naoki: Allow diff as a filename ending for patches.
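--- linux-2.6.37/arch/alpha/include/asm/dma-mapping.h
+++ linux-2.6.37/arch/alpha/include/asm/dma-mapping.h
@@ -3,9 +3,9 @@
 
 #include <linux/dma-attrs.h>
 
-extern struct dma_map_ops *dma_ops;
+extern const struct dma_map_ops *dma_ops;
 
-static inline struct dma_map_ops *get_dma_ops(struct device *dev)
+static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
 {
 return dma_ops;
 }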
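Review bot: The const qualifier lands on the pointee but not on `dma_ops` itself, so `extern const struct dma_map_ops *dma_ops;` still declares a writable, exported pointer that can be redirected to a different ops table; the same applies to the definitions in arch/alpha/kernel/pci_iommu.c and arch/alpha/kernel/pci-noop.c in this patch. If nothing reassigns it after the static initialisation those two files show (this chunk cannot confirm that), declaring it `extern const struct dma_map_ops *const dma_ops;` here and `const struct dma_map_ops *const dma_ops = &alpha_pci_ops;` in the definitions closes that gap while keeping the three declarations type-compatible. If the pointer must stay mutable, a one-line comment saying who reassigns it would spare the next reader the same question.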
16 diff -urNp linux-2.6.37/arch/alpha/include/asm/elf.h linux-2.6.37/arch/alpha/include/asm/elf.h
17 --- linux-2.6.37/arch/alpha/include/asm/elf.h 2011-01-04 19:50:19.000000000 -0500
18 +++ linux-2.6.37/arch/alpha/include/asm/elf.h 2011-01-17 02:41:00.000000000 -0500
19 @@ -90,6 +90,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
20
21 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
22
23 +#ifdef CONFIG_PAX_ASLR
24 +#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
25 +
26 +#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
27 +#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
28 +#endif
29 +
30 /* $0 is set by ld.so to a pointer to a function which might be
31 registered using atexit. This provides a mean for the dynamic
32 linker to call DT_FINI functions for shared libraries that have
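Review bot: The new `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` macros carry bare numbers (14/28 and 14/19) with no comment on what they mean; from the names they look like the number of randomised address bits for the mmap and stack bases, but nothing in the hunk says so. A comment such as `/* randomisation width in bits for the mmap/stack bases, narrower under a 32-bit-limited personality — TODO confirm against the generic PaX ASLR code */` would make the values reviewable; the arm and avr32 elf.h sections in this patch add the same macros without explanation. Note also that every expansion re-evaluates `current->personality`, harmless but worth knowing if a function uses the macro more than once.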
33 diff -urNp linux-2.6.37/arch/alpha/include/asm/pgtable.h linux-2.6.37/arch/alpha/include/asm/pgtable.h
34 --- linux-2.6.37/arch/alpha/include/asm/pgtable.h 2011-01-04 19:50:19.000000000 -0500
35 +++ linux-2.6.37/arch/alpha/include/asm/pgtable.h 2011-01-17 02:41:00.000000000 -0500
36 @@ -101,6 +101,17 @@ struct vm_area_struct;
37 #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
38 #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
39 #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
40 +
41 +#ifdef CONFIG_PAX_PAGEEXEC
42 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
43 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
44 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
45 +#else
46 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
47 +# define PAGE_COPY_NOEXEC PAGE_COPY
48 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
49 +#endif
50 +
51 #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
52
53 #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
54 diff -urNp linux-2.6.37/arch/alpha/kernel/module.c linux-2.6.37/arch/alpha/kernel/module.c
55 --- linux-2.6.37/arch/alpha/kernel/module.c 2011-01-04 19:50:19.000000000 -0500
56 +++ linux-2.6.37/arch/alpha/kernel/module.c 2011-01-17 02:41:00.000000000 -0500
57 @@ -182,7 +182,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
58
59 /* The small sections were sorted to the end of the segment.
60 The following should definitely cover them. */
61 - gp = (u64)me->module_core + me->core_size - 0x8000;
62 + gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
63 got = sechdrs[me->arch.gotsecindex].sh_addr;
64
65 for (i = 0; i < n; i++) {
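--- linux-2.6.37/arch/alpha/kernel/osf_sys.c
+++ linux-2.6.37/arch/alpha/kernel/osf_sys.c
@@ -1165,7 +1165,7 @@ arch_get_unmapped_area_1(unsigned long a
 /* At this point: (!vma || addr < vma->vm_end). */
 if (limit - len < addr)
 return -ENOMEM;
- if (!vma || addr + len <= vma->vm_start)
+ if (check_heap_stack_gap(vma, addr, len))
 return addr;
 addr = vma->vm_end;
 vma = vma->vm_next;
@@ -1201,6 +1201,10 @@ arch_get_unmapped_area(struct file *filp
 merely specific addresses, but regions of memory -- perhaps
 this feature should be incorporated into all ports? */
 
+#ifdef CONFIG_PAX_RANDMMAP
+ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
+#endif
+
 if (addr) {
 addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
 if (addr != (unsigned long) -ENOMEM)
@@ -1208,8 +1212,8 @@ arch_get_unmapped_area(struct file *filp
 }
 
 /* Next, try allocating at TASK_UNMAPPED_BASE. */
- addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
- len, limit);
+ addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
+
 if (addr != (unsigned long) -ENOMEM)
 return addr;
 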
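Review bot: The comment `/* Next, try allocating at TASK_UNMAPPED_BASE. */` in the third hunk is now stale, since the call under it uses `current->mm->mmap_base`; change it to `/* Next, try allocating at the mm's mmap base. */`. In the second hunk the `#ifdef CONFIG_PAX_RANDMMAP` guard leaves a bare `if (...)` whose body is the `if (addr) {` block after a blank line, the fragile unbraced shape behind the "goto fail" class of bugs; arch/arm/mm/mmap.c in this patch uses the same construct. Folding the test into a local flag keeps the braces explicit without disturbing the #ifdef. arch_get_unmapped_area continues outside the hunk.
```c
	int use_hint = 1;
#ifdef CONFIG_PAX_RANDMMAP
	if (current->mm->pax_flags & MF_PAX_RANDMMAP)
		use_hint = 0;
#endif
	if (use_hint && addr) {
		/* … unchanged: hint lookup via arch_get_unmapped_area_1 … */
```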
100 diff -urNp linux-2.6.37/arch/alpha/kernel/pci_iommu.c linux-2.6.37/arch/alpha/kernel/pci_iommu.c
101 --- linux-2.6.37/arch/alpha/kernel/pci_iommu.c 2011-01-04 19:50:19.000000000 -0500
102 +++ linux-2.6.37/arch/alpha/kernel/pci_iommu.c 2011-01-17 02:41:00.000000000 -0500
103 @@ -950,7 +950,7 @@ static int alpha_pci_set_mask(struct dev
104 return 0;
105 }
106
107 -struct dma_map_ops alpha_pci_ops = {
108 +const struct dma_map_ops alpha_pci_ops = {
109 .alloc_coherent = alpha_pci_alloc_coherent,
110 .free_coherent = alpha_pci_free_coherent,
111 .map_page = alpha_pci_map_page,
112 @@ -962,5 +962,5 @@ struct dma_map_ops alpha_pci_ops = {
113 .set_dma_mask = alpha_pci_set_mask,
114 };
115
116 -struct dma_map_ops *dma_ops = &alpha_pci_ops;
117 +const struct dma_map_ops *dma_ops = &alpha_pci_ops;
118 EXPORT_SYMBOL(dma_ops);
119 diff -urNp linux-2.6.37/arch/alpha/kernel/pci-noop.c linux-2.6.37/arch/alpha/kernel/pci-noop.c
120 --- linux-2.6.37/arch/alpha/kernel/pci-noop.c 2011-01-04 19:50:19.000000000 -0500
121 +++ linux-2.6.37/arch/alpha/kernel/pci-noop.c 2011-01-17 02:41:00.000000000 -0500
122 @@ -173,7 +173,7 @@ static int alpha_noop_set_mask(struct de
123 return 0;
124 }
125
126 -struct dma_map_ops alpha_noop_ops = {
127 +const struct dma_map_ops alpha_noop_ops = {
128 .alloc_coherent = alpha_noop_alloc_coherent,
129 .free_coherent = alpha_noop_free_coherent,
130 .map_page = alpha_noop_map_page,
131 @@ -183,7 +183,7 @@ struct dma_map_ops alpha_noop_ops = {
132 .set_dma_mask = alpha_noop_set_mask,
133 };
134
135 -struct dma_map_ops *dma_ops = &alpha_noop_ops;
136 +const struct dma_map_ops *dma_ops = &alpha_noop_ops;
137 EXPORT_SYMBOL(dma_ops);
138
139 void __iomem *pci_iomap(struct pci_dev *dev, int bar, unsigned long maxlen)
140 diff -urNp linux-2.6.37/arch/alpha/mm/fault.c linux-2.6.37/arch/alpha/mm/fault.c
141 --- linux-2.6.37/arch/alpha/mm/fault.c 2011-01-04 19:50:19.000000000 -0500
142 +++ linux-2.6.37/arch/alpha/mm/fault.c 2011-01-17 02:41:00.000000000 -0500
143 @@ -54,6 +54,124 @@ __load_new_mm_context(struct mm_struct *
144 __reload_thread(pcb);
145 }
146
147 +#ifdef CONFIG_PAX_PAGEEXEC
148 +/*
149 + * PaX: decide what to do with offenders (regs->pc = fault address)
150 + *
151 + * returns 1 when task should be killed
152 + * 2 when patched PLT trampoline was detected
153 + * 3 when unpatched PLT trampoline was detected
154 + */
155 +static int pax_handle_fetch_fault(struct pt_regs *regs)
156 +{
157 +
158 +#ifdef CONFIG_PAX_EMUPLT
159 + int err;
160 +
161 + do { /* PaX: patched PLT emulation #1 */
162 + unsigned int ldah, ldq, jmp;
163 +
164 + err = get_user(ldah, (unsigned int *)regs->pc);
165 + err |= get_user(ldq, (unsigned int *)(regs->pc+4));
166 + err |= get_user(jmp, (unsigned int *)(regs->pc+8));
167 +
168 + if (err)
169 + break;
170 +
171 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
172 + (ldq & 0xFFFF0000U) == 0xA77B0000U &&
173 + jmp == 0x6BFB0000U)
174 + {
175 + unsigned long r27, addr;
176 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
177 + unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
178 +
179 + addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
180 + err = get_user(r27, (unsigned long *)addr);
181 + if (err)
182 + break;
183 +
184 + regs->r27 = r27;
185 + regs->pc = r27;
186 + return 2;
187 + }
188 + } while (0);
189 +
190 + do { /* PaX: patched PLT emulation #2 */
191 + unsigned int ldah, lda, br;
192 +
193 + err = get_user(ldah, (unsigned int *)regs->pc);
194 + err |= get_user(lda, (unsigned int *)(regs->pc+4));
195 + err |= get_user(br, (unsigned int *)(regs->pc+8));
196 +
197 + if (err)
198 + break;
199 +
200 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
201 + (lda & 0xFFFF0000U) == 0xA77B0000U &&
202 + (br & 0xFFE00000U) == 0xC3E00000U)
203 + {
204 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
205 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
206 + unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
207 +
208 + regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
209 + regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
210 + return 2;
211 + }
212 + } while (0);
213 +
214 + do { /* PaX: unpatched PLT emulation */
215 + unsigned int br;
216 +
217 + err = get_user(br, (unsigned int *)regs->pc);
218 +
219 + if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
220 + unsigned int br2, ldq, nop, jmp;
221 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
222 +
223 + addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
224 + err = get_user(br2, (unsigned int *)addr);
225 + err |= get_user(ldq, (unsigned int *)(addr+4));
226 + err |= get_user(nop, (unsigned int *)(addr+8));
227 + err |= get_user(jmp, (unsigned int *)(addr+12));
228 + err |= get_user(resolver, (unsigned long *)(addr+16));
229 +
230 + if (err)
231 + break;
232 +
233 + if (br2 == 0xC3600000U &&
234 + ldq == 0xA77B000CU &&
235 + nop == 0x47FF041FU &&
236 + jmp == 0x6B7B0000U)
237 + {
238 + regs->r28 = regs->pc+4;
239 + regs->r27 = addr+16;
240 + regs->pc = resolver;
241 + return 3;
242 + }
243 + }
244 + } while (0);
245 +#endif
246 +
247 + return 1;
248 +}
249 +
250 +void pax_report_insns(void *pc, void *sp)
251 +{
252 + unsigned long i;
253 +
254 + printk(KERN_ERR "PAX: bytes at PC: ");
255 + for (i = 0; i < 5; i++) {
256 + unsigned int c;
257 + if (get_user(c, (unsigned int *)pc+i))
258 + printk(KERN_CONT "???????? ");
259 + else
260 + printk(KERN_CONT "%08x ", c);
261 + }
262 + printk("\n");
263 +}
264 +#endif
265
266 /*
267 * This routine handles page faults. It determines the address,
268 @@ -131,8 +249,29 @@ do_page_fault(unsigned long address, uns
269 good_area:
270 si_code = SEGV_ACCERR;
271 if (cause < 0) {
272 - if (!(vma->vm_flags & VM_EXEC))
273 + if (!(vma->vm_flags & VM_EXEC)) {
274 +
275 +#ifdef CONFIG_PAX_PAGEEXEC
276 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
277 + goto bad_area;
278 +
279 + up_read(&mm->mmap_sem);
280 + switch (pax_handle_fetch_fault(regs)) {
281 +
282 +#ifdef CONFIG_PAX_EMUPLT
283 + case 2:
284 + case 3:
285 + return;
286 +#endif
287 +
288 + }
289 + pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
290 + do_group_exit(SIGKILL);
291 +#else
292 goto bad_area;
293 +#endif
294 +
295 + }
296 } else if (!cause) {
297 /* Allow reads even for write-only mappings */
298 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
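Review bot: The `switch (pax_handle_fetch_fault(regs))` in the do_page_fault hunk has no `default:`, so with CONFIG_PAX_EMUPLT off it is an empty switch around a call whose fall-out into `pax_report_fault` / `do_group_exit(SIGKILL)` is only clear after reading the helper's comment (return 1 means kill). Adding `default: break; /* 1: no PLT pattern matched, report and kill below */` as the last case documents the contract at the call site and keeps -Wswitch-default quiet. Separately, `pax_report_insns` in this section casts `pc` to `(unsigned int *)` without `__user`, while the arm version in this patch uses `__force ... __user`, so sparse will flag the alpha (and avr32) variants. do_page_fault begins before the hunk.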
299 diff -urNp linux-2.6.37/arch/arm/include/asm/elf.h linux-2.6.37/arch/arm/include/asm/elf.h
300 --- linux-2.6.37/arch/arm/include/asm/elf.h 2011-01-04 19:50:19.000000000 -0500
301 +++ linux-2.6.37/arch/arm/include/asm/elf.h 2011-01-17 02:41:00.000000000 -0500
302 @@ -113,7 +113,14 @@ int dump_task_regs(struct task_struct *t
303 the loader. We need to make sure that it is out of the way of the program
304 that it will "exec", and that there is sufficient room for the brk. */
305
306 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
307 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
308 +
309 +#ifdef CONFIG_PAX_ASLR
310 +#define PAX_ELF_ET_DYN_BASE 0x00008000UL
311 +
312 +#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
313 +#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
314 +#endif
315
316 /* When the program starts, a1 contains a pointer to a function to be
317 registered with atexit, as per the SVR4 ABI. A value of 0 means we
318 @@ -123,10 +130,6 @@ int dump_task_regs(struct task_struct *t
319 extern void elf_set_personality(const struct elf32_hdr *);
320 #define SET_PERSONALITY(ex) elf_set_personality(&(ex))
321
322 -struct mm_struct;
323 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
324 -#define arch_randomize_brk arch_randomize_brk
325 -
326 extern int vectors_user_mapping(void);
327 #define arch_setup_additional_pages(bprm, uses_interp) vectors_user_mapping()
328 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES
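Review bot: `#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)` changes the evaluation order without saying why; presumably it avoids `2 * TASK_SIZE` overflowing when TASK_SIZE is close to the top of the address space, but it also rounds differently (the result can be a couple of bytes lower than `2 * TASK_SIZE / 3`), which is worth stating. A comment such as `/* TASK_SIZE / 3 * 2 rather than 2 * TASK_SIZE / 3: keeps the intermediate inside the address space — TODO confirm */` records the intent; the avr32 elf.h section in this patch makes the identical change and needs the same note.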
329 diff -urNp linux-2.6.37/arch/arm/include/asm/kmap_types.h linux-2.6.37/arch/arm/include/asm/kmap_types.h
330 --- linux-2.6.37/arch/arm/include/asm/kmap_types.h 2011-01-04 19:50:19.000000000 -0500
331 +++ linux-2.6.37/arch/arm/include/asm/kmap_types.h 2011-01-17 02:41:00.000000000 -0500
332 @@ -21,6 +21,7 @@ enum km_type {
333 KM_L1_CACHE,
334 KM_L2_CACHE,
335 KM_KDB,
336 + KM_CLEARPAGE,
337 KM_TYPE_NR
338 };
339
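--- linux-2.6.37/arch/arm/include/asm/uaccess.h
+++ linux-2.6.37/arch/arm/include/asm/uaccess.h
@@ -403,6 +403,9 @@ extern unsigned long __must_check __strn
 
 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
 {
+ if ((long)n < 0)
+ return n;
+
 if (access_ok(VERIFY_READ, from, n))
 n = __copy_from_user(to, from, n);
 else /* security hole - plug it */
@@ -412,6 +415,9 @@ static inline unsigned long __must_check
 
 static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
 {
+ if ((long)n < 0)
+ return n;
+
 if (access_ok(VERIFY_WRITE, to, n))
 n = __copy_to_user(to, from, n);
 return n;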
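Review bot: The new `if ((long)n < 0) return n;` in copy_from_user returns before the `else /* security hole - plug it */` branch, whose body lies past the hunk and presumably clears `to` on the failing path; a caller that relies on a zeroed destination after a failed copy now gets it untouched when `n` is oversized. If leaving `to` alone is deliberate, because a length above LONG_MAX cannot be memset safely either, say so where the check is: `/* n > LONG_MAX: length overflow in the caller, refuse and leave 'to' untouched */`. copy_to_user in the second hunk gets the same guard and the same comment fits there. Both function bodies continue outside the hunk.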
363 diff -urNp linux-2.6.37/arch/arm/kernel/kgdb.c linux-2.6.37/arch/arm/kernel/kgdb.c
364 --- linux-2.6.37/arch/arm/kernel/kgdb.c 2011-01-04 19:50:19.000000000 -0500
365 +++ linux-2.6.37/arch/arm/kernel/kgdb.c 2011-01-17 02:41:00.000000000 -0500
366 @@ -246,7 +246,7 @@ void kgdb_arch_exit(void)
367 * and we handle the normal undef case within the do_undefinstr
368 * handler.
369 */
370 -struct kgdb_arch arch_kgdb_ops = {
371 +const struct kgdb_arch arch_kgdb_ops = {
372 #ifndef __ARMEB__
373 .gdb_bpt_instr = {0xfe, 0xde, 0xff, 0xe7}
374 #else /* ! __ARMEB__ */
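Review bot: `const struct kgdb_arch arch_kgdb_ops = {` is only valid if the generic `extern struct kgdb_arch arch_kgdb_ops;` declaration (include/linux/kgdb.h, not in this chunk) is const-qualified by the same patch; otherwise the compiler reports conflicting types for the symbol. The arch/blackfin/kernel/kgdb.c section carries the same dependency. A one-line `/* declared const in include/linux/kgdb.h */` beside the definition would make the coupling visible to anyone backporting one side alone.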
375 diff -urNp linux-2.6.37/arch/arm/kernel/process.c linux-2.6.37/arch/arm/kernel/process.c
376 --- linux-2.6.37/arch/arm/kernel/process.c 2011-01-04 19:50:19.000000000 -0500
377 +++ linux-2.6.37/arch/arm/kernel/process.c 2011-01-17 02:41:00.000000000 -0500
378 @@ -28,7 +28,6 @@
379 #include <linux/tick.h>
380 #include <linux/utsname.h>
381 #include <linux/uaccess.h>
382 -#include <linux/random.h>
383 #include <linux/hw_breakpoint.h>
384
385 #include <asm/cacheflush.h>
386 @@ -477,12 +476,6 @@ unsigned long get_wchan(struct task_stru
387 return 0;
388 }
389
390 -unsigned long arch_randomize_brk(struct mm_struct *mm)
391 -{
392 - unsigned long range_end = mm->brk + 0x02000000;
393 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
394 -}
395 -
396 /*
397 * The vectors page is always readable from user space for the
398 * atomic helpers and the signal restart code. Let's declare a mapping
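Review bot: The first hunk drops `#include <linux/random.h>` together with `arch_randomize_brk`, but the hunk cannot show whether anything else in process.c still uses a declaration from that header; if it does, the result is an implicit-declaration error or a silently lost definition. Confirm with a build of the arm configs, or keep the include, since a header drop is cheap to leave for a separate cleanup. Removing `arch_randomize_brk` also removes the upstream brk randomisation for arm, and a comment near the elf.h change noting what takes over (presumably PaX's own ASLR, not visible here) would help future readers.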
399 diff -urNp linux-2.6.37/arch/arm/mach-at91/pm.c linux-2.6.37/arch/arm/mach-at91/pm.c
400 --- linux-2.6.37/arch/arm/mach-at91/pm.c 2011-01-04 19:50:19.000000000 -0500
401 +++ linux-2.6.37/arch/arm/mach-at91/pm.c 2011-01-17 02:41:00.000000000 -0500
402 @@ -301,7 +301,7 @@ static void at91_pm_end(void)
403 }
404
405
406 -static struct platform_suspend_ops at91_pm_ops ={
407 +static const struct platform_suspend_ops at91_pm_ops ={
408 .valid = at91_pm_valid_state,
409 .begin = at91_pm_begin,
410 .enter = at91_pm_enter,
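Review bot: `static const struct platform_suspend_ops at91_pm_ops` only stays warning-free if `suspend_set_ops()` (declared in include/linux/suspend.h, outside this chunk) accepts a pointer to const in the same patch; otherwise passing `&at91_pm_ops` discards the qualifier. The same dependency covers every other `platform_suspend_ops` constification in this patch (davinci, imx27, lpc32xx, omap1/2, pnx4008, pxa, sharpsl, sa1100, plat-samsung, at32ap, blackfin). It is worth stating once in the generic header rather than per site.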
411 diff -urNp linux-2.6.37/arch/arm/mach-davinci/pm.c linux-2.6.37/arch/arm/mach-davinci/pm.c
412 --- linux-2.6.37/arch/arm/mach-davinci/pm.c 2011-01-04 19:50:19.000000000 -0500
413 +++ linux-2.6.37/arch/arm/mach-davinci/pm.c 2011-01-17 02:41:00.000000000 -0500
414 @@ -110,7 +110,7 @@ static int davinci_pm_enter(suspend_stat
415 return ret;
416 }
417
418 -static struct platform_suspend_ops davinci_pm_ops = {
419 +static const struct platform_suspend_ops davinci_pm_ops = {
420 .enter = davinci_pm_enter,
421 .valid = suspend_valid_only_mem,
422 };
423 diff -urNp linux-2.6.37/arch/arm/mach-imx/pm-imx27.c linux-2.6.37/arch/arm/mach-imx/pm-imx27.c
424 --- linux-2.6.37/arch/arm/mach-imx/pm-imx27.c 2011-01-04 19:50:19.000000000 -0500
425 +++ linux-2.6.37/arch/arm/mach-imx/pm-imx27.c 2011-01-17 02:41:00.000000000 -0500
426 @@ -32,7 +32,7 @@ static int mx27_suspend_enter(suspend_st
427 return 0;
428 }
429
430 -static struct platform_suspend_ops mx27_suspend_ops = {
431 +static const struct platform_suspend_ops mx27_suspend_ops = {
432 .enter = mx27_suspend_enter,
433 .valid = suspend_valid_only_mem,
434 };
435 diff -urNp linux-2.6.37/arch/arm/mach-lpc32xx/pm.c linux-2.6.37/arch/arm/mach-lpc32xx/pm.c
436 --- linux-2.6.37/arch/arm/mach-lpc32xx/pm.c 2011-01-04 19:50:19.000000000 -0500
437 +++ linux-2.6.37/arch/arm/mach-lpc32xx/pm.c 2011-01-17 02:41:00.000000000 -0500
438 @@ -123,7 +123,7 @@ static int lpc32xx_pm_enter(suspend_stat
439 return 0;
440 }
441
442 -static struct platform_suspend_ops lpc32xx_pm_ops = {
443 +static const struct platform_suspend_ops lpc32xx_pm_ops = {
444 .valid = suspend_valid_only_mem,
445 .enter = lpc32xx_pm_enter,
446 };
447 diff -urNp linux-2.6.37/arch/arm/mach-msm/last_radio_log.c linux-2.6.37/arch/arm/mach-msm/last_radio_log.c
448 --- linux-2.6.37/arch/arm/mach-msm/last_radio_log.c 2011-01-04 19:50:19.000000000 -0500
449 +++ linux-2.6.37/arch/arm/mach-msm/last_radio_log.c 2011-01-17 02:41:00.000000000 -0500
450 @@ -47,6 +47,7 @@ static ssize_t last_radio_log_read(struc
451 return count;
452 }
453
454 +/* cannot be const, see msm_init_last_radio_log */
455 static struct file_operations last_radio_log_fops = {
456 .read = last_radio_log_read,
457 .llseek = default_llseek,
458 diff -urNp linux-2.6.37/arch/arm/mach-omap1/pm.c linux-2.6.37/arch/arm/mach-omap1/pm.c
459 --- linux-2.6.37/arch/arm/mach-omap1/pm.c 2011-01-04 19:50:19.000000000 -0500
460 +++ linux-2.6.37/arch/arm/mach-omap1/pm.c 2011-01-17 02:41:00.000000000 -0500
461 @@ -647,7 +647,7 @@ static struct irqaction omap_wakeup_irq
462
463
464
465 -static struct platform_suspend_ops omap_pm_ops ={
466 +static const struct platform_suspend_ops omap_pm_ops ={
467 .prepare = omap_pm_prepare,
468 .enter = omap_pm_enter,
469 .finish = omap_pm_finish,
470 diff -urNp linux-2.6.37/arch/arm/mach-omap2/pm24xx.c linux-2.6.37/arch/arm/mach-omap2/pm24xx.c
471 --- linux-2.6.37/arch/arm/mach-omap2/pm24xx.c 2011-01-04 19:50:19.000000000 -0500
472 +++ linux-2.6.37/arch/arm/mach-omap2/pm24xx.c 2011-01-17 02:41:00.000000000 -0500
473 @@ -359,7 +359,7 @@ static void omap2_pm_end(void)
474 suspend_state = PM_SUSPEND_ON;
475 }
476
477 -static struct platform_suspend_ops omap_pm_ops = {
478 +static const struct platform_suspend_ops omap_pm_ops = {
479 .begin = omap2_pm_begin,
480 .prepare = omap2_pm_prepare,
481 .enter = omap2_pm_enter,
482 diff -urNp linux-2.6.37/arch/arm/mach-omap2/pm34xx.c linux-2.6.37/arch/arm/mach-omap2/pm34xx.c
483 --- linux-2.6.37/arch/arm/mach-omap2/pm34xx.c 2011-01-04 19:50:19.000000000 -0500
484 +++ linux-2.6.37/arch/arm/mach-omap2/pm34xx.c 2011-01-17 02:41:00.000000000 -0500
485 @@ -617,7 +617,7 @@ static void omap3_pm_end(void)
486 return;
487 }
488
489 -static struct platform_suspend_ops omap_pm_ops = {
490 +static const struct platform_suspend_ops omap_pm_ops = {
491 .begin = omap3_pm_begin,
492 .end = omap3_pm_end,
493 .prepare = omap3_pm_prepare,
494 diff -urNp linux-2.6.37/arch/arm/mach-omap2/pm44xx.c linux-2.6.37/arch/arm/mach-omap2/pm44xx.c
495 --- linux-2.6.37/arch/arm/mach-omap2/pm44xx.c 2011-01-04 19:50:19.000000000 -0500
496 +++ linux-2.6.37/arch/arm/mach-omap2/pm44xx.c 2011-01-17 02:41:00.000000000 -0500
497 @@ -75,7 +75,7 @@ static void omap4_pm_end(void)
498 return;
499 }
500
501 -static struct platform_suspend_ops omap_pm_ops = {
502 +static const struct platform_suspend_ops omap_pm_ops = {
503 .begin = omap4_pm_begin,
504 .end = omap4_pm_end,
505 .prepare = omap4_pm_prepare,
506 diff -urNp linux-2.6.37/arch/arm/mach-pnx4008/pm.c linux-2.6.37/arch/arm/mach-pnx4008/pm.c
507 --- linux-2.6.37/arch/arm/mach-pnx4008/pm.c 2011-01-04 19:50:19.000000000 -0500
508 +++ linux-2.6.37/arch/arm/mach-pnx4008/pm.c 2011-01-17 02:41:00.000000000 -0500
509 @@ -119,7 +119,7 @@ static int pnx4008_pm_valid(suspend_stat
510 (state == PM_SUSPEND_MEM);
511 }
512
513 -static struct platform_suspend_ops pnx4008_pm_ops = {
514 +static const struct platform_suspend_ops pnx4008_pm_ops = {
515 .enter = pnx4008_pm_enter,
516 .valid = pnx4008_pm_valid,
517 };
518 diff -urNp linux-2.6.37/arch/arm/mach-pxa/pm.c linux-2.6.37/arch/arm/mach-pxa/pm.c
519 --- linux-2.6.37/arch/arm/mach-pxa/pm.c 2011-01-04 19:50:19.000000000 -0500
520 +++ linux-2.6.37/arch/arm/mach-pxa/pm.c 2011-01-17 02:41:00.000000000 -0500
521 @@ -96,7 +96,7 @@ void pxa_pm_finish(void)
522 pxa_cpu_pm_fns->finish();
523 }
524
525 -static struct platform_suspend_ops pxa_pm_ops = {
526 +static const struct platform_suspend_ops pxa_pm_ops = {
527 .valid = pxa_pm_valid,
528 .enter = pxa_pm_enter,
529 .prepare = pxa_pm_prepare,
530 diff -urNp linux-2.6.37/arch/arm/mach-pxa/sharpsl_pm.c linux-2.6.37/arch/arm/mach-pxa/sharpsl_pm.c
531 --- linux-2.6.37/arch/arm/mach-pxa/sharpsl_pm.c 2011-01-04 19:50:19.000000000 -0500
532 +++ linux-2.6.37/arch/arm/mach-pxa/sharpsl_pm.c 2011-01-17 02:41:00.000000000 -0500
533 @@ -868,7 +868,7 @@ static void sharpsl_apm_get_power_status
534 }
535
536 #ifdef CONFIG_PM
537 -static struct platform_suspend_ops sharpsl_pm_ops = {
538 +static const struct platform_suspend_ops sharpsl_pm_ops = {
539 .prepare = pxa_pm_prepare,
540 .finish = pxa_pm_finish,
541 .enter = corgi_pxa_pm_enter,
542 diff -urNp linux-2.6.37/arch/arm/mach-sa1100/pm.c linux-2.6.37/arch/arm/mach-sa1100/pm.c
543 --- linux-2.6.37/arch/arm/mach-sa1100/pm.c 2011-01-04 19:50:19.000000000 -0500
544 +++ linux-2.6.37/arch/arm/mach-sa1100/pm.c 2011-01-17 02:41:00.000000000 -0500
545 @@ -120,7 +120,7 @@ unsigned long sleep_phys_sp(void *sp)
546 return virt_to_phys(sp);
547 }
548
549 -static struct platform_suspend_ops sa11x0_pm_ops = {
550 +static const struct platform_suspend_ops sa11x0_pm_ops = {
551 .enter = sa11x0_pm_enter,
552 .valid = suspend_valid_only_mem,
553 };
554 diff -urNp linux-2.6.37/arch/arm/mm/fault.c linux-2.6.37/arch/arm/mm/fault.c
555 --- linux-2.6.37/arch/arm/mm/fault.c 2011-01-04 19:50:19.000000000 -0500
556 +++ linux-2.6.37/arch/arm/mm/fault.c 2011-01-17 02:41:00.000000000 -0500
557 @@ -167,6 +167,13 @@ __do_user_fault(struct task_struct *tsk,
558 }
559 #endif
560
561 +#ifdef CONFIG_PAX_PAGEEXEC
562 + if (fsr & FSR_LNX_PF) {
563 + pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
564 + do_group_exit(SIGKILL);
565 + }
566 +#endif
567 +
568 tsk->thread.address = addr;
569 tsk->thread.error_code = fsr;
570 tsk->thread.trap_no = 14;
571 @@ -364,6 +371,33 @@ do_page_fault(unsigned long addr, unsign
572 }
573 #endif /* CONFIG_MMU */
574
575 +#ifdef CONFIG_PAX_PAGEEXEC
576 +void pax_report_insns(void *pc, void *sp)
577 +{
578 + long i;
579 +
580 + printk(KERN_ERR "PAX: bytes at PC: ");
581 + for (i = 0; i < 20; i++) {
582 + unsigned char c;
583 + if (get_user(c, (__force unsigned char __user *)pc+i))
584 + printk(KERN_CONT "?? ");
585 + else
586 + printk(KERN_CONT "%02x ", c);
587 + }
588 + printk("\n");
589 +
590 + printk(KERN_ERR "PAX: bytes at SP-4: ");
591 + for (i = -1; i < 20; i++) {
592 + unsigned long c;
593 + if (get_user(c, (__force unsigned long __user *)sp+i))
594 + printk(KERN_CONT "???????? ");
595 + else
596 + printk(KERN_CONT "%08lx ", c);
597 + }
598 + printk("\n");
599 +}
600 +#endif
601 +
602 /*
603 * First Level Translation Fault Handler
604 *
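Review bot: The `FSR_LNX_PF` branch added to `__do_user_fault` kills the task without first checking `mm->pax_flags & MF_PAX_PAGEEXEC`, whereas the alpha and avr32 handlers in this patch gate their kill path on that per-mm flag. If `FSR_LNX_PF` is a synthetic fault-status bit only ever raised for PAGEEXEC-enabled mms (set elsewhere in the patch, not visible here), the check is redundant and a comment should say so: `/* FSR_LNX_PF is only set for mms with MF_PAX_PAGEEXEC, see <raising site> */`; if not, the flag check belongs here too. `__do_user_fault` starts before the hunk.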
605 diff -urNp linux-2.6.37/arch/arm/mm/mmap.c linux-2.6.37/arch/arm/mm/mmap.c
606 --- linux-2.6.37/arch/arm/mm/mmap.c 2011-01-04 19:50:19.000000000 -0500
607 +++ linux-2.6.37/arch/arm/mm/mmap.c 2011-01-17 02:41:00.000000000 -0500
608 @@ -64,6 +64,10 @@ arch_get_unmapped_area(struct file *filp
609 if (len > TASK_SIZE)
610 return -ENOMEM;
611
612 +#ifdef CONFIG_PAX_RANDMMAP
613 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
614 +#endif
615 +
616 if (addr) {
617 if (do_align)
618 addr = COLOUR_ALIGN(addr, pgoff);
619 @@ -71,15 +75,14 @@ arch_get_unmapped_area(struct file *filp
620 addr = PAGE_ALIGN(addr);
621
622 vma = find_vma(mm, addr);
623 - if (TASK_SIZE - len >= addr &&
624 - (!vma || addr + len <= vma->vm_start))
625 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
626 return addr;
627 }
628 if (len > mm->cached_hole_size) {
629 - start_addr = addr = mm->free_area_cache;
630 + start_addr = addr = mm->free_area_cache;
631 } else {
632 - start_addr = addr = TASK_UNMAPPED_BASE;
633 - mm->cached_hole_size = 0;
634 + start_addr = addr = mm->mmap_base;
635 + mm->cached_hole_size = 0;
636 }
637 /* 8 bits of randomness in 20 address space bits */
638 if (current->flags & PF_RANDOMIZE)
639 @@ -98,14 +101,14 @@ full_search:
640 * Start a new search - just in case we missed
641 * some holes.
642 */
643 - if (start_addr != TASK_UNMAPPED_BASE) {
644 - start_addr = addr = TASK_UNMAPPED_BASE;
645 + if (start_addr != mm->mmap_base) {
646 + start_addr = addr = mm->mmap_base;
647 mm->cached_hole_size = 0;
648 goto full_search;
649 }
650 return -ENOMEM;
651 }
652 - if (!vma || addr + len <= vma->vm_start) {
653 + if (check_heap_stack_gap(vma, addr, len)) {
654 /*
655 * Remember the place where we stopped the search:
656 */
657 diff -urNp linux-2.6.37/arch/arm/plat-samsung/pm.c linux-2.6.37/arch/arm/plat-samsung/pm.c
658 --- linux-2.6.37/arch/arm/plat-samsung/pm.c 2011-01-04 19:50:19.000000000 -0500
659 +++ linux-2.6.37/arch/arm/plat-samsung/pm.c 2011-01-17 02:41:00.000000000 -0500
660 @@ -355,7 +355,7 @@ static void s3c_pm_finish(void)
661 s3c_pm_check_cleanup();
662 }
663
664 -static struct platform_suspend_ops s3c_pm_ops = {
665 +static const struct platform_suspend_ops s3c_pm_ops = {
666 .enter = s3c_pm_enter,
667 .prepare = s3c_pm_prepare,
668 .finish = s3c_pm_finish,
669 diff -urNp linux-2.6.37/arch/avr32/include/asm/elf.h linux-2.6.37/arch/avr32/include/asm/elf.h
670 --- linux-2.6.37/arch/avr32/include/asm/elf.h 2011-01-04 19:50:19.000000000 -0500
671 +++ linux-2.6.37/arch/avr32/include/asm/elf.h 2011-01-17 02:41:00.000000000 -0500
672 @@ -84,8 +84,14 @@ typedef struct user_fpu_struct elf_fpreg
673 the loader. We need to make sure that it is out of the way of the program
674 that it will "exec", and that there is sufficient room for the brk. */
675
676 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
677 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
678
679 +#ifdef CONFIG_PAX_ASLR
680 +#define PAX_ELF_ET_DYN_BASE 0x00001000UL
681 +
682 +#define PAX_DELTA_MMAP_LEN 15
683 +#define PAX_DELTA_STACK_LEN 15
684 +#endif
685
686 /* This yields a mask that user programs can use to figure out what
687 instruction set this CPU supports. This could be done in user space,
688 diff -urNp linux-2.6.37/arch/avr32/include/asm/kmap_types.h linux-2.6.37/arch/avr32/include/asm/kmap_types.h
689 --- linux-2.6.37/arch/avr32/include/asm/kmap_types.h 2011-01-04 19:50:19.000000000 -0500
690 +++ linux-2.6.37/arch/avr32/include/asm/kmap_types.h 2011-01-17 02:41:00.000000000 -0500
691 @@ -22,7 +22,8 @@ D(10) KM_IRQ0,
692 D(11) KM_IRQ1,
693 D(12) KM_SOFTIRQ0,
694 D(13) KM_SOFTIRQ1,
695 -D(14) KM_TYPE_NR
696 +D(14) KM_CLEARPAGE,
697 +D(15) KM_TYPE_NR
698 };
699
700 #undef D
701 diff -urNp linux-2.6.37/arch/avr32/mach-at32ap/pm.c linux-2.6.37/arch/avr32/mach-at32ap/pm.c
702 --- linux-2.6.37/arch/avr32/mach-at32ap/pm.c 2011-01-04 19:50:19.000000000 -0500
703 +++ linux-2.6.37/arch/avr32/mach-at32ap/pm.c 2011-01-17 02:41:00.000000000 -0500
704 @@ -176,7 +176,7 @@ out:
705 return 0;
706 }
707
708 -static struct platform_suspend_ops avr32_pm_ops = {
709 +static const struct platform_suspend_ops avr32_pm_ops = {
710 .valid = avr32_pm_valid_state,
711 .enter = avr32_pm_enter,
712 };
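--- linux-2.6.37/arch/avr32/mm/fault.c
+++ linux-2.6.37/arch/avr32/mm/fault.c
@@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
 
 int exception_trace = 1;
 
+#ifdef CONFIG_PAX_PAGEEXEC
+void pax_report_insns(void *pc, void *sp)
+{
+ unsigned long i;
+
+ printk(KERN_ERR "PAX: bytes at PC: ");
+ for (i = 0; i < 20; i++) {
+ unsigned char c;
+ if (get_user(c, (unsigned char *)pc+i))
+ printk(KERN_CONT "???????? ");
+ else
+ printk(KERN_CONT "%02x ", c);
+ }
+ printk("\n");
+}
+#endif
+
 /*
 * This routine handles page faults. It determines the address and the
 * problem, and then passes it off to one of the appropriate routines.
@@ -156,6 +173,16 @@ bad_area:
 up_read(&mm->mmap_sem);
 
 if (user_mode(regs)) {
+
+#ifdef CONFIG_PAX_PAGEEXEC
+ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
+ if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
+ pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
+ do_group_exit(SIGKILL);
+ }
+ }
+#endif
+
 if (exception_trace && printk_ratelimit())
 printk("%s%s[%d]: segfault at %08lx pc %08lx "
 "sp %08lx ecr %lu\n",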
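Review bot: `pax_report_insns` prints `???????? ` (eight characters) for an unreadable byte but `%02x ` (two) for a readable one, so the dump columns no longer line up; the arm version in this patch uses `?? ` for its byte loop. Change the failure branch to `printk(KERN_CONT "?? ");`. The `sp` parameter is unused here (arm dumps the stack as well), and the `(unsigned char *)pc+i` cast lacks `__user`, so sparse will warn; `(__force unsigned char __user *)pc+i` matches the arm form.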
757 diff -urNp linux-2.6.37/arch/blackfin/kernel/kgdb.c linux-2.6.37/arch/blackfin/kernel/kgdb.c
758 --- linux-2.6.37/arch/blackfin/kernel/kgdb.c 2011-01-04 19:50:19.000000000 -0500
759 +++ linux-2.6.37/arch/blackfin/kernel/kgdb.c 2011-01-17 02:41:00.000000000 -0500
760 @@ -397,7 +397,7 @@ int kgdb_arch_handle_exception(int vecto
761 return -1; /* this means that we do not want to exit from the handler */
762 }
763
764 -struct kgdb_arch arch_kgdb_ops = {
765 +const struct kgdb_arch arch_kgdb_ops = {
766 .gdb_bpt_instr = {0xa1},
767 #ifdef CONFIG_SMP
768 .flags = KGDB_HW_BREAKPOINT|KGDB_THR_PROC_SWAP,
769 diff -urNp linux-2.6.37/arch/blackfin/mach-common/pm.c linux-2.6.37/arch/blackfin/mach-common/pm.c
770 --- linux-2.6.37/arch/blackfin/mach-common/pm.c 2011-01-04 19:50:19.000000000 -0500
771 +++ linux-2.6.37/arch/blackfin/mach-common/pm.c 2011-01-17 02:41:00.000000000 -0500
772 @@ -233,7 +233,7 @@ static int bfin_pm_enter(suspend_state_t
773 return 0;
774 }
775
776 -struct platform_suspend_ops bfin_pm_ops = {
777 +const struct platform_suspend_ops bfin_pm_ops = {
778 .enter = bfin_pm_enter,
779 .valid = bfin_pm_valid,
780 };
781 diff -urNp linux-2.6.37/arch/blackfin/mm/maccess.c linux-2.6.37/arch/blackfin/mm/maccess.c
782 --- linux-2.6.37/arch/blackfin/mm/maccess.c 2011-01-04 19:50:19.000000000 -0500
783 +++ linux-2.6.37/arch/blackfin/mm/maccess.c 2011-01-17 02:41:00.000000000 -0500
784 @@ -16,7 +16,7 @@ static int validate_memory_access_addres
785 return bfin_mem_access_type(addr, size);
786 }
787
788 -long probe_kernel_read(void *dst, void *src, size_t size)
789 +long probe_kernel_read(void *dst, const void *src, size_t size)
790 {
791 unsigned long lsrc = (unsigned long)src;
792 int mem_type;
793 @@ -55,7 +55,7 @@ long probe_kernel_read(void *dst, void *
794 return -EFAULT;
795 }
796
797 -long probe_kernel_write(void *dst, void *src, size_t size)
798 +long probe_kernel_write(void *dst, const void *src, size_t size)
799 {
800 unsigned long ldst = (unsigned long)dst;
801 int mem_type;
802 diff -urNp linux-2.6.37/arch/frv/include/asm/kmap_types.h linux-2.6.37/arch/frv/include/asm/kmap_types.h
803 --- linux-2.6.37/arch/frv/include/asm/kmap_types.h 2011-01-04 19:50:19.000000000 -0500
804 +++ linux-2.6.37/arch/frv/include/asm/kmap_types.h 2011-01-17 02:41:00.000000000 -0500
805 @@ -23,6 +23,7 @@ enum km_type {
806 KM_IRQ1,
807 KM_SOFTIRQ0,
808 KM_SOFTIRQ1,
809 + KM_CLEARPAGE,
810 KM_TYPE_NR
811 };
812
813 diff -urNp linux-2.6.37/arch/frv/mm/elf-fdpic.c linux-2.6.37/arch/frv/mm/elf-fdpic.c
814 --- linux-2.6.37/arch/frv/mm/elf-fdpic.c 2011-01-04 19:50:19.000000000 -0500
815 +++ linux-2.6.37/arch/frv/mm/elf-fdpic.c 2011-01-17 02:41:00.000000000 -0500
816 @@ -73,8 +73,7 @@ unsigned long arch_get_unmapped_area(str
817 if (addr) {
818 addr = PAGE_ALIGN(addr);
819 vma = find_vma(current->mm, addr);
820 - if (TASK_SIZE - len >= addr &&
821 - (!vma || addr + len <= vma->vm_start))
822 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
823 goto success;
824 }
825
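Review bot: In this hunk `vma` comes straight from `find_vma()` and may be NULL, and the deleted condition handled that explicitly with `!vma ||`; the replacement `check_heap_stack_gap(vma, addr, len)` now has to tolerate a NULL vma itself. Its definition is not in this hunk, so I cannot confirm it does; if it dereferences `vma` unconditionally, the first hinted mmap above every existing mapping dereferences NULL. A call-site comment such as `/* vma may be NULL here: check_heap_stack_gap() must treat that as "gap is free" */` would make the contract visible; the two later loops in this file only call it with a non-NULL vma, so they do not exercise that case. arch_get_unmapped_area starts and ends outside the hunk.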
826 @@ -89,7 +88,7 @@ unsigned long arch_get_unmapped_area(str
827 for (; vma; vma = vma->vm_next) {
828 if (addr > limit)
829 break;
830 - if (addr + len <= vma->vm_start)
831 + if (check_heap_stack_gap(vma, addr, len))
832 goto success;
833 addr = vma->vm_end;
834 }
835 @@ -104,7 +103,7 @@ unsigned long arch_get_unmapped_area(str
836 for (; vma; vma = vma->vm_next) {
837 if (addr > limit)
838 break;
839 - if (addr + len <= vma->vm_start)
840 + if (check_heap_stack_gap(vma, addr, len))
841 goto success;
842 addr = vma->vm_end;
843 }
844 diff -urNp linux-2.6.37/arch/ia64/hp/common/hwsw_iommu.c linux-2.6.37/arch/ia64/hp/common/hwsw_iommu.c
845 --- linux-2.6.37/arch/ia64/hp/common/hwsw_iommu.c 2011-01-04 19:50:19.000000000 -0500
846 +++ linux-2.6.37/arch/ia64/hp/common/hwsw_iommu.c 2011-01-17 02:41:00.000000000 -0500
847 @@ -17,7 +17,7 @@
848 #include <linux/swiotlb.h>
849 #include <asm/machvec.h>
850
851 -extern struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
852 +extern const struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
853
854 /* swiotlb declarations & definitions: */
855 extern int swiotlb_late_init_with_default_size (size_t size);
856 @@ -33,7 +33,7 @@ static inline int use_swiotlb(struct dev
857 !sba_dma_ops.dma_supported(dev, *dev->dma_mask);
858 }
859
860 -struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
861 +const struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
862 {
863 if (use_swiotlb(dev))
864 return &swiotlb_dma_ops;
865 diff -urNp linux-2.6.37/arch/ia64/hp/common/sba_iommu.c linux-2.6.37/arch/ia64/hp/common/sba_iommu.c
866 --- linux-2.6.37/arch/ia64/hp/common/sba_iommu.c 2011-01-04 19:50:19.000000000 -0500
867 +++ linux-2.6.37/arch/ia64/hp/common/sba_iommu.c 2011-01-17 02:41:00.000000000 -0500
868 @@ -2097,7 +2097,7 @@ static struct acpi_driver acpi_sba_ioc_d
869 },
870 };
871
872 -extern struct dma_map_ops swiotlb_dma_ops;
873 +extern const struct dma_map_ops swiotlb_dma_ops;
874
875 static int __init
876 sba_init(void)
877 @@ -2211,7 +2211,7 @@ sba_page_override(char *str)
878
879 __setup("sbapagesize=",sba_page_override);
880
881 -struct dma_map_ops sba_dma_ops = {
882 +const struct dma_map_ops sba_dma_ops = {
883 .alloc_coherent = sba_alloc_coherent,
884 .free_coherent = sba_free_coherent,
885 .map_page = sba_map_page,
886 diff -urNp linux-2.6.37/arch/ia64/include/asm/dma-mapping.h linux-2.6.37/arch/ia64/include/asm/dma-mapping.h
887 --- linux-2.6.37/arch/ia64/include/asm/dma-mapping.h 2011-01-04 19:50:19.000000000 -0500
888 +++ linux-2.6.37/arch/ia64/include/asm/dma-mapping.h 2011-01-17 02:41:00.000000000 -0500
889 @@ -12,7 +12,7 @@
890
891 #define ARCH_HAS_DMA_GET_REQUIRED_MASK
892
893 -extern struct dma_map_ops *dma_ops;
894 +extern const struct dma_map_ops *dma_ops;
895 extern struct ia64_machine_vector ia64_mv;
896 extern void set_iommu_machvec(void);
897
898 @@ -24,7 +24,7 @@ extern void machvec_dma_sync_sg(struct d
899 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
900 dma_addr_t *daddr, gfp_t gfp)
901 {
902 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
903 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
904 void *caddr;
905
906 caddr = ops->alloc_coherent(dev, size, daddr, gfp);
907 @@ -35,7 +35,7 @@ static inline void *dma_alloc_coherent(s
908 static inline void dma_free_coherent(struct device *dev, size_t size,
909 void *caddr, dma_addr_t daddr)
910 {
911 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
912 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
913 debug_dma_free_coherent(dev, size, caddr, daddr);
914 ops->free_coherent(dev, size, caddr, daddr);
915 }
916 @@ -49,13 +49,13 @@ static inline void dma_free_coherent(str
917
918 static inline int dma_mapping_error(struct device *dev, dma_addr_t daddr)
919 {
920 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
921 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
922 return ops->mapping_error(dev, daddr);
923 }
924
925 static inline int dma_supported(struct device *dev, u64 mask)
926 {
927 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
928 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
929 return ops->dma_supported(dev, mask);
930 }
931
932 diff -urNp linux-2.6.37/arch/ia64/include/asm/elf.h linux-2.6.37/arch/ia64/include/asm/elf.h
933 --- linux-2.6.37/arch/ia64/include/asm/elf.h 2011-01-04 19:50:19.000000000 -0500
934 +++ linux-2.6.37/arch/ia64/include/asm/elf.h 2011-01-17 02:41:00.000000000 -0500
935 @@ -42,6 +42,13 @@
936 */
937 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x800000000UL)
938
939 +#ifdef CONFIG_PAX_ASLR
940 +#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
941 +
942 +#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
943 +#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
944 +#endif
945 +
946 #define PT_IA_64_UNWIND 0x70000001
947
948 /* IA-64 relocations: */
949 diff -urNp linux-2.6.37/arch/ia64/include/asm/machvec.h linux-2.6.37/arch/ia64/include/asm/machvec.h
950 --- linux-2.6.37/arch/ia64/include/asm/machvec.h 2011-01-04 19:50:19.000000000 -0500
951 +++ linux-2.6.37/arch/ia64/include/asm/machvec.h 2011-01-17 02:41:00.000000000 -0500
952 @@ -45,7 +45,7 @@ typedef void ia64_mv_kernel_launch_event
953 /* DMA-mapping interface: */
954 typedef void ia64_mv_dma_init (void);
955 typedef u64 ia64_mv_dma_get_required_mask (struct device *);
956 -typedef struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
957 +typedef const struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
958
959 /*
960 * WARNING: The legacy I/O space is _architected_. Platforms are
961 @@ -251,7 +251,7 @@ extern void machvec_init_from_cmdline(co
962 # endif /* CONFIG_IA64_GENERIC */
963
964 extern void swiotlb_dma_init(void);
965 -extern struct dma_map_ops *dma_get_ops(struct device *);
966 +extern const struct dma_map_ops *dma_get_ops(struct device *);
967
968 /*
969 * Define default versions so we can extend machvec for new platforms without having
970 diff -urNp linux-2.6.37/arch/ia64/include/asm/pgtable.h linux-2.6.37/arch/ia64/include/asm/pgtable.h
971 --- linux-2.6.37/arch/ia64/include/asm/pgtable.h 2011-01-04 19:50:19.000000000 -0500
972 +++ linux-2.6.37/arch/ia64/include/asm/pgtable.h 2011-01-17 02:41:00.000000000 -0500
973 @@ -12,7 +12,7 @@
974 * David Mosberger-Tang <davidm@hpl.hp.com>
975 */
976
977 -
978 +#include <linux/const.h>
979 #include <asm/mman.h>
980 #include <asm/page.h>
981 #include <asm/processor.h>
982 @@ -143,6 +143,17 @@
983 #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
984 #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
985 #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
986 +
987 +#ifdef CONFIG_PAX_PAGEEXEC
988 +# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
989 +# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
990 +# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
991 +#else
992 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
993 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
994 +# define PAGE_COPY_NOEXEC PAGE_COPY
995 +#endif
996 +
997 #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
998 #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
999 #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
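Review bot: Under CONFIG_PAX_PAGEEXEC the new `PAGE_READONLY_NOEXEC` and `PAGE_COPY_NOEXEC` expand to exactly the same bits as the `PAGE_READONLY` and `PAGE_COPY` definitions just above them (`__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R`), so for those two the `#ifdef` distinguishes nothing and a reader will wonder whether an execute-less variant of something else was intended. If the point is that ia64's read-only and copy access rights already exclude execute and the NOEXEC names exist only so arch-independent PAGEEXEC code can refer to them, say so next to the block: `/* ia64 R/RW access rights already exclude execute; these aliases exist for generic PAGEEXEC code */`. `PAGE_SHARED` is not visible here, so I have not checked whether `PAGE_SHARED_NOEXEC` actually differs from it.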
1000 diff -urNp linux-2.6.37/arch/ia64/include/asm/uaccess.h linux-2.6.37/arch/ia64/include/asm/uaccess.h
1001 --- linux-2.6.37/arch/ia64/include/asm/uaccess.h 2011-01-04 19:50:19.000000000 -0500
1002 +++ linux-2.6.37/arch/ia64/include/asm/uaccess.h 2011-01-17 02:41:00.000000000 -0500
1003 @@ -257,7 +257,7 @@ __copy_from_user (void *to, const void _
1004 const void *__cu_from = (from); \
1005 long __cu_len = (n); \
1006 \
1007 - if (__access_ok(__cu_to, __cu_len, get_fs())) \
1008 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) \
1009 __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len); \
1010 __cu_len; \
1011 })
1012 @@ -269,7 +269,7 @@ __copy_from_user (void *to, const void _
1013 long __cu_len = (n); \
1014 \
1015 __chk_user_ptr(__cu_from); \
1016 - if (__access_ok(__cu_from, __cu_len, get_fs())) \
1017 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) \
1018 __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
1019 __cu_len; \
1020 })
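Review bot: The new `__cu_len > 0 && __cu_len <= INT_MAX` guard in both copy macros is undocumented, and the reason for the upper bound in particular is not obvious from the surrounding lines; when it fails the macro yields `__cu_len` unchanged, which matches the "bytes not copied" convention, so callers see a full failure rather than an error code. A short comment would save the next reader from guessing, e.g. `/* refuse zero and absurd lengths before access_ok(): a huge or wrapped-negative n must not reach __copy_user */`. Whether `INT_MAX` is already in scope in this header cannot be seen from the hunk; if it is not, the include that provides it needs to come with this change.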
1021 diff -urNp linux-2.6.37/arch/ia64/kernel/dma-mapping.c linux-2.6.37/arch/ia64/kernel/dma-mapping.c
1022 --- linux-2.6.37/arch/ia64/kernel/dma-mapping.c 2011-01-04 19:50:19.000000000 -0500
1023 +++ linux-2.6.37/arch/ia64/kernel/dma-mapping.c 2011-01-17 02:41:00.000000000 -0500
1024 @@ -3,7 +3,7 @@
1025 /* Set this to 1 if there is a HW IOMMU in the system */
1026 int iommu_detected __read_mostly;
1027
1028 -struct dma_map_ops *dma_ops;
1029 +const struct dma_map_ops *dma_ops;
1030 EXPORT_SYMBOL(dma_ops);
1031
1032 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
1033 @@ -16,7 +16,7 @@ static int __init dma_init(void)
1034 }
1035 fs_initcall(dma_init);
1036
1037 -struct dma_map_ops *dma_get_ops(struct device *dev)
1038 +const struct dma_map_ops *dma_get_ops(struct device *dev)
1039 {
1040 return dma_ops;
1041 }
1042 diff -urNp linux-2.6.37/arch/ia64/kernel/module.c linux-2.6.37/arch/ia64/kernel/module.c
1043 --- linux-2.6.37/arch/ia64/kernel/module.c 2011-01-04 19:50:19.000000000 -0500
1044 +++ linux-2.6.37/arch/ia64/kernel/module.c 2011-01-17 02:41:00.000000000 -0500
1045 @@ -315,8 +315,7 @@ module_alloc (unsigned long size)
1046 void
1047 module_free (struct module *mod, void *module_region)
1048 {
1049 - if (mod && mod->arch.init_unw_table &&
1050 - module_region == mod->module_init) {
1051 + if (mod && mod->arch.init_unw_table && module_region == mod->module_init_rx) {
1052 unw_remove_unwind_table(mod->arch.init_unw_table);
1053 mod->arch.init_unw_table = NULL;
1054 }
1055 @@ -502,15 +501,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
1056 }
1057
1058 static inline int
1059 +in_init_rx (const struct module *mod, uint64_t addr)
1060 +{
1061 + return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
1062 +}
1063 +
1064 +static inline int
1065 +in_init_rw (const struct module *mod, uint64_t addr)
1066 +{
1067 + return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
1068 +}
1069 +
1070 +static inline int
1071 in_init (const struct module *mod, uint64_t addr)
1072 {
1073 - return addr - (uint64_t) mod->module_init < mod->init_size;
1074 + return in_init_rx(mod, addr) || in_init_rw(mod, addr);
1075 +}
1076 +
1077 +static inline int
1078 +in_core_rx (const struct module *mod, uint64_t addr)
1079 +{
1080 + return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
1081 +}
1082 +
1083 +static inline int
1084 +in_core_rw (const struct module *mod, uint64_t addr)
1085 +{
1086 + return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
1087 }
1088
1089 static inline int
1090 in_core (const struct module *mod, uint64_t addr)
1091 {
1092 - return addr - (uint64_t) mod->module_core < mod->core_size;
1093 + return in_core_rx(mod, addr) || in_core_rw(mod, addr);
1094 }
1095
1096 static inline int
1097 @@ -693,7 +716,14 @@ do_reloc (struct module *mod, uint8_t r_
1098 break;
1099
1100 case RV_BDREL:
1101 - val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
1102 + if (in_init_rx(mod, val))
1103 + val -= (uint64_t) mod->module_init_rx;
1104 + else if (in_init_rw(mod, val))
1105 + val -= (uint64_t) mod->module_init_rw;
1106 + else if (in_core_rx(mod, val))
1107 + val -= (uint64_t) mod->module_core_rx;
1108 + else if (in_core_rw(mod, val))
1109 + val -= (uint64_t) mod->module_core_rw;
1110 break;
1111
1112 case RV_LTV:
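Review bot: The new RV_BDREL chain has no final `else`, so a value that falls in none of the four init/core ranges is left unrelocated and processing silently continues, whereas the original `in_init(mod, val) ? mod->module_init : mod->module_core` always subtracted a base. If such a value can reach this case (the caller's range checks are outside the hunk), an unrelocated absolute value is the kind of silent corruption that is hard to diagnose later; I would add `else { printk(KERN_ERR "%s: RV_BDREL value out of module range\n", mod->name); return -ENOEXEC; }`, assuming do_reloc's callers already treat a negative return as failure, which I cannot confirm from this hunk. If the fall-through is genuinely impossible, a one-line comment saying why would do instead. do_reloc begins and ends outside the hunk.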
1113 @@ -828,15 +858,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
1114 * addresses have been selected...
1115 */
1116 uint64_t gp;
1117 - if (mod->core_size > MAX_LTOFF)
1118 + if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
1119 /*
1120 * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
1121 * at the end of the module.
1122 */
1123 - gp = mod->core_size - MAX_LTOFF / 2;
1124 + gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
1125 else
1126 - gp = mod->core_size / 2;
1127 - gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
1128 + gp = (mod->core_size_rx + mod->core_size_rw) / 2;
1129 + gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
1130 mod->arch.gp = gp;
1131 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
1132 }
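Review bot: The rewritten gp placement, `gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8)` with `gp` derived from `core_size_rx + core_size_rw`, treats the two core regions as one contiguous block starting at `module_core_rx`, which is only correct if the RW part is laid out directly after the RX part. If `module_core_rx` and `module_core_rw` are separate allocations (their setup is not visible here), both the midpoint case and the `MAX_LTOFF / 2` case can land gp outside either region, and the existing comment about SHF_ARCH_SMALL being "at the end of the module" no longer identifies which end. Either document the assumption at the computation, e.g. `/* assumes module_core_rw immediately follows module_core_rx */`, or compute gp relative to whichever region actually holds the small-data section. apply_relocate_add starts outside the hunk.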
1133 diff -urNp linux-2.6.37/arch/ia64/kernel/pci-dma.c linux-2.6.37/arch/ia64/kernel/pci-dma.c
1134 --- linux-2.6.37/arch/ia64/kernel/pci-dma.c 2011-01-04 19:50:19.000000000 -0500
1135 +++ linux-2.6.37/arch/ia64/kernel/pci-dma.c 2011-01-17 02:41:00.000000000 -0500
1136 @@ -43,7 +43,7 @@ struct device fallback_dev = {
1137 .dma_mask = &fallback_dev.coherent_dma_mask,
1138 };
1139
1140 -extern struct dma_map_ops intel_dma_ops;
1141 +extern const struct dma_map_ops intel_dma_ops;
1142
1143 static int __init pci_iommu_init(void)
1144 {
1145 diff -urNp linux-2.6.37/arch/ia64/kernel/pci-swiotlb.c linux-2.6.37/arch/ia64/kernel/pci-swiotlb.c
1146 --- linux-2.6.37/arch/ia64/kernel/pci-swiotlb.c 2011-01-04 19:50:19.000000000 -0500
1147 +++ linux-2.6.37/arch/ia64/kernel/pci-swiotlb.c 2011-01-17 02:41:00.000000000 -0500
1148 @@ -22,7 +22,7 @@ static void *ia64_swiotlb_alloc_coherent
1149 return swiotlb_alloc_coherent(dev, size, dma_handle, gfp);
1150 }
1151
1152 -struct dma_map_ops swiotlb_dma_ops = {
1153 +const struct dma_map_ops swiotlb_dma_ops = {
1154 .alloc_coherent = ia64_swiotlb_alloc_coherent,
1155 .free_coherent = swiotlb_free_coherent,
1156 .map_page = swiotlb_map_page,
1157 diff -urNp linux-2.6.37/arch/ia64/kernel/sys_ia64.c linux-2.6.37/arch/ia64/kernel/sys_ia64.c
1158 --- linux-2.6.37/arch/ia64/kernel/sys_ia64.c 2011-01-04 19:50:19.000000000 -0500
1159 +++ linux-2.6.37/arch/ia64/kernel/sys_ia64.c 2011-01-17 02:41:00.000000000 -0500
1160 @@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
1161 if (REGION_NUMBER(addr) == RGN_HPAGE)
1162 addr = 0;
1163 #endif
1164 +
1165 +#ifdef CONFIG_PAX_RANDMMAP
1166 + if (mm->pax_flags & MF_PAX_RANDMMAP)
1167 + addr = mm->free_area_cache;
1168 + else
1169 +#endif
1170 +
1171 if (!addr)
1172 addr = mm->free_area_cache;
1173
1174 @@ -61,14 +68,14 @@ arch_get_unmapped_area (struct file *fil
1175 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
1176 /* At this point: (!vma || addr < vma->vm_end). */
1177 if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
1178 - if (start_addr != TASK_UNMAPPED_BASE) {
1179 + if (start_addr != mm->mmap_base) {
1180 /* Start a new search --- just in case we missed some holes. */
1181 - addr = TASK_UNMAPPED_BASE;
1182 + addr = mm->mmap_base;
1183 goto full_search;
1184 }
1185 return -ENOMEM;
1186 }
1187 - if (!vma || addr + len <= vma->vm_start) {
1188 + if (check_heap_stack_gap(vma, addr, len)) {
1189 /* Remember the address where we stopped this search: */
1190 mm->free_area_cache = addr + len;
1191 return addr;
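Review bot: The retry test now compares `start_addr` against `mm->mmap_base`, but `start_addr` is assigned before this hunk and I cannot see whether its initialization was moved off `TASK_UNMAPPED_BASE` as well; if it was not, the "start a new search" path either never fires or restarts from a base the first pass never used. Please confirm the assignment site matches, and consider a comment at the restart: `/* start_addr and mmap_base must agree, otherwise this retry is dead */`. The same hunk also hands a possibly-NULL `vma` (the loop runs on `find_vma()` output) to `check_heap_stack_gap()`, where the removed `!vma ||` used to guard it, so that helper must accept NULL. arch_get_unmapped_area starts outside the hunk.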
1192 diff -urNp linux-2.6.37/arch/ia64/kernel/vmlinux.lds.S linux-2.6.37/arch/ia64/kernel/vmlinux.lds.S
1193 --- linux-2.6.37/arch/ia64/kernel/vmlinux.lds.S 2011-01-04 19:50:19.000000000 -0500
1194 +++ linux-2.6.37/arch/ia64/kernel/vmlinux.lds.S 2011-01-17 02:41:00.000000000 -0500
1195 @@ -199,7 +199,7 @@ SECTIONS {
1196 /* Per-cpu data: */
1197 . = ALIGN(PERCPU_PAGE_SIZE);
1198 PERCPU_VADDR(PERCPU_ADDR, :percpu)
1199 - __phys_per_cpu_start = __per_cpu_load;
1200 + __phys_per_cpu_start = per_cpu_load;
1201 /*
1202 * ensure percpu data fits
1203 * into percpu page size
1204 diff -urNp linux-2.6.37/arch/ia64/mm/fault.c linux-2.6.37/arch/ia64/mm/fault.c
1205 --- linux-2.6.37/arch/ia64/mm/fault.c 2011-01-04 19:50:19.000000000 -0500
1206 +++ linux-2.6.37/arch/ia64/mm/fault.c 2011-01-17 02:41:00.000000000 -0500
1207 @@ -72,6 +72,23 @@ mapped_kernel_page_is_present (unsigned
1208 return pte_present(pte);
1209 }
1210
1211 +#ifdef CONFIG_PAX_PAGEEXEC
1212 +void pax_report_insns(void *pc, void *sp)
1213 +{
1214 + unsigned long i;
1215 +
1216 + printk(KERN_ERR "PAX: bytes at PC: ");
1217 + for (i = 0; i < 8; i++) {
1218 + unsigned int c;
1219 + if (get_user(c, (unsigned int *)pc+i))
1220 + printk(KERN_CONT "???????? ");
1221 + else
1222 + printk(KERN_CONT "%08x ", c);
1223 + }
1224 + printk("\n");
1225 +}
1226 +#endif
1227 +
1228 void __kprobes
1229 ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
1230 {
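Review bot: `pax_report_insns` hands `(unsigned int *)pc+i` to `get_user()`, but `pc` is the faulting user PC, so the pointer should carry the user address-space annotation — `get_user(c, (unsigned int __user *)pc + i)` — otherwise sparse reports an address-space mismatch on every call. The closing `printk("\n")` has no `KERN_CONT`, so depending on how the console handles unprefixed messages it may start a new record and split the "bytes at PC" line; `printk(KERN_CONT "\n")` keeps the dump on one line. A one-line header comment would also help: `/* dump the eight 32-bit words at the user PC for the PAGEEXEC report; "????????" marks unreadable words */`.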
1231 @@ -145,9 +162,23 @@ ia64_do_page_fault (unsigned long addres
1232 mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
1233 | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
1234
1235 - if ((vma->vm_flags & mask) != mask)
1236 + if ((vma->vm_flags & mask) != mask) {
1237 +
1238 +#ifdef CONFIG_PAX_PAGEEXEC
1239 + if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
1240 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
1241 + goto bad_area;
1242 +
1243 + up_read(&mm->mmap_sem);
1244 + pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
1245 + do_group_exit(SIGKILL);
1246 + }
1247 +#endif
1248 +
1249 goto bad_area;
1250
1251 + }
1252 +
1253 /*
1254 * If for any reason at all we couldn't handle the fault, make
1255 * sure we exit gracefully rather than endlessly redo the
1256 diff -urNp linux-2.6.37/arch/ia64/mm/hugetlbpage.c linux-2.6.37/arch/ia64/mm/hugetlbpage.c
1257 --- linux-2.6.37/arch/ia64/mm/hugetlbpage.c 2011-01-04 19:50:19.000000000 -0500
1258 +++ linux-2.6.37/arch/ia64/mm/hugetlbpage.c 2011-01-17 02:41:00.000000000 -0500
1259 @@ -171,7 +171,7 @@ unsigned long hugetlb_get_unmapped_area(
1260 /* At this point: (!vmm || addr < vmm->vm_end). */
1261 if (REGION_OFFSET(addr) + len > RGN_MAP_LIMIT)
1262 return -ENOMEM;
1263 - if (!vmm || (addr + len) <= vmm->vm_start)
1264 + if (check_heap_stack_gap(vmm, addr, len))
1265 return addr;
1266 addr = ALIGN(vmm->vm_end, HPAGE_SIZE);
1267 }
1268 diff -urNp linux-2.6.37/arch/ia64/mm/init.c linux-2.6.37/arch/ia64/mm/init.c
1269 --- linux-2.6.37/arch/ia64/mm/init.c 2011-01-04 19:50:19.000000000 -0500
1270 +++ linux-2.6.37/arch/ia64/mm/init.c 2011-01-17 02:41:00.000000000 -0500
1271 @@ -122,6 +122,19 @@ ia64_init_addr_space (void)
1272 vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
1273 vma->vm_end = vma->vm_start + PAGE_SIZE;
1274 vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
1275 +
1276 +#ifdef CONFIG_PAX_PAGEEXEC
1277 + if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
1278 + vma->vm_flags &= ~VM_EXEC;
1279 +
1280 +#ifdef CONFIG_PAX_MPROTECT
1281 + if (current->mm->pax_flags & MF_PAX_MPROTECT)
1282 + vma->vm_flags &= ~VM_MAYEXEC;
1283 +#endif
1284 +
1285 + }
1286 +#endif
1287 +
1288 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
1289 down_write(&current->mm->mmap_sem);
1290 if (insert_vm_struct(current->mm, vma)) {
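Review bot: The PAGEEXEC block clears `VM_EXEC` (and, with MPROTECT, `VM_MAYEXEC`) on the vma being assembled here without saying what that vma is; the surrounding context places it at `current->thread.rbs_bot`, which the name suggests is the register backing store, but nothing in the hunk states that. A comment at the `#ifdef` would make the intent explicit: `/* PAGEEXEC: the RBS holds spilled registers, never code; deny execute now and, under MPROTECT, forbid turning it on later */`. ia64_init_addr_space starts and ends outside the hunk.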
1291 diff -urNp linux-2.6.37/arch/ia64/sn/pci/pci_dma.c linux-2.6.37/arch/ia64/sn/pci/pci_dma.c
1292 --- linux-2.6.37/arch/ia64/sn/pci/pci_dma.c 2011-01-04 19:50:19.000000000 -0500
1293 +++ linux-2.6.37/arch/ia64/sn/pci/pci_dma.c 2011-01-17 02:41:00.000000000 -0500
1294 @@ -465,7 +465,7 @@ int sn_pci_legacy_write(struct pci_bus *
1295 return ret;
1296 }
1297
1298 -static struct dma_map_ops sn_dma_ops = {
1299 +static const struct dma_map_ops sn_dma_ops = {
1300 .alloc_coherent = sn_dma_alloc_coherent,
1301 .free_coherent = sn_dma_free_coherent,
1302 .map_page = sn_dma_map_page,
1303 diff -urNp linux-2.6.37/arch/m32r/lib/usercopy.c linux-2.6.37/arch/m32r/lib/usercopy.c
1304 --- linux-2.6.37/arch/m32r/lib/usercopy.c 2011-01-04 19:50:19.000000000 -0500
1305 +++ linux-2.6.37/arch/m32r/lib/usercopy.c 2011-01-17 02:41:00.000000000 -0500
1306 @@ -14,6 +14,9 @@
1307 unsigned long
1308 __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
1309 {
1310 + if ((long)n < 0)
1311 + return n;
1312 +
1313 prefetch(from);
1314 if (access_ok(VERIFY_WRITE, to, n))
1315 __copy_user(to,from,n);
1316 @@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to,
1317 unsigned long
1318 __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
1319 {
1320 + if ((long)n < 0)
1321 + return n;
1322 +
1323 prefetchw(to);
1324 if (access_ok(VERIFY_READ, from, n))
1325 __copy_user_zeroing(to,from,n);
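Review bot: The new `if ((long)n < 0) return n;` guard at the top of both copy routines is unexplained, and `n` is an `unsigned long`, so the signed cast is the only hint that a "negative" length is being rejected. A comment would spare the reader the deduction, e.g. `/* a length with the top bit set is a wrapped or negative size, not a real request: report everything as not copied */`; returning `n` does follow the "bytes not copied" convention the callers already expect. Note the early return skips `prefetch`/`access_ok` entirely, which is the same outcome an `access_ok()` failure would produce here, so no zero-fill behaviour is lost.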
1326 diff -urNp linux-2.6.37/arch/microblaze/include/asm/device.h linux-2.6.37/arch/microblaze/include/asm/device.h
1327 --- linux-2.6.37/arch/microblaze/include/asm/device.h 2011-01-04 19:50:19.000000000 -0500
1328 +++ linux-2.6.37/arch/microblaze/include/asm/device.h 2011-01-17 02:41:00.000000000 -0500
1329 @@ -13,7 +13,7 @@ struct device_node;
1330
1331 struct dev_archdata {
1332 /* DMA operations on that device */
1333 - struct dma_map_ops *dma_ops;
1334 + const struct dma_map_ops *dma_ops;
1335 void *dma_data;
1336 };
1337
1338 diff -urNp linux-2.6.37/arch/microblaze/include/asm/dma-mapping.h linux-2.6.37/arch/microblaze/include/asm/dma-mapping.h
1339 --- linux-2.6.37/arch/microblaze/include/asm/dma-mapping.h 2011-01-04 19:50:19.000000000 -0500
1340 +++ linux-2.6.37/arch/microblaze/include/asm/dma-mapping.h 2011-01-17 02:41:00.000000000 -0500
1341 @@ -43,14 +43,14 @@ static inline unsigned long device_to_ma
1342 return 0xfffffffful;
1343 }
1344
1345 -extern struct dma_map_ops *dma_ops;
1346 +extern const struct dma_map_ops *dma_ops;
1347
1348 /*
1349 * Available generic sets of operations
1350 */
1351 -extern struct dma_map_ops dma_direct_ops;
1352 +extern const struct dma_map_ops dma_direct_ops;
1353
1354 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
1355 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
1356 {
1357 /* We don't handle the NULL dev case for ISA for now. We could
1358 * do it via an out of line call but it is not needed for now. The
1359 @@ -63,14 +63,14 @@ static inline struct dma_map_ops *get_dm
1360 return dev->archdata.dma_ops;
1361 }
1362
1363 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
1364 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
1365 {
1366 dev->archdata.dma_ops = ops;
1367 }
1368
1369 static inline int dma_supported(struct device *dev, u64 mask)
1370 {
1371 - struct dma_map_ops *ops = get_dma_ops(dev);
1372 + const struct dma_map_ops *ops = get_dma_ops(dev);
1373
1374 if (unlikely(!ops))
1375 return 0;
1376 @@ -81,7 +81,7 @@ static inline int dma_supported(struct d
1377
1378 static inline int dma_set_mask(struct device *dev, u64 dma_mask)
1379 {
1380 - struct dma_map_ops *ops = get_dma_ops(dev);
1381 + const struct dma_map_ops *ops = get_dma_ops(dev);
1382
1383 if (unlikely(ops == NULL))
1384 return -EIO;
1385 @@ -97,7 +97,7 @@ static inline int dma_set_mask(struct de
1386
1387 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
1388 {
1389 - struct dma_map_ops *ops = get_dma_ops(dev);
1390 + const struct dma_map_ops *ops = get_dma_ops(dev);
1391 if (ops->mapping_error)
1392 return ops->mapping_error(dev, dma_addr);
1393
1394 @@ -110,7 +110,7 @@ static inline int dma_mapping_error(stru
1395 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
1396 dma_addr_t *dma_handle, gfp_t flag)
1397 {
1398 - struct dma_map_ops *ops = get_dma_ops(dev);
1399 + const struct dma_map_ops *ops = get_dma_ops(dev);
1400 void *memory;
1401
1402 BUG_ON(!ops);
1403 @@ -124,7 +124,7 @@ static inline void *dma_alloc_coherent(s
1404 static inline void dma_free_coherent(struct device *dev, size_t size,
1405 void *cpu_addr, dma_addr_t dma_handle)
1406 {
1407 - struct dma_map_ops *ops = get_dma_ops(dev);
1408 + const struct dma_map_ops *ops = get_dma_ops(dev);
1409
1410 BUG_ON(!ops);
1411 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
1412 diff -urNp linux-2.6.37/arch/microblaze/include/asm/pci.h linux-2.6.37/arch/microblaze/include/asm/pci.h
1413 --- linux-2.6.37/arch/microblaze/include/asm/pci.h 2011-01-04 19:50:19.000000000 -0500
1414 +++ linux-2.6.37/arch/microblaze/include/asm/pci.h 2011-01-17 02:41:00.000000000 -0500
1415 @@ -54,8 +54,8 @@ static inline void pcibios_penalize_isa_
1416 }
1417
1418 #ifdef CONFIG_PCI
1419 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
1420 -extern struct dma_map_ops *get_pci_dma_ops(void);
1421 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
1422 +extern const struct dma_map_ops *get_pci_dma_ops(void);
1423 #else /* CONFIG_PCI */
1424 #define set_pci_dma_ops(d)
1425 #define get_pci_dma_ops() NULL
1426 diff -urNp linux-2.6.37/arch/microblaze/kernel/dma.c linux-2.6.37/arch/microblaze/kernel/dma.c
1427 --- linux-2.6.37/arch/microblaze/kernel/dma.c 2011-01-04 19:50:19.000000000 -0500
1428 +++ linux-2.6.37/arch/microblaze/kernel/dma.c 2011-01-17 02:41:00.000000000 -0500
1429 @@ -133,7 +133,7 @@ static inline void dma_direct_unmap_page
1430 __dma_sync_page(dma_address, 0 , size, direction);
1431 }
1432
1433 -struct dma_map_ops dma_direct_ops = {
1434 +const struct dma_map_ops dma_direct_ops = {
1435 .alloc_coherent = dma_direct_alloc_coherent,
1436 .free_coherent = dma_direct_free_coherent,
1437 .map_sg = dma_direct_map_sg,
1438 diff -urNp linux-2.6.37/arch/microblaze/kernel/kgdb.c linux-2.6.37/arch/microblaze/kernel/kgdb.c
1439 --- linux-2.6.37/arch/microblaze/kernel/kgdb.c 2011-01-04 19:50:19.000000000 -0500
1440 +++ linux-2.6.37/arch/microblaze/kernel/kgdb.c 2011-01-17 02:41:00.000000000 -0500
1441 @@ -141,10 +141,11 @@ void kgdb_arch_exit(void)
1442 /*
1443 * Global data
1444 */
1445 -struct kgdb_arch arch_kgdb_ops = {
1446 +const struct kgdb_arch arch_kgdb_ops = {
1447 #ifdef __MICROBLAZEEL__
1448 .gdb_bpt_instr = {0x18, 0x00, 0x0c, 0xba}, /* brki r16, 0x18 */
1449 #else
1450 +>>>>>>> master
1451 .gdb_bpt_instr = {0xba, 0x0c, 0x00, 0x18}, /* brki r16, 0x18 */
1452 #endif
1453 };
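Review bot: The added line `+>>>>>>> master` inside the `#else` branch of `arch_kgdb_ops` is a leftover merge-conflict marker, not code; on a big-endian MicroBlaze build (where `__MICROBLAZEEL__` is undefined) the preprocessor passes `>>>>>>> master` to the compiler and the file fails to build. Its position between `#else` and the `.gdb_bpt_instr` initializer shows it is an artifact of rebasing the patch rather than anything intentional. Drop that line so the hunk only changes `struct kgdb_arch arch_kgdb_ops = {` to `const struct kgdb_arch arch_kgdb_ops = {`.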
1454 diff -urNp linux-2.6.37/arch/microblaze/pci/pci-common.c linux-2.6.37/arch/microblaze/pci/pci-common.c
1455 --- linux-2.6.37/arch/microblaze/pci/pci-common.c 2011-01-04 19:50:19.000000000 -0500
1456 +++ linux-2.6.37/arch/microblaze/pci/pci-common.c 2011-01-17 02:41:00.000000000 -0500
1457 @@ -47,14 +47,14 @@ resource_size_t isa_mem_base;
1458 /* Default PCI flags is 0 on ppc32, modified at boot on ppc64 */
1459 unsigned int pci_flags;
1460
1461 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
1462 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
1463
1464 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
1465 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
1466 {
1467 pci_dma_ops = dma_ops;
1468 }
1469
1470 -struct dma_map_ops *get_pci_dma_ops(void)
1471 +const struct dma_map_ops *get_pci_dma_ops(void)
1472 {
1473 return pci_dma_ops;
1474 }
1475 diff -urNp linux-2.6.37/arch/mips/alchemy/devboards/pm.c linux-2.6.37/arch/mips/alchemy/devboards/pm.c
1476 --- linux-2.6.37/arch/mips/alchemy/devboards/pm.c 2011-01-04 19:50:19.000000000 -0500
1477 +++ linux-2.6.37/arch/mips/alchemy/devboards/pm.c 2011-01-17 02:41:00.000000000 -0500
1478 @@ -110,7 +110,7 @@ static void db1x_pm_end(void)
1479
1480 }
1481
1482 -static struct platform_suspend_ops db1x_pm_ops = {
1483 +static const struct platform_suspend_ops db1x_pm_ops = {
1484 .valid = suspend_valid_only_mem,
1485 .begin = db1x_pm_begin,
1486 .enter = db1x_pm_enter,
1487 diff -urNp linux-2.6.37/arch/mips/cavium-octeon/dma-octeon.c linux-2.6.37/arch/mips/cavium-octeon/dma-octeon.c
1488 --- linux-2.6.37/arch/mips/cavium-octeon/dma-octeon.c 2011-01-04 19:50:19.000000000 -0500
1489 +++ linux-2.6.37/arch/mips/cavium-octeon/dma-octeon.c 2011-01-17 02:41:00.000000000 -0500
1490 @@ -202,7 +202,7 @@ static phys_addr_t octeon_unity_dma_to_p
1491 }
1492
1493 struct octeon_dma_map_ops {
1494 - struct dma_map_ops dma_map_ops;
1495 + const struct dma_map_ops dma_map_ops;
1496 dma_addr_t (*phys_to_dma)(struct device *dev, phys_addr_t paddr);
1497 phys_addr_t (*dma_to_phys)(struct device *dev, dma_addr_t daddr);
1498 };
1499 @@ -324,7 +324,7 @@ static struct octeon_dma_map_ops _octeon
1500 },
1501 };
1502
1503 -struct dma_map_ops *octeon_pci_dma_map_ops;
1504 +const struct dma_map_ops *octeon_pci_dma_map_ops;
1505
1506 void __init octeon_pci_dma_init(void)
1507 {
1508 diff -urNp linux-2.6.37/arch/mips/include/asm/device.h linux-2.6.37/arch/mips/include/asm/device.h
1509 --- linux-2.6.37/arch/mips/include/asm/device.h 2011-01-04 19:50:19.000000000 -0500
1510 +++ linux-2.6.37/arch/mips/include/asm/device.h 2011-01-17 02:41:00.000000000 -0500
1511 @@ -10,7 +10,7 @@ struct dma_map_ops;
1512
1513 struct dev_archdata {
1514 /* DMA operations on that device */
1515 - struct dma_map_ops *dma_ops;
1516 + const struct dma_map_ops *dma_ops;
1517 };
1518
1519 struct pdev_archdata {
1520 diff -urNp linux-2.6.37/arch/mips/include/asm/dma-mapping.h linux-2.6.37/arch/mips/include/asm/dma-mapping.h
1521 --- linux-2.6.37/arch/mips/include/asm/dma-mapping.h 2011-01-04 19:50:19.000000000 -0500
1522 +++ linux-2.6.37/arch/mips/include/asm/dma-mapping.h 2011-01-17 02:41:00.000000000 -0500
1523 @@ -7,9 +7,9 @@
1524
1525 #include <dma-coherence.h>
1526
1527 -extern struct dma_map_ops *mips_dma_map_ops;
1528 +extern const struct dma_map_ops *mips_dma_map_ops;
1529
1530 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
1531 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
1532 {
1533 if (dev && dev->archdata.dma_ops)
1534 return dev->archdata.dma_ops;
1535 @@ -31,13 +31,13 @@ static inline void dma_mark_clean(void *
1536
1537 static inline int dma_supported(struct device *dev, u64 mask)
1538 {
1539 - struct dma_map_ops *ops = get_dma_ops(dev);
1540 + const struct dma_map_ops *ops = get_dma_ops(dev);
1541 return ops->dma_supported(dev, mask);
1542 }
1543
1544 static inline int dma_mapping_error(struct device *dev, u64 mask)
1545 {
1546 - struct dma_map_ops *ops = get_dma_ops(dev);
1547 + const struct dma_map_ops *ops = get_dma_ops(dev);
1548 return ops->mapping_error(dev, mask);
1549 }
1550
1551 @@ -59,7 +59,7 @@ static inline void *dma_alloc_coherent(s
1552 dma_addr_t *dma_handle, gfp_t gfp)
1553 {
1554 void *ret;
1555 - struct dma_map_ops *ops = get_dma_ops(dev);
1556 + const struct dma_map_ops *ops = get_dma_ops(dev);
1557
1558 ret = ops->alloc_coherent(dev, size, dma_handle, gfp);
1559
1560 @@ -71,7 +71,7 @@ static inline void *dma_alloc_coherent(s
1561 static inline void dma_free_coherent(struct device *dev, size_t size,
1562 void *vaddr, dma_addr_t dma_handle)
1563 {
1564 - struct dma_map_ops *ops = get_dma_ops(dev);
1565 + const struct dma_map_ops *ops = get_dma_ops(dev);
1566
1567 ops->free_coherent(dev, size, vaddr, dma_handle);
1568
1569 diff -urNp linux-2.6.37/arch/mips/include/asm/elf.h linux-2.6.37/arch/mips/include/asm/elf.h
1570 --- linux-2.6.37/arch/mips/include/asm/elf.h 2011-01-04 19:50:19.000000000 -0500
1571 +++ linux-2.6.37/arch/mips/include/asm/elf.h 2011-01-17 02:41:00.000000000 -0500
1572 @@ -372,13 +372,16 @@ extern const char *__elf_platform;
1573 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
1574 #endif
1575
1576 +#ifdef CONFIG_PAX_ASLR
1577 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1578 +
1579 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1580 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1581 +#endif
1582 +
1583 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
1584 struct linux_binprm;
1585 extern int arch_setup_additional_pages(struct linux_binprm *bprm,
1586 int uses_interp);
1587
1588 -struct mm_struct;
1589 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
1590 -#define arch_randomize_brk arch_randomize_brk
1591 -
1592 #endif /* _ASM_ELF_H */
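Review bot: Both arms of the new PAX_ELF_ET_DYN_BASE ternary evaluate to 0x00400000UL, so the test_thread_flag(TIF_32BIT_ADDR) call is dead; either collapse it to `#define PAX_ELF_ET_DYN_BASE 0x00400000UL` or, if a different base for 64-bit tasks is intended, fill in the second arm. The same definition is repeated verbatim in the binfmt_elfn32.c and binfmt_elfo32.c hunks of this patch, so whichever is chosen should be applied in all three places. Separately, dropping the arch_randomize_brk declaration here (its definition goes away in the syscall.c hunk) leaves `brk_rnd()` in syscall.c without a caller; being static inline it will not warn, but it is now dead code.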
1593 diff -urNp linux-2.6.37/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h linux-2.6.37/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h
1594 --- linux-2.6.37/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h 2011-01-04 19:50:19.000000000 -0500
1595 +++ linux-2.6.37/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h 2011-01-17 02:41:00.000000000 -0500
1596 @@ -66,7 +66,7 @@ dma_addr_t phys_to_dma(struct device *de
1597 phys_addr_t dma_to_phys(struct device *dev, dma_addr_t daddr);
1598
1599 struct dma_map_ops;
1600 -extern struct dma_map_ops *octeon_pci_dma_map_ops;
1601 +extern const struct dma_map_ops *octeon_pci_dma_map_ops;
1602 extern char *octeon_swiotlb;
1603
1604 #endif /* __ASM_MACH_CAVIUM_OCTEON_DMA_COHERENCE_H */
1605 diff -urNp linux-2.6.37/arch/mips/include/asm/page.h linux-2.6.37/arch/mips/include/asm/page.h
1606 --- linux-2.6.37/arch/mips/include/asm/page.h 2011-01-04 19:50:19.000000000 -0500
1607 +++ linux-2.6.37/arch/mips/include/asm/page.h 2011-01-17 02:41:00.000000000 -0500
1608 @@ -93,7 +93,7 @@ extern void copy_user_highpage(struct pa
1609 #ifdef CONFIG_CPU_MIPS32
1610 typedef struct { unsigned long pte_low, pte_high; } pte_t;
1611 #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
1612 - #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
1613 + #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
1614 #else
1615 typedef struct { unsigned long long pte; } pte_t;
1616 #define pte_val(x) ((x).pte)
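Review bot: Removing the (unsigned long long) cast from `__pte(x)` makes `(x) >> 32` undefined behaviour, and a GCC "shift count >= width of type" warning, whenever a caller passes a 32-bit value; the cast existed precisely to widen the operand before the shift. Unless every caller of __pte() in the CONFIG_CPU_MIPS32 64-bit-PTE configuration is known to pass an unsigned long long, keep `((unsigned long long)(x)) >> 32`, or at least add a comment above the macro stating that assumption.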
1617 diff -urNp linux-2.6.37/arch/mips/include/asm/system.h linux-2.6.37/arch/mips/include/asm/system.h
1618 --- linux-2.6.37/arch/mips/include/asm/system.h 2011-01-04 19:50:19.000000000 -0500
1619 +++ linux-2.6.37/arch/mips/include/asm/system.h 2011-01-17 02:41:00.000000000 -0500
1620 @@ -23,6 +23,7 @@
1621 #include <asm/dsp.h>
1622 #include <asm/watch.h>
1623 #include <asm/war.h>
1624 +#include <asm/asm.h>
1625
1626
1627 /*
1628 @@ -230,6 +231,6 @@ extern void per_cpu_trap_init(void);
1629 */
1630 #define __ARCH_WANT_UNLOCKED_CTXSW
1631
1632 -extern unsigned long arch_align_stack(unsigned long sp);
1633 +#define arch_align_stack(x) ((x) & ALMASK)
1634
1635 #endif /* _ASM_SYSTEM_H */
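Review bot: Replacing arch_align_stack() with `((x) & ALMASK)` removes the sub-page random offset (`sp -= get_random_int() & ~PAGE_MASK`) that the deleted process.c implementation applied when randomize_va_space was set, and it does so unconditionally rather than only under CONFIG_PAX_ASLR. If PaX's own stack randomisation (PAX_DELTA_STACK_LEN in the elf.h hunk) operates only at page granularity, a kernel built with this patch but with PAX_ASLR disabled ends up with less stack entropy than vanilla 2.6.37; either keep the randomising function when PAX_ASLR is off, or state in a comment next to the macro why the intra-page offset is no longer needed. The added `#include <asm/asm.h>` is presumably there for ALMASK, which this header would not otherwise see.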
1636 diff -urNp linux-2.6.37/arch/mips/jz4740/pm.c linux-2.6.37/arch/mips/jz4740/pm.c
1637 --- linux-2.6.37/arch/mips/jz4740/pm.c 2011-01-04 19:50:19.000000000 -0500
1638 +++ linux-2.6.37/arch/mips/jz4740/pm.c 2011-01-17 02:41:00.000000000 -0500
1639 @@ -42,7 +42,7 @@ static int jz4740_pm_enter(suspend_state
1640 return 0;
1641 }
1642
1643 -static struct platform_suspend_ops jz4740_pm_ops = {
1644 +static const struct platform_suspend_ops jz4740_pm_ops = {
1645 .valid = suspend_valid_only_mem,
1646 .enter = jz4740_pm_enter,
1647 };
1648 diff -urNp linux-2.6.37/arch/mips/kernel/binfmt_elfn32.c linux-2.6.37/arch/mips/kernel/binfmt_elfn32.c
1649 --- linux-2.6.37/arch/mips/kernel/binfmt_elfn32.c 2011-01-04 19:50:19.000000000 -0500
1650 +++ linux-2.6.37/arch/mips/kernel/binfmt_elfn32.c 2011-01-17 02:41:00.000000000 -0500
1651 @@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1652 #undef ELF_ET_DYN_BASE
1653 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1654
1655 +#ifdef CONFIG_PAX_ASLR
1656 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1657 +
1658 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1659 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1660 +#endif
1661 +
1662 #include <asm/processor.h>
1663 #include <linux/module.h>
1664 #include <linux/elfcore.h>
1665 diff -urNp linux-2.6.37/arch/mips/kernel/binfmt_elfo32.c linux-2.6.37/arch/mips/kernel/binfmt_elfo32.c
1666 --- linux-2.6.37/arch/mips/kernel/binfmt_elfo32.c 2011-01-04 19:50:19.000000000 -0500
1667 +++ linux-2.6.37/arch/mips/kernel/binfmt_elfo32.c 2011-01-17 02:41:00.000000000 -0500
1668 @@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1669 #undef ELF_ET_DYN_BASE
1670 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1671
1672 +#ifdef CONFIG_PAX_ASLR
1673 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1674 +
1675 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1676 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1677 +#endif
1678 +
1679 #include <asm/processor.h>
1680
1681 /*
1682 diff -urNp linux-2.6.37/arch/mips/kernel/kgdb.c linux-2.6.37/arch/mips/kernel/kgdb.c
1683 --- linux-2.6.37/arch/mips/kernel/kgdb.c 2011-01-04 19:50:19.000000000 -0500
1684 +++ linux-2.6.37/arch/mips/kernel/kgdb.c 2011-01-17 02:41:00.000000000 -0500
1685 @@ -351,6 +351,7 @@ int kgdb_arch_handle_exception(int vecto
1686 return -1;
1687 }
1688
1689 +/* cannot be const, see kgdb_arch_init */
1690 struct kgdb_arch arch_kgdb_ops;
1691
1692 /*
1693 diff -urNp linux-2.6.37/arch/mips/kernel/process.c linux-2.6.37/arch/mips/kernel/process.c
1694 --- linux-2.6.37/arch/mips/kernel/process.c 2011-01-04 19:50:19.000000000 -0500
1695 +++ linux-2.6.37/arch/mips/kernel/process.c 2011-01-17 02:41:00.000000000 -0500
1696 @@ -473,15 +473,3 @@ unsigned long get_wchan(struct task_stru
1697 out:
1698 return pc;
1699 }
1700 -
1701 -/*
1702 - * Don't forget that the stack pointer must be aligned on a 8 bytes
1703 - * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
1704 - */
1705 -unsigned long arch_align_stack(unsigned long sp)
1706 -{
1707 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
1708 - sp -= get_random_int() & ~PAGE_MASK;
1709 -
1710 - return sp & ALMASK;
1711 -}
1712 diff -urNp linux-2.6.37/arch/mips/kernel/syscall.c linux-2.6.37/arch/mips/kernel/syscall.c
1713 --- linux-2.6.37/arch/mips/kernel/syscall.c 2011-01-04 19:50:19.000000000 -0500
1714 +++ linux-2.6.37/arch/mips/kernel/syscall.c 2011-01-17 02:41:00.000000000 -0500
1715 @@ -108,14 +108,18 @@ unsigned long arch_get_unmapped_area(str
1716 do_color_align = 0;
1717 if (filp || (flags & MAP_SHARED))
1718 do_color_align = 1;
1719 +
1720 +#ifdef CONFIG_PAX_RANDMMAP
1721 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
1722 +#endif
1723 +
1724 if (addr) {
1725 if (do_color_align)
1726 addr = COLOUR_ALIGN(addr, pgoff);
1727 else
1728 addr = PAGE_ALIGN(addr);
1729 vmm = find_vma(current->mm, addr);
1730 - if (task_size - len >= addr &&
1731 - (!vmm || addr + len <= vmm->vm_start))
1732 + if (task_size - len >= addr && check_heap_stack_gap(vmm, addr, len))
1733 return addr;
1734 }
1735 addr = current->mm->mmap_base;
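Review bot: The new `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))` is a bare, brace-less conditional separated from the `if (addr) {` it governs by a blank line and an `#endif`; it works only because the whole hint-handling block is a single statement, and anyone inserting a statement between them silently changes what is skipped. Since the intent is to ignore the caller's hint when mmap randomisation is on, fold it into the condition, e.g. `if (addr && !(current->mm->pax_flags & MF_PAX_RANDMMAP))` inside the same #ifdef, or at least add `/* PaX: ignore the hint under RANDMMAP so a fixed hint cannot defeat randomisation */`. check_heap_stack_gap() is defined outside this hunk; I am assuming it treats a NULL vma as a free range, as the replaced expression did. arch_get_unmapped_area's body starts before and continues after this hunk.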
1736 @@ -128,7 +132,7 @@ unsigned long arch_get_unmapped_area(str
1737 /* At this point: (!vmm || addr < vmm->vm_end). */
1738 if (task_size - len < addr)
1739 return -ENOMEM;
1740 - if (!vmm || addr + len <= vmm->vm_start)
1741 + if (check_heap_stack_gap(vmm, addr, len))
1742 return addr;
1743 addr = vmm->vm_end;
1744 if (do_color_align)
1745 @@ -168,19 +172,6 @@ static inline unsigned long brk_rnd(void
1746 return rnd;
1747 }
1748
1749 -unsigned long arch_randomize_brk(struct mm_struct *mm)
1750 -{
1751 - unsigned long base = mm->brk;
1752 - unsigned long ret;
1753 -
1754 - ret = PAGE_ALIGN(base + brk_rnd());
1755 -
1756 - if (ret < mm->brk)
1757 - return mm->brk;
1758 -
1759 - return ret;
1760 -}
1761 -
1762 SYSCALL_DEFINE6(mips_mmap, unsigned long, addr, unsigned long, len,
1763 unsigned long, prot, unsigned long, flags, unsigned long,
1764 fd, off_t, offset)
1765 diff -urNp linux-2.6.37/arch/mips/loongson/common/pm.c linux-2.6.37/arch/mips/loongson/common/pm.c
1766 --- linux-2.6.37/arch/mips/loongson/common/pm.c 2011-01-04 19:50:19.000000000 -0500
1767 +++ linux-2.6.37/arch/mips/loongson/common/pm.c 2011-01-17 02:41:00.000000000 -0500
1768 @@ -147,7 +147,7 @@ static int loongson_pm_valid_state(suspe
1769 }
1770 }
1771
1772 -static struct platform_suspend_ops loongson_pm_ops = {
1773 +static const struct platform_suspend_ops loongson_pm_ops = {
1774 .valid = loongson_pm_valid_state,
1775 .enter = loongson_pm_enter,
1776 };
1777 diff -urNp linux-2.6.37/arch/mips/mm/dma-default.c linux-2.6.37/arch/mips/mm/dma-default.c
1778 --- linux-2.6.37/arch/mips/mm/dma-default.c 2011-01-04 19:50:19.000000000 -0500
1779 +++ linux-2.6.37/arch/mips/mm/dma-default.c 2011-01-17 02:41:00.000000000 -0500
1780 @@ -300,7 +300,7 @@ void dma_cache_sync(struct device *dev,
1781
1782 EXPORT_SYMBOL(dma_cache_sync);
1783
1784 -static struct dma_map_ops mips_default_dma_map_ops = {
1785 +static const struct dma_map_ops mips_default_dma_map_ops = {
1786 .alloc_coherent = mips_dma_alloc_coherent,
1787 .free_coherent = mips_dma_free_coherent,
1788 .map_page = mips_dma_map_page,
1789 @@ -315,7 +315,7 @@ static struct dma_map_ops mips_default_d
1790 .dma_supported = mips_dma_supported
1791 };
1792
1793 -struct dma_map_ops *mips_dma_map_ops = &mips_default_dma_map_ops;
1794 +const struct dma_map_ops *mips_dma_map_ops = &mips_default_dma_map_ops;
1795 EXPORT_SYMBOL(mips_dma_map_ops);
1796
1797 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
1798 diff -urNp linux-2.6.37/arch/mips/mm/fault.c linux-2.6.37/arch/mips/mm/fault.c
1799 --- linux-2.6.37/arch/mips/mm/fault.c 2011-01-04 19:50:19.000000000 -0500
1800 +++ linux-2.6.37/arch/mips/mm/fault.c 2011-01-17 02:41:00.000000000 -0500
1801 @@ -28,6 +28,23 @@
1802 #include <asm/highmem.h> /* For VMALLOC_END */
1803 #include <linux/kdebug.h>
1804
1805 +#ifdef CONFIG_PAX_PAGEEXEC
1806 +void pax_report_insns(void *pc, void *sp)
1807 +{
1808 + unsigned long i;
1809 +
1810 + printk(KERN_ERR "PAX: bytes at PC: ");
1811 + for (i = 0; i < 5; i++) {
1812 + unsigned int c;
1813 + if (get_user(c, (unsigned int *)pc+i))
1814 + printk(KERN_CONT "???????? ");
1815 + else
1816 + printk(KERN_CONT "%08x ", c);
1817 + }
1818 + printk("\n");
1819 +}
1820 +#endif
1821 +
1822 /*
1823 * This routine handles page faults. It determines the address,
1824 * and the problem, and then passes it off to one of the appropriate
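Review bot: pax_report_insns() ignores its `sp` argument, so the signature promises a stack dump that the MIPS implementation does not produce; either print a few words at sp as well or document the limitation, e.g. `/* only the five words at PC are dumped; sp is unused on MIPS */`. The trailing `printk("\n")` lacks the KERN_CONT the preceding pieces use; it still continues the line today, but marking it explicitly keeps the intent clear. The parisc hunk of this patch adds an identical copy of this function, so any change should be mirrored there.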
1825 diff -urNp linux-2.6.37/arch/parisc/include/asm/elf.h linux-2.6.37/arch/parisc/include/asm/elf.h
1826 --- linux-2.6.37/arch/parisc/include/asm/elf.h 2011-01-04 19:50:19.000000000 -0500
1827 +++ linux-2.6.37/arch/parisc/include/asm/elf.h 2011-01-17 02:41:00.000000000 -0500
1828 @@ -342,6 +342,13 @@ struct pt_regs; /* forward declaration..
1829
1830 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
1831
1832 +#ifdef CONFIG_PAX_ASLR
1833 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
1834 +
1835 +#define PAX_DELTA_MMAP_LEN 16
1836 +#define PAX_DELTA_STACK_LEN 16
1837 +#endif
1838 +
1839 /* This yields a mask that user programs can use to figure out what
1840 instruction set this CPU supports. This could be done in user space,
1841 but it's not easy, and we've already done it here. */
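Review bot: PAX_DELTA_MMAP_LEN and PAX_DELTA_STACK_LEN are fixed at 16 bits for every task here, whereas the mips and powerpc hunks of this patch widen the range for 64-bit tasks (36-PAGE_SHIFT and 28 bits respectively); on a 64-bit parisc kernel that leaves 16 bits of page-granular mmap randomisation, no more than a 32-bit task gets. If that is a deliberate consequence of the parisc address-space layout, a one-line comment stating the reason would stop the next reader from "fixing" it; if not, a wider 64-bit value is worth considering.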
1842 diff -urNp linux-2.6.37/arch/parisc/include/asm/pgtable.h linux-2.6.37/arch/parisc/include/asm/pgtable.h
1843 --- linux-2.6.37/arch/parisc/include/asm/pgtable.h 2011-01-04 19:50:19.000000000 -0500
1844 +++ linux-2.6.37/arch/parisc/include/asm/pgtable.h 2011-01-17 02:41:00.000000000 -0500
1845 @@ -207,6 +207,17 @@
1846 #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
1847 #define PAGE_COPY PAGE_EXECREAD
1848 #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
1849 +
1850 +#ifdef CONFIG_PAX_PAGEEXEC
1851 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
1852 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1853 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1854 +#else
1855 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
1856 +# define PAGE_COPY_NOEXEC PAGE_COPY
1857 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
1858 +#endif
1859 +
1860 #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
1861 #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
1862 #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
1863 diff -urNp linux-2.6.37/arch/parisc/kernel/module.c linux-2.6.37/arch/parisc/kernel/module.c
1864 --- linux-2.6.37/arch/parisc/kernel/module.c 2011-01-04 19:50:19.000000000 -0500
1865 +++ linux-2.6.37/arch/parisc/kernel/module.c 2011-01-17 02:41:00.000000000 -0500
1866 @@ -96,16 +96,38 @@
1867
1868 /* three functions to determine where in the module core
1869 * or init pieces the location is */
1870 +static inline int in_init_rx(struct module *me, void *loc)
1871 +{
1872 + return (loc >= me->module_init_rx &&
1873 + loc < (me->module_init_rx + me->init_size_rx));
1874 +}
1875 +
1876 +static inline int in_init_rw(struct module *me, void *loc)
1877 +{
1878 + return (loc >= me->module_init_rw &&
1879 + loc < (me->module_init_rw + me->init_size_rw));
1880 +}
1881 +
1882 static inline int in_init(struct module *me, void *loc)
1883 {
1884 - return (loc >= me->module_init &&
1885 - loc <= (me->module_init + me->init_size));
1886 + return in_init_rx(me, loc) || in_init_rw(me, loc);
1887 +}
1888 +
1889 +static inline int in_core_rx(struct module *me, void *loc)
1890 +{
1891 + return (loc >= me->module_core_rx &&
1892 + loc < (me->module_core_rx + me->core_size_rx));
1893 +}
1894 +
1895 +static inline int in_core_rw(struct module *me, void *loc)
1896 +{
1897 + return (loc >= me->module_core_rw &&
1898 + loc < (me->module_core_rw + me->core_size_rw));
1899 }
1900
1901 static inline int in_core(struct module *me, void *loc)
1902 {
1903 - return (loc >= me->module_core &&
1904 - loc <= (me->module_core + me->core_size));
1905 + return in_core_rx(me, loc) || in_core_rw(me, loc);
1906 }
1907
1908 static inline int in_local(struct module *me, void *loc)
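Review bot: The new range helpers test `loc < base + size`, whereas the replaced in_init()/in_core() used `<=`, so an address exactly one past the end of a region no longer counts as inside it; that is the correct bound, but it is a behavioural change hidden inside an otherwise mechanical split and the commit text should mention it. A comment on in_init_rx() such as `/* exclusive upper bound: the old <= test wrongly accepted the byte just past the region */` would preserve the reason. These helpers rely on module_init_rx/rw, module_core_rx/rw and the matching size fields of struct module, which are added elsewhere in the patch.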
1909 @@ -365,13 +387,13 @@ int module_frob_arch_sections(CONST Elf_
1910 }
1911
1912 /* align things a bit */
1913 - me->core_size = ALIGN(me->core_size, 16);
1914 - me->arch.got_offset = me->core_size;
1915 - me->core_size += gots * sizeof(struct got_entry);
1916 -
1917 - me->core_size = ALIGN(me->core_size, 16);
1918 - me->arch.fdesc_offset = me->core_size;
1919 - me->core_size += fdescs * sizeof(Elf_Fdesc);
1920 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1921 + me->arch.got_offset = me->core_size_rw;
1922 + me->core_size_rw += gots * sizeof(struct got_entry);
1923 +
1924 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1925 + me->arch.fdesc_offset = me->core_size_rw;
1926 + me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
1927
1928 me->arch.got_max = gots;
1929 me->arch.fdesc_max = fdescs;
1930 @@ -389,7 +411,7 @@ static Elf64_Word get_got(struct module
1931
1932 BUG_ON(value == 0);
1933
1934 - got = me->module_core + me->arch.got_offset;
1935 + got = me->module_core_rw + me->arch.got_offset;
1936 for (i = 0; got[i].addr; i++)
1937 if (got[i].addr == value)
1938 goto out;
1939 @@ -407,7 +429,7 @@ static Elf64_Word get_got(struct module
1940 #ifdef CONFIG_64BIT
1941 static Elf_Addr get_fdesc(struct module *me, unsigned long value)
1942 {
1943 - Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
1944 + Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
1945
1946 if (!value) {
1947 printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
1948 @@ -425,7 +447,7 @@ static Elf_Addr get_fdesc(struct module
1949
1950 /* Create new one */
1951 fdesc->addr = value;
1952 - fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1953 + fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1954 return (Elf_Addr)fdesc;
1955 }
1956 #endif /* CONFIG_64BIT */
1957 @@ -849,7 +871,7 @@ register_unwind_table(struct module *me,
1958
1959 table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
1960 end = table + sechdrs[me->arch.unwind_section].sh_size;
1961 - gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1962 + gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1963
1964 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
1965 me->arch.unwind_section, table, end, gp);
1966 diff -urNp linux-2.6.37/arch/parisc/kernel/sys_parisc.c linux-2.6.37/arch/parisc/kernel/sys_parisc.c
1967 --- linux-2.6.37/arch/parisc/kernel/sys_parisc.c 2011-01-04 19:50:19.000000000 -0500
1968 +++ linux-2.6.37/arch/parisc/kernel/sys_parisc.c 2011-01-17 02:41:00.000000000 -0500
1969 @@ -43,7 +43,7 @@ static unsigned long get_unshared_area(u
1970 /* At this point: (!vma || addr < vma->vm_end). */
1971 if (TASK_SIZE - len < addr)
1972 return -ENOMEM;
1973 - if (!vma || addr + len <= vma->vm_start)
1974 + if (check_heap_stack_gap(vma, addr, len))
1975 return addr;
1976 addr = vma->vm_end;
1977 }
1978 @@ -79,7 +79,7 @@ static unsigned long get_shared_area(str
1979 /* At this point: (!vma || addr < vma->vm_end). */
1980 if (TASK_SIZE - len < addr)
1981 return -ENOMEM;
1982 - if (!vma || addr + len <= vma->vm_start)
1983 + if (check_heap_stack_gap(vma, addr, len))
1984 return addr;
1985 addr = DCACHE_ALIGN(vma->vm_end - offset) + offset;
1986 if (addr < vma->vm_end) /* handle wraparound */
1987 @@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(str
1988 if (flags & MAP_FIXED)
1989 return addr;
1990 if (!addr)
1991 - addr = TASK_UNMAPPED_BASE;
1992 + addr = current->mm->mmap_base;
1993
1994 if (filp) {
1995 addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
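Review bot: The caller-supplied `addr` hint is still honoured here (the fallback to mmap_base applies only when no hint was given), whereas the mips arch_get_unmapped_area hunk in this patch ignores the hint whenever MF_PAX_RANDMMAP is set so that a fixed hint cannot defeat mmap randomisation. If parisc is meant to behave the same way, the equivalent `#ifdef CONFIG_PAX_RANDMMAP` test is missing; if the hint path is deliberately left alone on parisc, a comment saying so would help. The rest of arch_get_unmapped_area lies outside the hunk, so the hint may be handled further down.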
1996 diff -urNp linux-2.6.37/arch/parisc/kernel/traps.c linux-2.6.37/arch/parisc/kernel/traps.c
1997 --- linux-2.6.37/arch/parisc/kernel/traps.c 2011-01-04 19:50:19.000000000 -0500
1998 +++ linux-2.6.37/arch/parisc/kernel/traps.c 2011-01-17 02:41:00.000000000 -0500
1999 @@ -733,9 +733,7 @@ void notrace handle_interruption(int cod
2000
2001 down_read(&current->mm->mmap_sem);
2002 vma = find_vma(current->mm,regs->iaoq[0]);
2003 - if (vma && (regs->iaoq[0] >= vma->vm_start)
2004 - && (vma->vm_flags & VM_EXEC)) {
2005 -
2006 + if (vma && (regs->iaoq[0] >= vma->vm_start)) {
2007 fault_address = regs->iaoq[0];
2008 fault_space = regs->iasq[0];
2009
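Review bot: Dropping the `vma->vm_flags & VM_EXEC` test means an instruction-access-rights trap on a mapped but non-executable page now goes to do_page_fault() instead of falling through to whatever follows this block (not visible in the hunk), and nothing at the site says why. A comment would make the dependency explicit, e.g. `/* PaX: route fetches from non-exec VMAs to do_page_fault(), which treats code 7 as VM_EXEC and applies PAGEEXEC there */`, since the matching change is in the parisc_acctyp() hunk of mm/fault.c. handle_interruption() starts and ends outside this hunk.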
2010 diff -urNp linux-2.6.37/arch/parisc/mm/fault.c linux-2.6.37/arch/parisc/mm/fault.c
2011 --- linux-2.6.37/arch/parisc/mm/fault.c 2011-01-04 19:50:19.000000000 -0500
2012 +++ linux-2.6.37/arch/parisc/mm/fault.c 2011-01-17 02:41:00.000000000 -0500
2013 @@ -15,6 +15,7 @@
2014 #include <linux/sched.h>
2015 #include <linux/interrupt.h>
2016 #include <linux/module.h>
2017 +#include <linux/unistd.h>
2018
2019 #include <asm/uaccess.h>
2020 #include <asm/traps.h>
2021 @@ -52,7 +53,7 @@ DEFINE_PER_CPU(struct exception_data, ex
2022 static unsigned long
2023 parisc_acctyp(unsigned long code, unsigned int inst)
2024 {
2025 - if (code == 6 || code == 16)
2026 + if (code == 6 || code == 7 || code == 16)
2027 return VM_EXEC;
2028
2029 switch (inst & 0xf0000000) {
2030 @@ -138,6 +139,116 @@ parisc_acctyp(unsigned long code, unsign
2031 }
2032 #endif
2033
2034 +#ifdef CONFIG_PAX_PAGEEXEC
2035 +/*
2036 + * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
2037 + *
2038 + * returns 1 when task should be killed
2039 + * 2 when rt_sigreturn trampoline was detected
2040 + * 3 when unpatched PLT trampoline was detected
2041 + */
2042 +static int pax_handle_fetch_fault(struct pt_regs *regs)
2043 +{
2044 +
2045 +#ifdef CONFIG_PAX_EMUPLT
2046 + int err;
2047 +
2048 + do { /* PaX: unpatched PLT emulation */
2049 + unsigned int bl, depwi;
2050 +
2051 + err = get_user(bl, (unsigned int *)instruction_pointer(regs));
2052 + err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
2053 +
2054 + if (err)
2055 + break;
2056 +
2057 + if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
2058 + unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
2059 +
2060 + err = get_user(ldw, (unsigned int *)addr);
2061 + err |= get_user(bv, (unsigned int *)(addr+4));
2062 + err |= get_user(ldw2, (unsigned int *)(addr+8));
2063 +
2064 + if (err)
2065 + break;
2066 +
2067 + if (ldw == 0x0E801096U &&
2068 + bv == 0xEAC0C000U &&
2069 + ldw2 == 0x0E881095U)
2070 + {
2071 + unsigned int resolver, map;
2072 +
2073 + err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
2074 + err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
2075 + if (err)
2076 + break;
2077 +
2078 + regs->gr[20] = instruction_pointer(regs)+8;
2079 + regs->gr[21] = map;
2080 + regs->gr[22] = resolver;
2081 + regs->iaoq[0] = resolver | 3UL;
2082 + regs->iaoq[1] = regs->iaoq[0] + 4;
2083 + return 3;
2084 + }
2085 + }
2086 + } while (0);
2087 +#endif
2088 +
2089 +#ifdef CONFIG_PAX_EMUTRAMP
2090 +
2091 +#ifndef CONFIG_PAX_EMUSIGRT
2092 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
2093 + return 1;
2094 +#endif
2095 +
2096 + do { /* PaX: rt_sigreturn emulation */
2097 + unsigned int ldi1, ldi2, bel, nop;
2098 +
2099 + err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
2100 + err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
2101 + err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
2102 + err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
2103 +
2104 + if (err)
2105 + break;
2106 +
2107 + if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
2108 + ldi2 == 0x3414015AU &&
2109 + bel == 0xE4008200U &&
2110 + nop == 0x08000240U)
2111 + {
2112 + regs->gr[25] = (ldi1 & 2) >> 1;
2113 + regs->gr[20] = __NR_rt_sigreturn;
2114 + regs->gr[31] = regs->iaoq[1] + 16;
2115 + regs->sr[0] = regs->iasq[1];
2116 + regs->iaoq[0] = 0x100UL;
2117 + regs->iaoq[1] = regs->iaoq[0] + 4;
2118 + regs->iasq[0] = regs->sr[2];
2119 + regs->iasq[1] = regs->sr[2];
2120 + return 2;
2121 + }
2122 + } while (0);
2123 +#endif
2124 +
2125 + return 1;
2126 +}
2127 +
2128 +void pax_report_insns(void *pc, void *sp)
2129 +{
2130 + unsigned long i;
2131 +
2132 + printk(KERN_ERR "PAX: bytes at PC: ");
2133 + for (i = 0; i < 5; i++) {
2134 + unsigned int c;
2135 + if (get_user(c, (unsigned int *)pc+i))
2136 + printk(KERN_CONT "???????? ");
2137 + else
2138 + printk(KERN_CONT "%08x ", c);
2139 + }
2140 + printk("\n");
2141 +}
2142 +#endif
2143 +
2144 int fixup_exception(struct pt_regs *regs)
2145 {
2146 const struct exception_table_entry *fix;
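Review bot: In pax_handle_fetch_fault() the variable `err` is declared inside the `#ifdef CONFIG_PAX_EMUPLT` block but is also assigned in the `#ifdef CONFIG_PAX_EMUTRAMP` rt_sigreturn emulation below it, so a configuration with EMUTRAMP enabled and EMUPLT disabled fails to compile with an undeclared `err`. Unless Kconfig guarantees EMUPLT whenever EMUTRAMP is selected on parisc, move the declaration above both blocks, i.e. `int err;` right after the function's opening brace. The pax_report_insns() added here is a verbatim copy of the mips one and likewise ignores its `sp` argument; a shared note or a `/* sp unused */` comment would avoid the two drifting apart.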
2147 @@ -192,8 +303,33 @@ good_area:
2148
2149 acc_type = parisc_acctyp(code,regs->iir);
2150
2151 - if ((vma->vm_flags & acc_type) != acc_type)
2152 + if ((vma->vm_flags & acc_type) != acc_type) {
2153 +
2154 +#ifdef CONFIG_PAX_PAGEEXEC
2155 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
2156 + (address & ~3UL) == instruction_pointer(regs))
2157 + {
2158 + up_read(&mm->mmap_sem);
2159 + switch (pax_handle_fetch_fault(regs)) {
2160 +
2161 +#ifdef CONFIG_PAX_EMUPLT
2162 + case 3:
2163 + return;
2164 +#endif
2165 +
2166 +#ifdef CONFIG_PAX_EMUTRAMP
2167 + case 2:
2168 + return;
2169 +#endif
2170 +
2171 + }
2172 + pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
2173 + do_group_exit(SIGKILL);
2174 + }
2175 +#endif
2176 +
2177 goto bad_area;
2178 + }
2179
2180 /*
2181 * If for any reason at all we couldn't handle the fault, make
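Review bot: The `up_read(&mm->mmap_sem)` before `switch (pax_handle_fetch_fault(regs))` is load-bearing and deserves a comment: the emulation helper reads the faulting instruction stream with get_user(), which can fault and re-enter this handler, which takes mmap_sem itself. Something like `/* drop mmap_sem: pax_handle_fetch_fault() reads user memory with get_user() and may fault */` above that line. The switch has only conditionally compiled cases and no default, so with neither EMUPLT nor EMUTRAMP configured it is an empty statement and the SIGKILL path below is the only outcome; the comment could say that too. do_page_fault()'s body starts before and continues after this hunk.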
2182 diff -urNp linux-2.6.37/arch/powerpc/include/asm/device.h linux-2.6.37/arch/powerpc/include/asm/device.h
2183 --- linux-2.6.37/arch/powerpc/include/asm/device.h 2011-01-04 19:50:19.000000000 -0500
2184 +++ linux-2.6.37/arch/powerpc/include/asm/device.h 2011-01-17 02:41:00.000000000 -0500
2185 @@ -11,7 +11,7 @@ struct device_node;
2186
2187 struct dev_archdata {
2188 /* DMA operations on that device */
2189 - struct dma_map_ops *dma_ops;
2190 + const struct dma_map_ops *dma_ops;
2191
2192 /*
2193 * When an iommu is in use, dma_data is used as a ptr to the base of the
2194 diff -urNp linux-2.6.37/arch/powerpc/include/asm/dma-mapping.h linux-2.6.37/arch/powerpc/include/asm/dma-mapping.h
2195 --- linux-2.6.37/arch/powerpc/include/asm/dma-mapping.h 2011-01-04 19:50:19.000000000 -0500
2196 +++ linux-2.6.37/arch/powerpc/include/asm/dma-mapping.h 2011-01-17 02:41:00.000000000 -0500
2197 @@ -66,12 +66,13 @@ static inline unsigned long device_to_ma
2198 /*
2199 * Available generic sets of operations
2200 */
2201 +/* cannot be const */
2202 #ifdef CONFIG_PPC64
2203 -extern struct dma_map_ops dma_iommu_ops;
2204 +extern const struct dma_map_ops dma_iommu_ops;
2205 #endif
2206 -extern struct dma_map_ops dma_direct_ops;
2207 +extern const struct dma_map_ops dma_direct_ops;
2208
2209 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
2210 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
2211 {
2212 /* We don't handle the NULL dev case for ISA for now. We could
2213 * do it via an out of line call but it is not needed for now. The
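Review bot: The added `/* cannot be const */` comment sits directly above declarations that this very hunk makes `const` (dma_iommu_ops and dma_direct_ops), so it contradicts the code it annotates; either it is a leftover from an earlier revision or it refers to something else, such as the definitions in dma-iommu.c/dma.c, which would be a conflicting-type error if they were not const too. Please delete it or reword it to say what actually cannot be const and why, e.g. `/* the generic ops structs are const; per-device ops are selected with set_dma_ops() */`.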
2214 @@ -84,7 +85,7 @@ static inline struct dma_map_ops *get_dm
2215 return dev->archdata.dma_ops;
2216 }
2217
2218 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
2219 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
2220 {
2221 dev->archdata.dma_ops = ops;
2222 }
2223 @@ -118,7 +119,7 @@ static inline void set_dma_offset(struct
2224
2225 static inline int dma_supported(struct device *dev, u64 mask)
2226 {
2227 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2228 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2229
2230 if (unlikely(dma_ops == NULL))
2231 return 0;
2232 @@ -132,7 +133,7 @@ extern int dma_set_mask(struct device *d
2233 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
2234 dma_addr_t *dma_handle, gfp_t flag)
2235 {
2236 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2237 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2238 void *cpu_addr;
2239
2240 BUG_ON(!dma_ops);
2241 @@ -147,7 +148,7 @@ static inline void *dma_alloc_coherent(s
2242 static inline void dma_free_coherent(struct device *dev, size_t size,
2243 void *cpu_addr, dma_addr_t dma_handle)
2244 {
2245 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2246 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2247
2248 BUG_ON(!dma_ops);
2249
2250 @@ -158,7 +159,7 @@ static inline void dma_free_coherent(str
2251
2252 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
2253 {
2254 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2255 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2256
2257 if (dma_ops->mapping_error)
2258 return dma_ops->mapping_error(dev, dma_addr);
2259 diff -urNp linux-2.6.37/arch/powerpc/include/asm/elf.h linux-2.6.37/arch/powerpc/include/asm/elf.h
2260 --- linux-2.6.37/arch/powerpc/include/asm/elf.h 2011-01-04 19:50:19.000000000 -0500
2261 +++ linux-2.6.37/arch/powerpc/include/asm/elf.h 2011-01-17 02:41:00.000000000 -0500
2262 @@ -178,8 +178,19 @@ typedef elf_fpreg_t elf_vsrreghalf_t32[E
2263 the loader. We need to make sure that it is out of the way of the program
2264 that it will "exec", and that there is sufficient room for the brk. */
2265
2266 -extern unsigned long randomize_et_dyn(unsigned long base);
2267 -#define ELF_ET_DYN_BASE (randomize_et_dyn(0x20000000))
2268 +#define ELF_ET_DYN_BASE (0x20000000)
2269 +
2270 +#ifdef CONFIG_PAX_ASLR
2271 +#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
2272 +
2273 +#ifdef __powerpc64__
2274 +#define PAX_DELTA_MMAP_LEN (is_32bit_task() ? 16 : 28)
2275 +#define PAX_DELTA_STACK_LEN (is_32bit_task() ? 16 : 28)
2276 +#else
2277 +#define PAX_DELTA_MMAP_LEN 15
2278 +#define PAX_DELTA_STACK_LEN 15
2279 +#endif
2280 +#endif
2281
2282 /*
2283 * Our registers are always unsigned longs, whether we're a 32 bit
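Review bot: ELF_ET_DYN_BASE becomes the fixed value 0x20000000 and the arch_randomize_brk hook is removed, both unconditionally rather than under CONFIG_PAX_ASLR, so a kernel built with this patch but with PAX_ASLR disabled loses the ET_DYN base and brk randomisation that vanilla 2.6.37 provided through randomize_et_dyn()/arch_randomize_brk(). If PaX's replacement randomisation is active regardless of that option this is fine, but that is not visible here; otherwise the vanilla hooks should stay under `#ifndef CONFIG_PAX_ASLR`. The definitions of randomize_et_dyn() and arch_randomize_brk() in arch/powerpc/kernel/process.c are outside this chunk; if they are not removed elsewhere they become dead code.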
2284 @@ -274,9 +285,6 @@ extern int arch_setup_additional_pages(s
2285 (0x7ff >> (PAGE_SHIFT - 12)) : \
2286 (0x3ffff >> (PAGE_SHIFT - 12)))
2287
2288 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
2289 -#define arch_randomize_brk arch_randomize_brk
2290 -
2291 #endif /* __KERNEL__ */
2292
2293 /*
2294 diff -urNp linux-2.6.37/arch/powerpc/include/asm/iommu.h linux-2.6.37/arch/powerpc/include/asm/iommu.h
2295 --- linux-2.6.37/arch/powerpc/include/asm/iommu.h 2011-01-04 19:50:19.000000000 -0500
2296 +++ linux-2.6.37/arch/powerpc/include/asm/iommu.h 2011-01-17 02:41:00.000000000 -0500
2297 @@ -116,6 +116,9 @@ extern void iommu_init_early_iSeries(voi
2298 extern void iommu_init_early_dart(void);
2299 extern void iommu_init_early_pasemi(void);
2300
2301 +/* dma-iommu.c */
2302 +extern int dma_iommu_dma_supported(struct device *dev, u64 mask);
2303 +
2304 #ifdef CONFIG_PCI
2305 extern void pci_iommu_init(void);
2306 extern void pci_direct_iommu_init(void);
2307 diff -urNp linux-2.6.37/arch/powerpc/include/asm/kmap_types.h linux-2.6.37/arch/powerpc/include/asm/kmap_types.h
2308 --- linux-2.6.37/arch/powerpc/include/asm/kmap_types.h 2011-01-04 19:50:19.000000000 -0500
2309 +++ linux-2.6.37/arch/powerpc/include/asm/kmap_types.h 2011-01-17 02:41:00.000000000 -0500
2310 @@ -27,6 +27,7 @@ enum km_type {
2311 KM_PPC_SYNC_PAGE,
2312 KM_PPC_SYNC_ICACHE,
2313 KM_KDB,
2314 + KM_CLEARPAGE,
2315 KM_TYPE_NR
2316 };
2317
2318 diff -urNp linux-2.6.37/arch/powerpc/include/asm/page_64.h linux-2.6.37/arch/powerpc/include/asm/page_64.h
2319 --- linux-2.6.37/arch/powerpc/include/asm/page_64.h 2011-01-04 19:50:19.000000000 -0500
2320 +++ linux-2.6.37/arch/powerpc/include/asm/page_64.h 2011-01-17 02:41:00.000000000 -0500
2321 @@ -172,15 +172,18 @@ do { \
2322 * stack by default, so in the absense of a PT_GNU_STACK program header
2323 * we turn execute permission off.
2324 */
2325 -#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2326 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2327 +#define VM_STACK_DEFAULT_FLAGS32 \
2328 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2329 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2330
2331 #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2332 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2333
2334 +#ifndef CONFIG_PAX_PAGEEXEC
2335 #define VM_STACK_DEFAULT_FLAGS \
2336 (is_32bit_task() ? \
2337 VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
2338 +#endif
2339
2340 #include <asm-generic/getorder.h>
2341
2342 diff -urNp linux-2.6.37/arch/powerpc/include/asm/page.h linux-2.6.37/arch/powerpc/include/asm/page.h
2343 --- linux-2.6.37/arch/powerpc/include/asm/page.h 2011-01-04 19:50:19.000000000 -0500
2344 +++ linux-2.6.37/arch/powerpc/include/asm/page.h 2011-01-17 02:41:00.000000000 -0500
2345 @@ -129,8 +129,9 @@ extern phys_addr_t kernstart_addr;
2346 * and needs to be executable. This means the whole heap ends
2347 * up being executable.
2348 */
2349 -#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2350 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2351 +#define VM_DATA_DEFAULT_FLAGS32 \
2352 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2353 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2354
2355 #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2356 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
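Review bot: The comment immediately above VM_DATA_DEFAULT_FLAGS32 ("needs to be executable. This means the whole heap ends up being executable.") now describes the old unconditional VM_EXEC; after this change the heap is executable only for tasks whose personality carries READ_IMPLIES_EXEC. Update the tail of that comment to something like `...so VM_EXEC is granted only when the personality has READ_IMPLIES_EXEC (presumably set by the ELF loader for binaries without PT_GNU_STACK); otherwise the heap is non-executable.` The same adjustment applies to the VM_STACK_DEFAULT_FLAGS32 hunk in page_64.h.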
2357 @@ -158,6 +159,9 @@ extern phys_addr_t kernstart_addr;
2358 #define is_kernel_addr(x) ((x) >= PAGE_OFFSET)
2359 #endif
2360
2361 +#define ktla_ktva(addr) (addr)
2362 +#define ktva_ktla(addr) (addr)
2363 +
2364 #ifndef __ASSEMBLY__
2365
2366 #undef STRICT_MM_TYPECHECKS
2367 diff -urNp linux-2.6.37/arch/powerpc/include/asm/pci.h linux-2.6.37/arch/powerpc/include/asm/pci.h
2368 --- linux-2.6.37/arch/powerpc/include/asm/pci.h 2011-01-04 19:50:19.000000000 -0500
2369 +++ linux-2.6.37/arch/powerpc/include/asm/pci.h 2011-01-17 02:41:00.000000000 -0500
2370 @@ -65,8 +65,8 @@ static inline int pci_get_legacy_ide_irq
2371 }
2372
2373 #ifdef CONFIG_PCI
2374 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
2375 -extern struct dma_map_ops *get_pci_dma_ops(void);
2376 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
2377 +extern const struct dma_map_ops *get_pci_dma_ops(void);
2378 #else /* CONFIG_PCI */
2379 #define set_pci_dma_ops(d)
2380 #define get_pci_dma_ops() NULL
2381 diff -urNp linux-2.6.37/arch/powerpc/include/asm/pte-hash32.h linux-2.6.37/arch/powerpc/include/asm/pte-hash32.h
2382 --- linux-2.6.37/arch/powerpc/include/asm/pte-hash32.h 2011-01-04 19:50:19.000000000 -0500
2383 +++ linux-2.6.37/arch/powerpc/include/asm/pte-hash32.h 2011-01-17 02:41:00.000000000 -0500
2384 @@ -21,6 +21,7 @@
2385 #define _PAGE_FILE 0x004 /* when !present: nonlinear file mapping */
2386 #define _PAGE_USER 0x004 /* usermode access allowed */
2387 #define _PAGE_GUARDED 0x008 /* G: prohibit speculative access */
2388 +#define _PAGE_EXEC _PAGE_GUARDED
2389 #define _PAGE_COHERENT 0x010 /* M: enforce memory coherence (SMP systems) */
2390 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
2391 #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
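Review bot: `_PAGE_EXEC` is aliased to the Guarded bit without a comment, and the meaning is far from obvious next to the "prohibit speculative access" description of `_PAGE_GUARDED` one line above. Reading it together with the reg.h hunk (`DSISR_GUARDED`, "fetch from guarded storage") and the mm/fault.c hunks that treat that bit as a protection fault, the G bit is presumably being used to make instruction fetches trap on hash32, which has no hardware execute bit; which pages actually get G set is decided in the protection definitions outside this hunk. A comment such as `/* hash32 has no NX bit: PAGEEXEC reuses the G bit so fetches from guarded pages fault with DSISR_GUARDED (see mm/fault.c) */` would save the next reader the cross-file chase.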
2392 diff -urNp linux-2.6.37/arch/powerpc/include/asm/reg.h linux-2.6.37/arch/powerpc/include/asm/reg.h
2393 --- linux-2.6.37/arch/powerpc/include/asm/reg.h 2011-01-04 19:50:19.000000000 -0500
2394 +++ linux-2.6.37/arch/powerpc/include/asm/reg.h 2011-01-17 02:41:00.000000000 -0500
2395 @@ -191,6 +191,7 @@
2396 #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */
2397 #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */
2398 #define DSISR_NOHPTE 0x40000000 /* no translation found */
2399 +#define DSISR_GUARDED 0x10000000 /* fetch from guarded storage */
2400 #define DSISR_PROTFAULT 0x08000000 /* protection fault */
2401 #define DSISR_ISSTORE 0x02000000 /* access was a store */
2402 #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */
2403 diff -urNp linux-2.6.37/arch/powerpc/include/asm/swiotlb.h linux-2.6.37/arch/powerpc/include/asm/swiotlb.h
2404 --- linux-2.6.37/arch/powerpc/include/asm/swiotlb.h 2011-01-04 19:50:19.000000000 -0500
2405 +++ linux-2.6.37/arch/powerpc/include/asm/swiotlb.h 2011-01-17 02:41:00.000000000 -0500
2406 @@ -13,7 +13,7 @@
2407
2408 #include <linux/swiotlb.h>
2409
2410 -extern struct dma_map_ops swiotlb_dma_ops;
2411 +extern const struct dma_map_ops swiotlb_dma_ops;
2412
2413 static inline void dma_mark_clean(void *addr, size_t size) {}
2414
2415 diff -urNp linux-2.6.37/arch/powerpc/include/asm/system.h linux-2.6.37/arch/powerpc/include/asm/system.h
2416 --- linux-2.6.37/arch/powerpc/include/asm/system.h 2011-01-04 19:50:19.000000000 -0500
2417 +++ linux-2.6.37/arch/powerpc/include/asm/system.h 2011-01-17 02:41:00.000000000 -0500
2418 @@ -533,7 +533,7 @@ __cmpxchg_local(volatile void *ptr, unsi
2419 #define cmpxchg64_local(ptr, o, n) __cmpxchg64_local_generic((ptr), (o), (n))
2420 #endif
2421
2422 -extern unsigned long arch_align_stack(unsigned long sp);
2423 +#define arch_align_stack(x) ((x) & ~0xfUL)
2424
2425 /* Used in very early kernel initialization. */
2426 extern unsigned long reloc_offset(void);
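Review bot: The `arch_align_stack` macro drops the stack-top randomization the removed process.c function performed (the `get_random_int() & ~PAGE_MASK` subtraction gated on `ADDR_NO_RANDOMIZE` and `randomize_va_space`, deleted in the process.c hunk further down); unless PaX's own stack randomization takes over elsewhere in this patch, the ELF stack top becomes deterministic for every process, so the replacement deserves a comment naming the mechanism that now provides it, e.g. `/* no per-arch randomization here; user stack randomization is done by PaX (TODO: name the function) */`. The same process.c hunk also deletes `arch_randomize_brk` and `randomize_et_dyn`, whose callers in the generic ELF loader are not in view; presumably the matching Kconfig/binfmt changes are elsewhere in the patch, but that should be confirmed. Minor: `~0xfUL` is the right spelling here, since the old `sp & ~0xf` relied on sign extension of an int mask.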
2427 diff -urNp linux-2.6.37/arch/powerpc/include/asm/uaccess.h linux-2.6.37/arch/powerpc/include/asm/uaccess.h
2428 --- linux-2.6.37/arch/powerpc/include/asm/uaccess.h 2011-01-04 19:50:19.000000000 -0500
2429 +++ linux-2.6.37/arch/powerpc/include/asm/uaccess.h 2011-01-17 02:41:00.000000000 -0500
2430 @@ -13,6 +13,8 @@
2431 #define VERIFY_READ 0
2432 #define VERIFY_WRITE 1
2433
2434 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
2435 +
2436 /*
2437 * The fs value determines whether argument validity checking should be
2438 * performed or not. If get_fs() == USER_DS, checking is performed, with
2439 @@ -327,52 +329,6 @@ do { \
2440 extern unsigned long __copy_tofrom_user(void __user *to,
2441 const void __user *from, unsigned long size);
2442
2443 -#ifndef __powerpc64__
2444 -
2445 -static inline unsigned long copy_from_user(void *to,
2446 - const void __user *from, unsigned long n)
2447 -{
2448 - unsigned long over;
2449 -
2450 - if (access_ok(VERIFY_READ, from, n))
2451 - return __copy_tofrom_user((__force void __user *)to, from, n);
2452 - if ((unsigned long)from < TASK_SIZE) {
2453 - over = (unsigned long)from + n - TASK_SIZE;
2454 - return __copy_tofrom_user((__force void __user *)to, from,
2455 - n - over) + over;
2456 - }
2457 - return n;
2458 -}
2459 -
2460 -static inline unsigned long copy_to_user(void __user *to,
2461 - const void *from, unsigned long n)
2462 -{
2463 - unsigned long over;
2464 -
2465 - if (access_ok(VERIFY_WRITE, to, n))
2466 - return __copy_tofrom_user(to, (__force void __user *)from, n);
2467 - if ((unsigned long)to < TASK_SIZE) {
2468 - over = (unsigned long)to + n - TASK_SIZE;
2469 - return __copy_tofrom_user(to, (__force void __user *)from,
2470 - n - over) + over;
2471 - }
2472 - return n;
2473 -}
2474 -
2475 -#else /* __powerpc64__ */
2476 -
2477 -#define __copy_in_user(to, from, size) \
2478 - __copy_tofrom_user((to), (from), (size))
2479 -
2480 -extern unsigned long copy_from_user(void *to, const void __user *from,
2481 - unsigned long n);
2482 -extern unsigned long copy_to_user(void __user *to, const void *from,
2483 - unsigned long n);
2484 -extern unsigned long copy_in_user(void __user *to, const void __user *from,
2485 - unsigned long n);
2486 -
2487 -#endif /* __powerpc64__ */
2488 -
2489 static inline unsigned long __copy_from_user_inatomic(void *to,
2490 const void __user *from, unsigned long n)
2491 {
2492 @@ -396,6 +352,10 @@ static inline unsigned long __copy_from_
2493 if (ret == 0)
2494 return 0;
2495 }
2496 +
2497 + if (!__builtin_constant_p(n))
2498 + check_object_size(to, n, false);
2499 +
2500 return __copy_tofrom_user((__force void __user *)to, from, n);
2501 }
2502
2503 @@ -422,6 +382,10 @@ static inline unsigned long __copy_to_us
2504 if (ret == 0)
2505 return 0;
2506 }
2507 +
2508 + if (!__builtin_constant_p(n))
2509 + check_object_size(from, n, true);
2510 +
2511 return __copy_tofrom_user(to, (__force const void __user *)from, n);
2512 }
2513
2514 @@ -439,6 +403,92 @@ static inline unsigned long __copy_to_us
2515 return __copy_to_user_inatomic(to, from, size);
2516 }
2517
2518 +#ifndef __powerpc64__
2519 +
2520 +static inline unsigned long __must_check copy_from_user(void *to,
2521 + const void __user *from, unsigned long n)
2522 +{
2523 + unsigned long over;
2524 +
2525 + if ((long)n < 0)
2526 + return n;
2527 +
2528 + if (access_ok(VERIFY_READ, from, n)) {
2529 + if (!__builtin_constant_p(n))
2530 + check_object_size(to, n, false);
2531 + return __copy_tofrom_user((__force void __user *)to, from, n);
2532 + }
2533 + if ((unsigned long)from < TASK_SIZE) {
2534 + over = (unsigned long)from + n - TASK_SIZE;
2535 + if (!__builtin_constant_p(n - over))
2536 + check_object_size(to, n - over, false);
2537 + return __copy_tofrom_user((__force void __user *)to, from,
2538 + n - over) + over;
2539 + }
2540 + return n;
2541 +}
2542 +
2543 +static inline unsigned long __must_check copy_to_user(void __user *to,
2544 + const void *from, unsigned long n)
2545 +{
2546 + unsigned long over;
2547 +
2548 + if ((long)n < 0)
2549 + return n;
2550 +
2551 + if (access_ok(VERIFY_WRITE, to, n)) {
2552 + if (!__builtin_constant_p(n))
2553 + check_object_size(from, n, true);
2554 + return __copy_tofrom_user(to, (__force void __user *)from, n);
2555 + }
2556 + if ((unsigned long)to < TASK_SIZE) {
2557 + over = (unsigned long)to + n - TASK_SIZE;
2558 + if (!__builtin_constant_p(n))
2559 + check_object_size(from, n - over, true);
2560 + return __copy_tofrom_user(to, (__force void __user *)from,
2561 + n - over) + over;
2562 + }
2563 + return n;
2564 +}
2565 +
2566 +#else /* __powerpc64__ */
2567 +
2568 +#define __copy_in_user(to, from, size) \
2569 + __copy_tofrom_user((to), (from), (size))
2570 +
2571 +static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
2572 +{
2573 + if ((long)n < 0 || n > INT_MAX)
2574 + return n;
2575 +
2576 + if (!__builtin_constant_p(n))
2577 + check_object_size(to, n, false);
2578 +
2579 + if (likely(access_ok(VERIFY_READ, from, n)))
2580 + n = __copy_from_user(to, from, n);
2581 + else
2582 + memset(to, 0, n);
2583 + return n;
2584 +}
2585 +
2586 +static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
2587 +{
2588 + if ((long)n < 0 || n > INT_MAX)
2589 + return n;
2590 +
2591 + if (likely(access_ok(VERIFY_WRITE, to, n))) {
2592 + if (!__builtin_constant_p(n))
2593 + check_object_size(from, n, true);
2594 + n = __copy_to_user(to, from, n);
2595 + }
2596 + return n;
2597 +}
2598 +
2599 +extern unsigned long copy_in_user(void __user *to, const void __user *from,
2600 + unsigned long n);
2601 +
2602 +#endif /* __powerpc64__ */
2603 +
2604 extern unsigned long __clear_user(void __user *addr, unsigned long size);
2605
2606 static inline unsigned long clear_user(void __user *addr, unsigned long size)
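Review bot: In the 32-bit `copy_to_user` the partial-copy branch tests `__builtin_constant_p(n)` before calling `check_object_size(from, n - over, true)`, while the matching branch in `copy_from_user` tests `__builtin_constant_p(n - over)`; since `over` is derived from a runtime address the latter is never constant, so the check always runs there but is skipped for a constant `n` in `copy_to_user`. Pick one form for both — `if (!__builtin_constant_p(n))` / `check_object_size(to, n - over, false);` mirrors the 64-bit variants, where the skip is keyed on `n` alone. The 64-bit pair is inconsistent about ordering as well: `copy_from_user` calls `check_object_size` before `access_ok`, `copy_to_user` only inside the success branch, so on an `access_ok` failure the object-size check still runs for reads but not for writes. Two contract points that a header comment should state: the 32-bit `copy_from_user` still returns without zeroing `to` when `from` lies entirely outside `TASK_SIZE`, whereas the 64-bit one does `memset(to, 0, n)`; and because both functions are now inline in every module, `check_object_size` has to be exported (its definition and `EXPORT_SYMBOL` are not in view).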
2607 diff -urNp linux-2.6.37/arch/powerpc/kernel/dma.c linux-2.6.37/arch/powerpc/kernel/dma.c
2608 --- linux-2.6.37/arch/powerpc/kernel/dma.c 2011-01-04 19:50:19.000000000 -0500
2609 +++ linux-2.6.37/arch/powerpc/kernel/dma.c 2011-01-17 02:41:00.000000000 -0500
2610 @@ -136,7 +136,7 @@ static inline void dma_direct_sync_singl
2611 }
2612 #endif
2613
2614 -struct dma_map_ops dma_direct_ops = {
2615 +const struct dma_map_ops dma_direct_ops = {
2616 .alloc_coherent = dma_direct_alloc_coherent,
2617 .free_coherent = dma_direct_free_coherent,
2618 .map_sg = dma_direct_map_sg,
2619 @@ -157,7 +157,7 @@ EXPORT_SYMBOL(dma_direct_ops);
2620
2621 int dma_set_mask(struct device *dev, u64 dma_mask)
2622 {
2623 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2624 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2625
2626 if (ppc_md.dma_set_mask)
2627 return ppc_md.dma_set_mask(dev, dma_mask);
2628 diff -urNp linux-2.6.37/arch/powerpc/kernel/dma-iommu.c linux-2.6.37/arch/powerpc/kernel/dma-iommu.c
2629 --- linux-2.6.37/arch/powerpc/kernel/dma-iommu.c 2011-01-04 19:50:19.000000000 -0500
2630 +++ linux-2.6.37/arch/powerpc/kernel/dma-iommu.c 2011-01-17 02:41:00.000000000 -0500
2631 @@ -70,7 +70,7 @@ static void dma_iommu_unmap_sg(struct de
2632 }
2633
2634 /* We support DMA to/from any memory page via the iommu */
2635 -static int dma_iommu_dma_supported(struct device *dev, u64 mask)
2636 +int dma_iommu_dma_supported(struct device *dev, u64 mask)
2637 {
2638 struct iommu_table *tbl = get_iommu_table_base(dev);
2639
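Review bot: `dma_iommu_dma_supported` loses its `static` here without a declaration visible in any header; the only external user in view is the `.dma_supported = dma_iommu_dma_supported` initializer in the vio.c hunk, which will not compile unless a prototype is provided by a header both files include (presumably asm/iommu.h or asm/dma-mapping.h, neither in view). With `-Wmissing-prototypes` the definition itself warns as well. If the prototype hunk exists elsewhere in the patch this is fine; otherwise add `extern int dma_iommu_dma_supported(struct device *dev, u64 mask);` to that header.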
2640 @@ -90,6 +90,7 @@ static int dma_iommu_dma_supported(struc
2641 return 1;
2642 }
2643
2644 +/* cannot be const, see arch/powerpc/platforms/cell/iommu.c */
2645 struct dma_map_ops dma_iommu_ops = {
2646 .alloc_coherent = dma_iommu_alloc_coherent,
2647 .free_coherent = dma_iommu_free_coherent,
2648 diff -urNp linux-2.6.37/arch/powerpc/kernel/dma-swiotlb.c linux-2.6.37/arch/powerpc/kernel/dma-swiotlb.c
2649 --- linux-2.6.37/arch/powerpc/kernel/dma-swiotlb.c 2011-01-04 19:50:19.000000000 -0500
2650 +++ linux-2.6.37/arch/powerpc/kernel/dma-swiotlb.c 2011-01-17 02:41:00.000000000 -0500
2651 @@ -31,7 +31,7 @@ unsigned int ppc_swiotlb_enable;
2652 * map_page, and unmap_page on highmem, use normal dma_ops
2653 * for everything else.
2654 */
2655 -struct dma_map_ops swiotlb_dma_ops = {
2656 +const struct dma_map_ops swiotlb_dma_ops = {
2657 .alloc_coherent = dma_direct_alloc_coherent,
2658 .free_coherent = dma_direct_free_coherent,
2659 .map_sg = swiotlb_map_sg_attrs,
2660 diff -urNp linux-2.6.37/arch/powerpc/kernel/exceptions-64e.S linux-2.6.37/arch/powerpc/kernel/exceptions-64e.S
2661 --- linux-2.6.37/arch/powerpc/kernel/exceptions-64e.S 2011-01-04 19:50:19.000000000 -0500
2662 +++ linux-2.6.37/arch/powerpc/kernel/exceptions-64e.S 2011-01-17 02:41:00.000000000 -0500
2663 @@ -495,6 +495,7 @@ storage_fault_common:
2664 std r14,_DAR(r1)
2665 std r15,_DSISR(r1)
2666 addi r3,r1,STACK_FRAME_OVERHEAD
2667 + bl .save_nvgprs
2668 mr r4,r14
2669 mr r5,r15
2670 ld r14,PACA_EXGEN+EX_R14(r13)
2671 @@ -504,8 +505,7 @@ storage_fault_common:
2672 cmpdi r3,0
2673 bne- 1f
2674 b .ret_from_except_lite
2675 -1: bl .save_nvgprs
2676 - mr r5,r3
2677 +1: mr r5,r3
2678 addi r3,r1,STACK_FRAME_OVERHEAD
2679 ld r4,_DAR(r1)
2680 bl .bad_page_fault
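Review bot: `bl .save_nvgprs` is now executed on every storage fault, including the fast path where `do_page_fault` returns 0 and the code branches to `ret_from_except_lite`, so the non-volatile register save is no longer limited to the error path; the exceptions-64s.S hunk below makes the same change in `handle_page_fault`. Presumably this is needed because `do_page_fault` can now terminate the task directly (the `do_group_exit(SIGKILL)` path added in mm/fault.c) and wants a complete register set on the stack, but nothing in the assembly says so. A comment such as `# do_page_fault may now kill the task (PAGEEXEC), so save nvgprs unconditionally` next to the moved instruction would record both the reason and the cost on the fault path.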
2681 diff -urNp linux-2.6.37/arch/powerpc/kernel/exceptions-64s.S linux-2.6.37/arch/powerpc/kernel/exceptions-64s.S
2682 --- linux-2.6.37/arch/powerpc/kernel/exceptions-64s.S 2011-01-04 19:50:19.000000000 -0500
2683 +++ linux-2.6.37/arch/powerpc/kernel/exceptions-64s.S 2011-01-17 02:41:00.000000000 -0500
2684 @@ -847,10 +847,10 @@ handle_page_fault:
2685 11: ld r4,_DAR(r1)
2686 ld r5,_DSISR(r1)
2687 addi r3,r1,STACK_FRAME_OVERHEAD
2688 + bl .save_nvgprs
2689 bl .do_page_fault
2690 cmpdi r3,0
2691 beq+ 13f
2692 - bl .save_nvgprs
2693 mr r5,r3
2694 addi r3,r1,STACK_FRAME_OVERHEAD
2695 lwz r4,_DAR(r1)
2696 diff -urNp linux-2.6.37/arch/powerpc/kernel/ibmebus.c linux-2.6.37/arch/powerpc/kernel/ibmebus.c
2697 --- linux-2.6.37/arch/powerpc/kernel/ibmebus.c 2011-01-04 19:50:19.000000000 -0500
2698 +++ linux-2.6.37/arch/powerpc/kernel/ibmebus.c 2011-01-17 02:41:00.000000000 -0500
2699 @@ -128,7 +128,7 @@ static int ibmebus_dma_supported(struct
2700 return 1;
2701 }
2702
2703 -static struct dma_map_ops ibmebus_dma_ops = {
2704 +static const struct dma_map_ops ibmebus_dma_ops = {
2705 .alloc_coherent = ibmebus_alloc_coherent,
2706 .free_coherent = ibmebus_free_coherent,
2707 .map_sg = ibmebus_map_sg,
2708 diff -urNp linux-2.6.37/arch/powerpc/kernel/kgdb.c linux-2.6.37/arch/powerpc/kernel/kgdb.c
2709 --- linux-2.6.37/arch/powerpc/kernel/kgdb.c 2011-01-04 19:50:19.000000000 -0500
2710 +++ linux-2.6.37/arch/powerpc/kernel/kgdb.c 2011-01-17 02:41:00.000000000 -0500
2711 @@ -422,7 +422,7 @@ int kgdb_arch_handle_exception(int vecto
2712 /*
2713 * Global data
2714 */
2715 -struct kgdb_arch arch_kgdb_ops = {
2716 +const struct kgdb_arch arch_kgdb_ops = {
2717 .gdb_bpt_instr = {0x7d, 0x82, 0x10, 0x08},
2718 };
2719
2720 diff -urNp linux-2.6.37/arch/powerpc/kernel/module_32.c linux-2.6.37/arch/powerpc/kernel/module_32.c
2721 --- linux-2.6.37/arch/powerpc/kernel/module_32.c 2011-01-04 19:50:19.000000000 -0500
2722 +++ linux-2.6.37/arch/powerpc/kernel/module_32.c 2011-01-17 02:41:00.000000000 -0500
2723 @@ -162,7 +162,7 @@ int module_frob_arch_sections(Elf32_Ehdr
2724 me->arch.core_plt_section = i;
2725 }
2726 if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
2727 - printk("Module doesn't contain .plt or .init.plt sections.\n");
2728 + printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
2729 return -ENOEXEC;
2730 }
2731
2732 @@ -203,11 +203,16 @@ static uint32_t do_plt_call(void *locati
2733
2734 DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
2735 /* Init, or core PLT? */
2736 - if (location >= mod->module_core
2737 - && location < mod->module_core + mod->core_size)
2738 + if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
2739 + (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
2740 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
2741 - else
2742 + else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
2743 + (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
2744 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
2745 + else {
2746 + printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
2747 + return ~0UL;
2748 + }
2749
2750 /* Find this entry, or if that fails, the next avail. entry */
2751 while (entry->jump[0]) {
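Review bot: `do_plt_call` is declared `static uint32_t` (hunk header) but the new error path returns `~0UL`, which is silently truncated to `0xffffffff`; spell it as `return (uint32_t)~0;` or a named constant so the intent is visible, and make sure the caller (outside this hunk) checks for that value instead of emitting a relocation to `0xffffffff`. Before this change a location outside the core region unconditionally used the init PLT, so no caller ever had to handle a failure from this function — the error return is new behaviour and needs a comment on the function stating it. The rest of `do_plt_call` continues outside the hunk.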
2752 diff -urNp linux-2.6.37/arch/powerpc/kernel/module.c linux-2.6.37/arch/powerpc/kernel/module.c
2753 --- linux-2.6.37/arch/powerpc/kernel/module.c 2011-01-04 19:50:19.000000000 -0500
2754 +++ linux-2.6.37/arch/powerpc/kernel/module.c 2011-01-17 02:41:00.000000000 -0500
2755 @@ -31,11 +31,24 @@
2756
2757 LIST_HEAD(module_bug_list);
2758
2759 +#ifdef CONFIG_PAX_KERNEXEC
2760 void *module_alloc(unsigned long size)
2761 {
2762 if (size == 0)
2763 return NULL;
2764
2765 + return vmalloc(size);
2766 +}
2767 +
2768 +void *module_alloc_exec(unsigned long size)
2769 +#else
2770 +void *module_alloc(unsigned long size)
2771 +#endif
2772 +
2773 +{
2774 + if (size == 0)
2775 + return NULL;
2776 +
2777 return vmalloc_exec(size);
2778 }
2779
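Review bot: The head of the `vmalloc_exec` allocator is assembled from preprocessor halves — `void *module_alloc_exec(unsigned long size)` under `#ifdef CONFIG_PAX_KERNEXEC`, `void *module_alloc(unsigned long size)` under `#else`, then a blank line and the shared `{` — which is hard to read and easy to break when one side is edited. A static helper with two one-line named wrappers keeps each definition complete (outline below; the KERNEXEC `module_alloc` returning plain `vmalloc` stays as is). Documentation is missing too: a comment stating that under KERNEXEC `module_alloc` hands out non-executable memory and `module_alloc_exec` the executable region would explain why the split exists.
```c
/* … unchanged: module_alloc() under CONFIG_PAX_KERNEXEC returning vmalloc(size) … */

/* Executable module memory; shared by the two entry points below. */
static void *module_vmalloc_exec(unsigned long size)
{
	if (size == 0)
		return NULL;

	return vmalloc_exec(size);
}

#ifdef CONFIG_PAX_KERNEXEC
void *module_alloc_exec(unsigned long size)
{
	return module_vmalloc_exec(size);
}
#else
void *module_alloc(unsigned long size)
{
	return module_vmalloc_exec(size);
}
#endif
```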
2780 @@ -45,6 +58,13 @@ void module_free(struct module *mod, voi
2781 vfree(module_region);
2782 }
2783
2784 +#ifdef CONFIG_PAX_KERNEXEC
2785 +void module_free_exec(struct module *mod, void *module_region)
2786 +{
2787 + module_free(mod, module_region);
2788 +}
2789 +#endif
2790 +
2791 static const Elf_Shdr *find_section(const Elf_Ehdr *hdr,
2792 const Elf_Shdr *sechdrs,
2793 const char *name)
2794 diff -urNp linux-2.6.37/arch/powerpc/kernel/pci-common.c linux-2.6.37/arch/powerpc/kernel/pci-common.c
2795 --- linux-2.6.37/arch/powerpc/kernel/pci-common.c 2011-01-04 19:50:19.000000000 -0500
2796 +++ linux-2.6.37/arch/powerpc/kernel/pci-common.c 2011-01-17 02:41:00.000000000 -0500
2797 @@ -52,14 +52,14 @@ resource_size_t isa_mem_base;
2798 unsigned int ppc_pci_flags = 0;
2799
2800
2801 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2802 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2803
2804 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
2805 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
2806 {
2807 pci_dma_ops = dma_ops;
2808 }
2809
2810 -struct dma_map_ops *get_pci_dma_ops(void)
2811 +const struct dma_map_ops *get_pci_dma_ops(void)
2812 {
2813 return pci_dma_ops;
2814 }
2815 diff -urNp linux-2.6.37/arch/powerpc/kernel/process.c linux-2.6.37/arch/powerpc/kernel/process.c
2816 --- linux-2.6.37/arch/powerpc/kernel/process.c 2011-01-04 19:50:19.000000000 -0500
2817 +++ linux-2.6.37/arch/powerpc/kernel/process.c 2011-01-17 02:41:00.000000000 -0500
2818 @@ -653,8 +653,8 @@ void show_regs(struct pt_regs * regs)
2819 * Lookup NIP late so we have the best change of getting the
2820 * above info out without failing
2821 */
2822 - printk("NIP ["REG"] %pS\n", regs->nip, (void *)regs->nip);
2823 - printk("LR ["REG"] %pS\n", regs->link, (void *)regs->link);
2824 + printk("NIP ["REG"] %pA\n", regs->nip, (void *)regs->nip);
2825 + printk("LR ["REG"] %pA\n", regs->link, (void *)regs->link);
2826 #endif
2827 show_stack(current, (unsigned long *) regs->gpr[1]);
2828 if (!user_mode(regs))
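Review bot: `%pS` is replaced by `%pA` in these `printk` calls (this hunk and the two `show_stack` hunks that follow), but `%pA` is not a format the stock 2.6.37 `vsprintf` understands; the hunk adding it to lib/vsprintf.c must be part of this patch, otherwise the argument is presumably printed as a plain `%p` value and the symbolic output is lost. I cannot tell from here how `%pA` differs from `%pS`, so a comment at the first use, e.g. `/* %pA: PaX variant of %pS, see lib/vsprintf.c */`, would spare the next reader the search.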
2829 @@ -1144,10 +1144,10 @@ void show_stack(struct task_struct *tsk,
2830 newsp = stack[0];
2831 ip = stack[STACK_FRAME_LR_SAVE];
2832 if (!firstframe || ip != lr) {
2833 - printk("["REG"] ["REG"] %pS", sp, ip, (void *)ip);
2834 + printk("["REG"] ["REG"] %pA", sp, ip, (void *)ip);
2835 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
2836 if ((ip == rth || ip == mrth) && curr_frame >= 0) {
2837 - printk(" (%pS)",
2838 + printk(" (%pA)",
2839 (void *)current->ret_stack[curr_frame].ret);
2840 curr_frame--;
2841 }
2842 @@ -1167,7 +1167,7 @@ void show_stack(struct task_struct *tsk,
2843 struct pt_regs *regs = (struct pt_regs *)
2844 (sp + STACK_FRAME_OVERHEAD);
2845 lr = regs->link;
2846 - printk("--- Exception: %lx at %pS\n LR = %pS\n",
2847 + printk("--- Exception: %lx at %pA\n LR = %pA\n",
2848 regs->trap, (void *)regs->nip, (void *)lr);
2849 firstframe = 1;
2850 }
2851 @@ -1242,58 +1242,3 @@ void thread_info_cache_init(void)
2852 }
2853
2854 #endif /* THREAD_SHIFT < PAGE_SHIFT */
2855 -
2856 -unsigned long arch_align_stack(unsigned long sp)
2857 -{
2858 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
2859 - sp -= get_random_int() & ~PAGE_MASK;
2860 - return sp & ~0xf;
2861 -}
2862 -
2863 -static inline unsigned long brk_rnd(void)
2864 -{
2865 - unsigned long rnd = 0;
2866 -
2867 - /* 8MB for 32bit, 1GB for 64bit */
2868 - if (is_32bit_task())
2869 - rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
2870 - else
2871 - rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
2872 -
2873 - return rnd << PAGE_SHIFT;
2874 -}
2875 -
2876 -unsigned long arch_randomize_brk(struct mm_struct *mm)
2877 -{
2878 - unsigned long base = mm->brk;
2879 - unsigned long ret;
2880 -
2881 -#ifdef CONFIG_PPC_STD_MMU_64
2882 - /*
2883 - * If we are using 1TB segments and we are allowed to randomise
2884 - * the heap, we can put it above 1TB so it is backed by a 1TB
2885 - * segment. Otherwise the heap will be in the bottom 1TB
2886 - * which always uses 256MB segments and this may result in a
2887 - * performance penalty.
2888 - */
2889 - if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T))
2890 - base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T);
2891 -#endif
2892 -
2893 - ret = PAGE_ALIGN(base + brk_rnd());
2894 -
2895 - if (ret < mm->brk)
2896 - return mm->brk;
2897 -
2898 - return ret;
2899 -}
2900 -
2901 -unsigned long randomize_et_dyn(unsigned long base)
2902 -{
2903 - unsigned long ret = PAGE_ALIGN(base + brk_rnd());
2904 -
2905 - if (ret < base)
2906 - return base;
2907 -
2908 - return ret;
2909 -}
2910 diff -urNp linux-2.6.37/arch/powerpc/kernel/signal_32.c linux-2.6.37/arch/powerpc/kernel/signal_32.c
2911 --- linux-2.6.37/arch/powerpc/kernel/signal_32.c 2011-01-04 19:50:19.000000000 -0500
2912 +++ linux-2.6.37/arch/powerpc/kernel/signal_32.c 2011-01-17 02:41:00.000000000 -0500
2913 @@ -858,7 +858,7 @@ int handle_rt_signal32(unsigned long sig
2914 /* Save user registers on the stack */
2915 frame = &rt_sf->uc.uc_mcontext;
2916 addr = frame;
2917 - if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
2918 + if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2919 if (save_user_regs(regs, frame, 0, 1))
2920 goto badframe;
2921 regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
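Review bot: The test changes from `vdso_base != 0` to `vdso_base != ~0UL`, so the sentinel for "no vDSO mapped" is now `~0UL` (set in the vdso.c hunk below, `current->mm->context.vdso_base = ~0UL;`), and the signal_64.c hunk makes the same change; every other reader of `context.vdso_base` has to agree, and only these three sites are in view. In particular a zero-initialised `mm_context_t` (a fresh mm before `arch_setup_additional_pages` runs) now reads as "vDSO at address 0" where it previously read as "absent"; that is presumably harmless for signal delivery, which only happens after exec, but the other users (`arch_vma_name`, `init_new_context`) should be checked for the old `0` convention. The definition of `vdso_base` should carry a comment such as `/* vDSO base for this mm, or ~0UL when none is mapped (set in arch_setup_additional_pages) */`.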
2922 diff -urNp linux-2.6.37/arch/powerpc/kernel/signal_64.c linux-2.6.37/arch/powerpc/kernel/signal_64.c
2923 --- linux-2.6.37/arch/powerpc/kernel/signal_64.c 2011-01-04 19:50:19.000000000 -0500
2924 +++ linux-2.6.37/arch/powerpc/kernel/signal_64.c 2011-01-17 02:41:00.000000000 -0500
2925 @@ -429,7 +429,7 @@ int handle_rt_signal64(int signr, struct
2926 current->thread.fpscr.val = 0;
2927
2928 /* Set up to return from userspace. */
2929 - if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
2930 + if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2931 regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
2932 } else {
2933 err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
2934 diff -urNp linux-2.6.37/arch/powerpc/kernel/vdso.c linux-2.6.37/arch/powerpc/kernel/vdso.c
2935 --- linux-2.6.37/arch/powerpc/kernel/vdso.c 2011-01-04 19:50:19.000000000 -0500
2936 +++ linux-2.6.37/arch/powerpc/kernel/vdso.c 2011-01-17 02:41:00.000000000 -0500
2937 @@ -36,6 +36,7 @@
2938 #include <asm/firmware.h>
2939 #include <asm/vdso.h>
2940 #include <asm/vdso_datapage.h>
2941 +#include <asm/mman.h>
2942
2943 #include "setup.h"
2944
2945 @@ -220,7 +221,7 @@ int arch_setup_additional_pages(struct l
2946 vdso_base = VDSO32_MBASE;
2947 #endif
2948
2949 - current->mm->context.vdso_base = 0;
2950 + current->mm->context.vdso_base = ~0UL;
2951
2952 /* vDSO has a problem and was disabled, just don't "enable" it for the
2953 * process
2954 @@ -240,7 +241,7 @@ int arch_setup_additional_pages(struct l
2955 vdso_base = get_unmapped_area(NULL, vdso_base,
2956 (vdso_pages << PAGE_SHIFT) +
2957 ((VDSO_ALIGNMENT - 1) & PAGE_MASK),
2958 - 0, 0);
2959 + 0, MAP_PRIVATE | MAP_EXECUTABLE);
2960 if (IS_ERR_VALUE(vdso_base)) {
2961 rc = vdso_base;
2962 goto fail_mmapsem;
2963 diff -urNp linux-2.6.37/arch/powerpc/kernel/vio.c linux-2.6.37/arch/powerpc/kernel/vio.c
2964 --- linux-2.6.37/arch/powerpc/kernel/vio.c 2011-01-04 19:50:19.000000000 -0500
2965 +++ linux-2.6.37/arch/powerpc/kernel/vio.c 2011-01-17 02:41:00.000000000 -0500
2966 @@ -600,11 +600,12 @@ static void vio_dma_iommu_unmap_sg(struc
2967 vio_cmo_dealloc(viodev, alloc_size);
2968 }
2969
2970 -struct dma_map_ops vio_dma_mapping_ops = {
2971 +static const struct dma_map_ops vio_dma_mapping_ops = {
2972 .alloc_coherent = vio_dma_iommu_alloc_coherent,
2973 .free_coherent = vio_dma_iommu_free_coherent,
2974 .map_sg = vio_dma_iommu_map_sg,
2975 .unmap_sg = vio_dma_iommu_unmap_sg,
2976 + .dma_supported = dma_iommu_dma_supported,
2977 .map_page = vio_dma_iommu_map_page,
2978 .unmap_page = vio_dma_iommu_unmap_page,
2979
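Review bot: `vio_dma_mapping_ops.dma_supported` is now bound at compile time to `dma_iommu_dma_supported`, and the runtime copy from `dma_iommu_ops.dma_supported` in `vio_cmo_set_dma_ops` is dropped in the next hunk; this is only equivalent if nothing reassigns `dma_iommu_ops.dma_supported` at run time. The dma-iommu.c hunk above says `dma_iommu_ops` "cannot be const, see arch/powerpc/platforms/cell/iommu.c", i.e. that file writes to the ops table, so which member it writes should be confirmed before the binding is made static. A comment on the initializer, e.g. `/* dma_iommu_ops.dma_supported is never changed at runtime, so bind it here */`, would record that reasoning.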
2980 @@ -858,7 +859,6 @@ static void vio_cmo_bus_remove(struct vi
2981
2982 static void vio_cmo_set_dma_ops(struct vio_dev *viodev)
2983 {
2984 - vio_dma_mapping_ops.dma_supported = dma_iommu_ops.dma_supported;
2985 viodev->dev.archdata.dma_ops = &vio_dma_mapping_ops;
2986 }
2987
2988 diff -urNp linux-2.6.37/arch/powerpc/lib/usercopy_64.c linux-2.6.37/arch/powerpc/lib/usercopy_64.c
2989 --- linux-2.6.37/arch/powerpc/lib/usercopy_64.c 2011-01-04 19:50:19.000000000 -0500
2990 +++ linux-2.6.37/arch/powerpc/lib/usercopy_64.c 2011-01-17 02:41:00.000000000 -0500
2991 @@ -9,22 +9,6 @@
2992 #include <linux/module.h>
2993 #include <asm/uaccess.h>
2994
2995 -unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
2996 -{
2997 - if (likely(access_ok(VERIFY_READ, from, n)))
2998 - n = __copy_from_user(to, from, n);
2999 - else
3000 - memset(to, 0, n);
3001 - return n;
3002 -}
3003 -
3004 -unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
3005 -{
3006 - if (likely(access_ok(VERIFY_WRITE, to, n)))
3007 - n = __copy_to_user(to, from, n);
3008 - return n;
3009 -}
3010 -
3011 unsigned long copy_in_user(void __user *to, const void __user *from,
3012 unsigned long n)
3013 {
3014 @@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user *
3015 return n;
3016 }
3017
3018 -EXPORT_SYMBOL(copy_from_user);
3019 -EXPORT_SYMBOL(copy_to_user);
3020 EXPORT_SYMBOL(copy_in_user);
3021
3022 diff -urNp linux-2.6.37/arch/powerpc/mm/fault.c linux-2.6.37/arch/powerpc/mm/fault.c
3023 --- linux-2.6.37/arch/powerpc/mm/fault.c 2011-01-04 19:50:19.000000000 -0500
3024 +++ linux-2.6.37/arch/powerpc/mm/fault.c 2011-01-17 02:41:00.000000000 -0500
3025 @@ -31,6 +31,10 @@
3026 #include <linux/kdebug.h>
3027 #include <linux/perf_event.h>
3028 #include <linux/magic.h>
3029 +#include <linux/slab.h>
3030 +#include <linux/pagemap.h>
3031 +#include <linux/compiler.h>
3032 +#include <linux/unistd.h>
3033
3034 #include <asm/firmware.h>
3035 #include <asm/page.h>
3036 @@ -42,6 +46,7 @@
3037 #include <asm/tlbflush.h>
3038 #include <asm/siginfo.h>
3039 #include <mm/mmu_decl.h>
3040 +#include <asm/ptrace.h>
3041
3042 #ifdef CONFIG_KPROBES
3043 static inline int notify_page_fault(struct pt_regs *regs)
3044 @@ -65,6 +70,33 @@ static inline int notify_page_fault(stru
3045 }
3046 #endif
3047
3048 +#ifdef CONFIG_PAX_PAGEEXEC
3049 +/*
3050 + * PaX: decide what to do with offenders (regs->nip = fault address)
3051 + *
3052 + * returns 1 when task should be killed
3053 + */
3054 +static int pax_handle_fetch_fault(struct pt_regs *regs)
3055 +{
3056 + return 1;
3057 +}
3058 +
3059 +void pax_report_insns(void *pc, void *sp)
3060 +{
3061 + unsigned long i;
3062 +
3063 + printk(KERN_ERR "PAX: bytes at PC: ");
3064 + for (i = 0; i < 5; i++) {
3065 + unsigned int c;
3066 + if (get_user(c, (unsigned int __user *)pc+i))
3067 + printk(KERN_CONT "???????? ");
3068 + else
3069 + printk(KERN_CONT "%08x ", c);
3070 + }
3071 + printk("\n");
3072 +}
3073 +#endif
3074 +
3075 /*
3076 * Check whether the instruction at regs->nip is a store using
3077 * an update addressing form which will update r1.
3078 @@ -135,7 +167,7 @@ int __kprobes do_page_fault(struct pt_re
3079 * indicate errors in DSISR but can validly be set in SRR1.
3080 */
3081 if (trap == 0x400)
3082 - error_code &= 0x48200000;
3083 + error_code &= 0x58200000;
3084 else
3085 is_write = error_code & DSISR_ISSTORE;
3086 #else
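Review bot: `error_code &= 0x58200000;` adds the `0x10000000` bit to the mask of SRR1 bits kept on an instruction-storage fault, which is exactly the value this patch names `DSISR_GUARDED` in reg.h and tests later in this file; writing it as `error_code &= 0x48200000 | DSISR_GUARDED;` ties the two together instead of leaving a second magic number to keep in sync. The comment ending just above the mask describes the old set of bits and should mention the guarded-storage bit as well.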
3087 @@ -258,7 +290,7 @@ good_area:
3088 * "undefined". Of those that can be set, this is the only
3089 * one which seems bad.
3090 */
3091 - if (error_code & 0x10000000)
3092 + if (error_code & DSISR_GUARDED)
3093 /* Guarded storage error. */
3094 goto bad_area;
3095 #endif /* CONFIG_8xx */
3096 @@ -273,7 +305,7 @@ good_area:
3097 * processors use the same I/D cache coherency mechanism
3098 * as embedded.
3099 */
3100 - if (error_code & DSISR_PROTFAULT)
3101 + if (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))
3102 goto bad_area;
3103 #endif /* CONFIG_PPC_STD_MMU */
3104
3105 @@ -342,6 +374,23 @@ bad_area:
3106 bad_area_nosemaphore:
3107 /* User mode accesses cause a SIGSEGV */
3108 if (user_mode(regs)) {
3109 +
3110 +#ifdef CONFIG_PAX_PAGEEXEC
3111 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
3112 +#ifdef CONFIG_PPC_STD_MMU
3113 + if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) {
3114 +#else
3115 + if (is_exec && regs->nip == address) {
3116 +#endif
3117 + switch (pax_handle_fetch_fault(regs)) {
3118 + }
3119 +
3120 + pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]);
3121 + do_group_exit(SIGKILL);
3122 + }
3123 + }
3124 +#endif
3125 +
3126 _exception(SIGSEGV, regs, code, address);
3127 return 0;
3128 }
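Review bot: `switch (pax_handle_fetch_fault(regs)) { }` has no cases, so the return value is discarded and control always falls through to `pax_report_fault` and `do_group_exit(SIGKILL)`; together with the stub `pax_handle_fetch_fault` in the earlier hunk, which ignores `regs` and always returns 1, this is dead scaffolding. Either drop the switch and call `pax_report_fault`/`do_group_exit` directly, or document the stub with `/* no emulation on powerpc: every PAGEEXEC fetch fault is fatal (returns 1) */` on the function and `/* switch kept for parity with other arches; only the "kill" result exists here */` on the switch. The `do_page_fault` body this sits in starts and ends outside the hunk.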
3129 diff -urNp linux-2.6.37/arch/powerpc/mm/mmap_64.c linux-2.6.37/arch/powerpc/mm/mmap_64.c
3130 --- linux-2.6.37/arch/powerpc/mm/mmap_64.c 2011-01-04 19:50:19.000000000 -0500
3131 +++ linux-2.6.37/arch/powerpc/mm/mmap_64.c 2011-01-17 02:41:00.000000000 -0500
3132 @@ -99,10 +99,22 @@ void arch_pick_mmap_layout(struct mm_str
3133 */
3134 if (mmap_is_legacy()) {
3135 mm->mmap_base = TASK_UNMAPPED_BASE;
3136 +
3137 +#ifdef CONFIG_PAX_RANDMMAP
3138 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3139 + mm->mmap_base += mm->delta_mmap;
3140 +#endif
3141 +
3142 mm->get_unmapped_area = arch_get_unmapped_area;
3143 mm->unmap_area = arch_unmap_area;
3144 } else {
3145 mm->mmap_base = mmap_base();
3146 +
3147 +#ifdef CONFIG_PAX_RANDMMAP
3148 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3149 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3150 +#endif
3151 +
3152 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3153 mm->unmap_area = arch_unmap_area_topdown;
3154 }
3155 diff -urNp linux-2.6.37/arch/powerpc/mm/slice.c linux-2.6.37/arch/powerpc/mm/slice.c
3156 --- linux-2.6.37/arch/powerpc/mm/slice.c 2011-01-04 19:50:19.000000000 -0500
3157 +++ linux-2.6.37/arch/powerpc/mm/slice.c 2011-01-17 02:41:00.000000000 -0500
3158 @@ -98,7 +98,7 @@ static int slice_area_is_free(struct mm_
3159 if ((mm->task_size - len) < addr)
3160 return 0;
3161 vma = find_vma(mm, addr);
3162 - return (!vma || (addr + len) <= vma->vm_start);
3163 + return check_heap_stack_gap(vma, addr, len);
3164 }
3165
3166 static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
3167 @@ -256,7 +256,7 @@ full_search:
3168 addr = _ALIGN_UP(addr + 1, 1ul << SLICE_HIGH_SHIFT);
3169 continue;
3170 }
3171 - if (!vma || addr + len <= vma->vm_start) {
3172 + if (check_heap_stack_gap(vma, addr, len)) {
3173 /*
3174 * Remember the place where we stopped the search:
3175 */
3176 @@ -336,7 +336,7 @@ static unsigned long slice_find_area_top
3177 * return with success:
3178 */
3179 vma = find_vma(mm, addr);
3180 - if (!vma || (addr + len) <= vma->vm_start) {
3181 + if (check_heap_stack_gap(vma, addr, len)) {
3182 /* remember the address as a hint for next time */
3183 if (use_cache)
3184 mm->free_area_cache = addr;
3185 @@ -426,6 +426,11 @@ unsigned long slice_get_unmapped_area(un
3186 if (fixed && addr > (mm->task_size - len))
3187 return -EINVAL;
3188
3189 +#ifdef CONFIG_PAX_RANDMMAP
3190 + if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP))
3191 + addr = 0;
3192 +#endif
3193 +
3194 /* If hint, make sure it matches our alignment restrictions */
3195 if (!fixed && addr) {
3196 addr = _ALIGN_UP(addr, 1ul << pshift);
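Review bot: With `CONFIG_PAX_RANDMMAP` the hint `addr` is zeroed for every non-fixed request, so a caller-supplied mmap hint is silently ignored; that is presumably intended (honouring the hint would let a process defeat the randomisation), but the hunk says nothing about it. A one-line comment such as `/* RANDMMAP: ignore non-MAP_FIXED hints so placement stays randomised */` would make the intent explicit. The same applies to the `check_heap_stack_gap` replacements in the three hunks above, where the helper's gap semantics are not described anywhere in this file.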
3197 diff -urNp linux-2.6.37/arch/powerpc/platforms/52xx/lite5200_pm.c linux-2.6.37/arch/powerpc/platforms/52xx/lite5200_pm.c
3198 --- linux-2.6.37/arch/powerpc/platforms/52xx/lite5200_pm.c 2011-01-04 19:50:19.000000000 -0500
3199 +++ linux-2.6.37/arch/powerpc/platforms/52xx/lite5200_pm.c 2011-01-17 02:41:00.000000000 -0500
3200 @@ -232,7 +232,7 @@ static void lite5200_pm_end(void)
3201 lite5200_pm_target_state = PM_SUSPEND_ON;
3202 }
3203
3204 -static struct platform_suspend_ops lite5200_pm_ops = {
3205 +static const struct platform_suspend_ops lite5200_pm_ops = {
3206 .valid = lite5200_pm_valid,
3207 .begin = lite5200_pm_begin,
3208 .prepare = lite5200_pm_prepare,
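Review bot: Making `lite5200_pm_ops` const only compiles cleanly if `suspend_set_ops()` and its prototype in include/linux/suspend.h take a `const struct platform_suspend_ops *`; that change is not in this hunk and presumably lives elsewhere in the patch, so this hunk has to be reviewed together with it. The same one-line constification is repeated for mpc52xx_pm_ops, mpc83xx_suspend_ops, pseries_suspend_ops, pmc_suspend_ops, hp6x0_pm_ops and sh_pm_ops, and each depends on the same condition.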
3209 diff -urNp linux-2.6.37/arch/powerpc/platforms/52xx/mpc52xx_pm.c linux-2.6.37/arch/powerpc/platforms/52xx/mpc52xx_pm.c
3210 --- linux-2.6.37/arch/powerpc/platforms/52xx/mpc52xx_pm.c 2011-01-04 19:50:19.000000000 -0500
3211 +++ linux-2.6.37/arch/powerpc/platforms/52xx/mpc52xx_pm.c 2011-01-17 02:41:00.000000000 -0500
3212 @@ -186,7 +186,7 @@ void mpc52xx_pm_finish(void)
3213 iounmap(mbar);
3214 }
3215
3216 -static struct platform_suspend_ops mpc52xx_pm_ops = {
3217 +static const struct platform_suspend_ops mpc52xx_pm_ops = {
3218 .valid = mpc52xx_pm_valid,
3219 .prepare = mpc52xx_pm_prepare,
3220 .enter = mpc52xx_pm_enter,
3221 diff -urNp linux-2.6.37/arch/powerpc/platforms/83xx/suspend.c linux-2.6.37/arch/powerpc/platforms/83xx/suspend.c
3222 --- linux-2.6.37/arch/powerpc/platforms/83xx/suspend.c 2011-01-04 19:50:19.000000000 -0500
3223 +++ linux-2.6.37/arch/powerpc/platforms/83xx/suspend.c 2011-01-17 02:41:00.000000000 -0500
3224 @@ -311,7 +311,7 @@ static int mpc83xx_is_pci_agent(void)
3225 return ret;
3226 }
3227
3228 -static struct platform_suspend_ops mpc83xx_suspend_ops = {
3229 +static const struct platform_suspend_ops mpc83xx_suspend_ops = {
3230 .valid = mpc83xx_suspend_valid,
3231 .begin = mpc83xx_suspend_begin,
3232 .enter = mpc83xx_suspend_enter,
3233 diff -urNp linux-2.6.37/arch/powerpc/platforms/cell/iommu.c linux-2.6.37/arch/powerpc/platforms/cell/iommu.c
3234 --- linux-2.6.37/arch/powerpc/platforms/cell/iommu.c 2011-01-04 19:50:19.000000000 -0500
3235 +++ linux-2.6.37/arch/powerpc/platforms/cell/iommu.c 2011-01-17 02:41:00.000000000 -0500
3236 @@ -642,7 +642,7 @@ static int dma_fixed_dma_supported(struc
3237
3238 static int dma_set_mask_and_switch(struct device *dev, u64 dma_mask);
3239
3240 -struct dma_map_ops dma_iommu_fixed_ops = {
3241 +const struct dma_map_ops dma_iommu_fixed_ops = {
3242 .alloc_coherent = dma_fixed_alloc_coherent,
3243 .free_coherent = dma_fixed_free_coherent,
3244 .map_sg = dma_fixed_map_sg,
3245 diff -urNp linux-2.6.37/arch/powerpc/platforms/ps3/system-bus.c linux-2.6.37/arch/powerpc/platforms/ps3/system-bus.c
3246 --- linux-2.6.37/arch/powerpc/platforms/ps3/system-bus.c 2011-01-04 19:50:19.000000000 -0500
3247 +++ linux-2.6.37/arch/powerpc/platforms/ps3/system-bus.c 2011-01-17 02:41:00.000000000 -0500
3248 @@ -695,7 +695,7 @@ static int ps3_dma_supported(struct devi
3249 return mask >= DMA_BIT_MASK(32);
3250 }
3251
3252 -static struct dma_map_ops ps3_sb_dma_ops = {
3253 +static const struct dma_map_ops ps3_sb_dma_ops = {
3254 .alloc_coherent = ps3_alloc_coherent,
3255 .free_coherent = ps3_free_coherent,
3256 .map_sg = ps3_sb_map_sg,
3257 @@ -705,7 +705,7 @@ static struct dma_map_ops ps3_sb_dma_ops
3258 .unmap_page = ps3_unmap_page,
3259 };
3260
3261 -static struct dma_map_ops ps3_ioc0_dma_ops = {
3262 +static const struct dma_map_ops ps3_ioc0_dma_ops = {
3263 .alloc_coherent = ps3_alloc_coherent,
3264 .free_coherent = ps3_free_coherent,
3265 .map_sg = ps3_ioc0_map_sg,
3266 diff -urNp linux-2.6.37/arch/powerpc/platforms/pseries/suspend.c linux-2.6.37/arch/powerpc/platforms/pseries/suspend.c
3267 --- linux-2.6.37/arch/powerpc/platforms/pseries/suspend.c 2011-01-04 19:50:19.000000000 -0500
3268 +++ linux-2.6.37/arch/powerpc/platforms/pseries/suspend.c 2011-01-17 02:41:00.000000000 -0500
3269 @@ -153,7 +153,7 @@ static struct sysdev_class suspend_sysde
3270 .name = "power",
3271 };
3272
3273 -static struct platform_suspend_ops pseries_suspend_ops = {
3274 +static const struct platform_suspend_ops pseries_suspend_ops = {
3275 .valid = suspend_valid_only_mem,
3276 .begin = pseries_suspend_begin,
3277 .prepare_late = pseries_prepare_late,
3278 diff -urNp linux-2.6.37/arch/powerpc/sysdev/fsl_pmc.c linux-2.6.37/arch/powerpc/sysdev/fsl_pmc.c
3279 --- linux-2.6.37/arch/powerpc/sysdev/fsl_pmc.c 2011-01-04 19:50:19.000000000 -0500
3280 +++ linux-2.6.37/arch/powerpc/sysdev/fsl_pmc.c 2011-01-17 02:41:00.000000000 -0500
3281 @@ -53,7 +53,7 @@ static int pmc_suspend_valid(suspend_sta
3282 return 1;
3283 }
3284
3285 -static struct platform_suspend_ops pmc_suspend_ops = {
3286 +static const struct platform_suspend_ops pmc_suspend_ops = {
3287 .valid = pmc_suspend_valid,
3288 .enter = pmc_suspend_enter,
3289 };
3290 diff -urNp linux-2.6.37/arch/s390/include/asm/elf.h linux-2.6.37/arch/s390/include/asm/elf.h
3291 --- linux-2.6.37/arch/s390/include/asm/elf.h 2011-01-04 19:50:19.000000000 -0500
3292 +++ linux-2.6.37/arch/s390/include/asm/elf.h 2011-01-17 02:41:00.000000000 -0500
3293 @@ -163,6 +163,13 @@ extern unsigned int vdso_enabled;
3294 that it will "exec", and that there is sufficient room for the brk. */
3295 #define ELF_ET_DYN_BASE (STACK_TOP / 3 * 2)
3296
3297 +#ifdef CONFIG_PAX_ASLR
3298 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL)
3299 +
3300 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
3301 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
3302 +#endif
3303 +
3304 /* This yields a mask that user programs can use to figure out what
3305 instruction set this CPU supports. */
3306
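Review bot: The new PAX_DELTA_MMAP_LEN and PAX_DELTA_STACK_LEN values are bare numbers with no comment saying what they measure; presumably they are the number of random bits applied to the mmap and stack base (15 for 31-bit tasks, 26 for 64-bit), and a comment such as `/* bits of randomization applied to the mmap / stack base (31-bit : 64-bit tasks) */` would let a reviewer check them against the address-space size. The stray spaces in `26 )` on both lines should also go. The same undocumented constants appear in the sparc elf_32.h and elf_64.h hunks later in the patch.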
3307 diff -urNp linux-2.6.37/arch/s390/include/asm/uaccess.h linux-2.6.37/arch/s390/include/asm/uaccess.h
3308 --- linux-2.6.37/arch/s390/include/asm/uaccess.h 2011-01-04 19:50:19.000000000 -0500
3309 +++ linux-2.6.37/arch/s390/include/asm/uaccess.h 2011-01-17 02:41:00.000000000 -0500
3310 @@ -234,6 +234,10 @@ static inline unsigned long __must_check
3311 copy_to_user(void __user *to, const void *from, unsigned long n)
3312 {
3313 might_fault();
3314 +
3315 + if ((long)n < 0)
3316 + return n;
3317 +
3318 if (access_ok(VERIFY_WRITE, to, n))
3319 n = __copy_to_user(to, from, n);
3320 return n;
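Review bot: The new `(long)n < 0` guard rejects a length with the top bit set and returns `n` (nothing copied), but no comment explains that such a value is an overflowed or sign-extended size that would otherwise span most of the address space; suggest `/* a "negative" length is an overflowed size: refuse instead of copying */` above it. Since `access_ok()` on s390 presumably does not bound the range itself, this guard is the only size sanity check on the path, which is also worth stating. The same guard is added to __copy_from_user() and copy_from_user() in the next two hunks.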
3321 @@ -259,6 +263,9 @@ copy_to_user(void __user *to, const void
3322 static inline unsigned long __must_check
3323 __copy_from_user(void *to, const void __user *from, unsigned long n)
3324 {
3325 + if ((long)n < 0)
3326 + return n;
3327 +
3328 if (__builtin_constant_p(n) && (n <= 256))
3329 return uaccess.copy_from_user_small(n, from, to);
3330 else
3331 @@ -293,6 +300,10 @@ copy_from_user(void *to, const void __us
3332 unsigned int sz = __compiletime_object_size(to);
3333
3334 might_fault();
3335 +
3336 + if ((long)n < 0)
3337 + return n;
3338 +
3339 if (unlikely(sz != -1 && sz < n)) {
3340 copy_from_user_overflow();
3341 return n;
3342 diff -urNp linux-2.6.37/arch/s390/Kconfig linux-2.6.37/arch/s390/Kconfig
3343 --- linux-2.6.37/arch/s390/Kconfig 2011-01-04 19:50:19.000000000 -0500
3344 +++ linux-2.6.37/arch/s390/Kconfig 2011-01-17 02:41:00.000000000 -0500
3345 @@ -242,13 +242,12 @@ config AUDIT_ARCH
3346
3347 config S390_EXEC_PROTECT
3348 bool "Data execute protection"
3349 + default y
3350 help
3351 This option allows to enable a buffer overflow protection for user
3352 - space programs and it also selects the addressing mode option above.
3353 - The kernel parameter noexec=on will enable this feature and also
3354 - switch the addressing modes, default is disabled. Enabling this (via
3355 - kernel parameter) on machines earlier than IBM System z9 this will
3356 - reduce system performance.
3357 + space programs.
3358 + Enabling this (via kernel parameter) on machines earlier than IBM
3359 + System z9 will reduce system performance.
3360
3361 comment "Code generation options"
3362
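Review bot: The rewritten help text still says the feature is enabled "via kernel parameter", but the same patch deletes the `noexec=` early_param in arch/s390/kernel/setup.c and flips the `user_mode` default to SECONDARY_SPACE_MODE, so after this change the option is decided at build time and that phrase is stale. Suggest `Enabling this on machines earlier than IBM System z9 will reduce system performance.` and, if a boot-time opt-out via `user_mode=` remains, a sentence naming that option instead.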
3363 diff -urNp linux-2.6.37/arch/s390/kernel/module.c linux-2.6.37/arch/s390/kernel/module.c
3364 --- linux-2.6.37/arch/s390/kernel/module.c 2011-01-04 19:50:19.000000000 -0500
3365 +++ linux-2.6.37/arch/s390/kernel/module.c 2011-01-17 02:41:00.000000000 -0500
3366 @@ -168,11 +168,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
3367
3368 /* Increase core size by size of got & plt and set start
3369 offsets for got and plt. */
3370 - me->core_size = ALIGN(me->core_size, 4);
3371 - me->arch.got_offset = me->core_size;
3372 - me->core_size += me->arch.got_size;
3373 - me->arch.plt_offset = me->core_size;
3374 - me->core_size += me->arch.plt_size;
3375 + me->core_size_rw = ALIGN(me->core_size_rw, 4);
3376 + me->arch.got_offset = me->core_size_rw;
3377 + me->core_size_rw += me->arch.got_size;
3378 + me->arch.plt_offset = me->core_size_rx;
3379 + me->core_size_rx += me->arch.plt_size;
3380 return 0;
3381 }
3382
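Review bot: `me->arch.plt_offset` is now taken from `core_size_rx`, but only `core_size_rw` receives the `ALIGN(…, 4)` that the original applied to `core_size` before both offsets were derived, so the PLT start is aligned only if `core_size_rx` already happens to be. The PLT stubs that apply_rela() writes there are instruction words, so add `me->core_size_rx = ALIGN(me->core_size_rx, 4);` before `me->arch.plt_offset = me->core_size_rx;` unless the rx size is kept aligned by layout code elsewhere in the patch. module_frob_arch_sections() begins outside the hunk.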
3383 @@ -258,7 +258,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3384 if (info->got_initialized == 0) {
3385 Elf_Addr *gotent;
3386
3387 - gotent = me->module_core + me->arch.got_offset +
3388 + gotent = me->module_core_rw + me->arch.got_offset +
3389 info->got_offset;
3390 *gotent = val;
3391 info->got_initialized = 1;
3392 @@ -282,7 +282,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3393 else if (r_type == R_390_GOTENT ||
3394 r_type == R_390_GOTPLTENT)
3395 *(unsigned int *) loc =
3396 - (val + (Elf_Addr) me->module_core - loc) >> 1;
3397 + (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
3398 else if (r_type == R_390_GOT64 ||
3399 r_type == R_390_GOTPLT64)
3400 *(unsigned long *) loc = val;
3401 @@ -296,7 +296,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3402 case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
3403 if (info->plt_initialized == 0) {
3404 unsigned int *ip;
3405 - ip = me->module_core + me->arch.plt_offset +
3406 + ip = me->module_core_rx + me->arch.plt_offset +
3407 info->plt_offset;
3408 #ifndef CONFIG_64BIT
3409 ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
3410 @@ -321,7 +321,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3411 val - loc + 0xffffUL < 0x1ffffeUL) ||
3412 (r_type == R_390_PLT32DBL &&
3413 val - loc + 0xffffffffULL < 0x1fffffffeULL)))
3414 - val = (Elf_Addr) me->module_core +
3415 + val = (Elf_Addr) me->module_core_rx +
3416 me->arch.plt_offset +
3417 info->plt_offset;
3418 val += rela->r_addend - loc;
3419 @@ -343,7 +343,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3420 case R_390_GOTOFF32: /* 32 bit offset to GOT. */
3421 case R_390_GOTOFF64: /* 64 bit offset to GOT. */
3422 val = val + rela->r_addend -
3423 - ((Elf_Addr) me->module_core + me->arch.got_offset);
3424 + ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
3425 if (r_type == R_390_GOTOFF16)
3426 *(unsigned short *) loc = val;
3427 else if (r_type == R_390_GOTOFF32)
3428 @@ -353,7 +353,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3429 break;
3430 case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
3431 case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
3432 - val = (Elf_Addr) me->module_core + me->arch.got_offset +
3433 + val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
3434 rela->r_addend - loc;
3435 if (r_type == R_390_GOTPC)
3436 *(unsigned int *) loc = val;
3437 diff -urNp linux-2.6.37/arch/s390/kernel/setup.c linux-2.6.37/arch/s390/kernel/setup.c
3438 --- linux-2.6.37/arch/s390/kernel/setup.c 2011-01-04 19:50:19.000000000 -0500
3439 +++ linux-2.6.37/arch/s390/kernel/setup.c 2011-01-17 02:41:00.000000000 -0500
3440 @@ -281,7 +281,7 @@ static int __init early_parse_mem(char *
3441 }
3442 early_param("mem", early_parse_mem);
3443
3444 -unsigned int user_mode = HOME_SPACE_MODE;
3445 +unsigned int user_mode = SECONDARY_SPACE_MODE;
3446 EXPORT_SYMBOL_GPL(user_mode);
3447
3448 static int set_amode_and_uaccess(unsigned long user_amode,
3449 @@ -310,17 +310,6 @@ static int set_amode_and_uaccess(unsigne
3450 }
3451 }
3452
3453 -/*
3454 - * Switch kernel/user addressing modes?
3455 - */
3456 -static int __init early_parse_switch_amode(char *p)
3457 -{
3458 - if (user_mode != SECONDARY_SPACE_MODE)
3459 - user_mode = PRIMARY_SPACE_MODE;
3460 - return 0;
3461 -}
3462 -early_param("switch_amode", early_parse_switch_amode);
3463 -
3464 static int __init early_parse_user_mode(char *p)
3465 {
3466 if (p && strcmp(p, "primary") == 0)
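Review bot: Deleting the `switch_amode` handler here (and `noexec` in the next hunk) means those boot options now only trigger an unknown-parameter warning, and Documentation/kernel-parameters.txt still describes them if it is not updated elsewhere in the patch. A short comment above `early_parse_user_mode()`, e.g. `/* user_mode= is the only remaining switch for the addressing mode */`, would help anyone who finds the old options in a boot configuration. early_parse_user_mode() continues outside the hunk.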
3467 @@ -337,20 +326,6 @@ static int __init early_parse_user_mode(
3468 }
3469 early_param("user_mode", early_parse_user_mode);
3470
3471 -#ifdef CONFIG_S390_EXEC_PROTECT
3472 -/*
3473 - * Enable execute protection?
3474 - */
3475 -static int __init early_parse_noexec(char *p)
3476 -{
3477 - if (!strncmp(p, "off", 3))
3478 - return 0;
3479 - user_mode = SECONDARY_SPACE_MODE;
3480 - return 0;
3481 -}
3482 -early_param("noexec", early_parse_noexec);
3483 -#endif /* CONFIG_S390_EXEC_PROTECT */
3484 -
3485 static void setup_addressing_mode(void)
3486 {
3487 if (user_mode == SECONDARY_SPACE_MODE) {
3488 diff -urNp linux-2.6.37/arch/s390/mm/maccess.c linux-2.6.37/arch/s390/mm/maccess.c
3489 --- linux-2.6.37/arch/s390/mm/maccess.c 2011-01-04 19:50:19.000000000 -0500
3490 +++ linux-2.6.37/arch/s390/mm/maccess.c 2011-01-17 02:41:00.000000000 -0500
3491 @@ -45,7 +45,7 @@ static long probe_kernel_write_odd(void
3492 return rc ? rc : count;
3493 }
3494
3495 -long probe_kernel_write(void *dst, void *src, size_t size)
3496 +long probe_kernel_write(void *dst, const void *src, size_t size)
3497 {
3498 long copied = 0;
3499
3500 diff -urNp linux-2.6.37/arch/s390/mm/mmap.c linux-2.6.37/arch/s390/mm/mmap.c
3501 --- linux-2.6.37/arch/s390/mm/mmap.c 2011-01-04 19:50:19.000000000 -0500
3502 +++ linux-2.6.37/arch/s390/mm/mmap.c 2011-01-17 02:41:00.000000000 -0500
3503 @@ -78,10 +78,22 @@ void arch_pick_mmap_layout(struct mm_str
3504 */
3505 if (mmap_is_legacy()) {
3506 mm->mmap_base = TASK_UNMAPPED_BASE;
3507 +
3508 +#ifdef CONFIG_PAX_RANDMMAP
3509 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3510 + mm->mmap_base += mm->delta_mmap;
3511 +#endif
3512 +
3513 mm->get_unmapped_area = arch_get_unmapped_area;
3514 mm->unmap_area = arch_unmap_area;
3515 } else {
3516 mm->mmap_base = mmap_base();
3517 +
3518 +#ifdef CONFIG_PAX_RANDMMAP
3519 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3520 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3521 +#endif
3522 +
3523 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3524 mm->unmap_area = arch_unmap_area_topdown;
3525 }
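Review bot: Both new adjustments run after `mmap_base()` has returned, i.e. after its stack-gap clamp, so `delta_mmap + delta_stack` is subtracted on top of whatever maximum gap that function enforces and the clamp no longer bounds the total distance from the stack top; if the delta fields can reach 2^PAX_DELTA_*_LEN pages (presumably), folding them into the gap inside `mmap_base()` before it is clamped would keep the existing bound meaningful. The same two `#ifdef` blocks are duplicated verbatim in the second arch_pick_mmap_layout() hunk of this file, which a small static helper would avoid. arch_pick_mmap_layout() begins outside the hunk.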
3526 @@ -153,10 +165,22 @@ void arch_pick_mmap_layout(struct mm_str
3527 */
3528 if (mmap_is_legacy()) {
3529 mm->mmap_base = TASK_UNMAPPED_BASE;
3530 +
3531 +#ifdef CONFIG_PAX_RANDMMAP
3532 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3533 + mm->mmap_base += mm->delta_mmap;
3534 +#endif
3535 +
3536 mm->get_unmapped_area = s390_get_unmapped_area;
3537 mm->unmap_area = arch_unmap_area;
3538 } else {
3539 mm->mmap_base = mmap_base();
3540 +
3541 +#ifdef CONFIG_PAX_RANDMMAP
3542 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3543 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3544 +#endif
3545 +
3546 mm->get_unmapped_area = s390_get_unmapped_area_topdown;
3547 mm->unmap_area = arch_unmap_area_topdown;
3548 }
3549 diff -urNp linux-2.6.37/arch/score/include/asm/system.h linux-2.6.37/arch/score/include/asm/system.h
3550 --- linux-2.6.37/arch/score/include/asm/system.h 2011-01-04 19:50:19.000000000 -0500
3551 +++ linux-2.6.37/arch/score/include/asm/system.h 2011-01-17 02:41:00.000000000 -0500
3552 @@ -17,7 +17,7 @@ do { \
3553 #define finish_arch_switch(prev) do {} while (0)
3554
3555 typedef void (*vi_handler_t)(void);
3556 -extern unsigned long arch_align_stack(unsigned long sp);
3557 +#define arch_align_stack(x) (x)
3558
3559 #define mb() barrier()
3560 #define rmb() barrier()
3561 diff -urNp linux-2.6.37/arch/score/kernel/process.c linux-2.6.37/arch/score/kernel/process.c
3562 --- linux-2.6.37/arch/score/kernel/process.c 2011-01-04 19:50:19.000000000 -0500
3563 +++ linux-2.6.37/arch/score/kernel/process.c 2011-01-17 02:41:00.000000000 -0500
3564 @@ -161,8 +161,3 @@ unsigned long get_wchan(struct task_stru
3565
3566 return task_pt_regs(task)->cp0_epc;
3567 }
3568 -
3569 -unsigned long arch_align_stack(unsigned long sp)
3570 -{
3571 - return sp;
3572 -}
3573 diff -urNp linux-2.6.37/arch/sh/boards/mach-hp6xx/pm.c linux-2.6.37/arch/sh/boards/mach-hp6xx/pm.c
3574 --- linux-2.6.37/arch/sh/boards/mach-hp6xx/pm.c 2011-01-04 19:50:19.000000000 -0500
3575 +++ linux-2.6.37/arch/sh/boards/mach-hp6xx/pm.c 2011-01-17 02:41:00.000000000 -0500
3576 @@ -143,7 +143,7 @@ static int hp6x0_pm_enter(suspend_state_
3577 return 0;
3578 }
3579
3580 -static struct platform_suspend_ops hp6x0_pm_ops = {
3581 +static const struct platform_suspend_ops hp6x0_pm_ops = {
3582 .enter = hp6x0_pm_enter,
3583 .valid = suspend_valid_only_mem,
3584 };
3585 diff -urNp linux-2.6.37/arch/sh/include/asm/dma-mapping.h linux-2.6.37/arch/sh/include/asm/dma-mapping.h
3586 --- linux-2.6.37/arch/sh/include/asm/dma-mapping.h 2011-01-04 19:50:19.000000000 -0500
3587 +++ linux-2.6.37/arch/sh/include/asm/dma-mapping.h 2011-01-17 02:41:00.000000000 -0500
3588 @@ -1,10 +1,10 @@
3589 #ifndef __ASM_SH_DMA_MAPPING_H
3590 #define __ASM_SH_DMA_MAPPING_H
3591
3592 -extern struct dma_map_ops *dma_ops;
3593 +extern const struct dma_map_ops *dma_ops;
3594 extern void no_iommu_init(void);
3595
3596 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3597 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3598 {
3599 return dma_ops;
3600 }
3601 @@ -14,7 +14,7 @@ static inline struct dma_map_ops *get_dm
3602
3603 static inline int dma_supported(struct device *dev, u64 mask)
3604 {
3605 - struct dma_map_ops *ops = get_dma_ops(dev);
3606 + const struct dma_map_ops *ops = get_dma_ops(dev);
3607
3608 if (ops->dma_supported)
3609 return ops->dma_supported(dev, mask);
3610 @@ -24,7 +24,7 @@ static inline int dma_supported(struct d
3611
3612 static inline int dma_set_mask(struct device *dev, u64 mask)
3613 {
3614 - struct dma_map_ops *ops = get_dma_ops(dev);
3615 + const struct dma_map_ops *ops = get_dma_ops(dev);
3616
3617 if (!dev->dma_mask || !dma_supported(dev, mask))
3618 return -EIO;
3619 @@ -44,7 +44,7 @@ void dma_cache_sync(struct device *dev,
3620
3621 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
3622 {
3623 - struct dma_map_ops *ops = get_dma_ops(dev);
3624 + const struct dma_map_ops *ops = get_dma_ops(dev);
3625
3626 if (ops->mapping_error)
3627 return ops->mapping_error(dev, dma_addr);
3628 @@ -55,7 +55,7 @@ static inline int dma_mapping_error(stru
3629 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3630 dma_addr_t *dma_handle, gfp_t gfp)
3631 {
3632 - struct dma_map_ops *ops = get_dma_ops(dev);
3633 + const struct dma_map_ops *ops = get_dma_ops(dev);
3634 void *memory;
3635
3636 if (dma_alloc_from_coherent(dev, size, dma_handle, &memory))
3637 @@ -72,7 +72,7 @@ static inline void *dma_alloc_coherent(s
3638 static inline void dma_free_coherent(struct device *dev, size_t size,
3639 void *vaddr, dma_addr_t dma_handle)
3640 {
3641 - struct dma_map_ops *ops = get_dma_ops(dev);
3642 + const struct dma_map_ops *ops = get_dma_ops(dev);
3643
3644 if (dma_release_from_coherent(dev, get_order(size), vaddr))
3645 return;
3646 diff -urNp linux-2.6.37/arch/sh/kernel/cpu/shmobile/pm.c linux-2.6.37/arch/sh/kernel/cpu/shmobile/pm.c
3647 --- linux-2.6.37/arch/sh/kernel/cpu/shmobile/pm.c 2011-01-04 19:50:19.000000000 -0500
3648 +++ linux-2.6.37/arch/sh/kernel/cpu/shmobile/pm.c 2011-01-17 02:41:00.000000000 -0500
3649 @@ -141,7 +141,7 @@ static int sh_pm_enter(suspend_state_t s
3650 return 0;
3651 }
3652
3653 -static struct platform_suspend_ops sh_pm_ops = {
3654 +static const struct platform_suspend_ops sh_pm_ops = {
3655 .enter = sh_pm_enter,
3656 .valid = suspend_valid_only_mem,
3657 };
3658 diff -urNp linux-2.6.37/arch/sh/kernel/dma-nommu.c linux-2.6.37/arch/sh/kernel/dma-nommu.c
3659 --- linux-2.6.37/arch/sh/kernel/dma-nommu.c 2011-01-04 19:50:19.000000000 -0500
3660 +++ linux-2.6.37/arch/sh/kernel/dma-nommu.c 2011-01-17 02:41:00.000000000 -0500
3661 @@ -62,7 +62,7 @@ static void nommu_sync_sg(struct device
3662 }
3663 #endif
3664
3665 -struct dma_map_ops nommu_dma_ops = {
3666 +const struct dma_map_ops nommu_dma_ops = {
3667 .alloc_coherent = dma_generic_alloc_coherent,
3668 .free_coherent = dma_generic_free_coherent,
3669 .map_page = nommu_map_page,
3670 diff -urNp linux-2.6.37/arch/sh/kernel/kgdb.c linux-2.6.37/arch/sh/kernel/kgdb.c
3671 --- linux-2.6.37/arch/sh/kernel/kgdb.c 2011-01-04 19:50:19.000000000 -0500
3672 +++ linux-2.6.37/arch/sh/kernel/kgdb.c 2011-01-17 02:41:00.000000000 -0500
3673 @@ -319,7 +319,7 @@ void kgdb_arch_exit(void)
3674 unregister_die_notifier(&kgdb_notifier);
3675 }
3676
3677 -struct kgdb_arch arch_kgdb_ops = {
3678 +const struct kgdb_arch arch_kgdb_ops = {
3679 /* Breakpoint instruction: trapa #0x3c */
3680 #ifdef CONFIG_CPU_LITTLE_ENDIAN
3681 .gdb_bpt_instr = { 0x3c, 0xc3 },
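Review bot: `arch_kgdb_ops` is a non-static object consumed by the generic kgdb core, which declares it as `extern struct kgdb_arch arch_kgdb_ops;` in include/linux/kgdb.h; unless that declaration is also made const elsewhere in the patch, this definition conflicts with it. The same check applies to the other exported ops tables constified in this patch (for example `dma_iommu_fixed_ops` and `nommu_dma_ops`): every extern declaration and every writer of the object has to change with the definition, not just the definition.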
3682 diff -urNp linux-2.6.37/arch/sh/mm/consistent.c linux-2.6.37/arch/sh/mm/consistent.c
3683 --- linux-2.6.37/arch/sh/mm/consistent.c 2011-01-04 19:50:19.000000000 -0500
3684 +++ linux-2.6.37/arch/sh/mm/consistent.c 2011-01-17 02:41:00.000000000 -0500
3685 @@ -22,7 +22,7 @@
3686
3687 #define PREALLOC_DMA_DEBUG_ENTRIES 4096
3688
3689 -struct dma_map_ops *dma_ops;
3690 +const struct dma_map_ops *dma_ops;
3691 EXPORT_SYMBOL(dma_ops);
3692
3693 static int __init dma_init(void)
3694 diff -urNp linux-2.6.37/arch/sh/mm/mmap.c linux-2.6.37/arch/sh/mm/mmap.c
3695 --- linux-2.6.37/arch/sh/mm/mmap.c 2011-01-04 19:50:19.000000000 -0500
3696 +++ linux-2.6.37/arch/sh/mm/mmap.c 2011-01-17 02:41:00.000000000 -0500
3697 @@ -74,8 +74,7 @@ unsigned long arch_get_unmapped_area(str
3698 addr = PAGE_ALIGN(addr);
3699
3700 vma = find_vma(mm, addr);
3701 - if (TASK_SIZE - len >= addr &&
3702 - (!vma || addr + len <= vma->vm_start))
3703 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3704 return addr;
3705 }
3706
3707 @@ -106,7 +105,7 @@ full_search:
3708 }
3709 return -ENOMEM;
3710 }
3711 - if (likely(!vma || addr + len <= vma->vm_start)) {
3712 + if (likely(check_heap_stack_gap(vma, addr, len))) {
3713 /*
3714 * Remember the place where we stopped the search:
3715 */
3716 @@ -157,8 +156,7 @@ arch_get_unmapped_area_topdown(struct fi
3717 addr = PAGE_ALIGN(addr);
3718
3719 vma = find_vma(mm, addr);
3720 - if (TASK_SIZE - len >= addr &&
3721 - (!vma || addr + len <= vma->vm_start))
3722 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3723 return addr;
3724 }
3725
3726 @@ -179,7 +177,7 @@ arch_get_unmapped_area_topdown(struct fi
3727 /* make sure it can fit in the remaining address space */
3728 if (likely(addr > len)) {
3729 vma = find_vma(mm, addr-len);
3730 - if (!vma || addr <= vma->vm_start) {
3731 + if (check_heap_stack_gap(vma, addr - len, len)) {
3732 /* remember the address as a hint for next time */
3733 return (mm->free_area_cache = addr-len);
3734 }
3735 @@ -199,7 +197,7 @@ arch_get_unmapped_area_topdown(struct fi
3736 * return with success:
3737 */
3738 vma = find_vma(mm, addr);
3739 - if (likely(!vma || addr+len <= vma->vm_start)) {
3740 + if (likely(check_heap_stack_gap(vma, addr, len))) {
3741 /* remember the address as a hint for next time */
3742 return (mm->free_area_cache = addr);
3743 }
3744 diff -urNp linux-2.6.37/arch/sparc/include/asm/atomic_64.h linux-2.6.37/arch/sparc/include/asm/atomic_64.h
3745 --- linux-2.6.37/arch/sparc/include/asm/atomic_64.h 2011-01-04 19:50:19.000000000 -0500
3746 +++ linux-2.6.37/arch/sparc/include/asm/atomic_64.h 2011-01-17 02:41:00.000000000 -0500
3747 @@ -14,18 +14,40 @@
3748 #define ATOMIC64_INIT(i) { (i) }
3749
3750 #define atomic_read(v) (*(volatile int *)&(v)->counter)
3751 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
3752 +{
3753 + return v->counter;
3754 +}
3755 #define atomic64_read(v) (*(volatile long *)&(v)->counter)
3756 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
3757 +{
3758 + return v->counter;
3759 +}
3760
3761 #define atomic_set(v, i) (((v)->counter) = i)
3762 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
3763 +{
3764 + v->counter = i;
3765 +}
3766 #define atomic64_set(v, i) (((v)->counter) = i)
3767 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
3768 +{
3769 + v->counter = i;
3770 +}
3771
3772 extern void atomic_add(int, atomic_t *);
3773 +extern void atomic_add_unchecked(int, atomic_unchecked_t *);
3774 extern void atomic64_add(long, atomic64_t *);
3775 +extern void atomic64_add_unchecked(long, atomic64_unchecked_t *);
3776 extern void atomic_sub(int, atomic_t *);
3777 +extern void atomic_sub_unchecked(int, atomic_unchecked_t *);
3778 extern void atomic64_sub(long, atomic64_t *);
3779 +extern void atomic64_sub_unchecked(long, atomic64_unchecked_t *);
3780
3781 extern int atomic_add_ret(int, atomic_t *);
3782 +extern int atomic_add_ret_unchecked(int, atomic_unchecked_t *);
3783 extern long atomic64_add_ret(long, atomic64_t *);
3784 +extern long atomic64_add_ret_unchecked(long, atomic64_unchecked_t *);
3785 extern int atomic_sub_ret(int, atomic_t *);
3786 extern long atomic64_sub_ret(long, atomic64_t *);
3787
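Review bot: `atomic_read_unchecked()` and `atomic64_read_unchecked()` return `v->counter` through a plain load, whereas the `atomic_read`/`atomic64_read` macros directly above them read via `*(volatile int *)&(v)->counter`; the unchecked variants can therefore be hoisted out of a polling loop by the compiler, which the checked ones cannot. Use the same volatile access, `return (*(volatile int *)&v->counter);` and `return (*(volatile long *)&v->counter);`, so both families have identical read semantics.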
3788 @@ -33,12 +55,24 @@ extern long atomic64_sub_ret(long, atomi
3789 #define atomic64_dec_return(v) atomic64_sub_ret(1, v)
3790
3791 #define atomic_inc_return(v) atomic_add_ret(1, v)
3792 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
3793 +{
3794 + return atomic_add_ret_unchecked(1, v);
3795 +}
3796 #define atomic64_inc_return(v) atomic64_add_ret(1, v)
3797 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
3798 +{
3799 + return atomic64_add_ret_unchecked(1, v);
3800 +}
3801
3802 #define atomic_sub_return(i, v) atomic_sub_ret(i, v)
3803 #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v)
3804
3805 #define atomic_add_return(i, v) atomic_add_ret(i, v)
3806 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
3807 +{
3808 + return atomic_add_ret_unchecked(i, v);
3809 +}
3810 #define atomic64_add_return(i, v) atomic64_add_ret(i, v)
3811
3812 /*
3813 @@ -59,10 +93,26 @@ extern long atomic64_sub_ret(long, atomi
3814 #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0)
3815
3816 #define atomic_inc(v) atomic_add(1, v)
3817 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
3818 +{
3819 + atomic_add_unchecked(1, v);
3820 +}
3821 #define atomic64_inc(v) atomic64_add(1, v)
3822 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
3823 +{
3824 + atomic64_add_unchecked(1, v);
3825 +}
3826
3827 #define atomic_dec(v) atomic_sub(1, v)
3828 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
3829 +{
3830 + atomic_sub_unchecked(1, v);
3831 +}
3832 #define atomic64_dec(v) atomic64_sub(1, v)
3833 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
3834 +{
3835 + atomic64_sub_unchecked(1, v);
3836 +}
3837
3838 #define atomic_add_negative(i, v) (atomic_add_ret(i, v) < 0)
3839 #define atomic64_add_negative(i, v) (atomic64_add_ret(i, v) < 0)
3840 @@ -72,17 +122,28 @@ extern long atomic64_sub_ret(long, atomi
3841
3842 static inline int atomic_add_unless(atomic_t *v, int a, int u)
3843 {
3844 - int c, old;
3845 + int c, old, new;
3846 c = atomic_read(v);
3847 for (;;) {
3848 - if (unlikely(c == (u)))
3849 + if (unlikely(c == u))
3850 break;
3851 - old = atomic_cmpxchg((v), c, c + (a));
3852 +
3853 + asm volatile("addcc %2, %0, %0\n"
3854 +
3855 +#ifdef CONFIG_PAX_REFCOUNT
3856 + "tvs %%icc, 6\n"
3857 +#endif
3858 +
3859 + : "=r" (new)
3860 + : "0" (c), "ir" (a)
3861 + : "cc");
3862 +
3863 + old = atomic_cmpxchg(v, c, new);
3864 if (likely(old == c))
3865 break;
3866 c = old;
3867 }
3868 - return c != (u);
3869 + return c != u;
3870 }
3871
3872 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
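Review bot: The `"ir" (a)` constraint on the new `addcc` lets the compiler emit any constant as an immediate, but SPARC `addcc` only accepts a signed 13-bit immediate, so a call with a constant `a` outside that range would be rejected by the assembler rather than loaded into a register. The kernel's sparc inline asm uses `"rI"` for this operand; change the line to `: "0" (c), "rI" (a)` here and in the atomic64_add_unless() hunk that follows. The `tvs %%icc, 6` overflow trap also presumes a handler for software trap 6 installed elsewhere in the patch, which is not visible here.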
3873 @@ -93,17 +154,28 @@ static inline int atomic_add_unless(atom
3874
3875 static inline long atomic64_add_unless(atomic64_t *v, long a, long u)
3876 {
3877 - long c, old;
3878 + long c, old, new;
3879 c = atomic64_read(v);
3880 for (;;) {
3881 - if (unlikely(c == (u)))
3882 + if (unlikely(c == u))
3883 break;
3884 - old = atomic64_cmpxchg((v), c, c + (a));
3885 +
3886 + asm volatile("addcc %2, %0, %0\n"
3887 +
3888 +#ifdef CONFIG_PAX_REFCOUNT
3889 + "tvs %%xcc, 6\n"
3890 +#endif
3891 +
3892 + : "=r" (new)
3893 + : "0" (c), "ir" (a)
3894 + : "cc");
3895 +
3896 + old = atomic64_cmpxchg(v, c, new);
3897 if (likely(old == c))
3898 break;
3899 c = old;
3900 }
3901 - return c != (u);
3902 + return c != u;
3903 }
3904
3905 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
3906 diff -urNp linux-2.6.37/arch/sparc/include/asm/dma-mapping.h linux-2.6.37/arch/sparc/include/asm/dma-mapping.h
3907 --- linux-2.6.37/arch/sparc/include/asm/dma-mapping.h 2011-01-04 19:50:19.000000000 -0500
3908 +++ linux-2.6.37/arch/sparc/include/asm/dma-mapping.h 2011-01-17 02:41:00.000000000 -0500
3909 @@ -12,10 +12,10 @@ extern int dma_supported(struct device *
3910 #define dma_alloc_noncoherent(d, s, h, f) dma_alloc_coherent(d, s, h, f)
3911 #define dma_free_noncoherent(d, s, v, h) dma_free_coherent(d, s, v, h)
3912
3913 -extern struct dma_map_ops *dma_ops, pci32_dma_ops;
3914 +extern const struct dma_map_ops *dma_ops, pci32_dma_ops;
3915 extern struct bus_type pci_bus_type;
3916
3917 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3918 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3919 {
3920 #if defined(CONFIG_SPARC32) && defined(CONFIG_PCI)
3921 if (dev->bus == &pci_bus_type)
3922 @@ -29,7 +29,7 @@ static inline struct dma_map_ops *get_dm
3923 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3924 dma_addr_t *dma_handle, gfp_t flag)
3925 {
3926 - struct dma_map_ops *ops = get_dma_ops(dev);
3927 + const struct dma_map_ops *ops = get_dma_ops(dev);
3928 void *cpu_addr;
3929
3930 cpu_addr = ops->alloc_coherent(dev, size, dma_handle, flag);
3931 @@ -40,7 +40,7 @@ static inline void *dma_alloc_coherent(s
3932 static inline void dma_free_coherent(struct device *dev, size_t size,
3933 void *cpu_addr, dma_addr_t dma_handle)
3934 {
3935 - struct dma_map_ops *ops = get_dma_ops(dev);
3936 + const struct dma_map_ops *ops = get_dma_ops(dev);
3937
3938 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
3939 ops->free_coherent(dev, size, cpu_addr, dma_handle);
3940 diff -urNp linux-2.6.37/arch/sparc/include/asm/elf_32.h linux-2.6.37/arch/sparc/include/asm/elf_32.h
3941 --- linux-2.6.37/arch/sparc/include/asm/elf_32.h 2011-01-04 19:50:19.000000000 -0500
3942 +++ linux-2.6.37/arch/sparc/include/asm/elf_32.h 2011-01-17 02:41:00.000000000 -0500
3943 @@ -114,6 +114,13 @@ typedef struct {
3944
3945 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
3946
3947 +#ifdef CONFIG_PAX_ASLR
3948 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
3949 +
3950 +#define PAX_DELTA_MMAP_LEN 16
3951 +#define PAX_DELTA_STACK_LEN 16
3952 +#endif
3953 +
3954 /* This yields a mask that user programs can use to figure out what
3955 instruction set this cpu supports. This can NOT be done in userspace
3956 on Sparc. */
3957 diff -urNp linux-2.6.37/arch/sparc/include/asm/elf_64.h linux-2.6.37/arch/sparc/include/asm/elf_64.h
3958 --- linux-2.6.37/arch/sparc/include/asm/elf_64.h 2011-01-04 19:50:19.000000000 -0500
3959 +++ linux-2.6.37/arch/sparc/include/asm/elf_64.h 2011-01-17 02:41:00.000000000 -0500
3960 @@ -162,6 +162,12 @@ typedef struct {
3961 #define ELF_ET_DYN_BASE 0x0000010000000000UL
3962 #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL
3963
3964 +#ifdef CONFIG_PAX_ASLR
3965 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
3966 +
3967 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28)
3968 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29)
3969 +#endif
3970
3971 /* This yields a mask that user programs can use to figure out what
3972 instruction set this cpu supports. */
3973 diff -urNp linux-2.6.37/arch/sparc/include/asm/pgtable_32.h linux-2.6.37/arch/sparc/include/asm/pgtable_32.h
3974 --- linux-2.6.37/arch/sparc/include/asm/pgtable_32.h 2011-01-04 19:50:19.000000000 -0500
3975 +++ linux-2.6.37/arch/sparc/include/asm/pgtable_32.h 2011-01-17 02:41:00.000000000 -0500
3976 @@ -43,6 +43,13 @@ BTFIXUPDEF_SIMM13(user_ptrs_per_pgd)
3977 BTFIXUPDEF_INT(page_none)
3978 BTFIXUPDEF_INT(page_copy)
3979 BTFIXUPDEF_INT(page_readonly)
3980 +
3981 +#ifdef CONFIG_PAX_PAGEEXEC
3982 +BTFIXUPDEF_INT(page_shared_noexec)
3983 +BTFIXUPDEF_INT(page_copy_noexec)
3984 +BTFIXUPDEF_INT(page_readonly_noexec)
3985 +#endif
3986 +
3987 BTFIXUPDEF_INT(page_kernel)
3988
3989 #define PMD_SHIFT SUN4C_PMD_SHIFT
3990 @@ -64,6 +71,16 @@ extern pgprot_t PAGE_SHARED;
3991 #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
3992 #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
3993
3994 +#ifdef CONFIG_PAX_PAGEEXEC
3995 +extern pgprot_t PAGE_SHARED_NOEXEC;
3996 +# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
3997 +# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
3998 +#else
3999 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
4000 +# define PAGE_COPY_NOEXEC PAGE_COPY
4001 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
4002 +#endif
4003 +
4004 extern unsigned long page_kernel;
4005
4006 #ifdef MODULE
4007 diff -urNp linux-2.6.37/arch/sparc/include/asm/pgtsrmmu.h linux-2.6.37/arch/sparc/include/asm/pgtsrmmu.h
4008 --- linux-2.6.37/arch/sparc/include/asm/pgtsrmmu.h 2011-01-04 19:50:19.000000000 -0500
4009 +++ linux-2.6.37/arch/sparc/include/asm/pgtsrmmu.h 2011-01-17 02:41:00.000000000 -0500
4010 @@ -115,6 +115,13 @@
4011 SRMMU_EXEC | SRMMU_REF)
4012 #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
4013 SRMMU_EXEC | SRMMU_REF)
4014 +
4015 +#ifdef CONFIG_PAX_PAGEEXEC
4016 +#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF)
4017 +#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
4018 +#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
4019 +#endif
4020 +
4021 #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
4022 SRMMU_DIRTY | SRMMU_REF)
4023
4024 diff -urNp linux-2.6.37/arch/sparc/include/asm/spinlock_64.h linux-2.6.37/arch/sparc/include/asm/spinlock_64.h
4025 --- linux-2.6.37/arch/sparc/include/asm/spinlock_64.h 2011-01-04 19:50:19.000000000 -0500
4026 +++ linux-2.6.37/arch/sparc/include/asm/spinlock_64.h 2011-01-17 02:41:00.000000000 -0500
4027 @@ -99,7 +99,12 @@ static void inline arch_read_lock(arch_r
4028 __asm__ __volatile__ (
4029 "1: ldsw [%2], %0\n"
4030 " brlz,pn %0, 2f\n"
4031 -"4: add %0, 1, %1\n"
4032 +"4: addcc %0, 1, %1\n"
4033 +
4034 +#ifdef CONFIG_PAX_REFCOUNT
4035 +" tvs %%icc, 6\n"
4036 +#endif
4037 +
4038 " cas [%2], %0, %1\n"
4039 " cmp %0, %1\n"
4040 " bne,pn %%icc, 1b\n"
4041 @@ -112,7 +117,7 @@ static void inline arch_read_lock(arch_r
4042 " .previous"
4043 : "=&r" (tmp1), "=&r" (tmp2)
4044 : "r" (lock)
4045 - : "memory");
4046 + : "memory", "cc");
4047 }
4048
4049 static int inline arch_read_trylock(arch_rwlock_t *lock)
4050 @@ -123,7 +128,12 @@ static int inline arch_read_trylock(arch
4051 "1: ldsw [%2], %0\n"
4052 " brlz,a,pn %0, 2f\n"
4053 " mov 0, %0\n"
4054 -" add %0, 1, %1\n"
4055 +" addcc %0, 1, %1\n"
4056 +
4057 +#ifdef CONFIG_PAX_REFCOUNT
4058 +" tvs %%icc, 6\n"
4059 +#endif
4060 +
4061 " cas [%2], %0, %1\n"
4062 " cmp %0, %1\n"
4063 " bne,pn %%icc, 1b\n"
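Review bot: `addcc` now sets the integer condition codes, and the arch_read_lock asm above gained a matching `"cc"` clobber for exactly that reason, but this arch_read_trylock hunk and the arch_read_unlock hunk below change `add`/`sub` to `addcc`/`subcc` without a visible clobber change; their clobber lists lie outside the hunks, so confirm they were updated too. Whatever the compiler does with `"cc"` on this target, the three routines should declare it consistently so the next reader does not have to wonder which one is wrong. The trap number in `tvs %%icc, 6` is also a bare magic value repeated in atomic_64.S and matched by `lvl == 6` in traps_64.c; a shared named constant (e.g. a `PAX_REFCOUNT_TRAP` placeholder defined once) would tie the producer and the handler together.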
4064 @@ -142,7 +152,12 @@ static void inline arch_read_unlock(arch
4065
4066 __asm__ __volatile__(
4067 "1: lduw [%2], %0\n"
4068 -" sub %0, 1, %1\n"
4069 +" subcc %0, 1, %1\n"
4070 +
4071 +#ifdef CONFIG_PAX_REFCOUNT
4072 +" tvs %%icc, 6\n"
4073 +#endif
4074 +
4075 " cas [%2], %0, %1\n"
4076 " cmp %0, %1\n"
4077 " bne,pn %%xcc, 1b\n"
4078 diff -urNp linux-2.6.37/arch/sparc/include/asm/uaccess_32.h linux-2.6.37/arch/sparc/include/asm/uaccess_32.h
4079 --- linux-2.6.37/arch/sparc/include/asm/uaccess_32.h 2011-01-04 19:50:19.000000000 -0500
4080 +++ linux-2.6.37/arch/sparc/include/asm/uaccess_32.h 2011-01-17 02:41:00.000000000 -0500
4081 @@ -249,27 +249,46 @@ extern unsigned long __copy_user(void __
4082
4083 static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
4084 {
4085 - if (n && __access_ok((unsigned long) to, n))
4086 + if ((long)n < 0)
4087 + return n;
4088 +
4089 + if (n && __access_ok((unsigned long) to, n)) {
4090 + if (!__builtin_constant_p(n))
4091 + check_object_size(from, n, true);
4092 return __copy_user(to, (__force void __user *) from, n);
4093 - else
4094 + } else
4095 return n;
4096 }
4097
4098 static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
4099 {
4100 + if ((long)n < 0)
4101 + return n;
4102 +
4103 + if (!__builtin_constant_p(n))
4104 + check_object_size(from, n, true);
4105 +
4106 return __copy_user(to, (__force void __user *) from, n);
4107 }
4108
4109 static inline unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
4110 {
4111 - if (n && __access_ok((unsigned long) from, n))
4112 + if ((long)n < 0)
4113 + return n;
4114 +
4115 + if (n && __access_ok((unsigned long) from, n)) {
4116 + if (!__builtin_constant_p(n))
4117 + check_object_size(to, n, false);
4118 return __copy_user((__force void __user *) to, from, n);
4119 - else
4120 + } else
4121 return n;
4122 }
4123
4124 static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
4125 {
4126 + if ((long)n < 0)
4127 + return n;
4128 +
4129 return __copy_user((__force void __user *) to, from, n);
4130 }
4131
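Review bot: `__copy_from_user` gains only the negative-length guard, while `__copy_to_user` gains both the guard and the `check_object_size` call, so a non-constant-length copy into a kernel object through `__copy_from_user` is left unchecked although the same copy through `copy_from_user` is checked. If that asymmetry is intended (for example because every `__copy_from_user` caller has already validated the destination), a one-line comment should say so; otherwise insert `if (!__builtin_constant_p(n)) check_object_size(to, n, false);` before the `__copy_user` call, mirroring `copy_from_user` above. The `(long)n < 0` guard returns the full length as "bytes not copied", which matches the existing failure path, but a short comment such as `/* length too large to be a valid user copy; treat as a complete failure */` would make the choice explicit.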
4132 diff -urNp linux-2.6.37/arch/sparc/include/asm/uaccess_64.h linux-2.6.37/arch/sparc/include/asm/uaccess_64.h
4133 --- linux-2.6.37/arch/sparc/include/asm/uaccess_64.h 2011-01-04 19:50:19.000000000 -0500
4134 +++ linux-2.6.37/arch/sparc/include/asm/uaccess_64.h 2011-01-17 02:41:00.000000000 -0500
4135 @@ -10,6 +10,7 @@
4136 #include <linux/compiler.h>
4137 #include <linux/string.h>
4138 #include <linux/thread_info.h>
4139 +#include <linux/kernel.h>
4140 #include <asm/asi.h>
4141 #include <asm/system.h>
4142 #include <asm/spitfire.h>
4143 @@ -213,8 +214,15 @@ extern unsigned long copy_from_user_fixu
4144 static inline unsigned long __must_check
4145 copy_from_user(void *to, const void __user *from, unsigned long size)
4146 {
4147 - unsigned long ret = ___copy_from_user(to, from, size);
4148 + unsigned long ret;
4149
4150 + if ((long)size < 0 || size > INT_MAX)
4151 + return size;
4152 +
4153 + if (!__builtin_constant_p(size))
4154 + check_object_size(to, size, false);
4155 +
4156 + ret = ___copy_from_user(to, from, size);
4157 if (unlikely(ret))
4158 ret = copy_from_user_fixup(to, from, size);
4159
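Review bot: In `copy_from_user` the test `(long)size < 0` is implied by `size > INT_MAX` (any 64-bit `unsigned long` with the top bit set already exceeds INT_MAX), so the guard can read `if (size > INT_MAX) return size;`; the same applies to `copy_to_user` in the next hunk. The INT_MAX ceiling itself is not explained — presumably it is bounded by how `___copy_from_user`/`copy_from_user_fixup` treat the length, which is outside this hunk — and the sparc32 variant in uaccess_32.h uses only the sign test, so the two arches disagree on the bound; a comment naming the reason for INT_MAX would resolve that. Note that the early return skips `copy_from_user_fixup` entirely, so the caller sees `ret == size` with the destination untouched, which is the existing failure semantics.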
4160 @@ -230,8 +238,15 @@ extern unsigned long copy_to_user_fixup(
4161 static inline unsigned long __must_check
4162 copy_to_user(void __user *to, const void *from, unsigned long size)
4163 {
4164 - unsigned long ret = ___copy_to_user(to, from, size);
4165 + unsigned long ret;
4166 +
4167 + if ((long)size < 0 || size > INT_MAX)
4168 + return size;
4169 +
4170 + if (!__builtin_constant_p(size))
4171 + check_object_size(from, size, true);
4172
4173 + ret = ___copy_to_user(to, from, size);
4174 if (unlikely(ret))
4175 ret = copy_to_user_fixup(to, from, size);
4176 return ret;
4177 diff -urNp linux-2.6.37/arch/sparc/include/asm/uaccess.h linux-2.6.37/arch/sparc/include/asm/uaccess.h
4178 --- linux-2.6.37/arch/sparc/include/asm/uaccess.h 2011-01-04 19:50:19.000000000 -0500
4179 +++ linux-2.6.37/arch/sparc/include/asm/uaccess.h 2011-01-17 02:41:00.000000000 -0500
4180 @@ -1,5 +1,13 @@
4181 #ifndef ___ASM_SPARC_UACCESS_H
4182 #define ___ASM_SPARC_UACCESS_H
4183 +
4184 +#ifdef __KERNEL__
4185 +#ifndef __ASSEMBLY__
4186 +#include <linux/types.h>
4187 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
4188 +#endif
4189 +#endif
4190 +
4191 #if defined(__sparc__) && defined(__arch64__)
4192 #include <asm/uaccess_64.h>
4193 #else
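Review bot: The `check_object_size` prototype is declared for every kernel configuration, so each configuration must provide a definition (a no-op stub when the object-size hardening is compiled out) or the new callers in uaccess_32.h and uaccess_64.h fail to link; that definition is outside this hunk and should be referenced here. The `bool to` parameter is undocumented; from the callers on this page it is `true` when the kernel object is the copy source (copy_to_user) and `false` when it is the destination (copy_from_user), so add `/* to: true when the kernel object at ptr is copied out to user space, false when user data is copied into it */` above the declaration. `<linux/types.h>` is needed only for `bool`; a comment saying so keeps someone from removing the include later.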
4194 diff -urNp linux-2.6.37/arch/sparc/kernel/iommu.c linux-2.6.37/arch/sparc/kernel/iommu.c
4195 --- linux-2.6.37/arch/sparc/kernel/iommu.c 2011-01-04 19:50:19.000000000 -0500
4196 +++ linux-2.6.37/arch/sparc/kernel/iommu.c 2011-01-17 02:41:00.000000000 -0500
4197 @@ -828,7 +828,7 @@ static void dma_4u_sync_sg_for_cpu(struc
4198 spin_unlock_irqrestore(&iommu->lock, flags);
4199 }
4200
4201 -static struct dma_map_ops sun4u_dma_ops = {
4202 +static const struct dma_map_ops sun4u_dma_ops = {
4203 .alloc_coherent = dma_4u_alloc_coherent,
4204 .free_coherent = dma_4u_free_coherent,
4205 .map_page = dma_4u_map_page,
4206 @@ -839,7 +839,7 @@ static struct dma_map_ops sun4u_dma_ops
4207 .sync_sg_for_cpu = dma_4u_sync_sg_for_cpu,
4208 };
4209
4210 -struct dma_map_ops *dma_ops = &sun4u_dma_ops;
4211 +const struct dma_map_ops *dma_ops = &sun4u_dma_ops;
4212 EXPORT_SYMBOL(dma_ops);
4213
4214 extern int pci64_dma_supported(struct pci_dev *pdev, u64 device_mask);
4215 diff -urNp linux-2.6.37/arch/sparc/kernel/ioport.c linux-2.6.37/arch/sparc/kernel/ioport.c
4216 --- linux-2.6.37/arch/sparc/kernel/ioport.c 2011-01-04 19:50:19.000000000 -0500
4217 +++ linux-2.6.37/arch/sparc/kernel/ioport.c 2011-01-17 02:41:00.000000000 -0500
4218 @@ -397,7 +397,7 @@ static void sbus_sync_sg_for_device(stru
4219 BUG();
4220 }
4221
4222 -struct dma_map_ops sbus_dma_ops = {
4223 +const struct dma_map_ops sbus_dma_ops = {
4224 .alloc_coherent = sbus_alloc_coherent,
4225 .free_coherent = sbus_free_coherent,
4226 .map_page = sbus_map_page,
4227 @@ -408,7 +408,7 @@ struct dma_map_ops sbus_dma_ops = {
4228 .sync_sg_for_device = sbus_sync_sg_for_device,
4229 };
4230
4231 -struct dma_map_ops *dma_ops = &sbus_dma_ops;
4232 +const struct dma_map_ops *dma_ops = &sbus_dma_ops;
4233 EXPORT_SYMBOL(dma_ops);
4234
4235 static int __init sparc_register_ioport(void)
4236 @@ -645,7 +645,7 @@ static void pci32_sync_sg_for_device(str
4237 }
4238 }
4239
4240 -struct dma_map_ops pci32_dma_ops = {
4241 +const struct dma_map_ops pci32_dma_ops = {
4242 .alloc_coherent = pci32_alloc_coherent,
4243 .free_coherent = pci32_free_coherent,
4244 .map_page = pci32_map_page,
4245 diff -urNp linux-2.6.37/arch/sparc/kernel/kgdb_32.c linux-2.6.37/arch/sparc/kernel/kgdb_32.c
4246 --- linux-2.6.37/arch/sparc/kernel/kgdb_32.c 2011-01-04 19:50:19.000000000 -0500
4247 +++ linux-2.6.37/arch/sparc/kernel/kgdb_32.c 2011-01-17 02:41:00.000000000 -0500
4248 @@ -164,7 +164,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
4249 regs->npc = regs->pc + 4;
4250 }
4251
4252 -struct kgdb_arch arch_kgdb_ops = {
4253 +const struct kgdb_arch arch_kgdb_ops = {
4254 /* Breakpoint instruction: ta 0x7d */
4255 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x7d },
4256 };
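Review bot: Qualifying the definition of `arch_kgdb_ops` as `const` (here and in kgdb_64.c below) only compiles cleanly if the generic declaration in the kgdb core header is `const`-qualified too; that header is outside these hunks, so confirm the same patch changes it. The visible field (`gdb_bpt_instr`) is only ever read as far as this page shows, so moving the object to read-only memory looks sound, but any writer of `arch_kgdb_ops` elsewhere would now be a build error rather than a silent runtime store — which is the point, and worth a one-line comment on the definition.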
4257 diff -urNp linux-2.6.37/arch/sparc/kernel/kgdb_64.c linux-2.6.37/arch/sparc/kernel/kgdb_64.c
4258 --- linux-2.6.37/arch/sparc/kernel/kgdb_64.c 2011-01-04 19:50:19.000000000 -0500
4259 +++ linux-2.6.37/arch/sparc/kernel/kgdb_64.c 2011-01-17 02:41:00.000000000 -0500
4260 @@ -187,7 +187,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
4261 regs->tnpc = regs->tpc + 4;
4262 }
4263
4264 -struct kgdb_arch arch_kgdb_ops = {
4265 +const struct kgdb_arch arch_kgdb_ops = {
4266 /* Breakpoint instruction: ta 0x72 */
4267 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x72 },
4268 };
4269 diff -urNp linux-2.6.37/arch/sparc/kernel/Makefile linux-2.6.37/arch/sparc/kernel/Makefile
4270 --- linux-2.6.37/arch/sparc/kernel/Makefile 2011-01-04 19:50:19.000000000 -0500
4271 +++ linux-2.6.37/arch/sparc/kernel/Makefile 2011-01-17 02:41:00.000000000 -0500
4272 @@ -3,7 +3,7 @@
4273 #
4274
4275 asflags-y := -ansi
4276 -ccflags-y := -Werror
4277 +#ccflags-y := -Werror
4278
4279 extra-y := head_$(BITS).o
4280 extra-y += init_task.o
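Review bot: Commenting out `ccflags-y := -Werror` drops warnings-as-errors for all of arch/sparc/kernel, and the hunk records no reason. If the rest of the patch introduces warnings in this directory, name them in a comment above the line, e.g. `# -Werror disabled: <warning placeholder> in <file placeholder>; re-enable once fixed`, so the regression stays visible instead of becoming permanent. If the change is meant to be permanent, delete the line rather than leaving dead configuration behind.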
4281 diff -urNp linux-2.6.37/arch/sparc/kernel/pci_sun4v.c linux-2.6.37/arch/sparc/kernel/pci_sun4v.c
4282 --- linux-2.6.37/arch/sparc/kernel/pci_sun4v.c 2011-01-04 19:50:19.000000000 -0500
4283 +++ linux-2.6.37/arch/sparc/kernel/pci_sun4v.c 2011-01-17 02:41:00.000000000 -0500
4284 @@ -525,7 +525,7 @@ static void dma_4v_unmap_sg(struct devic
4285 spin_unlock_irqrestore(&iommu->lock, flags);
4286 }
4287
4288 -static struct dma_map_ops sun4v_dma_ops = {
4289 +static const struct dma_map_ops sun4v_dma_ops = {
4290 .alloc_coherent = dma_4v_alloc_coherent,
4291 .free_coherent = dma_4v_free_coherent,
4292 .map_page = dma_4v_map_page,
4293 diff -urNp linux-2.6.37/arch/sparc/kernel/process_32.c linux-2.6.37/arch/sparc/kernel/process_32.c
4294 --- linux-2.6.37/arch/sparc/kernel/process_32.c 2011-01-04 19:50:19.000000000 -0500
4295 +++ linux-2.6.37/arch/sparc/kernel/process_32.c 2011-01-17 02:41:00.000000000 -0500
4296 @@ -196,7 +196,7 @@ void __show_backtrace(unsigned long fp)
4297 rw->ins[4], rw->ins[5],
4298 rw->ins[6],
4299 rw->ins[7]);
4300 - printk("%pS\n", (void *) rw->ins[7]);
4301 + printk("%pA\n", (void *) rw->ins[7]);
4302 rw = (struct reg_window32 *) rw->ins[6];
4303 }
4304 spin_unlock_irqrestore(&sparc_backtrace_lock, flags);
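Review bot: As far as I can tell `%pA` is not a pointer conversion the stock 2.6.37 vsprintf understands, so this hunk — and the same `%pS` → `%pA` substitution in process_64.c, traps_32.c, traps_64.c and unaligned_64.c below — depends on a lib/vsprintf.c change elsewhere in this patch; without it the addresses would be printed through the default pointer path. A one-line comment at this first use, `/* %pA: symbol-printing variant provided by the vsprintf change in this patch */`, or a sentence in the patch description tying the substitutions to that change, would let a reviewer verify them together. The semantics of `%pA` (presumably a variant that respects kernel-address hiding) are not visible on this page and should be confirmed against that change.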
4305 @@ -263,14 +263,14 @@ void show_regs(struct pt_regs *r)
4306
4307 printk("PSR: %08lx PC: %08lx NPC: %08lx Y: %08lx %s\n",
4308 r->psr, r->pc, r->npc, r->y, print_tainted());
4309 - printk("PC: <%pS>\n", (void *) r->pc);
4310 + printk("PC: <%pA>\n", (void *) r->pc);
4311 printk("%%G: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4312 r->u_regs[0], r->u_regs[1], r->u_regs[2], r->u_regs[3],
4313 r->u_regs[4], r->u_regs[5], r->u_regs[6], r->u_regs[7]);
4314 printk("%%O: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4315 r->u_regs[8], r->u_regs[9], r->u_regs[10], r->u_regs[11],
4316 r->u_regs[12], r->u_regs[13], r->u_regs[14], r->u_regs[15]);
4317 - printk("RPC: <%pS>\n", (void *) r->u_regs[15]);
4318 + printk("RPC: <%pA>\n", (void *) r->u_regs[15]);
4319
4320 printk("%%L: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4321 rw->locals[0], rw->locals[1], rw->locals[2], rw->locals[3],
4322 @@ -305,7 +305,7 @@ void show_stack(struct task_struct *tsk,
4323 rw = (struct reg_window32 *) fp;
4324 pc = rw->ins[7];
4325 printk("[%08lx : ", pc);
4326 - printk("%pS ] ", (void *) pc);
4327 + printk("%pA ] ", (void *) pc);
4328 fp = rw->ins[6];
4329 } while (++count < 16);
4330 printk("\n");
4331 diff -urNp linux-2.6.37/arch/sparc/kernel/process_64.c linux-2.6.37/arch/sparc/kernel/process_64.c
4332 --- linux-2.6.37/arch/sparc/kernel/process_64.c 2011-01-04 19:50:19.000000000 -0500
4333 +++ linux-2.6.37/arch/sparc/kernel/process_64.c 2011-01-17 02:41:00.000000000 -0500
4334 @@ -180,14 +180,14 @@ static void show_regwindow(struct pt_reg
4335 printk("i4: %016lx i5: %016lx i6: %016lx i7: %016lx\n",
4336 rwk->ins[4], rwk->ins[5], rwk->ins[6], rwk->ins[7]);
4337 if (regs->tstate & TSTATE_PRIV)
4338 - printk("I7: <%pS>\n", (void *) rwk->ins[7]);
4339 + printk("I7: <%pA>\n", (void *) rwk->ins[7]);
4340 }
4341
4342 void show_regs(struct pt_regs *regs)
4343 {
4344 printk("TSTATE: %016lx TPC: %016lx TNPC: %016lx Y: %08x %s\n", regs->tstate,
4345 regs->tpc, regs->tnpc, regs->y, print_tainted());
4346 - printk("TPC: <%pS>\n", (void *) regs->tpc);
4347 + printk("TPC: <%pA>\n", (void *) regs->tpc);
4348 printk("g0: %016lx g1: %016lx g2: %016lx g3: %016lx\n",
4349 regs->u_regs[0], regs->u_regs[1], regs->u_regs[2],
4350 regs->u_regs[3]);
4351 @@ -200,7 +200,7 @@ void show_regs(struct pt_regs *regs)
4352 printk("o4: %016lx o5: %016lx sp: %016lx ret_pc: %016lx\n",
4353 regs->u_regs[12], regs->u_regs[13], regs->u_regs[14],
4354 regs->u_regs[15]);
4355 - printk("RPC: <%pS>\n", (void *) regs->u_regs[15]);
4356 + printk("RPC: <%pA>\n", (void *) regs->u_regs[15]);
4357 show_regwindow(regs);
4358 show_stack(current, (unsigned long *) regs->u_regs[UREG_FP]);
4359 }
4360 @@ -285,7 +285,7 @@ void arch_trigger_all_cpu_backtrace(void
4361 ((tp && tp->task) ? tp->task->pid : -1));
4362
4363 if (gp->tstate & TSTATE_PRIV) {
4364 - printk(" TPC[%pS] O7[%pS] I7[%pS] RPC[%pS]\n",
4365 + printk(" TPC[%pA] O7[%pA] I7[%pA] RPC[%pA]\n",
4366 (void *) gp->tpc,
4367 (void *) gp->o7,
4368 (void *) gp->i7,
4369 diff -urNp linux-2.6.37/arch/sparc/kernel/sys_sparc_32.c linux-2.6.37/arch/sparc/kernel/sys_sparc_32.c
4370 --- linux-2.6.37/arch/sparc/kernel/sys_sparc_32.c 2011-01-04 19:50:19.000000000 -0500
4371 +++ linux-2.6.37/arch/sparc/kernel/sys_sparc_32.c 2011-01-17 02:41:00.000000000 -0500
4372 @@ -56,7 +56,7 @@ unsigned long arch_get_unmapped_area(str
4373 if (ARCH_SUN4C && len > 0x20000000)
4374 return -ENOMEM;
4375 if (!addr)
4376 - addr = TASK_UNMAPPED_BASE;
4377 + addr = current->mm->mmap_base;
4378
4379 if (flags & MAP_SHARED)
4380 addr = COLOUR_ALIGN(addr);
4381 @@ -71,7 +71,7 @@ unsigned long arch_get_unmapped_area(str
4382 }
4383 if (TASK_SIZE - PAGE_SIZE - len < addr)
4384 return -ENOMEM;
4385 - if (!vmm || addr + len <= vmm->vm_start)
4386 + if (check_heap_stack_gap(vmm, addr, len))
4387 return addr;
4388 addr = vmm->vm_end;
4389 if (flags & MAP_SHARED)
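Review bot: `check_heap_stack_gap(vmm, addr, len)` replaces `!vmm || addr + len <= vmm->vm_start`, so the helper must accept a NULL `vmm` and must remain at least as strict as the old bound; its definition is outside this hunk, and the same replacement is made in every `arch_get_unmapped_area` and `arch_get_unmapped_area_topdown` hunk of sys_sparc_64.c below. A comment at this first call, `/* also rejects placements that would abut the stack; handles vmm == NULL */`, would record both requirements where the callers are. The line after it, `addr = vmm->vm_end;`, still dereferences `vmm` unconditionally, which is only safe if the helper returns true whenever `vmm` is NULL — worth stating in that comment.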
4390 diff -urNp linux-2.6.37/arch/sparc/kernel/sys_sparc_64.c linux-2.6.37/arch/sparc/kernel/sys_sparc_64.c
4391 --- linux-2.6.37/arch/sparc/kernel/sys_sparc_64.c 2011-01-04 19:50:19.000000000 -0500
4392 +++ linux-2.6.37/arch/sparc/kernel/sys_sparc_64.c 2011-01-17 02:41:00.000000000 -0500
4393 @@ -124,7 +124,7 @@ unsigned long arch_get_unmapped_area(str
4394 /* We do not accept a shared mapping if it would violate
4395 * cache aliasing constraints.
4396 */
4397 - if ((flags & MAP_SHARED) &&
4398 + if ((filp || (flags & MAP_SHARED)) &&
4399 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
4400 return -EINVAL;
4401 return addr;
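Review bot: The condition now rejects a misaligned hint for any file-backed mapping (`filp || (flags & MAP_SHARED)`), but the comment two lines above still says "We do not accept a shared mapping", so the comment no longer describes the check; the same applies to the `arch_get_unmapped_area_topdown` hunk below. Update it to `/* We do not accept a file-backed or shared mapping if it would violate cache aliasing constraints. */`. Since this branch returns -EINVAL, the change also turns a previously accepted private file mapping with an unaligned fixed address into a failure, which is worth one sentence in the patch description.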
4402 @@ -139,6 +139,10 @@ unsigned long arch_get_unmapped_area(str
4403 if (filp || (flags & MAP_SHARED))
4404 do_color_align = 1;
4405
4406 +#ifdef CONFIG_PAX_RANDMMAP
4407 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
4408 +#endif
4409 +
4410 if (addr) {
4411 if (do_color_align)
4412 addr = COLOUR_ALIGN(addr, pgoff);
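Review bot: The `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` inserted under `#ifdef CONFIG_PAX_RANDMMAP` has no body of its own: its controlled statement is the whole `if (addr) { ... }` block that follows, across a blank line and an `#endif`. That is correct today but fragile — anything later inserted between the `#endif` and `if (addr)` silently becomes the conditioned statement instead, and the block structure is invisible to a reader or a formatter. At minimum add `/* with randomised mmap the caller's hint is ignored; this guards the whole if (addr) block below */` on the line before the `#ifdef`; folding the flag into the `if (addr)` condition itself would remove the hazard. The enclosing function starts outside the hunk.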
4413 @@ -146,15 +150,14 @@ unsigned long arch_get_unmapped_area(str
4414 addr = PAGE_ALIGN(addr);
4415
4416 vma = find_vma(mm, addr);
4417 - if (task_size - len >= addr &&
4418 - (!vma || addr + len <= vma->vm_start))
4419 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4420 return addr;
4421 }
4422
4423 if (len > mm->cached_hole_size) {
4424 - start_addr = addr = mm->free_area_cache;
4425 + start_addr = addr = mm->free_area_cache;
4426 } else {
4427 - start_addr = addr = TASK_UNMAPPED_BASE;
4428 + start_addr = addr = mm->mmap_base;
4429 mm->cached_hole_size = 0;
4430 }
4431
4432 @@ -174,14 +177,14 @@ full_search:
4433 vma = find_vma(mm, VA_EXCLUDE_END);
4434 }
4435 if (unlikely(task_size < addr)) {
4436 - if (start_addr != TASK_UNMAPPED_BASE) {
4437 - start_addr = addr = TASK_UNMAPPED_BASE;
4438 + if (start_addr != mm->mmap_base) {
4439 + start_addr = addr = mm->mmap_base;
4440 mm->cached_hole_size = 0;
4441 goto full_search;
4442 }
4443 return -ENOMEM;
4444 }
4445 - if (likely(!vma || addr + len <= vma->vm_start)) {
4446 + if (likely(check_heap_stack_gap(vma, addr, len))) {
4447 /*
4448 * Remember the place where we stopped the search:
4449 */
4450 @@ -215,7 +218,7 @@ arch_get_unmapped_area_topdown(struct fi
4451 /* We do not accept a shared mapping if it would violate
4452 * cache aliasing constraints.
4453 */
4454 - if ((flags & MAP_SHARED) &&
4455 + if ((filp || (flags & MAP_SHARED)) &&
4456 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
4457 return -EINVAL;
4458 return addr;
4459 @@ -236,8 +239,7 @@ arch_get_unmapped_area_topdown(struct fi
4460 addr = PAGE_ALIGN(addr);
4461
4462 vma = find_vma(mm, addr);
4463 - if (task_size - len >= addr &&
4464 - (!vma || addr + len <= vma->vm_start))
4465 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4466 return addr;
4467 }
4468
4469 @@ -258,7 +260,7 @@ arch_get_unmapped_area_topdown(struct fi
4470 /* make sure it can fit in the remaining address space */
4471 if (likely(addr > len)) {
4472 vma = find_vma(mm, addr-len);
4473 - if (!vma || addr <= vma->vm_start) {
4474 + if (check_heap_stack_gap(vma, addr - len, len)) {
4475 /* remember the address as a hint for next time */
4476 return (mm->free_area_cache = addr-len);
4477 }
4478 @@ -278,7 +280,7 @@ arch_get_unmapped_area_topdown(struct fi
4479 * return with success:
4480 */
4481 vma = find_vma(mm, addr);
4482 - if (likely(!vma || addr+len <= vma->vm_start)) {
4483 + if (likely(check_heap_stack_gap(vma, addr, len))) {
4484 /* remember the address as a hint for next time */
4485 return (mm->free_area_cache = addr);
4486 }
4487 @@ -385,6 +387,12 @@ void arch_pick_mmap_layout(struct mm_str
4488 gap == RLIM_INFINITY ||
4489 sysctl_legacy_va_layout) {
4490 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
4491 +
4492 +#ifdef CONFIG_PAX_RANDMMAP
4493 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4494 + mm->mmap_base += mm->delta_mmap;
4495 +#endif
4496 +
4497 mm->get_unmapped_area = arch_get_unmapped_area;
4498 mm->unmap_area = arch_unmap_area;
4499 } else {
4500 @@ -397,6 +405,12 @@ void arch_pick_mmap_layout(struct mm_str
4501 gap = (task_size / 6 * 5);
4502
4503 mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
4504 +
4505 +#ifdef CONFIG_PAX_RANDMMAP
4506 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4507 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
4508 +#endif
4509 +
4510 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
4511 mm->unmap_area = arch_unmap_area_topdown;
4512 }
4513 diff -urNp linux-2.6.37/arch/sparc/kernel/traps_32.c linux-2.6.37/arch/sparc/kernel/traps_32.c
4514 --- linux-2.6.37/arch/sparc/kernel/traps_32.c 2011-01-04 19:50:19.000000000 -0500
4515 +++ linux-2.6.37/arch/sparc/kernel/traps_32.c 2011-01-17 02:41:00.000000000 -0500
4516 @@ -76,7 +76,7 @@ void die_if_kernel(char *str, struct pt_
4517 count++ < 30 &&
4518 (((unsigned long) rw) >= PAGE_OFFSET) &&
4519 !(((unsigned long) rw) & 0x7)) {
4520 - printk("Caller[%08lx]: %pS\n", rw->ins[7],
4521 + printk("Caller[%08lx]: %pA\n", rw->ins[7],
4522 (void *) rw->ins[7]);
4523 rw = (struct reg_window32 *)rw->ins[6];
4524 }
4525 diff -urNp linux-2.6.37/arch/sparc/kernel/traps_64.c linux-2.6.37/arch/sparc/kernel/traps_64.c
4526 --- linux-2.6.37/arch/sparc/kernel/traps_64.c 2011-01-04 19:50:19.000000000 -0500
4527 +++ linux-2.6.37/arch/sparc/kernel/traps_64.c 2011-01-17 02:41:00.000000000 -0500
4528 @@ -75,7 +75,7 @@ static void dump_tl1_traplog(struct tl1_
4529 i + 1,
4530 p->trapstack[i].tstate, p->trapstack[i].tpc,
4531 p->trapstack[i].tnpc, p->trapstack[i].tt);
4532 - printk("TRAPLOG: TPC<%pS>\n", (void *) p->trapstack[i].tpc);
4533 + printk("TRAPLOG: TPC<%pA>\n", (void *) p->trapstack[i].tpc);
4534 }
4535 }
4536
4537 @@ -95,6 +95,12 @@ void bad_trap(struct pt_regs *regs, long
4538
4539 lvl -= 0x100;
4540 if (regs->tstate & TSTATE_PRIV) {
4541 +
4542 +#ifdef CONFIG_PAX_REFCOUNT
4543 + if (lvl == 6)
4544 + pax_report_refcount_overflow(regs);
4545 +#endif
4546 +
4547 sprintf(buffer, "Kernel bad sw trap %lx", lvl);
4548 die_if_kernel(buffer, regs);
4549 }
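Review bot: `lvl == 6` is the software trap raised by `tvs %icc, 6` in spinlock_64.h and atomic_64.S, but nothing at either end names the number, so the coupling is invisible here and in the `bad_trap_tl1` hunk below; a single named constant (placeholder `PAX_REFCOUNT_TRAP`) used by both the asm and these two handlers would make the pairing checkable. Since `pax_report_refcount_overflow` is followed by `die_if_kernel`, an overflow detected in kernel context is fatal — say so in a comment above the `#ifdef`, e.g. `/* trap 6 is raised by the overflow-checked atomics; report it, then fall through to the fatal path */`. The `bad_trap_tl1` hunk also carries a whitespace-only change to a blank line that is unrelated to the fix.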
4550 @@ -113,11 +119,16 @@ void bad_trap(struct pt_regs *regs, long
4551 void bad_trap_tl1(struct pt_regs *regs, long lvl)
4552 {
4553 char buffer[32];
4554 -
4555 +
4556 if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs,
4557 0, lvl, SIGTRAP) == NOTIFY_STOP)
4558 return;
4559
4560 +#ifdef CONFIG_PAX_REFCOUNT
4561 + if (lvl == 6)
4562 + pax_report_refcount_overflow(regs);
4563 +#endif
4564 +
4565 dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
4566
4567 sprintf (buffer, "Bad trap %lx at tl>0", lvl);
4568 @@ -1141,7 +1152,7 @@ static void cheetah_log_errors(struct pt
4569 regs->tpc, regs->tnpc, regs->u_regs[UREG_I7], regs->tstate);
4570 printk("%s" "ERROR(%d): ",
4571 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id());
4572 - printk("TPC<%pS>\n", (void *) regs->tpc);
4573 + printk("TPC<%pA>\n", (void *) regs->tpc);
4574 printk("%s" "ERROR(%d): M_SYND(%lx), E_SYND(%lx)%s%s\n",
4575 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id(),
4576 (afsr & CHAFSR_M_SYNDROME) >> CHAFSR_M_SYNDROME_SHIFT,
4577 @@ -1748,7 +1759,7 @@ void cheetah_plus_parity_error(int type,
4578 smp_processor_id(),
4579 (type & 0x1) ? 'I' : 'D',
4580 regs->tpc);
4581 - printk(KERN_EMERG "TPC<%pS>\n", (void *) regs->tpc);
4582 + printk(KERN_EMERG "TPC<%pA>\n", (void *) regs->tpc);
4583 panic("Irrecoverable Cheetah+ parity error.");
4584 }
4585
4586 @@ -1756,7 +1767,7 @@ void cheetah_plus_parity_error(int type,
4587 smp_processor_id(),
4588 (type & 0x1) ? 'I' : 'D',
4589 regs->tpc);
4590 - printk(KERN_WARNING "TPC<%pS>\n", (void *) regs->tpc);
4591 + printk(KERN_WARNING "TPC<%pA>\n", (void *) regs->tpc);
4592 }
4593
4594 struct sun4v_error_entry {
4595 @@ -1963,9 +1974,9 @@ void sun4v_itlb_error_report(struct pt_r
4596
4597 printk(KERN_EMERG "SUN4V-ITLB: Error at TPC[%lx], tl %d\n",
4598 regs->tpc, tl);
4599 - printk(KERN_EMERG "SUN4V-ITLB: TPC<%pS>\n", (void *) regs->tpc);
4600 + printk(KERN_EMERG "SUN4V-ITLB: TPC<%pA>\n", (void *) regs->tpc);
4601 printk(KERN_EMERG "SUN4V-ITLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
4602 - printk(KERN_EMERG "SUN4V-ITLB: O7<%pS>\n",
4603 + printk(KERN_EMERG "SUN4V-ITLB: O7<%pA>\n",
4604 (void *) regs->u_regs[UREG_I7]);
4605 printk(KERN_EMERG "SUN4V-ITLB: vaddr[%lx] ctx[%lx] "
4606 "pte[%lx] error[%lx]\n",
4607 @@ -1987,9 +1998,9 @@ void sun4v_dtlb_error_report(struct pt_r
4608
4609 printk(KERN_EMERG "SUN4V-DTLB: Error at TPC[%lx], tl %d\n",
4610 regs->tpc, tl);
4611 - printk(KERN_EMERG "SUN4V-DTLB: TPC<%pS>\n", (void *) regs->tpc);
4612 + printk(KERN_EMERG "SUN4V-DTLB: TPC<%pA>\n", (void *) regs->tpc);
4613 printk(KERN_EMERG "SUN4V-DTLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
4614 - printk(KERN_EMERG "SUN4V-DTLB: O7<%pS>\n",
4615 + printk(KERN_EMERG "SUN4V-DTLB: O7<%pA>\n",
4616 (void *) regs->u_regs[UREG_I7]);
4617 printk(KERN_EMERG "SUN4V-DTLB: vaddr[%lx] ctx[%lx] "
4618 "pte[%lx] error[%lx]\n",
4619 @@ -2196,13 +2207,13 @@ void show_stack(struct task_struct *tsk,
4620 fp = (unsigned long)sf->fp + STACK_BIAS;
4621 }
4622
4623 - printk(" [%016lx] %pS\n", pc, (void *) pc);
4624 + printk(" [%016lx] %pA\n", pc, (void *) pc);
4625 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
4626 if ((pc + 8UL) == (unsigned long) &return_to_handler) {
4627 int index = tsk->curr_ret_stack;
4628 if (tsk->ret_stack && index >= graph) {
4629 pc = tsk->ret_stack[index - graph].ret;
4630 - printk(" [%016lx] %pS\n", pc, (void *) pc);
4631 + printk(" [%016lx] %pA\n", pc, (void *) pc);
4632 graph++;
4633 }
4634 }
4635 @@ -2255,7 +2266,7 @@ void die_if_kernel(char *str, struct pt_
4636 while (rw &&
4637 count++ < 30 &&
4638 kstack_valid(tp, (unsigned long) rw)) {
4639 - printk("Caller[%016lx]: %pS\n", rw->ins[7],
4640 + printk("Caller[%016lx]: %pA\n", rw->ins[7],
4641 (void *) rw->ins[7]);
4642
4643 rw = kernel_stack_up(rw);
4644 diff -urNp linux-2.6.37/arch/sparc/kernel/unaligned_64.c linux-2.6.37/arch/sparc/kernel/unaligned_64.c
4645 --- linux-2.6.37/arch/sparc/kernel/unaligned_64.c 2011-01-04 19:50:19.000000000 -0500
4646 +++ linux-2.6.37/arch/sparc/kernel/unaligned_64.c 2011-01-17 02:41:00.000000000 -0500
4647 @@ -278,7 +278,7 @@ static void log_unaligned(struct pt_regs
4648 static DEFINE_RATELIMIT_STATE(ratelimit, 5 * HZ, 5);
4649
4650 if (__ratelimit(&ratelimit)) {
4651 - printk("Kernel unaligned access at TPC[%lx] %pS\n",
4652 + printk("Kernel unaligned access at TPC[%lx] %pA\n",
4653 regs->tpc, (void *) regs->tpc);
4654 }
4655 }
4656 diff -urNp linux-2.6.37/arch/sparc/lib/atomic_64.S linux-2.6.37/arch/sparc/lib/atomic_64.S
4657 --- linux-2.6.37/arch/sparc/lib/atomic_64.S 2011-01-04 19:50:19.000000000 -0500
4658 +++ linux-2.6.37/arch/sparc/lib/atomic_64.S 2011-01-17 02:41:00.000000000 -0500
4659 @@ -18,7 +18,12 @@
4660 atomic_add: /* %o0 = increment, %o1 = atomic_ptr */
4661 BACKOFF_SETUP(%o2)
4662 1: lduw [%o1], %g1
4663 - add %g1, %o0, %g7
4664 + addcc %g1, %o0, %g7
4665 +
4666 +#ifdef CONFIG_PAX_REFCOUNT
4667 + tvs %icc, 6
4668 +#endif
4669 +
4670 cas [%o1], %g1, %g7
4671 cmp %g1, %g7
4672 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
4673 @@ -28,12 +33,32 @@ atomic_add: /* %o0 = increment, %o1 = at
4674 2: BACKOFF_SPIN(%o2, %o3, 1b)
4675 .size atomic_add, .-atomic_add
4676
4677 + .globl atomic_add_unchecked
4678 + .type atomic_add_unchecked,#function
4679 +atomic_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4680 + BACKOFF_SETUP(%o2)
4681 +1: lduw [%o1], %g1
4682 + add %g1, %o0, %g7
4683 + cas [%o1], %g1, %g7
4684 + cmp %g1, %g7
4685 + bne,pn %icc, 2f
4686 + nop
4687 + retl
4688 + nop
4689 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4690 + .size atomic_add_unchecked, .-atomic_add_unchecked
4691 +
4692 .globl atomic_sub
4693 .type atomic_sub,#function
4694 atomic_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4695 BACKOFF_SETUP(%o2)
4696 1: lduw [%o1], %g1
4697 - sub %g1, %o0, %g7
4698 + subcc %g1, %o0, %g7
4699 +
4700 +#ifdef CONFIG_PAX_REFCOUNT
4701 + tvs %icc, 6
4702 +#endif
4703 +
4704 cas [%o1], %g1, %g7
4705 cmp %g1, %g7
4706 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
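Review bot: The new `atomic_add_unchecked` branches to `2f` directly (`bne,pn %icc, 2f`) while every checked routine goes through `BACKOFF_LABEL(2f, 1b)`; if `BACKOFF_LABEL`/`BACKOFF_SPIN` expand differently per configuration (their use here suggests they do, but the header is outside the hunk), then in a configuration where `BACKOFF_SPIN` is empty a failed `cas` in the unchecked path has no retry and falls off the end of the routine into the next symbol. Use `bne,pn %icc, BACKOFF_LABEL(2f, 1b)` here and likewise in `atomic_sub_unchecked`, `atomic_add_ret_unchecked`, `atomic64_add_unchecked`, `atomic64_sub_unchecked` and `atomic64_add_ret_unchecked` in the hunks below. Separately, this routine and `atomic_sub_unchecked` use plain `add`/`sub` while the other unchecked variants use `addcc`/`subcc` without a trap; the unchecked variants do not need the condition codes, so pick one form for all of them.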
4707 @@ -43,12 +68,32 @@ atomic_sub: /* %o0 = decrement, %o1 = at
4708 2: BACKOFF_SPIN(%o2, %o3, 1b)
4709 .size atomic_sub, .-atomic_sub
4710
4711 + .globl atomic_sub_unchecked
4712 + .type atomic_sub_unchecked,#function
4713 +atomic_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4714 + BACKOFF_SETUP(%o2)
4715 +1: lduw [%o1], %g1
4716 + sub %g1, %o0, %g7
4717 + cas [%o1], %g1, %g7
4718 + cmp %g1, %g7
4719 + bne,pn %icc, 2f
4720 + nop
4721 + retl
4722 + nop
4723 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4724 + .size atomic_sub_unchecked, .-atomic_sub_unchecked
4725 +
4726 .globl atomic_add_ret
4727 .type atomic_add_ret,#function
4728 atomic_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
4729 BACKOFF_SETUP(%o2)
4730 1: lduw [%o1], %g1
4731 - add %g1, %o0, %g7
4732 + addcc %g1, %o0, %g7
4733 +
4734 +#ifdef CONFIG_PAX_REFCOUNT
4735 + tvs %icc, 6
4736 +#endif
4737 +
4738 cas [%o1], %g1, %g7
4739 cmp %g1, %g7
4740 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
4741 @@ -58,12 +103,33 @@ atomic_add_ret: /* %o0 = increment, %o1
4742 2: BACKOFF_SPIN(%o2, %o3, 1b)
4743 .size atomic_add_ret, .-atomic_add_ret
4744
4745 + .globl atomic_add_ret_unchecked
4746 + .type atomic_add_ret_unchecked,#function
4747 +atomic_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4748 + BACKOFF_SETUP(%o2)
4749 +1: lduw [%o1], %g1
4750 + addcc %g1, %o0, %g7
4751 + cas [%o1], %g1, %g7
4752 + cmp %g1, %g7
4753 + bne,pn %icc, 2f
4754 + add %g7, %o0, %g7
4755 + sra %g7, 0, %o0
4756 + retl
4757 + nop
4758 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4759 + .size atomic_add_ret_unchecked, .-atomic_add_ret_unchecked
4760 +
4761 .globl atomic_sub_ret
4762 .type atomic_sub_ret,#function
4763 atomic_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4764 BACKOFF_SETUP(%o2)
4765 1: lduw [%o1], %g1
4766 - sub %g1, %o0, %g7
4767 + subcc %g1, %o0, %g7
4768 +
4769 +#ifdef CONFIG_PAX_REFCOUNT
4770 + tvs %icc, 6
4771 +#endif
4772 +
4773 cas [%o1], %g1, %g7
4774 cmp %g1, %g7
4775 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
4776 @@ -78,7 +144,12 @@ atomic_sub_ret: /* %o0 = decrement, %o1
4777 atomic64_add: /* %o0 = increment, %o1 = atomic_ptr */
4778 BACKOFF_SETUP(%o2)
4779 1: ldx [%o1], %g1
4780 - add %g1, %o0, %g7
4781 + addcc %g1, %o0, %g7
4782 +
4783 +#ifdef CONFIG_PAX_REFCOUNT
4784 + tvs %xcc, 6
4785 +#endif
4786 +
4787 casx [%o1], %g1, %g7
4788 cmp %g1, %g7
4789 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
4790 @@ -88,12 +159,32 @@ atomic64_add: /* %o0 = increment, %o1 =
4791 2: BACKOFF_SPIN(%o2, %o3, 1b)
4792 .size atomic64_add, .-atomic64_add
4793
4794 + .globl atomic64_add_unchecked
4795 + .type atomic64_add_unchecked,#function
4796 +atomic64_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4797 + BACKOFF_SETUP(%o2)
4798 +1: ldx [%o1], %g1
4799 + addcc %g1, %o0, %g7
4800 + casx [%o1], %g1, %g7
4801 + cmp %g1, %g7
4802 + bne,pn %xcc, 2f
4803 + nop
4804 + retl
4805 + nop
4806 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4807 + .size atomic64_add_unchecked, .-atomic64_add_unchecked
4808 +
4809 .globl atomic64_sub
4810 .type atomic64_sub,#function
4811 atomic64_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4812 BACKOFF_SETUP(%o2)
4813 1: ldx [%o1], %g1
4814 - sub %g1, %o0, %g7
4815 + subcc %g1, %o0, %g7
4816 +
4817 +#ifdef CONFIG_PAX_REFCOUNT
4818 + tvs %xcc, 6
4819 +#endif
4820 +
4821 casx [%o1], %g1, %g7
4822 cmp %g1, %g7
4823 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
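Review bot: atomic64_add_unchecked retries with `bne,pn %xcc, 2f` while every checked routine in this file, including atomic64_sub in the same hunk, uses `bne,pn %xcc, BACKOFF_LABEL(2f, 1b)`; unless the macro is deliberately bypassed, the unchecked variant should use it too so UP and SMP builds get the same retry shape as their checked siblings (backoff.h is not visible, so this is by analogy). The `addcc` in the unchecked body also computes condition codes that nothing reads before `cmp` overwrites them, so a plain `add %g1, %o0, %g7` states the intent (no overflow check) more clearly. Two-line change: `add %g1, %o0, %g7` and `bne,pn %xcc, BACKOFF_LABEL(2f, 1b)`. atomic64_sub continues past the hunk.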
4824 @@ -103,12 +194,32 @@ atomic64_sub: /* %o0 = decrement, %o1 =
4825 2: BACKOFF_SPIN(%o2, %o3, 1b)
4826 .size atomic64_sub, .-atomic64_sub
4827
4828 + .globl atomic64_sub_unchecked
4829 + .type atomic64_sub_unchecked,#function
4830 +atomic64_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4831 + BACKOFF_SETUP(%o2)
4832 +1: ldx [%o1], %g1
4833 + subcc %g1, %o0, %g7
4834 + casx [%o1], %g1, %g7
4835 + cmp %g1, %g7
4836 + bne,pn %xcc, 2f
4837 + nop
4838 + retl
4839 + nop
4840 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4841 + .size atomic64_sub_unchecked, .-atomic64_sub_unchecked
4842 +
4843 .globl atomic64_add_ret
4844 .type atomic64_add_ret,#function
4845 atomic64_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
4846 BACKOFF_SETUP(%o2)
4847 1: ldx [%o1], %g1
4848 - add %g1, %o0, %g7
4849 + addcc %g1, %o0, %g7
4850 +
4851 +#ifdef CONFIG_PAX_REFCOUNT
4852 + tvs %xcc, 6
4853 +#endif
4854 +
4855 casx [%o1], %g1, %g7
4856 cmp %g1, %g7
4857 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
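Review bot: The `_unchecked` suffix on atomic64_sub_unchecked is never explained, and the only visible difference from atomic64_sub is the missing `CONFIG_PAX_REFCOUNT` trap, which a future caller cannot infer from the name. I would put a comment above `.globl atomic64_sub_unchecked`: `/* PaX: atomic64_sub without the CONFIG_PAX_REFCOUNT overflow trap; presumably for counters whose wrap-around is harmless, never for object refcounts */`. As in the other unchecked bodies, `subcc` sets flags that nothing consumes before `cmp`, so `sub %g1, %o0, %g7` would do. atomic64_add_ret continues past the hunk.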
4858 @@ -118,12 +229,33 @@ atomic64_add_ret: /* %o0 = increment, %o
4859 2: BACKOFF_SPIN(%o2, %o3, 1b)
4860 .size atomic64_add_ret, .-atomic64_add_ret
4861
4862 + .globl atomic64_add_ret_unchecked
4863 + .type atomic64_add_ret_unchecked,#function
4864 +atomic64_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4865 + BACKOFF_SETUP(%o2)
4866 +1: ldx [%o1], %g1
4867 + addcc %g1, %o0, %g7
4868 + casx [%o1], %g1, %g7
4869 + cmp %g1, %g7
4870 + bne,pn %xcc, 2f
4871 + add %g7, %o0, %g7
4872 + mov %g7, %o0
4873 + retl
4874 + nop
4875 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4876 + .size atomic64_add_ret_unchecked, .-atomic64_add_ret_unchecked
4877 +
4878 .globl atomic64_sub_ret
4879 .type atomic64_sub_ret,#function
4880 atomic64_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4881 BACKOFF_SETUP(%o2)
4882 1: ldx [%o1], %g1
4883 - sub %g1, %o0, %g7
4884 + subcc %g1, %o0, %g7
4885 +
4886 +#ifdef CONFIG_PAX_REFCOUNT
4887 + tvs %xcc, 6
4888 +#endif
4889 +
4890 casx [%o1], %g1, %g7
4891 cmp %g1, %g7
4892 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
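Review bot: In atomic64_add_ret_unchecked the `add %g7, %o0, %g7` sits in the delay slot of a non-annulled `bne,pn`, so it also executes on the retry path; that is harmless only because `1:` reloads %g1 and recomputes %g7, and the sibling unchecked routines put a `nop` there, so a reader will wonder whether the clobber is intended. A one-line comment on the delay slot would settle it: `/* delay slot: also runs on retry, %g7 is recomputed at 1b */`. The value returned is the post-add value, which matches what atomic64_add_ret's name implies, though that routine's epilogue is outside the hunk. atomic64_sub_ret continues past the hunk.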
4893 diff -urNp linux-2.6.37/arch/sparc/lib/ksyms.c linux-2.6.37/arch/sparc/lib/ksyms.c
4894 --- linux-2.6.37/arch/sparc/lib/ksyms.c 2011-01-04 19:50:19.000000000 -0500
4895 +++ linux-2.6.37/arch/sparc/lib/ksyms.c 2011-01-17 02:41:00.000000000 -0500
4896 @@ -142,12 +142,17 @@ EXPORT_SYMBOL(__downgrade_write);
4897
4898 /* Atomic counter implementation. */
4899 EXPORT_SYMBOL(atomic_add);
4900 +EXPORT_SYMBOL(atomic_add_unchecked);
4901 EXPORT_SYMBOL(atomic_add_ret);
4902 EXPORT_SYMBOL(atomic_sub);
4903 +EXPORT_SYMBOL(atomic_sub_unchecked);
4904 EXPORT_SYMBOL(atomic_sub_ret);
4905 EXPORT_SYMBOL(atomic64_add);
4906 +EXPORT_SYMBOL(atomic64_add_unchecked);
4907 EXPORT_SYMBOL(atomic64_add_ret);
4908 +EXPORT_SYMBOL(atomic64_add_ret_unchecked);
4909 EXPORT_SYMBOL(atomic64_sub);
4910 +EXPORT_SYMBOL(atomic64_sub_unchecked);
4911 EXPORT_SYMBOL(atomic64_sub_ret);
4912
4913 /* Atomic bit operations. */
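Review bot: atomic_add_ret_unchecked is defined in the assembly (its `.size` directive is visible earlier in this chunk) but is the only new routine not exported here, while its 64-bit counterpart atomic64_add_ret_unchecked is; if the inline atomic_add_return_unchecked() wrapper in the header calls it the way the existing wrappers do, any module using it will fail to load with an unresolved symbol. Add `EXPORT_SYMBOL(atomic_add_ret_unchecked);` after the atomic_add_ret line. Neither atomic_sub_ret_unchecked nor atomic64_sub_ret_unchecked appears in the assembly chunk, so their absence here looks consistent.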
4914 diff -urNp linux-2.6.37/arch/sparc/Makefile linux-2.6.37/arch/sparc/Makefile
4915 --- linux-2.6.37/arch/sparc/Makefile 2011-01-04 19:50:19.000000000 -0500
4916 +++ linux-2.6.37/arch/sparc/Makefile 2011-01-17 02:41:00.000000000 -0500
4917 @@ -75,7 +75,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
4918 # Export what is needed by arch/sparc/boot/Makefile
4919 export VMLINUX_INIT VMLINUX_MAIN
4920 VMLINUX_INIT := $(head-y) $(init-y)
4921 -VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/
4922 +VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
4923 VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y)
4924 VMLINUX_MAIN += $(drivers-y) $(net-y)
4925
4926 diff -urNp linux-2.6.37/arch/sparc/mm/fault_32.c linux-2.6.37/arch/sparc/mm/fault_32.c
4927 --- linux-2.6.37/arch/sparc/mm/fault_32.c 2011-01-04 19:50:19.000000000 -0500
4928 +++ linux-2.6.37/arch/sparc/mm/fault_32.c 2011-01-17 02:41:00.000000000 -0500
4929 @@ -22,6 +22,9 @@
4930 #include <linux/interrupt.h>
4931 #include <linux/module.h>
4932 #include <linux/kdebug.h>
4933 +#include <linux/slab.h>
4934 +#include <linux/pagemap.h>
4935 +#include <linux/compiler.h>
4936
4937 #include <asm/system.h>
4938 #include <asm/page.h>
4939 @@ -209,6 +212,268 @@ static unsigned long compute_si_addr(str
4940 return safe_compute_effective_address(regs, insn);
4941 }
4942
4943 +#ifdef CONFIG_PAX_PAGEEXEC
4944 +#ifdef CONFIG_PAX_DLRESOLVE
4945 +static void pax_emuplt_close(struct vm_area_struct *vma)
4946 +{
4947 + vma->vm_mm->call_dl_resolve = 0UL;
4948 +}
4949 +
4950 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
4951 +{
4952 + unsigned int *kaddr;
4953 +
4954 + vmf->page = alloc_page(GFP_HIGHUSER);
4955 + if (!vmf->page)
4956 + return VM_FAULT_OOM;
4957 +
4958 + kaddr = kmap(vmf->page);
4959 + memset(kaddr, 0, PAGE_SIZE);
4960 + kaddr[0] = 0x9DE3BFA8U; /* save */
4961 + flush_dcache_page(vmf->page);
4962 + kunmap(vmf->page);
4963 + return VM_FAULT_MAJOR;
4964 +}
4965 +
4966 +static const struct vm_operations_struct pax_vm_ops = {
4967 + .close = pax_emuplt_close,
4968 + .fault = pax_emuplt_fault
4969 +};
4970 +
4971 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
4972 +{
4973 + int ret;
4974 +
4975 + INIT_LIST_HEAD(&vma->anon_vma_chain);
4976 + vma->vm_mm = current->mm;
4977 + vma->vm_start = addr;
4978 + vma->vm_end = addr + PAGE_SIZE;
4979 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
4980 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
4981 + vma->vm_ops = &pax_vm_ops;
4982 +
4983 + ret = insert_vm_struct(current->mm, vma);
4984 + if (ret)
4985 + return ret;
4986 +
4987 + ++current->mm->total_vm;
4988 + return 0;
4989 +}
4990 +#endif
4991 +
4992 +/*
4993 + * PaX: decide what to do with offenders (regs->pc = fault address)
4994 + *
4995 + * returns 1 when task should be killed
4996 + * 2 when patched PLT trampoline was detected
4997 + * 3 when unpatched PLT trampoline was detected
4998 + */
4999 +static int pax_handle_fetch_fault(struct pt_regs *regs)
5000 +{
5001 +
5002 +#ifdef CONFIG_PAX_EMUPLT
5003 + int err;
5004 +
5005 + do { /* PaX: patched PLT emulation #1 */
5006 + unsigned int sethi1, sethi2, jmpl;
5007 +
5008 + err = get_user(sethi1, (unsigned int *)regs->pc);
5009 + err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
5010 + err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
5011 +
5012 + if (err)
5013 + break;
5014 +
5015 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
5016 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
5017 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
5018 + {
5019 + unsigned int addr;
5020 +
5021 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
5022 + addr = regs->u_regs[UREG_G1];
5023 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
5024 + regs->pc = addr;
5025 + regs->npc = addr+4;
5026 + return 2;
5027 + }
5028 + } while (0);
5029 +
5030 + { /* PaX: patched PLT emulation #2 */
5031 + unsigned int ba;
5032 +
5033 + err = get_user(ba, (unsigned int *)regs->pc);
5034 +
5035 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
5036 + unsigned int addr;
5037 +
5038 + addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
5039 + regs->pc = addr;
5040 + regs->npc = addr+4;
5041 + return 2;
5042 + }
5043 + }
5044 +
5045 + do { /* PaX: patched PLT emulation #3 */
5046 + unsigned int sethi, jmpl, nop;
5047 +
5048 + err = get_user(sethi, (unsigned int *)regs->pc);
5049 + err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
5050 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
5051 +
5052 + if (err)
5053 + break;
5054 +
5055 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5056 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
5057 + nop == 0x01000000U)
5058 + {
5059 + unsigned int addr;
5060 +
5061 + addr = (sethi & 0x003FFFFFU) << 10;
5062 + regs->u_regs[UREG_G1] = addr;
5063 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
5064 + regs->pc = addr;
5065 + regs->npc = addr+4;
5066 + return 2;
5067 + }
5068 + } while (0);
5069 +
5070 + do { /* PaX: unpatched PLT emulation step 1 */
5071 + unsigned int sethi, ba, nop;
5072 +
5073 + err = get_user(sethi, (unsigned int *)regs->pc);
5074 + err |= get_user(ba, (unsigned int *)(regs->pc+4));
5075 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
5076 +
5077 + if (err)
5078 + break;
5079 +
5080 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5081 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
5082 + nop == 0x01000000U)
5083 + {
5084 + unsigned int addr, save, call;
5085 +
5086 + if ((ba & 0xFFC00000U) == 0x30800000U)
5087 + addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
5088 + else
5089 + addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
5090 +
5091 + err = get_user(save, (unsigned int *)addr);
5092 + err |= get_user(call, (unsigned int *)(addr+4));
5093 + err |= get_user(nop, (unsigned int *)(addr+8));
5094 + if (err)
5095 + break;
5096 +
5097 +#ifdef CONFIG_PAX_DLRESOLVE
5098 + if (save == 0x9DE3BFA8U &&
5099 + (call & 0xC0000000U) == 0x40000000U &&
5100 + nop == 0x01000000U)
5101 + {
5102 + struct vm_area_struct *vma;
5103 + unsigned long call_dl_resolve;
5104 +
5105 + down_read(&current->mm->mmap_sem);
5106 + call_dl_resolve = current->mm->call_dl_resolve;
5107 + up_read(&current->mm->mmap_sem);
5108 + if (likely(call_dl_resolve))
5109 + goto emulate;
5110 +
5111 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
5112 +
5113 + down_write(&current->mm->mmap_sem);
5114 + if (current->mm->call_dl_resolve) {
5115 + call_dl_resolve = current->mm->call_dl_resolve;
5116 + up_write(&current->mm->mmap_sem);
5117 + if (vma)
5118 + kmem_cache_free(vm_area_cachep, vma);
5119 + goto emulate;
5120 + }
5121 +
5122 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
5123 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
5124 + up_write(&current->mm->mmap_sem);
5125 + if (vma)
5126 + kmem_cache_free(vm_area_cachep, vma);
5127 + return 1;
5128 + }
5129 +
5130 + if (pax_insert_vma(vma, call_dl_resolve)) {
5131 + up_write(&current->mm->mmap_sem);
5132 + kmem_cache_free(vm_area_cachep, vma);
5133 + return 1;
5134 + }
5135 +
5136 + current->mm->call_dl_resolve = call_dl_resolve;
5137 + up_write(&current->mm->mmap_sem);
5138 +
5139 +emulate:
5140 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5141 + regs->pc = call_dl_resolve;
5142 + regs->npc = addr+4;
5143 + return 3;
5144 + }
5145 +#endif
5146 +
5147 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
5148 + if ((save & 0xFFC00000U) == 0x05000000U &&
5149 + (call & 0xFFFFE000U) == 0x85C0A000U &&
5150 + nop == 0x01000000U)
5151 + {
5152 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5153 + regs->u_regs[UREG_G2] = addr + 4;
5154 + addr = (save & 0x003FFFFFU) << 10;
5155 + addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
5156 + regs->pc = addr;
5157 + regs->npc = addr+4;
5158 + return 3;
5159 + }
5160 + }
5161 + } while (0);
5162 +
5163 + do { /* PaX: unpatched PLT emulation step 2 */
5164 + unsigned int save, call, nop;
5165 +
5166 + err = get_user(save, (unsigned int *)(regs->pc-4));
5167 + err |= get_user(call, (unsigned int *)regs->pc);
5168 + err |= get_user(nop, (unsigned int *)(regs->pc+4));
5169 + if (err)
5170 + break;
5171 +
5172 + if (save == 0x9DE3BFA8U &&
5173 + (call & 0xC0000000U) == 0x40000000U &&
5174 + nop == 0x01000000U)
5175 + {
5176 + unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
5177 +
5178 + regs->u_regs[UREG_RETPC] = regs->pc;
5179 + regs->pc = dl_resolve;
5180 + regs->npc = dl_resolve+4;
5181 + return 3;
5182 + }
5183 + } while (0);
5184 +#endif
5185 +
5186 + return 1;
5187 +}
5188 +
5189 +void pax_report_insns(void *pc, void *sp)
5190 +{
5191 + unsigned long i;
5192 +
5193 + printk(KERN_ERR "PAX: bytes at PC: ");
5194 + for (i = 0; i < 8; i++) {
5195 + unsigned int c;
5196 + if (get_user(c, (unsigned int *)pc+i))
5197 + printk(KERN_CONT "???????? ");
5198 + else
5199 + printk(KERN_CONT "%08x ", c);
5200 + }
5201 + printk("\n");
5202 +}
5203 +#endif
5204 +
5205 static noinline void do_fault_siginfo(int code, int sig, struct pt_regs *regs,
5206 int text_fault)
5207 {
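Review bot: The sparc32 "unpatched PLT emulation step 2" block (the `save`/`call`/`nop` match that redirects to `dl_resolve` and sets %o7) is compiled unconditionally, whereas the sparc64 version of the same block in this patch is wrapped in `#ifdef CONFIG_PAX_DLRESOLVE`. Step 2 only seems reachable after the `save` has been executed from the DLRESOLVE trampoline page, so without that option it is dead code that still lets a non-executable page holding a save/call pair steer the pc, and the two ports should agree: wrap the do-while in `#ifdef CONFIG_PAX_DLRESOLVE` / `#endif` as the 64-bit file does. Separately, pax_emuplt_fault and pax_insert_vma would benefit from a comment stating that the trampoline page holds a single `save` and that execution resumes at `npc = addr+4` inside the real PLT stub; that is not obvious from the code.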
5208 @@ -282,6 +547,24 @@ good_area:
5209 if(!(vma->vm_flags & VM_WRITE))
5210 goto bad_area;
5211 } else {
5212 +
5213 +#ifdef CONFIG_PAX_PAGEEXEC
5214 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
5215 + up_read(&mm->mmap_sem);
5216 + switch (pax_handle_fetch_fault(regs)) {
5217 +
5218 +#ifdef CONFIG_PAX_EMUPLT
5219 + case 2:
5220 + case 3:
5221 + return;
5222 +#endif
5223 +
5224 + }
5225 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
5226 + do_group_exit(SIGKILL);
5227 + }
5228 +#endif
5229 +
5230 /* Allow reads even for write-only mappings */
5231 if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
5232 goto bad_area;
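Review bot: The `switch` on pax_handle_fetch_fault's result has no `default` and collapses to an empty `switch (...) { }` when CONFIG_PAX_EMUPLT is off, so the reader has to know the helper's return-code contract (1 = kill) to see that falling out of it is the intended kill path. A `default: break; /* 1: not a PLT pattern, kill below */` arm, or an equivalent comment above `pax_report_fault`, would make the fallthrough explicit. It is also worth a comment that `mmap_sem` is released by the `up_read` before the emulation helper touches user memory, and that `do_group_exit` does not return. The enclosing fault handler starts and ends outside the hunk.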
5233 diff -urNp linux-2.6.37/arch/sparc/mm/fault_64.c linux-2.6.37/arch/sparc/mm/fault_64.c
5234 --- linux-2.6.37/arch/sparc/mm/fault_64.c 2011-01-04 19:50:19.000000000 -0500
5235 +++ linux-2.6.37/arch/sparc/mm/fault_64.c 2011-01-17 02:41:00.000000000 -0500
5236 @@ -21,6 +21,9 @@
5237 #include <linux/kprobes.h>
5238 #include <linux/kdebug.h>
5239 #include <linux/percpu.h>
5240 +#include <linux/slab.h>
5241 +#include <linux/pagemap.h>
5242 +#include <linux/compiler.h>
5243
5244 #include <asm/page.h>
5245 #include <asm/pgtable.h>
5246 @@ -74,7 +77,7 @@ static void __kprobes bad_kernel_pc(stru
5247 printk(KERN_CRIT "OOPS: Bogus kernel PC [%016lx] in fault handler\n",
5248 regs->tpc);
5249 printk(KERN_CRIT "OOPS: RPC [%016lx]\n", regs->u_regs[15]);
5250 - printk("OOPS: RPC <%pS>\n", (void *) regs->u_regs[15]);
5251 + printk("OOPS: RPC <%pA>\n", (void *) regs->u_regs[15]);
5252 printk(KERN_CRIT "OOPS: Fault was to vaddr[%lx]\n", vaddr);
5253 dump_stack();
5254 unhandled_fault(regs->tpc, current, regs);
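Review bot: Switching the symbolic print to `%pA` leaves the line immediately above it printing the raw return address with `%016lx`, so if the new conversion exists to keep the kernel address out of the log (its definition is not in this chunk), the first printk defeats it; either drop the raw-address line or give it the same treatment. If `%pA` instead only changes the symbol formatting, a short comment saying so would stop the next reader from asking the same question. bad_kernel_pc starts and ends outside the hunk.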
5255 @@ -272,6 +275,457 @@ static void noinline __kprobes bogus_32b
5256 show_regs(regs);
5257 }
5258
5259 +#ifdef CONFIG_PAX_PAGEEXEC
5260 +#ifdef CONFIG_PAX_DLRESOLVE
5261 +static void pax_emuplt_close(struct vm_area_struct *vma)
5262 +{
5263 + vma->vm_mm->call_dl_resolve = 0UL;
5264 +}
5265 +
5266 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
5267 +{
5268 + unsigned int *kaddr;
5269 +
5270 + vmf->page = alloc_page(GFP_HIGHUSER);
5271 + if (!vmf->page)
5272 + return VM_FAULT_OOM;
5273 +
5274 + kaddr = kmap(vmf->page);
5275 + memset(kaddr, 0, PAGE_SIZE);
5276 + kaddr[0] = 0x9DE3BFA8U; /* save */
5277 + flush_dcache_page(vmf->page);
5278 + kunmap(vmf->page);
5279 + return VM_FAULT_MAJOR;
5280 +}
5281 +
5282 +static const struct vm_operations_struct pax_vm_ops = {
5283 + .close = pax_emuplt_close,
5284 + .fault = pax_emuplt_fault
5285 +};
5286 +
5287 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
5288 +{
5289 + int ret;
5290 +
5291 + INIT_LIST_HEAD(&vma->anon_vma_chain);
5292 + vma->vm_mm = current->mm;
5293 + vma->vm_start = addr;
5294 + vma->vm_end = addr + PAGE_SIZE;
5295 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
5296 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
5297 + vma->vm_ops = &pax_vm_ops;
5298 +
5299 + ret = insert_vm_struct(current->mm, vma);
5300 + if (ret)
5301 + return ret;
5302 +
5303 + ++current->mm->total_vm;
5304 + return 0;
5305 +}
5306 +#endif
5307 +
5308 +/*
5309 + * PaX: decide what to do with offenders (regs->tpc = fault address)
5310 + *
5311 + * returns 1 when task should be killed
5312 + * 2 when patched PLT trampoline was detected
5313 + * 3 when unpatched PLT trampoline was detected
5314 + */
5315 +static int pax_handle_fetch_fault(struct pt_regs *regs)
5316 +{
5317 +
5318 +#ifdef CONFIG_PAX_EMUPLT
5319 + int err;
5320 +
5321 + do { /* PaX: patched PLT emulation #1 */
5322 + unsigned int sethi1, sethi2, jmpl;
5323 +
5324 + err = get_user(sethi1, (unsigned int *)regs->tpc);
5325 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
5326 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
5327 +
5328 + if (err)
5329 + break;
5330 +
5331 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
5332 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
5333 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
5334 + {
5335 + unsigned long addr;
5336 +
5337 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
5338 + addr = regs->u_regs[UREG_G1];
5339 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5340 +
5341 + if (test_thread_flag(TIF_32BIT))
5342 + addr &= 0xFFFFFFFFUL;
5343 +
5344 + regs->tpc = addr;
5345 + regs->tnpc = addr+4;
5346 + return 2;
5347 + }
5348 + } while (0);
5349 +
5350 + { /* PaX: patched PLT emulation #2 */
5351 + unsigned int ba;
5352 +
5353 + err = get_user(ba, (unsigned int *)regs->tpc);
5354 +
5355 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
5356 + unsigned long addr;
5357 +
5358 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5359 +
5360 + if (test_thread_flag(TIF_32BIT))
5361 + addr &= 0xFFFFFFFFUL;
5362 +
5363 + regs->tpc = addr;
5364 + regs->tnpc = addr+4;
5365 + return 2;
5366 + }
5367 + }
5368 +
5369 + do { /* PaX: patched PLT emulation #3 */
5370 + unsigned int sethi, jmpl, nop;
5371 +
5372 + err = get_user(sethi, (unsigned int *)regs->tpc);
5373 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
5374 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5375 +
5376 + if (err)
5377 + break;
5378 +
5379 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5380 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
5381 + nop == 0x01000000U)
5382 + {
5383 + unsigned long addr;
5384 +
5385 + addr = (sethi & 0x003FFFFFU) << 10;
5386 + regs->u_regs[UREG_G1] = addr;
5387 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5388 +
5389 + if (test_thread_flag(TIF_32BIT))
5390 + addr &= 0xFFFFFFFFUL;
5391 +
5392 + regs->tpc = addr;
5393 + regs->tnpc = addr+4;
5394 + return 2;
5395 + }
5396 + } while (0);
5397 +
5398 + do { /* PaX: patched PLT emulation #4 */
5399 + unsigned int sethi, mov1, call, mov2;
5400 +
5401 + err = get_user(sethi, (unsigned int *)regs->tpc);
5402 + err |= get_user(mov1, (unsigned int *)(regs->tpc+4));
5403 + err |= get_user(call, (unsigned int *)(regs->tpc+8));
5404 + err |= get_user(mov2, (unsigned int *)(regs->tpc+12));
5405 +
5406 + if (err)
5407 + break;
5408 +
5409 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5410 + mov1 == 0x8210000FU &&
5411 + (call & 0xC0000000U) == 0x40000000U &&
5412 + mov2 == 0x9E100001U)
5413 + {
5414 + unsigned long addr;
5415 +
5416 + regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
5417 + addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5418 +
5419 + if (test_thread_flag(TIF_32BIT))
5420 + addr &= 0xFFFFFFFFUL;
5421 +
5422 + regs->tpc = addr;
5423 + regs->tnpc = addr+4;
5424 + return 2;
5425 + }
5426 + } while (0);
5427 +
5428 + do { /* PaX: patched PLT emulation #5 */
5429 + unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop;
5430 +
5431 + err = get_user(sethi, (unsigned int *)regs->tpc);
5432 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5433 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5434 + err |= get_user(or1, (unsigned int *)(regs->tpc+12));
5435 + err |= get_user(or2, (unsigned int *)(regs->tpc+16));
5436 + err |= get_user(sllx, (unsigned int *)(regs->tpc+20));
5437 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+24));
5438 + err |= get_user(nop, (unsigned int *)(regs->tpc+28));
5439 +
5440 + if (err)
5441 + break;
5442 +
5443 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5444 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
5445 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5446 + (or1 & 0xFFFFE000U) == 0x82106000U &&
5447 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
5448 + sllx == 0x83287020U &&
5449 + jmpl == 0x81C04005U &&
5450 + nop == 0x01000000U)
5451 + {
5452 + unsigned long addr;
5453 +
5454 + regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5455 + regs->u_regs[UREG_G1] <<= 32;
5456 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5457 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5458 + regs->tpc = addr;
5459 + regs->tnpc = addr+4;
5460 + return 2;
5461 + }
5462 + } while (0);
5463 +
5464 + do { /* PaX: patched PLT emulation #6 */
5465 + unsigned int sethi, sethi1, sethi2, sllx, or, jmpl, nop;
5466 +
5467 + err = get_user(sethi, (unsigned int *)regs->tpc);
5468 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5469 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5470 + err |= get_user(sllx, (unsigned int *)(regs->tpc+12));
5471 + err |= get_user(or, (unsigned int *)(regs->tpc+16));
5472 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
5473 + err |= get_user(nop, (unsigned int *)(regs->tpc+24));
5474 +
5475 + if (err)
5476 + break;
5477 +
5478 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5479 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
5480 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5481 + sllx == 0x83287020U &&
5482 + (or & 0xFFFFE000U) == 0x8A116000U &&
5483 + jmpl == 0x81C04005U &&
5484 + nop == 0x01000000U)
5485 + {
5486 + unsigned long addr;
5487 +
5488 + regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
5489 + regs->u_regs[UREG_G1] <<= 32;
5490 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
5491 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5492 + regs->tpc = addr;
5493 + regs->tnpc = addr+4;
5494 + return 2;
5495 + }
5496 + } while (0);
5497 +
5498 + do { /* PaX: unpatched PLT emulation step 1 */
5499 + unsigned int sethi, ba, nop;
5500 +
5501 + err = get_user(sethi, (unsigned int *)regs->tpc);
5502 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5503 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5504 +
5505 + if (err)
5506 + break;
5507 +
5508 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5509 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
5510 + nop == 0x01000000U)
5511 + {
5512 + unsigned long addr;
5513 + unsigned int save, call;
5514 + unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl;
5515 +
5516 + if ((ba & 0xFFC00000U) == 0x30800000U)
5517 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5518 + else
5519 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5520 +
5521 + if (test_thread_flag(TIF_32BIT))
5522 + addr &= 0xFFFFFFFFUL;
5523 +
5524 + err = get_user(save, (unsigned int *)addr);
5525 + err |= get_user(call, (unsigned int *)(addr+4));
5526 + err |= get_user(nop, (unsigned int *)(addr+8));
5527 + if (err)
5528 + break;
5529 +
5530 +#ifdef CONFIG_PAX_DLRESOLVE
5531 + if (save == 0x9DE3BFA8U &&
5532 + (call & 0xC0000000U) == 0x40000000U &&
5533 + nop == 0x01000000U)
5534 + {
5535 + struct vm_area_struct *vma;
5536 + unsigned long call_dl_resolve;
5537 +
5538 + down_read(&current->mm->mmap_sem);
5539 + call_dl_resolve = current->mm->call_dl_resolve;
5540 + up_read(&current->mm->mmap_sem);
5541 + if (likely(call_dl_resolve))
5542 + goto emulate;
5543 +
5544 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
5545 +
5546 + down_write(&current->mm->mmap_sem);
5547 + if (current->mm->call_dl_resolve) {
5548 + call_dl_resolve = current->mm->call_dl_resolve;
5549 + up_write(&current->mm->mmap_sem);
5550 + if (vma)
5551 + kmem_cache_free(vm_area_cachep, vma);
5552 + goto emulate;
5553 + }
5554 +
5555 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
5556 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
5557 + up_write(&current->mm->mmap_sem);
5558 + if (vma)
5559 + kmem_cache_free(vm_area_cachep, vma);
5560 + return 1;
5561 + }
5562 +
5563 + if (pax_insert_vma(vma, call_dl_resolve)) {
5564 + up_write(&current->mm->mmap_sem);
5565 + kmem_cache_free(vm_area_cachep, vma);
5566 + return 1;
5567 + }
5568 +
5569 + current->mm->call_dl_resolve = call_dl_resolve;
5570 + up_write(&current->mm->mmap_sem);
5571 +
5572 +emulate:
5573 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5574 + regs->tpc = call_dl_resolve;
5575 + regs->tnpc = addr+4;
5576 + return 3;
5577 + }
5578 +#endif
5579 +
5580 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
5581 + if ((save & 0xFFC00000U) == 0x05000000U &&
5582 + (call & 0xFFFFE000U) == 0x85C0A000U &&
5583 + nop == 0x01000000U)
5584 + {
5585 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5586 + regs->u_regs[UREG_G2] = addr + 4;
5587 + addr = (save & 0x003FFFFFU) << 10;
5588 + addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5589 +
5590 + if (test_thread_flag(TIF_32BIT))
5591 + addr &= 0xFFFFFFFFUL;
5592 +
5593 + regs->tpc = addr;
5594 + regs->tnpc = addr+4;
5595 + return 3;
5596 + }
5597 +
5598 + /* PaX: 64-bit PLT stub */
5599 + err = get_user(sethi1, (unsigned int *)addr);
5600 + err |= get_user(sethi2, (unsigned int *)(addr+4));
5601 + err |= get_user(or1, (unsigned int *)(addr+8));
5602 + err |= get_user(or2, (unsigned int *)(addr+12));
5603 + err |= get_user(sllx, (unsigned int *)(addr+16));
5604 + err |= get_user(add, (unsigned int *)(addr+20));
5605 + err |= get_user(jmpl, (unsigned int *)(addr+24));
5606 + err |= get_user(nop, (unsigned int *)(addr+28));
5607 + if (err)
5608 + break;
5609 +
5610 + if ((sethi1 & 0xFFC00000U) == 0x09000000U &&
5611 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5612 + (or1 & 0xFFFFE000U) == 0x88112000U &&
5613 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
5614 + sllx == 0x89293020U &&
5615 + add == 0x8A010005U &&
5616 + jmpl == 0x89C14000U &&
5617 + nop == 0x01000000U)
5618 + {
5619 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5620 + regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5621 + regs->u_regs[UREG_G4] <<= 32;
5622 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5623 + regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4];
5624 + regs->u_regs[UREG_G4] = addr + 24;
5625 + addr = regs->u_regs[UREG_G5];
5626 + regs->tpc = addr;
5627 + regs->tnpc = addr+4;
5628 + return 3;
5629 + }
5630 + }
5631 + } while (0);
5632 +
5633 +#ifdef CONFIG_PAX_DLRESOLVE
5634 + do { /* PaX: unpatched PLT emulation step 2 */
5635 + unsigned int save, call, nop;
5636 +
5637 + err = get_user(save, (unsigned int *)(regs->tpc-4));
5638 + err |= get_user(call, (unsigned int *)regs->tpc);
5639 + err |= get_user(nop, (unsigned int *)(regs->tpc+4));
5640 + if (err)
5641 + break;
5642 +
5643 + if (save == 0x9DE3BFA8U &&
5644 + (call & 0xC0000000U) == 0x40000000U &&
5645 + nop == 0x01000000U)
5646 + {
5647 + unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5648 +
5649 + if (test_thread_flag(TIF_32BIT))
5650 + dl_resolve &= 0xFFFFFFFFUL;
5651 +
5652 + regs->u_regs[UREG_RETPC] = regs->tpc;
5653 + regs->tpc = dl_resolve;
5654 + regs->tnpc = dl_resolve+4;
5655 + return 3;
5656 + }
5657 + } while (0);
5658 +#endif
5659 +
5660 + do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */
5661 + unsigned int sethi, ba, nop;
5662 +
5663 + err = get_user(sethi, (unsigned int *)regs->tpc);
5664 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5665 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5666 +
5667 + if (err)
5668 + break;
5669 +
5670 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5671 + (ba & 0xFFF00000U) == 0x30600000U &&
5672 + nop == 0x01000000U)
5673 + {
5674 + unsigned long addr;
5675 +
5676 + addr = (sethi & 0x003FFFFFU) << 10;
5677 + regs->u_regs[UREG_G1] = addr;
5678 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5679 +
5680 + if (test_thread_flag(TIF_32BIT))
5681 + addr &= 0xFFFFFFFFUL;
5682 +
5683 + regs->tpc = addr;
5684 + regs->tnpc = addr+4;
5685 + return 2;
5686 + }
5687 + } while (0);
5688 +
5689 +#endif
5690 +
5691 + return 1;
5692 +}
5693 +
5694 +void pax_report_insns(void *pc, void *sp)
5695 +{
5696 + unsigned long i;
5697 +
5698 + printk(KERN_ERR "PAX: bytes at PC: ");
5699 + for (i = 0; i < 8; i++) {
5700 + unsigned int c;
5701 + if (get_user(c, (unsigned int *)pc+i))
5702 + printk(KERN_CONT "???????? ");
5703 + else
5704 + printk(KERN_CONT "%08x ", c);
5705 + }
5706 + printk("\n");
5707 +}
5708 +#endif
5709 +
5710 asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
5711 {
5712 struct mm_struct *mm = current->mm;
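Review bot: In "patched PLT emulation #4" the call displacement is applied to `regs->tpc + 4` although the `call` is the third instruction of the pattern, at `tpc+8`; every other pattern in this function takes the branch instruction's own address as the base (step 1 uses `tpc + 4` for a `ba` at tpc+4, step 2 uses `tpc` for a `call` at tpc), so this looks off by one instruction and should be confirmed against how ld.so encodes that stub before it is relied on. If the base is really `tpc + 8`, the fix is the one line `addr = regs->tpc + 8 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);`. Separately, the `TIF_32BIT` masking is applied in patterns #1–#4 and steps 1/2 but not in #5 and #6; a comment that those stubs build 64-bit addresses (`sllx 32`) and are 64-bit-ABI only would justify the asymmetry.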
5713 @@ -340,6 +794,29 @@ asmlinkage void __kprobes do_sparc64_fau
5714 if (!vma)
5715 goto bad_area;
5716
5717 +#ifdef CONFIG_PAX_PAGEEXEC
5718 + /* PaX: detect ITLB misses on non-exec pages */
5719 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
5720 + !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
5721 + {
5722 + if (address != regs->tpc)
5723 + goto good_area;
5724 +
5725 + up_read(&mm->mmap_sem);
5726 + switch (pax_handle_fetch_fault(regs)) {
5727 +
5728 +#ifdef CONFIG_PAX_EMUPLT
5729 + case 2:
5730 + case 3:
5731 + return;
5732 +#endif
5733 +
5734 + }
5735 + pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS));
5736 + do_group_exit(SIGKILL);
5737 + }
5738 +#endif
5739 +
5740 /* Pure DTLB misses do not tell us whether the fault causing
5741 * load/store/atomic was a write or not, it only says that there
5742 * was no match. So in such a case we (carefully) read the
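Review bot: The stack pointer handed to `pax_report_fault` is `regs->u_regs[UREG_FP] + STACK_BIAS` unconditionally, but the emulation code this patch adds treats `TIF_32BIT` tasks specially, and the 32-bit ABI does not bias the stack pointer, so for compat tasks the reported sp (and anything dumped from it) is presumably 2047 bytes off. Mirror the existing convention: `(void *)(regs->u_regs[UREG_FP] + (test_thread_flag(TIF_32BIT) ? 0 : STACK_BIAS))`. The `address != regs->tpc` → `goto good_area` early-out also deserves a comment saying why an ITLB miss whose address differs from the faulting pc is treated as benign. do_sparc64_fault starts and ends outside the hunk.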
5743 diff -urNp linux-2.6.37/arch/sparc/mm/hugetlbpage.c linux-2.6.37/arch/sparc/mm/hugetlbpage.c
5744 --- linux-2.6.37/arch/sparc/mm/hugetlbpage.c 2011-01-04 19:50:19.000000000 -0500
5745 +++ linux-2.6.37/arch/sparc/mm/hugetlbpage.c 2011-01-17 02:41:00.000000000 -0500
5746 @@ -68,7 +68,7 @@ full_search:
5747 }
5748 return -ENOMEM;
5749 }
5750 - if (likely(!vma || addr + len <= vma->vm_start)) {
5751 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5752 /*
5753 * Remember the place where we stopped the search:
5754 */
5755 @@ -107,7 +107,7 @@ hugetlb_get_unmapped_area_topdown(struct
5756 /* make sure it can fit in the remaining address space */
5757 if (likely(addr > len)) {
5758 vma = find_vma(mm, addr-len);
5759 - if (!vma || addr <= vma->vm_start) {
5760 + if (check_heap_stack_gap(vma, addr - len, len)) {
5761 /* remember the address as a hint for next time */
5762 return (mm->free_area_cache = addr-len);
5763 }
5764 @@ -125,7 +125,7 @@ hugetlb_get_unmapped_area_topdown(struct
5765 * return with success:
5766 */
5767 vma = find_vma(mm, addr);
5768 - if (likely(!vma || addr+len <= vma->vm_start)) {
5769 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5770 /* remember the address as a hint for next time */
5771 return (mm->free_area_cache = addr);
5772 }
5773 @@ -182,8 +182,7 @@ hugetlb_get_unmapped_area(struct file *f
5774 if (addr) {
5775 addr = ALIGN(addr, HPAGE_SIZE);
5776 vma = find_vma(mm, addr);
5777 - if (task_size - len >= addr &&
5778 - (!vma || addr + len <= vma->vm_start))
5779 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
5780 return addr;
5781 }
5782 if (mm->get_unmapped_area == arch_get_unmapped_area)
5783 diff -urNp linux-2.6.37/arch/sparc/mm/init_32.c linux-2.6.37/arch/sparc/mm/init_32.c
5784 --- linux-2.6.37/arch/sparc/mm/init_32.c 2011-01-04 19:50:19.000000000 -0500
5785 +++ linux-2.6.37/arch/sparc/mm/init_32.c 2011-01-17 02:41:00.000000000 -0500
5786 @@ -318,6 +318,9 @@ extern void device_scan(void);
5787 pgprot_t PAGE_SHARED __read_mostly;
5788 EXPORT_SYMBOL(PAGE_SHARED);
5789
5790 +pgprot_t PAGE_SHARED_NOEXEC __read_mostly;
5791 +EXPORT_SYMBOL(PAGE_SHARED_NOEXEC);
5792 +
5793 void __init paging_init(void)
5794 {
5795 switch(sparc_cpu_model) {
5796 @@ -346,17 +349,17 @@ void __init paging_init(void)
5797
5798 /* Initialize the protection map with non-constant, MMU dependent values. */
5799 protection_map[0] = PAGE_NONE;
5800 - protection_map[1] = PAGE_READONLY;
5801 - protection_map[2] = PAGE_COPY;
5802 - protection_map[3] = PAGE_COPY;
5803 + protection_map[1] = PAGE_READONLY_NOEXEC;
5804 + protection_map[2] = PAGE_COPY_NOEXEC;
5805 + protection_map[3] = PAGE_COPY_NOEXEC;
5806 protection_map[4] = PAGE_READONLY;
5807 protection_map[5] = PAGE_READONLY;
5808 protection_map[6] = PAGE_COPY;
5809 protection_map[7] = PAGE_COPY;
5810 protection_map[8] = PAGE_NONE;
5811 - protection_map[9] = PAGE_READONLY;
5812 - protection_map[10] = PAGE_SHARED;
5813 - protection_map[11] = PAGE_SHARED;
5814 + protection_map[9] = PAGE_READONLY_NOEXEC;
5815 + protection_map[10] = PAGE_SHARED_NOEXEC;
5816 + protection_map[11] = PAGE_SHARED_NOEXEC;
5817 protection_map[12] = PAGE_READONLY;
5818 protection_map[13] = PAGE_READONLY;
5819 protection_map[14] = PAGE_SHARED;
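Review bot: The protection_map entries 1–3 and 9–11 are switched to the PAGE_*_NOEXEC variants unconditionally, while the srmmu.c hunk below fills PAGE_SHARED_NOEXEC and the page_copy_noexec/page_readonly_noexec BTFIXUP slots only under CONFIG_PAX_PAGEEXEC, and the new `pgprot_t PAGE_SHARED_NOEXEC __read_mostly;` in the first hunk has no initialiser. That is only correct if the NOEXEC names resolve to the executable variants when the option is off; that definition is not in these hunks, so it is worth confirming, and any other MMU backend selected by the `switch(sparc_cpu_model)` above would need the same initialisation. A comment on the first reassignment, `/* NOEXEC variants alias the executable ones unless CONFIG_PAX_PAGEEXEC is set */`, would record the intent.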
5820 diff -urNp linux-2.6.37/arch/sparc/mm/Makefile linux-2.6.37/arch/sparc/mm/Makefile
5821 --- linux-2.6.37/arch/sparc/mm/Makefile 2011-01-04 19:50:19.000000000 -0500
5822 +++ linux-2.6.37/arch/sparc/mm/Makefile 2011-01-17 02:41:00.000000000 -0500
5823 @@ -2,7 +2,7 @@
5824 #
5825
5826 asflags-y := -ansi
5827 -ccflags-y := -Werror
5828 +#ccflags-y := -Werror
5829
5830 obj-$(CONFIG_SPARC64) += ultra.o tlb.o tsb.o
5831 obj-y += fault_$(BITS).o
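Review bot: Commenting out `ccflags-y := -Werror` disables warnings-as-errors for the whole arch/sparc/mm directory, so any warning introduced by the NOEXEC changes in init_32.c and srmmu.c will now pass silently instead of failing the build. If one specific warning motivated this, fix it or suppress just that warning with a targeted flag, and leave a comment naming it; as written, the reader cannot tell what the suppression is for.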
5832 diff -urNp linux-2.6.37/arch/sparc/mm/srmmu.c linux-2.6.37/arch/sparc/mm/srmmu.c
5833 --- linux-2.6.37/arch/sparc/mm/srmmu.c 2011-01-04 19:50:19.000000000 -0500
5834 +++ linux-2.6.37/arch/sparc/mm/srmmu.c 2011-01-17 02:41:00.000000000 -0500
5835 @@ -2200,6 +2200,13 @@ void __init ld_mmu_srmmu(void)
5836 PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
5837 BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
5838 BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
5839 +
5840 +#ifdef CONFIG_PAX_PAGEEXEC
5841 + PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
5842 + BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
5843 + BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
5844 +#endif
5845 +
5846 BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
5847 page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
5848
5849 diff -urNp linux-2.6.37/arch/um/include/asm/kmap_types.h linux-2.6.37/arch/um/include/asm/kmap_types.h
5850 --- linux-2.6.37/arch/um/include/asm/kmap_types.h 2011-01-04 19:50:19.000000000 -0500
5851 +++ linux-2.6.37/arch/um/include/asm/kmap_types.h 2011-01-17 02:41:00.000000000 -0500
5852 @@ -23,6 +23,7 @@ enum km_type {
5853 KM_IRQ1,
5854 KM_SOFTIRQ0,
5855 KM_SOFTIRQ1,
5856 + KM_CLEARPAGE,
5857 KM_TYPE_NR
5858 };
5859
5860 diff -urNp linux-2.6.37/arch/um/include/asm/page.h linux-2.6.37/arch/um/include/asm/page.h
5861 --- linux-2.6.37/arch/um/include/asm/page.h 2011-01-04 19:50:19.000000000 -0500
5862 +++ linux-2.6.37/arch/um/include/asm/page.h 2011-01-17 02:41:00.000000000 -0500
5863 @@ -14,6 +14,9 @@
5864 #define PAGE_SIZE (_AC(1, UL) << PAGE_SHIFT)
5865 #define PAGE_MASK (~(PAGE_SIZE-1))
5866
5867 +#define ktla_ktva(addr) (addr)
5868 +#define ktva_ktla(addr) (addr)
5869 +
5870 #ifndef __ASSEMBLY__
5871
5872 struct page;
5873 diff -urNp linux-2.6.37/arch/um/kernel/process.c linux-2.6.37/arch/um/kernel/process.c
5874 --- linux-2.6.37/arch/um/kernel/process.c 2011-01-04 19:50:19.000000000 -0500
5875 +++ linux-2.6.37/arch/um/kernel/process.c 2011-01-17 02:41:00.000000000 -0500
5876 @@ -404,22 +404,6 @@ int singlestepping(void * t)
5877 return 2;
5878 }
5879
5880 -/*
5881 - * Only x86 and x86_64 have an arch_align_stack().
5882 - * All other arches have "#define arch_align_stack(x) (x)"
5883 - * in their asm/system.h
5884 - * As this is included in UML from asm-um/system-generic.h,
5885 - * we can use it to behave as the subarch does.
5886 - */
5887 -#ifndef arch_align_stack
5888 -unsigned long arch_align_stack(unsigned long sp)
5889 -{
5890 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
5891 - sp -= get_random_int() % 8192;
5892 - return sp & ~0xf;
5893 -}
5894 -#endif
5895 -
5896 unsigned long get_wchan(struct task_struct *p)
5897 {
5898 unsigned long stack_page, sp, ip;
5899 diff -urNp linux-2.6.37/arch/um/sys-i386/syscalls.c linux-2.6.37/arch/um/sys-i386/syscalls.c
5900 --- linux-2.6.37/arch/um/sys-i386/syscalls.c 2011-01-04 19:50:19.000000000 -0500
5901 +++ linux-2.6.37/arch/um/sys-i386/syscalls.c 2011-01-17 02:41:00.000000000 -0500
5902 @@ -11,6 +11,21 @@
5903 #include "asm/uaccess.h"
5904 #include "asm/unistd.h"
5905
5906 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
5907 +{
5908 + unsigned long pax_task_size = TASK_SIZE;
5909 +
5910 +#ifdef CONFIG_PAX_SEGMEXEC
5911 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
5912 + pax_task_size = SEGMEXEC_TASK_SIZE;
5913 +#endif
5914 +
5915 + if (len > pax_task_size || addr > pax_task_size - len)
5916 + return -EINVAL;
5917 +
5918 + return 0;
5919 +}
5920 +
5921 /*
5922 * The prototype on i386 is:
5923 *
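Review bot: i386_mmap_check has no comment and its `flags` parameter is unused, so the contract (return -EINVAL when the range cannot fit below the task limit) has to be reverse-engineered from the two comparisons. The order `len > pax_task_size || addr > pax_task_size - len` is what keeps the subtraction from wrapping, which is worth stating: `/* Reject addr/len that would extend past the (SEGMEXEC-reduced) task size; len is tested first so pax_task_size - len cannot wrap. */`. The function is non-static and no prototype appears in this hunk, so presumably one is added to a header elsewhere in the patch.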
5924 diff -urNp linux-2.6.37/arch/x86/boot/bitops.h linux-2.6.37/arch/x86/boot/bitops.h
5925 --- linux-2.6.37/arch/x86/boot/bitops.h 2011-01-04 19:50:19.000000000 -0500
5926 +++ linux-2.6.37/arch/x86/boot/bitops.h 2011-01-17 02:41:00.000000000 -0500
5927 @@ -26,7 +26,7 @@ static inline int variable_test_bit(int
5928 u8 v;
5929 const u32 *p = (const u32 *)addr;
5930
5931 - asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
5932 + asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
5933 return v;
5934 }
5935
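Review bot: The `asm` → `asm volatile` changes here, in boot.h (the ds() hunk) and throughout cpucheck.c carry no comment explaining why the qualifier is needed, and for set_bit in the next hunk it changes little, since the `+m` operand already pins the statement. Where it matters is the read side: an asm with outputs and no `volatile` is treated as a pure function of its operands, so two `rdmsr`/`cpuid` with identical inputs may be merged or hoisted across the intervening `wrmsr` in check_cpu (the `@@ -231` hunk). A one-line comment at the first site, `/* volatile: the result depends on CPU state changed by earlier asm, not only on the operands */`, would make the intent reviewable.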
5936 @@ -37,7 +37,7 @@ static inline int variable_test_bit(int
5937
5938 static inline void set_bit(int nr, void *addr)
5939 {
5940 - asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
5941 + asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
5942 }
5943
5944 #endif /* BOOT_BITOPS_H */
5945 diff -urNp linux-2.6.37/arch/x86/boot/boot.h linux-2.6.37/arch/x86/boot/boot.h
5946 --- linux-2.6.37/arch/x86/boot/boot.h 2011-01-04 19:50:19.000000000 -0500
5947 +++ linux-2.6.37/arch/x86/boot/boot.h 2011-01-17 02:41:00.000000000 -0500
5948 @@ -85,7 +85,7 @@ static inline void io_delay(void)
5949 static inline u16 ds(void)
5950 {
5951 u16 seg;
5952 - asm("movw %%ds,%0" : "=rm" (seg));
5953 + asm volatile("movw %%ds,%0" : "=rm" (seg));
5954 return seg;
5955 }
5956
5957 @@ -181,7 +181,7 @@ static inline void wrgs32(u32 v, addr_t
5958 static inline int memcmp(const void *s1, const void *s2, size_t len)
5959 {
5960 u8 diff;
5961 - asm("repe; cmpsb; setnz %0"
5962 + asm volatile("repe; cmpsb; setnz %0"
5963 : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
5964 return diff;
5965 }
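Review bot: `volatile` does not give memcmp what it actually lacks: the asm compares the bytes behind s1 and s2 but declares only the pointer values as operands, so the compiler remains free to sink stores to those buffers past the comparison. If ordering against surrounding memory accesses is the goal, the operand list needs a clobber, `: "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len) : : "memory");`. Whether any caller relies on this is not visible here, but the clobber is the cheap, correct fix.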
5966 diff -urNp linux-2.6.37/arch/x86/boot/compressed/head_32.S linux-2.6.37/arch/x86/boot/compressed/head_32.S
5967 --- linux-2.6.37/arch/x86/boot/compressed/head_32.S 2011-01-04 19:50:19.000000000 -0500
5968 +++ linux-2.6.37/arch/x86/boot/compressed/head_32.S 2011-01-17 02:41:00.000000000 -0500
5969 @@ -76,7 +76,7 @@ ENTRY(startup_32)
5970 notl %eax
5971 andl %eax, %ebx
5972 #else
5973 - movl $LOAD_PHYSICAL_ADDR, %ebx
5974 + movl $____LOAD_PHYSICAL_ADDR, %ebx
5975 #endif
5976
5977 /* Target address to relocate to for decompression */
5978 @@ -162,7 +162,7 @@ relocated:
5979 * and where it was actually loaded.
5980 */
5981 movl %ebp, %ebx
5982 - subl $LOAD_PHYSICAL_ADDR, %ebx
5983 + subl $____LOAD_PHYSICAL_ADDR, %ebx
5984 jz 2f /* Nothing to be done if loaded at compiled addr. */
5985 /*
5986 * Process relocations.
5987 @@ -170,8 +170,7 @@ relocated:
5988
5989 1: subl $4, %edi
5990 movl (%edi), %ecx
5991 - testl %ecx, %ecx
5992 - jz 2f
5993 + jecxz 2f
5994 addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
5995 jmp 1b
5996 2:
5997 diff -urNp linux-2.6.37/arch/x86/boot/compressed/head_64.S linux-2.6.37/arch/x86/boot/compressed/head_64.S
5998 --- linux-2.6.37/arch/x86/boot/compressed/head_64.S 2011-01-04 19:50:19.000000000 -0500
5999 +++ linux-2.6.37/arch/x86/boot/compressed/head_64.S 2011-01-17 02:41:00.000000000 -0500
6000 @@ -91,7 +91,7 @@ ENTRY(startup_32)
6001 notl %eax
6002 andl %eax, %ebx
6003 #else
6004 - movl $LOAD_PHYSICAL_ADDR, %ebx
6005 + movl $____LOAD_PHYSICAL_ADDR, %ebx
6006 #endif
6007
6008 /* Target address to relocate to for decompression */
6009 @@ -233,7 +233,7 @@ ENTRY(startup_64)
6010 notq %rax
6011 andq %rax, %rbp
6012 #else
6013 - movq $LOAD_PHYSICAL_ADDR, %rbp
6014 + movq $____LOAD_PHYSICAL_ADDR, %rbp
6015 #endif
6016
6017 /* Target address to relocate to for decompression */
6018 diff -urNp linux-2.6.37/arch/x86/boot/compressed/misc.c linux-2.6.37/arch/x86/boot/compressed/misc.c
6019 --- linux-2.6.37/arch/x86/boot/compressed/misc.c 2011-01-04 19:50:19.000000000 -0500
6020 +++ linux-2.6.37/arch/x86/boot/compressed/misc.c 2011-01-17 02:41:00.000000000 -0500
6021 @@ -306,7 +306,7 @@ static void parse_elf(void *output)
6022 case PT_LOAD:
6023 #ifdef CONFIG_RELOCATABLE
6024 dest = output;
6025 - dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
6026 + dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR);
6027 #else
6028 dest = (void *)(phdr->p_paddr);
6029 #endif
6030 @@ -359,7 +359,7 @@ asmlinkage void decompress_kernel(void *
6031 error("Destination address too large");
6032 #endif
6033 #ifndef CONFIG_RELOCATABLE
6034 - if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
6035 + if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR)
6036 error("Wrong destination address");
6037 #endif
6038
6039 diff -urNp linux-2.6.37/arch/x86/boot/compressed/mkpiggy.c linux-2.6.37/arch/x86/boot/compressed/mkpiggy.c
6040 --- linux-2.6.37/arch/x86/boot/compressed/mkpiggy.c 2011-01-04 19:50:19.000000000 -0500
6041 +++ linux-2.6.37/arch/x86/boot/compressed/mkpiggy.c 2011-01-17 02:41:00.000000000 -0500
6042 @@ -74,7 +74,7 @@ int main(int argc, char *argv[])
6043
6044 offs = (olen > ilen) ? olen - ilen : 0;
6045 offs += olen >> 12; /* Add 8 bytes for each 32K block */
6046 - offs += 32*1024 + 18; /* Add 32K + 18 bytes slack */
6047 + offs += 64*1024; /* Add 64K bytes slack */
6048 offs = (offs+4095) & ~4095; /* Round to a 4K boundary */
6049
6050 printf(".section \".rodata..compressed\",\"a\",@progbits\n");
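Review bot: `offs += 64*1024;` replaces the documented 32K + 18 bytes of slack with a new magic number whose comment only restates the value, so a later reader cannot tell what the extra headroom is for or whether 64K is a computed bound or a guess. Name the constant and record the derivation, e.g. `offs += 64*1024; /* slack: <reason 32K+18 was insufficient> */` with the actual reason filled in. main() continues outside this hunk.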
6051 diff -urNp linux-2.6.37/arch/x86/boot/compressed/relocs.c linux-2.6.37/arch/x86/boot/compressed/relocs.c
6052 --- linux-2.6.37/arch/x86/boot/compressed/relocs.c 2011-01-04 19:50:19.000000000 -0500
6053 +++ linux-2.6.37/arch/x86/boot/compressed/relocs.c 2011-01-17 02:41:00.000000000 -0500
6054 @@ -13,8 +13,11 @@
6055
6056 static void die(char *fmt, ...);
6057
6058 +#include "../../../../include/generated/autoconf.h"
6059 +
6060 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
6061 static Elf32_Ehdr ehdr;
6062 +static Elf32_Phdr *phdr;
6063 static unsigned long reloc_count, reloc_idx;
6064 static unsigned long *relocs;
6065
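Review bot: Pulling `../../../../include/generated/autoconf.h` into the host tool with a fixed relative path ties relocs.c to its position in the tree and bypasses the build system, which is how CONFIG_* values normally reach host programs (for example through HOSTCFLAGS), and the include lands after the `die` prototype rather than with the other includes. CONFIG_PAGE_OFFSET is the only symbol used from it below (in read_relocs), so passing that one value through the Makefile would be cleaner. In any case move the include to the top of the file with a comment naming which symbols it is there for.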
6066 @@ -270,9 +273,39 @@ static void read_ehdr(FILE *fp)
6067 }
6068 }
6069
6070 +static void read_phdrs(FILE *fp)
6071 +{
6072 + unsigned int i;
6073 +
6074 + phdr = calloc(ehdr.e_phnum, sizeof(Elf32_Phdr));
6075 + if (!phdr) {
6076 + die("Unable to allocate %d program headers\n",
6077 + ehdr.e_phnum);
6078 + }
6079 + if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
6080 + die("Seek to %d failed: %s\n",
6081 + ehdr.e_phoff, strerror(errno));
6082 + }
6083 + if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
6084 + die("Cannot read ELF program headers: %s\n",
6085 + strerror(errno));
6086 + }
6087 + for(i = 0; i < ehdr.e_phnum; i++) {
6088 + phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
6089 + phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
6090 + phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
6091 + phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
6092 + phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
6093 + phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
6094 + phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
6095 + phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
6096 + }
6097 +
6098 +}
6099 +
6100 static void read_shdrs(FILE *fp)
6101 {
6102 - int i;
6103 + unsigned int i;
6104 Elf32_Shdr shdr;
6105
6106 secs = calloc(ehdr.e_shnum, sizeof(struct section));
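Review bot: read_phdrs trusts `ehdr.e_phnum` and `ehdr.e_phoff` without checking `ehdr.e_phentsize == sizeof(Elf32_Phdr)`, which is the one invariant that makes `fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp)` correct; if read_ehdr does not already validate it (it is outside this hunk), add `if (ehdr.e_phentsize != sizeof(Elf32_Phdr)) die("Unsupported ELF program header size\n");` before the allocation. The seek-failure message passes the `Elf32_Off` `e_phoff` to `%d`; `%u` matches its type. The stray blank line before the closing brace and `for(i = 0;` without a space are minor style nits against the surrounding code.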
6107 @@ -307,7 +340,7 @@ static void read_shdrs(FILE *fp)
6108
6109 static void read_strtabs(FILE *fp)
6110 {
6111 - int i;
6112 + unsigned int i;
6113 for (i = 0; i < ehdr.e_shnum; i++) {
6114 struct section *sec = &secs[i];
6115 if (sec->shdr.sh_type != SHT_STRTAB) {
6116 @@ -332,7 +365,7 @@ static void read_strtabs(FILE *fp)
6117
6118 static void read_symtabs(FILE *fp)
6119 {
6120 - int i,j;
6121 + unsigned int i,j;
6122 for (i = 0; i < ehdr.e_shnum; i++) {
6123 struct section *sec = &secs[i];
6124 if (sec->shdr.sh_type != SHT_SYMTAB) {
6125 @@ -365,7 +398,9 @@ static void read_symtabs(FILE *fp)
6126
6127 static void read_relocs(FILE *fp)
6128 {
6129 - int i,j;
6130 + unsigned int i,j;
6131 + uint32_t base;
6132 +
6133 for (i = 0; i < ehdr.e_shnum; i++) {
6134 struct section *sec = &secs[i];
6135 if (sec->shdr.sh_type != SHT_REL) {
6136 @@ -385,9 +420,18 @@ static void read_relocs(FILE *fp)
6137 die("Cannot read symbol table: %s\n",
6138 strerror(errno));
6139 }
6140 + base = 0;
6141 + for (j = 0; j < ehdr.e_phnum; j++) {
6142 + if (phdr[j].p_type != PT_LOAD )
6143 + continue;
6144 + if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
6145 + continue;
6146 + base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
6147 + break;
6148 + }
6149 for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Rel); j++) {
6150 Elf32_Rel *rel = &sec->reltab[j];
6151 - rel->r_offset = elf32_to_cpu(rel->r_offset);
6152 + rel->r_offset = elf32_to_cpu(rel->r_offset) + base;
6153 rel->r_info = elf32_to_cpu(rel->r_info);
6154 }
6155 }
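Review bot: The segment search indexes `secs[sec->shdr.sh_info]` straight from the file without checking `sh_info < ehdr.e_shnum`, and nothing in the hunk says what `base` is meant to achieve, so the `CONFIG_PAGE_OFFSET + p_paddr - p_vaddr` adjustment applied to every r_offset has to be guessed at. The 160-column condition should be split and `PT_LOAD )` has a stray space. Suggested shape below: hoist the applies-to section into a checked local (declare `struct section *applies;` next to `base`), compare its `sh_offset` against the segment's file range on separate lines, and add a comment stating what the adjustment maps between. read_relocs continues outside this hunk.
```c
		if (sec->shdr.sh_info >= ehdr.e_shnum)
			die("Bad sh_info %u in section %u\n", sec->shdr.sh_info, i);
		applies = &secs[sec->shdr.sh_info];
		base = 0;
		for (j = 0; j < ehdr.e_phnum; j++) {
			if (phdr[j].p_type != PT_LOAD)
				continue;
			if (applies->shdr.sh_offset < phdr[j].p_offset ||
			    applies->shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
				continue;
			/* TODO(review): state what address spaces this adjustment maps between */
			base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
			break;
		}
		/* … unchanged: loop over the Elf32_Rel entries … */
```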
6156 @@ -396,14 +440,14 @@ static void read_relocs(FILE *fp)
6157
6158 static void print_absolute_symbols(void)
6159 {
6160 - int i;
6161 + unsigned int i;
6162 printf("Absolute symbols\n");
6163 printf(" Num: Value Size Type Bind Visibility Name\n");
6164 for (i = 0; i < ehdr.e_shnum; i++) {
6165 struct section *sec = &secs[i];
6166 char *sym_strtab;
6167 Elf32_Sym *sh_symtab;
6168 - int j;
6169 + unsigned int j;
6170
6171 if (sec->shdr.sh_type != SHT_SYMTAB) {
6172 continue;
6173 @@ -431,14 +475,14 @@ static void print_absolute_symbols(void)
6174
6175 static void print_absolute_relocs(void)
6176 {
6177 - int i, printed = 0;
6178 + unsigned int i, printed = 0;
6179
6180 for (i = 0; i < ehdr.e_shnum; i++) {
6181 struct section *sec = &secs[i];
6182 struct section *sec_applies, *sec_symtab;
6183 char *sym_strtab;
6184 Elf32_Sym *sh_symtab;
6185 - int j;
6186 + unsigned int j;
6187 if (sec->shdr.sh_type != SHT_REL) {
6188 continue;
6189 }
6190 @@ -499,13 +543,13 @@ static void print_absolute_relocs(void)
6191
6192 static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
6193 {
6194 - int i;
6195 + unsigned int i;
6196 /* Walk through the relocations */
6197 for (i = 0; i < ehdr.e_shnum; i++) {
6198 char *sym_strtab;
6199 Elf32_Sym *sh_symtab;
6200 struct section *sec_applies, *sec_symtab;
6201 - int j;
6202 + unsigned int j;
6203 struct section *sec = &secs[i];
6204
6205 if (sec->shdr.sh_type != SHT_REL) {
6206 @@ -530,6 +574,22 @@ static void walk_relocs(void (*visit)(El
6207 !is_rel_reloc(sym_name(sym_strtab, sym))) {
6208 continue;
6209 }
6210 + /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
6211 + if (!strcmp(sec_name(sym->st_shndx), ".data..percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
6212 + continue;
6213 +
6214 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
6215 + /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
6216 + if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
6217 + continue;
6218 + if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
6219 + continue;
6220 + if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
6221 + continue;
6222 + if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
6223 + continue;
6224 +#endif
6225 +
6226 switch (r_type) {
6227 case R_386_NONE:
6228 case R_386_PC32:
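Review bot: The new skip rules call `sec_name(sym->st_shndx)` up to five times and `sym_name(sym_strtab, sym)` three times per relocation, and mix `!strcmp(...)` with bare `strcmp(...)` in the same condition, which reads as "equal and not-equal" only on a second look. Hoist the two strings once, `const char *shname = sec_name(sym->st_shndx);` and `const char *symname = sym_name(sym_strtab, sym);`, and write the negative tests as `strcmp(symname, "__per_cpu_load") != 0`. The KERNEXEC comment explains the .text case but not why .init.text and .exit.text are skipped entirely while .text keeps __LOAD_PHYSICAL_ADDR; one sentence there would help. walk_relocs continues outside this hunk.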
6229 @@ -571,7 +631,7 @@ static int cmp_relocs(const void *va, co
6230
6231 static void emit_relocs(int as_text)
6232 {
6233 - int i;
6234 + unsigned int i;
6235 /* Count how many relocations I have and allocate space for them. */
6236 reloc_count = 0;
6237 walk_relocs(count_reloc);
6238 @@ -665,6 +725,7 @@ int main(int argc, char **argv)
6239 fname, strerror(errno));
6240 }
6241 read_ehdr(fp);
6242 + read_phdrs(fp);
6243 read_shdrs(fp);
6244 read_strtabs(fp);
6245 read_symtabs(fp);
6246 diff -urNp linux-2.6.37/arch/x86/boot/cpucheck.c linux-2.6.37/arch/x86/boot/cpucheck.c
6247 --- linux-2.6.37/arch/x86/boot/cpucheck.c 2011-01-04 19:50:19.000000000 -0500
6248 +++ linux-2.6.37/arch/x86/boot/cpucheck.c 2011-01-17 02:41:00.000000000 -0500
6249 @@ -74,7 +74,7 @@ static int has_fpu(void)
6250 u16 fcw = -1, fsw = -1;
6251 u32 cr0;
6252
6253 - asm("movl %%cr0,%0" : "=r" (cr0));
6254 + asm volatile("movl %%cr0,%0" : "=r" (cr0));
6255 if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
6256 cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
6257 asm volatile("movl %0,%%cr0" : : "r" (cr0));
6258 @@ -90,7 +90,7 @@ static int has_eflag(u32 mask)
6259 {
6260 u32 f0, f1;
6261
6262 - asm("pushfl ; "
6263 + asm volatile("pushfl ; "
6264 "pushfl ; "
6265 "popl %0 ; "
6266 "movl %0,%1 ; "
6267 @@ -115,7 +115,7 @@ static void get_flags(void)
6268 set_bit(X86_FEATURE_FPU, cpu.flags);
6269
6270 if (has_eflag(X86_EFLAGS_ID)) {
6271 - asm("cpuid"
6272 + asm volatile("cpuid"
6273 : "=a" (max_intel_level),
6274 "=b" (cpu_vendor[0]),
6275 "=d" (cpu_vendor[1]),
6276 @@ -124,7 +124,7 @@ static void get_flags(void)
6277
6278 if (max_intel_level >= 0x00000001 &&
6279 max_intel_level <= 0x0000ffff) {
6280 - asm("cpuid"
6281 + asm volatile("cpuid"
6282 : "=a" (tfms),
6283 "=c" (cpu.flags[4]),
6284 "=d" (cpu.flags[0])
6285 @@ -136,7 +136,7 @@ static void get_flags(void)
6286 cpu.model += ((tfms >> 16) & 0xf) << 4;
6287 }
6288
6289 - asm("cpuid"
6290 + asm volatile("cpuid"
6291 : "=a" (max_amd_level)
6292 : "a" (0x80000000)
6293 : "ebx", "ecx", "edx");
6294 @@ -144,7 +144,7 @@ static void get_flags(void)
6295 if (max_amd_level >= 0x80000001 &&
6296 max_amd_level <= 0x8000ffff) {
6297 u32 eax = 0x80000001;
6298 - asm("cpuid"
6299 + asm volatile("cpuid"
6300 : "+a" (eax),
6301 "=c" (cpu.flags[6]),
6302 "=d" (cpu.flags[1])
6303 @@ -203,9 +203,9 @@ int check_cpu(int *cpu_level_ptr, int *r
6304 u32 ecx = MSR_K7_HWCR;
6305 u32 eax, edx;
6306
6307 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6308 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6309 eax &= ~(1 << 15);
6310 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6311 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6312
6313 get_flags(); /* Make sure it really did something */
6314 err = check_flags();
6315 @@ -218,9 +218,9 @@ int check_cpu(int *cpu_level_ptr, int *r
6316 u32 ecx = MSR_VIA_FCR;
6317 u32 eax, edx;
6318
6319 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6320 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6321 eax |= (1<<1)|(1<<7);
6322 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6323 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6324
6325 set_bit(X86_FEATURE_CX8, cpu.flags);
6326 err = check_flags();
6327 @@ -231,12 +231,12 @@ int check_cpu(int *cpu_level_ptr, int *r
6328 u32 eax, edx;
6329 u32 level = 1;
6330
6331 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6332 - asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
6333 - asm("cpuid"
6334 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6335 + asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
6336 + asm volatile("cpuid"
6337 : "+a" (level), "=d" (cpu.flags[0])
6338 : : "ecx", "ebx");
6339 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6340 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6341
6342 err = check_flags();
6343 }
6344 diff -urNp linux-2.6.37/arch/x86/boot/header.S linux-2.6.37/arch/x86/boot/header.S
6345 --- linux-2.6.37/arch/x86/boot/header.S 2011-01-04 19:50:19.000000000 -0500
6346 +++ linux-2.6.37/arch/x86/boot/header.S 2011-01-17 02:41:00.000000000 -0500
6347 @@ -224,7 +224,7 @@ setup_data: .quad 0 # 64-bit physical
6348 # single linked list of
6349 # struct setup_data
6350
6351 -pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr
6352 +pref_address: .quad ____LOAD_PHYSICAL_ADDR # preferred load addr
6353
6354 #define ZO_INIT_SIZE (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
6355 #define VO_INIT_SIZE (VO__end - VO__text)
6356 diff -urNp linux-2.6.37/arch/x86/boot/memory.c linux-2.6.37/arch/x86/boot/memory.c
6357 --- linux-2.6.37/arch/x86/boot/memory.c 2011-01-04 19:50:19.000000000 -0500
6358 +++ linux-2.6.37/arch/x86/boot/memory.c 2011-01-17 02:41:00.000000000 -0500
6359 @@ -19,7 +19,7 @@
6360
6361 static int detect_memory_e820(void)
6362 {
6363 - int count = 0;
6364 + unsigned int count = 0;
6365 struct biosregs ireg, oreg;
6366 struct e820entry *desc = boot_params.e820_map;
6367 static struct e820entry buf; /* static so it is zeroed */
6368 diff -urNp linux-2.6.37/arch/x86/boot/video.c linux-2.6.37/arch/x86/boot/video.c
6369 --- linux-2.6.37/arch/x86/boot/video.c 2011-01-04 19:50:19.000000000 -0500
6370 +++ linux-2.6.37/arch/x86/boot/video.c 2011-01-17 02:41:00.000000000 -0500
6371 @@ -96,7 +96,7 @@ static void store_mode_params(void)
6372 static unsigned int get_entry(void)
6373 {
6374 char entry_buf[4];
6375 - int i, len = 0;
6376 + unsigned int i, len = 0;
6377 int key;
6378 unsigned int v;
6379
6380 diff -urNp linux-2.6.37/arch/x86/boot/video-vesa.c linux-2.6.37/arch/x86/boot/video-vesa.c
6381 --- linux-2.6.37/arch/x86/boot/video-vesa.c 2011-01-04 19:50:19.000000000 -0500
6382 +++ linux-2.6.37/arch/x86/boot/video-vesa.c 2011-01-17 02:41:00.000000000 -0500
6383 @@ -200,6 +200,7 @@ static void vesa_store_pm_info(void)
6384
6385 boot_params.screen_info.vesapm_seg = oreg.es;
6386 boot_params.screen_info.vesapm_off = oreg.di;
6387 + boot_params.screen_info.vesapm_size = oreg.cx;
6388 }
6389
6390 /*
6391 diff -urNp linux-2.6.37/arch/x86/ia32/ia32_aout.c linux-2.6.37/arch/x86/ia32/ia32_aout.c
6392 --- linux-2.6.37/arch/x86/ia32/ia32_aout.c 2011-01-04 19:50:19.000000000 -0500
6393 +++ linux-2.6.37/arch/x86/ia32/ia32_aout.c 2011-01-17 02:41:00.000000000 -0500
6394 @@ -162,6 +162,8 @@ static int aout_core_dump(long signr, st
6395 unsigned long dump_start, dump_size;
6396 struct user32 dump;
6397
6398 + memset(&dump, 0, sizeof(dump));
6399 +
6400 fs = get_fs();
6401 set_fs(KERNEL_DS);
6402 has_dumped = 1;
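Review bot: The `memset(&dump, 0, sizeof(dump));` is the right fix but carries no comment, and because `dump` is a `struct user32` on the stack that the rest of the function fills in and writes out, the reason matters: any field or padding byte the dump code does not set would otherwise carry uninitialised kernel stack contents into the core file. Add `/* zero the whole struct: padding and unfilled fields must not leak stack contents into the core dump */` above it. aout_core_dump continues outside the hunk, so the later fill-in is not visible here; this assumes it does not cover every byte.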
6403 diff -urNp linux-2.6.37/arch/x86/ia32/ia32entry.S linux-2.6.37/arch/x86/ia32/ia32entry.S
6404 --- linux-2.6.37/arch/x86/ia32/ia32entry.S 2011-01-04 19:50:19.000000000 -0500
6405 +++ linux-2.6.37/arch/x86/ia32/ia32entry.S 2011-01-17 02:41:00.000000000 -0500
6406 @@ -13,6 +13,7 @@
6407 #include <asm/thread_info.h>
6408 #include <asm/segment.h>
6409 #include <asm/irqflags.h>
6410 +#include <asm/pgtable.h>
6411 #include <linux/linkage.h>
6412
6413 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
6414 @@ -120,6 +121,11 @@ ENTRY(ia32_sysenter_target)
6415 SWAPGS_UNSAFE_STACK
6416 movq PER_CPU_VAR(kernel_stack), %rsp
6417 addq $(KERNEL_STACK_OFFSET),%rsp
6418 +
6419 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6420 + call pax_enter_kernel_user
6421 +#endif
6422 +
6423 /*
6424 * No need to follow this irqs on/off section: the syscall
6425 * disabled irqs, here we enable it straight after entry:
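Review bot: `call pax_enter_kernel_user` is inserted before SAVE_ARGS (which only appears in the next hunk), so at this point the user's syscall number and arguments are still live in the registers the compat ABI uses (rax, rbx, rcx, rdx, rsi, rdi, rbp here); the callee therefore has to preserve all of them and nothing at the call site says so. The same ordering holds for the ia32_cstar_target hunk (`@@ -290`) and the ia32_syscall hunk (`@@ -415`). Add `/* must preserve every syscall argument register: SAVE_ARGS has not run yet */` at each call, and since the call pushes a return address onto the freshly switched kernel stack, confirm the CFI annotations around it still describe the frame. The PAX_USER_SHADOW_BASE adjustments use %r10 as scratch, which is presumably fine only because a later GET_THREAD_INFO reloads it; that is outside the hunks.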
6426 @@ -150,6 +156,12 @@ ENTRY(ia32_sysenter_target)
6427 SAVE_ARGS 0,0,1
6428 /* no need to do an access_ok check here because rbp has been
6429 32bit zero extended */
6430 +
6431 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6432 + mov $PAX_USER_SHADOW_BASE,%r10
6433 + add %r10,%rbp
6434 +#endif
6435 +
6436 1: movl (%rbp),%ebp
6437 .section __ex_table,"a"
6438 .quad 1b,ia32_badarg
6439 @@ -172,6 +184,11 @@ sysenter_dispatch:
6440 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
6441 jnz sysexit_audit
6442 sysexit_from_sys_call:
6443 +
6444 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6445 + call pax_exit_kernel_user
6446 +#endif
6447 +
6448 andl $~TS_COMPAT,TI_status(%r10)
6449 /* clear IF, that popfq doesn't enable interrupts early */
6450 andl $~0x200,EFLAGS-R11(%rsp)
6451 @@ -290,6 +307,11 @@ ENTRY(ia32_cstar_target)
6452 movl %esp,%r8d
6453 CFI_REGISTER rsp,r8
6454 movq PER_CPU_VAR(kernel_stack),%rsp
6455 +
6456 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6457 + call pax_enter_kernel_user
6458 +#endif
6459 +
6460 /*
6461 * No need to follow this irqs on/off section: the syscall
6462 * disabled irqs and here we enable it straight after entry:
6463 @@ -311,6 +333,12 @@ ENTRY(ia32_cstar_target)
6464 /* no need to do an access_ok check here because r8 has been
6465 32bit zero extended */
6466 /* hardware stack frame is complete now */
6467 +
6468 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6469 + mov $PAX_USER_SHADOW_BASE,%r10
6470 + add %r10,%r8
6471 +#endif
6472 +
6473 1: movl (%r8),%r9d
6474 .section __ex_table,"a"
6475 .quad 1b,ia32_badarg
6476 @@ -333,6 +361,11 @@ cstar_dispatch:
6477 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
6478 jnz sysretl_audit
6479 sysretl_from_sys_call:
6480 +
6481 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6482 + call pax_exit_kernel_user
6483 +#endif
6484 +
6485 andl $~TS_COMPAT,TI_status(%r10)
6486 RESTORE_ARGS 1,-ARG_SKIP,1,1,1
6487 movl RIP-ARGOFFSET(%rsp),%ecx
6488 @@ -415,6 +448,11 @@ ENTRY(ia32_syscall)
6489 CFI_REL_OFFSET rip,RIP-RIP
6490 PARAVIRT_ADJUST_EXCEPTION_FRAME
6491 SWAPGS
6492 +
6493 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6494 + call pax_enter_kernel_user
6495 +#endif
6496 +
6497 /*
6498 * No need to follow this irqs on/off section: the syscall
6499 * disabled irqs and here we enable it straight after entry:
6500 diff -urNp linux-2.6.37/arch/x86/ia32/ia32_signal.c linux-2.6.37/arch/x86/ia32/ia32_signal.c
6501 --- linux-2.6.37/arch/x86/ia32/ia32_signal.c 2011-01-04 19:50:19.000000000 -0500
6502 +++ linux-2.6.37/arch/x86/ia32/ia32_signal.c 2011-01-17 02:41:00.000000000 -0500
6503 @@ -403,7 +403,7 @@ static void __user *get_sigframe(struct
6504 sp -= frame_size;
6505 /* Align the stack pointer according to the i386 ABI,
6506 * i.e. so that on function entry ((sp + 4) & 15) == 0. */
6507 - sp = ((sp + 4) & -16ul) - 4;
6508 + sp = ((sp - 12) & -16ul) - 4;
6509 return (void __user *) sp;
6510 }
6511
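Review bot: `sp = ((sp - 12) & -16ul) - 4;` now always lands at least 16 bytes below the incoming sp, whereas the old `((sp + 4) & -16ul) - 4` left sp untouched when it already satisfied the ABI (sp ≡ 12 mod 16), yet the comment above still describes only the alignment rule. If the extra headroom is intentional, say so; if not, the old expression was the tighter one. Suggested wording: `/* Align per the i386 ABI ((sp + 4) & 15 == 0) and always drop at least 16 bytes below the current sp */`, with the reason for the latter filled in.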
6512 @@ -461,7 +461,7 @@ int ia32_setup_frame(int sig, struct k_s
6513 * These are actually not used anymore, but left because some
6514 * gdb versions depend on them as a marker.
6515 */
6516 - put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
6517 + put_user_ex(*((const u64 *)&code), (u64 *)frame->retcode);
6518 } put_user_catch(err);
6519
6520 if (err)
6521 @@ -503,7 +503,7 @@ int ia32_setup_rt_frame(int sig, struct
6522 0xb8,
6523 __NR_ia32_rt_sigreturn,
6524 0x80cd,
6525 - 0,
6526 + 0
6527 };
6528
6529 frame = get_sigframe(ka, regs, sizeof(*frame), &fpstate);
6530 @@ -533,16 +533,18 @@ int ia32_setup_rt_frame(int sig, struct
6531
6532 if (ka->sa.sa_flags & SA_RESTORER)
6533 restorer = ka->sa.sa_restorer;
6534 + else if (current->mm->context.vdso)
6535 + /* Return stub is in 32bit vsyscall page */
6536 + restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
6537 else
6538 - restorer = VDSO32_SYMBOL(current->mm->context.vdso,
6539 - rt_sigreturn);
6540 + restorer = &frame->retcode;
6541 put_user_ex(ptr_to_compat(restorer), &frame->pretcode);
6542
6543 /*
6544 * Not actually used anymore, but left because some gdb
6545 * versions need it.
6546 */
6547 - put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
6548 + put_user_ex(*((const u64 *)&code), (u64 *)frame->retcode);
6549 } put_user_catch(err);
6550
6551 if (err)
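Review bot: With `restorer = &frame->retcode;` the on-stack return trampoline becomes the live sigreturn path whenever no vdso is mapped, but the comment three lines below still says the retcode bytes are "not actually used anymore, but left because some gdb versions need it", which is now wrong for that branch. Update it to `/* Used as the return trampoline when no vdso is mapped; otherwise kept only as a marker for gdb. */`. That path also requires the signal frame to be executable, or the trampoline to be emulated, for the process to survive the return from its handler; nothing in this hunk provides that, so a note at the `else` naming which mechanism does would help the next reader.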
6552 diff -urNp linux-2.6.37/arch/x86/include/asm/alternative.h linux-2.6.37/arch/x86/include/asm/alternative.h
6553 --- linux-2.6.37/arch/x86/include/asm/alternative.h 2011-01-04 19:50:19.000000000 -0500
6554 +++ linux-2.6.37/arch/x86/include/asm/alternative.h 2011-01-17 02:41:00.000000000 -0500
6555 @@ -93,7 +93,7 @@ static inline int alternatives_text_rese
6556 ".section .discard,\"aw\",@progbits\n" \
6557 " .byte 0xff + (664f-663f) - (662b-661b)\n" /* rlen <= slen */ \
6558 ".previous\n" \
6559 - ".section .altinstr_replacement, \"ax\"\n" \
6560 + ".section .altinstr_replacement, \"a\"\n" \
6561 "663:\n\t" newinstr "\n664:\n" /* replacement */ \
6562 ".previous"
6563
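Review bot: Dropping the `x` from the `.altinstr_replacement` section flags changes a long-standing linker input without a comment; the reader has to know that the bytes between 663 and 664 are copied into place by the alternatives patcher and never executed from this section to see that it is safe. Record that next to the string, `/* replacement bytes are copied by the patcher, never executed here, so the section need not be "ax" */`. If any path does jump into the section directly this would fault on a kernel that enforces non-executable data; the patcher is not visible from this hunk.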
6564 diff -urNp linux-2.6.37/arch/x86/include/asm/apm.h linux-2.6.37/arch/x86/include/asm/apm.h
6565 --- linux-2.6.37/arch/x86/include/asm/apm.h 2011-01-04 19:50:19.000000000 -0500
6566 +++ linux-2.6.37/arch/x86/include/asm/apm.h 2011-01-17 02:41:00.000000000 -0500
6567 @@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32
6568 __asm__ __volatile__(APM_DO_ZERO_SEGS
6569 "pushl %%edi\n\t"
6570 "pushl %%ebp\n\t"
6571 - "lcall *%%cs:apm_bios_entry\n\t"
6572 + "lcall *%%ss:apm_bios_entry\n\t"
6573 "setc %%al\n\t"
6574 "popl %%ebp\n\t"
6575 "popl %%edi\n\t"
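Review bot: Both `lcall *%%cs:apm_bios_entry` → `lcall *%%ss:apm_bios_entry` changes (this hunk and `@@ -58`) rest on an assumption that is nowhere stated: the indirect operand is read through the named segment, so this is sound only if %ss is guaranteed a flat base that %cs may no longer have, presumably under KERNEXEC. Put the reason on the line, `/* fetch the entry pointer via %ss: %cs may carry a non-zero base */`, so the next person does not revert it as a typo. Both apm_bios_call_asm and apm_bios_call_simple_asm start outside these hunks.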
6576 @@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_as
6577 __asm__ __volatile__(APM_DO_ZERO_SEGS
6578 "pushl %%edi\n\t"
6579 "pushl %%ebp\n\t"
6580 - "lcall *%%cs:apm_bios_entry\n\t"
6581 + "lcall *%%ss:apm_bios_entry\n\t"
6582 "setc %%bl\n\t"
6583 "popl %%ebp\n\t"
6584 "popl %%edi\n\t"
6585 diff -urNp linux-2.6.37/arch/x86/include/asm/atomic64_32.h linux-2.6.37/arch/x86/include/asm/atomic64_32.h
6586 --- linux-2.6.37/arch/x86/include/asm/atomic64_32.h 2011-01-04 19:50:19.000000000 -0500
6587 +++ linux-2.6.37/arch/x86/include/asm/atomic64_32.h 2011-01-17 02:41:00.000000000 -0500
6588 @@ -12,6 +12,14 @@ typedef struct {
6589 u64 __aligned(8) counter;
6590 } atomic64_t;
6591
6592 +#ifdef CONFIG_PAX_REFCOUNT
6593 +typedef struct {
6594 + u64 __aligned(8) counter;
6595 +} atomic64_unchecked_t;
6596 +#else
6597 +typedef atomic64_t atomic64_unchecked_t;
6598 +#endif
6599 +
6600 #define ATOMIC64_INIT(val) { (val) }
6601
6602 #ifdef CONFIG_X86_CMPXCHG64
6603 diff -urNp linux-2.6.37/arch/x86/include/asm/atomic64_64.h linux-2.6.37/arch/x86/include/asm/atomic64_64.h
6604 --- linux-2.6.37/arch/x86/include/asm/atomic64_64.h 2011-01-04 19:50:19.000000000 -0500
6605 +++ linux-2.6.37/arch/x86/include/asm/atomic64_64.h 2011-01-17 02:41:00.000000000 -0500
6606 @@ -18,7 +18,19 @@
6607 */
6608 static inline long atomic64_read(const atomic64_t *v)
6609 {
6610 - return (*(volatile long *)&(v)->counter);
6611 + return (*(volatile const long *)&(v)->counter);
6612 +}
6613 +
6614 +/**
6615 + * atomic64_read_unchecked - read atomic64 variable
6616 + * @v: pointer of type atomic64_unchecked_t
6617 + *
6618 + * Atomically reads the value of @v.
6619 + * Doesn't imply a read memory barrier.
6620 + */
6621 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
6622 +{
6623 + return (*(volatile const long *)&(v)->counter);
6624 }
6625
6626 /**
6627 @@ -34,6 +46,18 @@ static inline void atomic64_set(atomic64
6628 }
6629
6630 /**
6631 + * atomic64_set_unchecked - set atomic64 variable
6632 + * @v: pointer to type atomic64_unchecked_t
6633 + * @i: required value
6634 + *
6635 + * Atomically sets the value of @v to @i.
6636 + */
6637 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
6638 +{
6639 + v->counter = i;
6640 +}
6641 +
6642 +/**
6643 * atomic64_add - add integer to atomic64 variable
6644 * @i: integer value to add
6645 * @v: pointer to type atomic64_t
6646 @@ -42,6 +66,28 @@ static inline void atomic64_set(atomic64
6647 */
6648 static inline void atomic64_add(long i, atomic64_t *v)
6649 {
6650 + asm volatile(LOCK_PREFIX "addq %1,%0\n"
6651 +
6652 +#ifdef CONFIG_PAX_REFCOUNT
6653 + "jno 0f\n"
6654 + LOCK_PREFIX "subq %1,%0\n"
6655 + "int $4\n0:\n"
6656 + _ASM_EXTABLE(0b, 0b)
6657 +#endif
6658 +
6659 + : "=m" (v->counter)
6660 + : "er" (i), "m" (v->counter));
6661 +}
6662 +
6663 +/**
6664 + * atomic64_add_unchecked - add integer to atomic64 variable
6665 + * @i: integer value to add
6666 + * @v: pointer to type atomic64_unchecked_t
6667 + *
6668 + * Atomically adds @i to @v.
6669 + */
6670 +static inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
6671 +{
6672 asm volatile(LOCK_PREFIX "addq %1,%0"
6673 : "=m" (v->counter)
6674 : "er" (i), "m" (v->counter));
6675 @@ -56,7 +102,29 @@ static inline void atomic64_add(long i,
6676 */
6677 static inline void atomic64_sub(long i, atomic64_t *v)
6678 {
6679 - asm volatile(LOCK_PREFIX "subq %1,%0"
6680 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
6681 +
6682 +#ifdef CONFIG_PAX_REFCOUNT
6683 + "jno 0f\n"
6684 + LOCK_PREFIX "addq %1,%0\n"
6685 + "int $4\n0:\n"
6686 + _ASM_EXTABLE(0b, 0b)
6687 +#endif
6688 +
6689 + : "=m" (v->counter)
6690 + : "er" (i), "m" (v->counter));
6691 +}
6692 +
6693 +/**
6694 + * atomic64_sub_unchecked - subtract the atomic64 variable
6695 + * @i: integer value to subtract
6696 + * @v: pointer to type atomic64_unchecked_t
6697 + *
6698 + * Atomically subtracts @i from @v.
6699 + */
6700 +static inline void atomic64_sub_unchecked(long i, atomic64_unchecked_t *v)
6701 +{
6702 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
6703 : "=m" (v->counter)
6704 : "er" (i), "m" (v->counter));
6705 }
6706 @@ -74,7 +142,16 @@ static inline int atomic64_sub_and_test(
6707 {
6708 unsigned char c;
6709
6710 - asm volatile(LOCK_PREFIX "subq %2,%0; sete %1"
6711 + asm volatile(LOCK_PREFIX "subq %2,%0\n"
6712 +
6713 +#ifdef CONFIG_PAX_REFCOUNT
6714 + "jno 0f\n"
6715 + LOCK_PREFIX "addq %2,%0\n"
6716 + "int $4\n0:\n"
6717 + _ASM_EXTABLE(0b, 0b)
6718 +#endif
6719 +
6720 + "sete %1\n"
6721 : "=m" (v->counter), "=qm" (c)
6722 : "er" (i), "m" (v->counter) : "memory");
6723 return c;
6724 @@ -88,6 +165,27 @@ static inline int atomic64_sub_and_test(
6725 */
6726 static inline void atomic64_inc(atomic64_t *v)
6727 {
6728 + asm volatile(LOCK_PREFIX "incq %0\n"
6729 +
6730 +#ifdef CONFIG_PAX_REFCOUNT
6731 + "jno 0f\n"
6732 + LOCK_PREFIX "decq %0\n"
6733 + "int $4\n0:\n"
6734 + _ASM_EXTABLE(0b, 0b)
6735 +#endif
6736 +
6737 + : "=m" (v->counter)
6738 + : "m" (v->counter));
6739 +}
6740 +
6741 +/**
6742 + * atomic64_inc_unchecked - increment atomic64 variable
6743 + * @v: pointer to type atomic64_unchecked_t
6744 + *
6745 + * Atomically increments @v by 1.
6746 + */
6747 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
6748 +{
6749 asm volatile(LOCK_PREFIX "incq %0"
6750 : "=m" (v->counter)
6751 : "m" (v->counter));
6752 @@ -101,7 +199,28 @@ static inline void atomic64_inc(atomic64
6753 */
6754 static inline void atomic64_dec(atomic64_t *v)
6755 {
6756 - asm volatile(LOCK_PREFIX "decq %0"
6757 + asm volatile(LOCK_PREFIX "decq %0\n"
6758 +
6759 +#ifdef CONFIG_PAX_REFCOUNT
6760 + "jno 0f\n"
6761 + LOCK_PREFIX "incq %0\n"
6762 + "int $4\n0:\n"
6763 + _ASM_EXTABLE(0b, 0b)
6764 +#endif
6765 +
6766 + : "=m" (v->counter)
6767 + : "m" (v->counter));
6768 +}
6769 +
6770 +/**
6771 + * atomic64_dec_unchecked - decrement atomic64 variable
6772 + * @v: pointer to type atomic64_t
6773 + *
6774 + * Atomically decrements @v by 1.
6775 + */
6776 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
6777 +{
6778 + asm volatile(LOCK_PREFIX "decq %0\n"
6779 : "=m" (v->counter)
6780 : "m" (v->counter));
6781 }
6782 @@ -118,7 +237,16 @@ static inline int atomic64_dec_and_test(
6783 {
6784 unsigned char c;
6785
6786 - asm volatile(LOCK_PREFIX "decq %0; sete %1"
6787 + asm volatile(LOCK_PREFIX "decq %0\n"
6788 +
6789 +#ifdef CONFIG_PAX_REFCOUNT
6790 + "jno 0f\n"
6791 + LOCK_PREFIX "incq %0\n"
6792 + "int $4\n0:\n"
6793 + _ASM_EXTABLE(0b, 0b)
6794 +#endif
6795 +
6796 + "sete %1\n"
6797 : "=m" (v->counter), "=qm" (c)
6798 : "m" (v->counter) : "memory");
6799 return c != 0;
6800 @@ -136,7 +264,16 @@ static inline int atomic64_inc_and_test(
6801 {
6802 unsigned char c;
6803
6804 - asm volatile(LOCK_PREFIX "incq %0; sete %1"
6805 + asm volatile(LOCK_PREFIX "incq %0\n"
6806 +
6807 +#ifdef CONFIG_PAX_REFCOUNT
6808 + "jno 0f\n"
6809 + LOCK_PREFIX "decq %0\n"
6810 + "int $4\n0:\n"
6811 + _ASM_EXTABLE(0b, 0b)
6812 +#endif
6813 +
6814 + "sete %1\n"
6815 : "=m" (v->counter), "=qm" (c)
6816 : "m" (v->counter) : "memory");
6817 return c != 0;
6818 @@ -155,7 +292,16 @@ static inline int atomic64_add_negative(
6819 {
6820 unsigned char c;
6821
6822 - asm volatile(LOCK_PREFIX "addq %2,%0; sets %1"
6823 + asm volatile(LOCK_PREFIX "addq %2,%0\n"
6824 +
6825 +#ifdef CONFIG_PAX_REFCOUNT
6826 + "jno 0f\n"
6827 + LOCK_PREFIX "subq %2,%0\n"
6828 + "int $4\n0:\n"
6829 + _ASM_EXTABLE(0b, 0b)
6830 +#endif
6831 +
6832 + "sets %1\n"
6833 : "=m" (v->counter), "=qm" (c)
6834 : "er" (i), "m" (v->counter) : "memory");
6835 return c;
6836 @@ -171,7 +317,31 @@ static inline int atomic64_add_negative(
6837 static inline long atomic64_add_return(long i, atomic64_t *v)
6838 {
6839 long __i = i;
6840 - asm volatile(LOCK_PREFIX "xaddq %0, %1;"
6841 + asm volatile(LOCK_PREFIX "xaddq %0, %1\n"
6842 +
6843 +#ifdef CONFIG_PAX_REFCOUNT
6844 + "jno 0f\n"
6845 + "movq %0, %1\n"
6846 + "int $4\n0:\n"
6847 + _ASM_EXTABLE(0b, 0b)
6848 +#endif
6849 +
6850 + : "+r" (i), "+m" (v->counter)
6851 + : : "memory");
6852 + return i + __i;
6853 +}
6854 +
6855 +/**
6856 + * atomic64_add_return_unchecked - add and return
6857 + * @i: integer value to add
6858 + * @v: pointer to type atomic64_unchecked_t
6859 + *
6860 + * Atomically adds @i to @v and returns @i + @v
6861 + */
6862 +static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
6863 +{
6864 + long __i = i;
6865 + asm volatile(LOCK_PREFIX "xaddq %0, %1"
6866 : "+r" (i), "+m" (v->counter)
6867 : : "memory");
6868 return i + __i;
6869 @@ -183,6 +353,10 @@ static inline long atomic64_sub_return(l
6870 }
6871
6872 #define atomic64_inc_return(v) (atomic64_add_return(1, (v)))
6873 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
6874 +{
6875 + return atomic64_add_return_unchecked(1, v);
6876 +}
6877 #define atomic64_dec_return(v) (atomic64_sub_return(1, (v)))
6878
6879 static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
6880 @@ -206,17 +380,30 @@ static inline long atomic64_xchg(atomic6
6881 */
6882 static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
6883 {
6884 - long c, old;
6885 + long c, old, new;
6886 c = atomic64_read(v);
6887 for (;;) {
6888 - if (unlikely(c == (u)))
6889 + if (unlikely(c == u))
6890 break;
6891 - old = atomic64_cmpxchg((v), c, c + (a));
6892 +
6893 + asm volatile("add %2,%0\n"
6894 +
6895 +#ifdef CONFIG_PAX_REFCOUNT
6896 + "jno 0f\n"
6897 + "sub %2,%0\n"
6898 + "int $4\n0:\n"
6899 + _ASM_EXTABLE(0b, 0b)
6900 +#endif
6901 +
6902 + : "=r" (new)
6903 + : "0" (c), "ir" (a));
6904 +
6905 + old = atomic64_cmpxchg(v, c, new);
6906 if (likely(old == c))
6907 break;
6908 c = old;
6909 }
6910 - return c != (u);
6911 + return c != u;
6912 }
6913
6914 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
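--- a/linux-2.6.37/arch/x86/include/asm/atomic.h
+++ b/linux-2.6.37/arch/x86/include/asm/atomic.h
@@ -22,7 +22,18 @@
 */
 static inline int atomic_read(const atomic_t *v)
 {
- return (*(volatile int *)&(v)->counter);
+ return (*(volatile const int *)&(v)->counter);
+}
+
+/**
+ * atomic_read_unchecked - read atomic variable
+ * @v: pointer of type atomic_unchecked_t
+ *
+ * Atomically reads the value of @v.
+ */
+static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
+{
+ return (*(volatile const int *)&(v)->counter);
 }
 
 /**
@@ -38,6 +49,18 @@ static inline void atomic_set(atomic_t *
 }
 
 /**
+ * atomic_set_unchecked - set atomic variable
+ * @v: pointer of type atomic_unchecked_t
+ * @i: required value
+ *
+ * Atomically sets the value of @v to @i.
+ */
+static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
+{
+ v->counter = i;
+}
+
+/**
 * atomic_add - add integer to atomic variable
 * @i: integer value to add
 * @v: pointer of type atomic_t
@@ -46,7 +69,29 @@ static inline void atomic_set(atomic_t *
 */
 static inline void atomic_add(int i, atomic_t *v)
 {
- asm volatile(LOCK_PREFIX "addl %1,%0"
+ asm volatile(LOCK_PREFIX "addl %1,%0\n"
+
+#ifdef CONFIG_PAX_REFCOUNT
+ "jno 0f\n"
+ LOCK_PREFIX "subl %1,%0\n"
+ "int $4\n0:\n"
+ _ASM_EXTABLE(0b, 0b)
+#endif
+
+ : "+m" (v->counter)
+ : "ir" (i));
+}
+
+/**
+ * atomic_add_unchecked - add integer to atomic variable
+ * @i: integer value to add
+ * @v: pointer of type atomic_unchecked_t
+ *
+ * Atomically adds @i to @v.
+ */
+static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
+{
+ asm volatile(LOCK_PREFIX "addl %1,%0\n"
 : "+m" (v->counter)
 : "ir" (i));
 }
@@ -60,7 +105,29 @@ static inline void atomic_add(int i, ato
 */
 static inline void atomic_sub(int i, atomic_t *v)
 {
- asm volatile(LOCK_PREFIX "subl %1,%0"
+ asm volatile(LOCK_PREFIX "subl %1,%0\n"
+
+#ifdef CONFIG_PAX_REFCOUNT
+ "jno 0f\n"
+ LOCK_PREFIX "addl %1,%0\n"
+ "int $4\n0:\n"
+ _ASM_EXTABLE(0b, 0b)
+#endif
+
+ : "+m" (v->counter)
+ : "ir" (i));
+}
+
+/**
+ * atomic_sub_unchecked - subtract integer from atomic variable
+ * @i: integer value to subtract
+ * @v: pointer of type atomic_t
+ *
+ * Atomically subtracts @i from @v.
+ */
+static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
+{
+ asm volatile(LOCK_PREFIX "subl %1,%0\n"
 : "+m" (v->counter)
 : "ir" (i));
 }
@@ -78,7 +145,16 @@ static inline int atomic_sub_and_test(in
 {
 unsigned char c;
 
- asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
+ asm volatile(LOCK_PREFIX "subl %2,%0\n"
+
+#ifdef CONFIG_PAX_REFCOUNT
+ "jno 0f\n"
+ LOCK_PREFIX "addl %2,%0\n"
+ "int $4\n0:\n"
+ _ASM_EXTABLE(0b, 0b)
+#endif
+
+ "sete %1\n"
 : "+m" (v->counter), "=qm" (c)
 : "ir" (i) : "memory");
 return c;
@@ -92,7 +168,27 @@ static inline int atomic_sub_and_test(in
 */
 static inline void atomic_inc(atomic_t *v)
 {
- asm volatile(LOCK_PREFIX "incl %0"
+ asm volatile(LOCK_PREFIX "incl %0\n"
+
+#ifdef CONFIG_PAX_REFCOUNT
+ "jno 0f\n"
+ LOCK_PREFIX "decl %0\n"
+ "int $4\n0:\n"
+ _ASM_EXTABLE(0b, 0b)
+#endif
+
+ : "+m" (v->counter));
+}
+
+/**
+ * atomic_inc_unchecked - increment atomic variable
+ * @v: pointer of type atomic_unchecked_t
+ *
+ * Atomically increments @v by 1.
+ */
+static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
+{
+ asm volatile(LOCK_PREFIX "incl %0\n"
 : "+m" (v->counter));
 }
 
@@ -104,7 +200,27 @@ static inline void atomic_inc(atomic_t *
 */
 static inline void atomic_dec(atomic_t *v)
 {
- asm volatile(LOCK_PREFIX "decl %0"
+ asm volatile(LOCK_PREFIX "decl %0\n"
+
+#ifdef CONFIG_PAX_REFCOUNT
+ "jno 0f\n"
+ LOCK_PREFIX "incl %0\n"
+ "int $4\n0:\n"
+ _ASM_EXTABLE(0b, 0b)
+#endif
+
+ : "+m" (v->counter));
+}
+
+/**
+ * atomic_dec_unchecked - decrement atomic variable
+ * @v: pointer of type atomic_t
+ *
+ * Atomically decrements @v by 1.
+ */
+static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
+{
+ asm volatile(LOCK_PREFIX "decl %0\n"
 : "+m" (v->counter));
 }
 
@@ -120,7 +236,16 @@ static inline int atomic_dec_and_test(at
 {
 unsigned char c;
 
- asm volatile(LOCK_PREFIX "decl %0; sete %1"
+ asm volatile(LOCK_PREFIX "decl %0\n"
+
+#ifdef CONFIG_PAX_REFCOUNT
+ "jno 0f\n"
+ LOCK_PREFIX "incl %0\n"
+ "int $4\n0:\n"
+ _ASM_EXTABLE(0b, 0b)
+#endif
+
+ "sete %1\n"
 : "+m" (v->counter), "=qm" (c)
 : : "memory");
 return c != 0;
@@ -138,7 +263,16 @@ static inline int atomic_inc_and_test(at
 {
 unsigned char c;
 
- asm volatile(LOCK_PREFIX "incl %0; sete %1"
+ asm volatile(LOCK_PREFIX "incl %0\n"
+
+#ifdef CONFIG_PAX_REFCOUNT
+ "jno 0f\n"
+ LOCK_PREFIX "decl %0\n"
+ "int $4\n0:\n"
+ _ASM_EXTABLE(0b, 0b)
+#endif
+
+ "sete %1\n"
 : "+m" (v->counter), "=qm" (c)
 : : "memory");
 return c != 0;
@@ -157,7 +291,16 @@ static inline int atomic_add_negative(in
 {
 unsigned char c;
 
- asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
+ asm volatile(LOCK_PREFIX "addl %2,%0\n"
+
+#ifdef CONFIG_PAX_REFCOUNT
+ "jno 0f\n"
+ LOCK_PREFIX "subl %2,%0\n"
+ "int $4\n0:\n"
+ _ASM_EXTABLE(0b, 0b)
+#endif
+
+ "sets %1\n"
 : "+m" (v->counter), "=qm" (c)
 : "ir" (i) : "memory");
 return c;
@@ -180,6 +323,46 @@ static inline int atomic_add_return(int
 #endif
 /* Modern 486+ processor */
 __i = i;
+ asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
+
+#ifdef CONFIG_PAX_REFCOUNT
+ "jno 0f\n"
+ "movl %0, %1\n"
+ "int $4\n0:\n"
+ _ASM_EXTABLE(0b, 0b)
+#endif
+
+ : "+r" (i), "+m" (v->counter)
+ : : "memory");
+ return i + __i;
+
+#ifdef CONFIG_M386
+no_xadd: /* Legacy 386 processor */
+ local_irq_save(flags);
+ __i = atomic_read(v);
+ atomic_set(v, i + __i);
+ local_irq_restore(flags);
+ return i + __i;
+#endif
+}
+
+/**
+ * atomic_add_return_unchecked - add integer and return
+ * @v: pointer of type atomic_unchecked_t
+ * @i: integer value to add
+ *
+ * Atomically adds @i to @v and returns @i + @v
+ */
+static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
+{
+ int __i;
+#ifdef CONFIG_M386
+ unsigned long flags;
+ if (unlikely(boot_cpu_data.x86 <= 3))
+ goto no_xadd;
+#endif
+ /* Modern 486+ processor */
+ __i = i;
 asm volatile(LOCK_PREFIX "xaddl %0, %1"
 : "+r" (i), "+m" (v->counter)
 : : "memory");
@@ -208,6 +391,10 @@ static inline int atomic_sub_return(int
 }
 
 #define atomic_inc_return(v) (atomic_add_return(1, v))
+static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
+{
+ return atomic_add_return_unchecked(1, v);
+}
 #define atomic_dec_return(v) (atomic_sub_return(1, v))
 
 static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
@@ -231,17 +418,30 @@ static inline int atomic_xchg(atomic_t *
 */
 static inline int atomic_add_unless(atomic_t *v, int a, int u)
 {
- int c, old;
+ int c, old, new;
 c = atomic_read(v);
 for (;;) {
- if (unlikely(c == (u)))
+ if (unlikely(c == u))
 break;
- old = atomic_cmpxchg((v), c, c + (a));
+
+ asm volatile("addl %2,%0\n"
+
+#ifdef CONFIG_PAX_REFCOUNT
+ "jno 0f\n"
+ "subl %2,%0\n"
+ "int $4\n0:\n"
+ _ASM_EXTABLE(0b, 0b)
+#endif
+
+ : "=r" (new)
+ : "0" (c), "ir" (a));
+
+ old = atomic_cmpxchg(v, c, new);
 if (likely(old == c))
 break;
 c = old;
 }
- return c != (u);
+ return c != u;
 }
 
 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)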
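Review bot: In atomic_add_return the CONFIG_PAX_REFCOUNT rollback `movl %0, %1` is a plain store of the pre-xaddl register value, so a LOCK-prefixed update of v->counter from another CPU that lands between the xaddl and the movl is overwritten; every other variant in this file undoes with a LOCK-prefixed instruction and this one cannot, so the line needs a comment such as `/* overflow: restore the old value; not atomic, a racing update is lost before the int $4 */` (the same pattern appears in atomic64_add_return above). The remainder of atomic_add_return_unchecked lies outside the hunk; if its tail is the original legacy-386 path it still calls atomic_read()/atomic_set() on an atomic_unchecked_t pointer, which would then need atomic_read_unchecked()/atomic_set_unchecked() to match the new types. Two kernel-doc headers name the wrong type: atomic_sub_unchecked and atomic_dec_unchecked both say `@v: pointer of type atomic_t` while taking `atomic_unchecked_t *v`; both should read `* @v: pointer of type atomic_unchecked_t`.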
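--- a/linux-2.6.37/arch/x86/include/asm/bitops.h
+++ b/linux-2.6.37/arch/x86/include/asm/bitops.h
@@ -38,7 +38,7 @@
 * a mask operation on a byte.
 */
 #define IS_IMMEDIATE(nr) (__builtin_constant_p(nr))
-#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((void *)(addr) + ((nr)>>3))
+#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((volatile void *)(addr) + ((nr)>>3))
 #define CONST_MASK(nr) (1 << ((nr) & 7))
 
 /**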
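--- a/linux-2.6.37/arch/x86/include/asm/boot.h
+++ b/linux-2.6.37/arch/x86/include/asm/boot.h
@@ -11,10 +11,15 @@
 #include <asm/pgtable_types.h>
 
 /* Physical address where kernel should be loaded. */
-#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
+#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
 + (CONFIG_PHYSICAL_ALIGN - 1)) \
 & ~(CONFIG_PHYSICAL_ALIGN - 1))
 
+#ifndef __ASSEMBLY__
+extern unsigned char __LOAD_PHYSICAL_ADDR[];
+#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
+#endif
+
 /* Minimum kernel alignment, as a power of two */
 #ifdef CONFIG_X86_64
 #define MIN_KERNEL_ALIGN_LG2 PMD_SHIFT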
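Review bot: LOAD_PHYSICAL_ADDR is now defined only under `#ifndef __ASSEMBLY__`, so any assembly file that still uses it gets an undefined symbol unless it was switched to ____LOAD_PHYSICAL_ADDR elsewhere in the patch, which this section cannot show. The new definition also turns the macro from an integer constant expression into the address of the linker-provided `__LOAD_PHYSICAL_ADDR[]`, so it can no longer appear in `#if`, array bounds or other constant contexts. A comment above the `extern`, naming where the symbol is defined (presumably the linker script) and why the indirection exists, would save the next reader from reintroducing the constant form.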
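--- a/linux-2.6.37/arch/x86/include/asm/cacheflush.h
+++ b/linux-2.6.37/arch/x86/include/asm/cacheflush.h
@@ -66,7 +66,7 @@ static inline unsigned long get_page_mem
 unsigned long pg_flags = pg->flags & _PGMT_MASK;
 
 if (pg_flags == _PGMT_DEFAULT)
- return -1;
+ return ~0UL;
 else if (pg_flags == _PGMT_WC)
 return _PAGE_CACHE_WC;
 else if (pg_flags == _PGMT_UC_MINUS)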
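--- a/linux-2.6.37/arch/x86/include/asm/cache.h
+++ b/linux-2.6.37/arch/x86/include/asm/cache.h
@@ -8,6 +8,7 @@
 #define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
 
 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
+#define __read_only __attribute__((__section__(".data..read_only")))
 
 #define INTERNODE_CACHE_SHIFT CONFIG_X86_INTERNODE_CACHE_SHIFT
 #define INTERNODE_CACHE_BYTES (1 << INTERNODE_CACHE_SHIFT)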
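Review bot: `__read_only` places an object in `.data..read_only` but nothing next to the macro says who write-protects that section, when, or how a legitimate later write is meant to happen; the desc.h hunks in this same patch wrap GDT/IDT writes in pax_open_kernel()/pax_close_kernel(), which suggests that is the intended contract. A comment on the new line, e.g. `/* .data..read_only is write-protected after boot (see linker script); writes need pax_open_kernel() */`, hedged until checked against the rest of the patch, would make that explicit for users of the attribute.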
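--- a/linux-2.6.37/arch/x86/include/asm/checksum_32.h
+++ b/linux-2.6.37/arch/x86/include/asm/checksum_32.h
@@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_gene
 int len, __wsum sum,
 int *src_err_ptr, int *dst_err_ptr);
 
+asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
+ int len, __wsum sum,
+ int *src_err_ptr, int *dst_err_ptr);
+
+asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
+ int len, __wsum sum,
+ int *src_err_ptr, int *dst_err_ptr);
+
 /*
 * Note: when you get a NULL pointer exception here this means someone
 * passed in an incorrect kernel address to one of these functions.
@@ -50,7 +58,7 @@ static inline __wsum csum_partial_copy_f
 int *err_ptr)
 {
 might_sleep();
- return csum_partial_copy_generic((__force void *)src, dst,
+ return csum_partial_copy_generic_from_user((__force void *)src, dst,
 len, sum, err_ptr, NULL);
 }
 
@@ -178,7 +186,7 @@ static inline __wsum csum_and_copy_to_us
 {
 might_sleep();
 if (access_ok(VERIFY_WRITE, dst, len))
- return csum_partial_copy_generic(src, (__force void *)dst,
+ return csum_partial_copy_generic_to_user(src, (__force void *)dst,
 len, sum, NULL, err_ptr);
 
 if (len)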
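Review bot: The two new prototypes declare both `src` and `dst` as plain kernel pointers, so the `(__force void *)` casts at the call sites strip the `__user` annotation and sparse loses exactly the user/kernel distinction that splitting into _to_user/_from_user variants is meant to encode. Declaring `const void __user *src` in csum_partial_copy_generic_from_user and `void __user *dst` in csum_partial_copy_generic_to_user, then dropping the two `__force` casts, would let the checker verify which argument the user-segment access applies to. Note also that csum_partial_copy_from_user performs no access_ok() of its own here while csum_and_copy_to_user does; that asymmetry predates the patch, but the new from_user entry point is the natural place for a comment stating that the caller must have validated `src`.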
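--- a/linux-2.6.37/arch/x86/include/asm/cpufeature.h
+++ b/linux-2.6.37/arch/x86/include/asm/cpufeature.h
@@ -349,7 +349,7 @@ static __always_inline __pure bool __sta
 ".section .discard,\"aw\",@progbits\n"
 " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */
 ".previous\n"
-".section .altinstr_replacement,\"ax\"\n"
+".section .altinstr_replacement,\"a\"\n"
 "3: movb $1,%0\n"
 "4:\n"
 ".previous\n"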
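Review bot: Dropping the `x` flag from `.altinstr_replacement` is only safe if the replacement bytes are always copied into place before they run and the section itself is never executed, and nothing in the hunk states that assumption; a comment on the changed line, e.g. `/* "a" not "ax": replacement code is patched in, the section is never executed in place */`, would stop a future cleanup from restoring the executable flag. Any other `.altinstr_replacement` directives in the tree must carry the same flags or the assembler will complain about a section type mismatch, which this section cannot show. The enclosing function starts and ends outside the hunk.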
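--- a/linux-2.6.37/arch/x86/include/asm/desc.h
+++ b/linux-2.6.37/arch/x86/include/asm/desc.h
@@ -4,6 +4,7 @@
 #include <asm/desc_defs.h>
 #include <asm/ldt.h>
 #include <asm/mmu.h>
+#include <asm/pgtable.h>
 #include <linux/smp.h>
 
 static inline void fill_ldt(struct desc_struct *desc,
@@ -15,6 +16,7 @@ static inline void fill_ldt(struct desc_
 desc->base1 = (info->base_addr & 0x00ff0000) >> 16;
 desc->type = (info->read_exec_only ^ 1) << 1;
 desc->type |= info->contents << 2;
+ desc->type |= info->seg_not_present ^ 1;
 desc->s = 1;
 desc->dpl = 0x3;
 desc->p = info->seg_not_present ^ 1;
@@ -31,16 +33,12 @@ static inline void fill_ldt(struct desc_
 }
 
 extern struct desc_ptr idt_descr;
-extern gate_desc idt_table[];
-
-struct gdt_page {
- struct desc_struct gdt[GDT_ENTRIES];
-} __attribute__((aligned(PAGE_SIZE)));
-DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
+extern gate_desc idt_table[256];
 
+extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
 static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
 {
- return per_cpu(gdt_page, cpu).gdt;
+ return cpu_gdt_table[cpu];
 }
 
 #ifdef CONFIG_X86_64
@@ -115,19 +113,24 @@ static inline void paravirt_free_ldt(str
 static inline void native_write_idt_entry(gate_desc *idt, int entry,
 const gate_desc *gate)
 {
+ pax_open_kernel();
 memcpy(&idt[entry], gate, sizeof(*gate));
+ pax_close_kernel();
 }
 
 static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry,
 const void *desc)
 {
+ pax_open_kernel();
 memcpy(&ldt[entry], desc, 8);
+ pax_close_kernel();
 }
 
 static inline void native_write_gdt_entry(struct desc_struct *gdt, int entry,
 const void *desc, int type)
 {
 unsigned int size;
+
 switch (type) {
 case DESC_TSS:
 size = sizeof(tss_desc);
@@ -139,7 +142,10 @@ static inline void native_write_gdt_entr
 size = sizeof(struct desc_struct);
 break;
 }
+
+ pax_open_kernel();
 memcpy(&gdt[entry], desc, size);
+ pax_close_kernel();
 }
 
 static inline void pack_descriptor(struct desc_struct *desc, unsigned long base,
@@ -211,7 +217,9 @@ static inline void native_set_ldt(const
 
 static inline void native_load_tr_desc(void)
 {
+ pax_open_kernel();
 asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
+ pax_close_kernel();
 }
 
 static inline void native_load_gdt(const struct desc_ptr *dtr)
@@ -246,8 +254,10 @@ static inline void native_load_tls(struc
 unsigned int i;
 struct desc_struct *gdt = get_cpu_gdt_table(cpu);
 
+ pax_open_kernel();
 for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
 gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
+ pax_close_kernel();
 }
 
 #define _LDT_empty(info) \
@@ -309,7 +319,7 @@ static inline void set_desc_limit(struct
 desc->limit = (limit >> 16) & 0xf;
 }
 
-static inline void _set_gate(int gate, unsigned type, void *addr,
+static inline void _set_gate(int gate, unsigned type, const void *addr,
 unsigned dpl, unsigned ist, unsigned seg)
 {
 gate_desc s;
@@ -327,7 +337,7 @@ static inline void _set_gate(int gate, u
 * Pentium F0 0F bugfix can have resulted in the mapped
 * IDT being write-protected.
 */
-static inline void set_intr_gate(unsigned int n, void *addr)
+static inline void set_intr_gate(unsigned int n, const void *addr)
 {
 BUG_ON((unsigned)n > 0xFF);
 _set_gate(n, GATE_INTERRUPT, addr, 0, 0, __KERNEL_CS);
@@ -356,19 +366,19 @@ static inline void alloc_intr_gate(unsig
 /*
 * This routine sets up an interrupt gate at directory privilege level 3.
 */
-static inline void set_system_intr_gate(unsigned int n, void *addr)
+static inline void set_system_intr_gate(unsigned int n, const void *addr)
 {
 BUG_ON((unsigned)n > 0xFF);
 _set_gate(n, GATE_INTERRUPT, addr, 0x3, 0, __KERNEL_CS);
 }
 
-static inline void set_system_trap_gate(unsigned int n, void *addr)
+static inline void set_system_trap_gate(unsigned int n, const void *addr)
 {
 BUG_ON((unsigned)n > 0xFF);
 _set_gate(n, GATE_TRAP, addr, 0x3, 0, __KERNEL_CS);
 }
 
-static inline void set_trap_gate(unsigned int n, void *addr)
+static inline void set_trap_gate(unsigned int n, const void *addr)
 {
 BUG_ON((unsigned)n > 0xFF);
 _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS);
@@ -377,19 +387,31 @@ static inline void set_trap_gate(unsigne
 static inline void set_task_gate(unsigned int n, unsigned int gdt_entry)
 {
 BUG_ON((unsigned)n > 0xFF);
- _set_gate(n, GATE_TASK, (void *)0, 0, 0, (gdt_entry<<3));
+ _set_gate(n, GATE_TASK, (const void *)0, 0, 0, (gdt_entry<<3));
 }
 
-static inline void set_intr_gate_ist(int n, void *addr, unsigned ist)
+static inline void set_intr_gate_ist(int n, const void *addr, unsigned ist)
 {
 BUG_ON((unsigned)n > 0xFF);
 _set_gate(n, GATE_INTERRUPT, addr, 0, ist, __KERNEL_CS);
 }
 
-static inline void set_system_intr_gate_ist(int n, void *addr, unsigned ist)
+static inline void set_system_intr_gate_ist(int n, const void *addr, unsigned ist)
 {
 BUG_ON((unsigned)n > 0xFF);
 _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
 }
 
+#ifdef CONFIG_X86_32
+static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
+{
+ struct desc_struct d;
+
+ if (likely(limit))
+ limit = (limit - 1UL) >> PAGE_SHIFT;
+ pack_descriptor(&d, base, limit, 0xFB, 0xC);
+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S);
+}
+#endif
+
 #endif /* _ASM_X86_DESC_H */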
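Review bot: The new line in fill_ldt, `desc->type |= info->seg_not_present ^ 1;`, sets bit 0 of the type field (the accessed bit) on every present segment without saying why; presumably it is there so the CPU never has to write the descriptor on first use once the descriptor tables are write-protected, and the same pre-set accessed bit shows up as `0xFB` in set_user_cs, so a comment such as `/* pre-set the accessed bit: the tables are read-only, the CPU must never write them */` would make the invariant explicit in both places. native_load_tr_desc likewise gains a pax_open_kernel()/pax_close_kernel() pair around a bare `ltr`, which only makes sense because ltr marks the TSS descriptor busy in the GDT; a one-line comment there would spare readers the puzzle of why a register load needs the table writable. In set_user_cs the `limit` parameter is silently reinterpreted (bytes in, page-granular limit out, with 0 passed through unchanged), which deserves a short kernel-doc header stating that contract.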
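--- a/linux-2.6.37/arch/x86/include/asm/device.h
+++ b/linux-2.6.37/arch/x86/include/asm/device.h
@@ -6,7 +6,7 @@ struct dev_archdata {
 void *acpi_handle;
 #endif
 #ifdef CONFIG_X86_64
-struct dma_map_ops *dma_ops;
+ const struct dma_map_ops *dma_ops;
 #endif
 #if defined(CONFIG_DMAR) || defined(CONFIG_AMD_IOMMU)
 void *iommu; /* hook for IOMMU specific extension */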
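--- a/linux-2.6.37/arch/x86/include/asm/dma-mapping.h
+++ b/linux-2.6.37/arch/x86/include/asm/dma-mapping.h
@@ -26,9 +26,9 @@ extern int iommu_merge;
 extern struct device x86_dma_fallback_dev;
 extern int panic_on_overflow;
 
-extern struct dma_map_ops *dma_ops;
+extern const struct dma_map_ops *dma_ops;
 
-static inline struct dma_map_ops *get_dma_ops(struct device *dev)
+static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
 {
 #ifdef CONFIG_X86_32
 return dma_ops;
@@ -45,7 +45,7 @@ static inline struct dma_map_ops *get_dm
 /* Make sure we keep the same behaviour */
 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
 {
- struct dma_map_ops *ops = get_dma_ops(dev);
+ const struct dma_map_ops *ops = get_dma_ops(dev);
 if (ops->mapping_error)
 return ops->mapping_error(dev, dma_addr);
 
@@ -115,7 +115,7 @@ static inline void *
 dma_alloc_coherent(struct device *dev, size_t size, dma_addr_t *dma_handle,
 gfp_t gfp)
 {
- struct dma_map_ops *ops = get_dma_ops(dev);
+ const struct dma_map_ops *ops = get_dma_ops(dev);
 void *memory;
 
 gfp &= ~(__GFP_DMA | __GFP_HIGHMEM | __GFP_DMA32);
@@ -142,7 +142,7 @@ dma_alloc_coherent(struct device *dev, s
 static inline void dma_free_coherent(struct device *dev, size_t size,
 void *vaddr, dma_addr_t bus)
 {
- struct dma_map_ops *ops = get_dma_ops(dev);
+ const struct dma_map_ops *ops = get_dma_ops(dev);
 
 WARN_ON(irqs_disabled()); /* for portability */
 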
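--- a/linux-2.6.37/arch/x86/include/asm/e820.h
+++ b/linux-2.6.37/arch/x86/include/asm/e820.h
@@ -69,7 +69,7 @@ struct e820map {
 #define ISA_START_ADDRESS 0xa0000
 #define ISA_END_ADDRESS 0x100000
 
-#define BIOS_BEGIN 0x000a0000
+#define BIOS_BEGIN 0x000c0000
 #define BIOS_END 0x00100000
 
 #define BIOS_ROM_BASE 0xffe00000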
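Review bot: BIOS_BEGIN moves from 0x000a0000 to 0x000c0000 with no comment, which narrows every range check built on BIOS_BEGIN/BIOS_END by 128 KiB and leaves ISA_START_ADDRESS two lines above at the old value. Presumably the intent is that 0xa0000-0xbffff is the legacy VGA window rather than BIOS ROM and should no longer be treated as such, but that reasoning belongs next to the constant, e.g. `/* 0xa0000-0xbffff is VGA memory, not BIOS; only 0xc0000-0xfffff is ROM */`. The users of BIOS_BEGIN are outside this section, so I cannot confirm none of them depended on the old lower bound.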
7583 diff -urNp linux-2.6.37/arch/x86/include/asm/elf.h linux-2.6.37/arch/x86/include/asm/elf.h
7584 --- linux-2.6.37/arch/x86/include/asm/elf.h 2011-01-04 19:50:19.000000000 -0500
7585 +++ linux-2.6.37/arch/x86/include/asm/elf.h 2011-01-17 02:41:00.000000000 -0500
7586 @@ -237,7 +237,25 @@ extern int force_personality32;
7587 the loader. We need to make sure that it is out of the way of the program
7588 that it will "exec", and that there is sufficient room for the brk. */
7589
7590 +#ifdef CONFIG_PAX_SEGMEXEC
7591 +#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
7592 +#else
7593 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
7594 +#endif
7595 +
7596 +#ifdef CONFIG_PAX_ASLR
7597 +#ifdef CONFIG_X86_32
7598 +#define PAX_ELF_ET_DYN_BASE 0x10000000UL
7599 +
7600 +#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
7601 +#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
7602 +#else
7603 +#define PAX_ELF_ET_DYN_BASE 0x400000UL
7604 +
7605 +#define PAX_DELTA_MMAP_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
7606 +#define PAX_DELTA_STACK_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
7607 +#endif
7608 +#endif
7609
7610 /* This yields a mask that user programs can use to figure out what
7611 instruction set this CPU supports. This could be done in user space,
7612 @@ -291,8 +309,7 @@ do { \
7613 #define ARCH_DLINFO \
7614 do { \
7615 if (vdso_enabled) \
7616 - NEW_AUX_ENT(AT_SYSINFO_EHDR, \
7617 - (unsigned long)current->mm->context.vdso); \
7618 + NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);\
7619 } while (0)
7620
7621 #define AT_SYSINFO 32
7622 @@ -303,7 +320,7 @@ do { \
7623
7624 #endif /* !CONFIG_X86_32 */
7625
7626 -#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
7627 +#define VDSO_CURRENT_BASE (current->mm->context.vdso)
7628
7629 #define VDSO_ENTRY \
7630 ((unsigned long)VDSO32_SYMBOL(VDSO_CURRENT_BASE, vsyscall))
7631 @@ -317,7 +334,4 @@ extern int arch_setup_additional_pages(s
7632 extern int syscall32_setup_pages(struct linux_binprm *, int exstack);
7633 #define compat_arch_setup_additional_pages syscall32_setup_pages
7634
7635 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
7636 -#define arch_randomize_brk arch_randomize_brk
7637 -
7638 #endif /* _ASM_X86_ELF_H */
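Review bot: Dropping the `arch_randomize_brk` declaration together with its `#define arch_randomize_brk` removes mainline's brk randomization for every x86 build, including configurations in which CONFIG_PAX_ASLR is not selected, so the fallback used for randomize_va_space=2 is lost unless another part of the patch places the brk itself. If PaX's own ELF-loader randomization is meant to replace it, the removal should say so and ideally be conditional on that option, e.g. `/* arch_randomize_brk dropped: brk placement is done by the PaX ASLR code in the ELF loader */` above the `#endif`. Which part of the patch takes over brk placement is not visible in this hunk.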
7639 diff -urNp linux-2.6.37/arch/x86/include/asm/futex.h linux-2.6.37/arch/x86/include/asm/futex.h
7640 --- linux-2.6.37/arch/x86/include/asm/futex.h 2011-01-04 19:50:19.000000000 -0500
7641 +++ linux-2.6.37/arch/x86/include/asm/futex.h 2011-01-17 02:41:00.000000000 -0500
7642 @@ -12,16 +12,18 @@
7643 #include <asm/system.h>
7644
7645 #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
7646 + typecheck(u32 *, uaddr); \
7647 asm volatile("1:\t" insn "\n" \
7648 "2:\t.section .fixup,\"ax\"\n" \
7649 "3:\tmov\t%3, %1\n" \
7650 "\tjmp\t2b\n" \
7651 "\t.previous\n" \
7652 _ASM_EXTABLE(1b, 3b) \
7653 - : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
7654 + : "=r" (oldval), "=r" (ret), "+m" (*____m(uaddr))\
7655 : "i" (-EFAULT), "0" (oparg), "1" (0))
7656
7657 #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
7658 + typecheck(u32 *, uaddr); \
7659 asm volatile("1:\tmovl %2, %0\n" \
7660 "\tmovl\t%0, %3\n" \
7661 "\t" insn "\n" \
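Review bot: `__futex_atomic_op1` and `__futex_atomic_op2` now expand to two statements (`typecheck(u32 *, uaddr);` followed by the `asm volatile`), so an unbraced `if`/`else` around a use would silently apply the condition to the typecheck only; wrapping each macro body in `do { ... } while (0)` keeps it a single statement, as the `ARCH_DLINFO` macro in the elf.h hunk already does. The `typecheck(u32 *, uaddr)` compares against a plain kernel pointer type while the new `futex_atomic_op_inuser` prototype passes `u32 __user *`, which may draw a sparse address-space warning — worth confirming with a sparse build. The second hunk writes `"+m" (*(____m(uaddr)))` where this one writes `"+m" (*____m(uaddr))`; one form should be used throughout.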
7662 @@ -34,10 +36,10 @@
7663 _ASM_EXTABLE(1b, 4b) \
7664 _ASM_EXTABLE(2b, 4b) \
7665 : "=&a" (oldval), "=&r" (ret), \
7666 - "+m" (*uaddr), "=&r" (tem) \
7667 + "+m" (*(____m(uaddr))), "=&r" (tem) \
7668 : "r" (oparg), "i" (-EFAULT), "1" (0))
7669
7670 -static inline int futex_atomic_op_inuser(int encoded_op, int __user *uaddr)
7671 +static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
7672 {
7673 int op = (encoded_op >> 28) & 7;
7674 int cmp = (encoded_op >> 24) & 15;
7675 @@ -61,10 +63,10 @@ static inline int futex_atomic_op_inuser
7676
7677 switch (op) {
7678 case FUTEX_OP_SET:
7679 - __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
7680 + __futex_atomic_op1("xchgl %0, "__copyuser_seg"%2", ret, oldval, uaddr, oparg);
7681 break;
7682 case FUTEX_OP_ADD:
7683 - __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
7684 + __futex_atomic_op1(LOCK_PREFIX "xaddl %0, "__copyuser_seg"%2", ret, oldval,
7685 uaddr, oparg);
7686 break;
7687 case FUTEX_OP_OR:
7688 @@ -109,7 +111,7 @@ static inline int futex_atomic_op_inuser
7689 return ret;
7690 }
7691
7692 -static inline int futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval,
7693 +static inline int futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval,
7694 int newval)
7695 {
7696
7697 @@ -119,16 +121,16 @@ static inline int futex_atomic_cmpxchg_i
7698 return -ENOSYS;
7699 #endif
7700
7701 - if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
7702 + if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
7703 return -EFAULT;
7704
7705 - asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
7706 + asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %3, "__copyuser_seg"%1\n"
7707 "2:\t.section .fixup, \"ax\"\n"
7708 "3:\tmov %2, %0\n"
7709 "\tjmp 2b\n"
7710 "\t.previous\n"
7711 _ASM_EXTABLE(1b, 3b)
7712 - : "=a" (oldval), "+m" (*uaddr)
7713 + : "=a" (oldval), "+m" (*____m(uaddr))
7714 : "i" (-EFAULT), "r" (newval), "0" (oldval)
7715 : "memory"
7716 );
7717 diff -urNp linux-2.6.37/arch/x86/include/asm/i387.h linux-2.6.37/arch/x86/include/asm/i387.h
7718 --- linux-2.6.37/arch/x86/include/asm/i387.h 2011-01-04 19:50:19.000000000 -0500
7719 +++ linux-2.6.37/arch/x86/include/asm/i387.h 2011-01-17 02:41:00.000000000 -0500
7720 @@ -92,6 +92,11 @@ static inline int fxrstor_checking(struc
7721 {
7722 int err;
7723
7724 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7725 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
7726 + fx = (struct i387_fxsave_struct *)((void *)fx + PAX_USER_SHADOW_BASE);
7727 +#endif
7728 +
7729 /* See comment in fxsave() below. */
7730 asm volatile("1: rex64/fxrstor (%[fx])\n\t"
7731 "2:\n"
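Review bot: The PAX_USER_SHADOW_BASE relocation added at the top of `fxrstor_checking` is repeated verbatim in `fxsave_user` in the next hunk, differing only in the `__user` cast; a small helper or macro would keep the `< PAX_USER_SHADOW_BASE` comparison and the offset in one place. Neither copy carries a comment; suggest `/* UDEREF: low (user) addresses are accessed through the shadow mapping at PAX_USER_SHADOW_BASE */`, hedged because the shadow-mapping mechanism itself is not shown here. Both functions continue past their hunks, so the asm that consumes the adjusted `fx` is not visible.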
7732 @@ -109,6 +114,11 @@ static inline int fxsave_user(struct i38
7733 {
7734 int err;
7735
7736 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7737 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
7738 + fx = (struct i387_fxsave_struct __user *)((void __user *)fx + PAX_USER_SHADOW_BASE);
7739 +#endif
7740 +
7741 /*
7742 * Clear the bytes not touched by the fxsave and reserved
7743 * for the SW usage.
7744 @@ -189,13 +199,8 @@ static inline void fpu_fxsave(struct fpu
7745 #endif /* CONFIG_X86_64 */
7746
7747 /* We need a safe address that is cheap to find and that is already
7748 - in L1 during context switch. The best choices are unfortunately
7749 - different for UP and SMP */
7750 -#ifdef CONFIG_SMP
7751 -#define safe_address (__per_cpu_offset[0])
7752 -#else
7753 -#define safe_address (kstat_cpu(0).cpustat.user)
7754 -#endif
7755 + in L1 during context switch. */
7756 +#define safe_address (init_tss[smp_processor_id()].x86_tss.sp0)
7757
7758 /*
7759 * These must be called with preempt disabled
7760 diff -urNp linux-2.6.37/arch/x86/include/asm/io.h linux-2.6.37/arch/x86/include/asm/io.h
7761 --- linux-2.6.37/arch/x86/include/asm/io.h 2011-01-04 19:50:19.000000000 -0500
7762 +++ linux-2.6.37/arch/x86/include/asm/io.h 2011-01-17 02:41:00.000000000 -0500
7763 @@ -216,6 +216,17 @@ extern void set_iounmap_nonlazy(void);
7764
7765 #include <linux/vmalloc.h>
7766
7767 +#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
7768 +static inline int valid_phys_addr_range(unsigned long addr, size_t count)
7769 +{
7770 + return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
7771 +}
7772 +
7773 +static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
7774 +{
7775 + return (pfn + (count >> PAGE_SHIFT)) < (1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
7776 +}
7777 +
7778 /*
7779 * Convert a virtual cached pointer to an uncached pointer
7780 */
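Review bot: `valid_phys_addr_range` computes `1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)` with an `int` constant, so on x86-64 with 40–52 physical address bits the shift count is 28–40 and the expression overflows `int` (undefined behaviour) rather than yielding the intended PFN limit; the constant must be `1UL`. The same line adds `addr + count + PAGE_SIZE - 1` with no wrap check, so a `count` near `ULONG_MAX` wraps to a small value and the range passes — presumably these are the checks behind the physical-memory character device, where a wrong answer exposes memory. `valid_mmap_phys_addr_range` shares the `1 <<` problem and additionally rounds `count` down to whole pages, so a trailing partial page is never counted. The `<` against the limit also rejects a range ending exactly at the last addressable page; if that is unintended `<=` is the exact bound, but the rewrite below keeps the original `<`.
```c
static inline int valid_phys_addr_range(unsigned long addr, size_t count)
{
	/* one past the highest PFN this CPU can address; 1UL keeps the shift out of int range */
	unsigned long pfn_limit = 1UL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT);
	unsigned long end;

	if (count > ~0UL - addr)	/* addr + count would wrap */
		return 0;
	end = addr + count;
	/* round up to a page boundary without the +PAGE_SIZE-1 overflow */
	return ((end >> PAGE_SHIFT) + ((end & (PAGE_SIZE - 1)) != 0)) < pfn_limit;
}

static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
{
	unsigned long pfn_limit = 1UL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT);
	/* count rounded up to whole pages, computed so a huge count cannot wrap */
	unsigned long pages = (count >> PAGE_SHIFT) + ((count & (PAGE_SIZE - 1)) != 0);

	if (pfn > ~0UL - pages)		/* pfn + pages would wrap */
		return 0;
	return (pfn + pages) < pfn_limit;
}
```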
7781 diff -urNp linux-2.6.37/arch/x86/include/asm/iommu.h linux-2.6.37/arch/x86/include/asm/iommu.h
7782 --- linux-2.6.37/arch/x86/include/asm/iommu.h 2011-01-04 19:50:19.000000000 -0500
7783 +++ linux-2.6.37/arch/x86/include/asm/iommu.h 2011-01-17 02:41:00.000000000 -0500
7784 @@ -1,7 +1,7 @@
7785 #ifndef _ASM_X86_IOMMU_H
7786 #define _ASM_X86_IOMMU_H
7787
7788 -extern struct dma_map_ops nommu_dma_ops;
7789 +extern const struct dma_map_ops nommu_dma_ops;
7790 extern int force_iommu, no_iommu;
7791 extern int iommu_detected;
7792 extern int iommu_pass_through;
7793 diff -urNp linux-2.6.37/arch/x86/include/asm/irqflags.h linux-2.6.37/arch/x86/include/asm/irqflags.h
7794 --- linux-2.6.37/arch/x86/include/asm/irqflags.h 2011-01-04 19:50:19.000000000 -0500
7795 +++ linux-2.6.37/arch/x86/include/asm/irqflags.h 2011-01-17 02:41:00.000000000 -0500
7796 @@ -140,6 +140,11 @@ static inline unsigned long arch_local_i
7797 sti; \
7798 sysexit
7799
7800 +#define GET_CR0_INTO_RDI mov %cr0, %rdi
7801 +#define SET_RDI_INTO_CR0 mov %rdi, %cr0
7802 +#define GET_CR3_INTO_RDI mov %cr3, %rdi
7803 +#define SET_RDI_INTO_CR3 mov %rdi, %cr3
7804 +
7805 #else
7806 #define INTERRUPT_RETURN iret
7807 #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
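Review bot: The native `GET_CR0_INTO_RDI`/`GET_CR3_INTO_RDI` macros added here touch only %rdi, whereas their CONFIG_PARAVIRT counterparts in the paravirt.h hunk (`call PARA_INDIRECT(...)` followed by `mov %rax,%rdi`) go through a call and clobber %rax plus whatever the pv hook clobbers. Assembly using these macros therefore has to be written against the wider paravirt contract, and nothing at either definition says so; suggest the same comment on both sets, e.g. `/* may clobber %rax and caller-saved registers under CONFIG_PARAVIRT; keep no live values there across this macro */`. The same applies to `SET_RDI_INTO_CR0`/`SET_RDI_INTO_CR3`.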
7808 diff -urNp linux-2.6.37/arch/x86/include/asm/kvm_host.h linux-2.6.37/arch/x86/include/asm/kvm_host.h
7809 --- linux-2.6.37/arch/x86/include/asm/kvm_host.h 2011-01-04 19:50:19.000000000 -0500
7810 +++ linux-2.6.37/arch/x86/include/asm/kvm_host.h 2011-01-17 02:41:00.000000000 -0500
7811 @@ -585,7 +585,7 @@ struct kvm_x86_ops {
7812 const struct trace_print_flags *exit_reasons_str;
7813 };
7814
7815 -extern struct kvm_x86_ops *kvm_x86_ops;
7816 +extern const struct kvm_x86_ops *kvm_x86_ops;
7817
7818 int kvm_mmu_module_init(void);
7819 void kvm_mmu_module_exit(void);
7820 diff -urNp linux-2.6.37/arch/x86/include/asm/local.h linux-2.6.37/arch/x86/include/asm/local.h
7821 --- linux-2.6.37/arch/x86/include/asm/local.h 2011-01-04 19:50:19.000000000 -0500
7822 +++ linux-2.6.37/arch/x86/include/asm/local.h 2011-01-17 02:41:00.000000000 -0500
7823 @@ -18,26 +18,58 @@ typedef struct {
7824
7825 static inline void local_inc(local_t *l)
7826 {
7827 - asm volatile(_ASM_INC "%0"
7828 + asm volatile(_ASM_INC "%0\n"
7829 +
7830 +#ifdef CONFIG_PAX_REFCOUNT
7831 + "jno 0f\n"
7832 + _ASM_DEC "%0\n"
7833 + "int $4\n0:\n"
7834 + _ASM_EXTABLE(0b, 0b)
7835 +#endif
7836 +
7837 : "+m" (l->a.counter));
7838 }
7839
7840 static inline void local_dec(local_t *l)
7841 {
7842 - asm volatile(_ASM_DEC "%0"
7843 + asm volatile(_ASM_DEC "%0\n"
7844 +
7845 +#ifdef CONFIG_PAX_REFCOUNT
7846 + "jno 0f\n"
7847 + _ASM_INC "%0\n"
7848 + "int $4\n0:\n"
7849 + _ASM_EXTABLE(0b, 0b)
7850 +#endif
7851 +
7852 : "+m" (l->a.counter));
7853 }
7854
7855 static inline void local_add(long i, local_t *l)
7856 {
7857 - asm volatile(_ASM_ADD "%1,%0"
7858 + asm volatile(_ASM_ADD "%1,%0\n"
7859 +
7860 +#ifdef CONFIG_PAX_REFCOUNT
7861 + "jno 0f\n"
7862 + _ASM_SUB "%1,%0\n"
7863 + "int $4\n0:\n"
7864 + _ASM_EXTABLE(0b, 0b)
7865 +#endif
7866 +
7867 : "+m" (l->a.counter)
7868 : "ir" (i));
7869 }
7870
7871 static inline void local_sub(long i, local_t *l)
7872 {
7873 - asm volatile(_ASM_SUB "%1,%0"
7874 + asm volatile(_ASM_SUB "%1,%0\n"
7875 +
7876 +#ifdef CONFIG_PAX_REFCOUNT
7877 + "jno 0f\n"
7878 + _ASM_ADD "%1,%0\n"
7879 + "int $4\n0:\n"
7880 + _ASM_EXTABLE(0b, 0b)
7881 +#endif
7882 +
7883 : "+m" (l->a.counter)
7884 : "ir" (i));
7885 }
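Review bot: The PAX_REFCOUNT sequences added to `local_inc`, `local_dec`, `local_add` and `local_sub` (and to the `*_and_test`, `local_add_negative` and `local_add_return` hunks that follow) carry no comment, and the pattern — `jno 0f`, undo the update, `int $4`, exception-table entry pointing the trap back at label 0 — is not self-explanatory. Suggest one comment above the first instance, `/* PAX_REFCOUNT: on signed overflow (OF set) undo the update and raise #OF via int $4; the extable entry resumes after the trap */`, and a one-line `/* overflow check: see local_inc */` on the others. Because `jno` tests signed overflow, any `local_t` user that legitimately wraps (a statistics counter rather than a reference count) now traps; it is worth confirming no such user exists or giving it an unchecked variant. The `local_add_return` undo uses `_ASM_MOV "%0,%1"`, which relies on %0 still holding the pre-xadd value, so a note there would help too.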
7886 @@ -55,7 +87,16 @@ static inline int local_sub_and_test(lon
7887 {
7888 unsigned char c;
7889
7890 - asm volatile(_ASM_SUB "%2,%0; sete %1"
7891 + asm volatile(_ASM_SUB "%2,%0\n"
7892 +
7893 +#ifdef CONFIG_PAX_REFCOUNT
7894 + "jno 0f\n"
7895 + _ASM_ADD "%2,%0\n"
7896 + "int $4\n0:\n"
7897 + _ASM_EXTABLE(0b, 0b)
7898 +#endif
7899 +
7900 + "sete %1\n"
7901 : "+m" (l->a.counter), "=qm" (c)
7902 : "ir" (i) : "memory");
7903 return c;
7904 @@ -73,7 +114,16 @@ static inline int local_dec_and_test(loc
7905 {
7906 unsigned char c;
7907
7908 - asm volatile(_ASM_DEC "%0; sete %1"
7909 + asm volatile(_ASM_DEC "%0\n"
7910 +
7911 +#ifdef CONFIG_PAX_REFCOUNT
7912 + "jno 0f\n"
7913 + _ASM_INC "%0\n"
7914 + "int $4\n0:\n"
7915 + _ASM_EXTABLE(0b, 0b)
7916 +#endif
7917 +
7918 + "sete %1\n"
7919 : "+m" (l->a.counter), "=qm" (c)
7920 : : "memory");
7921 return c != 0;
7922 @@ -91,7 +141,16 @@ static inline int local_inc_and_test(loc
7923 {
7924 unsigned char c;
7925
7926 - asm volatile(_ASM_INC "%0; sete %1"
7927 + asm volatile(_ASM_INC "%0\n"
7928 +
7929 +#ifdef CONFIG_PAX_REFCOUNT
7930 + "jno 0f\n"
7931 + _ASM_DEC "%0\n"
7932 + "int $4\n0:\n"
7933 + _ASM_EXTABLE(0b, 0b)
7934 +#endif
7935 +
7936 + "sete %1\n"
7937 : "+m" (l->a.counter), "=qm" (c)
7938 : : "memory");
7939 return c != 0;
7940 @@ -110,7 +169,16 @@ static inline int local_add_negative(lon
7941 {
7942 unsigned char c;
7943
7944 - asm volatile(_ASM_ADD "%2,%0; sets %1"
7945 + asm volatile(_ASM_ADD "%2,%0\n"
7946 +
7947 +#ifdef CONFIG_PAX_REFCOUNT
7948 + "jno 0f\n"
7949 + _ASM_SUB "%2,%0\n"
7950 + "int $4\n0:\n"
7951 + _ASM_EXTABLE(0b, 0b)
7952 +#endif
7953 +
7954 + "sets %1\n"
7955 : "+m" (l->a.counter), "=qm" (c)
7956 : "ir" (i) : "memory");
7957 return c;
7958 @@ -133,7 +201,15 @@ static inline long local_add_return(long
7959 #endif
7960 /* Modern 486+ processor */
7961 __i = i;
7962 - asm volatile(_ASM_XADD "%0, %1;"
7963 + asm volatile(_ASM_XADD "%0, %1\n"
7964 +
7965 +#ifdef CONFIG_PAX_REFCOUNT
7966 + "jno 0f\n"
7967 + _ASM_MOV "%0,%1\n"
7968 + "int $4\n0:\n"
7969 + _ASM_EXTABLE(0b, 0b)
7970 +#endif
7971 +
7972 : "+r" (i), "+m" (l->a.counter)
7973 : : "memory");
7974 return i + __i;
7975 diff -urNp linux-2.6.37/arch/x86/include/asm/mc146818rtc.h linux-2.6.37/arch/x86/include/asm/mc146818rtc.h
7976 --- linux-2.6.37/arch/x86/include/asm/mc146818rtc.h 2011-01-04 19:50:19.000000000 -0500
7977 +++ linux-2.6.37/arch/x86/include/asm/mc146818rtc.h 2011-01-17 02:41:00.000000000 -0500
7978 @@ -81,8 +81,8 @@ static inline unsigned char current_lock
7979 #else
7980 #define lock_cmos_prefix(reg) do {} while (0)
7981 #define lock_cmos_suffix(reg) do {} while (0)
7982 -#define lock_cmos(reg)
7983 -#define unlock_cmos()
7984 +#define lock_cmos(reg) do {} while (0)
7985 +#define unlock_cmos() do {} while (0)
7986 #define do_i_have_lock_cmos() 0
7987 #define current_lock_cmos_reg() 0
7988 #endif
7989 diff -urNp linux-2.6.37/arch/x86/include/asm/microcode.h linux-2.6.37/arch/x86/include/asm/microcode.h
7990 --- linux-2.6.37/arch/x86/include/asm/microcode.h 2011-01-04 19:50:19.000000000 -0500
7991 +++ linux-2.6.37/arch/x86/include/asm/microcode.h 2011-01-17 02:41:00.000000000 -0500
7992 @@ -12,13 +12,13 @@ struct device;
7993 enum ucode_state { UCODE_ERROR, UCODE_OK, UCODE_NFOUND };
7994
7995 struct microcode_ops {
7996 - enum ucode_state (*request_microcode_user) (int cpu,
7997 + enum ucode_state (* const request_microcode_user) (int cpu,
7998 const void __user *buf, size_t size);
7999
8000 - enum ucode_state (*request_microcode_fw) (int cpu,
8001 + enum ucode_state (* const request_microcode_fw) (int cpu,
8002 struct device *device);
8003
8004 - void (*microcode_fini_cpu) (int cpu);
8005 + void (* const microcode_fini_cpu) (int cpu);
8006
8007 /*
8008 * The generic 'microcode_core' part guarantees that
8009 @@ -38,18 +38,18 @@ struct ucode_cpu_info {
8010 extern struct ucode_cpu_info ucode_cpu_info[];
8011
8012 #ifdef CONFIG_MICROCODE_INTEL
8013 -extern struct microcode_ops * __init init_intel_microcode(void);
8014 +extern const struct microcode_ops * __init init_intel_microcode(void);
8015 #else
8016 -static inline struct microcode_ops * __init init_intel_microcode(void)
8017 +static inline const struct microcode_ops * __init init_intel_microcode(void)
8018 {
8019 return NULL;
8020 }
8021 #endif /* CONFIG_MICROCODE_INTEL */
8022
8023 #ifdef CONFIG_MICROCODE_AMD
8024 -extern struct microcode_ops * __init init_amd_microcode(void);
8025 +extern const struct microcode_ops * __init init_amd_microcode(void);
8026 #else
8027 -static inline struct microcode_ops * __init init_amd_microcode(void)
8028 +static inline const struct microcode_ops * __init init_amd_microcode(void)
8029 {
8030 return NULL;
8031 }
8032 diff -urNp linux-2.6.37/arch/x86/include/asm/mman.h linux-2.6.37/arch/x86/include/asm/mman.h
8033 --- linux-2.6.37/arch/x86/include/asm/mman.h 2011-01-04 19:50:19.000000000 -0500
8034 +++ linux-2.6.37/arch/x86/include/asm/mman.h 2011-01-17 02:41:00.000000000 -0500
8035 @@ -5,4 +5,14 @@
8036
8037 #include <asm-generic/mman.h>
8038
8039 +#ifdef __KERNEL__
8040 +#ifndef __ASSEMBLY__
8041 +#ifdef CONFIG_X86_32
8042 +#define arch_mmap_check i386_mmap_check
8043 +int i386_mmap_check(unsigned long addr, unsigned long len,
8044 + unsigned long flags);
8045 +#endif
8046 +#endif
8047 +#endif
8048 +
8049 #endif /* _ASM_X86_MMAN_H */
8050 diff -urNp linux-2.6.37/arch/x86/include/asm/mmu_context.h linux-2.6.37/arch/x86/include/asm/mmu_context.h
8051 --- linux-2.6.37/arch/x86/include/asm/mmu_context.h 2011-01-04 19:50:19.000000000 -0500
8052 +++ linux-2.6.37/arch/x86/include/asm/mmu_context.h 2011-01-17 02:41:00.000000000 -0500
8053 @@ -24,6 +24,21 @@ void destroy_context(struct mm_struct *m
8054
8055 static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
8056 {
8057 +
8058 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
8059 + unsigned int i;
8060 + pgd_t *pgd;
8061 +
8062 + pax_open_kernel();
8063 + pgd = get_cpu_pgd(smp_processor_id());
8064 + for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i)
8065 + if (paravirt_enabled())
8066 + set_pgd(pgd+i, native_make_pgd(0));
8067 + else
8068 + pgd[i] = native_make_pgd(0);
8069 + pax_close_kernel();
8070 +#endif
8071 +
8072 #ifdef CONFIG_SMP
8073 if (percpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
8074 percpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
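Review bot: In the UDEREF block added to `enter_lazy_tlb`, `paravirt_enabled()` is re-evaluated on every iteration of the `USER_PGD_PTRS` loop although it cannot change inside it; testing it once and running two plain loops, or a small helper that clears a pgd range, reads better in a context-switch path. The block also explains neither what the upper half of the per-CPU pgd holds nor why it is cleared on entering lazy TLB mode; suggest `/* UDEREF: drop the shadow user pgds (upper USER_PGD_PTRS entries of the per-cpu pgd) while no user mm is active */`, hedged because the shadow layout is inferred from `__shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, ...)` in the next hunk. The blank line directly after the opening brace is not kernel style. The function's `#ifdef CONFIG_SMP` tail continues past the hunk.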
8075 @@ -34,27 +49,70 @@ static inline void switch_mm(struct mm_s
8076 struct task_struct *tsk)
8077 {
8078 unsigned cpu = smp_processor_id();
8079 +#if defined(CONFIG_X86_32) && defined(CONFIG_SMP)
8080 + int tlbstate = TLBSTATE_OK;
8081 +#endif
8082
8083 if (likely(prev != next)) {
8084 /* stop flush ipis for the previous mm */
8085 cpumask_clear_cpu(cpu, mm_cpumask(prev));
8086 #ifdef CONFIG_SMP
8087 +#ifdef CONFIG_X86_32
8088 + tlbstate = percpu_read(cpu_tlbstate.state);
8089 +#endif
8090 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
8091 percpu_write(cpu_tlbstate.active_mm, next);
8092 #endif
8093 cpumask_set_cpu(cpu, mm_cpumask(next));
8094
8095 /* Re-load page tables */
8096 +#ifdef CONFIG_PAX_PER_CPU_PGD
8097 + pax_open_kernel();
8098 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
8099 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
8100 + pax_close_kernel();
8101 + load_cr3(get_cpu_pgd(cpu));
8102 +#else
8103 load_cr3(next->pgd);
8104 +#endif
8105
8106 /*
8107 * load the LDT, if the LDT is different:
8108 */
8109 if (unlikely(prev->context.ldt != next->context.ldt))
8110 load_LDT_nolock(&next->context);
8111 - }
8112 +
8113 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
8114 + if (!(__supported_pte_mask & _PAGE_NX)) {
8115 + smp_mb__before_clear_bit();
8116 + cpu_clear(cpu, prev->context.cpu_user_cs_mask);
8117 + smp_mb__after_clear_bit();
8118 + cpu_set(cpu, next->context.cpu_user_cs_mask);
8119 + }
8120 +#endif
8121 +
8122 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
8123 + if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
8124 + prev->context.user_cs_limit != next->context.user_cs_limit))
8125 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
8126 #ifdef CONFIG_SMP
8127 + else if (unlikely(tlbstate != TLBSTATE_OK))
8128 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
8129 +#endif
8130 +#endif
8131 +
8132 + }
8133 else {
8134 +
8135 +#ifdef CONFIG_PAX_PER_CPU_PGD
8136 + pax_open_kernel();
8137 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
8138 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
8139 + pax_close_kernel();
8140 + load_cr3(get_cpu_pgd(cpu));
8141 +#endif
8142 +
8143 +#ifdef CONFIG_SMP
8144 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
8145 BUG_ON(percpu_read(cpu_tlbstate.active_mm) != next);
8146
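Review bot: The `__clone_user_pgds`/`__shadow_user_pgds`/`load_cr3(get_cpu_pgd(cpu))` sequence under CONFIG_PAX_PER_CPU_PGD appears twice in `switch_mm` — once in the `prev != next` branch and again in the new `else` branch — and nothing says why the `prev == next` case needs it (presumably because `enter_lazy_tlb` cleared the shadow pgds, as the previous hunk shows); a `static inline` helper carrying that comment would remove the copy. Moving the closing brace leaves `}` and `else {` on separate lines, which is not kernel style; `} else {` is expected. The function continues into the next hunk, where the same `#ifndef CONFIG_PAX_PER_CPU_PGD` split around `load_cr3(next->pgd)` would benefit from the same helper.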
8147 @@ -63,11 +121,28 @@ static inline void switch_mm(struct mm_s
8148 * tlb flush IPI delivery. We must reload CR3
8149 * to make sure to use no freed page tables.
8150 */
8151 +
8152 +#ifndef CONFIG_PAX_PER_CPU_PGD
8153 load_cr3(next->pgd);
8154 +#endif
8155 +
8156 load_LDT_nolock(&next->context);
8157 +
8158 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
8159 + if (!(__supported_pte_mask & _PAGE_NX))
8160 + cpu_set(cpu, next->context.cpu_user_cs_mask);
8161 +#endif
8162 +
8163 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
8164 +#ifdef CONFIG_PAX_PAGEEXEC
8165 + if (!((next->pax_flags & MF_PAX_PAGEEXEC) && (__supported_pte_mask & _PAGE_NX)))
8166 +#endif
8167 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
8168 +#endif
8169 +
8170 }
8171 - }
8172 #endif
8173 + }
8174 }
8175
8176 #define activate_mm(prev, next) \
8177 diff -urNp linux-2.6.37/arch/x86/include/asm/mmu.h linux-2.6.37/arch/x86/include/asm/mmu.h
8178 --- linux-2.6.37/arch/x86/include/asm/mmu.h 2011-01-04 19:50:19.000000000 -0500
8179 +++ linux-2.6.37/arch/x86/include/asm/mmu.h 2011-01-17 02:41:00.000000000 -0500
8180 @@ -9,10 +9,23 @@
8181 * we put the segment information here.
8182 */
8183 typedef struct {
8184 - void *ldt;
8185 + struct desc_struct *ldt;
8186 int size;
8187 struct mutex lock;
8188 - void *vdso;
8189 + unsigned long vdso;
8190 +
8191 +#ifdef CONFIG_X86_32
8192 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
8193 + unsigned long user_cs_base;
8194 + unsigned long user_cs_limit;
8195 +
8196 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
8197 + cpumask_t cpu_user_cs_mask;
8198 +#endif
8199 +
8200 +#endif
8201 +#endif
8202 +
8203 } mm_context_t;
8204
8205 #ifdef CONFIG_SMP
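Review bot: The fields added to `mm_context_t` have no comments, unlike the struct's existing header text, and their meaning is only recoverable from the `switch_mm` hunk that reads them; suggest `/* PAGEEXEC/SEGMEXEC: base and limit of the per-mm user code segment loaded by set_user_cs() */` on `user_cs_base`/`user_cs_limit` and `/* CPUs currently running this mm's user CS (NX emulation); see switch_mm() */` on `cpu_user_cs_mask`, both hedged since `set_user_cs` itself is not visible. Changing `vdso` from `void *` to `unsigned long` is what lets the casts in the elf.h hunk be dropped; a short note on the field, `/* unsigned long so arch code can do arithmetic on it without casts */`, would tie the two together. `ldt` becoming `struct desc_struct *` is a welcome tightening of the type.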
8206 diff -urNp linux-2.6.37/arch/x86/include/asm/module.h linux-2.6.37/arch/x86/include/asm/module.h
8207 --- linux-2.6.37/arch/x86/include/asm/module.h 2011-01-04 19:50:19.000000000 -0500
8208 +++ linux-2.6.37/arch/x86/include/asm/module.h 2011-01-17 02:41:00.000000000 -0500
8209 @@ -59,8 +59,26 @@
8210 #error unknown processor family
8211 #endif
8212
8213 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8214 +#define MODULE_PAX_UDEREF "UDEREF "
8215 +#else
8216 +#define MODULE_PAX_UDEREF ""
8217 +#endif
8218 +
8219 #ifdef CONFIG_X86_32
8220 -# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY
8221 +# ifdef CONFIG_PAX_KERNEXEC
8222 +# define MODULE_PAX_KERNEXEC "KERNEXEC "
8223 +# else
8224 +# define MODULE_PAX_KERNEXEC ""
8225 +# endif
8226 +# ifdef CONFIG_GRKERNSEC
8227 +# define MODULE_GRSEC "GRSECURITY "
8228 +# else
8229 +# define MODULE_GRSEC ""
8230 +# endif
8231 +# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_GRSEC MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF
8232 +#else
8233 +# define MODULE_ARCH_VERMAGIC MODULE_PAX_UDEREF
8234 #endif
8235
8236 #endif /* _ASM_X86_MODULE_H */
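Review bot: The new vermagic records GRSECURITY and KERNEXEC only in the 32-bit branch; on x86-64 `MODULE_ARCH_VERMAGIC` expands to `MODULE_PAX_UDEREF` alone, even though `MODULE_PAX_UDEREF` itself is defined for both word sizes and this patch enables CONFIG_PAX_KERNEXEC paths on 64-bit as well (the paravirt.h and pgtable_64_types.h hunks). A module built without those options would therefore still pass the vermagic check on a 64-bit KERNEXEC/grsecurity kernel; if the options change any module-visible ABI there, `MODULE_GRSEC` and `MODULE_PAX_KERNEXEC` should be defined outside the `#ifdef CONFIG_X86_32` and the 64-bit branch should read `# define MODULE_ARCH_VERMAGIC MODULE_GRSEC MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF`. Whether such an ABI difference exists on 64-bit is not visible here.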
8237 diff -urNp linux-2.6.37/arch/x86/include/asm/page_64_types.h linux-2.6.37/arch/x86/include/asm/page_64_types.h
8238 --- linux-2.6.37/arch/x86/include/asm/page_64_types.h 2011-01-04 19:50:19.000000000 -0500
8239 +++ linux-2.6.37/arch/x86/include/asm/page_64_types.h 2011-01-17 02:41:00.000000000 -0500
8240 @@ -56,7 +56,7 @@ void copy_page(void *to, void *from);
8241
8242 /* duplicated to the one in bootmem.h */
8243 extern unsigned long max_pfn;
8244 -extern unsigned long phys_base;
8245 +extern const unsigned long phys_base;
8246
8247 extern unsigned long __phys_addr(unsigned long);
8248 #define __phys_reloc_hide(x) (x)
8249 diff -urNp linux-2.6.37/arch/x86/include/asm/paravirt.h linux-2.6.37/arch/x86/include/asm/paravirt.h
8250 --- linux-2.6.37/arch/x86/include/asm/paravirt.h 2011-01-04 19:50:19.000000000 -0500
8251 +++ linux-2.6.37/arch/x86/include/asm/paravirt.h 2011-01-17 02:41:00.000000000 -0500
8252 @@ -715,6 +715,21 @@ static inline void __set_fixmap(unsigned
8253 pv_mmu_ops.set_fixmap(idx, phys, flags);
8254 }
8255
8256 +#ifdef CONFIG_PAX_KERNEXEC
8257 +static inline unsigned long pax_open_kernel(void)
8258 +{
8259 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_open_kernel);
8260 +}
8261 +
8262 +static inline unsigned long pax_close_kernel(void)
8263 +{
8264 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_close_kernel);
8265 +}
8266 +#else
8267 +static inline unsigned long pax_open_kernel(void) { return 0; }
8268 +static inline unsigned long pax_close_kernel(void) { return 0; }
8269 +#endif
8270 +
8271 #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS)
8272
8273 static inline int arch_spin_is_locked(struct arch_spinlock *lock)
8274 @@ -931,7 +946,7 @@ extern void default_banner(void);
8275
8276 #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4)
8277 #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
8278 -#define PARA_INDIRECT(addr) *%cs:addr
8279 +#define PARA_INDIRECT(addr) *%ss:addr
8280 #endif
8281
8282 #define INTERRUPT_RETURN \
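Review bot: Changing `PARA_INDIRECT(addr)` from `*%cs:addr` to `*%ss:addr` alters every patched paravirt call/jump site and carries no explanation; presumably it is needed because KERNEXEC on 32-bit gives the kernel code segment a non-zero base (the `ktla_ktva` offset in the pgtable_32_types.h hunk), so a data reference through %cs would be displaced while %ss keeps the flat mapping. A comment on the define saying exactly that, e.g. `/* %ss, not %cs: with KERNEXEC the kernel CS base is shifted, so data fetches must go through a flat segment */`, would save the next reader the hunt, and it should state that the change is harmless when KERNEXEC is off.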
8283 @@ -1008,6 +1023,21 @@ extern void default_banner(void);
8284 PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit), \
8285 CLBR_NONE, \
8286 jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit))
8287 +
8288 +#define GET_CR0_INTO_RDI \
8289 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
8290 + mov %rax,%rdi
8291 +
8292 +#define SET_RDI_INTO_CR0 \
8293 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
8294 +
8295 +#define GET_CR3_INTO_RDI \
8296 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_read_cr3); \
8297 + mov %rax,%rdi
8298 +
8299 +#define SET_RDI_INTO_CR3 \
8300 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_write_cr3)
8301 +
8302 #endif /* CONFIG_X86_32 */
8303
8304 #endif /* __ASSEMBLY__ */
8305 diff -urNp linux-2.6.37/arch/x86/include/asm/paravirt_types.h linux-2.6.37/arch/x86/include/asm/paravirt_types.h
8306 --- linux-2.6.37/arch/x86/include/asm/paravirt_types.h 2011-01-04 19:50:19.000000000 -0500
8307 +++ linux-2.6.37/arch/x86/include/asm/paravirt_types.h 2011-01-17 02:41:00.000000000 -0500
8308 @@ -311,6 +311,12 @@ struct pv_mmu_ops {
8309 an mfn. We can tell which is which from the index. */
8310 void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx,
8311 phys_addr_t phys, pgprot_t flags);
8312 +
8313 +#ifdef CONFIG_PAX_KERNEXEC
8314 + unsigned long (*pax_open_kernel)(void);
8315 + unsigned long (*pax_close_kernel)(void);
8316 +#endif
8317 +
8318 };
8319
8320 struct arch_spinlock;
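Review bot: The two new `pv_mmu_ops` hooks are the only members in the visible part of this struct without a comment, while the neighbouring `set_fixmap` has a multi-line one; suggest `/* KERNEXEC: make kernel text/page tables writable (open) and read-only again (close); each returns the cr0 value in effect before the call */`, which matches the native implementation in the pgtable.h hunk, where `native_pax_open_kernel` clears X86_CR0_WP and returns `cr0 ^ X86_CR0_WP`. Because the members exist only under CONFIG_PAX_KERNEXEC, a backend that leaves them NULL would presumably fault at the first `PVOP_CALL0`; stating that every backend must fill them belongs in the same comment.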
8321 diff -urNp linux-2.6.37/arch/x86/include/asm/pci_x86.h linux-2.6.37/arch/x86/include/asm/pci_x86.h
8322 --- linux-2.6.37/arch/x86/include/asm/pci_x86.h 2011-01-04 19:50:19.000000000 -0500
8323 +++ linux-2.6.37/arch/x86/include/asm/pci_x86.h 2011-01-17 02:41:01.000000000 -0500
8324 @@ -93,16 +93,16 @@ extern int (*pcibios_enable_irq)(struct
8325 extern void (*pcibios_disable_irq)(struct pci_dev *dev);
8326
8327 struct pci_raw_ops {
8328 - int (*read)(unsigned int domain, unsigned int bus, unsigned int devfn,
8329 + int (* const read)(unsigned int domain, unsigned int bus, unsigned int devfn,
8330 int reg, int len, u32 *val);
8331 - int (*write)(unsigned int domain, unsigned int bus, unsigned int devfn,
8332 + int (* const write)(unsigned int domain, unsigned int bus, unsigned int devfn,
8333 int reg, int len, u32 val);
8334 };
8335
8336 -extern struct pci_raw_ops *raw_pci_ops;
8337 -extern struct pci_raw_ops *raw_pci_ext_ops;
8338 +extern const struct pci_raw_ops *raw_pci_ops;
8339 +extern const struct pci_raw_ops *raw_pci_ext_ops;
8340
8341 -extern struct pci_raw_ops pci_direct_conf1;
8342 +extern const struct pci_raw_ops pci_direct_conf1;
8343 extern bool port_cf9_safe;
8344
8345 /* arch_initcall level */
8346 diff -urNp linux-2.6.37/arch/x86/include/asm/pgalloc.h linux-2.6.37/arch/x86/include/asm/pgalloc.h
8347 --- linux-2.6.37/arch/x86/include/asm/pgalloc.h 2011-01-04 19:50:19.000000000 -0500
8348 +++ linux-2.6.37/arch/x86/include/asm/pgalloc.h 2011-01-17 02:41:01.000000000 -0500
8349 @@ -63,6 +63,13 @@ static inline void pmd_populate_kernel(s
8350 pmd_t *pmd, pte_t *pte)
8351 {
8352 paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
8353 + set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
8354 +}
8355 +
8356 +static inline void pmd_populate_user(struct mm_struct *mm,
8357 + pmd_t *pmd, pte_t *pte)
8358 +{
8359 + paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
8360 set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
8361 }
8362
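Review bot: `pmd_populate_kernel` now installs the pte page with `_KERNPG_TABLE` while the new `pmd_populate_user` keeps `_PAGE_TABLE`, and neither says what the difference is or which callers must switch; suggest a comment on the pair such as `/* kernel page tables get _KERNPG_TABLE (no _PAGE_USER); user mms must use pmd_populate_user() so the table stays reachable from user mode */`, hedged because the flag definitions are not in this hunk. Any existing caller that used `pmd_populate_kernel` for a user mm silently loses the user bit with this change, so the callers should be audited as part of the same patch. `pmd_populate_kernel` begins before the hunk.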
8363 diff -urNp linux-2.6.37/arch/x86/include/asm/pgtable-2level.h linux-2.6.37/arch/x86/include/asm/pgtable-2level.h
8364 --- linux-2.6.37/arch/x86/include/asm/pgtable-2level.h 2011-01-04 19:50:19.000000000 -0500
8365 +++ linux-2.6.37/arch/x86/include/asm/pgtable-2level.h 2011-01-17 02:41:01.000000000 -0500
8366 @@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t
8367
8368 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8369 {
8370 + pax_open_kernel();
8371 *pmdp = pmd;
8372 + pax_close_kernel();
8373 }
8374
8375 static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
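Review bot: `native_set_pmd` (and the `native_set_pud`/`native_set_pgd` variants in the pgtable-3level.h and pgtable_64.h hunks, plus `kpte_clear_flush` in pgtable_32.h) is now bracketed by `pax_open_kernel()`/`pax_close_kernel()`, but the native implementation in the pgtable.h hunk does `cr0 = read_cr0() ^ X86_CR0_WP; BUG_ON(unlikely(cr0 & X86_CR0_WP));`, i.e. it BUGs if WP was already clear, so these setters must never be called from inside an already-open section. That constraint is not visible at the setters; suggest `/* KERNEXEC: opens/closes the kernel for writing itself — do not call with pax_open_kernel() already in effect */` on each, or an explicit statement at the open/close definitions that they do not nest. The open call also does `preempt_disable()`, so each setter now runs its single store with preemption off; the discarded return values (previous cr0) are fine as long as the non-nesting rule holds.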
8376 diff -urNp linux-2.6.37/arch/x86/include/asm/pgtable_32.h linux-2.6.37/arch/x86/include/asm/pgtable_32.h
8377 --- linux-2.6.37/arch/x86/include/asm/pgtable_32.h 2011-01-04 19:50:19.000000000 -0500
8378 +++ linux-2.6.37/arch/x86/include/asm/pgtable_32.h 2011-01-17 02:41:01.000000000 -0500
8379 @@ -25,9 +25,6 @@
8380 struct mm_struct;
8381 struct vm_area_struct;
8382
8383 -extern pgd_t swapper_pg_dir[1024];
8384 -extern pgd_t initial_page_table[1024];
8385 -
8386 static inline void pgtable_cache_init(void) { }
8387 static inline void check_pgt_cache(void) { }
8388 void paging_init(void);
8389 @@ -48,6 +45,12 @@ extern void set_pmd_pfn(unsigned long, u
8390 # include <asm/pgtable-2level.h>
8391 #endif
8392
8393 +extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
8394 +extern pgd_t initial_page_table[PTRS_PER_PGD];
8395 +#ifdef CONFIG_X86_PAE
8396 +extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
8397 +#endif
8398 +
8399 #if defined(CONFIG_HIGHPTE)
8400 #define pte_offset_map(dir, address) \
8401 ((pte_t *)kmap_atomic(pmd_page(*(dir))) + \
8402 @@ -62,7 +65,9 @@ extern void set_pmd_pfn(unsigned long, u
8403 /* Clear a kernel PTE and flush it from the TLB */
8404 #define kpte_clear_flush(ptep, vaddr) \
8405 do { \
8406 + pax_open_kernel(); \
8407 pte_clear(&init_mm, (vaddr), (ptep)); \
8408 + pax_close_kernel(); \
8409 __flush_tlb_one((vaddr)); \
8410 } while (0)
8411
8412 @@ -74,6 +79,9 @@ do { \
8413
8414 #endif /* !__ASSEMBLY__ */
8415
8416 +#define HAVE_ARCH_UNMAPPED_AREA
8417 +#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
8418 +
8419 /*
8420 * kern_addr_valid() is (1) for FLATMEM and (0) for
8421 * SPARSEMEM and DISCONTIGMEM
8422 diff -urNp linux-2.6.37/arch/x86/include/asm/pgtable_32_types.h linux-2.6.37/arch/x86/include/asm/pgtable_32_types.h
8423 --- linux-2.6.37/arch/x86/include/asm/pgtable_32_types.h 2011-01-04 19:50:19.000000000 -0500
8424 +++ linux-2.6.37/arch/x86/include/asm/pgtable_32_types.h 2011-01-17 02:41:01.000000000 -0500
8425 @@ -8,7 +8,7 @@
8426 */
8427 #ifdef CONFIG_X86_PAE
8428 # include <asm/pgtable-3level_types.h>
8429 -# define PMD_SIZE (1UL << PMD_SHIFT)
8430 +# define PMD_SIZE (_AC(1, UL) << PMD_SHIFT)
8431 # define PMD_MASK (~(PMD_SIZE - 1))
8432 #else
8433 # include <asm/pgtable-2level_types.h>
8434 @@ -46,6 +46,19 @@ extern bool __vmalloc_start_set; /* set
8435 # define VMALLOC_END (FIXADDR_START - 2 * PAGE_SIZE)
8436 #endif
8437
8438 +#ifdef CONFIG_PAX_KERNEXEC
8439 +#ifndef __ASSEMBLY__
8440 +extern unsigned char MODULES_EXEC_VADDR[];
8441 +extern unsigned char MODULES_EXEC_END[];
8442 +#endif
8443 +#include <asm/boot.h>
8444 +#define ktla_ktva(addr) (addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)
8445 +#define ktva_ktla(addr) (addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)
8446 +#else
8447 +#define ktla_ktva(addr) (addr)
8448 +#define ktva_ktla(addr) (addr)
8449 +#endif
8450 +
8451 #define MODULES_VADDR VMALLOC_START
8452 #define MODULES_END VMALLOC_END
8453 #define MODULES_LEN (MODULES_VADDR - MODULES_END)
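Review bot: `ktla_ktva(addr)` and `ktva_ktla(addr)` expand their argument unparenthesised (`(addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)`), so an argument such as `flag ? a : b` is mis-parsed; the usual `((addr) + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)` form is needed, and the identity fallbacks here and in the pgtable_64_types.h hunk should be `((addr))` for the same reason. The abbreviations are not explained in the hunk; suggest `/* KERNEXEC: convert between kernel text linear (ktla) and virtual (ktva) addresses, which differ by the CS base shift */`, hedged since the naming is inferred. Placing `#include <asm/boot.h>` inside the `#ifdef` makes the header's include set depend on the config; hoisting it keeps `LOAD_PHYSICAL_ADDR` available unconditionally.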
8454 diff -urNp linux-2.6.37/arch/x86/include/asm/pgtable-3level.h linux-2.6.37/arch/x86/include/asm/pgtable-3level.h
8455 --- linux-2.6.37/arch/x86/include/asm/pgtable-3level.h 2011-01-04 19:50:19.000000000 -0500
8456 +++ linux-2.6.37/arch/x86/include/asm/pgtable-3level.h 2011-01-17 02:41:01.000000000 -0500
8457 @@ -38,12 +38,16 @@ static inline void native_set_pte_atomic
8458
8459 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8460 {
8461 + pax_open_kernel();
8462 set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd));
8463 + pax_close_kernel();
8464 }
8465
8466 static inline void native_set_pud(pud_t *pudp, pud_t pud)
8467 {
8468 + pax_open_kernel();
8469 set_64bit((unsigned long long *)(pudp), native_pud_val(pud));
8470 + pax_close_kernel();
8471 }
8472
8473 /*
8474 diff -urNp linux-2.6.37/arch/x86/include/asm/pgtable_64.h linux-2.6.37/arch/x86/include/asm/pgtable_64.h
8475 --- linux-2.6.37/arch/x86/include/asm/pgtable_64.h 2011-01-04 19:50:19.000000000 -0500
8476 +++ linux-2.6.37/arch/x86/include/asm/pgtable_64.h 2011-01-17 02:41:01.000000000 -0500
8477 @@ -16,10 +16,13 @@
8478
8479 extern pud_t level3_kernel_pgt[512];
8480 extern pud_t level3_ident_pgt[512];
8481 +extern pud_t level3_vmalloc_pgt[512];
8482 +extern pud_t level3_vmemmap_pgt[512];
8483 +extern pud_t level2_vmemmap_pgt[512];
8484 extern pmd_t level2_kernel_pgt[512];
8485 extern pmd_t level2_fixmap_pgt[512];
8486 -extern pmd_t level2_ident_pgt[512];
8487 -extern pgd_t init_level4_pgt[];
8488 +extern pmd_t level2_ident_pgt[512*2];
8489 +extern pgd_t init_level4_pgt[512];
8490
8491 #define swapper_pg_dir init_level4_pgt
8492
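Review bot: The extern sizes here use literals (`level2_ident_pgt[512*2]`, `init_level4_pgt[512]`) while the parallel pgtable_32.h hunk switches to `PTRS_PER_PGD`; the 64-bit declarations could use `PTRS_PER_PGD`/`PTRS_PER_PMD` too, and `512*2` deserves a name or a comment saying why the identity pmd table is doubled, which is not inferable from this hunk. These externs must agree with the assembler definitions of the tables, a mismatch the compiler cannot catch, so a comment pointing at the defining file would help the next person who changes either side.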
8493 @@ -74,7 +77,9 @@ static inline pte_t native_ptep_get_and_
8494
8495 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8496 {
8497 + pax_open_kernel();
8498 *pmdp = pmd;
8499 + pax_close_kernel();
8500 }
8501
8502 static inline void native_pmd_clear(pmd_t *pmd)
8503 @@ -94,7 +99,9 @@ static inline void native_pud_clear(pud_
8504
8505 static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
8506 {
8507 + pax_open_kernel();
8508 *pgdp = pgd;
8509 + pax_close_kernel();
8510 }
8511
8512 static inline void native_pgd_clear(pgd_t *pgd)
8513 diff -urNp linux-2.6.37/arch/x86/include/asm/pgtable_64_types.h linux-2.6.37/arch/x86/include/asm/pgtable_64_types.h
8514 --- linux-2.6.37/arch/x86/include/asm/pgtable_64_types.h 2011-01-04 19:50:19.000000000 -0500
8515 +++ linux-2.6.37/arch/x86/include/asm/pgtable_64_types.h 2011-01-17 02:41:01.000000000 -0500
8516 @@ -59,5 +59,10 @@ typedef struct { pteval_t pte; } pte_t;
8517 #define MODULES_VADDR _AC(0xffffffffa0000000, UL)
8518 #define MODULES_END _AC(0xffffffffff000000, UL)
8519 #define MODULES_LEN (MODULES_END - MODULES_VADDR)
8520 +#define MODULES_EXEC_VADDR MODULES_VADDR
8521 +#define MODULES_EXEC_END MODULES_END
8522 +
8523 +#define ktla_ktva(addr) (addr)
8524 +#define ktva_ktla(addr) (addr)
8525
8526 #endif /* _ASM_X86_PGTABLE_64_DEFS_H */
8527 diff -urNp linux-2.6.37/arch/x86/include/asm/pgtable.h linux-2.6.37/arch/x86/include/asm/pgtable.h
8528 --- linux-2.6.37/arch/x86/include/asm/pgtable.h 2011-01-04 19:50:19.000000000 -0500
8529 +++ linux-2.6.37/arch/x86/include/asm/pgtable.h 2011-01-17 02:41:01.000000000 -0500
8530 @@ -78,12 +78,51 @@ extern struct mm_struct *pgd_page_get_mm
8531
8532 #define arch_end_context_switch(prev) do {} while(0)
8533
8534 +#define pax_open_kernel() native_pax_open_kernel()
8535 +#define pax_close_kernel() native_pax_close_kernel()
8536 #endif /* CONFIG_PARAVIRT */
8537
8538 +#define __HAVE_ARCH_PAX_OPEN_KERNEL
8539 +#define __HAVE_ARCH_PAX_CLOSE_KERNEL
8540 +
8541 +#ifdef CONFIG_PAX_KERNEXEC
8542 +static inline unsigned long native_pax_open_kernel(void)
8543 +{
8544 + unsigned long cr0;
8545 +
8546 + preempt_disable();
8547 + barrier();
8548 + cr0 = read_cr0() ^ X86_CR0_WP;
8549 + BUG_ON(unlikely(cr0 & X86_CR0_WP));
8550 + write_cr0(cr0);
8551 + return cr0 ^ X86_CR0_WP;
8552 +}
8553 +
8554 +static inline unsigned long native_pax_close_kernel(void)
8555 +{
8556 + unsigned long cr0;
8557 +
8558 + cr0 = read_cr0() ^ X86_CR0_WP;
8559 + BUG_ON(unlikely(!(cr0 & X86_CR0_WP)));
8560 + write_cr0(cr0);
8561 + barrier();
8562 + preempt_enable_no_resched();
8563 + return cr0 ^ X86_CR0_WP;
8564 +}
8565 +#else
8566 +static inline unsigned long native_pax_open_kernel(void) { return 0; }
8567 +static inline unsigned long native_pax_close_kernel(void) { return 0; }
8568 +#endif
8569 +
8570 /*
8571 * The following only work if pte_present() is true.
8572 * Undefined behaviour if not..
8573 */
8574 +static inline int pte_user(pte_t pte)
8575 +{
8576 + return pte_val(pte) & _PAGE_USER;
8577 +}
8578 +
8579 static inline int pte_dirty(pte_t pte)
8580 {
8581 return pte_flags(pte) & _PAGE_DIRTY;
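Review bot: native_pax_open_kernel() and native_pax_close_kernel() lack a comment stating their contract: the BUG_ON in each makes a nested open (WP already clear) or an unpaired close (WP already set) a crash rather than a no-op, and the preempt_disable()/preempt_enable_no_resched() pair ties the window to one CPU, so the two must be called in matched pairs on the same CPU with nothing that sleeps in between. A header comment such as `/* Clear CR0.WP so the kernel may write read-only pages; pair with native_pax_close_kernel() on the same CPU, never nest, never sleep inside (preemption is off). Returns the original cr0. */` captures that, and the reason for preferring preempt_enable_no_resched() over preempt_enable() is not visible here and deserves a line of its own. Separately, pte_user() reads `pte_val(pte) & _PAGE_USER` while its neighbour pte_dirty() goes through pte_flags(); `return pte_flags(pte) & _PAGE_USER;` keeps the accessor style uniform.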
8582 @@ -171,9 +210,29 @@ static inline pte_t pte_wrprotect(pte_t
8583 return pte_clear_flags(pte, _PAGE_RW);
8584 }
8585
8586 +static inline pte_t pte_mkread(pte_t pte)
8587 +{
8588 + return __pte(pte_val(pte) | _PAGE_USER);
8589 +}
8590 +
8591 static inline pte_t pte_mkexec(pte_t pte)
8592 {
8593 - return pte_clear_flags(pte, _PAGE_NX);
8594 +#ifdef CONFIG_X86_PAE
8595 + if (__supported_pte_mask & _PAGE_NX)
8596 + return pte_clear_flags(pte, _PAGE_NX);
8597 + else
8598 +#endif
8599 + return pte_set_flags(pte, _PAGE_USER);
8600 +}
8601 +
8602 +static inline pte_t pte_exprotect(pte_t pte)
8603 +{
8604 +#ifdef CONFIG_X86_PAE
8605 + if (__supported_pte_mask & _PAGE_NX)
8606 + return pte_set_flags(pte, _PAGE_NX);
8607 + else
8608 +#endif
8609 + return pte_clear_flags(pte, _PAGE_USER);
8610 }
8611
8612 static inline pte_t pte_mkdirty(pte_t pte)
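Review bot: pte_mkread() builds its result with `__pte(pte_val(pte) | _PAGE_USER)` while the surrounding helpers, including the new pte_mkexec()/pte_exprotect() bodies, use pte_set_flags()/pte_clear_flags(); `return pte_set_flags(pte, _PAGE_USER);` is the consistent form. In pte_mkexec() and pte_exprotect() the `else` left dangling before `#endif` is fragile: the `if` branch already returns, so dropping the two `else` lines and letting the `_PAGE_USER` return stand as the fall-through gives identical code without a conditional whose shape depends on the preprocessor. Nothing in the hunk says why, on PAE builds without NX support and on non-PAE builds, "executable" is expressed through _PAGE_USER — presumably a SEGMEXEC convention (confirm); a one-line comment above pte_mkexec() would save the next reader the detour.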
8613 @@ -306,6 +365,15 @@ pte_t *populate_extra_pte(unsigned long
8614 #endif
8615
8616 #ifndef __ASSEMBLY__
8617 +
8618 +#ifdef CONFIG_PAX_PER_CPU_PGD
8619 +extern pgd_t cpu_pgd[NR_CPUS][PTRS_PER_PGD];
8620 +static inline pgd_t *get_cpu_pgd(unsigned int cpu)
8621 +{
8622 + return cpu_pgd[cpu];
8623 +}
8624 +#endif
8625 +
8626 #include <linux/mm_types.h>
8627
8628 static inline int pte_none(pte_t pte)
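Review bot: get_cpu_pgd() indexes cpu_pgd[NR_CPUS][PTRS_PER_PGD] with an unchecked unsigned cpu, so any value at or above NR_CPUS walks off the end of the array. If callers are only ever expected to pass a live CPU number (smp_processor_id() or similar — not visible here), state that as a precondition, e.g. `/* cpu must be < NR_CPUS; callers pass a live CPU id */`, or add `BUG_ON(cpu >= NR_CPUS);` while the helper is still new and cheap to harden.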
8629 @@ -476,7 +544,7 @@ static inline pud_t *pud_offset(pgd_t *p
8630
8631 static inline int pgd_bad(pgd_t pgd)
8632 {
8633 - return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
8634 + return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE;
8635 }
8636
8637 static inline int pgd_none(pgd_t pgd)
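Review bot: pgd_bad() now tolerates _PAGE_NX on a pgd entry, which relaxes a sanity check without saying which code puts NX into pgd entries; presumably it is the user-pgd shadowing this patch adds elsewhere (__shadow_user_pgds() is declared in a later hunk of this file). A short comment, `/* user pgd entries may carry NX under PaX; ignore it like _PAGE_USER */`, makes the relaxation read as deliberate rather than as a loosened check.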
8638 @@ -499,7 +567,12 @@ static inline int pgd_none(pgd_t pgd)
8639 * pgd_offset() returns a (pgd_t *)
8640 * pgd_index() is used get the offset into the pgd page's array of pgd_t's;
8641 */
8642 -#define pgd_offset(mm, address) ((mm)->pgd + pgd_index((address)))
8643 +#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address))
8644 +
8645 +#ifdef CONFIG_PAX_PER_CPU_PGD
8646 +#define pgd_offset_cpu(cpu, address) (get_cpu_pgd(cpu) + pgd_index(address))
8647 +#endif
8648 +
8649 /*
8650 * a shortcut which implies the use of the kernel's pgd, instead
8651 * of a process's
8652 @@ -510,6 +583,20 @@ static inline int pgd_none(pgd_t pgd)
8653 #define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET)
8654 #define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY)
8655
8656 +#ifdef CONFIG_X86_32
8657 +#define USER_PGD_PTRS KERNEL_PGD_BOUNDARY
8658 +#else
8659 +#define TASK_SIZE_MAX_SHIFT CONFIG_TASK_SIZE_MAX_SHIFT
8660 +#define USER_PGD_PTRS (_AC(1,UL) << (TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT))
8661 +
8662 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8663 +#define PAX_USER_SHADOW_BASE (_AC(1,UL) << TASK_SIZE_MAX_SHIFT)
8664 +#else
8665 +#define PAX_USER_SHADOW_BASE (_AC(0,UL))
8666 +#endif
8667 +
8668 +#endif
8669 +
8670 #ifndef __ASSEMBLY__
8671
8672 extern int direct_gbpages;
8673 @@ -617,11 +704,23 @@ static inline void ptep_set_wrprotect(st
8674 * dst and src can be on the same page, but the range must not overlap,
8675 * and must not cross a page boundary.
8676 */
8677 -static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
8678 +static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count)
8679 {
8680 - memcpy(dst, src, count * sizeof(pgd_t));
8681 + pax_open_kernel();
8682 + while (count--)
8683 + *dst++ = *src++;
8684 + pax_close_kernel();
8685 }
8686
8687 +#ifdef CONFIG_PAX_PER_CPU_PGD
8688 +extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count);
8689 +#endif
8690 +
8691 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
8692 +extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count);
8693 +#else
8694 +static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count) {}
8695 +#endif
8696
8697 #include <asm-generic/pgtable.h>
8698 #endif /* __ASSEMBLY__ */
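Review bot: clone_pgd_range() now loops `while (count--)` on an `int`, so a negative count — which the old memcpy() would equally have mishandled — spins writing pgd entries past both arrays with CR0.WP cleared. Since the signature is already being touched, `static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, unsigned int count)` (or a `BUG_ON(count < 0);` before the loop) closes that hole; the callers supplying the count are outside the hunk. A comment on why an entry-by-entry copy replaced memcpy() (presumably to keep the pax_open_kernel() window free of an out-of-line call — confirm) would also help.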
8699 diff -urNp linux-2.6.37/arch/x86/include/asm/pgtable_types.h linux-2.6.37/arch/x86/include/asm/pgtable_types.h
8700 --- linux-2.6.37/arch/x86/include/asm/pgtable_types.h 2011-01-04 19:50:19.000000000 -0500
8701 +++ linux-2.6.37/arch/x86/include/asm/pgtable_types.h 2011-01-17 02:41:01.000000000 -0500
8702 @@ -16,12 +16,11 @@
8703 #define _PAGE_BIT_PSE 7 /* 4 MB (or 2MB) page */
8704 #define _PAGE_BIT_PAT 7 /* on 4KB pages */
8705 #define _PAGE_BIT_GLOBAL 8 /* Global TLB entry PPro+ */
8706 -#define _PAGE_BIT_UNUSED1 9 /* available for programmer */
8707 +#define _PAGE_BIT_SPECIAL 9 /* special mappings, no associated struct page */
8708 #define _PAGE_BIT_IOMAP 10 /* flag used to indicate IO mapping */
8709 #define _PAGE_BIT_HIDDEN 11 /* hidden by kmemcheck */
8710 #define _PAGE_BIT_PAT_LARGE 12 /* On 2MB or 1GB pages */
8711 -#define _PAGE_BIT_SPECIAL _PAGE_BIT_UNUSED1
8712 -#define _PAGE_BIT_CPA_TEST _PAGE_BIT_UNUSED1
8713 +#define _PAGE_BIT_CPA_TEST _PAGE_BIT_SPECIAL
8714 #define _PAGE_BIT_NX 63 /* No execute: only valid after cpuid check */
8715
8716 /* If _PAGE_BIT_PRESENT is clear, we use these: */
8717 @@ -39,7 +38,6 @@
8718 #define _PAGE_DIRTY (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY)
8719 #define _PAGE_PSE (_AT(pteval_t, 1) << _PAGE_BIT_PSE)
8720 #define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
8721 -#define _PAGE_UNUSED1 (_AT(pteval_t, 1) << _PAGE_BIT_UNUSED1)
8722 #define _PAGE_IOMAP (_AT(pteval_t, 1) << _PAGE_BIT_IOMAP)
8723 #define _PAGE_PAT (_AT(pteval_t, 1) << _PAGE_BIT_PAT)
8724 #define _PAGE_PAT_LARGE (_AT(pteval_t, 1) << _PAGE_BIT_PAT_LARGE)
8725 @@ -55,8 +53,10 @@
8726
8727 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
8728 #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX)
8729 -#else
8730 +#elif defined(CONFIG_KMEMCHECK)
8731 #define _PAGE_NX (_AT(pteval_t, 0))
8732 +#else
8733 +#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)
8734 #endif
8735
8736 #define _PAGE_FILE (_AT(pteval_t, 1) << _PAGE_BIT_FILE)
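Review bot: On non-PAE 32-bit builds _PAGE_NX now aliases _PAGE_BIT_HIDDEN (bit 11, described at line 8712 as the kmemcheck bit), a PTE bit the hardware does not interpret, so _PAGE_NX becomes a purely software marker there and drops back to zero when KMEMCHECK needs the bit; none of that is said in the hunk. A comment on the new branch, `/* no hardware NX without PAE: reuse the (otherwise kmemcheck) software bit as an NX marker */`, records why the three-way split exists and why kmemcheck wins the bit.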
8737 @@ -93,6 +93,9 @@
8738 #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | \
8739 _PAGE_ACCESSED)
8740
8741 +#define PAGE_READONLY_NOEXEC PAGE_READONLY
8742 +#define PAGE_SHARED_NOEXEC PAGE_SHARED
8743 +
8744 #define __PAGE_KERNEL_EXEC \
8745 (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
8746 #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX)
8747 @@ -103,8 +106,8 @@
8748 #define __PAGE_KERNEL_WC (__PAGE_KERNEL | _PAGE_CACHE_WC)
8749 #define __PAGE_KERNEL_NOCACHE (__PAGE_KERNEL | _PAGE_PCD | _PAGE_PWT)
8750 #define __PAGE_KERNEL_UC_MINUS (__PAGE_KERNEL | _PAGE_PCD)
8751 -#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RX | _PAGE_USER)
8752 -#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_VSYSCALL | _PAGE_PCD | _PAGE_PWT)
8753 +#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RO | _PAGE_USER)
8754 +#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_RO | _PAGE_PCD | _PAGE_PWT | _PAGE_USER)
8755 #define __PAGE_KERNEL_LARGE (__PAGE_KERNEL | _PAGE_PSE)
8756 #define __PAGE_KERNEL_LARGE_NOCACHE (__PAGE_KERNEL | _PAGE_CACHE_UC | _PAGE_PSE)
8757 #define __PAGE_KERNEL_LARGE_EXEC (__PAGE_KERNEL_EXEC | _PAGE_PSE)
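Review bot: __PAGE_KERNEL_VSYSCALL switches from __PAGE_KERNEL_RX to __PAGE_KERNEL_RO; if __PAGE_KERNEL_RO is derived from __PAGE_KERNEL the way line 8749 shows, it carries _PAGE_NX and the user-visible vsyscall page becomes non-executable. That is a deliberate hardening step which presumably makes the fixed-address vsyscall entry points fault (the code that copes with that is outside this hunk), so it needs a comment here, e.g. `/* PaX: vsyscall page is user-readable but not executable (NX) */`, with the mechanism that keeps legacy callers working referenced by name once it is known.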
8758 @@ -163,8 +166,8 @@
8759 * bits are combined, this will alow user to access the high address mapped
8760 * VDSO in the presence of CONFIG_COMPAT_VDSO
8761 */
8762 -#define PTE_IDENT_ATTR 0x003 /* PRESENT+RW */
8763 -#define PDE_IDENT_ATTR 0x067 /* PRESENT+RW+USER+DIRTY+ACCESSED */
8764 +#define PTE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
8765 +#define PDE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
8766 #define PGD_IDENT_ATTR 0x001 /* PRESENT (no other attributes) */
8767 #endif
8768
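Review bot: The context comment directly above the changed lines ("... this will alow user to access the high address mapped VDSO in the presence of CONFIG_COMPAT_VDSO") describes PDE_IDENT_ATTR carrying _PAGE_USER, which this hunk removes (0x067 -> 0x063), so the comment now contradicts the value it explains. Reword it to say the identity PDEs are kernel-only (no USER bit) and, if COMPAT_VDSO access is provided another way under PaX, where; the "alow" typo can go at the same time. PTE_IDENT_ATTR gaining DIRTY+ACCESSED is harmless but also worth a word, since the two attrs are now identical and one could be defined in terms of the other.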
8769 @@ -202,7 +205,17 @@ static inline pgdval_t pgd_flags(pgd_t p
8770 {
8771 return native_pgd_val(pgd) & PTE_FLAGS_MASK;
8772 }
8773 +#endif
8774
8775 +#if PAGETABLE_LEVELS == 3
8776 +#include <asm-generic/pgtable-nopud.h>
8777 +#endif
8778 +
8779 +#if PAGETABLE_LEVELS == 2
8780 +#include <asm-generic/pgtable-nopmd.h>
8781 +#endif
8782 +
8783 +#ifndef __ASSEMBLY__
8784 #if PAGETABLE_LEVELS > 3
8785 typedef struct { pudval_t pud; } pud_t;
8786
8787 @@ -216,8 +229,6 @@ static inline pudval_t native_pud_val(pu
8788 return pud.pud;
8789 }
8790 #else
8791 -#include <asm-generic/pgtable-nopud.h>
8792 -
8793 static inline pudval_t native_pud_val(pud_t pud)
8794 {
8795 return native_pgd_val(pud.pgd);
8796 @@ -237,8 +248,6 @@ static inline pmdval_t native_pmd_val(pm
8797 return pmd.pmd;
8798 }
8799 #else
8800 -#include <asm-generic/pgtable-nopmd.h>
8801 -
8802 static inline pmdval_t native_pmd_val(pmd_t pmd)
8803 {
8804 return native_pgd_val(pmd.pud.pgd);
8805 @@ -278,7 +287,6 @@ typedef struct page *pgtable_t;
8806
8807 extern pteval_t __supported_pte_mask;
8808 extern void set_nx(void);
8809 -extern int nx_enabled;
8810
8811 #define pgprot_writecombine pgprot_writecombine
8812 extern pgprot_t pgprot_writecombine(pgprot_t prot);
8813 diff -urNp linux-2.6.37/arch/x86/include/asm/processor.h linux-2.6.37/arch/x86/include/asm/processor.h
8814 --- linux-2.6.37/arch/x86/include/asm/processor.h 2011-01-04 19:50:19.000000000 -0500
8815 +++ linux-2.6.37/arch/x86/include/asm/processor.h 2011-01-17 02:41:01.000000000 -0500
8816 @@ -271,7 +271,7 @@ struct tss_struct {
8817
8818 } ____cacheline_aligned;
8819
8820 -DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss);
8821 +extern struct tss_struct init_tss[NR_CPUS];
8822
8823 /*
8824 * Save the original ist values for checking stack pointers during debugging
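Review bot: Replacing the per-cpu init_tss with `extern struct tss_struct init_tss[NR_CPUS]` allocates NR_CPUS cacheline-aligned TSS structures statically regardless of how many CPUs are present, and every user must now index with a CPU number below NR_CPUS instead of going through the per-cpu accessors. A comment stating the reason for the change (presumably so each TSS has a fixed, non-per-cpu address that KERNEXEC/UDEREF can rely on — confirm) and the indexing contract would help, since both the definition and the callers are outside this hunk.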
8825 @@ -864,8 +864,15 @@ static inline void spin_lock_prefetch(co
8826 */
8827 #define TASK_SIZE PAGE_OFFSET
8828 #define TASK_SIZE_MAX TASK_SIZE
8829 +
8830 +#ifdef CONFIG_PAX_SEGMEXEC
8831 +#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
8832 +#define STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE)
8833 +#else
8834 #define STACK_TOP TASK_SIZE
8835 -#define STACK_TOP_MAX STACK_TOP
8836 +#endif
8837 +
8838 +#define STACK_TOP_MAX TASK_SIZE
8839
8840 #define INIT_THREAD { \
8841 .sp0 = sizeof(init_stack) + (long)&init_stack, \
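Review bot: The SEGMEXEC STACK_TOP dereferences `current->mm->pax_flags`, so it is only usable where current has an mm (exec and mmap paths); evaluating it from a kernel thread would be a NULL dereference. A comment on the macro, `/* requires current->mm: only valid in process context with an address space */`, records the constraint, and STACK_TOP_MAX being pinned to TASK_SIZE rather than STACK_TOP deserves a word too (presumably so the initial stack may be placed above the SEGMEXEC split — confirm).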
8842 @@ -882,7 +889,7 @@ static inline void spin_lock_prefetch(co
8843 */
8844 #define INIT_TSS { \
8845 .x86_tss = { \
8846 - .sp0 = sizeof(init_stack) + (long)&init_stack, \
8847 + .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
8848 .ss0 = __KERNEL_DS, \
8849 .ss1 = __KERNEL_CS, \
8850 .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
8851 @@ -893,11 +900,7 @@ static inline void spin_lock_prefetch(co
8852 extern unsigned long thread_saved_pc(struct task_struct *tsk);
8853
8854 #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
8855 -#define KSTK_TOP(info) \
8856 -({ \
8857 - unsigned long *__ptr = (unsigned long *)(info); \
8858 - (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
8859 -})
8860 +#define KSTK_TOP(info) ((info)->task.thread.sp0)
8861
8862 /*
8863 * The below -8 is to reserve 8 bytes on top of the ring0 stack.
8864 @@ -912,7 +915,7 @@ extern unsigned long thread_saved_pc(str
8865 #define task_pt_regs(task) \
8866 ({ \
8867 struct pt_regs *__regs__; \
8868 - __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
8869 + __regs__ = (struct pt_regs *)((task)->thread.sp0); \
8870 __regs__ - 1; \
8871 })
8872
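Review bot: task_pt_regs() no longer subtracts 8 from the stack top because the `- 8` has moved into INIT_TSS's .sp0 (hunk @@ -882 above) and KSTK_TOP() now reads sp0 directly, but the comment left in the previous hunk's context, "The below -8 is to reserve 8 bytes on top of the ring0 stack", still points at this macro and no longer describes it. Move that sentence next to the `.sp0 = ... - 8` initialiser, and consider naming the constant once, since the same 8 presumably also appears wherever sp0 is set for new threads (outside this hunk).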
8873 @@ -922,13 +925,13 @@ extern unsigned long thread_saved_pc(str
8874 /*
8875 * User space process size. 47bits minus one guard page.
8876 */
8877 -#define TASK_SIZE_MAX ((1UL << 47) - PAGE_SIZE)
8878 +#define TASK_SIZE_MAX ((1UL << TASK_SIZE_MAX_SHIFT) - PAGE_SIZE)
8879
8880 /* This decides where the kernel will search for a free chunk of vm
8881 * space during mmap's.
8882 */
8883 #define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? \
8884 - 0xc0000000 : 0xFFFFe000)
8885 + 0xc0000000 : 0xFFFFf000)
8886
8887 #define TASK_SIZE (test_thread_flag(TIF_IA32) ? \
8888 IA32_PAGE_OFFSET : TASK_SIZE_MAX)
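Review bot: The comment "User space process size. 47bits minus one guard page." is now wrong whenever CONFIG_TASK_SIZE_MAX_SHIFT is not 47, since TASK_SIZE_MAX is derived from TASK_SIZE_MAX_SHIFT; say `/* User space process size: TASK_SIZE_MAX_SHIFT bits minus one guard page. */`. The IA32_PAGE_OFFSET change from 0xFFFFe000 to 0xFFFFf000 shrinks the 32-bit top-of-address-space reservation from two pages to one and has no comment; a line stating why the second page is unnecessary under PaX would stop it being "corrected" back on the next merge.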
8889 @@ -965,6 +968,10 @@ extern void start_thread(struct pt_regs
8890 */
8891 #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
8892
8893 +#ifdef CONFIG_PAX_SEGMEXEC
8894 +#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
8895 +#endif
8896 +
8897 #define KSTK_EIP(task) (task_pt_regs(task)->ip)
8898
8899 /* Get/set a process' ability to use the timestamp counter instruction */
8900 diff -urNp linux-2.6.37/arch/x86/include/asm/ptrace.h linux-2.6.37/arch/x86/include/asm/ptrace.h
8901 --- linux-2.6.37/arch/x86/include/asm/ptrace.h 2011-01-04 19:50:19.000000000 -0500
8902 +++ linux-2.6.37/arch/x86/include/asm/ptrace.h 2011-01-17 02:41:01.000000000 -0500
8903 @@ -152,28 +152,29 @@ static inline unsigned long regs_return_
8904 }
8905
8906 /*
8907 - * user_mode_vm(regs) determines whether a register set came from user mode.
8908 + * user_mode(regs) determines whether a register set came from user mode.
8909 * This is true if V8086 mode was enabled OR if the register set was from
8910 * protected mode with RPL-3 CS value. This tricky test checks that with
8911 * one comparison. Many places in the kernel can bypass this full check
8912 - * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
8913 + * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
8914 + * be used.
8915 */
8916 -static inline int user_mode(struct pt_regs *regs)
8917 +static inline int user_mode_novm(struct pt_regs *regs)
8918 {
8919 #ifdef CONFIG_X86_32
8920 return (regs->cs & SEGMENT_RPL_MASK) == USER_RPL;
8921 #else
8922 - return !!(regs->cs & 3);
8923 + return !!(regs->cs & SEGMENT_RPL_MASK);
8924 #endif
8925 }
8926
8927 -static inline int user_mode_vm(struct pt_regs *regs)
8928 +static inline int user_mode(struct pt_regs *regs)
8929 {
8930 #ifdef CONFIG_X86_32
8931 return ((regs->cs & SEGMENT_RPL_MASK) | (regs->flags & X86_VM_MASK)) >=
8932 USER_RPL;
8933 #else
8934 - return user_mode(regs);
8935 + return user_mode_novm(regs);
8936 #endif
8937 }
8938
8939 diff -urNp linux-2.6.37/arch/x86/include/asm/reboot.h linux-2.6.37/arch/x86/include/asm/reboot.h
8940 --- linux-2.6.37/arch/x86/include/asm/reboot.h 2011-01-04 19:50:19.000000000 -0500
8941 +++ linux-2.6.37/arch/x86/include/asm/reboot.h 2011-01-17 02:41:01.000000000 -0500
8942 @@ -18,7 +18,7 @@ extern struct machine_ops machine_ops;
8943
8944 void native_machine_crash_shutdown(struct pt_regs *regs);
8945 void native_machine_shutdown(void);
8946 -void machine_real_restart(const unsigned char *code, int length);
8947 +void machine_real_restart(const unsigned char *code, unsigned int length);
8948
8949 typedef void (*nmi_shootdown_cb)(int, struct die_args*);
8950 void nmi_shootdown_cpus(nmi_shootdown_cb callback);
8951 diff -urNp linux-2.6.37/arch/x86/include/asm/rwsem.h linux-2.6.37/arch/x86/include/asm/rwsem.h
8952 --- linux-2.6.37/arch/x86/include/asm/rwsem.h 2011-01-04 19:50:19.000000000 -0500
8953 +++ linux-2.6.37/arch/x86/include/asm/rwsem.h 2011-01-17 02:41:01.000000000 -0500
8954 @@ -118,6 +118,14 @@ static inline void __down_read(struct rw
8955 {
8956 asm volatile("# beginning down_read\n\t"
8957 LOCK_PREFIX _ASM_INC "(%1)\n\t"
8958 +
8959 +#ifdef CONFIG_PAX_REFCOUNT
8960 + "jno 0f\n"
8961 + LOCK_PREFIX _ASM_DEC "(%1)\n"
8962 + "int $4\n0:\n"
8963 + _ASM_EXTABLE(0b, 0b)
8964 +#endif
8965 +
8966 /* adds 0x00000001 */
8967 " jns 1f\n"
8968 " call call_rwsem_down_read_failed\n"
8969 @@ -139,6 +147,14 @@ static inline int __down_read_trylock(st
8970 "1:\n\t"
8971 " mov %1,%2\n\t"
8972 " add %3,%2\n\t"
8973 +
8974 +#ifdef CONFIG_PAX_REFCOUNT
8975 + "jno 0f\n"
8976 + "sub %3,%2\n"
8977 + "int $4\n0:\n"
8978 + _ASM_EXTABLE(0b, 0b)
8979 +#endif
8980 +
8981 " jle 2f\n\t"
8982 LOCK_PREFIX " cmpxchg %2,%0\n\t"
8983 " jnz 1b\n\t"
8984 @@ -158,6 +174,14 @@ static inline void __down_write_nested(s
8985 rwsem_count_t tmp;
8986 asm volatile("# beginning down_write\n\t"
8987 LOCK_PREFIX " xadd %1,(%2)\n\t"
8988 +
8989 +#ifdef CONFIG_PAX_REFCOUNT
8990 + "jno 0f\n"
8991 + "mov %1,(%2)\n"
8992 + "int $4\n0:\n"
8993 + _ASM_EXTABLE(0b, 0b)
8994 +#endif
8995 +
8996 /* adds 0xffff0001, returns the old value */
8997 " test %1,%1\n\t"
8998 /* was the count 0 before? */
8999 @@ -196,6 +220,14 @@ static inline void __up_read(struct rw_s
9000 rwsem_count_t tmp;
9001 asm volatile("# beginning __up_read\n\t"
9002 LOCK_PREFIX " xadd %1,(%2)\n\t"
9003 +
9004 +#ifdef CONFIG_PAX_REFCOUNT
9005 + "jno 0f\n"
9006 + "mov %1,(%2)\n"
9007 + "int $4\n0:\n"
9008 + _ASM_EXTABLE(0b, 0b)
9009 +#endif
9010 +
9011 /* subtracts 1, returns the old value */
9012 " jns 1f\n\t"
9013 " call call_rwsem_wake\n" /* expects old value in %edx */
9014 @@ -214,6 +246,14 @@ static inline void __up_write(struct rw_
9015 rwsem_count_t tmp;
9016 asm volatile("# beginning __up_write\n\t"
9017 LOCK_PREFIX " xadd %1,(%2)\n\t"
9018 +
9019 +#ifdef CONFIG_PAX_REFCOUNT
9020 + "jno 0f\n"
9021 + "mov %1,(%2)\n"
9022 + "int $4\n0:\n"
9023 + _ASM_EXTABLE(0b, 0b)
9024 +#endif
9025 +
9026 /* subtracts 0xffff0001, returns the old value */
9027 " jns 1f\n\t"
9028 " call call_rwsem_wake\n" /* expects old value in %edx */
9029 @@ -231,6 +271,14 @@ static inline void __downgrade_write(str
9030 {
9031 asm volatile("# beginning __downgrade_write\n\t"
9032 LOCK_PREFIX _ASM_ADD "%2,(%1)\n\t"
9033 +
9034 +#ifdef CONFIG_PAX_REFCOUNT
9035 + "jno 0f\n"
9036 + LOCK_PREFIX _ASM_SUB "%2,(%1)\n"
9037 + "int $4\n0:\n"
9038 + _ASM_EXTABLE(0b, 0b)
9039 +#endif
9040 +
9041 /*
9042 * transitions 0xZZZZ0001 -> 0xYYYY0001 (i386)
9043 * 0xZZZZZZZZ00000001 -> 0xYYYYYYYY00000001 (x86_64)
9044 @@ -250,7 +298,15 @@ static inline void __downgrade_write(str
9045 static inline void rwsem_atomic_add(rwsem_count_t delta,
9046 struct rw_semaphore *sem)
9047 {
9048 - asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0"
9049 + asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0\n"
9050 +
9051 +#ifdef CONFIG_PAX_REFCOUNT
9052 + "jno 0f\n"
9053 + LOCK_PREFIX _ASM_SUB "%1,%0\n"
9054 + "int $4\n0:\n"
9055 + _ASM_EXTABLE(0b, 0b)
9056 +#endif
9057 +
9058 : "+m" (sem->count)
9059 : "er" (delta));
9060 }
9061 @@ -263,7 +319,15 @@ static inline rwsem_count_t rwsem_atomic
9062 {
9063 rwsem_count_t tmp = delta;
9064
9065 - asm volatile(LOCK_PREFIX "xadd %0,%1"
9066 + asm volatile(LOCK_PREFIX "xadd %0,%1\n"
9067 +
9068 +#ifdef CONFIG_PAX_REFCOUNT
9069 + "jno 0f\n"
9070 + "mov %0,%1\n"
9071 + "int $4\n0:\n"
9072 + _ASM_EXTABLE(0b, 0b)
9073 +#endif
9074 +
9075 : "+r" (tmp), "+m" (sem->count)
9076 : : "memory");
9077
9078 diff -urNp linux-2.6.37/arch/x86/include/asm/segment.h linux-2.6.37/arch/x86/include/asm/segment.h
9079 --- linux-2.6.37/arch/x86/include/asm/segment.h 2011-01-04 19:50:19.000000000 -0500
9080 +++ linux-2.6.37/arch/x86/include/asm/segment.h 2011-01-17 02:41:01.000000000 -0500
9081 @@ -62,8 +62,8 @@
9082 * 26 - ESPFIX small SS
9083 * 27 - per-cpu [ offset to per-cpu data area ]
9084 * 28 - stack_canary-20 [ for stack protector ]
9085 - * 29 - unused
9086 - * 30 - unused
9087 + * 29 - PCI BIOS CS
9088 + * 30 - PCI BIOS DS
9089 * 31 - TSS for double fault handler
9090 */
9091 #define GDT_ENTRY_TLS_MIN 6
9092 @@ -77,6 +77,8 @@
9093
9094 #define GDT_ENTRY_KERNEL_CS (GDT_ENTRY_KERNEL_BASE+0)
9095
9096 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS (4)
9097 +
9098 #define GDT_ENTRY_KERNEL_DS (GDT_ENTRY_KERNEL_BASE+1)
9099
9100 #define GDT_ENTRY_TSS (GDT_ENTRY_KERNEL_BASE+4)
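Review bot: GDT_ENTRY_KERNEXEC_KERNEL_CS is given as an absolute `(4)` here while every neighbouring 32-bit entry is expressed relative to GDT_ENTRY_KERNEL_BASE and the 64-bit counterpart in the hunk below is a bare `7`; using one form (and no parentheses around a plain literal) keeps the table readable. More importantly, the GDT layout comment at the top of this header (only its lines for entries 26-31 are visible, in the hunk above, where 29/30 were updated) presumably still lists entry 4 as unused; it should be updated to name the KERNEXEC kernel CS the same way the PCI BIOS entries were.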
9101 @@ -102,6 +104,12 @@
9102 #define __KERNEL_STACK_CANARY 0
9103 #endif
9104
9105 +#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE+17)
9106 +#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
9107 +
9108 +#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE+18)
9109 +#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
9110 +
9111 #define GDT_ENTRY_DOUBLEFAULT_TSS 31
9112
9113 /*
9114 @@ -139,7 +147,7 @@
9115 */
9116
9117 /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
9118 -#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
9119 +#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
9120
9121
9122 #else
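Review bot: The comment above the macro, "Matches PNP_CS32 and PNP_CS16 (they must be consecutive)", described the old 0xf4 mask trick; the new form compares the RPL-masked selector against each constant explicitly and no longer needs them to be adjacent, so the parenthetical is stale and should be dropped. The rewrite also evaluates `x` twice, which is harmless for the selector values callers presumably pass but worth a local temporary if an expression with side effects could ever reach it.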
9123 @@ -163,6 +171,8 @@
9124 #define __USER32_CS (GDT_ENTRY_DEFAULT_USER32_CS * 8 + 3)
9125 #define __USER32_DS __USER_DS
9126
9127 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS 7
9128 +
9129 #define GDT_ENTRY_TSS 8 /* needs two entries */
9130 #define GDT_ENTRY_LDT 10 /* needs two entries */
9131 #define GDT_ENTRY_TLS_MIN 12
9132 @@ -183,6 +193,7 @@
9133 #endif
9134
9135 #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS*8)
9136 +#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS*8)
9137 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS*8)
9138 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS*8+3)
9139 #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS*8+3)
9140 diff -urNp linux-2.6.37/arch/x86/include/asm/smp.h linux-2.6.37/arch/x86/include/asm/smp.h
9141 --- linux-2.6.37/arch/x86/include/asm/smp.h 2011-01-04 19:50:19.000000000 -0500
9142 +++ linux-2.6.37/arch/x86/include/asm/smp.h 2011-01-17 02:41:01.000000000 -0500
9143 @@ -24,7 +24,7 @@ extern unsigned int num_processors;
9144 DECLARE_PER_CPU(cpumask_var_t, cpu_sibling_map);
9145 DECLARE_PER_CPU(cpumask_var_t, cpu_core_map);
9146 DECLARE_PER_CPU(u16, cpu_llc_id);
9147 -DECLARE_PER_CPU(int, cpu_number);
9148 +DECLARE_PER_CPU(unsigned int, cpu_number);
9149
9150 static inline struct cpumask *cpu_sibling_mask(int cpu)
9151 {
9152 diff -urNp linux-2.6.37/arch/x86/include/asm/spinlock.h linux-2.6.37/arch/x86/include/asm/spinlock.h
9153 --- linux-2.6.37/arch/x86/include/asm/spinlock.h 2011-01-04 19:50:19.000000000 -0500
9154 +++ linux-2.6.37/arch/x86/include/asm/spinlock.h 2011-01-17 02:41:01.000000000 -0500
9155 @@ -249,6 +249,14 @@ static inline int arch_write_can_lock(ar
9156 static inline void arch_read_lock(arch_rwlock_t *rw)
9157 {
9158 asm volatile(LOCK_PREFIX " subl $1,(%0)\n\t"
9159 +
9160 +#ifdef CONFIG_PAX_REFCOUNT
9161 + "jno 0f\n"
9162 + LOCK_PREFIX " addl $1,(%0)\n"
9163 + "int $4\n0:\n"
9164 + _ASM_EXTABLE(0b, 0b)
9165 +#endif
9166 +
9167 "jns 1f\n"
9168 "call __read_lock_failed\n\t"
9169 "1:\n"
9170 @@ -258,6 +266,14 @@ static inline void arch_read_lock(arch_r
9171 static inline void arch_write_lock(arch_rwlock_t *rw)
9172 {
9173 asm volatile(LOCK_PREFIX " subl %1,(%0)\n\t"
9174 +
9175 +#ifdef CONFIG_PAX_REFCOUNT
9176 + "jno 0f\n"
9177 + LOCK_PREFIX " addl %1,(%0)\n"
9178 + "int $4\n0:\n"
9179 + _ASM_EXTABLE(0b, 0b)
9180 +#endif
9181 +
9182 "jz 1f\n"
9183 "call __write_lock_failed\n\t"
9184 "1:\n"
9185 @@ -286,12 +302,29 @@ static inline int arch_write_trylock(arc
9186
9187 static inline void arch_read_unlock(arch_rwlock_t *rw)
9188 {
9189 - asm volatile(LOCK_PREFIX "incl %0" :"+m" (rw->lock) : : "memory");
9190 + asm volatile(LOCK_PREFIX "incl %0\n"
9191 +
9192 +#ifdef CONFIG_PAX_REFCOUNT
9193 + "jno 0f\n"
9194 + LOCK_PREFIX "decl %0\n"
9195 + "int $4\n0:\n"
9196 + _ASM_EXTABLE(0b, 0b)
9197 +#endif
9198 +
9199 + :"+m" (rw->lock) : : "memory");
9200 }
9201
9202 static inline void arch_write_unlock(arch_rwlock_t *rw)
9203 {
9204 - asm volatile(LOCK_PREFIX "addl %1, %0"
9205 + asm volatile(LOCK_PREFIX "addl %1, %0\n"
9206 +
9207 +#ifdef CONFIG_PAX_REFCOUNT
9208 + "jno 0f\n"
9209 + LOCK_PREFIX "subl %1, %0\n"
9210 + "int $4\n0:\n"
9211 + _ASM_EXTABLE(0b, 0b)
9212 +#endif
9213 +
9214 : "+m" (rw->lock) : "i" (RW_LOCK_BIAS) : "memory");
9215 }
9216
9217 diff -urNp linux-2.6.37/arch/x86/include/asm/stackprotector.h linux-2.6.37/arch/x86/include/asm/stackprotector.h
9218 --- linux-2.6.37/arch/x86/include/asm/stackprotector.h 2011-01-04 19:50:19.000000000 -0500
9219 +++ linux-2.6.37/arch/x86/include/asm/stackprotector.h 2011-01-17 02:41:01.000000000 -0500
9220 @@ -113,7 +113,7 @@ static inline void setup_stack_canary_se
9221
9222 static inline void load_stack_canary_segment(void)
9223 {
9224 -#ifdef CONFIG_X86_32
9225 +#if defined(CONFIG_X86_32) && !defined(CONFIG_PAX_MEMORY_UDEREF)
9226 asm volatile ("mov %0, %%gs" : : "r" (0));
9227 #endif
9228 }
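Review bot: The new condition keeps UDEREF builds from loading %gs with 0 in load_stack_canary_segment(), but nothing says why; if UDEREF gives %gs another role on 32-bit (confirm), a comment such as `/* not under CONFIG_PAX_MEMORY_UDEREF: <reason %gs must be left alone> */` prevents the next upstream merge from restoring the unconditional load.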
9229 diff -urNp linux-2.6.37/arch/x86/include/asm/system.h linux-2.6.37/arch/x86/include/asm/system.h
9230 --- linux-2.6.37/arch/x86/include/asm/system.h 2011-01-04 19:50:19.000000000 -0500
9231 +++ linux-2.6.37/arch/x86/include/asm/system.h 2011-01-17 02:41:01.000000000 -0500
9232 @@ -202,7 +202,7 @@ static inline unsigned long get_limit(un
9233 {
9234 unsigned long __limit;
9235 asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
9236 - return __limit + 1;
9237 + return __limit;
9238 }
9239
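Review bot: get_limit() now returns the raw `lsl` result, the segment's last valid offset, instead of limit + 1; this avoids the wrap to 0 that `__limit + 1` produces for a 4 GiB segment (lsl yields 0xffffffff), but it changes the meaning of the value for every caller, and those callers are not in the hunk. Each `addr < get_limit(seg)` comparison has to become `addr <= get_limit(seg)`, and the function deserves a comment, `/* returns the inclusive segment limit (last valid offset), not its size */`, so that nobody adds the + 1 back.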
9240 static inline void native_clts(void)
9241 @@ -342,7 +342,7 @@ void enable_hlt(void);
9242
9243 void cpu_idle_wait(void);
9244
9245 -extern unsigned long arch_align_stack(unsigned long sp);
9246 +#define arch_align_stack(x) ((x) & ~0xfUL)
9247 extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
9248
9249 void default_idle(void);
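Review bot: `#define arch_align_stack(x) ((x) & ~0xfUL)` replaces the out-of-line arch_align_stack(), whose upstream implementation also applies a random offset to the stack pointer when address-space randomisation is enabled; with the macro, that per-exec offset is gone from this path. If PaX's own stack randomisation is meant to supersede it (it is not in this hunk), a comment saying so, `/* alignment only: stack randomisation is done by PaX elsewhere */`, keeps the change from reading as a loss of entropy.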
9250 diff -urNp linux-2.6.37/arch/x86/include/asm/uaccess_32.h linux-2.6.37/arch/x86/include/asm/uaccess_32.h
9251 --- linux-2.6.37/arch/x86/include/asm/uaccess_32.h 2011-01-04 19:50:19.000000000 -0500
9252 +++ linux-2.6.37/arch/x86/include/asm/uaccess_32.h 2011-01-17 02:41:01.000000000 -0500
9253 @@ -44,6 +44,9 @@ unsigned long __must_check __copy_from_u
9254 static __always_inline unsigned long __must_check
9255 __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
9256 {
9257 + if ((long)n < 0)
9258 + return n;
9259 +
9260 if (__builtin_constant_p(n)) {
9261 unsigned long ret;
9262
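Review bot: The new `if ((long)n < 0) return n;` guard in __copy_to_user_inatomic() (repeated in the hunks below at @@ -89, @@ -138, @@ -160 and @@ -182) turns a size with the top bit set into an "n bytes not copied" result with no comment explaining the intent. Presumably it treats such a size as a length-calculation overflow in the caller and refuses the copy rather than attempting gigabytes (confirm); a one-liner at this first site, `/* a "negative" size is a length-calculation bug: refuse it and report nothing copied */`, covers all five, and it should note that callers see this as an ordinary short copy and will typically turn it into -EFAULT.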
9263 @@ -62,6 +65,8 @@ __copy_to_user_inatomic(void __user *to,
9264 return ret;
9265 }
9266 }
9267 + if (!__builtin_constant_p(n))
9268 + check_object_size(from, n, true);
9269 return __copy_to_user_ll(to, from, n);
9270 }
9271
9272 @@ -89,6 +94,9 @@ __copy_to_user(void __user *to, const vo
9273 static __always_inline unsigned long
9274 __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
9275 {
9276 + if ((long)n < 0)
9277 + return n;
9278 +
9279 /* Avoid zeroing the tail if the copy fails..
9280 * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
9281 * but as the zeroing behaviour is only significant when n is not
9282 @@ -138,6 +146,10 @@ static __always_inline unsigned long
9283 __copy_from_user(void *to, const void __user *from, unsigned long n)
9284 {
9285 might_fault();
9286 +
9287 + if ((long)n < 0)
9288 + return n;
9289 +
9290 if (__builtin_constant_p(n)) {
9291 unsigned long ret;
9292
9293 @@ -153,6 +165,8 @@ __copy_from_user(void *to, const void __
9294 return ret;
9295 }
9296 }
9297 + if (!__builtin_constant_p(n))
9298 + check_object_size(to, n, false);
9299 return __copy_from_user_ll(to, from, n);
9300 }
9301
9302 @@ -160,6 +174,10 @@ static __always_inline unsigned long __c
9303 const void __user *from, unsigned long n)
9304 {
9305 might_fault();
9306 +
9307 + if ((long)n < 0)
9308 + return n;
9309 +
9310 if (__builtin_constant_p(n)) {
9311 unsigned long ret;
9312
9313 @@ -182,15 +200,19 @@ static __always_inline unsigned long
9314 __copy_from_user_inatomic_nocache(void *to, const void __user *from,
9315 unsigned long n)
9316 {
9317 - return __copy_from_user_ll_nocache_nozero(to, from, n);
9318 -}
9319 + if ((long)n < 0)
9320 + return n;
9321
9322 -unsigned long __must_check copy_to_user(void __user *to,
9323 - const void *from, unsigned long n);
9324 -unsigned long __must_check _copy_from_user(void *to,
9325 - const void __user *from,
9326 - unsigned long n);
9327 + return __copy_from_user_ll_nocache_nozero(to, from, n);
9328 +}
9329
9330 +extern void copy_to_user_overflow(void)
9331 +#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
9332 + __compiletime_error("copy_to_user() buffer size is not provably correct")
9333 +#else
9334 + __compiletime_warning("copy_to_user() buffer size is not provably correct")
9335 +#endif
9336 +;
9337
9338 extern void copy_from_user_overflow(void)
9339 #ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
9340 @@ -200,17 +222,61 @@ extern void copy_from_user_overflow(void
9341 #endif
9342 ;
9343
9344 -static inline unsigned long __must_check copy_from_user(void *to,
9345 - const void __user *from,
9346 - unsigned long n)
9347 +/**
9348 + * copy_to_user: - Copy a block of data into user space.
9349 + * @to: Destination address, in user space.
9350 + * @from: Source address, in kernel space.
9351 + * @n: Number of bytes to copy.
9352 + *
9353 + * Context: User context only. This function may sleep.
9354 + *
9355 + * Copy data from kernel space to user space.
9356 + *
9357 + * Returns number of bytes that could not be copied.
9358 + * On success, this will be zero.
9359 + */
9360 +static inline unsigned long __must_check
9361 +copy_to_user(void __user *to, const void *from, unsigned long n)
9362 +{
9363 + int sz = __compiletime_object_size(from);
9364 +
9365 + if (unlikely(sz != -1 && sz < n))
9366 + copy_to_user_overflow();
9367 + else if (access_ok(VERIFY_WRITE, to, n))
9368 + n = __copy_to_user(to, from, n);
9369 + return n;
9370 +}
9371 +
9372 +/**
9373 + * copy_from_user: - Copy a block of data from user space.
9374 + * @to: Destination address, in kernel space.
9375 + * @from: Source address, in user space.
9376 + * @n: Number of bytes to copy.
9377 + *
9378 + * Context: User context only. This function may sleep.
9379 + *
9380 + * Copy data from user space to kernel space.
9381 + *
9382 + * Returns number of bytes that could not be copied.
9383 + * On success, this will be zero.
9384 + *
9385 + * If some data could not be copied, this function will pad the copied
9386 + * data to the requested size using zero bytes.
9387 + */
9388 +static inline unsigned long __must_check
9389 +copy_from_user(void *to, const void __user *from, unsigned long n)
9390 {
9391 int sz = __compiletime_object_size(to);
9392
9393 - if (likely(sz == -1 || sz >= n))
9394 - n = _copy_from_user(to, from, n);
9395 - else
9396 + if (unlikely(sz != -1 && sz < n))
9397 copy_from_user_overflow();
9398 -
9399 + else if (access_ok(VERIFY_READ, from, n))
9400 + n = __copy_from_user(to, from, n);
9401 + else if ((long)n > 0) {
9402 + if (!__builtin_constant_p(n))
9403 + check_object_size(to, n, false);
9404 + memset(to, 0, n);
9405 + }
9406 return n;
9407 }
9408
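Review bot: The kernel-doc added for copy_from_user promises that the copied data is zero-padded whenever some bytes could not be copied, but the only zero-fill visible in this hunk is the `memset(to, 0, n)` on the access_ok failure path, and only when `(long)n > 0`; the partial-copy case depends entirely on what `__copy_from_user` does with the tail, which is not shown here. A short comment above the `else if ((long)n > 0)` branch would keep the contract honest, e.g. `/* range check failed: nothing was copied, zero the whole buffer; a partial copy is zero-padded by __copy_from_user */` — assuming that is indeed what `__copy_from_user` guarantees. Note also that for `n` with the top bit set the buffer is left untouched and `n` is returned unchanged, which callers treating the return value as a byte count should be prepared for.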
9409 diff -urNp linux-2.6.37/arch/x86/include/asm/uaccess_64.h linux-2.6.37/arch/x86/include/asm/uaccess_64.h
9410 --- linux-2.6.37/arch/x86/include/asm/uaccess_64.h 2011-01-04 19:50:19.000000000 -0500
9411 +++ linux-2.6.37/arch/x86/include/asm/uaccess_64.h 2011-01-17 02:41:01.000000000 -0500
9412 @@ -11,6 +11,9 @@
9413 #include <asm/alternative.h>
9414 #include <asm/cpufeature.h>
9415 #include <asm/page.h>
9416 +#include <asm/pgtable.h>
9417 +
9418 +#define set_fs(x) (current_thread_info()->addr_limit = (x))
9419
9420 /*
9421 * Copy To/From Userspace
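Review bot: The `set_fs` macro added here is a second, token-identical copy of the one uaccess.h defines in its non-UDEREF-32 branch later in this patch, and uaccess.h includes uaccess_64.h, so x86_64 builds now carry two definitions; the preprocessor accepts identical redefinitions, but the two will have to be kept in sync by hand. If the copy is needed because `asm/pgtable.h` (included just above) uses `set_fs` before uaccess.h has defined it, a one-line comment stating that would justify the duplication: `/* asm/pgtable.h needs set_fs before uaccess.h defines it */`. Otherwise the define in uaccess.h alone should suffice.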
9422 @@ -37,26 +40,26 @@ copy_user_generic(void *to, const void *
9423 return ret;
9424 }
9425
9426 -__must_check unsigned long
9427 -_copy_to_user(void __user *to, const void *from, unsigned len);
9428 -__must_check unsigned long
9429 -_copy_from_user(void *to, const void __user *from, unsigned len);
9430 +static __always_inline __must_check unsigned long
9431 +__copy_to_user(void __user *to, const void *from, unsigned len);
9432 +static __always_inline __must_check unsigned long
9433 +__copy_from_user(void *to, const void __user *from, unsigned len);
9434 __must_check unsigned long
9435 copy_in_user(void __user *to, const void __user *from, unsigned len);
9436
9437 static inline unsigned long __must_check copy_from_user(void *to,
9438 const void __user *from,
9439 - unsigned long n)
9440 + unsigned n)
9441 {
9442 - int sz = __compiletime_object_size(to);
9443 -
9444 might_fault();
9445 - if (likely(sz == -1 || sz >= n))
9446 - n = _copy_from_user(to, from, n);
9447 -#ifdef CONFIG_DEBUG_VM
9448 - else
9449 - WARN(1, "Buffer overflow detected!\n");
9450 -#endif
9451 +
9452 + if (access_ok(VERIFY_READ, from, n))
9453 + n = __copy_from_user(to, from, n);
9454 + else if ((int)n > 0) {
9455 + if (!__builtin_constant_p(n))
9456 + check_object_size(to, n, false);
9457 + memset(to, 0, n);
9458 + }
9459 return n;
9460 }
9461
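Review bot: Narrowing the length parameter of copy_from_user from `unsigned long n` to `unsigned n` silently truncates any `size_t` length of 2^32 or more at the call boundary before the `(int)n > 0` sanity check can see it, so a caller passing an oversized length would get a short copy and a zero return instead of the whole-length failure it gets from the 32-bit variant, which keeps `unsigned long`. If the narrowing is intentional because the x86_64 helpers below all take `unsigned`, keeping the public prototype at `unsigned long n` and rejecting the length before converting is the safer shape: `if (n > INT_MAX) return n;`. The removed WARN on a compile-time detected overflow has presumably moved into `__copy_from_user` further down; a comment saying so would stop this wrapper from looking as if it lost the check.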
9462 @@ -65,110 +68,174 @@ int copy_to_user(void __user *dst, const
9463 {
9464 might_fault();
9465
9466 - return _copy_to_user(dst, src, size);
9467 + if (access_ok(VERIFY_WRITE, dst, size))
9468 + size = __copy_to_user(dst, src, size);
9469 + return size;
9470 }
9471
9472 static __always_inline __must_check
9473 -int __copy_from_user(void *dst, const void __user *src, unsigned size)
9474 +unsigned long __copy_from_user(void *dst, const void __user *src, unsigned size)
9475 {
9476 - int ret = 0;
9477 + int sz = __compiletime_object_size(dst);
9478 + unsigned ret = 0;
9479
9480 might_fault();
9481 - if (!__builtin_constant_p(size))
9482 - return copy_user_generic(dst, (__force void *)src, size);
9483 +
9484 + if ((int)size < 0)
9485 + return size;
9486 +
9487 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9488 + if (!__access_ok(VERIFY_READ, src, size))
9489 + return size;
9490 +#endif
9491 +
9492 + if (unlikely(sz != -1 && sz < size)) {
9493 +#ifdef CONFIG_DEBUG_VM
9494 + WARN(1, "Buffer overflow detected!\n");
9495 +#endif
9496 + return size;
9497 + }
9498 +
9499 + if (!__builtin_constant_p(size)) {
9500 + check_object_size(dst, size, false);
9501 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9502 + src += PAX_USER_SHADOW_BASE;
9503 + return copy_user_generic(dst, (__force const void *)src, size);
9504 + }
9505 switch (size) {
9506 - case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
9507 + case 1:__get_user_asm(*(u8 *)dst, (const u8 __user *)src,
9508 ret, "b", "b", "=q", 1);
9509 return ret;
9510 - case 2:__get_user_asm(*(u16 *)dst, (u16 __user *)src,
9511 + case 2:__get_user_asm(*(u16 *)dst, (const u16 __user *)src,
9512 ret, "w", "w", "=r", 2);
9513 return ret;
9514 - case 4:__get_user_asm(*(u32 *)dst, (u32 __user *)src,
9515 + case 4:__get_user_asm(*(u32 *)dst, (const u32 __user *)src,
9516 ret, "l", "k", "=r", 4);
9517 return ret;
9518 - case 8:__get_user_asm(*(u64 *)dst, (u64 __user *)src,
9519 + case 8:__get_user_asm(*(u64 *)dst, (const u64 __user *)src,
9520 ret, "q", "", "=r", 8);
9521 return ret;
9522 case 10:
9523 - __get_user_asm(*(u64 *)dst, (u64 __user *)src,
9524 + __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
9525 ret, "q", "", "=r", 10);
9526 if (unlikely(ret))
9527 return ret;
9528 __get_user_asm(*(u16 *)(8 + (char *)dst),
9529 - (u16 __user *)(8 + (char __user *)src),
9530 + (const u16 __user *)(8 + (const char __user *)src),
9531 ret, "w", "w", "=r", 2);
9532 return ret;
9533 case 16:
9534 - __get_user_asm(*(u64 *)dst, (u64 __user *)src,
9535 + __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
9536 ret, "q", "", "=r", 16);
9537 if (unlikely(ret))
9538 return ret;
9539 __get_user_asm(*(u64 *)(8 + (char *)dst),
9540 - (u64 __user *)(8 + (char __user *)src),
9541 + (const u64 __user *)(8 + (const char __user *)src),
9542 ret, "q", "", "=r", 8);
9543 return ret;
9544 default:
9545 - return copy_user_generic(dst, (__force void *)src, size);
9546 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9547 + src += PAX_USER_SHADOW_BASE;
9548 + return copy_user_generic(dst, (__force const void *)src, size);
9549 }
9550 }
9551
9552 static __always_inline __must_check
9553 -int __copy_to_user(void __user *dst, const void *src, unsigned size)
9554 +unsigned long __copy_to_user(void __user *dst, const void *src, unsigned size)
9555 {
9556 - int ret = 0;
9557 + int sz = __compiletime_object_size(src);
9558 + unsigned ret = 0;
9559
9560 might_fault();
9561 - if (!__builtin_constant_p(size))
9562 +
9563 + if ((int)size < 0)
9564 + return size;
9565 +
9566 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9567 + if (!__access_ok(VERIFY_WRITE, dst, size))
9568 + return size;
9569 +#endif
9570 +
9571 + if (unlikely(sz != -1 && sz < size)) {
9572 +#ifdef CONFIG_DEBUG_VM
9573 + WARN(1, "Buffer overflow detected!\n");
9574 +#endif
9575 + return size;
9576 + }
9577 +
9578 + if (!__builtin_constant_p(size)) {
9579 + check_object_size(src, size, true);
9580 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9581 + dst += PAX_USER_SHADOW_BASE;
9582 return copy_user_generic((__force void *)dst, src, size);
9583 + }
9584 switch (size) {
9585 - case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
9586 + case 1:__put_user_asm(*(const u8 *)src, (u8 __user *)dst,
9587 ret, "b", "b", "iq", 1);
9588 return ret;
9589 - case 2:__put_user_asm(*(u16 *)src, (u16 __user *)dst,
9590 + case 2:__put_user_asm(*(const u16 *)src, (u16 __user *)dst,
9591 ret, "w", "w", "ir", 2);
9592 return ret;
9593 - case 4:__put_user_asm(*(u32 *)src, (u32 __user *)dst,
9594 + case 4:__put_user_asm(*(const u32 *)src, (u32 __user *)dst,
9595 ret, "l", "k", "ir", 4);
9596 return ret;
9597 - case 8:__put_user_asm(*(u64 *)src, (u64 __user *)dst,
9598 + case 8:__put_user_asm(*(const u64 *)src, (u64 __user *)dst,
9599 ret, "q", "", "er", 8);
9600 return ret;
9601 case 10:
9602 - __put_user_asm(*(u64 *)src, (u64 __user *)dst,
9603 + __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
9604 ret, "q", "", "er", 10);
9605 if (unlikely(ret))
9606 return ret;
9607 asm("":::"memory");
9608 - __put_user_asm(4[(u16 *)src], 4 + (u16 __user *)dst,
9609 + __put_user_asm(4[(const u16 *)src], 4 + (u16 __user *)dst,
9610 ret, "w", "w", "ir", 2);
9611 return ret;
9612 case 16:
9613 - __put_user_asm(*(u64 *)src, (u64 __user *)dst,
9614 + __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
9615 ret, "q", "", "er", 16);
9616 if (unlikely(ret))
9617 return ret;
9618 asm("":::"memory");
9619 - __put_user_asm(1[(u64 *)src], 1 + (u64 __user *)dst,
9620 + __put_user_asm(1[(const u64 *)src], 1 + (u64 __user *)dst,
9621 ret, "q", "", "er", 8);
9622 return ret;
9623 default:
9624 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9625 + dst += PAX_USER_SHADOW_BASE;
9626 return copy_user_generic((__force void *)dst, src, size);
9627 }
9628 }
9629
9630 static __always_inline __must_check
9631 -int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
9632 +unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size)
9633 {
9634 - int ret = 0;
9635 + unsigned ret = 0;
9636
9637 might_fault();
9638 - if (!__builtin_constant_p(size))
9639 +
9640 + if ((int)size < 0)
9641 + return size;
9642 +
9643 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9644 + if (!__access_ok(VERIFY_READ, src, size))
9645 + return size;
9646 + if (!__access_ok(VERIFY_WRITE, dst, size))
9647 + return size;
9648 +#endif
9649 +
9650 + if (!__builtin_constant_p(size)) {
9651 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9652 + src += PAX_USER_SHADOW_BASE;
9653 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9654 + dst += PAX_USER_SHADOW_BASE;
9655 return copy_user_generic((__force void *)dst,
9656 - (__force void *)src, size);
9657 + (__force const void *)src, size);
9658 + }
9659 switch (size) {
9660 case 1: {
9661 u8 tmp;
9662 - __get_user_asm(tmp, (u8 __user *)src,
9663 + __get_user_asm(tmp, (const u8 __user *)src,
9664 ret, "b", "b", "=q", 1);
9665 if (likely(!ret))
9666 __put_user_asm(tmp, (u8 __user *)dst,
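Review bot: The shadow-base relocation `if ((unsigned long)p < PAX_USER_SHADOW_BASE) p += PAX_USER_SHADOW_BASE;` is hand-copied six times in this hunk (the non-constant path and the `default:` case of both `__copy_from_user` and `__copy_to_user`, and twice in `__copy_in_user`) and again in the inatomic helpers of a later hunk, while this same patch introduces a `____m()` macro in uaccess.h that performs exactly this adjustment. A single `static __always_inline` helper, or reuse of `____m()`, would keep the relocation in one place so that no copy can drift from the others. A note on why the fixed-size cases need no relocation would also save the next reader a search, assuming the operands do go through `__m()`: `/* fixed sizes: __m() relocates the operand into the shadow area */`. `__copy_in_user` continues past the end of this hunk.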
9667 @@ -177,7 +244,7 @@ int __copy_in_user(void __user *dst, con
9668 }
9669 case 2: {
9670 u16 tmp;
9671 - __get_user_asm(tmp, (u16 __user *)src,
9672 + __get_user_asm(tmp, (const u16 __user *)src,
9673 ret, "w", "w", "=r", 2);
9674 if (likely(!ret))
9675 __put_user_asm(tmp, (u16 __user *)dst,
9676 @@ -187,7 +254,7 @@ int __copy_in_user(void __user *dst, con
9677
9678 case 4: {
9679 u32 tmp;
9680 - __get_user_asm(tmp, (u32 __user *)src,
9681 + __get_user_asm(tmp, (const u32 __user *)src,
9682 ret, "l", "k", "=r", 4);
9683 if (likely(!ret))
9684 __put_user_asm(tmp, (u32 __user *)dst,
9685 @@ -196,7 +263,7 @@ int __copy_in_user(void __user *dst, con
9686 }
9687 case 8: {
9688 u64 tmp;
9689 - __get_user_asm(tmp, (u64 __user *)src,
9690 + __get_user_asm(tmp, (const u64 __user *)src,
9691 ret, "q", "", "=r", 8);
9692 if (likely(!ret))
9693 __put_user_asm(tmp, (u64 __user *)dst,
9694 @@ -204,8 +271,12 @@ int __copy_in_user(void __user *dst, con
9695 return ret;
9696 }
9697 default:
9698 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9699 + src += PAX_USER_SHADOW_BASE;
9700 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9701 + dst += PAX_USER_SHADOW_BASE;
9702 return copy_user_generic((__force void *)dst,
9703 - (__force void *)src, size);
9704 + (__force const void *)src, size);
9705 }
9706 }
9707
9708 @@ -222,33 +293,68 @@ __must_check unsigned long __clear_user(
9709 static __must_check __always_inline int
9710 __copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
9711 {
9712 + if ((int)size < 0)
9713 + return size;
9714 +
9715 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9716 + if (!__access_ok(VERIFY_READ, src, size))
9717 + return size;
9718 +#endif
9719 +
9720 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9721 + src += PAX_USER_SHADOW_BASE;
9722 return copy_user_generic(dst, (__force const void *)src, size);
9723 }
9724
9725 -static __must_check __always_inline int
9726 +static __must_check __always_inline unsigned long
9727 __copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
9728 {
9729 + if ((int)size < 0)
9730 + return size;
9731 +
9732 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9733 + if (!__access_ok(VERIFY_WRITE, dst, size))
9734 + return size;
9735 +#endif
9736 +
9737 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9738 + dst += PAX_USER_SHADOW_BASE;
9739 return copy_user_generic((__force void *)dst, src, size);
9740 }
9741
9742 -extern long __copy_user_nocache(void *dst, const void __user *src,
9743 +extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
9744 unsigned size, int zerorest);
9745
9746 -static inline int
9747 -__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
9748 +static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
9749 {
9750 might_sleep();
9751 +
9752 + if ((int)size < 0)
9753 + return size;
9754 +
9755 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9756 + if (!__access_ok(VERIFY_READ, src, size))
9757 + return size;
9758 +#endif
9759 +
9760 return __copy_user_nocache(dst, src, size, 1);
9761 }
9762
9763 -static inline int
9764 -__copy_from_user_inatomic_nocache(void *dst, const void __user *src,
9765 +static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
9766 unsigned size)
9767 {
9768 + if ((int)size < 0)
9769 + return size;
9770 +
9771 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9772 + if (!__access_ok(VERIFY_READ, src, size))
9773 + return size;
9774 +#endif
9775 +
9776 return __copy_user_nocache(dst, src, size, 0);
9777 }
9778
9779 -unsigned long
9780 +extern unsigned long
9781 copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
9782
9783 #endif /* _ASM_X86_UACCESS_64_H */
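Review bot: `__copy_from_user_inatomic` keeps its `int` return type while its sibling `__copy_to_user_inatomic` is changed to `unsigned long` in the same hunk, and both now `return size;` on the `(int)size < 0` path, so the from-variant hands a negative `int` to callers that treat the result as a count of bytes not copied. `static __must_check __always_inline unsigned long` on `__copy_from_user_inatomic` would make the two consistent with each other and with `__copy_from_user`, which this patch also converts to `unsigned long`. The UDEREF `__access_ok` pre-checks return `size` as well, so the same observation applies to them.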
9784 diff -urNp linux-2.6.37/arch/x86/include/asm/uaccess.h linux-2.6.37/arch/x86/include/asm/uaccess.h
9785 --- linux-2.6.37/arch/x86/include/asm/uaccess.h 2011-01-04 19:50:19.000000000 -0500
9786 +++ linux-2.6.37/arch/x86/include/asm/uaccess.h 2011-01-17 02:41:01.000000000 -0500
9787 @@ -8,12 +8,15 @@
9788 #include <linux/thread_info.h>
9789 #include <linux/prefetch.h>
9790 #include <linux/string.h>
9791 +#include <linux/sched.h>
9792 #include <asm/asm.h>
9793 #include <asm/page.h>
9794
9795 #define VERIFY_READ 0
9796 #define VERIFY_WRITE 1
9797
9798 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
9799 +
9800 /*
9801 * The fs value determines whether argument validity checking should be
9802 * performed or not. If get_fs() == USER_DS, checking is performed, with
9803 @@ -29,7 +32,12 @@
9804
9805 #define get_ds() (KERNEL_DS)
9806 #define get_fs() (current_thread_info()->addr_limit)
9807 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
9808 +void __set_fs(mm_segment_t x);
9809 +void set_fs(mm_segment_t x);
9810 +#else
9811 #define set_fs(x) (current_thread_info()->addr_limit = (x))
9812 +#endif
9813
9814 #define segment_eq(a, b) ((a).seg == (b).seg)
9815
9816 @@ -77,7 +85,33 @@
9817 * checks that the pointer is in the user space range - after calling
9818 * this function, memory access functions may still return -EFAULT.
9819 */
9820 -#define access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
9821 +#define __access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
9822 +#define access_ok(type, addr, size) \
9823 +({ \
9824 + long __size = size; \
9825 + unsigned long __addr = (unsigned long)addr; \
9826 + unsigned long __addr_ao = __addr & PAGE_MASK; \
9827 + unsigned long __end_ao = __addr + __size - 1; \
9828 + bool __ret_ao = __range_not_ok(__addr, __size) == 0; \
9829 + if (__ret_ao && unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
9830 + while(__addr_ao <= __end_ao) { \
9831 + char __c_ao; \
9832 + __addr_ao += PAGE_SIZE; \
9833 + if (__size > PAGE_SIZE) \
9834 + cond_resched(); \
9835 + if (__get_user(__c_ao, (char __user *)__addr)) \
9836 + break; \
9837 + if (type != VERIFY_WRITE) { \
9838 + __addr = __addr_ao; \
9839 + continue; \
9840 + } \
9841 + if (__put_user(__c_ao, (char __user *)__addr)) \
9842 + break; \
9843 + __addr = __addr_ao; \
9844 + } \
9845 + } \
9846 + __ret_ao; \
9847 +})
9848
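Review bot: The new `access_ok` uses its `addr` and `size` arguments unparenthesized: `(unsigned long)addr` binds the cast to the first operand only, so an argument such as `buf + off` with a non-`char` `buf` yields `(unsigned long)buf + off` rather than the intended byte address. `long __size = (size);` and `unsigned long __addr = (unsigned long)(addr);` fix both lines. The macro has also changed from a pure range check into one that touches every page of the range through `__get_user`/`__put_user` and may call `cond_resched()`, while `__ret_ao` is computed before the loop and a failed probe only breaks out of it; a comment stating that this is a best-effort pre-fault that must not be used with page faults disabled or in atomic context would spare callers a surprise: `/* Pre-fault every page of the range; may sleep. A failed probe does not change the result. */`.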
9849 /*
9850 * The exception table consists of pairs of addresses: the first is the
9851 @@ -183,12 +217,20 @@ extern int __get_user_bad(void);
9852 asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
9853 : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
9854
9855 -
9856 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
9857 +#define __copyuser_seg "%%gs:"
9858 +#define __COPYUSER_SET_ES "pushl %%gs; popl %%es\n"
9859 +#define __COPYUSER_RESTORE_ES "pushl %%ss; popl %%es\n"
9860 +#else
9861 +#define __copyuser_seg
9862 +#define __COPYUSER_SET_ES
9863 +#define __COPYUSER_RESTORE_ES
9864 +#endif
9865
9866 #ifdef CONFIG_X86_32
9867 #define __put_user_asm_u64(x, addr, err, errret) \
9868 - asm volatile("1: movl %%eax,0(%2)\n" \
9869 - "2: movl %%edx,4(%2)\n" \
9870 + asm volatile("1: movl %%eax," __copyuser_seg"0(%2)\n" \
9871 + "2: movl %%edx," __copyuser_seg"4(%2)\n" \
9872 "3:\n" \
9873 ".section .fixup,\"ax\"\n" \
9874 "4: movl %3,%0\n" \
9875 @@ -200,8 +242,8 @@ extern int __get_user_bad(void);
9876 : "A" (x), "r" (addr), "i" (errret), "0" (err))
9877
9878 #define __put_user_asm_ex_u64(x, addr) \
9879 - asm volatile("1: movl %%eax,0(%1)\n" \
9880 - "2: movl %%edx,4(%1)\n" \
9881 + asm volatile("1: movl %%eax," __copyuser_seg"0(%1)\n" \
9882 + "2: movl %%edx," __copyuser_seg"4(%1)\n" \
9883 "3:\n" \
9884 _ASM_EXTABLE(1b, 2b - 1b) \
9885 _ASM_EXTABLE(2b, 3b - 2b) \
9886 @@ -374,7 +416,7 @@ do { \
9887 } while (0)
9888
9889 #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
9890 - asm volatile("1: mov"itype" %2,%"rtype"1\n" \
9891 + asm volatile("1: mov"itype" "__copyuser_seg"%2,%"rtype"1\n"\
9892 "2:\n" \
9893 ".section .fixup,\"ax\"\n" \
9894 "3: mov %3,%0\n" \
9895 @@ -382,7 +424,7 @@ do { \
9896 " jmp 2b\n" \
9897 ".previous\n" \
9898 _ASM_EXTABLE(1b, 3b) \
9899 - : "=r" (err), ltype(x) \
9900 + : "=r" (err), ltype (x) \
9901 : "m" (__m(addr)), "i" (errret), "0" (err))
9902
9903 #define __get_user_size_ex(x, ptr, size) \
9904 @@ -407,7 +449,7 @@ do { \
9905 } while (0)
9906
9907 #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
9908 - asm volatile("1: mov"itype" %1,%"rtype"0\n" \
9909 + asm volatile("1: mov"itype" "__copyuser_seg"%1,%"rtype"0\n"\
9910 "2:\n" \
9911 _ASM_EXTABLE(1b, 2b - 1b) \
9912 : ltype(x) : "m" (__m(addr)))
9913 @@ -424,13 +466,24 @@ do { \
9914 int __gu_err; \
9915 unsigned long __gu_val; \
9916 __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
9917 - (x) = (__force __typeof__(*(ptr)))__gu_val; \
9918 + (x) = (__typeof__(*(ptr)))__gu_val; \
9919 __gu_err; \
9920 })
9921
9922 /* FIXME: this hack is definitely wrong -AK */
9923 struct __large_struct { unsigned long buf[100]; };
9924 -#define __m(x) (*(struct __large_struct __user *)(x))
9925 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9926 +#define ____m(x) \
9927 +({ \
9928 + unsigned long ____x = (unsigned long)(x); \
9929 + if (____x < PAX_USER_SHADOW_BASE) \
9930 + ____x += PAX_USER_SHADOW_BASE; \
9931 + (void __user *)____x; \
9932 +})
9933 +#else
9934 +#define ____m(x) (x)
9935 +#endif
9936 +#define __m(x) (*(struct __large_struct __user *)____m(x))
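Review bot: Dropping `__force` from `(x) = (__typeof__(*(ptr)))__gu_val;` (and the same change to `get_user_ex` in a later hunk of this file) presumably re-enables sparse address-space warnings for callers whose `*ptr` is a pointer type carrying an `__user` annotation, which is what the qualifier was silencing; if sparse cleanliness is a goal the cast should keep `__force`. Separately, `____m()` is applied inside `__m()` for every user, so the shadow relocation now happens for each `__get_user_asm`/`__put_user_asm` operand on x86_64 with UDEREF; a comment at the `#define __m(x)` line such as `/* ____m(): relocate into the UDEREF user shadow area on x86_64 */` would explain the extra indirection.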
9937
9938 /*
9939 * Tell gcc we read from memory instead of writing: this is because
9940 @@ -438,7 +491,7 @@ struct __large_struct { unsigned long bu
9941 * aliasing issues.
9942 */
9943 #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
9944 - asm volatile("1: mov"itype" %"rtype"1,%2\n" \
9945 + asm volatile("1: mov"itype" %"rtype"1," __copyuser_seg"%2\n"\
9946 "2:\n" \
9947 ".section .fixup,\"ax\"\n" \
9948 "3: mov %3,%0\n" \
9949 @@ -446,10 +499,10 @@ struct __large_struct { unsigned long bu
9950 ".previous\n" \
9951 _ASM_EXTABLE(1b, 3b) \
9952 : "=r"(err) \
9953 - : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
9954 + : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err))
9955
9956 #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \
9957 - asm volatile("1: mov"itype" %"rtype"0,%1\n" \
9958 + asm volatile("1: mov"itype" %"rtype"0," __copyuser_seg"%1\n"\
9959 "2:\n" \
9960 _ASM_EXTABLE(1b, 2b - 1b) \
9961 : : ltype(x), "m" (__m(addr)))
9962 @@ -488,8 +541,12 @@ struct __large_struct { unsigned long bu
9963 * On error, the variable @x is set to zero.
9964 */
9965
9966 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9967 +#define __get_user(x, ptr) get_user((x), (ptr))
9968 +#else
9969 #define __get_user(x, ptr) \
9970 __get_user_nocheck((x), (ptr), sizeof(*(ptr)))
9971 +#endif
9972
9973 /**
9974 * __put_user: - Write a simple value into user space, with less checking.
9975 @@ -511,8 +568,12 @@ struct __large_struct { unsigned long bu
9976 * Returns zero on success, or -EFAULT on error.
9977 */
9978
9979 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9980 +#define __put_user(x, ptr) put_user((x), (ptr))
9981 +#else
9982 #define __put_user(x, ptr) \
9983 __put_user_nocheck((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)))
9984 +#endif
9985
9986 #define __get_user_unaligned __get_user
9987 #define __put_user_unaligned __put_user
9988 @@ -530,7 +591,7 @@ struct __large_struct { unsigned long bu
9989 #define get_user_ex(x, ptr) do { \
9990 unsigned long __gue_val; \
9991 __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \
9992 - (x) = (__force __typeof__(*(ptr)))__gue_val; \
9993 + (x) = (__typeof__(*(ptr)))__gue_val; \
9994 } while (0)
9995
9996 #ifdef CONFIG_X86_WP_WORKS_OK
9997 @@ -567,6 +628,7 @@ extern struct movsl_mask {
9998
9999 #define ARCH_HAS_NOCACHE_UACCESS 1
10000
10001 +#define ARCH_HAS_SORT_EXTABLE
10002 #ifdef CONFIG_X86_32
10003 # include "uaccess_32.h"
10004 #else
10005 diff -urNp linux-2.6.37/arch/x86/include/asm/vgtod.h linux-2.6.37/arch/x86/include/asm/vgtod.h
10006 --- linux-2.6.37/arch/x86/include/asm/vgtod.h 2011-01-04 19:50:19.000000000 -0500
10007 +++ linux-2.6.37/arch/x86/include/asm/vgtod.h 2011-01-17 02:41:01.000000000 -0500
10008 @@ -14,6 +14,7 @@ struct vsyscall_gtod_data {
10009 int sysctl_enabled;
10010 struct timezone sys_tz;
10011 struct { /* extract of a clocksource struct */
10012 + char name[8];
10013 cycle_t (*vread)(void);
10014 cycle_t cycle_last;
10015 cycle_t mask;
10016 diff -urNp linux-2.6.37/arch/x86/include/asm/vsyscall.h linux-2.6.37/arch/x86/include/asm/vsyscall.h
10017 --- linux-2.6.37/arch/x86/include/asm/vsyscall.h 2011-01-04 19:50:19.000000000 -0500
10018 +++ linux-2.6.37/arch/x86/include/asm/vsyscall.h 2011-01-17 02:41:01.000000000 -0500
10019 @@ -15,9 +15,10 @@ enum vsyscall_num {
10020
10021 #ifdef __KERNEL__
10022 #include <linux/seqlock.h>
10023 +#include <linux/getcpu.h>
10024 +#include <linux/time.h>
10025
10026 #define __section_vgetcpu_mode __attribute__ ((unused, __section__ (".vgetcpu_mode"), aligned(16)))
10027 -#define __section_jiffies __attribute__ ((unused, __section__ (".jiffies"), aligned(16)))
10028
10029 /* Definitions for CONFIG_GENERIC_TIME definitions */
10030 #define __section_vsyscall_gtod_data __attribute__ \
10031 @@ -31,7 +32,6 @@ enum vsyscall_num {
10032 #define VGETCPU_LSL 2
10033
10034 extern int __vgetcpu_mode;
10035 -extern volatile unsigned long __jiffies;
10036
10037 /* kernel space (writeable) */
10038 extern int vgetcpu_mode;
10039 @@ -39,6 +39,9 @@ extern struct timezone sys_tz;
10040
10041 extern void map_vsyscall(void);
10042
10043 +extern int vgettimeofday(struct timeval * tv, struct timezone * tz);
10044 +extern time_t vtime(time_t *t);
10045 +extern long vgetcpu(unsigned *cpu, unsigned *node, struct getcpu_cache *tcache);
10046 #endif /* __KERNEL__ */
10047
10048 #endif /* _ASM_X86_VSYSCALL_H */
10049 diff -urNp linux-2.6.37/arch/x86/include/asm/xsave.h linux-2.6.37/arch/x86/include/asm/xsave.h
10050 --- linux-2.6.37/arch/x86/include/asm/xsave.h 2011-01-04 19:50:19.000000000 -0500
10051 +++ linux-2.6.37/arch/x86/include/asm/xsave.h 2011-01-17 02:41:01.000000000 -0500
10052 @@ -65,6 +65,11 @@ static inline int xsave_user(struct xsav
10053 {
10054 int err;
10055
10056 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10057 + if ((unsigned long)buf < PAX_USER_SHADOW_BASE)
10058 + buf = (struct xsave_struct __user *)((void __user*)buf + PAX_USER_SHADOW_BASE);
10059 +#endif
10060 +
10061 /*
10062 * Clear the xsave header first, so that reserved fields are
10063 * initialized to zero.
10064 @@ -100,6 +105,11 @@ static inline int xrestore_user(struct x
10065 u32 lmask = mask;
10066 u32 hmask = mask >> 32;
10067
10068 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10069 + if ((unsigned long)xstate < PAX_USER_SHADOW_BASE)
10070 + xstate = (struct xsave_struct *)((void *)xstate + PAX_USER_SHADOW_BASE);
10071 +#endif
10072 +
10073 __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
10074 "2:\n"
10075 ".section .fixup,\"ax\"\n"
10076 diff -urNp linux-2.6.37/arch/x86/Kconfig linux-2.6.37/arch/x86/Kconfig
10077 --- linux-2.6.37/arch/x86/Kconfig 2011-01-04 19:50:19.000000000 -0500
10078 +++ linux-2.6.37/arch/x86/Kconfig 2011-01-17 02:41:01.000000000 -0500
10079 @@ -225,7 +225,7 @@ config X86_TRAMPOLINE
10080
10081 config X86_32_LAZY_GS
10082 def_bool y
10083 - depends on X86_32 && !CC_STACKPROTECTOR
10084 + depends on X86_32 && !CC_STACKPROTECTOR && !PAX_MEMORY_UDEREF
10085
10086 config ARCH_HWEIGHT_CFLAGS
10087 string
10088 @@ -992,7 +992,7 @@ choice
10089
10090 config NOHIGHMEM
10091 bool "off"
10092 - depends on !X86_NUMAQ
10093 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
10094 ---help---
10095 Linux can use up to 64 Gigabytes of physical memory on x86 systems.
10096 However, the address space of 32-bit x86 processors is only 4
10097 @@ -1029,7 +1029,7 @@ config NOHIGHMEM
10098
10099 config HIGHMEM4G
10100 bool "4GB"
10101 - depends on !X86_NUMAQ
10102 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
10103 ---help---
10104 Select this if you have a 32-bit processor and between 1 and 4
10105 gigabytes of physical RAM.
10106 @@ -1083,7 +1083,7 @@ config PAGE_OFFSET
10107 hex
10108 default 0xB0000000 if VMSPLIT_3G_OPT
10109 default 0x80000000 if VMSPLIT_2G
10110 - default 0x78000000 if VMSPLIT_2G_OPT
10111 + default 0x70000000 if VMSPLIT_2G_OPT
10112 default 0x40000000 if VMSPLIT_1G
10113 default 0xC0000000
10114 depends on X86_32
10115 @@ -1427,7 +1427,7 @@ config ARCH_USES_PG_UNCACHED
10116
10117 config EFI
10118 bool "EFI runtime service support"
10119 - depends on ACPI
10120 + depends on ACPI && !PAX_KERNEXEC
10121 ---help---
10122 This enables the kernel to use EFI runtime services that are
10123 available (such as the EFI variable services).
10124 @@ -1457,6 +1457,7 @@ config SECCOMP
10125
10126 config CC_STACKPROTECTOR
10127 bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
10128 + depends on X86_64 || !PAX_MEMORY_UDEREF
10129 ---help---
10130 This option turns on the -fstack-protector GCC feature. This
10131 feature puts, at the beginning of functions, a canary value on
10132 @@ -1514,6 +1515,7 @@ config KEXEC_JUMP
10133 config PHYSICAL_START
10134 hex "Physical address where the kernel is loaded" if (EMBEDDED || CRASH_DUMP)
10135 default "0x1000000"
10136 + range 0x400000 0x40000000
10137 ---help---
10138 This gives the physical address where the kernel is loaded.
10139
10140 @@ -1577,6 +1579,7 @@ config X86_NEED_RELOCS
10141 config PHYSICAL_ALIGN
10142 hex "Alignment value to which kernel should be aligned" if X86_32
10143 default "0x1000000"
10144 + range 0x400000 0x1000000 if PAX_KERNEXEC
10145 range 0x2000 0x1000000
10146 ---help---
10147 This value puts the alignment restrictions on physical address
10148 @@ -1608,9 +1611,10 @@ config HOTPLUG_CPU
10149 Say N if you want to disable CPU hotplug.
10150
10151 config COMPAT_VDSO
10152 - def_bool y
10153 + def_bool n
10154 prompt "Compat VDSO support"
10155 depends on X86_32 || IA32_EMULATION
10156 + depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF
10157 ---help---
10158 Map the 32-bit VDSO to the predictable old-style address too.
10159
10160 diff -urNp linux-2.6.37/arch/x86/Kconfig.cpu linux-2.6.37/arch/x86/Kconfig.cpu
10161 --- linux-2.6.37/arch/x86/Kconfig.cpu 2011-01-04 19:50:19.000000000 -0500
10162 +++ linux-2.6.37/arch/x86/Kconfig.cpu 2011-01-17 02:41:01.000000000 -0500
10163 @@ -336,7 +336,7 @@ config X86_PPRO_FENCE
10164
10165 config X86_F00F_BUG
10166 def_bool y
10167 - depends on M586MMX || M586TSC || M586 || M486 || M386
10168 + depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
10169
10170 config X86_INVD_BUG
10171 def_bool y
10172 @@ -360,7 +360,7 @@ config X86_POPAD_OK
10173
10174 config X86_ALIGNMENT_16
10175 def_bool y
10176 - depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
10177 + depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
10178
10179 config X86_INTEL_USERCOPY
10180 def_bool y
10181 @@ -406,7 +406,7 @@ config X86_CMPXCHG64
10182 # generates cmov.
10183 config X86_CMOV
10184 def_bool y
10185 - depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
10186 + depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
10187
10188 config X86_MINIMUM_CPU_FAMILY
10189 int
10190 diff -urNp linux-2.6.37/arch/x86/Kconfig.debug linux-2.6.37/arch/x86/Kconfig.debug
10191 --- linux-2.6.37/arch/x86/Kconfig.debug 2011-01-04 19:50:19.000000000 -0500
10192 +++ linux-2.6.37/arch/x86/Kconfig.debug 2011-01-17 02:41:01.000000000 -0500
10193 @@ -101,7 +101,7 @@ config X86_PTDUMP
10194 config DEBUG_RODATA
10195 bool "Write protect kernel read-only data structures"
10196 default y
10197 - depends on DEBUG_KERNEL
10198 + depends on DEBUG_KERNEL && BROKEN
10199 ---help---
10200 Mark the kernel read-only data as write-protected in the pagetables,
10201 in order to catch accidental (and incorrect) writes to such const
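Review bot: `depends on DEBUG_KERNEL && BROKEN` makes DEBUG_RODATA unselectable in every configuration, including ones that do not enable PAX_KERNEXEC, so such users lose the write-protection of kernel read-only data with no replacement. If the option conflicts with KERNEXEC, expressing that as `depends on DEBUG_KERNEL && !PAX_KERNEXEC` keeps the hardening available elsewhere and documents the reason; if it is genuinely broken under this patch, a line in the help text saying why would help the next person who wonders where the option went.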
10202 diff -urNp linux-2.6.37/arch/x86/kernel/acpi/boot.c linux-2.6.37/arch/x86/kernel/acpi/boot.c
10203 --- linux-2.6.37/arch/x86/kernel/acpi/boot.c 2011-01-04 19:50:19.000000000 -0500
10204 +++ linux-2.6.37/arch/x86/kernel/acpi/boot.c 2011-01-17 02:41:01.000000000 -0500
10205 @@ -1498,7 +1498,7 @@ static struct dmi_system_id __initdata a
10206 DMI_MATCH(DMI_PRODUCT_NAME, "HP Compaq 6715b"),
10207 },
10208 },
10209 - {}
10210 + { NULL, NULL, {{0, {0}}}, NULL}
10211 };
10212
10213 /*
10214 diff -urNp linux-2.6.37/arch/x86/kernel/acpi/sleep.c linux-2.6.37/arch/x86/kernel/acpi/sleep.c
10215 --- linux-2.6.37/arch/x86/kernel/acpi/sleep.c 2011-01-04 19:50:19.000000000 -0500
10216 +++ linux-2.6.37/arch/x86/kernel/acpi/sleep.c 2011-01-17 02:41:01.000000000 -0500
10217 @@ -12,6 +12,7 @@
10218 #include <linux/cpumask.h>
10219 #include <asm/segment.h>
10220 #include <asm/desc.h>
10221 +#include <asm/e820.h>
10222
10223 #ifdef CONFIG_X86_32
10224 #include <asm/pgtable.h>
10225 @@ -20,7 +21,7 @@
10226 #include "realmode/wakeup.h"
10227 #include "sleep.h"
10228
10229 -unsigned long acpi_wakeup_address;
10230 +unsigned long acpi_wakeup_address = 0x2000;
10231 unsigned long acpi_realmode_flags;
10232
10233 /* address in low memory of the wakeup routine. */
10234 @@ -101,8 +102,12 @@ int acpi_save_state_mem(void)
10235 header->trampoline_segment = setup_trampoline() >> 4;
10236 #ifdef CONFIG_SMP
10237 stack_start.sp = temp_stack + sizeof(temp_stack);
10238 +
10239 + pax_open_kernel();
10240 early_gdt_descr.address =
10241 (unsigned long)get_cpu_gdt_table(smp_processor_id());
10242 + pax_close_kernel();
10243 +
10244 initial_gs = per_cpu_offset(smp_processor_id());
10245 #endif
10246 initial_code = (unsigned long)wakeup_long64;
10247 diff -urNp linux-2.6.37/arch/x86/kernel/acpi/wakeup_32.S linux-2.6.37/arch/x86/kernel/acpi/wakeup_32.S
10248 --- linux-2.6.37/arch/x86/kernel/acpi/wakeup_32.S 2011-01-04 19:50:19.000000000 -0500
10249 +++ linux-2.6.37/arch/x86/kernel/acpi/wakeup_32.S 2011-01-17 02:41:01.000000000 -0500
10250 @@ -30,13 +30,11 @@ wakeup_pmode_return:
10251 # and restore the stack ... but you need gdt for this to work
10252 movl saved_context_esp, %esp
10253
10254 - movl %cs:saved_magic, %eax
10255 - cmpl $0x12345678, %eax
10256 + cmpl $0x12345678, saved_magic
10257 jne bogus_magic
10258
10259 # jump to place where we left off
10260 - movl saved_eip, %eax
10261 - jmp *%eax
10262 + jmp *(saved_eip)
10263
10264 bogus_magic:
10265 jmp bogus_magic
10266 diff -urNp linux-2.6.37/arch/x86/kernel/alternative.c linux-2.6.37/arch/x86/kernel/alternative.c
10267 --- linux-2.6.37/arch/x86/kernel/alternative.c 2011-01-04 19:50:19.000000000 -0500
10268 +++ linux-2.6.37/arch/x86/kernel/alternative.c 2011-01-17 02:41:01.000000000 -0500
10269 @@ -248,7 +248,7 @@ static void alternatives_smp_lock(const
10270 if (!*poff || ptr < text || ptr >= text_end)
10271 continue;
10272 /* turn DS segment override prefix into lock prefix */
10273 - if (*ptr == 0x3e)
10274 + if (*ktla_ktva(ptr) == 0x3e)
10275 text_poke(ptr, ((unsigned char []){0xf0}), 1);
10276 };
10277 mutex_unlock(&text_mutex);
10278 @@ -269,7 +269,7 @@ static void alternatives_smp_unlock(cons
10279 if (!*poff || ptr < text || ptr >= text_end)
10280 continue;
10281 /* turn lock prefix into DS segment override prefix */
10282 - if (*ptr == 0xf0)
10283 + if (*ktla_ktva(ptr) == 0xf0)
10284 text_poke(ptr, ((unsigned char []){0x3E}), 1);
10285 };
10286 mutex_unlock(&text_mutex);
10287 @@ -437,7 +437,7 @@ void __init_or_module apply_paravirt(str
10288
10289 BUG_ON(p->len > MAX_PATCH_LEN);
10290 /* prep the buffer with the original instructions */
10291 - memcpy(insnbuf, p->instr, p->len);
10292 + memcpy(insnbuf, ktla_ktva(p->instr), p->len);
10293 used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
10294 (unsigned long)p->instr, p->len);
10295
10296 @@ -505,7 +505,7 @@ void __init alternative_instructions(voi
10297 if (smp_alt_once)
10298 free_init_pages("SMP alternatives",
10299 (unsigned long)__smp_locks,
10300 - (unsigned long)__smp_locks_end);
10301 + PAGE_ALIGN((unsigned long)__smp_locks_end));
10302
10303 restart_nmi();
10304 }
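Review bot: `PAGE_ALIGN((unsigned long)__smp_locks_end)` rounds the end of the freed range up, so if the linker does not page-align the end of the .smp_locks section the remainder of that page, which may belong to whatever section follows, is handed back to the allocator. This is only safe if the linker script guarantees page alignment there; that change is not visible in this hunk and should be confirmed, and a comment such as `/* __smp_locks_end is page-aligned by the linker script */` would document the dependency. `alternative_instructions()` starts outside the hunk.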
10305 @@ -522,13 +522,17 @@ void __init alternative_instructions(voi
10306 * instructions. And on the local CPU you need to be protected again NMI or MCE
10307 * handlers seeing an inconsistent instruction while you patch.
10308 */
10309 -void *__init_or_module text_poke_early(void *addr, const void *opcode,
10310 +void *__kprobes text_poke_early(void *addr, const void *opcode,
10311 size_t len)
10312 {
10313 unsigned long flags;
10314 local_irq_save(flags);
10315 - memcpy(addr, opcode, len);
10316 +
10317 + pax_open_kernel();
10318 + memcpy(ktla_ktva(addr), opcode, len);
10319 sync_core();
10320 + pax_close_kernel();
10321 +
10322 local_irq_restore(flags);
10323 /* Could also do a CLFLUSH here to speed up CPU recovery; but
10324 that causes hangs on some VIA CPUs. */
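Review bot: `text_poke_early()` loses `__init_or_module` and gains `__kprobes` because `text_poke()` in the next hunk now calls it at run time, but the header comment describing it begins above the hunk and presumably still describes an early/module-load-only helper; it should be updated to say this is now the single place kernel text is written. The `pax_open_kernel()`/`pax_close_kernel()` pair correctly brackets both the `memcpy()` and `sync_core()` while interrupts are off, which is the narrowest reasonable window. A comment on `memcpy(ktla_ktva(addr), ...)` explaining that the write goes through the alias of the text address would help readers who do not know the macro.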
10325 @@ -550,36 +554,22 @@ void *__init_or_module text_poke_early(v
10326 */
10327 void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
10328 {
10329 - unsigned long flags;
10330 - char *vaddr;
10331 + unsigned char *vaddr = ktla_ktva(addr);
10332 struct page *pages[2];
10333 - int i;
10334 + size_t i;
10335
10336 if (!core_kernel_text((unsigned long)addr)) {
10337 - pages[0] = vmalloc_to_page(addr);
10338 - pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
10339 + pages[0] = vmalloc_to_page(vaddr);
10340 + pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);
10341 } else {
10342 - pages[0] = virt_to_page(addr);
10343 + pages[0] = virt_to_page(vaddr);
10344 WARN_ON(!PageReserved(pages[0]));
10345 - pages[1] = virt_to_page(addr + PAGE_SIZE);
10346 + pages[1] = virt_to_page(vaddr + PAGE_SIZE);
10347 }
10348 BUG_ON(!pages[0]);
10349 - local_irq_save(flags);
10350 - set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
10351 - if (pages[1])
10352 - set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
10353 - vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
10354 - memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
10355 - clear_fixmap(FIX_TEXT_POKE0);
10356 - if (pages[1])
10357 - clear_fixmap(FIX_TEXT_POKE1);
10358 - local_flush_tlb();
10359 - sync_core();
10360 - /* Could also do a CLFLUSH here to speed up CPU recovery; but
10361 - that causes hangs on some VIA CPUs. */
10362 + text_poke_early(addr, opcode, len);
10363 for (i = 0; i < len; i++)
10364 - BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
10365 - local_irq_restore(flags);
10366 + BUG_ON((vaddr)[i] != ((const unsigned char *)opcode)[i]);
10367 return addr;
10368 }
10369
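Review bot: After the rewrite `pages[1]` is still filled from `vmalloc_to_page(vaddr + PAGE_SIZE)` / `virt_to_page(vaddr + PAGE_SIZE)` but never read, because the fixmap path that consumed it is gone; only `pages[0]` feeds the `BUG_ON`/`WARN_ON` checks, so the second lookup is dead work and the array can shrink to one element. The function's header comment, which begins above the hunk, presumably still describes the temporary fixmap mapping and should be rewritten to say the write now goes through `text_poke_early()` with write protection lifted. Replacing a per-call temporary mapping with a global write-enable toggle widens what is writable during the poke; that trade-off deserves a sentence in the comment.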
10370 @@ -645,9 +635,9 @@ void *__kprobes text_poke_smp(void *addr
10371 #if defined(CONFIG_DYNAMIC_FTRACE) || defined(HAVE_JUMP_LABEL)
10372
10373 #ifdef CONFIG_X86_64
10374 -unsigned char ideal_nop5[5] = { 0x66, 0x66, 0x66, 0x66, 0x90 };
10375 +unsigned char ideal_nop5[5] __read_only = { 0x66, 0x66, 0x66, 0x66, 0x90 };
10376 #else
10377 -unsigned char ideal_nop5[5] = { 0x3e, 0x8d, 0x74, 0x26, 0x00 };
10378 +unsigned char ideal_nop5[5] __read_only = { 0x3e, 0x8d, 0x74, 0x26, 0x00 };
10379 #endif
10380
10381 void __init arch_init_ideal_nop5(void)
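Review bot: `ideal_nop5` is now `__read_only`, yet `arch_init_ideal_nop5()` directly below presumably writes to it at init; that write must either happen before the read-only section is sealed or be wrapped in `pax_open_kernel()`/`pax_close_kernel()`, and its body is outside the hunk so this cannot be checked here. The same question applies to `mtrr_ops[]` in arch/x86/kernel/cpu/mtrr/main.c, which this patch also marks `__read_only` while whatever registers the vendor ops still stores into it. A comment on each declaration naming the point at which it is initialised would document the constraint.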
10382 diff -urNp linux-2.6.37/arch/x86/kernel/amd_iommu.c linux-2.6.37/arch/x86/kernel/amd_iommu.c
10383 --- linux-2.6.37/arch/x86/kernel/amd_iommu.c 2011-01-04 19:50:19.000000000 -0500
10384 +++ linux-2.6.37/arch/x86/kernel/amd_iommu.c 2011-01-17 02:41:01.000000000 -0500
10385 @@ -2286,7 +2286,7 @@ static void prealloc_protection_domains(
10386 }
10387 }
10388
10389 -static struct dma_map_ops amd_iommu_dma_ops = {
10390 +static const struct dma_map_ops amd_iommu_dma_ops = {
10391 .alloc_coherent = alloc_coherent,
10392 .free_coherent = free_coherent,
10393 .map_page = map_page,
10394 diff -urNp linux-2.6.37/arch/x86/kernel/apic/io_apic.c linux-2.6.37/arch/x86/kernel/apic/io_apic.c
10395 --- linux-2.6.37/arch/x86/kernel/apic/io_apic.c 2011-01-04 19:50:19.000000000 -0500
10396 +++ linux-2.6.37/arch/x86/kernel/apic/io_apic.c 2011-01-17 02:41:01.000000000 -0500
10397 @@ -597,7 +597,7 @@ struct IO_APIC_route_entry **alloc_ioapi
10398 ioapic_entries = kzalloc(sizeof(*ioapic_entries) * nr_ioapics,
10399 GFP_KERNEL);
10400 if (!ioapic_entries)
10401 - return 0;
10402 + return NULL;
10403
10404 for (apic = 0; apic < nr_ioapics; apic++) {
10405 ioapic_entries[apic] =
10406 @@ -614,7 +614,7 @@ nomem:
10407 kfree(ioapic_entries[apic]);
10408 kfree(ioapic_entries);
10409
10410 - return 0;
10411 + return NULL;
10412 }
10413
10414 /*
10415 @@ -1024,7 +1024,7 @@ int IO_APIC_get_PCI_irq_vector(int bus,
10416 }
10417 EXPORT_SYMBOL(IO_APIC_get_PCI_irq_vector);
10418
10419 -void lock_vector_lock(void)
10420 +void lock_vector_lock(void) __acquires(vector_lock)
10421 {
10422 /* Used to the online set of cpus does not change
10423 * during assign_irq_vector.
10424 @@ -1032,7 +1032,7 @@ void lock_vector_lock(void)
10425 raw_spin_lock(&vector_lock);
10426 }
10427
10428 -void unlock_vector_lock(void)
10429 +void unlock_vector_lock(void) __releases(vector_lock)
10430 {
10431 raw_spin_unlock(&vector_lock);
10432 }
10433 diff -urNp linux-2.6.37/arch/x86/kernel/apm_32.c linux-2.6.37/arch/x86/kernel/apm_32.c
10434 --- linux-2.6.37/arch/x86/kernel/apm_32.c 2011-01-04 19:50:19.000000000 -0500
10435 +++ linux-2.6.37/arch/x86/kernel/apm_32.c 2011-01-17 02:41:01.000000000 -0500
10436 @@ -410,7 +410,7 @@ static DEFINE_MUTEX(apm_mutex);
10437 * This is for buggy BIOS's that refer to (real mode) segment 0x40
10438 * even though they are called in protected mode.
10439 */
10440 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
10441 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
10442 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
10443
10444 static const char driver_version[] = "1.16ac"; /* no spaces */
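Review bot: The access-byte change from `0x4092` to `0x4093` (pre-setting the descriptor's accessed bit) is silent; the existing comment only explains the segment 0x40 workaround. If the reason is that the GDT may now sit in read-only memory, so the CPU must not need to write the accessed bit when the segment is loaded, say so on the line: `/* accessed bit pre-set: the GDT page may be read-only */`. That rationale is inferred from the rest of the patch and should be confirmed.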
10445 @@ -588,7 +588,10 @@ static long __apm_bios_call(void *_call)
10446 BUG_ON(cpu != 0);
10447 gdt = get_cpu_gdt_table(cpu);
10448 save_desc_40 = gdt[0x40 / 8];
10449 +
10450 + pax_open_kernel();
10451 gdt[0x40 / 8] = bad_bios_desc;
10452 + pax_close_kernel();
10453
10454 apm_irq_save(flags);
10455 APM_DO_SAVE_SEGS;
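Review bot: The sequence `pax_open_kernel(); gdt[0x40 / 8] = ...; pax_close_kernel();` now appears four times across `__apm_bios_call()` and `__apm_bios_call_simple()` (this hunk and the three that follow). A small static inline helper, say `apm_set_desc_40(gdt, desc)`, holding the open/write/close triple would keep the write-enable window in one place and make it harder for a future edit to leave it open. Both functions start and end outside their hunks.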
10456 @@ -597,7 +600,11 @@ static long __apm_bios_call(void *_call)
10457 &call->esi);
10458 APM_DO_RESTORE_SEGS;
10459 apm_irq_restore(flags);
10460 +
10461 + pax_open_kernel();
10462 gdt[0x40 / 8] = save_desc_40;
10463 + pax_close_kernel();
10464 +
10465 put_cpu();
10466
10467 return call->eax & 0xff;
10468 @@ -664,7 +671,10 @@ static long __apm_bios_call_simple(void
10469 BUG_ON(cpu != 0);
10470 gdt = get_cpu_gdt_table(cpu);
10471 save_desc_40 = gdt[0x40 / 8];
10472 +
10473 + pax_open_kernel();
10474 gdt[0x40 / 8] = bad_bios_desc;
10475 + pax_close_kernel();
10476
10477 apm_irq_save(flags);
10478 APM_DO_SAVE_SEGS;
10479 @@ -672,7 +682,11 @@ static long __apm_bios_call_simple(void
10480 &call->eax);
10481 APM_DO_RESTORE_SEGS;
10482 apm_irq_restore(flags);
10483 +
10484 + pax_open_kernel();
10485 gdt[0x40 / 8] = save_desc_40;
10486 + pax_close_kernel();
10487 +
10488 put_cpu();
10489 return error;
10490 }
10491 @@ -975,7 +989,7 @@ recalc:
10492
10493 static void apm_power_off(void)
10494 {
10495 - unsigned char po_bios_call[] = {
10496 + const unsigned char po_bios_call[] = {
10497 0xb8, 0x00, 0x10, /* movw $0x1000,ax */
10498 0x8e, 0xd0, /* movw ax,ss */
10499 0xbc, 0x00, 0xf0, /* movw $0xf000,sp */
10500 @@ -1932,7 +1946,10 @@ static const struct file_operations apm_
10501 static struct miscdevice apm_device = {
10502 APM_MINOR_DEV,
10503 "apm_bios",
10504 - &apm_bios_fops
10505 + &apm_bios_fops,
10506 + {NULL, NULL},
10507 + NULL,
10508 + NULL
10509 };
10510
10511
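Review bot: `apm_device` is filled positionally, with `{NULL, NULL}, NULL, NULL` padding the trailing fields of `struct miscdevice`; that ties the initializer to the struct's field order and silently breaks if a field is inserted. Designated initializers (`.minor = APM_MINOR_DEV, .name = "apm_bios", .fops = &apm_bios_fops`) express the same thing and leave the remaining fields zero. `mce_log_device` in arch/x86/kernel/cpu/mcheck/mce.c and the `dmi_system_id` terminators in this file and in acpi-cpufreq.c take the same positional form.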
10512 @@ -2253,7 +2270,7 @@ static struct dmi_system_id __initdata a
10513 { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
10514 },
10515
10516 - { }
10517 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
10518 };
10519
10520 /*
10521 @@ -2356,12 +2373,15 @@ static int __init apm_init(void)
10522 * code to that CPU.
10523 */
10524 gdt = get_cpu_gdt_table(0);
10525 +
10526 + pax_open_kernel();
10527 set_desc_base(&gdt[APM_CS >> 3],
10528 (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4));
10529 set_desc_base(&gdt[APM_CS_16 >> 3],
10530 (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4));
10531 set_desc_base(&gdt[APM_DS >> 3],
10532 (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4));
10533 + pax_close_kernel();
10534
10535 proc_create("apm", 0, NULL, &apm_file_ops);
10536
10537 diff -urNp linux-2.6.37/arch/x86/kernel/asm-offsets_32.c linux-2.6.37/arch/x86/kernel/asm-offsets_32.c
10538 --- linux-2.6.37/arch/x86/kernel/asm-offsets_32.c 2011-01-04 19:50:19.000000000 -0500
10539 +++ linux-2.6.37/arch/x86/kernel/asm-offsets_32.c 2011-01-17 02:41:01.000000000 -0500
10540 @@ -113,6 +113,11 @@ void foo(void)
10541 OFFSET(PV_CPU_iret, pv_cpu_ops, iret);
10542 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
10543 OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
10544 +
10545 +#ifdef CONFIG_PAX_KERNEXEC
10546 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
10547 +#endif
10548 +
10549 #endif
10550
10551 #ifdef CONFIG_XEN
10552 diff -urNp linux-2.6.37/arch/x86/kernel/asm-offsets_64.c linux-2.6.37/arch/x86/kernel/asm-offsets_64.c
10553 --- linux-2.6.37/arch/x86/kernel/asm-offsets_64.c 2011-01-04 19:50:19.000000000 -0500
10554 +++ linux-2.6.37/arch/x86/kernel/asm-offsets_64.c 2011-01-17 02:41:01.000000000 -0500
10555 @@ -63,6 +63,18 @@ int main(void)
10556 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
10557 OFFSET(PV_CPU_swapgs, pv_cpu_ops, swapgs);
10558 OFFSET(PV_MMU_read_cr2, pv_mmu_ops, read_cr2);
10559 +
10560 +#ifdef CONFIG_PAX_KERNEXEC
10561 + OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
10562 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
10563 +#endif
10564 +
10565 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10566 + OFFSET(PV_MMU_read_cr3, pv_mmu_ops, read_cr3);
10567 + OFFSET(PV_MMU_write_cr3, pv_mmu_ops, write_cr3);
10568 + OFFSET(PV_MMU_set_pgd, pv_mmu_ops, set_pgd);
10569 +#endif
10570 +
10571 #endif
10572
10573
10574 @@ -115,6 +127,7 @@ int main(void)
10575 ENTRY(cr8);
10576 BLANK();
10577 #undef ENTRY
10578 + DEFINE(TSS_size, sizeof(struct tss_struct));
10579 DEFINE(TSS_ist, offsetof(struct tss_struct, x86_tss.ist));
10580 BLANK();
10581 DEFINE(crypto_tfm_ctx_offset, offsetof(struct crypto_tfm, __crt_ctx));
10582 diff -urNp linux-2.6.37/arch/x86/kernel/cpu/common.c linux-2.6.37/arch/x86/kernel/cpu/common.c
10583 --- linux-2.6.37/arch/x86/kernel/cpu/common.c 2011-01-04 19:50:19.000000000 -0500
10584 +++ linux-2.6.37/arch/x86/kernel/cpu/common.c 2011-01-17 02:41:01.000000000 -0500
10585 @@ -83,60 +83,6 @@ static const struct cpu_dev __cpuinitcon
10586
10587 static const struct cpu_dev *this_cpu __cpuinitdata = &default_cpu;
10588
10589 -DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
10590 -#ifdef CONFIG_X86_64
10591 - /*
10592 - * We need valid kernel segments for data and code in long mode too
10593 - * IRET will check the segment types kkeil 2000/10/28
10594 - * Also sysret mandates a special GDT layout
10595 - *
10596 - * TLS descriptors are currently at a different place compared to i386.
10597 - * Hopefully nobody expects them at a fixed place (Wine?)
10598 - */
10599 - [GDT_ENTRY_KERNEL32_CS] = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff),
10600 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff),
10601 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc093, 0, 0xfffff),
10602 - [GDT_ENTRY_DEFAULT_USER32_CS] = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff),
10603 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff),
10604 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff),
10605 -#else
10606 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff),
10607 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10608 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff),
10609 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff),
10610 - /*
10611 - * Segments used for calling PnP BIOS have byte granularity.
10612 - * They code segments and data segments have fixed 64k limits,
10613 - * the transfer segment sizes are set at run time.
10614 - */
10615 - /* 32-bit code */
10616 - [GDT_ENTRY_PNPBIOS_CS32] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
10617 - /* 16-bit code */
10618 - [GDT_ENTRY_PNPBIOS_CS16] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
10619 - /* 16-bit data */
10620 - [GDT_ENTRY_PNPBIOS_DS] = GDT_ENTRY_INIT(0x0092, 0, 0xffff),
10621 - /* 16-bit data */
10622 - [GDT_ENTRY_PNPBIOS_TS1] = GDT_ENTRY_INIT(0x0092, 0, 0),
10623 - /* 16-bit data */
10624 - [GDT_ENTRY_PNPBIOS_TS2] = GDT_ENTRY_INIT(0x0092, 0, 0),
10625 - /*
10626 - * The APM segments have byte granularity and their bases
10627 - * are set at run time. All have 64k limits.
10628 - */
10629 - /* 32-bit code */
10630 - [GDT_ENTRY_APMBIOS_BASE] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
10631 - /* 16-bit code */
10632 - [GDT_ENTRY_APMBIOS_BASE+1] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
10633 - /* data */
10634 - [GDT_ENTRY_APMBIOS_BASE+2] = GDT_ENTRY_INIT(0x4092, 0, 0xffff),
10635 -
10636 - [GDT_ENTRY_ESPFIX_SS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10637 - [GDT_ENTRY_PERCPU] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10638 - GDT_STACK_CANARY_INIT
10639 -#endif
10640 -} };
10641 -EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
10642 -
10643 static int __init x86_xsave_setup(char *s)
10644 {
10645 setup_clear_cpu_cap(X86_FEATURE_XSAVE);
10646 @@ -352,7 +298,7 @@ void switch_to_new_gdt(int cpu)
10647 {
10648 struct desc_ptr gdt_descr;
10649
10650 - gdt_descr.address = (long)get_cpu_gdt_table(cpu);
10651 + gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
10652 gdt_descr.size = GDT_SIZE - 1;
10653 load_gdt(&gdt_descr);
10654 /* Reload the per-cpu base */
10655 @@ -825,6 +771,10 @@ static void __cpuinit identify_cpu(struc
10656 /* Filter out anything that depends on CPUID levels we don't have */
10657 filter_cpuid_features(c, true);
10658
10659 +#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || (defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32))
10660 + setup_clear_cpu_cap(X86_FEATURE_SEP);
10661 +#endif
10662 +
10663 /* If the model name is still unset, do table lookup. */
10664 if (!c->x86_model_id[0]) {
10665 const char *p;
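Review bot: Clearing `X86_FEATURE_SEP` under `CONFIG_PAX_SEGMEXEC`, `CONFIG_PAX_KERNEXEC` or 32-bit `CONFIG_PAX_MEMORY_UDEREF` disables the sysenter path on every CPU without a comment saying why. Add one above the `#if`, e.g. `/* sysenter assumes flat code/stack segments, which these features do not provide; force the int 0x80 path */` — the exact reason is inferred and should be confirmed against the entry code. `identify_cpu()` starts and ends outside the hunk.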
10666 @@ -1085,7 +1035,7 @@ struct pt_regs * __cpuinit idle_regs(str
10667 {
10668 memset(regs, 0, sizeof(struct pt_regs));
10669 regs->fs = __KERNEL_PERCPU;
10670 - regs->gs = __KERNEL_STACK_CANARY;
10671 + savesegment(gs, regs->gs);
10672
10673 return regs;
10674 }
10675 @@ -1140,7 +1090,7 @@ void __cpuinit cpu_init(void)
10676 int i;
10677
10678 cpu = stack_smp_processor_id();
10679 - t = &per_cpu(init_tss, cpu);
10680 + t = init_tss + cpu;
10681 oist = &per_cpu(orig_ist, cpu);
10682
10683 #ifdef CONFIG_NUMA
10684 @@ -1166,7 +1116,7 @@ void __cpuinit cpu_init(void)
10685 switch_to_new_gdt(cpu);
10686 loadsegment(fs, 0);
10687
10688 - load_idt((const struct desc_ptr *)&idt_descr);
10689 + load_idt(&idt_descr);
10690
10691 memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8);
10692 syscall_init();
10693 @@ -1175,7 +1125,6 @@ void __cpuinit cpu_init(void)
10694 wrmsrl(MSR_KERNEL_GS_BASE, 0);
10695 barrier();
10696
10697 - x86_configure_nx();
10698 if (cpu != 0)
10699 enable_x2apic();
10700
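Review bot: `x86_configure_nx()` is removed from `cpu_init()` with no replacement visible in this hunk, and this is the per-CPU path that sets EFER.NX on secondary processors. Presumably the patch enables NX earlier in boot for all CPUs, but that should be confirmed, since a secondary CPU coming up without NX would silently lose non-executable page enforcement; a comment at the removal point such as `/* NX is configured for all CPUs in [boot-time NX setup] */` would record where. `cpu_init()` starts and ends outside the hunk.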
10701 @@ -1229,7 +1178,7 @@ void __cpuinit cpu_init(void)
10702 {
10703 int cpu = smp_processor_id();
10704 struct task_struct *curr = current;
10705 - struct tss_struct *t = &per_cpu(init_tss, cpu);
10706 + struct tss_struct *t = init_tss + cpu;
10707 struct thread_struct *thread = &curr->thread;
10708
10709 if (cpumask_test_and_set_cpu(cpu, cpu_initialized_mask)) {
10710 diff -urNp linux-2.6.37/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c linux-2.6.37/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c
10711 --- linux-2.6.37/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2011-01-04 19:50:19.000000000 -0500
10712 +++ linux-2.6.37/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2011-01-17 02:41:01.000000000 -0500
10713 @@ -481,7 +481,7 @@ static const struct dmi_system_id sw_any
10714 DMI_MATCH(DMI_PRODUCT_NAME, "X6DLP"),
10715 },
10716 },
10717 - { }
10718 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
10719 };
10720
10721 static int acpi_cpufreq_blacklist(struct cpuinfo_x86 *c)
10722 diff -urNp linux-2.6.37/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c linux-2.6.37/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c
10723 --- linux-2.6.37/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2011-01-04 19:50:19.000000000 -0500
10724 +++ linux-2.6.37/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2011-01-17 02:41:01.000000000 -0500
10725 @@ -226,7 +226,7 @@ static struct cpu_model models[] =
10726 { &cpu_ids[CPU_MP4HT_D0], NULL, 0, NULL },
10727 { &cpu_ids[CPU_MP4HT_E0], NULL, 0, NULL },
10728
10729 - { NULL, }
10730 + { NULL, NULL, 0, NULL}
10731 };
10732 #undef _BANIAS
10733 #undef BANIAS
10734 diff -urNp linux-2.6.37/arch/x86/kernel/cpu/intel.c linux-2.6.37/arch/x86/kernel/cpu/intel.c
10735 --- linux-2.6.37/arch/x86/kernel/cpu/intel.c 2011-01-04 19:50:19.000000000 -0500
10736 +++ linux-2.6.37/arch/x86/kernel/cpu/intel.c 2011-01-17 02:41:01.000000000 -0500
10737 @@ -161,7 +161,7 @@ static void __cpuinit trap_init_f00f_bug
10738 * Update the IDT descriptor and reload the IDT so that
10739 * it uses the read-only mapped virtual address.
10740 */
10741 - idt_descr.address = fix_to_virt(FIX_F00F_IDT);
10742 + idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
10743 load_idt(&idt_descr);
10744 }
10745 #endif
10746 diff -urNp linux-2.6.37/arch/x86/kernel/cpu/Makefile linux-2.6.37/arch/x86/kernel/cpu/Makefile
10747 --- linux-2.6.37/arch/x86/kernel/cpu/Makefile 2011-01-04 19:50:19.000000000 -0500
10748 +++ linux-2.6.37/arch/x86/kernel/cpu/Makefile 2011-01-17 02:41:01.000000000 -0500
10749 @@ -8,10 +8,6 @@ CFLAGS_REMOVE_common.o = -pg
10750 CFLAGS_REMOVE_perf_event.o = -pg
10751 endif
10752
10753 -# Make sure load_percpu_segment has no stackprotector
10754 -nostackp := $(call cc-option, -fno-stack-protector)
10755 -CFLAGS_common.o := $(nostackp)
10756 -
10757 obj-y := intel_cacheinfo.o scattered.o topology.o
10758 obj-y += proc.o capflags.o powerflags.o common.o
10759 obj-y += vmware.o hypervisor.o sched.o mshyperv.o
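Review bot: Dropping `CFLAGS_common.o := $(nostackp)` compiles common.o with the stack protector again, which the deleted comment says is unsafe for `load_percpu_segment()`, presumably because that function runs before the per-CPU segment the canary is read from has been set up. Unless the patch moves `load_percpu_segment()` out of common.c or changes how the canary is located (neither is visible here), this reintroduces the hazard the override existed to avoid; please confirm and leave a comment recording why the override is no longer needed.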
10760 diff -urNp linux-2.6.37/arch/x86/kernel/cpu/mcheck/mce.c linux-2.6.37/arch/x86/kernel/cpu/mcheck/mce.c
10761 --- linux-2.6.37/arch/x86/kernel/cpu/mcheck/mce.c 2011-01-04 19:50:19.000000000 -0500
10762 +++ linux-2.6.37/arch/x86/kernel/cpu/mcheck/mce.c 2011-01-17 02:41:01.000000000 -0500
10763 @@ -219,7 +219,7 @@ static void print_mce(struct mce *m)
10764 !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "",
10765 m->cs, m->ip);
10766
10767 - if (m->cs == __KERNEL_CS)
10768 + if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS)
10769 print_symbol("{%s}", m->ip);
10770 pr_cont("\n");
10771 }
10772 @@ -1460,14 +1460,14 @@ void __cpuinit mcheck_cpu_init(struct cp
10773 */
10774
10775 static DEFINE_SPINLOCK(mce_state_lock);
10776 -static int open_count; /* #times opened */
10777 +static atomic_t open_count; /* #times opened */
10778 static int open_exclu; /* already open exclusive? */
10779
10780 static int mce_open(struct inode *inode, struct file *file)
10781 {
10782 spin_lock(&mce_state_lock);
10783
10784 - if (open_exclu || (open_count && (file->f_flags & O_EXCL))) {
10785 + if (open_exclu || (atomic_read(&open_count) && (file->f_flags & O_EXCL))) {
10786 spin_unlock(&mce_state_lock);
10787
10788 return -EBUSY;
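Review bot: `open_count` becomes `atomic_t`, but every access in this hunk and the two that follow (`atomic_read`, `atomic_inc`, `atomic_dec`) is still under `mce_state_lock`, so the atomics add nothing unless there is a lockless reader elsewhere that is not visible here. Either keep the plain `int` under the lock or, if a lockless reader exists, name it in a comment on the declaration: `/* atomic: read without mce_state_lock in [reader] */`. `open_exclu` stays a plain `int`, which is inconsistent with whichever rule applies.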
10789 @@ -1475,7 +1475,7 @@ static int mce_open(struct inode *inode,
10790
10791 if (file->f_flags & O_EXCL)
10792 open_exclu = 1;
10793 - open_count++;
10794 + atomic_inc(&open_count);
10795
10796 spin_unlock(&mce_state_lock);
10797
10798 @@ -1486,7 +1486,7 @@ static int mce_release(struct inode *ino
10799 {
10800 spin_lock(&mce_state_lock);
10801
10802 - open_count--;
10803 + atomic_dec(&open_count);
10804 open_exclu = 0;
10805
10806 spin_unlock(&mce_state_lock);
10807 @@ -1673,6 +1673,7 @@ static struct miscdevice mce_log_device
10808 MISC_MCELOG_MINOR,
10809 "mcelog",
10810 &mce_chrdev_ops,
10811 + {NULL, NULL}, NULL, NULL
10812 };
10813
10814 /*
10815 diff -urNp linux-2.6.37/arch/x86/kernel/cpu/mtrr/generic.c linux-2.6.37/arch/x86/kernel/cpu/mtrr/generic.c
10816 --- linux-2.6.37/arch/x86/kernel/cpu/mtrr/generic.c 2011-01-04 19:50:19.000000000 -0500
10817 +++ linux-2.6.37/arch/x86/kernel/cpu/mtrr/generic.c 2011-01-17 02:41:01.000000000 -0500
10818 @@ -28,7 +28,7 @@ static struct fixed_range_block fixed_ra
10819 { MSR_MTRRfix64K_00000, 1 }, /* one 64k MTRR */
10820 { MSR_MTRRfix16K_80000, 2 }, /* two 16k MTRRs */
10821 { MSR_MTRRfix4K_C0000, 8 }, /* eight 4k MTRRs */
10822 - {}
10823 + { 0, 0 }
10824 };
10825
10826 static unsigned long smp_changes_mask;
10827 diff -urNp linux-2.6.37/arch/x86/kernel/cpu/mtrr/main.c linux-2.6.37/arch/x86/kernel/cpu/mtrr/main.c
10828 --- linux-2.6.37/arch/x86/kernel/cpu/mtrr/main.c 2011-01-04 19:50:19.000000000 -0500
10829 +++ linux-2.6.37/arch/x86/kernel/cpu/mtrr/main.c 2011-01-17 02:41:01.000000000 -0500
10830 @@ -61,7 +61,7 @@ static DEFINE_MUTEX(mtrr_mutex);
10831 u64 size_or_mask, size_and_mask;
10832 static bool mtrr_aps_delayed_init;
10833
10834 -static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM];
10835 +static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only;
10836
10837 const struct mtrr_ops *mtrr_if;
10838
10839 diff -urNp linux-2.6.37/arch/x86/kernel/cpu/mtrr/mtrr.h linux-2.6.37/arch/x86/kernel/cpu/mtrr/mtrr.h
10840 --- linux-2.6.37/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-01-04 19:50:19.000000000 -0500
10841 +++ linux-2.6.37/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-01-17 02:41:01.000000000 -0500
10842 @@ -12,19 +12,19 @@
10843 extern unsigned int mtrr_usage_table[MTRR_MAX_VAR_RANGES];
10844
10845 struct mtrr_ops {
10846 - u32 vendor;
10847 - u32 use_intel_if;
10848 - void (*set)(unsigned int reg, unsigned long base,
10849 + const u32 vendor;
10850 + const u32 use_intel_if;
10851 + void (* const set)(unsigned int reg, unsigned long base,
10852 unsigned long size, mtrr_type type);
10853 - void (*set_all)(void);
10854 + void (* const set_all)(void);
10855
10856 - void (*get)(unsigned int reg, unsigned long *base,
10857 + void (* const get)(unsigned int reg, unsigned long *base,
10858 unsigned long *size, mtrr_type *type);
10859 - int (*get_free_region)(unsigned long base, unsigned long size,
10860 + int (* const get_free_region)(unsigned long base, unsigned long size,
10861 int replace_reg);
10862 - int (*validate_add_page)(unsigned long base, unsigned long size,
10863 + int (* const validate_add_page)(unsigned long base, unsigned long size,
10864 unsigned int type);
10865 - int (*have_wrcomb)(void);
10866 + int (* const have_wrcomb)(void);
10867 };
10868
10869 extern int generic_get_free_region(unsigned long base, unsigned long size,
10870 diff -urNp linux-2.6.37/arch/x86/kernel/cpu/perfctr-watchdog.c linux-2.6.37/arch/x86/kernel/cpu/perfctr-watchdog.c
10871 --- linux-2.6.37/arch/x86/kernel/cpu/perfctr-watchdog.c 2011-01-04 19:50:19.000000000 -0500
10872 +++ linux-2.6.37/arch/x86/kernel/cpu/perfctr-watchdog.c 2011-01-17 02:41:01.000000000 -0500
10873 @@ -30,11 +30,11 @@ struct nmi_watchdog_ctlblk {
10874
10875 /* Interface defining a CPU specific perfctr watchdog */
10876 struct wd_ops {
10877 - int (*reserve)(void);
10878 - void (*unreserve)(void);
10879 - int (*setup)(unsigned nmi_hz);
10880 - void (*rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
10881 - void (*stop)(void);
10882 + int (* const reserve)(void);
10883 + void (* const unreserve)(void);
10884 + int (* const setup)(unsigned nmi_hz);
10885 + void (* const rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
10886 + void (* const stop)(void);
10887 unsigned perfctr;
10888 unsigned evntsel;
10889 u64 checkbit;
10890 @@ -634,6 +634,7 @@ static const struct wd_ops p4_wd_ops = {
10891 #define ARCH_PERFMON_NMI_EVENT_SEL ARCH_PERFMON_UNHALTED_CORE_CYCLES_SEL
10892 #define ARCH_PERFMON_NMI_EVENT_UMASK ARCH_PERFMON_UNHALTED_CORE_CYCLES_UMASK
10893
10894 +/* cannot be const, see probe_nmi_watchdog */
10895 static struct wd_ops intel_arch_wd_ops;
10896
10897 static int setup_intel_arch_watchdog(unsigned nmi_hz)
10898 @@ -686,6 +687,7 @@ static int setup_intel_arch_watchdog(uns
10899 return 1;
10900 }
10901
10902 +/* cannot be const */
10903 static struct wd_ops intel_arch_wd_ops __read_mostly = {
10904 .reserve = single_msr_reserve,
10905 .unreserve = single_msr_unreserve,
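Review bot: The second `/* cannot be const */` comment above the `intel_arch_wd_ops` definition is less informative than the one on its declaration in the previous hunk, which points at `probe_nmi_watchdog`. Make them match, `/* cannot be const, see probe_nmi_watchdog */`, so a reader who meets the definition first learns where the structure is written. With the function-pointer members now `const`, only the remaining non-const fields can be what `probe_nmi_watchdog` updates, which could be stated in the same comment.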
10906 diff -urNp linux-2.6.37/arch/x86/kernel/cpu/perf_event.c linux-2.6.37/arch/x86/kernel/cpu/perf_event.c
10907 --- linux-2.6.37/arch/x86/kernel/cpu/perf_event.c 2011-01-04 19:50:19.000000000 -0500
10908 +++ linux-2.6.37/arch/x86/kernel/cpu/perf_event.c 2011-01-17 02:41:01.000000000 -0500
10909 @@ -1757,7 +1757,7 @@ perf_callchain_user(struct perf_callchai
10910 break;
10911
10912 perf_callchain_store(entry, frame.return_address);
10913 - fp = frame.next_frame;
10914 + fp = (__force const void __user *)frame.next_frame;
10915 }
10916 }
10917
10918 diff -urNp linux-2.6.37/arch/x86/kernel/crash.c linux-2.6.37/arch/x86/kernel/crash.c
10919 --- linux-2.6.37/arch/x86/kernel/crash.c 2011-01-04 19:50:19.000000000 -0500
10920 +++ linux-2.6.37/arch/x86/kernel/crash.c 2011-01-17 02:41:01.000000000 -0500
10921 @@ -42,7 +42,7 @@ static void kdump_nmi_callback(int cpu,
10922 regs = args->regs;
10923
10924 #ifdef CONFIG_X86_32
10925 - if (!user_mode_vm(regs)) {
10926 + if (!user_mode(regs)) {
10927 crash_fixup_ss_esp(&fixed_regs, regs);
10928 regs = &fixed_regs;
10929 }
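Review bot: `user_mode_vm()` is replaced by `user_mode()` here and in the three dumpstack hunks (`show_registers`, `__die`, `die`). In the unpatched kernel the two differ on 32-bit, `user_mode_vm()` also treating a VM86 frame as user space, so this is only correct if the patch redefines `user_mode()` to cover that case; that definition is not visible here and should be confirmed, otherwise a VM86 crash would be reported with kernel-mode register fixups.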
10930 diff -urNp linux-2.6.37/arch/x86/kernel/doublefault_32.c linux-2.6.37/arch/x86/kernel/doublefault_32.c
10931 --- linux-2.6.37/arch/x86/kernel/doublefault_32.c 2011-01-04 19:50:19.000000000 -0500
10932 +++ linux-2.6.37/arch/x86/kernel/doublefault_32.c 2011-01-17 02:41:01.000000000 -0500
10933 @@ -11,7 +11,7 @@
10934
10935 #define DOUBLEFAULT_STACKSIZE (1024)
10936 static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
10937 -#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
10938 +#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
10939
10940 #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
10941
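Review bot: `STACK_START` is moved two `unsigned long` slots below the end of `doublefault_stack` with no comment explaining the `-2`. Say what the reserved slots are for, e.g. `/* leave two slots so the initial frame of doublefault_fn stays inside the array */` — the exact reason is inferred and should be confirmed; a named constant would also read better than a bare literal.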
10942 @@ -21,7 +21,7 @@ static void doublefault_fn(void)
10943 unsigned long gdt, tss;
10944
10945 store_gdt(&gdt_desc);
10946 - gdt = gdt_desc.address;
10947 + gdt = (unsigned long)gdt_desc.address;
10948
10949 printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
10950
10951 @@ -58,10 +58,10 @@ struct tss_struct doublefault_tss __cach
10952 /* 0x2 bit is always set */
10953 .flags = X86_EFLAGS_SF | 0x2,
10954 .sp = STACK_START,
10955 - .es = __USER_DS,
10956 + .es = __KERNEL_DS,
10957 .cs = __KERNEL_CS,
10958 .ss = __KERNEL_DS,
10959 - .ds = __USER_DS,
10960 + .ds = __KERNEL_DS,
10961 .fs = __KERNEL_PERCPU,
10962
10963 .__cr3 = __pa_nodebug(swapper_pg_dir),
10964 diff -urNp linux-2.6.37/arch/x86/kernel/dumpstack_32.c linux-2.6.37/arch/x86/kernel/dumpstack_32.c
10965 --- linux-2.6.37/arch/x86/kernel/dumpstack_32.c 2011-01-04 19:50:19.000000000 -0500
10966 +++ linux-2.6.37/arch/x86/kernel/dumpstack_32.c 2011-01-17 02:41:01.000000000 -0500
10967 @@ -105,11 +105,12 @@ void show_registers(struct pt_regs *regs
10968 * When in-kernel, we also print out the stack and code at the
10969 * time of the fault..
10970 */
10971 - if (!user_mode_vm(regs)) {
10972 + if (!user_mode(regs)) {
10973 unsigned int code_prologue = code_bytes * 43 / 64;
10974 unsigned int code_len = code_bytes;
10975 unsigned char c;
10976 u8 *ip;
10977 + unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]);
10978
10979 printk(KERN_EMERG "Stack:\n");
10980 show_stack_log_lvl(NULL, regs, &regs->sp,
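Review bot: The new `cs_base` line indexes the GDT with `(0xffff & regs->cs) >> 3` and is well over 80 columns with no explanation; split it and add a comment saying why the base is needed, e.g. `/* kernel CS may have a non-zero base: translate EIP to a linear address */`. The index comes from a possibly corrupted oops frame without checking the selector's table bit or bounding it against the GDT size; the branch is only reached for kernel-mode frames, so in practice CS is a kernel selector, but a bounds check would keep the oops printer from reading past the GDT on a bad frame. `show_registers()` starts and ends outside the hunk.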
10981 @@ -117,10 +118,10 @@ void show_registers(struct pt_regs *regs
10982
10983 printk(KERN_EMERG "Code: ");
10984
10985 - ip = (u8 *)regs->ip - code_prologue;
10986 + ip = (u8 *)regs->ip - code_prologue + cs_base;
10987 if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) {
10988 /* try starting at IP */
10989 - ip = (u8 *)regs->ip;
10990 + ip = (u8 *)regs->ip + cs_base;
10991 code_len = code_len - code_prologue + 1;
10992 }
10993 for (i = 0; i < code_len; i++, ip++) {
10994 @@ -129,7 +130,7 @@ void show_registers(struct pt_regs *regs
10995 printk(" Bad EIP value.");
10996 break;
10997 }
10998 - if (ip == (u8 *)regs->ip)
10999 + if (ip == (u8 *)regs->ip + cs_base)
11000 printk("<%02x> ", c);
11001 else
11002 printk("%02x ", c);
11003 @@ -142,6 +143,7 @@ int is_valid_bugaddr(unsigned long ip)
11004 {
11005 unsigned short ud2;
11006
11007 + ip = ktla_ktva(ip);
11008 if (ip < PAGE_OFFSET)
11009 return 0;
11010 if (probe_kernel_address((unsigned short *)ip, ud2))
11011 diff -urNp linux-2.6.37/arch/x86/kernel/dumpstack.c linux-2.6.37/arch/x86/kernel/dumpstack.c
11012 --- linux-2.6.37/arch/x86/kernel/dumpstack.c 2011-01-04 19:50:19.000000000 -0500
11013 +++ linux-2.6.37/arch/x86/kernel/dumpstack.c 2011-01-17 02:41:01.000000000 -0500
11014 @@ -2,6 +2,9 @@
11015 * Copyright (C) 1991, 1992 Linus Torvalds
11016 * Copyright (C) 2000, 2001, 2002 Andi Kleen, SuSE Labs
11017 */
11018 +#ifdef CONFIG_GRKERNSEC_HIDESYM
11019 +#define __INCLUDED_BY_HIDESYM 1
11020 +#endif
11021 #include <linux/kallsyms.h>
11022 #include <linux/kprobes.h>
11023 #include <linux/uaccess.h>
11024 @@ -27,7 +30,7 @@ static int die_counter;
11025
11026 void printk_address(unsigned long address, int reliable)
11027 {
11028 - printk(" [<%p>] %s%pS\n", (void *) address,
11029 + printk(" [<%p>] %s%pA\n", (void *) address,
11030 reliable ? "" : "? ", (void *) address);
11031 }
11032
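Review bot: `%pA` is not a format extension the unpatched printk understands; this line only prints correctly if the patch also teaches the `%p` handler about `A` (presumably under `CONFIG_GRKERNSEC_HIDESYM`), which is not visible here. The preceding `[<%p>]` still emits the raw address, so if the goal is to keep kernel addresses out of logs readable by unprivileged users, the `%p` half needs the same treatment; a comment naming what the new specifier does would help readers.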
11033 @@ -206,7 +209,7 @@ void dump_stack(void)
11034 #endif
11035
11036 printk("Pid: %d, comm: %.20s %s %s %.*s\n",
11037 - current->pid, current->comm, print_tainted(),
11038 + task_pid_nr(current), current->comm, print_tainted(),
11039 init_utsname()->release,
11040 (int)strcspn(init_utsname()->version, " "),
11041 init_utsname()->version);
11042 @@ -262,7 +265,7 @@ void __kprobes oops_end(unsigned long fl
11043 panic("Fatal exception in interrupt");
11044 if (panic_on_oops)
11045 panic("Fatal exception");
11046 - do_exit(signr);
11047 + do_group_exit(signr);
11048 }
11049
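Review bot: Switching `do_exit(signr)` to `do_group_exit(signr)` in `oops_end()` changes the blast radius of an oops from the faulting thread to its whole thread group, and the hunk carries no comment. The hardening rationale, presumably that sibling threads must not keep running with kernel state the oops left inconsistent, should be recorded: `/* take the whole thread group down: siblings must not continue after an oops */`. `oops_end()` starts outside the hunk.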
11050 int __kprobes __die(const char *str, struct pt_regs *regs, long err)
11051 @@ -289,7 +292,7 @@ int __kprobes __die(const char *str, str
11052
11053 show_registers(regs);
11054 #ifdef CONFIG_X86_32
11055 - if (user_mode_vm(regs)) {
11056 + if (user_mode(regs)) {
11057 sp = regs->sp;
11058 ss = regs->ss & 0xffff;
11059 } else {
11060 @@ -317,7 +320,7 @@ void die(const char *str, struct pt_regs
11061 unsigned long flags = oops_begin();
11062 int sig = SIGSEGV;
11063
11064 - if (!user_mode_vm(regs))
11065 + if (!user_mode(regs))
11066 report_bug(regs->ip, regs);
11067
11068 if (__die(str, regs, err))
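Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` in __die and die changes how a VM86 frame is classified unless user_mode() is redefined elsewhere in this patch: the vanilla user_mode() only checks the RPL of regs->cs, and only user_mode_vm() also tests X86_EFLAGS_VM, so a vm86 task's frame would be reported as kernel mode and report_bug() would be run on a user ip. If the patch extends user_mode() to cover the VM flag (which these two hunks appear to assume), a comment at one of the sites, e.g. `/* user_mode() also covers vm86 frames in this tree */`, makes the dependency explicit; otherwise user_mode_vm() should stay. die()'s body continues outside the hunk.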
11069 diff -urNp linux-2.6.37/arch/x86/kernel/entry_32.S linux-2.6.37/arch/x86/kernel/entry_32.S
11070 --- linux-2.6.37/arch/x86/kernel/entry_32.S 2011-01-04 19:50:19.000000000 -0500
11071 +++ linux-2.6.37/arch/x86/kernel/entry_32.S 2011-01-17 02:41:01.000000000 -0500
11072 @@ -183,13 +183,81 @@
11073 /*CFI_REL_OFFSET gs, PT_GS*/
11074 .endm
11075 .macro SET_KERNEL_GS reg
11076 +
11077 +#ifdef CONFIG_CC_STACKPROTECTOR
11078 movl $(__KERNEL_STACK_CANARY), \reg
11079 +#elif defined(CONFIG_PAX_MEMORY_UDEREF)
11080 + movl $(__USER_DS), \reg
11081 +#else
11082 + xorl \reg, \reg
11083 +#endif
11084 +
11085 movl \reg, %gs
11086 .endm
11087
11088 #endif /* CONFIG_X86_32_LAZY_GS */
11089
11090 -.macro SAVE_ALL
11091 +.macro PAX_EXIT_KERNEL
11092 +#ifdef CONFIG_PAX_KERNEXEC
11093 +#ifdef CONFIG_PARAVIRT
11094 + push %eax; push %ecx
11095 +#endif
11096 + mov %cs, %esi
11097 + cmp $__KERNEXEC_KERNEL_CS, %esi
11098 + jnz 2f
11099 +#ifdef CONFIG_PARAVIRT
11100 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0);
11101 + mov %eax, %esi
11102 +#else
11103 + mov %cr0, %esi
11104 +#endif
11105 + btr $16, %esi
11106 + ljmp $__KERNEL_CS, $1f
11107 +1:
11108 +#ifdef CONFIG_PARAVIRT
11109 + mov %esi, %eax
11110 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);
11111 +#else
11112 + mov %esi, %cr0
11113 +#endif
11114 +2:
11115 +#ifdef CONFIG_PARAVIRT
11116 + pop %ecx; pop %eax
11117 +#endif
11118 +#endif
11119 +.endm
11120 +
11121 +.macro PAX_ENTER_KERNEL
11122 +#ifdef CONFIG_PAX_KERNEXEC
11123 +#ifdef CONFIG_PARAVIRT
11124 + push %eax; push %ecx
11125 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0)
11126 + mov %eax, %esi
11127 +#else
11128 + mov %cr0, %esi
11129 +#endif
11130 + bts $16, %esi
11131 + jnc 1f
11132 + mov %cs, %esi
11133 + cmp $__KERNEL_CS, %esi
11134 + jz 3f
11135 + ljmp $__KERNEL_CS, $3f
11136 +1: ljmp $__KERNEXEC_KERNEL_CS, $2f
11137 +2:
11138 +#ifdef CONFIG_PARAVIRT
11139 + mov %esi, %eax
11140 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
11141 +#else
11142 + mov %esi, %cr0
11143 +#endif
11144 +3:
11145 +#ifdef CONFIG_PARAVIRT
11146 + pop %ecx; pop %eax
11147 +#endif
11148 +#endif
11149 +.endm
11150 +
11151 +.macro __SAVE_ALL _DS
11152 cld
11153 PUSH_GS
11154 pushl_cfi %fs
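Review bot: PAX_ENTER_KERNEL and PAX_EXIT_KERNEL clobber %esi without saving it (`mov %cs, %esi`, `mov %cr0, %esi`), and the CONFIG_PARAVIRT variant saves only %eax/%ecx around the pv_cpu_ops calls, which as ordinary C functions may also clobber %edx; neither macro says that it is only usable where every general register is already in pt_regs, which is true at the SAVE_ALL and check_userspace call sites but is an invariant any future caller must know. Please add a header comment to both, e.g. `/* clobbers %esi (and %edx under PARAVIRT): use only after SAVE_ALL / before RESTORE_REGS */`. The CR0.WP protocol is also undocumented: ENTER sets WP (bit 16) and, when WP was clear on entry, switches to __KERNEXEC_KERNEL_CS as a marker, while EXIT clears WP again only if %cs is that marker segment, so an interrupted open-kernel window is restored on return. One sentence to that effect above the macros would make the `bts`/`btr $16` and the two ljmp targets self-explanatory.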
11155 @@ -212,7 +280,7 @@
11156 CFI_REL_OFFSET ecx, 0
11157 pushl_cfi %ebx
11158 CFI_REL_OFFSET ebx, 0
11159 - movl $(__USER_DS), %edx
11160 + movl $\_DS, %edx
11161 movl %edx, %ds
11162 movl %edx, %es
11163 movl $(__KERNEL_PERCPU), %edx
11164 @@ -220,6 +288,15 @@
11165 SET_KERNEL_GS %edx
11166 .endm
11167
11168 +.macro SAVE_ALL
11169 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
11170 + __SAVE_ALL __KERNEL_DS
11171 + PAX_ENTER_KERNEL
11172 +#else
11173 + __SAVE_ALL __USER_DS
11174 +#endif
11175 +.endm
11176 +
11177 .macro RESTORE_INT_REGS
11178 popl_cfi %ebx
11179 CFI_RESTORE ebx
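Review bot: With any of KERNEXEC/PAGEEXEC/SEGMEXEC/UDEREF enabled, SAVE_ALL now leaves %ds/%es = __KERNEL_DS instead of __USER_DS, and under UDEREF the __KERNEL_DS descriptor is reprogrammed at boot (head_32.S in this patch) so that it covers kernel addresses only; from that point on any assembly that touches user memory through %ds must switch segments first, as the sysenter sixth-argument load does with `mov PT_OLDSS(%esp),%ds`. That contract is not written down anywhere near the macro. Suggest a comment on SAVE_ALL: `/* PaX: %ds/%es are kernel-only segments after this; user pointers must go through an explicit user segment (see sysenter_past_esp) */`. The four-way `#if` is also long enough to deserve a single named condition so the list stays in sync with later additions.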
11180 @@ -330,7 +407,15 @@ check_userspace:
11181 movb PT_CS(%esp), %al
11182 andl $(X86_EFLAGS_VM | SEGMENT_RPL_MASK), %eax
11183 cmpl $USER_RPL, %eax
11184 +
11185 +#ifdef CONFIG_PAX_KERNEXEC
11186 + jae resume_userspace
11187 +
11188 + PAX_EXIT_KERNEL
11189 + jmp resume_kernel
11190 +#else
11191 jb resume_kernel # not returning to v8086 or userspace
11192 +#endif
11193
11194 ENTRY(resume_userspace)
11195 LOCKDEP_SYS_EXIT
11196 @@ -392,10 +477,9 @@ sysenter_past_esp:
11197 /*CFI_REL_OFFSET cs, 0*/
11198 /*
11199 * Push current_thread_info()->sysenter_return to the stack.
11200 - * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
11201 - * pushed above; +8 corresponds to copy_thread's esp0 setting.
11202 */
11203 - pushl_cfi ((TI_sysenter_return)-THREAD_SIZE_asm+8+4*4)(%esp)
11204 + GET_THREAD_INFO(%ebp)
11205 + pushl_cfi TI_sysenter_return(%ebp)
11206 CFI_REL_OFFSET eip, 0
11207
11208 pushl_cfi %eax
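Review bot: `GET_THREAD_INFO(%ebp)` overwrites %ebp, which on this path still holds the user stack pointer that the sixth-argument load a few lines further down depends on; the hunk is only correct together with the `movl PT_OLDESP(%esp),%ebp` reload added in the next hunk, so the two cannot be reverted independently and that should be noted, e.g. `# %ebp is clobbered here; the sixth-arg load below reloads it from PT_OLDESP`. The deleted comment explained the old fixed offset, and its replacement deserves one too — presumably the fixed `-THREAD_SIZE+8+4*4` offset no longer holds once the kernel stack top is randomized by pax_randomize_kstack (RANDKSTACK), but the code does not say so. ia32_sysenter_target continues outside the hunk.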
11209 @@ -406,9 +490,19 @@ sysenter_past_esp:
11210 * Load the potential sixth argument from user stack.
11211 * Careful about security.
11212 */
11213 + movl PT_OLDESP(%esp),%ebp
11214 +
11215 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11216 + mov PT_OLDSS(%esp),%ds
11217 +1: movl %ds:(%ebp),%ebp
11218 + push %ss
11219 + pop %ds
11220 +#else
11221 cmpl $__PAGE_OFFSET-3,%ebp
11222 jae syscall_fault
11223 1: movl (%ebp),%ebp
11224 +#endif
11225 +
11226 movl %ebp,PT_EBP(%esp)
11227 .section __ex_table,"a"
11228 .align 4
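Review bot: Under UDEREF the explicit `cmpl $__PAGE_OFFSET-3,%ebp; jae syscall_fault` range check is dropped and the load goes through the user's %ss selector instead, so the only thing keeping a kernel address out of this dereference is the limit of that user data segment; that is a sound replacement only while the user DS descriptor really is limited to below __PAGE_OFFSET (the boot-time GDT rewrite in head_32.S later in this patch does that) and while the fixup for label `1:` restores %ds, which syscall_fault does. Neither condition is visible from here, so please document both: `# UDEREF: the user segment limit replaces the range check; a fault lands in syscall_fault, which restores %ds from %ss`. `push %ss; pop %ds` also relies on %ss always being __KERNEL_DS in kernel mode, which head_32.S establishes, but a wrong %ds here would persist into C code, so stating it is worthwhile.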
11229 @@ -431,12 +525,23 @@ sysenter_do_call:
11230 testl $_TIF_ALLWORK_MASK, %ecx
11231 jne sysexit_audit
11232 sysenter_exit:
11233 +
11234 +#ifdef CONFIG_PAX_RANDKSTACK
11235 + pushl %eax
11236 + CFI_ADJUST_CFA_OFFSET 4
11237 + call pax_randomize_kstack
11238 + popl %eax
11239 + CFI_ADJUST_CFA_OFFSET -4
11240 +#endif
11241 +
11242 /* if something modifies registers it must also disable sysexit */
11243 movl PT_EIP(%esp), %edx
11244 movl PT_OLDESP(%esp), %ecx
11245 xorl %ebp,%ebp
11246 TRACE_IRQS_ON
11247 1: mov PT_FS(%esp), %fs
11248 +2: mov PT_DS(%esp), %ds
11249 +3: mov PT_ES(%esp), %es
11250 PTGS_TO_GS
11251 ENABLE_INTERRUPTS_SYSEXIT
11252
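Review bot: The `pushl %eax` / `popl %eax` around `call pax_randomize_kstack` is needed because the syscall return value is still live in %eax on the sysexit path (unlike restore_all, which reloads every register from pt_regs), but nothing says so; as an ordinary C call it may also clobber %ecx/%edx, which is fine only because both are reloaded from PT_EIP/PT_OLDESP immediately afterwards. Suggest `# %eax holds the return value; %ecx/%edx are reloaded below` next to the push. The new `2:`/`3:` loads of %ds/%es from pt_regs are the counterpart of SAVE_ALL now loading __KERNEL_DS into them; a comment `# restore the user %ds/%es that SAVE_ALL replaced with __KERNEL_DS` would tie the two together.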
11253 @@ -479,11 +584,17 @@ sysexit_audit:
11254
11255 CFI_ENDPROC
11256 .pushsection .fixup,"ax"
11257 -2: movl $0,PT_FS(%esp)
11258 +4: movl $0,PT_FS(%esp)
11259 + jmp 1b
11260 +5: movl $0,PT_DS(%esp)
11261 + jmp 1b
11262 +6: movl $0,PT_ES(%esp)
11263 jmp 1b
11264 .section __ex_table,"a"
11265 .align 4
11266 - .long 1b,2b
11267 + .long 1b,4b
11268 + .long 2b,5b
11269 + .long 3b,6b
11270 .popsection
11271 PTGS_TO_GS_EX
11272 ENDPROC(ia32_sysenter_target)
11273 @@ -516,6 +627,10 @@ syscall_exit:
11274 testl $_TIF_ALLWORK_MASK, %ecx # current->work
11275 jne syscall_exit_work
11276
11277 +#ifdef CONFIG_PAX_RANDKSTACK
11278 + call pax_randomize_kstack
11279 +#endif
11280 +
11281 restore_all:
11282 TRACE_IRQS_IRET
11283 restore_all_notrace:
11284 @@ -575,14 +690,21 @@ ldt_ss:
11285 * compensating for the offset by changing to the ESPFIX segment with
11286 * a base address that matches for the difference.
11287 */
11288 -#define GDT_ESPFIX_SS PER_CPU_VAR(gdt_page) + (GDT_ENTRY_ESPFIX_SS * 8)
11289 +#define GDT_ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)(%ebx)
11290 mov %esp, %edx /* load kernel esp */
11291 mov PT_OLDESP(%esp), %eax /* load userspace esp */
11292 mov %dx, %ax /* eax: new kernel esp */
11293 sub %eax, %edx /* offset (low word is 0) */
11294 +#ifdef CONFIG_SMP
11295 + movl PER_CPU_VAR(cpu_number), %ebx
11296 + shll $PAGE_SHIFT_asm, %ebx
11297 + addl $cpu_gdt_table, %ebx
11298 +#else
11299 + movl $cpu_gdt_table, %ebx
11300 +#endif
11301 shr $16, %edx
11302 - mov %dl, GDT_ESPFIX_SS + 4 /* bits 16..23 */
11303 - mov %dh, GDT_ESPFIX_SS + 7 /* bits 24..31 */
11304 + mov %dl, 4 + GDT_ESPFIX_SS /* bits 16..23 */
11305 + mov %dh, 7 + GDT_ESPFIX_SS /* bits 24..31 */
11306 pushl_cfi $__ESPFIX_SS
11307 pushl_cfi %eax /* new kernel esp */
11308 /* Disable interrupts, but do not irqtrace this section: we
11309 @@ -617,23 +739,17 @@ work_resched:
11310
11311 work_notifysig: # deal with pending signals and
11312 # notify-resume requests
11313 + movl %esp, %eax
11314 #ifdef CONFIG_VM86
11315 testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
11316 - movl %esp, %eax
11317 - jne work_notifysig_v86 # returning to kernel-space or
11318 + jz 1f # returning to kernel-space or
11319 # vm86-space
11320 - xorl %edx, %edx
11321 - call do_notify_resume
11322 - jmp resume_userspace_sig
11323
11324 - ALIGN
11325 -work_notifysig_v86:
11326 pushl_cfi %ecx # save ti_flags for do_notify_resume
11327 call save_v86_state # %eax contains pt_regs pointer
11328 popl_cfi %ecx
11329 movl %eax, %esp
11330 -#else
11331 - movl %esp, %eax
11332 +1:
11333 #endif
11334 xorl %edx, %edx
11335 call do_notify_resume
11336 @@ -668,6 +784,10 @@ END(syscall_exit_work)
11337
11338 RING0_INT_FRAME # can't unwind into user space anyway
11339 syscall_fault:
11340 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11341 + push %ss
11342 + pop %ds
11343 +#endif
11344 GET_THREAD_INFO(%ebp)
11345 movl $-EFAULT,PT_EAX(%esp)
11346 jmp resume_userspace
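Review bot: The `push %ss; pop %ds` in syscall_fault is only needed because the UDEREF sixth-argument load in ia32_sysenter_target switches %ds to the user %ss before the faulting access and its exception fixup lands here with %ds still pointing at the user segment; without a comment the pair reads like a stray leftover. Suggest `# UDEREF: the sysenter sixth-arg load faulted with %ds = user segment; restore the kernel data segment before any C code runs`. The reload stays harmless if syscall_fault later gains another entry path that never touched %ds.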
11347 @@ -750,6 +870,36 @@ ptregs_clone:
11348 CFI_ENDPROC
11349 ENDPROC(ptregs_clone)
11350
11351 + ALIGN;
11352 +ENTRY(kernel_execve)
11353 + CFI_STARTPROC
11354 + pushl_cfi %ebp
11355 + sub $PT_OLDSS+4,%esp
11356 + pushl_cfi %edi
11357 + pushl_cfi %ecx
11358 + pushl_cfi %eax
11359 + lea 3*4(%esp),%edi
11360 + mov $PT_OLDSS/4+1,%ecx
11361 + xorl %eax,%eax
11362 + rep stosl
11363 + popl_cfi %eax
11364 + popl_cfi %ecx
11365 + popl_cfi %edi
11366 + movl $X86_EFLAGS_IF,PT_EFLAGS(%esp)
11367 + pushl_cfi %esp
11368 + call sys_execve
11369 + add $4,%esp
11370 + CFI_ADJUST_CFA_OFFSET -4
11371 + GET_THREAD_INFO(%ebp)
11372 + test %eax,%eax
11373 + jz syscall_exit
11374 + add $PT_OLDSS+4,%esp
11375 + CFI_ADJUST_CFA_OFFSET -PT_OLDSS-4
11376 + popl_cfi %ebp
11377 + ret
11378 + CFI_ENDPROC
11379 +ENDPROC(kernel_execve)
11380 +
11381 .macro FIXUP_ESPFIX_STACK
11382 /*
11383 * Switch back for ESPFIX stack to the normal zerobased stack
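Review bot: The CFI annotations in kernel_execve are unbalanced: `sub $PT_OLDSS+4,%esp` carries no CFI adjustment, while the matching `add $PT_OLDSS+4,%esp` on the failure path is followed by `CFI_ADJUST_CFA_OFFSET -PT_OLDSS-4`, so the unwind information is off by the frame size for everything in between; add `CFI_ADJUST_CFA_OFFSET PT_OLDSS+4` directly after the sub. The routine also rests on two unwritten conventions that deserve a header comment: the caller's filename/argv/envp arrive in %eax/%edx/%ecx under -mregparm=3 and are passed straight through to sys_execve (%eax/%ecx are saved around the `rep stosl`, %edx is never written), and sys_execve takes its pt_regs pointer as a fourth, stack-passed argument, which is what `pushl_cfi %esp` supplies. It is also worth stating why the fresh pt_regs is zero-filled with only EFLAGS.IF set and why the success path jumps to syscall_exit with %ebp preloaded by GET_THREAD_INFO — presumably the new image is entered through the normal return-to-user path on the frame that the exec code fills in, which is why the pushed %ebp is never popped on that path.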
11384 @@ -759,8 +909,15 @@ ENDPROC(ptregs_clone)
11385 * normal stack and adjusts ESP with the matching offset.
11386 */
11387 /* fixup the stack */
11388 - mov GDT_ESPFIX_SS + 4, %al /* bits 16..23 */
11389 - mov GDT_ESPFIX_SS + 7, %ah /* bits 24..31 */
11390 +#ifdef CONFIG_SMP
11391 + movl PER_CPU_VAR(cpu_number), %ebx
11392 + shll $PAGE_SHIFT_asm, %ebx
11393 + addl $cpu_gdt_table, %ebx
11394 +#else
11395 + movl $cpu_gdt_table, %ebx
11396 +#endif
11397 + mov 4 + GDT_ESPFIX_SS, %al /* bits 16..23 */
11398 + mov 7 + GDT_ESPFIX_SS, %ah /* bits 24..31 */
11399 shl $16, %eax
11400 addl %esp, %eax /* the adjusted stack pointer */
11401 pushl_cfi $__KERNEL_DS
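Review bot: FIXUP_ESPFIX_STACK now clobbers %ebx in addition to %eax (the six-line cpu_gdt_table lookup), which is safe at its current call sites only because they run after SAVE_ALL with %ebx already in pt_regs; the macro should say so, e.g. `/* clobbers %eax and %ebx: use only after SAVE_ALL */`. The lookup itself (`cpu_number << PAGE_SHIFT + cpu_gdt_table`, or `$cpu_gdt_table` on UP) is duplicated verbatim in ldt_ss above; a small `GET_CPU_GDT_TABLE reg` macro would keep the one-page-per-CPU GDT layout assumption, which head_32.S also hard-wires, in a single place.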
11402 @@ -1211,7 +1368,6 @@ return_to_handler:
11403 jmp *%ecx
11404 #endif
11405
11406 -.section .rodata,"a"
11407 #include "syscall_table_32.S"
11408
11409 syscall_table_size=(.-sys_call_table)
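Review bot: Dropping the `.section .rodata,"a"` before `#include "syscall_table_32.S"` leaves sys_call_table in whatever section is current at that point (.text here) unless the included file now selects its own section; since the original directive existed to keep the table out of writable memory, a comment such as `/* syscall_table_32.S now places sys_call_table in its own section (PaX) */` should record where it goes. If the included file was not changed in the same patch, this silently relocates the table.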
11410 @@ -1257,9 +1413,12 @@ error_code:
11411 movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
11412 REG_TO_PTGS %ecx
11413 SET_KERNEL_GS %ecx
11414 - movl $(__USER_DS), %ecx
11415 + movl $(__KERNEL_DS), %ecx
11416 movl %ecx, %ds
11417 movl %ecx, %es
11418 +
11419 + PAX_ENTER_KERNEL
11420 +
11421 TRACE_IRQS_OFF
11422 movl %esp,%eax # pt_regs pointer
11423 call *%edi
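Review bot: error_code loads `__KERNEL_DS` into %ds/%es unconditionally, whereas SAVE_ALL in the same file only does so when one of the four PaX features is configured and keeps `__USER_DS` otherwise; the two entry paths should agree, either by guarding this site with the same `#if` or by a comment stating that error_code deliberately always uses the kernel segment. Because RESTORE_REGS reloads %ds/%es from pt_regs on exit the difference is not user-visible, but the inconsistency invites a future mismatch. PAX_ENTER_KERNEL clobbers %esi here, which is fine only because every register is already in pt_regs at this point — worth one comment. error_code's body continues outside the hunk.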
11424 @@ -1344,6 +1503,9 @@ nmi_stack_correct:
11425 xorl %edx,%edx # zero error code
11426 movl %esp,%eax # pt_regs pointer
11427 call do_nmi
11428 +
11429 + PAX_EXIT_KERNEL
11430 +
11431 jmp restore_all_notrace
11432 CFI_ENDPROC
11433
11434 @@ -1380,6 +1542,9 @@ nmi_espfix_stack:
11435 FIXUP_ESPFIX_STACK # %eax == %esp
11436 xorl %edx,%edx # zero error code
11437 call do_nmi
11438 +
11439 + PAX_EXIT_KERNEL
11440 +
11441 RESTORE_REGS
11442 lss 12+4(%esp), %esp # back to espfix stack
11443 CFI_ADJUST_CFA_OFFSET -24
11444 diff -urNp linux-2.6.37/arch/x86/kernel/entry_64.S linux-2.6.37/arch/x86/kernel/entry_64.S
11445 --- linux-2.6.37/arch/x86/kernel/entry_64.S 2011-01-04 19:50:19.000000000 -0500
11446 +++ linux-2.6.37/arch/x86/kernel/entry_64.S 2011-01-17 02:41:01.000000000 -0500
11447 @@ -53,6 +53,7 @@
11448 #include <asm/paravirt.h>
11449 #include <asm/ftrace.h>
11450 #include <asm/percpu.h>
11451 +#include <asm/pgtable.h>
11452
11453 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
11454 #include <linux/elf-em.h>
11455 @@ -174,6 +175,189 @@ ENTRY(native_usergs_sysret64)
11456 ENDPROC(native_usergs_sysret64)
11457 #endif /* CONFIG_PARAVIRT */
11458
11459 + .macro ljmpq sel, off
11460 +#if defined(CONFIG_MCORE2) || defined (CONFIG_MATOM)
11461 + .byte 0x48; ljmp *1234f(%rip)
11462 + .pushsection .rodata
11463 + .align 16
11464 + 1234: .quad \off; .word \sel
11465 + .popsection
11466 +#else
11467 + push $\sel
11468 + push $\off
11469 + lretq
11470 +#endif
11471 + .endm
11472 +
11473 +ENTRY(pax_enter_kernel)
11474 +
11475 +#ifdef CONFIG_PAX_KERNEXEC
11476 + push %rdi
11477 +
11478 +#ifdef CONFIG_PARAVIRT
11479 + PV_SAVE_REGS(CLBR_RDI)
11480 +#endif
11481 +
11482 + GET_CR0_INTO_RDI
11483 + bts $16,%rdi
11484 + jnc 1f
11485 + mov %cs,%edi
11486 + cmp $__KERNEL_CS,%edi
11487 + jz 3f
11488 + ljmpq __KERNEL_CS,3f
11489 +1: ljmpq __KERNEXEC_KERNEL_CS,2f
11490 +2: SET_RDI_INTO_CR0
11491 +3:
11492 +
11493 +#ifdef CONFIG_PARAVIRT
11494 + PV_RESTORE_REGS(CLBR_RDI)
11495 +#endif
11496 +
11497 + pop %rdi
11498 +#endif
11499 +
11500 + retq
11501 +ENDPROC(pax_enter_kernel)
11502 +
11503 +ENTRY(pax_exit_kernel)
11504 +
11505 +#ifdef CONFIG_PAX_KERNEXEC
11506 + push %rdi
11507 +
11508 +#ifdef CONFIG_PARAVIRT
11509 + PV_SAVE_REGS(CLBR_RDI)
11510 +#endif
11511 +
11512 + mov %cs,%rdi
11513 + cmp $__KERNEXEC_KERNEL_CS,%edi
11514 + jnz 2f
11515 + GET_CR0_INTO_RDI
11516 + btr $16,%rdi
11517 + ljmpq __KERNEL_CS,1f
11518 +1: SET_RDI_INTO_CR0
11519 +2:
11520 +
11521 +#ifdef CONFIG_PARAVIRT
11522 + PV_RESTORE_REGS(CLBR_RDI);
11523 +#endif
11524 +
11525 + pop %rdi
11526 +#endif
11527 +
11528 + retq
11529 +ENDPROC(pax_exit_kernel)
11530 +
11531 +ENTRY(pax_enter_kernel_user)
11532 +
11533 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11534 + push %rdi
11535 + push %rbx
11536 +
11537 +#ifdef CONFIG_PARAVIRT
11538 + PV_SAVE_REGS(CLBR_RDI)
11539 +#endif
11540 +
11541 + GET_CR3_INTO_RDI
11542 + mov %rdi,%rbx
11543 + add $__START_KERNEL_map,%rbx
11544 + sub phys_base(%rip),%rbx
11545 +
11546 +#ifdef CONFIG_PARAVIRT
11547 + push %rdi
11548 + cmpl $0, pv_info+PARAVIRT_enabled
11549 + jz 1f
11550 + i = 0
11551 + .rept USER_PGD_PTRS
11552 + mov i*8(%rbx),%rsi
11553 + mov $0,%sil
11554 + lea i*8(%rbx),%rdi
11555 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
11556 + i = i + 1
11557 + .endr
11558 + jmp 2f
11559 +1:
11560 +#endif
11561 +
11562 + i = 0
11563 + .rept USER_PGD_PTRS
11564 + movb $0,i*8(%rbx)
11565 + i = i + 1
11566 + .endr
11567 +
11568 +#ifdef CONFIG_PARAVIRT
11569 +2: pop %rdi
11570 +#endif
11571 + SET_RDI_INTO_CR3
11572 +
11573 +#ifdef CONFIG_PAX_KERNEXEC
11574 + GET_CR0_INTO_RDI
11575 + bts $16,%rdi
11576 + SET_RDI_INTO_CR0
11577 +#endif
11578 +
11579 +#ifdef CONFIG_PARAVIRT
11580 + PV_RESTORE_REGS(CLBR_RDI)
11581 +#endif
11582 +
11583 + pop %rbx
11584 + pop %rdi
11585 +#endif
11586 +
11587 + retq
11588 +ENDPROC(pax_enter_kernel_user)
11589 +
11590 +ENTRY(pax_exit_kernel_user)
11591 +
11592 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11593 + push %rdi
11594 +
11595 +#ifdef CONFIG_PARAVIRT
11596 + push %rbx
11597 + PV_SAVE_REGS(CLBR_RDI)
11598 +#endif
11599 +
11600 +#ifdef CONFIG_PAX_KERNEXEC
11601 + GET_CR0_INTO_RDI
11602 + btr $16,%rdi
11603 + SET_RDI_INTO_CR0
11604 +#endif
11605 +
11606 + GET_CR3_INTO_RDI
11607 + add $__START_KERNEL_map,%rdi
11608 + sub phys_base(%rip),%rdi
11609 +
11610 +#ifdef CONFIG_PARAVIRT
11611 + cmpl $0, pv_info+PARAVIRT_enabled
11612 + jz 1f
11613 + mov %rdi,%rbx
11614 + i = 0
11615 + .rept USER_PGD_PTRS
11616 + mov i*8(%rbx),%rsi
11617 + mov $0x67,%sil
11618 + lea i*8(%rbx),%rdi
11619 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
11620 + i = i + 1
11621 + .endr
11622 + jmp 2f
11623 +1:
11624 +#endif
11625 +
11626 + i = 0
11627 + .rept USER_PGD_PTRS
11628 + movb $0x67,i*8(%rdi)
11629 + i = i + 1
11630 + .endr
11631 +
11632 +#ifdef CONFIG_PARAVIRT
11633 +2: PV_RESTORE_REGS(CLBR_RDI)
11634 + pop %rbx
11635 +#endif
11636 +
11637 + pop %rdi
11638 +#endif
11639 +
11640 + retq
11641 +ENDPROC(pax_exit_kernel_user)
11642
11643 .macro TRACE_IRQS_IRETQ offset=ARGOFFSET
11644 #ifdef CONFIG_TRACE_IRQFLAGS
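Review bot: pax_exit_kernel_user rewrites the low byte of every one of the USER_PGD_PTRS top-level entries with the literal `0x67` (`mov $0x67,%sil`, `movb $0x67,i*8(%rdi)`) regardless of whether the slot ever held a PUD; for a slot that was zero this produces a present, user-accessible entry whose table pointer is physical page 0, so the code is only safe if user PGD slots are guaranteed to be populated or the invariant is maintained elsewhere in the patch — that invariant belongs in a comment next to the loop, and the byte should be spelled `_PAGE_TABLE` now that `<asm/pgtable.h>` is included (the enter side, which clears the same byte, is harmless on empty slots, hence the asymmetry). The CR3-to-virtual translation `add $__START_KERNEL_map; sub phys_base(%rip)` is likewise valid only for pages inside the kernel text mapping rather than the whole direct map; either PGD pages are allocated from there or PAGE_OFFSET should be used, and the assumption should be stated. Finally, under PARAVIRT each _user entry point runs an unrolled loop of USER_PGD_PTRS `set_pgd` calls with only PV_SAVE_REGS(CLBR_RDI) protecting caller-saved registers; a note on what callers may keep live across these functions would help.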
11645 @@ -312,7 +496,7 @@ ENTRY(save_args)
11646 leaq -ARGOFFSET+16(%rsp),%rdi /* arg1 for handler */
11647 movq_cfi rbp, 8 /* push %rbp */
11648 leaq 8(%rsp), %rbp /* mov %rsp, %ebp */
11649 - testl $3, CS(%rdi)
11650 + testb $3, CS(%rdi)
11651 je 1f
11652 SWAPGS
11653 /*
11654 @@ -403,7 +587,7 @@ ENTRY(ret_from_fork)
11655
11656 RESTORE_REST
11657
11658 - testl $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
11659 + testb $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
11660 je int_ret_from_sys_call
11661
11662 testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET
11663 @@ -462,6 +646,11 @@ ENTRY(system_call_after_swapgs)
11664
11665 movq %rsp,PER_CPU_VAR(old_rsp)
11666 movq PER_CPU_VAR(kernel_stack),%rsp
11667 +
11668 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11669 + call pax_enter_kernel_user
11670 +#endif
11671 +
11672 /*
11673 * No need to follow this irqs off/on section - it's straight
11674 * and short:
11675 @@ -496,6 +685,11 @@ sysret_check:
11676 andl %edi,%edx
11677 jnz sysret_careful
11678 CFI_REMEMBER_STATE
11679 +
11680 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11681 + call pax_exit_kernel_user
11682 +#endif
11683 +
11684 /*
11685 * sysretq will re-enable interrupts:
11686 */
11687 @@ -605,7 +799,7 @@ tracesys:
11688 GLOBAL(int_ret_from_sys_call)
11689 DISABLE_INTERRUPTS(CLBR_NONE)
11690 TRACE_IRQS_OFF
11691 - testl $3,CS-ARGOFFSET(%rsp)
11692 + testb $3,CS-ARGOFFSET(%rsp)
11693 je retint_restore_args
11694 movl $_TIF_ALLWORK_MASK,%edi
11695 /* edi: mask to check */
11696 @@ -786,6 +980,16 @@ END(interrupt)
11697 CFI_ADJUST_CFA_OFFSET ORIG_RAX-ARGOFFSET+8
11698 call save_args
11699 PARTIAL_FRAME 0
11700 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11701 + testb $3, CS(%rdi)
11702 + jnz 1f
11703 + call pax_enter_kernel
11704 + jmp 2f
11705 +1: call pax_enter_kernel_user
11706 +2:
11707 +#else
11708 + call pax_enter_kernel
11709 +#endif
11710 call \func
11711 .endm
11712
11713 @@ -813,7 +1017,7 @@ ret_from_intr:
11714 CFI_ADJUST_CFA_OFFSET -8
11715 exit_intr:
11716 GET_THREAD_INFO(%rcx)
11717 - testl $3,CS-ARGOFFSET(%rsp)
11718 + testb $3,CS-ARGOFFSET(%rsp)
11719 je retint_kernel
11720
11721 /* Interrupt came from user space */
11722 @@ -835,12 +1039,18 @@ retint_swapgs: /* return to user-space
11723 * The iretq could re-enable interrupts:
11724 */
11725 DISABLE_INTERRUPTS(CLBR_ANY)
11726 +
11727 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11728 + call pax_exit_kernel_user
11729 +#endif
11730 +
11731 TRACE_IRQS_IRETQ
11732 SWAPGS
11733 jmp restore_args
11734
11735 retint_restore_args: /* return to kernel space */
11736 DISABLE_INTERRUPTS(CLBR_ANY)
11737 + call pax_exit_kernel
11738 /*
11739 * The iretq could re-enable interrupts:
11740 */
11741 @@ -1012,6 +1222,16 @@ ENTRY(\sym)
11742 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
11743 call error_entry
11744 DEFAULT_FRAME 0
11745 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11746 + testb $3, CS(%rsp)
11747 + jnz 1f
11748 + call pax_enter_kernel
11749 + jmp 2f
11750 +1: call pax_enter_kernel_user
11751 +2:
11752 +#else
11753 + call pax_enter_kernel
11754 +#endif
11755 movq %rsp,%rdi /* pt_regs pointer */
11756 xorl %esi,%esi /* no error code */
11757 call \do_sym
11758 @@ -1029,6 +1249,16 @@ ENTRY(\sym)
11759 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
11760 call save_paranoid
11761 TRACE_IRQS_OFF
11762 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11763 + testb $3, CS(%rsp)
11764 + jnz 1f
11765 + call pax_enter_kernel
11766 + jmp 2f
11767 +1: call pax_enter_kernel_user
11768 +2:
11769 +#else
11770 + call pax_enter_kernel
11771 +#endif
11772 movq %rsp,%rdi /* pt_regs pointer */
11773 xorl %esi,%esi /* no error code */
11774 call \do_sym
11775 @@ -1037,7 +1267,7 @@ ENTRY(\sym)
11776 END(\sym)
11777 .endm
11778
11779 -#define INIT_TSS_IST(x) PER_CPU_VAR(init_tss) + (TSS_ist + ((x) - 1) * 8)
11780 +#define INIT_TSS_IST(x) (TSS_ist + ((x) - 1) * 8)(%r12)
11781 .macro paranoidzeroentry_ist sym do_sym ist
11782 ENTRY(\sym)
11783 INTR_FRAME
11784 @@ -1047,8 +1277,24 @@ ENTRY(\sym)
11785 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
11786 call save_paranoid
11787 TRACE_IRQS_OFF
11788 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11789 + testb $3, CS(%rsp)
11790 + jnz 1f
11791 + call pax_enter_kernel
11792 + jmp 2f
11793 +1: call pax_enter_kernel_user
11794 +2:
11795 +#else
11796 + call pax_enter_kernel
11797 +#endif
11798 movq %rsp,%rdi /* pt_regs pointer */
11799 xorl %esi,%esi /* no error code */
11800 +#ifdef CONFIG_SMP
11801 + imul $TSS_size, PER_CPU_VAR(cpu_number), %r12d
11802 + lea init_tss(%r12), %r12
11803 +#else
11804 + lea init_tss(%rip), %r12
11805 +#endif
11806 subq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
11807 call \do_sym
11808 addq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
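Review bot: The new TSS lookup parks the per-CPU init_tss pointer in %r12 and uses `INIT_TSS_IST(\ist)` both before and after `call \do_sym`; that only works because %r12 is callee-saved in the SysV ABI and survives the C call, and a comment saying so (`# %r12 is callee-saved: it must outlive the \do_sym call for the addq below`) would stop someone swapping it for a scratch register. The SMP form `imul $TSS_size, PER_CPU_VAR(cpu_number), %r12d` also assumes init_tss is now a plain NR_CPUS array strided by TSS_size rather than a per-CPU variable, which the redefinition of INIT_TSS_IST above and a change outside this file presumably arrange; one sentence at the macro would record that. The clobber itself is safe because the paranoid exit path restores %r12 from pt_regs.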
11809 @@ -1065,6 +1311,16 @@ ENTRY(\sym)
11810 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
11811 call error_entry
11812 DEFAULT_FRAME 0
11813 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11814 + testb $3, CS(%rsp)
11815 + jnz 1f
11816 + call pax_enter_kernel
11817 + jmp 2f
11818 +1: call pax_enter_kernel_user
11819 +2:
11820 +#else
11821 + call pax_enter_kernel
11822 +#endif
11823 movq %rsp,%rdi /* pt_regs pointer */
11824 movq ORIG_RAX(%rsp),%rsi /* get error code */
11825 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
11826 @@ -1084,6 +1340,16 @@ ENTRY(\sym)
11827 call save_paranoid
11828 DEFAULT_FRAME 0
11829 TRACE_IRQS_OFF
11830 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11831 + testb $3, CS(%rsp)
11832 + jnz 1f
11833 + call pax_enter_kernel
11834 + jmp 2f
11835 +1: call pax_enter_kernel_user
11836 +2:
11837 +#else
11838 + call pax_enter_kernel
11839 +#endif
11840 movq %rsp,%rdi /* pt_regs pointer */
11841 movq ORIG_RAX(%rsp),%rsi /* get error code */
11842 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
11843 @@ -1343,14 +1609,27 @@ ENTRY(paranoid_exit)
11844 TRACE_IRQS_OFF
11845 testl %ebx,%ebx /* swapgs needed? */
11846 jnz paranoid_restore
11847 - testl $3,CS(%rsp)
11848 + testb $3,CS(%rsp)
11849 jnz paranoid_userspace
11850 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11851 + call pax_exit_kernel
11852 + TRACE_IRQS_IRETQ 0
11853 + SWAPGS_UNSAFE_STACK
11854 + RESTORE_ALL 8
11855 + jmp irq_return
11856 +#endif
11857 paranoid_swapgs:
11858 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11859 + call pax_exit_kernel_user
11860 +#else
11861 + call pax_exit_kernel
11862 +#endif
11863 TRACE_IRQS_IRETQ 0
11864 SWAPGS_UNSAFE_STACK
11865 RESTORE_ALL 8
11866 jmp irq_return
11867 paranoid_restore:
11868 + call pax_exit_kernel
11869 TRACE_IRQS_IRETQ 0
11870 RESTORE_ALL 8
11871 jmp irq_return
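Review bot: The UDEREF-only block between `jnz paranoid_userspace` and `paranoid_swapgs` duplicates the four-line swapgs/restore/iret tail of paranoid_swapgs verbatim, differing only in calling pax_exit_kernel instead of pax_exit_kernel_user; a `jmp` to a label placed after the `call` in paranoid_swapgs would keep one copy of the tail. A short comment on why the split exists would also help: here CS is a kernel selector but %ebx says swapgs is required, and because the entry side chose pax_enter_kernel by the same CS test, the exit must match it and must not run pax_exit_kernel_user. Suggested wording: `# kernel code interrupted before its entry swapgs: undo KERNEXEC only, UDEREF was never entered`.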
11872 @@ -1408,7 +1687,7 @@ ENTRY(error_entry)
11873 movq_cfi r14, R14+8
11874 movq_cfi r15, R15+8
11875 xorl %ebx,%ebx
11876 - testl $3,CS+8(%rsp)
11877 + testb $3,CS+8(%rsp)
11878 je error_kernelspace
11879 error_swapgs:
11880 SWAPGS
11881 @@ -1472,6 +1751,16 @@ ENTRY(nmi)
11882 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
11883 call save_paranoid
11884 DEFAULT_FRAME 0
11885 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11886 + testb $3, CS(%rsp)
11887 + jnz 1f
11888 + call pax_enter_kernel
11889 + jmp 2f
11890 +1: call pax_enter_kernel_user
11891 +2:
11892 +#else
11893 + call pax_enter_kernel
11894 +#endif
11895 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
11896 movq %rsp,%rdi
11897 movq $-1,%rsi
11898 @@ -1482,11 +1771,12 @@ ENTRY(nmi)
11899 DISABLE_INTERRUPTS(CLBR_NONE)
11900 testl %ebx,%ebx /* swapgs needed? */
11901 jnz nmi_restore
11902 - testl $3,CS(%rsp)
11903 + testb $3,CS(%rsp)
11904 jnz nmi_userspace
11905 nmi_swapgs:
11906 SWAPGS_UNSAFE_STACK
11907 nmi_restore:
11908 + call pax_exit_kernel
11909 RESTORE_ALL 8
11910 jmp irq_return
11911 nmi_userspace:
11912 diff -urNp linux-2.6.37/arch/x86/kernel/ftrace.c linux-2.6.37/arch/x86/kernel/ftrace.c
11913 --- linux-2.6.37/arch/x86/kernel/ftrace.c 2011-01-04 19:50:19.000000000 -0500
11914 +++ linux-2.6.37/arch/x86/kernel/ftrace.c 2011-01-17 02:41:01.000000000 -0500
11915 @@ -174,7 +174,9 @@ void ftrace_nmi_enter(void)
11916
11917 if (atomic_inc_return(&nmi_running) & MOD_CODE_WRITE_FLAG) {
11918 smp_rmb();
11919 + pax_open_kernel();
11920 ftrace_mod_code();
11921 + pax_close_kernel();
11922 atomic_inc(&nmi_update_count);
11923 }
11924 /* Must have previous changes seen before executions */
11925 @@ -268,6 +270,8 @@ ftrace_modify_code(unsigned long ip, uns
11926 {
11927 unsigned char replaced[MCOUNT_INSN_SIZE];
11928
11929 + ip = ktla_ktva(ip);
11930 +
11931 /*
11932 * Note: Due to modules and __init, code can
11933 * disappear and change, we need to protect against faulting
11934 @@ -324,7 +328,7 @@ int ftrace_update_ftrace_func(ftrace_fun
11935 unsigned char old[MCOUNT_INSN_SIZE], *new;
11936 int ret;
11937
11938 - memcpy(old, &ftrace_call, MCOUNT_INSN_SIZE);
11939 + memcpy(old, (void *)ktla_ktva((unsigned long)ftrace_call), MCOUNT_INSN_SIZE);
11940 new = ftrace_call_replace(ip, (unsigned long)func);
11941 ret = ftrace_modify_code(ip, old, new);
11942
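Review bot: The `memcpy(old, ...)` now reads the current bytes of ftrace_call through `ktla_ktva()`, while `ftrace_call_replace(ip, ...)` on the next line keeps computing the call displacement from the untranslated `ip` and ftrace_modify_code() applies the translation itself (previous hunk); that asymmetry is correct only if ktla_ktva yields the alias through which kernel text is read and written while `ip` remains the address the code executes at, and it deserves a comment because a later refactor could translate `ip` once at the top and silently break the displacement. Suggest `/* read/write text via its ktla_ktva alias; the displacement is computed from the execution address ip */`. The helper's exact semantics are not visible here, so adjust the wording if it does something else.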
11943 @@ -350,6 +354,8 @@ static int ftrace_mod_jmp(unsigned long
11944 {
11945 unsigned char code[MCOUNT_INSN_SIZE];
11946
11947 + ip = ktla_ktva(ip);
11948 +
11949 if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE))
11950 return -EFAULT;
11951
11952 diff -urNp linux-2.6.37/arch/x86/kernel/head32.c linux-2.6.37/arch/x86/kernel/head32.c
11953 --- linux-2.6.37/arch/x86/kernel/head32.c 2011-01-04 19:50:19.000000000 -0500
11954 +++ linux-2.6.37/arch/x86/kernel/head32.c 2011-01-17 02:41:01.000000000 -0500
11955 @@ -19,6 +19,7 @@
11956 #include <asm/io_apic.h>
11957 #include <asm/bios_ebda.h>
11958 #include <asm/tlbflush.h>
11959 +#include <asm/boot.h>
11960
11961 static void __init i386_default_early_setup(void)
11962 {
11963 @@ -43,7 +44,7 @@ void __init i386_start_kernel(void)
11964 memblock_x86_reserve_range(PAGE_SIZE, PAGE_SIZE + PAGE_SIZE, "EX TRAMPOLINE");
11965 #endif
11966
11967 - memblock_x86_reserve_range(__pa_symbol(&_text), __pa_symbol(&__bss_stop), "TEXT DATA BSS");
11968 + memblock_x86_reserve_range(LOAD_PHYSICAL_ADDR, __pa_symbol(&__bss_stop), "TEXT DATA BSS");
11969
11970 #ifdef CONFIG_BLK_DEV_INITRD
11971 /* Reserve INITRD */
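Review bot: Reserving from `LOAD_PHYSICAL_ADDR` instead of `__pa_symbol(&_text)` hard-wires the link-time load address, which is equivalent only when the kernel is not relocated at boot, and the motivation — presumably that `_text` no longer marks the physical start of the image once KERNEXEC's leading page and address translation are in play — is not recorded. Suggest `/* PaX: _text is not the physical image start under KERNEXEC; reserve from the fixed load address */`. If CONFIG_RELOCATABLE remains supported with this patch, the old expression was the safer one.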
11972 diff -urNp linux-2.6.37/arch/x86/kernel/head_32.S linux-2.6.37/arch/x86/kernel/head_32.S
11973 --- linux-2.6.37/arch/x86/kernel/head_32.S 2011-01-04 19:50:19.000000000 -0500
11974 +++ linux-2.6.37/arch/x86/kernel/head_32.S 2011-01-17 02:41:01.000000000 -0500
11975 @@ -25,6 +25,12 @@
11976 /* Physical address */
11977 #define pa(X) ((X) - __PAGE_OFFSET)
11978
11979 +#ifdef CONFIG_PAX_KERNEXEC
11980 +#define ta(X) (X)
11981 +#else
11982 +#define ta(X) ((X) - __PAGE_OFFSET)
11983 +#endif
11984 +
11985 /*
11986 * References to members of the new_cpu_data structure.
11987 */
11988 @@ -54,11 +60,7 @@
11989 * and small than max_low_pfn, otherwise will waste some page table entries
11990 */
11991
11992 -#if PTRS_PER_PMD > 1
11993 -#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD)
11994 -#else
11995 -#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD)
11996 -#endif
11997 +#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)
11998
11999 /* Number of possible pages in the lowmem region */
12000 LOWMEM_PAGES = (((1<<32) - __PAGE_OFFSET) >> PAGE_SHIFT)
12001 @@ -77,6 +79,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_P
12002 RESERVE_BRK(pagetables, INIT_MAP_SIZE)
12003
12004 /*
12005 + * Real beginning of normal "text" segment
12006 + */
12007 +ENTRY(stext)
12008 +ENTRY(_stext)
12009 +
12010 +/*
12011 * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
12012 * %esi points to the real-mode code as a 32-bit pointer.
12013 * CS and DS must be 4 GB flat segments, but we don't depend on
12014 @@ -84,6 +92,13 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE)
12015 * can.
12016 */
12017 __HEAD
12018 +
12019 +#ifdef CONFIG_PAX_KERNEXEC
12020 + jmp startup_32
12021 +/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
12022 +.fill PAGE_SIZE-5,1,0xcc
12023 +#endif
12024 +
12025 ENTRY(startup_32)
12026 /* test KEEP_SEGMENTS flag to see if the bootloader is asking
12027 us to not reload segments */
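Review bot: `.fill PAGE_SIZE-5,1,0xcc` bakes in the assumption that the preceding `jmp startup_32` assembles to exactly five bytes; that holds because the target is more than 127 bytes away, but a layout change or a different encoding would silently shift startup_32 off its page. Anchoring the fill to the actual size removes the magic number, e.g. `0: jmp startup_32` followed by `.fill PAGE_SIZE-(.-0b),1,0xcc`. The comment could also state that this page is only "first" while nothing else is placed in .head.text ahead of this file.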
12028 @@ -101,6 +116,57 @@ ENTRY(startup_32)
12029 movl %eax,%gs
12030 2:
12031
12032 +#ifdef CONFIG_SMP
12033 + movl $pa(cpu_gdt_table),%edi
12034 + movl $__per_cpu_load,%eax
12035 + movw %ax,__KERNEL_PERCPU + 2(%edi)
12036 + rorl $16,%eax
12037 + movb %al,__KERNEL_PERCPU + 4(%edi)
12038 + movb %ah,__KERNEL_PERCPU + 7(%edi)
12039 + movl $__per_cpu_end - 1,%eax
12040 + subl $__per_cpu_start,%eax
12041 + movw %ax,__KERNEL_PERCPU + 0(%edi)
12042 +#endif
12043 +
12044 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12045 + movl $NR_CPUS,%ecx
12046 + movl $pa(cpu_gdt_table),%edi
12047 +1:
12048 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)
12049 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0fb00),GDT_ENTRY_DEFAULT_USER_CS * 8 + 4(%edi)
12050 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0f300),GDT_ENTRY_DEFAULT_USER_DS * 8 + 4(%edi)
12051 + addl $PAGE_SIZE_asm,%edi
12052 + loop 1b
12053 +#endif
12054 +
12055 +#ifdef CONFIG_PAX_KERNEXEC
12056 + movl $pa(boot_gdt),%edi
12057 + movl $__LOAD_PHYSICAL_ADDR,%eax
12058 + movw %ax,__BOOT_CS + 2(%edi)
12059 + rorl $16,%eax
12060 + movb %al,__BOOT_CS + 4(%edi)
12061 + movb %ah,__BOOT_CS + 7(%edi)
12062 + rorl $16,%eax
12063 +
12064 + ljmp $(__BOOT_CS),$1f
12065 +1:
12066 +
12067 + movl $NR_CPUS,%ecx
12068 + movl $pa(cpu_gdt_table),%edi
12069 + addl $__PAGE_OFFSET,%eax
12070 +1:
12071 + movw %ax,__KERNEL_CS + 2(%edi)
12072 + movw %ax,__KERNEXEC_KERNEL_CS + 2(%edi)
12073 + rorl $16,%eax
12074 + movb %al,__KERNEL_CS + 4(%edi)
12075 + movb %al,__KERNEXEC_KERNEL_CS + 4(%edi)
12076 + movb %ah,__KERNEL_CS + 7(%edi)
12077 + movb %ah,__KERNEXEC_KERNEL_CS + 7(%edi)
12078 + rorl $16,%eax
12079 + addl $PAGE_SIZE_asm,%edi
12080 + loop 1b
12081 +#endif
12082 +
12083 /*
12084 * Clear BSS first so that there are no surprises...
12085 */
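Review bot: The three descriptor words written into every CPU's GDT under UDEREF (`0x00c09700`, `0x00c0fb00`, `0x00c0f300`) are magic: decoded, 0x97 turns __KERNEL_DS into an expand-down data segment whose limit (`__PAGE_OFFSET-1` in 4 KiB units, upper nibble written here, the low bits presumably already 0xffff in the static table) excludes everything below __PAGE_OFFSET, while 0xfb/0xf3 make the user CS/DS expand-up with the same limit, so the user segments stop exactly where the kernel segment begins. That is the whole i386 UDEREF mechanism and it deserves a comment block above the loop saying so, plus a note that only the high dword is patched and that the loop assumes one page-sized GDT per CPU (`addl $PAGE_SIZE_asm`), the same layout entry_32.S indexes with `shll $PAGE_SHIFT_asm`. The KERNEXEC block reuses the numeric label `1:` for both the ljmp target and the loop head; legal, but a named loop label would read better. startup_32 continues outside the hunk.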
12086 @@ -150,9 +216,7 @@ ENTRY(startup_32)
12087 cmpl $num_subarch_entries, %eax
12088 jae bad_subarch
12089
12090 - movl pa(subarch_entries)(,%eax,4), %eax
12091 - subl $__PAGE_OFFSET, %eax
12092 - jmp *%eax
12093 + jmp *pa(subarch_entries)(,%eax,4)
12094
12095 bad_subarch:
12096 WEAK(lguest_entry)
12097 @@ -164,10 +228,10 @@ WEAK(xen_entry)
12098 __INITDATA
12099
12100 subarch_entries:
12101 - .long default_entry /* normal x86/PC */
12102 - .long lguest_entry /* lguest hypervisor */
12103 - .long xen_entry /* Xen hypervisor */
12104 - .long default_entry /* Moorestown MID */
12105 + .long ta(default_entry) /* normal x86/PC */
12106 + .long ta(lguest_entry) /* lguest hypervisor */
12107 + .long ta(xen_entry) /* Xen hypervisor */
12108 + .long ta(default_entry) /* Moorestown MID */
12109 num_subarch_entries = (. - subarch_entries) / 4
12110 .previous
12111 #endif /* CONFIG_PARAVIRT */
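Review bot: With KERNEXEC, `ta()` is the identity, so subarch_entries holds link-time virtual addresses that `jmp *pa(subarch_entries)(,%eax,4)` (previous hunk) jumps to while paging is still off; that can only work because startup_32 rewrote the __BOOT_CS base earlier in this file so that a virtual EIP resolves to the right physical location, and nothing at the table says so. Suggest a comment above the macro: `/* ta(): jump target for startup_32 — physical normally, link-time virtual under KERNEXEC where the relocated __BOOT_CS base compensates */`. Without it the KERNEXEC branch of ta() looks like a bug to a reader who expects a physical-address table.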
12112 @@ -227,8 +291,11 @@ default_entry:
12113 movl %eax, pa(max_pfn_mapped)
12114
12115 /* Do early initialization of the fixmap area */
12116 - movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax
12117 - movl %eax,pa(initial_pg_pmd+0x1000*KPMDS-8)
12118 +#ifdef CONFIG_COMPAT_VDSO
12119 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_pg_pmd+0x1000*KPMDS-8)
12120 +#else
12121 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_pg_pmd+0x1000*KPMDS-8)
12122 +#endif
12123 #else /* Not PAE */
12124
12125 page_pde_offset = (__PAGE_OFFSET >> 20);
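Review bot: Adding `_PAGE_USER` to the fixmap PDE only under CONFIG_COMPAT_VDSO changes which configurations expose the fixmap area to userspace, and the reason is not recorded; presumably the compat vDSO lives at a fixed fixmap address and needs a user-accessible directory entry, while every other configuration now keeps the fixmap kernel-only as a hardening measure. A one-line comment, `/* COMPAT_VDSO maps the vDSO in the fixmap, so its PDE must be user-accessible; otherwise keep the fixmap kernel-only */`, would also explain the duplicated `#ifdef` in the non-PAE path below.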
12126 @@ -258,8 +325,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
12127 movl %eax, pa(max_pfn_mapped)
12128
12129 /* Do early initialization of the fixmap area */
12130 - movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax
12131 - movl %eax,pa(initial_page_table+0xffc)
12132 +#ifdef CONFIG_COMPAT_VDSO
12133 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_page_table+0xffc)
12134 +#else
12135 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_page_table+0xffc)
12136 +#endif
12137 #endif
12138 jmp 3f
12139 /*
12140 @@ -306,6 +376,7 @@ ENTRY(startup_32_smp)
12141 orl %edx,%eax
12142 movl %eax,%cr4
12143
12144 +#ifdef CONFIG_X86_PAE
12145 testb $X86_CR4_PAE, %al # check if PAE is enabled
12146 jz 6f
12147
12148 @@ -330,6 +401,9 @@ ENTRY(startup_32_smp)
12149 /* Make changes effective */
12150 wrmsr
12151
12152 + btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
12153 +#endif
12154 +
12155 6:
12156
12157 /*
12158 @@ -355,9 +429,7 @@ ENTRY(startup_32_smp)
12159
12160 #ifdef CONFIG_SMP
12161 cmpb $0, ready
12162 - jz 1f /* Initial CPU cleans BSS */
12163 - jmp checkCPUtype
12164 -1:
12165 + jnz checkCPUtype /* Initial CPU cleans BSS */
12166 #endif /* CONFIG_SMP */
12167
12168 /*
12169 @@ -435,7 +507,7 @@ is386: movl $2,%ecx # set MP
12170 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
12171 movl %eax,%ss # after changing gdt.
12172
12173 - movl $(__USER_DS),%eax # DS/ES contains default USER segment
12174 +# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment
12175 movl %eax,%ds
12176 movl %eax,%es
12177
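Review bot: The replacement for `movl $(__USER_DS),%eax` is a commented-out instruction (`# movl $(__KERNEL_DS),%eax`), so DS and ES are loaded from whatever `%eax` still holds — the `__KERNEL_DS` from the `1:` line above — and commented-out code hides that dependency instead of documenting it. Replace the line with a real comment, e.g. `# %eax still holds __KERNEL_DS from above: DS/ES default to the kernel data segment`, so the intent survives if the preceding `movl` is ever changed.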
12178 @@ -449,15 +521,22 @@ is386: movl $2,%ecx # set MP
12179 */
12180 cmpb $0,ready
12181 jne 1f
12182 - movl $gdt_page,%eax
12183 + movl $cpu_gdt_table,%eax
12184 movl $stack_canary,%ecx
12185 +#ifdef CONFIG_SMP
12186 + addl $__per_cpu_load,%ecx
12187 +#endif
12188 movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax)
12189 shrl $16, %ecx
12190 movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax)
12191 movb %ch, 8 * GDT_ENTRY_STACK_CANARY + 7(%eax)
12192 1:
12193 -#endif
12194 movl $(__KERNEL_STACK_CANARY),%eax
12195 +#elif defined(CONFIG_PAX_MEMORY_UDEREF)
12196 + movl $(__USER_DS),%eax
12197 +#else
12198 + xorl %eax,%eax
12199 +#endif
12200 movl %eax,%gs
12201
12202 xorl %eax,%eax # Clear LDT
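Review bot: The new `#elif defined(CONFIG_PAX_MEMORY_UDEREF)` and `#else` branches attach to a conditional that opens above this hunk, and the `#endif` following `xorl %eax,%eax` carries no trailing comment, so the hunk alone does not show which option the first branch belongs to or why %gs gets `__USER_DS` under UDEREF and 0 otherwise. A trailing comment on the `#endif` naming the opening option and a one-line note on the UDEREF choice of %gs would help. `addl $__per_cpu_load,%ecx` under CONFIG_SMP also deserves a comment, presumably along the lines of `# stack_canary is a per-cpu offset: rebase it onto the initial per-cpu image`.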
12203 @@ -468,10 +547,6 @@ is386: movl $2,%ecx # set MP
12204 #ifdef CONFIG_SMP
12205 movb ready, %cl
12206 movb $1, ready
12207 - cmpb $0,%cl # the first CPU calls start_kernel
12208 - je 1f
12209 - movl (stack_start), %esp
12210 -1:
12211 #endif /* CONFIG_SMP */
12212 jmp *(initial_code)
12213
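Review bot: `movb ready, %cl` now loads a value that nothing reads, because the `cmpb $0,%cl` / `je 1f` pair and the `movl (stack_start), %esp` reload they guarded were removed; drop the load or say why it stays. With the reload gone, every CPU jumps to `*(initial_code)` on whatever stack it entered startup_32_smp with, so secondary CPUs must already have a valid %esp; presumably the trampoline or `stack_start` handling elsewhere in the patch guarantees that, and a comment here saying where the AP stack is set would save the next reader the search.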
12214 @@ -557,22 +632,22 @@ early_page_fault:
12215 jmp early_fault
12216
12217 early_fault:
12218 - cld
12219 #ifdef CONFIG_PRINTK
12220 + cmpl $1,%ss:early_recursion_flag
12221 + je hlt_loop
12222 + incl %ss:early_recursion_flag
12223 + cld
12224 pusha
12225 movl $(__KERNEL_DS),%eax
12226 movl %eax,%ds
12227 movl %eax,%es
12228 - cmpl $2,early_recursion_flag
12229 - je hlt_loop
12230 - incl early_recursion_flag
12231 movl %cr2,%eax
12232 pushl %eax
12233 pushl %edx /* trapno */
12234 pushl $fault_msg
12235 call printk
12236 +; call dump_stack
12237 #endif
12238 - call dump_stack
12239 hlt_loop:
12240 hlt
12241 jmp hlt_loop
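Review bot: `;	call dump_stack` does not comment the call out: in x86 GNU as `;` is a statement separator, not a comment character, so the line still assembles as `call dump_stack` under CONFIG_PRINTK. Use `#` as this file does elsewhere (`# movl $(__KERNEL_DS),%eax` in the hunk above) or delete the line outright; if keeping the call is intended, a plain `call dump_stack` says so without the misleading prefix. Moving the recursion check ahead of `cld` and the segment loads, with a `%ss:` override because %ds is not yet valid, is the right order but deserves a comment, e.g. `# %ds is not set up yet: reach the flag through %ss`.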
12242 @@ -580,8 +655,11 @@ hlt_loop:
12243 /* This is the default interrupt "handler" :-) */
12244 ALIGN
12245 ignore_int:
12246 - cld
12247 #ifdef CONFIG_PRINTK
12248 + cmpl $2,%ss:early_recursion_flag
12249 + je hlt_loop
12250 + incl %ss:early_recursion_flag
12251 + cld
12252 pushl %eax
12253 pushl %ecx
12254 pushl %edx
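Review bot: early_fault bails out at `cmpl $1,%ss:early_recursion_flag` while ignore_int bails at `cmpl $2`, yet both bump the same counter, and neither site explains the asymmetry; a comment at this `cmpl` stating that ignore_int tolerates one nested fault (presumably so that a fault while printing the spurious-interrupt message is still reported) would help. The `%ss:` override is used for the same reason as in early_fault, so the explanation belongs at both sites or in one shared comment above `early_fault`.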
12255 @@ -590,9 +668,6 @@ ignore_int:
12256 movl $(__KERNEL_DS),%eax
12257 movl %eax,%ds
12258 movl %eax,%es
12259 - cmpl $2,early_recursion_flag
12260 - je hlt_loop
12261 - incl early_recursion_flag
12262 pushl 16(%esp)
12263 pushl 24(%esp)
12264 pushl 32(%esp)
12265 @@ -619,29 +694,42 @@ ENTRY(initial_code)
12266 /*
12267 * BSS section
12268 */
12269 -__PAGE_ALIGNED_BSS
12270 - .align PAGE_SIZE_asm
12271 #ifdef CONFIG_X86_PAE
12272 +.section .initial_pg_pmd,"a",@progbits
12273 ENTRY(initial_pg_pmd)
12274 .fill 1024*KPMDS,4,0
12275 #else
12276 ENTRY(initial_page_table)
12277 .fill 1024,4,0
12278 #endif
12279 +.section .initial_pg_fixmap,"a",@progbits
12280 ENTRY(initial_pg_fixmap)
12281 .fill 1024,4,0
12282 +.section .empty_zero_page,"a",@progbits
12283 ENTRY(empty_zero_page)
12284 .fill 4096,1,0
12285 +.section .swapper_pg_dir,"a",@progbits
12286 ENTRY(swapper_pg_dir)
12287 +#ifdef CONFIG_X86_PAE
12288 + .fill 4,8,0
12289 +#else
12290 .fill 1024,4,0
12291 +#endif
12292 +
12293 +/*
12294 + * The IDT has to be page-aligned to simplify the Pentium
12295 + * F0 0F bug workaround.. We have a special link segment
12296 + * for this.
12297 + */
12298 +.section .idt,"a",@progbits
12299 +ENTRY(idt_table)
12300 + .fill 256,8,0
12301
12302 /*
12303 * This starts the data section.
12304 */
12305 #ifdef CONFIG_X86_PAE
12306 -__PAGE_ALIGNED_DATA
12307 - /* Page-aligned for the benefit of paravirt? */
12308 - .align PAGE_SIZE_asm
12309 +.section .initial_page_table,"a",@progbits
12310 ENTRY(initial_page_table)
12311 .long pa(initial_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */
12312 # if KPMDS == 3
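Review bot: `initial_pg_pmd`, `initial_pg_fixmap`, `swapper_pg_dir`, `idt_table` and `initial_page_table` move out of BSS/data into named sections declared `"a",@progbits` — allocatable but not writable, and occupying file space — even though most of them are written at run time; this presumably relies on a linker-script change elsewhere in the patch to place them and on the write-protection being lifted (or opened via `pax_open_kernel()`, as the kprobes.c hunks do) whenever they are modified. A comment at the first `.section .initial_pg_pmd,"a",@progbits` line stating that contract would help, and the same applies to `.section .initial_page_table` at the end of the hunk. The PAE `.fill 4,8,0` for swapper_pg_dir versus `.fill 1024,4,0` is correct, but a comment naming it as the 4-entry PAE PDPT would help.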
12313 @@ -660,15 +748,24 @@ ENTRY(initial_page_table)
12314 # error "Kernel PMDs should be 1, 2 or 3"
12315 # endif
12316 .align PAGE_SIZE_asm /* needs to be page-sized too */
12317 +
12318 +#ifdef CONFIG_PAX_PER_CPU_PGD
12319 +ENTRY(cpu_pgd)
12320 + .rept NR_CPUS
12321 + .fill 4,8,0
12322 + .endr
12323 +#endif
12324 +
12325 #endif
12326
12327 .data
12328 ENTRY(stack_start)
12329 - .long init_thread_union+THREAD_SIZE
12330 + .long init_thread_union+THREAD_SIZE-8
12331 .long __BOOT_DS
12332
12333 ready: .byte 0
12334
12335 +.section .rodata,"a",@progbits
12336 early_recursion_flag:
12337 .long 0
12338
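Review bot: `early_recursion_flag` is placed under `.section .rodata,"a",@progbits` but is incremented by early_fault and ignore_int (`incl %ss:early_recursion_flag`), so it is a mutable counter living in a read-only section; this presumably works because the early handlers only run before .rodata is write-protected, and that assumption should be written down: `# written only by the early fault handlers, before .rodata is protected`. The `-8` in `.long init_thread_union+THREAD_SIZE-8` is the same magic offset as `sizeof(*irqctx) - 8` in the two irq_32.c hunks below (`execute_on_irq_stack` and `do_softirq`); a named constant or a comment explaining what the 8 bytes below the stack top are reserved for would tie the three sites together. The new `cpu_pgd` block sits inside the `#ifdef CONFIG_X86_PAE` that opens above the hunk.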
12339 @@ -704,7 +801,7 @@ fault_msg:
12340 .word 0 # 32 bit align gdt_desc.address
12341 boot_gdt_descr:
12342 .word __BOOT_DS+7
12343 - .long boot_gdt - __PAGE_OFFSET
12344 + .long pa(boot_gdt)
12345
12346 .word 0 # 32-bit align idt_desc.address
12347 idt_descr:
12348 @@ -715,7 +812,7 @@ idt_descr:
12349 .word 0 # 32 bit align gdt_desc.address
12350 ENTRY(early_gdt_descr)
12351 .word GDT_ENTRIES*8-1
12352 - .long gdt_page /* Overwritten for secondary CPUs */
12353 + .long cpu_gdt_table /* Overwritten for secondary CPUs */
12354
12355 /*
12356 * The boot_gdt must mirror the equivalent in setup.S and is
12357 @@ -724,5 +821,65 @@ ENTRY(early_gdt_descr)
12358 .align L1_CACHE_BYTES
12359 ENTRY(boot_gdt)
12360 .fill GDT_ENTRY_BOOT_CS,8,0
12361 - .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
12362 - .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
12363 + .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
12364 + .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
12365 +
12366 + .align PAGE_SIZE_asm
12367 +ENTRY(cpu_gdt_table)
12368 + .rept NR_CPUS
12369 + .quad 0x0000000000000000 /* NULL descriptor */
12370 + .quad 0x0000000000000000 /* 0x0b reserved */
12371 + .quad 0x0000000000000000 /* 0x13 reserved */
12372 + .quad 0x0000000000000000 /* 0x1b reserved */
12373 +
12374 +#ifdef CONFIG_PAX_KERNEXEC
12375 + .quad 0x00cf9b000000ffff /* 0x20 alternate kernel 4GB code at 0x00000000 */
12376 +#else
12377 + .quad 0x0000000000000000 /* 0x20 unused */
12378 +#endif
12379 +
12380 + .quad 0x0000000000000000 /* 0x28 unused */
12381 + .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
12382 + .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
12383 + .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
12384 + .quad 0x0000000000000000 /* 0x4b reserved */
12385 + .quad 0x0000000000000000 /* 0x53 reserved */
12386 + .quad 0x0000000000000000 /* 0x5b reserved */
12387 +
12388 + .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
12389 + .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
12390 + .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
12391 + .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
12392 +
12393 + .quad 0x0000000000000000 /* 0x80 TSS descriptor */
12394 + .quad 0x0000000000000000 /* 0x88 LDT descriptor */
12395 +
12396 + /*
12397 + * Segments used for calling PnP BIOS have byte granularity.
12398 + * The code segments and data segments have fixed 64k limits,
12399 + * the transfer segment sizes are set at run time.
12400 + */
12401 + .quad 0x00409b000000ffff /* 0x90 32-bit code */
12402 + .quad 0x00009b000000ffff /* 0x98 16-bit code */
12403 + .quad 0x000093000000ffff /* 0xa0 16-bit data */
12404 + .quad 0x0000930000000000 /* 0xa8 16-bit data */
12405 + .quad 0x0000930000000000 /* 0xb0 16-bit data */
12406 +
12407 + /*
12408 + * The APM segments have byte granularity and their bases
12409 + * are set at run time. All have 64k limits.
12410 + */
12411 + .quad 0x00409b000000ffff /* 0xb8 APM CS code */
12412 + .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
12413 + .quad 0x004093000000ffff /* 0xc8 APM DS data */
12414 +
12415 + .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
12416 + .quad 0x0040930000000000 /* 0xd8 - PERCPU */
12417 + .quad 0x0040910000000018 /* 0xe0 - STACK_CANARY */
12418 + .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
12419 + .quad 0x0000000000000000 /* 0xf0 - PCIBIOS_DS */
12420 + .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
12421 +
12422 + /* Be sure this is zeroed to avoid false validations in Xen */
12423 + .fill PAGE_SIZE_asm - GDT_SIZE,1,0
12424 + .endr
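Review bot: The boot_gdt descriptors change from type bytes 0x9a/0x92 to 0x9b/0x93 — the accessed bit is now preset — and cpu_gdt_table uses the same convention throughout, with no comment explaining why; presumably it is so the CPU never has to write the accessed bit into a descriptor that lives in read-only memory, and a one-line comment above `ENTRY(boot_gdt)` saying so would help. The per-entry comments in cpu_gdt_table mix selector values with RPL bits (`0x33`, `0x3b`, `0x73`, `0x7b`) and plain byte offsets (`0x28`, `0x60`), which makes cross-checking against `GDT_ENTRY_*` in asm/segment.h harder than necessary; using the `GDT_ENTRY_*` names would be consistent. `.fill PAGE_SIZE_asm - GDT_SIZE,1,0` silently assumes the listed entries add up to `GDT_SIZE`; a comment like the 64-bit table's `/* asm/segment.h:GDT_ENTRIES must match this */` would make that explicit.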
12425 diff -urNp linux-2.6.37/arch/x86/kernel/head_64.S linux-2.6.37/arch/x86/kernel/head_64.S
12426 --- linux-2.6.37/arch/x86/kernel/head_64.S 2011-01-04 19:50:19.000000000 -0500
12427 +++ linux-2.6.37/arch/x86/kernel/head_64.S 2011-01-17 02:41:01.000000000 -0500
12428 @@ -19,6 +19,7 @@
12429 #include <asm/cache.h>
12430 #include <asm/processor-flags.h>
12431 #include <asm/percpu.h>
12432 +#include <asm/cpufeature.h>
12433
12434 #ifdef CONFIG_PARAVIRT
12435 #include <asm/asm-offsets.h>
12436 @@ -38,6 +39,10 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET
12437 L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
12438 L4_START_KERNEL = pgd_index(__START_KERNEL_map)
12439 L3_START_KERNEL = pud_index(__START_KERNEL_map)
12440 +L4_VMALLOC_START = pgd_index(VMALLOC_START)
12441 +L3_VMALLOC_START = pud_index(VMALLOC_START)
12442 +L4_VMEMMAP_START = pgd_index(VMEMMAP_START)
12443 +L3_VMEMMAP_START = pud_index(VMEMMAP_START)
12444
12445 .text
12446 __HEAD
12447 @@ -85,35 +90,22 @@ startup_64:
12448 */
12449 addq %rbp, init_level4_pgt + 0(%rip)
12450 addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
12451 + addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
12452 + addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
12453 addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
12454
12455 addq %rbp, level3_ident_pgt + 0(%rip)
12456 +#ifndef CONFIG_XEN
12457 + addq %rbp, level3_ident_pgt + 8(%rip)
12458 +#endif
12459
12460 - addq %rbp, level3_kernel_pgt + (510*8)(%rip)
12461 - addq %rbp, level3_kernel_pgt + (511*8)(%rip)
12462 + addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
12463
12464 - addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
12465 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
12466 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8+8)(%rip)
12467
12468 - /* Add an Identity mapping if I am above 1G */
12469 - leaq _text(%rip), %rdi
12470 - andq $PMD_PAGE_MASK, %rdi
12471 -
12472 - movq %rdi, %rax
12473 - shrq $PUD_SHIFT, %rax
12474 - andq $(PTRS_PER_PUD - 1), %rax
12475 - jz ident_complete
12476 -
12477 - leaq (level2_spare_pgt - __START_KERNEL_map + _KERNPG_TABLE)(%rbp), %rdx
12478 - leaq level3_ident_pgt(%rip), %rbx
12479 - movq %rdx, 0(%rbx, %rax, 8)
12480 -
12481 - movq %rdi, %rax
12482 - shrq $PMD_SHIFT, %rax
12483 - andq $(PTRS_PER_PMD - 1), %rax
12484 - leaq __PAGE_KERNEL_IDENT_LARGE_EXEC(%rdi), %rdx
12485 - leaq level2_spare_pgt(%rip), %rbx
12486 - movq %rdx, 0(%rbx, %rax, 8)
12487 -ident_complete:
12488 + addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
12489 + addq %rbp, level2_fixmap_pgt + (507*8)(%rip)
12490
12491 /*
12492 * Fixup the kernel text+data virtual addresses. Note that
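Review bot: `addq %rbp, level2_fixmap_pgt + (506*8)(%rip)` relocates an entry that the new table layout leaves empty: in the `@@ -364,20 +388,23 @@` hunk below, level2_fixmap_pgt is `.fill 507,8,0` followed by `level1_vsyscall_pgt` at index 507, so on a kernel loaded away from its link address entry 506 turns from zero into a bare load-offset value. Unless entry 506 is populated elsewhere in the patch, that line should be dropped and only the `(507*8)` fixup kept. Removing the "Add an Identity mapping if I am above 1G" sequence also means the only identity mapping is the static 2G one built by `PMDS(0, ..., 2*PTRS_PER_PMD)` in `level2_ident_pgt`; a kernel loaded above 2G would have no identity mapping for its own text, which is worth stating in a comment at `level2_ident_pgt` or checking against the maximum supported load address.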
12493 @@ -161,8 +153,8 @@ ENTRY(secondary_startup_64)
12494 * after the boot processor executes this code.
12495 */
12496
12497 - /* Enable PAE mode and PGE */
12498 - movl $(X86_CR4_PAE | X86_CR4_PGE), %eax
12499 + /* Enable PAE mode and PSE/PGE */
12500 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
12501 movq %rax, %cr4
12502
12503 /* Setup early boot stage 4 level pagetables. */
12504 @@ -184,9 +176,14 @@ ENTRY(secondary_startup_64)
12505 movl $MSR_EFER, %ecx
12506 rdmsr
12507 btsl $_EFER_SCE, %eax /* Enable System Call */
12508 - btl $20,%edi /* No Execute supported? */
12509 + btl $(X86_FEATURE_NX & 31),%edi /* No Execute supported? */
12510 jnc 1f
12511 btsl $_EFER_NX, %eax
12512 + leaq init_level4_pgt(%rip), %rdi
12513 + btsq $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi)
12514 + btsq $_PAGE_BIT_NX, 8*L4_VMALLOC_START(%rdi)
12515 + btsq $_PAGE_BIT_NX, 8*L4_VMEMMAP_START(%rdi)
12516 + btsq $_PAGE_BIT_NX, __supported_pte_mask(%rip)
12517 1: wrmsr /* Make changes effective */
12518
12519 /* Setup cr0 */
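Review bot: The four new `btsq $_PAGE_BIT_NX, ...` stores execute on every CPU that passes through secondary_startup_64, not only the boot CPU; they are idempotent, so this is harmless, but a comment saying so would stop a future reader from "fixing" it. Setting NX on the L4 entries for the direct map, vmalloc and vmemmap makes those regions non-executable regardless of the lower-level entries; that intent deserves a comment at the first `btsq`, e.g. `/* NX at the PGD level: direct map, vmalloc and vmemmap can never become executable */`. The stores sit on the `jnc 1f` fall-through, i.e. only when the CPU advertises NX, so `__supported_pte_mask` keeps NX clear on hardware without it, which is the desired behaviour and also worth a word.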
12520 @@ -270,7 +267,7 @@ ENTRY(secondary_startup_64)
12521 bad_address:
12522 jmp bad_address
12523
12524 - .section ".init.text","ax"
12525 + __INIT
12526 #ifdef CONFIG_EARLY_PRINTK
12527 .globl early_idt_handlers
12528 early_idt_handlers:
12529 @@ -315,18 +312,23 @@ ENTRY(early_idt_handler)
12530 #endif /* EARLY_PRINTK */
12531 1: hlt
12532 jmp 1b
12533 + .previous
12534
12535 #ifdef CONFIG_EARLY_PRINTK
12536 + __INITDATA
12537 early_recursion_flag:
12538 .long 0
12539 + .previous
12540
12541 + .section .rodata,"a",@progbits
12542 early_idt_msg:
12543 .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
12544 early_idt_ripmsg:
12545 .asciz "RIP %s\n"
12546 -#endif /* CONFIG_EARLY_PRINTK */
12547 .previous
12548 +#endif /* CONFIG_EARLY_PRINTK */
12549
12550 + .section .rodata,"a",@progbits
12551 #define NEXT_PAGE(name) \
12552 .balign PAGE_SIZE; \
12553 ENTRY(name)
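Review bot: With `.section .rodata,"a",@progbits` placed before the `NEXT_PAGE` macro (and `.data` removed in the next hunk), init_level4_pgt and every other `NEXT_PAGE` table now live in .rodata, yet startup_64 writes to them (`addq %rbp, init_level4_pgt ...`) and secondary_startup_64 sets NX bits in them; this works only while .rodata is still writable, and later runtime updates have to open a write window with `pax_open_kernel()`/`pax_close_kernel()` as the kprobes.c hunks do. A comment at that `.section` line stating the contract, e.g. `/* page tables live in .rodata: writable only during early boot or inside pax_open_kernel() */`, would help. The `.previous` moved inside the `#ifdef CONFIG_EARLY_PRINTK` now correctly pairs with the `.section .rodata` that is also inside it.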
12554 @@ -339,7 +341,6 @@ ENTRY(name)
12555 i = i + 1 ; \
12556 .endr
12557
12558 - .data
12559 /*
12560 * This default setting generates an ident mapping at address 0x100000
12561 * and a mapping for the kernel that precisely maps virtual address
12562 @@ -350,13 +351,36 @@ NEXT_PAGE(init_level4_pgt)
12563 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
12564 .org init_level4_pgt + L4_PAGE_OFFSET*8, 0
12565 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
12566 + .org init_level4_pgt + L4_VMALLOC_START*8, 0
12567 + .quad level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE
12568 + .org init_level4_pgt + L4_VMEMMAP_START*8, 0
12569 + .quad level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
12570 .org init_level4_pgt + L4_START_KERNEL*8, 0
12571 /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
12572 .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
12573
12574 +#ifdef CONFIG_PAX_PER_CPU_PGD
12575 +NEXT_PAGE(cpu_pgd)
12576 + .rept NR_CPUS
12577 + .fill 512,8,0
12578 + .endr
12579 +#endif
12580 +
12581 NEXT_PAGE(level3_ident_pgt)
12582 .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
12583 +#ifdef CONFIG_XEN
12584 .fill 511,8,0
12585 +#else
12586 + .quad level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
12587 + .fill 510,8,0
12588 +#endif
12589 +
12590 +NEXT_PAGE(level3_vmalloc_pgt)
12591 + .fill 512,8,0
12592 +
12593 +NEXT_PAGE(level3_vmemmap_pgt)
12594 + .fill L3_VMEMMAP_START,8,0
12595 + .quad level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
12596
12597 NEXT_PAGE(level3_kernel_pgt)
12598 .fill L3_START_KERNEL,8,0
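Review bot: The non-Xen second entry of level3_ident_pgt, `level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE`, is only valid because `NEXT_PAGE(level2_ident_pgt)` in the next hunk is followed by `PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)`, i.e. two consecutive pages; nothing asserts that, so a comment here such as `/* second page of level2_ident_pgt (maps 1G-2G); see PMDS(..., 2*PTRS_PER_PMD) */` would make the coupling explicit. The `#ifdef CONFIG_XEN` split mirrors the `#ifndef CONFIG_XEN` around the extra `addq %rbp, level3_ident_pgt + 8(%rip)` fixup in startup_64, and the two must stay in sync; a cross-reference in either comment would help.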
12599 @@ -364,20 +388,23 @@ NEXT_PAGE(level3_kernel_pgt)
12600 .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
12601 .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
12602
12603 +NEXT_PAGE(level2_vmemmap_pgt)
12604 + .fill 512,8,0
12605 +
12606 NEXT_PAGE(level2_fixmap_pgt)
12607 - .fill 506,8,0
12608 - .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
12609 - /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
12610 - .fill 5,8,0
12611 + .fill 507,8,0
12612 + .quad level1_vsyscall_pgt - __START_KERNEL_map + _PAGE_TABLE
12613 + /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
12614 + .fill 4,8,0
12615
12616 -NEXT_PAGE(level1_fixmap_pgt)
12617 +NEXT_PAGE(level1_vsyscall_pgt)
12618 .fill 512,8,0
12619
12620 -NEXT_PAGE(level2_ident_pgt)
12621 - /* Since I easily can, map the first 1G.
12622 + /* Since I easily can, map the first 2G.
12623 * Don't set NX because code runs from these pages.
12624 */
12625 - PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
12626 +NEXT_PAGE(level2_ident_pgt)
12627 + PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)
12628
12629 NEXT_PAGE(level2_kernel_pgt)
12630 /*
12631 @@ -390,33 +417,55 @@ NEXT_PAGE(level2_kernel_pgt)
12632 * If you want to increase this then increase MODULES_VADDR
12633 * too.)
12634 */
12635 - PMDS(0, __PAGE_KERNEL_LARGE_EXEC,
12636 - KERNEL_IMAGE_SIZE/PMD_SIZE)
12637 -
12638 -NEXT_PAGE(level2_spare_pgt)
12639 - .fill 512, 8, 0
12640 + PMDS(0, __PAGE_KERNEL_LARGE_EXEC, KERNEL_IMAGE_SIZE/PMD_SIZE)
12641
12642 #undef PMDS
12643 #undef NEXT_PAGE
12644
12645 - .data
12646 + .align PAGE_SIZE
12647 +ENTRY(cpu_gdt_table)
12648 + .rept NR_CPUS
12649 + .quad 0x0000000000000000 /* NULL descriptor */
12650 + .quad 0x00cf9b000000ffff /* __KERNEL32_CS */
12651 + .quad 0x00af9b000000ffff /* __KERNEL_CS */
12652 + .quad 0x00cf93000000ffff /* __KERNEL_DS */
12653 + .quad 0x00cffb000000ffff /* __USER32_CS */
12654 + .quad 0x00cff3000000ffff /* __USER_DS, __USER32_DS */
12655 + .quad 0x00affb000000ffff /* __USER_CS */
12656 +
12657 +#ifdef CONFIG_PAX_KERNEXEC
12658 + .quad 0x00af9b000000ffff /* __KERNEXEC_KERNEL_CS */
12659 +#else
12660 + .quad 0x0 /* unused */
12661 +#endif
12662 +
12663 + .quad 0,0 /* TSS */
12664 + .quad 0,0 /* LDT */
12665 + .quad 0,0,0 /* three TLS descriptors */
12666 + .quad 0x0000f40000000000 /* node/CPU stored in limit */
12667 + /* asm/segment.h:GDT_ENTRIES must match this */
12668 +
12669 + /* zero the remaining page */
12670 + .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
12671 + .endr
12672 +
12673 .align 16
12674 .globl early_gdt_descr
12675 early_gdt_descr:
12676 .word GDT_ENTRIES*8-1
12677 early_gdt_descr_base:
12678 - .quad INIT_PER_CPU_VAR(gdt_page)
12679 + .quad cpu_gdt_table
12680
12681 ENTRY(phys_base)
12682 /* This must match the first entry in level2_kernel_pgt */
12683 .quad 0x0000000000000000
12684
12685 #include "../../x86/xen/xen-head.S"
12686 -
12687 - .section .bss, "aw", @nobits
12688 +
12689 + .section .rodata,"a",@progbits
12690 .align L1_CACHE_BYTES
12691 ENTRY(idt_table)
12692 - .skip IDT_ENTRIES * 16
12693 + .fill 512,8,0
12694
12695 __PAGE_ALIGNED_BSS
12696 .align PAGE_SIZE
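Review bot: `idt_table` is now reserved with `.fill 512,8,0` instead of `.skip IDT_ENTRIES * 16`; the size is the same 4096 bytes, but the link to IDT_ENTRIES is lost, so `.fill IDT_ENTRIES,16,0` would keep it self-checking. The IDT also moves from `.bss` to `.rodata`, where it is presumably filled in at run time by the IDT setup code, so the same write-protection caveat as for the page tables applies and should be stated in a comment at the `.section .rodata` line. In cpu_gdt_table, `.align PAGE_SIZE` plus `.fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0` makes each CPU's GDT exactly one page, which is worth saying above the `.rept NR_CPUS`; the `/* asm/segment.h:GDT_ENTRIES must match this */` comment is good, and the 32-bit table in head_32.S would benefit from the same.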
12697 diff -urNp linux-2.6.37/arch/x86/kernel/i386_ksyms_32.c linux-2.6.37/arch/x86/kernel/i386_ksyms_32.c
12698 --- linux-2.6.37/arch/x86/kernel/i386_ksyms_32.c 2011-01-04 19:50:19.000000000 -0500
12699 +++ linux-2.6.37/arch/x86/kernel/i386_ksyms_32.c 2011-01-17 02:41:01.000000000 -0500
12700 @@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
12701 EXPORT_SYMBOL(cmpxchg8b_emu);
12702 #endif
12703
12704 +EXPORT_SYMBOL_GPL(cpu_gdt_table);
12705 +
12706 /* Networking helper routines. */
12707 EXPORT_SYMBOL(csum_partial_copy_generic);
12708 +EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
12709 +EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
12710
12711 EXPORT_SYMBOL(__get_user_1);
12712 EXPORT_SYMBOL(__get_user_2);
12713 @@ -36,3 +40,7 @@ EXPORT_SYMBOL(strstr);
12714
12715 EXPORT_SYMBOL(csum_partial);
12716 EXPORT_SYMBOL(empty_zero_page);
12717 +
12718 +#ifdef CONFIG_PAX_KERNEXEC
12719 +EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
12720 +#endif
12721 diff -urNp linux-2.6.37/arch/x86/kernel/init_task.c linux-2.6.37/arch/x86/kernel/init_task.c
12722 --- linux-2.6.37/arch/x86/kernel/init_task.c 2011-01-04 19:50:19.000000000 -0500
12723 +++ linux-2.6.37/arch/x86/kernel/init_task.c 2011-01-17 02:41:01.000000000 -0500
12724 @@ -38,5 +38,5 @@ EXPORT_SYMBOL(init_task);
12725 * section. Since TSS's are completely CPU-local, we want them
12726 * on exact cacheline boundaries, to eliminate cacheline ping-pong.
12727 */
12728 -DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
12729 -
12730 +struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
12731 +EXPORT_SYMBOL(init_tss);
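Review bot: The comment above the new definition (its first lines are above the hunk) still describes the per-cpu placement that `DEFINE_PER_CPU_SHARED_ALIGNED` gave `init_tss`; now that it is a plain `NR_CPUS` array it should say why the TSS left the per-cpu area, presumably so each CPU's TSS has a fixed link-time address for its descriptor in the per-CPU GDT introduced in head_32.S/head_64.S. `EXPORT_SYMBOL(init_tss)` exports the TSS array to all modules while `cpu_gdt_table` in i386_ksyms_32.c uses `EXPORT_SYMBOL_GPL`; the two low-level tables should probably share the same export class. The `[0 ... NR_CPUS-1] = INIT_TSS` range initialiser is fine but makes the array cost `NR_CPUS * sizeof(struct tss_struct)` of static data even on small machines, which is worth a comment.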
12732 diff -urNp linux-2.6.37/arch/x86/kernel/ioport.c linux-2.6.37/arch/x86/kernel/ioport.c
12733 --- linux-2.6.37/arch/x86/kernel/ioport.c 2011-01-04 19:50:19.000000000 -0500
12734 +++ linux-2.6.37/arch/x86/kernel/ioport.c 2011-01-17 02:41:01.000000000 -0500
12735 @@ -6,6 +6,7 @@
12736 #include <linux/sched.h>
12737 #include <linux/kernel.h>
12738 #include <linux/capability.h>
12739 +#include <linux/security.h>
12740 #include <linux/errno.h>
12741 #include <linux/types.h>
12742 #include <linux/ioport.h>
12743 @@ -41,6 +42,12 @@ asmlinkage long sys_ioperm(unsigned long
12744
12745 if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
12746 return -EINVAL;
12747 +#ifdef CONFIG_GRKERNSEC_IO
12748 + if (turn_on && grsec_disable_privio) {
12749 + gr_handle_ioperm();
12750 + return -EPERM;
12751 + }
12752 +#endif
12753 if (turn_on && !capable(CAP_SYS_RAWIO))
12754 return -EPERM;
12755
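Review bot: The new `CONFIG_GRKERNSEC_IO` block (and the matching one in sys_iopl in the `@@ -112,6 +119,12 @@` hunk) returns -EPERM before `capable(CAP_SYS_RAWIO)` is consulted, so with `grsec_disable_privio` set even a fully privileged caller is refused; that is presumably the intent, and a comment such as `/* privileged port I/O is administratively disabled: refuse regardless of capabilities */` would make it explicit. `grsec_disable_privio` and `gr_handle_ioperm()` are not provided by the `<linux/security.h>` include added above, so a grsecurity header elsewhere in the patch must declare them; since the block only compiles when the option is on, that dependency is worth a note.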
12756 @@ -67,7 +74,7 @@ asmlinkage long sys_ioperm(unsigned long
12757 * because the ->io_bitmap_max value must match the bitmap
12758 * contents:
12759 */
12760 - tss = &per_cpu(init_tss, get_cpu());
12761 + tss = init_tss + get_cpu();
12762
12763 set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
12764
12765 @@ -112,6 +119,12 @@ long sys_iopl(unsigned int level, struct
12766 return -EINVAL;
12767 /* Trying to gain more privileges? */
12768 if (level > old) {
12769 +#ifdef CONFIG_GRKERNSEC_IO
12770 + if (grsec_disable_privio) {
12771 + gr_handle_iopl();
12772 + return -EPERM;
12773 + }
12774 +#endif
12775 if (!capable(CAP_SYS_RAWIO))
12776 return -EPERM;
12777 }
12778 diff -urNp linux-2.6.37/arch/x86/kernel/irq_32.c linux-2.6.37/arch/x86/kernel/irq_32.c
12779 --- linux-2.6.37/arch/x86/kernel/irq_32.c 2011-01-04 19:50:19.000000000 -0500
12780 +++ linux-2.6.37/arch/x86/kernel/irq_32.c 2011-01-17 02:41:01.000000000 -0500
12781 @@ -91,7 +91,7 @@ execute_on_irq_stack(int overflow, struc
12782 return 0;
12783
12784 /* build the stack frame on the IRQ stack */
12785 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
12786 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
12787 irqctx->tinfo.task = curctx->tinfo.task;
12788 irqctx->tinfo.previous_esp = current_stack_pointer;
12789
12790 @@ -103,6 +103,10 @@ execute_on_irq_stack(int overflow, struc
12791 (irqctx->tinfo.preempt_count & ~SOFTIRQ_MASK) |
12792 (curctx->tinfo.preempt_count & SOFTIRQ_MASK);
12793
12794 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12795 + __set_fs(irqctx->tinfo.addr_limit);
12796 +#endif
12797 +
12798 if (unlikely(overflow))
12799 call_on_stack(print_stack_overflow, isp);
12800
12801 @@ -113,6 +117,11 @@ execute_on_irq_stack(int overflow, struc
12802 : "0" (irq), "1" (desc), "2" (isp),
12803 "D" (desc->handle_irq)
12804 : "memory", "cc", "ecx");
12805 +
12806 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12807 + __set_fs(curctx->tinfo.addr_limit);
12808 +#endif
12809 +
12810 return 1;
12811 }
12812
12813 @@ -171,9 +180,18 @@ asmlinkage void do_softirq(void)
12814 irqctx->tinfo.previous_esp = current_stack_pointer;
12815
12816 /* build the stack frame on the softirq stack */
12817 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
12818 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
12819 +
12820 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12821 + __set_fs(irqctx->tinfo.addr_limit);
12822 +#endif
12823
12824 call_on_stack(__do_softirq, isp);
12825 +
12826 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12827 + __set_fs(curctx->addr_limit);
12828 +#endif
12829 +
12830 /*
12831 * Shouldnt happen, we returned above if in_interrupt():
12832 */
12833 diff -urNp linux-2.6.37/arch/x86/kernel/kgdb.c linux-2.6.37/arch/x86/kernel/kgdb.c
12834 --- linux-2.6.37/arch/x86/kernel/kgdb.c 2011-01-04 19:50:19.000000000 -0500
12835 +++ linux-2.6.37/arch/x86/kernel/kgdb.c 2011-01-17 02:41:01.000000000 -0500
12836 @@ -123,11 +123,11 @@ char *dbg_get_reg(int regno, void *mem,
12837 switch (regno) {
12838 #ifdef CONFIG_X86_32
12839 case GDB_SS:
12840 - if (!user_mode_vm(regs))
12841 + if (!user_mode(regs))
12842 *(unsigned long *)mem = __KERNEL_DS;
12843 break;
12844 case GDB_SP:
12845 - if (!user_mode_vm(regs))
12846 + if (!user_mode(regs))
12847 *(unsigned long *)mem = kernel_stack_pointer(regs);
12848 break;
12849 case GDB_GS:
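Review bot: `user_mode_vm(regs)` becomes `user_mode(regs)` in the GDB_SS and GDB_SP cases (and in `kprobe_exceptions_notify` in the kprobes.c hunk `@@ -999,7 +1006,7 @@`); on 32-bit, upstream's `user_mode()` ignores the VM86 flag while `user_mode_vm()` honours it, so unless the patch redefines `user_mode()` in ptrace.h elsewhere, a vm86 task stopped in kgdb would be reported with kernel SS and SP. A short comment at the first call site stating why `user_mode()` is sufficient here (or that vm86 is covered by the redefined helper) would help.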
12850 @@ -722,7 +722,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
12851 regs->ip = ip;
12852 }
12853
12854 -struct kgdb_arch arch_kgdb_ops = {
12855 +const struct kgdb_arch arch_kgdb_ops = {
12856 /* Breakpoint instruction: */
12857 .gdb_bpt_instr = { 0xcc },
12858 .flags = KGDB_HW_BREAKPOINT,
12859 diff -urNp linux-2.6.37/arch/x86/kernel/kprobes.c linux-2.6.37/arch/x86/kernel/kprobes.c
12860 --- linux-2.6.37/arch/x86/kernel/kprobes.c 2011-01-04 19:50:19.000000000 -0500
12861 +++ linux-2.6.37/arch/x86/kernel/kprobes.c 2011-01-17 02:41:01.000000000 -0500
12862 @@ -115,8 +115,11 @@ static void __kprobes __synthesize_relat
12863 } __attribute__((packed)) *insn;
12864
12865 insn = (struct __arch_relative_insn *)from;
12866 +
12867 + pax_open_kernel();
12868 insn->raddr = (s32)((long)(to) - ((long)(from) + 5));
12869 insn->op = op;
12870 + pax_close_kernel();
12871 }
12872
12873 /* Insert a jump instruction at address 'from', which jumps to address 'to'.*/
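Review bot: `pax_open_kernel()`/`pax_close_kernel()` now bracket the two stores in `__synthesize_relative_insn` (and the `memcpy` and displacement store in `__copy_instruction` in the later hunks), but nothing in the file states the contract — what the helpers open, whether they may sleep or nest, and why the window should be no wider than the store itself. A one-line comment at this first use, e.g. `/* kernel text is write-protected: open a write window only for the patch itself */`, would help. `ktla_ktva()` and `ktva_ktla()` are used in both directions across these hunks with no explanation of the two address spaces they translate between; a comment where they first appear, and a local variable for the long `*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr)` expression in `kprobe_handler`, would improve readability.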
12874 @@ -153,7 +156,7 @@ static int __kprobes can_boost(kprobe_op
12875 kprobe_opcode_t opcode;
12876 kprobe_opcode_t *orig_opcodes = opcodes;
12877
12878 - if (search_exception_tables((unsigned long)opcodes))
12879 + if (search_exception_tables(ktva_ktla((unsigned long)opcodes)))
12880 return 0; /* Page fault may occur on this address. */
12881
12882 retry:
12883 @@ -314,7 +317,9 @@ static int __kprobes __copy_instruction(
12884 }
12885 }
12886 insn_get_length(&insn);
12887 + pax_open_kernel();
12888 memcpy(dest, insn.kaddr, insn.length);
12889 + pax_close_kernel();
12890
12891 #ifdef CONFIG_X86_64
12892 if (insn_rip_relative(&insn)) {
12893 @@ -338,7 +343,9 @@ static int __kprobes __copy_instruction(
12894 (u8 *) dest;
12895 BUG_ON((s64) (s32) newdisp != newdisp); /* Sanity check. */
12896 disp = (u8 *) dest + insn_offset_displacement(&insn);
12897 + pax_open_kernel();
12898 *(s32 *) disp = (s32) newdisp;
12899 + pax_close_kernel();
12900 }
12901 #endif
12902 return insn.length;
12903 @@ -352,12 +359,12 @@ static void __kprobes arch_copy_kprobe(s
12904 */
12905 __copy_instruction(p->ainsn.insn, p->addr, 0);
12906
12907 - if (can_boost(p->addr))
12908 + if (can_boost(ktla_ktva(p->addr)))
12909 p->ainsn.boostable = 0;
12910 else
12911 p->ainsn.boostable = -1;
12912
12913 - p->opcode = *p->addr;
12914 + p->opcode = *(ktla_ktva(p->addr));
12915 }
12916
12917 int __kprobes arch_prepare_kprobe(struct kprobe *p)
12918 @@ -474,7 +481,7 @@ static void __kprobes setup_singlestep(s
12919 * nor set current_kprobe, because it doesn't use single
12920 * stepping.
12921 */
12922 - regs->ip = (unsigned long)p->ainsn.insn;
12923 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
12924 preempt_enable_no_resched();
12925 return;
12926 }
12927 @@ -493,7 +500,7 @@ static void __kprobes setup_singlestep(s
12928 if (p->opcode == BREAKPOINT_INSTRUCTION)
12929 regs->ip = (unsigned long)p->addr;
12930 else
12931 - regs->ip = (unsigned long)p->ainsn.insn;
12932 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
12933 }
12934
12935 /*
12936 @@ -572,7 +579,7 @@ static int __kprobes kprobe_handler(stru
12937 setup_singlestep(p, regs, kcb, 0);
12938 return 1;
12939 }
12940 - } else if (*addr != BREAKPOINT_INSTRUCTION) {
12941 + } else if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) {
12942 /*
12943 * The breakpoint instruction was removed right
12944 * after we hit it. Another cpu has removed
12945 @@ -817,7 +824,7 @@ static void __kprobes resume_execution(s
12946 struct pt_regs *regs, struct kprobe_ctlblk *kcb)
12947 {
12948 unsigned long *tos = stack_addr(regs);
12949 - unsigned long copy_ip = (unsigned long)p->ainsn.insn;
12950 + unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn);
12951 unsigned long orig_ip = (unsigned long)p->addr;
12952 kprobe_opcode_t *insn = p->ainsn.insn;
12953
12954 @@ -999,7 +1006,7 @@ int __kprobes kprobe_exceptions_notify(s
12955 struct die_args *args = data;
12956 int ret = NOTIFY_DONE;
12957
12958 - if (args->regs && user_mode_vm(args->regs))
12959 + if (args->regs && user_mode(args->regs))
12960 return ret;
12961
12962 switch (val) {
12963 @@ -1368,7 +1375,7 @@ int __kprobes arch_prepare_optimized_kpr
12964 * Verify if the address gap is in 2GB range, because this uses
12965 * a relative jump.
12966 */
12967 - rel = (long)op->optinsn.insn - (long)op->kp.addr + RELATIVEJUMP_SIZE;
12968 + rel = (long)op->optinsn.insn - ktla_ktva((long)op->kp.addr) + RELATIVEJUMP_SIZE;
12969 if (abs(rel) > 0x7fffffff)
12970 return -ERANGE;
12971
12972 @@ -1389,11 +1396,11 @@ int __kprobes arch_prepare_optimized_kpr
12973 synthesize_set_arg1(buf + TMPL_MOVE_IDX, (unsigned long)op);
12974
12975 /* Set probe function call */
12976 - synthesize_relcall(buf + TMPL_CALL_IDX, optimized_callback);
12977 + synthesize_relcall(buf + TMPL_CALL_IDX, ktla_ktva(optimized_callback));
12978
12979 /* Set returning jmp instruction at the tail of out-of-line buffer */
12980 synthesize_reljump(buf + TMPL_END_IDX + op->optinsn.size,
12981 - (u8 *)op->kp.addr + op->optinsn.size);
12982 + (u8 *)ktla_ktva(op->kp.addr) + op->optinsn.size);
12983
12984 flush_icache_range((unsigned long) buf,
12985 (unsigned long) buf + TMPL_END_IDX +
12986 @@ -1409,7 +1416,7 @@ int __kprobes arch_optimize_kprobe(struc
12987 ((long)op->kp.addr + RELATIVEJUMP_SIZE));
12988
12989 /* Backup instructions which will be replaced by jump address */
12990 - memcpy(op->optinsn.copied_insn, op->kp.addr + INT3_SIZE,
12991 + memcpy(op->optinsn.copied_insn, ktla_ktva(op->kp.addr) + INT3_SIZE,
12992 RELATIVE_ADDR_SIZE);
12993
12994 jmp_code[0] = RELATIVEJUMP_OPCODE;
12995 diff -urNp linux-2.6.37/arch/x86/kernel/ldt.c linux-2.6.37/arch/x86/kernel/ldt.c
12996 --- linux-2.6.37/arch/x86/kernel/ldt.c 2011-01-04 19:50:19.000000000 -0500
12997 +++ linux-2.6.37/arch/x86/kernel/ldt.c 2011-01-17 02:41:01.000000000 -0500
12998 @@ -67,13 +67,13 @@ static int alloc_ldt(mm_context_t *pc, i
12999 if (reload) {
13000 #ifdef CONFIG_SMP
13001 preempt_disable();
13002 - load_LDT(pc);
13003 + load_LDT_nolock(pc);
13004 if (!cpumask_equal(mm_cpumask(current->mm),
13005 cpumask_of(smp_processor_id())))
13006 smp_call_function(flush_ldt, current->mm, 1);
13007 preempt_enable();
13008 #else
13009 - load_LDT(pc);
13010 + load_LDT_nolock(pc);
13011 #endif
13012 }
13013 if (oldsize) {
13014 @@ -95,7 +95,7 @@ static inline int copy_ldt(mm_context_t
13015 return err;
13016
13017 for (i = 0; i < old->size; i++)
13018 - write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE);
13019 + write_ldt_entry(new->ldt, i, old->ldt + i);
13020 return 0;
13021 }
13022
13023 @@ -116,6 +116,24 @@ int init_new_context(struct task_struct
13024 retval = copy_ldt(&mm->context, &old_mm->context);
13025 mutex_unlock(&old_mm->context.lock);
13026 }
13027 +
13028 + if (tsk == current) {
13029 + mm->context.vdso = 0;
13030 +
13031 +#ifdef CONFIG_X86_32
13032 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
13033 + mm->context.user_cs_base = 0UL;
13034 + mm->context.user_cs_limit = ~0UL;
13035 +
13036 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
13037 + cpus_clear(mm->context.cpu_user_cs_mask);
13038 +#endif
13039 +
13040 +#endif
13041 +#endif
13042 +
13043 + }
13044 +
13045 return retval;
13046 }
13047
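Review bot: The `if (tsk == current)` guard around the new mm->context initialisation has no comment; presumably it distinguishes a fresh mm from `mm_alloc()` (exec, where tsk is current) from one cloned by `dup_mm()` (fork, where the fields are inherited from the parent), which is subtle enough to state: `/* fresh mm from mm_alloc(): reset; on fork dup_mm() already copied the parent's values */`. The nested `#if`/`#endif` sequence closes three levels in a row with no trailing comments, so a reader cannot see which `#endif` ends CONFIG_X86_32; `#endif /* CONFIG_X86_32 */` and friends would help. `cpus_clear()` is the old cpumask API while this file already uses `cpumask_*` helpers (`cpumask_equal`, `cpumask_of` in the first hunk); `cpumask_clear(&mm->context.cpu_user_cs_mask)` would be consistent if the field is a `cpumask_t`.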
13048 @@ -230,6 +248,13 @@ static int write_ldt(void __user *ptr, u
13049 }
13050 }
13051
13052 +#ifdef CONFIG_PAX_SEGMEXEC
13053 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
13054 + error = -EINVAL;
13055 + goto out_unlock;
13056 + }
13057 +#endif
13058 +
13059 fill_ldt(&ldt, &ldt_info);
13060 if (oldmode)
13061 ldt.avl = 0;
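Review bot: The new SEGMEXEC check rejects LDT entries with `MODIFY_LDT_CONTENTS_CODE` set for a SEGMEXEC mm, but gives no reason and reports the refusal as -EINVAL, which reads to the caller as a malformed entry; a comment such as `/* SEGMEXEC depends on fixed code-segment bounds; user-defined code segments are not allowed */` and a deliberate choice between -EINVAL and -EPERM (a policy denial is conventionally -EPERM) would help. The `goto out_unlock` releases a lock taken above the hunk, which is consistent with the existing error paths.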
13062 diff -urNp linux-2.6.37/arch/x86/kernel/machine_kexec_32.c linux-2.6.37/arch/x86/kernel/machine_kexec_32.c
13063 --- linux-2.6.37/arch/x86/kernel/machine_kexec_32.c 2011-01-04 19:50:19.000000000 -0500
13064 +++ linux-2.6.37/arch/x86/kernel/machine_kexec_32.c 2011-01-17 02:41:01.000000000 -0500
13065 @@ -27,7 +27,7 @@
13066 #include <asm/cacheflush.h>
13067 #include <asm/debugreg.h>
13068
13069 -static void set_idt(void *newidt, __u16 limit)
13070 +static void set_idt(struct desc_struct *newidt, __u16 limit)
13071 {
13072 struct desc_ptr curidt;
13073
13074 @@ -39,7 +39,7 @@ static void set_idt(void *newidt, __u16
13075 }
13076
13077
13078 -static void set_gdt(void *newgdt, __u16 limit)
13079 +static void set_gdt(struct desc_struct *newgdt, __u16 limit)
13080 {
13081 struct desc_ptr curgdt;
13082
13083 @@ -217,7 +217,7 @@ void machine_kexec(struct kimage *image)
13084 }
13085
13086 control_page = page_address(image->control_code_page);
13087 - memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
13088 + memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE);
13089
13090 relocate_kernel_ptr = control_page;
13091 page_list[PA_CONTROL_PAGE] = __pa(control_page);
13092 diff -urNp linux-2.6.37/arch/x86/kernel/microcode_amd.c linux-2.6.37/arch/x86/kernel/microcode_amd.c
13093 --- linux-2.6.37/arch/x86/kernel/microcode_amd.c 2011-01-04 19:50:19.000000000 -0500
13094 +++ linux-2.6.37/arch/x86/kernel/microcode_amd.c 2011-01-17 02:41:01.000000000 -0500
13095 @@ -331,7 +331,7 @@ static void microcode_fini_cpu_amd(int c
13096 uci->mc = NULL;
13097 }
13098
13099 -static struct microcode_ops microcode_amd_ops = {
13100 +static const struct microcode_ops microcode_amd_ops = {
13101 .request_microcode_user = request_microcode_user,
13102 .request_microcode_fw = request_microcode_fw,
13103 .collect_cpu_info = collect_cpu_info_amd,
13104 @@ -339,7 +339,7 @@ static struct microcode_ops microcode_am
13105 .microcode_fini_cpu = microcode_fini_cpu_amd,
13106 };
13107
13108 -struct microcode_ops * __init init_amd_microcode(void)
13109 +const struct microcode_ops * __init init_amd_microcode(void)
13110 {
13111 return &microcode_amd_ops;
13112 }
13113 diff -urNp linux-2.6.37/arch/x86/kernel/microcode_core.c linux-2.6.37/arch/x86/kernel/microcode_core.c
13114 --- linux-2.6.37/arch/x86/kernel/microcode_core.c 2011-01-04 19:50:19.000000000 -0500
13115 +++ linux-2.6.37/arch/x86/kernel/microcode_core.c 2011-01-17 02:41:01.000000000 -0500
13116 @@ -92,7 +92,7 @@ MODULE_LICENSE("GPL");
13117
13118 #define MICROCODE_VERSION "2.00"
13119
13120 -static struct microcode_ops *microcode_ops;
13121 +static const struct microcode_ops *microcode_ops;
13122
13123 /*
13124 * Synchronization.
13125 diff -urNp linux-2.6.37/arch/x86/kernel/microcode_intel.c linux-2.6.37/arch/x86/kernel/microcode_intel.c
13126 --- linux-2.6.37/arch/x86/kernel/microcode_intel.c 2011-01-04 19:50:19.000000000 -0500
13127 +++ linux-2.6.37/arch/x86/kernel/microcode_intel.c 2011-01-17 02:41:01.000000000 -0500
13128 @@ -440,13 +440,13 @@ static enum ucode_state request_microcod
13129
13130 static int get_ucode_user(void *to, const void *from, size_t n)
13131 {
13132 - return copy_from_user(to, from, n);
13133 + return copy_from_user(to, (__force const void __user *)from, n);
13134 }
13135
13136 static enum ucode_state
13137 request_microcode_user(int cpu, const void __user *buf, size_t size)
13138 {
13139 - return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
13140 + return generic_load_microcode(cpu, (__force void *)buf, size, &get_ucode_user);
13141 }
13142
13143 static void microcode_fini_cpu(int cpu)
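Review bot: The `__force` casts in get_ucode_user() and request_microcode_user() silence sparse but leave the contract undocumented: `from` is a user pointer that has been passed through a plain `const void *` by generic_load_microcode(). A comment on get_ucode_user() such as `/* 'from' is really a __user pointer: it is the buf that request_microcode_user() handed to generic_load_microcode() */` would keep a future caller from feeding it a kernel pointer, which copy_from_user() would refuse. That the pointer is only ever the user buf is my reading of the two functions shown; confirm against generic_load_microcode().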
13144 @@ -457,7 +457,7 @@ static void microcode_fini_cpu(int cpu)
13145 uci->mc = NULL;
13146 }
13147
13148 -static struct microcode_ops microcode_intel_ops = {
13149 +static const struct microcode_ops microcode_intel_ops = {
13150 .request_microcode_user = request_microcode_user,
13151 .request_microcode_fw = request_microcode_fw,
13152 .collect_cpu_info = collect_cpu_info,
13153 @@ -465,7 +465,7 @@ static struct microcode_ops microcode_in
13154 .microcode_fini_cpu = microcode_fini_cpu,
13155 };
13156
13157 -struct microcode_ops * __init init_intel_microcode(void)
13158 +const struct microcode_ops * __init init_intel_microcode(void)
13159 {
13160 return &microcode_intel_ops;
13161 }
13162 diff -urNp linux-2.6.37/arch/x86/kernel/module.c linux-2.6.37/arch/x86/kernel/module.c
13163 --- linux-2.6.37/arch/x86/kernel/module.c 2011-01-04 19:50:19.000000000 -0500
13164 +++ linux-2.6.37/arch/x86/kernel/module.c 2011-01-17 02:41:01.000000000 -0500
13165 @@ -35,7 +35,7 @@
13166 #define DEBUGP(fmt...)
13167 #endif
13168
13169 -void *module_alloc(unsigned long size)
13170 +static void *__module_alloc(unsigned long size, pgprot_t prot)
13171 {
13172 struct vm_struct *area;
13173
13174 @@ -49,8 +49,18 @@ void *module_alloc(unsigned long size)
13175 if (!area)
13176 return NULL;
13177
13178 - return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM,
13179 - PAGE_KERNEL_EXEC);
13180 + return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, prot);
13181 +}
13182 +
13183 +void *module_alloc(unsigned long size)
13184 +{
13185 +
13186 +#ifdef CONFIG_PAX_KERNEXEC
13187 + return __module_alloc(size, PAGE_KERNEL);
13188 +#else
13189 + return __module_alloc(size, PAGE_KERNEL_EXEC);
13190 +#endif
13191 +
13192 }
13193
13194 /* Free memory returned from module_alloc */
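Review bot: The KERNEXEC branch of module_alloc() now returns memory mapped with PAGE_KERNEL rather than PAGE_KERNEL_EXEC, which changes the function's contract for any caller that expects to execute what it loads, and nothing in the hunk says so. Suggest a comment above `#ifdef CONFIG_PAX_KERNEXEC`: `/* Under KERNEXEC, module_alloc() hands out non-executable memory; module text must come from module_alloc_exec(). */` (module_alloc_exec() is visible only in the next hunk, so confirm the split is complete). The added `__GFP_ZERO` is a good change on its own and deserves a word too, since it removes stale data from freshly mapped module memory. The blank line directly after `{` and the one before `}` are a style nit.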
13195 @@ -59,6 +69,40 @@ void module_free(struct module *mod, voi
13196 vfree(module_region);
13197 }
13198
13199 +#ifdef CONFIG_PAX_KERNEXEC
13200 +#ifdef CONFIG_X86_32
13201 +void *module_alloc_exec(unsigned long size)
13202 +{
13203 + struct vm_struct *area;
13204 +
13205 + if (size == 0)
13206 + return NULL;
13207 +
13208 + area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END);
13209 + return area ? area->addr : NULL;
13210 +}
13211 +EXPORT_SYMBOL(module_alloc_exec);
13212 +
13213 +void module_free_exec(struct module *mod, void *module_region)
13214 +{
13215 + vunmap(module_region);
13216 +}
13217 +EXPORT_SYMBOL(module_free_exec);
13218 +#else
13219 +void module_free_exec(struct module *mod, void *module_region)
13220 +{
13221 + module_free(mod, module_region);
13222 +}
13223 +EXPORT_SYMBOL(module_free_exec);
13224 +
13225 +void *module_alloc_exec(unsigned long size)
13226 +{
13227 + return __module_alloc(size, PAGE_KERNEL_RX);
13228 +}
13229 +EXPORT_SYMBOL(module_alloc_exec);
13230 +#endif
13231 +#endif
13232 +
13233 /* We don't need anything special. */
13234 int module_frob_arch_sections(Elf_Ehdr *hdr,
13235 Elf_Shdr *sechdrs,
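Review bot: The two module_alloc_exec() variants have different allocation semantics and neither is documented: the X86_32 one only reserves a VM area with __get_vm_area() and returns `area->addr` without populating it, while the 64-bit one goes through __module_alloc() and gets backed, zeroed PAGE_KERNEL_RX pages. That asymmetry is presumably why the 32-bit module_free_exec() calls vunmap() rather than vfree(), but a reader has to work it out. Suggest a comment above the 32-bit definition stating where the backing pages for the [MODULES_EXEC_VADDR, MODULES_EXEC_END) range come from and who maps them; I cannot tell from this hunk, so confirm against the KERNEXEC mapping code. The `(unsigned long)&MODULES_EXEC_VADDR` address-of, which reads like a linker-symbol idiom, also deserves a word.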
13236 @@ -78,14 +122,16 @@ int apply_relocate(Elf32_Shdr *sechdrs,
13237 unsigned int i;
13238 Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
13239 Elf32_Sym *sym;
13240 - uint32_t *location;
13241 + uint32_t *plocation, location;
13242
13243 DEBUGP("Applying relocate section %u to %u\n", relsec,
13244 sechdrs[relsec].sh_info);
13245 for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
13246 /* This is where to make the change */
13247 - location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
13248 - + rel[i].r_offset;
13249 + plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
13250 + location = (uint32_t)plocation;
13251 + if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
13252 + plocation = ktla_ktva((void *)plocation);
13253 /* This is the symbol it is referring to. Note that all
13254 undefined symbols have been resolved. */
13255 sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
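Review bot: `location = (uint32_t)plocation;` is taken before the ktla_ktva() translation so that R_386_PC32 stays relative to the address the code will run at, while the store goes through the translated alias; that ordering is the whole point of the plocation/location split and should be stated, e.g. `/* keep the untranslated address for PC-relative fixups; the write goes through the KERNEXEC alias */`. The SHF_EXECINSTR test decides which sections are translated; a short note on why only executable sections need the alias would help (I infer the reason from the KERNEXEC naming, so adjust as needed). apply_relocate() continues past this hunk.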
13256 @@ -94,11 +140,15 @@ int apply_relocate(Elf32_Shdr *sechdrs,
13257 switch (ELF32_R_TYPE(rel[i].r_info)) {
13258 case R_386_32:
13259 /* We add the value into the location given */
13260 - *location += sym->st_value;
13261 + pax_open_kernel();
13262 + *plocation += sym->st_value;
13263 + pax_close_kernel();
13264 break;
13265 case R_386_PC32:
13266 /* Add the value, subtract its postition */
13267 - *location += sym->st_value - (uint32_t)location;
13268 + pax_open_kernel();
13269 + *plocation += sym->st_value - location;
13270 + pax_close_kernel();
13271 break;
13272 default:
13273 printk(KERN_ERR "module %s: Unknown relocation: %u\n",
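Review bot: Each relocation write is wrapped in its own pax_open_kernel()/pax_close_kernel() pair, so the writable window covers exactly one store, which is the right minimal choice; a one-line comment saying so, e.g. `/* open the text for exactly one store; do not hoist this out of the loop */`, would stop a later "optimization" from leaving the module text writable for the whole relocation pass. The same per-store pattern is used in apply_relocate_add() in the following hunk, so one comment at this first site and a pointer from the second is enough. apply_relocate() continues past this hunk.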
13274 @@ -154,21 +204,30 @@ int apply_relocate_add(Elf64_Shdr *sechd
13275 case R_X86_64_NONE:
13276 break;
13277 case R_X86_64_64:
13278 + pax_open_kernel();
13279 *(u64 *)loc = val;
13280 + pax_close_kernel();
13281 break;
13282 case R_X86_64_32:
13283 + pax_open_kernel();
13284 *(u32 *)loc = val;
13285 + pax_close_kernel();
13286 if (val != *(u32 *)loc)
13287 goto overflow;
13288 break;
13289 case R_X86_64_32S:
13290 + pax_open_kernel();
13291 *(s32 *)loc = val;
13292 + pax_close_kernel();
13293 if ((s64)val != *(s32 *)loc)
13294 goto overflow;
13295 break;
13296 case R_X86_64_PC32:
13297 val -= (u64)loc;
13298 + pax_open_kernel();
13299 *(u32 *)loc = val;
13300 + pax_close_kernel();
13301 +
13302 #if 0
13303 if ((s64)val != *(s32 *)loc)
13304 goto overflow;
13305 diff -urNp linux-2.6.37/arch/x86/kernel/paravirt.c linux-2.6.37/arch/x86/kernel/paravirt.c
13306 --- linux-2.6.37/arch/x86/kernel/paravirt.c 2011-01-04 19:50:19.000000000 -0500
13307 +++ linux-2.6.37/arch/x86/kernel/paravirt.c 2011-01-17 02:41:01.000000000 -0500
13308 @@ -122,7 +122,7 @@ unsigned paravirt_patch_jmp(void *insnbu
13309 * corresponding structure. */
13310 static void *get_call_destination(u8 type)
13311 {
13312 - struct paravirt_patch_template tmpl = {
13313 + const struct paravirt_patch_template tmpl = {
13314 .pv_init_ops = pv_init_ops,
13315 .pv_time_ops = pv_time_ops,
13316 .pv_cpu_ops = pv_cpu_ops,
13317 @@ -145,14 +145,14 @@ unsigned paravirt_patch_default(u8 type,
13318 if (opfunc == NULL)
13319 /* If there's no function, patch it with a ud2a (BUG) */
13320 ret = paravirt_patch_insns(insnbuf, len, ud2a, ud2a+sizeof(ud2a));
13321 - else if (opfunc == _paravirt_nop)
13322 + else if (opfunc == (void *)_paravirt_nop)
13323 /* If the operation is a nop, then nop the callsite */
13324 ret = paravirt_patch_nop();
13325
13326 /* identity functions just return their single argument */
13327 - else if (opfunc == _paravirt_ident_32)
13328 + else if (opfunc == (void *)_paravirt_ident_32)
13329 ret = paravirt_patch_ident_32(insnbuf, len);
13330 - else if (opfunc == _paravirt_ident_64)
13331 + else if (opfunc == (void *)_paravirt_ident_64)
13332 ret = paravirt_patch_ident_64(insnbuf, len);
13333
13334 else if (type == PARAVIRT_PATCH(pv_cpu_ops.iret) ||
13335 @@ -178,7 +178,7 @@ unsigned paravirt_patch_insns(void *insn
13336 if (insn_len > len || start == NULL)
13337 insn_len = len;
13338 else
13339 - memcpy(insnbuf, start, insn_len);
13340 + memcpy(insnbuf, ktla_ktva(start), insn_len);
13341
13342 return insn_len;
13343 }
13344 @@ -294,22 +294,22 @@ void arch_flush_lazy_mmu_mode(void)
13345 preempt_enable();
13346 }
13347
13348 -struct pv_info pv_info = {
13349 +struct pv_info pv_info __read_only = {
13350 .name = "bare hardware",
13351 .paravirt_enabled = 0,
13352 .kernel_rpl = 0,
13353 .shared_kernel_pmd = 1, /* Only used when CONFIG_X86_PAE is set */
13354 };
13355
13356 -struct pv_init_ops pv_init_ops = {
13357 +struct pv_init_ops pv_init_ops __read_only = {
13358 .patch = native_patch,
13359 };
13360
13361 -struct pv_time_ops pv_time_ops = {
13362 +struct pv_time_ops pv_time_ops __read_only = {
13363 .sched_clock = native_sched_clock,
13364 };
13365
13366 -struct pv_irq_ops pv_irq_ops = {
13367 +struct pv_irq_ops pv_irq_ops __read_only = {
13368 .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl),
13369 .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl),
13370 .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable),
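Review bot: Marking the pv_*_ops tables `__read_only` means every runtime writer of them (guest-hypervisor setup code that replaces entries, and the new `.pax_open_kernel`/`.pax_close_kernel` members added further down in this file) must either run before the read-only sections are sealed or do so inside a pax_open_kernel() window; the hunk does not record that requirement anywhere. Suggest a comment on the first table: `/* pv_*_ops are __read_only: write them only at boot, before the read-only sections are sealed, or under pax_open_kernel() */` (when sealing happens is not visible here, so confirm the timing). pv_lock_ops in paravirt-spinlocks.c gets the same treatment and the same note applies there.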
13371 @@ -321,7 +321,7 @@ struct pv_irq_ops pv_irq_ops = {
13372 #endif
13373 };
13374
13375 -struct pv_cpu_ops pv_cpu_ops = {
13376 +struct pv_cpu_ops pv_cpu_ops __read_only = {
13377 .cpuid = native_cpuid,
13378 .get_debugreg = native_get_debugreg,
13379 .set_debugreg = native_set_debugreg,
13380 @@ -382,7 +382,7 @@ struct pv_cpu_ops pv_cpu_ops = {
13381 .end_context_switch = paravirt_nop,
13382 };
13383
13384 -struct pv_apic_ops pv_apic_ops = {
13385 +struct pv_apic_ops pv_apic_ops __read_only = {
13386 #ifdef CONFIG_X86_LOCAL_APIC
13387 .startup_ipi_hook = paravirt_nop,
13388 #endif
13389 @@ -396,7 +396,7 @@ struct pv_apic_ops pv_apic_ops = {
13390 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64)
13391 #endif
13392
13393 -struct pv_mmu_ops pv_mmu_ops = {
13394 +struct pv_mmu_ops pv_mmu_ops __read_only = {
13395
13396 .read_cr2 = native_read_cr2,
13397 .write_cr2 = native_write_cr2,
13398 @@ -462,6 +462,12 @@ struct pv_mmu_ops pv_mmu_ops = {
13399 },
13400
13401 .set_fixmap = native_set_fixmap,
13402 +
13403 +#ifdef CONFIG_PAX_KERNEXEC
13404 + .pax_open_kernel = native_pax_open_kernel,
13405 + .pax_close_kernel = native_pax_close_kernel,
13406 +#endif
13407 +
13408 };
13409
13410 EXPORT_SYMBOL_GPL(pv_time_ops);
13411 diff -urNp linux-2.6.37/arch/x86/kernel/paravirt-spinlocks.c linux-2.6.37/arch/x86/kernel/paravirt-spinlocks.c
13412 --- linux-2.6.37/arch/x86/kernel/paravirt-spinlocks.c 2011-01-04 19:50:19.000000000 -0500
13413 +++ linux-2.6.37/arch/x86/kernel/paravirt-spinlocks.c 2011-01-17 02:41:01.000000000 -0500
13414 @@ -13,7 +13,7 @@ default_spin_lock_flags(arch_spinlock_t
13415 arch_spin_lock(lock);
13416 }
13417
13418 -struct pv_lock_ops pv_lock_ops = {
13419 +struct pv_lock_ops pv_lock_ops __read_only = {
13420 #ifdef CONFIG_SMP
13421 .spin_is_locked = __ticket_spin_is_locked,
13422 .spin_is_contended = __ticket_spin_is_contended,
13423 diff -urNp linux-2.6.37/arch/x86/kernel/pci-calgary_64.c linux-2.6.37/arch/x86/kernel/pci-calgary_64.c
13424 --- linux-2.6.37/arch/x86/kernel/pci-calgary_64.c 2011-01-04 19:50:19.000000000 -0500
13425 +++ linux-2.6.37/arch/x86/kernel/pci-calgary_64.c 2011-01-17 02:41:01.000000000 -0500
13426 @@ -476,7 +476,7 @@ static void calgary_free_coherent(struct
13427 free_pages((unsigned long)vaddr, get_order(size));
13428 }
13429
13430 -static struct dma_map_ops calgary_dma_ops = {
13431 +static const struct dma_map_ops calgary_dma_ops = {
13432 .alloc_coherent = calgary_alloc_coherent,
13433 .free_coherent = calgary_free_coherent,
13434 .map_sg = calgary_map_sg,
13435 diff -urNp linux-2.6.37/arch/x86/kernel/pci-dma.c linux-2.6.37/arch/x86/kernel/pci-dma.c
13436 --- linux-2.6.37/arch/x86/kernel/pci-dma.c 2011-01-04 19:50:19.000000000 -0500
13437 +++ linux-2.6.37/arch/x86/kernel/pci-dma.c 2011-01-17 02:41:01.000000000 -0500
13438 @@ -16,7 +16,7 @@
13439
13440 static int forbid_dac __read_mostly;
13441
13442 -struct dma_map_ops *dma_ops = &nommu_dma_ops;
13443 +const struct dma_map_ops *dma_ops = &nommu_dma_ops;
13444 EXPORT_SYMBOL(dma_ops);
13445
13446 static int iommu_sac_force __read_mostly;
13447 @@ -250,7 +250,7 @@ early_param("iommu", iommu_setup);
13448
13449 int dma_supported(struct device *dev, u64 mask)
13450 {
13451 - struct dma_map_ops *ops = get_dma_ops(dev);
13452 + const struct dma_map_ops *ops = get_dma_ops(dev);
13453
13454 #ifdef CONFIG_PCI
13455 if (mask > 0xffffffff && forbid_dac > 0) {
13456 diff -urNp linux-2.6.37/arch/x86/kernel/pci-gart_64.c linux-2.6.37/arch/x86/kernel/pci-gart_64.c
13457 --- linux-2.6.37/arch/x86/kernel/pci-gart_64.c 2011-01-04 19:50:19.000000000 -0500
13458 +++ linux-2.6.37/arch/x86/kernel/pci-gart_64.c 2011-01-17 02:41:01.000000000 -0500
13459 @@ -706,7 +706,7 @@ static __init int init_k8_gatt(struct ag
13460 return -1;
13461 }
13462
13463 -static struct dma_map_ops gart_dma_ops = {
13464 +static const struct dma_map_ops gart_dma_ops = {
13465 .map_sg = gart_map_sg,
13466 .unmap_sg = gart_unmap_sg,
13467 .map_page = gart_map_page,
13468 diff -urNp linux-2.6.37/arch/x86/kernel/pci-nommu.c linux-2.6.37/arch/x86/kernel/pci-nommu.c
13469 --- linux-2.6.37/arch/x86/kernel/pci-nommu.c 2011-01-04 19:50:19.000000000 -0500
13470 +++ linux-2.6.37/arch/x86/kernel/pci-nommu.c 2011-01-17 02:41:01.000000000 -0500
13471 @@ -95,7 +95,7 @@ static void nommu_sync_sg_for_device(str
13472 flush_write_buffers();
13473 }
13474
13475 -struct dma_map_ops nommu_dma_ops = {
13476 +const struct dma_map_ops nommu_dma_ops = {
13477 .alloc_coherent = dma_generic_alloc_coherent,
13478 .free_coherent = nommu_free_coherent,
13479 .map_sg = nommu_map_sg,
13480 diff -urNp linux-2.6.37/arch/x86/kernel/pci-swiotlb.c linux-2.6.37/arch/x86/kernel/pci-swiotlb.c
13481 --- linux-2.6.37/arch/x86/kernel/pci-swiotlb.c 2011-01-04 19:50:19.000000000 -0500
13482 +++ linux-2.6.37/arch/x86/kernel/pci-swiotlb.c 2011-01-17 02:41:01.000000000 -0500
13483 @@ -26,7 +26,7 @@ static void *x86_swiotlb_alloc_coherent(
13484 return swiotlb_alloc_coherent(hwdev, size, dma_handle, flags);
13485 }
13486
13487 -static struct dma_map_ops swiotlb_dma_ops = {
13488 +static const struct dma_map_ops swiotlb_dma_ops = {
13489 .mapping_error = swiotlb_dma_mapping_error,
13490 .alloc_coherent = x86_swiotlb_alloc_coherent,
13491 .free_coherent = swiotlb_free_coherent,
13492 diff -urNp linux-2.6.37/arch/x86/kernel/process_32.c linux-2.6.37/arch/x86/kernel/process_32.c
13493 --- linux-2.6.37/arch/x86/kernel/process_32.c 2011-01-04 19:50:19.000000000 -0500
13494 +++ linux-2.6.37/arch/x86/kernel/process_32.c 2011-01-17 02:41:01.000000000 -0500
13495 @@ -67,6 +67,7 @@ asmlinkage void ret_from_fork(void) __as
13496 unsigned long thread_saved_pc(struct task_struct *tsk)
13497 {
13498 return ((unsigned long *)tsk->thread.sp)[3];
13499 +//XXX return tsk->thread.eip;
13500 }
13501
13502 #ifndef CONFIG_SMP
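Review bot: `//XXX return tsk->thread.eip;` is commented-out code in thread_saved_pc(); it either belongs in the function or should be removed. If it is a reminder that the `[3]` stack-slot read is fragile under the changed frame layout, say that in words instead, e.g. `/* TODO(pax): index 3 depends on the switch_to() frame layout; consider saving eip in thread_struct */` — the fragility is my inference, so adjust the wording to the real reason.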
13503 @@ -130,15 +131,14 @@ void __show_regs(struct pt_regs *regs, i
13504 unsigned long sp;
13505 unsigned short ss, gs;
13506
13507 - if (user_mode_vm(regs)) {
13508 + if (user_mode(regs)) {
13509 sp = regs->sp;
13510 ss = regs->ss & 0xffff;
13511 - gs = get_user_gs(regs);
13512 } else {
13513 sp = kernel_stack_pointer(regs);
13514 savesegment(ss, ss);
13515 - savesegment(gs, gs);
13516 }
13517 + gs = get_user_gs(regs);
13518
13519 show_regs_common();
13520
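Review bot: For kernel-mode frames __show_regs() now reports `gs` via get_user_gs(regs) instead of `savesegment(gs, gs)`, so the printed value is the saved user gs rather than the live segment register; if that is intended (for instance because gs now carries per-CPU or canary state that is not useful to print), a comment next to `gs = get_user_gs(regs);` should say so. Separately, `user_mode_vm(regs)` is replaced with `user_mode(regs)` here and in fill_sigtrap_info() in ptrace.c; in mainline the two differ for VM86 frames, so this is only safe if the patch redefines user_mode() elsewhere to cover the VM flag, which is worth a pointer in the commit or a comment. __show_regs() continues outside this hunk.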
13521 @@ -200,7 +200,7 @@ int copy_thread(unsigned long clone_flag
13522 struct task_struct *tsk;
13523 int err;
13524
13525 - childregs = task_pt_regs(p);
13526 + childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
13527 *childregs = *regs;
13528 childregs->ax = 0;
13529 childregs->sp = sp;
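Review bot: `task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8` open-codes a stack layout with a bare `8`, and the same `-8` reappears in get_wchan() in process_64.c (`stack+THREAD_SIZE-8-sizeof(u64)`). If the 8 bytes are a reserved slot at the top of the kernel stack (my inference from the two uses; confirm), give it a name next to the task_pt_regs() definition, e.g. `#define TOP_OF_KERNEL_STACK_PADDING 8`, and use it at both sites so they cannot drift apart. A comment on why copy_thread() no longer uses task_pt_regs(p) would also help. copy_thread() begins before this hunk.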
13530 @@ -297,7 +297,7 @@ __switch_to(struct task_struct *prev_p,
13531 struct thread_struct *prev = &prev_p->thread,
13532 *next = &next_p->thread;
13533 int cpu = smp_processor_id();
13534 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
13535 + struct tss_struct *tss = init_tss + cpu;
13536 bool preload_fpu;
13537
13538 /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
13539 @@ -332,6 +332,10 @@ __switch_to(struct task_struct *prev_p,
13540 */
13541 lazy_save_gs(prev->gs);
13542
13543 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13544 + __set_fs(task_thread_info(next_p)->addr_limit);
13545 +#endif
13546 +
13547 /*
13548 * Load the per-thread Thread-Local Storage descriptor.
13549 */
13550 @@ -408,3 +412,27 @@ unsigned long get_wchan(struct task_stru
13551 return 0;
13552 }
13553
13554 +#ifdef CONFIG_PAX_RANDKSTACK
13555 +asmlinkage void pax_randomize_kstack(void)
13556 +{
13557 + struct thread_struct *thread = &current->thread;
13558 + unsigned long time;
13559 +
13560 + if (!randomize_va_space)
13561 + return;
13562 +
13563 + rdtscl(time);
13564 +
13565 + /* P4 seems to return a 0 LSB, ignore it */
13566 +#ifdef CONFIG_MPENTIUM4
13567 + time &= 0x1EUL;
13568 + time <<= 2;
13569 +#else
13570 + time &= 0xFUL;
13571 + time <<= 3;
13572 +#endif
13573 +
13574 + thread->sp0 ^= time;
13575 + load_sp0(init_tss + smp_processor_id(), thread);
13576 +}
13577 +#endif
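Review bot: pax_randomize_kstack() derives its offset from the low TSC bits and masks them to 4 bits (`time &= 0xFUL; time <<= 3;`, or `0x1E`/`<<= 2` on P4), so `thread->sp0` only ever moves within a 0..120-byte window in 8-byte steps; the function should say that explicitly, since the name promises more than it delivers and the XOR (rather than assignment) means repeated calls keep walking within that same window. A header comment such as `/* Perturb the kernel stack top by a small TSC-derived offset (16 possible 8-byte-aligned values); cheap obfuscation, not a cryptographic source. */` would set expectations. The `randomize_va_space` early return ties this to the user-space ASLR sysctl, which is worth a word as well.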
13578 diff -urNp linux-2.6.37/arch/x86/kernel/process_64.c linux-2.6.37/arch/x86/kernel/process_64.c
13579 --- linux-2.6.37/arch/x86/kernel/process_64.c 2011-01-04 19:50:19.000000000 -0500
13580 +++ linux-2.6.37/arch/x86/kernel/process_64.c 2011-01-17 02:41:01.000000000 -0500
13581 @@ -89,7 +89,7 @@ static void __exit_idle(void)
13582 void exit_idle(void)
13583 {
13584 /* idle loop has pid 0 */
13585 - if (current->pid)
13586 + if (task_pid_nr(current))
13587 return;
13588 __exit_idle();
13589 }
13590 @@ -380,7 +380,7 @@ __switch_to(struct task_struct *prev_p,
13591 struct thread_struct *prev = &prev_p->thread;
13592 struct thread_struct *next = &next_p->thread;
13593 int cpu = smp_processor_id();
13594 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
13595 + struct tss_struct *tss = init_tss + cpu;
13596 unsigned fsindex, gsindex;
13597 bool preload_fpu;
13598
13599 @@ -533,12 +533,11 @@ unsigned long get_wchan(struct task_stru
13600 if (!p || p == current || p->state == TASK_RUNNING)
13601 return 0;
13602 stack = (unsigned long)task_stack_page(p);
13603 - if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
13604 + if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-8-sizeof(u64))
13605 return 0;
13606 fp = *(u64 *)(p->thread.sp);
13607 do {
13608 - if (fp < (unsigned long)stack ||
13609 - fp >= (unsigned long)stack+THREAD_SIZE)
13610 + if (fp < stack || fp > stack+THREAD_SIZE-8-sizeof(u64))
13611 return 0;
13612 ip = *(u64 *)(fp+8);
13613 if (!in_sched_functions(ip))
13614 diff -urNp linux-2.6.37/arch/x86/kernel/process.c linux-2.6.37/arch/x86/kernel/process.c
13615 --- linux-2.6.37/arch/x86/kernel/process.c 2011-01-04 19:50:19.000000000 -0500
13616 +++ linux-2.6.37/arch/x86/kernel/process.c 2011-01-17 02:41:01.000000000 -0500
13617 @@ -74,7 +74,7 @@ void exit_thread(void)
13618 unsigned long *bp = t->io_bitmap_ptr;
13619
13620 if (bp) {
13621 - struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
13622 + struct tss_struct *tss = init_tss + get_cpu();
13623
13624 t->io_bitmap_ptr = NULL;
13625 clear_thread_flag(TIF_IO_BITMAP);
13626 @@ -108,7 +108,7 @@ void show_regs_common(void)
13627
13628 printk(KERN_CONT "\n");
13629 printk(KERN_DEFAULT "Pid: %d, comm: %.20s %s %s %.*s %s/%s\n",
13630 - current->pid, current->comm, print_tainted(),
13631 + task_pid_nr(current), current->comm, print_tainted(),
13632 init_utsname()->release,
13633 (int)strcspn(init_utsname()->version, " "),
13634 init_utsname()->version, board, product);
13635 @@ -118,6 +118,9 @@ void flush_thread(void)
13636 {
13637 struct task_struct *tsk = current;
13638
13639 +#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_PAX_MEMORY_UDEREF)
13640 + loadsegment(gs, 0);
13641 +#endif
13642 flush_ptrace_hw_breakpoint(tsk);
13643 memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
13644 /*
13645 @@ -280,10 +283,10 @@ int kernel_thread(int (*fn)(void *), voi
13646 regs.di = (unsigned long) arg;
13647
13648 #ifdef CONFIG_X86_32
13649 - regs.ds = __USER_DS;
13650 - regs.es = __USER_DS;
13651 + regs.ds = __KERNEL_DS;
13652 + regs.es = __KERNEL_DS;
13653 regs.fs = __KERNEL_PERCPU;
13654 - regs.gs = __KERNEL_STACK_CANARY;
13655 + savesegment(gs, regs.gs);
13656 #else
13657 regs.ss = __KERNEL_DS;
13658 #endif
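Review bot: The switch of ds/es from `__USER_DS` to `__KERNEL_DS` and of gs to the live value via `savesegment(gs, regs.gs)` changes the segment state every new kernel thread starts with, and nothing in the hunk explains why the user selectors were wrong here. Suggest a comment above the `#ifdef CONFIG_X86_32` block such as `/* kernel threads run with kernel data segments; gs keeps whatever the creating context used (per-CPU / canary base) */`, after confirming the gs reasoning against the UDEREF and stack-protector setup. kernel_thread() begins before this hunk.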
13659 @@ -658,17 +661,3 @@ static int __init idle_setup(char *str)
13660 return 0;
13661 }
13662 early_param("idle", idle_setup);
13663 -
13664 -unsigned long arch_align_stack(unsigned long sp)
13665 -{
13666 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
13667 - sp -= get_random_int() % 8192;
13668 - return sp & ~0xf;
13669 -}
13670 -
13671 -unsigned long arch_randomize_brk(struct mm_struct *mm)
13672 -{
13673 - unsigned long range_end = mm->brk + 0x02000000;
13674 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
13675 -}
13676 -
13677 diff -urNp linux-2.6.37/arch/x86/kernel/ptrace.c linux-2.6.37/arch/x86/kernel/ptrace.c
13678 --- linux-2.6.37/arch/x86/kernel/ptrace.c 2011-01-04 19:50:19.000000000 -0500
13679 +++ linux-2.6.37/arch/x86/kernel/ptrace.c 2011-01-17 02:41:01.000000000 -0500
13680 @@ -805,7 +805,7 @@ long arch_ptrace(struct task_struct *chi
13681 unsigned long addr, unsigned long data)
13682 {
13683 int ret;
13684 - unsigned long __user *datap = (unsigned long __user *)data;
13685 + unsigned long __user *datap = (__force unsigned long __user *)data;
13686
13687 switch (request) {
13688 /* read the word at location addr in the USER area. */
13689 @@ -890,14 +890,14 @@ long arch_ptrace(struct task_struct *chi
13690 if ((int) addr < 0)
13691 return -EIO;
13692 ret = do_get_thread_area(child, addr,
13693 - (struct user_desc __user *)data);
13694 + (__force struct user_desc __user *) data);
13695 break;
13696
13697 case PTRACE_SET_THREAD_AREA:
13698 if ((int) addr < 0)
13699 return -EIO;
13700 ret = do_set_thread_area(child, addr,
13701 - (struct user_desc __user *)data, 0);
13702 + (__force struct user_desc __user *) data, 0);
13703 break;
13704 #endif
13705
13706 @@ -1314,7 +1314,7 @@ static void fill_sigtrap_info(struct tas
13707 memset(info, 0, sizeof(*info));
13708 info->si_signo = SIGTRAP;
13709 info->si_code = si_code;
13710 - info->si_addr = user_mode_vm(regs) ? (void __user *)regs->ip : NULL;
13711 + info->si_addr = user_mode(regs) ? (__force void __user *)regs->ip : NULL;
13712 }
13713
13714 void user_single_step_siginfo(struct task_struct *tsk,
13715 diff -urNp linux-2.6.37/arch/x86/kernel/reboot.c linux-2.6.37/arch/x86/kernel/reboot.c
13716 --- linux-2.6.37/arch/x86/kernel/reboot.c 2011-01-04 19:50:19.000000000 -0500
13717 +++ linux-2.6.37/arch/x86/kernel/reboot.c 2011-01-17 02:41:01.000000000 -0500
13718 @@ -33,7 +33,7 @@ void (*pm_power_off)(void);
13719 EXPORT_SYMBOL(pm_power_off);
13720
13721 static const struct desc_ptr no_idt = {};
13722 -static int reboot_mode;
13723 +static unsigned short reboot_mode;
13724 enum reboot_type reboot_type = BOOT_KBD;
13725 int reboot_force;
13726
13727 @@ -284,7 +284,7 @@ static struct dmi_system_id __initdata r
13728 DMI_MATCH(DMI_BOARD_NAME, "P4S800"),
13729 },
13730 },
13731 - { }
13732 + { NULL, NULL, {{0, {0}}}, NULL}
13733 };
13734
13735 static int __init reboot_init(void)
13736 @@ -300,12 +300,12 @@ core_initcall(reboot_init);
13737 controller to pulse the CPU reset line, which is more thorough, but
13738 doesn't work with at least one type of 486 motherboard. It is easy
13739 to stop this code working; hence the copious comments. */
13740 -static const unsigned long long
13741 -real_mode_gdt_entries [3] =
13742 +static struct desc_struct
13743 +real_mode_gdt_entries [3] __read_only =
13744 {
13745 - 0x0000000000000000ULL, /* Null descriptor */
13746 - 0x00009b000000ffffULL, /* 16-bit real-mode 64k code at 0x00000000 */
13747 - 0x000093000100ffffULL /* 16-bit real-mode 64k data at 0x00000100 */
13748 + GDT_ENTRY_INIT(0, 0, 0), /* Null descriptor */
13749 + GDT_ENTRY_INIT(0x9b, 0, 0xffff), /* 16-bit real-mode 64k code at 0x00000000 */
13750 + GDT_ENTRY_INIT(0x93, 0x100, 0xffff) /* 16-bit real-mode 64k data at 0x00000100 */
13751 };
13752
13753 static const struct desc_ptr
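Review bot: `real_mode_gdt_entries` loses its `const` qualifier in the same change that adds `__read_only` (`static const unsigned long long` becomes `static struct desc_struct ... __read_only`). Unless `__read_only` cannot be combined with `const` in this tree, keeping both — `static const struct desc_struct real_mode_gdt_entries[3] __read_only = {` — preserves the compile-time write check on top of the runtime section protection. The GDT_ENTRY_INIT() rewrite of the three descriptors is otherwise a clear readability gain over the raw 64-bit constants.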
13754 @@ -354,7 +354,7 @@ static const unsigned char jump_to_bios
13755 * specified by the code and length parameters.
13756 * We assume that length will aways be less that 100!
13757 */
13758 -void machine_real_restart(const unsigned char *code, int length)
13759 +void machine_real_restart(const unsigned char *code, unsigned int length)
13760 {
13761 local_irq_disable();
13762
13763 @@ -381,16 +381,15 @@ void machine_real_restart(const unsigned
13764 boot)". This seems like a fairly standard thing that gets set by
13765 REBOOT.COM programs, and the previous reset routine did this
13766 too. */
13767 - *((unsigned short *)0x472) = reboot_mode;
13768 + *(unsigned short *)(__va(0x472)) = reboot_mode;
13769
13770 /* For the switch to real mode, copy some code to low memory. It has
13771 to be in the first 64k because it is running in 16-bit mode, and it
13772 has to have the same physical and virtual address, because it turns
13773 off paging. Copy it near the end of the first page, out of the way
13774 of BIOS variables. */
13775 - memcpy((void *)(0x1000 - sizeof(real_mode_switch) - 100),
13776 - real_mode_switch, sizeof (real_mode_switch));
13777 - memcpy((void *)(0x1000 - 100), code, length);
13778 + memcpy(__va(0x1000 - sizeof (real_mode_switch) - 100), real_mode_switch, sizeof (real_mode_switch));
13779 + memcpy(__va(0x1000 - 100), code, length);
13780
13781 /* Set up the IDT for real mode. */
13782 load_idt(&real_mode_idt);
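Review bot: `memcpy(__va(0x1000 - 100), code, length)` still relies on the "length will always be less than 100" comment above the function, but now that `length` is `unsigned int` the assumption is cheap to enforce: a `BUG_ON(length > 100);` before the two copies would protect the real_mode_switch copy that sits immediately below the code in the same page. The `100` would also read better as a named constant shared by both memcpy() calls and the comment. machine_real_restart() continues outside this hunk.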
13783 diff -urNp linux-2.6.37/arch/x86/kernel/setup.c linux-2.6.37/arch/x86/kernel/setup.c
13784 --- linux-2.6.37/arch/x86/kernel/setup.c 2011-01-04 19:50:19.000000000 -0500
13785 +++ linux-2.6.37/arch/x86/kernel/setup.c 2011-01-17 02:41:01.000000000 -0500
13786 @@ -654,7 +654,7 @@ static void __init trim_bios_range(void)
13787 * area (640->1Mb) as ram even though it is not.
13788 * take them out.
13789 */
13790 - e820_remove_range(BIOS_BEGIN, BIOS_END - BIOS_BEGIN, E820_RAM, 1);
13791 + e820_remove_range(ISA_START_ADDRESS, ISA_END_ADDRESS - ISA_START_ADDRESS, E820_RAM, 1);
13792 sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map);
13793 }
13794
13795 @@ -790,14 +790,14 @@ void __init setup_arch(char **cmdline_p)
13796
13797 if (!boot_params.hdr.root_flags)
13798 root_mountflags &= ~MS_RDONLY;
13799 - init_mm.start_code = (unsigned long) _text;
13800 - init_mm.end_code = (unsigned long) _etext;
13801 + init_mm.start_code = ktla_ktva((unsigned long) _text);
13802 + init_mm.end_code = ktla_ktva((unsigned long) _etext);
13803 init_mm.end_data = (unsigned long) _edata;
13804 init_mm.brk = _brk_end;
13805
13806 - code_resource.start = virt_to_phys(_text);
13807 - code_resource.end = virt_to_phys(_etext)-1;
13808 - data_resource.start = virt_to_phys(_etext);
13809 + code_resource.start = virt_to_phys(ktla_ktva(_text));
13810 + code_resource.end = virt_to_phys(ktla_ktva(_etext))-1;
13811 + data_resource.start = virt_to_phys(_sdata);
13812 data_resource.end = virt_to_phys(_edata)-1;
13813 bss_resource.start = virt_to_phys(&__bss_start);
13814 bss_resource.end = virt_to_phys(&__bss_stop)-1;
13815 diff -urNp linux-2.6.37/arch/x86/kernel/setup_percpu.c linux-2.6.37/arch/x86/kernel/setup_percpu.c
13816 --- linux-2.6.37/arch/x86/kernel/setup_percpu.c 2011-01-04 19:50:19.000000000 -0500
13817 +++ linux-2.6.37/arch/x86/kernel/setup_percpu.c 2011-01-17 02:41:01.000000000 -0500
13818 @@ -21,19 +21,17 @@
13819 #include <asm/cpu.h>
13820 #include <asm/stackprotector.h>
13821
13822 -DEFINE_PER_CPU(int, cpu_number);
13823 +#ifdef CONFIG_SMP
13824 +DEFINE_PER_CPU(unsigned int, cpu_number);
13825 EXPORT_PER_CPU_SYMBOL(cpu_number);
13826 +#endif
13827
13828 -#ifdef CONFIG_X86_64
13829 #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load)
13830 -#else
13831 -#define BOOT_PERCPU_OFFSET 0
13832 -#endif
13833
13834 DEFINE_PER_CPU(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET;
13835 EXPORT_PER_CPU_SYMBOL(this_cpu_off);
13836
13837 -unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = {
13838 +unsigned long __per_cpu_offset[NR_CPUS] __read_only = {
13839 [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
13840 };
13841 EXPORT_SYMBOL(__per_cpu_offset);
13842 @@ -155,10 +153,10 @@ static inline void setup_percpu_segment(
13843 {
13844 #ifdef CONFIG_X86_32
13845 struct desc_struct gdt;
13846 + unsigned long base = per_cpu_offset(cpu);
13847
13848 - pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF,
13849 - 0x2 | DESCTYPE_S, 0x8);
13850 - gdt.s = 1;
13851 + pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT,
13852 + 0x83 | DESCTYPE_S, 0xC);
13853 write_gdt_entry(get_cpu_gdt_table(cpu),
13854 GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
13855 #endif
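Review bot: The per-CPU GDT entry now gets a limit derived from `VMALLOC_END - base - 1` and raw type/flag bytes `0x83 | DESCTYPE_S` and `0xC`, replacing the old 4 GiB limit; the intent (bounding %fs-relative accesses at VMALLOC_END, I assume) and the meaning of the magic bytes are not recorded. A comment such as `/* data RW, accessed, present, 32-bit, page-granular; the limit ends at VMALLOC_END so the per-CPU segment cannot reach past it */` would do, after confirming the bit breakdown against pack_descriptor(). Note that the `0x80` in `0x83` is redundant if pack_descriptor() sets the present bit itself, as the mainline version does. setup_percpu_segment() begins before this hunk.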
13856 @@ -207,6 +205,11 @@ void __init setup_per_cpu_areas(void)
13857 /* alrighty, percpu areas up and running */
13858 delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
13859 for_each_possible_cpu(cpu) {
13860 +#ifdef CONFIG_CC_STACKPROTECTOR
13861 +#ifdef CONFIG_x86_32
13862 + unsigned long canary = per_cpu(stack_canary, cpu);
13863 +#endif
13864 +#endif
13865 per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
13866 per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
13867 per_cpu(cpu_number, cpu) = cpu;
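Review bot: `#ifdef CONFIG_x86_32` (lowercase `x86`) is not the Kconfig symbol — elsewhere in this patch it is `CONFIG_X86_32` — so the `canary` save here and its restore in the following hunk (`if (cpu == boot_cpu_id) per_cpu(stack_canary, cpu) = canary;`) are compiled out on every configuration, and the boot CPU's stack canary is never carried across the per-CPU area relocation as intended. Change both occurrences to `#ifdef CONFIG_X86_32`. Once the block actually compiles, check that reading `per_cpu(stack_canary, cpu)` before `per_cpu_offset(cpu)` is updated really hits the old .init.data copy. setup_per_cpu_areas() extends beyond both hunks.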
13868 @@ -243,6 +246,12 @@ void __init setup_per_cpu_areas(void)
13869 set_cpu_numa_node(cpu, early_cpu_to_node(cpu));
13870 #endif
13871 #endif
13872 +#ifdef CONFIG_CC_STACKPROTECTOR
13873 +#ifdef CONFIG_x86_32
13874 + if (cpu == boot_cpu_id)
13875 + per_cpu(stack_canary, cpu) = canary;
13876 +#endif
13877 +#endif
13878 /*
13879 * Up to this point, the boot CPU has been using .init.data
13880 * area. Reload any changed state for the boot CPU.
13881 diff -urNp linux-2.6.37/arch/x86/kernel/signal.c linux-2.6.37/arch/x86/kernel/signal.c
13882 --- linux-2.6.37/arch/x86/kernel/signal.c 2011-01-04 19:50:19.000000000 -0500
13883 +++ linux-2.6.37/arch/x86/kernel/signal.c 2011-01-17 02:41:01.000000000 -0500
13884 @@ -198,7 +198,7 @@ static unsigned long align_sigframe(unsi
13885 * Align the stack pointer according to the i386 ABI,
13886 * i.e. so that on function entry ((sp + 4) & 15) == 0.
13887 */
13888 - sp = ((sp + 4) & -16ul) - 4;
13889 + sp = ((sp - 12) & -16ul) - 4;
13890 #else /* !CONFIG_X86_32 */
13891 sp = round_down(sp, 16) - 8;
13892 #endif
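Review bot: `sp = ((sp - 12) & -16ul) - 4;` yields exactly 16 bytes less than the original `((sp + 4) & -16ul) - 4` for every input (sp-12 is sp+4 minus 16, and the mask distributes over that), so the ABI alignment is unchanged but the frame is always placed one 16-byte slot lower; the comment above still only describes the alignment. Either state the reason for the extra slot in that comment (I cannot tell from the hunk whether it is a guard-slot consideration) or write it as `sp = ((sp + 4) & -16ul) - 4 - 16;` so the two effects are visible separately. align_sigframe() begins before this hunk.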
13893 @@ -249,11 +249,11 @@ get_sigframe(struct k_sigaction *ka, str
13894 * Return an always-bogus address instead so we will die with SIGSEGV.
13895 */
13896 if (onsigstack && !likely(on_sig_stack(sp)))
13897 - return (void __user *)-1L;
13898 + return (__force void __user *)-1L;
13899
13900 /* save i387 state */
13901 if (used_math() && save_i387_xstate(*fpstate) < 0)
13902 - return (void __user *)-1L;
13903 + return (__force void __user *)-1L;
13904
13905 return (void __user *)sp;
13906 }
13907 @@ -308,9 +308,9 @@ __setup_frame(int sig, struct k_sigactio
13908 }
13909
13910 if (current->mm->context.vdso)
13911 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
13912 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
13913 else
13914 - restorer = &frame->retcode;
13915 + restorer = (void __user *)&frame->retcode;
13916 if (ka->sa.sa_flags & SA_RESTORER)
13917 restorer = ka->sa.sa_restorer;
13918
13919 @@ -324,7 +324,7 @@ __setup_frame(int sig, struct k_sigactio
13920 * reasons and because gdb uses it as a signature to notice
13921 * signal handler stack frames.
13922 */
13923 - err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode);
13924 + err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode);
13925
13926 if (err)
13927 return -EFAULT;
13928 @@ -378,7 +378,10 @@ static int __setup_rt_frame(int sig, str
13929 err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
13930
13931 /* Set up to return from userspace. */
13932 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
13933 + if (current->mm->context.vdso)
13934 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
13935 + else
13936 + restorer = (void __user *)&frame->retcode;
13937 if (ka->sa.sa_flags & SA_RESTORER)
13938 restorer = ka->sa.sa_restorer;
13939 put_user_ex(restorer, &frame->pretcode);
13940 @@ -390,7 +393,7 @@ static int __setup_rt_frame(int sig, str
13941 * reasons and because gdb uses it as a signature to notice
13942 * signal handler stack frames.
13943 */
13944 - put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode);
13945 + put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode);
13946 } put_user_catch(err);
13947
13948 if (err)
13949 @@ -780,7 +783,7 @@ static void do_signal(struct pt_regs *re
13950 * X86_32: vm86 regs switched out by assembly code before reaching
13951 * here, so testing against kernel CS suffices.
13952 */
13953 - if (!user_mode(regs))
13954 + if (!user_mode_novm(regs))
13955 return;
13956
13957 if (current_thread_info()->status & TS_RESTORE_SIGMASK)
13958 diff -urNp linux-2.6.37/arch/x86/kernel/smpboot.c linux-2.6.37/arch/x86/kernel/smpboot.c
13959 --- linux-2.6.37/arch/x86/kernel/smpboot.c 2011-01-04 19:50:19.000000000 -0500
13960 +++ linux-2.6.37/arch/x86/kernel/smpboot.c 2011-01-17 02:41:01.000000000 -0500
13961 @@ -786,7 +786,11 @@ do_rest:
13962 (unsigned long)task_stack_page(c_idle.idle) -
13963 KERNEL_STACK_OFFSET + THREAD_SIZE;
13964 #endif
13965 +
13966 + pax_open_kernel();
13967 early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
13968 + pax_close_kernel();
13969 +
13970 initial_code = (unsigned long)start_secondary;
13971 stack_start.sp = (void *) c_idle.idle->thread.sp;
13972
13973 @@ -926,6 +930,12 @@ int __cpuinit native_cpu_up(unsigned int
13974
13975 per_cpu(cpu_state, cpu) = CPU_UP_PREPARE;
13976
13977 +#ifdef CONFIG_PAX_PER_CPU_PGD
13978 + clone_pgd_range(get_cpu_pgd(cpu) + KERNEL_PGD_BOUNDARY,
13979 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
13980 + KERNEL_PGD_PTRS);
13981 +#endif
13982 +
13983 err = do_boot_cpu(apicid, cpu);
13984 if (err) {
13985 pr_debug("do_boot_cpu failed %d\n", err);
13986 diff -urNp linux-2.6.37/arch/x86/kernel/step.c linux-2.6.37/arch/x86/kernel/step.c
13987 --- linux-2.6.37/arch/x86/kernel/step.c 2011-01-04 19:50:19.000000000 -0500
13988 +++ linux-2.6.37/arch/x86/kernel/step.c 2011-01-17 02:41:01.000000000 -0500
13989 @@ -27,10 +27,10 @@ unsigned long convert_ip_to_linear(struc
13990 struct desc_struct *desc;
13991 unsigned long base;
13992
13993 - seg &= ~7UL;
13994 + seg >>= 3;
13995
13996 mutex_lock(&child->mm->context.lock);
13997 - if (unlikely((seg >> 3) >= child->mm->context.size))
13998 + if (unlikely(seg >= child->mm->context.size))
13999 addr = -1L; /* bogus selector, access would fault */
14000 else {
14001 desc = child->mm->context.ldt + seg;
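Review bot: After the new `seg >>= 3;`, the unchanged line `desc = child->mm->context.ldt + seg;` adds a descriptor index where the old `seg &= ~7UL;` supplied a byte offset, so this hunk is only correct if the patch also changes `mm->context.ldt` from the `void *` of the unpatched tree to a `struct desc_struct *` (or equivalent) elsewhere; that change is not visible here and should be confirmed. If `ldt` remains a `void *`, the lookup reads the descriptor at byte offset `seg` instead of `seg * 8`. A comment on the shift, e.g. `/* selector -> LDT index; context.ldt is a struct desc_struct array */`, would make the dependency explicit. convert_ip_to_linear begins outside this hunk and continues in the next one.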
14002 @@ -42,7 +42,8 @@ unsigned long convert_ip_to_linear(struc
14003 addr += base;
14004 }
14005 mutex_unlock(&child->mm->context.lock);
14006 - }
14007 + } else if (seg == __KERNEL_CS || seg == __KERNEXEC_KERNEL_CS)
14008 + addr = ktla_ktva(addr);
14009
14010 return addr;
14011 }
14012 @@ -53,6 +54,9 @@ static int is_setting_trap_flag(struct t
14013 unsigned char opcode[15];
14014 unsigned long addr = convert_ip_to_linear(child, regs);
14015
14016 + if (addr == -EINVAL)
14017 + return 0;
14018 +
14019 copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
14020 for (i = 0; i < copied; i++) {
14021 switch (opcode[i]) {
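Review bot: The new early return `if (addr == -EINVAL) return 0;` cannot match the failure value convert_ip_to_linear produces on this page: the previous hunk leaves `addr = -1L; /* bogus selector, access would fault */`, and -1L is not -EINVAL, so the bogus-selector case still reaches `access_process_vm(child, addr, opcode, sizeof(opcode), 0)` with `addr == ~0UL`. Unless convert_ip_to_linear returns -EINVAL on a path not shown here, the test should be `if (addr == -1L)` (or the sentinel should become -EINVAL in both functions) so that producer and consumer agree on one in-band error value. is_setting_trap_flag begins outside this hunk and continues in the next one.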
14022 @@ -74,7 +78,7 @@ static int is_setting_trap_flag(struct t
14023
14024 #ifdef CONFIG_X86_64
14025 case 0x40 ... 0x4f:
14026 - if (regs->cs != __USER_CS)
14027 + if ((regs->cs & 0xffff) != __USER_CS)
14028 /* 32-bit mode: register increment */
14029 return 0;
14030 /* 64-bit mode: REX prefix */
14031 diff -urNp linux-2.6.37/arch/x86/kernel/syscall_table_32.S linux-2.6.37/arch/x86/kernel/syscall_table_32.S
14032 --- linux-2.6.37/arch/x86/kernel/syscall_table_32.S 2011-01-04 19:50:19.000000000 -0500
14033 +++ linux-2.6.37/arch/x86/kernel/syscall_table_32.S 2011-01-17 02:41:01.000000000 -0500
14034 @@ -1,3 +1,4 @@
14035 +.section .rodata,"a",@progbits
14036 ENTRY(sys_call_table)
14037 .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
14038 .long sys_exit
14039 diff -urNp linux-2.6.37/arch/x86/kernel/sys_i386_32.c linux-2.6.37/arch/x86/kernel/sys_i386_32.c
14040 --- linux-2.6.37/arch/x86/kernel/sys_i386_32.c 2011-01-04 19:50:19.000000000 -0500
14041 +++ linux-2.6.37/arch/x86/kernel/sys_i386_32.c 2011-01-17 02:41:01.000000000 -0500
14042 @@ -24,17 +24,224 @@
14043
14044 #include <asm/syscalls.h>
14045
14046 -/*
14047 - * Do a system call from kernel instead of calling sys_execve so we
14048 - * end up with proper pt_regs.
14049 - */
14050 -int kernel_execve(const char *filename,
14051 - const char *const argv[],
14052 - const char *const envp[])
14053 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
14054 {
14055 - long __res;
14056 - asm volatile ("int $0x80"
14057 - : "=a" (__res)
14058 - : "0" (__NR_execve), "b" (filename), "c" (argv), "d" (envp) : "memory");
14059 - return __res;
14060 + unsigned long pax_task_size = TASK_SIZE;
14061 +
14062 +#ifdef CONFIG_PAX_SEGMEXEC
14063 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
14064 + pax_task_size = SEGMEXEC_TASK_SIZE;
14065 +#endif
14066 +
14067 + if (len > pax_task_size || addr > pax_task_size - len)
14068 + return -EINVAL;
14069 +
14070 + return 0;
14071 +}
14072 +
14073 +unsigned long
14074 +arch_get_unmapped_area(struct file *filp, unsigned long addr,
14075 + unsigned long len, unsigned long pgoff, unsigned long flags)
14076 +{
14077 + struct mm_struct *mm = current->mm;
14078 + struct vm_area_struct *vma;
14079 + unsigned long start_addr, pax_task_size = TASK_SIZE;
14080 +
14081 +#ifdef CONFIG_PAX_SEGMEXEC
14082 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
14083 + pax_task_size = SEGMEXEC_TASK_SIZE;
14084 +#endif
14085 +
14086 + pax_task_size -= PAGE_SIZE;
14087 +
14088 + if (len > pax_task_size)
14089 + return -ENOMEM;
14090 +
14091 + if (flags & MAP_FIXED)
14092 + return addr;
14093 +
14094 +#ifdef CONFIG_PAX_RANDMMAP
14095 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
14096 +#endif
14097 +
14098 + if (addr) {
14099 + addr = PAGE_ALIGN(addr);
14100 + if (pax_task_size - len >= addr) {
14101 + vma = find_vma(mm, addr);
14102 + if (check_heap_stack_gap(vma, addr, len))
14103 + return addr;
14104 + }
14105 + }
14106 + if (len > mm->cached_hole_size) {
14107 + start_addr = addr = mm->free_area_cache;
14108 + } else {
14109 + start_addr = addr = mm->mmap_base;
14110 + mm->cached_hole_size = 0;
14111 + }
14112 +
14113 +#ifdef CONFIG_PAX_PAGEEXEC
14114 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
14115 + start_addr = 0x00110000UL;
14116 +
14117 +#ifdef CONFIG_PAX_RANDMMAP
14118 + if (mm->pax_flags & MF_PAX_RANDMMAP)
14119 + start_addr += mm->delta_mmap & 0x03FFF000UL;
14120 +#endif
14121 +
14122 + if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
14123 + start_addr = addr = mm->mmap_base;
14124 + else
14125 + addr = start_addr;
14126 + }
14127 +#endif
14128 +
14129 +full_search:
14130 + for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
14131 + /* At this point: (!vma || addr < vma->vm_end). */
14132 + if (pax_task_size - len < addr) {
14133 + /*
14134 + * Start a new search - just in case we missed
14135 + * some holes.
14136 + */
14137 + if (start_addr != mm->mmap_base) {
14138 + start_addr = addr = mm->mmap_base;
14139 + mm->cached_hole_size = 0;
14140 + goto full_search;
14141 + }
14142 + return -ENOMEM;
14143 + }
14144 + if (check_heap_stack_gap(vma, addr, len))
14145 + break;
14146 + if (addr + mm->cached_hole_size < vma->vm_start)
14147 + mm->cached_hole_size = vma->vm_start - addr;
14148 + addr = vma->vm_end;
14149 + if (mm->start_brk <= addr && addr < mm->mmap_base) {
14150 + start_addr = addr = mm->mmap_base;
14151 + mm->cached_hole_size = 0;
14152 + goto full_search;
14153 + }
14154 + }
14155 +
14156 + /*
14157 + * Remember the place where we stopped the search:
14158 + */
14159 + mm->free_area_cache = addr + len;
14160 + return addr;
14161 +}
14162 +
14163 +unsigned long
14164 +arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
14165 + const unsigned long len, const unsigned long pgoff,
14166 + const unsigned long flags)
14167 +{
14168 + struct vm_area_struct *vma;
14169 + struct mm_struct *mm = current->mm;
14170 + unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE;
14171 +
14172 +#ifdef CONFIG_PAX_SEGMEXEC
14173 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
14174 + pax_task_size = SEGMEXEC_TASK_SIZE;
14175 +#endif
14176 +
14177 + pax_task_size -= PAGE_SIZE;
14178 +
14179 + /* requested length too big for entire address space */
14180 + if (len > pax_task_size)
14181 + return -ENOMEM;
14182 +
14183 + if (flags & MAP_FIXED)
14184 + return addr;
14185 +
14186 +#ifdef CONFIG_PAX_PAGEEXEC
14187 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
14188 + goto bottomup;
14189 +#endif
14190 +
14191 +#ifdef CONFIG_PAX_RANDMMAP
14192 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
14193 +#endif
14194 +
14195 + /* requesting a specific address */
14196 + if (addr) {
14197 + addr = PAGE_ALIGN(addr);
14198 + if (pax_task_size - len >= addr) {
14199 + vma = find_vma(mm, addr);
14200 + if (check_heap_stack_gap(vma, addr, len))
14201 + return addr;
14202 + }
14203 + }
14204 +
14205 + /* check if free_area_cache is useful for us */
14206 + if (len <= mm->cached_hole_size) {
14207 + mm->cached_hole_size = 0;
14208 + mm->free_area_cache = mm->mmap_base;
14209 + }
14210 +
14211 + /* either no address requested or can't fit in requested address hole */
14212 + addr = mm->free_area_cache;
14213 +
14214 + /* make sure it can fit in the remaining address space */
14215 + if (addr > len) {
14216 + vma = find_vma(mm, addr-len);
14217 + if (check_heap_stack_gap(vma, addr - len, len))
14218 + /* remember the address as a hint for next time */
14219 + return (mm->free_area_cache = addr-len);
14220 + }
14221 +
14222 + if (mm->mmap_base < len)
14223 + goto bottomup;
14224 +
14225 + addr = mm->mmap_base-len;
14226 +
14227 + do {
14228 + /*
14229 + * Lookup failure means no vma is above this address,
14230 + * else if new region fits below vma->vm_start,
14231 + * return with success:
14232 + */
14233 + vma = find_vma(mm, addr);
14234 + if (check_heap_stack_gap(vma, addr, len))
14235 + /* remember the address as a hint for next time */
14236 + return (mm->free_area_cache = addr);
14237 +
14238 + /* remember the largest hole we saw so far */
14239 + if (addr + mm->cached_hole_size < vma->vm_start)
14240 + mm->cached_hole_size = vma->vm_start - addr;
14241 +
14242 + /* try just below the current vma->vm_start */
14243 + addr = vma->vm_start-len;
14244 + } while (len < vma->vm_start);
14245 +
14246 +bottomup:
14247 + /*
14248 + * A failed mmap() very likely causes application failure,
14249 + * so fall back to the bottom-up function here. This scenario
14250 + * can happen with large stack limits and large mmap()
14251 + * allocations.
14252 + */
14253 +
14254 +#ifdef CONFIG_PAX_SEGMEXEC
14255 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
14256 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
14257 + else
14258 +#endif
14259 +
14260 + mm->mmap_base = TASK_UNMAPPED_BASE;
14261 +
14262 +#ifdef CONFIG_PAX_RANDMMAP
14263 + if (mm->pax_flags & MF_PAX_RANDMMAP)
14264 + mm->mmap_base += mm->delta_mmap;
14265 +#endif
14266 +
14267 + mm->free_area_cache = mm->mmap_base;
14268 + mm->cached_hole_size = ~0UL;
14269 + addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
14270 + /*
14271 + * Restore the topdown base:
14272 + */
14273 + mm->mmap_base = base;
14274 + mm->free_area_cache = base;
14275 + mm->cached_hole_size = ~0UL;
14276 +
14277 + return addr;
14278 }
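Review bot: In arch_get_unmapped_area the guard `#ifdef CONFIG_PAX_RANDMMAP` / `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` / `#endif` is a brace-less `if` whose body is the separate `if (addr) { … }` statement that follows after a blank line; it works only because C attaches the next statement, and any line inserted between the `#endif` and `if (addr)` would silently change what is guarded. Deleting the blank line and adding `/* the #ifdef'd if above governs this whole block */`, or restructuring so the condition and its body are visibly one statement, would make the intent explicit. The same construct appears in arch_get_unmapped_area_topdown in this hunk, in both sys_x86_64.c arch_get_unmapped_area hunks below (`@@ -69,16 +69,19 @@` and `@@ -141,12 +144,15 @@`), and as a brace-less `if … else` split by `#endif` in the topdown `bottomup:` path here (`if (mm->pax_flags & MF_PAX_SEGMEXEC) … else`) and in the traps.c gp_in_kernel hunk (`@@ -297,6 +319,13 @@`). Separately, the new i386_mmap_check has no comment on what it validates or why `flags` is accepted but unused; a two-line header stating that it rejects mappings that would cross the (SEGMEXEC-adjusted) task size would help.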
14279 diff -urNp linux-2.6.37/arch/x86/kernel/sys_x86_64.c linux-2.6.37/arch/x86/kernel/sys_x86_64.c
14280 --- linux-2.6.37/arch/x86/kernel/sys_x86_64.c 2011-01-04 19:50:19.000000000 -0500
14281 +++ linux-2.6.37/arch/x86/kernel/sys_x86_64.c 2011-01-17 02:41:01.000000000 -0500
14282 @@ -32,8 +32,8 @@ out:
14283 return error;
14284 }
14285
14286 -static void find_start_end(unsigned long flags, unsigned long *begin,
14287 - unsigned long *end)
14288 +static void find_start_end(struct mm_struct *mm, unsigned long flags,
14289 + unsigned long *begin, unsigned long *end)
14290 {
14291 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
14292 unsigned long new_begin;
14293 @@ -52,7 +52,7 @@ static void find_start_end(unsigned long
14294 *begin = new_begin;
14295 }
14296 } else {
14297 - *begin = TASK_UNMAPPED_BASE;
14298 + *begin = mm->mmap_base;
14299 *end = TASK_SIZE;
14300 }
14301 }
14302 @@ -69,16 +69,19 @@ arch_get_unmapped_area(struct file *filp
14303 if (flags & MAP_FIXED)
14304 return addr;
14305
14306 - find_start_end(flags, &begin, &end);
14307 + find_start_end(mm, flags, &begin, &end);
14308
14309 if (len > end)
14310 return -ENOMEM;
14311
14312 +#ifdef CONFIG_PAX_RANDMMAP
14313 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
14314 +#endif
14315 +
14316 if (addr) {
14317 addr = PAGE_ALIGN(addr);
14318 vma = find_vma(mm, addr);
14319 - if (end - len >= addr &&
14320 - (!vma || addr + len <= vma->vm_start))
14321 + if (end - len >= addr && check_heap_stack_gap(vma, addr, len))
14322 return addr;
14323 }
14324 if (((flags & MAP_32BIT) || test_thread_flag(TIF_IA32))
14325 @@ -106,7 +109,7 @@ full_search:
14326 }
14327 return -ENOMEM;
14328 }
14329 - if (!vma || addr + len <= vma->vm_start) {
14330 + if (check_heap_stack_gap(vma, addr, len)) {
14331 /*
14332 * Remember the place where we stopped the search:
14333 */
14334 @@ -128,7 +131,7 @@ arch_get_unmapped_area_topdown(struct fi
14335 {
14336 struct vm_area_struct *vma;
14337 struct mm_struct *mm = current->mm;
14338 - unsigned long addr = addr0;
14339 + unsigned long base = mm->mmap_base, addr = addr0;
14340
14341 /* requested length too big for entire address space */
14342 if (len > TASK_SIZE)
14343 @@ -141,12 +144,15 @@ arch_get_unmapped_area_topdown(struct fi
14344 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT))
14345 goto bottomup;
14346
14347 +#ifdef CONFIG_PAX_RANDMMAP
14348 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
14349 +#endif
14350 +
14351 /* requesting a specific address */
14352 if (addr) {
14353 addr = PAGE_ALIGN(addr);
14354 vma = find_vma(mm, addr);
14355 - if (TASK_SIZE - len >= addr &&
14356 - (!vma || addr + len <= vma->vm_start))
14357 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
14358 return addr;
14359 }
14360
14361 @@ -162,7 +168,7 @@ arch_get_unmapped_area_topdown(struct fi
14362 /* make sure it can fit in the remaining address space */
14363 if (addr > len) {
14364 vma = find_vma(mm, addr-len);
14365 - if (!vma || addr <= vma->vm_start)
14366 + if (check_heap_stack_gap(vma, addr - len, len))
14367 /* remember the address as a hint for next time */
14368 return mm->free_area_cache = addr-len;
14369 }
14370 @@ -179,7 +185,7 @@ arch_get_unmapped_area_topdown(struct fi
14371 * return with success:
14372 */
14373 vma = find_vma(mm, addr);
14374 - if (!vma || addr+len <= vma->vm_start)
14375 + if (check_heap_stack_gap(vma, addr, len))
14376 /* remember the address as a hint for next time */
14377 return mm->free_area_cache = addr;
14378
14379 @@ -198,13 +204,21 @@ bottomup:
14380 * can happen with large stack limits and large mmap()
14381 * allocations.
14382 */
14383 + mm->mmap_base = TASK_UNMAPPED_BASE;
14384 +
14385 +#ifdef CONFIG_PAX_RANDMMAP
14386 + if (mm->pax_flags & MF_PAX_RANDMMAP)
14387 + mm->mmap_base += mm->delta_mmap;
14388 +#endif
14389 +
14390 + mm->free_area_cache = mm->mmap_base;
14391 mm->cached_hole_size = ~0UL;
14392 - mm->free_area_cache = TASK_UNMAPPED_BASE;
14393 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
14394 /*
14395 * Restore the topdown base:
14396 */
14397 - mm->free_area_cache = mm->mmap_base;
14398 + mm->mmap_base = base;
14399 + mm->free_area_cache = base;
14400 mm->cached_hole_size = ~0UL;
14401
14402 return addr;
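Review bot: The bottom-up fallback now rewrites `mm->mmap_base` (to TASK_UNMAPPED_BASE plus the optional RANDMMAP delta) for the duration of the nested arch_get_unmapped_area call and restores it from `base` afterwards, where the original code only touched `free_area_cache`. Anything reading `mm->mmap_base` concurrently without holding mmap_sem for write would observe the transient value; presumably every caller of this function holds it, but the hunk does not say so, and a comment above the first assignment such as `/* temporarily rewrite mmap_base for the fallback; caller holds mmap_sem for write */` would pin the requirement. The new arch_get_unmapped_area_topdown in the sys_i386_32.c hunk above does the same and would take the same comment. arch_get_unmapped_area_topdown starts outside this hunk.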
14403 diff -urNp linux-2.6.37/arch/x86/kernel/time.c linux-2.6.37/arch/x86/kernel/time.c
14404 --- linux-2.6.37/arch/x86/kernel/time.c 2011-01-04 19:50:19.000000000 -0500
14405 +++ linux-2.6.37/arch/x86/kernel/time.c 2011-01-17 02:41:01.000000000 -0500
14406 @@ -26,17 +26,13 @@
14407 int timer_ack;
14408 #endif
14409
14410 -#ifdef CONFIG_X86_64
14411 -volatile unsigned long __jiffies __section_jiffies = INITIAL_JIFFIES;
14412 -#endif
14413 -
14414 unsigned long profile_pc(struct pt_regs *regs)
14415 {
14416 unsigned long pc = instruction_pointer(regs);
14417
14418 - if (!user_mode_vm(regs) && in_lock_functions(pc)) {
14419 + if (!user_mode(regs) && in_lock_functions(pc)) {
14420 #ifdef CONFIG_FRAME_POINTER
14421 - return *(unsigned long *)(regs->bp + sizeof(long));
14422 + return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long)));
14423 #else
14424 unsigned long *sp =
14425 (unsigned long *)kernel_stack_pointer(regs);
14426 @@ -45,11 +41,17 @@ unsigned long profile_pc(struct pt_regs
14427 * or above a saved flags. Eflags has bits 22-31 zero,
14428 * kernel addresses don't.
14429 */
14430 +
14431 +#ifdef CONFIG_PAX_KERNEXEC
14432 + return ktla_ktva(sp[0]);
14433 +#else
14434 if (sp[0] >> 22)
14435 return sp[0];
14436 if (sp[1] >> 22)
14437 return sp[1];
14438 #endif
14439 +
14440 +#endif
14441 }
14442 return pc;
14443 }
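Review bot: Under `CONFIG_PAX_KERNEXEC` the new `return ktla_ktva(sp[0]);` drops the `sp[0] >> 22` / `sp[1] >> 22` heuristic that the comment immediately above it still describes ("Eflags has bits 22-31 zero, kernel addresses don't"), so that comment no longer matches the KERNEXEC build. Presumably the test is not reliable for the linear addresses KERNEXEC gives kernel text, but the reason is not stated; a comment on the new return line saying why `sp[0]` can be trusted unconditionally there is needed. The nesting `#endif` / blank line / `#endif` at the end of the block also reads awkwardly and could be tidied. profile_pc begins outside this hunk.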
14444 diff -urNp linux-2.6.37/arch/x86/kernel/tls.c linux-2.6.37/arch/x86/kernel/tls.c
14445 --- linux-2.6.37/arch/x86/kernel/tls.c 2011-01-04 19:50:19.000000000 -0500
14446 +++ linux-2.6.37/arch/x86/kernel/tls.c 2011-01-17 02:41:01.000000000 -0500
14447 @@ -85,6 +85,11 @@ int do_set_thread_area(struct task_struc
14448 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
14449 return -EINVAL;
14450
14451 +#ifdef CONFIG_PAX_SEGMEXEC
14452 + if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
14453 + return -EINVAL;
14454 +#endif
14455 +
14456 set_tls_desc(p, idx, &info, 1);
14457
14458 return 0;
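Review bot: The new SEGMEXEC check dereferences `p->mm->pax_flags` without a NULL test, whereas the analogous PAGEEXEC check in the traps.c hunk below guards with `tsk->mm && (tsk->mm->pax_flags & …)`. If do_set_thread_area is only reachable for tasks that own an mm (the current task, or a ptraced user task) the dereference is fine, but the two hunks apply different rules to the same kind of pointer; either add `p->mm &&` here for consistency or state the invariant, `/* p is current or a ptraced user task, so p->mm is non-NULL */`. do_set_thread_area starts outside this hunk.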
14459 diff -urNp linux-2.6.37/arch/x86/kernel/trampoline_32.S linux-2.6.37/arch/x86/kernel/trampoline_32.S
14460 --- linux-2.6.37/arch/x86/kernel/trampoline_32.S 2011-01-04 19:50:19.000000000 -0500
14461 +++ linux-2.6.37/arch/x86/kernel/trampoline_32.S 2011-01-17 02:41:01.000000000 -0500
14462 @@ -32,6 +32,12 @@
14463 #include <asm/segment.h>
14464 #include <asm/page_types.h>
14465
14466 +#ifdef CONFIG_PAX_KERNEXEC
14467 +#define ta(X) (X)
14468 +#else
14469 +#define ta(X) ((X) - __PAGE_OFFSET)
14470 +#endif
14471 +
14472 /* We can free up trampoline after bootup if cpu hotplug is not supported. */
14473 __CPUINITRODATA
14474 .code16
14475 @@ -60,7 +66,7 @@ r_base = .
14476 inc %ax # protected mode (PE) bit
14477 lmsw %ax # into protected mode
14478 # flush prefetch and jump to startup_32_smp in arch/i386/kernel/head.S
14479 - ljmpl $__BOOT_CS, $(startup_32_smp-__PAGE_OFFSET)
14480 + ljmpl $__BOOT_CS, $ta(startup_32_smp)
14481
14482 # These need to be in the same 64K segment as the above;
14483 # hence we don't use the boot_gdt_descr defined in head.S
14484 diff -urNp linux-2.6.37/arch/x86/kernel/trampoline_64.S linux-2.6.37/arch/x86/kernel/trampoline_64.S
14485 --- linux-2.6.37/arch/x86/kernel/trampoline_64.S 2011-01-04 19:50:19.000000000 -0500
14486 +++ linux-2.6.37/arch/x86/kernel/trampoline_64.S 2011-01-17 02:41:01.000000000 -0500
14487 @@ -91,7 +91,7 @@ startup_32:
14488 movl $__KERNEL_DS, %eax # Initialize the %ds segment register
14489 movl %eax, %ds
14490
14491 - movl $X86_CR4_PAE, %eax
14492 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
14493 movl %eax, %cr4 # Enable PAE mode
14494
14495 # Setup trampoline 4 level pagetables
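Review bot: The comment on the line following `movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax` still reads `# Enable PAE mode`, but the value written to %cr4 now also sets PSE and PGE, so the comment describes only part of what the instruction does. Update it to `movl %eax, %cr4 # Enable PSE, PAE and PGE`. A short note on why large pages and global pages are wanted this early in the trampoline would also help, since the hunk does not give the reason.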
14496 @@ -138,7 +138,7 @@ tidt:
14497 # so the kernel can live anywhere
14498 .balign 4
14499 tgdt:
14500 - .short tgdt_end - tgdt # gdt limit
14501 + .short tgdt_end - tgdt - 1 # gdt limit
14502 .long tgdt - r_base
14503 .short 0
14504 .quad 0x00cf9b000000ffff # __KERNEL32_CS
14505 diff -urNp linux-2.6.37/arch/x86/kernel/traps.c linux-2.6.37/arch/x86/kernel/traps.c
14506 --- linux-2.6.37/arch/x86/kernel/traps.c 2011-01-04 19:50:19.000000000 -0500
14507 +++ linux-2.6.37/arch/x86/kernel/traps.c 2011-01-17 02:41:01.000000000 -0500
14508 @@ -70,12 +70,6 @@ asmlinkage int system_call(void);
14509
14510 /* Do we ignore FPU interrupts ? */
14511 char ignore_fpu_irq;
14512 -
14513 -/*
14514 - * The IDT has to be page-aligned to simplify the Pentium
14515 - * F0 0F bug workaround.
14516 - */
14517 -gate_desc idt_table[NR_VECTORS] __page_aligned_data = { { { { 0, 0 } } }, };
14518 #endif
14519
14520 DECLARE_BITMAP(used_vectors, NR_VECTORS);
14521 @@ -110,13 +104,13 @@ static inline void preempt_conditional_c
14522 }
14523
14524 static void __kprobes
14525 -do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
14526 +do_trap(int trapnr, int signr, const char *str, struct pt_regs *regs,
14527 long error_code, siginfo_t *info)
14528 {
14529 struct task_struct *tsk = current;
14530
14531 #ifdef CONFIG_X86_32
14532 - if (regs->flags & X86_VM_MASK) {
14533 + if (v8086_mode(regs)) {
14534 /*
14535 * traps 0, 1, 3, 4, and 5 should be forwarded to vm86.
14536 * On nmi (interrupt 2), do_trap should not be called.
14537 @@ -127,7 +121,7 @@ do_trap(int trapnr, int signr, char *str
14538 }
14539 #endif
14540
14541 - if (!user_mode(regs))
14542 + if (!user_mode_novm(regs))
14543 goto kernel_trap;
14544
14545 #ifdef CONFIG_X86_32
14546 @@ -150,7 +144,7 @@ trap_signal:
14547 printk_ratelimit()) {
14548 printk(KERN_INFO
14549 "%s[%d] trap %s ip:%lx sp:%lx error:%lx",
14550 - tsk->comm, tsk->pid, str,
14551 + tsk->comm, task_pid_nr(tsk), str,
14552 regs->ip, regs->sp, error_code);
14553 print_vma_addr(" in ", regs->ip);
14554 printk("\n");
14555 @@ -167,8 +161,20 @@ kernel_trap:
14556 if (!fixup_exception(regs)) {
14557 tsk->thread.error_code = error_code;
14558 tsk->thread.trap_no = trapnr;
14559 +
14560 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
14561 + if (trapnr == 12 && ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS))
14562 + str = "PAX: suspicious stack segment fault";
14563 +#endif
14564 +
14565 die(str, regs, error_code);
14566 }
14567 +
14568 +#ifdef CONFIG_PAX_REFCOUNT
14569 + if (trapnr == 4)
14570 + pax_report_refcount_overflow(regs);
14571 +#endif
14572 +
14573 return;
14574
14575 #ifdef CONFIG_X86_32
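Review bot: The new checks compare `trapnr` against the bare literals 12 and 4 (`if (trapnr == 12 && …)` and `if (trapnr == 4)`) with nothing saying which exceptions they are; this kernel has no named trap-number constants, so a comment is the minimum: `if (trapnr == 12 && …) /* #SS: stack segment fault */` and `if (trapnr == 4) /* #OF: overflow (into) */`. It is also worth stating that the `pax_report_refcount_overflow(regs)` call sits outside the `if (!fixup_exception(regs))` block deliberately, i.e. it is reached in practice only after the faulting instruction was handled through the exception table (die() normally does not return). do_trap begins outside this hunk.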
14576 @@ -257,14 +263,30 @@ do_general_protection(struct pt_regs *re
14577 conditional_sti(regs);
14578
14579 #ifdef CONFIG_X86_32
14580 - if (regs->flags & X86_VM_MASK)
14581 + if (v8086_mode(regs))
14582 goto gp_in_vm86;
14583 #endif
14584
14585 tsk = current;
14586 - if (!user_mode(regs))
14587 + if (!user_mode_novm(regs))
14588 goto gp_in_kernel;
14589
14590 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
14591 + if (!(__supported_pte_mask & _PAGE_NX) && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
14592 + struct mm_struct *mm = tsk->mm;
14593 + unsigned long limit;
14594 +
14595 + down_write(&mm->mmap_sem);
14596 + limit = mm->context.user_cs_limit;
14597 + if (limit < TASK_SIZE) {
14598 + track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
14599 + up_write(&mm->mmap_sem);
14600 + return;
14601 + }
14602 + up_write(&mm->mmap_sem);
14603 + }
14604 +#endif
14605 +
14606 tsk->thread.error_code = error_code;
14607 tsk->thread.trap_no = 13;
14608
14609 @@ -297,6 +319,13 @@ gp_in_kernel:
14610 if (notify_die(DIE_GPF, "general protection fault", regs,
14611 error_code, 13, SIGSEGV) == NOTIFY_STOP)
14612 return;
14613 +
14614 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
14615 + if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)
14616 + die("PAX: suspicious general protection fault", regs, error_code);
14617 + else
14618 +#endif
14619 +
14620 die("general protection fault", regs, error_code);
14621 }
14622
14623 @@ -572,7 +601,7 @@ dotraplinkage void __kprobes do_debug(st
14624 /* It's safe to allow irq's after DR6 has been saved */
14625 preempt_conditional_sti(regs);
14626
14627 - if (regs->flags & X86_VM_MASK) {
14628 + if (v8086_mode(regs)) {
14629 handle_vm86_trap((struct kernel_vm86_regs *) regs,
14630 error_code, 1);
14631 preempt_conditional_cli(regs);
14632 @@ -586,7 +615,7 @@ dotraplinkage void __kprobes do_debug(st
14633 * We already checked v86 mode above, so we can check for kernel mode
14634 * by just checking the CPL of CS.
14635 */
14636 - if ((dr6 & DR_STEP) && !user_mode(regs)) {
14637 + if ((dr6 & DR_STEP) && !user_mode_novm(regs)) {
14638 tsk->thread.debugreg6 &= ~DR_STEP;
14639 set_tsk_thread_flag(tsk, TIF_SINGLESTEP);
14640 regs->flags &= ~X86_EFLAGS_TF;
14641 @@ -615,7 +644,7 @@ void math_error(struct pt_regs *regs, in
14642 return;
14643 conditional_sti(regs);
14644
14645 - if (!user_mode_vm(regs))
14646 + if (!user_mode(regs))
14647 {
14648 if (!fixup_exception(regs)) {
14649 task->thread.error_code = error_code;
14650 diff -urNp linux-2.6.37/arch/x86/kernel/tsc.c linux-2.6.37/arch/x86/kernel/tsc.c
14651 --- linux-2.6.37/arch/x86/kernel/tsc.c 2011-01-04 19:50:19.000000000 -0500
14652 +++ linux-2.6.37/arch/x86/kernel/tsc.c 2011-01-17 02:41:01.000000000 -0500
14653 @@ -837,7 +837,7 @@ static struct dmi_system_id __initdata b
14654 DMI_MATCH(DMI_BOARD_NAME, "2635FA0"),
14655 },
14656 },
14657 - {}
14658 + { NULL, NULL, {{0, {0}}}, NULL}
14659 };
14660
14661 static void __init check_system_tsc_reliable(void)
14662 diff -urNp linux-2.6.37/arch/x86/kernel/vm86_32.c linux-2.6.37/arch/x86/kernel/vm86_32.c
14663 --- linux-2.6.37/arch/x86/kernel/vm86_32.c 2011-01-04 19:50:19.000000000 -0500
14664 +++ linux-2.6.37/arch/x86/kernel/vm86_32.c 2011-01-17 02:41:01.000000000 -0500
14665 @@ -41,6 +41,7 @@
14666 #include <linux/ptrace.h>
14667 #include <linux/audit.h>
14668 #include <linux/stddef.h>
14669 +#include <linux/grsecurity.h>
14670
14671 #include <asm/uaccess.h>
14672 #include <asm/io.h>
14673 @@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct ke
14674 do_exit(SIGSEGV);
14675 }
14676
14677 - tss = &per_cpu(init_tss, get_cpu());
14678 + tss = init_tss + get_cpu();
14679 current->thread.sp0 = current->thread.saved_sp0;
14680 current->thread.sysenter_cs = __KERNEL_CS;
14681 load_sp0(tss, &current->thread);
14682 @@ -207,6 +208,13 @@ int sys_vm86old(struct vm86_struct __use
14683 struct task_struct *tsk;
14684 int tmp, ret = -EPERM;
14685
14686 +#ifdef CONFIG_GRKERNSEC_VM86
14687 + if (!capable(CAP_SYS_RAWIO)) {
14688 + gr_handle_vm86();
14689 + goto out;
14690 + }
14691 +#endif
14692 +
14693 tsk = current;
14694 if (tsk->thread.saved_sp0)
14695 goto out;
14696 @@ -237,6 +245,14 @@ int sys_vm86(unsigned long cmd, unsigned
14697 int tmp, ret;
14698 struct vm86plus_struct __user *v86;
14699
14700 +#ifdef CONFIG_GRKERNSEC_VM86
14701 + if (!capable(CAP_SYS_RAWIO)) {
14702 + gr_handle_vm86();
14703 + ret = -EPERM;
14704 + goto out;
14705 + }
14706 +#endif
14707 +
14708 tsk = current;
14709 switch (cmd) {
14710 case VM86_REQUEST_IRQ:
14711 @@ -323,7 +339,7 @@ static void do_sys_vm86(struct kernel_vm
14712 tsk->thread.saved_fs = info->regs32->fs;
14713 tsk->thread.saved_gs = get_user_gs(info->regs32);
14714
14715 - tss = &per_cpu(init_tss, get_cpu());
14716 + tss = init_tss + get_cpu();
14717 tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
14718 if (cpu_has_sep)
14719 tsk->thread.sysenter_cs = 0;
14720 @@ -528,7 +544,7 @@ static void do_int(struct kernel_vm86_re
14721 goto cannot_handle;
14722 if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
14723 goto cannot_handle;
14724 - intr_ptr = (unsigned long __user *) (i << 2);
14725 + intr_ptr = (__force unsigned long __user *) (i << 2);
14726 if (get_user(segoffs, intr_ptr))
14727 goto cannot_handle;
14728 if ((segoffs >> 16) == BIOSSEG)
14729 diff -urNp linux-2.6.37/arch/x86/kernel/vmlinux.lds.S linux-2.6.37/arch/x86/kernel/vmlinux.lds.S
14730 --- linux-2.6.37/arch/x86/kernel/vmlinux.lds.S 2011-01-04 19:50:19.000000000 -0500
14731 +++ linux-2.6.37/arch/x86/kernel/vmlinux.lds.S 2011-01-17 02:41:01.000000000 -0500
14732 @@ -26,6 +26,13 @@
14733 #include <asm/page_types.h>
14734 #include <asm/cache.h>
14735 #include <asm/boot.h>
14736 +#include <asm/segment.h>
14737 +
14738 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
14739 +#define __KERNEL_TEXT_OFFSET (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR)
14740 +#else
14741 +#define __KERNEL_TEXT_OFFSET 0
14742 +#endif
14743
14744 #undef i386 /* in case the preprocessor is a 32bit one */
14745
14746 @@ -34,11 +41,9 @@ OUTPUT_FORMAT(CONFIG_OUTPUT_FORMAT, CONF
14747 #ifdef CONFIG_X86_32
14748 OUTPUT_ARCH(i386)
14749 ENTRY(phys_startup_32)
14750 -jiffies = jiffies_64;
14751 #else
14752 OUTPUT_ARCH(i386:x86-64)
14753 ENTRY(phys_startup_64)
14754 -jiffies_64 = jiffies;
14755 #endif
14756
14757 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
14758 @@ -69,31 +74,46 @@ jiffies_64 = jiffies;
14759
14760 PHDRS {
14761 text PT_LOAD FLAGS(5); /* R_E */
14762 - data PT_LOAD FLAGS(7); /* RWE */
14763 +#ifdef CONFIG_X86_32
14764 + module PT_LOAD FLAGS(5); /* R_E */
14765 +#endif
14766 +#ifdef CONFIG_XEN
14767 + rodata PT_LOAD FLAGS(5); /* R_E */
14768 +#else
14769 + rodata PT_LOAD FLAGS(4); /* R__ */
14770 +#endif
14771 + data PT_LOAD FLAGS(6); /* RW_ */
14772 #ifdef CONFIG_X86_64
14773 user PT_LOAD FLAGS(5); /* R_E */
14774 +#endif
14775 + init.begin PT_LOAD FLAGS(6); /* RW_ */
14776 #ifdef CONFIG_SMP
14777 percpu PT_LOAD FLAGS(6); /* RW_ */
14778 #endif
14779 + text.init PT_LOAD FLAGS(5); /* R_E */
14780 + text.exit PT_LOAD FLAGS(5); /* R_E */
14781 init PT_LOAD FLAGS(7); /* RWE */
14782 -#endif
14783 note PT_NOTE FLAGS(0); /* ___ */
14784 }
14785
14786 SECTIONS
14787 {
14788 #ifdef CONFIG_X86_32
14789 - . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
14790 - phys_startup_32 = startup_32 - LOAD_OFFSET;
14791 + . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
14792 #else
14793 - . = __START_KERNEL;
14794 - phys_startup_64 = startup_64 - LOAD_OFFSET;
14795 + . = __START_KERNEL;
14796 #endif
14797
14798 /* Text and read-only data */
14799 - .text : AT(ADDR(.text) - LOAD_OFFSET) {
14800 - _text = .;
14801 + .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
14802 /* bootstrapping code */
14803 +#ifdef CONFIG_X86_32
14804 + phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
14805 +#else
14806 + phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
14807 +#endif
14808 + __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
14809 + _text = .;
14810 HEAD_TEXT
14811 #ifdef CONFIG_X86_32
14812 . = ALIGN(PAGE_SIZE);
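Review bot: In the PHDRS block the Xen build gives `rodata` FLAGS(5) (read+execute) while every other build gets FLAGS(4) (read-only), with no comment on why; as far as this hunk shows it is the one configuration in the new layout where read-only data stays in an executable segment, so the constraint that forces it should be recorded, e.g. `/* Xen: rodata must stay executable because <reason> */`. The `.text` output section is now placed at `. - __KERNEL_TEXT_OFFSET` with `AT()` compensating by the same amount, and `phys_startup_32`/`phys_startup_64` and `__LOAD_PHYSICAL_ADDR` are defined inside it ahead of `_text`; a short comment above that line on the VMA/LMA split would save the next reader from re-deriving it. The SECTIONS body continues past the hunk.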
14813 @@ -108,13 +128,47 @@ SECTIONS
14814 IRQENTRY_TEXT
14815 *(.fixup)
14816 *(.gnu.warning)
14817 - /* End of text section */
14818 - _etext = .;
14819 } :text = 0x9090
14820
14821 - NOTES :text :note
14822 + . += __KERNEL_TEXT_OFFSET;
14823 +
14824 +#ifdef CONFIG_X86_32
14825 + . = ALIGN(PAGE_SIZE);
14826 + .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
14827 +
14828 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_MODULES)
14829 + MODULES_EXEC_VADDR = .;
14830 + BYTE(0)
14831 + . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
14832 + . = ALIGN(HPAGE_SIZE);
14833 + MODULES_EXEC_END = . - 1;
14834 +#endif
14835 +
14836 + } :module
14837 +#endif
14838 +
14839 + .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) {
14840 + /* End of text section */
14841 + _etext = . - __KERNEL_TEXT_OFFSET;
14842 + }
14843
14844 - EXCEPTION_TABLE(16) :text = 0x9090
14845 +#ifdef CONFIG_X86_32
14846 + . = ALIGN(PAGE_SIZE);
14847 + .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
14848 + *(.idt)
14849 + . = ALIGN(PAGE_SIZE);
14850 + *(.empty_zero_page)
14851 + *(.initial_pg_fixmap)
14852 + *(.initial_pg_pmd)
14853 + *(.initial_page_table)
14854 + *(.swapper_pg_dir)
14855 + } :rodata
14856 +#endif
14857 +
14858 + . = ALIGN(PAGE_SIZE);
14859 + NOTES :rodata :note
14860 +
14861 + EXCEPTION_TABLE(16) :rodata
14862
14863 X64_ALIGN_DEBUG_RODATA_BEGIN
14864 RO_DATA(PAGE_SIZE)
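Review bot: On CONFIG_X86_32 the new `.rodata.page_aligned` output section gathers `.idt`, `.initial_page_table`, `.initial_pg_pmd`, `.initial_pg_fixmap` and `.swapper_pg_dir` into the `rodata` program header, which the new PHDRS flag as read-only outside Xen, so every writer of those tables has to go through the write-enable helpers this patch uses elsewhere (`pax_open_kernel()`/`pax_close_kernel()`); those writers are outside this hunk and the dependency is stated nowhere in the script. Suggest a comment on the section such as `/* IDT and initial page tables: read-only once mapped; writers must use pax_open_kernel() */`. The `.module.text` reservation `. += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024)` likewise deserves a note that the Kconfig value is in megabytes, and `_etext = . - __KERNEL_TEXT_OFFSET;` in `.text.end` apparently expresses the end address in the shifted `.text` VMA space (the preceding `. += __KERNEL_TEXT_OFFSET` moved `.` out of it), which is worth one line of explanation.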
14865 @@ -122,16 +176,20 @@ SECTIONS
14866
14867 /* Data */
14868 .data : AT(ADDR(.data) - LOAD_OFFSET) {
14869 +
14870 +#ifdef CONFIG_PAX_KERNEXEC
14871 + . = ALIGN(HPAGE_SIZE);
14872 +#else
14873 + . = ALIGN(PAGE_SIZE);
14874 +#endif
14875 +
14876 /* Start of data section */
14877 _sdata = .;
14878
14879 /* init_task */
14880 INIT_TASK_DATA(THREAD_SIZE)
14881
14882 -#ifdef CONFIG_X86_32
14883 - /* 32 bit has nosave before _edata */
14884 NOSAVE_DATA
14885 -#endif
14886
14887 PAGE_ALIGNED_DATA(PAGE_SIZE)
14888
14889 @@ -140,6 +198,8 @@ SECTIONS
14890 DATA_DATA
14891 CONSTRUCTORS
14892
14893 + jiffies = jiffies_64;
14894 +
14895 /* rarely changed data like cpu maps */
14896 READ_MOSTLY_DATA(INTERNODE_CACHE_BYTES)
14897
14898 @@ -194,12 +254,6 @@ SECTIONS
14899 }
14900 vgetcpu_mode = VVIRT(.vgetcpu_mode);
14901
14902 - . = ALIGN(L1_CACHE_BYTES);
14903 - .jiffies : AT(VLOAD(.jiffies)) {
14904 - *(.jiffies)
14905 - }
14906 - jiffies = VVIRT(.jiffies);
14907 -
14908 .vsyscall_3 ADDR(.vsyscall_0) + 3072: AT(VLOAD(.vsyscall_3)) {
14909 *(.vsyscall_3)
14910 }
14911 @@ -215,12 +269,19 @@ SECTIONS
14912 #endif /* CONFIG_X86_64 */
14913
14914 /* Init code and data - will be freed after init */
14915 - . = ALIGN(PAGE_SIZE);
14916 .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
14917 + BYTE(0)
14918 +
14919 +#ifdef CONFIG_PAX_KERNEXEC
14920 + . = ALIGN(HPAGE_SIZE);
14921 +#else
14922 + . = ALIGN(PAGE_SIZE);
14923 +#endif
14924 +
14925 __init_begin = .; /* paired with __init_end */
14926 - }
14927 + } :init.begin
14928
14929 -#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
14930 +#ifdef CONFIG_SMP
14931 /*
14932 * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
14933 * output PHDR, so the next output section - .init.text - should
14934 @@ -229,12 +290,27 @@ SECTIONS
14935 PERCPU_VADDR(0, :percpu)
14936 #endif
14937
14938 - INIT_TEXT_SECTION(PAGE_SIZE)
14939 -#ifdef CONFIG_X86_64
14940 - :init
14941 -#endif
14942 + . = ALIGN(PAGE_SIZE);
14943 + init_begin = .;
14944 + .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
14945 + VMLINUX_SYMBOL(_sinittext) = .;
14946 + INIT_TEXT
14947 + VMLINUX_SYMBOL(_einittext) = .;
14948 + . = ALIGN(PAGE_SIZE);
14949 + } :text.init
14950
14951 - INIT_DATA_SECTION(16)
14952 + /*
14953 + * .exit.text is discard at runtime, not link time, to deal with
14954 + * references from .altinstructions and .eh_frame
14955 + */
14956 + .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
14957 + EXIT_TEXT
14958 + . = ALIGN(16);
14959 + } :text.exit
14960 + . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
14961 +
14962 + . = ALIGN(PAGE_SIZE);
14963 + INIT_DATA_SECTION(16) :init
14964
14965 .x86_cpu_dev.init : AT(ADDR(.x86_cpu_dev.init) - LOAD_OFFSET) {
14966 __x86_cpu_dev_start = .;
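Review bot: After `.init.text` and `.exit.text` are emitted at VMAs shifted by `__KERNEL_TEXT_OFFSET`, the location counter is reset by hand with `. = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);`; that line is the only thing keeping the following `INIT_DATA_SECTION` at its load address and it carries no comment. Suggest `/* .init.text/.exit.text were placed at VMA - __KERNEL_TEXT_OFFSET; bring . back to the LMA for the rest of init */`. The `.exit.text` comment moved up from below still reads "is discard at runtime"; since it is being rewritten anyway, fix it to "is discarded at runtime". The asymmetry that `.exit.text` adds `__KERNEL_TEXT_OFFSET` in its `AT()` while `.init.text` uses `AT(init_begin - LOAD_OFFSET)` looks intentional (`init_begin` is captured before the shift) but deserves a word in the same comment.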
14967 @@ -288,19 +364,12 @@ SECTIONS
14968 __iommu_table_end = .;
14969 }
14970 . = ALIGN(8);
14971 - /*
14972 - * .exit.text is discard at runtime, not link time, to deal with
14973 - * references from .altinstructions and .eh_frame
14974 - */
14975 - .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
14976 - EXIT_TEXT
14977 - }
14978
14979 .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) {
14980 EXIT_DATA
14981 }
14982
14983 -#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP)
14984 +#ifndef CONFIG_SMP
14985 PERCPU(THREAD_SIZE)
14986 #endif
14987
14988 @@ -319,16 +388,10 @@ SECTIONS
14989 .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
14990 __smp_locks = .;
14991 *(.smp_locks)
14992 - . = ALIGN(PAGE_SIZE);
14993 __smp_locks_end = .;
14994 + . = ALIGN(PAGE_SIZE);
14995 }
14996
14997 -#ifdef CONFIG_X86_64
14998 - .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) {
14999 - NOSAVE_DATA
15000 - }
15001 -#endif
15002 -
15003 /* BSS */
15004 . = ALIGN(PAGE_SIZE);
15005 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
15006 @@ -344,6 +407,7 @@ SECTIONS
15007 __brk_base = .;
15008 . += 64 * 1024; /* 64k alignment slop space */
15009 *(.brk_reservation) /* areas brk users have reserved */
15010 + . = ALIGN(HPAGE_SIZE);
15011 __brk_limit = .;
15012 }
15013
15014 @@ -370,13 +434,12 @@ SECTIONS
15015 * for the boot processor.
15016 */
15017 #define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load
15018 -INIT_PER_CPU(gdt_page);
15019 INIT_PER_CPU(irq_stack_union);
15020
15021 /*
15022 * Build-time check on the image size:
15023 */
15024 -. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE),
15025 +. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
15026 "kernel image bigger than KERNEL_IMAGE_SIZE");
15027
15028 #ifdef CONFIG_SMP
15029 diff -urNp linux-2.6.37/arch/x86/kernel/vsyscall_64.c linux-2.6.37/arch/x86/kernel/vsyscall_64.c
15030 --- linux-2.6.37/arch/x86/kernel/vsyscall_64.c 2011-01-04 19:50:19.000000000 -0500
15031 +++ linux-2.6.37/arch/x86/kernel/vsyscall_64.c 2011-01-17 02:41:01.000000000 -0500
15032 @@ -80,6 +80,7 @@ void update_vsyscall(struct timespec *wa
15033
15034 write_seqlock_irqsave(&vsyscall_gtod_data.lock, flags);
15035 /* copy vsyscall data */
15036 + strlcpy(vsyscall_gtod_data.clock.name, clock->name, sizeof vsyscall_gtod_data.clock.name);
15037 vsyscall_gtod_data.clock.vread = clock->vread;
15038 vsyscall_gtod_data.clock.cycle_last = clock->cycle_last;
15039 vsyscall_gtod_data.clock.mask = clock->mask;
15040 @@ -208,7 +209,7 @@ vgetcpu(unsigned *cpu, unsigned *node, s
15041 We do this here because otherwise user space would do it on
15042 its own in a likely inferior way (no access to jiffies).
15043 If you don't like it pass NULL. */
15044 - if (tcache && tcache->blob[0] == (j = __jiffies)) {
15045 + if (tcache && tcache->blob[0] == (j = jiffies)) {
15046 p = tcache->blob[1];
15047 } else if (__vgetcpu_mode == VGETCPU_RDTSCP) {
15048 /* Load per CPU data from RDTSCP */
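Review bot: The tcache check in `vgetcpu` now reads `jiffies` instead of the vsyscall-mapped `__jiffies`, and this patch also drops the `.jiffies` vsyscall section and moves the `jiffies` alias into `.data` (vmlinux.lds.S hunks above). `vgetcpu` executes from the user-visible vsyscall page, so this read is only valid if `jiffies` is reachable from that mapping; if it is not, the tcache fast path would fault on every call, so this should be confirmed and recorded next to the new line, e.g. `/* jiffies now lives in .data; readable here because <mapping> */`. The body of vgetcpu starts and ends outside the hunk.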
15049 diff -urNp linux-2.6.37/arch/x86/kernel/x8664_ksyms_64.c linux-2.6.37/arch/x86/kernel/x8664_ksyms_64.c
15050 --- linux-2.6.37/arch/x86/kernel/x8664_ksyms_64.c 2011-01-04 19:50:19.000000000 -0500
15051 +++ linux-2.6.37/arch/x86/kernel/x8664_ksyms_64.c 2011-01-17 02:41:01.000000000 -0500
15052 @@ -29,8 +29,6 @@ EXPORT_SYMBOL(__put_user_8);
15053 EXPORT_SYMBOL(copy_user_generic_string);
15054 EXPORT_SYMBOL(copy_user_generic_unrolled);
15055 EXPORT_SYMBOL(__copy_user_nocache);
15056 -EXPORT_SYMBOL(_copy_from_user);
15057 -EXPORT_SYMBOL(_copy_to_user);
15058
15059 EXPORT_SYMBOL(copy_page);
15060 EXPORT_SYMBOL(clear_page);
15061 diff -urNp linux-2.6.37/arch/x86/kernel/xsave.c linux-2.6.37/arch/x86/kernel/xsave.c
15062 --- linux-2.6.37/arch/x86/kernel/xsave.c 2011-01-04 19:50:19.000000000 -0500
15063 +++ linux-2.6.37/arch/x86/kernel/xsave.c 2011-01-17 02:41:01.000000000 -0500
15064 @@ -130,7 +130,7 @@ int check_for_xstate(struct i387_fxsave_
15065 fx_sw_user->xstate_size > fx_sw_user->extended_size)
15066 return -EINVAL;
15067
15068 - err = __get_user(magic2, (__u32 *) (((void *)fpstate) +
15069 + err = __get_user(magic2, (__u32 __user *) (((void __user *)fpstate) +
15070 fx_sw_user->extended_size -
15071 FP_XSTATE_MAGIC2_SIZE));
15072 if (err)
15073 @@ -267,7 +267,7 @@ fx_only:
15074 * the other extended state.
15075 */
15076 xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE);
15077 - return fxrstor_checking((__force struct i387_fxsave_struct *)buf);
15078 + return fxrstor_checking((struct i387_fxsave_struct __user *)buf);
15079 }
15080
15081 /*
15082 @@ -299,7 +299,7 @@ int restore_i387_xstate(void __user *buf
15083 if (use_xsave())
15084 err = restore_user_xstate(buf);
15085 else
15086 - err = fxrstor_checking((__force struct i387_fxsave_struct *)
15087 + err = fxrstor_checking((struct i387_fxsave_struct __user *)
15088 buf);
15089 if (unlikely(err)) {
15090 /*
15091 diff -urNp linux-2.6.37/arch/x86/kvm/emulate.c linux-2.6.37/arch/x86/kvm/emulate.c
15092 --- linux-2.6.37/arch/x86/kvm/emulate.c 2011-01-04 19:50:19.000000000 -0500
15093 +++ linux-2.6.37/arch/x86/kvm/emulate.c 2011-01-17 02:41:01.000000000 -0500
15094 @@ -96,7 +96,7 @@
15095 #define Src2ImmByte (2<<29)
15096 #define Src2One (3<<29)
15097 #define Src2Imm (4<<29)
15098 -#define Src2Mask (7<<29)
15099 +#define Src2Mask (7U<<29)
15100
15101 #define X2(x...) x, x
15102 #define X3(x...) X2(x), x
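Review bot: `Src2Mask` becomes `(7U<<29)` to avoid a signed left shift into the sign bit, but the neighbouring context line `#define Src2Imm (4<<29)` has the same problem (bit 31 set by an `int` shift, which is undefined behaviour), so the fix is incomplete; change it to `#define Src2Imm (4U<<29)` for consistency. The later hunks that move `unsigned long _tmp` into `____emulate_2op` change only its declaration scope, which is fine provided no other macro expanded inside `__emulate_2op`/`__emulate_2op_nobyte` still refers to `_tmp` (those macro bodies continue outside the hunks).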
15103 @@ -197,6 +197,7 @@ struct group_dual {
15104
15105 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix, _dsttype) \
15106 do { \
15107 + unsigned long _tmp; \
15108 __asm__ __volatile__ ( \
15109 _PRE_EFLAGS("0", "4", "2") \
15110 _op _suffix " %"_x"3,%1; " \
15111 @@ -210,8 +211,6 @@ struct group_dual {
15112 /* Raw emulation: instruction has two explicit operands. */
15113 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
15114 do { \
15115 - unsigned long _tmp; \
15116 - \
15117 switch ((_dst).bytes) { \
15118 case 2: \
15119 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w",u16);\
15120 @@ -227,7 +226,6 @@ struct group_dual {
15121
15122 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
15123 do { \
15124 - unsigned long _tmp; \
15125 switch ((_dst).bytes) { \
15126 case 1: \
15127 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b",u8); \
15128 diff -urNp linux-2.6.37/arch/x86/kvm/lapic.c linux-2.6.37/arch/x86/kvm/lapic.c
15129 --- linux-2.6.37/arch/x86/kvm/lapic.c 2011-01-04 19:50:19.000000000 -0500
15130 +++ linux-2.6.37/arch/x86/kvm/lapic.c 2011-01-17 02:41:01.000000000 -0500
15131 @@ -53,7 +53,7 @@
15132 #define APIC_BUS_CYCLE_NS 1
15133
15134 /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
15135 -#define apic_debug(fmt, arg...)
15136 +#define apic_debug(fmt, arg...) do {} while (0)
15137
15138 #define APIC_LVT_NUM 6
15139 /* 14 is the version for Xeon and Pentium 8.4.8*/
15140 diff -urNp linux-2.6.37/arch/x86/kvm/svm.c linux-2.6.37/arch/x86/kvm/svm.c
15141 --- linux-2.6.37/arch/x86/kvm/svm.c 2011-01-04 19:50:19.000000000 -0500
15142 +++ linux-2.6.37/arch/x86/kvm/svm.c 2011-01-17 02:41:01.000000000 -0500
15143 @@ -3023,7 +3023,11 @@ static void reload_tss(struct kvm_vcpu *
15144 int cpu = raw_smp_processor_id();
15145
15146 struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
15147 +
15148 + pax_open_kernel();
15149 sd->tss_desc->type = 9; /* available 32/64-bit TSS */
15150 + pax_close_kernel();
15151 +
15152 load_TR_desc();
15153 }
15154
15155 @@ -3600,7 +3604,7 @@ static void svm_fpu_deactivate(struct kv
15156 update_cr0_intercept(svm);
15157 }
15158
15159 -static struct kvm_x86_ops svm_x86_ops = {
15160 +static const struct kvm_x86_ops svm_x86_ops = {
15161 .cpu_has_kvm_support = has_svm,
15162 .disabled_by_bios = is_disabled,
15163 .hardware_setup = svm_hardware_setup,
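Review bot: `svm_x86_ops` becomes `static const`, but its address is handed to `kvm_init()` (outside this hunk), whose `opaque` parameter and every path from it must accept a pointer to const for this to build without a cast; `kvm_arch_init` is updated to `const void *opaque` in the x86.c hunk below, while `kvm_init` itself lives in virt/kvm/kvm_main.c and is not in this chunk, so check that it is changed in the same patch. The same applies to `vmx_x86_ops` in the vmx.c hunk ending at `.hardware_setup = hardware_setup,`. The `pax_open_kernel()`/`pax_close_kernel()` pair around `sd->tss_desc->type = 9` in the hunk above has no comment saying what it protects; presumably the descriptor table is read-only under KERNEXEC, and `/* GDT is read-only under KERNEXEC; open it for the TSS type update */` would make that explicit.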
15164 diff -urNp linux-2.6.37/arch/x86/kvm/vmx.c linux-2.6.37/arch/x86/kvm/vmx.c
15165 --- linux-2.6.37/arch/x86/kvm/vmx.c 2011-01-04 19:50:19.000000000 -0500
15166 +++ linux-2.6.37/arch/x86/kvm/vmx.c 2011-01-17 02:41:01.000000000 -0500
15167 @@ -705,7 +705,11 @@ static void reload_tss(void)
15168 struct desc_struct *descs;
15169
15170 descs = (void *)gdt->address;
15171 +
15172 + pax_open_kernel();
15173 descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
15174 + pax_close_kernel();
15175 +
15176 load_TR_desc();
15177 }
15178
15179 @@ -1589,8 +1593,11 @@ static __init int hardware_setup(void)
15180 if (!cpu_has_vmx_flexpriority())
15181 flexpriority_enabled = 0;
15182
15183 - if (!cpu_has_vmx_tpr_shadow())
15184 - kvm_x86_ops->update_cr8_intercept = NULL;
15185 + if (!cpu_has_vmx_tpr_shadow()) {
15186 + pax_open_kernel();
15187 + *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
15188 + pax_close_kernel();
15189 + }
15190
15191 if (enable_ept && !cpu_has_vmx_ept_2m_page())
15192 kvm_disable_largepages();
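Review bot: `*(void **)&kvm_x86_ops->update_cr8_intercept = NULL;` casts away `const` and writes into `vmx_x86_ops`, which this same patch makes `static const` (the hunk ending at `.hardware_setup = hardware_setup,`; the global `kvm_x86_ops` presumably points at it here), so the object is defined const and modifying it is undefined behaviour regardless of `pax_open_kernel()` making the page writable — the compiler may assume the field never changes. A cleaner way to keep the ops table genuinely read-only is not to patch it at all: leave `update_cr8_intercept` set and have the vmx implementation begin with `if (!cpu_has_vmx_tpr_shadow()) return;` (that function is outside the hunk), which makes any NULL check in the x86.c caller unnecessary. If runtime patching is kept, a comment should explain why the table cannot be settled at compile time.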
15193 @@ -2575,7 +2582,7 @@ static int vmx_vcpu_setup(struct vcpu_vm
15194 vmcs_writel(HOST_IDTR_BASE, dt.address); /* 22.2.4 */
15195
15196 asm("mov $.Lkvm_vmx_return, %0" : "=r"(kvm_vmx_return));
15197 - vmcs_writel(HOST_RIP, kvm_vmx_return); /* 22.2.5 */
15198 + vmcs_writel(HOST_RIP, ktla_ktva(kvm_vmx_return)); /* 22.2.5 */
15199 vmcs_write32(VM_EXIT_MSR_STORE_COUNT, 0);
15200 vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, 0);
15201 vmcs_write64(VM_EXIT_MSR_LOAD_ADDR, __pa(vmx->msr_autoload.host));
15202 @@ -3959,6 +3966,12 @@ static void vmx_vcpu_run(struct kvm_vcpu
15203 "jmp .Lkvm_vmx_return \n\t"
15204 ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t"
15205 ".Lkvm_vmx_return: "
15206 +
15207 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
15208 + "ljmp %[cs],$.Lkvm_vmx_return2\n\t"
15209 + ".Lkvm_vmx_return2: "
15210 +#endif
15211 +
15212 /* Save guest registers, load host registers, keep flags */
15213 "xchg %0, (%%"R"sp) \n\t"
15214 "mov %%"R"ax, %c[rax](%0) \n\t"
15215 @@ -4005,6 +4018,11 @@ static void vmx_vcpu_run(struct kvm_vcpu
15216 [r15]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_R15])),
15217 #endif
15218 [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2))
15219 +
15220 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
15221 + ,[cs]"i"(__KERNEL_CS)
15222 +#endif
15223 +
15224 : "cc", "memory"
15225 , R"ax", R"bx", R"di", R"si"
15226 #ifdef CONFIG_X86_64
15227 @@ -4018,7 +4036,7 @@ static void vmx_vcpu_run(struct kvm_vcpu
15228
15229 vmx->idt_vectoring_info = vmcs_read32(IDT_VECTORING_INFO_FIELD);
15230
15231 - asm("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
15232 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r"(__KERNEL_DS));
15233 vmx->launched = 1;
15234
15235 vmx->exit_reason = vmcs_read32(VM_EXIT_REASON);
15236 @@ -4253,7 +4271,7 @@ static void vmx_set_supported_cpuid(u32
15237 {
15238 }
15239
15240 -static struct kvm_x86_ops vmx_x86_ops = {
15241 +static const struct kvm_x86_ops vmx_x86_ops = {
15242 .cpu_has_kvm_support = cpu_has_kvm_support,
15243 .disabled_by_bios = vmx_disabled_by_bios,
15244 .hardware_setup = hardware_setup,
15245 diff -urNp linux-2.6.37/arch/x86/kvm/x86.c linux-2.6.37/arch/x86/kvm/x86.c
15246 --- linux-2.6.37/arch/x86/kvm/x86.c 2011-01-04 19:50:19.000000000 -0500
15247 +++ linux-2.6.37/arch/x86/kvm/x86.c 2011-01-17 02:41:01.000000000 -0500
15248 @@ -92,7 +92,7 @@ static void update_cr8_intercept(struct
15249 static int kvm_dev_ioctl_get_supported_cpuid(struct kvm_cpuid2 *cpuid,
15250 struct kvm_cpuid_entry2 __user *entries);
15251
15252 -struct kvm_x86_ops *kvm_x86_ops;
15253 +const struct kvm_x86_ops *kvm_x86_ops;
15254 EXPORT_SYMBOL_GPL(kvm_x86_ops);
15255
15256 int ignore_msrs = 0;
15257 @@ -118,38 +118,38 @@ static struct kvm_shared_msrs_global __r
15258 static DEFINE_PER_CPU(struct kvm_shared_msrs, shared_msrs);
15259
15260 struct kvm_stats_debugfs_item debugfs_entries[] = {
15261 - { "pf_fixed", VCPU_STAT(pf_fixed) },
15262 - { "pf_guest", VCPU_STAT(pf_guest) },
15263 - { "tlb_flush", VCPU_STAT(tlb_flush) },
15264 - { "invlpg", VCPU_STAT(invlpg) },
15265 - { "exits", VCPU_STAT(exits) },
15266 - { "io_exits", VCPU_STAT(io_exits) },
15267 - { "mmio_exits", VCPU_STAT(mmio_exits) },
15268 - { "signal_exits", VCPU_STAT(signal_exits) },
15269 - { "irq_window", VCPU_STAT(irq_window_exits) },
15270 - { "nmi_window", VCPU_STAT(nmi_window_exits) },
15271 - { "halt_exits", VCPU_STAT(halt_exits) },
15272 - { "halt_wakeup", VCPU_STAT(halt_wakeup) },
15273 - { "hypercalls", VCPU_STAT(hypercalls) },
15274 - { "request_irq", VCPU_STAT(request_irq_exits) },
15275 - { "irq_exits", VCPU_STAT(irq_exits) },
15276 - { "host_state_reload", VCPU_STAT(host_state_reload) },
15277 - { "efer_reload", VCPU_STAT(efer_reload) },
15278 - { "fpu_reload", VCPU_STAT(fpu_reload) },
15279 - { "insn_emulation", VCPU_STAT(insn_emulation) },
15280 - { "insn_emulation_fail", VCPU_STAT(insn_emulation_fail) },
15281 - { "irq_injections", VCPU_STAT(irq_injections) },
15282 - { "nmi_injections", VCPU_STAT(nmi_injections) },
15283 - { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped) },
15284 - { "mmu_pte_write", VM_STAT(mmu_pte_write) },
15285 - { "mmu_pte_updated", VM_STAT(mmu_pte_updated) },
15286 - { "mmu_pde_zapped", VM_STAT(mmu_pde_zapped) },
15287 - { "mmu_flooded", VM_STAT(mmu_flooded) },
15288 - { "mmu_recycled", VM_STAT(mmu_recycled) },
15289 - { "mmu_cache_miss", VM_STAT(mmu_cache_miss) },
15290 - { "mmu_unsync", VM_STAT(mmu_unsync) },
15291 - { "remote_tlb_flush", VM_STAT(remote_tlb_flush) },
15292 - { "largepages", VM_STAT(lpages) },
15293 + { "pf_fixed", VCPU_STAT(pf_fixed), NULL },
15294 + { "pf_guest", VCPU_STAT(pf_guest), NULL },
15295 + { "tlb_flush", VCPU_STAT(tlb_flush), NULL },
15296 + { "invlpg", VCPU_STAT(invlpg), NULL },
15297 + { "exits", VCPU_STAT(exits), NULL },
15298 + { "io_exits", VCPU_STAT(io_exits), NULL },
15299 + { "mmio_exits", VCPU_STAT(mmio_exits), NULL },
15300 + { "signal_exits", VCPU_STAT(signal_exits), NULL },
15301 + { "irq_window", VCPU_STAT(irq_window_exits), NULL },
15302 + { "nmi_window", VCPU_STAT(nmi_window_exits), NULL },
15303 + { "halt_exits", VCPU_STAT(halt_exits), NULL },
15304 + { "halt_wakeup", VCPU_STAT(halt_wakeup), NULL },
15305 + { "hypercalls", VCPU_STAT(hypercalls), NULL },
15306 + { "request_irq", VCPU_STAT(request_irq_exits), NULL },
15307 + { "irq_exits", VCPU_STAT(irq_exits), NULL },
15308 + { "host_state_reload", VCPU_STAT(host_state_reload), NULL },
15309 + { "efer_reload", VCPU_STAT(efer_reload), NULL },
15310 + { "fpu_reload", VCPU_STAT(fpu_reload), NULL },
15311 + { "insn_emulation", VCPU_STAT(insn_emulation), NULL },
15312 + { "insn_emulation_fail", VCPU_STAT(insn_emulation_fail), NULL },
15313 + { "irq_injections", VCPU_STAT(irq_injections), NULL },
15314 + { "nmi_injections", VCPU_STAT(nmi_injections), NULL },
15315 + { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped), NULL },
15316 + { "mmu_pte_write", VM_STAT(mmu_pte_write), NULL },
15317 + { "mmu_pte_updated", VM_STAT(mmu_pte_updated), NULL },
15318 + { "mmu_pde_zapped", VM_STAT(mmu_pde_zapped), NULL },
15319 + { "mmu_flooded", VM_STAT(mmu_flooded), NULL },
15320 + { "mmu_recycled", VM_STAT(mmu_recycled), NULL },
15321 + { "mmu_cache_miss", VM_STAT(mmu_cache_miss), NULL },
15322 + { "mmu_unsync", VM_STAT(mmu_unsync), NULL },
15323 + { "remote_tlb_flush", VM_STAT(remote_tlb_flush), NULL },
15324 + { "largepages", VM_STAT(lpages), NULL },
15325 { NULL }
15326 };
15327
15328 @@ -1979,6 +1979,8 @@ long kvm_arch_dev_ioctl(struct file *fil
15329 if (n < msr_list.nmsrs)
15330 goto out;
15331 r = -EFAULT;
15332 + if (num_msrs_to_save > ARRAY_SIZE(msrs_to_save))
15333 + goto out;
15334 if (copy_to_user(user_msr_list->indices, &msrs_to_save,
15335 num_msrs_to_save * sizeof(u32)))
15336 goto out;
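Review bot: The new `num_msrs_to_save > ARRAY_SIZE(msrs_to_save)` check guards a kernel-internal count against reading past `msrs_to_save` in the following `copy_to_user` (which would disclose adjacent kernel memory), but it sits after `r = -EFAULT;` and so reports an internal invariant violation as a bad user pointer. Since the condition can only come from a kernel bug, make it loud and give it its own code: `if (WARN_ON_ONCE(num_msrs_to_save > ARRAY_SIZE(msrs_to_save))) { r = -EINVAL; goto out; }`. A one-line comment saying the check is a hardening measure, not an expected user error, would also help; `kvm_arch_dev_ioctl` continues outside the hunk.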
15337 @@ -2446,7 +2448,7 @@ static int kvm_vcpu_ioctl_set_lapic(stru
15338 static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
15339 struct kvm_interrupt *irq)
15340 {
15341 - if (irq->irq < 0 || irq->irq >= 256)
15342 + if (irq->irq >= 256)
15343 return -EINVAL;
15344 if (irqchip_in_kernel(vcpu->kvm))
15345 return -ENXIO;
15346 @@ -4623,10 +4625,10 @@ void kvm_after_handle_nmi(struct kvm_vcp
15347 }
15348 EXPORT_SYMBOL_GPL(kvm_after_handle_nmi);
15349
15350 -int kvm_arch_init(void *opaque)
15351 +int kvm_arch_init(const void *opaque)
15352 {
15353 int r;
15354 - struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
15355 + const struct kvm_x86_ops *ops = (const struct kvm_x86_ops *)opaque;
15356
15357 if (kvm_x86_ops) {
15358 printk(KERN_ERR "kvm: already loaded the other module\n");
15359 diff -urNp linux-2.6.37/arch/x86/lib/atomic64_cx8_32.S linux-2.6.37/arch/x86/lib/atomic64_cx8_32.S
15360 --- linux-2.6.37/arch/x86/lib/atomic64_cx8_32.S 2011-01-04 19:50:19.000000000 -0500
15361 +++ linux-2.6.37/arch/x86/lib/atomic64_cx8_32.S 2011-01-17 02:41:01.000000000 -0500
15362 @@ -86,13 +86,23 @@ ENTRY(atomic64_\func\()_return_cx8)
15363 movl %edx, %ecx
15364 \ins\()l %esi, %ebx
15365 \insc\()l %edi, %ecx
15366 +
15367 +#ifdef CONFIG_PAX_REFCOUNT
15368 + into
15369 +2:
15370 + _ASM_EXTABLE(2b, 3f)
15371 +#endif
15372 +
15373 LOCK_PREFIX
15374 cmpxchg8b (%ebp)
15375 jne 1b
15376 -
15377 -10:
15378 movl %ebx, %eax
15379 movl %ecx, %edx
15380 +
15381 +#ifdef CONFIG_PAX_REFCOUNT
15382 +3:
15383 +#endif
15384 +
15385 RESTORE edi
15386 RESTORE esi
15387 RESTORE ebx
15388 @@ -116,13 +126,24 @@ ENTRY(atomic64_\func\()_return_cx8)
15389 movl %edx, %ecx
15390 \ins\()l $1, %ebx
15391 \insc\()l $0, %ecx
15392 +
15393 +#ifdef CONFIG_PAX_REFCOUNT
15394 + into
15395 +2:
15396 + _ASM_EXTABLE(2b, 3f)
15397 +#endif
15398 +
15399 LOCK_PREFIX
15400 cmpxchg8b (%esi)
15401 jne 1b
15402
15403 -10:
15404 movl %ebx, %eax
15405 movl %ecx, %edx
15406 +
15407 +#ifdef CONFIG_PAX_REFCOUNT
15408 +3:
15409 +#endif
15410 +
15411 RESTORE ebx
15412 ret
15413 CFI_ENDPROC
15414 @@ -176,6 +197,13 @@ ENTRY(atomic64_add_unless_cx8)
15415 movl %edx, %ecx
15416 addl %esi, %ebx
15417 adcl %edi, %ecx
15418 +
15419 +#ifdef CONFIG_PAX_REFCOUNT
15420 + into
15421 +1234:
15422 + _ASM_EXTABLE(1234b, 1234b)
15423 +#endif
15424 +
15425 LOCK_PREFIX
15426 cmpxchg8b (%ebp)
15427 jne 1b
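Review bot: In `atomic64_add_unless_cx8` (this hunk) and `atomic64_inc_not_zero_cx8` (the next one) the overflow trap's fixup entry `_ASM_EXTABLE(1234b, 1234b)` resumes right after `into`, so the overflowed value still goes through `cmpxchg8b` and is committed, whereas the two `_return` variants above route the fixup to label `3:` and skip the store. If that asymmetry is intentional (presumably the overflow is reported and these callers are expected to continue), a comment at each `1234:` label should say so, e.g. `/* overflow is reported but the update is still committed; see the _return variants */`; as written a reader cannot tell it from a copy-paste slip. The same holds for the `3:` target in the first two hunks, which returns the unstored overflowed sum in %eax:%edx without a comment.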
15428 @@ -208,6 +236,13 @@ ENTRY(atomic64_inc_not_zero_cx8)
15429 movl %edx, %ecx
15430 addl $1, %ebx
15431 adcl $0, %ecx
15432 +
15433 +#ifdef CONFIG_PAX_REFCOUNT
15434 + into
15435 +1234:
15436 + _ASM_EXTABLE(1234b, 1234b)
15437 +#endif
15438 +
15439 LOCK_PREFIX
15440 cmpxchg8b (%esi)
15441 jne 1b
15442 diff -urNp linux-2.6.37/arch/x86/lib/checksum_32.S linux-2.6.37/arch/x86/lib/checksum_32.S
15443 --- linux-2.6.37/arch/x86/lib/checksum_32.S 2011-01-04 19:50:19.000000000 -0500
15444 +++ linux-2.6.37/arch/x86/lib/checksum_32.S 2011-01-17 02:41:01.000000000 -0500
15445 @@ -28,7 +28,8 @@
15446 #include <linux/linkage.h>
15447 #include <asm/dwarf2.h>
15448 #include <asm/errno.h>
15449 -
15450 +#include <asm/segment.h>
15451 +
15452 /*
15453 * computes a partial checksum, e.g. for TCP/UDP fragments
15454 */
15455 @@ -304,9 +305,28 @@ unsigned int csum_partial_copy_generic (
15456
15457 #define ARGBASE 16
15458 #define FP 12
15459 -
15460 -ENTRY(csum_partial_copy_generic)
15461 +
15462 +ENTRY(csum_partial_copy_generic_to_user)
15463 CFI_STARTPROC
15464 +
15465 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15466 + pushl %gs
15467 + CFI_ADJUST_CFA_OFFSET 4
15468 + popl %es
15469 + CFI_ADJUST_CFA_OFFSET -4
15470 + jmp csum_partial_copy_generic
15471 +#endif
15472 +
15473 +ENTRY(csum_partial_copy_generic_from_user)
15474 +
15475 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15476 + pushl %gs
15477 + CFI_ADJUST_CFA_OFFSET 4
15478 + popl %ds
15479 + CFI_ADJUST_CFA_OFFSET -4
15480 +#endif
15481 +
15482 +ENTRY(csum_partial_copy_generic)
15483 subl $4,%esp
15484 CFI_ADJUST_CFA_OFFSET 4
15485 pushl %edi
15486 @@ -331,7 +351,7 @@ ENTRY(csum_partial_copy_generic)
15487 jmp 4f
15488 SRC(1: movw (%esi), %bx )
15489 addl $2, %esi
15490 -DST( movw %bx, (%edi) )
15491 +DST( movw %bx, %es:(%edi) )
15492 addl $2, %edi
15493 addw %bx, %ax
15494 adcl $0, %eax
15495 @@ -343,30 +363,30 @@ DST( movw %bx, (%edi) )
15496 SRC(1: movl (%esi), %ebx )
15497 SRC( movl 4(%esi), %edx )
15498 adcl %ebx, %eax
15499 -DST( movl %ebx, (%edi) )
15500 +DST( movl %ebx, %es:(%edi) )
15501 adcl %edx, %eax
15502 -DST( movl %edx, 4(%edi) )
15503 +DST( movl %edx, %es:4(%edi) )
15504
15505 SRC( movl 8(%esi), %ebx )
15506 SRC( movl 12(%esi), %edx )
15507 adcl %ebx, %eax
15508 -DST( movl %ebx, 8(%edi) )
15509 +DST( movl %ebx, %es:8(%edi) )
15510 adcl %edx, %eax
15511 -DST( movl %edx, 12(%edi) )
15512 +DST( movl %edx, %es:12(%edi) )
15513
15514 SRC( movl 16(%esi), %ebx )
15515 SRC( movl 20(%esi), %edx )
15516 adcl %ebx, %eax
15517 -DST( movl %ebx, 16(%edi) )
15518 +DST( movl %ebx, %es:16(%edi) )
15519 adcl %edx, %eax
15520 -DST( movl %edx, 20(%edi) )
15521 +DST( movl %edx, %es:20(%edi) )
15522
15523 SRC( movl 24(%esi), %ebx )
15524 SRC( movl 28(%esi), %edx )
15525 adcl %ebx, %eax
15526 -DST( movl %ebx, 24(%edi) )
15527 +DST( movl %ebx, %es:24(%edi) )
15528 adcl %edx, %eax
15529 -DST( movl %edx, 28(%edi) )
15530 +DST( movl %edx, %es:28(%edi) )
15531
15532 lea 32(%esi), %esi
15533 lea 32(%edi), %edi
15534 @@ -380,7 +400,7 @@ DST( movl %edx, 28(%edi) )
15535 shrl $2, %edx # This clears CF
15536 SRC(3: movl (%esi), %ebx )
15537 adcl %ebx, %eax
15538 -DST( movl %ebx, (%edi) )
15539 +DST( movl %ebx, %es:(%edi) )
15540 lea 4(%esi), %esi
15541 lea 4(%edi), %edi
15542 dec %edx
15543 @@ -392,12 +412,12 @@ DST( movl %ebx, (%edi) )
15544 jb 5f
15545 SRC( movw (%esi), %cx )
15546 leal 2(%esi), %esi
15547 -DST( movw %cx, (%edi) )
15548 +DST( movw %cx, %es:(%edi) )
15549 leal 2(%edi), %edi
15550 je 6f
15551 shll $16,%ecx
15552 SRC(5: movb (%esi), %cl )
15553 -DST( movb %cl, (%edi) )
15554 +DST( movb %cl, %es:(%edi) )
15555 6: addl %ecx, %eax
15556 adcl $0, %eax
15557 7:
15558 @@ -408,7 +428,7 @@ DST( movb %cl, (%edi) )
15559
15560 6001:
15561 movl ARGBASE+20(%esp), %ebx # src_err_ptr
15562 - movl $-EFAULT, (%ebx)
15563 + movl $-EFAULT, %ss:(%ebx)
15564
15565 # zero the complete destination - computing the rest
15566 # is too much work
15567 @@ -421,11 +441,19 @@ DST( movb %cl, (%edi) )
15568
15569 6002:
15570 movl ARGBASE+24(%esp), %ebx # dst_err_ptr
15571 - movl $-EFAULT,(%ebx)
15572 + movl $-EFAULT,%ss:(%ebx)
15573 jmp 5000b
15574
15575 .previous
15576
15577 + pushl %ss
15578 + CFI_ADJUST_CFA_OFFSET 4
15579 + popl %ds
15580 + CFI_ADJUST_CFA_OFFSET -4
15581 + pushl %ss
15582 + CFI_ADJUST_CFA_OFFSET 4
15583 + popl %es
15584 + CFI_ADJUST_CFA_OFFSET -4
15585 popl %ebx
15586 CFI_ADJUST_CFA_OFFSET -4
15587 CFI_RESTORE ebx
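Review bot: The segment restore added to this exit path (`pushl %ss; popl %ds; pushl %ss; popl %es`) is unconditional, while the equivalent block in the PentiumII/PPro variant further down (the hunk ending at `CFI_RESTORE esi`) is wrapped in `#ifdef CONFIG_PAX_MEMORY_UDEREF`. Without UDEREF the new entry points never touch `%ds`/`%es`, so the reloads here are dead work and the two variants should agree; wrap this block in the same `#ifdef CONFIG_PAX_MEMORY_UDEREF` / `#endif`. The switch to `%ss:(%ebx)` for the `src_err_ptr`/`dst_err_ptr` stores is presumably because `%ds` may hold the user segment at that point and those pointers are kernel addresses; a one-line comment at the first such store would make that explicit.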
15588 @@ -439,26 +467,47 @@ DST( movb %cl, (%edi) )
15589 CFI_ADJUST_CFA_OFFSET -4
15590 ret
15591 CFI_ENDPROC
15592 -ENDPROC(csum_partial_copy_generic)
15593 +ENDPROC(csum_partial_copy_generic_to_user)
15594
15595 #else
15596
15597 /* Version for PentiumII/PPro */
15598
15599 #define ROUND1(x) \
15600 + nop; nop; nop; \
15601 SRC(movl x(%esi), %ebx ) ; \
15602 addl %ebx, %eax ; \
15603 - DST(movl %ebx, x(%edi) ) ;
15604 + DST(movl %ebx, %es:x(%edi)) ;
15605
15606 #define ROUND(x) \
15607 + nop; nop; nop; \
15608 SRC(movl x(%esi), %ebx ) ; \
15609 adcl %ebx, %eax ; \
15610 - DST(movl %ebx, x(%edi) ) ;
15611 + DST(movl %ebx, %es:x(%edi)) ;
15612
15613 #define ARGBASE 12
15614 -
15615 -ENTRY(csum_partial_copy_generic)
15616 +
15617 +ENTRY(csum_partial_copy_generic_to_user)
15618 CFI_STARTPROC
15619 +
15620 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15621 + pushl %gs
15622 + CFI_ADJUST_CFA_OFFSET 4
15623 + popl %es
15624 + CFI_ADJUST_CFA_OFFSET -4
15625 + jmp csum_partial_copy_generic
15626 +#endif
15627 +
15628 +ENTRY(csum_partial_copy_generic_from_user)
15629 +
15630 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15631 + pushl %gs
15632 + CFI_ADJUST_CFA_OFFSET 4
15633 + popl %ds
15634 + CFI_ADJUST_CFA_OFFSET -4
15635 +#endif
15636 +
15637 +ENTRY(csum_partial_copy_generic)
15638 pushl %ebx
15639 CFI_ADJUST_CFA_OFFSET 4
15640 CFI_REL_OFFSET ebx, 0
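Review bot: The three `nop`s added at the top of `ROUND1`/`ROUND` are undocumented padding: the `%es:` prefix lengthens each unrolled round, and the computed jump in the next hunk changes from `lea 3f(%ebx,%ebx), %ebx` to `lea 3f(%ebx,%ebx,2), %ebx`, so the nops presumably bring every round to the fixed size the scale-3 index assumes. That coupling belongs in a comment on the macros, e.g. `/* nops pad each round to a fixed size; keep in sync with lea 3f(%ebx,%ebx,2) */`, and it should note that the padding and the `%es:` prefix are applied even without UDEREF, which a reader will otherwise take for a mistake. `ENDPROC` is renamed to `csum_partial_copy_generic_to_user` while the new `csum_partial_copy_generic_from_user` entry and the retained `csum_partial_copy_generic` get `ENTRY` without a matching `ENDPROC`, so their symbol type is not set; adding `ENDPROC` lines for both keeps the symbol metadata consistent.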
15641 @@ -482,7 +531,7 @@ ENTRY(csum_partial_copy_generic)
15642 subl %ebx, %edi
15643 lea -1(%esi),%edx
15644 andl $-32,%edx
15645 - lea 3f(%ebx,%ebx), %ebx
15646 + lea 3f(%ebx,%ebx,2), %ebx
15647 testl %esi, %esi
15648 jmp *%ebx
15649 1: addl $64,%esi
15650 @@ -503,19 +552,19 @@ ENTRY(csum_partial_copy_generic)
15651 jb 5f
15652 SRC( movw (%esi), %dx )
15653 leal 2(%esi), %esi
15654 -DST( movw %dx, (%edi) )
15655 +DST( movw %dx, %es:(%edi) )
15656 leal 2(%edi), %edi
15657 je 6f
15658 shll $16,%edx
15659 5:
15660 SRC( movb (%esi), %dl )
15661 -DST( movb %dl, (%edi) )
15662 +DST( movb %dl, %es:(%edi) )
15663 6: addl %edx, %eax
15664 adcl $0, %eax
15665 7:
15666 .section .fixup, "ax"
15667 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
15668 - movl $-EFAULT, (%ebx)
15669 + movl $-EFAULT, %ss:(%ebx)
15670 # zero the complete destination (computing the rest is too much work)
15671 movl ARGBASE+8(%esp),%edi # dst
15672 movl ARGBASE+12(%esp),%ecx # len
15673 @@ -523,10 +572,21 @@ DST( movb %dl, (%edi) )
15674 rep; stosb
15675 jmp 7b
15676 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
15677 - movl $-EFAULT, (%ebx)
15678 + movl $-EFAULT, %ss:(%ebx)
15679 jmp 7b
15680 .previous
15681
15682 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15683 + pushl %ss
15684 + CFI_ADJUST_CFA_OFFSET 4
15685 + popl %ds
15686 + CFI_ADJUST_CFA_OFFSET -4
15687 + pushl %ss
15688 + CFI_ADJUST_CFA_OFFSET 4
15689 + popl %es
15690 + CFI_ADJUST_CFA_OFFSET -4
15691 +#endif
15692 +
15693 popl %esi
15694 CFI_ADJUST_CFA_OFFSET -4
15695 CFI_RESTORE esi
15696 @@ -538,7 +598,7 @@ DST( movb %dl, (%edi) )
15697 CFI_RESTORE ebx
15698 ret
15699 CFI_ENDPROC
15700 -ENDPROC(csum_partial_copy_generic)
15701 +ENDPROC(csum_partial_copy_generic_to_user)
15702
15703 #undef ROUND
15704 #undef ROUND1
15705 diff -urNp linux-2.6.37/arch/x86/lib/clear_page_64.S linux-2.6.37/arch/x86/lib/clear_page_64.S
15706 --- linux-2.6.37/arch/x86/lib/clear_page_64.S 2011-01-04 19:50:19.000000000 -0500
15707 +++ linux-2.6.37/arch/x86/lib/clear_page_64.S 2011-01-17 02:41:01.000000000 -0500
15708 @@ -43,7 +43,7 @@ ENDPROC(clear_page)
15709
15710 #include <asm/cpufeature.h>
15711
15712 - .section .altinstr_replacement,"ax"
15713 + .section .altinstr_replacement,"a"
15714 1: .byte 0xeb /* jmp <disp8> */
15715 .byte (clear_page_c - clear_page) - (2f - 1b) /* offset */
15716 2:
15717 diff -urNp linux-2.6.37/arch/x86/lib/copy_page_64.S linux-2.6.37/arch/x86/lib/copy_page_64.S
15718 --- linux-2.6.37/arch/x86/lib/copy_page_64.S 2011-01-04 19:50:19.000000000 -0500
15719 +++ linux-2.6.37/arch/x86/lib/copy_page_64.S 2011-01-17 02:41:01.000000000 -0500
15720 @@ -104,7 +104,7 @@ ENDPROC(copy_page)
15721
15722 #include <asm/cpufeature.h>
15723
15724 - .section .altinstr_replacement,"ax"
15725 + .section .altinstr_replacement,"a"
15726 1: .byte 0xeb /* jmp <disp8> */
15727 .byte (copy_page_c - copy_page) - (2f - 1b) /* offset */
15728 2:
15729 diff -urNp linux-2.6.37/arch/x86/lib/copy_user_64.S linux-2.6.37/arch/x86/lib/copy_user_64.S
15730 --- linux-2.6.37/arch/x86/lib/copy_user_64.S 2011-01-04 19:50:19.000000000 -0500
15731 +++ linux-2.6.37/arch/x86/lib/copy_user_64.S 2011-01-17 02:41:01.000000000 -0500
15732 @@ -15,13 +15,14 @@
15733 #include <asm/asm-offsets.h>
15734 #include <asm/thread_info.h>
15735 #include <asm/cpufeature.h>
15736 +#include <asm/pgtable.h>
15737
15738 .macro ALTERNATIVE_JUMP feature,orig,alt
15739 0:
15740 .byte 0xe9 /* 32bit jump */
15741 .long \orig-1f /* by default jump to orig */
15742 1:
15743 - .section .altinstr_replacement,"ax"
15744 + .section .altinstr_replacement,"a"
15745 2: .byte 0xe9 /* near jump with 32bit immediate */
15746 .long \alt-1b /* offset */ /* or alternatively to alt */
15747 .previous
15748 @@ -64,37 +65,13 @@
15749 #endif
15750 .endm
15751
15752 -/* Standard copy_to_user with segment limit checking */
15753 -ENTRY(_copy_to_user)
15754 - CFI_STARTPROC
15755 - GET_THREAD_INFO(%rax)
15756 - movq %rdi,%rcx
15757 - addq %rdx,%rcx
15758 - jc bad_to_user
15759 - cmpq TI_addr_limit(%rax),%rcx
15760 - jae bad_to_user
15761 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
15762 - CFI_ENDPROC
15763 -ENDPROC(_copy_to_user)
15764 -
15765 -/* Standard copy_from_user with segment limit checking */
15766 -ENTRY(_copy_from_user)
15767 - CFI_STARTPROC
15768 - GET_THREAD_INFO(%rax)
15769 - movq %rsi,%rcx
15770 - addq %rdx,%rcx
15771 - jc bad_from_user
15772 - cmpq TI_addr_limit(%rax),%rcx
15773 - jae bad_from_user
15774 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
15775 - CFI_ENDPROC
15776 -ENDPROC(_copy_from_user)
15777 -
15778 .section .fixup,"ax"
15779 /* must zero dest */
15780 ENTRY(bad_from_user)
15781 bad_from_user:
15782 CFI_STARTPROC
15783 + testl %edx,%edx
15784 + js bad_to_user
15785 movl %edx,%ecx
15786 xorl %eax,%eax
15787 rep
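Review bot: The added `testl %edx,%edx` / `js bad_to_user` in `bad_from_user` makes the zeroing path treat the remaining length as a signed quantity and skip the `rep stosb` entirely when bit 31 is set, but nothing records why. Presumably a count that large can only result from an over-long request that the length check in the caller would already have failed, and zeroing that many bytes of the destination would run past the buffer; I would state that in a comment, e.g. `/* a "negative" remainder cannot be a real length: never zero that much of dest */`. The body of `bad_from_user` continues past the end of this hunk, so the `rep stosb` and the fall-through into `bad_to_user` are not visible here.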
15788 diff -urNp linux-2.6.37/arch/x86/lib/copy_user_nocache_64.S linux-2.6.37/arch/x86/lib/copy_user_nocache_64.S
15789 --- linux-2.6.37/arch/x86/lib/copy_user_nocache_64.S 2011-01-04 19:50:19.000000000 -0500
15790 +++ linux-2.6.37/arch/x86/lib/copy_user_nocache_64.S 2011-01-17 02:41:01.000000000 -0500
15791 @@ -14,6 +14,7 @@
15792 #include <asm/current.h>
15793 #include <asm/asm-offsets.h>
15794 #include <asm/thread_info.h>
15795 +#include <asm/pgtable.h>
15796
15797 .macro ALIGN_DESTINATION
15798 #ifdef FIX_ALIGNMENT
15799 @@ -50,6 +51,15 @@
15800 */
15801 ENTRY(__copy_user_nocache)
15802 CFI_STARTPROC
15803 +
15804 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15805 + mov $PAX_USER_SHADOW_BASE,%rcx
15806 + cmp %rcx,%rsi
15807 + jae 1f
15808 + add %rcx,%rsi
15809 +1:
15810 +#endif
15811 +
15812 cmpl $8,%edx
15813 jb 20f /* less then 8 bytes, go to byte copy loop */
15814 ALIGN_DESTINATION
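Review bot: The UDEREF block that adds `PAX_USER_SHADOW_BASE` to `%rsi` carries no comment, and the bare numeric label gives no hint that this is an address translation rather than a bounds check. The same five lines recur four times in the getuser.S hunks and as C in the two csum-wrappers_64.c hunks, so one explanatory comment here and a reference in the others would help; something like `/* UDEREF: userland is only mapped at PAX_USER_SHADOW_BASE + addr; relocate a raw user pointer, leave an already-shifted one alone */`. It is also worth noting in that comment that this block does not range-check `%rsi` and presumably relies on the caller's access_ok() having done so. `__copy_user_nocache` continues outside the hunk.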
15815 diff -urNp linux-2.6.37/arch/x86/lib/csum-wrappers_64.c linux-2.6.37/arch/x86/lib/csum-wrappers_64.c
15816 --- linux-2.6.37/arch/x86/lib/csum-wrappers_64.c 2011-01-04 19:50:19.000000000 -0500
15817 +++ linux-2.6.37/arch/x86/lib/csum-wrappers_64.c 2011-01-17 02:41:01.000000000 -0500
15818 @@ -52,6 +52,8 @@ csum_partial_copy_from_user(const void _
15819 len -= 2;
15820 }
15821 }
15822 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
15823 + src += PAX_USER_SHADOW_BASE;
15824 isum = csum_partial_copy_generic((__force const void *)src,
15825 dst, len, isum, errp, NULL);
15826 if (unlikely(*errp))
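Review bot: The shadow-base relocation of `src` here is unconditional, whereas the equivalent assembly in copy_user_nocache_64.S and getuser.S is wrapped in `#ifdef CONFIG_PAX_MEMORY_UDEREF`; this hunk therefore compiles only if `PAX_USER_SHADOW_BASE` is defined in every configuration, which I cannot verify from here. The same applies to the `dst` relocation in the second csum-wrappers_64.c hunk. Either guard both with the same `#ifdef` as the assembly, or add a comment such as `/* PAX_USER_SHADOW_BASE is 0 without UDEREF, so this is a no-op there */` if that is indeed how the macro is defined. `csum_partial_copy_from_user` starts and ends outside the hunk.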
15827 @@ -105,6 +107,8 @@ csum_partial_copy_to_user(const void *sr
15828 }
15829
15830 *errp = 0;
15831 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
15832 + dst += PAX_USER_SHADOW_BASE;
15833 return csum_partial_copy_generic(src, (void __force *)dst,
15834 len, isum, NULL, errp);
15835 }
15836 diff -urNp linux-2.6.37/arch/x86/lib/getuser.S linux-2.6.37/arch/x86/lib/getuser.S
15837 --- linux-2.6.37/arch/x86/lib/getuser.S 2011-01-04 19:50:19.000000000 -0500
15838 +++ linux-2.6.37/arch/x86/lib/getuser.S 2011-01-17 02:41:01.000000000 -0500
15839 @@ -33,14 +33,35 @@
15840 #include <asm/asm-offsets.h>
15841 #include <asm/thread_info.h>
15842 #include <asm/asm.h>
15843 +#include <asm/segment.h>
15844 +#include <asm/pgtable.h>
15845 +
15846 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
15847 +#define __copyuser_seg %gs:
15848 +#else
15849 +#define __copyuser_seg
15850 +#endif
15851
15852 .text
15853 ENTRY(__get_user_1)
15854 CFI_STARTPROC
15855 +
15856 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
15857 GET_THREAD_INFO(%_ASM_DX)
15858 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15859 jae bad_get_user
15860 -1: movzb (%_ASM_AX),%edx
15861 +
15862 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
15863 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15864 + cmp %_ASM_DX,%_ASM_AX
15865 + jae 1234f
15866 + add %_ASM_DX,%_ASM_AX
15867 +1234:
15868 +#endif
15869 +
15870 +#endif
15871 +
15872 +1: movzb __copyuser_seg (%_ASM_AX),%edx
15873 xor %eax,%eax
15874 ret
15875 CFI_ENDPROC
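Review bot: On 32-bit with UDEREF the `TI_addr_limit` comparison and `jae bad_get_user` are compiled out and no replacement check appears in the hunk, so the software range check is gone and the access is presumably bounded only by the limit of the segment selected through `__copyuser_seg`. That is a security-relevant invariant that deserves a comment at the `#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)` line, e.g. `/* 32-bit UDEREF: the %gs segment limit enforces the user boundary, no software check needed */`, and the same applies to the `__get_user_2`, `__get_user_4` and `__get_user_8` hunks. `__copyuser_seg` is defined identically here and in putuser.S; a shared header would keep the two from drifting apart.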
15876 @@ -49,11 +70,24 @@ ENDPROC(__get_user_1)
15877 ENTRY(__get_user_2)
15878 CFI_STARTPROC
15879 add $1,%_ASM_AX
15880 +
15881 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
15882 jc bad_get_user
15883 GET_THREAD_INFO(%_ASM_DX)
15884 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15885 jae bad_get_user
15886 -2: movzwl -1(%_ASM_AX),%edx
15887 +
15888 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
15889 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15890 + cmp %_ASM_DX,%_ASM_AX
15891 + jae 1234f
15892 + add %_ASM_DX,%_ASM_AX
15893 +1234:
15894 +#endif
15895 +
15896 +#endif
15897 +
15898 +2: movzwl __copyuser_seg -1(%_ASM_AX),%edx
15899 xor %eax,%eax
15900 ret
15901 CFI_ENDPROC
15902 @@ -62,11 +96,24 @@ ENDPROC(__get_user_2)
15903 ENTRY(__get_user_4)
15904 CFI_STARTPROC
15905 add $3,%_ASM_AX
15906 +
15907 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
15908 jc bad_get_user
15909 GET_THREAD_INFO(%_ASM_DX)
15910 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15911 jae bad_get_user
15912 -3: mov -3(%_ASM_AX),%edx
15913 +
15914 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
15915 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15916 + cmp %_ASM_DX,%_ASM_AX
15917 + jae 1234f
15918 + add %_ASM_DX,%_ASM_AX
15919 +1234:
15920 +#endif
15921 +
15922 +#endif
15923 +
15924 +3: mov __copyuser_seg -3(%_ASM_AX),%edx
15925 xor %eax,%eax
15926 ret
15927 CFI_ENDPROC
15928 @@ -80,6 +127,15 @@ ENTRY(__get_user_8)
15929 GET_THREAD_INFO(%_ASM_DX)
15930 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15931 jae bad_get_user
15932 +
15933 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15934 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15935 + cmp %_ASM_DX,%_ASM_AX
15936 + jae 1234f
15937 + add %_ASM_DX,%_ASM_AX
15938 +1234:
15939 +#endif
15940 +
15941 4: movq -7(%_ASM_AX),%_ASM_DX
15942 xor %eax,%eax
15943 ret
15944 diff -urNp linux-2.6.37/arch/x86/lib/insn.c linux-2.6.37/arch/x86/lib/insn.c
15945 --- linux-2.6.37/arch/x86/lib/insn.c 2011-01-04 19:50:19.000000000 -0500
15946 +++ linux-2.6.37/arch/x86/lib/insn.c 2011-01-17 02:41:01.000000000 -0500
15947 @@ -21,6 +21,7 @@
15948 #include <linux/string.h>
15949 #include <asm/inat.h>
15950 #include <asm/insn.h>
15951 +#include <asm/pgtable_types.h>
15952
15953 #define get_next(t, insn) \
15954 ({t r; r = *(t*)insn->next_byte; insn->next_byte += sizeof(t); r; })
15955 @@ -40,8 +41,8 @@
15956 void insn_init(struct insn *insn, const void *kaddr, int x86_64)
15957 {
15958 memset(insn, 0, sizeof(*insn));
15959 - insn->kaddr = kaddr;
15960 - insn->next_byte = kaddr;
15961 + insn->kaddr = ktla_ktva(kaddr);
15962 + insn->next_byte = ktla_ktva(kaddr);
15963 insn->x86_64 = x86_64 ? 1 : 0;
15964 insn->opnd_bytes = 4;
15965 if (x86_64)
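Review bot: `insn_init()` now stores `ktla_ktva(kaddr)` rather than `kaddr`, which changes the function's contract for every caller without a word in the hunk or in the function's header comment. If callers are expected to pass the linear (load) address and the decoder reads bytes through the virtual alias, say so where the parameters are documented: `@kaddr: linear kernel address of the instruction; the decoder reads through its ktla_ktva() alias`. `insn_init` continues outside the hunk, and I cannot see from here whether any caller already passes a translated address.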
15966 diff -urNp linux-2.6.37/arch/x86/lib/mmx_32.c linux-2.6.37/arch/x86/lib/mmx_32.c
15967 --- linux-2.6.37/arch/x86/lib/mmx_32.c 2011-01-04 19:50:19.000000000 -0500
15968 +++ linux-2.6.37/arch/x86/lib/mmx_32.c 2011-01-17 02:41:01.000000000 -0500
15969 @@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *
15970 {
15971 void *p;
15972 int i;
15973 + unsigned long cr0;
15974
15975 if (unlikely(in_interrupt()))
15976 return __memcpy(to, from, len);
15977 @@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *
15978 kernel_fpu_begin();
15979
15980 __asm__ __volatile__ (
15981 - "1: prefetch (%0)\n" /* This set is 28 bytes */
15982 - " prefetch 64(%0)\n"
15983 - " prefetch 128(%0)\n"
15984 - " prefetch 192(%0)\n"
15985 - " prefetch 256(%0)\n"
15986 + "1: prefetch (%1)\n" /* This set is 28 bytes */
15987 + " prefetch 64(%1)\n"
15988 + " prefetch 128(%1)\n"
15989 + " prefetch 192(%1)\n"
15990 + " prefetch 256(%1)\n"
15991 "2: \n"
15992 ".section .fixup, \"ax\"\n"
15993 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
15994 + "3: \n"
15995 +
15996 +#ifdef CONFIG_PAX_KERNEXEC
15997 + " movl %%cr0, %0\n"
15998 + " movl %0, %%eax\n"
15999 + " andl $0xFFFEFFFF, %%eax\n"
16000 + " movl %%eax, %%cr0\n"
16001 +#endif
16002 +
16003 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16004 +
16005 +#ifdef CONFIG_PAX_KERNEXEC
16006 + " movl %0, %%cr0\n"
16007 +#endif
16008 +
16009 " jmp 2b\n"
16010 ".previous\n"
16011 _ASM_EXTABLE(1b, 3b)
16012 - : : "r" (from));
16013 + : "=&r" (cr0) : "r" (from) : "ax");
16014
16015 for ( ; i > 5; i--) {
16016 __asm__ __volatile__ (
16017 - "1: prefetch 320(%0)\n"
16018 - "2: movq (%0), %%mm0\n"
16019 - " movq 8(%0), %%mm1\n"
16020 - " movq 16(%0), %%mm2\n"
16021 - " movq 24(%0), %%mm3\n"
16022 - " movq %%mm0, (%1)\n"
16023 - " movq %%mm1, 8(%1)\n"
16024 - " movq %%mm2, 16(%1)\n"
16025 - " movq %%mm3, 24(%1)\n"
16026 - " movq 32(%0), %%mm0\n"
16027 - " movq 40(%0), %%mm1\n"
16028 - " movq 48(%0), %%mm2\n"
16029 - " movq 56(%0), %%mm3\n"
16030 - " movq %%mm0, 32(%1)\n"
16031 - " movq %%mm1, 40(%1)\n"
16032 - " movq %%mm2, 48(%1)\n"
16033 - " movq %%mm3, 56(%1)\n"
16034 + "1: prefetch 320(%1)\n"
16035 + "2: movq (%1), %%mm0\n"
16036 + " movq 8(%1), %%mm1\n"
16037 + " movq 16(%1), %%mm2\n"
16038 + " movq 24(%1), %%mm3\n"
16039 + " movq %%mm0, (%2)\n"
16040 + " movq %%mm1, 8(%2)\n"
16041 + " movq %%mm2, 16(%2)\n"
16042 + " movq %%mm3, 24(%2)\n"
16043 + " movq 32(%1), %%mm0\n"
16044 + " movq 40(%1), %%mm1\n"
16045 + " movq 48(%1), %%mm2\n"
16046 + " movq 56(%1), %%mm3\n"
16047 + " movq %%mm0, 32(%2)\n"
16048 + " movq %%mm1, 40(%2)\n"
16049 + " movq %%mm2, 48(%2)\n"
16050 + " movq %%mm3, 56(%2)\n"
16051 ".section .fixup, \"ax\"\n"
16052 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16053 + "3:\n"
16054 +
16055 +#ifdef CONFIG_PAX_KERNEXEC
16056 + " movl %%cr0, %0\n"
16057 + " movl %0, %%eax\n"
16058 + " andl $0xFFFEFFFF, %%eax\n"
16059 + " movl %%eax, %%cr0\n"
16060 +#endif
16061 +
16062 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16063 +
16064 +#ifdef CONFIG_PAX_KERNEXEC
16065 + " movl %0, %%cr0\n"
16066 +#endif
16067 +
16068 " jmp 2b\n"
16069 ".previous\n"
16070 _ASM_EXTABLE(1b, 3b)
16071 - : : "r" (from), "r" (to) : "memory");
16072 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
16073
16074 from += 64;
16075 to += 64;
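Review bot: The KERNEXEC fixup clears CR0.WP with `andl $0xFFFEFFFF, %%eax` / `movl %%eax, %%cr0` and restores it a few instructions later without masking interrupts, so an interrupt taken between those two stores runs with kernel write protection off. The window is only the self-patching `movw`, and `kernel_fpu_begin()` disables preemption but not interrupts, so it is worth confirming whether the rest of this patch brackets such windows with `pushf; cli` / `popf` and, if so, doing the same here; at minimum a comment should state that the window is deliberately left open. The same sequence is repeated verbatim in the three `fast_copy_page` hunks below, where the same note applies. `_mmx_memcpy` starts and ends outside the hunk.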
16076 @@ -158,6 +187,7 @@ static void fast_clear_page(void *page)
16077 static void fast_copy_page(void *to, void *from)
16078 {
16079 int i;
16080 + unsigned long cr0;
16081
16082 kernel_fpu_begin();
16083
16084 @@ -166,42 +196,70 @@ static void fast_copy_page(void *to, voi
16085 * but that is for later. -AV
16086 */
16087 __asm__ __volatile__(
16088 - "1: prefetch (%0)\n"
16089 - " prefetch 64(%0)\n"
16090 - " prefetch 128(%0)\n"
16091 - " prefetch 192(%0)\n"
16092 - " prefetch 256(%0)\n"
16093 + "1: prefetch (%1)\n"
16094 + " prefetch 64(%1)\n"
16095 + " prefetch 128(%1)\n"
16096 + " prefetch 192(%1)\n"
16097 + " prefetch 256(%1)\n"
16098 "2: \n"
16099 ".section .fixup, \"ax\"\n"
16100 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16101 + "3: \n"
16102 +
16103 +#ifdef CONFIG_PAX_KERNEXEC
16104 + " movl %%cr0, %0\n"
16105 + " movl %0, %%eax\n"
16106 + " andl $0xFFFEFFFF, %%eax\n"
16107 + " movl %%eax, %%cr0\n"
16108 +#endif
16109 +
16110 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16111 +
16112 +#ifdef CONFIG_PAX_KERNEXEC
16113 + " movl %0, %%cr0\n"
16114 +#endif
16115 +
16116 " jmp 2b\n"
16117 ".previous\n"
16118 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
16119 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
16120
16121 for (i = 0; i < (4096-320)/64; i++) {
16122 __asm__ __volatile__ (
16123 - "1: prefetch 320(%0)\n"
16124 - "2: movq (%0), %%mm0\n"
16125 - " movntq %%mm0, (%1)\n"
16126 - " movq 8(%0), %%mm1\n"
16127 - " movntq %%mm1, 8(%1)\n"
16128 - " movq 16(%0), %%mm2\n"
16129 - " movntq %%mm2, 16(%1)\n"
16130 - " movq 24(%0), %%mm3\n"
16131 - " movntq %%mm3, 24(%1)\n"
16132 - " movq 32(%0), %%mm4\n"
16133 - " movntq %%mm4, 32(%1)\n"
16134 - " movq 40(%0), %%mm5\n"
16135 - " movntq %%mm5, 40(%1)\n"
16136 - " movq 48(%0), %%mm6\n"
16137 - " movntq %%mm6, 48(%1)\n"
16138 - " movq 56(%0), %%mm7\n"
16139 - " movntq %%mm7, 56(%1)\n"
16140 + "1: prefetch 320(%1)\n"
16141 + "2: movq (%1), %%mm0\n"
16142 + " movntq %%mm0, (%2)\n"
16143 + " movq 8(%1), %%mm1\n"
16144 + " movntq %%mm1, 8(%2)\n"
16145 + " movq 16(%1), %%mm2\n"
16146 + " movntq %%mm2, 16(%2)\n"
16147 + " movq 24(%1), %%mm3\n"
16148 + " movntq %%mm3, 24(%2)\n"
16149 + " movq 32(%1), %%mm4\n"
16150 + " movntq %%mm4, 32(%2)\n"
16151 + " movq 40(%1), %%mm5\n"
16152 + " movntq %%mm5, 40(%2)\n"
16153 + " movq 48(%1), %%mm6\n"
16154 + " movntq %%mm6, 48(%2)\n"
16155 + " movq 56(%1), %%mm7\n"
16156 + " movntq %%mm7, 56(%2)\n"
16157 ".section .fixup, \"ax\"\n"
16158 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16159 + "3:\n"
16160 +
16161 +#ifdef CONFIG_PAX_KERNEXEC
16162 + " movl %%cr0, %0\n"
16163 + " movl %0, %%eax\n"
16164 + " andl $0xFFFEFFFF, %%eax\n"
16165 + " movl %%eax, %%cr0\n"
16166 +#endif
16167 +
16168 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16169 +
16170 +#ifdef CONFIG_PAX_KERNEXEC
16171 + " movl %0, %%cr0\n"
16172 +#endif
16173 +
16174 " jmp 2b\n"
16175 ".previous\n"
16176 - _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory");
16177 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
16178
16179 from += 64;
16180 to += 64;
16181 @@ -280,47 +338,76 @@ static void fast_clear_page(void *page)
16182 static void fast_copy_page(void *to, void *from)
16183 {
16184 int i;
16185 + unsigned long cr0;
16186
16187 kernel_fpu_begin();
16188
16189 __asm__ __volatile__ (
16190 - "1: prefetch (%0)\n"
16191 - " prefetch 64(%0)\n"
16192 - " prefetch 128(%0)\n"
16193 - " prefetch 192(%0)\n"
16194 - " prefetch 256(%0)\n"
16195 + "1: prefetch (%1)\n"
16196 + " prefetch 64(%1)\n"
16197 + " prefetch 128(%1)\n"
16198 + " prefetch 192(%1)\n"
16199 + " prefetch 256(%1)\n"
16200 "2: \n"
16201 ".section .fixup, \"ax\"\n"
16202 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16203 + "3: \n"
16204 +
16205 +#ifdef CONFIG_PAX_KERNEXEC
16206 + " movl %%cr0, %0\n"
16207 + " movl %0, %%eax\n"
16208 + " andl $0xFFFEFFFF, %%eax\n"
16209 + " movl %%eax, %%cr0\n"
16210 +#endif
16211 +
16212 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16213 +
16214 +#ifdef CONFIG_PAX_KERNEXEC
16215 + " movl %0, %%cr0\n"
16216 +#endif
16217 +
16218 " jmp 2b\n"
16219 ".previous\n"
16220 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
16221 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
16222
16223 for (i = 0; i < 4096/64; i++) {
16224 __asm__ __volatile__ (
16225 - "1: prefetch 320(%0)\n"
16226 - "2: movq (%0), %%mm0\n"
16227 - " movq 8(%0), %%mm1\n"
16228 - " movq 16(%0), %%mm2\n"
16229 - " movq 24(%0), %%mm3\n"
16230 - " movq %%mm0, (%1)\n"
16231 - " movq %%mm1, 8(%1)\n"
16232 - " movq %%mm2, 16(%1)\n"
16233 - " movq %%mm3, 24(%1)\n"
16234 - " movq 32(%0), %%mm0\n"
16235 - " movq 40(%0), %%mm1\n"
16236 - " movq 48(%0), %%mm2\n"
16237 - " movq 56(%0), %%mm3\n"
16238 - " movq %%mm0, 32(%1)\n"
16239 - " movq %%mm1, 40(%1)\n"
16240 - " movq %%mm2, 48(%1)\n"
16241 - " movq %%mm3, 56(%1)\n"
16242 + "1: prefetch 320(%1)\n"
16243 + "2: movq (%1), %%mm0\n"
16244 + " movq 8(%1), %%mm1\n"
16245 + " movq 16(%1), %%mm2\n"
16246 + " movq 24(%1), %%mm3\n"
16247 + " movq %%mm0, (%2)\n"
16248 + " movq %%mm1, 8(%2)\n"
16249 + " movq %%mm2, 16(%2)\n"
16250 + " movq %%mm3, 24(%2)\n"
16251 + " movq 32(%1), %%mm0\n"
16252 + " movq 40(%1), %%mm1\n"
16253 + " movq 48(%1), %%mm2\n"
16254 + " movq 56(%1), %%mm3\n"
16255 + " movq %%mm0, 32(%2)\n"
16256 + " movq %%mm1, 40(%2)\n"
16257 + " movq %%mm2, 48(%2)\n"
16258 + " movq %%mm3, 56(%2)\n"
16259 ".section .fixup, \"ax\"\n"
16260 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16261 + "3:\n"
16262 +
16263 +#ifdef CONFIG_PAX_KERNEXEC
16264 + " movl %%cr0, %0\n"
16265 + " movl %0, %%eax\n"
16266 + " andl $0xFFFEFFFF, %%eax\n"
16267 + " movl %%eax, %%cr0\n"
16268 +#endif
16269 +
16270 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16271 +
16272 +#ifdef CONFIG_PAX_KERNEXEC
16273 + " movl %0, %%cr0\n"
16274 +#endif
16275 +
16276 " jmp 2b\n"
16277 ".previous\n"
16278 _ASM_EXTABLE(1b, 3b)
16279 - : : "r" (from), "r" (to) : "memory");
16280 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
16281
16282 from += 64;
16283 to += 64;
16284 diff -urNp linux-2.6.37/arch/x86/lib/putuser.S linux-2.6.37/arch/x86/lib/putuser.S
16285 --- linux-2.6.37/arch/x86/lib/putuser.S 2011-01-04 19:50:19.000000000 -0500
16286 +++ linux-2.6.37/arch/x86/lib/putuser.S 2011-01-17 02:41:01.000000000 -0500
16287 @@ -15,7 +15,8 @@
16288 #include <asm/thread_info.h>
16289 #include <asm/errno.h>
16290 #include <asm/asm.h>
16291 -
16292 +#include <asm/segment.h>
16293 +#include <asm/pgtable.h>
16294
16295 /*
16296 * __put_user_X
16297 @@ -29,52 +30,119 @@
16298 * as they get called from within inline assembly.
16299 */
16300
16301 -#define ENTER CFI_STARTPROC ; \
16302 - GET_THREAD_INFO(%_ASM_BX)
16303 +#define ENTER CFI_STARTPROC
16304 #define EXIT ret ; \
16305 CFI_ENDPROC
16306
16307 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16308 +#define _DEST %_ASM_CX,%_ASM_BX
16309 +#else
16310 +#define _DEST %_ASM_CX
16311 +#endif
16312 +
16313 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16314 +#define __copyuser_seg %gs:
16315 +#else
16316 +#define __copyuser_seg
16317 +#endif
16318 +
16319 .text
16320 ENTRY(__put_user_1)
16321 ENTER
16322 +
16323 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
16324 + GET_THREAD_INFO(%_ASM_BX)
16325 cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
16326 jae bad_put_user
16327 -1: movb %al,(%_ASM_CX)
16328 +
16329 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16330 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16331 + cmp %_ASM_BX,%_ASM_CX
16332 + jb 1234f
16333 + xor %ebx,%ebx
16334 +1234:
16335 +#endif
16336 +
16337 +#endif
16338 +
16339 +1: movb %al,__copyuser_seg (_DEST)
16340 xor %eax,%eax
16341 EXIT
16342 ENDPROC(__put_user_1)
16343
16344 ENTRY(__put_user_2)
16345 ENTER
16346 +
16347 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
16348 + GET_THREAD_INFO(%_ASM_BX)
16349 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
16350 sub $1,%_ASM_BX
16351 cmp %_ASM_BX,%_ASM_CX
16352 jae bad_put_user
16353 -2: movw %ax,(%_ASM_CX)
16354 +
16355 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16356 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16357 + cmp %_ASM_BX,%_ASM_CX
16358 + jb 1234f
16359 + xor %ebx,%ebx
16360 +1234:
16361 +#endif
16362 +
16363 +#endif
16364 +
16365 +2: movw %ax,__copyuser_seg (_DEST)
16366 xor %eax,%eax
16367 EXIT
16368 ENDPROC(__put_user_2)
16369
16370 ENTRY(__put_user_4)
16371 ENTER
16372 +
16373 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
16374 + GET_THREAD_INFO(%_ASM_BX)
16375 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
16376 sub $3,%_ASM_BX
16377 cmp %_ASM_BX,%_ASM_CX
16378 jae bad_put_user
16379 -3: movl %eax,(%_ASM_CX)
16380 +
16381 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16382 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16383 + cmp %_ASM_BX,%_ASM_CX
16384 + jb 1234f
16385 + xor %ebx,%ebx
16386 +1234:
16387 +#endif
16388 +
16389 +#endif
16390 +
16391 +3: movl %eax,__copyuser_seg (_DEST)
16392 xor %eax,%eax
16393 EXIT
16394 ENDPROC(__put_user_4)
16395
16396 ENTRY(__put_user_8)
16397 ENTER
16398 +
16399 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
16400 + GET_THREAD_INFO(%_ASM_BX)
16401 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
16402 sub $7,%_ASM_BX
16403 cmp %_ASM_BX,%_ASM_CX
16404 jae bad_put_user
16405 -4: mov %_ASM_AX,(%_ASM_CX)
16406 +
16407 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16408 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16409 + cmp %_ASM_BX,%_ASM_CX
16410 + jb 1234f
16411 + xor %ebx,%ebx
16412 +1234:
16413 +#endif
16414 +
16415 +#endif
16416 +
16417 +4: mov %_ASM_AX,__copyuser_seg (_DEST)
16418 #ifdef CONFIG_X86_32
16419 -5: movl %edx,4(%_ASM_CX)
16420 +5: movl %edx,__copyuser_seg 4(_DEST)
16421 #endif
16422 xor %eax,%eax
16423 EXIT
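Review bot: `_DEST` silently depends on `%_ASM_BX` holding either `PAX_USER_SHADOW_BASE` or zero, set by the `jb 1234f` / `xor %ebx,%ebx` pair, which is the mirror image of the `jae` / `add` idiom getuser.S uses for the same relocation; a comment on the `_DEST` definition would spare the next reader the derivation, e.g. `/* 64-bit UDEREF: %_ASM_BX is the shadow offset for raw user pointers, 0 for already-shifted ones */`. Because `ENTER` no longer loads thread info, `%_ASM_BX` is never initialised on the 32-bit UDEREF path; `bad_put_user` is outside this hunk, so please confirm it does not read that register. As in getuser.S, the dropped `TI_addr_limit` check on that path relies on the `__copyuser_seg` segment limit and should say so.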
16424 diff -urNp linux-2.6.37/arch/x86/lib/usercopy_32.c linux-2.6.37/arch/x86/lib/usercopy_32.c
16425 --- linux-2.6.37/arch/x86/lib/usercopy_32.c 2011-01-04 19:50:19.000000000 -0500
16426 +++ linux-2.6.37/arch/x86/lib/usercopy_32.c 2011-01-17 02:41:01.000000000 -0500
16427 @@ -43,7 +43,7 @@ do { \
16428 __asm__ __volatile__( \
16429 " testl %1,%1\n" \
16430 " jz 2f\n" \
16431 - "0: lodsb\n" \
16432 + "0: lodsb " __copyuser_seg" (%%esi)\n" \
16433 " stosb\n" \
16434 " testb %%al,%%al\n" \
16435 " jz 1f\n" \
16436 @@ -128,10 +128,12 @@ do { \
16437 int __d0; \
16438 might_fault(); \
16439 __asm__ __volatile__( \
16440 + __COPYUSER_SET_ES \
16441 "0: rep; stosl\n" \
16442 " movl %2,%0\n" \
16443 "1: rep; stosb\n" \
16444 "2:\n" \
16445 + __COPYUSER_RESTORE_ES \
16446 ".section .fixup,\"ax\"\n" \
16447 "3: lea 0(%2,%0,4),%0\n" \
16448 " jmp 2b\n" \
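Review bot: The placement of `__COPYUSER_RESTORE_ES` after the `2:` label is load-bearing: the fixup at `3:` jumps to `2b`, so a fault in the `rep; stosl` / `rep; stosb` still passes through the restore. Nothing marks that ordering, and a future edit that moves the label would leave `%es` pointing at the user segment after a fault. I would annotate it: `"2:\n" /* fixup resumes here: must precede __COPYUSER_RESTORE_ES */`. The two `strnlen_user` hunks have the same dependency between their `1:` label and the restore.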
16449 @@ -200,6 +202,7 @@ long strnlen_user(const char __user *s,
16450 might_fault();
16451
16452 __asm__ __volatile__(
16453 + __COPYUSER_SET_ES
16454 " testl %0, %0\n"
16455 " jz 3f\n"
16456 " andl %0,%%ecx\n"
16457 @@ -208,6 +211,7 @@ long strnlen_user(const char __user *s,
16458 " subl %%ecx,%0\n"
16459 " addl %0,%%eax\n"
16460 "1:\n"
16461 + __COPYUSER_RESTORE_ES
16462 ".section .fixup,\"ax\"\n"
16463 "2: xorl %%eax,%%eax\n"
16464 " jmp 1b\n"
16465 @@ -227,7 +231,7 @@ EXPORT_SYMBOL(strnlen_user);
16466
16467 #ifdef CONFIG_X86_INTEL_USERCOPY
16468 static unsigned long
16469 -__copy_user_intel(void __user *to, const void *from, unsigned long size)
16470 +__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
16471 {
16472 int d0, d1;
16473 __asm__ __volatile__(
16474 @@ -239,36 +243,36 @@ __copy_user_intel(void __user *to, const
16475 " .align 2,0x90\n"
16476 "3: movl 0(%4), %%eax\n"
16477 "4: movl 4(%4), %%edx\n"
16478 - "5: movl %%eax, 0(%3)\n"
16479 - "6: movl %%edx, 4(%3)\n"
16480 + "5: movl %%eax, "__copyuser_seg" 0(%3)\n"
16481 + "6: movl %%edx, "__copyuser_seg" 4(%3)\n"
16482 "7: movl 8(%4), %%eax\n"
16483 "8: movl 12(%4),%%edx\n"
16484 - "9: movl %%eax, 8(%3)\n"
16485 - "10: movl %%edx, 12(%3)\n"
16486 + "9: movl %%eax, "__copyuser_seg" 8(%3)\n"
16487 + "10: movl %%edx, "__copyuser_seg" 12(%3)\n"
16488 "11: movl 16(%4), %%eax\n"
16489 "12: movl 20(%4), %%edx\n"
16490 - "13: movl %%eax, 16(%3)\n"
16491 - "14: movl %%edx, 20(%3)\n"
16492 + "13: movl %%eax, "__copyuser_seg" 16(%3)\n"
16493 + "14: movl %%edx, "__copyuser_seg" 20(%3)\n"
16494 "15: movl 24(%4), %%eax\n"
16495 "16: movl 28(%4), %%edx\n"
16496 - "17: movl %%eax, 24(%3)\n"
16497 - "18: movl %%edx, 28(%3)\n"
16498 + "17: movl %%eax, "__copyuser_seg" 24(%3)\n"
16499 + "18: movl %%edx, "__copyuser_seg" 28(%3)\n"
16500 "19: movl 32(%4), %%eax\n"
16501 "20: movl 36(%4), %%edx\n"
16502 - "21: movl %%eax, 32(%3)\n"
16503 - "22: movl %%edx, 36(%3)\n"
16504 + "21: movl %%eax, "__copyuser_seg" 32(%3)\n"
16505 + "22: movl %%edx, "__copyuser_seg" 36(%3)\n"
16506 "23: movl 40(%4), %%eax\n"
16507 "24: movl 44(%4), %%edx\n"
16508 - "25: movl %%eax, 40(%3)\n"
16509 - "26: movl %%edx, 44(%3)\n"
16510 + "25: movl %%eax, "__copyuser_seg" 40(%3)\n"
16511 + "26: movl %%edx, "__copyuser_seg" 44(%3)\n"
16512 "27: movl 48(%4), %%eax\n"
16513 "28: movl 52(%4), %%edx\n"
16514 - "29: movl %%eax, 48(%3)\n"
16515 - "30: movl %%edx, 52(%3)\n"
16516 + "29: movl %%eax, "__copyuser_seg" 48(%3)\n"
16517 + "30: movl %%edx, "__copyuser_seg" 52(%3)\n"
16518 "31: movl 56(%4), %%eax\n"
16519 "32: movl 60(%4), %%edx\n"
16520 - "33: movl %%eax, 56(%3)\n"
16521 - "34: movl %%edx, 60(%3)\n"
16522 + "33: movl %%eax, "__copyuser_seg" 56(%3)\n"
16523 + "34: movl %%edx, "__copyuser_seg" 60(%3)\n"
16524 " addl $-64, %0\n"
16525 " addl $64, %4\n"
16526 " addl $64, %3\n"
16527 @@ -278,10 +282,119 @@ __copy_user_intel(void __user *to, const
16528 " shrl $2, %0\n"
16529 " andl $3, %%eax\n"
16530 " cld\n"
16531 + __COPYUSER_SET_ES
16532 "99: rep; movsl\n"
16533 "36: movl %%eax, %0\n"
16534 "37: rep; movsb\n"
16535 "100:\n"
16536 + __COPYUSER_RESTORE_ES
16537 + ".section .fixup,\"ax\"\n"
16538 + "101: lea 0(%%eax,%0,4),%0\n"
16539 + " jmp 100b\n"
16540 + ".previous\n"
16541 + ".section __ex_table,\"a\"\n"
16542 + " .align 4\n"
16543 + " .long 1b,100b\n"
16544 + " .long 2b,100b\n"
16545 + " .long 3b,100b\n"
16546 + " .long 4b,100b\n"
16547 + " .long 5b,100b\n"
16548 + " .long 6b,100b\n"
16549 + " .long 7b,100b\n"
16550 + " .long 8b,100b\n"
16551 + " .long 9b,100b\n"
16552 + " .long 10b,100b\n"
16553 + " .long 11b,100b\n"
16554 + " .long 12b,100b\n"
16555 + " .long 13b,100b\n"
16556 + " .long 14b,100b\n"
16557 + " .long 15b,100b\n"
16558 + " .long 16b,100b\n"
16559 + " .long 17b,100b\n"
16560 + " .long 18b,100b\n"
16561 + " .long 19b,100b\n"
16562 + " .long 20b,100b\n"
16563 + " .long 21b,100b\n"
16564 + " .long 22b,100b\n"
16565 + " .long 23b,100b\n"
16566 + " .long 24b,100b\n"
16567 + " .long 25b,100b\n"
16568 + " .long 26b,100b\n"
16569 + " .long 27b,100b\n"
16570 + " .long 28b,100b\n"
16571 + " .long 29b,100b\n"
16572 + " .long 30b,100b\n"
16573 + " .long 31b,100b\n"
16574 + " .long 32b,100b\n"
16575 + " .long 33b,100b\n"
16576 + " .long 34b,100b\n"
16577 + " .long 35b,100b\n"
16578 + " .long 36b,100b\n"
16579 + " .long 37b,100b\n"
16580 + " .long 99b,101b\n"
16581 + ".previous"
16582 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
16583 + : "1"(to), "2"(from), "0"(size)
16584 + : "eax", "edx", "memory");
16585 + return size;
16586 +}
16587 +
16588 +static unsigned long
16589 +__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
16590 +{
16591 + int d0, d1;
16592 + __asm__ __volatile__(
16593 + " .align 2,0x90\n"
16594 + "1: movl "__copyuser_seg" 32(%4), %%eax\n"
16595 + " cmpl $67, %0\n"
16596 + " jbe 3f\n"
16597 + "2: movl "__copyuser_seg" 64(%4), %%eax\n"
16598 + " .align 2,0x90\n"
16599 + "3: movl "__copyuser_seg" 0(%4), %%eax\n"
16600 + "4: movl "__copyuser_seg" 4(%4), %%edx\n"
16601 + "5: movl %%eax, 0(%3)\n"
16602 + "6: movl %%edx, 4(%3)\n"
16603 + "7: movl "__copyuser_seg" 8(%4), %%eax\n"
16604 + "8: movl "__copyuser_seg" 12(%4),%%edx\n"
16605 + "9: movl %%eax, 8(%3)\n"
16606 + "10: movl %%edx, 12(%3)\n"
16607 + "11: movl "__copyuser_seg" 16(%4), %%eax\n"
16608 + "12: movl "__copyuser_seg" 20(%4), %%edx\n"
16609 + "13: movl %%eax, 16(%3)\n"
16610 + "14: movl %%edx, 20(%3)\n"
16611 + "15: movl "__copyuser_seg" 24(%4), %%eax\n"
16612 + "16: movl "__copyuser_seg" 28(%4), %%edx\n"
16613 + "17: movl %%eax, 24(%3)\n"
16614 + "18: movl %%edx, 28(%3)\n"
16615 + "19: movl "__copyuser_seg" 32(%4), %%eax\n"
16616 + "20: movl "__copyuser_seg" 36(%4), %%edx\n"
16617 + "21: movl %%eax, 32(%3)\n"
16618 + "22: movl %%edx, 36(%3)\n"
16619 + "23: movl "__copyuser_seg" 40(%4), %%eax\n"
16620 + "24: movl "__copyuser_seg" 44(%4), %%edx\n"
16621 + "25: movl %%eax, 40(%3)\n"
16622 + "26: movl %%edx, 44(%3)\n"
16623 + "27: movl "__copyuser_seg" 48(%4), %%eax\n"
16624 + "28: movl "__copyuser_seg" 52(%4), %%edx\n"
16625 + "29: movl %%eax, 48(%3)\n"
16626 + "30: movl %%edx, 52(%3)\n"
16627 + "31: movl "__copyuser_seg" 56(%4), %%eax\n"
16628 + "32: movl "__copyuser_seg" 60(%4), %%edx\n"
16629 + "33: movl %%eax, 56(%3)\n"
16630 + "34: movl %%edx, 60(%3)\n"
16631 + " addl $-64, %0\n"
16632 + " addl $64, %4\n"
16633 + " addl $64, %3\n"
16634 + " cmpl $63, %0\n"
16635 + " ja 1b\n"
16636 + "35: movl %0, %%eax\n"
16637 + " shrl $2, %0\n"
16638 + " andl $3, %%eax\n"
16639 + " cld\n"
16640 + "99: rep; movsl "__copyuser_seg" (%%esi), (%%edi)\n"
16641 + "36: movl %%eax, %0\n"
16642 + "37: rep; movsb "__copyuser_seg" (%%esi), (%%edi)\n"
16643 + "100:\n"
16644 ".section .fixup,\"ax\"\n"
16645 "101: lea 0(%%eax,%0,4),%0\n"
16646 " jmp 100b\n"
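Review bot: `__generic_copy_from_user_intel` is a near-verbatim copy of `__generic_copy_to_user_intel` with `__copyuser_seg` moved from the stores to the loads, so every future fix to the unrolled loop must be made twice; a single macro taking the prefixed operand would keep them in step. Unlike `__copy_user_zeroing_intel`, the new function's exception entries all resume at `100b` without zeroing the unfilled tail of `to`, which is correct only for callers that tolerate a partially written destination; a comment above the function stating that, e.g. `/* non-zeroing variant: callers must handle a short copy */`, would prevent it from being picked up by a caller that expects zeroed bytes. The function's `__ex_table` and return continue outside the hunk, so I cannot confirm from here which callers use it.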
16647 @@ -339,41 +452,41 @@ __copy_user_zeroing_intel(void *to, cons
16648 int d0, d1;
16649 __asm__ __volatile__(
16650 " .align 2,0x90\n"
16651 - "0: movl 32(%4), %%eax\n"
16652 + "0: movl "__copyuser_seg" 32(%4), %%eax\n"
16653 " cmpl $67, %0\n"
16654 " jbe 2f\n"
16655 - "1: movl 64(%4), %%eax\n"
16656 + "1: movl "__copyuser_seg" 64(%4), %%eax\n"
16657 " .align 2,0x90\n"
16658 - "2: movl 0(%4), %%eax\n"
16659 - "21: movl 4(%4), %%edx\n"
16660 + "2: movl "__copyuser_seg" 0(%4), %%eax\n"
16661 + "21: movl "__copyuser_seg" 4(%4), %%edx\n"
16662 " movl %%eax, 0(%3)\n"
16663 " movl %%edx, 4(%3)\n"
16664 - "3: movl 8(%4), %%eax\n"
16665 - "31: movl 12(%4),%%edx\n"
16666 + "3: movl "__copyuser_seg" 8(%4), %%eax\n"
16667 + "31: movl "__copyuser_seg" 12(%4),%%edx\n"
16668 " movl %%eax, 8(%3)\n"
16669 " movl %%edx, 12(%3)\n"
16670 - "4: movl 16(%4), %%eax\n"
16671 - "41: movl 20(%4), %%edx\n"
16672 + "4: movl "__copyuser_seg" 16(%4), %%eax\n"
16673 + "41: movl "__copyuser_seg" 20(%4), %%edx\n"
16674 " movl %%eax, 16(%3)\n"
16675 " movl %%edx, 20(%3)\n"
16676 - "10: movl 24(%4), %%eax\n"
16677 - "51: movl 28(%4), %%edx\n"
16678 + "10: movl "__copyuser_seg" 24(%4), %%eax\n"
16679 + "51: movl "__copyuser_seg" 28(%4), %%edx\n"
16680 " movl %%eax, 24(%3)\n"
16681 " movl %%edx, 28(%3)\n"
16682 - "11: movl 32(%4), %%eax\n"
16683 - "61: movl 36(%4), %%edx\n"
16684 + "11: movl "__copyuser_seg" 32(%4), %%eax\n"
16685 + "61: movl "__copyuser_seg" 36(%4), %%edx\n"
16686 " movl %%eax, 32(%3)\n"
16687 " movl %%edx, 36(%3)\n"
16688 - "12: movl 40(%4), %%eax\n"
16689 - "71: movl 44(%4), %%edx\n"
16690 + "12: movl "__copyuser_seg" 40(%4), %%eax\n"
16691 + "71: movl "__copyuser_seg" 44(%4), %%edx\n"
16692 " movl %%eax, 40(%3)\n"
16693 " movl %%edx, 44(%3)\n"
16694 - "13: movl 48(%4), %%eax\n"
16695 - "81: movl 52(%4), %%edx\n"
16696 + "13: movl "__copyuser_seg" 48(%4), %%eax\n"
16697 + "81: movl "__copyuser_seg" 52(%4), %%edx\n"
16698 " movl %%eax, 48(%3)\n"
16699 " movl %%edx, 52(%3)\n"
16700 - "14: movl 56(%4), %%eax\n"
16701 - "91: movl 60(%4), %%edx\n"
16702 + "14: movl "__copyuser_seg" 56(%4), %%eax\n"
16703 + "91: movl "__copyuser_seg" 60(%4), %%edx\n"
16704 " movl %%eax, 56(%3)\n"
16705 " movl %%edx, 60(%3)\n"
16706 " addl $-64, %0\n"
16707 @@ -385,9 +498,9 @@ __copy_user_zeroing_intel(void *to, cons
16708 " shrl $2, %0\n"
16709 " andl $3, %%eax\n"
16710 " cld\n"
16711 - "6: rep; movsl\n"
16712 + "6: rep; movsl "__copyuser_seg" (%%esi), (%%edi)\n"
16713 " movl %%eax,%0\n"
16714 - "7: rep; movsb\n"
16715 + "7: rep; movsb "__copyuser_seg" (%%esi), (%%edi)\n"
16716 "8:\n"
16717 ".section .fixup,\"ax\"\n"
16718 "9: lea 0(%%eax,%0,4),%0\n"
16719 @@ -440,41 +553,41 @@ static unsigned long __copy_user_zeroing
16720
16721 __asm__ __volatile__(
16722 " .align 2,0x90\n"
16723 - "0: movl 32(%4), %%eax\n"
16724 + "0: movl "__copyuser_seg" 32(%4), %%eax\n"
16725 " cmpl $67, %0\n"
16726 " jbe 2f\n"
16727 - "1: movl 64(%4), %%eax\n"
16728 + "1: movl "__copyuser_seg" 64(%4), %%eax\n"
16729 " .align 2,0x90\n"
16730 - "2: movl 0(%4), %%eax\n"
16731 - "21: movl 4(%4), %%edx\n"
16732 + "2: movl "__copyuser_seg" 0(%4), %%eax\n"
16733 + "21: movl "__copyuser_seg" 4(%4), %%edx\n"
16734 " movnti %%eax, 0(%3)\n"
16735 " movnti %%edx, 4(%3)\n"
16736 - "3: movl 8(%4), %%eax\n"
16737 - "31: movl 12(%4),%%edx\n"
16738 + "3: movl "__copyuser_seg" 8(%4), %%eax\n"
16739 + "31: movl "__copyuser_seg" 12(%4),%%edx\n"
16740 " movnti %%eax, 8(%3)\n"
16741 " movnti %%edx, 12(%3)\n"
16742 - "4: movl 16(%4), %%eax\n"
16743 - "41: movl 20(%4), %%edx\n"
16744 + "4: movl "__copyuser_seg" 16(%4), %%eax\n"
16745 + "41: movl "__copyuser_seg" 20(%4), %%edx\n"
16746 " movnti %%eax, 16(%3)\n"
16747 " movnti %%edx, 20(%3)\n"
16748 - "10: movl 24(%4), %%eax\n"
16749 - "51: movl 28(%4), %%edx\n"
16750 + "10: movl "__copyuser_seg" 24(%4), %%eax\n"
16751 + "51: movl "__copyuser_seg" 28(%4), %%edx\n"
16752 " movnti %%eax, 24(%3)\n"
16753 " movnti %%edx, 28(%3)\n"
16754 - "11: movl 32(%4), %%eax\n"
16755 - "61: movl 36(%4), %%edx\n"
16756 + "11: movl "__copyuser_seg" 32(%4), %%eax\n"
16757 + "61: movl "__copyuser_seg" 36(%4), %%edx\n"
16758 " movnti %%eax, 32(%3)\n"
16759 " movnti %%edx, 36(%3)\n"
16760 - "12: movl 40(%4), %%eax\n"
16761 - "71: movl 44(%4), %%edx\n"
16762 + "12: movl "__copyuser_seg" 40(%4), %%eax\n"
16763 + "71: movl "__copyuser_seg" 44(%4), %%edx\n"
16764 " movnti %%eax, 40(%3)\n"
16765 " movnti %%edx, 44(%3)\n"
16766 - "13: movl 48(%4), %%eax\n"
16767 - "81: movl 52(%4), %%edx\n"
16768 + "13: movl "__copyuser_seg" 48(%4), %%eax\n"
16769 + "81: movl "__copyuser_seg" 52(%4), %%edx\n"
16770 " movnti %%eax, 48(%3)\n"
16771 " movnti %%edx, 52(%3)\n"
16772 - "14: movl 56(%4), %%eax\n"
16773 - "91: movl 60(%4), %%edx\n"
16774 + "14: movl "__copyuser_seg" 56(%4), %%eax\n"
16775 + "91: movl "__copyuser_seg" 60(%4), %%edx\n"
16776 " movnti %%eax, 56(%3)\n"
16777 " movnti %%edx, 60(%3)\n"
16778 " addl $-64, %0\n"
16779 @@ -487,9 +600,9 @@ static unsigned long __copy_user_zeroing
16780 " shrl $2, %0\n"
16781 " andl $3, %%eax\n"
16782 " cld\n"
16783 - "6: rep; movsl\n"
16784 + "6: rep; movsl "__copyuser_seg" (%%esi), (%%edi)\n"
16785 " movl %%eax,%0\n"
16786 - "7: rep; movsb\n"
16787 + "7: rep; movsb "__copyuser_seg" (%%esi), (%%edi)\n"
16788 "8:\n"
16789 ".section .fixup,\"ax\"\n"
16790 "9: lea 0(%%eax,%0,4),%0\n"
16791 @@ -537,41 +650,41 @@ static unsigned long __copy_user_intel_n
16792
16793 __asm__ __volatile__(
16794 " .align 2,0x90\n"
16795 - "0: movl 32(%4), %%eax\n"
16796 + "0: movl "__copyuser_seg" 32(%4), %%eax\n"
16797 " cmpl $67, %0\n"
16798 " jbe 2f\n"
16799 - "1: movl 64(%4), %%eax\n"
16800 + "1: movl "__copyuser_seg" 64(%4), %%eax\n"
16801 " .align 2,0x90\n"
16802 - "2: movl 0(%4), %%eax\n"
16803 - "21: movl 4(%4), %%edx\n"
16804 + "2: movl "__copyuser_seg" 0(%4), %%eax\n"
16805 + "21: movl "__copyuser_seg" 4(%4), %%edx\n"
16806 " movnti %%eax, 0(%3)\n"
16807 " movnti %%edx, 4(%3)\n"
16808 - "3: movl 8(%4), %%eax\n"
16809 - "31: movl 12(%4),%%edx\n"
16810 + "3: movl "__copyuser_seg" 8(%4), %%eax\n"
16811 + "31: movl "__copyuser_seg" 12(%4),%%edx\n"
16812 " movnti %%eax, 8(%3)\n"
16813 " movnti %%edx, 12(%3)\n"
16814 - "4: movl 16(%4), %%eax\n"
16815 - "41: movl 20(%4), %%edx\n"
16816 + "4: movl "__copyuser_seg" 16(%4), %%eax\n"
16817 + "41: movl "__copyuser_seg" 20(%4), %%edx\n"
16818 " movnti %%eax, 16(%3)\n"
16819 " movnti %%edx, 20(%3)\n"
16820 - "10: movl 24(%4), %%eax\n"
16821 - "51: movl 28(%4), %%edx\n"
16822 + "10: movl "__copyuser_seg" 24(%4), %%eax\n"
16823 + "51: movl "__copyuser_seg" 28(%4), %%edx\n"
16824 " movnti %%eax, 24(%3)\n"
16825 " movnti %%edx, 28(%3)\n"
16826 - "11: movl 32(%4), %%eax\n"
16827 - "61: movl 36(%4), %%edx\n"
16828 + "11: movl "__copyuser_seg" 32(%4), %%eax\n"
16829 + "61: movl "__copyuser_seg" 36(%4), %%edx\n"
16830 " movnti %%eax, 32(%3)\n"
16831 " movnti %%edx, 36(%3)\n"
16832 - "12: movl 40(%4), %%eax\n"
16833 - "71: movl 44(%4), %%edx\n"
16834 + "12: movl "__copyuser_seg" 40(%4), %%eax\n"
16835 + "71: movl "__copyuser_seg" 44(%4), %%edx\n"
16836 " movnti %%eax, 40(%3)\n"
16837 " movnti %%edx, 44(%3)\n"
16838 - "13: movl 48(%4), %%eax\n"
16839 - "81: movl 52(%4), %%edx\n"
16840 + "13: movl "__copyuser_seg" 48(%4), %%eax\n"
16841 + "81: movl "__copyuser_seg" 52(%4), %%edx\n"
16842 " movnti %%eax, 48(%3)\n"
16843 " movnti %%edx, 52(%3)\n"
16844 - "14: movl 56(%4), %%eax\n"
16845 - "91: movl 60(%4), %%edx\n"
16846 + "14: movl "__copyuser_seg" 56(%4), %%eax\n"
16847 + "91: movl "__copyuser_seg" 60(%4), %%edx\n"
16848 " movnti %%eax, 56(%3)\n"
16849 " movnti %%edx, 60(%3)\n"
16850 " addl $-64, %0\n"
16851 @@ -584,9 +697,9 @@ static unsigned long __copy_user_intel_n
16852 " shrl $2, %0\n"
16853 " andl $3, %%eax\n"
16854 " cld\n"
16855 - "6: rep; movsl\n"
16856 + "6: rep; movsl "__copyuser_seg" (%%esi), (%%edi)\n"
16857 " movl %%eax,%0\n"
16858 - "7: rep; movsb\n"
16859 + "7: rep; movsb "__copyuser_seg" (%%esi), (%%edi)\n"
16860 "8:\n"
16861 ".section .fixup,\"ax\"\n"
16862 "9: lea 0(%%eax,%0,4),%0\n"
16863 @@ -629,32 +742,36 @@ static unsigned long __copy_user_intel_n
16864 */
16865 unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
16866 unsigned long size);
16867 -unsigned long __copy_user_intel(void __user *to, const void *from,
16868 +unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
16869 + unsigned long size);
16870 +unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
16871 unsigned long size);
16872 unsigned long __copy_user_zeroing_intel_nocache(void *to,
16873 const void __user *from, unsigned long size);
16874 #endif /* CONFIG_X86_INTEL_USERCOPY */
16875
16876 /* Generic arbitrary sized copy. */
16877 -#define __copy_user(to, from, size) \
16878 +#define __copy_user(to, from, size, prefix, set, restore) \
16879 do { \
16880 int __d0, __d1, __d2; \
16881 __asm__ __volatile__( \
16882 + set \
16883 " cmp $7,%0\n" \
16884 " jbe 1f\n" \
16885 " movl %1,%0\n" \
16886 " negl %0\n" \
16887 " andl $7,%0\n" \
16888 " subl %0,%3\n" \
16889 - "4: rep; movsb\n" \
16890 + "4: rep; movsb "prefix" (%%esi), (%%edi)\n" \
16891 " movl %3,%0\n" \
16892 " shrl $2,%0\n" \
16893 " andl $3,%3\n" \
16894 " .align 2,0x90\n" \
16895 - "0: rep; movsl\n" \
16896 + "0: rep; movsl "prefix" (%%esi), (%%edi)\n" \
16897 " movl %3,%0\n" \
16898 - "1: rep; movsb\n" \
16899 + "1: rep; movsb "prefix" (%%esi), (%%edi)\n" \
16900 "2:\n" \
16901 + restore \
16902 ".section .fixup,\"ax\"\n" \
16903 "5: addl %3,%0\n" \
16904 " jmp 2b\n" \
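Review bot: The three new `__copy_user` parameters are undocumented, and the fixup path's `jmp 2b` lands on label `2:`, which precedes `restore`, so the `restore` fragment runs on the fault path as well as the normal one; that invariant should be written down so nobody later moves the label below it. A comment above the `#define`, e.g. `/* prefix: segment-override string for the source operand; set/restore: asm fragments run before the copy and at label 2 (also reached from .fixup), e.g. to switch %es */`, would do, with the `%es` example taken from the `__COPYUSER_SET_ES` call site later in this file. Presumably `set`/`restore` must not clobber operands 0-3, since those are used after them; stating that in the same comment would help. The macro body continues past the end of the hunk.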
16905 @@ -682,14 +799,14 @@ do { \
16906 " negl %0\n" \
16907 " andl $7,%0\n" \
16908 " subl %0,%3\n" \
16909 - "4: rep; movsb\n" \
16910 + "4: rep; movsb "__copyuser_seg" (%%esi), (%%edi)\n" \
16911 " movl %3,%0\n" \
16912 " shrl $2,%0\n" \
16913 " andl $3,%3\n" \
16914 " .align 2,0x90\n" \
16915 - "0: rep; movsl\n" \
16916 + "0: rep; movsl "__copyuser_seg" (%%esi), (%%edi)\n" \
16917 " movl %3,%0\n" \
16918 - "1: rep; movsb\n" \
16919 + "1: rep; movsb "__copyuser_seg" (%%esi), (%%edi)\n" \
16920 "2:\n" \
16921 ".section .fixup,\"ax\"\n" \
16922 "5: addl %3,%0\n" \
16923 @@ -775,9 +892,9 @@ survive:
16924 }
16925 #endif
16926 if (movsl_is_ok(to, from, n))
16927 - __copy_user(to, from, n);
16928 + __copy_user(to, from, n, "", __COPYUSER_SET_ES, __COPYUSER_RESTORE_ES);
16929 else
16930 - n = __copy_user_intel(to, from, n);
16931 + n = __generic_copy_to_user_intel(to, from, n);
16932 return n;
16933 }
16934 EXPORT_SYMBOL(__copy_to_user_ll);
16935 @@ -797,10 +914,9 @@ unsigned long __copy_from_user_ll_nozero
16936 unsigned long n)
16937 {
16938 if (movsl_is_ok(to, from, n))
16939 - __copy_user(to, from, n);
16940 + __copy_user(to, from, n, __copyuser_seg, "", "");
16941 else
16942 - n = __copy_user_intel((void __user *)to,
16943 - (const void *)from, n);
16944 + n = __generic_copy_from_user_intel(to, from, n);
16945 return n;
16946 }
16947 EXPORT_SYMBOL(__copy_from_user_ll_nozero);
16948 @@ -827,65 +943,49 @@ unsigned long __copy_from_user_ll_nocach
16949 if (n > 64 && cpu_has_xmm2)
16950 n = __copy_user_intel_nocache(to, from, n);
16951 else
16952 - __copy_user(to, from, n);
16953 + __copy_user(to, from, n, __copyuser_seg, "", "");
16954 #else
16955 - __copy_user(to, from, n);
16956 + __copy_user(to, from, n, __copyuser_seg, "", "");
16957 #endif
16958 return n;
16959 }
16960 EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
16961
16962 -/**
16963 - * copy_to_user: - Copy a block of data into user space.
16964 - * @to: Destination address, in user space.
16965 - * @from: Source address, in kernel space.
16966 - * @n: Number of bytes to copy.
16967 - *
16968 - * Context: User context only. This function may sleep.
16969 - *
16970 - * Copy data from kernel space to user space.
16971 - *
16972 - * Returns number of bytes that could not be copied.
16973 - * On success, this will be zero.
16974 - */
16975 -unsigned long
16976 -copy_to_user(void __user *to, const void *from, unsigned long n)
16977 +void copy_from_user_overflow(void)
16978 {
16979 - if (access_ok(VERIFY_WRITE, to, n))
16980 - n = __copy_to_user(to, from, n);
16981 - return n;
16982 + WARN(1, "Buffer overflow detected!\n");
16983 }
16984 -EXPORT_SYMBOL(copy_to_user);
16985 +EXPORT_SYMBOL(copy_from_user_overflow);
16986
16987 -/**
16988 - * copy_from_user: - Copy a block of data from user space.
16989 - * @to: Destination address, in kernel space.
16990 - * @from: Source address, in user space.
16991 - * @n: Number of bytes to copy.
16992 - *
16993 - * Context: User context only. This function may sleep.
16994 - *
16995 - * Copy data from user space to kernel space.
16996 - *
16997 - * Returns number of bytes that could not be copied.
16998 - * On success, this will be zero.
16999 - *
17000 - * If some data could not be copied, this function will pad the copied
17001 - * data to the requested size using zero bytes.
17002 - */
17003 -unsigned long
17004 -_copy_from_user(void *to, const void __user *from, unsigned long n)
17005 +void copy_to_user_overflow(void)
17006 {
17007 - if (access_ok(VERIFY_READ, from, n))
17008 - n = __copy_from_user(to, from, n);
17009 - else
17010 - memset(to, 0, n);
17011 - return n;
17012 + WARN(1, "Buffer overflow detected!\n");
17013 }
17014 -EXPORT_SYMBOL(_copy_from_user);
17015 +EXPORT_SYMBOL(copy_to_user_overflow);
17016
17017 -void copy_from_user_overflow(void)
17018 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17019 +void __set_fs(mm_segment_t x)
17020 {
17021 - WARN(1, "Buffer overflow detected!\n");
17022 + switch (x.seg) {
17023 + case 0:
17024 + loadsegment(gs, 0);
17025 + break;
17026 + case TASK_SIZE_MAX:
17027 + loadsegment(gs, __USER_DS);
17028 + break;
17029 + case -1UL:
17030 + loadsegment(gs, __KERNEL_DS);
17031 + break;
17032 + default:
17033 + BUG();
17034 + }
17035 + return;
17036 }
17037 -EXPORT_SYMBOL(copy_from_user_overflow);
17038 +
17039 +void set_fs(mm_segment_t x)
17040 +{
17041 + current_thread_info()->addr_limit = x;
17042 + __set_fs(x);
17043 +}
17044 +EXPORT_SYMBOL(set_fs);
17045 +#endif
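Review bot: `copy_from_user_overflow` and `copy_to_user_overflow` emit the identical text `"Buffer overflow detected!\n"`, so a report cannot tell which copy direction tripped the check; giving each its own message, e.g. `WARN(1, "Buffer overflow detected in copy_to_user!\n");`, costs nothing and simplifies triage. In `__set_fs` the trailing `return;` is redundant, and `default: BUG();` deserves a one-line comment that a `seg` value other than 0, TASK_SIZE_MAX or -1UL is treated as a kernel bug rather than mapped to a segment. The `copy_to_user`/`_copy_from_user` definitions removed here presumably live elsewhere in the patch; that is not visible from this hunk.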
17046 diff -urNp linux-2.6.37/arch/x86/lib/usercopy_64.c linux-2.6.37/arch/x86/lib/usercopy_64.c
17047 --- linux-2.6.37/arch/x86/lib/usercopy_64.c 2011-01-04 19:50:19.000000000 -0500
17048 +++ linux-2.6.37/arch/x86/lib/usercopy_64.c 2011-01-17 02:41:01.000000000 -0500
17049 @@ -42,6 +42,8 @@ long
17050 __strncpy_from_user(char *dst, const char __user *src, long count)
17051 {
17052 long res;
17053 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
17054 + src += PAX_USER_SHADOW_BASE;
17055 __do_strncpy_from_user(dst, src, count, res);
17056 return res;
17057 }
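Review bot: The shadow-base relocation added to `__strncpy_from_user` is open-coded again in the two hunks below (`__clear_user`, and `copy_in_user` where it is applied to both `to` and `from`); four copies of the same two-line test invite drift. A single helper such as `#define pax_shadow_user(p) do { if ((unsigned long)(p) < PAX_USER_SHADOW_BASE) (p) += PAX_USER_SHADOW_BASE; } while (0)` would keep them identical and document the intent in one place. The helper's comment should also state that callers are expected to have passed `access_ok()` already, since neither `__strncpy_from_user` nor `__clear_user` does a range check in the visible lines.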
17058 @@ -65,6 +67,8 @@ unsigned long __clear_user(void __user *
17059 {
17060 long __d0;
17061 might_fault();
17062 + if ((unsigned long)addr < PAX_USER_SHADOW_BASE)
17063 + addr += PAX_USER_SHADOW_BASE;
17064 /* no memory constraint because it doesn't change any memory gcc knows
17065 about */
17066 asm volatile(
17067 @@ -151,10 +155,14 @@ EXPORT_SYMBOL(strlen_user);
17068
17069 unsigned long copy_in_user(void __user *to, const void __user *from, unsigned len)
17070 {
17071 - if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
17072 + if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
17073 + if ((unsigned long)to < PAX_USER_SHADOW_BASE)
17074 + to += PAX_USER_SHADOW_BASE;
17075 + if ((unsigned long)from < PAX_USER_SHADOW_BASE)
17076 + from += PAX_USER_SHADOW_BASE;
17077 return copy_user_generic((__force void *)to, (__force void *)from, len);
17078 - }
17079 - return len;
17080 + }
17081 + return len;
17082 }
17083 EXPORT_SYMBOL(copy_in_user);
17084
17085 diff -urNp linux-2.6.37/arch/x86/Makefile linux-2.6.37/arch/x86/Makefile
17086 --- linux-2.6.37/arch/x86/Makefile 2011-01-04 19:50:19.000000000 -0500
17087 +++ linux-2.6.37/arch/x86/Makefile 2011-01-17 02:41:01.000000000 -0500
17088 @@ -195,3 +195,12 @@ define archhelp
17089 echo ' FDARGS="..." arguments for the booted kernel'
17090 echo ' FDINITRD=file initrd for the booted kernel'
17091 endef
17092 +
17093 +define OLD_LD
17094 +
17095 +*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils.
17096 +*** Please upgrade your binutils to 2.18 or newer
17097 +endef
17098 +
17099 +archprepare:
17100 + $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
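Review bot: The new `archprepare` rule aborts when `LDFLAGS_BUILD_ID` is empty, but the `OLD_LD` text only talks about binutils 2.18, so a reader has to guess that build-id support is being used as the proxy for the linker version. A comment on the rule, e.g. `# LDFLAGS_BUILD_ID is only set when ld supports --build-id (binutils >= 2.18), which PaX kernels require`, would tie the check to the message. Whether build-id support is the only binutils feature PaX needs is not visible here.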
17101 diff -urNp linux-2.6.37/arch/x86/mm/extable.c linux-2.6.37/arch/x86/mm/extable.c
17102 --- linux-2.6.37/arch/x86/mm/extable.c 2011-01-04 19:50:19.000000000 -0500
17103 +++ linux-2.6.37/arch/x86/mm/extable.c 2011-01-17 02:41:01.000000000 -0500
17104 @@ -1,14 +1,71 @@
17105 #include <linux/module.h>
17106 #include <linux/spinlock.h>
17107 +#include <linux/sort.h>
17108 #include <asm/uaccess.h>
17109 +#include <asm/pgtable.h>
17110
17111 +/*
17112 + * The exception table needs to be sorted so that the binary
17113 + * search that we use to find entries in it works properly.
17114 + * This is used both for the kernel exception table and for
17115 + * the exception tables of modules that get loaded.
17116 + */
17117 +static int cmp_ex(const void *a, const void *b)
17118 +{
17119 + const struct exception_table_entry *x = a, *y = b;
17120 +
17121 + /* avoid overflow */
17122 + if (x->insn > y->insn)
17123 + return 1;
17124 + if (x->insn < y->insn)
17125 + return -1;
17126 + return 0;
17127 +}
17128 +
17129 +static void swap_ex(void *a, void *b, int size)
17130 +{
17131 + struct exception_table_entry t, *x = a, *y = b;
17132 +
17133 + t = *x;
17134 +
17135 + pax_open_kernel();
17136 + *x = *y;
17137 + *y = t;
17138 + pax_close_kernel();
17139 +}
17140 +
17141 +void sort_extable(struct exception_table_entry *start,
17142 + struct exception_table_entry *finish)
17143 +{
17144 + sort(start, finish - start, sizeof(struct exception_table_entry),
17145 + cmp_ex, swap_ex);
17146 +}
17147 +
17148 +#ifdef CONFIG_MODULES
17149 +/*
17150 + * If the exception table is sorted, any referring to the module init
17151 + * will be at the beginning or the end.
17152 + */
17153 +void trim_init_extable(struct module *m)
17154 +{
17155 + /*trim the beginning*/
17156 + while (m->num_exentries && within_module_init(m->extable[0].insn, m)) {
17157 + m->extable++;
17158 + m->num_exentries--;
17159 + }
17160 + /*trim the end*/
17161 + while (m->num_exentries &&
17162 + within_module_init(m->extable[m->num_exentries-1].insn, m))
17163 + m->num_exentries--;
17164 +}
17165 +#endif /* CONFIG_MODULES */
17166
17167 int fixup_exception(struct pt_regs *regs)
17168 {
17169 const struct exception_table_entry *fixup;
17170
17171 #ifdef CONFIG_PNPBIOS
17172 - if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
17173 + if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) {
17174 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
17175 extern u32 pnp_bios_is_utter_crap;
17176 pnp_bios_is_utter_crap = 1;
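Review bot: The added `!v8086_mode(regs)` guard in `fixup_exception` has no comment explaining what it excludes; presumably a vm86 task's real-mode `cs` value could otherwise satisfy `SEGMENT_IS_PNP_CODE` and be misrouted to the PnP BIOS fault path, but that reasoning belongs on the line, e.g. `/* a vm86 cs is a real-mode segment, not a selector, so it must not match the PnP BIOS selectors */`. `sort_extable` passes the `ptrdiff_t` `finish - start` to `sort()`'s `size_t` element count, so a comment (or a `BUG_ON(finish < start)`) that callers always pass `start <= finish` would be worthwhile. `fixup_exception` continues past the end of the hunk.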
17177 diff -urNp linux-2.6.37/arch/x86/mm/fault.c linux-2.6.37/arch/x86/mm/fault.c
17178 --- linux-2.6.37/arch/x86/mm/fault.c 2011-01-04 19:50:19.000000000 -0500
17179 +++ linux-2.6.37/arch/x86/mm/fault.c 2011-01-17 02:41:01.000000000 -0500
17180 @@ -12,10 +12,18 @@
17181 #include <linux/mmiotrace.h> /* kmmio_handler, ... */
17182 #include <linux/perf_event.h> /* perf_sw_event */
17183 #include <linux/hugetlb.h> /* hstate_index_to_shift */
17184 +#include <linux/unistd.h>
17185 +#include <linux/compiler.h>
17186
17187 #include <asm/traps.h> /* dotraplinkage, ... */
17188 #include <asm/pgalloc.h> /* pgd_*(), ... */
17189 #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */
17190 +#include <asm/vsyscall.h>
17191 +#include <asm/tlbflush.h>
17192 +
17193 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17194 +#include <asm/stacktrace.h>
17195 +#endif
17196
17197 /*
17198 * Page fault error code bits:
17199 @@ -53,7 +61,7 @@ static inline int __kprobes notify_page_
17200 int ret = 0;
17201
17202 /* kprobe_running() needs smp_processor_id() */
17203 - if (kprobes_built_in() && !user_mode_vm(regs)) {
17204 + if (kprobes_built_in() && !user_mode(regs)) {
17205 preempt_disable();
17206 if (kprobe_running() && kprobe_fault_handler(regs, 14))
17207 ret = 1;
17208 @@ -114,7 +122,10 @@ check_prefetch_opcode(struct pt_regs *re
17209 return !instr_lo || (instr_lo>>1) == 1;
17210 case 0x00:
17211 /* Prefetch instruction is 0x0F0D or 0x0F18 */
17212 - if (probe_kernel_address(instr, opcode))
17213 + if (user_mode(regs)) {
17214 + if (__copy_from_user_inatomic(&opcode, (__force unsigned char __user *)(instr), 1))
17215 + return 0;
17216 + } else if (probe_kernel_address(instr, opcode))
17217 return 0;
17218
17219 *prefetch = (instr_lo == 0xF) &&
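Review bot: The user-mode opcode read added to `check_prefetch_opcode` (and again in `is_prefetch` in the next hunk) has no `access_ok()` check and relies entirely on the exception table to reject a bad `instr`; since `instr` derives from `regs->ip`, whether a user-mode register set whose `ip` lies in the kernel range is safely refused here depends on the UDEREF uaccess implementation and should be confirmed. The two hunks duplicate the same four-line fallback; a small helper such as `static int pax_read_opcode(struct pt_regs *regs, unsigned char *instr, unsigned char *op)` returning non-zero on failure would keep them in step. A comment on the user-mode branch, e.g. `/* instr is a user address when the fault came from user mode; probe_kernel_address() is for kernel text only */`, would explain why the split exists. Both enclosing functions extend beyond their hunks.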
17220 @@ -148,7 +159,10 @@ is_prefetch(struct pt_regs *regs, unsign
17221 while (instr < max_instr) {
17222 unsigned char opcode;
17223
17224 - if (probe_kernel_address(instr, opcode))
17225 + if (user_mode(regs)) {
17226 + if (__copy_from_user_inatomic(&opcode, (__force unsigned char __user *)(instr), 1))
17227 + break;
17228 + } else if (probe_kernel_address(instr, opcode))
17229 break;
17230
17231 instr++;
17232 @@ -179,6 +193,30 @@ force_sig_info_fault(int si_signo, int s
17233 force_sig_info(si_signo, &info, tsk);
17234 }
17235
17236 +#ifdef CONFIG_PAX_EMUTRAMP
17237 +static int pax_handle_fetch_fault(struct pt_regs *regs);
17238 +#endif
17239 +
17240 +#ifdef CONFIG_PAX_PAGEEXEC
17241 +static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
17242 +{
17243 + pgd_t *pgd;
17244 + pud_t *pud;
17245 + pmd_t *pmd;
17246 +
17247 + pgd = pgd_offset(mm, address);
17248 + if (!pgd_present(*pgd))
17249 + return NULL;
17250 + pud = pud_offset(pgd, address);
17251 + if (!pud_present(*pud))
17252 + return NULL;
17253 + pmd = pmd_offset(pud, address);
17254 + if (!pmd_present(*pmd))
17255 + return NULL;
17256 + return pmd;
17257 +}
17258 +#endif
17259 +
17260 DEFINE_SPINLOCK(pgd_lock);
17261 LIST_HEAD(pgd_list);
17262
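Review bot: `pax_get_pmd` returns any present pmd, including one that maps a large page, and nothing documents that; if a caller goes on to treat the result as a pointer to a pte table, a large pmd would be misread. Either state the contract (`/* returns NULL unless pgd/pud/pmd are all present; a large (PSE/hugetlb) pmd is returned as-is */`) or reject it with a `pmd_large()`-style check, whichever the callers need. The forward declaration of `pax_handle_fetch_fault` could carry a one-line note on its return-value encoding, since callers later in this file compare it against 2.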
17263 @@ -231,18 +269,35 @@ void vmalloc_sync_all(void)
17264 address += PMD_SIZE) {
17265
17266 unsigned long flags;
17267 +
17268 +#ifdef CONFIG_PAX_PER_CPU_PGD
17269 + unsigned long cpu;
17270 +#else
17271 struct page *page;
17272 +#endif
17273
17274 spin_lock_irqsave(&pgd_lock, flags);
17275 +
17276 +#ifdef CONFIG_PAX_PER_CPU_PGD
17277 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
17278 + pgd_t *pgd = get_cpu_pgd(cpu);
17279 + pmd_t *ret;
17280 +#else
17281 list_for_each_entry(page, &pgd_list, lru) {
17282 + pgd_t *pgd = page_address(page);
17283 spinlock_t *pgt_lock;
17284 pmd_t *ret;
17285
17286 pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
17287
17288 spin_lock(pgt_lock);
17289 - ret = vmalloc_sync_one(page_address(page), address);
17290 +#endif
17291 +
17292 + ret = vmalloc_sync_one(pgd, address);
17293 +
17294 +#ifndef CONFIG_PAX_PER_CPU_PGD
17295 spin_unlock(pgt_lock);
17296 +#endif
17297
17298 if (!ret)
17299 break;
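Review bot: The `CONFIG_PAX_PER_CPU_PGD` and non-per-CPU variants of the `vmalloc_sync_all` loop are interleaved through five preprocessor blocks in one loop body, with `ret` declared separately in each and the `spin_lock`/`spin_unlock` pair split across two of them, which makes lock balance hard to verify by reading. Extracting the per-pgd work into a helper and keeping one `#ifdef` around the loop header would read more plainly. The per-CPU branch iterates `cpu < NR_CPUS`; if `get_cpu_pgd()` is backed by a per-CPU allocation rather than an `NR_CPUS`-sized array, `for_each_possible_cpu(cpu)` would be the safer idiom, which is not visible here. The loop body continues past the hunk.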
17300 @@ -276,6 +331,11 @@ static noinline __kprobes int vmalloc_fa
17301 * an interrupt in the middle of a task switch..
17302 */
17303 pgd_paddr = read_cr3();
17304 +
17305 +#ifdef CONFIG_PAX_PER_CPU_PGD
17306 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (pgd_paddr & PHYSICAL_PAGE_MASK));
17307 +#endif
17308 +
17309 pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
17310 if (!pmd_k)
17311 return -1;
17312 @@ -371,7 +431,14 @@ static noinline __kprobes int vmalloc_fa
17313 * happen within a race in page table update. In the later
17314 * case just flush:
17315 */
17316 +
17317 +#ifdef CONFIG_PAX_PER_CPU_PGD
17318 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (read_cr3() & PHYSICAL_PAGE_MASK));
17319 + pgd = pgd_offset_cpu(smp_processor_id(), address);
17320 +#else
17321 pgd = pgd_offset(current->active_mm, address);
17322 +#endif
17323 +
17324 pgd_ref = pgd_offset_k(address);
17325 if (pgd_none(*pgd_ref))
17326 return -1;
17327 @@ -533,7 +600,7 @@ static int is_errata93(struct pt_regs *r
17328 static int is_errata100(struct pt_regs *regs, unsigned long address)
17329 {
17330 #ifdef CONFIG_X86_64
17331 - if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
17332 + if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32))
17333 return 1;
17334 #endif
17335 return 0;
17336 @@ -560,7 +627,7 @@ static int is_f00f_bug(struct pt_regs *r
17337 }
17338
17339 static const char nx_warning[] = KERN_CRIT
17340 -"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
17341 +"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n";
17342
17343 static void
17344 show_fault_oops(struct pt_regs *regs, unsigned long error_code,
17345 @@ -569,15 +636,26 @@ show_fault_oops(struct pt_regs *regs, un
17346 if (!oops_may_print())
17347 return;
17348
17349 - if (error_code & PF_INSTR) {
17350 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) {
17351 unsigned int level;
17352
17353 pte_t *pte = lookup_address(address, &level);
17354
17355 if (pte && pte_present(*pte) && !pte_exec(*pte))
17356 - printk(nx_warning, current_uid());
17357 + printk(nx_warning, current_uid(), current->comm, task_pid_nr(current));
17358 }
17359
17360 +#ifdef CONFIG_PAX_KERNEXEC
17361 + if (init_mm.start_code <= address && address < init_mm.end_code) {
17362 + if (current->signal->curr_ip)
17363 + printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
17364 + &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
17365 + else
17366 + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
17367 + current->comm, task_pid_nr(current), current_uid(), current_euid());
17368 + }
17369 +#endif
17370 +
17371 printk(KERN_ALERT "BUG: unable to handle kernel ");
17372 if (address < PAGE_SIZE)
17373 printk(KERN_CONT "NULL pointer dereference");
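Review bot: The `(__supported_pte_mask & _PAGE_NX)` test added before `PF_INSTR` here is repeated in `__bad_area_nosemaphore`, `pax_handle_pageexec_fault` and `access_error` later in this file; a named helper such as `static inline int nx_enabled(void) { return __supported_pte_mask & _PAGE_NX; }` would make the intent (presumably that `PF_INSTR` is only trusted when NX is in use) visible at each site. The new `PAX: ... attempted to modify kernel code` lines are emitted at `KERN_ERR` without rate limiting; since `show_fault_oops` is already gated by `oops_may_print()` that is probably acceptable, but a comment saying so would pre-empt the question. `show_fault_oops` continues past the hunk.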
17374 @@ -702,6 +780,68 @@ __bad_area_nosemaphore(struct pt_regs *r
17375 unsigned long address, int si_code)
17376 {
17377 struct task_struct *tsk = current;
17378 + struct mm_struct *mm = tsk->mm;
17379 +
17380 +#ifdef CONFIG_X86_64
17381 + if (mm && (error_code & PF_INSTR) && mm->context.vdso) {
17382 + if (regs->ip == (unsigned long)vgettimeofday) {
17383 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_gettimeofday);
17384 + return;
17385 + } else if (regs->ip == (unsigned long)vtime) {
17386 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_time);
17387 + return;
17388 + } else if (regs->ip == (unsigned long)vgetcpu) {
17389 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, getcpu);
17390 + return;
17391 + }
17392 + }
17393 +#endif
17394 +
17395 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
17396 + if (mm && (error_code & PF_USER)) {
17397 + unsigned long ip = regs->ip;
17398 +
17399 + if (v8086_mode(regs))
17400 + ip = ((regs->cs & 0xffff) << 4) + (ip & 0xffff);
17401 +
17402 + /*
17403 + * It's possible to have interrupts off here:
17404 + */
17405 + local_irq_enable();
17406 +
17407 +#ifdef CONFIG_PAX_PAGEEXEC
17408 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) &&
17409 + (((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) || (!(error_code & (PF_PROT | PF_WRITE)) && ip == address))) {
17410 +
17411 +#ifdef CONFIG_PAX_EMUTRAMP
17412 + switch (pax_handle_fetch_fault(regs)) {
17413 + case 2:
17414 + return;
17415 + }
17416 +#endif
17417 +
17418 + pax_report_fault(regs, (void *)ip, (void *)regs->sp);
17419 + do_group_exit(SIGKILL);
17420 + }
17421 +#endif
17422 +
17423 +#ifdef CONFIG_PAX_SEGMEXEC
17424 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & (PF_PROT | PF_WRITE)) && (ip + SEGMEXEC_TASK_SIZE == address)) {
17425 +
17426 +#ifdef CONFIG_PAX_EMUTRAMP
17427 + switch (pax_handle_fetch_fault(regs)) {
17428 + case 2:
17429 + return;
17430 + }
17431 +#endif
17432 +
17433 + pax_report_fault(regs, (void *)ip, (void *)regs->sp);
17434 + do_group_exit(SIGKILL);
17435 + }
17436 +#endif
17437 +
17438 + }
17439 +#endif
17440
17441 /* User mode accesses just cause a SIGSEGV */
17442 if (error_code & PF_USER) {
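Review bot: `switch (pax_handle_fetch_fault(regs)) { case 2: return; }` appears twice in this hunk (and once more in `pax_handle_pageexec_fault`) for what is a single-value test; `if (pax_handle_fetch_fault(regs) == 2) return;` says the same with less ceremony, and a comment naming what 2 means (`/* 2: trampoline emulated, resume the task */`, per the `return 2` paths in the emulation functions at the end of the file) would be better still. The x86-64 vDSO block also needs a sentence explaining why an instruction fetch at `vgettimeofday`/`vtime`/`vgetcpu` is rewritten to the vDSO fallbacks rather than reported; nothing in the hunk states the condition it handles. `__bad_area_nosemaphore`'s signature starts before the hunk and the function continues after it.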
17443 @@ -849,6 +989,99 @@ static int spurious_fault_check(unsigned
17444 return 1;
17445 }
17446
17447 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
17448 +static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code)
17449 +{
17450 + pte_t *pte;
17451 + pmd_t *pmd;
17452 + spinlock_t *ptl;
17453 + unsigned char pte_mask;
17454 +
17455 + if ((__supported_pte_mask & _PAGE_NX) || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) ||
17456 + !(mm->pax_flags & MF_PAX_PAGEEXEC))
17457 + return 0;
17458 +
17459 + /* PaX: it's our fault, let's handle it if we can */
17460 +
17461 + /* PaX: take a look at read faults before acquiring any locks */
17462 + if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) {
17463 + /* instruction fetch attempt from a protected page in user mode */
17464 + up_read(&mm->mmap_sem);
17465 +
17466 +#ifdef CONFIG_PAX_EMUTRAMP
17467 + switch (pax_handle_fetch_fault(regs)) {
17468 + case 2:
17469 + return 1;
17470 + }
17471 +#endif
17472 +
17473 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
17474 + do_group_exit(SIGKILL);
17475 + }
17476 +
17477 + pmd = pax_get_pmd(mm, address);
17478 + if (unlikely(!pmd))
17479 + return 0;
17480 +
17481 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
17482 + if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
17483 + pte_unmap_unlock(pte, ptl);
17484 + return 0;
17485 + }
17486 +
17487 + if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) {
17488 + /* write attempt to a protected page in user mode */
17489 + pte_unmap_unlock(pte, ptl);
17490 + return 0;
17491 + }
17492 +
17493 +#ifdef CONFIG_SMP
17494 + if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
17495 +#else
17496 + if (likely(address > get_limit(regs->cs)))
17497 +#endif
17498 + {
17499 + set_pte(pte, pte_mkread(*pte));
17500 + __flush_tlb_one(address);
17501 + pte_unmap_unlock(pte, ptl);
17502 + up_read(&mm->mmap_sem);
17503 + return 1;
17504 + }
17505 +
17506 + pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1));
17507 +
17508 + /*
17509 + * PaX: fill DTLB with user rights and retry
17510 + */
17511 + __asm__ __volatile__ (
17512 + "orb %2,(%1)\n"
17513 +#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
17514 +/*
17515 + * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
17516 + * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
17517 + * page fault when examined during a TLB load attempt. this is true not only
17518 + * for PTEs holding a non-present entry but also present entries that will
17519 + * raise a page fault (such as those set up by PaX, or the copy-on-write
17520 + * mechanism). in effect it means that we do *not* need to flush the TLBs
17521 + * for our target pages since their PTEs are simply not in the TLBs at all.
17522 +
17523 + * the best thing in omitting it is that we gain around 15-20% speed in the
17524 + * fast path of the page fault handler and can get rid of tracing since we
17525 + * can no longer flush unintended entries.
17526 + */
17527 + "invlpg (%0)\n"
17528 +#endif
17529 + "testb $0,"__copyuser_seg"(%0)\n"
17530 + "xorb %3,(%1)\n"
17531 + :
17532 + : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER)
17533 + : "memory", "cc");
17534 + pte_unmap_unlock(pte, ptl);
17535 + up_read(&mm->mmap_sem);
17536 + return 1;
17537 +}
17538 +#endif
17539 +
17540 /*
17541 * Handle a spurious fault caused by a stale TLB entry.
17542 *
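Review bot: `pax_handle_pageexec_fault` has an asymmetric locking contract that nothing documents: every `return 1` path (and the `do_group_exit` path) first calls `up_read(&mm->mmap_sem)`, while every `return 0` path leaves the semaphore held for the caller, which the call site in `do_page_fault` relies on when it returns on 1. A header comment such as `/* Called with mm->mmap_sem held for read. Returns 1 after releasing it if this was a PaX PAGEEXEC fault that has been handled (or the task killed); returns 0 with mmap_sem still held otherwise. */` is the minimum. The `pte_mask` line relies on `PF_WRITE << (_PAGE_BIT_DIRTY-1)` landing on `_PAGE_DIRTY`; a comment stating that arithmetic would protect it against a change of either constant. `pte_offset_map_lock` is applied to whatever `pax_get_pmd` returns, so a large pmd would be walked as a pte table if one can reach here; confirm it cannot.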
17543 @@ -921,6 +1154,9 @@ int show_unhandled_signals = 1;
17544 static inline int
17545 access_error(unsigned long error_code, struct vm_area_struct *vma)
17546 {
17547 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
17548 + return 1;
17549 +
17550 if (error_code & PF_WRITE) {
17551 /* write, present and write, not present: */
17552 if (unlikely(!(vma->vm_flags & VM_WRITE)))
17553 @@ -954,19 +1190,33 @@ do_page_fault(struct pt_regs *regs, unsi
17554 {
17555 struct vm_area_struct *vma;
17556 struct task_struct *tsk;
17557 - unsigned long address;
17558 struct mm_struct *mm;
17559 int fault;
17560 int write = error_code & PF_WRITE;
17561 unsigned int flags = FAULT_FLAG_ALLOW_RETRY |
17562 (write ? FAULT_FLAG_WRITE : 0);
17563
17564 + /* Get the faulting address: */
17565 + unsigned long address = read_cr2();
17566 +
17567 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17568 + if (!user_mode(regs) && address < 2 * PAX_USER_SHADOW_BASE) {
17569 + if (!search_exception_tables(regs->ip)) {
17570 + bad_area_nosemaphore(regs, error_code, address);
17571 + return;
17572 + }
17573 + if (address < PAX_USER_SHADOW_BASE) {
17574 + printk(KERN_ERR "PAX: please report this to pageexec@freemail.hu\n");
17575 + printk(KERN_ERR "PAX: faulting IP: %pA\n", (void *)regs->ip);
17576 + show_trace_log_lvl(NULL, NULL, (void *)regs->sp, regs->bp, KERN_ERR);
17577 + } else
17578 + address -= PAX_USER_SHADOW_BASE;
17579 + }
17580 +#endif
17581 +
17582 tsk = current;
17583 mm = tsk->mm;
17584
17585 - /* Get the faulting address: */
17586 - address = read_cr2();
17587 -
17588 /*
17589 * Detect and handle instructions that would cause a page fault for
17590 * both a tracked kernel page and a userspace page.
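Review bot: In the new `CONFIG_PAX_MEMORY_UDEREF` block, the `address < PAX_USER_SHADOW_BASE` branch prints its diagnostics and then continues with `address` unchanged into normal fault handling, while the `else` branch rewrites `address`; whether that fall-through is the intended behaviour for a kernel-mode fault on an un-shadowed user address is not stated. A comment on that branch (`/* kernel touched user memory without the shadow offset: report, then handle as a plain fault */`, or whatever the intent is) would settle it. The surviving `/* Get the faulting address: */` comment now sits above an `#if` block that may rewrite `address`, so it might mention that the shadow offset is removed below. `do_page_fault` continues past the hunk.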
17591 @@ -1026,7 +1276,7 @@ do_page_fault(struct pt_regs *regs, unsi
17592 * User-mode registers count as a user access even for any
17593 * potential system fault or CPU buglet:
17594 */
17595 - if (user_mode_vm(regs)) {
17596 + if (user_mode(regs)) {
17597 local_irq_enable();
17598 error_code |= PF_USER;
17599 } else {
17600 @@ -1081,6 +1331,11 @@ retry:
17601 might_sleep();
17602 }
17603
17604 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
17605 + if (pax_handle_pageexec_fault(regs, mm, address, error_code))
17606 + return;
17607 +#endif
17608 +
17609 vma = find_vma(mm, address);
17610 if (unlikely(!vma)) {
17611 bad_area(regs, error_code, address);
17612 @@ -1092,18 +1347,24 @@ retry:
17613 bad_area(regs, error_code, address);
17614 return;
17615 }
17616 - if (error_code & PF_USER) {
17617 - /*
17618 - * Accessing the stack below %sp is always a bug.
17619 - * The large cushion allows instructions like enter
17620 - * and pusha to work. ("enter $65535, $31" pushes
17621 - * 32 pointers and then decrements %sp by 65535.)
17622 - */
17623 - if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
17624 - bad_area(regs, error_code, address);
17625 - return;
17626 - }
17627 + /*
17628 + * Accessing the stack below %sp is always a bug.
17629 + * The large cushion allows instructions like enter
17630 + * and pusha to work. ("enter $65535, $31" pushes
17631 + * 32 pointers and then decrements %sp by 65535.)
17632 + */
17633 + if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
17634 + bad_area(regs, error_code, address);
17635 + return;
17636 }
17637 +
17638 +#ifdef CONFIG_PAX_SEGMEXEC
17639 + if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
17640 + bad_area(regs, error_code, address);
17641 + return;
17642 + }
17643 +#endif
17644 +
17645 if (unlikely(expand_stack(vma, address))) {
17646 bad_area(regs, error_code, address);
17647 return;
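Review bot: The below-`%sp` stack check is no longer guarded by `error_code & PF_USER` and now compares against `task_pt_regs(tsk)->sp` instead of `regs->sp`, so it also applies to kernel-mode faults made on the user's behalf, yet the surviving comment still describes only the user-mode case. Add a sentence such as `/* Also covers kernel-mode accesses (presumably uaccess) below the user stack pointer, hence task_pt_regs() rather than regs */`. The `CONFIG_PAX_SEGMEXEC` test `vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1` relies on unsigned wrap-around to fold two range checks into one comparison and deserves a comment saying so. The enclosing `retry:` block continues on both sides of the hunk.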
17648 @@ -1158,3 +1419,199 @@ good_area:
17649
17650 up_read(&mm->mmap_sem);
17651 }
17652 +
17653 +#ifdef CONFIG_PAX_EMUTRAMP
17654 +static int pax_handle_fetch_fault_32(struct pt_regs *regs)
17655 +{
17656 + int err;
17657 +
17658 + do { /* PaX: gcc trampoline emulation #1 */
17659 + unsigned char mov1, mov2;
17660 + unsigned short jmp;
17661 + unsigned int addr1, addr2;
17662 +
17663 +#ifdef CONFIG_X86_64
17664 + if ((regs->ip + 11) >> 32)
17665 + break;
17666 +#endif
17667 +
17668 + err = get_user(mov1, (unsigned char __user *)regs->ip);
17669 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
17670 + err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5));
17671 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
17672 + err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10));
17673 +
17674 + if (err)
17675 + break;
17676 +
17677 + if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
17678 + regs->cx = addr1;
17679 + regs->ax = addr2;
17680 + regs->ip = addr2;
17681 + return 2;
17682 + }
17683 + } while (0);
17684 +
17685 + do { /* PaX: gcc trampoline emulation #2 */
17686 + unsigned char mov, jmp;
17687 + unsigned int addr1, addr2;
17688 +
17689 +#ifdef CONFIG_X86_64
17690 + if ((regs->ip + 9) >> 32)
17691 + break;
17692 +#endif
17693 +
17694 + err = get_user(mov, (unsigned char __user *)regs->ip);
17695 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
17696 + err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
17697 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
17698 +
17699 + if (err)
17700 + break;
17701 +
17702 + if (mov == 0xB9 && jmp == 0xE9) {
17703 + regs->cx = addr1;
17704 + regs->ip = (unsigned int)(regs->ip + addr2 + 10);
17705 + return 2;
17706 + }
17707 + } while (0);
17708 +
17709 + return 1; /* PaX in action */
17710 +}
17711 +
17712 +#ifdef CONFIG_X86_64
17713 +static int pax_handle_fetch_fault_64(struct pt_regs *regs)
17714 +{
17715 + int err;
17716 +
17717 + do { /* PaX: gcc trampoline emulation #1 */
17718 + unsigned short mov1, mov2, jmp1;
17719 + unsigned char jmp2;
17720 + unsigned int addr1;
17721 + unsigned long addr2;
17722 +
17723 + err = get_user(mov1, (unsigned short __user *)regs->ip);
17724 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2));
17725 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6));
17726 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8));
17727 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16));
17728 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18));
17729 +
17730 + if (err)
17731 + break;
17732 +
17733 + if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
17734 + regs->r11 = addr1;
17735 + regs->r10 = addr2;
17736 + regs->ip = addr1;
17737 + return 2;
17738 + }
17739 + } while (0);
17740 +
17741 + do { /* PaX: gcc trampoline emulation #2 */
17742 + unsigned short mov1, mov2, jmp1;
17743 + unsigned char jmp2;
17744 + unsigned long addr1, addr2;
17745 +
17746 + err = get_user(mov1, (unsigned short __user *)regs->ip);
17747 + err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
17748 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
17749 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
17750 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20));
17751 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22));
17752 +
17753 + if (err)
17754 + break;
17755 +
17756 + if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
17757 + regs->r11 = addr1;
17758 + regs->r10 = addr2;
17759 + regs->ip = addr1;
17760 + return 2;
17761 + }
17762 + } while (0);
17763 +
17764 + return 1; /* PaX in action */
17765 +}
17766 +#endif
17767 +
17768 +/*
17769 + * PaX: decide what to do with offenders (regs->ip = fault address)
17770 + *
17771 + * returns 1 when task should be killed
17772 + * 2 when gcc trampoline was detected
17773 + */
17774 +static int pax_handle_fetch_fault(struct pt_regs *regs)
17775 +{
17776 + if (v8086_mode(regs))
17777 + return 1;
17778 +
17779 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
17780 + return 1;
17781 +
17782 +#ifdef CONFIG_X86_32
17783 + return pax_handle_fetch_fault_32(regs);
17784 +#else
17785 + if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
17786 + return pax_handle_fetch_fault_32(regs);
17787 + else
17788 + return pax_handle_fetch_fault_64(regs);
17789 +#endif
17790 +}
17791 +#endif
17792 +
17793 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
17794 +void pax_report_insns(void *pc, void *sp)
17795 +{
17796 + long i;
17797 +
17798 + printk(KERN_ERR "PAX: bytes at PC: ");
17799 + for (i = 0; i < 20; i++) {
17800 + unsigned char c;
17801 + if (get_user(c, (__force unsigned char __user *)pc+i))
17802 + printk(KERN_CONT "?? ");
17803 + else
17804 + printk(KERN_CONT "%02x ", c);
17805 + }
17806 + printk("\n");
17807 +
17808 + printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
17809 + for (i = -1; i < 80 / (long)sizeof(long); i++) {
17810 + unsigned long c;
17811 + if (get_user(c, (__force unsigned long __user *)sp+i))
17812 +#ifdef CONFIG_X86_32
17813 + printk(KERN_CONT "???????? ");
17814 +#else
17815 + printk(KERN_CONT "???????????????? ");
17816 +#endif
17817 + else
17818 + printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c);
17819 + }
17820 + printk("\n");
17821 +}
17822 +#endif
17823 +
17824 +/**
17825 + * probe_kernel_write(): safely attempt to write to a location
17826 + * @dst: address to write to
17827 + * @src: pointer to the data that shall be written
17828 + * @size: size of the data chunk
17829 + *
17830 + * Safely write to address @dst from the buffer at @src. If a kernel fault
17831 + * happens, handle that and return -EFAULT.
17832 + */
17833 +long notrace probe_kernel_write(void *dst, const void *src, size_t size)
17834 +{
17835 + long ret;
17836 + mm_segment_t old_fs = get_fs();
17837 +
17838 + set_fs(KERNEL_DS);
17839 + pagefault_disable();
17840 + pax_open_kernel();
17841 + ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
17842 + pax_close_kernel();
17843 + pagefault_enable();
17844 + set_fs(old_fs);
17845 +
17846 + return ret ? -EFAULT : 0;
17847 +}
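Review bot: The trampoline matchers in pax_handle_fetch_fault_32 and pax_handle_fetch_fault_64 compare raw opcode bytes (`0xB9`, `0xB8`, `0xE0FF`, `0xBB41`, `0xE3`, …) with nothing but "gcc trampoline emulation #1/#2" as explanation, so a reader cannot verify the fetch offsets or the register writes without decoding x86 by hand. Each `do { … } while (0)` block should name the sequence it recognises, e.g. for the first 32-bit pattern `/* mov $addr1, %ecx; mov $addr2, %eax; jmp *%eax */` and for the second `/* mov $addr1, %ecx; jmp rel32 (target = ip + 10 + addr2) */`, with the 64-bit forms noted as loading %r11/%r10 and ending in `jmp *%r11` (`49 FF E3`). The `(regs->ip + 11) >> 32` / `(regs->ip + 9) >> 32` guards deserve a one-liner saying they keep every get_user() fetch inside the 32-bit address space for compat tasks. In probe_kernel_write, a comment that pax_open_kernel()/pax_close_kernel() bracket exactly the copy (presumably because @dst may lie in write-protected kernel memory) would make the required ordering with pagefault_disable() and set_fs() explicit.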
17848 diff -urNp linux-2.6.37/arch/x86/mm/gup.c linux-2.6.37/arch/x86/mm/gup.c
17849 --- linux-2.6.37/arch/x86/mm/gup.c 2011-01-04 19:50:19.000000000 -0500
17850 +++ linux-2.6.37/arch/x86/mm/gup.c 2011-01-17 02:41:01.000000000 -0500
17851 @@ -237,7 +237,7 @@ int __get_user_pages_fast(unsigned long
17852 addr = start;
17853 len = (unsigned long) nr_pages << PAGE_SHIFT;
17854 end = start + len;
17855 - if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
17856 + if (unlikely(!__access_ok(write ? VERIFY_WRITE : VERIFY_READ,
17857 (void __user *)start, len)))
17858 return 0;
17859
17860 diff -urNp linux-2.6.37/arch/x86/mm/highmem_32.c linux-2.6.37/arch/x86/mm/highmem_32.c
17861 --- linux-2.6.37/arch/x86/mm/highmem_32.c 2011-01-04 19:50:19.000000000 -0500
17862 +++ linux-2.6.37/arch/x86/mm/highmem_32.c 2011-01-17 02:41:01.000000000 -0500
17863 @@ -44,7 +44,10 @@ void *kmap_atomic_prot(struct page *page
17864 idx = type + KM_TYPE_NR*smp_processor_id();
17865 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
17866 BUG_ON(!pte_none(*(kmap_pte-idx)));
17867 +
17868 + pax_open_kernel();
17869 set_pte(kmap_pte-idx, mk_pte(page, prot));
17870 + pax_close_kernel();
17871
17872 return (void *)vaddr;
17873 }
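Review bot: The pax_open_kernel()/pax_close_kernel() pair added around set_pte() carries no comment saying why a kmap PTE store needs it; the same bare pair appears in the iomap_32.c kmap_atomic_prot_pfn hunk and the init_64.c set_pte_vaddr_pud hunk later in this patch. Presumably kmap_pte lives in page tables that the patch makes read-only elsewhere (compare bm_pte gaining `__read_only` in ioremap.c), but that is not visible in any of the three hunks. A one-line comment at this first site, `/* NOTE: kmap_pte is expected to be write-protected (PAX_KERNEXEC); keep the open/close window to this single store */`, would document the invariant and warn against putting anything else inside the window.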
17874 diff -urNp linux-2.6.37/arch/x86/mm/hugetlbpage.c linux-2.6.37/arch/x86/mm/hugetlbpage.c
17875 --- linux-2.6.37/arch/x86/mm/hugetlbpage.c 2011-01-04 19:50:19.000000000 -0500
17876 +++ linux-2.6.37/arch/x86/mm/hugetlbpage.c 2011-01-17 02:41:01.000000000 -0500
17877 @@ -266,13 +266,20 @@ static unsigned long hugetlb_get_unmappe
17878 struct hstate *h = hstate_file(file);
17879 struct mm_struct *mm = current->mm;
17880 struct vm_area_struct *vma;
17881 - unsigned long start_addr;
17882 + unsigned long start_addr, pax_task_size = TASK_SIZE;
17883 +
17884 +#ifdef CONFIG_PAX_SEGMEXEC
17885 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
17886 + pax_task_size = SEGMEXEC_TASK_SIZE;
17887 +#endif
17888 +
17889 + pax_task_size -= PAGE_SIZE;
17890
17891 if (len > mm->cached_hole_size) {
17892 - start_addr = mm->free_area_cache;
17893 + start_addr = mm->free_area_cache;
17894 } else {
17895 - start_addr = TASK_UNMAPPED_BASE;
17896 - mm->cached_hole_size = 0;
17897 + start_addr = mm->mmap_base;
17898 + mm->cached_hole_size = 0;
17899 }
17900
17901 full_search:
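Review bot: `pax_task_size -= PAGE_SIZE;` at the top of hugetlb_get_unmapped_area_bottomup has no comment explaining why one page is shaved off the top of the usable address space, and the identical unexplained line is repeated in hugetlb_get_unmapped_area (hunk `@@ -399,10 +405,19 @@` in this file). A comment such as `/* keep the top page of the (SEGMEXEC-aware) task size unmapped — presumably a guard page; confirm */`, or better a small helper used by both call sites, would stop the two copies drifting apart.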
17902 @@ -280,26 +287,27 @@ full_search:
17903
17904 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
17905 /* At this point: (!vma || addr < vma->vm_end). */
17906 - if (TASK_SIZE - len < addr) {
17907 + if (pax_task_size - len < addr) {
17908 /*
17909 * Start a new search - just in case we missed
17910 * some holes.
17911 */
17912 - if (start_addr != TASK_UNMAPPED_BASE) {
17913 - start_addr = TASK_UNMAPPED_BASE;
17914 + if (start_addr != mm->mmap_base) {
17915 + start_addr = mm->mmap_base;
17916 mm->cached_hole_size = 0;
17917 goto full_search;
17918 }
17919 return -ENOMEM;
17920 }
17921 - if (!vma || addr + len <= vma->vm_start) {
17922 - mm->free_area_cache = addr + len;
17923 - return addr;
17924 - }
17925 + if (check_heap_stack_gap(vma, addr, len))
17926 + break;
17927 if (addr + mm->cached_hole_size < vma->vm_start)
17928 mm->cached_hole_size = vma->vm_start - addr;
17929 addr = ALIGN(vma->vm_end, huge_page_size(h));
17930 }
17931 +
17932 + mm->free_area_cache = addr + len;
17933 + return addr;
17934 }
17935
17936 static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
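Review bot: The bottom-up loop now relies on check_heap_stack_gap() returning true for a NULL vma: the removed test `if (!vma || addr + len <= vma->vm_start)` handled end-of-list explicitly, whereas the new code falls through to `vma->vm_start` and `vma->vm_end` when the check fails. The same dependency appears in hugetlb_get_unmapped_area_topdown (hunk `@@ -329,33 +336,27 @@`), where `find_vma()` replaces the early-returning `find_vma_prev()` and `vma->vm_end` is read after a failed check. If check_heap_stack_gap() (defined outside this file) does treat NULL as "fits", a comment at this first call, `/* check_heap_stack_gap() returns true for vma == NULL, so the derefs below are safe */`, would pin that contract; if it does not, the loop needs an explicit `if (!vma) break;` before the dereferences.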
17937 @@ -308,10 +316,9 @@ static unsigned long hugetlb_get_unmappe
17938 {
17939 struct hstate *h = hstate_file(file);
17940 struct mm_struct *mm = current->mm;
17941 - struct vm_area_struct *vma, *prev_vma;
17942 - unsigned long base = mm->mmap_base, addr = addr0;
17943 + struct vm_area_struct *vma;
17944 + unsigned long base = mm->mmap_base, addr;
17945 unsigned long largest_hole = mm->cached_hole_size;
17946 - int first_time = 1;
17947
17948 /* don't allow allocations above current base */
17949 if (mm->free_area_cache > base)
17950 @@ -321,7 +328,7 @@ static unsigned long hugetlb_get_unmappe
17951 largest_hole = 0;
17952 mm->free_area_cache = base;
17953 }
17954 -try_again:
17955 +
17956 /* make sure it can fit in the remaining address space */
17957 if (mm->free_area_cache < len)
17958 goto fail;
17959 @@ -329,33 +336,27 @@ try_again:
17960 /* either no address requested or cant fit in requested address hole */
17961 addr = (mm->free_area_cache - len) & huge_page_mask(h);
17962 do {
17963 + vma = find_vma(mm, addr);
17964 /*
17965 * Lookup failure means no vma is above this address,
17966 * i.e. return with success:
17967 - */
17968 - if (!(vma = find_vma_prev(mm, addr, &prev_vma)))
17969 - return addr;
17970 -
17971 - /*
17972 * new region fits between prev_vma->vm_end and
17973 * vma->vm_start, use it:
17974 */
17975 - if (addr + len <= vma->vm_start &&
17976 - (!prev_vma || (addr >= prev_vma->vm_end))) {
17977 + if (check_heap_stack_gap(vma, addr, len)) {
17978 /* remember the address as a hint for next time */
17979 - mm->cached_hole_size = largest_hole;
17980 - return (mm->free_area_cache = addr);
17981 - } else {
17982 - /* pull free_area_cache down to the first hole */
17983 - if (mm->free_area_cache == vma->vm_end) {
17984 - mm->free_area_cache = vma->vm_start;
17985 - mm->cached_hole_size = largest_hole;
17986 - }
17987 + mm->cached_hole_size = largest_hole;
17988 + return (mm->free_area_cache = addr);
17989 + }
17990 + /* pull free_area_cache down to the first hole */
17991 + if (mm->free_area_cache == vma->vm_end) {
17992 + mm->free_area_cache = vma->vm_start;
17993 + mm->cached_hole_size = largest_hole;
17994 }
17995
17996 /* remember the largest hole we saw so far */
17997 if (addr + largest_hole < vma->vm_start)
17998 - largest_hole = vma->vm_start - addr;
17999 + largest_hole = vma->vm_start - addr;
18000
18001 /* try just below the current vma->vm_start */
18002 addr = (vma->vm_start - len) & huge_page_mask(h);
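Review bot: The comment kept at the top of the do-loop is now stale: it still reads "Lookup failure means no vma is above this address, i.e. return with success:" fused into "new region fits between prev_vma->vm_end and vma->vm_start", but the early return on lookup failure was removed and `prev_vma` no longer exists (it was dropped from the declarations in the `@@ -308,10 +316,9 @@` hunk). Rewrite it to describe the new condition, e.g. `/* new region fits below vma->vm_start with the required gap, use it: */`, and drop the "Lookup failure" sentence.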
18003 @@ -363,22 +364,26 @@ try_again:
18004
18005 fail:
18006 /*
18007 - * if hint left us with no space for the requested
18008 - * mapping then try again:
18009 - */
18010 - if (first_time) {
18011 - mm->free_area_cache = base;
18012 - largest_hole = 0;
18013 - first_time = 0;
18014 - goto try_again;
18015 - }
18016 - /*
18017 * A failed mmap() very likely causes application failure,
18018 * so fall back to the bottom-up function here. This scenario
18019 * can happen with large stack limits and large mmap()
18020 * allocations.
18021 */
18022 - mm->free_area_cache = TASK_UNMAPPED_BASE;
18023 +
18024 +#ifdef CONFIG_PAX_SEGMEXEC
18025 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18026 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
18027 + else
18028 +#endif
18029 +
18030 + mm->mmap_base = TASK_UNMAPPED_BASE;
18031 +
18032 +#ifdef CONFIG_PAX_RANDMMAP
18033 + if (mm->pax_flags & MF_PAX_RANDMMAP)
18034 + mm->mmap_base += mm->delta_mmap;
18035 +#endif
18036 +
18037 + mm->free_area_cache = mm->mmap_base;
18038 mm->cached_hole_size = ~0UL;
18039 addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
18040 len, pgoff, flags);
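Review bot: In the `fail:` path mm->mmap_base is overwritten with the (optionally randomised) bottom-up base before hugetlb_get_unmapped_area_bottomup() is called, and only restored by the `mm->mmap_base = base;` line added in the next hunk; nothing at the overwrite says it is temporary. A comment such as `/* temporarily point mmap_base at the bottom-up base for the fallback; restored below */` would make the pairing explicit. The `#ifdef CONFIG_PAX_SEGMEXEC … else` / `#endif` / blank line / `mm->mmap_base = TASK_UNMAPPED_BASE;` layout, where the `else` is separated from its statement by a preprocessor line and a blank line, is fragile; computing the base into a local under the `#ifdef` and assigning once would be clearer. Dropping the `first_time` retry also changes behaviour (one fewer top-down pass before falling back), which deserves a sentence in the existing comment.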
18041 @@ -386,6 +391,7 @@ fail:
18042 /*
18043 * Restore the topdown base:
18044 */
18045 + mm->mmap_base = base;
18046 mm->free_area_cache = base;
18047 mm->cached_hole_size = ~0UL;
18048
18049 @@ -399,10 +405,19 @@ hugetlb_get_unmapped_area(struct file *f
18050 struct hstate *h = hstate_file(file);
18051 struct mm_struct *mm = current->mm;
18052 struct vm_area_struct *vma;
18053 + unsigned long pax_task_size = TASK_SIZE;
18054
18055 if (len & ~huge_page_mask(h))
18056 return -EINVAL;
18057 - if (len > TASK_SIZE)
18058 +
18059 +#ifdef CONFIG_PAX_SEGMEXEC
18060 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18061 + pax_task_size = SEGMEXEC_TASK_SIZE;
18062 +#endif
18063 +
18064 + pax_task_size -= PAGE_SIZE;
18065 +
18066 + if (len > pax_task_size)
18067 return -ENOMEM;
18068
18069 if (flags & MAP_FIXED) {
18070 @@ -414,8 +429,7 @@ hugetlb_get_unmapped_area(struct file *f
18071 if (addr) {
18072 addr = ALIGN(addr, huge_page_size(h));
18073 vma = find_vma(mm, addr);
18074 - if (TASK_SIZE - len >= addr &&
18075 - (!vma || addr + len <= vma->vm_start))
18076 + if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
18077 return addr;
18078 }
18079 if (mm->get_unmapped_area == arch_get_unmapped_area)
18080 diff -urNp linux-2.6.37/arch/x86/mm/init_32.c linux-2.6.37/arch/x86/mm/init_32.c
18081 --- linux-2.6.37/arch/x86/mm/init_32.c 2011-01-04 19:50:19.000000000 -0500
18082 +++ linux-2.6.37/arch/x86/mm/init_32.c 2011-01-17 02:41:01.000000000 -0500
18083 @@ -73,36 +73,6 @@ static __init void *alloc_low_page(void)
18084 }
18085
18086 /*
18087 - * Creates a middle page table and puts a pointer to it in the
18088 - * given global directory entry. This only returns the gd entry
18089 - * in non-PAE compilation mode, since the middle layer is folded.
18090 - */
18091 -static pmd_t * __init one_md_table_init(pgd_t *pgd)
18092 -{
18093 - pud_t *pud;
18094 - pmd_t *pmd_table;
18095 -
18096 -#ifdef CONFIG_X86_PAE
18097 - if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
18098 - if (after_bootmem)
18099 - pmd_table = (pmd_t *)alloc_bootmem_pages(PAGE_SIZE);
18100 - else
18101 - pmd_table = (pmd_t *)alloc_low_page();
18102 - paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT);
18103 - set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
18104 - pud = pud_offset(pgd, 0);
18105 - BUG_ON(pmd_table != pmd_offset(pud, 0));
18106 -
18107 - return pmd_table;
18108 - }
18109 -#endif
18110 - pud = pud_offset(pgd, 0);
18111 - pmd_table = pmd_offset(pud, 0);
18112 -
18113 - return pmd_table;
18114 -}
18115 -
18116 -/*
18117 * Create a page table and place a pointer to it in a middle page
18118 * directory entry:
18119 */
18120 @@ -122,13 +92,28 @@ static pte_t * __init one_page_table_ini
18121 page_table = (pte_t *)alloc_low_page();
18122
18123 paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT);
18124 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
18125 + set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
18126 +#else
18127 set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
18128 +#endif
18129 BUG_ON(page_table != pte_offset_kernel(pmd, 0));
18130 }
18131
18132 return pte_offset_kernel(pmd, 0);
18133 }
18134
18135 +static pmd_t * __init one_md_table_init(pgd_t *pgd)
18136 +{
18137 + pud_t *pud;
18138 + pmd_t *pmd_table;
18139 +
18140 + pud = pud_offset(pgd, 0);
18141 + pmd_table = pmd_offset(pud, 0);
18142 +
18143 + return pmd_table;
18144 +}
18145 +
18146 pmd_t * __init populate_extra_pmd(unsigned long vaddr)
18147 {
18148 int pgd_idx = pgd_index(vaddr);
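Review bot: The re-added one_md_table_init() drops the `CONFIG_X86_PAE` branch that allocated a pmd table when the pgd entry was not present, so it now assumes every pgd entry it is handed is already populated; that invariant is not stated, and its remaining caller (populate_extra_pmd, starting on the last context line) is outside the hunk. A comment such as `/* NOTE: assumes PAE pmd tables are pre-populated — pmd allocation now happens in the callers */` would capture it. The `_KERNPG_TABLE` branch in one_page_table_init deserves a one-liner that it clears `_PAGE_USER` from kernel page-table entries under PAGEEXEC/SEGMEXEC, since `_PAGE_TABLE` and `_KERNPG_TABLE` differ only in that bit.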
18149 @@ -202,6 +187,7 @@ page_table_range_init(unsigned long star
18150 int pgd_idx, pmd_idx;
18151 unsigned long vaddr;
18152 pgd_t *pgd;
18153 + pud_t *pud;
18154 pmd_t *pmd;
18155 pte_t *pte = NULL;
18156
18157 @@ -211,8 +197,13 @@ page_table_range_init(unsigned long star
18158 pgd = pgd_base + pgd_idx;
18159
18160 for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
18161 - pmd = one_md_table_init(pgd);
18162 - pmd = pmd + pmd_index(vaddr);
18163 + pud = pud_offset(pgd, vaddr);
18164 + pmd = pmd_offset(pud, vaddr);
18165 +
18166 +#ifdef CONFIG_X86_PAE
18167 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
18168 +#endif
18169 +
18170 for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
18171 pmd++, pmd_idx++) {
18172 pte = page_table_kmap_check(one_page_table_init(pmd),
18173 @@ -224,11 +215,20 @@ page_table_range_init(unsigned long star
18174 }
18175 }
18176
18177 -static inline int is_kernel_text(unsigned long addr)
18178 +static inline int is_kernel_text(unsigned long start, unsigned long end)
18179 {
18180 - if (addr >= PAGE_OFFSET && addr <= (unsigned long)__init_end)
18181 - return 1;
18182 - return 0;
18183 + if ((start > ktla_ktva((unsigned long)_etext) ||
18184 + end <= ktla_ktva((unsigned long)_stext)) &&
18185 + (start > ktla_ktva((unsigned long)_einittext) ||
18186 + end <= ktla_ktva((unsigned long)_sinittext)) &&
18187 +
18188 +#ifdef CONFIG_ACPI_SLEEP
18189 + (start > (unsigned long)__va(acpi_wakeup_address) + 0x4000 || end <= (unsigned long)__va(acpi_wakeup_address)) &&
18190 +#endif
18191 +
18192 + (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
18193 + return 0;
18194 + return 1;
18195 }
18196
18197 /*
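Review bot: The range test in is_kernel_text() is off by one at the text end symbols: for half-open ranges `[start, end)` and `[_stext, _etext)`, "no overlap" is `start >= _etext || end <= _stext`, but the code uses `start > ktla_ktva((unsigned long)_etext)`, and likewise for `_einittext` and the `acpi_wakeup_address + 0x4000` bound. The effect is that a region starting exactly at _etext (or _einittext) is treated as text and mapped PAGE_KERNEL_LARGE_EXEC/PAGE_KERNEL_EXEC, which matters once the callers pass `address + PMD_SIZE` and _etext happens to land on a 2M boundary. Change those comparisons to `start >= ktla_ktva((unsigned long)_etext)` and `start >= ktla_ktva((unsigned long)_einittext)` (and `>=` on the ACPI upper bound); the `__va(0xfffff)` bound is an inclusive end, so `>` is correct there. The double negation (`if (no overlap with anything) return 0; return 1;`) would read better as a positive overlap test, and the hard-coded `0xc0000`/`0xfffff` should carry a comment naming what they cover (presumably the legacy BIOS/option-ROM window).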
18198 @@ -245,9 +245,10 @@ kernel_physical_mapping_init(unsigned lo
18199 unsigned long last_map_addr = end;
18200 unsigned long start_pfn, end_pfn;
18201 pgd_t *pgd_base = swapper_pg_dir;
18202 - int pgd_idx, pmd_idx, pte_ofs;
18203 + unsigned int pgd_idx, pmd_idx, pte_ofs;
18204 unsigned long pfn;
18205 pgd_t *pgd;
18206 + pud_t *pud;
18207 pmd_t *pmd;
18208 pte_t *pte;
18209 unsigned pages_2m, pages_4k;
18210 @@ -280,8 +281,13 @@ repeat:
18211 pfn = start_pfn;
18212 pgd_idx = pgd_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
18213 pgd = pgd_base + pgd_idx;
18214 - for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
18215 - pmd = one_md_table_init(pgd);
18216 + for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
18217 + pud = pud_offset(pgd, 0);
18218 + pmd = pmd_offset(pud, 0);
18219 +
18220 +#ifdef CONFIG_X86_PAE
18221 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
18222 +#endif
18223
18224 if (pfn >= end_pfn)
18225 continue;
18226 @@ -293,14 +299,13 @@ repeat:
18227 #endif
18228 for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn;
18229 pmd++, pmd_idx++) {
18230 - unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET;
18231 + unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
18232
18233 /*
18234 * Map with big pages if possible, otherwise
18235 * create normal page tables:
18236 */
18237 if (use_pse) {
18238 - unsigned int addr2;
18239 pgprot_t prot = PAGE_KERNEL_LARGE;
18240 /*
18241 * first pass will use the same initial
18242 @@ -310,11 +315,7 @@ repeat:
18243 __pgprot(PTE_IDENT_ATTR |
18244 _PAGE_PSE);
18245
18246 - addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE +
18247 - PAGE_OFFSET + PAGE_SIZE-1;
18248 -
18249 - if (is_kernel_text(addr) ||
18250 - is_kernel_text(addr2))
18251 + if (is_kernel_text(address, address + PMD_SIZE))
18252 prot = PAGE_KERNEL_LARGE_EXEC;
18253
18254 pages_2m++;
18255 @@ -331,7 +332,7 @@ repeat:
18256 pte_ofs = pte_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
18257 pte += pte_ofs;
18258 for (; pte_ofs < PTRS_PER_PTE && pfn < end_pfn;
18259 - pte++, pfn++, pte_ofs++, addr += PAGE_SIZE) {
18260 + pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
18261 pgprot_t prot = PAGE_KERNEL;
18262 /*
18263 * first pass will use the same initial
18264 @@ -339,7 +340,7 @@ repeat:
18265 */
18266 pgprot_t init_prot = __pgprot(PTE_IDENT_ATTR);
18267
18268 - if (is_kernel_text(addr))
18269 + if (is_kernel_text(address, address + PAGE_SIZE))
18270 prot = PAGE_KERNEL_EXEC;
18271
18272 pages_4k++;
18273 @@ -471,7 +472,7 @@ void __init native_pagetable_setup_start
18274
18275 pud = pud_offset(pgd, va);
18276 pmd = pmd_offset(pud, va);
18277 - if (!pmd_present(*pmd))
18278 + if (!pmd_present(*pmd) || pmd_huge(*pmd))
18279 break;
18280
18281 pte = pte_offset_kernel(pmd, va);
18282 @@ -523,12 +524,10 @@ void __init early_ioremap_page_table_ran
18283
18284 static void __init pagetable_init(void)
18285 {
18286 - pgd_t *pgd_base = swapper_pg_dir;
18287 -
18288 - permanent_kmaps_init(pgd_base);
18289 + permanent_kmaps_init(swapper_pg_dir);
18290 }
18291
18292 -pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
18293 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
18294 EXPORT_SYMBOL_GPL(__supported_pte_mask);
18295
18296 /* user-defined highmem size */
18297 @@ -753,6 +752,12 @@ void __init mem_init(void)
18298
18299 pci_iommu_alloc();
18300
18301 +#ifdef CONFIG_PAX_PER_CPU_PGD
18302 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
18303 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
18304 + KERNEL_PGD_PTRS);
18305 +#endif
18306 +
18307 #ifdef CONFIG_FLATMEM
18308 BUG_ON(!mem_map);
18309 #endif
18310 @@ -770,7 +775,7 @@ void __init mem_init(void)
18311 set_highmem_pages_init();
18312
18313 codesize = (unsigned long) &_etext - (unsigned long) &_text;
18314 - datasize = (unsigned long) &_edata - (unsigned long) &_etext;
18315 + datasize = (unsigned long) &_edata - (unsigned long) &_sdata;
18316 initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
18317
18318 printk(KERN_INFO "Memory: %luk/%luk available (%dk kernel code, "
18319 @@ -811,10 +816,10 @@ void __init mem_init(void)
18320 ((unsigned long)&__init_end -
18321 (unsigned long)&__init_begin) >> 10,
18322
18323 - (unsigned long)&_etext, (unsigned long)&_edata,
18324 - ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
18325 + (unsigned long)&_sdata, (unsigned long)&_edata,
18326 + ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10,
18327
18328 - (unsigned long)&_text, (unsigned long)&_etext,
18329 + ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
18330 ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
18331
18332 /*
18333 @@ -892,6 +897,7 @@ void set_kernel_text_rw(void)
18334 if (!kernel_set_to_readonly)
18335 return;
18336
18337 + start = ktla_ktva(start);
18338 pr_debug("Set kernel text: %lx - %lx for read write\n",
18339 start, start+size);
18340
18341 @@ -906,6 +912,7 @@ void set_kernel_text_ro(void)
18342 if (!kernel_set_to_readonly)
18343 return;
18344
18345 + start = ktla_ktva(start);
18346 pr_debug("Set kernel text: %lx - %lx for read only\n",
18347 start, start+size);
18348
18349 @@ -917,6 +924,7 @@ void mark_rodata_ro(void)
18350 unsigned long start = PFN_ALIGN(_text);
18351 unsigned long size = PFN_ALIGN(_etext) - start;
18352
18353 + start = ktla_ktva(start);
18354 set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
18355 printk(KERN_INFO "Write protecting the kernel text: %luk\n",
18356 size >> 10);
18357 diff -urNp linux-2.6.37/arch/x86/mm/init_64.c linux-2.6.37/arch/x86/mm/init_64.c
18358 --- linux-2.6.37/arch/x86/mm/init_64.c 2011-01-04 19:50:19.000000000 -0500
18359 +++ linux-2.6.37/arch/x86/mm/init_64.c 2011-01-17 02:41:01.000000000 -0500
18360 @@ -72,7 +72,7 @@ early_param("gbpages", parse_direct_gbpa
18361 * around without checking the pgd every time.
18362 */
18363
18364 -pteval_t __supported_pte_mask __read_mostly = ~_PAGE_IOMAP;
18365 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_IOMAP);
18366 EXPORT_SYMBOL_GPL(__supported_pte_mask);
18367
18368 int force_personality32;
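Review bot: `__supported_pte_mask` now starts with `_PAGE_NX` cleared, matching the 32-bit default in init_32.c, and becomes `__read_only`; whether NX is later re-enabled depends on code outside this hunk (presumably x86_configure_nx() adding `_PAGE_NX` back when the CPU supports it), and that write must happen before the object is sealed. A comment on the definition, `/* _PAGE_NX is opted in later (x86_configure_nx) — that must run before this object is made read-only */`, would state both dependencies.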
18369 @@ -106,12 +106,22 @@ void sync_global_pgds(unsigned long star
18370 for (address = start; address <= end; address += PGDIR_SIZE) {
18371 const pgd_t *pgd_ref = pgd_offset_k(address);
18372 unsigned long flags;
18373 +
18374 +#ifdef CONFIG_PAX_PER_CPU_PGD
18375 + unsigned long cpu;
18376 +#else
18377 struct page *page;
18378 +#endif
18379
18380 if (pgd_none(*pgd_ref))
18381 continue;
18382
18383 spin_lock_irqsave(&pgd_lock, flags);
18384 +
18385 +#ifdef CONFIG_PAX_PER_CPU_PGD
18386 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
18387 + pgd_t *pgd = pgd_offset_cpu(cpu, address);
18388 +#else
18389 list_for_each_entry(page, &pgd_list, lru) {
18390 pgd_t *pgd;
18391 spinlock_t *pgt_lock;
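Review bot: The `#ifdef CONFIG_PAX_PER_CPU_PGD` `for (cpu = 0; cpu < NR_CPUS; ++cpu) {` and the `#else` `list_for_each_entry(page, &pgd_list, lru) {` open a brace in different preprocessor branches that is closed by a single `}` after the `#ifndef CONFIG_PAX_PER_CPU_PGD spin_unlock(pgt_lock); #endif` block in the third hunk of this function; correct, but easy to mis-edit. A comment on that closing brace, `} /* for (cpu) / list_for_each_entry */`, would help. Separately, the per-cpu branch iterates NR_CPUS rather than the possible-CPU set and takes no per-pgd lock, relying solely on pgd_lock; a one-line note that per-cpu pgds are static and never freed (if that is the case) would justify both.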
18392 @@ -119,6 +129,7 @@ void sync_global_pgds(unsigned long star
18393 pgd = (pgd_t *)page_address(page) + pgd_index(address);
18394 pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
18395 spin_lock(pgt_lock);
18396 +#endif
18397
18398 if (pgd_none(*pgd))
18399 set_pgd(pgd, *pgd_ref);
18400 @@ -126,7 +137,10 @@ void sync_global_pgds(unsigned long star
18401 BUG_ON(pgd_page_vaddr(*pgd)
18402 != pgd_page_vaddr(*pgd_ref));
18403
18404 +#ifndef CONFIG_PAX_PER_CPU_PGD
18405 spin_unlock(pgt_lock);
18406 +#endif
18407 +
18408 }
18409 spin_unlock_irqrestore(&pgd_lock, flags);
18410 }
18411 @@ -200,7 +214,9 @@ void set_pte_vaddr_pud(pud_t *pud_page,
18412 pmd = fill_pmd(pud, vaddr);
18413 pte = fill_pte(pmd, vaddr);
18414
18415 + pax_open_kernel();
18416 set_pte(pte, new_pte);
18417 + pax_close_kernel();
18418
18419 /*
18420 * It's enough to flush this one mapping.
18421 @@ -259,14 +275,12 @@ static void __init __init_extra_mapping(
18422 pgd = pgd_offset_k((unsigned long)__va(phys));
18423 if (pgd_none(*pgd)) {
18424 pud = (pud_t *) spp_getpage();
18425 - set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE |
18426 - _PAGE_USER));
18427 + set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));
18428 }
18429 pud = pud_offset(pgd, (unsigned long)__va(phys));
18430 if (pud_none(*pud)) {
18431 pmd = (pmd_t *) spp_getpage();
18432 - set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE |
18433 - _PAGE_USER));
18434 + set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
18435 }
18436 pmd = pmd_offset(pud, phys);
18437 BUG_ON(!pmd_none(*pmd));
18438 @@ -706,6 +720,12 @@ void __init mem_init(void)
18439
18440 pci_iommu_alloc();
18441
18442 +#ifdef CONFIG_PAX_PER_CPU_PGD
18443 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
18444 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
18445 + KERNEL_PGD_PTRS);
18446 +#endif
18447 +
18448 /* clear_bss() already clear the empty_zero_page */
18449
18450 reservedpages = 0;
18451 @@ -866,8 +886,8 @@ int kern_addr_valid(unsigned long addr)
18452 static struct vm_area_struct gate_vma = {
18453 .vm_start = VSYSCALL_START,
18454 .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
18455 - .vm_page_prot = PAGE_READONLY_EXEC,
18456 - .vm_flags = VM_READ | VM_EXEC
18457 + .vm_page_prot = PAGE_READONLY,
18458 + .vm_flags = VM_READ
18459 };
18460
18461 struct vm_area_struct *get_gate_vma(struct task_struct *tsk)
18462 @@ -901,7 +921,7 @@ int in_gate_area_no_task(unsigned long a
18463
18464 const char *arch_vma_name(struct vm_area_struct *vma)
18465 {
18466 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
18467 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
18468 return "[vdso]";
18469 if (vma == &gate_vma)
18470 return "[vsyscall]";
18471 diff -urNp linux-2.6.37/arch/x86/mm/init.c linux-2.6.37/arch/x86/mm/init.c
18472 --- linux-2.6.37/arch/x86/mm/init.c 2011-01-04 19:50:19.000000000 -0500
18473 +++ linux-2.6.37/arch/x86/mm/init.c 2011-01-17 02:41:01.000000000 -0500
18474 @@ -72,11 +72,7 @@ static void __init find_early_table_spac
18475 * cause a hotspot and fill up ZONE_DMA. The page tables
18476 * need roughly 0.5KB per GB.
18477 */
18478 -#ifdef CONFIG_X86_32
18479 - start = 0x7000;
18480 -#else
18481 - start = 0x8000;
18482 -#endif
18483 + start = 0x100000;
18484 base = memblock_find_in_range(start, max_pfn_mapped<<PAGE_SHIFT,
18485 tables, PAGE_SIZE);
18486 if (base == MEMBLOCK_ERROR)
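Review bot: `start = 0x100000;` replaces the per-arch 0x7000/0x8000 values with a bare magic number, and the same boundary appears as `pfn >= 0x100` in the ioremap.c `__ioremap_caller` hunk later in this patch. Both are the 1 MiB ISA boundary that devmem_is_allowed() in this same file already spells as `ISA_END_ADDRESS`, so `start = ISA_END_ADDRESS;` here and `pfn >= (ISA_END_ADDRESS >> PAGE_SHIFT)` there (if that header is visible in ioremap.c) would name the intent. The existing comment only talks about ZONE_DMA hotspots; a sentence on why early page tables are now kept above the first megabyte should be added to it.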
18487 @@ -323,7 +319,13 @@ unsigned long __init_refok init_memory_m
18488 */
18489 int devmem_is_allowed(unsigned long pagenr)
18490 {
18491 - if (pagenr <= 256)
18492 + if (!pagenr)
18493 + return 1;
18494 +#ifdef CONFIG_VM86
18495 + if (pagenr < (ISA_START_ADDRESS >> PAGE_SHIFT))
18496 + return 1;
18497 +#endif
18498 + if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
18499 return 1;
18500 if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
18501 return 0;
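Review bot: The new devmem_is_allowed() allows page 0 unconditionally, pages below ISA_START_ADDRESS only under CONFIG_VM86, and the ISA window up to ISA_END_ADDRESS always, replacing the old `pagenr <= 256`; none of the three tiers has a comment, and page 0 being singled out is not obvious. A short block comment, e.g. `/* page 0: presumably real-mode IVT/BDA; low RAM only for vm86 users; ISA/ROM window always — confirm */`, would document the policy. The old code also admitted page 256 (one past the 1 MiB mark), which the new bounds drop; if that is deliberate it is worth a word.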
18502 @@ -382,6 +384,86 @@ void free_init_pages(char *what, unsigne
18503
18504 void free_initmem(void)
18505 {
18506 +
18507 +#ifdef CONFIG_PAX_KERNEXEC
18508 +#ifdef CONFIG_X86_32
18509 + /* PaX: limit KERNEL_CS to actual size */
18510 + unsigned long addr, limit;
18511 + struct desc_struct d;
18512 + int cpu;
18513 +
18514 + limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
18515 + limit = (limit - 1UL) >> PAGE_SHIFT;
18516 +
18517 + memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
18518 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
18519 + pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
18520 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
18521 + }
18522 +
18523 + /* PaX: make KERNEL_CS read-only */
18524 + addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text));
18525 + if (!paravirt_enabled())
18526 + set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT);
18527 +/*
18528 + for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
18529 + pgd = pgd_offset_k(addr);
18530 + pud = pud_offset(pgd, addr);
18531 + pmd = pmd_offset(pud, addr);
18532 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
18533 + }
18534 +*/
18535 +#ifdef CONFIG_X86_PAE
18536 + set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
18537 +/*
18538 + for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
18539 + pgd = pgd_offset_k(addr);
18540 + pud = pud_offset(pgd, addr);
18541 + pmd = pmd_offset(pud, addr);
18542 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
18543 + }
18544 +*/
18545 +#endif
18546 +
18547 +#ifdef CONFIG_MODULES
18548 + set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
18549 +#endif
18550 +
18551 +#else
18552 + pgd_t *pgd;
18553 + pud_t *pud;
18554 + pmd_t *pmd;
18555 + unsigned long addr, end;
18556 +
18557 + /* PaX: make kernel code/rodata read-only, rest non-executable */
18558 + for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
18559 + pgd = pgd_offset_k(addr);
18560 + pud = pud_offset(pgd, addr);
18561 + pmd = pmd_offset(pud, addr);
18562 + if (!pmd_present(*pmd))
18563 + continue;
18564 + if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
18565 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
18566 + else
18567 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
18568 + }
18569 +
18570 + addr = (unsigned long)__va(__pa(__START_KERNEL_map));
18571 + end = addr + KERNEL_IMAGE_SIZE;
18572 + for (; addr < end; addr += PMD_SIZE) {
18573 + pgd = pgd_offset_k(addr);
18574 + pud = pud_offset(pgd, addr);
18575 + pmd = pmd_offset(pud, addr);
18576 + if (!pmd_present(*pmd))
18577 + continue;
18578 + if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
18579 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
18580 + }
18581 +#endif
18582 +
18583 + flush_tlb_all();
18584 +#endif
18585 +
18586 free_init_pages("unused kernel memory",
18587 (unsigned long)(&__init_begin),
18588 (unsigned long)(&__init_end));
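Review bot: `memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);` passes an integer sum where memset() expects a pointer (if __LOAD_PHYSICAL_ADDR is an integer constant like LOAD_PHYSICAL_ADDR); it needs `(void *)(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET)` and a comment on why that single page is poisoned. The two `/* for (addr = …) { … set_pmd(…) } */` blocks are commented-out code and should be deleted rather than shipped. The `for (cpu = 0; cpu < NR_CPUS; cpu++)` GDT rewrite touches every compile-time CPU slot rather than `for_each_possible_cpu()`, which is fine only if get_cpu_gdt_table() is valid for all NR_CPUS — worth stating. In the 64-bit branch the second loop over the direct-map alias only clears `_PAGE_RW` on text/rodata and, unlike the first loop, does not set NX on the rest; if that asymmetry is intentional it deserves a sentence.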
18589 diff -urNp linux-2.6.37/arch/x86/mm/iomap_32.c linux-2.6.37/arch/x86/mm/iomap_32.c
18590 --- linux-2.6.37/arch/x86/mm/iomap_32.c 2011-01-04 19:50:19.000000000 -0500
18591 +++ linux-2.6.37/arch/x86/mm/iomap_32.c 2011-01-17 02:41:01.000000000 -0500
18592 @@ -64,7 +64,11 @@ void *kmap_atomic_prot_pfn(unsigned long
18593 type = kmap_atomic_idx_push();
18594 idx = type + KM_TYPE_NR * smp_processor_id();
18595 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
18596 +
18597 + pax_open_kernel();
18598 set_pte(kmap_pte - idx, pfn_pte(pfn, prot));
18599 + pax_close_kernel();
18600 +
18601 arch_flush_lazy_mmu_mode();
18602
18603 return (void *)vaddr;
18604 diff -urNp linux-2.6.37/arch/x86/mm/ioremap.c linux-2.6.37/arch/x86/mm/ioremap.c
18605 --- linux-2.6.37/arch/x86/mm/ioremap.c 2011-01-04 19:50:19.000000000 -0500
18606 +++ linux-2.6.37/arch/x86/mm/ioremap.c 2011-01-17 02:41:01.000000000 -0500
18607 @@ -104,7 +104,7 @@ static void __iomem *__ioremap_caller(re
18608 for (pfn = phys_addr >> PAGE_SHIFT; pfn <= last_pfn; pfn++) {
18609 int is_ram = page_is_ram(pfn);
18610
18611 - if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn)))
18612 + if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn))))
18613 return NULL;
18614 WARN_ON_ONCE(is_ram);
18615 }
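Review bot: The new `pfn >= 0x100` term is an undocumented magic number — with 4 KiB pages it is the boundary of the first 1 MiB — and nothing near the condition says what the rule now is. A one-line comment would make the intent checkable: `/* reserved RAM may only be ioremapped below 1 MiB (pfn < 0x100), presumably the legacy BIOS area */`. A named constant next to the function would also avoid the bare literal; the enclosing function starts outside this hunk.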
18616 @@ -344,7 +344,7 @@ static int __init early_ioremap_debug_se
18617 early_param("early_ioremap_debug", early_ioremap_debug_setup);
18618
18619 static __initdata int after_paging_init;
18620 -static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
18621 +static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
18622
18623 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
18624 {
18625 @@ -381,8 +381,7 @@ void __init early_ioremap_init(void)
18626 slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
18627
18628 pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
18629 - memset(bm_pte, 0, sizeof(bm_pte));
18630 - pmd_populate_kernel(&init_mm, pmd, bm_pte);
18631 + pmd_populate_user(&init_mm, pmd, bm_pte);
18632
18633 /*
18634 * The boot-ioremap range spans multiple pmds, for which
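Review bot: The removed `memset(bm_pte, 0, sizeof(bm_pte))` is only redundant because `bm_pte` is static storage with no initializer (now `__read_only __aligned(PAGE_SIZE)` in the earlier hunk of this file) and is therefore zero-filled before any code runs; a future reader may well try to restore it, so a comment at the populate call is worth having: `/* bm_pte is zero-initialised static data, no memset needed */`. The switch from `pmd_populate_kernel()` to `pmd_populate_user()` is not explained either, and its definition is not in this section, so the reason (presumably the protection bits it sets in the pmd) should be stated in a comment. `early_ioremap_init()` starts and ends outside the hunk.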
18635 diff -urNp linux-2.6.37/arch/x86/mm/kmemcheck/kmemcheck.c linux-2.6.37/arch/x86/mm/kmemcheck/kmemcheck.c
18636 --- linux-2.6.37/arch/x86/mm/kmemcheck/kmemcheck.c 2011-01-04 19:50:19.000000000 -0500
18637 +++ linux-2.6.37/arch/x86/mm/kmemcheck/kmemcheck.c 2011-01-17 02:41:01.000000000 -0500
18638 @@ -622,9 +622,9 @@ bool kmemcheck_fault(struct pt_regs *reg
18639 * memory (e.g. tracked pages)? For now, we need this to avoid
18640 * invoking kmemcheck for PnP BIOS calls.
18641 */
18642 - if (regs->flags & X86_VM_MASK)
18643 + if (v8086_mode(regs))
18644 return false;
18645 - if (regs->cs != __KERNEL_CS)
18646 + if (regs->cs != __KERNEL_CS && regs->cs != __KERNEXEC_KERNEL_CS)
18647 return false;
18648
18649 pte = kmemcheck_pte_lookup(address);
18650 diff -urNp linux-2.6.37/arch/x86/mm/mmap.c linux-2.6.37/arch/x86/mm/mmap.c
18651 --- linux-2.6.37/arch/x86/mm/mmap.c 2011-01-04 19:50:19.000000000 -0500
18652 +++ linux-2.6.37/arch/x86/mm/mmap.c 2011-01-17 02:41:01.000000000 -0500
18653 @@ -49,7 +49,7 @@ static unsigned int stack_maxrandom_size
18654 * Leave an at least ~128 MB hole with possible stack randomization.
18655 */
18656 #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
18657 -#define MAX_GAP (TASK_SIZE/6*5)
18658 +#define MAX_GAP (pax_task_size/6*5)
18659
18660 /*
18661 * True on X86_32 or when emulating IA32 on X86_64
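Review bot: `MAX_GAP` now expands to `pax_task_size`, which is not a global but a local of `mmap_base()` in the next hunk, so the macro compiles only inside that one function and silently depends on a variable name in its user. Making the dependency explicit removes the trap: `#define MAX_GAP(task_size) ((task_size)/6*5)` with `gap = MAX_GAP(pax_task_size);` at the use site. `MIN_GAP` on the line above keeps its self-contained form, which makes the asymmetry easy to miss.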
18662 @@ -94,27 +94,40 @@ static unsigned long mmap_rnd(void)
18663 return rnd << PAGE_SHIFT;
18664 }
18665
18666 -static unsigned long mmap_base(void)
18667 +static unsigned long mmap_base(struct mm_struct *mm)
18668 {
18669 unsigned long gap = rlimit(RLIMIT_STACK);
18670 + unsigned long pax_task_size = TASK_SIZE;
18671 +
18672 +#ifdef CONFIG_PAX_SEGMEXEC
18673 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18674 + pax_task_size = SEGMEXEC_TASK_SIZE;
18675 +#endif
18676
18677 if (gap < MIN_GAP)
18678 gap = MIN_GAP;
18679 else if (gap > MAX_GAP)
18680 gap = MAX_GAP;
18681
18682 - return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
18683 + return PAGE_ALIGN(pax_task_size - gap - mmap_rnd());
18684 }
18685
18686 /*
18687 * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
18688 * does, but not when emulating X86_32
18689 */
18690 -static unsigned long mmap_legacy_base(void)
18691 +static unsigned long mmap_legacy_base(struct mm_struct *mm)
18692 {
18693 - if (mmap_is_ia32())
18694 + if (mmap_is_ia32()) {
18695 +
18696 +#ifdef CONFIG_PAX_SEGMEXEC
18697 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18698 + return SEGMEXEC_TASK_UNMAPPED_BASE;
18699 + else
18700 +#endif
18701 +
18702 return TASK_UNMAPPED_BASE;
18703 - else
18704 + } else
18705 return TASK_UNMAPPED_BASE + mmap_rnd();
18706 }
18707
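Review bot: In `mmap_legacy_base()` the `else` on the line before `#endif` pairs with a `return` that sits outside the conditional block, so the control flow reads differently depending on whether CONFIG_PAX_SEGMEXEC is set. Two plain statements avoid the cross-preprocessor `else`: `if (mm->pax_flags & MF_PAX_SEGMEXEC) return SEGMEXEC_TASK_UNMAPPED_BASE;` inside the `#ifdef`, followed unconditionally by `return TASK_UNMAPPED_BASE;`. Without CONFIG_PAX_SEGMEXEC the new `mm` parameter of both functions is unused, which is harmless but deserves a short comment.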
18708 @@ -125,11 +138,23 @@ static unsigned long mmap_legacy_base(vo
18709 void arch_pick_mmap_layout(struct mm_struct *mm)
18710 {
18711 if (mmap_is_legacy()) {
18712 - mm->mmap_base = mmap_legacy_base();
18713 + mm->mmap_base = mmap_legacy_base(mm);
18714 +
18715 +#ifdef CONFIG_PAX_RANDMMAP
18716 + if (mm->pax_flags & MF_PAX_RANDMMAP)
18717 + mm->mmap_base += mm->delta_mmap;
18718 +#endif
18719 +
18720 mm->get_unmapped_area = arch_get_unmapped_area;
18721 mm->unmap_area = arch_unmap_area;
18722 } else {
18723 - mm->mmap_base = mmap_base();
18724 + mm->mmap_base = mmap_base(mm);
18725 +
18726 +#ifdef CONFIG_PAX_RANDMMAP
18727 + if (mm->pax_flags & MF_PAX_RANDMMAP)
18728 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
18729 +#endif
18730 +
18731 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
18732 mm->unmap_area = arch_unmap_area_topdown;
18733 }
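Review bot: The two CONFIG_PAX_RANDMMAP adjustments are asymmetric — `mmap_base` gains `delta_mmap` in the legacy branch but loses `delta_mmap + delta_stack` in the top-down branch — and nothing in the hunk says why. A comment on each would help, e.g. `/* bottom-up layout: push the base up by the mmap delta */` and `/* top-down layout: pull the base down past the mmap and stack deltas */`, provided that is indeed the intent (the deltas are set elsewhere). Whether `mm->delta_mmap + mm->delta_stack` can exceed `mmap_base(mm)` is not visible here; if the deltas are bounded elsewhere, a note to that effect would reassure the reader.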
18734 diff -urNp linux-2.6.37/arch/x86/mm/numa_32.c linux-2.6.37/arch/x86/mm/numa_32.c
18735 --- linux-2.6.37/arch/x86/mm/numa_32.c 2011-01-04 19:50:19.000000000 -0500
18736 +++ linux-2.6.37/arch/x86/mm/numa_32.c 2011-01-17 02:41:01.000000000 -0500
18737 @@ -99,7 +99,6 @@ unsigned long node_memmap_size_bytes(int
18738 }
18739 #endif
18740
18741 -extern unsigned long find_max_low_pfn(void);
18742 extern unsigned long highend_pfn, highstart_pfn;
18743
18744 #define LARGE_PAGE_BYTES (PTRS_PER_PTE * PAGE_SIZE)
18745 diff -urNp linux-2.6.37/arch/x86/mm/pageattr.c linux-2.6.37/arch/x86/mm/pageattr.c
18746 --- linux-2.6.37/arch/x86/mm/pageattr.c 2011-01-04 19:50:19.000000000 -0500
18747 +++ linux-2.6.37/arch/x86/mm/pageattr.c 2011-01-17 02:41:01.000000000 -0500
18748 @@ -261,16 +261,17 @@ static inline pgprot_t static_protection
18749 * PCI BIOS based config access (CONFIG_PCI_GOBIOS) support.
18750 */
18751 if (within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT))
18752 - pgprot_val(forbidden) |= _PAGE_NX;
18753 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
18754
18755 /*
18756 * The kernel text needs to be executable for obvious reasons
18757 * Does not cover __inittext since that is gone later on. On
18758 * 64bit we do not enforce !NX on the low mapping
18759 */
18760 - if (within(address, (unsigned long)_text, (unsigned long)_etext))
18761 - pgprot_val(forbidden) |= _PAGE_NX;
18762 + if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
18763 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
18764
18765 +#ifdef CONFIG_DEBUG_RODATA
18766 /*
18767 * The .rodata section needs to be read-only. Using the pfn
18768 * catches all aliases.
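Review bot: `_PAGE_NX & __supported_pte_mask` appears twice here without a word on why the mask is needed; the `x86_configure_nx()` change later in this patch clears `_PAGE_NX` from `__supported_pte_mask` on CPUs without NX, so the comment at the first use could read `/* only forbid NX where the CPU supports it, see __supported_pte_mask */` (confirm that is the motivation). The `#ifdef CONFIG_DEBUG_RODATA` opened on the last line of this hunk is closed only in the following one, so the two hunks have to be read together.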
18769 @@ -278,6 +279,7 @@ static inline pgprot_t static_protection
18770 if (within(pfn, __pa((unsigned long)__start_rodata) >> PAGE_SHIFT,
18771 __pa((unsigned long)__end_rodata) >> PAGE_SHIFT))
18772 pgprot_val(forbidden) |= _PAGE_RW;
18773 +#endif
18774
18775 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
18776 /*
18777 @@ -316,6 +318,13 @@ static inline pgprot_t static_protection
18778 }
18779 #endif
18780
18781 +#ifdef CONFIG_PAX_KERNEXEC
18782 + if (within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))) {
18783 + pgprot_val(forbidden) |= _PAGE_RW;
18784 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
18785 + }
18786 +#endif
18787 +
18788 prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden));
18789
18790 return prot;
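Review bot: The new CONFIG_PAX_KERNEXEC check compares `pfn` with byte-granular physical addresses: the other pfn-based `within()` calls in this function shift by `PAGE_SHIFT` (`BIOS_BEGIN >> PAGE_SHIFT`, `__pa(__start_rodata) >> PAGE_SHIFT` in the earlier hunks), while this one passes `__pa(&_text)` and `__pa(&_sdata)` unshifted. Unless `within()` is meant to take mixed units, the range is off by a factor of PAGE_SIZE and would neither cover the kernel text nor exclude unrelated high pfns; the intended line is presumably `if (within(pfn, __pa((unsigned long)&_text) >> PAGE_SHIFT, __pa((unsigned long)&_sdata) >> PAGE_SHIFT)) {`. The enclosing function starts outside this hunk.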
18791 @@ -368,23 +377,37 @@ EXPORT_SYMBOL_GPL(lookup_address);
18792 static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
18793 {
18794 /* change init_mm */
18795 + pax_open_kernel();
18796 set_pte_atomic(kpte, pte);
18797 +
18798 #ifdef CONFIG_X86_32
18799 if (!SHARED_KERNEL_PMD) {
18800 +
18801 +#ifdef CONFIG_PAX_PER_CPU_PGD
18802 + unsigned long cpu;
18803 +#else
18804 struct page *page;
18805 +#endif
18806
18807 +#ifdef CONFIG_PAX_PER_CPU_PGD
18808 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
18809 + pgd_t *pgd = get_cpu_pgd(cpu);
18810 +#else
18811 list_for_each_entry(page, &pgd_list, lru) {
18812 - pgd_t *pgd;
18813 + pgd_t *pgd = (pgd_t *)page_address(page);
18814 +#endif
18815 +
18816 pud_t *pud;
18817 pmd_t *pmd;
18818
18819 - pgd = (pgd_t *)page_address(page) + pgd_index(address);
18820 + pgd += pgd_index(address);
18821 pud = pud_offset(pgd, address);
18822 pmd = pmd_offset(pud, address);
18823 set_pte_atomic((pte_t *)pmd, pte);
18824 }
18825 }
18826 #endif
18827 + pax_close_kernel();
18828 }
18829
18830 static int
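Review bot: Under CONFIG_PAX_PER_CPU_PGD the loop in `__set_pmd_pte()` walks `cpu < NR_CPUS` rather than the possible-CPU mask, so it calls `get_cpu_pgd(cpu)` for CPU numbers that may never exist on the running system; if those per-cpu pgds are allocated statically for all NR_CPUS that is merely wasted work, otherwise it is an out-of-range access, and a comment should say which. `for_each_possible_cpu(cpu)` is the usual form. The same `NR_CPUS` loop appears in the `bios32_service()` rewrite in pcbios.c later in this patch. The two `#ifdef` pairs, one declaring `cpu`/`page` and one opening the loop, could be merged so the loop variable and its loop are visibly together.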
18831 diff -urNp linux-2.6.37/arch/x86/mm/pageattr-test.c linux-2.6.37/arch/x86/mm/pageattr-test.c
18832 --- linux-2.6.37/arch/x86/mm/pageattr-test.c 2011-01-04 19:50:19.000000000 -0500
18833 +++ linux-2.6.37/arch/x86/mm/pageattr-test.c 2011-01-17 02:41:01.000000000 -0500
18834 @@ -36,7 +36,7 @@ enum {
18835
18836 static int pte_testbit(pte_t pte)
18837 {
18838 - return pte_flags(pte) & _PAGE_UNUSED1;
18839 + return pte_flags(pte) & _PAGE_CPA_TEST;
18840 }
18841
18842 struct split_state {
18843 diff -urNp linux-2.6.37/arch/x86/mm/pat.c linux-2.6.37/arch/x86/mm/pat.c
18844 --- linux-2.6.37/arch/x86/mm/pat.c 2011-01-04 19:50:19.000000000 -0500
18845 +++ linux-2.6.37/arch/x86/mm/pat.c 2011-01-17 02:41:01.000000000 -0500
18846 @@ -361,7 +361,7 @@ int free_memtype(u64 start, u64 end)
18847
18848 if (!entry) {
18849 printk(KERN_INFO "%s:%d freeing invalid memtype %Lx-%Lx\n",
18850 - current->comm, current->pid, start, end);
18851 + current->comm, task_pid_nr(current), start, end);
18852 return -EINVAL;
18853 }
18854
18855 @@ -492,8 +492,8 @@ static inline int range_is_allowed(unsig
18856 while (cursor < to) {
18857 if (!devmem_is_allowed(pfn)) {
18858 printk(KERN_INFO
18859 - "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
18860 - current->comm, from, to);
18861 + "Program %s tried to access /dev/mem between %Lx->%Lx (%Lx).\n",
18862 + current->comm, from, to, cursor);
18863 return 0;
18864 }
18865 cursor += PAGE_SIZE;
18866 @@ -557,7 +557,7 @@ int kernel_map_sync_memtype(u64 base, un
18867 printk(KERN_INFO
18868 "%s:%d ioremap_change_attr failed %s "
18869 "for %Lx-%Lx\n",
18870 - current->comm, current->pid,
18871 + current->comm, task_pid_nr(current),
18872 cattr_name(flags),
18873 base, (unsigned long long)(base + size));
18874 return -EINVAL;
18875 @@ -593,7 +593,7 @@ static int reserve_pfn_range(u64 paddr,
18876 if (want_flags != flags) {
18877 printk(KERN_WARNING
18878 "%s:%d map pfn RAM range req %s for %Lx-%Lx, got %s\n",
18879 - current->comm, current->pid,
18880 + current->comm, task_pid_nr(current),
18881 cattr_name(want_flags),
18882 (unsigned long long)paddr,
18883 (unsigned long long)(paddr + size),
18884 @@ -615,7 +615,7 @@ static int reserve_pfn_range(u64 paddr,
18885 free_memtype(paddr, paddr + size);
18886 printk(KERN_ERR "%s:%d map pfn expected mapping type %s"
18887 " for %Lx-%Lx, got %s\n",
18888 - current->comm, current->pid,
18889 + current->comm, task_pid_nr(current),
18890 cattr_name(want_flags),
18891 (unsigned long long)paddr,
18892 (unsigned long long)(paddr + size),
18893 diff -urNp linux-2.6.37/arch/x86/mm/pgtable_32.c linux-2.6.37/arch/x86/mm/pgtable_32.c
18894 --- linux-2.6.37/arch/x86/mm/pgtable_32.c 2011-01-04 19:50:19.000000000 -0500
18895 +++ linux-2.6.37/arch/x86/mm/pgtable_32.c 2011-01-17 02:41:01.000000000 -0500
18896 @@ -48,10 +48,13 @@ void set_pte_vaddr(unsigned long vaddr,
18897 return;
18898 }
18899 pte = pte_offset_kernel(pmd, vaddr);
18900 +
18901 + pax_open_kernel();
18902 if (pte_val(pteval))
18903 set_pte_at(&init_mm, vaddr, pte, pteval);
18904 else
18905 pte_clear(&init_mm, vaddr, pte);
18906 + pax_close_kernel();
18907
18908 /*
18909 * It's enough to flush this one mapping.
18910 diff -urNp linux-2.6.37/arch/x86/mm/pgtable.c linux-2.6.37/arch/x86/mm/pgtable.c
18911 --- linux-2.6.37/arch/x86/mm/pgtable.c 2011-01-04 19:50:19.000000000 -0500
18912 +++ linux-2.6.37/arch/x86/mm/pgtable.c 2011-01-17 02:41:01.000000000 -0500
18913 @@ -84,9 +84,58 @@ static inline void pgd_list_del(pgd_t *p
18914 list_del(&page->lru);
18915 }
18916
18917 -#define UNSHARED_PTRS_PER_PGD \
18918 - (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
18919 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18920 +pgdval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT;
18921
18922 +void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count)
18923 +{
18924 + while (count--)
18925 + *dst++ = __pgd((pgd_val(*src++) | (_PAGE_NX & __supported_pte_mask)) & ~_PAGE_USER);
18926 +}
18927 +#endif
18928 +
18929 +#ifdef CONFIG_PAX_PER_CPU_PGD
18930 +void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count)
18931 +{
18932 + while (count--)
18933 +
18934 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18935 + *dst++ = __pgd(pgd_val(*src++) & clone_pgd_mask);
18936 +#else
18937 + *dst++ = *src++;
18938 +#endif
18939 +
18940 +}
18941 +#endif
18942 +
18943 +#ifdef CONFIG_PAX_PER_CPU_PGD
18944 +static inline void pgd_ctor(struct mm_struct *mm, pgd_t *pgd) {}
18945 +static inline void pgd_dtor(pgd_t *pgd) {}
18946 +#ifdef CONFIG_X86_64
18947 +#define pxd_t pud_t
18948 +#define pyd_t pgd_t
18949 +#define paravirt_release_pxd(pfn) paravirt_release_pud(pfn)
18950 +#define pxd_free(mm, pud) pud_free((mm), (pud))
18951 +#define pyd_populate(mm, pgd, pud) pgd_populate((mm), (pgd), (pud))
18952 +#define pyd_offset(mm ,address) pgd_offset((mm), (address))
18953 +#define PYD_SIZE PGDIR_SIZE
18954 +#else
18955 +#define pxd_t pmd_t
18956 +#define pyd_t pud_t
18957 +#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
18958 +#define pxd_free(mm, pud) pmd_free((mm), (pud))
18959 +#define pyd_populate(mm, pgd, pud) pud_populate((mm), (pgd), (pud))
18960 +#define pyd_offset(mm ,address) pud_offset((mm), (address))
18961 +#define PYD_SIZE PUD_SIZE
18962 +#endif
18963 +#else
18964 +#define pxd_t pmd_t
18965 +#define pyd_t pud_t
18966 +#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
18967 +#define pxd_free(mm, pmd) pmd_free((mm), (pmd))
18968 +#define pyd_populate(mm, pud, pmd) pud_populate((mm), (pud), (pmd))
18969 +#define pyd_offset(mm ,address) pud_offset((mm), (address))
18970 +#define PYD_SIZE PUD_SIZE
18971
18972 static void pgd_set_mm(pgd_t *pgd, struct mm_struct *mm)
18973 {
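Review bot: `__clone_user_pgds()` has a `while (count--)` whose single-statement body is split across `#if`/`#else`/`#endif` with blank lines on both sides, so the loop's extent is not visible at a glance; braces make it unambiguous, `while (count--) {` before the preprocessor block and `}` after it. `__shadow_user_pgds()` deserves a one-line comment stating what it builds, e.g. `/* kernel-side copy of the user pgds: user bit cleared, NX set where supported */`, which is what the expression does. The `pyd_offset(mm ,address)` parameter lists have a stray space before the comma in all three definitions. The `#else` on the last line is closed in the next hunk, so `pgd_set_mm()` and the original `pgd_ctor()`/`pgd_dtor()` are compiled out under CONFIG_PAX_PER_CPU_PGD — worth a trailing `/* !CONFIG_PAX_PER_CPU_PGD */` on that `#else`.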
18974 @@ -130,6 +179,7 @@ static void pgd_dtor(pgd_t *pgd)
18975 pgd_list_del(pgd);
18976 spin_unlock_irqrestore(&pgd_lock, flags);
18977 }
18978 +#endif
18979
18980 /*
18981 * List of all pgd's needed for non-PAE so it can invalidate entries
18982 @@ -142,7 +192,7 @@ static void pgd_dtor(pgd_t *pgd)
18983 * -- wli
18984 */
18985
18986 -#ifdef CONFIG_X86_PAE
18987 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
18988 /*
18989 * In PAE mode, we need to do a cr3 reload (=tlb flush) when
18990 * updating the top-level pagetable entries to guarantee the
18991 @@ -154,7 +204,7 @@ static void pgd_dtor(pgd_t *pgd)
18992 * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate
18993 * and initialize the kernel pmds here.
18994 */
18995 -#define PREALLOCATED_PMDS UNSHARED_PTRS_PER_PGD
18996 +#define PREALLOCATED_PXDS (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
18997
18998 void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
18999 {
19000 @@ -173,36 +223,38 @@ void pud_populate(struct mm_struct *mm,
19001 if (mm == current->active_mm)
19002 write_cr3(read_cr3());
19003 }
19004 +#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)
19005 +#define PREALLOCATED_PXDS USER_PGD_PTRS
19006 #else /* !CONFIG_X86_PAE */
19007
19008 /* No need to prepopulate any pagetable entries in non-PAE modes. */
19009 -#define PREALLOCATED_PMDS 0
19010 +#define PREALLOCATED_PXDS 0
19011
19012 #endif /* CONFIG_X86_PAE */
19013
19014 -static void free_pmds(pmd_t *pmds[])
19015 +static void free_pxds(pxd_t *pxds[])
19016 {
19017 int i;
19018
19019 - for(i = 0; i < PREALLOCATED_PMDS; i++)
19020 - if (pmds[i])
19021 - free_page((unsigned long)pmds[i]);
19022 + for(i = 0; i < PREALLOCATED_PXDS; i++)
19023 + if (pxds[i])
19024 + free_page((unsigned long)pxds[i]);
19025 }
19026
19027 -static int preallocate_pmds(pmd_t *pmds[])
19028 +static int preallocate_pxds(pxd_t *pxds[])
19029 {
19030 int i;
19031 bool failed = false;
19032
19033 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
19034 - pmd_t *pmd = (pmd_t *)__get_free_page(PGALLOC_GFP);
19035 - if (pmd == NULL)
19036 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
19037 + pxd_t *pxd = (pxd_t *)__get_free_page(PGALLOC_GFP);
19038 + if (pxd == NULL)
19039 failed = true;
19040 - pmds[i] = pmd;
19041 + pxds[i] = pxd;
19042 }
19043
19044 if (failed) {
19045 - free_pmds(pmds);
19046 + free_pxds(pxds);
19047 return -ENOMEM;
19048 }
19049
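Review bot: The trailer comments `#else /* !CONFIG_X86_PAE */` and `#endif /* CONFIG_X86_PAE */` no longer describe the conditional chain, which now opens with `#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)` (previous hunk) and gains an `#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)` branch here. Updating them, e.g. `#else /* neither X86_32+PAE nor X86_64+PAX_PER_CPU_PGD */`, also keeps the comment `/* No need to prepopulate any pagetable entries in non-PAE modes. */` from misleading readers on the 64-bit per-cpu-pgd path, which does prepopulate. The `pmd` to `pxd` rename in `free_pxds()`/`preallocate_pxds()` is otherwise mechanical.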
19050 @@ -215,51 +267,56 @@ static int preallocate_pmds(pmd_t *pmds[
19051 * preallocate which never got a corresponding vma will need to be
19052 * freed manually.
19053 */
19054 -static void pgd_mop_up_pmds(struct mm_struct *mm, pgd_t *pgdp)
19055 +static void pgd_mop_up_pxds(struct mm_struct *mm, pgd_t *pgdp)
19056 {
19057 int i;
19058
19059 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
19060 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
19061 pgd_t pgd = pgdp[i];
19062
19063 if (pgd_val(pgd) != 0) {
19064 - pmd_t *pmd = (pmd_t *)pgd_page_vaddr(pgd);
19065 + pxd_t *pxd = (pxd_t *)pgd_page_vaddr(pgd);
19066
19067 - pgdp[i] = native_make_pgd(0);
19068 + set_pgd(pgdp + i, native_make_pgd(0));
19069
19070 - paravirt_release_pmd(pgd_val(pgd) >> PAGE_SHIFT);
19071 - pmd_free(mm, pmd);
19072 + paravirt_release_pxd(pgd_val(pgd) >> PAGE_SHIFT);
19073 + pxd_free(mm, pxd);
19074 }
19075 }
19076 }
19077
19078 -static void pgd_prepopulate_pmd(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmds[])
19079 +static void pgd_prepopulate_pxd(struct mm_struct *mm, pgd_t *pgd, pxd_t *pxds[])
19080 {
19081 - pud_t *pud;
19082 + pyd_t *pyd;
19083 unsigned long addr;
19084 int i;
19085
19086 - if (PREALLOCATED_PMDS == 0) /* Work around gcc-3.4.x bug */
19087 + if (PREALLOCATED_PXDS == 0) /* Work around gcc-3.4.x bug */
19088 return;
19089
19090 - pud = pud_offset(pgd, 0);
19091 +#ifdef CONFIG_X86_64
19092 + pyd = pyd_offset(mm, 0L);
19093 +#else
19094 + pyd = pyd_offset(pgd, 0L);
19095 +#endif
19096
19097 - for (addr = i = 0; i < PREALLOCATED_PMDS;
19098 - i++, pud++, addr += PUD_SIZE) {
19099 - pmd_t *pmd = pmds[i];
19100 + for (addr = i = 0; i < PREALLOCATED_PXDS;
19101 + i++, pyd++, addr += PYD_SIZE) {
19102 + pxd_t *pxd = pxds[i];
19103
19104 if (i >= KERNEL_PGD_BOUNDARY)
19105 - memcpy(pmd, (pmd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
19106 - sizeof(pmd_t) * PTRS_PER_PMD);
19107 + memcpy(pxd, (pxd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
19108 + sizeof(pxd_t) * PTRS_PER_PMD);
19109
19110 - pud_populate(mm, pud, pmd);
19111 + pyd_populate(mm, pyd, pxd);
19112 }
19113 }
19114
19115 pgd_t *pgd_alloc(struct mm_struct *mm)
19116 {
19117 pgd_t *pgd;
19118 - pmd_t *pmds[PREALLOCATED_PMDS];
19119 + pxd_t *pxds[PREALLOCATED_PXDS];
19120 +
19121 unsigned long flags;
19122
19123 pgd = (pgd_t *)__get_free_page(PGALLOC_GFP);
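Review bot: In `pgd_prepopulate_pxd()` the copy size `sizeof(pxd_t) * PTRS_PER_PMD` mixes the level-generic `pxd_t` with a pmd-specific element count; on the CONFIG_X86_64 && CONFIG_PAX_PER_CPU_PGD path `pxd_t` is `pud_t` (macro block at the top of this file section), so the expression is right only because PTRS_PER_PUD and PTRS_PER_PMD agree on x86_64. A `PTRS_PER_PXD` alias beside the other `pxd_*` macros would make that explicit: `sizeof(pxd_t) * PTRS_PER_PXD`. The `pyd_offset(mm, 0L)` / `pyd_offset(pgd, 0L)` pair passes an `mm` on one arch and a `pgd` on the other through a macro parameter named `mm`, which is worth a comment. `pgd_alloc()` continues past the hunk.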
19124 @@ -269,11 +326,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
19125
19126 mm->pgd = pgd;
19127
19128 - if (preallocate_pmds(pmds) != 0)
19129 + if (preallocate_pxds(pxds) != 0)
19130 goto out_free_pgd;
19131
19132 if (paravirt_pgd_alloc(mm) != 0)
19133 - goto out_free_pmds;
19134 + goto out_free_pxds;
19135
19136 /*
19137 * Make sure that pre-populating the pmds is atomic with
19138 @@ -283,14 +340,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
19139 spin_lock_irqsave(&pgd_lock, flags);
19140
19141 pgd_ctor(mm, pgd);
19142 - pgd_prepopulate_pmd(mm, pgd, pmds);
19143 + pgd_prepopulate_pxd(mm, pgd, pxds);
19144
19145 spin_unlock_irqrestore(&pgd_lock, flags);
19146
19147 return pgd;
19148
19149 -out_free_pmds:
19150 - free_pmds(pmds);
19151 +out_free_pxds:
19152 + free_pxds(pxds);
19153 out_free_pgd:
19154 free_page((unsigned long)pgd);
19155 out:
19156 @@ -299,7 +356,7 @@ out:
19157
19158 void pgd_free(struct mm_struct *mm, pgd_t *pgd)
19159 {
19160 - pgd_mop_up_pmds(mm, pgd);
19161 + pgd_mop_up_pxds(mm, pgd);
19162 pgd_dtor(pgd);
19163 paravirt_pgd_free(mm, pgd);
19164 free_page((unsigned long)pgd);
19165 diff -urNp linux-2.6.37/arch/x86/mm/setup_nx.c linux-2.6.37/arch/x86/mm/setup_nx.c
19166 --- linux-2.6.37/arch/x86/mm/setup_nx.c 2011-01-04 19:50:19.000000000 -0500
19167 +++ linux-2.6.37/arch/x86/mm/setup_nx.c 2011-01-17 02:41:01.000000000 -0500
19168 @@ -5,8 +5,10 @@
19169 #include <asm/pgtable.h>
19170 #include <asm/proto.h>
19171
19172 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
19173 static int disable_nx __cpuinitdata;
19174
19175 +#ifndef CONFIG_PAX_PAGEEXEC
19176 /*
19177 * noexec = on|off
19178 *
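Review bot: The `#ifndef CONFIG_PAX_PAGEEXEC` now wrapping the `noexec=` parameter removes the command-line switch for disabling NX when PAGEEXEC is enabled, a deliberate hardening decision that the hunk does not explain; a comment on the `#ifndef` would save the next reader a search: `/* PAGEEXEC depends on NX being enforced, so the noexec= override is not offered */` (intent inferred from the config name — confirm). `disable_nx` keeps its definition, but with PAGEEXEC set nothing visible in this file can set it any more, so it could move under the same `#ifndef` if `noexec_setup()` is its only writer.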
19179 @@ -28,12 +30,17 @@ static int __init noexec_setup(char *str
19180 return 0;
19181 }
19182 early_param("noexec", noexec_setup);
19183 +#endif
19184 +
19185 +#endif
19186
19187 void __cpuinit x86_configure_nx(void)
19188 {
19189 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
19190 if (cpu_has_nx && !disable_nx)
19191 __supported_pte_mask |= _PAGE_NX;
19192 else
19193 +#endif
19194 __supported_pte_mask &= ~_PAGE_NX;
19195 }
19196
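Review bot: In `x86_configure_nx()` the `else` now sits immediately before `#endif`, so on configurations without CONFIG_X86_64/CONFIG_X86_PAE the following `__supported_pte_mask &= ~_PAGE_NX;` is the whole body while on the others it is the else-arm — correct, but the pairing is only visible after mentally expanding the preprocessor. A flat form reads the same either way: inside the `#if` block write `if (cpu_has_nx && !disable_nx) { __supported_pte_mask |= _PAGE_NX; return; }` and leave the mask-clear unconditional below the `#endif`.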
19197 diff -urNp linux-2.6.37/arch/x86/mm/tlb.c linux-2.6.37/arch/x86/mm/tlb.c
19198 --- linux-2.6.37/arch/x86/mm/tlb.c 2011-01-04 19:50:19.000000000 -0500
19199 +++ linux-2.6.37/arch/x86/mm/tlb.c 2011-01-17 02:41:01.000000000 -0500
19200 @@ -14,7 +14,7 @@
19201 #include <asm/uv/uv.h>
19202
19203 DEFINE_PER_CPU_SHARED_ALIGNED(struct tlb_state, cpu_tlbstate)
19204 - = { &init_mm, 0, };
19205 + = { &init_mm, 0 };
19206
19207 /*
19208 * Smarter SMP flushing macros.
19209 @@ -65,7 +65,11 @@ void leave_mm(int cpu)
19210 BUG();
19211 cpumask_clear_cpu(cpu,
19212 mm_cpumask(percpu_read(cpu_tlbstate.active_mm)));
19213 +
19214 +#ifndef CONFIG_PAX_PER_CPU_PGD
19215 load_cr3(swapper_pg_dir);
19216 +#endif
19217 +
19218 }
19219 EXPORT_SYMBOL_GPL(leave_mm);
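Review bot: With CONFIG_PAX_PER_CPU_PGD, `leave_mm()` no longer loads `swapper_pg_dir` into cr3, and the hunk gives no reason; if the per-cpu pgd stays resident so no switch is needed, say so: `/* per-cpu pgd: cr3 already points at this cpu's own pgd, nothing to reload */` (confirm against the per-cpu pgd setup, which is not in this hunk). The blank lines padding the `#ifndef` block are unnecessary. The function starts outside this hunk.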
19220
19221 diff -urNp linux-2.6.37/arch/x86/oprofile/backtrace.c linux-2.6.37/arch/x86/oprofile/backtrace.c
19222 --- linux-2.6.37/arch/x86/oprofile/backtrace.c 2011-01-04 19:50:19.000000000 -0500
19223 +++ linux-2.6.37/arch/x86/oprofile/backtrace.c 2011-01-17 02:41:01.000000000 -0500
19224 @@ -57,7 +57,7 @@ dump_user_backtrace_32(struct stack_fram
19225 struct stack_frame_ia32 *fp;
19226
19227 /* Also check accessibility of one struct frame_head beyond */
19228 - if (!access_ok(VERIFY_READ, head, sizeof(bufhead)))
19229 + if (!__access_ok(VERIFY_READ, head, sizeof(bufhead)))
19230 return NULL;
19231 if (__copy_from_user_inatomic(bufhead, head, sizeof(bufhead)))
19232 return NULL;
19233 @@ -123,7 +123,7 @@ x86_backtrace(struct pt_regs * const reg
19234 {
19235 struct stack_frame *head = (struct stack_frame *)frame_pointer(regs);
19236
19237 - if (!user_mode_vm(regs)) {
19238 + if (!user_mode(regs)) {
19239 unsigned long stack = kernel_stack_pointer(regs);
19240 if (depth)
19241 dump_trace(NULL, regs, (unsigned long *)stack, 0,
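Review bot: `user_mode_vm()` and `user_mode()` differ on 32-bit for vm86 frames in the unpatched tree — only the former treats a v8086-mode register set as user mode — so after this change a vm86 task sampled in `x86_backtrace()` would take the kernel-stack branch and hand `frame_pointer(regs)` to `dump_trace()`. Unless this patch also redefines `user_mode()` to cover v8086 mode (not visible here), the old call should stay; either way a one-line comment on the condition would stop the next reader from flipping it again. The function continues past the hunk.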
19242 diff -urNp linux-2.6.37/arch/x86/oprofile/op_model_p4.c linux-2.6.37/arch/x86/oprofile/op_model_p4.c
19243 --- linux-2.6.37/arch/x86/oprofile/op_model_p4.c 2011-01-04 19:50:19.000000000 -0500
19244 +++ linux-2.6.37/arch/x86/oprofile/op_model_p4.c 2011-01-17 02:41:01.000000000 -0500
19245 @@ -50,7 +50,7 @@ static inline void setup_num_counters(vo
19246 #endif
19247 }
19248
19249 -static int inline addr_increment(void)
19250 +static inline int addr_increment(void)
19251 {
19252 #ifdef CONFIG_SMP
19253 return smp_num_siblings == 2 ? 2 : 1;
19254 diff -urNp linux-2.6.37/arch/x86/pci/common.c linux-2.6.37/arch/x86/pci/common.c
19255 --- linux-2.6.37/arch/x86/pci/common.c 2011-01-04 19:50:19.000000000 -0500
19256 +++ linux-2.6.37/arch/x86/pci/common.c 2011-01-17 02:41:01.000000000 -0500
19257 @@ -32,8 +32,8 @@ int noioapicreroute = 1;
19258 int pcibios_last_bus = -1;
19259 unsigned long pirq_table_addr;
19260 struct pci_bus *pci_root_bus;
19261 -struct pci_raw_ops *raw_pci_ops;
19262 -struct pci_raw_ops *raw_pci_ext_ops;
19263 +const struct pci_raw_ops *raw_pci_ops;
19264 +const struct pci_raw_ops *raw_pci_ext_ops;
19265
19266 int raw_pci_read(unsigned int domain, unsigned int bus, unsigned int devfn,
19267 int reg, int len, u32 *val)
19268 @@ -382,7 +382,7 @@ static const struct dmi_system_id __devi
19269 DMI_MATCH(DMI_PRODUCT_NAME, "ProLiant DL585 G2"),
19270 },
19271 },
19272 - {}
19273 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
19274 };
19275
19276 void __init dmi_check_pciprobe(void)
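Review bot: The explicit sentinel `{ NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}` is a positional initializer, so it now depends on the field order of `struct dmi_system_id`, whereas the `{}` it replaces did not; a designated form, `{ .matches = { DMI_MATCH(DMI_NONE, {0}) } }`, is order-independent and still yields the all-zero terminator. The same literal is repeated in fixup.c (twice) and irq.c later in this patch, so one macro in the header (constructed name, e.g. `DMI_TABLE_END`) would be better than four copies; the header is not in this section. Whatever motivated dropping `{}` — presumably a warning about empty initializers on these now-`const` tables — is worth a short comment at the first sentinel.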
19277 diff -urNp linux-2.6.37/arch/x86/pci/direct.c linux-2.6.37/arch/x86/pci/direct.c
19278 --- linux-2.6.37/arch/x86/pci/direct.c 2011-01-04 19:50:19.000000000 -0500
19279 +++ linux-2.6.37/arch/x86/pci/direct.c 2011-01-17 02:41:01.000000000 -0500
19280 @@ -79,7 +79,7 @@ static int pci_conf1_write(unsigned int
19281
19282 #undef PCI_CONF1_ADDRESS
19283
19284 -struct pci_raw_ops pci_direct_conf1 = {
19285 +const struct pci_raw_ops pci_direct_conf1 = {
19286 .read = pci_conf1_read,
19287 .write = pci_conf1_write,
19288 };
19289 @@ -173,7 +173,7 @@ static int pci_conf2_write(unsigned int
19290
19291 #undef PCI_CONF2_ADDRESS
19292
19293 -struct pci_raw_ops pci_direct_conf2 = {
19294 +const struct pci_raw_ops pci_direct_conf2 = {
19295 .read = pci_conf2_read,
19296 .write = pci_conf2_write,
19297 };
19298 @@ -189,7 +189,7 @@ struct pci_raw_ops pci_direct_conf2 = {
19299 * This should be close to trivial, but it isn't, because there are buggy
19300 * chipsets (yes, you guessed it, by Intel and Compaq) that have no class ID.
19301 */
19302 -static int __init pci_sanity_check(struct pci_raw_ops *o)
19303 +static int __init pci_sanity_check(const struct pci_raw_ops *o)
19304 {
19305 u32 x = 0;
19306 int year, devfn;
19307 diff -urNp linux-2.6.37/arch/x86/pci/fixup.c linux-2.6.37/arch/x86/pci/fixup.c
19308 --- linux-2.6.37/arch/x86/pci/fixup.c 2011-01-04 19:50:19.000000000 -0500
19309 +++ linux-2.6.37/arch/x86/pci/fixup.c 2011-01-17 02:41:01.000000000 -0500
19310 @@ -364,7 +364,7 @@ static const struct dmi_system_id __devi
19311 DMI_MATCH(DMI_PRODUCT_NAME, "MS-6702E"),
19312 },
19313 },
19314 - {}
19315 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
19316 };
19317
19318 /*
19319 @@ -435,7 +435,7 @@ static const struct dmi_system_id __devi
19320 DMI_MATCH(DMI_PRODUCT_VERSION, "PSA40U"),
19321 },
19322 },
19323 - { }
19324 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
19325 };
19326
19327 static void __devinit pci_pre_fixup_toshiba_ohci1394(struct pci_dev *dev)
19328 diff -urNp linux-2.6.37/arch/x86/pci/irq.c linux-2.6.37/arch/x86/pci/irq.c
19329 --- linux-2.6.37/arch/x86/pci/irq.c 2011-01-04 19:50:19.000000000 -0500
19330 +++ linux-2.6.37/arch/x86/pci/irq.c 2011-01-17 02:41:01.000000000 -0500
19331 @@ -542,7 +542,7 @@ static __init int intel_router_probe(str
19332 static struct pci_device_id __initdata pirq_440gx[] = {
19333 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_0) },
19334 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_2) },
19335 - { },
19336 + { PCI_DEVICE(0, 0) }
19337 };
19338
19339 /* 440GX has a proprietary PIRQ router -- don't use it */
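Review bot: `{ PCI_DEVICE(0, 0) }` is not an all-zero terminator: `PCI_DEVICE()` sets `.subvendor` and `.subdevice` to `PCI_ANY_ID`, and the unpatched table walkers (`pci_dev_present()`, `pci_match_id()`) treat an entry as the end only when `vendor`, `subvendor` and `class_mask` are all zero, so unless this patch changes that test — nothing in this section does — the scan of `pirq_440gx` would run past the end of the array. A zero entry that still avoids the empty-initializer form is `{ .vendor = 0 }`. Worth verifying against `pci_dev_present()` in the patched tree before this goes in.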
19340 @@ -1114,7 +1114,7 @@ static struct dmi_system_id __initdata p
19341 DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 360"),
19342 },
19343 },
19344 - { }
19345 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
19346 };
19347
19348 void __init pcibios_irq_init(void)
19349 diff -urNp linux-2.6.37/arch/x86/pci/mmconfig_32.c linux-2.6.37/arch/x86/pci/mmconfig_32.c
19350 --- linux-2.6.37/arch/x86/pci/mmconfig_32.c 2011-01-04 19:50:19.000000000 -0500
19351 +++ linux-2.6.37/arch/x86/pci/mmconfig_32.c 2011-01-17 02:41:01.000000000 -0500
19352 @@ -117,7 +117,7 @@ static int pci_mmcfg_write(unsigned int
19353 return 0;
19354 }
19355
19356 -static struct pci_raw_ops pci_mmcfg = {
19357 +static const struct pci_raw_ops pci_mmcfg = {
19358 .read = pci_mmcfg_read,
19359 .write = pci_mmcfg_write,
19360 };
19361 diff -urNp linux-2.6.37/arch/x86/pci/mmconfig_64.c linux-2.6.37/arch/x86/pci/mmconfig_64.c
19362 --- linux-2.6.37/arch/x86/pci/mmconfig_64.c 2011-01-04 19:50:19.000000000 -0500
19363 +++ linux-2.6.37/arch/x86/pci/mmconfig_64.c 2011-01-17 02:41:01.000000000 -0500
19364 @@ -81,7 +81,7 @@ static int pci_mmcfg_write(unsigned int
19365 return 0;
19366 }
19367
19368 -static struct pci_raw_ops pci_mmcfg = {
19369 +static const struct pci_raw_ops pci_mmcfg = {
19370 .read = pci_mmcfg_read,
19371 .write = pci_mmcfg_write,
19372 };
19373 diff -urNp linux-2.6.37/arch/x86/pci/numaq_32.c linux-2.6.37/arch/x86/pci/numaq_32.c
19374 --- linux-2.6.37/arch/x86/pci/numaq_32.c 2011-01-04 19:50:19.000000000 -0500
19375 +++ linux-2.6.37/arch/x86/pci/numaq_32.c 2011-01-17 02:41:01.000000000 -0500
19376 @@ -108,7 +108,7 @@ static int pci_conf1_mq_write(unsigned i
19377
19378 #undef PCI_CONF1_MQ_ADDRESS
19379
19380 -static struct pci_raw_ops pci_direct_conf1_mq = {
19381 +static const struct pci_raw_ops pci_direct_conf1_mq = {
19382 .read = pci_conf1_mq_read,
19383 .write = pci_conf1_mq_write
19384 };
19385 diff -urNp linux-2.6.37/arch/x86/pci/olpc.c linux-2.6.37/arch/x86/pci/olpc.c
19386 --- linux-2.6.37/arch/x86/pci/olpc.c 2011-01-04 19:50:19.000000000 -0500
19387 +++ linux-2.6.37/arch/x86/pci/olpc.c 2011-01-17 02:41:01.000000000 -0500
19388 @@ -297,7 +297,7 @@ static int pci_olpc_write(unsigned int s
19389 return 0;
19390 }
19391
19392 -static struct pci_raw_ops pci_olpc_conf = {
19393 +static const struct pci_raw_ops pci_olpc_conf = {
19394 .read = pci_olpc_read,
19395 .write = pci_olpc_write,
19396 };
19397 diff -urNp linux-2.6.37/arch/x86/pci/pcbios.c linux-2.6.37/arch/x86/pci/pcbios.c
19398 --- linux-2.6.37/arch/x86/pci/pcbios.c 2011-01-04 19:50:19.000000000 -0500
19399 +++ linux-2.6.37/arch/x86/pci/pcbios.c 2011-01-17 02:41:01.000000000 -0500
19400 @@ -57,50 +57,93 @@ union bios32 {
19401 static struct {
19402 unsigned long address;
19403 unsigned short segment;
19404 -} bios32_indirect = { 0, __KERNEL_CS };
19405 +} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
19406
19407 /*
19408 * Returns the entry point for the given service, NULL on error
19409 */
19410
19411 -static unsigned long bios32_service(unsigned long service)
19412 +static unsigned long __devinit bios32_service(unsigned long service)
19413 {
19414 unsigned char return_code; /* %al */
19415 unsigned long address; /* %ebx */
19416 unsigned long length; /* %ecx */
19417 unsigned long entry; /* %edx */
19418 unsigned long flags;
19419 + struct desc_struct d, *gdt;
19420
19421 local_irq_save(flags);
19422 - __asm__("lcall *(%%edi); cld"
19423 +
19424 + gdt = get_cpu_gdt_table(smp_processor_id());
19425 +
19426 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC);
19427 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
19428 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC);
19429 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
19430 +
19431 + __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
19432 : "=a" (return_code),
19433 "=b" (address),
19434 "=c" (length),
19435 "=d" (entry)
19436 : "0" (service),
19437 "1" (0),
19438 - "D" (&bios32_indirect));
19439 + "D" (&bios32_indirect),
19440 + "r"(__PCIBIOS_DS)
19441 + : "memory");
19442 +
19443 + pax_open_kernel();
19444 + gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
19445 + gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
19446 + gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
19447 + gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
19448 + pax_close_kernel();
19449 +
19450 local_irq_restore(flags);
19451
19452 switch (return_code) {
19453 - case 0:
19454 - return address + entry;
19455 - case 0x80: /* Not present */
19456 - printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
19457 - return 0;
19458 - default: /* Shouldn't happen */
19459 - printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
19460 - service, return_code);
19461 + case 0: {
19462 + int cpu;
19463 + unsigned char flags;
19464 +
19465 + printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
19466 + if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) {
19467 + printk(KERN_WARNING "bios32_service: not valid\n");
19468 return 0;
19469 + }
19470 + address = address + PAGE_OFFSET;
19471 + length += 16UL; /* some BIOSs underreport this... */
19472 + flags = 4;
19473 + if (length >= 64*1024*1024) {
19474 + length >>= PAGE_SHIFT;
19475 + flags |= 8;
19476 + }
19477 +
19478 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
19479 + gdt = get_cpu_gdt_table(cpu);
19480 + pack_descriptor(&d, address, length, 0x9b, flags);
19481 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
19482 + pack_descriptor(&d, address, length, 0x93, flags);
19483 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
19484 + }
19485 + return entry;
19486 + }
19487 + case 0x80: /* Not present */
19488 + printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
19489 + return 0;
19490 + default: /* Shouldn't happen */
19491 + printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
19492 + service, return_code);
19493 + return 0;
19494 }
19495 }
19496
19497 static struct {
19498 unsigned long address;
19499 unsigned short segment;
19500 -} pci_indirect = { 0, __KERNEL_CS };
19501 +} pci_indirect __read_only = { 0, __PCIBIOS_CS };
19502
19503 -static int pci_bios_present;
19504 +static int pci_bios_present __read_only;
19505
19506 static int __devinit check_pcibios(void)
19507 {
19508 @@ -109,11 +152,13 @@ static int __devinit check_pcibios(void)
19509 unsigned long flags, pcibios_entry;
19510
19511 if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
19512 - pci_indirect.address = pcibios_entry + PAGE_OFFSET;
19513 + pci_indirect.address = pcibios_entry;
19514
19515 local_irq_save(flags);
19516 - __asm__(
19517 - "lcall *(%%edi); cld\n\t"
19518 + __asm__("movw %w6, %%ds\n\t"
19519 + "lcall *%%ss:(%%edi); cld\n\t"
19520 + "push %%ss\n\t"
19521 + "pop %%ds\n\t"
19522 "jc 1f\n\t"
19523 "xor %%ah, %%ah\n"
19524 "1:"
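Review bot: `pci_indirect.address = pcibios_entry;` stores into an object the earlier hunk of this file now declares `__read_only` (as is `pci_bios_present`), yet unlike the GDT stores in bios32_service the write is not bracketed by pax_open_kernel()/pax_close_kernel(). Presumably this relies on check_pcibios being __devinit and running before the read-only data is sealed; a comment such as `/* pci_indirect/pci_bios_present are __read_only: written only here, at init time, before kernel data is sealed */` would stop the next reader from "fixing" it. The stored value also changed meaning: bios32_service now returns the entry offset inside the __PCIBIOS_CS segment, whose base already includes PAGE_OFFSET, so dropping `+ PAGE_OFFSET` is required rather than cosmetic, and `lcall *%%ss:(%%edi)` reaches pci_indirect through SS because DS has just been loaded with the limited BIOS segment. The same reasoning applies to every lcall site changed below (pci_bios_read, pci_bios_write, pcibios_get_irq_routing_table, pcibios_set_irq_routing) and deserves one comment next to the `pci_indirect` definition.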
19525 @@ -122,7 +167,8 @@ static int __devinit check_pcibios(void)
19526 "=b" (ebx),
19527 "=c" (ecx)
19528 : "1" (PCIBIOS_PCI_BIOS_PRESENT),
19529 - "D" (&pci_indirect)
19530 + "D" (&pci_indirect),
19531 + "r" (__PCIBIOS_DS)
19532 : "memory");
19533 local_irq_restore(flags);
19534
19535 @@ -166,7 +212,10 @@ static int pci_bios_read(unsigned int se
19536
19537 switch (len) {
19538 case 1:
19539 - __asm__("lcall *(%%esi); cld\n\t"
19540 + __asm__("movw %w6, %%ds\n\t"
19541 + "lcall *%%ss:(%%esi); cld\n\t"
19542 + "push %%ss\n\t"
19543 + "pop %%ds\n\t"
19544 "jc 1f\n\t"
19545 "xor %%ah, %%ah\n"
19546 "1:"
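Review bot: The `movw %w6, %%ds` / `lcall *%%ss:(%%esi); cld` / `push %%ss` / `pop %%ds` prologue and epilogue added here is repeated verbatim in the other two pci_bios_read cases, all three pci_bios_write cases and pcibios_set_irq_routing, the only differences being the operand number and a `\n` versus `\n\t` after `pop %%ds` in the routing-table variants. A pair of string macros defined once next to `__PCIBIOS_DS` (constructed names, e.g. `PCIBIOS_DS_LOAD(n)` and `PCIBIOS_DS_RESTORE`) would keep the seven sites from drifting apart. The enclosing pci_bios_read switch starts and ends outside this hunk.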
19547 @@ -175,7 +224,8 @@ static int pci_bios_read(unsigned int se
19548 : "1" (PCIBIOS_READ_CONFIG_BYTE),
19549 "b" (bx),
19550 "D" ((long)reg),
19551 - "S" (&pci_indirect));
19552 + "S" (&pci_indirect),
19553 + "r" (__PCIBIOS_DS));
19554 /*
19555 * Zero-extend the result beyond 8 bits, do not trust the
19556 * BIOS having done it:
19557 @@ -183,7 +233,10 @@ static int pci_bios_read(unsigned int se
19558 *value &= 0xff;
19559 break;
19560 case 2:
19561 - __asm__("lcall *(%%esi); cld\n\t"
19562 + __asm__("movw %w6, %%ds\n\t"
19563 + "lcall *%%ss:(%%esi); cld\n\t"
19564 + "push %%ss\n\t"
19565 + "pop %%ds\n\t"
19566 "jc 1f\n\t"
19567 "xor %%ah, %%ah\n"
19568 "1:"
19569 @@ -192,7 +245,8 @@ static int pci_bios_read(unsigned int se
19570 : "1" (PCIBIOS_READ_CONFIG_WORD),
19571 "b" (bx),
19572 "D" ((long)reg),
19573 - "S" (&pci_indirect));
19574 + "S" (&pci_indirect),
19575 + "r" (__PCIBIOS_DS));
19576 /*
19577 * Zero-extend the result beyond 16 bits, do not trust the
19578 * BIOS having done it:
19579 @@ -200,7 +254,10 @@ static int pci_bios_read(unsigned int se
19580 *value &= 0xffff;
19581 break;
19582 case 4:
19583 - __asm__("lcall *(%%esi); cld\n\t"
19584 + __asm__("movw %w6, %%ds\n\t"
19585 + "lcall *%%ss:(%%esi); cld\n\t"
19586 + "push %%ss\n\t"
19587 + "pop %%ds\n\t"
19588 "jc 1f\n\t"
19589 "xor %%ah, %%ah\n"
19590 "1:"
19591 @@ -209,7 +266,8 @@ static int pci_bios_read(unsigned int se
19592 : "1" (PCIBIOS_READ_CONFIG_DWORD),
19593 "b" (bx),
19594 "D" ((long)reg),
19595 - "S" (&pci_indirect));
19596 + "S" (&pci_indirect),
19597 + "r" (__PCIBIOS_DS));
19598 break;
19599 }
19600
19601 @@ -232,7 +290,10 @@ static int pci_bios_write(unsigned int s
19602
19603 switch (len) {
19604 case 1:
19605 - __asm__("lcall *(%%esi); cld\n\t"
19606 + __asm__("movw %w6, %%ds\n\t"
19607 + "lcall *%%ss:(%%esi); cld\n\t"
19608 + "push %%ss\n\t"
19609 + "pop %%ds\n\t"
19610 "jc 1f\n\t"
19611 "xor %%ah, %%ah\n"
19612 "1:"
19613 @@ -241,10 +302,14 @@ static int pci_bios_write(unsigned int s
19614 "c" (value),
19615 "b" (bx),
19616 "D" ((long)reg),
19617 - "S" (&pci_indirect));
19618 + "S" (&pci_indirect),
19619 + "r" (__PCIBIOS_DS));
19620 break;
19621 case 2:
19622 - __asm__("lcall *(%%esi); cld\n\t"
19623 + __asm__("movw %w6, %%ds\n\t"
19624 + "lcall *%%ss:(%%esi); cld\n\t"
19625 + "push %%ss\n\t"
19626 + "pop %%ds\n\t"
19627 "jc 1f\n\t"
19628 "xor %%ah, %%ah\n"
19629 "1:"
19630 @@ -253,10 +318,14 @@ static int pci_bios_write(unsigned int s
19631 "c" (value),
19632 "b" (bx),
19633 "D" ((long)reg),
19634 - "S" (&pci_indirect));
19635 + "S" (&pci_indirect),
19636 + "r" (__PCIBIOS_DS));
19637 break;
19638 case 4:
19639 - __asm__("lcall *(%%esi); cld\n\t"
19640 + __asm__("movw %w6, %%ds\n\t"
19641 + "lcall *%%ss:(%%esi); cld\n\t"
19642 + "push %%ss\n\t"
19643 + "pop %%ds\n\t"
19644 "jc 1f\n\t"
19645 "xor %%ah, %%ah\n"
19646 "1:"
19647 @@ -265,7 +334,8 @@ static int pci_bios_write(unsigned int s
19648 "c" (value),
19649 "b" (bx),
19650 "D" ((long)reg),
19651 - "S" (&pci_indirect));
19652 + "S" (&pci_indirect),
19653 + "r" (__PCIBIOS_DS));
19654 break;
19655 }
19656
19657 @@ -279,7 +349,7 @@ static int pci_bios_write(unsigned int s
19658 * Function table for BIOS32 access
19659 */
19660
19661 -static struct pci_raw_ops pci_bios_access = {
19662 +static const struct pci_raw_ops pci_bios_access = {
19663 .read = pci_bios_read,
19664 .write = pci_bios_write
19665 };
19666 @@ -288,7 +358,7 @@ static struct pci_raw_ops pci_bios_acces
19667 * Try to find PCI BIOS.
19668 */
19669
19670 -static struct pci_raw_ops * __devinit pci_find_bios(void)
19671 +static const struct pci_raw_ops * __devinit pci_find_bios(void)
19672 {
19673 union bios32 *check;
19674 unsigned char sum;
19675 @@ -369,10 +439,13 @@ struct irq_routing_table * pcibios_get_i
19676
19677 DBG("PCI: Fetching IRQ routing table... ");
19678 __asm__("push %%es\n\t"
19679 + "movw %w8, %%ds\n\t"
19680 "push %%ds\n\t"
19681 "pop %%es\n\t"
19682 - "lcall *(%%esi); cld\n\t"
19683 + "lcall *%%ss:(%%esi); cld\n\t"
19684 "pop %%es\n\t"
19685 + "push %%ss\n\t"
19686 + "pop %%ds\n"
19687 "jc 1f\n\t"
19688 "xor %%ah, %%ah\n"
19689 "1:"
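Review bot: After this hunk ES is loaded with __PCIBIOS_DS (DS is switched, then copied to ES), but the buffer operand in the next hunk is still `"D" ((long) &opt)`, the kernel virtual address of a stack variable. With the descriptor that bios32_service installs (base `address + PAGE_OFFSET`, limit bounded by its 1 MiB check plus 16 bytes), ES:DI no longer resolves to `opt` and an offset that large should fail the limit check, unless something before this hunk rebases it — the start of pcibios_get_irq_routing_table is outside the hunk and nothing visible here does. This is the one PCI BIOS call where the BIOS writes through a caller-supplied ES:DI buffer, so it needs either a buffer placed inside the segment or DI expressed relative to the segment base. At minimum a comment such as `/* ES:DI must be relative to the __PCIBIOS_DS base, not a linear address */` should mark the dependency.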
19690 @@ -383,7 +456,8 @@ struct irq_routing_table * pcibios_get_i
19691 "1" (0),
19692 "D" ((long) &opt),
19693 "S" (&pci_indirect),
19694 - "m" (opt)
19695 + "m" (opt),
19696 + "r" (__PCIBIOS_DS)
19697 : "memory");
19698 DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
19699 if (ret & 0xff00)
19700 @@ -407,7 +481,10 @@ int pcibios_set_irq_routing(struct pci_d
19701 {
19702 int ret;
19703
19704 - __asm__("lcall *(%%esi); cld\n\t"
19705 + __asm__("movw %w5, %%ds\n\t"
19706 + "lcall *%%ss:(%%esi); cld\n\t"
19707 + "push %%ss\n\t"
19708 + "pop %%ds\n"
19709 "jc 1f\n\t"
19710 "xor %%ah, %%ah\n"
19711 "1:"
19712 @@ -415,7 +492,8 @@ int pcibios_set_irq_routing(struct pci_d
19713 : "0" (PCIBIOS_SET_PCI_HW_INT),
19714 "b" ((dev->bus->number << 8) | dev->devfn),
19715 "c" ((irq << 8) | (pin + 10)),
19716 - "S" (&pci_indirect));
19717 + "S" (&pci_indirect),
19718 + "r" (__PCIBIOS_DS));
19719 return !(ret & 0xff00);
19720 }
19721 EXPORT_SYMBOL(pcibios_set_irq_routing);
19722 diff -urNp linux-2.6.37/arch/x86/platform/efi/efi_32.c linux-2.6.37/arch/x86/platform/efi/efi_32.c
19723 --- linux-2.6.37/arch/x86/platform/efi/efi_32.c 2011-01-04 19:50:19.000000000 -0500
19724 +++ linux-2.6.37/arch/x86/platform/efi/efi_32.c 2011-01-17 02:41:01.000000000 -0500
19725 @@ -38,70 +38,37 @@
19726 */
19727
19728 static unsigned long efi_rt_eflags;
19729 -static pgd_t efi_bak_pg_dir_pointer[2];
19730 +static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS];
19731
19732 -void efi_call_phys_prelog(void)
19733 +void __init efi_call_phys_prelog(void)
19734 {
19735 - unsigned long cr4;
19736 - unsigned long temp;
19737 struct desc_ptr gdt_descr;
19738
19739 local_irq_save(efi_rt_eflags);
19740
19741 - /*
19742 - * If I don't have PAE, I should just duplicate two entries in page
19743 - * directory. If I have PAE, I just need to duplicate one entry in
19744 - * page directory.
19745 - */
19746 - cr4 = read_cr4_safe();
19747 -
19748 - if (cr4 & X86_CR4_PAE) {
19749 - efi_bak_pg_dir_pointer[0].pgd =
19750 - swapper_pg_dir[pgd_index(0)].pgd;
19751 - swapper_pg_dir[0].pgd =
19752 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
19753 - } else {
19754 - efi_bak_pg_dir_pointer[0].pgd =
19755 - swapper_pg_dir[pgd_index(0)].pgd;
19756 - efi_bak_pg_dir_pointer[1].pgd =
19757 - swapper_pg_dir[pgd_index(0x400000)].pgd;
19758 - swapper_pg_dir[pgd_index(0)].pgd =
19759 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
19760 - temp = PAGE_OFFSET + 0x400000;
19761 - swapper_pg_dir[pgd_index(0x400000)].pgd =
19762 - swapper_pg_dir[pgd_index(temp)].pgd;
19763 - }
19764 + clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
19765 + clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
19766 + min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
19767
19768 /*
19769 * After the lock is released, the original page table is restored.
19770 */
19771 __flush_tlb_all();
19772
19773 - gdt_descr.address = __pa(get_cpu_gdt_table(0));
19774 + gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));
19775 gdt_descr.size = GDT_SIZE - 1;
19776 load_gdt(&gdt_descr);
19777 }
19778
19779 -void efi_call_phys_epilog(void)
19780 +void __init efi_call_phys_epilog(void)
19781 {
19782 - unsigned long cr4;
19783 struct desc_ptr gdt_descr;
19784
19785 - gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
19786 + gdt_descr.address = get_cpu_gdt_table(0);
19787 gdt_descr.size = GDT_SIZE - 1;
19788 load_gdt(&gdt_descr);
19789
19790 - cr4 = read_cr4_safe();
19791 -
19792 - if (cr4 & X86_CR4_PAE) {
19793 - swapper_pg_dir[pgd_index(0)].pgd =
19794 - efi_bak_pg_dir_pointer[0].pgd;
19795 - } else {
19796 - swapper_pg_dir[pgd_index(0)].pgd =
19797 - efi_bak_pg_dir_pointer[0].pgd;
19798 - swapper_pg_dir[pgd_index(0x400000)].pgd =
19799 - efi_bak_pg_dir_pointer[1].pgd;
19800 - }
19801 + clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
19802
19803 /*
19804 * After the lock is released, the original page table is restored.
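Review bot: `efi_call_phys_prelog`/`efi_call_phys_epilog` become `__init` and `efi_bak_pg_dir_pointer` `__initdata`, so all three are discarded once initmem is freed; that is only safe if every caller is init-only, which this hunk cannot show (presumably the phys_efi_* wrappers in efi.c, not visible here). If any runtime path — for example a get_time hook still pointing at the physical wrapper — can reach them afterwards, it would jump into freed memory. A comment at the definition, e.g. `/* __init: callers must be init-only; this code and its backup pgd are freed with initmem */`, would state the constraint. The clone_pgd_range pair also deserves a one-line comment saying it saves swapper_pg_dir and copies its kernel-half entries into the low slots so physical addresses resolve while paging is still on, since the removed PAE/non-PAE comment was the only explanation of that trick.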
19805 diff -urNp linux-2.6.37/arch/x86/platform/efi/efi_stub_32.S linux-2.6.37/arch/x86/platform/efi/efi_stub_32.S
19806 --- linux-2.6.37/arch/x86/platform/efi/efi_stub_32.S 2011-01-04 19:50:19.000000000 -0500
19807 +++ linux-2.6.37/arch/x86/platform/efi/efi_stub_32.S 2011-01-17 02:41:01.000000000 -0500
19808 @@ -6,6 +6,7 @@
19809 */
19810
19811 #include <linux/linkage.h>
19812 +#include <linux/init.h>
19813 #include <asm/page_types.h>
19814
19815 /*
19816 @@ -20,7 +21,7 @@
19817 * service functions will comply with gcc calling convention, too.
19818 */
19819
19820 -.text
19821 +__INIT
19822 ENTRY(efi_call_phys)
19823 /*
19824 * 0. The function can only be called in Linux kernel. So CS has been
19825 @@ -36,9 +37,7 @@ ENTRY(efi_call_phys)
19826 * The mapping of lower virtual memory has been created in prelog and
19827 * epilog.
19828 */
19829 - movl $1f, %edx
19830 - subl $__PAGE_OFFSET, %edx
19831 - jmp *%edx
19832 + jmp 1f-__PAGE_OFFSET
19833 1:
19834
19835 /*
19836 @@ -47,14 +46,8 @@ ENTRY(efi_call_phys)
19837 * parameter 2, ..., param n. To make things easy, we save the return
19838 * address of efi_call_phys in a global variable.
19839 */
19840 - popl %edx
19841 - movl %edx, saved_return_addr
19842 - /* get the function pointer into ECX*/
19843 - popl %ecx
19844 - movl %ecx, efi_rt_function_ptr
19845 - movl $2f, %edx
19846 - subl $__PAGE_OFFSET, %edx
19847 - pushl %edx
19848 + popl (saved_return_addr)
19849 + popl (efi_rt_function_ptr)
19850
19851 /*
19852 * 3. Clear PG bit in %CR0.
19853 @@ -73,9 +66,8 @@ ENTRY(efi_call_phys)
19854 /*
19855 * 5. Call the physical function.
19856 */
19857 - jmp *%ecx
19858 + call *(efi_rt_function_ptr-__PAGE_OFFSET)
19859
19860 -2:
19861 /*
19862 * 6. After EFI runtime service returns, control will return to
19863 * following instruction. We'd better readjust stack pointer first.
19864 @@ -88,35 +80,28 @@ ENTRY(efi_call_phys)
19865 movl %cr0, %edx
19866 orl $0x80000000, %edx
19867 movl %edx, %cr0
19868 - jmp 1f
19869 -1:
19870 +
19871 /*
19872 * 8. Now restore the virtual mode from flat mode by
19873 * adding EIP with PAGE_OFFSET.
19874 */
19875 - movl $1f, %edx
19876 - jmp *%edx
19877 + jmp 1f+__PAGE_OFFSET
19878 1:
19879
19880 /*
19881 * 9. Balance the stack. And because EAX contain the return value,
19882 * we'd better not clobber it.
19883 */
19884 - leal efi_rt_function_ptr, %edx
19885 - movl (%edx), %ecx
19886 - pushl %ecx
19887 + pushl (efi_rt_function_ptr)
19888
19889 /*
19890 - * 10. Push the saved return address onto the stack and return.
19891 + * 10. Return to the saved return address.
19892 */
19893 - leal saved_return_addr, %edx
19894 - movl (%edx), %ecx
19895 - pushl %ecx
19896 - ret
19897 + jmpl *(saved_return_addr)
19898 ENDPROC(efi_call_phys)
19899 .previous
19900
19901 -.data
19902 +__INITDATA
19903 saved_return_addr:
19904 .long 0
19905 efi_rt_function_ptr:
19906 diff -urNp linux-2.6.37/arch/x86/power/cpu.c linux-2.6.37/arch/x86/power/cpu.c
19907 --- linux-2.6.37/arch/x86/power/cpu.c 2011-01-04 19:50:19.000000000 -0500
19908 +++ linux-2.6.37/arch/x86/power/cpu.c 2011-01-17 02:41:01.000000000 -0500
19909 @@ -130,7 +130,7 @@ static void do_fpu_end(void)
19910 static void fix_processor_context(void)
19911 {
19912 int cpu = smp_processor_id();
19913 - struct tss_struct *t = &per_cpu(init_tss, cpu);
19914 + struct tss_struct *t = init_tss + cpu;
19915
19916 set_tss_desc(cpu, t); /*
19917 * This just modifies memory; should not be
19918 @@ -140,7 +140,9 @@ static void fix_processor_context(void)
19919 */
19920
19921 #ifdef CONFIG_X86_64
19922 + pax_open_kernel();
19923 get_cpu_gdt_table(cpu)[GDT_ENTRY_TSS].type = 9;
19924 + pax_close_kernel();
19925
19926 syscall_init(); /* This sets MSR_*STAR and related */
19927 #endif
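Review bot: The `set_tss_desc(cpu, t)` call just above this hunk also writes the per-cpu GDT, yet it sits outside the pax_open_kernel()/pax_close_kernel() window added around the `.type = 9` store. Presumably set_tss_desc is taught to open the kernel itself elsewhere in this patch; if so a short comment here, `/* set_tss_desc() opens the kernel itself; only the raw type fix-up needs it here */`, records that, and if not, the window should be widened to cover both writes. fix_processor_context starts outside this hunk.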
19928 diff -urNp linux-2.6.37/arch/x86/vdso/Makefile linux-2.6.37/arch/x86/vdso/Makefile
19929 --- linux-2.6.37/arch/x86/vdso/Makefile 2011-01-04 19:50:19.000000000 -0500
19930 +++ linux-2.6.37/arch/x86/vdso/Makefile 2011-01-17 02:41:01.000000000 -0500
19931 @@ -123,7 +123,7 @@ quiet_cmd_vdso = VDSO $@
19932 -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^) && \
19933 sh $(srctree)/$(src)/checkundef.sh '$(NM)' '$@'
19934
19935 -VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
19936 +VDSO_LDFLAGS = -fPIC -shared --no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
19937 GCOV_PROFILE := n
19938
19939 #
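Review bot: `--no-undefined` is placed on the compiler driver's command line bare, while the hash-style option on the same line is wrapped as `-Wl$(comma)--hash-style=sysv`; the bare form relies on the driver forwarding an option it does not itself recognise to ld. Writing it as `-Wl,--no-undefined` makes the intent explicit and matches the existing form (`$(comma)` is only needed inside the `$(call …)` argument, not in a plain assignment).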
19940 diff -urNp linux-2.6.37/arch/x86/vdso/vclock_gettime.c linux-2.6.37/arch/x86/vdso/vclock_gettime.c
19941 --- linux-2.6.37/arch/x86/vdso/vclock_gettime.c 2011-01-04 19:50:19.000000000 -0500
19942 +++ linux-2.6.37/arch/x86/vdso/vclock_gettime.c 2011-01-17 02:41:01.000000000 -0500
19943 @@ -22,24 +22,48 @@
19944 #include <asm/hpet.h>
19945 #include <asm/unistd.h>
19946 #include <asm/io.h>
19947 +#include <asm/fixmap.h>
19948 #include "vextern.h"
19949
19950 #define gtod vdso_vsyscall_gtod_data
19951
19952 +notrace noinline long __vdso_fallback_time(long *t)
19953 +{
19954 + long secs;
19955 + asm volatile("syscall"
19956 + : "=a" (secs)
19957 + : "0" (__NR_time),"D" (t) : "r11", "cx", "memory");
19958 + return secs;
19959 +}
19960 +
19961 notrace static long vdso_fallback_gettime(long clock, struct timespec *ts)
19962 {
19963 long ret;
19964 asm("syscall" : "=a" (ret) :
19965 - "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "memory");
19966 + "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "r11", "cx", "memory");
19967 return ret;
19968 }
19969
19970 +notrace static inline cycle_t __vdso_vread_hpet(void)
19971 +{
19972 + return readl((const void __iomem *)fix_to_virt(VSYSCALL_HPET) + 0xf0);
19973 +}
19974 +
19975 +notrace static inline cycle_t __vdso_vread_tsc(void)
19976 +{
19977 + cycle_t ret = (cycle_t)vget_cycles();
19978 +
19979 + return ret >= gtod->clock.cycle_last ? ret : gtod->clock.cycle_last;
19980 +}
19981 +
19982 notrace static inline long vgetns(void)
19983 {
19984 long v;
19985 - cycles_t (*vread)(void);
19986 - vread = gtod->clock.vread;
19987 - v = (vread() - gtod->clock.cycle_last) & gtod->clock.mask;
19988 + if (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3])
19989 + v = __vdso_vread_tsc();
19990 + else
19991 + v = __vdso_vread_hpet();
19992 + v = (v - gtod->clock.cycle_last) & gtod->clock.mask;
19993 return (v * gtod->clock.mult) >> gtod->clock.shift;
19994 }
19995
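Review bot: `__vdso_vread_hpet` reads the main counter through a bare `+ 0xf0`, although asm/hpet.h is included and defines `HPET_COUNTER` for exactly this register; use the name. The byte-wise comparison of `gtod->clock.name` against "tsc" is also written out inline here and again (together with the "hpet" variant) in `__vdso_clock_gettime` and `__vdso_gettimeofday` in the following hunks; two small `static inline` predicates would keep the three copies in step and make vgetns's else-branch assumption explicit (anything the callers admit that is not tsc is hpet). The added `"r11", "cx"` clobbers on the syscall asm are a genuine fix — the syscall instruction overwrites both — and need no change.
```c
/* … unchanged: __vdso_fallback_time, vdso_fallback_gettime … */

/* The vDSO cannot call strcmp(); the clocksource name is compared in place.
 * Callers only take the fast path for "tsc" or "hpet". */
notrace static inline int __vdso_clock_is_tsc(void)
{
	return gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' &&
	       gtod->clock.name[2] == 'c' && !gtod->clock.name[3];
}

notrace static inline int __vdso_clock_is_hpet(void)
{
	return gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' &&
	       gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' &&
	       !gtod->clock.name[4];
}

notrace static inline cycle_t __vdso_vread_hpet(void)
{
	/* HPET main counter register, named rather than a bare offset */
	return readl((const void __iomem *)fix_to_virt(VSYSCALL_HPET) + HPET_COUNTER);
}

/* … unchanged: __vdso_vread_tsc … */

notrace static inline long vgetns(void)
{
	long v;
	/* not tsc implies hpet: the callers gate on exactly those two names */
	if (__vdso_clock_is_tsc())
		v = __vdso_vread_tsc();
	else
		v = __vdso_vread_hpet();
	v = (v - gtod->clock.cycle_last) & gtod->clock.mask;
	return (v * gtod->clock.mult) >> gtod->clock.shift;
}
```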
19996 @@ -113,7 +137,9 @@ notrace static noinline int do_monotonic
19997
19998 notrace int __vdso_clock_gettime(clockid_t clock, struct timespec *ts)
19999 {
20000 - if (likely(gtod->sysctl_enabled))
20001 + if (likely(gtod->sysctl_enabled &&
20002 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
20003 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
20004 switch (clock) {
20005 case CLOCK_REALTIME:
20006 if (likely(gtod->clock.vread))
20007 @@ -133,10 +159,20 @@ notrace int __vdso_clock_gettime(clockid
20008 int clock_gettime(clockid_t, struct timespec *)
20009 __attribute__((weak, alias("__vdso_clock_gettime")));
20010
20011 -notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
20012 +notrace noinline int __vdso_fallback_gettimeofday(struct timeval *tv, struct timezone *tz)
20013 {
20014 long ret;
20015 - if (likely(gtod->sysctl_enabled && gtod->clock.vread)) {
20016 + asm("syscall" : "=a" (ret) :
20017 + "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "r11", "cx", "memory");
20018 + return ret;
20019 +}
20020 +
20021 +notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
20022 +{
20023 + if (likely(gtod->sysctl_enabled &&
20024 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
20025 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
20026 + {
20027 if (likely(tv != NULL)) {
20028 BUILD_BUG_ON(offsetof(struct timeval, tv_usec) !=
20029 offsetof(struct timespec, tv_nsec) ||
20030 @@ -151,9 +187,7 @@ notrace int __vdso_gettimeofday(struct t
20031 }
20032 return 0;
20033 }
20034 - asm("syscall" : "=a" (ret) :
20035 - "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "memory");
20036 - return ret;
20037 + return __vdso_fallback_gettimeofday(tv, tz);
20038 }
20039 int gettimeofday(struct timeval *, struct timezone *)
20040 __attribute__((weak, alias("__vdso_gettimeofday")));
20041 diff -urNp linux-2.6.37/arch/x86/vdso/vdso32-setup.c linux-2.6.37/arch/x86/vdso/vdso32-setup.c
20042 --- linux-2.6.37/arch/x86/vdso/vdso32-setup.c 2011-01-04 19:50:19.000000000 -0500
20043 +++ linux-2.6.37/arch/x86/vdso/vdso32-setup.c 2011-01-17 02:41:01.000000000 -0500
20044 @@ -25,6 +25,7 @@
20045 #include <asm/tlbflush.h>
20046 #include <asm/vdso.h>
20047 #include <asm/proto.h>
20048 +#include <asm/mman.h>
20049
20050 enum {
20051 VDSO_DISABLED = 0,
20052 @@ -226,7 +227,7 @@ static inline void map_compat_vdso(int m
20053 void enable_sep_cpu(void)
20054 {
20055 int cpu = get_cpu();
20056 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
20057 + struct tss_struct *tss = init_tss + cpu;
20058
20059 if (!boot_cpu_has(X86_FEATURE_SEP)) {
20060 put_cpu();
20061 @@ -249,7 +250,7 @@ static int __init gate_vma_init(void)
20062 gate_vma.vm_start = FIXADDR_USER_START;
20063 gate_vma.vm_end = FIXADDR_USER_END;
20064 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
20065 - gate_vma.vm_page_prot = __P101;
20066 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
20067 /*
20068 * Make sure the vDSO gets into every core dump.
20069 * Dumping its contents makes post-mortem fully interpretable later
20070 @@ -331,14 +332,14 @@ int arch_setup_additional_pages(struct l
20071 if (compat)
20072 addr = VDSO_HIGH_BASE;
20073 else {
20074 - addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
20075 + addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
20076 if (IS_ERR_VALUE(addr)) {
20077 ret = addr;
20078 goto up_fail;
20079 }
20080 }
20081
20082 - current->mm->context.vdso = (void *)addr;
20083 + current->mm->context.vdso = addr;
20084
20085 if (compat_uses_vma || !compat) {
20086 /*
20087 @@ -361,11 +362,11 @@ int arch_setup_additional_pages(struct l
20088 }
20089
20090 current_thread_info()->sysenter_return =
20091 - VDSO32_SYMBOL(addr, SYSENTER_RETURN);
20092 + (__force void __user *)VDSO32_SYMBOL(addr, SYSENTER_RETURN);
20093
20094 up_fail:
20095 if (ret)
20096 - current->mm->context.vdso = NULL;
20097 + current->mm->context.vdso = 0;
20098
20099 up_write(&mm->mmap_sem);
20100
20101 @@ -412,8 +413,14 @@ __initcall(ia32_binfmt_init);
20102
20103 const char *arch_vma_name(struct vm_area_struct *vma)
20104 {
20105 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
20106 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
20107 return "[vdso]";
20108 +
20109 +#ifdef CONFIG_PAX_SEGMEXEC
20110 + if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
20111 + return "[vdso]";
20112 +#endif
20113 +
20114 return NULL;
20115 }
20116
20117 @@ -422,7 +429,7 @@ struct vm_area_struct *get_gate_vma(stru
20118 struct mm_struct *mm = tsk->mm;
20119
20120 /* Check to see if this task was created in compat vdso mode */
20121 - if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
20122 + if (mm && mm->context.vdso == VDSO_HIGH_BASE)
20123 return &gate_vma;
20124 return NULL;
20125 }
20126 diff -urNp linux-2.6.37/arch/x86/vdso/vdso.lds.S linux-2.6.37/arch/x86/vdso/vdso.lds.S
20127 --- linux-2.6.37/arch/x86/vdso/vdso.lds.S 2011-01-04 19:50:19.000000000 -0500
20128 +++ linux-2.6.37/arch/x86/vdso/vdso.lds.S 2011-01-17 02:41:01.000000000 -0500
20129 @@ -35,3 +35,9 @@ VDSO64_PRELINK = VDSO_PRELINK;
20130 #define VEXTERN(x) VDSO64_ ## x = vdso_ ## x;
20131 #include "vextern.h"
20132 #undef VEXTERN
20133 +
20134 +#define VEXTERN(x) VDSO64_ ## x = __vdso_ ## x;
20135 +VEXTERN(fallback_gettimeofday)
20136 +VEXTERN(fallback_time)
20137 +VEXTERN(getcpu)
20138 +#undef VEXTERN
20139 diff -urNp linux-2.6.37/arch/x86/vdso/vextern.h linux-2.6.37/arch/x86/vdso/vextern.h
20140 --- linux-2.6.37/arch/x86/vdso/vextern.h 2011-01-04 19:50:19.000000000 -0500
20141 +++ linux-2.6.37/arch/x86/vdso/vextern.h 2011-01-17 02:41:01.000000000 -0500
20142 @@ -11,6 +11,5 @@
20143 put into vextern.h and be referenced as a pointer with vdso prefix.
20144 The main kernel later fills in the values. */
20145
20146 -VEXTERN(jiffies)
20147 VEXTERN(vgetcpu_mode)
20148 VEXTERN(vsyscall_gtod_data)
20149 diff -urNp linux-2.6.37/arch/x86/vdso/vma.c linux-2.6.37/arch/x86/vdso/vma.c
20150 --- linux-2.6.37/arch/x86/vdso/vma.c 2011-01-04 19:50:19.000000000 -0500
20151 +++ linux-2.6.37/arch/x86/vdso/vma.c 2011-01-17 02:41:01.000000000 -0500
20152 @@ -58,7 +58,7 @@ static int __init init_vdso_vars(void)
20153 if (!vbase)
20154 goto oom;
20155
20156 - if (memcmp(vbase, "\177ELF", 4)) {
20157 + if (memcmp(vbase, ELFMAG, SELFMAG)) {
20158 printk("VDSO: I'm broken; not ELF\n");
20159 vdso_enabled = 0;
20160 }
20161 @@ -118,7 +118,7 @@ int arch_setup_additional_pages(struct l
20162 goto up_fail;
20163 }
20164
20165 - current->mm->context.vdso = (void *)addr;
20166 + current->mm->context.vdso = addr;
20167
20168 ret = install_special_mapping(mm, addr, vdso_size,
20169 VM_READ|VM_EXEC|
20170 @@ -126,7 +126,7 @@ int arch_setup_additional_pages(struct l
20171 VM_ALWAYSDUMP,
20172 vdso_pages);
20173 if (ret) {
20174 - current->mm->context.vdso = NULL;
20175 + current->mm->context.vdso = 0;
20176 goto up_fail;
20177 }
20178
20179 @@ -134,10 +134,3 @@ up_fail:
20180 up_write(&mm->mmap_sem);
20181 return ret;
20182 }
20183 -
20184 -static __init int vdso_setup(char *s)
20185 -{
20186 - vdso_enabled = simple_strtoul(s, NULL, 0);
20187 - return 0;
20188 -}
20189 -__setup("vdso=", vdso_setup);
20190 diff -urNp linux-2.6.37/arch/x86/xen/enlighten.c linux-2.6.37/arch/x86/xen/enlighten.c
20191 --- linux-2.6.37/arch/x86/xen/enlighten.c 2011-01-04 19:50:19.000000000 -0500
20192 +++ linux-2.6.37/arch/x86/xen/enlighten.c 2011-01-17 02:41:01.000000000 -0500
20193 @@ -85,8 +85,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
20194
20195 struct shared_info xen_dummy_shared_info;
20196
20197 -void *xen_initial_gdt;
20198 -
20199 RESERVE_BRK(shared_info_page_brk, PAGE_SIZE);
20200 __read_mostly int xen_have_vector_callback;
20201 EXPORT_SYMBOL_GPL(xen_have_vector_callback);
20202 @@ -574,7 +572,7 @@ static void xen_write_idt_entry(gate_des
20203
20204 preempt_disable();
20205
20206 - start = __get_cpu_var(idt_desc).address;
20207 + start = (unsigned long)__get_cpu_var(idt_desc).address;
20208 end = start + __get_cpu_var(idt_desc).size + 1;
20209
20210 xen_mc_flush();
20211 @@ -1134,7 +1132,17 @@ asmlinkage void __init xen_start_kernel(
20212 __userpte_alloc_gfp &= ~__GFP_HIGHMEM;
20213
20214 /* Work out if we support NX */
20215 - x86_configure_nx();
20216 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
20217 + if ((cpuid_eax(0x80000000) & 0xffff0000) == 0x80000000 &&
20218 + (cpuid_edx(0x80000001) & (1U << (X86_FEATURE_NX & 31)))) {
20219 + unsigned l, h;
20220 +
20221 + __supported_pte_mask |= _PAGE_NX;
20222 + rdmsr(MSR_EFER, l, h);
20223 + l |= EFER_NX;
20224 + wrmsr(MSR_EFER, l, h);
20225 + }
20226 +#endif
20227
20228 xen_setup_features();
20229
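Review bot: This replaces `x86_configure_nx()` with a raw CPUID probe plus `rdmsr`/`wrmsr` of MSR_EFER without saying why the generic helper is unsuitable here or what the MSR write achieves from a PV guest, where MSR access should go through the paravirt hooks and the hypervisor decides whether EFER.NX takes effect. The sequence looks like a copy of the early NX enable from the native boot path (inferred; that code is not in this hunk), which invites divergence. A comment above the `#if` giving the actual reason (constructed example: `/* set _PAGE_NX and EFER.NX here because x86_configure_nx() cannot be used at this point under Xen: … */`) should be added, and sharing one helper with the native code would be preferable to a second copy. xen_start_kernel starts and ends outside this hunk.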
20230 @@ -1165,13 +1173,6 @@ asmlinkage void __init xen_start_kernel(
20231
20232 machine_ops = xen_machine_ops;
20233
20234 - /*
20235 - * The only reliable way to retain the initial address of the
20236 - * percpu gdt_page is to remember it here, so we can go and
20237 - * mark it RW later, when the initial percpu area is freed.
20238 - */
20239 - xen_initial_gdt = &per_cpu(gdt_page, 0);
20240 -
20241 xen_smp_init();
20242
20243 pgd = (pgd_t *)xen_start_info->pt_base;
20244 diff -urNp linux-2.6.37/arch/x86/xen/mmu.c linux-2.6.37/arch/x86/xen/mmu.c
20245 --- linux-2.6.37/arch/x86/xen/mmu.c 2011-01-04 19:50:19.000000000 -0500
20246 +++ linux-2.6.37/arch/x86/xen/mmu.c 2011-01-17 02:41:01.000000000 -0500
20247 @@ -2084,6 +2084,8 @@ __init pgd_t *xen_setup_kernel_pagetable
20248 convert_pfn_mfn(init_level4_pgt);
20249 convert_pfn_mfn(level3_ident_pgt);
20250 convert_pfn_mfn(level3_kernel_pgt);
20251 + convert_pfn_mfn(level3_vmalloc_pgt);
20252 + convert_pfn_mfn(level3_vmemmap_pgt);
20253
20254 l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd);
20255 l2 = m2v(l3[pud_index(__START_KERNEL_map)].pud);
20256 @@ -2102,7 +2104,10 @@ __init pgd_t *xen_setup_kernel_pagetable
20257 set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
20258 set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
20259 set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
20260 + set_page_prot(level3_vmalloc_pgt, PAGE_KERNEL_RO);
20261 + set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
20262 set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
20263 + set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
20264 set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
20265 set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
20266
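Review bot: `level2_vmemmap_pgt` is made read-only here but, unlike the two new level3 tables in the previous hunk, it is not passed through `convert_pfn_mfn()`; if its entries are pre-built in head_64.S (outside this hunk) they would still be pfn-based when Xen validates the page, whereas a zero-filled table needs no conversion. A comment next to the `set_page_prot(level2_vmemmap_pgt, …)` line stating which case applies, e.g. `/* level2_vmemmap_pgt has no pre-built entries, so no pfn->mfn conversion is needed */` if that is so, would resolve the asymmetry. xen_setup_kernel_pagetable starts and ends outside this hunk.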
20267 diff -urNp linux-2.6.37/arch/x86/xen/pci-swiotlb-xen.c linux-2.6.37/arch/x86/xen/pci-swiotlb-xen.c
20268 --- linux-2.6.37/arch/x86/xen/pci-swiotlb-xen.c 2011-01-04 19:50:19.000000000 -0500
20269 +++ linux-2.6.37/arch/x86/xen/pci-swiotlb-xen.c 2011-01-17 02:41:01.000000000 -0500
20270 @@ -10,7 +10,7 @@
20271
20272 int xen_swiotlb __read_mostly;
20273
20274 -static struct dma_map_ops xen_swiotlb_dma_ops = {
20275 +static const struct dma_map_ops xen_swiotlb_dma_ops = {
20276 .mapping_error = xen_swiotlb_dma_mapping_error,
20277 .alloc_coherent = xen_swiotlb_alloc_coherent,
20278 .free_coherent = xen_swiotlb_free_coherent,
20279 diff -urNp linux-2.6.37/arch/x86/xen/smp.c linux-2.6.37/arch/x86/xen/smp.c
20280 --- linux-2.6.37/arch/x86/xen/smp.c 2011-01-04 19:50:19.000000000 -0500
20281 +++ linux-2.6.37/arch/x86/xen/smp.c 2011-01-17 02:41:01.000000000 -0500
20282 @@ -194,11 +194,6 @@ static void __init xen_smp_prepare_boot_
20283 {
20284 BUG_ON(smp_processor_id() != 0);
20285 native_smp_prepare_boot_cpu();
20286 -
20287 - /* We've switched to the "real" per-cpu gdt, so make sure the
20288 - old memory can be recycled */
20289 - make_lowmem_page_readwrite(xen_initial_gdt);
20290 -
20291 xen_filter_cpu_maps();
20292 xen_setup_vcpu_info_placement();
20293 }
20294 @@ -259,12 +254,12 @@ cpu_initialize_context(unsigned int cpu,
20295 gdt = get_cpu_gdt_table(cpu);
20296
20297 ctxt->flags = VGCF_IN_KERNEL;
20298 - ctxt->user_regs.ds = __USER_DS;
20299 - ctxt->user_regs.es = __USER_DS;
20300 + ctxt->user_regs.ds = __KERNEL_DS;
20301 + ctxt->user_regs.es = __KERNEL_DS;
20302 ctxt->user_regs.ss = __KERNEL_DS;
20303 #ifdef CONFIG_X86_32
20304 ctxt->user_regs.fs = __KERNEL_PERCPU;
20305 - ctxt->user_regs.gs = __KERNEL_STACK_CANARY;
20306 + savesegment(gs, ctxt->user_regs.gs);
20307 #else
20308 ctxt->gs_base_kernel = per_cpu_offset(cpu);
20309 #endif
20310 diff -urNp linux-2.6.37/arch/x86/xen/xen-head.S linux-2.6.37/arch/x86/xen/xen-head.S
20311 --- linux-2.6.37/arch/x86/xen/xen-head.S 2011-01-04 19:50:19.000000000 -0500
20312 +++ linux-2.6.37/arch/x86/xen/xen-head.S 2011-01-17 02:41:01.000000000 -0500
20313 @@ -19,6 +19,17 @@ ENTRY(startup_xen)
20314 #ifdef CONFIG_X86_32
20315 mov %esi,xen_start_info
20316 mov $init_thread_union+THREAD_SIZE,%esp
20317 +#ifdef CONFIG_SMP
20318 + movl $cpu_gdt_table,%edi
20319 + movl $__per_cpu_load,%eax
20320 + movw %ax,__KERNEL_PERCPU + 2(%edi)
20321 + rorl $16,%eax
20322 + movb %al,__KERNEL_PERCPU + 4(%edi)
20323 + movb %ah,__KERNEL_PERCPU + 7(%edi)
20324 + movl $__per_cpu_end - 1,%eax
20325 + subl $__per_cpu_start,%eax
20326 + movw %ax,__KERNEL_PERCPU + 0(%edi)
20327 +#endif
20328 #else
20329 mov %rsi,xen_start_info
20330 mov $init_thread_union+THREAD_SIZE,%rsp
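Review bot: The added block rewrites the __KERNEL_PERCPU descriptor in cpu_gdt_table by hand — base[15:0] at +2, base[23:16] at +4, base[31:24] at +7 — but stores only the low 16 bits of the limit (`movw %ax,__KERNEL_PERCPU + 0(%edi)`); limit[19:16] and the granularity flag in byte 6 stay whatever the static table holds, which this hunk does not show, so the code silently assumes the per-cpu area's size fits the pre-set high nibble and granularity. This appears to duplicate the equivalent sequence in the native 32-bit head code (inferred). A comment such as `/* base = __per_cpu_load, limit = per-cpu size - 1 (low 16 bits only); byte 6 (limit[19:16], G) is left as initialised in cpu_gdt_table */`, and ideally a macro shared with the native boot path, would make the assumption checkable.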
20331 diff -urNp linux-2.6.37/arch/x86/xen/xen-ops.h linux-2.6.37/arch/x86/xen/xen-ops.h
20332 --- linux-2.6.37/arch/x86/xen/xen-ops.h 2011-01-04 19:50:19.000000000 -0500
20333 +++ linux-2.6.37/arch/x86/xen/xen-ops.h 2011-01-17 02:41:01.000000000 -0500
20334 @@ -10,8 +10,6 @@
20335 extern const char xen_hypervisor_callback[];
20336 extern const char xen_failsafe_callback[];
20337
20338 -extern void *xen_initial_gdt;
20339 -
20340 struct trap_info;
20341 void xen_copy_trap_info(struct trap_info *traps);
20342
20343 diff -urNp linux-2.6.37/block/blk-iopoll.c linux-2.6.37/block/blk-iopoll.c
20344 --- linux-2.6.37/block/blk-iopoll.c 2011-01-04 19:50:19.000000000 -0500
20345 +++ linux-2.6.37/block/blk-iopoll.c 2011-01-17 02:41:01.000000000 -0500
20346 @@ -77,7 +77,7 @@ void blk_iopoll_complete(struct blk_iopo
20347 }
20348 EXPORT_SYMBOL(blk_iopoll_complete);
20349
20350 -static void blk_iopoll_softirq(struct softirq_action *h)
20351 +static void blk_iopoll_softirq(void)
20352 {
20353 struct list_head *list = &__get_cpu_var(blk_cpu_iopoll);
20354 int rearm = 0, budget = blk_iopoll_budget;
20355 diff -urNp linux-2.6.37/block/blk-map.c linux-2.6.37/block/blk-map.c
20356 --- linux-2.6.37/block/blk-map.c 2011-01-04 19:50:19.000000000 -0500
20357 +++ linux-2.6.37/block/blk-map.c 2011-01-17 02:41:01.000000000 -0500
20358 @@ -301,7 +301,7 @@ int blk_rq_map_kern(struct request_queue
20359 if (!len || !kbuf)
20360 return -EINVAL;
20361
20362 - do_copy = !blk_rq_aligned(q, addr, len) || object_is_on_stack(kbuf);
20363 + do_copy = !blk_rq_aligned(q, addr, len) || object_starts_on_stack(kbuf);
20364 if (do_copy)
20365 bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
20366 else
20367 diff -urNp linux-2.6.37/block/blk-softirq.c linux-2.6.37/block/blk-softirq.c
20368 --- linux-2.6.37/block/blk-softirq.c 2011-01-04 19:50:19.000000000 -0500
20369 +++ linux-2.6.37/block/blk-softirq.c 2011-01-17 02:41:01.000000000 -0500
20370 @@ -17,7 +17,7 @@ static DEFINE_PER_CPU(struct list_head,
20371 * Softirq action handler - move entries to local list and loop over them
20372 * while passing them to the queue registered handler.
20373 */
20374 -static void blk_done_softirq(struct softirq_action *h)
20375 +static void blk_done_softirq(void)
20376 {
20377 struct list_head *cpu_list, local_list;
20378
20379 diff -urNp linux-2.6.37/crypto/lrw.c linux-2.6.37/crypto/lrw.c
20380 --- linux-2.6.37/crypto/lrw.c 2011-01-04 19:50:19.000000000 -0500
20381 +++ linux-2.6.37/crypto/lrw.c 2011-01-17 02:41:01.000000000 -0500
20382 @@ -60,7 +60,7 @@ static int setkey(struct crypto_tfm *par
20383 struct priv *ctx = crypto_tfm_ctx(parent);
20384 struct crypto_cipher *child = ctx->child;
20385 int err, i;
20386 - be128 tmp = { 0 };
20387 + be128 tmp = { 0, 0 };
20388 int bsize = crypto_cipher_blocksize(child);
20389
20390 crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
20391 diff -urNp linux-2.6.37/Documentation/dontdiff linux-2.6.37/Documentation/dontdiff
20392 --- linux-2.6.37/Documentation/dontdiff 2011-01-04 19:50:19.000000000 -0500
20393 +++ linux-2.6.37/Documentation/dontdiff 2011-01-17 02:41:01.000000000 -0500
20394 @@ -3,6 +3,7 @@
20395 *.bin
20396 *.cpio
20397 *.csp
20398 +*.dbg
20399 *.dsp
20400 *.dvi
20401 *.elf
20402 @@ -38,8 +39,10 @@
20403 *.tab.h
20404 *.tex
20405 *.ver
20406 +*.vim
20407 *.xml
20408 *_MODULES
20409 +*_reg_safe.h
20410 *_vga16.c
20411 *~
20412 *.9
20413 @@ -49,11 +52,16 @@
20414 53c700_d.h
20415 CVS
20416 ChangeSet
20417 +GPATH
20418 +GRTAGS
20419 +GSYMS
20420 +GTAGS
20421 Image
20422 Kerntypes
20423 Module.markers
20424 Module.symvers
20425 PENDING
20426 +PERF*
20427 SCCS
20428 System.map*
20429 TAGS
20430 @@ -62,6 +70,7 @@ aic7*reg_print.c*
20431 aic7*seq.h*
20432 aicasm
20433 aicdb.h*
20434 +altivec[0-9].c
20435 asm-offsets.h
20436 asm_offsets.h
20437 autoconf.h*
20438 @@ -76,7 +85,10 @@ btfixupprep
20439 build
20440 bvmlinux
20441 bzImage*
20442 +capflags.c
20443 classlist.h*
20444 +clut_vga16.c
20445 +common-cmds.h
20446 comp*.log
20447 compile.h*
20448 conf
20449 @@ -100,19 +112,23 @@ fore200e_mkfirm
20450 fore200e_pca_fw.c*
20451 gconf
20452 gen-devlist
20453 +gen-kdb_cmds.c
20454 gen_crc32table
20455 gen_init_cpio
20456 generated
20457 genheaders
20458 genksyms
20459 *_gray256.c
20460 +hash
20461 ihex2fw
20462 ikconfig.h*
20463 +inat-tables.c
20464 initramfs_data.cpio
20465 +initramfs_data.cpio.bz2
20466 initramfs_data.cpio.gz
20467 initramfs_list
20468 +int[0-9]*.c
20469 kallsyms
20470 -kconfig
20471 keywords.c
20472 ksym.c*
20473 ksym.h*
20474 @@ -136,10 +152,13 @@ mkboot
20475 mkbugboot
20476 mkcpustr
20477 mkdep
20478 +mkpiggy
20479 mkprep
20480 +mkregtable
20481 mktables
20482 mktree
20483 modpost
20484 +modules.builtin
20485 modules.order
20486 modversions.h*
20487 ncscope.*
20488 @@ -151,7 +170,9 @@ parse.h
20489 patches*
20490 pca200e.bin
20491 pca200e_ecd.bin2
20492 +perf-archive
20493 piggy.gz
20494 +piggy.S
20495 piggyback
20496 pnmtologo
20497 ppc_defs.h*
20498 @@ -160,15 +181,18 @@ qconf
20499 raid6altivec*.c
20500 raid6int*.c
20501 raid6tables.c
20502 +regdb.c
20503 relocs
20504 series
20505 setup
20506 setup.bin
20507 setup.elf
20508 sImage
20509 +slabinfo
20510 sm_tbl*
20511 split-include
20512 syscalltab.h
20513 +tables.c
20514 tags
20515 tftpboot.img
20516 timeconst.h
20517 @@ -189,14 +213,20 @@ version.h*
20518 vmlinux
20519 vmlinux-*
20520 vmlinux.aout
20521 +vmlinux.bin.all
20522 +vmlinux.bin.bz2
20523 vmlinux.lds
20524 +vmlinux.relocs
20525 +voffset.h
20526 vsyscall.lds
20527 vsyscall_32.lds
20528 wanxlfw.inc
20529 uImage
20530 unifdef
20531 +utsrelease.h
20532 wakeup.bin
20533 wakeup.elf
20534 wakeup.lds
20535 zImage*
20536 zconf.hash.c
20537 +zoffset.h
20538 diff -urNp linux-2.6.37/Documentation/filesystems/sysfs.txt linux-2.6.37/Documentation/filesystems/sysfs.txt
20539 --- linux-2.6.37/Documentation/filesystems/sysfs.txt 2011-01-04 19:50:19.000000000 -0500
20540 +++ linux-2.6.37/Documentation/filesystems/sysfs.txt 2011-01-17 02:41:01.000000000 -0500
20541 @@ -123,8 +123,8 @@ set of sysfs operations for forwarding r
20542 show and store methods of the attribute owners.
20543
20544 struct sysfs_ops {
20545 - ssize_t (*show)(struct kobject *, struct attribute *, char *);
20546 - ssize_t (*store)(struct kobject *, struct attribute *, const char *, size_t);
20547 + ssize_t (* const show)(struct kobject *, struct attribute *, char *);
20548 + ssize_t (* const store)(struct kobject *, struct attribute *, const char *, size_t);
20549 };
20550
20551 [ Subsystems should have already defined a struct kobj_type as a
20552 diff -urNp linux-2.6.37/Documentation/kernel-parameters.txt linux-2.6.37/Documentation/kernel-parameters.txt
20553 --- linux-2.6.37/Documentation/kernel-parameters.txt 2011-01-04 19:50:19.000000000 -0500
20554 +++ linux-2.6.37/Documentation/kernel-parameters.txt 2011-01-17 02:41:01.000000000 -0500
20555 @@ -1849,6 +1849,13 @@ and is between 256 and 4096 characters.
20556 the specified number of seconds. This is to be used if
20557 your oopses keep scrolling off the screen.
20558
20559 + pax_nouderef [X86] disables UDEREF. Most likely needed under certain
20560 + virtualization environments that don't cope well with the
20561 + expand down segment used by UDEREF on X86-32 or the frequent
20562 + page table updates on X86-64.
20563 +
20564 + pax_softmode= [X86-32] 0/1 to disable/enable PaX softmode on boot already.
20565 +
20566 pcbit= [HW,ISDN]
20567
20568 pcd. [PARIDE]
20569 diff -urNp linux-2.6.37/drivers/acpi/battery.c linux-2.6.37/drivers/acpi/battery.c
20570 --- linux-2.6.37/drivers/acpi/battery.c 2011-01-04 19:50:19.000000000 -0500
20571 +++ linux-2.6.37/drivers/acpi/battery.c 2011-01-17 02:41:01.000000000 -0500
20572 @@ -851,7 +851,7 @@ DECLARE_FILE_FUNCTIONS(alarm);
20573 }
20574
20575 static struct battery_file {
20576 - struct file_operations ops;
20577 + const struct file_operations ops;
20578 mode_t mode;
20579 const char *name;
20580 } acpi_battery_file[] = {
20581 diff -urNp linux-2.6.37/drivers/acpi/blacklist.c linux-2.6.37/drivers/acpi/blacklist.c
20582 --- linux-2.6.37/drivers/acpi/blacklist.c 2011-01-04 19:50:19.000000000 -0500
20583 +++ linux-2.6.37/drivers/acpi/blacklist.c 2011-01-17 02:41:01.000000000 -0500
20584 @@ -73,7 +73,7 @@ static struct acpi_blacklist_item acpi_b
20585 {"IBM ", "TP600E ", 0x00000105, ACPI_SIG_DSDT, less_than_or_equal,
20586 "Incorrect _ADR", 1},
20587
20588 - {""}
20589 + {"", "", 0, NULL, all_versions, NULL, 0}
20590 };
20591
20592 #if CONFIG_ACPI_BLACKLIST_YEAR
20593 diff -urNp linux-2.6.37/drivers/acpi/dock.c linux-2.6.37/drivers/acpi/dock.c
20594 --- linux-2.6.37/drivers/acpi/dock.c 2011-01-04 19:50:19.000000000 -0500
20595 +++ linux-2.6.37/drivers/acpi/dock.c 2011-01-17 02:41:01.000000000 -0500
20596 @@ -77,7 +77,7 @@ struct dock_dependent_device {
20597 struct list_head list;
20598 struct list_head hotplug_list;
20599 acpi_handle handle;
20600 - struct acpi_dock_ops *ops;
20601 + const struct acpi_dock_ops *ops;
20602 void *context;
20603 };
20604
20605 @@ -589,7 +589,7 @@ EXPORT_SYMBOL_GPL(unregister_dock_notifi
20606 * the dock driver after _DCK is executed.
20607 */
20608 int
20609 -register_hotplug_dock_device(acpi_handle handle, struct acpi_dock_ops *ops,
20610 +register_hotplug_dock_device(acpi_handle handle, const struct acpi_dock_ops *ops,
20611 void *context)
20612 {
20613 struct dock_dependent_device *dd;
20614 diff -urNp linux-2.6.37/drivers/acpi/ec_sys.c linux-2.6.37/drivers/acpi/ec_sys.c
20615 --- linux-2.6.37/drivers/acpi/ec_sys.c 2011-01-04 19:50:19.000000000 -0500
20616 +++ linux-2.6.37/drivers/acpi/ec_sys.c 2011-01-17 02:41:01.000000000 -0500
20617 @@ -96,7 +96,7 @@ static ssize_t acpi_ec_write_io(struct f
20618 return count;
20619 }
20620
20621 -static struct file_operations acpi_ec_io_ops = {
20622 +static const struct file_operations acpi_ec_io_ops = {
20623 .owner = THIS_MODULE,
20624 .open = acpi_ec_open_io,
20625 .read = acpi_ec_read_io,
20626 diff -urNp linux-2.6.37/drivers/acpi/osl.c linux-2.6.37/drivers/acpi/osl.c
20627 --- linux-2.6.37/drivers/acpi/osl.c 2011-01-04 19:50:19.000000000 -0500
20628 +++ linux-2.6.37/drivers/acpi/osl.c 2011-01-17 02:41:01.000000000 -0500
20629 @@ -643,6 +643,8 @@ acpi_os_read_memory(acpi_physical_addres
20630 rcu_read_unlock();
20631 if (!virt_addr) {
20632 virt_addr = ioremap(phys_addr, size);
20633 + if (!virt_addr)
20634 + return AE_NO_MEMORY;
20635 unmap = 1;
20636 }
20637 if (!value)
20638 @@ -679,6 +681,8 @@ acpi_os_write_memory(acpi_physical_addre
20639 rcu_read_unlock();
20640 if (!virt_addr) {
20641 virt_addr = ioremap(phys_addr, size);
20642 + if (!virt_addr)
20643 + return AE_NO_MEMORY;
20644 unmap = 1;
20645 }
20646
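Review bot: The new `if (!virt_addr) return AE_NO_MEMORY;` after ioremap() in acpi_os_write_memory (and the identical check in acpi_os_read_memory in the hunk above) reports every mapping failure as memory exhaustion, yet ioremap() also fails when the firmware-supplied physical range is simply not mappable, which is the more likely cause here; AE_BAD_ADDRESS would describe that case more accurately, so consider `return AE_BAD_ADDRESS;` after confirming which status the ACPICA callers distinguish. The early return itself is safe: rcu_read_unlock() has already run and unmap is still 0, so nothing is leaked or double-unmapped. A one-line comment such as `/* unmappable region: bail out before touching virt_addr */` would document why the bail-out sits inside the cache-miss branch. Both enclosing functions start and end outside the hunks.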
20647 diff -urNp linux-2.6.37/drivers/acpi/power_meter.c linux-2.6.37/drivers/acpi/power_meter.c
20648 --- linux-2.6.37/drivers/acpi/power_meter.c 2011-01-04 19:50:19.000000000 -0500
20649 +++ linux-2.6.37/drivers/acpi/power_meter.c 2011-01-17 02:41:01.000000000 -0500
20650 @@ -316,8 +316,6 @@ static ssize_t set_trip(struct device *d
20651 return res;
20652
20653 temp /= 1000;
20654 - if (temp < 0)
20655 - return -EINVAL;
20656
20657 mutex_lock(&resource->lock);
20658 resource->trip[attr->index - 7] = temp;
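Review bot: Dropping `if (temp < 0) return -EINVAL;` after `temp /= 1000` removes the only range check before `resource->trip[attr->index - 7] = temp;`; presumably the test was dead because temp is unsigned (its declaration is outside the hunk), but if trip[] is a signed int field a user-supplied value above INT_MAX still wraps to a negative trip point, which is exactly what the original check was meant to reject. Replace the dead test with a bound that can fire, e.g. `if (temp > INT_MAX) return -EINVAL;`, or clamp to whatever upper limit is meaningful for the meter. set_trip() starts outside the hunk.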
20659 diff -urNp linux-2.6.37/drivers/acpi/proc.c linux-2.6.37/drivers/acpi/proc.c
20660 --- linux-2.6.37/drivers/acpi/proc.c 2011-01-04 19:50:19.000000000 -0500
20661 +++ linux-2.6.37/drivers/acpi/proc.c 2011-01-17 02:41:01.000000000 -0500
20662 @@ -338,20 +338,15 @@ acpi_system_write_wakeup_device(struct f
20663 size_t count, loff_t * ppos)
20664 {
20665 struct list_head *node, *next;
20666 - char strbuf[5];
20667 - char str[5] = "";
20668 - unsigned int len = count;
20669 + char strbuf[5] = {0};
20670 struct acpi_device *found_dev = NULL;
20671
20672 - if (len > 4)
20673 - len = 4;
20674 - if (len < 0)
20675 - return -EFAULT;
20676 + if (count > 4)
20677 + count = 4;
20678
20679 - if (copy_from_user(strbuf, buffer, len))
20680 + if (copy_from_user(strbuf, buffer, count))
20681 return -EFAULT;
20682 - strbuf[len] = '\0';
20683 - sscanf(strbuf, "%s", str);
20684 + strbuf[count] = '\0';
20685
20686 mutex_lock(&acpi_device_lock);
20687 list_for_each_safe(node, next, &acpi_wakeup_device_list) {
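Review bot: Removing the `sscanf(strbuf, "%s", str)` step changes which user input matches: the old code stopped str at the first whitespace, so `echo LID > wakeup` compared "LID" against the bus id, whereas the new code keeps the trailing newline in strbuf and the `strncmp(dev->pnp.bus_id, strbuf, 4)` in the next hunk now fails for any bus id shorter than four characters. The rewrite is otherwise an improvement (one buffer, an explicit clamp, and the dead `len < 0` test on an unsigned gone), so keep it but strip the terminator after `strbuf[count] = '\0';`, e.g. `strbuf[strcspn(strbuf, " \t\n")] = '\0';`. acpi_system_write_wakeup_device() starts before the hunk.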
20688 @@ -360,7 +355,7 @@ acpi_system_write_wakeup_device(struct f
20689 if (!dev->wakeup.flags.valid)
20690 continue;
20691
20692 - if (!strncmp(dev->pnp.bus_id, str, 4)) {
20693 + if (!strncmp(dev->pnp.bus_id, strbuf, 4)) {
20694 dev->wakeup.state.enabled =
20695 dev->wakeup.state.enabled ? 0 : 1;
20696 found_dev = dev;
20697 diff -urNp linux-2.6.37/drivers/acpi/processor_driver.c linux-2.6.37/drivers/acpi/processor_driver.c
20698 --- linux-2.6.37/drivers/acpi/processor_driver.c 2011-01-04 19:50:19.000000000 -0500
20699 +++ linux-2.6.37/drivers/acpi/processor_driver.c 2011-01-17 02:41:01.000000000 -0500
20700 @@ -519,7 +519,7 @@ static int __cpuinit acpi_processor_add(
20701 return 0;
20702 #endif
20703
20704 - BUG_ON((pr->id >= nr_cpu_ids) || (pr->id < 0));
20705 + BUG_ON(pr->id >= nr_cpu_ids);
20706
20707 /*
20708 * Buggy BIOS check
20709 diff -urNp linux-2.6.37/drivers/acpi/processor_idle.c linux-2.6.37/drivers/acpi/processor_idle.c
20710 --- linux-2.6.37/drivers/acpi/processor_idle.c 2011-01-04 19:50:19.000000000 -0500
20711 +++ linux-2.6.37/drivers/acpi/processor_idle.c 2011-01-17 02:41:01.000000000 -0500
20712 @@ -114,7 +114,7 @@ static struct dmi_system_id __cpuinitdat
20713 DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK Computer Inc."),
20714 DMI_MATCH(DMI_PRODUCT_NAME,"L8400B series Notebook PC")},
20715 (void *)1},
20716 - {},
20717 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL},
20718 };
20719
20720
20721 diff -urNp linux-2.6.37/drivers/acpi/sleep.c linux-2.6.37/drivers/acpi/sleep.c
20722 --- linux-2.6.37/drivers/acpi/sleep.c 2011-01-04 19:50:19.000000000 -0500
20723 +++ linux-2.6.37/drivers/acpi/sleep.c 2011-01-17 02:41:01.000000000 -0500
20724 @@ -319,7 +319,7 @@ static int acpi_suspend_state_valid(susp
20725 }
20726 }
20727
20728 -static struct platform_suspend_ops acpi_suspend_ops = {
20729 +static const struct platform_suspend_ops acpi_suspend_ops = {
20730 .valid = acpi_suspend_state_valid,
20731 .begin = acpi_suspend_begin,
20732 .prepare_late = acpi_pm_prepare,
20733 @@ -347,7 +347,7 @@ static int acpi_suspend_begin_old(suspen
20734 * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
20735 * been requested.
20736 */
20737 -static struct platform_suspend_ops acpi_suspend_ops_old = {
20738 +static const struct platform_suspend_ops acpi_suspend_ops_old = {
20739 .valid = acpi_suspend_state_valid,
20740 .begin = acpi_suspend_begin_old,
20741 .prepare_late = acpi_pm_pre_suspend,
20742 @@ -506,7 +506,7 @@ static void acpi_pm_thaw(void)
20743 acpi_enable_all_runtime_gpes();
20744 }
20745
20746 -static struct platform_hibernation_ops acpi_hibernation_ops = {
20747 +static const struct platform_hibernation_ops acpi_hibernation_ops = {
20748 .begin = acpi_hibernation_begin,
20749 .end = acpi_pm_end,
20750 .pre_snapshot = acpi_pm_prepare,
20751 @@ -549,7 +549,7 @@ static int acpi_hibernation_begin_old(vo
20752 * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
20753 * been requested.
20754 */
20755 -static struct platform_hibernation_ops acpi_hibernation_ops_old = {
20756 +static const struct platform_hibernation_ops acpi_hibernation_ops_old = {
20757 .begin = acpi_hibernation_begin_old,
20758 .end = acpi_pm_end,
20759 .pre_snapshot = acpi_pm_pre_suspend,
20760 diff -urNp linux-2.6.37/drivers/acpi/video.c linux-2.6.37/drivers/acpi/video.c
20761 --- linux-2.6.37/drivers/acpi/video.c 2011-01-04 19:50:19.000000000 -0500
20762 +++ linux-2.6.37/drivers/acpi/video.c 2011-01-17 02:41:01.000000000 -0500
20763 @@ -260,7 +260,7 @@ static int acpi_video_set_brightness(str
20764 vd->brightness->levels[request_level]);
20765 }
20766
20767 -static struct backlight_ops acpi_backlight_ops = {
20768 +static const struct backlight_ops acpi_backlight_ops = {
20769 .get_brightness = acpi_video_get_brightness,
20770 .update_status = acpi_video_set_brightness,
20771 };
20772 diff -urNp linux-2.6.37/drivers/ata/ahci.c linux-2.6.37/drivers/ata/ahci.c
20773 --- linux-2.6.37/drivers/ata/ahci.c 2011-01-04 19:50:19.000000000 -0500
20774 +++ linux-2.6.37/drivers/ata/ahci.c 2011-01-17 02:41:01.000000000 -0500
20775 @@ -94,17 +94,17 @@ static struct scsi_host_template ahci_sh
20776 AHCI_SHT("ahci"),
20777 };
20778
20779 -static struct ata_port_operations ahci_vt8251_ops = {
20780 +static const struct ata_port_operations ahci_vt8251_ops = {
20781 .inherits = &ahci_ops,
20782 .hardreset = ahci_vt8251_hardreset,
20783 };
20784
20785 -static struct ata_port_operations ahci_p5wdh_ops = {
20786 +static const struct ata_port_operations ahci_p5wdh_ops = {
20787 .inherits = &ahci_ops,
20788 .hardreset = ahci_p5wdh_hardreset,
20789 };
20790
20791 -static struct ata_port_operations ahci_sb600_ops = {
20792 +static const struct ata_port_operations ahci_sb600_ops = {
20793 .inherits = &ahci_ops,
20794 .softreset = ahci_sb600_softreset,
20795 .pmp_softreset = ahci_sb600_softreset,
20796 @@ -388,7 +388,7 @@ static const struct pci_device_id ahci_p
20797 { PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
20798 PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci },
20799
20800 - { } /* terminate list */
20801 + { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
20802 };
20803
20804
20805 diff -urNp linux-2.6.37/drivers/ata/ahci.h linux-2.6.37/drivers/ata/ahci.h
20806 --- linux-2.6.37/drivers/ata/ahci.h 2011-01-04 19:50:19.000000000 -0500
20807 +++ linux-2.6.37/drivers/ata/ahci.h 2011-01-17 02:41:01.000000000 -0500
20808 @@ -309,7 +309,7 @@ extern struct device_attribute *ahci_sde
20809 .shost_attrs = ahci_shost_attrs, \
20810 .sdev_attrs = ahci_sdev_attrs
20811
20812 -extern struct ata_port_operations ahci_ops;
20813 +extern const struct ata_port_operations ahci_ops;
20814
20815 void ahci_save_initial_config(struct device *dev,
20816 struct ahci_host_priv *hpriv,
20817 diff -urNp linux-2.6.37/drivers/ata/ata_generic.c linux-2.6.37/drivers/ata/ata_generic.c
20818 --- linux-2.6.37/drivers/ata/ata_generic.c 2011-01-04 19:50:19.000000000 -0500
20819 +++ linux-2.6.37/drivers/ata/ata_generic.c 2011-01-17 02:41:01.000000000 -0500
20820 @@ -101,7 +101,7 @@ static struct scsi_host_template generic
20821 ATA_BMDMA_SHT(DRV_NAME),
20822 };
20823
20824 -static struct ata_port_operations generic_port_ops = {
20825 +static const struct ata_port_operations generic_port_ops = {
20826 .inherits = &ata_bmdma_port_ops,
20827 .cable_detect = ata_cable_unknown,
20828 .set_mode = generic_set_mode,
20829 diff -urNp linux-2.6.37/drivers/ata/ata_piix.c linux-2.6.37/drivers/ata/ata_piix.c
20830 --- linux-2.6.37/drivers/ata/ata_piix.c 2011-01-04 19:50:19.000000000 -0500
20831 +++ linux-2.6.37/drivers/ata/ata_piix.c 2011-01-17 02:41:01.000000000 -0500
20832 @@ -309,7 +309,7 @@ static const struct pci_device_id piix_p
20833 { 0x8086, 0x1d00, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_sata },
20834 /* SATA Controller IDE (PBG) */
20835 { 0x8086, 0x1d08, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
20836 - { } /* terminate list */
20837 + { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
20838 };
20839
20840 static struct pci_driver piix_pci_driver = {
20841 @@ -327,12 +327,12 @@ static struct scsi_host_template piix_sh
20842 ATA_BMDMA_SHT(DRV_NAME),
20843 };
20844
20845 -static struct ata_port_operations piix_sata_ops = {
20846 +static const struct ata_port_operations piix_sata_ops = {
20847 .inherits = &ata_bmdma32_port_ops,
20848 .sff_irq_check = piix_irq_check,
20849 };
20850
20851 -static struct ata_port_operations piix_pata_ops = {
20852 +static const struct ata_port_operations piix_pata_ops = {
20853 .inherits = &piix_sata_ops,
20854 .cable_detect = ata_cable_40wire,
20855 .set_piomode = piix_set_piomode,
20856 @@ -340,12 +340,12 @@ static struct ata_port_operations piix_p
20857 .prereset = piix_pata_prereset,
20858 };
20859
20860 -static struct ata_port_operations piix_vmw_ops = {
20861 +static const struct ata_port_operations piix_vmw_ops = {
20862 .inherits = &piix_pata_ops,
20863 .bmdma_status = piix_vmw_bmdma_status,
20864 };
20865
20866 -static struct ata_port_operations ich_pata_ops = {
20867 +static const struct ata_port_operations ich_pata_ops = {
20868 .inherits = &piix_pata_ops,
20869 .cable_detect = ich_pata_cable_detect,
20870 .set_dmamode = ich_set_dmamode,
20871 @@ -361,7 +361,7 @@ static struct scsi_host_template piix_si
20872 .shost_attrs = piix_sidpr_shost_attrs,
20873 };
20874
20875 -static struct ata_port_operations piix_sidpr_sata_ops = {
20876 +static const struct ata_port_operations piix_sidpr_sata_ops = {
20877 .inherits = &piix_sata_ops,
20878 .hardreset = sata_std_hardreset,
20879 .scr_read = piix_sidpr_scr_read,
20880 @@ -638,7 +638,7 @@ static const struct ich_laptop ich_lapto
20881 { 0x2653, 0x1043, 0x82D8 }, /* ICH6M on Asus Eee 701 */
20882 { 0x27df, 0x104d, 0x900e }, /* ICH7 on Sony TZ-90 */
20883 /* end marker */
20884 - { 0, }
20885 + { 0, 0, 0 }
20886 };
20887
20888 /**
20889 @@ -1130,7 +1130,7 @@ static int piix_broken_suspend(void)
20890 },
20891 },
20892
20893 - { } /* terminate list */
20894 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL } /* terminate list */
20895 };
20896 static const char *oemstrs[] = {
20897 "Tecra M3,",
20898 diff -urNp linux-2.6.37/drivers/ata/libahci.c linux-2.6.37/drivers/ata/libahci.c
20899 --- linux-2.6.37/drivers/ata/libahci.c 2011-01-04 19:50:19.000000000 -0500
20900 +++ linux-2.6.37/drivers/ata/libahci.c 2011-01-17 02:41:01.000000000 -0500
20901 @@ -140,7 +140,7 @@ struct device_attribute *ahci_sdev_attrs
20902 };
20903 EXPORT_SYMBOL_GPL(ahci_sdev_attrs);
20904
20905 -struct ata_port_operations ahci_ops = {
20906 +const struct ata_port_operations ahci_ops = {
20907 .inherits = &sata_pmp_port_ops,
20908
20909 .qc_defer = ahci_pmp_qc_defer,
20910 diff -urNp linux-2.6.37/drivers/ata/libata-acpi.c linux-2.6.37/drivers/ata/libata-acpi.c
20911 --- linux-2.6.37/drivers/ata/libata-acpi.c 2011-01-04 19:50:19.000000000 -0500
20912 +++ linux-2.6.37/drivers/ata/libata-acpi.c 2011-01-17 02:41:01.000000000 -0500
20913 @@ -218,12 +218,12 @@ static void ata_acpi_dev_uevent(acpi_han
20914 ata_acpi_uevent(dev->link->ap, dev, event);
20915 }
20916
20917 -static struct acpi_dock_ops ata_acpi_dev_dock_ops = {
20918 +static const struct acpi_dock_ops ata_acpi_dev_dock_ops = {
20919 .handler = ata_acpi_dev_notify_dock,
20920 .uevent = ata_acpi_dev_uevent,
20921 };
20922
20923 -static struct acpi_dock_ops ata_acpi_ap_dock_ops = {
20924 +static const struct acpi_dock_ops ata_acpi_ap_dock_ops = {
20925 .handler = ata_acpi_ap_notify_dock,
20926 .uevent = ata_acpi_ap_uevent,
20927 };
20928 diff -urNp linux-2.6.37/drivers/ata/libata-core.c linux-2.6.37/drivers/ata/libata-core.c
20929 --- linux-2.6.37/drivers/ata/libata-core.c 2011-01-04 19:50:19.000000000 -0500
20930 +++ linux-2.6.37/drivers/ata/libata-core.c 2011-01-17 02:41:01.000000000 -0500
20931 @@ -897,7 +897,7 @@ static const struct ata_xfer_ent {
20932 { ATA_SHIFT_PIO, ATA_NR_PIO_MODES, XFER_PIO_0 },
20933 { ATA_SHIFT_MWDMA, ATA_NR_MWDMA_MODES, XFER_MW_DMA_0 },
20934 { ATA_SHIFT_UDMA, ATA_NR_UDMA_MODES, XFER_UDMA_0 },
20935 - { -1, },
20936 + { -1, 0, 0 }
20937 };
20938
20939 /**
20940 @@ -2885,7 +2885,7 @@ static const struct ata_timing ata_timin
20941 { XFER_UDMA_5, 0, 0, 0, 0, 0, 0, 0, 0, 20 },
20942 { XFER_UDMA_6, 0, 0, 0, 0, 0, 0, 0, 0, 15 },
20943
20944 - { 0xFF }
20945 + { 0xFF, 0, 0, 0, 0, 0, 0, 0, 0 }
20946 };
20947
20948 #define ENOUGH(v, unit) (((v)-1)/(unit)+1)
20949 @@ -4140,7 +4140,7 @@ static const struct ata_blacklist_entry
20950 { "PIONEER DVD-RW DVRTD08", "1.00", ATA_HORKAGE_NOSETXFER },
20951
20952 /* End Marker */
20953 - { }
20954 + { NULL, NULL, 0 }
20955 };
20956
20957 /**
20958 @@ -4745,7 +4745,7 @@ void ata_qc_free(struct ata_queued_cmd *
20959 struct ata_port *ap;
20960 unsigned int tag;
20961
20962 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
20963 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
20964 ap = qc->ap;
20965
20966 qc->flags = 0;
20967 @@ -4761,7 +4761,7 @@ void __ata_qc_complete(struct ata_queued
20968 struct ata_port *ap;
20969 struct ata_link *link;
20970
20971 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
20972 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
20973 WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
20974 ap = qc->ap;
20975 link = qc->dev->link;
20976 @@ -5754,7 +5754,7 @@ static void ata_host_stop(struct device
20977 * LOCKING:
20978 * None.
20979 */
20980 -static void ata_finalize_port_ops(struct ata_port_operations *ops)
20981 +static void ata_finalize_port_ops(const struct ata_port_operations *ops)
20982 {
20983 static DEFINE_SPINLOCK(lock);
20984 const struct ata_port_operations *cur;
20985 @@ -5766,6 +5766,7 @@ static void ata_finalize_port_ops(struct
20986 return;
20987
20988 spin_lock(&lock);
20989 + pax_open_kernel();
20990
20991 for (cur = ops->inherits; cur; cur = cur->inherits) {
20992 void **inherit = (void **)cur;
20993 @@ -5779,8 +5780,9 @@ static void ata_finalize_port_ops(struct
20994 if (IS_ERR(*pp))
20995 *pp = NULL;
20996
20997 - ops->inherits = NULL;
20998 + ((struct ata_port_operations *)ops)->inherits = NULL;
20999
21000 + pax_close_kernel();
21001 spin_unlock(&lock);
21002 }
21003
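Review bot: Between `pax_open_kernel();` in the previous hunk and the new `pax_close_kernel();` here the kernel's read-only data is writable, so every path through the inheritance loop must reach the close; the loop body that resolves `*pp` lies outside the hunk, so confirm it contains no return, goto or BUG path that would leave the window open on this CPU. The `((struct ata_port_operations *)ops)->inherits = NULL;` cast stores into an object the compiler may treat as immutable because the parameter is now const; it is harmless here only because no earlier read of ops->inherits in this function is reused after the store, and that deserves a comment such as `/* ops lives in const data; this store is valid only while pax_open_kernel() is in effect */`. ata_finalize_port_ops() starts outside the hunk.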
21004 @@ -5877,7 +5879,7 @@ int ata_host_start(struct ata_host *host
21005 */
21006 /* KILLME - the only user left is ipr */
21007 void ata_host_init(struct ata_host *host, struct device *dev,
21008 - unsigned long flags, struct ata_port_operations *ops)
21009 + unsigned long flags, const struct ata_port_operations *ops)
21010 {
21011 spin_lock_init(&host->lock);
21012 mutex_init(&host->eh_mutex);
21013 @@ -6583,7 +6585,7 @@ static void ata_dummy_error_handler(stru
21014 /* truly dummy */
21015 }
21016
21017 -struct ata_port_operations ata_dummy_port_ops = {
21018 +const struct ata_port_operations ata_dummy_port_ops = {
21019 .qc_prep = ata_noop_qc_prep,
21020 .qc_issue = ata_dummy_qc_issue,
21021 .error_handler = ata_dummy_error_handler,
21022 diff -urNp linux-2.6.37/drivers/ata/libata-eh.c linux-2.6.37/drivers/ata/libata-eh.c
21023 --- linux-2.6.37/drivers/ata/libata-eh.c 2011-01-04 19:50:19.000000000 -0500
21024 +++ linux-2.6.37/drivers/ata/libata-eh.c 2011-01-17 02:41:01.000000000 -0500
21025 @@ -3880,7 +3880,7 @@ void ata_do_eh(struct ata_port *ap, ata_
21026 */
21027 void ata_std_error_handler(struct ata_port *ap)
21028 {
21029 - struct ata_port_operations *ops = ap->ops;
21030 + const struct ata_port_operations *ops = ap->ops;
21031 ata_reset_fn_t hardreset = ops->hardreset;
21032
21033 /* ignore built-in hardreset if SCR access is not available */
21034 diff -urNp linux-2.6.37/drivers/ata/libata-pmp.c linux-2.6.37/drivers/ata/libata-pmp.c
21035 --- linux-2.6.37/drivers/ata/libata-pmp.c 2011-01-04 19:50:19.000000000 -0500
21036 +++ linux-2.6.37/drivers/ata/libata-pmp.c 2011-01-17 02:41:01.000000000 -0500
21037 @@ -912,7 +912,7 @@ static int sata_pmp_handle_link_fail(str
21038 */
21039 static int sata_pmp_eh_recover(struct ata_port *ap)
21040 {
21041 - struct ata_port_operations *ops = ap->ops;
21042 + const struct ata_port_operations *ops = ap->ops;
21043 int pmp_tries, link_tries[SATA_PMP_MAX_PORTS];
21044 struct ata_link *pmp_link = &ap->link;
21045 struct ata_device *pmp_dev = pmp_link->device;
21046 diff -urNp linux-2.6.37/drivers/ata/pata_acpi.c linux-2.6.37/drivers/ata/pata_acpi.c
21047 --- linux-2.6.37/drivers/ata/pata_acpi.c 2011-01-04 19:50:19.000000000 -0500
21048 +++ linux-2.6.37/drivers/ata/pata_acpi.c 2011-01-17 02:41:01.000000000 -0500
21049 @@ -216,7 +216,7 @@ static struct scsi_host_template pacpi_s
21050 ATA_BMDMA_SHT(DRV_NAME),
21051 };
21052
21053 -static struct ata_port_operations pacpi_ops = {
21054 +static const struct ata_port_operations pacpi_ops = {
21055 .inherits = &ata_bmdma_port_ops,
21056 .qc_issue = pacpi_qc_issue,
21057 .cable_detect = pacpi_cable_detect,
21058 diff -urNp linux-2.6.37/drivers/ata/pata_ali.c linux-2.6.37/drivers/ata/pata_ali.c
21059 --- linux-2.6.37/drivers/ata/pata_ali.c 2011-01-04 19:50:19.000000000 -0500
21060 +++ linux-2.6.37/drivers/ata/pata_ali.c 2011-01-17 02:41:01.000000000 -0500
21061 @@ -363,7 +363,7 @@ static struct scsi_host_template ali_sht
21062 * Port operations for PIO only ALi
21063 */
21064
21065 -static struct ata_port_operations ali_early_port_ops = {
21066 +static const struct ata_port_operations ali_early_port_ops = {
21067 .inherits = &ata_sff_port_ops,
21068 .cable_detect = ata_cable_40wire,
21069 .set_piomode = ali_set_piomode,
21070 @@ -380,7 +380,7 @@ static const struct ata_port_operations
21071 * Port operations for DMA capable ALi without cable
21072 * detect
21073 */
21074 -static struct ata_port_operations ali_20_port_ops = {
21075 +static const struct ata_port_operations ali_20_port_ops = {
21076 .inherits = &ali_dma_base_ops,
21077 .cable_detect = ata_cable_40wire,
21078 .mode_filter = ali_20_filter,
21079 @@ -391,7 +391,7 @@ static struct ata_port_operations ali_20
21080 /*
21081 * Port operations for DMA capable ALi with cable detect
21082 */
21083 -static struct ata_port_operations ali_c2_port_ops = {
21084 +static const struct ata_port_operations ali_c2_port_ops = {
21085 .inherits = &ali_dma_base_ops,
21086 .check_atapi_dma = ali_check_atapi_dma,
21087 .cable_detect = ali_c2_cable_detect,
21088 @@ -402,7 +402,7 @@ static struct ata_port_operations ali_c2
21089 /*
21090 * Port operations for DMA capable ALi with cable detect
21091 */
21092 -static struct ata_port_operations ali_c4_port_ops = {
21093 +static const struct ata_port_operations ali_c4_port_ops = {
21094 .inherits = &ali_dma_base_ops,
21095 .check_atapi_dma = ali_check_atapi_dma,
21096 .cable_detect = ali_c2_cable_detect,
21097 @@ -412,7 +412,7 @@ static struct ata_port_operations ali_c4
21098 /*
21099 * Port operations for DMA capable ALi with cable detect and LBA48
21100 */
21101 -static struct ata_port_operations ali_c5_port_ops = {
21102 +static const struct ata_port_operations ali_c5_port_ops = {
21103 .inherits = &ali_dma_base_ops,
21104 .check_atapi_dma = ali_check_atapi_dma,
21105 .dev_config = ali_warn_atapi_dma,
21106 diff -urNp linux-2.6.37/drivers/ata/pata_amd.c linux-2.6.37/drivers/ata/pata_amd.c
21107 --- linux-2.6.37/drivers/ata/pata_amd.c 2011-01-04 19:50:19.000000000 -0500
21108 +++ linux-2.6.37/drivers/ata/pata_amd.c 2011-01-17 02:41:01.000000000 -0500
21109 @@ -397,28 +397,28 @@ static const struct ata_port_operations
21110 .prereset = amd_pre_reset,
21111 };
21112
21113 -static struct ata_port_operations amd33_port_ops = {
21114 +static const struct ata_port_operations amd33_port_ops = {
21115 .inherits = &amd_base_port_ops,
21116 .cable_detect = ata_cable_40wire,
21117 .set_piomode = amd33_set_piomode,
21118 .set_dmamode = amd33_set_dmamode,
21119 };
21120
21121 -static struct ata_port_operations amd66_port_ops = {
21122 +static const struct ata_port_operations amd66_port_ops = {
21123 .inherits = &amd_base_port_ops,
21124 .cable_detect = ata_cable_unknown,
21125 .set_piomode = amd66_set_piomode,
21126 .set_dmamode = amd66_set_dmamode,
21127 };
21128
21129 -static struct ata_port_operations amd100_port_ops = {
21130 +static const struct ata_port_operations amd100_port_ops = {
21131 .inherits = &amd_base_port_ops,
21132 .cable_detect = ata_cable_unknown,
21133 .set_piomode = amd100_set_piomode,
21134 .set_dmamode = amd100_set_dmamode,
21135 };
21136
21137 -static struct ata_port_operations amd133_port_ops = {
21138 +static const struct ata_port_operations amd133_port_ops = {
21139 .inherits = &amd_base_port_ops,
21140 .cable_detect = amd_cable_detect,
21141 .set_piomode = amd133_set_piomode,
21142 @@ -433,13 +433,13 @@ static const struct ata_port_operations
21143 .host_stop = nv_host_stop,
21144 };
21145
21146 -static struct ata_port_operations nv100_port_ops = {
21147 +static const struct ata_port_operations nv100_port_ops = {
21148 .inherits = &nv_base_port_ops,
21149 .set_piomode = nv100_set_piomode,
21150 .set_dmamode = nv100_set_dmamode,
21151 };
21152
21153 -static struct ata_port_operations nv133_port_ops = {
21154 +static const struct ata_port_operations nv133_port_ops = {
21155 .inherits = &nv_base_port_ops,
21156 .set_piomode = nv133_set_piomode,
21157 .set_dmamode = nv133_set_dmamode,
21158 diff -urNp linux-2.6.37/drivers/ata/pata_artop.c linux-2.6.37/drivers/ata/pata_artop.c
21159 --- linux-2.6.37/drivers/ata/pata_artop.c 2011-01-04 19:50:19.000000000 -0500
21160 +++ linux-2.6.37/drivers/ata/pata_artop.c 2011-01-17 02:41:01.000000000 -0500
21161 @@ -312,7 +312,7 @@ static struct scsi_host_template artop_s
21162 ATA_BMDMA_SHT(DRV_NAME),
21163 };
21164
21165 -static struct ata_port_operations artop6210_ops = {
21166 +static const struct ata_port_operations artop6210_ops = {
21167 .inherits = &ata_bmdma_port_ops,
21168 .cable_detect = ata_cable_40wire,
21169 .set_piomode = artop6210_set_piomode,
21170 @@ -321,7 +321,7 @@ static struct ata_port_operations artop6
21171 .qc_defer = artop6210_qc_defer,
21172 };
21173
21174 -static struct ata_port_operations artop6260_ops = {
21175 +static const struct ata_port_operations artop6260_ops = {
21176 .inherits = &ata_bmdma_port_ops,
21177 .cable_detect = artop6260_cable_detect,
21178 .set_piomode = artop6260_set_piomode,
21179 diff -urNp linux-2.6.37/drivers/ata/pata_at32.c linux-2.6.37/drivers/ata/pata_at32.c
21180 --- linux-2.6.37/drivers/ata/pata_at32.c 2011-01-04 19:50:19.000000000 -0500
21181 +++ linux-2.6.37/drivers/ata/pata_at32.c 2011-01-17 02:41:01.000000000 -0500
21182 @@ -173,7 +173,7 @@ static struct scsi_host_template at32_sh
21183 ATA_PIO_SHT(DRV_NAME),
21184 };
21185
21186 -static struct ata_port_operations at32_port_ops = {
21187 +static const struct ata_port_operations at32_port_ops = {
21188 .inherits = &ata_sff_port_ops,
21189 .cable_detect = ata_cable_40wire,
21190 .set_piomode = pata_at32_set_piomode,
21191 diff -urNp linux-2.6.37/drivers/ata/pata_at91.c linux-2.6.37/drivers/ata/pata_at91.c
21192 --- linux-2.6.37/drivers/ata/pata_at91.c 2011-01-04 19:50:19.000000000 -0500
21193 +++ linux-2.6.37/drivers/ata/pata_at91.c 2011-01-17 02:41:01.000000000 -0500
21194 @@ -196,7 +196,7 @@ static struct scsi_host_template pata_at
21195 ATA_PIO_SHT(DRV_NAME),
21196 };
21197
21198 -static struct ata_port_operations pata_at91_port_ops = {
21199 +static const struct ata_port_operations pata_at91_port_ops = {
21200 .inherits = &ata_sff_port_ops,
21201
21202 .sff_data_xfer = pata_at91_data_xfer_noirq,
21203 diff -urNp linux-2.6.37/drivers/ata/pata_atiixp.c linux-2.6.37/drivers/ata/pata_atiixp.c
21204 --- linux-2.6.37/drivers/ata/pata_atiixp.c 2011-01-04 19:50:19.000000000 -0500
21205 +++ linux-2.6.37/drivers/ata/pata_atiixp.c 2011-01-17 02:41:01.000000000 -0500
21206 @@ -214,7 +214,7 @@ static struct scsi_host_template atiixp_
21207 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
21208 };
21209
21210 -static struct ata_port_operations atiixp_port_ops = {
21211 +static const struct ata_port_operations atiixp_port_ops = {
21212 .inherits = &ata_bmdma_port_ops,
21213
21214 .qc_prep = ata_bmdma_dumb_qc_prep,
21215 diff -urNp linux-2.6.37/drivers/ata/pata_atp867x.c linux-2.6.37/drivers/ata/pata_atp867x.c
21216 --- linux-2.6.37/drivers/ata/pata_atp867x.c 2011-01-04 19:50:19.000000000 -0500
21217 +++ linux-2.6.37/drivers/ata/pata_atp867x.c 2011-01-17 02:41:01.000000000 -0500
21218 @@ -275,7 +275,7 @@ static struct scsi_host_template atp867x
21219 ATA_BMDMA_SHT(DRV_NAME),
21220 };
21221
21222 -static struct ata_port_operations atp867x_ops = {
21223 +static const struct ata_port_operations atp867x_ops = {
21224 .inherits = &ata_bmdma_port_ops,
21225 .cable_detect = atp867x_cable_detect,
21226 .set_piomode = atp867x_set_piomode,
21227 diff -urNp linux-2.6.37/drivers/ata/pata_bf54x.c linux-2.6.37/drivers/ata/pata_bf54x.c
21228 --- linux-2.6.37/drivers/ata/pata_bf54x.c 2011-01-04 19:50:19.000000000 -0500
21229 +++ linux-2.6.37/drivers/ata/pata_bf54x.c 2011-01-17 02:41:01.000000000 -0500
21230 @@ -1420,7 +1420,7 @@ static struct scsi_host_template bfin_sh
21231 .dma_boundary = ATA_DMA_BOUNDARY,
21232 };
21233
21234 -static struct ata_port_operations bfin_pata_ops = {
21235 +static const struct ata_port_operations bfin_pata_ops = {
21236 .inherits = &ata_bmdma_port_ops,
21237
21238 .set_piomode = bfin_set_piomode,
21239 diff -urNp linux-2.6.37/drivers/ata/pata_cmd640.c linux-2.6.37/drivers/ata/pata_cmd640.c
21240 --- linux-2.6.37/drivers/ata/pata_cmd640.c 2011-01-04 19:50:19.000000000 -0500
21241 +++ linux-2.6.37/drivers/ata/pata_cmd640.c 2011-01-17 02:41:01.000000000 -0500
21242 @@ -176,7 +176,7 @@ static struct scsi_host_template cmd640_
21243 ATA_PIO_SHT(DRV_NAME),
21244 };
21245
21246 -static struct ata_port_operations cmd640_port_ops = {
21247 +static const struct ata_port_operations cmd640_port_ops = {
21248 .inherits = &ata_sff_port_ops,
21249 /* In theory xfer_noirq is not needed once we kill the prefetcher */
21250 .sff_data_xfer = ata_sff_data_xfer_noirq,
21251 diff -urNp linux-2.6.37/drivers/ata/pata_cmd64x.c linux-2.6.37/drivers/ata/pata_cmd64x.c
21252 --- linux-2.6.37/drivers/ata/pata_cmd64x.c 2011-01-04 19:50:19.000000000 -0500
21253 +++ linux-2.6.37/drivers/ata/pata_cmd64x.c 2011-01-17 02:41:01.000000000 -0500
21254 @@ -268,18 +268,18 @@ static const struct ata_port_operations
21255 .set_dmamode = cmd64x_set_dmamode,
21256 };
21257
21258 -static struct ata_port_operations cmd64x_port_ops = {
21259 +static const struct ata_port_operations cmd64x_port_ops = {
21260 .inherits = &cmd64x_base_ops,
21261 .cable_detect = ata_cable_40wire,
21262 };
21263
21264 -static struct ata_port_operations cmd646r1_port_ops = {
21265 +static const struct ata_port_operations cmd646r1_port_ops = {
21266 .inherits = &cmd64x_base_ops,
21267 .bmdma_stop = cmd646r1_bmdma_stop,
21268 .cable_detect = ata_cable_40wire,
21269 };
21270
21271 -static struct ata_port_operations cmd648_port_ops = {
21272 +static const struct ata_port_operations cmd648_port_ops = {
21273 .inherits = &cmd64x_base_ops,
21274 .bmdma_stop = cmd648_bmdma_stop,
21275 .cable_detect = cmd648_cable_detect,
21276 diff -urNp linux-2.6.37/drivers/ata/pata_cs5520.c linux-2.6.37/drivers/ata/pata_cs5520.c
21277 --- linux-2.6.37/drivers/ata/pata_cs5520.c 2011-01-04 19:50:19.000000000 -0500
21278 +++ linux-2.6.37/drivers/ata/pata_cs5520.c 2011-01-17 02:41:01.000000000 -0500
21279 @@ -108,7 +108,7 @@ static struct scsi_host_template cs5520_
21280 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
21281 };
21282
21283 -static struct ata_port_operations cs5520_port_ops = {
21284 +static const struct ata_port_operations cs5520_port_ops = {
21285 .inherits = &ata_bmdma_port_ops,
21286 .qc_prep = ata_bmdma_dumb_qc_prep,
21287 .cable_detect = ata_cable_40wire,
21288 diff -urNp linux-2.6.37/drivers/ata/pata_cs5530.c linux-2.6.37/drivers/ata/pata_cs5530.c
21289 --- linux-2.6.37/drivers/ata/pata_cs5530.c 2011-01-04 19:50:19.000000000 -0500
21290 +++ linux-2.6.37/drivers/ata/pata_cs5530.c 2011-01-17 02:41:01.000000000 -0500
21291 @@ -164,7 +164,7 @@ static struct scsi_host_template cs5530_
21292 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
21293 };
21294
21295 -static struct ata_port_operations cs5530_port_ops = {
21296 +static const struct ata_port_operations cs5530_port_ops = {
21297 .inherits = &ata_bmdma_port_ops,
21298
21299 .qc_prep = ata_bmdma_dumb_qc_prep,
21300 diff -urNp linux-2.6.37/drivers/ata/pata_cs5535.c linux-2.6.37/drivers/ata/pata_cs5535.c
21301 --- linux-2.6.37/drivers/ata/pata_cs5535.c 2011-01-04 19:50:19.000000000 -0500
21302 +++ linux-2.6.37/drivers/ata/pata_cs5535.c 2011-01-17 02:41:01.000000000 -0500
21303 @@ -160,7 +160,7 @@ static struct scsi_host_template cs5535_
21304 ATA_BMDMA_SHT(DRV_NAME),
21305 };
21306
21307 -static struct ata_port_operations cs5535_port_ops = {
21308 +static const struct ata_port_operations cs5535_port_ops = {
21309 .inherits = &ata_bmdma_port_ops,
21310 .cable_detect = cs5535_cable_detect,
21311 .set_piomode = cs5535_set_piomode,
21312 diff -urNp linux-2.6.37/drivers/ata/pata_cs5536.c linux-2.6.37/drivers/ata/pata_cs5536.c
21313 --- linux-2.6.37/drivers/ata/pata_cs5536.c 2011-01-04 19:50:19.000000000 -0500
21314 +++ linux-2.6.37/drivers/ata/pata_cs5536.c 2011-01-17 02:41:01.000000000 -0500
21315 @@ -233,7 +233,7 @@ static struct scsi_host_template cs5536_
21316 ATA_BMDMA_SHT(DRV_NAME),
21317 };
21318
21319 -static struct ata_port_operations cs5536_port_ops = {
21320 +static const struct ata_port_operations cs5536_port_ops = {
21321 .inherits = &ata_bmdma32_port_ops,
21322 .cable_detect = cs5536_cable_detect,
21323 .set_piomode = cs5536_set_piomode,
21324 diff -urNp linux-2.6.37/drivers/ata/pata_cypress.c linux-2.6.37/drivers/ata/pata_cypress.c
21325 --- linux-2.6.37/drivers/ata/pata_cypress.c 2011-01-04 19:50:19.000000000 -0500
21326 +++ linux-2.6.37/drivers/ata/pata_cypress.c 2011-01-17 02:41:01.000000000 -0500
21327 @@ -115,7 +115,7 @@ static struct scsi_host_template cy82c69
21328 ATA_BMDMA_SHT(DRV_NAME),
21329 };
21330
21331 -static struct ata_port_operations cy82c693_port_ops = {
21332 +static const struct ata_port_operations cy82c693_port_ops = {
21333 .inherits = &ata_bmdma_port_ops,
21334 .cable_detect = ata_cable_40wire,
21335 .set_piomode = cy82c693_set_piomode,
21336 diff -urNp linux-2.6.37/drivers/ata/pata_efar.c linux-2.6.37/drivers/ata/pata_efar.c
21337 --- linux-2.6.37/drivers/ata/pata_efar.c 2011-01-04 19:50:19.000000000 -0500
21338 +++ linux-2.6.37/drivers/ata/pata_efar.c 2011-01-17 02:41:01.000000000 -0500
21339 @@ -238,7 +238,7 @@ static struct scsi_host_template efar_sh
21340 ATA_BMDMA_SHT(DRV_NAME),
21341 };
21342
21343 -static struct ata_port_operations efar_ops = {
21344 +static const struct ata_port_operations efar_ops = {
21345 .inherits = &ata_bmdma_port_ops,
21346 .cable_detect = efar_cable_detect,
21347 .set_piomode = efar_set_piomode,
21348 diff -urNp linux-2.6.37/drivers/ata/pata_hpt366.c linux-2.6.37/drivers/ata/pata_hpt366.c
21349 --- linux-2.6.37/drivers/ata/pata_hpt366.c 2011-01-04 19:50:19.000000000 -0500
21350 +++ linux-2.6.37/drivers/ata/pata_hpt366.c 2011-01-17 02:41:01.000000000 -0500
21351 @@ -269,7 +269,7 @@ static struct scsi_host_template hpt36x_
21352 * Configuration for HPT366/68
21353 */
21354
21355 -static struct ata_port_operations hpt366_port_ops = {
21356 +static const struct ata_port_operations hpt366_port_ops = {
21357 .inherits = &ata_bmdma_port_ops,
21358 .cable_detect = hpt36x_cable_detect,
21359 .mode_filter = hpt366_filter,
21360 diff -urNp linux-2.6.37/drivers/ata/pata_hpt37x.c linux-2.6.37/drivers/ata/pata_hpt37x.c
21361 --- linux-2.6.37/drivers/ata/pata_hpt37x.c 2011-01-04 19:50:19.000000000 -0500
21362 +++ linux-2.6.37/drivers/ata/pata_hpt37x.c 2011-01-17 02:41:01.000000000 -0500
21363 @@ -564,7 +564,7 @@ static struct scsi_host_template hpt37x_
21364 * Configuration for HPT370
21365 */
21366
21367 -static struct ata_port_operations hpt370_port_ops = {
21368 +static const struct ata_port_operations hpt370_port_ops = {
21369 .inherits = &ata_bmdma_port_ops,
21370
21371 .bmdma_stop = hpt370_bmdma_stop,
21372 @@ -580,7 +580,7 @@ static struct ata_port_operations hpt370
21373 * Configuration for HPT370A. Close to 370 but less filters
21374 */
21375
21376 -static struct ata_port_operations hpt370a_port_ops = {
21377 +static const struct ata_port_operations hpt370a_port_ops = {
21378 .inherits = &hpt370_port_ops,
21379 .mode_filter = hpt370a_filter,
21380 };
21381 @@ -590,7 +590,7 @@ static struct ata_port_operations hpt370
21382 * and DMA mode setting functionality.
21383 */
21384
21385 -static struct ata_port_operations hpt372_port_ops = {
21386 +static const struct ata_port_operations hpt372_port_ops = {
21387 .inherits = &ata_bmdma_port_ops,
21388
21389 .bmdma_stop = hpt37x_bmdma_stop,
21390 @@ -606,7 +606,7 @@ static struct ata_port_operations hpt372
21391 * but we have a different cable detection procedure for function 1.
21392 */
21393
21394 -static struct ata_port_operations hpt374_fn1_port_ops = {
21395 +static const struct ata_port_operations hpt374_fn1_port_ops = {
21396 .inherits = &hpt372_port_ops,
21397 .cable_detect = hpt374_fn1_cable_detect,
21398 .prereset = hpt37x_pre_reset,
21399 diff -urNp linux-2.6.37/drivers/ata/pata_hpt3x2n.c linux-2.6.37/drivers/ata/pata_hpt3x2n.c
21400 --- linux-2.6.37/drivers/ata/pata_hpt3x2n.c 2011-01-04 19:50:19.000000000 -0500
21401 +++ linux-2.6.37/drivers/ata/pata_hpt3x2n.c 2011-01-17 02:41:01.000000000 -0500
21402 @@ -331,7 +331,7 @@ static struct scsi_host_template hpt3x2n
21403 * Configuration for HPT3x2n.
21404 */
21405
21406 -static struct ata_port_operations hpt3x2n_port_ops = {
21407 +static const struct ata_port_operations hpt3x2n_port_ops = {
21408 .inherits = &ata_bmdma_port_ops,
21409
21410 .bmdma_stop = hpt3x2n_bmdma_stop,
21411 diff -urNp linux-2.6.37/drivers/ata/pata_hpt3x3.c linux-2.6.37/drivers/ata/pata_hpt3x3.c
21412 --- linux-2.6.37/drivers/ata/pata_hpt3x3.c 2011-01-04 19:50:19.000000000 -0500
21413 +++ linux-2.6.37/drivers/ata/pata_hpt3x3.c 2011-01-17 02:41:01.000000000 -0500
21414 @@ -141,7 +141,7 @@ static struct scsi_host_template hpt3x3_
21415 ATA_BMDMA_SHT(DRV_NAME),
21416 };
21417
21418 -static struct ata_port_operations hpt3x3_port_ops = {
21419 +static const struct ata_port_operations hpt3x3_port_ops = {
21420 .inherits = &ata_bmdma_port_ops,
21421 .cable_detect = ata_cable_40wire,
21422 .set_piomode = hpt3x3_set_piomode,
21423 diff -urNp linux-2.6.37/drivers/ata/pata_icside.c linux-2.6.37/drivers/ata/pata_icside.c
21424 --- linux-2.6.37/drivers/ata/pata_icside.c 2011-01-04 19:50:19.000000000 -0500
21425 +++ linux-2.6.37/drivers/ata/pata_icside.c 2011-01-17 02:41:01.000000000 -0500
21426 @@ -320,7 +320,7 @@ static void pata_icside_postreset(struct
21427 }
21428 }
21429
21430 -static struct ata_port_operations pata_icside_port_ops = {
21431 +static const struct ata_port_operations pata_icside_port_ops = {
21432 .inherits = &ata_bmdma_port_ops,
21433 /* no need to build any PRD tables for DMA */
21434 .qc_prep = ata_noop_qc_prep,
21435 diff -urNp linux-2.6.37/drivers/ata/pata_isapnp.c linux-2.6.37/drivers/ata/pata_isapnp.c
21436 --- linux-2.6.37/drivers/ata/pata_isapnp.c 2011-01-04 19:50:19.000000000 -0500
21437 +++ linux-2.6.37/drivers/ata/pata_isapnp.c 2011-01-17 02:41:01.000000000 -0500
21438 @@ -23,12 +23,12 @@ static struct scsi_host_template isapnp_
21439 ATA_PIO_SHT(DRV_NAME),
21440 };
21441
21442 -static struct ata_port_operations isapnp_port_ops = {
21443 +static const struct ata_port_operations isapnp_port_ops = {
21444 .inherits = &ata_sff_port_ops,
21445 .cable_detect = ata_cable_40wire,
21446 };
21447
21448 -static struct ata_port_operations isapnp_noalt_port_ops = {
21449 +static const struct ata_port_operations isapnp_noalt_port_ops = {
21450 .inherits = &ata_sff_port_ops,
21451 .cable_detect = ata_cable_40wire,
21452 /* No altstatus so we don't want to use the lost interrupt poll */
21453 diff -urNp linux-2.6.37/drivers/ata/pata_it8213.c linux-2.6.37/drivers/ata/pata_it8213.c
21454 --- linux-2.6.37/drivers/ata/pata_it8213.c 2011-01-04 19:50:19.000000000 -0500
21455 +++ linux-2.6.37/drivers/ata/pata_it8213.c 2011-01-17 02:41:01.000000000 -0500
21456 @@ -233,7 +233,7 @@ static struct scsi_host_template it8213_
21457 };
21458
21459
21460 -static struct ata_port_operations it8213_ops = {
21461 +static const struct ata_port_operations it8213_ops = {
21462 .inherits = &ata_bmdma_port_ops,
21463 .cable_detect = it8213_cable_detect,
21464 .set_piomode = it8213_set_piomode,
21465 diff -urNp linux-2.6.37/drivers/ata/pata_it821x.c linux-2.6.37/drivers/ata/pata_it821x.c
21466 --- linux-2.6.37/drivers/ata/pata_it821x.c 2011-01-04 19:50:19.000000000 -0500
21467 +++ linux-2.6.37/drivers/ata/pata_it821x.c 2011-01-17 02:41:01.000000000 -0500
21468 @@ -801,7 +801,7 @@ static struct scsi_host_template it821x_
21469 ATA_BMDMA_SHT(DRV_NAME),
21470 };
21471
21472 -static struct ata_port_operations it821x_smart_port_ops = {
21473 +static const struct ata_port_operations it821x_smart_port_ops = {
21474 .inherits = &ata_bmdma_port_ops,
21475
21476 .check_atapi_dma= it821x_check_atapi_dma,
21477 @@ -815,7 +815,7 @@ static struct ata_port_operations it821x
21478 .port_start = it821x_port_start,
21479 };
21480
21481 -static struct ata_port_operations it821x_passthru_port_ops = {
21482 +static const struct ata_port_operations it821x_passthru_port_ops = {
21483 .inherits = &ata_bmdma_port_ops,
21484
21485 .check_atapi_dma= it821x_check_atapi_dma,
21486 @@ -831,7 +831,7 @@ static struct ata_port_operations it821x
21487 .port_start = it821x_port_start,
21488 };
21489
21490 -static struct ata_port_operations it821x_rdc_port_ops = {
21491 +static const struct ata_port_operations it821x_rdc_port_ops = {
21492 .inherits = &ata_bmdma_port_ops,
21493
21494 .check_atapi_dma= it821x_check_atapi_dma,
21495 diff -urNp linux-2.6.37/drivers/ata/pata_ixp4xx_cf.c linux-2.6.37/drivers/ata/pata_ixp4xx_cf.c
21496 --- linux-2.6.37/drivers/ata/pata_ixp4xx_cf.c 2011-01-04 19:50:19.000000000 -0500
21497 +++ linux-2.6.37/drivers/ata/pata_ixp4xx_cf.c 2011-01-17 02:41:01.000000000 -0500
21498 @@ -89,7 +89,7 @@ static struct scsi_host_template ixp4xx_
21499 ATA_PIO_SHT(DRV_NAME),
21500 };
21501
21502 -static struct ata_port_operations ixp4xx_port_ops = {
21503 +static const struct ata_port_operations ixp4xx_port_ops = {
21504 .inherits = &ata_sff_port_ops,
21505 .sff_data_xfer = ixp4xx_mmio_data_xfer,
21506 .cable_detect = ata_cable_40wire,
21507 diff -urNp linux-2.6.37/drivers/ata/pata_jmicron.c linux-2.6.37/drivers/ata/pata_jmicron.c
21508 --- linux-2.6.37/drivers/ata/pata_jmicron.c 2011-01-04 19:50:19.000000000 -0500
21509 +++ linux-2.6.37/drivers/ata/pata_jmicron.c 2011-01-17 02:41:01.000000000 -0500
21510 @@ -111,7 +111,7 @@ static struct scsi_host_template jmicron
21511 ATA_BMDMA_SHT(DRV_NAME),
21512 };
21513
21514 -static struct ata_port_operations jmicron_ops = {
21515 +static const struct ata_port_operations jmicron_ops = {
21516 .inherits = &ata_bmdma_port_ops,
21517 .prereset = jmicron_pre_reset,
21518 };
21519 diff -urNp linux-2.6.37/drivers/ata/pata_legacy.c linux-2.6.37/drivers/ata/pata_legacy.c
21520 --- linux-2.6.37/drivers/ata/pata_legacy.c 2011-01-04 19:50:19.000000000 -0500
21521 +++ linux-2.6.37/drivers/ata/pata_legacy.c 2011-01-17 02:41:01.000000000 -0500
21522 @@ -116,7 +116,7 @@ struct legacy_probe {
21523
21524 struct legacy_controller {
21525 const char *name;
21526 - struct ata_port_operations *ops;
21527 + const struct ata_port_operations *ops;
21528 unsigned int pio_mask;
21529 unsigned int flags;
21530 unsigned int pflags;
21531 @@ -239,12 +239,12 @@ static const struct ata_port_operations
21532 * pio_mask as well.
21533 */
21534
21535 -static struct ata_port_operations simple_port_ops = {
21536 +static const struct ata_port_operations simple_port_ops = {
21537 .inherits = &legacy_base_port_ops,
21538 .sff_data_xfer = ata_sff_data_xfer_noirq,
21539 };
21540
21541 -static struct ata_port_operations legacy_port_ops = {
21542 +static const struct ata_port_operations legacy_port_ops = {
21543 .inherits = &legacy_base_port_ops,
21544 .sff_data_xfer = ata_sff_data_xfer_noirq,
21545 .set_mode = legacy_set_mode,
21546 @@ -340,7 +340,7 @@ static unsigned int pdc_data_xfer_vlb(st
21547 return buflen;
21548 }
21549
21550 -static struct ata_port_operations pdc20230_port_ops = {
21551 +static const struct ata_port_operations pdc20230_port_ops = {
21552 .inherits = &legacy_base_port_ops,
21553 .set_piomode = pdc20230_set_piomode,
21554 .sff_data_xfer = pdc_data_xfer_vlb,
21555 @@ -373,7 +373,7 @@ static void ht6560a_set_piomode(struct a
21556 ioread8(ap->ioaddr.status_addr);
21557 }
21558
21559 -static struct ata_port_operations ht6560a_port_ops = {
21560 +static const struct ata_port_operations ht6560a_port_ops = {
21561 .inherits = &legacy_base_port_ops,
21562 .set_piomode = ht6560a_set_piomode,
21563 };
21564 @@ -416,7 +416,7 @@ static void ht6560b_set_piomode(struct a
21565 ioread8(ap->ioaddr.status_addr);
21566 }
21567
21568 -static struct ata_port_operations ht6560b_port_ops = {
21569 +static const struct ata_port_operations ht6560b_port_ops = {
21570 .inherits = &legacy_base_port_ops,
21571 .set_piomode = ht6560b_set_piomode,
21572 };
21573 @@ -515,7 +515,7 @@ static void opti82c611a_set_piomode(stru
21574 }
21575
21576
21577 -static struct ata_port_operations opti82c611a_port_ops = {
21578 +static const struct ata_port_operations opti82c611a_port_ops = {
21579 .inherits = &legacy_base_port_ops,
21580 .set_piomode = opti82c611a_set_piomode,
21581 };
21582 @@ -625,7 +625,7 @@ static unsigned int opti82c46x_qc_issue(
21583 return ata_sff_qc_issue(qc);
21584 }
21585
21586 -static struct ata_port_operations opti82c46x_port_ops = {
21587 +static const struct ata_port_operations opti82c46x_port_ops = {
21588 .inherits = &legacy_base_port_ops,
21589 .set_piomode = opti82c46x_set_piomode,
21590 .qc_issue = opti82c46x_qc_issue,
21591 @@ -787,20 +787,20 @@ static int qdi_port(struct platform_devi
21592 return 0;
21593 }
21594
21595 -static struct ata_port_operations qdi6500_port_ops = {
21596 +static const struct ata_port_operations qdi6500_port_ops = {
21597 .inherits = &legacy_base_port_ops,
21598 .set_piomode = qdi6500_set_piomode,
21599 .qc_issue = qdi_qc_issue,
21600 .sff_data_xfer = vlb32_data_xfer,
21601 };
21602
21603 -static struct ata_port_operations qdi6580_port_ops = {
21604 +static const struct ata_port_operations qdi6580_port_ops = {
21605 .inherits = &legacy_base_port_ops,
21606 .set_piomode = qdi6580_set_piomode,
21607 .sff_data_xfer = vlb32_data_xfer,
21608 };
21609
21610 -static struct ata_port_operations qdi6580dp_port_ops = {
21611 +static const struct ata_port_operations qdi6580dp_port_ops = {
21612 .inherits = &legacy_base_port_ops,
21613 .set_piomode = qdi6580dp_set_piomode,
21614 .qc_issue = qdi_qc_issue,
21615 @@ -872,7 +872,7 @@ static int winbond_port(struct platform_
21616 return 0;
21617 }
21618
21619 -static struct ata_port_operations winbond_port_ops = {
21620 +static const struct ata_port_operations winbond_port_ops = {
21621 .inherits = &legacy_base_port_ops,
21622 .set_piomode = winbond_set_piomode,
21623 .sff_data_xfer = vlb32_data_xfer,
21624 @@ -995,7 +995,7 @@ static __init int legacy_init_one(struct
21625 int pio_modes = controller->pio_mask;
21626 unsigned long io = probe->port;
21627 u32 mask = (1 << probe->slot);
21628 - struct ata_port_operations *ops = controller->ops;
21629 + const struct ata_port_operations *ops = controller->ops;
21630 struct legacy_data *ld = &legacy_data[probe->slot];
21631 struct ata_host *host = NULL;
21632 struct ata_port *ap;
21633 diff -urNp linux-2.6.37/drivers/ata/pata_macio.c linux-2.6.37/drivers/ata/pata_macio.c
21634 --- linux-2.6.37/drivers/ata/pata_macio.c 2011-01-04 19:50:19.000000000 -0500
21635 +++ linux-2.6.37/drivers/ata/pata_macio.c 2011-01-17 02:41:01.000000000 -0500
21636 @@ -918,9 +918,8 @@ static struct scsi_host_template pata_ma
21637 .slave_configure = pata_macio_slave_config,
21638 };
21639
21640 -static struct ata_port_operations pata_macio_ops = {
21641 +static const struct ata_port_operations pata_macio_ops = {
21642 .inherits = &ata_bmdma_port_ops,
21643 -
21644 .freeze = pata_macio_freeze,
21645 .set_piomode = pata_macio_set_timings,
21646 .set_dmamode = pata_macio_set_timings,
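Review bot: Besides the `const` on `pata_macio_ops`, this hunk also drops the blank line after `.inherits`, which is unrelated whitespace churn in an otherwise mechanical constification series and makes the patch harder to rebase; keep the blank line so the hunk carries only the qualifier change. The same blank-line-after-`.inherits` layout is kept untouched in the pata_hpt37x, pata_it821x, pata_ns87415 and pata_pdc202xx_old hunks, so removing it here is also inconsistent within the patch itself.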
21647 diff -urNp linux-2.6.37/drivers/ata/pata_marvell.c linux-2.6.37/drivers/ata/pata_marvell.c
21648 --- linux-2.6.37/drivers/ata/pata_marvell.c 2011-01-04 19:50:19.000000000 -0500
21649 +++ linux-2.6.37/drivers/ata/pata_marvell.c 2011-01-17 02:41:01.000000000 -0500
21650 @@ -100,7 +100,7 @@ static struct scsi_host_template marvell
21651 ATA_BMDMA_SHT(DRV_NAME),
21652 };
21653
21654 -static struct ata_port_operations marvell_ops = {
21655 +static const struct ata_port_operations marvell_ops = {
21656 .inherits = &ata_bmdma_port_ops,
21657 .cable_detect = marvell_cable_detect,
21658 .prereset = marvell_pre_reset,
21659 diff -urNp linux-2.6.37/drivers/ata/pata_mpc52xx.c linux-2.6.37/drivers/ata/pata_mpc52xx.c
21660 --- linux-2.6.37/drivers/ata/pata_mpc52xx.c 2011-01-04 19:50:19.000000000 -0500
21661 +++ linux-2.6.37/drivers/ata/pata_mpc52xx.c 2011-01-17 02:41:01.000000000 -0500
21662 @@ -609,7 +609,7 @@ static struct scsi_host_template mpc52xx
21663 ATA_PIO_SHT(DRV_NAME),
21664 };
21665
21666 -static struct ata_port_operations mpc52xx_ata_port_ops = {
21667 +static const struct ata_port_operations mpc52xx_ata_port_ops = {
21668 .inherits = &ata_sff_port_ops,
21669 .sff_dev_select = mpc52xx_ata_dev_select,
21670 .set_piomode = mpc52xx_ata_set_piomode,
21671 diff -urNp linux-2.6.37/drivers/ata/pata_mpiix.c linux-2.6.37/drivers/ata/pata_mpiix.c
21672 --- linux-2.6.37/drivers/ata/pata_mpiix.c 2011-01-04 19:50:19.000000000 -0500
21673 +++ linux-2.6.37/drivers/ata/pata_mpiix.c 2011-01-17 02:41:01.000000000 -0500
21674 @@ -140,7 +140,7 @@ static struct scsi_host_template mpiix_s
21675 ATA_PIO_SHT(DRV_NAME),
21676 };
21677
21678 -static struct ata_port_operations mpiix_port_ops = {
21679 +static const struct ata_port_operations mpiix_port_ops = {
21680 .inherits = &ata_sff_port_ops,
21681 .qc_issue = mpiix_qc_issue,
21682 .cable_detect = ata_cable_40wire,
21683 diff -urNp linux-2.6.37/drivers/ata/pata_netcell.c linux-2.6.37/drivers/ata/pata_netcell.c
21684 --- linux-2.6.37/drivers/ata/pata_netcell.c 2011-01-04 19:50:19.000000000 -0500
21685 +++ linux-2.6.37/drivers/ata/pata_netcell.c 2011-01-17 02:41:01.000000000 -0500
21686 @@ -34,7 +34,7 @@ static struct scsi_host_template netcell
21687 ATA_BMDMA_SHT(DRV_NAME),
21688 };
21689
21690 -static struct ata_port_operations netcell_ops = {
21691 +static const struct ata_port_operations netcell_ops = {
21692 .inherits = &ata_bmdma_port_ops,
21693 .cable_detect = ata_cable_80wire,
21694 .read_id = netcell_read_id,
21695 diff -urNp linux-2.6.37/drivers/ata/pata_ninja32.c linux-2.6.37/drivers/ata/pata_ninja32.c
21696 --- linux-2.6.37/drivers/ata/pata_ninja32.c 2011-01-04 19:50:19.000000000 -0500
21697 +++ linux-2.6.37/drivers/ata/pata_ninja32.c 2011-01-17 02:41:01.000000000 -0500
21698 @@ -81,7 +81,7 @@ static struct scsi_host_template ninja32
21699 ATA_BMDMA_SHT(DRV_NAME),
21700 };
21701
21702 -static struct ata_port_operations ninja32_port_ops = {
21703 +static const struct ata_port_operations ninja32_port_ops = {
21704 .inherits = &ata_bmdma_port_ops,
21705 .sff_dev_select = ninja32_dev_select,
21706 .cable_detect = ata_cable_40wire,
21707 diff -urNp linux-2.6.37/drivers/ata/pata_ns87410.c linux-2.6.37/drivers/ata/pata_ns87410.c
21708 --- linux-2.6.37/drivers/ata/pata_ns87410.c 2011-01-04 19:50:19.000000000 -0500
21709 +++ linux-2.6.37/drivers/ata/pata_ns87410.c 2011-01-17 02:41:01.000000000 -0500
21710 @@ -132,7 +132,7 @@ static struct scsi_host_template ns87410
21711 ATA_PIO_SHT(DRV_NAME),
21712 };
21713
21714 -static struct ata_port_operations ns87410_port_ops = {
21715 +static const struct ata_port_operations ns87410_port_ops = {
21716 .inherits = &ata_sff_port_ops,
21717 .qc_issue = ns87410_qc_issue,
21718 .cable_detect = ata_cable_40wire,
21719 diff -urNp linux-2.6.37/drivers/ata/pata_ns87415.c linux-2.6.37/drivers/ata/pata_ns87415.c
21720 --- linux-2.6.37/drivers/ata/pata_ns87415.c 2011-01-04 19:50:19.000000000 -0500
21721 +++ linux-2.6.37/drivers/ata/pata_ns87415.c 2011-01-17 02:41:01.000000000 -0500
21722 @@ -299,7 +299,7 @@ static u8 ns87560_bmdma_status(struct at
21723 }
21724 #endif /* 87560 SuperIO Support */
21725
21726 -static struct ata_port_operations ns87415_pata_ops = {
21727 +static const struct ata_port_operations ns87415_pata_ops = {
21728 .inherits = &ata_bmdma_port_ops,
21729
21730 .check_atapi_dma = ns87415_check_atapi_dma,
21731 @@ -313,7 +313,7 @@ static struct ata_port_operations ns8741
21732 };
21733
21734 #if defined(CONFIG_SUPERIO)
21735 -static struct ata_port_operations ns87560_pata_ops = {
21736 +static const struct ata_port_operations ns87560_pata_ops = {
21737 .inherits = &ns87415_pata_ops,
21738 .sff_tf_read = ns87560_tf_read,
21739 .sff_check_status = ns87560_check_status,
21740 diff -urNp linux-2.6.37/drivers/ata/pata_octeon_cf.c linux-2.6.37/drivers/ata/pata_octeon_cf.c
21741 --- linux-2.6.37/drivers/ata/pata_octeon_cf.c 2011-01-04 19:50:19.000000000 -0500
21742 +++ linux-2.6.37/drivers/ata/pata_octeon_cf.c 2011-01-17 02:41:01.000000000 -0500
21743 @@ -780,6 +780,7 @@ static unsigned int octeon_cf_qc_issue(s
21744 return 0;
21745 }
21746
21747 +/* cannot be const */
21748 static struct ata_port_operations octeon_cf_ops = {
21749 .inherits = &ata_sff_port_ops,
21750 .check_atapi_dma = octeon_cf_check_atapi_dma,
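Review bot: The new `/* cannot be const */` comment above `octeon_cf_ops` records the exception without its reason, which is exactly what the next maintainer needs, because this is the only ops table in the series that stays in writable memory; `/* cannot be const: a callback is selected and assigned at probe time (see octeon_cf_probe) */` would capture it, assuming that is indeed the reason — the writer is outside the hunk, so confirm which member is assigned and where. If the assignment really is confined to probe, saying so in the comment also makes the remaining writable window auditable, and a reviewer can then check that nothing writes the table after the host is registered.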
21751 diff -urNp linux-2.6.37/drivers/ata/pata_oldpiix.c linux-2.6.37/drivers/ata/pata_oldpiix.c
21752 --- linux-2.6.37/drivers/ata/pata_oldpiix.c 2011-01-04 19:50:19.000000000 -0500
21753 +++ linux-2.6.37/drivers/ata/pata_oldpiix.c 2011-01-17 02:41:01.000000000 -0500
21754 @@ -208,7 +208,7 @@ static struct scsi_host_template oldpiix
21755 ATA_BMDMA_SHT(DRV_NAME),
21756 };
21757
21758 -static struct ata_port_operations oldpiix_pata_ops = {
21759 +static const struct ata_port_operations oldpiix_pata_ops = {
21760 .inherits = &ata_bmdma_port_ops,
21761 .qc_issue = oldpiix_qc_issue,
21762 .cable_detect = ata_cable_40wire,
21763 diff -urNp linux-2.6.37/drivers/ata/pata_opti.c linux-2.6.37/drivers/ata/pata_opti.c
21764 --- linux-2.6.37/drivers/ata/pata_opti.c 2011-01-04 19:50:19.000000000 -0500
21765 +++ linux-2.6.37/drivers/ata/pata_opti.c 2011-01-17 02:41:01.000000000 -0500
21766 @@ -152,7 +152,7 @@ static struct scsi_host_template opti_sh
21767 ATA_PIO_SHT(DRV_NAME),
21768 };
21769
21770 -static struct ata_port_operations opti_port_ops = {
21771 +static const struct ata_port_operations opti_port_ops = {
21772 .inherits = &ata_sff_port_ops,
21773 .cable_detect = ata_cable_40wire,
21774 .set_piomode = opti_set_piomode,
21775 diff -urNp linux-2.6.37/drivers/ata/pata_optidma.c linux-2.6.37/drivers/ata/pata_optidma.c
21776 --- linux-2.6.37/drivers/ata/pata_optidma.c 2011-01-04 19:50:19.000000000 -0500
21777 +++ linux-2.6.37/drivers/ata/pata_optidma.c 2011-01-17 02:41:01.000000000 -0500
21778 @@ -337,7 +337,7 @@ static struct scsi_host_template optidma
21779 ATA_BMDMA_SHT(DRV_NAME),
21780 };
21781
21782 -static struct ata_port_operations optidma_port_ops = {
21783 +static const struct ata_port_operations optidma_port_ops = {
21784 .inherits = &ata_bmdma_port_ops,
21785 .cable_detect = ata_cable_40wire,
21786 .set_piomode = optidma_set_pio_mode,
21787 @@ -346,7 +346,7 @@ static struct ata_port_operations optidm
21788 .prereset = optidma_pre_reset,
21789 };
21790
21791 -static struct ata_port_operations optiplus_port_ops = {
21792 +static const struct ata_port_operations optiplus_port_ops = {
21793 .inherits = &optidma_port_ops,
21794 .set_piomode = optiplus_set_pio_mode,
21795 .set_dmamode = optiplus_set_dma_mode,
21796 diff -urNp linux-2.6.37/drivers/ata/pata_palmld.c linux-2.6.37/drivers/ata/pata_palmld.c
21797 --- linux-2.6.37/drivers/ata/pata_palmld.c 2011-01-04 19:50:19.000000000 -0500
21798 +++ linux-2.6.37/drivers/ata/pata_palmld.c 2011-01-17 02:41:01.000000000 -0500
21799 @@ -37,7 +37,7 @@ static struct scsi_host_template palmld_
21800 ATA_PIO_SHT(DRV_NAME),
21801 };
21802
21803 -static struct ata_port_operations palmld_port_ops = {
21804 +static const struct ata_port_operations palmld_port_ops = {
21805 .inherits = &ata_sff_port_ops,
21806 .sff_data_xfer = ata_sff_data_xfer_noirq,
21807 .cable_detect = ata_cable_40wire,
21808 diff -urNp linux-2.6.37/drivers/ata/pata_pcmcia.c linux-2.6.37/drivers/ata/pata_pcmcia.c
21809 --- linux-2.6.37/drivers/ata/pata_pcmcia.c 2011-01-04 19:50:19.000000000 -0500
21810 +++ linux-2.6.37/drivers/ata/pata_pcmcia.c 2011-01-17 02:41:01.000000000 -0500
21811 @@ -151,14 +151,14 @@ static struct scsi_host_template pcmcia_
21812 ATA_PIO_SHT(DRV_NAME),
21813 };
21814
21815 -static struct ata_port_operations pcmcia_port_ops = {
21816 +static const struct ata_port_operations pcmcia_port_ops = {
21817 .inherits = &ata_sff_port_ops,
21818 .sff_data_xfer = ata_sff_data_xfer_noirq,
21819 .cable_detect = ata_cable_40wire,
21820 .set_mode = pcmcia_set_mode,
21821 };
21822
21823 -static struct ata_port_operations pcmcia_8bit_port_ops = {
21824 +static const struct ata_port_operations pcmcia_8bit_port_ops = {
21825 .inherits = &ata_sff_port_ops,
21826 .sff_data_xfer = ata_data_xfer_8bit,
21827 .cable_detect = ata_cable_40wire,
21828 @@ -205,7 +205,7 @@ static int pcmcia_init_one(struct pcmcia
21829 unsigned long io_base, ctl_base;
21830 void __iomem *io_addr, *ctl_addr;
21831 int n_ports = 1;
21832 - struct ata_port_operations *ops = &pcmcia_port_ops;
21833 + const struct ata_port_operations *ops = &pcmcia_port_ops;
21834
21835 /* Set up attributes in order to probe card and get resources */
21836 pdev->config_flags |= CONF_ENABLE_IRQ | CONF_AUTO_SET_IO |
21837 diff -urNp linux-2.6.37/drivers/ata/pata_pdc2027x.c linux-2.6.37/drivers/ata/pata_pdc2027x.c
21838 --- linux-2.6.37/drivers/ata/pata_pdc2027x.c 2011-01-04 19:50:19.000000000 -0500
21839 +++ linux-2.6.37/drivers/ata/pata_pdc2027x.c 2011-01-17 02:41:01.000000000 -0500
21840 @@ -132,14 +132,14 @@ static struct scsi_host_template pdc2027
21841 ATA_BMDMA_SHT(DRV_NAME),
21842 };
21843
21844 -static struct ata_port_operations pdc2027x_pata100_ops = {
21845 +static const struct ata_port_operations pdc2027x_pata100_ops = {
21846 .inherits = &ata_bmdma_port_ops,
21847 .check_atapi_dma = pdc2027x_check_atapi_dma,
21848 .cable_detect = pdc2027x_cable_detect,
21849 .prereset = pdc2027x_prereset,
21850 };
21851
21852 -static struct ata_port_operations pdc2027x_pata133_ops = {
21853 +static const struct ata_port_operations pdc2027x_pata133_ops = {
21854 .inherits = &pdc2027x_pata100_ops,
21855 .mode_filter = pdc2027x_mode_filter,
21856 .set_piomode = pdc2027x_set_piomode,
21857 diff -urNp linux-2.6.37/drivers/ata/pata_pdc202xx_old.c linux-2.6.37/drivers/ata/pata_pdc202xx_old.c
21858 --- linux-2.6.37/drivers/ata/pata_pdc202xx_old.c 2011-01-04 19:50:19.000000000 -0500
21859 +++ linux-2.6.37/drivers/ata/pata_pdc202xx_old.c 2011-01-17 02:41:01.000000000 -0500
21860 @@ -295,7 +295,7 @@ static struct scsi_host_template pdc202x
21861 ATA_BMDMA_SHT(DRV_NAME),
21862 };
21863
21864 -static struct ata_port_operations pdc2024x_port_ops = {
21865 +static const struct ata_port_operations pdc2024x_port_ops = {
21866 .inherits = &ata_bmdma_port_ops,
21867
21868 .cable_detect = ata_cable_40wire,
21869 @@ -306,7 +306,7 @@ static struct ata_port_operations pdc202
21870 .sff_irq_check = pdc202xx_irq_check,
21871 };
21872
21873 -static struct ata_port_operations pdc2026x_port_ops = {
21874 +static const struct ata_port_operations pdc2026x_port_ops = {
21875 .inherits = &pdc2024x_port_ops,
21876
21877 .check_atapi_dma = pdc2026x_check_atapi_dma,
21878 diff -urNp linux-2.6.37/drivers/ata/pata_piccolo.c linux-2.6.37/drivers/ata/pata_piccolo.c
21879 --- linux-2.6.37/drivers/ata/pata_piccolo.c 2011-01-04 19:50:19.000000000 -0500
21880 +++ linux-2.6.37/drivers/ata/pata_piccolo.c 2011-01-17 02:41:01.000000000 -0500
21881 @@ -67,7 +67,7 @@ static struct scsi_host_template tosh_sh
21882 ATA_BMDMA_SHT(DRV_NAME),
21883 };
21884
21885 -static struct ata_port_operations tosh_port_ops = {
21886 +static const struct ata_port_operations tosh_port_ops = {
21887 .inherits = &ata_bmdma_port_ops,
21888 .cable_detect = ata_cable_unknown,
21889 .set_piomode = tosh_set_piomode,
21890 diff -urNp linux-2.6.37/drivers/ata/pata_platform.c linux-2.6.37/drivers/ata/pata_platform.c
21891 --- linux-2.6.37/drivers/ata/pata_platform.c 2011-01-04 19:50:19.000000000 -0500
21892 +++ linux-2.6.37/drivers/ata/pata_platform.c 2011-01-17 02:41:01.000000000 -0500
21893 @@ -48,7 +48,7 @@ static struct scsi_host_template pata_pl
21894 ATA_PIO_SHT(DRV_NAME),
21895 };
21896
21897 -static struct ata_port_operations pata_platform_port_ops = {
21898 +static const struct ata_port_operations pata_platform_port_ops = {
21899 .inherits = &ata_sff_port_ops,
21900 .sff_data_xfer = ata_sff_data_xfer_noirq,
21901 .cable_detect = ata_cable_unknown,
21902 diff -urNp linux-2.6.37/drivers/ata/pata_pxa.c linux-2.6.37/drivers/ata/pata_pxa.c
21903 --- linux-2.6.37/drivers/ata/pata_pxa.c 2011-01-04 19:50:19.000000000 -0500
21904 +++ linux-2.6.37/drivers/ata/pata_pxa.c 2011-01-17 02:41:01.000000000 -0500
21905 @@ -198,7 +198,7 @@ static struct scsi_host_template pxa_ata
21906 ATA_BMDMA_SHT(DRV_NAME),
21907 };
21908
21909 -static struct ata_port_operations pxa_ata_port_ops = {
21910 +static const struct ata_port_operations pxa_ata_port_ops = {
21911 .inherits = &ata_bmdma_port_ops,
21912 .cable_detect = ata_cable_40wire,
21913
21914 diff -urNp linux-2.6.37/drivers/ata/pata_qdi.c linux-2.6.37/drivers/ata/pata_qdi.c
21915 --- linux-2.6.37/drivers/ata/pata_qdi.c 2011-01-04 19:50:19.000000000 -0500
21916 +++ linux-2.6.37/drivers/ata/pata_qdi.c 2011-01-17 02:41:01.000000000 -0500
21917 @@ -157,7 +157,7 @@ static struct scsi_host_template qdi_sht
21918 ATA_PIO_SHT(DRV_NAME),
21919 };
21920
21921 -static struct ata_port_operations qdi6500_port_ops = {
21922 +static const struct ata_port_operations qdi6500_port_ops = {
21923 .inherits = &ata_sff_port_ops,
21924 .qc_issue = qdi_qc_issue,
21925 .sff_data_xfer = qdi_data_xfer,
21926 @@ -165,7 +165,7 @@ static struct ata_port_operations qdi650
21927 .set_piomode = qdi6500_set_piomode,
21928 };
21929
21930 -static struct ata_port_operations qdi6580_port_ops = {
21931 +static const struct ata_port_operations qdi6580_port_ops = {
21932 .inherits = &qdi6500_port_ops,
21933 .set_piomode = qdi6580_set_piomode,
21934 };
21935 diff -urNp linux-2.6.37/drivers/ata/pata_radisys.c linux-2.6.37/drivers/ata/pata_radisys.c
21936 --- linux-2.6.37/drivers/ata/pata_radisys.c 2011-01-04 19:50:19.000000000 -0500
21937 +++ linux-2.6.37/drivers/ata/pata_radisys.c 2011-01-17 02:41:01.000000000 -0500
21938 @@ -187,7 +187,7 @@ static struct scsi_host_template radisys
21939 ATA_BMDMA_SHT(DRV_NAME),
21940 };
21941
21942 -static struct ata_port_operations radisys_pata_ops = {
21943 +static const struct ata_port_operations radisys_pata_ops = {
21944 .inherits = &ata_bmdma_port_ops,
21945 .qc_issue = radisys_qc_issue,
21946 .cable_detect = ata_cable_unknown,
21947 diff -urNp linux-2.6.37/drivers/ata/pata_rb532_cf.c linux-2.6.37/drivers/ata/pata_rb532_cf.c
21948 --- linux-2.6.37/drivers/ata/pata_rb532_cf.c 2011-01-04 19:50:19.000000000 -0500
21949 +++ linux-2.6.37/drivers/ata/pata_rb532_cf.c 2011-01-17 02:41:01.000000000 -0500
21950 @@ -69,7 +69,7 @@ static irqreturn_t rb532_pata_irq_handle
21951 return IRQ_HANDLED;
21952 }
21953
21954 -static struct ata_port_operations rb532_pata_port_ops = {
21955 +static const struct ata_port_operations rb532_pata_port_ops = {
21956 .inherits = &ata_sff_port_ops,
21957 .sff_data_xfer = ata_sff_data_xfer32,
21958 };
21959 diff -urNp linux-2.6.37/drivers/ata/pata_rdc.c linux-2.6.37/drivers/ata/pata_rdc.c
21960 --- linux-2.6.37/drivers/ata/pata_rdc.c 2011-01-04 19:50:19.000000000 -0500
21961 +++ linux-2.6.37/drivers/ata/pata_rdc.c 2011-01-17 02:41:01.000000000 -0500
21962 @@ -273,7 +273,7 @@ static void rdc_set_dmamode(struct ata_p
21963 pci_write_config_byte(dev, 0x48, udma_enable);
21964 }
21965
21966 -static struct ata_port_operations rdc_pata_ops = {
21967 +static const struct ata_port_operations rdc_pata_ops = {
21968 .inherits = &ata_bmdma32_port_ops,
21969 .cable_detect = rdc_pata_cable_detect,
21970 .set_piomode = rdc_set_piomode,
21971 diff -urNp linux-2.6.37/drivers/ata/pata_rz1000.c linux-2.6.37/drivers/ata/pata_rz1000.c
21972 --- linux-2.6.37/drivers/ata/pata_rz1000.c 2011-01-04 19:50:19.000000000 -0500
21973 +++ linux-2.6.37/drivers/ata/pata_rz1000.c 2011-01-17 02:41:01.000000000 -0500
21974 @@ -54,7 +54,7 @@ static struct scsi_host_template rz1000_
21975 ATA_PIO_SHT(DRV_NAME),
21976 };
21977
21978 -static struct ata_port_operations rz1000_port_ops = {
21979 +static const struct ata_port_operations rz1000_port_ops = {
21980 .inherits = &ata_sff_port_ops,
21981 .cable_detect = ata_cable_40wire,
21982 .set_mode = rz1000_set_mode,
21983 diff -urNp linux-2.6.37/drivers/ata/pata_samsung_cf.c linux-2.6.37/drivers/ata/pata_samsung_cf.c
21984 --- linux-2.6.37/drivers/ata/pata_samsung_cf.c 2011-01-04 19:50:19.000000000 -0500
21985 +++ linux-2.6.37/drivers/ata/pata_samsung_cf.c 2011-01-17 02:41:01.000000000 -0500
21986 @@ -399,7 +399,7 @@ static struct scsi_host_template pata_s3
21987 ATA_PIO_SHT(DRV_NAME),
21988 };
21989
21990 -static struct ata_port_operations pata_s3c_port_ops = {
21991 +static const struct ata_port_operations pata_s3c_port_ops = {
21992 .inherits = &ata_sff_port_ops,
21993 .sff_check_status = pata_s3c_check_status,
21994 .sff_check_altstatus = pata_s3c_check_altstatus,
21995 @@ -413,7 +413,7 @@ static struct ata_port_operations pata_s
21996 .set_piomode = pata_s3c_set_piomode,
21997 };
21998
21999 -static struct ata_port_operations pata_s5p_port_ops = {
22000 +static const struct ata_port_operations pata_s5p_port_ops = {
22001 .inherits = &ata_sff_port_ops,
22002 .set_piomode = pata_s3c_set_piomode,
22003 };
22004 diff -urNp linux-2.6.37/drivers/ata/pata_sc1200.c linux-2.6.37/drivers/ata/pata_sc1200.c
22005 --- linux-2.6.37/drivers/ata/pata_sc1200.c 2011-01-04 19:50:19.000000000 -0500
22006 +++ linux-2.6.37/drivers/ata/pata_sc1200.c 2011-01-17 02:41:01.000000000 -0500
22007 @@ -207,7 +207,7 @@ static struct scsi_host_template sc1200_
22008 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
22009 };
22010
22011 -static struct ata_port_operations sc1200_port_ops = {
22012 +static const struct ata_port_operations sc1200_port_ops = {
22013 .inherits = &ata_bmdma_port_ops,
22014 .qc_prep = ata_bmdma_dumb_qc_prep,
22015 .qc_issue = sc1200_qc_issue,
22016 diff -urNp linux-2.6.37/drivers/ata/pata_scc.c linux-2.6.37/drivers/ata/pata_scc.c
22017 --- linux-2.6.37/drivers/ata/pata_scc.c 2011-01-04 19:50:19.000000000 -0500
22018 +++ linux-2.6.37/drivers/ata/pata_scc.c 2011-01-17 02:41:01.000000000 -0500
22019 @@ -926,7 +926,7 @@ static struct scsi_host_template scc_sht
22020 ATA_BMDMA_SHT(DRV_NAME),
22021 };
22022
22023 -static struct ata_port_operations scc_pata_ops = {
22024 +static const struct ata_port_operations scc_pata_ops = {
22025 .inherits = &ata_bmdma_port_ops,
22026
22027 .set_piomode = scc_set_piomode,
22028 diff -urNp linux-2.6.37/drivers/ata/pata_sch.c linux-2.6.37/drivers/ata/pata_sch.c
22029 --- linux-2.6.37/drivers/ata/pata_sch.c 2011-01-04 19:50:19.000000000 -0500
22030 +++ linux-2.6.37/drivers/ata/pata_sch.c 2011-01-17 02:41:01.000000000 -0500
22031 @@ -75,7 +75,7 @@ static struct scsi_host_template sch_sht
22032 ATA_BMDMA_SHT(DRV_NAME),
22033 };
22034
22035 -static struct ata_port_operations sch_pata_ops = {
22036 +static const struct ata_port_operations sch_pata_ops = {
22037 .inherits = &ata_bmdma_port_ops,
22038 .cable_detect = ata_cable_unknown,
22039 .set_piomode = sch_set_piomode,
22040 diff -urNp linux-2.6.37/drivers/ata/pata_serverworks.c linux-2.6.37/drivers/ata/pata_serverworks.c
22041 --- linux-2.6.37/drivers/ata/pata_serverworks.c 2011-01-04 19:50:19.000000000 -0500
22042 +++ linux-2.6.37/drivers/ata/pata_serverworks.c 2011-01-17 02:41:01.000000000 -0500
22043 @@ -300,7 +300,7 @@ static struct scsi_host_template serverw
22044 ATA_BMDMA_SHT(DRV_NAME),
22045 };
22046
22047 -static struct ata_port_operations serverworks_osb4_port_ops = {
22048 +static const struct ata_port_operations serverworks_osb4_port_ops = {
22049 .inherits = &ata_bmdma_port_ops,
22050 .cable_detect = serverworks_cable_detect,
22051 .mode_filter = serverworks_osb4_filter,
22052 @@ -308,7 +308,7 @@ static struct ata_port_operations server
22053 .set_dmamode = serverworks_set_dmamode,
22054 };
22055
22056 -static struct ata_port_operations serverworks_csb_port_ops = {
22057 +static const struct ata_port_operations serverworks_csb_port_ops = {
22058 .inherits = &serverworks_osb4_port_ops,
22059 .mode_filter = serverworks_csb_filter,
22060 };
22061 diff -urNp linux-2.6.37/drivers/ata/pata_sil680.c linux-2.6.37/drivers/ata/pata_sil680.c
22062 --- linux-2.6.37/drivers/ata/pata_sil680.c 2011-01-04 19:50:19.000000000 -0500
22063 +++ linux-2.6.37/drivers/ata/pata_sil680.c 2011-01-17 02:41:01.000000000 -0500
22064 @@ -225,8 +225,7 @@ static struct scsi_host_template sil680_
22065 ATA_BMDMA_SHT(DRV_NAME),
22066 };
22067
22068 -
22069 -static struct ata_port_operations sil680_port_ops = {
22070 +static const struct ata_port_operations sil680_port_ops = {
22071 .inherits = &ata_bmdma32_port_ops,
22072 .sff_exec_command = sil680_sff_exec_command,
22073 .sff_irq_check = sil680_sff_irq_check,
22074 diff -urNp linux-2.6.37/drivers/ata/pata_sis.c linux-2.6.37/drivers/ata/pata_sis.c
22075 --- linux-2.6.37/drivers/ata/pata_sis.c 2011-01-04 19:50:19.000000000 -0500
22076 +++ linux-2.6.37/drivers/ata/pata_sis.c 2011-01-17 02:41:01.000000000 -0500
22077 @@ -503,47 +503,47 @@ static struct scsi_host_template sis_sht
22078 ATA_BMDMA_SHT(DRV_NAME),
22079 };
22080
22081 -static struct ata_port_operations sis_133_for_sata_ops = {
22082 +static const struct ata_port_operations sis_133_for_sata_ops = {
22083 .inherits = &ata_bmdma_port_ops,
22084 .set_piomode = sis_133_set_piomode,
22085 .set_dmamode = sis_133_set_dmamode,
22086 .cable_detect = sis_133_cable_detect,
22087 };
22088
22089 -static struct ata_port_operations sis_base_ops = {
22090 +static const struct ata_port_operations sis_base_ops = {
22091 .inherits = &ata_bmdma_port_ops,
22092 .prereset = sis_pre_reset,
22093 };
22094
22095 -static struct ata_port_operations sis_133_ops = {
22096 +static const struct ata_port_operations sis_133_ops = {
22097 .inherits = &sis_base_ops,
22098 .set_piomode = sis_133_set_piomode,
22099 .set_dmamode = sis_133_set_dmamode,
22100 .cable_detect = sis_133_cable_detect,
22101 };
22102
22103 -static struct ata_port_operations sis_133_early_ops = {
22104 +static const struct ata_port_operations sis_133_early_ops = {
22105 .inherits = &sis_base_ops,
22106 .set_piomode = sis_100_set_piomode,
22107 .set_dmamode = sis_133_early_set_dmamode,
22108 .cable_detect = sis_66_cable_detect,
22109 };
22110
22111 -static struct ata_port_operations sis_100_ops = {
22112 +static const struct ata_port_operations sis_100_ops = {
22113 .inherits = &sis_base_ops,
22114 .set_piomode = sis_100_set_piomode,
22115 .set_dmamode = sis_100_set_dmamode,
22116 .cable_detect = sis_66_cable_detect,
22117 };
22118
22119 -static struct ata_port_operations sis_66_ops = {
22120 +static const struct ata_port_operations sis_66_ops = {
22121 .inherits = &sis_base_ops,
22122 .set_piomode = sis_old_set_piomode,
22123 .set_dmamode = sis_66_set_dmamode,
22124 .cable_detect = sis_66_cable_detect,
22125 };
22126
22127 -static struct ata_port_operations sis_old_ops = {
22128 +static const struct ata_port_operations sis_old_ops = {
22129 .inherits = &sis_base_ops,
22130 .set_piomode = sis_old_set_piomode,
22131 .set_dmamode = sis_old_set_dmamode,
22132 diff -urNp linux-2.6.37/drivers/ata/pata_sl82c105.c linux-2.6.37/drivers/ata/pata_sl82c105.c
22133 --- linux-2.6.37/drivers/ata/pata_sl82c105.c 2011-01-04 19:50:19.000000000 -0500
22134 +++ linux-2.6.37/drivers/ata/pata_sl82c105.c 2011-01-17 02:41:01.000000000 -0500
22135 @@ -241,7 +241,7 @@ static struct scsi_host_template sl82c10
22136 ATA_BMDMA_SHT(DRV_NAME),
22137 };
22138
22139 -static struct ata_port_operations sl82c105_port_ops = {
22140 +static const struct ata_port_operations sl82c105_port_ops = {
22141 .inherits = &ata_bmdma_port_ops,
22142 .qc_defer = sl82c105_qc_defer,
22143 .bmdma_start = sl82c105_bmdma_start,
22144 diff -urNp linux-2.6.37/drivers/ata/pata_triflex.c linux-2.6.37/drivers/ata/pata_triflex.c
22145 --- linux-2.6.37/drivers/ata/pata_triflex.c 2011-01-04 19:50:19.000000000 -0500
22146 +++ linux-2.6.37/drivers/ata/pata_triflex.c 2011-01-17 02:41:01.000000000 -0500
22147 @@ -178,7 +178,7 @@ static struct scsi_host_template triflex
22148 ATA_BMDMA_SHT(DRV_NAME),
22149 };
22150
22151 -static struct ata_port_operations triflex_port_ops = {
22152 +static const struct ata_port_operations triflex_port_ops = {
22153 .inherits = &ata_bmdma_port_ops,
22154 .bmdma_start = triflex_bmdma_start,
22155 .bmdma_stop = triflex_bmdma_stop,
22156 diff -urNp linux-2.6.37/drivers/ata/pata_via.c linux-2.6.37/drivers/ata/pata_via.c
22157 --- linux-2.6.37/drivers/ata/pata_via.c 2011-01-04 19:50:19.000000000 -0500
22158 +++ linux-2.6.37/drivers/ata/pata_via.c 2011-01-17 02:41:01.000000000 -0500
22159 @@ -441,7 +441,7 @@ static struct scsi_host_template via_sht
22160 ATA_BMDMA_SHT(DRV_NAME),
22161 };
22162
22163 -static struct ata_port_operations via_port_ops = {
22164 +static const struct ata_port_operations via_port_ops = {
22165 .inherits = &ata_bmdma_port_ops,
22166 .cable_detect = via_cable_detect,
22167 .set_piomode = via_set_piomode,
22168 @@ -452,7 +452,7 @@ static struct ata_port_operations via_po
22169 .mode_filter = via_mode_filter,
22170 };
22171
22172 -static struct ata_port_operations via_port_ops_noirq = {
22173 +static const struct ata_port_operations via_port_ops_noirq = {
22174 .inherits = &via_port_ops,
22175 .sff_data_xfer = ata_sff_data_xfer_noirq,
22176 };
22177 diff -urNp linux-2.6.37/drivers/ata/pdc_adma.c linux-2.6.37/drivers/ata/pdc_adma.c
22178 --- linux-2.6.37/drivers/ata/pdc_adma.c 2011-01-04 19:50:19.000000000 -0500
22179 +++ linux-2.6.37/drivers/ata/pdc_adma.c 2011-01-17 02:41:01.000000000 -0500
22180 @@ -146,7 +146,7 @@ static struct scsi_host_template adma_at
22181 .dma_boundary = ADMA_DMA_BOUNDARY,
22182 };
22183
22184 -static struct ata_port_operations adma_ata_ops = {
22185 +static const struct ata_port_operations adma_ata_ops = {
22186 .inherits = &ata_sff_port_ops,
22187
22188 .lost_interrupt = ATA_OP_NULL,
22189 diff -urNp linux-2.6.37/drivers/ata/sata_dwc_460ex.c linux-2.6.37/drivers/ata/sata_dwc_460ex.c
22190 --- linux-2.6.37/drivers/ata/sata_dwc_460ex.c 2011-01-04 19:50:19.000000000 -0500
22191 +++ linux-2.6.37/drivers/ata/sata_dwc_460ex.c 2011-01-17 02:41:01.000000000 -0500
22192 @@ -1560,7 +1560,7 @@ static struct scsi_host_template sata_dw
22193 .dma_boundary = ATA_DMA_BOUNDARY,
22194 };
22195
22196 -static struct ata_port_operations sata_dwc_ops = {
22197 +static const struct ata_port_operations sata_dwc_ops = {
22198 .inherits = &ata_sff_port_ops,
22199
22200 .error_handler = sata_dwc_error_handler,
22201 diff -urNp linux-2.6.37/drivers/ata/sata_fsl.c linux-2.6.37/drivers/ata/sata_fsl.c
22202 --- linux-2.6.37/drivers/ata/sata_fsl.c 2011-01-04 19:50:19.000000000 -0500
22203 +++ linux-2.6.37/drivers/ata/sata_fsl.c 2011-01-17 02:41:01.000000000 -0500
22204 @@ -1258,7 +1258,7 @@ static struct scsi_host_template sata_fs
22205 .dma_boundary = ATA_DMA_BOUNDARY,
22206 };
22207
22208 -static struct ata_port_operations sata_fsl_ops = {
22209 +static const struct ata_port_operations sata_fsl_ops = {
22210 .inherits = &sata_pmp_port_ops,
22211
22212 .qc_defer = ata_std_qc_defer,
22213 diff -urNp linux-2.6.37/drivers/ata/sata_inic162x.c linux-2.6.37/drivers/ata/sata_inic162x.c
22214 --- linux-2.6.37/drivers/ata/sata_inic162x.c 2011-01-04 19:50:19.000000000 -0500
22215 +++ linux-2.6.37/drivers/ata/sata_inic162x.c 2011-01-17 02:41:01.000000000 -0500
22216 @@ -705,7 +705,7 @@ static int inic_port_start(struct ata_po
22217 return 0;
22218 }
22219
22220 -static struct ata_port_operations inic_port_ops = {
22221 +static const struct ata_port_operations inic_port_ops = {
22222 .inherits = &sata_port_ops,
22223
22224 .check_atapi_dma = inic_check_atapi_dma,
22225 diff -urNp linux-2.6.37/drivers/ata/sata_mv.c linux-2.6.37/drivers/ata/sata_mv.c
22226 --- linux-2.6.37/drivers/ata/sata_mv.c 2011-01-04 19:50:19.000000000 -0500
22227 +++ linux-2.6.37/drivers/ata/sata_mv.c 2011-01-17 02:41:01.000000000 -0500
22228 @@ -663,7 +663,7 @@ static struct scsi_host_template mv6_sht
22229 .dma_boundary = MV_DMA_BOUNDARY,
22230 };
22231
22232 -static struct ata_port_operations mv5_ops = {
22233 +static const struct ata_port_operations mv5_ops = {
22234 .inherits = &ata_sff_port_ops,
22235
22236 .lost_interrupt = ATA_OP_NULL,
22237 @@ -683,7 +683,7 @@ static struct ata_port_operations mv5_op
22238 .port_stop = mv_port_stop,
22239 };
22240
22241 -static struct ata_port_operations mv6_ops = {
22242 +static const struct ata_port_operations mv6_ops = {
22243 .inherits = &ata_bmdma_port_ops,
22244
22245 .lost_interrupt = ATA_OP_NULL,
22246 @@ -717,7 +717,7 @@ static struct ata_port_operations mv6_op
22247 .port_stop = mv_port_stop,
22248 };
22249
22250 -static struct ata_port_operations mv_iie_ops = {
22251 +static const struct ata_port_operations mv_iie_ops = {
22252 .inherits = &mv6_ops,
22253 .dev_config = ATA_OP_NULL,
22254 .qc_prep = mv_qc_prep_iie,
22255 diff -urNp linux-2.6.37/drivers/ata/sata_nv.c linux-2.6.37/drivers/ata/sata_nv.c
22256 --- linux-2.6.37/drivers/ata/sata_nv.c 2011-01-04 19:50:19.000000000 -0500
22257 +++ linux-2.6.37/drivers/ata/sata_nv.c 2011-01-17 02:41:01.000000000 -0500
22258 @@ -465,7 +465,7 @@ static struct scsi_host_template nv_swnc
22259 * cases. Define nv_hardreset() which only kicks in for post-boot
22260 * probing and use it for all variants.
22261 */
22262 -static struct ata_port_operations nv_generic_ops = {
22263 +static const struct ata_port_operations nv_generic_ops = {
22264 .inherits = &ata_bmdma_port_ops,
22265 .lost_interrupt = ATA_OP_NULL,
22266 .scr_read = nv_scr_read,
22267 @@ -473,20 +473,20 @@ static struct ata_port_operations nv_gen
22268 .hardreset = nv_hardreset,
22269 };
22270
22271 -static struct ata_port_operations nv_nf2_ops = {
22272 +static const struct ata_port_operations nv_nf2_ops = {
22273 .inherits = &nv_generic_ops,
22274 .freeze = nv_nf2_freeze,
22275 .thaw = nv_nf2_thaw,
22276 };
22277
22278 -static struct ata_port_operations nv_ck804_ops = {
22279 +static const struct ata_port_operations nv_ck804_ops = {
22280 .inherits = &nv_generic_ops,
22281 .freeze = nv_ck804_freeze,
22282 .thaw = nv_ck804_thaw,
22283 .host_stop = nv_ck804_host_stop,
22284 };
22285
22286 -static struct ata_port_operations nv_adma_ops = {
22287 +static const struct ata_port_operations nv_adma_ops = {
22288 .inherits = &nv_ck804_ops,
22289
22290 .check_atapi_dma = nv_adma_check_atapi_dma,
22291 @@ -510,7 +510,7 @@ static struct ata_port_operations nv_adm
22292 .host_stop = nv_adma_host_stop,
22293 };
22294
22295 -static struct ata_port_operations nv_swncq_ops = {
22296 +static const struct ata_port_operations nv_swncq_ops = {
22297 .inherits = &nv_generic_ops,
22298
22299 .qc_defer = ata_std_qc_defer,
22300 diff -urNp linux-2.6.37/drivers/ata/sata_promise.c linux-2.6.37/drivers/ata/sata_promise.c
22301 --- linux-2.6.37/drivers/ata/sata_promise.c 2011-01-04 19:50:19.000000000 -0500
22302 +++ linux-2.6.37/drivers/ata/sata_promise.c 2011-01-17 02:41:01.000000000 -0500
22303 @@ -196,7 +196,7 @@ static const struct ata_port_operations
22304 .error_handler = pdc_error_handler,
22305 };
22306
22307 -static struct ata_port_operations pdc_sata_ops = {
22308 +static const struct ata_port_operations pdc_sata_ops = {
22309 .inherits = &pdc_common_ops,
22310 .cable_detect = pdc_sata_cable_detect,
22311 .freeze = pdc_sata_freeze,
22312 @@ -209,14 +209,14 @@ static struct ata_port_operations pdc_sa
22313
22314 /* First-generation chips need a more restrictive ->check_atapi_dma op,
22315 and ->freeze/thaw that ignore the hotplug controls. */
22316 -static struct ata_port_operations pdc_old_sata_ops = {
22317 +static const struct ata_port_operations pdc_old_sata_ops = {
22318 .inherits = &pdc_sata_ops,
22319 .freeze = pdc_freeze,
22320 .thaw = pdc_thaw,
22321 .check_atapi_dma = pdc_old_sata_check_atapi_dma,
22322 };
22323
22324 -static struct ata_port_operations pdc_pata_ops = {
22325 +static const struct ata_port_operations pdc_pata_ops = {
22326 .inherits = &pdc_common_ops,
22327 .cable_detect = pdc_pata_cable_detect,
22328 .freeze = pdc_freeze,
22329 diff -urNp linux-2.6.37/drivers/ata/sata_qstor.c linux-2.6.37/drivers/ata/sata_qstor.c
22330 --- linux-2.6.37/drivers/ata/sata_qstor.c 2011-01-04 19:50:19.000000000 -0500
22331 +++ linux-2.6.37/drivers/ata/sata_qstor.c 2011-01-17 02:41:01.000000000 -0500
22332 @@ -131,7 +131,7 @@ static struct scsi_host_template qs_ata_
22333 .dma_boundary = QS_DMA_BOUNDARY,
22334 };
22335
22336 -static struct ata_port_operations qs_ata_ops = {
22337 +static const struct ata_port_operations qs_ata_ops = {
22338 .inherits = &ata_sff_port_ops,
22339
22340 .check_atapi_dma = qs_check_atapi_dma,
22341 diff -urNp linux-2.6.37/drivers/ata/sata_sil24.c linux-2.6.37/drivers/ata/sata_sil24.c
22342 --- linux-2.6.37/drivers/ata/sata_sil24.c 2011-01-04 19:50:19.000000000 -0500
22343 +++ linux-2.6.37/drivers/ata/sata_sil24.c 2011-01-17 02:41:01.000000000 -0500
22344 @@ -389,7 +389,7 @@ static struct scsi_host_template sil24_s
22345 .dma_boundary = ATA_DMA_BOUNDARY,
22346 };
22347
22348 -static struct ata_port_operations sil24_ops = {
22349 +static const struct ata_port_operations sil24_ops = {
22350 .inherits = &sata_pmp_port_ops,
22351
22352 .qc_defer = sil24_qc_defer,
22353 diff -urNp linux-2.6.37/drivers/ata/sata_sil.c linux-2.6.37/drivers/ata/sata_sil.c
22354 --- linux-2.6.37/drivers/ata/sata_sil.c 2011-01-04 19:50:19.000000000 -0500
22355 +++ linux-2.6.37/drivers/ata/sata_sil.c 2011-01-17 02:41:01.000000000 -0500
22356 @@ -182,7 +182,7 @@ static struct scsi_host_template sil_sht
22357 .sg_tablesize = ATA_MAX_PRD
22358 };
22359
22360 -static struct ata_port_operations sil_ops = {
22361 +static const struct ata_port_operations sil_ops = {
22362 .inherits = &ata_bmdma32_port_ops,
22363 .dev_config = sil_dev_config,
22364 .set_mode = sil_set_mode,
22365 diff -urNp linux-2.6.37/drivers/ata/sata_sis.c linux-2.6.37/drivers/ata/sata_sis.c
22366 --- linux-2.6.37/drivers/ata/sata_sis.c 2011-01-04 19:50:19.000000000 -0500
22367 +++ linux-2.6.37/drivers/ata/sata_sis.c 2011-01-17 02:41:01.000000000 -0500
22368 @@ -89,7 +89,7 @@ static struct scsi_host_template sis_sht
22369 ATA_BMDMA_SHT(DRV_NAME),
22370 };
22371
22372 -static struct ata_port_operations sis_ops = {
22373 +static const struct ata_port_operations sis_ops = {
22374 .inherits = &ata_bmdma_port_ops,
22375 .scr_read = sis_scr_read,
22376 .scr_write = sis_scr_write,
22377 diff -urNp linux-2.6.37/drivers/ata/sata_svw.c linux-2.6.37/drivers/ata/sata_svw.c
22378 --- linux-2.6.37/drivers/ata/sata_svw.c 2011-01-04 19:50:19.000000000 -0500
22379 +++ linux-2.6.37/drivers/ata/sata_svw.c 2011-01-17 02:41:01.000000000 -0500
22380 @@ -344,7 +344,7 @@ static struct scsi_host_template k2_sata
22381 };
22382
22383
22384 -static struct ata_port_operations k2_sata_ops = {
22385 +static const struct ata_port_operations k2_sata_ops = {
22386 .inherits = &ata_bmdma_port_ops,
22387 .sff_tf_load = k2_sata_tf_load,
22388 .sff_tf_read = k2_sata_tf_read,
22389 diff -urNp linux-2.6.37/drivers/ata/sata_sx4.c linux-2.6.37/drivers/ata/sata_sx4.c
22390 --- linux-2.6.37/drivers/ata/sata_sx4.c 2011-01-04 19:50:19.000000000 -0500
22391 +++ linux-2.6.37/drivers/ata/sata_sx4.c 2011-01-17 02:41:01.000000000 -0500
22392 @@ -249,7 +249,7 @@ static struct scsi_host_template pdc_sat
22393 };
22394
22395 /* TODO: inherit from base port_ops after converting to new EH */
22396 -static struct ata_port_operations pdc_20621_ops = {
22397 +static const struct ata_port_operations pdc_20621_ops = {
22398 .inherits = &ata_sff_port_ops,
22399
22400 .check_atapi_dma = pdc_check_atapi_dma,
22401 diff -urNp linux-2.6.37/drivers/ata/sata_uli.c linux-2.6.37/drivers/ata/sata_uli.c
22402 --- linux-2.6.37/drivers/ata/sata_uli.c 2011-01-04 19:50:19.000000000 -0500
22403 +++ linux-2.6.37/drivers/ata/sata_uli.c 2011-01-17 02:41:01.000000000 -0500
22404 @@ -80,7 +80,7 @@ static struct scsi_host_template uli_sht
22405 ATA_BMDMA_SHT(DRV_NAME),
22406 };
22407
22408 -static struct ata_port_operations uli_ops = {
22409 +static const struct ata_port_operations uli_ops = {
22410 .inherits = &ata_bmdma_port_ops,
22411 .scr_read = uli_scr_read,
22412 .scr_write = uli_scr_write,
22413 diff -urNp linux-2.6.37/drivers/ata/sata_via.c linux-2.6.37/drivers/ata/sata_via.c
22414 --- linux-2.6.37/drivers/ata/sata_via.c 2011-01-04 19:50:19.000000000 -0500
22415 +++ linux-2.6.37/drivers/ata/sata_via.c 2011-01-17 02:41:01.000000000 -0500
22416 @@ -115,32 +115,32 @@ static struct scsi_host_template svia_sh
22417 ATA_BMDMA_SHT(DRV_NAME),
22418 };
22419
22420 -static struct ata_port_operations svia_base_ops = {
22421 +static const struct ata_port_operations svia_base_ops = {
22422 .inherits = &ata_bmdma_port_ops,
22423 .sff_tf_load = svia_tf_load,
22424 };
22425
22426 -static struct ata_port_operations vt6420_sata_ops = {
22427 +static const struct ata_port_operations vt6420_sata_ops = {
22428 .inherits = &svia_base_ops,
22429 .freeze = svia_noop_freeze,
22430 .prereset = vt6420_prereset,
22431 .bmdma_start = vt6420_bmdma_start,
22432 };
22433
22434 -static struct ata_port_operations vt6421_pata_ops = {
22435 +static const struct ata_port_operations vt6421_pata_ops = {
22436 .inherits = &svia_base_ops,
22437 .cable_detect = vt6421_pata_cable_detect,
22438 .set_piomode = vt6421_set_pio_mode,
22439 .set_dmamode = vt6421_set_dma_mode,
22440 };
22441
22442 -static struct ata_port_operations vt6421_sata_ops = {
22443 +static const struct ata_port_operations vt6421_sata_ops = {
22444 .inherits = &svia_base_ops,
22445 .scr_read = svia_scr_read,
22446 .scr_write = svia_scr_write,
22447 };
22448
22449 -static struct ata_port_operations vt8251_ops = {
22450 +static const struct ata_port_operations vt8251_ops = {
22451 .inherits = &svia_base_ops,
22452 .hardreset = sata_std_hardreset,
22453 .scr_read = vt8251_scr_read,
22454 diff -urNp linux-2.6.37/drivers/ata/sata_vsc.c linux-2.6.37/drivers/ata/sata_vsc.c
22455 --- linux-2.6.37/drivers/ata/sata_vsc.c 2011-01-04 19:50:19.000000000 -0500
22456 +++ linux-2.6.37/drivers/ata/sata_vsc.c 2011-01-17 02:41:01.000000000 -0500
22457 @@ -300,7 +300,7 @@ static struct scsi_host_template vsc_sat
22458 };
22459
22460
22461 -static struct ata_port_operations vsc_sata_ops = {
22462 +static const struct ata_port_operations vsc_sata_ops = {
22463 .inherits = &ata_bmdma_port_ops,
22464 /* The IRQ handling is not quite standard SFF behaviour so we
22465 cannot use the default lost interrupt handler */
22466 diff -urNp linux-2.6.37/drivers/atm/adummy.c linux-2.6.37/drivers/atm/adummy.c
22467 --- linux-2.6.37/drivers/atm/adummy.c 2011-01-04 19:50:19.000000000 -0500
22468 +++ linux-2.6.37/drivers/atm/adummy.c 2011-01-17 02:41:01.000000000 -0500
22469 @@ -114,7 +114,7 @@ adummy_send(struct atm_vcc *vcc, struct
22470 vcc->pop(vcc, skb);
22471 else
22472 dev_kfree_skb_any(skb);
22473 - atomic_inc(&vcc->stats->tx);
22474 + atomic_inc_unchecked(&vcc->stats->tx);
22475
22476 return 0;
22477 }
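Review bot: `atomic_inc_unchecked(&vcc->stats->tx)` is only type-correct if the `tx` member (and the sibling counters in the ATM stats structure) were changed to `atomic_unchecked_t` in the header hunk, which is not visible in this chunk; with the field still `atomic_t` this line will not build. The intent, exempting pure statistics counters from refcount-overflow trapping because wraparound of a stats field is benign, is reasonable but nowhere stated, so a one-line comment where the field types change, e.g. `/* stats only: wraparound is benign, exempt from refcount overflow checking */`, would make the exemption reviewable. The same applies to the ambassador.c, atmtcp.c and eni.c hunks below.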
22478 diff -urNp linux-2.6.37/drivers/atm/ambassador.c linux-2.6.37/drivers/atm/ambassador.c
22479 --- linux-2.6.37/drivers/atm/ambassador.c 2011-01-04 19:50:19.000000000 -0500
22480 +++ linux-2.6.37/drivers/atm/ambassador.c 2011-01-17 02:41:01.000000000 -0500
22481 @@ -454,7 +454,7 @@ static void tx_complete (amb_dev * dev,
22482 PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx);
22483
22484 // VC layer stats
22485 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
22486 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
22487
22488 // free the descriptor
22489 kfree (tx_descr);
22490 @@ -495,7 +495,7 @@ static void rx_complete (amb_dev * dev,
22491 dump_skb ("<<<", vc, skb);
22492
22493 // VC layer stats
22494 - atomic_inc(&atm_vcc->stats->rx);
22495 + atomic_inc_unchecked(&atm_vcc->stats->rx);
22496 __net_timestamp(skb);
22497 // end of our responsability
22498 atm_vcc->push (atm_vcc, skb);
22499 @@ -510,7 +510,7 @@ static void rx_complete (amb_dev * dev,
22500 } else {
22501 PRINTK (KERN_INFO, "dropped over-size frame");
22502 // should we count this?
22503 - atomic_inc(&atm_vcc->stats->rx_drop);
22504 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
22505 }
22506
22507 } else {
22508 @@ -1342,7 +1342,7 @@ static int amb_send (struct atm_vcc * at
22509 }
22510
22511 if (check_area (skb->data, skb->len)) {
22512 - atomic_inc(&atm_vcc->stats->tx_err);
22513 + atomic_inc_unchecked(&atm_vcc->stats->tx_err);
22514 return -ENOMEM; // ?
22515 }
22516
22517 diff -urNp linux-2.6.37/drivers/atm/atmtcp.c linux-2.6.37/drivers/atm/atmtcp.c
22518 --- linux-2.6.37/drivers/atm/atmtcp.c 2011-01-04 19:50:19.000000000 -0500
22519 +++ linux-2.6.37/drivers/atm/atmtcp.c 2011-01-17 02:41:01.000000000 -0500
22520 @@ -207,7 +207,7 @@ static int atmtcp_v_send(struct atm_vcc
22521 if (vcc->pop) vcc->pop(vcc,skb);
22522 else dev_kfree_skb(skb);
22523 if (dev_data) return 0;
22524 - atomic_inc(&vcc->stats->tx_err);
22525 + atomic_inc_unchecked(&vcc->stats->tx_err);
22526 return -ENOLINK;
22527 }
22528 size = skb->len+sizeof(struct atmtcp_hdr);
22529 @@ -215,7 +215,7 @@ static int atmtcp_v_send(struct atm_vcc
22530 if (!new_skb) {
22531 if (vcc->pop) vcc->pop(vcc,skb);
22532 else dev_kfree_skb(skb);
22533 - atomic_inc(&vcc->stats->tx_err);
22534 + atomic_inc_unchecked(&vcc->stats->tx_err);
22535 return -ENOBUFS;
22536 }
22537 hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr));
22538 @@ -226,8 +226,8 @@ static int atmtcp_v_send(struct atm_vcc
22539 if (vcc->pop) vcc->pop(vcc,skb);
22540 else dev_kfree_skb(skb);
22541 out_vcc->push(out_vcc,new_skb);
22542 - atomic_inc(&vcc->stats->tx);
22543 - atomic_inc(&out_vcc->stats->rx);
22544 + atomic_inc_unchecked(&vcc->stats->tx);
22545 + atomic_inc_unchecked(&out_vcc->stats->rx);
22546 return 0;
22547 }
22548
22549 @@ -301,7 +301,7 @@ static int atmtcp_c_send(struct atm_vcc
22550 out_vcc = find_vcc(dev, ntohs(hdr->vpi), ntohs(hdr->vci));
22551 read_unlock(&vcc_sklist_lock);
22552 if (!out_vcc) {
22553 - atomic_inc(&vcc->stats->tx_err);
22554 + atomic_inc_unchecked(&vcc->stats->tx_err);
22555 goto done;
22556 }
22557 skb_pull(skb,sizeof(struct atmtcp_hdr));
22558 @@ -313,8 +313,8 @@ static int atmtcp_c_send(struct atm_vcc
22559 __net_timestamp(new_skb);
22560 skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len);
22561 out_vcc->push(out_vcc,new_skb);
22562 - atomic_inc(&vcc->stats->tx);
22563 - atomic_inc(&out_vcc->stats->rx);
22564 + atomic_inc_unchecked(&vcc->stats->tx);
22565 + atomic_inc_unchecked(&out_vcc->stats->rx);
22566 done:
22567 if (vcc->pop) vcc->pop(vcc,skb);
22568 else dev_kfree_skb(skb);
22569 diff -urNp linux-2.6.37/drivers/atm/eni.c linux-2.6.37/drivers/atm/eni.c
22570 --- linux-2.6.37/drivers/atm/eni.c 2011-01-04 19:50:19.000000000 -0500
22571 +++ linux-2.6.37/drivers/atm/eni.c 2011-01-17 02:41:01.000000000 -0500
22572 @@ -526,7 +526,7 @@ static int rx_aal0(struct atm_vcc *vcc)
22573 DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n",
22574 vcc->dev->number);
22575 length = 0;
22576 - atomic_inc(&vcc->stats->rx_err);
22577 + atomic_inc_unchecked(&vcc->stats->rx_err);
22578 }
22579 else {
22580 length = ATM_CELL_SIZE-1; /* no HEC */
22581 @@ -581,7 +581,7 @@ static int rx_aal5(struct atm_vcc *vcc)
22582 size);
22583 }
22584 eff = length = 0;
22585 - atomic_inc(&vcc->stats->rx_err);
22586 + atomic_inc_unchecked(&vcc->stats->rx_err);
22587 }
22588 else {
22589 size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2);
22590 @@ -598,7 +598,7 @@ static int rx_aal5(struct atm_vcc *vcc)
22591 "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n",
22592 vcc->dev->number,vcc->vci,length,size << 2,descr);
22593 length = eff = 0;
22594 - atomic_inc(&vcc->stats->rx_err);
22595 + atomic_inc_unchecked(&vcc->stats->rx_err);
22596 }
22597 }
22598 skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL;
22599 @@ -771,7 +771,7 @@ rx_dequeued++;
22600 vcc->push(vcc,skb);
22601 pushed++;
22602 }
22603 - atomic_inc(&vcc->stats->rx);
22604 + atomic_inc_unchecked(&vcc->stats->rx);
22605 }
22606 wake_up(&eni_dev->rx_wait);
22607 }
22608 @@ -1228,7 +1228,7 @@ static void dequeue_tx(struct atm_dev *d
22609 PCI_DMA_TODEVICE);
22610 if (vcc->pop) vcc->pop(vcc,skb);
22611 else dev_kfree_skb_irq(skb);
22612 - atomic_inc(&vcc->stats->tx);
22613 + atomic_inc_unchecked(&vcc->stats->tx);
22614 wake_up(&eni_dev->tx_wait);
22615 dma_complete++;
22616 }
22617 diff -urNp linux-2.6.37/drivers/atm/firestream.c linux-2.6.37/drivers/atm/firestream.c
22618 --- linux-2.6.37/drivers/atm/firestream.c 2011-01-04 19:50:19.000000000 -0500
22619 +++ linux-2.6.37/drivers/atm/firestream.c 2011-01-17 02:41:01.000000000 -0500
22620 @@ -749,7 +749,7 @@ static void process_txdone_queue (struct
22621 }
22622 }
22623
22624 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
22625 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
22626
22627 fs_dprintk (FS_DEBUG_TXMEM, "i");
22628 fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb);
22629 @@ -816,7 +816,7 @@ static void process_incoming (struct fs_
22630 #endif
22631 skb_put (skb, qe->p1 & 0xffff);
22632 ATM_SKB(skb)->vcc = atm_vcc;
22633 - atomic_inc(&atm_vcc->stats->rx);
22634 + atomic_inc_unchecked(&atm_vcc->stats->rx);
22635 __net_timestamp(skb);
22636 fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb);
22637 atm_vcc->push (atm_vcc, skb);
22638 @@ -837,12 +837,12 @@ static void process_incoming (struct fs_
22639 kfree (pe);
22640 }
22641 if (atm_vcc)
22642 - atomic_inc(&atm_vcc->stats->rx_drop);
22643 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
22644 break;
22645 case 0x1f: /* Reassembly abort: no buffers. */
22646 /* Silently increment error counter. */
22647 if (atm_vcc)
22648 - atomic_inc(&atm_vcc->stats->rx_drop);
22649 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
22650 break;
22651 default: /* Hmm. Haven't written the code to handle the others yet... -- REW */
22652 printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n",
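Review bot: The `default:` arm that starts at the end of this hunk only logs the unknown RX status, while the two arms above it increment `rx_drop` on the VC; as far as the visible lines show, a frame discarded with an unrecognised status is not counted anywhere. If the remainder of that arm (outside the hunk) does not account for it, `if (atm_vcc) atomic_inc_unchecked(&atm_vcc->stats->rx_err);` after the printk would keep the per-VC counters consistent with the other arms. `process_incoming` starts and ends outside the hunk.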
22653 diff -urNp linux-2.6.37/drivers/atm/fore200e.c linux-2.6.37/drivers/atm/fore200e.c
22654 --- linux-2.6.37/drivers/atm/fore200e.c 2011-01-04 19:50:19.000000000 -0500
22655 +++ linux-2.6.37/drivers/atm/fore200e.c 2011-01-17 02:41:01.000000000 -0500
22656 @@ -933,9 +933,9 @@ fore200e_tx_irq(struct fore200e* fore200
22657 #endif
22658 /* check error condition */
22659 if (*entry->status & STATUS_ERROR)
22660 - atomic_inc(&vcc->stats->tx_err);
22661 + atomic_inc_unchecked(&vcc->stats->tx_err);
22662 else
22663 - atomic_inc(&vcc->stats->tx);
22664 + atomic_inc_unchecked(&vcc->stats->tx);
22665 }
22666 }
22667
22668 @@ -1084,7 +1084,7 @@ fore200e_push_rpd(struct fore200e* fore2
22669 if (skb == NULL) {
22670 DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len);
22671
22672 - atomic_inc(&vcc->stats->rx_drop);
22673 + atomic_inc_unchecked(&vcc->stats->rx_drop);
22674 return -ENOMEM;
22675 }
22676
22677 @@ -1127,14 +1127,14 @@ fore200e_push_rpd(struct fore200e* fore2
22678
22679 dev_kfree_skb_any(skb);
22680
22681 - atomic_inc(&vcc->stats->rx_drop);
22682 + atomic_inc_unchecked(&vcc->stats->rx_drop);
22683 return -ENOMEM;
22684 }
22685
22686 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
22687
22688 vcc->push(vcc, skb);
22689 - atomic_inc(&vcc->stats->rx);
22690 + atomic_inc_unchecked(&vcc->stats->rx);
22691
22692 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
22693
22694 @@ -1212,7 +1212,7 @@ fore200e_rx_irq(struct fore200e* fore200
22695 DPRINTK(2, "damaged PDU on %d.%d.%d\n",
22696 fore200e->atm_dev->number,
22697 entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci);
22698 - atomic_inc(&vcc->stats->rx_err);
22699 + atomic_inc_unchecked(&vcc->stats->rx_err);
22700 }
22701 }
22702
22703 @@ -1657,7 +1657,7 @@ fore200e_send(struct atm_vcc *vcc, struc
22704 goto retry_here;
22705 }
22706
22707 - atomic_inc(&vcc->stats->tx_err);
22708 + atomic_inc_unchecked(&vcc->stats->tx_err);
22709
22710 fore200e->tx_sat++;
22711 DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n",
22712 diff -urNp linux-2.6.37/drivers/atm/he.c linux-2.6.37/drivers/atm/he.c
22713 --- linux-2.6.37/drivers/atm/he.c 2011-01-04 19:50:19.000000000 -0500
22714 +++ linux-2.6.37/drivers/atm/he.c 2011-01-17 02:41:01.000000000 -0500
22715 @@ -1709,7 +1709,7 @@ he_service_rbrq(struct he_dev *he_dev, i
22716
22717 if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) {
22718 hprintk("HBUF_ERR! (cid 0x%x)\n", cid);
22719 - atomic_inc(&vcc->stats->rx_drop);
22720 + atomic_inc_unchecked(&vcc->stats->rx_drop);
22721 goto return_host_buffers;
22722 }
22723
22724 @@ -1736,7 +1736,7 @@ he_service_rbrq(struct he_dev *he_dev, i
22725 RBRQ_LEN_ERR(he_dev->rbrq_head)
22726 ? "LEN_ERR" : "",
22727 vcc->vpi, vcc->vci);
22728 - atomic_inc(&vcc->stats->rx_err);
22729 + atomic_inc_unchecked(&vcc->stats->rx_err);
22730 goto return_host_buffers;
22731 }
22732
22733 @@ -1788,7 +1788,7 @@ he_service_rbrq(struct he_dev *he_dev, i
22734 vcc->push(vcc, skb);
22735 spin_lock(&he_dev->global_lock);
22736
22737 - atomic_inc(&vcc->stats->rx);
22738 + atomic_inc_unchecked(&vcc->stats->rx);
22739
22740 return_host_buffers:
22741 ++pdus_assembled;
22742 @@ -2114,7 +2114,7 @@ __enqueue_tpd(struct he_dev *he_dev, str
22743 tpd->vcc->pop(tpd->vcc, tpd->skb);
22744 else
22745 dev_kfree_skb_any(tpd->skb);
22746 - atomic_inc(&tpd->vcc->stats->tx_err);
22747 + atomic_inc_unchecked(&tpd->vcc->stats->tx_err);
22748 }
22749 pci_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status));
22750 return;
22751 @@ -2526,7 +2526,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22752 vcc->pop(vcc, skb);
22753 else
22754 dev_kfree_skb_any(skb);
22755 - atomic_inc(&vcc->stats->tx_err);
22756 + atomic_inc_unchecked(&vcc->stats->tx_err);
22757 return -EINVAL;
22758 }
22759
22760 @@ -2537,7 +2537,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22761 vcc->pop(vcc, skb);
22762 else
22763 dev_kfree_skb_any(skb);
22764 - atomic_inc(&vcc->stats->tx_err);
22765 + atomic_inc_unchecked(&vcc->stats->tx_err);
22766 return -EINVAL;
22767 }
22768 #endif
22769 @@ -2549,7 +2549,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22770 vcc->pop(vcc, skb);
22771 else
22772 dev_kfree_skb_any(skb);
22773 - atomic_inc(&vcc->stats->tx_err);
22774 + atomic_inc_unchecked(&vcc->stats->tx_err);
22775 spin_unlock_irqrestore(&he_dev->global_lock, flags);
22776 return -ENOMEM;
22777 }
22778 @@ -2591,7 +2591,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22779 vcc->pop(vcc, skb);
22780 else
22781 dev_kfree_skb_any(skb);
22782 - atomic_inc(&vcc->stats->tx_err);
22783 + atomic_inc_unchecked(&vcc->stats->tx_err);
22784 spin_unlock_irqrestore(&he_dev->global_lock, flags);
22785 return -ENOMEM;
22786 }
22787 @@ -2622,7 +2622,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22788 __enqueue_tpd(he_dev, tpd, cid);
22789 spin_unlock_irqrestore(&he_dev->global_lock, flags);
22790
22791 - atomic_inc(&vcc->stats->tx);
22792 + atomic_inc_unchecked(&vcc->stats->tx);
22793
22794 return 0;
22795 }
22796 diff -urNp linux-2.6.37/drivers/atm/horizon.c linux-2.6.37/drivers/atm/horizon.c
22797 --- linux-2.6.37/drivers/atm/horizon.c 2011-01-04 19:50:19.000000000 -0500
22798 +++ linux-2.6.37/drivers/atm/horizon.c 2011-01-17 02:41:01.000000000 -0500
22799 @@ -1034,7 +1034,7 @@ static void rx_schedule (hrz_dev * dev,
22800 {
22801 struct atm_vcc * vcc = ATM_SKB(skb)->vcc;
22802 // VC layer stats
22803 - atomic_inc(&vcc->stats->rx);
22804 + atomic_inc_unchecked(&vcc->stats->rx);
22805 __net_timestamp(skb);
22806 // end of our responsability
22807 vcc->push (vcc, skb);
22808 @@ -1186,7 +1186,7 @@ static void tx_schedule (hrz_dev * const
22809 dev->tx_iovec = NULL;
22810
22811 // VC layer stats
22812 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
22813 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
22814
22815 // free the skb
22816 hrz_kfree_skb (skb);
22817 diff -urNp linux-2.6.37/drivers/atm/idt77252.c linux-2.6.37/drivers/atm/idt77252.c
22818 --- linux-2.6.37/drivers/atm/idt77252.c 2011-01-04 19:50:19.000000000 -0500
22819 +++ linux-2.6.37/drivers/atm/idt77252.c 2011-01-17 02:41:01.000000000 -0500
22820 @@ -811,7 +811,7 @@ drain_scq(struct idt77252_dev *card, str
22821 else
22822 dev_kfree_skb(skb);
22823
22824 - atomic_inc(&vcc->stats->tx);
22825 + atomic_inc_unchecked(&vcc->stats->tx);
22826 }
22827
22828 atomic_dec(&scq->used);
22829 @@ -1074,13 +1074,13 @@ dequeue_rx(struct idt77252_dev *card, st
22830 if ((sb = dev_alloc_skb(64)) == NULL) {
22831 printk("%s: Can't allocate buffers for aal0.\n",
22832 card->name);
22833 - atomic_add(i, &vcc->stats->rx_drop);
22834 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
22835 break;
22836 }
22837 if (!atm_charge(vcc, sb->truesize)) {
22838 RXPRINTK("%s: atm_charge() dropped aal0 packets.\n",
22839 card->name);
22840 - atomic_add(i - 1, &vcc->stats->rx_drop);
22841 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);
22842 dev_kfree_skb(sb);
22843 break;
22844 }
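Review bot: The `i - 1` passed to `atomic_add_unchecked()` in the `atm_charge()` failure branch is unexplained here, while the identical branch in nicstar's `dequeue_rx` in this same patch carries the comment `/* already increased by 1 */`. That comment indicates `atm_charge()` has already counted one drop, which is the only reason this branch differs from the `i` used in the allocation-failure branch just above; the same comment on the idt77252 line would stop the asymmetry from being read as an off-by-one. `dequeue_rx` starts and ends outside the hunk.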
22845 @@ -1097,7 +1097,7 @@ dequeue_rx(struct idt77252_dev *card, st
22846 ATM_SKB(sb)->vcc = vcc;
22847 __net_timestamp(sb);
22848 vcc->push(vcc, sb);
22849 - atomic_inc(&vcc->stats->rx);
22850 + atomic_inc_unchecked(&vcc->stats->rx);
22851
22852 cell += ATM_CELL_PAYLOAD;
22853 }
22854 @@ -1134,13 +1134,13 @@ dequeue_rx(struct idt77252_dev *card, st
22855 "(CDC: %08x)\n",
22856 card->name, len, rpp->len, readl(SAR_REG_CDC));
22857 recycle_rx_pool_skb(card, rpp);
22858 - atomic_inc(&vcc->stats->rx_err);
22859 + atomic_inc_unchecked(&vcc->stats->rx_err);
22860 return;
22861 }
22862 if (stat & SAR_RSQE_CRC) {
22863 RXPRINTK("%s: AAL5 CRC error.\n", card->name);
22864 recycle_rx_pool_skb(card, rpp);
22865 - atomic_inc(&vcc->stats->rx_err);
22866 + atomic_inc_unchecked(&vcc->stats->rx_err);
22867 return;
22868 }
22869 if (skb_queue_len(&rpp->queue) > 1) {
22870 @@ -1151,7 +1151,7 @@ dequeue_rx(struct idt77252_dev *card, st
22871 RXPRINTK("%s: Can't alloc RX skb.\n",
22872 card->name);
22873 recycle_rx_pool_skb(card, rpp);
22874 - atomic_inc(&vcc->stats->rx_err);
22875 + atomic_inc_unchecked(&vcc->stats->rx_err);
22876 return;
22877 }
22878 if (!atm_charge(vcc, skb->truesize)) {
22879 @@ -1170,7 +1170,7 @@ dequeue_rx(struct idt77252_dev *card, st
22880 __net_timestamp(skb);
22881
22882 vcc->push(vcc, skb);
22883 - atomic_inc(&vcc->stats->rx);
22884 + atomic_inc_unchecked(&vcc->stats->rx);
22885
22886 return;
22887 }
22888 @@ -1192,7 +1192,7 @@ dequeue_rx(struct idt77252_dev *card, st
22889 __net_timestamp(skb);
22890
22891 vcc->push(vcc, skb);
22892 - atomic_inc(&vcc->stats->rx);
22893 + atomic_inc_unchecked(&vcc->stats->rx);
22894
22895 if (skb->truesize > SAR_FB_SIZE_3)
22896 add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
22897 @@ -1304,14 +1304,14 @@ idt77252_rx_raw(struct idt77252_dev *car
22898 if (vcc->qos.aal != ATM_AAL0) {
22899 RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n",
22900 card->name, vpi, vci);
22901 - atomic_inc(&vcc->stats->rx_drop);
22902 + atomic_inc_unchecked(&vcc->stats->rx_drop);
22903 goto drop;
22904 }
22905
22906 if ((sb = dev_alloc_skb(64)) == NULL) {
22907 printk("%s: Can't allocate buffers for AAL0.\n",
22908 card->name);
22909 - atomic_inc(&vcc->stats->rx_err);
22910 + atomic_inc_unchecked(&vcc->stats->rx_err);
22911 goto drop;
22912 }
22913
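Review bot: The `dev_alloc_skb(64)` failure in this hunk is counted as `rx_err`, whereas the same allocation failure in this driver's `dequeue_rx` AAL0 path (and in nicstar) is counted as `rx_drop`, and the only other discard in this hunk, the non-AAL0 VC case, also uses `rx_drop`. An out-of-memory drop is not a receive error on the wire, so `atomic_inc_unchecked(&vcc->stats->rx_drop);` would keep the two counters meaningful across the driver. The mechanical `_unchecked` conversion preserves the inconsistency; `idt77252_rx_raw` continues outside the hunk.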
22914 @@ -1330,7 +1330,7 @@ idt77252_rx_raw(struct idt77252_dev *car
22915 ATM_SKB(sb)->vcc = vcc;
22916 __net_timestamp(sb);
22917 vcc->push(vcc, sb);
22918 - atomic_inc(&vcc->stats->rx);
22919 + atomic_inc_unchecked(&vcc->stats->rx);
22920
22921 drop:
22922 skb_pull(queue, 64);
22923 @@ -1955,13 +1955,13 @@ idt77252_send_skb(struct atm_vcc *vcc, s
22924
22925 if (vc == NULL) {
22926 printk("%s: NULL connection in send().\n", card->name);
22927 - atomic_inc(&vcc->stats->tx_err);
22928 + atomic_inc_unchecked(&vcc->stats->tx_err);
22929 dev_kfree_skb(skb);
22930 return -EINVAL;
22931 }
22932 if (!test_bit(VCF_TX, &vc->flags)) {
22933 printk("%s: Trying to transmit on a non-tx VC.\n", card->name);
22934 - atomic_inc(&vcc->stats->tx_err);
22935 + atomic_inc_unchecked(&vcc->stats->tx_err);
22936 dev_kfree_skb(skb);
22937 return -EINVAL;
22938 }
22939 @@ -1973,14 +1973,14 @@ idt77252_send_skb(struct atm_vcc *vcc, s
22940 break;
22941 default:
22942 printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal);
22943 - atomic_inc(&vcc->stats->tx_err);
22944 + atomic_inc_unchecked(&vcc->stats->tx_err);
22945 dev_kfree_skb(skb);
22946 return -EINVAL;
22947 }
22948
22949 if (skb_shinfo(skb)->nr_frags != 0) {
22950 printk("%s: No scatter-gather yet.\n", card->name);
22951 - atomic_inc(&vcc->stats->tx_err);
22952 + atomic_inc_unchecked(&vcc->stats->tx_err);
22953 dev_kfree_skb(skb);
22954 return -EINVAL;
22955 }
22956 @@ -1988,7 +1988,7 @@ idt77252_send_skb(struct atm_vcc *vcc, s
22957
22958 err = queue_skb(card, vc, skb, oam);
22959 if (err) {
22960 - atomic_inc(&vcc->stats->tx_err);
22961 + atomic_inc_unchecked(&vcc->stats->tx_err);
22962 dev_kfree_skb(skb);
22963 return err;
22964 }
22965 @@ -2011,7 +2011,7 @@ idt77252_send_oam(struct atm_vcc *vcc, v
22966 skb = dev_alloc_skb(64);
22967 if (!skb) {
22968 printk("%s: Out of memory in send_oam().\n", card->name);
22969 - atomic_inc(&vcc->stats->tx_err);
22970 + atomic_inc_unchecked(&vcc->stats->tx_err);
22971 return -ENOMEM;
22972 }
22973 atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
22974 diff -urNp linux-2.6.37/drivers/atm/iphase.c linux-2.6.37/drivers/atm/iphase.c
22975 --- linux-2.6.37/drivers/atm/iphase.c 2011-01-04 19:50:19.000000000 -0500
22976 +++ linux-2.6.37/drivers/atm/iphase.c 2011-01-17 02:41:01.000000000 -0500
22977 @@ -1124,7 +1124,7 @@ static int rx_pkt(struct atm_dev *dev)
22978 status = (u_short) (buf_desc_ptr->desc_mode);
22979 if (status & (RX_CER | RX_PTE | RX_OFL))
22980 {
22981 - atomic_inc(&vcc->stats->rx_err);
22982 + atomic_inc_unchecked(&vcc->stats->rx_err);
22983 IF_ERR(printk("IA: bad packet, dropping it");)
22984 if (status & RX_CER) {
22985 IF_ERR(printk(" cause: packet CRC error\n");)
22986 @@ -1147,7 +1147,7 @@ static int rx_pkt(struct atm_dev *dev)
22987 len = dma_addr - buf_addr;
22988 if (len > iadev->rx_buf_sz) {
22989 printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz);
22990 - atomic_inc(&vcc->stats->rx_err);
22991 + atomic_inc_unchecked(&vcc->stats->rx_err);
22992 goto out_free_desc;
22993 }
22994
22995 @@ -1297,7 +1297,7 @@ static void rx_dle_intr(struct atm_dev *
22996 ia_vcc = INPH_IA_VCC(vcc);
22997 if (ia_vcc == NULL)
22998 {
22999 - atomic_inc(&vcc->stats->rx_err);
23000 + atomic_inc_unchecked(&vcc->stats->rx_err);
23001 dev_kfree_skb_any(skb);
23002 atm_return(vcc, atm_guess_pdu2truesize(len));
23003 goto INCR_DLE;
23004 @@ -1309,7 +1309,7 @@ static void rx_dle_intr(struct atm_dev *
23005 if ((length > iadev->rx_buf_sz) || (length >
23006 (skb->len - sizeof(struct cpcs_trailer))))
23007 {
23008 - atomic_inc(&vcc->stats->rx_err);
23009 + atomic_inc_unchecked(&vcc->stats->rx_err);
23010 IF_ERR(printk("rx_dle_intr: Bad AAL5 trailer %d (skb len %d)",
23011 length, skb->len);)
23012 dev_kfree_skb_any(skb);
23013 @@ -1325,7 +1325,7 @@ static void rx_dle_intr(struct atm_dev *
23014
23015 IF_RX(printk("rx_dle_intr: skb push");)
23016 vcc->push(vcc,skb);
23017 - atomic_inc(&vcc->stats->rx);
23018 + atomic_inc_unchecked(&vcc->stats->rx);
23019 iadev->rx_pkt_cnt++;
23020 }
23021 INCR_DLE:
23022 @@ -2807,15 +2807,15 @@ static int ia_ioctl(struct atm_dev *dev,
23023 {
23024 struct k_sonet_stats *stats;
23025 stats = &PRIV(_ia_dev[board])->sonet_stats;
23026 - printk("section_bip: %d\n", atomic_read(&stats->section_bip));
23027 - printk("line_bip : %d\n", atomic_read(&stats->line_bip));
23028 - printk("path_bip : %d\n", atomic_read(&stats->path_bip));
23029 - printk("line_febe : %d\n", atomic_read(&stats->line_febe));
23030 - printk("path_febe : %d\n", atomic_read(&stats->path_febe));
23031 - printk("corr_hcs : %d\n", atomic_read(&stats->corr_hcs));
23032 - printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs));
23033 - printk("tx_cells : %d\n", atomic_read(&stats->tx_cells));
23034 - printk("rx_cells : %d\n", atomic_read(&stats->rx_cells));
23035 + printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));
23036 + printk("line_bip : %d\n", atomic_read_unchecked(&stats->line_bip));
23037 + printk("path_bip : %d\n", atomic_read_unchecked(&stats->path_bip));
23038 + printk("line_febe : %d\n", atomic_read_unchecked(&stats->line_febe));
23039 + printk("path_febe : %d\n", atomic_read_unchecked(&stats->path_febe));
23040 + printk("corr_hcs : %d\n", atomic_read_unchecked(&stats->corr_hcs));
23041 + printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs));
23042 + printk("tx_cells : %d\n", atomic_read_unchecked(&stats->tx_cells));
23043 + printk("rx_cells : %d\n", atomic_read_unchecked(&stats->rx_cells));
23044 }
23045 ia_cmds.status = 0;
23046 break;
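Review bot: The nine `printk()` calls rewritten in this hunk carry no log level, so the statistics dump is emitted at the default level; a diagnostic dump triggered from an ioctl would conventionally use `printk(KERN_INFO "section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));` and likewise on the remaining lines. Adding the level while touching every one of these lines anyway would be cheap. `ia_ioctl` starts and ends outside the hunk.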
23047 @@ -2920,7 +2920,7 @@ static int ia_pkt_tx (struct atm_vcc *vc
23048 if ((desc == 0) || (desc > iadev->num_tx_desc))
23049 {
23050 IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);)
23051 - atomic_inc(&vcc->stats->tx);
23052 + atomic_inc_unchecked(&vcc->stats->tx);
23053 if (vcc->pop)
23054 vcc->pop(vcc, skb);
23055 else
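Review bot: The invalid-descriptor path in this hunk bumps `tx` even though the skb is popped or freed and never transmitted, so a failure is reported as a successful send; `atomic_inc_unchecked(&vcc->stats->tx_err);` is what every other send-error path in this patch (he, idt77252, nicstar) uses. The mechanical `_unchecked` conversion keeps the miscount. `ia_pkt_tx` starts and ends outside the hunk, so what the caller does with this path's return value cannot be judged here.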
23056 @@ -3025,14 +3025,14 @@ static int ia_pkt_tx (struct atm_vcc *vc
23057 ATM_DESC(skb) = vcc->vci;
23058 skb_queue_tail(&iadev->tx_dma_q, skb);
23059
23060 - atomic_inc(&vcc->stats->tx);
23061 + atomic_inc_unchecked(&vcc->stats->tx);
23062 iadev->tx_pkt_cnt++;
23063 /* Increment transaction counter */
23064 writel(2, iadev->dma+IPHASE5575_TX_COUNTER);
23065
23066 #if 0
23067 /* add flow control logic */
23068 - if (atomic_read(&vcc->stats->tx) % 20 == 0) {
23069 + if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) {
23070 if (iavcc->vc_desc_cnt > 10) {
23071 vcc->tx_quota = vcc->tx_quota * 3 / 4;
23072 printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
23073 diff -urNp linux-2.6.37/drivers/atm/lanai.c linux-2.6.37/drivers/atm/lanai.c
23074 --- linux-2.6.37/drivers/atm/lanai.c 2011-01-04 19:50:19.000000000 -0500
23075 +++ linux-2.6.37/drivers/atm/lanai.c 2011-01-17 02:41:01.000000000 -0500
23076 @@ -1303,7 +1303,7 @@ static void lanai_send_one_aal5(struct l
23077 vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0);
23078 lanai_endtx(lanai, lvcc);
23079 lanai_free_skb(lvcc->tx.atmvcc, skb);
23080 - atomic_inc(&lvcc->tx.atmvcc->stats->tx);
23081 + atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx);
23082 }
23083
23084 /* Try to fill the buffer - don't call unless there is backlog */
23085 @@ -1426,7 +1426,7 @@ static void vcc_rx_aal5(struct lanai_vcc
23086 ATM_SKB(skb)->vcc = lvcc->rx.atmvcc;
23087 __net_timestamp(skb);
23088 lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb);
23089 - atomic_inc(&lvcc->rx.atmvcc->stats->rx);
23090 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx);
23091 out:
23092 lvcc->rx.buf.ptr = end;
23093 cardvcc_write(lvcc, endptr, vcc_rxreadptr);
23094 @@ -1668,7 +1668,7 @@ static int handle_service(struct lanai_d
23095 DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 "
23096 "vcc %d\n", lanai->number, (unsigned int) s, vci);
23097 lanai->stats.service_rxnotaal5++;
23098 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23099 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23100 return 0;
23101 }
23102 if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) {
23103 @@ -1680,7 +1680,7 @@ static int handle_service(struct lanai_d
23104 int bytes;
23105 read_unlock(&vcc_sklist_lock);
23106 DPRINTK("got trashed rx pdu on vci %d\n", vci);
23107 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23108 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23109 lvcc->stats.x.aal5.service_trash++;
23110 bytes = (SERVICE_GET_END(s) * 16) -
23111 (((unsigned long) lvcc->rx.buf.ptr) -
23112 @@ -1692,7 +1692,7 @@ static int handle_service(struct lanai_d
23113 }
23114 if (s & SERVICE_STREAM) {
23115 read_unlock(&vcc_sklist_lock);
23116 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23117 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23118 lvcc->stats.x.aal5.service_stream++;
23119 printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream "
23120 "PDU on VCI %d!\n", lanai->number, vci);
23121 @@ -1700,7 +1700,7 @@ static int handle_service(struct lanai_d
23122 return 0;
23123 }
23124 DPRINTK("got rx crc error on vci %d\n", vci);
23125 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23126 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23127 lvcc->stats.x.aal5.service_rxcrc++;
23128 lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4];
23129 cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr);
23130 diff -urNp linux-2.6.37/drivers/atm/nicstar.c linux-2.6.37/drivers/atm/nicstar.c
23131 --- linux-2.6.37/drivers/atm/nicstar.c 2011-01-04 19:50:19.000000000 -0500
23132 +++ linux-2.6.37/drivers/atm/nicstar.c 2011-01-17 02:41:01.000000000 -0500
23133 @@ -1654,7 +1654,7 @@ static int ns_send(struct atm_vcc *vcc,
23134 if ((vc = (vc_map *) vcc->dev_data) == NULL) {
23135 printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n",
23136 card->index);
23137 - atomic_inc(&vcc->stats->tx_err);
23138 + atomic_inc_unchecked(&vcc->stats->tx_err);
23139 dev_kfree_skb_any(skb);
23140 return -EINVAL;
23141 }
23142 @@ -1662,7 +1662,7 @@ static int ns_send(struct atm_vcc *vcc,
23143 if (!vc->tx) {
23144 printk("nicstar%d: Trying to transmit on a non-tx VC.\n",
23145 card->index);
23146 - atomic_inc(&vcc->stats->tx_err);
23147 + atomic_inc_unchecked(&vcc->stats->tx_err);
23148 dev_kfree_skb_any(skb);
23149 return -EINVAL;
23150 }
23151 @@ -1670,14 +1670,14 @@ static int ns_send(struct atm_vcc *vcc,
23152 if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0) {
23153 printk("nicstar%d: Only AAL0 and AAL5 are supported.\n",
23154 card->index);
23155 - atomic_inc(&vcc->stats->tx_err);
23156 + atomic_inc_unchecked(&vcc->stats->tx_err);
23157 dev_kfree_skb_any(skb);
23158 return -EINVAL;
23159 }
23160
23161 if (skb_shinfo(skb)->nr_frags != 0) {
23162 printk("nicstar%d: No scatter-gather yet.\n", card->index);
23163 - atomic_inc(&vcc->stats->tx_err);
23164 + atomic_inc_unchecked(&vcc->stats->tx_err);
23165 dev_kfree_skb_any(skb);
23166 return -EINVAL;
23167 }
23168 @@ -1725,11 +1725,11 @@ static int ns_send(struct atm_vcc *vcc,
23169 }
23170
23171 if (push_scqe(card, vc, scq, &scqe, skb) != 0) {
23172 - atomic_inc(&vcc->stats->tx_err);
23173 + atomic_inc_unchecked(&vcc->stats->tx_err);
23174 dev_kfree_skb_any(skb);
23175 return -EIO;
23176 }
23177 - atomic_inc(&vcc->stats->tx);
23178 + atomic_inc_unchecked(&vcc->stats->tx);
23179
23180 return 0;
23181 }
23182 @@ -2046,14 +2046,14 @@ static void dequeue_rx(ns_dev * card, ns
23183 printk
23184 ("nicstar%d: Can't allocate buffers for aal0.\n",
23185 card->index);
23186 - atomic_add(i, &vcc->stats->rx_drop);
23187 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
23188 break;
23189 }
23190 if (!atm_charge(vcc, sb->truesize)) {
23191 RXPRINTK
23192 ("nicstar%d: atm_charge() dropped aal0 packets.\n",
23193 card->index);
23194 - atomic_add(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */
23195 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */
23196 dev_kfree_skb_any(sb);
23197 break;
23198 }
23199 @@ -2068,7 +2068,7 @@ static void dequeue_rx(ns_dev * card, ns
23200 ATM_SKB(sb)->vcc = vcc;
23201 __net_timestamp(sb);
23202 vcc->push(vcc, sb);
23203 - atomic_inc(&vcc->stats->rx);
23204 + atomic_inc_unchecked(&vcc->stats->rx);
23205 cell += ATM_CELL_PAYLOAD;
23206 }
23207
23208 @@ -2085,7 +2085,7 @@ static void dequeue_rx(ns_dev * card, ns
23209 if (iovb == NULL) {
23210 printk("nicstar%d: Out of iovec buffers.\n",
23211 card->index);
23212 - atomic_inc(&vcc->stats->rx_drop);
23213 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23214 recycle_rx_buf(card, skb);
23215 return;
23216 }
23217 @@ -2109,7 +2109,7 @@ static void dequeue_rx(ns_dev * card, ns
23218 small or large buffer itself. */
23219 } else if (NS_PRV_IOVCNT(iovb) >= NS_MAX_IOVECS) {
23220 printk("nicstar%d: received too big AAL5 SDU.\n", card->index);
23221 - atomic_inc(&vcc->stats->rx_err);
23222 + atomic_inc_unchecked(&vcc->stats->rx_err);
23223 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
23224 NS_MAX_IOVECS);
23225 NS_PRV_IOVCNT(iovb) = 0;
23226 @@ -2129,7 +2129,7 @@ static void dequeue_rx(ns_dev * card, ns
23227 ("nicstar%d: Expected a small buffer, and this is not one.\n",
23228 card->index);
23229 which_list(card, skb);
23230 - atomic_inc(&vcc->stats->rx_err);
23231 + atomic_inc_unchecked(&vcc->stats->rx_err);
23232 recycle_rx_buf(card, skb);
23233 vc->rx_iov = NULL;
23234 recycle_iov_buf(card, iovb);
23235 @@ -2142,7 +2142,7 @@ static void dequeue_rx(ns_dev * card, ns
23236 ("nicstar%d: Expected a large buffer, and this is not one.\n",
23237 card->index);
23238 which_list(card, skb);
23239 - atomic_inc(&vcc->stats->rx_err);
23240 + atomic_inc_unchecked(&vcc->stats->rx_err);
23241 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
23242 NS_PRV_IOVCNT(iovb));
23243 vc->rx_iov = NULL;
23244 @@ -2165,7 +2165,7 @@ static void dequeue_rx(ns_dev * card, ns
23245 printk(" - PDU size mismatch.\n");
23246 else
23247 printk(".\n");
23248 - atomic_inc(&vcc->stats->rx_err);
23249 + atomic_inc_unchecked(&vcc->stats->rx_err);
23250 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
23251 NS_PRV_IOVCNT(iovb));
23252 vc->rx_iov = NULL;
23253 @@ -2179,7 +2179,7 @@ static void dequeue_rx(ns_dev * card, ns
23254 /* skb points to a small buffer */
23255 if (!atm_charge(vcc, skb->truesize)) {
23256 push_rxbufs(card, skb);
23257 - atomic_inc(&vcc->stats->rx_drop);
23258 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23259 } else {
23260 skb_put(skb, len);
23261 dequeue_sm_buf(card, skb);
23262 @@ -2189,7 +2189,7 @@ static void dequeue_rx(ns_dev * card, ns
23263 ATM_SKB(skb)->vcc = vcc;
23264 __net_timestamp(skb);
23265 vcc->push(vcc, skb);
23266 - atomic_inc(&vcc->stats->rx);
23267 + atomic_inc_unchecked(&vcc->stats->rx);
23268 }
23269 } else if (NS_PRV_IOVCNT(iovb) == 2) { /* One small plus one large buffer */
23270 struct sk_buff *sb;
23271 @@ -2200,7 +2200,7 @@ static void dequeue_rx(ns_dev * card, ns
23272 if (len <= NS_SMBUFSIZE) {
23273 if (!atm_charge(vcc, sb->truesize)) {
23274 push_rxbufs(card, sb);
23275 - atomic_inc(&vcc->stats->rx_drop);
23276 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23277 } else {
23278 skb_put(sb, len);
23279 dequeue_sm_buf(card, sb);
23280 @@ -2210,7 +2210,7 @@ static void dequeue_rx(ns_dev * card, ns
23281 ATM_SKB(sb)->vcc = vcc;
23282 __net_timestamp(sb);
23283 vcc->push(vcc, sb);
23284 - atomic_inc(&vcc->stats->rx);
23285 + atomic_inc_unchecked(&vcc->stats->rx);
23286 }
23287
23288 push_rxbufs(card, skb);
23289 @@ -2219,7 +2219,7 @@ static void dequeue_rx(ns_dev * card, ns
23290
23291 if (!atm_charge(vcc, skb->truesize)) {
23292 push_rxbufs(card, skb);
23293 - atomic_inc(&vcc->stats->rx_drop);
23294 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23295 } else {
23296 dequeue_lg_buf(card, skb);
23297 #ifdef NS_USE_DESTRUCTORS
23298 @@ -2232,7 +2232,7 @@ static void dequeue_rx(ns_dev * card, ns
23299 ATM_SKB(skb)->vcc = vcc;
23300 __net_timestamp(skb);
23301 vcc->push(vcc, skb);
23302 - atomic_inc(&vcc->stats->rx);
23303 + atomic_inc_unchecked(&vcc->stats->rx);
23304 }
23305
23306 push_rxbufs(card, sb);
23307 @@ -2253,7 +2253,7 @@ static void dequeue_rx(ns_dev * card, ns
23308 printk
23309 ("nicstar%d: Out of huge buffers.\n",
23310 card->index);
23311 - atomic_inc(&vcc->stats->rx_drop);
23312 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23313 recycle_iovec_rx_bufs(card,
23314 (struct iovec *)
23315 iovb->data,
23316 @@ -2304,7 +2304,7 @@ static void dequeue_rx(ns_dev * card, ns
23317 card->hbpool.count++;
23318 } else
23319 dev_kfree_skb_any(hb);
23320 - atomic_inc(&vcc->stats->rx_drop);
23321 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23322 } else {
23323 /* Copy the small buffer to the huge buffer */
23324 sb = (struct sk_buff *)iov->iov_base;
23325 @@ -2341,7 +2341,7 @@ static void dequeue_rx(ns_dev * card, ns
23326 #endif /* NS_USE_DESTRUCTORS */
23327 __net_timestamp(hb);
23328 vcc->push(vcc, hb);
23329 - atomic_inc(&vcc->stats->rx);
23330 + atomic_inc_unchecked(&vcc->stats->rx);
23331 }
23332 }
23333
23334 diff -urNp linux-2.6.37/drivers/atm/solos-pci.c linux-2.6.37/drivers/atm/solos-pci.c
23335 --- linux-2.6.37/drivers/atm/solos-pci.c 2011-01-04 19:50:19.000000000 -0500
23336 +++ linux-2.6.37/drivers/atm/solos-pci.c 2011-01-17 02:41:01.000000000 -0500
23337 @@ -717,7 +717,7 @@ void solos_bh(unsigned long card_arg)
23338 }
23339 atm_charge(vcc, skb->truesize);
23340 vcc->push(vcc, skb);
23341 - atomic_inc(&vcc->stats->rx);
23342 + atomic_inc_unchecked(&vcc->stats->rx);
23343 break;
23344
23345 case PKT_STATUS:
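Review bot: The return value of `atm_charge()` two lines above the converted `rx` increment is discarded, so a frame that exceeds the socket's receive budget is still pushed and counted as received. Every other driver in this patch that charges the socket checks the result and counts `rx_drop` on failure (idt77252 and nicstar `dequeue_rx`), so the same shape here would be `if (!atm_charge(vcc, skb->truesize)) { atomic_inc_unchecked(&vcc->stats->rx_drop); /* release skb as the other drop paths do */ break; }` before the push. How the skb is released on that path has to follow the function's other drop paths, which are outside the hunk; `solos_bh` starts and ends outside the hunk.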
23346 @@ -1025,7 +1025,7 @@ static uint32_t fpga_tx(struct solos_car
23347 vcc = SKB_CB(oldskb)->vcc;
23348
23349 if (vcc) {
23350 - atomic_inc(&vcc->stats->tx);
23351 + atomic_inc_unchecked(&vcc->stats->tx);
23352 solos_pop(vcc, oldskb);
23353 } else
23354 dev_kfree_skb_irq(oldskb);
23355 diff -urNp linux-2.6.37/drivers/atm/suni.c linux-2.6.37/drivers/atm/suni.c
23356 --- linux-2.6.37/drivers/atm/suni.c 2011-01-04 19:50:19.000000000 -0500
23357 +++ linux-2.6.37/drivers/atm/suni.c 2011-01-17 02:41:01.000000000 -0500
23358 @@ -50,8 +50,8 @@ static DEFINE_SPINLOCK(sunis_lock);
23359
23360
23361 #define ADD_LIMITED(s,v) \
23362 - atomic_add((v),&stats->s); \
23363 - if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX);
23364 + atomic_add_unchecked((v),&stats->s); \
23365 + if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX);
23366
23367
23368 static void suni_hz(unsigned long from_timer)
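Review bot: `ADD_LIMITED` is still two statements with no `do { ... } while (0)` wrapper, so a use such as `if (cond) ADD_LIMITED(s, v);` would run the `atomic_set_unchecked()` clamp unconditionally. Wrapping the converted body as `do { atomic_add_unchecked((v),&stats->s); if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX); } while (0)` keeps the clamp tied to the add; the macro's call sites in `suni_hz` are outside the hunk. Note also that the add and the sign check are separate operations, so a concurrent add between them could briefly leave a negative value unless every caller holds `sunis_lock`, which cannot be judged from here.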
23369 diff -urNp linux-2.6.37/drivers/atm/uPD98402.c linux-2.6.37/drivers/atm/uPD98402.c
23370 --- linux-2.6.37/drivers/atm/uPD98402.c 2011-01-04 19:50:19.000000000 -0500
23371 +++ linux-2.6.37/drivers/atm/uPD98402.c 2011-01-17 02:41:01.000000000 -0500
23372 @@ -42,7 +42,7 @@ static int fetch_stats(struct atm_dev *d
23373 struct sonet_stats tmp;
23374 int error = 0;
23375
23376 - atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
23377 + atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
23378 sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp);
23379 if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp));
23380 if (zero && !error) {
23381 @@ -161,9 +161,9 @@ static int uPD98402_ioctl(struct atm_dev
23382
23383
23384 #define ADD_LIMITED(s,v) \
23385 - { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \
23386 - if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \
23387 - atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); }
23388 + { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \
23389 + if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \
23390 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); }
23391
23392
23393 static void stat_event(struct atm_dev *dev)
23394 @@ -194,7 +194,7 @@ static void uPD98402_int(struct atm_dev
23395 if (reason & uPD98402_INT_PFM) stat_event(dev);
23396 if (reason & uPD98402_INT_PCO) {
23397 (void) GET(PCOCR); /* clear interrupt cause */
23398 - atomic_add(GET(HECCT),
23399 + atomic_add_unchecked(GET(HECCT),
23400 &PRIV(dev)->sonet_stats.uncorr_hcs);
23401 }
23402 if ((reason & uPD98402_INT_RFO) &&
23403 @@ -222,9 +222,9 @@ static int uPD98402_start(struct atm_dev
23404 PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO |
23405 uPD98402_INT_LOS),PIMR); /* enable them */
23406 (void) fetch_stats(dev,NULL,1); /* clear kernel counters */
23407 - atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1);
23408 - atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1);
23409 - atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1);
23410 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1);
23411 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1);
23412 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1);
23413 return 0;
23414 }
23415
23416 diff -urNp linux-2.6.37/drivers/atm/zatm.c linux-2.6.37/drivers/atm/zatm.c
23417 --- linux-2.6.37/drivers/atm/zatm.c 2011-01-04 19:50:19.000000000 -0500
23418 +++ linux-2.6.37/drivers/atm/zatm.c 2011-01-17 02:41:01.000000000 -0500
23419 @@ -459,7 +459,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
23420 }
23421 if (!size) {
23422 dev_kfree_skb_irq(skb);
23423 - if (vcc) atomic_inc(&vcc->stats->rx_err);
23424 + if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err);
23425 continue;
23426 }
23427 if (!atm_charge(vcc,skb->truesize)) {
23428 @@ -469,7 +469,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
23429 skb->len = size;
23430 ATM_SKB(skb)->vcc = vcc;
23431 vcc->push(vcc,skb);
23432 - atomic_inc(&vcc->stats->rx);
23433 + atomic_inc_unchecked(&vcc->stats->rx);
23434 }
23435 zout(pos & 0xffff,MTA(mbx));
23436 #if 0 /* probably a stupid idea */
23437 @@ -733,7 +733,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD
23438 skb_queue_head(&zatm_vcc->backlog,skb);
23439 break;
23440 }
23441 - atomic_inc(&vcc->stats->tx);
23442 + atomic_inc_unchecked(&vcc->stats->tx);
23443 wake_up(&zatm_vcc->tx_wait);
23444 }
23445
23446 diff -urNp linux-2.6.37/drivers/block/cciss.c linux-2.6.37/drivers/block/cciss.c
23447 --- linux-2.6.37/drivers/block/cciss.c 2011-01-04 19:50:19.000000000 -0500
23448 +++ linux-2.6.37/drivers/block/cciss.c 2011-01-17 02:41:01.000000000 -0500
23449 @@ -1112,6 +1112,8 @@ static int cciss_ioctl32_passthru(struct
23450 int err;
23451 u32 cp;
23452
23453 + memset(&arg64, 0, sizeof(arg64));
23454 +
23455 err = 0;
23456 err |=
23457 copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
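Review bot: The new `memset(&arg64, 0, sizeof(arg64));` has no comment explaining why it is there, and the reason is not obvious from the hunk: arg64 is filled field by field by the `copy_from_user` calls that follow, so padding and any fields those calls do not cover would otherwise hold stale stack contents when arg64 is handed on (presumably copied back to user space or to the controller later in cciss_ioctl32_passthru, outside the hunk). Suggested comment above it: `/* zero padding/untouched fields: arg64 is assembled piecemeal below and must not carry stack data onward */`. The function body starts before and continues after the hunk.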
23458 diff -urNp linux-2.6.37/drivers/char/agp/frontend.c linux-2.6.37/drivers/char/agp/frontend.c
23459 --- linux-2.6.37/drivers/char/agp/frontend.c 2011-01-04 19:50:19.000000000 -0500
23460 +++ linux-2.6.37/drivers/char/agp/frontend.c 2011-01-17 02:41:01.000000000 -0500
23461 @@ -817,7 +817,7 @@ static int agpioc_reserve_wrap(struct ag
23462 if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
23463 return -EFAULT;
23464
23465 - if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
23466 + if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
23467 return -EFAULT;
23468
23469 client = agp_find_client_by_pid(reserve.pid);
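Review bot: The tightened bound now divides by sizeof(struct agp_segment_priv) instead of sizeof(struct agp_segment), which is the right overflow guard only if an allocation of `seg_count * sizeof(struct agp_segment_priv)` follows (presumably in agp_create_segment, outside this hunk) and that struct is the larger of the two; if both structs are allocated from seg_count, the check must use the larger. A comment naming the allocation it protects, e.g. `/* bound seg_count against the larger per-segment allocation (agp_segment_priv) */`, would make that link explicit for the next reader. agpioc_reserve_wrap begins before the hunk.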
23470 diff -urNp linux-2.6.37/drivers/char/agp/intel-agp.c linux-2.6.37/drivers/char/agp/intel-agp.c
23471 --- linux-2.6.37/drivers/char/agp/intel-agp.c 2011-01-04 19:50:19.000000000 -0500
23472 +++ linux-2.6.37/drivers/char/agp/intel-agp.c 2011-01-17 02:41:01.000000000 -0500
23473 @@ -903,7 +903,7 @@ static struct pci_device_id agp_intel_pc
23474 ID(PCI_DEVICE_ID_INTEL_SANDYBRIDGE_HB),
23475 ID(PCI_DEVICE_ID_INTEL_SANDYBRIDGE_M_HB),
23476 ID(PCI_DEVICE_ID_INTEL_SANDYBRIDGE_S_HB),
23477 - { }
23478 + { 0, 0, 0, 0, 0, 0, 0 }
23479 };
23480
23481 MODULE_DEVICE_TABLE(pci, agp_intel_pci_table);
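Review bot: The new sentinel `{ 0, 0, 0, 0, 0, 0, 0 }` hard-codes the member count of struct pci_device_id, so adding a field to that struct silently turns this back into a partial initializer; `{ 0 }` zero-fills the whole entry regardless of layout and is the common form for table terminators. If the motivation is a checker that objects to the empty `{ }` form (I cannot tell from the hunk), `{ 0 }` satisfies that equally. Both spellings produce the same object at runtime, so this is a maintenance point only.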
23482 diff -urNp linux-2.6.37/drivers/char/hpet.c linux-2.6.37/drivers/char/hpet.c
23483 --- linux-2.6.37/drivers/char/hpet.c 2011-01-04 19:50:19.000000000 -0500
23484 +++ linux-2.6.37/drivers/char/hpet.c 2011-01-17 02:41:01.000000000 -0500
23485 @@ -553,7 +553,7 @@ static inline unsigned long hpet_time_di
23486 }
23487
23488 static int
23489 -hpet_ioctl_common(struct hpet_dev *devp, int cmd, unsigned long arg,
23490 +hpet_ioctl_common(struct hpet_dev *devp, unsigned int cmd, unsigned long arg,
23491 struct hpet_info *info)
23492 {
23493 struct hpet_timer __iomem *timer;
23494 @@ -1043,7 +1043,7 @@ static struct acpi_driver hpet_acpi_driv
23495 },
23496 };
23497
23498 -static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops };
23499 +static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops, {NULL, NULL}, NULL, NULL };
23500
23501 static int __init hpet_init(void)
23502 {
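Review bot: The trailing `{NULL, NULL}, NULL, NULL` added to hpet_misc positionally initializes the members after `fops` in struct miscdevice, so it depends on the exact order and count of those fields; designated initializers, `static struct miscdevice hpet_misc = { .minor = HPET_MINOR, .name = "hpet", .fops = &hpet_fops };`, describe the same object and stay valid if the struct gains or reorders members. Omitted members are zero-initialized by the language anyway, so the explicit NULLs change nothing at runtime. The nvram_dev hunk in drivers/char/nvram.c below has the same pattern.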
23503 diff -urNp linux-2.6.37/drivers/char/hvc_console.h linux-2.6.37/drivers/char/hvc_console.h
23504 --- linux-2.6.37/drivers/char/hvc_console.h 2011-01-04 19:50:19.000000000 -0500
23505 +++ linux-2.6.37/drivers/char/hvc_console.h 2011-01-17 02:41:01.000000000 -0500
23506 @@ -82,6 +82,7 @@ extern int hvc_instantiate(uint32_t vter
23507 /* register a vterm for hvc tty operation (module_init or hotplug add) */
23508 extern struct hvc_struct * hvc_alloc(uint32_t vtermno, int data,
23509 const struct hv_ops *ops, int outbuf_size);
23510 +
23511 /* remove a vterm from hvc tty operation (module_exit or hotplug remove) */
23512 extern int hvc_remove(struct hvc_struct *hp);
23513
23514 diff -urNp linux-2.6.37/drivers/char/hvcs.c linux-2.6.37/drivers/char/hvcs.c
23515 --- linux-2.6.37/drivers/char/hvcs.c 2011-01-04 19:50:19.000000000 -0500
23516 +++ linux-2.6.37/drivers/char/hvcs.c 2011-01-17 02:41:01.000000000 -0500
23517 @@ -270,7 +270,7 @@ struct hvcs_struct {
23518 unsigned int index;
23519
23520 struct tty_struct *tty;
23521 - int open_count;
23522 + atomic_t open_count;
23523
23524 /*
23525 * Used to tell the driver kernel_thread what operations need to take
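Review bot: The increment, the decrement and most reads of open_count in the hvcs hunks that follow sit inside spin_lock_irqsave(&hvcsd->lock, ...), so switching the field to atomic_t does not by itself change which updates are serialized; presumably the goal is the overflow detection this patch set attaches to checked atomic_t, but nothing in the hunk says so. A comment on the field, e.g. `atomic_t open_count; /* checked atomic for overflow detection; still updated under ->lock */`, would stop a later reader from dropping the lock as redundant or from treating the atomic as the only protection (the set in hvcs_open and the read in hvcs_write_room show no lock within their hunks, so I cannot tell whether every access is covered). The same conversion is applied to struct ipw_tty in drivers/char/pcmcia/ipwireless/tty.c (under ipw_tty_mutex) and to sonypi_device in drivers/char/sonypi.c (under sonypi_device.lock). The struct definition begins before the hunk.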
23526 @@ -420,7 +420,7 @@ static ssize_t hvcs_vterm_state_store(st
23527
23528 spin_lock_irqsave(&hvcsd->lock, flags);
23529
23530 - if (hvcsd->open_count > 0) {
23531 + if (atomic_read(&hvcsd->open_count) > 0) {
23532 spin_unlock_irqrestore(&hvcsd->lock, flags);
23533 printk(KERN_INFO "HVCS: vterm state unchanged. "
23534 "The hvcs device node is still in use.\n");
23535 @@ -1136,7 +1136,7 @@ static int hvcs_open(struct tty_struct *
23536 if ((retval = hvcs_partner_connect(hvcsd)))
23537 goto error_release;
23538
23539 - hvcsd->open_count = 1;
23540 + atomic_set(&hvcsd->open_count, 1);
23541 hvcsd->tty = tty;
23542 tty->driver_data = hvcsd;
23543
23544 @@ -1170,7 +1170,7 @@ fast_open:
23545
23546 spin_lock_irqsave(&hvcsd->lock, flags);
23547 kref_get(&hvcsd->kref);
23548 - hvcsd->open_count++;
23549 + atomic_inc(&hvcsd->open_count);
23550 hvcsd->todo_mask |= HVCS_SCHED_READ;
23551 spin_unlock_irqrestore(&hvcsd->lock, flags);
23552
23553 @@ -1214,7 +1214,7 @@ static void hvcs_close(struct tty_struct
23554 hvcsd = tty->driver_data;
23555
23556 spin_lock_irqsave(&hvcsd->lock, flags);
23557 - if (--hvcsd->open_count == 0) {
23558 + if (atomic_dec_and_test(&hvcsd->open_count)) {
23559
23560 vio_disable_interrupts(hvcsd->vdev);
23561
23562 @@ -1240,10 +1240,10 @@ static void hvcs_close(struct tty_struct
23563 free_irq(irq, hvcsd);
23564 kref_put(&hvcsd->kref, destroy_hvcs_struct);
23565 return;
23566 - } else if (hvcsd->open_count < 0) {
23567 + } else if (atomic_read(&hvcsd->open_count) < 0) {
23568 printk(KERN_ERR "HVCS: vty-server@%X open_count: %d"
23569 " is missmanaged.\n",
23570 - hvcsd->vdev->unit_address, hvcsd->open_count);
23571 + hvcsd->vdev->unit_address, atomic_read(&hvcsd->open_count));
23572 }
23573
23574 spin_unlock_irqrestore(&hvcsd->lock, flags);
23575 @@ -1259,7 +1259,7 @@ static void hvcs_hangup(struct tty_struc
23576
23577 spin_lock_irqsave(&hvcsd->lock, flags);
23578 /* Preserve this so that we know how many kref refs to put */
23579 - temp_open_count = hvcsd->open_count;
23580 + temp_open_count = atomic_read(&hvcsd->open_count);
23581
23582 /*
23583 * Don't kref put inside the spinlock because the destruction
23584 @@ -1274,7 +1274,7 @@ static void hvcs_hangup(struct tty_struc
23585 hvcsd->tty->driver_data = NULL;
23586 hvcsd->tty = NULL;
23587
23588 - hvcsd->open_count = 0;
23589 + atomic_set(&hvcsd->open_count, 0);
23590
23591 /* This will drop any buffered data on the floor which is OK in a hangup
23592 * scenario. */
23593 @@ -1345,7 +1345,7 @@ static int hvcs_write(struct tty_struct
23594 * the middle of a write operation? This is a crummy place to do this
23595 * but we want to keep it all in the spinlock.
23596 */
23597 - if (hvcsd->open_count <= 0) {
23598 + if (atomic_read(&hvcsd->open_count) <= 0) {
23599 spin_unlock_irqrestore(&hvcsd->lock, flags);
23600 return -ENODEV;
23601 }
23602 @@ -1419,7 +1419,7 @@ static int hvcs_write_room(struct tty_st
23603 {
23604 struct hvcs_struct *hvcsd = tty->driver_data;
23605
23606 - if (!hvcsd || hvcsd->open_count <= 0)
23607 + if (!hvcsd || atomic_read(&hvcsd->open_count) <= 0)
23608 return 0;
23609
23610 return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;
23611 diff -urNp linux-2.6.37/drivers/char/hvc_xen.c linux-2.6.37/drivers/char/hvc_xen.c
23612 --- linux-2.6.37/drivers/char/hvc_xen.c 2011-01-04 19:50:19.000000000 -0500
23613 +++ linux-2.6.37/drivers/char/hvc_xen.c 2011-01-17 02:41:01.000000000 -0500
23614 @@ -123,7 +123,7 @@ static int domU_read_console(uint32_t vt
23615 return recv;
23616 }
23617
23618 -static struct hv_ops domU_hvc_ops = {
23619 +static const struct hv_ops domU_hvc_ops = {
23620 .get_chars = domU_read_console,
23621 .put_chars = domU_write_console,
23622 .notifier_add = notifier_add_irq,
23623 @@ -149,7 +149,7 @@ static int dom0_write_console(uint32_t v
23624 return len;
23625 }
23626
23627 -static struct hv_ops dom0_hvc_ops = {
23628 +static const struct hv_ops dom0_hvc_ops = {
23629 .get_chars = dom0_read_console,
23630 .put_chars = dom0_write_console,
23631 .notifier_add = notifier_add_irq,
23632 @@ -160,7 +160,7 @@ static struct hv_ops dom0_hvc_ops = {
23633 static int __init xen_hvc_init(void)
23634 {
23635 struct hvc_struct *hp;
23636 - struct hv_ops *ops;
23637 + const struct hv_ops *ops;
23638
23639 if (!xen_pv_domain())
23640 return -ENODEV;
23641 @@ -203,7 +203,7 @@ static void __exit xen_hvc_fini(void)
23642
23643 static int xen_cons_init(void)
23644 {
23645 - struct hv_ops *ops;
23646 + const struct hv_ops *ops;
23647
23648 if (!xen_pv_domain())
23649 return 0;
23650 diff -urNp linux-2.6.37/drivers/char/ipmi/ipmi_msghandler.c linux-2.6.37/drivers/char/ipmi/ipmi_msghandler.c
23651 --- linux-2.6.37/drivers/char/ipmi/ipmi_msghandler.c 2011-01-04 19:50:19.000000000 -0500
23652 +++ linux-2.6.37/drivers/char/ipmi/ipmi_msghandler.c 2011-01-17 02:41:01.000000000 -0500
23653 @@ -414,7 +414,7 @@ struct ipmi_smi {
23654 struct proc_dir_entry *proc_dir;
23655 char proc_dir_name[10];
23656
23657 - atomic_t stats[IPMI_NUM_STATS];
23658 + atomic_unchecked_t stats[IPMI_NUM_STATS];
23659
23660 /*
23661 * run_to_completion duplicate of smb_info, smi_info
23662 @@ -447,9 +447,9 @@ static DEFINE_MUTEX(smi_watchers_mutex);
23663
23664
23665 #define ipmi_inc_stat(intf, stat) \
23666 - atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
23667 + atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])
23668 #define ipmi_get_stat(intf, stat) \
23669 - ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
23670 + ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]))
23671
23672 static int is_lan_addr(struct ipmi_addr *addr)
23673 {
23674 @@ -2817,7 +2817,7 @@ int ipmi_register_smi(struct ipmi_smi_ha
23675 INIT_LIST_HEAD(&intf->cmd_rcvrs);
23676 init_waitqueue_head(&intf->waitq);
23677 for (i = 0; i < IPMI_NUM_STATS; i++)
23678 - atomic_set(&intf->stats[i], 0);
23679 + atomic_set_unchecked(&intf->stats[i], 0);
23680
23681 intf->proc_dir = NULL;
23682
23683 diff -urNp linux-2.6.37/drivers/char/ipmi/ipmi_si_intf.c linux-2.6.37/drivers/char/ipmi/ipmi_si_intf.c
23684 --- linux-2.6.37/drivers/char/ipmi/ipmi_si_intf.c 2011-01-04 19:50:19.000000000 -0500
23685 +++ linux-2.6.37/drivers/char/ipmi/ipmi_si_intf.c 2011-01-17 02:41:01.000000000 -0500
23686 @@ -286,7 +286,7 @@ struct smi_info {
23687 unsigned char slave_addr;
23688
23689 /* Counters and things for the proc filesystem. */
23690 - atomic_t stats[SI_NUM_STATS];
23691 + atomic_unchecked_t stats[SI_NUM_STATS];
23692
23693 struct task_struct *thread;
23694
23695 @@ -294,9 +294,9 @@ struct smi_info {
23696 };
23697
23698 #define smi_inc_stat(smi, stat) \
23699 - atomic_inc(&(smi)->stats[SI_STAT_ ## stat])
23700 + atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat])
23701 #define smi_get_stat(smi, stat) \
23702 - ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat]))
23703 + ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat]))
23704
23705 #define SI_MAX_PARMS 4
23706
23707 @@ -3178,7 +3178,7 @@ static int try_smi_init(struct smi_info
23708 atomic_set(&new_smi->req_events, 0);
23709 new_smi->run_to_completion = 0;
23710 for (i = 0; i < SI_NUM_STATS; i++)
23711 - atomic_set(&new_smi->stats[i], 0);
23712 + atomic_set_unchecked(&new_smi->stats[i], 0);
23713
23714 new_smi->interrupt_disabled = 1;
23715 atomic_set(&new_smi->stop_operation, 0);
23716 diff -urNp linux-2.6.37/drivers/char/mem.c linux-2.6.37/drivers/char/mem.c
23717 --- linux-2.6.37/drivers/char/mem.c 2011-01-04 19:50:19.000000000 -0500
23718 +++ linux-2.6.37/drivers/char/mem.c 2011-01-17 02:41:01.000000000 -0500
23719 @@ -18,6 +18,7 @@
23720 #include <linux/raw.h>
23721 #include <linux/tty.h>
23722 #include <linux/capability.h>
23723 +#include <linux/security.h>
23724 #include <linux/ptrace.h>
23725 #include <linux/device.h>
23726 #include <linux/highmem.h>
23727 @@ -34,6 +35,10 @@
23728 # include <linux/efi.h>
23729 #endif
23730
23731 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
23732 +extern struct file_operations grsec_fops;
23733 +#endif
23734 +
23735 static inline unsigned long size_inside_page(unsigned long start,
23736 unsigned long size)
23737 {
23738 @@ -120,6 +125,7 @@ static ssize_t read_mem(struct file *fil
23739
23740 while (count > 0) {
23741 unsigned long remaining;
23742 + char *temp;
23743
23744 sz = size_inside_page(p, count);
23745
23746 @@ -135,7 +141,23 @@ static ssize_t read_mem(struct file *fil
23747 if (!ptr)
23748 return -EFAULT;
23749
23750 - remaining = copy_to_user(buf, ptr, sz);
23751 +#ifdef CONFIG_PAX_USERCOPY
23752 + temp = kmalloc(sz, GFP_KERNEL);
23753 + if (!temp) {
23754 + unxlate_dev_mem_ptr(p, ptr);
23755 + return -ENOMEM;
23756 + }
23757 + memcpy(temp, ptr, sz);
23758 +#else
23759 + temp = ptr;
23760 +#endif
23761 +
23762 + remaining = copy_to_user(buf, temp, sz);
23763 +
23764 +#ifdef CONFIG_PAX_USERCOPY
23765 + kfree(temp);
23766 +#endif
23767 +
23768 unxlate_dev_mem_ptr(p, ptr);
23769 if (remaining)
23770 return -EFAULT;
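Review bot: The `#ifdef CONFIG_PAX_USERCOPY` bounce through a kmalloc'd `temp` has no comment, and a reader cannot tell from the hunk why copying the page through a heap buffer is necessary; presumably the usercopy checks only accept slab- or stack-backed source objects and the pointer from xlate_dev_mem_ptr() is neither, but that should be stated, e.g. `/* PAX_USERCOPY: copy via a slab object so the usercopy bounds check can validate the source */`. The allocation happens once per page-sized chunk inside the read loop, which is fine for correctness but worth a note since it adds an allocation failure path (`-ENOMEM`) that the unpatched read_mem did not have. The read_kmem hunk later in this file has the same structure and would benefit from the same comment. read_mem begins before the hunk and continues after it.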
23771 @@ -161,6 +183,11 @@ static ssize_t write_mem(struct file *fi
23772 if (!valid_phys_addr_range(p, count))
23773 return -EFAULT;
23774
23775 +#ifdef CONFIG_GRKERNSEC_KMEM
23776 + gr_handle_mem_write();
23777 + return -EPERM;
23778 +#endif
23779 +
23780 written = 0;
23781
23782 #ifdef __ARCH_HAS_NO_PAGE_ZERO_MAPPED
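Review bot: Under CONFIG_GRKERNSEC_KMEM the inserted `gr_handle_mem_write(); return -EPERM;` leaves the rest of write_mem compiled but unreachable, and because it sits after the `valid_phys_addr_range()` test, a write aimed at an invalid range fails with -EFAULT before the grsec hook runs, so whatever that hook records will not see those attempts. Moving the block to the top of the function, or putting the remainder in an `#else` branch, makes the deny unconditional and the dead code explicit. write_kmem and open_port in the later hunks of this file have the same shape; in open_port the `return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;` line becomes dead in the same way. write_mem begins before the hunk.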
23783 @@ -316,6 +343,11 @@ static int mmap_mem(struct file *file, s
23784 &vma->vm_page_prot))
23785 return -EINVAL;
23786
23787 +#ifdef CONFIG_GRKERNSEC_KMEM
23788 + if (gr_handle_mem_mmap(vma->vm_pgoff << PAGE_SHIFT, vma))
23789 + return -EPERM;
23790 +#endif
23791 +
23792 vma->vm_page_prot = phys_mem_access_prot(file, vma->vm_pgoff,
23793 size,
23794 vma->vm_page_prot);
23795 @@ -398,9 +430,8 @@ static ssize_t read_kmem(struct file *fi
23796 size_t count, loff_t *ppos)
23797 {
23798 unsigned long p = *ppos;
23799 - ssize_t low_count, read, sz;
23800 + ssize_t low_count, read, sz, err = 0;
23801 char * kbuf; /* k-addr because vread() takes vmlist_lock rwlock */
23802 - int err = 0;
23803
23804 read = 0;
23805 if (p < (unsigned long) high_memory) {
23806 @@ -422,6 +453,8 @@ static ssize_t read_kmem(struct file *fi
23807 }
23808 #endif
23809 while (low_count > 0) {
23810 + char *temp;
23811 +
23812 sz = size_inside_page(p, low_count);
23813
23814 /*
23815 @@ -431,7 +464,22 @@ static ssize_t read_kmem(struct file *fi
23816 */
23817 kbuf = xlate_dev_kmem_ptr((char *)p);
23818
23819 - if (copy_to_user(buf, kbuf, sz))
23820 +#ifdef CONFIG_PAX_USERCOPY
23821 + temp = kmalloc(sz, GFP_KERNEL);
23822 + if (!temp)
23823 + return -ENOMEM;
23824 + memcpy(temp, kbuf, sz);
23825 +#else
23826 + temp = kbuf;
23827 +#endif
23828 +
23829 + err = copy_to_user(buf, temp, sz);
23830 +
23831 +#ifdef CONFIG_PAX_USERCOPY
23832 + kfree(temp);
23833 +#endif
23834 +
23835 + if (err)
23836 return -EFAULT;
23837 buf += sz;
23838 p += sz;
23839 @@ -530,6 +578,11 @@ static ssize_t write_kmem(struct file *f
23840 char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
23841 int err = 0;
23842
23843 +#ifdef CONFIG_GRKERNSEC_KMEM
23844 + gr_handle_kmem_write();
23845 + return -EPERM;
23846 +#endif
23847 +
23848 if (p < (unsigned long) high_memory) {
23849 unsigned long to_write = min_t(unsigned long, count,
23850 (unsigned long)high_memory - p);
23851 @@ -731,6 +784,16 @@ static loff_t memory_lseek(struct file *
23852
23853 static int open_port(struct inode * inode, struct file * filp)
23854 {
23855 +#ifdef CONFIG_GRKERNSEC_KMEM
23856 + gr_handle_open_port();
23857 + return -EPERM;
23858 +#endif
23859 +
23860 + return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
23861 +}
23862 +
23863 +static int open_mem(struct inode * inode, struct file * filp)
23864 +{
23865 return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
23866 }
23867
23868 @@ -738,7 +801,6 @@ static int open_port(struct inode * inod
23869 #define full_lseek null_lseek
23870 #define write_zero write_null
23871 #define read_full read_zero
23872 -#define open_mem open_port
23873 #define open_kmem open_mem
23874 #define open_oldmem open_mem
23875
23876 @@ -857,6 +919,9 @@ static const struct memdev {
23877 #ifdef CONFIG_CRASH_DUMP
23878 [12] = { "oldmem", 0, &oldmem_fops, NULL },
23879 #endif
23880 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
23881 + [13] = { "grsec",S_IRUSR | S_IWUGO, &grsec_fops, NULL },
23882 +#endif
23883 };
23884
23885 static int memory_open(struct inode *inode, struct file *filp)
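Review bot: The new `[13]` entry registers the node as `S_IRUSR | S_IWUGO`, i.e. writable by every user, which is only safe if grsec_fops performs its own authentication on every write; none of that is visible here, and an unusual mode like this invites a well-meant "fix" later. A comment on the entry, e.g. `/* world-writable by design: grsec_fops authenticates each write itself */`, would pin the intent. Separately, the `extern struct file_operations grsec_fops;` that the earlier hunk of this file adds to mem.c belongs in a shared header rather than a .c file, so that the declaration and the definition are type-checked against each other.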
23886 diff -urNp linux-2.6.37/drivers/char/nvram.c linux-2.6.37/drivers/char/nvram.c
23887 --- linux-2.6.37/drivers/char/nvram.c 2011-01-04 19:50:19.000000000 -0500
23888 +++ linux-2.6.37/drivers/char/nvram.c 2011-01-17 02:41:01.000000000 -0500
23889 @@ -246,7 +246,7 @@ static ssize_t nvram_read(struct file *f
23890
23891 spin_unlock_irq(&rtc_lock);
23892
23893 - if (copy_to_user(buf, contents, tmp - contents))
23894 + if (tmp - contents > sizeof(contents) || copy_to_user(buf, contents, tmp - contents))
23895 return -EFAULT;
23896
23897 *ppos = i;
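Review bot: The added `tmp - contents > sizeof(contents)` compares a ptrdiff_t with a size_t, so the left side is silently converted to unsigned; writing it as `(size_t)(tmp - contents) > sizeof(contents)` makes that explicit and avoids a -Wsign-compare warning. Since contents is a local buffer filled above the hunk, this is a sanity check on an internal invariant rather than on user input, and a comment saying so, e.g. `/* defensive: never copy past the local contents[] buffer */`, would stop it from being mistaken for a missing validation elsewhere. nvram_read begins before the hunk.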
23898 @@ -435,7 +435,10 @@ static const struct file_operations nvra
23899 static struct miscdevice nvram_dev = {
23900 NVRAM_MINOR,
23901 "nvram",
23902 - &nvram_fops
23903 + &nvram_fops,
23904 + {NULL, NULL},
23905 + NULL,
23906 + NULL
23907 };
23908
23909 static int __init nvram_init(void)
23910 diff -urNp linux-2.6.37/drivers/char/pcmcia/ipwireless/tty.c linux-2.6.37/drivers/char/pcmcia/ipwireless/tty.c
23911 --- linux-2.6.37/drivers/char/pcmcia/ipwireless/tty.c 2011-01-04 19:50:19.000000000 -0500
23912 +++ linux-2.6.37/drivers/char/pcmcia/ipwireless/tty.c 2011-01-17 02:41:01.000000000 -0500
23913 @@ -51,7 +51,7 @@ struct ipw_tty {
23914 int tty_type;
23915 struct ipw_network *network;
23916 struct tty_struct *linux_tty;
23917 - int open_count;
23918 + atomic_t open_count;
23919 unsigned int control_lines;
23920 struct mutex ipw_tty_mutex;
23921 int tx_bytes_queued;
23922 @@ -127,10 +127,10 @@ static int ipw_open(struct tty_struct *l
23923 mutex_unlock(&tty->ipw_tty_mutex);
23924 return -ENODEV;
23925 }
23926 - if (tty->open_count == 0)
23927 + if (atomic_read(&tty->open_count) == 0)
23928 tty->tx_bytes_queued = 0;
23929
23930 - tty->open_count++;
23931 + atomic_inc(&tty->open_count);
23932
23933 tty->linux_tty = linux_tty;
23934 linux_tty->driver_data = tty;
23935 @@ -146,9 +146,7 @@ static int ipw_open(struct tty_struct *l
23936
23937 static void do_ipw_close(struct ipw_tty *tty)
23938 {
23939 - tty->open_count--;
23940 -
23941 - if (tty->open_count == 0) {
23942 + if (atomic_dec_return(&tty->open_count) == 0) {
23943 struct tty_struct *linux_tty = tty->linux_tty;
23944
23945 if (linux_tty != NULL) {
23946 @@ -169,7 +167,7 @@ static void ipw_hangup(struct tty_struct
23947 return;
23948
23949 mutex_lock(&tty->ipw_tty_mutex);
23950 - if (tty->open_count == 0) {
23951 + if (atomic_read(&tty->open_count) == 0) {
23952 mutex_unlock(&tty->ipw_tty_mutex);
23953 return;
23954 }
23955 @@ -198,7 +196,7 @@ void ipwireless_tty_received(struct ipw_
23956 return;
23957 }
23958
23959 - if (!tty->open_count) {
23960 + if (!atomic_read(&tty->open_count)) {
23961 mutex_unlock(&tty->ipw_tty_mutex);
23962 return;
23963 }
23964 @@ -240,7 +238,7 @@ static int ipw_write(struct tty_struct *
23965 return -ENODEV;
23966
23967 mutex_lock(&tty->ipw_tty_mutex);
23968 - if (!tty->open_count) {
23969 + if (!atomic_read(&tty->open_count)) {
23970 mutex_unlock(&tty->ipw_tty_mutex);
23971 return -EINVAL;
23972 }
23973 @@ -280,7 +278,7 @@ static int ipw_write_room(struct tty_str
23974 if (!tty)
23975 return -ENODEV;
23976
23977 - if (!tty->open_count)
23978 + if (!atomic_read(&tty->open_count))
23979 return -EINVAL;
23980
23981 room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued;
23982 @@ -322,7 +320,7 @@ static int ipw_chars_in_buffer(struct tt
23983 if (!tty)
23984 return 0;
23985
23986 - if (!tty->open_count)
23987 + if (!atomic_read(&tty->open_count))
23988 return 0;
23989
23990 return tty->tx_bytes_queued;
23991 @@ -403,7 +401,7 @@ static int ipw_tiocmget(struct tty_struc
23992 if (!tty)
23993 return -ENODEV;
23994
23995 - if (!tty->open_count)
23996 + if (!atomic_read(&tty->open_count))
23997 return -EINVAL;
23998
23999 return get_control_lines(tty);
24000 @@ -419,7 +417,7 @@ ipw_tiocmset(struct tty_struct *linux_tt
24001 if (!tty)
24002 return -ENODEV;
24003
24004 - if (!tty->open_count)
24005 + if (!atomic_read(&tty->open_count))
24006 return -EINVAL;
24007
24008 return set_control_lines(tty, set, clear);
24009 @@ -433,7 +431,7 @@ static int ipw_ioctl(struct tty_struct *
24010 if (!tty)
24011 return -ENODEV;
24012
24013 - if (!tty->open_count)
24014 + if (!atomic_read(&tty->open_count))
24015 return -EINVAL;
24016
24017 /* FIXME: Exactly how is the tty object locked here .. */
24018 @@ -582,7 +580,7 @@ void ipwireless_tty_free(struct ipw_tty
24019 against a parallel ioctl etc */
24020 mutex_lock(&ttyj->ipw_tty_mutex);
24021 }
24022 - while (ttyj->open_count)
24023 + while (atomic_read(&ttyj->open_count))
24024 do_ipw_close(ttyj);
24025 ipwireless_disassociate_network_ttys(network,
24026 ttyj->channel_idx);
24027 diff -urNp linux-2.6.37/drivers/char/random.c linux-2.6.37/drivers/char/random.c
24028 --- linux-2.6.37/drivers/char/random.c 2011-01-04 19:50:19.000000000 -0500
24029 +++ linux-2.6.37/drivers/char/random.c 2011-01-17 02:41:01.000000000 -0500
24030 @@ -254,8 +254,13 @@
24031 /*
24032 * Configuration information
24033 */
24034 +#ifdef CONFIG_GRKERNSEC_RANDNET
24035 +#define INPUT_POOL_WORDS 512
24036 +#define OUTPUT_POOL_WORDS 128
24037 +#else
24038 #define INPUT_POOL_WORDS 128
24039 #define OUTPUT_POOL_WORDS 32
24040 +#endif
24041 #define SEC_XFER_SIZE 512
24042 #define EXTRACT_SIZE 10
24043
24044 @@ -293,10 +298,17 @@ static struct poolinfo {
24045 int poolwords;
24046 int tap1, tap2, tap3, tap4, tap5;
24047 } poolinfo_table[] = {
24048 +#ifdef CONFIG_GRKERNSEC_RANDNET
24049 + /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
24050 + { 512, 411, 308, 208, 104, 1 },
24051 + /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
24052 + { 128, 103, 76, 51, 25, 1 },
24053 +#else
24054 /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
24055 { 128, 103, 76, 51, 25, 1 },
24056 /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
24057 { 32, 26, 20, 14, 7, 1 },
24058 +#endif
24059 #if 0
24060 /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
24061 { 2048, 1638, 1231, 819, 411, 1 },
24062 @@ -902,7 +914,7 @@ static ssize_t extract_entropy_user(stru
24063
24064 extract_buf(r, tmp);
24065 i = min_t(int, nbytes, EXTRACT_SIZE);
24066 - if (copy_to_user(buf, tmp, i)) {
24067 + if (i > sizeof(tmp) || copy_to_user(buf, tmp, i)) {
24068 ret = -EFAULT;
24069 break;
24070 }
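Review bot: The added `i > sizeof(tmp)` guard is subtler than it looks: `i` comes from `min_t(int, nbytes, EXTRACT_SIZE)`, so it is at most EXTRACT_SIZE and the comparison can only fire if `i` went negative, which can happen if a large nbytes is narrowed to int; the test then works only because the negative int is converted to a large unsigned value for the comparison. A comment such as `/* i can be negative if nbytes does not fit in int; the unsigned compare rejects that too */` would keep someone from "fixing" the sign mismatch with a cast and losing the protection. I cannot see tmp's declaration or the type of nbytes in this hunk, so this assumes tmp is an EXTRACT_SIZE-byte local array as upstream declares it. extract_entropy_user begins before the hunk.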
24071 @@ -1207,7 +1219,7 @@ EXPORT_SYMBOL(generate_random_uuid);
24072 #include <linux/sysctl.h>
24073
24074 static int min_read_thresh = 8, min_write_thresh;
24075 -static int max_read_thresh = INPUT_POOL_WORDS * 32;
24076 +static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
24077 static int max_write_thresh = INPUT_POOL_WORDS * 32;
24078 static char sysctl_bootid[16];
24079
24080 diff -urNp linux-2.6.37/drivers/char/sonypi.c linux-2.6.37/drivers/char/sonypi.c
24081 --- linux-2.6.37/drivers/char/sonypi.c 2011-01-04 19:50:19.000000000 -0500
24082 +++ linux-2.6.37/drivers/char/sonypi.c 2011-01-17 02:41:01.000000000 -0500
24083 @@ -491,7 +491,7 @@ static struct sonypi_device {
24084 spinlock_t fifo_lock;
24085 wait_queue_head_t fifo_proc_list;
24086 struct fasync_struct *fifo_async;
24087 - int open_count;
24088 + atomic_t open_count;
24089 int model;
24090 struct input_dev *input_jog_dev;
24091 struct input_dev *input_key_dev;
24092 @@ -898,7 +898,7 @@ static int sonypi_misc_fasync(int fd, st
24093 static int sonypi_misc_release(struct inode *inode, struct file *file)
24094 {
24095 mutex_lock(&sonypi_device.lock);
24096 - sonypi_device.open_count--;
24097 + atomic_dec(&sonypi_device.open_count);
24098 mutex_unlock(&sonypi_device.lock);
24099 return 0;
24100 }
24101 @@ -907,9 +907,9 @@ static int sonypi_misc_open(struct inode
24102 {
24103 mutex_lock(&sonypi_device.lock);
24104 /* Flush input queue on first open */
24105 - if (!sonypi_device.open_count)
24106 + if (!atomic_read(&sonypi_device.open_count))
24107 kfifo_reset(&sonypi_device.fifo);
24108 - sonypi_device.open_count++;
24109 + atomic_inc(&sonypi_device.open_count);
24110 mutex_unlock(&sonypi_device.lock);
24111
24112 return 0;
24113 diff -urNp linux-2.6.37/drivers/char/tpm/tpm_bios.c linux-2.6.37/drivers/char/tpm/tpm_bios.c
24114 --- linux-2.6.37/drivers/char/tpm/tpm_bios.c 2011-01-04 19:50:19.000000000 -0500
24115 +++ linux-2.6.37/drivers/char/tpm/tpm_bios.c 2011-01-17 02:41:01.000000000 -0500
24116 @@ -173,7 +173,7 @@ static void *tpm_bios_measurements_start
24117 event = addr;
24118
24119 if ((event->event_type == 0 && event->event_size == 0) ||
24120 - ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
24121 + (event->event_size >= limit - addr - sizeof(struct tcpa_event)))
24122 return NULL;
24123
24124 return addr;
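Review bot: The rewritten test `event->event_size >= limit - addr - sizeof(struct tcpa_event)` avoids the pointer wrap of the old `addr + ... + event_size` form, but it is only sound if `limit - addr` is already known to be at least sizeof(struct tcpa_event); otherwise the subtraction wraps to a huge unsigned value and the comparison stops rejecting anything. That precondition appears to be established by a check just before this hunk (not visible here), and a comment tying the two together, e.g. `/* limit - addr >= sizeof(*event) was checked above, so this cannot underflow */`, would keep them from being separated by a later edit. The `_next` hunk below applies the same rewrite with `v` and needs the same comment. Both functions begin before their hunks.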
24125 @@ -198,7 +198,7 @@ static void *tpm_bios_measurements_next(
24126 return NULL;
24127
24128 if ((event->event_type == 0 && event->event_size == 0) ||
24129 - ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
24130 + (event->event_size >= limit - v - sizeof(struct tcpa_event)))
24131 return NULL;
24132
24133 (*pos)++;
24134 @@ -291,7 +291,8 @@ static int tpm_binary_bios_measurements_
24135 int i;
24136
24137 for (i = 0; i < sizeof(struct tcpa_event) + event->event_size; i++)
24138 - seq_putc(m, data[i]);
24139 + if (!seq_putc(m, data[i]))
24140 + return -EFAULT;
24141
24142 return 0;
24143 }
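Review bot: The new `if (!seq_putc(m, data[i])) return -EFAULT;` looks inverted: in this kernel generation seq_putc() returns 0 when the character was stored and -1 when the seq_file buffer is full (please confirm against fs/seq_file.c), so as written the show callback would fail with -EFAULT after the first byte that was successfully written. Beyond the polarity, returning an errno from a show callback on overflow bypasses seq_file's normal handling, which detects a full buffer after show returns and retries with a larger one, so the safer form is to keep the plain `seq_putc(m, data[i]);` and let seq_read() grow the buffer. The function begins before the hunk.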
24144 @@ -410,6 +411,11 @@ static int read_log(struct tpm_bios_log
24145 log->bios_event_log_end = log->bios_event_log + len;
24146
24147 virt = acpi_os_map_memory(start, len);
24148 + if (!virt) {
24149 + kfree(log->bios_event_log);
24150 + log->bios_event_log = NULL;
24151 + return -EFAULT;
24152 + }
24153
24154 memcpy(log->bios_event_log, virt, len);
24155
24156 diff -urNp linux-2.6.37/drivers/cpuidle/sysfs.c linux-2.6.37/drivers/cpuidle/sysfs.c
24157 --- linux-2.6.37/drivers/cpuidle/sysfs.c 2011-01-04 19:50:19.000000000 -0500
24158 +++ linux-2.6.37/drivers/cpuidle/sysfs.c 2011-01-17 02:41:01.000000000 -0500
24159 @@ -300,7 +300,7 @@ static struct kobj_type ktype_state_cpui
24160 .release = cpuidle_state_sysfs_release,
24161 };
24162
24163 -static void inline cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
24164 +static inline void cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
24165 {
24166 kobject_put(&device->kobjs[i]->kobj);
24167 wait_for_completion(&device->kobjs[i]->kobj_unregister);
24168 diff -urNp linux-2.6.37/drivers/edac/edac_core.h linux-2.6.37/drivers/edac/edac_core.h
24169 --- linux-2.6.37/drivers/edac/edac_core.h 2011-01-04 19:50:19.000000000 -0500
24170 +++ linux-2.6.37/drivers/edac/edac_core.h 2011-01-17 02:41:01.000000000 -0500
24171 @@ -87,11 +87,11 @@ extern const char *edac_mem_types[];
24172
24173 #else /* !CONFIG_EDAC_DEBUG */
24174
24175 -#define debugf0( ... )
24176 -#define debugf1( ... )
24177 -#define debugf2( ... )
24178 -#define debugf3( ... )
24179 -#define debugf4( ... )
24180 +#define debugf0( ... ) do {} while (0)
24181 +#define debugf1( ... ) do {} while (0)
24182 +#define debugf2( ... ) do {} while (0)
24183 +#define debugf3( ... ) do {} while (0)
24184 +#define debugf4( ... ) do {} while (0)
24185
24186 #endif /* !CONFIG_EDAC_DEBUG */
24187
24188 diff -urNp linux-2.6.37/drivers/edac/edac_mc_sysfs.c linux-2.6.37/drivers/edac/edac_mc_sysfs.c
24189 --- linux-2.6.37/drivers/edac/edac_mc_sysfs.c 2011-01-04 19:50:19.000000000 -0500
24190 +++ linux-2.6.37/drivers/edac/edac_mc_sysfs.c 2011-01-17 02:41:01.000000000 -0500
24191 @@ -762,7 +762,7 @@ static void edac_inst_grp_release(struct
24192 }
24193
24194 /* Intermediate show/store table */
24195 -static struct sysfs_ops inst_grp_ops = {
24196 +static const struct sysfs_ops inst_grp_ops = {
24197 .show = inst_grp_show,
24198 .store = inst_grp_store
24199 };
24200 diff -urNp linux-2.6.37/drivers/firewire/core-cdev.c linux-2.6.37/drivers/firewire/core-cdev.c
24201 --- linux-2.6.37/drivers/firewire/core-cdev.c 2011-01-04 19:50:19.000000000 -0500
24202 +++ linux-2.6.37/drivers/firewire/core-cdev.c 2011-01-17 02:41:01.000000000 -0500
24203 @@ -1329,8 +1329,7 @@ static int init_iso_resource(struct clie
24204 int ret;
24205
24206 if ((request->channels == 0 && request->bandwidth == 0) ||
24207 - request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL ||
24208 - request->bandwidth < 0)
24209 + request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL)
24210 return -EINVAL;
24211
24212 r = kmalloc(sizeof(*r), GFP_KERNEL);
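Review bot: Dropping `request->bandwidth < 0` is only a no-op if that field is unsigned; upstream firewire-cdev.h declares it `__u32`, in which case the test could never be true, but the struct is not visible in this hunk. A comment on the remaining check, e.g. `/* bandwidth is __u32: no lower bound needed */`, records the reason and guards against the check silently becoming necessary if the type ever changes. init_iso_resource begins before the hunk.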
24213 diff -urNp linux-2.6.37/drivers/firmware/dmi_scan.c linux-2.6.37/drivers/firmware/dmi_scan.c
24214 --- linux-2.6.37/drivers/firmware/dmi_scan.c 2011-01-04 19:50:19.000000000 -0500
24215 +++ linux-2.6.37/drivers/firmware/dmi_scan.c 2011-01-17 02:41:01.000000000 -0500
24216 @@ -442,11 +442,6 @@ void __init dmi_scan_machine(void)
24217 }
24218 }
24219 else {
24220 - /*
24221 - * no iounmap() for that ioremap(); it would be a no-op, but
24222 - * it's so early in setup that sucker gets confused into doing
24223 - * what it shouldn't if we actually call it.
24224 - */
24225 p = dmi_ioremap(0xF0000, 0x10000);
24226 if (p == NULL)
24227 goto error;
24228 diff -urNp linux-2.6.37/drivers/gpu/drm/drm_crtc_helper.c linux-2.6.37/drivers/gpu/drm/drm_crtc_helper.c
24229 --- linux-2.6.37/drivers/gpu/drm/drm_crtc_helper.c 2011-01-04 19:50:19.000000000 -0500
24230 +++ linux-2.6.37/drivers/gpu/drm/drm_crtc_helper.c 2011-01-17 02:41:01.000000000 -0500
24231 @@ -276,7 +276,7 @@ static bool drm_encoder_crtc_ok(struct d
24232 struct drm_crtc *tmp;
24233 int crtc_mask = 1;
24234
24235 - WARN(!crtc, "checking null crtc?\n");
24236 + BUG_ON(!crtc);
24237
24238 dev = crtc->dev;
24239
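Review bot: Replacing `WARN` with `BUG_ON(!crtc)` converts a condition the caller can survive into a guaranteed kernel oops, which is an availability regression rather than a hardening gain. The original code was already broken on NULL, since `dev = crtc->dev` on the next line dereferences it after the warning, so the minimal fix that keeps both the diagnostic and the process alive is `if (WARN_ON(!crtc)) return false;` (drm_encoder_crtc_ok returns bool). If a NULL crtc here really indicates memory corruption that must not continue, a comment saying so next to the BUG_ON would justify the choice.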
24240 diff -urNp linux-2.6.37/drivers/gpu/drm/drm_drv.c linux-2.6.37/drivers/gpu/drm/drm_drv.c
24241 --- linux-2.6.37/drivers/gpu/drm/drm_drv.c 2011-01-04 19:50:19.000000000 -0500
24242 +++ linux-2.6.37/drivers/gpu/drm/drm_drv.c 2011-01-17 02:41:01.000000000 -0500
24243 @@ -425,7 +425,7 @@ long drm_ioctl(struct file *filp,
24244
24245 dev = file_priv->minor->dev;
24246 atomic_inc(&dev->ioctl_count);
24247 - atomic_inc(&dev->counts[_DRM_STAT_IOCTLS]);
24248 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS]);
24249 ++file_priv->ioctl_count;
24250
24251 DRM_DEBUG("pid=%d, cmd=0x%02x, nr=0x%02x, dev 0x%lx, auth=%d\n",
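Review bot: The `_unchecked` accessors opt these counters out of the overflow detection the patch gives plain `atomic_t`, and nothing in the hunk records why that is acceptable here. It is fine for `dev->counts[]`, which are statistics whose wraparound is harmless, but the declaration of that array is not in this chunk and must have been switched to the unchecked type for this to compile; a comment at the declaration such as `/* statistics only: wraparound is harmless, so overflow checking is deliberately disabled */` would make later audits of unchecked uses quick. The same pattern appears in the drm_fops.c `-70` hunk, drm_ioctl.c, drm_lock.c, both i810_dma.c hunks and the infiniband cm.c counters.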
24252 diff -urNp linux-2.6.37/drivers/gpu/drm/drm_fops.c linux-2.6.37/drivers/gpu/drm/drm_fops.c
24253 --- linux-2.6.37/drivers/gpu/drm/drm_fops.c 2011-01-04 19:50:19.000000000 -0500
24254 +++ linux-2.6.37/drivers/gpu/drm/drm_fops.c 2011-01-17 02:41:01.000000000 -0500
24255 @@ -70,7 +70,7 @@ static int drm_setup(struct drm_device *
24256 }
24257
24258 for (i = 0; i < ARRAY_SIZE(dev->counts); i++)
24259 - atomic_set(&dev->counts[i], 0);
24260 + atomic_set_unchecked(&dev->counts[i], 0);
24261
24262 dev->sigdata.lock = NULL;
24263
24264 @@ -134,8 +134,8 @@ int drm_open(struct inode *inode, struct
24265
24266 retcode = drm_open_helper(inode, filp, dev);
24267 if (!retcode) {
24268 - atomic_inc(&dev->counts[_DRM_STAT_OPENS]);
24269 - if (!dev->open_count++)
24270 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_OPENS]);
24271 + if (atomic_inc_return(&dev->open_count) == 1)
24272 retcode = drm_setup(dev);
24273 }
24274 if (!retcode) {
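Review bot: `atomic_inc_return(&dev->open_count) == 1` makes the counter itself race-free, but it does not order `drm_setup(dev)` before a second concurrent opener proceeds: that opener observes 2, skips setup and returns success while the first is still initialising. Whether this matters depends on whether drm_open is already serialised by `drm_global_mutex`, which drm_release takes in the `-470` hunk but which is not visible here; if it is not, the counter change should be accompanied by holding that mutex across the setup call. A comment on the condition, `/* first opener initialises the device; others must not run until it finishes */`, would at least state the requirement. drm_open continues outside the hunk.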
24275 @@ -470,7 +470,7 @@ int drm_release(struct inode *inode, str
24276
24277 mutex_lock(&drm_global_mutex);
24278
24279 - DRM_DEBUG("open_count = %d\n", dev->open_count);
24280 + DRM_DEBUG("open_count = %d\n", atomic_read(&dev->open_count));
24281
24282 if (dev->driver->preclose)
24283 dev->driver->preclose(dev, file_priv);
24284 @@ -482,7 +482,7 @@ int drm_release(struct inode *inode, str
24285 DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n",
24286 task_pid_nr(current),
24287 (long)old_encode_dev(file_priv->minor->device),
24288 - dev->open_count);
24289 + atomic_read(&dev->open_count));
24290
24291 /* if the master has gone away we can't do anything with the lock */
24292 if (file_priv->minor->master)
24293 @@ -563,8 +563,8 @@ int drm_release(struct inode *inode, str
24294 * End inline drm_release
24295 */
24296
24297 - atomic_inc(&dev->counts[_DRM_STAT_CLOSES]);
24298 - if (!--dev->open_count) {
24299 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_CLOSES]);
24300 + if (atomic_dec_and_test(&dev->open_count)) {
24301 if (atomic_read(&dev->ioctl_count)) {
24302 DRM_ERROR("Device busy: %d\n",
24303 atomic_read(&dev->ioctl_count));
24304 diff -urNp linux-2.6.37/drivers/gpu/drm/drm_global.c linux-2.6.37/drivers/gpu/drm/drm_global.c
24305 --- linux-2.6.37/drivers/gpu/drm/drm_global.c 2011-01-04 19:50:19.000000000 -0500
24306 +++ linux-2.6.37/drivers/gpu/drm/drm_global.c 2011-01-17 02:41:01.000000000 -0500
24307 @@ -36,7 +36,7 @@
24308 struct drm_global_item {
24309 struct mutex mutex;
24310 void *object;
24311 - int refcount;
24312 + atomic_t refcount;
24313 };
24314
24315 static struct drm_global_item glob[DRM_GLOBAL_NUM];
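Review bot: Every access to `refcount` in the following hunks still happens under `mutex_lock(&item->mutex)` (ref at `-70`/`-83`, unref at `-100`), so the switch to `atomic_t` is not fixing a race; its benefit is presumably the overflow detection that checked `atomic_t` gets under this patch. That intent is worth stating at the field, since a later reader may otherwise drop the mutex believing the atomic makes it redundant: `atomic_t refcount; /* checked atomic for overflow detection; still only touched under mutex */`. If overflow protection was not the goal, the conversion could be reverted without loss.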
24316 @@ -49,7 +49,7 @@ void drm_global_init(void)
24317 struct drm_global_item *item = &glob[i];
24318 mutex_init(&item->mutex);
24319 item->object = NULL;
24320 - item->refcount = 0;
24321 + atomic_set(&item->refcount, 0);
24322 }
24323 }
24324
24325 @@ -59,7 +59,7 @@ void drm_global_release(void)
24326 for (i = 0; i < DRM_GLOBAL_NUM; ++i) {
24327 struct drm_global_item *item = &glob[i];
24328 BUG_ON(item->object != NULL);
24329 - BUG_ON(item->refcount != 0);
24330 + BUG_ON(atomic_read(&item->refcount) != 0);
24331 }
24332 }
24333
24334 @@ -70,7 +70,7 @@ int drm_global_item_ref(struct drm_globa
24335 void *object;
24336
24337 mutex_lock(&item->mutex);
24338 - if (item->refcount == 0) {
24339 + if (atomic_read(&item->refcount) == 0) {
24340 item->object = kzalloc(ref->size, GFP_KERNEL);
24341 if (unlikely(item->object == NULL)) {
24342 ret = -ENOMEM;
24343 @@ -83,7 +83,7 @@ int drm_global_item_ref(struct drm_globa
24344 goto out_err;
24345
24346 }
24347 - ++item->refcount;
24348 + atomic_inc(&item->refcount);
24349 ref->object = item->object;
24350 object = item->object;
24351 mutex_unlock(&item->mutex);
24352 @@ -100,9 +100,9 @@ void drm_global_item_unref(struct drm_gl
24353 struct drm_global_item *item = &glob[ref->global_type];
24354
24355 mutex_lock(&item->mutex);
24356 - BUG_ON(item->refcount == 0);
24357 + BUG_ON(atomic_read(&item->refcount) == 0);
24358 BUG_ON(ref->object != item->object);
24359 - if (--item->refcount == 0) {
24360 + if (atomic_dec_and_test(&item->refcount)) {
24361 ref->release(ref);
24362 item->object = NULL;
24363 }
24364 diff -urNp linux-2.6.37/drivers/gpu/drm/drm_info.c linux-2.6.37/drivers/gpu/drm/drm_info.c
24365 --- linux-2.6.37/drivers/gpu/drm/drm_info.c 2011-01-04 19:50:19.000000000 -0500
24366 +++ linux-2.6.37/drivers/gpu/drm/drm_info.c 2011-01-17 02:41:01.000000000 -0500
24367 @@ -86,10 +86,14 @@ int drm_vm_info(struct seq_file *m, void
24368 struct drm_local_map *map;
24369 struct drm_map_list *r_list;
24370
24371 - /* Hardcoded from _DRM_FRAME_BUFFER,
24372 - _DRM_REGISTERS, _DRM_SHM, _DRM_AGP, and
24373 - _DRM_SCATTER_GATHER and _DRM_CONSISTENT */
24374 - const char *types[] = { "FB", "REG", "SHM", "AGP", "SG", "PCI" };
24375 + static const char * const types[] = {
24376 + [_DRM_FRAME_BUFFER] = "FB",
24377 + [_DRM_REGISTERS] = "REG",
24378 + [_DRM_SHM] = "SHM",
24379 + [_DRM_AGP] = "AGP",
24380 + [_DRM_SCATTER_GATHER] = "SG",
24381 + [_DRM_CONSISTENT] = "PCI",
24382 + [_DRM_GEM] = "GEM" };
24383 const char *type;
24384 int i;
24385
24386 @@ -100,7 +104,7 @@ int drm_vm_info(struct seq_file *m, void
24387 map = r_list->map;
24388 if (!map)
24389 continue;
24390 - if (map->type < 0 || map->type > 5)
24391 + if (map->type >= ARRAY_SIZE(types))
24392 type = "??";
24393 else
24394 type = types[map->type];
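Review bot: With the designated-initializer table from the previous hunk, any gap in `enum drm_map_type` leaves a NULL entry, and `types[map->type]` would then hand a NULL `const char *` to the `%s` format below; the bounds test alone does not cover that. The values are contiguous in this tree as far as I can tell, but the check is cheap and removes the dependency on the enum layout: `if (map->type >= ARRAY_SIZE(types) || !types[map->type])`. Dropping the `< 0` half is fine, since comparing against the `size_t` from ARRAY_SIZE converts a negative value to a huge unsigned one that the `>=` test still rejects; a short comment saying so would prevent someone re-adding it.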
24395 diff -urNp linux-2.6.37/drivers/gpu/drm/drm_ioctl.c linux-2.6.37/drivers/gpu/drm/drm_ioctl.c
24396 --- linux-2.6.37/drivers/gpu/drm/drm_ioctl.c 2011-01-04 19:50:19.000000000 -0500
24397 +++ linux-2.6.37/drivers/gpu/drm/drm_ioctl.c 2011-01-17 02:41:01.000000000 -0500
24398 @@ -353,7 +353,7 @@ int drm_getstats(struct drm_device *dev,
24399 stats->data[i].value =
24400 (file_priv->master->lock.hw_lock ? file_priv->master->lock.hw_lock->lock : 0);
24401 else
24402 - stats->data[i].value = atomic_read(&dev->counts[i]);
24403 + stats->data[i].value = atomic_read_unchecked(&dev->counts[i]);
24404 stats->data[i].type = dev->types[i];
24405 }
24406
24407 diff -urNp linux-2.6.37/drivers/gpu/drm/drm_lock.c linux-2.6.37/drivers/gpu/drm/drm_lock.c
24408 --- linux-2.6.37/drivers/gpu/drm/drm_lock.c 2011-01-04 19:50:19.000000000 -0500
24409 +++ linux-2.6.37/drivers/gpu/drm/drm_lock.c 2011-01-17 02:41:01.000000000 -0500
24410 @@ -89,7 +89,7 @@ int drm_lock(struct drm_device *dev, voi
24411 if (drm_lock_take(&master->lock, lock->context)) {
24412 master->lock.file_priv = file_priv;
24413 master->lock.lock_time = jiffies;
24414 - atomic_inc(&dev->counts[_DRM_STAT_LOCKS]);
24415 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_LOCKS]);
24416 break; /* Got lock */
24417 }
24418
24419 @@ -160,7 +160,7 @@ int drm_unlock(struct drm_device *dev, v
24420 return -EINVAL;
24421 }
24422
24423 - atomic_inc(&dev->counts[_DRM_STAT_UNLOCKS]);
24424 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_UNLOCKS]);
24425
24426 if (drm_lock_free(&master->lock, lock->context)) {
24427 /* FIXME: Should really bail out here. */
24428 diff -urNp linux-2.6.37/drivers/gpu/drm/i810/i810_dma.c linux-2.6.37/drivers/gpu/drm/i810/i810_dma.c
24429 --- linux-2.6.37/drivers/gpu/drm/i810/i810_dma.c 2011-01-04 19:50:19.000000000 -0500
24430 +++ linux-2.6.37/drivers/gpu/drm/i810/i810_dma.c 2011-01-17 02:41:01.000000000 -0500
24431 @@ -953,8 +953,8 @@ static int i810_dma_vertex(struct drm_de
24432 dma->buflist[vertex->idx],
24433 vertex->discard, vertex->used);
24434
24435 - atomic_add(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
24436 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
24437 + atomic_add_unchecked(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
24438 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
24439 sarea_priv->last_enqueue = dev_priv->counter - 1;
24440 sarea_priv->last_dispatch = (int)hw_status[5];
24441
24442 @@ -1114,8 +1114,8 @@ static int i810_dma_mc(struct drm_device
24443 i810_dma_dispatch_mc(dev, dma->buflist[mc->idx], mc->used,
24444 mc->last_render);
24445
24446 - atomic_add(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
24447 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
24448 + atomic_add_unchecked(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
24449 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
24450 sarea_priv->last_enqueue = dev_priv->counter - 1;
24451 sarea_priv->last_dispatch = (int)hw_status[5];
24452
24453 diff -urNp linux-2.6.37/drivers/gpu/drm/i915/dvo_ch7017.c linux-2.6.37/drivers/gpu/drm/i915/dvo_ch7017.c
24454 --- linux-2.6.37/drivers/gpu/drm/i915/dvo_ch7017.c 2011-01-04 19:50:19.000000000 -0500
24455 +++ linux-2.6.37/drivers/gpu/drm/i915/dvo_ch7017.c 2011-01-17 02:41:01.000000000 -0500
24456 @@ -390,7 +390,7 @@ static void ch7017_destroy(struct intel_
24457 }
24458 }
24459
24460 -struct intel_dvo_dev_ops ch7017_ops = {
24461 +const struct intel_dvo_dev_ops ch7017_ops = {
24462 .init = ch7017_init,
24463 .detect = ch7017_detect,
24464 .mode_valid = ch7017_mode_valid,
24465 diff -urNp linux-2.6.37/drivers/gpu/drm/i915/dvo_ch7xxx.c linux-2.6.37/drivers/gpu/drm/i915/dvo_ch7xxx.c
24466 --- linux-2.6.37/drivers/gpu/drm/i915/dvo_ch7xxx.c 2011-01-04 19:50:19.000000000 -0500
24467 +++ linux-2.6.37/drivers/gpu/drm/i915/dvo_ch7xxx.c 2011-01-17 02:41:01.000000000 -0500
24468 @@ -320,7 +320,7 @@ static void ch7xxx_destroy(struct intel_
24469 }
24470 }
24471
24472 -struct intel_dvo_dev_ops ch7xxx_ops = {
24473 +const struct intel_dvo_dev_ops ch7xxx_ops = {
24474 .init = ch7xxx_init,
24475 .detect = ch7xxx_detect,
24476 .mode_valid = ch7xxx_mode_valid,
24477 diff -urNp linux-2.6.37/drivers/gpu/drm/i915/dvo.h linux-2.6.37/drivers/gpu/drm/i915/dvo.h
24478 --- linux-2.6.37/drivers/gpu/drm/i915/dvo.h 2011-01-04 19:50:19.000000000 -0500
24479 +++ linux-2.6.37/drivers/gpu/drm/i915/dvo.h 2011-01-17 02:41:01.000000000 -0500
24480 @@ -122,23 +122,23 @@ struct intel_dvo_dev_ops {
24481 *
24482 * \return singly-linked list of modes or NULL if no modes found.
24483 */
24484 - struct drm_display_mode *(*get_modes)(struct intel_dvo_device *dvo);
24485 + struct drm_display_mode *(* const get_modes)(struct intel_dvo_device *dvo);
24486
24487 /**
24488 * Clean up driver-specific bits of the output
24489 */
24490 - void (*destroy) (struct intel_dvo_device *dvo);
24491 + void (* const destroy) (struct intel_dvo_device *dvo);
24492
24493 /**
24494 * Debugging hook to dump device registers to log file
24495 */
24496 - void (*dump_regs)(struct intel_dvo_device *dvo);
24497 + void (* const dump_regs)(struct intel_dvo_device *dvo);
24498 };
24499
24500 -extern struct intel_dvo_dev_ops sil164_ops;
24501 -extern struct intel_dvo_dev_ops ch7xxx_ops;
24502 -extern struct intel_dvo_dev_ops ivch_ops;
24503 -extern struct intel_dvo_dev_ops tfp410_ops;
24504 -extern struct intel_dvo_dev_ops ch7017_ops;
24505 +extern const struct intel_dvo_dev_ops sil164_ops;
24506 +extern const struct intel_dvo_dev_ops ch7xxx_ops;
24507 +extern const struct intel_dvo_dev_ops ivch_ops;
24508 +extern const struct intel_dvo_dev_ops tfp410_ops;
24509 +extern const struct intel_dvo_dev_ops ch7017_ops;
24510
24511 #endif /* _INTEL_DVO_H */
24512 diff -urNp linux-2.6.37/drivers/gpu/drm/i915/dvo_ivch.c linux-2.6.37/drivers/gpu/drm/i915/dvo_ivch.c
24513 --- linux-2.6.37/drivers/gpu/drm/i915/dvo_ivch.c 2011-01-04 19:50:19.000000000 -0500
24514 +++ linux-2.6.37/drivers/gpu/drm/i915/dvo_ivch.c 2011-01-17 02:41:01.000000000 -0500
24515 @@ -410,7 +410,7 @@ static void ivch_destroy(struct intel_dv
24516 }
24517 }
24518
24519 -struct intel_dvo_dev_ops ivch_ops= {
24520 +const struct intel_dvo_dev_ops ivch_ops= {
24521 .init = ivch_init,
24522 .dpms = ivch_dpms,
24523 .mode_valid = ivch_mode_valid,
24524 diff -urNp linux-2.6.37/drivers/gpu/drm/i915/dvo_sil164.c linux-2.6.37/drivers/gpu/drm/i915/dvo_sil164.c
24525 --- linux-2.6.37/drivers/gpu/drm/i915/dvo_sil164.c 2011-01-04 19:50:19.000000000 -0500
24526 +++ linux-2.6.37/drivers/gpu/drm/i915/dvo_sil164.c 2011-01-17 02:41:01.000000000 -0500
24527 @@ -252,7 +252,7 @@ static void sil164_destroy(struct intel_
24528 }
24529 }
24530
24531 -struct intel_dvo_dev_ops sil164_ops = {
24532 +const struct intel_dvo_dev_ops sil164_ops = {
24533 .init = sil164_init,
24534 .detect = sil164_detect,
24535 .mode_valid = sil164_mode_valid,
24536 diff -urNp linux-2.6.37/drivers/gpu/drm/i915/dvo_tfp410.c linux-2.6.37/drivers/gpu/drm/i915/dvo_tfp410.c
24537 --- linux-2.6.37/drivers/gpu/drm/i915/dvo_tfp410.c 2011-01-04 19:50:19.000000000 -0500
24538 +++ linux-2.6.37/drivers/gpu/drm/i915/dvo_tfp410.c 2011-01-17 02:41:01.000000000 -0500
24539 @@ -293,7 +293,7 @@ static void tfp410_destroy(struct intel_
24540 }
24541 }
24542
24543 -struct intel_dvo_dev_ops tfp410_ops = {
24544 +const struct intel_dvo_dev_ops tfp410_ops = {
24545 .init = tfp410_init,
24546 .detect = tfp410_detect,
24547 .mode_valid = tfp410_mode_valid,
24548 diff -urNp linux-2.6.37/drivers/gpu/drm/i915/i915_dma.c linux-2.6.37/drivers/gpu/drm/i915/i915_dma.c
24549 --- linux-2.6.37/drivers/gpu/drm/i915/i915_dma.c 2011-01-04 19:50:19.000000000 -0500
24550 +++ linux-2.6.37/drivers/gpu/drm/i915/i915_dma.c 2011-01-17 02:41:01.000000000 -0500
24551 @@ -1191,7 +1191,7 @@ static bool i915_switcheroo_can_switch(s
24552 bool can_switch;
24553
24554 spin_lock(&dev->count_lock);
24555 - can_switch = (dev->open_count == 0);
24556 + can_switch = (atomic_read(&dev->open_count) == 0);
24557 spin_unlock(&dev->count_lock);
24558 return can_switch;
24559 }
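Review bot: Now that `open_count` is an `atomic_t`, wrapping the single `atomic_read` in `spin_lock(&dev->count_lock)` no longer buys anything, and in the visible drm_fops.c hunks the increment and decrement sites do not take `count_lock`, so the lock never ordered this read against them in the first place. Either drop the lock pair here or add a comment naming what else `count_lock` is protecting in this function. The same three-line pattern appears in the nouveau_state.c and radeon_device.c switcheroo hunks.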
24560 diff -urNp linux-2.6.37/drivers/gpu/drm/i915/i915_drv.c linux-2.6.37/drivers/gpu/drm/i915/i915_drv.c
24561 --- linux-2.6.37/drivers/gpu/drm/i915/i915_drv.c 2011-01-04 19:50:19.000000000 -0500
24562 +++ linux-2.6.37/drivers/gpu/drm/i915/i915_drv.c 2011-01-17 02:41:01.000000000 -0500
24563 @@ -579,7 +579,7 @@ static const struct dev_pm_ops i915_pm_o
24564 .restore = i915_pm_resume,
24565 };
24566
24567 -static struct vm_operations_struct i915_gem_vm_ops = {
24568 +static const struct vm_operations_struct i915_gem_vm_ops = {
24569 .fault = i915_gem_fault,
24570 .open = drm_gem_vm_open,
24571 .close = drm_gem_vm_close,
24572 diff -urNp linux-2.6.37/drivers/gpu/drm/i915/i915_gem.c linux-2.6.37/drivers/gpu/drm/i915/i915_gem.c
24573 --- linux-2.6.37/drivers/gpu/drm/i915/i915_gem.c 2011-01-04 19:50:19.000000000 -0500
24574 +++ linux-2.6.37/drivers/gpu/drm/i915/i915_gem.c 2011-01-17 02:41:01.000000000 -0500
24575 @@ -587,6 +587,7 @@ i915_gem_pread_ioctl(struct drm_device *
24576 goto out_put;
24577
24578 ret = -EFAULT;
24579 +
24580 if (!i915_gem_object_needs_bit17_swizzle(obj))
24581 ret = i915_gem_shmem_pread_fast(dev, obj, args, file_priv);
24582 if (ret == -EFAULT)
24583 diff -urNp linux-2.6.37/drivers/gpu/drm/nouveau/nouveau_backlight.c linux-2.6.37/drivers/gpu/drm/nouveau/nouveau_backlight.c
24584 --- linux-2.6.37/drivers/gpu/drm/nouveau/nouveau_backlight.c 2011-01-04 19:50:19.000000000 -0500
24585 +++ linux-2.6.37/drivers/gpu/drm/nouveau/nouveau_backlight.c 2011-01-17 02:41:01.000000000 -0500
24586 @@ -59,7 +59,7 @@ static int nv40_set_intensity(struct bac
24587 return 0;
24588 }
24589
24590 -static struct backlight_ops nv40_bl_ops = {
24591 +static const struct backlight_ops nv40_bl_ops = {
24592 .options = BL_CORE_SUSPENDRESUME,
24593 .get_brightness = nv40_get_intensity,
24594 .update_status = nv40_set_intensity,
24595 @@ -82,7 +82,7 @@ static int nv50_set_intensity(struct bac
24596 return 0;
24597 }
24598
24599 -static struct backlight_ops nv50_bl_ops = {
24600 +static const struct backlight_ops nv50_bl_ops = {
24601 .options = BL_CORE_SUSPENDRESUME,
24602 .get_brightness = nv50_get_intensity,
24603 .update_status = nv50_set_intensity,
24604 diff -urNp linux-2.6.37/drivers/gpu/drm/nouveau/nouveau_state.c linux-2.6.37/drivers/gpu/drm/nouveau/nouveau_state.c
24605 --- linux-2.6.37/drivers/gpu/drm/nouveau/nouveau_state.c 2011-01-04 19:50:19.000000000 -0500
24606 +++ linux-2.6.37/drivers/gpu/drm/nouveau/nouveau_state.c 2011-01-17 02:41:01.000000000 -0500
24607 @@ -546,7 +546,7 @@ static bool nouveau_switcheroo_can_switc
24608 bool can_switch;
24609
24610 spin_lock(&dev->count_lock);
24611 - can_switch = (dev->open_count == 0);
24612 + can_switch = (atomic_read(&dev->open_count) == 0);
24613 spin_unlock(&dev->count_lock);
24614 return can_switch;
24615 }
24616 diff -urNp linux-2.6.37/drivers/gpu/drm/radeon/mkregtable.c linux-2.6.37/drivers/gpu/drm/radeon/mkregtable.c
24617 --- linux-2.6.37/drivers/gpu/drm/radeon/mkregtable.c 2011-01-04 19:50:19.000000000 -0500
24618 +++ linux-2.6.37/drivers/gpu/drm/radeon/mkregtable.c 2011-01-17 02:41:01.000000000 -0500
24619 @@ -637,14 +637,14 @@ static int parser_auth(struct table *t,
24620 regex_t mask_rex;
24621 regmatch_t match[4];
24622 char buf[1024];
24623 - size_t end;
24624 + long end;
24625 int len;
24626 int done = 0;
24627 int r;
24628 unsigned o;
24629 struct offset *offset;
24630 char last_reg_s[10];
24631 - int last_reg;
24632 + unsigned long last_reg;
24633
24634 if (regcomp
24635 (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
24636 diff -urNp linux-2.6.37/drivers/gpu/drm/radeon/radeon_device.c linux-2.6.37/drivers/gpu/drm/radeon/radeon_device.c
24637 --- linux-2.6.37/drivers/gpu/drm/radeon/radeon_device.c 2011-01-04 19:50:19.000000000 -0500
24638 +++ linux-2.6.37/drivers/gpu/drm/radeon/radeon_device.c 2011-01-17 02:41:01.000000000 -0500
24639 @@ -659,7 +659,7 @@ static bool radeon_switcheroo_can_switch
24640 bool can_switch;
24641
24642 spin_lock(&dev->count_lock);
24643 - can_switch = (dev->open_count == 0);
24644 + can_switch = (atomic_read(&dev->open_count) == 0);
24645 spin_unlock(&dev->count_lock);
24646 return can_switch;
24647 }
24648 diff -urNp linux-2.6.37/drivers/gpu/drm/radeon/radeon_state.c linux-2.6.37/drivers/gpu/drm/radeon/radeon_state.c
24649 --- linux-2.6.37/drivers/gpu/drm/radeon/radeon_state.c 2011-01-04 19:50:19.000000000 -0500
24650 +++ linux-2.6.37/drivers/gpu/drm/radeon/radeon_state.c 2011-01-17 02:41:01.000000000 -0500
24651 @@ -2168,7 +2168,7 @@ static int radeon_cp_clear(struct drm_de
24652 if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS)
24653 sarea_priv->nbox = RADEON_NR_SAREA_CLIPRECTS;
24654
24655 - if (DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
24656 + if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS || DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
24657 sarea_priv->nbox * sizeof(depth_boxes[0])))
24658 return -EFAULT;
24659
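Review bot: The added re-check of `sarea_priv->nbox` only makes sense because the value can change between the clamp two lines above and the copy (the sarea is, as far as I recall, user-mapped shared memory), yet the size expression on the next line reads the field a third time, so the copy length is still the unverified value. The robust form fetches once into a local and uses only that: `unsigned int nbox = sarea_priv->nbox; if (nbox > RADEON_NR_SAREA_CLIPRECTS) nbox = RADEON_NR_SAREA_CLIPRECTS;` followed by `nbox * sizeof(depth_boxes[0])` in the copy. If the write-back to `sarea_priv->nbox` is needed by dispatch code further down, keep it in addition, but size the copy from the local. radeon_cp_clear continues outside the hunk.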
24660 @@ -3031,7 +3031,7 @@ static int radeon_cp_getparam(struct drm
24661 {
24662 drm_radeon_private_t *dev_priv = dev->dev_private;
24663 drm_radeon_getparam_t *param = data;
24664 - int value;
24665 + int value = 0;
24666
24667 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
24668
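Review bot: `int value = 0;` is a silent fix with no explanation; I assume it is there because a later branch copies `value` to user space without every switch case having assigned it, which would leak uninitialised stack bytes. That reasoning belongs next to the initialiser so it is not "cleaned up" later: `int value = 0; /* copied to user space below; not every case sets it */`. The copy itself is outside the hunk, so confirm the comment matches the actual flow before adding it.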
24669 diff -urNp linux-2.6.37/drivers/gpu/drm/radeon/radeon_ttm.c linux-2.6.37/drivers/gpu/drm/radeon/radeon_ttm.c
24670 --- linux-2.6.37/drivers/gpu/drm/radeon/radeon_ttm.c 2011-01-04 19:50:19.000000000 -0500
24671 +++ linux-2.6.37/drivers/gpu/drm/radeon/radeon_ttm.c 2011-01-17 02:41:01.000000000 -0500
24672 @@ -589,8 +589,9 @@ void radeon_ttm_fini(struct radeon_devic
24673 DRM_INFO("radeon: ttm finalized\n");
24674 }
24675
24676 -static struct vm_operations_struct radeon_ttm_vm_ops;
24677 -static const struct vm_operations_struct *ttm_vm_ops = NULL;
24678 +extern int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf);
24679 +extern void ttm_bo_vm_open(struct vm_area_struct *vma);
24680 +extern void ttm_bo_vm_close(struct vm_area_struct *vma);
24681
24682 static int radeon_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
24683 {
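Review bot: The three `extern` prototypes for `ttm_bo_vm_fault`, `ttm_bo_vm_open` and `ttm_bo_vm_close` are declared locally in radeon_ttm.c instead of in a ttm header such as ttm_bo_api.h, so the compiler never checks them against the definitions in ttm_bo_vm.c; a later signature change there would compile on both sides and fail at runtime. Since the ttm_bo_vm.c hunks make the functions non-static and export them, the declarations should move into the header that file and radeon include. The trade-off of the static const ops table versus the old runtime copy is a good one, as the vm_ops can no longer be rewritten after module init, and that is worth a one-line comment above the table.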
24684 @@ -598,17 +599,22 @@ static int radeon_ttm_fault(struct vm_ar
24685 struct radeon_device *rdev;
24686 int r;
24687
24688 - bo = (struct ttm_buffer_object *)vma->vm_private_data;
24689 - if (bo == NULL) {
24690 + bo = (struct ttm_buffer_object *)vma->vm_private_data;
24691 + if (!bo)
24692 return VM_FAULT_NOPAGE;
24693 - }
24694 rdev = radeon_get_rdev(bo->bdev);
24695 mutex_lock(&rdev->vram_mutex);
24696 - r = ttm_vm_ops->fault(vma, vmf);
24697 + r = ttm_bo_vm_fault(vma, vmf);
24698 mutex_unlock(&rdev->vram_mutex);
24699 return r;
24700 }
24701
24702 +static const struct vm_operations_struct radeon_ttm_vm_ops = {
24703 + .fault = radeon_ttm_fault,
24704 + .open = ttm_bo_vm_open,
24705 + .close = ttm_bo_vm_close
24706 +};
24707 +
24708 int radeon_mmap(struct file *filp, struct vm_area_struct *vma)
24709 {
24710 struct drm_file *file_priv;
24711 @@ -621,18 +627,11 @@ int radeon_mmap(struct file *filp, struc
24712
24713 file_priv = filp->private_data;
24714 rdev = file_priv->minor->dev->dev_private;
24715 - if (rdev == NULL) {
24716 + if (!rdev)
24717 return -EINVAL;
24718 - }
24719 r = ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
24720 - if (unlikely(r != 0)) {
24721 + if (r)
24722 return r;
24723 - }
24724 - if (unlikely(ttm_vm_ops == NULL)) {
24725 - ttm_vm_ops = vma->vm_ops;
24726 - radeon_ttm_vm_ops = *ttm_vm_ops;
24727 - radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
24728 - }
24729 vma->vm_ops = &radeon_ttm_vm_ops;
24730 return 0;
24731 }
24732 diff -urNp linux-2.6.37/drivers/gpu/drm/ttm/ttm_bo.c linux-2.6.37/drivers/gpu/drm/ttm/ttm_bo.c
24733 --- linux-2.6.37/drivers/gpu/drm/ttm/ttm_bo.c 2011-01-04 19:50:19.000000000 -0500
24734 +++ linux-2.6.37/drivers/gpu/drm/ttm/ttm_bo.c 2011-01-17 02:41:01.000000000 -0500
24735 @@ -40,7 +40,7 @@
24736 #include <asm/atomic.h>
24737
24738 #define TTM_ASSERT_LOCKED(param)
24739 -#define TTM_DEBUG(fmt, arg...)
24740 +#define TTM_DEBUG(fmt, arg...) do {} while (0)
24741 #define TTM_BO_HASH_ORDER 13
24742
24743 static int ttm_bo_setup_vm(struct ttm_buffer_object *bo);
24744 diff -urNp linux-2.6.37/drivers/gpu/drm/ttm/ttm_bo_vm.c linux-2.6.37/drivers/gpu/drm/ttm/ttm_bo_vm.c
24745 --- linux-2.6.37/drivers/gpu/drm/ttm/ttm_bo_vm.c 2011-01-04 19:50:19.000000000 -0500
24746 +++ linux-2.6.37/drivers/gpu/drm/ttm/ttm_bo_vm.c 2011-01-17 02:41:01.000000000 -0500
24747 @@ -69,11 +69,11 @@ static struct ttm_buffer_object *ttm_bo_
24748 return best_bo;
24749 }
24750
24751 -static int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
24752 +int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
24753 {
24754 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)
24755 vma->vm_private_data;
24756 - struct ttm_bo_device *bdev = bo->bdev;
24757 + struct ttm_bo_device *bdev;
24758 unsigned long page_offset;
24759 unsigned long page_last;
24760 unsigned long pfn;
24761 @@ -84,6 +84,10 @@ static int ttm_bo_vm_fault(struct vm_are
24762 unsigned long address = (unsigned long)vmf->virtual_address;
24763 int retval = VM_FAULT_NOPAGE;
24764
24765 + if (!bo)
24766 + return VM_FAULT_NOPAGE;
24767 + bdev = bo->bdev;
24768 +
24769 /*
24770 * Work around locking order reversal in fault / nopfn
24771 * between mmap_sem and bo_reserve: Perform a trylock operation
24772 @@ -212,22 +216,25 @@ out_unlock:
24773 ttm_bo_unreserve(bo);
24774 return retval;
24775 }
24776 +EXPORT_SYMBOL(ttm_bo_vm_fault);
24777
24778 -static void ttm_bo_vm_open(struct vm_area_struct *vma)
24779 +void ttm_bo_vm_open(struct vm_area_struct *vma)
24780 {
24781 struct ttm_buffer_object *bo =
24782 (struct ttm_buffer_object *)vma->vm_private_data;
24783
24784 (void)ttm_bo_reference(bo);
24785 }
24786 +EXPORT_SYMBOL(ttm_bo_vm_open);
24787
24788 -static void ttm_bo_vm_close(struct vm_area_struct *vma)
24789 +void ttm_bo_vm_close(struct vm_area_struct *vma)
24790 {
24791 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)vma->vm_private_data;
24792
24793 ttm_bo_unref(&bo);
24794 vma->vm_private_data = NULL;
24795 }
24796 +EXPORT_SYMBOL(ttm_bo_vm_close);
24797
24798 static const struct vm_operations_struct ttm_bo_vm_ops = {
24799 .fault = ttm_bo_vm_fault,
24800 diff -urNp linux-2.6.37/drivers/hid/usbhid/hiddev.c linux-2.6.37/drivers/hid/usbhid/hiddev.c
24801 --- linux-2.6.37/drivers/hid/usbhid/hiddev.c 2011-01-04 19:50:19.000000000 -0500
24802 +++ linux-2.6.37/drivers/hid/usbhid/hiddev.c 2011-01-17 02:41:01.000000000 -0500
24803 @@ -611,7 +611,7 @@ static long hiddev_ioctl(struct file *fi
24804 return put_user(HID_VERSION, (int __user *)arg);
24805
24806 case HIDIOCAPPLICATION:
24807 - if (arg < 0 || arg >= hid->maxapplication)
24808 + if (arg >= hid->maxapplication)
24809 return -EINVAL;
24810
24811 for (i = 0; i < hid->maxcollection; i++)
24812 diff -urNp linux-2.6.37/drivers/hwmon/k8temp.c linux-2.6.37/drivers/hwmon/k8temp.c
24813 --- linux-2.6.37/drivers/hwmon/k8temp.c 2011-01-04 19:50:19.000000000 -0500
24814 +++ linux-2.6.37/drivers/hwmon/k8temp.c 2011-01-17 02:41:01.000000000 -0500
24815 @@ -138,7 +138,7 @@ static DEVICE_ATTR(name, S_IRUGO, show_n
24816
24817 static const struct pci_device_id k8temp_ids[] = {
24818 { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_K8_NB_MISC) },
24819 - { 0 },
24820 + { 0, 0, 0, 0, 0, 0, 0 },
24821 };
24822
24823 MODULE_DEVICE_TABLE(pci, k8temp_ids);
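Review bot: `{ 0, 0, 0, 0, 0, 0, 0 }` hard-codes the current field count of `struct pci_device_id` into the sentinel, which will silently become a partial initialiser if the struct ever grows, and it gives no hint why `{ 0 }` was not acceptable. Whatever the motivation (presumably a warning or plugin in this build), a single named macro for the sentinel, defined once, or a one-line comment at the first occurrence would keep the eight copies in sync; the same positional pattern appears in the sis5595.c, via686a.c, vt8231.c, i2c-i801.c, i2c-piix4.c (both the `dmi_system_id` and the pci table), i2c-sis630.c and i2c-sis96x.c hunks.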
24824 diff -urNp linux-2.6.37/drivers/hwmon/sis5595.c linux-2.6.37/drivers/hwmon/sis5595.c
24825 --- linux-2.6.37/drivers/hwmon/sis5595.c 2011-01-04 19:50:19.000000000 -0500
24826 +++ linux-2.6.37/drivers/hwmon/sis5595.c 2011-01-17 02:41:01.000000000 -0500
24827 @@ -699,7 +699,7 @@ static struct sis5595_data *sis5595_upda
24828
24829 static const struct pci_device_id sis5595_pci_ids[] = {
24830 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
24831 - { 0, }
24832 + { 0, 0, 0, 0, 0, 0, 0 }
24833 };
24834
24835 MODULE_DEVICE_TABLE(pci, sis5595_pci_ids);
24836 diff -urNp linux-2.6.37/drivers/hwmon/via686a.c linux-2.6.37/drivers/hwmon/via686a.c
24837 --- linux-2.6.37/drivers/hwmon/via686a.c 2011-01-04 19:50:19.000000000 -0500
24838 +++ linux-2.6.37/drivers/hwmon/via686a.c 2011-01-17 02:41:01.000000000 -0500
24839 @@ -769,7 +769,7 @@ static struct via686a_data *via686a_upda
24840
24841 static const struct pci_device_id via686a_pci_ids[] = {
24842 { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C686_4) },
24843 - { 0, }
24844 + { 0, 0, 0, 0, 0, 0, 0 }
24845 };
24846
24847 MODULE_DEVICE_TABLE(pci, via686a_pci_ids);
24848 diff -urNp linux-2.6.37/drivers/hwmon/vt8231.c linux-2.6.37/drivers/hwmon/vt8231.c
24849 --- linux-2.6.37/drivers/hwmon/vt8231.c 2011-01-04 19:50:19.000000000 -0500
24850 +++ linux-2.6.37/drivers/hwmon/vt8231.c 2011-01-17 02:41:01.000000000 -0500
24851 @@ -699,7 +699,7 @@ static struct platform_driver vt8231_dri
24852
24853 static const struct pci_device_id vt8231_pci_ids[] = {
24854 { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_8231_4) },
24855 - { 0, }
24856 + { 0, 0, 0, 0, 0, 0, 0 }
24857 };
24858
24859 MODULE_DEVICE_TABLE(pci, vt8231_pci_ids);
24860 diff -urNp linux-2.6.37/drivers/hwmon/w83791d.c linux-2.6.37/drivers/hwmon/w83791d.c
24861 --- linux-2.6.37/drivers/hwmon/w83791d.c 2011-01-04 19:50:19.000000000 -0500
24862 +++ linux-2.6.37/drivers/hwmon/w83791d.c 2011-01-17 02:41:01.000000000 -0500
24863 @@ -329,8 +329,8 @@ static int w83791d_detect(struct i2c_cli
24864 struct i2c_board_info *info);
24865 static int w83791d_remove(struct i2c_client *client);
24866
24867 -static int w83791d_read(struct i2c_client *client, u8 register);
24868 -static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
24869 +static int w83791d_read(struct i2c_client *client, u8 reg);
24870 +static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
24871 static struct w83791d_data *w83791d_update_device(struct device *dev);
24872
24873 #ifdef DEBUG
24874 diff -urNp linux-2.6.37/drivers/i2c/busses/i2c-i801.c linux-2.6.37/drivers/i2c/busses/i2c-i801.c
24875 --- linux-2.6.37/drivers/i2c/busses/i2c-i801.c 2011-01-04 19:50:19.000000000 -0500
24876 +++ linux-2.6.37/drivers/i2c/busses/i2c-i801.c 2011-01-17 02:41:01.000000000 -0500
24877 @@ -620,7 +620,7 @@ static const struct pci_device_id i801_i
24878 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_PATSBURG_SMBUS_IDF0) },
24879 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_PATSBURG_SMBUS_IDF1) },
24880 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_PATSBURG_SMBUS_IDF2) },
24881 - { 0, }
24882 + { 0, 0, 0, 0, 0, 0, 0 }
24883 };
24884
24885 MODULE_DEVICE_TABLE(pci, i801_ids);
24886 diff -urNp linux-2.6.37/drivers/i2c/busses/i2c-piix4.c linux-2.6.37/drivers/i2c/busses/i2c-piix4.c
24887 --- linux-2.6.37/drivers/i2c/busses/i2c-piix4.c 2011-01-04 19:50:19.000000000 -0500
24888 +++ linux-2.6.37/drivers/i2c/busses/i2c-piix4.c 2011-01-17 02:41:01.000000000 -0500
24889 @@ -124,7 +124,7 @@ static struct dmi_system_id __devinitdat
24890 .ident = "IBM",
24891 .matches = { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
24892 },
24893 - { },
24894 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
24895 };
24896
24897 static int __devinit piix4_setup(struct pci_dev *PIIX4_dev,
24898 @@ -491,7 +491,7 @@ static const struct pci_device_id piix4_
24899 PCI_DEVICE_ID_SERVERWORKS_HT1000SB) },
24900 { PCI_DEVICE(PCI_VENDOR_ID_SERVERWORKS,
24901 PCI_DEVICE_ID_SERVERWORKS_HT1100LD) },
24902 - { 0, }
24903 + { 0, 0, 0, 0, 0, 0, 0 }
24904 };
24905
24906 MODULE_DEVICE_TABLE (pci, piix4_ids);
24907 diff -urNp linux-2.6.37/drivers/i2c/busses/i2c-sis630.c linux-2.6.37/drivers/i2c/busses/i2c-sis630.c
24908 --- linux-2.6.37/drivers/i2c/busses/i2c-sis630.c 2011-01-04 19:50:19.000000000 -0500
24909 +++ linux-2.6.37/drivers/i2c/busses/i2c-sis630.c 2011-01-17 02:41:01.000000000 -0500
24910 @@ -471,7 +471,7 @@ static struct i2c_adapter sis630_adapter
24911 static const struct pci_device_id sis630_ids[] __devinitconst = {
24912 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
24913 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_LPC) },
24914 - { 0, }
24915 + { 0, 0, 0, 0, 0, 0, 0 }
24916 };
24917
24918 MODULE_DEVICE_TABLE (pci, sis630_ids);
24919 diff -urNp linux-2.6.37/drivers/i2c/busses/i2c-sis96x.c linux-2.6.37/drivers/i2c/busses/i2c-sis96x.c
24920 --- linux-2.6.37/drivers/i2c/busses/i2c-sis96x.c 2011-01-04 19:50:19.000000000 -0500
24921 +++ linux-2.6.37/drivers/i2c/busses/i2c-sis96x.c 2011-01-17 02:41:01.000000000 -0500
24922 @@ -247,7 +247,7 @@ static struct i2c_adapter sis96x_adapter
24923
24924 static const struct pci_device_id sis96x_ids[] = {
24925 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_SMBUS) },
24926 - { 0, }
24927 + { 0, 0, 0, 0, 0, 0, 0 }
24928 };
24929
24930 MODULE_DEVICE_TABLE (pci, sis96x_ids);
24931 diff -urNp linux-2.6.37/drivers/ide/ide-cd.c linux-2.6.37/drivers/ide/ide-cd.c
24932 --- linux-2.6.37/drivers/ide/ide-cd.c 2011-01-04 19:50:19.000000000 -0500
24933 +++ linux-2.6.37/drivers/ide/ide-cd.c 2011-01-17 02:41:01.000000000 -0500
24934 @@ -776,7 +776,7 @@ static void cdrom_do_block_pc(ide_drive_
24935 alignment = queue_dma_alignment(q) | q->dma_pad_mask;
24936 if ((unsigned long)buf & alignment
24937 || blk_rq_bytes(rq) & q->dma_pad_mask
24938 - || object_is_on_stack(buf))
24939 + || object_starts_on_stack(buf))
24940 drive->dma = 0;
24941 }
24942 }
24943 diff -urNp linux-2.6.37/drivers/infiniband/core/cm.c linux-2.6.37/drivers/infiniband/core/cm.c
24944 --- linux-2.6.37/drivers/infiniband/core/cm.c 2011-01-04 19:50:19.000000000 -0500
24945 +++ linux-2.6.37/drivers/infiniband/core/cm.c 2011-01-17 02:41:01.000000000 -0500
24946 @@ -113,7 +113,7 @@ static char const counter_group_names[CM
24947
24948 struct cm_counter_group {
24949 struct kobject obj;
24950 - atomic_long_t counter[CM_ATTR_COUNT];
24951 + atomic_long_unchecked_t counter[CM_ATTR_COUNT];
24952 };
24953
24954 struct cm_counter_attribute {
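Review bot: Changing `counter[CM_ATTR_COUNT]` to `atomic_long_unchecked_t` opts these counters out of whatever overflow checking the checked atomic provides, and nothing on the field says why that is acceptable here. A comment on the member such as `/* statistics only: wrap-around is harmless, so the unchecked atomic is used deliberately */` would keep a later reader from "fixing" it back to atomic_long_t. The same reasoning covers the atomic_long_inc_unchecked, atomic_long_add_unchecked and atomic_long_read_unchecked call sites in the remaining cm.c hunks, which need no separate comment once the field is documented.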
24955 @@ -1387,7 +1387,7 @@ static void cm_dup_req_handler(struct cm
24956 struct ib_mad_send_buf *msg = NULL;
24957 int ret;
24958
24959 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
24960 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
24961 counter[CM_REQ_COUNTER]);
24962
24963 /* Quick state check to discard duplicate REQs. */
24964 @@ -1765,7 +1765,7 @@ static void cm_dup_rep_handler(struct cm
24965 if (!cm_id_priv)
24966 return;
24967
24968 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
24969 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
24970 counter[CM_REP_COUNTER]);
24971 ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
24972 if (ret)
24973 @@ -1932,7 +1932,7 @@ static int cm_rtu_handler(struct cm_work
24974 if (cm_id_priv->id.state != IB_CM_REP_SENT &&
24975 cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
24976 spin_unlock_irq(&cm_id_priv->lock);
24977 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
24978 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
24979 counter[CM_RTU_COUNTER]);
24980 goto out;
24981 }
24982 @@ -2111,7 +2111,7 @@ static int cm_dreq_handler(struct cm_wor
24983 cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
24984 dreq_msg->local_comm_id);
24985 if (!cm_id_priv) {
24986 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
24987 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
24988 counter[CM_DREQ_COUNTER]);
24989 cm_issue_drep(work->port, work->mad_recv_wc);
24990 return -EINVAL;
24991 @@ -2132,7 +2132,7 @@ static int cm_dreq_handler(struct cm_wor
24992 case IB_CM_MRA_REP_RCVD:
24993 break;
24994 case IB_CM_TIMEWAIT:
24995 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
24996 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
24997 counter[CM_DREQ_COUNTER]);
24998 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
24999 goto unlock;
25000 @@ -2146,7 +2146,7 @@ static int cm_dreq_handler(struct cm_wor
25001 cm_free_msg(msg);
25002 goto deref;
25003 case IB_CM_DREQ_RCVD:
25004 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25005 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25006 counter[CM_DREQ_COUNTER]);
25007 goto unlock;
25008 default:
25009 @@ -2504,7 +2504,7 @@ static int cm_mra_handler(struct cm_work
25010 ib_modify_mad(cm_id_priv->av.port->mad_agent,
25011 cm_id_priv->msg, timeout)) {
25012 if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
25013 - atomic_long_inc(&work->port->
25014 + atomic_long_inc_unchecked(&work->port->
25015 counter_group[CM_RECV_DUPLICATES].
25016 counter[CM_MRA_COUNTER]);
25017 goto out;
25018 @@ -2513,7 +2513,7 @@ static int cm_mra_handler(struct cm_work
25019 break;
25020 case IB_CM_MRA_REQ_RCVD:
25021 case IB_CM_MRA_REP_RCVD:
25022 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25023 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25024 counter[CM_MRA_COUNTER]);
25025 /* fall through */
25026 default:
25027 @@ -2675,7 +2675,7 @@ static int cm_lap_handler(struct cm_work
25028 case IB_CM_LAP_IDLE:
25029 break;
25030 case IB_CM_MRA_LAP_SENT:
25031 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25032 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25033 counter[CM_LAP_COUNTER]);
25034 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
25035 goto unlock;
25036 @@ -2691,7 +2691,7 @@ static int cm_lap_handler(struct cm_work
25037 cm_free_msg(msg);
25038 goto deref;
25039 case IB_CM_LAP_RCVD:
25040 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25041 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25042 counter[CM_LAP_COUNTER]);
25043 goto unlock;
25044 default:
25045 @@ -2975,7 +2975,7 @@ static int cm_sidr_req_handler(struct cm
25046 cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
25047 if (cur_cm_id_priv) {
25048 spin_unlock_irq(&cm.lock);
25049 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25050 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25051 counter[CM_SIDR_REQ_COUNTER]);
25052 goto out; /* Duplicate message. */
25053 }
25054 @@ -3186,10 +3186,10 @@ static void cm_send_handler(struct ib_ma
25055 if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
25056 msg->retries = 1;
25057
25058 - atomic_long_add(1 + msg->retries,
25059 + atomic_long_add_unchecked(1 + msg->retries,
25060 &port->counter_group[CM_XMIT].counter[attr_index]);
25061 if (msg->retries)
25062 - atomic_long_add(msg->retries,
25063 + atomic_long_add_unchecked(msg->retries,
25064 &port->counter_group[CM_XMIT_RETRIES].
25065 counter[attr_index]);
25066
25067 @@ -3399,7 +3399,7 @@ static void cm_recv_handler(struct ib_ma
25068 }
25069
25070 attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
25071 - atomic_long_inc(&port->counter_group[CM_RECV].
25072 + atomic_long_inc_unchecked(&port->counter_group[CM_RECV].
25073 counter[attr_id - CM_ATTR_ID_OFFSET]);
25074
25075 work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
25076 @@ -3597,7 +3597,7 @@ static ssize_t cm_show_counter(struct ko
25077 cm_attr = container_of(attr, struct cm_counter_attribute, attr);
25078
25079 return sprintf(buf, "%ld\n",
25080 - atomic_long_read(&group->counter[cm_attr->index]));
25081 + atomic_long_read_unchecked(&group->counter[cm_attr->index]));
25082 }
25083
25084 static const struct sysfs_ops cm_counter_ops = {
25085 diff -urNp linux-2.6.37/drivers/infiniband/hw/qib/qib.h linux-2.6.37/drivers/infiniband/hw/qib/qib.h
25086 --- linux-2.6.37/drivers/infiniband/hw/qib/qib.h 2011-01-04 19:50:19.000000000 -0500
25087 +++ linux-2.6.37/drivers/infiniband/hw/qib/qib.h 2011-01-17 02:41:01.000000000 -0500
25088 @@ -51,6 +51,7 @@
25089 #include <linux/completion.h>
25090 #include <linux/kref.h>
25091 #include <linux/sched.h>
25092 +#include <linux/slab.h>
25093
25094 #include "qib_common.h"
25095 #include "qib_verbs.h"
25096 diff -urNp linux-2.6.37/drivers/input/keyboard/atkbd.c linux-2.6.37/drivers/input/keyboard/atkbd.c
25097 --- linux-2.6.37/drivers/input/keyboard/atkbd.c 2011-01-04 19:50:19.000000000 -0500
25098 +++ linux-2.6.37/drivers/input/keyboard/atkbd.c 2011-01-17 02:41:01.000000000 -0500
25099 @@ -1250,7 +1250,7 @@ static struct serio_device_id atkbd_seri
25100 .id = SERIO_ANY,
25101 .extra = SERIO_ANY,
25102 },
25103 - { 0 }
25104 + { 0, 0, 0, 0 }
25105 };
25106
25107 MODULE_DEVICE_TABLE(serio, atkbd_serio_ids);
25108 diff -urNp linux-2.6.37/drivers/input/mouse/lifebook.c linux-2.6.37/drivers/input/mouse/lifebook.c
25109 --- linux-2.6.37/drivers/input/mouse/lifebook.c 2011-01-04 19:50:19.000000000 -0500
25110 +++ linux-2.6.37/drivers/input/mouse/lifebook.c 2011-01-17 02:41:01.000000000 -0500
25111 @@ -123,7 +123,7 @@ static const struct dmi_system_id __init
25112 DMI_MATCH(DMI_PRODUCT_NAME, "LifeBook B142"),
25113 },
25114 },
25115 - { }
25116 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
25117 };
25118
25119 void __init lifebook_module_init(void)
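Review bot: The terminator `{ NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}` spells out the layout of struct dmi_system_id by position, so it silently breaks if that struct's member order changes, and the same literal is repeated in the synaptics and i8042-x86ia64io.h hunks (eight copies in this chunk alone, with inconsistent spacing before the closing brace, which suggests hand editing). A designated initializer, or one shared macro such as `#define DMI_TABLE_END { .ident = NULL }` (constructed name) defined next to struct dmi_system_id, would keep whichever member the table walker tests for termination explicit in one place.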
25120 diff -urNp linux-2.6.37/drivers/input/mouse/psmouse-base.c linux-2.6.37/drivers/input/mouse/psmouse-base.c
25121 --- linux-2.6.37/drivers/input/mouse/psmouse-base.c 2011-01-04 19:50:19.000000000 -0500
25122 +++ linux-2.6.37/drivers/input/mouse/psmouse-base.c 2011-01-17 02:41:01.000000000 -0500
25123 @@ -1462,7 +1462,7 @@ static struct serio_device_id psmouse_se
25124 .id = SERIO_ANY,
25125 .extra = SERIO_ANY,
25126 },
25127 - { 0 }
25128 + { 0, 0, 0, 0 }
25129 };
25130
25131 MODULE_DEVICE_TABLE(serio, psmouse_serio_ids);
25132 diff -urNp linux-2.6.37/drivers/input/mouse/synaptics.c linux-2.6.37/drivers/input/mouse/synaptics.c
25133 --- linux-2.6.37/drivers/input/mouse/synaptics.c 2011-01-04 19:50:19.000000000 -0500
25134 +++ linux-2.6.37/drivers/input/mouse/synaptics.c 2011-01-17 02:41:01.000000000 -0500
25135 @@ -499,7 +499,7 @@ static void synaptics_process_packet(str
25136 break;
25137 case 2:
25138 if (SYN_MODEL_PEN(priv->model_id))
25139 - ; /* Nothing, treat a pen as a single finger */
25140 + break; /* Nothing, treat a pen as a single finger */
25141 break;
25142 case 4 ... 15:
25143 if (SYN_CAP_PALMDETECT(priv->capabilities))
25144 @@ -729,7 +729,6 @@ static const struct dmi_system_id __init
25145 DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
25146 DMI_MATCH(DMI_PRODUCT_NAME, "PORTEGE M300"),
25147 },
25148 -
25149 },
25150 {
25151 /* Toshiba Portege M300 */
25152 @@ -738,9 +737,8 @@ static const struct dmi_system_id __init
25153 DMI_MATCH(DMI_PRODUCT_NAME, "Portable PC"),
25154 DMI_MATCH(DMI_PRODUCT_VERSION, "Version 1.0"),
25155 },
25156 -
25157 },
25158 - { }
25159 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25160 #endif
25161 };
25162
25163 diff -urNp linux-2.6.37/drivers/input/mousedev.c linux-2.6.37/drivers/input/mousedev.c
25164 --- linux-2.6.37/drivers/input/mousedev.c 2011-01-04 19:50:19.000000000 -0500
25165 +++ linux-2.6.37/drivers/input/mousedev.c 2011-01-17 02:41:01.000000000 -0500
25166 @@ -762,7 +762,7 @@ static ssize_t mousedev_read(struct file
25167
25168 spin_unlock_irq(&client->packet_lock);
25169
25170 - if (copy_to_user(buffer, data, count))
25171 + if (count > sizeof(data) || copy_to_user(buffer, data, count))
25172 return -EFAULT;
25173
25174 return count;
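Review bot: The added `count > sizeof(data)` guard runs after `data` has presumably already been filled from the client packet buffer (that copy sits above the hunk, outside this view), so if an oversized count could ever reach this point the stack buffer would have been overrun before the guard rejects it; the bound belongs before the copy. If count is in fact already clamped against the client buffer earlier in the function, this check can never fire and a comment like `/* count was clamped above; this is only a belt-and-braces check */` would say so instead of implying a fix. Returning -EFAULT for a too-large request also reads oddly where -EINVAL is the usual code for a bad length. mousedev_read starts before this hunk.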
25175 @@ -1065,7 +1065,7 @@ static struct input_handler mousedev_han
25176
25177 #ifdef CONFIG_INPUT_MOUSEDEV_PSAUX
25178 static struct miscdevice psaux_mouse = {
25179 - PSMOUSE_MINOR, "psaux", &mousedev_fops
25180 + PSMOUSE_MINOR, "psaux", &mousedev_fops, {NULL, NULL}, NULL, NULL
25181 };
25182 static int psaux_registered;
25183 #endif
25184 diff -urNp linux-2.6.37/drivers/input/serio/i8042-x86ia64io.h linux-2.6.37/drivers/input/serio/i8042-x86ia64io.h
25185 --- linux-2.6.37/drivers/input/serio/i8042-x86ia64io.h 2011-01-04 19:50:19.000000000 -0500
25186 +++ linux-2.6.37/drivers/input/serio/i8042-x86ia64io.h 2011-01-17 02:41:01.000000000 -0500
25187 @@ -183,7 +183,7 @@ static const struct dmi_system_id __init
25188 DMI_MATCH(DMI_PRODUCT_VERSION, "Rev 1"),
25189 },
25190 },
25191 - { }
25192 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25193 };
25194
25195 /*
25196 @@ -424,7 +424,7 @@ static const struct dmi_system_id __init
25197 DMI_MATCH(DMI_PRODUCT_VERSION, "0100"),
25198 },
25199 },
25200 - { }
25201 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25202 };
25203
25204 static const struct dmi_system_id __initconst i8042_dmi_reset_table[] = {
25205 @@ -498,7 +498,7 @@ static const struct dmi_system_id __init
25206 DMI_MATCH(DMI_PRODUCT_NAME, "Vostro 1720"),
25207 },
25208 },
25209 - { }
25210 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25211 };
25212
25213 #ifdef CONFIG_PNP
25214 @@ -517,7 +517,7 @@ static const struct dmi_system_id __init
25215 DMI_MATCH(DMI_BOARD_VENDOR, "MICRO-STAR INTERNATIONAL CO., LTD"),
25216 },
25217 },
25218 - { }
25219 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25220 };
25221
25222 static const struct dmi_system_id __initconst i8042_dmi_laptop_table[] = {
25223 @@ -541,7 +541,7 @@ static const struct dmi_system_id __init
25224 DMI_MATCH(DMI_CHASSIS_TYPE, "14"), /* Sub-Notebook */
25225 },
25226 },
25227 - { }
25228 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25229 };
25230 #endif
25231
25232 @@ -615,7 +615,7 @@ static const struct dmi_system_id __init
25233 DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 4280"),
25234 },
25235 },
25236 - { }
25237 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25238 };
25239
25240 #endif /* CONFIG_X86 */
25241 diff -urNp linux-2.6.37/drivers/input/serio/serio_raw.c linux-2.6.37/drivers/input/serio/serio_raw.c
25242 --- linux-2.6.37/drivers/input/serio/serio_raw.c 2011-01-04 19:50:19.000000000 -0500
25243 +++ linux-2.6.37/drivers/input/serio/serio_raw.c 2011-01-17 02:41:01.000000000 -0500
25244 @@ -376,7 +376,7 @@ static struct serio_device_id serio_raw_
25245 .id = SERIO_ANY,
25246 .extra = SERIO_ANY,
25247 },
25248 - { 0 }
25249 + { 0, 0, 0, 0 }
25250 };
25251
25252 MODULE_DEVICE_TABLE(serio, serio_raw_serio_ids);
25253 diff -urNp linux-2.6.37/drivers/isdn/gigaset/common.c linux-2.6.37/drivers/isdn/gigaset/common.c
25254 --- linux-2.6.37/drivers/isdn/gigaset/common.c 2011-01-04 19:50:19.000000000 -0500
25255 +++ linux-2.6.37/drivers/isdn/gigaset/common.c 2011-01-17 02:41:01.000000000 -0500
25256 @@ -723,7 +723,7 @@ struct cardstate *gigaset_initcs(struct
25257 cs->commands_pending = 0;
25258 cs->cur_at_seq = 0;
25259 cs->gotfwver = -1;
25260 - cs->open_count = 0;
25261 + atomic_set(&cs->open_count, 0);
25262 cs->dev = NULL;
25263 cs->tty = NULL;
25264 cs->tty_dev = NULL;
25265 diff -urNp linux-2.6.37/drivers/isdn/gigaset/gigaset.h linux-2.6.37/drivers/isdn/gigaset/gigaset.h
25266 --- linux-2.6.37/drivers/isdn/gigaset/gigaset.h 2011-01-04 19:50:19.000000000 -0500
25267 +++ linux-2.6.37/drivers/isdn/gigaset/gigaset.h 2011-01-17 02:41:01.000000000 -0500
25268 @@ -433,7 +433,7 @@ struct cardstate {
25269 spinlock_t cmdlock;
25270 unsigned curlen, cmdbytes;
25271
25272 - unsigned open_count;
25273 + atomic_t open_count;
25274 struct tty_struct *tty;
25275 struct tasklet_struct if_wake_tasklet;
25276 unsigned control_state;
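Review bot: `atomic_t open_count;` replaces an unsigned counter but carries no comment on what the atomic type is meant to protect. The paired changes in interface.c still do a read (`!atomic_read(&cs->open_count)`) followed by a separate `atomic_dec_return` in if_close, so if those paths are serialized by a lock taken just before the if_open hunk (the `return -ERESTARTSYS` there suggests one) the atomic adds no ordering beyond what the lock already gives, and if they are not, the check-then-decrement remains racy. A field comment such as `/* number of tty opens; if_open/if_close use the returned value to detect the first/last open */` would record the intent either way.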
25277 diff -urNp linux-2.6.37/drivers/isdn/gigaset/interface.c linux-2.6.37/drivers/isdn/gigaset/interface.c
25278 --- linux-2.6.37/drivers/isdn/gigaset/interface.c 2011-01-04 19:50:19.000000000 -0500
25279 +++ linux-2.6.37/drivers/isdn/gigaset/interface.c 2011-01-17 02:41:01.000000000 -0500
25280 @@ -160,9 +160,7 @@ static int if_open(struct tty_struct *tt
25281 return -ERESTARTSYS;
25282 tty->driver_data = cs;
25283
25284 - ++cs->open_count;
25285 -
25286 - if (cs->open_count == 1) {
25287 + if (atomic_inc_return(&cs->open_count) == 1) {
25288 spin_lock_irqsave(&cs->lock, flags);
25289 cs->tty = tty;
25290 spin_unlock_irqrestore(&cs->lock, flags);
25291 @@ -190,10 +188,10 @@ static void if_close(struct tty_struct *
25292
25293 if (!cs->connected)
25294 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
25295 - else if (!cs->open_count)
25296 + else if (!atomic_read(&cs->open_count))
25297 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25298 else {
25299 - if (!--cs->open_count) {
25300 + if (!atomic_dec_return(&cs->open_count)) {
25301 spin_lock_irqsave(&cs->lock, flags);
25302 cs->tty = NULL;
25303 spin_unlock_irqrestore(&cs->lock, flags);
25304 @@ -228,7 +226,7 @@ static int if_ioctl(struct tty_struct *t
25305 if (!cs->connected) {
25306 gig_dbg(DEBUG_IF, "not connected");
25307 retval = -ENODEV;
25308 - } else if (!cs->open_count)
25309 + } else if (!atomic_read(&cs->open_count))
25310 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25311 else {
25312 retval = 0;
25313 @@ -358,7 +356,7 @@ static int if_write(struct tty_struct *t
25314 retval = -ENODEV;
25315 goto done;
25316 }
25317 - if (!cs->open_count) {
25318 + if (!atomic_read(&cs->open_count)) {
25319 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25320 retval = -ENODEV;
25321 goto done;
25322 @@ -411,7 +409,7 @@ static int if_write_room(struct tty_stru
25323 if (!cs->connected) {
25324 gig_dbg(DEBUG_IF, "not connected");
25325 retval = -ENODEV;
25326 - } else if (!cs->open_count)
25327 + } else if (!atomic_read(&cs->open_count))
25328 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25329 else if (cs->mstate != MS_LOCKED) {
25330 dev_warn(cs->dev, "can't write to unlocked device\n");
25331 @@ -441,7 +439,7 @@ static int if_chars_in_buffer(struct tty
25332
25333 if (!cs->connected)
25334 gig_dbg(DEBUG_IF, "not connected");
25335 - else if (!cs->open_count)
25336 + else if (!atomic_read(&cs->open_count))
25337 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25338 else if (cs->mstate != MS_LOCKED)
25339 dev_warn(cs->dev, "can't write to unlocked device\n");
25340 @@ -469,7 +467,7 @@ static void if_throttle(struct tty_struc
25341
25342 if (!cs->connected)
25343 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
25344 - else if (!cs->open_count)
25345 + else if (!atomic_read(&cs->open_count))
25346 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25347 else
25348 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
25349 @@ -493,7 +491,7 @@ static void if_unthrottle(struct tty_str
25350
25351 if (!cs->connected)
25352 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
25353 - else if (!cs->open_count)
25354 + else if (!atomic_read(&cs->open_count))
25355 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25356 else
25357 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
25358 @@ -524,7 +522,7 @@ static void if_set_termios(struct tty_st
25359 goto out;
25360 }
25361
25362 - if (!cs->open_count) {
25363 + if (!atomic_read(&cs->open_count)) {
25364 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25365 goto out;
25366 }
25367 diff -urNp linux-2.6.37/drivers/isdn/hardware/avm/b1.c linux-2.6.37/drivers/isdn/hardware/avm/b1.c
25368 --- linux-2.6.37/drivers/isdn/hardware/avm/b1.c 2011-01-04 19:50:19.000000000 -0500
25369 +++ linux-2.6.37/drivers/isdn/hardware/avm/b1.c 2011-01-17 02:41:01.000000000 -0500
25370 @@ -176,7 +176,7 @@ int b1_load_t4file(avmcard *card, capilo
25371 }
25372 if (left) {
25373 if (t4file->user) {
25374 - if (copy_from_user(buf, dp, left))
25375 + if (left > sizeof buf || copy_from_user(buf, dp, left))
25376 return -EFAULT;
25377 } else {
25378 memcpy(buf, dp, left);
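Review bot: The new `left > sizeof buf` bound protects only the copy_from_user path; the `memcpy(buf, dp, left)` in the else branch two lines below writes the same stack buffer with the same length and stays unchecked, so if the length can exceed the buffer at all the kernel-side path is still exposed. Either hoist the check above the `if (t4file->user)` so both branches share it, `if (left > sizeof buf) return -EFAULT;`, or, if `left` is already kept below sizeof buf by the chunk loop above the hunk, mark this as an assertion rather than a fix. The same asymmetry appears in the b1_load_config hunk below and in the icn_writecmd hunk in icn.c (`memcpy(msg, buf, count)`). b1_load_t4file begins before this hunk.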
25379 @@ -224,7 +224,7 @@ int b1_load_config(avmcard *card, capilo
25380 }
25381 if (left) {
25382 if (config->user) {
25383 - if (copy_from_user(buf, dp, left))
25384 + if (left > sizeof buf || copy_from_user(buf, dp, left))
25385 return -EFAULT;
25386 } else {
25387 memcpy(buf, dp, left);
25388 diff -urNp linux-2.6.37/drivers/isdn/icn/icn.c linux-2.6.37/drivers/isdn/icn/icn.c
25389 --- linux-2.6.37/drivers/isdn/icn/icn.c 2011-01-04 19:50:19.000000000 -0500
25390 +++ linux-2.6.37/drivers/isdn/icn/icn.c 2011-01-17 02:41:01.000000000 -0500
25391 @@ -1045,7 +1045,7 @@ icn_writecmd(const u_char * buf, int len
25392 if (count > len)
25393 count = len;
25394 if (user) {
25395 - if (copy_from_user(msg, buf, count))
25396 + if (count > sizeof msg || copy_from_user(msg, buf, count))
25397 return -EFAULT;
25398 } else
25399 memcpy(msg, buf, count);
25400 diff -urNp linux-2.6.37/drivers/lguest/core.c linux-2.6.37/drivers/lguest/core.c
25401 --- linux-2.6.37/drivers/lguest/core.c 2011-01-04 19:50:19.000000000 -0500
25402 +++ linux-2.6.37/drivers/lguest/core.c 2011-01-17 02:41:01.000000000 -0500
25403 @@ -92,9 +92,17 @@ static __init int map_switcher(void)
25404 * it's worked so far. The end address needs +1 because __get_vm_area
25405 * allocates an extra guard page, so we need space for that.
25406 */
25407 +
25408 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
25409 + switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
25410 + VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR
25411 + + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
25412 +#else
25413 switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
25414 VM_ALLOC, SWITCHER_ADDR, SWITCHER_ADDR
25415 + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
25416 +#endif
25417 +
25418 if (!switcher_vma) {
25419 err = -ENOMEM;
25420 printk("lguest: could not map switcher pages high\n");
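Review bot: The KERNEXEC branch duplicates the whole three-line `__get_vm_area(...)` call only to add `VM_KERNEXEC` to the flags, so the two copies can drift apart and the guard-page comment above the hunk now describes both. Building the flags once keeps a single call site, and a one-line comment on why the switcher mapping needs VM_KERNEXEC only with modules on 32-bit would help, since the `#if` condition is not self-explanatory. The `flags` declaration would have to move to the top of map_switcher, which continues outside the hunk.
```c
	unsigned long flags = VM_ALLOC;
#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
	/* presumably: keep the copied switcher executable under KERNEXEC -- confirm */
	flags |= VM_KERNEXEC;
#endif
	switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
				     flags, SWITCHER_ADDR, SWITCHER_ADDR
				     + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
	/* ... unchanged: !switcher_vma error path ... */
```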
25421 @@ -119,7 +127,7 @@ static __init int map_switcher(void)
25422 * Now the Switcher is mapped at the right address, we can't fail!
25423 * Copy in the compiled-in Switcher code (from <arch>_switcher.S).
25424 */
25425 - memcpy(switcher_vma->addr, start_switcher_text,
25426 + memcpy(switcher_vma->addr, ktla_ktva(start_switcher_text),
25427 end_switcher_text - start_switcher_text);
25428
25429 printk(KERN_INFO "lguest: mapped switcher at %p\n",
25430 diff -urNp linux-2.6.37/drivers/lguest/x86/core.c linux-2.6.37/drivers/lguest/x86/core.c
25431 --- linux-2.6.37/drivers/lguest/x86/core.c 2011-01-04 19:50:19.000000000 -0500
25432 +++ linux-2.6.37/drivers/lguest/x86/core.c 2011-01-17 02:41:01.000000000 -0500
25433 @@ -59,7 +59,7 @@ static struct {
25434 /* Offset from where switcher.S was compiled to where we've copied it */
25435 static unsigned long switcher_offset(void)
25436 {
25437 - return SWITCHER_ADDR - (unsigned long)start_switcher_text;
25438 + return SWITCHER_ADDR - (unsigned long)ktla_ktva(start_switcher_text);
25439 }
25440
25441 /* This cpu's struct lguest_pages. */
25442 @@ -100,7 +100,13 @@ static void copy_in_guest_info(struct lg
25443 * These copies are pretty cheap, so we do them unconditionally: */
25444 /* Save the current Host top-level page directory.
25445 */
25446 +
25447 +#ifdef CONFIG_PAX_PER_CPU_PGD
25448 + pages->state.host_cr3 = read_cr3();
25449 +#else
25450 pages->state.host_cr3 = __pa(current->mm->pgd);
25451 +#endif
25452 +
25453 /*
25454 * Set up the Guest's page tables to see this CPU's pages (and no
25455 * other CPU's pages).
25456 @@ -547,7 +553,7 @@ void __init lguest_arch_host_init(void)
25457 * compiled-in switcher code and the high-mapped copy we just made.
25458 */
25459 for (i = 0; i < IDT_ENTRIES; i++)
25460 - default_idt_entries[i] += switcher_offset();
25461 + default_idt_entries[i] = ktla_ktva(default_idt_entries[i]) + switcher_offset();
25462
25463 /*
25464 * Set up the Switcher's per-cpu areas.
25465 @@ -630,7 +636,7 @@ void __init lguest_arch_host_init(void)
25466 * it will be undisturbed when we switch. To change %cs and jump we
25467 * need this structure to feed to Intel's "lcall" instruction.
25468 */
25469 - lguest_entry.offset = (long)switch_to_guest + switcher_offset();
25470 + lguest_entry.offset = (long)ktla_ktva(switch_to_guest) + switcher_offset();
25471 lguest_entry.segment = LGUEST_CS;
25472
25473 /*
25474 diff -urNp linux-2.6.37/drivers/lguest/x86/switcher_32.S linux-2.6.37/drivers/lguest/x86/switcher_32.S
25475 --- linux-2.6.37/drivers/lguest/x86/switcher_32.S 2011-01-04 19:50:19.000000000 -0500
25476 +++ linux-2.6.37/drivers/lguest/x86/switcher_32.S 2011-01-17 02:41:01.000000000 -0500
25477 @@ -87,6 +87,7 @@
25478 #include <asm/page.h>
25479 #include <asm/segment.h>
25480 #include <asm/lguest.h>
25481 +#include <asm/processor-flags.h>
25482
25483 // We mark the start of the code to copy
25484 // It's placed in .text tho it's never run here
25485 @@ -149,6 +150,13 @@ ENTRY(switch_to_guest)
25486 // Changes type when we load it: damn Intel!
25487 // For after we switch over our page tables
25488 // That entry will be read-only: we'd crash.
25489 +
25490 +#ifdef CONFIG_PAX_KERNEXEC
25491 + mov %cr0, %edx
25492 + xor $X86_CR0_WP, %edx
25493 + mov %edx, %cr0
25494 +#endif
25495 +
25496 movl $(GDT_ENTRY_TSS*8), %edx
25497 ltr %dx
25498
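Review bot: The `xor $X86_CR0_WP, %edx` sequence toggles CR0.WP rather than clearing it, so it is correct only if WP is set on entry to switch_to_guest and nothing changes it before the matching toggle in the next hunk; that assumption is not written down. A comment at this first block such as `// KERNEXEC keeps CR0.WP set; flip it off so the ltr below (which the comment above says rewrites the descriptor type) can write the read-only GDT, and flip it back once done` would make the pairing reviewable, and the second block should refer back to it. Whether interrupts are guaranteed off across the window is not visible here; if they are not, an explicit clear/set pair would be safer than two toggles.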
25499 @@ -157,9 +165,15 @@ ENTRY(switch_to_guest)
25500 // Let's clear it again for our return.
25501 // The GDT descriptor of the Host
25502 // Points to the table after two "size" bytes
25503 - movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %edx
25504 + movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %eax
25505 // Clear "used" from type field (byte 5, bit 2)
25506 - andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%edx)
25507 + andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%eax)
25508 +
25509 +#ifdef CONFIG_PAX_KERNEXEC
25510 + mov %cr0, %eax
25511 + xor $X86_CR0_WP, %eax
25512 + mov %eax, %cr0
25513 +#endif
25514
25515 // Once our page table's switched, the Guest is live!
25516 // The Host fades as we run this final step.
25517 @@ -295,13 +309,12 @@ deliver_to_host:
25518 // I consulted gcc, and it gave
25519 // These instructions, which I gladly credit:
25520 leal (%edx,%ebx,8), %eax
25521 - movzwl (%eax),%edx
25522 - movl 4(%eax), %eax
25523 - xorw %ax, %ax
25524 - orl %eax, %edx
25525 + movl 4(%eax), %edx
25526 + movw (%eax), %dx
25527 // Now the address of the handler's in %edx
25528 // We call it now: its "iret" drops us home.
25529 - jmp *%edx
25530 + ljmp $__KERNEL_CS, $1f
25531 +1: jmp *%edx
25532
25533 // Every interrupt can come to us here
25534 // But we must truly tell each apart.
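Review bot: The new `ljmp $__KERNEL_CS, $1f` before the indirect jump reloads %cs but carries no comment on why the host handler must be entered with the kernel code segment rather than the one already active; a line such as `// Reload %cs: the Switcher may not be running on __KERNEL_CS here, and the host IDT handler expects it` (confirm which segment is in use at this point) would explain the extra far jump. Collapsing the gate-address assembly into `movl 4(%eax), %edx` / `movw (%eax), %dx` is equivalent to the old four instructions (high half from offset 4, low word from offset 0) and clearer, but the comment two lines above crediting gcc for the old sequence is now stale and could be dropped.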
25535 diff -urNp linux-2.6.37/drivers/macintosh/via-pmu-backlight.c linux-2.6.37/drivers/macintosh/via-pmu-backlight.c
25536 --- linux-2.6.37/drivers/macintosh/via-pmu-backlight.c 2011-01-04 19:50:19.000000000 -0500
25537 +++ linux-2.6.37/drivers/macintosh/via-pmu-backlight.c 2011-01-17 02:41:01.000000000 -0500
25538 @@ -15,7 +15,7 @@
25539
25540 #define MAX_PMU_LEVEL 0xFF
25541
25542 -static struct backlight_ops pmu_backlight_data;
25543 +static const struct backlight_ops pmu_backlight_data;
25544 static DEFINE_SPINLOCK(pmu_backlight_lock);
25545 static int sleeping, uses_pmu_bl;
25546 static u8 bl_curve[FB_BACKLIGHT_LEVELS];
25547 @@ -115,7 +115,7 @@ static int pmu_backlight_get_brightness(
25548 return bd->props.brightness;
25549 }
25550
25551 -static struct backlight_ops pmu_backlight_data = {
25552 +static const struct backlight_ops pmu_backlight_data = {
25553 .get_brightness = pmu_backlight_get_brightness,
25554 .update_status = pmu_backlight_update_status,
25555
25556 diff -urNp linux-2.6.37/drivers/macintosh/via-pmu.c linux-2.6.37/drivers/macintosh/via-pmu.c
25557 --- linux-2.6.37/drivers/macintosh/via-pmu.c 2011-01-04 19:50:19.000000000 -0500
25558 +++ linux-2.6.37/drivers/macintosh/via-pmu.c 2011-01-17 02:41:01.000000000 -0500
25559 @@ -2257,7 +2257,7 @@ static int pmu_sleep_valid(suspend_state
25560 && (pmac_call_feature(PMAC_FTR_SLEEP_STATE, NULL, 0, -1) >= 0);
25561 }
25562
25563 -static struct platform_suspend_ops pmu_pm_ops = {
25564 +static const struct platform_suspend_ops pmu_pm_ops = {
25565 .enter = powerbook_sleep,
25566 .valid = pmu_sleep_valid,
25567 };
25568 diff -urNp linux-2.6.37/drivers/md/bitmap.c linux-2.6.37/drivers/md/bitmap.c
25569 --- linux-2.6.37/drivers/md/bitmap.c 2011-01-04 19:50:19.000000000 -0500
25570 +++ linux-2.6.37/drivers/md/bitmap.c 2011-01-17 02:41:01.000000000 -0500
25571 @@ -55,7 +55,7 @@
25572 # if DEBUG > 0
25573 # define PRINTK(x...) printk(KERN_DEBUG x)
25574 # else
25575 -# define PRINTK(x...)
25576 +# define PRINTK(x...) do {} while (0)
25577 # endif
25578 #endif
25579
25580 diff -urNp linux-2.6.37/drivers/md/dm-table.c linux-2.6.37/drivers/md/dm-table.c
25581 --- linux-2.6.37/drivers/md/dm-table.c 2011-01-04 19:50:19.000000000 -0500
25582 +++ linux-2.6.37/drivers/md/dm-table.c 2011-01-17 02:41:01.000000000 -0500
25583 @@ -366,7 +366,7 @@ static int device_area_is_invalid(struct
25584 if (!dev_size)
25585 return 0;
25586
25587 - if ((start >= dev_size) || (start + len > dev_size)) {
25588 + if ((start >= dev_size) || (len > dev_size - start)) {
25589 DMWARN("%s: %s too small for target: "
25590 "start=%llu, len=%llu, dev_size=%llu",
25591 dm_device_name(ti->table->md), bdevname(bdev, b),
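Review bot: `len > dev_size - start` is a real fix — with `start < dev_size` established by the first clause the subtraction cannot underflow, whereas the old `start + len > dev_size` could wrap for a huge len and pass the check — but nothing at the site records that, so a later cleanup could "simplify" it back. A comment on the condition like `/* written as a subtraction: start + len could wrap for huge len */` would preserve the reasoning. device_area_is_invalid continues outside the hunk.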
25592 diff -urNp linux-2.6.37/drivers/md/md.c linux-2.6.37/drivers/md/md.c
25593 --- linux-2.6.37/drivers/md/md.c 2011-01-04 19:50:19.000000000 -0500
25594 +++ linux-2.6.37/drivers/md/md.c 2011-01-17 02:41:01.000000000 -0500
25595 @@ -1875,7 +1875,7 @@ static int bind_rdev_to_array(mdk_rdev_t
25596
25597 ko = &part_to_dev(rdev->bdev->bd_part)->kobj;
25598 if (sysfs_create_link(&rdev->kobj, ko, "block"))
25599 - /* failure here is OK */;
25600 + /* failure here is OK */{}
25601 rdev->sysfs_state = sysfs_get_dirent_safe(rdev->kobj.sd, "state");
25602
25603 list_add_rcu(&rdev->same_set, &mddev->disks);
25604 @@ -2487,7 +2487,7 @@ slot_store(mdk_rdev_t *rdev, const char
25605 sysfs_notify_dirent_safe(rdev->sysfs_state);
25606 sprintf(nm, "rd%d", rdev->raid_disk);
25607 if (sysfs_create_link(&rdev->mddev->kobj, &rdev->kobj, nm))
25608 - /* failure here is OK */;
25609 + /* failure here is OK */{}
25610 /* don't wakeup anyone, leave that to userspace. */
25611 } else {
25612 if (slot >= rdev->mddev->raid_disks)
25613 @@ -4570,7 +4570,7 @@ int md_run(mddev_t *mddev)
25614 char nm[20];
25615 sprintf(nm, "rd%d", rdev->raid_disk);
25616 if (sysfs_create_link(&mddev->kobj, &rdev->kobj, nm))
25617 - /* failure here is OK */;
25618 + /* failure here is OK */{}
25619 }
25620
25621 set_bit(MD_RECOVERY_NEEDED, &mddev->recovery);
25622 @@ -6408,7 +6408,7 @@ static int md_seq_show(struct seq_file *
25623 chunk_kb ? "KB" : "B");
25624 if (bitmap->file) {
25625 seq_printf(seq, ", file: ");
25626 - seq_path(seq, &bitmap->file->f_path, " \t\n");
25627 + seq_path(seq, &bitmap->file->f_path, " \t\n\\");
25628 }
25629
25630 seq_printf(seq, "\n");
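Review bot: Adding `\\` to seq_path's escape set changes the /proc/mdstat output for any bitmap file whose path contains a backslash, and the hunk gives no comment on why. A line such as `/* escape '\\' as well, so a literal backslash in the path cannot be read back as an escape sequence */` would explain it, and the other seq_path callers in the tree should use the same set so the format stays uniform. md_seq_show continues outside the hunk.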
25631 @@ -6502,7 +6502,7 @@ static int is_mddev_idle(mddev_t *mddev,
25632 struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
25633 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
25634 (int)part_stat_read(&disk->part0, sectors[1]) -
25635 - atomic_read(&disk->sync_io);
25636 + atomic_read_unchecked(&disk->sync_io);
25637 /* sync IO will cause sync_io to increase before the disk_stats
25638 * as sync_io is counted when a request starts, and
25639 * disk_stats is counted when it completes.
25640 @@ -7020,7 +7020,7 @@ static int remove_and_add_spares(mddev_t
25641 sprintf(nm, "rd%d", rdev->raid_disk);
25642 if (sysfs_create_link(&mddev->kobj,
25643 &rdev->kobj, nm))
25644 - /* failure here is OK */;
25645 + /* failure here is OK */{}
25646 spares++;
25647 md_new_event(mddev);
25648 set_bit(MD_CHANGE_DEVS, &mddev->flags);
25649 diff -urNp linux-2.6.37/drivers/md/md.h linux-2.6.37/drivers/md/md.h
25650 --- linux-2.6.37/drivers/md/md.h 2011-01-04 19:50:19.000000000 -0500
25651 +++ linux-2.6.37/drivers/md/md.h 2011-01-17 02:41:01.000000000 -0500
25652 @@ -353,7 +353,7 @@ static inline void rdev_dec_pending(mdk_
25653
25654 static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
25655 {
25656 - atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
25657 + atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
25658 }
25659
25660 struct mdk_personality
25661 diff -urNp linux-2.6.37/drivers/media/dvb/dvb-core/dvbdev.c linux-2.6.37/drivers/media/dvb/dvb-core/dvbdev.c
25662 --- linux-2.6.37/drivers/media/dvb/dvb-core/dvbdev.c 2011-01-04 19:50:19.000000000 -0500
25663 +++ linux-2.6.37/drivers/media/dvb/dvb-core/dvbdev.c 2011-01-17 02:41:01.000000000 -0500
25664 @@ -192,6 +192,7 @@ int dvb_register_device(struct dvb_adapt
25665 const struct dvb_device *template, void *priv, int type)
25666 {
25667 struct dvb_device *dvbdev;
25668 + /* cannot be const, see this function */
25669 struct file_operations *dvbdevfops;
25670 struct device *clsdev;
25671 int minor;
25672 diff -urNp linux-2.6.37/drivers/media/IR/ir-lirc-codec.c linux-2.6.37/drivers/media/IR/ir-lirc-codec.c
25673 --- linux-2.6.37/drivers/media/IR/ir-lirc-codec.c 2011-01-04 19:50:19.000000000 -0500
25674 +++ linux-2.6.37/drivers/media/IR/ir-lirc-codec.c 2011-01-17 02:41:01.000000000 -0500
25675 @@ -275,7 +275,7 @@ static void ir_lirc_close(void *data)
25676 return;
25677 }
25678
25679 -static struct file_operations lirc_fops = {
25680 +static const struct file_operations lirc_fops = {
25681 .owner = THIS_MODULE,
25682 .write = ir_lirc_transmit_ir,
25683 .unlocked_ioctl = ir_lirc_ioctl,
25684 diff -urNp linux-2.6.37/drivers/media/IR/lirc_dev.c linux-2.6.37/drivers/media/IR/lirc_dev.c
25685 --- linux-2.6.37/drivers/media/IR/lirc_dev.c 2011-01-04 19:50:19.000000000 -0500
25686 +++ linux-2.6.37/drivers/media/IR/lirc_dev.c 2011-01-17 02:41:01.000000000 -0500
25687 @@ -151,7 +151,7 @@ static int lirc_thread(void *irctl)
25688 }
25689
25690
25691 -static struct file_operations lirc_dev_fops = {
25692 +static const struct file_operations lirc_dev_fops = {
25693 .owner = THIS_MODULE,
25694 .read = lirc_dev_fop_read,
25695 .write = lirc_dev_fop_write,
25696 diff -urNp linux-2.6.37/drivers/media/radio/radio-cadet.c linux-2.6.37/drivers/media/radio/radio-cadet.c
25697 --- linux-2.6.37/drivers/media/radio/radio-cadet.c 2011-01-04 19:50:19.000000000 -0500
25698 +++ linux-2.6.37/drivers/media/radio/radio-cadet.c 2011-01-17 02:41:01.000000000 -0500
25699 @@ -349,7 +349,7 @@ static ssize_t cadet_read(struct file *f
25700 readbuf[i++] = dev->rdsbuf[dev->rdsout++];
25701 mutex_unlock(&dev->lock);
25702
25703 - if (copy_to_user(data, readbuf, i))
25704 + if (i > sizeof readbuf || copy_to_user(data, readbuf, i))
25705 return -EFAULT;
25706 return i;
25707 }
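Review bot: The new bound on L25707 is evaluated only after the loop on L25703 has already stored into readbuf[i++], so if i could ever exceed sizeof readbuf the stack write has happened before the check rejects the copy; the guard belongs on the loop bound, e.g. `if (count > sizeof readbuf) count = sizeof readbuf;` before the loop, with the post-loop test kept only as a cheap assertion. The loop header and the declaration of readbuf are outside the hunk, so whether i is otherwise bounded cannot be confirmed here. Returning -EFAULT for an internal overrun also reports a driver bug as a user-pointer fault; -EIO together with a WARN_ON_ONCE would make the condition visible in the log instead.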
25708 diff -urNp linux-2.6.37/drivers/media/video/saa7164/saa7164-core.c linux-2.6.37/drivers/media/video/saa7164/saa7164-core.c
25709 --- linux-2.6.37/drivers/media/video/saa7164/saa7164-core.c 2011-01-04 19:50:19.000000000 -0500
25710 +++ linux-2.6.37/drivers/media/video/saa7164/saa7164-core.c 2011-01-17 02:41:01.000000000 -0500
25711 @@ -1169,7 +1169,7 @@ static int saa7164_proc_open(struct inod
25712 return single_open(filp, saa7164_proc_show, NULL);
25713 }
25714
25715 -static struct file_operations saa7164_proc_fops = {
25716 +static const struct file_operations saa7164_proc_fops = {
25717 .open = saa7164_proc_open,
25718 .read = seq_read,
25719 .llseek = seq_lseek,
25720 diff -urNp linux-2.6.37/drivers/message/fusion/mptbase.c linux-2.6.37/drivers/message/fusion/mptbase.c
25721 --- linux-2.6.37/drivers/message/fusion/mptbase.c 2011-01-04 19:50:19.000000000 -0500
25722 +++ linux-2.6.37/drivers/message/fusion/mptbase.c 2011-01-17 02:41:01.000000000 -0500
25723 @@ -6683,8 +6683,13 @@ static int mpt_iocinfo_proc_show(struct
25724 seq_printf(m, " MaxChainDepth = 0x%02x frames\n", ioc->facts.MaxChainDepth);
25725 seq_printf(m, " MinBlockSize = 0x%02x bytes\n", 4*ioc->facts.BlockSize);
25726
25727 +#ifdef CONFIG_GRKERNSEC_HIDESYM
25728 + seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n", NULL, NULL);
25729 +#else
25730 seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
25731 (void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma);
25732 +#endif
25733 +
25734 /*
25735 * Rounding UP to nearest 4-kB boundary here...
25736 */
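Review bot: The CONFIG_GRKERNSEC_HIDESYM branch on L25731 passes NULL to `0x%p`; if the kernel's %p formatting substitutes "(null)" for a NULL pointer the line reads `RequestFrames @ 0x(null)`, which is neither a plausible address nor clearly a redaction, so the output is worth checking once, and a fixed marker such as `"RequestFrames @ <hidden> (Dma @ <hidden>)\n"` does not depend on that behaviour. Duplicating the whole seq_printf in both branches also lets the two format strings drift apart; selecting only the two argument values under the #ifdef keeps a single format line. mpt_iocinfo_proc_show continues outside the hunk.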
25737 diff -urNp linux-2.6.37/drivers/message/fusion/mptdebug.h linux-2.6.37/drivers/message/fusion/mptdebug.h
25738 --- linux-2.6.37/drivers/message/fusion/mptdebug.h 2011-01-04 19:50:19.000000000 -0500
25739 +++ linux-2.6.37/drivers/message/fusion/mptdebug.h 2011-01-17 02:41:01.000000000 -0500
25740 @@ -71,7 +71,7 @@
25741 CMD; \
25742 }
25743 #else
25744 -#define MPT_CHECK_LOGGING(IOC, CMD, BITS)
25745 +#define MPT_CHECK_LOGGING(IOC, CMD, BITS) do {} while (0)
25746 #endif
25747
25748
25749 diff -urNp linux-2.6.37/drivers/message/fusion/mptsas.c linux-2.6.37/drivers/message/fusion/mptsas.c
25750 --- linux-2.6.37/drivers/message/fusion/mptsas.c 2011-01-04 19:50:19.000000000 -0500
25751 +++ linux-2.6.37/drivers/message/fusion/mptsas.c 2011-01-17 02:41:01.000000000 -0500
25752 @@ -439,6 +439,23 @@ mptsas_is_end_device(struct mptsas_devin
25753 return 0;
25754 }
25755
25756 +static inline void
25757 +mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
25758 +{
25759 + if (phy_info->port_details) {
25760 + phy_info->port_details->rphy = rphy;
25761 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
25762 + ioc->name, rphy));
25763 + }
25764 +
25765 + if (rphy) {
25766 + dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
25767 + &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
25768 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
25769 + ioc->name, rphy, rphy->dev.release));
25770 + }
25771 +}
25772 +
25773 /* no mutex */
25774 static void
25775 mptsas_port_delete(MPT_ADAPTER *ioc, struct mptsas_portinfo_details * port_details)
25776 @@ -477,23 +494,6 @@ mptsas_get_rphy(struct mptsas_phyinfo *p
25777 return NULL;
25778 }
25779
25780 -static inline void
25781 -mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
25782 -{
25783 - if (phy_info->port_details) {
25784 - phy_info->port_details->rphy = rphy;
25785 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
25786 - ioc->name, rphy));
25787 - }
25788 -
25789 - if (rphy) {
25790 - dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
25791 - &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
25792 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
25793 - ioc->name, rphy, rphy->dev.release));
25794 - }
25795 -}
25796 -
25797 static inline struct sas_port *
25798 mptsas_get_port(struct mptsas_phyinfo *phy_info)
25799 {
25800 diff -urNp linux-2.6.37/drivers/message/fusion/mptscsih.c linux-2.6.37/drivers/message/fusion/mptscsih.c
25801 --- linux-2.6.37/drivers/message/fusion/mptscsih.c 2011-01-04 19:50:19.000000000 -0500
25802 +++ linux-2.6.37/drivers/message/fusion/mptscsih.c 2011-01-17 02:41:01.000000000 -0500
25803 @@ -1268,15 +1268,16 @@ mptscsih_info(struct Scsi_Host *SChost)
25804
25805 h = shost_priv(SChost);
25806
25807 - if (h) {
25808 - if (h->info_kbuf == NULL)
25809 - if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
25810 - return h->info_kbuf;
25811 - h->info_kbuf[0] = '\0';
25812 + if (!h)
25813 + return NULL;
25814
25815 - mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
25816 - h->info_kbuf[size-1] = '\0';
25817 - }
25818 + if (h->info_kbuf == NULL)
25819 + if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
25820 + return h->info_kbuf;
25821 + h->info_kbuf[0] = '\0';
25822 +
25823 + mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
25824 + h->info_kbuf[size-1] = '\0';
25825
25826 return h->info_kbuf;
25827 }
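Review bot: The `return h->info_kbuf;` on L25823 runs only when the kmalloc on L25822 has just failed, so it always returns NULL and the reader has to work that out; the nested unbraced ifs on L25821–L25823 also hide the allocation-failure branch. Writing it as `if (!h->info_kbuf) h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL);` followed by `if (!h->info_kbuf) return NULL;` makes both explicit and matches the early return the commit already introduces for `!h`. `h->info_kbuf[size-1]` on L25827 indexes before the buffer if mpt_print_ioc_summary leaves size at 0; size is declared outside the hunk, so whether that can happen cannot be confirmed here.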
25828 diff -urNp linux-2.6.37/drivers/message/i2o/i2o_proc.c linux-2.6.37/drivers/message/i2o/i2o_proc.c
25829 --- linux-2.6.37/drivers/message/i2o/i2o_proc.c 2011-01-04 19:50:19.000000000 -0500
25830 +++ linux-2.6.37/drivers/message/i2o/i2o_proc.c 2011-01-17 02:41:01.000000000 -0500
25831 @@ -255,13 +255,6 @@ static char *scsi_devices[] = {
25832 "Array Controller Device"
25833 };
25834
25835 -static char *chtostr(u8 * chars, int n)
25836 -{
25837 - char tmp[256];
25838 - tmp[0] = 0;
25839 - return strncat(tmp, (char *)chars, n);
25840 -}
25841 -
25842 static int i2o_report_query_status(struct seq_file *seq, int block_status,
25843 char *group)
25844 {
25845 @@ -838,8 +831,7 @@ static int i2o_seq_show_ddm_table(struct
25846
25847 seq_printf(seq, "%-#7x", ddm_table.i2o_vendor_id);
25848 seq_printf(seq, "%-#8x", ddm_table.module_id);
25849 - seq_printf(seq, "%-29s",
25850 - chtostr(ddm_table.module_name_version, 28));
25851 + seq_printf(seq, "%-.28s", ddm_table.module_name_version);
25852 seq_printf(seq, "%9d ", ddm_table.data_size);
25853 seq_printf(seq, "%8d", ddm_table.code_size);
25854
25855 @@ -940,8 +932,8 @@ static int i2o_seq_show_drivers_stored(s
25856
25857 seq_printf(seq, "%-#7x", dst->i2o_vendor_id);
25858 seq_printf(seq, "%-#8x", dst->module_id);
25859 - seq_printf(seq, "%-29s", chtostr(dst->module_name_version, 28));
25860 - seq_printf(seq, "%-9s", chtostr(dst->date, 8));
25861 + seq_printf(seq, "%-.28s", dst->module_name_version);
25862 + seq_printf(seq, "%-.8s", dst->date);
25863 seq_printf(seq, "%8d ", dst->module_size);
25864 seq_printf(seq, "%8d ", dst->mpb_size);
25865 seq_printf(seq, "0x%04x", dst->module_flags);
25866 @@ -1272,14 +1264,10 @@ static int i2o_seq_show_dev_identity(str
25867 seq_printf(seq, "Device Class : %s\n", i2o_get_class_name(work16[0]));
25868 seq_printf(seq, "Owner TID : %0#5x\n", work16[2]);
25869 seq_printf(seq, "Parent TID : %0#5x\n", work16[3]);
25870 - seq_printf(seq, "Vendor info : %s\n",
25871 - chtostr((u8 *) (work32 + 2), 16));
25872 - seq_printf(seq, "Product info : %s\n",
25873 - chtostr((u8 *) (work32 + 6), 16));
25874 - seq_printf(seq, "Description : %s\n",
25875 - chtostr((u8 *) (work32 + 10), 16));
25876 - seq_printf(seq, "Product rev. : %s\n",
25877 - chtostr((u8 *) (work32 + 14), 8));
25878 + seq_printf(seq, "Vendor info : %.16s\n", (u8 *) (work32 + 2));
25879 + seq_printf(seq, "Product info : %.16s\n", (u8 *) (work32 + 6));
25880 + seq_printf(seq, "Description : %.16s\n", (u8 *) (work32 + 10));
25881 + seq_printf(seq, "Product rev. : %.8s\n", (u8 *) (work32 + 14));
25882
25883 seq_printf(seq, "Serial number : ");
25884 print_serial_number(seq, (u8 *) (work32 + 16),
25885 @@ -1324,10 +1312,8 @@ static int i2o_seq_show_ddm_identity(str
25886 }
25887
25888 seq_printf(seq, "Registering DDM TID : 0x%03x\n", result.ddm_tid);
25889 - seq_printf(seq, "Module name : %s\n",
25890 - chtostr(result.module_name, 24));
25891 - seq_printf(seq, "Module revision : %s\n",
25892 - chtostr(result.module_rev, 8));
25893 + seq_printf(seq, "Module name : %.24s\n", result.module_name);
25894 + seq_printf(seq, "Module revision : %.8s\n", result.module_rev);
25895
25896 seq_printf(seq, "Serial number : ");
25897 print_serial_number(seq, result.serial_number, sizeof(result) - 36);
25898 @@ -1358,14 +1344,10 @@ static int i2o_seq_show_uinfo(struct seq
25899 return 0;
25900 }
25901
25902 - seq_printf(seq, "Device name : %s\n",
25903 - chtostr(result.device_name, 64));
25904 - seq_printf(seq, "Service name : %s\n",
25905 - chtostr(result.service_name, 64));
25906 - seq_printf(seq, "Physical name : %s\n",
25907 - chtostr(result.physical_location, 64));
25908 - seq_printf(seq, "Instance number : %s\n",
25909 - chtostr(result.instance_number, 4));
25910 + seq_printf(seq, "Device name : %.64s\n", result.device_name);
25911 + seq_printf(seq, "Service name : %.64s\n", result.service_name);
25912 + seq_printf(seq, "Physical name : %.64s\n", result.physical_location);
25913 + seq_printf(seq, "Instance number : %.4s\n", result.instance_number);
25914
25915 return 0;
25916 }
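Review bot: The replacement formats on L25854 and L25864–L25865 keep the precision but drop the field width: `%-29s` becomes `%-.28s` and `%-9s` becomes `%-.8s`, so names shorter than 28 characters no longer pad to the column and the rows emitted by i2o_seq_show_ddm_table and i2o_seq_show_drivers_stored lose their alignment. `%-29.28s` and `%-9.8s` keep the old layout while still bounding the read to the field size. The later hunks (L25881–L25884, L25896–L25897, L25913–L25916) print one value per line, so no width is needed there.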
25917 diff -urNp linux-2.6.37/drivers/mfd/janz-cmodio.c linux-2.6.37/drivers/mfd/janz-cmodio.c
25918 --- linux-2.6.37/drivers/mfd/janz-cmodio.c 2011-01-04 19:50:19.000000000 -0500
25919 +++ linux-2.6.37/drivers/mfd/janz-cmodio.c 2011-01-17 02:41:01.000000000 -0500
25920 @@ -13,6 +13,7 @@
25921
25922 #include <linux/kernel.h>
25923 #include <linux/module.h>
25924 +#include <linux/slab.h>
25925 #include <linux/init.h>
25926 #include <linux/pci.h>
25927 #include <linux/interrupt.h>
25928 diff -urNp linux-2.6.37/drivers/misc/kgdbts.c linux-2.6.37/drivers/misc/kgdbts.c
25929 --- linux-2.6.37/drivers/misc/kgdbts.c 2011-01-04 19:50:19.000000000 -0500
25930 +++ linux-2.6.37/drivers/misc/kgdbts.c 2011-01-17 02:41:01.000000000 -0500
25931 @@ -118,7 +118,7 @@
25932 } while (0)
25933 #define MAX_CONFIG_LEN 40
25934
25935 -static struct kgdb_io kgdbts_io_ops;
25936 +static const struct kgdb_io kgdbts_io_ops;
25937 static char get_buf[BUFMAX];
25938 static int get_buf_cnt;
25939 static char put_buf[BUFMAX];
25940 @@ -1103,7 +1103,7 @@ static void kgdbts_post_exp_handler(void
25941 module_put(THIS_MODULE);
25942 }
25943
25944 -static struct kgdb_io kgdbts_io_ops = {
25945 +static const struct kgdb_io kgdbts_io_ops = {
25946 .name = "kgdbts",
25947 .read_char = kgdbts_get_char,
25948 .write_char = kgdbts_put_char,
25949 diff -urNp linux-2.6.37/drivers/misc/sgi-gru/gruhandles.c linux-2.6.37/drivers/misc/sgi-gru/gruhandles.c
25950 --- linux-2.6.37/drivers/misc/sgi-gru/gruhandles.c 2011-01-04 19:50:19.000000000 -0500
25951 +++ linux-2.6.37/drivers/misc/sgi-gru/gruhandles.c 2011-01-17 02:41:01.000000000 -0500
25952 @@ -44,8 +44,8 @@ static void update_mcs_stats(enum mcs_op
25953 unsigned long nsec;
25954
25955 nsec = CLKS2NSEC(clks);
25956 - atomic_long_inc(&mcs_op_statistics[op].count);
25957 - atomic_long_add(nsec, &mcs_op_statistics[op].total);
25958 + atomic_long_inc_unchecked(&mcs_op_statistics[op].count);
25959 + atomic_long_add_unchecked(nsec, &mcs_op_statistics[op].total);
25960 if (mcs_op_statistics[op].max < nsec)
25961 mcs_op_statistics[op].max = nsec;
25962 }
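Review bot: The switch to atomic_long_inc_unchecked/atomic_long_add_unchecked on L25961–L25962 carries no rationale in the code, and the same silent opt-out is repeated in gruprocfs.c (L25974, L25977, L25987–L25988) and in the struct definitions in grutables.h (L26075–L26161, L26170). Since these are statistics counters where wraparound is harmless, a one-line comment at this first site, `/* statistics only: wraparound is harmless, overflow checking is deliberately bypassed */`, tells the next maintainer that the unchecked variants are intentional and not something to "fix" back. update_mcs_stats starts outside the hunk.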
25963 diff -urNp linux-2.6.37/drivers/misc/sgi-gru/gruprocfs.c linux-2.6.37/drivers/misc/sgi-gru/gruprocfs.c
25964 --- linux-2.6.37/drivers/misc/sgi-gru/gruprocfs.c 2011-01-04 19:50:19.000000000 -0500
25965 +++ linux-2.6.37/drivers/misc/sgi-gru/gruprocfs.c 2011-01-17 02:41:01.000000000 -0500
25966 @@ -32,9 +32,9 @@
25967
25968 #define printstat(s, f) printstat_val(s, &gru_stats.f, #f)
25969
25970 -static void printstat_val(struct seq_file *s, atomic_long_t *v, char *id)
25971 +static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, char *id)
25972 {
25973 - unsigned long val = atomic_long_read(v);
25974 + unsigned long val = atomic_long_read_unchecked(v);
25975
25976 seq_printf(s, "%16lu %s\n", val, id);
25977 }
25978 @@ -134,8 +134,8 @@ static int mcs_statistics_show(struct se
25979
25980 seq_printf(s, "%-20s%12s%12s%12s\n", "#id", "count", "aver-clks", "max-clks");
25981 for (op = 0; op < mcsop_last; op++) {
25982 - count = atomic_long_read(&mcs_op_statistics[op].count);
25983 - total = atomic_long_read(&mcs_op_statistics[op].total);
25984 + count = atomic_long_read_unchecked(&mcs_op_statistics[op].count);
25985 + total = atomic_long_read_unchecked(&mcs_op_statistics[op].total);
25986 max = mcs_op_statistics[op].max;
25987 seq_printf(s, "%-20s%12ld%12ld%12ld\n", id[op], count,
25988 count ? total / count : 0, max);
25989 diff -urNp linux-2.6.37/drivers/misc/sgi-gru/grutables.h linux-2.6.37/drivers/misc/sgi-gru/grutables.h
25990 --- linux-2.6.37/drivers/misc/sgi-gru/grutables.h 2011-01-04 19:50:19.000000000 -0500
25991 +++ linux-2.6.37/drivers/misc/sgi-gru/grutables.h 2011-01-17 02:41:01.000000000 -0500
25992 @@ -167,82 +167,82 @@ extern unsigned int gru_max_gids;
25993 * GRU statistics.
25994 */
25995 struct gru_stats_s {
25996 - atomic_long_t vdata_alloc;
25997 - atomic_long_t vdata_free;
25998 - atomic_long_t gts_alloc;
25999 - atomic_long_t gts_free;
26000 - atomic_long_t gms_alloc;
26001 - atomic_long_t gms_free;
26002 - atomic_long_t gts_double_allocate;
26003 - atomic_long_t assign_context;
26004 - atomic_long_t assign_context_failed;
26005 - atomic_long_t free_context;
26006 - atomic_long_t load_user_context;
26007 - atomic_long_t load_kernel_context;
26008 - atomic_long_t lock_kernel_context;
26009 - atomic_long_t unlock_kernel_context;
26010 - atomic_long_t steal_user_context;
26011 - atomic_long_t steal_kernel_context;
26012 - atomic_long_t steal_context_failed;
26013 - atomic_long_t nopfn;
26014 - atomic_long_t asid_new;
26015 - atomic_long_t asid_next;
26016 - atomic_long_t asid_wrap;
26017 - atomic_long_t asid_reuse;
26018 - atomic_long_t intr;
26019 - atomic_long_t intr_cbr;
26020 - atomic_long_t intr_tfh;
26021 - atomic_long_t intr_spurious;
26022 - atomic_long_t intr_mm_lock_failed;
26023 - atomic_long_t call_os;
26024 - atomic_long_t call_os_wait_queue;
26025 - atomic_long_t user_flush_tlb;
26026 - atomic_long_t user_unload_context;
26027 - atomic_long_t user_exception;
26028 - atomic_long_t set_context_option;
26029 - atomic_long_t check_context_retarget_intr;
26030 - atomic_long_t check_context_unload;
26031 - atomic_long_t tlb_dropin;
26032 - atomic_long_t tlb_preload_page;
26033 - atomic_long_t tlb_dropin_fail_no_asid;
26034 - atomic_long_t tlb_dropin_fail_upm;
26035 - atomic_long_t tlb_dropin_fail_invalid;
26036 - atomic_long_t tlb_dropin_fail_range_active;
26037 - atomic_long_t tlb_dropin_fail_idle;
26038 - atomic_long_t tlb_dropin_fail_fmm;
26039 - atomic_long_t tlb_dropin_fail_no_exception;
26040 - atomic_long_t tfh_stale_on_fault;
26041 - atomic_long_t mmu_invalidate_range;
26042 - atomic_long_t mmu_invalidate_page;
26043 - atomic_long_t flush_tlb;
26044 - atomic_long_t flush_tlb_gru;
26045 - atomic_long_t flush_tlb_gru_tgh;
26046 - atomic_long_t flush_tlb_gru_zero_asid;
26047 -
26048 - atomic_long_t copy_gpa;
26049 - atomic_long_t read_gpa;
26050 -
26051 - atomic_long_t mesq_receive;
26052 - atomic_long_t mesq_receive_none;
26053 - atomic_long_t mesq_send;
26054 - atomic_long_t mesq_send_failed;
26055 - atomic_long_t mesq_noop;
26056 - atomic_long_t mesq_send_unexpected_error;
26057 - atomic_long_t mesq_send_lb_overflow;
26058 - atomic_long_t mesq_send_qlimit_reached;
26059 - atomic_long_t mesq_send_amo_nacked;
26060 - atomic_long_t mesq_send_put_nacked;
26061 - atomic_long_t mesq_page_overflow;
26062 - atomic_long_t mesq_qf_locked;
26063 - atomic_long_t mesq_qf_noop_not_full;
26064 - atomic_long_t mesq_qf_switch_head_failed;
26065 - atomic_long_t mesq_qf_unexpected_error;
26066 - atomic_long_t mesq_noop_unexpected_error;
26067 - atomic_long_t mesq_noop_lb_overflow;
26068 - atomic_long_t mesq_noop_qlimit_reached;
26069 - atomic_long_t mesq_noop_amo_nacked;
26070 - atomic_long_t mesq_noop_put_nacked;
26071 - atomic_long_t mesq_noop_page_overflow;
26072 + atomic_long_unchecked_t vdata_alloc;
26073 + atomic_long_unchecked_t vdata_free;
26074 + atomic_long_unchecked_t gts_alloc;
26075 + atomic_long_unchecked_t gts_free;
26076 + atomic_long_unchecked_t gms_alloc;
26077 + atomic_long_unchecked_t gms_free;
26078 + atomic_long_unchecked_t gts_double_allocate;
26079 + atomic_long_unchecked_t assign_context;
26080 + atomic_long_unchecked_t assign_context_failed;
26081 + atomic_long_unchecked_t free_context;
26082 + atomic_long_unchecked_t load_user_context;
26083 + atomic_long_unchecked_t load_kernel_context;
26084 + atomic_long_unchecked_t lock_kernel_context;
26085 + atomic_long_unchecked_t unlock_kernel_context;
26086 + atomic_long_unchecked_t steal_user_context;
26087 + atomic_long_unchecked_t steal_kernel_context;
26088 + atomic_long_unchecked_t steal_context_failed;
26089 + atomic_long_unchecked_t nopfn;
26090 + atomic_long_unchecked_t asid_new;
26091 + atomic_long_unchecked_t asid_next;
26092 + atomic_long_unchecked_t asid_wrap;
26093 + atomic_long_unchecked_t asid_reuse;
26094 + atomic_long_unchecked_t intr;
26095 + atomic_long_unchecked_t intr_cbr;
26096 + atomic_long_unchecked_t intr_tfh;
26097 + atomic_long_unchecked_t intr_spurious;
26098 + atomic_long_unchecked_t intr_mm_lock_failed;
26099 + atomic_long_unchecked_t call_os;
26100 + atomic_long_unchecked_t call_os_wait_queue;
26101 + atomic_long_unchecked_t user_flush_tlb;
26102 + atomic_long_unchecked_t user_unload_context;
26103 + atomic_long_unchecked_t user_exception;
26104 + atomic_long_unchecked_t set_context_option;
26105 + atomic_long_unchecked_t check_context_retarget_intr;
26106 + atomic_long_unchecked_t check_context_unload;
26107 + atomic_long_unchecked_t tlb_dropin;
26108 + atomic_long_unchecked_t tlb_preload_page;
26109 + atomic_long_unchecked_t tlb_dropin_fail_no_asid;
26110 + atomic_long_unchecked_t tlb_dropin_fail_upm;
26111 + atomic_long_unchecked_t tlb_dropin_fail_invalid;
26112 + atomic_long_unchecked_t tlb_dropin_fail_range_active;
26113 + atomic_long_unchecked_t tlb_dropin_fail_idle;
26114 + atomic_long_unchecked_t tlb_dropin_fail_fmm;
26115 + atomic_long_unchecked_t tlb_dropin_fail_no_exception;
26116 + atomic_long_unchecked_t tfh_stale_on_fault;
26117 + atomic_long_unchecked_t mmu_invalidate_range;
26118 + atomic_long_unchecked_t mmu_invalidate_page;
26119 + atomic_long_unchecked_t flush_tlb;
26120 + atomic_long_unchecked_t flush_tlb_gru;
26121 + atomic_long_unchecked_t flush_tlb_gru_tgh;
26122 + atomic_long_unchecked_t flush_tlb_gru_zero_asid;
26123 +
26124 + atomic_long_unchecked_t copy_gpa;
26125 + atomic_long_unchecked_t read_gpa;
26126 +
26127 + atomic_long_unchecked_t mesq_receive;
26128 + atomic_long_unchecked_t mesq_receive_none;
26129 + atomic_long_unchecked_t mesq_send;
26130 + atomic_long_unchecked_t mesq_send_failed;
26131 + atomic_long_unchecked_t mesq_noop;
26132 + atomic_long_unchecked_t mesq_send_unexpected_error;
26133 + atomic_long_unchecked_t mesq_send_lb_overflow;
26134 + atomic_long_unchecked_t mesq_send_qlimit_reached;
26135 + atomic_long_unchecked_t mesq_send_amo_nacked;
26136 + atomic_long_unchecked_t mesq_send_put_nacked;
26137 + atomic_long_unchecked_t mesq_page_overflow;
26138 + atomic_long_unchecked_t mesq_qf_locked;
26139 + atomic_long_unchecked_t mesq_qf_noop_not_full;
26140 + atomic_long_unchecked_t mesq_qf_switch_head_failed;
26141 + atomic_long_unchecked_t mesq_qf_unexpected_error;
26142 + atomic_long_unchecked_t mesq_noop_unexpected_error;
26143 + atomic_long_unchecked_t mesq_noop_lb_overflow;
26144 + atomic_long_unchecked_t mesq_noop_qlimit_reached;
26145 + atomic_long_unchecked_t mesq_noop_amo_nacked;
26146 + atomic_long_unchecked_t mesq_noop_put_nacked;
26147 + atomic_long_unchecked_t mesq_noop_page_overflow;
26148
26149 };
26150
26151 @@ -251,8 +251,8 @@ enum mcs_op {cchop_allocate, cchop_start
26152 tghop_invalidate, mcsop_last};
26153
26154 struct mcs_op_statistic {
26155 - atomic_long_t count;
26156 - atomic_long_t total;
26157 + atomic_long_unchecked_t count;
26158 + atomic_long_unchecked_t total;
26159 unsigned long max;
26160 };
26161
26162 @@ -275,7 +275,7 @@ extern struct mcs_op_statistic mcs_op_st
26163
26164 #define STAT(id) do { \
26165 if (gru_options & OPT_STATS) \
26166 - atomic_long_inc(&gru_stats.id); \
26167 + atomic_long_inc_unchecked(&gru_stats.id); \
26168 } while (0)
26169
26170 #ifdef CONFIG_SGI_GRU_DEBUG
26171 diff -urNp linux-2.6.37/drivers/mtd/devices/doc2000.c linux-2.6.37/drivers/mtd/devices/doc2000.c
26172 --- linux-2.6.37/drivers/mtd/devices/doc2000.c 2011-01-04 19:50:19.000000000 -0500
26173 +++ linux-2.6.37/drivers/mtd/devices/doc2000.c 2011-01-17 02:41:01.000000000 -0500
26174 @@ -776,7 +776,7 @@ static int doc_write(struct mtd_info *mt
26175
26176 /* The ECC will not be calculated correctly if less than 512 is written */
26177 /* DBB-
26178 - if (len != 0x200 && eccbuf)
26179 + if (len != 0x200)
26180 printk(KERN_WARNING
26181 "ECC needs a full sector write (adr: %lx size %lx)\n",
26182 (long) to, (long) len);
26183 diff -urNp linux-2.6.37/drivers/mtd/devices/doc2001.c linux-2.6.37/drivers/mtd/devices/doc2001.c
26184 --- linux-2.6.37/drivers/mtd/devices/doc2001.c 2011-01-04 19:50:19.000000000 -0500
26185 +++ linux-2.6.37/drivers/mtd/devices/doc2001.c 2011-01-17 02:41:01.000000000 -0500
26186 @@ -393,7 +393,7 @@ static int doc_read (struct mtd_info *mt
26187 struct Nand *mychip = &this->chips[from >> (this->chipshift)];
26188
26189 /* Don't allow read past end of device */
26190 - if (from >= this->totlen)
26191 + if (from >= this->totlen || !len)
26192 return -EINVAL;
26193
26194 /* Don't allow a single read to cross a 512-byte block boundary */
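Review bot: The comment on L26192, "Don't allow read past end of device", no longer describes the condition on L26194, which now also rejects `len == 0` with -EINVAL, and a reader cannot tell whether zero-length reads are refused because later code in doc_read cannot handle them or for another reason. Extending the comment, e.g. `/* Don't allow read past end of device, or a zero-length read: <REASON-PLACEHOLDER> */`, or giving `!len` its own guarded line with its own comment, keeps the intent visible. Other MTD read paths may treat `len == 0` as a successful no-op, so whether -EINVAL is the right result for callers should be confirmed; the rest of doc_read is outside the hunk.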
26195 diff -urNp linux-2.6.37/drivers/mtd/nand/denali.c linux-2.6.37/drivers/mtd/nand/denali.c
26196 --- linux-2.6.37/drivers/mtd/nand/denali.c 2011-01-04 19:50:19.000000000 -0500
26197 +++ linux-2.6.37/drivers/mtd/nand/denali.c 2011-01-17 02:41:01.000000000 -0500
26198 @@ -25,6 +25,7 @@
26199 #include <linux/pci.h>
26200 #include <linux/mtd/mtd.h>
26201 #include <linux/module.h>
26202 +#include <linux/slab.h>
26203
26204 #include "denali.h"
26205
26206 diff -urNp linux-2.6.37/drivers/mtd/ubi/build.c linux-2.6.37/drivers/mtd/ubi/build.c
26207 --- linux-2.6.37/drivers/mtd/ubi/build.c 2011-01-04 19:50:19.000000000 -0500
26208 +++ linux-2.6.37/drivers/mtd/ubi/build.c 2011-01-17 02:41:01.000000000 -0500
26209 @@ -1285,7 +1285,7 @@ module_exit(ubi_exit);
26210 static int __init bytes_str_to_int(const char *str)
26211 {
26212 char *endp;
26213 - unsigned long result;
26214 + unsigned long result, scale = 1;
26215
26216 result = simple_strtoul(str, &endp, 0);
26217 if (str == endp || result >= INT_MAX) {
26218 @@ -1296,11 +1296,11 @@ static int __init bytes_str_to_int(const
26219
26220 switch (*endp) {
26221 case 'G':
26222 - result *= 1024;
26223 + scale *= 1024;
26224 case 'M':
26225 - result *= 1024;
26226 + scale *= 1024;
26227 case 'K':
26228 - result *= 1024;
26229 + scale *= 1024;
26230 if (endp[1] == 'i' && endp[2] == 'B')
26231 endp += 2;
26232 case '\0':
26233 @@ -1311,7 +1311,13 @@ static int __init bytes_str_to_int(const
26234 return -EINVAL;
26235 }
26236
26237 - return result;
26238 + if ((intoverflow_t)result*scale >= INT_MAX) {
26239 + printk(KERN_ERR "UBI error: incorrect bytes count: \"%s\"\n",
26240 + str);
26241 + return -EINVAL;
26242 + }
26243 +
26244 + return result*scale;
26245 }
26246
26247 /**
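Review bot: The overflow test on L26241 only works if intoverflow_t is wider than unsigned long on every target: on 32-bit, result can be just under INT_MAX and scale up to 1024*1024*1024, so the product needs about 61 bits, and if intoverflow_t were merely as wide as long the multiplication would wrap before the comparison. A comment at the check, `/* intoverflow_t must be wider than unsigned long so result*scale cannot wrap before the INT_MAX test */`, records that assumption, and `BUILD_BUG_ON(sizeof(intoverflow_t) <= sizeof(unsigned long));` would enforce it. The case fall-through G→M→K on L26224–L26232, which now accumulates scale, is still unmarked; a `/* fall through */` on each of the three cases makes the accumulation visibly intentional.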
26248 diff -urNp linux-2.6.37/drivers/net/e1000e/82571.c linux-2.6.37/drivers/net/e1000e/82571.c
26249 --- linux-2.6.37/drivers/net/e1000e/82571.c 2011-01-04 19:50:19.000000000 -0500
26250 +++ linux-2.6.37/drivers/net/e1000e/82571.c 2011-01-17 02:41:01.000000000 -0500
26251 @@ -211,6 +211,7 @@ static s32 e1000_init_mac_params_82571(s
26252 {
26253 struct e1000_hw *hw = &adapter->hw;
26254 struct e1000_mac_info *mac = &hw->mac;
26255 + /* cannot be const */
26256 struct e1000_mac_operations *func = &mac->ops;
26257 u32 swsm = 0;
26258 u32 swsm2 = 0;
26259 @@ -1740,7 +1741,7 @@ static void e1000_clear_hw_cntrs_82571(s
26260 er32(ICRXDMTC);
26261 }
26262
26263 -static struct e1000_mac_operations e82571_mac_ops = {
26264 +static const struct e1000_mac_operations e82571_mac_ops = {
26265 /* .check_mng_mode: mac type dependent */
26266 /* .check_for_link: media type dependent */
26267 .id_led_init = e1000e_id_led_init,
26268 @@ -1762,7 +1763,7 @@ static struct e1000_mac_operations e8257
26269 .read_mac_addr = e1000_read_mac_addr_82571,
26270 };
26271
26272 -static struct e1000_phy_operations e82_phy_ops_igp = {
26273 +static const struct e1000_phy_operations e82_phy_ops_igp = {
26274 .acquire = e1000_get_hw_semaphore_82571,
26275 .check_polarity = e1000_check_polarity_igp,
26276 .check_reset_block = e1000e_check_reset_block_generic,
26277 @@ -1780,7 +1781,7 @@ static struct e1000_phy_operations e82_p
26278 .cfg_on_link_up = NULL,
26279 };
26280
26281 -static struct e1000_phy_operations e82_phy_ops_m88 = {
26282 +static const struct e1000_phy_operations e82_phy_ops_m88 = {
26283 .acquire = e1000_get_hw_semaphore_82571,
26284 .check_polarity = e1000_check_polarity_m88,
26285 .check_reset_block = e1000e_check_reset_block_generic,
26286 @@ -1798,7 +1799,7 @@ static struct e1000_phy_operations e82_p
26287 .cfg_on_link_up = NULL,
26288 };
26289
26290 -static struct e1000_phy_operations e82_phy_ops_bm = {
26291 +static const struct e1000_phy_operations e82_phy_ops_bm = {
26292 .acquire = e1000_get_hw_semaphore_82571,
26293 .check_polarity = e1000_check_polarity_m88,
26294 .check_reset_block = e1000e_check_reset_block_generic,
26295 @@ -1816,7 +1817,7 @@ static struct e1000_phy_operations e82_p
26296 .cfg_on_link_up = NULL,
26297 };
26298
26299 -static struct e1000_nvm_operations e82571_nvm_ops = {
26300 +static const struct e1000_nvm_operations e82571_nvm_ops = {
26301 .acquire = e1000_acquire_nvm_82571,
26302 .read = e1000e_read_nvm_eerd,
26303 .release = e1000_release_nvm_82571,
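Review bot: The `/* cannot be const */` comment added on L26258 (and the identical one in es2lan.c, L26330) states the restriction without the reason, so a reader cannot tell whether `func` is written through below or whether the type merely lacks const; presumably the hooks in mac->ops are assigned through func later in e1000_init_mac_params_82571, which is outside the hunk. Saying so, e.g. `/* cannot be const: mac->ops hooks are assigned through func below */`, makes the comment actionable, and the same wording fits es2lan.c.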
26304 diff -urNp linux-2.6.37/drivers/net/e1000e/e1000.h linux-2.6.37/drivers/net/e1000e/e1000.h
26305 --- linux-2.6.37/drivers/net/e1000e/e1000.h 2011-01-04 19:50:19.000000000 -0500
26306 +++ linux-2.6.37/drivers/net/e1000e/e1000.h 2011-01-17 02:41:01.000000000 -0500
26307 @@ -407,9 +407,9 @@ struct e1000_info {
26308 u32 pba;
26309 u32 max_hw_frame_size;
26310 s32 (*get_variants)(struct e1000_adapter *);
26311 - struct e1000_mac_operations *mac_ops;
26312 - struct e1000_phy_operations *phy_ops;
26313 - struct e1000_nvm_operations *nvm_ops;
26314 + const struct e1000_mac_operations *mac_ops;
26315 + const struct e1000_phy_operations *phy_ops;
26316 + const struct e1000_nvm_operations *nvm_ops;
26317 };
26318
26319 /* hardware capability, feature, and workaround flags */
26320 diff -urNp linux-2.6.37/drivers/net/e1000e/es2lan.c linux-2.6.37/drivers/net/e1000e/es2lan.c
26321 --- linux-2.6.37/drivers/net/e1000e/es2lan.c 2011-01-04 19:50:19.000000000 -0500
26322 +++ linux-2.6.37/drivers/net/e1000e/es2lan.c 2011-01-17 02:41:01.000000000 -0500
26323 @@ -205,6 +205,7 @@ static s32 e1000_init_mac_params_80003es
26324 {
26325 struct e1000_hw *hw = &adapter->hw;
26326 struct e1000_mac_info *mac = &hw->mac;
26327 + /* cannot be const */
26328 struct e1000_mac_operations *func = &mac->ops;
26329
26330 /* Set media type */
26331 @@ -1431,7 +1432,7 @@ static void e1000_clear_hw_cntrs_80003es
26332 er32(ICRXDMTC);
26333 }
26334
26335 -static struct e1000_mac_operations es2_mac_ops = {
26336 +static const struct e1000_mac_operations es2_mac_ops = {
26337 .read_mac_addr = e1000_read_mac_addr_80003es2lan,
26338 .id_led_init = e1000e_id_led_init,
26339 .check_mng_mode = e1000e_check_mng_mode_generic,
26340 @@ -1453,7 +1454,7 @@ static struct e1000_mac_operations es2_m
26341 .setup_led = e1000e_setup_led_generic,
26342 };
26343
26344 -static struct e1000_phy_operations es2_phy_ops = {
26345 +static const struct e1000_phy_operations es2_phy_ops = {
26346 .acquire = e1000_acquire_phy_80003es2lan,
26347 .check_polarity = e1000_check_polarity_m88,
26348 .check_reset_block = e1000e_check_reset_block_generic,
26349 @@ -1471,7 +1472,7 @@ static struct e1000_phy_operations es2_p
26350 .cfg_on_link_up = e1000_cfg_on_link_up_80003es2lan,
26351 };
26352
26353 -static struct e1000_nvm_operations es2_nvm_ops = {
26354 +static const struct e1000_nvm_operations es2_nvm_ops = {
26355 .acquire = e1000_acquire_nvm_80003es2lan,
26356 .read = e1000e_read_nvm_eerd,
26357 .release = e1000_release_nvm_80003es2lan,
26358 diff -urNp linux-2.6.37/drivers/net/e1000e/hw.h linux-2.6.37/drivers/net/e1000e/hw.h
26359 --- linux-2.6.37/drivers/net/e1000e/hw.h 2011-01-04 19:50:19.000000000 -0500
26360 +++ linux-2.6.37/drivers/net/e1000e/hw.h 2011-01-17 02:41:01.000000000 -0500
26361 @@ -800,16 +800,17 @@ struct e1000_phy_operations {
26362
26363 /* Function pointers for the NVM. */
26364 struct e1000_nvm_operations {
26365 - s32 (*acquire)(struct e1000_hw *);
26366 - s32 (*read)(struct e1000_hw *, u16, u16, u16 *);
26367 - void (*release)(struct e1000_hw *);
26368 - s32 (*update)(struct e1000_hw *);
26369 - s32 (*valid_led_default)(struct e1000_hw *, u16 *);
26370 - s32 (*validate)(struct e1000_hw *);
26371 - s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
26372 + s32 (* const acquire)(struct e1000_hw *);
26373 + s32 (* const read)(struct e1000_hw *, u16, u16, u16 *);
26374 + void (* const release)(struct e1000_hw *);
26375 + s32 (* const update)(struct e1000_hw *);
26376 + s32 (* const valid_led_default)(struct e1000_hw *, u16 *);
26377 + s32 (* const validate)(struct e1000_hw *);
26378 + s32 (* const write)(struct e1000_hw *, u16, u16, u16 *);
26379 };
26380
26381 struct e1000_mac_info {
26382 + /* cannot be const see e1000_init_mac_params_ich8lan */
26383 struct e1000_mac_operations ops;
26384
26385 u8 addr[6];
26386 @@ -852,6 +853,7 @@ struct e1000_mac_info {
26387 };
26388
26389 struct e1000_phy_info {
26390 + /* Cannot be const see e1000_init_phy_params_82571() */
26391 struct e1000_phy_operations ops;
26392
26393 enum e1000_phy_type type;
26394 @@ -886,6 +888,7 @@ struct e1000_phy_info {
26395 };
26396
26397 struct e1000_nvm_info {
26398 + /* cannot be const */
26399 struct e1000_nvm_operations ops;
26400
26401 enum e1000_nvm_type type;
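Review bot: With every member of e1000_nvm_operations now `* const` (L26375–L26381), a `struct e1000_nvm_operations` value is no longer assignable with `=` at all (a struct containing a const member is not a modifiable lvalue), so the `/* cannot be const */` comment on L26401 above `struct e1000_nvm_info.ops` is ambiguous: the object itself presumably stays non-const because it is filled by memcpy from the per-device ops table at probe time rather than by assignment. Stating that, e.g. `/* cannot be const: populated by memcpy() from the e1000_info ops table at probe */`, tells the reader why member-wise assignment will fail to compile and what the supported pattern is. The comments on L26385 and L26393 name the functions that write the other two ops structs, so the same form would keep all three consistent.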
26402 diff -urNp linux-2.6.37/drivers/net/e1000e/ich8lan.c linux-2.6.37/drivers/net/e1000e/ich8lan.c
26403 --- linux-2.6.37/drivers/net/e1000e/ich8lan.c 2011-01-04 19:50:19.000000000 -0500
26404 +++ linux-2.6.37/drivers/net/e1000e/ich8lan.c 2011-01-17 02:41:01.000000000 -0500
26405 @@ -3856,7 +3856,7 @@ static void e1000_clear_hw_cntrs_ich8lan
26406 }
26407 }
26408
26409 -static struct e1000_mac_operations ich8_mac_ops = {
26410 +static const struct e1000_mac_operations ich8_mac_ops = {
26411 .id_led_init = e1000e_id_led_init,
26412 /* check_mng_mode dependent on mac type */
26413 .check_for_link = e1000_check_for_copper_link_ich8lan,
26414 @@ -3875,7 +3875,7 @@ static struct e1000_mac_operations ich8_
26415 /* id_led_init dependent on mac type */
26416 };
26417
26418 -static struct e1000_phy_operations ich8_phy_ops = {
26419 +static const struct e1000_phy_operations ich8_phy_ops = {
26420 .acquire = e1000_acquire_swflag_ich8lan,
26421 .check_reset_block = e1000_check_reset_block_ich8lan,
26422 .commit = NULL,
26423 @@ -3889,7 +3889,7 @@ static struct e1000_phy_operations ich8_
26424 .write_reg = e1000e_write_phy_reg_igp,
26425 };
26426
26427 -static struct e1000_nvm_operations ich8_nvm_ops = {
26428 +static const struct e1000_nvm_operations ich8_nvm_ops = {
26429 .acquire = e1000_acquire_nvm_ich8lan,
26430 .read = e1000_read_nvm_ich8lan,
26431 .release = e1000_release_nvm_ich8lan,
26432 diff -urNp linux-2.6.37/drivers/net/igb/e1000_82575.c linux-2.6.37/drivers/net/igb/e1000_82575.c
26433 --- linux-2.6.37/drivers/net/igb/e1000_82575.c 2011-01-04 19:50:19.000000000 -0500
26434 +++ linux-2.6.37/drivers/net/igb/e1000_82575.c 2011-01-17 02:41:01.000000000 -0500
26435 @@ -1712,7 +1712,7 @@ u16 igb_rxpbs_adjust_82580(u32 data)
26436 return ret_val;
26437 }
26438
26439 -static struct e1000_mac_operations e1000_mac_ops_82575 = {
26440 +static const struct e1000_mac_operations e1000_mac_ops_82575 = {
26441 .init_hw = igb_init_hw_82575,
26442 .check_for_link = igb_check_for_link_82575,
26443 .rar_set = igb_rar_set,
26444 @@ -1720,13 +1720,13 @@ static struct e1000_mac_operations e1000
26445 .get_speed_and_duplex = igb_get_speed_and_duplex_copper,
26446 };
26447
26448 -static struct e1000_phy_operations e1000_phy_ops_82575 = {
26449 +static const struct e1000_phy_operations e1000_phy_ops_82575 = {
26450 .acquire = igb_acquire_phy_82575,
26451 .get_cfg_done = igb_get_cfg_done_82575,
26452 .release = igb_release_phy_82575,
26453 };
26454
26455 -static struct e1000_nvm_operations e1000_nvm_ops_82575 = {
26456 +static const struct e1000_nvm_operations e1000_nvm_ops_82575 = {
26457 .acquire = igb_acquire_nvm_82575,
26458 .read = igb_read_nvm_eerd,
26459 .release = igb_release_nvm_82575,
26460 diff -urNp linux-2.6.37/drivers/net/igb/e1000_hw.h linux-2.6.37/drivers/net/igb/e1000_hw.h
26461 --- linux-2.6.37/drivers/net/igb/e1000_hw.h 2011-01-04 19:50:19.000000000 -0500
26462 +++ linux-2.6.37/drivers/net/igb/e1000_hw.h 2011-01-17 02:41:01.000000000 -0500
26463 @@ -325,22 +325,23 @@ struct e1000_phy_operations {
26464 };
26465
26466 struct e1000_nvm_operations {
26467 - s32 (*acquire)(struct e1000_hw *);
26468 - s32 (*read)(struct e1000_hw *, u16, u16, u16 *);
26469 - void (*release)(struct e1000_hw *);
26470 - s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
26471 + s32 (* const acquire)(struct e1000_hw *);
26472 + s32 (* const read)(struct e1000_hw *, u16, u16, u16 *);
26473 + void (* const release)(struct e1000_hw *);
26474 + s32 (* const write)(struct e1000_hw *, u16, u16, u16 *);
26475 };
26476
26477 struct e1000_info {
26478 s32 (*get_invariants)(struct e1000_hw *);
26479 - struct e1000_mac_operations *mac_ops;
26480 - struct e1000_phy_operations *phy_ops;
26481 - struct e1000_nvm_operations *nvm_ops;
26482 + const struct e1000_mac_operations *mac_ops;
26483 + const struct e1000_phy_operations *phy_ops;
26484 + const struct e1000_nvm_operations *nvm_ops;
26485 };
26486
26487 extern const struct e1000_info e1000_82575_info;
26488
26489 struct e1000_mac_info {
26490 + /* cannot be const see igb_get_invariants_82575() */
26491 struct e1000_mac_operations ops;
26492
26493 u8 addr[6];
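Review bot: Every member of struct e1000_nvm_operations is now a const function pointer, yet struct e1000_nvm_info still embeds it by value as a non-const `ops` annotated "cannot be const" (here and in the -414 hunk). A struct with const-qualified members is not a modifiable lvalue in C, so `hw->nvm.ops` can no longer be assigned with `=`; only a memcpy can fill it, and that writes const-qualified objects, which the standard treats as undefined (C11 6.7.3p6) even though the kernel tolerates it in practice. If igb_get_invariants_82575(), which is outside this hunk, assigns individual nvm ops members the hunk will not compile; if it only block-copies, a comment on `ops` such as `/* members are const: populated only by memcpy from e1000_info->nvm_ops */` would record the constraint. `get_invariants` in struct e1000_info was left non-const while its siblings were constified; the visible instance is declared `extern const`, so this is harmless but inconsistent.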
26494 @@ -379,6 +380,7 @@ struct e1000_mac_info {
26495 };
26496
26497 struct e1000_phy_info {
26498 + /* cannot be const see igb_get_invariants_82575() */
26499 struct e1000_phy_operations ops;
26500
26501 enum e1000_phy_type type;
26502 @@ -414,6 +416,7 @@ struct e1000_phy_info {
26503 };
26504
26505 struct e1000_nvm_info {
26506 + /* cannot be const */
26507 struct e1000_nvm_operations ops;
26508
26509 enum e1000_nvm_type type;
26510 diff -urNp linux-2.6.37/drivers/net/igbvf/vf.h linux-2.6.37/drivers/net/igbvf/vf.h
26511 --- linux-2.6.37/drivers/net/igbvf/vf.h 2011-01-04 19:50:19.000000000 -0500
26512 +++ linux-2.6.37/drivers/net/igbvf/vf.h 2011-01-17 02:41:01.000000000 -0500
26513 @@ -189,6 +189,7 @@ struct e1000_mac_operations {
26514 };
26515
26516 struct e1000_mac_info {
26517 + /* cannot be const see e1000_init_mac_params_vf() */
26518 struct e1000_mac_operations ops;
26519 u8 addr[6];
26520 u8 perm_addr[6];
26521 diff -urNp linux-2.6.37/drivers/net/irda/vlsi_ir.c linux-2.6.37/drivers/net/irda/vlsi_ir.c
26522 --- linux-2.6.37/drivers/net/irda/vlsi_ir.c 2011-01-04 19:50:19.000000000 -0500
26523 +++ linux-2.6.37/drivers/net/irda/vlsi_ir.c 2011-01-17 02:41:01.000000000 -0500
26524 @@ -907,13 +907,12 @@ static netdev_tx_t vlsi_hard_start_xmit(
26525 /* no race - tx-ring already empty */
26526 vlsi_set_baud(idev, iobase);
26527 netif_wake_queue(ndev);
26528 - }
26529 - else
26530 - ;
26531 + } else {
26532 /* keep the speed change pending like it would
26533 * for any len>0 packet. tx completion interrupt
26534 * will apply it when the tx ring becomes empty.
26535 */
26536 + }
26537 spin_unlock_irqrestore(&idev->lock, flags);
26538 dev_kfree_skb_any(skb);
26539 return NETDEV_TX_OK;
26540 diff -urNp linux-2.6.37/drivers/net/macvtap.c linux-2.6.37/drivers/net/macvtap.c
26541 --- linux-2.6.37/drivers/net/macvtap.c 2011-01-04 19:50:19.000000000 -0500
26542 +++ linux-2.6.37/drivers/net/macvtap.c 2011-01-17 02:41:01.000000000 -0500
26543 @@ -529,8 +529,9 @@ static ssize_t macvtap_get_user(struct m
26544 vnet_hdr_len = q->vnet_hdr_sz;
26545
26546 err = -EINVAL;
26547 - if ((len -= vnet_hdr_len) < 0)
26548 + if (len < vnet_hdr_len)
26549 goto err;
26550 + len -= vnet_hdr_len;
26551
26552 err = memcpy_fromiovecend((void *)&vnet_hdr, iv, 0,
26553 sizeof(vnet_hdr));
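Review bot: The new `if (len < vnet_hdr_len)` check is the right shape, but nothing records why the old `(len -= vnet_hdr_len) < 0` was wrong, and the next reader may fold the subtraction back into the test. Presumably `len` is unsigned (size_t), so the old comparison could never be true and the subtraction wrapped; a line above the check, `/* len is unsigned: bound-check before subtracting so it cannot wrap */`, would pin that down. `vnet_hdr_len` also appears to be a signed int compared against the unsigned `len`; it is non-negative here, but declaring it size_t would avoid the sign-compare warning. macvtap_get_user starts and ends outside the hunk.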
26554 diff -urNp linux-2.6.37/drivers/net/pcnet32.c linux-2.6.37/drivers/net/pcnet32.c
26555 --- linux-2.6.37/drivers/net/pcnet32.c 2011-01-04 19:50:19.000000000 -0500
26556 +++ linux-2.6.37/drivers/net/pcnet32.c 2011-01-17 02:41:01.000000000 -0500
26557 @@ -82,7 +82,7 @@ static int cards_found;
26558 /*
26559 * VLB I/O addresses
26560 */
26561 -static unsigned int pcnet32_portlist[] __initdata =
26562 +static unsigned int pcnet32_portlist[] __devinitdata =
26563 { 0x300, 0x320, 0x340, 0x360, 0 };
26564
26565 static int pcnet32_debug;
26566 diff -urNp linux-2.6.37/drivers/net/ppp_generic.c linux-2.6.37/drivers/net/ppp_generic.c
26567 --- linux-2.6.37/drivers/net/ppp_generic.c 2011-01-04 19:50:19.000000000 -0500
26568 +++ linux-2.6.37/drivers/net/ppp_generic.c 2011-01-17 02:41:01.000000000 -0500
26569 @@ -986,7 +986,6 @@ ppp_net_ioctl(struct net_device *dev, st
26570 void __user *addr = (void __user *) ifr->ifr_ifru.ifru_data;
26571 struct ppp_stats stats;
26572 struct ppp_comp_stats cstats;
26573 - char *vers;
26574
26575 switch (cmd) {
26576 case SIOCGPPPSTATS:
26577 @@ -1008,8 +1007,7 @@ ppp_net_ioctl(struct net_device *dev, st
26578 break;
26579
26580 case SIOCGPPPVER:
26581 - vers = PPP_VERSION;
26582 - if (copy_to_user(addr, vers, strlen(vers) + 1))
26583 + if (copy_to_user(addr, PPP_VERSION, sizeof(PPP_VERSION)))
26584 break;
26585 err = 0;
26586 break;
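Review bot: `sizeof(PPP_VERSION)` in the SIOCGPPPVER case is only correct while PPP_VERSION remains a string literal; if it is ever redefined as a `const char *` the expression silently becomes the pointer size and the copy is truncated without any warning. A comment next to the call, `/* PPP_VERSION is a string literal: sizeof includes the terminating NUL */`, makes the assumption explicit. The -986 hunk only drops the now unused `vers` local and needs nothing further.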
26587 diff -urNp linux-2.6.37/drivers/net/tg3.h linux-2.6.37/drivers/net/tg3.h
26588 --- linux-2.6.37/drivers/net/tg3.h 2011-01-04 19:50:19.000000000 -0500
26589 +++ linux-2.6.37/drivers/net/tg3.h 2011-01-17 02:41:01.000000000 -0500
26590 @@ -131,6 +131,7 @@
26591 #define CHIPREV_ID_5750_A0 0x4000
26592 #define CHIPREV_ID_5750_A1 0x4001
26593 #define CHIPREV_ID_5750_A3 0x4003
26594 +#define CHIPREV_ID_5750_C1 0x4201
26595 #define CHIPREV_ID_5750_C2 0x4202
26596 #define CHIPREV_ID_5752_A0_HW 0x5000
26597 #define CHIPREV_ID_5752_A0 0x6000
26598 diff -urNp linux-2.6.37/drivers/net/tulip/de4x5.c linux-2.6.37/drivers/net/tulip/de4x5.c
26599 --- linux-2.6.37/drivers/net/tulip/de4x5.c 2011-01-04 19:50:19.000000000 -0500
26600 +++ linux-2.6.37/drivers/net/tulip/de4x5.c 2011-01-17 02:41:01.000000000 -0500
26601 @@ -5401,7 +5401,7 @@ de4x5_ioctl(struct net_device *dev, stru
26602 for (i=0; i<ETH_ALEN; i++) {
26603 tmp.addr[i] = dev->dev_addr[i];
26604 }
26605 - if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
26606 + if (ioc->len > sizeof tmp.addr || copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
26607 break;
26608
26609 case DE4X5_SET_HWADDR: /* Set the hardware address */
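Review bot: The bound added at `if (ioc->len > sizeof tmp.addr || ...)` is looser than what the loop above it fills: only ETH_ALEN bytes of `tmp.addr` are written, so any ioc->len between ETH_ALEN and sizeof tmp.addr would copy uninitialized stack bytes to user space. Unless ioc->len is set to ETH_ALEN earlier in this case, which is not visible in the hunk, the test should be `if (ioc->len > ETH_ALEN || copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;`. If ioc->len is clamped earlier, the added test is purely defensive and a comment should say so. de4x5_ioctl starts and ends outside the hunk.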
26610 @@ -5441,7 +5441,7 @@ de4x5_ioctl(struct net_device *dev, stru
26611 spin_lock_irqsave(&lp->lock, flags);
26612 memcpy(&statbuf, &lp->pktStats, ioc->len);
26613 spin_unlock_irqrestore(&lp->lock, flags);
26614 - if (copy_to_user(ioc->data, &statbuf, ioc->len))
26615 + if (ioc->len > sizeof statbuf || copy_to_user(ioc->data, &statbuf, ioc->len))
26616 return -EFAULT;
26617 break;
26618 }
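Review bot: The new `ioc->len > sizeof statbuf` test guards only the copy_to_user, but `memcpy(&statbuf, &lp->pktStats, ioc->len)` three lines above has already used the same length to write the stack buffer, so the check comes too late to protect the write that matters. If ioc->len can exceed sizeof statbuf at this point the guard belongs before the lock, `if (ioc->len > sizeof statbuf) return -EFAULT;` ahead of `spin_lock_irqsave(&lp->lock, flags);`; if ioc->len is assigned from sizeof statbuf earlier in the case, which I cannot see here, the new test is redundant and should be marked as defensive. The surrounding function continues outside the hunk.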
26619 diff -urNp linux-2.6.37/drivers/net/usb/hso.c linux-2.6.37/drivers/net/usb/hso.c
26620 --- linux-2.6.37/drivers/net/usb/hso.c 2011-01-04 19:50:19.000000000 -0500
26621 +++ linux-2.6.37/drivers/net/usb/hso.c 2011-01-17 02:41:01.000000000 -0500
26622 @@ -257,7 +257,7 @@ struct hso_serial {
26623
26624 /* from usb_serial_port */
26625 struct tty_struct *tty;
26626 - int open_count;
26627 + atomic_t open_count;
26628 spinlock_t serial_lock;
26629
26630 int (*write_data) (struct hso_serial *serial);
26631 @@ -1187,7 +1187,7 @@ static void put_rxbuf_data_and_resubmit_
26632 struct urb *urb;
26633
26634 urb = serial->rx_urb[0];
26635 - if (serial->open_count > 0) {
26636 + if (atomic_read(&serial->open_count) > 0) {
26637 count = put_rxbuf_data(urb, serial);
26638 if (count == -1)
26639 return;
26640 @@ -1223,7 +1223,7 @@ static void hso_std_serial_read_bulk_cal
26641 DUMP1(urb->transfer_buffer, urb->actual_length);
26642
26643 /* Anyone listening? */
26644 - if (serial->open_count == 0)
26645 + if (atomic_read(&serial->open_count) == 0)
26646 return;
26647
26648 if (status == 0) {
26649 @@ -1318,8 +1318,7 @@ static int hso_serial_open(struct tty_st
26650 spin_unlock_irq(&serial->serial_lock);
26651
26652 /* check for port already opened, if not set the termios */
26653 - serial->open_count++;
26654 - if (serial->open_count == 1) {
26655 + if (atomic_inc_return(&serial->open_count) == 1) {
26656 serial->rx_state = RX_IDLE;
26657 /* Force default termio settings */
26658 _hso_serial_set_termios(tty, NULL);
26659 @@ -1331,7 +1330,7 @@ static int hso_serial_open(struct tty_st
26660 result = hso_start_serial_device(serial->parent, GFP_KERNEL);
26661 if (result) {
26662 hso_stop_serial_device(serial->parent);
26663 - serial->open_count--;
26664 + atomic_dec(&serial->open_count);
26665 kref_put(&serial->parent->ref, hso_serial_ref_free);
26666 }
26667 } else {
26668 @@ -1368,10 +1367,10 @@ static void hso_serial_close(struct tty_
26669
26670 /* reset the rts and dtr */
26671 /* do the actual close */
26672 - serial->open_count--;
26673 + atomic_dec(&serial->open_count);
26674
26675 - if (serial->open_count <= 0) {
26676 - serial->open_count = 0;
26677 + if (atomic_read(&serial->open_count) <= 0) {
26678 + atomic_set(&serial->open_count, 0);
26679 spin_lock_irq(&serial->serial_lock);
26680 if (serial->tty == tty) {
26681 serial->tty->driver_data = NULL;
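Review bot: In hso_serial_close the decrement, the `<= 0` test and the clamp to zero are three separate atomic operations, so a concurrent hso_serial_open's `atomic_inc_return()` can land between the `atomic_read()` and the `atomic_set()`, leaving the count at 0 while a port is open. Reading the decremented value in one step, `if (atomic_dec_return(&serial->open_count) <= 0) {` in place of the separate `atomic_dec()` plus `atomic_read()`, removes one window; the `atomic_set(&serial->open_count, 0)` is then only an underflow guard and could be limited to the `< 0` case. If open and close are already serialized by an outer tty lock, as seems likely, a comment saying the atomic_t exists for the lockless readers in the URB callbacks would explain why this sequence is acceptable. The function continues outside the hunk.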
26682 @@ -1453,7 +1452,7 @@ static void hso_serial_set_termios(struc
26683
26684 /* the actual setup */
26685 spin_lock_irqsave(&serial->serial_lock, flags);
26686 - if (serial->open_count)
26687 + if (atomic_read(&serial->open_count))
26688 _hso_serial_set_termios(tty, old);
26689 else
26690 tty->termios = old;
26691 @@ -1913,7 +1912,7 @@ static void intr_callback(struct urb *ur
26692 D1("Pending read interrupt on port %d\n", i);
26693 spin_lock(&serial->serial_lock);
26694 if (serial->rx_state == RX_IDLE &&
26695 - serial->open_count > 0) {
26696 + atomic_read(&serial->open_count) > 0) {
26697 /* Setup and send a ctrl req read on
26698 * port i */
26699 if (!serial->rx_urb_filled[0]) {
26700 @@ -3105,7 +3104,7 @@ static int hso_resume(struct usb_interfa
26701 /* Start all serial ports */
26702 for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) {
26703 if (serial_table[i] && (serial_table[i]->interface == iface)) {
26704 - if (dev2ser(serial_table[i])->open_count) {
26705 + if (atomic_read(&dev2ser(serial_table[i])->open_count)) {
26706 result =
26707 hso_start_serial_device(serial_table[i], GFP_NOIO);
26708 hso_kick_transmit(dev2ser(serial_table[i]));
26709 diff -urNp linux-2.6.37/drivers/net/wireless/b43/debugfs.c linux-2.6.37/drivers/net/wireless/b43/debugfs.c
26710 --- linux-2.6.37/drivers/net/wireless/b43/debugfs.c 2011-01-04 19:50:19.000000000 -0500
26711 +++ linux-2.6.37/drivers/net/wireless/b43/debugfs.c 2011-01-17 02:41:01.000000000 -0500
26712 @@ -43,7 +43,7 @@ static struct dentry *rootdir;
26713 struct b43_debugfs_fops {
26714 ssize_t (*read)(struct b43_wldev *dev, char *buf, size_t bufsize);
26715 int (*write)(struct b43_wldev *dev, const char *buf, size_t count);
26716 - struct file_operations fops;
26717 + const struct file_operations fops;
26718 /* Offset of struct b43_dfs_file in struct b43_dfsentry */
26719 size_t file_struct_offset;
26720 };
26721 diff -urNp linux-2.6.37/drivers/net/wireless/b43legacy/debugfs.c linux-2.6.37/drivers/net/wireless/b43legacy/debugfs.c
26722 --- linux-2.6.37/drivers/net/wireless/b43legacy/debugfs.c 2011-01-04 19:50:19.000000000 -0500
26723 +++ linux-2.6.37/drivers/net/wireless/b43legacy/debugfs.c 2011-01-17 02:41:01.000000000 -0500
26724 @@ -44,7 +44,7 @@ static struct dentry *rootdir;
26725 struct b43legacy_debugfs_fops {
26726 ssize_t (*read)(struct b43legacy_wldev *dev, char *buf, size_t bufsize);
26727 int (*write)(struct b43legacy_wldev *dev, const char *buf, size_t count);
26728 - struct file_operations fops;
26729 + const struct file_operations fops;
26730 /* Offset of struct b43legacy_dfs_file in struct b43legacy_dfsentry */
26731 size_t file_struct_offset;
26732 /* Take wl->irq_lock before calling read/write? */
26733 diff -urNp linux-2.6.37/drivers/net/wireless/iwlwifi/iwl-debug.h linux-2.6.37/drivers/net/wireless/iwlwifi/iwl-debug.h
26734 --- linux-2.6.37/drivers/net/wireless/iwlwifi/iwl-debug.h 2011-01-04 19:50:19.000000000 -0500
26735 +++ linux-2.6.37/drivers/net/wireless/iwlwifi/iwl-debug.h 2011-01-17 02:41:01.000000000 -0500
26736 @@ -68,8 +68,8 @@ do {
26737 } while (0)
26738
26739 #else
26740 -#define IWL_DEBUG(__priv, level, fmt, args...)
26741 -#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...)
26742 +#define IWL_DEBUG(__priv, level, fmt, args...) do {} while (0)
26743 +#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...) do {} while (0)
26744 static inline void iwl_print_hex_dump(struct iwl_priv *priv, int level,
26745 const void *p, u32 len)
26746 {}
26747 diff -urNp linux-2.6.37/drivers/net/wireless/libertas/debugfs.c linux-2.6.37/drivers/net/wireless/libertas/debugfs.c
26748 --- linux-2.6.37/drivers/net/wireless/libertas/debugfs.c 2011-01-04 19:50:19.000000000 -0500
26749 +++ linux-2.6.37/drivers/net/wireless/libertas/debugfs.c 2011-01-17 02:41:01.000000000 -0500
26750 @@ -702,7 +702,7 @@ out_unlock:
26751 struct lbs_debugfs_files {
26752 const char *name;
26753 int perm;
26754 - struct file_operations fops;
26755 + const struct file_operations fops;
26756 };
26757
26758 static const struct lbs_debugfs_files debugfs_files[] = {
26759 diff -urNp linux-2.6.37/drivers/net/wireless/rndis_wlan.c linux-2.6.37/drivers/net/wireless/rndis_wlan.c
26760 --- linux-2.6.37/drivers/net/wireless/rndis_wlan.c 2011-01-04 19:50:19.000000000 -0500
26761 +++ linux-2.6.37/drivers/net/wireless/rndis_wlan.c 2011-01-17 02:41:01.000000000 -0500
26762 @@ -1236,7 +1236,7 @@ static int set_rts_threshold(struct usbn
26763
26764 netdev_dbg(usbdev->net, "%s(): %i\n", __func__, rts_threshold);
26765
26766 - if (rts_threshold < 0 || rts_threshold > 2347)
26767 + if (rts_threshold > 2347)
26768 rts_threshold = 2347;
26769
26770 tmp = cpu_to_le32(rts_threshold);
26771 diff -urNp linux-2.6.37/drivers/oprofile/buffer_sync.c linux-2.6.37/drivers/oprofile/buffer_sync.c
26772 --- linux-2.6.37/drivers/oprofile/buffer_sync.c 2011-01-04 19:50:19.000000000 -0500
26773 +++ linux-2.6.37/drivers/oprofile/buffer_sync.c 2011-01-17 02:41:01.000000000 -0500
26774 @@ -342,7 +342,7 @@ static void add_data(struct op_entry *en
26775 if (cookie == NO_COOKIE)
26776 offset = pc;
26777 if (cookie == INVALID_COOKIE) {
26778 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
26779 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
26780 offset = pc;
26781 }
26782 if (cookie != last_cookie) {
26783 @@ -386,14 +386,14 @@ add_sample(struct mm_struct *mm, struct
26784 /* add userspace sample */
26785
26786 if (!mm) {
26787 - atomic_inc(&oprofile_stats.sample_lost_no_mm);
26788 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm);
26789 return 0;
26790 }
26791
26792 cookie = lookup_dcookie(mm, s->eip, &offset);
26793
26794 if (cookie == INVALID_COOKIE) {
26795 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
26796 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
26797 return 0;
26798 }
26799
26800 @@ -562,7 +562,7 @@ void sync_buffer(int cpu)
26801 /* ignore backtraces if failed to add a sample */
26802 if (state == sb_bt_start) {
26803 state = sb_bt_ignore;
26804 - atomic_inc(&oprofile_stats.bt_lost_no_mapping);
26805 + atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping);
26806 }
26807 }
26808 release_mm(mm);
26809 diff -urNp linux-2.6.37/drivers/oprofile/event_buffer.c linux-2.6.37/drivers/oprofile/event_buffer.c
26810 --- linux-2.6.37/drivers/oprofile/event_buffer.c 2011-01-04 19:50:19.000000000 -0500
26811 +++ linux-2.6.37/drivers/oprofile/event_buffer.c 2011-01-17 02:41:01.000000000 -0500
26812 @@ -53,7 +53,7 @@ void add_event_entry(unsigned long value
26813 }
26814
26815 if (buffer_pos == buffer_size) {
26816 - atomic_inc(&oprofile_stats.event_lost_overflow);
26817 + atomic_inc_unchecked(&oprofile_stats.event_lost_overflow);
26818 return;
26819 }
26820
26821 diff -urNp linux-2.6.37/drivers/oprofile/oprof.c linux-2.6.37/drivers/oprofile/oprof.c
26822 --- linux-2.6.37/drivers/oprofile/oprof.c 2011-01-04 19:50:19.000000000 -0500
26823 +++ linux-2.6.37/drivers/oprofile/oprof.c 2011-01-17 02:41:01.000000000 -0500
26824 @@ -110,7 +110,7 @@ static void switch_worker(struct work_st
26825 if (oprofile_ops.switch_events())
26826 return;
26827
26828 - atomic_inc(&oprofile_stats.multiplex_counter);
26829 + atomic_inc_unchecked(&oprofile_stats.multiplex_counter);
26830 start_switch_worker();
26831 }
26832
26833 diff -urNp linux-2.6.37/drivers/oprofile/oprofilefs.c linux-2.6.37/drivers/oprofile/oprofilefs.c
26834 --- linux-2.6.37/drivers/oprofile/oprofilefs.c 2011-01-04 19:50:19.000000000 -0500
26835 +++ linux-2.6.37/drivers/oprofile/oprofilefs.c 2011-01-17 02:41:01.000000000 -0500
26836 @@ -186,7 +186,7 @@ static const struct file_operations atom
26837
26838
26839 int oprofilefs_create_ro_atomic(struct super_block *sb, struct dentry *root,
26840 - char const *name, atomic_t *val)
26841 + char const *name, atomic_unchecked_t *val)
26842 {
26843 return __oprofilefs_create_file(sb, root, name,
26844 &atomic_ro_fops, 0444, val);
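Review bot: Changing the `val` parameter of oprofilefs_create_ro_atomic() to `atomic_unchecked_t *` only alters what is handed to `__oprofilefs_create_file` as an opaque pointer; the read handler behind `atomic_ro_fops` is outside this hunk and must now cast `file->private_data` to `atomic_unchecked_t *` and read it with `atomic_read_unchecked()`, otherwise the signature change is cosmetic and the counters converted in the other oprofile hunks are read through the checked accessor. Worth confirming that handler was updated in the part of the patch not shown here.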
26845 diff -urNp linux-2.6.37/drivers/oprofile/oprofile_stats.c linux-2.6.37/drivers/oprofile/oprofile_stats.c
26846 --- linux-2.6.37/drivers/oprofile/oprofile_stats.c 2011-01-04 19:50:19.000000000 -0500
26847 +++ linux-2.6.37/drivers/oprofile/oprofile_stats.c 2011-01-17 02:41:01.000000000 -0500
26848 @@ -30,11 +30,11 @@ void oprofile_reset_stats(void)
26849 cpu_buf->sample_invalid_eip = 0;
26850 }
26851
26852 - atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
26853 - atomic_set(&oprofile_stats.sample_lost_no_mapping, 0);
26854 - atomic_set(&oprofile_stats.event_lost_overflow, 0);
26855 - atomic_set(&oprofile_stats.bt_lost_no_mapping, 0);
26856 - atomic_set(&oprofile_stats.multiplex_counter, 0);
26857 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0);
26858 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0);
26859 + atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0);
26860 + atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0);
26861 + atomic_set_unchecked(&oprofile_stats.multiplex_counter, 0);
26862 }
26863
26864
26865 diff -urNp linux-2.6.37/drivers/oprofile/oprofile_stats.h linux-2.6.37/drivers/oprofile/oprofile_stats.h
26866 --- linux-2.6.37/drivers/oprofile/oprofile_stats.h 2011-01-04 19:50:19.000000000 -0500
26867 +++ linux-2.6.37/drivers/oprofile/oprofile_stats.h 2011-01-17 02:41:01.000000000 -0500
26868 @@ -13,11 +13,11 @@
26869 #include <asm/atomic.h>
26870
26871 struct oprofile_stat_struct {
26872 - atomic_t sample_lost_no_mm;
26873 - atomic_t sample_lost_no_mapping;
26874 - atomic_t bt_lost_no_mapping;
26875 - atomic_t event_lost_overflow;
26876 - atomic_t multiplex_counter;
26877 + atomic_unchecked_t sample_lost_no_mm;
26878 + atomic_unchecked_t sample_lost_no_mapping;
26879 + atomic_unchecked_t bt_lost_no_mapping;
26880 + atomic_unchecked_t event_lost_overflow;
26881 + atomic_unchecked_t multiplex_counter;
26882 };
26883
26884 extern struct oprofile_stat_struct oprofile_stats;
26885 diff -urNp linux-2.6.37/drivers/parport/procfs.c linux-2.6.37/drivers/parport/procfs.c
26886 --- linux-2.6.37/drivers/parport/procfs.c 2011-01-04 19:50:19.000000000 -0500
26887 +++ linux-2.6.37/drivers/parport/procfs.c 2011-01-17 02:41:01.000000000 -0500
26888 @@ -64,7 +64,7 @@ static int do_active_device(ctl_table *t
26889
26890 *ppos += len;
26891
26892 - return copy_to_user(result, buffer, len) ? -EFAULT : 0;
26893 + return (len > sizeof buffer || copy_to_user(result, buffer, len)) ? -EFAULT : 0;
26894 }
26895
26896 #ifdef CONFIG_PARPORT_1284
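Review bot: In do_active_device the new `len > sizeof buffer` rejection sits after `*ppos += len;` three lines above, so a request rejected with -EFAULT has already advanced the file position. Move the bound test ahead of the position update, `if (len > sizeof buffer) return -EFAULT;` before `*ppos += len;`, or note why an over-long len cannot reach this point if the code that fills buffer (outside the hunk) already bounds it. The -106 hunk in do_autoprobe has the same ordering.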
26897 @@ -106,7 +106,7 @@ static int do_autoprobe(ctl_table *table
26898
26899 *ppos += len;
26900
26901 - return copy_to_user (result, buffer, len) ? -EFAULT : 0;
26902 + return (len > sizeof buffer || copy_to_user (result, buffer, len)) ? -EFAULT : 0;
26903 }
26904 #endif /* IEEE1284.3 support. */
26905
26906 diff -urNp linux-2.6.37/drivers/pci/hotplug/acpiphp_glue.c linux-2.6.37/drivers/pci/hotplug/acpiphp_glue.c
26907 --- linux-2.6.37/drivers/pci/hotplug/acpiphp_glue.c 2011-01-04 19:50:19.000000000 -0500
26908 +++ linux-2.6.37/drivers/pci/hotplug/acpiphp_glue.c 2011-01-17 02:41:01.000000000 -0500
26909 @@ -110,7 +110,7 @@ static int post_dock_fixups(struct notif
26910 }
26911
26912
26913 -static struct acpi_dock_ops acpiphp_dock_ops = {
26914 +static const struct acpi_dock_ops acpiphp_dock_ops = {
26915 .handler = handle_hotplug_event_func,
26916 };
26917
26918 diff -urNp linux-2.6.37/drivers/pci/hotplug/cpqphp_nvram.c linux-2.6.37/drivers/pci/hotplug/cpqphp_nvram.c
26919 --- linux-2.6.37/drivers/pci/hotplug/cpqphp_nvram.c 2011-01-04 19:50:19.000000000 -0500
26920 +++ linux-2.6.37/drivers/pci/hotplug/cpqphp_nvram.c 2011-01-17 02:41:01.000000000 -0500
26921 @@ -428,9 +428,13 @@ static u32 store_HRT (void __iomem *rom_
26922
26923 void compaq_nvram_init (void __iomem *rom_start)
26924 {
26925 +
26926 +#ifndef CONFIG_PAX_KERNEXEC
26927 if (rom_start) {
26928 compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
26929 }
26930 +#endif
26931 +
26932 dbg("int15 entry = %p\n", compaq_int15_entry_point);
26933
26934 /* initialize our int15 lock */
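Review bot: The new `#ifndef CONFIG_PAX_KERNEXEC` around the assignment of `compaq_int15_entry_point` has no comment, so a reader cannot tell whether leaving it unset is deliberate, and the `dbg()` line below then prints whatever the variable's initial value is. Add a line such as `/* CONFIG_PAX_KERNEXEC: the int15 entry is deliberately left unset; callers must treat a NULL entry point as "no BIOS support" */`, and confirm that the code calling through compaq_int15_entry_point (outside this hunk) actually checks for NULL, since under KERNEXEC it will never be populated.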
26935 diff -urNp linux-2.6.37/drivers/pci/intel-iommu.c linux-2.6.37/drivers/pci/intel-iommu.c
26936 --- linux-2.6.37/drivers/pci/intel-iommu.c 2011-01-04 19:50:19.000000000 -0500
26937 +++ linux-2.6.37/drivers/pci/intel-iommu.c 2011-01-17 02:41:01.000000000 -0500
26938 @@ -2934,7 +2934,7 @@ static int intel_mapping_error(struct de
26939 return !dma_addr;
26940 }
26941
26942 -struct dma_map_ops intel_dma_ops = {
26943 +const struct dma_map_ops intel_dma_ops = {
26944 .alloc_coherent = intel_alloc_coherent,
26945 .free_coherent = intel_free_coherent,
26946 .map_sg = intel_map_sg,
26947 diff -urNp linux-2.6.37/drivers/pci/pcie/portdrv_pci.c linux-2.6.37/drivers/pci/pcie/portdrv_pci.c
26948 --- linux-2.6.37/drivers/pci/pcie/portdrv_pci.c 2011-01-04 19:50:19.000000000 -0500
26949 +++ linux-2.6.37/drivers/pci/pcie/portdrv_pci.c 2011-01-17 02:41:01.000000000 -0500
26950 @@ -276,7 +276,7 @@ static void pcie_portdrv_err_resume(stru
26951 static const struct pci_device_id port_pci_ids[] = { {
26952 /* handle any PCI-Express port */
26953 PCI_DEVICE_CLASS(((PCI_CLASS_BRIDGE_PCI << 8) | 0x00), ~0),
26954 - }, { /* end: all zeroes */ }
26955 + }, { 0, 0, 0, 0, 0, 0, 0 }
26956 };
26957 MODULE_DEVICE_TABLE(pci, port_pci_ids);
26958
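Review bot: The sentinel `{ 0, 0, 0, 0, 0, 0, 0 }` that replaces the empty initializer is a positional initializer hard-wired to struct pci_device_id currently having seven members; it is harder to read than the empty form and must be edited if the struct ever changes. If the intent is to silence a missing-field-initializer warning, which is the only reason I can see, `{ 0 }` gives the same all-zero result without the layout dependency: `}, { 0 }`. The same replacement appears in drivers/pcmcia/ti113x.h (ene_tune_tbl) and drivers/pcmcia/yenta_socket.c (yenta_table).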
26959 diff -urNp linux-2.6.37/drivers/pci/probe.c linux-2.6.37/drivers/pci/probe.c
26960 --- linux-2.6.37/drivers/pci/probe.c 2011-01-04 19:50:19.000000000 -0500
26961 +++ linux-2.6.37/drivers/pci/probe.c 2011-01-17 02:41:01.000000000 -0500
26962 @@ -62,14 +62,14 @@ static ssize_t pci_bus_show_cpuaffinity(
26963 return ret;
26964 }
26965
26966 -static ssize_t inline pci_bus_show_cpumaskaffinity(struct device *dev,
26967 +static inline ssize_t pci_bus_show_cpumaskaffinity(struct device *dev,
26968 struct device_attribute *attr,
26969 char *buf)
26970 {
26971 return pci_bus_show_cpuaffinity(dev, 0, attr, buf);
26972 }
26973
26974 -static ssize_t inline pci_bus_show_cpulistaffinity(struct device *dev,
26975 +static inline ssize_t pci_bus_show_cpulistaffinity(struct device *dev,
26976 struct device_attribute *attr,
26977 char *buf)
26978 {
26979 @@ -165,7 +165,7 @@ int __pci_read_base(struct pci_dev *dev,
26980 u32 l, sz, mask;
26981 u16 orig_cmd;
26982
26983 - mask = type ? PCI_ROM_ADDRESS_MASK : ~0;
26984 + mask = type ? (u32)PCI_ROM_ADDRESS_MASK : ~0;
26985
26986 if (!dev->mmio_always_on) {
26987 pci_read_config_word(dev, PCI_COMMAND, &orig_cmd);
26988 diff -urNp linux-2.6.37/drivers/pci/proc.c linux-2.6.37/drivers/pci/proc.c
26989 --- linux-2.6.37/drivers/pci/proc.c 2011-01-04 19:50:19.000000000 -0500
26990 +++ linux-2.6.37/drivers/pci/proc.c 2011-01-17 02:41:01.000000000 -0500
26991 @@ -476,7 +476,16 @@ static const struct file_operations proc
26992 static int __init pci_proc_init(void)
26993 {
26994 struct pci_dev *dev = NULL;
26995 +
26996 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
26997 +#ifdef CONFIG_GRKERNSEC_PROC_USER
26998 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
26999 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
27000 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
27001 +#endif
27002 +#else
27003 proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
27004 +#endif
27005 proc_create("devices", 0, proc_bus_pci_dir,
27006 &proc_bus_pci_dev_operations);
27007 proc_initialized = 1;
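Review bot: The CONFIG_GRKERNSEC_PROC_ADD ladder in pci_proc_init has no fallback: if PROC_ADD is set but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP is, `proc_bus_pci_dir` is never assigned and the following `proc_create("devices", 0, proc_bus_pci_dir, ...)` registers the entry under /proc with a NULL parent. Unless Kconfig guarantees one of the two is selected whenever PROC_ADD is, add an inner `#else` that falls back to `proc_mkdir("bus/pci", NULL)`, or an `#error` naming the missing option, so a misconfiguration fails loudly instead of silently widening visibility.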
27008 diff -urNp linux-2.6.37/drivers/pcmcia/ti113x.h linux-2.6.37/drivers/pcmcia/ti113x.h
27009 --- linux-2.6.37/drivers/pcmcia/ti113x.h 2011-01-04 19:50:19.000000000 -0500
27010 +++ linux-2.6.37/drivers/pcmcia/ti113x.h 2011-01-17 02:41:01.000000000 -0500
27011 @@ -936,7 +936,7 @@ static struct pci_device_id ene_tune_tbl
27012 DEVID(PCI_VENDOR_ID_MOTOROLA, 0x3410, 0xECC0, PCI_ANY_ID,
27013 ENE_TEST_C9_TLTENABLE | ENE_TEST_C9_PFENABLE, ENE_TEST_C9_TLTENABLE),
27014
27015 - {}
27016 + { 0, 0, 0, 0, 0, 0, 0 }
27017 };
27018
27019 static void ene_tune_bridge(struct pcmcia_socket *sock, struct pci_bus *bus)
27020 diff -urNp linux-2.6.37/drivers/pcmcia/yenta_socket.c linux-2.6.37/drivers/pcmcia/yenta_socket.c
27021 --- linux-2.6.37/drivers/pcmcia/yenta_socket.c 2011-01-04 19:50:19.000000000 -0500
27022 +++ linux-2.6.37/drivers/pcmcia/yenta_socket.c 2011-01-17 02:41:01.000000000 -0500
27023 @@ -1426,7 +1426,7 @@ static struct pci_device_id yenta_table[
27024
27025 /* match any cardbus bridge */
27026 CB_ID(PCI_ANY_ID, PCI_ANY_ID, DEFAULT),
27027 - { /* all zeroes */ }
27028 + { 0, 0, 0, 0, 0, 0, 0 }
27029 };
27030 MODULE_DEVICE_TABLE(pci, yenta_table);
27031
27032 diff -urNp linux-2.6.37/drivers/platform/x86/acer-wmi.c linux-2.6.37/drivers/platform/x86/acer-wmi.c
27033 --- linux-2.6.37/drivers/platform/x86/acer-wmi.c 2011-01-04 19:50:19.000000000 -0500
27034 +++ linux-2.6.37/drivers/platform/x86/acer-wmi.c 2011-01-17 02:41:01.000000000 -0500
27035 @@ -915,7 +915,7 @@ static int update_bl_status(struct backl
27036 return 0;
27037 }
27038
27039 -static struct backlight_ops acer_bl_ops = {
27040 +static const struct backlight_ops acer_bl_ops = {
27041 .get_brightness = read_brightness,
27042 .update_status = update_bl_status,
27043 };
27044 diff -urNp linux-2.6.37/drivers/platform/x86/asus_acpi.c linux-2.6.37/drivers/platform/x86/asus_acpi.c
27045 --- linux-2.6.37/drivers/platform/x86/asus_acpi.c 2011-01-04 19:50:19.000000000 -0500
27046 +++ linux-2.6.37/drivers/platform/x86/asus_acpi.c 2011-01-17 02:41:01.000000000 -0500
27047 @@ -1467,7 +1467,7 @@ static int asus_hotk_remove(struct acpi_
27048 return 0;
27049 }
27050
27051 -static struct backlight_ops asus_backlight_data = {
27052 +static const struct backlight_ops asus_backlight_data = {
27053 .get_brightness = read_brightness,
27054 .update_status = set_brightness_status,
27055 };
27056 diff -urNp linux-2.6.37/drivers/platform/x86/asus-laptop.c linux-2.6.37/drivers/platform/x86/asus-laptop.c
27057 --- linux-2.6.37/drivers/platform/x86/asus-laptop.c 2011-01-04 19:50:19.000000000 -0500
27058 +++ linux-2.6.37/drivers/platform/x86/asus-laptop.c 2011-01-17 02:41:01.000000000 -0500
27059 @@ -243,7 +243,6 @@ struct asus_laptop {
27060 struct asus_led gled;
27061 struct asus_led kled;
27062 struct workqueue_struct *led_workqueue;
27063 -
27064 int wireless_status;
27065 bool have_rsts;
27066 int lcd_state;
27067 @@ -640,7 +639,7 @@ static int update_bl_status(struct backl
27068 return asus_lcd_set(asus, value);
27069 }
27070
27071 -static struct backlight_ops asusbl_ops = {
27072 +static const struct backlight_ops asusbl_ops = {
27073 .get_brightness = asus_read_brightness,
27074 .update_status = update_bl_status,
27075 };
27076 diff -urNp linux-2.6.37/drivers/platform/x86/dell-laptop.c linux-2.6.37/drivers/platform/x86/dell-laptop.c
27077 --- linux-2.6.37/drivers/platform/x86/dell-laptop.c 2011-01-04 19:50:19.000000000 -0500
27078 +++ linux-2.6.37/drivers/platform/x86/dell-laptop.c 2011-01-17 02:41:01.000000000 -0500
27079 @@ -546,7 +546,7 @@ out:
27080 return buffer->output[1];
27081 }
27082
27083 -static struct backlight_ops dell_ops = {
27084 +static const struct backlight_ops dell_ops = {
27085 .get_brightness = dell_get_intensity,
27086 .update_status = dell_send_intensity,
27087 };
27088 diff -urNp linux-2.6.37/drivers/platform/x86/eeepc-laptop.c linux-2.6.37/drivers/platform/x86/eeepc-laptop.c
27089 --- linux-2.6.37/drivers/platform/x86/eeepc-laptop.c 2011-01-04 19:50:19.000000000 -0500
27090 +++ linux-2.6.37/drivers/platform/x86/eeepc-laptop.c 2011-01-17 02:41:01.000000000 -0500
27091 @@ -1115,7 +1115,7 @@ static int update_bl_status(struct backl
27092 return set_brightness(bd, bd->props.brightness);
27093 }
27094
27095 -static struct backlight_ops eeepcbl_ops = {
27096 +static const struct backlight_ops eeepcbl_ops = {
27097 .get_brightness = read_brightness,
27098 .update_status = update_bl_status,
27099 };
27100 diff -urNp linux-2.6.37/drivers/platform/x86/fujitsu-laptop.c linux-2.6.37/drivers/platform/x86/fujitsu-laptop.c
27101 --- linux-2.6.37/drivers/platform/x86/fujitsu-laptop.c 2011-01-04 19:50:19.000000000 -0500
27102 +++ linux-2.6.37/drivers/platform/x86/fujitsu-laptop.c 2011-01-17 02:41:01.000000000 -0500
27103 @@ -437,7 +437,7 @@ static int bl_update_status(struct backl
27104 return ret;
27105 }
27106
27107 -static struct backlight_ops fujitsubl_ops = {
27108 +static const struct backlight_ops fujitsubl_ops = {
27109 .get_brightness = bl_get_brightness,
27110 .update_status = bl_update_status,
27111 };
27112 diff -urNp linux-2.6.37/drivers/platform/x86/sony-laptop.c linux-2.6.37/drivers/platform/x86/sony-laptop.c
27113 --- linux-2.6.37/drivers/platform/x86/sony-laptop.c 2011-01-04 19:50:19.000000000 -0500
27114 +++ linux-2.6.37/drivers/platform/x86/sony-laptop.c 2011-01-17 02:41:01.000000000 -0500
27115 @@ -856,7 +856,7 @@ static int sony_backlight_get_brightness
27116 }
27117
27118 static struct backlight_device *sony_backlight_device;
27119 -static struct backlight_ops sony_backlight_ops = {
27120 +static const struct backlight_ops sony_backlight_ops = {
27121 .update_status = sony_backlight_update_status,
27122 .get_brightness = sony_backlight_get_brightness,
27123 };
27124 diff -urNp linux-2.6.37/drivers/platform/x86/thinkpad_acpi.c linux-2.6.37/drivers/platform/x86/thinkpad_acpi.c
27125 --- linux-2.6.37/drivers/platform/x86/thinkpad_acpi.c 2011-01-04 19:50:19.000000000 -0500
27126 +++ linux-2.6.37/drivers/platform/x86/thinkpad_acpi.c 2011-01-17 02:41:01.000000000 -0500
27127 @@ -6109,7 +6109,7 @@ static void tpacpi_brightness_notify_cha
27128 BACKLIGHT_UPDATE_HOTKEY);
27129 }
27130
27131 -static struct backlight_ops ibm_backlight_data = {
27132 +static const struct backlight_ops ibm_backlight_data = {
27133 .get_brightness = brightness_get,
27134 .update_status = brightness_update_status,
27135 };
27136 diff -urNp linux-2.6.37/drivers/platform/x86/toshiba_acpi.c linux-2.6.37/drivers/platform/x86/toshiba_acpi.c
27137 --- linux-2.6.37/drivers/platform/x86/toshiba_acpi.c 2011-01-04 19:50:19.000000000 -0500
27138 +++ linux-2.6.37/drivers/platform/x86/toshiba_acpi.c 2011-01-17 02:41:01.000000000 -0500
27139 @@ -841,7 +841,7 @@ static void remove_toshiba_proc_entries(
27140 remove_proc_entry("version", toshiba_proc_dir);
27141 }
27142
27143 -static struct backlight_ops toshiba_backlight_data = {
27144 +static const struct backlight_ops toshiba_backlight_data = {
27145 .get_brightness = get_lcd,
27146 .update_status = set_lcd_status,
27147 };
27148 diff -urNp linux-2.6.37/drivers/pnp/pnpbios/bioscalls.c linux-2.6.37/drivers/pnp/pnpbios/bioscalls.c
27149 --- linux-2.6.37/drivers/pnp/pnpbios/bioscalls.c 2011-01-04 19:50:19.000000000 -0500
27150 +++ linux-2.6.37/drivers/pnp/pnpbios/bioscalls.c 2011-01-17 02:41:01.000000000 -0500
27151 @@ -59,7 +59,7 @@ do { \
27152 set_desc_limit(&gdt[(selname) >> 3], (size) - 1); \
27153 } while(0)
27154
27155 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
27156 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
27157 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
27158
27159 /*
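Review bot: The descriptor type byte of `bad_bios_desc` changes from 0x4092 to 0x4093 without a comment, and nothing in the hunk says why the low bit of the type field is now set. That bit is the descriptor's accessed flag; presumably it is pre-set so that loading the segment never makes the CPU write the GDT entry now that the table is written only inside pax_open_kernel()/pax_close_kernel() windows in the hunks below, but that is an inference from this diff, not something it states. A one-line comment would spare the next reader the archaeology: `/* accessed bit pre-set: the GDT is write-protected, so a segment load must not need to write it */`.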
27160 @@ -96,7 +96,10 @@ static inline u16 call_pnp_bios(u16 func
27161
27162 cpu = get_cpu();
27163 save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
27164 +
27165 + pax_open_kernel();
27166 get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
27167 + pax_close_kernel();
27168
27169 /* On some boxes IRQ's during PnP BIOS calls are deadly. */
27170 spin_lock_irqsave(&pnp_bios_lock, flags);
27171 @@ -134,7 +137,10 @@ static inline u16 call_pnp_bios(u16 func
27172 :"memory");
27173 spin_unlock_irqrestore(&pnp_bios_lock, flags);
27174
27175 + pax_open_kernel();
27176 get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
27177 + pax_close_kernel();
27178 +
27179 put_cpu();
27180
27181 /* If we get here and this is set then the PnP BIOS faulted on us. */
27182 @@ -468,7 +474,7 @@ int pnp_bios_read_escd(char *data, u32 n
27183 return status;
27184 }
27185
27186 -void pnpbios_calls_init(union pnp_bios_install_struct *header)
27187 +void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
27188 {
27189 int i;
27190
27191 @@ -476,6 +482,8 @@ void pnpbios_calls_init(union pnp_bios_i
27192 pnp_bios_callpoint.offset = header->fields.pm16offset;
27193 pnp_bios_callpoint.segment = PNP_CS16;
27194
27195 + pax_open_kernel();
27196 +
27197 for_each_possible_cpu(i) {
27198 struct desc_struct *gdt = get_cpu_gdt_table(i);
27199 if (!gdt)
27200 @@ -487,4 +495,6 @@ void pnpbios_calls_init(union pnp_bios_i
27201 set_desc_base(&gdt[GDT_ENTRY_PNPBIOS_DS],
27202 (unsigned long)__va(header->fields.pm16dseg));
27203 }
27204 +
27205 + pax_close_kernel();
27206 }
27207 diff -urNp linux-2.6.37/drivers/pnp/quirks.c linux-2.6.37/drivers/pnp/quirks.c
27208 --- linux-2.6.37/drivers/pnp/quirks.c 2011-01-04 19:50:19.000000000 -0500
27209 +++ linux-2.6.37/drivers/pnp/quirks.c 2011-01-17 02:41:01.000000000 -0500
27210 @@ -322,7 +322,7 @@ static struct pnp_fixup pnp_fixups[] = {
27211 /* PnP resources that might overlap PCI BARs */
27212 {"PNP0c01", quirk_system_pci_resources},
27213 {"PNP0c02", quirk_system_pci_resources},
27214 - {""}
27215 + {"", NULL}
27216 };
27217
27218 void pnp_fixup_device(struct pnp_dev *dev)
27219 diff -urNp linux-2.6.37/drivers/pnp/resource.c linux-2.6.37/drivers/pnp/resource.c
27220 --- linux-2.6.37/drivers/pnp/resource.c 2011-01-04 19:50:19.000000000 -0500
27221 +++ linux-2.6.37/drivers/pnp/resource.c 2011-01-17 02:41:01.000000000 -0500
27222 @@ -360,7 +360,7 @@ int pnp_check_irq(struct pnp_dev *dev, s
27223 return 1;
27224
27225 /* check if the resource is valid */
27226 - if (*irq < 0 || *irq > 15)
27227 + if (*irq > 15)
27228 return 0;
27229
27230 /* check if the resource is reserved */
27231 @@ -424,7 +424,7 @@ int pnp_check_dma(struct pnp_dev *dev, s
27232 return 1;
27233
27234 /* check if the resource is valid */
27235 - if (*dma < 0 || *dma == 4 || *dma > 7)
27236 + if (*dma == 4 || *dma > 7)
27237 return 0;
27238
27239 /* check if the resource is reserved */
27240 diff -urNp linux-2.6.37/drivers/rtc/rtc-dev.c linux-2.6.37/drivers/rtc/rtc-dev.c
27241 --- linux-2.6.37/drivers/rtc/rtc-dev.c 2011-01-04 19:50:19.000000000 -0500
27242 +++ linux-2.6.37/drivers/rtc/rtc-dev.c 2011-01-17 02:41:01.000000000 -0500
27243 @@ -14,6 +14,7 @@
27244 #include <linux/module.h>
27245 #include <linux/rtc.h>
27246 #include <linux/sched.h>
27247 +#include <linux/grsecurity.h>
27248 #include "rtc-core.h"
27249
27250 static dev_t rtc_devt;
27251 @@ -357,6 +358,8 @@ static long rtc_dev_ioctl(struct file *f
27252 if (copy_from_user(&tm, uarg, sizeof(tm)))
27253 return -EFAULT;
27254
27255 + gr_log_timechange();
27256 +
27257 return rtc_set_time(rtc, &tm);
27258
27259 case RTC_PIE_ON:
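Review bot: `gr_log_timechange()` runs before rtc_set_time(), so an RTC_SET_TIME request the driver then rejects is logged exactly like a successful clock change. If the audit record is meant to reflect clock changes rather than attempts, capture the result first, e.g. `err = rtc_set_time(rtc, &tm); if (!err) gr_log_timechange(); return err;`. If logging every attempt is the intent, a comment beside the call saying so would stop someone from "fixing" it later. Any privilege check guarding this ioctl branch is outside the hunk, so I cannot tell whether unprivileged attempts can reach this log call.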
27260 diff -urNp linux-2.6.37/drivers/s390/cio/qdio_debug.c linux-2.6.37/drivers/s390/cio/qdio_debug.c
27261 --- linux-2.6.37/drivers/s390/cio/qdio_debug.c 2011-01-04 19:50:19.000000000 -0500
27262 +++ linux-2.6.37/drivers/s390/cio/qdio_debug.c 2011-01-17 02:41:01.000000000 -0500
27263 @@ -224,7 +224,7 @@ static int qperf_seq_open(struct inode *
27264 filp->f_path.dentry->d_inode->i_private);
27265 }
27266
27267 -static struct file_operations debugfs_perf_fops = {
27268 +static const struct file_operations debugfs_perf_fops = {
27269 .owner = THIS_MODULE,
27270 .open = qperf_seq_open,
27271 .read = seq_read,
27272 diff -urNp linux-2.6.37/drivers/scsi/hpsa.c linux-2.6.37/drivers/scsi/hpsa.c
27273 --- linux-2.6.37/drivers/scsi/hpsa.c 2011-01-04 19:50:19.000000000 -0500
27274 +++ linux-2.6.37/drivers/scsi/hpsa.c 2011-01-17 02:41:01.000000000 -0500
27275 @@ -2292,6 +2292,8 @@ static int hpsa_ioctl32_passthru(struct
27276 int err;
27277 u32 cp;
27278
27279 + memset(&arg64, 0, sizeof(arg64));
27280 +
27281 err = 0;
27282 err |= copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
27283 sizeof(arg64.LUN_info));
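Review bot: The new `memset(&arg64, 0, sizeof(arg64))` carries no comment explaining why it is needed, which makes it look redundant next to the field-by-field copy_from_user that follows. Presumably arg64 is later copied back to user space, so the padding between fields would otherwise carry uninitialized kernel stack bytes, but that copy-back is outside this hunk. A short comment would protect the fix from a later cleanup: `/* zero padding: arg64 is copied back to user space, so no stack bytes may leak */`. The enclosing hpsa_ioctl32_passthru() starts before and ends after this hunk.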
27284 diff -urNp linux-2.6.37/drivers/scsi/ipr.c linux-2.6.37/drivers/scsi/ipr.c
27285 --- linux-2.6.37/drivers/scsi/ipr.c 2011-01-04 19:50:19.000000000 -0500
27286 +++ linux-2.6.37/drivers/scsi/ipr.c 2011-01-17 02:41:01.000000000 -0500
27287 @@ -6202,7 +6202,7 @@ static bool ipr_qc_fill_rtf(struct ata_q
27288 return true;
27289 }
27290
27291 -static struct ata_port_operations ipr_sata_ops = {
27292 +static const struct ata_port_operations ipr_sata_ops = {
27293 .phy_reset = ipr_ata_phy_reset,
27294 .hardreset = ipr_sata_reset,
27295 .post_internal_cmd = ipr_ata_post_internal,
27296 diff -urNp linux-2.6.37/drivers/scsi/libfc/fc_exch.c linux-2.6.37/drivers/scsi/libfc/fc_exch.c
27297 --- linux-2.6.37/drivers/scsi/libfc/fc_exch.c 2011-01-04 19:50:19.000000000 -0500
27298 +++ linux-2.6.37/drivers/scsi/libfc/fc_exch.c 2011-01-17 02:41:01.000000000 -0500
27299 @@ -100,12 +100,12 @@ struct fc_exch_mgr {
27300 * all together if not used XXX
27301 */
27302 struct {
27303 - atomic_t no_free_exch;
27304 - atomic_t no_free_exch_xid;
27305 - atomic_t xid_not_found;
27306 - atomic_t xid_busy;
27307 - atomic_t seq_not_found;
27308 - atomic_t non_bls_resp;
27309 + atomic_unchecked_t no_free_exch;
27310 + atomic_unchecked_t no_free_exch_xid;
27311 + atomic_unchecked_t xid_not_found;
27312 + atomic_unchecked_t xid_busy;
27313 + atomic_unchecked_t seq_not_found;
27314 + atomic_unchecked_t non_bls_resp;
27315 } stats;
27316 };
27317 #define fc_seq_exch(sp) container_of(sp, struct fc_exch, seq)
27318 @@ -670,7 +670,7 @@ static struct fc_exch *fc_exch_em_alloc(
27319 /* allocate memory for exchange */
27320 ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC);
27321 if (!ep) {
27322 - atomic_inc(&mp->stats.no_free_exch);
27323 + atomic_inc_unchecked(&mp->stats.no_free_exch);
27324 goto out;
27325 }
27326 memset(ep, 0, sizeof(*ep));
27327 @@ -718,7 +718,7 @@ out:
27328 return ep;
27329 err:
27330 spin_unlock_bh(&pool->lock);
27331 - atomic_inc(&mp->stats.no_free_exch_xid);
27332 + atomic_inc_unchecked(&mp->stats.no_free_exch_xid);
27333 mempool_free(ep, mp->ep_pool);
27334 return NULL;
27335 }
27336 @@ -863,7 +863,7 @@ static enum fc_pf_rjt_reason fc_seq_look
27337 xid = ntohs(fh->fh_ox_id); /* we originated exch */
27338 ep = fc_exch_find(mp, xid);
27339 if (!ep) {
27340 - atomic_inc(&mp->stats.xid_not_found);
27341 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27342 reject = FC_RJT_OX_ID;
27343 goto out;
27344 }
27345 @@ -893,7 +893,7 @@ static enum fc_pf_rjt_reason fc_seq_look
27346 ep = fc_exch_find(mp, xid);
27347 if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) {
27348 if (ep) {
27349 - atomic_inc(&mp->stats.xid_busy);
27350 + atomic_inc_unchecked(&mp->stats.xid_busy);
27351 reject = FC_RJT_RX_ID;
27352 goto rel;
27353 }
27354 @@ -904,7 +904,7 @@ static enum fc_pf_rjt_reason fc_seq_look
27355 }
27356 xid = ep->xid; /* get our XID */
27357 } else if (!ep) {
27358 - atomic_inc(&mp->stats.xid_not_found);
27359 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27360 reject = FC_RJT_RX_ID; /* XID not found */
27361 goto out;
27362 }
27363 @@ -921,7 +921,7 @@ static enum fc_pf_rjt_reason fc_seq_look
27364 } else {
27365 sp = &ep->seq;
27366 if (sp->id != fh->fh_seq_id) {
27367 - atomic_inc(&mp->stats.seq_not_found);
27368 + atomic_inc_unchecked(&mp->stats.seq_not_found);
27369 reject = FC_RJT_SEQ_ID; /* sequence/exch should exist */
27370 goto rel;
27371 }
27372 @@ -1338,22 +1338,22 @@ static void fc_exch_recv_seq_resp(struct
27373
27374 ep = fc_exch_find(mp, ntohs(fh->fh_ox_id));
27375 if (!ep) {
27376 - atomic_inc(&mp->stats.xid_not_found);
27377 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27378 goto out;
27379 }
27380 if (ep->esb_stat & ESB_ST_COMPLETE) {
27381 - atomic_inc(&mp->stats.xid_not_found);
27382 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27383 goto out;
27384 }
27385 if (ep->rxid == FC_XID_UNKNOWN)
27386 ep->rxid = ntohs(fh->fh_rx_id);
27387 if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) {
27388 - atomic_inc(&mp->stats.xid_not_found);
27389 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27390 goto rel;
27391 }
27392 if (ep->did != ntoh24(fh->fh_s_id) &&
27393 ep->did != FC_FID_FLOGI) {
27394 - atomic_inc(&mp->stats.xid_not_found);
27395 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27396 goto rel;
27397 }
27398 sof = fr_sof(fp);
27399 @@ -1362,7 +1362,7 @@ static void fc_exch_recv_seq_resp(struct
27400 sp->ssb_stat |= SSB_ST_RESP;
27401 sp->id = fh->fh_seq_id;
27402 } else if (sp->id != fh->fh_seq_id) {
27403 - atomic_inc(&mp->stats.seq_not_found);
27404 + atomic_inc_unchecked(&mp->stats.seq_not_found);
27405 goto rel;
27406 }
27407
27408 @@ -1425,9 +1425,9 @@ static void fc_exch_recv_resp(struct fc_
27409 sp = fc_seq_lookup_orig(mp, fp); /* doesn't hold sequence */
27410
27411 if (!sp)
27412 - atomic_inc(&mp->stats.xid_not_found);
27413 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27414 else
27415 - atomic_inc(&mp->stats.non_bls_resp);
27416 + atomic_inc_unchecked(&mp->stats.non_bls_resp);
27417
27418 fc_frame_free(fp);
27419 }
27420 diff -urNp linux-2.6.37/drivers/scsi/libsas/sas_ata.c linux-2.6.37/drivers/scsi/libsas/sas_ata.c
27421 --- linux-2.6.37/drivers/scsi/libsas/sas_ata.c 2011-01-04 19:50:19.000000000 -0500
27422 +++ linux-2.6.37/drivers/scsi/libsas/sas_ata.c 2011-01-17 02:41:01.000000000 -0500
27423 @@ -348,10 +348,10 @@ static int sas_ata_scr_read(struct ata_l
27424 }
27425 }
27426
27427 -static struct ata_port_operations sas_sata_ops = {
27428 +static const struct ata_port_operations sas_sata_ops = {
27429 .phy_reset = sas_ata_phy_reset,
27430 .post_internal_cmd = sas_ata_post_internal,
27431 - .qc_defer = ata_std_qc_defer,
27432 + .qc_defer = ata_std_qc_defer,
27433 .qc_prep = ata_noop_qc_prep,
27434 .qc_issue = sas_ata_qc_issue,
27435 .qc_fill_rtf = sas_ata_qc_fill_rtf,
27436 diff -urNp linux-2.6.37/drivers/scsi/mpt2sas/mpt2sas_debug.h linux-2.6.37/drivers/scsi/mpt2sas/mpt2sas_debug.h
27437 --- linux-2.6.37/drivers/scsi/mpt2sas/mpt2sas_debug.h 2011-01-04 19:50:19.000000000 -0500
27438 +++ linux-2.6.37/drivers/scsi/mpt2sas/mpt2sas_debug.h 2011-01-17 02:41:01.000000000 -0500
27439 @@ -79,7 +79,7 @@
27440 CMD; \
27441 }
27442 #else
27443 -#define MPT_CHECK_LOGGING(IOC, CMD, BITS)
27444 +#define MPT_CHECK_LOGGING(IOC, CMD, BITS) do {} while (0)
27445 #endif /* CONFIG_SCSI_MPT2SAS_LOGGING */
27446
27447
27448 diff -urNp linux-2.6.37/drivers/scsi/qla2xxx/qla_os.c linux-2.6.37/drivers/scsi/qla2xxx/qla_os.c
27449 --- linux-2.6.37/drivers/scsi/qla2xxx/qla_os.c 2011-01-04 19:50:19.000000000 -0500
27450 +++ linux-2.6.37/drivers/scsi/qla2xxx/qla_os.c 2011-01-17 02:41:01.000000000 -0500
27451 @@ -4083,7 +4083,7 @@ static struct pci_driver qla2xxx_pci_dri
27452 .err_handler = &qla2xxx_err_handler,
27453 };
27454
27455 -static struct file_operations apidev_fops = {
27456 +static const struct file_operations apidev_fops = {
27457 .owner = THIS_MODULE,
27458 .llseek = noop_llseek,
27459 };
27460 diff -urNp linux-2.6.37/drivers/scsi/scsi_logging.h linux-2.6.37/drivers/scsi/scsi_logging.h
27461 --- linux-2.6.37/drivers/scsi/scsi_logging.h 2011-01-04 19:50:19.000000000 -0500
27462 +++ linux-2.6.37/drivers/scsi/scsi_logging.h 2011-01-17 02:41:01.000000000 -0500
27463 @@ -51,7 +51,7 @@ do { \
27464 } while (0); \
27465 } while (0)
27466 #else
27467 -#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD)
27468 +#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD) do {} while (0)
27469 #endif /* CONFIG_SCSI_LOGGING */
27470
27471 /*
27472 diff -urNp linux-2.6.37/drivers/scsi/sg.c linux-2.6.37/drivers/scsi/sg.c
27473 --- linux-2.6.37/drivers/scsi/sg.c 2011-01-04 19:50:19.000000000 -0500
27474 +++ linux-2.6.37/drivers/scsi/sg.c 2011-01-17 02:41:01.000000000 -0500
27475 @@ -2310,7 +2310,7 @@ struct sg_proc_leaf {
27476 const struct file_operations * fops;
27477 };
27478
27479 -static struct sg_proc_leaf sg_proc_leaf_arr[] = {
27480 +static const struct sg_proc_leaf sg_proc_leaf_arr[] = {
27481 {"allow_dio", &adio_fops},
27482 {"debug", &debug_fops},
27483 {"def_reserved_size", &dressz_fops},
27484 @@ -2325,7 +2325,7 @@ sg_proc_init(void)
27485 {
27486 int k, mask;
27487 int num_leaves = ARRAY_SIZE(sg_proc_leaf_arr);
27488 - struct sg_proc_leaf * leaf;
27489 + const struct sg_proc_leaf * leaf;
27490
27491 sg_proc_sgp = proc_mkdir(sg_proc_sg_dirname, NULL);
27492 if (!sg_proc_sgp)
27493 diff -urNp linux-2.6.37/drivers/serial/8250_pci.c linux-2.6.37/drivers/serial/8250_pci.c
27494 --- linux-2.6.37/drivers/serial/8250_pci.c 2011-01-04 19:50:19.000000000 -0500
27495 +++ linux-2.6.37/drivers/serial/8250_pci.c 2011-01-17 02:41:01.000000000 -0500
27496 @@ -3782,7 +3782,7 @@ static struct pci_device_id serial_pci_t
27497 PCI_ANY_ID, PCI_ANY_ID,
27498 PCI_CLASS_COMMUNICATION_MULTISERIAL << 8,
27499 0xffff00, pbn_default },
27500 - { 0, }
27501 + { 0, 0, 0, 0, 0, 0, 0 }
27502 };
27503
27504 static struct pci_driver serial_pci_driver = {
27505 diff -urNp linux-2.6.37/drivers/serial/kgdboc.c linux-2.6.37/drivers/serial/kgdboc.c
27506 --- linux-2.6.37/drivers/serial/kgdboc.c 2011-01-04 19:50:19.000000000 -0500
27507 +++ linux-2.6.37/drivers/serial/kgdboc.c 2011-01-17 02:41:01.000000000 -0500
27508 @@ -22,7 +22,8 @@
27509
27510 #define MAX_CONFIG_LEN 40
27511
27512 -static struct kgdb_io kgdboc_io_ops;
27513 +/* cannot be const, see configure_kgdboc() */
27514 +static struct kgdb_io kgdboc_io_ops;
27515
27516 /* -1 = init not run yet, 0 = unconfigured, 1 = configured. */
27517 static int configured = -1;
27518 @@ -293,6 +294,7 @@ static void kgdboc_post_exp_handler(void
27519 kgdboc_restore_input();
27520 }
27521
27522 +/* cannot be const, see configure_kgdboc() */
27523 static struct kgdb_io kgdboc_io_ops = {
27524 .name = "kgdboc",
27525 .read_char = kgdboc_get_char,
27526 diff -urNp linux-2.6.37/drivers/staging/bcm/Bcmchar.c linux-2.6.37/drivers/staging/bcm/Bcmchar.c
27527 --- linux-2.6.37/drivers/staging/bcm/Bcmchar.c 2011-01-04 19:50:19.000000000 -0500
27528 +++ linux-2.6.37/drivers/staging/bcm/Bcmchar.c 2011-01-17 02:41:01.000000000 -0500
27529 @@ -2386,7 +2386,7 @@ static long bcm_char_ioctl(struct file *
27530 }
27531
27532
27533 -static struct file_operations bcm_fops = {
27534 +static const struct file_operations bcm_fops = {
27535 .owner = THIS_MODULE,
27536 .open = bcm_char_open,
27537 .release = bcm_char_release,
27538 diff -urNp linux-2.6.37/drivers/staging/bcm/InterfaceInit.c linux-2.6.37/drivers/staging/bcm/InterfaceInit.c
27539 --- linux-2.6.37/drivers/staging/bcm/InterfaceInit.c 2011-01-04 19:50:19.000000000 -0500
27540 +++ linux-2.6.37/drivers/staging/bcm/InterfaceInit.c 2011-01-17 02:41:01.000000000 -0500
27541 @@ -157,7 +157,7 @@ VOID ConfigureEndPointTypesThroughEEPROM
27542
27543 }
27544
27545 -static struct file_operations usbbcm_fops = {
27546 +static const struct file_operations usbbcm_fops = {
27547 .open = usbbcm_open,
27548 .release = usbbcm_release,
27549 .read = usbbcm_read,
27550 diff -urNp linux-2.6.37/drivers/staging/comedi/comedi_fops.c linux-2.6.37/drivers/staging/comedi/comedi_fops.c
27551 --- linux-2.6.37/drivers/staging/comedi/comedi_fops.c 2011-01-04 19:50:19.000000000 -0500
27552 +++ linux-2.6.37/drivers/staging/comedi/comedi_fops.c 2011-01-17 02:41:01.000000000 -0500
27553 @@ -1426,7 +1426,7 @@ static void comedi_unmap(struct vm_area_
27554 mutex_unlock(&dev->mutex);
27555 }
27556
27557 -static struct vm_operations_struct comedi_vm_ops = {
27558 +static const struct vm_operations_struct comedi_vm_ops = {
27559 .close = comedi_unmap,
27560 };
27561
27562 diff -urNp linux-2.6.37/drivers/staging/ft1000/ft1000-usb/ft1000_chdev.c linux-2.6.37/drivers/staging/ft1000/ft1000-usb/ft1000_chdev.c
27563 --- linux-2.6.37/drivers/staging/ft1000/ft1000-usb/ft1000_chdev.c 2011-01-04 19:50:19.000000000 -0500
27564 +++ linux-2.6.37/drivers/staging/ft1000/ft1000-usb/ft1000_chdev.c 2011-01-17 02:41:01.000000000 -0500
27565 @@ -69,7 +69,7 @@ int numofmsgbuf = 0;
27566 //
27567 // Table of entry-point routines for char device
27568 //
27569 -static struct file_operations ft1000fops =
27570 +static const struct file_operations ft1000fops =
27571 {
27572 .unlocked_ioctl = ft1000_ChIoctl,
27573 .poll = ft1000_ChPoll,
27574 diff -urNp linux-2.6.37/drivers/staging/go7007/go7007-v4l2.c linux-2.6.37/drivers/staging/go7007/go7007-v4l2.c
27575 --- linux-2.6.37/drivers/staging/go7007/go7007-v4l2.c 2011-01-04 19:50:19.000000000 -0500
27576 +++ linux-2.6.37/drivers/staging/go7007/go7007-v4l2.c 2011-01-17 02:41:01.000000000 -0500
27577 @@ -1672,7 +1672,7 @@ static int go7007_vm_fault(struct vm_are
27578 return 0;
27579 }
27580
27581 -static struct vm_operations_struct go7007_vm_ops = {
27582 +static const struct vm_operations_struct go7007_vm_ops = {
27583 .open = go7007_vm_open,
27584 .close = go7007_vm_close,
27585 .fault = go7007_vm_fault,
27586 diff -urNp linux-2.6.37/drivers/staging/hv/hv.c linux-2.6.37/drivers/staging/hv/hv.c
27587 --- linux-2.6.37/drivers/staging/hv/hv.c 2011-01-04 19:50:19.000000000 -0500
27588 +++ linux-2.6.37/drivers/staging/hv/hv.c 2011-01-17 02:41:01.000000000 -0500
27589 @@ -162,7 +162,7 @@ static u64 HvDoHypercall(u64 Control, vo
27590 u64 outputAddress = (Output) ? virt_to_phys(Output) : 0;
27591 u32 outputAddressHi = outputAddress >> 32;
27592 u32 outputAddressLo = outputAddress & 0xFFFFFFFF;
27593 - volatile void *hypercallPage = gHvContext.HypercallPage;
27594 + volatile void *hypercallPage = ktva_ktla(gHvContext.HypercallPage);
27595
27596 DPRINT_DBG(VMBUS, "Hypercall <control %llx input %p output %p>",
27597 Control, Input, Output);
27598 diff -urNp linux-2.6.37/drivers/staging/msm/msm_fb_bl.c linux-2.6.37/drivers/staging/msm/msm_fb_bl.c
27599 --- linux-2.6.37/drivers/staging/msm/msm_fb_bl.c 2011-01-04 19:50:19.000000000 -0500
27600 +++ linux-2.6.37/drivers/staging/msm/msm_fb_bl.c 2011-01-17 02:41:01.000000000 -0500
27601 @@ -42,7 +42,7 @@ static int msm_fb_bl_update_status(struc
27602 return 0;
27603 }
27604
27605 -static struct backlight_ops msm_fb_bl_ops = {
27606 +static const struct backlight_ops msm_fb_bl_ops = {
27607 .get_brightness = msm_fb_bl_get_brightness,
27608 .update_status = msm_fb_bl_update_status,
27609 };
27610 diff -urNp linux-2.6.37/drivers/staging/olpc_dcon/olpc_dcon.c linux-2.6.37/drivers/staging/olpc_dcon/olpc_dcon.c
27611 --- linux-2.6.37/drivers/staging/olpc_dcon/olpc_dcon.c 2011-01-04 19:50:19.000000000 -0500
27612 +++ linux-2.6.37/drivers/staging/olpc_dcon/olpc_dcon.c 2011-01-17 02:41:01.000000000 -0500
27613 @@ -615,7 +615,7 @@ static struct device_attribute dcon_devi
27614 __ATTR(resumeline, 0644, dcon_resumeline_show, dcon_resumeline_store),
27615 };
27616
27617 -static struct backlight_ops dcon_bl_ops = {
27618 +static const struct backlight_ops dcon_bl_ops = {
27619 .get_brightness = dconbl_get,
27620 .update_status = dconbl_set
27621 };
27622 diff -urNp linux-2.6.37/drivers/staging/phison/phison.c linux-2.6.37/drivers/staging/phison/phison.c
27623 --- linux-2.6.37/drivers/staging/phison/phison.c 2011-01-04 19:50:19.000000000 -0500
27624 +++ linux-2.6.37/drivers/staging/phison/phison.c 2011-01-17 02:41:01.000000000 -0500
27625 @@ -43,7 +43,7 @@ static struct scsi_host_template phison_
27626 ATA_BMDMA_SHT(DRV_NAME),
27627 };
27628
27629 -static struct ata_port_operations phison_ops = {
27630 +static const struct ata_port_operations phison_ops = {
27631 .inherits = &ata_bmdma_port_ops,
27632 .prereset = phison_pre_reset,
27633 };
27634 diff -urNp linux-2.6.37/drivers/staging/pohmelfs/inode.c linux-2.6.37/drivers/staging/pohmelfs/inode.c
27635 --- linux-2.6.37/drivers/staging/pohmelfs/inode.c 2011-01-04 19:50:19.000000000 -0500
27636 +++ linux-2.6.37/drivers/staging/pohmelfs/inode.c 2011-01-17 02:41:01.000000000 -0500
27637 @@ -1848,7 +1848,7 @@ static int pohmelfs_fill_super(struct su
27638 mutex_init(&psb->mcache_lock);
27639 psb->mcache_root = RB_ROOT;
27640 psb->mcache_timeout = msecs_to_jiffies(5000);
27641 - atomic_long_set(&psb->mcache_gen, 0);
27642 + atomic_long_set_unchecked(&psb->mcache_gen, 0);
27643
27644 psb->trans_max_pages = 100;
27645
27646 diff -urNp linux-2.6.37/drivers/staging/pohmelfs/mcache.c linux-2.6.37/drivers/staging/pohmelfs/mcache.c
27647 --- linux-2.6.37/drivers/staging/pohmelfs/mcache.c 2011-01-04 19:50:19.000000000 -0500
27648 +++ linux-2.6.37/drivers/staging/pohmelfs/mcache.c 2011-01-17 02:41:01.000000000 -0500
27649 @@ -121,7 +121,7 @@ struct pohmelfs_mcache *pohmelfs_mcache_
27650 m->data = data;
27651 m->start = start;
27652 m->size = size;
27653 - m->gen = atomic_long_inc_return(&psb->mcache_gen);
27654 + m->gen = atomic_long_inc_return_unchecked(&psb->mcache_gen);
27655
27656 mutex_lock(&psb->mcache_lock);
27657 err = pohmelfs_mcache_insert(psb, m);
27658 diff -urNp linux-2.6.37/drivers/staging/pohmelfs/netfs.h linux-2.6.37/drivers/staging/pohmelfs/netfs.h
27659 --- linux-2.6.37/drivers/staging/pohmelfs/netfs.h 2011-01-04 19:50:19.000000000 -0500
27660 +++ linux-2.6.37/drivers/staging/pohmelfs/netfs.h 2011-01-17 02:41:01.000000000 -0500
27661 @@ -571,7 +571,7 @@ struct pohmelfs_config;
27662 struct pohmelfs_sb {
27663 struct rb_root mcache_root;
27664 struct mutex mcache_lock;
27665 - atomic_long_t mcache_gen;
27666 + atomic_long_unchecked_t mcache_gen;
27667 unsigned long mcache_timeout;
27668
27669 unsigned int idx;
27670 diff -urNp linux-2.6.37/drivers/staging/rtl8192u/ieee80211/proc.c linux-2.6.37/drivers/staging/rtl8192u/ieee80211/proc.c
27671 --- linux-2.6.37/drivers/staging/rtl8192u/ieee80211/proc.c 2011-01-04 19:50:19.000000000 -0500
27672 +++ linux-2.6.37/drivers/staging/rtl8192u/ieee80211/proc.c 2011-01-17 02:41:01.000000000 -0500
27673 @@ -99,7 +99,7 @@ static int crypto_info_open(struct inode
27674 return seq_open(file, &crypto_seq_ops);
27675 }
27676
27677 -static struct file_operations proc_crypto_ops = {
27678 +static const struct file_operations proc_crypto_ops = {
27679 .open = crypto_info_open,
27680 .read = seq_read,
27681 .llseek = seq_lseek,
27682 diff -urNp linux-2.6.37/drivers/staging/samsung-laptop/samsung-laptop.c linux-2.6.37/drivers/staging/samsung-laptop/samsung-laptop.c
27683 --- linux-2.6.37/drivers/staging/samsung-laptop/samsung-laptop.c 2011-01-04 19:50:19.000000000 -0500
27684 +++ linux-2.6.37/drivers/staging/samsung-laptop/samsung-laptop.c 2011-01-17 02:41:01.000000000 -0500
27685 @@ -269,7 +269,7 @@ static int update_status(struct backligh
27686 return 0;
27687 }
27688
27689 -static struct backlight_ops backlight_ops = {
27690 +static const struct backlight_ops backlight_ops = {
27691 .get_brightness = get_brightness,
27692 .update_status = update_status,
27693 };
27694 diff -urNp linux-2.6.37/drivers/staging/spectra/ffsport.c linux-2.6.37/drivers/staging/spectra/ffsport.c
27695 --- linux-2.6.37/drivers/staging/spectra/ffsport.c 2011-01-04 19:50:19.000000000 -0500
27696 +++ linux-2.6.37/drivers/staging/spectra/ffsport.c 2011-01-17 02:41:01.000000000 -0500
27697 @@ -603,7 +603,7 @@ int GLOB_SBD_unlocked_ioctl(struct block
27698 return ret;
27699 }
27700
27701 -static struct block_device_operations GLOB_SBD_ops = {
27702 +static const struct block_device_operations GLOB_SBD_ops = {
27703 .owner = THIS_MODULE,
27704 .open = GLOB_SBD_open,
27705 .release = GLOB_SBD_release,
27706 diff -urNp linux-2.6.37/drivers/staging/vme/devices/vme_user.c linux-2.6.37/drivers/staging/vme/devices/vme_user.c
27707 --- linux-2.6.37/drivers/staging/vme/devices/vme_user.c 2011-01-04 19:50:19.000000000 -0500
27708 +++ linux-2.6.37/drivers/staging/vme/devices/vme_user.c 2011-01-17 02:41:01.000000000 -0500
27709 @@ -137,7 +137,7 @@ static long vme_user_unlocked_ioctl(stru
27710 static int __init vme_user_probe(struct device *, int, int);
27711 static int __exit vme_user_remove(struct device *, int, int);
27712
27713 -static struct file_operations vme_user_fops = {
27714 +static const struct file_operations vme_user_fops = {
27715 .open = vme_user_open,
27716 .release = vme_user_release,
27717 .read = vme_user_read,
27718 diff -urNp linux-2.6.37/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c linux-2.6.37/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c
27719 --- linux-2.6.37/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c 2011-01-04 19:50:19.000000000 -0500
27720 +++ linux-2.6.37/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c 2011-01-17 02:41:01.000000000 -0500
27721 @@ -426,7 +426,7 @@ int cyasblkdev_revalidate_disk(struct ge
27722
27723
27724 /*standard block device driver interface */
27725 -static struct block_device_operations cyasblkdev_bdops = {
27726 +static const struct block_device_operations cyasblkdev_bdops = {
27727 .open = cyasblkdev_blk_open,
27728 .release = cyasblkdev_blk_release,
27729 .ioctl = cyasblkdev_blk_ioctl,
27730 diff -urNp linux-2.6.37/drivers/tty/n_gsm.c linux-2.6.37/drivers/tty/n_gsm.c
27731 --- linux-2.6.37/drivers/tty/n_gsm.c 2011-01-04 19:50:19.000000000 -0500
27732 +++ linux-2.6.37/drivers/tty/n_gsm.c 2011-01-17 02:41:01.000000000 -0500
27733 @@ -1579,7 +1579,7 @@ static struct gsm_dlci *gsm_dlci_alloc(s
27734 return NULL;
27735 spin_lock_init(&dlci->lock);
27736 dlci->fifo = &dlci->_fifo;
27737 - if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL) < 0) {
27738 + if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL)) {
27739 kfree(dlci);
27740 return NULL;
27741 }
27742 diff -urNp linux-2.6.37/drivers/tty/n_tty.c linux-2.6.37/drivers/tty/n_tty.c
27743 --- linux-2.6.37/drivers/tty/n_tty.c 2011-01-04 19:50:19.000000000 -0500
27744 +++ linux-2.6.37/drivers/tty/n_tty.c 2011-01-17 02:41:01.000000000 -0500
27745 @@ -2116,6 +2116,7 @@ void n_tty_inherit_ops(struct tty_ldisc_
27746 {
27747 *ops = tty_ldisc_N_TTY;
27748 ops->owner = NULL;
27749 - ops->refcount = ops->flags = 0;
27750 + atomic_set(&ops->refcount, 0);
27751 + ops->flags = 0;
27752 }
27753 EXPORT_SYMBOL_GPL(n_tty_inherit_ops);
27754 diff -urNp linux-2.6.37/drivers/tty/pty.c linux-2.6.37/drivers/tty/pty.c
27755 --- linux-2.6.37/drivers/tty/pty.c 2011-01-04 19:50:19.000000000 -0500
27756 +++ linux-2.6.37/drivers/tty/pty.c 2011-01-17 02:41:01.000000000 -0500
27757 @@ -700,7 +700,18 @@ out:
27758 return retval;
27759 }
27760
27761 -static struct file_operations ptmx_fops;
27762 +static const struct file_operations ptmx_fops = {
27763 + .llseek = no_llseek,
27764 + .read = tty_read,
27765 + .write = tty_write,
27766 + .poll = tty_poll,
27767 + .unlocked_ioctl = tty_ioctl,
27768 + .compat_ioctl = tty_compat_ioctl,
27769 + .open = ptmx_open,
27770 + .release = tty_release,
27771 + .fasync = tty_fasync,
27772 +};
27773 +
27774
27775 static void __init unix98_pty_init(void)
27776 {
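Review bot: The new `ptmx_fops` initializer hand-lists nine callbacks, whereas the removed code copied the whole of tty_fops via tty_default_fops() and overrode only `.open`; any member tty_fops sets that is not repeated here silently disappears from /dev/ptmx, and tty_fops is not visible from this hunk to confirm the list is complete. Please keep the two tables tied together with a comment, `/* mirror of tty_fops (tty_io.c) with .open replaced - keep in sync */`, or better, have tty_io.c export the table so pty.c does not duplicate it. Note also that `.compat_ioctl = tty_compat_ioctl` is unconditional here, while the `#define tty_compat_ioctl NULL` fallback for !CONFIG_COMPAT is removed from tty_io.c in this same patch, so a header not in view must now supply that name in both configurations.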
27777 @@ -753,10 +764,6 @@ static void __init unix98_pty_init(void)
27778
27779 register_sysctl_table(pty_root_table);
27780
27781 - /* Now create the /dev/ptmx special device */
27782 - tty_default_fops(&ptmx_fops);
27783 - ptmx_fops.open = ptmx_open;
27784 -
27785 cdev_init(&ptmx_cdev, &ptmx_fops);
27786 if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
27787 register_chrdev_region(MKDEV(TTYAUX_MAJOR, 2), 1, "/dev/ptmx") < 0)
27788 diff -urNp linux-2.6.37/drivers/tty/tty_io.c linux-2.6.37/drivers/tty/tty_io.c
27789 --- linux-2.6.37/drivers/tty/tty_io.c 2011-01-04 19:50:19.000000000 -0500
27790 +++ linux-2.6.37/drivers/tty/tty_io.c 2011-01-17 02:41:01.000000000 -0500
27791 @@ -140,21 +140,11 @@ EXPORT_SYMBOL(tty_mutex);
27792 /* Spinlock to protect the tty->tty_files list */
27793 DEFINE_SPINLOCK(tty_files_lock);
27794
27795 -static ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
27796 -static ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
27797 ssize_t redirected_tty_write(struct file *, const char __user *,
27798 size_t, loff_t *);
27799 -static unsigned int tty_poll(struct file *, poll_table *);
27800 static int tty_open(struct inode *, struct file *);
27801 long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
27802 -#ifdef CONFIG_COMPAT
27803 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
27804 - unsigned long arg);
27805 -#else
27806 -#define tty_compat_ioctl NULL
27807 -#endif
27808 static int __tty_fasync(int fd, struct file *filp, int on);
27809 -static int tty_fasync(int fd, struct file *filp, int on);
27810 static void release_tty(struct tty_struct *tty, int idx);
27811 static void __proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
27812 static void proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
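Review bot: Dropping the `#else` / `#define tty_compat_ioctl NULL` fallback leaves `tty_compat_ioctl` undefined in a !CONFIG_COMPAT build, while pty.c's new ptmx_fops initializer in this patch references it unconditionally along with tty_read, tty_write, tty_poll and tty_fasync. Unless the header hunk (not in view) re-adds `#define tty_compat_ioctl NULL` under `#ifndef CONFIG_COMPAT` and declares the other four, pty.c will fail on implicit declarations or an unresolved name. Separately, the later hunks export these entry points with EXPORT_SYMBOL while this file's existing get_current_tty export is EXPORT_SYMBOL_GPL; if there is no reason to widen the licence boundary for raw tty I/O, `EXPORT_SYMBOL_GPL(tty_read);` and friends would match the file's convention.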
27813 @@ -938,7 +928,7 @@ EXPORT_SYMBOL(start_tty);
27814 * read calls may be outstanding in parallel.
27815 */
27816
27817 -static ssize_t tty_read(struct file *file, char __user *buf, size_t count,
27818 +ssize_t tty_read(struct file *file, char __user *buf, size_t count,
27819 loff_t *ppos)
27820 {
27821 int i;
27822 @@ -964,6 +954,8 @@ static ssize_t tty_read(struct file *fil
27823 return i;
27824 }
27825
27826 +EXPORT_SYMBOL(tty_read);
27827 +
27828 void tty_write_unlock(struct tty_struct *tty)
27829 {
27830 mutex_unlock(&tty->atomic_write_lock);
27831 @@ -1113,7 +1105,7 @@ void tty_write_message(struct tty_struct
27832 * write method will not be invoked in parallel for each device.
27833 */
27834
27835 -static ssize_t tty_write(struct file *file, const char __user *buf,
27836 +ssize_t tty_write(struct file *file, const char __user *buf,
27837 size_t count, loff_t *ppos)
27838 {
27839 struct inode *inode = file->f_path.dentry->d_inode;
27840 @@ -1139,6 +1131,8 @@ static ssize_t tty_write(struct file *fi
27841 return ret;
27842 }
27843
27844 +EXPORT_SYMBOL(tty_write);
27845 +
27846 ssize_t redirected_tty_write(struct file *file, const char __user *buf,
27847 size_t count, loff_t *ppos)
27848 {
27849 @@ -1778,6 +1772,8 @@ int tty_release(struct inode *inode, str
27850 return 0;
27851 }
27852
27853 +EXPORT_SYMBOL(tty_release);
27854 +
27855 /**
27856 * tty_open - open a tty device
27857 * @inode: inode of device file
27858 @@ -1969,7 +1965,7 @@ got_driver:
27859 * may be re-entered freely by other callers.
27860 */
27861
27862 -static unsigned int tty_poll(struct file *filp, poll_table *wait)
27863 +unsigned int tty_poll(struct file *filp, poll_table *wait)
27864 {
27865 struct tty_struct *tty = file_tty(filp);
27866 struct tty_ldisc *ld;
27867 @@ -1985,6 +1981,8 @@ static unsigned int tty_poll(struct file
27868 return ret;
27869 }
27870
27871 +EXPORT_SYMBOL(tty_poll);
27872 +
27873 static int __tty_fasync(int fd, struct file *filp, int on)
27874 {
27875 struct tty_struct *tty = file_tty(filp);
27876 @@ -2026,7 +2024,7 @@ out:
27877 return retval;
27878 }
27879
27880 -static int tty_fasync(int fd, struct file *filp, int on)
27881 +int tty_fasync(int fd, struct file *filp, int on)
27882 {
27883 int retval;
27884 tty_lock();
27885 @@ -2035,6 +2033,8 @@ static int tty_fasync(int fd, struct fil
27886 return retval;
27887 }
27888
27889 +EXPORT_SYMBOL(tty_fasync);
27890 +
27891 /**
27892 * tiocsti - fake input character
27893 * @tty: tty to fake input into
27894 @@ -2687,8 +2687,10 @@ long tty_ioctl(struct file *file, unsign
27895 return retval;
27896 }
27897
27898 +EXPORT_SYMBOL(tty_ioctl);
27899 +
27900 #ifdef CONFIG_COMPAT
27901 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
27902 +long tty_compat_ioctl(struct file *file, unsigned int cmd,
27903 unsigned long arg)
27904 {
27905 struct inode *inode = file->f_dentry->d_inode;
27906 @@ -2712,6 +2714,9 @@ static long tty_compat_ioctl(struct file
27907
27908 return retval;
27909 }
27910 +
27911 +EXPORT_SYMBOL(tty_compat_ioctl);
27912 +
27913 #endif
27914
27915 /*
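Review bot: tty_compat_ioctl is now a global symbol that exists only under CONFIG_COMPAT, and the `#define tty_compat_ioctl NULL` fallback for non-COMPAT builds is removed in the partial hunk at the top of this chunk, so any out-of-file reference to it — presumably the initializers that motivated these exports — now needs its own `#ifdef CONFIG_COMPAT` guard. Moving the fallback into the header next to the new prototype, `#else` / `#define tty_compat_ioctl NULL`, would keep callers unconditional as they were. The tty_default_fops() removal in the last hunk of this section likewise breaks any caller that is not converted in the same patch.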
27916 @@ -3190,11 +3195,6 @@ struct tty_struct *get_current_tty(void)
27917 }
27918 EXPORT_SYMBOL_GPL(get_current_tty);
27919
27920 -void tty_default_fops(struct file_operations *fops)
27921 -{
27922 - *fops = tty_fops;
27923 -}
27924 -
27925 /*
27926 * Initialize the console device. This is called *early*, so
27927 * we can't necessarily depend on lots of kernel help here.
27928 diff -urNp linux-2.6.37/drivers/tty/tty_ldisc.c linux-2.6.37/drivers/tty/tty_ldisc.c
27929 --- linux-2.6.37/drivers/tty/tty_ldisc.c 2011-01-04 19:50:19.000000000 -0500
27930 +++ linux-2.6.37/drivers/tty/tty_ldisc.c 2011-01-17 02:41:01.000000000 -0500
27931 @@ -76,7 +76,7 @@ static void put_ldisc(struct tty_ldisc *
27932 if (atomic_dec_and_lock(&ld->users, &tty_ldisc_lock)) {
27933 struct tty_ldisc_ops *ldo = ld->ops;
27934
27935 - ldo->refcount--;
27936 + atomic_dec(&ldo->refcount);
27937 module_put(ldo->owner);
27938 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
27939
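Review bot: Each refcount access converted to atomic_* in this section still runs under tty_ldisc_lock (here inside atomic_dec_and_lock, and under spin_lock_irqsave in tty_register_ldisc, tty_unregister_ldisc and put_ldops below), so the conversion does not make the field lock-free — presumably its purpose is the overflow-trapping semantics of the patch's checked atomics rather than concurrency. A comment at the field or at the first site, `/* still serialized by tty_ldisc_lock; atomic_t is for overflow checking, not lock-free use */`, would stop a later cleanup from dropping the lock on the strength of the atomic_* calls. The change of the `refcount` field to atomic_t in the ldisc ops struct is outside this chunk. put_ldisc begins outside the hunk.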
27940 @@ -111,7 +111,7 @@ int tty_register_ldisc(int disc, struct
27941 spin_lock_irqsave(&tty_ldisc_lock, flags);
27942 tty_ldiscs[disc] = new_ldisc;
27943 new_ldisc->num = disc;
27944 - new_ldisc->refcount = 0;
27945 + atomic_set(&new_ldisc->refcount, 0);
27946 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
27947
27948 return ret;
27949 @@ -139,7 +139,7 @@ int tty_unregister_ldisc(int disc)
27950 return -EINVAL;
27951
27952 spin_lock_irqsave(&tty_ldisc_lock, flags);
27953 - if (tty_ldiscs[disc]->refcount)
27954 + if (atomic_read(&tty_ldiscs[disc]->refcount))
27955 ret = -EBUSY;
27956 else
27957 tty_ldiscs[disc] = NULL;
27958 @@ -160,7 +160,7 @@ static struct tty_ldisc_ops *get_ldops(i
27959 if (ldops) {
27960 ret = ERR_PTR(-EAGAIN);
27961 if (try_module_get(ldops->owner)) {
27962 - ldops->refcount++;
27963 + atomic_inc(&ldops->refcount);
27964 ret = ldops;
27965 }
27966 }
27967 @@ -173,7 +173,7 @@ static void put_ldops(struct tty_ldisc_o
27968 unsigned long flags;
27969
27970 spin_lock_irqsave(&tty_ldisc_lock, flags);
27971 - ldops->refcount--;
27972 + atomic_dec(&ldops->refcount);
27973 module_put(ldops->owner);
27974 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
27975 }
27976 diff -urNp linux-2.6.37/drivers/tty/vt/keyboard.c linux-2.6.37/drivers/tty/vt/keyboard.c
27977 --- linux-2.6.37/drivers/tty/vt/keyboard.c 2011-01-04 19:50:19.000000000 -0500
27978 +++ linux-2.6.37/drivers/tty/vt/keyboard.c 2011-01-17 02:41:01.000000000 -0500
27979 @@ -657,6 +657,16 @@ static void k_spec(struct vc_data *vc, u
27980 kbd->kbdmode == VC_MEDIUMRAW) &&
27981 value != KVAL(K_SAK))
27982 return; /* SAK is allowed even in raw mode */
27983 +
27984 +#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
27985 + {
27986 + void *func = fn_handler[value];
27987 + if (func == fn_show_state || func == fn_show_ptregs ||
27988 + func == fn_show_mem)
27989 + return;
27990 + }
27991 +#endif
27992 +
27993 fn_handler[value](vc);
27994 }
27995
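Review bot: The new block gives no hint why exactly fn_show_state, fn_show_ptregs and fn_show_mem are refused; a one-line comment before the `#if`, `/* keyboard-triggered dumps of task, register and memory state are disabled under GRKERNSEC_PROC */`, would make the intent readable without consulting the Kconfig help. Comparing function pointers through a `void *` local also relies on a GNU extension; declaring it with the array's element type, `fn_handler_fn *func = fn_handler[value];`, keeps the comparison type-safe with no other change. The bounds check on `value` that precedes this in k_spec is outside the hunk, and the function begins outside it.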
27996 @@ -1413,7 +1423,7 @@ static const struct input_device_id kbd_
27997 .evbit = { BIT_MASK(EV_SND) },
27998 },
27999
28000 - { }, /* Terminating entry */
28001 + { 0 }, /* Terminating entry */
28002 };
28003
28004 MODULE_DEVICE_TABLE(input, kbd_ids);
28005 diff -urNp linux-2.6.37/drivers/tty/vt/vt_ioctl.c linux-2.6.37/drivers/tty/vt/vt_ioctl.c
28006 --- linux-2.6.37/drivers/tty/vt/vt_ioctl.c 2011-01-04 19:50:19.000000000 -0500
28007 +++ linux-2.6.37/drivers/tty/vt/vt_ioctl.c 2011-01-17 02:41:01.000000000 -0500
28008 @@ -210,9 +210,6 @@ do_kdsk_ioctl(int cmd, struct kbentry __
28009 if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry)))
28010 return -EFAULT;
28011
28012 - if (!capable(CAP_SYS_TTY_CONFIG))
28013 - perm = 0;
28014 -
28015 switch (cmd) {
28016 case KDGKBENT:
28017 key_map = key_maps[s];
28018 @@ -224,6 +221,9 @@ do_kdsk_ioctl(int cmd, struct kbentry __
28019 val = (i ? K_HOLE : K_NOSUCHMAP);
28020 return put_user(val, &user_kbe->kb_value);
28021 case KDSKBENT:
28022 + if (!capable(CAP_SYS_TTY_CONFIG))
28023 + perm = 0;
28024 +
28025 if (!perm)
28026 return -EPERM;
28027 if (!i && v == K_NOSUCHMAP) {
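Review bot: The CAP_SYS_TTY_CONFIG test now sits only in the KDSKBENT arm, so the read-only KDGKBENT path no longer calls capable() at all — presumably the point, so that a lookup does not trip capability denial logging, but nothing in the function says so. A comment above the moved check, `/* only KDSKBENT modifies the map; keep capable() off the read path */`, would keep a later cleanup from hoisting it back to the top. The same move is made for do_kdgkb_ioctl (KDSKBSENT) in the two hunks that follow. do_kdsk_ioctl begins outside the hunk.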
28028 @@ -325,9 +325,6 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
28029 int i, j, k;
28030 int ret;
28031
28032 - if (!capable(CAP_SYS_TTY_CONFIG))
28033 - perm = 0;
28034 -
28035 kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
28036 if (!kbs) {
28037 ret = -ENOMEM;
28038 @@ -361,6 +358,9 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
28039 kfree(kbs);
28040 return ((p && *p) ? -EOVERFLOW : 0);
28041 case KDSKBSENT:
28042 + if (!capable(CAP_SYS_TTY_CONFIG))
28043 + perm = 0;
28044 +
28045 if (!perm) {
28046 ret = -EPERM;
28047 goto reterr;
28048 diff -urNp linux-2.6.37/drivers/usb/atm/cxacru.c linux-2.6.37/drivers/usb/atm/cxacru.c
28049 --- linux-2.6.37/drivers/usb/atm/cxacru.c 2011-01-04 19:50:19.000000000 -0500
28050 +++ linux-2.6.37/drivers/usb/atm/cxacru.c 2011-01-17 02:41:01.000000000 -0500
28051 @@ -473,7 +473,7 @@ static ssize_t cxacru_sysfs_store_adsl_c
28052 ret = sscanf(buf + pos, "%x=%x%n", &index, &value, &tmp);
28053 if (ret < 2)
28054 return -EINVAL;
28055 - if (index < 0 || index > 0x7f)
28056 + if (index > 0x7f)
28057 return -EINVAL;
28058 pos += tmp;
28059
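Review bot: Dropping the `index < 0` half is a no-op only if `index` is unsigned; its declaration is above the hunk, so that cannot be confirmed here — were it a signed `int`, sscanf's `%x` would store values such as 0xffffffff as a negative number that now passes `index > 0x7f`. Checking the declaration, or spelling the test as `(u32)index > 0x7f`, would make the hunk self-evidently safe. The same kind of removal appears for `cmap->start` in the fbcmap.c hunk and `con2fb.framebuffer` in the fbmem.c do_fb_ioctl hunk further down; those fields are `__u32` members of the user-facing structs, so there the removed tests were dead code. cxacru_sysfs_store_adsl_config begins outside the hunk.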
28060 diff -urNp linux-2.6.37/drivers/usb/atm/usbatm.c linux-2.6.37/drivers/usb/atm/usbatm.c
28061 --- linux-2.6.37/drivers/usb/atm/usbatm.c 2011-01-04 19:50:19.000000000 -0500
28062 +++ linux-2.6.37/drivers/usb/atm/usbatm.c 2011-01-17 02:41:01.000000000 -0500
28063 @@ -332,7 +332,7 @@ static void usbatm_extract_one_cell(stru
28064 if (printk_ratelimit())
28065 atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n",
28066 __func__, vpi, vci);
28067 - atomic_inc(&vcc->stats->rx_err);
28068 + atomic_inc_unchecked(&vcc->stats->rx_err);
28069 return;
28070 }
28071
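Review bot: Nothing in these hunks records why the rx/tx/err/drop counters move to the `_unchecked` atomic variants while other atomics in the patch do not; a reader has to already know that the unchecked forms presumably opt out of the patch's overflow checking and that pure statistics counters are the intended exception. A comment at the first switched site, or at the stats struct, such as `/* statistics only, not a refcount: allowed to wrap, hence the unchecked atomics */`, would document that once. The same applies to the remaining usbatm.c hunks below, including the `atomic_read_unchecked` block in usbatm_atm_proc_read. usbatm_extract_one_cell begins outside the hunk.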
28072 @@ -360,7 +360,7 @@ static void usbatm_extract_one_cell(stru
28073 if (length > ATM_MAX_AAL5_PDU) {
28074 atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n",
28075 __func__, length, vcc);
28076 - atomic_inc(&vcc->stats->rx_err);
28077 + atomic_inc_unchecked(&vcc->stats->rx_err);
28078 goto out;
28079 }
28080
28081 @@ -369,14 +369,14 @@ static void usbatm_extract_one_cell(stru
28082 if (sarb->len < pdu_length) {
28083 atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n",
28084 __func__, pdu_length, sarb->len, vcc);
28085 - atomic_inc(&vcc->stats->rx_err);
28086 + atomic_inc_unchecked(&vcc->stats->rx_err);
28087 goto out;
28088 }
28089
28090 if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) {
28091 atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n",
28092 __func__, vcc);
28093 - atomic_inc(&vcc->stats->rx_err);
28094 + atomic_inc_unchecked(&vcc->stats->rx_err);
28095 goto out;
28096 }
28097
28098 @@ -386,7 +386,7 @@ static void usbatm_extract_one_cell(stru
28099 if (printk_ratelimit())
28100 atm_err(instance, "%s: no memory for skb (length: %u)!\n",
28101 __func__, length);
28102 - atomic_inc(&vcc->stats->rx_drop);
28103 + atomic_inc_unchecked(&vcc->stats->rx_drop);
28104 goto out;
28105 }
28106
28107 @@ -411,7 +411,7 @@ static void usbatm_extract_one_cell(stru
28108
28109 vcc->push(vcc, skb);
28110
28111 - atomic_inc(&vcc->stats->rx);
28112 + atomic_inc_unchecked(&vcc->stats->rx);
28113 out:
28114 skb_trim(sarb, 0);
28115 }
28116 @@ -614,7 +614,7 @@ static void usbatm_tx_process(unsigned l
28117 struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc;
28118
28119 usbatm_pop(vcc, skb);
28120 - atomic_inc(&vcc->stats->tx);
28121 + atomic_inc_unchecked(&vcc->stats->tx);
28122
28123 skb = skb_dequeue(&instance->sndqueue);
28124 }
28125 @@ -773,11 +773,11 @@ static int usbatm_atm_proc_read(struct a
28126 if (!left--)
28127 return sprintf(page,
28128 "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n",
28129 - atomic_read(&atm_dev->stats.aal5.tx),
28130 - atomic_read(&atm_dev->stats.aal5.tx_err),
28131 - atomic_read(&atm_dev->stats.aal5.rx),
28132 - atomic_read(&atm_dev->stats.aal5.rx_err),
28133 - atomic_read(&atm_dev->stats.aal5.rx_drop));
28134 + atomic_read_unchecked(&atm_dev->stats.aal5.tx),
28135 + atomic_read_unchecked(&atm_dev->stats.aal5.tx_err),
28136 + atomic_read_unchecked(&atm_dev->stats.aal5.rx),
28137 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_err),
28138 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop));
28139
28140 if (!left--) {
28141 if (instance->disconnected)
28142 diff -urNp linux-2.6.37/drivers/usb/class/cdc-acm.c linux-2.6.37/drivers/usb/class/cdc-acm.c
28143 --- linux-2.6.37/drivers/usb/class/cdc-acm.c 2011-01-04 19:50:19.000000000 -0500
28144 +++ linux-2.6.37/drivers/usb/class/cdc-acm.c 2011-01-17 02:41:01.000000000 -0500
28145 @@ -1634,7 +1634,7 @@ static const struct usb_device_id acm_id
28146 { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM,
28147 USB_CDC_ACM_PROTO_AT_CDMA) },
28148
28149 - { }
28150 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }
28151 };
28152
28153 MODULE_DEVICE_TABLE(usb, acm_ids);
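Review bot: The terminator is spelled out as twelve positional zeros, which silently depends on the current field count of struct usb_device_id and has to be edited whenever a field is added; `{ 0 }` zero-initializes the whole element just as well, avoids the GNU empty-initializer form if that is the concern, and is already the form the keyboard.c hunk above uses. The same twelve-zero terminator appears in the usblp.c, hub.c and usual-tables.c hunks, and the seven-zero form in ehci-pci.c, uhci-hcd.c and i810_main.c.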
28154 diff -urNp linux-2.6.37/drivers/usb/class/cdc-wdm.c linux-2.6.37/drivers/usb/class/cdc-wdm.c
28155 --- linux-2.6.37/drivers/usb/class/cdc-wdm.c 2011-01-04 19:50:19.000000000 -0500
28156 +++ linux-2.6.37/drivers/usb/class/cdc-wdm.c 2011-01-17 02:41:01.000000000 -0500
28157 @@ -342,7 +342,7 @@ static ssize_t wdm_write
28158 goto outnp;
28159 }
28160
28161 - if (!file->f_flags && O_NONBLOCK)
28162 + if (!(file->f_flags & O_NONBLOCK))
28163 r = wait_event_interruptible(desc->wait, !test_bit(WDM_IN_USE,
28164 &desc->flags));
28165 else
28166 diff -urNp linux-2.6.37/drivers/usb/class/usblp.c linux-2.6.37/drivers/usb/class/usblp.c
28167 --- linux-2.6.37/drivers/usb/class/usblp.c 2011-01-04 19:50:19.000000000 -0500
28168 +++ linux-2.6.37/drivers/usb/class/usblp.c 2011-01-17 02:41:01.000000000 -0500
28169 @@ -227,7 +227,7 @@ static const struct quirk_printer_struct
28170 { 0x0482, 0x0010, USBLP_QUIRK_BIDIR }, /* Kyocera Mita FS 820, by zut <kernel@zut.de> */
28171 { 0x04f9, 0x000d, USBLP_QUIRK_BIDIR }, /* Brother Industries, Ltd HL-1440 Laser Printer */
28172 { 0x04b8, 0x0202, USBLP_QUIRK_BAD_CLASS }, /* Seiko Epson Receipt Printer M129C */
28173 - { 0, 0 }
28174 + { 0, 0, 0 }
28175 };
28176
28177 static int usblp_wwait(struct usblp *usblp, int nonblock);
28178 @@ -1398,7 +1398,7 @@ static const struct usb_device_id usblp_
28179 { USB_INTERFACE_INFO(7, 1, 2) },
28180 { USB_INTERFACE_INFO(7, 1, 3) },
28181 { USB_DEVICE(0x04b8, 0x0202) }, /* Seiko Epson Receipt Printer M129C */
28182 - { } /* Terminating entry */
28183 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
28184 };
28185
28186 MODULE_DEVICE_TABLE(usb, usblp_ids);
28187 diff -urNp linux-2.6.37/drivers/usb/core/hcd.c linux-2.6.37/drivers/usb/core/hcd.c
28188 --- linux-2.6.37/drivers/usb/core/hcd.c 2011-01-04 19:50:19.000000000 -0500
28189 +++ linux-2.6.37/drivers/usb/core/hcd.c 2011-01-17 02:41:01.000000000 -0500
28190 @@ -2431,7 +2431,7 @@ EXPORT_SYMBOL_GPL(usb_hcd_platform_shutd
28191
28192 #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
28193
28194 -struct usb_mon_operations *mon_ops;
28195 +const struct usb_mon_operations *mon_ops;
28196
28197 /*
28198 * The registration is unlocked.
28199 @@ -2441,7 +2441,7 @@ struct usb_mon_operations *mon_ops;
28200 * symbols from usbcore, usbcore gets referenced and cannot be unloaded first.
28201 */
28202
28203 -int usb_mon_register (struct usb_mon_operations *ops)
28204 +int usb_mon_register (const struct usb_mon_operations *ops)
28205 {
28206
28207 if (mon_ops)
28208 diff -urNp linux-2.6.37/drivers/usb/core/hub.c linux-2.6.37/drivers/usb/core/hub.c
28209 --- linux-2.6.37/drivers/usb/core/hub.c 2011-01-04 19:50:19.000000000 -0500
28210 +++ linux-2.6.37/drivers/usb/core/hub.c 2011-01-17 02:41:01.000000000 -0500
28211 @@ -3461,7 +3461,7 @@ static const struct usb_device_id hub_id
28212 .bDeviceClass = USB_CLASS_HUB},
28213 { .match_flags = USB_DEVICE_ID_MATCH_INT_CLASS,
28214 .bInterfaceClass = USB_CLASS_HUB},
28215 - { } /* Terminating entry */
28216 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
28217 };
28218
28219 MODULE_DEVICE_TABLE (usb, hub_id_table);
28220 diff -urNp linux-2.6.37/drivers/usb/core/message.c linux-2.6.37/drivers/usb/core/message.c
28221 --- linux-2.6.37/drivers/usb/core/message.c 2011-01-04 19:50:19.000000000 -0500
28222 +++ linux-2.6.37/drivers/usb/core/message.c 2011-01-17 02:41:01.000000000 -0500
28223 @@ -869,8 +869,8 @@ char *usb_cache_string(struct usb_device
28224 buf = kmalloc(MAX_USB_STRING_SIZE, GFP_NOIO);
28225 if (buf) {
28226 len = usb_string(udev, index, buf, MAX_USB_STRING_SIZE);
28227 - if (len > 0) {
28228 - smallbuf = kmalloc(++len, GFP_NOIO);
28229 + if (len++ > 0) {
28230 + smallbuf = kmalloc(len, GFP_NOIO);
28231 if (!smallbuf)
28232 return buf;
28233 memcpy(smallbuf, buf, len);
28234 diff -urNp linux-2.6.37/drivers/usb/early/ehci-dbgp.c linux-2.6.37/drivers/usb/early/ehci-dbgp.c
28235 --- linux-2.6.37/drivers/usb/early/ehci-dbgp.c 2011-01-04 19:50:19.000000000 -0500
28236 +++ linux-2.6.37/drivers/usb/early/ehci-dbgp.c 2011-01-17 02:41:01.000000000 -0500
28237 @@ -96,6 +96,7 @@ static inline u32 dbgp_len_update(u32 x,
28238 }
28239
28240 #ifdef CONFIG_KGDB
28241 +/* cannot be const, see kgdbdbgp_parse_config */
28242 static struct kgdb_io kgdbdbgp_io_ops;
28243 #define dbgp_kgdb_mode (dbg_io_ops == &kgdbdbgp_io_ops)
28244 #else
28245 @@ -1026,6 +1027,7 @@ static void kgdbdbgp_write_char(u8 chr)
28246 early_dbgp_write(NULL, &chr, 1);
28247 }
28248
28249 +/* cannot be const, see kgdbdbgp_parse_config() */
28250 static struct kgdb_io kgdbdbgp_io_ops = {
28251 .name = "kgdbdbgp",
28252 .read_char = kgdbdbgp_read_char,
28253 diff -urNp linux-2.6.37/drivers/usb/host/ehci-pci.c linux-2.6.37/drivers/usb/host/ehci-pci.c
28254 --- linux-2.6.37/drivers/usb/host/ehci-pci.c 2011-01-04 19:50:19.000000000 -0500
28255 +++ linux-2.6.37/drivers/usb/host/ehci-pci.c 2011-01-17 02:41:01.000000000 -0500
28256 @@ -470,7 +470,7 @@ static const struct pci_device_id pci_id
28257 PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_EHCI, ~0),
28258 .driver_data = (unsigned long) &ehci_pci_hc_driver,
28259 },
28260 - { /* end: all zeroes */ }
28261 + { 0, 0, 0, 0, 0, 0, 0 }
28262 };
28263 MODULE_DEVICE_TABLE(pci, pci_ids);
28264
28265 diff -urNp linux-2.6.37/drivers/usb/host/uhci-hcd.c linux-2.6.37/drivers/usb/host/uhci-hcd.c
28266 --- linux-2.6.37/drivers/usb/host/uhci-hcd.c 2011-01-04 19:50:19.000000000 -0500
28267 +++ linux-2.6.37/drivers/usb/host/uhci-hcd.c 2011-01-17 02:41:01.000000000 -0500
28268 @@ -948,7 +948,7 @@ static const struct pci_device_id uhci_p
28269 /* handle any USB UHCI controller */
28270 PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_UHCI, ~0),
28271 .driver_data = (unsigned long) &uhci_driver,
28272 - }, { /* end: all zeroes */ }
28273 + }, { 0, 0, 0, 0, 0, 0, 0 }
28274 };
28275
28276 MODULE_DEVICE_TABLE(pci, uhci_pci_ids);
28277 diff -urNp linux-2.6.37/drivers/usb/mon/mon_main.c linux-2.6.37/drivers/usb/mon/mon_main.c
28278 --- linux-2.6.37/drivers/usb/mon/mon_main.c 2011-01-04 19:50:19.000000000 -0500
28279 +++ linux-2.6.37/drivers/usb/mon/mon_main.c 2011-01-17 02:41:01.000000000 -0500
28280 @@ -238,7 +238,7 @@ static struct notifier_block mon_nb = {
28281 /*
28282 * Ops
28283 */
28284 -static struct usb_mon_operations mon_ops_0 = {
28285 +static const struct usb_mon_operations mon_ops_0 = {
28286 .urb_submit = mon_submit,
28287 .urb_submit_error = mon_submit_error,
28288 .urb_complete = mon_complete,
28289 diff -urNp linux-2.6.37/drivers/usb/storage/debug.h linux-2.6.37/drivers/usb/storage/debug.h
28290 --- linux-2.6.37/drivers/usb/storage/debug.h 2011-01-04 19:50:19.000000000 -0500
28291 +++ linux-2.6.37/drivers/usb/storage/debug.h 2011-01-17 02:41:01.000000000 -0500
28292 @@ -54,9 +54,9 @@ void usb_stor_show_sense( unsigned char
28293 #define US_DEBUGPX(x...) printk( x )
28294 #define US_DEBUG(x) x
28295 #else
28296 -#define US_DEBUGP(x...)
28297 -#define US_DEBUGPX(x...)
28298 -#define US_DEBUG(x)
28299 +#define US_DEBUGP(x...) do {} while (0)
28300 +#define US_DEBUGPX(x...) do {} while (0)
28301 +#define US_DEBUG(x) do {} while (0)
28302 #endif
28303
28304 #endif
28305 diff -urNp linux-2.6.37/drivers/usb/storage/usb.c linux-2.6.37/drivers/usb/storage/usb.c
28306 --- linux-2.6.37/drivers/usb/storage/usb.c 2011-01-04 19:50:19.000000000 -0500
28307 +++ linux-2.6.37/drivers/usb/storage/usb.c 2011-01-17 02:41:01.000000000 -0500
28308 @@ -122,7 +122,7 @@ MODULE_PARM_DESC(quirks, "supplemental l
28309
28310 static struct us_unusual_dev us_unusual_dev_list[] = {
28311 # include "unusual_devs.h"
28312 - { } /* Terminating entry */
28313 + { NULL, NULL, 0, 0, NULL } /* Terminating entry */
28314 };
28315
28316 #undef UNUSUAL_DEV
28317 diff -urNp linux-2.6.37/drivers/usb/storage/usual-tables.c linux-2.6.37/drivers/usb/storage/usual-tables.c
28318 --- linux-2.6.37/drivers/usb/storage/usual-tables.c 2011-01-04 19:50:19.000000000 -0500
28319 +++ linux-2.6.37/drivers/usb/storage/usual-tables.c 2011-01-17 02:41:01.000000000 -0500
28320 @@ -48,7 +48,7 @@
28321
28322 struct usb_device_id usb_storage_usb_ids[] = {
28323 # include "unusual_devs.h"
28324 - { } /* Terminating entry */
28325 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
28326 };
28327 EXPORT_SYMBOL_GPL(usb_storage_usb_ids);
28328
28329 diff -urNp linux-2.6.37/drivers/vhost/vhost.c linux-2.6.37/drivers/vhost/vhost.c
28330 --- linux-2.6.37/drivers/vhost/vhost.c 2011-01-04 19:50:19.000000000 -0500
28331 +++ linux-2.6.37/drivers/vhost/vhost.c 2011-01-17 02:41:01.000000000 -0500
28332 @@ -560,7 +560,7 @@ static int init_used(struct vhost_virtqu
28333 return get_user(vq->last_used_idx, &used->idx);
28334 }
28335
28336 -static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp)
28337 +static long vhost_set_vring(struct vhost_dev *d, unsigned int ioctl, void __user *argp)
28338 {
28339 struct file *eventfp, *filep = NULL,
28340 *pollstart = NULL, *pollstop = NULL;
28341 diff -urNp linux-2.6.37/drivers/video/atmel_lcdfb.c linux-2.6.37/drivers/video/atmel_lcdfb.c
28342 --- linux-2.6.37/drivers/video/atmel_lcdfb.c 2011-01-04 19:50:19.000000000 -0500
28343 +++ linux-2.6.37/drivers/video/atmel_lcdfb.c 2011-01-17 02:41:01.000000000 -0500
28344 @@ -111,7 +111,7 @@ static int atmel_bl_get_brightness(struc
28345 return lcdc_readl(sinfo, ATMEL_LCDC_CONTRAST_VAL);
28346 }
28347
28348 -static struct backlight_ops atmel_lcdc_bl_ops = {
28349 +static const struct backlight_ops atmel_lcdc_bl_ops = {
28350 .update_status = atmel_bl_update_status,
28351 .get_brightness = atmel_bl_get_brightness,
28352 };
28353 diff -urNp linux-2.6.37/drivers/video/aty/aty128fb.c linux-2.6.37/drivers/video/aty/aty128fb.c
28354 --- linux-2.6.37/drivers/video/aty/aty128fb.c 2011-01-04 19:50:19.000000000 -0500
28355 +++ linux-2.6.37/drivers/video/aty/aty128fb.c 2011-01-17 02:41:01.000000000 -0500
28356 @@ -1786,7 +1786,7 @@ static int aty128_bl_get_brightness(stru
28357 return bd->props.brightness;
28358 }
28359
28360 -static struct backlight_ops aty128_bl_data = {
28361 +static const struct backlight_ops aty128_bl_data = {
28362 .get_brightness = aty128_bl_get_brightness,
28363 .update_status = aty128_bl_update_status,
28364 };
28365 diff -urNp linux-2.6.37/drivers/video/aty/atyfb_base.c linux-2.6.37/drivers/video/aty/atyfb_base.c
28366 --- linux-2.6.37/drivers/video/aty/atyfb_base.c 2011-01-04 19:50:19.000000000 -0500
28367 +++ linux-2.6.37/drivers/video/aty/atyfb_base.c 2011-01-17 02:41:01.000000000 -0500
28368 @@ -2221,7 +2221,7 @@ static int aty_bl_get_brightness(struct
28369 return bd->props.brightness;
28370 }
28371
28372 -static struct backlight_ops aty_bl_data = {
28373 +static const struct backlight_ops aty_bl_data = {
28374 .get_brightness = aty_bl_get_brightness,
28375 .update_status = aty_bl_update_status,
28376 };
28377 diff -urNp linux-2.6.37/drivers/video/aty/radeon_backlight.c linux-2.6.37/drivers/video/aty/radeon_backlight.c
28378 --- linux-2.6.37/drivers/video/aty/radeon_backlight.c 2011-01-04 19:50:19.000000000 -0500
28379 +++ linux-2.6.37/drivers/video/aty/radeon_backlight.c 2011-01-17 02:41:01.000000000 -0500
28380 @@ -128,7 +128,7 @@ static int radeon_bl_get_brightness(stru
28381 return bd->props.brightness;
28382 }
28383
28384 -static struct backlight_ops radeon_bl_data = {
28385 +static const struct backlight_ops radeon_bl_data = {
28386 .get_brightness = radeon_bl_get_brightness,
28387 .update_status = radeon_bl_update_status,
28388 };
28389 diff -urNp linux-2.6.37/drivers/video/backlight/88pm860x_bl.c linux-2.6.37/drivers/video/backlight/88pm860x_bl.c
28390 --- linux-2.6.37/drivers/video/backlight/88pm860x_bl.c 2011-01-04 19:50:19.000000000 -0500
28391 +++ linux-2.6.37/drivers/video/backlight/88pm860x_bl.c 2011-01-17 02:41:01.000000000 -0500
28392 @@ -155,7 +155,7 @@ out:
28393 return -EINVAL;
28394 }
28395
28396 -static struct backlight_ops pm860x_backlight_ops = {
28397 +static const struct backlight_ops pm860x_backlight_ops = {
28398 .options = BL_CORE_SUSPENDRESUME,
28399 .update_status = pm860x_backlight_update_status,
28400 .get_brightness = pm860x_backlight_get_brightness,
28401 diff -urNp linux-2.6.37/drivers/video/backlight/max8925_bl.c linux-2.6.37/drivers/video/backlight/max8925_bl.c
28402 --- linux-2.6.37/drivers/video/backlight/max8925_bl.c 2011-01-04 19:50:19.000000000 -0500
28403 +++ linux-2.6.37/drivers/video/backlight/max8925_bl.c 2011-01-17 02:41:01.000000000 -0500
28404 @@ -92,7 +92,7 @@ static int max8925_backlight_get_brightn
28405 return ret;
28406 }
28407
28408 -static struct backlight_ops max8925_backlight_ops = {
28409 +static const struct backlight_ops max8925_backlight_ops = {
28410 .options = BL_CORE_SUSPENDRESUME,
28411 .update_status = max8925_backlight_update_status,
28412 .get_brightness = max8925_backlight_get_brightness,
28413 diff -urNp linux-2.6.37/drivers/video/fbcmap.c linux-2.6.37/drivers/video/fbcmap.c
28414 --- linux-2.6.37/drivers/video/fbcmap.c 2011-01-04 19:50:19.000000000 -0500
28415 +++ linux-2.6.37/drivers/video/fbcmap.c 2011-01-17 02:41:01.000000000 -0500
28416 @@ -285,8 +285,7 @@ int fb_set_user_cmap(struct fb_cmap_user
28417 rc = -ENODEV;
28418 goto out;
28419 }
28420 - if (cmap->start < 0 || (!info->fbops->fb_setcolreg &&
28421 - !info->fbops->fb_setcmap)) {
28422 + if (!info->fbops->fb_setcolreg && !info->fbops->fb_setcmap) {
28423 rc = -EINVAL;
28424 goto out1;
28425 }
28426 diff -urNp linux-2.6.37/drivers/video/fbmem.c linux-2.6.37/drivers/video/fbmem.c
28427 --- linux-2.6.37/drivers/video/fbmem.c 2011-01-04 19:50:19.000000000 -0500
28428 +++ linux-2.6.37/drivers/video/fbmem.c 2011-01-17 02:41:01.000000000 -0500
28429 @@ -403,7 +403,7 @@ static void fb_do_show_logo(struct fb_in
28430 image->dx += image->width + 8;
28431 }
28432 } else if (rotate == FB_ROTATE_UD) {
28433 - for (x = 0; x < num && image->dx >= 0; x++) {
28434 + for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
28435 info->fbops->fb_imageblit(info, image);
28436 image->dx -= image->width + 8;
28437 }
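Review bot: The `(__s32)` cast turns a loop condition that was always true — `image->dx` is evidently unsigned, given the cast — into one that stops once dx wraps below zero, which is a real fix and deserves a comment so it is not "cleaned up" later: `/* dx is __u32; compare as signed so the loop stops once it wraps below zero */`. The same change and comment apply to the `image->dy` loop in the following hunk. fb_do_show_logo begins and ends outside the hunk.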
28438 @@ -415,7 +415,7 @@ static void fb_do_show_logo(struct fb_in
28439 image->dy += image->height + 8;
28440 }
28441 } else if (rotate == FB_ROTATE_CCW) {
28442 - for (x = 0; x < num && image->dy >= 0; x++) {
28443 + for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
28444 info->fbops->fb_imageblit(info, image);
28445 image->dy -= image->height + 8;
28446 }
28447 @@ -1101,7 +1101,7 @@ static long do_fb_ioctl(struct fb_info *
28448 return -EFAULT;
28449 if (con2fb.console < 1 || con2fb.console > MAX_NR_CONSOLES)
28450 return -EINVAL;
28451 - if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
28452 + if (con2fb.framebuffer >= FB_MAX)
28453 return -EINVAL;
28454 if (!registered_fb[con2fb.framebuffer])
28455 request_module("fb%d", con2fb.framebuffer);
28456 diff -urNp linux-2.6.37/drivers/video/fbmon.c linux-2.6.37/drivers/video/fbmon.c
28457 --- linux-2.6.37/drivers/video/fbmon.c 2011-01-04 19:50:19.000000000 -0500
28458 +++ linux-2.6.37/drivers/video/fbmon.c 2011-01-17 02:41:01.000000000 -0500
28459 @@ -46,7 +46,7 @@
28460 #ifdef DEBUG
28461 #define DPRINTK(fmt, args...) printk(fmt,## args)
28462 #else
28463 -#define DPRINTK(fmt, args...)
28464 +#define DPRINTK(fmt, args...) do {} while (0)
28465 #endif
28466
28467 #define FBMON_FIX_HEADER 1
28468 diff -urNp linux-2.6.37/drivers/video/i810/i810_accel.c linux-2.6.37/drivers/video/i810/i810_accel.c
28469 --- linux-2.6.37/drivers/video/i810/i810_accel.c 2011-01-04 19:50:19.000000000 -0500
28470 +++ linux-2.6.37/drivers/video/i810/i810_accel.c 2011-01-17 02:41:01.000000000 -0500
28471 @@ -73,6 +73,7 @@ static inline int wait_for_space(struct
28472 }
28473 }
28474 printk("ringbuffer lockup!!!\n");
28475 + printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
28476 i810_report_error(mmio);
28477 par->dev_flags |= LOCKUP;
28478 info->pixmap.scan_align = 1;
28479 diff -urNp linux-2.6.37/drivers/video/i810/i810_main.c linux-2.6.37/drivers/video/i810/i810_main.c
28480 --- linux-2.6.37/drivers/video/i810/i810_main.c 2011-01-04 19:50:19.000000000 -0500
28481 +++ linux-2.6.37/drivers/video/i810/i810_main.c 2011-01-17 02:41:01.000000000 -0500
28482 @@ -120,7 +120,7 @@ static struct pci_device_id i810fb_pci_t
28483 PCI_ANY_ID, PCI_ANY_ID, 0, 0, 4 },
28484 { PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82815_CGC,
28485 PCI_ANY_ID, PCI_ANY_ID, 0, 0, 5 },
28486 - { 0 },
28487 + { 0, 0, 0, 0, 0, 0, 0 },
28488 };
28489
28490 static struct pci_driver i810fb_driver = {
28491 diff -urNp linux-2.6.37/drivers/video/modedb.c linux-2.6.37/drivers/video/modedb.c
28492 --- linux-2.6.37/drivers/video/modedb.c 2011-01-04 19:50:19.000000000 -0500
28493 +++ linux-2.6.37/drivers/video/modedb.c 2011-01-17 02:41:01.000000000 -0500
28494 @@ -40,240 +40,240 @@ static const struct fb_videomode modedb[
28495 {
28496 /* 640x400 @ 70 Hz, 31.5 kHz hsync */
28497 NULL, 70, 640, 400, 39721, 40, 24, 39, 9, 96, 2,
28498 - 0, FB_VMODE_NONINTERLACED
28499 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28500 }, {
28501 /* 640x480 @ 60 Hz, 31.5 kHz hsync */
28502 NULL, 60, 640, 480, 39721, 40, 24, 32, 11, 96, 2,
28503 - 0, FB_VMODE_NONINTERLACED
28504 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28505 }, {
28506 /* 800x600 @ 56 Hz, 35.15 kHz hsync */
28507 NULL, 56, 800, 600, 27777, 128, 24, 22, 1, 72, 2,
28508 - 0, FB_VMODE_NONINTERLACED
28509 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28510 }, {
28511 /* 1024x768 @ 87 Hz interlaced, 35.5 kHz hsync */
28512 NULL, 87, 1024, 768, 22271, 56, 24, 33, 8, 160, 8,
28513 - 0, FB_VMODE_INTERLACED
28514 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28515 }, {
28516 /* 640x400 @ 85 Hz, 37.86 kHz hsync */
28517 NULL, 85, 640, 400, 31746, 96, 32, 41, 1, 64, 3,
28518 - FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28519 + FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28520 }, {
28521 /* 640x480 @ 72 Hz, 36.5 kHz hsync */
28522 NULL, 72, 640, 480, 31746, 144, 40, 30, 8, 40, 3,
28523 - 0, FB_VMODE_NONINTERLACED
28524 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28525 }, {
28526 /* 640x480 @ 75 Hz, 37.50 kHz hsync */
28527 NULL, 75, 640, 480, 31746, 120, 16, 16, 1, 64, 3,
28528 - 0, FB_VMODE_NONINTERLACED
28529 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28530 }, {
28531 /* 800x600 @ 60 Hz, 37.8 kHz hsync */
28532 NULL, 60, 800, 600, 25000, 88, 40, 23, 1, 128, 4,
28533 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28534 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28535 }, {
28536 /* 640x480 @ 85 Hz, 43.27 kHz hsync */
28537 NULL, 85, 640, 480, 27777, 80, 56, 25, 1, 56, 3,
28538 - 0, FB_VMODE_NONINTERLACED
28539 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28540 }, {
28541 /* 1152x864 @ 89 Hz interlaced, 44 kHz hsync */
28542 NULL, 89, 1152, 864, 15384, 96, 16, 110, 1, 216, 10,
28543 - 0, FB_VMODE_INTERLACED
28544 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28545 }, {
28546 /* 800x600 @ 72 Hz, 48.0 kHz hsync */
28547 NULL, 72, 800, 600, 20000, 64, 56, 23, 37, 120, 6,
28548 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28549 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28550 }, {
28551 /* 1024x768 @ 60 Hz, 48.4 kHz hsync */
28552 NULL, 60, 1024, 768, 15384, 168, 8, 29, 3, 144, 6,
28553 - 0, FB_VMODE_NONINTERLACED
28554 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28555 }, {
28556 /* 640x480 @ 100 Hz, 53.01 kHz hsync */
28557 NULL, 100, 640, 480, 21834, 96, 32, 36, 8, 96, 6,
28558 - 0, FB_VMODE_NONINTERLACED
28559 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28560 }, {
28561 /* 1152x864 @ 60 Hz, 53.5 kHz hsync */
28562 NULL, 60, 1152, 864, 11123, 208, 64, 16, 4, 256, 8,
28563 - 0, FB_VMODE_NONINTERLACED
28564 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28565 }, {
28566 /* 800x600 @ 85 Hz, 55.84 kHz hsync */
28567 NULL, 85, 800, 600, 16460, 160, 64, 36, 16, 64, 5,
28568 - 0, FB_VMODE_NONINTERLACED
28569 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28570 }, {
28571 /* 1024x768 @ 70 Hz, 56.5 kHz hsync */
28572 NULL, 70, 1024, 768, 13333, 144, 24, 29, 3, 136, 6,
28573 - 0, FB_VMODE_NONINTERLACED
28574 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28575 }, {
28576 /* 1280x1024 @ 87 Hz interlaced, 51 kHz hsync */
28577 NULL, 87, 1280, 1024, 12500, 56, 16, 128, 1, 216, 12,
28578 - 0, FB_VMODE_INTERLACED
28579 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28580 }, {
28581 /* 800x600 @ 100 Hz, 64.02 kHz hsync */
28582 NULL, 100, 800, 600, 14357, 160, 64, 30, 4, 64, 6,
28583 - 0, FB_VMODE_NONINTERLACED
28584 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28585 }, {
28586 /* 1024x768 @ 76 Hz, 62.5 kHz hsync */
28587 NULL, 76, 1024, 768, 11764, 208, 8, 36, 16, 120, 3,
28588 - 0, FB_VMODE_NONINTERLACED
28589 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28590 }, {
28591 /* 1152x864 @ 70 Hz, 62.4 kHz hsync */
28592 NULL, 70, 1152, 864, 10869, 106, 56, 20, 1, 160, 10,
28593 - 0, FB_VMODE_NONINTERLACED
28594 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28595 }, {
28596 /* 1280x1024 @ 61 Hz, 64.2 kHz hsync */
28597 NULL, 61, 1280, 1024, 9090, 200, 48, 26, 1, 184, 3,
28598 - 0, FB_VMODE_NONINTERLACED
28599 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28600 }, {
28601 /* 1400x1050 @ 60Hz, 63.9 kHz hsync */
28602 NULL, 60, 1400, 1050, 9259, 136, 40, 13, 1, 112, 3,
28603 - 0, FB_VMODE_NONINTERLACED
28604 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28605 }, {
28606 /* 1400x1050 @ 75,107 Hz, 82,392 kHz +hsync +vsync*/
28607 NULL, 75, 1400, 1050, 7190, 120, 56, 23, 10, 112, 13,
28608 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28609 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28610 }, {
28611 /* 1400x1050 @ 60 Hz, ? kHz +hsync +vsync*/
28612 NULL, 60, 1400, 1050, 9259, 128, 40, 12, 0, 112, 3,
28613 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28614 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28615 }, {
28616 /* 1024x768 @ 85 Hz, 70.24 kHz hsync */
28617 NULL, 85, 1024, 768, 10111, 192, 32, 34, 14, 160, 6,
28618 - 0, FB_VMODE_NONINTERLACED
28619 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28620 }, {
28621 /* 1152x864 @ 78 Hz, 70.8 kHz hsync */
28622 NULL, 78, 1152, 864, 9090, 228, 88, 32, 0, 84, 12,
28623 - 0, FB_VMODE_NONINTERLACED
28624 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28625 }, {
28626 /* 1280x1024 @ 70 Hz, 74.59 kHz hsync */
28627 NULL, 70, 1280, 1024, 7905, 224, 32, 28, 8, 160, 8,
28628 - 0, FB_VMODE_NONINTERLACED
28629 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28630 }, {
28631 /* 1600x1200 @ 60Hz, 75.00 kHz hsync */
28632 NULL, 60, 1600, 1200, 6172, 304, 64, 46, 1, 192, 3,
28633 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28634 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28635 }, {
28636 /* 1152x864 @ 84 Hz, 76.0 kHz hsync */
28637 NULL, 84, 1152, 864, 7407, 184, 312, 32, 0, 128, 12,
28638 - 0, FB_VMODE_NONINTERLACED
28639 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28640 }, {
28641 /* 1280x1024 @ 74 Hz, 78.85 kHz hsync */
28642 NULL, 74, 1280, 1024, 7407, 256, 32, 34, 3, 144, 3,
28643 - 0, FB_VMODE_NONINTERLACED
28644 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28645 }, {
28646 /* 1024x768 @ 100Hz, 80.21 kHz hsync */
28647 NULL, 100, 1024, 768, 8658, 192, 32, 21, 3, 192, 10,
28648 - 0, FB_VMODE_NONINTERLACED
28649 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28650 }, {
28651 /* 1280x1024 @ 76 Hz, 81.13 kHz hsync */
28652 NULL, 76, 1280, 1024, 7407, 248, 32, 34, 3, 104, 3,
28653 - 0, FB_VMODE_NONINTERLACED
28654 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28655 }, {
28656 /* 1600x1200 @ 70 Hz, 87.50 kHz hsync */
28657 NULL, 70, 1600, 1200, 5291, 304, 64, 46, 1, 192, 3,
28658 - 0, FB_VMODE_NONINTERLACED
28659 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28660 }, {
28661 /* 1152x864 @ 100 Hz, 89.62 kHz hsync */
28662 NULL, 100, 1152, 864, 7264, 224, 32, 17, 2, 128, 19,
28663 - 0, FB_VMODE_NONINTERLACED
28664 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28665 }, {
28666 /* 1280x1024 @ 85 Hz, 91.15 kHz hsync */
28667 NULL, 85, 1280, 1024, 6349, 224, 64, 44, 1, 160, 3,
28668 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28669 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28670 }, {
28671 /* 1600x1200 @ 75 Hz, 93.75 kHz hsync */
28672 NULL, 75, 1600, 1200, 4938, 304, 64, 46, 1, 192, 3,
28673 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28674 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28675 }, {
28676 /* 1680x1050 @ 60 Hz, 65.191 kHz hsync */
28677 NULL, 60, 1680, 1050, 6848, 280, 104, 30, 3, 176, 6,
28678 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28679 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28680 }, {
28681 /* 1600x1200 @ 85 Hz, 105.77 kHz hsync */
28682 NULL, 85, 1600, 1200, 4545, 272, 16, 37, 4, 192, 3,
28683 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28684 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28685 }, {
28686 /* 1280x1024 @ 100 Hz, 107.16 kHz hsync */
28687 NULL, 100, 1280, 1024, 5502, 256, 32, 26, 7, 128, 15,
28688 - 0, FB_VMODE_NONINTERLACED
28689 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28690 }, {
28691 /* 1800x1440 @ 64Hz, 96.15 kHz hsync */
28692 NULL, 64, 1800, 1440, 4347, 304, 96, 46, 1, 192, 3,
28693 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28694 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28695 }, {
28696 /* 1800x1440 @ 70Hz, 104.52 kHz hsync */
28697 NULL, 70, 1800, 1440, 4000, 304, 96, 46, 1, 192, 3,
28698 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28699 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28700 }, {
28701 /* 512x384 @ 78 Hz, 31.50 kHz hsync */
28702 NULL, 78, 512, 384, 49603, 48, 16, 16, 1, 64, 3,
28703 - 0, FB_VMODE_NONINTERLACED
28704 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28705 }, {
28706 /* 512x384 @ 85 Hz, 34.38 kHz hsync */
28707 NULL, 85, 512, 384, 45454, 48, 16, 16, 1, 64, 3,
28708 - 0, FB_VMODE_NONINTERLACED
28709 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28710 }, {
28711 /* 320x200 @ 70 Hz, 31.5 kHz hsync, 8:5 aspect ratio */
28712 NULL, 70, 320, 200, 79440, 16, 16, 20, 4, 48, 1,
28713 - 0, FB_VMODE_DOUBLE
28714 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28715 }, {
28716 /* 320x240 @ 60 Hz, 31.5 kHz hsync, 4:3 aspect ratio */
28717 NULL, 60, 320, 240, 79440, 16, 16, 16, 5, 48, 1,
28718 - 0, FB_VMODE_DOUBLE
28719 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28720 }, {
28721 /* 320x240 @ 72 Hz, 36.5 kHz hsync */
28722 NULL, 72, 320, 240, 63492, 16, 16, 16, 4, 48, 2,
28723 - 0, FB_VMODE_DOUBLE
28724 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28725 }, {
28726 /* 400x300 @ 56 Hz, 35.2 kHz hsync, 4:3 aspect ratio */
28727 NULL, 56, 400, 300, 55555, 64, 16, 10, 1, 32, 1,
28728 - 0, FB_VMODE_DOUBLE
28729 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28730 }, {
28731 /* 400x300 @ 60 Hz, 37.8 kHz hsync */
28732 NULL, 60, 400, 300, 50000, 48, 16, 11, 1, 64, 2,
28733 - 0, FB_VMODE_DOUBLE
28734 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28735 }, {
28736 /* 400x300 @ 72 Hz, 48.0 kHz hsync */
28737 NULL, 72, 400, 300, 40000, 32, 24, 11, 19, 64, 3,
28738 - 0, FB_VMODE_DOUBLE
28739 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28740 }, {
28741 /* 480x300 @ 56 Hz, 35.2 kHz hsync, 8:5 aspect ratio */
28742 NULL, 56, 480, 300, 46176, 80, 16, 10, 1, 40, 1,
28743 - 0, FB_VMODE_DOUBLE
28744 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28745 }, {
28746 /* 480x300 @ 60 Hz, 37.8 kHz hsync */
28747 NULL, 60, 480, 300, 41858, 56, 16, 11, 1, 80, 2,
28748 - 0, FB_VMODE_DOUBLE
28749 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28750 }, {
28751 /* 480x300 @ 63 Hz, 39.6 kHz hsync */
28752 NULL, 63, 480, 300, 40000, 56, 16, 11, 1, 80, 2,
28753 - 0, FB_VMODE_DOUBLE
28754 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28755 }, {
28756 /* 480x300 @ 72 Hz, 48.0 kHz hsync */
28757 NULL, 72, 480, 300, 33386, 40, 24, 11, 19, 80, 3,
28758 - 0, FB_VMODE_DOUBLE
28759 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28760 }, {
28761 /* 1920x1200 @ 60 Hz, 74.5 Khz hsync */
28762 NULL, 60, 1920, 1200, 5177, 128, 336, 1, 38, 208, 3,
28763 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
28764 - FB_VMODE_NONINTERLACED
28765 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28766 }, {
28767 /* 1152x768, 60 Hz, PowerBook G4 Titanium I and II */
28768 NULL, 60, 1152, 768, 14047, 158, 26, 29, 3, 136, 6,
28769 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28770 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28771 }, {
28772 /* 1366x768, 60 Hz, 47.403 kHz hsync, WXGA 16:9 aspect ratio */
28773 NULL, 60, 1366, 768, 13806, 120, 10, 14, 3, 32, 5,
28774 - 0, FB_VMODE_NONINTERLACED
28775 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28776 }, {
28777 /* 1280x800, 60 Hz, 47.403 kHz hsync, WXGA 16:10 aspect ratio */
28778 NULL, 60, 1280, 800, 12048, 200, 64, 24, 1, 136, 3,
28779 - 0, FB_VMODE_NONINTERLACED
28780 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28781 }, {
28782 /* 720x576i @ 50 Hz, 15.625 kHz hsync (PAL RGB) */
28783 NULL, 50, 720, 576, 74074, 64, 16, 39, 5, 64, 5,
28784 - 0, FB_VMODE_INTERLACED
28785 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28786 }, {
28787 /* 800x520i @ 50 Hz, 15.625 kHz hsync (PAL RGB) */
28788 NULL, 50, 800, 520, 58823, 144, 64, 72, 28, 80, 5,
28789 - 0, FB_VMODE_INTERLACED
28790 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28791 },
28792 };
28793
28794 diff -urNp linux-2.6.37/drivers/video/nvidia/nv_backlight.c linux-2.6.37/drivers/video/nvidia/nv_backlight.c
28795 --- linux-2.6.37/drivers/video/nvidia/nv_backlight.c 2011-01-04 19:50:19.000000000 -0500
28796 +++ linux-2.6.37/drivers/video/nvidia/nv_backlight.c 2011-01-17 02:41:01.000000000 -0500
28797 @@ -87,7 +87,7 @@ static int nvidia_bl_get_brightness(stru
28798 return bd->props.brightness;
28799 }
28800
28801 -static struct backlight_ops nvidia_bl_ops = {
28802 +static const struct backlight_ops nvidia_bl_ops = {
28803 .get_brightness = nvidia_bl_get_brightness,
28804 .update_status = nvidia_bl_update_status,
28805 };
28806 diff -urNp linux-2.6.37/drivers/video/omap2/displays/panel-taal.c linux-2.6.37/drivers/video/omap2/displays/panel-taal.c
28807 --- linux-2.6.37/drivers/video/omap2/displays/panel-taal.c 2011-01-04 19:50:19.000000000 -0500
28808 +++ linux-2.6.37/drivers/video/omap2/displays/panel-taal.c 2011-01-17 02:41:01.000000000 -0500
28809 @@ -465,7 +465,7 @@ static int taal_bl_get_intensity(struct
28810 return 0;
28811 }
28812
28813 -static struct backlight_ops taal_bl_ops = {
28814 +static const struct backlight_ops taal_bl_ops = {
28815 .get_brightness = taal_bl_get_intensity,
28816 .update_status = taal_bl_update_status,
28817 };
28818 diff -urNp linux-2.6.37/drivers/video/riva/fbdev.c linux-2.6.37/drivers/video/riva/fbdev.c
28819 --- linux-2.6.37/drivers/video/riva/fbdev.c 2011-01-04 19:50:19.000000000 -0500
28820 +++ linux-2.6.37/drivers/video/riva/fbdev.c 2011-01-17 02:41:01.000000000 -0500
28821 @@ -331,7 +331,7 @@ static int riva_bl_get_brightness(struct
28822 return bd->props.brightness;
28823 }
28824
28825 -static struct backlight_ops riva_bl_ops = {
28826 +static const struct backlight_ops riva_bl_ops = {
28827 .get_brightness = riva_bl_get_brightness,
28828 .update_status = riva_bl_update_status,
28829 };
28830 diff -urNp linux-2.6.37/drivers/video/uvesafb.c linux-2.6.37/drivers/video/uvesafb.c
28831 --- linux-2.6.37/drivers/video/uvesafb.c 2011-01-04 19:50:19.000000000 -0500
28832 +++ linux-2.6.37/drivers/video/uvesafb.c 2011-01-17 02:41:01.000000000 -0500
28833 @@ -19,6 +19,7 @@
28834 #include <linux/io.h>
28835 #include <linux/mutex.h>
28836 #include <linux/slab.h>
28837 +#include <linux/moduleloader.h>
28838 #include <video/edid.h>
28839 #include <video/uvesafb.h>
28840 #ifdef CONFIG_X86
28841 @@ -121,7 +122,7 @@ static int uvesafb_helper_start(void)
28842 NULL,
28843 };
28844
28845 - return call_usermodehelper(v86d_path, argv, envp, 1);
28846 + return call_usermodehelper(v86d_path, argv, envp, UMH_WAIT_PROC);
28847 }
28848
28849 /*
28850 @@ -569,10 +570,32 @@ static int __devinit uvesafb_vbe_getpmi(
28851 if ((task->t.regs.eax & 0xffff) != 0x4f || task->t.regs.es < 0xc000) {
28852 par->pmi_setpal = par->ypan = 0;
28853 } else {
28854 +
28855 +#ifdef CONFIG_PAX_KERNEXEC
28856 +#ifdef CONFIG_MODULES
28857 + par->pmi_code = module_alloc_exec((u16)task->t.regs.ecx);
28858 +#endif
28859 + if (!par->pmi_code) {
28860 + par->pmi_setpal = par->ypan = 0;
28861 + return 0;
28862 + }
28863 +#endif
28864 +
28865 par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
28866 + task->t.regs.edi);
28867 +
28868 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28869 + pax_open_kernel();
28870 + memcpy(par->pmi_code, par->pmi_base, (u16)task->t.regs.ecx);
28871 + pax_close_kernel();
28872 +
28873 + par->pmi_start = ktva_ktla(par->pmi_code + par->pmi_base[1]);
28874 + par->pmi_pal = ktva_ktla(par->pmi_code + par->pmi_base[2]);
28875 +#else
28876 par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];
28877 par->pmi_pal = (u8 *)par->pmi_base + par->pmi_base[2];
28878 +#endif
28879 +
28880 printk(KERN_INFO "uvesafb: protected mode interface info at "
28881 "%04x:%04x\n",
28882 (u16)task->t.regs.es, (u16)task->t.regs.edi);
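Review bot: The new `par->pmi_start = ktva_ktla(par->pmi_code + par->pmi_base[1]);` and the `[2]` line below it take offsets from the BIOS-supplied PMI table and add them to the fresh executable allocation without checking them against the `(u16)task->t.regs.ecx` bytes that were actually copied, so an offset at or beyond that length produces a function pointer outside `pmi_code`. Reject such a table before computing the pointers, reusing the fallback the hunk already has for a failed allocation: `if (par->pmi_base[1] >= (u16)task->t.regs.ecx || par->pmi_base[2] >= (u16)task->t.regs.ecx) { par->pmi_setpal = par->ypan = 0; return 0; }`. The allocation-failure path is also silent; a `printk(KERN_WARNING "uvesafb: cannot allocate executable memory for PMI, disabling ypan/palette\n");` would explain why those features vanish on KERNEXEC kernels. Whether `module_alloc_exec()` tolerates an `ecx` of zero is not visible here and is presumably worth a guard as well. uvesafb_vbe_getpmi() begins and ends outside this hunk.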
28883 @@ -1800,6 +1823,11 @@ out:
28884 if (par->vbe_modes)
28885 kfree(par->vbe_modes);
28886
28887 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28888 + if (par->pmi_code)
28889 + module_free_exec(NULL, par->pmi_code);
28890 +#endif
28891 +
28892 framebuffer_release(info);
28893 return err;
28894 }
28895 @@ -1826,6 +1854,12 @@ static int uvesafb_remove(struct platfor
28896 kfree(par->vbe_state_orig);
28897 if (par->vbe_state_saved)
28898 kfree(par->vbe_state_saved);
28899 +
28900 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28901 + if (par->pmi_code)
28902 + module_free_exec(NULL, par->pmi_code);
28903 +#endif
28904 +
28905 }
28906
28907 framebuffer_release(info);
28908 diff -urNp linux-2.6.37/drivers/video/vesafb.c linux-2.6.37/drivers/video/vesafb.c
28909 --- linux-2.6.37/drivers/video/vesafb.c 2011-01-04 19:50:19.000000000 -0500
28910 +++ linux-2.6.37/drivers/video/vesafb.c 2011-01-17 02:41:01.000000000 -0500
28911 @@ -9,6 +9,7 @@
28912 */
28913
28914 #include <linux/module.h>
28915 +#include <linux/moduleloader.h>
28916 #include <linux/kernel.h>
28917 #include <linux/errno.h>
28918 #include <linux/string.h>
28919 @@ -52,8 +53,8 @@ static int vram_remap __initdata; /*
28920 static int vram_total __initdata; /* Set total amount of memory */
28921 static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
28922 static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
28923 -static void (*pmi_start)(void) __read_mostly;
28924 -static void (*pmi_pal) (void) __read_mostly;
28925 +static void (*pmi_start)(void) __read_only;
28926 +static void (*pmi_pal) (void) __read_only;
28927 static int depth __read_mostly;
28928 static int vga_compat __read_mostly;
28929 /* --------------------------------------------------------------------- */
28930 @@ -232,6 +233,7 @@ static int __init vesafb_probe(struct pl
28931 unsigned int size_vmode;
28932 unsigned int size_remap;
28933 unsigned int size_total;
28934 + void *pmi_code = NULL;
28935
28936 if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
28937 return -ENODEV;
28938 @@ -274,10 +276,6 @@ static int __init vesafb_probe(struct pl
28939 size_remap = size_total;
28940 vesafb_fix.smem_len = size_remap;
28941
28942 -#ifndef __i386__
28943 - screen_info.vesapm_seg = 0;
28944 -#endif
28945 -
28946 if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
28947 printk(KERN_WARNING
28948 "vesafb: cannot reserve video memory at 0x%lx\n",
28949 @@ -319,9 +317,21 @@ static int __init vesafb_probe(struct pl
28950 printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
28951 vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
28952
28953 +#ifdef __i386__
28954 +
28955 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28956 + pmi_code = module_alloc_exec(screen_info.vesapm_size);
28957 + if (!pmi_code)
28958 +#elif !defined(CONFIG_PAX_KERNEXEC)
28959 + if (0)
28960 +#endif
28961 +
28962 +#endif
28963 + screen_info.vesapm_seg = 0;
28964 +
28965 if (screen_info.vesapm_seg) {
28966 - printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
28967 - screen_info.vesapm_seg,screen_info.vesapm_off);
28968 + printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
28969 + screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
28970 }
28971
28972 if (screen_info.vesapm_seg < 0xc000)
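Review bot: The `if (!pmi_code)` and `if (0)` headers whose only statement, `screen_info.vesapm_seg = 0;`, sits outside the `#ifdef` nest are hard to read and easy to break: a later edit that adds a line between the `#endif` and the assignment silently changes which configuration clears the segment. The four cases (KERNEXEC+MODULES, KERNEXEC without MODULES, no KERNEXEC, non-i386) are better spelled out with the assignment inside each branch, as below; the behaviour is unchanged. Note too that `module_alloc_exec()` runs before the `vesapm_seg < 0xc000` check and before the `ypan || pmi_setpal` test further down, so on a kernel where neither feature is wanted the executable allocation appears to be kept without ever being used, unless it is freed somewhere outside this view. vesafb_probe() continues past the end of the hunk.
```c
#ifdef __i386__
#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
	pmi_code = module_alloc_exec(screen_info.vesapm_size);
	if (!pmi_code)
		screen_info.vesapm_seg = 0;
#elif defined(CONFIG_PAX_KERNEXEC)
	/* KERNEXEC without module_alloc_exec(): no executable copy is possible */
	screen_info.vesapm_seg = 0;
#endif
#else
	screen_info.vesapm_seg = 0;
#endif
	/* … unchanged: "protected mode interface info" printk … */
```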
28973 @@ -329,9 +339,25 @@ static int __init vesafb_probe(struct pl
28974
28975 if (ypan || pmi_setpal) {
28976 unsigned short *pmi_base;
28977 - pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
28978 - pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
28979 - pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
28980 +
28981 + pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
28982 +
28983 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28984 + pax_open_kernel();
28985 + memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
28986 +#else
28987 + pmi_code = pmi_base;
28988 +#endif
28989 +
28990 + pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
28991 + pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
28992 +
28993 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28994 + pmi_start = ktva_ktla(pmi_start);
28995 + pmi_pal = ktva_ktla(pmi_pal);
28996 + pax_close_kernel();
28997 +#endif
28998 +
28999 printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
29000 if (pmi_base[3]) {
29001 printk(KERN_INFO "vesafb: pmi: ports = ");
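Review bot: `pmi_start = (void*)((char*)pmi_code + pmi_base[1]);` and the `pmi_pal` line use offsets read from the BIOS table in low memory without bounding them by `screen_info.vesapm_size`, the number of bytes `memcpy()` placed in the executable copy, so a bad offset becomes a call target outside `pmi_code`. Check both before forming the pointers, e.g. `if (pmi_base[1] >= screen_info.vesapm_size || pmi_base[2] >= screen_info.vesapm_size)`, and either disable the PMI (`ypan = pmi_setpal = 0;`) or fail the probe, whichever the maintainer prefers. The `pmi_base[3]` port list on the following lines is still read from the original table rather than the copy; that is harmless but worth a one-line comment so nobody "fixes" it to `pmi_code`. vesafb_probe() continues outside this hunk.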
29002 @@ -473,6 +499,11 @@ static int __init vesafb_probe(struct pl
29003 info->node, info->fix.id);
29004 return 0;
29005 err:
29006 +
29007 +#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29008 + module_free_exec(NULL, pmi_code);
29009 +#endif
29010 +
29011 if (info->screen_base)
29012 iounmap(info->screen_base);
29013 framebuffer_release(info);
29014 diff -urNp linux-2.6.37/fs/9p/vfs_inode.c linux-2.6.37/fs/9p/vfs_inode.c
29015 --- linux-2.6.37/fs/9p/vfs_inode.c 2011-01-04 19:50:19.000000000 -0500
29016 +++ linux-2.6.37/fs/9p/vfs_inode.c 2011-01-17 02:41:01.000000000 -0500
29017 @@ -1598,7 +1598,7 @@ static void *v9fs_vfs_follow_link(struct
29018 static void
29019 v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
29020 {
29021 - char *s = nd_get_link(nd);
29022 + const char *s = nd_get_link(nd);
29023
29024 P9_DPRINTK(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name,
29025 IS_ERR(s) ? "<error>" : s);
29026 diff -urNp linux-2.6.37/fs/aio.c linux-2.6.37/fs/aio.c
29027 --- linux-2.6.37/fs/aio.c 2011-01-04 19:50:19.000000000 -0500
29028 +++ linux-2.6.37/fs/aio.c 2011-01-17 02:41:01.000000000 -0500
29029 @@ -130,7 +130,7 @@ static int aio_setup_ring(struct kioctx
29030 size += sizeof(struct io_event) * nr_events;
29031 nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
29032
29033 - if (nr_pages < 0)
29034 + if (nr_pages <= 0)
29035 return -EINVAL;
29036
29037 nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
29038 diff -urNp linux-2.6.37/fs/attr.c linux-2.6.37/fs/attr.c
29039 --- linux-2.6.37/fs/attr.c 2011-01-04 19:50:19.000000000 -0500
29040 +++ linux-2.6.37/fs/attr.c 2011-01-17 02:41:01.000000000 -0500
29041 @@ -98,6 +98,7 @@ int inode_newsize_ok(const struct inode
29042 unsigned long limit;
29043
29044 limit = rlimit(RLIMIT_FSIZE);
29045 + gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
29046 if (limit != RLIM_INFINITY && offset > limit)
29047 goto out_sig;
29048 if (offset > inode->i_sb->s_maxbytes)
29049 diff -urNp linux-2.6.37/fs/autofs4/symlink.c linux-2.6.37/fs/autofs4/symlink.c
29050 --- linux-2.6.37/fs/autofs4/symlink.c 2011-01-04 19:50:19.000000000 -0500
29051 +++ linux-2.6.37/fs/autofs4/symlink.c 2011-01-17 02:41:01.000000000 -0500
29052 @@ -15,7 +15,7 @@
29053 static void *autofs4_follow_link(struct dentry *dentry, struct nameidata *nd)
29054 {
29055 struct autofs_info *ino = autofs4_dentry_ino(dentry);
29056 - nd_set_link(nd, (char *)ino->u.symlink);
29057 + nd_set_link(nd, ino->u.symlink);
29058 return NULL;
29059 }
29060
29061 diff -urNp linux-2.6.37/fs/befs/linuxvfs.c linux-2.6.37/fs/befs/linuxvfs.c
29062 --- linux-2.6.37/fs/befs/linuxvfs.c 2011-01-04 19:50:19.000000000 -0500
29063 +++ linux-2.6.37/fs/befs/linuxvfs.c 2011-01-17 02:41:01.000000000 -0500
29064 @@ -493,7 +493,7 @@ static void befs_put_link(struct dentry
29065 {
29066 befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
29067 if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
29068 - char *link = nd_get_link(nd);
29069 + const char *link = nd_get_link(nd);
29070 if (!IS_ERR(link))
29071 kfree(link);
29072 }
29073 diff -urNp linux-2.6.37/fs/binfmt_aout.c linux-2.6.37/fs/binfmt_aout.c
29074 --- linux-2.6.37/fs/binfmt_aout.c 2011-01-04 19:50:19.000000000 -0500
29075 +++ linux-2.6.37/fs/binfmt_aout.c 2011-01-17 02:41:01.000000000 -0500
29076 @@ -16,6 +16,7 @@
29077 #include <linux/string.h>
29078 #include <linux/fs.h>
29079 #include <linux/file.h>
29080 +#include <linux/security.h>
29081 #include <linux/stat.h>
29082 #include <linux/fcntl.h>
29083 #include <linux/ptrace.h>
29084 @@ -86,6 +87,8 @@ static int aout_core_dump(struct coredum
29085 #endif
29086 # define START_STACK(u) ((void __user *)u.start_stack)
29087
29088 + memset(&dump, 0, sizeof(dump));
29089 +
29090 fs = get_fs();
29091 set_fs(KERNEL_DS);
29092 has_dumped = 1;
29093 @@ -97,10 +100,12 @@ static int aout_core_dump(struct coredum
29094
29095 /* If the size of the dump file exceeds the rlimit, then see what would happen
29096 if we wrote the stack, but not the data area. */
29097 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
29098 if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > cprm->limit)
29099 dump.u_dsize = 0;
29100
29101 /* Make sure we have enough room to write the stack and data areas. */
29102 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
29103 if ((dump.u_ssize + 1) * PAGE_SIZE > cprm->limit)
29104 dump.u_ssize = 0;
29105
29106 @@ -234,6 +239,8 @@ static int load_aout_binary(struct linux
29107 rlim = rlimit(RLIMIT_DATA);
29108 if (rlim >= RLIM_INFINITY)
29109 rlim = ~0;
29110 +
29111 + gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
29112 if (ex.a_data + ex.a_bss > rlim)
29113 return -ENOMEM;
29114
29115 @@ -262,6 +269,27 @@ static int load_aout_binary(struct linux
29116 install_exec_creds(bprm);
29117 current->flags &= ~PF_FORKNOEXEC;
29118
29119 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
29120 + current->mm->pax_flags = 0UL;
29121 +#endif
29122 +
29123 +#ifdef CONFIG_PAX_PAGEEXEC
29124 + if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
29125 + current->mm->pax_flags |= MF_PAX_PAGEEXEC;
29126 +
29127 +#ifdef CONFIG_PAX_EMUTRAMP
29128 + if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
29129 + current->mm->pax_flags |= MF_PAX_EMUTRAMP;
29130 +#endif
29131 +
29132 +#ifdef CONFIG_PAX_MPROTECT
29133 + if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
29134 + current->mm->pax_flags |= MF_PAX_MPROTECT;
29135 +#endif
29136 +
29137 + }
29138 +#endif
29139 +
29140 if (N_MAGIC(ex) == OMAGIC) {
29141 unsigned long text_addr, map_size;
29142 loff_t pos;
29143 @@ -334,7 +362,7 @@ static int load_aout_binary(struct linux
29144
29145 down_write(&current->mm->mmap_sem);
29146 error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
29147 - PROT_READ | PROT_WRITE | PROT_EXEC,
29148 + PROT_READ | PROT_WRITE,
29149 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
29150 fd_offset + ex.a_text);
29151 up_write(&current->mm->mmap_sem);
29152 diff -urNp linux-2.6.37/fs/binfmt_elf.c linux-2.6.37/fs/binfmt_elf.c
29153 --- linux-2.6.37/fs/binfmt_elf.c 2011-01-04 19:50:19.000000000 -0500
29154 +++ linux-2.6.37/fs/binfmt_elf.c 2011-01-17 02:41:01.000000000 -0500
29155 @@ -51,6 +51,10 @@ static int elf_core_dump(struct coredump
29156 #define elf_core_dump NULL
29157 #endif
29158
29159 +#ifdef CONFIG_PAX_MPROTECT
29160 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags);
29161 +#endif
29162 +
29163 #if ELF_EXEC_PAGESIZE > PAGE_SIZE
29164 #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
29165 #else
29166 @@ -70,6 +74,11 @@ static struct linux_binfmt elf_format =
29167 .load_binary = load_elf_binary,
29168 .load_shlib = load_elf_library,
29169 .core_dump = elf_core_dump,
29170 +
29171 +#ifdef CONFIG_PAX_MPROTECT
29172 + .handle_mprotect= elf_handle_mprotect,
29173 +#endif
29174 +
29175 .min_coredump = ELF_EXEC_PAGESIZE,
29176 .hasvdso = 1
29177 };
29178 @@ -78,6 +87,8 @@ static struct linux_binfmt elf_format =
29179
29180 static int set_brk(unsigned long start, unsigned long end)
29181 {
29182 + unsigned long e = end;
29183 +
29184 start = ELF_PAGEALIGN(start);
29185 end = ELF_PAGEALIGN(end);
29186 if (end > start) {
29187 @@ -88,7 +99,7 @@ static int set_brk(unsigned long start,
29188 if (BAD_ADDR(addr))
29189 return addr;
29190 }
29191 - current->mm->start_brk = current->mm->brk = end;
29192 + current->mm->start_brk = current->mm->brk = e;
29193 return 0;
29194 }
29195
29196 @@ -149,7 +160,7 @@ create_elf_tables(struct linux_binprm *b
29197 elf_addr_t __user *u_rand_bytes;
29198 const char *k_platform = ELF_PLATFORM;
29199 const char *k_base_platform = ELF_BASE_PLATFORM;
29200 - unsigned char k_rand_bytes[16];
29201 + u32 k_rand_bytes[4];
29202 int items;
29203 elf_addr_t *elf_info;
29204 int ei_index = 0;
29205 @@ -196,8 +207,12 @@ create_elf_tables(struct linux_binprm *b
29206 * Generate 16 random bytes for userspace PRNG seeding.
29207 */
29208 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
29209 - u_rand_bytes = (elf_addr_t __user *)
29210 - STACK_ALLOC(p, sizeof(k_rand_bytes));
29211 + srandom32(k_rand_bytes[0] ^ random32());
29212 + srandom32(k_rand_bytes[1] ^ random32());
29213 + srandom32(k_rand_bytes[2] ^ random32());
29214 + srandom32(k_rand_bytes[3] ^ random32());
29215 + p = STACK_ROUND(p, sizeof(k_rand_bytes));
29216 + u_rand_bytes = (elf_addr_t __user *) p;
29217 if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
29218 return -EFAULT;
29219
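Review bot: Replacing `STACK_ALLOC(p, sizeof(k_rand_bytes))` with `p = STACK_ROUND(p, sizeof(k_rand_bytes)); u_rand_bytes = (elf_addr_t __user *) p;` looks correct on stack-grows-down targets, where the macro subtracts the length before aligning, but on CONFIG_STACK_GROWSUP builds STACK_ROUND presumably rounds upward without advancing `p` past the 16 bytes, so the bytes written by `__copy_to_user()` would be overlapped by the tables placed at `p` afterwards; the macro definitions are outside this view, so please confirm. If that reading is right, the growsup case needs `p` advanced by `sizeof(k_rand_bytes)` after the copy, or the original STACK_ALLOC kept with the alignment applied separately. A short comment on why the seed bytes are now 16-byte aligned would also help, since the original deliberately did not align them. create_elf_tables() begins and ends outside the hunk.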
29220 @@ -386,10 +401,10 @@ static unsigned long load_elf_interp(str
29221 {
29222 struct elf_phdr *elf_phdata;
29223 struct elf_phdr *eppnt;
29224 - unsigned long load_addr = 0;
29225 + unsigned long load_addr = 0, pax_task_size = TASK_SIZE;
29226 int load_addr_set = 0;
29227 unsigned long last_bss = 0, elf_bss = 0;
29228 - unsigned long error = ~0UL;
29229 + unsigned long error = -EINVAL;
29230 unsigned long total_size;
29231 int retval, i, size;
29232
29233 @@ -435,6 +450,11 @@ static unsigned long load_elf_interp(str
29234 goto out_close;
29235 }
29236
29237 +#ifdef CONFIG_PAX_SEGMEXEC
29238 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
29239 + pax_task_size = SEGMEXEC_TASK_SIZE;
29240 +#endif
29241 +
29242 eppnt = elf_phdata;
29243 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
29244 if (eppnt->p_type == PT_LOAD) {
29245 @@ -478,8 +498,8 @@ static unsigned long load_elf_interp(str
29246 k = load_addr + eppnt->p_vaddr;
29247 if (BAD_ADDR(k) ||
29248 eppnt->p_filesz > eppnt->p_memsz ||
29249 - eppnt->p_memsz > TASK_SIZE ||
29250 - TASK_SIZE - eppnt->p_memsz < k) {
29251 + eppnt->p_memsz > pax_task_size ||
29252 + pax_task_size - eppnt->p_memsz < k) {
29253 error = -ENOMEM;
29254 goto out_close;
29255 }
29256 @@ -533,6 +553,177 @@ out:
29257 return error;
29258 }
29259
29260 +#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
29261 +static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
29262 +{
29263 + unsigned long pax_flags = 0UL;
29264 +
29265 +#ifdef CONFIG_PAX_PAGEEXEC
29266 + if (elf_phdata->p_flags & PF_PAGEEXEC)
29267 + pax_flags |= MF_PAX_PAGEEXEC;
29268 +#endif
29269 +
29270 +#ifdef CONFIG_PAX_SEGMEXEC
29271 + if (elf_phdata->p_flags & PF_SEGMEXEC)
29272 + pax_flags |= MF_PAX_SEGMEXEC;
29273 +#endif
29274 +
29275 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
29276 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29277 + if ((__supported_pte_mask & _PAGE_NX))
29278 + pax_flags &= ~MF_PAX_SEGMEXEC;
29279 + else
29280 + pax_flags &= ~MF_PAX_PAGEEXEC;
29281 + }
29282 +#endif
29283 +
29284 +#ifdef CONFIG_PAX_EMUTRAMP
29285 + if (elf_phdata->p_flags & PF_EMUTRAMP)
29286 + pax_flags |= MF_PAX_EMUTRAMP;
29287 +#endif
29288 +
29289 +#ifdef CONFIG_PAX_MPROTECT
29290 + if (elf_phdata->p_flags & PF_MPROTECT)
29291 + pax_flags |= MF_PAX_MPROTECT;
29292 +#endif
29293 +
29294 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
29295 + if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
29296 + pax_flags |= MF_PAX_RANDMMAP;
29297 +#endif
29298 +
29299 + return pax_flags;
29300 +}
29301 +#endif
29302 +
29303 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
29304 +static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
29305 +{
29306 + unsigned long pax_flags = 0UL;
29307 +
29308 +#ifdef CONFIG_PAX_PAGEEXEC
29309 + if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
29310 + pax_flags |= MF_PAX_PAGEEXEC;
29311 +#endif
29312 +
29313 +#ifdef CONFIG_PAX_SEGMEXEC
29314 + if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
29315 + pax_flags |= MF_PAX_SEGMEXEC;
29316 +#endif
29317 +
29318 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
29319 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29320 + if ((__supported_pte_mask & _PAGE_NX))
29321 + pax_flags &= ~MF_PAX_SEGMEXEC;
29322 + else
29323 + pax_flags &= ~MF_PAX_PAGEEXEC;
29324 + }
29325 +#endif
29326 +
29327 +#ifdef CONFIG_PAX_EMUTRAMP
29328 + if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
29329 + pax_flags |= MF_PAX_EMUTRAMP;
29330 +#endif
29331 +
29332 +#ifdef CONFIG_PAX_MPROTECT
29333 + if (!(elf_phdata->p_flags & PF_NOMPROTECT))
29334 + pax_flags |= MF_PAX_MPROTECT;
29335 +#endif
29336 +
29337 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
29338 + if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
29339 + pax_flags |= MF_PAX_RANDMMAP;
29340 +#endif
29341 +
29342 + return pax_flags;
29343 +}
29344 +#endif
29345 +
29346 +#ifdef CONFIG_PAX_EI_PAX
29347 +static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
29348 +{
29349 + unsigned long pax_flags = 0UL;
29350 +
29351 +#ifdef CONFIG_PAX_PAGEEXEC
29352 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
29353 + pax_flags |= MF_PAX_PAGEEXEC;
29354 +#endif
29355 +
29356 +#ifdef CONFIG_PAX_SEGMEXEC
29357 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
29358 + pax_flags |= MF_PAX_SEGMEXEC;
29359 +#endif
29360 +
29361 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
29362 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29363 + if ((__supported_pte_mask & _PAGE_NX))
29364 + pax_flags &= ~MF_PAX_SEGMEXEC;
29365 + else
29366 + pax_flags &= ~MF_PAX_PAGEEXEC;
29367 + }
29368 +#endif
29369 +
29370 +#ifdef CONFIG_PAX_EMUTRAMP
29371 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
29372 + pax_flags |= MF_PAX_EMUTRAMP;
29373 +#endif
29374 +
29375 +#ifdef CONFIG_PAX_MPROTECT
29376 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
29377 + pax_flags |= MF_PAX_MPROTECT;
29378 +#endif
29379 +
29380 +#ifdef CONFIG_PAX_ASLR
29381 + if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
29382 + pax_flags |= MF_PAX_RANDMMAP;
29383 +#endif
29384 +
29385 + return pax_flags;
29386 +}
29387 +#endif
29388 +
29389 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
29390 +static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
29391 +{
29392 + unsigned long pax_flags = 0UL;
29393 +
29394 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
29395 + unsigned long i;
29396 +#endif
29397 +
29398 +#ifdef CONFIG_PAX_EI_PAX
29399 + pax_flags = pax_parse_ei_pax(elf_ex);
29400 +#endif
29401 +
29402 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
29403 + for (i = 0UL; i < elf_ex->e_phnum; i++)
29404 + if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
29405 + if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
29406 + ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
29407 + ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
29408 + ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
29409 + ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
29410 + return -EINVAL;
29411 +
29412 +#ifdef CONFIG_PAX_SOFTMODE
29413 + if (pax_softmode)
29414 + pax_flags = pax_parse_softmode(&elf_phdata[i]);
29415 + else
29416 +#endif
29417 +
29418 + pax_flags = pax_parse_hardmode(&elf_phdata[i]);
29419 + break;
29420 + }
29421 +#endif
29422 +
29423 + if (0 > pax_check_flags(&pax_flags))
29424 + return -EINVAL;
29425 +
29426 + current->mm->pax_flags = pax_flags;
29427 + return 0;
29428 +}
29429 +#endif
29430 +
29431 /*
29432 * These are the functions used to load ELF style executables and shared
29433 * libraries. There is no binary dependent code anywhere else.
29434 @@ -549,6 +740,11 @@ static unsigned long randomize_stack_top
29435 {
29436 unsigned int random_variable = 0;
29437
29438 +#ifdef CONFIG_PAX_RANDUSTACK
29439 + if (randomize_va_space)
29440 + return stack_top - current->mm->delta_stack;
29441 +#endif
29442 +
29443 if ((current->flags & PF_RANDOMIZE) &&
29444 !(current->personality & ADDR_NO_RANDOMIZE)) {
29445 random_variable = get_random_int() & STACK_RND_MASK;
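Review bot: The added early return in randomize_stack_top bypasses the `PF_RANDOMIZE` / `ADDR_NO_RANDOMIZE` personality checks that follow it, so with CONFIG_PAX_RANDUSTACK and randomize_va_space set the stack offset comes from `current->mm->delta_stack` regardless of personality. That is presumably intended, since later in this patch delta_stack is reset to 0 in load_elf_binary and only filled in when MF_PAX_RANDMMAP was granted, but the dependency is not stated here; a comment such as `/* PaX: delta_stack is 0 unless MF_PAX_RANDMMAP was granted, so the personality check below is only for the non-PaX case */` would make it explicit. The function continues past the end of the hunk.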
29446 @@ -567,7 +763,7 @@ static int load_elf_binary(struct linux_
29447 unsigned long load_addr = 0, load_bias = 0;
29448 int load_addr_set = 0;
29449 char * elf_interpreter = NULL;
29450 - unsigned long error;
29451 + unsigned long error = 0;
29452 struct elf_phdr *elf_ppnt, *elf_phdata;
29453 unsigned long elf_bss, elf_brk;
29454 int retval, i;
29455 @@ -577,11 +773,11 @@ static int load_elf_binary(struct linux_
29456 unsigned long start_code, end_code, start_data, end_data;
29457 unsigned long reloc_func_desc = 0;
29458 int executable_stack = EXSTACK_DEFAULT;
29459 - unsigned long def_flags = 0;
29460 struct {
29461 struct elfhdr elf_ex;
29462 struct elfhdr interp_elf_ex;
29463 } *loc;
29464 + unsigned long pax_task_size = TASK_SIZE;
29465
29466 loc = kmalloc(sizeof(*loc), GFP_KERNEL);
29467 if (!loc) {
29468 @@ -719,11 +915,80 @@ static int load_elf_binary(struct linux_
29469
29470 /* OK, This is the point of no return */
29471 current->flags &= ~PF_FORKNOEXEC;
29472 - current->mm->def_flags = def_flags;
29473 +
29474 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
29475 + current->mm->pax_flags = 0UL;
29476 +#endif
29477 +
29478 +#ifdef CONFIG_PAX_DLRESOLVE
29479 + current->mm->call_dl_resolve = 0UL;
29480 +#endif
29481 +
29482 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
29483 + current->mm->call_syscall = 0UL;
29484 +#endif
29485 +
29486 +#ifdef CONFIG_PAX_ASLR
29487 + current->mm->delta_mmap = 0UL;
29488 + current->mm->delta_stack = 0UL;
29489 +#endif
29490 +
29491 + current->mm->def_flags = 0;
29492 +
29493 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
29494 + if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
29495 + send_sig(SIGKILL, current, 0);
29496 + goto out_free_dentry;
29497 + }
29498 +#endif
29499 +
29500 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
29501 + pax_set_initial_flags(bprm);
29502 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
29503 + if (pax_set_initial_flags_func)
29504 + (pax_set_initial_flags_func)(bprm);
29505 +#endif
29506 +
29507 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
29508 + if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !(__supported_pte_mask & _PAGE_NX)) {
29509 + current->mm->context.user_cs_limit = PAGE_SIZE;
29510 + current->mm->def_flags |= VM_PAGEEXEC;
29511 + }
29512 +#endif
29513 +
29514 +#ifdef CONFIG_PAX_SEGMEXEC
29515 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
29516 + current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
29517 + current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
29518 + pax_task_size = SEGMEXEC_TASK_SIZE;
29519 + }
29520 +#endif
29521 +
29522 +#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
29523 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29524 + set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
29525 + put_cpu();
29526 + }
29527 +#endif
29528
29529 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
29530 may depend on the personality. */
29531 SET_PERSONALITY(loc->elf_ex);
29532 +
29533 +#ifdef CONFIG_PAX_ASLR
29534 + if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
29535 + current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
29536 + current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
29537 + }
29538 +#endif
29539 +
29540 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
29541 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29542 + executable_stack = EXSTACK_DISABLE_X;
29543 + current->personality &= ~READ_IMPLIES_EXEC;
29544 + } else
29545 +#endif
29546 +
29547 if (elf_read_implies_exec(loc->elf_ex, executable_stack))
29548 current->personality |= READ_IMPLIES_EXEC;
29549
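Review bot: The failure path added after `pax_parse_elf_flags` sends SIGKILL and jumps to out_free_dentry without setting `retval`, unlike the existing segment-size check further down in this function, which does `send_sig(SIGKILL, current, 0); retval = -EINVAL; goto out_free_dentry;`. At this point retval is presumably still the 0 left by the previous successful step, so load_elf_binary would report success for an exec it has just killed; adding `retval = -EINVAL;` before the goto keeps the two paths consistent. The `} else` immediately followed by `#endif` and then the unconditional `if (elf_read_implies_exec(...))` is also easy to misread as a dangling else; bracing the trailing if-statement would make the pairing obvious. load_elf_binary starts and ends outside this hunk.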
29550 @@ -805,6 +1070,20 @@ static int load_elf_binary(struct linux_
29551 #else
29552 load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
29553 #endif
29554 +
29555 +#ifdef CONFIG_PAX_RANDMMAP
29556 + /* PaX: randomize base address at the default exe base if requested */
29557 + if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
29558 +#ifdef CONFIG_SPARC64
29559 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
29560 +#else
29561 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
29562 +#endif
29563 + load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
29564 + elf_flags |= MAP_FIXED;
29565 + }
29566 +#endif
29567 +
29568 }
29569
29570 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
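Review bot: The `CONFIG_SPARC64` branch shifts the random value by `PAGE_SHIFT+1` while the generic branch uses `PAGE_SHIFT`, and nothing says why; as written a reader cannot tell whether the extra bit is an alignment constraint of that architecture or an oversight, so a one-line comment stating the requirement it serves belongs next to the `#ifdef`. Forcing `MAP_FIXED` on the randomised base is fine here only because the mm is fresh at this stage of exec; the existing "randomize base address" comment could say that the fixed mapping cannot collide for that reason. The enclosing `if` block starts outside the hunk.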
29571 @@ -837,9 +1116,9 @@ static int load_elf_binary(struct linux_
29572 * allowed task size. Note that p_filesz must always be
29573 * <= p_memsz so it is only necessary to check p_memsz.
29574 */
29575 - if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
29576 - elf_ppnt->p_memsz > TASK_SIZE ||
29577 - TASK_SIZE - elf_ppnt->p_memsz < k) {
29578 + if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
29579 + elf_ppnt->p_memsz > pax_task_size ||
29580 + pax_task_size - elf_ppnt->p_memsz < k) {
29581 /* set_brk can never work. Avoid overflows. */
29582 send_sig(SIGKILL, current, 0);
29583 retval = -EINVAL;
29584 @@ -867,6 +1146,11 @@ static int load_elf_binary(struct linux_
29585 start_data += load_bias;
29586 end_data += load_bias;
29587
29588 +#ifdef CONFIG_PAX_RANDMMAP
29589 + if (current->mm->pax_flags & MF_PAX_RANDMMAP)
29590 + elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
29591 +#endif
29592 +
29593 /* Calling set_brk effectively mmaps the pages that we need
29594 * for the bss and break sections. We must do this before
29595 * mapping in the interpreter, to make sure it doesn't wind
29596 @@ -878,9 +1162,11 @@ static int load_elf_binary(struct linux_
29597 goto out_free_dentry;
29598 }
29599 if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
29600 - send_sig(SIGSEGV, current, 0);
29601 - retval = -EFAULT; /* Nobody gets to see this, but.. */
29602 - goto out_free_dentry;
29603 + /*
29604 + * This bss-zeroing can fail if the ELF
29605 + * file specifies odd protections. So
29606 + * we don't check the return value
29607 + */
29608 }
29609
29610 if (elf_interpreter) {
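Review bot: The condition `if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss)))` now guards a block that contains only a comment, so the `padzero` call survives purely as a side effect inside an if-expression with an empty body. Writing the intent directly, `if (likely(elf_bss != elf_brk)) padzero(elf_bss); /* may fail for odd protections; deliberately ignored */`, says the same thing and removes the empty block and the now-meaningless `unlikely()`.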
29611 @@ -1091,7 +1377,7 @@ out:
29612 * Decide what to dump of a segment, part, all or none.
29613 */
29614 static unsigned long vma_dump_size(struct vm_area_struct *vma,
29615 - unsigned long mm_flags)
29616 + unsigned long mm_flags, long signr)
29617 {
29618 #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
29619
29620 @@ -1125,7 +1411,7 @@ static unsigned long vma_dump_size(struc
29621 if (vma->vm_file == NULL)
29622 return 0;
29623
29624 - if (FILTER(MAPPED_PRIVATE))
29625 + if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
29626 goto whole;
29627
29628 /*
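Review bot: The new `signr == SIGKILL` test makes vma_dump_size dump every file-backed mapping in full when the process died by SIGKILL, overriding the MMF_DUMP_* filters the user configured, and the reason is not documented in the hunk. A comment at that line such as `/* dump file-backed mappings whole when the process was SIGKILLed, regardless of coredump_filter */` would state the policy; which callers reach this with SIGKILL is not visible from here. vma_dump_size starts and ends outside the hunk.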
29629 @@ -1347,9 +1633,9 @@ static void fill_auxv_note(struct memelf
29630 {
29631 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
29632 int i = 0;
29633 - do
29634 + do {
29635 i += 2;
29636 - while (auxv[i - 2] != AT_NULL);
29637 + } while (auxv[i - 2] != AT_NULL);
29638 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
29639 }
29640
29641 @@ -1855,14 +2141,14 @@ static void fill_extnum_info(struct elfh
29642 }
29643
29644 static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma,
29645 - unsigned long mm_flags)
29646 + struct coredump_params *cprm)
29647 {
29648 struct vm_area_struct *vma;
29649 size_t size = 0;
29650
29651 for (vma = first_vma(current, gate_vma); vma != NULL;
29652 vma = next_vma(vma, gate_vma))
29653 - size += vma_dump_size(vma, mm_flags);
29654 + size += vma_dump_size(vma, cprm->mm_flags, cprm->signr);
29655 return size;
29656 }
29657
29658 @@ -1956,7 +2242,7 @@ static int elf_core_dump(struct coredump
29659
29660 dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
29661
29662 - offset += elf_core_vma_data_size(gate_vma, cprm->mm_flags);
29663 + offset += elf_core_vma_data_size(gate_vma, cprm);
29664 offset += elf_core_extra_data_size();
29665 e_shoff = offset;
29666
29667 @@ -1970,10 +2256,12 @@ static int elf_core_dump(struct coredump
29668 offset = dataoff;
29669
29670 size += sizeof(*elf);
29671 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
29672 if (size > cprm->limit || !dump_write(cprm->file, elf, sizeof(*elf)))
29673 goto end_coredump;
29674
29675 size += sizeof(*phdr4note);
29676 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
29677 if (size > cprm->limit
29678 || !dump_write(cprm->file, phdr4note, sizeof(*phdr4note)))
29679 goto end_coredump;
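Review bot: `gr_learn_resource(current, RLIMIT_CORE, size, 1);` is hand-inserted before each `size > cprm->limit` check in this hunk and again in the three following elf_core_dump hunks (once as `size + PAGE_SIZE` in the page loop), so every insertion must be kept in step with the size accounting beside it. A small static helper that performs the gr_learn_resource call and returns the limit comparison, e.g. `static bool core_size_ok(size_t size, const struct coredump_params *cprm) { gr_learn_resource(current, RLIMIT_CORE, size, 1); return size <= cprm->limit; }`, would remove the duplication. elf_core_dump starts and ends outside these hunks.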
29680 @@ -1987,7 +2275,7 @@ static int elf_core_dump(struct coredump
29681 phdr.p_offset = offset;
29682 phdr.p_vaddr = vma->vm_start;
29683 phdr.p_paddr = 0;
29684 - phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags);
29685 + phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags, cprm->signr);
29686 phdr.p_memsz = vma->vm_end - vma->vm_start;
29687 offset += phdr.p_filesz;
29688 phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
29689 @@ -1998,6 +2286,7 @@ static int elf_core_dump(struct coredump
29690 phdr.p_align = ELF_EXEC_PAGESIZE;
29691
29692 size += sizeof(phdr);
29693 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
29694 if (size > cprm->limit
29695 || !dump_write(cprm->file, &phdr, sizeof(phdr)))
29696 goto end_coredump;
29697 @@ -2022,7 +2311,7 @@ static int elf_core_dump(struct coredump
29698 unsigned long addr;
29699 unsigned long end;
29700
29701 - end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags);
29702 + end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags, cprm->signr);
29703
29704 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
29705 struct page *page;
29706 @@ -2031,6 +2320,7 @@ static int elf_core_dump(struct coredump
29707 page = get_dump_page(addr);
29708 if (page) {
29709 void *kaddr = kmap(page);
29710 + gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
29711 stop = ((size += PAGE_SIZE) > cprm->limit) ||
29712 !dump_write(cprm->file, kaddr,
29713 PAGE_SIZE);
29714 @@ -2048,6 +2338,7 @@ static int elf_core_dump(struct coredump
29715
29716 if (e_phnum == PN_XNUM) {
29717 size += sizeof(*shdr4extnum);
29718 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
29719 if (size > cprm->limit
29720 || !dump_write(cprm->file, shdr4extnum,
29721 sizeof(*shdr4extnum)))
29722 @@ -2068,6 +2359,97 @@ out:
29723
29724 #endif /* CONFIG_ELF_CORE */
29725
29726 +#ifdef CONFIG_PAX_MPROTECT
29727 +/* PaX: non-PIC ELF libraries need relocations on their executable segments
29728 + * therefore we'll grant them VM_MAYWRITE once during their life. Similarly
29729 + * we'll remove VM_MAYWRITE for good on RELRO segments.
29730 + *
29731 + * The checks favour ld-linux.so behaviour which operates on a per ELF segment
29732 + * basis because we want to allow the common case and not the special ones.
29733 + */
29734 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags)
29735 +{
29736 + struct elfhdr elf_h;
29737 + struct elf_phdr elf_p;
29738 + unsigned long i;
29739 + unsigned long oldflags;
29740 + bool is_textrel_rw, is_textrel_rx, is_relro;
29741 +
29742 + if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT))
29743 + return;
29744 +
29745 + oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);
29746 + newflags &= VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ;
29747 +
29748 +#ifdef CONFIG_PAX_ELFRELOCS
29749 + /* possible TEXTREL */
29750 + is_textrel_rw = vma->vm_file && !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ);
29751 + is_textrel_rx = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ);
29752 +#else
29753 + is_textrel_rw = false;
29754 + is_textrel_rx = false;
29755 +#endif
29756 +
29757 + /* possible RELRO */
29758 + is_relro = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ);
29759 +
29760 + if (!is_textrel_rw && !is_textrel_rx && !is_relro)
29761 + return;
29762 +
29763 + if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
29764 + memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
29765 +
29766 +#ifdef CONFIG_PAX_ETEXECRELOCS
29767 + ((is_textrel_rw || is_textrel_rx) && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
29768 +#else
29769 + ((is_textrel_rw || is_textrel_rx) && elf_h.e_type != ET_DYN) ||
29770 +#endif
29771 +
29772 + (is_relro && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
29773 + !elf_check_arch(&elf_h) ||
29774 + elf_h.e_phentsize != sizeof(struct elf_phdr) ||
29775 + elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
29776 + return;
29777 +
29778 + for (i = 0UL; i < elf_h.e_phnum; i++) {
29779 + if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
29780 + return;
29781 + switch (elf_p.p_type) {
29782 + case PT_DYNAMIC:
29783 + if (!is_textrel_rw && !is_textrel_rx)
29784 + continue;
29785 + i = 0UL;
29786 + while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
29787 + elf_dyn dyn;
29788 +
29789 + if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
29790 + return;
29791 + if (dyn.d_tag == DT_NULL)
29792 + return;
29793 + if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
29794 + gr_log_textrel(vma);
29795 + if (is_textrel_rw)
29796 + vma->vm_flags |= VM_MAYWRITE;
29797 + else
29798 + /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
29799 + vma->vm_flags &= ~VM_MAYWRITE;
29800 + return;
29801 + }
29802 + i++;
29803 + }
29804 + return;
29805 +
29806 + case PT_GNU_RELRO:
29807 + if (!is_relro)
29808 + continue;
29809 + if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start)
29810 + vma->vm_flags &= ~VM_MAYWRITE;
29811 + return;
29812 + }
29813 + }
29814 +}
29815 +#endif
29816 +
29817 static int __init init_elf_binfmt(void)
29818 {
29819 return register_binfmt(&elf_format);
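Review bot: In elf_handle_mprotect the `PT_DYNAMIC` case reuses the program-header loop counter `i` as the index into the dynamic section (`i = 0UL;` followed by `i++`), which is only safe because every path out of that case returns; a separate local such as `unsigned long j` would remove that hidden invariant. The `switch (elf_p.p_type)` has no `default:`, and `elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr)` uses an unnamed bound — a comment stating that it caps the total program-header bytes this function is willing to read from the file would say why that value. Both `kernel_read` offsets (`elf_h.e_phoff + i*sizeof(elf_p)` and `elf_p.p_offset + i*sizeof(dyn)`) come straight from the file; presumably an out-of-range or overflowed offset just makes the short-read check fail, which is what the early returns rely on, and a comment saying so would help.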
29820 diff -urNp linux-2.6.37/fs/binfmt_flat.c linux-2.6.37/fs/binfmt_flat.c
29821 --- linux-2.6.37/fs/binfmt_flat.c 2011-01-04 19:50:19.000000000 -0500
29822 +++ linux-2.6.37/fs/binfmt_flat.c 2011-01-17 02:41:01.000000000 -0500
29823 @@ -567,7 +567,9 @@ static int load_flat_file(struct linux_b
29824 realdatastart = (unsigned long) -ENOMEM;
29825 printk("Unable to allocate RAM for process data, errno %d\n",
29826 (int)-realdatastart);
29827 + down_write(&current->mm->mmap_sem);
29828 do_munmap(current->mm, textpos, text_len);
29829 + up_write(&current->mm->mmap_sem);
29830 ret = realdatastart;
29831 goto err;
29832 }
29833 @@ -591,8 +593,10 @@ static int load_flat_file(struct linux_b
29834 }
29835 if (IS_ERR_VALUE(result)) {
29836 printk("Unable to read data+bss, errno %d\n", (int)-result);
29837 + down_write(&current->mm->mmap_sem);
29838 do_munmap(current->mm, textpos, text_len);
29839 do_munmap(current->mm, realdatastart, len);
29840 + up_write(&current->mm->mmap_sem);
29841 ret = result;
29842 goto err;
29843 }
29844 @@ -661,8 +665,10 @@ static int load_flat_file(struct linux_b
29845 }
29846 if (IS_ERR_VALUE(result)) {
29847 printk("Unable to read code+data+bss, errno %d\n",(int)-result);
29848 + down_write(&current->mm->mmap_sem);
29849 do_munmap(current->mm, textpos, text_len + data_len + extra +
29850 MAX_SHARED_LIBS * sizeof(unsigned long));
29851 + up_write(&current->mm->mmap_sem);
29852 ret = result;
29853 goto err;
29854 }
29855 diff -urNp linux-2.6.37/fs/binfmt_misc.c linux-2.6.37/fs/binfmt_misc.c
29856 --- linux-2.6.37/fs/binfmt_misc.c 2011-01-04 19:50:19.000000000 -0500
29857 +++ linux-2.6.37/fs/binfmt_misc.c 2011-01-17 02:41:01.000000000 -0500
29858 @@ -698,7 +698,7 @@ static int bm_fill_super(struct super_bl
29859 static struct tree_descr bm_files[] = {
29860 [2] = {"status", &bm_status_operations, S_IWUSR|S_IRUGO},
29861 [3] = {"register", &bm_register_operations, S_IWUSR},
29862 - /* last one */ {""}
29863 + /* last one */ {"", NULL, 0}
29864 };
29865 int err = simple_fill_super(sb, 0x42494e4d, bm_files);
29866 if (!err)
29867 diff -urNp linux-2.6.37/fs/bio.c linux-2.6.37/fs/bio.c
29868 --- linux-2.6.37/fs/bio.c 2011-01-04 19:50:19.000000000 -0500
29869 +++ linux-2.6.37/fs/bio.c 2011-01-17 02:41:01.000000000 -0500
29870 @@ -1233,7 +1233,7 @@ static void bio_copy_kern_endio(struct b
29871 const int read = bio_data_dir(bio) == READ;
29872 struct bio_map_data *bmd = bio->bi_private;
29873 int i;
29874 - char *p = bmd->sgvecs[0].iov_base;
29875 + char *p = (__force char *)bmd->sgvecs[0].iov_base;
29876
29877 __bio_for_each_segment(bvec, bio, i, 0) {
29878 char *addr = page_address(bvec->bv_page);
29879 diff -urNp linux-2.6.37/fs/block_dev.c linux-2.6.37/fs/block_dev.c
29880 --- linux-2.6.37/fs/block_dev.c 2011-01-04 19:50:19.000000000 -0500
29881 +++ linux-2.6.37/fs/block_dev.c 2011-01-17 02:41:01.000000000 -0500
29882 @@ -662,7 +662,7 @@ static bool bd_may_claim(struct block_de
29883 else if (bdev->bd_contains == bdev)
29884 return true; /* is a whole device which isn't held */
29885
29886 - else if (whole->bd_holder == bd_claim)
29887 + else if (whole->bd_holder == (void *)bd_claim)
29888 return true; /* is a partition of a device that is being partitioned */
29889 else if (whole->bd_holder != NULL)
29890 return false; /* is a partition of a held device */
29891 diff -urNp linux-2.6.37/fs/btrfs/ctree.c linux-2.6.37/fs/btrfs/ctree.c
29892 --- linux-2.6.37/fs/btrfs/ctree.c 2011-01-04 19:50:19.000000000 -0500
29893 +++ linux-2.6.37/fs/btrfs/ctree.c 2011-01-17 02:41:01.000000000 -0500
29894 @@ -466,9 +466,12 @@ static noinline int __btrfs_cow_block(st
29895 free_extent_buffer(buf);
29896 add_root_to_dirty_list(root);
29897 } else {
29898 - if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID)
29899 - parent_start = parent->start;
29900 - else
29901 + if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID) {
29902 + if (parent)
29903 + parent_start = parent->start;
29904 + else
29905 + parent_start = 0;
29906 + } else
29907 parent_start = 0;
29908
29909 WARN_ON(trans->transid != btrfs_header_generation(parent));
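Review bot: The added `if (parent)` guard is immediately followed by the unchanged `WARN_ON(trans->transid != btrfs_header_generation(parent));`, which dereferences `parent` unconditionally, so a NULL parent on the reloc-tree path still faults one line later; either the guard is unnecessary or the WARN_ON needs a matching check. Both branches of the outer if now end in `parent_start = 0`, so the whole construct collapses to `parent_start = (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID && parent) ? parent->start : 0;`. __btrfs_cow_block starts and ends outside the hunk.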
29910 @@ -3768,7 +3771,6 @@ setup_items_for_insert(struct btrfs_tran
29911
29912 ret = 0;
29913 if (slot == 0) {
29914 - struct btrfs_disk_key disk_key;
29915 btrfs_cpu_key_to_disk(&disk_key, cpu_key);
29916 ret = fixup_low_keys(trans, root, path, &disk_key, 1);
29917 }
29918 diff -urNp linux-2.6.37/fs/btrfs/disk-io.c linux-2.6.37/fs/btrfs/disk-io.c
29919 --- linux-2.6.37/fs/btrfs/disk-io.c 2011-01-04 19:50:19.000000000 -0500
29920 +++ linux-2.6.37/fs/btrfs/disk-io.c 2011-01-17 02:41:01.000000000 -0500
29921 @@ -41,7 +41,7 @@
29922 #include "tree-log.h"
29923 #include "free-space-cache.h"
29924
29925 -static struct extent_io_ops btree_extent_io_ops;
29926 +static const struct extent_io_ops btree_extent_io_ops;
29927 static void end_workqueue_fn(struct btrfs_work *work);
29928 static void free_fs_root(struct btrfs_root *root);
29929
29930 @@ -2619,7 +2619,7 @@ out:
29931 return 0;
29932 }
29933
29934 -static struct extent_io_ops btree_extent_io_ops = {
29935 +static const struct extent_io_ops btree_extent_io_ops = {
29936 .write_cache_pages_lock_hook = btree_lock_page_hook,
29937 .readpage_end_io_hook = btree_readpage_end_io_hook,
29938 .submit_bio_hook = btree_submit_bio_hook,
29939 diff -urNp linux-2.6.37/fs/btrfs/extent_io.h linux-2.6.37/fs/btrfs/extent_io.h
29940 --- linux-2.6.37/fs/btrfs/extent_io.h 2011-01-04 19:50:19.000000000 -0500
29941 +++ linux-2.6.37/fs/btrfs/extent_io.h 2011-01-17 02:41:01.000000000 -0500
29942 @@ -51,36 +51,36 @@ typedef int (extent_submit_bio_hook_t)(s
29943 struct bio *bio, int mirror_num,
29944 unsigned long bio_flags, u64 bio_offset);
29945 struct extent_io_ops {
29946 - int (*fill_delalloc)(struct inode *inode, struct page *locked_page,
29947 + int (* const fill_delalloc)(struct inode *inode, struct page *locked_page,
29948 u64 start, u64 end, int *page_started,
29949 unsigned long *nr_written);
29950 - int (*writepage_start_hook)(struct page *page, u64 start, u64 end);
29951 - int (*writepage_io_hook)(struct page *page, u64 start, u64 end);
29952 + int (* const writepage_start_hook)(struct page *page, u64 start, u64 end);
29953 + int (* const writepage_io_hook)(struct page *page, u64 start, u64 end);
29954 extent_submit_bio_hook_t *submit_bio_hook;
29955 - int (*merge_bio_hook)(struct page *page, unsigned long offset,
29956 + int (* const merge_bio_hook)(struct page *page, unsigned long offset,
29957 size_t size, struct bio *bio,
29958 unsigned long bio_flags);
29959 - int (*readpage_io_hook)(struct page *page, u64 start, u64 end);
29960 - int (*readpage_io_failed_hook)(struct bio *bio, struct page *page,
29961 + int (* const readpage_io_hook)(struct page *page, u64 start, u64 end);
29962 + int (* const readpage_io_failed_hook)(struct bio *bio, struct page *page,
29963 u64 start, u64 end,
29964 struct extent_state *state);
29965 - int (*writepage_io_failed_hook)(struct bio *bio, struct page *page,
29966 + int (* const writepage_io_failed_hook)(struct bio *bio, struct page *page,
29967 u64 start, u64 end,
29968 struct extent_state *state);
29969 - int (*readpage_end_io_hook)(struct page *page, u64 start, u64 end,
29970 + int (* const readpage_end_io_hook)(struct page *page, u64 start, u64 end,
29971 struct extent_state *state);
29972 - int (*writepage_end_io_hook)(struct page *page, u64 start, u64 end,
29973 + int (* const writepage_end_io_hook)(struct page *page, u64 start, u64 end,
29974 struct extent_state *state, int uptodate);
29975 - int (*set_bit_hook)(struct inode *inode, struct extent_state *state,
29976 + int (* const set_bit_hook)(struct inode *inode, struct extent_state *state,
29977 int *bits);
29978 - int (*clear_bit_hook)(struct inode *inode, struct extent_state *state,
29979 + int (* const clear_bit_hook)(struct inode *inode, struct extent_state *state,
29980 int *bits);
29981 - int (*merge_extent_hook)(struct inode *inode,
29982 + int (* const merge_extent_hook)(struct inode *inode,
29983 struct extent_state *new,
29984 struct extent_state *other);
29985 - int (*split_extent_hook)(struct inode *inode,
29986 + int (* const split_extent_hook)(struct inode *inode,
29987 struct extent_state *orig, u64 split);
29988 - int (*write_cache_pages_lock_hook)(struct page *page);
29989 + int (* const write_cache_pages_lock_hook)(struct page *page);
29990 };
29991
29992 struct extent_io_tree {
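Review bot: Every function-pointer member of `struct extent_io_ops` is made `* const` except `submit_bio_hook`, whose line `extent_submit_bio_hook_t *submit_bio_hook;` is left untouched between writepage_io_hook and merge_bio_hook. If the goal is a fully read-only ops table the typedef'd member needs the same treatment: `extent_submit_bio_hook_t * const submit_bio_hook;`. Presumably nothing assigns it after initialisation, but the users are not visible from this hunk.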
29993 @@ -90,7 +90,7 @@ struct extent_io_tree {
29994 u64 dirty_bytes;
29995 spinlock_t lock;
29996 spinlock_t buffer_lock;
29997 - struct extent_io_ops *ops;
29998 + const struct extent_io_ops *ops;
29999 };
30000
30001 struct extent_state {
30002 diff -urNp linux-2.6.37/fs/btrfs/free-space-cache.c linux-2.6.37/fs/btrfs/free-space-cache.c
30003 --- linux-2.6.37/fs/btrfs/free-space-cache.c 2011-01-04 19:50:19.000000000 -0500
30004 +++ linux-2.6.37/fs/btrfs/free-space-cache.c 2011-01-17 02:41:01.000000000 -0500
30005 @@ -1828,8 +1828,6 @@ u64 btrfs_alloc_from_cluster(struct btrf
30006
30007 while(1) {
30008 if (entry->bytes < bytes || entry->offset < min_start) {
30009 - struct rb_node *node;
30010 -
30011 node = rb_next(&entry->offset_index);
30012 if (!node)
30013 break;
30014 @@ -1980,7 +1978,7 @@ again:
30015 */
30016 while (entry->bitmap || found_bitmap ||
30017 (!entry->bitmap && entry->bytes < min_bytes)) {
30018 - struct rb_node *node = rb_next(&entry->offset_index);
30019 + node = rb_next(&entry->offset_index);
30020
30021 if (entry->bitmap && entry->bytes > bytes + empty_size) {
30022 ret = btrfs_bitmap_cluster(block_group, entry, cluster,
30023 diff -urNp linux-2.6.37/fs/btrfs/inode.c linux-2.6.37/fs/btrfs/inode.c
30024 --- linux-2.6.37/fs/btrfs/inode.c 2011-01-04 19:50:19.000000000 -0500
30025 +++ linux-2.6.37/fs/btrfs/inode.c 2011-01-17 02:41:01.000000000 -0500
30026 @@ -64,7 +64,7 @@ static const struct inode_operations btr
30027 static const struct address_space_operations btrfs_aops;
30028 static const struct address_space_operations btrfs_symlink_aops;
30029 static const struct file_operations btrfs_dir_file_operations;
30030 -static struct extent_io_ops btrfs_extent_io_ops;
30031 +static const struct extent_io_ops btrfs_extent_io_ops;
30032
30033 static struct kmem_cache *btrfs_inode_cachep;
30034 struct kmem_cache *btrfs_trans_handle_cachep;
30035 @@ -7246,7 +7246,7 @@ static const struct file_operations btrf
30036 .fsync = btrfs_sync_file,
30037 };
30038
30039 -static struct extent_io_ops btrfs_extent_io_ops = {
30040 +static const struct extent_io_ops btrfs_extent_io_ops = {
30041 .fill_delalloc = run_delalloc_range,
30042 .submit_bio_hook = btrfs_submit_bio_hook,
30043 .merge_bio_hook = btrfs_merge_bio_hook,
30044 diff -urNp linux-2.6.37/fs/btrfs/relocation.c linux-2.6.37/fs/btrfs/relocation.c
30045 --- linux-2.6.37/fs/btrfs/relocation.c 2011-01-04 19:50:19.000000000 -0500
30046 +++ linux-2.6.37/fs/btrfs/relocation.c 2011-01-17 02:41:01.000000000 -0500
30047 @@ -1238,7 +1238,7 @@ static int __update_reloc_root(struct bt
30048 }
30049 spin_unlock(&rc->reloc_root_tree.lock);
30050
30051 - BUG_ON((struct btrfs_root *)node->data != root);
30052 + BUG_ON(!node || (struct btrfs_root *)node->data != root);
30053
30054 if (!del) {
30055 spin_lock(&rc->reloc_root_tree.lock);
30056 diff -urNp linux-2.6.37/fs/cachefiles/bind.c linux-2.6.37/fs/cachefiles/bind.c
30057 --- linux-2.6.37/fs/cachefiles/bind.c 2011-01-04 19:50:19.000000000 -0500
30058 +++ linux-2.6.37/fs/cachefiles/bind.c 2011-01-17 02:41:01.000000000 -0500
30059 @@ -39,13 +39,11 @@ int cachefiles_daemon_bind(struct cachef
30060 args);
30061
30062 /* start by checking things over */
30063 - ASSERT(cache->fstop_percent >= 0 &&
30064 - cache->fstop_percent < cache->fcull_percent &&
30065 + ASSERT(cache->fstop_percent < cache->fcull_percent &&
30066 cache->fcull_percent < cache->frun_percent &&
30067 cache->frun_percent < 100);
30068
30069 - ASSERT(cache->bstop_percent >= 0 &&
30070 - cache->bstop_percent < cache->bcull_percent &&
30071 + ASSERT(cache->bstop_percent < cache->bcull_percent &&
30072 cache->bcull_percent < cache->brun_percent &&
30073 cache->brun_percent < 100);
30074
30075 diff -urNp linux-2.6.37/fs/cachefiles/daemon.c linux-2.6.37/fs/cachefiles/daemon.c
30076 --- linux-2.6.37/fs/cachefiles/daemon.c 2011-01-04 19:50:19.000000000 -0500
30077 +++ linux-2.6.37/fs/cachefiles/daemon.c 2011-01-17 02:41:01.000000000 -0500
30078 @@ -196,7 +196,7 @@ static ssize_t cachefiles_daemon_read(st
30079 if (n > buflen)
30080 return -EMSGSIZE;
30081
30082 - if (copy_to_user(_buffer, buffer, n) != 0)
30083 + if (n > sizeof(buffer) || copy_to_user(_buffer, buffer, n) != 0)
30084 return -EFAULT;
30085
30086 return n;
30087 @@ -222,7 +222,7 @@ static ssize_t cachefiles_daemon_write(s
30088 if (test_bit(CACHEFILES_DEAD, &cache->flags))
30089 return -EIO;
30090
30091 - if (datalen < 0 || datalen > PAGE_SIZE - 1)
30092 + if (datalen > PAGE_SIZE - 1)
30093 return -EOPNOTSUPP;
30094
30095 /* drag the command string into the kernel so we can parse it */
30096 @@ -386,7 +386,7 @@ static int cachefiles_daemon_fstop(struc
30097 if (args[0] != '%' || args[1] != '\0')
30098 return -EINVAL;
30099
30100 - if (fstop < 0 || fstop >= cache->fcull_percent)
30101 + if (fstop >= cache->fcull_percent)
30102 return cachefiles_daemon_range_error(cache, args);
30103
30104 cache->fstop_percent = fstop;
30105 @@ -458,7 +458,7 @@ static int cachefiles_daemon_bstop(struc
30106 if (args[0] != '%' || args[1] != '\0')
30107 return -EINVAL;
30108
30109 - if (bstop < 0 || bstop >= cache->bcull_percent)
30110 + if (bstop >= cache->bcull_percent)
30111 return cachefiles_daemon_range_error(cache, args);
30112
30113 cache->bstop_percent = bstop;
30114 diff -urNp linux-2.6.37/fs/cachefiles/rdwr.c linux-2.6.37/fs/cachefiles/rdwr.c
30115 --- linux-2.6.37/fs/cachefiles/rdwr.c 2011-01-04 19:50:19.000000000 -0500
30116 +++ linux-2.6.37/fs/cachefiles/rdwr.c 2011-01-17 02:41:01.000000000 -0500
30117 @@ -945,7 +945,7 @@ int cachefiles_write_page(struct fscache
30118 old_fs = get_fs();
30119 set_fs(KERNEL_DS);
30120 ret = file->f_op->write(
30121 - file, (const void __user *) data, len, &pos);
30122 + file, (__force const void __user *) data, len, &pos);
30123 set_fs(old_fs);
30124 kunmap(page);
30125 if (ret != len)
30126 diff -urNp linux-2.6.37/fs/ceph/dir.c linux-2.6.37/fs/ceph/dir.c
30127 --- linux-2.6.37/fs/ceph/dir.c 2011-01-04 19:50:19.000000000 -0500
30128 +++ linux-2.6.37/fs/ceph/dir.c 2011-01-17 02:41:01.000000000 -0500
30129 @@ -223,7 +223,7 @@ static int ceph_readdir(struct file *fil
30130 struct ceph_fs_client *fsc = ceph_inode_to_client(inode);
30131 struct ceph_mds_client *mdsc = fsc->mdsc;
30132 unsigned frag = fpos_frag(filp->f_pos);
30133 - int off = fpos_off(filp->f_pos);
30134 + unsigned int off = fpos_off(filp->f_pos);
30135 int err;
30136 u32 ftype;
30137 struct ceph_mds_reply_info_parsed *rinfo;
30138 @@ -355,7 +355,7 @@ more:
30139 rinfo = &fi->last_readdir->r_reply_info;
30140 dout("readdir frag %x num %d off %d chunkoff %d\n", frag,
30141 rinfo->dir_nr, off, fi->offset);
30142 - while (off - fi->offset >= 0 && off - fi->offset < rinfo->dir_nr) {
30143 + while (off >= fi->offset && off - fi->offset < rinfo->dir_nr) {
30144 u64 pos = ceph_make_fpos(frag, off);
30145 struct ceph_mds_reply_inode *in =
30146 rinfo->dir_in[off - fi->offset].in;
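Review bot: `off` became `unsigned int` in the previous hunk, but the unchanged `dout("readdir frag %x num %d off %d chunkoff %d\n", frag, rinfo->dir_nr, off, fi->offset);` still prints it with `%d`; `%u` matches the new type. The rewritten condition `off >= fi->offset && off - fi->offset < rinfo->dir_nr` now compares an unsigned value against `fi->offset` and `rinfo->dir_nr`, whose types are outside the hunk — if either is a signed int the comparison is performed unsigned, which is correct for non-negative values but worth confirming. ceph_readdir starts and ends outside the hunk.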
30147 diff -urNp linux-2.6.37/fs/cifs/cifs_uniupr.h linux-2.6.37/fs/cifs/cifs_uniupr.h
30148 --- linux-2.6.37/fs/cifs/cifs_uniupr.h 2011-01-04 19:50:19.000000000 -0500
30149 +++ linux-2.6.37/fs/cifs/cifs_uniupr.h 2011-01-17 02:41:01.000000000 -0500
30150 @@ -132,7 +132,7 @@ const struct UniCaseRange CifsUniUpperRa
30151 {0x0490, 0x04cc, UniCaseRangeU0490},
30152 {0x1e00, 0x1ffc, UniCaseRangeU1e00},
30153 {0xff40, 0xff5a, UniCaseRangeUff40},
30154 - {0}
30155 + {0, 0, NULL}
30156 };
30157 #endif
30158
30159 diff -urNp linux-2.6.37/fs/cifs/link.c linux-2.6.37/fs/cifs/link.c
30160 --- linux-2.6.37/fs/cifs/link.c 2011-01-04 19:50:19.000000000 -0500
30161 +++ linux-2.6.37/fs/cifs/link.c 2011-01-17 02:41:01.000000000 -0500
30162 @@ -540,7 +540,7 @@ symlink_exit:
30163
30164 void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
30165 {
30166 - char *p = nd_get_link(nd);
30167 + const char *p = nd_get_link(nd);
30168 if (!IS_ERR(p))
30169 kfree(p);
30170 }
30171 diff -urNp linux-2.6.37/fs/compat_binfmt_elf.c linux-2.6.37/fs/compat_binfmt_elf.c
30172 --- linux-2.6.37/fs/compat_binfmt_elf.c 2011-01-04 19:50:19.000000000 -0500
30173 +++ linux-2.6.37/fs/compat_binfmt_elf.c 2011-01-17 02:41:01.000000000 -0500
30174 @@ -30,11 +30,13 @@
30175 #undef elf_phdr
30176 #undef elf_shdr
30177 #undef elf_note
30178 +#undef elf_dyn
30179 #undef elf_addr_t
30180 #define elfhdr elf32_hdr
30181 #define elf_phdr elf32_phdr
30182 #define elf_shdr elf32_shdr
30183 #define elf_note elf32_note
30184 +#define elf_dyn Elf32_Dyn
30185 #define elf_addr_t Elf32_Addr
30186
30187 /*
30188 diff -urNp linux-2.6.37/fs/compat.c linux-2.6.37/fs/compat.c
30189 --- linux-2.6.37/fs/compat.c 2011-01-04 19:50:19.000000000 -0500
30190 +++ linux-2.6.37/fs/compat.c 2011-01-17 02:41:01.000000000 -0500
30191 @@ -592,7 +592,7 @@ ssize_t compat_rw_copy_check_uvector(int
30192 goto out;
30193
30194 ret = -EINVAL;
30195 - if (nr_segs > UIO_MAXIOV || nr_segs < 0)
30196 + if (nr_segs > UIO_MAXIOV)
30197 goto out;
30198 if (nr_segs > fast_segs) {
30199 ret = -ENOMEM;
30200 @@ -876,6 +876,7 @@ struct compat_old_linux_dirent {
30201
30202 struct compat_readdir_callback {
30203 struct compat_old_linux_dirent __user *dirent;
30204 + struct file * file;
30205 int result;
30206 };
30207
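Review bot: The new member is spelled `struct file * file;`, with a space on both sides of the asterisk; kernel style binds the declarator to the name, `struct file *file;`. The same spelling appears in the two later struct hunks of this file (compat_getdents_callback and compat_getdents_callback64), so all three should be fixed together. A one-line comment such as `/* directory being read; handed to gr_acl_handle_filldir() for each entry */` would also tell a reader why the callback now carries the file.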
30208 @@ -893,6 +894,10 @@ static int compat_fillonedir(void *__buf
30209 buf->result = -EOVERFLOW;
30210 return -EOVERFLOW;
30211 }
30212 +
30213 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
30214 + return 0;
30215 +
30216 buf->result++;
30217 dirent = buf->dirent;
30218 if (!access_ok(VERIFY_WRITE, dirent,
30219 @@ -925,6 +930,7 @@ asmlinkage long compat_sys_old_readdir(u
30220
30221 buf.result = 0;
30222 buf.dirent = dirent;
30223 + buf.file = file;
30224
30225 error = vfs_readdir(file, compat_fillonedir, &buf);
30226 if (buf.result)
30227 @@ -945,6 +951,7 @@ struct compat_linux_dirent {
30228 struct compat_getdents_callback {
30229 struct compat_linux_dirent __user *current_dir;
30230 struct compat_linux_dirent __user *previous;
30231 + struct file * file;
30232 int count;
30233 int error;
30234 };
30235 @@ -966,6 +973,10 @@ static int compat_filldir(void *__buf, c
30236 buf->error = -EOVERFLOW;
30237 return -EOVERFLOW;
30238 }
30239 +
30240 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
30241 + return 0;
30242 +
30243 dirent = buf->previous;
30244 if (dirent) {
30245 if (__put_user(offset, &dirent->d_off))
30246 @@ -1013,6 +1024,7 @@ asmlinkage long compat_sys_getdents(unsi
30247 buf.previous = NULL;
30248 buf.count = count;
30249 buf.error = 0;
30250 + buf.file = file;
30251
30252 error = vfs_readdir(file, compat_filldir, &buf);
30253 if (error >= 0)
30254 @@ -1034,6 +1046,7 @@ out:
30255 struct compat_getdents_callback64 {
30256 struct linux_dirent64 __user *current_dir;
30257 struct linux_dirent64 __user *previous;
30258 + struct file * file;
30259 int count;
30260 int error;
30261 };
30262 @@ -1050,6 +1063,10 @@ static int compat_filldir64(void * __buf
30263 buf->error = -EINVAL; /* only used if we fail.. */
30264 if (reclen > buf->count)
30265 return -EINVAL;
30266 +
30267 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
30268 + return 0;
30269 +
30270 dirent = buf->previous;
30271
30272 if (dirent) {
30273 @@ -1101,6 +1118,7 @@ asmlinkage long compat_sys_getdents64(un
30274 buf.previous = NULL;
30275 buf.count = count;
30276 buf.error = 0;
30277 + buf.file = file;
30278
30279 error = vfs_readdir(file, compat_filldir64, &buf);
30280 if (error >= 0)
30281 @@ -1419,6 +1437,7 @@ static int compat_copy_strings(int argc,
30282
30283 page = get_arg_page(bprm, pos, 1);
30284 if (!page) {
30285 + /* We've exceed the stack rlimit. */
30286 ret = -E2BIG;
30287 goto out;
30288 }
30289 @@ -1460,6 +1479,11 @@ int compat_do_execve(char * filename,
30290 compat_uptr_t __user *envp,
30291 struct pt_regs * regs)
30292 {
30293 +#ifdef CONFIG_GRKERNSEC
30294 + struct file *old_exec_file;
30295 + struct acl_subject_label *old_acl;
30296 + struct rlimit old_rlim[RLIM_NLIMITS];
30297 +#endif
30298 struct linux_binprm *bprm;
30299 struct file *file;
30300 struct files_struct *displaced;
30301 @@ -1496,6 +1520,14 @@ int compat_do_execve(char * filename,
30302 bprm->filename = filename;
30303 bprm->interp = filename;
30304
30305 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);
30306 + retval = -EAGAIN;
30307 + if (gr_handle_nproc())
30308 + goto out_file;
30309 + retval = -EACCES;
30310 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
30311 + goto out_file;
30312 +
30313 retval = bprm_mm_init(bprm);
30314 if (retval)
30315 goto out_file;
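Review bot: The two new checks here assign `retval` before the test (`retval = -EAGAIN; if (gr_handle_nproc()) goto out_file;`), while the identical checks added to do_execve() later in this patch assign it inside the if-block; the two execve paths should use one form so they stay diffable against each other. The braced form used in do_execve() is the clearer one, since `retval` is then only written on the error path. compat_do_execve() continues outside this hunk.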
30316 @@ -1525,9 +1557,40 @@ int compat_do_execve(char * filename,
30317 if (retval < 0)
30318 goto out;
30319
30320 + if (!gr_tpe_allow(file)) {
30321 + retval = -EACCES;
30322 + goto out;
30323 + }
30324 +
30325 + if (gr_check_crash_exec(file)) {
30326 + retval = -EACCES;
30327 + goto out;
30328 + }
30329 +
30330 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
30331 +
30332 + gr_handle_exec_args_compat(bprm, argv);
30333 +
30334 +#ifdef CONFIG_GRKERNSEC
30335 + old_acl = current->acl;
30336 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
30337 + old_exec_file = current->exec_file;
30338 + get_file(file);
30339 + current->exec_file = file;
30340 +#endif
30341 +
30342 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
30343 + bprm->unsafe & LSM_UNSAFE_SHARE);
30344 + if (retval < 0)
30345 + goto out_fail;
30346 +
30347 retval = search_binary_handler(bprm, regs);
30348 if (retval < 0)
30349 - goto out;
30350 + goto out_fail;
30351 +#ifdef CONFIG_GRKERNSEC
30352 + if (old_exec_file)
30353 + fput(old_exec_file);
30354 +#endif
30355
30356 /* execve succeeded */
30357 current->fs->in_exec = 0;
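Review bot: The `old_rlim` snapshot here and its restore in the `out_fail` block (next hunk) copy the whole `current->signal->rlim` array with plain memcpy() and no visible locking; the kernel's own rlimit writers take `task_lock(current->group_leader)`, and at this point the other threads of the group are still alive (they are only killed later, inside search_binary_handler()), so a concurrent setrlimit() could be undone by the restore. If gr_set_proc_label() already serialises against that, a comment saying so would settle it; otherwise the save and restore should take the same lock, and the same question applies to writing `current->acl` back. This block is duplicated verbatim in do_execve() later in this patch (hunk -1443,9/+1489,40), so whatever is decided applies there too. compat_do_execve() continues outside this hunk.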
30358 @@ -1538,6 +1601,14 @@ int compat_do_execve(char * filename,
30359 put_files_struct(displaced);
30360 return retval;
30361
30362 +out_fail:
30363 +#ifdef CONFIG_GRKERNSEC
30364 + current->acl = old_acl;
30365 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
30366 + fput(current->exec_file);
30367 + current->exec_file = old_exec_file;
30368 +#endif
30369 +
30370 out:
30371 if (bprm->mm) {
30372 acct_arg_size(bprm, 0);
30373 diff -urNp linux-2.6.37/fs/compat_ioctl.c linux-2.6.37/fs/compat_ioctl.c
30374 --- linux-2.6.37/fs/compat_ioctl.c 2011-01-04 19:50:19.000000000 -0500
30375 +++ linux-2.6.37/fs/compat_ioctl.c 2011-01-17 02:41:01.000000000 -0500
30376 @@ -208,6 +208,8 @@ static int do_video_set_spu_palette(unsi
30377
30378 err = get_user(palp, &up->palette);
30379 err |= get_user(length, &up->length);
30380 + if (err)
30381 + return -EFAULT;
30382
30383 up_native = compat_alloc_user_space(sizeof(struct video_spu_palette));
30384 err = put_user(compat_ptr(palp), &up_native->palette);
30385 @@ -1637,8 +1639,8 @@ asmlinkage long compat_sys_ioctl(unsigne
30386 static int __init init_sys32_ioctl_cmp(const void *p, const void *q)
30387 {
30388 unsigned int a, b;
30389 - a = *(unsigned int *)p;
30390 - b = *(unsigned int *)q;
30391 + a = *(const unsigned int *)p;
30392 + b = *(const unsigned int *)q;
30393 if (a > b)
30394 return 1;
30395 if (a < b)
30396 diff -urNp linux-2.6.37/fs/debugfs/inode.c linux-2.6.37/fs/debugfs/inode.c
30397 --- linux-2.6.37/fs/debugfs/inode.c 2011-01-04 19:50:19.000000000 -0500
30398 +++ linux-2.6.37/fs/debugfs/inode.c 2011-01-17 02:41:01.000000000 -0500
30399 @@ -130,7 +130,7 @@ static inline int debugfs_positive(struc
30400
30401 static int debug_fill_super(struct super_block *sb, void *data, int silent)
30402 {
30403 - static struct tree_descr debug_files[] = {{""}};
30404 + static struct tree_descr debug_files[] = {{"", NULL, 0}};
30405
30406 return simple_fill_super(sb, DEBUGFS_MAGIC, debug_files);
30407 }
30408 diff -urNp linux-2.6.37/fs/dlm/lockspace.c linux-2.6.37/fs/dlm/lockspace.c
30409 --- linux-2.6.37/fs/dlm/lockspace.c 2011-01-04 19:50:19.000000000 -0500
30410 +++ linux-2.6.37/fs/dlm/lockspace.c 2011-01-17 02:41:01.000000000 -0500
30411 @@ -200,7 +200,7 @@ static int dlm_uevent(struct kset *kset,
30412 return 0;
30413 }
30414
30415 -static struct kset_uevent_ops dlm_uevent_ops = {
30416 +static const struct kset_uevent_ops dlm_uevent_ops = {
30417 .uevent = dlm_uevent,
30418 };
30419
30420 diff -urNp linux-2.6.37/fs/ecryptfs/inode.c linux-2.6.37/fs/ecryptfs/inode.c
30421 --- linux-2.6.37/fs/ecryptfs/inode.c 2011-01-04 19:50:19.000000000 -0500
30422 +++ linux-2.6.37/fs/ecryptfs/inode.c 2011-01-17 02:41:01.000000000 -0500
30423 @@ -745,7 +745,7 @@ static int ecryptfs_readlink_lower(struc
30424 old_fs = get_fs();
30425 set_fs(get_ds());
30426 rc = lower_dentry->d_inode->i_op->readlink(lower_dentry,
30427 - (char __user *)lower_buf,
30428 + (__force char __user *)lower_buf,
30429 lower_bufsiz);
30430 set_fs(old_fs);
30431 if (rc < 0)
30432 @@ -791,7 +791,7 @@ static void *ecryptfs_follow_link(struct
30433 }
30434 old_fs = get_fs();
30435 set_fs(get_ds());
30436 - rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len);
30437 + rc = dentry->d_inode->i_op->readlink(dentry, (__force char __user *)buf, len);
30438 set_fs(old_fs);
30439 if (rc < 0) {
30440 kfree(buf);
30441 @@ -806,7 +806,7 @@ out:
30442 static void
30443 ecryptfs_put_link(struct dentry *dentry, struct nameidata *nd, void *ptr)
30444 {
30445 - char *buf = nd_get_link(nd);
30446 + const char *buf = nd_get_link(nd);
30447 if (!IS_ERR(buf)) {
30448 /* Free the char* */
30449 kfree(buf);
30450 diff -urNp linux-2.6.37/fs/ecryptfs/miscdev.c linux-2.6.37/fs/ecryptfs/miscdev.c
30451 --- linux-2.6.37/fs/ecryptfs/miscdev.c 2011-01-04 19:50:19.000000000 -0500
30452 +++ linux-2.6.37/fs/ecryptfs/miscdev.c 2011-01-17 02:41:01.000000000 -0500
30453 @@ -328,7 +328,7 @@ check_list:
30454 goto out_unlock_msg_ctx;
30455 i = 5;
30456 if (msg_ctx->msg) {
30457 - if (copy_to_user(&buf[i], packet_length, packet_length_size))
30458 + if (packet_length_size > sizeof(packet_length) || copy_to_user(&buf[i], packet_length, packet_length_size))
30459 goto out_unlock_msg_ctx;
30460 i += packet_length_size;
30461 if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
30462 diff -urNp linux-2.6.37/fs/exec.c linux-2.6.37/fs/exec.c
30463 --- linux-2.6.37/fs/exec.c 2011-01-04 19:50:19.000000000 -0500
30464 +++ linux-2.6.37/fs/exec.c 2011-01-17 02:41:01.000000000 -0500
30465 @@ -55,12 +55,24 @@
30466 #include <linux/fs_struct.h>
30467 #include <linux/pipe_fs_i.h>
30468 #include <linux/oom.h>
30469 +#include <linux/random.h>
30470 +#include <linux/seq_file.h>
30471 +
30472 +#ifdef CONFIG_PAX_REFCOUNT
30473 +#include <linux/kallsyms.h>
30474 +#include <linux/kdebug.h>
30475 +#endif
30476
30477 #include <asm/uaccess.h>
30478 #include <asm/mmu_context.h>
30479 #include <asm/tlb.h>
30480 #include "internal.h"
30481
30482 +#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
30483 +void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
30484 +EXPORT_SYMBOL(pax_set_initial_flags_func);
30485 +#endif
30486 +
30487 int core_uses_pid;
30488 char core_pattern[CORENAME_MAX_SIZE] = "core";
30489 unsigned int core_pipe_limit;
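Review bot: `pax_set_initial_flags_func` is a writable, exported, file-scope function pointer with no comment on who assigns it or when it is invoked; a global hook like this deserves a header note along the lines of `/* Optional hook (NULL when unset) through which an ACL subsystem seeds a new image's PaX flags; called with the linux_binprm being executed. */` — that wording is inferred from the name and the parameter type and should be confirmed against the call site. Because a writable function pointer in kernel data is a classic overwrite target, the comment should also say whether it is protected after initialisation, which the hunk gives no indication of.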
30490 @@ -120,7 +132,7 @@ SYSCALL_DEFINE1(uselib, const char __use
30491 goto out;
30492
30493 file = do_filp_open(AT_FDCWD, tmp,
30494 - O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
30495 + O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
30496 MAY_READ | MAY_EXEC | MAY_OPEN);
30497 putname(tmp);
30498 error = PTR_ERR(file);
30499 @@ -187,18 +199,10 @@ struct page *get_arg_page(struct linux_b
30500 int write)
30501 {
30502 struct page *page;
30503 - int ret;
30504
30505 -#ifdef CONFIG_STACK_GROWSUP
30506 - if (write) {
30507 - ret = expand_stack_downwards(bprm->vma, pos);
30508 - if (ret < 0)
30509 - return NULL;
30510 - }
30511 -#endif
30512 - ret = get_user_pages(current, bprm->mm, pos,
30513 - 1, write, 1, &page, NULL);
30514 - if (ret <= 0)
30515 + if (0 > expand_stack_downwards(bprm->vma, pos))
30516 + return NULL;
30517 + if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
30518 return NULL;
30519
30520 if (write) {
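Review bot: The rewritten body calls expand_stack_downwards() on every call, including read-only lookups (`write == 0`) and on every architecture, whereas the original only did so under CONFIG_STACK_GROWSUP and only when writing; if the unconditional expansion is intended, a comment stating why should accompany it, since anyone comparing against upstream will read it as an oversight. The reversed comparisons `if (0 > expand_stack_downwards(bprm->vma, pos))` and `if (0 >= get_user_pages(...))` are also against kernel style; write them as `if (expand_stack_downwards(bprm->vma, pos) < 0)` and `if (get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL) <= 0)`. get_arg_page() continues outside this hunk.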
30521 @@ -273,6 +277,11 @@ static int __bprm_mm_init(struct linux_b
30522 vma->vm_end = STACK_TOP_MAX;
30523 vma->vm_start = vma->vm_end - PAGE_SIZE;
30524 vma->vm_flags = VM_STACK_FLAGS | VM_STACK_INCOMPLETE_SETUP;
30525 +
30526 +#ifdef CONFIG_PAX_SEGMEXEC
30527 + vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
30528 +#endif
30529 +
30530 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
30531 INIT_LIST_HEAD(&vma->anon_vma_chain);
30532
30533 @@ -287,6 +296,12 @@ static int __bprm_mm_init(struct linux_b
30534 mm->stack_vm = mm->total_vm = 1;
30535 up_write(&mm->mmap_sem);
30536 bprm->p = vma->vm_end - sizeof(void *);
30537 +
30538 +#ifdef CONFIG_PAX_RANDUSTACK
30539 + if (randomize_va_space)
30540 + bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
30541 +#endif
30542 +
30543 return 0;
30544 err:
30545 up_write(&mm->mmap_sem);
30546 @@ -522,7 +537,7 @@ int copy_strings_kernel(int argc, const
30547 int r;
30548 mm_segment_t oldfs = get_fs();
30549 set_fs(KERNEL_DS);
30550 - r = copy_strings(argc, (const char __user *const __user *)argv, bprm);
30551 + r = copy_strings(argc, (__force const char __user *const __user *)argv, bprm);
30552 set_fs(oldfs);
30553 return r;
30554 }
30555 @@ -552,7 +567,8 @@ static int shift_arg_pages(struct vm_are
30556 unsigned long new_end = old_end - shift;
30557 struct mmu_gather *tlb;
30558
30559 - BUG_ON(new_start > new_end);
30560 + if (new_start >= new_end || new_start < mmap_min_addr)
30561 + return -ENOMEM;
30562
30563 /*
30564 * ensure there are no vmas between where we want to go
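Review bot: The new guard folds in the mmap_min_addr test that a later hunk of this file removes from setup_arg_pages(), but setup_arg_pages() only calls shift_arg_pages() when `stack_shift` is non-zero, so that test is now skipped in the zero-shift case; in practice that case means `stack_top == vma->vm_end`, so it is probably harmless, but a comment such as `/* replaces the mmap_min_addr check formerly done in setup_arg_pages(); only reached when stack_shift != 0 */` would stop the next reader hunting for the lost check. Two smaller differences are worth stating in that comment too: `new_start >= new_end` now rejects equality, which the old BUG_ON permitted (an empty vma, so harmless), and the old condition rejected `vm_end - vm_start >= stack_top - mmap_min_addr` whereas `new_start < mmap_min_addr` accepts a stack that begins exactly at mmap_min_addr. shift_arg_pages() continues outside this hunk.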
30565 @@ -561,6 +577,10 @@ static int shift_arg_pages(struct vm_are
30566 if (vma != find_vma(mm, new_start))
30567 return -EFAULT;
30568
30569 +#ifdef CONFIG_PAX_SEGMEXEC
30570 + BUG_ON(pax_find_mirror_vma(vma));
30571 +#endif
30572 +
30573 /*
30574 * cover the whole range: [new_start, old_end)
30575 */
30576 @@ -641,10 +661,6 @@ int setup_arg_pages(struct linux_binprm
30577 stack_top = arch_align_stack(stack_top);
30578 stack_top = PAGE_ALIGN(stack_top);
30579
30580 - if (unlikely(stack_top < mmap_min_addr) ||
30581 - unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
30582 - return -ENOMEM;
30583 -
30584 stack_shift = vma->vm_end - stack_top;
30585
30586 bprm->p -= stack_shift;
30587 @@ -656,8 +672,28 @@ int setup_arg_pages(struct linux_binprm
30588 bprm->exec -= stack_shift;
30589
30590 down_write(&mm->mmap_sem);
30591 +
30592 + /* Move stack pages down in memory. */
30593 + if (stack_shift) {
30594 + ret = shift_arg_pages(vma, stack_shift);
30595 + if (ret)
30596 + goto out_unlock;
30597 + }
30598 +
30599 vm_flags = VM_STACK_FLAGS;
30600
30601 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
30602 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
30603 + vm_flags &= ~VM_EXEC;
30604 +
30605 +#ifdef CONFIG_PAX_MPROTECT
30606 + if (mm->pax_flags & MF_PAX_MPROTECT)
30607 + vm_flags &= ~VM_MAYEXEC;
30608 +#endif
30609 +
30610 + }
30611 +#endif
30612 +
30613 /*
30614 * Adjust stack execute permissions; explicitly enable for
30615 * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone
30616 @@ -676,13 +712,6 @@ int setup_arg_pages(struct linux_binprm
30617 goto out_unlock;
30618 BUG_ON(prev != vma);
30619
30620 - /* Move stack pages down in memory. */
30621 - if (stack_shift) {
30622 - ret = shift_arg_pages(vma, stack_shift);
30623 - if (ret)
30624 - goto out_unlock;
30625 - }
30626 -
30627 /* mprotect_fixup is overkill to remove the temporary stack flags */
30628 vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP;
30629
30630 @@ -723,7 +752,7 @@ struct file *open_exec(const char *name)
30631 int err;
30632
30633 file = do_filp_open(AT_FDCWD, name,
30634 - O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
30635 + O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
30636 MAY_EXEC | MAY_OPEN);
30637 if (IS_ERR(file))
30638 goto out;
30639 @@ -760,7 +789,7 @@ int kernel_read(struct file *file, loff_
30640 old_fs = get_fs();
30641 set_fs(get_ds());
30642 /* The cast to a user pointer is valid due to the set_fs() */
30643 - result = vfs_read(file, (void __user *)addr, count, &pos);
30644 + result = vfs_read(file, (__force void __user *)addr, count, &pos);
30645 set_fs(old_fs);
30646 return result;
30647 }
30648 @@ -1182,7 +1211,7 @@ int check_unsafe_exec(struct linux_binpr
30649 }
30650 rcu_read_unlock();
30651
30652 - if (p->fs->users > n_fs) {
30653 + if (atomic_read(&p->fs->users) > n_fs) {
30654 bprm->unsafe |= LSM_UNSAFE_SHARE;
30655 } else {
30656 res = -EAGAIN;
30657 @@ -1378,6 +1407,11 @@ int do_execve(const char * filename,
30658 const char __user *const __user *envp,
30659 struct pt_regs * regs)
30660 {
30661 +#ifdef CONFIG_GRKERNSEC
30662 + struct file *old_exec_file;
30663 + struct acl_subject_label *old_acl;
30664 + struct rlimit old_rlim[RLIM_NLIMITS];
30665 +#endif
30666 struct linux_binprm *bprm;
30667 struct file *file;
30668 struct files_struct *displaced;
30669 @@ -1414,6 +1448,18 @@ int do_execve(const char * filename,
30670 bprm->filename = filename;
30671 bprm->interp = filename;
30672
30673 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);
30674 +
30675 + if (gr_handle_nproc()) {
30676 + retval = -EAGAIN;
30677 + goto out_file;
30678 + }
30679 +
30680 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
30681 + retval = -EACCES;
30682 + goto out_file;
30683 + }
30684 +
30685 retval = bprm_mm_init(bprm);
30686 if (retval)
30687 goto out_file;
30688 @@ -1443,9 +1489,40 @@ int do_execve(const char * filename,
30689 if (retval < 0)
30690 goto out;
30691
30692 + if (!gr_tpe_allow(file)) {
30693 + retval = -EACCES;
30694 + goto out;
30695 + }
30696 +
30697 + if (gr_check_crash_exec(file)) {
30698 + retval = -EACCES;
30699 + goto out;
30700 + }
30701 +
30702 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
30703 +
30704 + gr_handle_exec_args(bprm, argv);
30705 +
30706 +#ifdef CONFIG_GRKERNSEC
30707 + old_acl = current->acl;
30708 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
30709 + old_exec_file = current->exec_file;
30710 + get_file(file);
30711 + current->exec_file = file;
30712 +#endif
30713 +
30714 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
30715 + bprm->unsafe & LSM_UNSAFE_SHARE);
30716 + if (retval < 0)
30717 + goto out_fail;
30718 +
30719 retval = search_binary_handler(bprm,regs);
30720 if (retval < 0)
30721 - goto out;
30722 + goto out_fail;
30723 +#ifdef CONFIG_GRKERNSEC
30724 + if (old_exec_file)
30725 + fput(old_exec_file);
30726 +#endif
30727
30728 /* execve succeeded */
30729 current->fs->in_exec = 0;
30730 @@ -1456,6 +1533,14 @@ int do_execve(const char * filename,
30731 put_files_struct(displaced);
30732 return retval;
30733
30734 +out_fail:
30735 +#ifdef CONFIG_GRKERNSEC
30736 + current->acl = old_acl;
30737 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
30738 + fput(current->exec_file);
30739 + current->exec_file = old_exec_file;
30740 +#endif
30741 +
30742 out:
30743 if (bprm->mm) {
30744 acct_arg_size(bprm, 0);
30745 @@ -1642,6 +1727,217 @@ out:
30746 return ispipe;
30747 }
30748
30749 +int pax_check_flags(unsigned long *flags)
30750 +{
30751 + int retval = 0;
30752 +
30753 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
30754 + if (*flags & MF_PAX_SEGMEXEC)
30755 + {
30756 + *flags &= ~MF_PAX_SEGMEXEC;
30757 + retval = -EINVAL;
30758 + }
30759 +#endif
30760 +
30761 + if ((*flags & MF_PAX_PAGEEXEC)
30762 +
30763 +#ifdef CONFIG_PAX_PAGEEXEC
30764 + && (*flags & MF_PAX_SEGMEXEC)
30765 +#endif
30766 +
30767 + )
30768 + {
30769 + *flags &= ~MF_PAX_PAGEEXEC;
30770 + retval = -EINVAL;
30771 + }
30772 +
30773 + if ((*flags & MF_PAX_MPROTECT)
30774 +
30775 +#ifdef CONFIG_PAX_MPROTECT
30776 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
30777 +#endif
30778 +
30779 + )
30780 + {
30781 + *flags &= ~MF_PAX_MPROTECT;
30782 + retval = -EINVAL;
30783 + }
30784 +
30785 + if ((*flags & MF_PAX_EMUTRAMP)
30786 +
30787 +#ifdef CONFIG_PAX_EMUTRAMP
30788 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
30789 +#endif
30790 +
30791 + )
30792 + {
30793 + *flags &= ~MF_PAX_EMUTRAMP;
30794 + retval = -EINVAL;
30795 + }
30796 +
30797 + return retval;
30798 +}
30799 +
30800 +EXPORT_SYMBOL(pax_check_flags);
30801 +
30802 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
30803 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
30804 +{
30805 + struct task_struct *tsk = current;
30806 + struct mm_struct *mm = current->mm;
30807 + char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
30808 + char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
30809 + char *path_exec = NULL;
30810 + char *path_fault = NULL;
30811 + unsigned long start = 0UL, end = 0UL, offset = 0UL;
30812 +
30813 + if (buffer_exec && buffer_fault) {
30814 + struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
30815 +
30816 + down_read(&mm->mmap_sem);
30817 + vma = mm->mmap;
30818 + while (vma && (!vma_exec || !vma_fault)) {
30819 + if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
30820 + vma_exec = vma;
30821 + if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
30822 + vma_fault = vma;
30823 + vma = vma->vm_next;
30824 + }
30825 + if (vma_exec) {
30826 + path_exec = d_path(&vma_exec->vm_file->f_path, buffer_exec, PAGE_SIZE);
30827 + if (IS_ERR(path_exec))
30828 + path_exec = "<path too long>";
30829 + else {
30830 + path_exec = mangle_path(buffer_exec, path_exec, "\t\n\\");
30831 + if (path_exec) {
30832 + *path_exec = 0;
30833 + path_exec = buffer_exec;
30834 + } else
30835 + path_exec = "<path too long>";
30836 + }
30837 + }
30838 + if (vma_fault) {
30839 + start = vma_fault->vm_start;
30840 + end = vma_fault->vm_end;
30841 + offset = vma_fault->vm_pgoff << PAGE_SHIFT;
30842 + if (vma_fault->vm_file) {
30843 + path_fault = d_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
30844 + if (IS_ERR(path_fault))
30845 + path_fault = "<path too long>";
30846 + else {
30847 + path_fault = mangle_path(buffer_fault, path_fault, "\t\n\\");
30848 + if (path_fault) {
30849 + *path_fault = 0;
30850 + path_fault = buffer_fault;
30851 + } else
30852 + path_fault = "<path too long>";
30853 + }
30854 + } else
30855 + path_fault = "<anonymous mapping>";
30856 + }
30857 + up_read(&mm->mmap_sem);
30858 + }
30859 + if (tsk->signal->curr_ip)
30860 + printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
30861 + else
30862 + printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
30863 + printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
30864 + "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
30865 + task_uid(tsk), task_euid(tsk), pc, sp);
30866 + free_page((unsigned long)buffer_exec);
30867 + free_page((unsigned long)buffer_fault);
30868 + pax_report_insns(pc, sp);
30869 + do_coredump(SIGKILL, SIGKILL, regs);
30870 +}
30871 +#endif
30872 +
30873 +#ifdef CONFIG_PAX_REFCOUNT
30874 +void pax_report_refcount_overflow(struct pt_regs *regs)
30875 +{
30876 + if (current->signal->curr_ip)
30877 + printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
30878 + &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
30879 + else
30880 + printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
30881 + current->comm, task_pid_nr(current), current_uid(), current_euid());
30882 + print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
30883 + show_regs(regs);
30884 + force_sig_info(SIGKILL, SEND_SIG_FORCED, current);
30885 +}
30886 +#endif
30887 +
30888 +#ifdef CONFIG_PAX_USERCOPY
30889 +/* 0: not at all, 1: fully, 2: fully inside frame, -1: partially (implies an error) */
30890 +int object_is_on_stack(const void *obj, unsigned long len)
30891 +{
30892 + const void * const stack = task_stack_page(current);
30893 + const void * const stackend = stack + THREAD_SIZE;
30894 +
30895 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
30896 + const void *frame = NULL;
30897 + const void *oldframe;
30898 +#endif
30899 +
30900 + if (obj + len < obj)
30901 + return -1;
30902 +
30903 + if (obj + len <= stack || stackend <= obj)
30904 + return 0;
30905 +
30906 + if (obj < stack || stackend < obj + len)
30907 + return -1;
30908 +
30909 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
30910 + oldframe = __builtin_frame_address(1);
30911 + if (oldframe)
30912 + frame = __builtin_frame_address(2);
30913 + /*
30914 + low ----------------------------------------------> high
30915 + [saved bp][saved ip][args][local vars][saved bp][saved ip]
30916 + ^----------------^
30917 + allow copies only within here
30918 + */
30919 + while (stack <= frame && frame < stackend) {
30920 + /* if obj + len extends past the last frame, this
30921 + check won't pass and the next frame will be 0,
30922 + causing us to bail out and correctly report
30923 + the copy as invalid
30924 + */
30925 + if (obj + len <= frame)
30926 + return obj >= oldframe + 2 * sizeof(void *) ? 2 : -1;
30927 + oldframe = frame;
30928 + frame = *(const void * const *)frame;
30929 + }
30930 + return -1;
30931 +#else
30932 + return 1;
30933 +#endif
30934 +}
30935 +
30936 +
30937 +void pax_report_leak_to_user(const void *ptr, unsigned long len)
30938 +{
30939 + if (current->signal->curr_ip)
30940 + printk(KERN_ERR "PAX: From %pI4: kernel memory leak attempt detected from %p (%lu bytes)\n",
30941 + &current->signal->curr_ip, ptr, len);
30942 + else
30943 + printk(KERN_ERR "PAX: kernel memory leak attempt detected from %p (%lu bytes)\n", ptr, len);
30944 + dump_stack();
30945 + do_group_exit(SIGKILL);
30946 +}
30947 +
30948 +void pax_report_overflow_from_user(const void *ptr, unsigned long len)
30949 +{
30950 + if (current->signal->curr_ip)
30951 + printk(KERN_ERR "PAX: From %pI4: kernel memory overflow attempt detected to %p (%lu bytes)\n",
30952 + &current->signal->curr_ip, ptr, len);
30953 + else
30954 + printk(KERN_ERR "PAX: kernel memory overflow attempt detected to %p (%lu bytes)\n", ptr, len);
30955 + dump_stack();
30956 + do_group_exit(SIGKILL);
30957 +}
30958 +#endif
30959 +
30960 static int zap_process(struct task_struct *start, int exit_code)
30961 {
30962 struct task_struct *t;
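Review bot: pax_check_flags() has no header comment although its contract is unusual — it rewrites `*flags` in place to drop combinations this build cannot honour and returns -EINVAL only to report that something was stripped, so a caller that ignores the return value still ends up with a consistent mask; suggest `/* Sanitise a PaX flag mask for this build: unsupported combinations are cleared in *flags, and -EINVAL reports that at least one bit was dropped. */` above it. Two smaller items in the same hunk: the message in pax_report_refcount_overflow() spells `occured` (should be `occurred`), and object_is_on_stack() does arithmetic on a `const void *` (`obj + len < obj`), a GCC extension the kernel relies on, which deserves a note since the wrap test depends on it. In pax_report_fault(), if either __get_free_page() fails both path strings stay NULL and reach `%s`; printk renders that as `(null)`, so a short comment saying this is acceptable would save the next reader the check. The hunk ends with the start of zap_process(), which continues outside it.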
30963 @@ -1852,17 +2148,17 @@ static void wait_for_dump_helpers(struct
30964 pipe = file->f_path.dentry->d_inode->i_pipe;
30965
30966 pipe_lock(pipe);
30967 - pipe->readers++;
30968 - pipe->writers--;
30969 + atomic_inc(&pipe->readers);
30970 + atomic_dec(&pipe->writers);
30971
30972 - while ((pipe->readers > 1) && (!signal_pending(current))) {
30973 + while ((atomic_read(&pipe->readers) > 1) && (!signal_pending(current))) {
30974 wake_up_interruptible_sync(&pipe->wait);
30975 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
30976 pipe_wait(pipe);
30977 }
30978
30979 - pipe->readers--;
30980 - pipe->writers++;
30981 + atomic_dec(&pipe->readers);
30982 + atomic_inc(&pipe->writers);
30983 pipe_unlock(pipe);
30984
30985 }
30986 @@ -1978,6 +2274,10 @@ void do_coredump(long signr, int exit_co
30987 goto fail_corename;
30988 }
30989
30990 + if (signr == SIGKILL || signr == SIGILL)
30991 + gr_handle_brute_attach(current);
30992 + gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
30993 +
30994 if (ispipe) {
30995 int dump_count;
30996 char **helper_argv;
30997 diff -urNp linux-2.6.37/fs/ext2/balloc.c linux-2.6.37/fs/ext2/balloc.c
30998 --- linux-2.6.37/fs/ext2/balloc.c 2011-01-04 19:50:19.000000000 -0500
30999 +++ linux-2.6.37/fs/ext2/balloc.c 2011-01-17 02:41:01.000000000 -0500
31000 @@ -1192,7 +1192,7 @@ static int ext2_has_free_blocks(struct e
31001
31002 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
31003 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
31004 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
31005 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
31006 sbi->s_resuid != current_fsuid() &&
31007 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
31008 return 0;
31009 diff -urNp linux-2.6.37/fs/ext2/xattr.c linux-2.6.37/fs/ext2/xattr.c
31010 --- linux-2.6.37/fs/ext2/xattr.c 2011-01-04 19:50:19.000000000 -0500
31011 +++ linux-2.6.37/fs/ext2/xattr.c 2011-01-17 02:41:01.000000000 -0500
31012 @@ -86,8 +86,8 @@
31013 printk("\n"); \
31014 } while (0)
31015 #else
31016 -# define ea_idebug(f...)
31017 -# define ea_bdebug(f...)
31018 +# define ea_idebug(inode, f...) do {} while (0)
31019 +# define ea_bdebug(bh, f...) do {} while (0)
31020 #endif
31021
31022 static int ext2_xattr_set2(struct inode *, struct buffer_head *,
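Review bot: The stub `ea_idebug(inode, f...)` names its first argument here, while the equivalent ext3/xattr.c hunk later in this patch keeps `ea_idebug(f...)`; both expand to nothing, so the two files should use the same spelling rather than diverging for no stated reason. The `do {} while (0)` body itself is a good change, since the old empty expansion left a bare `;` behind and made `if (x) ea_idebug(...); else` mis-parse.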
31023 diff -urNp linux-2.6.37/fs/ext3/balloc.c linux-2.6.37/fs/ext3/balloc.c
31024 --- linux-2.6.37/fs/ext3/balloc.c 2011-01-04 19:50:19.000000000 -0500
31025 +++ linux-2.6.37/fs/ext3/balloc.c 2011-01-17 02:41:01.000000000 -0500
31026 @@ -1425,7 +1425,7 @@ static int ext3_has_free_blocks(struct e
31027
31028 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
31029 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
31030 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
31031 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
31032 sbi->s_resuid != current_fsuid() &&
31033 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
31034 return 0;
31035 diff -urNp linux-2.6.37/fs/ext3/namei.c linux-2.6.37/fs/ext3/namei.c
31036 --- linux-2.6.37/fs/ext3/namei.c 2011-01-04 19:50:19.000000000 -0500
31037 +++ linux-2.6.37/fs/ext3/namei.c 2011-01-17 02:41:01.000000000 -0500
31038 @@ -1168,7 +1168,7 @@ static struct ext3_dir_entry_2 *do_split
31039 char *data1 = (*bh)->b_data, *data2;
31040 unsigned split, move, size;
31041 struct ext3_dir_entry_2 *de = NULL, *de2;
31042 - int err = 0, i;
31043 + int i, err = 0;
31044
31045 bh2 = ext3_append (handle, dir, &newblock, &err);
31046 if (!(bh2)) {
31047 diff -urNp linux-2.6.37/fs/ext3/xattr.c linux-2.6.37/fs/ext3/xattr.c
31048 --- linux-2.6.37/fs/ext3/xattr.c 2011-01-04 19:50:19.000000000 -0500
31049 +++ linux-2.6.37/fs/ext3/xattr.c 2011-01-17 02:41:01.000000000 -0500
31050 @@ -89,8 +89,8 @@
31051 printk("\n"); \
31052 } while (0)
31053 #else
31054 -# define ea_idebug(f...)
31055 -# define ea_bdebug(f...)
31056 +# define ea_idebug(f...) do {} while (0)
31057 +# define ea_bdebug(f...) do {} while (0)
31058 #endif
31059
31060 static void ext3_xattr_cache_insert(struct buffer_head *);
31061 diff -urNp linux-2.6.37/fs/ext4/balloc.c linux-2.6.37/fs/ext4/balloc.c
31062 --- linux-2.6.37/fs/ext4/balloc.c 2011-01-04 19:50:19.000000000 -0500
31063 +++ linux-2.6.37/fs/ext4/balloc.c 2011-01-17 02:41:01.000000000 -0500
31064 @@ -519,7 +519,7 @@ static int ext4_has_free_blocks(struct e
31065 /* Hm, nope. Are (enough) root reserved blocks available? */
31066 if (sbi->s_resuid == current_fsuid() ||
31067 ((sbi->s_resgid != 0) && in_group_p(sbi->s_resgid)) ||
31068 - capable(CAP_SYS_RESOURCE)) {
31069 + capable_nolog(CAP_SYS_RESOURCE)) {
31070 if (free_blocks >= (nblocks + dirty_blocks))
31071 return 1;
31072 }
31073 diff -urNp linux-2.6.37/fs/ext4/ext4.h linux-2.6.37/fs/ext4/ext4.h
31074 --- linux-2.6.37/fs/ext4/ext4.h 2011-01-04 19:50:19.000000000 -0500
31075 +++ linux-2.6.37/fs/ext4/ext4.h 2011-01-17 02:41:01.000000000 -0500
31076 @@ -1164,19 +1164,19 @@ struct ext4_sb_info {
31077 unsigned long s_mb_last_start;
31078
31079 /* stats for buddy allocator */
31080 - atomic_t s_bal_reqs; /* number of reqs with len > 1 */
31081 - atomic_t s_bal_success; /* we found long enough chunks */
31082 - atomic_t s_bal_allocated; /* in blocks */
31083 - atomic_t s_bal_ex_scanned; /* total extents scanned */
31084 - atomic_t s_bal_goals; /* goal hits */
31085 - atomic_t s_bal_breaks; /* too long searches */
31086 - atomic_t s_bal_2orders; /* 2^order hits */
31087 + atomic_unchecked_t s_bal_reqs; /* number of reqs with len > 1 */
31088 + atomic_unchecked_t s_bal_success; /* we found long enough chunks */
31089 + atomic_unchecked_t s_bal_allocated; /* in blocks */
31090 + atomic_unchecked_t s_bal_ex_scanned; /* total extents scanned */
31091 + atomic_unchecked_t s_bal_goals; /* goal hits */
31092 + atomic_unchecked_t s_bal_breaks; /* too long searches */
31093 + atomic_unchecked_t s_bal_2orders; /* 2^order hits */
31094 spinlock_t s_bal_lock;
31095 unsigned long s_mb_buddies_generated;
31096 unsigned long long s_mb_generation_time;
31097 - atomic_t s_mb_lost_chunks;
31098 - atomic_t s_mb_preallocated;
31099 - atomic_t s_mb_discarded;
31100 + atomic_unchecked_t s_mb_lost_chunks;
31101 + atomic_unchecked_t s_mb_preallocated;
31102 + atomic_unchecked_t s_mb_discarded;
31103 atomic_t s_lock_busy;
31104
31105 /* locality groups */
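Review bot: `s_lock_busy` is the one counter in this statistics block left as `atomic_t` while every neighbouring stats counter becomes `atomic_unchecked_t`, and nothing in the hunk says whether that split is deliberate. If it is only a contention counter bumped on the same stats path, it would now be the sole one that can still trip the refcount-overflow check; if it is used as a real reference count the distinction is worth stating. A comment above the group would help maintainers keep the split, e.g. `/* pure statistics: may wrap, so atomic_unchecked_t; s_lock_busy intentionally stays checked */` — confirm the reason for s_lock_busy before writing it. The struct ext4_sb_info definition starts and ends outside the hunk.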
31106 diff -urNp linux-2.6.37/fs/ext4/mballoc.c linux-2.6.37/fs/ext4/mballoc.c
31107 --- linux-2.6.37/fs/ext4/mballoc.c 2011-01-04 19:50:19.000000000 -0500
31108 +++ linux-2.6.37/fs/ext4/mballoc.c 2011-01-17 02:41:01.000000000 -0500
31109 @@ -1841,7 +1841,7 @@ void ext4_mb_simple_scan_group(struct ex
31110 BUG_ON(ac->ac_b_ex.fe_len != ac->ac_g_ex.fe_len);
31111
31112 if (EXT4_SB(sb)->s_mb_stats)
31113 - atomic_inc(&EXT4_SB(sb)->s_bal_2orders);
31114 + atomic_inc_unchecked(&EXT4_SB(sb)->s_bal_2orders);
31115
31116 break;
31117 }
31118 @@ -2135,7 +2135,7 @@ repeat:
31119 ac->ac_status = AC_STATUS_CONTINUE;
31120 ac->ac_flags |= EXT4_MB_HINT_FIRST;
31121 cr = 3;
31122 - atomic_inc(&sbi->s_mb_lost_chunks);
31123 + atomic_inc_unchecked(&sbi->s_mb_lost_chunks);
31124 goto repeat;
31125 }
31126 }
31127 @@ -2577,25 +2577,25 @@ int ext4_mb_release(struct super_block *
31128 if (sbi->s_mb_stats) {
31129 printk(KERN_INFO
31130 "EXT4-fs: mballoc: %u blocks %u reqs (%u success)\n",
31131 - atomic_read(&sbi->s_bal_allocated),
31132 - atomic_read(&sbi->s_bal_reqs),
31133 - atomic_read(&sbi->s_bal_success));
31134 + atomic_read_unchecked(&sbi->s_bal_allocated),
31135 + atomic_read_unchecked(&sbi->s_bal_reqs),
31136 + atomic_read_unchecked(&sbi->s_bal_success));
31137 printk(KERN_INFO
31138 "EXT4-fs: mballoc: %u extents scanned, %u goal hits, "
31139 "%u 2^N hits, %u breaks, %u lost\n",
31140 - atomic_read(&sbi->s_bal_ex_scanned),
31141 - atomic_read(&sbi->s_bal_goals),
31142 - atomic_read(&sbi->s_bal_2orders),
31143 - atomic_read(&sbi->s_bal_breaks),
31144 - atomic_read(&sbi->s_mb_lost_chunks));
31145 + atomic_read_unchecked(&sbi->s_bal_ex_scanned),
31146 + atomic_read_unchecked(&sbi->s_bal_goals),
31147 + atomic_read_unchecked(&sbi->s_bal_2orders),
31148 + atomic_read_unchecked(&sbi->s_bal_breaks),
31149 + atomic_read_unchecked(&sbi->s_mb_lost_chunks));
31150 printk(KERN_INFO
31151 "EXT4-fs: mballoc: %lu generated and it took %Lu\n",
31152 sbi->s_mb_buddies_generated++,
31153 sbi->s_mb_generation_time);
31154 printk(KERN_INFO
31155 "EXT4-fs: mballoc: %u preallocated, %u discarded\n",
31156 - atomic_read(&sbi->s_mb_preallocated),
31157 - atomic_read(&sbi->s_mb_discarded));
31158 + atomic_read_unchecked(&sbi->s_mb_preallocated),
31159 + atomic_read_unchecked(&sbi->s_mb_discarded));
31160 }
31161
31162 free_percpu(sbi->s_locality_groups);
31163 @@ -3080,16 +3080,16 @@ static void ext4_mb_collect_stats(struct
31164 struct ext4_sb_info *sbi = EXT4_SB(ac->ac_sb);
31165
31166 if (sbi->s_mb_stats && ac->ac_g_ex.fe_len > 1) {
31167 - atomic_inc(&sbi->s_bal_reqs);
31168 - atomic_add(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
31169 + atomic_inc_unchecked(&sbi->s_bal_reqs);
31170 + atomic_add_unchecked(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
31171 if (ac->ac_b_ex.fe_len >= ac->ac_o_ex.fe_len)
31172 - atomic_inc(&sbi->s_bal_success);
31173 - atomic_add(ac->ac_found, &sbi->s_bal_ex_scanned);
31174 + atomic_inc_unchecked(&sbi->s_bal_success);
31175 + atomic_add_unchecked(ac->ac_found, &sbi->s_bal_ex_scanned);
31176 if (ac->ac_g_ex.fe_start == ac->ac_b_ex.fe_start &&
31177 ac->ac_g_ex.fe_group == ac->ac_b_ex.fe_group)
31178 - atomic_inc(&sbi->s_bal_goals);
31179 + atomic_inc_unchecked(&sbi->s_bal_goals);
31180 if (ac->ac_found > sbi->s_mb_max_to_scan)
31181 - atomic_inc(&sbi->s_bal_breaks);
31182 + atomic_inc_unchecked(&sbi->s_bal_breaks);
31183 }
31184
31185 if (ac->ac_op == EXT4_MB_HISTORY_ALLOC)
31186 @@ -3487,7 +3487,7 @@ ext4_mb_new_inode_pa(struct ext4_allocat
31187 trace_ext4_mb_new_inode_pa(ac, pa);
31188
31189 ext4_mb_use_inode_pa(ac, pa);
31190 - atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
31191 + atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
31192
31193 ei = EXT4_I(ac->ac_inode);
31194 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
31195 @@ -3547,7 +3547,7 @@ ext4_mb_new_group_pa(struct ext4_allocat
31196 trace_ext4_mb_new_group_pa(ac, pa);
31197
31198 ext4_mb_use_group_pa(ac, pa);
31199 - atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
31200 + atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
31201
31202 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
31203 lg = ac->ac_lg;
31204 @@ -3634,7 +3634,7 @@ ext4_mb_release_inode_pa(struct ext4_bud
31205 * from the bitmap and continue.
31206 */
31207 }
31208 - atomic_add(free, &sbi->s_mb_discarded);
31209 + atomic_add_unchecked(free, &sbi->s_mb_discarded);
31210
31211 return err;
31212 }
31213 @@ -3652,7 +3652,7 @@ ext4_mb_release_group_pa(struct ext4_bud
31214 ext4_get_group_no_and_offset(sb, pa->pa_pstart, &group, &bit);
31215 BUG_ON(group != e4b->bd_group && pa->pa_len != 0);
31216 mb_free_blocks(pa->pa_inode, e4b, bit, pa->pa_len);
31217 - atomic_add(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
31218 + atomic_add_unchecked(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
31219 trace_ext4_mballoc_discard(sb, NULL, group, bit, pa->pa_len);
31220
31221 return 0;
31222 diff -urNp linux-2.6.37/fs/ext4/namei.c linux-2.6.37/fs/ext4/namei.c
31223 --- linux-2.6.37/fs/ext4/namei.c 2011-01-04 19:50:19.000000000 -0500
31224 +++ linux-2.6.37/fs/ext4/namei.c 2011-01-17 02:41:01.000000000 -0500
31225 @@ -1161,7 +1161,7 @@ static struct ext4_dir_entry_2 *do_split
31226 char *data1 = (*bh)->b_data, *data2;
31227 unsigned split, move, size;
31228 struct ext4_dir_entry_2 *de = NULL, *de2;
31229 - int err = 0, i;
31230 + int i, err = 0;
31231
31232 bh2 = ext4_append (handle, dir, &newblock, &err);
31233 if (!(bh2)) {
31234 diff -urNp linux-2.6.37/fs/ext4/xattr.c linux-2.6.37/fs/ext4/xattr.c
31235 --- linux-2.6.37/fs/ext4/xattr.c 2011-01-04 19:50:19.000000000 -0500
31236 +++ linux-2.6.37/fs/ext4/xattr.c 2011-01-17 02:41:01.000000000 -0500
31237 @@ -82,8 +82,8 @@
31238 printk("\n"); \
31239 } while (0)
31240 #else
31241 -# define ea_idebug(f...)
31242 -# define ea_bdebug(f...)
31243 +# define ea_idebug(inode, f...) do {} while (0)
31244 +# define ea_bdebug(bh, f...) do {} while (0)
31245 #endif
31246
31247 static void ext4_xattr_cache_insert(struct buffer_head *);
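Review bot: The ext4 stubs name their first parameter (`ea_idebug(inode, f...)`, `ea_bdebug(bh, f...)`) while the ext3 counterpart earlier in this patch keeps the bare `f...` form, so the two sibling headers now diverge for no stated reason. Either form is harmless today because every call site passes the inode or buffer head first, but the named form rejects a call with only a format argument that the ext3 form would accept. Pick one shape for both; `# define ea_idebug(f...) do {} while (0)` as in ext3 is the smaller change.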
31248 diff -urNp linux-2.6.37/fs/fcntl.c linux-2.6.37/fs/fcntl.c
31249 --- linux-2.6.37/fs/fcntl.c 2011-01-04 19:50:19.000000000 -0500
31250 +++ linux-2.6.37/fs/fcntl.c 2011-01-17 02:53:49.000000000 -0500
31251 @@ -224,6 +224,11 @@ int __f_setown(struct file *filp, struct
31252 if (err)
31253 return err;
31254
31255 + if (gr_handle_chroot_fowner(pid, type))
31256 + return -ENOENT;
31257 + if (gr_check_protected_task_fowner(pid, type))
31258 + return -EACCES;
31259 +
31260 f_modown(filp, pid, type, force);
31261 return 0;
31262 }
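Review bot: The two new gr_* checks in __f_setown run after the `err` test at the top of the hunk but before f_modown, so a denied owner change returns -ENOENT or -EACCES with nothing modified, which is the right ordering; what is not visible is how the helpers behave when `pid` is NULL. Callers that clear the owner (F_SETOWN with 0) pass a NULL pid through this path in mainline, so both helpers must treat a NULL pid as allowed rather than dereference it — worth a comment here if they do, e.g. `/* pid may be NULL when the owner is being cleared; the gr_ helpers must accept that */`. The beginning of __f_setown, including where `err` comes from, is outside the hunk.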
31263 @@ -348,6 +353,7 @@ static long do_fcntl(int fd, unsigned in
31264 switch (cmd) {
31265 case F_DUPFD:
31266 case F_DUPFD_CLOEXEC:
31267 + gr_learn_resource(current, RLIMIT_NOFILE, arg, 0);
31268 if (arg >= rlimit(RLIMIT_NOFILE))
31269 break;
31270 err = alloc_fd(arg, cmd == F_DUPFD_CLOEXEC ? O_CLOEXEC : 0);
31271 @@ -808,14 +814,14 @@ static int __init fcntl_init(void)
31272 * Exceptions: O_NONBLOCK is a two bit define on parisc; O_NDELAY
31273 * is defined as O_NONBLOCK on some platforms and not on others.
31274 */
31275 - BUILD_BUG_ON(18 - 1 /* for O_RDONLY being 0 */ != HWEIGHT32(
31276 + BUILD_BUG_ON(19 - 1 /* for O_RDONLY being 0 */ != HWEIGHT32(
31277 O_RDONLY | O_WRONLY | O_RDWR |
31278 O_CREAT | O_EXCL | O_NOCTTY |
31279 O_TRUNC | O_APPEND | /* O_NONBLOCK | */
31280 __O_SYNC | O_DSYNC | FASYNC |
31281 O_DIRECT | O_LARGEFILE | O_DIRECTORY |
31282 O_NOFOLLOW | O_NOATIME | O_CLOEXEC |
31283 - FMODE_EXEC
31284 + FMODE_EXEC | FMODE_GREXEC
31285 ));
31286
31287 fasync_cache = kmem_cache_create("fasync_cache",
31288 diff -urNp linux-2.6.37/fs/fifo.c linux-2.6.37/fs/fifo.c
31289 --- linux-2.6.37/fs/fifo.c 2011-01-04 19:50:19.000000000 -0500
31290 +++ linux-2.6.37/fs/fifo.c 2011-01-17 02:41:01.000000000 -0500
31291 @@ -58,10 +58,10 @@ static int fifo_open(struct inode *inode
31292 */
31293 filp->f_op = &read_pipefifo_fops;
31294 pipe->r_counter++;
31295 - if (pipe->readers++ == 0)
31296 + if (atomic_inc_return(&pipe->readers) == 1)
31297 wake_up_partner(inode);
31298
31299 - if (!pipe->writers) {
31300 + if (!atomic_read(&pipe->writers)) {
31301 if ((filp->f_flags & O_NONBLOCK)) {
31302 /* suppress POLLHUP until we have
31303 * seen a writer */
31304 @@ -82,15 +82,15 @@ static int fifo_open(struct inode *inode
31305 * errno=ENXIO when there is no process reading the FIFO.
31306 */
31307 ret = -ENXIO;
31308 - if ((filp->f_flags & O_NONBLOCK) && !pipe->readers)
31309 + if ((filp->f_flags & O_NONBLOCK) && !atomic_read(&pipe->readers))
31310 goto err;
31311
31312 filp->f_op = &write_pipefifo_fops;
31313 pipe->w_counter++;
31314 - if (!pipe->writers++)
31315 + if (atomic_inc_return(&pipe->writers) == 1)
31316 wake_up_partner(inode);
31317
31318 - if (!pipe->readers) {
31319 + if (!atomic_read(&pipe->readers)) {
31320 wait_for_partner(inode, &pipe->r_counter);
31321 if (signal_pending(current))
31322 goto err_wr;
31323 @@ -106,11 +106,11 @@ static int fifo_open(struct inode *inode
31324 */
31325 filp->f_op = &rdwr_pipefifo_fops;
31326
31327 - pipe->readers++;
31328 - pipe->writers++;
31329 + atomic_inc(&pipe->readers);
31330 + atomic_inc(&pipe->writers);
31331 pipe->r_counter++;
31332 pipe->w_counter++;
31333 - if (pipe->readers == 1 || pipe->writers == 1)
31334 + if (atomic_read(&pipe->readers) == 1 || atomic_read(&pipe->writers) == 1)
31335 wake_up_partner(inode);
31336 break;
31337
31338 @@ -124,19 +124,19 @@ static int fifo_open(struct inode *inode
31339 return 0;
31340
31341 err_rd:
31342 - if (!--pipe->readers)
31343 + if (atomic_dec_and_test(&pipe->readers))
31344 wake_up_interruptible(&pipe->wait);
31345 ret = -ERESTARTSYS;
31346 goto err;
31347
31348 err_wr:
31349 - if (!--pipe->writers)
31350 + if (atomic_dec_and_test(&pipe->writers))
31351 wake_up_interruptible(&pipe->wait);
31352 ret = -ERESTARTSYS;
31353 goto err;
31354
31355 err:
31356 - if (!pipe->readers && !pipe->writers)
31357 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers))
31358 free_pipe_info(inode);
31359
31360 err_nocleanup:
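Review bot: The `err:` path now performs two independent atomic loads of `readers` and `writers`, so the pair is no longer a single snapshot; that is only safe because fifo_open runs under the inode mutex in mainline, which the hunk does not show. If that locking is what makes the split reads acceptable, the conversion is really refcount-overflow hardening of `pipe->readers`/`pipe->writers` rather than a data-race fix, and a short comment at the first conversion in this function would save the next reader the same analysis: `/* readers/writers are atomic_t for overflow protection; i_mutex still serialises opens */`. fifo_open begins before the first hunk of this file.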
31361 diff -urNp linux-2.6.37/fs/file.c linux-2.6.37/fs/file.c
31362 --- linux-2.6.37/fs/file.c 2011-01-04 19:50:19.000000000 -0500
31363 +++ linux-2.6.37/fs/file.c 2011-01-17 02:41:01.000000000 -0500
31364 @@ -14,6 +14,7 @@
31365 #include <linux/slab.h>
31366 #include <linux/vmalloc.h>
31367 #include <linux/file.h>
31368 +#include <linux/security.h>
31369 #include <linux/fdtable.h>
31370 #include <linux/bitops.h>
31371 #include <linux/interrupt.h>
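Review bot: This hunk pulls in `<linux/security.h>` to reach the `gr_learn_resource` call added in the hunk below, whereas fs/fs_struct.c in the same patch includes `<linux/grsecurity.h>` directly for its gr_* calls. If `linux/security.h` only provides the symbol transitively, the include is fragile and hides the real dependency; including `<linux/grsecurity.h>` here as well keeps the two files consistent and makes the grsecurity dependency explicit.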
31372 @@ -250,6 +251,7 @@ int expand_files(struct files_struct *fi
31373 * N.B. For clone tasks sharing a files structure, this test
31374 * will limit the total number of files that can be opened.
31375 */
31376 + gr_learn_resource(current, RLIMIT_NOFILE, nr, 0);
31377 if (nr >= rlimit(RLIMIT_NOFILE))
31378 return -EMFILE;
31379
31380 diff -urNp linux-2.6.37/fs/fs_struct.c linux-2.6.37/fs/fs_struct.c
31381 --- linux-2.6.37/fs/fs_struct.c 2011-01-04 19:50:19.000000000 -0500
31382 +++ linux-2.6.37/fs/fs_struct.c 2011-01-17 02:41:01.000000000 -0500
31383 @@ -4,6 +4,7 @@
31384 #include <linux/path.h>
31385 #include <linux/slab.h>
31386 #include <linux/fs_struct.h>
31387 +#include <linux/grsecurity.h>
31388
31389 /*
31390 * Replace the fs->{rootmnt,root} with {mnt,dentry}. Put the old values.
31391 @@ -17,6 +18,7 @@ void set_fs_root(struct fs_struct *fs, s
31392 old_root = fs->root;
31393 fs->root = *path;
31394 path_get(path);
31395 + gr_set_chroot_entries(current, path);
31396 spin_unlock(&fs->lock);
31397 if (old_root.dentry)
31398 path_put(&old_root);
31399 @@ -56,6 +58,7 @@ void chroot_fs_refs(struct path *old_roo
31400 && fs->root.mnt == old_root->mnt) {
31401 path_get(new_root);
31402 fs->root = *new_root;
31403 + gr_set_chroot_entries(p, new_root);
31404 count++;
31405 }
31406 if (fs->pwd.dentry == old_root->dentry
31407 @@ -89,7 +92,8 @@ void exit_fs(struct task_struct *tsk)
31408 task_lock(tsk);
31409 spin_lock(&fs->lock);
31410 tsk->fs = NULL;
31411 - kill = !--fs->users;
31412 + gr_clear_chroot_entries(tsk);
31413 + kill = !atomic_dec_return(&fs->users);
31414 spin_unlock(&fs->lock);
31415 task_unlock(tsk);
31416 if (kill)
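Review bot: `kill = !atomic_dec_return(&fs->users);` is the idiom the patch writes three times in this file, while fs/fifo.c in the same patch uses `atomic_dec_and_test()` for the identical drop-to-zero test; the dedicated helper is the form kernel reviewers expect, `kill = atomic_dec_and_test(&fs->users);`. Separately, `gr_clear_chroot_entries(tsk)` now runs under `fs->lock` after `tsk->fs` has been set to NULL, so it must neither sleep nor look the fs_struct up through the task; a one-line comment stating that constraint would help. exit_fs begins before the hunk.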
31417 @@ -102,7 +106,7 @@ struct fs_struct *copy_fs_struct(struct
31418 struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
31419 /* We don't need to lock fs - think why ;-) */
31420 if (fs) {
31421 - fs->users = 1;
31422 + atomic_set(&fs->users, 1);
31423 fs->in_exec = 0;
31424 spin_lock_init(&fs->lock);
31425 fs->umask = old->umask;
31426 @@ -122,8 +126,9 @@ int unshare_fs_struct(void)
31427
31428 task_lock(current);
31429 spin_lock(&fs->lock);
31430 - kill = !--fs->users;
31431 + kill = !atomic_dec_return(&fs->users);
31432 current->fs = new_fs;
31433 + gr_set_chroot_entries(current, &new_fs->root);
31434 spin_unlock(&fs->lock);
31435 task_unlock(current);
31436
31437 @@ -142,7 +147,7 @@ EXPORT_SYMBOL(current_umask);
31438
31439 /* to be mentioned only in INIT_TASK */
31440 struct fs_struct init_fs = {
31441 - .users = 1,
31442 + .users = ATOMIC_INIT(1),
31443 .lock = __SPIN_LOCK_UNLOCKED(init_fs.lock),
31444 .umask = 0022,
31445 };
31446 @@ -157,12 +162,13 @@ void daemonize_fs_struct(void)
31447 task_lock(current);
31448
31449 spin_lock(&init_fs.lock);
31450 - init_fs.users++;
31451 + atomic_inc(&init_fs.users);
31452 spin_unlock(&init_fs.lock);
31453
31454 spin_lock(&fs->lock);
31455 current->fs = &init_fs;
31456 - kill = !--fs->users;
31457 + gr_set_chroot_entries(current, &current->fs->root);
31458 + kill = !atomic_dec_return(&fs->users);
31459 spin_unlock(&fs->lock);
31460
31461 task_unlock(current);
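Review bot: `gr_set_chroot_entries(current, &current->fs->root)` reads `init_fs.root` after `init_fs.lock` has been released and while only the old `fs->lock` is held, yet chroot_fs_refs (earlier hunk in this file) updates a shared fs_struct's root under that fs_struct's own lock, so this read can race with a concurrent pivot_root. If the helper only copies the path, either move the call inside the `spin_lock(&init_fs.lock)` block above or hand it a path captured there; if it must run after `current->fs` is switched, a comment should say why the unlocked read is acceptable. The rest of daemonize_fs_struct is outside the hunk.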
31462 diff -urNp linux-2.6.37/fs/fuse/control.c linux-2.6.37/fs/fuse/control.c
31463 --- linux-2.6.37/fs/fuse/control.c 2011-01-04 19:50:19.000000000 -0500
31464 +++ linux-2.6.37/fs/fuse/control.c 2011-01-17 02:41:01.000000000 -0500
31465 @@ -298,7 +298,7 @@ void fuse_ctl_remove_conn(struct fuse_co
31466
31467 static int fuse_ctl_fill_super(struct super_block *sb, void *data, int silent)
31468 {
31469 - struct tree_descr empty_descr = {""};
31470 + struct tree_descr empty_descr = {"", NULL, 0};
31471 struct fuse_conn *fc;
31472 int err;
31473
31474 diff -urNp linux-2.6.37/fs/fuse/cuse.c linux-2.6.37/fs/fuse/cuse.c
31475 --- linux-2.6.37/fs/fuse/cuse.c 2011-01-04 19:50:19.000000000 -0500
31476 +++ linux-2.6.37/fs/fuse/cuse.c 2011-01-17 02:41:01.000000000 -0500
31477 @@ -530,8 +530,18 @@ static int cuse_channel_release(struct i
31478 return rc;
31479 }
31480
31481 -static struct file_operations cuse_channel_fops; /* initialized during init */
31482 -
31483 +static const struct file_operations cuse_channel_fops = { /* initialized during init */
31484 + .owner = THIS_MODULE,
31485 + .llseek = no_llseek,
31486 + .read = do_sync_read,
31487 + .aio_read = fuse_dev_read,
31488 + .write = do_sync_write,
31489 + .aio_write = fuse_dev_write,
31490 + .poll = fuse_dev_poll,
31491 + .open = cuse_channel_open,
31492 + .release = cuse_channel_release,
31493 + .fasync = fuse_dev_fasync,
31494 +};
31495
31496 /**************************************************************************
31497 * Misc stuff and module initializatiion
31498 @@ -577,12 +587,6 @@ static int __init cuse_init(void)
31499 for (i = 0; i < CUSE_CONNTBL_LEN; i++)
31500 INIT_LIST_HEAD(&cuse_conntbl[i]);
31501
31502 - /* inherit and extend fuse_dev_operations */
31503 - cuse_channel_fops = fuse_dev_operations;
31504 - cuse_channel_fops.owner = THIS_MODULE;
31505 - cuse_channel_fops.open = cuse_channel_open;
31506 - cuse_channel_fops.release = cuse_channel_release;
31507 -
31508 cuse_class = class_create(THIS_MODULE, "cuse");
31509 if (IS_ERR(cuse_class))
31510 return PTR_ERR(cuse_class);
31511 diff -urNp linux-2.6.37/fs/fuse/dev.c linux-2.6.37/fs/fuse/dev.c
31512 --- linux-2.6.37/fs/fuse/dev.c 2011-01-04 19:50:19.000000000 -0500
31513 +++ linux-2.6.37/fs/fuse/dev.c 2011-01-17 02:41:01.000000000 -0500
31514 @@ -1047,7 +1047,7 @@ static ssize_t fuse_dev_do_read(struct f
31515 return err;
31516 }
31517
31518 -static ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
31519 +ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
31520 unsigned long nr_segs, loff_t pos)
31521 {
31522 struct fuse_copy_state cs;
31523 @@ -1061,6 +1061,8 @@ static ssize_t fuse_dev_read(struct kioc
31524 return fuse_dev_do_read(fc, file, &cs, iov_length(iov, nr_segs));
31525 }
31526
31527 +EXPORT_SYMBOL_GPL(fuse_dev_read);
31528 +
31529 static int fuse_dev_pipe_buf_steal(struct pipe_inode_info *pipe,
31530 struct pipe_buffer *buf)
31531 {
31532 @@ -1104,7 +1106,7 @@ static ssize_t fuse_dev_splice_read(stru
31533 ret = 0;
31534 pipe_lock(pipe);
31535
31536 - if (!pipe->readers) {
31537 + if (!atomic_read(&pipe->readers)) {
31538 send_sig(SIGPIPE, current, 0);
31539 if (!ret)
31540 ret = -EPIPE;
31541 @@ -1597,7 +1599,7 @@ static ssize_t fuse_dev_do_write(struct
31542 return err;
31543 }
31544
31545 -static ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
31546 +ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
31547 unsigned long nr_segs, loff_t pos)
31548 {
31549 struct fuse_copy_state cs;
31550 @@ -1610,6 +1612,8 @@ static ssize_t fuse_dev_write(struct kio
31551 return fuse_dev_do_write(fc, &cs, iov_length(iov, nr_segs));
31552 }
31553
31554 +EXPORT_SYMBOL_GPL(fuse_dev_write);
31555 +
31556 static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
31557 struct file *out, loff_t *ppos,
31558 size_t len, unsigned int flags)
31559 @@ -1688,7 +1692,7 @@ out:
31560 return ret;
31561 }
31562
31563 -static unsigned fuse_dev_poll(struct file *file, poll_table *wait)
31564 +unsigned fuse_dev_poll(struct file *file, poll_table *wait)
31565 {
31566 unsigned mask = POLLOUT | POLLWRNORM;
31567 struct fuse_conn *fc = fuse_get_conn(file);
31568 @@ -1707,6 +1711,8 @@ static unsigned fuse_dev_poll(struct fil
31569 return mask;
31570 }
31571
31572 +EXPORT_SYMBOL_GPL(fuse_dev_poll);
31573 +
31574 /*
31575 * Abort all requests on the given list (pending or processing)
31576 *
31577 @@ -1824,7 +1830,7 @@ int fuse_dev_release(struct inode *inode
31578 }
31579 EXPORT_SYMBOL_GPL(fuse_dev_release);
31580
31581 -static int fuse_dev_fasync(int fd, struct file *file, int on)
31582 +int fuse_dev_fasync(int fd, struct file *file, int on)
31583 {
31584 struct fuse_conn *fc = fuse_get_conn(file);
31585 if (!fc)
31586 @@ -1834,6 +1840,8 @@ static int fuse_dev_fasync(int fd, struc
31587 return fasync_helper(fd, file, on, &fc->fasync);
31588 }
31589
31590 +EXPORT_SYMBOL_GPL(fuse_dev_fasync);
31591 +
31592 const struct file_operations fuse_dev_operations = {
31593 .owner = THIS_MODULE,
31594 .llseek = no_llseek,
31595 diff -urNp linux-2.6.37/fs/fuse/dir.c linux-2.6.37/fs/fuse/dir.c
31596 --- linux-2.6.37/fs/fuse/dir.c 2011-01-04 19:50:19.000000000 -0500
31597 +++ linux-2.6.37/fs/fuse/dir.c 2011-01-17 02:41:01.000000000 -0500
31598 @@ -1127,7 +1127,7 @@ static char *read_link(struct dentry *de
31599 return link;
31600 }
31601
31602 -static void free_link(char *link)
31603 +static void free_link(const char *link)
31604 {
31605 if (!IS_ERR(link))
31606 free_page((unsigned long) link);
31607 diff -urNp linux-2.6.37/fs/fuse/fuse_i.h linux-2.6.37/fs/fuse/fuse_i.h
31608 --- linux-2.6.37/fs/fuse/fuse_i.h 2011-01-04 19:50:19.000000000 -0500
31609 +++ linux-2.6.37/fs/fuse/fuse_i.h 2011-01-17 02:41:01.000000000 -0500
31610 @@ -525,6 +525,16 @@ extern const struct file_operations fuse
31611
31612 extern const struct dentry_operations fuse_dentry_operations;
31613
31614 +extern ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
31615 + unsigned long nr_segs, loff_t pos);
31616 +
31617 +extern ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
31618 + unsigned long nr_segs, loff_t pos);
31619 +
31620 +extern unsigned fuse_dev_poll(struct file *file, poll_table *wait);
31621 +
31622 +extern int fuse_dev_fasync(int fd, struct file *file, int on);
31623 +
31624 /**
31625 * Inode to nodeid comparison.
31626 */
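Review bot: The four new prototypes are added without the `/** ... */` heading the surrounding declarations in this header use (see the `Inode to nodeid comparison` block right below), and nothing says why device-level operations are suddenly shared. A single heading above them such as `/** Device channel operations, exported for cuse (fs/fuse/cuse.c); their signatures are now module-internal API */` would explain both the export and the constraint it introduces.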
31627 diff -urNp linux-2.6.37/fs/hfs/inode.c linux-2.6.37/fs/hfs/inode.c
31628 --- linux-2.6.37/fs/hfs/inode.c 2011-01-04 19:50:19.000000000 -0500
31629 +++ linux-2.6.37/fs/hfs/inode.c 2011-01-17 02:41:01.000000000 -0500
31630 @@ -447,7 +447,7 @@ int hfs_write_inode(struct inode *inode,
31631
31632 if (S_ISDIR(main_inode->i_mode)) {
31633 if (fd.entrylength < sizeof(struct hfs_cat_dir))
31634 - /* panic? */;
31635 + {/* panic? */}
31636 hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
31637 sizeof(struct hfs_cat_dir));
31638 if (rec.type != HFS_CDR_DIR ||
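Review bot: Bracing the empty statement silences the compiler but leaves the length check a no-op: when `fd.entrylength` is shorter than `struct hfs_cat_dir`, the next line still reads `sizeof(struct hfs_cat_dir)` bytes into `rec`, so a crafted or corrupted catalog record copies bytes past the record into the kernel buffer before `rec.type` is even examined. For an on-disk format parsed from untrusted media the check should fail the operation rather than remain a comment, e.g. `if (fd.entrylength < sizeof(struct hfs_cat_dir)) goto out;` if the exit label that releases the find data is reachable here (mainline hfs_write_inode has one), otherwise return an error. The same pattern repeats in the file branch in the next hunk. hfs_write_inode starts and ends outside the hunk.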
31639 @@ -468,7 +468,7 @@ int hfs_write_inode(struct inode *inode,
31640 sizeof(struct hfs_cat_file));
31641 } else {
31642 if (fd.entrylength < sizeof(struct hfs_cat_file))
31643 - /* panic? */;
31644 + {/* panic? */}
31645 hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
31646 sizeof(struct hfs_cat_file));
31647 if (rec.type != HFS_CDR_FIL ||
31648 diff -urNp linux-2.6.37/fs/hfsplus/inode.c linux-2.6.37/fs/hfsplus/inode.c
31649 --- linux-2.6.37/fs/hfsplus/inode.c 2011-01-04 19:50:19.000000000 -0500
31650 +++ linux-2.6.37/fs/hfsplus/inode.c 2011-01-17 02:41:01.000000000 -0500
31651 @@ -478,7 +478,7 @@ int hfsplus_cat_read_inode(struct inode
31652 struct hfsplus_cat_folder *folder = &entry.folder;
31653
31654 if (fd->entrylength < sizeof(struct hfsplus_cat_folder))
31655 - /* panic? */;
31656 + {/* panic? */}
31657 hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
31658 sizeof(struct hfsplus_cat_folder));
31659 hfsplus_get_perms(inode, &folder->permissions, 1);
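Review bot: The brace change keeps the short-record check in hfsplus_cat_read_inode as a no-op: a catalog record shorter than `struct hfsplus_cat_folder` is still read in full into `entry` on the next line and then handed to hfsplus_get_perms, so a crafted volume can feed bytes beyond the record into the inode's permissions. Since this function already returns an int status, the check should become a real failure, `if (fd->entrylength < sizeof(struct hfsplus_cat_folder)) return -EIO;`, with the same treatment for the file branch in the next hunk (and a printk in the style of the function's existing bad-entry error, if it has one). The enclosing function starts before this hunk and continues after it.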
31660 @@ -495,7 +495,7 @@ int hfsplus_cat_read_inode(struct inode
31661 struct hfsplus_cat_file *file = &entry.file;
31662
31663 if (fd->entrylength < sizeof(struct hfsplus_cat_file))
31664 - /* panic? */;
31665 + {/* panic? */}
31666 hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
31667 sizeof(struct hfsplus_cat_file));
31668
31669 @@ -551,7 +551,7 @@ int hfsplus_cat_write_inode(struct inode
31670 struct hfsplus_cat_folder *folder = &entry.folder;
31671
31672 if (fd.entrylength < sizeof(struct hfsplus_cat_folder))
31673 - /* panic? */;
31674 + {/* panic? */}
31675 hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
31676 sizeof(struct hfsplus_cat_folder));
31677 /* simple node checks? */
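Review bot: Same no-op length check as in hfsplus_cat_read_inode: the `{/* panic? */}` branch does nothing and the following hfs_bnode_read still copies a full `struct hfsplus_cat_folder` from a record that was just found to be shorter than that. hfsplus_cat_write_inode returns an int in mainline, so the check can fail cleanly, e.g. `if (fd.entrylength < sizeof(struct hfsplus_cat_folder)) { res = -EIO; goto out; }` adjusted to this function's actual exit path, which is outside the hunk; the file branch in the next hunk needs the same fix.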
31678 @@ -573,7 +573,7 @@ int hfsplus_cat_write_inode(struct inode
31679 struct hfsplus_cat_file *file = &entry.file;
31680
31681 if (fd.entrylength < sizeof(struct hfsplus_cat_file))
31682 - /* panic? */;
31683 + {/* panic? */}
31684 hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
31685 sizeof(struct hfsplus_cat_file));
31686 hfsplus_inode_write_fork(inode, &file->data_fork);
31687 diff -urNp linux-2.6.37/fs/hugetlbfs/inode.c linux-2.6.37/fs/hugetlbfs/inode.c
31688 --- linux-2.6.37/fs/hugetlbfs/inode.c 2011-01-04 19:50:19.000000000 -0500
31689 +++ linux-2.6.37/fs/hugetlbfs/inode.c 2011-01-17 02:41:01.000000000 -0500
31690 @@ -908,7 +908,7 @@ static struct file_system_type hugetlbfs
31691 .kill_sb = kill_litter_super,
31692 };
31693
31694 -static struct vfsmount *hugetlbfs_vfsmount;
31695 +struct vfsmount *hugetlbfs_vfsmount;
31696
31697 static int can_do_hugetlb_shm(void)
31698 {
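Review bot: Removing `static` from `hugetlbfs_vfsmount` makes it a global with no `extern` declaration visible in this chunk of the patch, so any consumer outside this file must declare it ad hoc and sparse will flag the symbol as lacking a prototype. If a grsecurity user elsewhere in the patch is the reason, the declaration belongs in a shared header (include/linux/hugetlb.h is the natural place) and a comment here should name the consumer, e.g. `/* non-static: used outside hugetlbfs; declared in linux/hugetlb.h */` — adjusted to where the declaration actually lands.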
31699 diff -urNp linux-2.6.37/fs/ioctl.c linux-2.6.37/fs/ioctl.c
31700 --- linux-2.6.37/fs/ioctl.c 2011-01-04 19:50:19.000000000 -0500
31701 +++ linux-2.6.37/fs/ioctl.c 2011-01-17 02:41:01.000000000 -0500
31702 @@ -86,7 +86,7 @@ int fiemap_fill_next_extent(struct fiema
31703 u64 phys, u64 len, u32 flags)
31704 {
31705 struct fiemap_extent extent;
31706 - struct fiemap_extent *dest = fieinfo->fi_extents_start;
31707 + struct fiemap_extent __user *dest = fieinfo->fi_extents_start;
31708
31709 /* only count the extents */
31710 if (fieinfo->fi_extents_max == 0) {
31711 @@ -196,7 +196,7 @@ static int ioctl_fiemap(struct file *fil
31712
31713 fieinfo.fi_flags = fiemap.fm_flags;
31714 fieinfo.fi_extents_max = fiemap.fm_extent_count;
31715 - fieinfo.fi_extents_start = (struct fiemap_extent *)(arg + sizeof(fiemap));
31716 + fieinfo.fi_extents_start = (struct fiemap_extent __user *)(arg + sizeof(fiemap));
31717
31718 if (fiemap.fm_extent_count != 0 &&
31719 !access_ok(VERIFY_WRITE, fieinfo.fi_extents_start,
31720 @@ -209,7 +209,7 @@ static int ioctl_fiemap(struct file *fil
31721 error = inode->i_op->fiemap(inode, &fieinfo, fiemap.fm_start, len);
31722 fiemap.fm_flags = fieinfo.fi_flags;
31723 fiemap.fm_mapped_extents = fieinfo.fi_extents_mapped;
31724 - if (copy_to_user((char *)arg, &fiemap, sizeof(fiemap)))
31725 + if (copy_to_user((__force char __user *)arg, &fiemap, sizeof(fiemap)))
31726 error = -EFAULT;
31727
31728 return error;
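Review bot: The `(__force char __user *)arg` cast is inconsistent with the second hunk of this file, which converts the same `arg` to a `__user` pointer with a plain `(struct fiemap_extent __user *)` cast; `__force` exists to override an address-space mismatch between pointer types, and `arg` is an `unsigned long`, so it does nothing here except suppress a warning the other cast shows is not emitted. Drop it for consistency: `if (copy_to_user((char __user *)arg, &fiemap, sizeof(fiemap)))`. ioctl_fiemap starts before this hunk.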
31729 diff -urNp linux-2.6.37/fs/jffs2/debug.h linux-2.6.37/fs/jffs2/debug.h
31730 --- linux-2.6.37/fs/jffs2/debug.h 2011-01-04 19:50:19.000000000 -0500
31731 +++ linux-2.6.37/fs/jffs2/debug.h 2011-01-17 02:41:01.000000000 -0500
31732 @@ -53,13 +53,13 @@
31733 #if CONFIG_JFFS2_FS_DEBUG > 0
31734 #define D1(x) x
31735 #else
31736 -#define D1(x)
31737 +#define D1(x) do {} while (0);
31738 #endif
31739
31740 #if CONFIG_JFFS2_FS_DEBUG > 1
31741 #define D2(x) x
31742 #else
31743 -#define D2(x)
31744 +#define D2(x) do {} while (0);
31745 #endif
31746
31747 /* The prefixes of JFFS2 messages */
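Review bot: `#define D1(x) do {} while (0);` and `D2` carry a trailing semicolon inside the macro, unlike every other `do {} while (0)` stub this patch adds to jffs2 (the `dbg_*` family below and summary.h); with the usual `D1(stmt);` call form the expansion becomes `do {} while (0);;`, and an `if (c) D1(stmt); else ...` stops compiling. If the semicolon is deliberate because some call sites omit their own, that deserves a comment on the line, e.g. `/* trailing ';' on purpose: some callers invoke D1(...) without one */`; otherwise make it `#define D1(x) do {} while (0)` to match the rest.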
31748 @@ -115,73 +115,73 @@
31749 #ifdef JFFS2_DBG_READINODE_MESSAGES
31750 #define dbg_readinode(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31751 #else
31752 -#define dbg_readinode(fmt, ...)
31753 +#define dbg_readinode(fmt, ...) do {} while (0)
31754 #endif
31755 #ifdef JFFS2_DBG_READINODE2_MESSAGES
31756 #define dbg_readinode2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31757 #else
31758 -#define dbg_readinode2(fmt, ...)
31759 +#define dbg_readinode2(fmt, ...) do {} while (0)
31760 #endif
31761
31762 /* Fragtree build debugging messages */
31763 #ifdef JFFS2_DBG_FRAGTREE_MESSAGES
31764 #define dbg_fragtree(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31765 #else
31766 -#define dbg_fragtree(fmt, ...)
31767 +#define dbg_fragtree(fmt, ...) do {} while (0)
31768 #endif
31769 #ifdef JFFS2_DBG_FRAGTREE2_MESSAGES
31770 #define dbg_fragtree2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31771 #else
31772 -#define dbg_fragtree2(fmt, ...)
31773 +#define dbg_fragtree2(fmt, ...) do {} while (0)
31774 #endif
31775
31776 /* Directory entry list manilulation debugging messages */
31777 #ifdef JFFS2_DBG_DENTLIST_MESSAGES
31778 #define dbg_dentlist(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31779 #else
31780 -#define dbg_dentlist(fmt, ...)
31781 +#define dbg_dentlist(fmt, ...) do {} while (0)
31782 #endif
31783
31784 /* Print the messages about manipulating node_refs */
31785 #ifdef JFFS2_DBG_NODEREF_MESSAGES
31786 #define dbg_noderef(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31787 #else
31788 -#define dbg_noderef(fmt, ...)
31789 +#define dbg_noderef(fmt, ...) do {} while (0)
31790 #endif
31791
31792 /* Manipulations with the list of inodes (JFFS2 inocache) */
31793 #ifdef JFFS2_DBG_INOCACHE_MESSAGES
31794 #define dbg_inocache(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31795 #else
31796 -#define dbg_inocache(fmt, ...)
31797 +#define dbg_inocache(fmt, ...) do {} while (0)
31798 #endif
31799
31800 /* Summary debugging messages */
31801 #ifdef JFFS2_DBG_SUMMARY_MESSAGES
31802 #define dbg_summary(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31803 #else
31804 -#define dbg_summary(fmt, ...)
31805 +#define dbg_summary(fmt, ...) do {} while (0)
31806 #endif
31807
31808 /* File system build messages */
31809 #ifdef JFFS2_DBG_FSBUILD_MESSAGES
31810 #define dbg_fsbuild(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31811 #else
31812 -#define dbg_fsbuild(fmt, ...)
31813 +#define dbg_fsbuild(fmt, ...) do {} while (0)
31814 #endif
31815
31816 /* Watch the object allocations */
31817 #ifdef JFFS2_DBG_MEMALLOC_MESSAGES
31818 #define dbg_memalloc(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31819 #else
31820 -#define dbg_memalloc(fmt, ...)
31821 +#define dbg_memalloc(fmt, ...) do {} while (0)
31822 #endif
31823
31824 /* Watch the XATTR subsystem */
31825 #ifdef JFFS2_DBG_XATTR_MESSAGES
31826 #define dbg_xattr(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31827 #else
31828 -#define dbg_xattr(fmt, ...)
31829 +#define dbg_xattr(fmt, ...) do {} while (0)
31830 #endif
31831
31832 /* "Sanity" checks */
31833 diff -urNp linux-2.6.37/fs/jffs2/erase.c linux-2.6.37/fs/jffs2/erase.c
31834 --- linux-2.6.37/fs/jffs2/erase.c 2011-01-04 19:50:19.000000000 -0500
31835 +++ linux-2.6.37/fs/jffs2/erase.c 2011-01-17 02:41:01.000000000 -0500
31836 @@ -439,7 +439,8 @@ static void jffs2_mark_erased_block(stru
31837 struct jffs2_unknown_node marker = {
31838 .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
31839 .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
31840 - .totlen = cpu_to_je32(c->cleanmarker_size)
31841 + .totlen = cpu_to_je32(c->cleanmarker_size),
31842 + .hdr_crc = cpu_to_je32(0)
31843 };
31844
31845 jffs2_prealloc_raw_node_refs(c, jeb, 1);
31846 diff -urNp linux-2.6.37/fs/jffs2/summary.h linux-2.6.37/fs/jffs2/summary.h
31847 --- linux-2.6.37/fs/jffs2/summary.h 2011-01-04 19:50:19.000000000 -0500
31848 +++ linux-2.6.37/fs/jffs2/summary.h 2011-01-17 02:41:01.000000000 -0500
31849 @@ -194,18 +194,18 @@ int jffs2_sum_scan_sumnode(struct jffs2_
31850
31851 #define jffs2_sum_active() (0)
31852 #define jffs2_sum_init(a) (0)
31853 -#define jffs2_sum_exit(a)
31854 -#define jffs2_sum_disable_collecting(a)
31855 +#define jffs2_sum_exit(a) do {} while (0)
31856 +#define jffs2_sum_disable_collecting(a) do {} while (0)
31857 #define jffs2_sum_is_disabled(a) (0)
31858 -#define jffs2_sum_reset_collected(a)
31859 +#define jffs2_sum_reset_collected(a) do {} while (0)
31860 #define jffs2_sum_add_kvec(a,b,c,d) (0)
31861 -#define jffs2_sum_move_collected(a,b)
31862 +#define jffs2_sum_move_collected(a,b) do {} while (0)
31863 #define jffs2_sum_write_sumnode(a) (0)
31864 -#define jffs2_sum_add_padding_mem(a,b)
31865 -#define jffs2_sum_add_inode_mem(a,b,c)
31866 -#define jffs2_sum_add_dirent_mem(a,b,c)
31867 -#define jffs2_sum_add_xattr_mem(a,b,c)
31868 -#define jffs2_sum_add_xref_mem(a,b,c)
31869 +#define jffs2_sum_add_padding_mem(a,b) do {} while (0)
31870 +#define jffs2_sum_add_inode_mem(a,b,c) do {} while (0)
31871 +#define jffs2_sum_add_dirent_mem(a,b,c) do {} while (0)
31872 +#define jffs2_sum_add_xattr_mem(a,b,c) do {} while (0)
31873 +#define jffs2_sum_add_xref_mem(a,b,c) do {} while (0)
31874 #define jffs2_sum_scan_sumnode(a,b,c,d,e) (0)
31875
31876 #endif /* CONFIG_JFFS2_SUMMARY */
31877 diff -urNp linux-2.6.37/fs/jffs2/wbuf.c linux-2.6.37/fs/jffs2/wbuf.c
31878 --- linux-2.6.37/fs/jffs2/wbuf.c 2011-01-04 19:50:19.000000000 -0500
31879 +++ linux-2.6.37/fs/jffs2/wbuf.c 2011-01-17 02:41:01.000000000 -0500
31880 @@ -1012,7 +1012,8 @@ static const struct jffs2_unknown_node o
31881 {
31882 .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
31883 .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
31884 - .totlen = constant_cpu_to_je32(8)
31885 + .totlen = constant_cpu_to_je32(8),
31886 + .hdr_crc = constant_cpu_to_je32(0)
31887 };
31888
31889 /*
31890 diff -urNp linux-2.6.37/fs/Kconfig.binfmt linux-2.6.37/fs/Kconfig.binfmt
31891 --- linux-2.6.37/fs/Kconfig.binfmt 2011-01-04 19:50:19.000000000 -0500
31892 +++ linux-2.6.37/fs/Kconfig.binfmt 2011-01-17 02:41:01.000000000 -0500
31893 @@ -86,7 +86,7 @@ config HAVE_AOUT
31894
31895 config BINFMT_AOUT
31896 tristate "Kernel support for a.out and ECOFF binaries"
31897 - depends on HAVE_AOUT
31898 + depends on HAVE_AOUT && BROKEN
31899 ---help---
31900 A.out (Assembler.OUTput) is a set of formats for libraries and
31901 executables used in the earliest versions of UNIX. Linux used
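Review bot: Adding `&& BROKEN` makes BINFMT_AOUT unselectable in any normal configuration, but the help text directly below still presents it as an ordinary option and gives no hint that it has been deliberately disabled. A user looking for the a.out option in menuconfig will not see it and will have no explanation. Suggest a sentence at the end of the help text such as "This format is considered unsafe by this hardening patch and is only offered when BROKEN is enabled.", so the dependency is documented where users read it.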
31902 diff -urNp linux-2.6.37/fs/lockd/svc.c linux-2.6.37/fs/lockd/svc.c
31903 --- linux-2.6.37/fs/lockd/svc.c 2011-01-04 19:50:19.000000000 -0500
31904 +++ linux-2.6.37/fs/lockd/svc.c 2011-01-17 02:41:01.000000000 -0500
31905 @@ -41,7 +41,7 @@
31906
31907 static struct svc_program nlmsvc_program;
31908
31909 -struct nlmsvc_binding * nlmsvc_ops;
31910 +const struct nlmsvc_binding * nlmsvc_ops;
31911 EXPORT_SYMBOL_GPL(nlmsvc_ops);
31912
31913 static DEFINE_MUTEX(nlmsvc_mutex);
31914 diff -urNp linux-2.6.37/fs/locks.c linux-2.6.37/fs/locks.c
31915 --- linux-2.6.37/fs/locks.c 2011-01-04 19:50:19.000000000 -0500
31916 +++ linux-2.6.37/fs/locks.c 2011-01-17 02:41:01.000000000 -0500
31917 @@ -2050,16 +2050,16 @@ void locks_remove_flock(struct file *fil
31918 return;
31919
31920 if (filp->f_op && filp->f_op->flock) {
31921 - struct file_lock fl = {
31922 + struct file_lock flock = {
31923 .fl_pid = current->tgid,
31924 .fl_file = filp,
31925 .fl_flags = FL_FLOCK,
31926 .fl_type = F_UNLCK,
31927 .fl_end = OFFSET_MAX,
31928 };
31929 - filp->f_op->flock(filp, F_SETLKW, &fl);
31930 - if (fl.fl_ops && fl.fl_ops->fl_release_private)
31931 - fl.fl_ops->fl_release_private(&fl);
31932 + filp->f_op->flock(filp, F_SETLKW, &flock);
31933 + if (flock.fl_ops && flock.fl_ops->fl_release_private)
31934 + flock.fl_ops->fl_release_private(&flock);
31935 }
31936
31937 lock_flocks();
31938 diff -urNp linux-2.6.37/fs/namei.c linux-2.6.37/fs/namei.c
31939 --- linux-2.6.37/fs/namei.c 2011-01-04 19:50:19.000000000 -0500
31940 +++ linux-2.6.37/fs/namei.c 2011-01-17 02:46:52.000000000 -0500
31941 @@ -221,14 +221,6 @@ int generic_permission(struct inode *ino
31942 return ret;
31943
31944 /*
31945 - * Read/write DACs are always overridable.
31946 - * Executable DACs are overridable if at least one exec bit is set.
31947 - */
31948 - if (!(mask & MAY_EXEC) || execute_ok(inode))
31949 - if (capable(CAP_DAC_OVERRIDE))
31950 - return 0;
31951 -
31952 - /*
31953 * Searching includes executable on directories, else just read.
31954 */
31955 mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
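Review bot: The CAP_DAC_OVERRIDE block is removed here and re-added in the next hunk (ending at `return -EACCES;`) below the CAP_DAC_READ_SEARCH test, but neither hunk says why the order now matters. Both branches return 0, so the only observable difference is which capability is consulted first; presumably this avoids `capable(CAP_DAC_OVERRIDE)` producing an audit/log entry for a process that holds only CAP_DAC_READ_SEARCH, which a maintainer merging upstream changes to generic_permission would not know and would likely undo. Suggest a comment above the re-added block: `/* Checked after CAP_DAC_READ_SEARCH so that a process holding only that capability does not trip a CAP_DAC_OVERRIDE denial log. */`. generic_permission starts outside the hunk.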
31956 @@ -236,6 +228,14 @@ int generic_permission(struct inode *ino
31957 if (capable(CAP_DAC_READ_SEARCH))
31958 return 0;
31959
31960 + /*
31961 + * Read/write DACs are always overridable.
31962 + * Executable DACs are overridable if at least one exec bit is set.
31963 + */
31964 + if (!(mask & MAY_EXEC) || execute_ok(inode))
31965 + if (capable(CAP_DAC_OVERRIDE))
31966 + return 0;
31967 +
31968 return -EACCES;
31969 }
31970
31971 @@ -473,7 +473,8 @@ static int exec_permission(struct inode
31972 if (!ret)
31973 goto ok;
31974
31975 - if (capable(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH))
31976 + if (capable_nolog(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH) ||
31977 + capable(CAP_DAC_OVERRIDE))
31978 goto ok;
31979
31980 return ret;
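Review bot: The new condition ends with `capable(CAP_DAC_OVERRIDE)` after `capable_nolog(CAP_DAC_OVERRIDE)` has already been evaluated, which reads as a redundant re-test. If the two differ only in whether a denial is logged, the third term can be reached only when the capability is absent, and its sole purpose is to emit the log entry after the silent check and the CAP_DAC_READ_SEARCH test both failed; that intent is invisible in the code. Suggest a comment on the condition: `/* CAP_DAC_OVERRIDE is tested silently first; the final capable() exists only to log the denial when no capability applies. */`. exec_permission starts and ends outside the hunk.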
31981 @@ -542,7 +543,7 @@ __do_follow_link(struct path *path, stru
31982 *p = dentry->d_inode->i_op->follow_link(dentry, nd);
31983 error = PTR_ERR(*p);
31984 if (!IS_ERR(*p)) {
31985 - char *s = nd_get_link(nd);
31986 + const char *s = nd_get_link(nd);
31987 error = 0;
31988 if (s)
31989 error = __vfs_follow_link(nd, s);
31990 @@ -575,6 +576,13 @@ static inline int do_follow_link(struct
31991 err = security_inode_follow_link(path->dentry, nd);
31992 if (err)
31993 goto loop;
31994 +
31995 + if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
31996 + path->dentry->d_inode, path->dentry, nd->path.mnt)) {
31997 + err = -EACCES;
31998 + goto loop;
31999 + }
32000 +
32001 current->link_count++;
32002 current->total_link_count++;
32003 nd->depth++;
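Review bot: The added call dereferences `path->dentry->d_parent->d_inode` with no lock visible in the hunk; `nd` holds a reference on `path->dentry` but, as far as the hunk shows, nothing pins its parent, so the value read may be stale if the entry is renamed concurrently. If the hook only uses the parent inode for a policy lookup a stale parent is harmless, but that assumption should be written down rather than left implicit, e.g. `/* d_parent is read unlocked; a concurrent rename can only make the ACL decision stale, not unsafe */` if that is indeed the case. The error path mirrors the `security_inode_follow_link` failure path two lines above, which is consistent. do_follow_link starts and ends outside the hunk.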
32004 @@ -967,11 +975,18 @@ return_reval:
32005 break;
32006 }
32007 return_base:
32008 + if (!(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
32009 + path_put(&nd->path);
32010 + return -ENOENT;
32011 + }
32012 return 0;
32013 out_dput:
32014 path_put_conditional(&next, nd);
32015 break;
32016 }
32017 + if (!(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt))
32018 + err = -ENOENT;
32019 +
32020 path_put(&nd->path);
32021 return_err:
32022 return err;
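Review bot: The second hidden-file check, after the loop, overwrites whatever failure `err` already holds with `-ENOENT` and is evaluated against `nd->path`, which on this path is the last directory successfully reached rather than the component that failed; the hunk does not say whether either is intended. Replacing a more specific error such as -EACCES with -ENOENT is presumably deliberate (it hides the directory's existence), but a comment would prevent the next reader from treating it as a lost error code: `/* nd->path is the last directory reached; if it must stay hidden, report -ENOENT regardless of the real failure. */`. The same condition appears twice within this hunk and could be a small static helper taking `nd`. The enclosing walk function starts and ends outside the hunk.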
32023 @@ -1397,6 +1412,30 @@ int vfs_create(struct inode *dir, struct
32024 return error;
32025 }
32026
32027 +/*
32028 + * Note that while the flag value (low two bits) for sys_open means:
32029 + * 00 - read-only
32030 + * 01 - write-only
32031 + * 10 - read-write
32032 + * 11 - special
32033 + * it is changed into
32034 + * 00 - no permissions needed
32035 + * 01 - read-permission
32036 + * 10 - write-permission
32037 + * 11 - read-write
32038 + * for the internal routines (ie open_namei()/follow_link() etc)
32039 + * This is more logical, and also allows the 00 "no perm needed"
32040 + * to be used for symlinks (where the permissions are checked
32041 + * later).
32042 + *
32043 +*/
32044 +static inline int open_to_namei_flags(int flag)
32045 +{
32046 + if ((flag+1) & O_ACCMODE)
32047 + flag++;
32048 + return flag;
32049 +}
32050 +
32051 int may_open(struct path *path, int acc_mode, int flag)
32052 {
32053 struct dentry *dentry = path->dentry;
32054 @@ -1445,7 +1484,26 @@ int may_open(struct path *path, int acc_
32055 /*
32056 * Ensure there are no outstanding leases on the file.
32057 */
32058 - return break_lease(inode, flag);
32059 + error = break_lease(inode, flag);
32060 + if (error)
32061 + return error;
32062 +
32063 + if (gr_handle_rofs_blockwrite(dentry, path->mnt, acc_mode)) {
32064 + error = -EPERM;
32065 + goto exit;
32066 + }
32067 +
32068 + if (gr_handle_rawio(inode)) {
32069 + error = -EPERM;
32070 + goto exit;
32071 + }
32072 +
32073 + if (!gr_acl_handle_open(dentry, path->mnt, open_to_namei_flags(flag))) {
32074 + error = -EACCES;
32075 + goto exit;
32076 + }
32077 +exit:
32078 + return error;
32079 }
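Review bot: The three new checks each do `error = -Exxx; goto exit;` where `exit:` only executes `return error;`, so the label adds a level of indirection with no cleanup behind it. Returning directly, e.g. `if (gr_handle_rofs_blockwrite(dentry, path->mnt, acc_mode))` / `return -EPERM;`, removes the label and makes it obvious that the fall-through to `exit` returns the 0 left by `break_lease`. Also note that this function now returns -EPERM for the two `gr_handle_*` hooks and -EACCES for the `gr_acl_handle_*` hook; if that distinction is intentional it deserves a one-line comment. may_open starts outside the hunk.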
32080
32081 static int handle_truncate(struct path *path)
32082 @@ -1479,6 +1537,12 @@ static int __open_namei_create(struct na
32083 {
32084 int error;
32085 struct dentry *dir = nd->path.dentry;
32086 + int flag = open_to_namei_flags(open_flag);
32087 +
32088 + if (!gr_acl_handle_creat(path->dentry, nd->path.dentry, nd->path.mnt, flag, mode)) {
32089 + error = -EACCES;
32090 + goto out_unlock;
32091 + }
32092
32093 if (!IS_POSIXACL(dir->d_inode))
32094 mode &= ~current_umask();
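Review bot: `gr_acl_handle_creat` is given `mode` before `mode &= ~current_umask()` runs two lines later, so the ACL decision is made on a possibly more permissive mode than the one `vfs_create` actually receives. If the policy is meant to see the requested mode that is fine, but the hunk gives no indication, and a reviewer comparing the two calls will assume a mistake; either move the check below the umask line or add `/* intentionally checked against the requested (pre-umask) mode */`. __open_namei_create continues outside the hunk.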
32095 @@ -1486,6 +1550,8 @@ static int __open_namei_create(struct na
32096 if (error)
32097 goto out_unlock;
32098 error = vfs_create(dir->d_inode, path->dentry, mode, nd);
32099 + if (!error)
32100 + gr_handle_create(path->dentry, nd->path.mnt);
32101 out_unlock:
32102 mutex_unlock(&dir->d_inode->i_mutex);
32103 dput(nd->path.dentry);
32104 @@ -1496,30 +1562,6 @@ out_unlock:
32105 return may_open(&nd->path, 0, open_flag & ~O_TRUNC);
32106 }
32107
32108 -/*
32109 - * Note that while the flag value (low two bits) for sys_open means:
32110 - * 00 - read-only
32111 - * 01 - write-only
32112 - * 10 - read-write
32113 - * 11 - special
32114 - * it is changed into
32115 - * 00 - no permissions needed
32116 - * 01 - read-permission
32117 - * 10 - write-permission
32118 - * 11 - read-write
32119 - * for the internal routines (ie open_namei()/follow_link() etc)
32120 - * This is more logical, and also allows the 00 "no perm needed"
32121 - * to be used for symlinks (where the permissions are checked
32122 - * later).
32123 - *
32124 -*/
32125 -static inline int open_to_namei_flags(int flag)
32126 -{
32127 - if ((flag+1) & O_ACCMODE)
32128 - flag++;
32129 - return flag;
32130 -}
32131 -
32132 static int open_will_truncate(int flag, struct inode *inode)
32133 {
32134 /*
32135 @@ -1589,6 +1631,7 @@ static struct file *do_last(struct namei
32136 int mode, const char *pathname)
32137 {
32138 struct dentry *dir = nd->path.dentry;
32139 + int flag = open_to_namei_flags(open_flag);
32140 struct file *filp;
32141 int error = -EISDIR;
32142
32143 @@ -1690,6 +1733,14 @@ static struct file *do_last(struct namei
32144 /*
32145 * It already exists.
32146 */
32147 +
32148 + /* only check if O_CREAT is specified, all other checks need to go
32149 + into may_open */
32150 + if (gr_handle_fifo(path->dentry, path->mnt, dir, flag, acc_mode)) {
32151 + error = -EACCES;
32152 + goto exit_mutex_unlock;
32153 + }
32154 +
32155 mutex_unlock(&dir->d_inode->i_mutex);
32156 audit_inode(pathname, path->dentry);
32157
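Review bot: The new comment says "only check if O_CREAT is specified", but no O_CREAT test appears in the hunk; whether this code sits in the O_CREAT branch of do_last is only visible outside it, so the comment should state that as a precondition rather than read as a description of a check that is not there. The blank line inserted after the existing "It already exists." comment also detaches that comment from the `mutex_unlock` it described. Suggest replacing the two comment lines with `/* Reached only on the O_CREAT path; every other open goes through may_open(), which performs the remaining checks. */` and dropping the leading blank line. do_last starts and ends outside the hunk.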
32158 @@ -2013,6 +2064,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
32159 error = may_mknod(mode);
32160 if (error)
32161 goto out_dput;
32162 +
32163 + if (gr_handle_chroot_mknod(dentry, nd.path.mnt, mode)) {
32164 + error = -EPERM;
32165 + goto out_dput;
32166 + }
32167 +
32168 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
32169 + error = -EACCES;
32170 + goto out_dput;
32171 + }
32172 +
32173 error = mnt_want_write(nd.path.mnt);
32174 if (error)
32175 goto out_dput;
32176 @@ -2033,6 +2095,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
32177 }
32178 out_drop_write:
32179 mnt_drop_write(nd.path.mnt);
32180 +
32181 + if (!error)
32182 + gr_handle_create(dentry, nd.path.mnt);
32183 out_dput:
32184 dput(dentry);
32185 out_unlock:
32186 @@ -2085,6 +2150,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
32187 if (IS_ERR(dentry))
32188 goto out_unlock;
32189
32190 + if (!gr_acl_handle_mkdir(dentry, nd.path.dentry, nd.path.mnt)) {
32191 + error = -EACCES;
32192 + goto out_dput;
32193 + }
32194 +
32195 if (!IS_POSIXACL(nd.path.dentry->d_inode))
32196 mode &= ~current_umask();
32197 error = mnt_want_write(nd.path.mnt);
32198 @@ -2096,6 +2166,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
32199 error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
32200 out_drop_write:
32201 mnt_drop_write(nd.path.mnt);
32202 +
32203 + if (!error)
32204 + gr_handle_create(dentry, nd.path.mnt);
32205 +
32206 out_dput:
32207 dput(dentry);
32208 out_unlock:
32209 @@ -2177,6 +2251,8 @@ static long do_rmdir(int dfd, const char
32210 char * name;
32211 struct dentry *dentry;
32212 struct nameidata nd;
32213 + ino_t saved_ino = 0;
32214 + dev_t saved_dev = 0;
32215
32216 error = user_path_parent(dfd, pathname, &nd, &name);
32217 if (error)
32218 @@ -2201,6 +2277,19 @@ static long do_rmdir(int dfd, const char
32219 error = PTR_ERR(dentry);
32220 if (IS_ERR(dentry))
32221 goto exit2;
32222 +
32223 + if (dentry->d_inode != NULL) {
32224 + if (dentry->d_inode->i_nlink <= 1) {
32225 + saved_ino = dentry->d_inode->i_ino;
32226 + saved_dev = dentry->d_inode->i_sb->s_dev;
32227 + }
32228 +
32229 + if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) {
32230 + error = -EACCES;
32231 + goto exit3;
32232 + }
32233 + }
32234 +
32235 error = mnt_want_write(nd.path.mnt);
32236 if (error)
32237 goto exit3;
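Review bot: The `i_nlink <= 1` condition copied from the unlink path does not fit directories: on filesystems that report the traditional 2 + subdirectory link count, a directory never satisfies it, so `saved_ino`/`saved_dev` stay 0 and the `gr_handle_delete` call in the following hunk (`if (!error && (saved_dev || saved_ino))`) is skipped for every rmdir on such filesystems. Since a directory cannot have extra hard links, a successful rmdir always removes the inode and the nlink test can simply be dropped here: `saved_ino = dentry->d_inode->i_ino;` and `saved_dev = dentry->d_inode->i_sb->s_dev;` unconditionally inside the `d_inode != NULL` block. If the current behaviour is intended, a comment explaining which filesystems it targets is needed. do_rmdir starts and ends outside the hunk.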
32238 @@ -2208,6 +2297,8 @@ static long do_rmdir(int dfd, const char
32239 if (error)
32240 goto exit4;
32241 error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
32242 + if (!error && (saved_dev || saved_ino))
32243 + gr_handle_delete(saved_ino, saved_dev);
32244 exit4:
32245 mnt_drop_write(nd.path.mnt);
32246 exit3:
32247 @@ -2270,6 +2361,8 @@ static long do_unlinkat(int dfd, const c
32248 struct dentry *dentry;
32249 struct nameidata nd;
32250 struct inode *inode = NULL;
32251 + ino_t saved_ino = 0;
32252 + dev_t saved_dev = 0;
32253
32254 error = user_path_parent(dfd, pathname, &nd, &name);
32255 if (error)
32256 @@ -2289,8 +2382,17 @@ static long do_unlinkat(int dfd, const c
32257 if (nd.last.name[nd.last.len])
32258 goto slashes;
32259 inode = dentry->d_inode;
32260 - if (inode)
32261 + if (inode) {
32262 ihold(inode);
32263 + if (inode->i_nlink <= 1) {
32264 + saved_ino = inode->i_ino;
32265 + saved_dev = inode->i_sb->s_dev;
32266 + }
32267 + if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) {
32268 + error = -EACCES;
32269 + goto exit2;
32270 + }
32271 + }
32272 error = mnt_want_write(nd.path.mnt);
32273 if (error)
32274 goto exit2;
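Review bot: The `i_nlink <= 1` snapshot is taken before `vfs_unlink` and, as far as the hunk shows, only the parent directory is locked, so a concurrent link() through another directory can leave the inode alive while the delete hook in the next hunk still reports it as gone; an inode with open descriptors is likewise not freed by the unlink. That is acceptable for a best-effort audit event but should be stated, since the fields are named as if they identified a destroyed inode: `/* best-effort: nlink is sampled before the unlink and may change under us; the event means "last known link removed", not "inode freed" */`. do_unlinkat starts and ends outside the hunk.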
32275 @@ -2298,6 +2400,8 @@ static long do_unlinkat(int dfd, const c
32276 if (error)
32277 goto exit3;
32278 error = vfs_unlink(nd.path.dentry->d_inode, dentry);
32279 + if (!error && (saved_ino || saved_dev))
32280 + gr_handle_delete(saved_ino, saved_dev);
32281 exit3:
32282 mnt_drop_write(nd.path.mnt);
32283 exit2:
32284 @@ -2375,6 +2479,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
32285 if (IS_ERR(dentry))
32286 goto out_unlock;
32287
32288 + if (!gr_acl_handle_symlink(dentry, nd.path.dentry, nd.path.mnt, from)) {
32289 + error = -EACCES;
32290 + goto out_dput;
32291 + }
32292 +
32293 error = mnt_want_write(nd.path.mnt);
32294 if (error)
32295 goto out_dput;
32296 @@ -2382,6 +2491,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
32297 if (error)
32298 goto out_drop_write;
32299 error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
32300 + if (!error)
32301 + gr_handle_create(dentry, nd.path.mnt);
32302 out_drop_write:
32303 mnt_drop_write(nd.path.mnt);
32304 out_dput:
32305 @@ -2474,6 +2585,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
32306 error = PTR_ERR(new_dentry);
32307 if (IS_ERR(new_dentry))
32308 goto out_unlock;
32309 +
32310 + if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
32311 + old_path.dentry->d_inode,
32312 + old_path.dentry->d_inode->i_mode, to)) {
32313 + error = -EACCES;
32314 + goto out_dput;
32315 + }
32316 +
32317 + if (!gr_acl_handle_link(new_dentry, nd.path.dentry, nd.path.mnt,
32318 + old_path.dentry, old_path.mnt, to)) {
32319 + error = -EACCES;
32320 + goto out_dput;
32321 + }
32322 +
32323 error = mnt_want_write(nd.path.mnt);
32324 if (error)
32325 goto out_dput;
32326 @@ -2481,6 +2606,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
32327 if (error)
32328 goto out_drop_write;
32329 error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
32330 + if (!error)
32331 + gr_handle_create(new_dentry, nd.path.mnt);
32332 out_drop_write:
32333 mnt_drop_write(nd.path.mnt);
32334 out_dput:
32335 @@ -2714,6 +2841,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
32336 if (new_dentry == trap)
32337 goto exit5;
32338
32339 + error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt,
32340 + old_dentry, old_dir->d_inode, oldnd.path.mnt,
32341 + to);
32342 + if (error)
32343 + goto exit5;
32344 +
32345 error = mnt_want_write(oldnd.path.mnt);
32346 if (error)
32347 goto exit5;
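Review bot: `gr_acl_handle_rename` is used as an errno-returning function (`error = ...; if (error) goto exit5;`), whereas every other `gr_acl_handle_*` hook added to this file returns a boolean that the caller maps to -EACCES with `if (!gr_acl_handle_...(...)) { error = -EACCES; ... }`. Two return conventions under one naming prefix invite the classic inverted-check bug when the next hook is added; either rename this one to signal the difference or wrap it to the boolean convention. At minimum a comment on the call: `/* unlike the other gr_acl_handle_* hooks this returns 0 or a negative errno */`. renameat starts and ends outside the hunk.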
32348 @@ -2723,6 +2856,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
32349 goto exit6;
32350 error = vfs_rename(old_dir->d_inode, old_dentry,
32351 new_dir->d_inode, new_dentry);
32352 + if (!error)
32353 + gr_handle_rename(old_dir->d_inode, new_dir->d_inode, old_dentry,
32354 + new_dentry, oldnd.path.mnt, new_dentry->d_inode ? 1 : 0);
32355 exit6:
32356 mnt_drop_write(oldnd.path.mnt);
32357 exit5:
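Review bot: The `new_dentry->d_inode ? 1 : 0` argument is evaluated after `vfs_rename` has run, so whether it still reflects "a target existed" depends on the dcache state `vfs_rename`/`d_move` leaves on `new_dentry`, which is an implementation detail the audit call should not rely on. Snapshot it before the call instead: `int replaced = new_dentry->d_inode != NULL;` above `error = vfs_rename(...)`, and pass `replaced` to `gr_handle_rename`. renameat starts and ends outside the hunk.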
32358 diff -urNp linux-2.6.37/fs/namespace.c linux-2.6.37/fs/namespace.c
32359 --- linux-2.6.37/fs/namespace.c 2011-01-04 19:50:19.000000000 -0500
32360 +++ linux-2.6.37/fs/namespace.c 2011-01-17 02:41:01.000000000 -0500
32361 @@ -1141,6 +1141,9 @@ static int do_umount(struct vfsmount *mn
32362 if (!(sb->s_flags & MS_RDONLY))
32363 retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
32364 up_write(&sb->s_umount);
32365 +
32366 + gr_log_remount(mnt->mnt_devname, retval);
32367 +
32368 return retval;
32369 }
32370
32371 @@ -1160,6 +1163,9 @@ static int do_umount(struct vfsmount *mn
32372 br_write_unlock(vfsmount_lock);
32373 up_write(&namespace_sem);
32374 release_mounts(&umount_list);
32375 +
32376 + gr_log_unmount(mnt->mnt_devname, retval);
32377 +
32378 return retval;
32379 }
32380
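Review bot: `gr_log_unmount(mnt->mnt_devname, retval)` dereferences `mnt` after `release_mounts(&umount_list)`, which drops the mounts collected by the umount; that this read is safe depends on the caller still holding its own reference on `mnt`, which the hunk cannot show. Logging before `release_mounts()` (the return value is already final at that point) removes the dependency entirely, or a comment should record it: `/* safe after release_mounts(): the caller's path reference keeps mnt alive */`. do_umount starts and ends outside the hunk.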
32381 @@ -2053,6 +2059,16 @@ long do_mount(char *dev_name, char *dir_
32382 MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
32383 MS_STRICTATIME);
32384
32385 + if (gr_handle_rofs_mount(path.dentry, path.mnt, mnt_flags)) {
32386 + retval = -EPERM;
32387 + goto dput_out;
32388 + }
32389 +
32390 + if (gr_handle_chroot_mount(path.dentry, path.mnt, dev_name)) {
32391 + retval = -EPERM;
32392 + goto dput_out;
32393 + }
32394 +
32395 if (flags & MS_REMOUNT)
32396 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
32397 data_page);
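Review bot: `dev_name` is passed to `gr_handle_chroot_mount` here and to `gr_log_mount` in the next hunk, but for filesystems that take no device the `dev_name` argument of do_mount may be NULL, and nothing in either hunk guards against that; both hooks must therefore tolerate a NULL first argument. If they do, say so at the first call: `/* dev_name may be NULL (no-device filesystems); the gr hooks must handle it */`; if they do not, a NULL check belongs before the calls. The ordering of the two policy checks before `do_remount`/`do_new_mount` is sensible, since the mount flags are final at this point. do_mount starts and ends outside the hunk.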
32398 @@ -2067,6 +2083,9 @@ long do_mount(char *dev_name, char *dir_
32399 dev_name, data_page);
32400 dput_out:
32401 path_put(&path);
32402 +
32403 + gr_log_mount(dev_name, dir_name, retval);
32404 +
32405 return retval;
32406 }
32407
32408 @@ -2273,6 +2292,12 @@ SYSCALL_DEFINE2(pivot_root, const char _
32409 goto out1;
32410 }
32411
32412 + if (gr_handle_chroot_pivot()) {
32413 + error = -EPERM;
32414 + path_put(&old);
32415 + goto out1;
32416 + }
32417 +
32418 get_fs_root(current->fs, &root);
32419 down_write(&namespace_sem);
32420 mutex_lock(&old.dentry->d_inode->i_mutex);
32421 diff -urNp linux-2.6.37/fs/nfs/inode.c linux-2.6.37/fs/nfs/inode.c
32422 --- linux-2.6.37/fs/nfs/inode.c 2011-01-04 19:50:19.000000000 -0500
32423 +++ linux-2.6.37/fs/nfs/inode.c 2011-01-17 02:41:01.000000000 -0500
32424 @@ -985,16 +985,16 @@ static int nfs_size_need_update(const st
32425 return nfs_size_to_loff_t(fattr->size) > i_size_read(inode);
32426 }
32427
32428 -static atomic_long_t nfs_attr_generation_counter;
32429 +static atomic_long_unchecked_t nfs_attr_generation_counter;
32430
32431 static unsigned long nfs_read_attr_generation_counter(void)
32432 {
32433 - return atomic_long_read(&nfs_attr_generation_counter);
32434 + return atomic_long_read_unchecked(&nfs_attr_generation_counter);
32435 }
32436
32437 unsigned long nfs_inc_attr_generation_counter(void)
32438 {
32439 - return atomic_long_inc_return(&nfs_attr_generation_counter);
32440 + return atomic_long_inc_return_unchecked(&nfs_attr_generation_counter);
32441 }
32442
32443 void nfs_fattr_init(struct nfs_fattr *fattr)
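Review bot: Switching `nfs_attr_generation_counter` to `atomic_long_unchecked_t` opts this counter out of whatever overflow detection the checked atomic types provide, and the hunk does not record why that is safe here. For a generation counter that is expected to wrap the exemption is appropriate, but the reason should sit next to the declaration so the exemption is not copied blindly: `/* generation counter: wrapping is expected and harmless, so overflow checking is intentionally disabled */`. The same applies to the `ocfs2_alloc_stats` counters switched to `atomic_unchecked_t` in the fs/ocfs2/ocfs2.h and fs/ocfs2/localalloc.c hunks further down.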
32444 diff -urNp linux-2.6.37/fs/nfs/nfs4proc.c linux-2.6.37/fs/nfs/nfs4proc.c
32445 --- linux-2.6.37/fs/nfs/nfs4proc.c 2011-01-04 19:50:19.000000000 -0500
32446 +++ linux-2.6.37/fs/nfs/nfs4proc.c 2011-01-17 02:41:01.000000000 -0500
32447 @@ -1184,7 +1184,7 @@ static int _nfs4_do_open_reclaim(struct
32448 static int nfs4_do_open_reclaim(struct nfs_open_context *ctx, struct nfs4_state *state)
32449 {
32450 struct nfs_server *server = NFS_SERVER(state->inode);
32451 - struct nfs4_exception exception = { };
32452 + struct nfs4_exception exception = {0, 0};
32453 int err;
32454 do {
32455 err = _nfs4_do_open_reclaim(ctx, state);
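Review bot: Replacing `{ }` with `{0, 0}` ties every initializer in this file to `struct nfs4_exception` having exactly two members; if a field is added the literal becomes a misleading partial initializer rather than a zero-fill, and the same edit is repeated in all the following hunks of this file. `{0}` is standard C, zero-initialises the whole object regardless of member count, and avoids the empty-initializer extension the change is evidently moving away from, so `struct nfs4_exception exception = {0};` is the better form throughout.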
32456 @@ -1226,7 +1226,7 @@ static int _nfs4_open_delegation_recall(
32457
32458 int nfs4_open_delegation_recall(struct nfs_open_context *ctx, struct nfs4_state *state, const nfs4_stateid *stateid)
32459 {
32460 - struct nfs4_exception exception = { };
32461 + struct nfs4_exception exception = {0, 0};
32462 struct nfs_server *server = NFS_SERVER(state->inode);
32463 int err;
32464 do {
32465 @@ -1602,7 +1602,7 @@ static int _nfs4_open_expired(struct nfs
32466 static int nfs4_do_open_expired(struct nfs_open_context *ctx, struct nfs4_state *state)
32467 {
32468 struct nfs_server *server = NFS_SERVER(state->inode);
32469 - struct nfs4_exception exception = { };
32470 + struct nfs4_exception exception = {0, 0};
32471 int err;
32472
32473 do {
32474 @@ -1717,7 +1717,7 @@ out_err:
32475
32476 static struct nfs4_state *nfs4_do_open(struct inode *dir, struct path *path, fmode_t fmode, int flags, struct iattr *sattr, struct rpc_cred *cred)
32477 {
32478 - struct nfs4_exception exception = { };
32479 + struct nfs4_exception exception = {0, 0};
32480 struct nfs4_state *res;
32481 int status;
32482
32483 @@ -1808,7 +1808,7 @@ static int nfs4_do_setattr(struct inode
32484 struct nfs4_state *state)
32485 {
32486 struct nfs_server *server = NFS_SERVER(inode);
32487 - struct nfs4_exception exception = { };
32488 + struct nfs4_exception exception = {0, 0};
32489 int err;
32490 do {
32491 err = nfs4_handle_exception(server,
32492 @@ -2081,7 +2081,7 @@ static int _nfs4_server_capabilities(str
32493
32494 int nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *fhandle)
32495 {
32496 - struct nfs4_exception exception = { };
32497 + struct nfs4_exception exception = {0, 0};
32498 int err;
32499 do {
32500 err = nfs4_handle_exception(server,
32501 @@ -2115,7 +2115,7 @@ static int _nfs4_lookup_root(struct nfs_
32502 static int nfs4_lookup_root(struct nfs_server *server, struct nfs_fh *fhandle,
32503 struct nfs_fsinfo *info)
32504 {
32505 - struct nfs4_exception exception = { };
32506 + struct nfs4_exception exception = {0, 0};
32507 int err;
32508 do {
32509 err = nfs4_handle_exception(server,
32510 @@ -2203,7 +2203,7 @@ static int _nfs4_proc_getattr(struct nfs
32511
32512 static int nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
32513 {
32514 - struct nfs4_exception exception = { };
32515 + struct nfs4_exception exception = {0, 0};
32516 int err;
32517 do {
32518 err = nfs4_handle_exception(server,
32519 @@ -2291,7 +2291,7 @@ static int nfs4_proc_lookupfh(struct nfs
32520 struct qstr *name, struct nfs_fh *fhandle,
32521 struct nfs_fattr *fattr)
32522 {
32523 - struct nfs4_exception exception = { };
32524 + struct nfs4_exception exception = {0, 0};
32525 int err;
32526 do {
32527 err = _nfs4_proc_lookupfh(server, dirfh, name, fhandle, fattr);
32528 @@ -2320,7 +2320,7 @@ static int _nfs4_proc_lookup(struct inod
32529
32530 static int nfs4_proc_lookup(struct inode *dir, struct qstr *name, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
32531 {
32532 - struct nfs4_exception exception = { };
32533 + struct nfs4_exception exception = {0, 0};
32534 int err;
32535 do {
32536 err = nfs4_handle_exception(NFS_SERVER(dir),
32537 @@ -2387,7 +2387,7 @@ static int _nfs4_proc_access(struct inod
32538
32539 static int nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry)
32540 {
32541 - struct nfs4_exception exception = { };
32542 + struct nfs4_exception exception = {0, 0};
32543 int err;
32544 do {
32545 err = nfs4_handle_exception(NFS_SERVER(inode),
32546 @@ -2443,7 +2443,7 @@ static int _nfs4_proc_readlink(struct in
32547 static int nfs4_proc_readlink(struct inode *inode, struct page *page,
32548 unsigned int pgbase, unsigned int pglen)
32549 {
32550 - struct nfs4_exception exception = { };
32551 + struct nfs4_exception exception = {0, 0};
32552 int err;
32553 do {
32554 err = nfs4_handle_exception(NFS_SERVER(inode),
32555 @@ -2537,7 +2537,7 @@ out:
32556
32557 static int nfs4_proc_remove(struct inode *dir, struct qstr *name)
32558 {
32559 - struct nfs4_exception exception = { };
32560 + struct nfs4_exception exception = {0, 0};
32561 int err;
32562 do {
32563 err = nfs4_handle_exception(NFS_SERVER(dir),
32564 @@ -2642,7 +2642,7 @@ out:
32565 static int nfs4_proc_rename(struct inode *old_dir, struct qstr *old_name,
32566 struct inode *new_dir, struct qstr *new_name)
32567 {
32568 - struct nfs4_exception exception = { };
32569 + struct nfs4_exception exception = {0, 0};
32570 int err;
32571 do {
32572 err = nfs4_handle_exception(NFS_SERVER(old_dir),
32573 @@ -2691,7 +2691,7 @@ out:
32574
32575 static int nfs4_proc_link(struct inode *inode, struct inode *dir, struct qstr *name)
32576 {
32577 - struct nfs4_exception exception = { };
32578 + struct nfs4_exception exception = {0, 0};
32579 int err;
32580 do {
32581 err = nfs4_handle_exception(NFS_SERVER(inode),
32582 @@ -2783,7 +2783,7 @@ out:
32583 static int nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,
32584 struct page *page, unsigned int len, struct iattr *sattr)
32585 {
32586 - struct nfs4_exception exception = { };
32587 + struct nfs4_exception exception = {0, 0};
32588 int err;
32589 do {
32590 err = nfs4_handle_exception(NFS_SERVER(dir),
32591 @@ -2814,7 +2814,7 @@ out:
32592 static int nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
32593 struct iattr *sattr)
32594 {
32595 - struct nfs4_exception exception = { };
32596 + struct nfs4_exception exception = {0, 0};
32597 int err;
32598 do {
32599 err = nfs4_handle_exception(NFS_SERVER(dir),
32600 @@ -2866,7 +2866,7 @@ static int _nfs4_proc_readdir(struct den
32601 static int nfs4_proc_readdir(struct dentry *dentry, struct rpc_cred *cred,
32602 u64 cookie, struct page **pages, unsigned int count, int plus)
32603 {
32604 - struct nfs4_exception exception = { };
32605 + struct nfs4_exception exception = {0, 0};
32606 int err;
32607 do {
32608 err = nfs4_handle_exception(NFS_SERVER(dentry->d_inode),
32609 @@ -2914,7 +2914,7 @@ out:
32610 static int nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,
32611 struct iattr *sattr, dev_t rdev)
32612 {
32613 - struct nfs4_exception exception = { };
32614 + struct nfs4_exception exception = {0, 0};
32615 int err;
32616 do {
32617 err = nfs4_handle_exception(NFS_SERVER(dir),
32618 @@ -2946,7 +2946,7 @@ static int _nfs4_proc_statfs(struct nfs_
32619
32620 static int nfs4_proc_statfs(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsstat *fsstat)
32621 {
32622 - struct nfs4_exception exception = { };
32623 + struct nfs4_exception exception = {0, 0};
32624 int err;
32625 do {
32626 err = nfs4_handle_exception(server,
32627 @@ -2977,7 +2977,7 @@ static int _nfs4_do_fsinfo(struct nfs_se
32628
32629 static int nfs4_do_fsinfo(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsinfo *fsinfo)
32630 {
32631 - struct nfs4_exception exception = { };
32632 + struct nfs4_exception exception = {0, 0};
32633 int err;
32634
32635 do {
32636 @@ -3023,7 +3023,7 @@ static int _nfs4_proc_pathconf(struct nf
32637 static int nfs4_proc_pathconf(struct nfs_server *server, struct nfs_fh *fhandle,
32638 struct nfs_pathconf *pathconf)
32639 {
32640 - struct nfs4_exception exception = { };
32641 + struct nfs4_exception exception = {0, 0};
32642 int err;
32643
32644 do {
32645 @@ -3340,7 +3340,7 @@ out_free:
32646
32647 static ssize_t nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t buflen)
32648 {
32649 - struct nfs4_exception exception = { };
32650 + struct nfs4_exception exception = {0, 0};
32651 ssize_t ret;
32652 do {
32653 ret = __nfs4_get_acl_uncached(inode, buf, buflen);
32654 @@ -3405,7 +3405,7 @@ static int __nfs4_proc_set_acl(struct in
32655
32656 static int nfs4_proc_set_acl(struct inode *inode, const void *buf, size_t buflen)
32657 {
32658 - struct nfs4_exception exception = { };
32659 + struct nfs4_exception exception = {0, 0};
32660 int err;
32661 do {
32662 err = nfs4_handle_exception(NFS_SERVER(inode),
32663 @@ -3685,7 +3685,7 @@ out:
32664 int nfs4_proc_delegreturn(struct inode *inode, struct rpc_cred *cred, const nfs4_stateid *stateid, int issync)
32665 {
32666 struct nfs_server *server = NFS_SERVER(inode);
32667 - struct nfs4_exception exception = { };
32668 + struct nfs4_exception exception = {0, 0};
32669 int err;
32670 do {
32671 err = _nfs4_proc_delegreturn(inode, cred, stateid, issync);
32672 @@ -3758,7 +3758,7 @@ out:
32673
32674 static int nfs4_proc_getlk(struct nfs4_state *state, int cmd, struct file_lock *request)
32675 {
32676 - struct nfs4_exception exception = { };
32677 + struct nfs4_exception exception = {0, 0};
32678 int err;
32679
32680 do {
32681 @@ -4167,7 +4167,7 @@ static int _nfs4_do_setlk(struct nfs4_st
32682 static int nfs4_lock_reclaim(struct nfs4_state *state, struct file_lock *request)
32683 {
32684 struct nfs_server *server = NFS_SERVER(state->inode);
32685 - struct nfs4_exception exception = { };
32686 + struct nfs4_exception exception = {0, 0};
32687 int err;
32688
32689 do {
32690 @@ -4185,7 +4185,7 @@ static int nfs4_lock_reclaim(struct nfs4
32691 static int nfs4_lock_expired(struct nfs4_state *state, struct file_lock *request)
32692 {
32693 struct nfs_server *server = NFS_SERVER(state->inode);
32694 - struct nfs4_exception exception = { };
32695 + struct nfs4_exception exception = {0, 0};
32696 int err;
32697
32698 err = nfs4_set_lock_state(state, request);
32699 @@ -4249,7 +4249,7 @@ out:
32700
32701 static int nfs4_proc_setlk(struct nfs4_state *state, int cmd, struct file_lock *request)
32702 {
32703 - struct nfs4_exception exception = { };
32704 + struct nfs4_exception exception = {0, 0};
32705 int err;
32706
32707 do {
32708 @@ -4309,7 +4309,7 @@ nfs4_proc_lock(struct file *filp, int cm
32709 int nfs4_lock_delegation_recall(struct nfs4_state *state, struct file_lock *fl)
32710 {
32711 struct nfs_server *server = NFS_SERVER(state->inode);
32712 - struct nfs4_exception exception = { };
32713 + struct nfs4_exception exception = {0, 0};
32714 int err;
32715
32716 err = nfs4_set_lock_state(state, fl);
32717 diff -urNp linux-2.6.37/fs/nfsd/lockd.c linux-2.6.37/fs/nfsd/lockd.c
32718 --- linux-2.6.37/fs/nfsd/lockd.c 2011-01-04 19:50:19.000000000 -0500
32719 +++ linux-2.6.37/fs/nfsd/lockd.c 2011-01-17 02:41:01.000000000 -0500
32720 @@ -61,7 +61,7 @@ nlm_fclose(struct file *filp)
32721 fput(filp);
32722 }
32723
32724 -static struct nlmsvc_binding nfsd_nlm_ops = {
32725 +static const struct nlmsvc_binding nfsd_nlm_ops = {
32726 .fopen = nlm_fopen, /* open file for locking */
32727 .fclose = nlm_fclose, /* close file */
32728 };
32729 diff -urNp linux-2.6.37/fs/nfsd/nfsctl.c linux-2.6.37/fs/nfsd/nfsctl.c
32730 --- linux-2.6.37/fs/nfsd/nfsctl.c 2011-01-04 19:50:19.000000000 -0500
32731 +++ linux-2.6.37/fs/nfsd/nfsctl.c 2011-01-17 02:41:01.000000000 -0500
32732 @@ -178,7 +178,7 @@ static int export_features_open(struct i
32733 return single_open(file, export_features_show, NULL);
32734 }
32735
32736 -static struct file_operations export_features_operations = {
32737 +static const struct file_operations export_features_operations = {
32738 .open = export_features_open,
32739 .read = seq_read,
32740 .llseek = seq_lseek,
32741 diff -urNp linux-2.6.37/fs/nfsd/vfs.c linux-2.6.37/fs/nfsd/vfs.c
32742 --- linux-2.6.37/fs/nfsd/vfs.c 2011-01-04 19:50:19.000000000 -0500
32743 +++ linux-2.6.37/fs/nfsd/vfs.c 2011-01-17 02:41:01.000000000 -0500
32744 @@ -916,7 +916,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, st
32745 } else {
32746 oldfs = get_fs();
32747 set_fs(KERNEL_DS);
32748 - host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
32749 + host_err = vfs_readv(file, (__force struct iovec __user *)vec, vlen, &offset);
32750 set_fs(oldfs);
32751 }
32752
32753 @@ -1029,7 +1029,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, s
32754
32755 /* Write the data. */
32756 oldfs = get_fs(); set_fs(KERNEL_DS);
32757 - host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &offset);
32758 + host_err = vfs_writev(file, (__force struct iovec __user *)vec, vlen, &offset);
32759 set_fs(oldfs);
32760 if (host_err < 0)
32761 goto out_nfserr;
32762 @@ -1546,7 +1546,7 @@ nfsd_readlink(struct svc_rqst *rqstp, st
32763 */
32764
32765 oldfs = get_fs(); set_fs(KERNEL_DS);
32766 - host_err = inode->i_op->readlink(dentry, buf, *lenp);
32767 + host_err = inode->i_op->readlink(dentry, (__force char __user *)buf, *lenp);
32768 set_fs(oldfs);
32769
32770 if (host_err < 0)
32771 diff -urNp linux-2.6.37/fs/nls/nls_base.c linux-2.6.37/fs/nls/nls_base.c
32772 --- linux-2.6.37/fs/nls/nls_base.c 2011-01-04 19:50:19.000000000 -0500
32773 +++ linux-2.6.37/fs/nls/nls_base.c 2011-01-17 02:41:01.000000000 -0500
32774 @@ -41,7 +41,7 @@ static const struct utf8_table utf8_tabl
32775 {0xF8, 0xF0, 3*6, 0x1FFFFF, 0x10000, /* 4 byte sequence */},
32776 {0xFC, 0xF8, 4*6, 0x3FFFFFF, 0x200000, /* 5 byte sequence */},
32777 {0xFE, 0xFC, 5*6, 0x7FFFFFFF, 0x4000000, /* 6 byte sequence */},
32778 - {0, /* end of table */}
32779 + {0, 0, 0, 0, 0, /* end of table */}
32780 };
32781
32782 #define UNICODE_MAX 0x0010ffff
32783 diff -urNp linux-2.6.37/fs/ntfs/dir.c linux-2.6.37/fs/ntfs/dir.c
32784 --- linux-2.6.37/fs/ntfs/dir.c 2011-01-04 19:50:19.000000000 -0500
32785 +++ linux-2.6.37/fs/ntfs/dir.c 2011-01-17 02:41:01.000000000 -0500
32786 @@ -1329,7 +1329,7 @@ find_next_index_buffer:
32787 ia = (INDEX_ALLOCATION*)(kaddr + (ia_pos & ~PAGE_CACHE_MASK &
32788 ~(s64)(ndir->itype.index.block_size - 1)));
32789 /* Bounds checks. */
32790 - if (unlikely((u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
32791 + if (unlikely(!kaddr || (u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
32792 ntfs_error(sb, "Out of bounds check failed. Corrupt directory "
32793 "inode 0x%lx or driver bug.", vdir->i_ino);
32794 goto err_out;
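Review bot: The added `!kaddr` test sits inside the bounds check, two lines after `ia` has already been derived from `kaddr`, so the NULL case is caught only after arithmetic on a null pointer has been done. If `kaddr` can really be NULL here (it appears to come from a page mapping outside the hunk), test it before the assignment, e.g. `if (unlikely(!kaddr)) goto err_out;` ahead of `ia = ...`, and leave the range check as it was. The enclosing function starts and ends outside the hunk.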
32795 diff -urNp linux-2.6.37/fs/ntfs/file.c linux-2.6.37/fs/ntfs/file.c
32796 --- linux-2.6.37/fs/ntfs/file.c 2011-01-04 19:50:19.000000000 -0500
32797 +++ linux-2.6.37/fs/ntfs/file.c 2011-01-17 02:41:01.000000000 -0500
32798 @@ -2223,6 +2223,6 @@ const struct inode_operations ntfs_file_
32799 #endif /* NTFS_RW */
32800 };
32801
32802 -const struct file_operations ntfs_empty_file_ops = {};
32803 +const struct file_operations ntfs_empty_file_ops __read_only;
32804
32805 -const struct inode_operations ntfs_empty_inode_ops = {};
32806 +const struct inode_operations ntfs_empty_inode_ops __read_only;
32807 diff -urNp linux-2.6.37/fs/ocfs2/localalloc.c linux-2.6.37/fs/ocfs2/localalloc.c
32808 --- linux-2.6.37/fs/ocfs2/localalloc.c 2011-01-04 19:50:19.000000000 -0500
32809 +++ linux-2.6.37/fs/ocfs2/localalloc.c 2011-01-17 02:41:01.000000000 -0500
32810 @@ -1307,7 +1307,7 @@ static int ocfs2_local_alloc_slide_windo
32811 goto bail;
32812 }
32813
32814 - atomic_inc(&osb->alloc_stats.moves);
32815 + atomic_inc_unchecked(&osb->alloc_stats.moves);
32816
32817 bail:
32818 if (handle)
32819 diff -urNp linux-2.6.37/fs/ocfs2/ocfs2.h linux-2.6.37/fs/ocfs2/ocfs2.h
32820 --- linux-2.6.37/fs/ocfs2/ocfs2.h 2011-01-04 19:50:19.000000000 -0500
32821 +++ linux-2.6.37/fs/ocfs2/ocfs2.h 2011-01-17 02:41:01.000000000 -0500
32822 @@ -230,11 +230,11 @@ enum ocfs2_vol_state
32823
32824 struct ocfs2_alloc_stats
32825 {
32826 - atomic_t moves;
32827 - atomic_t local_data;
32828 - atomic_t bitmap_data;
32829 - atomic_t bg_allocs;
32830 - atomic_t bg_extends;
32831 + atomic_unchecked_t moves;
32832 + atomic_unchecked_t local_data;
32833 + atomic_unchecked_t bitmap_data;
32834 + atomic_unchecked_t bg_allocs;
32835 + atomic_unchecked_t bg_extends;
32836 };
32837
32838 enum ocfs2_local_alloc_state
32839 diff -urNp linux-2.6.37/fs/ocfs2/suballoc.c linux-2.6.37/fs/ocfs2/suballoc.c
32840 --- linux-2.6.37/fs/ocfs2/suballoc.c 2011-01-04 19:50:19.000000000 -0500
32841 +++ linux-2.6.37/fs/ocfs2/suballoc.c 2011-01-17 02:41:01.000000000 -0500
32842 @@ -877,7 +877,7 @@ static int ocfs2_reserve_suballoc_bits(s
32843 mlog_errno(status);
32844 goto bail;
32845 }
32846 - atomic_inc(&osb->alloc_stats.bg_extends);
32847 + atomic_inc_unchecked(&osb->alloc_stats.bg_extends);
32848
32849 /* You should never ask for this much metadata */
32850 BUG_ON(bits_wanted >
32851 @@ -2012,7 +2012,7 @@ int ocfs2_claim_metadata(handle_t *handl
32852 mlog_errno(status);
32853 goto bail;
32854 }
32855 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
32856 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
32857
32858 *suballoc_loc = res.sr_bg_blkno;
32859 *suballoc_bit_start = res.sr_bit_offset;
32860 @@ -2219,7 +2219,7 @@ int ocfs2_claim_new_inode(handle_t *hand
32861 mlog_errno(status);
32862 goto bail;
32863 }
32864 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
32865 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
32866
32867 BUG_ON(res.sr_bits != 1);
32868
32869 @@ -2324,7 +2324,7 @@ int __ocfs2_claim_clusters(handle_t *han
32870 cluster_start,
32871 num_clusters);
32872 if (!status)
32873 - atomic_inc(&osb->alloc_stats.local_data);
32874 + atomic_inc_unchecked(&osb->alloc_stats.local_data);
32875 } else {
32876 if (min_clusters > (osb->bitmap_cpg - 1)) {
32877 /* The only paths asking for contiguousness
32878 @@ -2350,7 +2350,7 @@ int __ocfs2_claim_clusters(handle_t *han
32879 ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
32880 res.sr_bg_blkno,
32881 res.sr_bit_offset);
32882 - atomic_inc(&osb->alloc_stats.bitmap_data);
32883 + atomic_inc_unchecked(&osb->alloc_stats.bitmap_data);
32884 *num_clusters = res.sr_bits;
32885 }
32886 }
32887 diff -urNp linux-2.6.37/fs/ocfs2/super.c linux-2.6.37/fs/ocfs2/super.c
32888 --- linux-2.6.37/fs/ocfs2/super.c 2011-01-04 19:50:19.000000000 -0500
32889 +++ linux-2.6.37/fs/ocfs2/super.c 2011-01-17 02:41:01.000000000 -0500
32890 @@ -297,11 +297,11 @@ static int ocfs2_osb_dump(struct ocfs2_s
32891 "%10s => GlobalAllocs: %d LocalAllocs: %d "
32892 "SubAllocs: %d LAWinMoves: %d SAExtends: %d\n",
32893 "Stats",
32894 - atomic_read(&osb->alloc_stats.bitmap_data),
32895 - atomic_read(&osb->alloc_stats.local_data),
32896 - atomic_read(&osb->alloc_stats.bg_allocs),
32897 - atomic_read(&osb->alloc_stats.moves),
32898 - atomic_read(&osb->alloc_stats.bg_extends));
32899 + atomic_read_unchecked(&osb->alloc_stats.bitmap_data),
32900 + atomic_read_unchecked(&osb->alloc_stats.local_data),
32901 + atomic_read_unchecked(&osb->alloc_stats.bg_allocs),
32902 + atomic_read_unchecked(&osb->alloc_stats.moves),
32903 + atomic_read_unchecked(&osb->alloc_stats.bg_extends));
32904
32905 out += snprintf(buf + out, len - out,
32906 "%10s => State: %u Descriptor: %llu Size: %u bits "
32907 @@ -2122,11 +2122,11 @@ static int ocfs2_initialize_super(struct
32908 spin_lock_init(&osb->osb_xattr_lock);
32909 ocfs2_init_steal_slots(osb);
32910
32911 - atomic_set(&osb->alloc_stats.moves, 0);
32912 - atomic_set(&osb->alloc_stats.local_data, 0);
32913 - atomic_set(&osb->alloc_stats.bitmap_data, 0);
32914 - atomic_set(&osb->alloc_stats.bg_allocs, 0);
32915 - atomic_set(&osb->alloc_stats.bg_extends, 0);
32916 + atomic_set_unchecked(&osb->alloc_stats.moves, 0);
32917 + atomic_set_unchecked(&osb->alloc_stats.local_data, 0);
32918 + atomic_set_unchecked(&osb->alloc_stats.bitmap_data, 0);
32919 + atomic_set_unchecked(&osb->alloc_stats.bg_allocs, 0);
32920 + atomic_set_unchecked(&osb->alloc_stats.bg_extends, 0);
32921
32922 /* Copy the blockcheck stats from the superblock probe */
32923 osb->osb_ecc_stats = *stats;
32924 diff -urNp linux-2.6.37/fs/ocfs2/symlink.c linux-2.6.37/fs/ocfs2/symlink.c
32925 --- linux-2.6.37/fs/ocfs2/symlink.c 2011-01-04 19:50:19.000000000 -0500
32926 +++ linux-2.6.37/fs/ocfs2/symlink.c 2011-01-17 02:41:01.000000000 -0500
32927 @@ -148,7 +148,7 @@ bail:
32928
32929 static void ocfs2_fast_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
32930 {
32931 - char *link = nd_get_link(nd);
32932 + const char *link = nd_get_link(nd);
32933 if (!IS_ERR(link))
32934 kfree(link);
32935 }
32936 diff -urNp linux-2.6.37/fs/open.c linux-2.6.37/fs/open.c
32937 --- linux-2.6.37/fs/open.c 2011-01-04 19:50:19.000000000 -0500
32938 +++ linux-2.6.37/fs/open.c 2011-01-17 02:49:14.000000000 -0500
32939 @@ -112,6 +112,10 @@ static long do_sys_truncate(const char _
32940 error = locks_verify_truncate(inode, NULL, length);
32941 if (!error)
32942 error = security_path_truncate(&path);
32943 +
32944 + if (!error && !gr_acl_handle_truncate(path.dentry, path.mnt))
32945 + error = -EACCES;
32946 +
32947 if (!error)
32948 error = do_truncate(path.dentry, length, 0, NULL);
32949
32950 @@ -345,6 +349,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, con
32951 if (__mnt_is_readonly(path.mnt))
32952 res = -EROFS;
32953
32954 + if (!res && !gr_acl_handle_access(path.dentry, path.mnt, mode))
32955 + res = -EACCES;
32956 +
32957 out_path_release:
32958 path_put(&path);
32959 out:
32960 @@ -371,6 +378,8 @@ SYSCALL_DEFINE1(chdir, const char __user
32961 if (error)
32962 goto dput_and_out;
32963
32964 + gr_log_chdir(path.dentry, path.mnt);
32965 +
32966 set_fs_pwd(current->fs, &path);
32967
32968 dput_and_out:
32969 @@ -397,6 +406,13 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd
32970 goto out_putf;
32971
32972 error = inode_permission(inode, MAY_EXEC | MAY_CHDIR);
32973 +
32974 + if (!error && !gr_chroot_fchdir(file->f_path.dentry, file->f_path.mnt))
32975 + error = -EPERM;
32976 +
32977 + if (!error)
32978 + gr_log_chdir(file->f_path.dentry, file->f_path.mnt);
32979 +
32980 if (!error)
32981 set_fs_pwd(current->fs, &file->f_path);
32982 out_putf:
32983 @@ -425,7 +441,18 @@ SYSCALL_DEFINE1(chroot, const char __use
32984 if (error)
32985 goto dput_and_out;
32986
32987 + if (gr_handle_chroot_chroot(path.dentry, path.mnt))
32988 + goto dput_and_out;
32989 +
32990 + if (gr_handle_chroot_caps(&path)) {
32991 + error = -ENOMEM;
32992 + goto dput_and_out;
32993 + }
32994 +
32995 set_fs_root(current->fs, &path);
32996 +
32997 + gr_handle_chroot_chdir(&path);
32998 +
32999 error = 0;
33000 dput_and_out:
33001 path_put(&path);
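Review bot: On the `gr_handle_chroot_chroot` denial path the helper's result is discarded and `error` is not assigned; the `if (error) goto dput_and_out;` just above guarantees `error` is still 0 at that point, so a refused chroot jumps to `dput_and_out` and the syscall reports success without having changed the root. Either keep the helper's value if it yields a negative errno, `error = gr_handle_chroot_chroot(path.dentry, path.mnt); if (error) goto dput_and_out;`, or set `error = -EPERM;` before the goto the way the `gr_handle_chroot_caps` branch below sets -ENOMEM. The function's head is outside the hunk.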
33002 @@ -453,12 +480,25 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
33003 err = mnt_want_write_file(file);
33004 if (err)
33005 goto out_putf;
33006 +
33007 mutex_lock(&inode->i_mutex);
33008 +
33009 + if (!gr_acl_handle_fchmod(dentry, file->f_vfsmnt, mode)) {
33010 + err = -EACCES;
33011 + goto out_unlock;
33012 + }
33013 +
33014 err = security_path_chmod(dentry, file->f_vfsmnt, mode);
33015 if (err)
33016 goto out_unlock;
33017 if (mode == (mode_t) -1)
33018 mode = inode->i_mode;
33019 +
33020 + if (gr_handle_chroot_chmod(dentry, file->f_vfsmnt, mode)) {
33021 + err = -EACCES;
33022 + goto out_unlock;
33023 + }
33024 +
33025 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
33026 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
33027 err = notify_change(dentry, &newattrs);
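Review bot: `gr_acl_handle_fchmod` is called with the raw `mode` argument, before the `(mode_t) -1` "keep current mode" sentinel is replaced by `inode->i_mode` two statements later, so that request presents an all-bits-set mode to the ACL hook while `gr_handle_chroot_chmod` sees the resolved one. If the ACL helper inspects individual permission bits this can reject or misclassify a chmod that changes nothing; moving the call below the `mode == (mode_t) -1` resolution, next to the chroot check, gives both hooks the same value. The same ordering appears in the fchmodat hunk that follows. fchmod's declarations are outside the hunk.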
33028 @@ -486,12 +526,25 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
33029 error = mnt_want_write(path.mnt);
33030 if (error)
33031 goto dput_and_out;
33032 +
33033 mutex_lock(&inode->i_mutex);
33034 +
33035 + if (!gr_acl_handle_chmod(path.dentry, path.mnt, mode)) {
33036 + error = -EACCES;
33037 + goto out_unlock;
33038 + }
33039 +
33040 error = security_path_chmod(path.dentry, path.mnt, mode);
33041 if (error)
33042 goto out_unlock;
33043 if (mode == (mode_t) -1)
33044 mode = inode->i_mode;
33045 +
33046 + if (gr_handle_chroot_chmod(path.dentry, path.mnt, mode)) {
33047 + error = -EACCES;
33048 + goto out_unlock;
33049 + }
33050 +
33051 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
33052 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
33053 error = notify_change(path.dentry, &newattrs);
33054 @@ -515,6 +568,9 @@ static int chown_common(struct path *pat
33055 int error;
33056 struct iattr newattrs;
33057
33058 + if (!gr_acl_handle_chown(path->dentry, path->mnt))
33059 + return -EACCES;
33060 +
33061 newattrs.ia_valid = ATTR_CTIME;
33062 if (user != (uid_t) -1) {
33063 newattrs.ia_valid |= ATTR_UID;
33064 @@ -883,7 +939,10 @@ long do_sys_open(int dfd, const char __u
33065 if (!IS_ERR(tmp)) {
33066 fd = get_unused_fd_flags(flags);
33067 if (fd >= 0) {
33068 - struct file *f = do_filp_open(dfd, tmp, flags, mode, 0);
33069 + struct file *f;
33070 + /* don't allow to be set by userland */
33071 + flags &= ~FMODE_GREXEC;
33072 + f = do_filp_open(dfd, tmp, flags, mode, 0);
33073 if (IS_ERR(f)) {
33074 put_unused_fd(fd);
33075 fd = PTR_ERR(f);
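Review bot: `flags &= ~FMODE_GREXEC;` masks an f_mode-namespace constant out of the O_* open flags, which is only correct if that bit value is unused among the O_* flags, and the one-line comment does not record this coupling; I would extend it to `/* FMODE_GREXEC is kernel-internal; clear it so userland cannot pass it via open flags (bit is unused by O_*) */`. The mask is also applied after `get_unused_fd_flags(flags)` has already seen the unmasked value; clearing it at the top of do_sys_open would remove any question of which callees observe it. The function starts and ends outside the hunk.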
33076 diff -urNp linux-2.6.37/fs/pipe.c linux-2.6.37/fs/pipe.c
33077 --- linux-2.6.37/fs/pipe.c 2011-01-04 19:50:19.000000000 -0500
33078 +++ linux-2.6.37/fs/pipe.c 2011-01-17 02:41:01.000000000 -0500
33079 @@ -420,9 +420,9 @@ redo:
33080 }
33081 if (bufs) /* More to do? */
33082 continue;
33083 - if (!pipe->writers)
33084 + if (!atomic_read(&pipe->writers))
33085 break;
33086 - if (!pipe->waiting_writers) {
33087 + if (!atomic_read(&pipe->waiting_writers)) {
33088 /* syscall merging: Usually we must not sleep
33089 * if O_NONBLOCK is set, or if we got some data.
33090 * But if a writer sleeps in kernel space, then
33091 @@ -481,7 +481,7 @@ pipe_write(struct kiocb *iocb, const str
33092 mutex_lock(&inode->i_mutex);
33093 pipe = inode->i_pipe;
33094
33095 - if (!pipe->readers) {
33096 + if (!atomic_read(&pipe->readers)) {
33097 send_sig(SIGPIPE, current, 0);
33098 ret = -EPIPE;
33099 goto out;
33100 @@ -530,7 +530,7 @@ redo1:
33101 for (;;) {
33102 int bufs;
33103
33104 - if (!pipe->readers) {
33105 + if (!atomic_read(&pipe->readers)) {
33106 send_sig(SIGPIPE, current, 0);
33107 if (!ret)
33108 ret = -EPIPE;
33109 @@ -616,9 +616,9 @@ redo2:
33110 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
33111 do_wakeup = 0;
33112 }
33113 - pipe->waiting_writers++;
33114 + atomic_inc(&pipe->waiting_writers);
33115 pipe_wait(pipe);
33116 - pipe->waiting_writers--;
33117 + atomic_dec(&pipe->waiting_writers);
33118 }
33119 out:
33120 mutex_unlock(&inode->i_mutex);
33121 @@ -685,7 +685,7 @@ pipe_poll(struct file *filp, poll_table
33122 mask = 0;
33123 if (filp->f_mode & FMODE_READ) {
33124 mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
33125 - if (!pipe->writers && filp->f_version != pipe->w_counter)
33126 + if (!atomic_read(&pipe->writers) && filp->f_version != pipe->w_counter)
33127 mask |= POLLHUP;
33128 }
33129
33130 @@ -695,7 +695,7 @@ pipe_poll(struct file *filp, poll_table
33131 * Most Unices do not set POLLERR for FIFOs but on Linux they
33132 * behave exactly like pipes for poll().
33133 */
33134 - if (!pipe->readers)
33135 + if (!atomic_read(&pipe->readers))
33136 mask |= POLLERR;
33137 }
33138
33139 @@ -709,10 +709,10 @@ pipe_release(struct inode *inode, int de
33140
33141 mutex_lock(&inode->i_mutex);
33142 pipe = inode->i_pipe;
33143 - pipe->readers -= decr;
33144 - pipe->writers -= decw;
33145 + atomic_sub(decr, &pipe->readers);
33146 + atomic_sub(decw, &pipe->writers);
33147
33148 - if (!pipe->readers && !pipe->writers) {
33149 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers)) {
33150 free_pipe_info(inode);
33151 } else {
33152 wake_up_interruptible_sync(&pipe->wait);
33153 @@ -802,7 +802,7 @@ pipe_read_open(struct inode *inode, stru
33154
33155 if (inode->i_pipe) {
33156 ret = 0;
33157 - inode->i_pipe->readers++;
33158 + atomic_inc(&inode->i_pipe->readers);
33159 }
33160
33161 mutex_unlock(&inode->i_mutex);
33162 @@ -819,7 +819,7 @@ pipe_write_open(struct inode *inode, str
33163
33164 if (inode->i_pipe) {
33165 ret = 0;
33166 - inode->i_pipe->writers++;
33167 + atomic_inc(&inode->i_pipe->writers);
33168 }
33169
33170 mutex_unlock(&inode->i_mutex);
33171 @@ -837,9 +837,9 @@ pipe_rdwr_open(struct inode *inode, stru
33172 if (inode->i_pipe) {
33173 ret = 0;
33174 if (filp->f_mode & FMODE_READ)
33175 - inode->i_pipe->readers++;
33176 + atomic_inc(&inode->i_pipe->readers);
33177 if (filp->f_mode & FMODE_WRITE)
33178 - inode->i_pipe->writers++;
33179 + atomic_inc(&inode->i_pipe->writers);
33180 }
33181
33182 mutex_unlock(&inode->i_mutex);
33183 @@ -931,7 +931,7 @@ void free_pipe_info(struct inode *inode)
33184 inode->i_pipe = NULL;
33185 }
33186
33187 -static struct vfsmount *pipe_mnt __read_mostly;
33188 +struct vfsmount *pipe_mnt __read_mostly;
33189
33190 /*
33191 * pipefs_dname() is called from d_path().
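Review bot: Dropping `static` from `pipe_mnt` makes it a global with no declaration visible in this file; unless a header now carries `extern struct vfsmount *pipe_mnt;`, the out-of-file user and this definition are not type-checked against each other. If such a declaration is added in another hunk, a short comment here naming the external user would tell the next reader why a pipefs-private mount pointer is exported.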
33192 @@ -961,7 +961,8 @@ static struct inode * get_pipe_inode(voi
33193 goto fail_iput;
33194 inode->i_pipe = pipe;
33195
33196 - pipe->readers = pipe->writers = 1;
33197 + atomic_set(&pipe->readers, 1);
33198 + atomic_set(&pipe->writers, 1);
33199 inode->i_fop = &rdwr_pipefifo_fops;
33200
33201 /*
33202 diff -urNp linux-2.6.37/fs/proc/array.c linux-2.6.37/fs/proc/array.c
33203 --- linux-2.6.37/fs/proc/array.c 2011-01-04 19:50:19.000000000 -0500
33204 +++ linux-2.6.37/fs/proc/array.c 2011-01-17 02:41:01.000000000 -0500
33205 @@ -60,6 +60,7 @@
33206 #include <linux/tty.h>
33207 #include <linux/string.h>
33208 #include <linux/mman.h>
33209 +#include <linux/grsecurity.h>
33210 #include <linux/proc_fs.h>
33211 #include <linux/ioport.h>
33212 #include <linux/uaccess.h>
33213 @@ -337,6 +338,21 @@ static void task_cpus_allowed(struct seq
33214 seq_printf(m, "\n");
33215 }
33216
33217 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
33218 +static inline void task_pax(struct seq_file *m, struct task_struct *p)
33219 +{
33220 + if (p->mm)
33221 + seq_printf(m, "PaX:\t%c%c%c%c%c\n",
33222 + p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
33223 + p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
33224 + p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
33225 + p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
33226 + p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
33227 + else
33228 + seq_printf(m, "PaX:\t-----\n");
33229 +}
33230 +#endif
33231 +
33232 int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
33233 struct pid *pid, struct task_struct *task)
33234 {
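Review bot: `task_pax` dereferences `p->mm` five times after a single NULL test and without taking a reference; `p->mm` can be cleared concurrently when the task exits, so the check-then-use window can hit a NULL or released mm. The other per-task readers in this file go through `get_task_mm()`/`mmput()`; doing the same and reading `pax_flags` once keeps the output identical while closing the window. The `unsigned long` type of the local is assumed from how the flags are tested — confirm against the mm_struct definition.
```c
static inline void task_pax(struct seq_file *m, struct task_struct *p)
{
	struct mm_struct *mm = get_task_mm(p);

	if (mm) {
		unsigned long flags = mm->pax_flags;

		mmput(mm);
		seq_printf(m, "PaX:\t%c%c%c%c%c\n",
			   flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
			   flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
			   flags & MF_PAX_MPROTECT ? 'M' : 'm',
			   flags & MF_PAX_RANDMMAP ? 'R' : 'r',
			   flags & MF_PAX_SEGMEXEC ? 'S' : 's');
	} else
		seq_printf(m, "PaX:\t-----\n");
}
```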
33235 @@ -357,9 +373,24 @@ int proc_pid_status(struct seq_file *m,
33236 task_show_regs(m, task);
33237 #endif
33238 task_context_switch_counts(m, task);
33239 +
33240 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
33241 + task_pax(m, task);
33242 +#endif
33243 +
33244 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
33245 + task_grsec_rbac(m, task);
33246 +#endif
33247 +
33248 return 0;
33249 }
33250
33251 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33252 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
33253 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
33254 + _mm->pax_flags & MF_PAX_SEGMEXEC))
33255 +#endif
33256 +
33257 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
33258 struct pid *pid, struct task_struct *task, int whole)
33259 {
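Review bot: The `PAX_RAND_FLAGS(_mm)` macro defined here is repeated verbatim in the fs/proc/base.c hunk before `proc_pid_auxv`; two copies of a predicate that decides what /proc exposes will drift apart. fs/proc/internal.h is already touched by this patch and is the natural single home for it. Independently, the expansion evaluates `_mm` up to four times and mixes `&` with `||` without grouping; a `static inline bool pax_rand_flags(const struct mm_struct *mm)` would give type checking and read more easily.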
33260 @@ -452,6 +483,19 @@ static int do_task_stat(struct seq_file
33261 gtime = task->gtime;
33262 }
33263
33264 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33265 + if (PAX_RAND_FLAGS(mm)) {
33266 + eip = 0;
33267 + esp = 0;
33268 + wchan = 0;
33269 + }
33270 +#endif
33271 +#ifdef CONFIG_GRKERNSEC_HIDESYM
33272 + wchan = 0;
33273 + eip =0;
33274 + esp =0;
33275 +#endif
33276 +
33277 /* scale priority and nice values from timeslices to -20..20 */
33278 /* to make it look like a "normal" Unix priority/nice value */
33279 priority = task_prio(task);
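Review bot: `eip =0;` and `esp =0;` in the CONFIG_GRKERNSEC_HIDESYM block break the `x = 0;` spacing used three lines above them in the PROC_MEMMAP block; `eip = 0;` / `esp = 0;`. When both options are enabled the HIDESYM block also makes the preceding conditional zeroing redundant, which a one-line comment such as `/* HIDESYM overrides the per-mm check above */` would make explicit.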
33280 @@ -492,9 +536,15 @@ static int do_task_stat(struct seq_file
33281 vsize,
33282 mm ? get_mm_rss(mm) : 0,
33283 rsslim,
33284 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33285 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->start_code : 0),
33286 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->end_code : 0),
33287 + PAX_RAND_FLAGS(mm) ? 0 : ((permitted && mm) ? mm->start_stack : 0),
33288 +#else
33289 mm ? mm->start_code : 0,
33290 mm ? mm->end_code : 0,
33291 (permitted && mm) ? mm->start_stack : 0,
33292 +#endif
33293 esp,
33294 eip,
33295 /* The signal information here is obsolete.
33296 @@ -547,3 +597,10 @@ int proc_pid_statm(struct seq_file *m, s
33297
33298 return 0;
33299 }
33300 +
33301 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
33302 +int proc_pid_ipaddr(struct task_struct *task, char *buffer)
33303 +{
33304 + return sprintf(buffer, "%pI4\n", &task->signal->curr_ip);
33305 +}
33306 +#endif
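Review bot: `proc_pid_ipaddr` formats into `buffer` with an unbounded `sprintf`; the INF() callbacks are presumably handed a page-sized buffer and `%pI4` output is short, so this is safe in practice, but the bound is implicit. `return snprintf(buffer, PAGE_SIZE, "%pI4\n", &task->signal->curr_ip);` states the contract at no cost, and a one-line comment on what `curr_ip` records (the field is not visible in this hunk) would help readers of the new /proc entry.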
33307 diff -urNp linux-2.6.37/fs/proc/base.c linux-2.6.37/fs/proc/base.c
33308 --- linux-2.6.37/fs/proc/base.c 2011-01-04 19:50:19.000000000 -0500
33309 +++ linux-2.6.37/fs/proc/base.c 2011-01-17 02:41:01.000000000 -0500
33310 @@ -104,6 +104,22 @@ struct pid_entry {
33311 union proc_op op;
33312 };
33313
33314 +struct getdents_callback {
33315 + struct linux_dirent __user * current_dir;
33316 + struct linux_dirent __user * previous;
33317 + struct file * file;
33318 + int count;
33319 + int error;
33320 +};
33321 +
33322 +static int gr_fake_filldir(void * __buf, const char *name, int namlen,
33323 + loff_t offset, u64 ino, unsigned int d_type)
33324 +{
33325 + struct getdents_callback * buf = (struct getdents_callback *) __buf;
33326 + buf->error = -EINVAL;
33327 + return 0;
33328 +}
33329 +
33330 #define NOD(NAME, MODE, IOP, FOP, OP) { \
33331 .name = (NAME), \
33332 .len = sizeof(NAME) - 1, \
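Review bot: `gr_fake_filldir` casts the opaque `__buf` to a locally re-declared `struct getdents_callback` and writes `buf->error`; that is a copy of a private structure from fs/readdir.c, and the cast is valid only when the filldir caller passed exactly that layout. Other readdir entry points use their own callback structs, so unless those were given an identical layout elsewhere in this patch the store lands at a different offset. At minimum a comment tying this definition to its origin is needed, `/* must stay in sync with struct getdents_callback in fs/readdir.c */`; better is a helper exported from fs/readdir.c that sets the error, so the layout is not duplicated here.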
33333 @@ -203,6 +219,9 @@ static int check_mem_permission(struct t
33334 if (task == current)
33335 return 0;
33336
33337 + if (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))
33338 + return -EPERM;
33339 +
33340 /*
33341 * If current is actively ptrace'ing, and would also be
33342 * permitted to freshly attach with ptrace now, permit it.
33343 @@ -250,6 +269,9 @@ static int proc_pid_cmdline(struct task_
33344 if (!mm->arg_end)
33345 goto out_mm; /* Shh! No looking before we're done */
33346
33347 + if (gr_acl_handle_procpidmem(task))
33348 + goto out_mm;
33349 +
33350 len = mm->arg_end - mm->arg_start;
33351
33352 if (len > PAGE_SIZE)
33353 @@ -277,12 +299,28 @@ out:
33354 return res;
33355 }
33356
33357 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33358 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
33359 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
33360 + _mm->pax_flags & MF_PAX_SEGMEXEC))
33361 +#endif
33362 +
33363 static int proc_pid_auxv(struct task_struct *task, char *buffer)
33364 {
33365 int res = 0;
33366 struct mm_struct *mm = get_task_mm(task);
33367 if (mm) {
33368 unsigned int nwords = 0;
33369 +
33370 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33371 + /* allow if we're currently ptracing this task */
33372 + if (PAX_RAND_FLAGS(mm) &&
33373 + (!(task->ptrace & PT_PTRACED) || (task->parent != current))) {
33374 + mmput(mm);
33375 + return res;
33376 + }
33377 +#endif
33378 +
33379 do {
33380 nwords += 2;
33381 } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
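Review bot: The added gate reads `task->ptrace` and `task->parent` directly, without the tasklist/RCU protection the existing ptrace accessors take, and it admits only a tracer that is also the direct parent. If the intent is "allow when the reader is attached as tracer", `ptrace_may_access(task, PTRACE_MODE_READ)`, which this file already uses in environ_read, is the established way to express it and would be worth a comment either way. The `PAX_RAND_FLAGS` macro this relies on is a duplicate of the one in fs/proc/array.c from the same patch.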
33382 @@ -296,7 +334,7 @@ static int proc_pid_auxv(struct task_str
33383 }
33384
33385
33386 -#ifdef CONFIG_KALLSYMS
33387 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33388 /*
33389 * Provides a wchan file via kallsyms in a proper one-value-per-file format.
33390 * Returns the resolved symbol. If that fails, simply return the address.
33391 @@ -318,7 +356,7 @@ static int proc_pid_wchan(struct task_st
33392 }
33393 #endif /* CONFIG_KALLSYMS */
33394
33395 -#ifdef CONFIG_STACKTRACE
33396 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33397
33398 #define MAX_STACK_TRACE_DEPTH 64
33399
33400 @@ -509,7 +547,7 @@ static int proc_pid_limits(struct task_s
33401 return count;
33402 }
33403
33404 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
33405 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
33406 static int proc_pid_syscall(struct task_struct *task, char *buffer)
33407 {
33408 long nr;
33409 @@ -930,6 +968,9 @@ static ssize_t environ_read(struct file
33410 if (!task)
33411 goto out_no_task;
33412
33413 + if (gr_acl_handle_procpidmem(task))
33414 + goto out;
33415 +
33416 if (!ptrace_may_access(task, PTRACE_MODE_READ))
33417 goto out;
33418
33419 @@ -1663,7 +1704,11 @@ static struct inode *proc_pid_make_inode
33420 rcu_read_lock();
33421 cred = __task_cred(task);
33422 inode->i_uid = cred->euid;
33423 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33424 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
33425 +#else
33426 inode->i_gid = cred->egid;
33427 +#endif
33428 rcu_read_unlock();
33429 }
33430 security_task_to_inode(task, inode);
33431 @@ -1681,6 +1726,9 @@ static int pid_getattr(struct vfsmount *
33432 struct inode *inode = dentry->d_inode;
33433 struct task_struct *task;
33434 const struct cred *cred;
33435 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33436 + const struct cred *tmpcred = current_cred();
33437 +#endif
33438
33439 generic_fillattr(inode, stat);
33440
33441 @@ -1688,12 +1736,34 @@ static int pid_getattr(struct vfsmount *
33442 stat->uid = 0;
33443 stat->gid = 0;
33444 task = pid_task(proc_pid(inode), PIDTYPE_PID);
33445 +
33446 + if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
33447 + rcu_read_unlock();
33448 + return -ENOENT;
33449 + }
33450 +
33451 if (task) {
33452 + cred = __task_cred(task);
33453 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33454 + if (!tmpcred->uid || (tmpcred->uid == cred->uid)
33455 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33456 + || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
33457 +#endif
33458 + )
33459 +#endif
33460 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
33461 +#ifdef CONFIG_GRKERNSEC_PROC_USER
33462 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
33463 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33464 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
33465 +#endif
33466 task_dumpable(task)) {
33467 - cred = __task_cred(task);
33468 stat->uid = cred->euid;
33469 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33470 + stat->gid = CONFIG_GRKERNSEC_PROC_GID;
33471 +#else
33472 stat->gid = cred->egid;
33473 +#endif
33474 }
33475 }
33476 rcu_read_unlock();
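Review bot: The conditionally compiled `if (!tmpcred->uid || ...)` at the top of the `if (task)` body has no braces and governs the following multi-line `if (...) { ... }` across three levels of `#if`; which statement it controls is only clear after preprocessing, and an `else` added later would bind unpredictably. Wrap the guarded statement in braces inside the same `#if` block, or fold the credential test into the existing condition as one more term so there is a single `if`. `pid_getattr`'s head is outside the hunk.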
33477 @@ -1725,11 +1795,20 @@ static int pid_revalidate(struct dentry
33478
33479 if (task) {
33480 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
33481 +#ifdef CONFIG_GRKERNSEC_PROC_USER
33482 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
33483 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33484 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
33485 +#endif
33486 task_dumpable(task)) {
33487 rcu_read_lock();
33488 cred = __task_cred(task);
33489 inode->i_uid = cred->euid;
33490 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33491 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
33492 +#else
33493 inode->i_gid = cred->egid;
33494 +#endif
33495 rcu_read_unlock();
33496 } else {
33497 inode->i_uid = 0;
33498 @@ -1850,7 +1929,8 @@ static int proc_fd_info(struct inode *in
33499 int fd = proc_fd(inode);
33500
33501 if (task) {
33502 - files = get_files_struct(task);
33503 + if (!gr_acl_handle_procpidmem(task))
33504 + files = get_files_struct(task);
33505 put_task_struct(task);
33506 }
33507 if (files) {
33508 @@ -2104,12 +2184,22 @@ static const struct file_operations proc
33509 static int proc_fd_permission(struct inode *inode, int mask)
33510 {
33511 int rv;
33512 + struct task_struct *task;
33513
33514 rv = generic_permission(inode, mask, NULL);
33515 - if (rv == 0)
33516 - return 0;
33517 +
33518 if (task_pid(current) == proc_pid(inode))
33519 rv = 0;
33520 +
33521 + task = get_proc_task(inode);
33522 + if (task == NULL)
33523 + return rv;
33524 +
33525 + if (gr_acl_handle_procpidmem(task))
33526 + rv = -EACCES;
33527 +
33528 + put_task_struct(task);
33529 +
33530 return rv;
33531 }
33532
33533 @@ -2219,6 +2309,9 @@ static struct dentry *proc_pident_lookup
33534 if (!task)
33535 goto out_no_task;
33536
33537 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
33538 + goto out;
33539 +
33540 /*
33541 * Yes, it does not scale. And it should not. Don't add
33542 * new entries into /proc/<tgid>/ without very good reasons.
33543 @@ -2263,6 +2356,9 @@ static int proc_pident_readdir(struct fi
33544 if (!task)
33545 goto out_no_task;
33546
33547 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
33548 + goto out;
33549 +
33550 ret = 0;
33551 i = filp->f_pos;
33552 switch (i) {
33553 @@ -2533,7 +2629,7 @@ static void *proc_self_follow_link(struc
33554 static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd,
33555 void *cookie)
33556 {
33557 - char *s = nd_get_link(nd);
33558 + const char *s = nd_get_link(nd);
33559 if (!IS_ERR(s))
33560 __putname(s);
33561 }
33562 @@ -2734,7 +2830,7 @@ static const struct pid_entry tgid_base_
33563 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
33564 #endif
33565 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
33566 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
33567 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
33568 INF("syscall", S_IRUSR, proc_pid_syscall),
33569 #endif
33570 INF("cmdline", S_IRUGO, proc_pid_cmdline),
33571 @@ -2759,10 +2855,10 @@ static const struct pid_entry tgid_base_
33572 #ifdef CONFIG_SECURITY
33573 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
33574 #endif
33575 -#ifdef CONFIG_KALLSYMS
33576 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33577 INF("wchan", S_IRUGO, proc_pid_wchan),
33578 #endif
33579 -#ifdef CONFIG_STACKTRACE
33580 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33581 ONE("stack", S_IRUSR, proc_pid_stack),
33582 #endif
33583 #ifdef CONFIG_SCHEDSTATS
33584 @@ -2793,6 +2889,9 @@ static const struct pid_entry tgid_base_
33585 #ifdef CONFIG_TASK_IO_ACCOUNTING
33586 INF("io", S_IRUGO, proc_tgid_io_accounting),
33587 #endif
33588 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
33589 + INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
33590 +#endif
33591 };
33592
33593 static int proc_tgid_base_readdir(struct file * filp,
33594 @@ -2918,7 +3017,14 @@ static struct dentry *proc_pid_instantia
33595 if (!inode)
33596 goto out;
33597
33598 +#ifdef CONFIG_GRKERNSEC_PROC_USER
33599 + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
33600 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33601 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
33602 + inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
33603 +#else
33604 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
33605 +#endif
33606 inode->i_op = &proc_tgid_base_inode_operations;
33607 inode->i_fop = &proc_tgid_base_operations;
33608 inode->i_flags|=S_IMMUTABLE;
33609 @@ -2960,7 +3066,11 @@ struct dentry *proc_pid_lookup(struct in
33610 if (!task)
33611 goto out;
33612
33613 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
33614 + goto out_put_task;
33615 +
33616 result = proc_pid_instantiate(dir, dentry, task, NULL);
33617 +out_put_task:
33618 put_task_struct(task);
33619 out:
33620 return result;
33621 @@ -3025,6 +3135,11 @@ int proc_pid_readdir(struct file * filp,
33622 {
33623 unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
33624 struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
33625 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33626 + const struct cred *tmpcred = current_cred();
33627 + const struct cred *itercred;
33628 +#endif
33629 + filldir_t __filldir = filldir;
33630 struct tgid_iter iter;
33631 struct pid_namespace *ns;
33632
33633 @@ -3043,8 +3158,27 @@ int proc_pid_readdir(struct file * filp,
33634 for (iter = next_tgid(ns, iter);
33635 iter.task;
33636 iter.tgid += 1, iter = next_tgid(ns, iter)) {
33637 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33638 + rcu_read_lock();
33639 + itercred = __task_cred(iter.task);
33640 +#endif
33641 + if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
33642 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33643 + || (tmpcred->uid && (itercred->uid != tmpcred->uid)
33644 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33645 + && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
33646 +#endif
33647 + )
33648 +#endif
33649 + )
33650 + __filldir = &gr_fake_filldir;
33651 + else
33652 + __filldir = filldir;
33653 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33654 + rcu_read_unlock();
33655 +#endif
33656 filp->f_pos = iter.tgid + TGID_OFFSET;
33657 - if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
33658 + if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
33659 put_task_struct(iter.task);
33660 goto out;
33661 }
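Review bot: `__filldir` is a double-underscore identifier, which C reserves for the implementation and which the kernel uses for internal variants of a function rather than for locals; `active_filldir` avoids both issues. The visibility test itself spans eight lines and three nested `#if`s inside one condition; a `static bool gr_proc_task_visible(struct task_struct *task)` holding the `#if`s and the credential lookup would reduce the loop body to `active_filldir = gr_proc_task_visible(iter.task) ? filldir : &gr_fake_filldir;`. proc_pid_readdir's head is outside the hunk.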
33662 @@ -3071,7 +3205,7 @@ static const struct pid_entry tid_base_s
33663 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
33664 #endif
33665 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
33666 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
33667 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
33668 INF("syscall", S_IRUSR, proc_pid_syscall),
33669 #endif
33670 INF("cmdline", S_IRUGO, proc_pid_cmdline),
33671 @@ -3095,10 +3229,10 @@ static const struct pid_entry tid_base_s
33672 #ifdef CONFIG_SECURITY
33673 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
33674 #endif
33675 -#ifdef CONFIG_KALLSYMS
33676 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33677 INF("wchan", S_IRUGO, proc_pid_wchan),
33678 #endif
33679 -#ifdef CONFIG_STACKTRACE
33680 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33681 ONE("stack", S_IRUSR, proc_pid_stack),
33682 #endif
33683 #ifdef CONFIG_SCHEDSTATS
33684 diff -urNp linux-2.6.37/fs/proc/cmdline.c linux-2.6.37/fs/proc/cmdline.c
33685 --- linux-2.6.37/fs/proc/cmdline.c 2011-01-04 19:50:19.000000000 -0500
33686 +++ linux-2.6.37/fs/proc/cmdline.c 2011-01-17 02:41:01.000000000 -0500
33687 @@ -23,7 +23,11 @@ static const struct file_operations cmdl
33688
33689 static int __init proc_cmdline_init(void)
33690 {
33691 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
33692 + proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
33693 +#else
33694 proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
33695 +#endif
33696 return 0;
33697 }
33698 module_init(proc_cmdline_init);
33699 diff -urNp linux-2.6.37/fs/proc/devices.c linux-2.6.37/fs/proc/devices.c
33700 --- linux-2.6.37/fs/proc/devices.c 2011-01-04 19:50:19.000000000 -0500
33701 +++ linux-2.6.37/fs/proc/devices.c 2011-01-17 02:41:01.000000000 -0500
33702 @@ -64,7 +64,11 @@ static const struct file_operations proc
33703
33704 static int __init proc_devices_init(void)
33705 {
33706 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
33707 + proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
33708 +#else
33709 proc_create("devices", 0, NULL, &proc_devinfo_operations);
33710 +#endif
33711 return 0;
33712 }
33713 module_init(proc_devices_init);
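--- a/fs/proc/inode.c
+++ b/fs/proc/inode.c
@@ -425,7 +425,11 @@ struct inode *proc_get_inode(struct supe
 if (de->mode) {
 inode->i_mode = de->mode;
 inode->i_uid = de->uid;
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
+#else
 inode->i_gid = de->gid;
+#endif
 }
 if (de->size)
 inode->i_size = de->size;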
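Review bot: The CONFIG_GRKERNSEC_PROC_USERGROUP branch replaces `de->gid` for every proc_dir_entry that carries a mode, so an entry whose creator deliberately set its own gid is silently regrouped to CONFIG_GRKERNSEC_PROC_GID, and nothing in the hunk says that is intended. A one-line comment above the `#ifdef` would spare the next reader a detour, e.g. `/* PROC_USERGROUP: every mode-bearing proc entry belongs to the configured proc group, whatever de->gid says */`. proc_get_inode starts and ends outside this hunk.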
33729 diff -urNp linux-2.6.37/fs/proc/internal.h linux-2.6.37/fs/proc/internal.h
33730 --- linux-2.6.37/fs/proc/internal.h 2011-01-04 19:50:19.000000000 -0500
33731 +++ linux-2.6.37/fs/proc/internal.h 2011-01-17 02:41:01.000000000 -0500
33732 @@ -51,6 +51,9 @@ extern int proc_pid_status(struct seq_fi
33733 struct pid *pid, struct task_struct *task);
33734 extern int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
33735 struct pid *pid, struct task_struct *task);
33736 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
33737 +extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
33738 +#endif
33739 extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
33740
33741 extern const struct file_operations proc_maps_operations;
33742 diff -urNp linux-2.6.37/fs/proc/Kconfig linux-2.6.37/fs/proc/Kconfig
33743 --- linux-2.6.37/fs/proc/Kconfig 2011-01-04 19:50:19.000000000 -0500
33744 +++ linux-2.6.37/fs/proc/Kconfig 2011-01-17 02:41:01.000000000 -0500
33745 @@ -30,12 +30,12 @@ config PROC_FS
33746
33747 config PROC_KCORE
33748 bool "/proc/kcore support" if !ARM
33749 - depends on PROC_FS && MMU
33750 + depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
33751
33752 config PROC_VMCORE
33753 bool "/proc/vmcore support"
33754 - depends on PROC_FS && CRASH_DUMP
33755 - default y
33756 + depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
33757 + default n
33758 help
33759 Exports the dump image of crashed kernel in ELF format.
33760
33761 @@ -59,8 +59,8 @@ config PROC_SYSCTL
33762 limited in memory.
33763
33764 config PROC_PAGE_MONITOR
33765 - default y
33766 - depends on PROC_FS && MMU
33767 + default n
33768 + depends on PROC_FS && MMU && !GRKERNSEC
33769 bool "Enable /proc page monitoring" if EMBEDDED
33770 help
33771 Various /proc files exist to monitor process memory utilization:
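--- a/fs/proc/kcore.c
+++ b/fs/proc/kcore.c
@@ -478,9 +478,10 @@ read_kcore(struct file *file, char __use
 * the addresses in the elf_phdr on our list.
 */
 start = kc_offset_to_vaddr(*fpos - elf_buflen);
- if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen)
+ tsz = PAGE_SIZE - (start & ~PAGE_MASK);
+ if (tsz > buflen)
 tsz = buflen;
-
+
 while (buflen) {
 struct kcore_list *m;
 
@@ -509,20 +510,23 @@ read_kcore(struct file *file, char __use
 kfree(elf_buf);
 } else {
 if (kern_addr_valid(start)) {
- unsigned long n;
+ char *elf_buf;
+ mm_segment_t oldfs;
 
- n = copy_to_user(buffer, (char *)start, tsz);
- /*
- * We cannot distingush between fault on source
- * and fault on destination. When this happens
- * we clear too and hope it will trigger the
- * EFAULT again.
- */
- if (n) {
- if (clear_user(buffer + tsz - n,
- n))
+ elf_buf = kmalloc(tsz, GFP_KERNEL);
+ if (!elf_buf)
+ return -ENOMEM;
+ oldfs = get_fs();
+ set_fs(KERNEL_DS);
+ if (!__copy_from_user(elf_buf, (const void __user *)start, tsz)) {
+ set_fs(oldfs);
+ if (copy_to_user(buffer, elf_buf, tsz)) {
+ kfree(elf_buf);
 return -EFAULT;
+ }
 }
+ set_fs(oldfs);
+ kfree(elf_buf);
 } else {
 if (clear_user(buffer, tsz))
 return -EFAULT;
@@ -542,6 +546,9 @@ read_kcore(struct file *file, char __use
 
 static int open_kcore(struct inode *inode, struct file *filp)
 {
+#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
+ return -EPERM;
+#endif
 if (!capable(CAP_SYS_RAWIO))
 return -EPERM;
 if (kcore_need_update)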
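Review bot: In the second read_kcore hunk the `__copy_from_user` failure path falls through with the caller's buffer untouched, whereas the removed code called clear_user on the bytes it could not copy, so the read presumably advances past a chunk it never delivered (the loop bookkeeping is outside the hunk) and the caller sees whatever its buffer held before. Restoring `fs` before any user-space copy also lets the two `set_fs(oldfs)` calls collapse into one, and the per-iteration kmalloc could be hoisted since tsz never exceeds PAGE_SIZE (left out below to keep the change local). The inner `elf_buf` appears to shadow a variable of the same name used by the sibling branch (`kfree(elf_buf)` at the top of the hunk); if that is the function-scope header buffer, a distinct name would avoid confusion, please verify. read_kcore begins and ends outside these hunks.
```c
if (kern_addr_valid(start)) {
	char *elf_buf;
	mm_segment_t oldfs;
	unsigned long n;

	elf_buf = kmalloc(tsz, GFP_KERNEL);
	if (!elf_buf)
		return -ENOMEM;
	oldfs = get_fs();
	set_fs(KERNEL_DS);
	/* fault-safe read of kernel memory; n is the number of bytes not copied */
	n = __copy_from_user(elf_buf, (const void __user *)start, tsz);
	set_fs(oldfs);
	/* as before this change: a chunk we could not read is zeroed for the
	 * caller rather than silently skipped */
	if (n ? clear_user(buffer, tsz) : copy_to_user(buffer, elf_buf, tsz)) {
		kfree(elf_buf);
		return -EFAULT;
	}
	kfree(elf_buf);
} else {
```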
33833 diff -urNp linux-2.6.37/fs/proc/meminfo.c linux-2.6.37/fs/proc/meminfo.c
33834 --- linux-2.6.37/fs/proc/meminfo.c 2011-01-04 19:50:19.000000000 -0500
33835 +++ linux-2.6.37/fs/proc/meminfo.c 2011-01-17 02:41:01.000000000 -0500
33836 @@ -149,7 +149,7 @@ static int meminfo_proc_show(struct seq_
33837 vmi.used >> 10,
33838 vmi.largest_chunk >> 10
33839 #ifdef CONFIG_MEMORY_FAILURE
33840 - ,atomic_long_read(&mce_bad_pages) << (PAGE_SHIFT - 10)
33841 + ,atomic_long_read_unchecked(&mce_bad_pages) << (PAGE_SHIFT - 10)
33842 #endif
33843 );
33844
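--- a/fs/proc/nommu.c
+++ b/fs/proc/nommu.c
@@ -66,7 +66,7 @@ static int nommu_region_show(struct seq_
 if (len < 1)
 len = 1;
 seq_printf(m, "%*c", len, ' ');
- seq_path(m, &file->f_path, "");
+ seq_path(m, &file->f_path, "\n\\");
 }
 
 seq_putc(m, '\n');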
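Review bot: The new escape set `"\n\\"` passed to seq_path deserves a comment, because the reason is not visible at the call site: a file name containing a newline would otherwise break this one-line-per-region format and a parser would read the remainder as a separate entry, and escaping the backslash keeps the escaping itself unambiguous. Suggested comment above the call: `/* escape '\n' and '\\' so a file name cannot forge extra lines in this listing */`. The same change appears in task_mmu.c show_map_vma and task_nommu.c nommu_vma_show and would take the same comment. nommu_region_show starts outside this hunk.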
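--- a/fs/proc/proc_net.c
+++ b/fs/proc/proc_net.c
@@ -105,6 +105,17 @@ static struct net *get_proc_task_net(str
 struct task_struct *task;
 struct nsproxy *ns;
 struct net *net = NULL;
+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+ const struct cred *cred = current_cred();
+#endif
+
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+ if (cred->fsuid)
+ return net;
+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+ if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
+ return net;
+#endif
 
 rcu_read_lock();
 task = pid_task(proc_pid(dir), PIDTYPE_PID);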
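Review bot: Both new early returns in get_proc_task_net return `net`, which is only NULL because of the initializer three lines above; `return NULL;` states the intent directly and survives a later change to that initializer. It would also help to record what NULL means to the callers here, e.g. `/* callers treat NULL as "no such net namespace": hide it from unprivileged readers */`, if the callers do treat it as not-found as the name suggests; they are outside the hunk. The rest of get_proc_task_net lies outside the hunk as well.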
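--- a/fs/proc/proc_sysctl.c
+++ b/fs/proc/proc_sysctl.c
@@ -7,6 +7,8 @@
 #include <linux/security.h>
 #include "internal.h"
 
+extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
+
 static const struct dentry_operations proc_sys_dentry_operations;
 static const struct file_operations proc_sys_file_operations;
 static const struct inode_operations proc_sys_inode_operations;
@@ -111,6 +113,9 @@ static struct dentry *proc_sys_lookup(st
 if (!p)
 goto out;
 
+ if (gr_handle_sysctl(p, MAY_EXEC))
+ goto out;
+
 err = ERR_PTR(-ENOMEM);
 inode = proc_sys_make_inode(dir->i_sb, h ? h : head, p);
 if (h)
@@ -230,6 +235,9 @@ static int scan(struct ctl_table_header
 if (*pos < file->f_pos)
 continue;
 
+ if (gr_handle_sysctl(table, 0))
+ continue;
+
 res = proc_sys_fill_cache(file, dirent, filldir, head, table);
 if (res)
 return res;
@@ -355,6 +363,9 @@ static int proc_sys_getattr(struct vfsmo
 if (IS_ERR(head))
 return PTR_ERR(head);
 
+ if (table && gr_handle_sysctl(table, MAY_EXEC))
+ return -ENOENT;
+
 generic_fillattr(inode, stat);
 if (table)
 stat->mode = (stat->mode & S_IFMT) | table->mode;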
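Review bot: The `extern __u32 gr_handle_sysctl(...)` prototype is placed in the .c file in the first hunk, so the definition and these call sites can drift without the compiler noticing; other hunks in this patch reach gr_* hooks through `#include <linux/security.h>` (fs/select.c, fs/utimes.c), which this file already includes, so the declaration presumably belongs in whatever header that pulls in. In `scan()` the hook is called as `gr_handle_sysctl(table, 0)` while proc_sys_lookup and proc_sys_getattr pass `MAY_EXEC`; a bare 0 needs a named value or a comment such as `/* op 0: visibility check only, no access attempted */`, if that is what it means, as the hook's definition is not visible from here. All three enclosing functions extend beyond their hunks.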
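--- a/fs/proc/root.c
+++ b/fs/proc/root.c
@@ -132,7 +132,15 @@ void __init proc_root_init(void)
 #ifdef CONFIG_PROC_DEVICETREE
 proc_device_tree_init();
 #endif
+#ifdef CONFIG_GRKERNSEC_PROC_ADD
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+ proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+ proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
+#endif
+#else
 proc_mkdir("bus", NULL);
+#endif
 proc_sys_init();
 }
 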
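Review bot: With CONFIG_GRKERNSEC_PROC_ADD set but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP, the nested `#ifdef`/`#elif` emits no call at all, so /proc/bus is never created. If Kconfig makes that combination impossible, a comment saying so would stop readers from flagging it; otherwise an `#else` branch with a default such as `proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);` is needed. The grsecurity Kconfig is not visible from this hunk, and proc_root_init starts outside it.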
33939 diff -urNp linux-2.6.37/fs/proc/task_mmu.c linux-2.6.37/fs/proc/task_mmu.c
33940 --- linux-2.6.37/fs/proc/task_mmu.c 2011-01-04 19:50:19.000000000 -0500
33941 +++ linux-2.6.37/fs/proc/task_mmu.c 2011-01-17 02:41:01.000000000 -0500
33942 @@ -49,8 +49,13 @@ void task_mem(struct seq_file *m, struct
33943 "VmExe:\t%8lu kB\n"
33944 "VmLib:\t%8lu kB\n"
33945 "VmPTE:\t%8lu kB\n"
33946 - "VmSwap:\t%8lu kB\n",
33947 - hiwater_vm << (PAGE_SHIFT-10),
33948 + "VmSwap:\t%8lu kB\n"
33949 +
33950 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
33951 + "CsBase:\t%8lx\nCsLim:\t%8lx\n"
33952 +#endif
33953 +
33954 + ,hiwater_vm << (PAGE_SHIFT-10),
33955 (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
33956 mm->locked_vm << (PAGE_SHIFT-10),
33957 hiwater_rss << (PAGE_SHIFT-10),
33958 @@ -58,7 +63,13 @@ void task_mem(struct seq_file *m, struct
33959 data << (PAGE_SHIFT-10),
33960 mm->stack_vm << (PAGE_SHIFT-10), text, lib,
33961 (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10,
33962 - swap << (PAGE_SHIFT-10));
33963 + swap << (PAGE_SHIFT-10)
33964 +
33965 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
33966 + , mm->context.user_cs_base, mm->context.user_cs_limit
33967 +#endif
33968 +
33969 + );
33970 }
33971
33972 unsigned long task_vsize(struct mm_struct *mm)
33973 @@ -203,6 +214,12 @@ static int do_maps_open(struct inode *in
33974 return ret;
33975 }
33976
33977 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33978 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
33979 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
33980 + _mm->pax_flags & MF_PAX_SEGMEXEC))
33981 +#endif
33982 +
33983 static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
33984 {
33985 struct mm_struct *mm = vma->vm_mm;
33986 @@ -210,7 +227,6 @@ static void show_map_vma(struct seq_file
33987 int flags = vma->vm_flags;
33988 unsigned long ino = 0;
33989 unsigned long long pgoff = 0;
33990 - unsigned long start;
33991 dev_t dev = 0;
33992 int len;
33993
33994 @@ -221,20 +237,24 @@ static void show_map_vma(struct seq_file
33995 pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
33996 }
33997
33998 - /* We don't show the stack guard page in /proc/maps */
33999 - start = vma->vm_start;
34000 - if (vma->vm_flags & VM_GROWSDOWN)
34001 - if (!vma_stack_continue(vma->vm_prev, vma->vm_start))
34002 - start += PAGE_SIZE;
34003
34004 seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
34005 - start,
34006 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34007 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start,
34008 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end,
34009 +#else
34010 + vma->vm_start,
34011 vma->vm_end,
34012 +#endif
34013 flags & VM_READ ? 'r' : '-',
34014 flags & VM_WRITE ? 'w' : '-',
34015 flags & VM_EXEC ? 'x' : '-',
34016 flags & VM_MAYSHARE ? 's' : 'p',
34017 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34018 + PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
34019 +#else
34020 pgoff,
34021 +#endif
34022 MAJOR(dev), MINOR(dev), ino, &len);
34023
34024 /*
34025 @@ -243,16 +263,16 @@ static void show_map_vma(struct seq_file
34026 */
34027 if (file) {
34028 pad_len_spaces(m, len);
34029 - seq_path(m, &file->f_path, "\n");
34030 + seq_path(m, &file->f_path, "\n\\");
34031 } else {
34032 const char *name = arch_vma_name(vma);
34033 if (!name) {
34034 if (mm) {
34035 - if (vma->vm_start <= mm->start_brk &&
34036 - vma->vm_end >= mm->brk) {
34037 + if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
34038 name = "[heap]";
34039 - } else if (vma->vm_start <= mm->start_stack &&
34040 - vma->vm_end >= mm->start_stack) {
34041 + } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
34042 + (vma->vm_start <= mm->start_stack &&
34043 + vma->vm_end >= mm->start_stack)) {
34044 name = "[stack]";
34045 }
34046 } else {
34047 @@ -398,11 +418,16 @@ static int show_smap(struct seq_file *m,
34048 };
34049
34050 memset(&mss, 0, sizeof mss);
34051 - mss.vma = vma;
34052 - /* mmap_sem is held in m_start */
34053 - if (vma->vm_mm && !is_vm_hugetlb_page(vma))
34054 - walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
34055 -
34056 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34057 + if (!PAX_RAND_FLAGS(vma->vm_mm)) {
34058 +#endif
34059 + mss.vma = vma;
34060 + /* mmap_sem is held in m_start */
34061 + if (vma->vm_mm && !is_vm_hugetlb_page(vma))
34062 + walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
34063 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34064 + }
34065 +#endif
34066 show_map_vma(m, vma);
34067
34068 seq_printf(m,
34069 @@ -418,7 +443,11 @@ static int show_smap(struct seq_file *m,
34070 "Swap: %8lu kB\n"
34071 "KernelPageSize: %8lu kB\n"
34072 "MMUPageSize: %8lu kB\n",
34073 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34074 + PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
34075 +#else
34076 (vma->vm_end - vma->vm_start) >> 10,
34077 +#endif
34078 mss.resident >> 10,
34079 (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
34080 mss.shared_clean >> 10,
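Review bot: `PAX_RAND_FLAGS` is a function-like macro that evaluates its argument up to four times and is itself evaluated three times per seq_printf in show_map_vma and twice in show_smap, where one local would read better; a static inline keeps the same truth table (the two `&` tests collapse into a single mask test) and type-checks the argument, while the macro name can stay for the callers. Separately, the `[stack]` test now also matches any VM_GROWSDOWN/VM_GROWSUP region regardless of start_stack, which warrants a one-line comment stating that this is deliberate. Both functions extend beyond the hunks.
```c
#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
/* True when the addresses of a foreign, randomized/segmented mm must be
 * masked in the maps/smaps output. */
static inline int pax_rand_flags(const struct mm_struct *mm)
{
	return mm != NULL && mm != current->mm &&
	       (mm->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)) != 0;
}
#define PAX_RAND_FLAGS(_mm) pax_rand_flags(_mm)
#endif
/* … unchanged: show_map_vma and show_smap keep calling PAX_RAND_FLAGS … */
```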
34081 diff -urNp linux-2.6.37/fs/proc/task_nommu.c linux-2.6.37/fs/proc/task_nommu.c
34082 --- linux-2.6.37/fs/proc/task_nommu.c 2011-01-04 19:50:19.000000000 -0500
34083 +++ linux-2.6.37/fs/proc/task_nommu.c 2011-01-17 02:41:01.000000000 -0500
34084 @@ -51,7 +51,7 @@ void task_mem(struct seq_file *m, struct
34085 else
34086 bytes += kobjsize(mm);
34087
34088 - if (current->fs && current->fs->users > 1)
34089 + if (current->fs && atomic_read(&current->fs->users) > 1)
34090 sbytes += kobjsize(current->fs);
34091 else
34092 bytes += kobjsize(current->fs);
34093 @@ -165,7 +165,7 @@ static int nommu_vma_show(struct seq_fil
34094
34095 if (file) {
34096 pad_len_spaces(m, len);
34097 - seq_path(m, &file->f_path, "");
34098 + seq_path(m, &file->f_path, "\n\\");
34099 } else if (mm) {
34100 if (vma->vm_start <= mm->start_stack &&
34101 vma->vm_end >= mm->start_stack) {
34102 diff -urNp linux-2.6.37/fs/readdir.c linux-2.6.37/fs/readdir.c
34103 --- linux-2.6.37/fs/readdir.c 2011-01-04 19:50:19.000000000 -0500
34104 +++ linux-2.6.37/fs/readdir.c 2011-01-17 02:41:01.000000000 -0500
34105 @@ -17,6 +17,7 @@
34106 #include <linux/security.h>
34107 #include <linux/syscalls.h>
34108 #include <linux/unistd.h>
34109 +#include <linux/namei.h>
34110
34111 #include <asm/uaccess.h>
34112
34113 @@ -67,6 +68,7 @@ struct old_linux_dirent {
34114
34115 struct readdir_callback {
34116 struct old_linux_dirent __user * dirent;
34117 + struct file * file;
34118 int result;
34119 };
34120
34121 @@ -84,6 +86,10 @@ static int fillonedir(void * __buf, cons
34122 buf->result = -EOVERFLOW;
34123 return -EOVERFLOW;
34124 }
34125 +
34126 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
34127 + return 0;
34128 +
34129 buf->result++;
34130 dirent = buf->dirent;
34131 if (!access_ok(VERIFY_WRITE, dirent,
34132 @@ -116,6 +122,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned in
34133
34134 buf.result = 0;
34135 buf.dirent = dirent;
34136 + buf.file = file;
34137
34138 error = vfs_readdir(file, fillonedir, &buf);
34139 if (buf.result)
34140 @@ -142,6 +149,7 @@ struct linux_dirent {
34141 struct getdents_callback {
34142 struct linux_dirent __user * current_dir;
34143 struct linux_dirent __user * previous;
34144 + struct file * file;
34145 int count;
34146 int error;
34147 };
34148 @@ -163,6 +171,10 @@ static int filldir(void * __buf, const c
34149 buf->error = -EOVERFLOW;
34150 return -EOVERFLOW;
34151 }
34152 +
34153 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
34154 + return 0;
34155 +
34156 dirent = buf->previous;
34157 if (dirent) {
34158 if (__put_user(offset, &dirent->d_off))
34159 @@ -210,6 +222,7 @@ SYSCALL_DEFINE3(getdents, unsigned int,
34160 buf.previous = NULL;
34161 buf.count = count;
34162 buf.error = 0;
34163 + buf.file = file;
34164
34165 error = vfs_readdir(file, filldir, &buf);
34166 if (error >= 0)
34167 @@ -229,6 +242,7 @@ out:
34168 struct getdents_callback64 {
34169 struct linux_dirent64 __user * current_dir;
34170 struct linux_dirent64 __user * previous;
34171 + struct file *file;
34172 int count;
34173 int error;
34174 };
34175 @@ -244,6 +258,10 @@ static int filldir64(void * __buf, const
34176 buf->error = -EINVAL; /* only used if we fail.. */
34177 if (reclen > buf->count)
34178 return -EINVAL;
34179 +
34180 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
34181 + return 0;
34182 +
34183 dirent = buf->previous;
34184 if (dirent) {
34185 if (__put_user(offset, &dirent->d_off))
34186 @@ -291,6 +309,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
34187
34188 buf.current_dir = dirent;
34189 buf.previous = NULL;
34190 + buf.file = file;
34191 buf.count = count;
34192 buf.error = 0;
34193
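Review bot: The three new `file` members are declared inconsistently: `struct file * file;` in readdir_callback and getdents_callback but `struct file *file;` in getdents_callback64, and the neighbouring members of all three structs use the former spacing, so pick one. Each `gr_acl_handle_filldir` call drops the entry with a bare `return 0`, which reads like a success path; a comment such as `/* entry hidden by RBAC policy: skip it, keep iterating */` at the first site (fillonedir) and `/* see fillonedir */` at the other two would make that explicit. The added `#include <linux/namei.h>` is presumably where the hook is declared; if not, it is unused here. All three callbacks extend beyond their hunks.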
34194 diff -urNp linux-2.6.37/fs/reiserfs/do_balan.c linux-2.6.37/fs/reiserfs/do_balan.c
34195 --- linux-2.6.37/fs/reiserfs/do_balan.c 2011-01-04 19:50:19.000000000 -0500
34196 +++ linux-2.6.37/fs/reiserfs/do_balan.c 2011-01-17 02:41:02.000000000 -0500
34197 @@ -2051,7 +2051,7 @@ void do_balance(struct tree_balance *tb,
34198 return;
34199 }
34200
34201 - atomic_inc(&(fs_generation(tb->tb_sb)));
34202 + atomic_inc_unchecked(&(fs_generation(tb->tb_sb)));
34203 do_balance_starts(tb);
34204
34205 /* balance leaf returns 0 except if combining L R and S into
34206 diff -urNp linux-2.6.37/fs/reiserfs/item_ops.c linux-2.6.37/fs/reiserfs/item_ops.c
34207 --- linux-2.6.37/fs/reiserfs/item_ops.c 2011-01-04 19:50:19.000000000 -0500
34208 +++ linux-2.6.37/fs/reiserfs/item_ops.c 2011-01-17 02:41:02.000000000 -0500
34209 @@ -102,7 +102,7 @@ static void sd_print_vi(struct virtual_i
34210 vi->vi_index, vi->vi_type, vi->vi_ih);
34211 }
34212
34213 -static struct item_operations stat_data_ops = {
34214 +static const struct item_operations stat_data_ops = {
34215 .bytes_number = sd_bytes_number,
34216 .decrement_key = sd_decrement_key,
34217 .is_left_mergeable = sd_is_left_mergeable,
34218 @@ -196,7 +196,7 @@ static void direct_print_vi(struct virtu
34219 vi->vi_index, vi->vi_type, vi->vi_ih);
34220 }
34221
34222 -static struct item_operations direct_ops = {
34223 +static const struct item_operations direct_ops = {
34224 .bytes_number = direct_bytes_number,
34225 .decrement_key = direct_decrement_key,
34226 .is_left_mergeable = direct_is_left_mergeable,
34227 @@ -341,7 +341,7 @@ static void indirect_print_vi(struct vir
34228 vi->vi_index, vi->vi_type, vi->vi_ih);
34229 }
34230
34231 -static struct item_operations indirect_ops = {
34232 +static const struct item_operations indirect_ops = {
34233 .bytes_number = indirect_bytes_number,
34234 .decrement_key = indirect_decrement_key,
34235 .is_left_mergeable = indirect_is_left_mergeable,
34236 @@ -628,7 +628,7 @@ static void direntry_print_vi(struct vir
34237 printk("\n");
34238 }
34239
34240 -static struct item_operations direntry_ops = {
34241 +static const struct item_operations direntry_ops = {
34242 .bytes_number = direntry_bytes_number,
34243 .decrement_key = direntry_decrement_key,
34244 .is_left_mergeable = direntry_is_left_mergeable,
34245 @@ -724,7 +724,7 @@ static void errcatch_print_vi(struct vir
34246 "Invalid item type observed, run fsck ASAP");
34247 }
34248
34249 -static struct item_operations errcatch_ops = {
34250 +static const struct item_operations errcatch_ops = {
34251 errcatch_bytes_number,
34252 errcatch_decrement_key,
34253 errcatch_is_left_mergeable,
34254 @@ -746,7 +746,7 @@ static struct item_operations errcatch_o
34255 #error Item types must use disk-format assigned values.
34256 #endif
34257
34258 -struct item_operations *item_ops[TYPE_ANY + 1] = {
34259 +const struct item_operations * const item_ops[TYPE_ANY + 1] = {
34260 &stat_data_ops,
34261 &indirect_ops,
34262 &direct_ops,
34263 diff -urNp linux-2.6.37/fs/reiserfs/procfs.c linux-2.6.37/fs/reiserfs/procfs.c
34264 --- linux-2.6.37/fs/reiserfs/procfs.c 2011-01-04 19:50:19.000000000 -0500
34265 +++ linux-2.6.37/fs/reiserfs/procfs.c 2011-01-17 02:41:02.000000000 -0500
34266 @@ -113,7 +113,7 @@ static int show_super(struct seq_file *m
34267 "SMALL_TAILS " : "NO_TAILS ",
34268 replay_only(sb) ? "REPLAY_ONLY " : "",
34269 convert_reiserfs(sb) ? "CONV " : "",
34270 - atomic_read(&r->s_generation_counter),
34271 + atomic_read_unchecked(&r->s_generation_counter),
34272 SF(s_disk_reads), SF(s_disk_writes), SF(s_fix_nodes),
34273 SF(s_do_balance), SF(s_unneeded_left_neighbor),
34274 SF(s_good_search_by_key_reada), SF(s_bmaps),
34275 diff -urNp linux-2.6.37/fs/select.c linux-2.6.37/fs/select.c
34276 --- linux-2.6.37/fs/select.c 2011-01-04 19:50:19.000000000 -0500
34277 +++ linux-2.6.37/fs/select.c 2011-01-17 02:41:02.000000000 -0500
34278 @@ -20,6 +20,7 @@
34279 #include <linux/module.h>
34280 #include <linux/slab.h>
34281 #include <linux/poll.h>
34282 +#include <linux/security.h>
34283 #include <linux/personality.h> /* for STICKY_TIMEOUTS */
34284 #include <linux/file.h>
34285 #include <linux/fdtable.h>
34286 @@ -838,6 +839,7 @@ int do_sys_poll(struct pollfd __user *uf
34287 struct poll_list *walk = head;
34288 unsigned long todo = nfds;
34289
34290 + gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1);
34291 if (nfds > rlimit(RLIMIT_NOFILE))
34292 return -EINVAL;
34293
34294 diff -urNp linux-2.6.37/fs/seq_file.c linux-2.6.37/fs/seq_file.c
34295 --- linux-2.6.37/fs/seq_file.c 2011-01-04 19:50:19.000000000 -0500
34296 +++ linux-2.6.37/fs/seq_file.c 2011-01-17 02:41:02.000000000 -0500
34297 @@ -76,7 +76,8 @@ static int traverse(struct seq_file *m,
34298 return 0;
34299 }
34300 if (!m->buf) {
34301 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
34302 + m->size = PAGE_SIZE;
34303 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
34304 if (!m->buf)
34305 return -ENOMEM;
34306 }
34307 @@ -116,7 +117,8 @@ static int traverse(struct seq_file *m,
34308 Eoverflow:
34309 m->op->stop(m, p);
34310 kfree(m->buf);
34311 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
34312 + m->size <<= 1;
34313 + m->buf = kmalloc(m->size, GFP_KERNEL);
34314 return !m->buf ? -ENOMEM : -EAGAIN;
34315 }
34316
34317 @@ -169,7 +171,8 @@ ssize_t seq_read(struct file *file, char
34318 m->version = file->f_version;
34319 /* grab buffer if we didn't have one */
34320 if (!m->buf) {
34321 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
34322 + m->size = PAGE_SIZE;
34323 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
34324 if (!m->buf)
34325 goto Enomem;
34326 }
34327 @@ -210,7 +213,8 @@ ssize_t seq_read(struct file *file, char
34328 goto Fill;
34329 m->op->stop(m, p);
34330 kfree(m->buf);
34331 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
34332 + m->size <<= 1;
34333 + m->buf = kmalloc(m->size, GFP_KERNEL);
34334 if (!m->buf)
34335 goto Enomem;
34336 m->count = 0;
34337 diff -urNp linux-2.6.37/fs/splice.c linux-2.6.37/fs/splice.c
34338 --- linux-2.6.37/fs/splice.c 2011-01-04 19:50:19.000000000 -0500
34339 +++ linux-2.6.37/fs/splice.c 2011-01-17 02:41:02.000000000 -0500
34340 @@ -186,7 +186,7 @@ ssize_t splice_to_pipe(struct pipe_inode
34341 pipe_lock(pipe);
34342
34343 for (;;) {
34344 - if (!pipe->readers) {
34345 + if (!atomic_read(&pipe->readers)) {
34346 send_sig(SIGPIPE, current, 0);
34347 if (!ret)
34348 ret = -EPIPE;
34349 @@ -240,9 +240,9 @@ ssize_t splice_to_pipe(struct pipe_inode
34350 do_wakeup = 0;
34351 }
34352
34353 - pipe->waiting_writers++;
34354 + atomic_inc(&pipe->waiting_writers);
34355 pipe_wait(pipe);
34356 - pipe->waiting_writers--;
34357 + atomic_dec(&pipe->waiting_writers);
34358 }
34359
34360 pipe_unlock(pipe);
34361 @@ -556,7 +556,7 @@ static ssize_t kernel_readv(struct file
34362 old_fs = get_fs();
34363 set_fs(get_ds());
34364 /* The cast to a user pointer is valid due to the set_fs() */
34365 - res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
34366 + res = vfs_readv(file, (__force const struct iovec __user *)vec, vlen, &pos);
34367 set_fs(old_fs);
34368
34369 return res;
34370 @@ -571,7 +571,7 @@ static ssize_t kernel_write(struct file
34371 old_fs = get_fs();
34372 set_fs(get_ds());
34373 /* The cast to a user pointer is valid due to the set_fs() */
34374 - res = vfs_write(file, (const char __user *)buf, count, &pos);
34375 + res = vfs_write(file, (__force const char __user *)buf, count, &pos);
34376 set_fs(old_fs);
34377
34378 return res;
34379 @@ -622,7 +622,7 @@ ssize_t default_file_splice_read(struct
34380 goto err;
34381
34382 this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
34383 - vec[i].iov_base = (void __user *) page_address(page);
34384 + vec[i].iov_base = (__force void __user *) page_address(page);
34385 vec[i].iov_len = this_len;
34386 spd.pages[i] = page;
34387 spd.nr_pages++;
34388 @@ -849,10 +849,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed);
34389 int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
34390 {
34391 while (!pipe->nrbufs) {
34392 - if (!pipe->writers)
34393 + if (!atomic_read(&pipe->writers))
34394 return 0;
34395
34396 - if (!pipe->waiting_writers && sd->num_spliced)
34397 + if (!atomic_read(&pipe->waiting_writers) && sd->num_spliced)
34398 return 0;
34399
34400 if (sd->flags & SPLICE_F_NONBLOCK)
34401 @@ -1189,7 +1189,7 @@ ssize_t splice_direct_to_actor(struct fi
34402 * out of the pipe right after the splice_to_pipe(). So set
34403 * PIPE_READERS appropriately.
34404 */
34405 - pipe->readers = 1;
34406 + atomic_set(&pipe->readers, 1);
34407
34408 current->splice_pipe = pipe;
34409 }
34410 @@ -1745,9 +1745,9 @@ static int ipipe_prep(struct pipe_inode_
34411 ret = -ERESTARTSYS;
34412 break;
34413 }
34414 - if (!pipe->writers)
34415 + if (!atomic_read(&pipe->writers))
34416 break;
34417 - if (!pipe->waiting_writers) {
34418 + if (!atomic_read(&pipe->waiting_writers)) {
34419 if (flags & SPLICE_F_NONBLOCK) {
34420 ret = -EAGAIN;
34421 break;
34422 @@ -1779,7 +1779,7 @@ static int opipe_prep(struct pipe_inode_
34423 pipe_lock(pipe);
34424
34425 while (pipe->nrbufs >= pipe->buffers) {
34426 - if (!pipe->readers) {
34427 + if (!atomic_read(&pipe->readers)) {
34428 send_sig(SIGPIPE, current, 0);
34429 ret = -EPIPE;
34430 break;
34431 @@ -1792,9 +1792,9 @@ static int opipe_prep(struct pipe_inode_
34432 ret = -ERESTARTSYS;
34433 break;
34434 }
34435 - pipe->waiting_writers++;
34436 + atomic_inc(&pipe->waiting_writers);
34437 pipe_wait(pipe);
34438 - pipe->waiting_writers--;
34439 + atomic_dec(&pipe->waiting_writers);
34440 }
34441
34442 pipe_unlock(pipe);
34443 @@ -1830,14 +1830,14 @@ retry:
34444 pipe_double_lock(ipipe, opipe);
34445
34446 do {
34447 - if (!opipe->readers) {
34448 + if (!atomic_read(&opipe->readers)) {
34449 send_sig(SIGPIPE, current, 0);
34450 if (!ret)
34451 ret = -EPIPE;
34452 break;
34453 }
34454
34455 - if (!ipipe->nrbufs && !ipipe->writers)
34456 + if (!ipipe->nrbufs && !atomic_read(&ipipe->writers))
34457 break;
34458
34459 /*
34460 @@ -1937,7 +1937,7 @@ static int link_pipe(struct pipe_inode_i
34461 pipe_double_lock(ipipe, opipe);
34462
34463 do {
34464 - if (!opipe->readers) {
34465 + if (!atomic_read(&opipe->readers)) {
34466 send_sig(SIGPIPE, current, 0);
34467 if (!ret)
34468 ret = -EPIPE;
34469 @@ -1982,7 +1982,7 @@ static int link_pipe(struct pipe_inode_i
34470 * return EAGAIN if we have the potential of some data in the
34471 * future, otherwise just return 0
34472 */
34473 - if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
34474 + if (!ret && atomic_read(&ipipe->waiting_writers) && (flags & SPLICE_F_NONBLOCK))
34475 ret = -EAGAIN;
34476
34477 pipe_unlock(ipipe);
34478 diff -urNp linux-2.6.37/fs/sysfs/symlink.c linux-2.6.37/fs/sysfs/symlink.c
34479 --- linux-2.6.37/fs/sysfs/symlink.c 2011-01-04 19:50:19.000000000 -0500
34480 +++ linux-2.6.37/fs/sysfs/symlink.c 2011-01-17 02:41:02.000000000 -0500
34481 @@ -286,7 +286,7 @@ static void *sysfs_follow_link(struct de
34482
34483 static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
34484 {
34485 - char *page = nd_get_link(nd);
34486 + const char *page = nd_get_link(nd);
34487 if (!IS_ERR(page))
34488 free_page((unsigned long)page);
34489 }
34490 diff -urNp linux-2.6.37/fs/udf/misc.c linux-2.6.37/fs/udf/misc.c
34491 --- linux-2.6.37/fs/udf/misc.c 2011-01-04 19:50:19.000000000 -0500
34492 +++ linux-2.6.37/fs/udf/misc.c 2011-01-17 02:41:02.000000000 -0500
34493 @@ -142,8 +142,8 @@ struct genericFormat *udf_add_extendedat
34494 iinfo->i_lenEAttr += size;
34495 return (struct genericFormat *)&ea[offset];
34496 }
34497 - if (loc & 0x02)
34498 - ;
34499 + if (loc & 0x02) {
34500 + }
34501
34502 return NULL;
34503 }
34504 @@ -286,7 +286,7 @@ void udf_new_tag(char *data, uint16_t id
34505
34506 u8 udf_tag_checksum(const struct tag *t)
34507 {
34508 - u8 *data = (u8 *)t;
34509 + const u8 *data = (const u8 *)t;
34510 u8 checksum = 0;
34511 int i;
34512 for (i = 0; i < sizeof(struct tag); ++i)
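Review bot: `if (loc & 0x02) { }` in udf_add_extendedattr keeps a test with no effect, which a reader will take for an unfinished placeholder; either drop the test or say why it stays, e.g. `/* loc & 0x02: not handled here, deliberately falls through to return NULL */` if that is the meaning of the bit, whose definition is not visible from this hunk. udf_add_extendedattr starts outside the hunk.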
34513 diff -urNp linux-2.6.37/fs/udf/udfdecl.h linux-2.6.37/fs/udf/udfdecl.h
34514 --- linux-2.6.37/fs/udf/udfdecl.h 2011-01-04 19:50:19.000000000 -0500
34515 +++ linux-2.6.37/fs/udf/udfdecl.h 2011-01-17 02:41:02.000000000 -0500
34516 @@ -26,7 +26,7 @@ do { \
34517 printk(f, ##a); \
34518 } while (0)
34519 #else
34520 -#define udf_debug(f, a...) /**/
34521 +#define udf_debug(f, a...) do {} while (0)
34522 #endif
34523
34524 #define udf_info(f, a...) \
34525 diff -urNp linux-2.6.37/fs/utimes.c linux-2.6.37/fs/utimes.c
34526 --- linux-2.6.37/fs/utimes.c 2011-01-04 19:50:19.000000000 -0500
34527 +++ linux-2.6.37/fs/utimes.c 2011-01-17 02:41:02.000000000 -0500
34528 @@ -1,6 +1,7 @@
34529 #include <linux/compiler.h>
34530 #include <linux/file.h>
34531 #include <linux/fs.h>
34532 +#include <linux/security.h>
34533 #include <linux/linkage.h>
34534 #include <linux/mount.h>
34535 #include <linux/namei.h>
34536 @@ -101,6 +102,12 @@ static int utimes_common(struct path *pa
34537 goto mnt_drop_write_and_out;
34538 }
34539 }
34540 +
34541 + if (!gr_acl_handle_utime(path->dentry, path->mnt)) {
34542 + error = -EACCES;
34543 + goto mnt_drop_write_and_out;
34544 + }
34545 +
34546 mutex_lock(&inode->i_mutex);
34547 error = notify_change(path->dentry, &newattrs);
34548 mutex_unlock(&inode->i_mutex);
34549 diff -urNp linux-2.6.37/fs/xattr_acl.c linux-2.6.37/fs/xattr_acl.c
34550 --- linux-2.6.37/fs/xattr_acl.c 2011-01-04 19:50:19.000000000 -0500
34551 +++ linux-2.6.37/fs/xattr_acl.c 2011-01-17 02:41:02.000000000 -0500
34552 @@ -17,8 +17,8 @@
34553 struct posix_acl *
34554 posix_acl_from_xattr(const void *value, size_t size)
34555 {
34556 - posix_acl_xattr_header *header = (posix_acl_xattr_header *)value;
34557 - posix_acl_xattr_entry *entry = (posix_acl_xattr_entry *)(header+1), *end;
34558 + const posix_acl_xattr_header *header = (const posix_acl_xattr_header *)value;
34559 + const posix_acl_xattr_entry *entry = (const posix_acl_xattr_entry *)(header+1), *end;
34560 int count;
34561 struct posix_acl *acl;
34562 struct posix_acl_entry *acl_e;
34563 diff -urNp linux-2.6.37/fs/xattr.c linux-2.6.37/fs/xattr.c
34564 --- linux-2.6.37/fs/xattr.c 2011-01-04 19:50:19.000000000 -0500
34565 +++ linux-2.6.37/fs/xattr.c 2011-01-17 02:41:02.000000000 -0500
34566 @@ -247,7 +247,7 @@ EXPORT_SYMBOL_GPL(vfs_removexattr);
34567 * Extended attribute SET operations
34568 */
34569 static long
34570 -setxattr(struct dentry *d, const char __user *name, const void __user *value,
34571 +setxattr(struct path *path, const char __user *name, const void __user *value,
34572 size_t size, int flags)
34573 {
34574 int error;
34575 @@ -271,7 +271,13 @@ setxattr(struct dentry *d, const char __
34576 return PTR_ERR(kvalue);
34577 }
34578
34579 - error = vfs_setxattr(d, kname, kvalue, size, flags);
34580 + if (!gr_acl_handle_setxattr(path->dentry, path->mnt)) {
34581 + error = -EACCES;
34582 + goto out;
34583 + }
34584 +
34585 + error = vfs_setxattr(path->dentry, kname, kvalue, size, flags);
34586 +out:
34587 kfree(kvalue);
34588 return error;
34589 }
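Review bot: The RBAC denial `if (!gr_acl_handle_setxattr(path->dentry, path->mnt))` is evaluated only after the name and value have been copied from user space and kvalue allocated, so a policy-denied caller still drives a kmalloc of up to the requested size before being refused; moving the check to the top of setxattr (whose first lines are outside this hunk) would make it a plain `return -EACCES;` with no allocation and no need for the new `out:` label. Separately, this chunk gates only the set path: the context line `EXPORT_SYMBOL_GPL(vfs_removexattr)` is visible but no matching gate on removexattr appears in this part of the patch, and if it is not hooked elsewhere a subject denied setxattr could still strip attributes, including security.* ones, so confirm parity.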
34590 @@ -288,7 +294,7 @@ SYSCALL_DEFINE5(setxattr, const char __u
34591 return error;
34592 error = mnt_want_write(path.mnt);
34593 if (!error) {
34594 - error = setxattr(path.dentry, name, value, size, flags);
34595 + error = setxattr(&path, name, value, size, flags);
34596 mnt_drop_write(path.mnt);
34597 }
34598 path_put(&path);
34599 @@ -307,7 +313,7 @@ SYSCALL_DEFINE5(lsetxattr, const char __
34600 return error;
34601 error = mnt_want_write(path.mnt);
34602 if (!error) {
34603 - error = setxattr(path.dentry, name, value, size, flags);
34604 + error = setxattr(&path, name, value, size, flags);
34605 mnt_drop_write(path.mnt);
34606 }
34607 path_put(&path);
34608 @@ -318,17 +324,15 @@ SYSCALL_DEFINE5(fsetxattr, int, fd, cons
34609 const void __user *,value, size_t, size, int, flags)
34610 {
34611 struct file *f;
34612 - struct dentry *dentry;
34613 int error = -EBADF;
34614
34615 f = fget(fd);
34616 if (!f)
34617 return error;
34618 - dentry = f->f_path.dentry;
34619 - audit_inode(NULL, dentry);
34620 + audit_inode(NULL, f->f_path.dentry);
34621 error = mnt_want_write_file(f);
34622 if (!error) {
34623 - error = setxattr(dentry, name, value, size, flags);
34624 + error = setxattr(&f->f_path, name, value, size, flags);
34625 mnt_drop_write(f->f_path.mnt);
34626 }
34627 fput(f);
34628 diff -urNp linux-2.6.37/fs/xfs/linux-2.6/xfs_ioctl.c linux-2.6.37/fs/xfs/linux-2.6/xfs_ioctl.c
34629 --- linux-2.6.37/fs/xfs/linux-2.6/xfs_ioctl.c 2011-01-04 19:50:19.000000000 -0500
34630 +++ linux-2.6.37/fs/xfs/linux-2.6/xfs_ioctl.c 2011-01-17 02:41:02.000000000 -0500
34631 @@ -127,7 +127,7 @@ xfs_find_handle(
34632 }
34633
34634 error = -EFAULT;
34635 - if (copy_to_user(hreq->ohandle, &handle, hsize) ||
34636 + if (hsize > sizeof handle || copy_to_user(hreq->ohandle, &handle, hsize) ||
34637 copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
34638 goto out_put;
34639
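Review bot: The added `hsize > sizeof handle` guard reuses the `error = -EFAULT` set on the previous line, so an oversized hsize, which can only arise from how hsize is derived earlier in xfs_find_handle outside this hunk, would be reported to user space as a bad pointer rather than as a kernel-side inconsistency. The guard itself is worth keeping, since without it copy_to_user would read past the on-stack `handle`; I would make it its own statement ahead of the copy, `if (WARN_ON_ONCE(hsize > sizeof(handle))) { error = -EINVAL; goto out_put; }`, so the condition is visible and distinguishable in logs. Whether hsize is ever user-influenced cannot be told from this hunk.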
34640 diff -urNp linux-2.6.37/fs/xfs/linux-2.6/xfs_iops.c linux-2.6.37/fs/xfs/linux-2.6/xfs_iops.c
34641 --- linux-2.6.37/fs/xfs/linux-2.6/xfs_iops.c 2011-01-04 19:50:19.000000000 -0500
34642 +++ linux-2.6.37/fs/xfs/linux-2.6/xfs_iops.c 2011-01-17 02:41:02.000000000 -0500
34643 @@ -437,7 +437,7 @@ xfs_vn_put_link(
34644 struct nameidata *nd,
34645 void *p)
34646 {
34647 - char *s = nd_get_link(nd);
34648 + const char *s = nd_get_link(nd);
34649
34650 if (!IS_ERR(s))
34651 kfree(s);
34652 diff -urNp linux-2.6.37/fs/xfs/xfs_bmap.c linux-2.6.37/fs/xfs/xfs_bmap.c
34653 --- linux-2.6.37/fs/xfs/xfs_bmap.c 2011-01-04 19:50:19.000000000 -0500
34654 +++ linux-2.6.37/fs/xfs/xfs_bmap.c 2011-01-17 02:41:02.000000000 -0500
34655 @@ -287,7 +287,7 @@ xfs_bmap_validate_ret(
34656 int nmap,
34657 int ret_nmap);
34658 #else
34659 -#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
34660 +#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
34661 #endif /* DEBUG */
34662
34663 STATIC int
34664 diff -urNp linux-2.6.37/grsecurity/gracl_alloc.c linux-2.6.37/grsecurity/gracl_alloc.c
34665 --- linux-2.6.37/grsecurity/gracl_alloc.c 1969-12-31 19:00:00.000000000 -0500
34666 +++ linux-2.6.37/grsecurity/gracl_alloc.c 2011-01-17 02:41:02.000000000 -0500
34667 @@ -0,0 +1,105 @@
34668 +#include <linux/kernel.h>
34669 +#include <linux/mm.h>
34670 +#include <linux/slab.h>
34671 +#include <linux/vmalloc.h>
34672 +#include <linux/gracl.h>
34673 +#include <linux/grsecurity.h>
34674 +
34675 +static unsigned long alloc_stack_next = 1;
34676 +static unsigned long alloc_stack_size = 1;
34677 +static void **alloc_stack;
34678 +
34679 +static __inline__ int
34680 +alloc_pop(void)
34681 +{
34682 + if (alloc_stack_next == 1)
34683 + return 0;
34684 +
34685 + kfree(alloc_stack[alloc_stack_next - 2]);
34686 +
34687 + alloc_stack_next--;
34688 +
34689 + return 1;
34690 +}
34691 +
34692 +static __inline__ int
34693 +alloc_push(void *buf)
34694 +{
34695 + if (alloc_stack_next >= alloc_stack_size)
34696 + return 1;
34697 +
34698 + alloc_stack[alloc_stack_next - 1] = buf;
34699 +
34700 + alloc_stack_next++;
34701 +
34702 + return 0;
34703 +}
34704 +
34705 +void *
34706 +acl_alloc(unsigned long len)
34707 +{
34708 + void *ret = NULL;
34709 +
34710 + if (!len || len > PAGE_SIZE)
34711 + goto out;
34712 +
34713 + ret = kmalloc(len, GFP_KERNEL);
34714 +
34715 + if (ret) {
34716 + if (alloc_push(ret)) {
34717 + kfree(ret);
34718 + ret = NULL;
34719 + }
34720 + }
34721 +
34722 +out:
34723 + return ret;
34724 +}
34725 +
34726 +void *
34727 +acl_alloc_num(unsigned long num, unsigned long len)
34728 +{
34729 + if (!len || (num > (PAGE_SIZE / len)))
34730 + return NULL;
34731 +
34732 + return acl_alloc(num * len);
34733 +}
34734 +
34735 +void
34736 +acl_free_all(void)
34737 +{
34738 + if (gr_acl_is_enabled() || !alloc_stack)
34739 + return;
34740 +
34741 + while (alloc_pop()) ;
34742 +
34743 + if (alloc_stack) {
34744 + if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
34745 + kfree(alloc_stack);
34746 + else
34747 + vfree(alloc_stack);
34748 + }
34749 +
34750 + alloc_stack = NULL;
34751 + alloc_stack_size = 1;
34752 + alloc_stack_next = 1;
34753 +
34754 + return;
34755 +}
34756 +
34757 +int
34758 +acl_alloc_stack_init(unsigned long size)
34759 +{
34760 + if ((size * sizeof (void *)) <= PAGE_SIZE)
34761 + alloc_stack =
34762 + (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
34763 + else
34764 + alloc_stack = (void **) vmalloc(size * sizeof (void *));
34765 +
34766 + alloc_stack_size = size;
34767 +
34768 + if (!alloc_stack)
34769 + return 0;
34770 + else
34771 + return 1;
34772 +}
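Review bot: acl_alloc_stack_init computes `size * sizeof (void *)` three times with no overflow check, although `size` is supplied by the caller (init_variables in gracl.c derives it as `arg->role_db.num_pointers + 5` from the loaded policy); a product that wraps would hand kmalloc a small length yet record the full `size` in alloc_stack_size, which is the only bound alloc_push consults before writing `alloc_stack[alloc_stack_next - 1]`, so a heap overrun would follow. The sibling create_table() in gracl.c already guards with `table_sizes[pwr] > ULONG_MAX / elementsize`; mirror it here with `if (size > ULONG_MAX / sizeof (void *)) return 0;` as the first statement. Whether num_pointers is range-checked before init_variables is not visible in this chunk, and policy loading is presumably privileged, so the practical exposure is an inference. Also note that alloc_push's `>=` test leaves the last slot of the stack unused, harmless given the +5 slack but worth a one-line comment.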
34773 diff -urNp linux-2.6.37/grsecurity/gracl.c linux-2.6.37/grsecurity/gracl.c
34774 --- linux-2.6.37/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
34775 +++ linux-2.6.37/grsecurity/gracl.c 2011-01-17 02:41:02.000000000 -0500
34776 @@ -0,0 +1,3991 @@
34777 +#include <linux/kernel.h>
34778 +#include <linux/module.h>
34779 +#include <linux/sched.h>
34780 +#include <linux/mm.h>
34781 +#include <linux/file.h>
34782 +#include <linux/fs.h>
34783 +#include <linux/namei.h>
34784 +#include <linux/mount.h>
34785 +#include <linux/tty.h>
34786 +#include <linux/proc_fs.h>
34787 +#include <linux/smp_lock.h>
34788 +#include <linux/lglock.h>
34789 +#include <linux/slab.h>
34790 +#include <linux/vmalloc.h>
34791 +#include <linux/types.h>
34792 +#include <linux/sysctl.h>
34793 +#include <linux/netdevice.h>
34794 +#include <linux/ptrace.h>
34795 +#include <linux/gracl.h>
34796 +#include <linux/gralloc.h>
34797 +#include <linux/grsecurity.h>
34798 +#include <linux/grinternal.h>
34799 +#include <linux/pid_namespace.h>
34800 +#include <linux/fdtable.h>
34801 +#include <linux/percpu.h>
34802 +
34803 +#include <asm/uaccess.h>
34804 +#include <asm/errno.h>
34805 +#include <asm/mman.h>
34806 +
34807 +static struct acl_role_db acl_role_set;
34808 +static struct name_db name_set;
34809 +static struct inodev_db inodev_set;
34810 +
34811 +/* for keeping track of userspace pointers used for subjects, so we
34812 + can share references in the kernel as well
34813 +*/
34814 +
34815 +static struct path real_root;
34816 +
34817 +static struct acl_subj_map_db subj_map_set;
34818 +
34819 +static struct acl_role_label *default_role;
34820 +
34821 +static struct acl_role_label *role_list;
34822 +
34823 +static u16 acl_sp_role_value;
34824 +
34825 +extern char *gr_shared_page[4];
34826 +static DEFINE_MUTEX(gr_dev_mutex);
34827 +DEFINE_RWLOCK(gr_inode_lock);
34828 +
34829 +struct gr_arg *gr_usermode;
34830 +
34831 +static unsigned int gr_status __read_only = GR_STATUS_INIT;
34832 +
34833 +extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
34834 +extern void gr_clear_learn_entries(void);
34835 +
34836 +#ifdef CONFIG_GRKERNSEC_RESLOG
34837 +extern void gr_log_resource(const struct task_struct *task,
34838 + const int res, const unsigned long wanted, const int gt);
34839 +#endif
34840 +
34841 +unsigned char *gr_system_salt;
34842 +unsigned char *gr_system_sum;
34843 +
34844 +static struct sprole_pw **acl_special_roles = NULL;
34845 +static __u16 num_sprole_pws = 0;
34846 +
34847 +static struct acl_role_label *kernel_role = NULL;
34848 +
34849 +static unsigned int gr_auth_attempts = 0;
34850 +static unsigned long gr_auth_expires = 0UL;
34851 +
34852 +extern struct vfsmount *sock_mnt;
34853 +extern struct vfsmount *pipe_mnt;
34854 +extern struct vfsmount *shm_mnt;
34855 +#ifdef CONFIG_HUGETLBFS
34856 +extern struct vfsmount *hugetlbfs_vfsmount;
34857 +#endif
34858 +
34859 +static struct acl_object_label *fakefs_obj;
34860 +
34861 +extern int gr_init_uidset(void);
34862 +extern void gr_free_uidset(void);
34863 +extern void gr_remove_uid(uid_t uid);
34864 +extern int gr_find_uid(uid_t uid);
34865 +
34866 +DECLARE_BRLOCK(vfsmount_lock);
34867 +
34868 +__inline__ int
34869 +gr_acl_is_enabled(void)
34870 +{
34871 + return (gr_status & GR_READY);
34872 +}
34873 +
34874 +static char gr_task_roletype_to_char(struct task_struct *task)
34875 +{
34876 + switch (task->role->roletype &
34877 + (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
34878 + GR_ROLE_SPECIAL)) {
34879 + case GR_ROLE_DEFAULT:
34880 + return 'D';
34881 + case GR_ROLE_USER:
34882 + return 'U';
34883 + case GR_ROLE_GROUP:
34884 + return 'G';
34885 + case GR_ROLE_SPECIAL:
34886 + return 'S';
34887 + }
34888 +
34889 + return 'X';
34890 +}
34891 +
34892 +char gr_roletype_to_char(void)
34893 +{
34894 + return gr_task_roletype_to_char(current);
34895 +}
34896 +
34897 +__inline__ int
34898 +gr_acl_tpe_check(void)
34899 +{
34900 + if (unlikely(!(gr_status & GR_READY)))
34901 + return 0;
34902 + if (current->role->roletype & GR_ROLE_TPE)
34903 + return 1;
34904 + else
34905 + return 0;
34906 +}
34907 +
34908 +int
34909 +gr_handle_rawio(const struct inode *inode)
34910 +{
34911 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
34912 + if (inode && S_ISBLK(inode->i_mode) &&
34913 + grsec_enable_chroot_caps && proc_is_chrooted(current) &&
34914 + !capable(CAP_SYS_RAWIO))
34915 + return 1;
34916 +#endif
34917 + return 0;
34918 +}
34919 +
34920 +static int
34921 +gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
34922 +{
34923 + if (likely(lena != lenb))
34924 + return 0;
34925 +
34926 + return !memcmp(a, b, lena);
34927 +}
34928 +
34929 +static int prepend(char **buffer, int *buflen, const char *str, int namelen)
34930 +{
34931 + *buflen -= namelen;
34932 + if (*buflen < 0)
34933 + return -ENAMETOOLONG;
34934 + *buffer -= namelen;
34935 + memcpy(*buffer, str, namelen);
34936 + return 0;
34937 +}
34938 +
34939 +static int prepend_name(char **buffer, int *buflen, struct qstr *name)
34940 +{
34941 + return prepend(buffer, buflen, name->name, name->len);
34942 +}
34943 +
34944 +static int prepend_path(const struct path *path, struct path *root,
34945 + char **buffer, int *buflen)
34946 +{
34947 + struct dentry *dentry = path->dentry;
34948 + struct vfsmount *vfsmnt = path->mnt;
34949 + bool slash = false;
34950 + int error = 0;
34951 +
34952 + while (dentry != root->dentry || vfsmnt != root->mnt) {
34953 + struct dentry * parent;
34954 +
34955 + if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
34956 + /* Global root? */
34957 + if (vfsmnt->mnt_parent == vfsmnt) {
34958 + goto out;
34959 + }
34960 + dentry = vfsmnt->mnt_mountpoint;
34961 + vfsmnt = vfsmnt->mnt_parent;
34962 + continue;
34963 + }
34964 + parent = dentry->d_parent;
34965 + prefetch(parent);
34966 + error = prepend_name(buffer, buflen, &dentry->d_name);
34967 + if (!error)
34968 + error = prepend(buffer, buflen, "/", 1);
34969 + if (error)
34970 + break;
34971 +
34972 + slash = true;
34973 + dentry = parent;
34974 + }
34975 +
34976 +out:
34977 + if (!error && !slash)
34978 + error = prepend(buffer, buflen, "/", 1);
34979 +
34980 + return error;
34981 +}
34982 +
34983 +/* this must be called with vfsmount_lock and dcache_lock held */
34984 +
34985 +static char *__our_d_path(const struct path *path, struct path *root,
34986 + char *buf, int buflen)
34987 +{
34988 + char *res = buf + buflen;
34989 + int error;
34990 +
34991 + prepend(&res, &buflen, "\0", 1);
34992 + error = prepend_path(path, root, &res, &buflen);
34993 + if (error)
34994 + return ERR_PTR(error);
34995 +
34996 + return res;
34997 +}
34998 +
34999 +static char *
35000 +gen_full_path(struct path *path, struct path *root, char *buf, int buflen)
35001 +{
35002 + char *retval;
35003 +
35004 + retval = __our_d_path(path, root, buf, buflen);
35005 + if (unlikely(IS_ERR(retval)))
35006 + retval = strcpy(buf, "<path too long>");
35007 + else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
35008 + retval[1] = '\0';
35009 +
35010 + return retval;
35011 +}
35012 +
35013 +static char *
35014 +__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
35015 + char *buf, int buflen)
35016 +{
35017 + struct path path;
35018 + char *res;
35019 +
35020 + path.dentry = (struct dentry *)dentry;
35021 + path.mnt = (struct vfsmount *)vfsmnt;
35022 +
35023 + /* we can use real_root.dentry, real_root.mnt, because this is only called
35024 + by the RBAC system */
35025 + res = gen_full_path(&path, &real_root, buf, buflen);
35026 +
35027 + return res;
35028 +}
35029 +
35030 +static char *
35031 +d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
35032 + char *buf, int buflen)
35033 +{
35034 + char *res;
35035 + struct path path;
35036 + struct path root;
35037 + struct task_struct *reaper = &init_task;
35038 +
35039 + path.dentry = (struct dentry *)dentry;
35040 + path.mnt = (struct vfsmount *)vfsmnt;
35041 +
35042 + /* we can't use real_root.dentry, real_root.mnt, because they belong only to the RBAC system */
35043 + get_fs_root(reaper->fs, &root);
35044 +
35045 + spin_lock(&dcache_lock);
35046 + br_read_lock(vfsmount_lock);
35047 + res = gen_full_path(&path, &root, buf, buflen);
35048 + br_read_unlock(vfsmount_lock);
35049 + spin_unlock(&dcache_lock);
35050 +
35051 + path_put(&root);
35052 + return res;
35053 +}
35054 +
35055 +static char *
35056 +gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
35057 +{
35058 + char *ret;
35059 + spin_lock(&dcache_lock);
35060 + br_read_lock(vfsmount_lock);
35061 + ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
35062 + PAGE_SIZE);
35063 + br_read_unlock(vfsmount_lock);
35064 + spin_unlock(&dcache_lock);
35065 + return ret;
35066 +}
35067 +
35068 +char *
35069 +gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
35070 +{
35071 + return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
35072 + PAGE_SIZE);
35073 +}
35074 +
35075 +char *
35076 +gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
35077 +{
35078 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
35079 + PAGE_SIZE);
35080 +}
35081 +
35082 +char *
35083 +gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
35084 +{
35085 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
35086 + PAGE_SIZE);
35087 +}
35088 +
35089 +char *
35090 +gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
35091 +{
35092 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
35093 + PAGE_SIZE);
35094 +}
35095 +
35096 +char *
35097 +gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
35098 +{
35099 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
35100 + PAGE_SIZE);
35101 +}
35102 +
35103 +__inline__ __u32
35104 +to_gr_audit(const __u32 reqmode)
35105 +{
35106 + /* masks off auditable permission flags, then shifts them to create
35107 + auditing flags, and adds the special case of append auditing if
35108 + we're requesting write */
35109 + return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
35110 +}
35111 +
35112 +struct acl_subject_label *
35113 +lookup_subject_map(const struct acl_subject_label *userp)
35114 +{
35115 + unsigned int index = shash(userp, subj_map_set.s_size);
35116 + struct subject_map *match;
35117 +
35118 + match = subj_map_set.s_hash[index];
35119 +
35120 + while (match && match->user != userp)
35121 + match = match->next;
35122 +
35123 + if (match != NULL)
35124 + return match->kernel;
35125 + else
35126 + return NULL;
35127 +}
35128 +
35129 +static void
35130 +insert_subj_map_entry(struct subject_map *subjmap)
35131 +{
35132 + unsigned int index = shash(subjmap->user, subj_map_set.s_size);
35133 + struct subject_map **curr;
35134 +
35135 + subjmap->prev = NULL;
35136 +
35137 + curr = &subj_map_set.s_hash[index];
35138 + if (*curr != NULL)
35139 + (*curr)->prev = subjmap;
35140 +
35141 + subjmap->next = *curr;
35142 + *curr = subjmap;
35143 +
35144 + return;
35145 +}
35146 +
35147 +static struct acl_role_label *
35148 +lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
35149 + const gid_t gid)
35150 +{
35151 + unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
35152 + struct acl_role_label *match;
35153 + struct role_allowed_ip *ipp;
35154 + unsigned int x;
35155 + u32 curr_ip = task->signal->curr_ip;
35156 +
35157 + task->signal->saved_ip = curr_ip;
35158 +
35159 + match = acl_role_set.r_hash[index];
35160 +
35161 + while (match) {
35162 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
35163 + for (x = 0; x < match->domain_child_num; x++) {
35164 + if (match->domain_children[x] == uid)
35165 + goto found;
35166 + }
35167 + } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
35168 + break;
35169 + match = match->next;
35170 + }
35171 +found:
35172 + if (match == NULL) {
35173 + try_group:
35174 + index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
35175 + match = acl_role_set.r_hash[index];
35176 +
35177 + while (match) {
35178 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
35179 + for (x = 0; x < match->domain_child_num; x++) {
35180 + if (match->domain_children[x] == gid)
35181 + goto found2;
35182 + }
35183 + } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
35184 + break;
35185 + match = match->next;
35186 + }
35187 +found2:
35188 + if (match == NULL)
35189 + match = default_role;
35190 + if (match->allowed_ips == NULL)
35191 + return match;
35192 + else {
35193 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
35194 + if (likely
35195 + ((ntohl(curr_ip) & ipp->netmask) ==
35196 + (ntohl(ipp->addr) & ipp->netmask)))
35197 + return match;
35198 + }
35199 + match = default_role;
35200 + }
35201 + } else if (match->allowed_ips == NULL) {
35202 + return match;
35203 + } else {
35204 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
35205 + if (likely
35206 + ((ntohl(curr_ip) & ipp->netmask) ==
35207 + (ntohl(ipp->addr) & ipp->netmask)))
35208 + return match;
35209 + }
35210 + goto try_group;
35211 + }
35212 +
35213 + return match;
35214 +}
35215 +
35216 +struct acl_subject_label *
35217 +lookup_acl_subj_label(const ino_t ino, const dev_t dev,
35218 + const struct acl_role_label *role)
35219 +{
35220 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
35221 + struct acl_subject_label *match;
35222 +
35223 + match = role->subj_hash[index];
35224 +
35225 + while (match && (match->inode != ino || match->device != dev ||
35226 + (match->mode & GR_DELETED))) {
35227 + match = match->next;
35228 + }
35229 +
35230 + if (match && !(match->mode & GR_DELETED))
35231 + return match;
35232 + else
35233 + return NULL;
35234 +}
35235 +
35236 +struct acl_subject_label *
35237 +lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev,
35238 + const struct acl_role_label *role)
35239 +{
35240 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
35241 + struct acl_subject_label *match;
35242 +
35243 + match = role->subj_hash[index];
35244 +
35245 + while (match && (match->inode != ino || match->device != dev ||
35246 + !(match->mode & GR_DELETED))) {
35247 + match = match->next;
35248 + }
35249 +
35250 + if (match && (match->mode & GR_DELETED))
35251 + return match;
35252 + else
35253 + return NULL;
35254 +}
35255 +
35256 +static struct acl_object_label *
35257 +lookup_acl_obj_label(const ino_t ino, const dev_t dev,
35258 + const struct acl_subject_label *subj)
35259 +{
35260 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
35261 + struct acl_object_label *match;
35262 +
35263 + match = subj->obj_hash[index];
35264 +
35265 + while (match && (match->inode != ino || match->device != dev ||
35266 + (match->mode & GR_DELETED))) {
35267 + match = match->next;
35268 + }
35269 +
35270 + if (match && !(match->mode & GR_DELETED))
35271 + return match;
35272 + else
35273 + return NULL;
35274 +}
35275 +
35276 +static struct acl_object_label *
35277 +lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
35278 + const struct acl_subject_label *subj)
35279 +{
35280 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
35281 + struct acl_object_label *match;
35282 +
35283 + match = subj->obj_hash[index];
35284 +
35285 + while (match && (match->inode != ino || match->device != dev ||
35286 + !(match->mode & GR_DELETED))) {
35287 + match = match->next;
35288 + }
35289 +
35290 + if (match && (match->mode & GR_DELETED))
35291 + return match;
35292 +
35293 + match = subj->obj_hash[index];
35294 +
35295 + while (match && (match->inode != ino || match->device != dev ||
35296 + (match->mode & GR_DELETED))) {
35297 + match = match->next;
35298 + }
35299 +
35300 + if (match && !(match->mode & GR_DELETED))
35301 + return match;
35302 + else
35303 + return NULL;
35304 +}
35305 +
35306 +static struct name_entry *
35307 +lookup_name_entry(const char *name)
35308 +{
35309 + unsigned int len = strlen(name);
35310 + unsigned int key = full_name_hash(name, len);
35311 + unsigned int index = key % name_set.n_size;
35312 + struct name_entry *match;
35313 +
35314 + match = name_set.n_hash[index];
35315 +
35316 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
35317 + match = match->next;
35318 +
35319 + return match;
35320 +}
35321 +
35322 +static struct name_entry *
35323 +lookup_name_entry_create(const char *name)
35324 +{
35325 + unsigned int len = strlen(name);
35326 + unsigned int key = full_name_hash(name, len);
35327 + unsigned int index = key % name_set.n_size;
35328 + struct name_entry *match;
35329 +
35330 + match = name_set.n_hash[index];
35331 +
35332 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
35333 + !match->deleted))
35334 + match = match->next;
35335 +
35336 + if (match && match->deleted)
35337 + return match;
35338 +
35339 + match = name_set.n_hash[index];
35340 +
35341 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
35342 + match->deleted))
35343 + match = match->next;
35344 +
35345 + if (match && !match->deleted)
35346 + return match;
35347 + else
35348 + return NULL;
35349 +}
35350 +
35351 +static struct inodev_entry *
35352 +lookup_inodev_entry(const ino_t ino, const dev_t dev)
35353 +{
35354 + unsigned int index = fhash(ino, dev, inodev_set.i_size);
35355 + struct inodev_entry *match;
35356 +
35357 + match = inodev_set.i_hash[index];
35358 +
35359 + while (match && (match->nentry->inode != ino || match->nentry->device != dev))
35360 + match = match->next;
35361 +
35362 + return match;
35363 +}
35364 +
35365 +static void
35366 +insert_inodev_entry(struct inodev_entry *entry)
35367 +{
35368 + unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
35369 + inodev_set.i_size);
35370 + struct inodev_entry **curr;
35371 +
35372 + entry->prev = NULL;
35373 +
35374 + curr = &inodev_set.i_hash[index];
35375 + if (*curr != NULL)
35376 + (*curr)->prev = entry;
35377 +
35378 + entry->next = *curr;
35379 + *curr = entry;
35380 +
35381 + return;
35382 +}
35383 +
35384 +static void
35385 +__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
35386 +{
35387 + unsigned int index =
35388 + rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
35389 + struct acl_role_label **curr;
35390 + struct acl_role_label *tmp;
35391 +
35392 + curr = &acl_role_set.r_hash[index];
35393 +
35394 + /* if role was already inserted due to domains and already has
35395 + a role in the same bucket as it attached, then we need to
35396 + combine these two buckets
35397 + */
35398 + if (role->next) {
35399 + tmp = role->next;
35400 + while (tmp->next)
35401 + tmp = tmp->next;
35402 + tmp->next = *curr;
35403 + } else
35404 + role->next = *curr;
35405 + *curr = role;
35406 +
35407 + return;
35408 +}
35409 +
35410 +static void
35411 +insert_acl_role_label(struct acl_role_label *role)
35412 +{
35413 + int i;
35414 +
35415 + if (role_list == NULL) {
35416 + role_list = role;
35417 + role->prev = NULL;
35418 + } else {
35419 + role->prev = role_list;
35420 + role_list = role;
35421 + }
35422 +
35423 + /* used for hash chains */
35424 + role->next = NULL;
35425 +
35426 + if (role->roletype & GR_ROLE_DOMAIN) {
35427 + for (i = 0; i < role->domain_child_num; i++)
35428 + __insert_acl_role_label(role, role->domain_children[i]);
35429 + } else
35430 + __insert_acl_role_label(role, role->uidgid);
35431 +}
35432 +
35433 +static int
35434 +insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
35435 +{
35436 + struct name_entry **curr, *nentry;
35437 + struct inodev_entry *ientry;
35438 + unsigned int len = strlen(name);
35439 + unsigned int key = full_name_hash(name, len);
35440 + unsigned int index = key % name_set.n_size;
35441 +
35442 + curr = &name_set.n_hash[index];
35443 +
35444 + while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
35445 + curr = &((*curr)->next);
35446 +
35447 + if (*curr != NULL)
35448 + return 1;
35449 +
35450 + nentry = acl_alloc(sizeof (struct name_entry));
35451 + if (nentry == NULL)
35452 + return 0;
35453 + ientry = acl_alloc(sizeof (struct inodev_entry));
35454 + if (ientry == NULL)
35455 + return 0;
35456 + ientry->nentry = nentry;
35457 +
35458 + nentry->key = key;
35459 + nentry->name = name;
35460 + nentry->inode = inode;
35461 + nentry->device = device;
35462 + nentry->len = len;
35463 + nentry->deleted = deleted;
35464 +
35465 + nentry->prev = NULL;
35466 + curr = &name_set.n_hash[index];
35467 + if (*curr != NULL)
35468 + (*curr)->prev = nentry;
35469 + nentry->next = *curr;
35470 + *curr = nentry;
35471 +
35472 + /* insert us into the table searchable by inode/dev */
35473 + insert_inodev_entry(ientry);
35474 +
35475 + return 1;
35476 +}
35477 +
35478 +static void
35479 +insert_acl_obj_label(struct acl_object_label *obj,
35480 + struct acl_subject_label *subj)
35481 +{
35482 + unsigned int index =
35483 + fhash(obj->inode, obj->device, subj->obj_hash_size);
35484 + struct acl_object_label **curr;
35485 +
35486 +
35487 + obj->prev = NULL;
35488 +
35489 + curr = &subj->obj_hash[index];
35490 + if (*curr != NULL)
35491 + (*curr)->prev = obj;
35492 +
35493 + obj->next = *curr;
35494 + *curr = obj;
35495 +
35496 + return;
35497 +}
35498 +
35499 +static void
35500 +insert_acl_subj_label(struct acl_subject_label *obj,
35501 + struct acl_role_label *role)
35502 +{
35503 + unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
35504 + struct acl_subject_label **curr;
35505 +
35506 + obj->prev = NULL;
35507 +
35508 + curr = &role->subj_hash[index];
35509 + if (*curr != NULL)
35510 + (*curr)->prev = obj;
35511 +
35512 + obj->next = *curr;
35513 + *curr = obj;
35514 +
35515 + return;
35516 +}
35517 +
35518 +/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
35519 +
35520 +static void *
35521 +create_table(__u32 * len, int elementsize)
35522 +{
35523 + unsigned int table_sizes[] = {
35524 + 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
35525 + 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
35526 + 4194301, 8388593, 16777213, 33554393, 67108859
35527 + };
35528 + void *newtable = NULL;
35529 + unsigned int pwr = 0;
35530 +
35531 + while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
35532 + table_sizes[pwr] <= *len)
35533 + pwr++;
35534 +
35535 + if (table_sizes[pwr] <= *len || (table_sizes[pwr] > ULONG_MAX / elementsize))
35536 + return newtable;
35537 +
35538 + if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
35539 + newtable =
35540 + kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
35541 + else
35542 + newtable = vmalloc(table_sizes[pwr] * elementsize);
35543 +
35544 + *len = table_sizes[pwr];
35545 +
35546 + return newtable;
35547 +}
35548 +
35549 +static int
35550 +init_variables(const struct gr_arg *arg)
35551 +{
35552 + struct task_struct *reaper = &init_task;
35553 + unsigned int stacksize;
35554 +
35555 + subj_map_set.s_size = arg->role_db.num_subjects;
35556 + acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
35557 + name_set.n_size = arg->role_db.num_objects;
35558 + inodev_set.i_size = arg->role_db.num_objects;
35559 +
35560 + if (!subj_map_set.s_size || !acl_role_set.r_size ||
35561 + !name_set.n_size || !inodev_set.i_size)
35562 + return 1;
35563 +
35564 + if (!gr_init_uidset())
35565 + return 1;
35566 +
35567 + /* set up the stack that holds allocation info */
35568 +
35569 + stacksize = arg->role_db.num_pointers + 5;
35570 +
35571 + if (!acl_alloc_stack_init(stacksize))
35572 + return 1;
35573 +
35574 + /* grab reference for the real root dentry and vfsmount */
35575 + get_fs_root(reaper->fs, &real_root);
35576 +
35577 + fakefs_obj = acl_alloc(sizeof(struct acl_object_label));
35578 + if (fakefs_obj == NULL)
35579 + return 1;
35580 + fakefs_obj->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
35581 +
35582 + subj_map_set.s_hash =
35583 + (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
35584 + acl_role_set.r_hash =
35585 + (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
35586 + name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
35587 + inodev_set.i_hash =
35588 + (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
35589 +
35590 + if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
35591 + !name_set.n_hash || !inodev_set.i_hash)
35592 + return 1;
35593 +
35594 + memset(subj_map_set.s_hash, 0,
35595 + sizeof(struct subject_map *) * subj_map_set.s_size);
35596 + memset(acl_role_set.r_hash, 0,
35597 + sizeof (struct acl_role_label *) * acl_role_set.r_size);
35598 + memset(name_set.n_hash, 0,
35599 + sizeof (struct name_entry *) * name_set.n_size);
35600 + memset(inodev_set.i_hash, 0,
35601 + sizeof (struct inodev_entry *) * inodev_set.i_size);
35602 +
35603 + return 0;
35604 +}
35605 +
35606 +/* free information not needed after startup
35607 + currently contains user->kernel pointer mappings for subjects
35608 +*/
35609 +
35610 +static void
35611 +free_init_variables(void)
35612 +{
35613 + __u32 i;
35614 +
35615 + if (subj_map_set.s_hash) {
35616 + for (i = 0; i < subj_map_set.s_size; i++) {
35617 + if (subj_map_set.s_hash[i]) {
35618 + kfree(subj_map_set.s_hash[i]);
35619 + subj_map_set.s_hash[i] = NULL;
35620 + }
35621 + }
35622 +
35623 + if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
35624 + PAGE_SIZE)
35625 + kfree(subj_map_set.s_hash);
35626 + else
35627 + vfree(subj_map_set.s_hash);
35628 + }
35629 +
35630 + return;
35631 +}
35632 +
35633 +static void
35634 +free_variables(void)
35635 +{
35636 + struct acl_subject_label *s;
35637 + struct acl_role_label *r;
35638 + struct task_struct *task, *task2;
35639 + unsigned int x;
35640 +
35641 + gr_clear_learn_entries();
35642 +
35643 + read_lock(&tasklist_lock);
35644 + do_each_thread(task2, task) {
35645 + task->acl_sp_role = 0;
35646 + task->acl_role_id = 0;
35647 + task->acl = NULL;
35648 + task->role = NULL;
35649 + } while_each_thread(task2, task);
35650 + read_unlock(&tasklist_lock);
35651 +
35652 + /* release the reference to the real root dentry and vfsmount */
35653 + path_put(&real_root);
35654 +
35655 + /* free all object hash tables */
35656 +
35657 + FOR_EACH_ROLE_START(r)
35658 + if (r->subj_hash == NULL)
35659 + goto next_role;
35660 + FOR_EACH_SUBJECT_START(r, s, x)
35661 + if (s->obj_hash == NULL)
35662 + break;
35663 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
35664 + kfree(s->obj_hash);
35665 + else
35666 + vfree(s->obj_hash);
35667 + FOR_EACH_SUBJECT_END(s, x)
35668 + FOR_EACH_NESTED_SUBJECT_START(r, s)
35669 + if (s->obj_hash == NULL)
35670 + break;
35671 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
35672 + kfree(s->obj_hash);
35673 + else
35674 + vfree(s->obj_hash);
35675 + FOR_EACH_NESTED_SUBJECT_END(s)
35676 + if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
35677 + kfree(r->subj_hash);
35678 + else
35679 + vfree(r->subj_hash);
35680 + r->subj_hash = NULL;
35681 +next_role:
35682 + FOR_EACH_ROLE_END(r)
35683 +
35684 + acl_free_all();
35685 +
35686 + if (acl_role_set.r_hash) {
35687 + if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
35688 + PAGE_SIZE)
35689 + kfree(acl_role_set.r_hash);
35690 + else
35691 + vfree(acl_role_set.r_hash);
35692 + }
35693 + if (name_set.n_hash) {
35694 + if ((name_set.n_size * sizeof (struct name_entry *)) <=
35695 + PAGE_SIZE)
35696 + kfree(name_set.n_hash);
35697 + else
35698 + vfree(name_set.n_hash);
35699 + }
35700 +
35701 + if (inodev_set.i_hash) {
35702 + if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
35703 + PAGE_SIZE)
35704 + kfree(inodev_set.i_hash);
35705 + else
35706 + vfree(inodev_set.i_hash);
35707 + }
35708 +
35709 + gr_free_uidset();
35710 +
35711 + memset(&name_set, 0, sizeof (struct name_db));
35712 + memset(&inodev_set, 0, sizeof (struct inodev_db));
35713 + memset(&acl_role_set, 0, sizeof (struct acl_role_db));
35714 + memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
35715 +
35716 + default_role = NULL;
35717 + role_list = NULL;
35718 +
35719 + return;
35720 +}
35721 +
35722 +static __u32
35723 +count_user_objs(struct acl_object_label *userp)
35724 +{
35725 + struct acl_object_label o_tmp;
35726 + __u32 num = 0;
35727 +
35728 + while (userp) {
35729 + if (copy_from_user(&o_tmp, userp,
35730 + sizeof (struct acl_object_label)))
35731 + break;
35732 +
35733 + userp = o_tmp.prev;
35734 + num++;
35735 + }
35736 +
35737 + return num;
35738 +}
35739 +
35740 +static struct acl_subject_label *
35741 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
35742 +
35743 +static int
35744 +copy_user_glob(struct acl_object_label *obj)
35745 +{
35746 + struct acl_object_label *g_tmp, **guser;
35747 + unsigned int len;
35748 + char *tmp;
35749 +
35750 + if (obj->globbed == NULL)
35751 + return 0;
35752 +
35753 + guser = &obj->globbed;
35754 + while (*guser) {
35755 + g_tmp = (struct acl_object_label *)
35756 + acl_alloc(sizeof (struct acl_object_label));
35757 + if (g_tmp == NULL)
35758 + return -ENOMEM;
35759 +
35760 + if (copy_from_user(g_tmp, *guser,
35761 + sizeof (struct acl_object_label)))
35762 + return -EFAULT;
35763 +
35764 + len = strnlen_user(g_tmp->filename, PATH_MAX);
35765 +
35766 + if (!len || len >= PATH_MAX)
35767 + return -EINVAL;
35768 +
35769 + if ((tmp = (char *) acl_alloc(len)) == NULL)
35770 + return -ENOMEM;
35771 +
35772 + if (copy_from_user(tmp, g_tmp->filename, len))
35773 + return -EFAULT;
35774 + tmp[len-1] = '\0';
35775 + g_tmp->filename = tmp;
35776 +
35777 + *guser = g_tmp;
35778 + guser = &(g_tmp->next);
35779 + }
35780 +
35781 + return 0;
35782 +}
35783 +
35784 +static int
35785 +copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
35786 + struct acl_role_label *role)
35787 +{
35788 + struct acl_object_label *o_tmp;
35789 + unsigned int len;
35790 + int ret;
35791 + char *tmp;
35792 +
35793 + while (userp) {
35794 + if ((o_tmp = (struct acl_object_label *)
35795 + acl_alloc(sizeof (struct acl_object_label))) == NULL)
35796 + return -ENOMEM;
35797 +
35798 + if (copy_from_user(o_tmp, userp,
35799 + sizeof (struct acl_object_label)))
35800 + return -EFAULT;
35801 +
35802 + userp = o_tmp->prev;
35803 +
35804 + len = strnlen_user(o_tmp->filename, PATH_MAX);
35805 +
35806 + if (!len || len >= PATH_MAX)
35807 + return -EINVAL;
35808 +
35809 + if ((tmp = (char *) acl_alloc(len)) == NULL)
35810 + return -ENOMEM;
35811 +
35812 + if (copy_from_user(tmp, o_tmp->filename, len))
35813 + return -EFAULT;
35814 + tmp[len-1] = '\0';
35815 + o_tmp->filename = tmp;
35816 +
35817 + insert_acl_obj_label(o_tmp, subj);
35818 + if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
35819 + o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
35820 + return -ENOMEM;
35821 +
35822 + ret = copy_user_glob(o_tmp);
35823 + if (ret)
35824 + return ret;
35825 +
35826 + if (o_tmp->nested) {
35827 + o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
35828 + if (IS_ERR(o_tmp->nested))
35829 + return PTR_ERR(o_tmp->nested);
35830 +
35831 + /* insert into nested subject list */
35832 + o_tmp->nested->next = role->hash->first;
35833 + role->hash->first = o_tmp->nested;
35834 + }
35835 + }
35836 +
35837 + return 0;
35838 +}
35839 +
35840 +static __u32
35841 +count_user_subjs(struct acl_subject_label *userp)
35842 +{
35843 + struct acl_subject_label s_tmp;
35844 + __u32 num = 0;
35845 +
35846 + while (userp) {
35847 + if (copy_from_user(&s_tmp, userp,
35848 + sizeof (struct acl_subject_label)))
35849 + break;
35850 +
35851 + userp = s_tmp.prev;
35852 + /* do not count nested subjects against this count, since
35853 + they are not included in the hash table, but are
35854 + attached to objects. We have already counted
35855 + the subjects in userspace for the allocation
35856 + stack
35857 + */
35858 + if (!(s_tmp.mode & GR_NESTED))
35859 + num++;
35860 + }
35861 +
35862 + return num;
35863 +}
35864 +
35865 +static int
35866 +copy_user_allowedips(struct acl_role_label *rolep)
35867 +{
35868 + struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
35869 +
35870 + ruserip = rolep->allowed_ips;
35871 +
35872 + while (ruserip) {
35873 + rlast = rtmp;
35874 +
35875 + if ((rtmp = (struct role_allowed_ip *)
35876 + acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
35877 + return -ENOMEM;
35878 +
35879 + if (copy_from_user(rtmp, ruserip,
35880 + sizeof (struct role_allowed_ip)))
35881 + return -EFAULT;
35882 +
35883 + ruserip = rtmp->prev;
35884 +
35885 + if (!rlast) {
35886 + rtmp->prev = NULL;
35887 + rolep->allowed_ips = rtmp;
35888 + } else {
35889 + rlast->next = rtmp;
35890 + rtmp->prev = rlast;
35891 + }
35892 +
35893 + if (!ruserip)
35894 + rtmp->next = NULL;
35895 + }
35896 +
35897 + return 0;
35898 +}
35899 +
35900 +static int
35901 +copy_user_transitions(struct acl_role_label *rolep)
35902 +{
35903 + struct role_transition *rusertp, *rtmp = NULL, *rlast;
35904 +
35905 + unsigned int len;
35906 + char *tmp;
35907 +
35908 + rusertp = rolep->transitions;
35909 +
35910 + while (rusertp) {
35911 + rlast = rtmp;
35912 +
35913 + if ((rtmp = (struct role_transition *)
35914 + acl_alloc(sizeof (struct role_transition))) == NULL)
35915 + return -ENOMEM;
35916 +
35917 + if (copy_from_user(rtmp, rusertp,
35918 + sizeof (struct role_transition)))
35919 + return -EFAULT;
35920 +
35921 + rusertp = rtmp->prev;
35922 +
35923 + len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
35924 +
35925 + if (!len || len >= GR_SPROLE_LEN)
35926 + return -EINVAL;
35927 +
35928 + if ((tmp = (char *) acl_alloc(len)) == NULL)
35929 + return -ENOMEM;
35930 +
35931 + if (copy_from_user(tmp, rtmp->rolename, len))
35932 + return -EFAULT;
35933 + tmp[len-1] = '\0';
35934 + rtmp->rolename = tmp;
35935 +
35936 + if (!rlast) {
35937 + rtmp->prev = NULL;
35938 + rolep->transitions = rtmp;
35939 + } else {
35940 + rlast->next = rtmp;
35941 + rtmp->prev = rlast;
35942 + }
35943 +
35944 + if (!rusertp)
35945 + rtmp->next = NULL;
35946 + }
35947 +
35948 + return 0;
35949 +}
35950 +
35951 +static struct acl_subject_label *
35952 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
35953 +{
35954 + struct acl_subject_label *s_tmp = NULL, *s_tmp2;
35955 + unsigned int len;
35956 + char *tmp;
35957 + __u32 num_objs;
35958 + struct acl_ip_label **i_tmp, *i_utmp2;
35959 + struct gr_hash_struct ghash;
35960 + struct subject_map *subjmap;
35961 + unsigned int i_num;
35962 + int err;
35963 +
35964 + s_tmp = lookup_subject_map(userp);
35965 +
35966 + /* we've already copied this subject into the kernel, just return
35967 + the reference to it, and don't copy it over again
35968 + */
35969 + if (s_tmp)
35970 + return(s_tmp);
35971 +
35972 + if ((s_tmp = (struct acl_subject_label *)
35973 + acl_alloc(sizeof (struct acl_subject_label))) == NULL)
35974 + return ERR_PTR(-ENOMEM);
35975 +
35976 + subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
35977 + if (subjmap == NULL)
35978 + return ERR_PTR(-ENOMEM);
35979 +
35980 + subjmap->user = userp;
35981 + subjmap->kernel = s_tmp;
35982 + insert_subj_map_entry(subjmap);
35983 +
35984 + if (copy_from_user(s_tmp, userp,
35985 + sizeof (struct acl_subject_label)))
35986 + return ERR_PTR(-EFAULT);
35987 +
35988 + len = strnlen_user(s_tmp->filename, PATH_MAX);
35989 +
35990 + if (!len || len >= PATH_MAX)
35991 + return ERR_PTR(-EINVAL);
35992 +
35993 + if ((tmp = (char *) acl_alloc(len)) == NULL)
35994 + return ERR_PTR(-ENOMEM);
35995 +
35996 + if (copy_from_user(tmp, s_tmp->filename, len))
35997 + return ERR_PTR(-EFAULT);
35998 + tmp[len-1] = '\0';
35999 + s_tmp->filename = tmp;
36000 +
36001 + if (!strcmp(s_tmp->filename, "/"))
36002 + role->root_label = s_tmp;
36003 +
36004 + if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
36005 + return ERR_PTR(-EFAULT);
36006 +
36007 + /* copy user and group transition tables */
36008 +
36009 + if (s_tmp->user_trans_num) {
36010 + uid_t *uidlist;
36011 +
36012 + uidlist = (uid_t *)acl_alloc_num(s_tmp->user_trans_num, sizeof(uid_t));
36013 + if (uidlist == NULL)
36014 + return ERR_PTR(-ENOMEM);
36015 + if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
36016 + return ERR_PTR(-EFAULT);
36017 +
36018 + s_tmp->user_transitions = uidlist;
36019 + }
36020 +
36021 + if (s_tmp->group_trans_num) {
36022 + gid_t *gidlist;
36023 +
36024 + gidlist = (gid_t *)acl_alloc_num(s_tmp->group_trans_num, sizeof(gid_t));
36025 + if (gidlist == NULL)
36026 + return ERR_PTR(-ENOMEM);
36027 + if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
36028 + return ERR_PTR(-EFAULT);
36029 +
36030 + s_tmp->group_transitions = gidlist;
36031 + }
36032 +
36033 + /* set up object hash table */
36034 + num_objs = count_user_objs(ghash.first);
36035 +
36036 + s_tmp->obj_hash_size = num_objs;
36037 + s_tmp->obj_hash =
36038 + (struct acl_object_label **)
36039 + create_table(&(s_tmp->obj_hash_size), sizeof(void *));
36040 +
36041 + if (!s_tmp->obj_hash)
36042 + return ERR_PTR(-ENOMEM);
36043 +
36044 + memset(s_tmp->obj_hash, 0,
36045 + s_tmp->obj_hash_size *
36046 + sizeof (struct acl_object_label *));
36047 +
36048 + /* add in objects */
36049 + err = copy_user_objs(ghash.first, s_tmp, role);
36050 +
36051 + if (err)
36052 + return ERR_PTR(err);
36053 +
36054 + /* set pointer for parent subject */
36055 + if (s_tmp->parent_subject) {
36056 + s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
36057 +
36058 + if (IS_ERR(s_tmp2))
36059 + return s_tmp2;
36060 +
36061 + s_tmp->parent_subject = s_tmp2;
36062 + }
36063 +
36064 + /* add in ip acls */
36065 +
36066 + if (!s_tmp->ip_num) {
36067 + s_tmp->ips = NULL;
36068 + goto insert;
36069 + }
36070 +
36071 + i_tmp =
36072 + (struct acl_ip_label **) acl_alloc_num(s_tmp->ip_num,
36073 + sizeof (struct acl_ip_label *));
36074 +
36075 + if (!i_tmp)
36076 + return ERR_PTR(-ENOMEM);
36077 +
36078 + for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
36079 + *(i_tmp + i_num) =
36080 + (struct acl_ip_label *)
36081 + acl_alloc(sizeof (struct acl_ip_label));
36082 + if (!*(i_tmp + i_num))
36083 + return ERR_PTR(-ENOMEM);
36084 +
36085 + if (copy_from_user
36086 + (&i_utmp2, s_tmp->ips + i_num,
36087 + sizeof (struct acl_ip_label *)))
36088 + return ERR_PTR(-EFAULT);
36089 +
36090 + if (copy_from_user
36091 + (*(i_tmp + i_num), i_utmp2,
36092 + sizeof (struct acl_ip_label)))
36093 + return ERR_PTR(-EFAULT);
36094 +
36095 + if ((*(i_tmp + i_num))->iface == NULL)
36096 + continue;
36097 +
36098 + len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
36099 + if (!len || len >= IFNAMSIZ)
36100 + return ERR_PTR(-EINVAL);
36101 + tmp = acl_alloc(len);
36102 + if (tmp == NULL)
36103 + return ERR_PTR(-ENOMEM);
36104 + if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
36105 + return ERR_PTR(-EFAULT);
36106 + (*(i_tmp + i_num))->iface = tmp;
36107 + }
36108 +
36109 + s_tmp->ips = i_tmp;
36110 +
36111 +insert:
36112 + if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
36113 + s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
36114 + return ERR_PTR(-ENOMEM);
36115 +
36116 + return s_tmp;
36117 +}
36118 +
36119 +static int
36120 +copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
36121 +{
36122 + struct acl_subject_label s_pre;
36123 + struct acl_subject_label * ret;
36124 + int err;
36125 +
36126 + while (userp) {
36127 + if (copy_from_user(&s_pre, userp,
36128 + sizeof (struct acl_subject_label)))
36129 + return -EFAULT;
36130 +
36131 + /* do not add nested subjects here, add
36132 + while parsing objects
36133 + */
36134 +
36135 + if (s_pre.mode & GR_NESTED) {
36136 + userp = s_pre.prev;
36137 + continue;
36138 + }
36139 +
36140 + ret = do_copy_user_subj(userp, role);
36141 +
36142 + err = PTR_ERR(ret);
36143 + if (IS_ERR(ret))
36144 + return err;
36145 +
36146 + insert_acl_subj_label(ret, role);
36147 +
36148 + userp = s_pre.prev;
36149 + }
36150 +
36151 + return 0;
36152 +}
36153 +
36154 +static int
36155 +copy_user_acl(struct gr_arg *arg)
36156 +{
36157 + struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
36158 + struct sprole_pw *sptmp;
36159 + struct gr_hash_struct *ghash;
36160 + uid_t *domainlist;
36161 + unsigned int r_num;
36162 + unsigned int len;
36163 + char *tmp;
36164 + int err = 0;
36165 + __u16 i;
36166 + __u32 num_subjs;
36167 +
36168 + /* we need a default and kernel role */
36169 + if (arg->role_db.num_roles < 2)
36170 + return -EINVAL;
36171 +
36172 + /* copy special role authentication info from userspace */
36173 +
36174 + num_sprole_pws = arg->num_sprole_pws;
36175 + acl_special_roles = (struct sprole_pw **) acl_alloc_num(num_sprole_pws, sizeof(struct sprole_pw *));
36176 +
36177 + if (!acl_special_roles) {
36178 + err = -ENOMEM;
36179 + goto cleanup;
36180 + }
36181 +
36182 + for (i = 0; i < num_sprole_pws; i++) {
36183 + sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
36184 + if (!sptmp) {
36185 + err = -ENOMEM;
36186 + goto cleanup;
36187 + }
36188 + if (copy_from_user(sptmp, arg->sprole_pws + i,
36189 + sizeof (struct sprole_pw))) {
36190 + err = -EFAULT;
36191 + goto cleanup;
36192 + }
36193 +
36194 + len =
36195 + strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
36196 +
36197 + if (!len || len >= GR_SPROLE_LEN) {
36198 + err = -EINVAL;
36199 + goto cleanup;
36200 + }
36201 +
36202 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
36203 + err = -ENOMEM;
36204 + goto cleanup;
36205 + }
36206 +
36207 + if (copy_from_user(tmp, sptmp->rolename, len)) {
36208 + err = -EFAULT;
36209 + goto cleanup;
36210 + }
36211 + tmp[len-1] = '\0';
36212 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
36213 + printk(KERN_ALERT "Copying special role %s\n", tmp);
36214 +#endif
36215 + sptmp->rolename = tmp;
36216 + acl_special_roles[i] = sptmp;
36217 + }
36218 +
36219 + r_utmp = (struct acl_role_label **) arg->role_db.r_table;
36220 +
36221 + for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
36222 + r_tmp = acl_alloc(sizeof (struct acl_role_label));
36223 +
36224 + if (!r_tmp) {
36225 + err = -ENOMEM;
36226 + goto cleanup;
36227 + }
36228 +
36229 + if (copy_from_user(&r_utmp2, r_utmp + r_num,
36230 + sizeof (struct acl_role_label *))) {
36231 + err = -EFAULT;
36232 + goto cleanup;
36233 + }
36234 +
36235 + if (copy_from_user(r_tmp, r_utmp2,
36236 + sizeof (struct acl_role_label))) {
36237 + err = -EFAULT;
36238 + goto cleanup;
36239 + }
36240 +
36241 + len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
36242 +
36243 + if (!len || len >= PATH_MAX) {
36244 + err = -EINVAL;
36245 + goto cleanup;
36246 + }
36247 +
36248 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
36249 + err = -ENOMEM;
36250 + goto cleanup;
36251 + }
36252 + if (copy_from_user(tmp, r_tmp->rolename, len)) {
36253 + err = -EFAULT;
36254 + goto cleanup;
36255 + }
36256 + tmp[len-1] = '\0';
36257 + r_tmp->rolename = tmp;
36258 +
36259 + if (!strcmp(r_tmp->rolename, "default")
36260 + && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
36261 + default_role = r_tmp;
36262 + } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
36263 + kernel_role = r_tmp;
36264 + }
36265 +
36266 + if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
36267 + err = -ENOMEM;
36268 + goto cleanup;
36269 + }
36270 + if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
36271 + err = -EFAULT;
36272 + goto cleanup;
36273 + }
36274 +
36275 + r_tmp->hash = ghash;
36276 +
36277 + num_subjs = count_user_subjs(r_tmp->hash->first);
36278 +
36279 + r_tmp->subj_hash_size = num_subjs;
36280 + r_tmp->subj_hash =
36281 + (struct acl_subject_label **)
36282 + create_table(&(r_tmp->subj_hash_size), sizeof(void *));
36283 +
36284 + if (!r_tmp->subj_hash) {
36285 + err = -ENOMEM;
36286 + goto cleanup;
36287 + }
36288 +
36289 + err = copy_user_allowedips(r_tmp);
36290 + if (err)
36291 + goto cleanup;
36292 +
36293 + /* copy domain info */
36294 + if (r_tmp->domain_children != NULL) {
36295 + domainlist = acl_alloc_num(r_tmp->domain_child_num, sizeof(uid_t));
36296 + if (domainlist == NULL) {
36297 + err = -ENOMEM;
36298 + goto cleanup;
36299 + }
36300 + if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
36301 + err = -EFAULT;
36302 + goto cleanup;
36303 + }
36304 + r_tmp->domain_children = domainlist;
36305 + }
36306 +
36307 + err = copy_user_transitions(r_tmp);
36308 + if (err)
36309 + goto cleanup;
36310 +
36311 + memset(r_tmp->subj_hash, 0,
36312 + r_tmp->subj_hash_size *
36313 + sizeof (struct acl_subject_label *));
36314 +
36315 + err = copy_user_subjs(r_tmp->hash->first, r_tmp);
36316 +
36317 + if (err)
36318 + goto cleanup;
36319 +
36320 + /* set nested subject list to null */
36321 + r_tmp->hash->first = NULL;
36322 +
36323 + insert_acl_role_label(r_tmp);
36324 + }
36325 +
36326 + goto return_err;
36327 + cleanup:
36328 + free_variables();
36329 + return_err:
36330 + return err;
36331 +
36332 +}
36333 +
36334 +static int
36335 +gracl_init(struct gr_arg *args)
36336 +{
36337 + int error = 0;
36338 +
36339 + memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
36340 + memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
36341 +
36342 + if (init_variables(args)) {
36343 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
36344 + error = -ENOMEM;
36345 + free_variables();
36346 + goto out;
36347 + }
36348 +
36349 + error = copy_user_acl(args);
36350 + free_init_variables();
36351 + if (error) {
36352 + free_variables();
36353 + goto out;
36354 + }
36355 +
36356 + if ((error = gr_set_acls(0))) {
36357 + free_variables();
36358 + goto out;
36359 + }
36360 +
36361 + pax_open_kernel();
36362 + gr_status |= GR_READY;
36363 + pax_close_kernel();
36364 +
36365 + out:
36366 + return error;
36367 +}
36368 +
36369 +/* derived from glibc fnmatch() 0: match, 1: no match*/
36370 +
36371 +static int
36372 +glob_match(const char *p, const char *n)
36373 +{
36374 + char c;
36375 +
36376 + while ((c = *p++) != '\0') {
36377 + switch (c) {
36378 + case '?':
36379 + if (*n == '\0')
36380 + return 1;
36381 + else if (*n == '/')
36382 + return 1;
36383 + break;
36384 + case '\\':
36385 + if (*n != c)
36386 + return 1;
36387 + break;
36388 + case '*':
36389 + for (c = *p++; c == '?' || c == '*'; c = *p++) {
36390 + if (*n == '/')
36391 + return 1;
36392 + else if (c == '?') {
36393 + if (*n == '\0')
36394 + return 1;
36395 + else
36396 + ++n;
36397 + }
36398 + }
36399 + if (c == '\0') {
36400 + return 0;
36401 + } else {
36402 + const char *endp;
36403 +
36404 + if ((endp = strchr(n, '/')) == NULL)
36405 + endp = n + strlen(n);
36406 +
36407 + if (c == '[') {
36408 + for (--p; n < endp; ++n)
36409 + if (!glob_match(p, n))
36410 + return 0;
36411 + } else if (c == '/') {
36412 + while (*n != '\0' && *n != '/')
36413 + ++n;
36414 + if (*n == '/' && !glob_match(p, n + 1))
36415 + return 0;
36416 + } else {
36417 + for (--p; n < endp; ++n)
36418 + if (*n == c && !glob_match(p, n))
36419 + return 0;
36420 + }
36421 +
36422 + return 1;
36423 + }
36424 + case '[':
36425 + {
36426 + int not;
36427 + char cold;
36428 +
36429 + if (*n == '\0' || *n == '/')
36430 + return 1;
36431 +
36432 + not = (*p == '!' || *p == '^');
36433 + if (not)
36434 + ++p;
36435 +
36436 + c = *p++;
36437 + for (;;) {
36438 + unsigned char fn = (unsigned char)*n;
36439 +
36440 + if (c == '\0')
36441 + return 1;
36442 + else {
36443 + if (c == fn)
36444 + goto matched;
36445 + cold = c;
36446 + c = *p++;
36447 +
36448 + if (c == '-' && *p != ']') {
36449 + unsigned char cend = *p++;
36450 +
36451 + if (cend == '\0')
36452 + return 1;
36453 +
36454 + if (cold <= fn && fn <= cend)
36455 + goto matched;
36456 +
36457 + c = *p++;
36458 + }
36459 + }
36460 +
36461 + if (c == ']')
36462 + break;
36463 + }
36464 + if (!not)
36465 + return 1;
36466 + break;
36467 + matched:
36468 + while (c != ']') {
36469 + if (c == '\0')
36470 + return 1;
36471 +
36472 + c = *p++;
36473 + }
36474 + if (not)
36475 + return 1;
36476 + }
36477 + break;
36478 + default:
36479 + if (c != *n)
36480 + return 1;
36481 + }
36482 +
36483 + ++n;
36484 + }
36485 +
36486 + if (*n == '\0')
36487 + return 0;
36488 +
36489 + if (*n == '/')
36490 + return 0;
36491 +
36492 + return 1;
36493 +}
36494 +
36495 +static struct acl_object_label *
36496 +chk_glob_label(struct acl_object_label *globbed,
36497 + struct dentry *dentry, struct vfsmount *mnt, char **path)
36498 +{
36499 + struct acl_object_label *tmp;
36500 +
36501 + if (*path == NULL)
36502 + *path = gr_to_filename_nolock(dentry, mnt);
36503 +
36504 + tmp = globbed;
36505 +
36506 + while (tmp) {
36507 + if (!glob_match(tmp->filename, *path))
36508 + return tmp;
36509 + tmp = tmp->next;
36510 + }
36511 +
36512 + return NULL;
36513 +}
36514 +
36515 +static struct acl_object_label *
36516 +__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
36517 + const ino_t curr_ino, const dev_t curr_dev,
36518 + const struct acl_subject_label *subj, char **path, const int checkglob)
36519 +{
36520 + struct acl_subject_label *tmpsubj;
36521 + struct acl_object_label *retval;
36522 + struct acl_object_label *retval2;
36523 +
36524 + tmpsubj = (struct acl_subject_label *) subj;
36525 + read_lock(&gr_inode_lock);
36526 + do {
36527 + retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
36528 + if (retval) {
36529 + if (checkglob && retval->globbed) {
36530 + retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
36531 + (struct vfsmount *)orig_mnt, path);
36532 + if (retval2)
36533 + retval = retval2;
36534 + }
36535 + break;
36536 + }
36537 + } while ((tmpsubj = tmpsubj->parent_subject));
36538 + read_unlock(&gr_inode_lock);
36539 +
36540 + return retval;
36541 +}
36542 +
36543 +static __inline__ struct acl_object_label *
36544 +full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
36545 + const struct dentry *curr_dentry,
36546 + const struct acl_subject_label *subj, char **path, const int checkglob)
36547 +{
36548 + int newglob = checkglob;
36549 +
36550 + /* if we aren't checking a subdirectory of the original path yet, don't do glob checking
36551 + as we don't want a / * rule to match instead of the / object
36552 + don't do this for create lookups that call this function though, since they're looking up
36553 + on the parent and thus need globbing checks on all paths
36554 + */
36555 + if (orig_dentry == curr_dentry && newglob != GR_CREATE_GLOB)
36556 + newglob = GR_NO_GLOB;
36557 +
36558 + return __full_lookup(orig_dentry, orig_mnt,
36559 + curr_dentry->d_inode->i_ino,
36560 + curr_dentry->d_inode->i_sb->s_dev, subj, path, newglob);
36561 +}
36562 +
36563 +static struct acl_object_label *
36564 +__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
36565 + const struct acl_subject_label *subj, char *path, const int checkglob)
36566 +{
36567 + struct dentry *dentry = (struct dentry *) l_dentry;
36568 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
36569 + struct acl_object_label *retval;
36570 +
36571 + spin_lock(&dcache_lock);
36572 + br_read_lock(vfsmount_lock);
36573 +
36574 + if (unlikely(mnt == shm_mnt || mnt == pipe_mnt || mnt == sock_mnt ||
36575 +#ifdef CONFIG_HUGETLBFS
36576 + mnt == hugetlbfs_vfsmount ||
36577 +#endif
36578 + /* ignore Eric Biederman */
36579 + IS_PRIVATE(l_dentry->d_inode))) {
36580 + retval = fakefs_obj;
36581 + goto out;
36582 + }
36583 +
36584 + for (;;) {
36585 + if (dentry == real_root.dentry && mnt == real_root.mnt)
36586 + break;
36587 +
36588 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
36589 + if (mnt->mnt_parent == mnt)
36590 + break;
36591 +
36592 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
36593 + if (retval != NULL)
36594 + goto out;
36595 +
36596 + dentry = mnt->mnt_mountpoint;
36597 + mnt = mnt->mnt_parent;
36598 + continue;
36599 + }
36600 +
36601 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
36602 + if (retval != NULL)
36603 + goto out;
36604 +
36605 + dentry = dentry->d_parent;
36606 + }
36607 +
36608 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
36609 +
36610 + if (retval == NULL)
36611 + retval = full_lookup(l_dentry, l_mnt, real_root.dentry, subj, &path, checkglob);
36612 +out:
36613 + br_read_unlock(vfsmount_lock);
36614 + spin_unlock(&dcache_lock);
36615 +
36616 + BUG_ON(retval == NULL);
36617 +
36618 + return retval;
36619 +}
36620 +
36621 +static __inline__ struct acl_object_label *
36622 +chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
36623 + const struct acl_subject_label *subj)
36624 +{
36625 + char *path = NULL;
36626 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_REG_GLOB);
36627 +}
36628 +
36629 +static __inline__ struct acl_object_label *
36630 +chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
36631 + const struct acl_subject_label *subj)
36632 +{
36633 + char *path = NULL;
36634 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_NO_GLOB);
36635 +}
36636 +
36637 +static __inline__ struct acl_object_label *
36638 +chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
36639 + const struct acl_subject_label *subj, char *path)
36640 +{
36641 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_CREATE_GLOB);
36642 +}
36643 +
36644 +static struct acl_subject_label *
36645 +chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
36646 + const struct acl_role_label *role)
36647 +{
36648 + struct dentry *dentry = (struct dentry *) l_dentry;
36649 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
36650 + struct acl_subject_label *retval;
36651 +
36652 + spin_lock(&dcache_lock);
36653 + br_read_lock(vfsmount_lock);
36654 +
36655 + for (;;) {
36656 + if (dentry == real_root.dentry && mnt == real_root.mnt)
36657 + break;
36658 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
36659 + if (mnt->mnt_parent == mnt)
36660 + break;
36661 +
36662 + read_lock(&gr_inode_lock);
36663 + retval =
36664 + lookup_acl_subj_label(dentry->d_inode->i_ino,
36665 + dentry->d_inode->i_sb->s_dev, role);
36666 + read_unlock(&gr_inode_lock);
36667 + if (retval != NULL)
36668 + goto out;
36669 +
36670 + dentry = mnt->mnt_mountpoint;
36671 + mnt = mnt->mnt_parent;
36672 + continue;
36673 + }
36674 +
36675 + read_lock(&gr_inode_lock);
36676 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
36677 + dentry->d_inode->i_sb->s_dev, role);
36678 + read_unlock(&gr_inode_lock);
36679 + if (retval != NULL)
36680 + goto out;
36681 +
36682 + dentry = dentry->d_parent;
36683 + }
36684 +
36685 + read_lock(&gr_inode_lock);
36686 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
36687 + dentry->d_inode->i_sb->s_dev, role);
36688 + read_unlock(&gr_inode_lock);
36689 +
36690 + if (unlikely(retval == NULL)) {
36691 + read_lock(&gr_inode_lock);
36692 + retval = lookup_acl_subj_label(real_root.dentry->d_inode->i_ino,
36693 + real_root.dentry->d_inode->i_sb->s_dev, role);
36694 + read_unlock(&gr_inode_lock);
36695 + }
36696 +out:
36697 + br_read_unlock(vfsmount_lock);
36698 + spin_unlock(&dcache_lock);
36699 +
36700 + BUG_ON(retval == NULL);
36701 +
36702 + return retval;
36703 +}
36704 +
36705 +static void
36706 +gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
36707 +{
36708 + struct task_struct *task = current;
36709 + const struct cred *cred = current_cred();
36710 +
36711 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
36712 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
36713 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
36714 + 1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, &task->signal->saved_ip);
36715 +
36716 + return;
36717 +}
36718 +
36719 +static void
36720 +gr_log_learn_sysctl(const char *path, const __u32 mode)
36721 +{
36722 + struct task_struct *task = current;
36723 + const struct cred *cred = current_cred();
36724 +
36725 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
36726 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
36727 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
36728 + 1UL, 1UL, path, (unsigned long) mode, &task->signal->saved_ip);
36729 +
36730 + return;
36731 +}
36732 +
36733 +static void
36734 +gr_log_learn_id_change(const char type, const unsigned int real,
36735 + const unsigned int effective, const unsigned int fs)
36736 +{
36737 + struct task_struct *task = current;
36738 + const struct cred *cred = current_cred();
36739 +
36740 + security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
36741 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
36742 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
36743 + type, real, effective, fs, &task->signal->saved_ip);
36744 +
36745 + return;
36746 +}
36747 +
36748 +__u32
36749 +gr_check_link(const struct dentry * new_dentry,
36750 + const struct dentry * parent_dentry,
36751 + const struct vfsmount * parent_mnt,
36752 + const struct dentry * old_dentry, const struct vfsmount * old_mnt)
36753 +{
36754 + struct acl_object_label *obj;
36755 + __u32 oldmode, newmode;
36756 + __u32 needmode;
36757 +
36758 + if (unlikely(!(gr_status & GR_READY)))
36759 + return (GR_CREATE | GR_LINK);
36760 +
36761 + obj = chk_obj_label(old_dentry, old_mnt, current->acl);
36762 + oldmode = obj->mode;
36763 +
36764 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
36765 + oldmode |= (GR_CREATE | GR_LINK);
36766 +
36767 + needmode = GR_CREATE | GR_AUDIT_CREATE | GR_SUPPRESS;
36768 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
36769 + needmode |= GR_SETID | GR_AUDIT_SETID;
36770 +
36771 + newmode =
36772 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
36773 + oldmode | needmode);
36774 +
36775 + needmode = newmode & (GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC |
36776 + GR_SETID | GR_READ | GR_FIND | GR_DELETE |
36777 + GR_INHERIT | GR_AUDIT_INHERIT);
36778 +
36779 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID) && !(newmode & GR_SETID))
36780 + goto bad;
36781 +
36782 + if ((oldmode & needmode) != needmode)
36783 + goto bad;
36784 +
36785 + needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
36786 + if ((newmode & needmode) != needmode)
36787 + goto bad;
36788 +
36789 + if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
36790 + return newmode;
36791 +bad:
36792 + needmode = oldmode;
36793 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
36794 + needmode |= GR_SETID;
36795 +
36796 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
36797 + gr_log_learn(old_dentry, old_mnt, needmode);
36798 + return (GR_CREATE | GR_LINK);
36799 + } else if (newmode & GR_SUPPRESS)
36800 + return GR_SUPPRESS;
36801 + else
36802 + return 0;
36803 +}
36804 +
36805 +__u32
36806 +gr_search_file(const struct dentry * dentry, const __u32 mode,
36807 + const struct vfsmount * mnt)
36808 +{
36809 + __u32 retval = mode;
36810 + struct acl_subject_label *curracl;
36811 + struct acl_object_label *currobj;
36812 +
36813 + if (unlikely(!(gr_status & GR_READY)))
36814 + return (mode & ~GR_AUDITS);
36815 +
36816 + curracl = current->acl;
36817 +
36818 + currobj = chk_obj_label(dentry, mnt, curracl);
36819 + retval = currobj->mode & mode;
36820 +
36821 + if (unlikely
36822 + ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
36823 + && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
36824 + __u32 new_mode = mode;
36825 +
36826 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
36827 +
36828 + retval = new_mode;
36829 +
36830 + if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
36831 + new_mode |= GR_INHERIT;
36832 +
36833 + if (!(mode & GR_NOLEARN))
36834 + gr_log_learn(dentry, mnt, new_mode);
36835 + }
36836 +
36837 + return retval;
36838 +}
36839 +
36840 +__u32
36841 +gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
36842 + const struct vfsmount * mnt, const __u32 mode)
36843 +{
36844 + struct name_entry *match;
36845 + struct acl_object_label *matchpo;
36846 + struct acl_subject_label *curracl;
36847 + char *path;
36848 + __u32 retval;
36849 +
36850 + if (unlikely(!(gr_status & GR_READY)))
36851 + return (mode & ~GR_AUDITS);
36852 +
36853 + preempt_disable();
36854 + path = gr_to_filename_rbac(new_dentry, mnt);
36855 + match = lookup_name_entry_create(path);
36856 +
36857 + if (!match)
36858 + goto check_parent;
36859 +
36860 + curracl = current->acl;
36861 +
36862 + read_lock(&gr_inode_lock);
36863 + matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
36864 + read_unlock(&gr_inode_lock);
36865 +
36866 + if (matchpo) {
36867 + if ((matchpo->mode & mode) !=
36868 + (mode & ~(GR_AUDITS | GR_SUPPRESS))
36869 + && curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
36870 + __u32 new_mode = mode;
36871 +
36872 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
36873 +
36874 + gr_log_learn(new_dentry, mnt, new_mode);
36875 +
36876 + preempt_enable();
36877 + return new_mode;
36878 + }
36879 + preempt_enable();
36880 + return (matchpo->mode & mode);
36881 + }
36882 +
36883 + check_parent:
36884 + curracl = current->acl;
36885 +
36886 + matchpo = chk_obj_create_label(parent, mnt, curracl, path);
36887 + retval = matchpo->mode & mode;
36888 +
36889 + if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
36890 + && (curracl->mode & (GR_LEARN | GR_INHERITLEARN))) {
36891 + __u32 new_mode = mode;
36892 +
36893 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
36894 +
36895 + gr_log_learn(new_dentry, mnt, new_mode);
36896 + preempt_enable();
36897 + return new_mode;
36898 + }
36899 +
36900 + preempt_enable();
36901 + return retval;
36902 +}
36903 +
36904 +int
36905 +gr_check_hidden_task(const struct task_struct *task)
36906 +{
36907 + if (unlikely(!(gr_status & GR_READY)))
36908 + return 0;
36909 +
36910 + if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
36911 + return 1;
36912 +
36913 + return 0;
36914 +}
36915 +
36916 +int
36917 +gr_check_protected_task(const struct task_struct *task)
36918 +{
36919 + if (unlikely(!(gr_status & GR_READY) || !task))
36920 + return 0;
36921 +
36922 + if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
36923 + task->acl != current->acl)
36924 + return 1;
36925 +
36926 + return 0;
36927 +}
36928 +
36929 +int
36930 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
36931 +{
36932 + struct task_struct *p;
36933 + int ret = 0;
36934 +
36935 + if (unlikely(!(gr_status & GR_READY) || !pid))
36936 + return ret;
36937 +
36938 + read_lock(&tasklist_lock);
36939 + do_each_pid_task(pid, type, p) {
36940 + if ((p->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
36941 + p->acl != current->acl) {
36942 + ret = 1;
36943 + goto out;
36944 + }
36945 + } while_each_pid_task(pid, type, p);
36946 +out:
36947 + read_unlock(&tasklist_lock);
36948 +
36949 + return ret;
36950 +}
36951 +
36952 +void
36953 +gr_copy_label(struct task_struct *tsk)
36954 +{
36955 + tsk->signal->used_accept = 0;
36956 + tsk->acl_sp_role = 0;
36957 + tsk->acl_role_id = current->acl_role_id;
36958 + tsk->acl = current->acl;
36959 + tsk->role = current->role;
36960 + tsk->signal->curr_ip = current->signal->curr_ip;
36961 + tsk->signal->saved_ip = current->signal->saved_ip;
36962 + if (current->exec_file)
36963 + get_file(current->exec_file);
36964 + tsk->exec_file = current->exec_file;
36965 + tsk->is_writable = current->is_writable;
36966 + if (unlikely(current->signal->used_accept)) {
36967 + current->signal->curr_ip = 0;
36968 + current->signal->saved_ip = 0;
36969 + }
36970 +
36971 + return;
36972 +}
36973 +
36974 +static void
36975 +gr_set_proc_res(struct task_struct *task)
36976 +{
36977 + struct acl_subject_label *proc;
36978 + unsigned short i;
36979 +
36980 + proc = task->acl;
36981 +
36982 + if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
36983 + return;
36984 +
36985 + for (i = 0; i < RLIM_NLIMITS; i++) {
36986 + if (!(proc->resmask & (1 << i)))
36987 + continue;
36988 +
36989 + task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
36990 + task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
36991 + }
36992 +
36993 + return;
36994 +}
36995 +
36996 +int
36997 +gr_check_user_change(int real, int effective, int fs)
36998 +{
36999 + unsigned int i;
37000 + __u16 num;
37001 + uid_t *uidlist;
37002 + int curuid;
37003 + int realok = 0;
37004 + int effectiveok = 0;
37005 + int fsok = 0;
37006 +
37007 + if (unlikely(!(gr_status & GR_READY)))
37008 + return 0;
37009 +
37010 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
37011 + gr_log_learn_id_change('u', real, effective, fs);
37012 +
37013 + num = current->acl->user_trans_num;
37014 + uidlist = current->acl->user_transitions;
37015 +
37016 + if (uidlist == NULL)
37017 + return 0;
37018 +
37019 + if (real == -1)
37020 + realok = 1;
37021 + if (effective == -1)
37022 + effectiveok = 1;
37023 + if (fs == -1)
37024 + fsok = 1;
37025 +
37026 + if (current->acl->user_trans_type & GR_ID_ALLOW) {
37027 + for (i = 0; i < num; i++) {
37028 + curuid = (int)uidlist[i];
37029 + if (real == curuid)
37030 + realok = 1;
37031 + if (effective == curuid)
37032 + effectiveok = 1;
37033 + if (fs == curuid)
37034 + fsok = 1;
37035 + }
37036 + } else if (current->acl->user_trans_type & GR_ID_DENY) {
37037 + for (i = 0; i < num; i++) {
37038 + curuid = (int)uidlist[i];
37039 + if (real == curuid)
37040 + break;
37041 + if (effective == curuid)
37042 + break;
37043 + if (fs == curuid)
37044 + break;
37045 + }
37046 + /* not in deny list */
37047 + if (i == num) {
37048 + realok = 1;
37049 + effectiveok = 1;
37050 + fsok = 1;
37051 + }
37052 + }
37053 +
37054 + if (realok && effectiveok && fsok)
37055 + return 0;
37056 + else {
37057 + gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
37058 + return 1;
37059 + }
37060 +}
37061 +
37062 +int
37063 +gr_check_group_change(int real, int effective, int fs)
37064 +{
37065 + unsigned int i;
37066 + __u16 num;
37067 + gid_t *gidlist;
37068 + int curgid;
37069 + int realok = 0;
37070 + int effectiveok = 0;
37071 + int fsok = 0;
37072 +
37073 + if (unlikely(!(gr_status & GR_READY)))
37074 + return 0;
37075 +
37076 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
37077 + gr_log_learn_id_change('g', real, effective, fs);
37078 +
37079 + num = current->acl->group_trans_num;
37080 + gidlist = current->acl->group_transitions;
37081 +
37082 + if (gidlist == NULL)
37083 + return 0;
37084 +
37085 + if (real == -1)
37086 + realok = 1;
37087 + if (effective == -1)
37088 + effectiveok = 1;
37089 + if (fs == -1)
37090 + fsok = 1;
37091 +
37092 + if (current->acl->group_trans_type & GR_ID_ALLOW) {
37093 + for (i = 0; i < num; i++) {
37094 + curgid = (int)gidlist[i];
37095 + if (real == curgid)
37096 + realok = 1;
37097 + if (effective == curgid)
37098 + effectiveok = 1;
37099 + if (fs == curgid)
37100 + fsok = 1;
37101 + }
37102 + } else if (current->acl->group_trans_type & GR_ID_DENY) {
37103 + for (i = 0; i < num; i++) {
37104 + curgid = (int)gidlist[i];
37105 + if (real == curgid)
37106 + break;
37107 + if (effective == curgid)
37108 + break;
37109 + if (fs == curgid)
37110 + break;
37111 + }
37112 + /* not in deny list */
37113 + if (i == num) {
37114 + realok = 1;
37115 + effectiveok = 1;
37116 + fsok = 1;
37117 + }
37118 + }
37119 +
37120 + if (realok && effectiveok && fsok)
37121 + return 0;
37122 + else {
37123 + gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
37124 + return 1;
37125 + }
37126 +}
37127 +
37128 +void
37129 +gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
37130 +{
37131 + struct acl_role_label *role = task->role;
37132 + struct acl_subject_label *subj = NULL;
37133 + struct acl_object_label *obj;
37134 + struct file *filp;
37135 +
37136 + if (unlikely(!(gr_status & GR_READY)))
37137 + return;
37138 +
37139 + filp = task->exec_file;
37140 +
37141 + /* kernel process, we'll give them the kernel role */
37142 + if (unlikely(!filp)) {
37143 + task->role = kernel_role;
37144 + task->acl = kernel_role->root_label;
37145 + return;
37146 + } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
37147 + role = lookup_acl_role_label(task, uid, gid);
37148 +
37149 + /* perform subject lookup in possibly new role
37150 + we can use this result below in the case where role == task->role
37151 + */
37152 + subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
37153 +
37154 + /* if we changed uid/gid, but result in the same role
37155 + and are using inheritance, don't lose the inherited subject
37156 + if current subject is other than what normal lookup
37157 + would result in, we arrived via inheritance, don't
37158 + lose subject
37159 + */
37160 + if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
37161 + (subj == task->acl)))
37162 + task->acl = subj;
37163 +
37164 + task->role = role;
37165 +
37166 + task->is_writable = 0;
37167 +
37168 + /* ignore additional mmap checks for processes that are writable
37169 + by the default ACL */
37170 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
37171 + if (unlikely(obj->mode & GR_WRITE))
37172 + task->is_writable = 1;
37173 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
37174 + if (unlikely(obj->mode & GR_WRITE))
37175 + task->is_writable = 1;
37176 +
37177 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
37178 + printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
37179 +#endif
37180 +
37181 + gr_set_proc_res(task);
37182 +
37183 + return;
37184 +}
37185 +
37186 +int
37187 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
37188 + const int unsafe_share)
37189 +{
37190 + struct task_struct *task = current;
37191 + struct acl_subject_label *newacl;
37192 + struct acl_object_label *obj;
37193 + __u32 retmode;
37194 +
37195 + if (unlikely(!(gr_status & GR_READY)))
37196 + return 0;
37197 +
37198 + newacl = chk_subj_label(dentry, mnt, task->role);
37199 +
37200 + task_lock(task);
37201 + if ((((task->ptrace & PT_PTRACED) || unsafe_share) &&
37202 + !(task->acl->mode & GR_POVERRIDE) && (task->acl != newacl) &&
37203 + !(task->role->roletype & GR_ROLE_GOD) &&
37204 + !gr_search_file(dentry, GR_PTRACERD, mnt) &&
37205 + !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN)))) {
37206 + task_unlock(task);
37207 + if (unsafe_share)
37208 + gr_log_fs_generic(GR_DONT_AUDIT, GR_UNSAFESHARE_EXEC_ACL_MSG, dentry, mnt);
37209 + else
37210 + gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
37211 + return -EACCES;
37212 + }
37213 + task_unlock(task);
37214 +
37215 + obj = chk_obj_label(dentry, mnt, task->acl);
37216 + retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
37217 +
37218 + if (!(task->acl->mode & GR_INHERITLEARN) &&
37219 + ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
37220 + if (obj->nested)
37221 + task->acl = obj->nested;
37222 + else
37223 + task->acl = newacl;
37224 + } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
37225 + gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
37226 +
37227 + task->is_writable = 0;
37228 +
37229 + /* ignore additional mmap checks for processes that are writable
37230 + by the default ACL */
37231 + obj = chk_obj_label(dentry, mnt, default_role->root_label);
37232 + if (unlikely(obj->mode & GR_WRITE))
37233 + task->is_writable = 1;
37234 + obj = chk_obj_label(dentry, mnt, task->role->root_label);
37235 + if (unlikely(obj->mode & GR_WRITE))
37236 + task->is_writable = 1;
37237 +
37238 + gr_set_proc_res(task);
37239 +
37240 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
37241 + printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
37242 +#endif
37243 + return 0;
37244 +}
37245 +
37246 +/* always called with valid inodev ptr */
37247 +static void
37248 +do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
37249 +{
37250 + struct acl_object_label *matchpo;
37251 + struct acl_subject_label *matchps;
37252 + struct acl_subject_label *subj;
37253 + struct acl_role_label *role;
37254 + unsigned int x;
37255 +
37256 + FOR_EACH_ROLE_START(role)
37257 + FOR_EACH_SUBJECT_START(role, subj, x)
37258 + if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
37259 + matchpo->mode |= GR_DELETED;
37260 + FOR_EACH_SUBJECT_END(subj,x)
37261 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
37262 + if (subj->inode == ino && subj->device == dev)
37263 + subj->mode |= GR_DELETED;
37264 + FOR_EACH_NESTED_SUBJECT_END(subj)
37265 + if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
37266 + matchps->mode |= GR_DELETED;
37267 + FOR_EACH_ROLE_END(role)
37268 +
37269 + inodev->nentry->deleted = 1;
37270 +
37271 + return;
37272 +}
37273 +
37274 +void
37275 +gr_handle_delete(const ino_t ino, const dev_t dev)
37276 +{
37277 + struct inodev_entry *inodev;
37278 +
37279 + if (unlikely(!(gr_status & GR_READY)))
37280 + return;
37281 +
37282 + write_lock(&gr_inode_lock);
37283 + inodev = lookup_inodev_entry(ino, dev);
37284 + if (inodev != NULL)
37285 + do_handle_delete(inodev, ino, dev);
37286 + write_unlock(&gr_inode_lock);
37287 +
37288 + return;
37289 +}
37290 +
37291 +static void
37292 +update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
37293 + const ino_t newinode, const dev_t newdevice,
37294 + struct acl_subject_label *subj)
37295 +{
37296 + unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
37297 + struct acl_object_label *match;
37298 +
37299 + match = subj->obj_hash[index];
37300 +
37301 + while (match && (match->inode != oldinode ||
37302 + match->device != olddevice ||
37303 + !(match->mode & GR_DELETED)))
37304 + match = match->next;
37305 +
37306 + if (match && (match->inode == oldinode)
37307 + && (match->device == olddevice)
37308 + && (match->mode & GR_DELETED)) {
37309 + if (match->prev == NULL) {
37310 + subj->obj_hash[index] = match->next;
37311 + if (match->next != NULL)
37312 + match->next->prev = NULL;
37313 + } else {
37314 + match->prev->next = match->next;
37315 + if (match->next != NULL)
37316 + match->next->prev = match->prev;
37317 + }
37318 + match->prev = NULL;
37319 + match->next = NULL;
37320 + match->inode = newinode;
37321 + match->device = newdevice;
37322 + match->mode &= ~GR_DELETED;
37323 +
37324 + insert_acl_obj_label(match, subj);
37325 + }
37326 +
37327 + return;
37328 +}
37329 +
37330 +static void
37331 +update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
37332 + const ino_t newinode, const dev_t newdevice,
37333 + struct acl_role_label *role)
37334 +{
37335 + unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
37336 + struct acl_subject_label *match;
37337 +
37338 + match = role->subj_hash[index];
37339 +
37340 + while (match && (match->inode != oldinode ||
37341 + match->device != olddevice ||
37342 + !(match->mode & GR_DELETED)))
37343 + match = match->next;
37344 +
37345 + if (match && (match->inode == oldinode)
37346 + && (match->device == olddevice)
37347 + && (match->mode & GR_DELETED)) {
37348 + if (match->prev == NULL) {
37349 + role->subj_hash[index] = match->next;
37350 + if (match->next != NULL)
37351 + match->next->prev = NULL;
37352 + } else {
37353 + match->prev->next = match->next;
37354 + if (match->next != NULL)
37355 + match->next->prev = match->prev;
37356 + }
37357 + match->prev = NULL;
37358 + match->next = NULL;
37359 + match->inode = newinode;
37360 + match->device = newdevice;
37361 + match->mode &= ~GR_DELETED;
37362 +
37363 + insert_acl_subj_label(match, role);
37364 + }
37365 +
37366 + return;
37367 +}
37368 +
37369 +static void
37370 +update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
37371 + const ino_t newinode, const dev_t newdevice)
37372 +{
37373 + unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
37374 + struct inodev_entry *match;
37375 +
37376 + match = inodev_set.i_hash[index];
37377 +
37378 + while (match && (match->nentry->inode != oldinode ||
37379 + match->nentry->device != olddevice || !match->nentry->deleted))
37380 + match = match->next;
37381 +
37382 + if (match && (match->nentry->inode == oldinode)
37383 + && (match->nentry->device == olddevice) &&
37384 + match->nentry->deleted) {
37385 + if (match->prev == NULL) {
37386 + inodev_set.i_hash[index] = match->next;
37387 + if (match->next != NULL)
37388 + match->next->prev = NULL;
37389 + } else {
37390 + match->prev->next = match->next;
37391 + if (match->next != NULL)
37392 + match->next->prev = match->prev;
37393 + }
37394 + match->prev = NULL;
37395 + match->next = NULL;
37396 + match->nentry->inode = newinode;
37397 + match->nentry->device = newdevice;
37398 + match->nentry->deleted = 0;
37399 +
37400 + insert_inodev_entry(match);
37401 + }
37402 +
37403 + return;
37404 +}
37405 +
37406 +static void
37407 +do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
37408 + const struct vfsmount *mnt)
37409 +{
37410 + struct acl_subject_label *subj;
37411 + struct acl_role_label *role;
37412 + unsigned int x;
37413 +
37414 + FOR_EACH_ROLE_START(role)
37415 + update_acl_subj_label(matchn->inode, matchn->device,
37416 + dentry->d_inode->i_ino,
37417 + dentry->d_inode->i_sb->s_dev, role);
37418 +
37419 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
37420 + if ((subj->inode == dentry->d_inode->i_ino) &&
37421 + (subj->device == dentry->d_inode->i_sb->s_dev)) {
37422 + subj->inode = dentry->d_inode->i_ino;
37423 + subj->device = dentry->d_inode->i_sb->s_dev;
37424 + }
37425 + FOR_EACH_NESTED_SUBJECT_END(subj)
37426 + FOR_EACH_SUBJECT_START(role, subj, x)
37427 + update_acl_obj_label(matchn->inode, matchn->device,
37428 + dentry->d_inode->i_ino,
37429 + dentry->d_inode->i_sb->s_dev, subj);
37430 + FOR_EACH_SUBJECT_END(subj,x)
37431 + FOR_EACH_ROLE_END(role)
37432 +
37433 + update_inodev_entry(matchn->inode, matchn->device,
37434 + dentry->d_inode->i_ino, dentry->d_inode->i_sb->s_dev);
37435 +
37436 + return;
37437 +}
37438 +
37439 +void
37440 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
37441 +{
37442 + struct name_entry *matchn;
37443 +
37444 + if (unlikely(!(gr_status & GR_READY)))
37445 + return;
37446 +
37447 + preempt_disable();
37448 + matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
37449 +
37450 + if (unlikely((unsigned long)matchn)) {
37451 + write_lock(&gr_inode_lock);
37452 + do_handle_create(matchn, dentry, mnt);
37453 + write_unlock(&gr_inode_lock);
37454 + }
37455 + preempt_enable();
37456 +
37457 + return;
37458 +}
37459 +
37460 +void
37461 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
37462 + struct dentry *old_dentry,
37463 + struct dentry *new_dentry,
37464 + struct vfsmount *mnt, const __u8 replace)
37465 +{
37466 + struct name_entry *matchn;
37467 + struct inodev_entry *inodev;
37468 +
37469 + /* vfs_rename swaps the name and parent link for old_dentry and
37470 + new_dentry
37471 + at this point, old_dentry has the new name, parent link, and inode
37472 + for the renamed file
37473 + if a file is being replaced by a rename, new_dentry has the inode
37474 + and name for the replaced file
37475 + */
37476 +
37477 + if (unlikely(!(gr_status & GR_READY)))
37478 + return;
37479 +
37480 + preempt_disable();
37481 + matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
37482 +
37483 + /* we wouldn't have to check d_inode if it weren't for
37484 + NFS silly-renaming
37485 + */
37486 +
37487 + write_lock(&gr_inode_lock);
37488 + if (unlikely(replace && new_dentry->d_inode)) {
37489 + inodev = lookup_inodev_entry(new_dentry->d_inode->i_ino,
37490 + new_dentry->d_inode->i_sb->s_dev);
37491 + if (inodev != NULL && (new_dentry->d_inode->i_nlink <= 1))
37492 + do_handle_delete(inodev, new_dentry->d_inode->i_ino,
37493 + new_dentry->d_inode->i_sb->s_dev);
37494 + }
37495 +
37496 + inodev = lookup_inodev_entry(old_dentry->d_inode->i_ino,
37497 + old_dentry->d_inode->i_sb->s_dev);
37498 + if (inodev != NULL && (old_dentry->d_inode->i_nlink <= 1))
37499 + do_handle_delete(inodev, old_dentry->d_inode->i_ino,
37500 + old_dentry->d_inode->i_sb->s_dev);
37501 +
37502 + if (unlikely((unsigned long)matchn))
37503 + do_handle_create(matchn, old_dentry, mnt);
37504 +
37505 + write_unlock(&gr_inode_lock);
37506 + preempt_enable();
37507 +
37508 + return;
37509 +}
37510 +
37511 +static int
37512 +lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
37513 + unsigned char **sum)
37514 +{
37515 + struct acl_role_label *r;
37516 + struct role_allowed_ip *ipp;
37517 + struct role_transition *trans;
37518 + unsigned int i;
37519 + int found = 0;
37520 + u32 curr_ip = current->signal->curr_ip;
37521 +
37522 + current->signal->saved_ip = curr_ip;
37523 +
37524 + /* check transition table */
37525 +
37526 + for (trans = current->role->transitions; trans; trans = trans->next) {
37527 + if (!strcmp(rolename, trans->rolename)) {
37528 + found = 1;
37529 + break;
37530 + }
37531 + }
37532 +
37533 + if (!found)
37534 + return 0;
37535 +
37536 + /* handle special roles that do not require authentication
37537 + and check ip */
37538 +
37539 + FOR_EACH_ROLE_START(r)
37540 + if (!strcmp(rolename, r->rolename) &&
37541 + (r->roletype & GR_ROLE_SPECIAL)) {
37542 + found = 0;
37543 + if (r->allowed_ips != NULL) {
37544 + for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
37545 + if ((ntohl(curr_ip) & ipp->netmask) ==
37546 + (ntohl(ipp->addr) & ipp->netmask))
37547 + found = 1;
37548 + }
37549 + } else
37550 + found = 2;
37551 + if (!found)
37552 + return 0;
37553 +
37554 + if (((mode == GR_SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
37555 + ((mode == GR_SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
37556 + *salt = NULL;
37557 + *sum = NULL;
37558 + return 1;
37559 + }
37560 + }
37561 + FOR_EACH_ROLE_END(r)
37562 +
37563 + for (i = 0; i < num_sprole_pws; i++) {
37564 + if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
37565 + *salt = acl_special_roles[i]->salt;
37566 + *sum = acl_special_roles[i]->sum;
37567 + return 1;
37568 + }
37569 + }
37570 +
37571 + return 0;
37572 +}
37573 +
37574 +static void
37575 +assign_special_role(char *rolename)
37576 +{
37577 + struct acl_object_label *obj;
37578 + struct acl_role_label *r;
37579 + struct acl_role_label *assigned = NULL;
37580 + struct task_struct *tsk;
37581 + struct file *filp;
37582 +
37583 + FOR_EACH_ROLE_START(r)
37584 + if (!strcmp(rolename, r->rolename) &&
37585 + (r->roletype & GR_ROLE_SPECIAL)) {
37586 + assigned = r;
37587 + break;
37588 + }
37589 + FOR_EACH_ROLE_END(r)
37590 +
37591 + if (!assigned)
37592 + return;
37593 +
37594 + read_lock(&tasklist_lock);
37595 + read_lock(&grsec_exec_file_lock);
37596 +
37597 + tsk = current->real_parent;
37598 + if (tsk == NULL)
37599 + goto out_unlock;
37600 +
37601 + filp = tsk->exec_file;
37602 + if (filp == NULL)
37603 + goto out_unlock;
37604 +
37605 + tsk->is_writable = 0;
37606 +
37607 + tsk->acl_sp_role = 1;
37608 + tsk->acl_role_id = ++acl_sp_role_value;
37609 + tsk->role = assigned;
37610 + tsk->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role);
37611 +
37612 + /* ignore additional mmap checks for processes that are writable
37613 + by the default ACL */
37614 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
37615 + if (unlikely(obj->mode & GR_WRITE))
37616 + tsk->is_writable = 1;
37617 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role->root_label);
37618 + if (unlikely(obj->mode & GR_WRITE))
37619 + tsk->is_writable = 1;
37620 +
37621 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
37622 + printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
37623 +#endif
37624 +
37625 +out_unlock:
37626 + read_unlock(&grsec_exec_file_lock);
37627 + read_unlock(&tasklist_lock);
37628 + return;
37629 +}
37630 +
37631 +int gr_check_secure_terminal(struct task_struct *task)
37632 +{
37633 + struct task_struct *p, *p2, *p3;
37634 + struct files_struct *files;
37635 + struct fdtable *fdt;
37636 + struct file *our_file = NULL, *file;
37637 + int i;
37638 +
37639 + if (task->signal->tty == NULL)
37640 + return 1;
37641 +
37642 + files = get_files_struct(task);
37643 + if (files != NULL) {
37644 + rcu_read_lock();
37645 + fdt = files_fdtable(files);
37646 + for (i=0; i < fdt->max_fds; i++) {
37647 + file = fcheck_files(files, i);
37648 + if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
37649 + get_file(file);
37650 + our_file = file;
37651 + }
37652 + }
37653 + rcu_read_unlock();
37654 + put_files_struct(files);
37655 + }
37656 +
37657 + if (our_file == NULL)
37658 + return 1;
37659 +
37660 + read_lock(&tasklist_lock);
37661 + do_each_thread(p2, p) {
37662 + files = get_files_struct(p);
37663 + if (files == NULL ||
37664 + (p->signal && p->signal->tty == task->signal->tty)) {
37665 + if (files != NULL)
37666 + put_files_struct(files);
37667 + continue;
37668 + }
37669 + rcu_read_lock();
37670 + fdt = files_fdtable(files);
37671 + for (i=0; i < fdt->max_fds; i++) {
37672 + file = fcheck_files(files, i);
37673 + if (file && S_ISCHR(file->f_path.dentry->d_inode->i_mode) &&
37674 + file->f_path.dentry->d_inode->i_rdev == our_file->f_path.dentry->d_inode->i_rdev) {
37675 + p3 = task;
37676 + while (p3->pid > 0) {
37677 + if (p3 == p)
37678 + break;
37679 + p3 = p3->real_parent;
37680 + }
37681 + if (p3 == p)
37682 + break;
37683 + gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
37684 + gr_handle_alertkill(p);
37685 + rcu_read_unlock();
37686 + put_files_struct(files);
37687 + read_unlock(&tasklist_lock);
37688 + fput(our_file);
37689 + return 0;
37690 + }
37691 + }
37692 + rcu_read_unlock();
37693 + put_files_struct(files);
37694 + } while_each_thread(p2, p);
37695 + read_unlock(&tasklist_lock);
37696 +
37697 + fput(our_file);
37698 + return 1;
37699 +}
37700 +
37701 +ssize_t
37702 +write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
37703 +{
37704 + struct gr_arg_wrapper uwrap;
37705 + unsigned char *sprole_salt = NULL;
37706 + unsigned char *sprole_sum = NULL;
37707 + int error = sizeof (struct gr_arg_wrapper);
37708 + int error2 = 0;
37709 +
37710 + mutex_lock(&gr_dev_mutex);
37711 +
37712 + if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
37713 + error = -EPERM;
37714 + goto out;
37715 + }
37716 +
37717 + if (count != sizeof (struct gr_arg_wrapper)) {
37718 + gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
37719 + error = -EINVAL;
37720 + goto out;
37721 + }
37722 +
37723 +
37724 + if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
37725 + gr_auth_expires = 0;
37726 + gr_auth_attempts = 0;
37727 + }
37728 +
37729 + if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
37730 + error = -EFAULT;
37731 + goto out;
37732 + }
37733 +
37734 + if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
37735 + error = -EINVAL;
37736 + goto out;
37737 + }
37738 +
37739 + if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
37740 + error = -EFAULT;
37741 + goto out;
37742 + }
37743 +
37744 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
37745 + gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
37746 + time_after(gr_auth_expires, get_seconds())) {
37747 + error = -EBUSY;
37748 + goto out;
37749 + }
37750 +
37751 + /* if non-root trying to do anything other than use a special role,
37752 + do not attempt authentication, do not count towards authentication
37753 + locking
37754 + */
37755 +
37756 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
37757 + gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
37758 + current_uid()) {
37759 + error = -EPERM;
37760 + goto out;
37761 + }
37762 +
37763 + /* ensure pw and special role name are null terminated */
37764 +
37765 + gr_usermode->pw[GR_PW_LEN - 1] = '\0';
37766 + gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
37767 +
37768 + /* Okay.
37769 + * We have our enough of the argument structure..(we have yet
37770 + * to copy_from_user the tables themselves) . Copy the tables
37771 + * only if we need them, i.e. for loading operations. */
37772 +
37773 + switch (gr_usermode->mode) {
37774 + case GR_STATUS:
37775 + if (gr_status & GR_READY) {
37776 + error = 1;
37777 + if (!gr_check_secure_terminal(current))
37778 + error = 3;
37779 + } else
37780 + error = 2;
37781 + goto out;
37782 + case GR_SHUTDOWN:
37783 + if ((gr_status & GR_READY)
37784 + && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
37785 + pax_open_kernel();
37786 + gr_status &= ~GR_READY;
37787 + pax_close_kernel();
37788 +
37789 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
37790 + free_variables();
37791 + memset(gr_usermode, 0, sizeof (struct gr_arg));
37792 + memset(gr_system_salt, 0, GR_SALT_LEN);
37793 + memset(gr_system_sum, 0, GR_SHA_LEN);
37794 + } else if (gr_status & GR_READY) {
37795 + gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
37796 + error = -EPERM;
37797 + } else {
37798 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
37799 + error = -EAGAIN;
37800 + }
37801 + break;
37802 + case GR_ENABLE:
37803 + if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
37804 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
37805 + else {
37806 + if (gr_status & GR_READY)
37807 + error = -EAGAIN;
37808 + else
37809 + error = error2;
37810 + gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
37811 + }
37812 + break;
37813 + case GR_RELOAD:
37814 + if (!(gr_status & GR_READY)) {
37815 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
37816 + error = -EAGAIN;
37817 + } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
37818 + lock_kernel();
37819 +
37820 + pax_open_kernel();
37821 + gr_status &= ~GR_READY;
37822 + pax_close_kernel();
37823 +
37824 + free_variables();
37825 + if (!(error2 = gracl_init(gr_usermode))) {
37826 + unlock_kernel();
37827 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
37828 + } else {
37829 + unlock_kernel();
37830 + error = error2;
37831 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
37832 + }
37833 + } else {
37834 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
37835 + error = -EPERM;
37836 + }
37837 + break;
37838 + case GR_SEGVMOD:
37839 + if (unlikely(!(gr_status & GR_READY))) {
37840 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
37841 + error = -EAGAIN;
37842 + break;
37843 + }
37844 +
37845 + if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
37846 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
37847 + if (gr_usermode->segv_device && gr_usermode->segv_inode) {
37848 + struct acl_subject_label *segvacl;
37849 + segvacl =
37850 + lookup_acl_subj_label(gr_usermode->segv_inode,
37851 + gr_usermode->segv_device,
37852 + current->role);
37853 + if (segvacl) {
37854 + segvacl->crashes = 0;
37855 + segvacl->expires = 0;
37856 + }
37857 + } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
37858 + gr_remove_uid(gr_usermode->segv_uid);
37859 + }
37860 + } else {
37861 + gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
37862 + error = -EPERM;
37863 + }
37864 + break;
37865 + case GR_SPROLE:
37866 + case GR_SPROLEPAM:
37867 + if (unlikely(!(gr_status & GR_READY))) {
37868 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
37869 + error = -EAGAIN;
37870 + break;
37871 + }
37872 +
37873 + if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
37874 + current->role->expires = 0;
37875 + current->role->auth_attempts = 0;
37876 + }
37877 +
37878 + if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
37879 + time_after(current->role->expires, get_seconds())) {
37880 + error = -EBUSY;
37881 + goto out;
37882 + }
37883 +
37884 + if (lookup_special_role_auth
37885 + (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
37886 + && ((!sprole_salt && !sprole_sum)
37887 + || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
37888 + char *p = "";
37889 + assign_special_role(gr_usermode->sp_role);
37890 + read_lock(&tasklist_lock);
37891 + if (current->real_parent)
37892 + p = current->real_parent->role->rolename;
37893 + read_unlock(&tasklist_lock);
37894 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
37895 + p, acl_sp_role_value);
37896 + } else {
37897 + gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
37898 + error = -EPERM;
37899 + if(!(current->role->auth_attempts++))
37900 + current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
37901 +
37902 + goto out;
37903 + }
37904 + break;
37905 + case GR_UNSPROLE:
37906 + if (unlikely(!(gr_status & GR_READY))) {
37907 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
37908 + error = -EAGAIN;
37909 + break;
37910 + }
37911 +
37912 + if (current->role->roletype & GR_ROLE_SPECIAL) {
37913 + char *p = "";
37914 + int i = 0;
37915 +
37916 + read_lock(&tasklist_lock);
37917 + if (current->real_parent) {
37918 + p = current->real_parent->role->rolename;
37919 + i = current->real_parent->acl_role_id;
37920 + }
37921 + read_unlock(&tasklist_lock);
37922 +
37923 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
37924 + gr_set_acls(1);
37925 + } else {
37926 + error = -EPERM;
37927 + goto out;
37928 + }
37929 + break;
37930 + default:
37931 + gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
37932 + error = -EINVAL;
37933 + break;
37934 + }
37935 +
37936 + if (error != -EPERM)
37937 + goto out;
37938 +
37939 + if(!(gr_auth_attempts++))
37940 + gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
37941 +
37942 + out:
37943 + mutex_unlock(&gr_dev_mutex);
37944 + return error;
37945 +}
37946 +
37947 +int
37948 +gr_set_acls(const int type)
37949 +{
37950 + struct acl_object_label *obj;
37951 + struct task_struct *task, *task2;
37952 + struct file *filp;
37953 + struct acl_role_label *role = current->role;
37954 + __u16 acl_role_id = current->acl_role_id;
37955 + const struct cred *cred;
37956 + char *tmpname;
37957 + struct name_entry *nmatch;
37958 + struct acl_subject_label *tmpsubj;
37959 +
37960 + rcu_read_lock();
37961 + read_lock(&tasklist_lock);
37962 + read_lock(&grsec_exec_file_lock);
37963 + do_each_thread(task2, task) {
37964 + /* check to see if we're called from the exit handler,
37965 + if so, only replace ACLs that have inherited the admin
37966 + ACL */
37967 +
37968 + if (type && (task->role != role ||
37969 + task->acl_role_id != acl_role_id))
37970 + continue;
37971 +
37972 + task->acl_role_id = 0;
37973 + task->acl_sp_role = 0;
37974 +
37975 + if ((filp = task->exec_file)) {
37976 + cred = __task_cred(task);
37977 + task->role = lookup_acl_role_label(task, cred->uid, cred->gid);
37978 +
37979 + /* the following is to apply the correct subject
37980 + on binaries running when the RBAC system
37981 + is enabled, when the binaries have been
37982 + replaced or deleted since their execution
37983 + -----
37984 + when the RBAC system starts, the inode/dev
37985 + from exec_file will be one the RBAC system
37986 + is unaware of. It only knows the inode/dev
37987 + of the present file on disk, or the absence
37988 + of it.
37989 + */
37990 + preempt_disable();
37991 + tmpname = gr_to_filename_rbac(filp->f_path.dentry, filp->f_path.mnt);
37992 +
37993 + nmatch = lookup_name_entry(tmpname);
37994 + preempt_enable();
37995 + tmpsubj = NULL;
37996 + if (nmatch) {
37997 + if (nmatch->deleted)
37998 + tmpsubj = lookup_acl_subj_label_deleted(nmatch->inode, nmatch->device, task->role);
37999 + else
38000 + tmpsubj = lookup_acl_subj_label(nmatch->inode, nmatch->device, task->role);
38001 + if (tmpsubj != NULL)
38002 + task->acl = tmpsubj;
38003 + }
38004 + if (tmpsubj == NULL)
38005 + task->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt,
38006 + task->role);
38007 + if (task->acl) {
38008 + struct acl_subject_label *curr;
38009 + curr = task->acl;
38010 +
38011 + task->is_writable = 0;
38012 + /* ignore additional mmap checks for processes that are writable
38013 + by the default ACL */
38014 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
38015 + if (unlikely(obj->mode & GR_WRITE))
38016 + task->is_writable = 1;
38017 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
38018 + if (unlikely(obj->mode & GR_WRITE))
38019 + task->is_writable = 1;
38020 +
38021 + gr_set_proc_res(task);
38022 +
38023 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
38024 + printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
38025 +#endif
38026 + } else {
38027 + read_unlock(&grsec_exec_file_lock);
38028 + read_unlock(&tasklist_lock);
38029 + rcu_read_unlock();
38030 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
38031 + return 1;
38032 + }
38033 + } else {
38034 + // it's a kernel process
38035 + task->role = kernel_role;
38036 + task->acl = kernel_role->root_label;
38037 +#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
38038 + task->acl->mode &= ~GR_PROCFIND;
38039 +#endif
38040 + }
38041 + } while_each_thread(task2, task);
38042 + read_unlock(&grsec_exec_file_lock);
38043 + read_unlock(&tasklist_lock);
38044 + rcu_read_unlock();
38045 +
38046 + return 0;
38047 +}
38048 +
38049 +void
38050 +gr_learn_resource(const struct task_struct *task,
38051 + const int res, const unsigned long wanted, const int gt)
38052 +{
38053 + struct acl_subject_label *acl;
38054 + const struct cred *cred;
38055 +
38056 + if (unlikely((gr_status & GR_READY) &&
38057 + task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
38058 + goto skip_reslog;
38059 +
38060 +#ifdef CONFIG_GRKERNSEC_RESLOG
38061 + gr_log_resource(task, res, wanted, gt);
38062 +#endif
38063 + skip_reslog:
38064 +
38065 + if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS))
38066 + return;
38067 +
38068 + acl = task->acl;
38069 +
38070 + if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
38071 + !(acl->resmask & (1 << (unsigned short) res))))
38072 + return;
38073 +
38074 + if (wanted >= acl->res[res].rlim_cur) {
38075 + unsigned long res_add;
38076 +
38077 + res_add = wanted;
38078 + switch (res) {
38079 + case RLIMIT_CPU:
38080 + res_add += GR_RLIM_CPU_BUMP;
38081 + break;
38082 + case RLIMIT_FSIZE:
38083 + res_add += GR_RLIM_FSIZE_BUMP;
38084 + break;
38085 + case RLIMIT_DATA:
38086 + res_add += GR_RLIM_DATA_BUMP;
38087 + break;
38088 + case RLIMIT_STACK:
38089 + res_add += GR_RLIM_STACK_BUMP;
38090 + break;
38091 + case RLIMIT_CORE:
38092 + res_add += GR_RLIM_CORE_BUMP;
38093 + break;
38094 + case RLIMIT_RSS:
38095 + res_add += GR_RLIM_RSS_BUMP;
38096 + break;
38097 + case RLIMIT_NPROC:
38098 + res_add += GR_RLIM_NPROC_BUMP;
38099 + break;
38100 + case RLIMIT_NOFILE:
38101 + res_add += GR_RLIM_NOFILE_BUMP;
38102 + break;
38103 + case RLIMIT_MEMLOCK:
38104 + res_add += GR_RLIM_MEMLOCK_BUMP;
38105 + break;
38106 + case RLIMIT_AS:
38107 + res_add += GR_RLIM_AS_BUMP;
38108 + break;
38109 + case RLIMIT_LOCKS:
38110 + res_add += GR_RLIM_LOCKS_BUMP;
38111 + break;
38112 + case RLIMIT_SIGPENDING:
38113 + res_add += GR_RLIM_SIGPENDING_BUMP;
38114 + break;
38115 + case RLIMIT_MSGQUEUE:
38116 + res_add += GR_RLIM_MSGQUEUE_BUMP;
38117 + break;
38118 + case RLIMIT_NICE:
38119 + res_add += GR_RLIM_NICE_BUMP;
38120 + break;
38121 + case RLIMIT_RTPRIO:
38122 + res_add += GR_RLIM_RTPRIO_BUMP;
38123 + break;
38124 + case RLIMIT_RTTIME:
38125 + res_add += GR_RLIM_RTTIME_BUMP;
38126 + break;
38127 + }
38128 +
38129 + acl->res[res].rlim_cur = res_add;
38130 +
38131 + if (wanted > acl->res[res].rlim_max)
38132 + acl->res[res].rlim_max = res_add;
38133 +
38134 + /* only log the subject filename, since resource logging is supported for
38135 + single-subject learning only */
38136 + rcu_read_lock();
38137 + cred = __task_cred(task);
38138 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
38139 + task->role->roletype, cred->uid, cred->gid, acl->filename,
38140 + acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max,
38141 + "", (unsigned long) res, &task->signal->saved_ip);
38142 + rcu_read_unlock();
38143 + }
38144 +
38145 + return;
38146 +}
38147 +
38148 +#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR))
38149 +void
38150 +pax_set_initial_flags(struct linux_binprm *bprm)
38151 +{
38152 + struct task_struct *task = current;
38153 + struct acl_subject_label *proc;
38154 + unsigned long flags;
38155 +
38156 + if (unlikely(!(gr_status & GR_READY)))
38157 + return;
38158 +
38159 + flags = pax_get_flags(task);
38160 +
38161 + proc = task->acl;
38162 +
38163 + if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
38164 + flags &= ~MF_PAX_PAGEEXEC;
38165 + if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
38166 + flags &= ~MF_PAX_SEGMEXEC;
38167 + if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
38168 + flags &= ~MF_PAX_RANDMMAP;
38169 + if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
38170 + flags &= ~MF_PAX_EMUTRAMP;
38171 + if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
38172 + flags &= ~MF_PAX_MPROTECT;
38173 +
38174 + if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
38175 + flags |= MF_PAX_PAGEEXEC;
38176 + if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
38177 + flags |= MF_PAX_SEGMEXEC;
38178 + if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
38179 + flags |= MF_PAX_RANDMMAP;
38180 + if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
38181 + flags |= MF_PAX_EMUTRAMP;
38182 + if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
38183 + flags |= MF_PAX_MPROTECT;
38184 +
38185 + pax_set_flags(task, flags);
38186 +
38187 + return;
38188 +}
38189 +#endif
38190 +
38191 +#ifdef CONFIG_SYSCTL
38192 +/* Eric Biederman likes breaking userland ABI and every inode-based security
38193 + system to save 35kb of memory */
38194 +
38195 +/* we modify the passed in filename, but adjust it back before returning */
38196 +static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
38197 +{
38198 + struct name_entry *nmatch;
38199 + char *p, *lastp = NULL;
38200 + struct acl_object_label *obj = NULL, *tmp;
38201 + struct acl_subject_label *tmpsubj;
38202 + char c = '\0';
38203 +
38204 + read_lock(&gr_inode_lock);
38205 +
38206 + p = name + len - 1;
38207 + do {
38208 + nmatch = lookup_name_entry(name);
38209 + if (lastp != NULL)
38210 + *lastp = c;
38211 +
38212 + if (nmatch == NULL)
38213 + goto next_component;
38214 + tmpsubj = current->acl;
38215 + do {
38216 + obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
38217 + if (obj != NULL) {
38218 + tmp = obj->globbed;
38219 + while (tmp) {
38220 + if (!glob_match(tmp->filename, name)) {
38221 + obj = tmp;
38222 + goto found_obj;
38223 + }
38224 + tmp = tmp->next;
38225 + }
38226 + goto found_obj;
38227 + }
38228 + } while ((tmpsubj = tmpsubj->parent_subject));
38229 +next_component:
38230 + /* end case */
38231 + if (p == name)
38232 + break;
38233 +
38234 + while (*p != '/')
38235 + p--;
38236 + if (p == name)
38237 + lastp = p + 1;
38238 + else {
38239 + lastp = p;
38240 + p--;
38241 + }
38242 + c = *lastp;
38243 + *lastp = '\0';
38244 + } while (1);
38245 +found_obj:
38246 + read_unlock(&gr_inode_lock);
38247 + /* obj returned will always be non-null */
38248 + return obj;
38249 +}
38250 +
38251 +/* returns 0 when allowing, non-zero on error
38252 + op of 0 is used for readdir, so we don't log the names of hidden files
38253 +*/
38254 +__u32
38255 +gr_handle_sysctl(const struct ctl_table *table, const int op)
38256 +{
38257 + struct ctl_table *tmp;
38258 + const char *proc_sys = "/proc/sys";
38259 + char *path;
38260 + struct acl_object_label *obj;
38261 + unsigned short len = 0, pos = 0, depth = 0, i;
38262 + __u32 err = 0;
38263 + __u32 mode = 0;
38264 +
38265 + if (unlikely(!(gr_status & GR_READY)))
38266 + return 0;
38267 +
38268 + /* for now, ignore operations on non-sysctl entries if it's not a
38269 + readdir*/
38270 + if (table->child != NULL && op != 0)
38271 + return 0;
38272 +
38273 + mode |= GR_FIND;
38274 + /* it's only a read if it's an entry, read on dirs is for readdir */
38275 + if (op & MAY_READ)
38276 + mode |= GR_READ;
38277 + if (op & MAY_WRITE)
38278 + mode |= GR_WRITE;
38279 +
38280 + preempt_disable();
38281 +
38282 + path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
38283 +
38284 + /* it's only a read/write if it's an actual entry, not a dir
38285 + (which are opened for readdir)
38286 + */
38287 +
38288 + /* convert the requested sysctl entry into a pathname */
38289 +
38290 + for (tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
38291 + len += strlen(tmp->procname);
38292 + len++;
38293 + depth++;
38294 + }
38295 +
38296 + if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
38297 + /* deny */
38298 + goto out;
38299 + }
38300 +
38301 + memset(path, 0, PAGE_SIZE);
38302 +
38303 + memcpy(path, proc_sys, strlen(proc_sys));
38304 +
38305 + pos += strlen(proc_sys);
38306 +
38307 + for (; depth > 0; depth--) {
38308 + path[pos] = '/';
38309 + pos++;
38310 + for (i = 1, tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
38311 + if (depth == i) {
38312 + memcpy(path + pos, tmp->procname,
38313 + strlen(tmp->procname));
38314 + pos += strlen(tmp->procname);
38315 + }
38316 + i++;
38317 + }
38318 + }
38319 +
38320 + obj = gr_lookup_by_name(path, pos);
38321 + err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
38322 +
38323 + if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
38324 + ((err & mode) != mode))) {
38325 + __u32 new_mode = mode;
38326 +
38327 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
38328 +
38329 + err = 0;
38330 + gr_log_learn_sysctl(path, new_mode);
38331 + } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
38332 + gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
38333 + err = -ENOENT;
38334 + } else if (!(err & GR_FIND)) {
38335 + err = -ENOENT;
38336 + } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
38337 + gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
38338 + path, (mode & GR_READ) ? " reading" : "",
38339 + (mode & GR_WRITE) ? " writing" : "");
38340 + err = -EACCES;
38341 + } else if ((err & mode) != mode) {
38342 + err = -EACCES;
38343 + } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
38344 + gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
38345 + path, (mode & GR_READ) ? " reading" : "",
38346 + (mode & GR_WRITE) ? " writing" : "");
38347 + err = 0;
38348 + } else
38349 + err = 0;
38350 +
38351 + out:
38352 + preempt_enable();
38353 +
38354 + return err;
38355 +}
38356 +#endif
38357 +
38358 +int
38359 +gr_handle_proc_ptrace(struct task_struct *task)
38360 +{
38361 + struct file *filp;
38362 + struct task_struct *tmp = task;
38363 + struct task_struct *curtemp = current;
38364 + __u32 retmode;
38365 +
38366 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
38367 + if (unlikely(!(gr_status & GR_READY)))
38368 + return 0;
38369 +#endif
38370 +
38371 + read_lock(&tasklist_lock);
38372 + read_lock(&grsec_exec_file_lock);
38373 + filp = task->exec_file;
38374 +
38375 + while (tmp->pid > 0) {
38376 + if (tmp == curtemp)
38377 + break;
38378 + tmp = tmp->real_parent;
38379 + }
38380 +
38381 + if (!filp || (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
38382 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE))))) {
38383 + read_unlock(&grsec_exec_file_lock);
38384 + read_unlock(&tasklist_lock);
38385 + return 1;
38386 + }
38387 +
38388 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
38389 + if (!(gr_status & GR_READY)) {
38390 + read_unlock(&grsec_exec_file_lock);
38391 + read_unlock(&tasklist_lock);
38392 + return 0;
38393 + }
38394 +#endif
38395 +
38396 + retmode = gr_search_file(filp->f_path.dentry, GR_NOPTRACE, filp->f_path.mnt);
38397 + read_unlock(&grsec_exec_file_lock);
38398 + read_unlock(&tasklist_lock);
38399 +
38400 + if (retmode & GR_NOPTRACE)
38401 + return 1;
38402 +
38403 + if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
38404 + && (current->acl != task->acl || (current->acl != current->role->root_label
38405 + && current->pid != task->pid)))
38406 + return 1;
38407 +
38408 + return 0;
38409 +}
38410 +
38411 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p)
38412 +{
38413 + if (unlikely(!(gr_status & GR_READY)))
38414 + return;
38415 +
38416 + if (!(current->role->roletype & GR_ROLE_GOD))
38417 + return;
38418 +
38419 + seq_printf(m, "RBAC:\t%.64s:%c:%.950s\n",
38420 + p->role->rolename, gr_task_roletype_to_char(p),
38421 + p->acl->filename);
38422 +}
38423 +
38424 +int
38425 +gr_handle_ptrace(struct task_struct *task, const long request)
38426 +{
38427 + struct task_struct *tmp = task;
38428 + struct task_struct *curtemp = current;
38429 + __u32 retmode;
38430 +
38431 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
38432 + if (unlikely(!(gr_status & GR_READY)))
38433 + return 0;
38434 +#endif
38435 +
38436 + read_lock(&tasklist_lock);
38437 + while (tmp->pid > 0) {
38438 + if (tmp == curtemp)
38439 + break;
38440 + tmp = tmp->real_parent;
38441 + }
38442 +
38443 + if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
38444 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) {
38445 + read_unlock(&tasklist_lock);
38446 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
38447 + return 1;
38448 + }
38449 + read_unlock(&tasklist_lock);
38450 +
38451 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
38452 + if (!(gr_status & GR_READY))
38453 + return 0;
38454 +#endif
38455 +
38456 + read_lock(&grsec_exec_file_lock);
38457 + if (unlikely(!task->exec_file)) {
38458 + read_unlock(&grsec_exec_file_lock);
38459 + return 0;
38460 + }
38461 +
38462 + retmode = gr_search_file(task->exec_file->f_path.dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_path.mnt);
38463 + read_unlock(&grsec_exec_file_lock);
38464 +
38465 + if (retmode & GR_NOPTRACE) {
38466 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
38467 + return 1;
38468 + }
38469 +
38470 + if (retmode & GR_PTRACERD) {
38471 + switch (request) {
38472 + case PTRACE_POKETEXT:
38473 + case PTRACE_POKEDATA:
38474 + case PTRACE_POKEUSR:
38475 +#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
38476 + case PTRACE_SETREGS:
38477 + case PTRACE_SETFPREGS:
38478 +#endif
38479 +#ifdef CONFIG_X86
38480 + case PTRACE_SETFPXREGS:
38481 +#endif
38482 +#ifdef CONFIG_ALTIVEC
38483 + case PTRACE_SETVRREGS:
38484 +#endif
38485 + return 1;
38486 + default:
38487 + return 0;
38488 + }
38489 + } else if (!(current->acl->mode & GR_POVERRIDE) &&
38490 + !(current->role->roletype & GR_ROLE_GOD) &&
38491 + (current->acl != task->acl)) {
38492 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
38493 + return 1;
38494 + }
38495 +
38496 + return 0;
38497 +}
38498 +
38499 +static int is_writable_mmap(const struct file *filp)
38500 +{
38501 + struct task_struct *task = current;
38502 + struct acl_object_label *obj, *obj2;
38503 +
38504 + if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
38505 + !task->is_writable && S_ISREG(filp->f_path.dentry->d_inode->i_mode) && filp->f_path.mnt != shm_mnt) {
38506 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
38507 + obj2 = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt,
38508 + task->role->root_label);
38509 + if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
38510 + gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_path.dentry, filp->f_path.mnt);
38511 + return 1;
38512 + }
38513 + }
38514 + return 0;
38515 +}
38516 +
38517 +int
38518 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
38519 +{
38520 + __u32 mode;
38521 +
38522 + if (unlikely(!file || !(prot & PROT_EXEC)))
38523 + return 1;
38524 +
38525 + if (is_writable_mmap(file))
38526 + return 0;
38527 +
38528 + mode =
38529 + gr_search_file(file->f_path.dentry,
38530 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
38531 + file->f_path.mnt);
38532 +
38533 + if (!gr_tpe_allow(file))
38534 + return 0;
38535 +
38536 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
38537 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
38538 + return 0;
38539 + } else if (unlikely(!(mode & GR_EXEC))) {
38540 + return 0;
38541 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
38542 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
38543 + return 1;
38544 + }
38545 +
38546 + return 1;
38547 +}
38548 +
38549 +int
38550 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
38551 +{
38552 + __u32 mode;
38553 +
38554 + if (unlikely(!file || !(prot & PROT_EXEC)))
38555 + return 1;
38556 +
38557 + if (is_writable_mmap(file))
38558 + return 0;
38559 +
38560 + mode =
38561 + gr_search_file(file->f_path.dentry,
38562 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
38563 + file->f_path.mnt);
38564 +
38565 + if (!gr_tpe_allow(file))
38566 + return 0;
38567 +
38568 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
38569 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
38570 + return 0;
38571 + } else if (unlikely(!(mode & GR_EXEC))) {
38572 + return 0;
38573 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
38574 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
38575 + return 1;
38576 + }
38577 +
38578 + return 1;
38579 +}
38580 +
38581 +void
38582 +gr_acl_handle_psacct(struct task_struct *task, const long code)
38583 +{
38584 + unsigned long runtime;
38585 + unsigned long cputime;
38586 + unsigned int wday, cday;
38587 + __u8 whr, chr;
38588 + __u8 wmin, cmin;
38589 + __u8 wsec, csec;
38590 + struct timespec timeval;
38591 +
38592 + if (unlikely(!(gr_status & GR_READY) || !task->acl ||
38593 + !(task->acl->mode & GR_PROCACCT)))
38594 + return;
38595 +
38596 + do_posix_clock_monotonic_gettime(&timeval);
38597 + runtime = timeval.tv_sec - task->start_time.tv_sec;
38598 + wday = runtime / (3600 * 24);
38599 + runtime -= wday * (3600 * 24);
38600 + whr = runtime / 3600;
38601 + runtime -= whr * 3600;
38602 + wmin = runtime / 60;
38603 + runtime -= wmin * 60;
38604 + wsec = runtime;
38605 +
38606 + cputime = (task->utime + task->stime) / HZ;
38607 + cday = cputime / (3600 * 24);
38608 + cputime -= cday * (3600 * 24);
38609 + chr = cputime / 3600;
38610 + cputime -= chr * 3600;
38611 + cmin = cputime / 60;
38612 + cputime -= cmin * 60;
38613 + csec = cputime;
38614 +
38615 + gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
38616 +
38617 + return;
38618 +}
38619 +
38620 +void gr_set_kernel_label(struct task_struct *task)
38621 +{
38622 + if (gr_status & GR_READY) {
38623 + task->role = kernel_role;
38624 + task->acl = kernel_role->root_label;
38625 + }
38626 + return;
38627 +}
38628 +
38629 +#ifdef CONFIG_TASKSTATS
38630 +int gr_is_taskstats_denied(int pid)
38631 +{
38632 + struct task_struct *task;
38633 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
38634 + const struct cred *cred;
38635 +#endif
38636 + int ret = 0;
38637 +
38638 + /* restrict taskstats viewing to un-chrooted root users
38639 + who have the 'view' subject flag if the RBAC system is enabled
38640 + */
38641 +
38642 + rcu_read_lock();
38643 + read_lock(&tasklist_lock);
38644 + task = find_task_by_vpid(pid);
38645 + if (task) {
38646 +#ifdef CONFIG_GRKERNSEC_CHROOT
38647 + if (proc_is_chrooted(task))
38648 + ret = -EACCES;
38649 +#endif
38650 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
38651 + cred = __task_cred(task);
38652 +#ifdef CONFIG_GRKERNSEC_PROC_USER
38653 + if (cred->uid != 0)
38654 + ret = -EACCES;
38655 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
38656 + if (cred->uid != 0 && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
38657 + ret = -EACCES;
38658 +#endif
38659 +#endif
38660 + if (gr_status & GR_READY) {
38661 + if (!(task->acl->mode & GR_VIEW))
38662 + ret = -EACCES;
38663 + }
38664 + } else
38665 + ret = -ENOENT;
38666 +
38667 + read_unlock(&tasklist_lock);
38668 + rcu_read_unlock();
38669 +
38670 + return ret;
38671 +}
38672 +#endif
38673 +
38674 +/* AUXV entries are filled via a descendant of search_binary_handler
38675 + after we've already applied the subject for the target
38676 +*/
38677 +int gr_acl_enable_at_secure(void)
38678 +{
38679 + if (unlikely(!(gr_status & GR_READY)))
38680 + return 0;
38681 +
38682 + if (current->acl->mode & GR_ATSECURE)
38683 + return 1;
38684 +
38685 + return 0;
38686 +}
38687 +
38688 +int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
38689 +{
38690 + struct task_struct *task = current;
38691 + struct dentry *dentry = file->f_path.dentry;
38692 + struct vfsmount *mnt = file->f_path.mnt;
38693 + struct acl_object_label *obj, *tmp;
38694 + struct acl_subject_label *subj;
38695 + unsigned int bufsize;
38696 + int is_not_root;
38697 + char *path;
38698 +
38699 + if (unlikely(!(gr_status & GR_READY)))
38700 + return 1;
38701 +
38702 + if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
38703 + return 1;
38704 +
38705 + /* ignore Eric Biederman */
38706 + if (IS_PRIVATE(dentry->d_inode))
38707 + return 1;
38708 +
38709 + subj = task->acl;
38710 + do {
38711 + obj = lookup_acl_obj_label(ino, dentry->d_inode->i_sb->s_dev, subj);
38712 + if (obj != NULL)
38713 + return (obj->mode & GR_FIND) ? 1 : 0;
38714 + } while ((subj = subj->parent_subject));
38715 +
38716 + /* this is purely an optimization since we're looking for an object
38717 + for the directory we're doing a readdir on
38718 + if it's possible for any globbed object to match the entry we're
38719 + filling into the directory, then the object we find here will be
38720 + an anchor point with attached globbed objects
38721 + */
38722 + obj = chk_obj_label_noglob(dentry, mnt, task->acl);
38723 + if (obj->globbed == NULL)
38724 + return (obj->mode & GR_FIND) ? 1 : 0;
38725 +
38726 + is_not_root = ((obj->filename[0] == '/') &&
38727 + (obj->filename[1] == '\0')) ? 0 : 1;
38728 + bufsize = PAGE_SIZE - namelen - is_not_root;
38729 +
38730 + /* check bufsize > PAGE_SIZE || bufsize == 0 */
38731 + if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
38732 + return 1;
38733 +
38734 + preempt_disable();
38735 + path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
38736 + bufsize);
38737 +
38738 + bufsize = strlen(path);
38739 +
38740 + /* if base is "/", don't append an additional slash */
38741 + if (is_not_root)
38742 + *(path + bufsize) = '/';
38743 + memcpy(path + bufsize + is_not_root, name, namelen);
38744 + *(path + bufsize + namelen + is_not_root) = '\0';
38745 +
38746 + tmp = obj->globbed;
38747 + while (tmp) {
38748 + if (!glob_match(tmp->filename, path)) {
38749 + preempt_enable();
38750 + return (tmp->mode & GR_FIND) ? 1 : 0;
38751 + }
38752 + tmp = tmp->next;
38753 + }
38754 + preempt_enable();
38755 + return (obj->mode & GR_FIND) ? 1 : 0;
38756 +}
38757 +
38758 +#ifdef CONFIG_NETFILTER_XT_MATCH_GRADM_MODULE
38759 +EXPORT_SYMBOL(gr_acl_is_enabled);
38760 +#endif
38761 +EXPORT_SYMBOL(gr_learn_resource);
38762 +EXPORT_SYMBOL(gr_set_kernel_label);
38763 +#ifdef CONFIG_SECURITY
38764 +EXPORT_SYMBOL(gr_check_user_change);
38765 +EXPORT_SYMBOL(gr_check_group_change);
38766 +#endif
38767 +
38768 diff -urNp linux-2.6.37/grsecurity/gracl_cap.c linux-2.6.37/grsecurity/gracl_cap.c
38769 --- linux-2.6.37/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
38770 +++ linux-2.6.37/grsecurity/gracl_cap.c 2011-01-17 02:41:02.000000000 -0500
38771 @@ -0,0 +1,138 @@
38772 +#include <linux/kernel.h>
38773 +#include <linux/module.h>
38774 +#include <linux/sched.h>
38775 +#include <linux/gracl.h>
38776 +#include <linux/grsecurity.h>
38777 +#include <linux/grinternal.h>
38778 +
38779 +static const char *captab_log[] = {
38780 + "CAP_CHOWN",
38781 + "CAP_DAC_OVERRIDE",
38782 + "CAP_DAC_READ_SEARCH",
38783 + "CAP_FOWNER",
38784 + "CAP_FSETID",
38785 + "CAP_KILL",
38786 + "CAP_SETGID",
38787 + "CAP_SETUID",
38788 + "CAP_SETPCAP",
38789 + "CAP_LINUX_IMMUTABLE",
38790 + "CAP_NET_BIND_SERVICE",
38791 + "CAP_NET_BROADCAST",
38792 + "CAP_NET_ADMIN",
38793 + "CAP_NET_RAW",
38794 + "CAP_IPC_LOCK",
38795 + "CAP_IPC_OWNER",
38796 + "CAP_SYS_MODULE",
38797 + "CAP_SYS_RAWIO",
38798 + "CAP_SYS_CHROOT",
38799 + "CAP_SYS_PTRACE",
38800 + "CAP_SYS_PACCT",
38801 + "CAP_SYS_ADMIN",
38802 + "CAP_SYS_BOOT",
38803 + "CAP_SYS_NICE",
38804 + "CAP_SYS_RESOURCE",
38805 + "CAP_SYS_TIME",
38806 + "CAP_SYS_TTY_CONFIG",
38807 + "CAP_MKNOD",
38808 + "CAP_LEASE",
38809 + "CAP_AUDIT_WRITE",
38810 + "CAP_AUDIT_CONTROL",
38811 + "CAP_SETFCAP",
38812 + "CAP_MAC_OVERRIDE",
38813 + "CAP_MAC_ADMIN"
38814 +};
38815 +
38816 +EXPORT_SYMBOL(gr_is_capable);
38817 +EXPORT_SYMBOL(gr_is_capable_nolog);
38818 +
38819 +int
38820 +gr_is_capable(const int cap)
38821 +{
38822 + struct task_struct *task = current;
38823 + const struct cred *cred = current_cred();
38824 + struct acl_subject_label *curracl;
38825 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
38826 + kernel_cap_t cap_audit = __cap_empty_set;
38827 +
38828 + if (!gr_acl_is_enabled())
38829 + return 1;
38830 +
38831 + curracl = task->acl;
38832 +
38833 + cap_drop = curracl->cap_lower;
38834 + cap_mask = curracl->cap_mask;
38835 + cap_audit = curracl->cap_invert_audit;
38836 +
38837 + while ((curracl = curracl->parent_subject)) {
38838 + /* if the cap isn't specified in the current computed mask but is specified in the
38839 + current level subject, and is lowered in the current level subject, then add
38840 + it to the set of dropped capabilities
38841 + otherwise, add the current level subject's mask to the current computed mask
38842 + */
38843 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
38844 + cap_raise(cap_mask, cap);
38845 + if (cap_raised(curracl->cap_lower, cap))
38846 + cap_raise(cap_drop, cap);
38847 + if (cap_raised(curracl->cap_invert_audit, cap))
38848 + cap_raise(cap_audit, cap);
38849 + }
38850 + }
38851 +
38852 + if (!cap_raised(cap_drop, cap)) {
38853 + if (cap_raised(cap_audit, cap))
38854 + gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);
38855 + return 1;
38856 + }
38857 +
38858 + curracl = task->acl;
38859 +
38860 + if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
38861 + && cap_raised(cred->cap_effective, cap)) {
38862 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
38863 + task->role->roletype, cred->uid,
38864 + cred->gid, task->exec_file ?
38865 + gr_to_filename(task->exec_file->f_path.dentry,
38866 + task->exec_file->f_path.mnt) : curracl->filename,
38867 + curracl->filename, 0UL,
38868 + 0UL, "", (unsigned long) cap, &task->signal->saved_ip);
38869 + return 1;
38870 + }
38871 +
38872 + if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
38873 + gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
38874 + return 0;
38875 +}
38876 +
38877 +int
38878 +gr_is_capable_nolog(const int cap)
38879 +{
38880 + struct acl_subject_label *curracl;
38881 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
38882 +
38883 + if (!gr_acl_is_enabled())
38884 + return 1;
38885 +
38886 + curracl = current->acl;
38887 +
38888 + cap_drop = curracl->cap_lower;
38889 + cap_mask = curracl->cap_mask;
38890 +
38891 + while ((curracl = curracl->parent_subject)) {
38892 + /* if the cap isn't specified in the current computed mask but is specified in the
38893 + current level subject, and is lowered in the current level subject, then add
38894 + it to the set of dropped capabilities
38895 + otherwise, add the current level subject's mask to the current computed mask
38896 + */
38897 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
38898 + cap_raise(cap_mask, cap);
38899 + if (cap_raised(curracl->cap_lower, cap))
38900 + cap_raise(cap_drop, cap);
38901 + }
38902 + }
38903 +
38904 + if (!cap_raised(cap_drop, cap))
38905 + return 1;
38906 +
38907 + return 0;
38908 +}
38909 +
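Review bot: In gr_is_capable the audit path inside the `!cap_raised(cap_drop, cap)` branch indexes `captab_log[cap]` with no range check, while the later gr_log_cap call in the same function is guarded by `cap >= 0 && cap < sizeof(captab_log)/sizeof(captab_log[0])`; the table names 34 capabilities (CAP_CHOWN through CAP_MAC_ADMIN), so any capability number the kernel defines beyond CAP_MAC_ADMIN would read past the table on the audited path. The kernel's capable() callers presumably validate cap before this point, but the two sites in one function should agree; guarding the audit log as `if (cap_raised(cap_audit, cap) && cap >= 0 && cap < ARRAY_SIZE(captab_log))` mirrors the second site, and ARRAY_SIZE from linux/kernel.h (already included) could replace the hand-written sizeof division there too. The parent_subject walk that accumulates cap_mask and cap_drop is duplicated verbatim in gr_is_capable_nolog minus the cap_audit tracking; a small static helper computing the drop set (with an optional audit set) would keep the two copies from drifting.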
38910 diff -urNp linux-2.6.37/grsecurity/gracl_fs.c linux-2.6.37/grsecurity/gracl_fs.c
38911 --- linux-2.6.37/grsecurity/gracl_fs.c 1969-12-31 19:00:00.000000000 -0500
38912 +++ linux-2.6.37/grsecurity/gracl_fs.c 2011-01-17 02:41:02.000000000 -0500
38913 @@ -0,0 +1,430 @@
38914 +#include <linux/kernel.h>
38915 +#include <linux/sched.h>
38916 +#include <linux/types.h>
38917 +#include <linux/fs.h>
38918 +#include <linux/file.h>
38919 +#include <linux/stat.h>
38920 +#include <linux/grsecurity.h>
38921 +#include <linux/grinternal.h>
38922 +#include <linux/gracl.h>
38923 +
38924 +__u32
38925 +gr_acl_handle_hidden_file(const struct dentry * dentry,
38926 + const struct vfsmount * mnt)
38927 +{
38928 + __u32 mode;
38929 +
38930 + if (unlikely(!dentry->d_inode))
38931 + return GR_FIND;
38932 +
38933 + mode =
38934 + gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
38935 +
38936 + if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
38937 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
38938 + return mode;
38939 + } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
38940 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
38941 + return 0;
38942 + } else if (unlikely(!(mode & GR_FIND)))
38943 + return 0;
38944 +
38945 + return GR_FIND;
38946 +}
38947 +
38948 +__u32
38949 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
38950 + const int fmode)
38951 +{
38952 + __u32 reqmode = GR_FIND;
38953 + __u32 mode;
38954 +
38955 + if (unlikely(!dentry->d_inode))
38956 + return reqmode;
38957 +
38958 + if (unlikely(fmode & O_APPEND))
38959 + reqmode |= GR_APPEND;
38960 + else if (unlikely(fmode & FMODE_WRITE))
38961 + reqmode |= GR_WRITE;
38962 + if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
38963 + reqmode |= GR_READ;
38964 + if ((fmode & FMODE_GREXEC) && (fmode & FMODE_EXEC))
38965 + reqmode &= ~GR_READ;
38966 + mode =
38967 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
38968 + mnt);
38969 +
38970 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
38971 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
38972 + reqmode & GR_READ ? " reading" : "",
38973 + reqmode & GR_WRITE ? " writing" : reqmode &
38974 + GR_APPEND ? " appending" : "");
38975 + return reqmode;
38976 + } else
38977 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
38978 + {
38979 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
38980 + reqmode & GR_READ ? " reading" : "",
38981 + reqmode & GR_WRITE ? " writing" : reqmode &
38982 + GR_APPEND ? " appending" : "");
38983 + return 0;
38984 + } else if (unlikely((mode & reqmode) != reqmode))
38985 + return 0;
38986 +
38987 + return reqmode;
38988 +}
38989 +
38990 +__u32
38991 +gr_acl_handle_creat(const struct dentry * dentry,
38992 + const struct dentry * p_dentry,
38993 + const struct vfsmount * p_mnt, const int fmode,
38994 + const int imode)
38995 +{
38996 + __u32 reqmode = GR_WRITE | GR_CREATE;
38997 + __u32 mode;
38998 +
38999 + if (unlikely(fmode & O_APPEND))
39000 + reqmode |= GR_APPEND;
39001 + if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
39002 + reqmode |= GR_READ;
39003 + if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
39004 + reqmode |= GR_SETID;
39005 +
39006 + mode =
39007 + gr_check_create(dentry, p_dentry, p_mnt,
39008 + reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
39009 +
39010 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
39011 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
39012 + reqmode & GR_READ ? " reading" : "",
39013 + reqmode & GR_WRITE ? " writing" : reqmode &
39014 + GR_APPEND ? " appending" : "");
39015 + return reqmode;
39016 + } else
39017 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
39018 + {
39019 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
39020 + reqmode & GR_READ ? " reading" : "",
39021 + reqmode & GR_WRITE ? " writing" : reqmode &
39022 + GR_APPEND ? " appending" : "");
39023 + return 0;
39024 + } else if (unlikely((mode & reqmode) != reqmode))
39025 + return 0;
39026 +
39027 + return reqmode;
39028 +}
39029 +
39030 +__u32
39031 +gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
39032 + const int fmode)
39033 +{
39034 + __u32 mode, reqmode = GR_FIND;
39035 +
39036 + if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
39037 + reqmode |= GR_EXEC;
39038 + if (fmode & S_IWOTH)
39039 + reqmode |= GR_WRITE;
39040 + if (fmode & S_IROTH)
39041 + reqmode |= GR_READ;
39042 +
39043 + mode =
39044 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
39045 + mnt);
39046 +
39047 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
39048 + gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
39049 + reqmode & GR_READ ? " reading" : "",
39050 + reqmode & GR_WRITE ? " writing" : "",
39051 + reqmode & GR_EXEC ? " executing" : "");
39052 + return reqmode;
39053 + } else
39054 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
39055 + {
39056 + gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
39057 + reqmode & GR_READ ? " reading" : "",
39058 + reqmode & GR_WRITE ? " writing" : "",
39059 + reqmode & GR_EXEC ? " executing" : "");
39060 + return 0;
39061 + } else if (unlikely((mode & reqmode) != reqmode))
39062 + return 0;
39063 +
39064 + return reqmode;
39065 +}
39066 +
39067 +static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
39068 +{
39069 + __u32 mode;
39070 +
39071 + mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
39072 +
39073 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
39074 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
39075 + return mode;
39076 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
39077 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
39078 + return 0;
39079 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
39080 + return 0;
39081 +
39082 + return (reqmode);
39083 +}
39084 +
39085 +__u32
39086 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
39087 +{
39088 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
39089 +}
39090 +
39091 +__u32
39092 +gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
39093 +{
39094 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
39095 +}
39096 +
39097 +__u32
39098 +gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
39099 +{
39100 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
39101 +}
39102 +
39103 +__u32
39104 +gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
39105 +{
39106 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
39107 +}
39108 +
39109 +__u32
39110 +gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
39111 + mode_t mode)
39112 +{
39113 + if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
39114 + return 1;
39115 +
39116 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
39117 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
39118 + GR_FCHMOD_ACL_MSG);
39119 + } else {
39120 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
39121 + }
39122 +}
39123 +
39124 +__u32
39125 +gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
39126 + mode_t mode)
39127 +{
39128 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
39129 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
39130 + GR_CHMOD_ACL_MSG);
39131 + } else {
39132 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
39133 + }
39134 +}
39135 +
39136 +__u32
39137 +gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
39138 +{
39139 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
39140 +}
39141 +
39142 +__u32
39143 +gr_acl_handle_setxattr(const struct dentry *dentry, const struct vfsmount *mnt)
39144 +{
39145 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_SETXATTR_ACL_MSG);
39146 +}
39147 +
39148 +__u32
39149 +gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
39150 +{
39151 + return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
39152 +}
39153 +
39154 +__u32
39155 +gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
39156 +{
39157 + return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
39158 + GR_UNIXCONNECT_ACL_MSG);
39159 +}
39160 +
39161 +/* hardlinks require at minimum create permission,
39162 + any additional privilege required is based on the
39163 + privilege of the file being linked to
39164 +*/
39165 +__u32
39166 +gr_acl_handle_link(const struct dentry * new_dentry,
39167 + const struct dentry * parent_dentry,
39168 + const struct vfsmount * parent_mnt,
39169 + const struct dentry * old_dentry,
39170 + const struct vfsmount * old_mnt, const char *to)
39171 +{
39172 + __u32 mode;
39173 + __u32 needmode = GR_CREATE | GR_LINK;
39174 + __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
39175 +
39176 + mode =
39177 + gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
39178 + old_mnt);
39179 +
39180 + if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
39181 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
39182 + return mode;
39183 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
39184 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
39185 + return 0;
39186 + } else if (unlikely((mode & needmode) != needmode))
39187 + return 0;
39188 +
39189 + return 1;
39190 +}
39191 +
39192 +__u32
39193 +gr_acl_handle_symlink(const struct dentry * new_dentry,
39194 + const struct dentry * parent_dentry,
39195 + const struct vfsmount * parent_mnt, const char *from)
39196 +{
39197 + __u32 needmode = GR_WRITE | GR_CREATE;
39198 + __u32 mode;
39199 +
39200 + mode =
39201 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
39202 + GR_CREATE | GR_AUDIT_CREATE |
39203 + GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
39204 +
39205 + if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
39206 + gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
39207 + return mode;
39208 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
39209 + gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
39210 + return 0;
39211 + } else if (unlikely((mode & needmode) != needmode))
39212 + return 0;
39213 +
39214 + return (GR_WRITE | GR_CREATE);
39215 +}
39216 +
39217 +static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
39218 +{
39219 + __u32 mode;
39220 +
39221 + mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
39222 +
39223 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
39224 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
39225 + return mode;
39226 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
39227 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
39228 + return 0;
39229 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
39230 + return 0;
39231 +
39232 + return (reqmode);
39233 +}
39234 +
39235 +__u32
39236 +gr_acl_handle_mknod(const struct dentry * new_dentry,
39237 + const struct dentry * parent_dentry,
39238 + const struct vfsmount * parent_mnt,
39239 + const int mode)
39240 +{
39241 + __u32 reqmode = GR_WRITE | GR_CREATE;
39242 + if (unlikely(mode & (S_ISUID | S_ISGID)))
39243 + reqmode |= GR_SETID;
39244 +
39245 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
39246 + reqmode, GR_MKNOD_ACL_MSG);
39247 +}
39248 +
39249 +__u32
39250 +gr_acl_handle_mkdir(const struct dentry *new_dentry,
39251 + const struct dentry *parent_dentry,
39252 + const struct vfsmount *parent_mnt)
39253 +{
39254 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
39255 + GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
39256 +}
39257 +
39258 +#define RENAME_CHECK_SUCCESS(old, new) \
39259 + (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
39260 + ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
39261 +
39262 +int
39263 +gr_acl_handle_rename(struct dentry *new_dentry,
39264 + struct dentry *parent_dentry,
39265 + const struct vfsmount *parent_mnt,
39266 + struct dentry *old_dentry,
39267 + struct inode *old_parent_inode,
39268 + struct vfsmount *old_mnt, const char *newname)
39269 +{
39270 + __u32 comp1, comp2;
39271 + int error = 0;
39272 +
39273 + if (unlikely(!gr_acl_is_enabled()))
39274 + return 0;
39275 +
39276 + if (!new_dentry->d_inode) {
39277 + comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
39278 + GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
39279 + GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
39280 + comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
39281 + GR_DELETE | GR_AUDIT_DELETE |
39282 + GR_AUDIT_READ | GR_AUDIT_WRITE |
39283 + GR_SUPPRESS, old_mnt);
39284 + } else {
39285 + comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
39286 + GR_CREATE | GR_DELETE |
39287 + GR_AUDIT_CREATE | GR_AUDIT_DELETE |
39288 + GR_AUDIT_READ | GR_AUDIT_WRITE |
39289 + GR_SUPPRESS, parent_mnt);
39290 + comp2 =
39291 + gr_search_file(old_dentry,
39292 + GR_READ | GR_WRITE | GR_AUDIT_READ |
39293 + GR_DELETE | GR_AUDIT_DELETE |
39294 + GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
39295 + }
39296 +
39297 + if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
39298 + ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
39299 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
39300 + else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
39301 + && !(comp2 & GR_SUPPRESS)) {
39302 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
39303 + error = -EACCES;
39304 + } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
39305 + error = -EACCES;
39306 +
39307 + return error;
39308 +}
39309 +
39310 +void
39311 +gr_acl_handle_exit(void)
39312 +{
39313 + u16 id;
39314 + char *rolename;
39315 + struct file *exec_file;
39316 +
39317 + if (unlikely(current->acl_sp_role && gr_acl_is_enabled())) {
39318 + id = current->acl_role_id;
39319 + rolename = current->role->rolename;
39320 + gr_set_acls(1);
39321 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
39322 + }
39323 +
39324 + write_lock(&grsec_exec_file_lock);
39325 + exec_file = current->exec_file;
39326 + current->exec_file = NULL;
39327 + write_unlock(&grsec_exec_file_lock);
39328 +
39329 + if (exec_file)
39330 + fput(exec_file);
39331 +}
39332 +
39333 +int
39334 +gr_acl_handle_procpidmem(const struct task_struct *task)
39335 +{
39336 + if (unlikely(!gr_acl_is_enabled()))
39337 + return 0;
39338 +
39339 + if (task != current && task->acl->mode & GR_PROTPROCFD)
39340 + return -EACCES;
39341 +
39342 + return 0;
39343 +}
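Review bot: gr_acl_handle_symlink's audit branch tests `mode & GR_WRITE && mode & GR_AUDITS` rather than the full `needmode`, so a result carrying GR_WRITE plus an audit bit but no GR_CREATE is logged as an audited success and returned non-zero before the two denial checks below it run. Whether gr_check_create can return that combination depends on how object mode and audit bits are masked, which is outside this hunk, but if it can, a subject with write-but-not-create on the parent directory would pass the symlink check. Every sibling handler, including gr_acl_handle_link, gates its audit path on `(mode & needmode) == needmode`; the same form here, `if (unlikely(((mode & needmode) == needmode) && (mode & GR_AUDITS))) {`, removes the discrepancy. Two smaller consistency points: gr_acl_handle_access dereferences `dentry->d_inode->i_mode` without the `!dentry->d_inode` guard that gr_acl_handle_hidden_file and gr_acl_handle_open apply (harmless if callers only pass resolved dentries, but worth a comment saying so), and RENAME_CHECK_SUCCESS uses its `old`/`new` arguments unparenthesized, which is safe for the plain identifiers passed in gr_acl_handle_rename but would mis-associate with any compound expression.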
39344 diff -urNp linux-2.6.37/grsecurity/gracl_ip.c linux-2.6.37/grsecurity/gracl_ip.c
39345 --- linux-2.6.37/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500
39346 +++ linux-2.6.37/grsecurity/gracl_ip.c 2011-01-17 02:41:02.000000000 -0500
39347 @@ -0,0 +1,382 @@
39348 +#include <linux/kernel.h>
39349 +#include <asm/uaccess.h>
39350 +#include <asm/errno.h>
39351 +#include <net/sock.h>
39352 +#include <linux/file.h>
39353 +#include <linux/fs.h>
39354 +#include <linux/net.h>
39355 +#include <linux/in.h>
39356 +#include <linux/skbuff.h>
39357 +#include <linux/ip.h>
39358 +#include <linux/udp.h>
39359 +#include <linux/smp_lock.h>
39360 +#include <linux/types.h>
39361 +#include <linux/sched.h>
39362 +#include <linux/netdevice.h>
39363 +#include <linux/inetdevice.h>
39364 +#include <linux/gracl.h>
39365 +#include <linux/grsecurity.h>
39366 +#include <linux/grinternal.h>
39367 +
39368 +#define GR_BIND 0x01
39369 +#define GR_CONNECT 0x02
39370 +#define GR_INVERT 0x04
39371 +#define GR_BINDOVERRIDE 0x08
39372 +#define GR_CONNECTOVERRIDE 0x10
39373 +#define GR_SOCK_FAMILY 0x20
39374 +
39375 +static const char * gr_protocols[IPPROTO_MAX] = {
39376 + "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
39377 + "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
39378 + "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
39379 + "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
39380 + "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
39381 + "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
39382 + "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
39383 + "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
39384 + "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
39385 + "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
39386 + "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
39387 + "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
39388 + "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
39389 + "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
39390 + "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
39391 + "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
39392 + "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
39393 + "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
39394 + "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
39395 + "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
39396 + "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
39397 + "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
39398 + "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
39399 + "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
39400 + "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
39401 + "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
39402 + "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
39403 + "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
39404 + "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
39405 + "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
39406 + "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
39407 + "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
39408 + };
39409 +
39410 +static const char * gr_socktypes[SOCK_MAX] = {
39411 + "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
39412 + "unknown:7", "unknown:8", "unknown:9", "packet"
39413 + };
39414 +
39415 +static const char * gr_sockfamilies[AF_MAX+1] = {
39416 + "unspec", "unix", "inet", "ax25", "ipx", "appletalk", "netrom", "bridge", "atmpvc", "x25",
39417 + "inet6", "rose", "decnet", "netbeui", "security", "key", "netlink", "packet", "ash",
39418 + "econet", "atmsvc", "rds", "sna", "irda", "ppox", "wanpipe", "llc", "tipc", "bluetooth",
39419 + "iucv", "rxrpc", "isdn", "phonet", "ieee802154", "ciaf"
39420 + };
39421 +
39422 +const char *
39423 +gr_proto_to_name(unsigned char proto)
39424 +{
39425 + return gr_protocols[proto];
39426 +}
39427 +
39428 +const char *
39429 +gr_socktype_to_name(unsigned char type)
39430 +{
39431 + return gr_socktypes[type];
39432 +}
39433 +
39434 +const char *
39435 +gr_sockfamily_to_name(unsigned char family)
39436 +{
39437 + return gr_sockfamilies[family];
39438 +}
39439 +
39440 +int
39441 +gr_search_socket(const int domain, const int type, const int protocol)
39442 +{
39443 + struct acl_subject_label *curr;
39444 + const struct cred *cred = current_cred();
39445 +
39446 + if (unlikely(!gr_acl_is_enabled()))
39447 + goto exit;
39448 +
39449 + if ((domain < 0) || (type < 0) || (protocol < 0) ||
39450 + (domain >= AF_MAX) || (type >= SOCK_MAX) || (protocol >= IPPROTO_MAX))
39451 + goto exit; // let the kernel handle it
39452 +
39453 + curr = current->acl;
39454 +
39455 + if (curr->sock_families[domain / 32] & (1 << (domain % 32))) {
39456 + /* the family is allowed, if this is PF_INET allow it only if
39457 + the extra sock type/protocol checks pass */
39458 + if (domain == PF_INET)
39459 + goto inet_check;
39460 + goto exit;
39461 + } else {
39462 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
39463 + __u32 fakeip = 0;
39464 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
39465 + current->role->roletype, cred->uid,
39466 + cred->gid, current->exec_file ?
39467 + gr_to_filename(current->exec_file->f_path.dentry,
39468 + current->exec_file->f_path.mnt) :
39469 + curr->filename, curr->filename,
39470 + &fakeip, domain, 0, 0, GR_SOCK_FAMILY,
39471 + &current->signal->saved_ip);
39472 + goto exit;
39473 + }
39474 + goto exit_fail;
39475 + }
39476 +
39477 +inet_check:
39478 + /* the rest of this checking is for IPv4 only */
39479 + if (!curr->ips)
39480 + goto exit;
39481 +
39482 + if ((curr->ip_type & (1 << type)) &&
39483 + (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
39484 + goto exit;
39485 +
39486 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
39487 + /* we don't place acls on raw sockets , and sometimes
39488 + dgram/ip sockets are opened for ioctl and not
39489 + bind/connect, so we'll fake a bind learn log */
39490 + if (type == SOCK_RAW || type == SOCK_PACKET) {
39491 + __u32 fakeip = 0;
39492 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
39493 + current->role->roletype, cred->uid,
39494 + cred->gid, current->exec_file ?
39495 + gr_to_filename(current->exec_file->f_path.dentry,
39496 + current->exec_file->f_path.mnt) :
39497 + curr->filename, curr->filename,
39498 + &fakeip, 0, type,
39499 + protocol, GR_CONNECT, &current->signal->saved_ip);
39500 + } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
39501 + __u32 fakeip = 0;
39502 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
39503 + current->role->roletype, cred->uid,
39504 + cred->gid, current->exec_file ?
39505 + gr_to_filename(current->exec_file->f_path.dentry,
39506 + current->exec_file->f_path.mnt) :
39507 + curr->filename, curr->filename,
39508 + &fakeip, 0, type,
39509 + protocol, GR_BIND, &current->signal->saved_ip);
39510 + }
39511 + /* we'll log when they use connect or bind */
39512 + goto exit;
39513 + }
39514 +
39515 +exit_fail:
39516 + if (domain == PF_INET)
39517 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(domain),
39518 + gr_socktype_to_name(type), gr_proto_to_name(protocol));
39519 + else
39520 + gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(domain),
39521 + gr_socktype_to_name(type), protocol);
39522 +
39523 + return 0;
39524 +exit:
39525 + return 1;
39526 +}
39527 +
39528 +int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
39529 +{
39530 + if ((ip->mode & mode) &&
39531 + (ip_port >= ip->low) &&
39532 + (ip_port <= ip->high) &&
39533 + ((ntohl(ip_addr) & our_netmask) ==
39534 + (ntohl(our_addr) & our_netmask))
39535 + && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
39536 + && (ip->type & (1 << type))) {
39537 + if (ip->mode & GR_INVERT)
39538 + return 2; // specifically denied
39539 + else
39540 + return 1; // allowed
39541 + }
39542 +
39543 + return 0; // not specifically allowed, may continue parsing
39544 +}
39545 +
39546 +static int
39547 +gr_search_connectbind(const int full_mode, struct sock *sk,
39548 + struct sockaddr_in *addr, const int type)
39549 +{
39550 + char iface[IFNAMSIZ] = {0};
39551 + struct acl_subject_label *curr;
39552 + struct acl_ip_label *ip;
39553 + struct inet_sock *isk;
39554 + struct net_device *dev;
39555 + struct in_device *idev;
39556 + unsigned long i;
39557 + int ret;
39558 + int mode = full_mode & (GR_BIND | GR_CONNECT);
39559 + __u32 ip_addr = 0;
39560 + __u32 our_addr;
39561 + __u32 our_netmask;
39562 + char *p;
39563 + __u16 ip_port = 0;
39564 + const struct cred *cred = current_cred();
39565 +
39566 + if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
39567 + return 0;
39568 +
39569 + curr = current->acl;
39570 + isk = inet_sk(sk);
39571 +
39572 + /* INADDR_ANY overriding for binds, inaddr_any_override is already in network order */
39573 + if ((full_mode & GR_BINDOVERRIDE) && addr->sin_addr.s_addr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0)
39574 + addr->sin_addr.s_addr = curr->inaddr_any_override;
39575 + if ((full_mode & GR_CONNECT) && isk->inet_saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {
39576 + struct sockaddr_in saddr;
39577 + int err;
39578 +
39579 + saddr.sin_family = AF_INET;
39580 + saddr.sin_addr.s_addr = curr->inaddr_any_override;
39581 + saddr.sin_port = isk->inet_sport;
39582 +
39583 + err = security_socket_bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
39584 + if (err)
39585 + return err;
39586 +
39587 + err = sk->sk_socket->ops->bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
39588 + if (err)
39589 + return err;
39590 + }
39591 +
39592 + if (!curr->ips)
39593 + return 0;
39594 +
39595 + ip_addr = addr->sin_addr.s_addr;
39596 + ip_port = ntohs(addr->sin_port);
39597 +
39598 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
39599 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
39600 + current->role->roletype, cred->uid,
39601 + cred->gid, current->exec_file ?
39602 + gr_to_filename(current->exec_file->f_path.dentry,
39603 + current->exec_file->f_path.mnt) :
39604 + curr->filename, curr->filename,
39605 + &ip_addr, ip_port, type,
39606 + sk->sk_protocol, mode, &current->signal->saved_ip);
39607 + return 0;
39608 + }
39609 +
39610 + for (i = 0; i < curr->ip_num; i++) {
39611 + ip = *(curr->ips + i);
39612 + if (ip->iface != NULL) {
39613 + strncpy(iface, ip->iface, IFNAMSIZ - 1);
39614 + p = strchr(iface, ':');
39615 + if (p != NULL)
39616 + *p = '\0';
39617 + dev = dev_get_by_name(sock_net(sk), iface);
39618 + if (dev == NULL)
39619 + continue;
39620 + idev = in_dev_get(dev);
39621 + if (idev == NULL) {
39622 + dev_put(dev);
39623 + continue;
39624 + }
39625 + rcu_read_lock();
39626 + for_ifa(idev) {
39627 + if (!strcmp(ip->iface, ifa->ifa_label)) {
39628 + our_addr = ifa->ifa_address;
39629 + our_netmask = 0xffffffff;
39630 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
39631 + if (ret == 1) {
39632 + rcu_read_unlock();
39633 + in_dev_put(idev);
39634 + dev_put(dev);
39635 + return 0;
39636 + } else if (ret == 2) {
39637 + rcu_read_unlock();
39638 + in_dev_put(idev);
39639 + dev_put(dev);
39640 + goto denied;
39641 + }
39642 + }
39643 + } endfor_ifa(idev);
39644 + rcu_read_unlock();
39645 + in_dev_put(idev);
39646 + dev_put(dev);
39647 + } else {
39648 + our_addr = ip->addr;
39649 + our_netmask = ip->netmask;
39650 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
39651 + if (ret == 1)
39652 + return 0;
39653 + else if (ret == 2)
39654 + goto denied;
39655 + }
39656 + }
39657 +
39658 +denied:
39659 + if (mode == GR_BIND)
39660 + gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
39661 + else if (mode == GR_CONNECT)
39662 + gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
39663 +
39664 + return -EACCES;
39665 +}
39666 +
39667 +int
39668 +gr_search_connect(struct socket *sock, struct sockaddr_in *addr)
39669 +{
39670 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sock->sk, addr, sock->type);
39671 +}
39672 +
39673 +int
39674 +gr_search_bind(struct socket *sock, struct sockaddr_in *addr)
39675 +{
39676 + return gr_search_connectbind(GR_BIND | GR_BINDOVERRIDE, sock->sk, addr, sock->type);
39677 +}
39678 +
39679 +int gr_search_listen(struct socket *sock)
39680 +{
39681 + struct sock *sk = sock->sk;
39682 + struct sockaddr_in addr;
39683 +
39684 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
39685 + addr.sin_port = inet_sk(sk)->inet_sport;
39686 +
39687 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
39688 +}
39689 +
39690 +int gr_search_accept(struct socket *sock)
39691 +{
39692 + struct sock *sk = sock->sk;
39693 + struct sockaddr_in addr;
39694 +
39695 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
39696 + addr.sin_port = inet_sk(sk)->inet_sport;
39697 +
39698 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
39699 +}
39700 +
39701 +int
39702 +gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr)
39703 +{
39704 + if (addr)
39705 + return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
39706 + else {
39707 + struct sockaddr_in sin;
39708 + const struct inet_sock *inet = inet_sk(sk);
39709 +
39710 + sin.sin_addr.s_addr = inet->inet_daddr;
39711 + sin.sin_port = inet->inet_dport;
39712 +
39713 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
39714 + }
39715 +}
39716 +
39717 +int
39718 +gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb)
39719 +{
39720 + struct sockaddr_in sin;
39721 +
39722 + if (unlikely(skb->len < sizeof (struct udphdr)))
39723 + return 0; // skip this packet
39724 +
39725 + sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
39726 + sin.sin_port = udp_hdr(skb)->source;
39727 +
39728 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
39729 +}
39730 diff -urNp linux-2.6.37/grsecurity/gracl_learn.c linux-2.6.37/grsecurity/gracl_learn.c
39731 --- linux-2.6.37/grsecurity/gracl_learn.c 1969-12-31 19:00:00.000000000 -0500
39732 +++ linux-2.6.37/grsecurity/gracl_learn.c 2011-01-17 02:41:02.000000000 -0500
39733 @@ -0,0 +1,211 @@
39734 +#include <linux/kernel.h>
39735 +#include <linux/mm.h>
39736 +#include <linux/sched.h>
39737 +#include <linux/poll.h>
39738 +#include <linux/smp_lock.h>
39739 +#include <linux/string.h>
39740 +#include <linux/file.h>
39741 +#include <linux/types.h>
39742 +#include <linux/vmalloc.h>
39743 +#include <linux/grinternal.h>
39744 +
39745 +extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
39746 + size_t count, loff_t *ppos);
39747 +extern int gr_acl_is_enabled(void);
39748 +
39749 +static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
39750 +static int gr_learn_attached;
39751 +
39752 +/* use a 512k buffer */
39753 +#define LEARN_BUFFER_SIZE (512 * 1024)
39754 +
39755 +static DEFINE_SPINLOCK(gr_learn_lock);
39756 +static DEFINE_MUTEX(gr_learn_user_mutex);
39757 +
39758 +/* we need to maintain two buffers, so that the kernel context of grlearn
39759 + uses a semaphore around the userspace copying, and the other kernel contexts
39760 + use a spinlock when copying into the buffer, since they cannot sleep
39761 +*/
39762 +static char *learn_buffer;
39763 +static char *learn_buffer_user;
39764 +static int learn_buffer_len;
39765 +static int learn_buffer_user_len;
39766 +
39767 +static ssize_t
39768 +read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
39769 +{
39770 + DECLARE_WAITQUEUE(wait, current);
39771 + ssize_t retval = 0;
39772 +
39773 + add_wait_queue(&learn_wait, &wait);
39774 + set_current_state(TASK_INTERRUPTIBLE);
39775 + do {
39776 + mutex_lock(&gr_learn_user_mutex);
39777 + spin_lock(&gr_learn_lock);
39778 + if (learn_buffer_len)
39779 + break;
39780 + spin_unlock(&gr_learn_lock);
39781 + mutex_unlock(&gr_learn_user_mutex);
39782 + if (file->f_flags & O_NONBLOCK) {
39783 + retval = -EAGAIN;
39784 + goto out;
39785 + }
39786 + if (signal_pending(current)) {
39787 + retval = -ERESTARTSYS;
39788 + goto out;
39789 + }
39790 +
39791 + schedule();
39792 + } while (1);
39793 +
39794 + memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
39795 + learn_buffer_user_len = learn_buffer_len;
39796 + retval = learn_buffer_len;
39797 + learn_buffer_len = 0;
39798 +
39799 + spin_unlock(&gr_learn_lock);
39800 +
39801 + if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
39802 + retval = -EFAULT;
39803 +
39804 + mutex_unlock(&gr_learn_user_mutex);
39805 +out:
39806 + set_current_state(TASK_RUNNING);
39807 + remove_wait_queue(&learn_wait, &wait);
39808 + return retval;
39809 +}
39810 +
39811 +static unsigned int
39812 +poll_learn(struct file * file, poll_table * wait)
39813 +{
39814 + poll_wait(file, &learn_wait, wait);
39815 +
39816 + if (learn_buffer_len)
39817 + return (POLLIN | POLLRDNORM);
39818 +
39819 + return 0;
39820 +}
39821 +
39822 +void
39823 +gr_clear_learn_entries(void)
39824 +{
39825 + char *tmp;
39826 +
39827 + mutex_lock(&gr_learn_user_mutex);
39828 + if (learn_buffer != NULL) {
39829 + spin_lock(&gr_learn_lock);
39830 + tmp = learn_buffer;
39831 + learn_buffer = NULL;
39832 + spin_unlock(&gr_learn_lock);
39833 + vfree(learn_buffer);
39834 + }
39835 + if (learn_buffer_user != NULL) {
39836 + vfree(learn_buffer_user);
39837 + learn_buffer_user = NULL;
39838 + }
39839 + learn_buffer_len = 0;
39840 + mutex_unlock(&gr_learn_user_mutex);
39841 +
39842 + return;
39843 +}
39844 +
39845 +void
39846 +gr_add_learn_entry(const char *fmt, ...)
39847 +{
39848 + va_list args;
39849 + unsigned int len;
39850 +
39851 + if (!gr_learn_attached)
39852 + return;
39853 +
39854 + spin_lock(&gr_learn_lock);
39855 +
39856 + /* leave a gap at the end so we know when it's "full" but don't have to
39857 + compute the exact length of the string we're trying to append
39858 + */
39859 + if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
39860 + spin_unlock(&gr_learn_lock);
39861 + wake_up_interruptible(&learn_wait);
39862 + return;
39863 + }
39864 + if (learn_buffer == NULL) {
39865 + spin_unlock(&gr_learn_lock);
39866 + return;
39867 + }
39868 +
39869 + va_start(args, fmt);
39870 + len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
39871 + va_end(args);
39872 +
39873 + learn_buffer_len += len + 1;
39874 +
39875 + spin_unlock(&gr_learn_lock);
39876 + wake_up_interruptible(&learn_wait);
39877 +
39878 + return;
39879 +}
39880 +
39881 +static int
39882 +open_learn(struct inode *inode, struct file *file)
39883 +{
39884 + if (file->f_mode & FMODE_READ && gr_learn_attached)
39885 + return -EBUSY;
39886 + if (file->f_mode & FMODE_READ) {
39887 + int retval = 0;
39888 + mutex_lock(&gr_learn_user_mutex);
39889 + if (learn_buffer == NULL)
39890 + learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
39891 + if (learn_buffer_user == NULL)
39892 + learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
39893 + if (learn_buffer == NULL) {
39894 + retval = -ENOMEM;
39895 + goto out_error;
39896 + }
39897 + if (learn_buffer_user == NULL) {
39898 + retval = -ENOMEM;
39899 + goto out_error;
39900 + }
39901 + learn_buffer_len = 0;
39902 + learn_buffer_user_len = 0;
39903 + gr_learn_attached = 1;
39904 +out_error:
39905 + mutex_unlock(&gr_learn_user_mutex);
39906 + return retval;
39907 + }
39908 + return 0;
39909 +}
39910 +
39911 +static int
39912 +close_learn(struct inode *inode, struct file *file)
39913 +{
39914 + char *tmp;
39915 +
39916 + if (file->f_mode & FMODE_READ) {
39917 + mutex_lock(&gr_learn_user_mutex);
39918 + if (learn_buffer != NULL) {
39919 + spin_lock(&gr_learn_lock);
39920 + tmp = learn_buffer;
39921 + learn_buffer = NULL;
39922 + spin_unlock(&gr_learn_lock);
39923 + vfree(tmp);
39924 + }
39925 + if (learn_buffer_user != NULL) {
39926 + vfree(learn_buffer_user);
39927 + learn_buffer_user = NULL;
39928 + }
39929 + learn_buffer_len = 0;
39930 + learn_buffer_user_len = 0;
39931 + gr_learn_attached = 0;
39932 + mutex_unlock(&gr_learn_user_mutex);
39933 + }
39934 +
39935 + return 0;
39936 +}
39937 +
39938 +const struct file_operations grsec_fops = {
39939 + .read = read_learn,
39940 + .write = write_grsec_handler,
39941 + .open = open_learn,
39942 + .release = close_learn,
39943 + .poll = poll_learn,
39944 +};
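Review bot: gr_clear_learn_entries frees the wrong pointer: it saves learn_buffer into tmp, sets learn_buffer to NULL under the spinlock, and then calls `vfree(learn_buffer)`, which is vfree(NULL) and leaks the 512k buffer on every call; close_learn uses the same pattern correctly with `vfree(tmp)`, so the fix is `vfree(tmp);`. Separately, open_learn tests gr_learn_attached before taking gr_learn_user_mutex and only sets it inside the mutex, so two readers opening at once could both pass the -EBUSY check; moving that test under the mutex closes the window. In gr_add_learn_entry, vsnprintf returns the length the full string would have had, so a single entry longer than the 16384-byte gap would push learn_buffer_len past what was actually written; if entries that long are possible, clamp len to the remaining space before `learn_buffer_len += len + 1;`.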
39945 diff -urNp linux-2.6.37/grsecurity/gracl_res.c linux-2.6.37/grsecurity/gracl_res.c
39946 --- linux-2.6.37/grsecurity/gracl_res.c 1969-12-31 19:00:00.000000000 -0500
39947 +++ linux-2.6.37/grsecurity/gracl_res.c 2011-01-17 02:41:02.000000000 -0500
39948 @@ -0,0 +1,68 @@
39949 +#include <linux/kernel.h>
39950 +#include <linux/sched.h>
39951 +#include <linux/gracl.h>
39952 +#include <linux/grinternal.h>
39953 +
39954 +static const char *restab_log[] = {
39955 + [RLIMIT_CPU] = "RLIMIT_CPU",
39956 + [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
39957 + [RLIMIT_DATA] = "RLIMIT_DATA",
39958 + [RLIMIT_STACK] = "RLIMIT_STACK",
39959 + [RLIMIT_CORE] = "RLIMIT_CORE",
39960 + [RLIMIT_RSS] = "RLIMIT_RSS",
39961 + [RLIMIT_NPROC] = "RLIMIT_NPROC",
39962 + [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
39963 + [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
39964 + [RLIMIT_AS] = "RLIMIT_AS",
39965 + [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
39966 + [RLIMIT_SIGPENDING] = "RLIMIT_SIGPENDING",
39967 + [RLIMIT_MSGQUEUE] = "RLIMIT_MSGQUEUE",
39968 + [RLIMIT_NICE] = "RLIMIT_NICE",
39969 + [RLIMIT_RTPRIO] = "RLIMIT_RTPRIO",
39970 + [RLIMIT_RTTIME] = "RLIMIT_RTTIME",
39971 + [GR_CRASH_RES] = "RLIMIT_CRASH"
39972 +};
39973 +
39974 +void
39975 +gr_log_resource(const struct task_struct *task,
39976 + const int res, const unsigned long wanted, const int gt)
39977 +{
39978 + const struct cred *cred;
39979 + unsigned long rlim;
39980 +
39981 + if (!gr_acl_is_enabled() && !grsec_resource_logging)
39982 + return;
39983 +
39984 + // not yet supported resource
39985 + if (unlikely(!restab_log[res]))
39986 + return;
39987 +
39988 + if (res == RLIMIT_CPU || res == RLIMIT_RTTIME)
39989 + rlim = task_rlimit_max(task, res);
39990 + else
39991 + rlim = task_rlimit(task, res);
39992 +
39993 + if (likely((rlim == RLIM_INFINITY) || (gt && wanted <= rlim) || (!gt && wanted < rlim)))
39994 + return;
39995 +
39996 + rcu_read_lock();
39997 + cred = __task_cred(task);
39998 +
39999 + if (res == RLIMIT_NPROC &&
40000 + (cap_raised(cred->cap_effective, CAP_SYS_ADMIN) ||
40001 + cap_raised(cred->cap_effective, CAP_SYS_RESOURCE)))
40002 + goto out_rcu_unlock;
40003 + else if (res == RLIMIT_MEMLOCK &&
40004 + cap_raised(cred->cap_effective, CAP_IPC_LOCK))
40005 + goto out_rcu_unlock;
40006 + else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
40007 + goto out_rcu_unlock;
40008 + rcu_read_unlock();
40009 +
40010 + gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], rlim);
40011 +
40012 + return;
40013 +out_rcu_unlock:
40014 + rcu_read_unlock();
40015 + return;
40016 +}
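Review bot: gr_log_resource indexes restab_log[res] with no range check, so a res value beyond the last designated initializer (GR_CRASH_RES) reads past the array before the `!restab_log[res]` test can reject it. Callers are presumably the rlimit paths, where res has already been validated against RLIM_NLIMITS, but the function is non-static and takes a plain `const int res`, so a cheap guard is worthwhile: `if (unlikely((unsigned int)res >= ARRAY_SIZE(restab_log) || !restab_log[res]))`. A one-line comment above the function stating that `gt` selects whether `wanted` is compared with <= or < against the limit would also help, since the parameter name does not convey that.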
40017 diff -urNp linux-2.6.37/grsecurity/gracl_segv.c linux-2.6.37/grsecurity/gracl_segv.c
40018 --- linux-2.6.37/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500
40019 +++ linux-2.6.37/grsecurity/gracl_segv.c 2011-01-17 02:41:02.000000000 -0500
40020 @@ -0,0 +1,310 @@
40021 +#include <linux/kernel.h>
40022 +#include <linux/mm.h>
40023 +#include <asm/uaccess.h>
40024 +#include <asm/errno.h>
40025 +#include <asm/mman.h>
40026 +#include <net/sock.h>
40027 +#include <linux/file.h>
40028 +#include <linux/fs.h>
40029 +#include <linux/net.h>
40030 +#include <linux/in.h>
40031 +#include <linux/smp_lock.h>
40032 +#include <linux/slab.h>
40033 +#include <linux/types.h>
40034 +#include <linux/sched.h>
40035 +#include <linux/timer.h>
40036 +#include <linux/gracl.h>
40037 +#include <linux/grsecurity.h>
40038 +#include <linux/grinternal.h>
40039 +
40040 +static struct crash_uid *uid_set;
40041 +static unsigned short uid_used;
40042 +static DEFINE_SPINLOCK(gr_uid_lock);
40043 +extern rwlock_t gr_inode_lock;
40044 +extern struct acl_subject_label *
40045 + lookup_acl_subj_label(const ino_t inode, const dev_t dev,
40046 + struct acl_role_label *role);
40047 +extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
40048 +
40049 +int
40050 +gr_init_uidset(void)
40051 +{
40052 + uid_set =
40053 + kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
40054 + uid_used = 0;
40055 +
40056 + return uid_set ? 1 : 0;
40057 +}
40058 +
40059 +void
40060 +gr_free_uidset(void)
40061 +{
40062 + if (uid_set)
40063 + kfree(uid_set);
40064 +
40065 + return;
40066 +}
40067 +
40068 +int
40069 +gr_find_uid(const uid_t uid)
40070 +{
40071 + struct crash_uid *tmp = uid_set;
40072 + uid_t buid;
40073 + int low = 0, high = uid_used - 1, mid;
40074 +
40075 + while (high >= low) {
40076 + mid = (low + high) >> 1;
40077 + buid = tmp[mid].uid;
40078 + if (buid == uid)
40079 + return mid;
40080 + if (buid > uid)
40081 + high = mid - 1;
40082 + if (buid < uid)
40083 + low = mid + 1;
40084 + }
40085 +
40086 + return -1;
40087 +}
40088 +
40089 +static __inline__ void
40090 +gr_insertsort(void)
40091 +{
40092 + unsigned short i, j;
40093 + struct crash_uid index;
40094 +
40095 + for (i = 1; i < uid_used; i++) {
40096 + index = uid_set[i];
40097 + j = i;
40098 + while ((j > 0) && uid_set[j - 1].uid > index.uid) {
40099 + uid_set[j] = uid_set[j - 1];
40100 + j--;
40101 + }
40102 + uid_set[j] = index;
40103 + }
40104 +
40105 + return;
40106 +}
40107 +
40108 +static __inline__ void
40109 +gr_insert_uid(const uid_t uid, const unsigned long expires)
40110 +{
40111 + int loc;
40112 +
40113 + if (uid_used == GR_UIDTABLE_MAX)
40114 + return;
40115 +
40116 + loc = gr_find_uid(uid);
40117 +
40118 + if (loc >= 0) {
40119 + uid_set[loc].expires = expires;
40120 + return;
40121 + }
40122 +
40123 + uid_set[uid_used].uid = uid;
40124 + uid_set[uid_used].expires = expires;
40125 + uid_used++;
40126 +
40127 + gr_insertsort();
40128 +
40129 + return;
40130 +}
40131 +
40132 +void
40133 +gr_remove_uid(const unsigned short loc)
40134 +{
40135 + unsigned short i;
40136 +
40137 + for (i = loc + 1; i < uid_used; i++)
40138 + uid_set[i - 1] = uid_set[i];
40139 +
40140 + uid_used--;
40141 +
40142 + return;
40143 +}
40144 +
40145 +int
40146 +gr_check_crash_uid(const uid_t uid)
40147 +{
40148 + int loc;
40149 + int ret = 0;
40150 +
40151 + if (unlikely(!gr_acl_is_enabled()))
40152 + return 0;
40153 +
40154 + spin_lock(&gr_uid_lock);
40155 + loc = gr_find_uid(uid);
40156 +
40157 + if (loc < 0)
40158 + goto out_unlock;
40159 +
40160 + if (time_before_eq(uid_set[loc].expires, get_seconds()))
40161 + gr_remove_uid(loc);
40162 + else
40163 + ret = 1;
40164 +
40165 +out_unlock:
40166 + spin_unlock(&gr_uid_lock);
40167 + return ret;
40168 +}
40169 +
40170 +static __inline__ int
40171 +proc_is_setxid(const struct cred *cred)
40172 +{
40173 + if (cred->uid != cred->euid || cred->uid != cred->suid ||
40174 + cred->uid != cred->fsuid)
40175 + return 1;
40176 + if (cred->gid != cred->egid || cred->gid != cred->sgid ||
40177 + cred->gid != cred->fsgid)
40178 + return 1;
40179 +
40180 + return 0;
40181 +}
40182 +static __inline__ int
40183 +gr_fake_force_sig(int sig, struct task_struct *t)
40184 +{
40185 + unsigned long int flags;
40186 + int ret, blocked, ignored;
40187 + struct k_sigaction *action;
40188 +
40189 + spin_lock_irqsave(&t->sighand->siglock, flags);
40190 + action = &t->sighand->action[sig-1];
40191 + ignored = action->sa.sa_handler == SIG_IGN;
40192 + blocked = sigismember(&t->blocked, sig);
40193 + if (blocked || ignored) {
40194 + action->sa.sa_handler = SIG_DFL;
40195 + if (blocked) {
40196 + sigdelset(&t->blocked, sig);
40197 + recalc_sigpending_and_wake(t);
40198 + }
40199 + }
40200 + if (action->sa.sa_handler == SIG_DFL)
40201 + t->signal->flags &= ~SIGNAL_UNKILLABLE;
40202 + ret = specific_send_sig_info(sig, SEND_SIG_PRIV, t);
40203 +
40204 + spin_unlock_irqrestore(&t->sighand->siglock, flags);
40205 +
40206 + return ret;
40207 +}
40208 +
40209 +void
40210 +gr_handle_crash(struct task_struct *task, const int sig)
40211 +{
40212 + struct acl_subject_label *curr;
40213 + struct acl_subject_label *curr2;
40214 + struct task_struct *tsk, *tsk2;
40215 + const struct cred *cred;
40216 + const struct cred *cred2;
40217 +
40218 + if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
40219 + return;
40220 +
40221 + if (unlikely(!gr_acl_is_enabled()))
40222 + return;
40223 +
40224 + curr = task->acl;
40225 +
40226 + if (!(curr->resmask & (1 << GR_CRASH_RES)))
40227 + return;
40228 +
40229 + if (time_before_eq(curr->expires, get_seconds())) {
40230 + curr->expires = 0;
40231 + curr->crashes = 0;
40232 + }
40233 +
40234 + curr->crashes++;
40235 +
40236 + if (!curr->expires)
40237 + curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
40238 +
40239 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
40240 + time_after(curr->expires, get_seconds())) {
40241 + rcu_read_lock();
40242 + cred = __task_cred(task);
40243 + if (cred->uid && proc_is_setxid(cred)) {
40244 + gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
40245 + spin_lock(&gr_uid_lock);
40246 + gr_insert_uid(cred->uid, curr->expires);
40247 + spin_unlock(&gr_uid_lock);
40248 + curr->expires = 0;
40249 + curr->crashes = 0;
40250 + read_lock(&tasklist_lock);
40251 + do_each_thread(tsk2, tsk) {
40252 + cred2 = __task_cred(tsk);
40253 + if (tsk != task && cred2->uid == cred->uid)
40254 + gr_fake_force_sig(SIGKILL, tsk);
40255 + } while_each_thread(tsk2, tsk);
40256 + read_unlock(&tasklist_lock);
40257 + } else {
40258 + gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
40259 + read_lock(&tasklist_lock);
40260 + do_each_thread(tsk2, tsk) {
40261 + if (likely(tsk != task)) {
40262 + curr2 = tsk->acl;
40263 +
40264 + if (curr2->device == curr->device &&
40265 + curr2->inode == curr->inode)
40266 + gr_fake_force_sig(SIGKILL, tsk);
40267 + }
40268 + } while_each_thread(tsk2, tsk);
40269 + read_unlock(&tasklist_lock);
40270 + }
40271 + rcu_read_unlock();
40272 + }
40273 +
40274 + return;
40275 +}
40276 +
40277 +int
40278 +gr_check_crash_exec(const struct file *filp)
40279 +{
40280 + struct acl_subject_label *curr;
40281 +
40282 + if (unlikely(!gr_acl_is_enabled()))
40283 + return 0;
40284 +
40285 + read_lock(&gr_inode_lock);
40286 + curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino,
40287 + filp->f_path.dentry->d_inode->i_sb->s_dev,
40288 + current->role);
40289 + read_unlock(&gr_inode_lock);
40290 +
40291 + if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
40292 + (!curr->crashes && !curr->expires))
40293 + return 0;
40294 +
40295 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
40296 + time_after(curr->expires, get_seconds()))
40297 + return 1;
40298 + else if (time_before_eq(curr->expires, get_seconds())) {
40299 + curr->crashes = 0;
40300 + curr->expires = 0;
40301 + }
40302 +
40303 + return 0;
40304 +}
40305 +
40306 +void
40307 +gr_handle_alertkill(struct task_struct *task)
40308 +{
40309 + struct acl_subject_label *curracl;
40310 + __u32 curr_ip;
40311 + struct task_struct *p, *p2;
40312 +
40313 + if (unlikely(!gr_acl_is_enabled()))
40314 + return;
40315 +
40316 + curracl = task->acl;
40317 + curr_ip = task->signal->curr_ip;
40318 +
40319 + if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
40320 + read_lock(&tasklist_lock);
40321 + do_each_thread(p2, p) {
40322 + if (p->signal->curr_ip == curr_ip)
40323 + gr_fake_force_sig(SIGKILL, p);
40324 + } while_each_thread(p2, p);
40325 + read_unlock(&tasklist_lock);
40326 + } else if (curracl->mode & GR_KILLPROC)
40327 + gr_fake_force_sig(SIGKILL, task);
40328 +
40329 + return;
40330 +}
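Review bot: gr_insert_uid silently returns when uid_used == GR_UIDTABLE_MAX, so once the table fills the ban for a newly crashing setuid user is never recorded and gr_check_crash_uid keeps returning 0 for it — the protection fails open exactly when it is most exercised. Expired entries are only reclaimed lazily, one at a time, from gr_check_crash_uid, so the table can sit full of stale bans. Compacting out expired entries before giving up keeps the table sorted (gr_find_uid's binary search depends on that) and costs nothing in the common case; the rewrite below does it inline because gr_remove_uid is defined after gr_insert_uid. Also, gr_free_uidset does not reset uid_set after kfree, so a second call would double-free; `uid_set = NULL; uid_used = 0;` after the kfree (the `if (uid_set)` guard is redundant) avoids that.
```c
static __inline__ void
gr_insert_uid(const uid_t uid, const unsigned long expires)
{
	int loc;

	if (uid_used == GR_UIDTABLE_MAX) {
		/* Table full: drop bans that have already expired so the new
		 * ban is not silently lost. Stable compaction preserves the
		 * ordering gr_find_uid's binary search relies on. */
		unsigned short i, kept = 0;

		for (i = 0; i < uid_used; i++)
			if (time_after(uid_set[i].expires, get_seconds()))
				uid_set[kept++] = uid_set[i];
		uid_used = kept;
		if (uid_used == GR_UIDTABLE_MAX)
			return;
	}

	/* … unchanged: lookup, update-or-append, gr_insertsort … */
```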
40331 diff -urNp linux-2.6.37/grsecurity/gracl_shm.c linux-2.6.37/grsecurity/gracl_shm.c
40332 --- linux-2.6.37/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500
40333 +++ linux-2.6.37/grsecurity/gracl_shm.c 2011-01-17 02:41:02.000000000 -0500
40334 @@ -0,0 +1,40 @@
40335 +#include <linux/kernel.h>
40336 +#include <linux/mm.h>
40337 +#include <linux/sched.h>
40338 +#include <linux/file.h>
40339 +#include <linux/ipc.h>
40340 +#include <linux/gracl.h>
40341 +#include <linux/grsecurity.h>
40342 +#include <linux/grinternal.h>
40343 +
40344 +int
40345 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
40346 + const time_t shm_createtime, const uid_t cuid, const int shmid)
40347 +{
40348 + struct task_struct *task;
40349 +
40350 + if (!gr_acl_is_enabled())
40351 + return 1;
40352 +
40353 + rcu_read_lock();
40354 + read_lock(&tasklist_lock);
40355 +
40356 + task = find_task_by_vpid(shm_cprid);
40357 +
40358 + if (unlikely(!task))
40359 + task = find_task_by_vpid(shm_lapid);
40360 +
40361 + if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
40362 + (task->pid == shm_lapid)) &&
40363 + (task->acl->mode & GR_PROTSHM) &&
40364 + (task->acl != current->acl))) {
40365 + read_unlock(&tasklist_lock);
40366 + rcu_read_unlock();
40367 + gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
40368 + return 0;
40369 + }
40370 + read_unlock(&tasklist_lock);
40371 + rcu_read_unlock();
40372 +
40373 + return 1;
40374 +}
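Review bot: gr_handle_shmat's return convention is inverted relative to the errno-style helpers elsewhere in the patch (1 = allow, 0 = deny) and nothing on the function says so; a header comment such as `/* Returns 1 if the attach is permitted, 0 if it was denied and logged. */` would keep callers from misreading it. The lookups use find_task_by_vpid, which resolves shm_cprid and shm_lapid in the caller's pid namespace; if the segment was created from a different namespace the match may land on an unrelated task and the decision is then made on that task's ACL — worth a comment if that is intentional, or a note that it is a known limitation. The start_time <= shm_createtime test guards against pid reuse for the creator, but the `task->pid == shm_lapid` alternative bypasses it, so a recycled last-attach pid is still treated as the original attacher.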
40375 diff -urNp linux-2.6.37/grsecurity/grsec_chdir.c linux-2.6.37/grsecurity/grsec_chdir.c
40376 --- linux-2.6.37/grsecurity/grsec_chdir.c 1969-12-31 19:00:00.000000000 -0500
40377 +++ linux-2.6.37/grsecurity/grsec_chdir.c 2011-01-17 02:41:02.000000000 -0500
40378 @@ -0,0 +1,19 @@
40379 +#include <linux/kernel.h>
40380 +#include <linux/sched.h>
40381 +#include <linux/fs.h>
40382 +#include <linux/file.h>
40383 +#include <linux/grsecurity.h>
40384 +#include <linux/grinternal.h>
40385 +
40386 +void
40387 +gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
40388 +{
40389 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
40390 + if ((grsec_enable_chdir && grsec_enable_group &&
40391 + in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
40392 + !grsec_enable_group)) {
40393 + gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
40394 + }
40395 +#endif
40396 + return;
40397 +}
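Review bot: the audit condition in gr_log_chdir repeats grsec_enable_chdir in both arms of the || and reads awkwardly; `if (grsec_enable_chdir && (!grsec_enable_group || in_group_p(grsec_audit_gid)))` expresses the same predicate (log when chdir auditing is on and either no group filter is configured or the caller is in the audit group) in one line. The trailing `return;` in a void function is redundant.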
40398 diff -urNp linux-2.6.37/grsecurity/grsec_chroot.c linux-2.6.37/grsecurity/grsec_chroot.c
40399 --- linux-2.6.37/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500
40400 +++ linux-2.6.37/grsecurity/grsec_chroot.c 2011-01-17 02:41:02.000000000 -0500
40401 @@ -0,0 +1,373 @@
40402 +#include <linux/kernel.h>
40403 +#include <linux/module.h>
40404 +#include <linux/sched.h>
40405 +#include <linux/file.h>
40406 +#include <linux/fs.h>
40407 +#include <linux/mount.h>
40408 +#include <linux/types.h>
40409 +#include <linux/pid_namespace.h>
40410 +#include <linux/grsecurity.h>
40411 +#include <linux/grinternal.h>
40412 +
40413 +void gr_set_chroot_entries(struct task_struct *task, struct path *path)
40414 +{
40415 +#ifdef CONFIG_GRKERNSEC
40416 + if (task->pid > 1 && path->dentry != init_task.fs->root.dentry &&
40417 + path->dentry != task->nsproxy->mnt_ns->root->mnt_root)
40418 + task->gr_is_chrooted = 1;
40419 + else
40420 + task->gr_is_chrooted = 0;
40421 +
40422 + task->gr_chroot_dentry = path->dentry;
40423 +#endif
40424 + return;
40425 +}
40426 +
40427 +void gr_clear_chroot_entries(struct task_struct *task)
40428 +{
40429 +#ifdef CONFIG_GRKERNSEC
40430 + task->gr_is_chrooted = 0;
40431 + task->gr_chroot_dentry = NULL;
40432 +#endif
40433 + return;
40434 +}
40435 +
40436 +int
40437 +gr_handle_chroot_unix(struct pid *pid)
40438 +{
40439 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
40440 + struct task_struct *p;
40441 +
40442 + if (unlikely(!grsec_enable_chroot_unix))
40443 + return 1;
40444 +
40445 + if (likely(!proc_is_chrooted(current)))
40446 + return 1;
40447 +
40448 + rcu_read_lock();
40449 + read_lock(&tasklist_lock);
40450 + p = pid_task(pid, PIDTYPE_PID);
40451 + if (unlikely(!have_same_root(current, p))) {
40452 + read_unlock(&tasklist_lock);
40453 + rcu_read_unlock();
40454 + gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
40455 + return 0;
40456 + }
40457 + read_unlock(&tasklist_lock);
40458 + rcu_read_unlock();
40459 +#endif
40460 + return 1;
40461 +}
40462 +
40463 +int
40464 +gr_handle_chroot_nice(void)
40465 +{
40466 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
40467 + if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
40468 + gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
40469 + return -EPERM;
40470 + }
40471 +#endif
40472 + return 0;
40473 +}
40474 +
40475 +int
40476 +gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
40477 +{
40478 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
40479 + if (grsec_enable_chroot_nice && (niceval < task_nice(p))
40480 + && proc_is_chrooted(current)) {
40481 + gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
40482 + return -EACCES;
40483 + }
40484 +#endif
40485 + return 0;
40486 +}
40487 +
40488 +int
40489 +gr_handle_chroot_rawio(const struct inode *inode)
40490 +{
40491 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
40492 + if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
40493 + inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
40494 + return 1;
40495 +#endif
40496 + return 0;
40497 +}
40498 +
40499 +int
40500 +gr_handle_chroot_fowner(struct pid *pid, enum pid_type type)
40501 +{
40502 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
40503 + struct task_struct *p;
40504 + int ret = 0;
40505 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || !pid)
40506 + return ret;
40507 +
40508 + read_lock(&tasklist_lock);
40509 + do_each_pid_task(pid, type, p) {
40510 + if (!have_same_root(current, p)) {
40511 + ret = 1;
40512 + goto out;
40513 + }
40514 + } while_each_pid_task(pid, type, p);
40515 +out:
40516 + read_unlock(&tasklist_lock);
40517 + return ret;
40518 +#endif
40519 + return 0;
40520 +}
40521 +
40522 +int
40523 +gr_pid_is_chrooted(struct task_struct *p)
40524 +{
40525 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
40526 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
40527 + return 0;
40528 +
40529 + if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
40530 + !have_same_root(current, p)) {
40531 + return 1;
40532 + }
40533 +#endif
40534 + return 0;
40535 +}
40536 +
40537 +EXPORT_SYMBOL(gr_pid_is_chrooted);
40538 +
40539 +#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
40540 +int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
40541 +{
40542 + struct dentry *dentry = (struct dentry *)u_dentry;
40543 + struct vfsmount *mnt = (struct vfsmount *)u_mnt;
40544 + struct path realroot, currentroot;
40545 + struct task_struct *reaper = &init_task;
40546 + int ret = 1;
40547 +
40548 + get_fs_root(reaper->fs, &realroot);
40549 + get_fs_root(current->fs, &currentroot);
40550 +
40551 + spin_lock(&dcache_lock);
40552 + for (;;) {
40553 + if (unlikely((dentry == realroot.dentry && mnt == realroot.mnt)
40554 + || (dentry == currentroot.dentry && mnt == currentroot.mnt)))
40555 + break;
40556 + if (unlikely(dentry == mnt->mnt_root || IS_ROOT(dentry))) {
40557 + if (mnt->mnt_parent == mnt)
40558 + break;
40559 + dentry = mnt->mnt_mountpoint;
40560 + mnt = mnt->mnt_parent;
40561 + continue;
40562 + }
40563 + dentry = dentry->d_parent;
40564 + }
40565 + spin_unlock(&dcache_lock);
40566 +
40567 + path_put(&currentroot);
40568 +
40569 + /* access is outside of chroot */
40570 + if (dentry == realroot.dentry && mnt == realroot.mnt)
40571 + ret = 0;
40572 +
40573 + path_put(&realroot);
40574 + return ret;
40575 +}
40576 +#endif
40577 +
40578 +int
40579 +gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
40580 +{
40581 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
40582 + if (!grsec_enable_chroot_fchdir)
40583 + return 1;
40584 +
40585 + if (!proc_is_chrooted(current))
40586 + return 1;
40587 + else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
40588 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
40589 + return 0;
40590 + }
40591 +#endif
40592 + return 1;
40593 +}
40594 +
40595 +int
40596 +gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
40597 + const time_t shm_createtime)
40598 +{
40599 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
40600 + struct pid *pid = NULL;
40601 + time_t starttime;
40602 +
40603 + if (unlikely(!grsec_enable_chroot_shmat))
40604 + return 1;
40605 +
40606 + if (likely(!proc_is_chrooted(current)))
40607 + return 1;
40608 +
40609 + rcu_read_lock();
40610 + read_lock(&tasklist_lock);
40611 +
40612 + pid = find_vpid(shm_cprid);
40613 + if (pid) {
40614 + struct task_struct *p;
40615 + p = pid_task(pid, PIDTYPE_PID);
40616 + starttime = p->start_time.tv_sec;
40617 + if (unlikely(!have_same_root(current, p) &&
40618 + time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime))) {
40619 + read_unlock(&tasklist_lock);
40620 + rcu_read_unlock();
40621 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
40622 + return 0;
40623 + }
40624 + } else {
40625 + pid = find_vpid(shm_lapid);
40626 + if (pid) {
40627 + struct task_struct *p;
40628 + p = pid_task(pid, PIDTYPE_PID);
40629 + if (unlikely(!have_same_root(current, p))) {
40630 + read_unlock(&tasklist_lock);
40631 + rcu_read_unlock();
40632 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
40633 + return 0;
40634 + }
40635 + }
40636 + }
40637 +
40638 + read_unlock(&tasklist_lock);
40639 + rcu_read_unlock();
40640 +#endif
40641 + return 1;
40642 +}
40643 +
40644 +void
40645 +gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
40646 +{
40647 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
40648 + if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
40649 + gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
40650 +#endif
40651 + return;
40652 +}
40653 +
40654 +int
40655 +gr_handle_chroot_mknod(const struct dentry *dentry,
40656 + const struct vfsmount *mnt, const int mode)
40657 +{
40658 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
40659 + if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
40660 + proc_is_chrooted(current)) {
40661 + gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
40662 + return -EPERM;
40663 + }
40664 +#endif
40665 + return 0;
40666 +}
40667 +
40668 +int
40669 +gr_handle_chroot_mount(const struct dentry *dentry,
40670 + const struct vfsmount *mnt, const char *dev_name)
40671 +{
40672 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
40673 + if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
40674 + gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name, dentry, mnt);
40675 + return -EPERM;
40676 + }
40677 +#endif
40678 + return 0;
40679 +}
40680 +
40681 +int
40682 +gr_handle_chroot_pivot(void)
40683 +{
40684 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
40685 + if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
40686 + gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
40687 + return -EPERM;
40688 + }
40689 +#endif
40690 + return 0;
40691 +}
40692 +
40693 +int
40694 +gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
40695 +{
40696 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
40697 + if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
40698 + !gr_is_outside_chroot(dentry, mnt)) {
40699 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
40700 + return -EPERM;
40701 + }
40702 +#endif
40703 + return 0;
40704 +}
40705 +
40706 +int
40707 +gr_handle_chroot_caps(struct path *path)
40708 +{
40709 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
40710 + if (grsec_enable_chroot_caps && current->pid > 1 && current->fs != NULL &&
40711 + (init_task.fs->root.dentry != path->dentry) &&
40712 + (current->nsproxy->mnt_ns->root->mnt_root != path->dentry)) {
40713 +
40714 + kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
40715 + const struct cred *old = current_cred();
40716 + struct cred *new = prepare_creds();
40717 + if (new == NULL)
40718 + return 1;
40719 +
40720 + new->cap_permitted = cap_drop(old->cap_permitted,
40721 + chroot_caps);
40722 + new->cap_inheritable = cap_drop(old->cap_inheritable,
40723 + chroot_caps);
40724 + new->cap_effective = cap_drop(old->cap_effective,
40725 + chroot_caps);
40726 +
40727 + commit_creds(new);
40728 +
40729 + return 0;
40730 + }
40731 +#endif
40732 + return 0;
40733 +}
40734 +
40735 +int
40736 +gr_handle_chroot_sysctl(const int op)
40737 +{
40738 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
40739 + if (grsec_enable_chroot_sysctl && (op & MAY_WRITE) &&
40740 + proc_is_chrooted(current))
40741 + return -EACCES;
40742 +#endif
40743 + return 0;
40744 +}
40745 +
40746 +void
40747 +gr_handle_chroot_chdir(struct path *path)
40748 +{
40749 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
40750 + if (grsec_enable_chroot_chdir)
40751 + set_fs_pwd(current->fs, path);
40752 +#endif
40753 + return;
40754 +}
40755 +
40756 +int
40757 +gr_handle_chroot_chmod(const struct dentry *dentry,
40758 + const struct vfsmount *mnt, const int mode)
40759 +{
40760 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
40761 + /* allow chmod +s on directories, but not files */
40762 + if (grsec_enable_chroot_chmod && !S_ISDIR(dentry->d_inode->i_mode) &&
40763 + ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
40764 + proc_is_chrooted(current)) {
40765 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
40766 + return -EPERM;
40767 + }
40768 +#endif
40769 + return 0;
40770 +}
40771 +
40772 +#ifdef CONFIG_SECURITY
40773 +EXPORT_SYMBOL(gr_handle_chroot_caps);
40774 +#endif
40775 diff -urNp linux-2.6.37/grsecurity/grsec_disabled.c linux-2.6.37/grsecurity/grsec_disabled.c
40776 --- linux-2.6.37/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
40777 +++ linux-2.6.37/grsecurity/grsec_disabled.c 2011-01-17 02:41:02.000000000 -0500
40778 @@ -0,0 +1,442 @@
40779 +#include <linux/kernel.h>
40780 +#include <linux/module.h>
40781 +#include <linux/sched.h>
40782 +#include <linux/file.h>
40783 +#include <linux/fs.h>
40784 +#include <linux/kdev_t.h>
40785 +#include <linux/net.h>
40786 +#include <linux/in.h>
40787 +#include <linux/ip.h>
40788 +#include <linux/skbuff.h>
40789 +#include <linux/sysctl.h>
40790 +
40791 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
40792 +void
40793 +pax_set_initial_flags(struct linux_binprm *bprm)
40794 +{
40795 + return;
40796 +}
40797 +#endif
40798 +
40799 +#ifdef CONFIG_SYSCTL
40800 +__u32
40801 +gr_handle_sysctl(const struct ctl_table * table, const int op)
40802 +{
40803 + return 0;
40804 +}
40805 +#endif
40806 +
40807 +#ifdef CONFIG_TASKSTATS
40808 +int gr_is_taskstats_denied(int pid)
40809 +{
40810 + return 0;
40811 +}
40812 +#endif
40813 +
40814 +int
40815 +gr_acl_is_enabled(void)
40816 +{
40817 + return 0;
40818 +}
40819 +
40820 +int
40821 +gr_handle_rawio(const struct inode *inode)
40822 +{
40823 + return 0;
40824 +}
40825 +
40826 +void
40827 +gr_acl_handle_psacct(struct task_struct *task, const long code)
40828 +{
40829 + return;
40830 +}
40831 +
40832 +int
40833 +gr_handle_ptrace(struct task_struct *task, const long request)
40834 +{
40835 + return 0;
40836 +}
40837 +
40838 +int
40839 +gr_handle_proc_ptrace(struct task_struct *task)
40840 +{
40841 + return 0;
40842 +}
40843 +
40844 +void
40845 +gr_learn_resource(const struct task_struct *task,
40846 + const int res, const unsigned long wanted, const int gt)
40847 +{
40848 + return;
40849 +}
40850 +
40851 +int
40852 +gr_set_acls(const int type)
40853 +{
40854 + return 0;
40855 +}
40856 +
40857 +int
40858 +gr_check_hidden_task(const struct task_struct *tsk)
40859 +{
40860 + return 0;
40861 +}
40862 +
40863 +int
40864 +gr_check_protected_task(const struct task_struct *task)
40865 +{
40866 + return 0;
40867 +}
40868 +
40869 +int
40870 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
40871 +{
40872 + return 0;
40873 +}
40874 +
40875 +void
40876 +gr_copy_label(struct task_struct *tsk)
40877 +{
40878 + return;
40879 +}
40880 +
40881 +void
40882 +gr_set_pax_flags(struct task_struct *task)
40883 +{
40884 + return;
40885 +}
40886 +
40887 +int
40888 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
40889 + const int unsafe_share)
40890 +{
40891 + return 0;
40892 +}
40893 +
40894 +void
40895 +gr_handle_delete(const ino_t ino, const dev_t dev)
40896 +{
40897 + return;
40898 +}
40899 +
40900 +void
40901 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
40902 +{
40903 + return;
40904 +}
40905 +
40906 +void
40907 +gr_handle_crash(struct task_struct *task, const int sig)
40908 +{
40909 + return;
40910 +}
40911 +
40912 +int
40913 +gr_check_crash_exec(const struct file *filp)
40914 +{
40915 + return 0;
40916 +}
40917 +
40918 +int
40919 +gr_check_crash_uid(const uid_t uid)
40920 +{
40921 + return 0;
40922 +}
40923 +
40924 +void
40925 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
40926 + struct dentry *old_dentry,
40927 + struct dentry *new_dentry,
40928 + struct vfsmount *mnt, const __u8 replace)
40929 +{
40930 + return;
40931 +}
40932 +
40933 +int
40934 +gr_search_socket(const int family, const int type, const int protocol)
40935 +{
40936 + return 1;
40937 +}
40938 +
40939 +int
40940 +gr_search_connectbind(const int mode, const struct socket *sock,
40941 + const struct sockaddr_in *addr)
40942 +{
40943 + return 0;
40944 +}
40945 +
40946 +int
40947 +gr_is_capable(const int cap)
40948 +{
40949 + return 1;
40950 +}
40951 +
40952 +int
40953 +gr_is_capable_nolog(const int cap)
40954 +{
40955 + return 1;
40956 +}
40957 +
40958 +void
40959 +gr_handle_alertkill(struct task_struct *task)
40960 +{
40961 + return;
40962 +}
40963 +
40964 +__u32
40965 +gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
40966 +{
40967 + return 1;
40968 +}
40969 +
40970 +__u32
40971 +gr_acl_handle_hidden_file(const struct dentry * dentry,
40972 + const struct vfsmount * mnt)
40973 +{
40974 + return 1;
40975 +}
40976 +
40977 +__u32
40978 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
40979 + const int fmode)
40980 +{
40981 + return 1;
40982 +}
40983 +
40984 +__u32
40985 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
40986 +{
40987 + return 1;
40988 +}
40989 +
40990 +__u32
40991 +gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
40992 +{
40993 + return 1;
40994 +}
40995 +
40996 +int
40997 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
40998 + unsigned int *vm_flags)
40999 +{
41000 + return 1;
41001 +}
41002 +
41003 +__u32
41004 +gr_acl_handle_truncate(const struct dentry * dentry,
41005 + const struct vfsmount * mnt)
41006 +{
41007 + return 1;
41008 +}
41009 +
41010 +__u32
41011 +gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
41012 +{
41013 + return 1;
41014 +}
41015 +
41016 +__u32
41017 +gr_acl_handle_access(const struct dentry * dentry,
41018 + const struct vfsmount * mnt, const int fmode)
41019 +{
41020 + return 1;
41021 +}
41022 +
41023 +__u32
41024 +gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
41025 + mode_t mode)
41026 +{
41027 + return 1;
41028 +}
41029 +
41030 +__u32
41031 +gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
41032 + mode_t mode)
41033 +{
41034 + return 1;
41035 +}
41036 +
41037 +__u32
41038 +gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
41039 +{
41040 + return 1;
41041 +}
41042 +
41043 +__u32
41044 +gr_acl_handle_setxattr(const struct dentry * dentry, const struct vfsmount * mnt)
41045 +{
41046 + return 1;
41047 +}
41048 +
41049 +void
41050 +grsecurity_init(void)
41051 +{
41052 + return;
41053 +}
41054 +
41055 +__u32
41056 +gr_acl_handle_mknod(const struct dentry * new_dentry,
41057 + const struct dentry * parent_dentry,
41058 + const struct vfsmount * parent_mnt,
41059 + const int mode)
41060 +{
41061 + return 1;
41062 +}
41063 +
41064 +__u32
41065 +gr_acl_handle_mkdir(const struct dentry * new_dentry,
41066 + const struct dentry * parent_dentry,
41067 + const struct vfsmount * parent_mnt)
41068 +{
41069 + return 1;
41070 +}
41071 +
41072 +__u32
41073 +gr_acl_handle_symlink(const struct dentry * new_dentry,
41074 + const struct dentry * parent_dentry,
41075 + const struct vfsmount * parent_mnt, const char *from)
41076 +{
41077 + return 1;
41078 +}
41079 +
41080 +__u32
41081 +gr_acl_handle_link(const struct dentry * new_dentry,
41082 + const struct dentry * parent_dentry,
41083 + const struct vfsmount * parent_mnt,
41084 + const struct dentry * old_dentry,
41085 + const struct vfsmount * old_mnt, const char *to)
41086 +{
41087 + return 1;
41088 +}
41089 +
41090 +int
41091 +gr_acl_handle_rename(const struct dentry *new_dentry,
41092 + const struct dentry *parent_dentry,
41093 + const struct vfsmount *parent_mnt,
41094 + const struct dentry *old_dentry,
41095 + const struct inode *old_parent_inode,
41096 + const struct vfsmount *old_mnt, const char *newname)
41097 +{
41098 + return 0;
41099 +}
41100 +
41101 +int
41102 +gr_acl_handle_filldir(const struct file *file, const char *name,
41103 + const int namelen, const ino_t ino)
41104 +{
41105 + return 1;
41106 +}
41107 +
41108 +int
41109 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
41110 + const time_t shm_createtime, const uid_t cuid, const int shmid)
41111 +{
41112 + return 1;
41113 +}
41114 +
41115 +int
41116 +gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
41117 +{
41118 + return 0;
41119 +}
41120 +
41121 +int
41122 +gr_search_accept(const struct socket *sock)
41123 +{
41124 + return 0;
41125 +}
41126 +
41127 +int
41128 +gr_search_listen(const struct socket *sock)
41129 +{
41130 + return 0;
41131 +}
41132 +
41133 +int
41134 +gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
41135 +{
41136 + return 0;
41137 +}
41138 +
41139 +__u32
41140 +gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
41141 +{
41142 + return 1;
41143 +}
41144 +
41145 +__u32
41146 +gr_acl_handle_creat(const struct dentry * dentry,
41147 + const struct dentry * p_dentry,
41148 + const struct vfsmount * p_mnt, const int fmode,
41149 + const int imode)
41150 +{
41151 + return 1;
41152 +}
41153 +
41154 +void
41155 +gr_acl_handle_exit(void)
41156 +{
41157 + return;
41158 +}
41159 +
41160 +int
41161 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
41162 +{
41163 + return 1;
41164 +}
41165 +
41166 +void
41167 +gr_set_role_label(const uid_t uid, const gid_t gid)
41168 +{
41169 + return;
41170 +}
41171 +
41172 +int
41173 +gr_acl_handle_procpidmem(const struct task_struct *task)
41174 +{
41175 + return 0;
41176 +}
41177 +
41178 +int
41179 +gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
41180 +{
41181 + return 0;
41182 +}
41183 +
41184 +int
41185 +gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
41186 +{
41187 + return 0;
41188 +}
41189 +
41190 +void
41191 +gr_set_kernel_label(struct task_struct *task)
41192 +{
41193 + return;
41194 +}
41195 +
41196 +int
41197 +gr_check_user_change(int real, int effective, int fs)
41198 +{
41199 + return 0;
41200 +}
41201 +
41202 +int
41203 +gr_check_group_change(int real, int effective, int fs)
41204 +{
41205 + return 0;
41206 +}
41207 +
41208 +int gr_acl_enable_at_secure(void)
41209 +{
41210 + return 0;
41211 +}
41212 +
41213 +EXPORT_SYMBOL(gr_is_capable);
41214 +EXPORT_SYMBOL(gr_is_capable_nolog);
41215 +EXPORT_SYMBOL(gr_learn_resource);
41216 +EXPORT_SYMBOL(gr_set_kernel_label);
41217 +#ifdef CONFIG_SECURITY
41218 +EXPORT_SYMBOL(gr_check_user_change);
41219 +EXPORT_SYMBOL(gr_check_group_change);
41220 +#endif
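Review bot: The stubs in grsec_disabled.c return different "no-op" values for hooks that look alike — `gr_search_socket` returns 1 while `gr_search_bind`, `gr_search_connect`, `gr_search_accept` and `gr_search_listen` return 0, and `gr_acl_handle_rename` returns 0 while the other `gr_acl_handle_*` hooks return 1 — with nothing saying which value means "permit" for each hook. Presumably each stub returns the value its caller treats as "allowed" (some callers test for non-zero, others for zero), but a reader of this file alone cannot tell that from a typo. Add a file-level comment such as `/* Stubs used when grsecurity is compiled out: each hook returns the value its caller interprets as "permit"; note the convention differs per hook (0 vs 1), so match the caller, not the neighbour. */` so the next person editing a stub checks the caller rather than copying an adjacent one.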
41221 diff -urNp linux-2.6.37/grsecurity/grsec_exec.c linux-2.6.37/grsecurity/grsec_exec.c
41222 --- linux-2.6.37/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
41223 +++ linux-2.6.37/grsecurity/grsec_exec.c 2011-01-17 02:41:02.000000000 -0500
41224 @@ -0,0 +1,147 @@
41225 +#include <linux/kernel.h>
41226 +#include <linux/sched.h>
41227 +#include <linux/file.h>
41228 +#include <linux/binfmts.h>
41229 +#include <linux/smp_lock.h>
41230 +#include <linux/fs.h>
41231 +#include <linux/types.h>
41232 +#include <linux/grdefs.h>
41233 +#include <linux/grinternal.h>
41234 +#include <linux/capability.h>
41235 +#include <linux/compat.h>
41236 +
41237 +#include <asm/uaccess.h>
41238 +
41239 +#ifdef CONFIG_GRKERNSEC_EXECLOG
41240 +static char gr_exec_arg_buf[132];
41241 +static DEFINE_MUTEX(gr_exec_arg_mutex);
41242 +#endif
41243 +
41244 +int
41245 +gr_handle_nproc(void)
41246 +{
41247 +#ifdef CONFIG_GRKERNSEC_EXECVE
41248 + const struct cred *cred = current_cred();
41249 + if (grsec_enable_execve && cred->user &&
41250 + (atomic_read(&cred->user->processes) > rlimit(RLIMIT_NPROC)) &&
41251 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
41252 + gr_log_noargs(GR_DONT_AUDIT, GR_NPROC_MSG);
41253 + return -EAGAIN;
41254 + }
41255 +#endif
41256 + return 0;
41257 +}
41258 +
41259 +void
41260 +gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv)
41261 +{
41262 +#ifdef CONFIG_GRKERNSEC_EXECLOG
41263 + char *grarg = gr_exec_arg_buf;
41264 + unsigned int i, x, execlen = 0;
41265 + char c;
41266 +
41267 + if (!((grsec_enable_execlog && grsec_enable_group &&
41268 + in_group_p(grsec_audit_gid))
41269 + || (grsec_enable_execlog && !grsec_enable_group)))
41270 + return;
41271 +
41272 + mutex_lock(&gr_exec_arg_mutex);
41273 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
41274 +
41275 + if (unlikely(argv == NULL))
41276 + goto log;
41277 +
41278 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
41279 + const char __user *p;
41280 + unsigned int len;
41281 +
41282 + if (copy_from_user(&p, argv + i, sizeof(p)))
41283 + goto log;
41284 + if (!p)
41285 + goto log;
41286 + len = strnlen_user(p, 128 - execlen);
41287 + if (len > 128 - execlen)
41288 + len = 128 - execlen;
41289 + else if (len > 0)
41290 + len--;
41291 + if (copy_from_user(grarg + execlen, p, len))
41292 + goto log;
41293 +
41294 + /* rewrite unprintable characters */
41295 + for (x = 0; x < len; x++) {
41296 + c = *(grarg + execlen + x);
41297 + if (c < 32 || c > 126)
41298 + *(grarg + execlen + x) = ' ';
41299 + }
41300 +
41301 + execlen += len;
41302 + *(grarg + execlen) = ' ';
41303 + *(grarg + execlen + 1) = '\0';
41304 + execlen++;
41305 + }
41306 +
41307 + log:
41308 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
41309 + bprm->file->f_path.mnt, grarg);
41310 + mutex_unlock(&gr_exec_arg_mutex);
41311 +#endif
41312 + return;
41313 +}
41314 +
41315 +#ifdef CONFIG_COMPAT
41316 +void
41317 +gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv)
41318 +{
41319 +#ifdef CONFIG_GRKERNSEC_EXECLOG
41320 + char *grarg = gr_exec_arg_buf;
41321 + unsigned int i, x, execlen = 0;
41322 + char c;
41323 +
41324 + if (!((grsec_enable_execlog && grsec_enable_group &&
41325 + in_group_p(grsec_audit_gid))
41326 + || (grsec_enable_execlog && !grsec_enable_group)))
41327 + return;
41328 +
41329 + mutex_lock(&gr_exec_arg_mutex);
41330 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
41331 +
41332 + if (unlikely(argv == NULL))
41333 + goto log;
41334 +
41335 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
41336 + compat_uptr_t p;
41337 + unsigned int len;
41338 +
41339 + if (get_user(p, argv + i))
41340 + goto log;
41341 + len = strnlen_user(compat_ptr(p), 128 - execlen);
41342 + if (len > 128 - execlen)
41343 + len = 128 - execlen;
41344 + else if (len > 0)
41345 + len--;
41346 + else
41347 + goto log;
41348 + if (copy_from_user(grarg + execlen, compat_ptr(p), len))
41349 + goto log;
41350 +
41351 + /* rewrite unprintable characters */
41352 + for (x = 0; x < len; x++) {
41353 + c = *(grarg + execlen + x);
41354 + if (c < 32 || c > 126)
41355 + *(grarg + execlen + x) = ' ';
41356 + }
41357 +
41358 + execlen += len;
41359 + *(grarg + execlen) = ' ';
41360 + *(grarg + execlen + 1) = '\0';
41361 + execlen++;
41362 + }
41363 +
41364 + log:
41365 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
41366 + bprm->file->f_path.mnt, grarg);
41367 + mutex_unlock(&gr_exec_arg_mutex);
41368 +#endif
41369 + return;
41370 +}
41371 +#endif
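Review bot: In gr_handle_exec_args the `len == 0` case from `strnlen_user` (which reports a fault on the user string as 0) falls through to a zero-length `copy_from_user` and then appends a separator, whereas gr_handle_exec_args_compat below stops with `else goto log;` at the same point; the two loops should agree, so add `else goto log;` after the `len--;` branch in the non-compat loop (or remove it from the compat loop if an empty entry is the intended rendering). The bound itself looks sound: `execlen` cannot exceed 128 before the two trailing writes, so `gr_exec_arg_buf[132]` is not overrun. The loop condition `i < bprm->argc` compares unsigned `i` with the signed `argc`; presumably the callers only reach this hook with a non-negative argc, but a `bprm->argc > 0` guard would make that assumption explicit in the code.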
41372 diff -urNp linux-2.6.37/grsecurity/grsec_fifo.c linux-2.6.37/grsecurity/grsec_fifo.c
41373 --- linux-2.6.37/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
41374 +++ linux-2.6.37/grsecurity/grsec_fifo.c 2011-01-17 02:41:02.000000000 -0500
41375 @@ -0,0 +1,24 @@
41376 +#include <linux/kernel.h>
41377 +#include <linux/sched.h>
41378 +#include <linux/fs.h>
41379 +#include <linux/file.h>
41380 +#include <linux/grinternal.h>
41381 +
41382 +int
41383 +gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
41384 + const struct dentry *dir, const int flag, const int acc_mode)
41385 +{
41386 +#ifdef CONFIG_GRKERNSEC_FIFO
41387 + const struct cred *cred = current_cred();
41388 +
41389 + if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
41390 + !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
41391 + (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
41392 + (cred->fsuid != dentry->d_inode->i_uid)) {
41393 + if (!generic_permission(dentry->d_inode, acc_mode, NULL))
41394 + gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
41395 + return -EACCES;
41396 + }
41397 +#endif
41398 + return 0;
41399 +}
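Review bot: The unbraced `if (!generic_permission(dentry->d_inode, acc_mode, NULL))` guards only the log call, so `return -EACCES;` is unconditional; if that is intended (always deny, log only when DAC alone would have allowed the open), brace the one-line body and say so with a comment such as `/* deny regardless; log only when plain DAC would have permitted it, so an ordinary EACCES is not reported twice */`, otherwise the return belongs inside the braces. The policy encoded in the condition (a FIFO in a sticky directory, owned by neither the directory owner nor the opener, opened without O_EXCL) also deserves a short comment above the `if`. `dentry->d_inode` and `dir->d_inode` are dereferenced without a NULL check; presumably the caller guarantees positive dentries, but that contract should be stated at the function.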
41400 diff -urNp linux-2.6.37/grsecurity/grsec_fork.c linux-2.6.37/grsecurity/grsec_fork.c
41401 --- linux-2.6.37/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500
41402 +++ linux-2.6.37/grsecurity/grsec_fork.c 2011-01-17 02:41:02.000000000 -0500
41403 @@ -0,0 +1,23 @@
41404 +#include <linux/kernel.h>
41405 +#include <linux/sched.h>
41406 +#include <linux/grsecurity.h>
41407 +#include <linux/grinternal.h>
41408 +#include <linux/errno.h>
41409 +
41410 +void
41411 +gr_log_forkfail(const int retval)
41412 +{
41413 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
41414 + if (grsec_enable_forkfail && (retval == -EAGAIN || retval == -ENOMEM)) {
41415 + switch (retval) {
41416 + case -EAGAIN:
41417 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "EAGAIN");
41418 + break;
41419 + case -ENOMEM:
41420 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "ENOMEM");
41421 + break;
41422 + }
41423 + }
41424 +#endif
41425 + return;
41426 +}
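Review bot: The outer test `(retval == -EAGAIN || retval == -ENOMEM)` in gr_log_forkfail duplicates the two `case` labels of the `switch` that follows, and the `switch` has no `default:`; either drop the duplicate test and add `default: break;`, or keep the test and replace the `switch` with a single call `gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, retval == -EAGAIN ? "EAGAIN" : "ENOMEM");`. The trailing `return;` in a void function is redundant and can go.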
41427 diff -urNp linux-2.6.37/grsecurity/grsec_init.c linux-2.6.37/grsecurity/grsec_init.c
41428 --- linux-2.6.37/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
41429 +++ linux-2.6.37/grsecurity/grsec_init.c 2011-01-17 02:41:02.000000000 -0500
41430 @@ -0,0 +1,270 @@
41431 +#include <linux/kernel.h>
41432 +#include <linux/sched.h>
41433 +#include <linux/mm.h>
41434 +#include <linux/smp_lock.h>
41435 +#include <linux/gracl.h>
41436 +#include <linux/slab.h>
41437 +#include <linux/vmalloc.h>
41438 +#include <linux/percpu.h>
41439 +#include <linux/module.h>
41440 +
41441 +int grsec_enable_link;
41442 +int grsec_enable_dmesg;
41443 +int grsec_enable_harden_ptrace;
41444 +int grsec_enable_fifo;
41445 +int grsec_enable_execve;
41446 +int grsec_enable_execlog;
41447 +int grsec_enable_signal;
41448 +int grsec_enable_forkfail;
41449 +int grsec_enable_audit_ptrace;
41450 +int grsec_enable_time;
41451 +int grsec_enable_audit_textrel;
41452 +int grsec_enable_group;
41453 +int grsec_audit_gid;
41454 +int grsec_enable_chdir;
41455 +int grsec_enable_mount;
41456 +int grsec_enable_rofs;
41457 +int grsec_enable_chroot_findtask;
41458 +int grsec_enable_chroot_mount;
41459 +int grsec_enable_chroot_shmat;
41460 +int grsec_enable_chroot_fchdir;
41461 +int grsec_enable_chroot_double;
41462 +int grsec_enable_chroot_pivot;
41463 +int grsec_enable_chroot_chdir;
41464 +int grsec_enable_chroot_chmod;
41465 +int grsec_enable_chroot_mknod;
41466 +int grsec_enable_chroot_nice;
41467 +int grsec_enable_chroot_execlog;
41468 +int grsec_enable_chroot_caps;
41469 +int grsec_enable_chroot_sysctl;
41470 +int grsec_enable_chroot_unix;
41471 +int grsec_enable_tpe;
41472 +int grsec_tpe_gid;
41473 +int grsec_enable_blackhole;
41474 +#ifdef CONFIG_IPV6_MODULE
41475 +EXPORT_SYMBOL(grsec_enable_blackhole);
41476 +#endif
41477 +int grsec_lastack_retries;
41478 +int grsec_enable_tpe_all;
41479 +int grsec_enable_tpe_invert;
41480 +int grsec_enable_socket_all;
41481 +int grsec_socket_all_gid;
41482 +int grsec_enable_socket_client;
41483 +int grsec_socket_client_gid;
41484 +int grsec_enable_socket_server;
41485 +int grsec_socket_server_gid;
41486 +int grsec_resource_logging;
41487 +int grsec_disable_privio;
41488 +int grsec_enable_log_rwxmaps;
41489 +int grsec_lock;
41490 +
41491 +DEFINE_SPINLOCK(grsec_alert_lock);
41492 +unsigned long grsec_alert_wtime = 0;
41493 +unsigned long grsec_alert_fyet = 0;
41494 +
41495 +DEFINE_SPINLOCK(grsec_audit_lock);
41496 +
41497 +DEFINE_RWLOCK(grsec_exec_file_lock);
41498 +
41499 +char *gr_shared_page[4];
41500 +
41501 +char *gr_alert_log_fmt;
41502 +char *gr_audit_log_fmt;
41503 +char *gr_alert_log_buf;
41504 +char *gr_audit_log_buf;
41505 +
41506 +extern struct gr_arg *gr_usermode;
41507 +extern unsigned char *gr_system_salt;
41508 +extern unsigned char *gr_system_sum;
41509 +
41510 +void __init
41511 +grsecurity_init(void)
41512 +{
41513 + int j;
41514 + /* create the per-cpu shared pages */
41515 +
41516 +#ifdef CONFIG_X86
41517 + memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
41518 +#endif
41519 +
41520 + for (j = 0; j < 4; j++) {
41521 + gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
41522 + if (gr_shared_page[j] == NULL) {
41523 + panic("Unable to allocate grsecurity shared page");
41524 + return;
41525 + }
41526 + }
41527 +
41528 + /* allocate log buffers */
41529 + gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
41530 + if (!gr_alert_log_fmt) {
41531 + panic("Unable to allocate grsecurity alert log format buffer");
41532 + return;
41533 + }
41534 + gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
41535 + if (!gr_audit_log_fmt) {
41536 + panic("Unable to allocate grsecurity audit log format buffer");
41537 + return;
41538 + }
41539 + gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
41540 + if (!gr_alert_log_buf) {
41541 + panic("Unable to allocate grsecurity alert log buffer");
41542 + return;
41543 + }
41544 + gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
41545 + if (!gr_audit_log_buf) {
41546 + panic("Unable to allocate grsecurity audit log buffer");
41547 + return;
41548 + }
41549 +
41550 + /* allocate memory for authentication structure */
41551 + gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
41552 + gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
41553 + gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
41554 +
41555 + if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
41556 + panic("Unable to allocate grsecurity authentication structure");
41557 + return;
41558 + }
41559 +
41560 +
41561 +#ifdef CONFIG_GRKERNSEC_IO
41562 +#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
41563 + grsec_disable_privio = 1;
41564 +#elif defined(CONFIG_GRKERNSEC_SYSCTL_ON)
41565 + grsec_disable_privio = 1;
41566 +#else
41567 + grsec_disable_privio = 0;
41568 +#endif
41569 +#endif
41570 +
41571 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
41572 + /* for backward compatibility, tpe_invert always defaults to on if
41573 + enabled in the kernel
41574 + */
41575 + grsec_enable_tpe_invert = 1;
41576 +#endif
41577 +
41578 +#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
41579 +#ifndef CONFIG_GRKERNSEC_SYSCTL
41580 + grsec_lock = 1;
41581 +#endif
41582 +
41583 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
41584 + grsec_enable_audit_textrel = 1;
41585 +#endif
41586 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
41587 + grsec_enable_log_rwxmaps = 1;
41588 +#endif
41589 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
41590 + grsec_enable_group = 1;
41591 + grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
41592 +#endif
41593 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
41594 + grsec_enable_chdir = 1;
41595 +#endif
41596 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
41597 + grsec_enable_harden_ptrace = 1;
41598 +#endif
41599 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
41600 + grsec_enable_mount = 1;
41601 +#endif
41602 +#ifdef CONFIG_GRKERNSEC_LINK
41603 + grsec_enable_link = 1;
41604 +#endif
41605 +#ifdef CONFIG_GRKERNSEC_DMESG
41606 + grsec_enable_dmesg = 1;
41607 +#endif
41608 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
41609 + grsec_enable_blackhole = 1;
41610 + grsec_lastack_retries = 4;
41611 +#endif
41612 +#ifdef CONFIG_GRKERNSEC_FIFO
41613 + grsec_enable_fifo = 1;
41614 +#endif
41615 +#ifdef CONFIG_GRKERNSEC_EXECVE
41616 + grsec_enable_execve = 1;
41617 +#endif
41618 +#ifdef CONFIG_GRKERNSEC_EXECLOG
41619 + grsec_enable_execlog = 1;
41620 +#endif
41621 +#ifdef CONFIG_GRKERNSEC_SIGNAL
41622 + grsec_enable_signal = 1;
41623 +#endif
41624 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
41625 + grsec_enable_forkfail = 1;
41626 +#endif
41627 +#ifdef CONFIG_GRKERNSEC_TIME
41628 + grsec_enable_time = 1;
41629 +#endif
41630 +#ifdef CONFIG_GRKERNSEC_RESLOG
41631 + grsec_resource_logging = 1;
41632 +#endif
41633 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
41634 + grsec_enable_chroot_findtask = 1;
41635 +#endif
41636 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
41637 + grsec_enable_chroot_unix = 1;
41638 +#endif
41639 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
41640 + grsec_enable_chroot_mount = 1;
41641 +#endif
41642 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
41643 + grsec_enable_chroot_fchdir = 1;
41644 +#endif
41645 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
41646 + grsec_enable_chroot_shmat = 1;
41647 +#endif
41648 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
41649 + grsec_enable_audit_ptrace = 1;
41650 +#endif
41651 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
41652 + grsec_enable_chroot_double = 1;
41653 +#endif
41654 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
41655 + grsec_enable_chroot_pivot = 1;
41656 +#endif
41657 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
41658 + grsec_enable_chroot_chdir = 1;
41659 +#endif
41660 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
41661 + grsec_enable_chroot_chmod = 1;
41662 +#endif
41663 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
41664 + grsec_enable_chroot_mknod = 1;
41665 +#endif
41666 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
41667 + grsec_enable_chroot_nice = 1;
41668 +#endif
41669 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
41670 + grsec_enable_chroot_execlog = 1;
41671 +#endif
41672 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
41673 + grsec_enable_chroot_caps = 1;
41674 +#endif
41675 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
41676 + grsec_enable_chroot_sysctl = 1;
41677 +#endif
41678 +#ifdef CONFIG_GRKERNSEC_TPE
41679 + grsec_enable_tpe = 1;
41680 + grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
41681 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
41682 + grsec_enable_tpe_all = 1;
41683 +#endif
41684 +#endif
41685 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
41686 + grsec_enable_socket_all = 1;
41687 + grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
41688 +#endif
41689 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
41690 + grsec_enable_socket_client = 1;
41691 + grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
41692 +#endif
41693 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
41694 + grsec_enable_socket_server = 1;
41695 + grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
41696 +#endif
41697 +#endif
41698 +
41699 + return;
41700 +}
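Review bot: The `memset((char *)(0x41a + PAGE_OFFSET), 0, 36);` under CONFIG_X86 in grsecurity_init has no comment explaining what region it clears or why; add one, for example `/* clear the BIOS keyboard buffer in the BIOS data area so keystrokes typed at boot (e.g. a BIOS password) do not linger in low memory */` — I believe that is the intent, but it should be confirmed against the grsecurity changelog before being written as fact. Every `panic(...)` is followed by a `return;` that can never execute because panic does not return; drop those lines. The bare constants `4` (shared pages) and `512` (format buffers) are also used by the logging code in other files of this patch and would be safer as named constants in a shared header so the sizes cannot drift apart.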
41701 diff -urNp linux-2.6.37/grsecurity/grsec_link.c linux-2.6.37/grsecurity/grsec_link.c
41702 --- linux-2.6.37/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
41703 +++ linux-2.6.37/grsecurity/grsec_link.c 2011-01-17 02:41:02.000000000 -0500
41704 @@ -0,0 +1,43 @@
41705 +#include <linux/kernel.h>
41706 +#include <linux/sched.h>
41707 +#include <linux/fs.h>
41708 +#include <linux/file.h>
41709 +#include <linux/grinternal.h>
41710 +
41711 +int
41712 +gr_handle_follow_link(const struct inode *parent,
41713 + const struct inode *inode,
41714 + const struct dentry *dentry, const struct vfsmount *mnt)
41715 +{
41716 +#ifdef CONFIG_GRKERNSEC_LINK
41717 + const struct cred *cred = current_cred();
41718 +
41719 + if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
41720 + (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
41721 + (parent->i_mode & S_IWOTH) && (cred->fsuid != inode->i_uid)) {
41722 + gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
41723 + return -EACCES;
41724 + }
41725 +#endif
41726 + return 0;
41727 +}
41728 +
41729 +int
41730 +gr_handle_hardlink(const struct dentry *dentry,
41731 + const struct vfsmount *mnt,
41732 + struct inode *inode, const int mode, const char *to)
41733 +{
41734 +#ifdef CONFIG_GRKERNSEC_LINK
41735 + const struct cred *cred = current_cred();
41736 +
41737 + if (grsec_enable_link && cred->fsuid != inode->i_uid &&
41738 + (!S_ISREG(mode) || (mode & S_ISUID) ||
41739 + ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
41740 + (generic_permission(inode, MAY_READ | MAY_WRITE, NULL))) &&
41741 + !capable(CAP_FOWNER) && cred->uid) {
41742 + gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
41743 + return -EPERM;
41744 + }
41745 +#endif
41746 + return 0;
41747 +}
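Review bot: The compound condition in gr_handle_hardlink encodes a multi-clause policy with no comment: the link is refused when the caller is not the file's owner, and the target is not a regular file, or is setuid, or is setgid+group-exec, or the caller lacks read+write permission on it, unless the caller has CAP_FOWNER or is uid 0. Add a block comment above the `if` spelling those clauses out in that form; the same applies to gr_handle_follow_link (sticky directory, link owner differs from directory owner, directory world-writable, follower is not the link owner). It is also not obvious why gr_handle_hardlink receives `mode` separately from `inode->i_mode`; presumably the caller passes the inode's mode, but a one-line comment on the parameter stating that would prevent a mismatch later.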
41748 diff -urNp linux-2.6.37/grsecurity/grsec_log.c linux-2.6.37/grsecurity/grsec_log.c
41749 --- linux-2.6.37/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
41750 +++ linux-2.6.37/grsecurity/grsec_log.c 2011-01-17 02:41:02.000000000 -0500
41751 @@ -0,0 +1,310 @@
41752 +#include <linux/kernel.h>
41753 +#include <linux/sched.h>
41754 +#include <linux/file.h>
41755 +#include <linux/tty.h>
41756 +#include <linux/fs.h>
41757 +#include <linux/grinternal.h>
41758 +
41759 +#ifdef CONFIG_TREE_PREEMPT_RCU
41760 +#define DISABLE_PREEMPT() preempt_disable()
41761 +#define ENABLE_PREEMPT() preempt_enable()
41762 +#else
41763 +#define DISABLE_PREEMPT()
41764 +#define ENABLE_PREEMPT()
41765 +#endif
41766 +
41767 +#define BEGIN_LOCKS(x) \
41768 + DISABLE_PREEMPT(); \
41769 + rcu_read_lock(); \
41770 + read_lock(&tasklist_lock); \
41771 + read_lock(&grsec_exec_file_lock); \
41772 + if (x != GR_DO_AUDIT) \
41773 + spin_lock(&grsec_alert_lock); \
41774 + else \
41775 + spin_lock(&grsec_audit_lock)
41776 +
41777 +#define END_LOCKS(x) \
41778 + if (x != GR_DO_AUDIT) \
41779 + spin_unlock(&grsec_alert_lock); \
41780 + else \
41781 + spin_unlock(&grsec_audit_lock); \
41782 + read_unlock(&grsec_exec_file_lock); \
41783 + read_unlock(&tasklist_lock); \
41784 + rcu_read_unlock(); \
41785 + ENABLE_PREEMPT(); \
41786 + if (x == GR_DONT_AUDIT) \
41787 + gr_handle_alertkill(current)
41788 +
41789 +enum {
41790 + FLOODING,
41791 + NO_FLOODING
41792 +};
41793 +
41794 +extern char *gr_alert_log_fmt;
41795 +extern char *gr_audit_log_fmt;
41796 +extern char *gr_alert_log_buf;
41797 +extern char *gr_audit_log_buf;
41798 +
41799 +static int gr_log_start(int audit)
41800 +{
41801 + char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
41802 + char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
41803 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
41804 +
41805 + if (audit == GR_DO_AUDIT)
41806 + goto set_fmt;
41807 +
41808 + if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) {
41809 + grsec_alert_wtime = jiffies;
41810 + grsec_alert_fyet = 0;
41811 + } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
41812 + grsec_alert_fyet++;
41813 + } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
41814 + grsec_alert_wtime = jiffies;
41815 + grsec_alert_fyet++;
41816 + printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
41817 + return FLOODING;
41818 + } else return FLOODING;
41819 +
41820 +set_fmt:
41821 + memset(buf, 0, PAGE_SIZE);
41822 + if (current->signal->curr_ip && gr_acl_is_enabled()) {
41823 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: (%.64s:%c:%.950s) ");
41824 + snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
41825 + } else if (current->signal->curr_ip) {
41826 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: ");
41827 + snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip);
41828 + } else if (gr_acl_is_enabled()) {
41829 + sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
41830 + snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
41831 + } else {
41832 + sprintf(fmt, "%s%s", loglevel, "grsec: ");
41833 + strcpy(buf, fmt);
41834 + }
41835 +
41836 + return NO_FLOODING;
41837 +}
41838 +
41839 +static void gr_log_middle(int audit, const char *msg, va_list ap)
41840 + __attribute__ ((format (printf, 2, 0)));
41841 +
41842 +static void gr_log_middle(int audit, const char *msg, va_list ap)
41843 +{
41844 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
41845 + unsigned int len = strlen(buf);
41846 +
41847 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
41848 +
41849 + return;
41850 +}
41851 +
41852 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
41853 + __attribute__ ((format (printf, 2, 3)));
41854 +
41855 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
41856 +{
41857 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
41858 + unsigned int len = strlen(buf);
41859 + va_list ap;
41860 +
41861 + va_start(ap, msg);
41862 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
41863 + va_end(ap);
41864 +
41865 + return;
41866 +}
41867 +
41868 +static void gr_log_end(int audit)
41869 +{
41870 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
41871 + unsigned int len = strlen(buf);
41872 +
41873 + snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current, current_cred(), __task_cred(current->real_parent)));
41874 + printk("%s\n", buf);
41875 +
41876 + return;
41877 +}
41878 +
41879 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
41880 +{
41881 + int logtype;
41882 + char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
41883 + char *str1, *str2, *str3;
41884 + void *voidptr;
41885 + int num1, num2;
41886 + unsigned long ulong1, ulong2;
41887 + struct dentry *dentry;
41888 + struct vfsmount *mnt;
41889 + struct file *file;
41890 + struct task_struct *task;
41891 + const struct cred *cred, *pcred;
41892 + va_list ap;
41893 +
41894 + BEGIN_LOCKS(audit);
41895 + logtype = gr_log_start(audit);
41896 + if (logtype == FLOODING) {
41897 + END_LOCKS(audit);
41898 + return;
41899 + }
41900 + va_start(ap, argtypes);
41901 + switch (argtypes) {
41902 + case GR_TTYSNIFF:
41903 + task = va_arg(ap, struct task_struct *);
41904 + gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid);
41905 + break;
41906 + case GR_SYSCTL_HIDDEN:
41907 + str1 = va_arg(ap, char *);
41908 + gr_log_middle_varargs(audit, msg, result, str1);
41909 + break;
41910 + case GR_RBAC:
41911 + dentry = va_arg(ap, struct dentry *);
41912 + mnt = va_arg(ap, struct vfsmount *);
41913 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
41914 + break;
41915 + case GR_RBAC_STR:
41916 + dentry = va_arg(ap, struct dentry *);
41917 + mnt = va_arg(ap, struct vfsmount *);
41918 + str1 = va_arg(ap, char *);
41919 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
41920 + break;
41921 + case GR_STR_RBAC:
41922 + str1 = va_arg(ap, char *);
41923 + dentry = va_arg(ap, struct dentry *);
41924 + mnt = va_arg(ap, struct vfsmount *);
41925 + gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
41926 + break;
41927 + case GR_RBAC_MODE2:
41928 + dentry = va_arg(ap, struct dentry *);
41929 + mnt = va_arg(ap, struct vfsmount *);
41930 + str1 = va_arg(ap, char *);
41931 + str2 = va_arg(ap, char *);
41932 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
41933 + break;
41934 + case GR_RBAC_MODE3:
41935 + dentry = va_arg(ap, struct dentry *);
41936 + mnt = va_arg(ap, struct vfsmount *);
41937 + str1 = va_arg(ap, char *);
41938 + str2 = va_arg(ap, char *);
41939 + str3 = va_arg(ap, char *);
41940 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
41941 + break;
41942 + case GR_FILENAME:
41943 + dentry = va_arg(ap, struct dentry *);
41944 + mnt = va_arg(ap, struct vfsmount *);
41945 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
41946 + break;
41947 + case GR_STR_FILENAME:
41948 + str1 = va_arg(ap, char *);
41949 + dentry = va_arg(ap, struct dentry *);
41950 + mnt = va_arg(ap, struct vfsmount *);
41951 + gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
41952 + break;
41953 + case GR_FILENAME_STR:
41954 + dentry = va_arg(ap, struct dentry *);
41955 + mnt = va_arg(ap, struct vfsmount *);
41956 + str1 = va_arg(ap, char *);
41957 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
41958 + break;
41959 + case GR_FILENAME_TWO_INT:
41960 + dentry = va_arg(ap, struct dentry *);
41961 + mnt = va_arg(ap, struct vfsmount *);
41962 + num1 = va_arg(ap, int);
41963 + num2 = va_arg(ap, int);
41964 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
41965 + break;
41966 + case GR_FILENAME_TWO_INT_STR:
41967 + dentry = va_arg(ap, struct dentry *);
41968 + mnt = va_arg(ap, struct vfsmount *);
41969 + num1 = va_arg(ap, int);
41970 + num2 = va_arg(ap, int);
41971 + str1 = va_arg(ap, char *);
41972 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
41973 + break;
41974 + case GR_TEXTREL:
41975 + file = va_arg(ap, struct file *);
41976 + ulong1 = va_arg(ap, unsigned long);
41977 + ulong2 = va_arg(ap, unsigned long);
41978 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2);
41979 + break;
41980 + case GR_PTRACE:
41981 + task = va_arg(ap, struct task_struct *);
41982 + gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task->pid);
41983 + break;
41984 + case GR_RESOURCE:
41985 + task = va_arg(ap, struct task_struct *);
41986 + cred = __task_cred(task);
41987 + pcred = __task_cred(task->real_parent);
41988 + ulong1 = va_arg(ap, unsigned long);
41989 + str1 = va_arg(ap, char *);
41990 + ulong2 = va_arg(ap, unsigned long);
41991 + gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
41992 + break;
41993 + case GR_CAP:
41994 + task = va_arg(ap, struct task_struct *);
41995 + cred = __task_cred(task);
41996 + pcred = __task_cred(task->real_parent);
41997 + str1 = va_arg(ap, char *);
41998 + gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
41999 + break;
42000 + case GR_SIG:
42001 + str1 = va_arg(ap, char *);
42002 + voidptr = va_arg(ap, void *);
42003 + gr_log_middle_varargs(audit, msg, str1, voidptr);
42004 + break;
42005 + case GR_SIG2:
42006 + task = va_arg(ap, struct task_struct *);
42007 + cred = __task_cred(task);
42008 + pcred = __task_cred(task->real_parent);
42009 + num1 = va_arg(ap, int);
42010 + gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
42011 + break;
42012 + case GR_CRASH1:
42013 + task = va_arg(ap, struct task_struct *);
42014 + cred = __task_cred(task);
42015 + pcred = __task_cred(task->real_parent);
42016 + ulong1 = va_arg(ap, unsigned long);
42017 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, cred->uid, ulong1);
42018 + break;
42019 + case GR_CRASH2:
42020 + task = va_arg(ap, struct task_struct *);
42021 + cred = __task_cred(task);
42022 + pcred = __task_cred(task->real_parent);
42023 + ulong1 = va_arg(ap, unsigned long);
42024 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, ulong1);
42025 + break;
42026 + case GR_RWXMAP:
42027 + file = va_arg(ap, struct file *);
42028 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>");
42029 + break;
42030 + case GR_PSACCT:
42031 + {
42032 + unsigned int wday, cday;
42033 + __u8 whr, chr;
42034 + __u8 wmin, cmin;
42035 + __u8 wsec, csec;
42036 + char cur_tty[64] = { 0 };
42037 + char parent_tty[64] = { 0 };
42038 +
42039 + task = va_arg(ap, struct task_struct *);
42040 + wday = va_arg(ap, unsigned int);
42041 + cday = va_arg(ap, unsigned int);
42042 + whr = va_arg(ap, int);
42043 + chr = va_arg(ap, int);
42044 + wmin = va_arg(ap, int);
42045 + cmin = va_arg(ap, int);
42046 + wsec = va_arg(ap, int);
42047 + csec = va_arg(ap, int);
42048 + ulong1 = va_arg(ap, unsigned long);
42049 + cred = __task_cred(task);
42050 + pcred = __task_cred(task->real_parent);
42051 +
42052 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, &task->signal->curr_ip, tty_name(task->signal->tty, cur_tty), cred->uid, cred->euid, cred->gid, cred->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, &task->real_parent->signal->curr_ip, tty_name(task->real_parent->signal->tty, parent_tty), pcred->uid, pcred->euid, pcred->gid, pcred->egid);
42053 + }
42054 + break;
42055 + default:
42056 + gr_log_middle(audit, msg, ap);
42057 + }
42058 + va_end(ap);
42059 + gr_log_end(audit);
42060 + END_LOCKS(audit);
42061 +}
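Review bot: `gr_log_middle`, `gr_log_middle_varargs` and `gr_log_end` each pass `PAGE_SIZE - len - 1` to vsnprintf/snprintf with `unsigned int len = strlen(buf)`, so the bound is only correct while the buffer is guaranteed to be shorter than `PAGE_SIZE - 1`; if a caller ever handed over a full buffer, the unsigned subtraction would wrap and the bounded write would become unbounded. Today the invariant holds because `gr_log_start` and every preceding writer cap the buffer at `PAGE_SIZE - 1`, but that is a property of the call order rather than of these functions, so I would make it explicit in each of the three: `if (len >= PAGE_SIZE - 1) return;` before the write. A smaller point in the flood control of `gr_log_start`: the second branch tests `jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ` while the first branch rejects only `>`, so an alert arriving exactly on the boundary tick with `grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST` falls through to the final `else return FLOODING;` and is dropped without being counted; `<=` would close the gap.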
42062 diff -urNp linux-2.6.37/grsecurity/grsec_mem.c linux-2.6.37/grsecurity/grsec_mem.c
42063 --- linux-2.6.37/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
42064 +++ linux-2.6.37/grsecurity/grsec_mem.c 2011-01-17 02:41:02.000000000 -0500
42065 @@ -0,0 +1,85 @@
42066 +#include <linux/kernel.h>
42067 +#include <linux/sched.h>
42068 +#include <linux/mm.h>
42069 +#include <linux/mman.h>
42070 +#include <linux/grinternal.h>
42071 +
42072 +void
42073 +gr_handle_ioperm(void)
42074 +{
42075 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
42076 + return;
42077 +}
42078 +
42079 +void
42080 +gr_handle_iopl(void)
42081 +{
42082 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
42083 + return;
42084 +}
42085 +
42086 +void
42087 +gr_handle_mem_write(void)
42088 +{
42089 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_WRITE_MSG);
42090 + return;
42091 +}
42092 +
42093 +void
42094 +gr_handle_kmem_write(void)
42095 +{
42096 + gr_log_noargs(GR_DONT_AUDIT, GR_KMEM_MSG);
42097 + return;
42098 +}
42099 +
42100 +void
42101 +gr_handle_open_port(void)
42102 +{
42103 + gr_log_noargs(GR_DONT_AUDIT, GR_PORT_OPEN_MSG);
42104 + return;
42105 +}
42106 +
42107 +int
42108 +gr_handle_mem_mmap(const unsigned long offset, struct vm_area_struct *vma)
42109 +{
42110 + unsigned long start, end;
42111 +
42112 + start = offset;
42113 + end = start + vma->vm_end - vma->vm_start;
42114 +
42115 + if (start > end) {
42116 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
42117 + return -EPERM;
42118 + }
42119 +
42120 + /* allowed ranges : ISA I/O BIOS */
42121 + if ((start >= __pa(high_memory))
42122 +#if defined(CONFIG_X86) || defined(CONFIG_PPC)
42123 + || (start >= 0x000a0000 && end <= 0x00100000)
42124 + || (start >= 0x00000000 && end <= 0x00001000)
42125 +#endif
42126 + )
42127 + return 0;
42128 +
42129 + if (vma->vm_flags & VM_WRITE) {
42130 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
42131 + return -EPERM;
42132 + } else
42133 + vma->vm_flags &= ~VM_MAYWRITE;
42134 +
42135 + return 0;
42136 +}
42137 +
42138 +void
42139 +gr_log_nonroot_mod_load(const char *modname)
42140 +{
42141 + gr_log_str(GR_DONT_AUDIT, GR_NONROOT_MODLOAD_MSG, modname);
42142 + return;
42143 +}
42144 +
42145 +void
42146 +gr_handle_vm86(void)
42147 +{
42148 + gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
42149 + return;
42150 +}
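Review bot: In `gr_handle_mem_mmap`, the clause `(start >= 0x00000000 && end <= 0x00001000)` is a tautology for an `unsigned long` and only earns a `-Wtype-limits` warning; `|| (end <= 0x00001000)` expresses the same first-page allowance. The literals `0x000a0000`, `0x00100000` and `0x00001000` would read better as named constants placed next to the `/* allowed ranges : ISA I/O BIOS */` comment, and the `else` arm that clears `VM_MAYWRITE` should be braced like the `if` it pairs with. That `vma->vm_flags &= ~VM_MAYWRITE;` line also deserves a why-comment, presumably along the lines of `/* read-only mapping of /dev/mem: also forbid a later mprotect() from adding write */`, since its purpose is not obvious from the code alone.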
42151 diff -urNp linux-2.6.37/grsecurity/grsec_mount.c linux-2.6.37/grsecurity/grsec_mount.c
42152 --- linux-2.6.37/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
42153 +++ linux-2.6.37/grsecurity/grsec_mount.c 2011-01-17 02:41:02.000000000 -0500
42154 @@ -0,0 +1,62 @@
42155 +#include <linux/kernel.h>
42156 +#include <linux/sched.h>
42157 +#include <linux/mount.h>
42158 +#include <linux/grsecurity.h>
42159 +#include <linux/grinternal.h>
42160 +
42161 +void
42162 +gr_log_remount(const char *devname, const int retval)
42163 +{
42164 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
42165 + if (grsec_enable_mount && (retval >= 0))
42166 + gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
42167 +#endif
42168 + return;
42169 +}
42170 +
42171 +void
42172 +gr_log_unmount(const char *devname, const int retval)
42173 +{
42174 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
42175 + if (grsec_enable_mount && (retval >= 0))
42176 + gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
42177 +#endif
42178 + return;
42179 +}
42180 +
42181 +void
42182 +gr_log_mount(const char *from, const char *to, const int retval)
42183 +{
42184 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
42185 + if (grsec_enable_mount && (retval >= 0))
42186 + gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from, to);
42187 +#endif
42188 + return;
42189 +}
42190 +
42191 +int
42192 +gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
42193 +{
42194 +#ifdef CONFIG_GRKERNSEC_ROFS
42195 + if (grsec_enable_rofs && !(mnt_flags & MNT_READONLY)) {
42196 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
42197 + return -EPERM;
42198 + } else
42199 + return 0;
42200 +#endif
42201 + return 0;
42202 +}
42203 +
42204 +int
42205 +gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
42206 +{
42207 +#ifdef CONFIG_GRKERNSEC_ROFS
42208 + if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
42209 + dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
42210 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
42211 + return -EPERM;
42212 + } else
42213 + return 0;
42214 +#endif
42215 + return 0;
42216 +}
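Review bot: `gr_log_mount` passes `from` straight to `gr_log_str_str`, while its siblings `gr_log_remount` and `gr_log_unmount` substitute `"none"` for a NULL `devname`; if the source name can be absent for a plain mount the way it evidently can for those two, the audit line should apply the same substitution, `gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from ? from : "none", to);`. In `gr_handle_rofs_mount` and `gr_handle_rofs_blockwrite`, the `} else return 0;` inside `#ifdef CONFIG_GRKERNSEC_ROFS` makes the trailing `return 0;` unreachable in the enabled configuration; dropping the `else` arm and letting both configurations fall through to the common `return 0;` removes the dead code without changing behaviour.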
42217 diff -urNp linux-2.6.37/grsecurity/grsec_pax.c linux-2.6.37/grsecurity/grsec_pax.c
42218 --- linux-2.6.37/grsecurity/grsec_pax.c 1969-12-31 19:00:00.000000000 -0500
42219 +++ linux-2.6.37/grsecurity/grsec_pax.c 2011-01-17 02:41:02.000000000 -0500
42220 @@ -0,0 +1,36 @@
42221 +#include <linux/kernel.h>
42222 +#include <linux/sched.h>
42223 +#include <linux/mm.h>
42224 +#include <linux/file.h>
42225 +#include <linux/grinternal.h>
42226 +#include <linux/grsecurity.h>
42227 +
42228 +void
42229 +gr_log_textrel(struct vm_area_struct * vma)
42230 +{
42231 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
42232 + if (grsec_enable_audit_textrel)
42233 + gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
42234 +#endif
42235 + return;
42236 +}
42237 +
42238 +void
42239 +gr_log_rwxmmap(struct file *file)
42240 +{
42241 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
42242 + if (grsec_enable_log_rwxmaps)
42243 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMMAP_MSG, file);
42244 +#endif
42245 + return;
42246 +}
42247 +
42248 +void
42249 +gr_log_rwxmprotect(struct file *file)
42250 +{
42251 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
42252 + if (grsec_enable_log_rwxmaps)
42253 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMPROTECT_MSG, file);
42254 +#endif
42255 + return;
42256 +}
42257 diff -urNp linux-2.6.37/grsecurity/grsec_ptrace.c linux-2.6.37/grsecurity/grsec_ptrace.c
42258 --- linux-2.6.37/grsecurity/grsec_ptrace.c 1969-12-31 19:00:00.000000000 -0500
42259 +++ linux-2.6.37/grsecurity/grsec_ptrace.c 2011-01-17 02:41:02.000000000 -0500
42260 @@ -0,0 +1,14 @@
42261 +#include <linux/kernel.h>
42262 +#include <linux/sched.h>
42263 +#include <linux/grinternal.h>
42264 +#include <linux/grsecurity.h>
42265 +
42266 +void
42267 +gr_audit_ptrace(struct task_struct *task)
42268 +{
42269 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
42270 + if (grsec_enable_audit_ptrace)
42271 + gr_log_ptrace(GR_DO_AUDIT, GR_PTRACE_AUDIT_MSG, task);
42272 +#endif
42273 + return;
42274 +}
42275 diff -urNp linux-2.6.37/grsecurity/grsec_sig.c linux-2.6.37/grsecurity/grsec_sig.c
42276 --- linux-2.6.37/grsecurity/grsec_sig.c 1969-12-31 19:00:00.000000000 -0500
42277 +++ linux-2.6.37/grsecurity/grsec_sig.c 2011-01-17 02:41:02.000000000 -0500
42278 @@ -0,0 +1,65 @@
42279 +#include <linux/kernel.h>
42280 +#include <linux/sched.h>
42281 +#include <linux/delay.h>
42282 +#include <linux/grsecurity.h>
42283 +#include <linux/grinternal.h>
42284 +
42285 +char *signames[] = {
42286 + [SIGSEGV] = "Segmentation fault",
42287 + [SIGILL] = "Illegal instruction",
42288 + [SIGABRT] = "Abort",
42289 + [SIGBUS] = "Invalid alignment/Bus error"
42290 +};
42291 +
42292 +void
42293 +gr_log_signal(const int sig, const void *addr, const struct task_struct *t)
42294 +{
42295 +#ifdef CONFIG_GRKERNSEC_SIGNAL
42296 + if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
42297 + (sig == SIGABRT) || (sig == SIGBUS))) {
42298 + if (t->pid == current->pid) {
42299 + gr_log_sig_addr(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, signames[sig], addr);
42300 + } else {
42301 + gr_log_sig_task(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
42302 + }
42303 + }
42304 +#endif
42305 + return;
42306 +}
42307 +
42308 +int
42309 +gr_handle_signal(const struct task_struct *p, const int sig)
42310 +{
42311 +#ifdef CONFIG_GRKERNSEC
42312 + if (current->pid > 1 && gr_check_protected_task(p)) {
42313 + gr_log_sig_task(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
42314 + return -EPERM;
42315 + } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
42316 + return -EPERM;
42317 + }
42318 +#endif
42319 + return 0;
42320 +}
42321 +
42322 +void gr_handle_brute_attach(struct task_struct *p)
42323 +{
42324 +#ifdef CONFIG_GRKERNSEC_BRUTE
42325 + read_lock(&tasklist_lock);
42326 + read_lock(&grsec_exec_file_lock);
42327 + if (p->real_parent && p->real_parent->exec_file == p->exec_file)
42328 + p->real_parent->brute = 1;
42329 + read_unlock(&grsec_exec_file_lock);
42330 + read_unlock(&tasklist_lock);
42331 +#endif
42332 + return;
42333 +}
42334 +
42335 +void gr_handle_brute_check(void)
42336 +{
42337 +#ifdef CONFIG_GRKERNSEC_BRUTE
42338 + if (current->brute)
42339 + msleep(30 * 1000);
42340 +#endif
42341 + return;
42342 +}
42343 +
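Review bot: `signames` is a writable, externally visible pointer table (`char *signames[]`) that `gr_log_signal` indexes by signal number; unless another translation unit references it, a table of string constants in a hardening module should be `static const char * const signames[]`, which keeps it out of the global namespace and puts both the pointers and the strings in read-only data. The lookup `signames[sig]` is in bounds only because the enclosing condition admits exactly the four initialised indices (SIGSEGV, SIGILL, SIGABRT, SIGBUS); a comment tying the two together, `/* only the four signals initialised in signames[] reach this lookup */`, would protect that invariant against a later edit to either side. In `gr_handle_signal`, `gr_pid_is_chrooted((struct task_struct *)p)` casts away the `const` of the parameter; if `gr_pid_is_chrooted` does not modify the task, its prototype should take `const struct task_struct *` so the cast can go.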
42344 diff -urNp linux-2.6.37/grsecurity/grsec_sock.c linux-2.6.37/grsecurity/grsec_sock.c
42345 --- linux-2.6.37/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
42346 +++ linux-2.6.37/grsecurity/grsec_sock.c 2011-01-17 02:41:02.000000000 -0500
42347 @@ -0,0 +1,275 @@
42348 +#include <linux/kernel.h>
42349 +#include <linux/module.h>
42350 +#include <linux/sched.h>
42351 +#include <linux/file.h>
42352 +#include <linux/net.h>
42353 +#include <linux/in.h>
42354 +#include <linux/ip.h>
42355 +#include <net/sock.h>
42356 +#include <net/inet_sock.h>
42357 +#include <linux/grsecurity.h>
42358 +#include <linux/grinternal.h>
42359 +#include <linux/gracl.h>
42360 +
42361 +kernel_cap_t gr_cap_rtnetlink(struct sock *sock);
42362 +EXPORT_SYMBOL(gr_cap_rtnetlink);
42363 +
42364 +extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
42365 +extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
42366 +
42367 +EXPORT_SYMBOL(gr_search_udp_recvmsg);
42368 +EXPORT_SYMBOL(gr_search_udp_sendmsg);
42369 +
42370 +#ifdef CONFIG_UNIX_MODULE
42371 +EXPORT_SYMBOL(gr_acl_handle_unix);
42372 +EXPORT_SYMBOL(gr_acl_handle_mknod);
42373 +EXPORT_SYMBOL(gr_handle_chroot_unix);
42374 +EXPORT_SYMBOL(gr_handle_create);
42375 +#endif
42376 +
42377 +#ifdef CONFIG_GRKERNSEC
42378 +#define gr_conn_table_size 32749
42379 +struct conn_table_entry {
42380 + struct conn_table_entry *next;
42381 + struct signal_struct *sig;
42382 +};
42383 +
42384 +struct conn_table_entry *gr_conn_table[gr_conn_table_size];
42385 +DEFINE_SPINLOCK(gr_conn_table_lock);
42386 +
42387 +extern const char * gr_socktype_to_name(unsigned char type);
42388 +extern const char * gr_proto_to_name(unsigned char proto);
42389 +extern const char * gr_sockfamily_to_name(unsigned char family);
42390 +
42391 +static __inline__ int
42392 +conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
42393 +{
42394 + return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
42395 +}
42396 +
42397 +static __inline__ int
42398 +conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
42399 + __u16 sport, __u16 dport)
42400 +{
42401 + if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
42402 + sig->gr_sport == sport && sig->gr_dport == dport))
42403 + return 1;
42404 + else
42405 + return 0;
42406 +}
42407 +
42408 +static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
42409 +{
42410 + struct conn_table_entry **match;
42411 + unsigned int index;
42412 +
42413 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
42414 + sig->gr_sport, sig->gr_dport,
42415 + gr_conn_table_size);
42416 +
42417 + newent->sig = sig;
42418 +
42419 + match = &gr_conn_table[index];
42420 + newent->next = *match;
42421 + *match = newent;
42422 +
42423 + return;
42424 +}
42425 +
42426 +static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
42427 +{
42428 + struct conn_table_entry *match, *last = NULL;
42429 + unsigned int index;
42430 +
42431 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
42432 + sig->gr_sport, sig->gr_dport,
42433 + gr_conn_table_size);
42434 +
42435 + match = gr_conn_table[index];
42436 + while (match && !conn_match(match->sig,
42437 + sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
42438 + sig->gr_dport)) {
42439 + last = match;
42440 + match = match->next;
42441 + }
42442 +
42443 + if (match) {
42444 + if (last)
42445 + last->next = match->next;
42446 + else
42447 + gr_conn_table[index] = NULL;
42448 + kfree(match);
42449 + }
42450 +
42451 + return;
42452 +}
42453 +
42454 +static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
42455 + __u16 sport, __u16 dport)
42456 +{
42457 + struct conn_table_entry *match;
42458 + unsigned int index;
42459 +
42460 + index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
42461 +
42462 + match = gr_conn_table[index];
42463 + while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
42464 + match = match->next;
42465 +
42466 + if (match)
42467 + return match->sig;
42468 + else
42469 + return NULL;
42470 +}
42471 +
42472 +#endif
42473 +
42474 +void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
42475 +{
42476 +#ifdef CONFIG_GRKERNSEC
42477 + struct signal_struct *sig = task->signal;
42478 + struct conn_table_entry *newent;
42479 +
42480 + newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
42481 + if (newent == NULL)
42482 + return;
42483 + /* no bh lock needed since we are called with bh disabled */
42484 + spin_lock(&gr_conn_table_lock);
42485 + gr_del_task_from_ip_table_nolock(sig);
42486 + sig->gr_saddr = inet->inet_rcv_saddr;
42487 + sig->gr_daddr = inet->inet_daddr;
42488 + sig->gr_sport = inet->inet_sport;
42489 + sig->gr_dport = inet->inet_dport;
42490 + gr_add_to_task_ip_table_nolock(sig, newent);
42491 + spin_unlock(&gr_conn_table_lock);
42492 +#endif
42493 + return;
42494 +}
42495 +
42496 +void gr_del_task_from_ip_table(struct task_struct *task)
42497 +{
42498 +#ifdef CONFIG_GRKERNSEC
42499 + spin_lock_bh(&gr_conn_table_lock);
42500 + gr_del_task_from_ip_table_nolock(task->signal);
42501 + spin_unlock_bh(&gr_conn_table_lock);
42502 +#endif
42503 + return;
42504 +}
42505 +
42506 +void
42507 +gr_attach_curr_ip(const struct sock *sk)
42508 +{
42509 +#ifdef CONFIG_GRKERNSEC
42510 + struct signal_struct *p, *set;
42511 + const struct inet_sock *inet = inet_sk(sk);
42512 +
42513 + if (unlikely(sk->sk_protocol != IPPROTO_TCP))
42514 + return;
42515 +
42516 + set = current->signal;
42517 +
42518 + spin_lock_bh(&gr_conn_table_lock);
42519 + p = gr_lookup_task_ip_table(inet->inet_daddr, inet->inet_rcv_saddr,
42520 + inet->inet_dport, inet->inet_sport);
42521 + if (unlikely(p != NULL)) {
42522 + set->curr_ip = p->curr_ip;
42523 + set->used_accept = 1;
42524 + gr_del_task_from_ip_table_nolock(p);
42525 + spin_unlock_bh(&gr_conn_table_lock);
42526 + return;
42527 + }
42528 + spin_unlock_bh(&gr_conn_table_lock);
42529 +
42530 + set->curr_ip = inet->inet_daddr;
42531 + set->used_accept = 1;
42532 +#endif
42533 + return;
42534 +}
42535 +
42536 +int
42537 +gr_handle_sock_all(const int family, const int type, const int protocol)
42538 +{
42539 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
42540 + if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
42541 + (family != AF_UNIX)) {
42542 + if (family == AF_INET)
42543 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), gr_proto_to_name(protocol));
42544 + else
42545 + gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), protocol);
42546 + return -EACCES;
42547 + }
42548 +#endif
42549 + return 0;
42550 +}
42551 +
42552 +int
42553 +gr_handle_sock_server(const struct sockaddr *sck)
42554 +{
42555 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
42556 + if (grsec_enable_socket_server &&
42557 + in_group_p(grsec_socket_server_gid) &&
42558 + sck && (sck->sa_family != AF_UNIX) &&
42559 + (sck->sa_family != AF_LOCAL)) {
42560 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
42561 + return -EACCES;
42562 + }
42563 +#endif
42564 + return 0;
42565 +}
42566 +
42567 +int
42568 +gr_handle_sock_server_other(const struct sock *sck)
42569 +{
42570 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
42571 + if (grsec_enable_socket_server &&
42572 + in_group_p(grsec_socket_server_gid) &&
42573 + sck && (sck->sk_family != AF_UNIX) &&
42574 + (sck->sk_family != AF_LOCAL)) {
42575 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
42576 + return -EACCES;
42577 + }
42578 +#endif
42579 + return 0;
42580 +}
42581 +
42582 +int
42583 +gr_handle_sock_client(const struct sockaddr *sck)
42584 +{
42585 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
42586 + if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
42587 + sck && (sck->sa_family != AF_UNIX) &&
42588 + (sck->sa_family != AF_LOCAL)) {
42589 + gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
42590 + return -EACCES;
42591 + }
42592 +#endif
42593 + return 0;
42594 +}
42595 +
42596 +kernel_cap_t
42597 +gr_cap_rtnetlink(struct sock *sock)
42598 +{
42599 +#ifdef CONFIG_GRKERNSEC
42600 + if (!gr_acl_is_enabled())
42601 + return current_cap();
42602 + else if (sock->sk_protocol == NETLINK_ISCSI &&
42603 + cap_raised(current_cap(), CAP_SYS_ADMIN) &&
42604 + gr_is_capable(CAP_SYS_ADMIN))
42605 + return current_cap();
42606 + else if (sock->sk_protocol == NETLINK_AUDIT &&
42607 + cap_raised(current_cap(), CAP_AUDIT_WRITE) &&
42608 + gr_is_capable(CAP_AUDIT_WRITE) &&
42609 + cap_raised(current_cap(), CAP_AUDIT_CONTROL) &&
42610 + gr_is_capable(CAP_AUDIT_CONTROL))
42611 + return current_cap();
42612 + else if (cap_raised(current_cap(), CAP_NET_ADMIN) &&
42613 + ((sock->sk_protocol == NETLINK_ROUTE) ?
42614 + gr_is_capable_nolog(CAP_NET_ADMIN) :
42615 + gr_is_capable(CAP_NET_ADMIN)))
42616 + return current_cap();
42617 + else
42618 + return __cap_empty_set;
42619 +#else
42620 + return current_cap();
42621 +#endif
42622 +}
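Review bot: `gr_del_task_from_ip_table_nolock` drops the remainder of a hash chain when the entry to remove is at its head: the `else` arm sets `gr_conn_table[index] = NULL;` instead of `gr_conn_table[index] = match->next;`, so every other entry in that bucket becomes unreachable, is never freed, and the tasks it described lose their `curr_ip` attribution in `gr_attach_curr_ip`. With 32749 buckets collisions are infrequent, which is probably why this went unnoticed, but `gr_add_to_task_ip_table_nolock` does push onto existing chains, so chains of length greater than one do occur; the fix is the one line `gr_conn_table[index] = match->next;`. Separately, `conn_hash` computes `(dport << 16)` on a `__u16` promoted to `int`; for ports above 0x7fff the shift overflows a signed int, which is undefined behaviour in C, and `((__u32)dport << 16)` (with `((__u32)sport << 8)` for symmetry) keeps the arithmetic unsigned throughout.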
42623 diff -urNp linux-2.6.37/grsecurity/grsec_sysctl.c linux-2.6.37/grsecurity/grsec_sysctl.c
42624 --- linux-2.6.37/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
42625 +++ linux-2.6.37/grsecurity/grsec_sysctl.c 2011-01-17 02:41:02.000000000 -0500
42626 @@ -0,0 +1,433 @@
42627 +#include <linux/kernel.h>
42628 +#include <linux/sched.h>
42629 +#include <linux/sysctl.h>
42630 +#include <linux/grsecurity.h>
42631 +#include <linux/grinternal.h>
42632 +
42633 +int
42634 +gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
42635 +{
42636 +#ifdef CONFIG_GRKERNSEC_SYSCTL
42637 + if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
42638 + gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
42639 + return -EACCES;
42640 + }
42641 +#endif
42642 + return 0;
42643 +}
42644 +
42645 +#ifdef CONFIG_GRKERNSEC_ROFS
42646 +static int __maybe_unused one = 1;
42647 +#endif
42648 +
42649 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
42650 +struct ctl_table grsecurity_table[] = {
42651 +#ifdef CONFIG_GRKERNSEC_SYSCTL
42652 +#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
42653 +#ifdef CONFIG_GRKERNSEC_IO
42654 + {
42655 + .procname = "disable_priv_io",
42656 + .data = &grsec_disable_privio,
42657 + .maxlen = sizeof(int),
42658 + .mode = 0600,
42659 + .proc_handler = &proc_dointvec,
42660 + },
42661 +#endif
42662 +#endif
42663 +#ifdef CONFIG_GRKERNSEC_LINK
42664 + {
42665 + .procname = "linking_restrictions",
42666 + .data = &grsec_enable_link,
42667 + .maxlen = sizeof(int),
42668 + .mode = 0600,
42669 + .proc_handler = &proc_dointvec,
42670 + },
42671 +#endif
42672 +#ifdef CONFIG_GRKERNSEC_FIFO
42673 + {
42674 + .procname = "fifo_restrictions",
42675 + .data = &grsec_enable_fifo,
42676 + .maxlen = sizeof(int),
42677 + .mode = 0600,
42678 + .proc_handler = &proc_dointvec,
42679 + },
42680 +#endif
42681 +#ifdef CONFIG_GRKERNSEC_EXECVE
42682 + {
42683 + .procname = "execve_limiting",
42684 + .data = &grsec_enable_execve,
42685 + .maxlen = sizeof(int),
42686 + .mode = 0600,
42687 + .proc_handler = &proc_dointvec,
42688 + },
42689 +#endif
42690 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
42691 + {
42692 + .procname = "ip_blackhole",
42693 + .data = &grsec_enable_blackhole,
42694 + .maxlen = sizeof(int),
42695 + .mode = 0600,
42696 + .proc_handler = &proc_dointvec,
42697 + },
42698 + {
42699 + .procname = "lastack_retries",
42700 + .data = &grsec_lastack_retries,
42701 + .maxlen = sizeof(int),
42702 + .mode = 0600,
42703 + .proc_handler = &proc_dointvec,
42704 + },
42705 +#endif
42706 +#ifdef CONFIG_GRKERNSEC_EXECLOG
42707 + {
42708 + .procname = "exec_logging",
42709 + .data = &grsec_enable_execlog,
42710 + .maxlen = sizeof(int),
42711 + .mode = 0600,
42712 + .proc_handler = &proc_dointvec,
42713 + },
42714 +#endif
42715 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
42716 + {
42717 + .procname = "rwxmap_logging",
42718 + .data = &grsec_enable_log_rwxmaps,
42719 + .maxlen = sizeof(int),
42720 + .mode = 0600,
42721 + .proc_handler = &proc_dointvec,
42722 + },
42723 +#endif
42724 +#ifdef CONFIG_GRKERNSEC_SIGNAL
42725 + {
42726 + .procname = "signal_logging",
42727 + .data = &grsec_enable_signal,
42728 + .maxlen = sizeof(int),
42729 + .mode = 0600,
42730 + .proc_handler = &proc_dointvec,
42731 + },
42732 +#endif
42733 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
42734 + {
42735 + .procname = "forkfail_logging",
42736 + .data = &grsec_enable_forkfail,
42737 + .maxlen = sizeof(int),
42738 + .mode = 0600,
42739 + .proc_handler = &proc_dointvec,
42740 + },
42741 +#endif
42742 +#ifdef CONFIG_GRKERNSEC_TIME
42743 + {
42744 + .procname = "timechange_logging",
42745 + .data = &grsec_enable_time,
42746 + .maxlen = sizeof(int),
42747 + .mode = 0600,
42748 + .proc_handler = &proc_dointvec,
42749 + },
42750 +#endif
42751 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
42752 + {
42753 + .procname = "chroot_deny_shmat",
42754 + .data = &grsec_enable_chroot_shmat,
42755 + .maxlen = sizeof(int),
42756 + .mode = 0600,
42757 + .proc_handler = &proc_dointvec,
42758 + },
42759 +#endif
42760 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
42761 + {
42762 + .procname = "chroot_deny_unix",
42763 + .data = &grsec_enable_chroot_unix,
42764 + .maxlen = sizeof(int),
42765 + .mode = 0600,
42766 + .proc_handler = &proc_dointvec,
42767 + },
42768 +#endif
42769 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
42770 + {
42771 + .procname = "chroot_deny_mount",
42772 + .data = &grsec_enable_chroot_mount,
42773 + .maxlen = sizeof(int),
42774 + .mode = 0600,
42775 + .proc_handler = &proc_dointvec,
42776 + },
42777 +#endif
42778 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
42779 + {
42780 + .procname = "chroot_deny_fchdir",
42781 + .data = &grsec_enable_chroot_fchdir,
42782 + .maxlen = sizeof(int),
42783 + .mode = 0600,
42784 + .proc_handler = &proc_dointvec,
42785 + },
42786 +#endif
42787 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
42788 + {
42789 + .procname = "chroot_deny_chroot",
42790 + .data = &grsec_enable_chroot_double,
42791 + .maxlen = sizeof(int),
42792 + .mode = 0600,
42793 + .proc_handler = &proc_dointvec,
42794 + },
42795 +#endif
42796 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
42797 + {
42798 + .procname = "chroot_deny_pivot",
42799 + .data = &grsec_enable_chroot_pivot,
42800 + .maxlen = sizeof(int),
42801 + .mode = 0600,
42802 + .proc_handler = &proc_dointvec,
42803 + },
42804 +#endif
42805 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
42806 + {
42807 + .procname = "chroot_enforce_chdir",
42808 + .data = &grsec_enable_chroot_chdir,
42809 + .maxlen = sizeof(int),
42810 + .mode = 0600,
42811 + .proc_handler = &proc_dointvec,
42812 + },
42813 +#endif
42814 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
42815 + {
42816 + .procname = "chroot_deny_chmod",
42817 + .data = &grsec_enable_chroot_chmod,
42818 + .maxlen = sizeof(int),
42819 + .mode = 0600,
42820 + .proc_handler = &proc_dointvec,
42821 + },
42822 +#endif
42823 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
42824 + {
42825 + .procname = "chroot_deny_mknod",
42826 + .data = &grsec_enable_chroot_mknod,
42827 + .maxlen = sizeof(int),
42828 + .mode = 0600,
42829 + .proc_handler = &proc_dointvec,
42830 + },
42831 +#endif
42832 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
42833 + {
42834 + .procname = "chroot_restrict_nice",
42835 + .data = &grsec_enable_chroot_nice,
42836 + .maxlen = sizeof(int),
42837 + .mode = 0600,
42838 + .proc_handler = &proc_dointvec,
42839 + },
42840 +#endif
42841 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
42842 + {
42843 + .procname = "chroot_execlog",
42844 + .data = &grsec_enable_chroot_execlog,
42845 + .maxlen = sizeof(int),
42846 + .mode = 0600,
42847 + .proc_handler = &proc_dointvec,
42848 + },
42849 +#endif
42850 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
42851 + {
42852 + .procname = "chroot_caps",
42853 + .data = &grsec_enable_chroot_caps,
42854 + .maxlen = sizeof(int),
42855 + .mode = 0600,
42856 + .proc_handler = &proc_dointvec,
42857 + },
42858 +#endif
42859 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
42860 + {
42861 + .procname = "chroot_deny_sysctl",
42862 + .data = &grsec_enable_chroot_sysctl,
42863 + .maxlen = sizeof(int),
42864 + .mode = 0600,
42865 + .proc_handler = &proc_dointvec,
42866 + },
42867 +#endif
42868 +#ifdef CONFIG_GRKERNSEC_TPE
42869 + {
42870 + .procname = "tpe",
42871 + .data = &grsec_enable_tpe,
42872 + .maxlen = sizeof(int),
42873 + .mode = 0600,
42874 + .proc_handler = &proc_dointvec,
42875 + },
42876 + {
42877 + .procname = "tpe_gid",
42878 + .data = &grsec_tpe_gid,
42879 + .maxlen = sizeof(int),
42880 + .mode = 0600,
42881 + .proc_handler = &proc_dointvec,
42882 + },
42883 +#endif
42884 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
42885 + {
42886 + .procname = "tpe_invert",
42887 + .data = &grsec_enable_tpe_invert,
42888 + .maxlen = sizeof(int),
42889 + .mode = 0600,
42890 + .proc_handler = &proc_dointvec,
42891 + },
42892 +#endif
42893 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
42894 + {
42895 + .procname = "tpe_restrict_all",
42896 + .data = &grsec_enable_tpe_all,
42897 + .maxlen = sizeof(int),
42898 + .mode = 0600,
42899 + .proc_handler = &proc_dointvec,
42900 + },
42901 +#endif
42902 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
42903 + {
42904 + .procname = "socket_all",
42905 + .data = &grsec_enable_socket_all,
42906 + .maxlen = sizeof(int),
42907 + .mode = 0600,
42908 + .proc_handler = &proc_dointvec,
42909 + },
42910 + {
42911 + .procname = "socket_all_gid",
42912 + .data = &grsec_socket_all_gid,
42913 + .maxlen = sizeof(int),
42914 + .mode = 0600,
42915 + .proc_handler = &proc_dointvec,
42916 + },
42917 +#endif
42918 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
42919 + {
42920 + .procname = "socket_client",
42921 + .data = &grsec_enable_socket_client,
42922 + .maxlen = sizeof(int),
42923 + .mode = 0600,
42924 + .proc_handler = &proc_dointvec,
42925 + },
42926 + {
42927 + .procname = "socket_client_gid",
42928 + .data = &grsec_socket_client_gid,
42929 + .maxlen = sizeof(int),
42930 + .mode = 0600,
42931 + .proc_handler = &proc_dointvec,
42932 + },
42933 +#endif
42934 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
42935 + {
42936 + .procname = "socket_server",
42937 + .data = &grsec_enable_socket_server,
42938 + .maxlen = sizeof(int),
42939 + .mode = 0600,
42940 + .proc_handler = &proc_dointvec,
42941 + },
42942 + {
42943 + .procname = "socket_server_gid",
42944 + .data = &grsec_socket_server_gid,
42945 + .maxlen = sizeof(int),
42946 + .mode = 0600,
42947 + .proc_handler = &proc_dointvec,
42948 + },
42949 +#endif
42950 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
42951 + {
42952 + .procname = "audit_group",
42953 + .data = &grsec_enable_group,
42954 + .maxlen = sizeof(int),
42955 + .mode = 0600,
42956 + .proc_handler = &proc_dointvec,
42957 + },
42958 + {
42959 + .procname = "audit_gid",
42960 + .data = &grsec_audit_gid,
42961 + .maxlen = sizeof(int),
42962 + .mode = 0600,
42963 + .proc_handler = &proc_dointvec,
42964 + },
42965 +#endif
42966 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
42967 + {
42968 + .procname = "audit_chdir",
42969 + .data = &grsec_enable_chdir,
42970 + .maxlen = sizeof(int),
42971 + .mode = 0600,
42972 + .proc_handler = &proc_dointvec,
42973 + },
42974 +#endif
42975 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
42976 + {
42977 + .procname = "audit_mount",
42978 + .data = &grsec_enable_mount,
42979 + .maxlen = sizeof(int),
42980 + .mode = 0600,
42981 + .proc_handler = &proc_dointvec,
42982 + },
42983 +#endif
42984 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
42985 + {
42986 + .procname = "audit_textrel",
42987 + .data = &grsec_enable_audit_textrel,
42988 + .maxlen = sizeof(int),
42989 + .mode = 0600,
42990 + .proc_handler = &proc_dointvec,
42991 + },
42992 +#endif
42993 +#ifdef CONFIG_GRKERNSEC_DMESG
42994 + {
42995 + .procname = "dmesg",
42996 + .data = &grsec_enable_dmesg,
42997 + .maxlen = sizeof(int),
42998 + .mode = 0600,
42999 + .proc_handler = &proc_dointvec,
43000 + },
43001 +#endif
43002 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
43003 + {
43004 + .procname = "chroot_findtask",
43005 + .data = &grsec_enable_chroot_findtask,
43006 + .maxlen = sizeof(int),
43007 + .mode = 0600,
43008 + .proc_handler = &proc_dointvec,
43009 + },
43010 +#endif
43011 +#ifdef CONFIG_GRKERNSEC_RESLOG
43012 + {
43013 + .procname = "resource_logging",
43014 + .data = &grsec_resource_logging,
43015 + .maxlen = sizeof(int),
43016 + .mode = 0600,
43017 + .proc_handler = &proc_dointvec,
43018 + },
43019 +#endif
43020 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
43021 + {
43022 + .procname = "audit_ptrace",
43023 + .data = &grsec_enable_audit_ptrace,
43024 + .maxlen = sizeof(int),
43025 + .mode = 0600,
43026 + .proc_handler = &proc_dointvec,
43027 + },
43028 +#endif
43029 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
43030 + {
43031 + .procname = "harden_ptrace",
43032 + .data = &grsec_enable_harden_ptrace,
43033 + .maxlen = sizeof(int),
43034 + .mode = 0600,
43035 + .proc_handler = &proc_dointvec,
43036 + },
43037 +#endif
43038 + {
43039 + .procname = "grsec_lock",
43040 + .data = &grsec_lock,
43041 + .maxlen = sizeof(int),
43042 + .mode = 0600,
43043 + .proc_handler = &proc_dointvec,
43044 + },
43045 +#endif
43046 +#ifdef CONFIG_GRKERNSEC_ROFS
43047 + {
43048 + .procname = "romount_protect",
43049 + .data = &grsec_enable_rofs,
43050 + .maxlen = sizeof(int),
43051 + .mode = 0600,
43052 + .proc_handler = &proc_dointvec_minmax,
43053 + .extra1 = &one,
43054 + .extra2 = &one,
43055 + },
43056 +#endif
43057 + { }
43058 +};
43059 +#endif
43060 diff -urNp linux-2.6.37/grsecurity/grsec_time.c linux-2.6.37/grsecurity/grsec_time.c
43061 --- linux-2.6.37/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500
43062 +++ linux-2.6.37/grsecurity/grsec_time.c 2011-01-17 02:41:02.000000000 -0500
43063 @@ -0,0 +1,16 @@
43064 +#include <linux/kernel.h>
43065 +#include <linux/sched.h>
43066 +#include <linux/grinternal.h>
43067 +#include <linux/module.h>
43068 +
43069 +void
43070 +gr_log_timechange(void)
43071 +{
43072 +#ifdef CONFIG_GRKERNSEC_TIME
43073 + if (grsec_enable_time)
43074 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
43075 +#endif
43076 + return;
43077 +}
43078 +
43079 +EXPORT_SYMBOL(gr_log_timechange);
43080 diff -urNp linux-2.6.37/grsecurity/grsec_tpe.c linux-2.6.37/grsecurity/grsec_tpe.c
43081 --- linux-2.6.37/grsecurity/grsec_tpe.c 1969-12-31 19:00:00.000000000 -0500
43082 +++ linux-2.6.37/grsecurity/grsec_tpe.c 2011-01-17 02:41:02.000000000 -0500
43083 @@ -0,0 +1,39 @@
43084 +#include <linux/kernel.h>
43085 +#include <linux/sched.h>
43086 +#include <linux/file.h>
43087 +#include <linux/fs.h>
43088 +#include <linux/grinternal.h>
43089 +
43090 +extern int gr_acl_tpe_check(void);
43091 +
43092 +int
43093 +gr_tpe_allow(const struct file *file)
43094 +{
43095 +#ifdef CONFIG_GRKERNSEC
43096 + struct inode *inode = file->f_path.dentry->d_parent->d_inode;
43097 + const struct cred *cred = current_cred();
43098 +
43099 + if (cred->uid && ((grsec_enable_tpe &&
43100 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
43101 + ((grsec_enable_tpe_invert && !in_group_p(grsec_tpe_gid)) ||
43102 + (!grsec_enable_tpe_invert && in_group_p(grsec_tpe_gid)))
43103 +#else
43104 + in_group_p(grsec_tpe_gid)
43105 +#endif
43106 + ) || gr_acl_tpe_check()) &&
43107 + (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
43108 + (inode->i_mode & S_IWOTH))))) {
43109 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
43110 + return 0;
43111 + }
43112 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
43113 + if (cred->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
43114 + ((inode->i_uid && (inode->i_uid != cred->uid)) ||
43115 + (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
43116 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
43117 + return 0;
43118 + }
43119 +#endif
43120 +#endif
43121 + return 1;
43122 +}
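Review bot: In gr_tpe_allow the directory-trust test `(inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))))` carries a redundant `!inode->i_uid &&` (that branch is only reached when `inode->i_uid` is zero) and reads more clearly as `(inode->i_uid || (inode->i_mode & (S_IWGRP | S_IWOTH)))`; the same `S_IWGRP | S_IWOTH` collapse applies to the TPE_ALL branch. Only the immediate parent directory is inspected via `file->f_path.dentry->d_parent->d_inode`, so a trusted directory nested below an untrusted one passes the check; a comment such as `/* only the direct parent directory is checked; ancestors are not walked */` would make that design limit explicit. `d_parent` is read without `dget_parent()`, and whether the caller's locking makes that safe against a concurrent rename of the executed file cannot be confirmed from this hunk.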
43123 diff -urNp linux-2.6.37/grsecurity/grsum.c linux-2.6.37/grsecurity/grsum.c
43124 --- linux-2.6.37/grsecurity/grsum.c 1969-12-31 19:00:00.000000000 -0500
43125 +++ linux-2.6.37/grsecurity/grsum.c 2011-01-17 02:41:02.000000000 -0500
43126 @@ -0,0 +1,61 @@
43127 +#include <linux/err.h>
43128 +#include <linux/kernel.h>
43129 +#include <linux/sched.h>
43130 +#include <linux/mm.h>
43131 +#include <linux/scatterlist.h>
43132 +#include <linux/crypto.h>
43133 +#include <linux/gracl.h>
43134 +
43135 +
43136 +#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
43137 +#error "crypto and sha256 must be built into the kernel"
43138 +#endif
43139 +
43140 +int
43141 +chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
43142 +{
43143 + char *p;
43144 + struct crypto_hash *tfm;
43145 + struct hash_desc desc;
43146 + struct scatterlist sg;
43147 + unsigned char temp_sum[GR_SHA_LEN];
43148 + volatile int retval = 0;
43149 + volatile int dummy = 0;
43150 + unsigned int i;
43151 +
43152 + sg_init_table(&sg, 1);
43153 +
43154 + tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
43155 + if (IS_ERR(tfm)) {
43156 + /* should never happen, since sha256 should be built in */
43157 + return 1;
43158 + }
43159 +
43160 + desc.tfm = tfm;
43161 + desc.flags = 0;
43162 +
43163 + crypto_hash_init(&desc);
43164 +
43165 + p = salt;
43166 + sg_set_buf(&sg, p, GR_SALT_LEN);
43167 + crypto_hash_update(&desc, &sg, sg.length);
43168 +
43169 + p = entry->pw;
43170 + sg_set_buf(&sg, p, strlen(p));
43171 +
43172 + crypto_hash_update(&desc, &sg, sg.length);
43173 +
43174 + crypto_hash_final(&desc, temp_sum);
43175 +
43176 + memset(entry->pw, 0, GR_PW_LEN);
43177 +
43178 + for (i = 0; i < GR_SHA_LEN; i++)
43179 + if (sum[i] != temp_sum[i])
43180 + retval = 1;
43181 + else
43182 + dummy = 1; // waste a cycle
43183 +
43184 + crypto_free_hash(tfm);
43185 +
43186 + return retval;
43187 +}
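Review bot: The comparison loop in chkpw still branches on each byte (`if (sum[i] != temp_sum[i])`), so its timing depends on where the first mismatch occurs regardless of the `volatile dummy` write; accumulating branch-free with `retval |= sum[i] ^ temp_sum[i];` and ending with `return retval != 0;` removes the data-dependent branch. The return values of `crypto_hash_init`, `crypto_hash_update` and `crypto_hash_final` are discarded, so a failure there would compare against an uninitialised `temp_sum`; they should be checked and treated as an authentication failure. `temp_sum` (the salted hash of the supplied password) is left on the stack although `entry->pw` is wiped; adding `memset(temp_sum, 0, sizeof(temp_sum));` before the return is cheap. The `strlen(p)` on `entry->pw` assumes the caller guarantees NUL termination within `GR_PW_LEN`, which this hunk cannot confirm.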
43188 diff -urNp linux-2.6.37/grsecurity/Kconfig linux-2.6.37/grsecurity/Kconfig
43189 --- linux-2.6.37/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
43190 +++ linux-2.6.37/grsecurity/Kconfig 2011-01-17 02:41:02.000000000 -0500
43191 @@ -0,0 +1,1000 @@
43192 +#
43193 +# grecurity configuration
43194 +#
43195 +
43196 +menu "Grsecurity"
43197 +
43198 +config GRKERNSEC
43199 + bool "Grsecurity"
43200 + select CRYPTO
43201 + select CRYPTO_SHA256
43202 + help
43203 + If you say Y here, you will be able to configure many features
43204 + that will enhance the security of your system. It is highly
43205 + recommended that you say Y here and read through the help
43206 + for each option so that you fully understand the features and
43207 + can evaluate their usefulness for your machine.
43208 +
43209 +choice
43210 + prompt "Security Level"
43211 + depends on GRKERNSEC
43212 + default GRKERNSEC_CUSTOM
43213 +
43214 +config GRKERNSEC_LOW
43215 + bool "Low"
43216 + select GRKERNSEC_LINK
43217 + select GRKERNSEC_FIFO
43218 + select GRKERNSEC_EXECVE
43219 + select GRKERNSEC_RANDNET
43220 + select GRKERNSEC_DMESG
43221 + select GRKERNSEC_CHROOT
43222 + select GRKERNSEC_CHROOT_CHDIR
43223 +
43224 + help
43225 + If you choose this option, several of the grsecurity options will
43226 + be enabled that will give you greater protection against a number
43227 + of attacks, while assuring that none of your software will have any
43228 + conflicts with the additional security measures. If you run a lot
43229 + of unusual software, or you are having problems with the higher
43230 + security levels, you should say Y here. With this option, the
43231 + following features are enabled:
43232 +
43233 + - Linking restrictions
43234 + - FIFO restrictions
43235 + - Enforcing RLIMIT_NPROC on execve
43236 + - Restricted dmesg
43237 + - Enforced chdir("/") on chroot
43238 + - Runtime module disabling
43239 +
43240 +config GRKERNSEC_MEDIUM
43241 + bool "Medium"
43242 + select PAX
43243 + select PAX_EI_PAX
43244 + select PAX_PT_PAX_FLAGS
43245 + select PAX_HAVE_ACL_FLAGS
43246 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
43247 + select GRKERNSEC_CHROOT
43248 + select GRKERNSEC_CHROOT_SYSCTL
43249 + select GRKERNSEC_LINK
43250 + select GRKERNSEC_FIFO
43251 + select GRKERNSEC_EXECVE
43252 + select GRKERNSEC_DMESG
43253 + select GRKERNSEC_RANDNET
43254 + select GRKERNSEC_FORKFAIL
43255 + select GRKERNSEC_TIME
43256 + select GRKERNSEC_SIGNAL
43257 + select GRKERNSEC_CHROOT
43258 + select GRKERNSEC_CHROOT_UNIX
43259 + select GRKERNSEC_CHROOT_MOUNT
43260 + select GRKERNSEC_CHROOT_PIVOT
43261 + select GRKERNSEC_CHROOT_DOUBLE
43262 + select GRKERNSEC_CHROOT_CHDIR
43263 + select GRKERNSEC_CHROOT_MKNOD
43264 + select GRKERNSEC_PROC
43265 + select GRKERNSEC_PROC_USERGROUP
43266 + select PAX_RANDUSTACK
43267 + select PAX_ASLR
43268 + select PAX_RANDMMAP
43269 + select PAX_REFCOUNT if (X86 || SPARC64)
43270 + select PAX_USERCOPY if ((X86 || SPARC32 || SPARC64 || PPC) && (SLAB || SLUB || SLOB))
43271 +
43272 + help
43273 + If you say Y here, several features in addition to those included
43274 + in the low additional security level will be enabled. These
43275 + features provide even more security to your system, though in rare
43276 + cases they may be incompatible with very old or poorly written
43277 + software. If you enable this option, make sure that your auth
43278 + service (identd) is running as gid 1001. With this option,
43279 + the following features (in addition to those provided in the
43280 + low additional security level) will be enabled:
43281 +
43282 + - Failed fork logging
43283 + - Time change logging
43284 + - Signal logging
43285 + - Deny mounts in chroot
43286 + - Deny double chrooting
43287 + - Deny sysctl writes in chroot
43288 + - Deny mknod in chroot
43289 + - Deny access to abstract AF_UNIX sockets out of chroot
43290 + - Deny pivot_root in chroot
43291 + - Denied writes of /dev/kmem, /dev/mem, and /dev/port
43292 + - /proc restrictions with special GID set to 10 (usually wheel)
43293 + - Address Space Layout Randomization (ASLR)
43294 + - Prevent exploitation of most refcount overflows
43295 + - Bounds checking of copying between the kernel and userland
43296 +
43297 +config GRKERNSEC_HIGH
43298 + bool "High"
43299 + select GRKERNSEC_LINK
43300 + select GRKERNSEC_FIFO
43301 + select GRKERNSEC_EXECVE
43302 + select GRKERNSEC_DMESG
43303 + select GRKERNSEC_FORKFAIL
43304 + select GRKERNSEC_TIME
43305 + select GRKERNSEC_SIGNAL
43306 + select GRKERNSEC_CHROOT
43307 + select GRKERNSEC_CHROOT_SHMAT
43308 + select GRKERNSEC_CHROOT_UNIX
43309 + select GRKERNSEC_CHROOT_MOUNT
43310 + select GRKERNSEC_CHROOT_FCHDIR
43311 + select GRKERNSEC_CHROOT_PIVOT
43312 + select GRKERNSEC_CHROOT_DOUBLE
43313 + select GRKERNSEC_CHROOT_CHDIR
43314 + select GRKERNSEC_CHROOT_MKNOD
43315 + select GRKERNSEC_CHROOT_CAPS
43316 + select GRKERNSEC_CHROOT_SYSCTL
43317 + select GRKERNSEC_CHROOT_FINDTASK
43318 + select GRKERNSEC_PROC
43319 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
43320 + select GRKERNSEC_HIDESYM
43321 + select GRKERNSEC_BRUTE
43322 + select GRKERNSEC_PROC_USERGROUP
43323 + select GRKERNSEC_KMEM
43324 + select GRKERNSEC_RESLOG
43325 + select GRKERNSEC_RANDNET
43326 + select GRKERNSEC_PROC_ADD
43327 + select GRKERNSEC_CHROOT_CHMOD
43328 + select GRKERNSEC_CHROOT_NICE
43329 + select GRKERNSEC_AUDIT_MOUNT
43330 + select GRKERNSEC_MODHARDEN if (MODULES)
43331 + select GRKERNSEC_HARDEN_PTRACE
43332 + select GRKERNSEC_VM86 if (X86_32)
43333 + select PAX
43334 + select PAX_RANDUSTACK
43335 + select PAX_ASLR
43336 + select PAX_RANDMMAP
43337 + select PAX_NOEXEC
43338 + select PAX_MPROTECT
43339 + select PAX_EI_PAX
43340 + select PAX_PT_PAX_FLAGS
43341 + select PAX_HAVE_ACL_FLAGS
43342 + select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
43343 + select PAX_MEMORY_UDEREF if (X86 && !XEN)
43344 + select PAX_RANDKSTACK if (X86_TSC && !X86_64)
43345 + select PAX_SEGMEXEC if (X86_32)
43346 + select PAX_PAGEEXEC
43347 + select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
43348 + select PAX_EMUTRAMP if (PARISC)
43349 + select PAX_EMUSIGRT if (PARISC)
43350 + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
43351 + select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
43352 + select PAX_REFCOUNT if (X86 || SPARC64)
43353 + select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
43354 + help
43355 + If you say Y here, many of the features of grsecurity will be
43356 + enabled, which will protect you against many kinds of attacks
43357 + against your system. The heightened security comes at a cost
43358 + of an increased chance of incompatibilities with rare software
43359 + on your machine. Since this security level enables PaX, you should
43360 + view <http://pax.grsecurity.net> and read about the PaX
43361 + project. While you are there, download chpax and run it on
43362 + binaries that cause problems with PaX. Also remember that
43363 + since the /proc restrictions are enabled, you must run your
43364 + identd as gid 1001. This security level enables the following
43365 + features in addition to those listed in the low and medium
43366 + security levels:
43367 +
43368 + - Additional /proc restrictions
43369 + - Chmod restrictions in chroot
43370 + - No signals, ptrace, or viewing of processes outside of chroot
43371 + - Capability restrictions in chroot
43372 + - Deny fchdir out of chroot
43373 + - Priority restrictions in chroot
43374 + - Segmentation-based implementation of PaX
43375 + - Mprotect restrictions
43376 + - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
43377 + - Kernel stack randomization
43378 + - Mount/unmount/remount logging
43379 + - Kernel symbol hiding
43380 + - Prevention of memory exhaustion-based exploits
43381 + - Hardening of module auto-loading
43382 + - Ptrace restrictions
43383 + - Restricted vm86 mode
43384 +
43385 +config GRKERNSEC_CUSTOM
43386 + bool "Custom"
43387 + help
43388 + If you say Y here, you will be able to configure every grsecurity
43389 + option, which allows you to enable many more features that aren't
43390 + covered in the basic security levels. These additional features
43391 + include TPE, socket restrictions, and the sysctl system for
43392 + grsecurity. It is advised that you read through the help for
43393 + each option to determine its usefulness in your situation.
43394 +
43395 +endchoice
43396 +
43397 +menu "Address Space Protection"
43398 +depends on GRKERNSEC
43399 +
43400 +config GRKERNSEC_KMEM
43401 + bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
43402 + help
43403 + If you say Y here, /dev/kmem and /dev/mem won't be allowed to
43404 + be written to via mmap or otherwise to modify the running kernel.
43405 + /dev/port will also not be allowed to be opened. If you have module
43406 + support disabled, enabling this will close up four ways that are
43407 + currently used to insert malicious code into the running kernel.
43408 + Even with all these features enabled, we still highly recommend that
43409 + you use the RBAC system, as it is still possible for an attacker to
43410 + modify the running kernel through privileged I/O granted by ioperm/iopl.
43411 + If you are not using XFree86, you may be able to stop this additional
43412 + case by enabling the 'Disable privileged I/O' option. Though nothing
43413 + legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
43414 + but only to video memory, which is the only writing we allow in this
43415 + case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
43416 + not be allowed to mprotect it with PROT_WRITE later.
43417 + It is highly recommended that you say Y here if you meet all the
43418 + conditions above.
43419 +
43420 +config GRKERNSEC_VM86
43421 + bool "Restrict VM86 mode"
43422 + depends on X86_32
43423 +
43424 + help
43425 + If you say Y here, only processes with CAP_SYS_RAWIO will be able to
43426 + make use of a special execution mode on 32bit x86 processors called
43427 + Virtual 8086 (VM86) mode. XFree86 may need vm86 mode for certain
43428 + video cards and will still work with this option enabled. The purpose
43429 + of the option is to prevent exploitation of emulation errors in
43430 + virtualization of vm86 mode like the one discovered in VMWare in 2009.
43431 + Nearly all users should be able to enable this option.
43432 +
43433 +config GRKERNSEC_IO
43434 + bool "Disable privileged I/O"
43435 + depends on X86
43436 + select RTC_CLASS
43437 + select RTC_INTF_DEV
43438 + select RTC_DRV_CMOS
43439 +
43440 + help
43441 + If you say Y here, all ioperm and iopl calls will return an error.
43442 + Ioperm and iopl can be used to modify the running kernel.
43443 + Unfortunately, some programs need this access to operate properly,
43444 + the most notable of which are XFree86 and hwclock. hwclock can be
43445 + remedied by having RTC support in the kernel, so real-time
43446 + clock support is enabled if this option is enabled, to ensure
43447 + that hwclock operates correctly. XFree86 still will not
43448 + operate correctly with this option enabled, so DO NOT CHOOSE Y
43449 + IF YOU USE XFree86. If you use XFree86 and you still want to
43450 + protect your kernel against modification, use the RBAC system.
43451 +
43452 +config GRKERNSEC_PROC_MEMMAP
43453 + bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
43454 + default y if (PAX_NOEXEC || PAX_ASLR)
43455 + depends on PAX_NOEXEC || PAX_ASLR
43456 + help
43457 + If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
43458 + give no information about the addresses of its mappings if
43459 + PaX features that rely on random addresses are enabled on the task.
43460 + If you use PaX it is greatly recommended that you say Y here as it
43461 + closes up a hole that makes the full ASLR useless for suid
43462 + binaries.
43463 +
43464 +config GRKERNSEC_BRUTE
43465 + bool "Deter exploit bruteforcing"
43466 + help
43467 + If you say Y here, attempts to bruteforce exploits against forking
43468 + daemons such as apache or sshd will be deterred. When a child of a
43469 + forking daemon is killed by PaX or crashes due to an illegal
43470 + instruction, the parent process will be delayed 30 seconds upon every
43471 + subsequent fork until the administrator is able to assess the
43472 + situation and restart the daemon. It is recommended that you also
43473 + enable signal logging in the auditing section so that logs are
43474 + generated when a process performs an illegal instruction.
43475 +
43476 +config GRKERNSEC_MODHARDEN
43477 + bool "Harden module auto-loading"
43478 + depends on MODULES
43479 + help
43480 + If you say Y here, module auto-loading in response to use of some
43481 + feature implemented by an unloaded module will be restricted to
43482 + root users. Enabling this option helps defend against attacks
43483 + by unprivileged users who abuse the auto-loading behavior to
43484 + cause a vulnerable module to load that is then exploited.
43485 +
43486 + If this option prevents a legitimate use of auto-loading for a
43487 + non-root user, the administrator can execute modprobe manually
43488 + with the exact name of the module mentioned in the alert log.
43489 + Alternatively, the administrator can add the module to the list
43490 + of modules loaded at boot by modifying init scripts.
43491 +
43492 + Modification of init scripts will most likely be needed on
43493 + Ubuntu servers with encrypted home directory support enabled,
43494 + as the first non-root user logging in will cause the ecb(aes),
43495 + ecb(aes)-all, cbc(aes), and cbc(aes)-all modules to be loaded.
43496 +
43497 +config GRKERNSEC_HIDESYM
43498 + bool "Hide kernel symbols"
43499 + help
43500 + If you say Y here, getting information on loaded modules, and
43501 + displaying all kernel symbols through a syscall will be restricted
43502 + to users with CAP_SYS_MODULE. For software compatibility reasons,
43503 + /proc/kallsyms will be restricted to the root user. The RBAC
43504 + system can hide that entry even from root.
43505 +
43506 + This option also prevents leaking of kernel addresses through
43507 + several /proc entries.
43508 +
43509 + Note that this option is only effective provided the following
43510 + conditions are met:
43511 + 1) The kernel using grsecurity is not precompiled by some distribution
43512 + 2) You have also enabled GRKERNSEC_DMESG
43513 + 3) You are using the RBAC system and hiding other files such as your
43514 + kernel image and System.map. Alternatively, enabling this option
43515 + causes the permissions on /boot, /lib/modules, and the kernel
43516 + source directory to change at compile time to prevent
43517 + reading by non-root users.
43518 + If the above conditions are met, this option will aid in providing a
43519 + useful protection against local kernel exploitation of overflows
43520 + and arbitrary read/write vulnerabilities.
43521 +
43522 +endmenu
43523 +menu "Role Based Access Control Options"
43524 +depends on GRKERNSEC
43525 +
43526 +config GRKERNSEC_NO_RBAC
43527 + bool "Disable RBAC system"
43528 + help
43529 + If you say Y here, the /dev/grsec device will be removed from the kernel,
43530 + preventing the RBAC system from being enabled. You should only say Y
43531 + here if you have no intention of using the RBAC system, so as to prevent
43532 + an attacker with root access from misusing the RBAC system to hide files
43533 + and processes when loadable module support and /dev/[k]mem have been
43534 + locked down.
43535 +
43536 +config GRKERNSEC_ACL_HIDEKERN
43537 + bool "Hide kernel processes"
43538 + help
43539 + If you say Y here, all kernel threads will be hidden to all
43540 + processes but those whose subject has the "view hidden processes"
43541 + flag.
43542 +
43543 +config GRKERNSEC_ACL_MAXTRIES
43544 + int "Maximum tries before password lockout"
43545 + default 3
43546 + help
43547 + This option enforces the maximum number of times a user can attempt
43548 + to authorize themselves with the grsecurity RBAC system before being
43549 + denied the ability to attempt authorization again for a specified time.
43550 + The lower the number, the harder it will be to brute-force a password.
43551 +
43552 +config GRKERNSEC_ACL_TIMEOUT
43553 + int "Time to wait after max password tries, in seconds"
43554 + default 30
43555 + help
43556 + This option specifies the time the user must wait after attempting to
43557 + authorize to the RBAC system with the maximum number of invalid
43558 + passwords. The higher the number, the harder it will be to brute-force
43559 + a password.
43560 +
43561 +endmenu
43562 +menu "Filesystem Protections"
43563 +depends on GRKERNSEC
43564 +
43565 +config GRKERNSEC_PROC
43566 + bool "Proc restrictions"
43567 + help
43568 + If you say Y here, the permissions of the /proc filesystem
43569 + will be altered to enhance system security and privacy. You MUST
43570 + choose either a user only restriction or a user and group restriction.
43571 + Depending upon the option you choose, you can either restrict users to
43572 + see only the processes they themselves run, or choose a group that can
43573 + view all processes and files normally restricted to root if you choose
43574 + the "restrict to user only" option. NOTE: If you're running identd as
43575 + a non-root user, you will have to run it as the group you specify here.
43576 +
43577 +config GRKERNSEC_PROC_USER
43578 + bool "Restrict /proc to user only"
43579 + depends on GRKERNSEC_PROC
43580 + help
43581 + If you say Y here, non-root users will only be able to view their own
43582 + processes, and restricts them from viewing network-related information,
43583 + and viewing kernel symbol and module information.
43584 +
43585 +config GRKERNSEC_PROC_USERGROUP
43586 + bool "Allow special group"
43587 + depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
43588 + help
43589 + If you say Y here, you will be able to select a group that will be
43590 + able to view all processes and network-related information. If you've
43591 + enabled GRKERNSEC_HIDESYM, kernel and symbol information may still
43592 + remain hidden. This option is useful if you want to run identd as
43593 + a non-root user.
43594 +
43595 +config GRKERNSEC_PROC_GID
43596 + int "GID for special group"
43597 + depends on GRKERNSEC_PROC_USERGROUP
43598 + default 1001
43599 +
43600 +config GRKERNSEC_PROC_ADD
43601 + bool "Additional restrictions"
43602 + depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
43603 + help
43604 + If you say Y here, additional restrictions will be placed on
43605 + /proc that keep normal users from viewing device information and
43606 + slabinfo information that could be useful for exploits.
43607 +
43608 +config GRKERNSEC_LINK
43609 + bool "Linking restrictions"
43610 + help
43611 + If you say Y here, /tmp race exploits will be prevented, since users
43612 + will no longer be able to follow symlinks owned by other users in
43613 + world-writable +t directories (i.e. /tmp), unless the owner of the
43614 + symlink is the owner of the directory. users will also not be
43615 + able to hardlink to files they do not own. If the sysctl option is
43616 + enabled, a sysctl option with name "linking_restrictions" is created.
43617 +
43618 +config GRKERNSEC_FIFO
43619 + bool "FIFO restrictions"
43620 + help
43621 + If you say Y here, users will not be able to write to FIFOs they don't
43622 + own in world-writable +t directories (i.e. /tmp), unless the owner of
43623 + the FIFO is the same owner of the directory it's held in. If the sysctl
43624 + option is enabled, a sysctl option with name "fifo_restrictions" is
43625 + created.
43626 +
43627 +config GRKERNSEC_ROFS
43628 + bool "Runtime read-only mount protection"
43629 + help
43630 + If you say Y here, a sysctl option with name "romount_protect" will
43631 + be created. By setting this option to 1 at runtime, filesystems
43632 + will be protected in the following ways:
43633 + * No new writable mounts will be allowed
43634 + * Existing read-only mounts won't be able to be remounted read/write
43635 + * Write operations will be denied on all block devices
43636 + This option acts independently of grsec_lock: once it is set to 1,
43637 + it cannot be turned off. Therefore, please be mindful of the resulting
43638 + behavior if this option is enabled in an init script on a read-only
43639 + filesystem. This feature is mainly intended for secure embedded systems.
43640 +
43641 +config GRKERNSEC_CHROOT
43642 + bool "Chroot jail restrictions"
43643 + help
43644 + If you say Y here, you will be able to choose several options that will
43645 + make breaking out of a chrooted jail much more difficult. If you
43646 + encounter no software incompatibilities with the following options, it
43647 + is recommended that you enable each one.
43648 +
43649 +config GRKERNSEC_CHROOT_MOUNT
43650 + bool "Deny mounts"
43651 + depends on GRKERNSEC_CHROOT
43652 + help
43653 + If you say Y here, processes inside a chroot will not be able to
43654 + mount or remount filesystems. If the sysctl option is enabled, a
43655 + sysctl option with name "chroot_deny_mount" is created.
43656 +
43657 +config GRKERNSEC_CHROOT_DOUBLE
43658 + bool "Deny double-chroots"
43659 + depends on GRKERNSEC_CHROOT
43660 + help
43661 + If you say Y here, processes inside a chroot will not be able to chroot
43662 + again outside the chroot. This is a widely used method of breaking
43663 + out of a chroot jail and should not be allowed. If the sysctl
43664 + option is enabled, a sysctl option with name
43665 + "chroot_deny_chroot" is created.
43666 +
43667 +config GRKERNSEC_CHROOT_PIVOT
43668 + bool "Deny pivot_root in chroot"
43669 + depends on GRKERNSEC_CHROOT
43670 + help
43671 + If you say Y here, processes inside a chroot will not be able to use
43672 + a function called pivot_root() that was introduced in Linux 2.3.41. It
43673 + works similar to chroot in that it changes the root filesystem. This
43674 + function could be misused in a chrooted process to attempt to break out
43675 + of the chroot, and therefore should not be allowed. If the sysctl
43676 + option is enabled, a sysctl option with name "chroot_deny_pivot" is
43677 + created.
43678 +
43679 +config GRKERNSEC_CHROOT_CHDIR
43680 + bool "Enforce chdir(\"/\") on all chroots"
43681 + depends on GRKERNSEC_CHROOT
43682 + help
43683 + If you say Y here, the current working directory of all newly-chrooted
43684 + applications will be set to the the root directory of the chroot.
43685 + The man page on chroot(2) states:
43686 + Note that this call does not change the current working
43687 + directory, so that `.' can be outside the tree rooted at
43688 + `/'. In particular, the super-user can escape from a
43689 + `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
43690 +
43691 + It is recommended that you say Y here, since it's not known to break
43692 + any software. If the sysctl option is enabled, a sysctl option with
43693 + name "chroot_enforce_chdir" is created.
43694 +
43695 +config GRKERNSEC_CHROOT_CHMOD
43696 + bool "Deny (f)chmod +s"
43697 + depends on GRKERNSEC_CHROOT
43698 + help
43699 + If you say Y here, processes inside a chroot will not be able to chmod
43700 + or fchmod files to make them have suid or sgid bits. This protects
43701 + against another published method of breaking a chroot. If the sysctl
43702 + option is enabled, a sysctl option with name "chroot_deny_chmod" is
43703 + created.
43704 +
43705 +config GRKERNSEC_CHROOT_FCHDIR
43706 + bool "Deny fchdir out of chroot"
43707 + depends on GRKERNSEC_CHROOT
43708 + help
43709 + If you say Y here, a well-known method of breaking chroots by fchdir'ing
43710 + to a file descriptor of the chrooting process that points to a directory
43711 + outside the filesystem will be stopped. If the sysctl option
43712 + is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
43713 +
43714 +config GRKERNSEC_CHROOT_MKNOD
43715 + bool "Deny mknod"
43716 + depends on GRKERNSEC_CHROOT
43717 + help
43718 + If you say Y here, processes inside a chroot will not be allowed to
43719 + mknod. The problem with using mknod inside a chroot is that it
43720 + would allow an attacker to create a device entry that is the same
43721 + as one on the physical root of your system, which could range from
43722 + anything from the console device to a device for your harddrive (which
43723 + they could then use to wipe the drive or steal data). It is recommended
43724 + that you say Y here, unless you run into software incompatibilities.
43725 + If the sysctl option is enabled, a sysctl option with name
43726 + "chroot_deny_mknod" is created.
43727 +
43728 +config GRKERNSEC_CHROOT_SHMAT
43729 + bool "Deny shmat() out of chroot"
43730 + depends on GRKERNSEC_CHROOT
43731 + help
43732 + If you say Y here, processes inside a chroot will not be able to attach
43733 + to shared memory segments that were created outside of the chroot jail.
43734 + It is recommended that you say Y here. If the sysctl option is enabled,
43735 + a sysctl option with name "chroot_deny_shmat" is created.
43736 +
43737 +config GRKERNSEC_CHROOT_UNIX
43738 + bool "Deny access to abstract AF_UNIX sockets out of chroot"
43739 + depends on GRKERNSEC_CHROOT
43740 + help
43741 + If you say Y here, processes inside a chroot will not be able to
43742 + connect to abstract (meaning not belonging to a filesystem) Unix
43743 + domain sockets that were bound outside of a chroot. It is recommended
43744 + that you say Y here. If the sysctl option is enabled, a sysctl option
43745 + with name "chroot_deny_unix" is created.
43746 +
43747 +config GRKERNSEC_CHROOT_FINDTASK
43748 + bool "Protect outside processes"
43749 + depends on GRKERNSEC_CHROOT
43750 + help
43751 + If you say Y here, processes inside a chroot will not be able to
43752 + kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
43753 + getsid, or view any process outside of the chroot. If the sysctl
43754 + option is enabled, a sysctl option with name "chroot_findtask" is
43755 + created.
43756 +
43757 +config GRKERNSEC_CHROOT_NICE
43758 + bool "Restrict priority changes"
43759 + depends on GRKERNSEC_CHROOT
43760 + help
43761 + If you say Y here, processes inside a chroot will not be able to raise
43762 + the priority of processes in the chroot, or alter the priority of
43763 + processes outside the chroot. This provides more security than simply
43764 + removing CAP_SYS_NICE from the process' capability set. If the
43765 + sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
43766 + is created.
43767 +
43768 +config GRKERNSEC_CHROOT_SYSCTL
43769 + bool "Deny sysctl writes"
43770 + depends on GRKERNSEC_CHROOT
43771 + help
43772 + If you say Y here, an attacker in a chroot will not be able to
43773 + write to sysctl entries, either by sysctl(2) or through a /proc
43774 + interface. It is strongly recommended that you say Y here. If the
43775 + sysctl option is enabled, a sysctl option with name
43776 + "chroot_deny_sysctl" is created.
43777 +
43778 +config GRKERNSEC_CHROOT_CAPS
43779 + bool "Capability restrictions"
43780 + depends on GRKERNSEC_CHROOT
43781 + help
43782 + If you say Y here, the capabilities on all root processes within a
43783 + chroot jail will be lowered to stop module insertion, raw i/o,
43784 + system and net admin tasks, rebooting the system, modifying immutable
43785 + files, modifying IPC owned by another, and changing the system time.
43786 + This is left an option because it can break some apps. Disable this
43787 + if your chrooted apps are having problems performing those kinds of
43788 + tasks. If the sysctl option is enabled, a sysctl option with
43789 + name "chroot_caps" is created.
43790 +
43791 +endmenu
43792 +menu "Kernel Auditing"
43793 +depends on GRKERNSEC
43794 +
43795 +config GRKERNSEC_AUDIT_GROUP
43796 + bool "Single group for auditing"
43797 + help
43798 + If you say Y here, the exec, chdir, and (un)mount logging features
43799 + will only operate on a group you specify. This option is recommended
43800 + if you only want to watch certain users instead of having a large
43801 + amount of logs from the entire system. If the sysctl option is enabled,
43802 + a sysctl option with name "audit_group" is created.
43803 +
43804 +config GRKERNSEC_AUDIT_GID
43805 + int "GID for auditing"
43806 + depends on GRKERNSEC_AUDIT_GROUP
43807 + default 1007
43808 +
43809 +config GRKERNSEC_EXECLOG
43810 + bool "Exec logging"
43811 + help
43812 + If you say Y here, all execve() calls will be logged (since the
43813 + other exec*() calls are frontends to execve(), all execution
43814 + will be logged). Useful for shell-servers that like to keep track
43815 + of their users. If the sysctl option is enabled, a sysctl option with
43816 + name "exec_logging" is created.
43817 + WARNING: This option when enabled will produce a LOT of logs, especially
43818 + on an active system.
43819 +
43820 +config GRKERNSEC_RESLOG
43821 + bool "Resource logging"
43822 + help
43823 + If you say Y here, all attempts to overstep resource limits will
43824 + be logged with the resource name, the requested size, and the current
43825 + limit. It is highly recommended that you say Y here. If the sysctl
43826 + option is enabled, a sysctl option with name "resource_logging" is
43827 + created. If the RBAC system is enabled, the sysctl value is ignored.
43828 +
43829 +config GRKERNSEC_CHROOT_EXECLOG
43830 + bool "Log execs within chroot"
43831 + help
43832 + If you say Y here, all executions inside a chroot jail will be logged
43833 + to syslog. This can cause a large amount of logs if certain
43834 + applications (eg. djb's daemontools) are installed on the system, and
43835 + is therefore left as an option. If the sysctl option is enabled, a
43836 + sysctl option with name "chroot_execlog" is created.
43837 +
43838 +config GRKERNSEC_AUDIT_PTRACE
43839 + bool "Ptrace logging"
43840 + help
43841 + If you say Y here, all attempts to attach to a process via ptrace
43842 + will be logged. If the sysctl option is enabled, a sysctl option
43843 + with name "audit_ptrace" is created.
43844 +
43845 +config GRKERNSEC_AUDIT_CHDIR
43846 + bool "Chdir logging"
43847 + help
43848 + If you say Y here, all chdir() calls will be logged. If the sysctl
43849 + option is enabled, a sysctl option with name "audit_chdir" is created.
43850 +
43851 +config GRKERNSEC_AUDIT_MOUNT
43852 + bool "(Un)Mount logging"
43853 + help
43854 + If you say Y here, all mounts and unmounts will be logged. If the
43855 + sysctl option is enabled, a sysctl option with name "audit_mount" is
43856 + created.
43857 +
43858 +config GRKERNSEC_SIGNAL
43859 + bool "Signal logging"
43860 + help
43861 + If you say Y here, certain important signals will be logged, such as
43862 + SIGSEGV, which will as a result inform you of when a error in a program
43863 + occurred, which in some cases could mean a possible exploit attempt.
43864 + If the sysctl option is enabled, a sysctl option with name
43865 + "signal_logging" is created.
43866 +
43867 +config GRKERNSEC_FORKFAIL
43868 + bool "Fork failure logging"
43869 + help
43870 + If you say Y here, all failed fork() attempts will be logged.
43871 + This could suggest a fork bomb, or someone attempting to overstep
43872 + their process limit. If the sysctl option is enabled, a sysctl option
43873 + with name "forkfail_logging" is created.
43874 +
43875 +config GRKERNSEC_TIME
43876 + bool "Time change logging"
43877 + help
43878 + If you say Y here, any changes of the system clock will be logged.
43879 + If the sysctl option is enabled, a sysctl option with name
43880 + "timechange_logging" is created.
43881 +
43882 +config GRKERNSEC_PROC_IPADDR
43883 + bool "/proc/<pid>/ipaddr support"
43884 + help
43885 + If you say Y here, a new entry will be added to each /proc/<pid>
43886 + directory that contains the IP address of the person using the task.
43887 + The IP is carried across local TCP and AF_UNIX stream sockets.
43888 + This information can be useful for IDS/IPSes to perform remote response
43889 + to a local attack. The entry is readable by only the owner of the
43890 + process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
43891 + the RBAC system), and thus does not create privacy concerns.
43892 +
43893 +config GRKERNSEC_RWXMAP_LOG
43894 + bool 'Denied RWX mmap/mprotect logging'
43895 + depends on PAX_MPROTECT && !PAX_EMUPLT && !PAX_EMUSIGRT
43896 + help
43897 + If you say Y here, calls to mmap() and mprotect() with explicit
43898 + usage of PROT_WRITE and PROT_EXEC together will be logged when
43899 + denied by the PAX_MPROTECT feature. If the sysctl option is
43900 + enabled, a sysctl option with name "rwxmap_logging" is created.
43901 +
43902 +config GRKERNSEC_AUDIT_TEXTREL
43903 + bool 'ELF text relocations logging (READ HELP)'
43904 + depends on PAX_MPROTECT
43905 + help
43906 + If you say Y here, text relocations will be logged with the filename
43907 + of the offending library or binary. The purpose of the feature is
43908 + to help Linux distribution developers get rid of libraries and
43909 + binaries that need text relocations which hinder the future progress
43910 + of PaX. Only Linux distribution developers should say Y here, and
43911 + never on a production machine, as this option creates an information
43912 + leak that could aid an attacker in defeating the randomization of
43913 + a single memory region. If the sysctl option is enabled, a sysctl
43914 + option with name "audit_textrel" is created.
43915 +
43916 +endmenu
43917 +
43918 +menu "Executable Protections"
43919 +depends on GRKERNSEC
43920 +
43921 +config GRKERNSEC_EXECVE
43922 + bool "Enforce RLIMIT_NPROC on execs"
43923 + help
43924 + If you say Y here, users with a resource limit on processes will
43925 + have the value checked during execve() calls. The current system
43926 + only checks the system limit during fork() calls. If the sysctl option
43927 + is enabled, a sysctl option with name "execve_limiting" is created.
43928 +
43929 +config GRKERNSEC_DMESG
43930 + bool "Dmesg(8) restriction"
43931 + help
43932 + If you say Y here, non-root users will not be able to use dmesg(8)
43933 + to view up to the last 4kb of messages in the kernel's log buffer.
43934 + The kernel's log buffer often contains kernel addresses and other
43935 + identifying information useful to an attacker in fingerprinting a
43936 + system for a targeted exploit.
43937 + If the sysctl option is enabled, a sysctl option with name "dmesg" is
43938 + created.
43939 +
43940 +config GRKERNSEC_HARDEN_PTRACE
43941 + bool "Deter ptrace-based process snooping"
43942 + help
43943 + If you say Y here, TTY sniffers and other malicious monitoring
43944 + programs implemented through ptrace will be defeated. If you
43945 + have been using the RBAC system, this option has already been
43946 + enabled for several years for all users, with the ability to make
43947 + fine-grained exceptions.
43948 +
43949 + This option only affects the ability of non-root users to ptrace
43950 + processes that are not a descendent of the ptracing process.
43951 + This means that strace ./binary and gdb ./binary will still work,
43952 + but attaching to arbitrary processes will not. If the sysctl
43953 + option is enabled, a sysctl option with name "harden_ptrace" is
43954 + created.
43955 +
43956 +config GRKERNSEC_TPE
43957 + bool "Trusted Path Execution (TPE)"
43958 + help
43959 + If you say Y here, you will be able to choose a gid to add to the
43960 + supplementary groups of users you want to mark as "untrusted."
43961 + These users will not be able to execute any files that are not in
43962 + root-owned directories writable only by root. If the sysctl option
43963 + is enabled, a sysctl option with name "tpe" is created.
43964 +
43965 +config GRKERNSEC_TPE_ALL
43966 + bool "Partially restrict all non-root users"
43967 + depends on GRKERNSEC_TPE
43968 + help
43969 + If you say Y here, all non-root users will be covered under
43970 + a weaker TPE restriction. This is separate from, and in addition to,
43971 + the main TPE options that you have selected elsewhere. Thus, if a
43972 + "trusted" GID is chosen, this restriction applies to even that GID.
43973 + Under this restriction, all non-root users will only be allowed to
43974 + execute files in directories they own that are not group or
43975 + world-writable, or in directories owned by root and writable only by
43976 + root. If the sysctl option is enabled, a sysctl option with name
43977 + "tpe_restrict_all" is created.
43978 +
43979 +config GRKERNSEC_TPE_INVERT
43980 + bool "Invert GID option"
43981 + depends on GRKERNSEC_TPE
43982 + help
43983 + If you say Y here, the group you specify in the TPE configuration will
43984 + decide what group TPE restrictions will be *disabled* for. This
43985 + option is useful if you want TPE restrictions to be applied to most
43986 + users on the system. If the sysctl option is enabled, a sysctl option
43987 + with name "tpe_invert" is created. Unlike other sysctl options, this
43988 + entry will default to on for backward-compatibility.
43989 +
43990 +config GRKERNSEC_TPE_GID
43991 + int "GID for untrusted users"
43992 + depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
43993 + default 1005
43994 + help
43995 + Setting this GID determines what group TPE restrictions will be
43996 + *enabled* for. If the sysctl option is enabled, a sysctl option
43997 + with name "tpe_gid" is created.
43998 +
43999 +config GRKERNSEC_TPE_GID
44000 + int "GID for trusted users"
44001 + depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
44002 + default 1005
44003 + help
44004 + Setting this GID determines what group TPE restrictions will be
44005 + *disabled* for. If the sysctl option is enabled, a sysctl option
44006 + with name "tpe_gid" is created.
44007 +
44008 +endmenu
44009 +menu "Network Protections"
44010 +depends on GRKERNSEC
44011 +
44012 +config GRKERNSEC_RANDNET
44013 + bool "Larger entropy pools"
44014 + help
44015 + If you say Y here, the entropy pools used for many features of Linux
44016 + and grsecurity will be doubled in size. Since several grsecurity
44017 + features use additional randomness, it is recommended that you say Y
44018 + here. Saying Y here has a similar effect as modifying
44019 + /proc/sys/kernel/random/poolsize.
44020 +
44021 +config GRKERNSEC_BLACKHOLE
44022 + bool "TCP/UDP blackhole and LAST_ACK DoS prevention"
44023 + help
44024 + If you say Y here, neither TCP resets nor ICMP
44025 + destination-unreachable packets will be sent in response to packets
44026 + sent to ports for which no associated listening process exists.
44027 + This feature supports both IPV4 and IPV6 and exempts the
44028 + loopback interface from blackholing. Enabling this feature
44029 + makes a host more resilient to DoS attacks and reduces network
44030 + visibility against scanners.
44031 +
44032 + The blackhole feature as-implemented is equivalent to the FreeBSD
44033 + blackhole feature, as it prevents RST responses to all packets, not
44034 + just SYNs. Under most application behavior this causes no
44035 + problems, but applications (like haproxy) may not close certain
44036 + connections in a way that cleanly terminates them on the remote
44037 + end, leaving the remote host in LAST_ACK state. Because of this
44038 + side-effect and to prevent intentional LAST_ACK DoSes, this
44039 + feature also adds automatic mitigation against such attacks.
44040 + The mitigation drastically reduces the amount of time a socket
44041 + can spend in LAST_ACK state. If you're using haproxy and not
44042 + all servers it connects to have this option enabled, consider
44043 + disabling this feature on the haproxy host.
44044 +
44045 + If the sysctl option is enabled, two sysctl options with names
44046 + "ip_blackhole" and "lastack_retries" will be created.
44047 + While "ip_blackhole" takes the standard zero/non-zero on/off
44048 + toggle, "lastack_retries" uses the same kinds of values as
44049 + "tcp_retries1" and "tcp_retries2". The default value of 4
44050 + prevents a socket from lasting more than 45 seconds in LAST_ACK
44051 + state.
44052 +
44053 +config GRKERNSEC_SOCKET
44054 + bool "Socket restrictions"
44055 + help
44056 + If you say Y here, you will be able to choose from several options.
44057 + If you assign a GID on your system and add it to the supplementary
44058 + groups of users you want to restrict socket access to, this patch
44059 + will perform up to three things, based on the option(s) you choose.
44060 +
44061 +config GRKERNSEC_SOCKET_ALL
44062 + bool "Deny any sockets to group"
44063 + depends on GRKERNSEC_SOCKET
44064 + help
44065 + If you say Y here, you will be able to choose a GID of whose users will
44066 + be unable to connect to other hosts from your machine or run server
44067 + applications from your machine. If the sysctl option is enabled, a
44068 + sysctl option with name "socket_all" is created.
44069 +
44070 +config GRKERNSEC_SOCKET_ALL_GID
44071 + int "GID to deny all sockets for"
44072 + depends on GRKERNSEC_SOCKET_ALL
44073 + default 1004
44074 + help
44075 + Here you can choose the GID to disable socket access for. Remember to
44076 + add the users you want socket access disabled for to the GID
44077 + specified here. If the sysctl option is enabled, a sysctl option
44078 + with name "socket_all_gid" is created.
44079 +
44080 +config GRKERNSEC_SOCKET_CLIENT
44081 + bool "Deny client sockets to group"
44082 + depends on GRKERNSEC_SOCKET
44083 + help
44084 + If you say Y here, you will be able to choose a GID of whose users will
44085 + be unable to connect to other hosts from your machine, but will be
44086 + able to run servers. If this option is enabled, all users in the group
44087 + you specify will have to use passive mode when initiating ftp transfers
44088 + from the shell on your machine. If the sysctl option is enabled, a
44089 + sysctl option with name "socket_client" is created.
44090 +
44091 +config GRKERNSEC_SOCKET_CLIENT_GID
44092 + int "GID to deny client sockets for"
44093 + depends on GRKERNSEC_SOCKET_CLIENT
44094 + default 1003
44095 + help
44096 + Here you can choose the GID to disable client socket access for.
44097 + Remember to add the users you want client socket access disabled for to
44098 + the GID specified here. If the sysctl option is enabled, a sysctl
44099 + option with name "socket_client_gid" is created.
44100 +
44101 +config GRKERNSEC_SOCKET_SERVER
44102 + bool "Deny server sockets to group"
44103 + depends on GRKERNSEC_SOCKET
44104 + help
44105 + If you say Y here, you will be able to choose a GID of whose users will
44106 + be unable to run server applications from your machine. If the sysctl
44107 + option is enabled, a sysctl option with name "socket_server" is created.
44108 +
44109 +config GRKERNSEC_SOCKET_SERVER_GID
44110 + int "GID to deny server sockets for"
44111 + depends on GRKERNSEC_SOCKET_SERVER
44112 + default 1002
44113 + help
44114 + Here you can choose the GID to disable server socket access for.
44115 + Remember to add the users you want server socket access disabled for to
44116 + the GID specified here. If the sysctl option is enabled, a sysctl
44117 + option with name "socket_server_gid" is created.
44118 +
44119 +endmenu
44120 +menu "Sysctl support"
44121 +depends on GRKERNSEC && SYSCTL
44122 +
44123 +config GRKERNSEC_SYSCTL
44124 + bool "Sysctl support"
44125 + help
44126 + If you say Y here, you will be able to change the options that
44127 + grsecurity runs with at bootup, without having to recompile your
44128 + kernel. You can echo values to files in /proc/sys/kernel/grsecurity
44129 + to enable (1) or disable (0) various features. All the sysctl entries
44130 + are mutable until the "grsec_lock" entry is set to a non-zero value.
44131 + All features enabled in the kernel configuration are disabled at boot
44132 + if you do not say Y to the "Turn on features by default" option.
44133 + All options should be set at startup, and the grsec_lock entry should
44134 + be set to a non-zero value after all the options are set.
44135 + *THIS IS EXTREMELY IMPORTANT*
44136 +
44137 +config GRKERNSEC_SYSCTL_DISTRO
44138 + bool "Extra sysctl support for distro makers (READ HELP)"
44139 + depends on GRKERNSEC_SYSCTL && GRKERNSEC_IO
44140 + help
44141 + If you say Y here, additional sysctl options will be created
44142 + for features that affect processes running as root. Therefore,
44143 + it is critical when using this option that the grsec_lock entry be
44144 + enabled after boot. Only distros with prebuilt kernel packages
44145 + with this option enabled that can ensure grsec_lock is enabled
44146 + after boot should use this option.
44147 + *Failure to set grsec_lock after boot makes all grsec features
44148 + this option covers useless*
44149 +
44150 + Currently this option creates the following sysctl entries:
44151 + "Disable Privileged I/O": "disable_priv_io"
44152 +
44153 +config GRKERNSEC_SYSCTL_ON
44154 + bool "Turn on features by default"
44155 + depends on GRKERNSEC_SYSCTL
44156 + help
44157 + If you say Y here, instead of having all features enabled in the
44158 + kernel configuration disabled at boot time, the features will be
44159 + enabled at boot time. It is recommended you say Y here unless
44160 + there is some reason you would want all sysctl-tunable features to
44161 + be disabled by default. As mentioned elsewhere, it is important
44162 + to enable the grsec_lock entry once you have finished modifying
44163 + the sysctl entries.
44164 +
44165 +endmenu
44166 +menu "Logging Options"
44167 +depends on GRKERNSEC
44168 +
44169 +config GRKERNSEC_FLOODTIME
44170 + int "Seconds in between log messages (minimum)"
44171 + default 10
44172 + help
44173 + This option allows you to enforce the number of seconds between
44174 + grsecurity log messages. The default should be suitable for most
44175 + people, however, if you choose to change it, choose a value small enough
44176 + to allow informative logs to be produced, but large enough to
44177 + prevent flooding.
44178 +
44179 +config GRKERNSEC_FLOODBURST
44180 + int "Number of messages in a burst (maximum)"
44181 + default 4
44182 + help
44183 + This option allows you to choose the maximum number of messages allowed
44184 + within the flood time interval you chose in a separate option. The
44185 + default should be suitable for most people, however if you find that
44186 + many of your logs are being interpreted as flooding, you may want to
44187 + raise this value.
44188 +
44189 +endmenu
44190 +
44191 +endmenu
44192 diff -urNp linux-2.6.37/grsecurity/Makefile linux-2.6.37/grsecurity/Makefile
44193 --- linux-2.6.37/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
44194 +++ linux-2.6.37/grsecurity/Makefile 2011-01-17 02:41:02.000000000 -0500
44195 @@ -0,0 +1,29 @@
44196 +# grsecurity's ACL system was originally written in 2001 by Michael Dalton
44197 +# during 2001-2009 it has been completely redesigned by Brad Spengler
44198 +# into an RBAC system
44199 +#
44200 +# All code in this directory and various hooks inserted throughout the kernel
44201 +# are copyright Brad Spengler - Open Source Security, Inc., and released
44202 +# under the GPL v2 or higher
44203 +
44204 +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
44205 + grsec_mount.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
44206 + grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o
44207 +
44208 +obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_ip.o gracl_segv.o \
44209 + gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
44210 + gracl_learn.o grsec_log.o
44211 +obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
44212 +
44213 +ifndef CONFIG_GRKERNSEC
44214 +obj-y += grsec_disabled.o
44215 +endif
44216 +
44217 +ifdef CONFIG_GRKERNSEC_HIDESYM
44218 +extra-y := grsec_hidesym.o
44219 +$(obj)/grsec_hidesym.o:
44220 + @-chmod -f 500 /boot
44221 + @-chmod -f 500 /lib/modules
44222 + @-chmod -f 700 .
44223 + @echo ' grsec: protected kernel image paths'
44224 +endif
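Review bot: The `grsec_hidesym.o` recipe changes the permissions of `/boot`, `/lib/modules` and the current directory on whichever machine runs the build, and the `@-` prefix plus `chmod -f` discard every failure, so nothing reports when it does not apply. In a packaged build like this one the paths belong to the build host or build chroot rather than the target root, so the protection intended for the installed kernel image lands on the wrong system while the build environment is silently modified; and since nothing in the recipe actually creates `grsec_hidesym.o`, `extra-y` should make it run again on every invocation. I would drop the three `chmod` lines and keep only a reminder such as `@echo ' grsec: chmod 500 /boot and /lib/modules on the target system to hide the kernel image'`, leaving the permission change to the package install step where the target root is known.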
44225 diff -urNp linux-2.6.37/include/acpi/acoutput.h linux-2.6.37/include/acpi/acoutput.h
44226 --- linux-2.6.37/include/acpi/acoutput.h 2011-01-04 19:50:19.000000000 -0500
44227 +++ linux-2.6.37/include/acpi/acoutput.h 2011-01-17 02:41:02.000000000 -0500
44228 @@ -269,8 +269,8 @@
44229 * leaving no executable debug code!
44230 */
44231 #define ACPI_FUNCTION_NAME(a)
44232 -#define ACPI_DEBUG_PRINT(pl)
44233 -#define ACPI_DEBUG_PRINT_RAW(pl)
44234 +#define ACPI_DEBUG_PRINT(pl) do {} while (0)
44235 +#define ACPI_DEBUG_PRINT_RAW(pl) do {} while (0)
44236
44237 #endif /* ACPI_DEBUG_OUTPUT */
44238
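Review bot: The new `do {} while (0)` expansions carry no comment saying why they replace the empty definitions, so a later cleanup could revert them. The usual reason is that an empty expansion leaves a bare `;` behind, which `-Wempty-body` flags in `if (cond) ACPI_DEBUG_PRINT(...);` and which reads as an empty statement in `if`/`else` chains; the loop form keeps the call a full statement in both cases. I would add above the two defines: `/* expand to a real statement so `if (x) ACPI_DEBUG_PRINT(...);` stays well-formed and warning-free when debug output is compiled out */`.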
44239 diff -urNp linux-2.6.37/include/acpi/acpi_drivers.h linux-2.6.37/include/acpi/acpi_drivers.h
44240 --- linux-2.6.37/include/acpi/acpi_drivers.h 2011-01-04 19:50:19.000000000 -0500
44241 +++ linux-2.6.37/include/acpi/acpi_drivers.h 2011-01-17 02:41:02.000000000 -0500
44242 @@ -119,8 +119,8 @@ void pci_acpi_crs_quirks(void);
44243 Dock Station
44244 -------------------------------------------------------------------------- */
44245 struct acpi_dock_ops {
44246 - acpi_notify_handler handler;
44247 - acpi_notify_handler uevent;
44248 + const acpi_notify_handler handler;
44249 + const acpi_notify_handler uevent;
44250 };
44251
44252 #if defined(CONFIG_ACPI_DOCK) || defined(CONFIG_ACPI_DOCK_MODULE)
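Review bot: Making `handler` and `uevent` `const` members means a `struct acpi_dock_ops` can only be populated through an initializer, so any driver that assigns these fields at runtime (not visible in this chunk) will stop compiling, and the hardening only pays off if the instances themselves are also defined `const` so the table ends up in read-only data. Neither expectation is stated in the header. I would add a comment on the struct: `/* members are const: define instances with a static initializer (and as const) so the ops table can live in .rodata */`.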
44253 @@ -128,7 +128,7 @@ extern int is_dock_device(acpi_handle ha
44254 extern int register_dock_notifier(struct notifier_block *nb);
44255 extern void unregister_dock_notifier(struct notifier_block *nb);
44256 extern int register_hotplug_dock_device(acpi_handle handle,
44257 - struct acpi_dock_ops *ops,
44258 + const struct acpi_dock_ops *ops,
44259 void *context);
44260 extern void unregister_hotplug_dock_device(acpi_handle handle);
44261 #else
44262 @@ -144,7 +144,7 @@ static inline void unregister_dock_notif
44263 {
44264 }
44265 static inline int register_hotplug_dock_device(acpi_handle handle,
44266 - struct acpi_dock_ops *ops,
44267 + const struct acpi_dock_ops *ops,
44268 void *context)
44269 {
44270 return -ENODEV;
44271 diff -urNp linux-2.6.37/include/asm-generic/atomic-long.h linux-2.6.37/include/asm-generic/atomic-long.h
44272 --- linux-2.6.37/include/asm-generic/atomic-long.h 2011-01-04 19:50:19.000000000 -0500
44273 +++ linux-2.6.37/include/asm-generic/atomic-long.h 2011-01-17 02:41:02.000000000 -0500
44274 @@ -22,6 +22,12 @@
44275
44276 typedef atomic64_t atomic_long_t;
44277
44278 +#ifdef CONFIG_PAX_REFCOUNT
44279 +typedef atomic64_unchecked_t atomic_long_unchecked_t;
44280 +#else
44281 +typedef atomic64_t atomic_long_unchecked_t;
44282 +#endif
44283 +
44284 #define ATOMIC_LONG_INIT(i) ATOMIC64_INIT(i)
44285
44286 static inline long atomic_long_read(atomic_long_t *l)
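Review bot: The new `atomic_long_unchecked_t` typedef carries no comment on when it is appropriate; presumably it selects the `*_unchecked` primitives that CONFIG_PAX_REFCOUNT exempts from overflow detection, so it should be reserved for statistics-style counters whose wrap is harmless, never for counts that gate an object's lifetime. Suggest a comment above the `#ifdef CONFIG_PAX_REFCOUNT`, such as `/* unchecked variant: not covered by PAX_REFCOUNT overflow detection; use only for counters that never guard object lifetime */`. The 32-bit typedef block later in this file (`typedef atomic_unchecked_t atomic_long_unchecked_t;`) needs the same note.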
44287 @@ -31,6 +37,15 @@ static inline long atomic_long_read(atom
44288 return (long)atomic64_read(v);
44289 }
44290
44291 +#ifdef CONFIG_PAX_REFCOUNT
44292 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
44293 +{
44294 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44295 +
44296 + return (long)atomic64_read_unchecked(v);
44297 +}
44298 +#endif
44299 +
44300 static inline void atomic_long_set(atomic_long_t *l, long i)
44301 {
44302 atomic64_t *v = (atomic64_t *)l;
44303 @@ -38,6 +53,15 @@ static inline void atomic_long_set(atomi
44304 atomic64_set(v, i);
44305 }
44306
44307 +#ifdef CONFIG_PAX_REFCOUNT
44308 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
44309 +{
44310 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44311 +
44312 + atomic64_set_unchecked(v, i);
44313 +}
44314 +#endif
44315 +
44316 static inline void atomic_long_inc(atomic_long_t *l)
44317 {
44318 atomic64_t *v = (atomic64_t *)l;
44319 @@ -45,6 +69,15 @@ static inline void atomic_long_inc(atomi
44320 atomic64_inc(v);
44321 }
44322
44323 +#ifdef CONFIG_PAX_REFCOUNT
44324 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
44325 +{
44326 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44327 +
44328 + atomic64_inc_unchecked(v);
44329 +}
44330 +#endif
44331 +
44332 static inline void atomic_long_dec(atomic_long_t *l)
44333 {
44334 atomic64_t *v = (atomic64_t *)l;
44335 @@ -52,6 +85,15 @@ static inline void atomic_long_dec(atomi
44336 atomic64_dec(v);
44337 }
44338
44339 +#ifdef CONFIG_PAX_REFCOUNT
44340 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
44341 +{
44342 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44343 +
44344 + atomic64_dec_unchecked(v);
44345 +}
44346 +#endif
44347 +
44348 static inline void atomic_long_add(long i, atomic_long_t *l)
44349 {
44350 atomic64_t *v = (atomic64_t *)l;
44351 @@ -59,6 +101,15 @@ static inline void atomic_long_add(long
44352 atomic64_add(i, v);
44353 }
44354
44355 +#ifdef CONFIG_PAX_REFCOUNT
44356 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
44357 +{
44358 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44359 +
44360 + atomic64_add_unchecked(i, v);
44361 +}
44362 +#endif
44363 +
44364 static inline void atomic_long_sub(long i, atomic_long_t *l)
44365 {
44366 atomic64_t *v = (atomic64_t *)l;
44367 @@ -66,6 +117,15 @@ static inline void atomic_long_sub(long
44368 atomic64_sub(i, v);
44369 }
44370
44371 +#ifdef CONFIG_PAX_REFCOUNT
44372 +static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
44373 +{
44374 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44375 +
44376 + atomic64_sub_unchecked(i, v);
44377 +}
44378 +#endif
44379 +
44380 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
44381 {
44382 atomic64_t *v = (atomic64_t *)l;
44383 @@ -115,6 +175,15 @@ static inline long atomic_long_inc_retur
44384 return (long)atomic64_inc_return(v);
44385 }
44386
44387 +#ifdef CONFIG_PAX_REFCOUNT
44388 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
44389 +{
44390 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44391 +
44392 + return (long)atomic64_inc_return_unchecked(v);
44393 +}
44394 +#endif
44395 +
44396 static inline long atomic_long_dec_return(atomic_long_t *l)
44397 {
44398 atomic64_t *v = (atomic64_t *)l;
44399 @@ -140,6 +209,12 @@ static inline long atomic_long_add_unles
44400
44401 typedef atomic_t atomic_long_t;
44402
44403 +#ifdef CONFIG_PAX_REFCOUNT
44404 +typedef atomic_unchecked_t atomic_long_unchecked_t;
44405 +#else
44406 +typedef atomic_t atomic_long_unchecked_t;
44407 +#endif
44408 +
44409 #define ATOMIC_LONG_INIT(i) ATOMIC_INIT(i)
44410 static inline long atomic_long_read(atomic_long_t *l)
44411 {
44412 @@ -148,6 +223,15 @@ static inline long atomic_long_read(atom
44413 return (long)atomic_read(v);
44414 }
44415
44416 +#ifdef CONFIG_PAX_REFCOUNT
44417 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
44418 +{
44419 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44420 +
44421 + return (long)atomic_read_unchecked(v);
44422 +}
44423 +#endif
44424 +
44425 static inline void atomic_long_set(atomic_long_t *l, long i)
44426 {
44427 atomic_t *v = (atomic_t *)l;
44428 @@ -155,6 +239,15 @@ static inline void atomic_long_set(atomi
44429 atomic_set(v, i);
44430 }
44431
44432 +#ifdef CONFIG_PAX_REFCOUNT
44433 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
44434 +{
44435 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44436 +
44437 + atomic_set_unchecked(v, i);
44438 +}
44439 +#endif
44440 +
44441 static inline void atomic_long_inc(atomic_long_t *l)
44442 {
44443 atomic_t *v = (atomic_t *)l;
44444 @@ -162,6 +255,15 @@ static inline void atomic_long_inc(atomi
44445 atomic_inc(v);
44446 }
44447
44448 +#ifdef CONFIG_PAX_REFCOUNT
44449 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
44450 +{
44451 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44452 +
44453 + atomic_inc_unchecked(v);
44454 +}
44455 +#endif
44456 +
44457 static inline void atomic_long_dec(atomic_long_t *l)
44458 {
44459 atomic_t *v = (atomic_t *)l;
44460 @@ -169,6 +271,15 @@ static inline void atomic_long_dec(atomi
44461 atomic_dec(v);
44462 }
44463
44464 +#ifdef CONFIG_PAX_REFCOUNT
44465 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
44466 +{
44467 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44468 +
44469 + atomic_dec_unchecked(v);
44470 +}
44471 +#endif
44472 +
44473 static inline void atomic_long_add(long i, atomic_long_t *l)
44474 {
44475 atomic_t *v = (atomic_t *)l;
44476 @@ -176,6 +287,15 @@ static inline void atomic_long_add(long
44477 atomic_add(i, v);
44478 }
44479
44480 +#ifdef CONFIG_PAX_REFCOUNT
44481 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
44482 +{
44483 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44484 +
44485 + atomic_add_unchecked(i, v);
44486 +}
44487 +#endif
44488 +
44489 static inline void atomic_long_sub(long i, atomic_long_t *l)
44490 {
44491 atomic_t *v = (atomic_t *)l;
44492 @@ -183,6 +303,15 @@ static inline void atomic_long_sub(long
44493 atomic_sub(i, v);
44494 }
44495
44496 +#ifdef CONFIG_PAX_REFCOUNT
44497 +static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
44498 +{
44499 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44500 +
44501 + atomic_sub_unchecked(i, v);
44502 +}
44503 +#endif
44504 +
44505 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
44506 {
44507 atomic_t *v = (atomic_t *)l;
44508 @@ -232,6 +361,15 @@ static inline long atomic_long_inc_retur
44509 return (long)atomic_inc_return(v);
44510 }
44511
44512 +#ifdef CONFIG_PAX_REFCOUNT
44513 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
44514 +{
44515 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44516 +
44517 + return (long)atomic_inc_return_unchecked(v);
44518 +}
44519 +#endif
44520 +
44521 static inline long atomic_long_dec_return(atomic_long_t *l)
44522 {
44523 atomic_t *v = (atomic_t *)l;
44524 @@ -255,4 +393,41 @@ static inline long atomic_long_add_unles
44525
44526 #endif /* BITS_PER_LONG == 64 */
44527
44528 +#ifdef CONFIG_PAX_REFCOUNT
44529 +static inline void pax_refcount_needs_these_functions(void)
44530 +{
44531 + atomic_read_unchecked((atomic_unchecked_t *)NULL);
44532 + atomic_set_unchecked((atomic_unchecked_t *)NULL, 0);
44533 + atomic_add_unchecked(0, (atomic_unchecked_t *)NULL);
44534 + atomic_sub_unchecked(0, (atomic_unchecked_t *)NULL);
44535 + atomic_inc_unchecked((atomic_unchecked_t *)NULL);
44536 + atomic_inc_return_unchecked((atomic_unchecked_t *)NULL);
44537 + atomic_add_return_unchecked(0, (atomic_unchecked_t *)NULL);
44538 +
44539 + atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL);
44540 + atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0);
44541 + atomic_long_add_unchecked(0, (atomic_long_unchecked_t *)NULL);
44542 + atomic_long_sub_unchecked(0, (atomic_long_unchecked_t *)NULL);
44543 + atomic_long_inc_unchecked((atomic_long_unchecked_t *)NULL);
44544 + atomic_long_inc_return_unchecked((atomic_long_unchecked_t *)NULL);
44545 + atomic_long_dec_unchecked((atomic_long_unchecked_t *)NULL);
44546 +}
44547 +#else
44548 +#define atomic_read_unchecked(v) atomic_read(v)
44549 +#define atomic_set_unchecked(v, i) atomic_set((v), (i))
44550 +#define atomic_add_unchecked(i, v) atomic_add((i), (v))
44551 +#define atomic_sub_unchecked(i, v) atomic_sub((i), (v))
44552 +#define atomic_inc_unchecked(v) atomic_inc(v)
44553 +#define atomic_inc_return_unchecked(v) atomic_inc_return(v)
44554 +#define atomic_add_return_unchecked(i, v) atomic_add_return((i), (v))
44555 +
44556 +#define atomic_long_read_unchecked(v) atomic_long_read(v)
44557 +#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i))
44558 +#define atomic_long_add_unchecked(i, v) atomic_long_add((i), (v))
44559 +#define atomic_long_sub_unchecked(i, v) atomic_long_sub((i), (v))
44560 +#define atomic_long_inc_unchecked(v) atomic_long_inc(v)
44561 +#define atomic_long_inc_return_unchecked(v) atomic_long_inc_return(v)
44562 +#define atomic_long_dec_unchecked(v) atomic_long_dec(v)
44563 +#endif
44564 +
44565 #endif /* _ASM_GENERIC_ATOMIC_LONG_H */
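Review bot: `atomic_dec_unchecked` is absent from both the `pax_refcount_needs_these_functions` probe and the `#else` fallback macros, while its counterpart `atomic_long_dec_unchecked` appears in both, so a caller of `atomic_dec_unchecked` compiles in the non-PAX configuration only if an arch header happens to define it; adding `#define atomic_dec_unchecked(v) atomic_dec(v)` to the fallback block and a matching probe line keeps the two sets parallel. The probe function is also undocumented: it is never called, and a reader will wonder why NULL pointers are passed, so a comment such as `/* never called: exists only so that a missing arch *_unchecked primitive fails at compile time */` would help. Neither set provides a `*_dec_return_unchecked` variant either, which may be deliberate but is worth stating.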
44566 diff -urNp linux-2.6.37/include/asm-generic/dma-mapping-common.h linux-2.6.37/include/asm-generic/dma-mapping-common.h
44567 --- linux-2.6.37/include/asm-generic/dma-mapping-common.h 2011-01-04 19:50:19.000000000 -0500
44568 +++ linux-2.6.37/include/asm-generic/dma-mapping-common.h 2011-01-17 02:41:02.000000000 -0500
44569 @@ -11,7 +11,7 @@ static inline dma_addr_t dma_map_single_
44570 enum dma_data_direction dir,
44571 struct dma_attrs *attrs)
44572 {
44573 - struct dma_map_ops *ops = get_dma_ops(dev);
44574 + const struct dma_map_ops *ops = get_dma_ops(dev);
44575 dma_addr_t addr;
44576
44577 kmemcheck_mark_initialized(ptr, size);
44578 @@ -30,7 +30,7 @@ static inline void dma_unmap_single_attr
44579 enum dma_data_direction dir,
44580 struct dma_attrs *attrs)
44581 {
44582 - struct dma_map_ops *ops = get_dma_ops(dev);
44583 + const struct dma_map_ops *ops = get_dma_ops(dev);
44584
44585 BUG_ON(!valid_dma_direction(dir));
44586 if (ops->unmap_page)
44587 @@ -42,7 +42,7 @@ static inline int dma_map_sg_attrs(struc
44588 int nents, enum dma_data_direction dir,
44589 struct dma_attrs *attrs)
44590 {
44591 - struct dma_map_ops *ops = get_dma_ops(dev);
44592 + const struct dma_map_ops *ops = get_dma_ops(dev);
44593 int i, ents;
44594 struct scatterlist *s;
44595
44596 @@ -59,7 +59,7 @@ static inline void dma_unmap_sg_attrs(st
44597 int nents, enum dma_data_direction dir,
44598 struct dma_attrs *attrs)
44599 {
44600 - struct dma_map_ops *ops = get_dma_ops(dev);
44601 + const struct dma_map_ops *ops = get_dma_ops(dev);
44602
44603 BUG_ON(!valid_dma_direction(dir));
44604 debug_dma_unmap_sg(dev, sg, nents, dir);
44605 @@ -71,7 +71,7 @@ static inline dma_addr_t dma_map_page(st
44606 size_t offset, size_t size,
44607 enum dma_data_direction dir)
44608 {
44609 - struct dma_map_ops *ops = get_dma_ops(dev);
44610 + const struct dma_map_ops *ops = get_dma_ops(dev);
44611 dma_addr_t addr;
44612
44613 kmemcheck_mark_initialized(page_address(page) + offset, size);
44614 @@ -85,7 +85,7 @@ static inline dma_addr_t dma_map_page(st
44615 static inline void dma_unmap_page(struct device *dev, dma_addr_t addr,
44616 size_t size, enum dma_data_direction dir)
44617 {
44618 - struct dma_map_ops *ops = get_dma_ops(dev);
44619 + const struct dma_map_ops *ops = get_dma_ops(dev);
44620
44621 BUG_ON(!valid_dma_direction(dir));
44622 if (ops->unmap_page)
44623 @@ -97,7 +97,7 @@ static inline void dma_sync_single_for_c
44624 size_t size,
44625 enum dma_data_direction dir)
44626 {
44627 - struct dma_map_ops *ops = get_dma_ops(dev);
44628 + const struct dma_map_ops *ops = get_dma_ops(dev);
44629
44630 BUG_ON(!valid_dma_direction(dir));
44631 if (ops->sync_single_for_cpu)
44632 @@ -109,7 +109,7 @@ static inline void dma_sync_single_for_d
44633 dma_addr_t addr, size_t size,
44634 enum dma_data_direction dir)
44635 {
44636 - struct dma_map_ops *ops = get_dma_ops(dev);
44637 + const struct dma_map_ops *ops = get_dma_ops(dev);
44638
44639 BUG_ON(!valid_dma_direction(dir));
44640 if (ops->sync_single_for_device)
44641 @@ -139,7 +139,7 @@ static inline void
44642 dma_sync_sg_for_cpu(struct device *dev, struct scatterlist *sg,
44643 int nelems, enum dma_data_direction dir)
44644 {
44645 - struct dma_map_ops *ops = get_dma_ops(dev);
44646 + const struct dma_map_ops *ops = get_dma_ops(dev);
44647
44648 BUG_ON(!valid_dma_direction(dir));
44649 if (ops->sync_sg_for_cpu)
44650 @@ -151,7 +151,7 @@ static inline void
44651 dma_sync_sg_for_device(struct device *dev, struct scatterlist *sg,
44652 int nelems, enum dma_data_direction dir)
44653 {
44654 - struct dma_map_ops *ops = get_dma_ops(dev);
44655 + const struct dma_map_ops *ops = get_dma_ops(dev);
44656
44657 BUG_ON(!valid_dma_direction(dir));
44658 if (ops->sync_sg_for_device)
44659 diff -urNp linux-2.6.37/include/asm-generic/futex.h linux-2.6.37/include/asm-generic/futex.h
44660 --- linux-2.6.37/include/asm-generic/futex.h 2011-01-04 19:50:19.000000000 -0500
44661 +++ linux-2.6.37/include/asm-generic/futex.h 2011-01-17 02:41:02.000000000 -0500
44662 @@ -6,7 +6,7 @@
44663 #include <asm/errno.h>
44664
44665 static inline int
44666 -futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
44667 +futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
44668 {
44669 int op = (encoded_op >> 28) & 7;
44670 int cmp = (encoded_op >> 24) & 15;
44671 @@ -48,7 +48,7 @@ futex_atomic_op_inuser (int encoded_op,
44672 }
44673
44674 static inline int
44675 -futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
44676 +futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
44677 {
44678 return -ENOSYS;
44679 }
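Review bot: `oldval` and `newval` remain `int` while `uaddr` now points at `u32`, so the compared and stored values no longer match the pointee type; `futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, u32 oldval, u32 newval)` keeps the stub's signature internally consistent. The arch implementations and the callers in the futex core must agree with whichever type is chosen, and those are not visible in this chunk. The body here is only `return -ENOSYS;`, so the change is signature-only.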
44680 diff -urNp linux-2.6.37/include/asm-generic/int-l64.h linux-2.6.37/include/asm-generic/int-l64.h
44681 --- linux-2.6.37/include/asm-generic/int-l64.h 2011-01-04 19:50:19.000000000 -0500
44682 +++ linux-2.6.37/include/asm-generic/int-l64.h 2011-01-17 02:41:02.000000000 -0500
44683 @@ -46,6 +46,8 @@ typedef unsigned int u32;
44684 typedef signed long s64;
44685 typedef unsigned long u64;
44686
44687 +typedef unsigned int intoverflow_t __attribute__ ((mode(TI)));
44688 +
44689 #define S8_C(x) x
44690 #define U8_C(x) x ## U
44691 #define S16_C(x) x
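Review bot: `intoverflow_t` is introduced without a comment, and its width differs between the two layouts: 128-bit via `mode(TI)` here but `unsigned long long` in the int-ll64.h hunk, which on a 64-bit ll64 architecture is the same width as `unsigned long`. If the type is meant to hold the product of two `size_t`/`unsigned long` operands for overflow detection, the ll64 definition cannot catch an overflow on such a platform; that usage is not visible here, so the intended contract should be stated, e.g. `/* accumulator for multiplication overflow checks — must be wider than the widest operand it is used with */`. `mode(TI)` also requires 128-bit integer support from the compiler on every arch that selects int-l64.h.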
44692 diff -urNp linux-2.6.37/include/asm-generic/int-ll64.h linux-2.6.37/include/asm-generic/int-ll64.h
44693 --- linux-2.6.37/include/asm-generic/int-ll64.h 2011-01-04 19:50:19.000000000 -0500
44694 +++ linux-2.6.37/include/asm-generic/int-ll64.h 2011-01-17 02:41:02.000000000 -0500
44695 @@ -51,6 +51,8 @@ typedef unsigned int u32;
44696 typedef signed long long s64;
44697 typedef unsigned long long u64;
44698
44699 +typedef unsigned long long intoverflow_t;
44700 +
44701 #define S8_C(x) x
44702 #define U8_C(x) x ## U
44703 #define S16_C(x) x
44704 diff -urNp linux-2.6.37/include/asm-generic/kmap_types.h linux-2.6.37/include/asm-generic/kmap_types.h
44705 --- linux-2.6.37/include/asm-generic/kmap_types.h 2011-01-04 19:50:19.000000000 -0500
44706 +++ linux-2.6.37/include/asm-generic/kmap_types.h 2011-01-17 02:41:02.000000000 -0500
44707 @@ -29,10 +29,11 @@ KMAP_D(16) KM_IRQ_PTE,
44708 KMAP_D(17) KM_NMI,
44709 KMAP_D(18) KM_NMI_PTE,
44710 KMAP_D(19) KM_KDB,
44711 +KMAP_D(20) KM_CLEARPAGE,
44712 /*
44713 * Remember to update debug_kmap_atomic() when adding new kmap types!
44714 */
44715 -KMAP_D(20) KM_TYPE_NR
44716 +KMAP_D(21) KM_TYPE_NR
44717 };
44718
44719 #undef KMAP_D
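Review bot: The comment immediately below the new entry asks that `debug_kmap_atomic()` be updated when a kmap type is added, and this chunk does not show that update; confirm the corresponding hunk exists, otherwise the debug check will not recognise `KM_CLEARPAGE`. The new type also carries no comment on which code path uses it — presumably page clearing, from the name, but a trailing `/* used by ... */` naming the caller would make the slot's purpose traceable.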
44720 diff -urNp linux-2.6.37/include/asm-generic/pgtable.h linux-2.6.37/include/asm-generic/pgtable.h
44721 --- linux-2.6.37/include/asm-generic/pgtable.h 2011-01-04 19:50:19.000000000 -0500
44722 +++ linux-2.6.37/include/asm-generic/pgtable.h 2011-01-17 02:41:02.000000000 -0500
44723 @@ -348,6 +348,14 @@ extern void untrack_pfn_vma(struct vm_ar
44724 unsigned long size);
44725 #endif
44726
44727 +#ifndef __HAVE_ARCH_PAX_OPEN_KERNEL
44728 +static inline unsigned long pax_open_kernel(void) { return 0; }
44729 +#endif
44730 +
44731 +#ifndef __HAVE_ARCH_PAX_CLOSE_KERNEL
44732 +static inline unsigned long pax_close_kernel(void) { return 0; }
44733 +#endif
44734 +
44735 #endif /* !__ASSEMBLY__ */
44736
44737 #endif /* _ASM_GENERIC_PGTABLE_H */
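Review bot: The fallback `pax_open_kernel()`/`pax_close_kernel()` stubs document neither what an architecture that defines `__HAVE_ARCH_PAX_OPEN_KERNEL` does in their place nor what the returned `unsigned long` means, so a reader of this generic header cannot tell whether callers must use the value. Suggest a comment above the first `#ifndef`, e.g. `/* no-op fallbacks for architectures without a kernel write-protection toggle; the return value is unused here — see the arch definitions for the real contract */`, hedged because the arch versions are not visible in this chunk.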
44738 diff -urNp linux-2.6.37/include/asm-generic/pgtable-nopmd.h linux-2.6.37/include/asm-generic/pgtable-nopmd.h
44739 --- linux-2.6.37/include/asm-generic/pgtable-nopmd.h 2011-01-04 19:50:19.000000000 -0500
44740 +++ linux-2.6.37/include/asm-generic/pgtable-nopmd.h 2011-01-17 02:41:02.000000000 -0500
44741 @@ -1,14 +1,19 @@
44742 #ifndef _PGTABLE_NOPMD_H
44743 #define _PGTABLE_NOPMD_H
44744
44745 -#ifndef __ASSEMBLY__
44746 -
44747 #include <asm-generic/pgtable-nopud.h>
44748
44749 -struct mm_struct;
44750 -
44751 #define __PAGETABLE_PMD_FOLDED
44752
44753 +#define PMD_SHIFT PUD_SHIFT
44754 +#define PTRS_PER_PMD 1
44755 +#define PMD_SIZE (_AC(1,UL) << PMD_SHIFT)
44756 +#define PMD_MASK (~(PMD_SIZE-1))
44757 +
44758 +#ifndef __ASSEMBLY__
44759 +
44760 +struct mm_struct;
44761 +
44762 /*
44763 * Having the pmd type consist of a pud gets the size right, and allows
44764 * us to conceptually access the pud entry that this pmd is folded into
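Review bot: `PMD_SIZE` now uses `_AC(1,UL)`, which comes from `<linux/const.h>`, and nothing in this hunk includes it; the macro may arrive indirectly through `asm-generic/pgtable-nopud.h` or the arch header, but since the definitions were moved outside `#ifndef __ASSEMBLY__`, presumably for use from assembly, the dependency should be explicit. The pgtable-nopud.h hunk below has the same dependency for `PUD_SIZE`. Adding `#include <linux/const.h>` next to the existing include here covers only this header, so nopud.h needs its own.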
44765 @@ -16,11 +21,6 @@ struct mm_struct;
44766 */
44767 typedef struct { pud_t pud; } pmd_t;
44768
44769 -#define PMD_SHIFT PUD_SHIFT
44770 -#define PTRS_PER_PMD 1
44771 -#define PMD_SIZE (1UL << PMD_SHIFT)
44772 -#define PMD_MASK (~(PMD_SIZE-1))
44773 -
44774 /*
44775 * The "pud_xxx()" functions here are trivial for a folded two-level
44776 * setup: the pmd is never bad, and a pmd always exists (as it's folded
44777 diff -urNp linux-2.6.37/include/asm-generic/pgtable-nopud.h linux-2.6.37/include/asm-generic/pgtable-nopud.h
44778 --- linux-2.6.37/include/asm-generic/pgtable-nopud.h 2011-01-04 19:50:19.000000000 -0500
44779 +++ linux-2.6.37/include/asm-generic/pgtable-nopud.h 2011-01-17 02:41:02.000000000 -0500
44780 @@ -1,10 +1,15 @@
44781 #ifndef _PGTABLE_NOPUD_H
44782 #define _PGTABLE_NOPUD_H
44783
44784 -#ifndef __ASSEMBLY__
44785 -
44786 #define __PAGETABLE_PUD_FOLDED
44787
44788 +#define PUD_SHIFT PGDIR_SHIFT
44789 +#define PTRS_PER_PUD 1
44790 +#define PUD_SIZE (_AC(1,UL) << PUD_SHIFT)
44791 +#define PUD_MASK (~(PUD_SIZE-1))
44792 +
44793 +#ifndef __ASSEMBLY__
44794 +
44795 /*
44796 * Having the pud type consist of a pgd gets the size right, and allows
44797 * us to conceptually access the pgd entry that this pud is folded into
44798 @@ -12,11 +17,6 @@
44799 */
44800 typedef struct { pgd_t pgd; } pud_t;
44801
44802 -#define PUD_SHIFT PGDIR_SHIFT
44803 -#define PTRS_PER_PUD 1
44804 -#define PUD_SIZE (1UL << PUD_SHIFT)
44805 -#define PUD_MASK (~(PUD_SIZE-1))
44806 -
44807 /*
44808 * The "pgd_xxx()" functions here are trivial for a folded two-level
44809 * setup: the pud is never bad, and a pud always exists (as it's folded
44810 diff -urNp linux-2.6.37/include/asm-generic/vmlinux.lds.h linux-2.6.37/include/asm-generic/vmlinux.lds.h
44811 --- linux-2.6.37/include/asm-generic/vmlinux.lds.h 2011-01-04 19:50:19.000000000 -0500
44812 +++ linux-2.6.37/include/asm-generic/vmlinux.lds.h 2011-01-17 02:41:02.000000000 -0500
44813 @@ -210,6 +210,7 @@
44814 .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
44815 VMLINUX_SYMBOL(__start_rodata) = .; \
44816 *(.rodata) *(.rodata.*) \
44817 + *(.data..read_only) \
44818 *(__vermagic) /* Kernel version magic */ \
44819 *(__markers_strings) /* Markers: strings */ \
44820 *(__tracepoints_strings)/* Tracepoints: strings */ \
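Review bot: `*(.data..read_only)` is placed into `.rodata` without a comment saying which attribute emits objects into that section, so a reader of the linker script cannot tell that data named `.data..read_only` is intentionally made read-only; add a trailing comment in the style of the neighbouring `/* Kernel version magic */` lines, e.g. `/* objects tagged read-only at definition (see the section attribute in the compiler headers) */`. Placing the glob before `__vermagic` keeps it between `__start_rodata` and the end marker, which is what a write-protection pass needs — hedged, since the end marker is outside the hunk.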
44821 @@ -679,14 +680,15 @@
44822 * section in the linker script will go there too. @phdr should have
44823 * a leading colon.
44824 *
44825 - * Note that this macros defines __per_cpu_load as an absolute symbol.
44826 + * Note that this macros defines per_cpu_load as an absolute symbol.
44827 * If there is no need to put the percpu section at a predetermined
44828 * address, use PERCPU().
44829 */
44830 #define PERCPU_VADDR(vaddr, phdr) \
44831 - VMLINUX_SYMBOL(__per_cpu_load) = .; \
44832 - .data..percpu vaddr : AT(VMLINUX_SYMBOL(__per_cpu_load) \
44833 + per_cpu_load = .; \
44834 + .data..percpu vaddr : AT(VMLINUX_SYMBOL(per_cpu_load) \
44835 - LOAD_OFFSET) { \
44836 + VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load; \
44837 VMLINUX_SYMBOL(__per_cpu_start) = .; \
44838 *(.data..percpu..first) \
44839 . = ALIGN(PAGE_SIZE); \
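Review bot: `per_cpu_load = .;` is assigned without the `VMLINUX_SYMBOL()` wrapper but is referenced as `VMLINUX_SYMBOL(per_cpu_load)` on the next line and again in the following hunk (`. = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data..percpu);`); on a configuration where `VMLINUX_SYMBOL()` applies a symbol prefix these name two different symbols and the link would fail. Either wrap all three uses or none, e.g. `VMLINUX_SYMBOL(per_cpu_load) = .;`. The rewritten doc comment also keeps the original "this macros defines" wording; `this macro defines` reads correctly.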
44840 @@ -696,7 +698,7 @@
44841 *(.data..percpu..shared_aligned) \
44842 VMLINUX_SYMBOL(__per_cpu_end) = .; \
44843 } phdr \
44844 - . = VMLINUX_SYMBOL(__per_cpu_load) + SIZEOF(.data..percpu);
44845 + . = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data..percpu);
44846
44847 /**
44848 * PERCPU - define output section for percpu area, simple version
44849 diff -urNp linux-2.6.37/include/drm/drm_pciids.h linux-2.6.37/include/drm/drm_pciids.h
44850 --- linux-2.6.37/include/drm/drm_pciids.h 2011-01-04 19:50:19.000000000 -0500
44851 +++ linux-2.6.37/include/drm/drm_pciids.h 2011-01-17 02:41:02.000000000 -0500
44852 @@ -419,7 +419,7 @@
44853 {0x1002, 0x9713, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
44854 {0x1002, 0x9714, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
44855 {0x1002, 0x9715, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
44856 - {0, 0, 0}
44857 + {0, 0, 0, 0, 0, 0}
44858
44859 #define r128_PCI_IDS \
44860 {0x1002, 0x4c45, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
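Review bot: The new terminator `{0, 0, 0, 0, 0, 0}` lists six initializers for what is presumably a `struct pci_device_id` (vendor, device, subvendor, subdevice, class, class_mask, driver_data — seven members), so it still relies on implicit zero-fill for the last field and is not the fully explicit sentinel the change appears to aim for; either list all seven or keep the original short form, which is semantically identical. The same change repeats in every hunk of this file down to `i915_PCI_IDS`.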
44861 @@ -459,14 +459,14 @@
44862 {0x1002, 0x5446, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44863 {0x1002, 0x544C, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44864 {0x1002, 0x5452, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44865 - {0, 0, 0}
44866 + {0, 0, 0, 0, 0, 0}
44867
44868 #define mga_PCI_IDS \
44869 {0x102b, 0x0520, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G200}, \
44870 {0x102b, 0x0521, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G200}, \
44871 {0x102b, 0x0525, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G400}, \
44872 {0x102b, 0x2527, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G550}, \
44873 - {0, 0, 0}
44874 + {0, 0, 0, 0, 0, 0}
44875
44876 #define mach64_PCI_IDS \
44877 {0x1002, 0x4749, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44878 @@ -489,7 +489,7 @@
44879 {0x1002, 0x4c53, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44880 {0x1002, 0x4c4d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44881 {0x1002, 0x4c4e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44882 - {0, 0, 0}
44883 + {0, 0, 0, 0, 0, 0}
44884
44885 #define sisdrv_PCI_IDS \
44886 {0x1039, 0x0300, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44887 @@ -500,7 +500,7 @@
44888 {0x1039, 0x7300, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44889 {0x18CA, 0x0040, PCI_ANY_ID, PCI_ANY_ID, 0, 0, SIS_CHIP_315}, \
44890 {0x18CA, 0x0042, PCI_ANY_ID, PCI_ANY_ID, 0, 0, SIS_CHIP_315}, \
44891 - {0, 0, 0}
44892 + {0, 0, 0, 0, 0, 0}
44893
44894 #define tdfx_PCI_IDS \
44895 {0x121a, 0x0003, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44896 @@ -509,7 +509,7 @@
44897 {0x121a, 0x0007, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44898 {0x121a, 0x0009, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44899 {0x121a, 0x000b, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44900 - {0, 0, 0}
44901 + {0, 0, 0, 0, 0, 0}
44902
44903 #define viadrv_PCI_IDS \
44904 {0x1106, 0x3022, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44905 @@ -521,14 +521,14 @@
44906 {0x1106, 0x3343, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44907 {0x1106, 0x3230, PCI_ANY_ID, PCI_ANY_ID, 0, 0, VIA_DX9_0}, \
44908 {0x1106, 0x3157, PCI_ANY_ID, PCI_ANY_ID, 0, 0, VIA_PRO_GROUP_A}, \
44909 - {0, 0, 0}
44910 + {0, 0, 0, 0, 0, 0}
44911
44912 #define i810_PCI_IDS \
44913 {0x8086, 0x7121, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44914 {0x8086, 0x7123, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44915 {0x8086, 0x7125, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44916 {0x8086, 0x1132, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44917 - {0, 0, 0}
44918 + {0, 0, 0, 0, 0, 0}
44919
44920 #define i830_PCI_IDS \
44921 {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44922 @@ -536,11 +536,11 @@
44923 {0x8086, 0x3582, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44924 {0x8086, 0x2572, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44925 {0x8086, 0x358e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44926 - {0, 0, 0}
44927 + {0, 0, 0, 0, 0, 0}
44928
44929 #define gamma_PCI_IDS \
44930 {0x3d3d, 0x0008, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44931 - {0, 0, 0}
44932 + {0, 0, 0, 0, 0, 0}
44933
44934 #define savage_PCI_IDS \
44935 {0x5333, 0x8a20, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_SAVAGE3D}, \
44936 @@ -566,10 +566,10 @@
44937 {0x5333, 0x8d02, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_TWISTER}, \
44938 {0x5333, 0x8d03, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_PROSAVAGEDDR}, \
44939 {0x5333, 0x8d04, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_PROSAVAGEDDR}, \
44940 - {0, 0, 0}
44941 + {0, 0, 0, 0, 0, 0}
44942
44943 #define ffb_PCI_IDS \
44944 - {0, 0, 0}
44945 + {0, 0, 0, 0, 0, 0}
44946
44947 #define i915_PCI_IDS \
44948 {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
44949 @@ -603,4 +603,4 @@
44950 {0x8086, 0x0042, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
44951 {0x8086, 0x0046, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
44952 {0x8086, 0x0102, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
44953 - {0, 0, 0}
44954 + {0, 0, 0, 0, 0, 0}
44955 diff -urNp linux-2.6.37/include/drm/drmP.h linux-2.6.37/include/drm/drmP.h
44956 --- linux-2.6.37/include/drm/drmP.h 2011-01-04 19:50:19.000000000 -0500
44957 +++ linux-2.6.37/include/drm/drmP.h 2011-01-17 02:41:02.000000000 -0500
44958 @@ -804,7 +804,7 @@ struct drm_driver {
44959 void (*vgaarb_irq)(struct drm_device *dev, bool state);
44960
44961 /* Driver private ops for this object */
44962 - struct vm_operations_struct *gem_vm_ops;
44963 + const struct vm_operations_struct *gem_vm_ops;
44964
44965 int major;
44966 int minor;
44967 @@ -817,7 +817,7 @@ struct drm_driver {
44968 int dev_priv_size;
44969 struct drm_ioctl_desc *ioctls;
44970 int num_ioctls;
44971 - struct file_operations fops;
44972 + const struct file_operations fops;
44973 struct pci_driver pci_driver;
44974 struct platform_device *platform_device;
44975 /* List of devices hanging off this driver */
44976 @@ -914,7 +914,7 @@ struct drm_device {
44977
44978 /** \name Usage Counters */
44979 /*@{ */
44980 - int open_count; /**< Outstanding files open */
44981 + atomic_t open_count; /**< Outstanding files open */
44982 atomic_t ioctl_count; /**< Outstanding IOCTLs pending */
44983 atomic_t vma_count; /**< Outstanding vma areas open */
44984 int buf_use; /**< Buffers in use -- cannot alloc */
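Review bot: Changing `open_count` from `int` to `atomic_t` alters the type of a field read and written by drivers as well as the DRM core, so every `dev->open_count++`/`--`/comparison site has to move to `atomic_inc`/`atomic_dec`/`atomic_read`; those hunks are not in this chunk and should be confirmed. The `/**< Outstanding files open */` doc still fits, but the next hunk's `atomic_unchecked_t counts[15]` deserves a word on why these counters are exempt from refcount overflow checking, e.g. `/**< statistics only; wrap is harmless */` — hedged, since their use is not visible here.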
44985 @@ -925,7 +925,7 @@ struct drm_device {
44986 /*@{ */
44987 unsigned long counters;
44988 enum drm_stat_type types[15];
44989 - atomic_t counts[15];
44990 + atomic_unchecked_t counts[15];
44991 /*@} */
44992
44993 struct list_head filelist;
44994 diff -urNp linux-2.6.37/include/linux/a.out.h linux-2.6.37/include/linux/a.out.h
44995 --- linux-2.6.37/include/linux/a.out.h 2011-01-04 19:50:19.000000000 -0500
44996 +++ linux-2.6.37/include/linux/a.out.h 2011-01-17 02:41:02.000000000 -0500
44997 @@ -39,6 +39,14 @@ enum machine_type {
44998 M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
44999 };
45000
45001 +/* Constants for the N_FLAGS field */
45002 +#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
45003 +#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
45004 +#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
45005 +#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
45006 +/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
45007 +#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
45008 +
45009 #if !defined (N_MAGIC)
45010 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
45011 #endif
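Review bot: The commented-out `F_PAX_RANDEXEC 16` leaves bit 16 unexplained, and a later flag could reuse it by accident; replacing the dead definition with `/* 16: reserved (formerly F_PAX_RANDEXEC) */` states the intent without shipping commented-out code. The rest of the block is fine as a bit table.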
45012 diff -urNp linux-2.6.37/include/linux/atmdev.h linux-2.6.37/include/linux/atmdev.h
45013 --- linux-2.6.37/include/linux/atmdev.h 2011-01-04 19:50:19.000000000 -0500
45014 +++ linux-2.6.37/include/linux/atmdev.h 2011-01-17 02:41:02.000000000 -0500
45015 @@ -237,7 +237,7 @@ struct compat_atm_iobuf {
45016 #endif
45017
45018 struct k_atm_aal_stats {
45019 -#define __HANDLE_ITEM(i) atomic_t i
45020 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
45021 __AAL_STAT_ITEMS
45022 #undef __HANDLE_ITEM
45023 };
45024 diff -urNp linux-2.6.37/include/linux/binfmts.h linux-2.6.37/include/linux/binfmts.h
45025 --- linux-2.6.37/include/linux/binfmts.h 2011-01-04 19:50:19.000000000 -0500
45026 +++ linux-2.6.37/include/linux/binfmts.h 2011-01-17 02:41:02.000000000 -0500
45027 @@ -92,6 +92,7 @@ struct linux_binfmt {
45028 int (*load_binary)(struct linux_binprm *, struct pt_regs * regs);
45029 int (*load_shlib)(struct file *);
45030 int (*core_dump)(struct coredump_params *cprm);
45031 + void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags);
45032 unsigned long min_coredump; /* minimal dump size */
45033 int hasvdso;
45034 };
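Review bot: The new `handle_mprotect` callback has no comment on its contract: when it is invoked, whether `mmap_sem` is held, and whether it may refuse the change (it returns `void`, so presumably it cannot fail). The neighbouring members are self-explanatory, but this one is an extension point for binary-format handlers, so a line such as `/* called on mprotect() with the vma about to receive newflags; cannot fail — confirm locking against the caller */` would save the next implementer a trip to the mm code, with the locking claim to be verified against the caller, which is not visible here.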
45035 diff -urNp linux-2.6.37/include/linux/blkdev.h linux-2.6.37/include/linux/blkdev.h
45036 --- linux-2.6.37/include/linux/blkdev.h 2011-01-04 19:50:19.000000000 -0500
45037 +++ linux-2.6.37/include/linux/blkdev.h 2011-01-17 02:41:02.000000000 -0500
45038 @@ -1250,19 +1250,19 @@ queue_max_integrity_segments(struct requ
45039 #endif /* CONFIG_BLK_DEV_INTEGRITY */
45040
45041 struct block_device_operations {
45042 - int (*open) (struct block_device *, fmode_t);
45043 - int (*release) (struct gendisk *, fmode_t);
45044 - int (*ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
45045 - int (*compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
45046 - int (*direct_access) (struct block_device *, sector_t,
45047 + int (* const open) (struct block_device *, fmode_t);
45048 + int (* const release) (struct gendisk *, fmode_t);
45049 + int (* const ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
45050 + int (* const compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
45051 + int (* const direct_access) (struct block_device *, sector_t,
45052 void **, unsigned long *);
45053 - int (*media_changed) (struct gendisk *);
45054 - void (*unlock_native_capacity) (struct gendisk *);
45055 - int (*revalidate_disk) (struct gendisk *);
45056 - int (*getgeo)(struct block_device *, struct hd_geometry *);
45057 + int (* const media_changed) (struct gendisk *);
45058 + void (* const unlock_native_capacity) (struct gendisk *);
45059 + int (* const revalidate_disk) (struct gendisk *);
45060 + int (* const getgeo)(struct block_device *, struct hd_geometry *);
45061 /* this callback is with swap_lock and sometimes page table lock held */
45062 - void (*swap_slot_free_notify) (struct block_device *, unsigned long);
45063 - struct module *owner;
45064 + void (* const swap_slot_free_notify) (struct block_device *, unsigned long);
45065 + struct module * const owner;
45066 };
45067
45068 extern int __blkdev_driver_ioctl(struct block_device *, fmode_t, unsigned int,
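Review bot: Making every member of `struct block_device_operations` `* const` only prevents compile-time assignment through the struct; it does not by itself place any instance in read-only memory, which needs each driver's ops instance to be defined `const` as well, and with `struct module * const owner` a driver that assigns `->owner` at runtime would no longer build. A one-line comment on the struct stating the intent would help readers and driver authors, e.g. `/* all members const: define instances const so the ops table lands in .rodata */`. The same pattern, and the same missing note, appears in the `struct dma_map_ops` hunk of dma-mapping.h and in the `address_space_operations`, `file_lock_operations`/`lock_manager_operations` and `super_operations` hunks of fs.h.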
45069 diff -urNp linux-2.6.37/include/linux/byteorder/little_endian.h linux-2.6.37/include/linux/byteorder/little_endian.h
45070 --- linux-2.6.37/include/linux/byteorder/little_endian.h 2011-01-04 19:50:19.000000000 -0500
45071 +++ linux-2.6.37/include/linux/byteorder/little_endian.h 2011-01-17 02:41:02.000000000 -0500
45072 @@ -42,51 +42,51 @@
45073
45074 static inline __le64 __cpu_to_le64p(const __u64 *p)
45075 {
45076 - return (__force __le64)*p;
45077 + return (__force const __le64)*p;
45078 }
45079 static inline __u64 __le64_to_cpup(const __le64 *p)
45080 {
45081 - return (__force __u64)*p;
45082 + return (__force const __u64)*p;
45083 }
45084 static inline __le32 __cpu_to_le32p(const __u32 *p)
45085 {
45086 - return (__force __le32)*p;
45087 + return (__force const __le32)*p;
45088 }
45089 static inline __u32 __le32_to_cpup(const __le32 *p)
45090 {
45091 - return (__force __u32)*p;
45092 + return (__force const __u32)*p;
45093 }
45094 static inline __le16 __cpu_to_le16p(const __u16 *p)
45095 {
45096 - return (__force __le16)*p;
45097 + return (__force const __le16)*p;
45098 }
45099 static inline __u16 __le16_to_cpup(const __le16 *p)
45100 {
45101 - return (__force __u16)*p;
45102 + return (__force const __u16)*p;
45103 }
45104 static inline __be64 __cpu_to_be64p(const __u64 *p)
45105 {
45106 - return (__force __be64)__swab64p(p);
45107 + return (__force const __be64)__swab64p(p);
45108 }
45109 static inline __u64 __be64_to_cpup(const __be64 *p)
45110 {
45111 - return __swab64p((__u64 *)p);
45112 + return __swab64p((const __u64 *)p);
45113 }
45114 static inline __be32 __cpu_to_be32p(const __u32 *p)
45115 {
45116 - return (__force __be32)__swab32p(p);
45117 + return (__force const __be32)__swab32p(p);
45118 }
45119 static inline __u32 __be32_to_cpup(const __be32 *p)
45120 {
45121 - return __swab32p((__u32 *)p);
45122 + return __swab32p((const __u32 *)p);
45123 }
45124 static inline __be16 __cpu_to_be16p(const __u16 *p)
45125 {
45126 - return (__force __be16)__swab16p(p);
45127 + return (__force const __be16)__swab16p(p);
45128 }
45129 static inline __u16 __be16_to_cpup(const __be16 *p)
45130 {
45131 - return __swab16p((__u16 *)p);
45132 + return __swab16p((const __u16 *)p);
45133 }
45134 #define __cpu_to_le64s(x) do { (void)(x); } while (0)
45135 #define __le64_to_cpus(x) do { (void)(x); } while (0)
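Review bot: The `const` added inside the value casts from `__cpu_to_le64p` through `__cpu_to_be16p` (`(__force const __le64)*p`) has no effect: a cast never yields an lvalue and a cast to a qualified scalar type produces the unqualified type (C11 6.5.4), so those lines are identical before and after. The pointer casts in `__be64_to_cpup`, `__be32_to_cpup` and `__be16_to_cpup` (`(const __u64 *)p`) are the meaningful part, since they stop discarding the pointee's const. Dropping the rvalue `const` keeps the hunk to the lines that change something.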
45136 diff -urNp linux-2.6.37/include/linux/cache.h linux-2.6.37/include/linux/cache.h
45137 --- linux-2.6.37/include/linux/cache.h 2011-01-04 19:50:19.000000000 -0500
45138 +++ linux-2.6.37/include/linux/cache.h 2011-01-17 02:41:02.000000000 -0500
45139 @@ -16,6 +16,10 @@
45140 #define __read_mostly
45141 #endif
45142
45143 +#ifndef __read_only
45144 +#define __read_only __read_mostly
45145 +#endif
45146 +
45147 #ifndef ____cacheline_aligned
45148 #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
45149 #endif
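Review bot: The `__read_only` fallback defined here expands to `__read_mostly`, which is a cache-placement hint and gives no write protection, so on an architecture that does not supply its own `__read_only` the name promises more than it delivers. A comment beside the fallback should say so, e.g. `/* fallback: only __read_mostly placement, no write protection; arch headers override */`, so that a reader of a `__read_only` variable elsewhere does not assume it is immutable after init.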
45150 diff -urNp linux-2.6.37/include/linux/capability.h linux-2.6.37/include/linux/capability.h
45151 --- linux-2.6.37/include/linux/capability.h 2011-01-04 19:50:19.000000000 -0500
45152 +++ linux-2.6.37/include/linux/capability.h 2011-01-17 02:41:02.000000000 -0500
45153 @@ -558,6 +558,7 @@ extern const kernel_cap_t __cap_init_eff
45154 (security_real_capable_noaudit((t), (cap)) == 0)
45155
45156 extern int capable(int cap);
45157 +int capable_nolog(int cap);
45158
45159 /* audit system wants to get cap info from files as well */
45160 struct dentry;
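Review bot: `int capable_nolog(int cap);` drops the `extern` that the adjacent `extern int capable(int cap);` uses and carries no comment on how it differs from `capable()`. `extern int capable_nolog(int cap); /* as capable(), but without the audit/log side effect */` would match the surrounding style; the "no log" meaning is inferred from the name only, the definition is not in this hunk, so word the comment after checking the implementation.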
45161 diff -urNp linux-2.6.37/include/linux/compiler-gcc4.h linux-2.6.37/include/linux/compiler-gcc4.h
45162 --- linux-2.6.37/include/linux/compiler-gcc4.h 2011-01-04 19:50:19.000000000 -0500
45163 +++ linux-2.6.37/include/linux/compiler-gcc4.h 2011-01-17 02:41:02.000000000 -0500
45164 @@ -54,6 +54,10 @@
45165
45166 #endif
45167
45168 +#define __alloc_size(...) __attribute((alloc_size(__VA_ARGS__)))
45169 +#define __bos(ptr, arg) __builtin_object_size((ptr), (arg))
45170 +#define __bos0(ptr) __bos((ptr), 0)
45171 +#define __bos1(ptr) __bos((ptr), 1)
45172 #endif
45173
45174 #if __GNUC_MINOR__ > 0
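Review bot: `__alloc_size` is spelled with `__attribute(` whereas the kernel's compiler headers otherwise use `__attribute__(`; GCC accepts both, but the short form reads like a typo and is easy to "fix" the wrong way. `#define __alloc_size(...) __attribute__((alloc_size(__VA_ARGS__)))` matches the convention. The `#if __GNUC_MINOR__` block enclosing these four defines starts outside the hunk, so I cannot confirm from here that it is the `>= 3` block that `alloc_size` requires; worth checking.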
45175 diff -urNp linux-2.6.37/include/linux/compiler.h linux-2.6.37/include/linux/compiler.h
45176 --- linux-2.6.37/include/linux/compiler.h 2011-01-04 19:50:19.000000000 -0500
45177 +++ linux-2.6.37/include/linux/compiler.h 2011-01-17 02:41:02.000000000 -0500
45178 @@ -273,6 +273,22 @@ void ftrace_likely_update(struct ftrace_
45179 #define __cold
45180 #endif
45181
45182 +#ifndef __alloc_size
45183 +#define __alloc_size
45184 +#endif
45185 +
45186 +#ifndef __bos
45187 +#define __bos
45188 +#endif
45189 +
45190 +#ifndef __bos0
45191 +#define __bos0
45192 +#endif
45193 +
45194 +#ifndef __bos1
45195 +#define __bos1
45196 +#endif
45197 +
45198 /* Simple shorthand for a section definition */
45199 #ifndef __section
45200 # define __section(S) __attribute__ ((__section__(#S)))
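Review bot: These fallbacks are object-like macros while the gcc4 definitions are function-like, so on a compiler that takes this path a declaration ending in `__alloc_size(1)` expands to a bare `(1)` and no longer parses, and `__bos0(p)` collapses to `(p)`, a pointer where a size was expected. The fallbacks should be function-like, `#define __alloc_size(...)` with an empty body, and for `__bos`, `__bos0` and `__bos1` they should expand to what `__builtin_object_size` reports when the size is unknown (`((size_t)-1)` for types 0 and 1) so that callers comparing the result still compile. Those callers are outside this hunk; check what they do with the value before picking the fallback.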
45201 @@ -306,6 +322,7 @@ void ftrace_likely_update(struct ftrace_
45202 * use is to mediate communication between process-level code and irq/NMI
45203 * handlers, all running on the same CPU.
45204 */
45205 -#define ACCESS_ONCE(x) (*(volatile typeof(x) *)&(x))
45206 +#define ACCESS_ONCE(x) (*(volatile const typeof(x) *)&(x))
45207 +#define ACCESS_ONCE_RW(x) (*(volatile typeof(x) *)&(x))
45208
45209 #endif /* __LINUX_COMPILER_H */
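Review bot: The comment block above `ACCESS_ONCE` (it starts outside the hunk) still describes a single macro, but `ACCESS_ONCE` now yields a `volatile const` lvalue, so every existing store through it fails to compile and has to move to the new `ACCESS_ONCE_RW`, as the cpuset.h hunk does. Adding a sentence to that comment, e.g. ` * ACCESS_ONCE() is read-only; use ACCESS_ONCE_RW() for the rare stores.`, tells maintainers which one to reach for and why the split exists.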
45210 diff -urNp linux-2.6.37/include/linux/cpuset.h linux-2.6.37/include/linux/cpuset.h
45211 --- linux-2.6.37/include/linux/cpuset.h 2011-01-04 19:50:19.000000000 -0500
45212 +++ linux-2.6.37/include/linux/cpuset.h 2011-01-17 02:41:02.000000000 -0500
45213 @@ -118,7 +118,7 @@ static inline void put_mems_allowed(void
45214 * nodemask.
45215 */
45216 smp_mb();
45217 - --ACCESS_ONCE(current->mems_allowed_change_disable);
45218 + --ACCESS_ONCE_RW(current->mems_allowed_change_disable);
45219 }
45220
45221 static inline void set_mems_allowed(nodemask_t nodemask)
45222 diff -urNp linux-2.6.37/include/linux/decompress/mm.h linux-2.6.37/include/linux/decompress/mm.h
45223 --- linux-2.6.37/include/linux/decompress/mm.h 2011-01-04 19:50:19.000000000 -0500
45224 +++ linux-2.6.37/include/linux/decompress/mm.h 2011-01-17 02:41:02.000000000 -0500
45225 @@ -78,7 +78,7 @@ static void free(void *where)
45226 * warnings when not needed (indeed large_malloc / large_free are not
45227 * needed by inflate */
45228
45229 -#define malloc(a) kmalloc(a, GFP_KERNEL)
45230 +#define malloc(a) kmalloc((a), GFP_KERNEL)
45231 #define free(a) kfree(a)
45232
45233 #define large_malloc(a) vmalloc(a)
45234 diff -urNp linux-2.6.37/include/linux/dma-mapping.h linux-2.6.37/include/linux/dma-mapping.h
45235 --- linux-2.6.37/include/linux/dma-mapping.h 2011-01-04 19:50:19.000000000 -0500
45236 +++ linux-2.6.37/include/linux/dma-mapping.h 2011-01-17 02:41:02.000000000 -0500
45237 @@ -16,40 +16,40 @@ enum dma_data_direction {
45238 };
45239
45240 struct dma_map_ops {
45241 - void* (*alloc_coherent)(struct device *dev, size_t size,
45242 + void* (* const alloc_coherent)(struct device *dev, size_t size,
45243 dma_addr_t *dma_handle, gfp_t gfp);
45244 - void (*free_coherent)(struct device *dev, size_t size,
45245 + void (* const free_coherent)(struct device *dev, size_t size,
45246 void *vaddr, dma_addr_t dma_handle);
45247 - dma_addr_t (*map_page)(struct device *dev, struct page *page,
45248 + dma_addr_t (* const map_page)(struct device *dev, struct page *page,
45249 unsigned long offset, size_t size,
45250 enum dma_data_direction dir,
45251 struct dma_attrs *attrs);
45252 - void (*unmap_page)(struct device *dev, dma_addr_t dma_handle,
45253 + void (* const unmap_page)(struct device *dev, dma_addr_t dma_handle,
45254 size_t size, enum dma_data_direction dir,
45255 struct dma_attrs *attrs);
45256 - int (*map_sg)(struct device *dev, struct scatterlist *sg,
45257 + int (* const map_sg)(struct device *dev, struct scatterlist *sg,
45258 int nents, enum dma_data_direction dir,
45259 struct dma_attrs *attrs);
45260 - void (*unmap_sg)(struct device *dev,
45261 + void (* const unmap_sg)(struct device *dev,
45262 struct scatterlist *sg, int nents,
45263 enum dma_data_direction dir,
45264 struct dma_attrs *attrs);
45265 - void (*sync_single_for_cpu)(struct device *dev,
45266 + void (* const sync_single_for_cpu)(struct device *dev,
45267 dma_addr_t dma_handle, size_t size,
45268 enum dma_data_direction dir);
45269 - void (*sync_single_for_device)(struct device *dev,
45270 + void (* const sync_single_for_device)(struct device *dev,
45271 dma_addr_t dma_handle, size_t size,
45272 enum dma_data_direction dir);
45273 - void (*sync_sg_for_cpu)(struct device *dev,
45274 + void (* const sync_sg_for_cpu)(struct device *dev,
45275 struct scatterlist *sg, int nents,
45276 enum dma_data_direction dir);
45277 - void (*sync_sg_for_device)(struct device *dev,
45278 + void (* const sync_sg_for_device)(struct device *dev,
45279 struct scatterlist *sg, int nents,
45280 enum dma_data_direction dir);
45281 - int (*mapping_error)(struct device *dev, dma_addr_t dma_addr);
45282 - int (*dma_supported)(struct device *dev, u64 mask);
45283 - int (*set_dma_mask)(struct device *dev, u64 mask);
45284 - int is_phys;
45285 + int (* const mapping_error)(struct device *dev, dma_addr_t dma_addr);
45286 + int (* const dma_supported)(struct device *dev, u64 mask);
45287 + int (* set_dma_mask)(struct device *dev, u64 mask);
45288 + const int is_phys;
45289 };
45290
45291 #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
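Review bot: `set_dma_mask` is the only callback left writable (`int (* set_dma_mask)`) while every sibling becomes `* const`, and nothing says whether that is deliberate. If some architecture assigns `set_dma_mask` at runtime, a comment such as `/* not const: assigned at runtime by arch code */` records the exception; otherwise it should read `int (* const set_dma_mask)(struct device *dev, u64 mask);` for consistency. As for the other constified ops tables in this patch, instances of `struct dma_map_ops` must themselves be defined `const` for the member-level const to place anything in read-only memory.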
45292 diff -urNp linux-2.6.37/include/linux/elf.h linux-2.6.37/include/linux/elf.h
45293 --- linux-2.6.37/include/linux/elf.h 2011-01-04 19:50:19.000000000 -0500
45294 +++ linux-2.6.37/include/linux/elf.h 2011-01-17 02:41:02.000000000 -0500
45295 @@ -49,6 +49,17 @@ typedef __s64 Elf64_Sxword;
45296 #define PT_GNU_EH_FRAME 0x6474e550
45297
45298 #define PT_GNU_STACK (PT_LOOS + 0x474e551)
45299 +#define PT_GNU_RELRO (PT_LOOS + 0x474e552)
45300 +
45301 +#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
45302 +
45303 +/* Constants for the e_flags field */
45304 +#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
45305 +#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
45306 +#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
45307 +#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
45308 +/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
45309 +#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
45310
45311 /*
45312 * Extended Numbering
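Review bot: `EF_PAX_RANDEXEC` is left as commented-out code, so the gap at value 16 between `EF_PAX_RANDMMAP` and `EF_PAX_SEGMEXEC` looks accidental rather than reserved. Replacing the dead define with `/* 16 is reserved: formerly EF_PAX_RANDEXEC, no longer implemented */` keeps the information without commented-out code; the same applies to the commented-out `PF_RANDEXEC`/`PF_NORANDEXEC` pair in the later `PF_*` hunk of this file.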
45313 @@ -106,6 +117,8 @@ typedef __s64 Elf64_Sxword;
45314 #define DT_DEBUG 21
45315 #define DT_TEXTREL 22
45316 #define DT_JMPREL 23
45317 +#define DT_FLAGS 30
45318 + #define DF_TEXTREL 0x00000004
45319 #define DT_ENCODING 32
45320 #define OLD_DT_LOOS 0x60000000
45321 #define DT_LOOS 0x6000000d
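Review bot: ` #define DF_TEXTREL 0x00000004` is indented by a leading space, unlike every other `#define` in this table, and sits among `DT_*` tag numbers although it is a flag bit of the `DT_FLAGS` entry's value rather than a tag. Put it at column 0 with a comment tying it to its tag: `#define DF_TEXTREL 0x00000004 /* d_val flag bit for DT_FLAGS */`.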
45322 @@ -252,6 +265,19 @@ typedef struct elf64_hdr {
45323 #define PF_W 0x2
45324 #define PF_X 0x1
45325
45326 +#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
45327 +#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
45328 +#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
45329 +#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
45330 +#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
45331 +#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
45332 +/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
45333 +/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
45334 +#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
45335 +#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
45336 +#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
45337 +#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
45338 +
45339 typedef struct elf32_phdr{
45340 Elf32_Word p_type;
45341 Elf32_Off p_offset;
45342 @@ -344,6 +370,8 @@ typedef struct elf64_shdr {
45343 #define EI_OSABI 7
45344 #define EI_PAD 8
45345
45346 +#define EI_PAX 14
45347 +
45348 #define ELFMAG0 0x7f /* EI_MAG */
45349 #define ELFMAG1 'E'
45350 #define ELFMAG2 'L'
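Review bot: `EI_PAX 14` lands inside the `e_ident[]` padding that starts at `EI_PAD 8` directly above it, and nothing in the hunk says that this byte is being repurposed. A comment at the define, e.g. `#define EI_PAX 14 /* e_ident[] byte used for PaX flags; lies in the EI_PAD area */`, would make the reuse explicit for anyone who later reads or writes the padding bytes.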
45351 @@ -421,6 +449,7 @@ extern Elf32_Dyn _DYNAMIC [];
45352 #define elf_note elf32_note
45353 #define elf_addr_t Elf32_Off
45354 #define Elf_Half Elf32_Half
45355 +#define elf_dyn Elf32_Dyn
45356
45357 #else
45358
45359 @@ -431,6 +460,7 @@ extern Elf64_Dyn _DYNAMIC [];
45360 #define elf_note elf64_note
45361 #define elf_addr_t Elf64_Off
45362 #define Elf_Half Elf64_Half
45363 +#define elf_dyn Elf64_Dyn
45364
45365 #endif
45366
45367 diff -urNp linux-2.6.37/include/linux/fs.h linux-2.6.37/include/linux/fs.h
45368 --- linux-2.6.37/include/linux/fs.h 2011-01-04 19:50:19.000000000 -0500
45369 +++ linux-2.6.37/include/linux/fs.h 2011-01-17 02:43:32.000000000 -0500
45370 @@ -105,6 +105,11 @@ struct inodes_stat_t {
45371 /* File was opened by fanotify and shouldn't generate fanotify events */
45372 #define FMODE_NONOTIFY ((__force fmode_t)0x1000000)
45373
45374 +/* Hack for grsec so as not to require read permission simply to execute
45375 + * a binary
45376 + */
45377 +#define FMODE_GREXEC ((__force fmode_t)0x2000000)
45378 +
45379 /*
45380 * The below are the various read and write types that we support. Some of
45381 * them include behavioral modifiers that send information down to the
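Review bot: The comment above `FMODE_GREXEC` calls it a hack but does not say who may set the bit; since its effect is to waive the read permission normally needed to execute a file, the safety argument rests entirely on the bit being set only by in-kernel exec code and never being derived from user-supplied open flags. Spell that out in the comment, e.g. `/* set only by the kernel exec path; must never be derived from user open flags */`, and confirm that the O_* to fmode_t translation (outside this hunk) cannot produce 0x2000000.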
45382 @@ -578,42 +583,42 @@ typedef int (*read_actor_t)(read_descrip
45383 unsigned long, unsigned long);
45384
45385 struct address_space_operations {
45386 - int (*writepage)(struct page *page, struct writeback_control *wbc);
45387 - int (*readpage)(struct file *, struct page *);
45388 - void (*sync_page)(struct page *);
45389 + int (* const writepage)(struct page *page, struct writeback_control *wbc);
45390 + int (* const readpage)(struct file *, struct page *);
45391 + void (* const sync_page)(struct page *);
45392
45393 /* Write back some dirty pages from this mapping. */
45394 - int (*writepages)(struct address_space *, struct writeback_control *);
45395 + int (* const writepages)(struct address_space *, struct writeback_control *);
45396
45397 /* Set a page dirty. Return true if this dirtied it */
45398 - int (*set_page_dirty)(struct page *page);
45399 + int (* const set_page_dirty)(struct page *page);
45400
45401 - int (*readpages)(struct file *filp, struct address_space *mapping,
45402 + int (* const readpages)(struct file *filp, struct address_space *mapping,
45403 struct list_head *pages, unsigned nr_pages);
45404
45405 - int (*write_begin)(struct file *, struct address_space *mapping,
45406 + int (* const write_begin)(struct file *, struct address_space *mapping,
45407 loff_t pos, unsigned len, unsigned flags,
45408 struct page **pagep, void **fsdata);
45409 - int (*write_end)(struct file *, struct address_space *mapping,
45410 + int (* const write_end)(struct file *, struct address_space *mapping,
45411 loff_t pos, unsigned len, unsigned copied,
45412 struct page *page, void *fsdata);
45413
45414 /* Unfortunately this kludge is needed for FIBMAP. Don't use it */
45415 - sector_t (*bmap)(struct address_space *, sector_t);
45416 - void (*invalidatepage) (struct page *, unsigned long);
45417 - int (*releasepage) (struct page *, gfp_t);
45418 - void (*freepage)(struct page *);
45419 - ssize_t (*direct_IO)(int, struct kiocb *, const struct iovec *iov,
45420 + sector_t (* const bmap)(struct address_space *, sector_t);
45421 + void (* const invalidatepage) (struct page *, unsigned long);
45422 + int (* const releasepage) (struct page *, gfp_t);
45423 + void (* const freepage)(struct page *);
45424 + ssize_t (* const direct_IO)(int, struct kiocb *, const struct iovec *iov,
45425 loff_t offset, unsigned long nr_segs);
45426 - int (*get_xip_mem)(struct address_space *, pgoff_t, int,
45427 + int (* const get_xip_mem)(struct address_space *, pgoff_t, int,
45428 void **, unsigned long *);
45429 /* migrate the contents of a page to the specified target */
45430 - int (*migratepage) (struct address_space *,
45431 + int (* const migratepage) (struct address_space *,
45432 struct page *, struct page *);
45433 - int (*launder_page) (struct page *);
45434 - int (*is_partially_uptodate) (struct page *, read_descriptor_t *,
45435 + int (* const launder_page) (struct page *);
45436 + int (* const is_partially_uptodate) (struct page *, read_descriptor_t *,
45437 unsigned long);
45438 - int (*error_remove_page)(struct address_space *, struct page *);
45439 + int (* const error_remove_page)(struct address_space *, struct page *);
45440 };
45441
45442 /*
45443 @@ -1049,18 +1054,18 @@ static inline int file_check_writeable(s
45444 typedef struct files_struct *fl_owner_t;
45445
45446 struct file_lock_operations {
45447 - void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
45448 - void (*fl_release_private)(struct file_lock *);
45449 + void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
45450 + void (* const fl_release_private)(struct file_lock *);
45451 };
45452
45453 struct lock_manager_operations {
45454 - int (*fl_compare_owner)(struct file_lock *, struct file_lock *);
45455 - void (*fl_notify)(struct file_lock *); /* unblock callback */
45456 - int (*fl_grant)(struct file_lock *, struct file_lock *, int);
45457 - void (*fl_release_private)(struct file_lock *);
45458 - void (*fl_break)(struct file_lock *);
45459 - int (*fl_mylease)(struct file_lock *, struct file_lock *);
45460 - int (*fl_change)(struct file_lock **, int);
45461 + int (* const fl_compare_owner)(struct file_lock *, struct file_lock *);
45462 + void (* const fl_notify)(struct file_lock *); /* unblock callback */
45463 + int (* const fl_grant)(struct file_lock *, struct file_lock *, int);
45464 + void (* const fl_release_private)(struct file_lock *);
45465 + void (* const fl_break)(struct file_lock *);
45466 + int (* const fl_mylease)(struct file_lock *, struct file_lock *);
45467 + int (* const fl_change)(struct file_lock **, int);
45468 };
45469
45470 struct lock_manager {
45471 @@ -1474,7 +1479,7 @@ struct fiemap_extent_info {
45472 unsigned int fi_flags; /* Flags as passed from user */
45473 unsigned int fi_extents_mapped; /* Number of mapped extents */
45474 unsigned int fi_extents_max; /* Size of fiemap_extent array */
45475 - struct fiemap_extent *fi_extents_start; /* Start of fiemap_extent
45476 + struct fiemap_extent __user *fi_extents_start; /* Start of fiemap_extent
45477 * array */
45478 };
45479 int fiemap_fill_next_extent(struct fiemap_extent_info *info, u64 logical,
45480 @@ -1590,29 +1595,29 @@ extern ssize_t vfs_writev(struct file *,
45481 unsigned long, loff_t *);
45482
45483 struct super_operations {
45484 - struct inode *(*alloc_inode)(struct super_block *sb);
45485 - void (*destroy_inode)(struct inode *);
45486 + struct inode *(* const alloc_inode)(struct super_block *sb);
45487 + void (* const destroy_inode)(struct inode *);
45488
45489 - void (*dirty_inode) (struct inode *);
45490 - int (*write_inode) (struct inode *, struct writeback_control *wbc);
45491 - int (*drop_inode) (struct inode *);
45492 - void (*evict_inode) (struct inode *);
45493 - void (*put_super) (struct super_block *);
45494 - void (*write_super) (struct super_block *);
45495 - int (*sync_fs)(struct super_block *sb, int wait);
45496 - int (*freeze_fs) (struct super_block *);
45497 - int (*unfreeze_fs) (struct super_block *);
45498 - int (*statfs) (struct dentry *, struct kstatfs *);
45499 - int (*remount_fs) (struct super_block *, int *, char *);
45500 - void (*umount_begin) (struct super_block *);
45501 + void (* const dirty_inode) (struct inode *);
45502 + int (* const write_inode) (struct inode *, struct writeback_control *wbc);
45503 + int (* const drop_inode) (struct inode *);
45504 + void (* const evict_inode) (struct inode *);
45505 + void (* const put_super) (struct super_block *);
45506 + void (* const write_super) (struct super_block *);
45507 + int (* const sync_fs)(struct super_block *sb, int wait);
45508 + int (* const freeze_fs) (struct super_block *);
45509 + int (* const unfreeze_fs) (struct super_block *);
45510 + int (* const statfs) (struct dentry *, struct kstatfs *);
45511 + int (* const remount_fs) (struct super_block *, int *, char *);
45512 + void (* const umount_begin) (struct super_block *);
45513
45514 - int (*show_options)(struct seq_file *, struct vfsmount *);
45515 - int (*show_stats)(struct seq_file *, struct vfsmount *);
45516 + int (* const show_options)(struct seq_file *, struct vfsmount *);
45517 + int (* const show_stats)(struct seq_file *, struct vfsmount *);
45518 #ifdef CONFIG_QUOTA
45519 - ssize_t (*quota_read)(struct super_block *, int, char *, size_t, loff_t);
45520 - ssize_t (*quota_write)(struct super_block *, int, const char *, size_t, loff_t);
45521 + ssize_t (* const quota_read)(struct super_block *, int, char *, size_t, loff_t);
45522 + ssize_t (* const quota_write)(struct super_block *, int, const char *, size_t, loff_t);
45523 #endif
45524 - int (*bdev_try_to_free_page)(struct super_block*, struct page*, gfp_t);
45525 + int (* const bdev_try_to_free_page)(struct super_block*, struct page*, gfp_t);
45526 };
45527
45528 /*
45529 diff -urNp linux-2.6.37/include/linux/fs_struct.h linux-2.6.37/include/linux/fs_struct.h
45530 --- linux-2.6.37/include/linux/fs_struct.h 2011-01-04 19:50:19.000000000 -0500
45531 +++ linux-2.6.37/include/linux/fs_struct.h 2011-01-17 02:41:02.000000000 -0500
45532 @@ -4,7 +4,7 @@
45533 #include <linux/path.h>
45534
45535 struct fs_struct {
45536 - int users;
45537 + atomic_t users;
45538 spinlock_t lock;
45539 int umask;
45540 int in_exec;
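Review bot: Turning `users` into `atomic_t` changes its locking contract, yet `spinlock_t lock` on the next line remains and the hunk does not say whether `lock` still guards `users` or whether every reader and writer (all outside this hunk) now goes through `atomic_*` accessors. A comment on the field, e.g. `atomic_t users; /* atomic_* accessors only; not protected by ->lock */`, would stop a mixed access pattern from creeping back in; adjust the wording to what the converted callers actually do.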
45541 diff -urNp linux-2.6.37/include/linux/genhd.h linux-2.6.37/include/linux/genhd.h
45542 --- linux-2.6.37/include/linux/genhd.h 2011-01-04 19:50:19.000000000 -0500
45543 +++ linux-2.6.37/include/linux/genhd.h 2011-01-17 02:41:02.000000000 -0500
45544 @@ -172,7 +172,7 @@ struct gendisk {
45545
45546 struct timer_rand_state *random;
45547
45548 - atomic_t sync_io; /* RAID */
45549 + atomic_unchecked_t sync_io; /* RAID */
45550 struct work_struct async_notify;
45551 #ifdef CONFIG_BLK_DEV_INTEGRITY
45552 struct blk_integrity *integrity;
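Review bot: `atomic_unchecked_t sync_io` opts this counter out of the patch's overflow-checked atomics without saying why. Presumably it is a statistic whose wraparound is harmless, but that belongs at the field, e.g. `atomic_unchecked_t sync_io; /* RAID statistic: wraparound is harmless, hence unchecked */`, because the unchecked type is precisely the one that must not be used for anything refcount-like.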
45553 diff -urNp linux-2.6.37/include/linux/gracl.h linux-2.6.37/include/linux/gracl.h
45554 --- linux-2.6.37/include/linux/gracl.h 1969-12-31 19:00:00.000000000 -0500
45555 +++ linux-2.6.37/include/linux/gracl.h 2011-01-17 02:41:02.000000000 -0500
45556 @@ -0,0 +1,317 @@
45557 +#ifndef GR_ACL_H
45558 +#define GR_ACL_H
45559 +
45560 +#include <linux/grdefs.h>
45561 +#include <linux/resource.h>
45562 +#include <linux/capability.h>
45563 +#include <linux/dcache.h>
45564 +#include <asm/resource.h>
45565 +
45566 +/* Major status information */
45567 +
45568 +#define GR_VERSION "grsecurity 2.2.1"
45569 +#define GRSECURITY_VERSION 0x2201
45570 +
45571 +enum {
45572 + GR_SHUTDOWN = 0,
45573 + GR_ENABLE = 1,
45574 + GR_SPROLE = 2,
45575 + GR_RELOAD = 3,
45576 + GR_SEGVMOD = 4,
45577 + GR_STATUS = 5,
45578 + GR_UNSPROLE = 6,
45579 + GR_PASSSET = 7,
45580 + GR_SPROLEPAM = 8,
45581 +};
45582 +
45583 +/* Password setup definitions
45584 + * kernel/grhash.c */
45585 +enum {
45586 + GR_PW_LEN = 128,
45587 + GR_SALT_LEN = 16,
45588 + GR_SHA_LEN = 32,
45589 +};
45590 +
45591 +enum {
45592 + GR_SPROLE_LEN = 64,
45593 +};
45594 +
45595 +enum {
45596 + GR_NO_GLOB = 0,
45597 + GR_REG_GLOB,
45598 + GR_CREATE_GLOB
45599 +};
45600 +
45601 +#define GR_NLIMITS 32
45602 +
45603 +/* Begin Data Structures */
45604 +
45605 +struct sprole_pw {
45606 + unsigned char *rolename;
45607 + unsigned char salt[GR_SALT_LEN];
45608 + unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
45609 +};
45610 +
45611 +struct name_entry {
45612 + __u32 key;
45613 + ino_t inode;
45614 + dev_t device;
45615 + char *name;
45616 + __u16 len;
45617 + __u8 deleted;
45618 + struct name_entry *prev;
45619 + struct name_entry *next;
45620 +};
45621 +
45622 +struct inodev_entry {
45623 + struct name_entry *nentry;
45624 + struct inodev_entry *prev;
45625 + struct inodev_entry *next;
45626 +};
45627 +
45628 +struct acl_role_db {
45629 + struct acl_role_label **r_hash;
45630 + __u32 r_size;
45631 +};
45632 +
45633 +struct inodev_db {
45634 + struct inodev_entry **i_hash;
45635 + __u32 i_size;
45636 +};
45637 +
45638 +struct name_db {
45639 + struct name_entry **n_hash;
45640 + __u32 n_size;
45641 +};
45642 +
45643 +struct crash_uid {
45644 + uid_t uid;
45645 + unsigned long expires;
45646 +};
45647 +
45648 +struct gr_hash_struct {
45649 + void **table;
45650 + void **nametable;
45651 + void *first;
45652 + __u32 table_size;
45653 + __u32 used_size;
45654 + int type;
45655 +};
45656 +
45657 +/* Userspace Grsecurity ACL data structures */
45658 +
45659 +struct acl_subject_label {
45660 + char *filename;
45661 + ino_t inode;
45662 + dev_t device;
45663 + __u32 mode;
45664 + kernel_cap_t cap_mask;
45665 + kernel_cap_t cap_lower;
45666 + kernel_cap_t cap_invert_audit;
45667 +
45668 + struct rlimit res[GR_NLIMITS];
45669 + __u32 resmask;
45670 +
45671 + __u8 user_trans_type;
45672 + __u8 group_trans_type;
45673 + uid_t *user_transitions;
45674 + gid_t *group_transitions;
45675 + __u16 user_trans_num;
45676 + __u16 group_trans_num;
45677 +
45678 + __u32 sock_families[2];
45679 + __u32 ip_proto[8];
45680 + __u32 ip_type;
45681 + struct acl_ip_label **ips;
45682 + __u32 ip_num;
45683 + __u32 inaddr_any_override;
45684 +
45685 + __u32 crashes;
45686 + unsigned long expires;
45687 +
45688 + struct acl_subject_label *parent_subject;
45689 + struct gr_hash_struct *hash;
45690 + struct acl_subject_label *prev;
45691 + struct acl_subject_label *next;
45692 +
45693 + struct acl_object_label **obj_hash;
45694 + __u32 obj_hash_size;
45695 + __u16 pax_flags;
45696 +};
45697 +
45698 +struct role_allowed_ip {
45699 + __u32 addr;
45700 + __u32 netmask;
45701 +
45702 + struct role_allowed_ip *prev;
45703 + struct role_allowed_ip *next;
45704 +};
45705 +
45706 +struct role_transition {
45707 + char *rolename;
45708 +
45709 + struct role_transition *prev;
45710 + struct role_transition *next;
45711 +};
45712 +
45713 +struct acl_role_label {
45714 + char *rolename;
45715 + uid_t uidgid;
45716 + __u16 roletype;
45717 +
45718 + __u16 auth_attempts;
45719 + unsigned long expires;
45720 +
45721 + struct acl_subject_label *root_label;
45722 + struct gr_hash_struct *hash;
45723 +
45724 + struct acl_role_label *prev;
45725 + struct acl_role_label *next;
45726 +
45727 + struct role_transition *transitions;
45728 + struct role_allowed_ip *allowed_ips;
45729 + uid_t *domain_children;
45730 + __u16 domain_child_num;
45731 +
45732 + struct acl_subject_label **subj_hash;
45733 + __u32 subj_hash_size;
45734 +};
45735 +
45736 +struct user_acl_role_db {
45737 + struct acl_role_label **r_table;
45738 + __u32 num_pointers; /* Number of allocations to track */
45739 + __u32 num_roles; /* Number of roles */
45740 + __u32 num_domain_children; /* Number of domain children */
45741 + __u32 num_subjects; /* Number of subjects */
45742 + __u32 num_objects; /* Number of objects */
45743 +};
45744 +
45745 +struct acl_object_label {
45746 + char *filename;
45747 + ino_t inode;
45748 + dev_t device;
45749 + __u32 mode;
45750 +
45751 + struct acl_subject_label *nested;
45752 + struct acl_object_label *globbed;
45753 +
45754 + /* next two structures not used */
45755 +
45756 + struct acl_object_label *prev;
45757 + struct acl_object_label *next;
45758 +};
45759 +
45760 +struct acl_ip_label {
45761 + char *iface;
45762 + __u32 addr;
45763 + __u32 netmask;
45764 + __u16 low, high;
45765 + __u8 mode;
45766 + __u32 type;
45767 + __u32 proto[8];
45768 +
45769 + /* next two structures not used */
45770 +
45771 + struct acl_ip_label *prev;
45772 + struct acl_ip_label *next;
45773 +};
45774 +
45775 +struct gr_arg {
45776 + struct user_acl_role_db role_db;
45777 + unsigned char pw[GR_PW_LEN];
45778 + unsigned char salt[GR_SALT_LEN];
45779 + unsigned char sum[GR_SHA_LEN];
45780 + unsigned char sp_role[GR_SPROLE_LEN];
45781 + struct sprole_pw *sprole_pws;
45782 + dev_t segv_device;
45783 + ino_t segv_inode;
45784 + uid_t segv_uid;
45785 + __u16 num_sprole_pws;
45786 + __u16 mode;
45787 +};
45788 +
45789 +struct gr_arg_wrapper {
45790 + struct gr_arg *arg;
45791 + __u32 version;
45792 + __u32 size;
45793 +};
45794 +
45795 +struct subject_map {
45796 + struct acl_subject_label *user;
45797 + struct acl_subject_label *kernel;
45798 + struct subject_map *prev;
45799 + struct subject_map *next;
45800 +};
45801 +
45802 +struct acl_subj_map_db {
45803 + struct subject_map **s_hash;
45804 + __u32 s_size;
45805 +};
45806 +
45807 +/* End Data Structures Section */
45808 +
45809 +/* Hash functions generated by empirical testing by Brad Spengler
45810 + Makes good use of the low bits of the inode. Generally 0-1 times
45811 + in loop for successful match. 0-3 for unsuccessful match.
45812 + Shift/add algorithm with modulus of table size and an XOR*/
45813 +
45814 +static __inline__ unsigned int
45815 +rhash(const uid_t uid, const __u16 type, const unsigned int sz)
45816 +{
45817 + return ((((uid + type) << (16 + type)) ^ uid) % sz);
45818 +}
45819 +
45820 + static __inline__ unsigned int
45821 +shash(const struct acl_subject_label *userp, const unsigned int sz)
45822 +{
45823 + return ((const unsigned long)userp % sz);
45824 +}
45825 +
45826 +static __inline__ unsigned int
45827 +fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
45828 +{
45829 + return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
45830 +}
45831 +
45832 +static __inline__ unsigned int
45833 +nhash(const char *name, const __u16 len, const unsigned int sz)
45834 +{
45835 + return full_name_hash((const unsigned char *)name, len) % sz;
45836 +}
45837 +
45838 +#define FOR_EACH_ROLE_START(role) \
45839 + role = role_list; \
45840 + while (role) {
45841 +
45842 +#define FOR_EACH_ROLE_END(role) \
45843 + role = role->prev; \
45844 + }
45845 +
45846 +#define FOR_EACH_SUBJECT_START(role,subj,iter) \
45847 + subj = NULL; \
45848 + iter = 0; \
45849 + while (iter < role->subj_hash_size) { \
45850 + if (subj == NULL) \
45851 + subj = role->subj_hash[iter]; \
45852 + if (subj == NULL) { \
45853 + iter++; \
45854 + continue; \
45855 + }
45856 +
45857 +#define FOR_EACH_SUBJECT_END(subj,iter) \
45858 + subj = subj->next; \
45859 + if (subj == NULL) \
45860 + iter++; \
45861 + }
45862 +
45863 +
45864 +#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
45865 + subj = role->hash->first; \
45866 + while (subj != NULL) {
45867 +
45868 +#define FOR_EACH_NESTED_SUBJECT_END(subj) \
45869 + subj = subj->next; \
45870 + }
45871 +
45872 +#endif
45873 +
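Review bot: `rhash` shifts a 32-bit value by `16 + type` where `type` is an unbounded `__u16`; any `type` of 16 or more makes the shift count reach the width of `unsigned int`, which is undefined behaviour, and the `GR_ROLE_*` flags in grdefs.h go well past 16, so callers must be passing only a small role-kind value, an invariant this header does not state. Either mask the shift amount or document the accepted range, e.g. `/* type must be < 16: the shift count is 16 + type */`; `rhash`, `shash` and `fhash` also divide by `sz`, so an empty table must be rejected before they are called. `struct gr_arg_wrapper` carries a user pointer plus `version` and `size`; the header should say that the consumer checks `version == GRSECURITY_VERSION` and `size == sizeof(struct gr_arg)` before following `arg` (that consumer is outside this hunk). The stray leading space before `static __inline__` on the `shash` definition and the use of `__inline__` rather than the kernel's `inline` are style nits.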
45874 diff -urNp linux-2.6.37/include/linux/gralloc.h linux-2.6.37/include/linux/gralloc.h
45875 --- linux-2.6.37/include/linux/gralloc.h 1969-12-31 19:00:00.000000000 -0500
45876 +++ linux-2.6.37/include/linux/gralloc.h 2011-01-17 02:41:02.000000000 -0500
45877 @@ -0,0 +1,9 @@
45878 +#ifndef __GRALLOC_H
45879 +#define __GRALLOC_H
45880 +
45881 +void acl_free_all(void);
45882 +int acl_alloc_stack_init(unsigned long size);
45883 +void *acl_alloc(unsigned long len);
45884 +void *acl_alloc_num(unsigned long num, unsigned long len);
45885 +
45886 +#endif
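Review bot: The four prototypes carry no ownership or failure documentation: nothing says whether `acl_alloc`/`acl_alloc_num` return NULL on exhaustion, whether returned memory may be freed individually or only via `acl_free_all`, or what `acl_alloc_stack_init` returns. A short comment per declaration would fix that; from the names it looks like a stack allocator released wholesale by `acl_free_all`, but confirm against the implementation, which is not in this hunk. The guard `__GRALLOC_H` also uses a reserved double-underscore identifier while the sibling headers use `GR_ACL_H` and `GRDEFS_H`; `GRALLOC_H` would match.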
45887 diff -urNp linux-2.6.37/include/linux/grdefs.h linux-2.6.37/include/linux/grdefs.h
45888 --- linux-2.6.37/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500
45889 +++ linux-2.6.37/include/linux/grdefs.h 2011-01-17 02:41:02.000000000 -0500
45890 @@ -0,0 +1,137 @@
45891 +#ifndef GRDEFS_H
45892 +#define GRDEFS_H
45893 +
45894 +/* Begin grsecurity status declarations */
45895 +
45896 +enum {
45897 + GR_READY = 0x01,
45898 + GR_STATUS_INIT = 0x00 // disabled state
45899 +};
45900 +
45901 +/* Begin ACL declarations */
45902 +
45903 +/* Role flags */
45904 +
45905 +enum {
45906 + GR_ROLE_USER = 0x0001,
45907 + GR_ROLE_GROUP = 0x0002,
45908 + GR_ROLE_DEFAULT = 0x0004,
45909 + GR_ROLE_SPECIAL = 0x0008,
45910 + GR_ROLE_AUTH = 0x0010,
45911 + GR_ROLE_NOPW = 0x0020,
45912 + GR_ROLE_GOD = 0x0040,
45913 + GR_ROLE_LEARN = 0x0080,
45914 + GR_ROLE_TPE = 0x0100,
45915 + GR_ROLE_DOMAIN = 0x0200,
45916 + GR_ROLE_PAM = 0x0400
45917 +};
45918 +
45919 +/* ACL Subject and Object mode flags */
45920 +enum {
45921 + GR_DELETED = 0x80000000
45922 +};
45923 +
45924 +/* ACL Object-only mode flags */
45925 +enum {
45926 + GR_READ = 0x00000001,
45927 + GR_APPEND = 0x00000002,
45928 + GR_WRITE = 0x00000004,
45929 + GR_EXEC = 0x00000008,
45930 + GR_FIND = 0x00000010,
45931 + GR_INHERIT = 0x00000020,
45932 + GR_SETID = 0x00000040,
45933 + GR_CREATE = 0x00000080,
45934 + GR_DELETE = 0x00000100,
45935 + GR_LINK = 0x00000200,
45936 + GR_AUDIT_READ = 0x00000400,
45937 + GR_AUDIT_APPEND = 0x00000800,
45938 + GR_AUDIT_WRITE = 0x00001000,
45939 + GR_AUDIT_EXEC = 0x00002000,
45940 + GR_AUDIT_FIND = 0x00004000,
45941 + GR_AUDIT_INHERIT= 0x00008000,
45942 + GR_AUDIT_SETID = 0x00010000,
45943 + GR_AUDIT_CREATE = 0x00020000,
45944 + GR_AUDIT_DELETE = 0x00040000,
45945 + GR_AUDIT_LINK = 0x00080000,
45946 + GR_PTRACERD = 0x00100000,
45947 + GR_NOPTRACE = 0x00200000,
45948 + GR_SUPPRESS = 0x00400000,
45949 + GR_NOLEARN = 0x00800000
45950 +};
45951 +
45952 +#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
45953 + GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
45954 + GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
45955 +
45956 +/* ACL subject-only mode flags */
45957 +enum {
45958 + GR_KILL = 0x00000001,
45959 + GR_VIEW = 0x00000002,
45960 + GR_PROTECTED = 0x00000004,
45961 + GR_LEARN = 0x00000008,
45962 + GR_OVERRIDE = 0x00000010,
45963 + /* just a placeholder, this mode is only used in userspace */
45964 + GR_DUMMY = 0x00000020,
45965 + GR_PROTSHM = 0x00000040,
45966 + GR_KILLPROC = 0x00000080,
45967 + GR_KILLIPPROC = 0x00000100,
45968 + /* just a placeholder, this mode is only used in userspace */
45969 + GR_NOTROJAN = 0x00000200,
45970 + GR_PROTPROCFD = 0x00000400,
45971 + GR_PROCACCT = 0x00000800,
45972 + GR_RELAXPTRACE = 0x00001000,
45973 + GR_NESTED = 0x00002000,
45974 + GR_INHERITLEARN = 0x00004000,
45975 + GR_PROCFIND = 0x00008000,
45976 + GR_POVERRIDE = 0x00010000,
45977 + GR_KERNELAUTH = 0x00020000,
45978 + GR_ATSECURE = 0x00040000
45979 +};
45980 +
45981 +enum {
45982 + GR_PAX_ENABLE_SEGMEXEC = 0x0001,
45983 + GR_PAX_ENABLE_PAGEEXEC = 0x0002,
45984 + GR_PAX_ENABLE_MPROTECT = 0x0004,
45985 + GR_PAX_ENABLE_RANDMMAP = 0x0008,
45986 + GR_PAX_ENABLE_EMUTRAMP = 0x0010,
45987 + GR_PAX_DISABLE_SEGMEXEC = 0x0100,
45988 + GR_PAX_DISABLE_PAGEEXEC = 0x0200,
45989 + GR_PAX_DISABLE_MPROTECT = 0x0400,
45990 + GR_PAX_DISABLE_RANDMMAP = 0x0800,
45991 + GR_PAX_DISABLE_EMUTRAMP = 0x1000,
45992 +};
45993 +
45994 +enum {
45995 + GR_ID_USER = 0x01,
45996 + GR_ID_GROUP = 0x02,
45997 +};
45998 +
45999 +enum {
46000 + GR_ID_ALLOW = 0x01,
46001 + GR_ID_DENY = 0x02,
46002 +};
46003 +
46004 +#define GR_CRASH_RES 31
46005 +#define GR_UIDTABLE_MAX 500
46006 +
46007 +/* begin resource learning section */
46008 +enum {
46009 + GR_RLIM_CPU_BUMP = 60,
46010 + GR_RLIM_FSIZE_BUMP = 50000,
46011 + GR_RLIM_DATA_BUMP = 10000,
46012 + GR_RLIM_STACK_BUMP = 1000,
46013 + GR_RLIM_CORE_BUMP = 10000,
46014 + GR_RLIM_RSS_BUMP = 500000,
46015 + GR_RLIM_NPROC_BUMP = 1,
46016 + GR_RLIM_NOFILE_BUMP = 5,
46017 + GR_RLIM_MEMLOCK_BUMP = 50000,
46018 + GR_RLIM_AS_BUMP = 500000,
46019 + GR_RLIM_LOCKS_BUMP = 2,
46020 + GR_RLIM_SIGPENDING_BUMP = 5,
46021 + GR_RLIM_MSGQUEUE_BUMP = 10000,
46022 + GR_RLIM_NICE_BUMP = 1,
46023 + GR_RLIM_RTPRIO_BUMP = 1,
46024 + GR_RLIM_RTTIME_BUMP = 1000000
46025 +};
46026 +
46027 +#endif
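Review bot: `GR_DELETED = 0x80000000` in the "Subject and Object mode flags" enum does not fit in `int`, which C99 6.7.2.2 requires of an enumeration constant; GCC accepts it as an extension and gives that enumeration an unsigned type, but `-pedantic` reports it and the mixed signedness can surface when the value is combined with the `int`-typed flags from the other enums. Writing it as `#define GR_DELETED 0x80000000U` next to `GR_AUDITS`, or adding `/* relies on GCC widening the enum to unsigned */` on the line, makes the intent explicit. The `GR_RLIM_*_BUMP` constants are also unit-less; a one-line comment per group giving the unit each bump is expressed in (presumably seconds for CPU, bytes for the size limits, a count for NPROC/NOFILE) would help readers of the learning code.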
46028 diff -urNp linux-2.6.37/include/linux/grinternal.h linux-2.6.37/include/linux/grinternal.h
46029 --- linux-2.6.37/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
46030 +++ linux-2.6.37/include/linux/grinternal.h 2011-01-17 02:41:02.000000000 -0500
46031 @@ -0,0 +1,216 @@
46032 +#ifndef __GRINTERNAL_H
46033 +#define __GRINTERNAL_H
46034 +
46035 +#ifdef CONFIG_GRKERNSEC
46036 +
46037 +#include <linux/fs.h>
46038 +#include <linux/mnt_namespace.h>
46039 +#include <linux/nsproxy.h>
46040 +#include <linux/gracl.h>
46041 +#include <linux/grdefs.h>
46042 +#include <linux/grmsg.h>
46043 +
46044 +void gr_add_learn_entry(const char *fmt, ...)
46045 + __attribute__ ((format (printf, 1, 2)));
46046 +__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
46047 + const struct vfsmount *mnt);
46048 +__u32 gr_check_create(const struct dentry *new_dentry,
46049 + const struct dentry *parent,
46050 + const struct vfsmount *mnt, const __u32 mode);
46051 +int gr_check_protected_task(const struct task_struct *task);
46052 +__u32 to_gr_audit(const __u32 reqmode);
46053 +int gr_set_acls(const int type);
46054 +
46055 +int gr_acl_is_enabled(void);
46056 +char gr_roletype_to_char(void);
46057 +
46058 +void gr_handle_alertkill(struct task_struct *task);
46059 +char *gr_to_filename(const struct dentry *dentry,
46060 + const struct vfsmount *mnt);
46061 +char *gr_to_filename1(const struct dentry *dentry,
46062 + const struct vfsmount *mnt);
46063 +char *gr_to_filename2(const struct dentry *dentry,
46064 + const struct vfsmount *mnt);
46065 +char *gr_to_filename3(const struct dentry *dentry,
46066 + const struct vfsmount *mnt);
46067 +
46068 +extern int grsec_enable_harden_ptrace;
46069 +extern int grsec_enable_link;
46070 +extern int grsec_enable_fifo;
46071 +extern int grsec_enable_execve;
46072 +extern int grsec_enable_shm;
46073 +extern int grsec_enable_execlog;
46074 +extern int grsec_enable_signal;
46075 +extern int grsec_enable_audit_ptrace;
46076 +extern int grsec_enable_forkfail;
46077 +extern int grsec_enable_time;
46078 +extern int grsec_enable_rofs;
46079 +extern int grsec_enable_chroot_shmat;
46080 +extern int grsec_enable_chroot_findtask;
46081 +extern int grsec_enable_chroot_mount;
46082 +extern int grsec_enable_chroot_double;
46083 +extern int grsec_enable_chroot_pivot;
46084 +extern int grsec_enable_chroot_chdir;
46085 +extern int grsec_enable_chroot_chmod;
46086 +extern int grsec_enable_chroot_mknod;
46087 +extern int grsec_enable_chroot_fchdir;
46088 +extern int grsec_enable_chroot_nice;
46089 +extern int grsec_enable_chroot_execlog;
46090 +extern int grsec_enable_chroot_caps;
46091 +extern int grsec_enable_chroot_sysctl;
46092 +extern int grsec_enable_chroot_unix;
46093 +extern int grsec_enable_tpe;
46094 +extern int grsec_tpe_gid;
46095 +extern int grsec_enable_tpe_all;
46096 +extern int grsec_enable_tpe_invert;
46097 +extern int grsec_enable_socket_all;
46098 +extern int grsec_socket_all_gid;
46099 +extern int grsec_enable_socket_client;
46100 +extern int grsec_socket_client_gid;
46101 +extern int grsec_enable_socket_server;
46102 +extern int grsec_socket_server_gid;
46103 +extern int grsec_audit_gid;
46104 +extern int grsec_enable_group;
46105 +extern int grsec_enable_audit_textrel;
46106 +extern int grsec_enable_log_rwxmaps;
46107 +extern int grsec_enable_mount;
46108 +extern int grsec_enable_chdir;
46109 +extern int grsec_resource_logging;
46110 +extern int grsec_enable_blackhole;
46111 +extern int grsec_lastack_retries;
46112 +extern int grsec_lock;
46113 +
46114 +extern spinlock_t grsec_alert_lock;
46115 +extern unsigned long grsec_alert_wtime;
46116 +extern unsigned long grsec_alert_fyet;
46117 +
46118 +extern spinlock_t grsec_audit_lock;
46119 +
46120 +extern rwlock_t grsec_exec_file_lock;
46121 +
46122 +#define gr_task_fullpath(tsk) ((tsk)->exec_file ? \
46123 + gr_to_filename2((tsk)->exec_file->f_path.dentry, \
46124 + (tsk)->exec_file->f_vfsmnt) : "/")
46125 +
46126 +#define gr_parent_task_fullpath(tsk) ((tsk)->real_parent->exec_file ? \
46127 + gr_to_filename3((tsk)->real_parent->exec_file->f_path.dentry, \
46128 + (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
46129 +
46130 +#define gr_task_fullpath0(tsk) ((tsk)->exec_file ? \
46131 + gr_to_filename((tsk)->exec_file->f_path.dentry, \
46132 + (tsk)->exec_file->f_vfsmnt) : "/")
46133 +
46134 +#define gr_parent_task_fullpath0(tsk) ((tsk)->real_parent->exec_file ? \
46135 + gr_to_filename1((tsk)->real_parent->exec_file->f_path.dentry, \
46136 + (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
46137 +
46138 +#define proc_is_chrooted(tsk_a) ((tsk_a)->gr_is_chrooted)
46139 +
46140 +#define have_same_root(tsk_a,tsk_b) ((tsk_a)->gr_chroot_dentry == (tsk_b)->gr_chroot_dentry)
46141 +
46142 +#define DEFAULTSECARGS(task, cred, pcred) gr_task_fullpath(task), (task)->comm, \
46143 + (task)->pid, (cred)->uid, \
46144 + (cred)->euid, (cred)->gid, (cred)->egid, \
46145 + gr_parent_task_fullpath(task), \
46146 + (task)->real_parent->comm, (task)->real_parent->pid, \
46147 + (pcred)->uid, (pcred)->euid, \
46148 + (pcred)->gid, (pcred)->egid
46149 +
46150 +#define GR_CHROOT_CAPS {{ \
46151 + CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
46152 + CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
46153 + CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
46154 + CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
46155 + CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
46156 + CAP_TO_MASK(CAP_IPC_OWNER) , 0 }}
46157 +
46158 +#define security_learn(normal_msg,args...) \
46159 +({ \
46160 + read_lock(&grsec_exec_file_lock); \
46161 + gr_add_learn_entry(normal_msg "\n", ## args); \
46162 + read_unlock(&grsec_exec_file_lock); \
46163 +})
46164 +
46165 +enum {
46166 + GR_DO_AUDIT,
46167 + GR_DONT_AUDIT,
46168 + GR_DONT_AUDIT_GOOD
46169 +};
46170 +
46171 +enum {
46172 + GR_TTYSNIFF,
46173 + GR_RBAC,
46174 + GR_RBAC_STR,
46175 + GR_STR_RBAC,
46176 + GR_RBAC_MODE2,
46177 + GR_RBAC_MODE3,
46178 + GR_FILENAME,
46179 + GR_SYSCTL_HIDDEN,
46180 + GR_NOARGS,
46181 + GR_ONE_INT,
46182 + GR_ONE_INT_TWO_STR,
46183 + GR_ONE_STR,
46184 + GR_STR_INT,
46185 + GR_TWO_STR_INT,
46186 + GR_TWO_INT,
46187 + GR_THREE_INT,
46188 + GR_FIVE_INT_TWO_STR,
46189 + GR_TWO_STR,
46190 + GR_THREE_STR,
46191 + GR_FOUR_STR,
46192 + GR_STR_FILENAME,
46193 + GR_FILENAME_STR,
46194 + GR_FILENAME_TWO_INT,
46195 + GR_FILENAME_TWO_INT_STR,
46196 + GR_TEXTREL,
46197 + GR_PTRACE,
46198 + GR_RESOURCE,
46199 + GR_CAP,
46200 + GR_SIG,
46201 + GR_SIG2,
46202 + GR_CRASH1,
46203 + GR_CRASH2,
46204 + GR_PSACCT,
46205 + GR_RWXMAP
46206 +};
46207 +
46208 +#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
46209 +#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
46210 +#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
46211 +#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
46212 +#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
46213 +#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
46214 +#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
46215 +#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
46216 +#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
46217 +#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
46218 +#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
46219 +#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
46220 +#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
46221 +#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
46222 +#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
46223 +#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
46224 +#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
46225 +#define gr_log_str2_int(audit, msg, str1, str2, num) gr_log_varargs(audit, msg, GR_TWO_STR_INT, str1, str2, num)
46226 +#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
46227 +#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
46228 +#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
46229 +#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
46230 +#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
46231 +#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
46232 +#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
46233 +#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
46234 +#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
46235 +#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
46236 +#define gr_log_sig_addr(audit, msg, str, addr) gr_log_varargs(audit, msg, GR_SIG, str, addr)
46237 +#define gr_log_sig_task(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG2, task, num)
46238 +#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
46239 +#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
46240 +#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
46241 +#define gr_log_rwxmap(audit, msg, str) gr_log_varargs(audit, msg, GR_RWXMAP, str)
46242 +
46243 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
46244 +
46245 +#endif
46246 +
46247 +#endif
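Review bot: `gr_log_varargs(int audit, const char *msg, int argtypes, ...)` takes `msg` as a format string but, unlike `gr_add_learn_entry`, cannot carry a `format(printf, ...)` attribute because the variadic arguments are interpreted through `argtypes`, so the compiler never checks that a `GR_*_MSG` literal matches the arguments the `gr_log_*` macros pass. A comment on the prototype stating that `msg` must be one of the grmsg.h literals and never caller-supplied text, and that each `argtypes` value fixes the expected argument list, documents the contract every macro in this header relies on. Separately, `gr_task_fullpath(tsk)` and its three siblings evaluate `tsk` more than once, so a note such as `/* tsk is evaluated twice; pass an lvalue, not an expression with side effects */` above them is warranted.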
46248 diff -urNp linux-2.6.37/include/linux/grmsg.h linux-2.6.37/include/linux/grmsg.h
46249 --- linux-2.6.37/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
46250 +++ linux-2.6.37/include/linux/grmsg.h 2011-01-17 02:41:02.000000000 -0500
46251 @@ -0,0 +1,111 @@
46252 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
46253 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
46254 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
46255 +#define GR_STOPMOD_MSG "denied modification of module state by "
46256 +#define GR_ROFS_BLOCKWRITE_MSG "denied write to block device %.950s by "
46257 +#define GR_ROFS_MOUNT_MSG "denied writable mount of %.950s by "
46258 +#define GR_IOPERM_MSG "denied use of ioperm() by "
46259 +#define GR_IOPL_MSG "denied use of iopl() by "
46260 +#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
46261 +#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
46262 +#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
46263 +#define GR_KMEM_MSG "denied write of /dev/kmem by "
46264 +#define GR_PORT_OPEN_MSG "denied open of /dev/port by "
46265 +#define GR_MEM_WRITE_MSG "denied write of /dev/mem by "
46266 +#define GR_MEM_MMAP_MSG "denied mmap write of /dev/[k]mem by "
46267 +#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
46268 +#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%pI4"
46269 +#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%pI4"
46270 +#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
46271 +#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
46272 +#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
46273 +#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
46274 +#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
46275 +#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
46276 +#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
46277 +#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%pI4 %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
46278 +#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
46279 +#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
46280 +#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
46281 +#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
46282 +#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
46283 +#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
46284 +#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
46285 +#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
46286 +#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
46287 +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
46288 +#define GR_NPROC_MSG "denied overstep of process limit by "
46289 +#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
46290 +#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
46291 +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
46292 +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
46293 +#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
46294 +#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
46295 +#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
46296 +#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
46297 +#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
46298 +#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
46299 +#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
46300 +#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
46301 +#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
46302 +#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
46303 +#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
46304 +#define GR_SETXATTR_ACL_MSG "%s setting extended attributes of %.950s by "
46305 +#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
46306 +#define GR_INITF_ACL_MSG "init_variables() failed %s by "
46307 +#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
46308 +#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
46309 +#define GR_SHUTS_ACL_MSG "shutdown auth success for "
46310 +#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
46311 +#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
46312 +#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
46313 +#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
46314 +#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
46315 +#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
46316 +#define GR_ENABLEF_ACL_MSG "unable to load %s for "
46317 +#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
46318 +#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
46319 +#define GR_RELOADF_ACL_MSG "failed reload of %s for "
46320 +#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
46321 +#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
46322 +#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
46323 +#define GR_SPROLEF_ACL_MSG "special role %s failure for "
46324 +#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
46325 +#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
46326 +#define GR_INVMODE_ACL_MSG "invalid mode %d by "
46327 +#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
46328 +#define GR_FAILFORK_MSG "failed fork with errno %s by "
46329 +#define GR_NICE_CHROOT_MSG "denied priority change by "
46330 +#define GR_UNISIGLOG_MSG "%.32s occurred at %p in "
46331 +#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
46332 +#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
46333 +#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
46334 +#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
46335 +#define GR_TIME_MSG "time set by "
46336 +#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
46337 +#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
46338 +#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
46339 +#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
46340 +#define GR_SOCK_NOINET_MSG "denied socket(%.16s,%.16s,%d) by "
46341 +#define GR_BIND_MSG "denied bind() by "
46342 +#define GR_CONNECT_MSG "denied connect() by "
46343 +#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "
46344 +#define GR_CONNECT_ACL_MSG "denied connect() to %pI4 port %u sock type %.16s protocol %.16s by "
46345 +#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
46346 +#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
46347 +#define GR_CAP_ACL_MSG "use of %s denied for "
46348 +#define GR_CAP_ACL_MSG2 "use of %s permitted for "
46349 +#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
46350 +#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
46351 +#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
46352 +#define GR_UNMOUNT_AUDIT_MSG "unmount of %.256s by "
46353 +#define GR_MOUNT_AUDIT_MSG "mount of %.256s to %.256s by "
46354 +#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
46355 +#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
46356 +#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
46357 +#define GR_RWXMMAP_MSG "denied RWX mmap of %.950s by "
46358 +#define GR_RWXMPROTECT_MSG "denied RWX mprotect of %.950s by "
46359 +#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
46360 +#define GR_NONROOT_MODLOAD_MSG "denied kernel module auto-load of %.64s by "
46361 +#define GR_VM86_MSG "denied use of vm86 by "
46362 +#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
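Review bot: `GR_DEV_ACL_MSG` reads "being fed garbaged by", which should be `"/dev/grsec: %d bytes sent %d required, being fed garbage by "`; since these literals end up verbatim in the system log, the wording matters for anyone grepping or alerting on them. `GR_UNISIGLOG_MSG` prints the faulting address with a raw `%p`; if that address can ever be a kernel-space pointer, the log line discloses kernel layout to whoever can read the log, so a comment stating that only the user-space fault address is passed (or masking it when it is not) would be appropriate. The remaining strings are consistent in their `%.Ns` bounding, which is good.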
46363 diff -urNp linux-2.6.37/include/linux/grsecurity.h linux-2.6.37/include/linux/grsecurity.h
46364 --- linux-2.6.37/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
46365 +++ linux-2.6.37/include/linux/grsecurity.h 2011-01-17 02:41:02.000000000 -0500
46366 @@ -0,0 +1,214 @@
46367 +#ifndef GR_SECURITY_H
46368 +#define GR_SECURITY_H
46369 +#include <linux/fs.h>
46370 +#include <linux/fs_struct.h>
46371 +#include <linux/binfmts.h>
46372 +#include <linux/gracl.h>
46373 +#include <linux/compat.h>
46374 +
46375 +/* notify of brain-dead configs */
46376 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
46377 +#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
46378 +#endif
46379 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
46380 +#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
46381 +#endif
46382 +#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
46383 +#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
46384 +#endif
46385 +#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
46386 +#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
46387 +#endif
46388 +#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
46389 +#error "CONFIG_PAX enabled, but no PaX options are enabled."
46390 +#endif
46391 +
46392 +void gr_handle_brute_attach(struct task_struct *p);
46393 +void gr_handle_brute_check(void);
46394 +
46395 +char gr_roletype_to_char(void);
46396 +
46397 +int gr_acl_enable_at_secure(void);
46398 +
46399 +int gr_check_user_change(int real, int effective, int fs);
46400 +int gr_check_group_change(int real, int effective, int fs);
46401 +
46402 +void gr_del_task_from_ip_table(struct task_struct *p);
46403 +
46404 +int gr_pid_is_chrooted(struct task_struct *p);
46405 +int gr_handle_chroot_fowner(struct pid *pid, enum pid_type type);
46406 +int gr_handle_chroot_nice(void);
46407 +int gr_handle_chroot_sysctl(const int op);
46408 +int gr_handle_chroot_setpriority(struct task_struct *p,
46409 + const int niceval);
46410 +int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
46411 +int gr_handle_chroot_chroot(const struct dentry *dentry,
46412 + const struct vfsmount *mnt);
46413 +int gr_handle_chroot_caps(struct path *path);
46414 +void gr_handle_chroot_chdir(struct path *path);
46415 +int gr_handle_chroot_chmod(const struct dentry *dentry,
46416 + const struct vfsmount *mnt, const int mode);
46417 +int gr_handle_chroot_mknod(const struct dentry *dentry,
46418 + const struct vfsmount *mnt, const int mode);
46419 +int gr_handle_chroot_mount(const struct dentry *dentry,
46420 + const struct vfsmount *mnt,
46421 + const char *dev_name);
46422 +int gr_handle_chroot_pivot(void);
46423 +int gr_handle_chroot_unix(struct pid *pid);
46424 +
46425 +int gr_handle_rawio(const struct inode *inode);
46426 +int gr_handle_nproc(void);
46427 +
46428 +void gr_handle_ioperm(void);
46429 +void gr_handle_iopl(void);
46430 +
46431 +int gr_tpe_allow(const struct file *file);
46432 +
46433 +void gr_set_chroot_entries(struct task_struct *task, struct path *path);
46434 +void gr_clear_chroot_entries(struct task_struct *task);
46435 +
46436 +void gr_log_forkfail(const int retval);
46437 +void gr_log_timechange(void);
46438 +void gr_log_signal(const int sig, const void *addr, const struct task_struct *t);
46439 +void gr_log_chdir(const struct dentry *dentry,
46440 + const struct vfsmount *mnt);
46441 +void gr_log_chroot_exec(const struct dentry *dentry,
46442 + const struct vfsmount *mnt);
46443 +void gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv);
46444 +#ifdef CONFIG_COMPAT
46445 +void gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv);
46446 +#endif
46447 +void gr_log_remount(const char *devname, const int retval);
46448 +void gr_log_unmount(const char *devname, const int retval);
46449 +void gr_log_mount(const char *from, const char *to, const int retval);
46450 +void gr_log_textrel(struct vm_area_struct *vma);
46451 +void gr_log_rwxmmap(struct file *file);
46452 +void gr_log_rwxmprotect(struct file *file);
46453 +
46454 +int gr_handle_follow_link(const struct inode *parent,
46455 + const struct inode *inode,
46456 + const struct dentry *dentry,
46457 + const struct vfsmount *mnt);
46458 +int gr_handle_fifo(const struct dentry *dentry,
46459 + const struct vfsmount *mnt,
46460 + const struct dentry *dir, const int flag,
46461 + const int acc_mode);
46462 +int gr_handle_hardlink(const struct dentry *dentry,
46463 + const struct vfsmount *mnt,
46464 + struct inode *inode,
46465 + const int mode, const char *to);
46466 +
46467 +int gr_is_capable(const int cap);
46468 +int gr_is_capable_nolog(const int cap);
46469 +void gr_learn_resource(const struct task_struct *task, const int limit,
46470 + const unsigned long wanted, const int gt);
46471 +void gr_copy_label(struct task_struct *tsk);
46472 +void gr_handle_crash(struct task_struct *task, const int sig);
46473 +int gr_handle_signal(const struct task_struct *p, const int sig);
46474 +int gr_check_crash_uid(const uid_t uid);
46475 +int gr_check_protected_task(const struct task_struct *task);
46476 +int gr_check_protected_task_fowner(struct pid *pid, enum pid_type type);
46477 +int gr_acl_handle_mmap(const struct file *file,
46478 + const unsigned long prot);
46479 +int gr_acl_handle_mprotect(const struct file *file,
46480 + const unsigned long prot);
46481 +int gr_check_hidden_task(const struct task_struct *tsk);
46482 +__u32 gr_acl_handle_truncate(const struct dentry *dentry,
46483 + const struct vfsmount *mnt);
46484 +__u32 gr_acl_handle_utime(const struct dentry *dentry,
46485 + const struct vfsmount *mnt);
46486 +__u32 gr_acl_handle_access(const struct dentry *dentry,
46487 + const struct vfsmount *mnt, const int fmode);
46488 +__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
46489 + const struct vfsmount *mnt, mode_t mode);
46490 +__u32 gr_acl_handle_chmod(const struct dentry *dentry,
46491 + const struct vfsmount *mnt, mode_t mode);
46492 +__u32 gr_acl_handle_chown(const struct dentry *dentry,
46493 + const struct vfsmount *mnt);
46494 +__u32 gr_acl_handle_setxattr(const struct dentry *dentry,
46495 + const struct vfsmount *mnt);
46496 +int gr_handle_ptrace(struct task_struct *task, const long request);
46497 +int gr_handle_proc_ptrace(struct task_struct *task);
46498 +__u32 gr_acl_handle_execve(const struct dentry *dentry,
46499 + const struct vfsmount *mnt);
46500 +int gr_check_crash_exec(const struct file *filp);
46501 +int gr_acl_is_enabled(void);
46502 +void gr_set_kernel_label(struct task_struct *task);
46503 +void gr_set_role_label(struct task_struct *task, const uid_t uid,
46504 + const gid_t gid);
46505 +int gr_set_proc_label(const struct dentry *dentry,
46506 + const struct vfsmount *mnt,
46507 + const int unsafe_share);
46508 +__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
46509 + const struct vfsmount *mnt);
46510 +__u32 gr_acl_handle_open(const struct dentry *dentry,
46511 + const struct vfsmount *mnt, const int fmode);
46512 +__u32 gr_acl_handle_creat(const struct dentry *dentry,
46513 + const struct dentry *p_dentry,
46514 + const struct vfsmount *p_mnt, const int fmode,
46515 + const int imode);
46516 +void gr_handle_create(const struct dentry *dentry,
46517 + const struct vfsmount *mnt);
46518 +__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
46519 + const struct dentry *parent_dentry,
46520 + const struct vfsmount *parent_mnt,
46521 + const int mode);
46522 +__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
46523 + const struct dentry *parent_dentry,
46524 + const struct vfsmount *parent_mnt);
46525 +__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
46526 + const struct vfsmount *mnt);
46527 +void gr_handle_delete(const ino_t ino, const dev_t dev);
46528 +__u32 gr_acl_handle_unlink(const struct dentry *dentry,
46529 + const struct vfsmount *mnt);
46530 +__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
46531 + const struct dentry *parent_dentry,
46532 + const struct vfsmount *parent_mnt,
46533 + const char *from);
46534 +__u32 gr_acl_handle_link(const struct dentry *new_dentry,
46535 + const struct dentry *parent_dentry,
46536 + const struct vfsmount *parent_mnt,
46537 + const struct dentry *old_dentry,
46538 + const struct vfsmount *old_mnt, const char *to);
46539 +int gr_acl_handle_rename(struct dentry *new_dentry,
46540 + struct dentry *parent_dentry,
46541 + const struct vfsmount *parent_mnt,
46542 + struct dentry *old_dentry,
46543 + struct inode *old_parent_inode,
46544 + struct vfsmount *old_mnt, const char *newname);
46545 +void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
46546 + struct dentry *old_dentry,
46547 + struct dentry *new_dentry,
46548 + struct vfsmount *mnt, const __u8 replace);
46549 +__u32 gr_check_link(const struct dentry *new_dentry,
46550 + const struct dentry *parent_dentry,
46551 + const struct vfsmount *parent_mnt,
46552 + const struct dentry *old_dentry,
46553 + const struct vfsmount *old_mnt);
46554 +int gr_acl_handle_filldir(const struct file *file, const char *name,
46555 + const unsigned int namelen, const ino_t ino);
46556 +
46557 +__u32 gr_acl_handle_unix(const struct dentry *dentry,
46558 + const struct vfsmount *mnt);
46559 +void gr_acl_handle_exit(void);
46560 +void gr_acl_handle_psacct(struct task_struct *task, const long code);
46561 +int gr_acl_handle_procpidmem(const struct task_struct *task);
46562 +int gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags);
46563 +int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
46564 +void gr_audit_ptrace(struct task_struct *task);
46565 +
46566 +#ifdef CONFIG_GRKERNSEC
46567 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p);
46568 +void gr_log_nonroot_mod_load(const char *modname);
46569 +void gr_handle_vm86(void);
46570 +void gr_handle_mem_write(void);
46571 +void gr_handle_kmem_write(void);
46572 +void gr_handle_open_port(void);
46573 +int gr_handle_mem_mmap(const unsigned long offset,
46574 + struct vm_area_struct *vma);
46575 +
46576 +extern int grsec_enable_dmesg;
46577 +extern int grsec_disable_privio;
46578 +#endif
46579 +
46580 +#endif
46581 diff -urNp linux-2.6.37/include/linux/grsock.h linux-2.6.37/include/linux/grsock.h
46582 --- linux-2.6.37/include/linux/grsock.h 1969-12-31 19:00:00.000000000 -0500
46583 +++ linux-2.6.37/include/linux/grsock.h 2011-01-17 02:41:02.000000000 -0500
46584 @@ -0,0 +1,19 @@
46585 +#ifndef __GRSOCK_H
46586 +#define __GRSOCK_H
46587 +
46588 +extern void gr_attach_curr_ip(const struct sock *sk);
46589 +extern int gr_handle_sock_all(const int family, const int type,
46590 + const int protocol);
46591 +extern int gr_handle_sock_server(const struct sockaddr *sck);
46592 +extern int gr_handle_sock_server_other(const struct sock *sck);
46593 +extern int gr_handle_sock_client(const struct sockaddr *sck);
46594 +extern int gr_search_connect(struct socket * sock,
46595 + struct sockaddr_in * addr);
46596 +extern int gr_search_bind(struct socket * sock,
46597 + struct sockaddr_in * addr);
46598 +extern int gr_search_listen(struct socket * sock);
46599 +extern int gr_search_accept(struct socket * sock);
46600 +extern int gr_search_socket(const int domain, const int type,
46601 + const int protocol);
46602 +
46603 +#endif
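Review bot: The prototypes in grsock.h name `struct sock`, `struct sockaddr`, `struct socket` and `struct sockaddr_in` without any forward declaration or include, so wherever this header is included before those tags are in scope the compiler warns that the struct is declared inside the parameter list and gives the tag prototype scope, which means the declaration does not describe the same type as the definition. Add `struct sock; struct sockaddr; struct socket; struct sockaddr_in;` directly after the include guard, or include the headers that define them. As a point of style, `struct socket * sock` and `struct sockaddr_in * addr` bind the `*` to the type; kernel style is `struct socket *sock`, and the `extern` on function prototypes is redundant (the grsecurity.h declarations just above omit it).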
46604 diff -urNp linux-2.6.37/include/linux/highmem.h linux-2.6.37/include/linux/highmem.h
46605 --- linux-2.6.37/include/linux/highmem.h 2011-01-04 19:50:19.000000000 -0500
46606 +++ linux-2.6.37/include/linux/highmem.h 2011-01-17 02:41:02.000000000 -0500
46607 @@ -182,6 +182,18 @@ static inline void clear_highpage(struct
46608 kunmap_atomic(kaddr, KM_USER0);
46609 }
46610
46611 +static inline void sanitize_highpage(struct page *page)
46612 +{
46613 + void *kaddr;
46614 + unsigned long flags;
46615 +
46616 + local_irq_save(flags);
46617 + kaddr = kmap_atomic(page, KM_CLEARPAGE);
46618 + clear_page(kaddr);
46619 + kunmap_atomic(kaddr, KM_CLEARPAGE);
46620 + local_irq_restore(flags);
46621 +}
46622 +
46623 static inline void zero_user_segments(struct page *page,
46624 unsigned start1, unsigned end1,
46625 unsigned start2, unsigned end2)
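Review bot: `sanitize_highpage` has no comment saying what it is for or why it wraps the map/clear/unmap in `local_irq_save`/`local_irq_restore`, while the neighbouring `clear_highpage` does the same kmap/clear/kunmap without touching interrupts; a reader cannot tell whether the irq-off section is essential or incidental. Presumably it exists because the function runs on a path where an interrupt on the same CPU could otherwise reuse the `KM_CLEARPAGE` slot — that should be confirmed and stated, e.g. `/* Zero a page with interrupts off: the KM_CLEARPAGE slot is private to this CPU and must not be re-entered from irq context (confirm) */`. If the irq-off section is not needed, the plain `clear_highpage` form would be the simpler choice.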
46626 diff -urNp linux-2.6.37/include/linux/init.h linux-2.6.37/include/linux/init.h
46627 --- linux-2.6.37/include/linux/init.h 2011-01-04 19:50:19.000000000 -0500
46628 +++ linux-2.6.37/include/linux/init.h 2011-01-17 02:41:02.000000000 -0500
46629 @@ -293,13 +293,13 @@ void __init parse_early_options(char *cm
46630
46631 /* Each module must use one module_init(). */
46632 #define module_init(initfn) \
46633 - static inline initcall_t __inittest(void) \
46634 + static inline __used initcall_t __inittest(void) \
46635 { return initfn; } \
46636 int init_module(void) __attribute__((alias(#initfn)));
46637
46638 /* This is only required if you want to be unloadable. */
46639 #define module_exit(exitfn) \
46640 - static inline exitcall_t __exittest(void) \
46641 + static inline __used exitcall_t __exittest(void) \
46642 { return exitfn; } \
46643 void cleanup_module(void) __attribute__((alias(#exitfn)));
46644
46645 diff -urNp linux-2.6.37/include/linux/interrupt.h linux-2.6.37/include/linux/interrupt.h
46646 --- linux-2.6.37/include/linux/interrupt.h 2011-01-04 19:50:19.000000000 -0500
46647 +++ linux-2.6.37/include/linux/interrupt.h 2011-01-17 02:41:02.000000000 -0500
46648 @@ -393,7 +393,7 @@ enum
46649 /* map softirq index to softirq name. update 'softirq_to_name' in
46650 * kernel/softirq.c when adding a new softirq.
46651 */
46652 -extern char *softirq_to_name[NR_SOFTIRQS];
46653 +extern const char * const softirq_to_name[NR_SOFTIRQS];
46654
46655 /* softirq mask and active fields moved to irq_cpustat_t in
46656 * asm/hardirq.h to get better cache usage. KAO
46657 @@ -401,12 +401,12 @@ extern char *softirq_to_name[NR_SOFTIRQS
46658
46659 struct softirq_action
46660 {
46661 - void (*action)(struct softirq_action *);
46662 + void (*action)(void);
46663 };
46664
46665 asmlinkage void do_softirq(void);
46666 asmlinkage void __do_softirq(void);
46667 -extern void open_softirq(int nr, void (*action)(struct softirq_action *));
46668 +extern void open_softirq(int nr, void (*action)(void));
46669 extern void softirq_init(void);
46670 static inline void __raise_softirq_irqoff(unsigned int nr)
46671 {
46672 diff -urNp linux-2.6.37/include/linux/jbd2.h linux-2.6.37/include/linux/jbd2.h
46673 --- linux-2.6.37/include/linux/jbd2.h 2011-01-04 19:50:19.000000000 -0500
46674 +++ linux-2.6.37/include/linux/jbd2.h 2011-01-17 02:41:02.000000000 -0500
46675 @@ -67,7 +67,7 @@ extern u8 jbd2_journal_enable_debug;
46676 } \
46677 } while (0)
46678 #else
46679 -#define jbd_debug(f, a...) /**/
46680 +#define jbd_debug(f, a...) do {} while (0)
46681 #endif
46682
46683 extern void *jbd2_alloc(size_t size, gfp_t flags);
46684 diff -urNp linux-2.6.37/include/linux/jbd.h linux-2.6.37/include/linux/jbd.h
46685 --- linux-2.6.37/include/linux/jbd.h 2011-01-04 19:50:19.000000000 -0500
46686 +++ linux-2.6.37/include/linux/jbd.h 2011-01-17 02:41:02.000000000 -0500
46687 @@ -67,7 +67,7 @@ extern u8 journal_enable_debug;
46688 } \
46689 } while (0)
46690 #else
46691 -#define jbd_debug(f, a...) /**/
46692 +#define jbd_debug(f, a...) do {} while (0)
46693 #endif
46694
46695 static inline void *jbd_alloc(size_t size, gfp_t flags)
46696 diff -urNp linux-2.6.37/include/linux/kallsyms.h linux-2.6.37/include/linux/kallsyms.h
46697 --- linux-2.6.37/include/linux/kallsyms.h 2011-01-04 19:50:19.000000000 -0500
46698 +++ linux-2.6.37/include/linux/kallsyms.h 2011-01-17 02:41:02.000000000 -0500
46699 @@ -15,7 +15,8 @@
46700
46701 struct module;
46702
46703 -#ifdef CONFIG_KALLSYMS
46704 +#if !defined(__INCLUDED_BY_HIDESYM) || !defined(CONFIG_KALLSYMS)
46705 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
46706 /* Lookup the address for a symbol. Returns 0 if not found. */
46707 unsigned long kallsyms_lookup_name(const char *name);
46708
46709 @@ -92,6 +93,15 @@ static inline int lookup_symbol_attrs(un
46710 /* Stupid that this does nothing, but I didn't create this mess. */
46711 #define __print_symbol(fmt, addr)
46712 #endif /*CONFIG_KALLSYMS*/
46713 +#else /* when included by kallsyms.c, vsnprintf.c, or
46714 + arch/x86/kernel/dumpstack.c, with HIDESYM enabled */
46715 +extern void __print_symbol(const char *fmt, unsigned long address);
46716 +extern int sprint_symbol(char *buffer, unsigned long address);
46717 +const char *kallsyms_lookup(unsigned long addr,
46718 + unsigned long *symbolsize,
46719 + unsigned long *offset,
46720 + char **modname, char *namebuf);
46721 +#endif
46722
46723 /* This macro allows us to keep printk typechecking */
46724 static void __check_printsym_format(const char *fmt, ...)
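Review bot: The new closing `#endif` at the end of the second hunk carries no comment, and the two conditions it pairs with are opened in the first hunk (`#if !defined(__INCLUDED_BY_HIDESYM) || !defined(CONFIG_KALLSYMS)` and `#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)`), so a reader of the `#else` branch cannot see which one it closes; write it as `#endif /* !__INCLUDED_BY_HIDESYM || !CONFIG_KALLSYMS */`. The existing `#endif /*CONFIG_KALLSYMS*/` now closes the inner, changed condition, so its comment is stale and should read `/* CONFIG_KALLSYMS && !CONFIG_GRKERNSEC_HIDESYM */`. In the `#else` branch the declarations mix `extern` (`__print_symbol`, `sprint_symbol`) with none (`kallsyms_lookup`); pick one style. The nested conditional structure spans both hunks and its opening is outside the second hunk.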
46725 diff -urNp linux-2.6.37/include/linux/kgdb.h linux-2.6.37/include/linux/kgdb.h
46726 --- linux-2.6.37/include/linux/kgdb.h 2011-01-04 19:50:19.000000000 -0500
46727 +++ linux-2.6.37/include/linux/kgdb.h 2011-01-17 02:41:02.000000000 -0500
46728 @@ -269,22 +269,22 @@ struct kgdb_arch {
46729 */
46730 struct kgdb_io {
46731 const char *name;
46732 - int (*read_char) (void);
46733 - void (*write_char) (u8);
46734 - void (*flush) (void);
46735 - int (*init) (void);
46736 - void (*pre_exception) (void);
46737 - void (*post_exception) (void);
46738 + int (* const read_char) (void);
46739 + void (* const write_char) (u8);
46740 + void (* const flush) (void);
46741 + int (* const init) (void);
46742 + void (* const pre_exception) (void);
46743 + void (* const post_exception) (void);
46744 int is_console;
46745 };
46746
46747 -extern struct kgdb_arch arch_kgdb_ops;
46748 +extern const struct kgdb_arch arch_kgdb_ops;
46749
46750 extern unsigned long __weak kgdb_arch_pc(int exception, struct pt_regs *regs);
46751
46752 -extern int kgdb_register_io_module(struct kgdb_io *local_kgdb_io_ops);
46753 -extern void kgdb_unregister_io_module(struct kgdb_io *local_kgdb_io_ops);
46754 -extern struct kgdb_io *dbg_io_ops;
46755 +extern int kgdb_register_io_module(const struct kgdb_io *local_kgdb_io_ops);
46756 +extern void kgdb_unregister_io_module(const struct kgdb_io *local_kgdb_io_ops);
46757 +extern const struct kgdb_io *dbg_io_ops;
46758
46759 extern int kgdb_hex2long(char **ptr, unsigned long *long_val);
46760 extern char *kgdb_mem2hex(char *mem, char *buf, int count);
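Review bot: Every function pointer in `struct kgdb_io` becomes `const`, but the `is_console` member directly after them stays writable, which is inconsistent if the goal is a read-only ops table. Either make it `const int is_console;` as well or add a comment on that line saying why it must remain mutable. Making the members `const` also means a `kgdb_io` can only be fully populated by a static initializer; that appears to be the intent, and it is worth stating in the struct's comment so that a future runtime-filled instance is not attempted.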
46761 diff -urNp linux-2.6.37/include/linux/kvm_host.h linux-2.6.37/include/linux/kvm_host.h
46762 --- linux-2.6.37/include/linux/kvm_host.h 2011-01-04 19:50:19.000000000 -0500
46763 +++ linux-2.6.37/include/linux/kvm_host.h 2011-01-17 02:41:02.000000000 -0500
46764 @@ -246,7 +246,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vc
46765 void vcpu_load(struct kvm_vcpu *vcpu);
46766 void vcpu_put(struct kvm_vcpu *vcpu);
46767
46768 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
46769 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
46770 struct module *module);
46771 void kvm_exit(void);
46772
46773 @@ -375,7 +375,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
46774 struct kvm_guest_debug *dbg);
46775 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
46776
46777 -int kvm_arch_init(void *opaque);
46778 +int kvm_arch_init(const void *opaque);
46779 void kvm_arch_exit(void);
46780
46781 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
46782 diff -urNp linux-2.6.37/include/linux/libata.h linux-2.6.37/include/linux/libata.h
46783 --- linux-2.6.37/include/linux/libata.h 2011-01-04 19:50:19.000000000 -0500
46784 +++ linux-2.6.37/include/linux/libata.h 2011-01-17 02:41:02.000000000 -0500
46785 @@ -65,11 +65,11 @@
46786 #ifdef ATA_VERBOSE_DEBUG
46787 #define VPRINTK(fmt, args...) printk(KERN_ERR "%s: " fmt, __func__, ## args)
46788 #else
46789 -#define VPRINTK(fmt, args...)
46790 +#define VPRINTK(fmt, args...) do {} while (0)
46791 #endif /* ATA_VERBOSE_DEBUG */
46792 #else
46793 -#define DPRINTK(fmt, args...)
46794 -#define VPRINTK(fmt, args...)
46795 +#define DPRINTK(fmt, args...) do {} while (0)
46796 +#define VPRINTK(fmt, args...) do {} while (0)
46797 #endif /* ATA_DEBUG */
46798
46799 #define BPRINTK(fmt, args...) if (ap->flags & ATA_FLAG_DEBUGMSG) printk(KERN_ERR "%s: " fmt, __func__, ## args)
46800 @@ -530,11 +530,11 @@ struct ata_ioports {
46801
46802 struct ata_host {
46803 spinlock_t lock;
46804 - struct device *dev;
46805 + struct device *dev;
46806 void __iomem * const *iomap;
46807 unsigned int n_ports;
46808 void *private_data;
46809 - struct ata_port_operations *ops;
46810 + const struct ata_port_operations *ops;
46811 unsigned long flags;
46812
46813 struct mutex eh_mutex;
46814 @@ -725,7 +725,7 @@ struct ata_link {
46815
46816 struct ata_port {
46817 struct Scsi_Host *scsi_host; /* our co-allocated scsi host */
46818 - struct ata_port_operations *ops;
46819 + const struct ata_port_operations *ops;
46820 spinlock_t *lock;
46821 /* Flags owned by the EH context. Only EH should touch these once the
46822 port is active */
46823 @@ -913,7 +913,7 @@ struct ata_port_info {
46824 unsigned long pio_mask;
46825 unsigned long mwdma_mask;
46826 unsigned long udma_mask;
46827 - struct ata_port_operations *port_ops;
46828 + const struct ata_port_operations *port_ops;
46829 void *private_data;
46830 };
46831
46832 @@ -937,7 +937,7 @@ extern const unsigned long sata_deb_timi
46833 extern const unsigned long sata_deb_timing_hotplug[];
46834 extern const unsigned long sata_deb_timing_long[];
46835
46836 -extern struct ata_port_operations ata_dummy_port_ops;
46837 +extern const struct ata_port_operations ata_dummy_port_ops;
46838 extern const struct ata_port_info ata_dummy_port_info;
46839
46840 static inline const unsigned long *
46841 @@ -983,7 +983,7 @@ extern int ata_host_activate(struct ata_
46842 struct scsi_host_template *sht);
46843 extern void ata_host_detach(struct ata_host *host);
46844 extern void ata_host_init(struct ata_host *, struct device *,
46845 - unsigned long, struct ata_port_operations *);
46846 + unsigned long, const struct ata_port_operations *);
46847 extern int ata_scsi_detect(struct scsi_host_template *sht);
46848 extern int ata_scsi_ioctl(struct scsi_device *dev, int cmd, void __user *arg);
46849 extern int ata_scsi_queuecmd(struct Scsi_Host *h, struct scsi_cmnd *cmd);
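Review bot: In the `struct ata_host` hunk the removed and added `struct device *dev;` lines appear to differ only in whitespace, so the patch carries a no-op line change next to the real `const struct ata_port_operations *ops;` edit. Dropping it keeps the constification hunk minimal and avoids a spurious conflict on rebase. The remaining hunks (`ata_port`, `ata_port_info`, `ata_dummy_port_ops`, `ata_host_init`) are consistent with each other and need nothing further.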
46850 diff -urNp linux-2.6.37/include/linux/lockd/bind.h linux-2.6.37/include/linux/lockd/bind.h
46851 --- linux-2.6.37/include/linux/lockd/bind.h 2011-01-04 19:50:19.000000000 -0500
46852 +++ linux-2.6.37/include/linux/lockd/bind.h 2011-01-17 02:41:02.000000000 -0500
46853 @@ -23,13 +23,13 @@ struct svc_rqst;
46854 * This is the set of functions for lockd->nfsd communication
46855 */
46856 struct nlmsvc_binding {
46857 - __be32 (*fopen)(struct svc_rqst *,
46858 + __be32 (* const fopen)(struct svc_rqst *,
46859 struct nfs_fh *,
46860 struct file **);
46861 - void (*fclose)(struct file *);
46862 + void (* const fclose)(struct file *);
46863 };
46864
46865 -extern struct nlmsvc_binding * nlmsvc_ops;
46866 +extern const struct nlmsvc_binding * nlmsvc_ops;
46867
46868 /*
46869 * Similar to nfs_client_initdata, but without the NFS-specific
46870 diff -urNp linux-2.6.37/include/linux/mm.h linux-2.6.37/include/linux/mm.h
46871 --- linux-2.6.37/include/linux/mm.h 2011-01-04 19:50:19.000000000 -0500
46872 +++ linux-2.6.37/include/linux/mm.h 2011-01-17 02:41:02.000000000 -0500
46873 @@ -107,7 +107,14 @@ extern unsigned int kobjsize(const void
46874
46875 #define VM_CAN_NONLINEAR 0x08000000 /* Has ->fault & does nonlinear pages */
46876 #define VM_MIXEDMAP 0x10000000 /* Can contain "struct page" and pure PFN pages */
46877 +
46878 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
46879 +#define VM_SAO 0x00000000 /* Strong Access Ordering (powerpc) */
46880 +#define VM_PAGEEXEC 0x20000000 /* vma->vm_page_prot needs special handling */
46881 +#else
46882 #define VM_SAO 0x20000000 /* Strong Access Ordering (powerpc) */
46883 +#endif
46884 +
46885 #define VM_PFN_AT_MMAP 0x40000000 /* PFNMAP vma that is fully mapped at mmap time */
46886 #define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */
46887
46888 @@ -875,12 +882,6 @@ int set_page_dirty(struct page *page);
46889 int set_page_dirty_lock(struct page *page);
46890 int clear_page_dirty_for_io(struct page *page);
46891
46892 -/* Is the vma a continuation of the stack vma above it? */
46893 -static inline int vma_stack_continue(struct vm_area_struct *vma, unsigned long addr)
46894 -{
46895 - return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN);
46896 -}
46897 -
46898 extern unsigned long move_page_tables(struct vm_area_struct *vma,
46899 unsigned long old_addr, struct vm_area_struct *new_vma,
46900 unsigned long new_addr, unsigned long len);
46901 @@ -1032,6 +1033,15 @@ struct shrinker {
46902 extern void register_shrinker(struct shrinker *);
46903 extern void unregister_shrinker(struct shrinker *);
46904
46905 +#ifdef CONFIG_MMU
46906 +pgprot_t vm_get_page_prot(unsigned long vm_flags);
46907 +#else
46908 +static inline pgprot_t vm_get_page_prot(unsigned long vm_flags)
46909 +{
46910 + return __pgprot(0);
46911 +}
46912 +#endif
46913 +
46914 int vma_wants_writenotify(struct vm_area_struct *vma);
46915
46916 extern pte_t *__get_locked_pte(struct mm_struct *mm, unsigned long addr,
46917 @@ -1318,6 +1328,7 @@ out:
46918 }
46919
46920 extern int do_munmap(struct mm_struct *, unsigned long, size_t);
46921 +extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
46922
46923 extern unsigned long do_brk(unsigned long, unsigned long);
46924
46925 @@ -1374,6 +1385,10 @@ extern struct vm_area_struct * find_vma(
46926 extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
46927 struct vm_area_struct **pprev);
46928
46929 +extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
46930 +extern __must_check long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
46931 +extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
46932 +
46933 /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
46934 NULL if none. Assume start_addr < end_addr. */
46935 static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
46936 @@ -1390,15 +1405,6 @@ static inline unsigned long vma_pages(st
46937 return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
46938 }
46939
46940 -#ifdef CONFIG_MMU
46941 -pgprot_t vm_get_page_prot(unsigned long vm_flags);
46942 -#else
46943 -static inline pgprot_t vm_get_page_prot(unsigned long vm_flags)
46944 -{
46945 - return __pgprot(0);
46946 -}
46947 -#endif
46948 -
46949 struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
46950 int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
46951 unsigned long pfn, unsigned long size, pgprot_t);
46952 @@ -1505,7 +1511,7 @@ extern int unpoison_memory(unsigned long
46953 extern int sysctl_memory_failure_early_kill;
46954 extern int sysctl_memory_failure_recovery;
46955 extern void shake_page(struct page *p, int access);
46956 -extern atomic_long_t mce_bad_pages;
46957 +extern atomic_long_unchecked_t mce_bad_pages;
46958 extern int soft_offline_page(struct page *page, int flags);
46959 #ifdef CONFIG_MEMORY_FAILURE
46960 int is_hwpoison_address(unsigned long addr);
46961 @@ -1518,5 +1524,11 @@ static inline int is_hwpoison_address(un
46962
46963 extern void dump_page(struct page *page);
46964
46965 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
46966 +extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
46967 +#else
46968 +static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
46969 +#endif
46970 +
46971 #endif /* __KERNEL__ */
46972 #endif /* _LINUX_MM_H */
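Review bot: Under `CONFIG_PAX_PAGEEXEC && CONFIG_X86_32`, `VM_SAO` is redefined as `0x00000000` so that its bit can be handed to `VM_PAGEEXEC`, which makes every `vm_flags & VM_SAO` test false and every set of it a no-op; that is only safe because SAO is a powerpc-only flag, but the comment copied from the real definition does not say so. Suggest `#define VM_SAO 0x00000000 /* powerpc-only; bit reused for VM_PAGEEXEC on x86-32 */` so nobody later "fixes" the zero. The `vm_get_page_prot` declarations are moved earlier in the file in two hunks with no functional change; the empty `track_exec_limit` stub at the end is fine as written. The `pax_mirror_vma` and `pax_mirror_file_pte` prototypes would benefit from a one-line comment each on what a "mirror" vma is, since nothing in this header explains it.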
46973 diff -urNp linux-2.6.37/include/linux/mm_types.h linux-2.6.37/include/linux/mm_types.h
46974 --- linux-2.6.37/include/linux/mm_types.h 2011-01-04 19:50:19.000000000 -0500
46975 +++ linux-2.6.37/include/linux/mm_types.h 2011-01-17 02:41:02.000000000 -0500
46976 @@ -183,6 +183,8 @@ struct vm_area_struct {
46977 #ifdef CONFIG_NUMA
46978 struct mempolicy *vm_policy; /* NUMA policy for the VMA */
46979 #endif
46980 +
46981 + struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
46982 };
46983
46984 struct core_thread {
46985 @@ -312,6 +314,24 @@ struct mm_struct {
46986 #endif
46987 /* How many tasks sharing this mm are OOM_DISABLE */
46988 atomic_t oom_disable_count;
46989 +
46990 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
46991 + unsigned long pax_flags;
46992 +#endif
46993 +
46994 +#ifdef CONFIG_PAX_DLRESOLVE
46995 + unsigned long call_dl_resolve;
46996 +#endif
46997 +
46998 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
46999 + unsigned long call_syscall;
47000 +#endif
47001 +
47002 +#ifdef CONFIG_PAX_ASLR
47003 + unsigned long delta_mmap; /* randomized offset */
47004 + unsigned long delta_stack; /* randomized offset */
47005 +#endif
47006 +
47007 };
47008
47009 /* Future-safe accessor for struct mm_struct's cpu_vm_mask. */
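Review bot: The new `vm_mirror` member line has no space between the `;` and the trailing comment (`*vm_mirror;/* PaX: ... */`), and the `mm_struct` additions leave an empty line before the closing `};` — both are style nits worth fixing while the hunk is fresh. `pax_flags` has no comment at all; add one saying what it holds (presumably the per-mm PaX feature bits — confirm), and the two "randomized offset" comments on `delta_mmap` and `delta_stack` would be clearer as `/* ASLR offset applied to mmap base */` and `/* ASLR offset applied to the stack */`, if that is indeed what they are.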
47010 diff -urNp linux-2.6.37/include/linux/mmu_notifier.h linux-2.6.37/include/linux/mmu_notifier.h
47011 --- linux-2.6.37/include/linux/mmu_notifier.h 2011-01-04 19:50:19.000000000 -0500
47012 +++ linux-2.6.37/include/linux/mmu_notifier.h 2011-01-17 02:41:02.000000000 -0500
47013 @@ -235,12 +235,12 @@ static inline void mmu_notifier_mm_destr
47014 */
47015 #define ptep_clear_flush_notify(__vma, __address, __ptep) \
47016 ({ \
47017 - pte_t __pte; \
47018 + pte_t ___pte; \
47019 struct vm_area_struct *___vma = __vma; \
47020 unsigned long ___address = __address; \
47021 - __pte = ptep_clear_flush(___vma, ___address, __ptep); \
47022 + ___pte = ptep_clear_flush(___vma, ___address, __ptep); \
47023 mmu_notifier_invalidate_page(___vma->vm_mm, ___address); \
47024 - __pte; \
47025 + ___pte; \
47026 })
47027
47028 #define ptep_clear_flush_young_notify(__vma, __address, __ptep) \
47029 diff -urNp linux-2.6.37/include/linux/mmzone.h linux-2.6.37/include/linux/mmzone.h
47030 --- linux-2.6.37/include/linux/mmzone.h 2011-01-04 19:50:19.000000000 -0500
47031 +++ linux-2.6.37/include/linux/mmzone.h 2011-01-17 02:41:02.000000000 -0500
47032 @@ -354,7 +354,7 @@ struct zone {
47033 unsigned long flags; /* zone flags, see below */
47034
47035 /* Zone statistics */
47036 - atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
47037 + atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
47038
47039 /*
47040 * The target ratio of ACTIVE_ANON to INACTIVE_ANON pages on
47041 diff -urNp linux-2.6.37/include/linux/mod_devicetable.h linux-2.6.37/include/linux/mod_devicetable.h
47042 --- linux-2.6.37/include/linux/mod_devicetable.h 2011-01-04 19:50:19.000000000 -0500
47043 +++ linux-2.6.37/include/linux/mod_devicetable.h 2011-01-17 02:41:02.000000000 -0500
47044 @@ -12,7 +12,7 @@
47045 typedef unsigned long kernel_ulong_t;
47046 #endif
47047
47048 -#define PCI_ANY_ID (~0)
47049 +#define PCI_ANY_ID ((__u16)~0)
47050
47051 struct pci_device_id {
47052 __u32 vendor, device; /* Vendor and device ID or PCI_ANY_ID*/
47053 @@ -131,7 +131,7 @@ struct usb_device_id {
47054 #define USB_DEVICE_ID_MATCH_INT_SUBCLASS 0x0100
47055 #define USB_DEVICE_ID_MATCH_INT_PROTOCOL 0x0200
47056
47057 -#define HID_ANY_ID (~0)
47058 +#define HID_ANY_ID (~0U)
47059
47060 struct hid_device_id {
47061 __u16 bus;
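Review bot: `PCI_ANY_ID` is narrowed to `((__u16)~0)`, i.e. 0xFFFF, while the `vendor` and `device` fields it is stored in and compared against are `__u32` (visible in the `struct pci_device_id` context); any code that stores the sentinel as `~0`/`(__u32)-1` or compares a field against 0xFFFFFFFF will stop matching, and user-space consumers of module device tables (modpost alias generation and similar tools) need the same definition or their output changes. The new value is the correct 16-bit PCI ID sentinel, but that should be stated: `#define PCI_ANY_ID ((__u16)~0) /* 0xFFFF: PCI IDs are 16-bit; must match what drivers store in the __u32 fields */`. The `HID_ANY_ID` change to `(~0U)` keeps its full width and is fine.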
47062 diff -urNp linux-2.6.37/include/linux/module.h linux-2.6.37/include/linux/module.h
47063 --- linux-2.6.37/include/linux/module.h 2011-01-04 19:50:19.000000000 -0500
47064 +++ linux-2.6.37/include/linux/module.h 2011-01-17 02:41:02.000000000 -0500
47065 @@ -297,16 +297,16 @@ struct module
47066 int (*init)(void);
47067
47068 /* If this is non-NULL, vfree after init() returns */
47069 - void *module_init;
47070 + void *module_init_rx, *module_init_rw;
47071
47072 /* Here is the actual code + data, vfree'd on unload. */
47073 - void *module_core;
47074 + void *module_core_rx, *module_core_rw;
47075
47076 /* Here are the sizes of the init and core sections */
47077 - unsigned int init_size, core_size;
47078 + unsigned int init_size_rw, core_size_rw;
47079
47080 /* The size of the executable code in each section. */
47081 - unsigned int init_text_size, core_text_size;
47082 + unsigned int init_size_rx, core_size_rx;
47083
47084 /* Arch-specific module values */
47085 struct mod_arch_specific arch;
47086 @@ -411,16 +411,46 @@ bool is_module_address(unsigned long add
47087 bool is_module_percpu_address(unsigned long addr);
47088 bool is_module_text_address(unsigned long addr);
47089
47090 +static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
47091 +{
47092 +
47093 +#ifdef CONFIG_PAX_KERNEXEC
47094 + if (ktla_ktva(addr) >= (unsigned long)start &&
47095 + ktla_ktva(addr) < (unsigned long)start + size)
47096 + return 1;
47097 +#endif
47098 +
47099 + return ((void *)addr >= start && (void *)addr < start + size);
47100 +}
47101 +
47102 +static inline int within_module_core_rx(unsigned long addr, struct module *mod)
47103 +{
47104 + return within_module_range(addr, mod->module_core_rx, mod->core_size_rx);
47105 +}
47106 +
47107 +static inline int within_module_core_rw(unsigned long addr, struct module *mod)
47108 +{
47109 + return within_module_range(addr, mod->module_core_rw, mod->core_size_rw);
47110 +}
47111 +
47112 +static inline int within_module_init_rx(unsigned long addr, struct module *mod)
47113 +{
47114 + return within_module_range(addr, mod->module_init_rx, mod->init_size_rx);
47115 +}
47116 +
47117 +static inline int within_module_init_rw(unsigned long addr, struct module *mod)
47118 +{
47119 + return within_module_range(addr, mod->module_init_rw, mod->init_size_rw);
47120 +}
47121 +
47122 static inline int within_module_core(unsigned long addr, struct module *mod)
47123 {
47124 - return (unsigned long)mod->module_core <= addr &&
47125 - addr < (unsigned long)mod->module_core + mod->core_size;
47126 + return within_module_core_rx(addr, mod) || within_module_core_rw(addr, mod);
47127 }
47128
47129 static inline int within_module_init(unsigned long addr, struct module *mod)
47130 {
47131 - return (unsigned long)mod->module_init <= addr &&
47132 - addr < (unsigned long)mod->module_init + mod->init_size;
47133 + return within_module_init_rx(addr, mod) || within_module_init_rw(addr, mod);
47134 }
47135
47136 /* Search for module by name: must hold module_mutex. */
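Review bot: `within_module_range` takes `void *start` though it only compares it, and the fall-through check does arithmetic on `void *` (`start + size`) whereas the code it replaces worked in `unsigned long`; suggest `const void *start` and `unsigned long s = (unsigned long)start; return addr >= s && addr < s + size;`. The `CONFIG_PAX_KERNEXEC` branch has no comment explaining why a second address (`ktla_ktva(addr)`) is tested — presumably because KERNEXEC maps module text at two linear addresses, which should be confirmed and written down. There is also a stray blank line directly after the opening brace. The four `within_module_*_rx/_rw` wrappers and the rewritten `within_module_core`/`within_module_init` are fine as written.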
47137 diff -urNp linux-2.6.37/include/linux/moduleloader.h linux-2.6.37/include/linux/moduleloader.h
47138 --- linux-2.6.37/include/linux/moduleloader.h 2011-01-04 19:50:19.000000000 -0500
47139 +++ linux-2.6.37/include/linux/moduleloader.h 2011-01-17 02:41:02.000000000 -0500
47140 @@ -20,9 +20,21 @@ unsigned int arch_mod_section_prepend(st
47141 sections. Returns NULL on failure. */
47142 void *module_alloc(unsigned long size);
47143
47144 +#ifdef CONFIG_PAX_KERNEXEC
47145 +void *module_alloc_exec(unsigned long size);
47146 +#else
47147 +#define module_alloc_exec(x) module_alloc(x)
47148 +#endif
47149 +
47150 /* Free memory returned from module_alloc. */
47151 void module_free(struct module *mod, void *module_region);
47152
47153 +#ifdef CONFIG_PAX_KERNEXEC
47154 +void module_free_exec(struct module *mod, void *module_region);
47155 +#else
47156 +#define module_free_exec(x, y) module_free((x), (y))
47157 +#endif
47158 +
47159 /* Apply the given relocation to the (simplified) ELF. Return -error
47160 or 0. */
47161 int apply_relocate(Elf_Shdr *sechdrs,
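Review bot: `module_alloc_exec` and `module_free_exec` are added without a comment, while the neighbouring `module_alloc` and `module_free` each carry one ("Free memory returned from module_alloc."); a reader cannot tell from the header that the `_exec` pair is meant for the executable (rx) sections and that regions from `module_alloc_exec` must be released with `module_free_exec` rather than `module_free`. Suggest `/* Allocate memory for executable module sections; pair with module_free_exec(). */` above the first block and `/* Free memory returned from module_alloc_exec. */` above the second. The non-KERNEXEC fallbacks being plain macros to `module_alloc`/`module_free` is fine, but stating the pairing rule keeps callers correct in both configurations.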
47162 diff -urNp linux-2.6.37/include/linux/moduleparam.h linux-2.6.37/include/linux/moduleparam.h
47163 --- linux-2.6.37/include/linux/moduleparam.h 2011-01-04 19:50:19.000000000 -0500
47164 +++ linux-2.6.37/include/linux/moduleparam.h 2011-01-17 02:41:02.000000000 -0500
47165 @@ -253,7 +253,7 @@ static inline void __kernel_param_unlock
47166 * @len is usually just sizeof(string).
47167 */
47168 #define module_param_string(name, string, len, perm) \
47169 - static const struct kparam_string __param_string_##name \
47170 + static const struct kparam_string __param_string_##name __used \
47171 = { len, string }; \
47172 __module_param_call(MODULE_PARAM_PREFIX, name, \
47173 &param_ops_string, \
47174 @@ -368,7 +368,7 @@ extern int param_get_invbool(char *buffe
47175 * module_param_named() for why this might be necessary.
47176 */
47177 #define module_param_array_named(name, array, type, nump, perm) \
47178 - static const struct kparam_array __param_arr_##name \
47179 + static const struct kparam_array __param_arr_##name __used \
47180 = { ARRAY_SIZE(array), nump, &param_ops_##type, \
47181 sizeof(array[0]), array }; \
47182 __module_param_call(MODULE_PARAM_PREFIX, name, \
47183 diff -urNp linux-2.6.37/include/linux/namei.h linux-2.6.37/include/linux/namei.h
47184 --- linux-2.6.37/include/linux/namei.h 2011-01-04 19:50:19.000000000 -0500
47185 +++ linux-2.6.37/include/linux/namei.h 2011-01-17 02:41:02.000000000 -0500
47186 @@ -22,7 +22,7 @@ struct nameidata {
47187 unsigned int flags;
47188 int last_type;
47189 unsigned depth;
47190 - char *saved_names[MAX_NESTED_LINKS + 1];
47191 + const char *saved_names[MAX_NESTED_LINKS + 1];
47192
47193 /* Intent data */
47194 union {
47195 @@ -81,12 +81,12 @@ extern int follow_up(struct path *);
47196 extern struct dentry *lock_rename(struct dentry *, struct dentry *);
47197 extern void unlock_rename(struct dentry *, struct dentry *);
47198
47199 -static inline void nd_set_link(struct nameidata *nd, char *path)
47200 +static inline void nd_set_link(struct nameidata *nd, const char *path)
47201 {
47202 nd->saved_names[nd->depth] = path;
47203 }
47204
47205 -static inline char *nd_get_link(struct nameidata *nd)
47206 +static inline const char *nd_get_link(const struct nameidata *nd)
47207 {
47208 return nd->saved_names[nd->depth];
47209 }
47210 diff -urNp linux-2.6.37/include/linux/netfilter/xt_gradm.h linux-2.6.37/include/linux/netfilter/xt_gradm.h
47211 --- linux-2.6.37/include/linux/netfilter/xt_gradm.h 1969-12-31 19:00:00.000000000 -0500
47212 +++ linux-2.6.37/include/linux/netfilter/xt_gradm.h 2011-01-17 02:41:02.000000000 -0500
47213 @@ -0,0 +1,9 @@
47214 +#ifndef _LINUX_NETFILTER_XT_GRADM_H
47215 +#define _LINUX_NETFILTER_XT_GRADM_H 1
47216 +
47217 +struct xt_gradm_mtinfo {
47218 + __u16 flags;
47219 + __u16 invflags;
47220 +};
47221 +
47222 +#endif
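Review bot: xt_gradm.h uses `__u16` but includes nothing, so the header is not self-contained and only compiles when the includer has already pulled in the kernel integer types; add `#include <linux/types.h>` after the guard. `flags` and `invflags` have no comment on which bits are valid — presumably they are defined by the matching module — so either define the bit values here alongside the struct or note where they live.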
47223 diff -urNp linux-2.6.37/include/linux/oprofile.h linux-2.6.37/include/linux/oprofile.h
47224 --- linux-2.6.37/include/linux/oprofile.h 2011-01-04 19:50:19.000000000 -0500
47225 +++ linux-2.6.37/include/linux/oprofile.h 2011-01-17 02:41:02.000000000 -0500
47226 @@ -130,9 +130,9 @@ int oprofilefs_create_ulong(struct super
47227 int oprofilefs_create_ro_ulong(struct super_block * sb, struct dentry * root,
47228 char const * name, ulong * val);
47229
47230 -/** Create a file for read-only access to an atomic_t. */
47231 +/** Create a file for read-only access to an atomic_unchecked_t. */
47232 int oprofilefs_create_ro_atomic(struct super_block * sb, struct dentry * root,
47233 - char const * name, atomic_t * val);
47234 + char const * name, atomic_unchecked_t * val);
47235
47236 /** create a directory */
47237 struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
47238 diff -urNp linux-2.6.37/include/linux/pipe_fs_i.h linux-2.6.37/include/linux/pipe_fs_i.h
47239 --- linux-2.6.37/include/linux/pipe_fs_i.h 2011-01-04 19:50:19.000000000 -0500
47240 +++ linux-2.6.37/include/linux/pipe_fs_i.h 2011-01-17 02:41:02.000000000 -0500
47241 @@ -45,9 +45,9 @@ struct pipe_buffer {
47242 struct pipe_inode_info {
47243 wait_queue_head_t wait;
47244 unsigned int nrbufs, curbuf, buffers;
47245 - unsigned int readers;
47246 - unsigned int writers;
47247 - unsigned int waiting_writers;
47248 + atomic_t readers;
47249 + atomic_t writers;
47250 + atomic_t waiting_writers;
47251 unsigned int r_counter;
47252 unsigned int w_counter;
47253 struct page *tmp_page;
47254 diff -urNp linux-2.6.37/include/linux/pm_runtime.h linux-2.6.37/include/linux/pm_runtime.h
47255 --- linux-2.6.37/include/linux/pm_runtime.h 2011-01-04 19:50:19.000000000 -0500
47256 +++ linux-2.6.37/include/linux/pm_runtime.h 2011-01-17 02:41:02.000000000 -0500
47257 @@ -83,7 +83,7 @@ static inline bool pm_runtime_suspended(
47258
47259 static inline void pm_runtime_mark_last_busy(struct device *dev)
47260 {
47261 - ACCESS_ONCE(dev->power.last_busy) = jiffies;
47262 + ACCESS_ONCE_RW(dev->power.last_busy) = jiffies;
47263 }
47264
47265 #else /* !CONFIG_PM_RUNTIME */
47266 diff -urNp linux-2.6.37/include/linux/poison.h linux-2.6.37/include/linux/poison.h
47267 --- linux-2.6.37/include/linux/poison.h 2011-01-04 19:50:19.000000000 -0500
47268 +++ linux-2.6.37/include/linux/poison.h 2011-01-17 02:41:02.000000000 -0500
47269 @@ -19,8 +19,8 @@
47270 * under normal circumstances, used to verify that nobody uses
47271 * non-initialized list entries.
47272 */
47273 -#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA)
47274 -#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA)
47275 +#define LIST_POISON1 ((void *) (long)0xFFFFFF01)
47276 +#define LIST_POISON2 ((void *) (long)0xFFFFFF02)
47277
47278 /********** include/linux/timer.h **********/
47279 /*
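Review bot: On a 64-bit build `(long)0xFFFFFF01` does not sign-extend — the literal has type unsigned int, so the cast yields 4294967041 and LIST_POISON1 becomes the low address 0xFFFFFF01, inside the user address range, whereas the POISON_POINTER_DELTA form it replaces produced (as far as I recall) a non-canonical address on x86_64; only on 32-bit does the cast give a negative long and hence a high kernel address. A low user-range address faults on a stray dereference only while that page is unmapped, so the new value presumably relies on a feature that makes kernel accesses to userland addresses fault in order to be at least as safe as before. That reliance, and the different result on 32- and 64-bit targets, should be stated next to the defines, e.g. `/* user-range address on 64-bit: a stray dereference is expected to be caught by the kernel/userland separation, not by the address being unmapped */`; otherwise the 64-bit case could keep a non-canonical value. The same applies to LIST_POISON2.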
47280 diff -urNp linux-2.6.37/include/linux/proc_fs.h linux-2.6.37/include/linux/proc_fs.h
47281 --- linux-2.6.37/include/linux/proc_fs.h 2011-01-04 19:50:19.000000000 -0500
47282 +++ linux-2.6.37/include/linux/proc_fs.h 2011-01-17 02:41:02.000000000 -0500
47283 @@ -155,6 +155,19 @@ static inline struct proc_dir_entry *pro
47284 return proc_create_data(name, mode, parent, proc_fops, NULL);
47285 }
47286
47287 +static inline struct proc_dir_entry *proc_create_grsec(const char *name, mode_t mode,
47288 + struct proc_dir_entry *parent, const struct file_operations *proc_fops)
47289 +{
47290 +#ifdef CONFIG_GRKERNSEC_PROC_USER
47291 + return proc_create_data(name, S_IRUSR, parent, proc_fops, NULL);
47292 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
47293 + return proc_create_data(name, S_IRUSR | S_IRGRP, parent, proc_fops, NULL);
47294 +#else
47295 + return proc_create_data(name, mode, parent, proc_fops, NULL);
47296 +#endif
47297 +}
47298 +
47299 +
47300 static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
47301 mode_t mode, struct proc_dir_entry *base,
47302 read_proc_t *read_proc, void * data)
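Review bot: proc_create_grsec() silently discards the caller's `mode` under CONFIG_GRKERNSEC_PROC_USER and CONFIG_GRKERNSEC_PROC_USERGROUP, including any write bits, so a caller passing a writable mode would get a read-only entry; nothing in the hunk says the helper is meant only for read-only entries. A one-line comment above the function would make that contract explicit, e.g. `/* proc_create() for read-only entries: with GRKERNSEC_PROC_USER(GROUP) the caller's mode is replaced by S_IRUSR (| S_IRGRP) */`. The two blank lines after the closing brace can be collapsed to one.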
47303 diff -urNp linux-2.6.37/include/linux/random.h linux-2.6.37/include/linux/random.h
47304 --- linux-2.6.37/include/linux/random.h 2011-01-04 19:50:19.000000000 -0500
47305 +++ linux-2.6.37/include/linux/random.h 2011-01-17 02:41:02.000000000 -0500
47306 @@ -80,12 +80,17 @@ void srandom32(u32 seed);
47307
47308 u32 prandom32(struct rnd_state *);
47309
47310 +static inline unsigned long pax_get_random_long(void)
47311 +{
47312 + return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
47313 +}
47314 +
47315 /*
47316 * Handle minimum values for seeds
47317 */
47318 static inline u32 __seed(u32 x, u32 m)
47319 {
47320 - return (x < m) ? x + m : x;
47321 + return (x <= m) ? x + m + 1 : x;
47322 }
47323
47324 /**
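Review bot: In pax_get_random_long() the expression `(unsigned long)random32() << 32` is still compiled on 32-bit targets even though the `sizeof(long) > 4` test makes that branch dead, so a shift by the full width of unsigned long ends up in every 32-bit translation unit that includes this header (undefined in C and normally reported as a shift-count warning). Selecting the form with `BITS_PER_LONG` keeps the shift out of builds where it is invalid. Separately, random32() is, as far as I recall, the non-cryptographic per-CPU PRNG; if this helper feeds the PAX_DELTA_* randomisation (the name suggests so), the intended strength should be stated in a comment, and get_random_int() would be the more appropriate source if unpredictability matters.

```c
static inline unsigned long pax_get_random_long(void)
{
#if BITS_PER_LONG == 64
	return random32() + ((unsigned long)random32() << 32);
#else
	return random32();
#endif
}
```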
47325 diff -urNp linux-2.6.37/include/linux/reiserfs_fs.h linux-2.6.37/include/linux/reiserfs_fs.h
47326 --- linux-2.6.37/include/linux/reiserfs_fs.h 2011-01-04 19:50:19.000000000 -0500
47327 +++ linux-2.6.37/include/linux/reiserfs_fs.h 2011-01-17 02:41:02.000000000 -0500
47328 @@ -1403,7 +1403,7 @@ static inline loff_t max_reiserfs_offset
47329 #define REISERFS_USER_MEM 1 /* reiserfs user memory mode */
47330
47331 #define fs_generation(s) (REISERFS_SB(s)->s_generation_counter)
47332 -#define get_generation(s) atomic_read (&fs_generation(s))
47333 +#define get_generation(s) atomic_read_unchecked (&fs_generation(s))
47334 #define FILESYSTEM_CHANGED_TB(tb) (get_generation((tb)->tb_sb) != (tb)->fs_gen)
47335 #define __fs_changed(gen,s) (gen != get_generation (s))
47336 #define fs_changed(gen,s) \
47337 @@ -1615,24 +1615,24 @@ static inline struct super_block *sb_fro
47338 */
47339
47340 struct item_operations {
47341 - int (*bytes_number) (struct item_head * ih, int block_size);
47342 - void (*decrement_key) (struct cpu_key *);
47343 - int (*is_left_mergeable) (struct reiserfs_key * ih,
47344 + int (* const bytes_number) (struct item_head * ih, int block_size);
47345 + void (* const decrement_key) (struct cpu_key *);
47346 + int (* const is_left_mergeable) (struct reiserfs_key * ih,
47347 unsigned long bsize);
47348 - void (*print_item) (struct item_head *, char *item);
47349 - void (*check_item) (struct item_head *, char *item);
47350 + void (* const print_item) (struct item_head *, char *item);
47351 + void (* const check_item) (struct item_head *, char *item);
47352
47353 - int (*create_vi) (struct virtual_node * vn, struct virtual_item * vi,
47354 + int (* const create_vi) (struct virtual_node * vn, struct virtual_item * vi,
47355 int is_affected, int insert_size);
47356 - int (*check_left) (struct virtual_item * vi, int free,
47357 + int (* const check_left) (struct virtual_item * vi, int free,
47358 int start_skip, int end_skip);
47359 - int (*check_right) (struct virtual_item * vi, int free);
47360 - int (*part_size) (struct virtual_item * vi, int from, int to);
47361 - int (*unit_num) (struct virtual_item * vi);
47362 - void (*print_vi) (struct virtual_item * vi);
47363 + int (* const check_right) (struct virtual_item * vi, int free);
47364 + int (* const part_size) (struct virtual_item * vi, int from, int to);
47365 + int (* const unit_num) (struct virtual_item * vi);
47366 + void (* const print_vi) (struct virtual_item * vi);
47367 };
47368
47369 -extern struct item_operations *item_ops[TYPE_ANY + 1];
47370 +extern const struct item_operations * const item_ops[TYPE_ANY + 1];
47371
47372 #define op_bytes_number(ih,bsize) item_ops[le_ih_k_type (ih)]->bytes_number (ih, bsize)
47373 #define op_is_left_mergeable(key,bsize) item_ops[le_key_k_type (le_key_version (key), key)]->is_left_mergeable (key, bsize)
47374 diff -urNp linux-2.6.37/include/linux/reiserfs_fs_sb.h linux-2.6.37/include/linux/reiserfs_fs_sb.h
47375 --- linux-2.6.37/include/linux/reiserfs_fs_sb.h 2011-01-04 19:50:19.000000000 -0500
47376 +++ linux-2.6.37/include/linux/reiserfs_fs_sb.h 2011-01-17 02:41:02.000000000 -0500
47377 @@ -386,7 +386,7 @@ struct reiserfs_sb_info {
47378 /* Comment? -Hans */
47379 wait_queue_head_t s_wait;
47380 /* To be obsoleted soon by per buffer seals.. -Hans */
47381 - atomic_t s_generation_counter; // increased by one every time the
47382 + atomic_unchecked_t s_generation_counter; // increased by one every time the
47383 // tree gets re-balanced
47384 unsigned long s_properties; /* File system properties. Currently holds
47385 on-disk FS format */
47386 diff -urNp linux-2.6.37/include/linux/rmap.h linux-2.6.37/include/linux/rmap.h
47387 --- linux-2.6.37/include/linux/rmap.h 2011-01-04 19:50:19.000000000 -0500
47388 +++ linux-2.6.37/include/linux/rmap.h 2011-01-17 02:41:02.000000000 -0500
47389 @@ -145,8 +145,8 @@ static inline void anon_vma_unlock(struc
47390 void anon_vma_init(void); /* create anon_vma_cachep */
47391 int anon_vma_prepare(struct vm_area_struct *);
47392 void unlink_anon_vmas(struct vm_area_struct *);
47393 -int anon_vma_clone(struct vm_area_struct *, struct vm_area_struct *);
47394 -int anon_vma_fork(struct vm_area_struct *, struct vm_area_struct *);
47395 +int anon_vma_clone(struct vm_area_struct *, const struct vm_area_struct *);
47396 +int anon_vma_fork(struct vm_area_struct *, const struct vm_area_struct *);
47397 void __anon_vma_link(struct vm_area_struct *);
47398 void anon_vma_free(struct anon_vma *);
47399
47400 diff -urNp linux-2.6.37/include/linux/sched.h linux-2.6.37/include/linux/sched.h
47401 --- linux-2.6.37/include/linux/sched.h 2011-01-04 19:50:19.000000000 -0500
47402 +++ linux-2.6.37/include/linux/sched.h 2011-01-17 02:41:02.000000000 -0500
47403 @@ -100,6 +100,7 @@ struct robust_list_head;
47404 struct bio_list;
47405 struct fs_struct;
47406 struct perf_event_context;
47407 +struct linux_binprm;
47408
47409 /*
47410 * List of flags we want to share for kernel threads,
47411 @@ -377,10 +378,12 @@ struct user_namespace;
47412 #define DEFAULT_MAX_MAP_COUNT (USHRT_MAX - MAPCOUNT_ELF_CORE_MARGIN)
47413
47414 extern int sysctl_max_map_count;
47415 +extern unsigned long sysctl_heap_stack_gap;
47416
47417 #include <linux/aio.h>
47418
47419 #ifdef CONFIG_MMU
47420 +extern bool check_heap_stack_gap(struct vm_area_struct *vma, unsigned long addr, unsigned long len);
47421 extern void arch_pick_mmap_layout(struct mm_struct *mm);
47422 extern unsigned long
47423 arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
47424 @@ -624,6 +627,16 @@ struct signal_struct {
47425 struct tty_audit_buf *tty_audit_buf;
47426 #endif
47427
47428 +#ifdef CONFIG_GRKERNSEC
47429 + u32 curr_ip;
47430 + u32 saved_ip;
47431 + u32 gr_saddr;
47432 + u32 gr_daddr;
47433 + u16 gr_sport;
47434 + u16 gr_dport;
47435 + u8 used_accept:1;
47436 +#endif
47437 +
47438 int oom_adj; /* OOM kill score adjustment (bit shift) */
47439 int oom_score_adj; /* OOM kill score adjustment */
47440
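Review bot: The CONFIG_GRKERNSEC fields added to struct signal_struct here (curr_ip, saved_ip, gr_saddr, gr_daddr, gr_sport, gr_dport, used_accept) carry no comments, unlike the surrounding upstream members, and the same applies to the grsecurity block added to struct task_struct in the later `@@ -1483,6 +1498,20 @@` hunk (gr_chroot_dentry, acl, role, exec_file, acl_role_id, acl_sp_role, is_writable, brute, gr_is_chrooted). Each field should get a trailing comment saying what it records, in which byte order the address and port fields are kept, and which lock or RCU protects updates — the names alone do not tell a reader whether curr_ip is host or network order, or what `brute` counts. Both struct definitions start and end outside their hunks.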
47441 @@ -1181,7 +1194,7 @@ enum perf_event_task_context {
47442
47443 struct task_struct {
47444 volatile long state; /* -1 unrunnable, 0 runnable, >0 stopped */
47445 - void *stack;
47446 + struct thread_info *stack;
47447 atomic_t usage;
47448 unsigned int flags; /* per process flags, defined below */
47449 unsigned int ptrace;
47450 @@ -1291,8 +1304,8 @@ struct task_struct {
47451 struct list_head thread_group;
47452
47453 struct completion *vfork_done; /* for vfork() */
47454 - int __user *set_child_tid; /* CLONE_CHILD_SETTID */
47455 - int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
47456 + pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
47457 + pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
47458
47459 cputime_t utime, stime, utimescaled, stimescaled;
47460 cputime_t gtime;
47461 @@ -1308,13 +1321,6 @@ struct task_struct {
47462 struct task_cputime cputime_expires;
47463 struct list_head cpu_timers[3];
47464
47465 -/* process credentials */
47466 - const struct cred __rcu *real_cred; /* objective and real subjective task
47467 - * credentials (COW) */
47468 - const struct cred __rcu *cred; /* effective (overridable) subjective task
47469 - * credentials (COW) */
47470 - struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
47471 -
47472 char comm[TASK_COMM_LEN]; /* executable name excluding path
47473 - access with [gs]et_task_comm (which lock
47474 it with task_lock())
47475 @@ -1333,6 +1339,10 @@ struct task_struct {
47476 struct thread_struct thread;
47477 /* filesystem information */
47478 struct fs_struct *fs;
47479 +
47480 + const struct cred __rcu *cred; /* effective (overridable) subjective task
47481 + * credentials (COW) */
47482 +
47483 /* open file information */
47484 struct files_struct *files;
47485 /* namespaces */
47486 @@ -1379,6 +1389,11 @@ struct task_struct {
47487 struct rt_mutex_waiter *pi_blocked_on;
47488 #endif
47489
47490 +/* process credentials */
47491 + const struct cred __rcu *real_cred; /* objective and real subjective task
47492 + * credentials (COW) */
47493 + struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
47494 +
47495 #ifdef CONFIG_DEBUG_MUTEXES
47496 /* mutex deadlock detection */
47497 struct mutex_waiter *blocked_on;
47498 @@ -1483,6 +1498,20 @@ struct task_struct {
47499 unsigned long default_timer_slack_ns;
47500
47501 struct list_head *scm_work_list;
47502 +
47503 +#ifdef CONFIG_GRKERNSEC
47504 + /* grsecurity */
47505 + struct dentry *gr_chroot_dentry;
47506 + struct acl_subject_label *acl;
47507 + struct acl_role_label *role;
47508 + struct file *exec_file;
47509 + u16 acl_role_id;
47510 + u8 acl_sp_role;
47511 + u8 is_writable;
47512 + u8 brute;
47513 + u8 gr_is_chrooted;
47514 +#endif
47515 +
47516 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
47517 /* Index of current stored address in ret_stack */
47518 int curr_ret_stack;
47519 @@ -1514,6 +1543,52 @@ struct task_struct {
47520 #endif
47521 };
47522
47523 +#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
47524 +#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
47525 +#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
47526 +#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
47527 +/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
47528 +#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
47529 +
47530 +#ifdef CONFIG_PAX_SOFTMODE
47531 +extern unsigned int pax_softmode;
47532 +#endif
47533 +
47534 +extern int pax_check_flags(unsigned long *);
47535 +
47536 +/* if tsk != current then task_lock must be held on it */
47537 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
47538 +static inline unsigned long pax_get_flags(struct task_struct *tsk)
47539 +{
47540 + if (likely(tsk->mm))
47541 + return tsk->mm->pax_flags;
47542 + else
47543 + return 0UL;
47544 +}
47545 +
47546 +/* if tsk != current then task_lock must be held on it */
47547 +static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
47548 +{
47549 + if (likely(tsk->mm)) {
47550 + tsk->mm->pax_flags = flags;
47551 + return 0;
47552 + }
47553 + return -EINVAL;
47554 +}
47555 +#endif
47556 +
47557 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
47558 +extern void pax_set_initial_flags(struct linux_binprm *bprm);
47559 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
47560 +extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
47561 +#endif
47562 +
47563 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
47564 +void pax_report_insns(void *pc, void *sp);
47565 +void pax_report_refcount_overflow(struct pt_regs *regs);
47566 +void pax_report_leak_to_user(const void *ptr, unsigned long len);
47567 +void pax_report_overflow_from_user(const void *ptr, unsigned long len);
47568 +
47569 /* Future-safe accessor for struct task_struct's cpus_allowed. */
47570 #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
47571
47572 @@ -2134,7 +2209,7 @@ extern void __cleanup_sighand(struct sig
47573 extern void exit_itimers(struct signal_struct *);
47574 extern void flush_itimer_signals(void);
47575
47576 -extern NORET_TYPE void do_group_exit(int);
47577 +extern NORET_TYPE void do_group_exit(int) ATTRIB_NORET;
47578
47579 extern void daemonize(const char *, ...);
47580 extern int allow_signal(int);
47581 @@ -2259,8 +2334,8 @@ static inline void unlock_task_sighand(s
47582
47583 #ifndef __HAVE_THREAD_FUNCTIONS
47584
47585 -#define task_thread_info(task) ((struct thread_info *)(task)->stack)
47586 -#define task_stack_page(task) ((task)->stack)
47587 +#define task_thread_info(task) ((task)->stack)
47588 +#define task_stack_page(task) ((void *)(task)->stack)
47589
47590 static inline void setup_thread_stack(struct task_struct *p, struct task_struct *org)
47591 {
47592 @@ -2275,13 +2350,17 @@ static inline unsigned long *end_of_stac
47593
47594 #endif
47595
47596 -static inline int object_is_on_stack(void *obj)
47597 +static inline int object_starts_on_stack(void *obj)
47598 {
47599 - void *stack = task_stack_page(current);
47600 + const void *stack = task_stack_page(current);
47601
47602 return (obj >= stack) && (obj < (stack + THREAD_SIZE));
47603 }
47604
47605 +#ifdef CONFIG_PAX_USERCOPY
47606 +extern int object_is_on_stack(const void *obj, unsigned long len);
47607 +#endif
47608 +
47609 extern void thread_info_cache_init(void);
47610
47611 #ifdef CONFIG_DEBUG_STACK_USAGE
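Review bot: The renamed object_starts_on_stack() still tests only the first byte of obj against current's stack page, while the new two-argument object_is_on_stack(obj, len) declared under CONFIG_PAX_USERCOPY presumably validates the whole range; neither carries a comment explaining the split, and a reader who knows the old one-argument object_is_on_stack() will need one. Suggest above the inline function: `/* true if obj's first byte lies within current's stack; to check a whole [obj, obj + len) range use object_is_on_stack() (CONFIG_PAX_USERCOPY) */`. Any remaining caller of the one-argument function elsewhere in the tree must be renamed, and since the two-argument declaration is only visible under CONFIG_PAX_USERCOPY its callers need the same guard; I assume the rest of the patch handles that.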
47612 diff -urNp linux-2.6.37/include/linux/screen_info.h linux-2.6.37/include/linux/screen_info.h
47613 --- linux-2.6.37/include/linux/screen_info.h 2011-01-04 19:50:19.000000000 -0500
47614 +++ linux-2.6.37/include/linux/screen_info.h 2011-01-17 02:41:02.000000000 -0500
47615 @@ -43,7 +43,8 @@ struct screen_info {
47616 __u16 pages; /* 0x32 */
47617 __u16 vesa_attributes; /* 0x34 */
47618 __u32 capabilities; /* 0x36 */
47619 - __u8 _reserved[6]; /* 0x3a */
47620 + __u16 vesapm_size; /* 0x3a */
47621 + __u8 _reserved[4]; /* 0x3c */
47622 } __attribute__((packed));
47623
47624 #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
47625 diff -urNp linux-2.6.37/include/linux/security.h linux-2.6.37/include/linux/security.h
47626 --- linux-2.6.37/include/linux/security.h 2011-01-04 19:50:19.000000000 -0500
47627 +++ linux-2.6.37/include/linux/security.h 2011-01-17 02:41:02.000000000 -0500
47628 @@ -35,6 +35,7 @@
47629 #include <linux/key.h>
47630 #include <linux/xfrm.h>
47631 #include <linux/slab.h>
47632 +#include <linux/grsecurity.h>
47633 #include <net/flow.h>
47634
47635 /* Maximum number of letters for an LSM name string */
47636 diff -urNp linux-2.6.37/include/linux/shm.h linux-2.6.37/include/linux/shm.h
47637 --- linux-2.6.37/include/linux/shm.h 2011-01-04 19:50:19.000000000 -0500
47638 +++ linux-2.6.37/include/linux/shm.h 2011-01-17 02:41:02.000000000 -0500
47639 @@ -95,6 +95,10 @@ struct shmid_kernel /* private to the ke
47640 pid_t shm_cprid;
47641 pid_t shm_lprid;
47642 struct user_struct *mlock_user;
47643 +#ifdef CONFIG_GRKERNSEC
47644 + time_t shm_createtime;
47645 + pid_t shm_lapid;
47646 +#endif
47647 };
47648
47649 /* shm_mode upper byte flags */
47650 diff -urNp linux-2.6.37/include/linux/skbuff.h linux-2.6.37/include/linux/skbuff.h
47651 --- linux-2.6.37/include/linux/skbuff.h 2011-01-04 19:50:19.000000000 -0500
47652 +++ linux-2.6.37/include/linux/skbuff.h 2011-01-17 02:41:02.000000000 -0500
47653 @@ -581,7 +581,7 @@ static inline struct skb_shared_hwtstamp
47654 */
47655 static inline int skb_queue_empty(const struct sk_buff_head *list)
47656 {
47657 - return list->next == (struct sk_buff *)list;
47658 + return list->next == (const struct sk_buff *)list;
47659 }
47660
47661 /**
47662 @@ -594,7 +594,7 @@ static inline int skb_queue_empty(const
47663 static inline bool skb_queue_is_last(const struct sk_buff_head *list,
47664 const struct sk_buff *skb)
47665 {
47666 - return skb->next == (struct sk_buff *)list;
47667 + return skb->next == (const struct sk_buff *)list;
47668 }
47669
47670 /**
47671 @@ -607,7 +607,7 @@ static inline bool skb_queue_is_last(con
47672 static inline bool skb_queue_is_first(const struct sk_buff_head *list,
47673 const struct sk_buff *skb)
47674 {
47675 - return skb->prev == (struct sk_buff *)list;
47676 + return skb->prev == (const struct sk_buff *)list;
47677 }
47678
47679 /**
47680 diff -urNp linux-2.6.37/include/linux/slab.h linux-2.6.37/include/linux/slab.h
47681 --- linux-2.6.37/include/linux/slab.h 2011-01-04 19:50:19.000000000 -0500
47682 +++ linux-2.6.37/include/linux/slab.h 2011-01-17 02:41:02.000000000 -0500
47683 @@ -11,6 +11,7 @@
47684
47685 #include <linux/gfp.h>
47686 #include <linux/types.h>
47687 +#include <linux/err.h>
47688
47689 /*
47690 * Flags to pass to kmem_cache_create().
47691 @@ -87,10 +88,13 @@
47692 * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
47693 * Both make kfree a no-op.
47694 */
47695 -#define ZERO_SIZE_PTR ((void *)16)
47696 +#define ZERO_SIZE_PTR \
47697 +({ \
47698 + BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK));\
47699 + (void *)(-MAX_ERRNO-1L); \
47700 +})
47701
47702 -#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
47703 - (unsigned long)ZERO_SIZE_PTR)
47704 +#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1)
47705
47706 /*
47707 * struct kmem_cache related prototypes
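Review bot: The new ZERO_OR_NULL_PTR() test `(unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1` is true not only for NULL and ZERO_SIZE_PTR but for every address at or above ZERO_SIZE_PTR, which with `-MAX_ERRNO-1L` is exactly the ERR_PTR range, so kfree() and the other users of the macro now treat IS_ERR() pointers as no-ops instead of tripping over them. If accepting error pointers is intended, the comment above the macro should say so; if not, the test should single out the two values, e.g. `#define ZERO_OR_NULL_PTR(x) (!(x) || (const void *)(x) == ZERO_SIZE_PTR)`. Turning ZERO_SIZE_PTR into a statement expression also means it can no longer appear in a constant expression such as a file-scope initializer, which is worth noting in the same comment.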
47708 @@ -144,6 +148,7 @@ void * __must_check krealloc(const void
47709 void kfree(const void *);
47710 void kzfree(const void *);
47711 size_t ksize(const void *);
47712 +void check_object_size(const void *ptr, unsigned long n, bool to);
47713
47714 /*
47715 * Allocator specific definitions. These are mainly used to establish optimized
47716 @@ -336,4 +341,37 @@ static inline void *kzalloc_node(size_t
47717
47718 void __init kmem_cache_init_late(void);
47719
47720 +#define kmalloc(x, y) \
47721 +({ \
47722 + void *___retval; \
47723 + intoverflow_t ___x = (intoverflow_t)x; \
47724 + if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n"))\
47725 + ___retval = NULL; \
47726 + else \
47727 + ___retval = kmalloc((size_t)___x, (y)); \
47728 + ___retval; \
47729 +})
47730 +
47731 +#define kmalloc_node(x, y, z) \
47732 +({ \
47733 + void *___retval; \
47734 + intoverflow_t ___x = (intoverflow_t)x; \
47735 + if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
47736 + ___retval = NULL; \
47737 + else \
47738 + ___retval = kmalloc_node((size_t)___x, (y), (z));\
47739 + ___retval; \
47740 +})
47741 +
47742 +#define kzalloc(x, y) \
47743 +({ \
47744 + void *___retval; \
47745 + intoverflow_t ___x = (intoverflow_t)x; \
47746 + if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n"))\
47747 + ___retval = NULL; \
47748 + else \
47749 + ___retval = kzalloc((size_t)___x, (y)); \
47750 + ___retval; \
47751 +})
47752 +
47753 #endif /* _LINUX_SLAB_H */
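Review bot: The overflow guard in the kmalloc/kmalloc_node/kzalloc wrappers only works when intoverflow_t is strictly wider than unsigned long: if the two have the same width, `___x > ULONG_MAX` is evaluated after conversion to an unsigned type and can never be true, so the WARN is dead code — the intoverflow_t typedef (outside this hunk) should document that it is 128-bit on 64-bit targets, or a `BUILD_BUG_ON(sizeof(intoverflow_t) <= sizeof(unsigned long))` could enforce it. Leaving `x` unparenthesized in `(intoverflow_t)x` looks deliberate, since it makes an argument like `a * b` multiply in the wide type so the overflow is observable, but it breaks the usual macro rule and does nothing for an argument of the form `c ? a : b` (the cast binds to `c`), so it needs a comment such as `/* x deliberately not parenthesized: the cast widens the whole arithmetic expression so a product is computed in intoverflow_t */`. A negative intoverflow_t size passes the test as well and is cast to a huge size_t; `WARN(___x < 0 || ___x > ULONG_MAX, ...)` would report it under the same message. The `___retval`/`___x` names sit in the implementation-reserved double-underscore namespace; kernel temporaries in macros conventionally use a single leading underscore.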
47754 diff -urNp linux-2.6.37/include/linux/slub_def.h linux-2.6.37/include/linux/slub_def.h
47755 --- linux-2.6.37/include/linux/slub_def.h 2011-01-04 19:50:19.000000000 -0500
47756 +++ linux-2.6.37/include/linux/slub_def.h 2011-01-17 02:41:02.000000000 -0500
47757 @@ -80,7 +80,7 @@ struct kmem_cache {
47758 struct kmem_cache_order_objects max;
47759 struct kmem_cache_order_objects min;
47760 gfp_t allocflags; /* gfp flags to use on each alloc */
47761 - int refcount; /* Refcount for slab cache destroy */
47762 + atomic_t refcount; /* Refcount for slab cache destroy */
47763 void (*ctor)(void *);
47764 int inuse; /* Offset to metadata */
47765 int align; /* Alignment */
47766 diff -urNp linux-2.6.37/include/linux/sonet.h linux-2.6.37/include/linux/sonet.h
47767 --- linux-2.6.37/include/linux/sonet.h 2011-01-04 19:50:19.000000000 -0500
47768 +++ linux-2.6.37/include/linux/sonet.h 2011-01-17 02:41:02.000000000 -0500
47769 @@ -61,7 +61,7 @@ struct sonet_stats {
47770 #include <asm/atomic.h>
47771
47772 struct k_sonet_stats {
47773 -#define __HANDLE_ITEM(i) atomic_t i
47774 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
47775 __SONET_ITEMS
47776 #undef __HANDLE_ITEM
47777 };
47778 diff -urNp linux-2.6.37/include/linux/sunrpc/clnt.h linux-2.6.37/include/linux/sunrpc/clnt.h
47779 --- linux-2.6.37/include/linux/sunrpc/clnt.h 2011-01-04 19:50:19.000000000 -0500
47780 +++ linux-2.6.37/include/linux/sunrpc/clnt.h 2011-01-17 02:41:02.000000000 -0500
47781 @@ -168,9 +168,9 @@ static inline unsigned short rpc_get_por
47782 {
47783 switch (sap->sa_family) {
47784 case AF_INET:
47785 - return ntohs(((struct sockaddr_in *)sap)->sin_port);
47786 + return ntohs(((const struct sockaddr_in *)sap)->sin_port);
47787 case AF_INET6:
47788 - return ntohs(((struct sockaddr_in6 *)sap)->sin6_port);
47789 + return ntohs(((const struct sockaddr_in6 *)sap)->sin6_port);
47790 }
47791 return 0;
47792 }
47793 @@ -203,7 +203,7 @@ static inline bool __rpc_cmp_addr4(const
47794 static inline bool __rpc_copy_addr4(struct sockaddr *dst,
47795 const struct sockaddr *src)
47796 {
47797 - const struct sockaddr_in *ssin = (struct sockaddr_in *) src;
47798 + const struct sockaddr_in *ssin = (const struct sockaddr_in *) src;
47799 struct sockaddr_in *dsin = (struct sockaddr_in *) dst;
47800
47801 dsin->sin_family = ssin->sin_family;
47802 @@ -300,7 +300,7 @@ static inline u32 rpc_get_scope_id(const
47803 if (sa->sa_family != AF_INET6)
47804 return 0;
47805
47806 - return ((struct sockaddr_in6 *) sa)->sin6_scope_id;
47807 + return ((const struct sockaddr_in6 *) sa)->sin6_scope_id;
47808 }
47809
47810 #endif /* __KERNEL__ */
47811 diff -urNp linux-2.6.37/include/linux/suspend.h linux-2.6.37/include/linux/suspend.h
47812 --- linux-2.6.37/include/linux/suspend.h 2011-01-04 19:50:19.000000000 -0500
47813 +++ linux-2.6.37/include/linux/suspend.h 2011-01-17 02:41:02.000000000 -0500
47814 @@ -106,15 +106,15 @@ typedef int __bitwise suspend_state_t;
47815 * which require special recovery actions in that situation.
47816 */
47817 struct platform_suspend_ops {
47818 - int (*valid)(suspend_state_t state);
47819 - int (*begin)(suspend_state_t state);
47820 - int (*prepare)(void);
47821 - int (*prepare_late)(void);
47822 - int (*enter)(suspend_state_t state);
47823 - void (*wake)(void);
47824 - void (*finish)(void);
47825 - void (*end)(void);
47826 - void (*recover)(void);
47827 + int (* const valid)(suspend_state_t state);
47828 + int (* const begin)(suspend_state_t state);
47829 + int (* const prepare)(void);
47830 + int (* const prepare_late)(void);
47831 + int (* const enter)(suspend_state_t state);
47832 + void (* const wake)(void);
47833 + void (* const finish)(void);
47834 + void (* const end)(void);
47835 + void (* const recover)(void);
47836 };
47837
47838 #ifdef CONFIG_SUSPEND
47839 @@ -122,7 +122,7 @@ struct platform_suspend_ops {
47840 * suspend_set_ops - set platform dependent suspend operations
47841 * @ops: The new suspend operations to set.
47842 */
47843 -extern void suspend_set_ops(struct platform_suspend_ops *ops);
47844 +extern void suspend_set_ops(const struct platform_suspend_ops *ops);
47845 extern int suspend_valid_only_mem(suspend_state_t state);
47846
47847 /**
47848 @@ -147,7 +147,7 @@ extern int pm_suspend(suspend_state_t st
47849 #else /* !CONFIG_SUSPEND */
47850 #define suspend_valid_only_mem NULL
47851
47852 -static inline void suspend_set_ops(struct platform_suspend_ops *ops) {}
47853 +static inline void suspend_set_ops(const struct platform_suspend_ops *ops) {}
47854 static inline int pm_suspend(suspend_state_t state) { return -ENOSYS; }
47855 #endif /* !CONFIG_SUSPEND */
47856
47857 @@ -217,16 +217,16 @@ extern void mark_free_pages(struct zone
47858 * platforms which require special recovery actions in that situation.
47859 */
47860 struct platform_hibernation_ops {
47861 - int (*begin)(void);
47862 - void (*end)(void);
47863 - int (*pre_snapshot)(void);
47864 - void (*finish)(void);
47865 - int (*prepare)(void);
47866 - int (*enter)(void);
47867 - void (*leave)(void);
47868 - int (*pre_restore)(void);
47869 - void (*restore_cleanup)(void);
47870 - void (*recover)(void);
47871 + int (* const begin)(void);
47872 + void (* const end)(void);
47873 + int (* const pre_snapshot)(void);
47874 + void (* const finish)(void);
47875 + int (* const prepare)(void);
47876 + int (* const enter)(void);
47877 + void (* const leave)(void);
47878 + int (* const pre_restore)(void);
47879 + void (* const restore_cleanup)(void);
47880 + void (* const recover)(void);
47881 };
47882
47883 #ifdef CONFIG_HIBERNATION
47884 @@ -245,7 +245,7 @@ extern void swsusp_set_page_free(struct
47885 extern void swsusp_unset_page_free(struct page *);
47886 extern unsigned long get_safe_page(gfp_t gfp_mask);
47887
47888 -extern void hibernation_set_ops(struct platform_hibernation_ops *ops);
47889 +extern void hibernation_set_ops(const struct platform_hibernation_ops *ops);
47890 extern int hibernate(void);
47891 extern bool system_entering_hibernation(void);
47892 #else /* CONFIG_HIBERNATION */
47893 @@ -253,7 +253,7 @@ static inline int swsusp_page_is_forbidd
47894 static inline void swsusp_set_page_free(struct page *p) {}
47895 static inline void swsusp_unset_page_free(struct page *p) {}
47896
47897 -static inline void hibernation_set_ops(struct platform_hibernation_ops *ops) {}
47898 +static inline void hibernation_set_ops(const struct platform_hibernation_ops *ops) {}
47899 static inline int hibernate(void) { return -ENOSYS; }
47900 static inline bool system_entering_hibernation(void) { return false; }
47901 #endif /* CONFIG_HIBERNATION */
47902 diff -urNp linux-2.6.37/include/linux/sysctl.h linux-2.6.37/include/linux/sysctl.h
47903 --- linux-2.6.37/include/linux/sysctl.h 2011-01-04 19:50:19.000000000 -0500
47904 +++ linux-2.6.37/include/linux/sysctl.h 2011-01-17 02:41:02.000000000 -0500
47905 @@ -155,7 +155,11 @@ enum
47906 KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
47907 };
47908
47909 -
47910 +#ifdef CONFIG_PAX_SOFTMODE
47911 +enum {
47912 + PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
47913 +};
47914 +#endif
47915
47916 /* CTL_VM names: */
47917 enum
47918 @@ -966,6 +970,8 @@ typedef int proc_handler (struct ctl_tab
47919
47920 extern int proc_dostring(struct ctl_table *, int,
47921 void __user *, size_t *, loff_t *);
47922 +extern int proc_dostring_modpriv(struct ctl_table *, int,
47923 + void __user *, size_t *, loff_t *);
47924 extern int proc_dointvec(struct ctl_table *, int,
47925 void __user *, size_t *, loff_t *);
47926 extern int proc_dointvec_minmax(struct ctl_table *, int,
47927 diff -urNp linux-2.6.37/include/linux/sysfs.h linux-2.6.37/include/linux/sysfs.h
47928 --- linux-2.6.37/include/linux/sysfs.h 2011-01-04 19:50:19.000000000 -0500
47929 +++ linux-2.6.37/include/linux/sysfs.h 2011-01-17 02:41:02.000000000 -0500
47930 @@ -110,8 +110,8 @@ struct bin_attribute {
47931 #define sysfs_bin_attr_init(bin_attr) sysfs_attr_init(&(bin_attr)->attr)
47932
47933 struct sysfs_ops {
47934 - ssize_t (*show)(struct kobject *, struct attribute *,char *);
47935 - ssize_t (*store)(struct kobject *,struct attribute *,const char *, size_t);
47936 + ssize_t (* const show)(struct kobject *, struct attribute *,char *);
47937 + ssize_t (* const store)(struct kobject *,struct attribute *,const char *, size_t);
47938 };
47939
47940 struct sysfs_dirent;
47941 diff -urNp linux-2.6.37/include/linux/tty.h linux-2.6.37/include/linux/tty.h
47942 --- linux-2.6.37/include/linux/tty.h 2011-01-04 19:50:19.000000000 -0500
47943 +++ linux-2.6.37/include/linux/tty.h 2011-01-17 02:41:02.000000000 -0500
47944 @@ -13,6 +13,8 @@
47945 #include <linux/tty_driver.h>
47946 #include <linux/tty_ldisc.h>
47947 #include <linux/mutex.h>
47948 +#include <linux/poll.h>
47949 +#include <linux/smp_lock.h>
47950
47951 #include <asm/system.h>
47952
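Review bot: Of the two headers added here only <linux/poll.h> is needed by the declarations this patch adds to tty.h (the poll_table parameter of tty_poll() in the `@@ -528,6 +529,18 @@` hunk); nothing in the visible hunks uses anything from <linux/smp_lock.h>, and pulling the BKL header into every includer of tty.h widens its reach at a point where the BKL is being retired. If a user of lock_kernel() elsewhere depends on this transitive include it should include smp_lock.h itself; otherwise the line can be dropped.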
47953 @@ -465,7 +467,6 @@ extern int tty_perform_flush(struct tty_
47954 extern dev_t tty_devnum(struct tty_struct *tty);
47955 extern void proc_clear_tty(struct task_struct *p);
47956 extern struct tty_struct *get_current_tty(void);
47957 -extern void tty_default_fops(struct file_operations *fops);
47958 extern struct tty_struct *alloc_tty_struct(void);
47959 extern int tty_add_file(struct tty_struct *tty, struct file *file);
47960 extern void free_tty_struct(struct tty_struct *tty);
47961 @@ -528,6 +529,18 @@ extern void tty_ldisc_begin(void);
47962 /* This last one is just for the tty layer internals and shouldn't be used elsewhere */
47963 extern void tty_ldisc_enable(struct tty_struct *tty);
47964
47965 +/* tty_io.c */
47966 +extern ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
47967 +extern ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
47968 +extern unsigned int tty_poll(struct file *, poll_table *);
47969 +#ifdef CONFIG_COMPAT
47970 +extern long tty_compat_ioctl(struct file *file, unsigned int cmd,
47971 + unsigned long arg);
47972 +#else
47973 +#define tty_compat_ioctl NULL
47974 +#endif
47975 +extern int tty_release(struct inode *, struct file *);
47976 +extern int tty_fasync(int fd, struct file *filp, int on);
47977
47978 /* n_tty.c */
47979 extern struct tty_ldisc_ops tty_ldisc_N_TTY;
47980 diff -urNp linux-2.6.37/include/linux/tty_ldisc.h linux-2.6.37/include/linux/tty_ldisc.h
47981 --- linux-2.6.37/include/linux/tty_ldisc.h 2011-01-04 19:50:19.000000000 -0500
47982 +++ linux-2.6.37/include/linux/tty_ldisc.h 2011-01-17 02:41:02.000000000 -0500
47983 @@ -147,7 +147,7 @@ struct tty_ldisc_ops {
47984
47985 struct module *owner;
47986
47987 - int refcount;
47988 + atomic_t refcount;
47989 };
47990
47991 struct tty_ldisc {
47992 diff -urNp linux-2.6.37/include/linux/types.h linux-2.6.37/include/linux/types.h
47993 --- linux-2.6.37/include/linux/types.h 2011-01-04 19:50:19.000000000 -0500
47994 +++ linux-2.6.37/include/linux/types.h 2011-01-17 02:41:02.000000000 -0500
47995 @@ -207,10 +207,26 @@ typedef struct {
47996 int counter;
47997 } atomic_t;
47998
47999 +#ifdef CONFIG_PAX_REFCOUNT
48000 +typedef struct {
48001 + int counter;
48002 +} atomic_unchecked_t;
48003 +#else
48004 +typedef atomic_t atomic_unchecked_t;
48005 +#endif
48006 +
48007 #ifdef CONFIG_64BIT
48008 typedef struct {
48009 long counter;
48010 } atomic64_t;
48011 +
48012 +#ifdef CONFIG_PAX_REFCOUNT
48013 +typedef struct {
48014 + long counter;
48015 +} atomic64_unchecked_t;
48016 +#else
48017 +typedef atomic64_t atomic64_unchecked_t;
48018 +#endif
48019 #endif
48020
48021 struct list_head {
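Review bot: The new `atomic_unchecked_t` and `atomic64_unchecked_t` typedefs carry no comment saying what "unchecked" means or when a counter may use them, and under `CONFIG_PAX_REFCOUNT` they are deliberately distinct struct types rather than aliases, which a reader will not understand without that context. Elsewhere in this patch the unchecked variant is applied to accounting values (`vm_stat`) and ID generators (`ip_id_count`), i.e. counters where wraparound is harmless; the typedef is where that rule should be written down, e.g. `/* Counters exempt from CONFIG_PAX_REFCOUNT overflow detection. Only for values whose wraparound is harmless (statistics, ID generators) — never for object reference counts. */` above the first `#ifdef CONFIG_PAX_REFCOUNT`. Without it, the next maintainer has no way to tell a refcount that was wrongly exempted from one that was exempted on purpose.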
48022 diff -urNp linux-2.6.37/include/linux/u64_stats_sync.h linux-2.6.37/include/linux/u64_stats_sync.h
48023 --- linux-2.6.37/include/linux/u64_stats_sync.h 2011-01-04 19:50:19.000000000 -0500
48024 +++ linux-2.6.37/include/linux/u64_stats_sync.h 2011-01-17 02:41:02.000000000 -0500
48025 @@ -67,21 +67,21 @@ struct u64_stats_sync {
48026 #endif
48027 };
48028
48029 -static void inline u64_stats_update_begin(struct u64_stats_sync *syncp)
48030 +static inline void u64_stats_update_begin(struct u64_stats_sync *syncp)
48031 {
48032 #if BITS_PER_LONG==32 && defined(CONFIG_SMP)
48033 write_seqcount_begin(&syncp->seq);
48034 #endif
48035 }
48036
48037 -static void inline u64_stats_update_end(struct u64_stats_sync *syncp)
48038 +static inline void u64_stats_update_end(struct u64_stats_sync *syncp)
48039 {
48040 #if BITS_PER_LONG==32 && defined(CONFIG_SMP)
48041 write_seqcount_end(&syncp->seq);
48042 #endif
48043 }
48044
48045 -static unsigned int inline u64_stats_fetch_begin(const struct u64_stats_sync *syncp)
48046 +static inline unsigned int u64_stats_fetch_begin(const struct u64_stats_sync *syncp)
48047 {
48048 #if BITS_PER_LONG==32 && defined(CONFIG_SMP)
48049 return read_seqcount_begin(&syncp->seq);
48050 @@ -93,7 +93,7 @@ static unsigned int inline u64_stats_fet
48051 #endif
48052 }
48053
48054 -static bool inline u64_stats_fetch_retry(const struct u64_stats_sync *syncp,
48055 +static inline bool u64_stats_fetch_retry(const struct u64_stats_sync *syncp,
48056 unsigned int start)
48057 {
48058 #if BITS_PER_LONG==32 && defined(CONFIG_SMP)
48059 @@ -112,7 +112,7 @@ static bool inline u64_stats_fetch_retry
48060 * - UP 32bit must disable BH.
48061 * - 64bit have no problem atomically reading u64 values, irq safe.
48062 */
48063 -static unsigned int inline u64_stats_fetch_begin_bh(const struct u64_stats_sync *syncp)
48064 +static inline unsigned int u64_stats_fetch_begin_bh(const struct u64_stats_sync *syncp)
48065 {
48066 #if BITS_PER_LONG==32 && defined(CONFIG_SMP)
48067 return read_seqcount_begin(&syncp->seq);
48068 @@ -124,7 +124,7 @@ static unsigned int inline u64_stats_fet
48069 #endif
48070 }
48071
48072 -static bool inline u64_stats_fetch_retry_bh(const struct u64_stats_sync *syncp,
48073 +static inline bool u64_stats_fetch_retry_bh(const struct u64_stats_sync *syncp,
48074 unsigned int start)
48075 {
48076 #if BITS_PER_LONG==32 && defined(CONFIG_SMP)
48077 diff -urNp linux-2.6.37/include/linux/uaccess.h linux-2.6.37/include/linux/uaccess.h
48078 --- linux-2.6.37/include/linux/uaccess.h 2011-01-04 19:50:19.000000000 -0500
48079 +++ linux-2.6.37/include/linux/uaccess.h 2011-01-17 02:41:02.000000000 -0500
48080 @@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
48081 long ret; \
48082 mm_segment_t old_fs = get_fs(); \
48083 \
48084 - set_fs(KERNEL_DS); \
48085 pagefault_disable(); \
48086 + set_fs(KERNEL_DS); \
48087 ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
48088 - pagefault_enable(); \
48089 set_fs(old_fs); \
48090 + pagefault_enable(); \
48091 ret; \
48092 })
48093
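Review bot: The reordering in this hunk — `pagefault_disable()` now before `set_fs(KERNEL_DS)`, and `set_fs(old_fs)` now before `pagefault_enable()` — is load-bearing but undocumented: it keeps the widened address limit strictly inside the region where page faults are disabled, so any rescheduling that `pagefault_enable()` may permit can no longer run with `KERNEL_DS` still in effect. A later cleanup could easily "restore" the upstream order, so add a comment on the `set_fs(KERNEL_DS)` line such as `/* widen the address limit only while faults are disabled; restore it before re-enabling them */`. The enclosing macro (presumably `probe_kernel_address`) begins before the hunk, so its opening lines are not visible here.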
48094 @@ -93,8 +93,8 @@ static inline unsigned long __copy_from_
48095 * Safely read from address @src to the buffer at @dst. If a kernel fault
48096 * happens, handle that and return -EFAULT.
48097 */
48098 -extern long probe_kernel_read(void *dst, void *src, size_t size);
48099 -extern long __probe_kernel_read(void *dst, void *src, size_t size);
48100 +extern long probe_kernel_read(void *dst, const void *src, size_t size);
48101 +extern long __probe_kernel_read(void *dst, const void *src, size_t size);
48102
48103 /*
48104 * probe_kernel_write(): safely attempt to write to a location
48105 @@ -105,7 +105,7 @@ extern long __probe_kernel_read(void *ds
48106 * Safely write to address @dst from the buffer at @src. If a kernel fault
48107 * happens, handle that and return -EFAULT.
48108 */
48109 -extern long notrace probe_kernel_write(void *dst, void *src, size_t size);
48110 -extern long notrace __probe_kernel_write(void *dst, void *src, size_t size);
48111 +extern long notrace probe_kernel_write(void *dst, const void *src, size_t size);
48112 +extern long notrace __probe_kernel_write(void *dst, const void *src, size_t size);
48113
48114 #endif /* __LINUX_UACCESS_H__ */
48115 diff -urNp linux-2.6.37/include/linux/unaligned/access_ok.h linux-2.6.37/include/linux/unaligned/access_ok.h
48116 --- linux-2.6.37/include/linux/unaligned/access_ok.h 2011-01-04 19:50:19.000000000 -0500
48117 +++ linux-2.6.37/include/linux/unaligned/access_ok.h 2011-01-17 02:41:02.000000000 -0500
48118 @@ -6,32 +6,32 @@
48119
48120 static inline u16 get_unaligned_le16(const void *p)
48121 {
48122 - return le16_to_cpup((__le16 *)p);
48123 + return le16_to_cpup((const __le16 *)p);
48124 }
48125
48126 static inline u32 get_unaligned_le32(const void *p)
48127 {
48128 - return le32_to_cpup((__le32 *)p);
48129 + return le32_to_cpup((const __le32 *)p);
48130 }
48131
48132 static inline u64 get_unaligned_le64(const void *p)
48133 {
48134 - return le64_to_cpup((__le64 *)p);
48135 + return le64_to_cpup((const __le64 *)p);
48136 }
48137
48138 static inline u16 get_unaligned_be16(const void *p)
48139 {
48140 - return be16_to_cpup((__be16 *)p);
48141 + return be16_to_cpup((const __be16 *)p);
48142 }
48143
48144 static inline u32 get_unaligned_be32(const void *p)
48145 {
48146 - return be32_to_cpup((__be32 *)p);
48147 + return be32_to_cpup((const __be32 *)p);
48148 }
48149
48150 static inline u64 get_unaligned_be64(const void *p)
48151 {
48152 - return be64_to_cpup((__be64 *)p);
48153 + return be64_to_cpup((const __be64 *)p);
48154 }
48155
48156 static inline void put_unaligned_le16(u16 val, void *p)
48157 diff -urNp linux-2.6.37/include/linux/usb/hcd.h linux-2.6.37/include/linux/usb/hcd.h
48158 --- linux-2.6.37/include/linux/usb/hcd.h 2011-01-04 19:50:19.000000000 -0500
48159 +++ linux-2.6.37/include/linux/usb/hcd.h 2011-01-17 02:41:02.000000000 -0500
48160 @@ -580,7 +580,7 @@ struct usb_mon_operations {
48161 /* void (*urb_unlink)(struct usb_bus *bus, struct urb *urb); */
48162 };
48163
48164 -extern struct usb_mon_operations *mon_ops;
48165 +extern const struct usb_mon_operations *mon_ops;
48166
48167 static inline void usbmon_urb_submit(struct usb_bus *bus, struct urb *urb)
48168 {
48169 @@ -602,7 +602,7 @@ static inline void usbmon_urb_complete(s
48170 (*mon_ops->urb_complete)(bus, urb, status);
48171 }
48172
48173 -int usb_mon_register(struct usb_mon_operations *ops);
48174 +int usb_mon_register(const struct usb_mon_operations *ops);
48175 void usb_mon_deregister(void);
48176
48177 #else
48178 diff -urNp linux-2.6.37/include/linux/vmalloc.h linux-2.6.37/include/linux/vmalloc.h
48179 --- linux-2.6.37/include/linux/vmalloc.h 2011-01-04 19:50:19.000000000 -0500
48180 +++ linux-2.6.37/include/linux/vmalloc.h 2011-01-17 02:41:02.000000000 -0500
48181 @@ -13,6 +13,11 @@ struct vm_area_struct; /* vma defining
48182 #define VM_MAP 0x00000004 /* vmap()ed pages */
48183 #define VM_USERMAP 0x00000008 /* suitable for remap_vmalloc_range */
48184 #define VM_VPAGES 0x00000010 /* buffer for pages was vmalloc'ed */
48185 +
48186 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
48187 +#define VM_KERNEXEC 0x00000020 /* allocate from executable kernel memory range */
48188 +#endif
48189 +
48190 /* bits [20..32] reserved for arch specific ioremap internals */
48191
48192 /*
48193 @@ -125,4 +130,103 @@ struct vm_struct **pcpu_get_vm_areas(con
48194 void pcpu_free_vm_areas(struct vm_struct **vms, int nr_vms);
48195 #endif
48196
48197 +#define vmalloc(x) \
48198 +({ \
48199 + void *___retval; \
48200 + intoverflow_t ___x = (intoverflow_t)x; \
48201 + if (WARN(___x > ULONG_MAX, "vmalloc size overflow\n")) \
48202 + ___retval = NULL; \
48203 + else \
48204 + ___retval = vmalloc((unsigned long)___x); \
48205 + ___retval; \
48206 +})
48207 +
48208 +#define vzalloc(x) \
48209 +({ \
48210 + void *___retval; \
48211 + intoverflow_t ___x = (intoverflow_t)x; \
48212 + if (WARN(___x > ULONG_MAX, "vzalloc size overflow\n")) \
48213 + ___retval = NULL; \
48214 + else \
48215 + ___retval = vzalloc((unsigned long)___x); \
48216 + ___retval; \
48217 +})
48218 +
48219 +#define __vmalloc(x, y, z) \
48220 +({ \
48221 + void *___retval; \
48222 + intoverflow_t ___x = (intoverflow_t)x; \
48223 + if (WARN(___x > ULONG_MAX, "__vmalloc size overflow\n"))\
48224 + ___retval = NULL; \
48225 + else \
48226 + ___retval = __vmalloc((unsigned long)___x, (y), (z));\
48227 + ___retval; \
48228 +})
48229 +
48230 +#define vmalloc_user(x) \
48231 +({ \
48232 + void *___retval; \
48233 + intoverflow_t ___x = (intoverflow_t)x; \
48234 + if (WARN(___x > ULONG_MAX, "vmalloc_user size overflow\n"))\
48235 + ___retval = NULL; \
48236 + else \
48237 + ___retval = vmalloc_user((unsigned long)___x); \
48238 + ___retval; \
48239 +})
48240 +
48241 +#define vmalloc_exec(x) \
48242 +({ \
48243 + void *___retval; \
48244 + intoverflow_t ___x = (intoverflow_t)x; \
48245 + if (WARN(___x > ULONG_MAX, "vmalloc_exec size overflow\n"))\
48246 + ___retval = NULL; \
48247 + else \
48248 + ___retval = vmalloc_exec((unsigned long)___x); \
48249 + ___retval; \
48250 +})
48251 +
48252 +#define vmalloc_node(x, y) \
48253 +({ \
48254 + void *___retval; \
48255 + intoverflow_t ___x = (intoverflow_t)x; \
48256 + if (WARN(___x > ULONG_MAX, "vmalloc_node size overflow\n"))\
48257 + ___retval = NULL; \
48258 + else \
48259 + ___retval = vmalloc_node((unsigned long)___x, (y));\
48260 + ___retval; \
48261 +})
48262 +
48263 +#define vzalloc_node(x, y) \
48264 +({ \
48265 + void *___retval; \
48266 + intoverflow_t ___x = (intoverflow_t)x; \
48267 + if (WARN(___x > ULONG_MAX, "vzalloc_node size overflow\n"))\
48268 + ___retval = NULL; \
48269 + else \
48270 + ___retval = vzalloc_node((unsigned long)___x, (y));\
48271 + ___retval; \
48272 +})
48273 +
48274 +#define vmalloc_32(x) \
48275 +({ \
48276 + void *___retval; \
48277 + intoverflow_t ___x = (intoverflow_t)x; \
48278 + if (WARN(___x > ULONG_MAX, "vmalloc_32 size overflow\n"))\
48279 + ___retval = NULL; \
48280 + else \
48281 + ___retval = vmalloc_32((unsigned long)___x); \
48282 + ___retval; \
48283 +})
48284 +
48285 +#define vmalloc_32_user(x) \
48286 +({ \
48287 +void *___retval; \
48288 + intoverflow_t ___x = (intoverflow_t)x; \
48289 + if (WARN(___x > ULONG_MAX, "vmalloc_32_user size overflow\n"))\
48290 + ___retval = NULL; \
48291 + else \
48292 + ___retval = vmalloc_32_user((unsigned long)___x);\
48293 + ___retval; \
48294 +})
48295 +
48296 #endif /* _LINUX_VMALLOC_H */
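Review bot: In each of the nine wrapper macros the size argument is cast without parentheses, `intoverflow_t ___x = (intoverflow_t)x;`, so the cast binds only to the leading operand of whatever expression the caller passes: for `vmalloc(n * size)` the product is evaluated in `intoverflow_t`, but for `vmalloc(hdr + n * size)` the `n * size` part is still evaluated in the caller's type and can wrap before the `___x > ULONG_MAX` check sees it. Whether this reliance on precedence is deliberate cannot be told from the hunk; if it is, say so once above the first macro, e.g. `/* cast deliberately unparenthesized: the leading operand is widened so the caller's arithmetic is carried out in intoverflow_t */`, and if it is not, write `(intoverflow_t)(x)` throughout, bearing in mind that the parenthesized form only catches callers that already compute the size in a wide type. The nine bodies differ only in the wrapped name, its extra arguments and the warning text, and could be generated from one helper macro, which would also remove the drift already visible in `vmalloc_32_user`, where `void *___retval;` lost its indentation. The `___retval`/`___x` names are reserved identifiers (leading underscores), which is common kernel practice but worth keeping consistent with the rest of the file.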
48297 diff -urNp linux-2.6.37/include/linux/vmstat.h linux-2.6.37/include/linux/vmstat.h
48298 --- linux-2.6.37/include/linux/vmstat.h 2011-01-04 19:50:19.000000000 -0500
48299 +++ linux-2.6.37/include/linux/vmstat.h 2011-01-17 02:41:02.000000000 -0500
48300 @@ -140,18 +140,18 @@ static inline void vm_events_fold_cpu(in
48301 /*
48302 * Zone based page accounting with per cpu differentials.
48303 */
48304 -extern atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
48305 +extern atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
48306
48307 static inline void zone_page_state_add(long x, struct zone *zone,
48308 enum zone_stat_item item)
48309 {
48310 - atomic_long_add(x, &zone->vm_stat[item]);
48311 - atomic_long_add(x, &vm_stat[item]);
48312 + atomic_long_add_unchecked(x, &zone->vm_stat[item]);
48313 + atomic_long_add_unchecked(x, &vm_stat[item]);
48314 }
48315
48316 static inline unsigned long global_page_state(enum zone_stat_item item)
48317 {
48318 - long x = atomic_long_read(&vm_stat[item]);
48319 + long x = atomic_long_read_unchecked(&vm_stat[item]);
48320 #ifdef CONFIG_SMP
48321 if (x < 0)
48322 x = 0;
48323 @@ -162,7 +162,7 @@ static inline unsigned long global_page_
48324 static inline unsigned long zone_page_state(struct zone *zone,
48325 enum zone_stat_item item)
48326 {
48327 - long x = atomic_long_read(&zone->vm_stat[item]);
48328 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
48329 #ifdef CONFIG_SMP
48330 if (x < 0)
48331 x = 0;
48332 @@ -179,7 +179,7 @@ static inline unsigned long zone_page_st
48333 static inline unsigned long zone_page_state_snapshot(struct zone *zone,
48334 enum zone_stat_item item)
48335 {
48336 - long x = atomic_long_read(&zone->vm_stat[item]);
48337 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
48338
48339 #ifdef CONFIG_SMP
48340 int cpu;
48341 @@ -268,8 +268,8 @@ static inline void __mod_zone_page_state
48342
48343 static inline void __inc_zone_state(struct zone *zone, enum zone_stat_item item)
48344 {
48345 - atomic_long_inc(&zone->vm_stat[item]);
48346 - atomic_long_inc(&vm_stat[item]);
48347 + atomic_long_inc_unchecked(&zone->vm_stat[item]);
48348 + atomic_long_inc_unchecked(&vm_stat[item]);
48349 }
48350
48351 static inline void __inc_zone_page_state(struct page *page,
48352 @@ -280,8 +280,8 @@ static inline void __inc_zone_page_state
48353
48354 static inline void __dec_zone_state(struct zone *zone, enum zone_stat_item item)
48355 {
48356 - atomic_long_dec(&zone->vm_stat[item]);
48357 - atomic_long_dec(&vm_stat[item]);
48358 + atomic_long_dec_unchecked(&zone->vm_stat[item]);
48359 + atomic_long_dec_unchecked(&vm_stat[item]);
48360 }
48361
48362 static inline void __dec_zone_page_state(struct page *page,
48363 diff -urNp linux-2.6.37/include/net/inetpeer.h linux-2.6.37/include/net/inetpeer.h
48364 --- linux-2.6.37/include/net/inetpeer.h 2011-01-04 19:50:19.000000000 -0500
48365 +++ linux-2.6.37/include/net/inetpeer.h 2011-01-17 02:41:02.000000000 -0500
48366 @@ -30,8 +30,8 @@ struct inet_peer {
48367 */
48368 union {
48369 struct {
48370 - atomic_t rid; /* Frag reception counter */
48371 - atomic_t ip_id_count; /* IP ID for the next packet */
48372 + atomic_unchecked_t rid; /* Frag reception counter */
48373 + atomic_unchecked_t ip_id_count; /* IP ID for the next packet */
48374 __u32 tcp_ts;
48375 __u32 tcp_ts_stamp;
48376 };
48377 @@ -62,7 +62,7 @@ static inline __u16 inet_getid(struct in
48378 {
48379 more++;
48380 inet_peer_refcheck(p);
48381 - return atomic_add_return(more, &p->ip_id_count) - more;
48382 + return atomic_add_return_unchecked(more, &p->ip_id_count) - more;
48383 }
48384
48385 #endif /* _NET_INETPEER_H */
48386 diff -urNp linux-2.6.37/include/net/irda/ircomm_tty.h linux-2.6.37/include/net/irda/ircomm_tty.h
48387 --- linux-2.6.37/include/net/irda/ircomm_tty.h 2011-01-04 19:50:19.000000000 -0500
48388 +++ linux-2.6.37/include/net/irda/ircomm_tty.h 2011-01-17 02:41:02.000000000 -0500
48389 @@ -105,8 +105,8 @@ struct ircomm_tty_cb {
48390 unsigned short close_delay;
48391 unsigned short closing_wait; /* time to wait before closing */
48392
48393 - int open_count;
48394 - int blocked_open; /* # of blocked opens */
48395 + atomic_t open_count;
48396 + atomic_t blocked_open; /* # of blocked opens */
48397
48398 /* Protect concurent access to :
48399 * o self->open_count
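Review bot: The comment beginning on the hunk's last lines, `Protect concurent access to : o self->open_count`, still describes `open_count` as lock-protected, while the field is now an `atomic_t`; that comment continues outside the hunk and should be updated to say which accesses now rely on the atomic type and which still need the lock, otherwise a later reader may drop one or the other. Converting the field alone does not make read-modify-write sequences on it atomic, so the callers (outside this hunk) need checking for patterns like `if (open_count == 0) ... open_count++`. The `struct ircomm_tty_cb` definition also begins before the hunk.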
48400 diff -urNp linux-2.6.37/include/net/neighbour.h linux-2.6.37/include/net/neighbour.h
48401 --- linux-2.6.37/include/net/neighbour.h 2011-01-04 19:50:19.000000000 -0500
48402 +++ linux-2.6.37/include/net/neighbour.h 2011-01-17 02:41:02.000000000 -0500
48403 @@ -118,12 +118,12 @@ struct neighbour {
48404
48405 struct neigh_ops {
48406 int family;
48407 - void (*solicit)(struct neighbour *, struct sk_buff*);
48408 - void (*error_report)(struct neighbour *, struct sk_buff*);
48409 - int (*output)(struct sk_buff*);
48410 - int (*connected_output)(struct sk_buff*);
48411 - int (*hh_output)(struct sk_buff*);
48412 - int (*queue_xmit)(struct sk_buff*);
48413 + void (* const solicit)(struct neighbour *, struct sk_buff*);
48414 + void (* const error_report)(struct neighbour *, struct sk_buff*);
48415 + int (* const output)(struct sk_buff*);
48416 + int (* const connected_output)(struct sk_buff*);
48417 + int (* const hh_output)(struct sk_buff*);
48418 + int (* const queue_xmit)(struct sk_buff*);
48419 };
48420
48421 struct pneigh_entry {
48422 diff -urNp linux-2.6.37/include/net/netlink.h linux-2.6.37/include/net/netlink.h
48423 --- linux-2.6.37/include/net/netlink.h 2011-01-04 19:50:19.000000000 -0500
48424 +++ linux-2.6.37/include/net/netlink.h 2011-01-17 02:41:02.000000000 -0500
48425 @@ -558,7 +558,7 @@ static inline void *nlmsg_get_pos(struct
48426 static inline void nlmsg_trim(struct sk_buff *skb, const void *mark)
48427 {
48428 if (mark)
48429 - skb_trim(skb, (unsigned char *) mark - skb->data);
48430 + skb_trim(skb, (const unsigned char *) mark - skb->data);
48431 }
48432
48433 /**
48434 diff -urNp linux-2.6.37/include/net/sctp/sctp.h linux-2.6.37/include/net/sctp/sctp.h
48435 --- linux-2.6.37/include/net/sctp/sctp.h 2011-01-04 19:50:19.000000000 -0500
48436 +++ linux-2.6.37/include/net/sctp/sctp.h 2011-01-17 02:41:02.000000000 -0500
48437 @@ -316,9 +316,9 @@ do { \
48438
48439 #else /* SCTP_DEBUG */
48440
48441 -#define SCTP_DEBUG_PRINTK(whatever...)
48442 -#define SCTP_DEBUG_PRINTK_CONT(fmt, args...)
48443 -#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
48444 +#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
48445 +#define SCTP_DEBUG_PRINTK_CONT(fmt, args...) do {} while (0)
48446 +#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
48447 #define SCTP_ENABLE_DEBUG
48448 #define SCTP_DISABLE_DEBUG
48449 #define SCTP_ASSERT(expr, str, func)
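Review bot: `SCTP_ASSERT(expr, str, func)` on the hunk's last line keeps the bare empty expansion that the three `SCTP_DEBUG_PRINTK*` macros just lost, so a statement such as `if (c) SCTP_ASSERT(...); else ...` still parses differently with and without `SCTP_DEBUG`. For consistency give it the same statement-shaped body: `#define SCTP_ASSERT(expr, str, func) do {} while (0)`.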
48450 diff -urNp linux-2.6.37/include/net/tcp.h linux-2.6.37/include/net/tcp.h
48451 --- linux-2.6.37/include/net/tcp.h 2011-01-04 19:50:19.000000000 -0500
48452 +++ linux-2.6.37/include/net/tcp.h 2011-01-17 02:41:02.000000000 -0500
48453 @@ -1380,6 +1380,7 @@ enum tcp_seq_states {
48454 struct tcp_seq_afinfo {
48455 char *name;
48456 sa_family_t family;
48457 + /* cannot be const */
48458 struct file_operations seq_fops;
48459 struct seq_operations seq_ops;
48460 };
48461 diff -urNp linux-2.6.37/include/net/udp.h linux-2.6.37/include/net/udp.h
48462 --- linux-2.6.37/include/net/udp.h 2011-01-04 19:50:19.000000000 -0500
48463 +++ linux-2.6.37/include/net/udp.h 2011-01-17 02:41:02.000000000 -0500
48464 @@ -223,6 +223,7 @@ struct udp_seq_afinfo {
48465 char *name;
48466 sa_family_t family;
48467 struct udp_table *udp_table;
48468 + /* cannot be const */
48469 struct file_operations seq_fops;
48470 struct seq_operations seq_ops;
48471 };
48472 diff -urNp linux-2.6.37/include/sound/ac97_codec.h linux-2.6.37/include/sound/ac97_codec.h
48473 --- linux-2.6.37/include/sound/ac97_codec.h 2011-01-04 19:50:19.000000000 -0500
48474 +++ linux-2.6.37/include/sound/ac97_codec.h 2011-01-17 02:41:02.000000000 -0500
48475 @@ -419,15 +419,15 @@
48476 struct snd_ac97;
48477
48478 struct snd_ac97_build_ops {
48479 - int (*build_3d) (struct snd_ac97 *ac97);
48480 - int (*build_specific) (struct snd_ac97 *ac97);
48481 - int (*build_spdif) (struct snd_ac97 *ac97);
48482 - int (*build_post_spdif) (struct snd_ac97 *ac97);
48483 + int (* const build_3d) (struct snd_ac97 *ac97);
48484 + int (* const build_specific) (struct snd_ac97 *ac97);
48485 + int (* const build_spdif) (struct snd_ac97 *ac97);
48486 + int (* const build_post_spdif) (struct snd_ac97 *ac97);
48487 #ifdef CONFIG_PM
48488 - void (*suspend) (struct snd_ac97 *ac97);
48489 - void (*resume) (struct snd_ac97 *ac97);
48490 + void (* const suspend) (struct snd_ac97 *ac97);
48491 + void (* const resume) (struct snd_ac97 *ac97);
48492 #endif
48493 - void (*update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
48494 + void (* const update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
48495 };
48496
48497 struct snd_ac97_bus_ops {
48498 @@ -477,7 +477,7 @@ struct snd_ac97_template {
48499
48500 struct snd_ac97 {
48501 /* -- lowlevel (hardware) driver specific -- */
48502 - struct snd_ac97_build_ops * build_ops;
48503 + const struct snd_ac97_build_ops * build_ops;
48504 void *private_data;
48505 void (*private_free) (struct snd_ac97 *ac97);
48506 /* --- */
48507 diff -urNp linux-2.6.37/include/trace/events/irq.h linux-2.6.37/include/trace/events/irq.h
48508 --- linux-2.6.37/include/trace/events/irq.h 2011-01-04 19:50:19.000000000 -0500
48509 +++ linux-2.6.37/include/trace/events/irq.h 2011-01-17 02:41:02.000000000 -0500
48510 @@ -36,7 +36,7 @@ struct softirq_action;
48511 */
48512 TRACE_EVENT(irq_handler_entry,
48513
48514 - TP_PROTO(int irq, struct irqaction *action),
48515 + TP_PROTO(int irq, const struct irqaction *action),
48516
48517 TP_ARGS(irq, action),
48518
48519 @@ -66,7 +66,7 @@ TRACE_EVENT(irq_handler_entry,
48520 */
48521 TRACE_EVENT(irq_handler_exit,
48522
48523 - TP_PROTO(int irq, struct irqaction *action, int ret),
48524 + TP_PROTO(int irq, const struct irqaction *action, int ret),
48525
48526 TP_ARGS(irq, action, ret),
48527
48528 diff -urNp linux-2.6.37/include/video/uvesafb.h linux-2.6.37/include/video/uvesafb.h
48529 --- linux-2.6.37/include/video/uvesafb.h 2011-01-04 19:50:19.000000000 -0500
48530 +++ linux-2.6.37/include/video/uvesafb.h 2011-01-17 02:41:02.000000000 -0500
48531 @@ -177,6 +177,7 @@ struct uvesafb_par {
48532 u8 ypan; /* 0 - nothing, 1 - ypan, 2 - ywrap */
48533 u8 pmi_setpal; /* PMI for palette changes */
48534 u16 *pmi_base; /* protected mode interface location */
48535 + u8 *pmi_code; /* protected mode code location */
48536 void *pmi_start;
48537 void *pmi_pal;
48538 u8 *vbe_state_orig; /*
48539 diff -urNp linux-2.6.37/init/do_mounts.c linux-2.6.37/init/do_mounts.c
48540 --- linux-2.6.37/init/do_mounts.c 2011-01-04 19:50:19.000000000 -0500
48541 +++ linux-2.6.37/init/do_mounts.c 2011-01-17 02:41:02.000000000 -0500
48542 @@ -287,7 +287,7 @@ static void __init get_fs_names(char *pa
48543
48544 static int __init do_mount_root(char *name, char *fs, int flags, void *data)
48545 {
48546 - int err = sys_mount(name, "/root", fs, flags, data);
48547 + int err = sys_mount((__force char __user *)name, (__force char __user *)"/root", (__force char __user *)fs, flags, (__force void __user *)data);
48548 if (err)
48549 return err;
48550
48551 @@ -382,18 +382,18 @@ void __init change_floppy(char *fmt, ...
48552 va_start(args, fmt);
48553 vsprintf(buf, fmt, args);
48554 va_end(args);
48555 - fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
48556 + fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
48557 if (fd >= 0) {
48558 sys_ioctl(fd, FDEJECT, 0);
48559 sys_close(fd);
48560 }
48561 printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
48562 - fd = sys_open("/dev/console", O_RDWR, 0);
48563 + fd = sys_open((__force const char __user *)"/dev/console", O_RDWR, 0);
48564 if (fd >= 0) {
48565 sys_ioctl(fd, TCGETS, (long)&termios);
48566 termios.c_lflag &= ~ICANON;
48567 sys_ioctl(fd, TCSETSF, (long)&termios);
48568 - sys_read(fd, &c, 1);
48569 + sys_read(fd, (char __user *)&c, 1);
48570 termios.c_lflag |= ICANON;
48571 sys_ioctl(fd, TCSETSF, (long)&termios);
48572 sys_close(fd);
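Review bot: The casts in this hunk are inconsistent: `sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0)` and `sys_read(fd, (char __user *)&c, 1)` omit `__force`, while `sys_open((__force const char __user *)"/dev/console", O_RDWR, 0)` a few lines later has it. Without `__force`, sparse still reports the address-space conversion, which defeats the purpose of adding the cast at all; use `(__force const char __user *)"/dev/root"` and `(__force char __user *)&c` to match the rest of the file. `change_floppy` begins before the hunk.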
48573 @@ -487,6 +487,6 @@ void __init prepare_namespace(void)
48574 mount_root();
48575 out:
48576 devtmpfs_mount("dev");
48577 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
48578 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
48579 sys_chroot((const char __user __force *)".");
48580 }
48581 diff -urNp linux-2.6.37/init/do_mounts.h linux-2.6.37/init/do_mounts.h
48582 --- linux-2.6.37/init/do_mounts.h 2011-01-04 19:50:19.000000000 -0500
48583 +++ linux-2.6.37/init/do_mounts.h 2011-01-17 02:41:02.000000000 -0500
48584 @@ -15,15 +15,15 @@ extern int root_mountflags;
48585
48586 static inline int create_dev(char *name, dev_t dev)
48587 {
48588 - sys_unlink(name);
48589 - return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
48590 + sys_unlink((__force char __user *)name);
48591 + return sys_mknod((__force char __user *)name, S_IFBLK|0600, new_encode_dev(dev));
48592 }
48593
48594 #if BITS_PER_LONG == 32
48595 static inline u32 bstat(char *name)
48596 {
48597 struct stat64 stat;
48598 - if (sys_stat64(name, &stat) != 0)
48599 + if (sys_stat64((__force char __user *)name, (__force struct stat64 __user *)&stat) != 0)
48600 return 0;
48601 if (!S_ISBLK(stat.st_mode))
48602 return 0;
48603 diff -urNp linux-2.6.37/init/do_mounts_initrd.c linux-2.6.37/init/do_mounts_initrd.c
48604 --- linux-2.6.37/init/do_mounts_initrd.c 2011-01-04 19:50:19.000000000 -0500
48605 +++ linux-2.6.37/init/do_mounts_initrd.c 2011-01-17 02:41:02.000000000 -0500
48606 @@ -44,13 +44,13 @@ static void __init handle_initrd(void)
48607 create_dev("/dev/root.old", Root_RAM0);
48608 /* mount initrd on rootfs' /root */
48609 mount_block_root("/dev/root.old", root_mountflags & ~MS_RDONLY);
48610 - sys_mkdir("/old", 0700);
48611 - root_fd = sys_open("/", 0, 0);
48612 - old_fd = sys_open("/old", 0, 0);
48613 + sys_mkdir((__force const char __user *)"/old", 0700);
48614 + root_fd = sys_open((__force const char __user *)"/", 0, 0);
48615 + old_fd = sys_open((__force const char __user *)"/old", 0, 0);
48616 /* move initrd over / and chdir/chroot in initrd root */
48617 - sys_chdir("/root");
48618 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
48619 - sys_chroot(".");
48620 + sys_chdir((__force const char __user *)"/root");
48621 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
48622 + sys_chroot((__force const char __user *)".");
48623
48624 /*
48625 * In case that a resume from disk is carried out by linuxrc or one of
48626 @@ -67,15 +67,15 @@ static void __init handle_initrd(void)
48627
48628 /* move initrd to rootfs' /old */
48629 sys_fchdir(old_fd);
48630 - sys_mount("/", ".", NULL, MS_MOVE, NULL);
48631 + sys_mount((__force char __user *)"/", (__force char __user *)".", NULL, MS_MOVE, NULL);
48632 /* switch root and cwd back to / of rootfs */
48633 sys_fchdir(root_fd);
48634 - sys_chroot(".");
48635 + sys_chroot((__force const char __user *)".");
48636 sys_close(old_fd);
48637 sys_close(root_fd);
48638
48639 if (new_decode_dev(real_root_dev) == Root_RAM0) {
48640 - sys_chdir("/old");
48641 + sys_chdir((__force const char __user *)"/old");
48642 return;
48643 }
48644
48645 @@ -83,17 +83,17 @@ static void __init handle_initrd(void)
48646 mount_root();
48647
48648 printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
48649 - error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
48650 + error = sys_mount((__force char __user *)"/old", (__force char __user *)"/root/initrd", NULL, MS_MOVE, NULL);
48651 if (!error)
48652 printk("okay\n");
48653 else {
48654 - int fd = sys_open("/dev/root.old", O_RDWR, 0);
48655 + int fd = sys_open((__force const char __user *)"/dev/root.old", O_RDWR, 0);
48656 if (error == -ENOENT)
48657 printk("/initrd does not exist. Ignored.\n");
48658 else
48659 printk("failed\n");
48660 printk(KERN_NOTICE "Unmounting old root\n");
48661 - sys_umount("/old", MNT_DETACH);
48662 + sys_umount((__force char __user *)"/old", MNT_DETACH);
48663 printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
48664 if (fd < 0) {
48665 error = fd;
48666 @@ -116,11 +116,11 @@ int __init initrd_load(void)
48667 * mounted in the normal path.
48668 */
48669 if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
48670 - sys_unlink("/initrd.image");
48671 + sys_unlink((__force const char __user *)"/initrd.image");
48672 handle_initrd();
48673 return 1;
48674 }
48675 }
48676 - sys_unlink("/initrd.image");
48677 + sys_unlink((__force const char __user *)"/initrd.image");
48678 return 0;
48679 }
48680 diff -urNp linux-2.6.37/init/do_mounts_md.c linux-2.6.37/init/do_mounts_md.c
48681 --- linux-2.6.37/init/do_mounts_md.c 2011-01-04 19:50:19.000000000 -0500
48682 +++ linux-2.6.37/init/do_mounts_md.c 2011-01-17 02:41:02.000000000 -0500
48683 @@ -170,7 +170,7 @@ static void __init md_setup_drive(void)
48684 partitioned ? "_d" : "", minor,
48685 md_setup_args[ent].device_names);
48686
48687 - fd = sys_open(name, 0, 0);
48688 + fd = sys_open((__force char __user *)name, 0, 0);
48689 if (fd < 0) {
48690 printk(KERN_ERR "md: open failed - cannot start "
48691 "array %s\n", name);
48692 @@ -233,7 +233,7 @@ static void __init md_setup_drive(void)
48693 * array without it
48694 */
48695 sys_close(fd);
48696 - fd = sys_open(name, 0, 0);
48697 + fd = sys_open((__force char __user *)name, 0, 0);
48698 sys_ioctl(fd, BLKRRPART, 0);
48699 }
48700 sys_close(fd);
48701 diff -urNp linux-2.6.37/init/initramfs.c linux-2.6.37/init/initramfs.c
48702 --- linux-2.6.37/init/initramfs.c 2011-01-04 19:50:19.000000000 -0500
48703 +++ linux-2.6.37/init/initramfs.c 2011-01-17 02:41:02.000000000 -0500
48704 @@ -74,7 +74,7 @@ static void __init free_hash(void)
48705 }
48706 }
48707
48708 -static long __init do_utime(char __user *filename, time_t mtime)
48709 +static long __init do_utime(__force char __user *filename, time_t mtime)
48710 {
48711 struct timespec t[2];
48712
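Review bot: `__force` is placed on the parameter declaration, `do_utime(__force char __user *filename, time_t mtime)`, rather than on a cast; sparse's `__force` annotation is meant to silence an address-space conversion at the point where the cast happens, and every caller in this patch already casts at the call site (`do_utime((__force char __user *)de->name, …)` in the next hunk, and the `do_name`, `do_copy` and `do_symlink` hunks), so the qualifier on the prototype is presumably redundant and may not do what the author intended. Either keep the parameter as plain `char __user *filename` and rely on the call-site casts, or — since every visible caller passes a kernel pointer — declare it `char *filename` and perform the single `__force` cast inside the function where the name is handed to the syscall. The function body continues outside the hunk.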
48713 @@ -109,7 +109,7 @@ static void __init dir_utime(void)
48714 struct dir_entry *de, *tmp;
48715 list_for_each_entry_safe(de, tmp, &dir_list, list) {
48716 list_del(&de->list);
48717 - do_utime(de->name, de->mtime);
48718 + do_utime((__force char __user *)de->name, de->mtime);
48719 kfree(de->name);
48720 kfree(de);
48721 }
48722 @@ -271,7 +271,7 @@ static int __init maybe_link(void)
48723 if (nlink >= 2) {
48724 char *old = find_link(major, minor, ino, mode, collected);
48725 if (old)
48726 - return (sys_link(old, collected) < 0) ? -1 : 1;
48727 + return (sys_link((__force char __user *)old, (__force char __user *)collected) < 0) ? -1 : 1;
48728 }
48729 return 0;
48730 }
48731 @@ -280,11 +280,11 @@ static void __init clean_path(char *path
48732 {
48733 struct stat st;
48734
48735 - if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
48736 + if (!sys_newlstat((__force char __user *)path, (__force struct stat __user *)&st) && (st.st_mode^mode) & S_IFMT) {
48737 if (S_ISDIR(st.st_mode))
48738 - sys_rmdir(path);
48739 + sys_rmdir((__force char __user *)path);
48740 else
48741 - sys_unlink(path);
48742 + sys_unlink((__force char __user *)path);
48743 }
48744 }
48745
48746 @@ -305,7 +305,7 @@ static int __init do_name(void)
48747 int openflags = O_WRONLY|O_CREAT;
48748 if (ml != 1)
48749 openflags |= O_TRUNC;
48750 - wfd = sys_open(collected, openflags, mode);
48751 + wfd = sys_open((__force char __user *)collected, openflags, mode);
48752
48753 if (wfd >= 0) {
48754 sys_fchown(wfd, uid, gid);
48755 @@ -317,17 +317,17 @@ static int __init do_name(void)
48756 }
48757 }
48758 } else if (S_ISDIR(mode)) {
48759 - sys_mkdir(collected, mode);
48760 - sys_chown(collected, uid, gid);
48761 - sys_chmod(collected, mode);
48762 + sys_mkdir((__force char __user *)collected, mode);
48763 + sys_chown((__force char __user *)collected, uid, gid);
48764 + sys_chmod((__force char __user *)collected, mode);
48765 dir_add(collected, mtime);
48766 } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
48767 S_ISFIFO(mode) || S_ISSOCK(mode)) {
48768 if (maybe_link() == 0) {
48769 - sys_mknod(collected, mode, rdev);
48770 - sys_chown(collected, uid, gid);
48771 - sys_chmod(collected, mode);
48772 - do_utime(collected, mtime);
48773 + sys_mknod((__force char __user *)collected, mode, rdev);
48774 + sys_chown((__force char __user *)collected, uid, gid);
48775 + sys_chmod((__force char __user *)collected, mode);
48776 + do_utime((__force char __user *)collected, mtime);
48777 }
48778 }
48779 return 0;
48780 @@ -336,15 +336,15 @@ static int __init do_name(void)
48781 static int __init do_copy(void)
48782 {
48783 if (count >= body_len) {
48784 - sys_write(wfd, victim, body_len);
48785 + sys_write(wfd, (__force char __user *)victim, body_len);
48786 sys_close(wfd);
48787 - do_utime(vcollected, mtime);
48788 + do_utime((__force char __user *)vcollected, mtime);
48789 kfree(vcollected);
48790 eat(body_len);
48791 state = SkipIt;
48792 return 0;
48793 } else {
48794 - sys_write(wfd, victim, count);
48795 + sys_write(wfd, (__force char __user *)victim, count);
48796 body_len -= count;
48797 eat(count);
48798 return 1;
48799 @@ -355,9 +355,9 @@ static int __init do_symlink(void)
48800 {
48801 collected[N_ALIGN(name_len) + body_len] = '\0';
48802 clean_path(collected, 0);
48803 - sys_symlink(collected + N_ALIGN(name_len), collected);
48804 - sys_lchown(collected, uid, gid);
48805 - do_utime(collected, mtime);
48806 + sys_symlink((__force char __user *)collected + N_ALIGN(name_len), (__force char __user *)collected);
48807 + sys_lchown((__force char __user *)collected, uid, gid);
48808 + do_utime((__force char __user *)collected, mtime);
48809 state = SkipIt;
48810 next_state = Reset;
48811 return 0;
48812 diff -urNp linux-2.6.37/init/Kconfig linux-2.6.37/init/Kconfig
48813 --- linux-2.6.37/init/Kconfig 2011-01-04 19:50:19.000000000 -0500
48814 +++ linux-2.6.37/init/Kconfig 2011-01-17 02:41:02.000000000 -0500
48815 @@ -1108,7 +1108,7 @@ config SLUB_DEBUG
48816
48817 config COMPAT_BRK
48818 bool "Disable heap randomization"
48819 - default y
48820 + default n
48821 help
48822 Randomizing heap placement makes heap exploits harder, but it
48823 also breaks ancient binaries (including anything libc5 based).
48824 diff -urNp linux-2.6.37/init/main.c linux-2.6.37/init/main.c
48825 --- linux-2.6.37/init/main.c 2011-01-04 19:50:19.000000000 -0500
48826 +++ linux-2.6.37/init/main.c 2011-01-17 02:41:02.000000000 -0500
48827 @@ -94,6 +94,7 @@ static inline void mark_rodata_ro(void)
48828 #ifdef CONFIG_TC
48829 extern void tc_init(void);
48830 #endif
48831 +extern void grsecurity_init(void);
48832
48833 enum system_states system_state __read_mostly;
48834 EXPORT_SYMBOL(system_state);
48835 @@ -196,6 +197,47 @@ static int __init set_reset_devices(char
48836
48837 __setup("reset_devices", set_reset_devices);
48838
48839 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
48840 +extern char pax_enter_kernel_user[];
48841 +extern char pax_exit_kernel_user[];
48842 +extern pgdval_t clone_pgd_mask;
48843 +#endif
48844 +
48845 +#if defined(CONFIG_X86) && defined(CONFIG_PAX_MEMORY_UDEREF)
48846 +static int __init setup_pax_nouderef(char *str)
48847 +{
48848 +#ifdef CONFIG_X86_32
48849 + unsigned int cpu;
48850 +
48851 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
48852 + get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_DS].type = 3;
48853 + get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_DS].limit = 0xf;
48854 + get_cpu_gdt_table(cpu)[GDT_ENTRY_DEFAULT_USER_CS].limit = 0xf;
48855 + get_cpu_gdt_table(cpu)[GDT_ENTRY_DEFAULT_USER_DS].limit = 0xf;
48856 + }
48857 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
48858 +#else
48859 + memcpy(pax_enter_kernel_user, (unsigned char []){0xc3}, 1);
48860 + memcpy(pax_exit_kernel_user, (unsigned char []){0xc3}, 1);
48861 + clone_pgd_mask = ~(pgdval_t)0UL;
48862 +#endif
48863 +
48864 + return 0;
48865 +}
48866 +early_param("pax_nouderef", setup_pax_nouderef);
48867 +#endif
48868 +
48869 +#ifdef CONFIG_PAX_SOFTMODE
48870 +unsigned int pax_softmode;
48871 +
48872 +static int __init setup_pax_softmode(char *str)
48873 +{
48874 + get_option(&str, &pax_softmode);
48875 + return 1;
48876 +}
48877 +__setup("pax_softmode=", setup_pax_softmode);
48878 +#endif
48879 +
48880 static const char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
48881 const char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
48882 static const char *panic_later, *panic_param;
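Review bot: `get_option(&str, &pax_softmode)` in setup_pax_softmode() writes through an `int *` into an `unsigned int` and stores whatever the user typed, so `pax_softmode=2` or a negative value lands in the flag with no documented meaning. If the flag is only ever tested for zero/non-zero (its readers are not visible here), parse into a local and normalise, `int val = 0;` / `get_option(&str, &val);` / `pax_softmode = !!val;`, and add a comment stating that `pax_softmode=1` makes PaX enforcement advisory. In setup_pax_nouderef() the `memcpy()` of a `ret` opcode into `pax_enter_kernel_user`/`pax_exit_kernel_user` patches kernel text in place, which as far as I can tell only works because early_param handlers run before `mark_rodata_ro()`; that ordering constraint deserves a one-line comment above the `memcpy()` calls. The 32-bit branch also rewrites GDT slots for every index up to `NR_CPUS`, including CPUs that will never exist, which looks deliberate but is worth saying.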
48883 @@ -740,6 +782,7 @@ int __init_or_module do_one_initcall(ini
48884 {
48885 int count = preempt_count();
48886 int ret;
48887 + const char *msg1 = "", *msg2 = "";
48888
48889 if (initcall_debug)
48890 ret = do_one_initcall_debug(fn);
48891 @@ -752,15 +795,15 @@ int __init_or_module do_one_initcall(ini
48892 sprintf(msgbuf, "error code %d ", ret);
48893
48894 if (preempt_count() != count) {
48895 - strlcat(msgbuf, "preemption imbalance ", sizeof(msgbuf));
48896 + msg1 = " preemption imbalance";
48897 preempt_count() = count;
48898 }
48899 if (irqs_disabled()) {
48900 - strlcat(msgbuf, "disabled interrupts ", sizeof(msgbuf));
48901 + msg2 = " disabled interrupts";
48902 local_irq_enable();
48903 }
48904 - if (msgbuf[0]) {
48905 - printk("initcall %pF returned with %s\n", fn, msgbuf);
48906 + if (msgbuf[0] || *msg1 || *msg2) {
48907 + printk("initcall %pF returned with %s%s%s\n", fn, msgbuf, msg1, msg2);
48908 }
48909
48910 return ret;
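Review bot: The rewritten message at `printk("initcall %pF returned with %s%s%s\n", ...)` now combines a space after `with`, the trailing space in `msgbuf` (`"error code %d "`) and a leading space in `msg1`/`msg2`, so the output reads `with error code -5  preemption imbalance` or `with  preemption imbalance` with doubled spaces. Put the separator on one side only: `sprintf(msgbuf, " error code %d", ret);` together with `"initcall %pF returned with%s%s%s\n"`. Replacing the `strlcat()` calls with fixed string pointers is a good change in itself, since it no longer depends on `msgbuf` having room for both suffixes.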
48911 @@ -889,7 +932,7 @@ static int __init kernel_init(void * unu
48912 do_basic_setup();
48913
48914 /* Open the /dev/console on the rootfs, this should never fail */
48915 - if (sys_open((const char __user *) "/dev/console", O_RDWR, 0) < 0)
48916 + if (sys_open((__force const char __user *) "/dev/console", O_RDWR, 0) < 0)
48917 printk(KERN_WARNING "Warning: unable to open an initial console.\n");
48918
48919 (void) sys_dup(0);
48920 @@ -902,11 +945,13 @@ static int __init kernel_init(void * unu
48921 if (!ramdisk_execute_command)
48922 ramdisk_execute_command = "/init";
48923
48924 - if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
48925 + if (sys_access((__force const char __user *) ramdisk_execute_command, 0) != 0) {
48926 ramdisk_execute_command = NULL;
48927 prepare_namespace();
48928 }
48929
48930 + grsecurity_init();
48931 +
48932 /*
48933 * Ok, we have completed the initial bootup, and
48934 * we're essentially up and running. Get rid of the
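Review bot: `grsecurity_init()` is called here through the bare `extern void grsecurity_init(void);` added near the top of init/main.c instead of a prototype in a header shared with its definition, so a signature mismatch between the two would go unnoticed by the compiler. Declare it in a grsecurity header that init/main.c includes and drop the local extern. The placement after `prepare_namespace()` and before kernel_init() hands over to init is presumably deliberate so that the RBAC state exists before the first userspace program runs; a comment such as `/* root is mounted; bring up grsecurity state before init is exec'd */` would record that. kernel_init() continues past the end of this hunk.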
48935 diff -urNp linux-2.6.37/ipc/mqueue.c linux-2.6.37/ipc/mqueue.c
48936 --- linux-2.6.37/ipc/mqueue.c 2011-01-04 19:50:19.000000000 -0500
48937 +++ linux-2.6.37/ipc/mqueue.c 2011-01-17 02:41:02.000000000 -0500
48938 @@ -154,6 +154,7 @@ static struct inode *mqueue_get_inode(st
48939 mq_bytes = (mq_msg_tblsz +
48940 (info->attr.mq_maxmsg * info->attr.mq_msgsize));
48941
48942 + gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);
48943 spin_lock(&mq_lock);
48944 if (u->mq_bytes + mq_bytes < u->mq_bytes ||
48945 u->mq_bytes + mq_bytes >
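Review bot: `gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1)` is evaluated before `spin_lock(&mq_lock)` is taken, so it reads `u->mq_bytes` without the lock that protects it and computes the very sum whose wraparound the next `if` checks for, meaning a wrapped total can be reported to the learning code. Move the call to just after `spin_lock(&mq_lock);`, or, if `gr_learn_resource()` may sleep (not visible from here), snapshot `u->mq_bytes` under the lock and call it after the `u->mq_bytes + mq_bytes < u->mq_bytes` test has rejected an overflow. The enclosing mqueue_get_inode() starts and ends outside this hunk.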
48946 diff -urNp linux-2.6.37/ipc/shm.c linux-2.6.37/ipc/shm.c
48947 --- linux-2.6.37/ipc/shm.c 2011-01-04 19:50:19.000000000 -0500
48948 +++ linux-2.6.37/ipc/shm.c 2011-01-17 02:41:02.000000000 -0500
48949 @@ -69,6 +69,14 @@ static void shm_destroy (struct ipc_name
48950 static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
48951 #endif
48952
48953 +#ifdef CONFIG_GRKERNSEC
48954 +extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
48955 + const time_t shm_createtime, const uid_t cuid,
48956 + const int shmid);
48957 +extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
48958 + const time_t shm_createtime);
48959 +#endif
48960 +
48961 void shm_init_ns(struct ipc_namespace *ns)
48962 {
48963 ns->shm_ctlmax = SHMMAX;
48964 @@ -401,6 +409,14 @@ static int newseg(struct ipc_namespace *
48965 shp->shm_lprid = 0;
48966 shp->shm_atim = shp->shm_dtim = 0;
48967 shp->shm_ctim = get_seconds();
48968 +#ifdef CONFIG_GRKERNSEC
48969 + {
48970 + struct timespec timeval;
48971 + do_posix_clock_monotonic_gettime(&timeval);
48972 +
48973 + shp->shm_createtime = timeval.tv_sec;
48974 + }
48975 +#endif
48976 shp->shm_segsz = size;
48977 shp->shm_nattch = 0;
48978 shp->shm_file = file;
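Review bot: The local named `timeval` in newseg() is a `struct timespec` filled by `do_posix_clock_monotonic_gettime()`, which misleads a reader into expecting `tv_usec`; rename it `ts` and say why the monotonic clock rather than the `get_seconds()` used for `shm_ctim` one line above is chosen, presumably so that a `settimeofday()` cannot forge a creation time for the pid-reuse check in do_shmat(). A comment such as `/* monotonic, so wall-clock changes cannot forge a creation time */` above the block would do. newseg() continues on both sides of this hunk.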
48979 @@ -895,9 +911,21 @@ long do_shmat(int shmid, char __user *sh
48980 if (err)
48981 goto out_unlock;
48982
48983 +#ifdef CONFIG_GRKERNSEC
48984 + if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
48985 + shp->shm_perm.cuid, shmid) ||
48986 + !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
48987 + err = -EACCES;
48988 + goto out_unlock;
48989 + }
48990 +#endif
48991 +
48992 path = shp->shm_file->f_path;
48993 path_get(&path);
48994 shp->shm_nattch++;
48995 +#ifdef CONFIG_GRKERNSEC
48996 + shp->shm_lapid = current->pid;
48997 +#endif
48998 size = i_size_read(path.dentry->d_inode);
48999 shm_unlock(shp);
49000
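Review bot: `shp->shm_lapid = current->pid;` records the raw thread id of the attaching task, while the ipc code's own `shm_lprid` bookkeeping uses, as far as I recall, `task_tgid_vnr(current)`; whichever is intended, `shm_cprid`, `shm_lapid` and whatever `gr_handle_shmat()` compares them against must come from the same pid-vs-tgid convention and namespace, and a comment should state which. The `gr_handle_shmat()`/`gr_chroot_shmat()` gate runs after `ipcperms()` and the security hook have passed, which is the right order, but the meaning of the (creator pid, last-attach pid, create time) tuple is opaque here — presumably a check that the creator is still the same process rather than a recycled pid, with `shm_createtime` as the tie-breaker. Two lines above the `#ifdef` explaining that, plus moving the `extern` prototypes at the top of this file into a grsecurity header, would make the policy reviewable. do_shmat() continues past this hunk.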
49001 diff -urNp linux-2.6.37/kernel/acct.c linux-2.6.37/kernel/acct.c
49002 --- linux-2.6.37/kernel/acct.c 2011-01-04 19:50:19.000000000 -0500
49003 +++ linux-2.6.37/kernel/acct.c 2011-01-17 02:41:02.000000000 -0500
49004 @@ -570,7 +570,7 @@ static void do_acct_process(struct bsd_a
49005 */
49006 flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
49007 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
49008 - file->f_op->write(file, (char *)&ac,
49009 + file->f_op->write(file, (__force char __user *)&ac,
49010 sizeof(acct_t), &file->f_pos);
49011 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
49012 set_fs(fs);
49013 diff -urNp linux-2.6.37/kernel/capability.c linux-2.6.37/kernel/capability.c
49014 --- linux-2.6.37/kernel/capability.c 2011-01-04 19:50:19.000000000 -0500
49015 +++ linux-2.6.37/kernel/capability.c 2011-01-17 02:41:02.000000000 -0500
49016 @@ -205,6 +205,9 @@ SYSCALL_DEFINE2(capget, cap_user_header_
49017 * before modification is attempted and the application
49018 * fails.
49019 */
49020 + if (tocopy > ARRAY_SIZE(kdata))
49021 + return -EFAULT;
49022 +
49023 if (copy_to_user(dataptr, kdata, tocopy
49024 * sizeof(struct __user_cap_data_struct))) {
49025 return -EFAULT;
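Review bot: The new guard `if (tocopy > ARRAY_SIZE(kdata)) return -EFAULT;` reports an internal bound violation with the errno reserved for a bad user pointer, which would misdirect anyone debugging it. Since `tocopy` is derived from the header version check earlier in capget() (outside this hunk), the condition should be unreachable, so `if (WARN_ON_ONCE(tocopy > ARRAY_SIZE(kdata))) return -EINVAL;` both documents that expectation and makes a violation visible in the log.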
49026 @@ -306,10 +309,26 @@ int capable(int cap)
49027 BUG();
49028 }
49029
49030 - if (security_capable(cap) == 0) {
49031 + if (security_capable(cap) == 0 && gr_is_capable(cap)) {
49032 current->flags |= PF_SUPERPRIV;
49033 return 1;
49034 }
49035 return 0;
49036 }
49037 +
49038 +int capable_nolog(int cap)
49039 +{
49040 + if (unlikely(!cap_valid(cap))) {
49041 + printk(KERN_CRIT "capable() called with invalid cap=%u\n", cap);
49042 + BUG();
49043 + }
49044 +
49045 + if (security_capable(cap) == 0 && gr_is_capable_nolog(cap)) {
49046 + current->flags |= PF_SUPERPRIV;
49047 + return 1;
49048 + }
49049 + return 0;
49050 +}
49051 +
49052 EXPORT_SYMBOL(capable);
49053 +EXPORT_SYMBOL(capable_nolog);
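Review bot: `capable_nolog()` duplicates the body of `capable()` line for line, differing only in the `gr_is_capable_nolog()` call, and ships without the kerneldoc that `capable()` carries (its header starts before this hunk). Factor the shared logic into a static helper and give `capable_nolog()` a kerneldoc block saying it is `capable()` minus the grsecurity audit entry, for paths where a refused check is the expected outcome; the `printk` text can stay as `capable()` for both callers. Only the tail of `capable()` is visible in this hunk.
```c
/* Shared body of capable() and capable_nolog(); @log selects whether a
 * grsecurity denial is audited. */
static int __capable(int cap, bool log)
{
	if (unlikely(!cap_valid(cap))) {
		printk(KERN_CRIT "capable() called with invalid cap=%u\n", cap);
		BUG();
	}

	if (security_capable(cap) == 0 &&
	    (log ? gr_is_capable(cap) : gr_is_capable_nolog(cap))) {
		current->flags |= PF_SUPERPRIV;
		return 1;
	}
	return 0;
}

int capable(int cap)
{
	return __capable(cap, true);
}

/**
 * capable_nolog - capable() without a grsecurity audit entry on denial
 * @cap: capability to test, must satisfy cap_valid()
 *
 * Same result and PF_SUPERPRIV side effect as capable(); use it on paths
 * where a refused check is expected and must not spam the log.
 */
int capable_nolog(int cap)
{
	return __capable(cap, false);
}
```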
49054 diff -urNp linux-2.6.37/kernel/compat.c linux-2.6.37/kernel/compat.c
49055 --- linux-2.6.37/kernel/compat.c 2011-01-04 19:50:19.000000000 -0500
49056 +++ linux-2.6.37/kernel/compat.c 2011-01-17 02:41:02.000000000 -0500
49057 @@ -13,6 +13,7 @@
49058
49059 #include <linux/linkage.h>
49060 #include <linux/compat.h>
49061 +#include <linux/module.h>
49062 #include <linux/errno.h>
49063 #include <linux/time.h>
49064 #include <linux/signal.h>
49065 diff -urNp linux-2.6.37/kernel/configs.c linux-2.6.37/kernel/configs.c
49066 --- linux-2.6.37/kernel/configs.c 2011-01-04 19:50:19.000000000 -0500
49067 +++ linux-2.6.37/kernel/configs.c 2011-01-17 02:41:02.000000000 -0500
49068 @@ -74,8 +74,19 @@ static int __init ikconfig_init(void)
49069 struct proc_dir_entry *entry;
49070
49071 /* create the current config file */
49072 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
49073 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)
49074 + entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
49075 + &ikconfig_file_ops);
49076 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49077 + entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
49078 + &ikconfig_file_ops);
49079 +#endif
49080 +#else
49081 entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
49082 &ikconfig_file_ops);
49083 +#endif
49084 +
49085 if (!entry)
49086 return -ENOMEM;
49087
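Review bot: With `CONFIG_GRKERNSEC_PROC_ADD` set but none of `CONFIG_GRKERNSEC_PROC_USER`, `CONFIG_GRKERNSEC_PROC_USERGROUP` or `CONFIG_GRKERNSEC_HIDESYM`, the outer `#if` is taken and no inner branch assigns `entry`, so the following `if (!entry)` tests an uninitialised pointer; the Kconfig choice may rule that combination out (not visible here), but the preprocessor structure should not depend on it. Computing the mode once and keeping a single `proc_create()` call closes the hole and reads better; the shape below preserves every existing combination and falls back to `S_IRUGO` for the unassigned one. ikconfig_init() continues outside this hunk.
```c
	/* Restrict /proc/config.gz when grsecurity hardens /proc; otherwise
	 * keep the upstream world-readable mode. */
	mode_t mode = S_IRUGO;
#if defined(CONFIG_GRKERNSEC_HIDESYM) || \
    (defined(CONFIG_GRKERNSEC_PROC_ADD) && defined(CONFIG_GRKERNSEC_PROC_USER))
	mode = S_IRUSR;
#elif defined(CONFIG_GRKERNSEC_PROC_ADD) && defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
	mode = S_IRUSR | S_IRGRP;
#endif
	entry = proc_create("config.gz", S_IFREG | mode, NULL,
			    &ikconfig_file_ops);
```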
49088 diff -urNp linux-2.6.37/kernel/cred.c linux-2.6.37/kernel/cred.c
49089 --- linux-2.6.37/kernel/cred.c 2011-01-04 19:50:19.000000000 -0500
49090 +++ linux-2.6.37/kernel/cred.c 2011-01-17 02:41:02.000000000 -0500
49091 @@ -483,6 +483,8 @@ int commit_creds(struct cred *new)
49092
49093 get_cred(new); /* we will require a ref for the subj creds too */
49094
49095 + gr_set_role_label(task, new->uid, new->gid);
49096 +
49097 /* dumpability changes */
49098 if (old->euid != new->euid ||
49099 old->egid != new->egid ||
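Review bot: `gr_set_role_label(task, new->uid, new->gid)` keys the role on the real uid/gid of the new credentials rather than the effective ids, and it runs on every `commit_creds()` even when those ids are unchanged; both are plausible policy choices but neither is recorded. A comment such as `/* RBAC roles follow the real uid/gid, so a setuid transition keeps the caller's role */` (inverted if the intent is the opposite) would stop the next reader from "fixing" it to `euid`. commit_creds() continues on both sides of this hunk.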
49100 diff -urNp linux-2.6.37/kernel/debug/debug_core.c linux-2.6.37/kernel/debug/debug_core.c
49101 --- linux-2.6.37/kernel/debug/debug_core.c 2011-01-04 19:50:19.000000000 -0500
49102 +++ linux-2.6.37/kernel/debug/debug_core.c 2011-01-17 02:41:02.000000000 -0500
49103 @@ -72,7 +72,7 @@ int kgdb_io_module_registered;
49104 /* Guard for recursive entry */
49105 static int exception_level;
49106
49107 -struct kgdb_io *dbg_io_ops;
49108 +const struct kgdb_io *dbg_io_ops;
49109 static DEFINE_SPINLOCK(kgdb_registration_lock);
49110
49111 /* kgdb console driver is loaded */
49112 @@ -864,7 +864,7 @@ static void kgdb_initial_breakpoint(void
49113 *
49114 * Register it with the KGDB core.
49115 */
49116 -int kgdb_register_io_module(struct kgdb_io *new_dbg_io_ops)
49117 +int kgdb_register_io_module(const struct kgdb_io *new_dbg_io_ops)
49118 {
49119 int err;
49120
49121 @@ -909,7 +909,7 @@ EXPORT_SYMBOL_GPL(kgdb_register_io_modul
49122 *
49123 * Unregister it with the KGDB core.
49124 */
49125 -void kgdb_unregister_io_module(struct kgdb_io *old_dbg_io_ops)
49126 +void kgdb_unregister_io_module(const struct kgdb_io *old_dbg_io_ops)
49127 {
49128 BUG_ON(kgdb_connected);
49129
49130 diff -urNp linux-2.6.37/kernel/debug/kdb/kdb_main.c linux-2.6.37/kernel/debug/kdb/kdb_main.c
49131 --- linux-2.6.37/kernel/debug/kdb/kdb_main.c 2011-01-04 19:50:19.000000000 -0500
49132 +++ linux-2.6.37/kernel/debug/kdb/kdb_main.c 2011-01-17 02:41:02.000000000 -0500
49133 @@ -1980,7 +1980,7 @@ static int kdb_lsmod(int argc, const cha
49134 list_for_each_entry(mod, kdb_modules, list) {
49135
49136 kdb_printf("%-20s%8u 0x%p ", mod->name,
49137 - mod->core_size, (void *)mod);
49138 + mod->core_size_rx + mod->core_size_rw, (void *)mod);
49139 #ifdef CONFIG_MODULE_UNLOAD
49140 kdb_printf("%4d ", module_refcount(mod));
49141 #endif
49142 @@ -1990,7 +1990,7 @@ static int kdb_lsmod(int argc, const cha
49143 kdb_printf(" (Loading)");
49144 else
49145 kdb_printf(" (Live)");
49146 - kdb_printf(" 0x%p", mod->module_core);
49147 + kdb_printf(" 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
49148
49149 #ifdef CONFIG_MODULE_UNLOAD
49150 {
49151 diff -urNp linux-2.6.37/kernel/exit.c linux-2.6.37/kernel/exit.c
49152 --- linux-2.6.37/kernel/exit.c 2011-01-04 19:50:19.000000000 -0500
49153 +++ linux-2.6.37/kernel/exit.c 2011-01-17 02:41:02.000000000 -0500
49154 @@ -57,6 +57,10 @@
49155 #include <asm/pgtable.h>
49156 #include <asm/mmu_context.h>
49157
49158 +#ifdef CONFIG_GRKERNSEC
49159 +extern rwlock_t grsec_exec_file_lock;
49160 +#endif
49161 +
49162 static void exit_mm(struct task_struct * tsk);
49163
49164 static void __unhash_process(struct task_struct *p, bool group_dead)
49165 @@ -169,6 +173,8 @@ void release_task(struct task_struct * p
49166 struct task_struct *leader;
49167 int zap_leader;
49168 repeat:
49169 + gr_del_task_from_ip_table(p);
49170 +
49171 tracehook_prepare_release_task(p);
49172 /* don't need to get the RCU readlock here - the process is dead and
49173 * can't be modifying its own credentials. But shut RCU-lockdep up */
49174 @@ -338,11 +344,22 @@ static void reparent_to_kthreadd(void)
49175 {
49176 write_lock_irq(&tasklist_lock);
49177
49178 +#ifdef CONFIG_GRKERNSEC
49179 + write_lock(&grsec_exec_file_lock);
49180 + if (current->exec_file) {
49181 + fput(current->exec_file);
49182 + current->exec_file = NULL;
49183 + }
49184 + write_unlock(&grsec_exec_file_lock);
49185 +#endif
49186 +
49187 ptrace_unlink(current);
49188 /* Reparent to init */
49189 current->real_parent = current->parent = kthreadd_task;
49190 list_move_tail(&current->sibling, &current->real_parent->children);
49191
49192 + gr_set_kernel_label(current);
49193 +
49194 /* Set the exit signal to SIGCHLD so we signal init on exit */
49195 current->exit_signal = SIGCHLD;
49196
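Review bot: `fput(current->exec_file)` is called while holding `grsec_exec_file_lock` for write and, as the hunk's first context line shows, inside `write_lock_irq(&tasklist_lock)`; on this kernel `fput()` is synchronous, so if this is the last reference the file's `->release()`, `dput()` and `mntput()` run with a spinlock held and interrupts off. Whether `exec_file` can be the last reference here I cannot confirm, but the safe shape costs nothing: detach the pointer under the locks and drop the reference after the `write_unlock_irq(&tasklist_lock)` that lies past the end of this hunk. The same pattern appears in daemonize() further down.
```c
static void reparent_to_kthreadd(void)
{
	struct file *exec_file = NULL;

	write_lock_irq(&tasklist_lock);

#ifdef CONFIG_GRKERNSEC
	/* Only detach under the locks; the final fput() may sleep. */
	write_lock(&grsec_exec_file_lock);
	exec_file = current->exec_file;
	current->exec_file = NULL;
	write_unlock(&grsec_exec_file_lock);
#endif

	/* … unchanged: ptrace_unlink(), reparent to kthreadd, gr_set_kernel_label(), exit_signal … */

	write_unlock_irq(&tasklist_lock);

	if (exec_file)
		fput(exec_file);
	/* … unchanged: rest of reparent_to_kthreadd() … */
```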
49197 @@ -394,7 +411,7 @@ int allow_signal(int sig)
49198 * know it'll be handled, so that they don't get converted to
49199 * SIGKILL or just silently dropped.
49200 */
49201 - current->sighand->action[(sig)-1].sa.sa_handler = (void __user *)2;
49202 + current->sighand->action[(sig)-1].sa.sa_handler = (__force void __user *)2;
49203 recalc_sigpending();
49204 spin_unlock_irq(&current->sighand->siglock);
49205 return 0;
49206 @@ -430,6 +447,17 @@ void daemonize(const char *name, ...)
49207 vsnprintf(current->comm, sizeof(current->comm), name, args);
49208 va_end(args);
49209
49210 +#ifdef CONFIG_GRKERNSEC
49211 + write_lock(&grsec_exec_file_lock);
49212 + if (current->exec_file) {
49213 + fput(current->exec_file);
49214 + current->exec_file = NULL;
49215 + }
49216 + write_unlock(&grsec_exec_file_lock);
49217 +#endif
49218 +
49219 + gr_set_kernel_label(current);
49220 +
49221 /*
49222 * If we were started as result of loading a module, close all of the
49223 * user space pages. We don't need them, and if we didn't close them
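Review bot: `fput(current->exec_file)` here runs inside `write_lock(&grsec_exec_file_lock)`, i.e. with preemption disabled, and on this kernel `fput()` is synchronous, so a final reference would run the file's `->release()`/`dput()`/`mntput()` in atomic context. Detach under the lock and drop the reference after `write_unlock(&grsec_exec_file_lock);`: `exec_file = current->exec_file; current->exec_file = NULL;` inside the critical section, then `if (exec_file) fput(exec_file);` once it is released. Whether `exec_file` can actually hold the last reference at this point is not visible here, but the lock-free drop is cheaper to reason about either way; daemonize() continues outside this hunk.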
49224 @@ -905,17 +933,17 @@ NORET_TYPE void do_exit(long code)
49225 struct task_struct *tsk = current;
49226 int group_dead;
49227
49228 - profile_task_exit(tsk);
49229 -
49230 - WARN_ON(atomic_read(&tsk->fs_excl));
49231 -
49232 + /*
49233 + * Check this first since set_fs() below depends on
49234 + * current_thread_info(), which we better not access when we're in
49235 + * interrupt context. Other than that, we want to do the set_fs()
49236 + * as early as possible.
49237 + */
49238 if (unlikely(in_interrupt()))
49239 panic("Aiee, killing interrupt handler!");
49240 - if (unlikely(!tsk->pid))
49241 - panic("Attempted to kill the idle task!");
49242
49243 /*
49244 - * If do_exit is called because this processes oopsed, it's possible
49245 + * If do_exit is called because this processes Oops'ed, it's possible
49246 * that get_fs() was left as KERNEL_DS, so reset it to USER_DS before
49247 * continuing. Amongst other possible reasons, this is to prevent
49248 * mm_release()->clear_child_tid() from writing to a user-controlled
49249 @@ -923,6 +951,13 @@ NORET_TYPE void do_exit(long code)
49250 */
49251 set_fs(USER_DS);
49252
49253 + profile_task_exit(tsk);
49254 +
49255 + WARN_ON(atomic_read(&tsk->fs_excl));
49256 +
49257 + if (unlikely(!tsk->pid))
49258 + panic("Attempted to kill the idle task!");
49259 +
49260 tracehook_report_exit(&code);
49261
49262 validate_creds_for_do_exit(tsk);
49263 @@ -983,6 +1018,9 @@ NORET_TYPE void do_exit(long code)
49264 tsk->exit_code = code;
49265 taskstats_exit(tsk, group_dead);
49266
49267 + gr_acl_handle_psacct(tsk, code);
49268 + gr_acl_handle_exit();
49269 +
49270 exit_mm(tsk);
49271
49272 if (group_dead)
49273 diff -urNp linux-2.6.37/kernel/fork.c linux-2.6.37/kernel/fork.c
49274 --- linux-2.6.37/kernel/fork.c 2011-01-04 19:50:19.000000000 -0500
49275 +++ linux-2.6.37/kernel/fork.c 2011-01-17 02:41:02.000000000 -0500
49276 @@ -278,7 +278,7 @@ static struct task_struct *dup_task_stru
49277 *stackend = STACK_END_MAGIC; /* for overflow detection */
49278
49279 #ifdef CONFIG_CC_STACKPROTECTOR
49280 - tsk->stack_canary = get_random_int();
49281 + tsk->stack_canary = pax_get_random_long();
49282 #endif
49283
49284 /* One for us, one for whoever does the "release_task()" (usually parent) */
49285 @@ -300,13 +300,78 @@ out:
49286 }
49287
49288 #ifdef CONFIG_MMU
49289 +static struct vm_area_struct *dup_vma(struct mm_struct *mm, struct vm_area_struct *mpnt)
49290 +{
49291 + struct vm_area_struct *tmp;
49292 + unsigned long charge;
49293 + struct mempolicy *pol;
49294 + struct file *file;
49295 +
49296 + charge = 0;
49297 + if (mpnt->vm_flags & VM_ACCOUNT) {
49298 + unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
49299 + if (security_vm_enough_memory(len))
49300 + goto fail_nomem;
49301 + charge = len;
49302 + }
49303 + tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
49304 + if (!tmp)
49305 + goto fail_nomem;
49306 + *tmp = *mpnt;
49307 + tmp->vm_mm = mm;
49308 + INIT_LIST_HEAD(&tmp->anon_vma_chain);
49309 + pol = mpol_dup(vma_policy(mpnt));
49310 + if (IS_ERR(pol))
49311 + goto fail_nomem_policy;
49312 + vma_set_policy(tmp, pol);
49313 + if (anon_vma_fork(tmp, mpnt))
49314 + goto fail_nomem_anon_vma_fork;
49315 + tmp->vm_flags &= ~VM_LOCKED;
49316 + tmp->vm_next = tmp->vm_prev = NULL;
49317 + tmp->vm_mirror = NULL;
49318 + file = tmp->vm_file;
49319 + if (file) {
49320 + struct inode *inode = file->f_path.dentry->d_inode;
49321 + struct address_space *mapping = file->f_mapping;
49322 +
49323 + get_file(file);
49324 + if (tmp->vm_flags & VM_DENYWRITE)
49325 + atomic_dec(&inode->i_writecount);
49326 + spin_lock(&mapping->i_mmap_lock);
49327 + if (tmp->vm_flags & VM_SHARED)
49328 + mapping->i_mmap_writable++;
49329 + tmp->vm_truncate_count = mpnt->vm_truncate_count;
49330 + flush_dcache_mmap_lock(mapping);
49331 + /* insert tmp into the share list, just after mpnt */
49332 + vma_prio_tree_add(tmp, mpnt);
49333 + flush_dcache_mmap_unlock(mapping);
49334 + spin_unlock(&mapping->i_mmap_lock);
49335 + }
49336 +
49337 + /*
49338 + * Clear hugetlb-related page reserves for children. This only
49339 + * affects MAP_PRIVATE mappings. Faults generated by the child
49340 + * are not guaranteed to succeed, even if read-only
49341 + */
49342 + if (is_vm_hugetlb_page(tmp))
49343 + reset_vma_resv_huge_pages(tmp);
49344 +
49345 + return tmp;
49346 +
49347 +fail_nomem_anon_vma_fork:
49348 + mpol_put(pol);
49349 +fail_nomem_policy:
49350 + kmem_cache_free(vm_area_cachep, tmp);
49351 +fail_nomem:
49352 + vm_unacct_memory(charge);
49353 + return NULL;
49354 +}
49355 +
49356 static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
49357 {
49358 struct vm_area_struct *mpnt, *tmp, *prev, **pprev;
49359 struct rb_node **rb_link, *rb_parent;
49360 int retval;
49361 - unsigned long charge;
49362 - struct mempolicy *pol;
49363
49364 down_write(&oldmm->mmap_sem);
49365 flush_cache_dup_mm(oldmm);
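Review bot: `dup_vma()` is a new sixty-line helper with no comment describing its contract, and its error path collapses whatever `mpol_dup()` returned into a bare `NULL`, so dup_mmap() now always reports `-ENOMEM` where it previously propagated `PTR_ERR(pol)` (harmless if `mpol_dup()` can only fail with `-ENOMEM`, which I believe is the case, but worth stating). Add a kerneldoc block above it: it duplicates @mpnt into @mm for fork, charging `VM_ACCOUNT` pages, copying the mempolicy and anon_vma chain, taking a file reference and linking the copy into the file's share list after @mpnt, clears `VM_LOCKED` and the PaX `vm_mirror` link, and returns the still-unlinked copy or `NULL` with all of that undone. One more line noting that the caller inserts the vma into @mm's list and rb-tree would complete it.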
49366 @@ -318,8 +383,8 @@ static int dup_mmap(struct mm_struct *mm
49367 mm->locked_vm = 0;
49368 mm->mmap = NULL;
49369 mm->mmap_cache = NULL;
49370 - mm->free_area_cache = oldmm->mmap_base;
49371 - mm->cached_hole_size = ~0UL;
49372 + mm->free_area_cache = oldmm->free_area_cache;
49373 + mm->cached_hole_size = oldmm->cached_hole_size;
49374 mm->map_count = 0;
49375 cpumask_clear(mm_cpumask(mm));
49376 mm->mm_rb = RB_ROOT;
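Review bot: `mm->free_area_cache = oldmm->free_area_cache;` and the `cached_hole_size` copy change the child's mmap search hint from "start over at `mmap_base`" to "inherit the parent's position", which affects where the child's future mappings land yet carries no comment on why. dup_mmap() skips `VM_DONTCOPY` vmas (the `continue` in the copy loop a little further down), so the child may have holes the parent does not and the inherited `cached_hole_size` can understate the largest hole; that only costs a longer search because the value is a hint, but the comment should say so. Something like `/* inherit the parent's search hint so the child's layout mirrors it; only a hint, the child may have extra holes from VM_DONTCOPY */`, with the reason for wanting the mirrored layout filled in by the author, would do.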
49377 @@ -332,8 +397,6 @@ static int dup_mmap(struct mm_struct *mm
49378
49379 prev = NULL;
49380 for (mpnt = oldmm->mmap; mpnt; mpnt = mpnt->vm_next) {
49381 - struct file *file;
49382 -
49383 if (mpnt->vm_flags & VM_DONTCOPY) {
49384 long pages = vma_pages(mpnt);
49385 mm->total_vm -= pages;
49386 @@ -341,56 +404,13 @@ static int dup_mmap(struct mm_struct *mm
49387 -pages);
49388 continue;
49389 }
49390 - charge = 0;
49391 - if (mpnt->vm_flags & VM_ACCOUNT) {
49392 - unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
49393 - if (security_vm_enough_memory(len))
49394 - goto fail_nomem;
49395 - charge = len;
49396 - }
49397 - tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
49398 - if (!tmp)
49399 - goto fail_nomem;
49400 - *tmp = *mpnt;
49401 - INIT_LIST_HEAD(&tmp->anon_vma_chain);
49402 - pol = mpol_dup(vma_policy(mpnt));
49403 - retval = PTR_ERR(pol);
49404 - if (IS_ERR(pol))
49405 - goto fail_nomem_policy;
49406 - vma_set_policy(tmp, pol);
49407 - tmp->vm_mm = mm;
49408 - if (anon_vma_fork(tmp, mpnt))
49409 - goto fail_nomem_anon_vma_fork;
49410 - tmp->vm_flags &= ~VM_LOCKED;
49411 - tmp->vm_next = tmp->vm_prev = NULL;
49412 - file = tmp->vm_file;
49413 - if (file) {
49414 - struct inode *inode = file->f_path.dentry->d_inode;
49415 - struct address_space *mapping = file->f_mapping;
49416 -
49417 - get_file(file);
49418 - if (tmp->vm_flags & VM_DENYWRITE)
49419 - atomic_dec(&inode->i_writecount);
49420 - spin_lock(&mapping->i_mmap_lock);
49421 - if (tmp->vm_flags & VM_SHARED)
49422 - mapping->i_mmap_writable++;
49423 - tmp->vm_truncate_count = mpnt->vm_truncate_count;
49424 - flush_dcache_mmap_lock(mapping);
49425 - /* insert tmp into the share list, just after mpnt */
49426 - vma_prio_tree_add(tmp, mpnt);
49427 - flush_dcache_mmap_unlock(mapping);
49428 - spin_unlock(&mapping->i_mmap_lock);
49429 + tmp = dup_vma(mm, mpnt);
49430 + if (!tmp) {
49431 + retval = -ENOMEM;
49432 + goto out;
49433 }
49434
49435 /*
49436 - * Clear hugetlb-related page reserves for children. This only
49437 - * affects MAP_PRIVATE mappings. Faults generated by the child
49438 - * are not guaranteed to succeed, even if read-only
49439 - */
49440 - if (is_vm_hugetlb_page(tmp))
49441 - reset_vma_resv_huge_pages(tmp);
49442 -
49443 - /*
49444 * Link in the new vma and copy the page table entries.
49445 */
49446 *pprev = tmp;
49447 @@ -411,6 +431,31 @@ static int dup_mmap(struct mm_struct *mm
49448 if (retval)
49449 goto out;
49450 }
49451 +
49452 +#ifdef CONFIG_PAX_SEGMEXEC
49453 + if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
49454 + struct vm_area_struct *mpnt_m;
49455 +
49456 + for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
49457 + BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
49458 +
49459 + if (!mpnt->vm_mirror)
49460 + continue;
49461 +
49462 + if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
49463 + BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
49464 + mpnt->vm_mirror = mpnt_m;
49465 + } else {
49466 + BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
49467 + mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
49468 + mpnt_m->vm_mirror->vm_mirror = mpnt_m;
49469 + mpnt->vm_mirror->vm_mirror = mpnt;
49470 + }
49471 + }
49472 + BUG_ON(mpnt_m);
49473 + }
49474 +#endif
49475 +
49476 /* a new mm has just been created */
49477 arch_dup_mmap(oldmm, mm);
49478 retval = 0;
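Review bot: The mirror re-pairing loop walks `oldmm->mmap` and `mm->mmap` in lock-step and `BUG_ON(!mpnt_m ...)`s on any mismatch, but the copy loop earlier in dup_mmap() skips `VM_DONTCOPY` vmas, so a SEGMEXEC process with a `madvise(MADV_DONTFORK)` region has a shorter child list and the pairing drifts until `mpnt_m` is `NULL` — a user-triggerable `BUG_ON()` unless something outside this hunk refuses `VM_DONTCOPY` for SEGMEXEC tasks. The loop should skip exactly the vmas the copy loop skipped and advance `mpnt_m` only for the others, as sketched below; that is only self-consistent if a vma and its mirror always carry the same `VM_DONTCOPY` setting, otherwise the surviving half in the child would still point at a parent vma, which needs confirming in the madvise/mirror code. dup_mmap() continues on both sides of this hunk.
```c
	if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
		struct vm_area_struct *mpnt_m = mm->mmap;

		for (mpnt = oldmm->mmap; mpnt; mpnt = mpnt->vm_next) {
			/* Not duplicated by the copy loop, so no child counterpart. */
			if (mpnt->vm_flags & VM_DONTCOPY)
				continue;

			BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);

			if (mpnt->vm_mirror) {
				/* … unchanged: re-pair low/high halves via vm_mirror … */
			}
			mpnt_m = mpnt_m->vm_next;
		}
		BUG_ON(mpnt_m);
	}
```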
49479 @@ -419,14 +464,6 @@ out:
49480 flush_tlb_mm(oldmm);
49481 up_write(&oldmm->mmap_sem);
49482 return retval;
49483 -fail_nomem_anon_vma_fork:
49484 - mpol_put(pol);
49485 -fail_nomem_policy:
49486 - kmem_cache_free(vm_area_cachep, tmp);
49487 -fail_nomem:
49488 - retval = -ENOMEM;
49489 - vm_unacct_memory(charge);
49490 - goto out;
49491 }
49492
49493 static inline int mm_alloc_pgd(struct mm_struct * mm)
49494 @@ -765,13 +802,14 @@ static int copy_fs(unsigned long clone_f
49495 spin_unlock(&fs->lock);
49496 return -EAGAIN;
49497 }
49498 - fs->users++;
49499 + atomic_inc(&fs->users);
49500 spin_unlock(&fs->lock);
49501 return 0;
49502 }
49503 tsk->fs = copy_fs_struct(fs);
49504 if (!tsk->fs)
49505 return -ENOMEM;
49506 + gr_set_chroot_entries(tsk, &tsk->fs->root);
49507 return 0;
49508 }
49509
49510 @@ -1027,10 +1065,13 @@ static struct task_struct *copy_process(
49511 DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
49512 #endif
49513 retval = -EAGAIN;
49514 +
49515 + gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
49516 +
49517 if (atomic_read(&p->real_cred->user->processes) >=
49518 task_rlimit(p, RLIMIT_NPROC)) {
49519 - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
49520 - p->real_cred->user != INIT_USER)
49521 + if (p->real_cred->user != INIT_USER &&
49522 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE))
49523 goto bad_fork_free;
49524 }
49525
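Review bot: In the limit check `!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)` the broad capability is probed first, so a task that legitimately holds only `CAP_SYS_RESOURCE` fails the `CAP_SYS_ADMIN` probe on every fork past its RLIMIT_NPROC — and if `gr_is_capable()`, which `capable()` now calls elsewhere in this patch, audits refused checks, each such fork produces a spurious denial in the log. Test the specific capability first, `!capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)`, or use `capable_nolog()` for the broader probe. copy_process() continues on both sides of this hunk.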
49526 @@ -1184,6 +1225,8 @@ static struct task_struct *copy_process(
49527 goto bad_fork_free_pid;
49528 }
49529
49530 + gr_copy_label(p);
49531 +
49532 p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
49533 /*
49534 * Clear TID on mm_release()?
49535 @@ -1341,6 +1384,8 @@ bad_fork_cleanup_count:
49536 bad_fork_free:
49537 free_task(p);
49538 fork_out:
49539 + gr_log_forkfail(retval);
49540 +
49541 return ERR_PTR(retval);
49542 }
49543
49544 @@ -1446,6 +1491,8 @@ long do_fork(unsigned long clone_flags,
49545 if (clone_flags & CLONE_PARENT_SETTID)
49546 put_user(nr, parent_tidptr);
49547
49548 + gr_handle_brute_check();
49549 +
49550 if (clone_flags & CLONE_VFORK) {
49551 p->vfork_done = &vfork;
49552 init_completion(&vfork);
49553 @@ -1570,7 +1617,7 @@ static int unshare_fs(unsigned long unsh
49554 return 0;
49555
49556 /* don't need lock here; in the worst case we'll do useless copy */
49557 - if (fs->users == 1)
49558 + if (atomic_read(&fs->users) == 1)
49559 return 0;
49560
49561 *new_fsp = copy_fs_struct(fs);
49562 @@ -1693,7 +1740,8 @@ SYSCALL_DEFINE1(unshare, unsigned long,
49563 fs = current->fs;
49564 spin_lock(&fs->lock);
49565 current->fs = new_fs;
49566 - if (--fs->users)
49567 + gr_set_chroot_entries(current, &current->fs->root);
49568 + if (atomic_dec_return(&fs->users))
49569 new_fs = NULL;
49570 else
49571 new_fs = fs;
49572 diff -urNp linux-2.6.37/kernel/futex.c linux-2.6.37/kernel/futex.c
49573 --- linux-2.6.37/kernel/futex.c 2011-01-04 19:50:19.000000000 -0500
49574 +++ linux-2.6.37/kernel/futex.c 2011-01-17 02:41:02.000000000 -0500
49575 @@ -54,6 +54,7 @@
49576 #include <linux/mount.h>
49577 #include <linux/pagemap.h>
49578 #include <linux/syscalls.h>
49579 +#include <linux/ptrace.h>
49580 #include <linux/signal.h>
49581 #include <linux/module.h>
49582 #include <linux/magic.h>
49583 @@ -222,6 +223,11 @@ get_futex_key(u32 __user *uaddr, int fsh
49584 struct page *page;
49585 int err;
49586
49587 +#ifdef CONFIG_PAX_SEGMEXEC
49588 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
49589 + return -EFAULT;
49590 +#endif
49591 +
49592 /*
49593 * The futex address must be "naturally" aligned.
49594 */
49595 @@ -2384,7 +2390,9 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
49596 {
49597 struct robust_list_head __user *head;
49598 unsigned long ret;
49599 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
49600 const struct cred *cred = current_cred(), *pcred;
49601 +#endif
49602
49603 if (!futex_cmpxchg_enabled)
49604 return -ENOSYS;
49605 @@ -2400,11 +2408,16 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
49606 if (!p)
49607 goto err_unlock;
49608 ret = -EPERM;
49609 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49610 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
49611 + goto err_unlock;
49612 +#else
49613 pcred = __task_cred(p);
49614 if (cred->euid != pcred->euid &&
49615 cred->euid != pcred->uid &&
49616 !capable(CAP_SYS_PTRACE))
49617 goto err_unlock;
49618 +#endif
49619 head = p->robust_list;
49620 rcu_read_unlock();
49621 }
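Review bot: The `ptrace_may_access(p, PTRACE_MODE_READ)` check is compiled in only under `CONFIG_GRKERNSEC_PROC_MEMMAP`; the `#else` branch keeps the euid comparison, which still lets any process with a matching euid read the robust-list head of a target that is not dumpable or that ptrace would refuse. Since the ptrace check is the one that actually models "may this caller learn that task's memory layout", make it unconditional and drop the `cred`/`pcred` locals and both `#ifdef` pairs; I believe upstream later converged on exactly that. As far as I can tell calling `ptrace_may_access()` under the `rcu_read_lock()` that this hunk's `rcu_read_unlock()` closes is fine.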
49622 @@ -2648,6 +2661,7 @@ static int __init futex_init(void)
49623 {
49624 u32 curval;
49625 int i;
49626 + mm_segment_t oldfs;
49627
49628 /*
49629 * This will fail and we want it. Some arch implementations do
49630 @@ -2659,7 +2673,10 @@ static int __init futex_init(void)
49631 * implementation, the non-functional ones will return
49632 * -ENOSYS.
49633 */
49634 + oldfs = get_fs();
49635 + set_fs(USER_DS);
49636 curval = cmpxchg_futex_value_locked(NULL, 0, 0);
49637 + set_fs(oldfs);
49638 if (curval == -EFAULT)
49639 futex_cmpxchg_enabled = 1;
49640
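Review bot: The new `set_fs(USER_DS)` / `set_fs(oldfs)` bracket around `cmpxchg_futex_value_locked(NULL, 0, 0)` has no comment, although it is the whole point of the hunk: the probe deliberately touches address 0 and expects a fault, and the existing comment only explains the `-ENOSYS` detection. State why the access must be performed as a user access here — presumably because with PaX's user/kernel separation a `KERNEL_DS` touch of address 0 is not the fault being tested for — e.g. `/* probe as a user access: under UDEREF a KERNEL_DS touch of address 0 would not fault like a real futex does */`, adjusted to the actual mechanism. futex_init() continues past this hunk.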
49641 diff -urNp linux-2.6.37/kernel/futex_compat.c linux-2.6.37/kernel/futex_compat.c
49642 --- linux-2.6.37/kernel/futex_compat.c 2011-01-04 19:50:19.000000000 -0500
49643 +++ linux-2.6.37/kernel/futex_compat.c 2011-01-17 02:41:02.000000000 -0500
49644 @@ -10,6 +10,7 @@
49645 #include <linux/compat.h>
49646 #include <linux/nsproxy.h>
49647 #include <linux/futex.h>
49648 +#include <linux/ptrace.h>
49649
49650 #include <asm/uaccess.h>
49651
49652 @@ -136,7 +137,10 @@ compat_sys_get_robust_list(int pid, comp
49653 {
49654 struct compat_robust_list_head __user *head;
49655 unsigned long ret;
49656 - const struct cred *cred = current_cred(), *pcred;
49657 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
49658 + const struct cred *cred = current_cred();
49659 + const struct cred *pcred;
49660 +#endif
49661
49662 if (!futex_cmpxchg_enabled)
49663 return -ENOSYS;
49664 @@ -152,11 +156,16 @@ compat_sys_get_robust_list(int pid, comp
49665 if (!p)
49666 goto err_unlock;
49667 ret = -EPERM;
49668 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49669 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
49670 + goto err_unlock;
49671 +#else
49672 pcred = __task_cred(p);
49673 if (cred->euid != pcred->euid &&
49674 cred->euid != pcred->uid &&
49675 !capable(CAP_SYS_PTRACE))
49676 goto err_unlock;
49677 +#endif
49678 head = p->compat_robust_list;
49679 rcu_read_unlock();
49680 }
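Review bot: As in the native get_robust_list, `ptrace_may_access(p, PTRACE_MODE_READ)` here is gated on `CONFIG_GRKERNSEC_PROC_MEMMAP` and the `#else` keeps the weaker euid comparison, so the stronger check hangs on a config option unrelated to futexes. Use `ptrace_may_access()` unconditionally and remove the `#ifndef`-split declaration of `cred`/`pcred` earlier in the function, which currently exists only to be compiled out on one configuration.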
49681 diff -urNp linux-2.6.37/kernel/gcov/base.c linux-2.6.37/kernel/gcov/base.c
49682 --- linux-2.6.37/kernel/gcov/base.c 2011-01-04 19:50:19.000000000 -0500
49683 +++ linux-2.6.37/kernel/gcov/base.c 2011-01-17 02:41:02.000000000 -0500
49684 @@ -102,11 +102,6 @@ void gcov_enable_events(void)
49685 }
49686
49687 #ifdef CONFIG_MODULES
49688 -static inline int within(void *addr, void *start, unsigned long size)
49689 -{
49690 - return ((addr >= start) && (addr < start + size));
49691 -}
49692 -
49693 /* Update list and generate events when modules are unloaded. */
49694 static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
49695 void *data)
49696 @@ -121,7 +116,7 @@ static int gcov_module_notifier(struct n
49697 prev = NULL;
49698 /* Remove entries located in module from linked list. */
49699 for (info = gcov_info_head; info; info = info->next) {
49700 - if (within(info, mod->module_core, mod->core_size)) {
49701 + if (within_module_core_rw((unsigned long)info, mod)) {
49702 if (prev)
49703 prev->next = info->next;
49704 else
49705 diff -urNp linux-2.6.37/kernel/hrtimer.c linux-2.6.37/kernel/hrtimer.c
49706 --- linux-2.6.37/kernel/hrtimer.c 2011-01-04 19:50:19.000000000 -0500
49707 +++ linux-2.6.37/kernel/hrtimer.c 2011-01-17 02:41:02.000000000 -0500
49708 @@ -1401,7 +1401,7 @@ void hrtimer_peek_ahead_timers(void)
49709 local_irq_restore(flags);
49710 }
49711
49712 -static void run_hrtimer_softirq(struct softirq_action *h)
49713 +static void run_hrtimer_softirq(void)
49714 {
49715 hrtimer_peek_ahead_timers();
49716 }
49717 diff -urNp linux-2.6.37/kernel/jump_label.c linux-2.6.37/kernel/jump_label.c
49718 --- linux-2.6.37/kernel/jump_label.c 2011-01-04 19:50:19.000000000 -0500
49719 +++ linux-2.6.37/kernel/jump_label.c 2011-01-17 02:41:02.000000000 -0500
49720 @@ -49,6 +49,17 @@ void jump_label_unlock(void)
49721 mutex_unlock(&jump_label_mutex);
49722 }
49723
49724 +static void jump_label_swap(void *a, void *b, int size)
49725 +{
49726 + struct jump_entry t;
49727 +
49728 + t = *(struct jump_entry *)a;
49729 + pax_open_kernel();
49730 + *(struct jump_entry *)a = *(struct jump_entry *)b;
49731 + *(struct jump_entry *)b = t;
49732 + pax_close_kernel();
49733 +}
49734 +
49735 static int jump_label_cmp(const void *a, const void *b)
49736 {
49737 const struct jump_entry *jea = a;
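Review bot: `jump_label_swap()` ignores its `size` argument and always copies `sizeof(struct jump_entry)` bytes; since `sort()` passes through the element size it was given, a `BUG_ON(size != sizeof(struct jump_entry));` at the top makes the assumption explicit and catches a mismatched caller. A one-line comment would also help, e.g. `/* the jump table is read-only under KERNEXEC, so sort() must not touch it with its generic swap */`, because the hunk itself does not say why a custom swap is needed. The temporary `t` is read before `pax_open_kernel()`, which keeps the writable window to the two stores, which is good.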
49738 @@ -70,7 +81,7 @@ sort_jump_label_entries(struct jump_entr
49739
49740 size = (((unsigned long)stop - (unsigned long)start)
49741 / sizeof(struct jump_entry));
49742 - sort(start, size, sizeof(struct jump_entry), jump_label_cmp, NULL);
49743 + sort(start, size, sizeof(struct jump_entry), jump_label_cmp, jump_label_swap);
49744 }
49745
49746 static struct jump_label_entry *get_jump_label_entry(jump_label_t key)
49747 @@ -407,8 +418,11 @@ static void remove_jump_label_module_ini
49748 count = e_module->nr_entries;
49749 iter = e_module->table;
49750 while (count--) {
49751 - if (within_module_init(iter->code, mod))
49752 + if (within_module_init(iter->code, mod)) {
49753 + pax_open_kernel();
49754 iter->key = 0;
49755 + pax_close_kernel();
49756 + }
49757 iter++;
49758 }
49759 }
49760 diff -urNp linux-2.6.37/kernel/kallsyms.c linux-2.6.37/kernel/kallsyms.c
49761 --- linux-2.6.37/kernel/kallsyms.c 2011-01-04 19:50:19.000000000 -0500
49762 +++ linux-2.6.37/kernel/kallsyms.c 2011-01-17 02:41:02.000000000 -0500
49763 @@ -11,6 +11,9 @@
49764 * Changed the compression method from stem compression to "table lookup"
49765 * compression (see scripts/kallsyms.c for a more complete description)
49766 */
49767 +#ifdef CONFIG_GRKERNSEC_HIDESYM
49768 +#define __INCLUDED_BY_HIDESYM 1
49769 +#endif
49770 #include <linux/kallsyms.h>
49771 #include <linux/module.h>
49772 #include <linux/init.h>
49773 @@ -53,12 +56,33 @@ extern const unsigned long kallsyms_mark
49774
49775 static inline int is_kernel_inittext(unsigned long addr)
49776 {
49777 + if (system_state != SYSTEM_BOOTING)
49778 + return 0;
49779 +
49780 if (addr >= (unsigned long)_sinittext
49781 && addr <= (unsigned long)_einittext)
49782 return 1;
49783 return 0;
49784 }
49785
49786 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
49787 +#ifdef CONFIG_MODULES
49788 +static inline int is_module_text(unsigned long addr)
49789 +{
49790 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END)
49791 + return 1;
49792 +
49793 + addr = ktla_ktva(addr);
49794 + return (unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END;
49795 +}
49796 +#else
49797 +static inline int is_module_text(unsigned long addr)
49798 +{
49799 + return 0;
49800 +}
49801 +#endif
49802 +#endif
49803 +
49804 static inline int is_kernel_text(unsigned long addr)
49805 {
49806 if ((addr >= (unsigned long)_stext && addr <= (unsigned long)_etext) ||
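Review bot: `is_module_text()` uses an inclusive upper bound in both comparisons (`addr <= (unsigned long)MODULES_EXEC_END`); if `MODULES_EXEC_END` follows the one-past-the-region convention of `MODULES_END`/`VMALLOC_END`, the test should be `<` so the first byte past the region is not accepted. The symbol's definition is not in this hunk, so check it against the PaX header that introduces it. The new `system_state != SYSTEM_BOOTING` early return in `is_kernel_inittext()` also deserves a why-comment such as `/* init text is discarded after boot; its range may be reused, so never resolve it later */`, and it relies on `free_initmem()` running before `system_state` changes, which is worth confirming in init/main.c.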
49807 @@ -69,13 +93,28 @@ static inline int is_kernel_text(unsigne
49808
49809 static inline int is_kernel(unsigned long addr)
49810 {
49811 +
49812 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
49813 + if (is_kernel_text(addr) || is_kernel_inittext(addr))
49814 + return 1;
49815 +
49816 + if (ktla_ktva((unsigned long)_text) <= addr && addr < (unsigned long)_end)
49817 +#else
49818 if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
49819 +#endif
49820 +
49821 return 1;
49822 return in_gate_area_no_task(addr);
49823 }
49824
49825 static int is_ksym_addr(unsigned long addr)
49826 {
49827 +
49828 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
49829 + if (is_module_text(addr))
49830 + return 0;
49831 +#endif
49832 +
49833 if (all_var)
49834 return is_kernel(addr);
49835
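Review bot: In the `CONFIG_X86_32 && CONFIG_PAX_KERNEXEC` branch of `is_kernel()` the lower bound is translated with `ktla_ktva()` while the upper bound `_end` is not, and the start symbol changes from `_stext` to `_text`; if that asymmetry is intended (text executed from its ktva alias while data/bss stay at the linear address, so one range spans both) say so in a comment such as `/* KERNEXEC/i386: text runs at its ktva alias, data keeps the linear address; cover both */`, otherwise it reads like a typo. Style: the blank lines directly after the opening braces of `is_kernel()` and `is_ksym_addr()` and on both sides of the `#ifdef` blocks are not kernel style and should go. `is_kernel()` is fully visible; `is_ksym_addr()` continues past the hunk.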
49836 @@ -416,7 +455,6 @@ static unsigned long get_ksymbol_core(st
49837
49838 static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
49839 {
49840 - iter->name[0] = '\0';
49841 iter->nameoff = get_symbol_offset(new_pos);
49842 iter->pos = new_pos;
49843 }
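Review bot: Dropping `iter->name[0] = '\0'` from `reset_iter()` means a seek no longer clears the previous entry's name, so the `!iter->name[0]` guard in `s_show()` only catches the freshly zeroed iterator from `kallsyms_open()`. That is fine as long as every `update_iter()` path that reports success also rewrites `iter->name`, which is not visible here; confirm it, since keeping the one-line reset costs nothing otherwise. The change also depends on the `kzalloc()` hunk in `kallsyms_open()` further down, so a comment in `reset_iter()` like `/* name is deliberately kept across seeks; kallsyms_open() zeroes it once */` would stop someone reintroducing the clear or reverting the kzalloc independently.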
49844 @@ -464,6 +502,11 @@ static int s_show(struct seq_file *m, vo
49845 {
49846 struct kallsym_iter *iter = m->private;
49847
49848 +#ifdef CONFIG_GRKERNSEC_HIDESYM
49849 + if (current_uid())
49850 + return 0;
49851 +#endif
49852 +
49853 /* Some debugging symbols have no name. Ignore them. */
49854 if (!iter->name[0])
49855 return 0;
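Review bot: The new `CONFIG_GRKERNSEC_HIDESYM` gate in `s_show()` keys on the real uid via `current_uid()`, so a setuid-root helper run by a user (euid 0, uid != 0) also gets an empty `/proc/kallsyms`; if that is the intended policy it should be stated, e.g. `/* HIDESYM: readers whose real uid is not 0 see an empty file; done per entry so the file stays openable */`. Returning 0 per entry also means an unprivileged reader still walks the whole symbol table through the seq_file iterator only to print nothing, so rejecting in `kallsyms_open()` would be cheaper unless an empty-but-readable file is deliberately preferred for userspace compatibility. `s_show()` continues past the hunk.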
49856 @@ -504,7 +547,7 @@ static int kallsyms_open(struct inode *i
49857 struct kallsym_iter *iter;
49858 int ret;
49859
49860 - iter = kmalloc(sizeof(*iter), GFP_KERNEL);
49861 + iter = kzalloc(sizeof(*iter), GFP_KERNEL);
49862 if (!iter)
49863 return -ENOMEM;
49864 reset_iter(iter, 0);
49865 diff -urNp linux-2.6.37/kernel/kmod.c linux-2.6.37/kernel/kmod.c
49866 --- linux-2.6.37/kernel/kmod.c 2011-01-04 19:50:19.000000000 -0500
49867 +++ linux-2.6.37/kernel/kmod.c 2011-01-17 02:41:02.000000000 -0500
49868 @@ -90,6 +90,18 @@ int __request_module(bool wait, const ch
49869 if (ret)
49870 return ret;
49871
49872 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
49873 + /* we could do a tighter check here, but some distros
49874 + are taking it upon themselves to remove CAP_SYS_MODULE
49875 + from even root-running apps which cause modules to be
49876 + auto-loaded
49877 + */
49878 + if (current_uid()) {
49879 + gr_log_nonroot_mod_load(module_name);
49880 + return -EPERM;
49881 + }
49882 +#endif
49883 +
49884 /* If modprobe needs a service that is in a module, we get a recursive
49885 * loop. Limit the number of running kmod threads to max_threads/2 or
49886 * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method
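Review bot: The MODHARDEN check denies on the real uid, so a setuid-root program started by an ordinary user (euid 0, uid != 0) is refused module autoloading too, and the comment only explains why `CAP_SYS_MODULE` is not used, not this. Extend it, e.g. `/* keyed on the real uid: setuid-root helpers invoked by users are refused as well */`, so the behaviour is not later mistaken for a bug. Placing the test after the existing `if (ret) return ret;` looks right, since whatever set `ret` just above (presumably the LSM module-request hook, outside the hunk) still runs first. `__request_module()` starts and ends outside this hunk.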
49887 diff -urNp linux-2.6.37/kernel/kprobes.c linux-2.6.37/kernel/kprobes.c
49888 --- linux-2.6.37/kernel/kprobes.c 2011-01-04 19:50:19.000000000 -0500
49889 +++ linux-2.6.37/kernel/kprobes.c 2011-01-17 02:41:02.000000000 -0500
49890 @@ -185,7 +185,7 @@ static kprobe_opcode_t __kprobes *__get_
49891 * kernel image and loaded module images reside. This is required
49892 * so x86_64 can correctly handle the %rip-relative fixups.
49893 */
49894 - kip->insns = module_alloc(PAGE_SIZE);
49895 + kip->insns = module_alloc_exec(PAGE_SIZE);
49896 if (!kip->insns) {
49897 kfree(kip);
49898 return NULL;
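Review bot: `kip->insns` now comes from `module_alloc_exec()`, i.e. memory that is read-only+exec under KERNEXEC, but the instruction bytes are copied into the slot later by arch code that is not part of this hunk; every such write must be wrapped in `pax_open_kernel()`/`pax_close_kernel()` or the first probe registration will fault. Confirm the arch/x86 kprobes hunk of this patch does that. A comment on the allocation would help, e.g. `/* RX under KERNEXEC: whoever fills a slot must open the kernel first */`. `__get_insn_slot()` continues past the hunk.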
49899 @@ -225,7 +225,7 @@ static int __kprobes collect_one_slot(st
49900 */
49901 if (!list_is_singular(&kip->list)) {
49902 list_del(&kip->list);
49903 - module_free(NULL, kip->insns);
49904 + module_free_exec(NULL, kip->insns);
49905 kfree(kip);
49906 }
49907 return 1;
49908 @@ -1724,7 +1724,7 @@ static int __init init_kprobes(void)
49909 {
49910 int i, err = 0;
49911 unsigned long offset = 0, size = 0;
49912 - char *modname, namebuf[128];
49913 + char *modname, namebuf[KSYM_NAME_LEN];
49914 const char *symbol_name;
49915 void *addr;
49916 struct kprobe_blackpoint *kb;
49917 @@ -1850,7 +1850,7 @@ static int __kprobes show_kprobe_addr(st
49918 const char *sym = NULL;
49919 unsigned int i = *(loff_t *) v;
49920 unsigned long offset = 0;
49921 - char *modname, namebuf[128];
49922 + char *modname, namebuf[KSYM_NAME_LEN];
49923
49924 head = &kprobe_table[i];
49925 preempt_disable();
49926 diff -urNp linux-2.6.37/kernel/lockdep.c linux-2.6.37/kernel/lockdep.c
49927 --- linux-2.6.37/kernel/lockdep.c 2011-01-04 19:50:19.000000000 -0500
49928 +++ linux-2.6.37/kernel/lockdep.c 2011-01-17 02:41:02.000000000 -0500
49929 @@ -571,6 +571,10 @@ static int static_obj(void *obj)
49930 end = (unsigned long) &_end,
49931 addr = (unsigned long) obj;
49932
49933 +#ifdef CONFIG_PAX_KERNEXEC
49934 + start = ktla_ktva(start);
49935 +#endif
49936 +
49937 /*
49938 * static variable?
49939 */
49940 @@ -706,6 +710,7 @@ register_lock_class(struct lockdep_map *
49941 if (!static_obj(lock->key)) {
49942 debug_locks_off();
49943 printk("INFO: trying to register non-static key.\n");
49944 + printk("lock:%pS key:%pS.\n", lock, lock->key);
49945 printk("the code is fine but needs lockdep annotation.\n");
49946 printk("turning off the locking correctness validator.\n");
49947 dump_stack();
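Review bot: The added `printk("lock:%pS key:%pS.\n", lock, lock->key);` prints two raw kernel addresses with `%pS`, whereas the panic.c hunks in this same patch switch comparable diagnostics from `%pS` to `%pA`, presumably the HIDESYM-aware specifier; if `%pA` is the policy for new output, use it here too: `printk("lock:%pA key:%pA.\n", lock, lock->key);`. `%pS` on `lock` (a data pointer) will print symbol+offset of the nearest symbol, which is only meaningful when the lock is static, which is exactly what this branch reports it is not. `register_lock_class()` continues outside the hunk.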
49948 @@ -2768,7 +2773,7 @@ static int __lock_acquire(struct lockdep
49949 if (!class)
49950 return 0;
49951 }
49952 - atomic_inc((atomic_t *)&class->ops);
49953 + atomic_inc_unchecked((atomic_unchecked_t *)&class->ops);
49954 if (very_verbose(class)) {
49955 printk("\nacquire class [%p] %s", class->key, class->name);
49956 if (class->name_version > 1)
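Review bot: The switch to `atomic_inc_unchecked()` on `class->ops` is reasonable for a statistics counter that may legitimately wrap, but nothing at the call site says so; add `/* ops is a pure statistic: wrapping is harmless, so opt out of overflow checking */` above it. The cast from the field's real type to `atomic_unchecked_t *` is inherited from the original `atomic_t *` cast, but it now hides a type distinction that matters; declaring the field with the right type in the header would remove the cast. `__lock_acquire()` continues past the hunk.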
49957 diff -urNp linux-2.6.37/kernel/lockdep_proc.c linux-2.6.37/kernel/lockdep_proc.c
49958 --- linux-2.6.37/kernel/lockdep_proc.c 2011-01-04 19:50:19.000000000 -0500
49959 +++ linux-2.6.37/kernel/lockdep_proc.c 2011-01-17 02:41:02.000000000 -0500
49960 @@ -39,7 +39,7 @@ static void l_stop(struct seq_file *m, v
49961
49962 static void print_name(struct seq_file *m, struct lock_class *class)
49963 {
49964 - char str[128];
49965 + char str[KSYM_NAME_LEN];
49966 const char *name = class->name;
49967
49968 if (!name) {
49969 diff -urNp linux-2.6.37/kernel/module.c linux-2.6.37/kernel/module.c
49970 --- linux-2.6.37/kernel/module.c 2011-01-04 19:50:19.000000000 -0500
49971 +++ linux-2.6.37/kernel/module.c 2011-01-17 02:41:02.000000000 -0500
49972 @@ -97,7 +97,8 @@ static BLOCKING_NOTIFIER_HEAD(module_not
49973
49974 /* Bounds of module allocation, for speeding __module_address.
49975 * Protected by module_mutex. */
49976 -static unsigned long module_addr_min = -1UL, module_addr_max = 0;
49977 +static unsigned long module_addr_min_rw = -1UL, module_addr_max_rw = 0;
49978 +static unsigned long module_addr_min_rx = -1UL, module_addr_max_rx = 0;
49979
49980 int register_module_notifier(struct notifier_block * nb)
49981 {
49982 @@ -261,7 +262,7 @@ bool each_symbol(bool (*fn)(const struct
49983 return true;
49984
49985 list_for_each_entry_rcu(mod, &modules, list) {
49986 - struct symsearch arr[] = {
49987 + struct symsearch modarr[] = {
49988 { mod->syms, mod->syms + mod->num_syms, mod->crcs,
49989 NOT_GPL_ONLY, false },
49990 { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
49991 @@ -283,7 +284,7 @@ bool each_symbol(bool (*fn)(const struct
49992 #endif
49993 };
49994
49995 - if (each_symbol_in_section(arr, ARRAY_SIZE(arr), mod, fn, data))
49996 + if (each_symbol_in_section(modarr, ARRAY_SIZE(modarr), mod, fn, data))
49997 return true;
49998 }
49999 return false;
50000 @@ -394,7 +395,7 @@ static inline void __percpu *mod_percpu(
50001 static int percpu_modalloc(struct module *mod,
50002 unsigned long size, unsigned long align)
50003 {
50004 - if (align > PAGE_SIZE) {
50005 + if (align-1 >= PAGE_SIZE) {
50006 printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
50007 mod->name, align, PAGE_SIZE);
50008 align = PAGE_SIZE;
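Review bot: `align-1 >= PAGE_SIZE` is equivalent to the old `align > PAGE_SIZE` for every `align >= 1`, so the only behavioural difference is `align == 0`, where the unsigned wrap makes the test true and the warning then prints `per-cpu alignment 0 > 4096`, which is misleading. If catching a zero alignment is the intent, write it explicitly: `if (align == 0 || align > PAGE_SIZE) {` with a comment `/* 0 is not a valid alignment; clamp it like an oversized one */`, and consider whether a zero align should rather fail the load than be silently promoted to PAGE_SIZE. `percpu_modalloc()` continues past the hunk.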
50009 @@ -1566,15 +1567,18 @@ static void free_module(struct module *m
50010 destroy_params(mod->kp, mod->num_kp);
50011
50012 /* This may be NULL, but that's OK */
50013 - module_free(mod, mod->module_init);
50014 + module_free(mod, mod->module_init_rw);
50015 + module_free_exec(mod, mod->module_init_rx);
50016 kfree(mod->args);
50017 percpu_modfree(mod);
50018
50019 /* Free lock-classes: */
50020 - lockdep_free_key_range(mod->module_core, mod->core_size);
50021 + lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
50022 + lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
50023
50024 /* Finally, free the core (containing the module structure) */
50025 - module_free(mod, mod->module_core);
50026 + module_free_exec(mod, mod->module_core_rx);
50027 + module_free(mod, mod->module_core_rw);
50028
50029 #ifdef CONFIG_MPU
50030 update_protections(current->mm);
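Review bot: The teardown frees `module_core_rx` before `module_core_rw` while passing `mod` to both, which is only safe if the `struct module` itself lives in the RW core (its section is writable data, so presumably it does). A comment on the last two frees, e.g. `/* mod lives in the RW core: free the RX half first, the RW half last */`, would pin that ordering for whoever touches this next. `free_module()` starts and ends outside this hunk.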
50031 @@ -1667,7 +1671,9 @@ static int simplify_symbols(struct modul
50032 ksym = resolve_symbol_wait(mod, info, name);
50033 /* Ok if resolved. */
50034 if (ksym && !IS_ERR(ksym)) {
50035 + pax_open_kernel();
50036 sym[i].st_value = ksym->value;
50037 + pax_close_kernel();
50038 break;
50039 }
50040
50041 @@ -1686,7 +1692,9 @@ static int simplify_symbols(struct modul
50042 secbase = (unsigned long)mod_percpu(mod);
50043 else
50044 secbase = info->sechdrs[sym[i].st_shndx].sh_addr;
50045 + pax_open_kernel();
50046 sym[i].st_value += secbase;
50047 + pax_close_kernel();
50048 break;
50049 }
50050 }
50051 @@ -1774,11 +1782,12 @@ static void layout_sections(struct modul
50052 || s->sh_entsize != ~0UL
50053 || strstarts(sname, ".init"))
50054 continue;
50055 - s->sh_entsize = get_offset(mod, &mod->core_size, s, i);
50056 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
50057 + s->sh_entsize = get_offset(mod, &mod->core_size_rw, s, i);
50058 + else
50059 + s->sh_entsize = get_offset(mod, &mod->core_size_rx, s, i);
50060 DEBUGP("\t%s\n", name);
50061 }
50062 - if (m == 0)
50063 - mod->core_text_size = mod->core_size;
50064 }
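Review bot: The new split sends every non-writable `SHF_ALLOC` section, including `.rodata` and string sections, into `core_size_rx`, so constant data ends up in executable memory rather than merely read-only; that is a deliberate KERNEXEC trade-off but deserves a comment at the condition, e.g. `/* anything not writable (text AND rodata) goes into the RX block; there is no separate RO region */`. The `|| !(s->sh_flags & SHF_ALLOC)` half of the condition also looks dead, since the masks loop above (outside the hunk) appears to skip non-ALLOC sections already; confirm and drop it if so. Removing the `m == 0` `core_text_size` bookkeeping is consistent with the rx/rw split carrying that distinction now. `layout_sections()` starts outside the hunk.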
50065
50066 DEBUGP("Init section allocation order:\n");
50067 @@ -1792,12 +1801,13 @@ static void layout_sections(struct modul
50068 || s->sh_entsize != ~0UL
50069 || !strstarts(sname, ".init"))
50070 continue;
50071 - s->sh_entsize = (get_offset(mod, &mod->init_size, s, i)
50072 - | INIT_OFFSET_MASK);
50073 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
50074 + s->sh_entsize = get_offset(mod, &mod->init_size_rw, s, i);
50075 + else
50076 + s->sh_entsize = get_offset(mod, &mod->init_size_rx, s, i);
50077 + s->sh_entsize |= INIT_OFFSET_MASK;
50078 DEBUGP("\t%s\n", sname);
50079 }
50080 - if (m == 0)
50081 - mod->init_text_size = mod->init_size;
50082 }
50083 }
50084
50085 @@ -1965,7 +1975,7 @@ static void layout_symtab(struct module
50086
50087 /* Put symbol section at end of init part of module. */
50088 symsect->sh_flags |= SHF_ALLOC;
50089 - symsect->sh_entsize = get_offset(mod, &mod->init_size, symsect,
50090 + symsect->sh_entsize = get_offset(mod, &mod->init_size_rx, symsect,
50091 info->index.sym) | INIT_OFFSET_MASK;
50092 DEBUGP("\t%s\n", info->secstrings + symsect->sh_name);
50093
50094 @@ -1982,19 +1992,19 @@ static void layout_symtab(struct module
50095 }
50096
50097 /* Append room for core symbols at end of core part. */
50098 - info->symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
50099 - mod->core_size = info->symoffs + ndst * sizeof(Elf_Sym);
50100 + info->symoffs = ALIGN(mod->core_size_rx, symsect->sh_addralign ?: 1);
50101 + mod->core_size_rx = info->symoffs + ndst * sizeof(Elf_Sym);
50102
50103 /* Put string table section at end of init part of module. */
50104 strsect->sh_flags |= SHF_ALLOC;
50105 - strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect,
50106 + strsect->sh_entsize = get_offset(mod, &mod->init_size_rx, strsect,
50107 info->index.str) | INIT_OFFSET_MASK;
50108 DEBUGP("\t%s\n", info->secstrings + strsect->sh_name);
50109
50110 /* Append room for core symbols' strings at end of core part. */
50111 - info->stroffs = mod->core_size;
50112 + info->stroffs = mod->core_size_rx;
50113 __set_bit(0, info->strmap);
50114 - mod->core_size += bitmap_weight(info->strmap, strsect->sh_size);
50115 + mod->core_size_rx += bitmap_weight(info->strmap, strsect->sh_size);
50116 }
50117
50118 static void add_kallsyms(struct module *mod, const struct load_info *info)
50119 @@ -2010,11 +2020,13 @@ static void add_kallsyms(struct module *
50120 /* Make sure we get permanent strtab: don't use info->strtab. */
50121 mod->strtab = (void *)info->sechdrs[info->index.str].sh_addr;
50122
50123 + pax_open_kernel();
50124 +
50125 /* Set types up while we still have access to sections. */
50126 for (i = 0; i < mod->num_symtab; i++)
50127 mod->symtab[i].st_info = elf_type(&mod->symtab[i], info);
50128
50129 - mod->core_symtab = dst = mod->module_core + info->symoffs;
50130 + mod->core_symtab = dst = mod->module_core_rx + info->symoffs;
50131 src = mod->symtab;
50132 *dst = *src;
50133 for (ndst = i = 1; i < mod->num_symtab; ++i, ++src) {
50134 @@ -2027,10 +2039,12 @@ static void add_kallsyms(struct module *
50135 }
50136 mod->core_num_syms = ndst;
50137
50138 - mod->core_strtab = s = mod->module_core + info->stroffs;
50139 + mod->core_strtab = s = mod->module_core_rx + info->stroffs;
50140 for (*s = 0, i = 1; i < info->sechdrs[info->index.str].sh_size; ++i)
50141 if (test_bit(i, info->strmap))
50142 *++s = mod->strtab[i];
50143 +
50144 + pax_close_kernel();
50145 }
50146 #else
50147 static inline void layout_symtab(struct module *mod, struct load_info *info)
50148 @@ -2059,17 +2073,33 @@ static void dynamic_debug_remove(struct
50149 ddebug_remove_module(debug->modname);
50150 }
50151
50152 -static void *module_alloc_update_bounds(unsigned long size)
50153 +static void *module_alloc_update_bounds_rw(unsigned long size)
50154 {
50155 void *ret = module_alloc(size);
50156
50157 if (ret) {
50158 mutex_lock(&module_mutex);
50159 /* Update module bounds. */
50160 - if ((unsigned long)ret < module_addr_min)
50161 - module_addr_min = (unsigned long)ret;
50162 - if ((unsigned long)ret + size > module_addr_max)
50163 - module_addr_max = (unsigned long)ret + size;
50164 + if ((unsigned long)ret < module_addr_min_rw)
50165 + module_addr_min_rw = (unsigned long)ret;
50166 + if ((unsigned long)ret + size > module_addr_max_rw)
50167 + module_addr_max_rw = (unsigned long)ret + size;
50168 + mutex_unlock(&module_mutex);
50169 + }
50170 + return ret;
50171 +}
50172 +
50173 +static void *module_alloc_update_bounds_rx(unsigned long size)
50174 +{
50175 + void *ret = module_alloc_exec(size);
50176 +
50177 + if (ret) {
50178 + mutex_lock(&module_mutex);
50179 + /* Update module bounds. */
50180 + if ((unsigned long)ret < module_addr_min_rx)
50181 + module_addr_min_rx = (unsigned long)ret;
50182 + if ((unsigned long)ret + size > module_addr_max_rx)
50183 + module_addr_max_rx = (unsigned long)ret + size;
50184 mutex_unlock(&module_mutex);
50185 }
50186 return ret;
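Review bot: `module_alloc_update_bounds_rw()` and `module_alloc_update_bounds_rx()` are line-for-line duplicates that differ only in the allocator and the bounds pair, so the bounds update should be a shared helper; it keeps the `module_mutex` locking in one place and stops the two copies drifting. Sketch below; as in the original, it assumes the caller does not already hold `module_mutex`.
```c
/* Widen [*min, *max) to cover [ret, ret + size); no-op on a failed allocation. */
static void module_update_bounds(void *ret, unsigned long size,
				 unsigned long *min, unsigned long *max)
{
	if (!ret)
		return;
	mutex_lock(&module_mutex);
	if ((unsigned long)ret < *min)
		*min = (unsigned long)ret;
	if ((unsigned long)ret + size > *max)
		*max = (unsigned long)ret + size;
	mutex_unlock(&module_mutex);
}

static void *module_alloc_update_bounds_rw(unsigned long size)
{
	void *ret = module_alloc(size);

	module_update_bounds(ret, size, &module_addr_min_rw, &module_addr_max_rw);
	return ret;
}

static void *module_alloc_update_bounds_rx(unsigned long size)
{
	void *ret = module_alloc_exec(size);

	module_update_bounds(ret, size, &module_addr_min_rx, &module_addr_max_rx);
	return ret;
}
```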
50187 @@ -2362,7 +2392,7 @@ static int move_module(struct module *mo
50188 void *ptr;
50189
50190 /* Do the allocs. */
50191 - ptr = module_alloc_update_bounds(mod->core_size);
50192 + ptr = module_alloc_update_bounds_rw(mod->core_size_rw);
50193 /*
50194 * The pointer to this block is stored in the module structure
50195 * which is inside the block. Just mark it as not being a
50196 @@ -2372,23 +2402,50 @@ static int move_module(struct module *mo
50197 if (!ptr)
50198 return -ENOMEM;
50199
50200 - memset(ptr, 0, mod->core_size);
50201 - mod->module_core = ptr;
50202 + memset(ptr, 0, mod->core_size_rw);
50203 + mod->module_core_rw = ptr;
50204
50205 - ptr = module_alloc_update_bounds(mod->init_size);
50206 + ptr = module_alloc_update_bounds_rw(mod->init_size_rw);
50207 /*
50208 * The pointer to this block is stored in the module structure
50209 * which is inside the block. This block doesn't need to be
50210 * scanned as it contains data and code that will be freed
50211 * after the module is initialized.
50212 */
50213 - kmemleak_ignore(ptr);
50214 - if (!ptr && mod->init_size) {
50215 - module_free(mod, mod->module_core);
50216 + kmemleak_not_leak(ptr);
50217 + if (!ptr && mod->init_size_rw) {
50218 + module_free(mod, mod->module_core_rw);
50219 + return -ENOMEM;
50220 + }
50221 + memset(ptr, 0, mod->init_size_rw);
50222 + mod->module_init_rw = ptr;
50223 +
50224 + ptr = module_alloc_update_bounds_rx(mod->core_size_rx);
50225 + kmemleak_not_leak(ptr);
50226 + if (!ptr) {
50227 + module_free(mod, mod->module_init_rw);
50228 + module_free(mod, mod->module_core_rw);
50229 return -ENOMEM;
50230 }
50231 - memset(ptr, 0, mod->init_size);
50232 - mod->module_init = ptr;
50233 +
50234 + pax_open_kernel();
50235 + memset(ptr, 0, mod->core_size_rx);
50236 + pax_close_kernel();
50237 + mod->module_core_rx = ptr;
50238 +
50239 + ptr = module_alloc_update_bounds_rx(mod->init_size_rx);
50240 + kmemleak_not_leak(ptr);
50241 + if (!ptr && mod->init_size_rx) {
50242 + module_free_exec(mod, mod->module_core_rx);
50243 + module_free(mod, mod->module_init_rw);
50244 + module_free(mod, mod->module_core_rw);
50245 + return -ENOMEM;
50246 + }
50247 +
50248 + pax_open_kernel();
50249 + memset(ptr, 0, mod->init_size_rx);
50250 + pax_close_kernel();
50251 + mod->module_init_rx = ptr;
50252
50253 /* Transfer each section which specifies SHF_ALLOC */
50254 DEBUGP("final section addresses:\n");
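Review bot: The init block's `kmemleak_ignore(ptr)` becomes `kmemleak_not_leak(ptr)`, but the comment kept above it still says the block "doesn't need to be scanned"; `kmemleak_ignore()` excludes an object from scanning whereas `kmemleak_not_leak()`, as far as I recall, only suppresses the leak report and keeps scanning, so either the comment or the call is now wrong. Update the comment or restore `kmemleak_ignore()`. The four allocations now unwind by hand in three places; the usual kernel shape is a `goto` ladder, sketched below. `move_module()` continues past the hunk.
```c
	ptr = module_alloc_update_bounds_rw(mod->init_size_rw);
	/* … unchanged: kmemleak annotation (see note) … */
	if (!ptr && mod->init_size_rw)
		goto free_core_rw;
	/* … unchanged: memset, mod->module_init_rw = ptr … */

	ptr = module_alloc_update_bounds_rx(mod->core_size_rx);
	kmemleak_not_leak(ptr);
	if (!ptr)
		goto free_init_rw;
	/* … unchanged: pax_open_kernel()/memset/pax_close_kernel(), mod->module_core_rx = ptr … */

	ptr = module_alloc_update_bounds_rx(mod->init_size_rx);
	kmemleak_not_leak(ptr);
	if (!ptr && mod->init_size_rx)
		goto free_core_rx;
	/* … unchanged: init_rx memset/assign, section copy loop, return 0 … */

free_core_rx:
	module_free_exec(mod, mod->module_core_rx);
free_init_rw:
	module_free(mod, mod->module_init_rw);
free_core_rw:
	module_free(mod, mod->module_core_rw);
	return -ENOMEM;
```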
50255 @@ -2399,16 +2456,45 @@ static int move_module(struct module *mo
50256 if (!(shdr->sh_flags & SHF_ALLOC))
50257 continue;
50258
50259 - if (shdr->sh_entsize & INIT_OFFSET_MASK)
50260 - dest = mod->module_init
50261 - + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
50262 - else
50263 - dest = mod->module_core + shdr->sh_entsize;
50264 + if (shdr->sh_entsize & INIT_OFFSET_MASK) {
50265 + if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
50266 + dest = mod->module_init_rw
50267 + + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
50268 + else
50269 + dest = mod->module_init_rx
50270 + + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
50271 + } else {
50272 + if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
50273 + dest = mod->module_core_rw + shdr->sh_entsize;
50274 + else
50275 + dest = mod->module_core_rx + shdr->sh_entsize;
50276 + }
50277 +
50278 + if (shdr->sh_type != SHT_NOBITS) {
50279 +
50280 +#ifdef CONFIG_PAX_KERNEXEC
50281 +#ifdef CONFIG_X86_64
50282 + if ((shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_EXECINSTR))
50283 + set_memory_x((unsigned long)dest, (shdr->sh_size + PAGE_SIZE) >> PAGE_SHIFT);
50284 +#endif
50285 + if (!(shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_ALLOC)) {
50286 + pax_open_kernel();
50287 + memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
50288 + pax_close_kernel();
50289 + } else
50290 +#endif
50291
50292 - if (shdr->sh_type != SHT_NOBITS)
50293 memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
50294 + }
50295 /* Update sh_addr to point to copy in image. */
50296 - shdr->sh_addr = (unsigned long)dest;
50297 +
50298 +#ifdef CONFIG_PAX_KERNEXEC
50299 + if (shdr->sh_flags & SHF_EXECINSTR)
50300 + shdr->sh_addr = ktva_ktla((unsigned long)dest);
50301 + else
50302 +#endif
50303 +
50304 + shdr->sh_addr = (unsigned long)dest;
50305 DEBUGP("\t0x%lx %s\n",
50306 shdr->sh_addr, info->secstrings + shdr->sh_name);
50307 }
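Review bot: The x86_64 `set_memory_x()` call marks the pages of any section that is both `SHF_WRITE` and `SHF_EXECINSTR` executable, creating a W+X mapping inside `module_core_rw`; because protection is per page, neighbouring RW data sections sharing those pages become executable too, and nothing reports which module or section caused it. `dest` is also not page-aligned here (it is a `get_offset()` result), and if I recall correctly `change_page_attr_set_clr()` warns once on unaligned addresses, while `(sh_size + PAGE_SIZE) >> PAGE_SHIFT` is only an approximate page count. Align explicitly, size from the aligned range and log the exception, as sketched below. `move_module()` continues past the hunk.
```c
#ifdef CONFIG_X86_64
			if ((shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_EXECINSTR)) {
				unsigned long start = (unsigned long)dest & PAGE_MASK;
				unsigned long end = PAGE_ALIGN((unsigned long)dest + shdr->sh_size);

				/* W+X exception: whole pages, so adjacent RW data turns executable too */
				printk(KERN_WARNING "%s: section %s is writable and executable\n",
				       mod->name, info->secstrings + shdr->sh_name);
				set_memory_x(start, (end - start) >> PAGE_SHIFT);
			}
#endif
```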
50308 @@ -2459,12 +2545,12 @@ static void flush_module_icache(const st
50309 * Do it before processing of module parameters, so the module
50310 * can provide parameter accessor functions of its own.
50311 */
50312 - if (mod->module_init)
50313 - flush_icache_range((unsigned long)mod->module_init,
50314 - (unsigned long)mod->module_init
50315 - + mod->init_size);
50316 - flush_icache_range((unsigned long)mod->module_core,
50317 - (unsigned long)mod->module_core + mod->core_size);
50318 + if (mod->module_init_rx)
50319 + flush_icache_range((unsigned long)mod->module_init_rx,
50320 + (unsigned long)mod->module_init_rx
50321 + + mod->init_size_rx);
50322 + flush_icache_range((unsigned long)mod->module_core_rx,
50323 + (unsigned long)mod->module_core_rx + mod->core_size_rx);
50324
50325 set_fs(old_fs);
50326 }
50327 @@ -2536,8 +2622,10 @@ static void module_deallocate(struct mod
50328 {
50329 kfree(info->strmap);
50330 percpu_modfree(mod);
50331 - module_free(mod, mod->module_init);
50332 - module_free(mod, mod->module_core);
50333 + module_free_exec(mod, mod->module_init_rx);
50334 + module_free_exec(mod, mod->module_core_rx);
50335 + module_free(mod, mod->module_init_rw);
50336 + module_free(mod, mod->module_core_rw);
50337 }
50338
50339 static int post_relocation(struct module *mod, const struct load_info *info)
50340 @@ -2765,10 +2853,12 @@ SYSCALL_DEFINE3(init_module, void __user
50341 mod->symtab = mod->core_symtab;
50342 mod->strtab = mod->core_strtab;
50343 #endif
50344 - module_free(mod, mod->module_init);
50345 - mod->module_init = NULL;
50346 - mod->init_size = 0;
50347 - mod->init_text_size = 0;
50348 + module_free(mod, mod->module_init_rw);
50349 + module_free_exec(mod, mod->module_init_rx);
50350 + mod->module_init_rw = NULL;
50351 + mod->module_init_rx = NULL;
50352 + mod->init_size_rw = 0;
50353 + mod->init_size_rx = 0;
50354 mutex_unlock(&module_mutex);
50355
50356 return 0;
50357 @@ -2799,10 +2889,16 @@ static const char *get_ksymbol(struct mo
50358 unsigned long nextval;
50359
50360 /* At worse, next value is at end of module */
50361 - if (within_module_init(addr, mod))
50362 - nextval = (unsigned long)mod->module_init+mod->init_text_size;
50363 + if (within_module_init_rx(addr, mod))
50364 + nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
50365 + else if (within_module_init_rw(addr, mod))
50366 + nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
50367 + else if (within_module_core_rx(addr, mod))
50368 + nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
50369 + else if (within_module_core_rw(addr, mod))
50370 + nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
50371 else
50372 - nextval = (unsigned long)mod->module_core+mod->core_text_size;
50373 + return NULL;
50374
50375 /* Scan for closest preceeding symbol, and next symbol. (ELF
50376 starts real symbols at 1). */
50377 @@ -3048,7 +3144,7 @@ static int m_show(struct seq_file *m, vo
50378 char buf[8];
50379
50380 seq_printf(m, "%s %u",
50381 - mod->name, mod->init_size + mod->core_size);
50382 + mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
50383 print_unload_info(m, mod);
50384
50385 /* Informative for users. */
50386 @@ -3057,7 +3153,7 @@ static int m_show(struct seq_file *m, vo
50387 mod->state == MODULE_STATE_COMING ? "Loading":
50388 "Live");
50389 /* Used by oprofile and other similar tools. */
50390 - seq_printf(m, " 0x%p", mod->module_core);
50391 + seq_printf(m, " 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
50392
50393 /* Taints info */
50394 if (mod->taints)
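Review bot: `/proc/modules` now prints two addresses (`0x%p 0x%p`, RX core then RW core) where there was one, and the comment directly above, `/* Used by oprofile and other similar tools. */`, is precisely a warning that userspace parses this column; tools taking the sixth field as the load address now get the RX base, which is fine for text lookup, but anything counting fixed columns after it (the taints string) shifts. Say so in the comment, e.g. `/* Used by oprofile and similar tools: RX (text) base first, then the RW (data) base */`, and check that the HIDESYM handling of `%p` elsewhere in the patch covers this line, since both are kernel addresses exposed to readers. `m_show()` continues past the hunk.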
50395 @@ -3093,7 +3189,17 @@ static const struct file_operations proc
50396
50397 static int __init proc_modules_init(void)
50398 {
50399 +#ifndef CONFIG_GRKERNSEC_HIDESYM
50400 +#ifdef CONFIG_GRKERNSEC_PROC_USER
50401 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
50402 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50403 + proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
50404 +#else
50405 proc_create("modules", 0, NULL, &proc_modules_operations);
50406 +#endif
50407 +#else
50408 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
50409 +#endif
50410 return 0;
50411 }
50412 module_init(proc_modules_init);
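Review bot: The nested `#ifndef`/`#ifdef`/`#elif`/`#else`/`#else` ladder in `proc_modules_init()` encodes only three outcomes (owner-only, owner+group, world-readable) yet is hard to verify by eye; it flattens to one `#if` chain with identical results, sketched below. The two `S_IRUSR` branches merge because HIDESYM and PROC_USER both yield owner-only, and PROC_USERGROUP only applies when neither is set, exactly as before.
```c
static int __init proc_modules_init(void)
{
#if defined(CONFIG_GRKERNSEC_HIDESYM) || defined(CONFIG_GRKERNSEC_PROC_USER)
	proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
	proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
#else
	proc_create("modules", 0, NULL, &proc_modules_operations);
#endif
	return 0;
}
```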
50413 @@ -3152,12 +3258,12 @@ struct module *__module_address(unsigned
50414 {
50415 struct module *mod;
50416
50417 - if (addr < module_addr_min || addr > module_addr_max)
50418 + if ((addr < module_addr_min_rx || addr > module_addr_max_rx) &&
50419 + (addr < module_addr_min_rw || addr > module_addr_max_rw))
50420 return NULL;
50421
50422 list_for_each_entry_rcu(mod, &modules, list)
50423 - if (within_module_core(addr, mod)
50424 - || within_module_init(addr, mod))
50425 + if (within_module_init(addr, mod) || within_module_core(addr, mod))
50426 return mod;
50427 return NULL;
50428 }
50429 @@ -3191,11 +3297,20 @@ bool is_module_text_address(unsigned lon
50430 */
50431 struct module *__module_text_address(unsigned long addr)
50432 {
50433 - struct module *mod = __module_address(addr);
50434 + struct module *mod;
50435 +
50436 +#ifdef CONFIG_X86_32
50437 + addr = ktla_ktva(addr);
50438 +#endif
50439 +
50440 + if (addr < module_addr_min_rx || addr > module_addr_max_rx)
50441 + return NULL;
50442 +
50443 + mod = __module_address(addr);
50444 +
50445 if (mod) {
50446 /* Make sure it's within the text section. */
50447 - if (!within(addr, mod->module_init, mod->init_text_size)
50448 - && !within(addr, mod->module_core, mod->core_text_size))
50449 + if (!within_module_init_rx(addr, mod) && !within_module_core_rx(addr, mod))
50450 mod = NULL;
50451 }
50452 return mod;
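Review bot: `__module_text_address()` applies `ktla_ktva()` under a bare `#ifdef CONFIG_X86_32`, whereas the other uses in this patch gate the translation on `CONFIG_PAX_KERNEXEC` (kallsyms.c uses `defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)`, move_module uses `CONFIG_PAX_KERNEXEC`); if `ktla_ktva()` is the identity without KERNEXEC this is harmless, but the inconsistency invites a wrong edit later, so use `#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)` here too. The early `module_addr_min_rx`/`module_addr_max_rx` test duplicates the bounds check inside `__module_address()` for the RX half; a one-line comment that it is a fast reject for non-text addresses would justify keeping both. `__module_text_address()` is fully visible in this hunk.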
50453 diff -urNp linux-2.6.37/kernel/panic.c linux-2.6.37/kernel/panic.c
50454 --- linux-2.6.37/kernel/panic.c 2011-01-04 19:50:19.000000000 -0500
50455 +++ linux-2.6.37/kernel/panic.c 2011-01-17 02:41:02.000000000 -0500
50456 @@ -368,7 +368,7 @@ static void warn_slowpath_common(const c
50457 const char *board;
50458
50459 printk(KERN_WARNING "------------[ cut here ]------------\n");
50460 - printk(KERN_WARNING "WARNING: at %s:%d %pS()\n", file, line, caller);
50461 + printk(KERN_WARNING "WARNING: at %s:%d %pA()\n", file, line, caller);
50462 board = dmi_get_system_info(DMI_PRODUCT_NAME);
50463 if (board)
50464 printk(KERN_WARNING "Hardware name: %s\n", board);
50465 @@ -423,7 +423,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
50466 */
50467 void __stack_chk_fail(void)
50468 {
50469 - panic("stack-protector: Kernel stack is corrupted in: %p\n",
50470 + dump_stack();
50471 + panic("stack-protector: Kernel stack is corrupted in: %pA\n",
50472 __builtin_return_address(0));
50473 }
50474 EXPORT_SYMBOL(__stack_chk_fail);
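Review bot: `dump_stack()` is added before `panic()`, but `panic()` itself prints a backtrace when `CONFIG_DEBUG_BUGVERBOSE` is set (the common case), so most configurations now get two traces; if the intent is a trace even without BUGVERBOSE, say so: `/* panic() only dumps a trace with DEBUG_BUGVERBOSE; force one, the canary hit is our only evidence */`. Walking a frame whose canary is already corrupt is best-effort at best, which the comment could also acknowledge. The `%pA` specifier is introduced elsewhere in the patch and is not in view.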
50475 diff -urNp linux-2.6.37/kernel/pid.c linux-2.6.37/kernel/pid.c
50476 --- linux-2.6.37/kernel/pid.c 2011-01-04 19:50:19.000000000 -0500
50477 +++ linux-2.6.37/kernel/pid.c 2011-01-17 02:41:02.000000000 -0500
50478 @@ -33,6 +33,7 @@
50479 #include <linux/rculist.h>
50480 #include <linux/bootmem.h>
50481 #include <linux/hash.h>
50482 +#include <linux/security.h>
50483 #include <linux/pid_namespace.h>
50484 #include <linux/init_task.h>
50485 #include <linux/syscalls.h>
50486 @@ -45,7 +46,7 @@ struct pid init_struct_pid = INIT_STRUCT
50487
50488 int pid_max = PID_MAX_DEFAULT;
50489
50490 -#define RESERVED_PIDS 300
50491 +#define RESERVED_PIDS 500
50492
50493 int pid_max_min = RESERVED_PIDS + 1;
50494 int pid_max_max = PID_MAX_LIMIT;
50495 @@ -416,8 +417,15 @@ EXPORT_SYMBOL(pid_task);
50496 */
50497 struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
50498 {
50499 + struct task_struct *task;
50500 +
50501 rcu_lockdep_assert(rcu_read_lock_held());
50502 - return pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
50503 + task = pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
50504 +
50505 + if (gr_pid_is_chrooted(task))
50506 + return NULL;
50507 +
50508 + return task;
50509 }
50510
50511 struct task_struct *find_task_by_vpid(pid_t vnr)
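Review bot: `pid_task()` returns NULL for an unknown or exited pid, and that NULL is now passed straight into `gr_pid_is_chrooted(task)`; the helper is not in view, so either it must tolerate NULL or the call needs `if (task && gr_pid_is_chrooted(task)) return NULL;`. Filtering in `find_task_by_pid_ns()` also hides the affected tasks from every in-kernel lookup that goes through it — signal delivery, ptrace attach, /proc — not just from user-visible listings, which may be intended but deserves a comment stating the policy, e.g. `/* grsec chroot policy: filtered at the lowest lookup so every caller sees the same view */`. `find_task_by_pid_ns()` is fully visible in this hunk.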
50512 diff -urNp linux-2.6.37/kernel/posix-cpu-timers.c linux-2.6.37/kernel/posix-cpu-timers.c
50513 --- linux-2.6.37/kernel/posix-cpu-timers.c 2011-01-04 19:50:19.000000000 -0500
50514 +++ linux-2.6.37/kernel/posix-cpu-timers.c 2011-01-17 02:41:02.000000000 -0500
50515 @@ -6,6 +6,7 @@
50516 #include <linux/posix-timers.h>
50517 #include <linux/errno.h>
50518 #include <linux/math64.h>
50519 +#include <linux/security.h>
50520 #include <asm/uaccess.h>
50521 #include <linux/kernel_stat.h>
50522 #include <trace/events/timer.h>
50523 diff -urNp linux-2.6.37/kernel/posix-timers.c linux-2.6.37/kernel/posix-timers.c
50524 --- linux-2.6.37/kernel/posix-timers.c 2011-01-04 19:50:19.000000000 -0500
50525 +++ linux-2.6.37/kernel/posix-timers.c 2011-01-17 02:41:02.000000000 -0500
50526 @@ -42,6 +42,7 @@
50527 #include <linux/compiler.h>
50528 #include <linux/idr.h>
50529 #include <linux/posix-timers.h>
50530 +#include <linux/grsecurity.h>
50531 #include <linux/syscalls.h>
50532 #include <linux/wait.h>
50533 #include <linux/workqueue.h>
50534 @@ -949,6 +950,13 @@ SYSCALL_DEFINE2(clock_settime, const clo
50535 if (copy_from_user(&new_tp, tp, sizeof (*tp)))
50536 return -EFAULT;
50537
50538 + /* only the CLOCK_REALTIME clock can be set, all other clocks
50539 + have their clock_set fptr set to a nosettime dummy function
50540 + CLOCK_REALTIME has a NULL clock_set fptr which causes it to
50541 + call common_clock_set, which calls do_sys_settimeofday, which
50542 + we hook
50543 + */
50544 +
50545 return CLOCK_DISPATCH(which_clock, clock_set, (which_clock, &new_tp));
50546 }
50547
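Review bot: the added comment does not follow the kernel's multi-line comment layout (`/*` on its own line, each continuation starting with ` * `, closing ` */`) and runs on as one unpunctuated sentence, which makes the chain of calls it describes hard to follow; reformat it as a block comment with one clause per line. The claim that `CLOCK_REALTIME` reaches `common_clock_set()` through a NULL `clock_set` cannot be checked from this hunk, so the comment should also point at where `CLOCK_DISPATCH` handles the NULL case.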
50548 diff -urNp linux-2.6.37/kernel/power/hibernate.c linux-2.6.37/kernel/power/hibernate.c
50549 --- linux-2.6.37/kernel/power/hibernate.c 2011-01-04 19:50:19.000000000 -0500
50550 +++ linux-2.6.37/kernel/power/hibernate.c 2011-01-17 02:41:02.000000000 -0500
50551 @@ -51,14 +51,14 @@ enum {
50552
50553 static int hibernation_mode = HIBERNATION_SHUTDOWN;
50554
50555 -static struct platform_hibernation_ops *hibernation_ops;
50556 +static const struct platform_hibernation_ops *hibernation_ops;
50557
50558 /**
50559 * hibernation_set_ops - set the global hibernate operations
50560 * @ops: the hibernation operations to use in subsequent hibernation transitions
50561 */
50562
50563 -void hibernation_set_ops(struct platform_hibernation_ops *ops)
50564 +void hibernation_set_ops(const struct platform_hibernation_ops *ops)
50565 {
50566 if (ops && !(ops->begin && ops->end && ops->pre_snapshot
50567 && ops->prepare && ops->finish && ops->enter && ops->pre_restore
50568 diff -urNp linux-2.6.37/kernel/power/poweroff.c linux-2.6.37/kernel/power/poweroff.c
50569 --- linux-2.6.37/kernel/power/poweroff.c 2011-01-04 19:50:19.000000000 -0500
50570 +++ linux-2.6.37/kernel/power/poweroff.c 2011-01-17 02:41:02.000000000 -0500
50571 @@ -37,7 +37,7 @@ static struct sysrq_key_op sysrq_powerof
50572 .enable_mask = SYSRQ_ENABLE_BOOT,
50573 };
50574
50575 -static int pm_sysrq_init(void)
50576 +static int __init pm_sysrq_init(void)
50577 {
50578 register_sysrq_key('o', &sysrq_poweroff_op);
50579 return 0;
50580 diff -urNp linux-2.6.37/kernel/power/process.c linux-2.6.37/kernel/power/process.c
50581 --- linux-2.6.37/kernel/power/process.c 2011-01-04 19:50:19.000000000 -0500
50582 +++ linux-2.6.37/kernel/power/process.c 2011-01-17 02:41:02.000000000 -0500
50583 @@ -41,6 +41,7 @@ static int try_to_freeze_tasks(bool sig_
50584 u64 elapsed_csecs64;
50585 unsigned int elapsed_csecs;
50586 bool wakeup = false;
50587 + bool timedout = false;
50588
50589 do_gettimeofday(&start);
50590
50591 @@ -51,6 +52,8 @@ static int try_to_freeze_tasks(bool sig_
50592
50593 while (true) {
50594 todo = 0;
50595 + if (time_after(jiffies, end_time))
50596 + timedout = true;
50597 read_lock(&tasklist_lock);
50598 do_each_thread(g, p) {
50599 if (frozen(p) || !freezeable(p))
50600 @@ -65,9 +68,13 @@ static int try_to_freeze_tasks(bool sig_
50601 * It is "frozen enough". If the task does wake
50602 * up, it will immediately call try_to_freeze.
50603 */
50604 - if (!task_is_stopped_or_traced(p) &&
50605 - !freezer_should_skip(p))
50606 + if (!task_is_stopped_or_traced(p) && !freezer_should_skip(p)) {
50607 todo++;
50608 + if (timedout) {
50609 + printk(KERN_ERR "Task refusing to freeze:\n");
50610 + sched_show_task(p);
50611 + }
50612 + }
50613 } while_each_thread(g, p);
50614 read_unlock(&tasklist_lock);
50615
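Review bot: `timedout` is sampled before the tasklist scan in the `@@ -51` hunk and only consumed by the break test in the `@@ -76` hunk, so once the deadline passes the loop performs one additional full pass whose sole purpose is the `sched_show_task(p)` report here; that is reasonable but not obvious, and a comment above `if (timedout)` such as `/* deadline already passed: report every task still refusing to freeze before giving up */` would explain it. Note that `sched_show_task()` prints a kernel backtrace at KERN_ERR for each unfrozen thread while `tasklist_lock` is held for reading, so on a system with many stuck threads the dump can be long. try_to_freeze_tasks() begins and ends outside these hunks.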
50616 @@ -76,7 +83,7 @@ static int try_to_freeze_tasks(bool sig_
50617 todo += wq_busy;
50618 }
50619
50620 - if (!todo || time_after(jiffies, end_time))
50621 + if (!todo || timedout)
50622 break;
50623
50624 if (!pm_check_wakeup_events()) {
50625 diff -urNp linux-2.6.37/kernel/power/suspend.c linux-2.6.37/kernel/power/suspend.c
50626 --- linux-2.6.37/kernel/power/suspend.c 2011-01-04 19:50:19.000000000 -0500
50627 +++ linux-2.6.37/kernel/power/suspend.c 2011-01-17 02:41:02.000000000 -0500
50628 @@ -30,13 +30,13 @@ const char *const pm_states[PM_SUSPEND_M
50629 [PM_SUSPEND_MEM] = "mem",
50630 };
50631
50632 -static struct platform_suspend_ops *suspend_ops;
50633 +static const struct platform_suspend_ops *suspend_ops;
50634
50635 /**
50636 * suspend_set_ops - Set the global suspend method table.
50637 * @ops: Pointer to ops structure.
50638 */
50639 -void suspend_set_ops(struct platform_suspend_ops *ops)
50640 +void suspend_set_ops(const struct platform_suspend_ops *ops)
50641 {
50642 mutex_lock(&pm_mutex);
50643 suspend_ops = ops;
50644 diff -urNp linux-2.6.37/kernel/printk.c linux-2.6.37/kernel/printk.c
50645 --- linux-2.6.37/kernel/printk.c 2011-01-04 19:50:19.000000000 -0500
50646 +++ linux-2.6.37/kernel/printk.c 2011-01-17 02:41:02.000000000 -0500
50647 @@ -274,6 +274,11 @@ int do_syslog(int type, char __user *buf
50648 char c;
50649 int error = 0;
50650
50651 +#ifdef CONFIG_GRKERNSEC_DMESG
50652 + if (grsec_enable_dmesg && !capable(CAP_SYS_ADMIN))
50653 + return -EPERM;
50654 +#endif
50655 +
50656 /*
50657 * If this is from /proc/kmsg we only do the capabilities checks
50658 * at open time.
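Review bot: the CONFIG_GRKERNSEC_DMESG check is placed before the `type` switch and before the comment explaining that /proc/kmsg readers are only capability-checked at open time, so with `grsec_enable_dmesg` set it rejects every syslog action for a caller without CAP_SYS_ADMIN, including the close/open actions and, as far as this view shows, reads through an already opened /proc/kmsg by a daemon that has since dropped the capability; the parameter list is truncated in the hunk header, so whether a separate from-file path exists cannot be confirmed here. If blanket denial is the intent, say so with `/* GRKERNSEC_DMESG: deny every syslog action, including /proc/kmsg reads, to unprivileged callers */`; otherwise gate the check on the read/consume action types only. do_syslog() continues outside the hunk.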
50659 diff -urNp linux-2.6.37/kernel/ptrace.c linux-2.6.37/kernel/ptrace.c
50660 --- linux-2.6.37/kernel/ptrace.c 2011-01-04 19:50:19.000000000 -0500
50661 +++ linux-2.6.37/kernel/ptrace.c 2011-01-17 02:41:02.000000000 -0500
50662 @@ -140,7 +140,7 @@ int __ptrace_may_access(struct task_stru
50663 cred->gid != tcred->egid ||
50664 cred->gid != tcred->sgid ||
50665 cred->gid != tcred->gid) &&
50666 - !capable(CAP_SYS_PTRACE)) {
50667 + !capable_nolog(CAP_SYS_PTRACE)) {
50668 rcu_read_unlock();
50669 return -EPERM;
50670 }
50671 @@ -148,7 +148,7 @@ int __ptrace_may_access(struct task_stru
50672 smp_rmb();
50673 if (task->mm)
50674 dumpable = get_dumpable(task->mm);
50675 - if (!dumpable && !capable(CAP_SYS_PTRACE))
50676 + if (!dumpable && !capable_nolog(CAP_SYS_PTRACE))
50677 return -EPERM;
50678
50679 return security_ptrace_access_check(task, mode);
50680 @@ -198,7 +198,7 @@ int ptrace_attach(struct task_struct *ta
50681 goto unlock_tasklist;
50682
50683 task->ptrace = PT_PTRACED;
50684 - if (capable(CAP_SYS_PTRACE))
50685 + if (capable_nolog(CAP_SYS_PTRACE))
50686 task->ptrace |= PT_PTRACE_CAP;
50687
50688 __ptrace_link(task, current);
50689 @@ -369,7 +369,7 @@ int ptrace_readdata(struct task_struct *
50690 break;
50691 return -EIO;
50692 }
50693 - if (copy_to_user(dst, buf, retval))
50694 + if (retval > sizeof(buf) || copy_to_user(dst, buf, retval))
50695 return -EFAULT;
50696 copied += retval;
50697 src += retval;
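Review bot: the `retval > sizeof(buf)` test at the changed line runs after `access_process_vm()` has already written `retval` bytes into `buf`, so if the requested length could ever exceed `sizeof(buf)` the stack overrun has happened before this check; the effective bound is the length computed before the call, which lies outside the hunk. Treat the new test as a sanity check and label it, e.g. `/* defensive: the request length is clamped to sizeof(buf) before the read */`, so nobody reads it as the primary bound. ptrace_readdata() starts before the hunk.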
50698 @@ -565,7 +565,7 @@ int ptrace_request(struct task_struct *c
50699 {
50700 int ret = -EIO;
50701 siginfo_t siginfo;
50702 - void __user *datavp = (void __user *) data;
50703 + void __user *datavp = (__force void __user *) data;
50704 unsigned long __user *datalp = datavp;
50705
50706 switch (request) {
50707 @@ -713,14 +713,21 @@ SYSCALL_DEFINE4(ptrace, long, request, l
50708 goto out;
50709 }
50710
50711 + if (gr_handle_ptrace(child, request)) {
50712 + ret = -EPERM;
50713 + goto out_put_task_struct;
50714 + }
50715 +
50716 if (request == PTRACE_ATTACH) {
50717 ret = ptrace_attach(child);
50718 /*
50719 * Some architectures need to do book-keeping after
50720 * a ptrace attach.
50721 */
50722 - if (!ret)
50723 + if (!ret) {
50724 arch_ptrace_attach(child);
50725 + gr_audit_ptrace(child);
50726 + }
50727 goto out_put_task_struct;
50728 }
50729
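Review bot: the `gr_handle_ptrace()` deny and the `gr_audit_ptrace()` call after a successful attach are duplicated verbatim in the compat_sys_ptrace() hunk (`@@ -855`), so the two entry points can drift apart; a small static helper that both call would keep the policy identical. The deny returns -EPERM for every request before the attach check further down (outside the hunk) runs, so presumably a tracer that already holds the child also gets EPERM on later requests if the policy changes; if that is intended, a one-line comment above the check saying so would help the next reader.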
50730 @@ -745,7 +752,7 @@ int generic_ptrace_peekdata(struct task_
50731 copied = access_process_vm(tsk, addr, &tmp, sizeof(tmp), 0);
50732 if (copied != sizeof(tmp))
50733 return -EIO;
50734 - return put_user(tmp, (unsigned long __user *)data);
50735 + return put_user(tmp, (__force unsigned long __user *)data);
50736 }
50737
50738 int generic_ptrace_pokedata(struct task_struct *tsk, unsigned long addr,
50739 @@ -855,14 +862,21 @@ asmlinkage long compat_sys_ptrace(compat
50740 goto out;
50741 }
50742
50743 + if (gr_handle_ptrace(child, request)) {
50744 + ret = -EPERM;
50745 + goto out_put_task_struct;
50746 + }
50747 +
50748 if (request == PTRACE_ATTACH) {
50749 ret = ptrace_attach(child);
50750 /*
50751 * Some architectures need to do book-keeping after
50752 * a ptrace attach.
50753 */
50754 - if (!ret)
50755 + if (!ret) {
50756 arch_ptrace_attach(child);
50757 + gr_audit_ptrace(child);
50758 + }
50759 goto out_put_task_struct;
50760 }
50761
50762 diff -urNp linux-2.6.37/kernel/rcutree.c linux-2.6.37/kernel/rcutree.c
50763 --- linux-2.6.37/kernel/rcutree.c 2011-01-04 19:50:19.000000000 -0500
50764 +++ linux-2.6.37/kernel/rcutree.c 2011-01-17 02:41:02.000000000 -0500
50765 @@ -1394,7 +1394,7 @@ __rcu_process_callbacks(struct rcu_state
50766 /*
50767 * Do softirq processing for the current CPU.
50768 */
50769 -static void rcu_process_callbacks(struct softirq_action *unused)
50770 +static void rcu_process_callbacks(void)
50771 {
50772 /*
50773 * Memory references from any prior RCU read-side critical sections
50774 diff -urNp linux-2.6.37/kernel/rcutree_plugin.h linux-2.6.37/kernel/rcutree_plugin.h
50775 --- linux-2.6.37/kernel/rcutree_plugin.h 2011-01-04 19:50:19.000000000 -0500
50776 +++ linux-2.6.37/kernel/rcutree_plugin.h 2011-01-17 02:41:02.000000000 -0500
50777 @@ -729,7 +729,7 @@ void synchronize_rcu_expedited(void)
50778
50779 /* Clean up and exit. */
50780 smp_mb(); /* ensure expedited GP seen before counter increment. */
50781 - ACCESS_ONCE(sync_rcu_preempt_exp_count)++;
50782 + ACCESS_ONCE_RW(sync_rcu_preempt_exp_count)++;
50783 unlock_mb_ret:
50784 mutex_unlock(&sync_rcu_preempt_exp_mutex);
50785 mb_ret:
50786 diff -urNp linux-2.6.37/kernel/resource.c linux-2.6.37/kernel/resource.c
50787 --- linux-2.6.37/kernel/resource.c 2011-01-04 19:50:19.000000000 -0500
50788 +++ linux-2.6.37/kernel/resource.c 2011-01-17 02:41:02.000000000 -0500
50789 @@ -133,8 +133,18 @@ static const struct file_operations proc
50790
50791 static int __init ioresources_init(void)
50792 {
50793 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
50794 +#ifdef CONFIG_GRKERNSEC_PROC_USER
50795 + proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
50796 + proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
50797 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50798 + proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
50799 + proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
50800 +#endif
50801 +#else
50802 proc_create("ioports", 0, NULL, &proc_ioports_operations);
50803 proc_create("iomem", 0, NULL, &proc_iomem_operations);
50804 +#endif
50805 return 0;
50806 }
50807 __initcall(ioresources_init);
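Review bot: with CONFIG_GRKERNSEC_PROC_ADD set but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP, the inner `#ifdef`/`#elif` has no fallback and neither `ioports` nor `iomem` is created at all. If Kconfig guarantees that one of the sub-options is selected, make that explicit with an `#else` branch containing `#error "GRKERNSEC_PROC_ADD requires PROC_USER or PROC_USERGROUP"`; if it does not, keep the original mode-`0` entries as the fallback inside the inner block.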
50808 diff -urNp linux-2.6.37/kernel/rtmutex.c linux-2.6.37/kernel/rtmutex.c
50809 --- linux-2.6.37/kernel/rtmutex.c 2011-01-04 19:50:19.000000000 -0500
50810 +++ linux-2.6.37/kernel/rtmutex.c 2011-01-17 02:41:02.000000000 -0500
50811 @@ -511,7 +511,7 @@ static void wakeup_next_waiter(struct rt
50812 */
50813 raw_spin_lock_irqsave(&pendowner->pi_lock, flags);
50814
50815 - WARN_ON(!pendowner->pi_blocked_on);
50816 + BUG_ON(!pendowner->pi_blocked_on);
50817 WARN_ON(pendowner->pi_blocked_on != waiter);
50818 WARN_ON(pendowner->pi_blocked_on->lock != lock);
50819
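Review bot: promoting `WARN_ON` to `BUG_ON` here fires while `pendowner->pi_lock` is held with interrupts disabled, so a violated invariant now takes the whole system down instead of logging it; the same trade-off is made in the sched.c `init_sched_groups_power()` hunk. That is a legitimate fail-closed choice for a hardening patch, but the rationale belongs next to the check, e.g. `/* fail hard: a missing pi_blocked_on means PI state is corrupt */`. The two `WARN_ON`s on the following lines stay warnings, so the comment should also say why only the first was promoted.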
50820 diff -urNp linux-2.6.37/kernel/sched.c linux-2.6.37/kernel/sched.c
50821 --- linux-2.6.37/kernel/sched.c 2011-01-04 19:50:19.000000000 -0500
50822 +++ linux-2.6.37/kernel/sched.c 2011-01-17 02:41:02.000000000 -0500
50823 @@ -4770,6 +4770,8 @@ int can_nice(const struct task_struct *p
50824 /* convert nice value [19,-20] to rlimit style value [1,40] */
50825 int nice_rlim = 20 - nice;
50826
50827 + gr_learn_resource(p, RLIMIT_NICE, nice_rlim, 1);
50828 +
50829 return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
50830 capable(CAP_SYS_NICE));
50831 }
50832 @@ -4803,7 +4805,8 @@ SYSCALL_DEFINE1(nice, int, increment)
50833 if (nice > 19)
50834 nice = 19;
50835
50836 - if (increment < 0 && !can_nice(current, nice))
50837 + if (increment < 0 && (!can_nice(current, nice) ||
50838 + gr_handle_chroot_nice()))
50839 return -EPERM;
50840
50841 retval = security_task_setnice(current, nice);
50842 @@ -4946,6 +4949,7 @@ recheck:
50843 unsigned long rlim_rtprio =
50844 task_rlimit(p, RLIMIT_RTPRIO);
50845
50846 + gr_learn_resource(p, RLIMIT_RTPRIO, param->sched_priority, 1);
50847 /* can't set/change the rt policy */
50848 if (policy != p->policy && !rlim_rtprio)
50849 return -EPERM;
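Review bot: the new `gr_learn_resource(p, RLIMIT_RTPRIO, ...)` call sits directly above the `/* can't set/change the rt policy */` comment with no separating blank line, so the comment now reads as describing the learn call rather than the `if` below it; insert a blank line after the call, as the `can_nice()` hunk in this file does. The enclosing function starts and ends outside the hunk.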
50850 @@ -7155,7 +7159,7 @@ static void init_sched_groups_power(int
50851 long power;
50852 int weight;
50853
50854 - WARN_ON(!sd || !sd->groups);
50855 + BUG_ON(!sd || !sd->groups);
50856
50857 if (cpu != group_first_cpu(sd->groups))
50858 return;
50859 diff -urNp linux-2.6.37/kernel/sched_fair.c linux-2.6.37/kernel/sched_fair.c
50860 --- linux-2.6.37/kernel/sched_fair.c 2011-01-04 19:50:19.000000000 -0500
50861 +++ linux-2.6.37/kernel/sched_fair.c 2011-01-17 02:41:02.000000000 -0500
50862 @@ -3724,7 +3724,7 @@ static void nohz_idle_balance(int this_c
50863 * run_rebalance_domains is triggered when needed from the scheduler tick.
50864 * Also triggered for nohz idle balancing (with nohz_balancing_kick set).
50865 */
50866 -static void run_rebalance_domains(struct softirq_action *h)
50867 +static void run_rebalance_domains(void)
50868 {
50869 int this_cpu = smp_processor_id();
50870 struct rq *this_rq = cpu_rq(this_cpu);
50871 diff -urNp linux-2.6.37/kernel/signal.c linux-2.6.37/kernel/signal.c
50872 --- linux-2.6.37/kernel/signal.c 2011-01-04 19:50:19.000000000 -0500
50873 +++ linux-2.6.37/kernel/signal.c 2011-01-17 02:41:02.000000000 -0500
50874 @@ -45,12 +45,12 @@ static struct kmem_cache *sigqueue_cache
50875
50876 int print_fatal_signals __read_mostly;
50877
50878 -static void __user *sig_handler(struct task_struct *t, int sig)
50879 +static __sighandler_t sig_handler(struct task_struct *t, int sig)
50880 {
50881 return t->sighand->action[sig - 1].sa.sa_handler;
50882 }
50883
50884 -static int sig_handler_ignored(void __user *handler, int sig)
50885 +static int sig_handler_ignored(__sighandler_t handler, int sig)
50886 {
50887 /* Is it explicitly or implicitly ignored? */
50888 return handler == SIG_IGN ||
50889 @@ -60,7 +60,7 @@ static int sig_handler_ignored(void __us
50890 static int sig_task_ignored(struct task_struct *t, int sig,
50891 int from_ancestor_ns)
50892 {
50893 - void __user *handler;
50894 + __sighandler_t handler;
50895
50896 handler = sig_handler(t, sig);
50897
50898 @@ -243,6 +243,9 @@ __sigqueue_alloc(int sig, struct task_st
50899 atomic_inc(&user->sigpending);
50900 rcu_read_unlock();
50901
50902 + if (!override_rlimit)
50903 + gr_learn_resource(t, RLIMIT_SIGPENDING, atomic_read(&user->sigpending), 1);
50904 +
50905 if (override_rlimit ||
50906 atomic_read(&user->sigpending) <=
50907 task_rlimit(t, RLIMIT_SIGPENDING)) {
50908 @@ -367,7 +370,7 @@ flush_signal_handlers(struct task_struct
50909
50910 int unhandled_signal(struct task_struct *tsk, int sig)
50911 {
50912 - void __user *handler = tsk->sighand->action[sig-1].sa.sa_handler;
50913 + __sighandler_t handler = tsk->sighand->action[sig-1].sa.sa_handler;
50914 if (is_global_init(tsk))
50915 return 1;
50916 if (handler != SIG_IGN && handler != SIG_DFL)
50917 @@ -678,6 +681,9 @@ static int check_kill_permission(int sig
50918 }
50919 }
50920
50921 + if (gr_handle_signal(t, sig))
50922 + return -EPERM;
50923 +
50924 return security_task_kill(t, info, sig, 0);
50925 }
50926
50927 @@ -1025,7 +1031,7 @@ __group_send_sig_info(int sig, struct si
50928 return send_signal(sig, info, p, 1);
50929 }
50930
50931 -static int
50932 +int
50933 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
50934 {
50935 return send_signal(sig, info, t, 0);
50936 @@ -1079,6 +1085,9 @@ force_sig_info(int sig, struct siginfo *
50937 ret = specific_send_sig_info(sig, info, t);
50938 spin_unlock_irqrestore(&t->sighand->siglock, flags);
50939
50940 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
50941 + gr_handle_crash(t, sig);
50942 +
50943 return ret;
50944 }
50945
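Review bot: `info->si_addr` is only populated for the fault-style signals (the `_sigfault` member of the siginfo union); for every other non-special `info` the same bytes hold `si_pid`/`si_uid`, so the address handed to `gr_log_signal()` is meaningless unless the helper filters on `sig` itself, which is not visible here. The same expression appears in the `group_send_sig_info()` hunk (`@@ -1137`). Either gate the address on the fault signals before logging, or add `/* gr_log_signal() is expected to ignore si_addr for non-fault signals */` if the helper does that.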
50946 @@ -1137,8 +1146,11 @@ int group_send_sig_info(int sig, struct
50947 ret = check_kill_permission(sig, info, p);
50948 rcu_read_unlock();
50949
50950 - if (!ret && sig)
50951 + if (!ret && sig) {
50952 ret = do_send_sig_info(sig, info, p, true);
50953 + if (!ret)
50954 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, p);
50955 + }
50956
50957 return ret;
50958 }
50959 diff -urNp linux-2.6.37/kernel/smp.c linux-2.6.37/kernel/smp.c
50960 --- linux-2.6.37/kernel/smp.c 2011-01-04 19:50:19.000000000 -0500
50961 +++ linux-2.6.37/kernel/smp.c 2011-01-17 02:41:02.000000000 -0500
50962 @@ -510,22 +510,22 @@ int smp_call_function(smp_call_func_t fu
50963 }
50964 EXPORT_SYMBOL(smp_call_function);
50965
50966 -void ipi_call_lock(void)
50967 +void ipi_call_lock(void) __acquires(call_function.lock)
50968 {
50969 raw_spin_lock(&call_function.lock);
50970 }
50971
50972 -void ipi_call_unlock(void)
50973 +void ipi_call_unlock(void) __releases(call_function.lock)
50974 {
50975 raw_spin_unlock(&call_function.lock);
50976 }
50977
50978 -void ipi_call_lock_irq(void)
50979 +void ipi_call_lock_irq(void) __acquires(call_function.lock)
50980 {
50981 raw_spin_lock_irq(&call_function.lock);
50982 }
50983
50984 -void ipi_call_unlock_irq(void)
50985 +void ipi_call_unlock_irq(void) __releases(call_function.lock)
50986 {
50987 raw_spin_unlock_irq(&call_function.lock);
50988 }
50989 diff -urNp linux-2.6.37/kernel/softirq.c linux-2.6.37/kernel/softirq.c
50990 --- linux-2.6.37/kernel/softirq.c 2011-01-04 19:50:19.000000000 -0500
50991 +++ linux-2.6.37/kernel/softirq.c 2011-01-17 02:41:02.000000000 -0500
50992 @@ -56,7 +56,7 @@ static struct softirq_action softirq_vec
50993
50994 static DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
50995
50996 -char *softirq_to_name[NR_SOFTIRQS] = {
50997 +const char * const softirq_to_name[NR_SOFTIRQS] = {
50998 "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL",
50999 "TASKLET", "SCHED", "HRTIMER", "RCU"
51000 };
51001 @@ -206,7 +206,7 @@ EXPORT_SYMBOL(local_bh_enable_ip);
51002
51003 asmlinkage void __do_softirq(void)
51004 {
51005 - struct softirq_action *h;
51006 + const struct softirq_action *h;
51007 __u32 pending;
51008 int max_restart = MAX_SOFTIRQ_RESTART;
51009 int cpu;
51010 @@ -235,7 +235,7 @@ restart:
51011 kstat_incr_softirqs_this_cpu(vec_nr);
51012
51013 trace_softirq_entry(vec_nr);
51014 - h->action(h);
51015 + h->action();
51016 trace_softirq_exit(vec_nr);
51017 if (unlikely(prev_count != preempt_count())) {
51018 printk(KERN_ERR "huh, entered softirq %u %s %p"
51019 @@ -365,7 +365,7 @@ void raise_softirq(unsigned int nr)
51020 local_irq_restore(flags);
51021 }
51022
51023 -void open_softirq(int nr, void (*action)(struct softirq_action *))
51024 +void open_softirq(int nr, void (*action)(void))
51025 {
51026 softirq_vec[nr].action = action;
51027 }
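Review bot: changing the `action` callback type to `void (*)(void)` changes the contract for every `open_softirq()` registrant, not only the three updated in this patch (`tasklet_action`/`tasklet_hi_action` here, `rcu_process_callbacks` in rcutree.c and `run_rebalance_domains` in sched_fair.c); the block, net and timer registrants are not in this view and must match, or the dispatch `h->action()` in `__do_softirq()` calls them with the wrong signature. A comment on `open_softirq()` such as `/* action takes no argument: the softirq_action pointer is no longer passed */` would make the new contract explicit for out-of-tree code.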
51028 @@ -421,7 +421,7 @@ void __tasklet_hi_schedule_first(struct
51029
51030 EXPORT_SYMBOL(__tasklet_hi_schedule_first);
51031
51032 -static void tasklet_action(struct softirq_action *a)
51033 +static void tasklet_action(void)
51034 {
51035 struct tasklet_struct *list;
51036
51037 @@ -456,7 +456,7 @@ static void tasklet_action(struct softir
51038 }
51039 }
51040
51041 -static void tasklet_hi_action(struct softirq_action *a)
51042 +static void tasklet_hi_action(void)
51043 {
51044 struct tasklet_struct *list;
51045
51046 diff -urNp linux-2.6.37/kernel/sys.c linux-2.6.37/kernel/sys.c
51047 --- linux-2.6.37/kernel/sys.c 2011-01-04 19:50:19.000000000 -0500
51048 +++ linux-2.6.37/kernel/sys.c 2011-01-17 02:41:02.000000000 -0500
51049 @@ -134,6 +134,12 @@ static int set_one_prio(struct task_stru
51050 error = -EACCES;
51051 goto out;
51052 }
51053 +
51054 + if (gr_handle_chroot_setpriority(p, niceval)) {
51055 + error = -EACCES;
51056 + goto out;
51057 + }
51058 +
51059 no_nice = security_task_setnice(p, niceval);
51060 if (no_nice) {
51061 error = no_nice;
51062 @@ -511,6 +517,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, g
51063 goto error;
51064 }
51065
51066 + if (gr_check_group_change(new->gid, new->egid, -1))
51067 + goto error;
51068 +
51069 if (rgid != (gid_t) -1 ||
51070 (egid != (gid_t) -1 && egid != old->gid))
51071 new->sgid = new->egid;
51072 @@ -540,6 +549,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
51073 old = current_cred();
51074
51075 retval = -EPERM;
51076 +
51077 + if (gr_check_group_change(gid, gid, gid))
51078 + goto error;
51079 +
51080 if (capable(CAP_SETGID))
51081 new->gid = new->egid = new->sgid = new->fsgid = gid;
51082 else if (gid == old->gid || gid == old->sgid)
51083 @@ -620,6 +633,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, u
51084 goto error;
51085 }
51086
51087 + if (gr_check_user_change(new->uid, new->euid, -1))
51088 + goto error;
51089 +
51090 if (new->uid != old->uid) {
51091 retval = set_user(new);
51092 if (retval < 0)
51093 @@ -664,6 +680,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
51094 old = current_cred();
51095
51096 retval = -EPERM;
51097 +
51098 + if (gr_check_crash_uid(uid))
51099 + goto error;
51100 + if (gr_check_user_change(uid, uid, uid))
51101 + goto error;
51102 +
51103 if (capable(CAP_SETUID)) {
51104 new->suid = new->uid = uid;
51105 if (uid != old->uid) {
51106 @@ -718,6 +740,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid,
51107 goto error;
51108 }
51109
51110 + if (gr_check_user_change(ruid, euid, -1))
51111 + goto error;
51112 +
51113 if (ruid != (uid_t) -1) {
51114 new->uid = ruid;
51115 if (ruid != old->uid) {
51116 @@ -782,6 +807,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid,
51117 goto error;
51118 }
51119
51120 + if (gr_check_group_change(rgid, egid, -1))
51121 + goto error;
51122 +
51123 if (rgid != (gid_t) -1)
51124 new->gid = rgid;
51125 if (egid != (gid_t) -1)
51126 @@ -828,6 +856,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
51127 old = current_cred();
51128 old_fsuid = old->fsuid;
51129
51130 + if (gr_check_user_change(-1, -1, uid))
51131 + goto error;
51132 +
51133 if (uid == old->uid || uid == old->euid ||
51134 uid == old->suid || uid == old->fsuid ||
51135 capable(CAP_SETUID)) {
51136 @@ -838,6 +869,7 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
51137 }
51138 }
51139
51140 +error:
51141 abort_creds(new);
51142 return old_fsuid;
51143
51144 @@ -864,12 +896,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
51145 if (gid == old->gid || gid == old->egid ||
51146 gid == old->sgid || gid == old->fsgid ||
51147 capable(CAP_SETGID)) {
51148 + if (gr_check_group_change(-1, -1, gid))
51149 + goto error;
51150 +
51151 if (gid != old_fsgid) {
51152 new->fsgid = gid;
51153 goto change_okay;
51154 }
51155 }
51156
51157 +error:
51158 abort_creds(new);
51159 return old_fsgid;
51160
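Review bot: `gr_check_group_change(-1, -1, gid)` is placed inside the permission `if` here, while the matching `gr_check_user_change(-1, -1, uid)` in the setfsuid hunk (`@@ -828`) is placed before it, so the two syscalls consult the policy under different conditions (setfsuid even for changes the kernel would refuse anyway); pick one placement for both. The literal `-1` arguments are also implicitly converted to the helper's parameter type, whereas the surrounding code writes `(gid_t) -1`; matching that spelling makes the sentinel explicit. Both functions start outside their hunks.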
51161 @@ -1607,7 +1643,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
51162 error = get_dumpable(me->mm);
51163 break;
51164 case PR_SET_DUMPABLE:
51165 - if (arg2 < 0 || arg2 > 1) {
51166 + if (arg2 > 1) {
51167 error = -EINVAL;
51168 break;
51169 }
51170 diff -urNp linux-2.6.37/kernel/sysctl.c linux-2.6.37/kernel/sysctl.c
51171 --- linux-2.6.37/kernel/sysctl.c 2011-01-04 19:50:19.000000000 -0500
51172 +++ linux-2.6.37/kernel/sysctl.c 2011-01-17 02:41:02.000000000 -0500
51173 @@ -83,6 +83,13 @@
51174
51175
51176 #if defined(CONFIG_SYSCTL)
51177 +#include <linux/grsecurity.h>
51178 +#include <linux/grinternal.h>
51179 +
51180 +extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
51181 +extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
51182 + const int op);
51183 +extern int gr_handle_chroot_sysctl(const int op);
51184
51185 /* External variables not in a header file. */
51186 extern int sysctl_overcommit_memory;
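Review bot: the three `extern` prototypes for `gr_handle_sysctl()`, `gr_handle_sysctl_mod()` and `gr_handle_chroot_sysctl()` are declared in this .c file immediately after `<linux/grsecurity.h>` is included; declarations belonging to that subsystem should live in the header so that callers and the definition share one prototype and a mismatch is caught by the compiler rather than surfacing at link time. The `const` on the by-value `int op` parameters is a definition detail and can be dropped from the prototypes. taskstats.c in this patch repeats the pattern with `gr_is_taskstats_denied()`.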
51187 @@ -188,6 +195,7 @@ static int sysrq_sysctl_handler(ctl_tabl
51188 }
51189
51190 #endif
51191 +extern struct ctl_table grsecurity_table[];
51192
51193 static struct ctl_table root_table[];
51194 static struct ctl_table_root sysctl_table_root;
51195 @@ -217,6 +225,20 @@ extern struct ctl_table epoll_table[];
51196 int sysctl_legacy_va_layout;
51197 #endif
51198
51199 +#ifdef CONFIG_PAX_SOFTMODE
51200 +static ctl_table pax_table[] = {
51201 + {
51202 + .procname = "softmode",
51203 + .data = &pax_softmode,
51204 + .maxlen = sizeof(unsigned int),
51205 + .mode = 0600,
51206 + .proc_handler = &proc_dointvec,
51207 + },
51208 +
51209 + { }
51210 +};
51211 +#endif
51212 +
51213 /* The default sysctl tables: */
51214
51215 static struct ctl_table root_table[] = {
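Review bot: the `softmode` entry uses plain `proc_dointvec`, so any integer can be written to `pax_softmode` even though the name suggests an on/off flag; this file already bounds flag-style entries with `proc_dointvec_minmax` and `.extra1 = &zero`, so `.proc_handler = proc_dointvec_minmax, .extra1 = &zero,` plus an upper bound of one would constrain it. The `&proc_dointvec` spelling also differs from the surrounding tables, which assign handlers without the address-of operator.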
51216 @@ -269,6 +291,22 @@ static int max_extfrag_threshold = 1000;
51217 #endif
51218
51219 static struct ctl_table kern_table[] = {
51220 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
51221 + {
51222 + .procname = "grsecurity",
51223 + .mode = 0500,
51224 + .child = grsecurity_table,
51225 + },
51226 +#endif
51227 +
51228 +#ifdef CONFIG_PAX_SOFTMODE
51229 + {
51230 + .procname = "pax",
51231 + .mode = 0500,
51232 + .child = pax_table,
51233 + },
51234 +#endif
51235 +
51236 {
51237 .procname = "sched_child_runs_first",
51238 .data = &sysctl_sched_child_runs_first,
51239 @@ -549,7 +587,7 @@ static struct ctl_table kern_table[] = {
51240 .data = &modprobe_path,
51241 .maxlen = KMOD_PATH_LEN,
51242 .mode = 0644,
51243 - .proc_handler = proc_dostring,
51244 + .proc_handler = proc_dostring_modpriv,
51245 },
51246 {
51247 .procname = "modules_disabled",
51248 @@ -1180,6 +1218,13 @@ static struct ctl_table vm_table[] = {
51249 .proc_handler = proc_dointvec_minmax,
51250 .extra1 = &zero,
51251 },
51252 + {
51253 + .procname = "heap_stack_gap",
51254 + .data = &sysctl_heap_stack_gap,
51255 + .maxlen = sizeof(sysctl_heap_stack_gap),
51256 + .mode = 0644,
51257 + .proc_handler = proc_doulongvec_minmax,
51258 + },
51259 #else
51260 {
51261 .procname = "nr_trim_pages",
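Review bot: `heap_stack_gap` is registered with `proc_doulongvec_minmax` but without `.extra1`/`.extra2`, so the "minmax" handler enforces no range at all and any unsigned long can be written; if a bound is intended (a gap larger than the address space makes every mapping fail), add `.extra1`/`.extra2` pointing at static limits, and if an unbounded value is intended, say so with `/* no upper bound by design */` so the missing limits are not read as an omission.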
51262 @@ -1695,6 +1740,16 @@ int sysctl_perm(struct ctl_table_root *r
51263 int error;
51264 int mode;
51265
51266 + if (table->parent != NULL && table->parent->procname != NULL &&
51267 + table->procname != NULL &&
51268 + gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
51269 + return -EACCES;
51270 + if (gr_handle_chroot_sysctl(op))
51271 + return -EACCES;
51272 + error = gr_handle_sysctl(table, op);
51273 + if (error)
51274 + return error;
51275 +
51276 error = security_sysctl(table, op & (MAY_READ | MAY_WRITE | MAY_EXEC));
51277 if (error)
51278 return error;
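Review bot: the extern declared earlier in this file gives `gr_handle_sysctl()` a `__u32` return type, yet here its result is stored in `int error` and returned from `sysctl_perm()`, whose callers expect 0 or a negative errno; a `__u32` holding a negative errno survives the conversion only by two's-complement accident, and a positive mask would be treated as failure without a meaningful errno. Either the prototype should return `int`, or the value should be mapped explicitly, e.g. `if (gr_handle_sysctl(table, op)) return -EACCES;`, if it is really a permission mask. sysctl_perm() starts before the hunk.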
51279 @@ -2102,6 +2157,16 @@ int proc_dostring(struct ctl_table *tabl
51280 buffer, lenp, ppos);
51281 }
51282
51283 +int proc_dostring_modpriv(struct ctl_table *table, int write,
51284 + void __user *buffer, size_t *lenp, loff_t *ppos)
51285 +{
51286 + if (write && !capable(CAP_SYS_MODULE))
51287 + return -EPERM;
51288 +
51289 + return _proc_do_string(table->data, table->maxlen, write,
51290 + buffer, lenp, ppos);
51291 +}
51292 +
51293 static size_t proc_skip_spaces(char **buf)
51294 {
51295 size_t ret;
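Review bot: `proc_dostring_modpriv()` is a public, exported handler (see the `EXPORT_SYMBOL` hunk) but carries no kernel-doc, while the neighbouring `proc_dostring()` does; a header comment stating that it behaves like `proc_dostring()` except that writes require CAP_SYS_MODULE, and that it exists for `modprobe_path`, is missing. The prototype must also be added to the sysctl header (outside this view) so that the `sysctl_check.c` comparison and the `!CONFIG_PROC_SYSCTL` stub agree with this definition.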
51296 @@ -2207,6 +2272,8 @@ static int proc_put_long(void __user **b
51297 len = strlen(tmp);
51298 if (len > *size)
51299 len = *size;
51300 + if (len > sizeof(tmp))
51301 + len = sizeof(tmp);
51302 if (copy_to_user(*buf, tmp, len))
51303 return -EFAULT;
51304 *size -= len;
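Review bot: the new `if (len > sizeof(tmp)) len = sizeof(tmp);` comes after `len = strlen(tmp)` has already scanned `tmp`, so it can only trigger if `tmp` was not NUL-terminated within its bounds, in which case the over-read has already happened at the `strlen()` call; `tmp` is declared outside the hunk, so its sizing cannot be checked here. If `tmp` is filled by a bounded formatter this clamp is dead defensive code and deserves a comment saying so; if it is not, the fix belongs at the formatting step. proc_put_long() starts before the hunk.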
51305 @@ -2512,8 +2579,11 @@ static int __do_proc_doulongvec_minmax(v
51306 *i = val;
51307 } else {
51308 val = convdiv * (*i) / convmul;
51309 - if (!first)
51310 + if (!first) {
51311 err = proc_put_char(&buffer, &left, '\t');
51312 + if (err)
51313 + break;
51314 + }
51315 err = proc_put_long(&buffer, &left, val, false);
51316 if (err)
51317 break;
51318 @@ -2908,6 +2978,12 @@ int proc_dostring(struct ctl_table *tabl
51319 return -ENOSYS;
51320 }
51321
51322 +int proc_dostring_modpriv(struct ctl_table *table, int write,
51323 + void __user *buffer, size_t *lenp, loff_t *ppos)
51324 +{
51325 + return -ENOSYS;
51326 +}
51327 +
51328 int proc_dointvec(struct ctl_table *table, int write,
51329 void __user *buffer, size_t *lenp, loff_t *ppos)
51330 {
51331 @@ -2964,6 +3040,7 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
51332 EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
51333 EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
51334 EXPORT_SYMBOL(proc_dostring);
51335 +EXPORT_SYMBOL(proc_dostring_modpriv);
51336 EXPORT_SYMBOL(proc_doulongvec_minmax);
51337 EXPORT_SYMBOL(proc_doulongvec_ms_jiffies_minmax);
51338 EXPORT_SYMBOL(register_sysctl_table);
51339 diff -urNp linux-2.6.37/kernel/sysctl_check.c linux-2.6.37/kernel/sysctl_check.c
51340 --- linux-2.6.37/kernel/sysctl_check.c 2011-01-04 19:50:19.000000000 -0500
51341 +++ linux-2.6.37/kernel/sysctl_check.c 2011-01-17 02:41:02.000000000 -0500
51342 @@ -131,6 +131,7 @@ int sysctl_check_table(struct nsproxy *n
51343 set_fail(&fail, table, "Directory with extra2");
51344 } else {
51345 if ((table->proc_handler == proc_dostring) ||
51346 + (table->proc_handler == proc_dostring_modpriv) ||
51347 (table->proc_handler == proc_dointvec) ||
51348 (table->proc_handler == proc_dointvec_minmax) ||
51349 (table->proc_handler == proc_dointvec_jiffies) ||
51350 diff -urNp linux-2.6.37/kernel/taskstats.c linux-2.6.37/kernel/taskstats.c
51351 --- linux-2.6.37/kernel/taskstats.c 2011-01-04 19:50:19.000000000 -0500
51352 +++ linux-2.6.37/kernel/taskstats.c 2011-01-17 02:41:02.000000000 -0500
51353 @@ -27,9 +27,12 @@
51354 #include <linux/cgroup.h>
51355 #include <linux/fs.h>
51356 #include <linux/file.h>
51357 +#include <linux/grsecurity.h>
51358 #include <net/genetlink.h>
51359 #include <asm/atomic.h>
51360
51361 +extern int gr_is_taskstats_denied(int pid);
51362 +
51363 /*
51364 * Maximum length of a cpumask that can be specified in
51365 * the TASKSTATS_CMD_ATTR_REGISTER/DEREGISTER_CPUMASK attribute
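Review bot: `gr_is_taskstats_denied()` is declared with a bare `extern` in this .c file right after `<linux/grsecurity.h>` is included; the prototype belongs in that header so the definition and its callers cannot diverge. In the `taskstats_user_cmd()` hunk (`@@ -550`) the helper is given `current->pid`, which is the task's global pid number rather than its pid in the caller's pid namespace; if the policy is keyed on pids as seen from userspace this may not be the intended value — worth confirming against the helper's definition.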
51366 @@ -550,6 +553,9 @@ err:
51367
51368 static int taskstats_user_cmd(struct sk_buff *skb, struct genl_info *info)
51369 {
51370 + if (gr_is_taskstats_denied(current->pid))
51371 + return -EACCES;
51372 +
51373 if (info->attrs[TASKSTATS_CMD_ATTR_REGISTER_CPUMASK])
51374 return cmd_attr_register_cpumask(info);
51375 else if (info->attrs[TASKSTATS_CMD_ATTR_DEREGISTER_CPUMASK])
51376 diff -urNp linux-2.6.37/kernel/time/tick-broadcast.c linux-2.6.37/kernel/time/tick-broadcast.c
51377 --- linux-2.6.37/kernel/time/tick-broadcast.c 2011-01-04 19:50:19.000000000 -0500
51378 +++ linux-2.6.37/kernel/time/tick-broadcast.c 2011-01-17 02:41:02.000000000 -0500
51379 @@ -116,7 +116,7 @@ int tick_device_uses_broadcast(struct cl
51380 * then clear the broadcast bit.
51381 */
51382 if (!(dev->features & CLOCK_EVT_FEAT_C3STOP)) {
51383 - int cpu = smp_processor_id();
51384 + cpu = smp_processor_id();
51385
51386 cpumask_clear_cpu(cpu, tick_get_broadcast_mask());
51387 tick_broadcast_clear_oneshot(cpu);
51388 diff -urNp linux-2.6.37/kernel/time/timekeeping.c linux-2.6.37/kernel/time/timekeeping.c
51389 --- linux-2.6.37/kernel/time/timekeeping.c 2011-01-04 19:50:19.000000000 -0500
51390 +++ linux-2.6.37/kernel/time/timekeeping.c 2011-01-17 02:41:02.000000000 -0500
51391 @@ -14,6 +14,7 @@
51392 #include <linux/init.h>
51393 #include <linux/mm.h>
51394 #include <linux/sched.h>
51395 +#include <linux/grsecurity.h>
51396 #include <linux/sysdev.h>
51397 #include <linux/clocksource.h>
51398 #include <linux/jiffies.h>
51399 @@ -314,6 +315,8 @@ int do_settimeofday(struct timespec *tv)
51400 if ((unsigned long)tv->tv_nsec >= NSEC_PER_SEC)
51401 return -EINVAL;
51402
51403 + gr_log_timechange();
51404 +
51405 write_seqlock_irqsave(&xtime_lock, flags);
51406
51407 timekeeping_forward_now();
51408 diff -urNp linux-2.6.37/kernel/time/timer_list.c linux-2.6.37/kernel/time/timer_list.c
51409 --- linux-2.6.37/kernel/time/timer_list.c 2011-01-04 19:50:19.000000000 -0500
51410 +++ linux-2.6.37/kernel/time/timer_list.c 2011-01-17 02:41:02.000000000 -0500
51411 @@ -38,12 +38,16 @@ DECLARE_PER_CPU(struct hrtimer_cpu_base,
51412
51413 static void print_name_offset(struct seq_file *m, void *sym)
51414 {
51415 +#ifdef CONFIG_GRKERNSEC_HIDESYM
51416 + SEQ_printf(m, "<%p>", NULL);
51417 +#else
51418 char symname[KSYM_NAME_LEN];
51419
51420 if (lookup_symbol_name((unsigned long)sym, symname) < 0)
51421 SEQ_printf(m, "<%p>", sym);
51422 else
51423 SEQ_printf(m, "%s", symname);
51424 +#endif
51425 }
51426
51427 static void
51428 @@ -112,7 +116,11 @@ next_one:
51429 static void
51430 print_base(struct seq_file *m, struct hrtimer_clock_base *base, u64 now)
51431 {
51432 +#ifdef CONFIG_GRKERNSEC_HIDESYM
51433 + SEQ_printf(m, " .base: %p\n", NULL);
51434 +#else
51435 SEQ_printf(m, " .base: %p\n", base);
51436 +#endif
51437 SEQ_printf(m, " .index: %d\n",
51438 base->index);
51439 SEQ_printf(m, " .resolution: %Lu nsecs\n",
51440 @@ -293,7 +301,11 @@ static int __init init_timer_list_procfs
51441 {
51442 struct proc_dir_entry *pe;
51443
51444 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
51445 + pe = proc_create("timer_list", 0400, NULL, &timer_list_fops);
51446 +#else
51447 pe = proc_create("timer_list", 0444, NULL, &timer_list_fops);
51448 +#endif
51449 if (!pe)
51450 return -ENOMEM;
51451 return 0;
51452 diff -urNp linux-2.6.37/kernel/time/timer_stats.c linux-2.6.37/kernel/time/timer_stats.c
51453 --- linux-2.6.37/kernel/time/timer_stats.c 2011-01-04 19:50:19.000000000 -0500
51454 +++ linux-2.6.37/kernel/time/timer_stats.c 2011-01-17 02:41:02.000000000 -0500
51455 @@ -269,12 +269,16 @@ void timer_stats_update_stats(void *time
51456
51457 static void print_name_offset(struct seq_file *m, unsigned long addr)
51458 {
51459 +#ifdef CONFIG_GRKERNSEC_HIDESYM
51460 + seq_printf(m, "<%p>", NULL);
51461 +#else
51462 char symname[KSYM_NAME_LEN];
51463
51464 if (lookup_symbol_name(addr, symname) < 0)
51465 seq_printf(m, "<%p>", (void *)addr);
51466 else
51467 seq_printf(m, "%s", symname);
51468 +#endif
51469 }
51470
51471 static int tstats_show(struct seq_file *m, void *v)
51472 @@ -417,7 +421,11 @@ static int __init init_tstats_procfs(voi
51473 {
51474 struct proc_dir_entry *pe;
51475
51476 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
51477 + pe = proc_create("timer_stats", 0600, NULL, &tstats_fops);
51478 +#else
51479 pe = proc_create("timer_stats", 0644, NULL, &tstats_fops);
51480 +#endif
51481 if (!pe)
51482 return -ENOMEM;
51483 return 0;
51484 diff -urNp linux-2.6.37/kernel/time.c linux-2.6.37/kernel/time.c
51485 --- linux-2.6.37/kernel/time.c 2011-01-04 19:50:19.000000000 -0500
51486 +++ linux-2.6.37/kernel/time.c 2011-01-17 02:41:02.000000000 -0500
51487 @@ -163,6 +163,11 @@ int do_sys_settimeofday(struct timespec
51488 return error;
51489
51490 if (tz) {
51491 + /* we log in do_settimeofday called below, so don't log twice
51492 + */
51493 + if (!tv)
51494 + gr_log_timechange();
51495 +
51496 /* SMP safe, global irq locking makes it work. */
51497 sys_tz = *tz;
51498 update_vsyscall_tz();
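Review bot: The added comment spreads a one-line remark over two lines with a lone `*/`, which kernel comment style avoids; `/* we log in do_settimeofday() called below, so don't log twice */` fits on one line. It would also help to say what the condition guards, since `if (!tv)` only makes sense together with the timekeeping.c hunk above: the timezone-only call is logged here, while any call carrying `tv` is logged once inside do_settimeofday(). do_sys_settimeofday() starts outside the hunk, so whether `tv` was validated before this point is not visible here.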
51499 @@ -238,7 +243,7 @@ EXPORT_SYMBOL(current_fs_time);
51500 * Avoid unnecessary multiplications/divisions in the
51501 * two most common HZ cases:
51502 */
51503 -unsigned int inline jiffies_to_msecs(const unsigned long j)
51504 +inline unsigned int jiffies_to_msecs(const unsigned long j)
51505 {
51506 #if HZ <= MSEC_PER_SEC && !(MSEC_PER_SEC % HZ)
51507 return (MSEC_PER_SEC / HZ) * j;
51508 @@ -254,7 +259,7 @@ unsigned int inline jiffies_to_msecs(con
51509 }
51510 EXPORT_SYMBOL(jiffies_to_msecs);
51511
51512 -unsigned int inline jiffies_to_usecs(const unsigned long j)
51513 +inline unsigned int jiffies_to_usecs(const unsigned long j)
51514 {
51515 #if HZ <= USEC_PER_SEC && !(USEC_PER_SEC % HZ)
51516 return (USEC_PER_SEC / HZ) * j;
51517 diff -urNp linux-2.6.37/kernel/timer.c linux-2.6.37/kernel/timer.c
51518 --- linux-2.6.37/kernel/timer.c 2011-01-04 19:50:19.000000000 -0500
51519 +++ linux-2.6.37/kernel/timer.c 2011-01-17 02:41:02.000000000 -0500
51520 @@ -1296,7 +1296,7 @@ void update_process_times(int user_tick)
51521 /*
51522 * This function runs timers and the timer-tq in bottom half context.
51523 */
51524 -static void run_timer_softirq(struct softirq_action *h)
51525 +static void run_timer_softirq(void)
51526 {
51527 struct tvec_base *base = __get_cpu_var(tvec_bases);
51528
51529 diff -urNp linux-2.6.37/kernel/trace/ftrace.c linux-2.6.37/kernel/trace/ftrace.c
51530 --- linux-2.6.37/kernel/trace/ftrace.c 2011-01-04 19:50:19.000000000 -0500
51531 +++ linux-2.6.37/kernel/trace/ftrace.c 2011-01-17 02:41:02.000000000 -0500
51532 @@ -1107,13 +1107,18 @@ ftrace_code_disable(struct module *mod,
51533
51534 ip = rec->ip;
51535
51536 + ret = ftrace_arch_code_modify_prepare();
51537 + FTRACE_WARN_ON(ret);
51538 + if (ret)
51539 + return 0;
51540 +
51541 ret = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
51542 + FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());
51543 if (ret) {
51544 ftrace_bug(ret, ip);
51545 rec->flags |= FTRACE_FL_FAILED;
51546 - return 0;
51547 }
51548 - return 1;
51549 + return ret ? 0 : 1;
51550 }
51551
51552 /*
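Review bot: The result of `ftrace_arch_code_modify_post_process()` is fed to FTRACE_WARN_ON() and then dropped, so `return ret ? 0 : 1` reports a record as converted based on the make_nop result alone even when post-processing failed. If the arch post-process step is what re-protects the text that was just patched — that lives outside the hunk — a failure there would leave no trace beyond the warning while the caller sees success; capturing it in a new local, `rc = ftrace_arch_code_modify_post_process(); FTRACE_WARN_ON(rc); if (!ret) ret = rc;`, routes it through the existing ftrace_bug()/FTRACE_FL_FAILED path. The early `return 0` on a failed prepare is also asymmetric with the make_nop failure path in that it neither calls ftrace_bug() nor marks `rec` as failed; a one-line comment should say whether that is intended. ftrace_code_disable() starts outside the hunk.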
51553 diff -urNp linux-2.6.37/kernel/trace/ring_buffer.c linux-2.6.37/kernel/trace/ring_buffer.c
51554 --- linux-2.6.37/kernel/trace/ring_buffer.c 2011-01-04 19:50:19.000000000 -0500
51555 +++ linux-2.6.37/kernel/trace/ring_buffer.c 2011-01-17 02:41:02.000000000 -0500
51556 @@ -669,7 +669,7 @@ static struct list_head *rb_list_head(st
51557 * the reader page). But if the next page is a header page,
51558 * its flags will be non zero.
51559 */
51560 -static int inline
51561 +static inline int
51562 rb_is_head_page(struct ring_buffer_per_cpu *cpu_buffer,
51563 struct buffer_page *page, struct list_head *list)
51564 {
51565 diff -urNp linux-2.6.37/kernel/trace/trace.c linux-2.6.37/kernel/trace/trace.c
51566 --- linux-2.6.37/kernel/trace/trace.c 2011-01-04 19:50:19.000000000 -0500
51567 +++ linux-2.6.37/kernel/trace/trace.c 2011-01-17 02:41:02.000000000 -0500
51568 @@ -3969,10 +3969,9 @@ static const struct file_operations trac
51569 };
51570 #endif
51571
51572 -static struct dentry *d_tracer;
51573 -
51574 struct dentry *tracing_init_dentry(void)
51575 {
51576 + static struct dentry *d_tracer;
51577 static int once;
51578
51579 if (d_tracer)
51580 @@ -3992,10 +3991,9 @@ struct dentry *tracing_init_dentry(void)
51581 return d_tracer;
51582 }
51583
51584 -static struct dentry *d_percpu;
51585 -
51586 struct dentry *tracing_dentry_percpu(void)
51587 {
51588 + static struct dentry *d_percpu;
51589 static int once;
51590 struct dentry *d_tracer;
51591
51592 diff -urNp linux-2.6.37/kernel/trace/trace_events.c linux-2.6.37/kernel/trace/trace_events.c
51593 --- linux-2.6.37/kernel/trace/trace_events.c 2011-01-04 19:50:19.000000000 -0500
51594 +++ linux-2.6.37/kernel/trace/trace_events.c 2011-01-17 02:41:02.000000000 -0500
51595 @@ -1231,6 +1231,7 @@ static LIST_HEAD(ftrace_module_file_list
51596 * Modules must own their file_operations to keep up with
51597 * reference counting.
51598 */
51599 +/* cannot be const, see trace_create_file_ops() */
51600 struct ftrace_module_file_ops {
51601 struct list_head list;
51602 struct module *mod;
51603 diff -urNp linux-2.6.37/kernel/trace/trace_output.c linux-2.6.37/kernel/trace/trace_output.c
51604 --- linux-2.6.37/kernel/trace/trace_output.c 2011-01-04 19:50:19.000000000 -0500
51605 +++ linux-2.6.37/kernel/trace/trace_output.c 2011-01-17 02:41:02.000000000 -0500
51606 @@ -278,7 +278,7 @@ int trace_seq_path(struct trace_seq *s,
51607
51608 p = d_path(path, s->buffer + s->len, PAGE_SIZE - s->len);
51609 if (!IS_ERR(p)) {
51610 - p = mangle_path(s->buffer + s->len, p, "\n");
51611 + p = mangle_path(s->buffer + s->len, p, "\n\\");
51612 if (p) {
51613 s->len = p - s->buffer;
51614 return 1;
51615 diff -urNp linux-2.6.37/kernel/trace/trace_stack.c linux-2.6.37/kernel/trace/trace_stack.c
51616 --- linux-2.6.37/kernel/trace/trace_stack.c 2011-01-04 19:50:19.000000000 -0500
51617 +++ linux-2.6.37/kernel/trace/trace_stack.c 2011-01-17 02:41:02.000000000 -0500
51618 @@ -50,7 +50,7 @@ static inline void check_stack(void)
51619 return;
51620
51621 /* we do not handle interrupt stacks yet */
51622 - if (!object_is_on_stack(&this_size))
51623 + if (!object_starts_on_stack(&this_size))
51624 return;
51625
51626 local_irq_save(flags);
51627 diff -urNp linux-2.6.37/lib/bug.c linux-2.6.37/lib/bug.c
51628 --- linux-2.6.37/lib/bug.c 2011-01-04 19:50:19.000000000 -0500
51629 +++ linux-2.6.37/lib/bug.c 2011-01-17 02:41:02.000000000 -0500
51630 @@ -133,6 +133,8 @@ enum bug_trap_type report_bug(unsigned l
51631 return BUG_TRAP_TYPE_NONE;
51632
51633 bug = find_bug(bugaddr);
51634 + if (!bug)
51635 + return BUG_TRAP_TYPE_NONE;
51636
51637 file = NULL;
51638 line = 0;
51639 diff -urNp linux-2.6.37/lib/debugobjects.c linux-2.6.37/lib/debugobjects.c
51640 --- linux-2.6.37/lib/debugobjects.c 2011-01-04 19:50:19.000000000 -0500
51641 +++ linux-2.6.37/lib/debugobjects.c 2011-01-17 02:41:02.000000000 -0500
51642 @@ -281,7 +281,7 @@ static void debug_object_is_on_stack(voi
51643 if (limit > 4)
51644 return;
51645
51646 - is_on_stack = object_is_on_stack(addr);
51647 + is_on_stack = object_starts_on_stack(addr);
51648 if (is_on_stack == onstack)
51649 return;
51650
51651 diff -urNp linux-2.6.37/lib/dma-debug.c linux-2.6.37/lib/dma-debug.c
51652 --- linux-2.6.37/lib/dma-debug.c 2011-01-04 19:50:19.000000000 -0500
51653 +++ linux-2.6.37/lib/dma-debug.c 2011-01-17 02:41:02.000000000 -0500
51654 @@ -862,7 +862,7 @@ out:
51655
51656 static void check_for_stack(struct device *dev, void *addr)
51657 {
51658 - if (object_is_on_stack(addr))
51659 + if (object_starts_on_stack(addr))
51660 err_printk(dev, NULL, "DMA-API: device driver maps memory from"
51661 "stack [addr=%p]\n", addr);
51662 }
51663 diff -urNp linux-2.6.37/lib/inflate.c linux-2.6.37/lib/inflate.c
51664 --- linux-2.6.37/lib/inflate.c 2011-01-04 19:50:19.000000000 -0500
51665 +++ linux-2.6.37/lib/inflate.c 2011-01-17 02:41:02.000000000 -0500
51666 @@ -269,7 +269,7 @@ static void free(void *where)
51667 malloc_ptr = free_mem_ptr;
51668 }
51669 #else
51670 -#define malloc(a) kmalloc(a, GFP_KERNEL)
51671 +#define malloc(a) kmalloc((a), GFP_KERNEL)
51672 #define free(a) kfree(a)
51673 #endif
51674
51675 diff -urNp linux-2.6.37/lib/Kconfig.debug linux-2.6.37/lib/Kconfig.debug
51676 --- linux-2.6.37/lib/Kconfig.debug 2011-01-04 19:50:19.000000000 -0500
51677 +++ linux-2.6.37/lib/Kconfig.debug 2011-01-17 02:41:02.000000000 -0500
51678 @@ -1065,6 +1065,7 @@ config LATENCYTOP
51679 depends on DEBUG_KERNEL
51680 depends on STACKTRACE_SUPPORT
51681 depends on PROC_FS
51682 + depends on !GRKERNSEC_HIDESYM
51683 select FRAME_POINTER if !MIPS && !PPC && !S390 && !MICROBLAZE
51684 select KALLSYMS
51685 select KALLSYMS_ALL
51686 diff -urNp linux-2.6.37/lib/kref.c linux-2.6.37/lib/kref.c
51687 --- linux-2.6.37/lib/kref.c 2011-01-04 19:50:19.000000000 -0500
51688 +++ linux-2.6.37/lib/kref.c 2011-01-17 02:41:02.000000000 -0500
51689 @@ -52,7 +52,7 @@ void kref_get(struct kref *kref)
51690 */
51691 int kref_put(struct kref *kref, void (*release)(struct kref *kref))
51692 {
51693 - WARN_ON(release == NULL);
51694 + BUG_ON(release == NULL);
51695 WARN_ON(release == (void (*)(struct kref *))kfree);
51696
51697 if (atomic_dec_and_test(&kref->refcount)) {
51698 diff -urNp linux-2.6.37/lib/radix-tree.c linux-2.6.37/lib/radix-tree.c
51699 --- linux-2.6.37/lib/radix-tree.c 2011-01-04 19:50:19.000000000 -0500
51700 +++ linux-2.6.37/lib/radix-tree.c 2011-01-17 02:41:02.000000000 -0500
51701 @@ -80,7 +80,7 @@ struct radix_tree_preload {
51702 int nr;
51703 struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
51704 };
51705 -static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
51706 +static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads);
51707
51708 static inline void *ptr_to_indirect(void *ptr)
51709 {
51710 diff -urNp linux-2.6.37/lib/vsprintf.c linux-2.6.37/lib/vsprintf.c
51711 --- linux-2.6.37/lib/vsprintf.c 2011-01-04 19:50:19.000000000 -0500
51712 +++ linux-2.6.37/lib/vsprintf.c 2011-01-17 02:41:02.000000000 -0500
51713 @@ -16,6 +16,9 @@
51714 * - scnprintf and vscnprintf
51715 */
51716
51717 +#ifdef CONFIG_GRKERNSEC_HIDESYM
51718 +#define __INCLUDED_BY_HIDESYM 1
51719 +#endif
51720 #include <stdarg.h>
51721 #include <linux/module.h>
51722 #include <linux/types.h>
51723 @@ -574,7 +577,7 @@ char *symbol_string(char *buf, char *end
51724 unsigned long value = (unsigned long) ptr;
51725 #ifdef CONFIG_KALLSYMS
51726 char sym[KSYM_SYMBOL_LEN];
51727 - if (ext != 'f' && ext != 's')
51728 + if (ext != 'f' && ext != 's' && ext != 'a')
51729 sprint_symbol(sym, value);
51730 else
51731 kallsyms_lookup(value, NULL, NULL, NULL, sym);
51732 @@ -947,6 +950,8 @@ char *uuid_string(char *buf, char *end,
51733 * - 'f' For simple symbolic function names without offset
51734 * - 'S' For symbolic direct pointers with offset
51735 * - 's' For symbolic direct pointers without offset
51736 + * - 'A' For symbolic direct pointers with offset approved for use with GRKERNSEC_HIDESYM
51737 + * - 'a' For symbolic direct pointers without offset approved for use with GRKERNSEC_HIDESYM
51738 * - 'R' For decoded struct resource, e.g., [mem 0x0-0x1f 64bit pref]
51739 * - 'r' For raw struct resource, e.g., [mem 0x0-0x1f flags 0x201]
51740 * - 'M' For a 6-byte MAC address, it prints the address in the
51741 @@ -990,12 +995,12 @@ char *pointer(const char *fmt, char *buf
51742 {
51743 if (!ptr) {
51744 /*
51745 - * Print (null) with the same width as a pointer so it makes
51746 + * Print (nil) with the same width as a pointer so it makes
51747 * tabular output look nice.
51748 */
51749 if (spec.field_width == -1)
51750 spec.field_width = 2 * sizeof(void *);
51751 - return string(buf, end, "(null)", spec);
51752 + return string(buf, end, "(nil)", spec);
51753 }
51754
51755 switch (*fmt) {
51756 @@ -1005,6 +1010,13 @@ char *pointer(const char *fmt, char *buf
51757 /* Fallthrough */
51758 case 'S':
51759 case 's':
51760 +#ifdef CONFIG_GRKERNSEC_HIDESYM
51761 + break;
51762 +#else
51763 + return symbol_string(buf, end, ptr, spec, *fmt);
51764 +#endif
51765 + case 'A':
51766 + case 'a':
51767 return symbol_string(buf, end, ptr, spec, *fmt);
51768 case 'R':
51769 case 'r':
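Review bot: The `#else` branch duplicates the `return symbol_string(buf, end, ptr, spec, *fmt);` that follows under `case 'A':`/`case 'a':`; keeping only the HIDESYM `break` inside the conditional and letting `'S'`/`'s'` fall through into `'A'`/`'a'` drops the duplicate call and the `#ifdef`/`#else`/`#endif` sandwich: `#ifdef CONFIG_GRKERNSEC_HIDESYM` / `break;` / `#endif`, followed by a `/* Fallthrough */` marker like the one at the top of this hunk. With HIDESYM enabled the bare `break` leaves the switch, so `%pS`/`%ps` presumably take whatever formatting follows the switch in pointer() (outside the hunk) instead of the symbol lookup; a short comment saying that this is the intended hiding behaviour would keep the next reader from mistaking it for a missing return.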
51770 @@ -1750,11 +1762,11 @@ int bstr_printf(char *buf, size_t size,
51771 typeof(type) value; \
51772 if (sizeof(type) == 8) { \
51773 args = PTR_ALIGN(args, sizeof(u32)); \
51774 - *(u32 *)&value = *(u32 *)args; \
51775 - *((u32 *)&value + 1) = *(u32 *)(args + 4); \
51776 + *(u32 *)&value = *(const u32 *)args; \
51777 + *((u32 *)&value + 1) = *(const u32 *)(args + 4); \
51778 } else { \
51779 args = PTR_ALIGN(args, sizeof(type)); \
51780 - value = *(typeof(type) *)args; \
51781 + value = *(const typeof(type) *)args; \
51782 } \
51783 args += sizeof(type); \
51784 value; \
51785 @@ -1817,7 +1829,7 @@ int bstr_printf(char *buf, size_t size,
51786 case FORMAT_TYPE_STR: {
51787 const char *str_arg = args;
51788 args += strlen(str_arg) + 1;
51789 - str = string(str, end, (char *)str_arg, spec);
51790 + str = string(str, end, str_arg, spec);
51791 break;
51792 }
51793
51794 diff -urNp linux-2.6.37/localversion-grsec linux-2.6.37/localversion-grsec
51795 --- linux-2.6.37/localversion-grsec 1969-12-31 19:00:00.000000000 -0500
51796 +++ linux-2.6.37/localversion-grsec 2011-01-17 02:41:02.000000000 -0500
51797 @@ -0,0 +1 @@
51798 +-grsec
51799 diff -urNp linux-2.6.37/Makefile linux-2.6.37/Makefile
51800 --- linux-2.6.37/Makefile 2011-01-04 19:50:19.000000000 -0500
51801 +++ linux-2.6.37/Makefile 2011-01-17 02:41:02.000000000 -0500
51802 @@ -232,8 +232,8 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
51803
51804 HOSTCC = gcc
51805 HOSTCXX = g++
51806 -HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer
51807 -HOSTCXXFLAGS = -O2
51808 +HOSTCFLAGS = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
51809 +HOSTCXXFLAGS = -O2 -fno-delete-null-pointer-checks
51810
51811 # Decide whether to build built-in, modular, or both.
51812 # Normally, just do built-in.
51813 @@ -680,7 +680,7 @@ export mod_strip_cmd
51814
51815
51816 ifeq ($(KBUILD_EXTMOD),)
51817 -core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
51818 +core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
51819
51820 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
51821 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
51822 diff -urNp linux-2.6.37/mm/bootmem.c linux-2.6.37/mm/bootmem.c
51823 --- linux-2.6.37/mm/bootmem.c 2011-01-04 19:50:19.000000000 -0500
51824 +++ linux-2.6.37/mm/bootmem.c 2011-01-17 02:41:02.000000000 -0500
51825 @@ -201,19 +201,30 @@ static void __init __free_pages_memory(u
51826 unsigned long __init free_all_memory_core_early(int nodeid)
51827 {
51828 int i;
51829 - u64 start, end;
51830 + u64 start, end, startrange, endrange;
51831 unsigned long count = 0;
51832 - struct range *range = NULL;
51833 + struct range *range = NULL, rangerange = { 0, 0 };
51834 int nr_range;
51835
51836 nr_range = get_free_all_memory_range(&range, nodeid);
51837 + startrange = __pa(range) >> PAGE_SHIFT;
51838 + endrange = (__pa(range + nr_range) - 1) >> PAGE_SHIFT;
51839
51840 for (i = 0; i < nr_range; i++) {
51841 start = range[i].start;
51842 end = range[i].end;
51843 + if (start <= endrange && startrange < end) {
51844 + BUG_ON(rangerange.start | rangerange.end);
51845 + rangerange = range[i];
51846 + continue;
51847 + }
51848 count += end - start;
51849 __free_pages_memory(start, end);
51850 }
51851 + start = rangerange.start;
51852 + end = rangerange.end;
51853 + count += end - start;
51854 + __free_pages_memory(start, end);
51855
51856 return count;
51857 }
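Review bot: The deferred free after the loop runs unconditionally, so when no range overlaps the `range` array itself `rangerange` is still the `{ 0, 0 }` sentinel and `__free_pages_memory(0, 0)` is called with an empty range; whether that is a harmless no-op depends on `__free_pages_memory`, which is outside the hunk. Guarding the four trailing lines with `if (rangerange.end > rangerange.start)` makes the intent explicit instead of relying on the helper's empty-range handling, and it also keeps the sentinel from being confused with a genuinely empty first range. The overlap test `start <= endrange && startrange < end` deserves a one-line comment stating why that range is skipped and freed last — the `range` array is read on every iteration, so the memory it occupies must not be handed back to the allocator before the loop ends — since the mixed `<=`/`<` (inclusive `endrange`, exclusive `end`) is easy to misread as an off-by-one.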
51858 diff -urNp linux-2.6.37/mm/filemap.c linux-2.6.37/mm/filemap.c
51859 --- linux-2.6.37/mm/filemap.c 2011-01-04 19:50:19.000000000 -0500
51860 +++ linux-2.6.37/mm/filemap.c 2011-01-17 02:41:02.000000000 -0500
51861 @@ -1660,7 +1660,7 @@ int generic_file_mmap(struct file * file
51862 struct address_space *mapping = file->f_mapping;
51863
51864 if (!mapping->a_ops->readpage)
51865 - return -ENOEXEC;
51866 + return -ENODEV;
51867 file_accessed(file);
51868 vma->vm_ops = &generic_file_vm_ops;
51869 vma->vm_flags |= VM_CAN_NONLINEAR;
51870 @@ -2056,6 +2056,7 @@ inline int generic_write_checks(struct f
51871 *pos = i_size_read(inode);
51872
51873 if (limit != RLIM_INFINITY) {
51874 + gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
51875 if (*pos >= limit) {
51876 send_sig(SIGXFSZ, current, 0);
51877 return -EFBIG;
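Review bot: `gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);` is missing the space after the third comma; kernel style is `gr_learn_resource(current, RLIMIT_FSIZE, *pos, 0);`. generic_write_checks() starts outside the hunk.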
51878 diff -urNp linux-2.6.37/mm/fremap.c linux-2.6.37/mm/fremap.c
51879 --- linux-2.6.37/mm/fremap.c 2011-01-04 19:50:19.000000000 -0500
51880 +++ linux-2.6.37/mm/fremap.c 2011-01-17 02:41:02.000000000 -0500
51881 @@ -156,6 +156,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
51882 retry:
51883 vma = find_vma(mm, start);
51884
51885 +#ifdef CONFIG_PAX_SEGMEXEC
51886 + if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC))
51887 + goto out;
51888 +#endif
51889 +
51890 /*
51891 * Make sure the vma is shared, that it supports prefaulting,
51892 * and that the remapped range is valid and fully within
51893 @@ -224,7 +229,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
51894 /*
51895 * drop PG_Mlocked flag for over-mapped range
51896 */
51897 - unsigned int saved_flags = vma->vm_flags;
51898 + unsigned long saved_flags = vma->vm_flags;
51899 munlock_vma_pages_range(vma, start, start + size);
51900 vma->vm_flags = saved_flags;
51901 }
51902 diff -urNp linux-2.6.37/mm/highmem.c linux-2.6.37/mm/highmem.c
51903 --- linux-2.6.37/mm/highmem.c 2011-01-04 19:50:19.000000000 -0500
51904 +++ linux-2.6.37/mm/highmem.c 2011-01-17 02:41:02.000000000 -0500
51905 @@ -125,9 +125,10 @@ static void flush_all_zero_pkmaps(void)
51906 * So no dangers, even with speculative execution.
51907 */
51908 page = pte_page(pkmap_page_table[i]);
51909 + pax_open_kernel();
51910 pte_clear(&init_mm, (unsigned long)page_address(page),
51911 &pkmap_page_table[i]);
51912 -
51913 + pax_close_kernel();
51914 set_page_address(page, NULL);
51915 need_flush = 1;
51916 }
51917 @@ -186,9 +187,11 @@ start:
51918 }
51919 }
51920 vaddr = PKMAP_ADDR(last_pkmap_nr);
51921 +
51922 + pax_open_kernel();
51923 set_pte_at(&init_mm, vaddr,
51924 &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));
51925 -
51926 + pax_close_kernel();
51927 pkmap_count[last_pkmap_nr] = 1;
51928 set_page_address(page, (void *)vaddr);
51929
51930 diff -urNp linux-2.6.37/mm/hugetlb.c linux-2.6.37/mm/hugetlb.c
51931 --- linux-2.6.37/mm/hugetlb.c 2011-01-04 19:50:19.000000000 -0500
51932 +++ linux-2.6.37/mm/hugetlb.c 2011-01-17 02:41:02.000000000 -0500
51933 @@ -2373,6 +2373,27 @@ static int unmap_ref_private(struct mm_s
51934 return 1;
51935 }
51936
51937 +#ifdef CONFIG_PAX_SEGMEXEC
51938 +static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
51939 +{
51940 + struct mm_struct *mm = vma->vm_mm;
51941 + struct vm_area_struct *vma_m;
51942 + unsigned long address_m;
51943 + pte_t *ptep_m;
51944 +
51945 + vma_m = pax_find_mirror_vma(vma);
51946 + if (!vma_m)
51947 + return;
51948 +
51949 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
51950 + address_m = address + SEGMEXEC_TASK_SIZE;
51951 + ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
51952 + get_page(page_m);
51953 + hugepage_add_anon_rmap(page_m, vma_m, address_m);
51954 + set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
51955 +}
51956 +#endif
51957 +
51958 /*
51959 * Hugetlb_cow() should be called with page lock of the original hugepage held.
51960 */
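Review bot: `ptep_m` returned by huge_pte_offset() is passed straight to set_huge_pte_at() without a NULL check, although huge_pte_offset() reports a missing page-table level by returning NULL. The hugetlb_fault() hunk further down does call huge_pte_alloc() for `address_m` before the mirror is populated, so the pointer is presumably valid on every path that reaches here, but that invariant is not visible inside pax_mirror_huge_pte() itself; a `BUG_ON(!ptep_m);` right after the lookup records it and turns a silent NULL dereference into an explicit assertion, matching the `BUG_ON(address >= SEGMEXEC_TASK_SIZE)` already used above it.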
51961 @@ -2473,6 +2494,11 @@ retry_avoidcopy:
51962 make_huge_pte(vma, new_page, 1));
51963 page_remove_rmap(old_page);
51964 hugepage_add_new_anon_rmap(new_page, vma, address);
51965 +
51966 +#ifdef CONFIG_PAX_SEGMEXEC
51967 + pax_mirror_huge_pte(vma, address, new_page);
51968 +#endif
51969 +
51970 /* Make the old page be freed below */
51971 new_page = old_page;
51972 mmu_notifier_invalidate_range_end(mm,
51973 @@ -2624,6 +2650,10 @@ retry:
51974 && (vma->vm_flags & VM_SHARED)));
51975 set_huge_pte_at(mm, address, ptep, new_pte);
51976
51977 +#ifdef CONFIG_PAX_SEGMEXEC
51978 + pax_mirror_huge_pte(vma, address, page);
51979 +#endif
51980 +
51981 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
51982 /* Optimization, do the COW without a second fault */
51983 ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
51984 @@ -2653,6 +2683,10 @@ int hugetlb_fault(struct mm_struct *mm,
51985 static DEFINE_MUTEX(hugetlb_instantiation_mutex);
51986 struct hstate *h = hstate_vma(vma);
51987
51988 +#ifdef CONFIG_PAX_SEGMEXEC
51989 + struct vm_area_struct *vma_m;
51990 +#endif
51991 +
51992 ptep = huge_pte_offset(mm, address);
51993 if (ptep) {
51994 entry = huge_ptep_get(ptep);
51995 @@ -2664,6 +2698,26 @@ int hugetlb_fault(struct mm_struct *mm,
51996 VM_FAULT_SET_HINDEX(h - hstates);
51997 }
51998
51999 +#ifdef CONFIG_PAX_SEGMEXEC
52000 + vma_m = pax_find_mirror_vma(vma);
52001 + if (vma_m) {
52002 + unsigned long address_m;
52003 +
52004 + if (vma->vm_start > vma_m->vm_start) {
52005 + address_m = address;
52006 + address -= SEGMEXEC_TASK_SIZE;
52007 + vma = vma_m;
52008 + h = hstate_vma(vma);
52009 + } else
52010 + address_m = address + SEGMEXEC_TASK_SIZE;
52011 +
52012 + if (!huge_pte_alloc(mm, address_m, huge_page_size(h)))
52013 + return VM_FAULT_OOM;
52014 + address_m &= HPAGE_MASK;
52015 + unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);
52016 + }
52017 +#endif
52018 +
52019 ptep = huge_pte_alloc(mm, address, huge_page_size(h));
52020 if (!ptep)
52021 return VM_FAULT_OOM;
52022 diff -urNp linux-2.6.37/mm/Kconfig linux-2.6.37/mm/Kconfig
52023 --- linux-2.6.37/mm/Kconfig 2011-01-04 19:50:19.000000000 -0500
52024 +++ linux-2.6.37/mm/Kconfig 2011-01-17 02:41:02.000000000 -0500
52025 @@ -240,7 +240,7 @@ config KSM
52026 config DEFAULT_MMAP_MIN_ADDR
52027 int "Low address space to protect from user allocation"
52028 depends on MMU
52029 - default 4096
52030 + default 65536
52031 help
52032 This is the portion of low virtual memory which should be protected
52033 from userspace allocation. Keeping a user from writing to low pages
52034 diff -urNp linux-2.6.37/mm/kmemleak.c linux-2.6.37/mm/kmemleak.c
52035 --- linux-2.6.37/mm/kmemleak.c 2011-01-04 19:50:19.000000000 -0500
52036 +++ linux-2.6.37/mm/kmemleak.c 2011-01-17 02:41:02.000000000 -0500
52037 @@ -355,7 +355,7 @@ static void print_unreferenced(struct se
52038
52039 for (i = 0; i < object->trace_len; i++) {
52040 void *ptr = (void *)object->trace[i];
52041 - seq_printf(seq, " [<%p>] %pS\n", ptr, ptr);
52042 + seq_printf(seq, " [<%p>] %pA\n", ptr, ptr);
52043 }
52044 }
52045
52046 diff -urNp linux-2.6.37/mm/maccess.c linux-2.6.37/mm/maccess.c
52047 --- linux-2.6.37/mm/maccess.c 2011-01-04 19:50:19.000000000 -0500
52048 +++ linux-2.6.37/mm/maccess.c 2011-01-17 02:41:02.000000000 -0500
52049 @@ -15,10 +15,10 @@
52050 * happens, handle that and return -EFAULT.
52051 */
52052
52053 -long __weak probe_kernel_read(void *dst, void *src, size_t size)
52054 +long __weak probe_kernel_read(void *dst, const void *src, size_t size)
52055 __attribute__((alias("__probe_kernel_read")));
52056
52057 -long __probe_kernel_read(void *dst, void *src, size_t size)
52058 +long __probe_kernel_read(void *dst, const void *src, size_t size)
52059 {
52060 long ret;
52061 mm_segment_t old_fs = get_fs();
52062 @@ -43,10 +43,10 @@ EXPORT_SYMBOL_GPL(probe_kernel_read);
52063 * Safely write to address @dst from the buffer at @src. If a kernel fault
52064 * happens, handle that and return -EFAULT.
52065 */
52066 -long __weak probe_kernel_write(void *dst, void *src, size_t size)
52067 +long __weak probe_kernel_write(void *dst, const void *src, size_t size)
52068 __attribute__((alias("__probe_kernel_write")));
52069
52070 -long __probe_kernel_write(void *dst, void *src, size_t size)
52071 +long __probe_kernel_write(void *dst, const void *src, size_t size)
52072 {
52073 long ret;
52074 mm_segment_t old_fs = get_fs();
52075 diff -urNp linux-2.6.37/mm/madvise.c linux-2.6.37/mm/madvise.c
52076 --- linux-2.6.37/mm/madvise.c 2011-01-04 19:50:19.000000000 -0500
52077 +++ linux-2.6.37/mm/madvise.c 2011-01-17 02:41:02.000000000 -0500
52078 @@ -45,6 +45,10 @@ static long madvise_behavior(struct vm_a
52079 pgoff_t pgoff;
52080 unsigned long new_flags = vma->vm_flags;
52081
52082 +#ifdef CONFIG_PAX_SEGMEXEC
52083 + struct vm_area_struct *vma_m;
52084 +#endif
52085 +
52086 switch (behavior) {
52087 case MADV_NORMAL:
52088 new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
52089 @@ -104,6 +108,13 @@ success:
52090 /*
52091 * vm_flags is protected by the mmap_sem held in write mode.
52092 */
52093 +
52094 +#ifdef CONFIG_PAX_SEGMEXEC
52095 + vma_m = pax_find_mirror_vma(vma);
52096 + if (vma_m)
52097 + vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
52098 +#endif
52099 +
52100 vma->vm_flags = new_flags;
52101
52102 out:
52103 @@ -162,6 +173,11 @@ static long madvise_dontneed(struct vm_a
52104 struct vm_area_struct ** prev,
52105 unsigned long start, unsigned long end)
52106 {
52107 +
52108 +#ifdef CONFIG_PAX_SEGMEXEC
52109 + struct vm_area_struct *vma_m;
52110 +#endif
52111 +
52112 *prev = vma;
52113 if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
52114 return -EINVAL;
52115 @@ -174,6 +190,21 @@ static long madvise_dontneed(struct vm_a
52116 zap_page_range(vma, start, end - start, &details);
52117 } else
52118 zap_page_range(vma, start, end - start, NULL);
52119 +
52120 +#ifdef CONFIG_PAX_SEGMEXEC
52121 + vma_m = pax_find_mirror_vma(vma);
52122 + if (vma_m) {
52123 + if (unlikely(vma->vm_flags & VM_NONLINEAR)) {
52124 + struct zap_details details = {
52125 + .nonlinear_vma = vma_m,
52126 + .last_index = ULONG_MAX,
52127 + };
52128 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, &details);
52129 + } else
52130 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
52131 + }
52132 +#endif
52133 +
52134 return 0;
52135 }
52136
52137 @@ -366,6 +397,16 @@ SYSCALL_DEFINE3(madvise, unsigned long,
52138 if (end < start)
52139 goto out;
52140
52141 +#ifdef CONFIG_PAX_SEGMEXEC
52142 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
52143 + if (end > SEGMEXEC_TASK_SIZE)
52144 + goto out;
52145 + } else
52146 +#endif
52147 +
52148 + if (end > TASK_SIZE)
52149 + goto out;
52150 +
52151 error = 0;
52152 if (end == start)
52153 goto out;
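Review bot: The `else` on the SEGMEXEC branch is separated from its body by `#endif` and a blank line, so in a SEGMEXEC build `if (end > TASK_SIZE)` reads as an independent statement although it is the else-arm, and in a non-SEGMEXEC build an orphaned blank line is all that remains of the conditional. Selecting the limit first and testing once avoids the cross-`#endif` `else` and leaves a single `goto out` for both configurations; the new local belongs with the function's other declarations, which are outside the hunk. sys_madvise() starts and ends outside the hunk, and `error` is presumably already -EINVAL at this point since the existing `goto out` for `end < start` relies on the same value.
```c
	unsigned long limit = TASK_SIZE;	/* declared with the function's other locals */

	/* … unchanged: start/len checks, end < start test … */

#ifdef CONFIG_PAX_SEGMEXEC
	if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
		limit = SEGMEXEC_TASK_SIZE;
#endif

	if (end > limit)
		goto out;
	/* … unchanged: error = 0; end == start test … */
```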
52154 diff -urNp linux-2.6.37/mm/memory.c linux-2.6.37/mm/memory.c
52155 --- linux-2.6.37/mm/memory.c 2011-01-04 19:50:19.000000000 -0500
52156 +++ linux-2.6.37/mm/memory.c 2011-01-17 02:41:02.000000000 -0500
52157 @@ -259,8 +259,12 @@ static inline void free_pmd_range(struct
52158 return;
52159
52160 pmd = pmd_offset(pud, start);
52161 +
52162 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)
52163 pud_clear(pud);
52164 pmd_free_tlb(tlb, pmd, start);
52165 +#endif
52166 +
52167 }
52168
52169 static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
52170 @@ -291,9 +295,12 @@ static inline void free_pud_range(struct
52171 if (end - 1 > ceiling - 1)
52172 return;
52173
52174 +#if !defined(CONFIG_X86_64) || !defined(CONFIG_PAX_PER_CPU_PGD)
52175 pud = pud_offset(pgd, start);
52176 pgd_clear(pgd);
52177 pud_free_tlb(tlb, pud, start);
52178 +#endif
52179 +
52180 }
52181
52182 /*
52183 @@ -1361,10 +1368,10 @@ int __get_user_pages(struct task_struct
52184 (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
52185 i = 0;
52186
52187 - do {
52188 + while (nr_pages) {
52189 struct vm_area_struct *vma;
52190
52191 - vma = find_extend_vma(mm, start);
52192 + vma = find_vma(mm, start);
52193 if (!vma && in_gate_area(tsk, start)) {
52194 unsigned long pg = start & PAGE_MASK;
52195 struct vm_area_struct *gate_vma = get_gate_vma(tsk);
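Review bot: Replacing find_extend_vma() with find_vma() removes the side effect of growing a VM_GROWSDOWN vma on lookup — find_vma() returns the first vma ending above `start` without touching it, which is why the second hunk has to add `start < vma->vm_start` to the -EFAULT condition — but nothing in the code says that the stack-expansion behaviour was dropped on purpose. A comment above the call, e.g. `/* find_vma(), not find_extend_vma(): a lookup here must not expand a growsdown vma */`, would stop someone "fixing" it back and explains the extra bounds check below. The `do { … } while (nr_pages)` to `while (nr_pages) { … }` change is a second behavioural change hiding under a restyle: an `nr_pages == 0` call now returns `i` (0) without touching the vma list instead of running the body once. __get_user_pages() starts before this hunk and its loop closes in the third hunk, where `}` replaces `} while (nr_pages);`.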
52196 @@ -1416,7 +1423,7 @@ int __get_user_pages(struct task_struct
52197 continue;
52198 }
52199
52200 - if (!vma ||
52201 + if (!vma || start < vma->vm_start ||
52202 (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
52203 !(vm_flags & vma->vm_flags))
52204 return i ? : -EFAULT;
52205 @@ -1492,7 +1499,7 @@ int __get_user_pages(struct task_struct
52206 start += PAGE_SIZE;
52207 nr_pages--;
52208 } while (nr_pages && start < vma->vm_end);
52209 - } while (nr_pages);
52210 + }
52211 return i;
52212 }
52213
52214 @@ -1637,6 +1644,10 @@ static int insert_page(struct vm_area_st
52215 page_add_file_rmap(page);
52216 set_pte_at(mm, addr, pte, mk_pte(page, prot));
52217
52218 +#ifdef CONFIG_PAX_SEGMEXEC
52219 + pax_mirror_file_pte(vma, addr, page, ptl);
52220 +#endif
52221 +
52222 retval = 0;
52223 pte_unmap_unlock(pte, ptl);
52224 return retval;
52225 @@ -1671,10 +1682,22 @@ out:
52226 int vm_insert_page(struct vm_area_struct *vma, unsigned long addr,
52227 struct page *page)
52228 {
52229 +
52230 +#ifdef CONFIG_PAX_SEGMEXEC
52231 + struct vm_area_struct *vma_m;
52232 +#endif
52233 +
52234 if (addr < vma->vm_start || addr >= vma->vm_end)
52235 return -EFAULT;
52236 if (!page_count(page))
52237 return -EINVAL;
52238 +
52239 +#ifdef CONFIG_PAX_SEGMEXEC
52240 + vma_m = pax_find_mirror_vma(vma);
52241 + if (vma_m)
52242 + vma_m->vm_flags |= VM_INSERTPAGE;
52243 +#endif
52244 +
52245 vma->vm_flags |= VM_INSERTPAGE;
52246 return insert_page(vma, addr, page, vma->vm_page_prot);
52247 }
52248 @@ -1760,6 +1783,7 @@ int vm_insert_mixed(struct vm_area_struc
52249 unsigned long pfn)
52250 {
52251 BUG_ON(!(vma->vm_flags & VM_MIXEDMAP));
52252 + BUG_ON(vma->vm_mirror);
52253
52254 if (addr < vma->vm_start || addr >= vma->vm_end)
52255 return -EFAULT;
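Review bot: `BUG_ON(vma->vm_mirror);` is added unconditionally, whereas every other mirror-related addition in this file (the vm_insert_page and insert_page hunks just above) is wrapped in `#ifdef CONFIG_PAX_SEGMEXEC`. If `vm_mirror` is only declared in `struct vm_area_struct` under that option — its declaration is not in view — this will not compile in a kernel built without SEGMEXEC; either wrap it the same way or confirm the member exists unconditionally. The assertion also deserves a one-line comment stating why a VM_MIXEDMAP vma must never have a mirror, since nothing here explains it. vm_insert_mixed() continues outside the hunk.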
52256 @@ -2087,6 +2111,186 @@ static inline void cow_user_page(struct
52257 copy_user_highpage(dst, src, va, vma);
52258 }
52259
52260 +#ifdef CONFIG_PAX_SEGMEXEC
52261 +static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
52262 +{
52263 + struct mm_struct *mm = vma->vm_mm;
52264 + spinlock_t *ptl;
52265 + pte_t *pte, entry;
52266 +
52267 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
52268 + entry = *pte;
52269 + if (!pte_present(entry)) {
52270 + if (!pte_none(entry)) {
52271 + BUG_ON(pte_file(entry));
52272 + free_swap_and_cache(pte_to_swp_entry(entry));
52273 + pte_clear_not_present_full(mm, address, pte, 0);
52274 + }
52275 + } else {
52276 + struct page *page;
52277 +
52278 + flush_cache_page(vma, address, pte_pfn(entry));
52279 + entry = ptep_clear_flush(vma, address, pte);
52280 + BUG_ON(pte_dirty(entry));
52281 + page = vm_normal_page(vma, address, entry);
52282 + if (page) {
52283 + update_hiwater_rss(mm);
52284 + if (PageAnon(page))
52285 + dec_mm_counter_fast(mm, MM_ANONPAGES);
52286 + else
52287 + dec_mm_counter_fast(mm, MM_FILEPAGES);
52288 + page_remove_rmap(page);
52289 + page_cache_release(page);
52290 + }
52291 + }
52292 + pte_unmap_unlock(pte, ptl);
52293 +}
52294 +
52295 +/* PaX: if vma is mirrored, synchronize the mirror's PTE
52296 + *
52297 + * the ptl of the lower mapped page is held on entry and is not released on exit
52298 + * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
52299 + */
52300 +static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
52301 +{
52302 + struct mm_struct *mm = vma->vm_mm;
52303 + unsigned long address_m;
52304 + spinlock_t *ptl_m;
52305 + struct vm_area_struct *vma_m;
52306 + pmd_t *pmd_m;
52307 + pte_t *pte_m, entry_m;
52308 +
52309 + BUG_ON(!page_m || !PageAnon(page_m));
52310 +
52311 + vma_m = pax_find_mirror_vma(vma);
52312 + if (!vma_m)
52313 + return;
52314 +
52315 + BUG_ON(!PageLocked(page_m));
52316 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
52317 + address_m = address + SEGMEXEC_TASK_SIZE;
52318 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
52319 + pte_m = pte_offset_map(pmd_m, address_m);
52320 + ptl_m = pte_lockptr(mm, pmd_m);
52321 + if (ptl != ptl_m) {
52322 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
52323 + if (!pte_none(*pte_m))
52324 + goto out;
52325 + }
52326 +
52327 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
52328 + page_cache_get(page_m);
52329 + page_add_anon_rmap(page_m, vma_m, address_m);
52330 + inc_mm_counter_fast(mm, MM_ANONPAGES);
52331 + set_pte_at(mm, address_m, pte_m, entry_m);
52332 + update_mmu_cache(vma_m, address_m, entry_m);
52333 +out:
52334 + if (ptl != ptl_m)
52335 + spin_unlock(ptl_m);
52336 + pte_unmap(pte_m);
52337 + unlock_page(page_m);
52338 +}
52339 +
52340 +void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
52341 +{
52342 + struct mm_struct *mm = vma->vm_mm;
52343 + unsigned long address_m;
52344 + spinlock_t *ptl_m;
52345 + struct vm_area_struct *vma_m;
52346 + pmd_t *pmd_m;
52347 + pte_t *pte_m, entry_m;
52348 +
52349 + BUG_ON(!page_m || PageAnon(page_m));
52350 +
52351 + vma_m = pax_find_mirror_vma(vma);
52352 + if (!vma_m)
52353 + return;
52354 +
52355 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
52356 + address_m = address + SEGMEXEC_TASK_SIZE;
52357 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
52358 + pte_m = pte_offset_map(pmd_m, address_m);
52359 + ptl_m = pte_lockptr(mm, pmd_m);
52360 + if (ptl != ptl_m) {
52361 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
52362 + if (!pte_none(*pte_m))
52363 + goto out;
52364 + }
52365 +
52366 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
52367 + page_cache_get(page_m);
52368 + page_add_file_rmap(page_m);
52369 + inc_mm_counter_fast(mm, MM_FILEPAGES);
52370 + set_pte_at(mm, address_m, pte_m, entry_m);
52371 + update_mmu_cache(vma_m, address_m, entry_m);
52372 +out:
52373 + if (ptl != ptl_m)
52374 + spin_unlock(ptl_m);
52375 + pte_unmap(pte_m);
52376 +}
52377 +
52378 +static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
52379 +{
52380 + struct mm_struct *mm = vma->vm_mm;
52381 + unsigned long address_m;
52382 + spinlock_t *ptl_m;
52383 + struct vm_area_struct *vma_m;
52384 + pmd_t *pmd_m;
52385 + pte_t *pte_m, entry_m;
52386 +
52387 + vma_m = pax_find_mirror_vma(vma);
52388 + if (!vma_m)
52389 + return;
52390 +
52391 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
52392 + address_m = address + SEGMEXEC_TASK_SIZE;
52393 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
52394 + pte_m = pte_offset_map(pmd_m, address_m);
52395 + ptl_m = pte_lockptr(mm, pmd_m);
52396 + if (ptl != ptl_m) {
52397 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
52398 + if (!pte_none(*pte_m))
52399 + goto out;
52400 + }
52401 +
52402 + entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
52403 + set_pte_at(mm, address_m, pte_m, entry_m);
52404 +out:
52405 + if (ptl != ptl_m)
52406 + spin_unlock(ptl_m);
52407 + pte_unmap(pte_m);
52408 +}
52409 +
52410 +static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
52411 +{
52412 + struct page *page_m;
52413 + pte_t entry;
52414 +
52415 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
52416 + goto out;
52417 +
52418 + entry = *pte;
52419 + page_m = vm_normal_page(vma, address, entry);
52420 + if (!page_m)
52421 + pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
52422 + else if (PageAnon(page_m)) {
52423 + if (pax_find_mirror_vma(vma)) {
52424 + pte_unmap_unlock(pte, ptl);
52425 + lock_page(page_m);
52426 + pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
52427 + if (pte_same(entry, *pte))
52428 + pax_mirror_anon_pte(vma, address, page_m, ptl);
52429 + else
52430 + unlock_page(page_m);
52431 + }
52432 + } else
52433 + pax_mirror_file_pte(vma, address, page_m, ptl);
52434 +
52435 +out:
52436 + pte_unmap_unlock(pte, ptl);
52437 +}
52438 +#endif
52439 +
52440 /*
52441 * This routine handles present pages, when users try to write
52442 * to a shared page. It is done by copying the page to a new address
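Review bot: In pax_mirror_pte(), the anonymous branch drops the page-table lock with pte_unmap_unlock() and then calls lock_page(page_m) without holding a reference on page_m (vm_normal_page() does not take one), so if reclaim unmaps and frees the page in that window the lock_page() could run on a freed or reused page. Unless something outside this hunk pins the page, the safer shape is the one mainline uses when it re-locks in do_wp_page: `page_cache_get(page_m);` before the `pte_unmap_unlock(pte, ptl);`, and `page_cache_release(page_m);` after the pte_same() if/else has run (the mirror mapping takes its own reference inside pax_mirror_anon_pte, so this extra one is purely for the window). A smaller point in pax_mirror_anon_pte/pax_mirror_file_pte/pax_mirror_pfn_pte: the `!pte_none(*pte_m)` guard sits inside `if (ptl != ptl_m)`, so when both addresses share one page-table lock an already-populated mirror PTE is overwritten by set_pte_at() without the rmap/refcount bookkeeping the guarded path avoids; if that is intentional (e.g. because handle_mm_fault always clears the mirror first), a one-line comment saying so would stop the next reader from "fixing" it. The lock-ownership contract of pax_mirror_anon_pte (page_m must be locked on entry and is unlocked on the mirror path but not on the `!vma_m` early return) is only implied by the BUG_ON and deserves a line in its header comment.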
52443 @@ -2274,6 +2478,12 @@ gotten:
52444 */
52445 page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
52446 if (likely(pte_same(*page_table, orig_pte))) {
52447 +
52448 +#ifdef CONFIG_PAX_SEGMEXEC
52449 + if (pax_find_mirror_vma(vma))
52450 + BUG_ON(!trylock_page(new_page));
52451 +#endif
52452 +
52453 if (old_page) {
52454 if (!PageAnon(old_page)) {
52455 dec_mm_counter_fast(mm, MM_FILEPAGES);
52456 @@ -2325,6 +2535,10 @@ gotten:
52457 page_remove_rmap(old_page);
52458 }
52459
52460 +#ifdef CONFIG_PAX_SEGMEXEC
52461 + pax_mirror_anon_pte(vma, address, new_page, ptl);
52462 +#endif
52463 +
52464 /* Free the old page.. */
52465 new_page = old_page;
52466 ret |= VM_FAULT_WRITE;
52467 @@ -2756,6 +2970,11 @@ static int do_swap_page(struct mm_struct
52468 swap_free(entry);
52469 if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
52470 try_to_free_swap(page);
52471 +
52472 +#ifdef CONFIG_PAX_SEGMEXEC
52473 + if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
52474 +#endif
52475 +
52476 unlock_page(page);
52477 if (swapcache) {
52478 /*
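Review bot: The added `if (...)` under `#ifdef CONFIG_PAX_SEGMEXEC` controls the `unlock_page(page);` that lives outside the #ifdef block and after a blank line, so the statement it governs is invisible at the `#endif`, and anyone inserting a line between them silently changes which statement is conditional. The same pattern appears in the mm/mempolicy.c do_mbind hunk, where a `} else` just before `#endif` binds to the `if (end > TASK_SIZE)` that follows the blank line. Keeping the conditional and its body inside the same preprocessor block, with an explicit `#else` for the unconditional unlock, reads unambiguously; the page presumably stays locked here so that the later pax_mirror_anon_pte() call, which unlocks it on the mirror path, owns the lock, and the comment below says so.
```c
	try_to_free_swap(page);
#ifdef CONFIG_PAX_SEGMEXEC
	/* a read fault with a mirror keeps the page locked for pax_mirror_anon_pte() */
	if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
		unlock_page(page);
#else
	unlock_page(page);
#endif
	/* … unchanged: swapcache handling … */
```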
52479 @@ -2779,6 +2998,11 @@ static int do_swap_page(struct mm_struct
52480
52481 /* No need to invalidate - it was non-present before */
52482 update_mmu_cache(vma, address, page_table);
52483 +
52484 +#ifdef CONFIG_PAX_SEGMEXEC
52485 + pax_mirror_anon_pte(vma, address, page, ptl);
52486 +#endif
52487 +
52488 unlock:
52489 pte_unmap_unlock(page_table, ptl);
52490 out:
52491 @@ -2798,40 +3022,6 @@ out_release:
52492 }
52493
52494 /*
52495 - * This is like a special single-page "expand_{down|up}wards()",
52496 - * except we must first make sure that 'address{-|+}PAGE_SIZE'
52497 - * doesn't hit another vma.
52498 - */
52499 -static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
52500 -{
52501 - address &= PAGE_MASK;
52502 - if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
52503 - struct vm_area_struct *prev = vma->vm_prev;
52504 -
52505 - /*
52506 - * Is there a mapping abutting this one below?
52507 - *
52508 - * That's only ok if it's the same stack mapping
52509 - * that has gotten split..
52510 - */
52511 - if (prev && prev->vm_end == address)
52512 - return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
52513 -
52514 - expand_stack(vma, address - PAGE_SIZE);
52515 - }
52516 - if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
52517 - struct vm_area_struct *next = vma->vm_next;
52518 -
52519 - /* As VM_GROWSDOWN but s/below/above/ */
52520 - if (next && next->vm_start == address + PAGE_SIZE)
52521 - return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
52522 -
52523 - expand_upwards(vma, address + PAGE_SIZE);
52524 - }
52525 - return 0;
52526 -}
52527 -
52528 -/*
52529 * We enter with non-exclusive mmap_sem (to exclude vma changes,
52530 * but allow concurrent faults), and pte mapped but not yet locked.
52531 * We return with mmap_sem still held, but pte unmapped and unlocked.
52532 @@ -2840,27 +3030,23 @@ static int do_anonymous_page(struct mm_s
52533 unsigned long address, pte_t *page_table, pmd_t *pmd,
52534 unsigned int flags)
52535 {
52536 - struct page *page;
52537 + struct page *page = NULL;
52538 spinlock_t *ptl;
52539 pte_t entry;
52540
52541 - pte_unmap(page_table);
52542 -
52543 - /* Check if we need to add a guard page to the stack */
52544 - if (check_stack_guard_page(vma, address) < 0)
52545 - return VM_FAULT_SIGBUS;
52546 -
52547 - /* Use the zero-page for reads */
52548 if (!(flags & FAULT_FLAG_WRITE)) {
52549 entry = pte_mkspecial(pfn_pte(my_zero_pfn(address),
52550 vma->vm_page_prot));
52551 - page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
52552 + ptl = pte_lockptr(mm, pmd);
52553 + spin_lock(ptl);
52554 if (!pte_none(*page_table))
52555 goto unlock;
52556 goto setpte;
52557 }
52558
52559 /* Allocate our own private page. */
52560 + pte_unmap(page_table);
52561 +
52562 if (unlikely(anon_vma_prepare(vma)))
52563 goto oom;
52564 page = alloc_zeroed_user_highpage_movable(vma, address);
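Review bot: The removed `check_stack_guard_page()` call and its `VM_FAULT_SIGBUS` return were the in-fault stack guard-page check, and nothing in this hunk replaces them; the only related addition visible elsewhere in this patch is `sysctl_heap_stack_gap` in mm/mmap.c, which is presumably enforced at mapping time rather than at fault time. A one-line comment at the `if (!(flags & FAULT_FLAG_WRITE))` site, e.g. `/* stack/heap gap is enforced in get_unmapped_area (sysctl_heap_stack_gap), not here */`, would stop a reader from concluding the protection was simply dropped. The `page = NULL` initialiser is what lets the later `if (page)` mirror call skip the zero-page path, and the `pte_lockptr()`/`spin_lock()` pair plus the moved `pte_unmap()` restore the earlier code shape where page_table stays mapped on the read path; the do_anonymous_page body continues past the hunk.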
52565 @@ -2879,6 +3065,11 @@ static int do_anonymous_page(struct mm_s
52566 if (!pte_none(*page_table))
52567 goto release;
52568
52569 +#ifdef CONFIG_PAX_SEGMEXEC
52570 + if (pax_find_mirror_vma(vma))
52571 + BUG_ON(!trylock_page(page));
52572 +#endif
52573 +
52574 inc_mm_counter_fast(mm, MM_ANONPAGES);
52575 page_add_new_anon_rmap(page, vma, address);
52576 setpte:
52577 @@ -2886,6 +3077,12 @@ setpte:
52578
52579 /* No need to invalidate - it was non-present before */
52580 update_mmu_cache(vma, address, page_table);
52581 +
52582 +#ifdef CONFIG_PAX_SEGMEXEC
52583 + if (page)
52584 + pax_mirror_anon_pte(vma, address, page, ptl);
52585 +#endif
52586 +
52587 unlock:
52588 pte_unmap_unlock(page_table, ptl);
52589 return 0;
52590 @@ -3029,6 +3226,12 @@ static int __do_fault(struct mm_struct *
52591 */
52592 /* Only go through if we didn't race with anybody else... */
52593 if (likely(pte_same(*page_table, orig_pte))) {
52594 +
52595 +#ifdef CONFIG_PAX_SEGMEXEC
52596 + if (anon && pax_find_mirror_vma(vma))
52597 + BUG_ON(!trylock_page(page));
52598 +#endif
52599 +
52600 flush_icache_page(vma, page);
52601 entry = mk_pte(page, vma->vm_page_prot);
52602 if (flags & FAULT_FLAG_WRITE)
52603 @@ -3048,6 +3251,14 @@ static int __do_fault(struct mm_struct *
52604
52605 /* no need to invalidate: a not-present page won't be cached */
52606 update_mmu_cache(vma, address, page_table);
52607 +
52608 +#ifdef CONFIG_PAX_SEGMEXEC
52609 + if (anon)
52610 + pax_mirror_anon_pte(vma, address, page, ptl);
52611 + else
52612 + pax_mirror_file_pte(vma, address, page, ptl);
52613 +#endif
52614 +
52615 } else {
52616 if (charged)
52617 mem_cgroup_uncharge_page(page);
52618 @@ -3195,6 +3406,12 @@ static inline int handle_pte_fault(struc
52619 if (flags & FAULT_FLAG_WRITE)
52620 flush_tlb_fix_spurious_fault(vma, address);
52621 }
52622 +
52623 +#ifdef CONFIG_PAX_SEGMEXEC
52624 + pax_mirror_pte(vma, address, pte, pmd, ptl);
52625 + return 0;
52626 +#endif
52627 +
52628 unlock:
52629 pte_unmap_unlock(pte, ptl);
52630 return 0;
52631 @@ -3211,6 +3428,10 @@ int handle_mm_fault(struct mm_struct *mm
52632 pmd_t *pmd;
52633 pte_t *pte;
52634
52635 +#ifdef CONFIG_PAX_SEGMEXEC
52636 + struct vm_area_struct *vma_m;
52637 +#endif
52638 +
52639 __set_current_state(TASK_RUNNING);
52640
52641 count_vm_event(PGFAULT);
52642 @@ -3221,6 +3442,34 @@ int handle_mm_fault(struct mm_struct *mm
52643 if (unlikely(is_vm_hugetlb_page(vma)))
52644 return hugetlb_fault(mm, vma, address, flags);
52645
52646 +#ifdef CONFIG_PAX_SEGMEXEC
52647 + vma_m = pax_find_mirror_vma(vma);
52648 + if (vma_m) {
52649 + unsigned long address_m;
52650 + pgd_t *pgd_m;
52651 + pud_t *pud_m;
52652 + pmd_t *pmd_m;
52653 +
52654 + if (vma->vm_start > vma_m->vm_start) {
52655 + address_m = address;
52656 + address -= SEGMEXEC_TASK_SIZE;
52657 + vma = vma_m;
52658 + } else
52659 + address_m = address + SEGMEXEC_TASK_SIZE;
52660 +
52661 + pgd_m = pgd_offset(mm, address_m);
52662 + pud_m = pud_alloc(mm, pgd_m, address_m);
52663 + if (!pud_m)
52664 + return VM_FAULT_OOM;
52665 + pmd_m = pmd_alloc(mm, pud_m, address_m);
52666 + if (!pmd_m)
52667 + return VM_FAULT_OOM;
52668 + if (!pmd_present(*pmd_m) && __pte_alloc(mm, pmd_m, address_m))
52669 + return VM_FAULT_OOM;
52670 + pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
52671 + }
52672 +#endif
52673 +
52674 pgd = pgd_offset(mm, address);
52675 pud = pud_alloc(mm, pgd, address);
52676 if (!pud)
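Review bot: After the `vma->vm_start > vma_m->vm_start` branch, `vma_m` still points at the lower vma while `address_m` holds the upper address, so `pax_unmap_mirror_pte(vma_m, address_m, pmd_m)` is handed a vma/address pair that do not belong together; pax_unmap_mirror_pte passes that vma to flush_cache_page(), ptep_clear_flush() and vm_normal_page(), which is harmless only as long as the two vmas agree on everything those helpers consult (VM_PFNMAP/VM_MIXEDMAP flags, vm_pgoff, vm_start). The else branch keeps the pairing consistent, so the fix is to complete the swap: declare `struct vm_area_struct *vma_u = vma;` at the top of that block and add `vma_m = vma_u;` right after `vma = vma_m;`. The rest of handle_mm_fault continues outside the hunk.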
52677 @@ -3318,7 +3567,7 @@ static int __init gate_vma_init(void)
52678 gate_vma.vm_start = FIXADDR_USER_START;
52679 gate_vma.vm_end = FIXADDR_USER_END;
52680 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
52681 - gate_vma.vm_page_prot = __P101;
52682 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
52683 /*
52684 * Make sure the vDSO gets into every core dump.
52685 * Dumping its contents makes post-mortem fully interpretable later
52686 diff -urNp linux-2.6.37/mm/memory-failure.c linux-2.6.37/mm/memory-failure.c
52687 --- linux-2.6.37/mm/memory-failure.c 2011-01-04 19:50:19.000000000 -0500
52688 +++ linux-2.6.37/mm/memory-failure.c 2011-01-17 02:41:02.000000000 -0500
52689 @@ -58,7 +58,7 @@ int sysctl_memory_failure_early_kill __r
52690
52691 int sysctl_memory_failure_recovery __read_mostly = 1;
52692
52693 -atomic_long_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
52694 +atomic_long_unchecked_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
52695
52696 #if defined(CONFIG_HWPOISON_INJECT) || defined(CONFIG_HWPOISON_INJECT_MODULE)
52697
52698 @@ -967,7 +967,7 @@ int __memory_failure(unsigned long pfn,
52699 }
52700
52701 nr_pages = 1 << compound_order(hpage);
52702 - atomic_long_add(nr_pages, &mce_bad_pages);
52703 + atomic_long_add_unchecked(nr_pages, &mce_bad_pages);
52704
52705 /*
52706 * We need/can do nothing about count=0 pages.
52707 @@ -997,7 +997,7 @@ int __memory_failure(unsigned long pfn,
52708 if (!PageHWPoison(hpage)
52709 || (hwpoison_filter(p) && TestClearPageHWPoison(p))
52710 || (p != hpage && TestSetPageHWPoison(hpage))) {
52711 - atomic_long_sub(nr_pages, &mce_bad_pages);
52712 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
52713 return 0;
52714 }
52715 set_page_hwpoison_huge_page(hpage);
52716 @@ -1052,7 +1052,7 @@ int __memory_failure(unsigned long pfn,
52717 }
52718 if (hwpoison_filter(p)) {
52719 if (TestClearPageHWPoison(p))
52720 - atomic_long_sub(nr_pages, &mce_bad_pages);
52721 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
52722 unlock_page(hpage);
52723 put_page(hpage);
52724 return 0;
52725 @@ -1178,7 +1178,7 @@ int unpoison_memory(unsigned long pfn)
52726 return 0;
52727 }
52728 if (TestClearPageHWPoison(p))
52729 - atomic_long_sub(nr_pages, &mce_bad_pages);
52730 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
52731 pr_info("MCE: Software-unpoisoned free page %#lx\n", pfn);
52732 return 0;
52733 }
52734 @@ -1192,7 +1192,7 @@ int unpoison_memory(unsigned long pfn)
52735 */
52736 if (TestClearPageHWPoison(page)) {
52737 pr_info("MCE: Software-unpoisoned page %#lx\n", pfn);
52738 - atomic_long_sub(nr_pages, &mce_bad_pages);
52739 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
52740 freeit = 1;
52741 if (PageHuge(page))
52742 clear_page_hwpoison_huge_page(page);
52743 @@ -1301,7 +1301,7 @@ static int soft_offline_huge_page(struct
52744 }
52745 done:
52746 if (!PageHWPoison(hpage))
52747 - atomic_long_add(1 << compound_order(hpage), &mce_bad_pages);
52748 + atomic_long_add_unchecked(1 << compound_order(hpage), &mce_bad_pages);
52749 set_page_hwpoison_huge_page(hpage);
52750 dequeue_hwpoisoned_huge_page(hpage);
52751 /* keep elevated page count for bad page */
52752 @@ -1428,7 +1428,7 @@ int soft_offline_page(struct page *page,
52753 return ret;
52754
52755 done:
52756 - atomic_long_add(1, &mce_bad_pages);
52757 + atomic_long_add_unchecked(1, &mce_bad_pages);
52758 SetPageHWPoison(page);
52759 /* keep elevated page count for bad page */
52760 return ret;
52761 diff -urNp linux-2.6.37/mm/mempolicy.c linux-2.6.37/mm/mempolicy.c
52762 --- linux-2.6.37/mm/mempolicy.c 2011-01-04 19:50:19.000000000 -0500
52763 +++ linux-2.6.37/mm/mempolicy.c 2011-01-17 02:41:02.000000000 -0500
52764 @@ -642,6 +642,10 @@ static int mbind_range(struct mm_struct
52765 unsigned long vmstart;
52766 unsigned long vmend;
52767
52768 +#ifdef CONFIG_PAX_SEGMEXEC
52769 + struct vm_area_struct *vma_m;
52770 +#endif
52771 +
52772 vma = find_vma_prev(mm, start, &prev);
52773 if (!vma || vma->vm_start > start)
52774 return -EFAULT;
52775 @@ -672,6 +676,16 @@ static int mbind_range(struct mm_struct
52776 err = policy_vma(vma, new_pol);
52777 if (err)
52778 goto out;
52779 +
52780 +#ifdef CONFIG_PAX_SEGMEXEC
52781 + vma_m = pax_find_mirror_vma(vma);
52782 + if (vma_m) {
52783 + err = policy_vma(vma_m, new_pol);
52784 + if (err)
52785 + goto out;
52786 + }
52787 +#endif
52788 +
52789 }
52790
52791 out:
52792 @@ -1104,6 +1118,17 @@ static long do_mbind(unsigned long start
52793
52794 if (end < start)
52795 return -EINVAL;
52796 +
52797 +#ifdef CONFIG_PAX_SEGMEXEC
52798 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
52799 + if (end > SEGMEXEC_TASK_SIZE)
52800 + return -EINVAL;
52801 + } else
52802 +#endif
52803 +
52804 + if (end > TASK_SIZE)
52805 + return -EINVAL;
52806 +
52807 if (end == start)
52808 return 0;
52809
52810 @@ -1324,6 +1349,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
52811 if (!mm)
52812 goto out;
52813
52814 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
52815 + if (mm != current->mm &&
52816 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
52817 + err = -EPERM;
52818 + goto out;
52819 + }
52820 +#endif
52821 +
52822 /*
52823 * Check if this process has the right to modify the specified
52824 * process. The right exists if the process has administrative
52825 @@ -1333,8 +1366,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
52826 rcu_read_lock();
52827 tcred = __task_cred(task);
52828 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
52829 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
52830 - !capable(CAP_SYS_NICE)) {
52831 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
52832 rcu_read_unlock();
52833 err = -EPERM;
52834 goto out;
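Review bot: The rewritten condition drops the `cred->uid != tcred->uid` clause, so a caller whose only relationship to the target is a matching real uid is now refused unless it holds CAP_SYS_NICE, while the comment above the hunk (its tail is outside the hunk, and in this kernel it presumably still describes the right as existing for matching uids) is left describing the old rule. Updating it to something like `/* ... or the same uid as the target's saved uid, or an effective uid matching the target's real uid; a matching real uid alone is no longer sufficient */` keeps the stated policy and the code in step. The mm/migrate.c move_pages hunk makes the identical change and needs the same comment update.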
52835 @@ -2632,7 +2664,7 @@ int show_numa_map(struct seq_file *m, vo
52836
52837 if (file) {
52838 seq_printf(m, " file=");
52839 - seq_path(m, &file->f_path, "\n\t= ");
52840 + seq_path(m, &file->f_path, "\n\t\\= ");
52841 } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
52842 seq_printf(m, " heap");
52843 } else if (vma->vm_start <= mm->start_stack &&
52844 diff -urNp linux-2.6.37/mm/migrate.c linux-2.6.37/mm/migrate.c
52845 --- linux-2.6.37/mm/migrate.c 2011-01-04 19:50:19.000000000 -0500
52846 +++ linux-2.6.37/mm/migrate.c 2011-01-17 02:41:02.000000000 -0500
52847 @@ -1299,6 +1299,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
52848 if (!mm)
52849 return -EINVAL;
52850
52851 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
52852 + if (mm != current->mm &&
52853 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
52854 + err = -EPERM;
52855 + goto out;
52856 + }
52857 +#endif
52858 +
52859 /*
52860 * Check if this process has the right to modify the specified
52861 * process. The right exists if the process has administrative
52862 @@ -1308,8 +1316,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
52863 rcu_read_lock();
52864 tcred = __task_cred(task);
52865 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
52866 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
52867 - !capable(CAP_SYS_NICE)) {
52868 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
52869 rcu_read_unlock();
52870 err = -EPERM;
52871 goto out;
52872 diff -urNp linux-2.6.37/mm/mlock.c linux-2.6.37/mm/mlock.c
52873 --- linux-2.6.37/mm/mlock.c 2011-01-04 19:50:19.000000000 -0500
52874 +++ linux-2.6.37/mm/mlock.c 2011-01-17 02:41:02.000000000 -0500
52875 @@ -13,6 +13,7 @@
52876 #include <linux/pagemap.h>
52877 #include <linux/mempolicy.h>
52878 #include <linux/syscalls.h>
52879 +#include <linux/security.h>
52880 #include <linux/sched.h>
52881 #include <linux/module.h>
52882 #include <linux/rmap.h>
52883 @@ -135,13 +136,6 @@ void munlock_vma_page(struct page *page)
52884 }
52885 }
52886
52887 -static inline int stack_guard_page(struct vm_area_struct *vma, unsigned long addr)
52888 -{
52889 - return (vma->vm_flags & VM_GROWSDOWN) &&
52890 - (vma->vm_start == addr) &&
52891 - !vma_stack_continue(vma->vm_prev, addr);
52892 -}
52893 -
52894 /**
52895 * __mlock_vma_pages_range() - mlock a range of pages in the vma.
52896 * @vma: target vma
52897 @@ -174,12 +168,6 @@ static long __mlock_vma_pages_range(stru
52898 if (vma->vm_flags & VM_WRITE)
52899 gup_flags |= FOLL_WRITE;
52900
52901 - /* We don't try to access the guard page of a stack vma */
52902 - if (stack_guard_page(vma, start)) {
52903 - addr += PAGE_SIZE;
52904 - nr_pages--;
52905 - }
52906 -
52907 while (nr_pages > 0) {
52908 int i;
52909
52910 @@ -445,6 +433,9 @@ static int do_mlock(unsigned long start,
52911 return -EINVAL;
52912 if (end == start)
52913 return 0;
52914 + if (end > TASK_SIZE)
52915 + return -EINVAL;
52916 +
52917 vma = find_vma_prev(current->mm, start, &prev);
52918 if (!vma || vma->vm_start > start)
52919 return -ENOMEM;
52920 @@ -455,6 +446,11 @@ static int do_mlock(unsigned long start,
52921 for (nstart = start ; ; ) {
52922 unsigned int newflags;
52923
52924 +#ifdef CONFIG_PAX_SEGMEXEC
52925 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
52926 + break;
52927 +#endif
52928 +
52929 /* Here we know that vma->vm_start <= nstart < vma->vm_end. */
52930
52931 newflags = vma->vm_flags | VM_LOCKED;
52932 @@ -504,6 +500,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, st
52933 lock_limit >>= PAGE_SHIFT;
52934
52935 /* check against resource limits */
52936 + gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
52937 if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
52938 error = do_mlock(start, len, 1);
52939 up_write(&current->mm->mmap_sem);
52940 @@ -525,17 +522,23 @@ SYSCALL_DEFINE2(munlock, unsigned long,
52941 static int do_mlockall(int flags)
52942 {
52943 struct vm_area_struct * vma, * prev = NULL;
52944 - unsigned int def_flags = 0;
52945
52946 if (flags & MCL_FUTURE)
52947 - def_flags = VM_LOCKED;
52948 - current->mm->def_flags = def_flags;
52949 + current->mm->def_flags |= VM_LOCKED;
52950 + else
52951 + current->mm->def_flags &= ~VM_LOCKED;
52952 if (flags == MCL_FUTURE)
52953 goto out;
52954
52955 for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
52956 - unsigned int newflags;
52957 + unsigned long newflags;
52958 +
52959 +#ifdef CONFIG_PAX_SEGMEXEC
52960 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
52961 + break;
52962 +#endif
52963
52964 + BUG_ON(vma->vm_end > TASK_SIZE);
52965 newflags = vma->vm_flags | VM_LOCKED;
52966 if (!(flags & MCL_CURRENT))
52967 newflags &= ~VM_LOCKED;
52968 @@ -567,6 +570,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
52969 lock_limit >>= PAGE_SHIFT;
52970
52971 ret = -ENOMEM;
52972 + gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);
52973 if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
52974 capable(CAP_IPC_LOCK))
52975 ret = do_mlockall(flags);
52976 diff -urNp linux-2.6.37/mm/mmap.c linux-2.6.37/mm/mmap.c
52977 --- linux-2.6.37/mm/mmap.c 2011-01-04 19:50:19.000000000 -0500
52978 +++ linux-2.6.37/mm/mmap.c 2011-01-17 02:41:02.000000000 -0500
52979 @@ -45,6 +45,16 @@
52980 #define arch_rebalance_pgtables(addr, len) (addr)
52981 #endif
52982
52983 +static inline void verify_mm_writelocked(struct mm_struct *mm)
52984 +{
52985 +#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
52986 + if (unlikely(down_read_trylock(&mm->mmap_sem))) {
52987 + up_read(&mm->mmap_sem);
52988 + BUG();
52989 + }
52990 +#endif
52991 +}
52992 +
52993 static void unmap_region(struct mm_struct *mm,
52994 struct vm_area_struct *vma, struct vm_area_struct *prev,
52995 unsigned long start, unsigned long end);
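Review bot: verify_mm_writelocked() has no comment, and its mechanism is non-obvious: a successful `down_read_trylock()` proves that nobody holds mmap_sem for write (readers may still be present), which is exactly the misuse it wants to catch, and the immediate `up_read()` before `BUG()` undoes the probe. A header such as `/* BUG if mmap_sem is not held for write: a read trylock can only succeed when no writer holds it. Compiled out unless DEBUG_VM or PAX. */` would make that clear, and a line noting that the probe itself takes the lock (so it must not be called from a context that already holds mmap_sem for read and expects that to be detected) would prevent misuse. Callers are outside this hunk.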
52996 @@ -70,22 +80,32 @@ static void unmap_region(struct mm_struc
52997 * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
52998 *
52999 */
53000 -pgprot_t protection_map[16] = {
53001 +pgprot_t protection_map[16] __read_only = {
53002 __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
53003 __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
53004 };
53005
53006 pgprot_t vm_get_page_prot(unsigned long vm_flags)
53007 {
53008 - return __pgprot(pgprot_val(protection_map[vm_flags &
53009 + pgprot_t prot = __pgprot(pgprot_val(protection_map[vm_flags &
53010 (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
53011 pgprot_val(arch_vm_get_page_prot(vm_flags)));
53012 +
53013 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
53014 + if (!(__supported_pte_mask & _PAGE_NX) &&
53015 + (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
53016 + (vm_flags & (VM_READ | VM_WRITE)))
53017 + prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
53018 +#endif
53019 +
53020 + return prot;
53021 }
53022 EXPORT_SYMBOL(vm_get_page_prot);
53023
53024 int sysctl_overcommit_memory = OVERCOMMIT_GUESS; /* heuristic overcommit */
53025 int sysctl_overcommit_ratio = 50; /* default is 50% */
53026 int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
53027 +unsigned long sysctl_heap_stack_gap __read_mostly = 64*1024;
53028 struct percpu_counter vm_committed_as;
53029
53030 /*
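Review bot: The new `sysctl_heap_stack_gap = 64*1024` sits between two sysctls that each carry a trailing comment but has none, so its units and purpose are unstated at the definition (from the name and the 64*1024 value it is presumably a byte gap kept between the heap/mmap area and the stack, enforced elsewhere in this patch); a trailing `/* bytes kept free between heap/mmap and the stack */` would match the neighbours. The `CONFIG_PAX_PAGEEXEC && CONFIG_X86_32` block in vm_get_page_prot() also deserves a line saying why it exists, e.g. `/* no hardware NX: make VM_PAGEEXEC-but-not-VM_EXEC pages non-executable via pte_exprotect() */`, since the `(vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC` test is easy to misread. `__read_only` on protection_map is a sensible hardening of a table that is only ever read after init.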
53031 @@ -231,6 +251,7 @@ static struct vm_area_struct *remove_vma
53032 struct vm_area_struct *next = vma->vm_next;
53033
53034 might_sleep();
53035 + BUG_ON(vma->vm_mirror);
53036 if (vma->vm_ops && vma->vm_ops->close)
53037 vma->vm_ops->close(vma);
53038 if (vma->vm_file) {
53039 @@ -267,6 +288,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
53040 * not page aligned -Ram Gupta
53041 */
53042 rlim = rlimit(RLIMIT_DATA);
53043 + gr_learn_resource(current, RLIMIT_DATA, (brk - mm->start_brk) + (mm->end_data - mm->start_data), 1);
53044 if (rlim < RLIM_INFINITY && (brk - mm->start_brk) +
53045 (mm->end_data - mm->start_data) > rlim)
53046 goto out;
53047 @@ -708,6 +730,12 @@ static int
53048 can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
53049 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
53050 {
53051 +
53052 +#ifdef CONFIG_PAX_SEGMEXEC
53053 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
53054 + return 0;
53055 +#endif
53056 +
53057 if (is_mergeable_vma(vma, file, vm_flags) &&
53058 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
53059 if (vma->vm_pgoff == vm_pgoff)
53060 @@ -727,6 +755,12 @@ static int
53061 can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
53062 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
53063 {
53064 +
53065 +#ifdef CONFIG_PAX_SEGMEXEC
53066 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
53067 + return 0;
53068 +#endif
53069 +
53070 if (is_mergeable_vma(vma, file, vm_flags) &&
53071 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
53072 pgoff_t vm_pglen;
53073 @@ -769,13 +803,20 @@ can_vma_merge_after(struct vm_area_struc
53074 struct vm_area_struct *vma_merge(struct mm_struct *mm,
53075 struct vm_area_struct *prev, unsigned long addr,
53076 unsigned long end, unsigned long vm_flags,
53077 - struct anon_vma *anon_vma, struct file *file,
53078 + struct anon_vma *anon_vma, struct file *file,
53079 pgoff_t pgoff, struct mempolicy *policy)
53080 {
53081 pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
53082 struct vm_area_struct *area, *next;
53083 int err;
53084
53085 +#ifdef CONFIG_PAX_SEGMEXEC
53086 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
53087 + struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
53088 +
53089 + BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
53090 +#endif
53091 +
53092 /*
53093 * We later require that vma->vm_flags == vm_flags,
53094 * so this tests vma->vm_flags & VM_SPECIAL, too.
53095 @@ -791,6 +832,15 @@ struct vm_area_struct *vma_merge(struct
53096 if (next && next->vm_end == end) /* cases 6, 7, 8 */
53097 next = next->vm_next;
53098
53099 +#ifdef CONFIG_PAX_SEGMEXEC
53100 + if (prev)
53101 + prev_m = pax_find_mirror_vma(prev);
53102 + if (area)
53103 + area_m = pax_find_mirror_vma(area);
53104 + if (next)
53105 + next_m = pax_find_mirror_vma(next);
53106 +#endif
53107 +
53108 /*
53109 * Can it merge with the predecessor?
53110 */
53111 @@ -810,9 +860,24 @@ struct vm_area_struct *vma_merge(struct
53112 /* cases 1, 6 */
53113 err = vma_adjust(prev, prev->vm_start,
53114 next->vm_end, prev->vm_pgoff, NULL);
53115 - } else /* cases 2, 5, 7 */
53116 +
53117 +#ifdef CONFIG_PAX_SEGMEXEC
53118 + if (!err && prev_m)
53119 + err = vma_adjust(prev_m, prev_m->vm_start,
53120 + next_m->vm_end, prev_m->vm_pgoff, NULL);
53121 +#endif
53122 +
53123 + } else { /* cases 2, 5, 7 */
53124 err = vma_adjust(prev, prev->vm_start,
53125 end, prev->vm_pgoff, NULL);
53126 +
53127 +#ifdef CONFIG_PAX_SEGMEXEC
53128 + if (!err && prev_m)
53129 + err = vma_adjust(prev_m, prev_m->vm_start,
53130 + end_m, prev_m->vm_pgoff, NULL);
53131 +#endif
53132 +
53133 + }
53134 if (err)
53135 return NULL;
53136 return prev;
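Review bot: In the cases 1/6 branch, `next_m->vm_end` is dereferenced whenever `prev_m` is non-NULL, but next_m is looked up independently earlier in the function and nothing in this hunk guarantees it is non-NULL; the invariant presumably comes from mergeability requiring identical vm_flags, so that prev and next either both have a mirror or neither does, but that reasoning lives outside the hunk. Making it explicit, `if (!err && prev_m) { BUG_ON(!next_m); err = vma_adjust(prev_m, ...); }`, or at least a comment stating the invariant, turns a possible NULL dereference into a loud assertion. The same applies to the `area_m` branch in the following hunk, which dereferences `next_m` guarded only by `area_m`.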
53137 @@ -825,12 +890,27 @@ struct vm_area_struct *vma_merge(struct
53138 mpol_equal(policy, vma_policy(next)) &&
53139 can_vma_merge_before(next, vm_flags,
53140 anon_vma, file, pgoff+pglen)) {
53141 - if (prev && addr < prev->vm_end) /* case 4 */
53142 + if (prev && addr < prev->vm_end) { /* case 4 */
53143 err = vma_adjust(prev, prev->vm_start,
53144 addr, prev->vm_pgoff, NULL);
53145 - else /* cases 3, 8 */
53146 +
53147 +#ifdef CONFIG_PAX_SEGMEXEC
53148 + if (!err && prev_m)
53149 + err = vma_adjust(prev_m, prev_m->vm_start,
53150 + addr_m, prev_m->vm_pgoff, NULL);
53151 +#endif
53152 +
53153 + } else { /* cases 3, 8 */
53154 err = vma_adjust(area, addr, next->vm_end,
53155 next->vm_pgoff - pglen, NULL);
53156 +
53157 +#ifdef CONFIG_PAX_SEGMEXEC
53158 + if (!err && area_m)
53159 + err = vma_adjust(area_m, addr_m, next_m->vm_end,
53160 + next_m->vm_pgoff - pglen, NULL);
53161 +#endif
53162 +
53163 + }
53164 if (err)
53165 return NULL;
53166 return area;
53167 @@ -945,14 +1025,11 @@ none:
53168 void vm_stat_account(struct mm_struct *mm, unsigned long flags,
53169 struct file *file, long pages)
53170 {
53171 - const unsigned long stack_flags
53172 - = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
53173 -
53174 if (file) {
53175 mm->shared_vm += pages;
53176 if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
53177 mm->exec_vm += pages;
53178 - } else if (flags & stack_flags)
53179 + } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
53180 mm->stack_vm += pages;
53181 if (flags & (VM_RESERVED|VM_IO))
53182 mm->reserved_vm += pages;
53183 @@ -979,7 +1056,7 @@ unsigned long do_mmap_pgoff(struct file
53184 * (the exception is when the underlying filesystem is noexec
53185 * mounted, in which case we dont add PROT_EXEC.)
53186 */
53187 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
53188 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
53189 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
53190 prot |= PROT_EXEC;
53191
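Review bot: Widening the test to `prot & (PROT_READ | PROT_WRITE)` means a write-only mapping now also receives PROT_EXEC under READ_IMPLIES_EXEC, which is a visible semantic change, while the comment above the hunk (its first lines are outside the hunk, and presumably still ask whether PROT_READ implies PROT_EXEC) continues to describe only the read case. The comment should say that under this personality both readable and writable mappings get PROT_EXEC, and ideally why the write case was added, so that the noexec-mount exception text still reads correctly against the new condition.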
53192 @@ -1005,7 +1082,7 @@ unsigned long do_mmap_pgoff(struct file
53193 /* Obtain the address to map to. we verify (or select) it and ensure
53194 * that it represents a valid section of the address space.
53195 */
53196 - addr = get_unmapped_area(file, addr, len, pgoff, flags);
53197 + addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
53198 if (addr & ~PAGE_MASK)
53199 return addr;
53200
53201 @@ -1016,6 +1093,31 @@ unsigned long do_mmap_pgoff(struct file
53202 vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
53203 mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
53204
53205 +#ifdef CONFIG_PAX_MPROTECT
53206 + if (mm->pax_flags & MF_PAX_MPROTECT) {
53207 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) {
53208 + gr_log_rwxmmap(file);
53209 +
53210 +#ifdef CONFIG_PAX_EMUPLT
53211 + vm_flags &= ~VM_EXEC;
53212 +#else
53213 + return -EPERM;
53214 +#endif
53215 +
53216 + }
53217 +
53218 + if (!(vm_flags & VM_EXEC))
53219 + vm_flags &= ~VM_MAYEXEC;
53220 + else
53221 + vm_flags &= ~VM_MAYWRITE;
53222 + }
53223 +#endif
53224 +
53225 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
53226 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
53227 + vm_flags &= ~VM_PAGEEXEC;
53228 +#endif
53229 +
53230 if (flags & MAP_LOCKED)
53231 if (!can_do_mlock())
53232 return -EPERM;
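Review bot: The new MPROTECT block needs a comment on the VM_MAY* stripping, because that is what makes the restriction stick: clearing VM_MAYEXEC on non-executable mappings and VM_MAYWRITE on executable ones means a later mprotect() cannot add the missing permission, so the mapping is W^X for its whole lifetime. Suggested, above `if (!(vm_flags & VM_EXEC))`: `/* lock in W^X: drop the MAY bit so mprotect() cannot later add the permission denied here */`. It is also worth noting at the `gr_log_rwxmmap(file)` call that with EMUPLT the request succeeds with exec silently removed rather than failing, which a caller that later checks its mapping protection will not notice.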
53233 @@ -1027,6 +1129,7 @@ unsigned long do_mmap_pgoff(struct file
53234 locked += mm->locked_vm;
53235 lock_limit = rlimit(RLIMIT_MEMLOCK);
53236 lock_limit >>= PAGE_SHIFT;
53237 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
53238 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
53239 return -EAGAIN;
53240 }
53241 @@ -1097,6 +1200,9 @@ unsigned long do_mmap_pgoff(struct file
53242 if (error)
53243 return error;
53244
53245 + if (!gr_acl_handle_mmap(file, prot))
53246 + return -EACCES;
53247 +
53248 return mmap_region(file, addr, len, flags, vm_flags, pgoff);
53249 }
53250 EXPORT_SYMBOL(do_mmap_pgoff);
53251 @@ -1174,10 +1280,10 @@ SYSCALL_DEFINE1(old_mmap, struct mmap_ar
53252 */
53253 int vma_wants_writenotify(struct vm_area_struct *vma)
53254 {
53255 - unsigned int vm_flags = vma->vm_flags;
53256 + unsigned long vm_flags = vma->vm_flags;
53257
53258 /* If it was private or non-writable, the write bit is already clear */
53259 - if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
53260 + if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
53261 return 0;
53262
53263 /* The backer wishes to know when pages are first written to? */
53264 @@ -1226,14 +1332,24 @@ unsigned long mmap_region(struct file *f
53265 unsigned long charged = 0;
53266 struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
53267
53268 +#ifdef CONFIG_PAX_SEGMEXEC
53269 + struct vm_area_struct *vma_m = NULL;
53270 +#endif
53271 +
53272 + /*
53273 + * mm->mmap_sem is required to protect against another thread
53274 + * changing the mappings in case we sleep.
53275 + */
53276 + verify_mm_writelocked(mm);
53277 +
53278 /* Clear old maps */
53279 error = -ENOMEM;
53280 -munmap_back:
53281 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
53282 if (vma && vma->vm_start < addr + len) {
53283 if (do_munmap(mm, addr, len))
53284 return -ENOMEM;
53285 - goto munmap_back;
53286 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
53287 + BUG_ON(vma && vma->vm_start < addr + len);
53288 }
53289
53290 /* Check against address space limit. */
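Review bot: Replacing the `munmap_back` retry with a single re-lookup plus `BUG_ON(vma && vma->vm_start < addr + len)` turns a stale mapping in the range into a kernel panic on a path driven by mmap(2); the invariant (do_munmap under the write-held mmap_sem clears the whole range) is reasonable, but a recoverable failure is preferable, `if (WARN_ON_ONCE(vma && vma->vm_start < addr + len)) return -ENOMEM;`. The same change appears in do_brk later in this patch. The added `verify_mm_writelocked(mm)` call depends on the helper now being declared before mmap_region — this patch deletes the static inline that used to sit after munmap(), and its new home is not visible in this hunk.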
53291 @@ -1282,6 +1398,16 @@ munmap_back:
53292 goto unacct_error;
53293 }
53294
53295 +#ifdef CONFIG_PAX_SEGMEXEC
53296 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
53297 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
53298 + if (!vma_m) {
53299 + error = -ENOMEM;
53300 + goto free_vma;
53301 + }
53302 + }
53303 +#endif
53304 +
53305 vma->vm_mm = mm;
53306 vma->vm_start = addr;
53307 vma->vm_end = addr + len;
53308 @@ -1305,6 +1431,19 @@ munmap_back:
53309 error = file->f_op->mmap(file, vma);
53310 if (error)
53311 goto unmap_and_free_vma;
53312 +
53313 +#ifdef CONFIG_PAX_SEGMEXEC
53314 + if (vma_m && (vm_flags & VM_EXECUTABLE))
53315 + added_exe_file_vma(mm);
53316 +#endif
53317 +
53318 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
53319 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
53320 + vma->vm_flags |= VM_PAGEEXEC;
53321 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
53322 + }
53323 +#endif
53324 +
53325 if (vm_flags & VM_EXECUTABLE)
53326 added_exe_file_vma(mm);
53327
53328 @@ -1340,6 +1479,11 @@ munmap_back:
53329 vma_link(mm, vma, prev, rb_link, rb_parent);
53330 file = vma->vm_file;
53331
53332 +#ifdef CONFIG_PAX_SEGMEXEC
53333 + if (vma_m)
53334 + BUG_ON(pax_mirror_vma(vma_m, vma));
53335 +#endif
53336 +
53337 /* Once vma denies write, undo our temporary denial count */
53338 if (correct_wcount)
53339 atomic_inc(&inode->i_writecount);
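Review bot: `BUG_ON(pax_mirror_vma(vma_m, vma))` converts the only failure pax_mirror_vma reports (-ENOMEM from anon_vma_clone, visible later in this patch) into a panic reachable from mmap(2). For the freshly created vma here the anon_vma chain is presumably still empty, so the clone likely cannot fail today, but that is an unstated assumption; either record it, `/* vma is new: its anon_vma_chain is empty, so pax_mirror_vma cannot fail here */`, or handle the error by unlinking `vma` and freeing `vma_m` so an allocation failure surfaces as -ENOMEM. vma_link() has already run at this point, so real error handling would need an unwind rather than a `goto free_vma`.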
53340 @@ -1348,6 +1492,7 @@ out:
53341
53342 mm->total_vm += len >> PAGE_SHIFT;
53343 vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
53344 + track_exec_limit(mm, addr, addr + len, vm_flags);
53345 if (vm_flags & VM_LOCKED) {
53346 if (!mlock_vma_pages_range(vma, addr, addr + len))
53347 mm->locked_vm += (len >> PAGE_SHIFT);
53348 @@ -1365,6 +1510,12 @@ unmap_and_free_vma:
53349 unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
53350 charged = 0;
53351 free_vma:
53352 +
53353 +#ifdef CONFIG_PAX_SEGMEXEC
53354 + if (vma_m)
53355 + kmem_cache_free(vm_area_cachep, vma_m);
53356 +#endif
53357 +
53358 kmem_cache_free(vm_area_cachep, vma);
53359 unacct_error:
53360 if (charged)
53361 @@ -1372,6 +1523,33 @@ unacct_error:
53362 return error;
53363 }
53364
53365 +bool check_heap_stack_gap(struct vm_area_struct *vma, unsigned long addr, unsigned long len)
53366 +{
53367 + if (!vma) {
53368 +#ifdef CONFIG_STACK_GROWSUP
53369 + if (addr > sysctl_heap_stack_gap)
53370 + vma = find_vma(current->mm, addr - sysctl_heap_stack_gap);
53371 + else
53372 + vma = find_vma(current->mm, 0);
53373 + if (vma && (vma->vm_flags & VM_GROWSUP))
53374 + return false;
53375 +#endif
53376 + return true;
53377 + }
53378 +
53379 + if (addr + len > vma->vm_start)
53380 + return false;
53381 +
53382 + if (vma->vm_flags & VM_GROWSDOWN)
53383 + return sysctl_heap_stack_gap <= vma->vm_start - addr - len;
53384 +#ifdef CONFIG_STACK_GROWSUP
53385 + else if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP))
53386 + return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;
53387 +#endif
53388 +
53389 + return true;
53390 +}
53391 +
53392 /* Get an address range which is currently unmapped.
53393 * For shmat() with addr=0.
53394 *
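Review bot: The CONFIG_STACK_GROWSUP branch of check_heap_stack_gap has its comparison inverted relative to the VM_GROWSDOWN branch: `addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap` returns true exactly when the new mapping lies inside the gap above an upward-growing stack and false for every placement further away, so on those architectures the guard gap is not enforced and ordinary placements are refused. It should be `return addr - vma->vm_prev->vm_end >= sysctl_heap_stack_gap;`, mirroring `sysctl_heap_stack_gap <= vma->vm_start - addr - len` on the GROWSDOWN side. A header comment would also help: `/* true if [addr, addr+len) fits below vma and keeps sysctl_heap_stack_gap away from any adjacent stack vma */`.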
53395 @@ -1398,18 +1576,23 @@ arch_get_unmapped_area(struct file *filp
53396 if (flags & MAP_FIXED)
53397 return addr;
53398
53399 +#ifdef CONFIG_PAX_RANDMMAP
53400 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
53401 +#endif
53402 +
53403 if (addr) {
53404 addr = PAGE_ALIGN(addr);
53405 - vma = find_vma(mm, addr);
53406 - if (TASK_SIZE - len >= addr &&
53407 - (!vma || addr + len <= vma->vm_start))
53408 - return addr;
53409 + if (TASK_SIZE - len >= addr) {
53410 + vma = find_vma(mm, addr);
53411 + if (check_heap_stack_gap(vma, addr, len))
53412 + return addr;
53413 + }
53414 }
53415 if (len > mm->cached_hole_size) {
53416 - start_addr = addr = mm->free_area_cache;
53417 + start_addr = addr = mm->free_area_cache;
53418 } else {
53419 - start_addr = addr = TASK_UNMAPPED_BASE;
53420 - mm->cached_hole_size = 0;
53421 + start_addr = addr = mm->mmap_base;
53422 + mm->cached_hole_size = 0;
53423 }
53424
53425 full_search:
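Review bot: The `#ifdef CONFIG_PAX_RANDMMAP` / `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` pair is a bare `if` whose body is the `if (addr) { … }` statement after the `#endif`; it works, but any statement inserted between them later silently changes what is conditioned, and the blank line in between invites exactly that. Folding the flag into the condition is clearer, e.g. `if (addr && !(mm->pax_flags & MF_PAX_RANDMMAP))` behind a small inline helper that is constant-false when the option is off. The intent — discard a caller-supplied non-MAP_FIXED hint so a process cannot defeat mmap randomization by requesting its own layout — deserves a comment, since the same construct is repeated in the topdown variant below.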
53426 @@ -1420,34 +1603,40 @@ full_search:
53427 * Start a new search - just in case we missed
53428 * some holes.
53429 */
53430 - if (start_addr != TASK_UNMAPPED_BASE) {
53431 - addr = TASK_UNMAPPED_BASE;
53432 - start_addr = addr;
53433 + if (start_addr != mm->mmap_base) {
53434 + start_addr = addr = mm->mmap_base;
53435 mm->cached_hole_size = 0;
53436 goto full_search;
53437 }
53438 return -ENOMEM;
53439 }
53440 - if (!vma || addr + len <= vma->vm_start) {
53441 - /*
53442 - * Remember the place where we stopped the search:
53443 - */
53444 - mm->free_area_cache = addr + len;
53445 - return addr;
53446 - }
53447 + if (check_heap_stack_gap(vma, addr, len))
53448 + break;
53449 if (addr + mm->cached_hole_size < vma->vm_start)
53450 mm->cached_hole_size = vma->vm_start - addr;
53451 addr = vma->vm_end;
53452 }
53453 +
53454 + /*
53455 + * Remember the place where we stopped the search:
53456 + */
53457 + mm->free_area_cache = addr + len;
53458 + return addr;
53459 }
53460 #endif
53461
53462 void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
53463 {
53464 +
53465 +#ifdef CONFIG_PAX_SEGMEXEC
53466 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
53467 + return;
53468 +#endif
53469 +
53470 /*
53471 * Is this a new hole at the lowest possible address?
53472 */
53473 - if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
53474 + if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
53475 mm->free_area_cache = addr;
53476 mm->cached_hole_size = ~0UL;
53477 }
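Review bot: In the bottom-up search loop, `check_heap_stack_gap(vma, addr, len)` can return false with `vma == NULL` (its `!vma` path does so under CONFIG_STACK_GROWSUP when an upward-growing stack sits just below addr), and the loop then dereferences `vma->vm_start` and `vma->vm_end` on the next two lines, whereas the old code returned as soon as `vma` was NULL. A guard before the cached_hole_size update avoids the NULL dereference, for example `if (!vma) return -ENOMEM;`, or better, step past the stack that was found. The loop header is outside the hunk, so whether find_vma()'s result is checked there cannot be seen from here.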
53478 @@ -1465,7 +1654,7 @@ arch_get_unmapped_area_topdown(struct fi
53479 {
53480 struct vm_area_struct *vma;
53481 struct mm_struct *mm = current->mm;
53482 - unsigned long addr = addr0;
53483 + unsigned long base = mm->mmap_base, addr = addr0;
53484
53485 /* requested length too big for entire address space */
53486 if (len > TASK_SIZE)
53487 @@ -1474,13 +1663,18 @@ arch_get_unmapped_area_topdown(struct fi
53488 if (flags & MAP_FIXED)
53489 return addr;
53490
53491 +#ifdef CONFIG_PAX_RANDMMAP
53492 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
53493 +#endif
53494 +
53495 /* requesting a specific address */
53496 if (addr) {
53497 addr = PAGE_ALIGN(addr);
53498 - vma = find_vma(mm, addr);
53499 - if (TASK_SIZE - len >= addr &&
53500 - (!vma || addr + len <= vma->vm_start))
53501 - return addr;
53502 + if (TASK_SIZE - len >= addr) {
53503 + vma = find_vma(mm, addr);
53504 + if (check_heap_stack_gap(vma, addr, len))
53505 + return addr;
53506 + }
53507 }
53508
53509 /* check if free_area_cache is useful for us */
53510 @@ -1495,7 +1689,7 @@ arch_get_unmapped_area_topdown(struct fi
53511 /* make sure it can fit in the remaining address space */
53512 if (addr > len) {
53513 vma = find_vma(mm, addr-len);
53514 - if (!vma || addr <= vma->vm_start)
53515 + if (check_heap_stack_gap(vma, addr - len, len))
53516 /* remember the address as a hint for next time */
53517 return (mm->free_area_cache = addr-len);
53518 }
53519 @@ -1512,7 +1706,7 @@ arch_get_unmapped_area_topdown(struct fi
53520 * return with success:
53521 */
53522 vma = find_vma(mm, addr);
53523 - if (!vma || addr+len <= vma->vm_start)
53524 + if (check_heap_stack_gap(vma, addr, len))
53525 /* remember the address as a hint for next time */
53526 return (mm->free_area_cache = addr);
53527
53528 @@ -1531,13 +1725,21 @@ bottomup:
53529 * can happen with large stack limits and large mmap()
53530 * allocations.
53531 */
53532 + mm->mmap_base = TASK_UNMAPPED_BASE;
53533 +
53534 +#ifdef CONFIG_PAX_RANDMMAP
53535 + if (mm->pax_flags & MF_PAX_RANDMMAP)
53536 + mm->mmap_base += mm->delta_mmap;
53537 +#endif
53538 +
53539 + mm->free_area_cache = mm->mmap_base;
53540 mm->cached_hole_size = ~0UL;
53541 - mm->free_area_cache = TASK_UNMAPPED_BASE;
53542 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
53543 /*
53544 * Restore the topdown base:
53545 */
53546 - mm->free_area_cache = mm->mmap_base;
53547 + mm->mmap_base = base;
53548 + mm->free_area_cache = base;
53549 mm->cached_hole_size = ~0UL;
53550
53551 return addr;
53552 @@ -1546,6 +1748,12 @@ bottomup:
53553
53554 void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
53555 {
53556 +
53557 +#ifdef CONFIG_PAX_SEGMEXEC
53558 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
53559 + return;
53560 +#endif
53561 +
53562 /*
53563 * Is this a new hole at the highest possible address?
53564 */
53565 @@ -1553,8 +1761,10 @@ void arch_unmap_area_topdown(struct mm_s
53566 mm->free_area_cache = addr;
53567
53568 /* dont allow allocations above current base */
53569 - if (mm->free_area_cache > mm->mmap_base)
53570 + if (mm->free_area_cache > mm->mmap_base) {
53571 mm->free_area_cache = mm->mmap_base;
53572 + mm->cached_hole_size = ~0UL;
53573 + }
53574 }
53575
53576 unsigned long
53577 @@ -1662,6 +1872,28 @@ out:
53578 return prev ? prev->vm_next : vma;
53579 }
53580
53581 +#ifdef CONFIG_PAX_SEGMEXEC
53582 +struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
53583 +{
53584 + struct vm_area_struct *vma_m;
53585 +
53586 + BUG_ON(!vma || vma->vm_start >= vma->vm_end);
53587 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
53588 + BUG_ON(vma->vm_mirror);
53589 + return NULL;
53590 + }
53591 + BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end);
53592 + vma_m = vma->vm_mirror;
53593 + BUG_ON(!vma_m || vma_m->vm_mirror != vma);
53594 + BUG_ON(vma->vm_file != vma_m->vm_file);
53595 + BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
53596 + BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff);
53597 + BUG_ON(vma->anon_vma != vma_m->anon_vma && vma->anon_vma->root != vma_m->anon_vma->root);
53598 + BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED | VM_RESERVED));
53599 + return vma_m;
53600 +}
53601 +#endif
53602 +
53603 /*
53604 * Verify that the stack growth is acceptable and
53605 * update accounting. This is shared with both the
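Review bot: `BUG_ON(vma->anon_vma != vma_m->anon_vma && vma->anon_vma->root != vma_m->anon_vma->root)` dereferences both anon_vma pointers whenever they differ, so if either side is still NULL the check itself takes a NULL dereference instead of reporting the mismatch; unless something outside this hunk guarantees both are set together, a NULL-safe form is safer, e.g. `(vma->anon_vma ? vma->anon_vma->root : NULL) != (vma_m->anon_vma ? vma_m->anon_vma->root : NULL)`. A header comment would also help readers: `/* Return the SEGMEXEC mirror of an executable vma, or NULL; the BUG_ONs assert the invariants pax_mirror_vma() establishes */`.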
53606 @@ -1678,6 +1910,7 @@ static int acct_stack_growth(struct vm_a
53607 return -ENOMEM;
53608
53609 /* Stack limit test */
53610 + gr_learn_resource(current, RLIMIT_STACK, size, 1);
53611 if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
53612 return -ENOMEM;
53613
53614 @@ -1688,6 +1921,7 @@ static int acct_stack_growth(struct vm_a
53615 locked = mm->locked_vm + grow;
53616 limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
53617 limit >>= PAGE_SHIFT;
53618 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
53619 if (locked > limit && !capable(CAP_IPC_LOCK))
53620 return -ENOMEM;
53621 }
53622 @@ -1718,37 +1952,48 @@ static int acct_stack_growth(struct vm_a
53623 * PA-RISC uses this for its stack; IA64 for its Register Backing Store.
53624 * vma is the last one with address > vma->vm_end. Have to extend vma.
53625 */
53626 +#ifndef CONFIG_IA64
53627 +static
53628 +#endif
53629 int expand_upwards(struct vm_area_struct *vma, unsigned long address)
53630 {
53631 int error;
53632 + bool locknext;
53633
53634 if (!(vma->vm_flags & VM_GROWSUP))
53635 return -EFAULT;
53636
53637 + /* Also guard against wrapping around to address 0. */
53638 + if (address < PAGE_ALIGN(address+1))
53639 + address = PAGE_ALIGN(address+1);
53640 + else
53641 + return -ENOMEM;
53642 +
53643 /*
53644 * We must make sure the anon_vma is allocated
53645 * so that the anon_vma locking is not a noop.
53646 */
53647 if (unlikely(anon_vma_prepare(vma)))
53648 return -ENOMEM;
53649 + locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
53650 + if (locknext && anon_vma_prepare(vma->vm_next))
53651 + return -ENOMEM;
53652 vma_lock_anon_vma(vma);
53653 + if (locknext)
53654 + vma_lock_anon_vma(vma->vm_next);
53655
53656 /*
53657 * vma->vm_start/vm_end cannot change under us because the caller
53658 * is required to hold the mmap_sem in read mode. We need the
53659 - * anon_vma lock to serialize against concurrent expand_stacks.
53660 - * Also guard against wrapping around to address 0.
53661 + * anon_vma locks to serialize against concurrent expand_stacks
53662 + * and expand_upwards.
53663 */
53664 - if (address < PAGE_ALIGN(address+4))
53665 - address = PAGE_ALIGN(address+4);
53666 - else {
53667 - vma_unlock_anon_vma(vma);
53668 - return -ENOMEM;
53669 - }
53670 error = 0;
53671
53672 /* Somebody else might have raced and expanded it already */
53673 - if (address > vma->vm_end) {
53674 + if (vma->vm_next && (vma->vm_next->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && vma->vm_next->vm_start - address < sysctl_heap_stack_gap)
53675 + error = -ENOMEM;
53676 + else if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
53677 unsigned long size, grow;
53678
53679 size = address - vma->vm_start;
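Review bot: The two-lock scheme added here (this vma's anon_vma, then `vma->vm_next`'s when the neighbour is a GROWSDOWN stack) has an implicit lock-ordering rule — lower-address vma first — that expand_downwards below honours by locking `prev` before `vma`; that ordering is what prevents an ABBA deadlock between a thread growing a stack upward and one growing the neighbour downward, and it should be stated where the locks are taken, e.g. `/* lock order: lower-address vma first (expand_downwards locks prev before vma) */`. Two further points on the new guard: `vma->vm_next->vm_start - address` is an unsigned subtraction that wraps if the neighbour starts below `address`, which the `!locknext` arm of the following else-if does not rule out, and the `(VM_READ | VM_WRITE | VM_EXEC)` filter means a PROT_NONE neighbour does not count toward the gap — presumably intentional, but worth a word. The function's tail, including the unlock sequence, continues past the hunk.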
53680 @@ -1760,6 +2005,8 @@ int expand_upwards(struct vm_area_struct
53681 perf_event_mmap(vma);
53682 }
53683 }
53684 + if (locknext)
53685 + vma_unlock_anon_vma(vma->vm_next);
53686 vma_unlock_anon_vma(vma);
53687 return error;
53688 }
53689 @@ -1772,6 +2019,8 @@ static int expand_downwards(struct vm_ar
53690 unsigned long address)
53691 {
53692 int error;
53693 + bool lockprev = false;
53694 + struct vm_area_struct *prev;
53695
53696 /*
53697 * We must make sure the anon_vma is allocated
53698 @@ -1785,6 +2034,15 @@ static int expand_downwards(struct vm_ar
53699 if (error)
53700 return error;
53701
53702 + prev = vma->vm_prev;
53703 +#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
53704 + lockprev = prev && (prev->vm_flags & VM_GROWSUP);
53705 +#endif
53706 + if (lockprev && anon_vma_prepare(prev))
53707 + return -ENOMEM;
53708 + if (lockprev)
53709 + vma_lock_anon_vma(prev);
53710 +
53711 vma_lock_anon_vma(vma);
53712
53713 /*
53714 @@ -1794,9 +2052,17 @@ static int expand_downwards(struct vm_ar
53715 */
53716
53717 /* Somebody else might have raced and expanded it already */
53718 - if (address < vma->vm_start) {
53719 + if (prev && (prev->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && address - prev->vm_end < sysctl_heap_stack_gap)
53720 + error = -ENOMEM;
53721 + else if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
53722 unsigned long size, grow;
53723
53724 +#ifdef CONFIG_PAX_SEGMEXEC
53725 + struct vm_area_struct *vma_m;
53726 +
53727 + vma_m = pax_find_mirror_vma(vma);
53728 +#endif
53729 +
53730 size = vma->vm_end - address;
53731 grow = (vma->vm_start - address) >> PAGE_SHIFT;
53732
53733 @@ -1804,10 +2070,21 @@ static int expand_downwards(struct vm_ar
53734 if (!error) {
53735 vma->vm_start = address;
53736 vma->vm_pgoff -= grow;
53737 + track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
53738 +
53739 +#ifdef CONFIG_PAX_SEGMEXEC
53740 + if (vma_m) {
53741 + vma_m->vm_start -= grow << PAGE_SHIFT;
53742 + vma_m->vm_pgoff -= grow;
53743 + }
53744 +#endif
53745 +
53746 perf_event_mmap(vma);
53747 }
53748 }
53749 vma_unlock_anon_vma(vma);
53750 + if (lockprev)
53751 + vma_unlock_anon_vma(prev);
53752 return error;
53753 }
53754
53755 @@ -1881,6 +2158,13 @@ static void remove_vma_list(struct mm_st
53756 do {
53757 long nrpages = vma_pages(vma);
53758
53759 +#ifdef CONFIG_PAX_SEGMEXEC
53760 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
53761 + vma = remove_vma(vma);
53762 + continue;
53763 + }
53764 +#endif
53765 +
53766 mm->total_vm -= nrpages;
53767 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
53768 vma = remove_vma(vma);
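Review bot: The new skip for vmas at or above SEGMEXEC_TASK_SIZE needs a why-comment, because at first sight it looks like mirrors are being left out of the accounting by mistake: mirror vmas are never charged in this patch (mmap_region adds `len` to `total_vm` once for the primary, and pax_mirror_vma strips VM_ACCOUNT and VM_LOCKED), so they must not be subtracted here either. Suggested: `/* SEGMEXEC mirrors were never counted in total_vm/vm_stat_account(); only free them */`.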
53769 @@ -1926,6 +2210,16 @@ detach_vmas_to_be_unmapped(struct mm_str
53770 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
53771 vma->vm_prev = NULL;
53772 do {
53773 +
53774 +#ifdef CONFIG_PAX_SEGMEXEC
53775 + if (vma->vm_mirror) {
53776 + BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
53777 + vma->vm_mirror->vm_mirror = NULL;
53778 + vma->vm_mirror->vm_flags &= ~VM_EXEC;
53779 + vma->vm_mirror = NULL;
53780 + }
53781 +#endif
53782 +
53783 rb_erase(&vma->vm_rb, &mm->mm_rb);
53784 mm->map_count--;
53785 tail_vma = vma;
53786 @@ -1954,14 +2248,33 @@ static int __split_vma(struct mm_struct
53787 struct vm_area_struct *new;
53788 int err = -ENOMEM;
53789
53790 +#ifdef CONFIG_PAX_SEGMEXEC
53791 + struct vm_area_struct *vma_m, *new_m = NULL;
53792 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
53793 +#endif
53794 +
53795 if (is_vm_hugetlb_page(vma) && (addr &
53796 ~(huge_page_mask(hstate_vma(vma)))))
53797 return -EINVAL;
53798
53799 +#ifdef CONFIG_PAX_SEGMEXEC
53800 + vma_m = pax_find_mirror_vma(vma);
53801 +#endif
53802 +
53803 new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
53804 if (!new)
53805 goto out_err;
53806
53807 +#ifdef CONFIG_PAX_SEGMEXEC
53808 + if (vma_m) {
53809 + new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
53810 + if (!new_m) {
53811 + kmem_cache_free(vm_area_cachep, new);
53812 + goto out_err;
53813 + }
53814 + }
53815 +#endif
53816 +
53817 /* most fields are the same, copy all, and then fixup */
53818 *new = *vma;
53819
53820 @@ -1974,6 +2287,22 @@ static int __split_vma(struct mm_struct
53821 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
53822 }
53823
53824 +#ifdef CONFIG_PAX_SEGMEXEC
53825 + if (vma_m) {
53826 + *new_m = *vma_m;
53827 + INIT_LIST_HEAD(&new_m->anon_vma_chain);
53828 + new_m->vm_mirror = new;
53829 + new->vm_mirror = new_m;
53830 +
53831 + if (new_below)
53832 + new_m->vm_end = addr_m;
53833 + else {
53834 + new_m->vm_start = addr_m;
53835 + new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
53836 + }
53837 + }
53838 +#endif
53839 +
53840 pol = mpol_dup(vma_policy(vma));
53841 if (IS_ERR(pol)) {
53842 err = PTR_ERR(pol);
53843 @@ -1999,6 +2328,42 @@ static int __split_vma(struct mm_struct
53844 else
53845 err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
53846
53847 +#ifdef CONFIG_PAX_SEGMEXEC
53848 + if (!err && vma_m) {
53849 + if (anon_vma_clone(new_m, vma_m))
53850 + goto out_free_mpol;
53851 +
53852 + mpol_get(pol);
53853 + vma_set_policy(new_m, pol);
53854 +
53855 + if (new_m->vm_file) {
53856 + get_file(new_m->vm_file);
53857 + if (vma_m->vm_flags & VM_EXECUTABLE)
53858 + added_exe_file_vma(mm);
53859 + }
53860 +
53861 + if (new_m->vm_ops && new_m->vm_ops->open)
53862 + new_m->vm_ops->open(new_m);
53863 +
53864 + if (new_below)
53865 + err = vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
53866 + ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
53867 + else
53868 + err = vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
53869 +
53870 + if (err) {
53871 + if (new_m->vm_ops && new_m->vm_ops->close)
53872 + new_m->vm_ops->close(new_m);
53873 + if (new_m->vm_file) {
53874 + if (vma_m->vm_flags & VM_EXECUTABLE)
53875 + removed_exe_file_vma(mm);
53876 + fput(new_m->vm_file);
53877 + }
53878 + mpol_put(pol);
53879 + }
53880 + }
53881 +#endif
53882 +
53883 /* Success. */
53884 if (!err)
53885 return 0;
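Review bot: Both mirror failure paths in this hunk run after the primary `vma_adjust(…, new)` has already succeeded — the `goto out_free_mpol` when anon_vma_clone(new_m, vma_m) fails, and the fall-through when the mirror vma_adjust returns an error — yet they end at the shared cleanup labels, which free `new` (and for the goto also skip its `vm_ops->close`) even though, if vma_adjust links its `insert` argument as in mainline, `new` is by then on the mm's vma list and rbtree. Since the primary split cannot be undone cheaply, the safer structure is to do all of new_m's fallible preparation (anon_vma_clone, mpol_get, get_file, open) before the primary vma_adjust, leaving only the mirror vma_adjust after it; if that too can fail, adjust the mirror first or handle its error without freeing `new`. The non-mirror error labels are in the next hunk and vma_adjust itself is not visible here, so please confirm against them.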
53886 @@ -2011,10 +2376,18 @@ static int __split_vma(struct mm_struct
53887 removed_exe_file_vma(mm);
53888 fput(new->vm_file);
53889 }
53890 - unlink_anon_vmas(new);
53891 out_free_mpol:
53892 mpol_put(pol);
53893 out_free_vma:
53894 +
53895 +#ifdef CONFIG_PAX_SEGMEXEC
53896 + if (new_m) {
53897 + unlink_anon_vmas(new_m);
53898 + kmem_cache_free(vm_area_cachep, new_m);
53899 + }
53900 +#endif
53901 +
53902 + unlink_anon_vmas(new);
53903 kmem_cache_free(vm_area_cachep, new);
53904 out_err:
53905 return err;
53906 @@ -2027,6 +2400,15 @@ static int __split_vma(struct mm_struct
53907 int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
53908 unsigned long addr, int new_below)
53909 {
53910 +
53911 +#ifdef CONFIG_PAX_SEGMEXEC
53912 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
53913 + BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
53914 + if (mm->map_count >= sysctl_max_map_count-1)
53915 + return -ENOMEM;
53916 + } else
53917 +#endif
53918 +
53919 if (mm->map_count >= sysctl_max_map_count)
53920 return -ENOMEM;
53921
53922 @@ -2038,11 +2420,30 @@ int split_vma(struct mm_struct *mm, stru
53923 * work. This now handles partial unmappings.
53924 * Jeremy Fitzhardinge <jeremy@goop.org>
53925 */
53926 +#ifdef CONFIG_PAX_SEGMEXEC
53927 +int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
53928 +{
53929 + int ret = __do_munmap(mm, start, len);
53930 + if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
53931 + return ret;
53932 +
53933 + return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
53934 +}
53935 +
53936 +int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
53937 +#else
53938 int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
53939 +#endif
53940 {
53941 unsigned long end;
53942 struct vm_area_struct *vma, *prev, *last;
53943
53944 + /*
53945 + * mm->mmap_sem is required to protect against another thread
53946 + * changing the mappings in case we sleep.
53947 + */
53948 + verify_mm_writelocked(mm);
53949 +
53950 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
53951 return -EINVAL;
53952
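Review bot: In the SEGMEXEC wrapper, if the second `__do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len)` fails (split_vma can return -ENOMEM), the primary range has already been unmapped and is not restored, so the caller gets an error for an operation that half-completed and the mirror lingers in the upper segment; detach_vmas_to_be_unmapped clears VM_EXEC on the surviving mirror, so the leftover is not executable, but that should be written down. Suggested comment above the second call: `/* the primary range is already gone; a failure here leaves a non-executable mirror behind until exit_mmap() */` — hedged, as exit_mmap's handling is only partly visible here. A note on why the wrapper does not pre-check that the mirror range can be split (the map_count headroom split_vma reserves) would also help.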
53953 @@ -2116,6 +2517,8 @@ int do_munmap(struct mm_struct *mm, unsi
53954 /* Fix up all other VM information */
53955 remove_vma_list(mm, vma);
53956
53957 + track_exec_limit(mm, start, end, 0UL);
53958 +
53959 return 0;
53960 }
53961
53962 @@ -2128,22 +2531,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
53963
53964 profile_munmap(addr);
53965
53966 +#ifdef CONFIG_PAX_SEGMEXEC
53967 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
53968 + (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
53969 + return -EINVAL;
53970 +#endif
53971 +
53972 down_write(&mm->mmap_sem);
53973 ret = do_munmap(mm, addr, len);
53974 up_write(&mm->mmap_sem);
53975 return ret;
53976 }
53977
53978 -static inline void verify_mm_writelocked(struct mm_struct *mm)
53979 -{
53980 -#ifdef CONFIG_DEBUG_VM
53981 - if (unlikely(down_read_trylock(&mm->mmap_sem))) {
53982 - WARN_ON(1);
53983 - up_read(&mm->mmap_sem);
53984 - }
53985 -#endif
53986 -}
53987 -
53988 /*
53989 * this is really a simplified "do_mmap". it only handles
53990 * anonymous maps. eventually we may be able to do some
53991 @@ -2157,6 +2556,7 @@ unsigned long do_brk(unsigned long addr,
53992 struct rb_node ** rb_link, * rb_parent;
53993 pgoff_t pgoff = addr >> PAGE_SHIFT;
53994 int error;
53995 + unsigned long charged;
53996
53997 len = PAGE_ALIGN(len);
53998 if (!len)
53999 @@ -2168,16 +2568,30 @@ unsigned long do_brk(unsigned long addr,
54000
54001 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
54002
54003 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
54004 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
54005 + flags &= ~VM_EXEC;
54006 +
54007 +#ifdef CONFIG_PAX_MPROTECT
54008 + if (mm->pax_flags & MF_PAX_MPROTECT)
54009 + flags &= ~VM_MAYEXEC;
54010 +#endif
54011 +
54012 + }
54013 +#endif
54014 +
54015 error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
54016 if (error & ~PAGE_MASK)
54017 return error;
54018
54019 + charged = len >> PAGE_SHIFT;
54020 +
54021 /*
54022 * mlock MCL_FUTURE?
54023 */
54024 if (mm->def_flags & VM_LOCKED) {
54025 unsigned long locked, lock_limit;
54026 - locked = len >> PAGE_SHIFT;
54027 + locked = charged;
54028 locked += mm->locked_vm;
54029 lock_limit = rlimit(RLIMIT_MEMLOCK);
54030 lock_limit >>= PAGE_SHIFT;
54031 @@ -2194,22 +2608,22 @@ unsigned long do_brk(unsigned long addr,
54032 /*
54033 * Clear old maps. this also does some error checking for us
54034 */
54035 - munmap_back:
54036 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
54037 if (vma && vma->vm_start < addr + len) {
54038 if (do_munmap(mm, addr, len))
54039 return -ENOMEM;
54040 - goto munmap_back;
54041 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
54042 + BUG_ON(vma && vma->vm_start < addr + len);
54043 }
54044
54045 /* Check against address space limits *after* clearing old maps... */
54046 - if (!may_expand_vm(mm, len >> PAGE_SHIFT))
54047 + if (!may_expand_vm(mm, charged))
54048 return -ENOMEM;
54049
54050 if (mm->map_count > sysctl_max_map_count)
54051 return -ENOMEM;
54052
54053 - if (security_vm_enough_memory(len >> PAGE_SHIFT))
54054 + if (security_vm_enough_memory(charged))
54055 return -ENOMEM;
54056
54057 /* Can we just expand an old private anonymous mapping? */
54058 @@ -2223,7 +2637,7 @@ unsigned long do_brk(unsigned long addr,
54059 */
54060 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
54061 if (!vma) {
54062 - vm_unacct_memory(len >> PAGE_SHIFT);
54063 + vm_unacct_memory(charged);
54064 return -ENOMEM;
54065 }
54066
54067 @@ -2237,11 +2651,12 @@ unsigned long do_brk(unsigned long addr,
54068 vma_link(mm, vma, prev, rb_link, rb_parent);
54069 out:
54070 perf_event_mmap(vma);
54071 - mm->total_vm += len >> PAGE_SHIFT;
54072 + mm->total_vm += charged;
54073 if (flags & VM_LOCKED) {
54074 if (!mlock_vma_pages_range(vma, addr, addr + len))
54075 - mm->locked_vm += (len >> PAGE_SHIFT);
54076 + mm->locked_vm += charged;
54077 }
54078 + track_exec_limit(mm, addr, addr + len, flags);
54079 return addr;
54080 }
54081
54082 @@ -2288,8 +2703,10 @@ void exit_mmap(struct mm_struct *mm)
54083 * Walk the list again, actually closing and freeing it,
54084 * with preemption enabled, without holding any MM locks.
54085 */
54086 - while (vma)
54087 + while (vma) {
54088 + vma->vm_mirror = NULL;
54089 vma = remove_vma(vma);
54090 + }
54091
54092 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
54093 }
54094 @@ -2303,6 +2720,13 @@ int insert_vm_struct(struct mm_struct *
54095 struct vm_area_struct * __vma, * prev;
54096 struct rb_node ** rb_link, * rb_parent;
54097
54098 +#ifdef CONFIG_PAX_SEGMEXEC
54099 + struct vm_area_struct *vma_m = NULL;
54100 +#endif
54101 +
54102 + if (security_file_mmap(NULL, 0, 0, 0, vma->vm_start, 1))
54103 + return -EPERM;
54104 +
54105 /*
54106 * The vm_pgoff of a purely anonymous vma should be irrelevant
54107 * until its first write fault, when page's anon_vma and index
54108 @@ -2325,7 +2749,22 @@ int insert_vm_struct(struct mm_struct *
54109 if ((vma->vm_flags & VM_ACCOUNT) &&
54110 security_vm_enough_memory_mm(mm, vma_pages(vma)))
54111 return -ENOMEM;
54112 +
54113 +#ifdef CONFIG_PAX_SEGMEXEC
54114 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
54115 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
54116 + if (!vma_m)
54117 + return -ENOMEM;
54118 + }
54119 +#endif
54120 +
54121 vma_link(mm, vma, prev, rb_link, rb_parent);
54122 +
54123 +#ifdef CONFIG_PAX_SEGMEXEC
54124 + if (vma_m)
54125 + BUG_ON(pax_mirror_vma(vma_m, vma));
54126 +#endif
54127 +
54128 return 0;
54129 }
54130
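Review bot: The new `vma_m` allocation failure path returns -ENOMEM after `security_vm_enough_memory_mm(mm, vma_pages(vma))` has already charged the pages for a VM_ACCOUNT vma, so the commit charge leaks on that path. Undo it before returning, `if (!vma_m) { if (vma->vm_flags & VM_ACCOUNT) vm_unacct_memory(vma_pages(vma)); return -ENOMEM; }`, or allocate `vma_m` ahead of the accounting check so no unwind is needed. The `BUG_ON(pax_mirror_vma(vma_m, vma))` after vma_link has the same panic-on-ENOMEM concern as in mmap_region.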
54131 @@ -2343,6 +2782,8 @@ struct vm_area_struct *copy_vma(struct v
54132 struct rb_node **rb_link, *rb_parent;
54133 struct mempolicy *pol;
54134
54135 + BUG_ON(vma->vm_mirror);
54136 +
54137 /*
54138 * If anonymous vma has not yet been faulted, update new pgoff
54139 * to match new location, to increase its chance of merging.
54140 @@ -2392,6 +2833,39 @@ struct vm_area_struct *copy_vma(struct v
54141 kmem_cache_free(vm_area_cachep, new_vma);
54142 return NULL;
54143 }
54144 +
54145 +#ifdef CONFIG_PAX_SEGMEXEC
54146 +long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
54147 +{
54148 + struct vm_area_struct *prev_m;
54149 + struct rb_node **rb_link_m, *rb_parent_m;
54150 + struct mempolicy *pol_m;
54151 +
54152 + BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
54153 + BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
54154 + BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));
54155 + *vma_m = *vma;
54156 + INIT_LIST_HEAD(&vma_m->anon_vma_chain);
54157 + if (anon_vma_clone(vma_m, vma))
54158 + return -ENOMEM;
54159 + pol_m = vma_policy(vma_m);
54160 + mpol_get(pol_m);
54161 + vma_set_policy(vma_m, pol_m);
54162 + vma_m->vm_start += SEGMEXEC_TASK_SIZE;
54163 + vma_m->vm_end += SEGMEXEC_TASK_SIZE;
54164 + vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
54165 + vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
54166 + if (vma_m->vm_file)
54167 + get_file(vma_m->vm_file);
54168 + if (vma_m->vm_ops && vma_m->vm_ops->open)
54169 + vma_m->vm_ops->open(vma_m);
54170 + find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
54171 + vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
54172 + vma_m->vm_mirror = vma;
54173 + vma->vm_mirror = vma_m;
54174 + return 0;
54175 +}
54176 +#endif
54177
54178 /*
54179 * Return true if the calling process may expand its vm space by the passed
54180 @@ -2403,7 +2877,7 @@ int may_expand_vm(struct mm_struct *mm,
54181 unsigned long lim;
54182
54183 lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
54184 -
54185 + gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
54186 if (cur + npages > lim)
54187 return 0;
54188 return 1;
54189 @@ -2474,6 +2948,17 @@ int install_special_mapping(struct mm_st
54190 vma->vm_start = addr;
54191 vma->vm_end = addr + len;
54192
54193 +#ifdef CONFIG_PAX_MPROTECT
54194 + if (mm->pax_flags & MF_PAX_MPROTECT) {
54195 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
54196 + return -EPERM;
54197 + if (!(vm_flags & VM_EXEC))
54198 + vm_flags &= ~VM_MAYEXEC;
54199 + else
54200 + vm_flags &= ~VM_MAYWRITE;
54201 + }
54202 +#endif
54203 +
54204 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
54205 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
54206
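--- a/linux-2.6.37/mm/mprotect.c
+++ b/linux-2.6.37/mm/mprotect.c
@@ -23,10 +23,16 @@
 #include <linux/mmu_notifier.h>
 #include <linux/migrate.h>
 #include <linux/perf_event.h>
+
+#ifdef CONFIG_PAX_MPROTECT
+#include <linux/elf.h>
+#endif
+
 #include <asm/uaccess.h>
 #include <asm/pgtable.h>
 #include <asm/cacheflush.h>
 #include <asm/tlbflush.h>
+#include <asm/mmu_context.h>
 
 #ifndef pgprot_modify
 static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
@@ -131,6 +137,48 @@ static void change_protection(struct vm_
 flush_tlb_range(vma, start, end);
 }
 
+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
+/* called while holding the mmap semaphor for writing except stack expansion */
+void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
+{
+ unsigned long oldlimit, newlimit = 0UL;
+
+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || (__supported_pte_mask & _PAGE_NX))
+ return;
+
+ spin_lock(&mm->page_table_lock);
+ oldlimit = mm->context.user_cs_limit;
+ if ((prot & VM_EXEC) && oldlimit < end)
+ /* USER_CS limit moved up */
+ newlimit = end;
+ else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
+ /* USER_CS limit moved down */
+ newlimit = start;
+
+ if (newlimit) {
+ mm->context.user_cs_limit = newlimit;
+
+#ifdef CONFIG_SMP
+ wmb();
+ cpus_clear(mm->context.cpu_user_cs_mask);
+ cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
+#endif
+
+ set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
+ }
+ spin_unlock(&mm->page_table_lock);
+ if (newlimit == end) {
+ struct vm_area_struct *vma = find_vma(mm, oldlimit);
+
+ for (; vma && vma->vm_start < end; vma = vma->vm_next)
+ if (is_vm_hugetlb_page(vma))
+ hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
+ else
+ change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
+ }
+}
+#endif
+
 int
 mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
 unsigned long start, unsigned long end, unsigned long newflags)
@@ -143,11 +191,29 @@ mprotect_fixup(struct vm_area_struct *vm
 int error;
 int dirty_accountable = 0;
 
+#ifdef CONFIG_PAX_SEGMEXEC
+ struct vm_area_struct *vma_m = NULL;
+ unsigned long start_m, end_m;
+
+ start_m = start + SEGMEXEC_TASK_SIZE;
+ end_m = end + SEGMEXEC_TASK_SIZE;
+#endif
+
 if (newflags == oldflags) {
 *pprev = vma;
 return 0;
 }
 
+ if (newflags & (VM_READ | VM_WRITE | VM_EXEC)) {
+ struct vm_area_struct *prev = vma->vm_prev, *next = vma->vm_next;
+
+ if (next && (next->vm_flags & VM_GROWSDOWN) && sysctl_heap_stack_gap > next->vm_start - end)
+ return -ENOMEM;
+
+ if (prev && (prev->vm_flags & VM_GROWSUP) && sysctl_heap_stack_gap > start - prev->vm_end)
+ return -ENOMEM;
+ }
+
 /*
 * If we make a private mapping writable we increase our commit;
 * but (without finer accounting) cannot reduce our commit if we
@@ -164,6 +230,42 @@ mprotect_fixup(struct vm_area_struct *vm
 }
 }
 
+#ifdef CONFIG_PAX_SEGMEXEC
+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ((oldflags ^ newflags) & VM_EXEC)) {
+ if (start != vma->vm_start) {
+ error = split_vma(mm, vma, start, 1);
+ if (error)
+ goto fail;
+ BUG_ON(!*pprev || (*pprev)->vm_next == vma);
+ *pprev = (*pprev)->vm_next;
+ }
+
+ if (end != vma->vm_end) {
+ error = split_vma(mm, vma, end, 0);
+ if (error)
+ goto fail;
+ }
+
+ if (pax_find_mirror_vma(vma)) {
+ error = __do_munmap(mm, start_m, end_m - start_m);
+ if (error)
+ goto fail;
+ } else {
+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
+ if (!vma_m) {
+ error = -ENOMEM;
+ goto fail;
+ }
+ vma->vm_flags = newflags;
+ error = pax_mirror_vma(vma_m, vma);
+ if (error) {
+ vma->vm_flags = oldflags;
+ goto fail;
+ }
+ }
+ }
+#endif
+
 /*
 * First try to merge with previous and/or next vma.
 */
@@ -194,9 +296,21 @@ success:
 * vm_flags and vm_page_prot are protected by the mmap_sem
 * held in write mode.
 */
+
+#ifdef CONFIG_PAX_SEGMEXEC
+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (newflags & VM_EXEC) && ((vma->vm_flags ^ newflags) & VM_READ))
+ pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;
+#endif
+
 vma->vm_flags = newflags;
+
+#ifdef CONFIG_PAX_MPROTECT
+ if (mm->binfmt && mm->binfmt->handle_mprotect)
+ mm->binfmt->handle_mprotect(vma, newflags);
+#endif
+
 vma->vm_page_prot = pgprot_modify(vma->vm_page_prot,
- vm_get_page_prot(newflags));
+ vm_get_page_prot(vma->vm_flags));
 
 if (vma_wants_writenotify(vma)) {
 vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
@@ -238,6 +352,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
 end = start + len;
 if (end <= start)
 return -ENOMEM;
+
+#ifdef CONFIG_PAX_SEGMEXEC
+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
+ if (end > SEGMEXEC_TASK_SIZE)
+ return -EINVAL;
+ } else
+#endif
+
+ if (end > TASK_SIZE)
+ return -EINVAL;
+
 if (!arch_validate_prot(prot))
 return -EINVAL;
 
@@ -245,7 +370,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
 /*
 * Does the application expect PROT_READ to imply PROT_EXEC:
 */
- if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
+ if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
 prot |= PROT_EXEC;
 
 vm_flags = calc_vm_prot_bits(prot);
@@ -277,6 +402,11 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
 if (start > vma->vm_start)
 prev = vma;
 
+#ifdef CONFIG_PAX_MPROTECT
+ if (current->mm->binfmt && current->mm->binfmt->handle_mprotect)
+ current->mm->binfmt->handle_mprotect(vma, vm_flags);
+#endif
+
 for (nstart = start ; ; ) {
 unsigned long newflags;
 
@@ -286,6 +416,14 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
 
 /* newflags >> 4 shift VM_MAY% in place of VM_% */
 if ((newflags & ~(newflags >> 4)) & (VM_READ | VM_WRITE | VM_EXEC)) {
+ if (prot & (PROT_WRITE | PROT_EXEC))
+ gr_log_rwxmprotect(vma->vm_file);
+
+ error = -EACCES;
+ goto out;
+ }
+
+ if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
 error = -EACCES;
 goto out;
 }
@@ -300,6 +438,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
 error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
 if (error)
 goto out;
+
+ track_exec_limit(current->mm, nstart, tmp, vm_flags);
+
 nstart = tmp;
 
 if (nstart < prev->vm_end)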
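Review bot: In the SEGMEXEC block of mprotect_fixup, the error path after `error = pax_mirror_vma(vma_m, vma);` restores vm_flags and jumps to `fail` but never frees the `vma_m` obtained from `kmem_cache_zalloc` a few lines earlier, so an -ENOMEM from the mirror setup leaks a vm_area_struct; the `fail` label lies outside the hunk, and nothing in the hunk suggests it knows about vma_m. Add `kmem_cache_free(vm_area_cachep, vma_m);` before that `goto fail`. In the `success:` hunk further down, `pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;` dereferences the lookup without a NULL check; if the invariant is that a mirror always exists once VM_EXEC is set, a `BUG_ON(!vma_m)`-style assertion or a one-line comment stating it would make that explicit. In the mprotect syscall hunk, the `} else` that attaches across `#endif` to `if (end > TASK_SIZE)` is fragile and unbraced; giving the non-SEGMEXEC check its own braces would survive the next edit to either side. mprotect_fixup begins before its first hunk and continues after each of them.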
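--- a/linux-2.6.37/mm/mremap.c
+++ b/linux-2.6.37/mm/mremap.c
@@ -113,6 +113,12 @@ static void move_ptes(struct vm_area_str
 continue;
 pte = ptep_clear_flush(vma, old_addr, old_pte);
 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
+
+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
+ if (!(__supported_pte_mask & _PAGE_NX) && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
+ pte = pte_exprotect(pte);
+#endif
+
 set_pte_at(mm, new_addr, new_pte, pte);
 }
 
@@ -272,6 +278,11 @@ static struct vm_area_struct *vma_to_res
 if (is_vm_hugetlb_page(vma))
 goto Einval;
 
+#ifdef CONFIG_PAX_SEGMEXEC
+ if (pax_find_mirror_vma(vma))
+ goto Einval;
+#endif
+
 /* We can't remap across vm area boundaries */
 if (old_len > vma->vm_end - addr)
 goto Efault;
@@ -321,20 +332,25 @@ static unsigned long mremap_to(unsigned
 unsigned long ret = -EINVAL;
 unsigned long charged = 0;
 unsigned long map_flags;
+ unsigned long pax_task_size = TASK_SIZE;
 
 if (new_addr & ~PAGE_MASK)
 goto out;
 
- if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
+#ifdef CONFIG_PAX_SEGMEXEC
+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
+ pax_task_size = SEGMEXEC_TASK_SIZE;
+#endif
+
+ pax_task_size -= PAGE_SIZE;
+
+ if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)
 goto out;
 
 /* Check if the location we're moving into overlaps the
 * old location at all, and fail if it does.
 */
- if ((new_addr <= addr) && (new_addr+new_len) > addr)
- goto out;
-
- if ((addr <= new_addr) && (addr+old_len) > new_addr)
+ if (addr + old_len > new_addr && new_addr + new_len > addr)
 goto out;
 
 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
@@ -406,6 +422,7 @@ unsigned long do_mremap(unsigned long ad
 struct vm_area_struct *vma;
 unsigned long ret = -EINVAL;
 unsigned long charged = 0;
+ unsigned long pax_task_size = TASK_SIZE;
 
 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
 goto out;
@@ -424,6 +441,17 @@ unsigned long do_mremap(unsigned long ad
 if (!new_len)
 goto out;
 
+#ifdef CONFIG_PAX_SEGMEXEC
+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
+ pax_task_size = SEGMEXEC_TASK_SIZE;
+#endif
+
+ pax_task_size -= PAGE_SIZE;
+
+ if (new_len > pax_task_size || addr > pax_task_size-new_len ||
+ old_len > pax_task_size || addr > pax_task_size-old_len)
+ goto out;
+
 if (flags & MREMAP_FIXED) {
 if (flags & MREMAP_MAYMOVE)
 ret = mremap_to(addr, old_len, new_addr, new_len);
@@ -473,6 +501,7 @@ unsigned long do_mremap(unsigned long ad
 addr + new_len);
 }
 ret = addr;
+ track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
 goto out;
 }
 }
@@ -499,7 +528,13 @@ unsigned long do_mremap(unsigned long ad
 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
 if (ret)
 goto out;
+
+ map_flags = vma->vm_flags;
 ret = move_vma(vma, addr, old_len, new_len, new_addr);
+ if (!(ret & ~PAGE_MASK)) {
+ track_exec_limit(current->mm, addr, addr + old_len, 0UL);
+ track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
+ }
 }
 out:
 if (ret & ~PAGE_MASK)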
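Review bot: In mremap_to the rewritten range check `if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)` still bounds new_len by TASK_SIZE while the subtraction uses pax_task_size, so under SEGMEXEC a new_len between SEGMEXEC_TASK_SIZE and TASK_SIZE passes the first test and wraps `pax_task_size - new_len` to a huge value, which lets the second test pass as well. The do_mremap hunk below rejects `new_len > pax_task_size` before calling mremap_to, so this is presumably unreachable today, but the helper should not lean on its caller: `if (new_len > pax_task_size || new_addr > pax_task_size - new_len)`. In the last hunk, `map_flags = vma->vm_flags;` reuses a local that, if it is the MAP_* argument built for get_unmapped_area earlier in do_mremap (its declaration is outside the hunk), now carries a second meaning; a dedicated `unsigned long vm_flags` local would read more clearly. Both mremap_to and do_mremap extend beyond these hunks.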
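--- a/linux-2.6.37/mm/nommu.c
+++ b/linux-2.6.37/mm/nommu.c
@@ -63,7 +63,6 @@ int sysctl_overcommit_memory = OVERCOMMI
 int sysctl_overcommit_ratio = 50; /* default is 50% */
 int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT;
 int sysctl_nr_trim_pages = CONFIG_NOMMU_INITIAL_TRIM_EXCESS;
-int heap_stack_gap = 0;
 
 atomic_long_t mmap_pages_allocated;
 
@@ -831,15 +830,6 @@ struct vm_area_struct *find_vma(struct m
 EXPORT_SYMBOL(find_vma);
 
 /*
- * find a VMA
- * - we don't extend stack VMAs under NOMMU conditions
- */
-struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
-{
- return find_vma(mm, addr);
-}
-
-/*
 * expand a stack to a given address
 * - not supported under NOMMU conditions
 */
@@ -1561,6 +1551,7 @@ int split_vma(struct mm_struct *mm, stru
 
 /* most fields are the same, copy all, and then fixup */
 *new = *vma;
+ INIT_LIST_HEAD(&new->anon_vma_chain);
 *region = *vma->vm_region;
 new->vm_region = region;
 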
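--- a/linux-2.6.37/mm/page_alloc.c
+++ b/linux-2.6.37/mm/page_alloc.c
@@ -648,6 +648,10 @@ static bool free_pages_prepare(struct pa
 int i;
 int bad = 0;
 
+#ifdef CONFIG_PAX_MEMORY_SANITIZE
+ unsigned long index = 1UL << order;
+#endif
+
 trace_mm_page_free_direct(page, order);
 kmemcheck_free_shadow(page, order);
 
@@ -666,6 +670,12 @@ static bool free_pages_prepare(struct pa
 debug_check_no_obj_freed(page_address(page),
 PAGE_SIZE << order);
 }
+
+#ifdef CONFIG_PAX_MEMORY_SANITIZE
+ for (; index; --index)
+ sanitize_highpage(page + index - 1);
+#endif
+
 arch_free_page(page, order);
 kernel_map_pages(page, 1 << order, 0);
 
@@ -780,8 +790,10 @@ static int prep_new_page(struct page *pa
 arch_alloc_page(page, order);
 kernel_map_pages(page, 1 << order, 1);
 
+#ifndef CONFIG_PAX_MEMORY_SANITIZE
 if (gfp_flags & __GFP_ZERO)
 prep_zero_page(page, order, gfp_flags);
+#endif
 
 if (order && (gfp_flags & __GFP_COMP))
 prep_compound_page(page, order);
@@ -4014,7 +4026,7 @@ static void __init setup_usemap(struct p
 zone->pageblock_flags = alloc_bootmem_node(pgdat, usemapsize);
 }
 #else
-static void inline setup_usemap(struct pglist_data *pgdat,
+static inline void setup_usemap(struct pglist_data *pgdat,
 struct zone *zone, unsigned long zonesize) {}
 #endif /* CONFIG_SPARSEMEM */
 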
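Review bot: The `#ifndef CONFIG_PAX_MEMORY_SANITIZE` around the `__GFP_ZERO` handling in prep_new_page turns zero-on-allocation into a dependency on the sanitize loop in free_pages_prepare having run on every page the allocator hands out, and the hunk itself does not establish that: any page that reaches the free lists without passing free_pages_prepare, or any debug feature that writes into free pages between `kernel_map_pages(page, 1 << order, 0)` and `kernel_map_pages(page, 1 << order, 1)` (page poisoning, if it is enabled alongside this), would hand non-zero memory to a `__GFP_ZERO` caller. If the invariant does hold, state it where it is relied on, e.g. `/* PAX_MEMORY_SANITIZE zeroes every page in free_pages_prepare(), so __GFP_ZERO needs no work here */`; otherwise leave prep_zero_page unconditional, since a redundant clear is cheap and a missed one is an information leak. The sanitize loop is also placed after `debug_check_no_obj_freed`, so its position relative to the `bad` checks earlier in free_pages_prepare (outside the hunk) decides whether rejected pages get scrubbed; worth a one-line comment either way.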
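--- a/linux-2.6.37/mm/percpu.c
+++ b/linux-2.6.37/mm/percpu.c
@@ -121,7 +121,7 @@ static unsigned int pcpu_first_unit_cpu
 static unsigned int pcpu_last_unit_cpu __read_mostly;
 
 /* the address of the first chunk which starts with the kernel static area */
-void *pcpu_base_addr __read_mostly;
+void *pcpu_base_addr __read_only;
 EXPORT_SYMBOL_GPL(pcpu_base_addr);
 
 static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */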
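--- a/linux-2.6.37/mm/rmap.c
+++ b/linux-2.6.37/mm/rmap.c
@@ -117,6 +117,10 @@ int anon_vma_prepare(struct vm_area_stru
 struct anon_vma *anon_vma = vma->anon_vma;
 struct anon_vma_chain *avc;
 
+#ifdef CONFIG_PAX_SEGMEXEC
+ struct anon_vma_chain *avc_m = NULL;
+#endif
+
 might_sleep();
 if (unlikely(!anon_vma)) {
 struct mm_struct *mm = vma->vm_mm;
@@ -126,6 +130,12 @@ int anon_vma_prepare(struct vm_area_stru
 if (!avc)
 goto out_enomem;
 
+#ifdef CONFIG_PAX_SEGMEXEC
+ avc_m = anon_vma_chain_alloc();
+ if (!avc_m)
+ goto out_enomem_free_avc;
+#endif
+
 anon_vma = find_mergeable_anon_vma(vma);
 allocated = NULL;
 if (!anon_vma) {
@@ -144,6 +154,21 @@ int anon_vma_prepare(struct vm_area_stru
 /* page_table_lock to protect against threads */
 spin_lock(&mm->page_table_lock);
 if (likely(!vma->anon_vma)) {
+
+#ifdef CONFIG_PAX_SEGMEXEC
+ struct vm_area_struct *vma_m = pax_find_mirror_vma(vma);
+
+ if (vma_m) {
+ BUG_ON(vma_m->anon_vma);
+ vma_m->anon_vma = anon_vma;
+ avc_m->anon_vma = anon_vma;
+ avc_m->vma = vma;
+ list_add(&avc_m->same_vma, &vma_m->anon_vma_chain);
+ list_add(&avc_m->same_anon_vma, &anon_vma->head);
+ avc_m = NULL;
+ }
+#endif
+
 vma->anon_vma = anon_vma;
 avc->anon_vma = anon_vma;
 avc->vma = vma;
@@ -157,12 +182,24 @@ int anon_vma_prepare(struct vm_area_stru
 
 if (unlikely(allocated))
 anon_vma_free(allocated);
+
+#ifdef CONFIG_PAX_SEGMEXEC
+ if (unlikely(avc_m))
+ anon_vma_chain_free(avc_m);
+#endif
+
 if (unlikely(avc))
 anon_vma_chain_free(avc);
 }
 return 0;
 
 out_enomem_free_avc:
+
+#ifdef CONFIG_PAX_SEGMEXEC
+ if (avc_m)
+ anon_vma_chain_free(avc_m);
+#endif
+
 anon_vma_chain_free(avc);
 out_enomem:
 return -ENOMEM;
@@ -185,7 +222,7 @@ static void anon_vma_chain_link(struct v
 * Attach the anon_vmas from src to dst.
 * Returns 0 on success, -ENOMEM on failure.
 */
-int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
+int anon_vma_clone(struct vm_area_struct *dst, const struct vm_area_struct *src)
 {
 struct anon_vma_chain *avc, *pavc;
 
@@ -207,7 +244,7 @@ int anon_vma_clone(struct vm_area_struct
 * the corresponding VMA in the parent process is attached to.
 * Returns 0 on success, non-zero on failure.
 */
-int anon_vma_fork(struct vm_area_struct *vma, struct vm_area_struct *pvma)
+int anon_vma_fork(struct vm_area_struct *vma, const struct vm_area_struct *pvma)
 {
 struct anon_vma_chain *avc;
 struct anon_vma *anon_vma;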
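Review bot: In the SEGMEXEC branch of anon_vma_prepare, `avc_m->vma = vma;` points the mirror's chain entry at the original vma rather than at `vma_m`, while the same entry is linked into `vma_m->anon_vma_chain`; that asymmetry looks like a typo to anyone who does not know the mirror shares the original's pages, so it needs a comment stating it is deliberate, e.g. `/* deliberately vma, not vma_m: rmap walks must resolve to the vma that owns the pages */` if that is the reason (the hunk does not say). The `avc_m` allocation a hunk earlier is unconditional under the config option, so every anon_vma_prepare on a non-SEGMEXEC mm pays an allocation that is freed again after the lock; if mirrors can only appear under mmap_sem held for write, a `pax_find_mirror_vma(vma)` check before allocating would avoid that, but confirm the locking before relying on it. anon_vma_prepare extends beyond these hunks.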
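--- a/linux-2.6.37/mm/shmem.c
+++ b/linux-2.6.37/mm/shmem.c
@@ -31,7 +31,7 @@
 #include <linux/percpu_counter.h>
 #include <linux/swap.h>
 
-static struct vfsmount *shm_mnt;
+struct vfsmount *shm_mnt;
 
 #ifdef CONFIG_SHMEM
 /*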
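--- a/linux-2.6.37/mm/slab.c
+++ b/linux-2.6.37/mm/slab.c
@@ -284,7 +284,7 @@ struct kmem_list3 {
 * Need this for bootstrapping a per node allocator.
 */
 #define NUM_INIT_LISTS (3 * MAX_NUMNODES)
-struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
+struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
 #define CACHE_CACHE 0
 #define SIZE_AC MAX_NUMNODES
 #define SIZE_L3 (2 * MAX_NUMNODES)
@@ -534,7 +534,7 @@ static inline void *index_to_obj(struct
 * reciprocal_divide(offset, cache->reciprocal_buffer_size)
 */
 static inline unsigned int obj_to_index(const struct kmem_cache *cache,
- const struct slab *slab, void *obj)
+ const struct slab *slab, const void *obj)
 {
 u32 offset = (obj - slab->s_mem);
 return reciprocal_divide(offset, cache->reciprocal_buffer_size);
@@ -560,14 +560,14 @@ struct cache_names {
 static struct cache_names __initdata cache_names[] = {
 #define CACHE(x) { .name = "size-" #x, .name_dma = "size-" #x "(DMA)" },
 #include <linux/kmalloc_sizes.h>
- {NULL,}
+ {NULL, NULL}
 #undef CACHE
 };
 
 static struct arraycache_init initarray_cache __initdata =
- { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
+ { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
 static struct arraycache_init initarray_generic =
- { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
+ { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
 
 /* internal cache of cache description objs */
 static struct kmem_cache cache_cache = {
@@ -4557,15 +4557,66 @@ static const struct file_operations proc
 
 static int __init slab_proc_init(void)
 {
- proc_create("slabinfo",S_IWUSR|S_IRUGO,NULL,&proc_slabinfo_operations);
+ mode_t gr_mode = S_IRUGO;
+
+#ifdef CONFIG_GRKERNSEC_PROC_ADD
+ gr_mode = S_IRUSR;
+#endif
+
+ proc_create("slabinfo",S_IWUSR|gr_mode,NULL,&proc_slabinfo_operations);
 #ifdef CONFIG_DEBUG_SLAB_LEAK
- proc_create("slab_allocators", 0, NULL, &proc_slabstats_operations);
+ proc_create("slab_allocators", gr_mode, NULL, &proc_slabstats_operations);
 #endif
 return 0;
 }
 module_init(slab_proc_init);
 #endif
 
+void check_object_size(const void *ptr, unsigned long n, bool to)
+{
+
+#ifdef CONFIG_PAX_USERCOPY
+ struct kmem_cache *cachep;
+ struct slab *slabp;
+ struct page *page;
+ unsigned int objnr;
+ unsigned long offset;
+
+ if (!n)
+ return;
+
+ if (ZERO_OR_NULL_PTR(ptr))
+ goto report;
+
+ if (!virt_addr_valid(ptr))
+ return;
+
+ page = virt_to_head_page(ptr);
+
+ if (!PageSlab(page)) {
+ if (object_is_on_stack(ptr, n) == -1)
+ goto report;
+ return;
+ }
+
+ cachep = page_get_cache(page);
+ slabp = page_get_slab(page);
+ objnr = obj_to_index(cachep, slabp, ptr);
+ BUG_ON(objnr >= cachep->num);
+ offset = ptr - index_to_obj(cachep, slabp, objnr) - obj_offset(cachep);
+ if (offset <= obj_size(cachep) && n <= obj_size(cachep) - offset)
+ return;
+
+report:
+ if (to)
+ pax_report_leak_to_user(ptr, n);
+ else
+ pax_report_overflow_from_user(ptr, n);
+#endif
+
+}
+EXPORT_SYMBOL(check_object_size);
+
 /**
 * ksize - get the actual amount of memory allocated for a given object
 * @objp: Pointer to the object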
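Review bot: The bound test in check_object_size relies on `offset` wrapping to a huge unsigned value when `ptr` lies before the object start (inside the obj_offset padding or redzone), so that `offset <= obj_size(cachep)` fails and the copy is reported; that is correct but silent, and deserves `/* ptr before the object start wraps offset, which fails the bound below */` above the `if`. `object_is_on_stack(ptr, n) == -1` likewise treats one sentinel as the only violation, with 0 and other values passing; its definition is outside the hunk, so a one-line comment naming what -1 means (presumably a range straddling the stack boundary) would save the next reader a lookup. Both `check_object_size` definitions in this patch, here and in slob.c, carry the same unexplained sentinel and would benefit from the same note.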
54849 diff -urNp linux-2.6.37/mm/slob.c linux-2.6.37/mm/slob.c
54850 --- linux-2.6.37/mm/slob.c 2011-01-04 19:50:19.000000000 -0500
54851 +++ linux-2.6.37/mm/slob.c 2011-01-17 02:41:02.000000000 -0500
54852 @@ -29,7 +29,7 @@
54853 * If kmalloc is asked for objects of PAGE_SIZE or larger, it calls
54854 * alloc_pages() directly, allocating compound pages so the page order
54855 * does not have to be separately tracked, and also stores the exact
54856 - * allocation size in page->private so that it can be used to accurately
54857 + * allocation size in slob_page->size so that it can be used to accurately
54858 * provide ksize(). These objects are detected in kfree() because slob_page()
54859 * is false for them.
54860 *
54861 @@ -58,6 +58,7 @@
54862 */
54863
54864 #include <linux/kernel.h>
54865 +#include <linux/sched.h>
54866 #include <linux/slab.h>
54867 #include <linux/mm.h>
54868 #include <linux/swap.h> /* struct reclaim_state */
54869 @@ -102,7 +103,8 @@ struct slob_page {
54870 unsigned long flags; /* mandatory */
54871 atomic_t _count; /* mandatory */
54872 slobidx_t units; /* free units left in page */
54873 - unsigned long pad[2];
54874 + unsigned long pad[1];
54875 + unsigned long size; /* size when >=PAGE_SIZE */
54876 slob_t *free; /* first free slob_t in page */
54877 struct list_head list; /* linked list of free pages */
54878 };
54879 @@ -135,7 +137,7 @@ static LIST_HEAD(free_slob_large);
54880 */
54881 static inline int is_slob_page(struct slob_page *sp)
54882 {
54883 - return PageSlab((struct page *)sp);
54884 + return PageSlab((struct page *)sp) && !sp->size;
54885 }
54886
54887 static inline void set_slob_page(struct slob_page *sp)
54888 @@ -150,7 +152,7 @@ static inline void clear_slob_page(struc
54889
54890 static inline struct slob_page *slob_page(const void *addr)
54891 {
54892 - return (struct slob_page *)virt_to_page(addr);
54893 + return (struct slob_page *)virt_to_head_page(addr);
54894 }
54895
54896 /*
54897 @@ -210,7 +212,7 @@ static void set_slob(slob_t *s, slobidx_
54898 /*
54899 * Return the size of a slob block.
54900 */
54901 -static slobidx_t slob_units(slob_t *s)
54902 +static slobidx_t slob_units(const slob_t *s)
54903 {
54904 if (s->units > 0)
54905 return s->units;
54906 @@ -220,7 +222,7 @@ static slobidx_t slob_units(slob_t *s)
54907 /*
54908 * Return the next free slob block pointer after this one.
54909 */
54910 -static slob_t *slob_next(slob_t *s)
54911 +static slob_t *slob_next(const slob_t *s)
54912 {
54913 slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
54914 slobidx_t next;
54915 @@ -235,7 +237,7 @@ static slob_t *slob_next(slob_t *s)
54916 /*
54917 * Returns true if s is the last free block in its page.
54918 */
54919 -static int slob_last(slob_t *s)
54920 +static int slob_last(const slob_t *s)
54921 {
54922 return !((unsigned long)slob_next(s) & ~PAGE_MASK);
54923 }
54924 @@ -254,6 +256,7 @@ static void *slob_new_pages(gfp_t gfp, i
54925 if (!page)
54926 return NULL;
54927
54928 + set_slob_page(page);
54929 return page_address(page);
54930 }
54931
54932 @@ -370,11 +373,11 @@ static void *slob_alloc(size_t size, gfp
54933 if (!b)
54934 return NULL;
54935 sp = slob_page(b);
54936 - set_slob_page(sp);
54937
54938 spin_lock_irqsave(&slob_lock, flags);
54939 sp->units = SLOB_UNITS(PAGE_SIZE);
54940 sp->free = b;
54941 + sp->size = 0;
54942 INIT_LIST_HEAD(&sp->list);
54943 set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
54944 set_slob_page_free(sp, slob_list);
54945 @@ -476,10 +479,9 @@ out:
54946 * End of slob allocator proper. Begin kmem_cache_alloc and kmalloc frontend.
54947 */
54948
54949 -void *__kmalloc_node(size_t size, gfp_t gfp, int node)
54950 +static void *__kmalloc_node_align(size_t size, gfp_t gfp, int node, int align)
54951 {
54952 - unsigned int *m;
54953 - int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
54954 + slob_t *m;
54955 void *ret;
54956
54957 lockdep_trace_alloc(gfp);
54958 @@ -492,7 +494,10 @@ void *__kmalloc_node(size_t size, gfp_t
54959
54960 if (!m)
54961 return NULL;
54962 - *m = size;
54963 + BUILD_BUG_ON(ARCH_KMALLOC_MINALIGN < 2 * SLOB_UNIT);
54964 + BUILD_BUG_ON(ARCH_SLAB_MINALIGN < 2 * SLOB_UNIT);
54965 + m[0].units = size;
54966 + m[1].units = align;
54967 ret = (void *)m + align;
54968
54969 trace_kmalloc_node(_RET_IP_, ret,
54970 @@ -504,9 +509,9 @@ void *__kmalloc_node(size_t size, gfp_t
54971 gfp |= __GFP_COMP;
54972 ret = slob_new_pages(gfp, order, node);
54973 if (ret) {
54974 - struct page *page;
54975 - page = virt_to_page(ret);
54976 - page->private = size;
54977 + struct slob_page *sp;
54978 + sp = slob_page(ret);
54979 + sp->size = size;
54980 }
54981
54982 trace_kmalloc_node(_RET_IP_, ret,
54983 @@ -516,6 +521,13 @@ void *__kmalloc_node(size_t size, gfp_t
54984 kmemleak_alloc(ret, size, 1, gfp);
54985 return ret;
54986 }
54987 +
54988 +void *__kmalloc_node(size_t size, gfp_t gfp, int node)
54989 +{
54990 + int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
54991 +
54992 + return __kmalloc_node_align(size, gfp, node, align);
54993 +}
54994 EXPORT_SYMBOL(__kmalloc_node);
54995
54996 void kfree(const void *block)
54997 @@ -531,13 +543,84 @@ void kfree(const void *block)
54998 sp = slob_page(block);
54999 if (is_slob_page(sp)) {
55000 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
55001 - unsigned int *m = (unsigned int *)(block - align);
55002 - slob_free(m, *m + align);
55003 - } else
55004 + slob_t *m = (slob_t *)(block - align);
55005 + slob_free(m, m[0].units + align);
55006 + } else {
55007 + clear_slob_page(sp);
55008 + free_slob_page(sp);
55009 + sp->size = 0;
55010 put_page(&sp->page);
55011 + }
55012 }
55013 EXPORT_SYMBOL(kfree);
55014
55015 +void check_object_size(const void *ptr, unsigned long n, bool to)
55016 +{
55017 +
55018 +#ifdef CONFIG_PAX_USERCOPY
55019 + struct slob_page *sp;
55020 + const slob_t *free;
55021 + const void *base;
55022 +
55023 + if (!n)
55024 + return;
55025 +
55026 + if (ZERO_OR_NULL_PTR(ptr))
55027 + goto report;
55028 +
55029 + if (!virt_addr_valid(ptr))
55030 + return;
55031 +
55032 + sp = slob_page(ptr);
55033 + if (!PageSlab((struct page*)sp)) {
55034 + if (object_is_on_stack(ptr, n) == -1)
55035 + goto report;
55036 + return;
55037 + }
55038 +
55039 + if (sp->size) {
55040 + base = page_address(&sp->page);
55041 + if (base <= ptr && n <= sp->size - (ptr - base))
55042 + return;
55043 + goto report;
55044 + }
55045 +
55046 + /* some tricky double walking to find the chunk */
55047 + base = (void *)((unsigned long)ptr & PAGE_MASK);
55048 + free = sp->free;
55049 +
55050 + while (!slob_last(free) && (void *)free <= ptr) {
55051 + base = free + slob_units(free);
55052 + free = slob_next(free);
55053 + }
55054 +
55055 + while (base < (void *)free) {
55056 + slobidx_t m = ((slob_t *)base)[0].units, align = ((slob_t *)base)[1].units;
55057 + int size = SLOB_UNIT * SLOB_UNITS(m + align);
55058 + int offset;
55059 +
55060 + if (ptr < base + align)
55061 + goto report;
55062 +
55063 + offset = ptr - base - align;
55064 + if (offset < m) {
55065 + if (n <= m - offset)
55066 + return;
55067 + goto report;
55068 + }
55069 + base += size;
55070 + }
55071 +
55072 +report:
55073 + if (to)
55074 + pax_report_leak_to_user(ptr, n);
55075 + else
55076 + pax_report_overflow_from_user(ptr, n);
55077 +#endif
55078 +
55079 +}
55080 +EXPORT_SYMBOL(check_object_size);
55081 +
55082 /* can't use ksize for kmem_cache_alloc memory, only kmalloc */
55083 size_t ksize(const void *block)
55084 {
55085 @@ -550,10 +633,10 @@ size_t ksize(const void *block)
55086 sp = slob_page(block);
55087 if (is_slob_page(sp)) {
55088 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
55089 - unsigned int *m = (unsigned int *)(block - align);
55090 - return SLOB_UNITS(*m) * SLOB_UNIT;
55091 + slob_t *m = (slob_t *)(block - align);
55092 + return SLOB_UNITS(m[0].units) * SLOB_UNIT;
55093 } else
55094 - return sp->page.private;
55095 + return sp->size;
55096 }
55097 EXPORT_SYMBOL(ksize);
55098
55099 @@ -608,17 +691,25 @@ void *kmem_cache_alloc_node(struct kmem_
55100 {
55101 void *b;
55102
55103 +#ifdef CONFIG_PAX_USERCOPY
55104 + b = __kmalloc_node_align(c->size, flags, node, c->align);
55105 +#else
55106 if (c->size < PAGE_SIZE) {
55107 b = slob_alloc(c->size, flags, c->align, node);
55108 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
55109 SLOB_UNITS(c->size) * SLOB_UNIT,
55110 flags, node);
55111 } else {
55112 + struct slob_page *sp;
55113 +
55114 b = slob_new_pages(flags, get_order(c->size), node);
55115 + sp = slob_page(b);
55116 + sp->size = c->size;
55117 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
55118 PAGE_SIZE << get_order(c->size),
55119 flags, node);
55120 }
55121 +#endif
55122
55123 if (c->ctor)
55124 c->ctor(b);
55125 @@ -630,10 +721,16 @@ EXPORT_SYMBOL(kmem_cache_alloc_node);
55126
55127 static void __kmem_cache_free(void *b, int size)
55128 {
55129 - if (size < PAGE_SIZE)
55130 + struct slob_page *sp = slob_page(b);
55131 +
55132 + if (is_slob_page(sp))
55133 slob_free(b, size);
55134 - else
55135 + else {
55136 + clear_slob_page(sp);
55137 + free_slob_page(sp);
55138 + sp->size = 0;
55139 slob_free_pages(b, get_order(size));
55140 + }
55141 }
55142
55143 static void kmem_rcu_free(struct rcu_head *head)
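Review bot: Style: the `if (is_slob_page(sp))` arm is left brace-less while the `else {` arm gains braces; kernel coding style braces both arms when either needs them, so `if (is_slob_page(sp)) {` … `} else {`. The free decision now keys on the page flag rather than `size < PAGE_SIZE`, so it must agree with the threshold the allocation side uses (see `size + c->align < PAGE_SIZE` in the next hunk), and a one-line comment that `sp->size = 0` is deliberately done before slob_free_pages() releases the page would help.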
55144 @@ -646,14 +743,23 @@ static void kmem_rcu_free(struct rcu_hea
55145
55146 void kmem_cache_free(struct kmem_cache *c, void *b)
55147 {
55148 + int size = c->size;
55149 +
55150 +#ifdef CONFIG_PAX_USERCOPY
55151 + if (size + c->align < PAGE_SIZE) {
55152 + size += c->align;
55153 + b -= c->align;
55154 + }
55155 +#endif
55156 +
55157 kmemleak_free_recursive(b, c->flags);
55158 if (unlikely(c->flags & SLAB_DESTROY_BY_RCU)) {
55159 struct slob_rcu *slob_rcu;
55160 - slob_rcu = b + (c->size - sizeof(struct slob_rcu));
55161 - slob_rcu->size = c->size;
55162 + slob_rcu = b + (size - sizeof(struct slob_rcu));
55163 + slob_rcu->size = size;
55164 call_rcu(&slob_rcu->head, kmem_rcu_free);
55165 } else {
55166 - __kmem_cache_free(b, c->size);
55167 + __kmem_cache_free(b, size);
55168 }
55169
55170 trace_kmem_cache_free(_RET_IP_, b);
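Review bot: The CONFIG_PAX_USERCOPY adjustment `if (size + c->align < PAGE_SIZE) { size += c->align; b -= c->align; }` must mirror exactly the split __kmalloc_node_align() makes between slob_alloc() and whole pages; that function is not in this chunk, so if it compares with `<=` or against a differently rounded size, the un-shifted pointer reaches slob_free() for the boundary case. A comment tying the two sites together, e.g. `/* must match the slob_alloc/page split in __kmalloc_node_align() */`, or a shared inline helper that both call, prevents them from drifting apart. `b -= c->align` is arithmetic on `void *`, which relies on the GCC extension the kernel already depends on.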
55171 diff -urNp linux-2.6.37/mm/slub.c linux-2.6.37/mm/slub.c
55172 --- linux-2.6.37/mm/slub.c 2011-01-04 19:50:19.000000000 -0500
55173 +++ linux-2.6.37/mm/slub.c 2011-01-17 02:41:02.000000000 -0500
55174 @@ -388,7 +388,7 @@ static void print_track(const char *s, s
55175 if (!t->addr)
55176 return;
55177
55178 - printk(KERN_ERR "INFO: %s in %pS age=%lu cpu=%u pid=%d\n",
55179 + printk(KERN_ERR "INFO: %s in %pA age=%lu cpu=%u pid=%d\n",
55180 s, (void *)t->addr, jiffies - t->when, t->cpu, t->pid);
55181 }
55182
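Review bot: `%pA` is not an upstream printk conversion, so the line presumably depends on a vsprintf extension added elsewhere in this patch (not visible here); a reader of slub.c alone cannot tell what it prints. A short comment, e.g. `/* %pA: symbol format defined by this patch's vsprintf changes (verify) */`, would record the dependency next to its first use in this file.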
55183 @@ -1911,6 +1911,8 @@ void kmem_cache_free(struct kmem_cache *
55184
55185 page = virt_to_head_page(x);
55186
55187 + BUG_ON(!PageSlab(page));
55188 +
55189 slab_free(s, page, x, _RET_IP_);
55190
55191 trace_kmem_cache_free(_RET_IP_, x);
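Review bot: `BUG_ON(!PageSlab(page))` deliberately turns a free of a non-slab pointer (a double free after the page went back to the page allocator, or a corrupted pointer) into a panic before slab_free() reads `page->slab`; that intent should be stated in a comment, e.g. `/* refuse to free memory that is no longer a slab page: catches double frees and bad pointers early */`. Whether a hard BUG_ON or WARN_ON plus return is wanted is a policy choice for a hardening patch, but the comment should record which was chosen and why. kmem_cache_free's body starts before the hunk.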
55192 @@ -1955,7 +1957,7 @@ static int slub_min_objects;
55193 * Merge control. If this is set then no merging of slab caches will occur.
55194 * (Could be removed. This was introduced to pacify the merge skeptics.)
55195 */
55196 -static int slub_nomerge;
55197 +static int slub_nomerge = 1;
55198
55199 /*
55200 * Calculate the order of allocation given an slab object size.
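Review bot: The new default `slub_nomerge = 1` disables cache merging unless overridden, but the comment immediately above still describes the flag as something that "could be removed" and was "introduced to pacify the merge skeptics"; it should now say that merging is off by default so objects from different caches never share a slab (presumably to keep per-cache hardening such as the usercopy bounds precise). It is also worth noting there that, unless a corresponding boot option exists outside this chunk, there is no longer a way to re-enable merging at boot time.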
55201 @@ -2365,7 +2367,7 @@ static int kmem_cache_open(struct kmem_c
55202 * list to avoid pounding the page allocator excessively.
55203 */
55204 set_min_partial(s, ilog2(s->size));
55205 - s->refcount = 1;
55206 + atomic_set(&s->refcount, 1);
55207 #ifdef CONFIG_NUMA
55208 s->remote_node_defrag_ratio = 1000;
55209 #endif
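Review bot: Converting `s->refcount` to atomic operations here and in kmem_cache_destroy, kmem_cache_bootstrap_fixup, slab_unmergeable, kmem_cache_create and aliases_show changes the field's type in `struct kmem_cache`, which lives in a header outside this chunk, while every visible mutation still happens under `slub_lock` (`down_write(&slub_lock)` in kmem_cache_destroy and kmem_cache_create). A comment at the struct definition explaining why atomic ops are used despite the lock (presumably so the refcount-overflow protection applied elsewhere in the patch covers this counter) would stop a later maintainer from "simplifying" it back. aliases_show() continues to read the counter without the lock, as before.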
55210 @@ -2506,8 +2508,7 @@ static inline int kmem_cache_close(struc
55211 void kmem_cache_destroy(struct kmem_cache *s)
55212 {
55213 down_write(&slub_lock);
55214 - s->refcount--;
55215 - if (!s->refcount) {
55216 + if (atomic_dec_and_test(&s->refcount)) {
55217 list_del(&s->list);
55218 if (kmem_cache_close(s)) {
55219 printk(KERN_ERR "SLUB %s: %s called for cache that "
55220 @@ -2717,6 +2718,46 @@ void *__kmalloc_node(size_t size, gfp_t
55221 EXPORT_SYMBOL(__kmalloc_node);
55222 #endif
55223
55224 +void check_object_size(const void *ptr, unsigned long n, bool to)
55225 +{
55226 +
55227 +#ifdef CONFIG_PAX_USERCOPY
55228 + struct page *page;
55229 + struct kmem_cache *s;
55230 + unsigned long offset;
55231 +
55232 + if (!n)
55233 + return;
55234 +
55235 + if (ZERO_OR_NULL_PTR(ptr))
55236 + goto report;
55237 +
55238 + if (!virt_addr_valid(ptr))
55239 + return;
55240 +
55241 + page = get_object_page(ptr);
55242 +
55243 + if (!page) {
55244 + if (object_is_on_stack(ptr, n) == -1)
55245 + goto report;
55246 + return;
55247 + }
55248 +
55249 + s = page->slab;
55250 + offset = (ptr - page_address(page)) % s->size;
55251 + if (offset <= s->objsize && n <= s->objsize - offset)
55252 + return;
55253 +
55254 +report:
55255 + if (to)
55256 + pax_report_leak_to_user(ptr, n);
55257 + else
55258 + pax_report_overflow_from_user(ptr, n);
55259 +#endif
55260 +
55261 +}
55262 +EXPORT_SYMBOL(check_object_size);
55263 +
55264 size_t ksize(const void *object)
55265 {
55266 struct page *page;
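Review bot: check_object_size() has no comment describing its contract: it is silent for `n == 0`, for non-linear addresses and for stack objects that fit; it reports when `ptr` is NULL/ZERO_SIZE_PTR, when object_is_on_stack() returns -1, or when the range runs past the slab object's `objsize`; and `to` only selects which report is raised — whether the caller is expected to abort the copy after a report is not visible here. A kernel-doc block on the exported symbol stating those cases is needed. The slot offset `(ptr - page_address(page)) % s->size` also assumes objects begin at the page's first byte, which is worth stating on that line, and the blank line directly after `{` is a style nit.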
55267 @@ -2982,7 +3023,7 @@ static void __init kmem_cache_bootstrap_
55268 int node;
55269
55270 list_add(&s->list, &slab_caches);
55271 - s->refcount = -1;
55272 + atomic_set(&s->refcount, -1);
55273
55274 for_each_node_state(node, N_NORMAL_MEMORY) {
55275 struct kmem_cache_node *n = get_node(s, node);
55276 @@ -3177,7 +3218,7 @@ static int slab_unmergeable(struct kmem_
55277 /*
55278 * We may have set a slab to be unmergeable during bootstrap.
55279 */
55280 - if (s->refcount < 0)
55281 + if (atomic_read(&s->refcount) < 0)
55282 return 1;
55283
55284 return 0;
55285 @@ -3236,7 +3277,7 @@ struct kmem_cache *kmem_cache_create(con
55286 down_write(&slub_lock);
55287 s = find_mergeable(size, align, flags, name, ctor);
55288 if (s) {
55289 - s->refcount++;
55290 + atomic_inc(&s->refcount);
55291 /*
55292 * Adjust the object sizes so that we clear
55293 * the complete object on kzalloc.
55294 @@ -3245,7 +3286,7 @@ struct kmem_cache *kmem_cache_create(con
55295 s->inuse = max_t(int, s->inuse, ALIGN(size, sizeof(void *)));
55296
55297 if (sysfs_slab_alias(s, name)) {
55298 - s->refcount--;
55299 + atomic_dec(&s->refcount);
55300 goto err;
55301 }
55302 up_write(&slub_lock);
55303 @@ -3981,7 +4022,7 @@ SLAB_ATTR_RO(ctor);
55304
55305 static ssize_t aliases_show(struct kmem_cache *s, char *buf)
55306 {
55307 - return sprintf(buf, "%d\n", s->refcount - 1);
55308 + return sprintf(buf, "%d\n", atomic_read(&s->refcount) - 1);
55309 }
55310 SLAB_ATTR_RO(aliases);
55311
55312 @@ -4718,7 +4759,13 @@ static const struct file_operations proc
55313
55314 static int __init slab_proc_init(void)
55315 {
55316 - proc_create("slabinfo", S_IRUGO, NULL, &proc_slabinfo_operations);
55317 + mode_t gr_mode = S_IRUGO;
55318 +
55319 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
55320 + gr_mode = S_IRUSR;
55321 +#endif
55322 +
55323 + proc_create("slabinfo", gr_mode, NULL, &proc_slabinfo_operations);
55324 return 0;
55325 }
55326 module_init(slab_proc_init);
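Review bot: The `mode_t gr_mode = S_IRUGO;` / `#ifdef CONFIG_GRKERNSEC_PROC_ADD gr_mode = S_IRUSR;` block is duplicated verbatim in setup_vmstat() (mm/vmstat.c hunk below), and that copy additionally grants S_IRGRP to `vmstat` only under CONFIG_GRKERNSEC_PROC_USERGROUP while buddyinfo, pagetypeinfo and zoneinfo stay owner-only. A single macro or helper evaluated once (a constructed name such as `GR_PROC_MODE`) would keep the policy in one place, and a comment in the vmstat hunk should say why vmstat alone is group-readable.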
55327 diff -urNp linux-2.6.37/mm/util.c linux-2.6.37/mm/util.c
55328 --- linux-2.6.37/mm/util.c 2011-01-04 19:50:19.000000000 -0500
55329 +++ linux-2.6.37/mm/util.c 2011-01-17 02:41:02.000000000 -0500
55330 @@ -240,6 +240,12 @@ EXPORT_SYMBOL(strndup_user);
55331 void arch_pick_mmap_layout(struct mm_struct *mm)
55332 {
55333 mm->mmap_base = TASK_UNMAPPED_BASE;
55334 +
55335 +#ifdef CONFIG_PAX_RANDMMAP
55336 + if (mm->pax_flags & MF_PAX_RANDMMAP)
55337 + mm->mmap_base += mm->delta_mmap;
55338 +#endif
55339 +
55340 mm->get_unmapped_area = arch_get_unmapped_area;
55341 mm->unmap_area = arch_unmap_area;
55342 }
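Review bot: `mm->mmap_base += mm->delta_mmap` depends on `delta_mmap` having been populated before arch_pick_mmap_layout() runs (presumably at exec time, outside this chunk) and on the sum staying inside the mmap area; neither is stated. A comment such as `/* delta_mmap is chosen at exec time; it randomises the base of the bottom-up mmap area */` and, if the generator does not already bound it, a note on the maximum delta would document the invariant.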
55343 diff -urNp linux-2.6.37/mm/vmalloc.c linux-2.6.37/mm/vmalloc.c
55344 --- linux-2.6.37/mm/vmalloc.c 2011-01-04 19:50:19.000000000 -0500
55345 +++ linux-2.6.37/mm/vmalloc.c 2011-01-17 02:41:02.000000000 -0500
55346 @@ -39,8 +39,19 @@ static void vunmap_pte_range(pmd_t *pmd,
55347
55348 pte = pte_offset_kernel(pmd, addr);
55349 do {
55350 - pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
55351 - WARN_ON(!pte_none(ptent) && !pte_present(ptent));
55352 +
55353 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
55354 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr < (unsigned long)MODULES_EXEC_END) {
55355 + BUG_ON(!pte_exec(*pte));
55356 + set_pte_at(&init_mm, addr, pte, pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
55357 + continue;
55358 + }
55359 +#endif
55360 +
55361 + {
55362 + pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
55363 + WARN_ON(!pte_none(ptent) && !pte_present(ptent));
55364 + }
55365 } while (pte++, addr += PAGE_SIZE, addr != end);
55366 }
55367
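Review bot: Inside the MODULES_EXEC_VADDR..MODULES_EXEC_END range the loop does not clear the PTE but rewrites it to `pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC)`, so that area is never actually unmapped; the reason (presumably that the module-exec range overlays the kernel's linear mapping and must stay present and executable) is not recorded in the hunk. Add a comment before the `#if`, e.g. `/* KERNEXEC: the module exec range overlays the direct map; restore the identity PTE instead of clearing it */`. The `BUG_ON(!pte_exec(*pte))` would likewise benefit from a word on which invariant it asserts.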
55368 @@ -91,6 +102,7 @@ static int vmap_pte_range(pmd_t *pmd, un
55369 unsigned long end, pgprot_t prot, struct page **pages, int *nr)
55370 {
55371 pte_t *pte;
55372 + int ret = -ENOMEM;
55373
55374 /*
55375 * nr is a running index into the array which helps higher level
55376 @@ -100,17 +112,30 @@ static int vmap_pte_range(pmd_t *pmd, un
55377 pte = pte_alloc_kernel(pmd, addr);
55378 if (!pte)
55379 return -ENOMEM;
55380 +
55381 + pax_open_kernel();
55382 do {
55383 struct page *page = pages[*nr];
55384
55385 - if (WARN_ON(!pte_none(*pte)))
55386 - return -EBUSY;
55387 - if (WARN_ON(!page))
55388 - return -ENOMEM;
55389 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
55390 + if (pgprot_val(prot) & _PAGE_NX)
55391 +#endif
55392 +
55393 + if (WARN_ON(!pte_none(*pte))) {
55394 + ret = -EBUSY;
55395 + goto out;
55396 + }
55397 + if (WARN_ON(!page)) {
55398 + ret = -ENOMEM;
55399 + goto out;
55400 + }
55401 set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
55402 (*nr)++;
55403 } while (pte++, addr += PAGE_SIZE, addr != end);
55404 - return 0;
55405 + ret = 0;
55406 +out:
55407 + pax_close_kernel();
55408 + return ret;
55409 }
55410
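Review bot: The `if (pgprot_val(prot) & _PAGE_NX)` emitted under `#if ... CONFIG_PAX_KERNEXEC` is a brace-less `if` separated by a blank line from the `if (WARN_ON(!pte_none(*pte)))` it governs, so the pte_none check is skipped for executable mappings while the `!page` check is not; that matches vunmap_pte_range() leaving those PTEs populated, but a dangling `if` across an `#endif` reads as a stray statement and is easy to break. Fold the condition into the check and state why, as below. The goto-based cleanup around pax_open_kernel()/pax_close_kernel() is fine; the function's signature is in the preceding hunk.
```c
	do {
		struct page *page = pages[*nr];

#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
		/* KERNEXEC: module-exec PTEs stay populated across vunmap, so only NX mappings must start empty */
		if ((pgprot_val(prot) & _PAGE_NX) && WARN_ON(!pte_none(*pte))) {
#else
		if (WARN_ON(!pte_none(*pte))) {
#endif
			ret = -EBUSY;
			goto out;
		}
		/* … unchanged: !page check, set_pte_at(), loop tail, out: label … */
```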
55411 static int vmap_pmd_range(pud_t *pud, unsigned long addr,
55412 @@ -191,11 +216,20 @@ int is_vmalloc_or_module_addr(const void
55413 * and fall back on vmalloc() if that fails. Others
55414 * just put it in the vmalloc space.
55415 */
55416 -#if defined(CONFIG_MODULES) && defined(MODULES_VADDR)
55417 +#ifdef CONFIG_MODULES
55418 +#ifdef MODULES_VADDR
55419 unsigned long addr = (unsigned long)x;
55420 if (addr >= MODULES_VADDR && addr < MODULES_END)
55421 return 1;
55422 #endif
55423 +
55424 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
55425 + if (x >= (const void *)MODULES_EXEC_VADDR && x < (const void *)MODULES_EXEC_END)
55426 + return 1;
55427 +#endif
55428 +
55429 +#endif
55430 +
55431 return is_vmalloc_addr(x);
55432 }
55433
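Review bot: Style: the MODULES_VADDR branch compares an `unsigned long addr`, while the new KERNEXEC branch compares `x` as `const void *` against the MODULES_EXEC_VADDR/MODULES_EXEC_END casts; the two tests sit a few lines apart and should use one form. Since `addr` is declared only inside `#ifdef MODULES_VADDR`, the simplest fix is to cast the same way in both, e.g. `if ((unsigned long)x >= (unsigned long)MODULES_EXEC_VADDR && (unsigned long)x < (unsigned long)MODULES_EXEC_END)`, or to hoist `unsigned long addr = (unsigned long)x;` above both `#ifdef`s under CONFIG_MODULES.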
55434 @@ -216,8 +250,14 @@ struct page *vmalloc_to_page(const void
55435
55436 if (!pgd_none(*pgd)) {
55437 pud_t *pud = pud_offset(pgd, addr);
55438 +#ifdef CONFIG_X86
55439 + if (!pud_large(*pud))
55440 +#endif
55441 if (!pud_none(*pud)) {
55442 pmd_t *pmd = pmd_offset(pud, addr);
55443 +#ifdef CONFIG_X86
55444 + if (!pmd_large(*pmd))
55445 +#endif
55446 if (!pmd_none(*pmd)) {
55447 pte_t *ptep, pte;
55448
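Review bot: `if (!pud_large(*pud))` and `if (!pmd_large(*pmd))` are brace-less `if`s under `#ifdef CONFIG_X86` placed directly before the existing `if (!pud_none(*pud)) {` and `if (!pmd_none(*pmd)) {`, so a huge-page mapping silently skips the walk and the function falls through to whatever it returns by default (outside the hunk); presumably that is intended, since no single `struct page` is computed for a slice of a large mapping, but the construct is hard to read. Combining each pair into one condition under the ifdef, `if (!pud_large(*pud) && !pud_none(*pud)) {`, with a comment that large mappings are deliberately not translated, would be clearer.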
55449 @@ -1243,6 +1283,16 @@ static struct vm_struct *__get_vm_area_n
55450 struct vm_struct *area;
55451
55452 BUG_ON(in_interrupt());
55453 +
55454 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
55455 + if (flags & VM_KERNEXEC) {
55456 + if (start != VMALLOC_START || end != VMALLOC_END)
55457 + return NULL;
55458 + start = (unsigned long)MODULES_EXEC_VADDR;
55459 + end = (unsigned long)MODULES_EXEC_END;
55460 + }
55461 +#endif
55462 +
55463 if (flags & VM_IOREMAP) {
55464 int bit = fls(size);
55465
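Review bot: A VM_KERNEXEC request whose `start`/`end` is not the full VMALLOC_START..VMALLOC_END range returns NULL with no diagnostic, so a caller passing a custom range gets a failure indistinguishable from running out of address space. Either document it at the check, `/* VM_KERNEXEC is only valid for the generic vmalloc range; the request is rehomed into the module exec area */`, or make it a `WARN_ON` so the misuse is visible. The body continues below the hunk.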
55466 @@ -1468,6 +1518,11 @@ void *vmap(struct page **pages, unsigned
55467 if (count > totalram_pages)
55468 return NULL;
55469
55470 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
55471 + if (!(pgprot_val(prot) & _PAGE_NX))
55472 + flags |= VM_KERNEXEC;
55473 +#endif
55474 +
55475 area = get_vm_area_caller((count << PAGE_SHIFT), flags,
55476 __builtin_return_address(0));
55477 if (!area)
55478 @@ -1577,6 +1632,13 @@ static void *__vmalloc_node(unsigned lon
55479 if (!size || (size >> PAGE_SHIFT) > totalram_pages)
55480 return NULL;
55481
55482 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
55483 + if (!(pgprot_val(prot) & _PAGE_NX))
55484 + area = __get_vm_area_node(size, align, VM_ALLOC | VM_KERNEXEC, VMALLOC_START, VMALLOC_END,
55485 + node, gfp_mask, caller);
55486 + else
55487 +#endif
55488 +
55489 area = __get_vm_area_node(size, align, VM_ALLOC, VMALLOC_START,
55490 VMALLOC_END, node, gfp_mask, caller);
55491
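Review bot: The `else` that dangles across `#endif` and a blank line onto the unconditional `area = __get_vm_area_node(size, align, VM_ALLOC, ...)` call is the same fragile form as the brace-less conditionals elsewhere in this file's hunks, and the executable-mapping test `!(pgprot_val(prot) & _PAGE_NX)` is duplicated in vmap() in the previous hunk. A small helper such as `static inline bool prot_is_exec(pgprot_t prot)` (constructed name) used by both, and writing the branch as `flags = prot_is_exec(prot) ? VM_ALLOC | VM_KERNEXEC : VM_ALLOC;` before a single call, would keep the logic in one place.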
55492 @@ -1595,6 +1657,7 @@ static void *__vmalloc_node(unsigned lon
55493 return addr;
55494 }
55495
55496 +#undef __vmalloc
55497 void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
55498 {
55499 return __vmalloc_node(size, 1, gfp_mask, prot, -1,
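Review bot: The `#undef __vmalloc` immediately before the definition (repeated for vmalloc, vzalloc, vmalloc_user, vmalloc_node, vzalloc_node, vmalloc_exec, vmalloc_32 and vmalloc_32_user in the following hunks) only makes sense if a header changed elsewhere in this patch wraps those names in macros, which is not visible here. Each `#undef` should carry a one-line comment naming the header and purpose, e.g. `/* callers go through the wrapper macro in <linux/vmalloc.h>; define the real function here */` (confirm the header), so the sequence does not look like dead preprocessor noise.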
55500 @@ -1618,6 +1681,7 @@ static inline void *__vmalloc_node_flags
55501 * For tight control over page level allocator and protection flags
55502 * use __vmalloc() instead.
55503 */
55504 +#undef vmalloc
55505 void *vmalloc(unsigned long size)
55506 {
55507 return __vmalloc_node_flags(size, -1, GFP_KERNEL | __GFP_HIGHMEM);
55508 @@ -1634,6 +1698,7 @@ EXPORT_SYMBOL(vmalloc);
55509 * For tight control over page level allocator and protection flags
55510 * use __vmalloc() instead.
55511 */
55512 +#undef vzalloc
55513 void *vzalloc(unsigned long size)
55514 {
55515 return __vmalloc_node_flags(size, -1,
55516 @@ -1648,6 +1713,7 @@ EXPORT_SYMBOL(vzalloc);
55517 * The resulting memory area is zeroed so it can be mapped to userspace
55518 * without leaking data.
55519 */
55520 +#undef vmalloc_user
55521 void *vmalloc_user(unsigned long size)
55522 {
55523 struct vm_struct *area;
55524 @@ -1675,6 +1741,7 @@ EXPORT_SYMBOL(vmalloc_user);
55525 * For tight control over page level allocator and protection flags
55526 * use __vmalloc() instead.
55527 */
55528 +#undef vmalloc_node
55529 void *vmalloc_node(unsigned long size, int node)
55530 {
55531 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
55532 @@ -1694,6 +1761,7 @@ EXPORT_SYMBOL(vmalloc_node);
55533 * For tight control over page level allocator and protection flags
55534 * use __vmalloc_node() instead.
55535 */
55536 +#undef vzalloc_node
55537 void *vzalloc_node(unsigned long size, int node)
55538 {
55539 return __vmalloc_node_flags(size, node,
55540 @@ -1716,10 +1784,10 @@ EXPORT_SYMBOL(vzalloc_node);
55541 * For tight control over page level allocator and protection flags
55542 * use __vmalloc() instead.
55543 */
55544 -
55545 +#undef vmalloc_exec
55546 void *vmalloc_exec(unsigned long size)
55547 {
55548 - return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
55549 + return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, PAGE_KERNEL_EXEC,
55550 -1, __builtin_return_address(0));
55551 }
55552
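Review bot: The added `__GFP_ZERO` means an executable allocation no longer exposes stale page contents under an executable mapping, but nothing says so; a comment on the call, `/* zero the pages so leftover data is never mapped executable */`, records the security intent. The `#undef vmalloc_exec` replaces the blank line that separated the doc comment from the definition, so consider keeping one blank line above it for consistency with the other `#undef` hunks.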
55553 @@ -1738,6 +1806,7 @@ void *vmalloc_exec(unsigned long size)
55554 * Allocate enough 32bit PA addressable pages to cover @size from the
55555 * page level allocator and map them into contiguous kernel virtual space.
55556 */
55557 +#undef vmalloc_32
55558 void *vmalloc_32(unsigned long size)
55559 {
55560 return __vmalloc_node(size, 1, GFP_VMALLOC32, PAGE_KERNEL,
55561 @@ -1752,6 +1821,7 @@ EXPORT_SYMBOL(vmalloc_32);
55562 * The resulting memory area is 32bit addressable and zeroed so it can be
55563 * mapped to userspace without leaking data.
55564 */
55565 +#undef vmalloc_32_user
55566 void *vmalloc_32_user(unsigned long size)
55567 {
55568 struct vm_struct *area;
55569 @@ -2016,6 +2086,8 @@ int remap_vmalloc_range(struct vm_area_s
55570 unsigned long uaddr = vma->vm_start;
55571 unsigned long usize = vma->vm_end - vma->vm_start;
55572
55573 + BUG_ON(vma->vm_mirror);
55574 +
55575 if ((PAGE_SIZE-1) & (unsigned long)addr)
55576 return -EINVAL;
55577
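Review bot: `BUG_ON(vma->vm_mirror)` asserts on a field added by this patch elsewhere, so a reader of mm/vmalloc.c cannot tell what it means or why a mirrored VMA must never reach remap_vmalloc_range(); a comment such as `/* mirrored (SEGMEXEC) VMAs cannot be backed by vmalloc pages */` (confirm the exact meaning of vm_mirror) is needed. The function continues beyond the hunk.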
55578 diff -urNp linux-2.6.37/mm/vmstat.c linux-2.6.37/mm/vmstat.c
55579 --- linux-2.6.37/mm/vmstat.c 2011-01-04 19:50:19.000000000 -0500
55580 +++ linux-2.6.37/mm/vmstat.c 2011-01-17 02:41:02.000000000 -0500
55581 @@ -78,7 +78,7 @@ void vm_events_fold_cpu(int cpu)
55582 *
55583 * vm_stat contains the global counters
55584 */
55585 -atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
55586 +atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
55587 EXPORT_SYMBOL(vm_stat);
55588
55589 #ifdef CONFIG_SMP
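Review bot: Switching `vm_stat` to `atomic_long_unchecked_t` (and the `_unchecked` atomic calls in the two refresh_cpu_vm_stats hunks below, atm_charge, atm_alloc_charge, sonet_copy_stats, sonet_subtract_stats, add_stats, copy_aal_stats, subtract_aal_stats, inet_getpeer and ip_frag_too_far) opts these counters out of the overflow protection the rest of the patch applies to atomic_t, and the reason — they are statistics or ID counters whose wraparound is harmless, not reference counts — is never stated. A comment at the first `_unchecked` use in each file, e.g. `/* statistics counter: wraparound is harmless, so exempt from refcount overflow checking */`, lets a reviewer tell deliberate exemptions from omissions.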
55590 @@ -330,7 +330,7 @@ void refresh_cpu_vm_stats(int cpu)
55591 v = p->vm_stat_diff[i];
55592 p->vm_stat_diff[i] = 0;
55593 local_irq_restore(flags);
55594 - atomic_long_add(v, &zone->vm_stat[i]);
55595 + atomic_long_add_unchecked(v, &zone->vm_stat[i]);
55596 global_diff[i] += v;
55597 #ifdef CONFIG_NUMA
55598 /* 3 seconds idle till flush */
55599 @@ -368,7 +368,7 @@ void refresh_cpu_vm_stats(int cpu)
55600
55601 for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
55602 if (global_diff[i])
55603 - atomic_long_add(global_diff[i], &vm_stat[i]);
55604 + atomic_long_add_unchecked(global_diff[i], &vm_stat[i]);
55605 }
55606
55607 #endif
55608 @@ -1066,10 +1066,20 @@ static int __init setup_vmstat(void)
55609 start_cpu_timer(cpu);
55610 #endif
55611 #ifdef CONFIG_PROC_FS
55612 - proc_create("buddyinfo", S_IRUGO, NULL, &fragmentation_file_operations);
55613 - proc_create("pagetypeinfo", S_IRUGO, NULL, &pagetypeinfo_file_ops);
55614 - proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
55615 - proc_create("zoneinfo", S_IRUGO, NULL, &proc_zoneinfo_file_operations);
55616 + {
55617 + mode_t gr_mode = S_IRUGO;
55618 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
55619 + gr_mode = S_IRUSR;
55620 +#endif
55621 + proc_create("buddyinfo", gr_mode, NULL, &fragmentation_file_operations);
55622 + proc_create("pagetypeinfo", gr_mode, NULL, &pagetypeinfo_file_ops);
55623 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
55624 + proc_create("vmstat", gr_mode | S_IRGRP, NULL, &proc_vmstat_file_operations);
55625 +#else
55626 + proc_create("vmstat", gr_mode, NULL, &proc_vmstat_file_operations);
55627 +#endif
55628 + proc_create("zoneinfo", gr_mode, NULL, &proc_zoneinfo_file_operations);
55629 + }
55630 #endif
55631 return 0;
55632 }
55633 diff -urNp linux-2.6.37/net/8021q/vlan.c linux-2.6.37/net/8021q/vlan.c
55634 --- linux-2.6.37/net/8021q/vlan.c 2011-01-04 19:50:19.000000000 -0500
55635 +++ linux-2.6.37/net/8021q/vlan.c 2011-01-17 02:41:02.000000000 -0500
55636 @@ -588,8 +588,7 @@ static int vlan_ioctl_handler(struct net
55637 err = -EPERM;
55638 if (!capable(CAP_NET_ADMIN))
55639 break;
55640 - if ((args.u.name_type >= 0) &&
55641 - (args.u.name_type < VLAN_NAME_TYPE_HIGHEST)) {
55642 + if (args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {
55643 struct vlan_net *vn;
55644
55645 vn = net_generic(net, vlan_net_id);
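Review bot: Dropping `args.u.name_type >= 0` is only safe because `name_type` is an unsigned field (as the upstream struct declares it), so the remaining `< VLAN_NAME_TYPE_HIGHEST` test bounds it from both sides; that fact is not visible at the call site, and a later change of the field to a signed type would silently reopen the range. A comment `/* name_type is unsigned: the upper-bound test alone is complete */` records why the lower-bound check went away.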
55646 diff -urNp linux-2.6.37/net/atm/atm_misc.c linux-2.6.37/net/atm/atm_misc.c
55647 --- linux-2.6.37/net/atm/atm_misc.c 2011-01-04 19:50:19.000000000 -0500
55648 +++ linux-2.6.37/net/atm/atm_misc.c 2011-01-17 02:41:02.000000000 -0500
55649 @@ -17,7 +17,7 @@ int atm_charge(struct atm_vcc *vcc, int
55650 if (atomic_read(&sk_atm(vcc)->sk_rmem_alloc) <= sk_atm(vcc)->sk_rcvbuf)
55651 return 1;
55652 atm_return(vcc, truesize);
55653 - atomic_inc(&vcc->stats->rx_drop);
55654 + atomic_inc_unchecked(&vcc->stats->rx_drop);
55655 return 0;
55656 }
55657 EXPORT_SYMBOL(atm_charge);
55658 @@ -39,7 +39,7 @@ struct sk_buff *atm_alloc_charge(struct
55659 }
55660 }
55661 atm_return(vcc, guess);
55662 - atomic_inc(&vcc->stats->rx_drop);
55663 + atomic_inc_unchecked(&vcc->stats->rx_drop);
55664 return NULL;
55665 }
55666 EXPORT_SYMBOL(atm_alloc_charge);
55667 @@ -86,7 +86,7 @@ EXPORT_SYMBOL(atm_pcr_goal);
55668
55669 void sonet_copy_stats(struct k_sonet_stats *from, struct sonet_stats *to)
55670 {
55671 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
55672 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
55673 __SONET_ITEMS
55674 #undef __HANDLE_ITEM
55675 }
55676 @@ -94,7 +94,7 @@ EXPORT_SYMBOL(sonet_copy_stats);
55677
55678 void sonet_subtract_stats(struct k_sonet_stats *from, struct sonet_stats *to)
55679 {
55680 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
55681 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i,&from->i)
55682 __SONET_ITEMS
55683 #undef __HANDLE_ITEM
55684 }
55685 diff -urNp linux-2.6.37/net/atm/proc.c linux-2.6.37/net/atm/proc.c
55686 --- linux-2.6.37/net/atm/proc.c 2011-01-04 19:50:19.000000000 -0500
55687 +++ linux-2.6.37/net/atm/proc.c 2011-01-17 02:41:02.000000000 -0500
55688 @@ -45,9 +45,9 @@ static void add_stats(struct seq_file *s
55689 const struct k_atm_aal_stats *stats)
55690 {
55691 seq_printf(seq, "%s ( %d %d %d %d %d )", aal,
55692 - atomic_read(&stats->tx), atomic_read(&stats->tx_err),
55693 - atomic_read(&stats->rx), atomic_read(&stats->rx_err),
55694 - atomic_read(&stats->rx_drop));
55695 + atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),
55696 + atomic_read_unchecked(&stats->rx),atomic_read_unchecked(&stats->rx_err),
55697 + atomic_read_unchecked(&stats->rx_drop));
55698 }
55699
55700 static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
55701 @@ -191,7 +191,12 @@ static void vcc_info(struct seq_file *se
55702 {
55703 struct sock *sk = sk_atm(vcc);
55704
55705 +#ifdef CONFIG_GRKERNSEC_HIDESYM
55706 + seq_printf(seq, "%p ", NULL);
55707 +#else
55708 seq_printf(seq, "%p ", vcc);
55709 +#endif
55710 +
55711 if (!vcc->dev)
55712 seq_printf(seq, "Unassigned ");
55713 else
55714 diff -urNp linux-2.6.37/net/atm/resources.c linux-2.6.37/net/atm/resources.c
55715 --- linux-2.6.37/net/atm/resources.c 2011-01-04 19:50:19.000000000 -0500
55716 +++ linux-2.6.37/net/atm/resources.c 2011-01-17 02:41:02.000000000 -0500
55717 @@ -160,7 +160,7 @@ EXPORT_SYMBOL(atm_dev_deregister);
55718 static void copy_aal_stats(struct k_atm_aal_stats *from,
55719 struct atm_aal_stats *to)
55720 {
55721 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
55722 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
55723 __AAL_STAT_ITEMS
55724 #undef __HANDLE_ITEM
55725 }
55726 @@ -168,7 +168,7 @@ static void copy_aal_stats(struct k_atm_
55727 static void subtract_aal_stats(struct k_atm_aal_stats *from,
55728 struct atm_aal_stats *to)
55729 {
55730 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
55731 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)
55732 __AAL_STAT_ITEMS
55733 #undef __HANDLE_ITEM
55734 }
55735 diff -urNp linux-2.6.37/net/ax25/af_ax25.c linux-2.6.37/net/ax25/af_ax25.c
55736 --- linux-2.6.37/net/ax25/af_ax25.c 2011-01-04 19:50:19.000000000 -0500
55737 +++ linux-2.6.37/net/ax25/af_ax25.c 2011-01-17 02:41:02.000000000 -0500
55738 @@ -1392,7 +1392,7 @@ static int ax25_getname(struct socket *s
55739 ax25_cb *ax25;
55740 int err = 0;
55741
55742 - memset(fsa, 0, sizeof(fsa));
55743 + memset(fsa, 0, sizeof(*fsa));
55744 lock_sock(sk);
55745 ax25 = ax25_sk(sk);
55746
55747 diff -urNp linux-2.6.37/net/bridge/br_multicast.c linux-2.6.37/net/bridge/br_multicast.c
55748 --- linux-2.6.37/net/bridge/br_multicast.c 2011-01-04 19:50:19.000000000 -0500
55749 +++ linux-2.6.37/net/bridge/br_multicast.c 2011-01-17 02:41:02.000000000 -0500
55750 @@ -1461,7 +1461,7 @@ static int br_multicast_ipv6_rcv(struct
55751 nexthdr = ip6h->nexthdr;
55752 offset = ipv6_skip_exthdr(skb, sizeof(*ip6h), &nexthdr);
55753
55754 - if (offset < 0 || nexthdr != IPPROTO_ICMPV6)
55755 + if (nexthdr != IPPROTO_ICMPV6)
55756 return 0;
55757
55758 /* Okay, we found ICMPv6 header */
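Review bot: Removing the `offset < 0` test changes behaviour if `offset` is a signed int: ipv6_skip_exthdr() returns a negative value when the extension-header chain cannot be walked, and the code would then go on to treat the packet as holding an ICMPv6 header at a negative offset. The declaration of `offset` is outside the hunk; if it is unsigned the old test was dead and the change is fine, but a comment saying so belongs here, and if it is signed the check should stay. Either way a one-line note at the call settles it.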
55759 diff -urNp linux-2.6.37/net/bridge/br_stp_if.c linux-2.6.37/net/bridge/br_stp_if.c
55760 --- linux-2.6.37/net/bridge/br_stp_if.c 2011-01-04 19:50:19.000000000 -0500
55761 +++ linux-2.6.37/net/bridge/br_stp_if.c 2011-01-17 02:41:02.000000000 -0500
55762 @@ -145,7 +145,7 @@ static void br_stp_stop(struct net_bridg
55763 char *envp[] = { NULL };
55764
55765 if (br->stp_enabled == BR_USER_STP) {
55766 - r = call_usermodehelper(BR_STP_PROG, argv, envp, 1);
55767 + r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC);
55768 br_info(br, "userspace STP stopped, return code %d\n", r);
55769
55770 /* To start timers on any ports left in blocking */
55771 diff -urNp linux-2.6.37/net/bridge/netfilter/ebtables.c linux-2.6.37/net/bridge/netfilter/ebtables.c
55772 --- linux-2.6.37/net/bridge/netfilter/ebtables.c 2011-01-04 19:50:19.000000000 -0500
55773 +++ linux-2.6.37/net/bridge/netfilter/ebtables.c 2011-01-17 02:41:02.000000000 -0500
55774 @@ -1511,7 +1511,7 @@ static int do_ebt_get_ctl(struct sock *s
55775 tmp.valid_hooks = t->table->valid_hooks;
55776 }
55777 mutex_unlock(&ebt_mutex);
55778 - if (copy_to_user(user, &tmp, *len) != 0){
55779 + if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0){
55780 BUGPRINT("c2u Didn't work\n");
55781 ret = -EFAULT;
55782 break;
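Review bot: The new length bound is folded into the copy_to_user() condition, so an oversized `*len` is reported as "c2u Didn't work" with -EFAULT, which misdescribes a caller-supplied bad length; the same shape appears in the two sock_getsockopt hunks in net/core/sock.c and the two decnet sysctl handlers. Splitting it, `if (*len > sizeof(tmp)) { ret = -EINVAL; break; }` before the copy, keeps the message accurate and leaves -EFAULT for genuine copy failures. The bound itself is the right fix, since without it a large `*len` copies kernel stack bytes beyond `tmp` to user space.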
55783 diff -urNp linux-2.6.37/net/core/dev.c linux-2.6.37/net/core/dev.c
55784 --- linux-2.6.37/net/core/dev.c 2011-01-04 19:50:19.000000000 -0500
55785 +++ linux-2.6.37/net/core/dev.c 2011-01-17 02:41:02.000000000 -0500
55786 @@ -2654,7 +2654,7 @@ int netif_rx_ni(struct sk_buff *skb)
55787 }
55788 EXPORT_SYMBOL(netif_rx_ni);
55789
55790 -static void net_tx_action(struct softirq_action *h)
55791 +static void net_tx_action(void)
55792 {
55793 struct softnet_data *sd = &__get_cpu_var(softnet_data);
55794
55795 @@ -3570,7 +3570,7 @@ void netif_napi_del(struct napi_struct *
55796 }
55797 EXPORT_SYMBOL(netif_napi_del);
55798
55799 -static void net_rx_action(struct softirq_action *h)
55800 +static void net_rx_action(void)
55801 {
55802 struct softnet_data *sd = &__get_cpu_var(softnet_data);
55803 unsigned long time_limit = jiffies + 2;
55804 diff -urNp linux-2.6.37/net/core/sock.c linux-2.6.37/net/core/sock.c
55805 --- linux-2.6.37/net/core/sock.c 2011-01-04 19:50:19.000000000 -0500
55806 +++ linux-2.6.37/net/core/sock.c 2011-01-17 02:41:02.000000000 -0500
55807 @@ -934,7 +934,7 @@ int sock_getsockopt(struct socket *sock,
55808 return -ENOTCONN;
55809 if (lv < len)
55810 return -EINVAL;
55811 - if (copy_to_user(optval, address, len))
55812 + if (len > sizeof(address) || copy_to_user(optval, address, len))
55813 return -EFAULT;
55814 goto lenout;
55815 }
55816 @@ -967,7 +967,7 @@ int sock_getsockopt(struct socket *sock,
55817
55818 if (len > lv)
55819 len = lv;
55820 - if (copy_to_user(optval, &v, len))
55821 + if (len > sizeof(v) || copy_to_user(optval, &v, len))
55822 return -EFAULT;
55823 lenout:
55824 if (put_user(len, optlen))
55825 diff -urNp linux-2.6.37/net/dccp/ccids/ccid3.c linux-2.6.37/net/dccp/ccids/ccid3.c
55826 --- linux-2.6.37/net/dccp/ccids/ccid3.c 2011-01-04 19:50:19.000000000 -0500
55827 +++ linux-2.6.37/net/dccp/ccids/ccid3.c 2011-01-17 02:41:02.000000000 -0500
55828 @@ -41,7 +41,7 @@
55829 static int ccid3_debug;
55830 #define ccid3_pr_debug(format, a...) DCCP_PR_DEBUG(ccid3_debug, format, ##a)
55831 #else
55832 -#define ccid3_pr_debug(format, a...)
55833 +#define ccid3_pr_debug(format, a...) do {} while (0)
55834 #endif
55835
55836 /*
55837 diff -urNp linux-2.6.37/net/dccp/dccp.h linux-2.6.37/net/dccp/dccp.h
55838 --- linux-2.6.37/net/dccp/dccp.h 2011-01-04 19:50:19.000000000 -0500
55839 +++ linux-2.6.37/net/dccp/dccp.h 2011-01-17 02:41:02.000000000 -0500
55840 @@ -44,9 +44,9 @@ extern int dccp_debug;
55841 #define dccp_pr_debug_cat(format, a...) DCCP_PRINTK(dccp_debug, format, ##a)
55842 #define dccp_debug(fmt, a...) dccp_pr_debug_cat(KERN_DEBUG fmt, ##a)
55843 #else
55844 -#define dccp_pr_debug(format, a...)
55845 -#define dccp_pr_debug_cat(format, a...)
55846 -#define dccp_debug(format, a...)
55847 +#define dccp_pr_debug(format, a...) do {} while (0)
55848 +#define dccp_pr_debug_cat(format, a...) do {} while (0)
55849 +#define dccp_debug(format, a...) do {} while (0)
55850 #endif
55851
55852 extern struct inet_hashinfo dccp_hashinfo;
55853 diff -urNp linux-2.6.37/net/decnet/sysctl_net_decnet.c linux-2.6.37/net/decnet/sysctl_net_decnet.c
55854 --- linux-2.6.37/net/decnet/sysctl_net_decnet.c 2011-01-04 19:50:19.000000000 -0500
55855 +++ linux-2.6.37/net/decnet/sysctl_net_decnet.c 2011-01-17 02:41:02.000000000 -0500
55856 @@ -173,7 +173,7 @@ static int dn_node_address_handler(ctl_t
55857
55858 if (len > *lenp) len = *lenp;
55859
55860 - if (copy_to_user(buffer, addr, len))
55861 + if (len > sizeof addr || copy_to_user(buffer, addr, len))
55862 return -EFAULT;
55863
55864 *lenp = len;
55865 @@ -236,7 +236,7 @@ static int dn_def_dev_handler(ctl_table
55866
55867 if (len > *lenp) len = *lenp;
55868
55869 - if (copy_to_user(buffer, devname, len))
55870 + if (len > sizeof devname || copy_to_user(buffer, devname, len))
55871 return -EFAULT;
55872
55873 *lenp = len;
55874 diff -urNp linux-2.6.37/net/econet/Kconfig linux-2.6.37/net/econet/Kconfig
55875 --- linux-2.6.37/net/econet/Kconfig 2011-01-04 19:50:19.000000000 -0500
55876 +++ linux-2.6.37/net/econet/Kconfig 2011-01-17 02:41:02.000000000 -0500
55877 @@ -4,7 +4,7 @@
55878
55879 config ECONET
55880 tristate "Acorn Econet/AUN protocols (EXPERIMENTAL)"
55881 - depends on EXPERIMENTAL && INET
55882 + depends on EXPERIMENTAL && INET && BROKEN
55883 ---help---
55884 Econet is a fairly old and slow networking protocol mainly used by
55885 Acorn computers to access file and print servers. It uses native
55886 diff -urNp linux-2.6.37/net/ipv4/inet_diag.c linux-2.6.37/net/ipv4/inet_diag.c
55887 --- linux-2.6.37/net/ipv4/inet_diag.c 2011-01-04 19:50:19.000000000 -0500
55888 +++ linux-2.6.37/net/ipv4/inet_diag.c 2011-01-17 02:41:02.000000000 -0500
55889 @@ -114,8 +114,14 @@ static int inet_csk_diag_fill(struct soc
55890 r->idiag_retrans = 0;
55891
55892 r->id.idiag_if = sk->sk_bound_dev_if;
55893 +
55894 +#ifdef CONFIG_GRKERNSEC_HIDESYM
55895 + r->id.idiag_cookie[0] = 0;
55896 + r->id.idiag_cookie[1] = 0;
55897 +#else
55898 r->id.idiag_cookie[0] = (u32)(unsigned long)sk;
55899 r->id.idiag_cookie[1] = (u32)(((unsigned long)sk >> 31) >> 1);
55900 +#endif
55901
55902 r->id.idiag_sport = inet->inet_sport;
55903 r->id.idiag_dport = inet->inet_dport;
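Review bot: Under CONFIG_GRKERNSEC_HIDESYM the cookie fields are zeroed here and in inet_twsk_diag_fill and inet_diag_fill_req, and the -ESTALE cookie comparison in inet_diag_get_exact is compiled out; that removes the kernel-pointer exposure but also removes the staleness check, so a request naming a socket by address and port can be answered by a different socket that has since reused the same 4-tuple. A comment at the `#ifndef` in inet_diag_get_exact should say this is accepted, and the zeroed cookies should be documented for userspace tools that pass them back. The enclosing functions extend beyond each hunk.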
55904 @@ -201,8 +207,15 @@ static int inet_twsk_diag_fill(struct in
55905 r->idiag_family = tw->tw_family;
55906 r->idiag_retrans = 0;
55907 r->id.idiag_if = tw->tw_bound_dev_if;
55908 +
55909 +#ifdef CONFIG_GRKERNSEC_HIDESYM
55910 + r->id.idiag_cookie[0] = 0;
55911 + r->id.idiag_cookie[1] = 0;
55912 +#else
55913 r->id.idiag_cookie[0] = (u32)(unsigned long)tw;
55914 r->id.idiag_cookie[1] = (u32)(((unsigned long)tw >> 31) >> 1);
55915 +#endif
55916 +
55917 r->id.idiag_sport = tw->tw_sport;
55918 r->id.idiag_dport = tw->tw_dport;
55919 r->id.idiag_src[0] = tw->tw_rcv_saddr;
55920 @@ -285,12 +298,14 @@ static int inet_diag_get_exact(struct sk
55921 if (sk == NULL)
55922 goto unlock;
55923
55924 +#ifndef CONFIG_GRKERNSEC_HIDESYM
55925 err = -ESTALE;
55926 if ((req->id.idiag_cookie[0] != INET_DIAG_NOCOOKIE ||
55927 req->id.idiag_cookie[1] != INET_DIAG_NOCOOKIE) &&
55928 ((u32)(unsigned long)sk != req->id.idiag_cookie[0] ||
55929 (u32)((((unsigned long)sk) >> 31) >> 1) != req->id.idiag_cookie[1]))
55930 goto out;
55931 +#endif
55932
55933 err = -ENOMEM;
55934 rep = alloc_skb(NLMSG_SPACE((sizeof(struct inet_diag_msg) +
55935 @@ -582,8 +597,14 @@ static int inet_diag_fill_req(struct sk_
55936 r->idiag_retrans = req->retrans;
55937
55938 r->id.idiag_if = sk->sk_bound_dev_if;
55939 +
55940 +#ifdef CONFIG_GRKERNSEC_HIDESYM
55941 + r->id.idiag_cookie[0] = 0;
55942 + r->id.idiag_cookie[1] = 0;
55943 +#else
55944 r->id.idiag_cookie[0] = (u32)(unsigned long)req;
55945 r->id.idiag_cookie[1] = (u32)(((unsigned long)req >> 31) >> 1);
55946 +#endif
55947
55948 tmo = req->expires - jiffies;
55949 if (tmo < 0)
55950 diff -urNp linux-2.6.37/net/ipv4/inet_hashtables.c linux-2.6.37/net/ipv4/inet_hashtables.c
55951 --- linux-2.6.37/net/ipv4/inet_hashtables.c 2011-01-04 19:50:19.000000000 -0500
55952 +++ linux-2.6.37/net/ipv4/inet_hashtables.c 2011-01-17 02:41:02.000000000 -0500
55953 @@ -18,11 +18,14 @@
55954 #include <linux/sched.h>
55955 #include <linux/slab.h>
55956 #include <linux/wait.h>
55957 +#include <linux/security.h>
55958
55959 #include <net/inet_connection_sock.h>
55960 #include <net/inet_hashtables.h>
55961 #include <net/ip.h>
55962
55963 +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
55964 +
55965 /*
55966 * Allocate and initialize a new local port bind bucket.
55967 * The bindhash mutex for snum's hash chain must be held here.
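Review bot: `extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);` is declared in the .c file rather than a header, which checkpatch flags and which lets the prototype drift from the definition unnoticed; move it into a header this file already includes (the hunk adds `<linux/security.h>`) or into the patch's own grsecurity header, and drop the local extern. The call site in the next hunk runs after `spin_unlock(&head->lock)`, so the hook must tolerate the socket already being hashed and visible; a note there would help.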
55968 @@ -529,6 +532,8 @@ ok:
55969 twrefcnt += inet_twsk_bind_unhash(tw, hinfo);
55970 spin_unlock(&head->lock);
55971
55972 + gr_update_task_in_ip_table(current, inet_sk(sk));
55973 +
55974 if (tw) {
55975 inet_twsk_deschedule(tw, death_row);
55976 while (twrefcnt) {
55977 diff -urNp linux-2.6.37/net/ipv4/inetpeer.c linux-2.6.37/net/ipv4/inetpeer.c
55978 --- linux-2.6.37/net/ipv4/inetpeer.c 2011-01-04 19:50:19.000000000 -0500
55979 +++ linux-2.6.37/net/ipv4/inetpeer.c 2011-01-17 02:41:02.000000000 -0500
55980 @@ -469,8 +469,8 @@ struct inet_peer *inet_getpeer(__be32 da
55981 if (p) {
55982 p->v4daddr = daddr;
55983 atomic_set(&p->refcnt, 1);
55984 - atomic_set(&p->rid, 0);
55985 - atomic_set(&p->ip_id_count, secure_ip_id(daddr));
55986 + atomic_set_unchecked(&p->rid, 0);
55987 + atomic_set_unchecked(&p->ip_id_count, secure_ip_id(daddr));
55988 p->tcp_ts_stamp = 0;
55989 INIT_LIST_HEAD(&p->unused);
55990
55991 diff -urNp linux-2.6.37/net/ipv4/ip_fragment.c linux-2.6.37/net/ipv4/ip_fragment.c
55992 --- linux-2.6.37/net/ipv4/ip_fragment.c 2011-01-04 19:50:19.000000000 -0500
55993 +++ linux-2.6.37/net/ipv4/ip_fragment.c 2011-01-17 02:41:02.000000000 -0500
55994 @@ -279,7 +279,7 @@ static inline int ip_frag_too_far(struct
55995 return 0;
55996
55997 start = qp->rid;
55998 - end = atomic_inc_return(&peer->rid);
55999 + end = atomic_inc_return_unchecked(&peer->rid);
56000 qp->rid = end;
56001
56002 rc = qp->q.fragments && (end - start) > max;
56003 diff -urNp linux-2.6.37/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-2.6.37/net/ipv4/netfilter/nf_nat_snmp_basic.c
56004 --- linux-2.6.37/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-01-04 19:50:19.000000000 -0500
56005 +++ linux-2.6.37/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-01-17 02:41:02.000000000 -0500
56006 @@ -398,7 +398,7 @@ static unsigned char asn1_octets_decode(
56007
56008 *len = 0;
56009
56010 - *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
56011 + *octets = kmalloc((eoc - ctx->pointer), GFP_ATOMIC);
56012 if (*octets == NULL) {
56013 if (net_ratelimit())
56014 pr_notice("OOM in bsalg (%d)\n", __LINE__);
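Review bot: Parenthesising `eoc - ctx->pointer` does not change the expression, so this hunk is a no-op as far as C semantics go; if it exists to satisfy a build-time checker or macro that inspects the kmalloc argument textually, that intent has to be stated or the next maintainer will strip it as a cleanup. Suggest `/* parenthesised on purpose: keeps the size argument a single expression for the allocation checker */` on the line. If the real concern is `eoc` being behind `ctx->pointer`, make that explicit instead: `if (eoc < ctx->pointer) return 0;` ahead of the allocation, unless the earlier length decoding (outside the hunk) already guarantees it. asn1_octets_decode's body extends outside the hunk.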
56015 diff -urNp linux-2.6.37/net/ipv4/route.c linux-2.6.37/net/ipv4/route.c
56016 --- linux-2.6.37/net/ipv4/route.c 2011-01-04 19:50:19.000000000 -0500
56017 +++ linux-2.6.37/net/ipv4/route.c 2011-01-17 02:41:02.000000000 -0500
56018 @@ -2876,7 +2876,7 @@ static int rt_fill_info(struct net *net,
56019 expires = rt->dst.expires ? rt->dst.expires - jiffies : 0;
56020 if (rt->peer) {
56021 inet_peer_refcheck(rt->peer);
56022 - id = atomic_read(&rt->peer->ip_id_count) & 0xffff;
56023 + id = atomic_read_unchecked(&rt->peer->ip_id_count) & 0xffff;
56024 if (rt->peer->tcp_ts_stamp) {
56025 ts = rt->peer->tcp_ts;
56026 tsage = get_seconds() - rt->peer->tcp_ts_stamp;
56027 diff -urNp linux-2.6.37/net/ipv4/tcp_ipv4.c linux-2.6.37/net/ipv4/tcp_ipv4.c
56028 --- linux-2.6.37/net/ipv4/tcp_ipv4.c 2011-01-04 19:50:19.000000000 -0500
56029 +++ linux-2.6.37/net/ipv4/tcp_ipv4.c 2011-01-17 02:41:02.000000000 -0500
56030 @@ -86,6 +86,9 @@ int sysctl_tcp_tw_reuse __read_mostly;
56031 int sysctl_tcp_low_latency __read_mostly;
56032 EXPORT_SYMBOL(sysctl_tcp_low_latency);
56033
56034 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56035 +extern int grsec_enable_blackhole;
56036 +#endif
56037
56038 #ifdef CONFIG_TCP_MD5SIG
56039 static struct tcp_md5sig_key *tcp_v4_md5_do_lookup(struct sock *sk,
56040 @@ -1599,6 +1602,9 @@ int tcp_v4_do_rcv(struct sock *sk, struc
56041 return 0;
56042
56043 reset:
56044 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56045 + if (!grsec_enable_blackhole)
56046 +#endif
56047 tcp_v4_send_reset(rsk, skb);
56048 discard:
56049 kfree_skb(skb);
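Review bot: The `if (!grsec_enable_blackhole)` placed between `#ifdef`/`#endif` governs the next statement by adjacency only: there are no braces, so inserting any line ahead of `tcp_v4_send_reset(rsk, skb);` silently moves the guard onto the wrong statement, and in a non-BLACKHOLE build the label is followed by the bare call. The same construction is used at the `no_tcp_socket` reset later in this file, in tcp_minisocks.c at embryonic_reset, in __udp4_lib_rcv, and in the tcp_ipv6.c and ipv6/udp.c counterparts. A config-independent helper that collapses to `false` when the option is off, declared once in a shared header, removes the `#ifdef` from every call site and lets the guard be written as an ordinary braced statement: `if (!grsec_blackhole_active()) { tcp_v4_send_reset(rsk, skb); }`. tcp_v4_do_rcv's body continues outside the hunk.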
56050 @@ -1661,12 +1667,19 @@ int tcp_v4_rcv(struct sk_buff *skb)
56051 TCP_SKB_CB(skb)->sacked = 0;
56052
56053 sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
56054 - if (!sk)
56055 + if (!sk) {
56056 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56057 + ret = 1;
56058 +#endif
56059 goto no_tcp_socket;
56060 -
56061 + }
56062 process:
56063 - if (sk->sk_state == TCP_TIME_WAIT)
56064 + if (sk->sk_state == TCP_TIME_WAIT) {
56065 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56066 + ret = 2;
56067 +#endif
56068 goto do_time_wait;
56069 + }
56070
56071 if (unlikely(iph->ttl < inet_sk(sk)->min_ttl)) {
56072 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
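Review bot: `ret` is the function's return value, and these lines reuse it as a side-channel flag (1 = no socket, 2 = TIME_WAIT) that is consumed at `no_tcp_socket` in the next hunk; nothing in the names says so, and a reader of the later `ret == 1 && (skb->dev->flags & IFF_LOOPBACK)` test cannot tell why 2 is excluded — as written, a reset raised from the TIME_WAIT path (which reaches no_tcp_socket outside this hunk) is suppressed even on loopback while the no-socket case is not. A dedicated local makes the intent explicit: `int bh_reason = 0; /* 1: no socket, 2: TIME_WAIT; read only under CONFIG_GRKERNSEC_BLACKHOLE */` at the top of tcp_v4_rcv, with a comment at the loopback test stating that TIME_WAIT resets are deliberately blackholed on every interface if that is the design. The same applies to tcp_v6_rcv in net/ipv6/tcp_ipv6.c. tcp_v4_rcv's body continues outside the hunk.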
56073 @@ -1716,6 +1729,10 @@ no_tcp_socket:
56074 bad_packet:
56075 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
56076 } else {
56077 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56078 + if (!grsec_enable_blackhole || (ret == 1 &&
56079 + (skb->dev->flags & IFF_LOOPBACK)))
56080 +#endif
56081 tcp_v4_send_reset(NULL, skb);
56082 }
56083
56084 @@ -2404,7 +2421,11 @@ static void get_openreq4(struct sock *sk
56085 0, /* non standard timer */
56086 0, /* open_requests have no inode */
56087 atomic_read(&sk->sk_refcnt),
56088 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56089 + NULL,
56090 +#else
56091 req,
56092 +#endif
56093 len);
56094 }
56095
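Review bot: Substituting `NULL` for the `%p` argument changes the shape of the /proc/net/tcp line, not just the value: in a kernel of this vintage vsprintf renders a NULL handed to `%p` as `(null)` rather than a zero-padded hex field, as far as I recall, so tools that parse that column as hex can mis-parse or fail on HIDESYM kernels. The same substitution is made in get_tcp4_sock, get_timewait4_sock, udp4_format_sock, raw6_sock_seq_show, the tcp6/udp6 counterparts, pfkey_seq_show and netlink_seq_show. Printing a zero of the pointer's width (a `%016lx`/`%08lx` conversion with `0UL` under HIDESYM, which is what mainline's later `%pK` with kptr_restrict effectively does) keeps the field parseable, and the first site deserves `/* HIDESYM: hide kernel addresses from /proc but keep the column format stable */`. get_openreq4's body starts outside the hunk.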
56096 @@ -2454,7 +2475,12 @@ static void get_tcp4_sock(struct sock *s
56097 sock_i_uid(sk),
56098 icsk->icsk_probes_out,
56099 sock_i_ino(sk),
56100 - atomic_read(&sk->sk_refcnt), sk,
56101 + atomic_read(&sk->sk_refcnt),
56102 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56103 + NULL,
56104 +#else
56105 + sk,
56106 +#endif
56107 jiffies_to_clock_t(icsk->icsk_rto),
56108 jiffies_to_clock_t(icsk->icsk_ack.ato),
56109 (icsk->icsk_ack.quick << 1) | icsk->icsk_ack.pingpong,
56110 @@ -2482,7 +2508,13 @@ static void get_timewait4_sock(struct in
56111 " %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p%n",
56112 i, src, srcp, dest, destp, tw->tw_substate, 0, 0,
56113 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
56114 - atomic_read(&tw->tw_refcnt), tw, len);
56115 + atomic_read(&tw->tw_refcnt),
56116 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56117 + NULL,
56118 +#else
56119 + tw,
56120 +#endif
56121 + len);
56122 }
56123
56124 #define TMPSZ 150
56125 diff -urNp linux-2.6.37/net/ipv4/tcp_minisocks.c linux-2.6.37/net/ipv4/tcp_minisocks.c
56126 --- linux-2.6.37/net/ipv4/tcp_minisocks.c 2011-01-04 19:50:19.000000000 -0500
56127 +++ linux-2.6.37/net/ipv4/tcp_minisocks.c 2011-01-17 02:41:02.000000000 -0500
56128 @@ -27,6 +27,10 @@
56129 #include <net/inet_common.h>
56130 #include <net/xfrm.h>
56131
56132 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56133 +extern int grsec_enable_blackhole;
56134 +#endif
56135 +
56136 int sysctl_tcp_syncookies __read_mostly = 1;
56137 EXPORT_SYMBOL(sysctl_tcp_syncookies);
56138
56139 @@ -700,6 +704,10 @@ listen_overflow:
56140
56141 embryonic_reset:
56142 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_EMBRYONICRSTS);
56143 +
56144 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56145 + if (!grsec_enable_blackhole)
56146 +#endif
56147 if (!(flg & TCP_FLAG_RST))
56148 req->rsk_ops->send_reset(sk, skb);
56149
56150 diff -urNp linux-2.6.37/net/ipv4/tcp_probe.c linux-2.6.37/net/ipv4/tcp_probe.c
56151 --- linux-2.6.37/net/ipv4/tcp_probe.c 2011-01-04 19:50:19.000000000 -0500
56152 +++ linux-2.6.37/net/ipv4/tcp_probe.c 2011-01-17 02:41:02.000000000 -0500
56153 @@ -202,7 +202,7 @@ static ssize_t tcpprobe_read(struct file
56154 if (cnt + width >= len)
56155 break;
56156
56157 - if (copy_to_user(buf + cnt, tbuf, width))
56158 + if (width > sizeof tbuf || copy_to_user(buf + cnt, tbuf, width))
56159 return -EFAULT;
56160 cnt += width;
56161 }
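Review bot: `width > sizeof tbuf` guards an invariant the function itself appears to establish (tbuf is filled by a bounded formatter earlier in this loop, outside the hunk), and reporting a violation as -EFAULT tells userspace it passed a bad pointer when the kernel actually hit an internal inconsistency. Keep the check as defence in depth, but make a violation visible and distinct: `if (WARN_ON_ONCE(width > sizeof tbuf)) return -EINVAL;` ahead of the copy. The same pattern is added to rate_control_pid_events_read in net/mac80211/rc80211_pid_debugfs.c. tcpprobe_read's body continues outside the hunk.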
56162 diff -urNp linux-2.6.37/net/ipv4/tcp_timer.c linux-2.6.37/net/ipv4/tcp_timer.c
56163 --- linux-2.6.37/net/ipv4/tcp_timer.c 2011-01-04 19:50:19.000000000 -0500
56164 +++ linux-2.6.37/net/ipv4/tcp_timer.c 2011-01-17 02:41:02.000000000 -0500
56165 @@ -22,6 +22,10 @@
56166 #include <linux/gfp.h>
56167 #include <net/tcp.h>
56168
56169 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56170 +extern int grsec_lastack_retries;
56171 +#endif
56172 +
56173 int sysctl_tcp_syn_retries __read_mostly = TCP_SYN_RETRIES;
56174 int sysctl_tcp_synack_retries __read_mostly = TCP_SYNACK_RETRIES;
56175 int sysctl_tcp_keepalive_time __read_mostly = TCP_KEEPALIVE_TIME;
56176 @@ -199,6 +203,13 @@ static int tcp_write_timeout(struct sock
56177 }
56178 }
56179
56180 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56181 + if ((sk->sk_state == TCP_LAST_ACK) &&
56182 + (grsec_lastack_retries > 0) &&
56183 + (grsec_lastack_retries < retry_until))
56184 + retry_until = grsec_lastack_retries;
56185 +#endif
56186 +
56187 if (retransmits_timed_out(sk, retry_until,
56188 syn_set ? 0 : icsk->icsk_user_timeout, syn_set)) {
56189 /* Has it gone just too far? */
56190 diff -urNp linux-2.6.37/net/ipv4/udp.c linux-2.6.37/net/ipv4/udp.c
56191 --- linux-2.6.37/net/ipv4/udp.c 2011-01-04 19:50:19.000000000 -0500
56192 +++ linux-2.6.37/net/ipv4/udp.c 2011-01-17 02:41:02.000000000 -0500
56193 @@ -86,6 +86,7 @@
56194 #include <linux/types.h>
56195 #include <linux/fcntl.h>
56196 #include <linux/module.h>
56197 +#include <linux/security.h>
56198 #include <linux/socket.h>
56199 #include <linux/sockios.h>
56200 #include <linux/igmp.h>
56201 @@ -107,6 +108,10 @@
56202 #include <net/xfrm.h>
56203 #include "udp_impl.h"
56204
56205 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56206 +extern int grsec_enable_blackhole;
56207 +#endif
56208 +
56209 struct udp_table udp_table __read_mostly;
56210 EXPORT_SYMBOL(udp_table);
56211
56212 @@ -564,6 +569,9 @@ found:
56213 return s;
56214 }
56215
56216 +extern int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
56217 +extern int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
56218 +
56219 /*
56220 * This routine is called by the ICMP module when it gets some
56221 * sort of error condition. If err < 0 then the socket should
56222 @@ -832,9 +840,18 @@ int udp_sendmsg(struct kiocb *iocb, stru
56223 dport = usin->sin_port;
56224 if (dport == 0)
56225 return -EINVAL;
56226 +
56227 + err = gr_search_udp_sendmsg(sk, usin);
56228 + if (err)
56229 + return err;
56230 } else {
56231 if (sk->sk_state != TCP_ESTABLISHED)
56232 return -EDESTADDRREQ;
56233 +
56234 + err = gr_search_udp_sendmsg(sk, NULL);
56235 + if (err)
56236 + return err;
56237 +
56238 daddr = inet->inet_daddr;
56239 dport = inet->inet_dport;
56240 /* Open fast path for connected socket.
56241 @@ -1141,6 +1158,10 @@ try_again:
56242 if (!skb)
56243 goto out;
56244
56245 + err = gr_search_udp_recvmsg(sk, skb);
56246 + if (err)
56247 + goto out_free;
56248 +
56249 ulen = skb->len - sizeof(struct udphdr);
56250 if (len > ulen)
56251 len = ulen;
56252 @@ -1625,6 +1646,9 @@ int __udp4_lib_rcv(struct sk_buff *skb,
56253 goto csum_error;
56254
56255 UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
56256 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56257 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
56258 +#endif
56259 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
56260
56261 /*
56262 @@ -2052,7 +2076,12 @@ static void udp4_format_sock(struct sock
56263 sk_wmem_alloc_get(sp),
56264 sk_rmem_alloc_get(sp),
56265 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
56266 - atomic_read(&sp->sk_refcnt), sp,
56267 + atomic_read(&sp->sk_refcnt),
56268 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56269 + NULL,
56270 +#else
56271 + sp,
56272 +#endif
56273 atomic_read(&sp->sk_drops), len);
56274 }
56275
56276 diff -urNp linux-2.6.37/net/ipv6/exthdrs.c linux-2.6.37/net/ipv6/exthdrs.c
56277 --- linux-2.6.37/net/ipv6/exthdrs.c 2011-01-04 19:50:19.000000000 -0500
56278 +++ linux-2.6.37/net/ipv6/exthdrs.c 2011-01-17 02:41:02.000000000 -0500
56279 @@ -634,7 +634,7 @@ static struct tlvtype_proc tlvprochopopt
56280 .type = IPV6_TLV_JUMBO,
56281 .func = ipv6_hop_jumbo,
56282 },
56283 - { -1, }
56284 + { -1, NULL }
56285 };
56286
56287 int ipv6_parse_hopopts(struct sk_buff *skb)
56288 diff -urNp linux-2.6.37/net/ipv6/raw.c linux-2.6.37/net/ipv6/raw.c
56289 --- linux-2.6.37/net/ipv6/raw.c 2011-01-04 19:50:19.000000000 -0500
56290 +++ linux-2.6.37/net/ipv6/raw.c 2011-01-17 02:41:02.000000000 -0500
56291 @@ -601,7 +601,7 @@ out:
56292 return err;
56293 }
56294
56295 -static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
56296 +static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
56297 struct flowi *fl, struct dst_entry **dstp,
56298 unsigned int flags)
56299 {
56300 @@ -1243,7 +1243,13 @@ static void raw6_sock_seq_show(struct se
56301 0, 0L, 0,
56302 sock_i_uid(sp), 0,
56303 sock_i_ino(sp),
56304 - atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
56305 + atomic_read(&sp->sk_refcnt),
56306 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56307 + NULL,
56308 +#else
56309 + sp,
56310 +#endif
56311 + atomic_read(&sp->sk_drops));
56312 }
56313
56314 static int raw6_seq_show(struct seq_file *seq, void *v)
56315 diff -urNp linux-2.6.37/net/ipv6/tcp_ipv6.c linux-2.6.37/net/ipv6/tcp_ipv6.c
56316 --- linux-2.6.37/net/ipv6/tcp_ipv6.c 2011-01-04 19:50:19.000000000 -0500
56317 +++ linux-2.6.37/net/ipv6/tcp_ipv6.c 2011-01-17 02:41:02.000000000 -0500
56318 @@ -92,6 +92,10 @@ static struct tcp_md5sig_key *tcp_v6_md5
56319 }
56320 #endif
56321
56322 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56323 +extern int grsec_enable_blackhole;
56324 +#endif
56325 +
56326 static void tcp_v6_hash(struct sock *sk)
56327 {
56328 if (sk->sk_state != TCP_CLOSE) {
56329 @@ -1631,6 +1635,9 @@ static int tcp_v6_do_rcv(struct sock *sk
56330 return 0;
56331
56332 reset:
56333 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56334 + if (!grsec_enable_blackhole)
56335 +#endif
56336 tcp_v6_send_reset(sk, skb);
56337 discard:
56338 if (opt_skb)
56339 @@ -1710,12 +1717,20 @@ static int tcp_v6_rcv(struct sk_buff *sk
56340 TCP_SKB_CB(skb)->sacked = 0;
56341
56342 sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
56343 - if (!sk)
56344 + if (!sk) {
56345 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56346 + ret = 1;
56347 +#endif
56348 goto no_tcp_socket;
56349 + }
56350
56351 process:
56352 - if (sk->sk_state == TCP_TIME_WAIT)
56353 + if (sk->sk_state == TCP_TIME_WAIT) {
56354 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56355 + ret = 2;
56356 +#endif
56357 goto do_time_wait;
56358 + }
56359
56360 if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
56361 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
56362 @@ -1763,6 +1778,10 @@ no_tcp_socket:
56363 bad_packet:
56364 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
56365 } else {
56366 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56367 + if (!grsec_enable_blackhole || (ret == 1 &&
56368 + (skb->dev->flags & IFF_LOOPBACK)))
56369 +#endif
56370 tcp_v6_send_reset(NULL, skb);
56371 }
56372
56373 @@ -1991,7 +2010,13 @@ static void get_openreq6(struct seq_file
56374 uid,
56375 0, /* non standard timer */
56376 0, /* open_requests have no inode */
56377 - 0, req);
56378 + 0,
56379 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56380 + NULL
56381 +#else
56382 + req
56383 +#endif
56384 + );
56385 }
56386
56387 static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
56388 @@ -2041,7 +2066,12 @@ static void get_tcp6_sock(struct seq_fil
56389 sock_i_uid(sp),
56390 icsk->icsk_probes_out,
56391 sock_i_ino(sp),
56392 - atomic_read(&sp->sk_refcnt), sp,
56393 + atomic_read(&sp->sk_refcnt),
56394 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56395 + NULL,
56396 +#else
56397 + sp,
56398 +#endif
56399 jiffies_to_clock_t(icsk->icsk_rto),
56400 jiffies_to_clock_t(icsk->icsk_ack.ato),
56401 (icsk->icsk_ack.quick << 1 ) | icsk->icsk_ack.pingpong,
56402 @@ -2076,7 +2106,13 @@ static void get_timewait6_sock(struct se
56403 dest->s6_addr32[2], dest->s6_addr32[3], destp,
56404 tw->tw_substate, 0, 0,
56405 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
56406 - atomic_read(&tw->tw_refcnt), tw);
56407 + atomic_read(&tw->tw_refcnt),
56408 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56409 + NULL
56410 +#else
56411 + tw
56412 +#endif
56413 + );
56414 }
56415
56416 static int tcp6_seq_show(struct seq_file *seq, void *v)
56417 diff -urNp linux-2.6.37/net/ipv6/udp.c linux-2.6.37/net/ipv6/udp.c
56418 --- linux-2.6.37/net/ipv6/udp.c 2011-01-04 19:50:19.000000000 -0500
56419 +++ linux-2.6.37/net/ipv6/udp.c 2011-01-17 02:41:02.000000000 -0500
56420 @@ -50,6 +50,10 @@
56421 #include <linux/seq_file.h>
56422 #include "udp_impl.h"
56423
56424 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56425 +extern int grsec_enable_blackhole;
56426 +#endif
56427 +
56428 int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2)
56429 {
56430 const struct in6_addr *sk_rcv_saddr6 = &inet6_sk(sk)->rcv_saddr;
56431 @@ -773,6 +777,9 @@ int __udp6_lib_rcv(struct sk_buff *skb,
56432 UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS,
56433 proto == IPPROTO_UDPLITE);
56434
56435 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56436 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
56437 +#endif
56438 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
56439
56440 kfree_skb(skb);
56441 @@ -1407,7 +1414,12 @@ static void udp6_sock_seq_show(struct se
56442 0, 0L, 0,
56443 sock_i_uid(sp), 0,
56444 sock_i_ino(sp),
56445 - atomic_read(&sp->sk_refcnt), sp,
56446 + atomic_read(&sp->sk_refcnt),
56447 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56448 + NULL,
56449 +#else
56450 + sp,
56451 +#endif
56452 atomic_read(&sp->sk_drops));
56453 }
56454
56455 diff -urNp linux-2.6.37/net/irda/ircomm/ircomm_tty.c linux-2.6.37/net/irda/ircomm/ircomm_tty.c
56456 --- linux-2.6.37/net/irda/ircomm/ircomm_tty.c 2011-01-04 19:50:19.000000000 -0500
56457 +++ linux-2.6.37/net/irda/ircomm/ircomm_tty.c 2011-01-17 02:41:02.000000000 -0500
56458 @@ -281,16 +281,16 @@ static int ircomm_tty_block_til_ready(st
56459 add_wait_queue(&self->open_wait, &wait);
56460
56461 IRDA_DEBUG(2, "%s(%d):block_til_ready before block on %s open_count=%d\n",
56462 - __FILE__,__LINE__, tty->driver->name, self->open_count );
56463 + __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count) );
56464
56465 /* As far as I can see, we protect open_count - Jean II */
56466 spin_lock_irqsave(&self->spinlock, flags);
56467 if (!tty_hung_up_p(filp)) {
56468 extra_count = 1;
56469 - self->open_count--;
56470 + atomic_dec(&self->open_count);
56471 }
56472 spin_unlock_irqrestore(&self->spinlock, flags);
56473 - self->blocked_open++;
56474 + atomic_inc(&self->blocked_open);
56475
56476 while (1) {
56477 if (tty->termios->c_cflag & CBAUD) {
56478 @@ -330,7 +330,7 @@ static int ircomm_tty_block_til_ready(st
56479 }
56480
56481 IRDA_DEBUG(1, "%s(%d):block_til_ready blocking on %s open_count=%d\n",
56482 - __FILE__,__LINE__, tty->driver->name, self->open_count );
56483 + __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count) );
56484
56485 schedule();
56486 }
56487 @@ -341,13 +341,13 @@ static int ircomm_tty_block_til_ready(st
56488 if (extra_count) {
56489 /* ++ is not atomic, so this should be protected - Jean II */
56490 spin_lock_irqsave(&self->spinlock, flags);
56491 - self->open_count++;
56492 + atomic_inc(&self->open_count);
56493 spin_unlock_irqrestore(&self->spinlock, flags);
56494 }
56495 - self->blocked_open--;
56496 + atomic_dec(&self->blocked_open);
56497
56498 IRDA_DEBUG(1, "%s(%d):block_til_ready after blocking on %s open_count=%d\n",
56499 - __FILE__,__LINE__, tty->driver->name, self->open_count);
56500 + __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count));
56501
56502 if (!retval)
56503 self->flags |= ASYNC_NORMAL_ACTIVE;
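Review bot: The context comment `/* ++ is not atomic, so this should be protected - Jean II */` is now stale: the increment it justifies has become `atomic_inc(&self->open_count)` yet is still wrapped in `spin_lock_irqsave(&self->spinlock, flags)`. Either the spinlock still orders open_count against other fields here, in which case the comment should say so, e.g. `/* spinlock orders open_count against self->tty/flags; the counter itself is atomic */`, or it is now redundant around the atomic op. The same stale comment precedes the `atomic_inc` in ircomm_tty_open in the next hunk. Note that atomic_t only makes the individual operations atomic; the check-then-set sequences in ircomm_tty_close (`atomic_dec_return(...) < 0` followed by `atomic_set(..., 0)`) still rely on the spinlock, and that is worth stating where the lock is taken. ircomm_tty_block_til_ready's body extends outside the hunk.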
56504 @@ -416,14 +416,14 @@ static int ircomm_tty_open(struct tty_st
56505 }
56506 /* ++ is not atomic, so this should be protected - Jean II */
56507 spin_lock_irqsave(&self->spinlock, flags);
56508 - self->open_count++;
56509 + atomic_inc(&self->open_count);
56510
56511 tty->driver_data = self;
56512 self->tty = tty;
56513 spin_unlock_irqrestore(&self->spinlock, flags);
56514
56515 IRDA_DEBUG(1, "%s(), %s%d, count = %d\n", __func__ , tty->driver->name,
56516 - self->line, self->open_count);
56517 + self->line, atomic_read(&self->open_count));
56518
56519 /* Not really used by us, but lets do it anyway */
56520 self->tty->low_latency = (self->flags & ASYNC_LOW_LATENCY) ? 1 : 0;
56521 @@ -509,7 +509,7 @@ static void ircomm_tty_close(struct tty_
56522 return;
56523 }
56524
56525 - if ((tty->count == 1) && (self->open_count != 1)) {
56526 + if ((tty->count == 1) && (atomic_read(&self->open_count) != 1)) {
56527 /*
56528 * Uh, oh. tty->count is 1, which means that the tty
56529 * structure will be freed. state->count should always
56530 @@ -519,16 +519,16 @@ static void ircomm_tty_close(struct tty_
56531 */
56532 IRDA_DEBUG(0, "%s(), bad serial port count; "
56533 "tty->count is 1, state->count is %d\n", __func__ ,
56534 - self->open_count);
56535 - self->open_count = 1;
56536 + atomic_read(&self->open_count));
56537 + atomic_set(&self->open_count, 1);
56538 }
56539
56540 - if (--self->open_count < 0) {
56541 + if (atomic_dec_return(&self->open_count) < 0) {
56542 IRDA_ERROR("%s(), bad serial port count for ttys%d: %d\n",
56543 - __func__, self->line, self->open_count);
56544 - self->open_count = 0;
56545 + __func__, self->line, atomic_read(&self->open_count));
56546 + atomic_set(&self->open_count, 0);
56547 }
56548 - if (self->open_count) {
56549 + if (atomic_read(&self->open_count)) {
56550 spin_unlock_irqrestore(&self->spinlock, flags);
56551
56552 IRDA_DEBUG(0, "%s(), open count > 0\n", __func__ );
56553 @@ -560,7 +560,7 @@ static void ircomm_tty_close(struct tty_
56554 tty->closing = 0;
56555 self->tty = NULL;
56556
56557 - if (self->blocked_open) {
56558 + if (atomic_read(&self->blocked_open)) {
56559 if (self->close_delay)
56560 schedule_timeout_interruptible(self->close_delay);
56561 wake_up_interruptible(&self->open_wait);
56562 @@ -1012,7 +1012,7 @@ static void ircomm_tty_hangup(struct tty
56563 spin_lock_irqsave(&self->spinlock, flags);
56564 self->flags &= ~ASYNC_NORMAL_ACTIVE;
56565 self->tty = NULL;
56566 - self->open_count = 0;
56567 + atomic_set(&self->open_count, 0);
56568 spin_unlock_irqrestore(&self->spinlock, flags);
56569
56570 wake_up_interruptible(&self->open_wait);
56571 @@ -1364,7 +1364,7 @@ static void ircomm_tty_line_info(struct
56572 seq_putc(m, '\n');
56573
56574 seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
56575 - seq_printf(m, "Open count: %d\n", self->open_count);
56576 + seq_printf(m, "Open count: %d\n", atomic_read(&self->open_count));
56577 seq_printf(m, "Max data size: %d\n", self->max_data_size);
56578 seq_printf(m, "Max header size: %d\n", self->max_header_size);
56579
56580 diff -urNp linux-2.6.37/net/key/af_key.c linux-2.6.37/net/key/af_key.c
56581 --- linux-2.6.37/net/key/af_key.c 2011-01-04 19:50:19.000000000 -0500
56582 +++ linux-2.6.37/net/key/af_key.c 2011-01-17 02:41:02.000000000 -0500
56583 @@ -3644,7 +3644,11 @@ static int pfkey_seq_show(struct seq_fil
56584 seq_printf(f ,"sk RefCnt Rmem Wmem User Inode\n");
56585 else
56586 seq_printf(f ,"%p %-6d %-6u %-6u %-6u %-6lu\n",
56587 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56588 + NULL,
56589 +#else
56590 s,
56591 +#endif
56592 atomic_read(&s->sk_refcnt),
56593 sk_rmem_alloc_get(s),
56594 sk_wmem_alloc_get(s),
56595 diff -urNp linux-2.6.37/net/mac80211/ieee80211_i.h linux-2.6.37/net/mac80211/ieee80211_i.h
56596 --- linux-2.6.37/net/mac80211/ieee80211_i.h 2011-01-04 19:50:19.000000000 -0500
56597 +++ linux-2.6.37/net/mac80211/ieee80211_i.h 2011-01-17 02:41:02.000000000 -0500
56598 @@ -704,7 +704,7 @@ struct ieee80211_local {
56599 /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
56600 spinlock_t queue_stop_reason_lock;
56601
56602 - int open_count;
56603 + atomic_t open_count;
56604 int monitors, cooked_mntrs;
56605 /* number of interfaces with corresponding FIF_ flags */
56606 int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll,
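Review bot: Turning `open_count` into an atomic_t changes the type but not the locking model: every user in the iface.c, main.c, pm.c, rate.c and util.c hunks is a check-then-act (`atomic_read(...) == 0` followed by `drv_start`/`drv_stop`), which atomic_t cannot make safe on its own, and the rate.c hunk's `ASSERT_RTNL()` immediately before its read suggests RTNL is the actual serialiser. Document that on the field so the atomic_t is not mistaken for a locking guarantee: `atomic_t open_count; /* open interfaces; modified and checked under RTNL, atomic_t only for hardened counter ops */` — the second clause is my reading of the callers and should be confirmed. struct ieee80211_local extends outside the hunk.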
56607 diff -urNp linux-2.6.37/net/mac80211/iface.c linux-2.6.37/net/mac80211/iface.c
56608 --- linux-2.6.37/net/mac80211/iface.c 2011-01-04 19:50:19.000000000 -0500
56609 +++ linux-2.6.37/net/mac80211/iface.c 2011-01-17 02:41:02.000000000 -0500
56610 @@ -216,7 +216,7 @@ static int ieee80211_do_open(struct net_
56611 break;
56612 }
56613
56614 - if (local->open_count == 0) {
56615 + if (atomic_read(&local->open_count) == 0) {
56616 res = drv_start(local);
56617 if (res)
56618 goto err_del_bss;
56619 @@ -238,7 +238,7 @@ static int ieee80211_do_open(struct net_
56620 memcpy(dev->perm_addr, dev->dev_addr, ETH_ALEN);
56621
56622 if (!is_valid_ether_addr(dev->dev_addr)) {
56623 - if (!local->open_count)
56624 + if (!atomic_read(&local->open_count))
56625 drv_stop(local);
56626 return -EADDRNOTAVAIL;
56627 }
56628 @@ -335,7 +335,7 @@ static int ieee80211_do_open(struct net_
56629 mutex_unlock(&local->mtx);
56630
56631 if (coming_up)
56632 - local->open_count++;
56633 + atomic_inc(&local->open_count);
56634
56635 if (hw_reconf_flags) {
56636 ieee80211_hw_config(local, hw_reconf_flags);
56637 @@ -355,7 +355,7 @@ static int ieee80211_do_open(struct net_
56638 err_del_interface:
56639 drv_remove_interface(local, &sdata->vif);
56640 err_stop:
56641 - if (!local->open_count)
56642 + if (!atomic_read(&local->open_count))
56643 drv_stop(local);
56644 err_del_bss:
56645 sdata->bss = NULL;
56646 @@ -481,7 +481,7 @@ static void ieee80211_do_stop(struct iee
56647 }
56648
56649 if (going_down)
56650 - local->open_count--;
56651 + atomic_dec(&local->open_count);
56652
56653 switch (sdata->vif.type) {
56654 case NL80211_IFTYPE_AP_VLAN:
56655 @@ -552,7 +552,7 @@ static void ieee80211_do_stop(struct iee
56656
56657 ieee80211_recalc_ps(local, -1);
56658
56659 - if (local->open_count == 0) {
56660 + if (atomic_read(&local->open_count) == 0) {
56661 if (local->ops->napi_poll)
56662 napi_disable(&local->napi);
56663 ieee80211_clear_tx_pending(local);
56664 diff -urNp linux-2.6.37/net/mac80211/main.c linux-2.6.37/net/mac80211/main.c
56665 --- linux-2.6.37/net/mac80211/main.c 2011-01-04 19:50:19.000000000 -0500
56666 +++ linux-2.6.37/net/mac80211/main.c 2011-01-17 02:41:02.000000000 -0500
56667 @@ -159,7 +159,7 @@ int ieee80211_hw_config(struct ieee80211
56668 local->hw.conf.power_level = power;
56669 }
56670
56671 - if (changed && local->open_count) {
56672 + if (changed && atomic_read(&local->open_count)) {
56673 ret = drv_config(local, changed);
56674 /*
56675 * Goal:
56676 diff -urNp linux-2.6.37/net/mac80211/pm.c linux-2.6.37/net/mac80211/pm.c
56677 --- linux-2.6.37/net/mac80211/pm.c 2011-01-04 19:50:19.000000000 -0500
56678 +++ linux-2.6.37/net/mac80211/pm.c 2011-01-17 02:41:02.000000000 -0500
56679 @@ -95,7 +95,7 @@ int __ieee80211_suspend(struct ieee80211
56680 }
56681
56682 /* stop hardware - this must stop RX */
56683 - if (local->open_count)
56684 + if (atomic_read(&local->open_count))
56685 ieee80211_stop_device(local);
56686
56687 local->suspended = true;
56688 diff -urNp linux-2.6.37/net/mac80211/rate.c linux-2.6.37/net/mac80211/rate.c
56689 --- linux-2.6.37/net/mac80211/rate.c 2011-01-04 19:50:19.000000000 -0500
56690 +++ linux-2.6.37/net/mac80211/rate.c 2011-01-17 02:41:02.000000000 -0500
56691 @@ -361,7 +361,7 @@ int ieee80211_init_rate_ctrl_alg(struct
56692
56693 ASSERT_RTNL();
56694
56695 - if (local->open_count)
56696 + if (atomic_read(&local->open_count))
56697 return -EBUSY;
56698
56699 if (local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL) {
56700 diff -urNp linux-2.6.37/net/mac80211/rc80211_pid_debugfs.c linux-2.6.37/net/mac80211/rc80211_pid_debugfs.c
56701 --- linux-2.6.37/net/mac80211/rc80211_pid_debugfs.c 2011-01-04 19:50:19.000000000 -0500
56702 +++ linux-2.6.37/net/mac80211/rc80211_pid_debugfs.c 2011-01-17 02:41:02.000000000 -0500
56703 @@ -192,7 +192,7 @@ static ssize_t rate_control_pid_events_r
56704
56705 spin_unlock_irqrestore(&events->lock, status);
56706
56707 - if (copy_to_user(buf, pb, p))
56708 + if (p > sizeof(pb) || copy_to_user(buf, pb, p))
56709 return -EFAULT;
56710
56711 return p;
56712 diff -urNp linux-2.6.37/net/mac80211/tx.c linux-2.6.37/net/mac80211/tx.c
56713 --- linux-2.6.37/net/mac80211/tx.c 2011-01-04 19:50:19.000000000 -0500
56714 +++ linux-2.6.37/net/mac80211/tx.c 2011-01-17 02:41:02.000000000 -0500
56715 @@ -173,7 +173,7 @@ static __le16 ieee80211_duration(struct
56716 return cpu_to_le16(dur);
56717 }
56718
56719 -static int inline is_ieee80211_device(struct ieee80211_local *local,
56720 +static inline int is_ieee80211_device(struct ieee80211_local *local,
56721 struct net_device *dev)
56722 {
56723 return local == wdev_priv(dev->ieee80211_ptr);
56724 diff -urNp linux-2.6.37/net/mac80211/util.c linux-2.6.37/net/mac80211/util.c
56725 --- linux-2.6.37/net/mac80211/util.c 2011-01-04 19:50:19.000000000 -0500
56726 +++ linux-2.6.37/net/mac80211/util.c 2011-01-17 02:41:02.000000000 -0500
56727 @@ -1111,7 +1111,7 @@ int ieee80211_reconfig(struct ieee80211_
56728 local->resuming = true;
56729
56730 /* restart hardware */
56731 - if (local->open_count) {
56732 + if (atomic_read(&local->open_count)) {
56733 /*
56734 * Upon resume hardware can sometimes be goofy due to
56735 * various platform / driver / bus issues, so restarting
56736 diff -urNp linux-2.6.37/net/netfilter/Kconfig linux-2.6.37/net/netfilter/Kconfig
56737 --- linux-2.6.37/net/netfilter/Kconfig 2011-01-04 19:50:19.000000000 -0500
56738 +++ linux-2.6.37/net/netfilter/Kconfig 2011-01-17 02:41:02.000000000 -0500
56739 @@ -709,6 +709,16 @@ config NETFILTER_XT_MATCH_ESP
56740
56741 To compile it as a module, choose M here. If unsure, say N.
56742
56743 +config NETFILTER_XT_MATCH_GRADM
56744 + tristate '"gradm" match support'
56745 + depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
56746 + depends on GRKERNSEC && !GRKERNSEC_NO_RBAC
56747 + ---help---
56748 + The gradm match allows to match on grsecurity RBAC being enabled.
56749 + It is useful when iptables rules are applied early on bootup to
56750 + prevent connections to the machine (except from a trusted host)
56751 + while the RBAC system is disabled.
56752 +
56753 config NETFILTER_XT_MATCH_HASHLIMIT
56754 tristate '"hashlimit" match support'
56755 depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
56756 diff -urNp linux-2.6.37/net/netfilter/Makefile linux-2.6.37/net/netfilter/Makefile
56757 --- linux-2.6.37/net/netfilter/Makefile 2011-01-04 19:50:19.000000000 -0500
56758 +++ linux-2.6.37/net/netfilter/Makefile 2011-01-17 02:41:02.000000000 -0500
56759 @@ -74,6 +74,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CPU) +=
56760 obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o
56761 obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
56762 obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
56763 +obj-$(CONFIG_NETFILTER_XT_MATCH_GRADM) += xt_gradm.o
56764 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
56765 obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
56766 obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
56767 diff -urNp linux-2.6.37/net/netfilter/nf_conntrack_netlink.c linux-2.6.37/net/netfilter/nf_conntrack_netlink.c
56768 --- linux-2.6.37/net/netfilter/nf_conntrack_netlink.c 2011-01-04 19:50:19.000000000 -0500
56769 +++ linux-2.6.37/net/netfilter/nf_conntrack_netlink.c 2011-01-17 02:41:02.000000000 -0500
56770 @@ -761,7 +761,7 @@ static const struct nla_policy tuple_nla
56771 static int
56772 ctnetlink_parse_tuple(const struct nlattr * const cda[],
56773 struct nf_conntrack_tuple *tuple,
56774 - enum ctattr_tuple type, u_int8_t l3num)
56775 + enum ctattr_type type, u_int8_t l3num)
56776 {
56777 struct nlattr *tb[CTA_TUPLE_MAX+1];
56778 int err;
56779 diff -urNp linux-2.6.37/net/netfilter/xt_gradm.c linux-2.6.37/net/netfilter/xt_gradm.c
56780 --- linux-2.6.37/net/netfilter/xt_gradm.c 1969-12-31 19:00:00.000000000 -0500
56781 +++ linux-2.6.37/net/netfilter/xt_gradm.c 2011-01-17 02:41:02.000000000 -0500
56782 @@ -0,0 +1,51 @@
56783 +/*
56784 + * gradm match for netfilter
56785 + * Copyright © Zbigniew Krzystolik, 2010
56786 + *
56787 + * This program is free software; you can redistribute it and/or modify
56788 + * it under the terms of the GNU General Public License; either version
56789 + * 2 or 3 as published by the Free Software Foundation.
56790 + */
56791 +#include <linux/module.h>
56792 +#include <linux/moduleparam.h>
56793 +#include <linux/skbuff.h>
56794 +#include <linux/netfilter/x_tables.h>
56795 +#include <linux/grsecurity.h>
56796 +#include <linux/netfilter/xt_gradm.h>
56797 +
56798 +static bool
56799 +gradm_mt(const struct sk_buff *skb, struct xt_action_param *par)
56800 +{
56801 + const struct xt_gradm_mtinfo *info = par->matchinfo;
56802 + bool retval = false;
56803 + if (gr_acl_is_enabled())
56804 + retval = true;
56805 + return retval ^ info->invflags;
56806 +}
56807 +
56808 +static struct xt_match gradm_mt_reg __read_mostly = {
56809 + .name = "gradm",
56810 + .revision = 0,
56811 + .family = NFPROTO_UNSPEC,
56812 + .match = gradm_mt,
56813 + .matchsize = XT_ALIGN(sizeof(struct xt_gradm_mtinfo)),
56814 + .me = THIS_MODULE,
56815 +};
56816 +
56817 +static int __init gradm_mt_init(void)
56818 +{
56819 + return xt_register_match(&gradm_mt_reg);
56820 +}
56821 +
56822 +static void __exit gradm_mt_exit(void)
56823 +{
56824 + xt_unregister_match(&gradm_mt_reg);
56825 +}
56826 +
56827 +module_init(gradm_mt_init);
56828 +module_exit(gradm_mt_exit);
56829 +MODULE_AUTHOR("Zbigniew Krzystolik <zbyniu@destrukcja.pl>");
56830 +MODULE_DESCRIPTION("Xtables: Grsecurity RBAC match");
56831 +MODULE_LICENSE("GPL");
56832 +MODULE_ALIAS("ipt_gradm");
56833 +MODULE_ALIAS("ip6t_gradm");
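Review bot: `return retval ^ info->invflags;` in gradm_mt only implements an inversion when `invflags` is exactly 0 or 1; any other bit pattern XORed with the bool gives a nonzero, i.e. "match", result for both RBAC states (the declared type of `invflags` is in xt_gradm.h, not in this chunk). gradm_mt_reg registers no `.checkentry`, so the rule-supplied value is never validated; add one that rejects `info->invflags & ~1` with -EINVAL, or mask in the match: `return retval ^ !!(info->invflags & 1);`. `<linux/moduleparam.h>` is included although the file defines no module parameter, so that include can be dropped.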
56834 diff -urNp linux-2.6.37/net/netlink/af_netlink.c linux-2.6.37/net/netlink/af_netlink.c
56835 --- linux-2.6.37/net/netlink/af_netlink.c 2011-01-04 19:50:19.000000000 -0500
56836 +++ linux-2.6.37/net/netlink/af_netlink.c 2011-01-17 02:41:02.000000000 -0500
56837 @@ -1991,13 +1991,21 @@ static int netlink_seq_show(struct seq_f
56838 struct netlink_sock *nlk = nlk_sk(s);
56839
56840 seq_printf(seq, "%p %-3d %-6d %08x %-8d %-8d %p %-8d %-8d %-8lu\n",
56841 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56842 + NULL,
56843 +#else
56844 s,
56845 +#endif
56846 s->sk_protocol,
56847 nlk->pid,
56848 nlk->groups ? (u32)nlk->groups[0] : 0,
56849 sk_rmem_alloc_get(s),
56850 sk_wmem_alloc_get(s),
56851 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56852 + NULL,
56853 +#else
56854 nlk->cb,
56855 +#endif
56856 atomic_read(&s->sk_refcnt),
56857 atomic_read(&s->sk_drops),
56858 sock_i_ino(s)
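Review bot: Passing `NULL` for `s` and `nlk->cb` keeps the `%p` conversions, so on kernels where %p renders a null pointer as the string "(null)" the two fields change width and content between HIDESYM and non-HIDESYM builds, which fixed-column consumers of /proc/net/netlink may not tolerate. A literal zero with a width-matched integer conversion under the same `#ifdef` hides the address while keeping the layout identical. The same pattern is repeated later in this patch in packet_seq_show, pn_sock_seq_show, sctp_eps_seq_show, sctp_assocs_seq_show and unix_seq_show. The seq_printf statement continues outside the hunk.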
56859 diff -urNp linux-2.6.37/net/netrom/af_netrom.c linux-2.6.37/net/netrom/af_netrom.c
56860 --- linux-2.6.37/net/netrom/af_netrom.c 2011-01-04 19:50:19.000000000 -0500
56861 +++ linux-2.6.37/net/netrom/af_netrom.c 2011-01-17 02:41:02.000000000 -0500
56862 @@ -840,6 +840,7 @@ static int nr_getname(struct socket *soc
56863 struct sock *sk = sock->sk;
56864 struct nr_sock *nr = nr_sk(sk);
56865
56866 + memset(sax, 0, sizeof(*sax));
56867 lock_sock(sk);
56868 if (peer != 0) {
56869 if (sk->sk_state != TCP_ESTABLISHED) {
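Review bot: The added `memset(sax, 0, sizeof(*sax));` deserves a one-line comment saying why it is there, because the second hunk removes the explicit `sax25_ndigis = 0` and a later reader may take the memset for redundant: `/* zero the whole address, including padding and unused digipeater slots, before it is returned to userspace */`. It runs before lock_sock(), which is fine if `sax` is the caller's output buffer, as the `*uaddr_len` assignments below suggest; the rest of nr_getname, including the declaration of `sax`, is outside the hunk.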
56870 @@ -854,7 +855,6 @@ static int nr_getname(struct socket *soc
56871 *uaddr_len = sizeof(struct full_sockaddr_ax25);
56872 } else {
56873 sax->fsa_ax25.sax25_family = AF_NETROM;
56874 - sax->fsa_ax25.sax25_ndigis = 0;
56875 sax->fsa_ax25.sax25_call = nr->source_addr;
56876 *uaddr_len = sizeof(struct sockaddr_ax25);
56877 }
56878 diff -urNp linux-2.6.37/net/packet/af_packet.c linux-2.6.37/net/packet/af_packet.c
56879 --- linux-2.6.37/net/packet/af_packet.c 2011-01-04 19:50:19.000000000 -0500
56880 +++ linux-2.6.37/net/packet/af_packet.c 2011-01-17 02:41:02.000000000 -0500
56881 @@ -2123,7 +2123,7 @@ static int packet_getsockopt(struct sock
56882 case PACKET_HDRLEN:
56883 if (len > sizeof(int))
56884 len = sizeof(int);
56885 - if (copy_from_user(&val, optval, len))
56886 + if (len > sizeof(val) || copy_from_user(&val, optval, len))
56887 return -EFAULT;
56888 switch (val) {
56889 case TPACKET_V1:
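Review bot: The new `len > sizeof(val)` guard can only fire if `val` is smaller than an int, because the line above already clamps `len` to `sizeof(int)`; `val`'s declaration is outside the hunk, so if it is an `int` the check is a no-op and a short comment should say it is intentionally defensive. The case left open is `len < sizeof(val)`: copy_from_user then fills only part of `val` and `switch (val)` on the next line reads bytes that were never written unless `val` is initialised earlier in packet_getsockopt. Rejecting `len != sizeof(val)` with -EINVAL, or zeroing `val` before the copy, closes that.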
56890 @@ -2161,7 +2161,7 @@ static int packet_getsockopt(struct sock
56891
56892 if (put_user(len, optlen))
56893 return -EFAULT;
56894 - if (copy_to_user(optval, data, len))
56895 + if (len > sizeof(st) || copy_to_user(optval, data, len))
56896 return -EFAULT;
56897 return 0;
56898 }
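Review bot: `len > sizeof(st)` bounds the copy against `st` regardless of which object `data` points at; from this hunk it cannot be seen whether every case that reaches this copy_to_user sets `data = &st`, and for any case that points `data` at a smaller variable the bound is too loose. Recording the size next to the pointer in each case (e.g. `data = &st; lv = sizeof(st);`) and checking `len > lv` here makes the bound follow the data. Also, `put_user(len, optlen)` two lines above has already reported the length to userspace before the new check can fail, so a -EFAULT return leaves `*optlen` updated; moving the put_user after the bound check avoids that. The switch that sets `data` is outside the hunk.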
56899 @@ -2640,7 +2640,11 @@ static int packet_seq_show(struct seq_fi
56900
56901 seq_printf(seq,
56902 "%p %-6d %-4d %04x %-5d %1d %-6u %-6u %-6lu\n",
56903 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56904 + NULL,
56905 +#else
56906 s,
56907 +#endif
56908 atomic_read(&s->sk_refcnt),
56909 s->sk_type,
56910 ntohs(po->num),
56911 diff -urNp linux-2.6.37/net/phonet/af_phonet.c linux-2.6.37/net/phonet/af_phonet.c
56912 --- linux-2.6.37/net/phonet/af_phonet.c 2011-01-04 19:50:19.000000000 -0500
56913 +++ linux-2.6.37/net/phonet/af_phonet.c 2011-01-17 02:41:02.000000000 -0500
56914 @@ -41,7 +41,7 @@ static struct phonet_protocol *phonet_pr
56915 {
56916 struct phonet_protocol *pp;
56917
56918 - if (protocol >= PHONET_NPROTO)
56919 + if (protocol < 0 || protocol >= PHONET_NPROTO)
56920 return NULL;
56921
56922 rcu_read_lock();
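Review bot: `protocol < 0` is only meaningful if `protocol` is a signed type, and its declaration is in the function header outside the hunk; if it is `unsigned int` the test is always false and gcc's -Wtype-limits will flag it. If the parameter is signed the check is right, and the same applies to the second hunk in phonet_proto_register; if it is unsigned, the existing `protocol >= PHONET_NPROTO` test alone already rejects every out-of-range value and the new clause should go. Either way a brief comment on the signedness assumption would keep the two call sites from drifting.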
56923 @@ -463,7 +463,7 @@ int __init_or_module phonet_proto_regist
56924 {
56925 int err = 0;
56926
56927 - if (protocol >= PHONET_NPROTO)
56928 + if (protocol < 0 || protocol >= PHONET_NPROTO)
56929 return -EINVAL;
56930
56931 err = proto_register(pp->prot, 1);
56932 diff -urNp linux-2.6.37/net/phonet/socket.c linux-2.6.37/net/phonet/socket.c
56933 --- linux-2.6.37/net/phonet/socket.c 2011-01-04 19:50:19.000000000 -0500
56934 +++ linux-2.6.37/net/phonet/socket.c 2011-01-17 02:41:02.000000000 -0500
56935 @@ -637,7 +637,12 @@ static int pn_sock_seq_show(struct seq_f
56936 sk->sk_state,
56937 sk_wmem_alloc_get(sk), sk_rmem_alloc_get(sk),
56938 sock_i_uid(sk), sock_i_ino(sk),
56939 - atomic_read(&sk->sk_refcnt), sk,
56940 + atomic_read(&sk->sk_refcnt),
56941 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56942 + NULL,
56943 +#else
56944 + sk,
56945 +#endif
56946 atomic_read(&sk->sk_drops), &len);
56947 }
56948 seq_printf(seq, "%*s\n", 127 - len, "");
56949 diff -urNp linux-2.6.37/net/sctp/proc.c linux-2.6.37/net/sctp/proc.c
56950 --- linux-2.6.37/net/sctp/proc.c 2011-01-04 19:50:19.000000000 -0500
56951 +++ linux-2.6.37/net/sctp/proc.c 2011-01-17 02:41:02.000000000 -0500
56952 @@ -212,7 +212,12 @@ static int sctp_eps_seq_show(struct seq_
56953 sctp_for_each_hentry(epb, node, &head->chain) {
56954 ep = sctp_ep(epb);
56955 sk = epb->sk;
56956 - seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ", ep, sk,
56957 + seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ",
56958 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56959 + NULL, NULL,
56960 +#else
56961 + ep, sk,
56962 +#endif
56963 sctp_sk(sk)->type, sk->sk_state, hash,
56964 epb->bind_addr.port,
56965 sock_i_uid(sk), sock_i_ino(sk));
56966 @@ -318,7 +323,12 @@ static int sctp_assocs_seq_show(struct s
56967 seq_printf(seq,
56968 "%8p %8p %-3d %-3d %-2d %-4d "
56969 "%4d %8d %8d %7d %5lu %-5d %5d ",
56970 - assoc, sk, sctp_sk(sk)->type, sk->sk_state,
56971 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56972 + NULL, NULL,
56973 +#else
56974 + assoc, sk,
56975 +#endif
56976 + sctp_sk(sk)->type, sk->sk_state,
56977 assoc->state, hash,
56978 assoc->assoc_id,
56979 assoc->sndbuf_used,
56980 diff -urNp linux-2.6.37/net/sctp/socket.c linux-2.6.37/net/sctp/socket.c
56981 --- linux-2.6.37/net/sctp/socket.c 2011-01-04 19:50:19.000000000 -0500
56982 +++ linux-2.6.37/net/sctp/socket.c 2011-01-17 02:41:02.000000000 -0500
56983 @@ -1496,7 +1496,7 @@ SCTP_STATIC int sctp_sendmsg(struct kioc
56984 struct sctp_sndrcvinfo *sinfo;
56985 struct sctp_initmsg *sinit;
56986 sctp_assoc_t associd = 0;
56987 - sctp_cmsgs_t cmsgs = { NULL };
56988 + sctp_cmsgs_t cmsgs = { NULL, NULL };
56989 int err;
56990 sctp_scope_t scope;
56991 long timeo;
56992 @@ -4435,7 +4435,7 @@ static int sctp_getsockopt_peer_addrs(st
56993 addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
56994 if (space_left < addrlen)
56995 return -ENOMEM;
56996 - if (copy_to_user(to, &temp, addrlen))
56997 + if (addrlen > sizeof(temp) || copy_to_user(to, &temp, addrlen))
56998 return -EFAULT;
56999 to += addrlen;
57000 cnt++;
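Review bot: `addrlen > sizeof(temp)` catches an address family whose sockaddr_len exceeds `temp`, but that is a kernel-side inconsistency in what sctp_get_af_specific() returned, not a bad user pointer, so returning -EFAULT mislabels it; -EINVAL, or a WARN_ON_ONCE next to the existing -ENOMEM path, makes the failure diagnosable. The same -EFAULT-for-an-internal-bound pattern appears in the read_reset_stat hunk of net/sunrpc/xprtrdma/svc_rdma.c (`len > sizeof str_buf`). The enclosing loop of sctp_getsockopt_peer_addrs is outside the hunk.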
57001 diff -urNp linux-2.6.37/net/socket.c linux-2.6.37/net/socket.c
57002 --- linux-2.6.37/net/socket.c 2011-01-04 19:50:19.000000000 -0500
57003 +++ linux-2.6.37/net/socket.c 2011-01-17 02:41:02.000000000 -0500
57004 @@ -88,6 +88,7 @@
57005 #include <linux/nsproxy.h>
57006 #include <linux/magic.h>
57007 #include <linux/slab.h>
57008 +#include <linux/in.h>
57009
57010 #include <asm/uaccess.h>
57011 #include <asm/unistd.h>
57012 @@ -105,6 +106,8 @@
57013 #include <linux/sockios.h>
57014 #include <linux/atalk.h>
57015
57016 +#include <linux/grsock.h>
57017 +
57018 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
57019 static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
57020 unsigned long nr_segs, loff_t pos);
57021 @@ -311,7 +314,7 @@ static struct dentry *sockfs_mount(struc
57022 return mount_pseudo(fs_type, "socket:", &sockfs_ops, SOCKFS_MAGIC);
57023 }
57024
57025 -static struct vfsmount *sock_mnt __read_mostly;
57026 +struct vfsmount *sock_mnt __read_mostly;
57027
57028 static struct file_system_type sock_fs_type = {
57029 .name = "sockfs",
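Review bot: Dropping `static` from `sock_mnt` makes it a global with no `extern` declaration visible in any header touched in this chunk; if the declaration lives in the `<linux/grsock.h>` included two hunks up that is fine, otherwise sparse will report that the symbol should be static and the definition and its users can drift apart. Add `extern struct vfsmount *sock_mnt;` to the header the consumer includes, and a comment at this line naming the consumer, e.g. `/* not static: also referenced by the grsecurity socket hooks */` if that is indeed who uses it.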
57030 @@ -1173,6 +1176,8 @@ int __sock_create(struct net *net, int f
57031 return -EAFNOSUPPORT;
57032 if (type < 0 || type >= SOCK_MAX)
57033 return -EINVAL;
57034 + if (protocol < 0)
57035 + return -EINVAL;
57036
57037 /* Compatibility.
57038
57039 @@ -1305,6 +1310,16 @@ SYSCALL_DEFINE3(socket, int, family, int
57040 if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
57041 flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
57042
57043 + if(!gr_search_socket(family, type, protocol)) {
57044 + retval = -EACCES;
57045 + goto out;
57046 + }
57047 +
57048 + if (gr_handle_sock_all(family, type, protocol)) {
57049 + retval = -EACCES;
57050 + goto out;
57051 + }
57052 +
57053 retval = sock_create(family, type, protocol, &sock);
57054 if (retval < 0)
57055 goto out;
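Review bot: `if(!gr_search_socket(family, type, protocol)) {` lacks the space after `if` that kernel style and the neighbouring `if (gr_handle_sock_all(...))` use. The two hooks have opposite return conventions, false-means-deny for gr_search_socket and nonzero-means-deny for gr_handle_sock_all, yet both map to the same -EACCES, so one condition reads more clearly: `if (!gr_search_socket(family, type, protocol) || gr_handle_sock_all(family, type, protocol)) { retval = -EACCES; goto out; }`. Both checks run before sock_create(), so a refused socket() never reaches the LSM hooks inside it; if that ordering is intended, a comment should say so. The body of sys_socket continues outside the hunk.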
57056 @@ -1417,6 +1432,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
57057 if (sock) {
57058 err = move_addr_to_kernel(umyaddr, addrlen, (struct sockaddr *)&address);
57059 if (err >= 0) {
57060 + if (gr_handle_sock_server((struct sockaddr *)&address)) {
57061 + err = -EACCES;
57062 + goto error;
57063 + }
57064 + err = gr_search_bind(sock, (struct sockaddr_in *)&address);
57065 + if (err)
57066 + goto error;
57067 +
57068 err = security_socket_bind(sock,
57069 (struct sockaddr *)&address,
57070 addrlen);
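Review bot: `gr_search_bind(sock, (struct sockaddr_in *)&address)` casts the generic `sockaddr_storage` to `sockaddr_in` before any family check, so the hook sees a `sin_addr`/`sin_port` view of whatever the caller passed, including AF_UNIX paths or AF_INET6 addresses, and when `addrlen` is shorter than `sizeof(struct sockaddr_in)` the fields it reads were never filled by move_addr_to_kernel. Unless gr_search_bind itself begins by checking `sin_family` and the copied length (its body is not in this chunk), gate the call here: `if (address.ss_family == AF_INET && addrlen >= sizeof(struct sockaddr_in)) err = gr_search_bind(...)`. The connect hunk below makes the same cast for `gr_search_connect(sock, (struct sockaddr_in *)sck)`. The `error:` label these gotos target is added in the next hunk after the ops->bind call, so fput_light is still reached; sys_bind extends beyond this hunk.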
57071 @@ -1425,6 +1448,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
57072 (struct sockaddr *)
57073 &address, addrlen);
57074 }
57075 +error:
57076 fput_light(sock->file, fput_needed);
57077 }
57078 return err;
57079 @@ -1448,10 +1472,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, ba
57080 if ((unsigned)backlog > somaxconn)
57081 backlog = somaxconn;
57082
57083 + if (gr_handle_sock_server_other(sock->sk)) {
57084 + err = -EPERM;
57085 + goto error;
57086 + }
57087 +
57088 + err = gr_search_listen(sock);
57089 + if (err)
57090 + goto error;
57091 +
57092 err = security_socket_listen(sock, backlog);
57093 if (!err)
57094 err = sock->ops->listen(sock, backlog);
57095
57096 +error:
57097 fput_light(sock->file, fput_needed);
57098 }
57099 return err;
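Review bot: The gr_handle_sock_server_other branch returns `-EPERM` while the bind hunk above returns `-EACCES` for gr_handle_sock_server, and `gr_search_listen` propagates whatever it returns; one errno for RBAC socket denials across bind/listen/accept/connect lets userspace and audit tooling tell a policy refusal from a capability failure. A comment on the new `error:` label, e.g. `/* denied by RBAC policy: still drop the fd reference */`, would make the early exits easier to follow, since the label also drains the normal path. sys_listen's body starts outside the hunk.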
57100 @@ -1495,6 +1529,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
57101 newsock->type = sock->type;
57102 newsock->ops = sock->ops;
57103
57104 + if (gr_handle_sock_server_other(sock->sk)) {
57105 + err = -EPERM;
57106 + sock_release(newsock);
57107 + goto out_put;
57108 + }
57109 +
57110 + err = gr_search_accept(sock);
57111 + if (err) {
57112 + sock_release(newsock);
57113 + goto out_put;
57114 + }
57115 +
57116 /*
57117 * We don't need try_module_get here, as the listening socket (sock)
57118 * has the protocol module (sock->ops->owner) held.
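Review bot: Both new denial branches sit after `newsock` has been allocated (the `newsock->type = sock->type;` line at the top of the hunk shows sock_alloc() has already run), so every refused accept() allocates a socket only to release it, and each branch repeats `sock_release(newsock); goto out_put;`. Since both checks take only `sock`, they can move ahead of the sock_alloc() call earlier in sys_accept4 (outside this hunk), removing the allocation and both release calls; failing that, a single `out_release:` label above out_put de-duplicates them. The -EPERM here versus -EACCES in the bind and connect hunks is the same errno inconsistency raised on the listen hunk.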
57119 @@ -1533,6 +1579,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
57120 fd_install(newfd, newfile);
57121 err = newfd;
57122
57123 + gr_attach_curr_ip(newsock->sk);
57124 +
57125 out_put:
57126 fput_light(sock->file, fput_needed);
57127 out:
57128 @@ -1565,6 +1613,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct
57129 int, addrlen)
57130 {
57131 struct socket *sock;
57132 + struct sockaddr *sck;
57133 struct sockaddr_storage address;
57134 int err, fput_needed;
57135
57136 @@ -1575,6 +1624,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct
57137 if (err < 0)
57138 goto out_put;
57139
57140 + sck = (struct sockaddr *)&address;
57141 +
57142 + if (gr_handle_sock_client(sck)) {
57143 + err = -EACCES;
57144 + goto out_put;
57145 + }
57146 +
57147 + err = gr_search_connect(sock, (struct sockaddr_in *)sck);
57148 + if (err)
57149 + goto out_put;
57150 +
57151 err =
57152 security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
57153 if (err)
57154 diff -urNp linux-2.6.37/net/sunrpc/sched.c linux-2.6.37/net/sunrpc/sched.c
57155 --- linux-2.6.37/net/sunrpc/sched.c 2011-01-04 19:50:19.000000000 -0500
57156 +++ linux-2.6.37/net/sunrpc/sched.c 2011-01-17 02:41:02.000000000 -0500
57157 @@ -234,9 +234,9 @@ static int rpc_wait_bit_killable(void *w
57158 #ifdef RPC_DEBUG
57159 static void rpc_task_set_debuginfo(struct rpc_task *task)
57160 {
57161 - static atomic_t rpc_pid;
57162 + static atomic_unchecked_t rpc_pid;
57163
57164 - task->tk_pid = atomic_inc_return(&rpc_pid);
57165 + task->tk_pid = atomic_inc_return_unchecked(&rpc_pid);
57166 }
57167 #else
57168 static inline void rpc_task_set_debuginfo(struct rpc_task *task)
57169 diff -urNp linux-2.6.37/net/sunrpc/xprtrdma/svc_rdma.c linux-2.6.37/net/sunrpc/xprtrdma/svc_rdma.c
57170 --- linux-2.6.37/net/sunrpc/xprtrdma/svc_rdma.c 2011-01-04 19:50:19.000000000 -0500
57171 +++ linux-2.6.37/net/sunrpc/xprtrdma/svc_rdma.c 2011-01-17 02:41:02.000000000 -0500
57172 @@ -109,7 +109,7 @@ static int read_reset_stat(ctl_table *ta
57173 len -= *ppos;
57174 if (len > *lenp)
57175 len = *lenp;
57176 - if (len && copy_to_user(buffer, str_buf, len))
57177 + if (len > sizeof str_buf || (len && copy_to_user(buffer, str_buf, len)))
57178 return -EFAULT;
57179 *lenp = len;
57180 *ppos += len;
57181 diff -urNp linux-2.6.37/net/sysctl_net.c linux-2.6.37/net/sysctl_net.c
57182 --- linux-2.6.37/net/sysctl_net.c 2011-01-04 19:50:19.000000000 -0500
57183 +++ linux-2.6.37/net/sysctl_net.c 2011-01-17 02:41:02.000000000 -0500
57184 @@ -46,7 +46,7 @@ static int net_ctl_permissions(struct ct
57185 struct ctl_table *table)
57186 {
57187 /* Allow network administrator to have same access as root. */
57188 - if (capable(CAP_NET_ADMIN)) {
57189 + if (capable_nolog(CAP_NET_ADMIN)) {
57190 int mode = (table->mode >> 6) & 7;
57191 return (mode << 6) | (mode << 3) | mode;
57192 }
57193 diff -urNp linux-2.6.37/net/tipc/socket.c linux-2.6.37/net/tipc/socket.c
57194 --- linux-2.6.37/net/tipc/socket.c 2011-01-04 19:50:19.000000000 -0500
57195 +++ linux-2.6.37/net/tipc/socket.c 2011-01-17 02:41:02.000000000 -0500
57196 @@ -1475,8 +1475,9 @@ static int connect(struct socket *sock,
57197 } else {
57198 if (res == 0)
57199 res = -ETIMEDOUT;
57200 - else
57201 - ; /* leave "res" unchanged */
57202 + else {
57203 + /* leave "res" unchanged */
57204 + }
57205 sock->state = SS_DISCONNECTING;
57206 }
57207
57208 diff -urNp linux-2.6.37/net/unix/af_unix.c linux-2.6.37/net/unix/af_unix.c
57209 --- linux-2.6.37/net/unix/af_unix.c 2011-01-04 19:50:19.000000000 -0500
57210 +++ linux-2.6.37/net/unix/af_unix.c 2011-01-17 02:41:02.000000000 -0500
57211 @@ -764,6 +764,12 @@ static struct sock *unix_find_other(stru
57212 err = -ECONNREFUSED;
57213 if (!S_ISSOCK(inode->i_mode))
57214 goto put_fail;
57215 +
57216 + if (!gr_acl_handle_unix(path.dentry, path.mnt)) {
57217 + err = -EACCES;
57218 + goto put_fail;
57219 + }
57220 +
57221 u = unix_find_socket_byinode(inode);
57222 if (!u)
57223 goto put_fail;
57224 @@ -784,6 +790,13 @@ static struct sock *unix_find_other(stru
57225 if (u) {
57226 struct dentry *dentry;
57227 dentry = unix_sk(u)->dentry;
57228 +
57229 + if (!gr_handle_chroot_unix(u->sk_peer_pid)) {
57230 + err = -EPERM;
57231 + sock_put(u);
57232 + goto fail;
57233 + }
57234 +
57235 if (dentry)
57236 touch_atime(unix_sk(u)->mnt, dentry);
57237 } else
57238 @@ -869,11 +882,18 @@ static int unix_bind(struct socket *sock
57239 err = security_path_mknod(&nd.path, dentry, mode, 0);
57240 if (err)
57241 goto out_mknod_drop_write;
57242 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
57243 + err = -EACCES;
57244 + goto out_mknod_drop_write;
57245 + }
57246 err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0);
57247 out_mknod_drop_write:
57248 mnt_drop_write(nd.path.mnt);
57249 if (err)
57250 goto out_mknod_dput;
57251 +
57252 + gr_handle_create(dentry, nd.path.mnt);
57253 +
57254 mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
57255 dput(nd.path.dentry);
57256 nd.path.dentry = dentry;
57257 @@ -891,6 +911,11 @@ out_mknod_drop_write:
57258 goto out_unlock;
57259 }
57260
57261 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
57262 + put_pid(sk->sk_peer_pid);
57263 + sk->sk_peer_pid = get_pid(task_tgid(current));
57264 +#endif
57265 +
57266 list = &unix_socket_table[addr->hash];
57267 } else {
57268 list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)];
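Review bot: `sk->sk_peer_pid = get_pid(task_tgid(current));` on bind repurposes the field that sock_getsockopt(SO_PEERCRED) reports as the peer's pid, so under CONFIG_GRKERNSEC_CHROOT_UNIX a bound-but-unconnected AF_UNIX socket appears to answer SO_PEERCRED with the binder's tgid where mainline leaves the field unset; if that is accepted, say so in a comment here, otherwise a dedicated member of `struct unix_sock`, read by the `gr_handle_chroot_unix(u->sk_peer_pid)` check in the unix_find_other hunk above, avoids overloading a user-visible field. The write seems to precede the socket's insertion into the hash table, so a finder should not observe a half-updated pid, but the enclosing unix_bind and the lock it holds at this point are outside the hunk.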
57269 @@ -2226,7 +2251,11 @@ static int unix_seq_show(struct seq_file
57270 unix_state_lock(s);
57271
57272 seq_printf(seq, "%p: %08X %08X %08X %04X %02X %5lu",
57273 +#ifdef CONFIG_GRKERNSEC_HIDESYM
57274 + NULL,
57275 +#else
57276 s,
57277 +#endif
57278 atomic_read(&s->sk_refcnt),
57279 0,
57280 s->sk_state == TCP_LISTEN ? __SO_ACCEPTCON : 0,
57281 diff -urNp linux-2.6.37/net/wireless/reg.c linux-2.6.37/net/wireless/reg.c
57282 --- linux-2.6.37/net/wireless/reg.c 2011-01-04 19:50:19.000000000 -0500
57283 +++ linux-2.6.37/net/wireless/reg.c 2011-01-17 02:41:02.000000000 -0500
57284 @@ -51,7 +51,7 @@
57285 printk(KERN_DEBUG format , ## args); \
57286 } while (0)
57287 #else
57288 -#define REG_DBG_PRINT(args...)
57289 +#define REG_DBG_PRINT(args...) do {} while (0)
57290 #endif
57291
57292 /* Receipt of information from last regulatory request */
57293 diff -urNp linux-2.6.37/net/wireless/wext-core.c linux-2.6.37/net/wireless/wext-core.c
57294 --- linux-2.6.37/net/wireless/wext-core.c 2011-01-04 19:50:19.000000000 -0500
57295 +++ linux-2.6.37/net/wireless/wext-core.c 2011-01-17 02:41:02.000000000 -0500
57296 @@ -744,8 +744,7 @@ static int ioctl_standard_iw_point(struc
57297 */
57298
57299 /* Support for very large requests */
57300 - if ((descr->flags & IW_DESCR_FLAG_NOMAX) &&
57301 - (user_length > descr->max_tokens)) {
57302 + if (user_length > descr->max_tokens) {
57303 /* Allow userspace to GET more than max so
57304 * we can support any size GET requests.
57305 * There is still a limit : -ENOMEM.
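Review bot: With the `IW_DESCR_FLAG_NOMAX` test removed, the "Support for very large requests" branch applies to every descriptor, but the comment inside it still reads as if only NOMAX handlers were concerned ("Allow userspace to GET more than max so we can support any size GET requests"); reword it to state that any GET may exceed `max_tokens` and that the buffer is then sized from `user_length`. Oversized SET requests for non-NOMAX descriptors now reach this branch as well, so whatever bound applied to them before should be restated here. The branch body and the SET handling are outside the hunk.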
57306 @@ -782,22 +781,6 @@ static int ioctl_standard_iw_point(struc
57307 }
57308 }
57309
57310 - if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) {
57311 - /*
57312 - * If this is a GET, but not NOMAX, it means that the extra
57313 - * data is not bounded by userspace, but by max_tokens. Thus
57314 - * set the length to max_tokens. This matches the extra data
57315 - * allocation.
57316 - * The driver should fill it with the number of tokens it
57317 - * provided, and it may check iwp->length rather than having
57318 - * knowledge of max_tokens. If the driver doesn't change the
57319 - * iwp->length, this ioctl just copies back max_token tokens
57320 - * filled with zeroes. Hopefully the driver isn't claiming
57321 - * them to be valid data.
57322 - */
57323 - iwp->length = descr->max_tokens;
57324 - }
57325 -
57326 err = handler(dev, info, (union iwreq_data *) iwp, extra);
57327
57328 iwp->length += essid_compat;
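Review bot: Deleting the `iwp->length = descr->max_tokens` reset means the length copied back after `handler()` is whatever the driver leaves in `iwp->length`, which for a driver that never touches it is the user-supplied value; that is only safe if the copy-back is still bounded by `user_length` and the `extra` buffer is both sized for at least that many tokens and zero-initialised, and all three conditions live outside the hunk. Put that reasoning where the block was, e.g. `/* length is left to the driver: extra is sized from user_length above, zeroed, and the copy-back is bounded by user_length */`, so the deletion is not mistaken for reintroducing the uninitialised-copy-back the removed comment warned about. The remainder of ioctl_standard_iw_point is outside the hunk.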
57329 diff -urNp linux-2.6.37/net/x25/x25_facilities.c linux-2.6.37/net/x25/x25_facilities.c
57330 --- linux-2.6.37/net/x25/x25_facilities.c 2011-01-04 19:50:19.000000000 -0500
57331 +++ linux-2.6.37/net/x25/x25_facilities.c 2011-01-17 02:41:02.000000000 -0500
57332 @@ -157,7 +157,8 @@ int x25_parse_facilities(struct sk_buff
57333 break;
57334 default:
57335 printk(KERN_DEBUG "X.25: unknown facility %02X,"
57336 - "length %d\n", p[0], p[1]);
57337 + "length %d, values %02X, %02X\n",
57338 + p[0], p[1], p[2], p[3]);
57339 break;
57340 }
57341 len -= p[1] + 2;
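Review bot: The new printk reads `p[2]` and `p[3]` in the `default:` case, but the only length the loop advances by is `p[1]` (`len -= p[1] + 2;` just below), so for an unknown facility with `p[1]` of 0 or 1 those bytes belong to the next facility or lie past the parsed data; unless a check earlier in x25_parse_facilities guarantees at least four bytes remain, guard the print, e.g. `if (len >= 4 && p[1] >= 2)`, and otherwise print only `p[0]` and `p[1]`. Since the message is driven by peer-supplied packet contents, wrap it in `if (printk_ratelimit())` so a stream of unknown facilities cannot flood the log. The loop header and its bounds check are outside the hunk.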
57342 diff -urNp linux-2.6.37/net/xfrm/xfrm_policy.c linux-2.6.37/net/xfrm/xfrm_policy.c
57343 --- linux-2.6.37/net/xfrm/xfrm_policy.c 2011-01-04 19:50:19.000000000 -0500
57344 +++ linux-2.6.37/net/xfrm/xfrm_policy.c 2011-01-17 02:41:02.000000000 -0500
57345 @@ -1504,7 +1504,7 @@ free_dst:
57346 goto out;
57347 }
57348
57349 -static int inline
57350 +static inline int
57351 xfrm_dst_alloc_copy(void **target, void *src, int size)
57352 {
57353 if (!*target) {
57354 @@ -1516,7 +1516,7 @@ xfrm_dst_alloc_copy(void **target, void
57355 return 0;
57356 }
57357
57358 -static int inline
57359 +static inline int
57360 xfrm_dst_update_parent(struct dst_entry *dst, struct xfrm_selector *sel)
57361 {
57362 #ifdef CONFIG_XFRM_SUB_POLICY
57363 @@ -1528,7 +1528,7 @@ xfrm_dst_update_parent(struct dst_entry
57364 #endif
57365 }
57366
57367 -static int inline
57368 +static inline int
57369 xfrm_dst_update_origin(struct dst_entry *dst, struct flowi *fl)
57370 {
57371 #ifdef CONFIG_XFRM_SUB_POLICY
57372 diff -urNp linux-2.6.37/scripts/basic/fixdep.c linux-2.6.37/scripts/basic/fixdep.c
57373 --- linux-2.6.37/scripts/basic/fixdep.c 2011-01-04 19:50:19.000000000 -0500
57374 +++ linux-2.6.37/scripts/basic/fixdep.c 2011-01-17 02:41:02.000000000 -0500
57375 @@ -222,9 +222,9 @@ static void use_config(char *m, int slen
57376
57377 static void parse_config_file(char *map, size_t len)
57378 {
57379 - int *end = (int *) (map + len);
57380 + unsigned int *end = (unsigned int *) (map + len);
57381 /* start at +1, so that p can never be < map */
57382 - int *m = (int *) map + 1;
57383 + unsigned int *m = (unsigned int *) map + 1;
57384 char *p, *q;
57385
57386 for (; m < end; m++) {
57387 @@ -371,7 +371,7 @@ static void print_deps(void)
57388 static void traps(void)
57389 {
57390 static char test[] __attribute__((aligned(sizeof(int)))) = "CONF";
57391 - int *p = (int *)test;
57392 + unsigned int *p = (unsigned int *)test;
57393
57394 if (*p != INT_CONF) {
57395 fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianess? %#x\n",
57396 diff -urNp linux-2.6.37/scripts/kallsyms.c linux-2.6.37/scripts/kallsyms.c
57397 --- linux-2.6.37/scripts/kallsyms.c 2011-01-04 19:50:19.000000000 -0500
57398 +++ linux-2.6.37/scripts/kallsyms.c 2011-01-17 02:41:02.000000000 -0500
57399 @@ -43,10 +43,10 @@ struct text_range {
57400
57401 static unsigned long long _text;
57402 static struct text_range text_ranges[] = {
57403 - { "_stext", "_etext" },
57404 - { "_sinittext", "_einittext" },
57405 - { "_stext_l1", "_etext_l1" }, /* Blackfin on-chip L1 inst SRAM */
57406 - { "_stext_l2", "_etext_l2" }, /* Blackfin on-chip L2 SRAM */
57407 + { "_stext", "_etext", 0, 0 },
57408 + { "_sinittext", "_einittext", 0, 0 },
57409 + { "_stext_l1", "_etext_l1", 0, 0 }, /* Blackfin on-chip L1 inst SRAM */
57410 + { "_stext_l2", "_etext_l2", 0, 0 }, /* Blackfin on-chip L2 SRAM */
57411 };
57412 #define text_range_text (&text_ranges[0])
57413 #define text_range_inittext (&text_ranges[1])
57414 diff -urNp linux-2.6.37/scripts/mod/file2alias.c linux-2.6.37/scripts/mod/file2alias.c
57415 --- linux-2.6.37/scripts/mod/file2alias.c 2011-01-04 19:50:19.000000000 -0500
57416 +++ linux-2.6.37/scripts/mod/file2alias.c 2011-01-17 02:41:02.000000000 -0500
57417 @@ -72,7 +72,7 @@ static void device_id_check(const char *
57418 unsigned long size, unsigned long id_size,
57419 void *symval)
57420 {
57421 - int i;
57422 + unsigned int i;
57423
57424 if (size % id_size || size < id_size) {
57425 if (cross_build != 0)
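Review bot: Changing `i` here, and `bcdDevice_initial_digits`, `j`, `i2`, `j2`, `k`, `i`/`j` in the later hunks of this file, from `int` to `unsigned int` only preserves behaviour if none of the loops they drive count down to or compare against a negative value, and every affected loop body is outside the diff; do_usb_entry's callers in particular should be checked for computing the digit count by subtraction, where an unsigned result turns a negative intermediate into a huge bound. A comment at the parameter stating the range callers guarantee (whatever it is) would record the invariant the change relies on.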
57426 @@ -102,7 +102,7 @@ static void device_id_check(const char *
57427 /* USB is special because the bcdDevice can be matched against a numeric range */
57428 /* Looks like "usb:vNpNdNdcNdscNdpNicNiscNipN" */
57429 static void do_usb_entry(struct usb_device_id *id,
57430 - unsigned int bcdDevice_initial, int bcdDevice_initial_digits,
57431 + unsigned int bcdDevice_initial, unsigned int bcdDevice_initial_digits,
57432 unsigned char range_lo, unsigned char range_hi,
57433 unsigned char max, struct module *mod)
57434 {
57435 @@ -437,7 +437,7 @@ static void do_pnp_device_entry(void *sy
57436 for (i = 0; i < count; i++) {
57437 const char *id = (char *)devs[i].id;
57438 char acpi_id[sizeof(devs[0].id)];
57439 - int j;
57440 + unsigned int j;
57441
57442 buf_printf(&mod->dev_table_buf,
57443 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
57444 @@ -467,7 +467,7 @@ static void do_pnp_card_entries(void *sy
57445
57446 for (j = 0; j < PNP_MAX_DEVICES; j++) {
57447 const char *id = (char *)card->devs[j].id;
57448 - int i2, j2;
57449 + unsigned int i2, j2;
57450 int dup = 0;
57451
57452 if (!id[0])
57453 @@ -493,7 +493,7 @@ static void do_pnp_card_entries(void *sy
57454 /* add an individual alias for every device entry */
57455 if (!dup) {
57456 char acpi_id[sizeof(card->devs[0].id)];
57457 - int k;
57458 + unsigned int k;
57459
57460 buf_printf(&mod->dev_table_buf,
57461 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
57462 @@ -768,7 +768,7 @@ static void dmi_ascii_filter(char *d, co
57463 static int do_dmi_entry(const char *filename, struct dmi_system_id *id,
57464 char *alias)
57465 {
57466 - int i, j;
57467 + unsigned int i, j;
57468
57469 sprintf(alias, "dmi*");
57470
57471 diff -urNp linux-2.6.37/scripts/mod/modpost.c linux-2.6.37/scripts/mod/modpost.c
57472 --- linux-2.6.37/scripts/mod/modpost.c 2011-01-04 19:50:19.000000000 -0500
57473 +++ linux-2.6.37/scripts/mod/modpost.c 2011-01-17 02:41:02.000000000 -0500
57474 @@ -895,6 +895,7 @@ enum mismatch {
57475 ANY_INIT_TO_ANY_EXIT,
57476 ANY_EXIT_TO_ANY_INIT,
57477 EXPORT_TO_INIT_EXIT,
57478 + DATA_TO_TEXT
57479 };
57480
57481 struct sectioncheck {
57482 @@ -1003,6 +1004,12 @@ const struct sectioncheck sectioncheck[]
57483 .tosec = { INIT_SECTIONS, EXIT_SECTIONS, NULL },
57484 .mismatch = EXPORT_TO_INIT_EXIT,
57485 .symbol_white_list = { DEFAULT_SYMBOL_WHITE_LIST, NULL },
57486 +},
57487 +/* Do not reference code from writable data */
57488 +{
57489 + .fromsec = { DATA_SECTIONS, NULL },
57490 + .tosec = { TEXT_SECTIONS, NULL },
57491 + .mismatch = DATA_TO_TEXT
57492 }
57493 };
57494
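Review bot: The new DATA_SECTIONS→TEXT_SECTIONS entry omits `.symbol_white_list`, which the entry just above initialises with `{ DEFAULT_SYMBOL_WHITE_LIST, NULL }`; a zero-initialised list means no symbol is exempt for DATA_TO_TEXT, which may be intended, but then the entry should carry a comment saying that no whitelist applies, and otherwise the field should be added for consistency with its neighbours. The `DATA_TO_TEXT` enumerator added in the previous hunk also lacks the trailing comma its neighbours have.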
57495 @@ -1125,10 +1132,10 @@ static Elf_Sym *find_elf_symbol(struct e
57496 continue;
57497 if (ELF_ST_TYPE(sym->st_info) == STT_SECTION)
57498 continue;
57499 - if (sym->st_value == addr)
57500 - return sym;
57501 /* Find a symbol nearby - addr are maybe negative */
57502 d = sym->st_value - addr;
57503 + if (d == 0)
57504 + return sym;
57505 if (d < 0)
57506 d = addr - sym->st_value;
57507 if (d < distance) {
57508 @@ -1400,6 +1407,14 @@ static void report_sec_mismatch(const ch
57509 tosym, prl_to, prl_to, tosym);
57510 free(prl_to);
57511 break;
57512 + case DATA_TO_TEXT:
57513 +/*
57514 + fprintf(stderr,
57515 + "The variable %s references\n"
57516 + "the %s %s%s%s\n",
57517 + fromsym, to, sec2annotation(tosec), tosym, to_p);
57518 +*/
57519 + break;
57520 }
57521 fprintf(stderr, "\n");
57522 }
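Review bot: The `case DATA_TO_TEXT:` body is entirely commented out, so a DATA_TO_TEXT mismatch yields only the generic header printed before the switch (outside the hunk) and no indication of which variable references which function, which is what a user needs to act on it; either enable the fprintf (`to`, `tosec` and `to_p` appear to be the same locals the other cases use) or replace the dead code with a comment stating why this case is intentionally silent. Commented-out code is otherwise something every later reviewer will ask about.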
57523 @@ -1723,7 +1738,7 @@ void __attribute__((format(printf, 2, 3)
57524 va_end(ap);
57525 }
57526
57527 -void buf_write(struct buffer *buf, const char *s, int len)
57528 +void buf_write(struct buffer *buf, const char *s, unsigned int len)
57529 {
57530 if (buf->size - buf->pos < len) {
57531 buf->size += len + SZ;
57532 @@ -1935,7 +1950,7 @@ static void write_if_changed(struct buff
57533 if (fstat(fileno(file), &st) < 0)
57534 goto close_write;
57535
57536 - if (st.st_size != b->pos)
57537 + if (st.st_size != (off_t)b->pos)
57538 goto close_write;
57539
57540 tmp = NOFAIL(malloc(b->pos));
57541 diff -urNp linux-2.6.37/scripts/mod/modpost.h linux-2.6.37/scripts/mod/modpost.h
57542 --- linux-2.6.37/scripts/mod/modpost.h 2011-01-04 19:50:19.000000000 -0500
57543 +++ linux-2.6.37/scripts/mod/modpost.h 2011-01-17 02:41:02.000000000 -0500
57544 @@ -92,15 +92,15 @@ void *do_nofail(void *ptr, const char *e
57545
57546 struct buffer {
57547 char *p;
57548 - int pos;
57549 - int size;
57550 + unsigned int pos;
57551 + unsigned int size;
57552 };
57553
57554 void __attribute__((format(printf, 2, 3)))
57555 buf_printf(struct buffer *buf, const char *fmt, ...);
57556
57557 void
57558 -buf_write(struct buffer *buf, const char *s, int len);
57559 +buf_write(struct buffer *buf, const char *s, unsigned int len);
57560
57561 struct module {
57562 struct module *next;
57563 diff -urNp linux-2.6.37/scripts/mod/sumversion.c linux-2.6.37/scripts/mod/sumversion.c
57564 --- linux-2.6.37/scripts/mod/sumversion.c 2011-01-04 19:50:19.000000000 -0500
57565 +++ linux-2.6.37/scripts/mod/sumversion.c 2011-01-17 02:41:02.000000000 -0500
57566 @@ -455,7 +455,7 @@ static void write_version(const char *fi
57567 goto out;
57568 }
57569
57570 - if (write(fd, sum, strlen(sum)+1) != strlen(sum)+1) {
57571 + if (write(fd, sum, strlen(sum)+1) != (ssize_t)strlen(sum)+1) {
57572 warn("writing sum in %s failed: %s\n",
57573 filename, strerror(errno));
57574 goto out;
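Review bot: `(ssize_t)strlen(sum)+1` casts only the `strlen()` result and then adds an `int`, which does yield `ssize_t` but reads as if the cast covered the whole sum; `(ssize_t)(strlen(sum) + 1)` says what is meant. As the same length is computed twice on one line, `size_t n = strlen(sum) + 1; if (write(fd, sum, n) != (ssize_t)n)` is clearer still and avoids the repeated call.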
57575 diff -urNp linux-2.6.37/scripts/pnmtologo.c linux-2.6.37/scripts/pnmtologo.c
57576 --- linux-2.6.37/scripts/pnmtologo.c 2011-01-04 19:50:19.000000000 -0500
57577 +++ linux-2.6.37/scripts/pnmtologo.c 2011-01-17 02:41:02.000000000 -0500
57578 @@ -237,14 +237,14 @@ static void write_header(void)
57579 fprintf(out, " * Linux logo %s\n", logoname);
57580 fputs(" */\n\n", out);
57581 fputs("#include <linux/linux_logo.h>\n\n", out);
57582 - fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
57583 + fprintf(out, "static unsigned char %s_data[] = {\n",
57584 logoname);
57585 }
57586
57587 static void write_footer(void)
57588 {
57589 fputs("\n};\n\n", out);
57590 - fprintf(out, "const struct linux_logo %s __initconst = {\n", logoname);
57591 + fprintf(out, "const struct linux_logo %s = {\n", logoname);
57592 fprintf(out, "\t.type\t\t= %s,\n", logo_types[logo_type]);
57593 fprintf(out, "\t.width\t\t= %d,\n", logo_width);
57594 fprintf(out, "\t.height\t\t= %d,\n", logo_height);
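Review bot: Dropping `__initdata` and `__initconst` from the emitted logo arrays and `struct linux_logo` keeps the logo data resident for the kernel's lifetime instead of being freed after init, and nothing here says why; if the motivation is that this series places such objects in a specially treated section, record it in write_header, e.g. `/* no __initdata: logo data must outlive init (reason: <fill in>) */`. The write_logo_clut224 hunk below makes the same change and should point at that comment.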
57595 @@ -374,7 +374,7 @@ static void write_logo_clut224(void)
57596 fputs("\n};\n\n", out);
57597
57598 /* write logo clut */
57599 - fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
57600 + fprintf(out, "static unsigned char %s_clut[] = {\n",
57601 logoname);
57602 write_hex_cnt = 0;
57603 for (i = 0; i < logo_clutsize; i++) {
57604 diff -urNp linux-2.6.37/security/apparmor/lsm.c linux-2.6.37/security/apparmor/lsm.c
57605 --- linux-2.6.37/security/apparmor/lsm.c 2011-01-04 19:50:19.000000000 -0500
57606 +++ linux-2.6.37/security/apparmor/lsm.c 2011-01-17 02:41:02.000000000 -0500
57607 @@ -619,7 +619,7 @@ static int apparmor_task_setrlimit(struc
57608 return error;
57609 }
57610
57611 -static struct security_operations apparmor_ops = {
57612 +static struct security_operations apparmor_ops __read_only = {
57613 .name = "apparmor",
57614
57615 .ptrace_access_check = apparmor_ptrace_access_check,
57616 diff -urNp linux-2.6.37/security/commoncap.c linux-2.6.37/security/commoncap.c
57617 --- linux-2.6.37/security/commoncap.c 2011-01-04 19:50:19.000000000 -0500
57618 +++ linux-2.6.37/security/commoncap.c 2011-01-17 02:41:02.000000000 -0500
57619 @@ -27,6 +27,7 @@
57620 #include <linux/sched.h>
57621 #include <linux/prctl.h>
57622 #include <linux/securebits.h>
57623 +#include <net/sock.h>
57624
57625 /*
57626 * If a non-root user executes a setuid-root binary in
57627 @@ -50,9 +51,11 @@ static void warn_setuid_and_fcaps_mixed(
57628 }
57629 }
57630
57631 +extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);
57632 +
57633 int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
57634 {
57635 - NETLINK_CB(skb).eff_cap = current_cap();
57636 + NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink(sk);
57637 return 0;
57638 }
57639
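Review bot: `extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);` is a prototype placed in a .c file; checkpatch warns about this and the compiler cannot keep it in sync with the definition. The series already has `<linux/grsecurity.h>` (net/netfilter/xt_gradm.c includes it), so the prototype belongs there with a `#include` here instead of the extern. The swap of `current_cap()` for `gr_cap_rtnetlink(sk)` in cap_netlink_send also deserves a one-line comment, e.g. `/* RBAC may narrow the effective capability set used for netlink messages */`, since readers of commoncap.c will not expect an RBAC hook at this point.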
57640 @@ -534,6 +537,9 @@ int cap_bprm_secureexec(struct linux_bin
57641 {
57642 const struct cred *cred = current_cred();
57643
57644 + if (gr_acl_enable_at_secure())
57645 + return 1;
57646 +
57647 if (cred->uid != 0) {
57648 if (bprm->cap_effective)
57649 return 1;
57650 diff -urNp linux-2.6.37/security/integrity/ima/ima_api.c linux-2.6.37/security/integrity/ima/ima_api.c
57651 --- linux-2.6.37/security/integrity/ima/ima_api.c 2011-01-04 19:50:19.000000000 -0500
57652 +++ linux-2.6.37/security/integrity/ima/ima_api.c 2011-01-17 02:41:02.000000000 -0500
57653 @@ -75,7 +75,7 @@ void ima_add_violation(struct inode *ino
57654 int result;
57655
57656 /* can overflow, only indicator */
57657 - atomic_long_inc(&ima_htable.violations);
57658 + atomic_long_inc_unchecked(&ima_htable.violations);
57659
57660 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
57661 if (!entry) {
57662 diff -urNp linux-2.6.37/security/integrity/ima/ima_fs.c linux-2.6.37/security/integrity/ima/ima_fs.c
57663 --- linux-2.6.37/security/integrity/ima/ima_fs.c 2011-01-04 19:50:19.000000000 -0500
57664 +++ linux-2.6.37/security/integrity/ima/ima_fs.c 2011-01-17 02:41:02.000000000 -0500
57665 @@ -28,12 +28,12 @@
57666 static int valid_policy = 1;
57667 #define TMPBUFLEN 12
57668 static ssize_t ima_show_htable_value(char __user *buf, size_t count,
57669 - loff_t *ppos, atomic_long_t *val)
57670 + loff_t *ppos, atomic_long_unchecked_t *val)
57671 {
57672 char tmpbuf[TMPBUFLEN];
57673 ssize_t len;
57674
57675 - len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
57676 + len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read_unchecked(val));
57677 return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
57678 }
57679
57680 diff -urNp linux-2.6.37/security/integrity/ima/ima.h linux-2.6.37/security/integrity/ima/ima.h
57681 --- linux-2.6.37/security/integrity/ima/ima.h 2011-01-04 19:50:19.000000000 -0500
57682 +++ linux-2.6.37/security/integrity/ima/ima.h 2011-01-17 02:41:02.000000000 -0500
57683 @@ -85,8 +85,8 @@ void ima_add_violation(struct inode *ino
57684 extern spinlock_t ima_queue_lock;
57685
57686 struct ima_h_table {
57687 - atomic_long_t len; /* number of stored measurements in the list */
57688 - atomic_long_t violations;
57689 + atomic_long_unchecked_t len; /* number of stored measurements in the list */
57690 + atomic_long_unchecked_t violations;
57691 struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
57692 };
57693 extern struct ima_h_table ima_htable;
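Review bot: `len` is switched to atomic_long_unchecked_t with no justification, whereas `violations` carries a `/* can overflow, only indicator */` note at its increment site in ima_api.c; the unchecked type opts the field out of PAX_REFCOUNT overflow detection, so the reason belongs where the type is chosen. Suggest annotating the field in place: `atomic_long_unchecked_t len; /* statistic only: overflow is harmless, so refcount checking is deliberately bypassed */`. If `len` is ever used to bound anything — which cannot be determined from this view — it should stay a checked atomic_long_t instead.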
57694 diff -urNp linux-2.6.37/security/integrity/ima/ima_queue.c linux-2.6.37/security/integrity/ima/ima_queue.c
57695 --- linux-2.6.37/security/integrity/ima/ima_queue.c 2011-01-04 19:50:19.000000000 -0500
57696 +++ linux-2.6.37/security/integrity/ima/ima_queue.c 2011-01-17 02:41:02.000000000 -0500
57697 @@ -79,7 +79,7 @@ static int ima_add_digest_entry(struct i
57698 INIT_LIST_HEAD(&qe->later);
57699 list_add_tail_rcu(&qe->later, &ima_measurements);
57700
57701 - atomic_long_inc(&ima_htable.len);
57702 + atomic_long_inc_unchecked(&ima_htable.len);
57703 key = ima_hash_key(entry->digest);
57704 hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
57705 return 0;
57706 diff -urNp linux-2.6.37/security/Kconfig linux-2.6.37/security/Kconfig
57707 --- linux-2.6.37/security/Kconfig 2011-01-04 19:50:19.000000000 -0500
57708 +++ linux-2.6.37/security/Kconfig 2011-01-17 02:41:02.000000000 -0500
57709 @@ -4,6 +4,509 @@
57710
57711 menu "Security options"
57712
57713 +source grsecurity/Kconfig
57714 +
57715 +menu "PaX"
57716 +
57717 + config ARCH_TRACK_EXEC_LIMIT
57718 + bool
57719 +
57720 + config PAX_PER_CPU_PGD
57721 + bool
57722 +
57723 + config TASK_SIZE_MAX_SHIFT
57724 + int
57725 + depends on X86_64
57726 + default 47 if !PAX_PER_CPU_PGD
57727 + default 42 if PAX_PER_CPU_PGD
57728 +
57729 + config PAX_ENABLE_PAE
57730 + bool
57731 + default y if (X86_32 && (MPENTIUM4 || MK8 || MPSC || MCORE2 || MATOM))
57732 +
57733 +config PAX
57734 + bool "Enable various PaX features"
57735 + depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
57736 + help
57737 + This allows you to enable various PaX features. PaX adds
57738 + intrusion prevention mechanisms to the kernel that reduce
57739 + the risks posed by exploitable memory corruption bugs.
57740 +
57741 +menu "PaX Control"
57742 + depends on PAX
57743 +
57744 +config PAX_SOFTMODE
57745 + bool 'Support soft mode'
57746 + select PAX_PT_PAX_FLAGS
57747 + help
57748 + Enabling this option will allow you to run PaX in soft mode, that
57749 + is, PaX features will not be enforced by default, only on executables
57750 + marked explicitly. You must also enable PT_PAX_FLAGS support as it
57751 + is the only way to mark executables for soft mode use.
57752 +
57753 + Soft mode can be activated by using the "pax_softmode=1" kernel command
57754 + line option on boot. Furthermore you can control various PaX features
57755 + at runtime via the entries in /proc/sys/kernel/pax.
57756 +
57757 +config PAX_EI_PAX
57758 + bool 'Use legacy ELF header marking'
57759 + help
57760 + Enabling this option will allow you to control PaX features on
57761 + a per executable basis via the 'chpax' utility available at
57762 + http://pax.grsecurity.net/. The control flags will be read from
57763 + an otherwise reserved part of the ELF header. This marking has
57764 + numerous drawbacks (no support for soft-mode, toolchain does not
57765 + know about the non-standard use of the ELF header) therefore it
57766 + has been deprecated in favour of PT_PAX_FLAGS support.
57767 +
57768 + If you have applications not marked by the PT_PAX_FLAGS ELF
57769 + program header then you MUST enable this option otherwise they
57770 + will not get any protection.
57771 +
57772 + Note that if you enable PT_PAX_FLAGS marking support as well,
57773 + the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
57774 +
57775 +config PAX_PT_PAX_FLAGS
57776 + bool 'Use ELF program header marking'
57777 + help
57778 + Enabling this option will allow you to control PaX features on
57779 + a per executable basis via the 'paxctl' utility available at
57780 + http://pax.grsecurity.net/. The control flags will be read from
57781 + a PaX specific ELF program header (PT_PAX_FLAGS). This marking
57782 + has the benefits of supporting both soft mode and being fully
57783 + integrated into the toolchain (the binutils patch is available
57784 + from http://pax.grsecurity.net).
57785 +
57786 + If you have applications not marked by the PT_PAX_FLAGS ELF
57787 + program header then you MUST enable the EI_PAX marking support
57788 + otherwise they will not get any protection.
57789 +
57790 + Note that if you enable the legacy EI_PAX marking support as well,
57791 + the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
57792 +
57793 +choice
57794 + prompt 'MAC system integration'
57795 + default PAX_HAVE_ACL_FLAGS
57796 + help
57797 + Mandatory Access Control systems have the option of controlling
57798 + PaX flags on a per executable basis, choose the method supported
57799 + by your particular system.
57800 +
57801 + - "none": if your MAC system does not interact with PaX,
57802 + - "direct": if your MAC system defines pax_set_initial_flags() itself,
57803 + - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
57804 +
57805 + NOTE: this option is for developers/integrators only.
57806 +
57807 + config PAX_NO_ACL_FLAGS
57808 + bool 'none'
57809 +
57810 + config PAX_HAVE_ACL_FLAGS
57811 + bool 'direct'
57812 +
57813 + config PAX_HOOK_ACL_FLAGS
57814 + bool 'hook'
57815 +endchoice
57816 +
57817 +endmenu
57818 +
57819 +menu "Non-executable pages"
57820 + depends on PAX
57821 +
57822 +config PAX_NOEXEC
57823 + bool "Enforce non-executable pages"
57824 + depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
57825 + help
57826 + By design some architectures do not allow for protecting memory
57827 + pages against execution or even if they do, Linux does not make
57828 + use of this feature. In practice this means that if a page is
57829 + readable (such as the stack or heap) it is also executable.
57830 +
57831 + There is a well known exploit technique that makes use of this
57832 + fact and a common programming mistake where an attacker can
57833 + introduce code of his choice somewhere in the attacked program's
57834 + memory (typically the stack or the heap) and then execute it.
57835 +
57836 + If the attacked program was running with different (typically
57837 + higher) privileges than that of the attacker, then he can elevate
57838 + his own privilege level (e.g. get a root shell, write to files for
57839 + which he does not have write access to, etc).
57840 +
57841 + Enabling this option will let you choose from various features
57842 + that prevent the injection and execution of 'foreign' code in
57843 + a program.
57844 +
57845 + This will also break programs that rely on the old behaviour and
57846 + expect that dynamically allocated memory via the malloc() family
57847 + of functions is executable (which it is not). Notable examples
57848 + are the XFree86 4.x server, the java runtime and wine.
57849 +
57850 +config PAX_PAGEEXEC
57851 + bool "Paging based non-executable pages"
57852 + depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MATOM || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7)
57853 + select S390_SWITCH_AMODE if S390
57854 + select S390_EXEC_PROTECT if S390
57855 + select ARCH_TRACK_EXEC_LIMIT if X86_32
57856 + help
57857 + This implementation is based on the paging feature of the CPU.
57858 + On i386 without hardware non-executable bit support there is a
57859 + variable but usually low performance impact, however on Intel's
57860 + P4 core based CPUs it is very high so you should not enable this
57861 + for kernels meant to be used on such CPUs.
57862 +
57863 + On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
57864 + with hardware non-executable bit support there is no performance
57865 + impact, on ppc the impact is negligible.
57866 +
57867 + Note that several architectures require various emulations due to
57868 + badly designed userland ABIs, this will cause a performance impact
57869 + but will disappear as soon as userland is fixed. For example, ppc
57870 + userland MUST have been built with secure-plt by a recent toolchain.
57871 +
57872 +config PAX_SEGMEXEC
57873 + bool "Segmentation based non-executable pages"
57874 + depends on PAX_NOEXEC && X86_32
57875 + help
57876 + This implementation is based on the segmentation feature of the
57877 + CPU and has a very small performance impact, however applications
57878 + will be limited to a 1.5 GB address space instead of the normal
57879 + 3 GB.
57880 +
57881 +config PAX_EMUTRAMP
57882 + bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
57883 + default y if PARISC
57884 + help
57885 + There are some programs and libraries that for one reason or
57886 + another attempt to execute special small code snippets from
57887 + non-executable memory pages. Most notable examples are the
57888 + signal handler return code generated by the kernel itself and
57889 + the GCC trampolines.
57890 +
57891 + If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
57892 + such programs will no longer work under your kernel.
57893 +
57894 + As a remedy you can say Y here and use the 'chpax' or 'paxctl'
57895 + utilities to enable trampoline emulation for the affected programs
57896 + yet still have the protection provided by the non-executable pages.
57897 +
57898 + On parisc you MUST enable this option and EMUSIGRT as well, otherwise
57899 + your system will not even boot.
57900 +
57901 + Alternatively you can say N here and use the 'chpax' or 'paxctl'
57902 + utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
57903 + for the affected files.
57904 +
57905 + NOTE: enabling this feature *may* open up a loophole in the
57906 + protection provided by non-executable pages that an attacker
57907 + could abuse. Therefore the best solution is to not have any
57908 + files on your system that would require this option. This can
57909 + be achieved by not using libc5 (which relies on the kernel
57910 + signal handler return code) and not using or rewriting programs
57911 + that make use of the nested function implementation of GCC.
57912 + Skilled users can just fix GCC itself so that it implements
57913 + nested function calls in a way that does not interfere with PaX.
57914 +
57915 +config PAX_EMUSIGRT
57916 + bool "Automatically emulate sigreturn trampolines"
57917 + depends on PAX_EMUTRAMP && PARISC
57918 + default y
57919 + help
57920 + Enabling this option will have the kernel automatically detect
57921 + and emulate signal return trampolines executing on the stack
57922 + that would otherwise lead to task termination.
57923 +
57924 + This solution is intended as a temporary one for users with
57925 + legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
57926 + Modula-3 runtime, etc) or executables linked to such, basically
57927 + everything that does not specify its own SA_RESTORER function in
57928 + normal executable memory like glibc 2.1+ does.
57929 +
57930 + On parisc you MUST enable this option, otherwise your system will
57931 + not even boot.
57932 +
57933 + NOTE: this feature cannot be disabled on a per executable basis
57934 + and since it *does* open up a loophole in the protection provided
57935 + by non-executable pages, the best solution is to not have any
57936 + files on your system that would require this option.
57937 +
57938 +config PAX_MPROTECT
57939 + bool "Restrict mprotect()"
57940 + depends on (PAX_PAGEEXEC || PAX_SEGMEXEC)
57941 + help
57942 + Enabling this option will prevent programs from
57943 + - changing the executable status of memory pages that were
57944 + not originally created as executable,
57945 + - making read-only executable pages writable again,
57946 + - creating executable pages from anonymous memory,
57947 + - making read-only-after-relocations (RELRO) data pages writable again.
57948 +
57949 + You should say Y here to complete the protection provided by
57950 + the enforcement of non-executable pages.
57951 +
57952 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
57953 + this feature on a per file basis.
57954 +
57955 +config PAX_ELFRELOCS
57956 + bool "Allow ELF text relocations (read help)"
57957 + depends on PAX_MPROTECT
57958 + default n
57959 + help
57960 + Non-executable pages and mprotect() restrictions are effective
57961 + in preventing the introduction of new executable code into an
57962 + attacked task's address space. There remain only two venues
57963 + for this kind of attack: if the attacker can execute already
57964 + existing code in the attacked task then he can either have it
57965 + create and mmap() a file containing his code or have it mmap()
57966 + an already existing ELF library that does not have position
57967 + independent code in it and use mprotect() on it to make it
57968 + writable and copy his code there. While protecting against
57969 + the former approach is beyond PaX, the latter can be prevented
57970 + by having only PIC ELF libraries on one's system (which do not
57971 + need to relocate their code). If you are sure this is your case,
57972 + as is the case with all modern Linux distributions, then leave
57973 + this option disabled. You should say 'n' here.
57974 +
57975 +config PAX_ETEXECRELOCS
57976 + bool "Allow ELF ET_EXEC text relocations"
57977 + depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
57978 + select PAX_ELFRELOCS
57979 + default y
57980 + help
57981 + On some architectures there are incorrectly created applications
57982 + that require text relocations and would not work without enabling
57983 + this option. If you are an alpha, ia64 or parisc user, you should
57984 + enable this option and disable it once you have made sure that
57985 + none of your applications need it.
57986 +
57987 +config PAX_EMUPLT
57988 + bool "Automatically emulate ELF PLT"
57989 + depends on PAX_MPROTECT && (ALPHA || PARISC || SPARC)
57990 + default y
57991 + help
57992 + Enabling this option will have the kernel automatically detect
57993 + and emulate the Procedure Linkage Table entries in ELF files.
57994 + On some architectures such entries are in writable memory, and
57995 + become non-executable leading to task termination. Therefore
57996 + it is mandatory that you enable this option on alpha, parisc,
57997 + sparc and sparc64, otherwise your system would not even boot.
57998 +
57999 + NOTE: this feature *does* open up a loophole in the protection
58000 + provided by the non-executable pages, therefore the proper
58001 + solution is to modify the toolchain to produce a PLT that does
58002 + not need to be writable.
58003 +
58004 +config PAX_DLRESOLVE
58005 + bool 'Emulate old glibc resolver stub'
58006 + depends on PAX_EMUPLT && SPARC
58007 + default n
58008 + help
58009 + This option is needed if userland has an old glibc (before 2.4)
58010 + that puts a 'save' instruction into the runtime generated resolver
58011 + stub that needs special emulation.
58012 +
58013 +config PAX_KERNEXEC
58014 + bool "Enforce non-executable kernel pages"
58015 + depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
58016 + select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
58017 + help
58018 + This is the kernel land equivalent of PAGEEXEC and MPROTECT,
58019 + that is, enabling this option will make it harder to inject
58020 + and execute 'foreign' code in kernel memory itself.
58021 +
58022 +config PAX_KERNEXEC_MODULE_TEXT
58023 + int "Minimum amount of memory reserved for module code"
58024 + default "4"
58025 + depends on PAX_KERNEXEC && X86_32 && MODULES
58026 + help
58027 + Due to implementation details the kernel must reserve a fixed
58028 + amount of memory for module code at compile time that cannot be
58029 + changed at runtime. Here you can specify the minimum amount
58030 + in MB that will be reserved. Due to the same implementation
58031 + details this size will always be rounded up to the next 2/4 MB
58032 + boundary (depends on PAE) so the actually available memory for
58033 + module code will usually be more than this minimum.
58034 +
58035 + The default 4 MB should be enough for most users but if you have
58036 + an excessive number of modules (e.g., most distribution configs
58037 + compile many drivers as modules) or use huge modules such as
58038 + nvidia's kernel driver, you will need to adjust this amount.
58039 + A good rule of thumb is to look at your currently loaded kernel
58040 + modules and add up their sizes.
58041 +
58042 +endmenu
58043 +
58044 +menu "Address Space Layout Randomization"
58045 + depends on PAX
58046 +
58047 +config PAX_ASLR
58048 + bool "Address Space Layout Randomization"
58049 + depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
58050 + help
58051 + Many if not most exploit techniques rely on the knowledge of
58052 + certain addresses in the attacked program. The following options
58053 + will allow the kernel to apply a certain amount of randomization
58054 + to specific parts of the program thereby forcing an attacker to
58055 + guess them in most cases. Any failed guess will most likely crash
58056 + the attacked program which allows the kernel to detect such attempts
58057 + and react on them. PaX itself provides no reaction mechanisms,
58058 + instead it is strongly encouraged that you make use of Nergal's
58059 + segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
58060 + (http://www.grsecurity.net/) built-in crash detection features or
58061 + develop one yourself.
58062 +
58063 + By saying Y here you can choose to randomize the following areas:
58064 + - top of the task's kernel stack
58065 + - top of the task's userland stack
58066 + - base address for mmap() requests that do not specify one
58067 + (this includes all libraries)
58068 + - base address of the main executable
58069 +
58070 + It is strongly recommended to say Y here as address space layout
58071 + randomization has negligible impact on performance yet it provides
58072 + a very effective protection.
58073 +
58074 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
58075 + this feature on a per file basis.
58076 +
58077 +config PAX_RANDKSTACK
58078 + bool "Randomize kernel stack base"
58079 + depends on PAX_ASLR && X86_TSC && X86_32
58080 + help
58081 + By saying Y here the kernel will randomize every task's kernel
58082 + stack on every system call. This will not only force an attacker
58083 + to guess it but also prevent him from making use of possible
58084 + leaked information about it.
58085 +
58086 + Since the kernel stack is a rather scarce resource, randomization
58087 + may cause unexpected stack overflows, therefore you should very
58088 + carefully test your system. Note that once enabled in the kernel
58089 + configuration, this feature cannot be disabled on a per file basis.
58090 +
58091 +config PAX_RANDUSTACK
58092 + bool "Randomize user stack base"
58093 + depends on PAX_ASLR
58094 + help
58095 + By saying Y here the kernel will randomize every task's userland
58096 + stack. The randomization is done in two steps where the second
58097 + one may apply a big amount of shift to the top of the stack and
58098 + cause problems for programs that want to use lots of memory (more
58099 + than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
58100 + For this reason the second step can be controlled by 'chpax' or
58101 + 'paxctl' on a per file basis.
58102 +
58103 +config PAX_RANDMMAP
58104 + bool "Randomize mmap() base"
58105 + depends on PAX_ASLR
58106 + help
58107 + By saying Y here the kernel will use a randomized base address for
58108 + mmap() requests that do not specify one themselves. As a result
58109 + all dynamically loaded libraries will appear at random addresses
58110 + and therefore be harder to exploit by a technique where an attacker
58111 + attempts to execute library code for his purposes (e.g. spawn a
58112 + shell from an exploited program that is running at an elevated
58113 + privilege level).
58114 +
58115 + Furthermore, if a program is relinked as a dynamic ELF file, its
58116 + base address will be randomized as well, completing the full
58117 + randomization of the address space layout. Attacking such programs
58118 + becomes a guess game. You can find an example of doing this at
58119 + http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
58120 + http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
58121 +
58122 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
58123 + feature on a per file basis.
58124 +
58125 +endmenu
58126 +
58127 +menu "Miscellaneous hardening features"
58128 +
58129 +config PAX_MEMORY_SANITIZE
58130 + bool "Sanitize all freed memory"
58131 + help
58132 + By saying Y here the kernel will erase memory pages as soon as they
58133 + are freed. This in turn reduces the lifetime of data stored in the
58134 + pages, making it less likely that sensitive information such as
58135 + passwords, cryptographic secrets, etc stay in memory for too long.
58136 +
58137 + This is especially useful for programs whose runtime is short, long
58138 + lived processes and the kernel itself benefit from this as long as
58139 + they operate on whole memory pages and ensure timely freeing of pages
58140 + that may hold sensitive information.
58141 +
58142 + The tradeoff is performance impact, on a single CPU system kernel
58143 + compilation sees a 3% slowdown, other systems and workloads may vary
58144 + and you are advised to test this feature on your expected workload
58145 + before deploying it.
58146 +
58147 + Note that this feature does not protect data stored in live pages,
58148 + e.g., process memory swapped to disk may stay there for a long time.
58149 +
58150 +config PAX_MEMORY_UDEREF
58151 + bool "Prevent invalid userland pointer dereference"
58152 + depends on X86 && !UML_X86 && !XEN
58153 + select PAX_PER_CPU_PGD if X86_64
58154 + help
58155 + By saying Y here the kernel will be prevented from dereferencing
58156 + userland pointers in contexts where the kernel expects only kernel
58157 + pointers. This is both a useful runtime debugging feature and a
58158 + security measure that prevents exploiting a class of kernel bugs.
58159 +
58160 + The tradeoff is that some virtualization solutions may experience
58161 + a huge slowdown and therefore you should not enable this feature
58162 + for kernels meant to run in such environments. Whether a given VM
58163 + solution is affected or not is best determined by simply trying it
58164 + out, the performance impact will be obvious right on boot as this
58165 + mechanism engages from very early on. A good rule of thumb is that
58166 + VMs running on CPUs without hardware virtualization support (i.e.,
58167 + the majority of IA-32 CPUs) will likely experience the slowdown.
58168 +
58169 +config PAX_REFCOUNT
58170 + bool "Prevent various kernel object reference counter overflows"
58171 + depends on GRKERNSEC && (X86 || SPARC64)
58172 + help
58173 + By saying Y here the kernel will detect and prevent overflowing
58174 + various (but not all) kinds of object reference counters. Such
58175 + overflows can normally occur due to bugs only and are often, if
58176 + not always, exploitable.
58177 +
58178 + The tradeoff is that data structures protected by an overflowed
58179 + refcount will never be freed and therefore will leak memory. Note
58180 + that this leak also happens even without this protection but in
58181 + that case the overflow can eventually trigger the freeing of the
58182 + data structure while it is still being used elsewhere, resulting
58183 + in the exploitable situation that this feature prevents.
58184 +
58185 + Since this has a negligible performance impact, you should enable
58186 + this feature.
58187 +
58188 +config PAX_USERCOPY
58189 + bool "Bounds check heap object copies between kernel and userland"
58190 + depends on X86 || PPC || SPARC
58191 + depends on GRKERNSEC && (SLAB || SLUB || SLOB)
58192 + help
58193 + By saying Y here the kernel will enforce the size of heap objects
58194 + when they are copied in either direction between the kernel and
58195 + userland, even if only a part of the heap object is copied.
58196 +
58197 + Specifically, this checking prevents information leaking from the
58198 + kernel heap during kernel to userland copies (if the kernel heap
58199 + object is otherwise fully initialized) and prevents kernel heap
58200 + overflows during userland to kernel copies.
58201 +
58202 + Note that the current implementation provides the strictest checks
58203 + for the SLUB allocator.
58204 +
58205 + If frame pointers are enabled on x86, this option will also restrict
58206 + copies into and out of the kernel stack to local variables within a
58207 + single frame.
58208 +
58209 + Since this has a negligible performance impact, you should enable
58210 + this feature.
58211 +
58212 +endmenu
58213 +
58214 +endmenu
58215 +
58216 config KEYS
58217 bool "Enable access key retention support"
58218 help
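Review bot: The S390 alternatives in this menu are unreachable: `config PAX`, on which every sub-menu here depends, lists `ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86` without S390, yet PAX_NOEXEC's `depends on` admits S390 and PAX_PAGEEXEC carries `select S390_SWITCH_AMODE if S390` and `select S390_EXEC_PROTECT if S390`. Unless another part of the patch extends PAX's architecture list, either add `S390` there or drop the S390 terms so the menu does not advertise a configuration it cannot enable. The reverse mismatch exists for avr32: PAX_PAGEEXEC's help text promises no performance impact on avr32, but AVR32 is absent from PAX_NOEXEC's `depends on`, so the option can never be selected on that architecture; remove avr32 from the help text or add `AVR32` to the dependency.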
58219 @@ -136,7 +639,7 @@ config INTEL_TXT
58220 config LSM_MMAP_MIN_ADDR
58221 int "Low address space for LSM to protect from user allocation"
58222 depends on SECURITY && SECURITY_SELINUX
58223 - default 65536
58224 + default 32768
58225 help
58226 This is the portion of low virtual memory which should be protected
58227 from userspace allocation. Keeping a user from writing to low pages
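Review bot: Halving LSM_MMAP_MIN_ADDR's default from 65536 to 32768 shrinks the low address range that SELinux-enabled systems keep out of userspace reach — the region the help text below describes as the protection against NULL-pointer-dereference kernel bugs — and the hunk records no reason for it. If the lower value is needed (for instance to accommodate userland that maps below 64 KiB), say so in the help text, e.g. `The hardened default is 32768; raise it back to 65536 unless you need mappings below 64 KiB.`; otherwise keep 65536. As far as update_mmap_min_addr() in security/min_addr.c shows, the effective floor is the larger of this value and the DAC value, so the weakening bites only where vm.mmap_min_addr is also at or below 32768.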
58228 diff -urNp linux-2.6.37/security/min_addr.c linux-2.6.37/security/min_addr.c
58229 --- linux-2.6.37/security/min_addr.c 2011-01-04 19:50:19.000000000 -0500
58230 +++ linux-2.6.37/security/min_addr.c 2011-01-17 02:41:02.000000000 -0500
58231 @@ -14,6 +14,7 @@ unsigned long dac_mmap_min_addr = CONFIG
58232 */
58233 static void update_mmap_min_addr(void)
58234 {
58235 +#ifndef SPARC
58236 #ifdef CONFIG_LSM_MMAP_MIN_ADDR
58237 if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
58238 mmap_min_addr = dac_mmap_min_addr;
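Review bot: `#ifndef SPARC` tests a symbol the kernel does not define — the Kconfig-derived macro is `CONFIG_SPARC` and the compiler predefine is `__sparc__` — so unless this patch defines `SPARC` elsewhere the guard is always true and the intended sparc exclusion never takes effect: on sparc the function keeps updating mmap_min_addr exactly as upstream does. Change the guard to `#ifndef CONFIG_SPARC` and add a comment naming the reason sparc is excluded, which is not visible in this hunk. Be aware that once the exclusion works, update_mmap_min_addr() becomes a no-op on sparc, so neither the DAC nor the LSM floor can be raised there at runtime. The matching `#endif` lands in the next hunk.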
58239 @@ -22,6 +23,7 @@ static void update_mmap_min_addr(void)
58240 #else
58241 mmap_min_addr = dac_mmap_min_addr;
58242 #endif
58243 +#endif
58244 }
58245
58246 /*
58247 diff -urNp linux-2.6.37/security/security.c linux-2.6.37/security/security.c
58248 --- linux-2.6.37/security/security.c 2011-01-04 19:50:19.000000000 -0500
58249 +++ linux-2.6.37/security/security.c 2011-01-17 02:41:02.000000000 -0500
58250 @@ -25,8 +25,8 @@ static __initdata char chosen_lsm[SECURI
58251 /* things that live in capability.c */
58252 extern void __init security_fixup_ops(struct security_operations *ops);
58253
58254 -static struct security_operations *security_ops;
58255 -static struct security_operations default_security_ops = {
58256 +static struct security_operations *security_ops __read_only;
58257 +static struct security_operations default_security_ops __read_only = {
58258 .name = "default",
58259 };
58260
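Review bot: `security_ops` is now `__read_only`, but this hunk only changes the declarations; every store to it must be bracketed with pax_open_kernel()/pax_close_kernel(), including the ones in register_security() and security_init() (outside this view), otherwise they fault once KERNEXEC makes the section read-only. The same applies to the ops tables themselves: `security_fixup_ops()`, whose prototype heads this hunk, fills in the registered table at init as far as its name and use suggest, and with selinux_ops, smack_ops and tomoyo_security_ops also marked `__read_only` later in the patch that write must be bracketed in security/capability.c as well. A comment on the declaration would make the contract explicit, e.g. `/* __read_only: any writer must wrap the store in pax_open_kernel()/pax_close_kernel() */`.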
58261 @@ -67,7 +67,9 @@ int __init security_init(void)
58262
58263 void reset_security_ops(void)
58264 {
58265 + pax_open_kernel();
58266 security_ops = &default_security_ops;
58267 + pax_close_kernel();
58268 }
58269
58270 /* Save user chosen LSM */
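Review bot: The pax_open_kernel()/pax_close_kernel() pair around the store is unexplained, so a reader who has not seen the `__read_only` declaration above meets an unmotivated pair of calls. Suggest `/* security_ops lives in read-only data under KERNEXEC; open the write window only for this store */` on the first line of the pair, which also signals that nothing else should be added inside the window.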
58271 diff -urNp linux-2.6.37/security/selinux/hooks.c linux-2.6.37/security/selinux/hooks.c
58272 --- linux-2.6.37/security/selinux/hooks.c 2011-01-04 19:50:19.000000000 -0500
58273 +++ linux-2.6.37/security/selinux/hooks.c 2011-01-17 02:41:02.000000000 -0500
58274 @@ -90,7 +90,6 @@
58275 #define NUM_SEL_MNT_OPTS 5
58276
58277 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
58278 -extern struct security_operations *security_ops;
58279
58280 /* SECMARK reference count */
58281 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
58282 @@ -5388,7 +5387,7 @@ static int selinux_key_getsecurity(struc
58283
58284 #endif
58285
58286 -static struct security_operations selinux_ops = {
58287 +static struct security_operations selinux_ops __read_only = {
58288 .name = "selinux",
58289
58290 .ptrace_access_check = selinux_ptrace_access_check,
58291 diff -urNp linux-2.6.37/security/smack/smack_lsm.c linux-2.6.37/security/smack/smack_lsm.c
58292 --- linux-2.6.37/security/smack/smack_lsm.c 2011-01-04 19:50:19.000000000 -0500
58293 +++ linux-2.6.37/security/smack/smack_lsm.c 2011-01-17 02:41:02.000000000 -0500
58294 @@ -3052,7 +3052,7 @@ static int smack_inode_getsecctx(struct
58295 return 0;
58296 }
58297
58298 -struct security_operations smack_ops = {
58299 +struct security_operations smack_ops __read_only = {
58300 .name = "smack",
58301
58302 .ptrace_access_check = smack_ptrace_access_check,
58303 diff -urNp linux-2.6.37/security/tomoyo/tomoyo.c linux-2.6.37/security/tomoyo/tomoyo.c
58304 --- linux-2.6.37/security/tomoyo/tomoyo.c 2011-01-04 19:50:19.000000000 -0500
58305 +++ linux-2.6.37/security/tomoyo/tomoyo.c 2011-01-17 02:41:02.000000000 -0500
58306 @@ -240,7 +240,7 @@ static int tomoyo_sb_pivotroot(struct pa
58307 * tomoyo_security_ops is a "struct security_operations" which is used for
58308 * registering TOMOYO.
58309 */
58310 -static struct security_operations tomoyo_security_ops = {
58311 +static struct security_operations tomoyo_security_ops __read_only = {
58312 .name = "tomoyo",
58313 .cred_alloc_blank = tomoyo_cred_alloc_blank,
58314 .cred_prepare = tomoyo_cred_prepare,
58315 diff -urNp linux-2.6.37/sound/aoa/codecs/onyx.c linux-2.6.37/sound/aoa/codecs/onyx.c
58316 --- linux-2.6.37/sound/aoa/codecs/onyx.c 2011-01-04 19:50:19.000000000 -0500
58317 +++ linux-2.6.37/sound/aoa/codecs/onyx.c 2011-01-17 02:41:02.000000000 -0500
58318 @@ -54,7 +54,7 @@ struct onyx {
58319 spdif_locked:1,
58320 analog_locked:1,
58321 original_mute:2;
58322 - int open_count;
58323 + atomic_t open_count;
58324 struct codec_info *codec_info;
58325
58326 /* mutex serializes concurrent access to the device
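Review bot: `open_count` becomes atomic_t while every access shown in this file remains under onyx->mutex (see the open and close hunks below), so the atomic provides no mutual exclusion and a reader is left guessing why it was introduced; presumably the point is to put the counter under PAX_REFCOUNT's overflow detection, and the field should say so: `atomic_t open_count; /* atomic_t for refcount overflow detection; still serialized by mutex */`. Also check the allocation site of struct onyx, outside this view: if it assigns `open_count = 0` instead of relying on a zeroing allocator, that store now needs atomic_set().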
58327 @@ -753,7 +753,7 @@ static int onyx_open(struct codec_info_i
58328 struct onyx *onyx = cii->codec_data;
58329
58330 mutex_lock(&onyx->mutex);
58331 - onyx->open_count++;
58332 + atomic_inc(&onyx->open_count);
58333 mutex_unlock(&onyx->mutex);
58334
58335 return 0;
58336 @@ -765,8 +765,7 @@ static int onyx_close(struct codec_info_
58337 struct onyx *onyx = cii->codec_data;
58338
58339 mutex_lock(&onyx->mutex);
58340 - onyx->open_count--;
58341 - if (!onyx->open_count)
58342 + if (atomic_dec_and_test(&onyx->open_count))
58343 onyx->spdif_locked = onyx->analog_locked = 0;
58344 mutex_unlock(&onyx->mutex);
58345
58346 diff -urNp linux-2.6.37/sound/core/oss/pcm_oss.c linux-2.6.37/sound/core/oss/pcm_oss.c
58347 --- linux-2.6.37/sound/core/oss/pcm_oss.c 2011-01-04 19:50:19.000000000 -0500
58348 +++ linux-2.6.37/sound/core/oss/pcm_oss.c 2011-01-17 02:41:02.000000000 -0500
58349 @@ -2969,8 +2969,8 @@ static void snd_pcm_oss_proc_done(struct
58350 }
58351 }
58352 #else /* !CONFIG_SND_VERBOSE_PROCFS */
58353 -#define snd_pcm_oss_proc_init(pcm)
58354 -#define snd_pcm_oss_proc_done(pcm)
58355 +#define snd_pcm_oss_proc_init(pcm) do {} while (0)
58356 +#define snd_pcm_oss_proc_done(pcm) do {} while (0)
58357 #endif /* CONFIG_SND_VERBOSE_PROCFS */
58358
58359 /*
58360 diff -urNp linux-2.6.37/sound/core/seq/seq_lock.h linux-2.6.37/sound/core/seq/seq_lock.h
58361 --- linux-2.6.37/sound/core/seq/seq_lock.h 2011-01-04 19:50:19.000000000 -0500
58362 +++ linux-2.6.37/sound/core/seq/seq_lock.h 2011-01-17 02:41:02.000000000 -0500
58363 @@ -23,10 +23,10 @@ void snd_use_lock_sync_helper(snd_use_lo
58364 #else /* SMP || CONFIG_SND_DEBUG */
58365
58366 typedef spinlock_t snd_use_lock_t; /* dummy */
58367 -#define snd_use_lock_init(lockp) /**/
58368 -#define snd_use_lock_use(lockp) /**/
58369 -#define snd_use_lock_free(lockp) /**/
58370 -#define snd_use_lock_sync(lockp) /**/
58371 +#define snd_use_lock_init(lockp) do {} while (0)
58372 +#define snd_use_lock_use(lockp) do {} while (0)
58373 +#define snd_use_lock_free(lockp) do {} while (0)
58374 +#define snd_use_lock_sync(lockp) do {} while (0)
58375
58376 #endif /* SMP || CONFIG_SND_DEBUG */
58377
58378 diff -urNp linux-2.6.37/sound/drivers/mts64.c linux-2.6.37/sound/drivers/mts64.c
58379 --- linux-2.6.37/sound/drivers/mts64.c 2011-01-04 19:50:19.000000000 -0500
58380 +++ linux-2.6.37/sound/drivers/mts64.c 2011-01-17 02:41:02.000000000 -0500
58381 @@ -66,7 +66,7 @@ struct mts64 {
58382 struct pardevice *pardev;
58383 int pardev_claimed;
58384
58385 - int open_count;
58386 + atomic_t open_count;
58387 int current_midi_output_port;
58388 int current_midi_input_port;
58389 u8 mode[MTS64_NUM_INPUT_PORTS];
58390 @@ -696,7 +696,7 @@ static int snd_mts64_rawmidi_open(struct
58391 {
58392 struct mts64 *mts = substream->rmidi->private_data;
58393
58394 - if (mts->open_count == 0) {
58395 + if (atomic_read(&mts->open_count) == 0) {
58396 /* We don't need a spinlock here, because this is just called
58397 if the device has not been opened before.
58398 So there aren't any IRQs from the device */
58399 @@ -704,7 +704,7 @@ static int snd_mts64_rawmidi_open(struct
58400
58401 msleep(50);
58402 }
58403 - ++(mts->open_count);
58404 + atomic_inc(&mts->open_count);
58405
58406 return 0;
58407 }
58408 @@ -714,8 +714,7 @@ static int snd_mts64_rawmidi_close(struc
58409 struct mts64 *mts = substream->rmidi->private_data;
58410 unsigned long flags;
58411
58412 - --(mts->open_count);
58413 - if (mts->open_count == 0) {
58414 + if (atomic_dec_return(&mts->open_count) == 0) {
58415 /* We need the spinlock_irqsave here because we can still
58416 have IRQs at this point */
58417 spin_lock_irqsave(&mts->lock, flags);
58418 @@ -724,8 +723,8 @@ static int snd_mts64_rawmidi_close(struc
58419
58420 msleep(500);
58421
58422 - } else if (mts->open_count < 0)
58423 - mts->open_count = 0;
58424 + } else if (atomic_read(&mts->open_count) < 0)
58425 + atomic_set(&mts->open_count, 0);
58426
58427 return 0;
58428 }
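Review bot: The `else if (atomic_read(&mts->open_count) < 0)` test re-reads the counter after `atomic_dec_return()` in the previous hunk has already returned the post-decrement value, so a concurrent open landing between the two reads can hide an underflow or trigger a spurious reset; keep the single result instead: `int count = atomic_dec_return(&mts->open_count);` followed by `if (count == 0) { … } else if (count < 0) atomic_set(&mts->open_count, 0);`. The clamp itself only masks an unbalanced close that the atomic conversion does not fix, so a `WARN_ON_ONCE(count < 0)` would be more informative than silently resetting. The enclosing snd_mts64_rawmidi_close() begins outside this hunk.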
58429 diff -urNp linux-2.6.37/sound/drivers/portman2x4.c linux-2.6.37/sound/drivers/portman2x4.c
58430 --- linux-2.6.37/sound/drivers/portman2x4.c 2011-01-04 19:50:19.000000000 -0500
58431 +++ linux-2.6.37/sound/drivers/portman2x4.c 2011-01-17 02:41:02.000000000 -0500
58432 @@ -84,7 +84,7 @@ struct portman {
58433 struct pardevice *pardev;
58434 int pardev_claimed;
58435
58436 - int open_count;
58437 + atomic_t open_count;
58438 int mode[PORTMAN_NUM_INPUT_PORTS];
58439 struct snd_rawmidi_substream *midi_input[PORTMAN_NUM_INPUT_PORTS];
58440 };
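Review bot: Only the field type changes here, so any remaining plain-integer use of `open_count` in portman2x4.c — none is visible in this chunk — will now fail to compile and must move to `atomic_read()`/`atomic_inc()`/`atomic_dec_return()`, as done for mts64 above. If the field has no users at all, dropping it is the cleaner change than widening its type. The struct portman definition begins outside this hunk.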
58441 diff -urNp linux-2.6.37/sound/oss/sb_audio.c linux-2.6.37/sound/oss/sb_audio.c
58442 --- linux-2.6.37/sound/oss/sb_audio.c 2011-01-04 19:50:19.000000000 -0500
58443 +++ linux-2.6.37/sound/oss/sb_audio.c 2011-01-17 02:41:02.000000000 -0500
58444 @@ -901,7 +901,7 @@ sb16_copy_from_user(int dev,
58445 buf16 = (signed short *)(localbuf + localoffs);
58446 while (c)
58447 {
58448 - locallen = (c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
58449 + locallen = ((unsigned)c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
58450 if (copy_from_user(lbuf8,
58451 userbuf+useroffs + p,
58452 locallen))
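Review bot: The `(unsigned)c` cast bounds a single copy_from_user() but does not terminate the `while (c)` loop: a negative `c` (computed from the caller's int lengths before this hunk) now yields `locallen = LBUFCOPYSIZE` on every pass, and if the loop advances `c` by `locallen` as its shape suggests it never reaches zero while the conversion keeps writing to `buf16` at growing offsets. Reject the bad length before the loop, `if (c < 0) return -EINVAL;`, or make `c` and `locallen` unsigned so the comparison needs no cast. sb16_copy_from_user() starts and ends outside this hunk, so the remainder of the loop body is not visible here.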
58453 diff -urNp linux-2.6.37/sound/oss/swarm_cs4297a.c linux-2.6.37/sound/oss/swarm_cs4297a.c
58454 --- linux-2.6.37/sound/oss/swarm_cs4297a.c 2011-01-04 19:50:19.000000000 -0500
58455 +++ linux-2.6.37/sound/oss/swarm_cs4297a.c 2011-01-17 02:41:02.000000000 -0500
58456 @@ -2606,7 +2606,6 @@ static int __init cs4297a_init(void)
58457 {
58458 struct cs4297a_state *s;
58459 u32 pwr, id;
58460 - mm_segment_t fs;
58461 int rval;
58462 #ifndef CONFIG_BCM_CS4297A_CSWARM
58463 u64 cfg;
58464 @@ -2696,22 +2695,23 @@ static int __init cs4297a_init(void)
58465 if (!rval) {
58466 char *sb1250_duart_present;
58467
58468 +#if 0
58469 + mm_segment_t fs;
58470 fs = get_fs();
58471 set_fs(KERNEL_DS);
58472 -#if 0
58473 val = SOUND_MASK_LINE;
58474 mixer_ioctl(s, SOUND_MIXER_WRITE_RECSRC, (unsigned long) &val);
58475 for (i = 0; i < ARRAY_SIZE(initvol); i++) {
58476 val = initvol[i].vol;
58477 mixer_ioctl(s, initvol[i].mixch, (unsigned long) &val);
58478 }
58479 + set_fs(fs);
58480 // cs4297a_write_ac97(s, 0x18, 0x0808);
58481 #else
58482 // cs4297a_write_ac97(s, 0x5e, 0x180);
58483 cs4297a_write_ac97(s, 0x02, 0x0808);
58484 cs4297a_write_ac97(s, 0x18, 0x0808);
58485 #endif
58486 - set_fs(fs);
58487
58488 list_add(&s->list, &cs4297a_devs);
58489
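Review bot: Moving `fs` and `set_fs(KERNEL_DS)` under `#if 0` is the right direction — the live `#else` path only issues cs4297a_write_ac97() calls and never needed the raised address limit — but the disabled block still preserves a `set_fs(KERNEL_DS)` window around mixer_ioctl() calls on kernel pointers, exactly the pattern that should not be waiting to be re-enabled by a later cleanup. Delete the `#if 0` branch together with its `#else`/`#endif` and keep just the two cs4297a_write_ac97() calls, rather than parking the dead code. cs4297a_init() starts and ends outside this hunk.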
58490 diff -urNp linux-2.6.37/sound/pci/ac97/ac97_codec.c linux-2.6.37/sound/pci/ac97/ac97_codec.c
58491 --- linux-2.6.37/sound/pci/ac97/ac97_codec.c 2011-01-04 19:50:19.000000000 -0500
58492 +++ linux-2.6.37/sound/pci/ac97/ac97_codec.c 2011-01-17 02:41:02.000000000 -0500
58493 @@ -1962,7 +1962,7 @@ static int snd_ac97_dev_disconnect(struc
58494 }
58495
58496 /* build_ops to do nothing */
58497 -static struct snd_ac97_build_ops null_build_ops;
58498 +static const struct snd_ac97_build_ops null_build_ops;
58499
58500 #ifdef CONFIG_SND_AC97_POWER_SAVE
58501 static void do_update_power(struct work_struct *work)
58502 diff -urNp linux-2.6.37/sound/pci/ac97/ac97_patch.c linux-2.6.37/sound/pci/ac97/ac97_patch.c
58503 --- linux-2.6.37/sound/pci/ac97/ac97_patch.c 2011-01-04 19:50:19.000000000 -0500
58504 +++ linux-2.6.37/sound/pci/ac97/ac97_patch.c 2011-01-17 02:41:02.000000000 -0500
58505 @@ -371,7 +371,7 @@ static int patch_yamaha_ymf743_build_spd
58506 return 0;
58507 }
58508
58509 -static struct snd_ac97_build_ops patch_yamaha_ymf743_ops = {
58510 +static const struct snd_ac97_build_ops patch_yamaha_ymf743_ops = {
58511 .build_spdif = patch_yamaha_ymf743_build_spdif,
58512 .build_3d = patch_yamaha_ymf7x3_3d,
58513 };
58514 @@ -455,7 +455,7 @@ static int patch_yamaha_ymf753_post_spdi
58515 return 0;
58516 }
58517
58518 -static struct snd_ac97_build_ops patch_yamaha_ymf753_ops = {
58519 +static const struct snd_ac97_build_ops patch_yamaha_ymf753_ops = {
58520 .build_3d = patch_yamaha_ymf7x3_3d,
58521 .build_post_spdif = patch_yamaha_ymf753_post_spdif
58522 };
58523 @@ -502,7 +502,7 @@ static int patch_wolfson_wm9703_specific
58524 return 0;
58525 }
58526
58527 -static struct snd_ac97_build_ops patch_wolfson_wm9703_ops = {
58528 +static const struct snd_ac97_build_ops patch_wolfson_wm9703_ops = {
58529 .build_specific = patch_wolfson_wm9703_specific,
58530 };
58531
58532 @@ -533,7 +533,7 @@ static int patch_wolfson_wm9704_specific
58533 return 0;
58534 }
58535
58536 -static struct snd_ac97_build_ops patch_wolfson_wm9704_ops = {
58537 +static const struct snd_ac97_build_ops patch_wolfson_wm9704_ops = {
58538 .build_specific = patch_wolfson_wm9704_specific,
58539 };
58540
58541 @@ -677,7 +677,7 @@ static int patch_wolfson_wm9711_specific
58542 return 0;
58543 }
58544
58545 -static struct snd_ac97_build_ops patch_wolfson_wm9711_ops = {
58546 +static const struct snd_ac97_build_ops patch_wolfson_wm9711_ops = {
58547 .build_specific = patch_wolfson_wm9711_specific,
58548 };
58549
58550 @@ -871,7 +871,7 @@ static void patch_wolfson_wm9713_resume
58551 }
58552 #endif
58553
58554 -static struct snd_ac97_build_ops patch_wolfson_wm9713_ops = {
58555 +static const struct snd_ac97_build_ops patch_wolfson_wm9713_ops = {
58556 .build_specific = patch_wolfson_wm9713_specific,
58557 .build_3d = patch_wolfson_wm9713_3d,
58558 #ifdef CONFIG_PM
58559 @@ -976,7 +976,7 @@ static int patch_sigmatel_stac97xx_speci
58560 return 0;
58561 }
58562
58563 -static struct snd_ac97_build_ops patch_sigmatel_stac9700_ops = {
58564 +static const struct snd_ac97_build_ops patch_sigmatel_stac9700_ops = {
58565 .build_3d = patch_sigmatel_stac9700_3d,
58566 .build_specific = patch_sigmatel_stac97xx_specific
58567 };
58568 @@ -1023,7 +1023,7 @@ static int patch_sigmatel_stac9708_speci
58569 return patch_sigmatel_stac97xx_specific(ac97);
58570 }
58571
58572 -static struct snd_ac97_build_ops patch_sigmatel_stac9708_ops = {
58573 +static const struct snd_ac97_build_ops patch_sigmatel_stac9708_ops = {
58574 .build_3d = patch_sigmatel_stac9708_3d,
58575 .build_specific = patch_sigmatel_stac9708_specific
58576 };
58577 @@ -1252,7 +1252,7 @@ static int patch_sigmatel_stac9758_speci
58578 return 0;
58579 }
58580
58581 -static struct snd_ac97_build_ops patch_sigmatel_stac9758_ops = {
58582 +static const struct snd_ac97_build_ops patch_sigmatel_stac9758_ops = {
58583 .build_3d = patch_sigmatel_stac9700_3d,
58584 .build_specific = patch_sigmatel_stac9758_specific
58585 };
58586 @@ -1327,7 +1327,7 @@ static int patch_cirrus_build_spdif(stru
58587 return 0;
58588 }
58589
58590 -static struct snd_ac97_build_ops patch_cirrus_ops = {
58591 +static const struct snd_ac97_build_ops patch_cirrus_ops = {
58592 .build_spdif = patch_cirrus_build_spdif
58593 };
58594
58595 @@ -1384,7 +1384,7 @@ static int patch_conexant_build_spdif(st
58596 return 0;
58597 }
58598
58599 -static struct snd_ac97_build_ops patch_conexant_ops = {
58600 +static const struct snd_ac97_build_ops patch_conexant_ops = {
58601 .build_spdif = patch_conexant_build_spdif
58602 };
58603
58604 @@ -1486,7 +1486,7 @@ static const struct snd_ac97_res_table a
58605 { AC97_VIDEO, 0x9f1f },
58606 { AC97_AUX, 0x9f1f },
58607 { AC97_PCM, 0x9f1f },
58608 - { } /* terminator */
58609 + { 0, 0 } /* terminator */
58610 };
58611
58612 static int patch_ad1819(struct snd_ac97 * ac97)
58613 @@ -1560,7 +1560,7 @@ static void patch_ad1881_chained(struct
58614 }
58615 }
58616
58617 -static struct snd_ac97_build_ops patch_ad1881_build_ops = {
58618 +static const struct snd_ac97_build_ops patch_ad1881_build_ops = {
58619 #ifdef CONFIG_PM
58620 .resume = ad18xx_resume
58621 #endif
58622 @@ -1647,7 +1647,7 @@ static int patch_ad1885_specific(struct
58623 return 0;
58624 }
58625
58626 -static struct snd_ac97_build_ops patch_ad1885_build_ops = {
58627 +static const struct snd_ac97_build_ops patch_ad1885_build_ops = {
58628 .build_specific = &patch_ad1885_specific,
58629 #ifdef CONFIG_PM
58630 .resume = ad18xx_resume
58631 @@ -1674,7 +1674,7 @@ static int patch_ad1886_specific(struct
58632 return 0;
58633 }
58634
58635 -static struct snd_ac97_build_ops patch_ad1886_build_ops = {
58636 +static const struct snd_ac97_build_ops patch_ad1886_build_ops = {
58637 .build_specific = &patch_ad1886_specific,
58638 #ifdef CONFIG_PM
58639 .resume = ad18xx_resume
58640 @@ -1881,7 +1881,7 @@ static int patch_ad1981a_specific(struct
58641 ARRAY_SIZE(snd_ac97_ad1981x_jack_sense));
58642 }
58643
58644 -static struct snd_ac97_build_ops patch_ad1981a_build_ops = {
58645 +static const struct snd_ac97_build_ops patch_ad1981a_build_ops = {
58646 .build_post_spdif = patch_ad198x_post_spdif,
58647 .build_specific = patch_ad1981a_specific,
58648 #ifdef CONFIG_PM
58649 @@ -1936,7 +1936,7 @@ static int patch_ad1981b_specific(struct
58650 ARRAY_SIZE(snd_ac97_ad1981x_jack_sense));
58651 }
58652
58653 -static struct snd_ac97_build_ops patch_ad1981b_build_ops = {
58654 +static const struct snd_ac97_build_ops patch_ad1981b_build_ops = {
58655 .build_post_spdif = patch_ad198x_post_spdif,
58656 .build_specific = patch_ad1981b_specific,
58657 #ifdef CONFIG_PM
58658 @@ -2075,7 +2075,7 @@ static int patch_ad1888_specific(struct
58659 return patch_build_controls(ac97, snd_ac97_ad1888_controls, ARRAY_SIZE(snd_ac97_ad1888_controls));
58660 }
58661
58662 -static struct snd_ac97_build_ops patch_ad1888_build_ops = {
58663 +static const struct snd_ac97_build_ops patch_ad1888_build_ops = {
58664 .build_post_spdif = patch_ad198x_post_spdif,
58665 .build_specific = patch_ad1888_specific,
58666 #ifdef CONFIG_PM
58667 @@ -2124,7 +2124,7 @@ static int patch_ad1980_specific(struct
58668 return patch_build_controls(ac97, &snd_ac97_ad198x_2cmic, 1);
58669 }
58670
58671 -static struct snd_ac97_build_ops patch_ad1980_build_ops = {
58672 +static const struct snd_ac97_build_ops patch_ad1980_build_ops = {
58673 .build_post_spdif = patch_ad198x_post_spdif,
58674 .build_specific = patch_ad1980_specific,
58675 #ifdef CONFIG_PM
58676 @@ -2239,7 +2239,7 @@ static int patch_ad1985_specific(struct
58677 ARRAY_SIZE(snd_ac97_ad1985_controls));
58678 }
58679
58680 -static struct snd_ac97_build_ops patch_ad1985_build_ops = {
58681 +static const struct snd_ac97_build_ops patch_ad1985_build_ops = {
58682 .build_post_spdif = patch_ad198x_post_spdif,
58683 .build_specific = patch_ad1985_specific,
58684 #ifdef CONFIG_PM
58685 @@ -2531,7 +2531,7 @@ static int patch_ad1986_specific(struct
58686 ARRAY_SIZE(snd_ac97_ad1985_controls));
58687 }
58688
58689 -static struct snd_ac97_build_ops patch_ad1986_build_ops = {
58690 +static const struct snd_ac97_build_ops patch_ad1986_build_ops = {
58691 .build_post_spdif = patch_ad198x_post_spdif,
58692 .build_specific = patch_ad1986_specific,
58693 #ifdef CONFIG_PM
58694 @@ -2636,7 +2636,7 @@ static int patch_alc650_specific(struct
58695 return 0;
58696 }
58697
58698 -static struct snd_ac97_build_ops patch_alc650_ops = {
58699 +static const struct snd_ac97_build_ops patch_alc650_ops = {
58700 .build_specific = patch_alc650_specific,
58701 .update_jacks = alc650_update_jacks
58702 };
58703 @@ -2788,7 +2788,7 @@ static int patch_alc655_specific(struct
58704 return 0;
58705 }
58706
58707 -static struct snd_ac97_build_ops patch_alc655_ops = {
58708 +static const struct snd_ac97_build_ops patch_alc655_ops = {
58709 .build_specific = patch_alc655_specific,
58710 .update_jacks = alc655_update_jacks
58711 };
58712 @@ -2900,7 +2900,7 @@ static int patch_alc850_specific(struct
58713 return 0;
58714 }
58715
58716 -static struct snd_ac97_build_ops patch_alc850_ops = {
58717 +static const struct snd_ac97_build_ops patch_alc850_ops = {
58718 .build_specific = patch_alc850_specific,
58719 .update_jacks = alc850_update_jacks
58720 };
58721 @@ -2962,7 +2962,7 @@ static int patch_cm9738_specific(struct
58722 return patch_build_controls(ac97, snd_ac97_cm9738_controls, ARRAY_SIZE(snd_ac97_cm9738_controls));
58723 }
58724
58725 -static struct snd_ac97_build_ops patch_cm9738_ops = {
58726 +static const struct snd_ac97_build_ops patch_cm9738_ops = {
58727 .build_specific = patch_cm9738_specific,
58728 .update_jacks = cm9738_update_jacks
58729 };
58730 @@ -3053,7 +3053,7 @@ static int patch_cm9739_post_spdif(struc
58731 return patch_build_controls(ac97, snd_ac97_cm9739_controls_spdif, ARRAY_SIZE(snd_ac97_cm9739_controls_spdif));
58732 }
58733
58734 -static struct snd_ac97_build_ops patch_cm9739_ops = {
58735 +static const struct snd_ac97_build_ops patch_cm9739_ops = {
58736 .build_specific = patch_cm9739_specific,
58737 .build_post_spdif = patch_cm9739_post_spdif,
58738 .update_jacks = cm9739_update_jacks
58739 @@ -3227,7 +3227,7 @@ static int patch_cm9761_specific(struct
58740 return patch_build_controls(ac97, snd_ac97_cm9761_controls, ARRAY_SIZE(snd_ac97_cm9761_controls));
58741 }
58742
58743 -static struct snd_ac97_build_ops patch_cm9761_ops = {
58744 +static const struct snd_ac97_build_ops patch_cm9761_ops = {
58745 .build_specific = patch_cm9761_specific,
58746 .build_post_spdif = patch_cm9761_post_spdif,
58747 .update_jacks = cm9761_update_jacks
58748 @@ -3323,7 +3323,7 @@ static int patch_cm9780_specific(struct
58749 return patch_build_controls(ac97, cm9780_controls, ARRAY_SIZE(cm9780_controls));
58750 }
58751
58752 -static struct snd_ac97_build_ops patch_cm9780_ops = {
58753 +static const struct snd_ac97_build_ops patch_cm9780_ops = {
58754 .build_specific = patch_cm9780_specific,
58755 .build_post_spdif = patch_cm9761_post_spdif /* identical with CM9761 */
58756 };
58757 @@ -3443,7 +3443,7 @@ static int patch_vt1616_specific(struct
58758 return 0;
58759 }
58760
58761 -static struct snd_ac97_build_ops patch_vt1616_ops = {
58762 +static const struct snd_ac97_build_ops patch_vt1616_ops = {
58763 .build_specific = patch_vt1616_specific
58764 };
58765
58766 @@ -3797,7 +3797,7 @@ static int patch_it2646_specific(struct
58767 return 0;
58768 }
58769
58770 -static struct snd_ac97_build_ops patch_it2646_ops = {
58771 +static const struct snd_ac97_build_ops patch_it2646_ops = {
58772 .build_specific = patch_it2646_specific,
58773 .update_jacks = it2646_update_jacks
58774 };
58775 @@ -3831,7 +3831,7 @@ static int patch_si3036_specific(struct
58776 return 0;
58777 }
58778
58779 -static struct snd_ac97_build_ops patch_si3036_ops = {
58780 +static const struct snd_ac97_build_ops patch_si3036_ops = {
58781 .build_specific = patch_si3036_specific,
58782 };
58783
58784 @@ -3864,7 +3864,7 @@ static struct snd_ac97_res_table lm4550_
58785 { AC97_AUX, 0x1f1f },
58786 { AC97_PCM, 0x1f1f },
58787 { AC97_REC_GAIN, 0x0f0f },
58788 - { } /* terminator */
58789 + { 0, 0 } /* terminator */
58790 };
58791
58792 static int patch_lm4550(struct snd_ac97 *ac97)
58793 @@ -3898,7 +3898,7 @@ static int patch_ucb1400_specific(struct
58794 return 0;
58795 }
58796
58797 -static struct snd_ac97_build_ops patch_ucb1400_ops = {
58798 +static const struct snd_ac97_build_ops patch_ucb1400_ops = {
58799 .build_specific = patch_ucb1400_specific,
58800 };
58801
58802 diff -urNp linux-2.6.37/sound/pci/ens1370.c linux-2.6.37/sound/pci/ens1370.c
58803 --- linux-2.6.37/sound/pci/ens1370.c 2011-01-04 19:50:19.000000000 -0500
58804 +++ linux-2.6.37/sound/pci/ens1370.c 2011-01-17 02:41:02.000000000 -0500
58805 @@ -452,7 +452,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_audio
58806 { PCI_VDEVICE(ENSONIQ, 0x5880), 0, }, /* ES1373 - CT5880 */
58807 { PCI_VDEVICE(ECTIVA, 0x8938), 0, }, /* Ectiva EV1938 */
58808 #endif
58809 - { 0, }
58810 + { 0, 0, 0, 0, 0, 0, 0 }
58811 };
58812
58813 MODULE_DEVICE_TABLE(pci, snd_audiopci_ids);
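Review bot: The seven explicit zeros hard-code the current member count of struct pci_device_id, so the terminator becomes a partial initializer again the moment the struct gains a field, and it reads worse than the `{ 0, }` it replaces, which already zero-fills every member. If the aim is to silence -Wmissing-field-initializers, a designated `{ .vendor = 0 }` does so without depending on layout; the same applies to the identical terminators in intel8x0.c and intel8x0m.c below.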
58814 diff -urNp linux-2.6.37/sound/pci/hda/patch_hdmi.c linux-2.6.37/sound/pci/hda/patch_hdmi.c
58815 --- linux-2.6.37/sound/pci/hda/patch_hdmi.c 2011-01-04 19:50:19.000000000 -0500
58816 +++ linux-2.6.37/sound/pci/hda/patch_hdmi.c 2011-01-17 02:41:02.000000000 -0500
58817 @@ -726,10 +726,10 @@ static void hdmi_non_intrinsic_event(str
58818 cp_ready);
58819
58820 /* TODO */
58821 - if (cp_state)
58822 - ;
58823 - if (cp_ready)
58824 - ;
58825 + if (cp_state) {
58826 + }
58827 + if (cp_ready) {
58828 + }
58829 }
58830
58831
58832 diff -urNp linux-2.6.37/sound/pci/intel8x0.c linux-2.6.37/sound/pci/intel8x0.c
58833 --- linux-2.6.37/sound/pci/intel8x0.c 2011-01-04 19:50:19.000000000 -0500
58834 +++ linux-2.6.37/sound/pci/intel8x0.c 2011-01-17 02:41:02.000000000 -0500
58835 @@ -444,7 +444,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_intel
58836 { PCI_VDEVICE(AMD, 0x746d), DEVICE_INTEL }, /* AMD8111 */
58837 { PCI_VDEVICE(AMD, 0x7445), DEVICE_INTEL }, /* AMD768 */
58838 { PCI_VDEVICE(AL, 0x5455), DEVICE_ALI }, /* Ali5455 */
58839 - { 0, }
58840 + { 0, 0, 0, 0, 0, 0, 0 }
58841 };
58842
58843 MODULE_DEVICE_TABLE(pci, snd_intel8x0_ids);
58844 @@ -2141,7 +2141,7 @@ static struct ac97_quirk ac97_quirks[] _
58845 .type = AC97_TUNE_HP_ONLY
58846 },
58847 #endif
58848 - { } /* terminator */
58849 + { 0, 0, 0, 0, NULL, 0 } /* terminator */
58850 };
58851
58852 static int __devinit snd_intel8x0_mixer(struct intel8x0 *chip, int ac97_clock,
58853 diff -urNp linux-2.6.37/sound/pci/intel8x0m.c linux-2.6.37/sound/pci/intel8x0m.c
58854 --- linux-2.6.37/sound/pci/intel8x0m.c 2011-01-04 19:50:19.000000000 -0500
58855 +++ linux-2.6.37/sound/pci/intel8x0m.c 2011-01-17 02:41:02.000000000 -0500
58856 @@ -239,7 +239,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_intel
58857 { PCI_VDEVICE(AMD, 0x746d), DEVICE_INTEL }, /* AMD8111 */
58858 { PCI_VDEVICE(AL, 0x5455), DEVICE_ALI }, /* Ali5455 */
58859 #endif
58860 - { 0, }
58861 + { 0, 0, 0, 0, 0, 0, 0 }
58862 };
58863
58864 MODULE_DEVICE_TABLE(pci, snd_intel8x0m_ids);
58865 @@ -1264,7 +1264,7 @@ static struct shortname_table {
58866 { 0x5455, "ALi M5455" },
58867 { 0x746d, "AMD AMD8111" },
58868 #endif
58869 - { 0 },
58870 + { 0, NULL },
58871 };
58872
58873 static int __devinit snd_intel8x0m_probe(struct pci_dev *pci,
58874 diff -urNp linux-2.6.37/usr/gen_init_cpio.c linux-2.6.37/usr/gen_init_cpio.c
58875 --- linux-2.6.37/usr/gen_init_cpio.c 2011-01-04 19:50:19.000000000 -0500
58876 +++ linux-2.6.37/usr/gen_init_cpio.c 2011-01-17 02:41:02.000000000 -0500
58877 @@ -299,7 +299,7 @@ static int cpio_mkfile(const char *name,
58878 int retval;
58879 int rc = -1;
58880 int namesize;
58881 - int i;
58882 + unsigned int i;
58883
58884 mode |= S_IFREG;
58885
58886 @@ -386,9 +386,10 @@ static char *cpio_replace_env(char *new_
58887 *env_var = *expanded = '\0';
58888 strncat(env_var, start + 2, end - start - 2);
58889 strncat(expanded, new_location, start - new_location);
58890 - strncat(expanded, getenv(env_var), PATH_MAX);
58891 - strncat(expanded, end + 1, PATH_MAX);
58892 + strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded));
58893 + strncat(expanded, end + 1, PATH_MAX - strlen(expanded));
58894 strncpy(new_location, expanded, PATH_MAX);
58895 + new_location[PATH_MAX] = 0;
58896 } else
58897 break;
58898 }
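Review bot: The rewritten `strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded))` still passes getenv()'s result straight to strncat(), so an undefined `${VAR}` in the cpio list dereferences NULL and crashes the host tool instead of reporting the error; fetch it first, `const char *val = getenv(env_var); if (!val) { fprintf(stderr, "undefined variable %s\n", env_var); exit(1); }`, and concatenate `val`. The new length arguments are correct only if `expanded` and `new_location` are each PATH_MAX + 1 bytes, as the added `new_location[PATH_MAX] = 0` implies; their declarations are outside the hunk, so confirm. cpio_replace_env() starts outside this hunk.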
58899 diff -urNp linux-2.6.37/virt/kvm/kvm_main.c linux-2.6.37/virt/kvm/kvm_main.c
58900 --- linux-2.6.37/virt/kvm/kvm_main.c 2011-01-04 19:50:19.000000000 -0500
58901 +++ linux-2.6.37/virt/kvm/kvm_main.c 2011-01-17 02:41:02.000000000 -0500
58902 @@ -1344,6 +1344,7 @@ static int kvm_vcpu_release(struct inode
58903 return 0;
58904 }
58905
58906 +/* cannot be const */
58907 static struct file_operations kvm_vcpu_fops = {
58908 .release = kvm_vcpu_release,
58909 .unlocked_ioctl = kvm_vcpu_ioctl,
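Review bot: The added `/* cannot be const */` records the restriction without its reason, which is what a later const-ification pass needs in order not to undo it; spell it out, e.g. `/* cannot be const: kvm_init() assigns .owner at run time */` — presuming that is the reason, since kvm_init()'s body is outside this chunk. The same wording would serve the identical comments added to kvm_vm_fops and kvm_chardev_ops below.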
58910 @@ -1812,6 +1813,7 @@ static int kvm_vm_mmap(struct file *file
58911 return 0;
58912 }
58913
58914 +/* cannot be const */
58915 static struct file_operations kvm_vm_fops = {
58916 .release = kvm_vm_release,
58917 .unlocked_ioctl = kvm_vm_ioctl,
58918 @@ -1910,6 +1912,7 @@ out:
58919 return r;
58920 }
58921
58922 +/* cannot be const */
58923 static struct file_operations kvm_chardev_ops = {
58924 .unlocked_ioctl = kvm_dev_ioctl,
58925 .compat_ioctl = kvm_dev_ioctl,
58926 @@ -1920,6 +1923,9 @@ static struct miscdevice kvm_dev = {
58927 KVM_MINOR,
58928 "kvm",
58929 &kvm_chardev_ops,
58930 + {NULL, NULL},
58931 + NULL,
58932 + NULL
58933 };
58934
58935 static void hardware_enable(void *junk)
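Review bot: The three added positional initializers, `{NULL, NULL}, NULL, NULL`, tie kvm_dev to the exact field order and count of struct miscdevice and only form a complete initializer while that layout holds; in this tree struct miscdevice probably carries further members after this_device (nodename, mode), in which case the initializer is still partial and the explicit zeros add nothing. Convert the definition to designated form instead, `.minor = KVM_MINOR, .name = "kvm", .fops = &kvm_chardev_ops,`, which is layout-independent and avoids missing-field warnings on its own. The `static struct miscdevice kvm_dev = {` line is outside this hunk.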
58936 @@ -2259,7 +2265,7 @@ static void kvm_sched_out(struct preempt
58937 kvm_arch_vcpu_put(vcpu);
58938 }
58939
58940 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
58941 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
58942 struct module *module)
58943 {
58944 int r;