20 16:58:41.920592896 -0400
44105 @@ -155,6 +155,19 @@ static inline struct proc_dir_entry *pro
44106 return proc_create_data(name, mode, parent, proc_fops, NULL);
44109 +static inline struct proc_dir_entry *proc_create_grsec(const char *name, mode_t mode,
44110 + struct proc_dir_entry *parent, const struct file_operations *proc_fops)
44112 +#ifdef CONFIG_GRKERNSEC_PROC_USER
44113 + return proc_create_data(name, S_IRUSR, parent, proc_fops, NULL);
44114 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
44115 + return proc_create_data(name, S_IRUSR | S_IRGRP, parent, proc_fops, NULL);
44117 + return proc_create_data(name, mode, parent, proc_fops, NULL);
44122 static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
44123 mode_t mode, struct proc_dir_entry *base,
44124 read_proc_t *read_proc, void * data)
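Review bot: `proc_create_grsec` discards the caller's `mode` in the two hardened branches and substitutes `S_IRUSR` or `S_IRUSR | S_IRGRP`, so any write bit a caller passes disappears and the entry becomes read-only. That is presumably intended for informational entries, but nothing at the definition says so. Add a comment above it such as `/* read-only /proc entries only: under GRKERNSEC_PROC_USER/USERGROUP the requested mode is replaced, not masked */`. If a writable entry ever needs the same restriction, masking the requested mode (`mode & (S_IRUSR | S_IWUSR)`) would preserve the owner's write bit while still removing group and other access.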
44125 diff -urNp linux-2.6.33.1/include/linux/random.h linux-2.6.33.1/include/linux/random.h
44126 --- linux-2.6.33.1/include/linux/random.h 2010-03-15 12:09:39.000000000 -0400
44127 +++ linux-2.6.33.1/include/linux/random.h 2010-03-20 16:58:41.920592896 -0400
44128 @@ -74,6 +74,11 @@ unsigned long randomize_range(unsigned l
44129 u32 random32(void);
44130 void srandom32(u32 seed);
44132 +static inline unsigned long pax_get_random_long(void)
44134 + return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
44137 #endif /* __KERNEL___ */
44139 #endif /* _LINUX_RANDOM_H */
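Review bot: `pax_get_random_long()` builds its result from `random32()`, the kernel's fast statistical PRNG, not from the entropy-pool interface. If the value feeds address-space randomisation (the `delta_mmap`/`delta_stack` fields this patch adds in mm_types.h suggest so, but the callers are not in this hunk), the randomisation is only as unpredictable as that generator's internal state. Consider filling the result with `get_random_bytes(&val, sizeof(val));`, or add a comment above the function stating why the weaker source is acceptable for its callers. The helper would also benefit from a one-line comment saying that on 32-bit builds only a single `random32()` call contributes.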
44140 diff -urNp linux-2.6.33.1/include/linux/reiserfs_fs.h linux-2.6.33.1/include/linux/reiserfs_fs.h
44141 --- linux-2.6.33.1/include/linux/reiserfs_fs.h 2010-03-15 12:09:39.000000000 -0400
44142 +++ linux-2.6.33.1/include/linux/reiserfs_fs.h 2010-03-20 16:58:41.920592896 -0400
44143 @@ -1404,7 +1404,7 @@ static inline loff_t max_reiserfs_offset
44144 #define REISERFS_USER_MEM 1 /* reiserfs user memory mode */
44146 #define fs_generation(s) (REISERFS_SB(s)->s_generation_counter)
44147 -#define get_generation(s) atomic_read (&fs_generation(s))
44148 +#define get_generation(s) atomic_read_unchecked (&fs_generation(s))
44149 #define FILESYSTEM_CHANGED_TB(tb) (get_generation((tb)->tb_sb) != (tb)->fs_gen)
44150 #define __fs_changed(gen,s) (gen != get_generation (s))
44151 #define fs_changed(gen,s) \
44152 @@ -1616,24 +1616,24 @@ static inline struct super_block *sb_fro
44155 struct item_operations {
44156 - int (*bytes_number) (struct item_head * ih, int block_size);
44157 - void (*decrement_key) (struct cpu_key *);
44158 - int (*is_left_mergeable) (struct reiserfs_key * ih,
44159 + int (* const bytes_number) (struct item_head * ih, int block_size);
44160 + void (* const decrement_key) (struct cpu_key *);
44161 + int (* const is_left_mergeable) (struct reiserfs_key * ih,
44162 unsigned long bsize);
44163 - void (*print_item) (struct item_head *, char *item);
44164 - void (*check_item) (struct item_head *, char *item);
44165 + void (* const print_item) (struct item_head *, char *item);
44166 + void (* const check_item) (struct item_head *, char *item);
44168 - int (*create_vi) (struct virtual_node * vn, struct virtual_item * vi,
44169 + int (* const create_vi) (struct virtual_node * vn, struct virtual_item * vi,
44170 int is_affected, int insert_size);
44171 - int (*check_left) (struct virtual_item * vi, int free,
44172 + int (* const check_left) (struct virtual_item * vi, int free,
44173 int start_skip, int end_skip);
44174 - int (*check_right) (struct virtual_item * vi, int free);
44175 - int (*part_size) (struct virtual_item * vi, int from, int to);
44176 - int (*unit_num) (struct virtual_item * vi);
44177 - void (*print_vi) (struct virtual_item * vi);
44178 + int (* const check_right) (struct virtual_item * vi, int free);
44179 + int (* const part_size) (struct virtual_item * vi, int from, int to);
44180 + int (* const unit_num) (struct virtual_item * vi);
44181 + void (* const print_vi) (struct virtual_item * vi);
44184 -extern struct item_operations *item_ops[TYPE_ANY + 1];
44185 +extern const struct item_operations * const item_ops[TYPE_ANY + 1];
44187 #define op_bytes_number(ih,bsize) item_ops[le_ih_k_type (ih)]->bytes_number (ih, bsize)
44188 #define op_is_left_mergeable(key,bsize) item_ops[le_key_k_type (le_key_version (key), key)]->is_left_mergeable (key, bsize)
44189 diff -urNp linux-2.6.33.1/include/linux/reiserfs_fs_sb.h linux-2.6.33.1/include/linux/reiserfs_fs_sb.h
44190 --- linux-2.6.33.1/include/linux/reiserfs_fs_sb.h 2010-03-15 12:09:39.000000000 -0400
44191 +++ linux-2.6.33.1/include/linux/reiserfs_fs_sb.h 2010-03-20 16:58:41.920592896 -0400
44192 @@ -386,7 +386,7 @@ struct reiserfs_sb_info {
44193 /* Comment? -Hans */
44194 wait_queue_head_t s_wait;
44195 /* To be obsoleted soon by per buffer seals.. -Hans */
44196 - atomic_t s_generation_counter; // increased by one every time the
44197 + atomic_unchecked_t s_generation_counter; // increased by one every time the
44198 // tree gets re-balanced
44199 unsigned long s_properties; /* File system properties. Currently holds
44200 on-disk FS format */
44201 diff -urNp linux-2.6.33.1/include/linux/sched.h linux-2.6.33.1/include/linux/sched.h
44202 --- linux-2.6.33.1/include/linux/sched.h 2010-03-15 12:09:39.000000000 -0400
44203 +++ linux-2.6.33.1/include/linux/sched.h 2010-03-20 16:58:41.920592896 -0400
44204 @@ -101,6 +101,7 @@ struct bio;
44206 struct bts_context;
44207 struct perf_event_context;
44208 +struct linux_binprm;
44211 * List of flags we want to share for kernel threads,
44212 @@ -678,6 +679,15 @@ struct signal_struct {
44213 struct tty_audit_buf *tty_audit_buf;
44216 +#ifdef CONFIG_GRKERNSEC
44222 + u8 used_accept:1;
44225 int oom_adj; /* OOM kill score adjustment (bit shift) */
44228 @@ -1234,7 +1244,7 @@ struct rcu_node;
44230 struct task_struct {
44231 volatile long state; /* -1 unrunnable, 0 runnable, >0 stopped */
44233 + struct thread_info *stack;
44235 unsigned int flags; /* per process flags, defined below */
44236 unsigned int ptrace;
44237 @@ -1346,8 +1356,8 @@ struct task_struct {
44238 struct list_head thread_group;
44240 struct completion *vfork_done; /* for vfork() */
44241 - int __user *set_child_tid; /* CLONE_CHILD_SETTID */
44242 - int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
44243 + pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
44244 + pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
44246 cputime_t utime, stime, utimescaled, stimescaled;
44248 @@ -1363,16 +1373,6 @@ struct task_struct {
44249 struct task_cputime cputime_expires;
44250 struct list_head cpu_timers[3];
44252 -/* process credentials */
44253 - const struct cred *real_cred; /* objective and real subjective task
44254 - * credentials (COW) */
44255 - const struct cred *cred; /* effective (overridable) subjective task
44256 - * credentials (COW) */
44257 - struct mutex cred_guard_mutex; /* guard against foreign influences on
44258 - * credential calculations
44259 - * (notably. ptrace) */
44260 - struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
44262 char comm[TASK_COMM_LEN]; /* executable name excluding path
44263 - access with [gs]et_task_comm (which lock
44264 it with task_lock())
44265 @@ -1456,6 +1456,15 @@ struct task_struct {
44266 int softirqs_enabled;
44267 int softirq_context;
44270 +/* process credentials */
44271 + const struct cred *real_cred; /* objective and real subjective task
44272 + * credentials (COW) */
44273 + struct mutex cred_guard_mutex; /* guard against foreign influences on
44274 + * credential calculations
44275 + * (notably. ptrace) */
44276 + struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
44278 #ifdef CONFIG_LOCKDEP
44279 # define MAX_LOCK_DEPTH 48UL
44280 u64 curr_chain_key;
44281 @@ -1476,6 +1485,9 @@ struct task_struct {
44283 struct backing_dev_info *backing_dev_info;
44285 + const struct cred *cred; /* effective (overridable) subjective task
44286 + * credentials (COW) */
44288 struct io_context *io_context;
44290 unsigned long ptrace_message;
44291 @@ -1539,6 +1551,19 @@ struct task_struct {
44292 unsigned long default_timer_slack_ns;
44294 struct list_head *scm_work_list;
44296 +#ifdef CONFIG_GRKERNSEC
44298 + rwlock_t gr_fs_lock;
44299 + struct acl_subject_label *acl;
44300 + struct acl_role_label *role;
44301 + struct file *exec_file;
44308 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
44309 /* Index of current stored adress in ret_stack */
44310 int curr_ret_stack;
44311 @@ -1571,6 +1596,52 @@ struct task_struct {
44315 +#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
44316 +#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
44317 +#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
44318 +#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
44319 +/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
44320 +#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
44322 +#ifdef CONFIG_PAX_SOFTMODE
44323 +extern unsigned int pax_softmode;
44326 +extern int pax_check_flags(unsigned long *);
44328 +/* if tsk != current then task_lock must be held on it */
44329 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
44330 +static inline unsigned long pax_get_flags(struct task_struct *tsk)
44332 + if (likely(tsk->mm))
44333 + return tsk->mm->pax_flags;
44338 +/* if tsk != current then task_lock must be held on it */
44339 +static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
44341 + if (likely(tsk->mm)) {
44342 + tsk->mm->pax_flags = flags;
44349 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
44350 +extern void pax_set_initial_flags(struct linux_binprm *bprm);
44351 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
44352 +extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
44355 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
44356 +void pax_report_insns(void *pc, void *sp);
44357 +void pax_report_refcount_overflow(struct pt_regs *regs);
44358 +void pax_report_leak_to_user(const void *ptr, unsigned long len);
44359 +void pax_report_overflow_from_user(const void *ptr, unsigned long len);
44361 /* Future-safe accessor for struct task_struct's cpus_allowed. */
44362 #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
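Review bot: The comment `if tsk != current then task_lock must be held on it` above `pax_get_flags()` and `pax_set_flags()` only covers the `tsk->mm` pointer, not the `mm_struct` that `pax_set_flags()` writes through `tsk->mm->pax_flags = flags`. Tasks that share an mm would not be serialised by one task's task_lock, so if callers outside this hunk can change flags on a live, shared mm, the comment should name what protects the field itself. The comment should also state what each helper returns when `tsk->mm` is NULL (the return lines for that path are not visible here) and why the setter returns `long` while the getter returns `unsigned long`. A possible wording is `/* caller holds task_lock(tsk) unless tsk == current; that pins tsk->mm only, pax_flags itself is not locked */`.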
44364 @@ -2172,7 +2243,7 @@ extern void __cleanup_sighand(struct sig
44365 extern void exit_itimers(struct signal_struct *);
44366 extern void flush_itimer_signals(void);
44368 -extern NORET_TYPE void do_group_exit(int);
44369 +extern NORET_TYPE void do_group_exit(int) ATTRIB_NORET;
44371 extern void daemonize(const char *, ...);
44372 extern int allow_signal(int);
44373 @@ -2274,6 +2345,33 @@ static inline void task_unlock(struct ta
44374 spin_unlock(&p->alloc_lock);
44377 +/* grsec: protects only ->fs as task_lock is overkill and we can't
44378 + be using a spin_lock in interrupt context
44380 +#ifdef CONFIG_GRKERNSEC
44381 +#define gr_fs_write_lock_irqsave(x, y) \
44382 + write_lock_irqsave(&x->gr_fs_lock, y)
44383 +#define gr_fs_write_unlock_irqrestore(x, y) \
44384 + write_unlock_irqrestore(&x->gr_fs_lock, y)
44386 +#define gr_fs_write_lock_irqsave(x, y)
44387 +#define gr_fs_write_unlock_irqrestore(x, y)
44390 +static inline void gr_fs_read_lock(struct task_struct *p)
44392 +#ifdef CONFIG_GRKERNSEC
44393 + read_lock(&p->gr_fs_lock);
44397 +static inline void gr_fs_read_unlock(struct task_struct *p)
44399 +#ifdef CONFIG_GRKERNSEC
44400 + read_unlock(&p->gr_fs_lock);
44404 extern struct sighand_struct *lock_task_sighand(struct task_struct *tsk,
44405 unsigned long *flags);
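Review bot: `gr_fs_write_lock_irqsave(x, y)` and `gr_fs_write_unlock_irqrestore(x, y)` expand their first argument unparenthesised as `&x->gr_fs_lock`, so any argument that is not a plain identifier binds incorrectly; it should read `write_lock_irqsave(&(x)->gr_fs_lock, y)`. The two fallback definitions expand to nothing, which leaves a bare `;` at the call site and the caller's flags variable unused when CONFIG_GRKERNSEC is off; `#define gr_fs_write_lock_irqsave(x, y) do { } while (0)` is the usual form. The read side is written as `static inline` functions with the `#ifdef` inside the body, while the write side uses macros, so one convention for both would be easier to follow. The added comment block should also say which contexts take the write lock, since it only says that task_lock is unsuitable.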
44407 @@ -2285,8 +2383,8 @@ static inline void unlock_task_sighand(s
44409 #ifndef __HAVE_THREAD_FUNCTIONS
44411 -#define task_thread_info(task) ((struct thread_info *)(task)->stack)
44412 -#define task_stack_page(task) ((task)->stack)
44413 +#define task_thread_info(task) ((task)->stack)
44414 +#define task_stack_page(task) ((void *)(task)->stack)
44416 static inline void setup_thread_stack(struct task_struct *p, struct task_struct *org)
44418 @@ -2301,13 +2399,31 @@ static inline unsigned long *end_of_stac
44422 -static inline int object_is_on_stack(void *obj)
44423 +static inline int object_starts_on_stack(void *obj)
44425 - void *stack = task_stack_page(current);
44426 + const void *stack = task_stack_page(current);
44428 return (obj >= stack) && (obj < (stack + THREAD_SIZE));
44431 +/* 0: not at all, 1: fully, -1: partially (implies an error) */
44432 +static inline int object_is_on_stack(const void *obj, unsigned long len)
44434 + const void *stack = task_stack_page(current);
44435 + const void *stackend = stack + THREAD_SIZE;
44437 + if (obj + len < obj)
44440 + if (stack <= obj && obj + len <= stackend)
44443 + if (obj + len <= stack || stackend <= obj)
44449 extern void thread_info_cache_init(void);
44451 #ifdef CONFIG_DEBUG_STACK_USAGE
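Review bot: The wrap check `if (obj + len < obj)` in the new `object_is_on_stack()` relies on pointer arithmetic overflowing, which is undefined behaviour (and arithmetic on `const void *` is a GNU extension), so a compiler may drop the test unless the build options forbid that optimisation. Doing the range test on integers keeps it well defined: `unsigned long start = (unsigned long)obj, end = start + len;`, then `if (end < start)` and compare `start`/`end` against `(unsigned long)stack` and that value plus `THREAD_SIZE`. The function also keeps its old name while gaining a parameter and a three-way result (`0`, `1`, `-1` per the added comment), so a converted caller that tests the result for truth would treat the partial-overlap error as "on stack"; a name that differs from the old predicate would make that harder to get wrong. The return statements of both functions are not visible in this view.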
44452 diff -urNp linux-2.6.33.1/include/linux/screen_info.h linux-2.6.33.1/include/linux/screen_info.h
44453 --- linux-2.6.33.1/include/linux/screen_info.h 2010-03-15 12:09:39.000000000 -0400
44454 +++ linux-2.6.33.1/include/linux/screen_info.h 2010-03-20 16:58:41.920592896 -0400
44455 @@ -43,7 +43,8 @@ struct screen_info {
44456 __u16 pages; /* 0x32 */
44457 __u16 vesa_attributes; /* 0x34 */
44458 __u32 capabilities; /* 0x36 */
44459 - __u8 _reserved[6]; /* 0x3a */
44460 + __u16 vesapm_size; /* 0x3a */
44461 + __u8 _reserved[4]; /* 0x3c */
44462 } __attribute__((packed));
44464 #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
44465 diff -urNp linux-2.6.33.1/include/linux/security.h linux-2.6.33.1/include/linux/security.h
44466 --- linux-2.6.33.1/include/linux/security.h 2010-03-15 12:09:39.000000000 -0400
44467 +++ linux-2.6.33.1/include/linux/security.h 2010-03-20 16:58:41.924637706 -0400
44469 #include <linux/key.h>
44470 #include <linux/xfrm.h>
44471 #include <linux/gfp.h>
44472 +#include <linux/grsecurity.h>
44473 #include <net/flow.h>
44475 /* Maximum number of letters for an LSM name string */
44476 diff -urNp linux-2.6.33.1/include/linux/shm.h linux-2.6.33.1/include/linux/shm.h
44477 --- linux-2.6.33.1/include/linux/shm.h 2010-03-15 12:09:39.000000000 -0400
44478 +++ linux-2.6.33.1/include/linux/shm.h 2010-03-20 16:58:41.924637706 -0400
44479 @@ -95,6 +95,10 @@ struct shmid_kernel /* private to the ke
44482 struct user_struct *mlock_user;
44483 +#ifdef CONFIG_GRKERNSEC
44484 + time_t shm_createtime;
44489 /* shm_mode upper byte flags */
44490 diff -urNp linux-2.6.33.1/include/linux/slab.h linux-2.6.33.1/include/linux/slab.h
44491 --- linux-2.6.33.1/include/linux/slab.h 2010-03-15 12:09:39.000000000 -0400
44492 +++ linux-2.6.33.1/include/linux/slab.h 2010-03-20 16:58:41.924637706 -0400
44495 #include <linux/gfp.h>
44496 #include <linux/types.h>
44497 +#include <linux/err.h>
44500 * Flags to pass to kmem_cache_create().
44501 @@ -82,10 +83,13 @@
44502 * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
44503 * Both make kfree a no-op.
44505 -#define ZERO_SIZE_PTR ((void *)16)
44506 +#define ZERO_SIZE_PTR \
44508 + BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK));\
44509 + (void *)(-MAX_ERRNO-1L); \
44512 -#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
44513 - (unsigned long)ZERO_SIZE_PTR)
44514 +#define ZERO_OR_NULL_PTR(x) (!(x) || (x) == ZERO_SIZE_PTR)
44517 * struct kmem_cache related prototypes
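Review bot: The new `ZERO_OR_NULL_PTR(x)` expands `x` twice in `(!(x) || (x) == ZERO_SIZE_PTR)`, where the removed version evaluated it once, so an argument with side effects now runs twice. Evaluating it into a local first avoids that: `({ unsigned long ___p = (unsigned long)(x); !___p || ___p == (unsigned long)ZERO_SIZE_PTR; })`. `ZERO_SIZE_PTR` itself appears to become a statement expression wrapping the `BUILD_BUG_ON` (its opening and closing lines are not visible here), which would stop it being usable where a constant expression is required. The comment above the macro should say so and explain why the value moved from `16` to `-MAX_ERRNO-1L`.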
44518 @@ -138,6 +142,7 @@ void * __must_check krealloc(const void
44519 void kfree(const void *);
44520 void kzfree(const void *);
44521 size_t ksize(const void *);
44522 +void check_object_size(const void *ptr, unsigned long n, bool to);
44525 * Allocator specific definitions. These are mainly used to establish optimized
44526 @@ -328,4 +333,37 @@ static inline void *kzalloc_node(size_t
44528 void __init kmem_cache_init_late(void);
44530 +#define kmalloc(x, y) \
44532 + void *___retval; \
44533 + intoverflow_t ___x = (intoverflow_t)x; \
44534 + if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n"))\
44535 + ___retval = NULL; \
44537 + ___retval = kmalloc((size_t)___x, (y)); \
44541 +#define kmalloc_node(x, y, z) \
44543 + void *___retval; \
44544 + intoverflow_t ___x = (intoverflow_t)x; \
44545 + if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
44546 + ___retval = NULL; \
44548 + ___retval = kmalloc_node((size_t)___x, (y), (z));\
44552 +#define kzalloc(x, y) \
44554 + void *___retval; \
44555 + intoverflow_t ___x = (intoverflow_t)x; \
44556 + if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n"))\
44557 + ___retval = NULL; \
44559 + ___retval = kzalloc((size_t)___x, (y)); \
44563 #endif /* _LINUX_SLAB_H */
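Review bot: `(intoverflow_t)x` in the `kmalloc`, `kmalloc_node` and `kzalloc` wrappers leaves the macro argument unparenthesised, which reads like a hygiene slip but looks deliberate. With a call such as `kmalloc(n * size, ...)` the cast binds to `n`, so the multiplication is carried out in the wider type and the `___x > ULONG_MAX` test can see the overflow. That only works when the widened operand is the first one; in an argument shaped like `a + b * c` the product is still computed in the narrow type and the check sees the already-wrapped value. A comment above the first macro should record this, e.g. `/* x is intentionally not parenthesised: the cast must widen the first operand of the size expression */`. The same pattern is repeated in the `vmalloc` family wrappers added to include/linux/vmalloc.h, and the definition of `intoverflow_t` is outside this hunk.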
44564 diff -urNp linux-2.6.33.1/include/linux/slub_def.h linux-2.6.33.1/include/linux/slub_def.h
44565 --- linux-2.6.33.1/include/linux/slub_def.h 2010-03-15 12:09:39.000000000 -0400
44566 +++ linux-2.6.33.1/include/linux/slub_def.h 2010-03-20 16:58:41.924637706 -0400
44567 @@ -86,7 +86,7 @@ struct kmem_cache {
44568 struct kmem_cache_order_objects max;
44569 struct kmem_cache_order_objects min;
44570 gfp_t allocflags; /* gfp flags to use on each alloc */
44571 - int refcount; /* Refcount for slab cache destroy */
44572 + atomic_t refcount; /* Refcount for slab cache destroy */
44573 void (*ctor)(void *);
44574 int inuse; /* Offset to metadata */
44575 int align; /* Alignment */
44576 diff -urNp linux-2.6.33.1/include/linux/sonet.h linux-2.6.33.1/include/linux/sonet.h
44577 --- linux-2.6.33.1/include/linux/sonet.h 2010-03-15 12:09:39.000000000 -0400
44578 +++ linux-2.6.33.1/include/linux/sonet.h 2010-03-20 16:58:41.924637706 -0400
44579 @@ -61,7 +61,7 @@ struct sonet_stats {
44580 #include <asm/atomic.h>
44582 struct k_sonet_stats {
44583 -#define __HANDLE_ITEM(i) atomic_t i
44584 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
44586 #undef __HANDLE_ITEM
44588 diff -urNp linux-2.6.33.1/include/linux/suspend.h linux-2.6.33.1/include/linux/suspend.h
44589 --- linux-2.6.33.1/include/linux/suspend.h 2010-03-15 12:09:39.000000000 -0400
44590 +++ linux-2.6.33.1/include/linux/suspend.h 2010-03-20 16:58:41.924637706 -0400
44591 @@ -104,15 +104,15 @@ typedef int __bitwise suspend_state_t;
44592 * which require special recovery actions in that situation.
44594 struct platform_suspend_ops {
44595 - int (*valid)(suspend_state_t state);
44596 - int (*begin)(suspend_state_t state);
44597 - int (*prepare)(void);
44598 - int (*prepare_late)(void);
44599 - int (*enter)(suspend_state_t state);
44600 - void (*wake)(void);
44601 - void (*finish)(void);
44602 - void (*end)(void);
44603 - void (*recover)(void);
44604 + int (* const valid)(suspend_state_t state);
44605 + int (* const begin)(suspend_state_t state);
44606 + int (* const prepare)(void);
44607 + int (* const prepare_late)(void);
44608 + int (* const enter)(suspend_state_t state);
44609 + void (* const wake)(void);
44610 + void (* const finish)(void);
44611 + void (* const end)(void);
44612 + void (* const recover)(void);
44615 #ifdef CONFIG_SUSPEND
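Review bot: Declaring every callback in `struct platform_suspend_ops` as `(* const name)` means an instance can only be populated by an initialiser, so any platform code that assigns a callback at runtime stops compiling, and nothing in the struct says this is intended. A short comment at the top of the struct would make the contract explicit, e.g. `/* members are const: define instances as fully initialised tables, never assign callbacks at runtime */`. Since `suspend_set_ops()` takes `const struct platform_suspend_ops *` in the next hunk, the comment could also say that instances are expected to be declared `const`. The same applies to `struct platform_hibernation_ops` later in this file and to the ops structs constified in include/linux/sysfs.h, include/net/neighbour.h and include/sound/ac97_codec.h.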
44616 @@ -120,7 +120,7 @@ struct platform_suspend_ops {
44617 * suspend_set_ops - set platform dependent suspend operations
44618 * @ops: The new suspend operations to set.
44620 -extern void suspend_set_ops(struct platform_suspend_ops *ops);
44621 +extern void suspend_set_ops(const struct platform_suspend_ops *ops);
44622 extern int suspend_valid_only_mem(suspend_state_t state);
44625 @@ -145,7 +145,7 @@ extern int pm_suspend(suspend_state_t st
44626 #else /* !CONFIG_SUSPEND */
44627 #define suspend_valid_only_mem NULL
44629 -static inline void suspend_set_ops(struct platform_suspend_ops *ops) {}
44630 +static inline void suspend_set_ops(const struct platform_suspend_ops *ops) {}
44631 static inline int pm_suspend(suspend_state_t state) { return -ENOSYS; }
44632 #endif /* !CONFIG_SUSPEND */
44634 @@ -215,16 +215,16 @@ extern void mark_free_pages(struct zone
44635 * platforms which require special recovery actions in that situation.
44637 struct platform_hibernation_ops {
44638 - int (*begin)(void);
44639 - void (*end)(void);
44640 - int (*pre_snapshot)(void);
44641 - void (*finish)(void);
44642 - int (*prepare)(void);
44643 - int (*enter)(void);
44644 - void (*leave)(void);
44645 - int (*pre_restore)(void);
44646 - void (*restore_cleanup)(void);
44647 - void (*recover)(void);
44648 + int (* const begin)(void);
44649 + void (* const end)(void);
44650 + int (* const pre_snapshot)(void);
44651 + void (* const finish)(void);
44652 + int (* const prepare)(void);
44653 + int (* const enter)(void);
44654 + void (* const leave)(void);
44655 + int (* const pre_restore)(void);
44656 + void (* const restore_cleanup)(void);
44657 + void (* const recover)(void);
44660 #ifdef CONFIG_HIBERNATION
44661 @@ -243,7 +243,7 @@ extern void swsusp_set_page_free(struct
44662 extern void swsusp_unset_page_free(struct page *);
44663 extern unsigned long get_safe_page(gfp_t gfp_mask);
44665 -extern void hibernation_set_ops(struct platform_hibernation_ops *ops);
44666 +extern void hibernation_set_ops(const struct platform_hibernation_ops *ops);
44667 extern int hibernate(void);
44668 extern bool system_entering_hibernation(void);
44669 #else /* CONFIG_HIBERNATION */
44670 @@ -251,7 +251,7 @@ static inline int swsusp_page_is_forbidd
44671 static inline void swsusp_set_page_free(struct page *p) {}
44672 static inline void swsusp_unset_page_free(struct page *p) {}
44674 -static inline void hibernation_set_ops(struct platform_hibernation_ops *ops) {}
44675 +static inline void hibernation_set_ops(const struct platform_hibernation_ops *ops) {}
44676 static inline int hibernate(void) { return -ENOSYS; }
44677 static inline bool system_entering_hibernation(void) { return false; }
44678 #endif /* CONFIG_HIBERNATION */
44679 diff -urNp linux-2.6.33.1/include/linux/sysctl.h linux-2.6.33.1/include/linux/sysctl.h
44680 --- linux-2.6.33.1/include/linux/sysctl.h 2010-03-15 12:09:39.000000000 -0400
44681 +++ linux-2.6.33.1/include/linux/sysctl.h 2010-03-20 16:58:41.924637706 -0400
44682 @@ -155,7 +155,11 @@ enum
44683 KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
44687 +#ifdef CONFIG_PAX_SOFTMODE
44689 + PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
44693 /* CTL_VM names: */
44695 diff -urNp linux-2.6.33.1/include/linux/sysfs.h linux-2.6.33.1/include/linux/sysfs.h
44696 --- linux-2.6.33.1/include/linux/sysfs.h 2010-03-15 12:09:39.000000000 -0400
44697 +++ linux-2.6.33.1/include/linux/sysfs.h 2010-03-20 16:58:41.924637706 -0400
44698 @@ -75,8 +75,8 @@ struct bin_attribute {
44702 - ssize_t (*show)(struct kobject *, struct attribute *,char *);
44703 - ssize_t (*store)(struct kobject *,struct attribute *,const char *, size_t);
44704 + ssize_t (* const show)(struct kobject *, struct attribute *,char *);
44705 + ssize_t (* const store)(struct kobject *,struct attribute *,const char *, size_t);
44708 struct sysfs_dirent;
44709 diff -urNp linux-2.6.33.1/include/linux/thread_info.h linux-2.6.33.1/include/linux/thread_info.h
44710 --- linux-2.6.33.1/include/linux/thread_info.h 2010-03-15 12:09:39.000000000 -0400
44711 +++ linux-2.6.33.1/include/linux/thread_info.h 2010-03-20 16:58:41.924637706 -0400
44712 @@ -23,7 +23,7 @@ struct restart_block {
44714 /* For futex_wait and futex_wait_requeue_pi */
44717 + u32 __user *uaddr;
44721 diff -urNp linux-2.6.33.1/include/linux/tty.h linux-2.6.33.1/include/linux/tty.h
44722 --- linux-2.6.33.1/include/linux/tty.h 2010-03-15 12:09:39.000000000 -0400
44723 +++ linux-2.6.33.1/include/linux/tty.h 2010-03-20 16:58:41.924637706 -0400
44725 #include <linux/tty_driver.h>
44726 #include <linux/tty_ldisc.h>
44727 #include <linux/mutex.h>
44728 +#include <linux/poll.h>
44730 #include <asm/system.h>
44732 @@ -440,7 +441,6 @@ extern int tty_perform_flush(struct tty_
44733 extern dev_t tty_devnum(struct tty_struct *tty);
44734 extern void proc_clear_tty(struct task_struct *p);
44735 extern struct tty_struct *get_current_tty(void);
44736 -extern void tty_default_fops(struct file_operations *fops);
44737 extern struct tty_struct *alloc_tty_struct(void);
44738 extern void free_tty_struct(struct tty_struct *tty);
44739 extern void initialize_tty_struct(struct tty_struct *tty,
44740 @@ -501,6 +501,18 @@ extern void tty_ldisc_begin(void);
44741 /* This last one is just for the tty layer internals and shouldn't be used elsewhere */
44742 extern void tty_ldisc_enable(struct tty_struct *tty);
44745 +extern ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
44746 +extern ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
44747 +extern unsigned int tty_poll(struct file *, poll_table *);
44748 +#ifdef CONFIG_COMPAT
44749 +extern long tty_compat_ioctl(struct file *file, unsigned int cmd,
44750 + unsigned long arg);
44752 +#define tty_compat_ioctl NULL
44754 +extern int tty_release(struct inode *, struct file *);
44755 +extern int tty_fasync(int fd, struct file *filp, int on);
44758 extern struct tty_ldisc_ops tty_ldisc_N_TTY;
44759 diff -urNp linux-2.6.33.1/include/linux/tty_ldisc.h linux-2.6.33.1/include/linux/tty_ldisc.h
44760 --- linux-2.6.33.1/include/linux/tty_ldisc.h 2010-03-15 12:09:39.000000000 -0400
44761 +++ linux-2.6.33.1/include/linux/tty_ldisc.h 2010-03-20 16:58:41.924637706 -0400
44762 @@ -139,7 +139,7 @@ struct tty_ldisc_ops {
44764 struct module *owner;
44767 + atomic_t refcount;
44771 diff -urNp linux-2.6.33.1/include/linux/types.h linux-2.6.33.1/include/linux/types.h
44772 --- linux-2.6.33.1/include/linux/types.h 2010-03-15 12:09:39.000000000 -0400
44773 +++ linux-2.6.33.1/include/linux/types.h 2010-03-20 16:58:41.924637706 -0400
44774 @@ -191,10 +191,26 @@ typedef struct {
44775 volatile int counter;
44778 +#ifdef CONFIG_PAX_REFCOUNT
44780 + volatile int counter;
44781 +} atomic_unchecked_t;
44783 +typedef atomic_t atomic_unchecked_t;
44786 #ifdef CONFIG_64BIT
44788 volatile long counter;
44791 +#ifdef CONFIG_PAX_REFCOUNT
44793 + volatile long counter;
44794 +} atomic64_unchecked_t;
44796 +typedef atomic64_t atomic64_unchecked_t;
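Review bot: `atomic_unchecked_t` and `atomic64_unchecked_t` are distinct struct types only under `CONFIG_PAX_REFCOUNT`; in the other branch they are plain aliases of `atomic_t` and `atomic64_t`. Code that passes one where the other is expected therefore compiles cleanly without the option and fails only with it, so the mistake goes unnoticed in builds that leave the option off. The hunk also adds the types without saying when they are appropriate. A comment above the first typedef would help, e.g. `/* for counters that may legitimately wrap (statistics, sequence numbers); never for reference counts */`, assuming that is the intent suggested by the `k_sonet_stats` conversion in include/linux/sonet.h.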
44801 diff -urNp linux-2.6.33.1/include/linux/uaccess.h linux-2.6.33.1/include/linux/uaccess.h
44802 --- linux-2.6.33.1/include/linux/uaccess.h 2010-03-15 12:09:39.000000000 -0400
44803 +++ linux-2.6.33.1/include/linux/uaccess.h 2010-03-20 16:58:41.924637706 -0400
44804 @@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
44806 mm_segment_t old_fs = get_fs(); \
44808 - set_fs(KERNEL_DS); \
44809 pagefault_disable(); \
44810 + set_fs(KERNEL_DS); \
44811 ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
44812 - pagefault_enable(); \
44814 + pagefault_enable(); \
44818 @@ -93,8 +93,8 @@ static inline unsigned long __copy_from_
44819 * Safely read from address @src to the buffer at @dst. If a kernel fault
44820 * happens, handle that and return -EFAULT.
44822 -extern long probe_kernel_read(void *dst, void *src, size_t size);
44823 -extern long __probe_kernel_read(void *dst, void *src, size_t size);
44824 +extern long probe_kernel_read(void *dst, const void *src, size_t size);
44825 +extern long __probe_kernel_read(void *dst, const void *src, size_t size);
44828 * probe_kernel_write(): safely attempt to write to a location
44829 @@ -105,7 +105,7 @@ extern long __probe_kernel_read(void *ds
44830 * Safely write to address @dst from the buffer at @src. If a kernel fault
44831 * happens, handle that and return -EFAULT.
44833 -extern long notrace probe_kernel_write(void *dst, void *src, size_t size);
44834 -extern long notrace __probe_kernel_write(void *dst, void *src, size_t size);
44835 +extern long notrace probe_kernel_write(void *dst, const void *src, size_t size);
44836 +extern long notrace __probe_kernel_write(void *dst, const void *src, size_t size);
44838 #endif /* __LINUX_UACCESS_H__ */
44839 diff -urNp linux-2.6.33.1/include/linux/vmalloc.h linux-2.6.33.1/include/linux/vmalloc.h
44840 --- linux-2.6.33.1/include/linux/vmalloc.h 2010-03-15 12:09:39.000000000 -0400
44841 +++ linux-2.6.33.1/include/linux/vmalloc.h 2010-03-20 16:58:41.928524770 -0400
44842 @@ -13,6 +13,11 @@ struct vm_area_struct; /* vma defining
44843 #define VM_MAP 0x00000004 /* vmap()ed pages */
44844 #define VM_USERMAP 0x00000008 /* suitable for remap_vmalloc_range */
44845 #define VM_VPAGES 0x00000010 /* buffer for pages was vmalloc'ed */
44847 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
44848 +#define VM_KERNEXEC 0x00000020 /* allocate from executable kernel memory range */
44851 /* bits [20..32] reserved for arch specific ioremap internals */
44854 @@ -121,4 +126,81 @@ struct vm_struct **pcpu_get_vm_areas(con
44856 void pcpu_free_vm_areas(struct vm_struct **vms, int nr_vms);
44858 +#define vmalloc(x) \
44860 + void *___retval; \
44861 + intoverflow_t ___x = (intoverflow_t)x; \
44862 + if (WARN(___x > ULONG_MAX, "vmalloc size overflow\n")) \
44863 + ___retval = NULL; \
44865 + ___retval = vmalloc((unsigned long)___x); \
44869 +#define __vmalloc(x, y, z) \
44871 + void *___retval; \
44872 + intoverflow_t ___x = (intoverflow_t)x; \
44873 + if (WARN(___x > ULONG_MAX, "__vmalloc size overflow\n"))\
44874 + ___retval = NULL; \
44876 + ___retval = __vmalloc((unsigned long)___x, (y), (z));\
44880 +#define vmalloc_user(x) \
44882 + void *___retval; \
44883 + intoverflow_t ___x = (intoverflow_t)x; \
44884 + if (WARN(___x > ULONG_MAX, "vmalloc_user size overflow\n"))\
44885 + ___retval = NULL; \
44887 + ___retval = vmalloc_user((unsigned long)___x); \
44891 +#define vmalloc_exec(x) \
44893 + void *___retval; \
44894 + intoverflow_t ___x = (intoverflow_t)x; \
44895 + if (WARN(___x > ULONG_MAX, "vmalloc_exec size overflow\n"))\
44896 + ___retval = NULL; \
44898 + ___retval = vmalloc_exec((unsigned long)___x); \
44902 +#define vmalloc_node(x, y) \
44904 + void *___retval; \
44905 + intoverflow_t ___x = (intoverflow_t)x; \
44906 + if (WARN(___x > ULONG_MAX, "vmalloc_node size overflow\n"))\
44907 + ___retval = NULL; \
44909 + ___retval = vmalloc_node((unsigned long)___x, (y));\
44913 +#define vmalloc_32(x) \
44915 + void *___retval; \
44916 + intoverflow_t ___x = (intoverflow_t)x; \
44917 + if (WARN(___x > ULONG_MAX, "vmalloc_32 size overflow\n"))\
44918 + ___retval = NULL; \
44920 + ___retval = vmalloc_32((unsigned long)___x); \
44924 +#define vmalloc_32_user(x) \
44926 + void *___retval; \
44927 + intoverflow_t ___x = (intoverflow_t)x; \
44928 + if (WARN(___x > ULONG_MAX, "vmalloc_32_user size overflow\n"))\
44929 + ___retval = NULL; \
44931 + ___retval = vmalloc_32_user((unsigned long)___x);\
44935 #endif /* _LINUX_VMALLOC_H */
44936 diff -urNp linux-2.6.33.1/include/net/irda/ircomm_tty.h linux-2.6.33.1/include/net/irda/ircomm_tty.h
44937 --- linux-2.6.33.1/include/net/irda/ircomm_tty.h 2010-03-15 12:09:39.000000000 -0400
44938 +++ linux-2.6.33.1/include/net/irda/ircomm_tty.h 2010-03-20 16:58:41.928524770 -0400
44939 @@ -105,8 +105,8 @@ struct ircomm_tty_cb {
44940 unsigned short close_delay;
44941 unsigned short closing_wait; /* time to wait before closing */
44944 - int blocked_open; /* # of blocked opens */
44945 + atomic_t open_count;
44946 + atomic_t blocked_open; /* # of blocked opens */
44948 /* Protect concurent access to :
44949 * o self->open_count
44950 diff -urNp linux-2.6.33.1/include/net/neighbour.h linux-2.6.33.1/include/net/neighbour.h
44951 --- linux-2.6.33.1/include/net/neighbour.h 2010-03-15 12:09:39.000000000 -0400
44952 +++ linux-2.6.33.1/include/net/neighbour.h 2010-03-20 16:58:41.928524770 -0400
44953 @@ -116,12 +116,12 @@ struct neighbour {
44957 - void (*solicit)(struct neighbour *, struct sk_buff*);
44958 - void (*error_report)(struct neighbour *, struct sk_buff*);
44959 - int (*output)(struct sk_buff*);
44960 - int (*connected_output)(struct sk_buff*);
44961 - int (*hh_output)(struct sk_buff*);
44962 - int (*queue_xmit)(struct sk_buff*);
44963 + void (* const solicit)(struct neighbour *, struct sk_buff*);
44964 + void (* const error_report)(struct neighbour *, struct sk_buff*);
44965 + int (* const output)(struct sk_buff*);
44966 + int (* const connected_output)(struct sk_buff*);
44967 + int (* const hh_output)(struct sk_buff*);
44968 + int (* const queue_xmit)(struct sk_buff*);
44971 struct pneigh_entry {
44972 diff -urNp linux-2.6.33.1/include/net/sctp/sctp.h linux-2.6.33.1/include/net/sctp/sctp.h
44973 --- linux-2.6.33.1/include/net/sctp/sctp.h 2010-03-15 12:09:39.000000000 -0400
44974 +++ linux-2.6.33.1/include/net/sctp/sctp.h 2010-03-20 16:58:41.928524770 -0400
44975 @@ -304,8 +304,8 @@ extern int sctp_debug_flag;
44977 #else /* SCTP_DEBUG */
44979 -#define SCTP_DEBUG_PRINTK(whatever...)
44980 -#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
44981 +#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
44982 +#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
44983 #define SCTP_ENABLE_DEBUG
44984 #define SCTP_DISABLE_DEBUG
44985 #define SCTP_ASSERT(expr, str, func)
44986 diff -urNp linux-2.6.33.1/include/net/tcp.h linux-2.6.33.1/include/net/tcp.h
44987 --- linux-2.6.33.1/include/net/tcp.h 2010-03-15 12:09:39.000000000 -0400
44988 +++ linux-2.6.33.1/include/net/tcp.h 2010-03-20 16:58:41.928524770 -0400
44989 @@ -1392,6 +1392,7 @@ enum tcp_seq_states {
44990 struct tcp_seq_afinfo {
44992 sa_family_t family;
44993 + /* cannot be const */
44994 struct file_operations seq_fops;
44995 struct seq_operations seq_ops;
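Review bot: The added `/* cannot be const */` on `seq_fops` in `struct tcp_seq_afinfo` states a constraint without its reason, so the next person constifying ops tables has to rediscover it. If the reason is that the registration code fills in `seq_fops` at runtime (not visible in this hunk), say so: `/* cannot be const: filled in at runtime when the proc entry is registered */`. The same bare comment is added to `struct udp_seq_afinfo` in include/net/udp.h.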
44997 diff -urNp linux-2.6.33.1/include/net/udp.h linux-2.6.33.1/include/net/udp.h
44998 --- linux-2.6.33.1/include/net/udp.h 2010-03-15 12:09:39.000000000 -0400
44999 +++ linux-2.6.33.1/include/net/udp.h 2010-03-20 16:58:41.928524770 -0400
45000 @@ -221,6 +221,7 @@ struct udp_seq_afinfo {
45002 sa_family_t family;
45003 struct udp_table *udp_table;
45004 + /* cannot be const */
45005 struct file_operations seq_fops;
45006 struct seq_operations seq_ops;
45008 diff -urNp linux-2.6.33.1/include/sound/ac97_codec.h linux-2.6.33.1/include/sound/ac97_codec.h
45009 --- linux-2.6.33.1/include/sound/ac97_codec.h 2010-03-15 12:09:39.000000000 -0400
45010 +++ linux-2.6.33.1/include/sound/ac97_codec.h 2010-03-20 16:58:41.928524770 -0400
45011 @@ -419,15 +419,15 @@
45014 struct snd_ac97_build_ops {
45015 - int (*build_3d) (struct snd_ac97 *ac97);
45016 - int (*build_specific) (struct snd_ac97 *ac97);
45017 - int (*build_spdif) (struct snd_ac97 *ac97);
45018 - int (*build_post_spdif) (struct snd_ac97 *ac97);
45019 + int (* const build_3d) (struct snd_ac97 *ac97);
45020 + int (* const build_specific) (struct snd_ac97 *ac97);
45021 + int (* const build_spdif) (struct snd_ac97 *ac97);
45022 + int (* const build_post_spdif) (struct snd_ac97 *ac97);
45024 - void (*suspend) (struct snd_ac97 *ac97);
45025 - void (*resume) (struct snd_ac97 *ac97);
45026 + void (* const suspend) (struct snd_ac97 *ac97);
45027 + void (* const resume) (struct snd_ac97 *ac97);
45029 - void (*update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
45030 + void (* const update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
45033 struct snd_ac97_bus_ops {
45034 @@ -477,7 +477,7 @@ struct snd_ac97_template {
45037 /* -- lowlevel (hardware) driver specific -- */
45038 - struct snd_ac97_build_ops * build_ops;
45039 + const struct snd_ac97_build_ops * build_ops;
45040 void *private_data;
45041 void (*private_free) (struct snd_ac97 *ac97);
45043 diff -urNp linux-2.6.33.1/include/trace/events/irq.h linux-2.6.33.1/include/trace/events/irq.h
45044 --- linux-2.6.33.1/include/trace/events/irq.h 2010-03-15 12:09:39.000000000 -0400
45045 +++ linux-2.6.33.1/include/trace/events/irq.h 2010-03-20 16:58:41.928524770 -0400
45048 TRACE_EVENT(irq_handler_entry,
45050 - TP_PROTO(int irq, struct irqaction *action),
45051 + TP_PROTO(int irq, const struct irqaction *action),
45053 TP_ARGS(irq, action),
45055 @@ -64,7 +64,7 @@ TRACE_EVENT(irq_handler_entry,
45057 TRACE_EVENT(irq_handler_exit,
45059 - TP_PROTO(int irq, struct irqaction *action, int ret),
45060 + TP_PROTO(int irq, const struct irqaction *action, int ret),
45062 TP_ARGS(irq, action, ret),
45064 @@ -84,7 +84,7 @@ TRACE_EVENT(irq_handler_exit,
45066 DECLARE_EVENT_CLASS(softirq,
45068 - TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
45069 + TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
45073 @@ -113,7 +113,7 @@ DECLARE_EVENT_CLASS(softirq,
45075 DEFINE_EVENT(softirq, softirq_entry,
45077 - TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
45078 + TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
45082 @@ -131,7 +131,7 @@ DEFINE_EVENT(softirq, softirq_entry,
45084 DEFINE_EVENT(softirq, softirq_exit,
45086 - TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
45087 + TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
45091 diff -urNp linux-2.6.33.1/include/video/uvesafb.h linux-2.6.33.1/include/video/uvesafb.h
45092 --- linux-2.6.33.1/include/video/uvesafb.h 2010-03-15 12:09:39.000000000 -0400
45093 +++ linux-2.6.33.1/include/video/uvesafb.h 2010-03-20 16:58:41.928524770 -0400
45094 @@ -177,6 +177,7 @@ struct uvesafb_par {
45095 u8 ypan; /* 0 - nothing, 1 - ypan, 2 - ywrap */
45096 u8 pmi_setpal; /* PMI for palette changes */
45097 u16 *pmi_base; /* protected mode interface location */
45098 + u8 *pmi_code; /* protected mode code location */
45101 u8 *vbe_state_orig; /*
45102 diff -urNp linux-2.6.33.1/init/do_mounts.c linux-2.6.33.1/init/do_mounts.c
45103 --- linux-2.6.33.1/init/do_mounts.c 2010-03-15 12:09:39.000000000 -0400
45104 +++ linux-2.6.33.1/init/do_mounts.c 2010-03-20 16:58:41.936928392 -0400
45105 @@ -216,11 +216,11 @@ static void __init get_fs_names(char *pa
45107 static int __init do_mount_root(char *name, char *fs, int flags, void *data)
45109 - int err = sys_mount(name, "/root", fs, flags, data);
45110 + int err = sys_mount((__force char __user *)name, (__force char __user *)"/root", (__force char __user *)fs, flags, (__force void __user *)data);
45114 - sys_chdir("/root");
45115 + sys_chdir((__force char __user *)"/root");
45116 ROOT_DEV = current->fs->pwd.mnt->mnt_sb->s_dev;
45117 printk("VFS: Mounted root (%s filesystem)%s on device %u:%u.\n",
45118 current->fs->pwd.mnt->mnt_sb->s_type->name,
45119 @@ -311,18 +311,18 @@ void __init change_floppy(char *fmt, ...
45120 va_start(args, fmt);
45121 vsprintf(buf, fmt, args);
45123 - fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
45124 + fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
45126 sys_ioctl(fd, FDEJECT, 0);
45129 printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
45130 - fd = sys_open("/dev/console", O_RDWR, 0);
45131 + fd = sys_open((char __user *)"/dev/console", O_RDWR, 0);
45133 sys_ioctl(fd, TCGETS, (long)&termios);
45134 termios.c_lflag &= ~ICANON;
45135 sys_ioctl(fd, TCSETSF, (long)&termios);
45136 - sys_read(fd, &c, 1);
45137 + sys_read(fd, (char __user *)&c, 1);
45138 termios.c_lflag |= ICANON;
45139 sys_ioctl(fd, TCSETSF, (long)&termios);
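Review bot: The casts added in this hunk of `change_floppy()` use `(char __user *)` without `__force`, while the other hunks of this file (`do_mount_root()`, `prepare_namespace()`) use `(__force char __user *)`. Without `__force`, sparse is expected to keep reporting the address-space change that these annotations are meant to silence. For consistency, write `sys_open((__force char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);`, and do the same for the `"/dev/console"` open and for `sys_read(fd, (__force char __user *)&c, 1);`. The function body starts and ends outside the hunk.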
45141 @@ -416,6 +416,6 @@ void __init prepare_namespace(void)
45144 devtmpfs_mount("dev");
45145 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
45147 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
45148 + sys_chroot((__force char __user *)".");
45150 diff -urNp linux-2.6.33.1/init/do_mounts.h linux-2.6.33.1/init/do_mounts.h
45151 --- linux-2.6.33.1/init/do_mounts.h 2010-03-15 12:09:39.000000000 -0400
45152 +++ linux-2.6.33.1/init/do_mounts.h 2010-03-20 16:58:41.973158089 -0400
45153 @@ -15,15 +15,15 @@ extern int root_mountflags;
45155 static inline int create_dev(char *name, dev_t dev)
45157 - sys_unlink(name);
45158 - return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
45159 + sys_unlink((__force char __user *)name);
45160 + return sys_mknod((__force char __user *)name, S_IFBLK|0600, new_encode_dev(dev));
45163 #if BITS_PER_LONG == 32
45164 static inline u32 bstat(char *name)
45166 struct stat64 stat;
45167 - if (sys_stat64(name, &stat) != 0)
45168 + if (sys_stat64((__force char __user *)name, (__force struct stat64 __user *)&stat) != 0)
45170 if (!S_ISBLK(stat.st_mode))
45172 diff -urNp linux-2.6.33.1/init/do_mounts_initrd.c linux-2.6.33.1/init/do_mounts_initrd.c
45173 --- linux-2.6.33.1/init/do_mounts_initrd.c 2010-03-15 12:09:39.000000000 -0400
45174 +++ linux-2.6.33.1/init/do_mounts_initrd.c 2010-03-20 16:58:41.973158089 -0400
45175 @@ -32,7 +32,7 @@ static int __init do_linuxrc(void * shel
45176 sys_close(old_fd);sys_close(root_fd);
45177 sys_close(0);sys_close(1);sys_close(2);
45179 - (void) sys_open("/dev/console",O_RDWR,0);
45180 + (void) sys_open((__force const char __user *)"/dev/console",O_RDWR,0);
45183 return kernel_execve(shell, argv, envp_init);
45184 @@ -47,13 +47,13 @@ static void __init handle_initrd(void)
45185 create_dev("/dev/root.old", Root_RAM0);
45186 /* mount initrd on rootfs' /root */
45187 mount_block_root("/dev/root.old", root_mountflags & ~MS_RDONLY);
45188 - sys_mkdir("/old", 0700);
45189 - root_fd = sys_open("/", 0, 0);
45190 - old_fd = sys_open("/old", 0, 0);
45191 + sys_mkdir((__force const char __user *)"/old", 0700);
45192 + root_fd = sys_open((__force const char __user *)"/", 0, 0);
45193 + old_fd = sys_open((__force const char __user *)"/old", 0, 0);
45194 /* move initrd over / and chdir/chroot in initrd root */
45195 - sys_chdir("/root");
45196 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
45198 + sys_chdir((__force const char __user *)"/root");
45199 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
45200 + sys_chroot((__force const char __user *)".");
45203 * In case that a resume from disk is carried out by linuxrc or one of
45204 @@ -70,15 +70,15 @@ static void __init handle_initrd(void)
45206 /* move initrd to rootfs' /old */
45207 sys_fchdir(old_fd);
45208 - sys_mount("/", ".", NULL, MS_MOVE, NULL);
45209 + sys_mount((__force char __user *)"/", (__force char __user *)".", NULL, MS_MOVE, NULL);
45210 /* switch root and cwd back to / of rootfs */
45211 sys_fchdir(root_fd);
45213 + sys_chroot((__force const char __user *)".");
45215 sys_close(root_fd);
45217 if (new_decode_dev(real_root_dev) == Root_RAM0) {
45218 - sys_chdir("/old");
45219 + sys_chdir((__force const char __user *)"/old");
45223 @@ -86,17 +86,17 @@ static void __init handle_initrd(void)
45226 printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
45227 - error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
45228 + error = sys_mount((__force char __user *)"/old", (__force char __user *)"/root/initrd", NULL, MS_MOVE, NULL);
45232 - int fd = sys_open("/dev/root.old", O_RDWR, 0);
45233 + int fd = sys_open((__force const char __user *)"/dev/root.old", O_RDWR, 0);
45234 if (error == -ENOENT)
45235 printk("/initrd does not exist. Ignored.\n");
45237 printk("failed\n");
45238 printk(KERN_NOTICE "Unmounting old root\n");
45239 - sys_umount("/old", MNT_DETACH);
45240 + sys_umount((__force char __user *)"/old", MNT_DETACH);
45241 printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
45244 @@ -119,11 +119,11 @@ int __init initrd_load(void)
45245 * mounted in the normal path.
45247 if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
45248 - sys_unlink("/initrd.image");
45249 + sys_unlink((__force const char __user *)"/initrd.image");
45254 - sys_unlink("/initrd.image");
45255 + sys_unlink((__force const char __user *)"/initrd.image");
45258 diff -urNp linux-2.6.33.1/init/do_mounts_md.c linux-2.6.33.1/init/do_mounts_md.c
45259 --- linux-2.6.33.1/init/do_mounts_md.c 2010-03-15 12:09:39.000000000 -0400
45260 +++ linux-2.6.33.1/init/do_mounts_md.c 2010-03-20 16:58:41.973158089 -0400
45261 @@ -170,7 +170,7 @@ static void __init md_setup_drive(void)
45262 partitioned ? "_d" : "", minor,
45263 md_setup_args[ent].device_names);
45265 - fd = sys_open(name, 0, 0);
45266 + fd = sys_open((__force char __user *)name, 0, 0);
45268 printk(KERN_ERR "md: open failed - cannot start "
45269 "array %s\n", name);
45270 @@ -233,7 +233,7 @@ static void __init md_setup_drive(void)
45274 - fd = sys_open(name, 0, 0);
45275 + fd = sys_open((__force char __user *)name, 0, 0);
45276 sys_ioctl(fd, BLKRRPART, 0);
45279 @@ -283,7 +283,7 @@ static void __init autodetect_raid(void)
45281 wait_for_device_probe();
45283 - fd = sys_open("/dev/md0", 0, 0);
45284 + fd = sys_open((__force char __user *)"/dev/md0", 0, 0);
45286 sys_ioctl(fd, RAID_AUTORUN, raid_autopart);
45288 diff -urNp linux-2.6.33.1/init/initramfs.c linux-2.6.33.1/init/initramfs.c
45289 --- linux-2.6.33.1/init/initramfs.c 2010-03-15 12:09:39.000000000 -0400
45290 +++ linux-2.6.33.1/init/initramfs.c 2010-03-20 16:58:41.973158089 -0400
45291 @@ -74,7 +74,7 @@ static void __init free_hash(void)
45295 -static long __init do_utime(char __user *filename, time_t mtime)
45296 +static long __init do_utime(__force char __user *filename, time_t mtime)
45298 struct timespec t[2];
45300 @@ -109,7 +109,7 @@ static void __init dir_utime(void)
45301 struct dir_entry *de, *tmp;
45302 list_for_each_entry_safe(de, tmp, &dir_list, list) {
45303 list_del(&de->list);
45304 - do_utime(de->name, de->mtime);
45305 + do_utime((__force char __user *)de->name, de->mtime);
45309 @@ -271,7 +271,7 @@ static int __init maybe_link(void)
45311 char *old = find_link(major, minor, ino, mode, collected);
45313 - return (sys_link(old, collected) < 0) ? -1 : 1;
45314 + return (sys_link((__force char __user *)old, (__force char __user *)collected) < 0) ? -1 : 1;
45318 @@ -280,11 +280,11 @@ static void __init clean_path(char *path
45322 - if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
45323 + if (!sys_newlstat((__force char __user *)path, (__force struct stat __user *)&st) && (st.st_mode^mode) & S_IFMT) {
45324 if (S_ISDIR(st.st_mode))
45326 + sys_rmdir((__force char __user *)path);
45328 - sys_unlink(path);
45329 + sys_unlink((__force char __user *)path);
45333 @@ -305,7 +305,7 @@ static int __init do_name(void)
45334 int openflags = O_WRONLY|O_CREAT;
45336 openflags |= O_TRUNC;
45337 - wfd = sys_open(collected, openflags, mode);
45338 + wfd = sys_open((__force char __user *)collected, openflags, mode);
45341 sys_fchown(wfd, uid, gid);
45342 @@ -317,17 +317,17 @@ static int __init do_name(void)
45345 } else if (S_ISDIR(mode)) {
45346 - sys_mkdir(collected, mode);
45347 - sys_chown(collected, uid, gid);
45348 - sys_chmod(collected, mode);
45349 + sys_mkdir((__force char __user *)collected, mode);
45350 + sys_chown((__force char __user *)collected, uid, gid);
45351 + sys_chmod((__force char __user *)collected, mode);
45352 dir_add(collected, mtime);
45353 } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
45354 S_ISFIFO(mode) || S_ISSOCK(mode)) {
45355 if (maybe_link() == 0) {
45356 - sys_mknod(collected, mode, rdev);
45357 - sys_chown(collected, uid, gid);
45358 - sys_chmod(collected, mode);
45359 - do_utime(collected, mtime);
45360 + sys_mknod((__force char __user *)collected, mode, rdev);
45361 + sys_chown((__force char __user *)collected, uid, gid);
45362 + sys_chmod((__force char __user *)collected, mode);
45363 + do_utime((__force char __user *)collected, mtime);
45367 @@ -336,15 +336,15 @@ static int __init do_name(void)
45368 static int __init do_copy(void)
45370 if (count >= body_len) {
45371 - sys_write(wfd, victim, body_len);
45372 + sys_write(wfd, (__force char __user *)victim, body_len);
45374 - do_utime(vcollected, mtime);
45375 + do_utime((__force char __user *)vcollected, mtime);
45381 - sys_write(wfd, victim, count);
45382 + sys_write(wfd, (__force char __user *)victim, count);
45386 @@ -355,9 +355,9 @@ static int __init do_symlink(void)
45388 collected[N_ALIGN(name_len) + body_len] = '\0';
45389 clean_path(collected, 0);
45390 - sys_symlink(collected + N_ALIGN(name_len), collected);
45391 - sys_lchown(collected, uid, gid);
45392 - do_utime(collected, mtime);
45393 + sys_symlink((__force char __user *)collected + N_ALIGN(name_len), (__force char __user *)collected);
45394 + sys_lchown((__force char __user *)collected, uid, gid);
45395 + do_utime((__force char __user *)collected, mtime);
45397 next_state = Reset;
45399 diff -urNp linux-2.6.33.1/init/Kconfig linux-2.6.33.1/init/Kconfig
45400 --- linux-2.6.33.1/init/Kconfig 2010-03-15 12:09:39.000000000 -0400
45401 +++ linux-2.6.33.1/init/Kconfig 2010-03-20 16:58:41.973158089 -0400
45402 @@ -1046,7 +1046,7 @@ config SLUB_DEBUG
45405 bool "Disable heap randomization"
45409 Randomizing heap placement makes heap exploits harder, but it
45410 also breaks ancient binaries (including anything libc5 based).
45411 @@ -1158,9 +1158,9 @@ config HAVE_GENERIC_DMA_COHERENT
45415 - depends on PROC_FS
45416 + depends on PROC_FS && !GRKERNSEC_PROC_ADD
45417 depends on SLAB || SLUB_DEBUG
45423 diff -urNp linux-2.6.33.1/init/main.c linux-2.6.33.1/init/main.c
45424 --- linux-2.6.33.1/init/main.c 2010-03-15 12:09:39.000000000 -0400
45425 +++ linux-2.6.33.1/init/main.c 2010-03-20 16:58:41.976562026 -0400
45426 @@ -97,6 +97,7 @@ static inline void mark_rodata_ro(void)
45428 extern void tc_init(void);
45430 +extern void grsecurity_init(void);
45432 enum system_states system_state __read_mostly;
45433 EXPORT_SYMBOL(system_state);
45434 @@ -183,6 +184,35 @@ static int __init set_reset_devices(char
45436 __setup("reset_devices", set_reset_devices);
45438 +#if defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32)
45439 +static int __init setup_pax_nouderef(char *str)
45441 + unsigned int cpu;
45443 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
45444 + get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_DS].type = 3;
45445 + get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_DS].limit = 0xf;
45447 + asm("mov %0, %%ds" : : "r" (__KERNEL_DS) : "memory");
45448 + asm("mov %0, %%es" : : "r" (__KERNEL_DS) : "memory");
45449 + asm("mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
45453 +early_param("pax_nouderef", setup_pax_nouderef);
45456 +#ifdef CONFIG_PAX_SOFTMODE
45457 +unsigned int pax_softmode;
45459 +static int __init setup_pax_softmode(char *str)
45461 + get_option(&str, &pax_softmode);
45464 +__setup("pax_softmode=", setup_pax_softmode);
45467 static char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
45468 char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
45469 static const char *panic_later, *panic_param;
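Review bot: `setup_pax_softmode()` passes `&pax_softmode`, an `unsigned int *`, to `get_option()`, which takes an `int *`, and it ignores the return value. A negative or unparsable `pax_softmode=` argument therefore ends up as a very large or unchanged value with no diagnostic, on a switch that, going by its name, relaxes PaX enforcement. Parse into a local and validate it, for example `int val; if (get_option(&str, &val) && val >= 0) pax_softmode = val;`, and warn on anything else. Separately, the literals `type = 3` and `limit = 0xf` in `setup_pax_nouderef()` deserve a comment naming what they do to the kernel data segment descriptor.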
45470 @@ -697,52 +727,53 @@ int initcall_debug;
45471 core_param(initcall_debug, initcall_debug, bool, 0644);
45473 static char msgbuf[64];
45474 -static struct boot_trace_call call;
45475 -static struct boot_trace_ret ret;
45476 +static struct boot_trace_call trace_call;
45477 +static struct boot_trace_ret trace_ret;
45479 int do_one_initcall(initcall_t fn)
45481 int count = preempt_count();
45482 ktime_t calltime, delta, rettime;
45483 + const char *msg1 = "", *msg2 = "";
45485 if (initcall_debug) {
45486 - call.caller = task_pid_nr(current);
45487 - printk("calling %pF @ %i\n", fn, call.caller);
45488 + trace_call.caller = task_pid_nr(current);
45489 + printk("calling %pF @ %i\n", fn, trace_call.caller);
45490 calltime = ktime_get();
45491 - trace_boot_call(&call, fn);
45492 + trace_boot_call(&trace_call, fn);
45493 enable_boot_trace();
45496 - ret.result = fn();
45497 + trace_ret.result = fn();
45499 if (initcall_debug) {
45500 disable_boot_trace();
45501 rettime = ktime_get();
45502 delta = ktime_sub(rettime, calltime);
45503 - ret.duration = (unsigned long long) ktime_to_ns(delta) >> 10;
45504 - trace_boot_ret(&ret, fn);
45505 + trace_ret.duration = (unsigned long long) ktime_to_ns(delta) >> 10;
45506 + trace_boot_ret(&trace_ret, fn);
45507 printk("initcall %pF returned %d after %Ld usecs\n", fn,
45508 - ret.result, ret.duration);
45509 + trace_ret.result, trace_ret.duration);
45514 - if (ret.result && ret.result != -ENODEV && initcall_debug)
45515 - sprintf(msgbuf, "error code %d ", ret.result);
45516 + if (trace_ret.result && trace_ret.result != -ENODEV && initcall_debug)
45517 + sprintf(msgbuf, "error code %d ", trace_ret.result);
45519 if (preempt_count() != count) {
45520 - strlcat(msgbuf, "preemption imbalance ", sizeof(msgbuf));
45521 + msg1 = " preemption imbalance";
45522 preempt_count() = count;
45524 if (irqs_disabled()) {
45525 - strlcat(msgbuf, "disabled interrupts ", sizeof(msgbuf));
45526 + msg2 = " disabled interrupts";
45527 local_irq_enable();
45530 - printk("initcall %pF returned with %s\n", fn, msgbuf);
45531 + if (msgbuf[0] || *msg1 || *msg2) {
45532 + printk("initcall %pF returned with %s%s%s\n", fn, msgbuf, msg1, msg2);
45535 - return ret.result;
45536 + return trace_ret.result;
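Review bot: The new message pieces each carry their own separator, so the log line gets doubled spaces: `"returned with %s%s%s"` followed by `" preemption imbalance"` prints `with  preemption`, and `"error code %d "` followed by `msg1` does the same. Keep the separator on one side only, e.g. `msg1 = "preemption imbalance ";` and `msg2 = "disabled interrupts ";` as in the removed `strlcat()` calls. The statement that resets `msgbuf` is not visible in this hunk, and the new `msgbuf[0]` test depends on it still running before the `sprintf()`.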
45540 @@ -881,11 +912,13 @@ static int __init kernel_init(void * unu
45541 if (!ramdisk_execute_command)
45542 ramdisk_execute_command = "/init";
45544 - if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
45545 + if (sys_access((__force const char __user *) ramdisk_execute_command, 0) != 0) {
45546 ramdisk_execute_command = NULL;
45547 prepare_namespace();
45550 + grsecurity_init();
45553 * Ok, we have completed the initial bootup, and
45554 * we're essentially up and running. Get rid of the
45555 diff -urNp linux-2.6.33.1/init/noinitramfs.c linux-2.6.33.1/init/noinitramfs.c
45556 --- linux-2.6.33.1/init/noinitramfs.c 2010-03-15 12:09:39.000000000 -0400
45557 +++ linux-2.6.33.1/init/noinitramfs.c 2010-03-20 16:58:41.976562026 -0400
45558 @@ -29,7 +29,7 @@ static int __init default_rootfs(void)
45562 - err = sys_mkdir("/dev", 0755);
45563 + err = sys_mkdir((const char __user *)"/dev", 0755);
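Review bot: The cast added to the `sys_mkdir("/dev", 0755)` call omits `__force`, unlike the other kernel-pointer-to-`__user` casts in this patch (for example the `sys_mkdir` call in init/do_mounts_initrd.c), and the `/root` call in the next hunk has the same omission. Without `__force`, sparse still reports the address-space change, so the annotation does not do what the rest of the patch does. Write them as `(__force const char __user *)"/dev"` and `(__force const char __user *)"/root"`. `default_rootfs()` starts and ends outside these hunks.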
45567 @@ -39,7 +39,7 @@ static int __init default_rootfs(void)
45571 - err = sys_mkdir("/root", 0700);
45572 + err = sys_mkdir((const char __user *)"/root", 0700);
45576 diff -urNp linux-2.6.33.1/ipc/mqueue.c linux-2.6.33.1/ipc/mqueue.c
45577 --- linux-2.6.33.1/ipc/mqueue.c 2010-03-15 12:09:39.000000000 -0400
45578 +++ linux-2.6.33.1/ipc/mqueue.c 2010-03-20 16:58:41.976562026 -0400
45579 @@ -149,6 +149,7 @@ static struct inode *mqueue_get_inode(st
45580 mq_bytes = (mq_msg_tblsz +
45581 (info->attr.mq_maxmsg * info->attr.mq_msgsize));
45583 + gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);
45584 spin_lock(&mq_lock);
45585 if (u->mq_bytes + mq_bytes < u->mq_bytes ||
45586 u->mq_bytes + mq_bytes >
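Review bot: `gr_learn_resource()` reads `u->mq_bytes` before `spin_lock(&mq_lock)` is taken, while the limit check just below reads it under the lock, so the value handed to the learning code can differ from the one actually enforced. The sum `u->mq_bytes + mq_bytes` is also passed without the wrap-around test that the following `if` applies, so a wrapped, small value can be recorded. Moving the call to the line after `spin_lock(&mq_lock);` addresses the first point, provided `gr_learn_resource()` may be called under a spinlock, which is not visible here. `mqueue_get_inode()` continues outside the hunk.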
45587 diff -urNp linux-2.6.33.1/ipc/shm.c linux-2.6.33.1/ipc/shm.c
45588 --- linux-2.6.33.1/ipc/shm.c 2010-03-15 12:09:39.000000000 -0400
45589 +++ linux-2.6.33.1/ipc/shm.c 2010-03-20 16:58:41.997340945 -0400
45590 @@ -69,6 +69,14 @@ static void shm_destroy (struct ipc_name
45591 static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
45594 +#ifdef CONFIG_GRKERNSEC
45595 +extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
45596 + const time_t shm_createtime, const uid_t cuid,
45597 + const int shmid);
45598 +extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
45599 + const time_t shm_createtime);
45602 void shm_init_ns(struct ipc_namespace *ns)
45604 ns->shm_ctlmax = SHMMAX;
45605 @@ -398,6 +406,14 @@ static int newseg(struct ipc_namespace *
45606 shp->shm_lprid = 0;
45607 shp->shm_atim = shp->shm_dtim = 0;
45608 shp->shm_ctim = get_seconds();
45609 +#ifdef CONFIG_GRKERNSEC
45611 + struct timespec timeval;
45612 + do_posix_clock_monotonic_gettime(&timeval);
45614 + shp->shm_createtime = timeval.tv_sec;
45617 shp->shm_segsz = size;
45618 shp->shm_nattch = 0;
45619 shp->shm_file = file;
45620 @@ -881,9 +897,21 @@ long do_shmat(int shmid, char __user *sh
45624 +#ifdef CONFIG_GRKERNSEC
45625 + if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
45626 + shp->shm_perm.cuid, shmid) ||
45627 + !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
45633 path = shp->shm_file->f_path;
45636 +#ifdef CONFIG_GRKERNSEC
45637 + shp->shm_lapid = current->pid;
45639 size = i_size_read(path.dentry->d_inode);
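Review bot: `shp->shm_lapid = current->pid;` stores a raw thread id, whereas the stock kernel records the creator in `shm_cprid` as a thread-group id, so the ids passed to `gr_handle_shmat()` and `gr_chroot_shmat()` may not be in the same id space. That matters if those helpers compare `shm_lapid` with `shm_cprid` or look either one up as a process. The `shm_cprid` assignment and the helper bodies are outside this hunk, so this needs confirming. If they expect a tgid, use `shp->shm_lapid = task_tgid_vnr(current);`.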
45642 diff -urNp linux-2.6.33.1/kernel/acct.c linux-2.6.33.1/kernel/acct.c
45643 --- linux-2.6.33.1/kernel/acct.c 2010-03-15 12:09:39.000000000 -0400
45644 +++ linux-2.6.33.1/kernel/acct.c 2010-03-20 16:58:42.008931878 -0400
45645 @@ -579,7 +579,7 @@ static void do_acct_process(struct bsd_a
45647 flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
45648 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
45649 - file->f_op->write(file, (char *)&ac,
45650 + file->f_op->write(file, (__force char __user *)&ac,
45651 sizeof(acct_t), &file->f_pos);
45652 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
45654 diff -urNp linux-2.6.33.1/kernel/capability.c linux-2.6.33.1/kernel/capability.c
45655 --- linux-2.6.33.1/kernel/capability.c 2010-03-15 12:09:39.000000000 -0400
45656 +++ linux-2.6.33.1/kernel/capability.c 2010-03-20 16:58:42.008931878 -0400
45657 @@ -206,6 +206,9 @@ SYSCALL_DEFINE2(capget, cap_user_header_
45658 * before modification is attempted and the application
45661 + if (tocopy > ARRAY_SIZE(kdata))
45664 if (copy_to_user(dataptr, kdata, tocopy
45665 * sizeof(struct __user_cap_data_struct))) {
45667 @@ -307,10 +310,21 @@ int capable(int cap)
45671 - if (security_capable(cap) == 0) {
45672 + if (security_capable(cap) == 0 && gr_is_capable(cap)) {
45673 + current->flags |= PF_SUPERPRIV;
45679 +int capable_nolog(int cap)
45681 + if (security_capable(cap) == 0 && gr_is_capable_nolog(cap)) {
45682 current->flags |= PF_SUPERPRIV;
45688 EXPORT_SYMBOL(capable);
45689 +EXPORT_SYMBOL(capable_nolog);
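Review bot: `capable_nolog()` is exported but has no kernel-doc, and in the visible lines it differs from `capable()` only in calling `gr_is_capable_nolog()` instead of `gr_is_capable()`. Add a comment block above it stating that it performs the same capability check and still sets `PF_SUPERPRIV`, that it is presumably meant for callers that must not produce a grsecurity log entry, and when using it is appropriate. Lines of both function bodies are missing from this view, so whether `capable_nolog()` repeats any argument validation that `capable()` performs cannot be confirmed here and should be checked.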
45690 diff -urNp linux-2.6.33.1/kernel/configs.c linux-2.6.33.1/kernel/configs.c
45691 --- linux-2.6.33.1/kernel/configs.c 2010-03-15 12:09:39.000000000 -0400
45692 +++ linux-2.6.33.1/kernel/configs.c 2010-03-20 16:58:42.020953047 -0400
45693 @@ -73,8 +73,19 @@ static int __init ikconfig_init(void)
45694 struct proc_dir_entry *entry;
45696 /* create the current config file */
45697 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
45698 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)
45699 + entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
45700 + &ikconfig_file_ops);
45701 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45702 + entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
45703 + &ikconfig_file_ops);
45706 entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
45707 &ikconfig_file_ops);
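Review bot: In the new `#if` ladder the outer test is `CONFIG_GRKERNSEC_PROC_ADD || CONFIG_GRKERNSEC_HIDESYM`, but the inner branches only cover `PROC_USER`, `HIDESYM` and `PROC_USERGROUP`. With `PROC_ADD` set and none of those three, no `proc_create()` call appears to be compiled, and whatever follows would test an unassigned `entry`. Kconfig dependencies may rule that combination out, but nothing in this file says so. Add an inner `#else` with `#error "GRKERNSEC_PROC_ADD needs PROC_USER or PROC_USERGROUP"` so the invariant is enforced at build time. Some preprocessor lines of the hunk are missing from this view, so the exact nesting should be checked against the file.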
45713 diff -urNp linux-2.6.33.1/kernel/cpu.c linux-2.6.33.1/kernel/cpu.c
45714 --- linux-2.6.33.1/kernel/cpu.c 2010-03-15 12:09:39.000000000 -0400
45715 +++ linux-2.6.33.1/kernel/cpu.c 2010-03-20 16:58:42.028929112 -0400
45717 /* Serializes the updates to cpu_online_mask, cpu_present_mask */
45718 static DEFINE_MUTEX(cpu_add_remove_lock);
45720 -static __cpuinitdata RAW_NOTIFIER_HEAD(cpu_chain);
45721 +static RAW_NOTIFIER_HEAD(cpu_chain);
45723 /* If set, cpu_up and cpu_down will return -EBUSY and do nothing.
45724 * Should always be manipulated under cpu_add_remove_lock
45725 diff -urNp linux-2.6.33.1/kernel/cred.c linux-2.6.33.1/kernel/cred.c
45726 --- linux-2.6.33.1/kernel/cred.c 2010-03-15 12:09:39.000000000 -0400
45727 +++ linux-2.6.33.1/kernel/cred.c 2010-03-20 16:58:42.028929112 -0400
45728 @@ -520,6 +520,8 @@ int commit_creds(struct cred *new)
45730 get_cred(new); /* we will require a ref for the subj creds too */
45732 + gr_set_role_label(task, new->uid, new->gid);
45734 /* dumpability changes */
45735 if (old->euid != new->euid ||
45736 old->egid != new->egid ||
45737 diff -urNp linux-2.6.33.1/kernel/exit.c linux-2.6.33.1/kernel/exit.c
45738 --- linux-2.6.33.1/kernel/exit.c 2010-03-15 12:09:39.000000000 -0400
45739 +++ linux-2.6.33.1/kernel/exit.c 2010-03-20 16:58:42.032663961 -0400
45741 #include <asm/mmu_context.h>
45742 #include "cred-internals.h"
45744 +#ifdef CONFIG_GRKERNSEC
45745 +extern rwlock_t grsec_exec_file_lock;
45748 static void exit_mm(struct task_struct * tsk);
45750 static void __unhash_process(struct task_struct *p)
45751 @@ -168,6 +172,8 @@ void release_task(struct task_struct * p
45752 struct task_struct *leader;
45755 + gr_del_task_from_ip_table(p);
45757 tracehook_prepare_release_task(p);
45758 /* don't need to get the RCU readlock here - the process is dead and
45759 * can't be modifying its own credentials */
45760 @@ -335,11 +341,22 @@ static void reparent_to_kthreadd(void)
45762 write_lock_irq(&tasklist_lock);
45764 +#ifdef CONFIG_GRKERNSEC
45765 + write_lock(&grsec_exec_file_lock);
45766 + if (current->exec_file) {
45767 + fput(current->exec_file);
45768 + current->exec_file = NULL;
45770 + write_unlock(&grsec_exec_file_lock);
45773 ptrace_unlink(current);
45774 /* Reparent to init */
45775 current->real_parent = current->parent = kthreadd_task;
45776 list_move_tail(¤t->sibling, ¤t->real_parent->children);
45778 + gr_set_kernel_label(current);
45780 /* Set the exit signal to SIGCHLD so we signal init on exit */
45781 current->exit_signal = SIGCHLD;
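Review bot: `fput(current->exec_file)` runs while `grsec_exec_file_lock` is write-held and, in this function, inside the `write_lock_irq(&tasklist_lock)` section. Dropping the last reference to a file can sleep, which is not allowed there. Detach the pointer under the lock with `struct file *f = current->exec_file; current->exec_file = NULL;` and call `if (f) fput(f);` only after the locks are released, which here means after the tasklist_lock section ends outside the hunk. The identical block added to `daemonize()` further down has the same problem under `grsec_exec_file_lock`, and the two copies would be better as one helper.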
45783 @@ -391,7 +408,7 @@ int allow_signal(int sig)
45784 * know it'll be handled, so that they don't get converted to
45785 * SIGKILL or just silently dropped.
45787 - current->sighand->action[(sig)-1].sa.sa_handler = (void __user *)2;
45788 + current->sighand->action[(sig)-1].sa.sa_handler = (__force void __user *)2;
45789 recalc_sigpending();
45790 spin_unlock_irq(¤t->sighand->siglock);
45792 @@ -427,6 +444,17 @@ void daemonize(const char *name, ...)
45793 vsnprintf(current->comm, sizeof(current->comm), name, args);
45796 +#ifdef CONFIG_GRKERNSEC
45797 + write_lock(&grsec_exec_file_lock);
45798 + if (current->exec_file) {
45799 + fput(current->exec_file);
45800 + current->exec_file = NULL;
45802 + write_unlock(&grsec_exec_file_lock);
45805 + gr_set_kernel_label(current);
45808 * If we were started as result of loading a module, close all of the
45809 * user space pages. We don't need them, and if we didn't close them
45810 @@ -961,6 +989,9 @@ NORET_TYPE void do_exit(long code)
45811 tsk->exit_code = code;
45812 taskstats_exit(tsk, group_dead);
45814 + gr_acl_handle_psacct(tsk, code);
45815 + gr_acl_handle_exit();
45820 @@ -1180,7 +1211,7 @@ static int wait_task_zombie(struct wait_
45822 if (unlikely(wo->wo_flags & WNOWAIT)) {
45823 int exit_code = p->exit_code;
45827 get_task_struct(p);
45828 read_unlock(&tasklist_lock);
45829 diff -urNp linux-2.6.33.1/kernel/fork.c linux-2.6.33.1/kernel/fork.c
45830 --- linux-2.6.33.1/kernel/fork.c 2010-03-15 12:09:39.000000000 -0400
45831 +++ linux-2.6.33.1/kernel/fork.c 2010-03-20 16:58:42.032663961 -0400
45832 @@ -255,7 +255,7 @@ static struct task_struct *dup_task_stru
45833 *stackend = STACK_END_MAGIC; /* for overflow detection */
45835 #ifdef CONFIG_CC_STACKPROTECTOR
45836 - tsk->stack_canary = get_random_int();
45837 + tsk->stack_canary = pax_get_random_long();
45840 /* One for us, one for whoever does the "release_task()" (usually parent) */
45841 @@ -295,8 +295,8 @@ static int dup_mmap(struct mm_struct *mm
45844 mm->mmap_cache = NULL;
45845 - mm->free_area_cache = oldmm->mmap_base;
45846 - mm->cached_hole_size = ~0UL;
45847 + mm->free_area_cache = oldmm->free_area_cache;
45848 + mm->cached_hole_size = oldmm->cached_hole_size;
45850 cpumask_clear(mm_cpumask(mm));
45851 mm->mm_rb = RB_ROOT;
45852 @@ -336,6 +336,7 @@ static int dup_mmap(struct mm_struct *mm
45853 tmp->vm_flags &= ~VM_LOCKED;
45855 tmp->vm_next = NULL;
45856 + tmp->vm_mirror = NULL;
45857 anon_vma_link(tmp);
45858 file = tmp->vm_file;
45860 @@ -383,6 +384,31 @@ static int dup_mmap(struct mm_struct *mm
45865 +#ifdef CONFIG_PAX_SEGMEXEC
45866 + if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
45867 + struct vm_area_struct *mpnt_m;
45869 + for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
45870 + BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
45872 + if (!mpnt->vm_mirror)
45875 + if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
45876 + BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
45877 + mpnt->vm_mirror = mpnt_m;
45879 + BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
45880 + mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
45881 + mpnt_m->vm_mirror->vm_mirror = mpnt_m;
45882 + mpnt->vm_mirror->vm_mirror = mpnt;
45889 /* a new mm has just been created */
45890 arch_dup_mmap(oldmm, mm);
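Review bot: The mirror fix-up loop walks `oldmm->mmap` and `mm->mmap` in lockstep through `vm_next`, so it is only correct if the copy loop above produced exactly one new vma per old vma, in the same order. Any vma the copy loop skips would desynchronise the walk and end in one of the `BUG_ON()`s, turning a bookkeeping mismatch into a kernel crash. The copy loop is outside this hunk, so whether it can skip entries for a SEGMEXEC mm needs checking against the full function. At minimum, add a comment above the `for` stating that one-to-one invariant. The comment should also say that the parent's `mpnt->vm_mirror` is temporarily pointed at the child's vma in the lower-half branch and restored by `mpnt->vm_mirror->vm_mirror = mpnt;`.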
45892 @@ -733,7 +759,7 @@ static int copy_fs(unsigned long clone_f
45893 write_unlock(&fs->lock);
45897 + atomic_inc(&fs->users);
45898 write_unlock(&fs->lock);
45901 @@ -1032,10 +1058,13 @@ static struct task_struct *copy_process(
45902 DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
45906 + gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
45908 if (atomic_read(&p->real_cred->user->processes) >=
45909 p->signal->rlim[RLIMIT_NPROC].rlim_cur) {
45910 - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
45911 - p->real_cred->user != INIT_USER)
45912 + if (p->real_cred->user != INIT_USER &&
45913 + !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN))
45914 goto bad_fork_free;
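Review bot: The reordered condition now tests `p->real_cred->user != INIT_USER` before either `capable()` call, and `CAP_SYS_RESOURCE` before `CAP_SYS_ADMIN`, but nothing in the code says the order is intentional. `capable()` has side effects (it sets `PF_SUPERPRIV`, and with this patch it also goes through `gr_is_capable()`), so a later cleanup could silently restore the old order. Add a comment above the `if`, for example `/* test INIT_USER first: capable() sets PF_SUPERPRIV and calls into gr_is_capable() */`. `copy_process()` continues outside the hunk.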
45917 @@ -1064,6 +1093,10 @@ static struct task_struct *copy_process(
45918 p->vfork_done = NULL;
45919 spin_lock_init(&p->alloc_lock);
45921 +#ifdef CONFIG_GRKERNSEC
45922 + rwlock_init(&p->gr_fs_lock);
45925 init_sigpending(&p->pending);
45927 p->utime = cputime_zero;
45928 @@ -1190,6 +1223,8 @@ static struct task_struct *copy_process(
45929 goto bad_fork_free_pid;
45932 + gr_copy_label(p);
45934 p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
45936 * Clear TID on mm_release()?
45937 @@ -1342,6 +1377,8 @@ bad_fork_cleanup_count:
45941 + gr_log_forkfail(retval);
45943 return ERR_PTR(retval);
45946 @@ -1435,6 +1472,8 @@ long do_fork(unsigned long clone_flags,
45947 if (clone_flags & CLONE_PARENT_SETTID)
45948 put_user(nr, parent_tidptr);
45950 + gr_handle_brute_check();
45952 if (clone_flags & CLONE_VFORK) {
45953 p->vfork_done = &vfork;
45954 init_completion(&vfork);
45955 @@ -1567,7 +1606,7 @@ static int unshare_fs(unsigned long unsh
45958 /* don't need lock here; in the worst case we'll do useless copy */
45959 - if (fs->users == 1)
45960 + if (atomic_read(&fs->users) == 1)
45963 *new_fsp = copy_fs_struct(fs);
45964 @@ -1687,14 +1726,18 @@ SYSCALL_DEFINE1(unshare, unsigned long,
45965 task_lock(current);
45968 + unsigned long flags;
45970 + gr_fs_write_lock_irqsave(current, flags);
45972 write_lock(&fs->lock);
45973 current->fs = new_fs;
45975 + if (atomic_dec_return(&fs->users))
45979 write_unlock(&fs->lock);
45980 + gr_fs_write_unlock_irqrestore(current, flags);
45984 diff -urNp linux-2.6.33.1/kernel/futex.c linux-2.6.33.1/kernel/futex.c
45985 --- linux-2.6.33.1/kernel/futex.c 2010-03-15 12:09:39.000000000 -0400
45986 +++ linux-2.6.33.1/kernel/futex.c 2010-03-20 16:58:42.048537218 -0400
45988 #include <linux/mount.h>
45989 #include <linux/pagemap.h>
45990 #include <linux/syscalls.h>
45991 +#include <linux/ptrace.h>
45992 #include <linux/signal.h>
45993 #include <linux/module.h>
45994 #include <linux/magic.h>
45995 @@ -221,6 +222,11 @@ get_futex_key(u32 __user *uaddr, int fsh
45999 +#ifdef CONFIG_PAX_SEGMEXEC
46000 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
46005 * The futex address must be "naturally" aligned.
46007 @@ -1852,7 +1858,7 @@ retry:
46009 restart = ¤t_thread_info()->restart_block;
46010 restart->fn = futex_wait_restart;
46011 - restart->futex.uaddr = (u32 *)uaddr;
46012 + restart->futex.uaddr = uaddr;
46013 restart->futex.val = val;
46014 restart->futex.time = abs_time->tv64;
46015 restart->futex.bitset = bitset;
46016 @@ -2385,7 +2391,10 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
46018 struct robust_list_head __user *head;
46020 - const struct cred *cred = current_cred(), *pcred;
46021 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
46022 + const struct cred *cred = current_cred();
46023 + const struct cred *pcred;
46026 if (!futex_cmpxchg_enabled)
46028 @@ -2401,11 +2410,16 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
46032 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
46033 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
46036 pcred = __task_cred(p);
46037 if (cred->euid != pcred->euid &&
46038 cred->euid != pcred->uid &&
46039 !capable(CAP_SYS_PTRACE))
46042 head = p->robust_list;
46045 @@ -2467,7 +2481,7 @@ retry:
46047 static inline int fetch_robust_entry(struct robust_list __user **entry,
46048 struct robust_list __user * __user *head,
46050 + unsigned int *pi)
46052 unsigned long uentry;
46054 diff -urNp linux-2.6.33.1/kernel/futex_compat.c linux-2.6.33.1/kernel/futex_compat.c
46055 --- linux-2.6.33.1/kernel/futex_compat.c 2010-03-15 12:09:39.000000000 -0400
46056 +++ linux-2.6.33.1/kernel/futex_compat.c 2010-03-20 16:58:42.048537218 -0400
46058 #include <linux/compat.h>
46059 #include <linux/nsproxy.h>
46060 #include <linux/futex.h>
46061 +#include <linux/ptrace.h>
46063 #include <asm/uaccess.h>
46065 @@ -135,7 +136,10 @@ compat_sys_get_robust_list(int pid, comp
46067 struct compat_robust_list_head __user *head;
46069 - const struct cred *cred = current_cred(), *pcred;
46070 + const struct cred *cred = current_cred();
46071 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
46072 + const struct cred *pcred;
46075 if (!futex_cmpxchg_enabled)
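Review bot: Only `pcred` is placed inside `#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP` here, so with that option enabled `cred` is declared and initialised but, as far as the next hunk shows, never used. kernel/futex.c in the same patch guards both declarations. Make the two files match by moving `const struct cred *cred = current_cred();` below the `#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP` line. The function body continues outside this hunk.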
46077 @@ -151,11 +155,16 @@ compat_sys_get_robust_list(int pid, comp
46081 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
46082 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
46085 pcred = __task_cred(p);
46086 if (cred->euid != pcred->euid &&
46087 cred->euid != pcred->uid &&
46088 !capable(CAP_SYS_PTRACE))
46091 head = p->compat_robust_list;
46092 read_unlock(&tasklist_lock);
46094 diff -urNp linux-2.6.33.1/kernel/gcov/base.c linux-2.6.33.1/kernel/gcov/base.c
46095 --- linux-2.6.33.1/kernel/gcov/base.c 2010-03-15 12:09:39.000000000 -0400
46096 +++ linux-2.6.33.1/kernel/gcov/base.c 2010-03-20 16:58:42.048537218 -0400
46097 @@ -102,11 +102,6 @@ void gcov_enable_events(void)
46100 #ifdef CONFIG_MODULES
46101 -static inline int within(void *addr, void *start, unsigned long size)
46103 - return ((addr >= start) && (addr < start + size));
46106 /* Update list and generate events when modules are unloaded. */
46107 static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
46109 @@ -121,7 +116,7 @@ static int gcov_module_notifier(struct n
46111 /* Remove entries located in module from linked list. */
46112 for (info = gcov_info_head; info; info = info->next) {
46113 - if (within(info, mod->module_core, mod->core_size)) {
46114 + if (within_module_core_rw((unsigned long)info, mod)) {
46116 prev->next = info->next;
46118 diff -urNp linux-2.6.33.1/kernel/hrtimer.c linux-2.6.33.1/kernel/hrtimer.c
46119 --- linux-2.6.33.1/kernel/hrtimer.c 2010-03-15 12:09:39.000000000 -0400
46120 +++ linux-2.6.33.1/kernel/hrtimer.c 2010-03-20 16:58:42.048537218 -0400
46121 @@ -1398,7 +1398,7 @@ void hrtimer_peek_ahead_timers(void)
46122 local_irq_restore(flags);
46125 -static void run_hrtimer_softirq(struct softirq_action *h)
46126 +static void run_hrtimer_softirq(void)
46128 hrtimer_peek_ahead_timers();
46130 diff -urNp linux-2.6.33.1/kernel/kallsyms.c linux-2.6.33.1/kernel/kallsyms.c
46131 --- linux-2.6.33.1/kernel/kallsyms.c 2010-03-15 12:09:39.000000000 -0400
46132 +++ linux-2.6.33.1/kernel/kallsyms.c 2010-03-20 16:58:42.064920323 -0400
46134 * Changed the compression method from stem compression to "table lookup"
46135 * compression (see scripts/kallsyms.c for a more complete description)
46137 +#ifdef CONFIG_GRKERNSEC_HIDESYM
46138 +#define __INCLUDED_BY_HIDESYM 1
46140 #include <linux/kallsyms.h>
46141 #include <linux/module.h>
46142 #include <linux/init.h>
46143 @@ -51,6 +54,9 @@ extern const unsigned long kallsyms_mark
46145 static inline int is_kernel_inittext(unsigned long addr)
46147 + if (system_state != SYSTEM_BOOTING)
46150 if (addr >= (unsigned long)_sinittext
46151 && addr <= (unsigned long)_einittext)
46153 @@ -67,6 +73,24 @@ static inline int is_kernel_text(unsigne
46155 static inline int is_kernel(unsigned long addr)
46157 + if (is_kernel_inittext(addr))
46160 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
46161 + if ((unsigned long)MODULES_EXEC_VADDR <= ktla_ktva(addr) && ktla_ktva(addr) <= (unsigned long)MODULES_EXEC_END)
46164 + if (is_kernel_text(addr))
46167 + if (ktla_ktva((unsigned long)_stext) <= addr && addr < ktla_ktva((unsigned long)_etext))
46170 + if ((addr >= (unsigned long)_sdata && addr <= (unsigned long)_end))
46172 + return in_gate_area_no_task(addr);
46175 if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
46177 return in_gate_area_no_task(addr);
46178 @@ -414,7 +438,6 @@ static unsigned long get_ksymbol_core(st
46180 static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
46182 - iter->name[0] = '\0';
46183 iter->nameoff = get_symbol_offset(new_pos);
46184 iter->pos = new_pos;
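Review bot: With `iter->name[0] = '\0';` removed, `reset_iter()` no longer leaves the iterator with an empty name. The only thing that guarantees an empty name on first use is the `kmalloc()` to `kzalloc()` change in `kallsyms_open()` further down. If `reset_iter()` is also reached after the iterator has been used (its other callers are outside this hunk), `name` keeps the previous symbol, and `s_show()` decides whether to print from `iter->name[0]`. Either keep the assignment, or add a comment in `reset_iter()` stating that the buffer is zeroed at allocation and why stale contents after a reset are acceptable.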
46186 @@ -462,6 +485,11 @@ static int s_show(struct seq_file *m, vo
46188 struct kallsym_iter *iter = m->private;
46190 +#ifdef CONFIG_GRKERNSEC_HIDESYM
46191 + if (current_uid())
46195 /* Some debugging symbols have no name. Ignore them. */
46196 if (!iter->name[0])
46198 @@ -502,7 +530,7 @@ static int kallsyms_open(struct inode *i
46199 struct kallsym_iter *iter;
46202 - iter = kmalloc(sizeof(*iter), GFP_KERNEL);
46203 + iter = kzalloc(sizeof(*iter), GFP_KERNEL);
46206 reset_iter(iter, 0);
46207 diff -urNp linux-2.6.33.1/kernel/kgdb.c linux-2.6.33.1/kernel/kgdb.c
46208 --- linux-2.6.33.1/kernel/kgdb.c 2010-03-15 12:09:39.000000000 -0400
46209 +++ linux-2.6.33.1/kernel/kgdb.c 2010-03-20 16:58:42.068659558 -0400
46210 @@ -86,7 +86,7 @@ static int kgdb_io_module_registered;
46211 /* Guard for recursive entry */
46212 static int exception_level;
46214 -static struct kgdb_io *kgdb_io_ops;
46215 +static const struct kgdb_io *kgdb_io_ops;
46216 static DEFINE_SPINLOCK(kgdb_registration_lock);
46218 /* kgdb console driver is loaded */
46219 @@ -1664,7 +1664,7 @@ static void kgdb_initial_breakpoint(void
46221 * Register it with the KGDB core.
46223 -int kgdb_register_io_module(struct kgdb_io *new_kgdb_io_ops)
46224 +int kgdb_register_io_module(const struct kgdb_io *new_kgdb_io_ops)
46228 @@ -1709,7 +1709,7 @@ EXPORT_SYMBOL_GPL(kgdb_register_io_modul
46230 * Unregister it with the KGDB core.
46232 -void kgdb_unregister_io_module(struct kgdb_io *old_kgdb_io_ops)
46233 +void kgdb_unregister_io_module(const struct kgdb_io *old_kgdb_io_ops)
46235 BUG_ON(kgdb_connected);
46237 diff -urNp linux-2.6.33.1/kernel/kmod.c linux-2.6.33.1/kernel/kmod.c
46238 --- linux-2.6.33.1/kernel/kmod.c 2010-03-15 12:09:39.000000000 -0400
46239 +++ linux-2.6.33.1/kernel/kmod.c 2010-03-20 16:58:42.068659558 -0400
46240 @@ -90,6 +90,18 @@ int __request_module(bool wait, const ch
46244 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
46245 + /* we could do a tighter check here, but some distros
46246 + are taking it upon themselves to remove CAP_SYS_MODULE
46247 + from even root-running apps which cause modules to be
46250 + if (current_uid()) {
46251 + gr_log_nonroot_mod_load(module_name);
46256 /* If modprobe needs a service that is in a module, we get a recursive
46257 * loop. Limit the number of running kmod threads to max_threads/2 or
46258 * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method
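Review bot: The MODHARDEN gate tests `current_uid()`, the real uid, so a set-uid-root program started by an ordinary user is refused module auto-loading too, while a uid 0 process without CAP_SYS_MODULE is allowed. The existing comment explains the second half but not the first. If that is intended, a line such as `/* real uid on purpose: set-uid helpers run by non-root users are refused as well */` would record it. The statements after gr_log_nonroot_mod_load() are not visible in this listing.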
46259 diff -urNp linux-2.6.33.1/kernel/kprobes.c linux-2.6.33.1/kernel/kprobes.c
46260 --- linux-2.6.33.1/kernel/kprobes.c 2010-03-15 12:09:39.000000000 -0400
46261 +++ linux-2.6.33.1/kernel/kprobes.c 2010-03-20 16:58:42.068659558 -0400
46262 @@ -186,7 +186,7 @@ static kprobe_opcode_t __kprobes *__get_
46263 * kernel image and loaded module images reside. This is required
46264 * so x86_64 can correctly handle the %rip-relative fixups.
46266 - kip->insns = module_alloc(PAGE_SIZE);
46267 + kip->insns = module_alloc_exec(PAGE_SIZE);
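Review bot: Instruction-slot pages now come from module_alloc_exec(), but the comment above the call still explains only the %rip-relative placement requirement. If the contract is that such pages are released with module_free_exec() and written only inside a pax_open_kernel() window, say so here: `/* executable module area: free with module_free_exec() */`. The matching free is in the collect_one_slot hunk below; the code that copies instructions into a slot is outside both hunks, so its handling of the now read-only mapping is an assumption to confirm.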
46271 @@ -223,7 +223,7 @@ static int __kprobes collect_one_slot(st
46273 if (!list_is_singular(&kprobe_insn_pages)) {
46274 list_del(&kip->list);
46275 - module_free(NULL, kip->insns);
46276 + module_free_exec(NULL, kip->insns);
46280 diff -urNp linux-2.6.33.1/kernel/lockdep.c linux-2.6.33.1/kernel/lockdep.c
46281 --- linux-2.6.33.1/kernel/lockdep.c 2010-03-15 12:09:39.000000000 -0400
46282 +++ linux-2.6.33.1/kernel/lockdep.c 2010-03-20 16:58:42.072946288 -0400
46283 @@ -586,6 +586,10 @@ static int static_obj(void *obj)
46287 +#ifdef CONFIG_PAX_KERNEXEC
46288 + start = ktla_ktva(start);
46294 @@ -601,8 +605,7 @@ static int static_obj(void *obj)
46296 for_each_possible_cpu(i) {
46297 start = (unsigned long) &__per_cpu_start + per_cpu_offset(i);
46298 - end = (unsigned long) &__per_cpu_start + PERCPU_ENOUGH_ROOM
46299 - + per_cpu_offset(i);
46300 + end = start + PERCPU_ENOUGH_ROOM;
46302 if ((addr >= start) && (addr < end))
46304 @@ -719,6 +722,7 @@ register_lock_class(struct lockdep_map *
46305 if (!static_obj(lock->key)) {
46307 printk("INFO: trying to register non-static key.\n");
46308 + printk("lock:%pS key:%pS.\n", lock, lock->key);
46309 printk("the code is fine but needs lockdep annotation.\n");
46310 printk("turning off the locking correctness validator.\n");
46312 diff -urNp linux-2.6.33.1/kernel/module.c linux-2.6.33.1/kernel/module.c
46313 --- linux-2.6.33.1/kernel/module.c 2010-03-15 12:09:39.000000000 -0400
46314 +++ linux-2.6.33.1/kernel/module.c 2010-03-20 16:58:42.072946288 -0400
46315 @@ -89,7 +89,8 @@ static DECLARE_WAIT_QUEUE_HEAD(module_wq
46316 static BLOCKING_NOTIFIER_HEAD(module_notify_list);
46318 /* Bounds of module allocation, for speeding __module_address */
46319 -static unsigned long module_addr_min = -1UL, module_addr_max = 0;
46320 +static unsigned long module_addr_min_rw = -1UL, module_addr_max_rw = 0;
46321 +static unsigned long module_addr_min_rx = -1UL, module_addr_max_rx = 0;
46323 int register_module_notifier(struct notifier_block * nb)
46325 @@ -245,7 +246,7 @@ bool each_symbol(bool (*fn)(const struct
46328 list_for_each_entry_rcu(mod, &modules, list) {
46329 - struct symsearch arr[] = {
46330 + struct symsearch modarr[] = {
46331 { mod->syms, mod->syms + mod->num_syms, mod->crcs,
46332 NOT_GPL_ONLY, false },
46333 { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
46334 @@ -267,7 +268,7 @@ bool each_symbol(bool (*fn)(const struct
46338 - if (each_symbol_in_section(arr, ARRAY_SIZE(arr), mod, fn, data))
46339 + if (each_symbol_in_section(modarr, ARRAY_SIZE(modarr), mod, fn, data))
46343 @@ -375,7 +376,7 @@ static void *percpu_modalloc(unsigned lo
46347 - if (align > PAGE_SIZE) {
46348 + if (align-1 >= PAGE_SIZE) {
46349 printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
46350 name, align, PAGE_SIZE);
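Review bot: `align-1 >= PAGE_SIZE` rejects an alignment of zero only through unsigned wrap-around, which is easy to misread as an off-by-one variant of the old test. Spelling it out as `if (align == 0 || align > PAGE_SIZE) {` gives the same result for an unsigned `align` and needs no comment. The warning text still reads "per-cpu alignment %li > %li", which prints a misleading "0 > PAGE_SIZE" style line in the zero case. The declaration of `align` is outside the hunk; the truncated hunk header suggests it is `unsigned long`.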
46352 @@ -1393,7 +1394,8 @@ static void free_module(struct module *m
46353 destroy_params(mod->kp, mod->num_kp);
46355 /* This may be NULL, but that's OK */
46356 - module_free(mod, mod->module_init);
46357 + module_free(mod, mod->module_init_rw);
46358 + module_free_exec(mod, mod->module_init_rx);
46361 percpu_modfree(mod->percpu);
46362 @@ -1402,10 +1404,12 @@ static void free_module(struct module *m
46363 percpu_modfree(mod->refptr);
46365 /* Free lock-classes: */
46366 - lockdep_free_key_range(mod->module_core, mod->core_size);
46367 + lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
46368 + lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
46370 /* Finally, free the core (containing the module structure) */
46371 - module_free(mod, mod->module_core);
46372 + module_free_exec(mod, mod->module_core_rx);
46373 + module_free(mod, mod->module_core_rw);
46376 update_protections(current->mm);
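Review bot: The comment "Finally, free the core (containing the module structure)" now sits above two frees, and only one of the two regions can hold struct module. If that is the writable region, as the ordering suggests, the comment should say so: `/* Free core_rx first; core_rw holds struct module and must go last */`. The same applies to "mod will be freed with core" in the load_module cleanup hunk further down, where `module_free(mod, mod->module_core_rw)` is also the last call. Both module_free_exec() calls take `mod` as an argument, so reversing the order in either place would pass a freed pointer to the second call.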
46377 @@ -1499,7 +1503,9 @@ static int simplify_symbols(Elf_Shdr *se
46378 strtab + sym[i].st_name, mod);
46379 /* Ok if resolved. */
46381 + pax_open_kernel();
46382 sym[i].st_value = ksym->value;
46383 + pax_close_kernel();
46387 @@ -1518,7 +1524,9 @@ static int simplify_symbols(Elf_Shdr *se
46388 secbase = (unsigned long)mod->percpu;
46390 secbase = sechdrs[sym[i].st_shndx].sh_addr;
46391 + pax_open_kernel();
46392 sym[i].st_value += secbase;
46393 + pax_close_kernel();
46397 @@ -1579,11 +1587,12 @@ static void layout_sections(struct modul
46398 || s->sh_entsize != ~0UL
46399 || strstarts(secstrings + s->sh_name, ".init"))
46401 - s->sh_entsize = get_offset(mod, &mod->core_size, s, i);
46402 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
46403 + s->sh_entsize = get_offset(mod, &mod->core_size_rw, s, i);
46405 + s->sh_entsize = get_offset(mod, &mod->core_size_rx, s, i);
46406 DEBUGP("\t%s\n", secstrings + s->sh_name);
46409 - mod->core_text_size = mod->core_size;
46412 DEBUGP("Init section allocation order:\n");
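Review bot: The test `(s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC)` that chooses between the rw and rx regions is written out here, again in the init half of layout_sections, and twice more in the load_module copy loop, with its negation used for the KERNEXEC memcpy. These copies must stay identical or a section is sized in one region and copied into the other, so one helper is safer, e.g. a new `static bool section_is_rw(const Elf_Shdr *s) { return (s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC); }`. In the copy loop the `!SHF_ALLOC` half looks unreachable, because non-ALLOC sections are skipped just above it. A short comment that every non-writable section, read-only data included, lands in the executable region would also help readers.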
46413 @@ -1596,12 +1605,13 @@ static void layout_sections(struct modul
46414 || s->sh_entsize != ~0UL
46415 || !strstarts(secstrings + s->sh_name, ".init"))
46417 - s->sh_entsize = (get_offset(mod, &mod->init_size, s, i)
46418 - | INIT_OFFSET_MASK);
46419 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
46420 + s->sh_entsize = get_offset(mod, &mod->init_size_rw, s, i);
46422 + s->sh_entsize = get_offset(mod, &mod->init_size_rx, s, i);
46423 + s->sh_entsize |= INIT_OFFSET_MASK;
46424 DEBUGP("\t%s\n", secstrings + s->sh_name);
46427 - mod->init_text_size = mod->init_size;
46431 @@ -1705,9 +1715,8 @@ static int is_exported(const char *name,
46434 static char elf_type(const Elf_Sym *sym,
46435 - Elf_Shdr *sechdrs,
46436 - const char *secstrings,
46437 - struct module *mod)
46438 + const Elf_Shdr *sechdrs,
46439 + const char *secstrings)
46441 if (ELF_ST_BIND(sym->st_info) == STB_WEAK) {
46442 if (ELF_ST_TYPE(sym->st_info) == STT_OBJECT)
46443 @@ -1782,7 +1791,7 @@ static unsigned long layout_symtab(struc
46445 /* Put symbol section at end of init part of module. */
46446 symsect->sh_flags |= SHF_ALLOC;
46447 - symsect->sh_entsize = get_offset(mod, &mod->init_size, symsect,
46448 + symsect->sh_entsize = get_offset(mod, &mod->init_size_rx, symsect,
46449 symindex) | INIT_OFFSET_MASK;
46450 DEBUGP("\t%s\n", secstrings + symsect->sh_name);
46452 @@ -1799,19 +1808,19 @@ static unsigned long layout_symtab(struc
46455 /* Append room for core symbols at end of core part. */
46456 - symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
46457 - mod->core_size = symoffs + ndst * sizeof(Elf_Sym);
46458 + symoffs = ALIGN(mod->core_size_rx, symsect->sh_addralign ?: 1);
46459 + mod->core_size_rx = symoffs + ndst * sizeof(Elf_Sym);
46461 /* Put string table section at end of init part of module. */
46462 strsect->sh_flags |= SHF_ALLOC;
46463 - strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect,
46464 + strsect->sh_entsize = get_offset(mod, &mod->init_size_rx, strsect,
46465 strindex) | INIT_OFFSET_MASK;
46466 DEBUGP("\t%s\n", secstrings + strsect->sh_name);
46468 /* Append room for core symbols' strings at end of core part. */
46469 - *pstroffs = mod->core_size;
46470 + *pstroffs = mod->core_size_rx;
46471 __set_bit(0, strmap);
46472 - mod->core_size += bitmap_weight(strmap, strsect->sh_size);
46473 + mod->core_size_rx += bitmap_weight(strmap, strsect->sh_size);
46477 @@ -1835,12 +1844,14 @@ static void add_kallsyms(struct module *
46478 mod->num_symtab = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
46479 mod->strtab = (void *)sechdrs[strindex].sh_addr;
46481 + pax_open_kernel();
46483 /* Set types up while we still have access to sections. */
46484 for (i = 0; i < mod->num_symtab; i++)
46485 mod->symtab[i].st_info
46486 - = elf_type(&mod->symtab[i], sechdrs, secstrings, mod);
46487 + = elf_type(&mod->symtab[i], sechdrs, secstrings);
46489 - mod->core_symtab = dst = mod->module_core + symoffs;
46490 + mod->core_symtab = dst = mod->module_core_rx + symoffs;
46493 for (ndst = i = 1; i < mod->num_symtab; ++i, ++src) {
46494 @@ -1852,10 +1863,12 @@ static void add_kallsyms(struct module *
46496 mod->core_num_syms = ndst;
46498 - mod->core_strtab = s = mod->module_core + stroffs;
46499 + mod->core_strtab = s = mod->module_core_rx + stroffs;
46500 for (*s = 0, i = 1; i < sechdrs[strindex].sh_size; ++i)
46501 if (test_bit(i, strmap))
46502 *++s = mod->strtab[i];
46504 + pax_close_kernel();
46507 static inline unsigned long layout_symtab(struct module *mod,
46508 @@ -1892,16 +1905,30 @@ static void dynamic_debug_setup(struct _
46512 -static void *module_alloc_update_bounds(unsigned long size)
46513 +static void *module_alloc_update_bounds_rw(unsigned long size)
46515 void *ret = module_alloc(size);
46518 /* Update module bounds. */
46519 - if ((unsigned long)ret < module_addr_min)
46520 - module_addr_min = (unsigned long)ret;
46521 - if ((unsigned long)ret + size > module_addr_max)
46522 - module_addr_max = (unsigned long)ret + size;
46523 + if ((unsigned long)ret < module_addr_min_rw)
46524 + module_addr_min_rw = (unsigned long)ret;
46525 + if ((unsigned long)ret + size > module_addr_max_rw)
46526 + module_addr_max_rw = (unsigned long)ret + size;
46531 +static void *module_alloc_update_bounds_rx(unsigned long size)
46533 + void *ret = module_alloc_exec(size);
46536 + /* Update module bounds. */
46537 + if ((unsigned long)ret < module_addr_min_rx)
46538 + module_addr_min_rx = (unsigned long)ret;
46539 + if ((unsigned long)ret + size > module_addr_max_rx)
46540 + module_addr_max_rx = (unsigned long)ret + size;
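Review bot: module_alloc_update_bounds_rw() and module_alloc_update_bounds_rx() differ only in the allocator they call and the pair of bounds they update, so the bounds arithmetic is now duplicated. Moving it into one static helper that takes pointers to the minimum and maximum keeps the two ranges from drifting apart. Lines between the allocation and the bounds update are missing from this listing, so the helper should be called wherever the existing code already knows `ret` is valid.

```c
static void module_update_bounds(void *ret, unsigned long size,
				 unsigned long *min, unsigned long *max)
{
	if ((unsigned long)ret < *min)
		*min = (unsigned long)ret;
	if ((unsigned long)ret + size > *max)
		*max = (unsigned long)ret + size;
}

static void *module_alloc_update_bounds_rx(unsigned long size)
{
	void *ret = module_alloc_exec(size);
	/* … unchanged: validity check on ret … */
	module_update_bounds(ret, size, &module_addr_min_rx, &module_addr_max_rx);
	/* … unchanged: return … */
```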
46544 @@ -2108,7 +2135,7 @@ static noinline struct module *load_modu
46545 secstrings, &stroffs, strmap);
46547 /* Do the allocs. */
46548 - ptr = module_alloc_update_bounds(mod->core_size);
46549 + ptr = module_alloc_update_bounds_rw(mod->core_size_rw);
46551 * The pointer to this block is stored in the module structure
46552 * which is inside the block. Just mark it as not being a
46553 @@ -2119,23 +2146,47 @@ static noinline struct module *load_modu
46557 - memset(ptr, 0, mod->core_size);
46558 - mod->module_core = ptr;
46559 + memset(ptr, 0, mod->core_size_rw);
46560 + mod->module_core_rw = ptr;
46562 - ptr = module_alloc_update_bounds(mod->init_size);
46563 + ptr = module_alloc_update_bounds_rw(mod->init_size_rw);
46565 * The pointer to this block is stored in the module structure
46566 * which is inside the block. This block doesn't need to be
46567 * scanned as it contains data and code that will be freed
46568 * after the module is initialized.
46570 - kmemleak_ignore(ptr);
46571 - if (!ptr && mod->init_size) {
46572 + kmemleak_not_leak(ptr);
46573 + if (!ptr && mod->init_size_rw) {
46575 + goto free_core_rw;
46577 + memset(ptr, 0, mod->init_size_rw);
46578 + mod->module_init_rw = ptr;
46580 + ptr = module_alloc_update_bounds_rx(mod->core_size_rx);
46581 + kmemleak_not_leak(ptr);
46585 + goto free_init_rw;
46587 - memset(ptr, 0, mod->init_size);
46588 - mod->module_init = ptr;
46590 + pax_open_kernel();
46591 + memset(ptr, 0, mod->core_size_rx);
46592 + pax_close_kernel();
46593 + mod->module_core_rx = ptr;
46595 + ptr = module_alloc_update_bounds_rx(mod->init_size_rx);
46596 + kmemleak_not_leak(ptr);
46597 + if (!ptr && mod->init_size_rx) {
46599 + goto free_core_rx;
46602 + pax_open_kernel();
46603 + memset(ptr, 0, mod->init_size_rx);
46604 + pax_close_kernel();
46605 + mod->module_init_rx = ptr;
46607 /* Transfer each section which specifies SHF_ALLOC */
46608 DEBUGP("final section addresses:\n");
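Review bot: The init block's call changes from kmemleak_ignore() to kmemleak_not_leak(), but the comment directly above it still says "This block doesn't need to be scanned". kmemleak_not_leak() only suppresses the leak report and keeps the block in the scan set, whereas kmemleak_ignore() also stops scanning it, so comment and code now disagree. Either keep kmemleak_ignore() for the init regions or reword the comment to `This block is never reported as a leak; it is freed after the module is initialized.` The same call is added for core_rx and init_rx later in this hunk with no comment explaining the choice.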
46609 @@ -2145,17 +2196,41 @@ static noinline struct module *load_modu
46610 if (!(sechdrs[i].sh_flags & SHF_ALLOC))
46613 - if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK)
46614 - dest = mod->module_init
46615 - + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
46617 - dest = mod->module_core + sechdrs[i].sh_entsize;
46618 + if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK) {
46619 + if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
46620 + dest = mod->module_init_rw
46621 + + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
46623 + dest = mod->module_init_rx
46624 + + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
46626 + if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
46627 + dest = mod->module_core_rw + sechdrs[i].sh_entsize;
46629 + dest = mod->module_core_rx + sechdrs[i].sh_entsize;
46632 + if (sechdrs[i].sh_type != SHT_NOBITS) {
46634 +#ifdef CONFIG_PAX_KERNEXEC
46635 + if (!(sechdrs[i].sh_flags & SHF_WRITE) && (sechdrs[i].sh_flags & SHF_ALLOC)) {
46636 + pax_open_kernel();
46637 + memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
46638 + pax_close_kernel();
46642 - if (sechdrs[i].sh_type != SHT_NOBITS)
46643 - memcpy(dest, (void *)sechdrs[i].sh_addr,
46644 - sechdrs[i].sh_size);
46645 + memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
46647 /* Update sh_addr to point to copy in image. */
46648 - sechdrs[i].sh_addr = (unsigned long)dest;
46650 +#ifdef CONFIG_PAX_KERNEXEC
46651 + if (sechdrs[i].sh_flags & SHF_EXECINSTR)
46652 + sechdrs[i].sh_addr = ktva_ktla((unsigned long)dest);
46656 + sechdrs[i].sh_addr = (unsigned long)dest;
46657 DEBUGP("\t0x%lx %s\n", sechdrs[i].sh_addr, secstrings + sechdrs[i].sh_name);
46659 /* Module has been moved. */
46660 @@ -2167,7 +2242,7 @@ static noinline struct module *load_modu
46662 if (!mod->refptr) {
46665 + goto free_init_rx;
46668 /* Now we've moved module, initialize linked lists, etc. */
46669 @@ -2282,8 +2357,8 @@ static noinline struct module *load_modu
46671 /* Now do relocations. */
46672 for (i = 1; i < hdr->e_shnum; i++) {
46673 - const char *strtab = (char *)sechdrs[strindex].sh_addr;
46674 unsigned int info = sechdrs[i].sh_info;
46675 + strtab = (char *)sechdrs[strindex].sh_addr;
46677 /* Not a valid relocation section? */
46678 if (info >= hdr->e_shnum)
46679 @@ -2344,12 +2419,12 @@ static noinline struct module *load_modu
46680 * Do it before processing of module parameters, so the module
46681 * can provide parameter accessor functions of its own.
46683 - if (mod->module_init)
46684 - flush_icache_range((unsigned long)mod->module_init,
46685 - (unsigned long)mod->module_init
46686 - + mod->init_size);
46687 - flush_icache_range((unsigned long)mod->module_core,
46688 - (unsigned long)mod->module_core + mod->core_size);
46689 + if (mod->module_init_rx)
46690 + flush_icache_range((unsigned long)mod->module_init_rx,
46691 + (unsigned long)mod->module_init_rx
46692 + + mod->init_size_rx);
46693 + flush_icache_range((unsigned long)mod->module_core_rx,
46694 + (unsigned long)mod->module_core_rx + mod->core_size_rx);
46698 @@ -2397,12 +2472,16 @@ static noinline struct module *load_modu
46700 module_unload_free(mod);
46701 #if defined(CONFIG_MODULE_UNLOAD) && defined(CONFIG_SMP)
46703 percpu_modfree(mod->refptr);
46706 - module_free(mod, mod->module_init);
46708 - module_free(mod, mod->module_core);
46709 + module_free_exec(mod, mod->module_init_rx);
46711 + module_free_exec(mod, mod->module_core_rx);
46713 + module_free(mod, mod->module_init_rw);
46715 + module_free(mod, mod->module_core_rw);
46716 /* mod will be freed with core. Don't access it beyond this line! */
46719 @@ -2504,10 +2583,12 @@ SYSCALL_DEFINE3(init_module, void __user
46720 mod->symtab = mod->core_symtab;
46721 mod->strtab = mod->core_strtab;
46723 - module_free(mod, mod->module_init);
46724 - mod->module_init = NULL;
46725 - mod->init_size = 0;
46726 - mod->init_text_size = 0;
46727 + module_free(mod, mod->module_init_rw);
46728 + module_free_exec(mod, mod->module_init_rx);
46729 + mod->module_init_rw = NULL;
46730 + mod->module_init_rx = NULL;
46731 + mod->init_size_rw = 0;
46732 + mod->init_size_rx = 0;
46733 mutex_unlock(&module_mutex);
46736 @@ -2538,10 +2619,16 @@ static const char *get_ksymbol(struct mo
46737 unsigned long nextval;
46739 /* At worse, next value is at end of module */
46740 - if (within_module_init(addr, mod))
46741 - nextval = (unsigned long)mod->module_init+mod->init_text_size;
46742 + if (within_module_init_rx(addr, mod))
46743 + nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
46744 + else if (within_module_init_rw(addr, mod))
46745 + nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
46746 + else if (within_module_core_rx(addr, mod))
46747 + nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
46748 + else if (within_module_core_rw(addr, mod))
46749 + nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
46751 - nextval = (unsigned long)mod->module_core+mod->core_text_size;
46754 /* Scan for closest preceeding symbol, and next symbol. (ELF
46755 starts real symbols at 1). */
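Review bot: `nextval` used to be capped at the end of the text (`init_text_size`, `core_text_size`) and is now capped at the end of whichever whole region contains `addr`. Since the layout_symtab hunks in this patch append the symbol and string tables to the rx regions, the size reported for the last symbol of a module can now run past the end of its code. The comment "At worse, next value is at end of module" should be updated to `end of the region that contains addr`. Lines after the last `else if` are missing from this listing; if no final `else` assigns or returns there, `nextval` would be read uninitialised for an address outside all four regions.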
46756 @@ -2787,7 +2874,7 @@ static int m_show(struct seq_file *m, vo
46759 seq_printf(m, "%s %u",
46760 - mod->name, mod->init_size + mod->core_size);
46761 + mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
46762 print_unload_info(m, mod);
46764 /* Informative for users. */
46765 @@ -2796,7 +2883,7 @@ static int m_show(struct seq_file *m, vo
46766 mod->state == MODULE_STATE_COMING ? "Loading":
46768 /* Used by oprofile and other similar tools. */
46769 - seq_printf(m, " 0x%p", mod->module_core);
46770 + seq_printf(m, " 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
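Review bot: The address column of /proc/modules becomes two values, `0x%p 0x%p`, which changes a file format that the comment above describes as "Used by oprofile and other similar tools". Parsers that expect a single address as the last field will see an extra token. If both bases must be exported, record the format next to the seq_printf(), e.g. `/* two bases: executable core, then writable core */`. Both values are kernel addresses, so the stricter modes in the proc_modules_init hunk below matter for this line; in the configuration that still passes mode 0 the file keeps its default permissions.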
46774 @@ -2832,7 +2919,17 @@ static const struct file_operations proc
46776 static int __init proc_modules_init(void)
46778 +#ifndef CONFIG_GRKERNSEC_HIDESYM
46779 +#ifdef CONFIG_GRKERNSEC_PROC_USER
46780 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
46781 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
46782 + proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
46784 proc_create("modules", 0, NULL, &proc_modules_operations);
46787 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
46791 module_init(proc_modules_init);
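Review bot: The nested `#ifndef CONFIG_GRKERNSEC_HIDESYM` / `#ifdef CONFIG_GRKERNSEC_PROC_USER` ladder repeats the proc_create() call four times with only the mode changing, and a similar ladder appears in ioresources_init() in the kernel/resource.c hunk below. Computing the mode once keeps the policy in one place, for instance a file-local macro (say `GR_PROC_MODE`) set by the ladder and a single `proc_create("modules", GR_PROC_MODE, NULL, &proc_modules_operations);`. The `#else` and `#endif` lines are not visible in this listing; labelling them with their condition, `#endif /* !CONFIG_GRKERNSEC_HIDESYM */`, would make the nesting readable.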
46792 @@ -2891,12 +2988,12 @@ struct module *__module_address(unsigned
46794 struct module *mod;
46796 - if (addr < module_addr_min || addr > module_addr_max)
46797 + if ((addr < module_addr_min_rx || addr > module_addr_max_rx) &&
46798 + (addr < module_addr_min_rw || addr > module_addr_max_rw))
46801 list_for_each_entry_rcu(mod, &modules, list)
46802 - if (within_module_core(addr, mod)
46803 - || within_module_init(addr, mod))
46804 + if (within_module_init(addr, mod) || within_module_core(addr, mod))
46808 @@ -2930,11 +3027,20 @@ bool is_module_text_address(unsigned lon
46810 struct module *__module_text_address(unsigned long addr)
46812 - struct module *mod = __module_address(addr);
46813 + struct module *mod;
46815 +#ifdef CONFIG_X86_32
46816 + addr = ktla_ktva(addr);
46819 + if (addr < module_addr_min_rx || addr > module_addr_max_rx)
46822 + mod = __module_address(addr);
46825 /* Make sure it's within the text section. */
46826 - if (!within(addr, mod->module_init, mod->init_text_size)
46827 - && !within(addr, mod->module_core, mod->core_text_size))
46828 + if (!within_module_init_rx(addr, mod) && !within_module_core_rx(addr, mod))
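Review bot: The translation `addr = ktla_ktva(addr);` is guarded by `CONFIG_X86_32` alone, while the kallsyms hunk earlier in this patch uses `defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)` and the lockdep hunk uses `CONFIG_PAX_KERNEXEC` alone for the same macro. If ktla_ktva() is an identity mapping when KERNEXEC is off the result is the same, but the three spellings make it hard to tell which condition is the real one. Using one guard everywhere, or dropping it where the macro is always defined, would remove the doubt. The function also rewrites its `addr` argument before the range checks, so the address tested is not the one the caller passed; a one-line comment should say that.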
46832 diff -urNp linux-2.6.33.1/kernel/panic.c linux-2.6.33.1/kernel/panic.c
46833 --- linux-2.6.33.1/kernel/panic.c 2010-03-15 12:09:39.000000000 -0400
46834 +++ linux-2.6.33.1/kernel/panic.c 2010-03-20 16:58:42.076969908 -0400
46835 @@ -396,7 +396,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
46837 void __stack_chk_fail(void)
46839 - panic("stack-protector: Kernel stack is corrupted in: %p\n",
46841 + panic("stack-protector: Kernel stack is corrupted in: %pS\n",
46842 __builtin_return_address(0));
46844 EXPORT_SYMBOL(__stack_chk_fail);
46845 diff -urNp linux-2.6.33.1/kernel/params.c linux-2.6.33.1/kernel/params.c
46846 --- linux-2.6.33.1/kernel/params.c 2010-03-15 12:09:39.000000000 -0400
46847 +++ linux-2.6.33.1/kernel/params.c 2010-03-20 16:58:42.088938657 -0400
46848 @@ -723,7 +723,7 @@ static ssize_t module_attr_store(struct
46852 -static struct sysfs_ops module_sysfs_ops = {
46853 +static const struct sysfs_ops module_sysfs_ops = {
46854 .show = module_attr_show,
46855 .store = module_attr_store,
46857 @@ -737,7 +737,7 @@ static int uevent_filter(struct kset *ks
46861 -static struct kset_uevent_ops module_uevent_ops = {
46862 +static const struct kset_uevent_ops module_uevent_ops = {
46863 .filter = uevent_filter,
46866 diff -urNp linux-2.6.33.1/kernel/pid.c linux-2.6.33.1/kernel/pid.c
46867 --- linux-2.6.33.1/kernel/pid.c 2010-03-15 12:09:39.000000000 -0400
46868 +++ linux-2.6.33.1/kernel/pid.c 2010-03-20 16:58:42.092540045 -0400
46870 #include <linux/rculist.h>
46871 #include <linux/bootmem.h>
46872 #include <linux/hash.h>
46873 +#include <linux/security.h>
46874 #include <linux/pid_namespace.h>
46875 #include <linux/init_task.h>
46876 #include <linux/syscalls.h>
46877 @@ -45,7 +46,7 @@ struct pid init_struct_pid = INIT_STRUCT
46879 int pid_max = PID_MAX_DEFAULT;
46881 -#define RESERVED_PIDS 300
46882 +#define RESERVED_PIDS 500
46884 int pid_max_min = RESERVED_PIDS + 1;
46885 int pid_max_max = PID_MAX_LIMIT;
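Review bot: `RESERVED_PIDS` goes from 300 to 500 with no explanation, and `pid_max_min` two lines below is derived from it, so the lowest permitted pid_max rises from 301 to 501 as a side effect. A comment giving the reason and the coupling would help, e.g. `/* raised from 300: <reason>; pid_max_min follows this value */`.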
46886 @@ -380,7 +381,14 @@ EXPORT_SYMBOL(pid_task);
46888 struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
46890 - return pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
46891 + struct task_struct *task;
46893 + task = pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
46895 + if (gr_pid_is_chrooted(task))
46901 struct task_struct *find_task_by_vpid(pid_t vnr)
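Review bot: `pid_task()` returns NULL when the pid does not exist, and that value is passed straight to `gr_pid_is_chrooted(task)`. Unless the helper checks for NULL itself (its definition is not in this hunk), the test should be `if (task && gr_pid_is_chrooted(task))`. The lines after the `if` are missing from this listing; presumably a filtered task is returned as NULL, in which case the function's comment should say that callers cannot tell a hidden task from a nonexistent one.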
46902 diff -urNp linux-2.6.33.1/kernel/posix-cpu-timers.c linux-2.6.33.1/kernel/posix-cpu-timers.c
46903 --- linux-2.6.33.1/kernel/posix-cpu-timers.c 2010-03-15 12:09:39.000000000 -0400
46904 +++ linux-2.6.33.1/kernel/posix-cpu-timers.c 2010-03-20 16:58:42.092540045 -0400
46906 #include <linux/posix-timers.h>
46907 #include <linux/errno.h>
46908 #include <linux/math64.h>
46909 +#include <linux/security.h>
46910 #include <asm/uaccess.h>
46911 #include <linux/kernel_stat.h>
46912 #include <trace/events/timer.h>
46913 @@ -1043,6 +1044,7 @@ static void check_thread_timers(struct t
46914 __group_send_sig_info(SIGKILL, SEND_SIG_PRIV, tsk);
46917 + gr_learn_resource(tsk, RLIMIT_RTTIME, tsk->rt.timeout, 1);
46918 if (tsk->rt.timeout > DIV_ROUND_UP(*soft, USEC_PER_SEC/HZ)) {
46920 * At the soft limit, send a SIGXCPU every second.
46921 @@ -1205,6 +1207,7 @@ static void check_process_timers(struct
46922 __group_send_sig_info(SIGKILL, SEND_SIG_PRIV, tsk);
46925 + gr_learn_resource(tsk, RLIMIT_CPU, psecs, 0);
46926 if (psecs >= sig->rlim[RLIMIT_CPU].rlim_cur) {
46928 * At the soft limit, send a SIGXCPU every second.
46929 diff -urNp linux-2.6.33.1/kernel/power/hibernate.c linux-2.6.33.1/kernel/power/hibernate.c
46930 --- linux-2.6.33.1/kernel/power/hibernate.c 2010-03-15 12:09:39.000000000 -0400
46931 +++ linux-2.6.33.1/kernel/power/hibernate.c 2010-03-20 16:58:42.092540045 -0400
46932 @@ -49,14 +49,14 @@ enum {
46934 static int hibernation_mode = HIBERNATION_SHUTDOWN;
46936 -static struct platform_hibernation_ops *hibernation_ops;
46937 +static const struct platform_hibernation_ops *hibernation_ops;
46940 * hibernation_set_ops - set the global hibernate operations
46941 * @ops: the hibernation operations to use in subsequent hibernation transitions
46944 -void hibernation_set_ops(struct platform_hibernation_ops *ops)
46945 +void hibernation_set_ops(const struct platform_hibernation_ops *ops)
46947 if (ops && !(ops->begin && ops->end && ops->pre_snapshot
46948 && ops->prepare && ops->finish && ops->enter && ops->pre_restore
46949 diff -urNp linux-2.6.33.1/kernel/power/poweroff.c linux-2.6.33.1/kernel/power/poweroff.c
46950 --- linux-2.6.33.1/kernel/power/poweroff.c 2010-03-15 12:09:39.000000000 -0400
46951 +++ linux-2.6.33.1/kernel/power/poweroff.c 2010-03-20 16:58:42.096640751 -0400
46952 @@ -37,7 +37,7 @@ static struct sysrq_key_op sysrq_powerof
46953 .enable_mask = SYSRQ_ENABLE_BOOT,
46956 -static int pm_sysrq_init(void)
46957 +static int __init pm_sysrq_init(void)
46959 register_sysrq_key('o', &sysrq_poweroff_op);
46961 diff -urNp linux-2.6.33.1/kernel/power/process.c linux-2.6.33.1/kernel/power/process.c
46962 --- linux-2.6.33.1/kernel/power/process.c 2010-03-15 12:09:39.000000000 -0400
46963 +++ linux-2.6.33.1/kernel/power/process.c 2010-03-20 16:58:42.096640751 -0400
46964 @@ -38,12 +38,15 @@ static int try_to_freeze_tasks(bool sig_
46965 struct timeval start, end;
46966 u64 elapsed_csecs64;
46967 unsigned int elapsed_csecs;
46968 + bool timedout = false;
46970 do_gettimeofday(&start);
46972 end_time = jiffies + TIMEOUT;
46975 + if (time_after(jiffies, end_time))
46977 read_lock(&tasklist_lock);
46978 do_each_thread(g, p) {
46979 if (frozen(p) || !freezeable(p))
46980 @@ -58,12 +61,16 @@ static int try_to_freeze_tasks(bool sig_
46981 * It is "frozen enough". If the task does wake
46982 * up, it will immediately call try_to_freeze.
46984 - if (!task_is_stopped_or_traced(p) &&
46985 - !freezer_should_skip(p))
46986 + if (!task_is_stopped_or_traced(p) && !freezer_should_skip(p)) {
46989 + printk(KERN_ERR "Task refusing to freeze:\n");
46990 + sched_show_task(p);
46993 } while_each_thread(g, p);
46994 read_unlock(&tasklist_lock);
46995 - if (!todo || time_after(jiffies, end_time))
46996 + if (!todo || timedout)
47000 diff -urNp linux-2.6.33.1/kernel/power/suspend.c linux-2.6.33.1/kernel/power/suspend.c
47001 --- linux-2.6.33.1/kernel/power/suspend.c 2010-03-15 12:09:39.000000000 -0400
47002 +++ linux-2.6.33.1/kernel/power/suspend.c 2010-03-20 16:58:42.096640751 -0400
47003 @@ -23,13 +23,13 @@ const char *const pm_states[PM_SUSPEND_M
47004 [PM_SUSPEND_MEM] = "mem",
47007 -static struct platform_suspend_ops *suspend_ops;
47008 +static const struct platform_suspend_ops *suspend_ops;
47011 * suspend_set_ops - Set the global suspend method table.
47012 * @ops: Pointer to ops structure.
47014 -void suspend_set_ops(struct platform_suspend_ops *ops)
47015 +void suspend_set_ops(const struct platform_suspend_ops *ops)
47017 mutex_lock(&pm_mutex);
47019 diff -urNp linux-2.6.33.1/kernel/printk.c linux-2.6.33.1/kernel/printk.c
47020 --- linux-2.6.33.1/kernel/printk.c 2010-03-15 12:09:39.000000000 -0400
47021 +++ linux-2.6.33.1/kernel/printk.c 2010-03-20 16:58:42.096640751 -0400
47022 @@ -280,6 +280,11 @@ int do_syslog(int type, char __user *buf
47026 +#ifdef CONFIG_GRKERNSEC_DMESG
47027 + if (grsec_enable_dmesg && !capable(CAP_SYS_ADMIN))
47031 error = security_syslog(type);
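Review bot: The GRKERNSEC_DMESG test runs before `security_syslog(type)` and does not look at `type`, so when `grsec_enable_dmesg` is set every syslog operation is refused for a caller without CAP_SYS_ADMIN, not only those that return log contents. That is probably intended, but it is worth stating in a comment: `/* applies to all syslog types; checked before the LSM hook */`. The statement under the `if` is missing from this listing, so the error code returned cannot be reviewed here.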
47034 diff -urNp linux-2.6.33.1/kernel/ptrace.c linux-2.6.33.1/kernel/ptrace.c
47035 --- linux-2.6.33.1/kernel/ptrace.c 2010-03-15 12:09:39.000000000 -0400
47036 +++ linux-2.6.33.1/kernel/ptrace.c 2010-03-20 16:58:42.104944311 -0400
47037 @@ -141,7 +141,7 @@ int __ptrace_may_access(struct task_stru
47038 cred->gid != tcred->egid ||
47039 cred->gid != tcred->sgid ||
47040 cred->gid != tcred->gid) &&
47041 - !capable(CAP_SYS_PTRACE)) {
47042 + !capable_nolog(CAP_SYS_PTRACE)) {
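Review bot: `capable()` is replaced by `capable_nolog()` here, in the `dumpable` test of the next hunk and in ptrace_attach(), with no comment on why these three capability checks should not be logged. In ptrace_attach() the result sets `PT_PTRACE_CAP`, so the capability is actually exercised there rather than merely probed, and it is the site where skipping the log is least obviously right. The definition of capable_nolog() is not in view; if it differs from capable() only in logging, a comment such as `/* probe only: do not log a denial for ordinary access checks */` on the two __ptrace_may_access() sites would explain the split.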
47046 @@ -149,7 +149,7 @@ int __ptrace_may_access(struct task_stru
47049 dumpable = get_dumpable(task->mm);
47050 - if (!dumpable && !capable(CAP_SYS_PTRACE))
47051 + if (!dumpable && !capable_nolog(CAP_SYS_PTRACE))
47054 return security_ptrace_access_check(task, mode);
47055 @@ -199,7 +199,7 @@ int ptrace_attach(struct task_struct *ta
47056 goto unlock_tasklist;
47058 task->ptrace = PT_PTRACED;
47059 - if (capable(CAP_SYS_PTRACE))
47060 + if (capable_nolog(CAP_SYS_PTRACE))
47061 task->ptrace |= PT_PTRACE_CAP;
47063 __ptrace_link(task, current);
47064 @@ -362,7 +362,7 @@ int ptrace_readdata(struct task_struct *
47068 - if (copy_to_user(dst, buf, retval))
47069 + if (retval > sizeof(buf) || copy_to_user(dst, buf, retval))
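Review bot: `retval > sizeof(buf)` compares a signed count with a `size_t`, so a negative `retval` is converted to a large unsigned value and is rejected by the same test. That is a useful side effect, but it is implicit and trips -Wsign-compare. Writing the bound out, `if (retval < 0 || (size_t)retval > sizeof(buf) || copy_to_user(dst, buf, retval))`, documents both cases. The declarations of `retval` and `buf` are outside the hunk, so this assumes `retval` is an `int` and `buf` a local array rather than a pointer.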
47073 @@ -532,18 +532,18 @@ int ptrace_request(struct task_struct *c
47074 ret = ptrace_setoptions(child, data);
47076 case PTRACE_GETEVENTMSG:
47077 - ret = put_user(child->ptrace_message, (unsigned long __user *) data);
47078 + ret = put_user(child->ptrace_message, (__force unsigned long __user *) data);
47081 case PTRACE_GETSIGINFO:
47082 ret = ptrace_getsiginfo(child, &siginfo);
47084 - ret = copy_siginfo_to_user((siginfo_t __user *) data,
47085 + ret = copy_siginfo_to_user((__force siginfo_t __user *) data,
47089 case PTRACE_SETSIGINFO:
47090 - if (copy_from_user(&siginfo, (siginfo_t __user *) data,
47091 + if (copy_from_user(&siginfo, (__force siginfo_t __user *) data,
47095 @@ -621,14 +621,21 @@ SYSCALL_DEFINE4(ptrace, long, request, l
47099 + if (gr_handle_ptrace(child, request)) {
47101 + goto out_put_task_struct;
47104 if (request == PTRACE_ATTACH) {
47105 ret = ptrace_attach(child);
47107 * Some architectures need to do book-keeping after
47112 arch_ptrace_attach(child);
47113 + gr_audit_ptrace(child);
47115 goto out_put_task_struct;
47118 @@ -653,7 +660,7 @@ int generic_ptrace_peekdata(struct task_
47119 copied = access_process_vm(tsk, addr, &tmp, sizeof(tmp), 0);
47120 if (copied != sizeof(tmp))
47122 - return put_user(tmp, (unsigned long __user *)data);
47123 + return put_user(tmp, (__force unsigned long __user *)data);
47126 int generic_ptrace_pokedata(struct task_struct *tsk, long addr, long data)
47127 diff -urNp linux-2.6.33.1/kernel/rcutree.c linux-2.6.33.1/kernel/rcutree.c
47128 --- linux-2.6.33.1/kernel/rcutree.c 2010-03-15 12:09:39.000000000 -0400
47129 +++ linux-2.6.33.1/kernel/rcutree.c 2010-03-20 16:58:42.108722969 -0400
47130 @@ -1315,7 +1315,7 @@ __rcu_process_callbacks(struct rcu_state
47132 * Do softirq processing for the current CPU.
47134 -static void rcu_process_callbacks(struct softirq_action *unused)
47135 +static void rcu_process_callbacks(void)
47138 * Memory references from any prior RCU read-side critical sections
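Review bot: Changing rcu_process_callbacks() to take `void` changes the type of a softirq handler, and run_rebalance_domains() in the kernel/sched.c hunk below gets the same change. Both are correct only if the `action` member of `struct softirq_action`, open_softirq() and every other registered handler are converted in the same patch, none of which is visible here. The comment above the function should mention that the handler no longer receives its softirq_action, since handlers written for the stock prototype will no longer match.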
47139 diff -urNp linux-2.6.33.1/kernel/relay.c linux-2.6.33.1/kernel/relay.c
47140 --- linux-2.6.33.1/kernel/relay.c 2010-03-15 12:09:39.000000000 -0400
47141 +++ linux-2.6.33.1/kernel/relay.c 2010-03-20 16:58:42.108722969 -0400
47142 @@ -1292,7 +1292,7 @@ static int subbuf_splice_actor(struct fi
47145 ret = *nonpad_ret = splice_to_pipe(pipe, &spd);
47146 - if (ret < 0 || ret < total_len)
47147 + if ((int)ret < 0 || ret < total_len)
47150 if (read_start + ret == nonpad_end)
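Review bot: The cast in `(int)ret < 0` implies `ret` is declared unsigned, in which case the old `ret < 0` could never be true, and a negative return stored as a large unsigned value would not be caught by `ret < total_len` either. Casting at the point of use fixes the test but leaves the underlying type wrong, and `ret` is still used in unsigned arithmetic on the following line. Declaring `ret` as a signed type where it is defined (outside this hunk) and dropping the cast would be clearer; if it must stay unsigned, put `/* ret is unsigned; splice_to_pipe() returns a negative errno on failure */` beside the cast.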
47151 diff -urNp linux-2.6.33.1/kernel/resource.c linux-2.6.33.1/kernel/resource.c
47152 --- linux-2.6.33.1/kernel/resource.c 2010-03-15 12:09:39.000000000 -0400
47153 +++ linux-2.6.33.1/kernel/resource.c 2010-03-20 16:58:42.108722969 -0400
47154 @@ -132,8 +132,18 @@ static const struct file_operations proc
47156 static int __init ioresources_init(void)
47158 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
47159 +#ifdef CONFIG_GRKERNSEC_PROC_USER
47160 + proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
47161 + proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
47162 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
47163 + proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
47164 + proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
47167 proc_create("ioports", 0, NULL, &proc_ioports_operations);
47168 proc_create("iomem", 0, NULL, &proc_iomem_operations);
47172 __initcall(ioresources_init);
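Review bot: With CONFIG_GRKERNSEC_PROC_ADD set, the nested conditional creates `ioports` and `iomem` only under CONFIG_GRKERNSEC_PROC_USER or CONFIG_GRKERNSEC_PROC_USERGROUP, so a configuration with neither appears to register no entry at all. The closing `#else`/`#endif` lines are not shown in this listing, so this is inferred from the visible branches. If hiding the files is intended, a comment such as `/* neither option set: ioports/iomem are deliberately not exposed */` would record it; otherwise an inner `#else` that falls back to `S_IRUSR` keeps the restrictive default explicit.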
47173 diff -urNp linux-2.6.33.1/kernel/sched.c linux-2.6.33.1/kernel/sched.c
47174 --- linux-2.6.33.1/kernel/sched.c 2010-03-15 12:09:39.000000000 -0400
47175 +++ linux-2.6.33.1/kernel/sched.c 2010-03-20 16:58:42.116976245 -0400
47176 @@ -4855,7 +4855,7 @@ out:
47177 * In CONFIG_NO_HZ case, the idle load balance owner will do the
47178 * rebalancing for all the cpus for whom scheduler ticks are stopped.
47180 -static void run_rebalance_domains(struct softirq_action *h)
47181 +static void run_rebalance_domains(void)
47183 int this_cpu = smp_processor_id();
47184 struct rq *this_rq = cpu_rq(this_cpu);
47185 @@ -6158,6 +6158,8 @@ int can_nice(const struct task_struct *p
47186 /* convert nice value [19,-20] to rlimit style value [1,40] */
47187 int nice_rlim = 20 - nice;
47189 + gr_learn_resource(p, RLIMIT_NICE, nice_rlim, 1);
47191 return (nice_rlim <= p->signal->rlim[RLIMIT_NICE].rlim_cur ||
47192 capable(CAP_SYS_NICE));
47194 @@ -6191,7 +6193,8 @@ SYSCALL_DEFINE1(nice, int, increment)
47198 - if (increment < 0 && !can_nice(current, nice))
47199 + if (increment < 0 && (!can_nice(current, nice) ||
47200 + gr_handle_chroot_nice()))
47203 retval = security_task_setnice(current, nice);
47204 @@ -6333,6 +6336,8 @@ recheck:
47205 if (rt_policy(policy)) {
47206 unsigned long rlim_rtprio;
47208 + gr_learn_resource(p, RLIMIT_RTPRIO, param->sched_priority, 1);
47210 if (!lock_task_sighand(p, &flags))
47212 rlim_rtprio = p->signal->rlim[RLIMIT_RTPRIO].rlim_cur;
47213 diff -urNp linux-2.6.33.1/kernel/signal.c linux-2.6.33.1/kernel/signal.c
47214 --- linux-2.6.33.1/kernel/signal.c 2010-03-15 12:09:39.000000000 -0400
47215 +++ linux-2.6.33.1/kernel/signal.c 2010-03-20 16:58:42.116976245 -0400
47216 @@ -226,6 +226,9 @@ __sigqueue_alloc(int sig, struct task_st
47217 atomic_inc(&user->sigpending);
47220 + if (!override_rlimit)
47221 + gr_learn_resource(t, RLIMIT_SIGPENDING, atomic_read(&user->sigpending), 1);
47223 if (override_rlimit ||
47224 atomic_read(&user->sigpending) <=
47225 t->signal->rlim[RLIMIT_SIGPENDING].rlim_cur) {
47226 @@ -659,6 +662,9 @@ static int check_kill_permission(int sig
47230 + if (gr_handle_signal(t, sig))
47233 return security_task_kill(t, info, sig, 0);
47236 @@ -1006,7 +1012,7 @@ __group_send_sig_info(int sig, struct si
47237 return send_signal(sig, info, p, 1);
47242 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
47244 return send_signal(sig, info, t, 0);
47245 @@ -1060,6 +1066,9 @@ force_sig_info(int sig, struct siginfo *
47246 ret = specific_send_sig_info(sig, info, t);
47247 spin_unlock_irqrestore(&t->sighand->siglock, flags);
47249 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
47250 + gr_handle_crash(t, sig);
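Review bot: `info->si_addr` is read for every signal whose info pointer is not one of the special values, but si_addr is a union member of siginfo that is meaningful only for fault-type signals; for other signals the same bytes hold sender fields, so the value handed to gr_log_signal() may not be an address. The same expression is used in the group_send_sig_info hunk below, where `info` can describe a signal sent by another process. Unless gr_log_signal() itself filters on `sig` (its body is not on this page), pass the address only for fault signals and NULL otherwise, and add a comment such as `/* si_addr is valid only for SIGSEGV/SIGBUS/SIGILL/SIGFPE/SIGTRAP */`.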
47255 @@ -1113,8 +1122,11 @@ int group_send_sig_info(int sig, struct
47257 int ret = check_kill_permission(sig, info, p);
47260 + if (!ret && sig) {
47261 ret = do_send_sig_info(sig, info, p, true);
47263 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, p);
47268 diff -urNp linux-2.6.33.1/kernel/smp.c linux-2.6.33.1/kernel/smp.c
47269 --- linux-2.6.33.1/kernel/smp.c 2010-03-15 12:09:39.000000000 -0400
47270 +++ linux-2.6.33.1/kernel/smp.c 2010-03-20 16:58:42.120938497 -0400
47271 @@ -498,22 +498,22 @@ int smp_call_function(void (*func)(void
47273 EXPORT_SYMBOL(smp_call_function);
47275 -void ipi_call_lock(void)
47276 +void ipi_call_lock(void) __acquires(call_function.lock)
47278 raw_spin_lock(&call_function.lock);
47281 -void ipi_call_unlock(void)
47282 +void ipi_call_unlock(void) __releases(call_function.lock)
47284 raw_spin_unlock(&call_function.lock);
47287 -void ipi_call_lock_irq(void)
47288 +void ipi_call_lock_irq(void) __acquires(call_function.lock)
47290 raw_spin_lock_irq(&call_function.lock);
47293 -void ipi_call_unlock_irq(void)
47294 +void ipi_call_unlock_irq(void) __releases(call_function.lock)
47296 raw_spin_unlock_irq(&call_function.lock);
47298 diff -urNp linux-2.6.33.1/kernel/softirq.c linux-2.6.33.1/kernel/softirq.c
47299 --- linux-2.6.33.1/kernel/softirq.c 2010-03-15 12:09:39.000000000 -0400
47300 +++ linux-2.6.33.1/kernel/softirq.c 2010-03-20 16:58:42.120938497 -0400
47301 @@ -56,7 +56,7 @@ static struct softirq_action softirq_vec
47303 static DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
47305 -char *softirq_to_name[NR_SOFTIRQS] = {
47306 +const char * const softirq_to_name[NR_SOFTIRQS] = {
47307 "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL",
47308 "TASKLET", "SCHED", "HRTIMER", "RCU"
47310 @@ -190,7 +190,7 @@ EXPORT_SYMBOL(local_bh_enable_ip);
47312 asmlinkage void __do_softirq(void)
47314 - struct softirq_action *h;
47315 + const struct softirq_action *h;
47317 int max_restart = MAX_SOFTIRQ_RESTART;
47319 @@ -216,7 +216,7 @@ restart:
47320 kstat_incr_softirqs_this_cpu(h - softirq_vec);
47322 trace_softirq_entry(h, softirq_vec);
47325 trace_softirq_exit(h, softirq_vec);
47326 if (unlikely(prev_count != preempt_count())) {
47327 printk(KERN_ERR "huh, entered softirq %td %s %p"
47328 @@ -340,7 +340,7 @@ void raise_softirq(unsigned int nr)
47329 local_irq_restore(flags);
47332 -void open_softirq(int nr, void (*action)(struct softirq_action *))
47333 +void open_softirq(int nr, void (*action)(void))
47335 softirq_vec[nr].action = action;
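Review bot: open_softirq() now takes `void (*action)(void)`, which changes the handler contract for every caller, yet nothing at the definition documents it. The handlers touched in this patch (rcu_process_callbacks, run_rebalance_domains, tasklet_action, tasklet_hi_action, run_timer_softirq) are updated to match, but a handler that was not converted would be registered through a mismatched pointer type if the build only warns about it. A short comment above the function would do, for example `/* handlers take no argument; the softirq_action pointer is no longer passed */`.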
47337 @@ -396,7 +396,7 @@ void __tasklet_hi_schedule_first(struct
47339 EXPORT_SYMBOL(__tasklet_hi_schedule_first);
47341 -static void tasklet_action(struct softirq_action *a)
47342 +static void tasklet_action(void)
47344 struct tasklet_struct *list;
47346 @@ -431,7 +431,7 @@ static void tasklet_action(struct softir
47350 -static void tasklet_hi_action(struct softirq_action *a)
47351 +static void tasklet_hi_action(void)
47353 struct tasklet_struct *list;
47355 diff -urNp linux-2.6.33.1/kernel/sys.c linux-2.6.33.1/kernel/sys.c
47356 --- linux-2.6.33.1/kernel/sys.c 2010-03-15 12:09:39.000000000 -0400
47357 +++ linux-2.6.33.1/kernel/sys.c 2010-03-20 16:58:42.128666983 -0400
47358 @@ -132,6 +132,12 @@ static int set_one_prio(struct task_stru
47363 + if (gr_handle_chroot_setpriority(p, niceval)) {
47368 no_nice = security_task_setnice(p, niceval);
47371 @@ -513,6 +519,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, g
47375 + if (gr_check_group_change(new->gid, new->egid, -1))
47378 if (rgid != (gid_t) -1 ||
47379 (egid != (gid_t) -1 && egid != old->gid))
47380 new->sgid = new->egid;
47381 @@ -546,6 +555,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
47386 + if (gr_check_group_change(gid, gid, gid))
47389 if (capable(CAP_SETGID))
47390 new->gid = new->egid = new->sgid = new->fsgid = gid;
47391 else if (gid == old->gid || gid == old->sgid)
47392 @@ -636,6 +649,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, u
47396 + if (gr_check_user_change(new->uid, new->euid, -1))
47399 if (new->uid != old->uid) {
47400 retval = set_user(new);
47402 @@ -684,6 +700,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
47407 + if (gr_check_crash_uid(uid))
47409 + if (gr_check_user_change(uid, uid, uid))
47412 if (capable(CAP_SETUID)) {
47413 new->suid = new->uid = uid;
47414 if (uid != old->uid) {
47415 @@ -741,6 +763,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid,
47419 + if (gr_check_user_change(ruid, euid, -1))
47422 if (ruid != (uid_t) -1) {
47424 if (ruid != old->uid) {
47425 @@ -809,6 +834,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid,
47429 + if (gr_check_group_change(rgid, egid, -1))
47432 if (rgid != (gid_t) -1)
47434 if (egid != (gid_t) -1)
47435 @@ -858,6 +886,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
47436 if (security_task_setuid(uid, (uid_t)-1, (uid_t)-1, LSM_SETID_FS) < 0)
47439 + if (gr_check_user_change(-1, -1, uid))
47442 if (uid == old->uid || uid == old->euid ||
47443 uid == old->suid || uid == old->fsuid ||
47444 capable(CAP_SETUID)) {
47445 @@ -898,6 +929,9 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
47446 if (gid == old->gid || gid == old->egid ||
47447 gid == old->sgid || gid == old->fsgid ||
47448 capable(CAP_SETGID)) {
47449 + if (gr_check_group_change(-1, -1, gid))
47452 if (gid != old_fsgid) {
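Review bot: The `gr_check_group_change(-1, -1, gid)` call here sits inside the branch that has already accepted the request, whereas the matching `gr_check_user_change(-1, -1, uid)` in the setfsuid hunk above runs before the ownership/capability test. The two syscalls are otherwise parallel, so the policy hook is consulted for different sets of requests in each. Placing both checks at the same point, preferably before the branch as in setfsuid, would keep enforcement and any logging symmetric. The statement that follows each check is not shown in this listing.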
47455 @@ -1460,7 +1494,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
47456 error = get_dumpable(me->mm);
47458 case PR_SET_DUMPABLE:
47459 - if (arg2 < 0 || arg2 > 1) {
47464 diff -urNp linux-2.6.33.1/kernel/sysctl.c linux-2.6.33.1/kernel/sysctl.c
47465 --- linux-2.6.33.1/kernel/sysctl.c 2010-03-15 12:09:39.000000000 -0400
47466 +++ linux-2.6.33.1/kernel/sysctl.c 2010-03-20 16:58:42.186495404 -0400
47470 #if defined(CONFIG_SYSCTL)
47471 +#include <linux/grsecurity.h>
47472 +#include <linux/grinternal.h>
47474 +extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
47475 +extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
47477 +extern int gr_handle_chroot_sysctl(const int op);
47479 /* External variables not in a header file. */
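Review bot: The three `gr_handle_*` prototypes are declared with `extern` in this .c file directly after `<linux/grsecurity.h>` and `<linux/grinternal.h>` are included. Prototypes kept outside a shared header are not checked against the definitions, so a later signature change would still compile with a mismatched call. Moving them into one of the two headers already included lets the compiler check both sides; the same pattern appears in kernel/taskstats.c with `gr_is_taskstats_denied`.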
47481 @@ -169,6 +176,7 @@ static int proc_do_cad_pid(struct ctl_ta
47482 static int proc_taint(struct ctl_table *table, int write,
47483 void __user *buffer, size_t *lenp, loff_t *ppos);
47485 +extern ctl_table grsecurity_table[];
47487 static struct ctl_table root_table[];
47488 static struct ctl_table_root sysctl_table_root;
47489 @@ -201,6 +209,20 @@ extern struct ctl_table epoll_table[];
47490 int sysctl_legacy_va_layout;
47493 +#ifdef CONFIG_PAX_SOFTMODE
47494 +static ctl_table pax_table[] = {
47496 + .procname = "softmode",
47497 + .data = &pax_softmode,
47498 + .maxlen = sizeof(unsigned int),
47500 + .proc_handler = &proc_dointvec,
47507 extern int prove_locking;
47508 extern int lock_stat;
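Review bot: The `softmode` entry is wired to `proc_dointvec`, which stores any integer written to it, while `pax_softmode` reads like an on/off switch and `.maxlen` is given as `sizeof(unsigned int)`. Bounding it with `proc_dointvec_minmax` and `.extra1`/`.extra2` pointing at 0 and 1 would reject out-of-range writes to a security-relevant toggle. The `.mode` line of the entry is not visible in this listing, so the file permissions cannot be reviewed here; they should allow access by root only.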
47510 @@ -251,6 +273,22 @@ static int max_sched_shares_ratelimit =
47513 static struct ctl_table kern_table[] = {
47514 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
47516 + .procname = "grsecurity",
47518 + .child = grsecurity_table,
47522 +#ifdef CONFIG_PAX_SOFTMODE
47524 + .procname = "pax",
47526 + .child = pax_table,
47531 .procname = "sched_child_runs_first",
47532 .data = &sysctl_sched_child_runs_first,
47533 @@ -1629,6 +1667,16 @@ int sysctl_perm(struct ctl_table_root *r
47537 + if (table->parent != NULL && table->parent->procname != NULL &&
47538 + table->procname != NULL &&
47539 + gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
47541 + if (gr_handle_chroot_sysctl(op))
47543 + error = gr_handle_sysctl(table, op);
47547 error = security_sysctl(table, op & (MAY_READ | MAY_WRITE | MAY_EXEC));
47550 @@ -2137,6 +2185,8 @@ static int __do_proc_dointvec(void *tbl_
47554 + if (len > sizeof(buf))
47555 + len = sizeof(buf);
47556 if(copy_to_user(s, buf, len))
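Review bot: The added clamp `if (len > sizeof(buf)) len = sizeof(buf);` carries no comment saying what it protects: it bounds the following copy_to_user() to the size of `buf`, so an oversized `len` cannot copy bytes beyond the buffer out to user space. A comment such as `/* never copy more than buf holds, whatever len was computed above */` would stop a later cleanup from removing it as dead code. The same clamp is added in the __do_proc_doulongvec_minmax hunk below and needs the same comment. The computation of `len` is outside both hunks.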
47559 @@ -2362,6 +2412,8 @@ static int __do_proc_doulongvec_minmax(v
47563 + if (len > sizeof(buf))
47564 + len = sizeof(buf);
47565 if(copy_to_user(s, buf, len))
47568 diff -urNp linux-2.6.33.1/kernel/taskstats.c linux-2.6.33.1/kernel/taskstats.c
47569 --- linux-2.6.33.1/kernel/taskstats.c 2010-03-15 12:09:39.000000000 -0400
47570 +++ linux-2.6.33.1/kernel/taskstats.c 2010-03-20 16:58:42.186495404 -0400
47572 #include <linux/cgroup.h>
47573 #include <linux/fs.h>
47574 #include <linux/file.h>
47575 +#include <linux/grsecurity.h>
47576 #include <net/genetlink.h>
47577 #include <asm/atomic.h>
47579 +extern int gr_is_taskstats_denied(int pid);
47582 * Maximum length of a cpumask that can be specified in
47583 * the TASKSTATS_CMD_ATTR_REGISTER/DEREGISTER_CPUMASK attribute
47584 @@ -433,6 +436,9 @@ static int taskstats_user_cmd(struct sk_
47586 cpumask_var_t mask;
47588 + if (gr_is_taskstats_denied(current->pid))
47591 if (!alloc_cpumask_var(&mask, GFP_KERNEL))
47594 diff -urNp linux-2.6.33.1/kernel/time/tick-broadcast.c linux-2.6.33.1/kernel/time/tick-broadcast.c
47595 --- linux-2.6.33.1/kernel/time/tick-broadcast.c 2010-03-15 12:09:39.000000000 -0400
47596 +++ linux-2.6.33.1/kernel/time/tick-broadcast.c 2010-03-20 16:58:42.200972419 -0400
47597 @@ -116,7 +116,7 @@ int tick_device_uses_broadcast(struct cl
47598 * then clear the broadcast bit.
47600 if (!(dev->features & CLOCK_EVT_FEAT_C3STOP)) {
47601 - int cpu = smp_processor_id();
47602 + cpu = smp_processor_id();
47604 cpumask_clear_cpu(cpu, tick_get_broadcast_mask());
47605 tick_broadcast_clear_oneshot(cpu);
47606 diff -urNp linux-2.6.33.1/kernel/time.c linux-2.6.33.1/kernel/time.c
47607 --- linux-2.6.33.1/kernel/time.c 2010-03-15 12:09:39.000000000 -0400
47608 +++ linux-2.6.33.1/kernel/time.c 2010-03-20 16:58:42.200972419 -0400
47609 @@ -94,6 +94,9 @@ SYSCALL_DEFINE1(stime, time_t __user *,
47612 do_settimeofday(&tv);
47614 + gr_log_timechange();
47619 @@ -202,6 +205,8 @@ SYSCALL_DEFINE2(settimeofday, struct tim
47623 + gr_log_timechange();
47625 return do_sys_settimeofday(tv ? &new_ts : NULL, tz ? &new_tz : NULL);
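Review bot: `gr_log_timechange()` is called before `do_sys_settimeofday()`, so the log entry is written whether or not the call then succeeds, and also when `tv` is NULL and only the timezone is being set. In the stime hunk above the log call comes after `do_settimeofday(&tv)`, so the two paths record different things. Logging after a successful return and only when `tv` is non-NULL would keep the audit trail to actual clock changes, e.g. `err = do_sys_settimeofday(...); if (!err && tv) gr_log_timechange(); return err;`.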
47628 @@ -240,7 +245,7 @@ EXPORT_SYMBOL(current_fs_time);
47629 * Avoid unnecessary multiplications/divisions in the
47630 * two most common HZ cases:
47632 -unsigned int inline jiffies_to_msecs(const unsigned long j)
47633 +inline unsigned int jiffies_to_msecs(const unsigned long j)
47635 #if HZ <= MSEC_PER_SEC && !(MSEC_PER_SEC % HZ)
47636 return (MSEC_PER_SEC / HZ) * j;
47637 @@ -256,7 +261,7 @@ unsigned int inline jiffies_to_msecs(con
47639 EXPORT_SYMBOL(jiffies_to_msecs);
47641 -unsigned int inline jiffies_to_usecs(const unsigned long j)
47642 +inline unsigned int jiffies_to_usecs(const unsigned long j)
47644 #if HZ <= USEC_PER_SEC && !(USEC_PER_SEC % HZ)
47645 return (USEC_PER_SEC / HZ) * j;
47646 diff -urNp linux-2.6.33.1/kernel/timer.c linux-2.6.33.1/kernel/timer.c
47647 --- linux-2.6.33.1/kernel/timer.c 2010-03-15 12:09:39.000000000 -0400
47648 +++ linux-2.6.33.1/kernel/timer.c 2010-03-20 16:58:42.212949807 -0400
47649 @@ -1206,7 +1206,7 @@ void update_process_times(int user_tick)
47651 * This function runs timers and the timer-tq in bottom half context.
47653 -static void run_timer_softirq(struct softirq_action *h)
47654 +static void run_timer_softirq(void)
47656 struct tvec_base *base = __get_cpu_var(tvec_bases);
47658 diff -urNp linux-2.6.33.1/kernel/trace/ftrace.c linux-2.6.33.1/kernel/trace/ftrace.c
47659 --- linux-2.6.33.1/kernel/trace/ftrace.c 2010-03-15 12:09:39.000000000 -0400
47660 +++ linux-2.6.33.1/kernel/trace/ftrace.c 2010-03-20 16:58:42.212949807 -0400
47661 @@ -1102,13 +1102,18 @@ ftrace_code_disable(struct module *mod,
47665 + ret = ftrace_arch_code_modify_prepare();
47666 + FTRACE_WARN_ON(ret);
47670 ret = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
47671 + FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());
47673 ftrace_bug(ret, ip);
47674 rec->flags |= FTRACE_FL_FAILED;
47678 + return ret ? 0 : 1;
47682 diff -urNp linux-2.6.33.1/kernel/trace/Kconfig linux-2.6.33.1/kernel/trace/Kconfig
47683 --- linux-2.6.33.1/kernel/trace/Kconfig 2010-03-15 12:09:39.000000000 -0400
47684 +++ linux-2.6.33.1/kernel/trace/Kconfig 2010-03-20 16:58:42.212949807 -0400
47685 @@ -124,6 +124,7 @@ if FTRACE
47686 config FUNCTION_TRACER
47687 bool "Kernel Function Tracer"
47688 depends on HAVE_FUNCTION_TRACER
47689 + depends on !PAX_KERNEXEC
47690 select FRAME_POINTER
47692 select GENERIC_TRACER
47693 @@ -362,6 +363,7 @@ config PROFILE_KSYM_TRACER
47694 config STACK_TRACER
47695 bool "Trace max stack"
47696 depends on HAVE_FUNCTION_TRACER
47697 + depends on !PAX_KERNEXEC
47698 select FUNCTION_TRACER
47701 diff -urNp linux-2.6.33.1/kernel/trace/trace.c linux-2.6.33.1/kernel/trace/trace.c
47702 --- linux-2.6.33.1/kernel/trace/trace.c 2010-03-15 12:09:39.000000000 -0400
47703 +++ linux-2.6.33.1/kernel/trace/trace.c 2010-03-20 16:58:42.217937104 -0400
47704 @@ -3820,10 +3820,9 @@ static const struct file_operations trac
47708 -static struct dentry *d_tracer;
47710 struct dentry *tracing_init_dentry(void)
47712 + static struct dentry *d_tracer;
47716 @@ -3843,10 +3842,9 @@ struct dentry *tracing_init_dentry(void)
47720 -static struct dentry *d_percpu;
47722 struct dentry *tracing_dentry_percpu(void)
47724 + static struct dentry *d_percpu;
47726 struct dentry *d_tracer;
47728 diff -urNp linux-2.6.33.1/kernel/trace/trace_output.c linux-2.6.33.1/kernel/trace/trace_output.c
47729 --- linux-2.6.33.1/kernel/trace/trace_output.c 2010-03-15 12:09:39.000000000 -0400
47730 +++ linux-2.6.33.1/kernel/trace/trace_output.c 2010-03-20 16:58:42.220764190 -0400
47731 @@ -280,7 +280,7 @@ int trace_seq_path(struct trace_seq *s,
47733 p = d_path(path, s->buffer + s->len, PAGE_SIZE - s->len);
47735 - p = mangle_path(s->buffer + s->len, p, "\n");
47736 + p = mangle_path(s->buffer + s->len, p, "\n\\");
47738 s->len = p - s->buffer;
47740 diff -urNp linux-2.6.33.1/kernel/trace/trace_stack.c linux-2.6.33.1/kernel/trace/trace_stack.c
47741 --- linux-2.6.33.1/kernel/trace/trace_stack.c 2010-03-15 12:09:39.000000000 -0400
47742 +++ linux-2.6.33.1/kernel/trace/trace_stack.c 2010-03-20 16:58:42.220764190 -0400
47743 @@ -50,7 +50,7 @@ static inline void check_stack(void)
47746 /* we do not handle interrupt stacks yet */
47747 - if (!object_is_on_stack(&this_size))
47748 + if (!object_starts_on_stack(&this_size))
47751 local_irq_save(flags);
47752 diff -urNp linux-2.6.33.1/lib/bug.c linux-2.6.33.1/lib/bug.c
47753 --- linux-2.6.33.1/lib/bug.c 2010-03-15 12:09:39.000000000 -0400
47754 +++ linux-2.6.33.1/lib/bug.c 2010-03-20 16:58:42.225948146 -0400
47755 @@ -135,6 +135,8 @@ enum bug_trap_type report_bug(unsigned l
47756 return BUG_TRAP_TYPE_NONE;
47758 bug = find_bug(bugaddr);
47760 + return BUG_TRAP_TYPE_NONE;
47762 printk(KERN_EMERG "------------[ cut here ]------------\n");
47764 diff -urNp linux-2.6.33.1/lib/debugobjects.c linux-2.6.33.1/lib/debugobjects.c
47765 --- linux-2.6.33.1/lib/debugobjects.c 2010-03-15 12:09:39.000000000 -0400
47766 +++ linux-2.6.33.1/lib/debugobjects.c 2010-03-20 16:58:42.225948146 -0400
47767 @@ -277,7 +277,7 @@ static void debug_object_is_on_stack(voi
47771 - is_on_stack = object_is_on_stack(addr);
47772 + is_on_stack = object_starts_on_stack(addr);
47773 if (is_on_stack == onstack)
47776 diff -urNp linux-2.6.33.1/lib/dma-debug.c linux-2.6.33.1/lib/dma-debug.c
47777 --- linux-2.6.33.1/lib/dma-debug.c 2010-03-15 12:09:39.000000000 -0400
47778 +++ linux-2.6.33.1/lib/dma-debug.c 2010-03-20 16:58:42.240954646 -0400
47779 @@ -861,7 +861,7 @@ out:
47781 static void check_for_stack(struct device *dev, void *addr)
47783 - if (object_is_on_stack(addr))
47784 + if (object_starts_on_stack(addr))
47785 err_printk(dev, NULL, "DMA-API: device driver maps memory from"
47786 "stack [addr=%p]\n", addr);
47788 diff -urNp linux-2.6.33.1/lib/inflate.c linux-2.6.33.1/lib/inflate.c
47789 --- linux-2.6.33.1/lib/inflate.c 2010-03-15 12:09:39.000000000 -0400
47790 +++ linux-2.6.33.1/lib/inflate.c 2010-03-20 16:58:42.240954646 -0400
47791 @@ -266,7 +266,7 @@ static void free(void *where)
47792 malloc_ptr = free_mem_ptr;
47795 -#define malloc(a) kmalloc(a, GFP_KERNEL)
47796 +#define malloc(a) kmalloc((a), GFP_KERNEL)
47797 #define free(a) kfree(a)
47800 diff -urNp linux-2.6.33.1/lib/Kconfig.debug linux-2.6.33.1/lib/Kconfig.debug
47801 --- linux-2.6.33.1/lib/Kconfig.debug 2010-03-15 12:09:39.000000000 -0400
47802 +++ linux-2.6.33.1/lib/Kconfig.debug 2010-03-20 16:58:42.244515655 -0400
47803 @@ -914,7 +914,7 @@ config LATENCYTOP
47807 - depends on HAVE_LATENCYTOP_SUPPORT
47808 + depends on HAVE_LATENCYTOP_SUPPORT && !GRKERNSEC_HIDESYM
47810 Enable this option if you want to use the LatencyTOP tool
47811 to find out which userspace is blocking on what kernel operations.
47812 diff -urNp linux-2.6.33.1/lib/kobject.c linux-2.6.33.1/lib/kobject.c
47813 --- linux-2.6.33.1/lib/kobject.c 2010-03-15 12:09:39.000000000 -0400
47814 +++ linux-2.6.33.1/lib/kobject.c 2010-03-20 16:58:42.244515655 -0400
47815 @@ -700,7 +700,7 @@ static ssize_t kobj_attr_store(struct ko
47819 -struct sysfs_ops kobj_sysfs_ops = {
47820 +const struct sysfs_ops kobj_sysfs_ops = {
47821 .show = kobj_attr_show,
47822 .store = kobj_attr_store,
47824 @@ -789,7 +789,7 @@ static struct kobj_type kset_ktype = {
47825 * If the kset was not able to be created, NULL will be returned.
47827 static struct kset *kset_create(const char *name,
47828 - struct kset_uevent_ops *uevent_ops,
47829 + const struct kset_uevent_ops *uevent_ops,
47830 struct kobject *parent_kobj)
47833 @@ -832,7 +832,7 @@ static struct kset *kset_create(const ch
47834 * If the kset was not able to be created, NULL will be returned.
47836 struct kset *kset_create_and_add(const char *name,
47837 - struct kset_uevent_ops *uevent_ops,
47838 + const struct kset_uevent_ops *uevent_ops,
47839 struct kobject *parent_kobj)
47842 diff -urNp linux-2.6.33.1/lib/kobject_uevent.c linux-2.6.33.1/lib/kobject_uevent.c
47843 --- linux-2.6.33.1/lib/kobject_uevent.c 2010-03-15 12:09:39.000000000 -0400
47844 +++ linux-2.6.33.1/lib/kobject_uevent.c 2010-03-20 16:58:42.244515655 -0400
47845 @@ -95,7 +95,7 @@ int kobject_uevent_env(struct kobject *k
47846 const char *subsystem;
47847 struct kobject *top_kobj;
47849 - struct kset_uevent_ops *uevent_ops;
47850 + const struct kset_uevent_ops *uevent_ops;
47854 diff -urNp linux-2.6.33.1/lib/parser.c linux-2.6.33.1/lib/parser.c
47855 --- linux-2.6.33.1/lib/parser.c 2010-03-15 12:09:39.000000000 -0400
47856 +++ linux-2.6.33.1/lib/parser.c 2010-03-20 16:58:42.244515655 -0400
47857 @@ -129,7 +129,7 @@ static int match_number(substring_t *s,
47861 - buf = kmalloc(s->to - s->from + 1, GFP_KERNEL);
47862 + buf = kmalloc((s->to - s->from) + 1, GFP_KERNEL);
47865 memcpy(buf, s->from, s->to - s->from);
47866 diff -urNp linux-2.6.33.1/lib/radix-tree.c linux-2.6.33.1/lib/radix-tree.c
47867 --- linux-2.6.33.1/lib/radix-tree.c 2010-03-15 12:09:39.000000000 -0400
47868 +++ linux-2.6.33.1/lib/radix-tree.c 2010-03-20 16:58:42.253002352 -0400
47869 @@ -81,7 +81,7 @@ struct radix_tree_preload {
47871 struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
47873 -static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
47874 +static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads);
47876 static inline gfp_t root_gfp_mask(struct radix_tree_root *root)
47878 diff -urNp linux-2.6.33.1/lib/random32.c linux-2.6.33.1/lib/random32.c
47879 --- linux-2.6.33.1/lib/random32.c 2010-03-15 12:09:39.000000000 -0400
47880 +++ linux-2.6.33.1/lib/random32.c 2010-03-20 16:58:42.256945498 -0400
47881 @@ -61,7 +61,7 @@ static u32 __random32(struct rnd_state *
47883 static inline u32 __seed(u32 x, u32 m)
47885 - return (x < m) ? x + m : x;
47886 + return (x <= m) ? x + m + 1 : x;
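Review bot: `__seed()` has no comment stating what it guarantees, and the fix only makes sense once that is known. With `x <= m` mapped to `x + m + 1` the result is strictly greater than `m` (absent u32 wrap-around for very large `m`), whereas the old form returned `m` itself when `x == m`. A line such as `/* returns a value strictly greater than m; x already above m is returned unchanged */` above the function would document this.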
47890 diff -urNp linux-2.6.33.1/localversion-grsec linux-2.6.33.1/localversion-grsec
47891 --- linux-2.6.33.1/localversion-grsec 1969-12-31 19:00:00.000000000 -0500
47892 +++ linux-2.6.33.1/localversion-grsec 2010-03-20 16:58:42.256945498 -0400
47895 diff -urNp linux-2.6.33.1/Makefile linux-2.6.33.1/Makefile
47896 --- linux-2.6.33.1/Makefile 2010-03-15 12:09:39.000000000 -0400
47897 +++ linux-2.6.33.1/Makefile 2010-03-20 16:58:42.256945498 -0400
47898 @@ -227,8 +227,8 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
47902 -HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer
47903 -HOSTCXXFLAGS = -O2
47904 +HOSTCFLAGS = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
47905 +HOSTCXXFLAGS = -O2 -fno-delete-null-pointer-checks
47907 # Decide whether to build built-in, modular, or both.
47908 # Normally, just do built-in.
47909 @@ -650,7 +650,7 @@ export mod_strip_cmd
47912 ifeq ($(KBUILD_EXTMOD),)
47913 -core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
47914 +core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
47916 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
47917 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
47918 diff -urNp linux-2.6.33.1/mm/filemap.c linux-2.6.33.1/mm/filemap.c
47919 --- linux-2.6.33.1/mm/filemap.c 2010-03-15 12:09:39.000000000 -0400
47920 +++ linux-2.6.33.1/mm/filemap.c 2010-03-20 16:58:42.256945498 -0400
47921 @@ -1601,7 +1601,7 @@ int generic_file_mmap(struct file * file
47922 struct address_space *mapping = file->f_mapping;
47924 if (!mapping->a_ops->readpage)
47927 file_accessed(file);
47928 vma->vm_ops = &generic_file_vm_ops;
47929 vma->vm_flags |= VM_CAN_NONLINEAR;
47930 @@ -1997,6 +1997,7 @@ inline int generic_write_checks(struct f
47931 *pos = i_size_read(inode);
47933 if (limit != RLIM_INFINITY) {
47934 + gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
47935 if (*pos >= limit) {
47936 send_sig(SIGXFSZ, current, 0);
47938 diff -urNp linux-2.6.33.1/mm/fremap.c linux-2.6.33.1/mm/fremap.c
47939 --- linux-2.6.33.1/mm/fremap.c 2010-03-15 12:09:39.000000000 -0400
47940 +++ linux-2.6.33.1/mm/fremap.c 2010-03-20 16:58:42.256945498 -0400
47941 @@ -153,6 +153,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
47943 vma = find_vma(mm, start);
47945 +#ifdef CONFIG_PAX_SEGMEXEC
47946 + if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC))
47951 * Make sure the vma is shared, that it supports prefaulting,
47952 * and that the remapped range is valid and fully within
47953 diff -urNp linux-2.6.33.1/mm/highmem.c linux-2.6.33.1/mm/highmem.c
47954 --- linux-2.6.33.1/mm/highmem.c 2010-03-15 12:09:39.000000000 -0400
47955 +++ linux-2.6.33.1/mm/highmem.c 2010-03-20 16:58:42.256945498 -0400
47956 @@ -116,9 +116,10 @@ static void flush_all_zero_pkmaps(void)
47957 * So no dangers, even with speculative execution.
47959 page = pte_page(pkmap_page_table[i]);
47960 + pax_open_kernel();
47961 pte_clear(&init_mm, (unsigned long)page_address(page),
47962 &pkmap_page_table[i]);
47964 + pax_close_kernel();
47965 set_page_address(page, NULL);
47968 @@ -177,9 +178,11 @@ start:
47971 vaddr = PKMAP_ADDR(last_pkmap_nr);
47973 + pax_open_kernel();
47974 set_pte_at(&init_mm, vaddr,
47975 &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));
47977 + pax_close_kernel();
47978 pkmap_count[last_pkmap_nr] = 1;
47979 set_page_address(page, (void *)vaddr);
47981 diff -urNp linux-2.6.33.1/mm/hugetlb.c linux-2.6.33.1/mm/hugetlb.c
47982 --- linux-2.6.33.1/mm/hugetlb.c 2010-03-15 12:09:39.000000000 -0400
47983 +++ linux-2.6.33.1/mm/hugetlb.c 2010-03-20 16:58:42.256945498 -0400
47984 @@ -2267,6 +2267,26 @@ static int unmap_ref_private(struct mm_s
47988 +#ifdef CONFIG_PAX_SEGMEXEC
47989 +static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
47991 + struct mm_struct *mm = vma->vm_mm;
47992 + struct vm_area_struct *vma_m;
47993 + unsigned long address_m;
47996 + vma_m = pax_find_mirror_vma(vma);
48000 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
48001 + address_m = address + SEGMEXEC_TASK_SIZE;
48002 + ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
48003 + get_page(page_m);
48004 + set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
48008 static int hugetlb_cow(struct mm_struct *mm, struct vm_area_struct *vma,
48009 unsigned long address, pte_t *ptep, pte_t pte,
48010 struct page *pagecache_page)
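Review bot: In pax_mirror_huge_pte() the result of `huge_pte_offset(mm, address_m & HPAGE_MASK)` goes straight into `set_huge_pte_at()` with no visible NULL check. The hugetlb_fault hunk later in this file allocates the mirror entry with huge_pte_alloc() first, which is presumably what makes this safe, but that dependency is not stated anywhere. Adding `BUG_ON(!ptep_m);` before `get_page(page_m)`, in line with the existing BUG_ON on `address`, or a comment naming the caller that guarantees the entry exists, would make the assumption checkable. Some lines of the helper (the `ptep_m` declaration and the `vma_m` test) are missing from this listing.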
48011 @@ -2347,6 +2367,11 @@ retry_avoidcopy:
48012 huge_ptep_clear_flush(vma, address, ptep);
48013 set_huge_pte_at(mm, address, ptep,
48014 make_huge_pte(vma, new_page, 1));
48016 +#ifdef CONFIG_PAX_SEGMEXEC
48017 + pax_mirror_huge_pte(vma, address, new_page);
48020 /* Make the old page be freed below */
48021 new_page = old_page;
48023 @@ -2476,6 +2501,10 @@ retry:
48024 && (vma->vm_flags & VM_SHARED)));
48025 set_huge_pte_at(mm, address, ptep, new_pte);
48027 +#ifdef CONFIG_PAX_SEGMEXEC
48028 + pax_mirror_huge_pte(vma, address, page);
48031 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
48032 /* Optimization, do the COW without a second fault */
48033 ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
48034 @@ -2504,6 +2533,28 @@ int hugetlb_fault(struct mm_struct *mm,
48035 static DEFINE_MUTEX(hugetlb_instantiation_mutex);
48036 struct hstate *h = hstate_vma(vma);
48038 +#ifdef CONFIG_PAX_SEGMEXEC
48039 + struct vm_area_struct *vma_m;
48041 + vma_m = pax_find_mirror_vma(vma);
48043 + unsigned long address_m;
48045 + if (vma->vm_start > vma_m->vm_start) {
48046 + address_m = address;
48047 + address -= SEGMEXEC_TASK_SIZE;
48049 + h = hstate_vma(vma);
48051 + address_m = address + SEGMEXEC_TASK_SIZE;
48053 + if (!huge_pte_alloc(mm, address_m, huge_page_size(h)))
48054 + return VM_FAULT_OOM;
48055 + address_m &= HPAGE_MASK;
48056 + unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);
48060 ptep = huge_pte_alloc(mm, address, huge_page_size(h));
48062 return VM_FAULT_OOM;
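Review bot: The mirror handling mixes per-hstate and default-size helpers: `huge_pte_alloc(mm, address_m, huge_page_size(h))` uses the size of `h`, but the next lines align and unmap with `HPAGE_MASK` and `HPAGE_SIZE`. If the VMA's hstate ever differs from the default huge page size, the unmapped range would not match the entry that was just allocated. Using `address_m &= huge_page_mask(h);` and `address_m + huge_page_size(h)` keeps the three lines consistent. SEGMEXEC may only be built where a single huge page size exists, in which case a comment saying so is enough.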
48063 diff -urNp linux-2.6.33.1/mm/Kconfig linux-2.6.33.1/mm/Kconfig
48064 --- linux-2.6.33.1/mm/Kconfig 2010-03-15 12:09:39.000000000 -0400
48065 +++ linux-2.6.33.1/mm/Kconfig 2010-03-20 16:58:42.256945498 -0400
48066 @@ -222,7 +222,7 @@ config KSM
48067 config DEFAULT_MMAP_MIN_ADDR
48068 int "Low address space to protect from user allocation"
48073 This is the portion of low virtual memory which should be protected
48074 from userspace allocation. Keeping a user from writing to low pages
48075 diff -urNp linux-2.6.33.1/mm/maccess.c linux-2.6.33.1/mm/maccess.c
48076 --- linux-2.6.33.1/mm/maccess.c 2010-03-15 12:09:39.000000000 -0400
48077 +++ linux-2.6.33.1/mm/maccess.c 2010-03-20 16:58:42.256945498 -0400
48078 @@ -15,10 +15,10 @@
48079 * happens, handle that and return -EFAULT.
48082 -long __weak probe_kernel_read(void *dst, void *src, size_t size)
48083 +long __weak probe_kernel_read(void *dst, const void *src, size_t size)
48084 __attribute__((alias("__probe_kernel_read")));
48086 -long __probe_kernel_read(void *dst, void *src, size_t size)
48087 +long __probe_kernel_read(void *dst, const void *src, size_t size)
48090 mm_segment_t old_fs = get_fs();
48091 @@ -43,10 +43,10 @@ EXPORT_SYMBOL_GPL(probe_kernel_read);
48092 * Safely write to address @dst from the buffer at @src. If a kernel fault
48093 * happens, handle that and return -EFAULT.
48095 -long __weak probe_kernel_write(void *dst, void *src, size_t size)
48096 +long __weak probe_kernel_write(void *dst, const void *src, size_t size)
48097 __attribute__((alias("__probe_kernel_write")));
48099 -long __probe_kernel_write(void *dst, void *src, size_t size)
48100 +long __probe_kernel_write(void *dst, const void *src, size_t size)
48103 mm_segment_t old_fs = get_fs();
48104 diff -urNp linux-2.6.33.1/mm/madvise.c linux-2.6.33.1/mm/madvise.c
48105 --- linux-2.6.33.1/mm/madvise.c 2010-03-15 12:09:39.000000000 -0400
48106 +++ linux-2.6.33.1/mm/madvise.c 2010-03-20 16:58:42.256945498 -0400
48107 @@ -45,6 +45,10 @@ static long madvise_behavior(struct vm_a
48109 unsigned long new_flags = vma->vm_flags;
48111 +#ifdef CONFIG_PAX_SEGMEXEC
48112 + struct vm_area_struct *vma_m;
48115 switch (behavior) {
48117 new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
48118 @@ -104,6 +108,13 @@ success:
48120 * vm_flags is protected by the mmap_sem held in write mode.
48123 +#ifdef CONFIG_PAX_SEGMEXEC
48124 + vma_m = pax_find_mirror_vma(vma);
48126 + vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
48129 vma->vm_flags = new_flags;
48132 @@ -162,6 +173,11 @@ static long madvise_dontneed(struct vm_a
48133 struct vm_area_struct ** prev,
48134 unsigned long start, unsigned long end)
48137 +#ifdef CONFIG_PAX_SEGMEXEC
48138 + struct vm_area_struct *vma_m;
48142 if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
48144 @@ -174,6 +190,21 @@ static long madvise_dontneed(struct vm_a
48145 zap_page_range(vma, start, end - start, &details);
48147 zap_page_range(vma, start, end - start, NULL);
48149 +#ifdef CONFIG_PAX_SEGMEXEC
48150 + vma_m = pax_find_mirror_vma(vma);
48152 + if (unlikely(vma->vm_flags & VM_NONLINEAR)) {
48153 + struct zap_details details = {
48154 + .nonlinear_vma = vma_m,
48155 + .last_index = ULONG_MAX,
48157 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, &details);
48159 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
48166 @@ -366,6 +397,16 @@ SYSCALL_DEFINE3(madvise, unsigned long,
48170 +#ifdef CONFIG_PAX_SEGMEXEC
48171 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
48172 + if (end > SEGMEXEC_TASK_SIZE)
48177 + if (end > TASK_SIZE)
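Review bot: The upper-bound test on `end` against SEGMEXEC_TASK_SIZE or TASK_SIZE is open-coded here, and the same pair of comparisons is added again to do_mbind in mm/mempolicy.c and do_mlock in mm/mlock.c. A single helper that returns the effective user address limit for an mm would keep the three entry points in step if the rule changes. The error paths of this hunk are missing from the page, so only the comparisons can be reviewed here, and the syscall body continues outside the hunk.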
48183 diff -urNp linux-2.6.33.1/mm/memory.c linux-2.6.33.1/mm/memory.c
48184 --- linux-2.6.33.1/mm/memory.c 2010-03-15 12:09:39.000000000 -0400
48185 +++ linux-2.6.33.1/mm/memory.c 2010-03-20 16:58:42.260726041 -0400
48187 #include <linux/ksm.h>
48188 #include <linux/rmap.h>
48189 #include <linux/module.h>
48190 +#include <linux/security.h>
48191 #include <linux/delayacct.h>
48192 #include <linux/init.h>
48193 #include <linux/writeback.h>
48194 @@ -1266,10 +1267,10 @@ int __get_user_pages(struct task_struct
48195 (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
48199 + while (nr_pages) {
48200 struct vm_area_struct *vma;
48202 - vma = find_extend_vma(mm, start);
48203 + vma = find_vma(mm, start);
48204 if (!vma && in_gate_area(tsk, start)) {
48205 unsigned long pg = start & PAGE_MASK;
48206 struct vm_area_struct *gate_vma = get_gate_vma(tsk);
48207 @@ -1311,7 +1312,7 @@ int __get_user_pages(struct task_struct
48212 + if (!vma || start < vma->vm_start ||
48213 (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
48214 !(vm_flags & vma->vm_flags))
48215 return i ? : -EFAULT;
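Review bot: The `!vma || start < vma->vm_start` test added here is what now rejects an address that falls in a gap below a VMA, because the previous hunk replaces find_extend_vma() with find_vma(), and that deserves a comment. As far as the visible lines show, __get_user_pages no longer grows a stack VMA on behalf of its caller, so a caller that relied on that would now get -EFAULT. I would add above the test: `/* find_vma() may return a vma above start; no implicit stack expansion here */`. The function body continues outside both hunks.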
48216 @@ -1386,7 +1387,7 @@ int __get_user_pages(struct task_struct
48217 start += PAGE_SIZE;
48219 } while (nr_pages && start < vma->vm_end);
48220 - } while (nr_pages);
48225 @@ -1982,6 +1983,186 @@ static inline void cow_user_page(struct
48226 copy_user_highpage(dst, src, va, vma);
48229 +#ifdef CONFIG_PAX_SEGMEXEC
48230 +static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
48232 + struct mm_struct *mm = vma->vm_mm;
48234 + pte_t *pte, entry;
48236 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
48238 + if (!pte_present(entry)) {
48239 + if (!pte_none(entry)) {
48240 + BUG_ON(pte_file(entry));
48241 + free_swap_and_cache(pte_to_swp_entry(entry));
48242 + pte_clear_not_present_full(mm, address, pte, 0);
48245 + struct page *page;
48247 + flush_cache_page(vma, address, pte_pfn(entry));
48248 + entry = ptep_clear_flush(vma, address, pte);
48249 + BUG_ON(pte_dirty(entry));
48250 + page = vm_normal_page(vma, address, entry);
48252 + update_hiwater_rss(mm);
48253 + if (PageAnon(page))
48254 + dec_mm_counter(mm, anon_rss);
48256 + dec_mm_counter(mm, file_rss);
48257 + page_remove_rmap(page);
48258 + page_cache_release(page);
48261 + pte_unmap_unlock(pte, ptl);
48264 +/* PaX: if vma is mirrored, synchronize the mirror's PTE
48266 + * the ptl of the lower mapped page is held on entry and is not released on exit
48267 + * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
48269 +static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
48271 + struct mm_struct *mm = vma->vm_mm;
48272 + unsigned long address_m;
48273 + spinlock_t *ptl_m;
48274 + struct vm_area_struct *vma_m;
48276 + pte_t *pte_m, entry_m;
48278 + BUG_ON(!page_m || !PageAnon(page_m));
48280 + vma_m = pax_find_mirror_vma(vma);
48284 + BUG_ON(!PageLocked(page_m));
48285 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
48286 + address_m = address + SEGMEXEC_TASK_SIZE;
48287 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
48288 + pte_m = pte_offset_map_nested(pmd_m, address_m);
48289 + ptl_m = pte_lockptr(mm, pmd_m);
48290 + if (ptl != ptl_m) {
48291 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
48292 + if (!pte_none(*pte_m))
48296 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
48297 + page_cache_get(page_m);
48298 + page_add_anon_rmap(page_m, vma_m, address_m);
48299 + inc_mm_counter(mm, anon_rss);
48300 + set_pte_at(mm, address_m, pte_m, entry_m);
48301 + update_mmu_cache(vma_m, address_m, entry_m);
48303 + if (ptl != ptl_m)
48304 + spin_unlock(ptl_m);
48305 + pte_unmap_nested(pte_m);
48306 + unlock_page(page_m);
48309 +void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
48311 + struct mm_struct *mm = vma->vm_mm;
48312 + unsigned long address_m;
48313 + spinlock_t *ptl_m;
48314 + struct vm_area_struct *vma_m;
48316 + pte_t *pte_m, entry_m;
48318 + BUG_ON(!page_m || PageAnon(page_m));
48320 + vma_m = pax_find_mirror_vma(vma);
48324 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
48325 + address_m = address + SEGMEXEC_TASK_SIZE;
48326 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
48327 + pte_m = pte_offset_map_nested(pmd_m, address_m);
48328 + ptl_m = pte_lockptr(mm, pmd_m);
48329 + if (ptl != ptl_m) {
48330 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
48331 + if (!pte_none(*pte_m))
48335 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
48336 + page_cache_get(page_m);
48337 + page_add_file_rmap(page_m);
48338 + inc_mm_counter(mm, file_rss);
48339 + set_pte_at(mm, address_m, pte_m, entry_m);
48340 + update_mmu_cache(vma_m, address_m, entry_m);
48342 + if (ptl != ptl_m)
48343 + spin_unlock(ptl_m);
48344 + pte_unmap_nested(pte_m);
48347 +static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
48349 + struct mm_struct *mm = vma->vm_mm;
48350 + unsigned long address_m;
48351 + spinlock_t *ptl_m;
48352 + struct vm_area_struct *vma_m;
48354 + pte_t *pte_m, entry_m;
48356 + vma_m = pax_find_mirror_vma(vma);
48360 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
48361 + address_m = address + SEGMEXEC_TASK_SIZE;
48362 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
48363 + pte_m = pte_offset_map_nested(pmd_m, address_m);
48364 + ptl_m = pte_lockptr(mm, pmd_m);
48365 + if (ptl != ptl_m) {
48366 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
48367 + if (!pte_none(*pte_m))
48371 + entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
48372 + set_pte_at(mm, address_m, pte_m, entry_m);
48374 + if (ptl != ptl_m)
48375 + spin_unlock(ptl_m);
48376 + pte_unmap_nested(pte_m);
48379 +static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
48381 + struct page *page_m;
48384 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
48388 + page_m = vm_normal_page(vma, address, entry);
48390 + pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
48391 + else if (PageAnon(page_m)) {
48392 + if (pax_find_mirror_vma(vma)) {
48393 + pte_unmap_unlock(pte, ptl);
48394 + lock_page(page_m);
48395 + pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
48396 + if (pte_same(entry, *pte))
48397 + pax_mirror_anon_pte(vma, address, page_m, ptl);
48399 + unlock_page(page_m);
48402 + pax_mirror_file_pte(vma, address, page_m, ptl);
48405 + pte_unmap_unlock(pte, ptl);
48410 * This routine handles present pages, when users try to write
48411 * to a shared page. It is done by copying the page to a new address
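Review bot: pax_mirror_anon_pte, pax_mirror_file_pte and pax_mirror_pfn_pte each walk `pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m)` with no none/bad check at any level, so they depend on the mirror's page tables already being populated. The handle_mm_fault hunk later in this file does allocate them with pud_alloc/pmd_alloc/__pte_alloc before the fault is handled, but nothing in these helpers says so. A comment on each walk such as `/* mirror page tables were allocated in handle_mm_fault() */` would record the dependency. The three functions also repeat the same lookup, nested-lock and unlock sequence line for line, which could live in one static helper. Several lines of this hunk are missing from the page, so the early-return paths cannot be checked here.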
48412 @@ -2161,6 +2342,12 @@ gotten:
48414 page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
48415 if (likely(pte_same(*page_table, orig_pte))) {
48417 +#ifdef CONFIG_PAX_SEGMEXEC
48418 + if (pax_find_mirror_vma(vma))
48419 + BUG_ON(!trylock_page(new_page));
48423 if (!PageAnon(old_page)) {
48424 dec_mm_counter(mm, file_rss);
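Review bot: `BUG_ON(!trylock_page(new_page))` puts the lock acquisition itself inside the assertion, which hides a state change in what reads as a pure check. The same construct is added in the do_anonymous_page hunk (`trylock_page(page)`) and in the __do_fault hunk. Writing it as `if (!trylock_page(new_page))` followed by `BUG();` keeps the side effect visible and independent of how BUG_ON is defined. A short comment that the page stays locked until pax_mirror_anon_pte() calls unlock_page() would also help, since the release is in a different function.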
48425 @@ -2212,6 +2399,10 @@ gotten:
48426 page_remove_rmap(old_page);
48429 +#ifdef CONFIG_PAX_SEGMEXEC
48430 + pax_mirror_anon_pte(vma, address, new_page, ptl);
48433 /* Free the old page.. */
48434 new_page = old_page;
48435 ret |= VM_FAULT_WRITE;
48436 @@ -2619,6 +2810,11 @@ static int do_swap_page(struct mm_struct
48438 if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
48439 try_to_free_swap(page);
48441 +#ifdef CONFIG_PAX_SEGMEXEC
48442 + if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
48447 if (flags & FAULT_FLAG_WRITE) {
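Review bot: The `if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))` added inside the `#ifdef` appears to have no body of its own, so it would govern whichever statement follows the `#endif`; that statement is not visible on this page. A conditional that reaches across a preprocessor boundary is easy to break when the guarded statement is later moved or another line is inserted in front of it. The arch_get_unmapped_area and arch_get_unmapped_area_topdown hunks in mm/mmap.c use the same shape with `if (!(mm->pax_flags & MF_PAX_RANDMMAP))`. At minimum I would add `/* guards the statement after #endif */` next to each; a small inline predicate that is constant when the option is off would avoid the construct altogether.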
48448 @@ -2630,6 +2826,11 @@ static int do_swap_page(struct mm_struct
48450 /* No need to invalidate - it was non-present before */
48451 update_mmu_cache(vma, address, pte);
48453 +#ifdef CONFIG_PAX_SEGMEXEC
48454 + pax_mirror_anon_pte(vma, address, page, ptl);
48458 pte_unmap_unlock(page_table, ptl);
48460 @@ -2653,7 +2854,7 @@ static int do_anonymous_page(struct mm_s
48461 unsigned long address, pte_t *page_table, pmd_t *pmd,
48462 unsigned int flags)
48464 - struct page *page;
48465 + struct page *page = NULL;
48469 @@ -2688,6 +2889,11 @@ static int do_anonymous_page(struct mm_s
48470 if (!pte_none(*page_table))
48473 +#ifdef CONFIG_PAX_SEGMEXEC
48474 + if (pax_find_mirror_vma(vma))
48475 + BUG_ON(!trylock_page(page));
48478 inc_mm_counter(mm, anon_rss);
48479 page_add_new_anon_rmap(page, vma, address);
48481 @@ -2695,6 +2901,12 @@ setpte:
48483 /* No need to invalidate - it was non-present before */
48484 update_mmu_cache(vma, address, entry);
48486 +#ifdef CONFIG_PAX_SEGMEXEC
48488 + pax_mirror_anon_pte(vma, address, page, ptl);
48492 pte_unmap_unlock(page_table, ptl);
48494 @@ -2837,6 +3049,12 @@ static int __do_fault(struct mm_struct *
48496 /* Only go through if we didn't race with anybody else... */
48497 if (likely(pte_same(*page_table, orig_pte))) {
48499 +#ifdef CONFIG_PAX_SEGMEXEC
48500 + if (anon && pax_find_mirror_vma(vma))
48501 + BUG_ON(!trylock_page(page));
48504 flush_icache_page(vma, page);
48505 entry = mk_pte(page, vma->vm_page_prot);
48506 if (flags & FAULT_FLAG_WRITE)
48507 @@ -2856,6 +3074,14 @@ static int __do_fault(struct mm_struct *
48509 /* no need to invalidate: a not-present page won't be cached */
48510 update_mmu_cache(vma, address, entry);
48512 +#ifdef CONFIG_PAX_SEGMEXEC
48514 + pax_mirror_anon_pte(vma, address, page, ptl);
48516 + pax_mirror_file_pte(vma, address, page, ptl);
48521 mem_cgroup_uncharge_page(page);
48522 @@ -3003,6 +3229,12 @@ static inline int handle_pte_fault(struc
48523 if (flags & FAULT_FLAG_WRITE)
48524 flush_tlb_page(vma, address);
48527 +#ifdef CONFIG_PAX_SEGMEXEC
48528 + pax_mirror_pte(vma, address, pte, pmd, ptl);
48533 pte_unmap_unlock(pte, ptl);
48535 @@ -3019,6 +3251,10 @@ int handle_mm_fault(struct mm_struct *mm
48539 +#ifdef CONFIG_PAX_SEGMEXEC
48540 + struct vm_area_struct *vma_m;
48543 __set_current_state(TASK_RUNNING);
48545 count_vm_event(PGFAULT);
48546 @@ -3026,6 +3262,34 @@ int handle_mm_fault(struct mm_struct *mm
48547 if (unlikely(is_vm_hugetlb_page(vma)))
48548 return hugetlb_fault(mm, vma, address, flags);
48550 +#ifdef CONFIG_PAX_SEGMEXEC
48551 + vma_m = pax_find_mirror_vma(vma);
48553 + unsigned long address_m;
48558 + if (vma->vm_start > vma_m->vm_start) {
48559 + address_m = address;
48560 + address -= SEGMEXEC_TASK_SIZE;
48563 + address_m = address + SEGMEXEC_TASK_SIZE;
48565 + pgd_m = pgd_offset(mm, address_m);
48566 + pud_m = pud_alloc(mm, pgd_m, address_m);
48568 + return VM_FAULT_OOM;
48569 + pmd_m = pmd_alloc(mm, pud_m, address_m);
48571 + return VM_FAULT_OOM;
48572 + if (!pmd_present(*pmd_m) && __pte_alloc(mm, pmd_m, address_m))
48573 + return VM_FAULT_OOM;
48574 + pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
48578 pgd = pgd_offset(mm, address);
48579 pud = pud_alloc(mm, pgd, address);
48581 @@ -3123,7 +3387,7 @@ static int __init gate_vma_init(void)
48582 gate_vma.vm_start = FIXADDR_USER_START;
48583 gate_vma.vm_end = FIXADDR_USER_END;
48584 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
48585 - gate_vma.vm_page_prot = __P101;
48586 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
48588 * Make sure the vDSO gets into every core dump.
48589 * Dumping its contents makes post-mortem fully interpretable later
48590 diff -urNp linux-2.6.33.1/mm/memory-failure.c linux-2.6.33.1/mm/memory-failure.c
48591 --- linux-2.6.33.1/mm/memory-failure.c 2010-03-15 12:09:39.000000000 -0400
48592 +++ linux-2.6.33.1/mm/memory-failure.c 2010-03-20 16:58:42.260726041 -0400
48593 @@ -50,7 +50,7 @@ int sysctl_memory_failure_early_kill __r
48595 int sysctl_memory_failure_recovery __read_mostly = 1;
48597 -atomic_long_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
48598 +atomic_long_unchecked_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
48600 #if defined(CONFIG_HWPOISON_INJECT) || defined(CONFIG_HWPOISON_INJECT_MODULE)
48602 @@ -935,7 +935,7 @@ int __memory_failure(unsigned long pfn,
48606 - atomic_long_add(1, &mce_bad_pages);
48607 + atomic_long_add_unchecked(1, &mce_bad_pages);
48610 * We need/can do nothing about count=0 pages.
48611 diff -urNp linux-2.6.33.1/mm/mempolicy.c linux-2.6.33.1/mm/mempolicy.c
48612 --- linux-2.6.33.1/mm/mempolicy.c 2010-03-15 12:09:39.000000000 -0400
48613 +++ linux-2.6.33.1/mm/mempolicy.c 2010-03-20 16:58:42.260726041 -0400
48614 @@ -569,6 +569,10 @@ static int mbind_range(struct vm_area_st
48615 struct vm_area_struct *next;
48618 +#ifdef CONFIG_PAX_SEGMEXEC
48619 + struct vm_area_struct *vma_m;
48623 for (; vma && vma->vm_start < end; vma = next) {
48624 next = vma->vm_next;
48625 @@ -580,6 +584,16 @@ static int mbind_range(struct vm_area_st
48626 err = policy_vma(vma, new);
48630 +#ifdef CONFIG_PAX_SEGMEXEC
48631 + vma_m = pax_find_mirror_vma(vma);
48633 + err = policy_vma(vma_m, new);
48642 @@ -1000,6 +1014,17 @@ static long do_mbind(unsigned long start
48647 +#ifdef CONFIG_PAX_SEGMEXEC
48648 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
48649 + if (end > SEGMEXEC_TASK_SIZE)
48654 + if (end > TASK_SIZE)
48660 @@ -1205,6 +1230,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
48664 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
48665 + if (mm != current->mm &&
48666 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
48673 * Check if this process has the right to modify the specified
48674 * process. The right exists if the process has administrative
48675 @@ -1214,8 +1247,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
48677 tcred = __task_cred(task);
48678 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
48679 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
48680 - !capable(CAP_SYS_NICE)) {
48681 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
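Review bot: Dropping `cred->uid != tcred->uid` narrows who may call migrate_pages on another task, but the explanatory comment in the preceding hunk's context is left as it was, and the part of it visible here does not mention the new rule. I would extend that comment with something like `/* a matching real uid alone is no longer sufficient */` so the stricter check is not mistaken for an accident. The identical edit is made to move_pages in mm/migrate.c; the two copies of this credential test could share one helper so they cannot drift apart.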
48685 @@ -2431,7 +2463,7 @@ int show_numa_map(struct seq_file *m, vo
48688 seq_printf(m, " file=");
48689 - seq_path(m, &file->f_path, "\n\t= ");
48690 + seq_path(m, &file->f_path, "\n\t\\= ");
48691 } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
48692 seq_printf(m, " heap");
48693 } else if (vma->vm_start <= mm->start_stack &&
48694 diff -urNp linux-2.6.33.1/mm/migrate.c linux-2.6.33.1/mm/migrate.c
48695 --- linux-2.6.33.1/mm/migrate.c 2010-03-15 12:09:39.000000000 -0400
48696 +++ linux-2.6.33.1/mm/migrate.c 2010-03-20 16:58:42.260726041 -0400
48697 @@ -1059,6 +1059,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
48701 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
48702 + if (mm != current->mm &&
48703 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
48710 * Check if this process has the right to modify the specified
48711 * process. The right exists if the process has administrative
48712 @@ -1068,8 +1076,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
48714 tcred = __task_cred(task);
48715 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
48716 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
48717 - !capable(CAP_SYS_NICE)) {
48718 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
48722 diff -urNp linux-2.6.33.1/mm/mlock.c linux-2.6.33.1/mm/mlock.c
48723 --- linux-2.6.33.1/mm/mlock.c 2010-03-15 12:09:39.000000000 -0400
48724 +++ linux-2.6.33.1/mm/mlock.c 2010-03-20 16:58:42.264564412 -0400
48726 #include <linux/pagemap.h>
48727 #include <linux/mempolicy.h>
48728 #include <linux/syscalls.h>
48729 +#include <linux/security.h>
48730 #include <linux/sched.h>
48731 #include <linux/module.h>
48732 #include <linux/rmap.h>
48733 @@ -432,6 +433,17 @@ static int do_mlock(unsigned long start,
48738 +#ifdef CONFIG_PAX_SEGMEXEC
48739 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
48740 + if (end > SEGMEXEC_TASK_SIZE)
48745 + if (end > TASK_SIZE)
48748 vma = find_vma_prev(current->mm, start, &prev);
48749 if (!vma || vma->vm_start > start)
48751 @@ -491,6 +503,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, st
48752 lock_limit >>= PAGE_SHIFT;
48754 /* check against resource limits */
48755 + gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
48756 if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
48757 error = do_mlock(start, len, 1);
48758 up_write(¤t->mm->mmap_sem);
48759 @@ -512,10 +525,10 @@ SYSCALL_DEFINE2(munlock, unsigned long,
48760 static int do_mlockall(int flags)
48762 struct vm_area_struct * vma, * prev = NULL;
48763 - unsigned int def_flags = 0;
48764 + unsigned int def_flags = current->mm->def_flags & ~VM_LOCKED;
48766 if (flags & MCL_FUTURE)
48767 - def_flags = VM_LOCKED;
48768 + def_flags |= VM_LOCKED;
48769 current->mm->def_flags = def_flags;
48770 if (flags == MCL_FUTURE)
48772 @@ -523,6 +536,12 @@ static int do_mlockall(int flags)
48773 for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
48774 unsigned int newflags;
48776 +#ifdef CONFIG_PAX_SEGMEXEC
48777 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
48781 + BUG_ON(vma->vm_end > TASK_SIZE);
48782 newflags = vma->vm_flags | VM_LOCKED;
48783 if (!(flags & MCL_CURRENT))
48784 newflags &= ~VM_LOCKED;
48785 @@ -554,6 +573,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
48786 lock_limit >>= PAGE_SHIFT;
48789 + gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm, 1);
48790 if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
48791 capable(CAP_IPC_LOCK))
48792 ret = do_mlockall(flags);
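Review bot: This gr_learn_resource() call passes `current->mm->total_vm`, a page count, while the other RLIMIT_MEMLOCK calls this patch adds on the page pass bytes: `locked << PAGE_SHIFT` in do_mmap_pgoff and acct_stack_growth, and `(current->mm->locked_vm << PAGE_SHIFT) + len` in mlock. The context line `lock_limit >>= PAGE_SHIFT;` in this same hunk exists because the rlimit itself is in bytes. Unless gr_learn_resource() (not shown here) expects pages from this one caller, the argument should be `current->mm->total_vm << PAGE_SHIFT`.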
48793 diff -urNp linux-2.6.33.1/mm/mmap.c linux-2.6.33.1/mm/mmap.c
48794 --- linux-2.6.33.1/mm/mmap.c 2010-03-15 12:09:39.000000000 -0400
48795 +++ linux-2.6.33.1/mm/mmap.c 2010-03-20 16:58:42.264564412 -0400
48797 #define arch_rebalance_pgtables(addr, len) (addr)
48800 +static inline void verify_mm_writelocked(struct mm_struct *mm)
48802 +#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
48803 + if (unlikely(down_read_trylock(&mm->mmap_sem))) {
48804 + up_read(&mm->mmap_sem);
48810 static void unmap_region(struct mm_struct *mm,
48811 struct vm_area_struct *vma, struct vm_area_struct *prev,
48812 unsigned long start, unsigned long end);
48813 @@ -69,16 +79,25 @@ static void unmap_region(struct mm_struc
48814 * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
48817 -pgprot_t protection_map[16] = {
48818 +pgprot_t protection_map[16] __read_only = {
48819 __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
48820 __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
48823 pgprot_t vm_get_page_prot(unsigned long vm_flags)
48825 - return __pgprot(pgprot_val(protection_map[vm_flags &
48826 + pgprot_t prot = __pgprot(pgprot_val(protection_map[vm_flags &
48827 (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
48828 pgprot_val(arch_vm_get_page_prot(vm_flags)));
48830 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
48831 + if (!(__supported_pte_mask & _PAGE_NX) &&
48832 + (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
48833 + (vm_flags & (VM_READ | VM_WRITE)))
48834 + prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
48839 EXPORT_SYMBOL(vm_get_page_prot);
48841 @@ -230,6 +249,7 @@ static struct vm_area_struct *remove_vma
48842 struct vm_area_struct *next = vma->vm_next;
48845 + BUG_ON(vma->vm_mirror);
48846 if (vma->vm_ops && vma->vm_ops->close)
48847 vma->vm_ops->close(vma);
48848 if (vma->vm_file) {
48849 @@ -266,6 +286,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
48850 * not page aligned -Ram Gupta
48852 rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
48853 + gr_learn_resource(current, RLIMIT_DATA, (brk - mm->start_brk) + (mm->end_data - mm->start_data), 1);
48854 if (rlim < RLIM_INFINITY && (brk - mm->start_brk) +
48855 (mm->end_data - mm->start_data) > rlim)
48857 @@ -693,6 +714,12 @@ static int
48858 can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
48859 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
48862 +#ifdef CONFIG_PAX_SEGMEXEC
48863 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
48867 if (is_mergeable_vma(vma, file, vm_flags) &&
48868 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
48869 if (vma->vm_pgoff == vm_pgoff)
48870 @@ -712,6 +739,12 @@ static int
48871 can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
48872 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
48875 +#ifdef CONFIG_PAX_SEGMEXEC
48876 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
48880 if (is_mergeable_vma(vma, file, vm_flags) &&
48881 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
48883 @@ -754,12 +787,19 @@ can_vma_merge_after(struct vm_area_struc
48884 struct vm_area_struct *vma_merge(struct mm_struct *mm,
48885 struct vm_area_struct *prev, unsigned long addr,
48886 unsigned long end, unsigned long vm_flags,
48887 - struct anon_vma *anon_vma, struct file *file,
48888 + struct anon_vma *anon_vma, struct file *file,
48889 pgoff_t pgoff, struct mempolicy *policy)
48891 pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
48892 struct vm_area_struct *area, *next;
48894 +#ifdef CONFIG_PAX_SEGMEXEC
48895 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
48896 + struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
48898 + BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
48902 * We later require that vma->vm_flags == vm_flags,
48903 * so this tests vma->vm_flags & VM_SPECIAL, too.
48904 @@ -775,6 +815,15 @@ struct vm_area_struct *vma_merge(struct
48905 if (next && next->vm_end == end) /* cases 6, 7, 8 */
48906 next = next->vm_next;
48908 +#ifdef CONFIG_PAX_SEGMEXEC
48910 + prev_m = pax_find_mirror_vma(prev);
48912 + area_m = pax_find_mirror_vma(area);
48914 + next_m = pax_find_mirror_vma(next);
48918 * Can it merge with the predecessor?
48920 @@ -794,9 +843,24 @@ struct vm_area_struct *vma_merge(struct
48922 vma_adjust(prev, prev->vm_start,
48923 next->vm_end, prev->vm_pgoff, NULL);
48924 - } else /* cases 2, 5, 7 */
48926 +#ifdef CONFIG_PAX_SEGMEXEC
48928 + vma_adjust(prev_m, prev_m->vm_start,
48929 + next_m->vm_end, prev_m->vm_pgoff, NULL);
48932 + } else { /* cases 2, 5, 7 */
48933 vma_adjust(prev, prev->vm_start,
48934 end, prev->vm_pgoff, NULL);
48936 +#ifdef CONFIG_PAX_SEGMEXEC
48938 + vma_adjust(prev_m, prev_m->vm_start,
48939 + end_m, prev_m->vm_pgoff, NULL);
48946 @@ -807,12 +871,27 @@ struct vm_area_struct *vma_merge(struct
48947 mpol_equal(policy, vma_policy(next)) &&
48948 can_vma_merge_before(next, vm_flags,
48949 anon_vma, file, pgoff+pglen)) {
48950 - if (prev && addr < prev->vm_end) /* case 4 */
48951 + if (prev && addr < prev->vm_end) { /* case 4 */
48952 vma_adjust(prev, prev->vm_start,
48953 addr, prev->vm_pgoff, NULL);
48954 - else /* cases 3, 8 */
48956 +#ifdef CONFIG_PAX_SEGMEXEC
48958 + vma_adjust(prev_m, prev_m->vm_start,
48959 + addr_m, prev_m->vm_pgoff, NULL);
48962 + } else { /* cases 3, 8 */
48963 vma_adjust(area, addr, next->vm_end,
48964 next->vm_pgoff - pglen, NULL);
48966 +#ifdef CONFIG_PAX_SEGMEXEC
48968 + vma_adjust(area_m, addr_m, next_m->vm_end,
48969 + next_m->vm_pgoff - pglen, NULL);
48976 @@ -887,14 +966,11 @@ none:
48977 void vm_stat_account(struct mm_struct *mm, unsigned long flags,
48978 struct file *file, long pages)
48980 - const unsigned long stack_flags
48981 - = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
48984 mm->shared_vm += pages;
48985 if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
48986 mm->exec_vm += pages;
48987 - } else if (flags & stack_flags)
48988 + } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
48989 mm->stack_vm += pages;
48990 if (flags & (VM_RESERVED|VM_IO))
48991 mm->reserved_vm += pages;
48992 @@ -921,7 +997,7 @@ unsigned long do_mmap_pgoff(struct file
48993 * (the exception is when the underlying filesystem is noexec
48994 * mounted, in which case we dont add PROT_EXEC.)
48996 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
48997 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
48998 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
49001 @@ -947,7 +1023,7 @@ unsigned long do_mmap_pgoff(struct file
49002 /* Obtain the address to map to. we verify (or select) it and ensure
49003 * that it represents a valid section of the address space.
49005 - addr = get_unmapped_area(file, addr, len, pgoff, flags);
49006 + addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
49007 if (addr & ~PAGE_MASK)
49010 @@ -958,6 +1034,26 @@ unsigned long do_mmap_pgoff(struct file
49011 vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
49012 mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
49014 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
49015 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
49017 +#ifdef CONFIG_PAX_MPROTECT
49018 + if (mm->pax_flags & MF_PAX_MPROTECT) {
49019 + if ((prot & (PROT_WRITE | PROT_EXEC)) != PROT_EXEC)
49020 + vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
49022 + vm_flags &= ~(VM_WRITE | VM_MAYWRITE);
49029 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
49030 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
49031 + vm_flags &= ~VM_PAGEEXEC;
49034 if (flags & MAP_LOCKED)
49035 if (!can_do_mlock())
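Review bot: The MF_PAX_MPROTECT branch is where write and execute become mutually exclusive for a new mapping, yet it carries no comment. From the visible lines, a request that is not exactly executable-without-write loses `VM_EXEC | VM_MAYEXEC`; the line that clears `VM_WRITE | VM_MAYWRITE` follows, with its `else` missing from the page. I would add `/* MPROTECT: a mapping may be writable or executable, never both, now or later */` above the inner test. It is also worth noting that this runs after the READ_IMPLIES_EXEC adjustment earlier in do_mmap_pgoff, so a personality-added PROT_EXEC would be filtered here as well; that ordering is inferred from the hunk positions rather than shown in full.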
49037 @@ -969,6 +1065,7 @@ unsigned long do_mmap_pgoff(struct file
49038 locked += mm->locked_vm;
49039 lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
49040 lock_limit >>= PAGE_SHIFT;
49041 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
49042 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
49045 @@ -1039,6 +1136,9 @@ unsigned long do_mmap_pgoff(struct file
49049 + if (!gr_acl_handle_mmap(file, prot))
49052 return mmap_region(file, addr, len, flags, vm_flags, pgoff);
49054 EXPORT_SYMBOL(do_mmap_pgoff);
49055 @@ -1091,10 +1191,10 @@ out:
49057 int vma_wants_writenotify(struct vm_area_struct *vma)
49059 - unsigned int vm_flags = vma->vm_flags;
49060 + unsigned long vm_flags = vma->vm_flags;
49062 /* If it was private or non-writable, the write bit is already clear */
49063 - if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
49064 + if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
49067 /* The backer wishes to know when pages are first written to? */
49068 @@ -1143,14 +1243,24 @@ unsigned long mmap_region(struct file *f
49069 unsigned long charged = 0;
49070 struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
49072 +#ifdef CONFIG_PAX_SEGMEXEC
49073 + struct vm_area_struct *vma_m = NULL;
49077 + * mm->mmap_sem is required to protect against another thread
49078 + * changing the mappings in case we sleep.
49080 + verify_mm_writelocked(mm);
49082 /* Clear old maps */
49085 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
49086 if (vma && vma->vm_start < addr + len) {
49087 if (do_munmap(mm, addr, len))
49089 - goto munmap_back;
49090 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
49091 + BUG_ON(vma && vma->vm_start < addr + len);
49094 /* Check against address space limit. */
49095 @@ -1199,6 +1309,16 @@ munmap_back:
49099 +#ifdef CONFIG_PAX_SEGMEXEC
49100 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
49101 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
49110 vma->vm_start = addr;
49111 vma->vm_end = addr + len;
49112 @@ -1221,6 +1341,19 @@ munmap_back:
49113 error = file->f_op->mmap(file, vma);
49115 goto unmap_and_free_vma;
49117 +#ifdef CONFIG_PAX_SEGMEXEC
49118 + if (vma_m && (vm_flags & VM_EXECUTABLE))
49119 + added_exe_file_vma(mm);
49122 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
49123 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
49124 + vma->vm_flags |= VM_PAGEEXEC;
49125 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
49129 if (vm_flags & VM_EXECUTABLE)
49130 added_exe_file_vma(mm);
49132 @@ -1256,6 +1389,11 @@ munmap_back:
49133 vma_link(mm, vma, prev, rb_link, rb_parent);
49134 file = vma->vm_file;
49136 +#ifdef CONFIG_PAX_SEGMEXEC
49138 + pax_mirror_vma(vma_m, vma);
49141 /* Once vma denies write, undo our temporary denial count */
49142 if (correct_wcount)
49143 atomic_inc(&inode->i_writecount);
49144 @@ -1264,6 +1402,7 @@ out:
49146 mm->total_vm += len >> PAGE_SHIFT;
49147 vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
49148 + track_exec_limit(mm, addr, addr + len, vm_flags);
49149 if (vm_flags & VM_LOCKED) {
49151 * makes pages present; downgrades, drops, reacquires mmap_sem
49152 @@ -1286,6 +1425,12 @@ unmap_and_free_vma:
49153 unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
49157 +#ifdef CONFIG_PAX_SEGMEXEC
49159 + kmem_cache_free(vm_area_cachep, vma_m);
49162 kmem_cache_free(vm_area_cachep, vma);
49165 @@ -1319,6 +1464,10 @@ arch_get_unmapped_area(struct file *filp
49166 if (flags & MAP_FIXED)
49169 +#ifdef CONFIG_PAX_RANDMMAP
49170 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
49174 addr = PAGE_ALIGN(addr);
49175 vma = find_vma(mm, addr);
49176 @@ -1327,10 +1476,10 @@ arch_get_unmapped_area(struct file *filp
49179 if (len > mm->cached_hole_size) {
49180 - start_addr = addr = mm->free_area_cache;
49181 + start_addr = addr = mm->free_area_cache;
49183 - start_addr = addr = TASK_UNMAPPED_BASE;
49184 - mm->cached_hole_size = 0;
49185 + start_addr = addr = mm->mmap_base;
49186 + mm->cached_hole_size = 0;
49190 @@ -1341,9 +1490,8 @@ full_search:
49191 * Start a new search - just in case we missed
49194 - if (start_addr != TASK_UNMAPPED_BASE) {
49195 - addr = TASK_UNMAPPED_BASE;
49196 - start_addr = addr;
49197 + if (start_addr != mm->mmap_base) {
49198 + start_addr = addr = mm->mmap_base;
49199 mm->cached_hole_size = 0;
49202 @@ -1365,10 +1513,16 @@ full_search:
49204 void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
49207 +#ifdef CONFIG_PAX_SEGMEXEC
49208 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
49213 * Is this a new hole at the lowest possible address?
49215 - if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
49216 + if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
49217 mm->free_area_cache = addr;
49218 mm->cached_hole_size = ~0UL;
49220 @@ -1386,7 +1540,7 @@ arch_get_unmapped_area_topdown(struct fi
49222 struct vm_area_struct *vma;
49223 struct mm_struct *mm = current->mm;
49224 - unsigned long addr = addr0;
49225 + unsigned long base = mm->mmap_base, addr = addr0;
49227 /* requested length too big for entire address space */
49228 if (len > TASK_SIZE)
49229 @@ -1395,6 +1549,10 @@ arch_get_unmapped_area_topdown(struct fi
49230 if (flags & MAP_FIXED)
49233 +#ifdef CONFIG_PAX_RANDMMAP
49234 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
49237 /* requesting a specific address */
49239 addr = PAGE_ALIGN(addr);
49240 @@ -1452,13 +1610,21 @@ bottomup:
49241 * can happen with large stack limits and large mmap()
49244 + mm->mmap_base = TASK_UNMAPPED_BASE;
49246 +#ifdef CONFIG_PAX_RANDMMAP
49247 + if (mm->pax_flags & MF_PAX_RANDMMAP)
49248 + mm->mmap_base += mm->delta_mmap;
49251 + mm->free_area_cache = mm->mmap_base;
49252 mm->cached_hole_size = ~0UL;
49253 - mm->free_area_cache = TASK_UNMAPPED_BASE;
49254 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
49256 * Restore the topdown base:
49258 - mm->free_area_cache = mm->mmap_base;
49259 + mm->mmap_base = base;
49260 + mm->free_area_cache = base;
49261 mm->cached_hole_size = ~0UL;
49264 @@ -1467,6 +1633,12 @@ bottomup:
49266 void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
49269 +#ifdef CONFIG_PAX_SEGMEXEC
49270 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
49275 * Is this a new hole at the highest possible address?
49277 @@ -1474,8 +1646,10 @@ void arch_unmap_area_topdown(struct mm_s
49278 mm->free_area_cache = addr;
49280 /* dont allow allocations above current base */
49281 - if (mm->free_area_cache > mm->mmap_base)
49282 + if (mm->free_area_cache > mm->mmap_base) {
49283 mm->free_area_cache = mm->mmap_base;
49284 + mm->cached_hole_size = ~0UL;
49289 @@ -1583,6 +1757,27 @@ out:
49290 return prev ? prev->vm_next : vma;
49293 +#ifdef CONFIG_PAX_SEGMEXEC
49294 +struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
49296 + struct vm_area_struct *vma_m;
49298 + BUG_ON(!vma || vma->vm_start >= vma->vm_end);
49299 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
49300 + BUG_ON(vma->vm_mirror);
49303 + BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end);
49304 + vma_m = vma->vm_mirror;
49305 + BUG_ON(!vma_m || vma_m->vm_mirror != vma);
49306 + BUG_ON(vma->vm_file != vma_m->vm_file);
49307 + BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
49308 + BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff || vma->anon_vma != vma_m->anon_vma);
49309 + BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED));
49315 * Verify that the stack growth is acceptable and
49316 * update accounting. This is shared with both the
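Review bot: `pax_find_mirror_vma()` is added without a header comment, although it is both a lookup and an invariant check that stops the kernel through `BUG_ON` when a VMA and its mirror disagree. A kernel-doc block should state that it returns the mirror of an executable VMA in a SEGMEXEC mm (the return statements are not shown in this view; presumably NULL otherwise). It should also list what must match between the pair: file, length, `vm_pgoff`, `anon_vma`, and all flags except `VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED`. Finally it should name the lock the caller must hold, because call sites such as `vma_to_resize()` and `mprotect_fixup()` use it as a plain predicate and inherit every assertion.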
49317 @@ -1599,6 +1794,7 @@ static int acct_stack_growth(struct vm_a
49320 /* Stack limit test */
49321 + gr_learn_resource(current, RLIMIT_STACK, size, 1);
49322 if (size > rlim[RLIMIT_STACK].rlim_cur)
49325 @@ -1608,6 +1804,7 @@ static int acct_stack_growth(struct vm_a
49326 unsigned long limit;
49327 locked = mm->locked_vm + grow;
49328 limit = rlim[RLIMIT_MEMLOCK].rlim_cur >> PAGE_SHIFT;
49329 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
49330 if (locked > limit && !capable(CAP_IPC_LOCK))
49333 @@ -1643,35 +1840,40 @@ static
49335 int expand_upwards(struct vm_area_struct *vma, unsigned long address)
49338 + int error, locknext;
49340 if (!(vma->vm_flags & VM_GROWSUP))
49343 + /* Also guard against wrapping around to address 0. */
49344 + if (address < PAGE_ALIGN(address+1))
49345 + address = PAGE_ALIGN(address+1);
49350 * We must make sure the anon_vma is allocated
49351 * so that the anon_vma locking is not a noop.
49353 if (unlikely(anon_vma_prepare(vma)))
49355 + locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
49356 + if (locknext && unlikely(anon_vma_prepare(vma->vm_next)))
49358 anon_vma_lock(vma);
49360 + anon_vma_lock(vma->vm_next);
49363 * vma->vm_start/vm_end cannot change under us because the caller
49364 * is required to hold the mmap_sem in read mode. We need the
49365 - * anon_vma lock to serialize against concurrent expand_stacks.
49366 - * Also guard against wrapping around to address 0.
49367 + * anon_vma locks to serialize against concurrent expand_stacks
49368 + * and expand_upwards.
49370 - if (address < PAGE_ALIGN(address+4))
49371 - address = PAGE_ALIGN(address+4);
49373 - anon_vma_unlock(vma);
49378 /* Somebody else might have raced and expanded it already */
49379 - if (address > vma->vm_end) {
49380 + if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
49381 unsigned long size, grow;
49383 size = address - vma->vm_start;
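Review bot: The two-lock scheme in `expand_upwards()` depends on an ordering rule that is not written down. Here `anon_vma_lock(vma)` is taken before `anon_vma_lock(vma->vm_next)`, and `expand_downwards()` takes `prev` before `vma`, so both lock the lower-address VMA first. I would add that to the rewritten comment, e.g. `* Lock order: lower-address vma first, same as expand_downwards().`, so a later change does not invert one side. The comment should also say why the two VMAs cannot share one `anon_vma`, since taking the same lock twice would presumably self-deadlock; I assume the differing VM_GROWSUP/VM_GROWSDOWN flags rule that out, but the hunk does not show it.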
49384 @@ -1681,6 +1883,8 @@ int expand_upwards(struct vm_area_struct
49386 vma->vm_end = address;
49389 + anon_vma_unlock(vma->vm_next);
49390 anon_vma_unlock(vma);
49393 @@ -1692,7 +1896,8 @@ int expand_upwards(struct vm_area_struct
49394 static int expand_downwards(struct vm_area_struct *vma,
49395 unsigned long address)
49398 + int error, lockprev = 0;
49399 + struct vm_area_struct *prev = NULL;
49402 * We must make sure the anon_vma is allocated
49403 @@ -1706,6 +1911,15 @@ static int expand_downwards(struct vm_ar
49407 +#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
49408 + find_vma_prev(vma->vm_mm, address, &prev);
49409 + lockprev = prev && (prev->vm_flags & VM_GROWSUP);
49411 + if (lockprev && unlikely(anon_vma_prepare(prev)))
49414 + anon_vma_lock(prev);
49416 anon_vma_lock(vma);
49419 @@ -1715,9 +1929,15 @@ static int expand_downwards(struct vm_ar
49422 /* Somebody else might have raced and expanded it already */
49423 - if (address < vma->vm_start) {
49424 + if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
49425 unsigned long size, grow;
49427 +#ifdef CONFIG_PAX_SEGMEXEC
49428 + struct vm_area_struct *vma_m;
49430 + vma_m = pax_find_mirror_vma(vma);
49433 size = vma->vm_end - address;
49434 grow = (vma->vm_start - address) >> PAGE_SHIFT;
49436 @@ -1725,9 +1945,20 @@ static int expand_downwards(struct vm_ar
49438 vma->vm_start = address;
49439 vma->vm_pgoff -= grow;
49440 + track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
49442 +#ifdef CONFIG_PAX_SEGMEXEC
49444 + vma_m->vm_start -= grow << PAGE_SHIFT;
49445 + vma_m->vm_pgoff -= grow;
49451 anon_vma_unlock(vma);
49453 + anon_vma_unlock(prev);
49457 @@ -1803,6 +2034,13 @@ static void remove_vma_list(struct mm_st
49459 long nrpages = vma_pages(vma);
49461 +#ifdef CONFIG_PAX_SEGMEXEC
49462 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
49463 + vma = remove_vma(vma);
49468 mm->total_vm -= nrpages;
49469 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
49470 vma = remove_vma(vma);
49471 @@ -1847,6 +2085,16 @@ detach_vmas_to_be_unmapped(struct mm_str
49473 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
49476 +#ifdef CONFIG_PAX_SEGMEXEC
49477 + if (vma->vm_mirror) {
49478 + BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
49479 + vma->vm_mirror->vm_mirror = NULL;
49480 + vma->vm_mirror->vm_flags &= ~VM_EXEC;
49481 + vma->vm_mirror = NULL;
49485 rb_erase(&vma->vm_rb, &mm->mm_rb);
49488 @@ -1872,14 +2120,33 @@ static int __split_vma(struct mm_struct
49489 struct mempolicy *pol;
49490 struct vm_area_struct *new;
49492 +#ifdef CONFIG_PAX_SEGMEXEC
49493 + struct vm_area_struct *vma_m, *new_m = NULL;
49494 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
49497 if (is_vm_hugetlb_page(vma) && (addr &
49498 ~(huge_page_mask(hstate_vma(vma)))))
49501 +#ifdef CONFIG_PAX_SEGMEXEC
49502 + vma_m = pax_find_mirror_vma(vma);
49505 new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
49509 +#ifdef CONFIG_PAX_SEGMEXEC
49511 + new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
49513 + kmem_cache_free(vm_area_cachep, new);
49519 /* most fields are the same, copy all, and then fixup */
49522 @@ -1890,8 +2157,29 @@ static int __split_vma(struct mm_struct
49523 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
49526 +#ifdef CONFIG_PAX_SEGMEXEC
49529 + new_m->vm_mirror = new;
49530 + new->vm_mirror = new_m;
49533 + new_m->vm_end = addr_m;
49535 + new_m->vm_start = addr_m;
49536 + new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
49541 pol = mpol_dup(vma_policy(vma));
49544 +#ifdef CONFIG_PAX_SEGMEXEC
49546 + kmem_cache_free(vm_area_cachep, new_m);
49549 kmem_cache_free(vm_area_cachep, new);
49550 return PTR_ERR(pol);
49552 @@ -1912,6 +2200,28 @@ static int __split_vma(struct mm_struct
49554 vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
49556 +#ifdef CONFIG_PAX_SEGMEXEC
49559 + vma_set_policy(new_m, pol);
49561 + if (new_m->vm_file) {
49562 + get_file(new_m->vm_file);
49563 + if (vma_m->vm_flags & VM_EXECUTABLE)
49564 + added_exe_file_vma(mm);
49567 + if (new_m->vm_ops && new_m->vm_ops->open)
49568 + new_m->vm_ops->open(new_m);
49571 + vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
49572 + ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
49574 + vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
49581 @@ -1922,6 +2232,15 @@ static int __split_vma(struct mm_struct
49582 int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
49583 unsigned long addr, int new_below)
49586 +#ifdef CONFIG_PAX_SEGMEXEC
49587 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
49588 + BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
49589 + if (mm->map_count >= sysctl_max_map_count-1)
49594 if (mm->map_count >= sysctl_max_map_count)
49597 @@ -1933,11 +2252,30 @@ int split_vma(struct mm_struct *mm, stru
49598 * work. This now handles partial unmappings.
49599 * Jeremy Fitzhardinge <jeremy@goop.org>
49601 +#ifdef CONFIG_PAX_SEGMEXEC
49602 int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
49604 + int ret = __do_munmap(mm, start, len);
49605 + if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
49608 + return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
49611 +int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
49613 +int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
49617 struct vm_area_struct *vma, *prev, *last;
49620 + * mm->mmap_sem is required to protect against another thread
49621 + * changing the mappings in case we sleep.
49623 + verify_mm_writelocked(mm);
49625 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
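Review bot: The SEGMEXEC `do_munmap()` wrapper is not atomic across the two halves. If the first `__do_munmap()` succeeds and the call on `start + SEGMEXEC_TASK_SIZE` fails, the caller gets an error even though the primary range is already gone and the mirror range is still mapped. `detach_vmas_to_be_unmapped()` has by then cleared the mirror's `vm_mirror` and `VM_EXEC`, so the leftover is not executable, but it still occupies address space. A comment on the wrapper should at least document that partial outcome; checking both ranges before changing either would avoid it.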
49628 @@ -2011,6 +2349,8 @@ int do_munmap(struct mm_struct *mm, unsi
49629 /* Fix up all other VM information */
49630 remove_vma_list(mm, vma);
49632 + track_exec_limit(mm, start, end, 0UL);
49637 @@ -2023,22 +2363,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
49639 profile_munmap(addr);
49641 +#ifdef CONFIG_PAX_SEGMEXEC
49642 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
49643 + (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
49647 down_write(&mm->mmap_sem);
49648 ret = do_munmap(mm, addr, len);
49649 up_write(&mm->mmap_sem);
49653 -static inline void verify_mm_writelocked(struct mm_struct *mm)
49655 -#ifdef CONFIG_DEBUG_VM
49656 - if (unlikely(down_read_trylock(&mm->mmap_sem))) {
49658 - up_read(&mm->mmap_sem);
49664 * this is really a simplified "do_mmap". it only handles
49665 * anonymous maps. eventually we may be able to do some
49666 @@ -2052,6 +2388,11 @@ unsigned long do_brk(unsigned long addr,
49667 struct rb_node ** rb_link, * rb_parent;
49668 pgoff_t pgoff = addr >> PAGE_SHIFT;
49670 + unsigned long charged;
49672 +#ifdef CONFIG_PAX_SEGMEXEC
49673 + struct vm_area_struct *vma_m = NULL;
49676 len = PAGE_ALIGN(len);
49678 @@ -2063,16 +2404,30 @@ unsigned long do_brk(unsigned long addr,
49680 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
49682 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
49683 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
49684 + flags &= ~VM_EXEC;
49686 +#ifdef CONFIG_PAX_MPROTECT
49687 + if (mm->pax_flags & MF_PAX_MPROTECT)
49688 + flags &= ~VM_MAYEXEC;
49694 error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
49695 if (error & ~PAGE_MASK)
49698 + charged = len >> PAGE_SHIFT;
49701 * mlock MCL_FUTURE?
49703 if (mm->def_flags & VM_LOCKED) {
49704 unsigned long locked, lock_limit;
49705 - locked = len >> PAGE_SHIFT;
49706 + locked = charged;
49707 locked += mm->locked_vm;
49708 lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
49709 lock_limit >>= PAGE_SHIFT;
49710 @@ -2089,22 +2444,22 @@ unsigned long do_brk(unsigned long addr,
49712 * Clear old maps. this also does some error checking for us
49715 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
49716 if (vma && vma->vm_start < addr + len) {
49717 if (do_munmap(mm, addr, len))
49719 - goto munmap_back;
49720 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
49721 + BUG_ON(vma && vma->vm_start < addr + len);
49724 /* Check against address space limits *after* clearing old maps... */
49725 - if (!may_expand_vm(mm, len >> PAGE_SHIFT))
49726 + if (!may_expand_vm(mm, charged))
49729 if (mm->map_count > sysctl_max_map_count)
49732 - if (security_vm_enough_memory(len >> PAGE_SHIFT))
49733 + if (security_vm_enough_memory(charged))
49736 /* Can we just expand an old private anonymous mapping? */
49737 @@ -2118,10 +2473,21 @@ unsigned long do_brk(unsigned long addr,
49739 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
49741 - vm_unacct_memory(len >> PAGE_SHIFT);
49742 + vm_unacct_memory(charged);
49746 +#ifdef CONFIG_PAX_SEGMEXEC
49747 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (flags & VM_EXEC)) {
49748 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
49750 + kmem_cache_free(vm_area_cachep, vma);
49751 + vm_unacct_memory(charged);
49758 vma->vm_start = addr;
49759 vma->vm_end = addr + len;
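Review bot: The `vma_m` allocation guarded by `(mm->pax_flags & MF_PAX_SEGMEXEC) && (flags & VM_EXEC)` looks unreachable, because the earlier `do_brk()` hunk clears `VM_EXEC` from `flags` whenever `MF_PAX_PAGEEXEC` or `MF_PAX_SEGMEXEC` is set. If it were reached, none of the `do_brk()` hunks visible here passes `vma_m` to `pax_mirror_vma()` or frees it, so the object would leak. I would drop the block and the `vma_m` local. If brk areas can legitimately be executable under SEGMEXEC, the alternative is to add `pax_mirror_vma(vma_m, vma);` after `vma_link()`, as `insert_vm_struct()` does.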
49760 @@ -2130,11 +2496,12 @@ unsigned long do_brk(unsigned long addr,
49761 vma->vm_page_prot = vm_get_page_prot(flags);
49762 vma_link(mm, vma, prev, rb_link, rb_parent);
49764 - mm->total_vm += len >> PAGE_SHIFT;
49765 + mm->total_vm += charged;
49766 if (flags & VM_LOCKED) {
49767 if (!mlock_vma_pages_range(vma, addr, addr + len))
49768 - mm->locked_vm += (len >> PAGE_SHIFT);
49769 + mm->locked_vm += charged;
49771 + track_exec_limit(mm, addr, addr + len, flags);
49775 @@ -2181,8 +2548,10 @@ void exit_mmap(struct mm_struct *mm)
49776 * Walk the list again, actually closing and freeing it,
49777 * with preemption enabled, without holding any MM locks.
49781 + vma->vm_mirror = NULL;
49782 vma = remove_vma(vma);
49785 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
49787 @@ -2196,6 +2565,10 @@ int insert_vm_struct(struct mm_struct *
49788 struct vm_area_struct * __vma, * prev;
49789 struct rb_node ** rb_link, * rb_parent;
49791 +#ifdef CONFIG_PAX_SEGMEXEC
49792 + struct vm_area_struct *vma_m = NULL;
49796 * The vm_pgoff of a purely anonymous vma should be irrelevant
49797 * until its first write fault, when page's anon_vma and index
49798 @@ -2218,7 +2591,22 @@ int insert_vm_struct(struct mm_struct *
49799 if ((vma->vm_flags & VM_ACCOUNT) &&
49800 security_vm_enough_memory_mm(mm, vma_pages(vma)))
49803 +#ifdef CONFIG_PAX_SEGMEXEC
49804 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
49805 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
49811 vma_link(mm, vma, prev, rb_link, rb_parent);
49813 +#ifdef CONFIG_PAX_SEGMEXEC
49815 + pax_mirror_vma(vma_m, vma);
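Review bot: In `insert_vm_struct()` the mirror VMA is allocated after `security_vm_enough_memory_mm()` has already charged `vma_pages(vma)`, and no uncharge is visible on the allocation-failure path. `do_brk()` in this same patch calls `vm_unacct_memory(charged)` when its `vma_m` allocation fails, so the two should agree. Either allocate `vma_m` before the accounting check, or release the charge before returning, e.g. `if (vma->vm_flags & VM_ACCOUNT) vm_unacct_memory(vma_pages(vma));`. The failure branch itself is not shown in this view, so confirm what it does.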
49821 @@ -2236,6 +2624,8 @@ struct vm_area_struct *copy_vma(struct v
49822 struct rb_node **rb_link, *rb_parent;
49823 struct mempolicy *pol;
49825 + BUG_ON(vma->vm_mirror);
49828 * If anonymous vma has not yet been faulted, update new pgoff
49829 * to match new location, to increase its chance of merging.
49830 @@ -2279,6 +2669,35 @@ struct vm_area_struct *copy_vma(struct v
49834 +#ifdef CONFIG_PAX_SEGMEXEC
49835 +void pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
49837 + struct vm_area_struct *prev_m;
49838 + struct rb_node **rb_link_m, *rb_parent_m;
49839 + struct mempolicy *pol_m;
49841 + BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
49842 + BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
49843 + BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));
49845 + pol_m = vma_policy(vma_m);
49847 + vma_set_policy(vma_m, pol_m);
49848 + vma_m->vm_start += SEGMEXEC_TASK_SIZE;
49849 + vma_m->vm_end += SEGMEXEC_TASK_SIZE;
49850 + vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
49851 + vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
49852 + if (vma_m->vm_file)
49853 + get_file(vma_m->vm_file);
49854 + if (vma_m->vm_ops && vma_m->vm_ops->open)
49855 + vma_m->vm_ops->open(vma_m);
49856 + find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
49857 + vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
49858 + vma_m->vm_mirror = vma;
49859 + vma->vm_mirror = vma_m;
49864 * Return true if the calling process may expand its vm space by the passed
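Review bot: `pax_mirror_vma()` needs a header comment, because its contract is only implied by the callers that hand it a freshly allocated `vm_area_struct`. From the body it shifts `vma_m` up by `SEGMEXEC_TASK_SIZE`, strips `VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED`, takes a file reference, calls `vm_ops->open`, links `vma_m` into the mm and cross-links `vm_mirror`, so ownership of `vma_m` passes to the mm. The comment should also state that `vma` must lie entirely below `SEGMEXEC_TASK_SIZE` and which lock the caller holds. Nothing in the function asserts the first condition; `BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);`, as already used in `split_vma()`, would match the rest of the patch.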
49866 @@ -2289,7 +2708,7 @@ int may_expand_vm(struct mm_struct *mm,
49869 lim = current->signal->rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT;
49871 + gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
49872 if (cur + npages > lim)
49875 @@ -2358,6 +2777,15 @@ int install_special_mapping(struct mm_st
49876 vma->vm_start = addr;
49877 vma->vm_end = addr + len;
49879 +#ifdef CONFIG_PAX_MPROTECT
49880 + if (mm->pax_flags & MF_PAX_MPROTECT) {
49881 + if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
49882 + vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
49884 + vm_flags &= ~(VM_WRITE | VM_MAYWRITE);
49888 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
49889 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
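Review bot: The new `CONFIG_PAX_MPROTECT` block in `install_special_mapping()` is hard to read without a comment, because `(vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC` is true for everything except an executable, non-writable request. I would add `/* MPROTECT: a special mapping is either writable or executable, never both; the MAY bit is dropped too so mprotect() cannot add the other later */` above it. The `else` between the two assignments is not shown in this view; the comment assumes the second assignment is the executable-only branch.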
49891 diff -urNp linux-2.6.33.1/mm/mprotect.c linux-2.6.33.1/mm/mprotect.c
49892 --- linux-2.6.33.1/mm/mprotect.c 2010-03-15 12:09:39.000000000 -0400
49893 +++ linux-2.6.33.1/mm/mprotect.c 2010-03-20 16:58:42.264564412 -0400
49894 @@ -24,10 +24,16 @@
49895 #include <linux/mmu_notifier.h>
49896 #include <linux/migrate.h>
49897 #include <linux/perf_event.h>
49899 +#ifdef CONFIG_PAX_MPROTECT
49900 +#include <linux/elf.h>
49903 #include <asm/uaccess.h>
49904 #include <asm/pgtable.h>
49905 #include <asm/cacheflush.h>
49906 #include <asm/tlbflush.h>
49907 +#include <asm/mmu_context.h>
49909 #ifndef pgprot_modify
49910 static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
49911 @@ -132,6 +138,48 @@ static void change_protection(struct vm_
49912 flush_tlb_range(vma, start, end);
49915 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
49916 +/* called while holding the mmap semaphor for writing except stack expansion */
49917 +void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
49919 + unsigned long oldlimit, newlimit = 0UL;
49921 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || (__supported_pte_mask & _PAGE_NX))
49924 + spin_lock(&mm->page_table_lock);
49925 + oldlimit = mm->context.user_cs_limit;
49926 + if ((prot & VM_EXEC) && oldlimit < end)
49927 + /* USER_CS limit moved up */
49929 + else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
49930 + /* USER_CS limit moved down */
49931 + newlimit = start;
49934 + mm->context.user_cs_limit = newlimit;
49938 + cpus_clear(mm->context.cpu_user_cs_mask);
49939 + cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
49942 + set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
49944 + spin_unlock(&mm->page_table_lock);
49945 + if (newlimit == end) {
49946 + struct vm_area_struct *vma = find_vma(mm, oldlimit);
49948 + for (; vma && vma->vm_start < end; vma = vma->vm_next)
49949 + if (is_vm_hugetlb_page(vma))
49950 + hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
49952 + change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
49958 mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
49959 unsigned long start, unsigned long end, unsigned long newflags)
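Review bot: The one-line comment on `track_exec_limit()` says it runs with mmap_sem held for writing "except stack expansion", but does not say what makes the stack-expansion case safe. By the comment in `expand_upwards()`, stack growth holds mmap_sem only in read mode, and `expand_downwards()` calls this function before `anon_vma_unlock(vma)`. `page_table_lock` covers the update of `mm->context.user_cs_limit`, yet the `find_vma()` walk and the `change_protection()` calls run after `spin_unlock()`. The comment should either explain why that walk cannot be reached from stack growth or name the lock that protects it. While there, "semaphor" should read "semaphore", and the parameter `prot` is tested against `VM_EXEC`, so it carries vm_flags and would be clearer under that name.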
49960 @@ -144,6 +192,14 @@ mprotect_fixup(struct vm_area_struct *vm
49962 int dirty_accountable = 0;
49964 +#ifdef CONFIG_PAX_SEGMEXEC
49965 + struct vm_area_struct *vma_m = NULL;
49966 + unsigned long start_m, end_m;
49968 + start_m = start + SEGMEXEC_TASK_SIZE;
49969 + end_m = end + SEGMEXEC_TASK_SIZE;
49972 if (newflags == oldflags) {
49975 @@ -165,6 +221,38 @@ mprotect_fixup(struct vm_area_struct *vm
49979 +#ifdef CONFIG_PAX_SEGMEXEC
49980 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ((oldflags ^ newflags) & VM_EXEC)) {
49981 + if (start != vma->vm_start) {
49982 + error = split_vma(mm, vma, start, 1);
49985 + BUG_ON(!*pprev || (*pprev)->vm_next == vma);
49986 + *pprev = (*pprev)->vm_next;
49989 + if (end != vma->vm_end) {
49990 + error = split_vma(mm, vma, end, 0);
49995 + if (pax_find_mirror_vma(vma)) {
49996 + error = __do_munmap(mm, start_m, end_m - start_m);
50000 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
50005 + vma->vm_flags = newflags;
50006 + pax_mirror_vma(vma_m, vma);
50012 * First try to merge with previous and/or next vma.
50014 @@ -196,8 +284,14 @@ success:
50015 * held in write mode.
50017 vma->vm_flags = newflags;
50019 +#ifdef CONFIG_PAX_MPROTECT
50020 + if (mm->binfmt && mm->binfmt->handle_mprotect)
50021 + mm->binfmt->handle_mprotect(vma, newflags);
50024 vma->vm_page_prot = pgprot_modify(vma->vm_page_prot,
50025 - vm_get_page_prot(newflags));
50026 + vm_get_page_prot(vma->vm_flags));
50028 if (vma_wants_writenotify(vma)) {
50029 vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
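Review bot: The `vma_wants_writenotify()` branch still computes `vm_get_page_prot(newflags & ~VM_SHARED)`, while the assignment just above it was switched to `vma->vm_flags` so that it reflects whatever `handle_mprotect()` changed. If the binfmt hook can alter protection-relevant bits, which the switch to `vma->vm_flags` suggests, the write-notify path discards that adjustment. That line should read `vma->vm_page_prot = vm_get_page_prot(vma->vm_flags & ~VM_SHARED);`. The rest of `mprotect_fixup()` lies outside this hunk.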
50030 @@ -238,6 +332,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
50035 +#ifdef CONFIG_PAX_SEGMEXEC
50036 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
50037 + if (end > SEGMEXEC_TASK_SIZE)
50042 + if (end > TASK_SIZE)
50045 if (!arch_validate_prot(prot))
50048 @@ -245,7 +350,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
50050 * Does the application expect PROT_READ to imply PROT_EXEC:
50052 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
50053 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
50056 vm_flags = calc_vm_prot_bits(prot);
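Review bot: The comment above the condition still reads "Does the application expect PROT_READ to imply PROT_EXEC", but the test now fires for `PROT_WRITE` as well, so a write-only request under `READ_IMPLIES_EXEC` is treated the same way. That widens the set of mappings that can end up both writable and executable for such personalities, so the reason for including `PROT_WRITE` belongs in the comment. If the reason is that write access implies read access on the supported architectures, say so: `* Does the application expect PROT_READ (or PROT_WRITE, which implies it) to imply PROT_EXEC:`. The statement that adds `PROT_EXEC` is not shown in this view.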
50057 @@ -277,6 +382,16 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
50058 if (start > vma->vm_start)
50061 + if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
50066 +#ifdef CONFIG_PAX_MPROTECT
50067 + if (current->mm->binfmt && current->mm->binfmt->handle_mprotect)
50068 + current->mm->binfmt->handle_mprotect(vma, vm_flags);
50071 for (nstart = start ; ; ) {
50072 unsigned long newflags;
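Review bot: `gr_acl_handle_mprotect(vma->vm_file, prot)` is evaluated once, on the first VMA, before the `for (nstart = start ; ; )` loop, so when the requested range spans several VMAs only the file backing the first one is checked against the policy. The `handle_mprotect(vma, vm_flags)` call added next to it has the same shape, although `mprotect_fixup()` invokes that hook again per VMA. Moving the ACL test into the loop body would make the decision apply to every mapping that is changed. The loop body is outside this hunk, so this assumes it advances `vma` across the range, as the `prev->vm_end` test in the next hunk indicates.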
50074 @@ -301,6 +416,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
50077 perf_event_mmap(vma);
50079 + track_exec_limit(current->mm, nstart, tmp, vm_flags);
50083 if (nstart < prev->vm_end)
50084 diff -urNp linux-2.6.33.1/mm/mremap.c linux-2.6.33.1/mm/mremap.c
50085 --- linux-2.6.33.1/mm/mremap.c 2010-03-15 12:09:39.000000000 -0400
50086 +++ linux-2.6.33.1/mm/mremap.c 2010-03-20 16:58:42.264564412 -0400
50087 @@ -114,6 +114,12 @@ static void move_ptes(struct vm_area_str
50089 pte = ptep_clear_flush(vma, old_addr, old_pte);
50090 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
50092 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
50093 + if (!(__supported_pte_mask & _PAGE_NX) && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
50094 + pte = pte_exprotect(pte);
50097 set_pte_at(mm, new_addr, new_pte, pte);
50100 @@ -273,6 +279,11 @@ static struct vm_area_struct *vma_to_res
50101 if (is_vm_hugetlb_page(vma))
50104 +#ifdef CONFIG_PAX_SEGMEXEC
50105 + if (pax_find_mirror_vma(vma))
50109 /* We can't remap across vm area boundaries */
50110 if (old_len > vma->vm_end - addr)
50112 @@ -322,20 +333,23 @@ static unsigned long mremap_to(unsigned
50113 unsigned long ret = -EINVAL;
50114 unsigned long charged = 0;
50115 unsigned long map_flags;
50116 + unsigned long pax_task_size = TASK_SIZE;
50118 if (new_addr & ~PAGE_MASK)
50121 - if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
50122 +#ifdef CONFIG_PAX_SEGMEXEC
50123 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
50124 + pax_task_size = SEGMEXEC_TASK_SIZE;
50127 + if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)
50130 /* Check if the location we're moving into overlaps the
50131 * old location at all, and fail if it does.
50133 - if ((new_addr <= addr) && (new_addr+new_len) > addr)
50136 - if ((addr <= new_addr) && (addr+old_len) > new_addr)
50137 + if (addr + old_len > new_addr && new_addr + new_len > addr)
50140 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
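Review bot: The new bound in `mremap_to()` mixes two limits: `new_len > TASK_SIZE || new_addr > pax_task_size - new_len`. With SEGMEXEC active, a `new_len` between `SEGMEXEC_TASK_SIZE` and `TASK_SIZE` passes the first test and makes `pax_task_size - new_len` wrap, so the second test no longer bounds `new_addr`. `do_mremap()` checks `new_len > pax_task_size` before calling in, which masks this today, but the helper should be self-consistent: `if (new_len > pax_task_size || new_addr > pax_task_size - new_len)`.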
50141 @@ -407,6 +421,7 @@ unsigned long do_mremap(unsigned long ad
50142 struct vm_area_struct *vma;
50143 unsigned long ret = -EINVAL;
50144 unsigned long charged = 0;
50145 + unsigned long pax_task_size = TASK_SIZE;
50147 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
50149 @@ -425,6 +440,15 @@ unsigned long do_mremap(unsigned long ad
50153 +#ifdef CONFIG_PAX_SEGMEXEC
50154 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
50155 + pax_task_size = SEGMEXEC_TASK_SIZE;
50158 + if (new_len > pax_task_size || addr > pax_task_size-new_len ||
50159 + old_len > pax_task_size || addr > pax_task_size-old_len)
50162 if (flags & MREMAP_FIXED) {
50163 if (flags & MREMAP_MAYMOVE)
50164 ret = mremap_to(addr, old_len, new_addr, new_len);
50165 @@ -471,6 +495,7 @@ unsigned long do_mremap(unsigned long ad
50169 + track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
50173 @@ -497,7 +522,13 @@ unsigned long do_mremap(unsigned long ad
50174 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
50178 + map_flags = vma->vm_flags;
50179 ret = move_vma(vma, addr, old_len, new_len, new_addr);
50180 + if (!(ret & ~PAGE_MASK)) {
50181 + track_exec_limit(current->mm, addr, addr + old_len, 0UL);
50182 + track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
50186 if (ret & ~PAGE_MASK)
50187 diff -urNp linux-2.6.33.1/mm/nommu.c linux-2.6.33.1/mm/nommu.c
50188 --- linux-2.6.33.1/mm/nommu.c 2010-03-15 12:09:39.000000000 -0400
50189 +++ linux-2.6.33.1/mm/nommu.c 2010-03-20 16:58:42.268525965 -0400
50190 @@ -759,15 +759,6 @@ struct vm_area_struct *find_vma(struct m
50191 EXPORT_SYMBOL(find_vma);
50195 - * - we don't extend stack VMAs under NOMMU conditions
50197 -struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
50199 - return find_vma(mm, addr);
50203 * expand a stack to a given address
50204 * - not supported under NOMMU conditions
50206 diff -urNp linux-2.6.33.1/mm/page_alloc.c linux-2.6.33.1/mm/page_alloc.c
50207 --- linux-2.6.33.1/mm/page_alloc.c 2010-03-15 12:09:39.000000000 -0400
50208 +++ linux-2.6.33.1/mm/page_alloc.c 2010-03-20 16:58:42.272540377 -0400
50209 @@ -583,6 +583,10 @@ static void __free_pages_ok(struct page
50211 int wasMlocked = __TestClearPageMlocked(page);
50213 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
50214 + unsigned long index = 1UL << order;
50217 kmemcheck_free_shadow(page, order);
50219 for (i = 0 ; i < (1 << order) ; ++i)
50220 @@ -595,6 +599,12 @@ static void __free_pages_ok(struct page
50221 debug_check_no_obj_freed(page_address(page),
50222 PAGE_SIZE << order);
50225 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
50226 + for (; index; --index)
50227 + sanitize_highpage(page + index - 1);
50230 arch_free_page(page, order);
50231 kernel_map_pages(page, 1 << order, 0);
50233 @@ -698,8 +708,10 @@ static int prep_new_page(struct page *pa
50234 arch_alloc_page(page, order);
50235 kernel_map_pages(page, 1 << order, 1);
50237 +#ifndef CONFIG_PAX_MEMORY_SANITIZE
50238 if (gfp_flags & __GFP_ZERO)
50239 prep_zero_page(page, order, gfp_flags);
50242 if (order && (gfp_flags & __GFP_COMP))
50243 prep_compound_page(page, order);
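Review bot: Compiling out the `__GFP_ZERO` clearing in `prep_new_page()` makes every zeroed allocation depend on the page having been sanitized when it was freed, and that invariant is not stated near the `#ifndef`. The hunks here add `sanitize_highpage()` to `__free_pages_ok()` and `free_hot_cold_page()`. Any other route by which a page reaches the free lists, boot-time memory release for instance, would hand stale contents to a caller that asked for zeroes. A comment such as `/* pages are cleared on free under PAX_MEMORY_SANITIZE; every path into the free lists must sanitize */` should sit above the `#ifndef`, and it is worth confirming that no unsanitized path exists.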
50244 @@ -1093,6 +1105,11 @@ static void free_hot_cold_page(struct pa
50245 debug_check_no_locks_freed(page_address(page), PAGE_SIZE);
50246 debug_check_no_obj_freed(page_address(page), PAGE_SIZE);
50249 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
50250 + sanitize_highpage(page);
50253 arch_free_page(page, 0);
50254 kernel_map_pages(page, 1, 0);
50256 diff -urNp linux-2.6.33.1/mm/percpu.c linux-2.6.33.1/mm/percpu.c
50257 --- linux-2.6.33.1/mm/percpu.c 2010-03-15 12:09:39.000000000 -0400
50258 +++ linux-2.6.33.1/mm/percpu.c 2010-03-20 16:58:42.272540377 -0400
50259 @@ -114,7 +114,7 @@ static unsigned int pcpu_first_unit_cpu
50260 static unsigned int pcpu_last_unit_cpu __read_mostly;
50262 /* the address of the first chunk which starts with the kernel static area */
50263 -void *pcpu_base_addr __read_mostly;
50264 +void *pcpu_base_addr __read_only;
50265 EXPORT_SYMBOL_GPL(pcpu_base_addr);
50267 static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
50268 diff -urNp linux-2.6.33.1/mm/rmap.c linux-2.6.33.1/mm/rmap.c
50269 --- linux-2.6.33.1/mm/rmap.c 2010-03-15 12:09:39.000000000 -0400
50270 +++ linux-2.6.33.1/mm/rmap.c 2010-03-20 16:58:42.272540377 -0400
50271 @@ -109,6 +109,10 @@ int anon_vma_prepare(struct vm_area_stru
50272 struct mm_struct *mm = vma->vm_mm;
50273 struct anon_vma *allocated;
50275 +#ifdef CONFIG_PAX_SEGMEXEC
50276 + struct vm_area_struct *vma_m;
50279 anon_vma = find_mergeable_anon_vma(vma);
50282 @@ -122,6 +126,15 @@ int anon_vma_prepare(struct vm_area_stru
50283 /* page_table_lock to protect against threads */
50284 spin_lock(&mm->page_table_lock);
50285 if (likely(!vma->anon_vma)) {
50287 +#ifdef CONFIG_PAX_SEGMEXEC
50288 + vma_m = pax_find_mirror_vma(vma);
50290 + vma_m->anon_vma = anon_vma;
50291 + __anon_vma_link(vma_m);
50295 vma->anon_vma = anon_vma;
50296 list_add_tail(&vma->anon_vma_node, &anon_vma->head);
50298 diff -urNp linux-2.6.33.1/mm/shmem.c linux-2.6.33.1/mm/shmem.c
50299 --- linux-2.6.33.1/mm/shmem.c 2010-03-15 12:09:39.000000000 -0400
50300 +++ linux-2.6.33.1/mm/shmem.c 2010-03-20 16:58:42.272540377 -0400
50302 #include <linux/module.h>
50303 #include <linux/swap.h>
50305 -static struct vfsmount *shm_mnt;
50306 +struct vfsmount *shm_mnt;
50308 #ifdef CONFIG_SHMEM
50310 diff -urNp linux-2.6.33.1/mm/slab.c linux-2.6.33.1/mm/slab.c
50311 --- linux-2.6.33.1/mm/slab.c 2010-03-15 12:09:39.000000000 -0400
50312 +++ linux-2.6.33.1/mm/slab.c 2010-03-20 16:58:42.276578221 -0400
50313 @@ -308,7 +308,7 @@ struct kmem_list3 {
50314 * Need this for bootstrapping a per node allocator.
50316 #define NUM_INIT_LISTS (3 * MAX_NUMNODES)
50317 -struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
50318 +struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
50319 #define CACHE_CACHE 0
50320 #define SIZE_AC MAX_NUMNODES
50321 #define SIZE_L3 (2 * MAX_NUMNODES)
50322 @@ -558,7 +558,7 @@ static inline void *index_to_obj(struct
50323 * reciprocal_divide(offset, cache->reciprocal_buffer_size)
50325 static inline unsigned int obj_to_index(const struct kmem_cache *cache,
50326 - const struct slab *slab, void *obj)
50327 + const struct slab *slab, const void *obj)
50329 u32 offset = (obj - slab->s_mem);
50330 return reciprocal_divide(offset, cache->reciprocal_buffer_size);
50331 @@ -584,14 +584,14 @@ struct cache_names {
50332 static struct cache_names __initdata cache_names[] = {
50333 #define CACHE(x) { .name = "size-" #x, .name_dma = "size-" #x "(DMA)" },
50334 #include <linux/kmalloc_sizes.h>
50340 static struct arraycache_init initarray_cache __initdata =
50341 - { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
50342 + { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
50343 static struct arraycache_init initarray_generic =
50344 - { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
50345 + { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
50347 /* internal cache of cache description objs */
50348 static struct kmem_cache cache_cache = {
50349 @@ -4104,7 +4104,7 @@ out:
50350 schedule_delayed_work(work, round_jiffies_relative(REAPTIMEOUT_CPUC));
50353 -#ifdef CONFIG_SLABINFO
50354 +#if defined(CONFIG_SLABINFO) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
50356 static void print_slabinfo_header(struct seq_file *m)
50358 @@ -4502,6 +4502,51 @@ static int __init slab_proc_init(void)
50359 module_init(slab_proc_init);
50362 +void check_object_size(const void *ptr, unsigned long n, bool to)
50365 +#ifdef CONFIG_PAX_USERCOPY
50366 + struct kmem_cache *cachep;
50367 + struct slab *slabp;
50368 + struct page *page;
50369 + unsigned int objnr;
50370 + unsigned long offset;
50375 + if (ZERO_OR_NULL_PTR(ptr))
50378 + if (!virt_addr_valid(ptr))
50381 + page = virt_to_head_page(ptr);
50383 + if (!PageSlab(page)) {
50384 + if (object_is_on_stack(ptr, n) == -1)
50389 + cachep = page_get_cache(page);
50390 + slabp = page_get_slab(page);
50391 + objnr = obj_to_index(cachep, slabp, ptr);
50392 + BUG_ON(objnr >= cachep->num);
50393 + offset = ptr - index_to_obj(cachep, slabp, objnr) - obj_offset(cachep);
50394 + if (offset <= obj_size(cachep) && n <= obj_size(cachep) - offset)
50399 + pax_report_leak_to_user(ptr, n);
50401 + pax_report_overflow_from_user(ptr, n);
50405 +EXPORT_SYMBOL(check_object_size);
50408 * ksize - get the actual amount of memory allocated for a given object
50409 * @objp: Pointer to the object
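Review bot: `check_object_size()` is exported and carries the USERCOPY bounds check, yet it has no comment describing what it covers. From the body, `to` selects which report is issued (`pax_report_leak_to_user` when true, `pax_report_overflow_from_user` otherwise), slab objects are checked against `obj_size(cachep)`, and non-slab pages are only checked through `object_is_on_stack()`. Pointers that fail `virt_addr_valid()` appear to be accepted without any check, which deserves an explicit line so callers do not assume such buffers are covered. A kernel-doc block with `@ptr`, `@n`, `@to` and these cases would do; several short lines of the function (returns and labels) are not shown in this view.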
50410 diff -urNp linux-2.6.33.1/mm/slob.c linux-2.6.33.1/mm/slob.c
50411 --- linux-2.6.33.1/mm/slob.c 2010-03-15 12:09:39.000000000 -0400
50412 +++ linux-2.6.33.1/mm/slob.c 2010-03-20 16:58:42.276578221 -0400
50414 * If kmalloc is asked for objects of PAGE_SIZE or larger, it calls
50415 * alloc_pages() directly, allocating compound pages so the page order
50416 * does not have to be separately tracked, and also stores the exact
50417 - * allocation size in page->private so that it can be used to accurately
50418 + * allocation size in slob_page->size so that it can be used to accurately
50419 * provide ksize(). These objects are detected in kfree() because slob_page()
50420 * is false for them.
50425 #include <linux/kernel.h>
50426 +#include <linux/sched.h>
50427 #include <linux/slab.h>
50428 #include <linux/mm.h>
50429 #include <linux/swap.h> /* struct reclaim_state */
50430 @@ -100,7 +101,8 @@ struct slob_page {
50431 unsigned long flags; /* mandatory */
50432 atomic_t _count; /* mandatory */
50433 slobidx_t units; /* free units left in page */
50434 - unsigned long pad[2];
50435 + unsigned long pad[1];
50436 + unsigned long size; /* size when >=PAGE_SIZE */
50437 slob_t *free; /* first free slob_t in page */
50438 struct list_head list; /* linked list of free pages */
50440 @@ -133,7 +135,7 @@ static LIST_HEAD(free_slob_large);
50442 static inline int is_slob_page(struct slob_page *sp)
50444 - return PageSlab((struct page *)sp);
50445 + return PageSlab((struct page *)sp) && !sp->size;
50448 static inline void set_slob_page(struct slob_page *sp)
50449 @@ -148,7 +150,7 @@ static inline void clear_slob_page(struc
50451 static inline struct slob_page *slob_page(const void *addr)
50453 - return (struct slob_page *)virt_to_page(addr);
50454 + return (struct slob_page *)virt_to_head_page(addr);
50458 @@ -208,7 +210,7 @@ static void set_slob(slob_t *s, slobidx_
50460 * Return the size of a slob block.
50462 -static slobidx_t slob_units(slob_t *s)
50463 +static slobidx_t slob_units(const slob_t *s)
50467 @@ -218,7 +220,7 @@ static slobidx_t slob_units(slob_t *s)
50469 * Return the next free slob block pointer after this one.
50471 -static slob_t *slob_next(slob_t *s)
50472 +static slob_t *slob_next(const slob_t *s)
50474 slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
50476 @@ -233,7 +235,7 @@ static slob_t *slob_next(slob_t *s)
50478 * Returns true if s is the last free block in its page.
50480 -static int slob_last(slob_t *s)
50481 +static int slob_last(const slob_t *s)
50483 return !((unsigned long)slob_next(s) & ~PAGE_MASK);
50485 @@ -252,6 +254,7 @@ static void *slob_new_pages(gfp_t gfp, i
50489 + set_slob_page(page);
50490 return page_address(page);
50493 @@ -368,11 +371,11 @@ static void *slob_alloc(size_t size, gfp
50497 - set_slob_page(sp);
50499 spin_lock_irqsave(&slob_lock, flags);
50500 sp->units = SLOB_UNITS(PAGE_SIZE);
50503 INIT_LIST_HEAD(&sp->list);
50504 set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
50505 set_slob_page_free(sp, slob_list);
50506 @@ -475,10 +478,9 @@ out:
50507 #define ARCH_SLAB_MINALIGN __alignof__(unsigned long)
50510 -void *__kmalloc_node(size_t size, gfp_t gfp, int node)
50511 +static void *__kmalloc_node_align(size_t size, gfp_t gfp, int node, int align)
50514 - int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
50518 lockdep_trace_alloc(gfp);
50519 @@ -491,7 +493,10 @@ void *__kmalloc_node(size_t size, gfp_t
50524 + BUILD_BUG_ON(ARCH_KMALLOC_MINALIGN < 2 * SLOB_UNIT);
50525 + BUILD_BUG_ON(ARCH_SLAB_MINALIGN < 2 * SLOB_UNIT);
50526 + m[0].units = size;
50527 + m[1].units = align;
50528 ret = (void *)m + align;
50530 trace_kmalloc_node(_RET_IP_, ret,
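Review bot: The two `BUILD_BUG_ON` lines only constrain the compile-time constants, but `align` is now a caller-supplied parameter of `__kmalloc_node_align()` and `ret = (void *)m + align` places the object directly behind the two header slots. If a caller passed an `align` smaller than `2 * SLOB_UNIT`, `m[1].units` would overlap the returned object; a later hunk passes `c->align`, whose lower bound is set outside the visible lines. A runtime guard such as `BUG_ON(align < 2 * SLOB_UNIT);` next to the build-time checks, or a comment stating the invariant, would make the assumption explicit. The function body starts and ends outside this hunk.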
50531 @@ -501,9 +506,9 @@ void *__kmalloc_node(size_t size, gfp_t
50533 ret = slob_new_pages(gfp | __GFP_COMP, get_order(size), node);
50535 - struct page *page;
50536 - page = virt_to_page(ret);
50537 - page->private = size;
50538 + struct slob_page *sp;
50539 + sp = slob_page(ret);
50543 trace_kmalloc_node(_RET_IP_, ret,
50544 @@ -513,6 +518,13 @@ void *__kmalloc_node(size_t size, gfp_t
50545 kmemleak_alloc(ret, size, 1, gfp);
50549 +void *__kmalloc_node(size_t size, gfp_t gfp, int node)
50551 + int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
50553 + return __kmalloc_node_align(size, gfp, node, align);
50555 EXPORT_SYMBOL(__kmalloc_node);
50557 void kfree(const void *block)
50558 @@ -528,13 +540,84 @@ void kfree(const void *block)
50559 sp = slob_page(block);
50560 if (is_slob_page(sp)) {
50561 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
50562 - unsigned int *m = (unsigned int *)(block - align);
50563 - slob_free(m, *m + align);
50565 + slob_t *m = (slob_t *)(block - align);
50566 + slob_free(m, m[0].units + align);
50568 + clear_slob_page(sp);
50569 + free_slob_page(sp);
50571 put_page(&sp->page);
50574 EXPORT_SYMBOL(kfree);
50576 +void check_object_size(const void *ptr, unsigned long n, bool to)
50579 +#ifdef CONFIG_PAX_USERCOPY
50580 + struct slob_page *sp;
50581 + const slob_t *free;
50582 + const void *base;
50587 + if (ZERO_OR_NULL_PTR(ptr))
50590 + if (!virt_addr_valid(ptr))
50593 + sp = slob_page(ptr);
50594 + if (!PageSlab((struct page*)sp)) {
50595 + if (object_is_on_stack(ptr, n) == -1)
50601 + base = page_address(&sp->page);
50602 + if (base <= ptr && n <= sp->size - (ptr - base))
50607 + /* some tricky double walking to find the chunk */
50608 + base = (void *)((unsigned long)ptr & PAGE_MASK);
50611 + while (!slob_last(free) && (void *)free <= ptr) {
50612 + base = free + slob_units(free);
50613 + free = slob_next(free);
50616 + while (base < (void *)free) {
50617 + slobidx_t m = ((slob_t *)base)[0].units, align = ((slob_t *)base)[1].units;
50618 + int size = SLOB_UNIT * SLOB_UNITS(m + align);
50621 + if (ptr < base + align)
50624 + offset = ptr - base - align;
50625 + if (offset < m) {
50626 + if (n <= m - offset)
50635 + pax_report_leak_to_user(ptr, n);
50637 + pax_report_overflow_from_user(ptr, n);
50641 +EXPORT_SYMBOL(check_object_size);
50643 /* can't use ksize for kmem_cache_alloc memory, only kmalloc */
50644 size_t ksize(const void *block)
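Review bot: In the slob `check_object_size()` added here, the large-object test `if (base <= ptr && n <= sp->size - (ptr - base))` puts no upper bound on `ptr - base`. `sp->size` is `unsigned long`, so when `ptr` lies beyond `base + sp->size` the subtraction wraps and any `n` passes the check. The slab and slub versions guard the equivalent case with `offset <= obj_size(cachep)` and `offset <= s->objsize`; the same is needed here, `if (base <= ptr && (unsigned long)(ptr - base) <= sp->size && n <= sp->size - (ptr - base))`. Several lines of the function are missing from the visible text, so confirm that no earlier check already excludes this case.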
50646 @@ -547,10 +630,10 @@ size_t ksize(const void *block)
50647 sp = slob_page(block);
50648 if (is_slob_page(sp)) {
50649 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
50650 - unsigned int *m = (unsigned int *)(block - align);
50651 - return SLOB_UNITS(*m) * SLOB_UNIT;
50652 + slob_t *m = (slob_t *)(block - align);
50653 + return SLOB_UNITS(m[0].units) * SLOB_UNIT;
50655 - return sp->page.private;
50658 EXPORT_SYMBOL(ksize);
50660 @@ -605,17 +688,25 @@ void *kmem_cache_alloc_node(struct kmem_
50664 +#ifdef CONFIG_PAX_USERCOPY
50665 + b = __kmalloc_node_align(c->size, flags, node, c->align);
50667 if (c->size < PAGE_SIZE) {
50668 b = slob_alloc(c->size, flags, c->align, node);
50669 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
50670 SLOB_UNITS(c->size) * SLOB_UNIT,
50673 + struct slob_page *sp;
50675 b = slob_new_pages(flags, get_order(c->size), node);
50676 + sp = slob_page(b);
50677 + sp->size = c->size;
50678 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
50679 PAGE_SIZE << get_order(c->size),
50686 @@ -627,10 +718,16 @@ EXPORT_SYMBOL(kmem_cache_alloc_node);
50688 static void __kmem_cache_free(void *b, int size)
50690 - if (size < PAGE_SIZE)
50691 + struct slob_page *sp = slob_page(b);
50693 + if (is_slob_page(sp))
50694 slob_free(b, size);
50697 + clear_slob_page(sp);
50698 + free_slob_page(sp);
50700 slob_free_pages(b, get_order(size));
50704 static void kmem_rcu_free(struct rcu_head *head)
50705 @@ -643,15 +740,24 @@ static void kmem_rcu_free(struct rcu_hea
50707 void kmem_cache_free(struct kmem_cache *c, void *b)
50709 + int size = c->size;
50711 +#ifdef CONFIG_PAX_USERCOPY
50712 + if (size + c->align < PAGE_SIZE) {
50713 + size += c->align;
50718 kmemleak_free_recursive(b, c->flags);
50719 if (unlikely(c->flags & SLAB_DESTROY_BY_RCU)) {
50720 struct slob_rcu *slob_rcu;
50721 - slob_rcu = b + (c->size - sizeof(struct slob_rcu));
50722 + slob_rcu = b + (size - sizeof(struct slob_rcu));
50723 INIT_RCU_HEAD(&slob_rcu->head);
50724 - slob_rcu->size = c->size;
50725 + slob_rcu->size = size;
50726 call_rcu(&slob_rcu->head, kmem_rcu_free);
50728 - __kmem_cache_free(b, c->size);
50729 + __kmem_cache_free(b, size);
50732 trace_kmem_cache_free(_RET_IP_, b);
50733 diff -urNp linux-2.6.33.1/mm/slub.c linux-2.6.33.1/mm/slub.c
50734 --- linux-2.6.33.1/mm/slub.c 2010-03-15 12:09:39.000000000 -0400
50735 +++ linux-2.6.33.1/mm/slub.c 2010-03-20 16:58:42.280534479 -0400
50736 @@ -1893,6 +1893,8 @@ void kmem_cache_free(struct kmem_cache *
50738 page = virt_to_head_page(x);
50740 + BUG_ON(!PageSlab(page));
50742 slab_free(s, page, x, _RET_IP_);
50744 trace_kmem_cache_free(_RET_IP_, x);
50745 @@ -1937,7 +1939,7 @@ static int slub_min_objects;
50746 * Merge control. If this is set then no merging of slab caches will occur.
50747 * (Could be removed. This was introduced to pacify the merge skeptics.)
50749 -static int slub_nomerge;
50750 +static int slub_nomerge = 1;
50753 * Calculate the order of allocation given an slab object size.
50754 @@ -2493,7 +2495,7 @@ static int kmem_cache_open(struct kmem_c
50755 * list to avoid pounding the page allocator excessively.
50757 set_min_partial(s, ilog2(s->size));
50759 + atomic_set(&s->refcount, 1);
50761 s->remote_node_defrag_ratio = 1000;
50763 @@ -2630,8 +2632,7 @@ static inline int kmem_cache_close(struc
50764 void kmem_cache_destroy(struct kmem_cache *s)
50766 down_write(&slub_lock);
50768 - if (!s->refcount) {
50769 + if (atomic_dec_and_test(&s->refcount)) {
50770 list_del(&s->list);
50771 up_write(&slub_lock);
50772 if (kmem_cache_close(s)) {
50773 @@ -2915,6 +2916,46 @@ void *__kmalloc_node(size_t size, gfp_t
50774 EXPORT_SYMBOL(__kmalloc_node);
50777 +void check_object_size(const void *ptr, unsigned long n, bool to)
50780 +#ifdef CONFIG_PAX_USERCOPY
50781 + struct page *page;
50782 + struct kmem_cache *s;
50783 + unsigned long offset;
50788 + if (ZERO_OR_NULL_PTR(ptr))
50791 + if (!virt_addr_valid(ptr))
50794 + page = get_object_page(ptr);
50797 + if (object_is_on_stack(ptr, n) == -1)
50803 + offset = (ptr - page_address(page)) % s->size;
50804 + if (offset <= s->objsize && n <= s->objsize - offset)
50809 + pax_report_leak_to_user(ptr, n);
50811 + pax_report_overflow_from_user(ptr, n);
50815 +EXPORT_SYMBOL(check_object_size);
50817 size_t ksize(const void *object)
50820 @@ -3186,7 +3227,7 @@ void __init kmem_cache_init(void)
50822 create_kmalloc_cache(&kmalloc_caches[0], "kmem_cache_node",
50823 sizeof(struct kmem_cache_node), GFP_NOWAIT);
50824 - kmalloc_caches[0].refcount = -1;
50825 + atomic_set(&kmalloc_caches[0].refcount, -1);
50828 hotplug_memory_notifier(slab_memory_callback, SLAB_CALLBACK_PRI);
50829 @@ -3293,7 +3334,7 @@ static int slab_unmergeable(struct kmem_
50831 * We may have set a slab to be unmergeable during bootstrap.
50833 - if (s->refcount < 0)
50834 + if (atomic_read(&s->refcount) < 0)
50838 @@ -3353,7 +3394,7 @@ struct kmem_cache *kmem_cache_create(con
50843 + atomic_inc(&s->refcount);
50845 * Adjust the object sizes so that we clear
50846 * the complete object on kzalloc.
50847 @@ -3372,7 +3413,7 @@ struct kmem_cache *kmem_cache_create(con
50849 if (sysfs_slab_alias(s, name)) {
50850 down_write(&slub_lock);
50852 + atomic_dec(&s->refcount);
50853 up_write(&slub_lock);
50856 @@ -4101,7 +4142,7 @@ SLAB_ATTR_RO(ctor);
50858 static ssize_t aliases_show(struct kmem_cache *s, char *buf)
50860 - return sprintf(buf, "%d\n", s->refcount - 1);
50861 + return sprintf(buf, "%d\n", atomic_read(&s->refcount) - 1);
50863 SLAB_ATTR_RO(aliases);
50865 @@ -4519,7 +4560,7 @@ static void kmem_cache_release(struct ko
50869 -static struct sysfs_ops slab_sysfs_ops = {
50870 +static const struct sysfs_ops slab_sysfs_ops = {
50871 .show = slab_attr_show,
50872 .store = slab_attr_store,
50874 @@ -4538,7 +4579,7 @@ static int uevent_filter(struct kset *ks
50878 -static struct kset_uevent_ops slab_uevent_ops = {
50879 +static const struct kset_uevent_ops slab_uevent_ops = {
50880 .filter = uevent_filter,
50883 @@ -4712,7 +4753,7 @@ __initcall(slab_sysfs_init);
50885 * The /proc/slabinfo ABI
50887 -#ifdef CONFIG_SLABINFO
50888 +#if defined(CONFIG_SLABINFO) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
50889 static void print_slabinfo_header(struct seq_file *m)
50891 seq_puts(m, "slabinfo - version: 2.1\n");
50892 diff -urNp linux-2.6.33.1/mm/util.c linux-2.6.33.1/mm/util.c
50893 --- linux-2.6.33.1/mm/util.c 2010-03-15 12:09:39.000000000 -0400
50894 +++ linux-2.6.33.1/mm/util.c 2010-03-20 16:58:42.280534479 -0400
50895 @@ -224,6 +224,12 @@ EXPORT_SYMBOL(strndup_user);
50896 void arch_pick_mmap_layout(struct mm_struct *mm)
50898 mm->mmap_base = TASK_UNMAPPED_BASE;
50900 +#ifdef CONFIG_PAX_RANDMMAP
50901 + if (mm->pax_flags & MF_PAX_RANDMMAP)
50902 + mm->mmap_base += mm->delta_mmap;
50905 mm->get_unmapped_area = arch_get_unmapped_area;
50906 mm->unmap_area = arch_unmap_area;
50908 diff -urNp linux-2.6.33.1/mm/vmalloc.c linux-2.6.33.1/mm/vmalloc.c
50909 --- linux-2.6.33.1/mm/vmalloc.c 2010-03-15 12:09:39.000000000 -0400
50910 +++ linux-2.6.33.1/mm/vmalloc.c 2010-03-20 16:58:42.280534479 -0400
50911 @@ -40,8 +40,19 @@ static void vunmap_pte_range(pmd_t *pmd,
50913 pte = pte_offset_kernel(pmd, addr);
50915 - pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
50916 - WARN_ON(!pte_none(ptent) && !pte_present(ptent));
50918 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
50919 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr < (unsigned long)MODULES_EXEC_END) {
50920 + BUG_ON(!pte_exec(*pte));
50921 + set_pte_at(&init_mm, addr, pte, pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
50927 + pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
50928 + WARN_ON(!pte_none(ptent) && !pte_present(ptent));
50930 } while (pte++, addr += PAGE_SIZE, addr != end);
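Review bot: The branch for `MODULES_EXEC_VADDR <= addr < MODULES_EXEC_END` rewrites the entry with `set_pte_at(&init_mm, addr, pte, pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC))` instead of clearing it, and no comment explains why an unmap path leaves an executable mapping in place. A reader auditing W^X guarantees needs that invariant stated; I would add above the `BUG_ON` something like `/* module exec range: restore the linear executable mapping instead of clearing the PTE */`, with the wording confirmed by the author since the rationale is inferred. It is also worth saying in that comment why `BUG_ON(!pte_exec(*pte))` is preferred to a `WARN_ON` here. The loop body is only partly visible in this hunk.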
50933 @@ -92,6 +103,7 @@ static int vmap_pte_range(pmd_t *pmd, un
50934 unsigned long end, pgprot_t prot, struct page **pages, int *nr)
50937 + int ret = -ENOMEM;
50940 * nr is a running index into the array which helps higher level
50941 @@ -101,17 +113,30 @@ static int vmap_pte_range(pmd_t *pmd, un
50942 pte = pte_alloc_kernel(pmd, addr);
50946 + pax_open_kernel();
50948 struct page *page = pages[*nr];
50950 - if (WARN_ON(!pte_none(*pte)))
50952 - if (WARN_ON(!page))
50954 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
50955 + if (pgprot_val(prot) & _PAGE_NX)
50958 + if (WARN_ON(!pte_none(*pte))) {
50962 + if (WARN_ON(!page)) {
50966 set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
50968 } while (pte++, addr += PAGE_SIZE, addr != end);
50972 + pax_close_kernel();
50976 static int vmap_pmd_range(pud_t *pud, unsigned long addr,
50977 @@ -192,11 +217,20 @@ int is_vmalloc_or_module_addr(const void
50978 * and fall back on vmalloc() if that fails. Others
50979 * just put it in the vmalloc space.
50981 -#if defined(CONFIG_MODULES) && defined(MODULES_VADDR)
50982 +#ifdef CONFIG_MODULES
50983 +#ifdef MODULES_VADDR
50984 unsigned long addr = (unsigned long)x;
50985 if (addr >= MODULES_VADDR && addr < MODULES_END)
50989 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
50990 + if (x >= (const void *)MODULES_EXEC_VADDR && x < (const void *)MODULES_EXEC_END)
50996 return is_vmalloc_addr(x);
50999 @@ -292,13 +326,13 @@ static void __insert_vmap_area(struct vm
51000 struct rb_node *tmp;
51003 - struct vmap_area *tmp;
51004 + struct vmap_area *varea;
51007 - tmp = rb_entry(parent, struct vmap_area, rb_node);
51008 - if (va->va_start < tmp->va_end)
51009 + varea = rb_entry(parent, struct vmap_area, rb_node);
51010 + if (va->va_start < varea->va_end)
51011 p = &(*p)->rb_left;
51012 - else if (va->va_end > tmp->va_start)
51013 + else if (va->va_end > varea->va_start)
51014 p = &(*p)->rb_right;
51017 @@ -1224,6 +1258,16 @@ static struct vm_struct *__get_vm_area_n
51018 struct vm_struct *area;
51020 BUG_ON(in_interrupt());
51022 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
51023 + if (flags & VM_KERNEXEC) {
51024 + if (start != VMALLOC_START || end != VMALLOC_END)
51026 + start = (unsigned long)&MODULES_EXEC_VADDR;
51027 + end = (unsigned long)&MODULES_EXEC_END;
51031 if (flags & VM_IOREMAP) {
51032 int bit = fls(size);
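Review bot: `start = (unsigned long)&MODULES_EXEC_VADDR;` and `end = (unsigned long)&MODULES_EXEC_END;` take the address of the symbols, while the other hunks in this file use their value: `(unsigned long)MODULES_EXEC_VADDR <= addr` in vunmap_pte_range and `x >= (const void *)MODULES_EXEC_VADDR` in is_vmalloc_or_module_addr. The definitions are not in this file's diff; if they are array-typed linker symbols both spellings give the same address, but if they are pointer variables the two forms name different addresses and the exec range would be wrong. One spelling throughout, e.g. `start = (unsigned long)MODULES_EXEC_VADDR;`, removes the doubt. The function continues outside the hunk.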
51034 @@ -1449,6 +1493,11 @@ void *vmap(struct page **pages, unsigned
51035 if (count > totalram_pages)
51038 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
51039 + if (!(pgprot_val(prot) & _PAGE_NX))
51040 + flags |= VM_KERNEXEC;
51043 area = get_vm_area_caller((count << PAGE_SHIFT), flags,
51044 __builtin_return_address(0));
51046 @@ -1558,6 +1607,13 @@ static void *__vmalloc_node(unsigned lon
51047 if (!size || (size >> PAGE_SHIFT) > totalram_pages)
51050 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
51051 + if (!(pgprot_val(prot) & _PAGE_NX))
51052 + area = __get_vm_area_node(size, align, VM_ALLOC | VM_KERNEXEC, VMALLOC_START, VMALLOC_END,
51053 + node, gfp_mask, caller);
51057 area = __get_vm_area_node(size, align, VM_ALLOC, VMALLOC_START,
51058 VMALLOC_END, node, gfp_mask, caller);
51060 @@ -1576,6 +1632,7 @@ static void *__vmalloc_node(unsigned lon
51065 void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
51067 return __vmalloc_node(size, 1, gfp_mask, prot, -1,
51068 @@ -1592,6 +1649,7 @@ EXPORT_SYMBOL(__vmalloc);
51069 * For tight control over page level allocator and protection flags
51070 * use __vmalloc() instead.
51073 void *vmalloc(unsigned long size)
51075 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
51076 @@ -1606,6 +1664,7 @@ EXPORT_SYMBOL(vmalloc);
51077 * The resulting memory area is zeroed so it can be mapped to userspace
51078 * without leaking data.
51080 +#undef vmalloc_user
51081 void *vmalloc_user(unsigned long size)
51083 struct vm_struct *area;
51084 @@ -1633,6 +1692,7 @@ EXPORT_SYMBOL(vmalloc_user);
51085 * For tight control over page level allocator and protection flags
51086 * use __vmalloc() instead.
51088 +#undef vmalloc_node
51089 void *vmalloc_node(unsigned long size, int node)
51091 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
51092 @@ -1655,10 +1715,10 @@ EXPORT_SYMBOL(vmalloc_node);
51093 * For tight control over page level allocator and protection flags
51094 * use __vmalloc() instead.
51097 +#undef vmalloc_exec
51098 void *vmalloc_exec(unsigned long size)
51100 - return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
51101 + return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, PAGE_KERNEL_EXEC,
51102 -1, __builtin_return_address(0));
51105 @@ -1677,6 +1737,7 @@ void *vmalloc_exec(unsigned long size)
51106 * Allocate enough 32bit PA addressable pages to cover @size from the
51107 * page level allocator and map them into contiguous kernel virtual space.
51110 void *vmalloc_32(unsigned long size)
51112 return __vmalloc_node(size, 1, GFP_VMALLOC32, PAGE_KERNEL,
51113 @@ -1691,6 +1752,7 @@ EXPORT_SYMBOL(vmalloc_32);
51114 * The resulting memory area is 32bit addressable and zeroed so it can be
51115 * mapped to userspace without leaking data.
51117 +#undef vmalloc_32_user
51118 void *vmalloc_32_user(unsigned long size)
51120 struct vm_struct *area;
51121 diff -urNp linux-2.6.33.1/net/atm/atm_misc.c linux-2.6.33.1/net/atm/atm_misc.c
51122 --- linux-2.6.33.1/net/atm/atm_misc.c 2010-03-15 12:09:39.000000000 -0400
51123 +++ linux-2.6.33.1/net/atm/atm_misc.c 2010-03-20 16:58:42.280534479 -0400
51124 @@ -19,7 +19,7 @@ int atm_charge(struct atm_vcc *vcc,int t
51125 if (atomic_read(&sk_atm(vcc)->sk_rmem_alloc) <= sk_atm(vcc)->sk_rcvbuf)
51127 atm_return(vcc,truesize);
51128 - atomic_inc(&vcc->stats->rx_drop);
51129 + atomic_inc_unchecked(&vcc->stats->rx_drop);
51133 @@ -41,7 +41,7 @@ struct sk_buff *atm_alloc_charge(struct
51136 atm_return(vcc,guess);
51137 - atomic_inc(&vcc->stats->rx_drop);
51138 + atomic_inc_unchecked(&vcc->stats->rx_drop);
51142 @@ -88,7 +88,7 @@ int atm_pcr_goal(const struct atm_trafpr
51144 void sonet_copy_stats(struct k_sonet_stats *from,struct sonet_stats *to)
51146 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
51147 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
51149 #undef __HANDLE_ITEM
51151 @@ -96,7 +96,7 @@ void sonet_copy_stats(struct k_sonet_sta
51153 void sonet_subtract_stats(struct k_sonet_stats *from,struct sonet_stats *to)
51155 -#define __HANDLE_ITEM(i) atomic_sub(to->i,&from->i)
51156 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i,&from->i)
51158 #undef __HANDLE_ITEM
51160 diff -urNp linux-2.6.33.1/net/atm/proc.c linux-2.6.33.1/net/atm/proc.c
51161 --- linux-2.6.33.1/net/atm/proc.c 2010-03-15 12:09:39.000000000 -0400
51162 +++ linux-2.6.33.1/net/atm/proc.c 2010-03-20 16:58:42.280534479 -0400
51163 @@ -43,9 +43,9 @@ static void add_stats(struct seq_file *s
51164 const struct k_atm_aal_stats *stats)
51166 seq_printf(seq, "%s ( %d %d %d %d %d )", aal,
51167 - atomic_read(&stats->tx),atomic_read(&stats->tx_err),
51168 - atomic_read(&stats->rx),atomic_read(&stats->rx_err),
51169 - atomic_read(&stats->rx_drop));
51170 + atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),
51171 + atomic_read_unchecked(&stats->rx),atomic_read_unchecked(&stats->rx_err),
51172 + atomic_read_unchecked(&stats->rx_drop));
51175 static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
51176 diff -urNp linux-2.6.33.1/net/atm/resources.c linux-2.6.33.1/net/atm/resources.c
51177 --- linux-2.6.33.1/net/atm/resources.c 2010-03-15 12:09:39.000000000 -0400
51178 +++ linux-2.6.33.1/net/atm/resources.c 2010-03-20 16:58:42.280534479 -0400
51179 @@ -161,7 +161,7 @@ void atm_dev_deregister(struct atm_dev *
51180 static void copy_aal_stats(struct k_atm_aal_stats *from,
51181 struct atm_aal_stats *to)
51183 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
51184 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
51186 #undef __HANDLE_ITEM
51188 @@ -170,7 +170,7 @@ static void copy_aal_stats(struct k_atm_
51189 static void subtract_aal_stats(struct k_atm_aal_stats *from,
51190 struct atm_aal_stats *to)
51192 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
51193 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)
51195 #undef __HANDLE_ITEM
51197 diff -urNp linux-2.6.33.1/net/bridge/br_private.h linux-2.6.33.1/net/bridge/br_private.h
51198 --- linux-2.6.33.1/net/bridge/br_private.h 2010-03-15 12:09:39.000000000 -0400
51199 +++ linux-2.6.33.1/net/bridge/br_private.h 2010-03-20 16:58:42.280534479 -0400
51200 @@ -254,7 +254,7 @@ extern void br_ifinfo_notify(int event,
51202 #ifdef CONFIG_SYSFS
51203 /* br_sysfs_if.c */
51204 -extern struct sysfs_ops brport_sysfs_ops;
51205 +extern const struct sysfs_ops brport_sysfs_ops;
51206 extern int br_sysfs_addif(struct net_bridge_port *p);
51208 /* br_sysfs_br.c */
51209 diff -urNp linux-2.6.33.1/net/bridge/br_stp_if.c linux-2.6.33.1/net/bridge/br_stp_if.c
51210 --- linux-2.6.33.1/net/bridge/br_stp_if.c 2010-03-15 12:09:39.000000000 -0400
51211 +++ linux-2.6.33.1/net/bridge/br_stp_if.c 2010-03-20 16:58:42.280534479 -0400
51212 @@ -146,7 +146,7 @@ static void br_stp_stop(struct net_bridg
51213 char *envp[] = { NULL };
51215 if (br->stp_enabled == BR_USER_STP) {
51216 - r = call_usermodehelper(BR_STP_PROG, argv, envp, 1);
51217 + r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC);
51218 printk(KERN_INFO "%s: userspace STP stopped, return code %d\n",
51221 diff -urNp linux-2.6.33.1/net/bridge/br_sysfs_if.c linux-2.6.33.1/net/bridge/br_sysfs_if.c
51222 --- linux-2.6.33.1/net/bridge/br_sysfs_if.c 2010-03-15 12:09:39.000000000 -0400
51223 +++ linux-2.6.33.1/net/bridge/br_sysfs_if.c 2010-03-20 16:58:42.280534479 -0400
51224 @@ -220,7 +220,7 @@ static ssize_t brport_store(struct kobje
51228 -struct sysfs_ops brport_sysfs_ops = {
51229 +const struct sysfs_ops brport_sysfs_ops = {
51230 .show = brport_show,
51231 .store = brport_store,
51233 diff -urNp linux-2.6.33.1/net/bridge/netfilter/ebtables.c linux-2.6.33.1/net/bridge/netfilter/ebtables.c
51234 --- linux-2.6.33.1/net/bridge/netfilter/ebtables.c 2010-03-15 12:09:39.000000000 -0400
51235 +++ linux-2.6.33.1/net/bridge/netfilter/ebtables.c 2010-03-20 16:58:42.284535154 -0400
51236 @@ -1456,7 +1456,7 @@ static int do_ebt_get_ctl(struct sock *s
51237 tmp.valid_hooks = t->table->valid_hooks;
51239 mutex_unlock(&ebt_mutex);
51240 - if (copy_to_user(user, &tmp, *len) != 0){
51241 + if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0){
51242 BUGPRINT("c2u Didn't work\n");
51245 diff -urNp linux-2.6.33.1/net/core/dev.c linux-2.6.33.1/net/core/dev.c
51246 --- linux-2.6.33.1/net/core/dev.c 2010-03-15 12:09:39.000000000 -0400
51247 +++ linux-2.6.33.1/net/core/dev.c 2010-03-20 16:58:42.284535154 -0400
51248 @@ -2183,7 +2183,7 @@ int netif_rx_ni(struct sk_buff *skb)
51250 EXPORT_SYMBOL(netif_rx_ni);
51252 -static void net_tx_action(struct softirq_action *h)
51253 +static void net_tx_action(void)
51255 struct softnet_data *sd = &__get_cpu_var(softnet_data);
51257 @@ -2939,7 +2939,7 @@ void netif_napi_del(struct napi_struct *
51258 EXPORT_SYMBOL(netif_napi_del);
51261 -static void net_rx_action(struct softirq_action *h)
51262 +static void net_rx_action(void)
51264 struct list_head *list = &__get_cpu_var(softnet_data).poll_list;
51265 unsigned long time_limit = jiffies + 2;
51266 diff -urNp linux-2.6.33.1/net/core/flow.c linux-2.6.33.1/net/core/flow.c
51267 --- linux-2.6.33.1/net/core/flow.c 2010-03-15 12:09:39.000000000 -0400
51268 +++ linux-2.6.33.1/net/core/flow.c 2010-03-20 16:58:42.284535154 -0400
51269 @@ -39,7 +39,7 @@ atomic_t flow_cache_genid = ATOMIC_INIT(
51271 static u32 flow_hash_shift;
51272 #define flow_hash_size (1 << flow_hash_shift)
51273 -static DEFINE_PER_CPU(struct flow_cache_entry **, flow_tables) = { NULL };
51274 +static DEFINE_PER_CPU(struct flow_cache_entry **, flow_tables);
51276 #define flow_table(cpu) (per_cpu(flow_tables, cpu))
51278 @@ -52,7 +52,7 @@ struct flow_percpu_info {
51282 -static DEFINE_PER_CPU(struct flow_percpu_info, flow_hash_info) = { 0 };
51283 +static DEFINE_PER_CPU(struct flow_percpu_info, flow_hash_info);
51285 #define flow_hash_rnd_recalc(cpu) \
51286 (per_cpu(flow_hash_info, cpu).hash_rnd_recalc)
51287 @@ -69,7 +69,7 @@ struct flow_flush_info {
51289 struct completion completion;
51291 -static DEFINE_PER_CPU(struct tasklet_struct, flow_flush_tasklets) = { NULL };
51292 +static DEFINE_PER_CPU(struct tasklet_struct, flow_flush_tasklets);
51294 #define flow_flush_tasklet(cpu) (&per_cpu(flow_flush_tasklets, cpu))
51296 diff -urNp linux-2.6.33.1/net/core/sock.c linux-2.6.33.1/net/core/sock.c
51297 --- linux-2.6.33.1/net/core/sock.c 2010-03-15 12:09:39.000000000 -0400
51298 +++ linux-2.6.33.1/net/core/sock.c 2010-03-20 16:58:42.284535154 -0400
51299 @@ -896,7 +896,7 @@ int sock_getsockopt(struct socket *sock,
51303 - if (copy_to_user(optval, address, len))
51304 + if (len > sizeof(address) || copy_to_user(optval, address, len))
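Review bot: The new guard `len > sizeof(address)` is a real bound only if `address` is an array declared in this function; the declaration is outside the hunk, and for a pointer `sizeof` would yield the pointer size and reject valid lengths or accept too little. The same pattern is added with `sizeof(v)` in the next hunk, `sizeof(addr)` and `sizeof(devname)` in sysctl_net_decnet.c and `sizeof(tbuf)` in tcp_probe.c, so each declaration is worth checking once. The oversize case also shares the failure branch with a faulting `copy_to_user()`, so the caller cannot tell the two apart; if that is intended, a one-line comment such as `/* oversize length is treated like a failed copy */` would record it.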
51308 @@ -929,7 +929,7 @@ int sock_getsockopt(struct socket *sock,
51312 - if (copy_to_user(optval, &v, len))
51313 + if (len > sizeof(v) || copy_to_user(optval, &v, len))
51316 if (put_user(len, optlen))
51317 diff -urNp linux-2.6.33.1/net/dccp/ccids/ccid3.c linux-2.6.33.1/net/dccp/ccids/ccid3.c
51318 --- linux-2.6.33.1/net/dccp/ccids/ccid3.c 2010-03-15 12:09:39.000000000 -0400
51319 +++ linux-2.6.33.1/net/dccp/ccids/ccid3.c 2010-03-20 16:58:42.284535154 -0400
51321 static int ccid3_debug;
51322 #define ccid3_pr_debug(format, a...) DCCP_PR_DEBUG(ccid3_debug, format, ##a)
51324 -#define ccid3_pr_debug(format, a...)
51325 +#define ccid3_pr_debug(format, a...) do {} while (0)
51329 diff -urNp linux-2.6.33.1/net/dccp/dccp.h linux-2.6.33.1/net/dccp/dccp.h
51330 --- linux-2.6.33.1/net/dccp/dccp.h 2010-03-15 12:09:39.000000000 -0400
51331 +++ linux-2.6.33.1/net/dccp/dccp.h 2010-03-20 16:58:42.284535154 -0400
51332 @@ -44,9 +44,9 @@ extern int dccp_debug;
51333 #define dccp_pr_debug_cat(format, a...) DCCP_PRINTK(dccp_debug, format, ##a)
51334 #define dccp_debug(fmt, a...) dccp_pr_debug_cat(KERN_DEBUG fmt, ##a)
51336 -#define dccp_pr_debug(format, a...)
51337 -#define dccp_pr_debug_cat(format, a...)
51338 -#define dccp_debug(format, a...)
51339 +#define dccp_pr_debug(format, a...) do {} while (0)
51340 +#define dccp_pr_debug_cat(format, a...) do {} while (0)
51341 +#define dccp_debug(format, a...) do {} while (0)
51344 extern struct inet_hashinfo dccp_hashinfo;
51345 diff -urNp linux-2.6.33.1/net/decnet/sysctl_net_decnet.c linux-2.6.33.1/net/decnet/sysctl_net_decnet.c
51346 --- linux-2.6.33.1/net/decnet/sysctl_net_decnet.c 2010-03-15 12:09:39.000000000 -0400
51347 +++ linux-2.6.33.1/net/decnet/sysctl_net_decnet.c 2010-03-20 16:58:42.284535154 -0400
51348 @@ -173,7 +173,7 @@ static int dn_node_address_handler(ctl_t
51350 if (len > *lenp) len = *lenp;
51352 - if (copy_to_user(buffer, addr, len))
51353 + if (len > sizeof(addr) || copy_to_user(buffer, addr, len))
51357 @@ -236,7 +236,7 @@ static int dn_def_dev_handler(ctl_table
51359 if (len > *lenp) len = *lenp;
51361 - if (copy_to_user(buffer, devname, len))
51362 + if (len > sizeof(devname) || copy_to_user(buffer, devname, len))
51366 diff -urNp linux-2.6.33.1/net/ipv4/inet_hashtables.c linux-2.6.33.1/net/ipv4/inet_hashtables.c
51367 --- linux-2.6.33.1/net/ipv4/inet_hashtables.c 2010-03-15 12:09:39.000000000 -0400
51368 +++ linux-2.6.33.1/net/ipv4/inet_hashtables.c 2010-03-20 16:58:42.311008973 -0400
51369 @@ -18,11 +18,14 @@
51370 #include <linux/sched.h>
51371 #include <linux/slab.h>
51372 #include <linux/wait.h>
51373 +#include <linux/security.h>
51375 #include <net/inet_connection_sock.h>
51376 #include <net/inet_hashtables.h>
51377 #include <net/ip.h>
51379 +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
51382 * Allocate and initialize a new local port bind bucket.
51383 * The bindhash mutex for snum's hash chain must be held here.
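Review bot: The prototype `extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);` is declared directly in this .c file, so the compiler cannot check it against the definition. The same is done for `extern int grsec_enable_blackhole;` in tcp_ipv4.c and tcp_minisocks.c and for `extern int grsec_lastack_retries;` in tcp_timer.c. Moving these declarations into one shared header that the defining file also includes would catch a signature or type mismatch at build time. Whether such a header exists elsewhere in the patch is not visible here.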
51384 @@ -506,6 +509,8 @@ ok:
51385 twrefcnt += inet_twsk_bind_unhash(tw, hinfo);
51386 spin_unlock(&head->lock);
51388 + gr_update_task_in_ip_table(current, inet_sk(sk));
51391 inet_twsk_deschedule(tw, death_row);
51393 diff -urNp linux-2.6.33.1/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-2.6.33.1/net/ipv4/netfilter/nf_nat_snmp_basic.c
51394 --- linux-2.6.33.1/net/ipv4/netfilter/nf_nat_snmp_basic.c 2010-03-15 12:09:39.000000000 -0400
51395 +++ linux-2.6.33.1/net/ipv4/netfilter/nf_nat_snmp_basic.c 2010-03-20 16:58:42.311008973 -0400
51396 @@ -397,7 +397,7 @@ static unsigned char asn1_octets_decode(
51400 - *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
51401 + *octets = kmalloc((eoc - ctx->pointer), GFP_ATOMIC);
51402 if (*octets == NULL) {
51403 if (net_ratelimit())
51404 printk("OOM in bsalg (%d)\n", __LINE__);
51405 diff -urNp linux-2.6.33.1/net/ipv4/tcp_ipv4.c linux-2.6.33.1/net/ipv4/tcp_ipv4.c
51406 --- linux-2.6.33.1/net/ipv4/tcp_ipv4.c 2010-03-15 12:09:39.000000000 -0400
51407 +++ linux-2.6.33.1/net/ipv4/tcp_ipv4.c 2010-03-20 17:00:48.140865901 -0400
51409 int sysctl_tcp_tw_reuse __read_mostly;
51410 int sysctl_tcp_low_latency __read_mostly;
51412 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
51413 +extern int grsec_enable_blackhole;
51416 #ifdef CONFIG_TCP_MD5SIG
51417 static struct tcp_md5sig_key *tcp_v4_md5_do_lookup(struct sock *sk,
51418 @@ -1646,12 +1649,20 @@ int tcp_v4_rcv(struct sk_buff *skb)
51419 TCP_SKB_CB(skb)->sacked = 0;
51421 sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
51424 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
51427 goto no_tcp_socket;
51431 - if (sk->sk_state == TCP_TIME_WAIT)
51432 + if (sk->sk_state == TCP_TIME_WAIT) {
51433 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
51439 if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))
51440 goto discard_and_relse;
51441 @@ -1693,6 +1704,10 @@ no_tcp_socket:
51443 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
51445 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
51446 + if (!grsec_enable_blackhole || (ret == 1 &&
51447 + (skb->dev->flags & IFF_LOOPBACK)))
51449 tcp_v4_send_reset(NULL, skb);
51452 diff -urNp linux-2.6.33.1/net/ipv4/tcp_minisocks.c linux-2.6.33.1/net/ipv4/tcp_minisocks.c
51453 --- linux-2.6.33.1/net/ipv4/tcp_minisocks.c 2010-03-15 12:09:39.000000000 -0400
51454 +++ linux-2.6.33.1/net/ipv4/tcp_minisocks.c 2010-03-20 17:06:01.445852790 -0400
51456 #include <net/inet_common.h>
51457 #include <net/xfrm.h>
51459 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
51460 +extern int grsec_enable_blackhole;
51463 int sysctl_tcp_syncookies __read_mostly = 1;
51464 EXPORT_SYMBOL(sysctl_tcp_syncookies);
51466 @@ -698,8 +702,11 @@ listen_overflow:
51469 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_EMBRYONICRSTS);
51470 - if (!(flg & TCP_FLAG_RST))
51472 +#ifndef CONFIG_GRKERNSEC_BLACKHOLE
51473 + if (!grsec_enable_blackhole || !(flg & TCP_FLAG_RST))
51474 req->rsk_ops->send_reset(sk, skb);
51477 inet_csk_reqsk_queue_drop(sk, req, prev);
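Review bot: The guard added before `req->rsk_ops->send_reset(sk, skb)` sits under `#ifndef CONFIG_GRKERNSEC_BLACKHOLE`, yet it tests `grsec_enable_blackhole`, which this file declares only under `#ifdef CONFIG_GRKERNSEC_BLACKHOLE`. As shown, a kernel built with the option loses the `if` entirely and sends the reset unconditionally, while a kernel built without it references an undeclared variable. Where the condition does compile, `!grsec_enable_blackhole || !(flg & TCP_FLAG_RST)` replies even to a segment carrying RST when the switch is off, which the removed `if (!(flg & TCP_FLAG_RST))` prevented. I would expect `#ifdef CONFIG_GRKERNSEC_BLACKHOLE` with `if (!grsec_enable_blackhole && !(flg & TCP_FLAG_RST))`, and the original `if (!(flg & TCP_FLAG_RST))` kept under `#else`. The closing `#endif` is not visible in this view.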
51479 diff -urNp linux-2.6.33.1/net/ipv4/tcp_probe.c linux-2.6.33.1/net/ipv4/tcp_probe.c
51480 --- linux-2.6.33.1/net/ipv4/tcp_probe.c 2010-03-15 12:09:39.000000000 -0400
51481 +++ linux-2.6.33.1/net/ipv4/tcp_probe.c 2010-03-20 16:58:42.312547376 -0400
51482 @@ -201,7 +201,7 @@ static ssize_t tcpprobe_read(struct file
51483 if (cnt + width >= len)
51486 - if (copy_to_user(buf + cnt, tbuf, width))
51487 + if (width > sizeof(tbuf) || copy_to_user(buf + cnt, tbuf, width))
51491 diff -urNp linux-2.6.33.1/net/ipv4/tcp_timer.c linux-2.6.33.1/net/ipv4/tcp_timer.c
51492 --- linux-2.6.33.1/net/ipv4/tcp_timer.c 2010-03-15 12:09:39.000000000 -0400
51493 +++ linux-2.6.33.1/net/ipv4/tcp_timer.c 2010-03-20 17:00:48.145360815 -0400
51495 #include <linux/module.h>
51496 #include <net/tcp.h>
51498 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
51499 +extern int grsec_lastack_retries;
51502 int sysctl_tcp_syn_retries __read_mostly = TCP_SYN_RETRIES;
51503 int sysctl_tcp_synack_retries __read_mostly = TCP_SYNACK_RETRIES;
51504 int sysctl_tcp_keepalive_time __read_mostly = TCP_KEEPALIVE_TIME;
51505 @@ -193,6 +197,13 @@ static int tcp_write_timeout(struct sock
51509 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
51510 + if ((sk->sk_state == TCP_LAST_ACK) &&
51511 + (grsec_lastack_retries > 0) &&
51512 + (grsec_lastack_retries < retry_until))
51513 + retry_until = grsec_lastack_retries;
51516 if (retransmits_timed_out(sk, retry_until)) {
51517 /* Has it gone just too far? */
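Review bot: `grsec_lastack_retries` is read three times across the added condition and assignment, so if it changes between the `> 0` test and `retry_until = grsec_lastack_retries`, a value that was never checked (0, for instance) can be stored. It is presumably tunable at run time, being an `extern int` consulted on every timeout; if so, take one snapshot: `int lastack = ACCESS_ONCE(grsec_lastack_retries);` and then `if (sk->sk_state == TCP_LAST_ACK && lastack > 0 && lastack < retry_until) retry_until = lastack;`. tcp_write_timeout's body starts and ends outside the hunk.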
51519 diff -urNp linux-2.6.33.1/net/ipv4/udp.c linux-2.6.33.1/net/ipv4/udp.c
51520 --- linux-2.6.33.1/net/ipv4/udp.c 2010-03-15 12:09:39.000000000 -0400
51521 +++ linux-2.6.33.1/net/ipv4/udp.c 2010-03-20 17:06:32.628937453 -0400
51523 #include <linux/types.h>
51524 #include <linux/fcntl.h>
51525 #include <linux/module.h>
51526 +#include <linux/security.h>
51527 #include <linux/socket.h>
51528 #include <linux/sockios.h>
51529 #include <linux/igmp.h>
51530 @@ -106,6 +107,10 @@
51531 #include <net/xfrm.h>
51532 #include "udp_impl.h"
51534 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
51535 +extern int grsec_enable_blackhole;
51538 struct udp_table udp_table __read_mostly;
51539 EXPORT_SYMBOL(udp_table);
51541 @@ -562,6 +567,9 @@ found:
51545 +extern int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
51546 +extern int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
51549 * This routine is called by the ICMP module when it gets some
51550 * sort of error condition. If err < 0 then the socket should
51551 @@ -830,9 +838,18 @@ int udp_sendmsg(struct kiocb *iocb, stru
51552 dport = usin->sin_port;
51556 + err = gr_search_udp_sendmsg(sk, usin);
51560 if (sk->sk_state != TCP_ESTABLISHED)
51561 return -EDESTADDRREQ;
51563 + err = gr_search_udp_sendmsg(sk, NULL);
51567 daddr = inet->inet_daddr;
51568 dport = inet->inet_dport;
51569 /* Open fast path for connected socket.
51570 @@ -1137,6 +1154,10 @@ try_again:
51574 + err = gr_search_udp_recvmsg(sk, skb);
51578 ulen = skb->len - sizeof(struct udphdr);
51581 @@ -1568,6 +1589,9 @@ int __udp4_lib_rcv(struct sk_buff *skb,
51584 UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
51585 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
51586 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
51588 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
51591 diff -urNp linux-2.6.33.1/net/ipv6/exthdrs.c linux-2.6.33.1/net/ipv6/exthdrs.c
51592 --- linux-2.6.33.1/net/ipv6/exthdrs.c 2010-03-15 12:09:39.000000000 -0400
51593 +++ linux-2.6.33.1/net/ipv6/exthdrs.c 2010-03-20 16:58:42.312547376 -0400
51594 @@ -635,7 +635,7 @@ static struct tlvtype_proc tlvprochopopt
51595 .type = IPV6_TLV_JUMBO,
51596 .func = ipv6_hop_jumbo,
51602 int ipv6_parse_hopopts(struct sk_buff *skb)
51603 diff -urNp linux-2.6.33.1/net/ipv6/raw.c linux-2.6.33.1/net/ipv6/raw.c
51604 --- linux-2.6.33.1/net/ipv6/raw.c 2010-03-15 12:09:39.000000000 -0400
51605 +++ linux-2.6.33.1/net/ipv6/raw.c 2010-03-20 16:58:42.312547376 -0400
51606 @@ -597,7 +597,7 @@ out:
51610 -static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
51611 +static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
51612 struct flowi *fl, struct rt6_info *rt,
51613 unsigned int flags)
51615 diff -urNp linux-2.6.33.1/net/ipv6/tcp_ipv6.c linux-2.6.33.1/net/ipv6/tcp_ipv6.c
51616 --- linux-2.6.33.1/net/ipv6/tcp_ipv6.c 2010-03-15 12:09:39.000000000 -0400
51617 +++ linux-2.6.33.1/net/ipv6/tcp_ipv6.c 2010-03-20 16:58:42.316527391 -0400
51618 @@ -1625,6 +1625,9 @@ static int tcp_v6_do_rcv(struct sock *sk
51622 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
51623 + if (!skb->dev || (skb->dev->flags & IFF_LOOPBACK))
51625 tcp_v6_send_reset(sk, skb);
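Review bot: The IPv6 guards test only `skb->dev->flags & IFF_LOOPBACK` and never consult `grsec_enable_blackhole`, so with CONFIG_GRKERNSEC_BLACKHOLE built in the reply is suppressed for all non-loopback traffic whatever the run-time switch says; the IPv4 counterparts in net/ipv4/tcp_ipv4.c and net/ipv4/udp.c use `!grsec_enable_blackhole || ...`. The same applies to the `no_tcp_socket` hunk that follows and to the `__udp6_lib_rcv` hunk in net/ipv6/udp.c. I would make the three conditions match IPv4, e.g. `if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))`, with the variable declared for these files. This hunk also checks `!skb->dev` while the other two dereference `skb->dev` directly; one form should be chosen and the reason stated in a comment.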
51628 @@ -1747,6 +1750,9 @@ no_tcp_socket:
51630 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
51632 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
51633 + if (skb->dev->flags & IFF_LOOPBACK)
51635 tcp_v6_send_reset(NULL, skb);
51638 diff -urNp linux-2.6.33.1/net/ipv6/udp.c linux-2.6.33.1/net/ipv6/udp.c
51639 --- linux-2.6.33.1/net/ipv6/udp.c 2010-03-15 12:09:39.000000000 -0400
51640 +++ linux-2.6.33.1/net/ipv6/udp.c 2010-03-20 16:58:42.316527391 -0400
51641 @@ -745,6 +745,9 @@ int __udp6_lib_rcv(struct sk_buff *skb,
51642 UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS,
51643 proto == IPPROTO_UDPLITE);
51645 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
51646 + if (skb->dev->flags & IFF_LOOPBACK)
51648 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0, dev);
51651 diff -urNp linux-2.6.33.1/net/irda/ircomm/ircomm_tty.c linux-2.6.33.1/net/irda/ircomm/ircomm_tty.c
51652 --- linux-2.6.33.1/net/irda/ircomm/ircomm_tty.c 2010-03-15 12:09:39.000000000 -0400
51653 +++ linux-2.6.33.1/net/irda/ircomm/ircomm_tty.c 2010-03-20 16:58:42.316527391 -0400
51654 @@ -280,16 +280,16 @@ static int ircomm_tty_block_til_ready(st
51655 add_wait_queue(&self->open_wait, &wait);
51657 IRDA_DEBUG(2, "%s(%d):block_til_ready before block on %s open_count=%d\n",
51658 - __FILE__,__LINE__, tty->driver->name, self->open_count );
51659 + __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count) );
51661 /* As far as I can see, we protect open_count - Jean II */
51662 spin_lock_irqsave(&self->spinlock, flags);
51663 if (!tty_hung_up_p(filp)) {
51665 - self->open_count--;
51666 + atomic_dec(&self->open_count);
51668 spin_unlock_irqrestore(&self->spinlock, flags);
51669 - self->blocked_open++;
51670 + atomic_inc(&self->blocked_open);
51673 if (tty->termios->c_cflag & CBAUD) {
51674 @@ -329,7 +329,7 @@ static int ircomm_tty_block_til_ready(st
51677 IRDA_DEBUG(1, "%s(%d):block_til_ready blocking on %s open_count=%d\n",
51678 - __FILE__,__LINE__, tty->driver->name, self->open_count );
51679 + __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count) );
51683 @@ -340,13 +340,13 @@ static int ircomm_tty_block_til_ready(st
51685 /* ++ is not atomic, so this should be protected - Jean II */
51686 spin_lock_irqsave(&self->spinlock, flags);
51687 - self->open_count++;
51688 + atomic_inc(&self->open_count);
51689 spin_unlock_irqrestore(&self->spinlock, flags);
51691 - self->blocked_open--;
51692 + atomic_dec(&self->blocked_open);
51694 IRDA_DEBUG(1, "%s(%d):block_til_ready after blocking on %s open_count=%d\n",
51695 - __FILE__,__LINE__, tty->driver->name, self->open_count);
51696 + __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count));
51699 self->flags |= ASYNC_NORMAL_ACTIVE;
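Review bot: The context comment `/* ++ is not atomic, so this should be protected - Jean II */` above `atomic_inc(&self->open_count)` no longer describes the code, here and again in the ircomm_tty_open hunk below. With the counter now an `atomic_t`, the comment should say what the retained spinlock is still for, for example `/* open_count is atomic_t; lock kept to order this against close/hangup */` if that is the intent. `blocked_open` is updated outside the lock in this function, so a short note that it relies on the atomic alone would help as well. ircomm_tty_block_til_ready starts and ends outside the hunk.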
51700 @@ -415,14 +415,14 @@ static int ircomm_tty_open(struct tty_st
51702 /* ++ is not atomic, so this should be protected - Jean II */
51703 spin_lock_irqsave(&self->spinlock, flags);
51704 - self->open_count++;
51705 + atomic_inc(&self->open_count);
51707 tty->driver_data = self;
51709 spin_unlock_irqrestore(&self->spinlock, flags);
51711 IRDA_DEBUG(1, "%s(), %s%d, count = %d\n", __func__ , tty->driver->name,
51712 - self->line, self->open_count);
51713 + self->line, atomic_read(&self->open_count));
51715 /* Not really used by us, but lets do it anyway */
51716 self->tty->low_latency = (self->flags & ASYNC_LOW_LATENCY) ? 1 : 0;
51717 @@ -511,7 +511,7 @@ static void ircomm_tty_close(struct tty_
51721 - if ((tty->count == 1) && (self->open_count != 1)) {
51722 + if ((tty->count == 1) && (atomic_read(&self->open_count) != 1)) {
51724 * Uh, oh. tty->count is 1, which means that the tty
51725 * structure will be freed. state->count should always
51726 @@ -521,16 +521,16 @@ static void ircomm_tty_close(struct tty_
51728 IRDA_DEBUG(0, "%s(), bad serial port count; "
51729 "tty->count is 1, state->count is %d\n", __func__ ,
51730 - self->open_count);
51731 - self->open_count = 1;
51732 + atomic_read(&self->open_count));
51733 + atomic_set(&self->open_count, 1);
51736 - if (--self->open_count < 0) {
51737 + if (atomic_dec_return(&self->open_count) < 0) {
51738 IRDA_ERROR("%s(), bad serial port count for ttys%d: %d\n",
51739 - __func__, self->line, self->open_count);
51740 - self->open_count = 0;
51741 + __func__, self->line, atomic_read(&self->open_count));
51742 + atomic_set(&self->open_count, 0);
51744 - if (self->open_count) {
51745 + if (atomic_read(&self->open_count)) {
51746 spin_unlock_irqrestore(&self->spinlock, flags);
51748 IRDA_DEBUG(0, "%s(), open count > 0\n", __func__ );
51749 @@ -562,7 +562,7 @@ static void ircomm_tty_close(struct tty_
51753 - if (self->blocked_open) {
51754 + if (atomic_read(&self->blocked_open)) {
51755 if (self->close_delay)
51756 schedule_timeout_interruptible(self->close_delay);
51757 wake_up_interruptible(&self->open_wait);
51758 @@ -1017,7 +1017,7 @@ static void ircomm_tty_hangup(struct tty
51759 spin_lock_irqsave(&self->spinlock, flags);
51760 self->flags &= ~ASYNC_NORMAL_ACTIVE;
51762 - self->open_count = 0;
51763 + atomic_set(&self->open_count, 0);
51764 spin_unlock_irqrestore(&self->spinlock, flags);
51766 wake_up_interruptible(&self->open_wait);
51767 @@ -1369,7 +1369,7 @@ static void ircomm_tty_line_info(struct
51770 seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
51771 - seq_printf(m, "Open count: %d\n", self->open_count);
51772 + seq_printf(m, "Open count: %d\n", atomic_read(&self->open_count));
51773 seq_printf(m, "Max data size: %d\n", self->max_data_size);
51774 seq_printf(m, "Max header size: %d\n", self->max_header_size);
51776 diff -urNp linux-2.6.33.1/net/mac80211/ieee80211_i.h linux-2.6.33.1/net/mac80211/ieee80211_i.h
51777 --- linux-2.6.33.1/net/mac80211/ieee80211_i.h 2010-03-15 12:09:39.000000000 -0400
51778 +++ linux-2.6.33.1/net/mac80211/ieee80211_i.h 2010-03-20 16:58:42.316527391 -0400
51779 @@ -574,7 +574,7 @@ struct ieee80211_local {
51780 /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
51781 spinlock_t queue_stop_reason_lock;
51784 + atomic_t open_count;
51785 int monitors, cooked_mntrs;
51786 /* number of interfaces with corresponding FIF_ flags */
51787 int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll;
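Review bot: The new `atomic_t open_count;` field carries no comment on what serialises its users. The iface.c hunks still perform read-then-act sequences, such as `atomic_read(&local->open_count) == 0` before `drv_start(local)` with `atomic_inc(&local->open_count)` only later in ieee80211_open, and an atomic type does not make those sequences safe by itself. If they rely on a lock held by the caller, say so next to the field, e.g. `/* atomic_t; open/stop check-then-act sequences still rely on the caller's serialisation */`. The removed declaration is not visible in this view.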
51788 diff -urNp linux-2.6.33.1/net/mac80211/iface.c linux-2.6.33.1/net/mac80211/iface.c
51789 --- linux-2.6.33.1/net/mac80211/iface.c 2010-03-15 12:09:39.000000000 -0400
51790 +++ linux-2.6.33.1/net/mac80211/iface.c 2010-03-20 16:58:42.316527391 -0400
51791 @@ -166,7 +166,7 @@ static int ieee80211_open(struct net_dev
51795 - if (local->open_count == 0) {
51796 + if (atomic_read(&local->open_count) == 0) {
51797 res = drv_start(local);
51800 @@ -198,7 +198,7 @@ static int ieee80211_open(struct net_dev
51801 * Validate the MAC address for this device.
51803 if (!is_valid_ether_addr(dev->dev_addr)) {
51804 - if (!local->open_count)
51805 + if (!atomic_read(&local->open_count))
51807 return -EADDRNOTAVAIL;
51809 @@ -294,7 +294,7 @@ static int ieee80211_open(struct net_dev
51811 hw_reconf_flags |= __ieee80211_recalc_idle(local);
51813 - local->open_count++;
51814 + atomic_inc(&local->open_count);
51815 if (hw_reconf_flags) {
51816 ieee80211_hw_config(local, hw_reconf_flags);
51818 @@ -322,7 +322,7 @@ static int ieee80211_open(struct net_dev
51820 drv_remove_interface(local, &conf);
51822 - if (!local->open_count)
51823 + if (!atomic_read(&local->open_count))
51827 @@ -422,7 +422,7 @@ static int ieee80211_stop(struct net_dev
51828 WARN_ON(!list_empty(&sdata->u.ap.vlans));
51831 - local->open_count--;
51832 + atomic_dec(&local->open_count);
51834 switch (sdata->vif.type) {
51835 case NL80211_IFTYPE_AP_VLAN:
51836 @@ -528,7 +528,7 @@ static int ieee80211_stop(struct net_dev
51838 ieee80211_recalc_ps(local, -1);
51840 - if (local->open_count == 0) {
51841 + if (atomic_read(&local->open_count) == 0) {
51842 ieee80211_clear_tx_pending(local);
51843 ieee80211_stop_device(local);
51845 diff -urNp linux-2.6.33.1/net/mac80211/main.c linux-2.6.33.1/net/mac80211/main.c
51846 --- linux-2.6.33.1/net/mac80211/main.c 2010-03-15 12:09:39.000000000 -0400
51847 +++ linux-2.6.33.1/net/mac80211/main.c 2010-03-20 16:58:42.316527391 -0400
51848 @@ -129,7 +129,7 @@ int ieee80211_hw_config(struct ieee80211
51849 local->hw.conf.power_level = power;
51852 - if (changed && local->open_count) {
51853 + if (changed && atomic_read(&local->open_count)) {
51854 ret = drv_config(local, changed);
51857 diff -urNp linux-2.6.33.1/net/mac80211/pm.c linux-2.6.33.1/net/mac80211/pm.c
51858 --- linux-2.6.33.1/net/mac80211/pm.c 2010-03-15 12:09:39.000000000 -0400
51859 +++ linux-2.6.33.1/net/mac80211/pm.c 2010-03-20 16:58:42.316527391 -0400
51860 @@ -107,7 +107,7 @@ int __ieee80211_suspend(struct ieee80211
51863 /* stop hardware - this must stop RX */
51864 - if (local->open_count)
51865 + if (atomic_read(&local->open_count))
51866 ieee80211_stop_device(local);
51868 local->suspended = true;
51869 diff -urNp linux-2.6.33.1/net/mac80211/rate.c linux-2.6.33.1/net/mac80211/rate.c
51870 --- linux-2.6.33.1/net/mac80211/rate.c 2010-03-15 12:09:39.000000000 -0400
51871 +++ linux-2.6.33.1/net/mac80211/rate.c 2010-03-20 16:58:42.316527391 -0400
51872 @@ -288,7 +288,7 @@ int ieee80211_init_rate_ctrl_alg(struct
51876 - if (local->open_count)
51877 + if (atomic_read(&local->open_count))
51880 if (local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL) {
51881 diff -urNp linux-2.6.33.1/net/mac80211/rc80211_pid_debugfs.c linux-2.6.33.1/net/mac80211/rc80211_pid_debugfs.c
51882 --- linux-2.6.33.1/net/mac80211/rc80211_pid_debugfs.c 2010-03-15 12:09:39.000000000 -0400
51883 +++ linux-2.6.33.1/net/mac80211/rc80211_pid_debugfs.c 2010-03-20 16:58:42.323982192 -0400
51884 @@ -191,7 +191,7 @@ static ssize_t rate_control_pid_events_r
51886 spin_unlock_irqrestore(&events->lock, status);
51888 - if (copy_to_user(buf, pb, p))
51889 + if (p > sizeof(pb) || copy_to_user(buf, pb, p))
51893 diff -urNp linux-2.6.33.1/net/mac80211/util.c linux-2.6.33.1/net/mac80211/util.c
51894 --- linux-2.6.33.1/net/mac80211/util.c 2010-03-15 12:09:39.000000000 -0400
51895 +++ linux-2.6.33.1/net/mac80211/util.c 2010-03-20 16:58:42.329957671 -0400
51896 @@ -1050,14 +1050,14 @@ int ieee80211_reconfig(struct ieee80211_
51897 local->resuming = true;
51899 /* restart hardware */
51900 - if (local->open_count) {
51901 + if (atomic_read(&local->open_count)) {
51903 * Upon resume hardware can sometimes be goofy due to
51904 * various platform / driver / bus issues, so restarting
51905 * the device may at times not work immediately. Propagate
51908 - res = drv_start(local);
51909 + res = drv_start(local);
51911 WARN(local->suspended, "Harware became unavailable "
51912 "upon resume. This is could be a software issue"
51913 diff -urNp linux-2.6.33.1/net/packet/af_packet.c linux-2.6.33.1/net/packet/af_packet.c
51914 --- linux-2.6.33.1/net/packet/af_packet.c 2010-03-15 12:09:39.000000000 -0400
51915 +++ linux-2.6.33.1/net/packet/af_packet.c 2010-03-20 16:58:42.329957671 -0400
51916 @@ -1886,7 +1886,7 @@ static int packet_getsockopt(struct sock
51917 case PACKET_HDRLEN:
51918 if (len > sizeof(int))
51920 - if (copy_from_user(&val, optval, len))
51921 + if (len > sizeof(val) || copy_from_user(&val, optval, len))
51925 @@ -1919,7 +1919,7 @@ static int packet_getsockopt(struct sock
51927 if (put_user(len, optlen))
51929 - if (copy_to_user(optval, data, len))
51930 + if (len > sizeof(st) || copy_to_user(optval, data, len))
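Review bot: The added bound `len > sizeof(st)` is taken from `st`, but the copy source is `data`, which is assigned outside this hunk. If `data` can point at an object smaller than `st` for some options, this test does not bound that copy and the per-option clamp stays the only protection. Bounding against the object actually copied would make the check meaningful, for instance by recording the source size where `data` is set (a hypothetical `data_len`) and testing `len > data_len` here. packet_getsockopt starts and ends outside the hunk.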
51934 diff -urNp linux-2.6.33.1/net/sctp/socket.c linux-2.6.33.1/net/sctp/socket.c
51935 --- linux-2.6.33.1/net/sctp/socket.c 2010-03-15 12:09:39.000000000 -0400
51936 +++ linux-2.6.33.1/net/sctp/socket.c 2010-03-20 16:58:42.332512321 -0400
51937 @@ -1482,7 +1482,7 @@ SCTP_STATIC int sctp_sendmsg(struct kioc
51938 struct sctp_sndrcvinfo *sinfo;
51939 struct sctp_initmsg *sinit;
51940 sctp_assoc_t associd = 0;
51941 - sctp_cmsgs_t cmsgs = { NULL };
51942 + sctp_cmsgs_t cmsgs = { NULL, NULL };
51944 sctp_scope_t scope;
51946 @@ -4386,7 +4386,7 @@ static int sctp_getsockopt_peer_addrs(st
51947 addrlen = sctp_get_af_specific(sk->sk_family)->sockaddr_len;
51948 if (space_left < addrlen)
51950 - if (copy_to_user(to, &temp, addrlen))
51951 + if (addrlen > sizeof(temp) || copy_to_user(to, &temp, addrlen))
51955 @@ -5478,7 +5478,6 @@ pp_found:
51957 int reuse = sk->sk_reuse;
51959 - struct hlist_node *node;
51961 SCTP_DEBUG_PRINTK("sctp_get_port() found a possible match\n");
51962 if (pp->fastreuse && sk->sk_reuse &&
51963 diff -urNp linux-2.6.33.1/net/socket.c linux-2.6.33.1/net/socket.c
51964 --- linux-2.6.33.1/net/socket.c 2010-03-15 12:09:39.000000000 -0400
51965 +++ linux-2.6.33.1/net/socket.c 2010-03-20 16:58:42.332512321 -0400
51967 #include <linux/wireless.h>
51968 #include <linux/nsproxy.h>
51969 #include <linux/magic.h>
51970 +#include <linux/in.h>
51972 #include <asm/uaccess.h>
51973 #include <asm/unistd.h>
51974 @@ -103,6 +104,8 @@
51975 #include <linux/sockios.h>
51976 #include <linux/atalk.h>
51978 +#include <linux/grsock.h>
51980 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
51981 static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
51982 unsigned long nr_segs, loff_t pos);
51983 @@ -304,7 +307,7 @@ static int sockfs_get_sb(struct file_sys
51987 -static struct vfsmount *sock_mnt __read_mostly;
51988 +struct vfsmount *sock_mnt __read_mostly;
51990 static struct file_system_type sock_fs_type = {
51992 @@ -1310,6 +1313,16 @@ SYSCALL_DEFINE3(socket, int, family, int
51993 if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
51994 flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
51996 + if(!gr_search_socket(family, type, protocol)) {
51997 + retval = -EACCES;
52001 + if (gr_handle_sock_all(family, type, protocol)) {
52002 + retval = -EACCES;
52006 retval = sock_create(family, type, protocol, &sock);
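Review bot: The two added checks have opposite polarity, since `gr_search_socket()` denies on a zero return while `gr_handle_sock_all()` denies on non-zero, and nothing at the call site says so. A one-line comment such as `/* gr_search_socket(): 0 = deny; gr_handle_sock_all(): non-zero = deny */` would keep a later edit from inverting one of them. `if(!gr_search_socket(...))` also lacks the space after `if` that the neighbouring lines use. The statements that follow each `retval = -EACCES;` are not visible in this view.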
52009 @@ -1422,6 +1435,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
52011 err = move_addr_to_kernel(umyaddr, addrlen, (struct sockaddr *)&address);
52013 + if (gr_handle_sock_server((struct sockaddr *)&address)) {
52017 + err = gr_search_bind(sock, (struct sockaddr_in *)&address);
52021 err = security_socket_bind(sock,
52022 (struct sockaddr *)&address,
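Review bot: `gr_search_bind(sock, (struct sockaddr_in *)&address)` casts the `sockaddr_storage` to `sockaddr_in` for every address family and does not pass `addrlen`. `address` is filled by `move_addr_to_kernel()` from `addrlen` user bytes, so unless the callee checks the family before touching the IPv4 fields, a short or non-IPv4 address has it reading bytes the caller never supplied. The callee is not visible here; I would pass `addrlen` through, or at least confirm and document that it tests `address.ss_family` and the length first. The connect hunk further down makes the same cast for `gr_search_connect()`.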
52024 @@ -1430,6 +1451,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
52025 (struct sockaddr *)
52026 &address, addrlen);
52029 fput_light(sock->file, fput_needed);
52032 @@ -1453,10 +1475,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, ba
52033 if ((unsigned)backlog > somaxconn)
52034 backlog = somaxconn;
52036 + if (gr_handle_sock_server_other(sock)) {
52041 + err = gr_search_listen(sock);
52045 err = security_socket_listen(sock, backlog);
52047 err = sock->ops->listen(sock, backlog);
52050 fput_light(sock->file, fput_needed);
52053 @@ -1499,6 +1531,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
52054 newsock->type = sock->type;
52055 newsock->ops = sock->ops;
52057 + if (gr_handle_sock_server_other(sock)) {
52059 + sock_release(newsock);
52063 + err = gr_search_accept(sock);
52065 + sock_release(newsock);
52070 * We don't need try_module_get here, as the listening socket (sock)
52071 * has the protocol module (sock->ops->owner) held.
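Review bot: Both new failure paths call `sock_release(newsock)` right after `newsock->ops = sock->ops`, ahead of the step the following context comment ("We don't need try_module_get here") belongs to, where the protocol module reference for `newsock` is presumably taken. If that reference is acquired only after this block, releasing a socket whose `ops` is already set would, as far as I can tell, drop a module reference that was never taken. Moving the two checks above the `newsock->type`/`newsock->ops` assignments, or below the reference acquisition, would keep get and put paired. Several lines of the added block are not visible in this view, and accept4's body continues outside the hunk.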
52072 @@ -1537,6 +1581,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
52073 fd_install(newfd, newfile);
52076 + gr_attach_curr_ip(newsock->sk);
52079 fput_light(sock->file, fput_needed);
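Review bot: `gr_attach_curr_ip(newsock->sk)` runs after `fd_install(newfd, newfile)`. Once the descriptor is installed, another thread sharing the file table can close it, so `newsock` may already have been released when it is dereferenced here. Moving the call above the install removes that window: `gr_attach_curr_ip(newsock->sk);` followed by `fd_install(newfd, newfile);`.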
52081 @@ -1569,6 +1615,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct
52084 struct socket *sock;
52085 + struct sockaddr *sck;
52086 struct sockaddr_storage address;
52087 int err, fput_needed;
52089 @@ -1579,6 +1626,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct
52093 + sck = (struct sockaddr *)&address;
52095 + if (gr_handle_sock_client(sck)) {
52100 + err = gr_search_connect(sock, (struct sockaddr_in *)sck);
52105 security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
52107 diff -urNp linux-2.6.33.1/net/sunrpc/xprtrdma/svc_rdma.c linux-2.6.33.1/net/sunrpc/xprtrdma/svc_rdma.c
52108 --- linux-2.6.33.1/net/sunrpc/xprtrdma/svc_rdma.c 2010-03-15 12:09:39.000000000 -0400
52109 +++ linux-2.6.33.1/net/sunrpc/xprtrdma/svc_rdma.c 2010-03-20 16:58:42.332512321 -0400
52110 @@ -105,7 +105,7 @@ static int read_reset_stat(ctl_table *ta
52114 - if (len && copy_to_user(buffer, str_buf, len))
52115 + if (len > sizeof(str_buf) || (len && copy_to_user(buffer, str_buf, len)))
52119 diff -urNp linux-2.6.33.1/net/sysctl_net.c linux-2.6.33.1/net/sysctl_net.c
52120 --- linux-2.6.33.1/net/sysctl_net.c 2010-03-15 12:09:39.000000000 -0400
52121 +++ linux-2.6.33.1/net/sysctl_net.c 2010-03-20 16:58:42.332512321 -0400
52122 @@ -46,7 +46,7 @@ static int net_ctl_permissions(struct ct
52123 struct ctl_table *table)
52125 /* Allow network administrator to have same access as root. */
52126 - if (capable(CAP_NET_ADMIN)) {
52127 + if (capable_nolog(CAP_NET_ADMIN)) {
52128 int mode = (table->mode >> 6) & 7;
52129 return (mode << 6) | (mode << 3) | mode;
52131 diff -urNp linux-2.6.33.1/net/unix/af_unix.c linux-2.6.33.1/net/unix/af_unix.c
52132 --- linux-2.6.33.1/net/unix/af_unix.c 2010-03-15 12:09:39.000000000 -0400
52133 +++ linux-2.6.33.1/net/unix/af_unix.c 2010-03-20 16:58:42.332512321 -0400
52134 @@ -735,6 +735,12 @@ static struct sock *unix_find_other(stru
52135 err = -ECONNREFUSED;
52136 if (!S_ISSOCK(inode->i_mode))
52139 + if (!gr_acl_handle_unix(path.dentry, path.mnt)) {
52144 u = unix_find_socket_byinode(net, inode);
52147 @@ -755,6 +761,13 @@ static struct sock *unix_find_other(stru
52149 struct dentry *dentry;
52150 dentry = unix_sk(u)->dentry;
52152 + if (!gr_handle_chroot_unix(u->sk_peercred.pid)) {
52159 touch_atime(unix_sk(u)->mnt, dentry);
52161 @@ -840,11 +853,18 @@ static int unix_bind(struct socket *sock
52162 err = security_path_mknod(&nd.path, dentry, mode, 0);
52164 goto out_mknod_drop_write;
52165 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
52167 + goto out_mknod_drop_write;
52169 err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0);
52170 out_mknod_drop_write:
52171 mnt_drop_write(nd.path.mnt);
52173 goto out_mknod_dput;
52175 + gr_handle_create(dentry, nd.path.mnt);
52177 mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
52178 dput(nd.path.dentry);
52179 nd.path.dentry = dentry;
52180 @@ -862,6 +882,10 @@ out_mknod_drop_write:
52184 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
52185 + sk->sk_peercred.pid = current->pid;
52188 list = &unix_socket_table[addr->hash];
52190 list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)];
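Review bot: `sk->sk_peercred.pid = current->pid` stores a raw numeric id at bind time, and the earlier unix_find_other hunk passes `u->sk_peercred.pid` to `gr_handle_chroot_unix()` at lookup time. A numeric id can be recycled after the binding task exits while the socket lives on through an inherited or passed descriptor, so the later check may be evaluated against an unrelated process; `current->pid` is also the thread's id rather than the thread group's. Holding a `struct pid` reference, taken with `get_pid(task_pid(current))` and dropped when the socket is destroyed, would avoid the reuse. If the numeric field has to stay, a comment stating that limitation belongs here. How `gr_handle_chroot_unix()` resolves the value is not visible.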
52191 diff -urNp linux-2.6.33.1/samples/kobject/kset-example.c linux-2.6.33.1/samples/kobject/kset-example.c
52192 --- linux-2.6.33.1/samples/kobject/kset-example.c 2010-03-15 12:09:39.000000000 -0400
52193 +++ linux-2.6.33.1/samples/kobject/kset-example.c 2010-03-20 16:58:42.344967210 -0400
52194 @@ -87,7 +87,7 @@ static ssize_t foo_attr_store(struct kob
52197 /* Our custom sysfs_ops that we will associate with our ktype later on */
52198 -static struct sysfs_ops foo_sysfs_ops = {
52199 +static const struct sysfs_ops foo_sysfs_ops = {
52200 .show = foo_attr_show,
52201 .store = foo_attr_store,
52203 diff -urNp linux-2.6.33.1/scripts/basic/fixdep.c linux-2.6.33.1/scripts/basic/fixdep.c
52204 --- linux-2.6.33.1/scripts/basic/fixdep.c 2010-03-15 12:09:39.000000000 -0400
52205 +++ linux-2.6.33.1/scripts/basic/fixdep.c 2010-03-20 16:58:42.344967210 -0400
52206 @@ -222,9 +222,9 @@ static void use_config(char *m, int slen
52208 static void parse_config_file(char *map, size_t len)
52210 - int *end = (int *) (map + len);
52211 + unsigned int *end = (unsigned int *) (map + len);
52212 /* start at +1, so that p can never be < map */
52213 - int *m = (int *) map + 1;
52214 + unsigned int *m = (unsigned int *) map + 1;
52217 for (; m < end; m++) {
52218 @@ -371,7 +371,7 @@ static void print_deps(void)
52219 static void traps(void)
52221 static char test[] __attribute__((aligned(sizeof(int)))) = "CONF";
52222 - int *p = (int *)test;
52223 + unsigned int *p = (unsigned int *)test;
52225 if (*p != INT_CONF) {
52226 fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianess? %#x\n",
52227 diff -urNp linux-2.6.33.1/scripts/kallsyms.c linux-2.6.33.1/scripts/kallsyms.c
52228 --- linux-2.6.33.1/scripts/kallsyms.c 2010-03-15 12:09:39.000000000 -0400
52229 +++ linux-2.6.33.1/scripts/kallsyms.c 2010-03-20 16:58:42.344967210 -0400
52230 @@ -43,10 +43,10 @@ struct text_range {
52232 static unsigned long long _text;
52233 static struct text_range text_ranges[] = {
52234 - { "_stext", "_etext" },
52235 - { "_sinittext", "_einittext" },
52236 - { "_stext_l1", "_etext_l1" }, /* Blackfin on-chip L1 inst SRAM */
52237 - { "_stext_l2", "_etext_l2" }, /* Blackfin on-chip L2 SRAM */
52238 + { "_stext", "_etext", 0, 0 },
52239 + { "_sinittext", "_einittext", 0, 0 },
52240 + { "_stext_l1", "_etext_l1", 0, 0 }, /* Blackfin on-chip L1 inst SRAM */
52241 + { "_stext_l2", "_etext_l2", 0, 0 }, /* Blackfin on-chip L2 SRAM */
52243 #define text_range_text (&text_ranges[0])
52244 #define text_range_inittext (&text_ranges[1])
52245 diff -urNp linux-2.6.33.1/scripts/mod/file2alias.c linux-2.6.33.1/scripts/mod/file2alias.c
52246 --- linux-2.6.33.1/scripts/mod/file2alias.c 2010-03-15 12:09:39.000000000 -0400
52247 +++ linux-2.6.33.1/scripts/mod/file2alias.c 2010-03-20 16:58:42.348544513 -0400
52248 @@ -72,7 +72,7 @@ static void device_id_check(const char *
52249 unsigned long size, unsigned long id_size,
52255 if (size % id_size || size < id_size) {
52256 if (cross_build != 0)
52257 @@ -102,7 +102,7 @@ static void device_id_check(const char *
52258 /* USB is special because the bcdDevice can be matched against a numeric range */
52259 /* Looks like "usb:vNpNdNdcNdscNdpNicNiscNipN" */
52260 static void do_usb_entry(struct usb_device_id *id,
52261 - unsigned int bcdDevice_initial, int bcdDevice_initial_digits,
52262 + unsigned int bcdDevice_initial, unsigned int bcdDevice_initial_digits,
52263 unsigned char range_lo, unsigned char range_hi,
52264 unsigned char max, struct module *mod)
52266 @@ -437,7 +437,7 @@ static void do_pnp_device_entry(void *sy
52267 for (i = 0; i < count; i++) {
52268 const char *id = (char *)devs[i].id;
52269 char acpi_id[sizeof(devs[0].id)];
52273 buf_printf(&mod->dev_table_buf,
52274 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
52275 @@ -467,7 +467,7 @@ static void do_pnp_card_entries(void *sy
52277 for (j = 0; j < PNP_MAX_DEVICES; j++) {
52278 const char *id = (char *)card->devs[j].id;
52280 + unsigned int i2, j2;
52284 @@ -493,7 +493,7 @@ static void do_pnp_card_entries(void *sy
52285 /* add an individual alias for every device entry */
52287 char acpi_id[sizeof(card->devs[0].id)];
52291 buf_printf(&mod->dev_table_buf,
52292 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
52293 @@ -768,7 +768,7 @@ static void dmi_ascii_filter(char *d, co
52294 static int do_dmi_entry(const char *filename, struct dmi_system_id *id,
52298 + unsigned int i, j;
52300 sprintf(alias, "dmi*");
52302 diff -urNp linux-2.6.33.1/scripts/mod/modpost.c linux-2.6.33.1/scripts/mod/modpost.c
52303 --- linux-2.6.33.1/scripts/mod/modpost.c 2010-03-15 12:09:39.000000000 -0400
52304 +++ linux-2.6.33.1/scripts/mod/modpost.c 2010-03-20 16:58:42.348544513 -0400
52305 @@ -842,6 +842,7 @@ enum mismatch {
52308 EXPORT_TO_INIT_EXIT,
52312 struct sectioncheck {
52313 @@ -927,6 +928,12 @@ const struct sectioncheck sectioncheck[]
52314 .fromsec = { "__ksymtab*", NULL },
52315 .tosec = { INIT_SECTIONS, EXIT_SECTIONS, NULL },
52316 .mismatch = EXPORT_TO_INIT_EXIT
52318 +/* Do not reference code from writable data */
52320 + .fromsec = { DATA_SECTIONS, NULL },
52321 + .tosec = { TEXT_SECTIONS, NULL },
52322 + .mismatch = DATA_TO_TEXT
52326 @@ -1031,10 +1038,10 @@ static Elf_Sym *find_elf_symbol(struct e
52328 if (ELF_ST_TYPE(sym->st_info) == STT_SECTION)
52330 - if (sym->st_value == addr)
52332 /* Find a symbol nearby - addr are maybe negative */
52333 d = sym->st_value - addr;
52337 d = addr - sym->st_value;
52338 if (d < distance) {
52339 @@ -1275,6 +1282,14 @@ static void report_sec_mismatch(const ch
52340 "Fix this by removing the %sannotation of %s "
52341 "or drop the export.\n",
52342 tosym, sec2annotation(tosec), sec2annotation(tosec), tosym);
52343 + case DATA_TO_TEXT:
52346 + "The variable %s references\n"
52347 + "the %s %s%s%s\n",
52348 + fromsym, to, sec2annotation(tosec), tosym, to_p);
52352 /* To get warnings on missing members */
52354 @@ -1600,7 +1615,7 @@ void __attribute__((format(printf, 2, 3)
52358 -void buf_write(struct buffer *buf, const char *s, int len)
52359 +void buf_write(struct buffer *buf, const char *s, unsigned int len)
52361 if (buf->size - buf->pos < len) {
52362 buf->size += len + SZ;
52363 @@ -1812,7 +1827,7 @@ static void write_if_changed(struct buff
52364 if (fstat(fileno(file), &st) < 0)
52367 - if (st.st_size != b->pos)
52368 + if (st.st_size != (off_t)b->pos)
52371 tmp = NOFAIL(malloc(b->pos));
52372 diff -urNp linux-2.6.33.1/scripts/mod/modpost.h linux-2.6.33.1/scripts/mod/modpost.h
52373 --- linux-2.6.33.1/scripts/mod/modpost.h 2010-03-15 12:09:39.000000000 -0400
52374 +++ linux-2.6.33.1/scripts/mod/modpost.h 2010-03-20 16:58:42.348544513 -0400
52375 @@ -92,15 +92,15 @@ void *do_nofail(void *ptr, const char *e
52381 + unsigned int pos;
52382 + unsigned int size;
52385 void __attribute__((format(printf, 2, 3)))
52386 buf_printf(struct buffer *buf, const char *fmt, ...);
52389 -buf_write(struct buffer *buf, const char *s, int len);
52390 +buf_write(struct buffer *buf, const char *s, unsigned int len);
52393 struct module *next;
52394 diff -urNp linux-2.6.33.1/scripts/mod/sumversion.c linux-2.6.33.1/scripts/mod/sumversion.c
52395 --- linux-2.6.33.1/scripts/mod/sumversion.c 2010-03-15 12:09:39.000000000 -0400
52396 +++ linux-2.6.33.1/scripts/mod/sumversion.c 2010-03-20 16:58:42.348544513 -0400
52397 @@ -455,7 +455,7 @@ static void write_version(const char *fi
52401 - if (write(fd, sum, strlen(sum)+1) != strlen(sum)+1) {
52402 + if (write(fd, sum, strlen(sum)+1) != (ssize_t)strlen(sum)+1) {
52403 warn("writing sum in %s failed: %s\n",
52404 filename, strerror(errno));
52406 diff -urNp linux-2.6.33.1/scripts/pnmtologo.c linux-2.6.33.1/scripts/pnmtologo.c
52407 --- linux-2.6.33.1/scripts/pnmtologo.c 2010-03-15 12:09:39.000000000 -0400
52408 +++ linux-2.6.33.1/scripts/pnmtologo.c 2010-03-20 16:58:42.348544513 -0400
52409 @@ -237,14 +237,14 @@ static void write_header(void)
52410 fprintf(out, " * Linux logo %s\n", logoname);
52411 fputs(" */\n\n", out);
52412 fputs("#include <linux/linux_logo.h>\n\n", out);
52413 - fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
52414 + fprintf(out, "static unsigned char %s_data[] = {\n",
52418 static void write_footer(void)
52420 fputs("\n};\n\n", out);
52421 - fprintf(out, "const struct linux_logo %s __initconst = {\n", logoname);
52422 + fprintf(out, "const struct linux_logo %s = {\n", logoname);
52423 fprintf(out, "\t.type\t\t= %s,\n", logo_types[logo_type]);
52424 fprintf(out, "\t.width\t\t= %d,\n", logo_width);
52425 fprintf(out, "\t.height\t\t= %d,\n", logo_height);
52426 @@ -374,7 +374,7 @@ static void write_logo_clut224(void)
52427 fputs("\n};\n\n", out);
52429 /* write logo clut */
52430 - fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
52431 + fprintf(out, "static unsigned char %s_clut[] = {\n",
52434 for (i = 0; i < logo_clutsize; i++) {
52435 diff -urNp linux-2.6.33.1/security/commoncap.c linux-2.6.33.1/security/commoncap.c
52436 --- linux-2.6.33.1/security/commoncap.c 2010-03-15 12:09:39.000000000 -0400
52437 +++ linux-2.6.33.1/security/commoncap.c 2010-03-20 16:58:42.348544513 -0400
52439 #include <linux/sched.h>
52440 #include <linux/prctl.h>
52441 #include <linux/securebits.h>
52443 +#include <net/sock.h>
52445 * If a non-root user executes a setuid-root binary in
52446 * !secure(SECURE_NOROOT) mode, then we raise capabilities.
52447 @@ -50,9 +50,11 @@ static void warn_setuid_and_fcaps_mixed(
52451 +extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);
52453 int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
52455 - NETLINK_CB(skb).eff_cap = current_cap();
52456 + NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink(sk);
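Review bot: `gr_cap_rtnetlink()` is declared with a bare `extern` inside commoncap.c, so the compiler cannot check this prototype against the definition if the two ever drift apart. The declaration belongs in a header that both this file and the defining file include. The assignment to `NETLINK_CB(skb).eff_cap` also changes which capability set travels with the message, and nothing visible here says how the returned set relates to the `current_cap()` it replaces. If the intent is that it can only narrow the sender's capabilities, state that next to the call: `/* must never return more than current_cap() */`. cap_netlink_send's body extends outside the hunk.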
52460 diff -urNp linux-2.6.33.1/security/integrity/ima/ima_api.c linux-2.6.33.1/security/integrity/ima/ima_api.c
52461 --- linux-2.6.33.1/security/integrity/ima/ima_api.c 2010-03-15 12:09:39.000000000 -0400
52462 +++ linux-2.6.33.1/security/integrity/ima/ima_api.c 2010-03-20 16:58:42.348544513 -0400
52463 @@ -74,7 +74,7 @@ void ima_add_violation(struct inode *ino
52466 /* can overflow, only indicator */
52467 - atomic_long_inc(&ima_htable.violations);
52468 + atomic_long_inc_unchecked(&ima_htable.violations);
52470 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
52472 diff -urNp linux-2.6.33.1/security/integrity/ima/ima_fs.c linux-2.6.33.1/security/integrity/ima/ima_fs.c
52473 --- linux-2.6.33.1/security/integrity/ima/ima_fs.c 2010-03-15 12:09:39.000000000 -0400
52474 +++ linux-2.6.33.1/security/integrity/ima/ima_fs.c 2010-03-20 16:58:42.348544513 -0400
52475 @@ -27,12 +27,12 @@
52476 static int valid_policy = 1;
52477 #define TMPBUFLEN 12
52478 static ssize_t ima_show_htable_value(char __user *buf, size_t count,
52479 - loff_t *ppos, atomic_long_t *val)
52480 + loff_t *ppos, atomic_long_unchecked_t *val)
52482 char tmpbuf[TMPBUFLEN];
52485 - len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
52486 + len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read_unchecked(val));
52487 return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
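Review bot: `TMPBUFLEN` is 12, which leaves room for 11 characters plus the terminator, while `"%li\n"` applied to a 64-bit `long` can need a sign, 19 digits and the newline. `scnprintf` bounds the write, so this is not an overflow, but the counter is now read through `atomic_long_read_unchecked` and the ima_api.c hunk says it can overflow. A large or wrapped value would then reach userspace truncated and without its trailing newline. Sizing the buffer for the widest value, `#define TMPBUFLEN 22`, removes the truncation; check any other user of `TMPBUFLEN` in this file first, since the rest of it is not visible here.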
52490 diff -urNp linux-2.6.33.1/security/integrity/ima/ima.h linux-2.6.33.1/security/integrity/ima/ima.h
52491 --- linux-2.6.33.1/security/integrity/ima/ima.h 2010-03-15 12:09:39.000000000 -0400
52492 +++ linux-2.6.33.1/security/integrity/ima/ima.h 2010-03-20 16:58:42.348544513 -0400
52493 @@ -83,8 +83,8 @@ void ima_add_violation(struct inode *ino
52494 extern spinlock_t ima_queue_lock;
52496 struct ima_h_table {
52497 - atomic_long_t len; /* number of stored measurements in the list */
52498 - atomic_long_t violations;
52499 + atomic_long_unchecked_t len; /* number of stored measurements in the list */
52500 + atomic_long_unchecked_t violations;
52501 struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
52503 extern struct ima_h_table ima_htable;
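Review bot: Only `violations` has a stated reason for using the unchecked type, namely the `/* can overflow, only indicator */` comment in the ima_api.c hunk. `len` is switched to `atomic_long_unchecked_t` here and incremented with `atomic_long_inc_unchecked` in the ima_queue.c hunk with no such justification. If `len` is purely a statistic that is reported and never used to size or index anything, say so on the field: `/* number of stored measurements in the list; statistic only, may wrap */`. If any code relies on it for a bound, it should stay on the checked type.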
52504 diff -urNp linux-2.6.33.1/security/integrity/ima/ima_queue.c linux-2.6.33.1/security/integrity/ima/ima_queue.c
52505 --- linux-2.6.33.1/security/integrity/ima/ima_queue.c 2010-03-15 12:09:39.000000000 -0400
52506 +++ linux-2.6.33.1/security/integrity/ima/ima_queue.c 2010-03-20 16:58:42.348544513 -0400
52507 @@ -78,7 +78,7 @@ static int ima_add_digest_entry(struct i
52508 INIT_LIST_HEAD(&qe->later);
52509 list_add_tail_rcu(&qe->later, &ima_measurements);
52511 - atomic_long_inc(&ima_htable.len);
52512 + atomic_long_inc_unchecked(&ima_htable.len);
52513 key = ima_hash_key(entry->digest);
52514 hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
52516 diff -urNp linux-2.6.33.1/security/Kconfig linux-2.6.33.1/security/Kconfig
52517 --- linux-2.6.33.1/security/Kconfig 2010-03-15 12:09:39.000000000 -0400
52518 +++ linux-2.6.33.1/security/Kconfig 2010-03-20 17:07:22.208972401 -0400
52521 menu "Security options"
52523 +source grsecurity/Kconfig
52528 + bool "Enable various PaX features"
52529 + depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS32 || MIPS64 || PARISC || PPC || SPARC || X86)
52531 + This allows you to enable various PaX features. PaX adds
52532 + intrusion prevention mechanisms to the kernel that reduce
52533 + the risks posed by exploitable memory corruption bugs.
52535 +menu "PaX Control"
52538 +config PAX_SOFTMODE
52539 + bool 'Support soft mode'
52540 + select PAX_PT_PAX_FLAGS
52542 + Enabling this option will allow you to run PaX in soft mode, that
52543 + is, PaX features will not be enforced by default, only on executables
52544 + marked explicitly. You must also enable PT_PAX_FLAGS support as it
52545 + is the only way to mark executables for soft mode use.
52547 + Soft mode can be activated by using the "pax_softmode=1" kernel command
52548 + line option on boot. Furthermore you can control various PaX features
52549 + at runtime via the entries in /proc/sys/kernel/pax.
52552 + bool 'Use legacy ELF header marking'
52554 + Enabling this option will allow you to control PaX features on
52555 + a per executable basis via the 'chpax' utility available at
52556 + http://pax.grsecurity.net/. The control flags will be read from
52557 + an otherwise reserved part of the ELF header. This marking has
52558 + numerous drawbacks (no support for soft-mode, toolchain does not
52559 + know about the non-standard use of the ELF header) therefore it
52560 + has been deprecated in favour of PT_PAX_FLAGS support.
52562 + If you have applications not marked by the PT_PAX_FLAGS ELF
52563 + program header then you MUST enable this option otherwise they
52564 + will not get any protection.
52566 + Note that if you enable PT_PAX_FLAGS marking support as well,
52567 + the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
52569 +config PAX_PT_PAX_FLAGS
52570 + bool 'Use ELF program header marking'
52572 + Enabling this option will allow you to control PaX features on
52573 + a per executable basis via the 'paxctl' utility available at
52574 + http://pax.grsecurity.net/. The control flags will be read from
52575 + a PaX specific ELF program header (PT_PAX_FLAGS). This marking
52576 + has the benefits of supporting both soft mode and being fully
52577 + integrated into the toolchain (the binutils patch is available
52578 + from http://pax.grsecurity.net).
52580 + If you have applications not marked by the PT_PAX_FLAGS ELF
52581 + program header then you MUST enable the EI_PAX marking support
52582 + otherwise they will not get any protection.
52584 + Note that if you enable the legacy EI_PAX marking support as well,
52585 + the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
52588 + prompt 'MAC system integration'
52589 + default PAX_HAVE_ACL_FLAGS
52591 + Mandatory Access Control systems have the option of controlling
52592 + PaX flags on a per executable basis, choose the method supported
52593 + by your particular system.
52595 + - "none": if your MAC system does not interact with PaX,
52596 + - "direct": if your MAC system defines pax_set_initial_flags() itself,
52597 + - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
52599 + NOTE: this option is for developers/integrators only.
52601 + config PAX_NO_ACL_FLAGS
52604 + config PAX_HAVE_ACL_FLAGS
52607 + config PAX_HOOK_ACL_FLAGS
52613 +menu "Non-executable pages"
52617 + bool "Enforce non-executable pages"
52618 + depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
52620 + By design some architectures do not allow for protecting memory
52621 + pages against execution or even if they do, Linux does not make
52622 + use of this feature. In practice this means that if a page is
52623 + readable (such as the stack or heap) it is also executable.
52625 + There is a well known exploit technique that makes use of this
52626 + fact and a common programming mistake where an attacker can
52627 + introduce code of his choice somewhere in the attacked program's
52628 + memory (typically the stack or the heap) and then execute it.
52630 + If the attacked program was running with different (typically
52631 + higher) privileges than that of the attacker, then he can elevate
52632 + his own privilege level (e.g. get a root shell, write to files for
52633 + which he does not have write access to, etc).
52635 + Enabling this option will let you choose from various features
52636 + that prevent the injection and execution of 'foreign' code in
52639 + This will also break programs that rely on the old behaviour and
52640 + expect that dynamically allocated memory via the malloc() family
52641 + of functions is executable (which it is not). Notable examples
52642 + are the XFree86 4.x server, the java runtime and wine.
52644 +config PAX_PAGEEXEC
52645 + bool "Paging based non-executable pages"
52646 + depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7)
52647 + select S390_SWITCH_AMODE if S390
52648 + select S390_EXEC_PROTECT if S390
52650 + This implementation is based on the paging feature of the CPU.
52651 + On i386 without hardware non-executable bit support there is a
52652 + variable but usually low performance impact, however on Intel's
52653 + P4 core based CPUs it is very high so you should not enable this
52654 + for kernels meant to be used on such CPUs.
52656 + On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
52657 + with hardware non-executable bit support there is no performance
52658 + impact, on ppc the impact is negligible.
52660 + Note that several architectures require various emulations due to
52661 + badly designed userland ABIs, this will cause a performance impact
52662 + but will disappear as soon as userland is fixed. For example, ppc
52663 + userland MUST have been built with secure-plt by a recent toolchain.
52665 +config PAX_SEGMEXEC
52666 + bool "Segmentation based non-executable pages"
52667 + depends on PAX_NOEXEC && X86_32
52669 + This implementation is based on the segmentation feature of the
52670 + CPU and has a very small performance impact, however applications
52671 + will be limited to a 1.5 GB address space instead of the normal
52674 +config PAX_EMUTRAMP
52675 + bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
52676 + default y if PARISC
52678 + There are some programs and libraries that for one reason or
52679 + another attempt to execute special small code snippets from
52680 + non-executable memory pages. Most notable examples are the
52681 + signal handler return code generated by the kernel itself and
52682 + the GCC trampolines.
52684 + If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
52685 + such programs will no longer work under your kernel.
52687 + As a remedy you can say Y here and use the 'chpax' or 'paxctl'
52688 + utilities to enable trampoline emulation for the affected programs
52689 + yet still have the protection provided by the non-executable pages.
52691 + On parisc you MUST enable this option and EMUSIGRT as well, otherwise
52692 + your system will not even boot.
52694 + Alternatively you can say N here and use the 'chpax' or 'paxctl'
52695 + utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
52696 + for the affected files.
52698 + NOTE: enabling this feature *may* open up a loophole in the
52699 + protection provided by non-executable pages that an attacker
52700 + could abuse. Therefore the best solution is to not have any
52701 + files on your system that would require this option. This can
52702 + be achieved by not using libc5 (which relies on the kernel
52703 + signal handler return code) and not using or rewriting programs
52704 + that make use of the nested function implementation of GCC.
52705 + Skilled users can just fix GCC itself so that it implements
52706 + nested function calls in a way that does not interfere with PaX.
52708 +config PAX_EMUSIGRT
52709 + bool "Automatically emulate sigreturn trampolines"
52710 + depends on PAX_EMUTRAMP && PARISC
52713 + Enabling this option will have the kernel automatically detect
52714 + and emulate signal return trampolines executing on the stack
52715 + that would otherwise lead to task termination.
52717 + This solution is intended as a temporary one for users with
52718 + legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
52719 + Modula-3 runtime, etc) or executables linked to such, basically
52720 + everything that does not specify its own SA_RESTORER function in
52721 + normal executable memory like glibc 2.1+ does.
52723 + On parisc you MUST enable this option, otherwise your system will
52726 + NOTE: this feature cannot be disabled on a per executable basis
52727 + and since it *does* open up a loophole in the protection provided
52728 + by non-executable pages, the best solution is to not have any
52729 + files on your system that would require this option.
52731 +config PAX_MPROTECT
52732 + bool "Restrict mprotect()"
52733 + depends on (PAX_PAGEEXEC || PAX_SEGMEXEC)
52735 + Enabling this option will prevent programs from
52736 + - changing the executable status of memory pages that were
52737 + not originally created as executable,
52738 + - making read-only executable pages writable again,
52739 + - creating executable pages from anonymous memory.
52741 + You should say Y here to complete the protection provided by
52742 + the enforcement of non-executable pages.
52744 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
52745 + this feature on a per file basis.
52747 +config PAX_NOELFRELOCS
52748 + bool "Disallow ELF text relocations"
52749 + depends on PAX_MPROTECT && !PAX_ETEXECRELOCS && (IA64 || PPC || X86)
52751 + Non-executable pages and mprotect() restrictions are effective
52752 + in preventing the introduction of new executable code into an
52753 + attacked task's address space. There remain only two venues
52754 + for this kind of attack: if the attacker can execute already
52755 + existing code in the attacked task then he can either have it
52756 + create and mmap() a file containing his code or have it mmap()
52757 + an already existing ELF library that does not have position
52758 + independent code in it and use mprotect() on it to make it
52759 + writable and copy his code there. While protecting against
52760 + the former approach is beyond PaX, the latter can be prevented
52761 + by having only PIC ELF libraries on one's system (which do not
52762 + need to relocate their code). If you are sure this is your case,
52763 + then enable this option otherwise be careful as you may not even
52764 + be able to boot or log on your system (for example, some PAM
52765 + modules are erroneously compiled as non-PIC by default).
52767 + NOTE: if you are using dynamic ELF executables (as suggested
52768 + when using ASLR) then you must have made sure that you linked
52769 + your files using the PIC version of crt1 (the et_dyn.tar.gz package
52770 + referenced there has already been updated to support this).
52772 +config PAX_ETEXECRELOCS
52773 + bool "Allow ELF ET_EXEC text relocations"
52774 + depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
52777 + On some architectures there are incorrectly created applications
52778 + that require text relocations and would not work without enabling
52779 + this option. If you are an alpha, ia64 or parisc user, you should
52780 + enable this option and disable it once you have made sure that
52781 + none of your applications need it.
52784 + bool "Automatically emulate ELF PLT"
52785 + depends on PAX_MPROTECT && (ALPHA || PARISC || SPARC)
52788 + Enabling this option will have the kernel automatically detect
52789 + and emulate the Procedure Linkage Table entries in ELF files.
52790 + On some architectures such entries are in writable memory, and
52791 + become non-executable leading to task termination. Therefore
52792 + it is mandatory that you enable this option on alpha, parisc,
52793 + sparc and sparc64, otherwise your system would not even boot.
52795 + NOTE: this feature *does* open up a loophole in the protection
52796 + provided by the non-executable pages, therefore the proper
52797 + solution is to modify the toolchain to produce a PLT that does
52798 + not need to be writable.
52800 +config PAX_DLRESOLVE
52801 + bool 'Emulate old glibc resolver stub'
52802 + depends on PAX_EMUPLT && SPARC
52805 + This option is needed if userland has an old glibc (before 2.4)
52806 + that puts a 'save' instruction into the runtime generated resolver
52807 + stub that needs special emulation.
52809 +config PAX_KERNEXEC
52810 + bool "Enforce non-executable kernel pages"
52811 + depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
52813 + This is the kernel land equivalent of PAGEEXEC and MPROTECT,
52814 + that is, enabling this option will make it harder to inject
52815 + and execute 'foreign' code in kernel memory itself.
52817 +config PAX_KERNEXEC_MODULE_TEXT
52818 + int "Minimum amount of memory reserved for module code"
52820 + depends on PAX_KERNEXEC && X86_32 && MODULES
52822 + Due to implementation details the kernel must reserve a fixed
52823 + amount of memory for module code at compile time that cannot be
52824 + changed at runtime. Here you can specify the minimum amount
52825 + in MB that will be reserved. Due to the same implementation
52826 + details this size will always be rounded up to the next 2/4 MB
52827 + boundary (depends on PAE) so the actually available memory for
52828 + module code will usually be more than this minimum.
52830 + The default 4 MB should be enough for most users but if you have
52831 + an excessive number of modules (e.g., most distribution configs
52832 + compile many drivers as modules) or use huge modules such as
52833 + nvidia's kernel driver, you will need to adjust this amount.
52834 + A good rule of thumb is to look at your currently loaded kernel
52835 + modules and add up their sizes.
52839 +menu "Address Space Layout Randomization"
52843 + bool "Address Space Layout Randomization"
52844 + depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
52846 + Many if not most exploit techniques rely on the knowledge of
52847 + certain addresses in the attacked program. The following options
52848 + will allow the kernel to apply a certain amount of randomization
52849 + to specific parts of the program thereby forcing an attacker to
52850 + guess them in most cases. Any failed guess will most likely crash
52851 + the attacked program which allows the kernel to detect such attempts
52852 + and react on them. PaX itself provides no reaction mechanisms,
52853 + instead it is strongly encouraged that you make use of Nergal's
52854 + segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
52855 + (http://www.grsecurity.net/) built-in crash detection features or
52856 + develop one yourself.
52858 + By saying Y here you can choose to randomize the following areas:
52859 + - top of the task's kernel stack
52860 + - top of the task's userland stack
52861 + - base address for mmap() requests that do not specify one
52862 + (this includes all libraries)
52863 + - base address of the main executable
52865 + It is strongly recommended to say Y here as address space layout
52866 + randomization has negligible impact on performance yet it provides
52867 + a very effective protection.
52869 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
52870 + this feature on a per file basis.
52872 +config PAX_RANDKSTACK
52873 + bool "Randomize kernel stack base"
52874 + depends on PAX_ASLR && X86_TSC && X86_32
52876 + By saying Y here the kernel will randomize every task's kernel
52877 + stack on every system call. This will not only force an attacker
52878 + to guess it but also prevent him from making use of possible
52879 + leaked information about it.
52881 + Since the kernel stack is a rather scarce resource, randomization
52882 + may cause unexpected stack overflows, therefore you should very
52883 + carefully test your system. Note that once enabled in the kernel
52884 + configuration, this feature cannot be disabled on a per file basis.
52886 +config PAX_RANDUSTACK
52887 + bool "Randomize user stack base"
52888 + depends on PAX_ASLR
52890 + By saying Y here the kernel will randomize every task's userland
52891 + stack. The randomization is done in two steps where the second
52892 + one may apply a big amount of shift to the top of the stack and
52893 + cause problems for programs that want to use lots of memory (more
52894 + than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
52895 + For this reason the second step can be controlled by 'chpax' or
52896 + 'paxctl' on a per file basis.
52898 +config PAX_RANDMMAP
52899 + bool "Randomize mmap() base"
52900 + depends on PAX_ASLR
52902 + By saying Y here the kernel will use a randomized base address for
52903 + mmap() requests that do not specify one themselves. As a result
52904 + all dynamically loaded libraries will appear at random addresses
52905 + and therefore be harder to exploit by a technique where an attacker
52906 + attempts to execute library code for his purposes (e.g. spawn a
52907 + shell from an exploited program that is running at an elevated
52908 + privilege level).
52910 + Furthermore, if a program is relinked as a dynamic ELF file, its
52911 + base address will be randomized as well, completing the full
52912 + randomization of the address space layout. Attacking such programs
52913 + becomes a guess game. You can find an example of doing this at
52914 + http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
52915 + http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
52917 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
52918 + feature on a per file basis.
52922 +menu "Miscellaneous hardening features"
52924 +config PAX_MEMORY_SANITIZE
52925 + bool "Sanitize all freed memory"
52927 + By saying Y here the kernel will erase memory pages as soon as they
52928 + are freed. This in turn reduces the lifetime of data stored in the
52929 + pages, making it less likely that sensitive information such as
52930 + passwords, cryptographic secrets, etc stay in memory for too long.
52932 + This is especially useful for programs whose runtime is short, long
52933 + lived processes and the kernel itself benefit from this as long as
52934 + they operate on whole memory pages and ensure timely freeing of pages
52935 + that may hold sensitive information.
52937 + The tradeoff is performance impact, on a single CPU system kernel
52938 + compilation sees a 3% slowdown, other systems and workloads may vary
52939 + and you are advised to test this feature on your expected workload
52940 + before deploying it.
52942 + Note that this feature does not protect data stored in live pages,
52943 + e.g., process memory swapped to disk may stay there for a long time.
52945 +config PAX_MEMORY_UDEREF
52946 + bool "Prevent invalid userland pointer dereference"
52947 + depends on X86_32 && !UML_X86 && !XEN
52949 + By saying Y here the kernel will be prevented from dereferencing
52950 + userland pointers in contexts where the kernel expects only kernel
52951 + pointers. This is both a useful runtime debugging feature and a
52952 + security measure that prevents exploiting a class of kernel bugs.
52954 + The tradeoff is that some virtualization solutions may experience
52955 + a huge slowdown and therefore you should not enable this feature
52956 + for kernels meant to run in such environments. Whether a given VM
52957 + solution is affected or not is best determined by simply trying it
52958 + out, the performance impact will be obvious right on boot as this
52959 + mechanism engages from very early on. A good rule of thumb is that
52960 + VMs running on CPUs without hardware virtualization support (i.e.,
52961 + the majority of IA-32 CPUs) will likely experience the slowdown.
52963 +config PAX_REFCOUNT
52964 + bool "Prevent various kernel object reference counter overflows"
52965 + depends on GRKERNSEC && (X86 || SPARC64)
52967 + By saying Y here the kernel will detect and prevent overflowing
52968 + various (but not all) kinds of object reference counters. Such
52969 + overflows can normally occur due to bugs only and are often, if
52970 + not always, exploitable.
52972 + The tradeoff is that data structures protected by an overflowed
52973 + refcount will never be freed and therefore will leak memory. Note
52974 + that this leak also happens even without this protection but in
52975 + that case the overflow can eventually trigger the freeing of the
52976 + data structure while it is still being used elsewhere, resulting
52977 + in the exploitable situation that this feature prevents.
52979 + Since this has a negligible performance impact, you should enable
52982 +config PAX_USERCOPY
52983 + bool "Bounds check heap object copies between kernel and userland"
52984 + depends on X86 || PPC || SPARC
52985 + depends on GRKERNSEC && (SLAB || SLUB || SLOB)
52987 + By saying Y here the kernel will enforce the size of heap objects
52988 + when they are copied in either direction between the kernel and
52989 + userland, even if only a part of the heap object is copied.
52991 + Specifically, this checking prevents information leaking from the
52992 + kernel heap during kernel to userland copies (if the kernel heap
52993 + object is otherwise fully initialized) and prevents kernel heap
52994 + overflows during userland to kernel copies.
52996 + Note that the current implementation provides the strictest checks
52997 + for the SLUB allocator.
52999 + Since this has a negligible performance impact, you should enable
53006 bool "Enable access key retention support"
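Review bot: The `depends on` line of PAX_PAGEEXEC accepts `MPENTIUM4` on X86_32, while its own help text says the performance impact on Intel P4 core CPUs is very high and that the option should not be enabled for kernels meant for them. As written, the configuration offers exactly the combination the help warns against. If the warning applies only to P4 parts running without the hardware non-executable bit, the help should say so, for example `On P4 core based CPUs used without hardware non-executable bit support the impact is very high; do not enable this for such kernels.` Otherwise the dependency list should not include that CPU choice.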
53008 @@ -124,7 +606,7 @@ config INTEL_TXT
53009 config LSM_MMAP_MIN_ADDR
53010 int "Low address space for LSM to protect from user allocation"
53011 depends on SECURITY && SECURITY_SELINUX
53015 This is the portion of low virtual memory which should be protected
53016 from userspace allocation. Keeping a user from writing to low pages
53017 diff -urNp linux-2.6.33.1/security/min_addr.c linux-2.6.33.1/security/min_addr.c
53018 --- linux-2.6.33.1/security/min_addr.c 2010-03-15 12:09:39.000000000 -0400
53019 +++ linux-2.6.33.1/security/min_addr.c 2010-03-20 16:58:42.348544513 -0400
53020 @@ -14,6 +14,7 @@ unsigned long dac_mmap_min_addr = CONFIG
53022 static void update_mmap_min_addr(void)
53025 #ifdef CONFIG_LSM_MMAP_MIN_ADDR
53026 if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
53027 mmap_min_addr = dac_mmap_min_addr;
53028 @@ -22,6 +23,7 @@ static void update_mmap_min_addr(void)
53030 mmap_min_addr = dac_mmap_min_addr;
53036 diff -urNp linux-2.6.33.1/sound/aoa/codecs/onyx.c linux-2.6.33.1/sound/aoa/codecs/onyx.c
53037 --- linux-2.6.33.1/sound/aoa/codecs/onyx.c 2010-03-15 12:09:39.000000000 -0400
53038 +++ linux-2.6.33.1/sound/aoa/codecs/onyx.c 2010-03-20 16:58:42.365465627 -0400
53039 @@ -53,7 +53,7 @@ struct onyx {
53044 + atomic_t open_count;
53045 struct codec_info *codec_info;
53047 /* mutex serializes concurrent access to the device
53048 @@ -752,7 +752,7 @@ static int onyx_open(struct codec_info_i
53049 struct onyx *onyx = cii->codec_data;
53051 mutex_lock(&onyx->mutex);
53052 - onyx->open_count++;
53053 + atomic_inc(&onyx->open_count);
53054 mutex_unlock(&onyx->mutex);
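Review bot: `open_count` is still modified only between `mutex_lock(&onyx->mutex)` and `mutex_unlock(&onyx->mutex)`, here and in the onyx_close hunk. Making it `atomic_t` therefore adds nothing for concurrency and leaves the reader unsure which mechanism protects it. If the conversion exists so the counter goes through the overflow-checked atomic operations described under PAX_REFCOUNT in this patch's security/Kconfig, record that on the field: `atomic_t open_count; /* atomic_t for overflow detection; serialized by onyx->mutex */`. onyx_close also has no guard against an unbalanced close taking the counter below zero. Both function bodies extend outside their hunks.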
53057 @@ -764,8 +764,7 @@ static int onyx_close(struct codec_info_
53058 struct onyx *onyx = cii->codec_data;
53060 mutex_lock(&onyx->mutex);
53061 - onyx->open_count--;
53062 - if (!onyx->open_count)
53063 + if (atomic_dec_and_test(&onyx->open_count))
53064 onyx->spdif_locked = onyx->analog_locked = 0;
53065 mutex_unlock(&onyx->mutex);
53067 diff -urNp linux-2.6.33.1/sound/core/oss/pcm_oss.c linux-2.6.33.1/sound/core/oss/pcm_oss.c
53068 --- linux-2.6.33.1/sound/core/oss/pcm_oss.c 2010-03-15 12:09:39.000000000 -0400
53069 +++ linux-2.6.33.1/sound/core/oss/pcm_oss.c 2010-03-20 16:58:42.372956563 -0400
53070 @@ -2949,8 +2949,8 @@ static void snd_pcm_oss_proc_done(struct
53073 #else /* !CONFIG_SND_VERBOSE_PROCFS */
53074 -#define snd_pcm_oss_proc_init(pcm)
53075 -#define snd_pcm_oss_proc_done(pcm)
53076 +#define snd_pcm_oss_proc_init(pcm) do {} while (0)
53077 +#define snd_pcm_oss_proc_done(pcm) do {} while (0)
53078 #endif /* CONFIG_SND_VERBOSE_PROCFS */
53081 diff -urNp linux-2.6.33.1/sound/core/seq/seq_lock.h linux-2.6.33.1/sound/core/seq/seq_lock.h
53082 --- linux-2.6.33.1/sound/core/seq/seq_lock.h 2010-03-15 12:09:39.000000000 -0400
53083 +++ linux-2.6.33.1/sound/core/seq/seq_lock.h 2010-03-20 16:58:42.376941145 -0400
53084 @@ -23,10 +23,10 @@ void snd_use_lock_sync_helper(snd_use_lo
53085 #else /* SMP || CONFIG_SND_DEBUG */
53087 typedef spinlock_t snd_use_lock_t; /* dummy */
53088 -#define snd_use_lock_init(lockp) /**/
53089 -#define snd_use_lock_use(lockp) /**/
53090 -#define snd_use_lock_free(lockp) /**/
53091 -#define snd_use_lock_sync(lockp) /**/
53092 +#define snd_use_lock_init(lockp) do {} while (0)
53093 +#define snd_use_lock_use(lockp) do {} while (0)
53094 +#define snd_use_lock_free(lockp) do {} while (0)
53095 +#define snd_use_lock_sync(lockp) do {} while (0)
53097 #endif /* SMP || CONFIG_SND_DEBUG */
53099 diff -urNp linux-2.6.33.1/sound/drivers/mts64.c linux-2.6.33.1/sound/drivers/mts64.c
53100 --- linux-2.6.33.1/sound/drivers/mts64.c 2010-03-15 12:09:39.000000000 -0400
53101 +++ linux-2.6.33.1/sound/drivers/mts64.c 2010-03-20 16:58:42.380965540 -0400
53102 @@ -65,7 +65,7 @@ struct mts64 {
53103 struct pardevice *pardev;
53104 int pardev_claimed;
53107 + atomic_t open_count;
53108 int current_midi_output_port;
53109 int current_midi_input_port;
53110 u8 mode[MTS64_NUM_INPUT_PORTS];
53111 @@ -695,7 +695,7 @@ static int snd_mts64_rawmidi_open(struct
53113 struct mts64 *mts = substream->rmidi->private_data;
53115 - if (mts->open_count == 0) {
53116 + if (atomic_read(&mts->open_count) == 0) {
53117 /* We don't need a spinlock here, because this is just called
53118 if the device has not been opened before.
53119 So there aren't any IRQs from the device */
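Review bot: `atomic_read(&mts->open_count) == 0` followed in the next hunk by `atomic_inc(&mts->open_count)` is still a check-then-act sequence. Each call is atomic but the pair is not, so two overlapping opens could both observe 0 and both run the first-open initialisation. The last snd_mts64_rawmidi_close hunk has the same shape, with `atomic_read(&mts->open_count) < 0` and `atomic_set(&mts->open_count, 0)` as separate steps. The existing comment already assumes no concurrent opener; if the rawmidi core guarantees that, state it on the field, e.g. `/* atomic_t for overflow checking only; open/close are serialised by the caller */`. Otherwise the counter should be updated under `mts->lock`. Both functions extend outside the hunks shown.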
53120 @@ -703,7 +703,7 @@ static int snd_mts64_rawmidi_open(struct
53124 - ++(mts->open_count);
53125 + atomic_inc(&mts->open_count);
53129 @@ -713,8 +713,7 @@ static int snd_mts64_rawmidi_close(struc
53130 struct mts64 *mts = substream->rmidi->private_data;
53131 unsigned long flags;
53133 - --(mts->open_count);
53134 - if (mts->open_count == 0) {
53135 + if (atomic_dec_return(&mts->open_count) == 0) {
53136 /* We need the spinlock_irqsave here because we can still
53137 have IRQs at this point */
53138 spin_lock_irqsave(&mts->lock, flags);
53139 @@ -723,8 +722,8 @@ static int snd_mts64_rawmidi_close(struc
53143 - } else if (mts->open_count < 0)
53144 - mts->open_count = 0;
53145 + } else if (atomic_read(&mts->open_count) < 0)
53146 + atomic_set(&mts->open_count, 0);
53150 diff -urNp linux-2.6.33.1/sound/drivers/portman2x4.c linux-2.6.33.1/sound/drivers/portman2x4.c
53151 --- linux-2.6.33.1/sound/drivers/portman2x4.c 2010-03-15 12:09:39.000000000 -0400
53152 +++ linux-2.6.33.1/sound/drivers/portman2x4.c 2010-03-20 16:58:42.396942474 -0400
53153 @@ -83,7 +83,7 @@ struct portman {
53154 struct pardevice *pardev;
53155 int pardev_claimed;
53158 + atomic_t open_count;
53159 int mode[PORTMAN_NUM_INPUT_PORTS];
53160 struct snd_rawmidi_substream *midi_input[PORTMAN_NUM_INPUT_PORTS];
53162 diff -urNp linux-2.6.33.1/sound/oss/sb_audio.c linux-2.6.33.1/sound/oss/sb_audio.c
53163 --- linux-2.6.33.1/sound/oss/sb_audio.c 2010-03-15 12:09:39.000000000 -0400
53164 +++ linux-2.6.33.1/sound/oss/sb_audio.c 2010-03-20 16:58:42.404957454 -0400
53165 @@ -901,7 +901,7 @@ sb16_copy_from_user(int dev,
53166 buf16 = (signed short *)(localbuf + localoffs);
53169 - locallen = (c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
53170 + locallen = ((unsigned)c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
53171 if (copy_from_user(lbuf8,
53172 userbuf+useroffs + p,
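Review bot: The `(unsigned)c` cast on the `locallen` line is the only thing bounding the following `copy_from_user()` when `c` is negative, and nothing in the code says so. A later cleanup could remove it as redundant. Add a comment above the assignment, e.g. `/* compare as unsigned: a negative c must clamp to LBUFCOPYSIZE, not pass through as the copy length */`. With the cast a negative `c` is clamped to a full `LBUFCOPYSIZE` copy rather than rejected; whether `c` can go negative depends on the loop and declarations outside this hunk, so an explicit early check there may be the clearer fix.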
53174 diff -urNp linux-2.6.33.1/sound/pci/ac97/ac97_codec.c linux-2.6.33.1/sound/pci/ac97/ac97_codec.c
53175 --- linux-2.6.33.1/sound/pci/ac97/ac97_codec.c 2010-03-15 12:09:39.000000000 -0400
53176 +++ linux-2.6.33.1/sound/pci/ac97/ac97_codec.c 2010-03-20 16:58:42.416962707 -0400
53177 @@ -1962,7 +1962,7 @@ static int snd_ac97_dev_disconnect(struc
53180 /* build_ops to do nothing */
53181 -static struct snd_ac97_build_ops null_build_ops;
53182 +static const struct snd_ac97_build_ops null_build_ops;
53184 #ifdef CONFIG_SND_AC97_POWER_SAVE
53185 static void do_update_power(struct work_struct *work)
53186 diff -urNp linux-2.6.33.1/sound/pci/ac97/ac97_patch.c linux-2.6.33.1/sound/pci/ac97/ac97_patch.c
53187 --- linux-2.6.33.1/sound/pci/ac97/ac97_patch.c 2010-03-15 12:09:39.000000000 -0400
53188 +++ linux-2.6.33.1/sound/pci/ac97/ac97_patch.c 2010-03-20 16:58:42.440672764 -0400
53189 @@ -371,7 +371,7 @@ static int patch_yamaha_ymf743_build_spd
53193 -static struct snd_ac97_build_ops patch_yamaha_ymf743_ops = {
53194 +static const struct snd_ac97_build_ops patch_yamaha_ymf743_ops = {
53195 .build_spdif = patch_yamaha_ymf743_build_spdif,
53196 .build_3d = patch_yamaha_ymf7x3_3d,
53198 @@ -455,7 +455,7 @@ static int patch_yamaha_ymf753_post_spdi
53202 -static struct snd_ac97_build_ops patch_yamaha_ymf753_ops = {
53203 +static const struct snd_ac97_build_ops patch_yamaha_ymf753_ops = {
53204 .build_3d = patch_yamaha_ymf7x3_3d,
53205 .build_post_spdif = patch_yamaha_ymf753_post_spdif
53207 @@ -502,7 +502,7 @@ static int patch_wolfson_wm9703_specific
53211 -static struct snd_ac97_build_ops patch_wolfson_wm9703_ops = {
53212 +static const struct snd_ac97_build_ops patch_wolfson_wm9703_ops = {
53213 .build_specific = patch_wolfson_wm9703_specific,
53216 @@ -533,7 +533,7 @@ static int patch_wolfson_wm9704_specific
53220 -static struct snd_ac97_build_ops patch_wolfson_wm9704_ops = {
53221 +static const struct snd_ac97_build_ops patch_wolfson_wm9704_ops = {
53222 .build_specific = patch_wolfson_wm9704_specific,
53225 @@ -555,7 +555,7 @@ static int patch_wolfson_wm9705_specific
53229 -static struct snd_ac97_build_ops patch_wolfson_wm9705_ops = {
53230 +static const struct snd_ac97_build_ops patch_wolfson_wm9705_ops = {
53231 .build_specific = patch_wolfson_wm9705_specific,
53234 @@ -692,7 +692,7 @@ static int patch_wolfson_wm9711_specific
53238 -static struct snd_ac97_build_ops patch_wolfson_wm9711_ops = {
53239 +static const struct snd_ac97_build_ops patch_wolfson_wm9711_ops = {
53240 .build_specific = patch_wolfson_wm9711_specific,
53243 @@ -886,7 +886,7 @@ static void patch_wolfson_wm9713_resume
53247 -static struct snd_ac97_build_ops patch_wolfson_wm9713_ops = {
53248 +static const struct snd_ac97_build_ops patch_wolfson_wm9713_ops = {
53249 .build_specific = patch_wolfson_wm9713_specific,
53250 .build_3d = patch_wolfson_wm9713_3d,
53252 @@ -991,7 +991,7 @@ static int patch_sigmatel_stac97xx_speci
53256 -static struct snd_ac97_build_ops patch_sigmatel_stac9700_ops = {
53257 +static const struct snd_ac97_build_ops patch_sigmatel_stac9700_ops = {
53258 .build_3d = patch_sigmatel_stac9700_3d,
53259 .build_specific = patch_sigmatel_stac97xx_specific
53261 @@ -1038,7 +1038,7 @@ static int patch_sigmatel_stac9708_speci
53262 return patch_sigmatel_stac97xx_specific(ac97);
53265 -static struct snd_ac97_build_ops patch_sigmatel_stac9708_ops = {
53266 +static const struct snd_ac97_build_ops patch_sigmatel_stac9708_ops = {
53267 .build_3d = patch_sigmatel_stac9708_3d,
53268 .build_specific = patch_sigmatel_stac9708_specific
53270 @@ -1267,7 +1267,7 @@ static int patch_sigmatel_stac9758_speci
53274 -static struct snd_ac97_build_ops patch_sigmatel_stac9758_ops = {
53275 +static const struct snd_ac97_build_ops patch_sigmatel_stac9758_ops = {
53276 .build_3d = patch_sigmatel_stac9700_3d,
53277 .build_specific = patch_sigmatel_stac9758_specific
53279 @@ -1342,7 +1342,7 @@ static int patch_cirrus_build_spdif(stru
53283 -static struct snd_ac97_build_ops patch_cirrus_ops = {
53284 +static const struct snd_ac97_build_ops patch_cirrus_ops = {
53285 .build_spdif = patch_cirrus_build_spdif
53288 @@ -1399,7 +1399,7 @@ static int patch_conexant_build_spdif(st
53292 -static struct snd_ac97_build_ops patch_conexant_ops = {
53293 +static const struct snd_ac97_build_ops patch_conexant_ops = {
53294 .build_spdif = patch_conexant_build_spdif
53297 @@ -1501,7 +1501,7 @@ static const struct snd_ac97_res_table a
53298 { AC97_VIDEO, 0x9f1f },
53299 { AC97_AUX, 0x9f1f },
53300 { AC97_PCM, 0x9f1f },
53301 - { } /* terminator */
53302 + { 0, 0 } /* terminator */
53305 static int patch_ad1819(struct snd_ac97 * ac97)
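Review bot: The new terminator `{ 0, 0 }` spells out one zero per member, so it has to be kept in step with the struct layout by hand. If a field is added later, it becomes a partial initialiser again. The same applies to the `{ 0, 0 }` in the lm4550 table (-3877), the `{ 0, 0, 0, 0, 0, 0, 0 }` PCI ID terminators in ens1370.c, intel8x0.c and intel8x0m.c, and `{ 0, 0, 0, 0, NULL, 0 }` in `ac97_quirks`. Presumably the change silences a missing-initialiser warning; if so, `{ 0 }` zero-fills every member regardless of count, provided the compiler in use accepts it without the warning. Otherwise keep the positional form and extend the comment: `/* terminator: one zero per member, update if the struct grows */`.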
53306 @@ -1575,7 +1575,7 @@ static void patch_ad1881_chained(struct
53310 -static struct snd_ac97_build_ops patch_ad1881_build_ops = {
53311 +static const struct snd_ac97_build_ops patch_ad1881_build_ops = {
53313 .resume = ad18xx_resume
53315 @@ -1662,7 +1662,7 @@ static int patch_ad1885_specific(struct
53319 -static struct snd_ac97_build_ops patch_ad1885_build_ops = {
53320 +static const struct snd_ac97_build_ops patch_ad1885_build_ops = {
53321 .build_specific = &patch_ad1885_specific,
53323 .resume = ad18xx_resume
53324 @@ -1689,7 +1689,7 @@ static int patch_ad1886_specific(struct
53328 -static struct snd_ac97_build_ops patch_ad1886_build_ops = {
53329 +static const struct snd_ac97_build_ops patch_ad1886_build_ops = {
53330 .build_specific = &patch_ad1886_specific,
53332 .resume = ad18xx_resume
53333 @@ -1894,7 +1894,7 @@ static int patch_ad1981a_specific(struct
53334 ARRAY_SIZE(snd_ac97_ad1981x_jack_sense));
53337 -static struct snd_ac97_build_ops patch_ad1981a_build_ops = {
53338 +static const struct snd_ac97_build_ops patch_ad1981a_build_ops = {
53339 .build_post_spdif = patch_ad198x_post_spdif,
53340 .build_specific = patch_ad1981a_specific,
53342 @@ -1949,7 +1949,7 @@ static int patch_ad1981b_specific(struct
53343 ARRAY_SIZE(snd_ac97_ad1981x_jack_sense));
53346 -static struct snd_ac97_build_ops patch_ad1981b_build_ops = {
53347 +static const struct snd_ac97_build_ops patch_ad1981b_build_ops = {
53348 .build_post_spdif = patch_ad198x_post_spdif,
53349 .build_specific = patch_ad1981b_specific,
53351 @@ -2088,7 +2088,7 @@ static int patch_ad1888_specific(struct
53352 return patch_build_controls(ac97, snd_ac97_ad1888_controls, ARRAY_SIZE(snd_ac97_ad1888_controls));
53355 -static struct snd_ac97_build_ops patch_ad1888_build_ops = {
53356 +static const struct snd_ac97_build_ops patch_ad1888_build_ops = {
53357 .build_post_spdif = patch_ad198x_post_spdif,
53358 .build_specific = patch_ad1888_specific,
53360 @@ -2137,7 +2137,7 @@ static int patch_ad1980_specific(struct
53361 return patch_build_controls(ac97, &snd_ac97_ad198x_2cmic, 1);
53364 -static struct snd_ac97_build_ops patch_ad1980_build_ops = {
53365 +static const struct snd_ac97_build_ops patch_ad1980_build_ops = {
53366 .build_post_spdif = patch_ad198x_post_spdif,
53367 .build_specific = patch_ad1980_specific,
53369 @@ -2252,7 +2252,7 @@ static int patch_ad1985_specific(struct
53370 ARRAY_SIZE(snd_ac97_ad1985_controls));
53373 -static struct snd_ac97_build_ops patch_ad1985_build_ops = {
53374 +static const struct snd_ac97_build_ops patch_ad1985_build_ops = {
53375 .build_post_spdif = patch_ad198x_post_spdif,
53376 .build_specific = patch_ad1985_specific,
53378 @@ -2544,7 +2544,7 @@ static int patch_ad1986_specific(struct
53379 ARRAY_SIZE(snd_ac97_ad1985_controls));
53382 -static struct snd_ac97_build_ops patch_ad1986_build_ops = {
53383 +static const struct snd_ac97_build_ops patch_ad1986_build_ops = {
53384 .build_post_spdif = patch_ad198x_post_spdif,
53385 .build_specific = patch_ad1986_specific,
53387 @@ -2649,7 +2649,7 @@ static int patch_alc650_specific(struct
53391 -static struct snd_ac97_build_ops patch_alc650_ops = {
53392 +static const struct snd_ac97_build_ops patch_alc650_ops = {
53393 .build_specific = patch_alc650_specific,
53394 .update_jacks = alc650_update_jacks
53396 @@ -2801,7 +2801,7 @@ static int patch_alc655_specific(struct
53400 -static struct snd_ac97_build_ops patch_alc655_ops = {
53401 +static const struct snd_ac97_build_ops patch_alc655_ops = {
53402 .build_specific = patch_alc655_specific,
53403 .update_jacks = alc655_update_jacks
53405 @@ -2913,7 +2913,7 @@ static int patch_alc850_specific(struct
53409 -static struct snd_ac97_build_ops patch_alc850_ops = {
53410 +static const struct snd_ac97_build_ops patch_alc850_ops = {
53411 .build_specific = patch_alc850_specific,
53412 .update_jacks = alc850_update_jacks
53414 @@ -2975,7 +2975,7 @@ static int patch_cm9738_specific(struct
53415 return patch_build_controls(ac97, snd_ac97_cm9738_controls, ARRAY_SIZE(snd_ac97_cm9738_controls));
53418 -static struct snd_ac97_build_ops patch_cm9738_ops = {
53419 +static const struct snd_ac97_build_ops patch_cm9738_ops = {
53420 .build_specific = patch_cm9738_specific,
53421 .update_jacks = cm9738_update_jacks
53423 @@ -3066,7 +3066,7 @@ static int patch_cm9739_post_spdif(struc
53424 return patch_build_controls(ac97, snd_ac97_cm9739_controls_spdif, ARRAY_SIZE(snd_ac97_cm9739_controls_spdif));
53427 -static struct snd_ac97_build_ops patch_cm9739_ops = {
53428 +static const struct snd_ac97_build_ops patch_cm9739_ops = {
53429 .build_specific = patch_cm9739_specific,
53430 .build_post_spdif = patch_cm9739_post_spdif,
53431 .update_jacks = cm9739_update_jacks
53432 @@ -3240,7 +3240,7 @@ static int patch_cm9761_specific(struct
53433 return patch_build_controls(ac97, snd_ac97_cm9761_controls, ARRAY_SIZE(snd_ac97_cm9761_controls));
53436 -static struct snd_ac97_build_ops patch_cm9761_ops = {
53437 +static const struct snd_ac97_build_ops patch_cm9761_ops = {
53438 .build_specific = patch_cm9761_specific,
53439 .build_post_spdif = patch_cm9761_post_spdif,
53440 .update_jacks = cm9761_update_jacks
53441 @@ -3336,7 +3336,7 @@ static int patch_cm9780_specific(struct
53442 return patch_build_controls(ac97, cm9780_controls, ARRAY_SIZE(cm9780_controls));
53445 -static struct snd_ac97_build_ops patch_cm9780_ops = {
53446 +static const struct snd_ac97_build_ops patch_cm9780_ops = {
53447 .build_specific = patch_cm9780_specific,
53448 .build_post_spdif = patch_cm9761_post_spdif /* identical with CM9761 */
53450 @@ -3456,7 +3456,7 @@ static int patch_vt1616_specific(struct
53454 -static struct snd_ac97_build_ops patch_vt1616_ops = {
53455 +static const struct snd_ac97_build_ops patch_vt1616_ops = {
53456 .build_specific = patch_vt1616_specific
53459 @@ -3810,7 +3810,7 @@ static int patch_it2646_specific(struct
53463 -static struct snd_ac97_build_ops patch_it2646_ops = {
53464 +static const struct snd_ac97_build_ops patch_it2646_ops = {
53465 .build_specific = patch_it2646_specific,
53466 .update_jacks = it2646_update_jacks
53468 @@ -3844,7 +3844,7 @@ static int patch_si3036_specific(struct
53472 -static struct snd_ac97_build_ops patch_si3036_ops = {
53473 +static const struct snd_ac97_build_ops patch_si3036_ops = {
53474 .build_specific = patch_si3036_specific,
53477 @@ -3877,7 +3877,7 @@ static struct snd_ac97_res_table lm4550_
53478 { AC97_AUX, 0x1f1f },
53479 { AC97_PCM, 0x1f1f },
53480 { AC97_REC_GAIN, 0x0f0f },
53481 - { } /* terminator */
53482 + { 0, 0 } /* terminator */
53485 static int patch_lm4550(struct snd_ac97 *ac97)
53486 @@ -3911,7 +3911,7 @@ static int patch_ucb1400_specific(struct
53490 -static struct snd_ac97_build_ops patch_ucb1400_ops = {
53491 +static const struct snd_ac97_build_ops patch_ucb1400_ops = {
53492 .build_specific = patch_ucb1400_specific,
53495 diff -urNp linux-2.6.33.1/sound/pci/ens1370.c linux-2.6.33.1/sound/pci/ens1370.c
53496 --- linux-2.6.33.1/sound/pci/ens1370.c 2010-03-15 12:09:39.000000000 -0400
53497 +++ linux-2.6.33.1/sound/pci/ens1370.c 2010-03-20 16:58:42.452959690 -0400
53498 @@ -452,7 +452,7 @@ static struct pci_device_id snd_audiopci
53499 { PCI_VDEVICE(ENSONIQ, 0x5880), 0, }, /* ES1373 - CT5880 */
53500 { PCI_VDEVICE(ECTIVA, 0x8938), 0, }, /* Ectiva EV1938 */
53503 + { 0, 0, 0, 0, 0, 0, 0 }
53506 MODULE_DEVICE_TABLE(pci, snd_audiopci_ids);
53507 diff -urNp linux-2.6.33.1/sound/pci/intel8x0.c linux-2.6.33.1/sound/pci/intel8x0.c
53508 --- linux-2.6.33.1/sound/pci/intel8x0.c 2010-03-15 12:09:39.000000000 -0400
53509 +++ linux-2.6.33.1/sound/pci/intel8x0.c 2010-03-20 16:58:42.464956802 -0400
53510 @@ -444,7 +444,7 @@ static struct pci_device_id snd_intel8x0
53511 { PCI_VDEVICE(AMD, 0x746d), DEVICE_INTEL }, /* AMD8111 */
53512 { PCI_VDEVICE(AMD, 0x7445), DEVICE_INTEL }, /* AMD768 */
53513 { PCI_VDEVICE(AL, 0x5455), DEVICE_ALI }, /* Ali5455 */
53515 + { 0, 0, 0, 0, 0, 0, 0 }
53518 MODULE_DEVICE_TABLE(pci, snd_intel8x0_ids);
53519 @@ -2129,7 +2129,7 @@ static struct ac97_quirk ac97_quirks[] _
53520 .type = AC97_TUNE_HP_ONLY
53523 - { } /* terminator */
53524 + { 0, 0, 0, 0, NULL, 0 } /* terminator */
53527 static int __devinit snd_intel8x0_mixer(struct intel8x0 *chip, int ac97_clock,
53528 diff -urNp linux-2.6.33.1/sound/pci/intel8x0m.c linux-2.6.33.1/sound/pci/intel8x0m.c
53529 --- linux-2.6.33.1/sound/pci/intel8x0m.c 2010-03-15 12:09:39.000000000 -0400
53530 +++ linux-2.6.33.1/sound/pci/intel8x0m.c 2010-03-20 16:58:42.469451186 -0400
53531 @@ -239,7 +239,7 @@ static struct pci_device_id snd_intel8x0
53532 { PCI_VDEVICE(AMD, 0x746d), DEVICE_INTEL }, /* AMD8111 */
53533 { PCI_VDEVICE(AL, 0x5455), DEVICE_ALI }, /* Ali5455 */
53536 + { 0, 0, 0, 0, 0, 0, 0 }
53539 MODULE_DEVICE_TABLE(pci, snd_intel8x0m_ids);
53540 @@ -1264,7 +1264,7 @@ static struct shortname_table {
53541 { 0x5455, "ALi M5455" },
53542 { 0x746d, "AMD AMD8111" },
53548 static int __devinit snd_intel8x0m_probe(struct pci_dev *pci,
53549 diff -urNp linux-2.6.33.1/usr/gen_init_cpio.c linux-2.6.33.1/usr/gen_init_cpio.c
53550 --- linux-2.6.33.1/usr/gen_init_cpio.c 2010-03-15 12:09:39.000000000 -0400
53551 +++ linux-2.6.33.1/usr/gen_init_cpio.c 2010-03-20 16:58:42.469451186 -0400
53552 @@ -299,7 +299,7 @@ static int cpio_mkfile(const char *name,
53561 @@ -386,9 +386,10 @@ static char *cpio_replace_env(char *new_
53562 *env_var = *expanded = '\0';
53563 strncat(env_var, start + 2, end - start - 2);
53564 strncat(expanded, new_location, start - new_location);
53565 - strncat(expanded, getenv(env_var), PATH_MAX);
53566 - strncat(expanded, end + 1, PATH_MAX);
53567 + strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded));
53568 + strncat(expanded, end + 1, PATH_MAX - strlen(expanded));
53569 strncpy(new_location, expanded, PATH_MAX);
53570 + new_location[PATH_MAX] = 0;
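Review bot: `getenv(env_var)` is still passed straight to `strncat()` on the new line, so an unset variable hands it a NULL pointer; the added length bound does not cover that case. Fetch the value first and skip the append when it is missing: `const char *val = getenv(env_var);` then `if (val) strncat(expanded, val, PATH_MAX - strlen(expanded));`. The final `new_location[PATH_MAX] = 0;` assumes the caller's buffer holds at least PATH_MAX + 1 bytes, and the first two `strncat()` calls are bounded by the source length rather than by the destination size. The buffer declarations are outside this hunk, so both should be confirmed there. cpio_replace_env's body continues outside the hunk.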
53574 diff -urNp linux-2.6.33.1/virt/kvm/kvm_main.c linux-2.6.33.1/virt/kvm/kvm_main.c
53575 --- linux-2.6.33.1/virt/kvm/kvm_main.c 2010-03-15 12:09:39.000000000 -0400
53576 +++ linux-2.6.33.1/virt/kvm/kvm_main.c 2010-03-20 16:58:42.489458390 -0400
53577 @@ -1168,6 +1168,7 @@ static int kvm_vcpu_release(struct inode
53581 +/* cannot be const */
53582 static struct file_operations kvm_vcpu_fops = {
53583 .release = kvm_vcpu_release,
53584 .unlocked_ioctl = kvm_vcpu_ioctl,
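Review bot: The added `/* cannot be const */` does not say why, so a later constification pass has nothing to check before undoing it. The same bare comment is added to `kvm_vm_fops` (-1624) and `kvm_chardev_ops` (-1714). Presumably a member is assigned at run time, such as `.owner` being set from the `module` argument of `kvm_init()`, but that assignment is not visible in these hunks and should be confirmed. If so, name the write in the comment: `/* cannot be const: .owner is assigned in kvm_init() */`.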
53585 @@ -1624,6 +1625,7 @@ static int kvm_vm_mmap(struct file *file
53589 +/* cannot be const */
53590 static struct file_operations kvm_vm_fops = {
53591 .release = kvm_vm_release,
53592 .unlocked_ioctl = kvm_vm_ioctl,
53593 @@ -1714,6 +1716,7 @@ out:
53597 +/* cannot be const */
53598 static struct file_operations kvm_chardev_ops = {
53599 .unlocked_ioctl = kvm_dev_ioctl,
53600 .compat_ioctl = kvm_dev_ioctl,
53601 @@ -1723,6 +1726,9 @@ static struct miscdevice kvm_dev = {
53610 static void hardware_enable(void *junk)
53611 @@ -2050,7 +2056,7 @@ static void kvm_sched_out(struct preempt
53612 kvm_arch_vcpu_put(vcpu);
53615 -int kvm_init(void *opaque, unsigned int vcpu_size,
53616 +int kvm_init(const void *opaque, unsigned int vcpu_size,
53617 struct module *module)