1 diff --git a/Documentation/dontdiff b/Documentation/dontdiff
2 index b89a739..79768fb 100644
3 --- a/Documentation/dontdiff
4 +++ b/Documentation/dontdiff
44 @@ -69,9 +75,11 @@ Image
56 @@ -80,6 +88,7 @@ aic7*seq.h*
64 @@ -92,19 +101,24 @@ bounds.h
89 @@ -115,9 +129,11 @@ devlist.h*
97 +exception_policy.conf
101 @@ -125,12 +141,15 @@ fore200e_pca_fw.c*
117 @@ -145,14 +164,14 @@ int32.c
134 @@ -162,14 +181,15 @@ mach-types.h
151 @@ -185,6 +205,8 @@ oui.c*
160 @@ -194,6 +216,7 @@ perf-archive
168 @@ -203,7 +226,10 @@ r200_reg_safe.h
179 @@ -213,8 +239,12 @@ series
184 +size_overflow_hash.h
192 @@ -224,6 +254,7 @@ tftpboot.img
200 @@ -235,13 +266,17 @@ vdso32.lds
218 @@ -249,9 +284,12 @@ vsyscall_32.lds
231 diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
232 index 2fe6e76..889ee23 100644
233 --- a/Documentation/kernel-parameters.txt
234 +++ b/Documentation/kernel-parameters.txt
235 @@ -976,6 +976,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
236 Format: <unsigned int> such that (rxsize & ~0x1fffc0) == 0.
239 + grsec_proc_gid= [GRKERNSEC_PROC_USERGROUP] Chooses GID to
240 + ignore grsecurity's /proc restrictions
243 hashdist= [KNL,NUMA] Large hashes allocated during boot
244 are distributed across NUMA nodes. Defaults on
245 for 64-bit NUMA, off otherwise.
246 @@ -1928,6 +1932,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
247 noexec=on: enable non-executable mappings (default)
248 noexec=off: disable non-executable mappings
251 + Disable PCID (Process-Context IDentifier) even if it
252 + is supported by the processor.
255 Disable SMAP (Supervisor Mode Access Prevention)
256 even if it is supported by processor.
257 @@ -2195,6 +2203,25 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
258 the specified number of seconds. This is to be used if
259 your oopses keep scrolling off the screen.
261 + pax_nouderef [X86] disables UDEREF. Most likely needed under certain
262 + virtualization environments that don't cope well with the
263 + expand down segment used by UDEREF on X86-32 or the frequent
264 + page table updates on X86-64.
267 + 0/1 to disable/enable slab object sanitization (enabled by
270 + pax_softmode= 0/1 to disable/enable PaX softmode on boot already.
272 + pax_extra_latent_entropy
273 + Enable a very simple form of latent entropy extraction
274 + from the first 4GB of memory as the bootmem allocator
275 + passes the memory pages to the buddy allocator.
277 + pax_weakuderef [X86-64] enables the weaker but faster form of UDEREF
278 + when the processor supports PCID.
283 diff --git a/Makefile b/Makefile
284 index 4b31d62..ac99d49 100644
287 @@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
291 -HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer
293 +HOSTCFLAGS = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -Wno-unused-parameter -Wno-missing-field-initializers -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
294 +HOSTCFLAGS += $(call cc-option, -Wno-empty-body)
295 +HOSTCXXFLAGS = -O2 -Wall -W -fno-delete-null-pointer-checks
297 # Decide whether to build built-in, modular, or both.
298 # Normally, just do built-in.
299 @@ -414,8 +415,8 @@ export RCS_TAR_IGNORE := --exclude SCCS --exclude BitKeeper --exclude .svn \
300 # Rules shared between *config targets and build targets
302 # Basic helpers built in scripts/
303 -PHONY += scripts_basic
305 +PHONY += scripts_basic gcc-plugins
306 +scripts_basic: gcc-plugins
307 $(Q)$(MAKE) $(build)=scripts/basic
308 $(Q)rm -f .tmp_quiet_recordmcount
310 @@ -576,6 +577,65 @@ else
314 +ifndef DISABLE_PAX_PLUGINS
315 +ifeq ($(call cc-ifversion, -ge, 0408, y), y)
316 +PLUGINCC := $(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-plugin.sh "$(HOSTCXX)" "$(HOSTCXX)" "$(CC)")
318 +PLUGINCC := $(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-plugin.sh "$(HOSTCC)" "$(HOSTCXX)" "$(CC)")
320 +ifneq ($(PLUGINCC),)
321 +ifdef CONFIG_PAX_CONSTIFY_PLUGIN
322 +CONSTIFY_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/constify_plugin.so -DCONSTIFY_PLUGIN
324 +ifdef CONFIG_PAX_MEMORY_STACKLEAK
325 +STACKLEAK_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/stackleak_plugin.so -DSTACKLEAK_PLUGIN
326 +STACKLEAK_PLUGIN_CFLAGS += -fplugin-arg-stackleak_plugin-track-lowest-sp=100
328 +ifdef CONFIG_KALLOCSTAT_PLUGIN
329 +KALLOCSTAT_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/kallocstat_plugin.so
331 +ifdef CONFIG_PAX_KERNEXEC_PLUGIN
332 +KERNEXEC_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/kernexec_plugin.so
333 +KERNEXEC_PLUGIN_CFLAGS += -fplugin-arg-kernexec_plugin-method=$(CONFIG_PAX_KERNEXEC_PLUGIN_METHOD) -DKERNEXEC_PLUGIN
334 +KERNEXEC_PLUGIN_AFLAGS := -DKERNEXEC_PLUGIN
336 +ifdef CONFIG_CHECKER_PLUGIN
337 +ifeq ($(call cc-ifversion, -ge, 0406, y), y)
338 +CHECKER_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/checker_plugin.so -DCHECKER_PLUGIN
341 +COLORIZE_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/colorize_plugin.so
342 +ifdef CONFIG_PAX_SIZE_OVERFLOW
343 +SIZE_OVERFLOW_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/size_overflow_plugin.so -DSIZE_OVERFLOW_PLUGIN
345 +ifdef CONFIG_PAX_LATENT_ENTROPY
346 +LATENT_ENTROPY_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/latent_entropy_plugin.so -DLATENT_ENTROPY_PLUGIN
348 +ifdef CONFIG_PAX_MEMORY_STRUCTLEAK
349 +STRUCTLEAK_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/structleak_plugin.so -DSTRUCTLEAK_PLUGIN
351 +GCC_PLUGINS_CFLAGS := $(CONSTIFY_PLUGIN_CFLAGS) $(STACKLEAK_PLUGIN_CFLAGS) $(KALLOCSTAT_PLUGIN_CFLAGS)
352 +GCC_PLUGINS_CFLAGS += $(KERNEXEC_PLUGIN_CFLAGS) $(CHECKER_PLUGIN_CFLAGS) $(COLORIZE_PLUGIN_CFLAGS)
353 +GCC_PLUGINS_CFLAGS += $(SIZE_OVERFLOW_PLUGIN_CFLAGS) $(LATENT_ENTROPY_PLUGIN_CFLAGS) $(STRUCTLEAK_PLUGIN_CFLAGS)
354 +GCC_PLUGINS_AFLAGS := $(KERNEXEC_PLUGIN_AFLAGS)
355 +export PLUGINCC GCC_PLUGINS_CFLAGS GCC_PLUGINS_AFLAGS CONSTIFY_PLUGIN
356 +ifeq ($(KBUILD_EXTMOD),)
358 + $(Q)$(MAKE) $(build)=tools/gcc
364 +ifeq ($(call cc-ifversion, -ge, 0405, y), y)
365 + $(error Your gcc installation does not support plugins. If the necessary headers for plugin support are missing, they should be installed. On Debian, apt-get install gcc-<ver>-plugin-dev. If you choose to ignore this error and lessen the improvements provided by this patch, re-run make with the DISABLE_PAX_PLUGINS=y argument.))
367 + $(Q)echo "warning, your gcc version does not support plugins, you should upgrade it to gcc 4.5 at least"
369 + $(Q)echo "PAX_MEMORY_STACKLEAK, constification, PAX_LATENT_ENTROPY and other features will be less secure. PAX_SIZE_OVERFLOW will not be active."
373 include $(srctree)/arch/$(SRCARCH)/Makefile
375 ifdef CONFIG_READABLE_ASM
376 @@ -733,7 +793,7 @@ export mod_sign_cmd
379 ifeq ($(KBUILD_EXTMOD),)
380 -core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
381 +core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
383 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
384 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
385 @@ -782,6 +842,8 @@ endif
387 # The actual objects are generated when descending,
388 # make sure no implicit rule kicks in
389 +$(filter-out $(init-y),$(vmlinux-deps)): KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS)
390 +$(filter-out $(init-y),$(vmlinux-deps)): KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS)
391 $(sort $(vmlinux-deps)): $(vmlinux-dirs) ;
393 # Handle descending into subdirectories listed in $(vmlinux-dirs)
394 @@ -791,7 +853,7 @@ $(sort $(vmlinux-deps)): $(vmlinux-dirs) ;
395 # Error messages still appears in the original language
397 PHONY += $(vmlinux-dirs)
398 -$(vmlinux-dirs): prepare scripts
399 +$(vmlinux-dirs): gcc-plugins prepare scripts
400 $(Q)$(MAKE) $(build)=$@
402 # Store (new) KERNELRELASE string in include/config/kernel.release
403 @@ -835,6 +897,7 @@ prepare0: archprepare FORCE
404 $(Q)$(MAKE) $(build)=.
406 # All the preparing..
407 +prepare: KBUILD_CFLAGS := $(filter-out $(GCC_PLUGINS_CFLAGS),$(KBUILD_CFLAGS))
410 # Generate some files
411 @@ -942,6 +1005,8 @@ all: modules
412 # using awk while concatenating to the final file.
415 +modules: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS)
416 +modules: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS)
417 modules: $(vmlinux-dirs) $(if $(KBUILD_BUILTIN),vmlinux) modules.builtin
418 $(Q)$(AWK) '!x[$$0]++' $(vmlinux-dirs:%=$(objtree)/%/modules.order) > $(objtree)/modules.order
419 @$(kecho) ' Building modules, stage 2.';
420 @@ -957,7 +1022,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modules.builtin)
422 # Target to prepare building external modules
423 PHONY += modules_prepare
424 -modules_prepare: prepare scripts
425 +modules_prepare: gcc-plugins prepare scripts
427 # Target to install modules
428 PHONY += modules_install
429 @@ -1023,7 +1088,7 @@ MRPROPER_FILES += .config .config.old .version .old_version $(version_h) \
430 Module.symvers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS \
431 signing_key.priv signing_key.x509 x509.genkey \
432 extra_certificates signing_key.x509.keyid \
433 - signing_key.x509.signer
434 + signing_key.x509.signer tools/gcc/size_overflow_hash.h
436 # clean - Delete most, but leave enough to build external modules
438 @@ -1063,6 +1128,7 @@ distclean: mrproper
439 \( -name '*.orig' -o -name '*.rej' -o -name '*~' \
440 -o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \
442 + -o -name '.*.rej' -o -name '*.so' \
443 -o -name '*%' -o -name '.*.cmd' -o -name 'core' \) \
444 -type f -print | xargs rm -f
446 @@ -1223,6 +1289,8 @@ PHONY += $(module-dirs) modules
447 $(module-dirs): crmodverdir $(objtree)/Module.symvers
448 $(Q)$(MAKE) $(build)=$(patsubst _module_%,%,$@)
450 +modules: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS)
451 +modules: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS)
452 modules: $(module-dirs)
453 @$(kecho) ' Building modules, stage 2.';
454 $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost
455 @@ -1359,17 +1427,21 @@ else
456 target-dir = $(if $(KBUILD_EXTMOD),$(dir $<),$(dir $@))
459 -%.s: %.c prepare scripts FORCE
460 +%.s: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS)
461 +%.s: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS)
462 +%.s: %.c gcc-plugins prepare scripts FORCE
463 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
464 %.i: %.c prepare scripts FORCE
465 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
466 -%.o: %.c prepare scripts FORCE
467 +%.o: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS)
468 +%.o: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS)
469 +%.o: %.c gcc-plugins prepare scripts FORCE
470 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
471 %.lst: %.c prepare scripts FORCE
472 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
473 -%.s: %.S prepare scripts FORCE
474 +%.s: %.S gcc-plugins prepare scripts FORCE
475 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
476 -%.o: %.S prepare scripts FORCE
477 +%.o: %.S gcc-plugins prepare scripts FORCE
478 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
479 %.symtypes: %.c prepare scripts FORCE
480 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
481 @@ -1379,11 +1451,15 @@ endif
483 $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
484 $(build)=$(build-dir)
485 -%/: prepare scripts FORCE
486 +%/: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS)
487 +%/: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS)
488 +%/: gcc-plugins prepare scripts FORCE
490 $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
491 $(build)=$(build-dir)
492 -%.ko: prepare scripts FORCE
493 +%.ko: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS)
494 +%.ko: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS)
495 +%.ko: gcc-plugins prepare scripts FORCE
497 $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
498 $(build)=$(build-dir) $(@:.ko=.o)
499 diff --git a/arch/alpha/include/asm/atomic.h b/arch/alpha/include/asm/atomic.h
500 index c2cbe4f..f7264b4 100644
501 --- a/arch/alpha/include/asm/atomic.h
502 +++ b/arch/alpha/include/asm/atomic.h
503 @@ -250,6 +250,16 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u)
504 #define atomic_dec(v) atomic_sub(1,(v))
505 #define atomic64_dec(v) atomic64_sub(1,(v))
507 +#define atomic64_read_unchecked(v) atomic64_read(v)
508 +#define atomic64_set_unchecked(v, i) atomic64_set((v), (i))
509 +#define atomic64_add_unchecked(a, v) atomic64_add((a), (v))
510 +#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v))
511 +#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v))
512 +#define atomic64_inc_unchecked(v) atomic64_inc(v)
513 +#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v)
514 +#define atomic64_dec_unchecked(v) atomic64_dec(v)
515 +#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n))
517 #define smp_mb__before_atomic_dec() smp_mb()
518 #define smp_mb__after_atomic_dec() smp_mb()
519 #define smp_mb__before_atomic_inc() smp_mb()
520 diff --git a/arch/alpha/include/asm/cache.h b/arch/alpha/include/asm/cache.h
521 index ad368a9..fbe0f25 100644
522 --- a/arch/alpha/include/asm/cache.h
523 +++ b/arch/alpha/include/asm/cache.h
525 #ifndef __ARCH_ALPHA_CACHE_H
526 #define __ARCH_ALPHA_CACHE_H
528 +#include <linux/const.h>
530 /* Bytes per L1 (data) cache line. */
531 #if defined(CONFIG_ALPHA_GENERIC) || defined(CONFIG_ALPHA_EV6)
532 -# define L1_CACHE_BYTES 64
533 # define L1_CACHE_SHIFT 6
535 /* Both EV4 and EV5 are write-through, read-allocate,
536 direct-mapped, physical.
538 -# define L1_CACHE_BYTES 32
539 # define L1_CACHE_SHIFT 5
542 +#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
543 #define SMP_CACHE_BYTES L1_CACHE_BYTES
546 diff --git a/arch/alpha/include/asm/elf.h b/arch/alpha/include/asm/elf.h
547 index 968d999..d36b2df 100644
548 --- a/arch/alpha/include/asm/elf.h
549 +++ b/arch/alpha/include/asm/elf.h
550 @@ -91,6 +91,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_NFPREG];
552 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
554 +#ifdef CONFIG_PAX_ASLR
555 +#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
557 +#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
558 +#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
561 /* $0 is set by ld.so to a pointer to a function which might be
562 registered using atexit. This provides a mean for the dynamic
563 linker to call DT_FINI functions for shared libraries that have
564 diff --git a/arch/alpha/include/asm/pgalloc.h b/arch/alpha/include/asm/pgalloc.h
565 index bc2a0da..8ad11ee 100644
566 --- a/arch/alpha/include/asm/pgalloc.h
567 +++ b/arch/alpha/include/asm/pgalloc.h
568 @@ -29,6 +29,12 @@ pgd_populate(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmd)
573 +pgd_populate_kernel(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmd)
575 + pgd_populate(mm, pgd, pmd);
578 extern pgd_t *pgd_alloc(struct mm_struct *mm);
581 diff --git a/arch/alpha/include/asm/pgtable.h b/arch/alpha/include/asm/pgtable.h
582 index 81a4342..348b927 100644
583 --- a/arch/alpha/include/asm/pgtable.h
584 +++ b/arch/alpha/include/asm/pgtable.h
585 @@ -102,6 +102,17 @@ struct vm_area_struct;
586 #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
587 #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
588 #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
590 +#ifdef CONFIG_PAX_PAGEEXEC
591 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
592 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
593 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
595 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
596 +# define PAGE_COPY_NOEXEC PAGE_COPY
597 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
600 #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
602 #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
603 diff --git a/arch/alpha/kernel/module.c b/arch/alpha/kernel/module.c
604 index 2fd00b7..cfd5069 100644
605 --- a/arch/alpha/kernel/module.c
606 +++ b/arch/alpha/kernel/module.c
607 @@ -160,7 +160,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs, const char *strtab,
609 /* The small sections were sorted to the end of the segment.
610 The following should definitely cover them. */
611 - gp = (u64)me->module_core + me->core_size - 0x8000;
612 + gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
613 got = sechdrs[me->arch.gotsecindex].sh_addr;
615 for (i = 0; i < n; i++) {
616 diff --git a/arch/alpha/kernel/osf_sys.c b/arch/alpha/kernel/osf_sys.c
617 index b9e37ad..44c24e7 100644
618 --- a/arch/alpha/kernel/osf_sys.c
619 +++ b/arch/alpha/kernel/osf_sys.c
620 @@ -1297,10 +1297,11 @@ SYSCALL_DEFINE1(old_adjtimex, struct timex32 __user *, txc_p)
621 generic version except that we know how to honor ADDR_LIMIT_32BIT. */
624 -arch_get_unmapped_area_1(unsigned long addr, unsigned long len,
625 - unsigned long limit)
626 +arch_get_unmapped_area_1(struct file *filp, unsigned long addr, unsigned long len,
627 + unsigned long limit, unsigned long flags)
629 struct vm_unmapped_area_info info;
630 + unsigned long offset = gr_rand_threadstack_offset(current->mm, filp, flags);
634 @@ -1308,6 +1309,7 @@ arch_get_unmapped_area_1(unsigned long addr, unsigned long len,
635 info.high_limit = limit;
637 info.align_offset = 0;
638 + info.threadstack_offset = offset;
639 return vm_unmapped_area(&info);
642 @@ -1340,20 +1342,24 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
643 merely specific addresses, but regions of memory -- perhaps
644 this feature should be incorporated into all ports? */
646 +#ifdef CONFIG_PAX_RANDMMAP
647 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
651 - addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
652 + addr = arch_get_unmapped_area_1 (filp, PAGE_ALIGN(addr), len, limit, flags);
653 if (addr != (unsigned long) -ENOMEM)
657 /* Next, try allocating at TASK_UNMAPPED_BASE. */
658 - addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
660 + addr = arch_get_unmapped_area_1 (filp, PAGE_ALIGN(current->mm->mmap_base), len, limit, flags);
662 if (addr != (unsigned long) -ENOMEM)
665 /* Finally, try allocating in low memory. */
666 - addr = arch_get_unmapped_area_1 (PAGE_SIZE, len, limit);
667 + addr = arch_get_unmapped_area_1 (filp, PAGE_SIZE, len, limit, flags);
671 diff --git a/arch/alpha/mm/fault.c b/arch/alpha/mm/fault.c
672 index 0c4132d..88f0d53 100644
673 --- a/arch/alpha/mm/fault.c
674 +++ b/arch/alpha/mm/fault.c
675 @@ -53,6 +53,124 @@ __load_new_mm_context(struct mm_struct *next_mm)
676 __reload_thread(pcb);
679 +#ifdef CONFIG_PAX_PAGEEXEC
681 + * PaX: decide what to do with offenders (regs->pc = fault address)
683 + * returns 1 when task should be killed
684 + * 2 when patched PLT trampoline was detected
685 + * 3 when unpatched PLT trampoline was detected
687 +static int pax_handle_fetch_fault(struct pt_regs *regs)
690 +#ifdef CONFIG_PAX_EMUPLT
693 + do { /* PaX: patched PLT emulation #1 */
694 + unsigned int ldah, ldq, jmp;
696 + err = get_user(ldah, (unsigned int *)regs->pc);
697 + err |= get_user(ldq, (unsigned int *)(regs->pc+4));
698 + err |= get_user(jmp, (unsigned int *)(regs->pc+8));
703 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
704 + (ldq & 0xFFFF0000U) == 0xA77B0000U &&
705 + jmp == 0x6BFB0000U)
707 + unsigned long r27, addr;
708 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
709 + unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
711 + addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
712 + err = get_user(r27, (unsigned long *)addr);
722 + do { /* PaX: patched PLT emulation #2 */
723 + unsigned int ldah, lda, br;
725 + err = get_user(ldah, (unsigned int *)regs->pc);
726 + err |= get_user(lda, (unsigned int *)(regs->pc+4));
727 + err |= get_user(br, (unsigned int *)(regs->pc+8));
732 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
733 + (lda & 0xFFFF0000U) == 0xA77B0000U &&
734 + (br & 0xFFE00000U) == 0xC3E00000U)
736 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
737 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
738 + unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
740 + regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
741 + regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
746 + do { /* PaX: unpatched PLT emulation */
749 + err = get_user(br, (unsigned int *)regs->pc);
751 + if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
752 + unsigned int br2, ldq, nop, jmp;
753 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
755 + addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
756 + err = get_user(br2, (unsigned int *)addr);
757 + err |= get_user(ldq, (unsigned int *)(addr+4));
758 + err |= get_user(nop, (unsigned int *)(addr+8));
759 + err |= get_user(jmp, (unsigned int *)(addr+12));
760 + err |= get_user(resolver, (unsigned long *)(addr+16));
765 + if (br2 == 0xC3600000U &&
766 + ldq == 0xA77B000CU &&
767 + nop == 0x47FF041FU &&
768 + jmp == 0x6B7B0000U)
770 + regs->r28 = regs->pc+4;
771 + regs->r27 = addr+16;
772 + regs->pc = resolver;
782 +void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
786 + printk(KERN_ERR "PAX: bytes at PC: ");
787 + for (i = 0; i < 5; i++) {
789 + if (get_user(c, (unsigned int *)pc+i))
790 + printk(KERN_CONT "???????? ");
792 + printk(KERN_CONT "%08x ", c);
799 * This routine handles page faults. It determines the address,
800 @@ -133,8 +251,29 @@ retry:
802 si_code = SEGV_ACCERR;
804 - if (!(vma->vm_flags & VM_EXEC))
805 + if (!(vma->vm_flags & VM_EXEC)) {
807 +#ifdef CONFIG_PAX_PAGEEXEC
808 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
811 + up_read(&mm->mmap_sem);
812 + switch (pax_handle_fetch_fault(regs)) {
814 +#ifdef CONFIG_PAX_EMUPLT
821 + pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
822 + do_group_exit(SIGKILL);
829 /* Allow reads even for write-only mappings */
830 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
831 diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
832 index 18a9f5e..ca910b7 100644
833 --- a/arch/arm/Kconfig
834 +++ b/arch/arm/Kconfig
835 @@ -1766,7 +1766,7 @@ config ALIGNMENT_TRAP
837 config UACCESS_WITH_MEMCPY
838 bool "Use kernel mem{cpy,set}() for {copy_to,clear}_user()"
840 + depends on MMU && !PAX_MEMORY_UDEREF
841 default y if CPU_FEROCEON
843 Implement faster copy_to_user and clear_user methods for CPU
844 diff --git a/arch/arm/include/asm/atomic.h b/arch/arm/include/asm/atomic.h
845 index da1c77d..2ee6056 100644
846 --- a/arch/arm/include/asm/atomic.h
847 +++ b/arch/arm/include/asm/atomic.h
849 #include <asm/barrier.h>
850 #include <asm/cmpxchg.h>
852 +#ifdef CONFIG_GENERIC_ATOMIC64
853 +#include <asm-generic/atomic64.h>
856 #define ATOMIC_INIT(i) { (i) }
860 +#define _ASM_EXTABLE(from, to) \
861 +" .pushsection __ex_table,\"a\"\n"\
863 +" .long " #from ", " #to"\n" \
867 * On ARM, ordinary assignment (str instruction) doesn't clear the local
868 * strex/ldrex monitor on some implementations. The reason we can use it for
869 * atomic_set() is the clrex or dummy strex done on every exception return.
871 #define atomic_read(v) (*(volatile int *)&(v)->counter)
872 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
876 #define atomic_set(v,i) (((v)->counter) = (i))
877 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
882 #if __LINUX_ARM_ARCH__ >= 6
884 @@ -42,6 +60,35 @@ static inline void atomic_add(int i, atomic_t *v)
887 __asm__ __volatile__("@ atomic_add\n"
888 +"1: ldrex %1, [%3]\n"
889 +" adds %0, %1, %4\n"
891 +#ifdef CONFIG_PAX_REFCOUNT
897 +" strex %1, %0, [%3]\n"
901 +#ifdef CONFIG_PAX_REFCOUNT
903 + _ASM_EXTABLE(2b, 4b)
906 + : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter)
907 + : "r" (&v->counter), "Ir" (i)
911 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
916 + __asm__ __volatile__("@ atomic_add_unchecked\n"
917 "1: ldrex %0, [%3]\n"
919 " strex %1, %0, [%3]\n"
920 @@ -60,6 +107,42 @@ static inline int atomic_add_return(int i, atomic_t *v)
923 __asm__ __volatile__("@ atomic_add_return\n"
924 +"1: ldrex %1, [%3]\n"
925 +" adds %0, %1, %4\n"
927 +#ifdef CONFIG_PAX_REFCOUNT
934 +" strex %1, %0, [%3]\n"
938 +#ifdef CONFIG_PAX_REFCOUNT
940 + _ASM_EXTABLE(2b, 4b)
943 + : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter)
944 + : "r" (&v->counter), "Ir" (i)
952 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
959 + __asm__ __volatile__("@ atomic_add_return_unchecked\n"
960 "1: ldrex %0, [%3]\n"
962 " strex %1, %0, [%3]\n"
963 @@ -80,6 +163,35 @@ static inline void atomic_sub(int i, atomic_t *v)
966 __asm__ __volatile__("@ atomic_sub\n"
967 +"1: ldrex %1, [%3]\n"
968 +" subs %0, %1, %4\n"
970 +#ifdef CONFIG_PAX_REFCOUNT
976 +" strex %1, %0, [%3]\n"
980 +#ifdef CONFIG_PAX_REFCOUNT
982 + _ASM_EXTABLE(2b, 4b)
985 + : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter)
986 + : "r" (&v->counter), "Ir" (i)
990 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
995 + __asm__ __volatile__("@ atomic_sub_unchecked\n"
996 "1: ldrex %0, [%3]\n"
998 " strex %1, %0, [%3]\n"
999 @@ -98,11 +210,25 @@ static inline int atomic_sub_return(int i, atomic_t *v)
1002 __asm__ __volatile__("@ atomic_sub_return\n"
1003 -"1: ldrex %0, [%3]\n"
1004 -" sub %0, %0, %4\n"
1005 +"1: ldrex %1, [%3]\n"
1006 +" subs %0, %1, %4\n"
1008 +#ifdef CONFIG_PAX_REFCOUNT
1015 " strex %1, %0, [%3]\n"
1019 +#ifdef CONFIG_PAX_REFCOUNT
1021 + _ASM_EXTABLE(2b, 4b)
1024 : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter)
1025 : "r" (&v->counter), "Ir" (i)
1027 @@ -134,6 +260,28 @@ static inline int atomic_cmpxchg(atomic_t *ptr, int old, int new)
1031 +static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *ptr, int old, int new)
1033 + unsigned long oldval, res;
1038 + __asm__ __volatile__("@ atomic_cmpxchg_unchecked\n"
1039 + "ldrex %1, [%3]\n"
1042 + "strexeq %0, %5, [%3]\n"
1043 + : "=&r" (res), "=&r" (oldval), "+Qo" (ptr->counter)
1044 + : "r" (&ptr->counter), "Ir" (old), "r" (new)
1053 static inline void atomic_clear_mask(unsigned long mask, unsigned long *addr)
1055 unsigned long tmp, tmp2;
1056 @@ -167,7 +315,17 @@ static inline int atomic_add_return(int i, atomic_t *v)
1061 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
1063 + return atomic_add_return(i, v);
1066 #define atomic_add(i, v) (void) atomic_add_return(i, v)
1067 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
1069 + (void) atomic_add_return(i, v);
1072 static inline int atomic_sub_return(int i, atomic_t *v)
1074 @@ -182,6 +340,10 @@ static inline int atomic_sub_return(int i, atomic_t *v)
1077 #define atomic_sub(i, v) (void) atomic_sub_return(i, v)
1078 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
1080 + (void) atomic_sub_return(i, v);
1083 static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
1085 @@ -197,6 +359,11 @@ static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
1089 +static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
1091 + return atomic_cmpxchg(v, old, new);
1094 static inline void atomic_clear_mask(unsigned long mask, unsigned long *addr)
1096 unsigned long flags;
1097 @@ -209,6 +376,10 @@ static inline void atomic_clear_mask(unsigned long mask, unsigned long *addr)
1098 #endif /* __LINUX_ARM_ARCH__ */
1100 #define atomic_xchg(v, new) (xchg(&((v)->counter), new))
1101 +static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
1103 + return xchg(&v->counter, new);
1106 static inline int __atomic_add_unless(atomic_t *v, int a, int u)
1108 @@ -221,11 +392,27 @@ static inline int __atomic_add_unless(atomic_t *v, int a, int u)
1111 #define atomic_inc(v) atomic_add(1, v)
1112 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
1114 + atomic_add_unchecked(1, v);
1116 #define atomic_dec(v) atomic_sub(1, v)
1117 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
1119 + atomic_sub_unchecked(1, v);
1122 #define atomic_inc_and_test(v) (atomic_add_return(1, v) == 0)
1123 +static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
1125 + return atomic_add_return_unchecked(1, v) == 0;
1127 #define atomic_dec_and_test(v) (atomic_sub_return(1, v) == 0)
1128 #define atomic_inc_return(v) (atomic_add_return(1, v))
1129 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
1131 + return atomic_add_return_unchecked(1, v);
1133 #define atomic_dec_return(v) (atomic_sub_return(1, v))
1134 #define atomic_sub_and_test(i, v) (atomic_sub_return(i, v) == 0)
1136 @@ -241,6 +428,14 @@ typedef struct {
1137 u64 __aligned(8) counter;
1140 +#ifdef CONFIG_PAX_REFCOUNT
1142 + u64 __aligned(8) counter;
1143 +} atomic64_unchecked_t;
1145 +typedef atomic64_t atomic64_unchecked_t;
1148 #define ATOMIC64_INIT(i) { (i) }
1150 #ifdef CONFIG_ARM_LPAE
1151 @@ -257,6 +452,19 @@ static inline u64 atomic64_read(const atomic64_t *v)
1155 +static inline u64 atomic64_read_unchecked(const atomic64_unchecked_t *v)
1159 + __asm__ __volatile__("@ atomic64_read_unchecked\n"
1160 +" ldrd %0, %H0, [%1]"
1162 + : "r" (&v->counter), "Qo" (v->counter)
1168 static inline void atomic64_set(atomic64_t *v, u64 i)
1170 __asm__ __volatile__("@ atomic64_set\n"
1171 @@ -265,6 +473,15 @@ static inline void atomic64_set(atomic64_t *v, u64 i)
1172 : "r" (&v->counter), "r" (i)
1176 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, u64 i)
1178 + __asm__ __volatile__("@ atomic64_set_unchecked\n"
1179 +" strd %2, %H2, [%1]"
1180 + : "=Qo" (v->counter)
1181 + : "r" (&v->counter), "r" (i)
1185 static inline u64 atomic64_read(const atomic64_t *v)
1187 @@ -279,6 +496,19 @@ static inline u64 atomic64_read(const atomic64_t *v)
1191 +static inline u64 atomic64_read_unchecked(atomic64_unchecked_t *v)
1195 + __asm__ __volatile__("@ atomic64_read_unchecked\n"
1196 +" ldrexd %0, %H0, [%1]"
1198 + : "r" (&v->counter), "Qo" (v->counter)
1204 static inline void atomic64_set(atomic64_t *v, u64 i)
1207 @@ -292,6 +522,21 @@ static inline void atomic64_set(atomic64_t *v, u64 i)
1208 : "r" (&v->counter), "r" (i)
1212 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, u64 i)
1216 + __asm__ __volatile__("@ atomic64_set_unchecked\n"
1217 +"1: ldrexd %0, %H0, [%2]\n"
1218 +" strexd %0, %3, %H3, [%2]\n"
1221 + : "=&r" (tmp), "=Qo" (v->counter)
1222 + : "r" (&v->counter), "r" (i)
1228 static inline void atomic64_add(u64 i, atomic64_t *v)
1229 @@ -302,6 +547,36 @@ static inline void atomic64_add(u64 i, atomic64_t *v)
1230 __asm__ __volatile__("@ atomic64_add\n"
1231 "1: ldrexd %0, %H0, [%3]\n"
1232 " adds %0, %0, %4\n"
1233 +" adcs %H0, %H0, %H4\n"
1235 +#ifdef CONFIG_PAX_REFCOUNT
1241 +" strexd %1, %0, %H0, [%3]\n"
1245 +#ifdef CONFIG_PAX_REFCOUNT
1247 + _ASM_EXTABLE(2b, 4b)
1250 + : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter)
1251 + : "r" (&v->counter), "r" (i)
1255 +static inline void atomic64_add_unchecked(u64 i, atomic64_unchecked_t *v)
1258 + unsigned long tmp;
1260 + __asm__ __volatile__("@ atomic64_add_unchecked\n"
1261 +"1: ldrexd %0, %H0, [%3]\n"
1262 +" adds %0, %0, %4\n"
1263 " adc %H0, %H0, %H4\n"
1264 " strexd %1, %0, %H0, [%3]\n"
1266 @@ -313,12 +588,49 @@ static inline void atomic64_add(u64 i, atomic64_t *v)
1268 static inline u64 atomic64_add_return(u64 i, atomic64_t *v)
1271 - unsigned long tmp;
1276 __asm__ __volatile__("@ atomic64_add_return\n"
1277 +"1: ldrexd %1, %H1, [%3]\n"
1278 +" adds %0, %1, %4\n"
1279 +" adcs %H0, %H1, %H4\n"
1281 +#ifdef CONFIG_PAX_REFCOUNT
1289 +" strexd %1, %0, %H0, [%3]\n"
1293 +#ifdef CONFIG_PAX_REFCOUNT
1295 + _ASM_EXTABLE(2b, 4b)
1298 + : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter)
1299 + : "r" (&v->counter), "r" (i)
1307 +static inline u64 atomic64_add_return_unchecked(u64 i, atomic64_unchecked_t *v)
1310 + unsigned long tmp;
1314 + __asm__ __volatile__("@ atomic64_add_return_unchecked\n"
1315 "1: ldrexd %0, %H0, [%3]\n"
1316 " adds %0, %0, %4\n"
1317 " adc %H0, %H0, %H4\n"
1318 @@ -342,6 +654,36 @@ static inline void atomic64_sub(u64 i, atomic64_t *v)
1319 __asm__ __volatile__("@ atomic64_sub\n"
1320 "1: ldrexd %0, %H0, [%3]\n"
1321 " subs %0, %0, %4\n"
1322 +" sbcs %H0, %H0, %H4\n"
1324 +#ifdef CONFIG_PAX_REFCOUNT
1330 +" strexd %1, %0, %H0, [%3]\n"
1334 +#ifdef CONFIG_PAX_REFCOUNT
1336 + _ASM_EXTABLE(2b, 4b)
1339 + : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter)
1340 + : "r" (&v->counter), "r" (i)
1344 +static inline void atomic64_sub_unchecked(u64 i, atomic64_unchecked_t *v)
1347 + unsigned long tmp;
1349 + __asm__ __volatile__("@ atomic64_sub_unchecked\n"
1350 +"1: ldrexd %0, %H0, [%3]\n"
1351 +" subs %0, %0, %4\n"
1352 " sbc %H0, %H0, %H4\n"
1353 " strexd %1, %0, %H0, [%3]\n"
1355 @@ -353,18 +695,32 @@ static inline void atomic64_sub(u64 i, atomic64_t *v)
1357 static inline u64 atomic64_sub_return(u64 i, atomic64_t *v)
1360 - unsigned long tmp;
1365 __asm__ __volatile__("@ atomic64_sub_return\n"
1366 -"1: ldrexd %0, %H0, [%3]\n"
1367 -" subs %0, %0, %4\n"
1368 -" sbc %H0, %H0, %H4\n"
1369 +"1: ldrexd %1, %H1, [%3]\n"
1370 +" subs %0, %1, %4\n"
1371 +" sbcs %H0, %H1, %H4\n"
1373 +#ifdef CONFIG_PAX_REFCOUNT
1381 " strexd %1, %0, %H0, [%3]\n"
1385 +#ifdef CONFIG_PAX_REFCOUNT
1387 + _ASM_EXTABLE(2b, 4b)
1390 : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter)
1391 : "r" (&v->counter), "r" (i)
1393 @@ -398,6 +754,30 @@ static inline u64 atomic64_cmpxchg(atomic64_t *ptr, u64 old, u64 new)
1397 +static inline u64 atomic64_cmpxchg_unchecked(atomic64_unchecked_t *ptr, u64 old, u64 new)
1400 + unsigned long res;
1405 + __asm__ __volatile__("@ atomic64_cmpxchg_unchecked\n"
1406 + "ldrexd %1, %H1, [%3]\n"
1409 + "teqeq %H1, %H4\n"
1410 + "strexdeq %0, %5, %H5, [%3]"
1411 + : "=&r" (res), "=&r" (oldval), "+Qo" (ptr->counter)
1412 + : "r" (&ptr->counter), "r" (old), "r" (new)
1421 static inline u64 atomic64_xchg(atomic64_t *ptr, u64 new)
1424 @@ -421,21 +801,34 @@ static inline u64 atomic64_xchg(atomic64_t *ptr, u64 new)
1426 static inline u64 atomic64_dec_if_positive(atomic64_t *v)
1429 - unsigned long tmp;
1434 __asm__ __volatile__("@ atomic64_dec_if_positive\n"
1435 -"1: ldrexd %0, %H0, [%3]\n"
1436 -" subs %0, %0, #1\n"
1437 -" sbc %H0, %H0, #0\n"
1438 +"1: ldrexd %1, %H1, [%3]\n"
1439 +" subs %0, %1, #1\n"
1440 +" sbcs %H0, %H1, #0\n"
1442 +#ifdef CONFIG_PAX_REFCOUNT
1453 " strexd %1, %0, %H0, [%3]\n"
1459 +#ifdef CONFIG_PAX_REFCOUNT
1460 + _ASM_EXTABLE(2b, 4b)
1463 : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter)
1466 @@ -458,13 +851,25 @@ static inline int atomic64_add_unless(atomic64_t *v, u64 a, u64 u)
1472 " adds %0, %0, %6\n"
1473 -" adc %H0, %H0, %H6\n"
1474 +" adcs %H0, %H0, %H6\n"
1476 +#ifdef CONFIG_PAX_REFCOUNT
1482 " strexd %2, %0, %H0, [%4]\n"
1488 +#ifdef CONFIG_PAX_REFCOUNT
1489 + _ASM_EXTABLE(2b, 4b)
1492 : "=&r" (val), "+r" (ret), "=&r" (tmp), "+Qo" (v->counter)
1493 : "r" (&v->counter), "r" (u), "r" (a)
1495 @@ -477,10 +882,13 @@ static inline int atomic64_add_unless(atomic64_t *v, u64 a, u64 u)
1497 #define atomic64_add_negative(a, v) (atomic64_add_return((a), (v)) < 0)
1498 #define atomic64_inc(v) atomic64_add(1LL, (v))
1499 +#define atomic64_inc_unchecked(v) atomic64_add_unchecked(1LL, (v))
1500 #define atomic64_inc_return(v) atomic64_add_return(1LL, (v))
1501 +#define atomic64_inc_return_unchecked(v) atomic64_add_return_unchecked(1LL, (v))
1502 #define atomic64_inc_and_test(v) (atomic64_inc_return(v) == 0)
1503 #define atomic64_sub_and_test(a, v) (atomic64_sub_return((a), (v)) == 0)
1504 #define atomic64_dec(v) atomic64_sub(1LL, (v))
1505 +#define atomic64_dec_unchecked(v) atomic64_sub_unchecked(1LL, (v))
1506 #define atomic64_dec_return(v) atomic64_sub_return(1LL, (v))
1507 #define atomic64_dec_and_test(v) (atomic64_dec_return((v)) == 0)
1508 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1LL, 0LL)
1509 diff --git a/arch/arm/include/asm/cache.h b/arch/arm/include/asm/cache.h
1510 index 75fe66b..ba3dee4 100644
1511 --- a/arch/arm/include/asm/cache.h
1512 +++ b/arch/arm/include/asm/cache.h
1514 #ifndef __ASMARM_CACHE_H
1515 #define __ASMARM_CACHE_H
1517 +#include <linux/const.h>
1519 #define L1_CACHE_SHIFT CONFIG_ARM_L1_CACHE_SHIFT
1520 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
1521 +#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
1524 * Memory returned by kmalloc() may be used for DMA, so we must make
1528 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
1529 +#define __read_only __attribute__ ((__section__(".data..read_only")))
1532 diff --git a/arch/arm/include/asm/cacheflush.h b/arch/arm/include/asm/cacheflush.h
1533 index 17d0ae8..014e350 100644
1534 --- a/arch/arm/include/asm/cacheflush.h
1535 +++ b/arch/arm/include/asm/cacheflush.h
1536 @@ -116,7 +116,7 @@ struct cpu_cache_fns {
1537 void (*dma_unmap_area)(const void *, size_t, int);
1539 void (*dma_flush_range)(const void *, const void *);
1544 * Select the calling method
1545 diff --git a/arch/arm/include/asm/checksum.h b/arch/arm/include/asm/checksum.h
1546 index 6dcc164..b14d917 100644
1547 --- a/arch/arm/include/asm/checksum.h
1548 +++ b/arch/arm/include/asm/checksum.h
1549 @@ -37,7 +37,19 @@ __wsum
1550 csum_partial_copy_nocheck(const void *src, void *dst, int len, __wsum sum);
1553 -csum_partial_copy_from_user(const void __user *src, void *dst, int len, __wsum sum, int *err_ptr);
1554 +__csum_partial_copy_from_user(const void __user *src, void *dst, int len, __wsum sum, int *err_ptr);
1556 +static inline __wsum
1557 +csum_partial_copy_from_user(const void __user *src, void *dst, int len, __wsum sum, int *err_ptr)
1560 + pax_open_userland();
1561 + ret = __csum_partial_copy_from_user(src, dst, len, sum, err_ptr);
1562 + pax_close_userland();
1569 * Fold a partial checksum without adding pseudo headers
1570 diff --git a/arch/arm/include/asm/cmpxchg.h b/arch/arm/include/asm/cmpxchg.h
1571 index 4f009c1..466c59b 100644
1572 --- a/arch/arm/include/asm/cmpxchg.h
1573 +++ b/arch/arm/include/asm/cmpxchg.h
1574 @@ -102,6 +102,8 @@ static inline unsigned long __xchg(unsigned long x, volatile void *ptr, int size
1576 #define xchg(ptr,x) \
1577 ((__typeof__(*(ptr)))__xchg((unsigned long)(x),(ptr),sizeof(*(ptr))))
1578 +#define xchg_unchecked(ptr,x) \
1579 + ((__typeof__(*(ptr)))__xchg((unsigned long)(x),(ptr),sizeof(*(ptr))))
1581 #include <asm-generic/cmpxchg-local.h>
1583 diff --git a/arch/arm/include/asm/domain.h b/arch/arm/include/asm/domain.h
1584 index 6ddbe44..b5e38b1 100644
1585 --- a/arch/arm/include/asm/domain.h
1586 +++ b/arch/arm/include/asm/domain.h
1590 #define DOMAIN_NOACCESS 0
1591 -#define DOMAIN_CLIENT 1
1592 #ifdef CONFIG_CPU_USE_DOMAINS
1593 +#define DOMAIN_USERCLIENT 1
1594 +#define DOMAIN_KERNELCLIENT 1
1595 #define DOMAIN_MANAGER 3
1596 +#define DOMAIN_VECTORS DOMAIN_USER
1599 +#ifdef CONFIG_PAX_KERNEXEC
1600 #define DOMAIN_MANAGER 1
1601 +#define DOMAIN_KERNEXEC 3
1603 +#define DOMAIN_MANAGER 1
1606 +#ifdef CONFIG_PAX_MEMORY_UDEREF
1607 +#define DOMAIN_USERCLIENT 0
1608 +#define DOMAIN_UDEREF 1
1609 +#define DOMAIN_VECTORS DOMAIN_KERNEL
1611 +#define DOMAIN_USERCLIENT 1
1612 +#define DOMAIN_VECTORS DOMAIN_USER
1614 +#define DOMAIN_KERNELCLIENT 1
1618 #define domain_val(dom,type) ((type) << (2*(dom)))
1620 #ifndef __ASSEMBLY__
1622 -#ifdef CONFIG_CPU_USE_DOMAINS
1623 +#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
1624 static inline void set_domain(unsigned val)
1627 @@ -68,15 +87,7 @@ static inline void set_domain(unsigned val)
1631 -#define modify_domain(dom,type) \
1633 - struct thread_info *thread = current_thread_info(); \
1634 - unsigned int domain = thread->cpu_domain; \
1635 - domain &= ~domain_val(dom, DOMAIN_MANAGER); \
1636 - thread->cpu_domain = domain | domain_val(dom, type); \
1637 - set_domain(thread->cpu_domain); \
1640 +extern void modify_domain(unsigned int dom, unsigned int type);
1642 static inline void set_domain(unsigned val) { }
1643 static inline void modify_domain(unsigned dom, unsigned type) { }
1644 diff --git a/arch/arm/include/asm/elf.h b/arch/arm/include/asm/elf.h
1645 index 56211f2..17e8a25 100644
1646 --- a/arch/arm/include/asm/elf.h
1647 +++ b/arch/arm/include/asm/elf.h
1648 @@ -116,7 +116,14 @@ int dump_task_regs(struct task_struct *t, elf_gregset_t *elfregs);
1649 the loader. We need to make sure that it is out of the way of the program
1650 that it will "exec", and that there is sufficient room for the brk. */
1652 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
1653 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
1655 +#ifdef CONFIG_PAX_ASLR
1656 +#define PAX_ELF_ET_DYN_BASE 0x00008000UL
1658 +#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
1659 +#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
1662 /* When the program starts, a1 contains a pointer to a function to be
1663 registered with atexit, as per the SVR4 ABI. A value of 0 means we
1664 @@ -126,10 +133,6 @@ int dump_task_regs(struct task_struct *t, elf_gregset_t *elfregs);
1665 extern void elf_set_personality(const struct elf32_hdr *);
1666 #define SET_PERSONALITY(ex) elf_set_personality(&(ex))
1669 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
1670 -#define arch_randomize_brk arch_randomize_brk
1673 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
1674 struct linux_binprm;
1675 diff --git a/arch/arm/include/asm/fncpy.h b/arch/arm/include/asm/fncpy.h
1676 index de53547..52b9a28 100644
1677 --- a/arch/arm/include/asm/fncpy.h
1678 +++ b/arch/arm/include/asm/fncpy.h
1680 BUG_ON((uintptr_t)(dest_buf) & (FNCPY_ALIGN - 1) || \
1681 (__funcp_address & ~(uintptr_t)1 & (FNCPY_ALIGN - 1))); \
1683 + pax_open_kernel(); \
1684 memcpy(dest_buf, (void const *)(__funcp_address & ~1), size); \
1685 + pax_close_kernel(); \
1686 flush_icache_range((unsigned long)(dest_buf), \
1687 (unsigned long)(dest_buf) + (size)); \
1689 diff --git a/arch/arm/include/asm/futex.h b/arch/arm/include/asm/futex.h
1690 index e42cf59..7b94b8f 100644
1691 --- a/arch/arm/include/asm/futex.h
1692 +++ b/arch/arm/include/asm/futex.h
1693 @@ -50,6 +50,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
1694 if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
1697 + pax_open_userland();
1700 __asm__ __volatile__("@futex_atomic_cmpxchg_inatomic\n"
1701 "1: ldrex %1, [%4]\n"
1702 @@ -65,6 +67,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
1706 + pax_close_userland();
1711 @@ -95,6 +99,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
1712 if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
1715 + pax_open_userland();
1717 __asm__ __volatile__("@futex_atomic_cmpxchg_inatomic\n"
1718 "1: " TUSER(ldr) " %1, [%4]\n"
1720 @@ -105,6 +111,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
1721 : "r" (oldval), "r" (newval), "r" (uaddr), "Ir" (-EFAULT)
1724 + pax_close_userland();
1729 @@ -127,6 +135,7 @@ futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
1732 pagefault_disable(); /* implies preempt_disable() */
1733 + pax_open_userland();
1737 @@ -148,6 +157,7 @@ futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
1741 + pax_close_userland();
1742 pagefault_enable(); /* subsumes preempt_enable() */
1745 diff --git a/arch/arm/include/asm/kmap_types.h b/arch/arm/include/asm/kmap_types.h
1746 index 83eb2f7..ed77159 100644
1747 --- a/arch/arm/include/asm/kmap_types.h
1748 +++ b/arch/arm/include/asm/kmap_types.h
1751 * This is the "bare minimum". AIO seems to require this.
1753 -#define KM_TYPE_NR 16
1754 +#define KM_TYPE_NR 17
1757 diff --git a/arch/arm/include/asm/mach/dma.h b/arch/arm/include/asm/mach/dma.h
1758 index 9e614a1..3302cca 100644
1759 --- a/arch/arm/include/asm/mach/dma.h
1760 +++ b/arch/arm/include/asm/mach/dma.h
1761 @@ -22,7 +22,7 @@ struct dma_ops {
1762 int (*residue)(unsigned int, dma_t *); /* optional */
1763 int (*setspeed)(unsigned int, dma_t *, int); /* optional */
1769 void *addr; /* single DMA address */
1770 diff --git a/arch/arm/include/asm/mach/map.h b/arch/arm/include/asm/mach/map.h
1771 index 2fe141f..192dc01 100644
1772 --- a/arch/arm/include/asm/mach/map.h
1773 +++ b/arch/arm/include/asm/mach/map.h
1774 @@ -27,13 +27,16 @@ struct map_desc {
1775 #define MT_MINICLEAN 6
1776 #define MT_LOW_VECTORS 7
1777 #define MT_HIGH_VECTORS 8
1778 -#define MT_MEMORY 9
1779 +#define MT_MEMORY_RWX 9
1781 -#define MT_MEMORY_NONCACHED 11
1782 +#define MT_MEMORY_NONCACHED_RX 11
1783 #define MT_MEMORY_DTCM 12
1784 #define MT_MEMORY_ITCM 13
1785 #define MT_MEMORY_SO 14
1786 #define MT_MEMORY_DMA_READY 15
1787 +#define MT_MEMORY_RW 16
1788 +#define MT_MEMORY_RX 17
1789 +#define MT_MEMORY_NONCACHED_RW 18
1792 extern void iotable_init(struct map_desc *, int);
1793 diff --git a/arch/arm/include/asm/outercache.h b/arch/arm/include/asm/outercache.h
1794 index 12f71a1..04e063c 100644
1795 --- a/arch/arm/include/asm/outercache.h
1796 +++ b/arch/arm/include/asm/outercache.h
1797 @@ -35,7 +35,7 @@ struct outer_cache_fns {
1799 void (*set_debug)(unsigned long);
1800 void (*resume)(void);
1804 #ifdef CONFIG_OUTER_CACHE
1806 diff --git a/arch/arm/include/asm/page.h b/arch/arm/include/asm/page.h
1807 index cbdc7a2..32f44fe 100644
1808 --- a/arch/arm/include/asm/page.h
1809 +++ b/arch/arm/include/asm/page.h
1810 @@ -114,7 +114,7 @@ struct cpu_user_fns {
1811 void (*cpu_clear_user_highpage)(struct page *page, unsigned long vaddr);
1812 void (*cpu_copy_user_highpage)(struct page *to, struct page *from,
1813 unsigned long vaddr, struct vm_area_struct *vma);
1818 extern struct cpu_user_fns cpu_user;
1819 diff --git a/arch/arm/include/asm/pgalloc.h b/arch/arm/include/asm/pgalloc.h
1820 index 943504f..c37a730 100644
1821 --- a/arch/arm/include/asm/pgalloc.h
1822 +++ b/arch/arm/include/asm/pgalloc.h
1824 #include <asm/processor.h>
1825 #include <asm/cacheflush.h>
1826 #include <asm/tlbflush.h>
1827 +#include <asm/system_info.h>
1829 #define check_pgt_cache() do { } while (0)
1831 @@ -43,6 +44,11 @@ static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
1832 set_pud(pud, __pud(__pa(pmd) | PMD_TYPE_TABLE));
1835 +static inline void pud_populate_kernel(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
1837 + pud_populate(mm, pud, pmd);
1840 #else /* !CONFIG_ARM_LPAE */
1843 @@ -51,6 +57,7 @@ static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
1844 #define pmd_alloc_one(mm,addr) ({ BUG(); ((pmd_t *)2); })
1845 #define pmd_free(mm, pmd) do { } while (0)
1846 #define pud_populate(mm,pmd,pte) BUG()
1847 +#define pud_populate_kernel(mm,pmd,pte) BUG()
1849 #endif /* CONFIG_ARM_LPAE */
1851 @@ -126,6 +133,19 @@ static inline void pte_free(struct mm_struct *mm, pgtable_t pte)
1855 +static inline void __section_update(pmd_t *pmdp, unsigned long addr, pmdval_t prot)
1857 +#ifdef CONFIG_ARM_LPAE
1858 + pmdp[0] = __pmd(pmd_val(pmdp[0]) | prot);
1860 + if (addr & SECTION_SIZE)
1861 + pmdp[1] = __pmd(pmd_val(pmdp[1]) | prot);
1863 + pmdp[0] = __pmd(pmd_val(pmdp[0]) | prot);
1865 + flush_pmd_entry(pmdp);
1868 static inline void __pmd_populate(pmd_t *pmdp, phys_addr_t pte,
1871 @@ -155,7 +175,7 @@ pmd_populate_kernel(struct mm_struct *mm, pmd_t *pmdp, pte_t *ptep)
1873 pmd_populate(struct mm_struct *mm, pmd_t *pmdp, pgtable_t ptep)
1875 - __pmd_populate(pmdp, page_to_phys(ptep), _PAGE_USER_TABLE);
1876 + __pmd_populate(pmdp, page_to_phys(ptep), _PAGE_USER_TABLE | __supported_pmd_mask);
1878 #define pmd_pgtable(pmd) pmd_page(pmd)
1880 diff --git a/arch/arm/include/asm/pgtable-2level-hwdef.h b/arch/arm/include/asm/pgtable-2level-hwdef.h
1881 index 5cfba15..f415e1a 100644
1882 --- a/arch/arm/include/asm/pgtable-2level-hwdef.h
1883 +++ b/arch/arm/include/asm/pgtable-2level-hwdef.h
1885 #define PMD_TYPE_FAULT (_AT(pmdval_t, 0) << 0)
1886 #define PMD_TYPE_TABLE (_AT(pmdval_t, 1) << 0)
1887 #define PMD_TYPE_SECT (_AT(pmdval_t, 2) << 0)
1888 +#define PMD_PXNTABLE (_AT(pmdval_t, 1) << 2) /* v7 */
1889 #define PMD_BIT4 (_AT(pmdval_t, 1) << 4)
1890 #define PMD_DOMAIN(x) (_AT(pmdval_t, (x)) << 5)
1891 #define PMD_PROTECTION (_AT(pmdval_t, 1) << 9) /* v5 */
1896 +#define PMD_SECT_PXN (_AT(pmdval_t, 1) << 0) /* v7 */
1897 #define PMD_SECT_BUFFERABLE (_AT(pmdval_t, 1) << 2)
1898 #define PMD_SECT_CACHEABLE (_AT(pmdval_t, 1) << 3)
1899 #define PMD_SECT_XN (_AT(pmdval_t, 1) << 4) /* v6 */
1901 #define PMD_SECT_nG (_AT(pmdval_t, 1) << 17) /* v6 */
1902 #define PMD_SECT_SUPER (_AT(pmdval_t, 1) << 18) /* v6 */
1903 #define PMD_SECT_AF (_AT(pmdval_t, 0))
1904 +#define PMD_SECT_RDONLY (_AT(pmdval_t, 0))
1906 #define PMD_SECT_UNCACHED (_AT(pmdval_t, 0))
1907 #define PMD_SECT_BUFFERED (PMD_SECT_BUFFERABLE)
1909 * - extended small page/tiny page
1911 #define PTE_EXT_XN (_AT(pteval_t, 1) << 0) /* v6 */
1912 +#define PTE_EXT_PXN (_AT(pteval_t, 1) << 2) /* v7 */
1913 #define PTE_EXT_AP_MASK (_AT(pteval_t, 3) << 4)
1914 #define PTE_EXT_AP0 (_AT(pteval_t, 1) << 4)
1915 #define PTE_EXT_AP1 (_AT(pteval_t, 2) << 4)
1916 diff --git a/arch/arm/include/asm/pgtable-2level.h b/arch/arm/include/asm/pgtable-2level.h
1917 index f97ee02..cc9fe9e 100644
1918 --- a/arch/arm/include/asm/pgtable-2level.h
1919 +++ b/arch/arm/include/asm/pgtable-2level.h
1921 #define L_PTE_SHARED (_AT(pteval_t, 1) << 10) /* shared(v6), coherent(xsc3) */
1922 #define L_PTE_NONE (_AT(pteval_t, 1) << 11)
1924 +/* Two-level page tables only have PXN in the PGD, not in the PTE. */
1925 +#define L_PTE_PXN (_AT(pteval_t, 0))
1928 * These are the memory types, defined to be compatible with
1929 * pre-ARMv6 CPUs cacheable and bufferable bits: XXCB
1930 diff --git a/arch/arm/include/asm/pgtable-3level-hwdef.h b/arch/arm/include/asm/pgtable-3level-hwdef.h
1931 index 18f5cef..25b8f43 100644
1932 --- a/arch/arm/include/asm/pgtable-3level-hwdef.h
1933 +++ b/arch/arm/include/asm/pgtable-3level-hwdef.h
1936 #define PMD_SECT_BUFFERABLE (_AT(pmdval_t, 1) << 2)
1937 #define PMD_SECT_CACHEABLE (_AT(pmdval_t, 1) << 3)
1938 +#define PMD_SECT_RDONLY (_AT(pmdval_t, 1) << 7)
1939 #define PMD_SECT_S (_AT(pmdval_t, 3) << 8)
1940 #define PMD_SECT_AF (_AT(pmdval_t, 1) << 10)
1941 #define PMD_SECT_nG (_AT(pmdval_t, 1) << 11)
1943 #define PTE_EXT_SHARED (_AT(pteval_t, 3) << 8) /* SH[1:0], inner shareable */
1944 #define PTE_EXT_AF (_AT(pteval_t, 1) << 10) /* Access Flag */
1945 #define PTE_EXT_NG (_AT(pteval_t, 1) << 11) /* nG */
1946 +#define PTE_EXT_PXN (_AT(pteval_t, 1) << 53) /* PXN */
1947 #define PTE_EXT_XN (_AT(pteval_t, 1) << 54) /* XN */
1950 diff --git a/arch/arm/include/asm/pgtable-3level.h b/arch/arm/include/asm/pgtable-3level.h
1951 index 86b8fe3..e25f975 100644
1952 --- a/arch/arm/include/asm/pgtable-3level.h
1953 +++ b/arch/arm/include/asm/pgtable-3level.h
1955 #define L_PTE_RDONLY (_AT(pteval_t, 1) << 7) /* AP[2] */
1956 #define L_PTE_SHARED (_AT(pteval_t, 3) << 8) /* SH[1:0], inner shareable */
1957 #define L_PTE_YOUNG (_AT(pteval_t, 1) << 10) /* AF */
1958 +#define L_PTE_PXN (_AT(pteval_t, 1) << 53) /* PXN */
1959 #define L_PTE_XN (_AT(pteval_t, 1) << 54) /* XN */
1960 #define L_PTE_DIRTY (_AT(pteval_t, 1) << 55) /* unused */
1961 #define L_PTE_SPECIAL (_AT(pteval_t, 1) << 56) /* unused */
1964 * To be used in assembly code with the upper page attributes.
1966 +#define L_PTE_PXN_HIGH (1 << (53 - 32))
1967 #define L_PTE_XN_HIGH (1 << (54 - 32))
1968 #define L_PTE_DIRTY_HIGH (1 << (55 - 32))
1970 diff --git a/arch/arm/include/asm/pgtable.h b/arch/arm/include/asm/pgtable.h
1971 index 9bcd262..fba731c 100644
1972 --- a/arch/arm/include/asm/pgtable.h
1973 +++ b/arch/arm/include/asm/pgtable.h
1975 #include <asm/pgtable-2level.h>
1978 +#define ktla_ktva(addr) (addr)
1979 +#define ktva_ktla(addr) (addr)
1982 * Just any arbitrary offset to the start of the vmalloc VM area: the
1983 * current 8MB value just means that there will be a 8MB "hole" after the
1985 #define LIBRARY_TEXT_START 0x0c000000
1987 #ifndef __ASSEMBLY__
1988 +extern pteval_t __supported_pte_mask;
1989 +extern pmdval_t __supported_pmd_mask;
1991 extern void __pte_error(const char *file, int line, pte_t);
1992 extern void __pmd_error(const char *file, int line, pmd_t);
1993 extern void __pgd_error(const char *file, int line, pgd_t);
1994 @@ -53,6 +59,50 @@ extern void __pgd_error(const char *file, int line, pgd_t);
1995 #define pmd_ERROR(pmd) __pmd_error(__FILE__, __LINE__, pmd)
1996 #define pgd_ERROR(pgd) __pgd_error(__FILE__, __LINE__, pgd)
1998 +#define __HAVE_ARCH_PAX_OPEN_KERNEL
1999 +#define __HAVE_ARCH_PAX_CLOSE_KERNEL
2001 +#ifdef CONFIG_PAX_KERNEXEC
2002 +#include <asm/domain.h>
2003 +#include <linux/thread_info.h>
2004 +#include <linux/preempt.h>
2007 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
2008 +static inline int test_domain(int domain, int domaintype)
2010 + return ((current_thread_info()->cpu_domain) & domain_val(domain, 3)) == domain_val(domain, domaintype);
2014 +#ifdef CONFIG_PAX_KERNEXEC
2015 +static inline unsigned long pax_open_kernel(void) {
2016 +#ifdef CONFIG_ARM_LPAE
2019 + preempt_disable();
2020 + BUG_ON(test_domain(DOMAIN_KERNEL, DOMAIN_KERNEXEC));
2021 + modify_domain(DOMAIN_KERNEL, DOMAIN_KERNEXEC);
2026 +static inline unsigned long pax_close_kernel(void) {
2027 +#ifdef CONFIG_ARM_LPAE
2030 + BUG_ON(test_domain(DOMAIN_KERNEL, DOMAIN_MANAGER));
2031 + /* DOMAIN_MANAGER = "client" under KERNEXEC */
2032 + modify_domain(DOMAIN_KERNEL, DOMAIN_MANAGER);
2033 + preempt_enable_no_resched();
2038 +static inline unsigned long pax_open_kernel(void) { return 0; }
2039 +static inline unsigned long pax_close_kernel(void) { return 0; }
2043 * This is the lowest virtual address we can permit any user space
2044 * mapping to be mapped at. This is particularly important for
2045 @@ -72,8 +122,8 @@ extern void __pgd_error(const char *file, int line, pgd_t);
2047 * The pgprot_* and protection_map entries will be fixed up in runtime
2048 * to include the cachable and bufferable bits based on memory policy,
2049 - * as well as any architecture dependent bits like global/ASID and SMP
2050 - * shared mapping bits.
2051 + * as well as any architecture dependent bits like global/ASID, PXN,
2052 + * and SMP shared mapping bits.
2054 #define _L_PTE_DEFAULT L_PTE_PRESENT | L_PTE_YOUNG
2056 @@ -257,7 +307,7 @@ static inline pte_t pte_mkspecial(pte_t pte) { return pte; }
2057 static inline pte_t pte_modify(pte_t pte, pgprot_t newprot)
2059 const pteval_t mask = L_PTE_XN | L_PTE_RDONLY | L_PTE_USER |
2060 - L_PTE_NONE | L_PTE_VALID;
2061 + L_PTE_NONE | L_PTE_VALID | __supported_pte_mask;
2062 pte_val(pte) = (pte_val(pte) & ~mask) | (pgprot_val(newprot) & mask);
2065 diff --git a/arch/arm/include/asm/proc-fns.h b/arch/arm/include/asm/proc-fns.h
2066 index f3628fb..a0672dd 100644
2067 --- a/arch/arm/include/asm/proc-fns.h
2068 +++ b/arch/arm/include/asm/proc-fns.h
2069 @@ -75,7 +75,7 @@ extern struct processor {
2070 unsigned int suspend_size;
2071 void (*do_suspend)(void *);
2072 void (*do_resume)(void *);
2074 +} __do_const processor;
2077 extern void cpu_proc_init(void);
2078 diff --git a/arch/arm/include/asm/psci.h b/arch/arm/include/asm/psci.h
2079 index ce0dbe7..c085b6f 100644
2080 --- a/arch/arm/include/asm/psci.h
2081 +++ b/arch/arm/include/asm/psci.h
2082 @@ -29,7 +29,7 @@ struct psci_operations {
2083 int (*cpu_off)(struct psci_power_state state);
2084 int (*cpu_on)(unsigned long cpuid, unsigned long entry_point);
2085 int (*migrate)(unsigned long cpuid);
2089 extern struct psci_operations psci_ops;
2091 diff --git a/arch/arm/include/asm/smp.h b/arch/arm/include/asm/smp.h
2092 index d3a22be..3a69ad5 100644
2093 --- a/arch/arm/include/asm/smp.h
2094 +++ b/arch/arm/include/asm/smp.h
2095 @@ -107,7 +107,7 @@ struct smp_operations {
2096 int (*cpu_disable)(unsigned int cpu);
2103 * set platform specific SMP operations
2104 diff --git a/arch/arm/include/asm/thread_info.h b/arch/arm/include/asm/thread_info.h
2105 index f00b569..aa5bb41 100644
2106 --- a/arch/arm/include/asm/thread_info.h
2107 +++ b/arch/arm/include/asm/thread_info.h
2108 @@ -77,9 +77,9 @@ struct thread_info {
2110 .preempt_count = INIT_PREEMPT_COUNT, \
2111 .addr_limit = KERNEL_DS, \
2112 - .cpu_domain = domain_val(DOMAIN_USER, DOMAIN_MANAGER) | \
2113 - domain_val(DOMAIN_KERNEL, DOMAIN_MANAGER) | \
2114 - domain_val(DOMAIN_IO, DOMAIN_CLIENT), \
2115 + .cpu_domain = domain_val(DOMAIN_USER, DOMAIN_USERCLIENT) | \
2116 + domain_val(DOMAIN_KERNEL, DOMAIN_KERNELCLIENT) | \
2117 + domain_val(DOMAIN_IO, DOMAIN_KERNELCLIENT), \
2118 .restart_block = { \
2119 .fn = do_no_restart_syscall, \
2121 @@ -152,7 +152,11 @@ extern int vfp_restore_user_hwstate(struct user_vfp __user *,
2122 #define TIF_SYSCALL_AUDIT 9
2123 #define TIF_SYSCALL_TRACEPOINT 10
2124 #define TIF_SECCOMP 11 /* seccomp syscall filtering active */
2125 -#define TIF_NOHZ 12 /* in adaptive nohz mode */
2126 +/* within 8 bits of TIF_SYSCALL_TRACE
2127 + * to meet flexible second operand requirements
2129 +#define TIF_GRSEC_SETXID 12
2130 +#define TIF_NOHZ 13 /* in adaptive nohz mode */
2131 #define TIF_USING_IWMMXT 17
2132 #define TIF_MEMDIE 18 /* is terminating due to OOM killer */
2133 #define TIF_RESTORE_SIGMASK 20
2134 @@ -165,10 +169,11 @@ extern int vfp_restore_user_hwstate(struct user_vfp __user *,
2135 #define _TIF_SYSCALL_TRACEPOINT (1 << TIF_SYSCALL_TRACEPOINT)
2136 #define _TIF_SECCOMP (1 << TIF_SECCOMP)
2137 #define _TIF_USING_IWMMXT (1 << TIF_USING_IWMMXT)
2138 +#define _TIF_GRSEC_SETXID (1 << TIF_GRSEC_SETXID)
2140 /* Checks for any syscall work in entry-common.S */
2141 #define _TIF_SYSCALL_WORK (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
2142 - _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)
2143 + _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP | _TIF_GRSEC_SETXID)
2146 * Change these and you break ASM code in entry-common.S
2147 diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h
2148 index 7e1f760..de33b13 100644
2149 --- a/arch/arm/include/asm/uaccess.h
2150 +++ b/arch/arm/include/asm/uaccess.h
2152 #include <asm/domain.h>
2153 #include <asm/unified.h>
2154 #include <asm/compiler.h>
2155 +#include <asm/pgtable.h>
2157 #define VERIFY_READ 0
2158 #define VERIFY_WRITE 1
2159 @@ -63,11 +64,38 @@ extern int __put_user_bad(void);
2160 static inline void set_fs(mm_segment_t fs)
2162 current_thread_info()->addr_limit = fs;
2163 - modify_domain(DOMAIN_KERNEL, fs ? DOMAIN_CLIENT : DOMAIN_MANAGER);
2164 + modify_domain(DOMAIN_KERNEL, fs ? DOMAIN_KERNELCLIENT : DOMAIN_MANAGER);
2167 #define segment_eq(a,b) ((a) == (b))
2169 +#define __HAVE_ARCH_PAX_OPEN_USERLAND
2170 +#define __HAVE_ARCH_PAX_CLOSE_USERLAND
2172 +static inline void pax_open_userland(void)
2175 +#ifdef CONFIG_PAX_MEMORY_UDEREF
2176 + if (segment_eq(get_fs(), USER_DS)) {
2177 + BUG_ON(test_domain(DOMAIN_USER, DOMAIN_UDEREF));
2178 + modify_domain(DOMAIN_USER, DOMAIN_UDEREF);
2184 +static inline void pax_close_userland(void)
2187 +#ifdef CONFIG_PAX_MEMORY_UDEREF
2188 + if (segment_eq(get_fs(), USER_DS)) {
2189 + BUG_ON(test_domain(DOMAIN_USER, DOMAIN_NOACCESS));
2190 + modify_domain(DOMAIN_USER, DOMAIN_NOACCESS);
2196 #define __addr_ok(addr) ({ \
2197 unsigned long flag; \
2198 __asm__("cmp %2, %0; movlo %0, #0" \
2199 @@ -143,8 +171,12 @@ extern int __get_user_4(void *);
2201 #define get_user(x,p) \
2205 - __get_user_check(x,p); \
2206 + pax_open_userland(); \
2207 + __e = __get_user_check(x,p); \
2208 + pax_close_userland(); \
2212 extern int __put_user_1(void *, unsigned int);
2213 @@ -188,8 +220,12 @@ extern int __put_user_8(void *, unsigned long long);
2215 #define put_user(x,p) \
2219 - __put_user_check(x,p); \
2220 + pax_open_userland(); \
2221 + __e = __put_user_check(x,p); \
2222 + pax_close_userland(); \
2226 #else /* CONFIG_MMU */
2227 @@ -230,13 +266,17 @@ static inline void set_fs(mm_segment_t fs)
2228 #define __get_user(x,ptr) \
2230 long __gu_err = 0; \
2231 + pax_open_userland(); \
2232 __get_user_err((x),(ptr),__gu_err); \
2233 + pax_close_userland(); \
2237 #define __get_user_error(x,ptr,err) \
2239 + pax_open_userland(); \
2240 __get_user_err((x),(ptr),err); \
2241 + pax_close_userland(); \
2245 @@ -312,13 +352,17 @@ do { \
2246 #define __put_user(x,ptr) \
2248 long __pu_err = 0; \
2249 + pax_open_userland(); \
2250 __put_user_err((x),(ptr),__pu_err); \
2251 + pax_close_userland(); \
2255 #define __put_user_error(x,ptr,err) \
2257 + pax_open_userland(); \
2258 __put_user_err((x),(ptr),err); \
2259 + pax_close_userland(); \
2263 @@ -418,11 +462,44 @@ do { \
2267 -extern unsigned long __must_check __copy_from_user(void *to, const void __user *from, unsigned long n);
2268 -extern unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n);
2269 +extern unsigned long __must_check ___copy_from_user(void *to, const void __user *from, unsigned long n);
2270 +extern unsigned long __must_check ___copy_to_user(void __user *to, const void *from, unsigned long n);
2272 +static inline unsigned long __must_check __copy_from_user(void *to, const void __user *from, unsigned long n)
2274 + unsigned long ret;
2276 + check_object_size(to, n, false);
2277 + pax_open_userland();
2278 + ret = ___copy_from_user(to, from, n);
2279 + pax_close_userland();
2283 +static inline unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n)
2285 + unsigned long ret;
2287 + check_object_size(from, n, true);
2288 + pax_open_userland();
2289 + ret = ___copy_to_user(to, from, n);
2290 + pax_close_userland();
2294 extern unsigned long __must_check __copy_to_user_std(void __user *to, const void *from, unsigned long n);
2295 -extern unsigned long __must_check __clear_user(void __user *addr, unsigned long n);
2296 +extern unsigned long __must_check ___clear_user(void __user *addr, unsigned long n);
2297 extern unsigned long __must_check __clear_user_std(void __user *addr, unsigned long n);
2299 +static inline unsigned long __must_check __clear_user(void __user *addr, unsigned long n)
2301 + unsigned long ret;
2302 + pax_open_userland();
2303 + ret = ___clear_user(addr, n);
2304 + pax_close_userland();
2309 #define __copy_from_user(to,from,n) (memcpy(to, (void __force *)from, n), 0)
2310 #define __copy_to_user(to,from,n) (memcpy((void __force *)to, from, n), 0)
2311 @@ -431,6 +508,9 @@ extern unsigned long __must_check __clear_user_std(void __user *addr, unsigned l
2313 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
2318 if (access_ok(VERIFY_READ, from, n))
2319 n = __copy_from_user(to, from, n);
2320 else /* security hole - plug it */
2321 @@ -440,6 +520,9 @@ static inline unsigned long __must_check copy_from_user(void *to, const void __u
2323 static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
2328 if (access_ok(VERIFY_WRITE, to, n))
2329 n = __copy_to_user(to, from, n);
2331 diff --git a/arch/arm/include/uapi/asm/ptrace.h b/arch/arm/include/uapi/asm/ptrace.h
2332 index 96ee092..37f1844 100644
2333 --- a/arch/arm/include/uapi/asm/ptrace.h
2334 +++ b/arch/arm/include/uapi/asm/ptrace.h
2336 * ARMv7 groups of PSR bits
2338 #define APSR_MASK 0xf80f0000 /* N, Z, C, V, Q and GE flags */
2339 -#define PSR_ISET_MASK 0x01000010 /* ISA state (J, T) mask */
2340 +#define PSR_ISET_MASK 0x01000020 /* ISA state (J, T) mask */
2341 #define PSR_IT_MASK 0x0600fc00 /* If-Then execution state mask */
2342 #define PSR_ENDIAN_MASK 0x00000200 /* Endianness state mask */
2344 diff --git a/arch/arm/kernel/armksyms.c b/arch/arm/kernel/armksyms.c
2345 index 60d3b73..e5a0f22 100644
2346 --- a/arch/arm/kernel/armksyms.c
2347 +++ b/arch/arm/kernel/armksyms.c
2348 @@ -53,7 +53,7 @@ EXPORT_SYMBOL(arm_delay_ops);
2351 EXPORT_SYMBOL(csum_partial);
2352 -EXPORT_SYMBOL(csum_partial_copy_from_user);
2353 +EXPORT_SYMBOL(__csum_partial_copy_from_user);
2354 EXPORT_SYMBOL(csum_partial_copy_nocheck);
2355 EXPORT_SYMBOL(__csum_ipv6_magic);
2357 @@ -89,9 +89,9 @@ EXPORT_SYMBOL(__memzero);
2359 EXPORT_SYMBOL(copy_page);
2361 -EXPORT_SYMBOL(__copy_from_user);
2362 -EXPORT_SYMBOL(__copy_to_user);
2363 -EXPORT_SYMBOL(__clear_user);
2364 +EXPORT_SYMBOL(___copy_from_user);
2365 +EXPORT_SYMBOL(___copy_to_user);
2366 +EXPORT_SYMBOL(___clear_user);
2368 EXPORT_SYMBOL(__get_user_1);
2369 EXPORT_SYMBOL(__get_user_2);
2370 diff --git a/arch/arm/kernel/entry-armv.S b/arch/arm/kernel/entry-armv.S
2371 index d43c7e5..257c050 100644
2372 --- a/arch/arm/kernel/entry-armv.S
2373 +++ b/arch/arm/kernel/entry-armv.S
2378 + .macro pax_enter_kernel
2379 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
2380 + @ make aligned space for saved DACR
2383 + stmdb sp!, {r1, r2}
2384 + @ read DACR from cpu_domain into r1
2386 + @ assume 8K pages, since we have to split the immediate in two
2387 + bic r2, r2, #(0x1fc0)
2388 + bic r2, r2, #(0x3f)
2389 + ldr r1, [r2, #TI_CPU_DOMAIN]
2390 + @ store old DACR on stack
2392 +#ifdef CONFIG_PAX_KERNEXEC
2393 + @ set type of DOMAIN_KERNEL to DOMAIN_KERNELCLIENT
2394 + bic r1, r1, #(domain_val(DOMAIN_KERNEL, 3))
2395 + orr r1, r1, #(domain_val(DOMAIN_KERNEL, DOMAIN_KERNELCLIENT))
2397 +#ifdef CONFIG_PAX_MEMORY_UDEREF
2398 + @ set current DOMAIN_USER to DOMAIN_NOACCESS
2399 + bic r1, r1, #(domain_val(DOMAIN_USER, 3))
2401 + @ write r1 to current_thread_info()->cpu_domain
2402 + str r1, [r2, #TI_CPU_DOMAIN]
2403 + @ write r1 to DACR
2404 + mcr p15, 0, r1, c3, c0, 0
2405 + @ instruction sync
2408 + ldmia sp!, {r1, r2}
2412 + .macro pax_open_userland
2413 +#ifdef CONFIG_PAX_MEMORY_UDEREF
2415 + stmdb sp!, {r0, r1}
2416 + @ read DACR from cpu_domain into r1
2418 + @ assume 8K pages, since we have to split the immediate in two
2419 + bic r0, r0, #(0x1fc0)
2420 + bic r0, r0, #(0x3f)
2421 + ldr r1, [r0, #TI_CPU_DOMAIN]
2422 + @ set current DOMAIN_USER to DOMAIN_CLIENT
2423 + bic r1, r1, #(domain_val(DOMAIN_USER, 3))
2424 + orr r1, r1, #(domain_val(DOMAIN_USER, DOMAIN_UDEREF))
2425 + @ write r1 to current_thread_info()->cpu_domain
2426 + str r1, [r0, #TI_CPU_DOMAIN]
2427 + @ write r1 to DACR
2428 + mcr p15, 0, r1, c3, c0, 0
2429 + @ instruction sync
2432 + ldmia sp!, {r0, r1}
2436 + .macro pax_close_userland
2437 +#ifdef CONFIG_PAX_MEMORY_UDEREF
2439 + stmdb sp!, {r0, r1}
2440 + @ read DACR from cpu_domain into r1
2442 + @ assume 8K pages, since we have to split the immediate in two
2443 + bic r0, r0, #(0x1fc0)
2444 + bic r0, r0, #(0x3f)
2445 + ldr r1, [r0, #TI_CPU_DOMAIN]
2446 + @ set current DOMAIN_USER to DOMAIN_NOACCESS
2447 + bic r1, r1, #(domain_val(DOMAIN_USER, 3))
2448 + @ write r1 to current_thread_info()->cpu_domain
2449 + str r1, [r0, #TI_CPU_DOMAIN]
2450 + @ write r1 to DACR
2451 + mcr p15, 0, r1, c3, c0, 0
2452 + @ instruction sync
2455 + ldmia sp!, {r0, r1}
2460 @ PABORT handler takes pt_regs in r2, fault address in r4 and psr in r5
2462 @@ -89,11 +170,15 @@
2463 * Invalid mode handlers
2465 .macro inv_entry, reason
2469 sub sp, sp, #S_FRAME_SIZE
2470 ARM( stmib sp, {r1 - lr} )
2471 THUMB( stmia sp, {r0 - r12} )
2472 THUMB( str sp, [sp, #S_SP] )
2473 THUMB( str lr, [sp, #S_LR] )
2478 @@ -149,7 +234,11 @@ ENDPROC(__und_invalid)
2479 .macro svc_entry, stack_hole=0
2481 UNWIND(.save {r0 - pc} )
2485 sub sp, sp, #(S_FRAME_SIZE + \stack_hole - 4)
2487 #ifdef CONFIG_THUMB2_KERNEL
2488 SPFIX( str r0, [sp] ) @ temporarily saved
2490 @@ -164,7 +253,12 @@ ENDPROC(__und_invalid)
2492 add r7, sp, #S_SP - 4 @ here for interlock avoidance
2493 mov r6, #-1 @ "" "" "" ""
2494 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
2495 + @ offset sp by 8 as done in pax_enter_kernel
2496 + add r2, sp, #(S_FRAME_SIZE + \stack_hole + 4)
2498 add r2, sp, #(S_FRAME_SIZE + \stack_hole - 4)
2500 SPFIX( addeq r2, r2, #4 )
2501 str r3, [sp, #-4]! @ save the "real" r0 copied
2502 @ from the exception stack
2503 @@ -316,6 +410,9 @@ ENDPROC(__pabt_svc)
2506 UNWIND(.cantunwind ) @ don't unwind the user space
2508 + pax_enter_kernel_user
2510 sub sp, sp, #S_FRAME_SIZE
2511 ARM( stmib sp, {r1 - r12} )
2512 THUMB( stmia sp, {r0 - r12} )
2513 @@ -357,7 +454,8 @@ ENDPROC(__pabt_svc)
2516 .macro kuser_cmpxchg_check
2517 -#if !defined(CONFIG_CPU_32v6K) && !defined(CONFIG_NEEDS_SYSCALL_FOR_CMPXCHG)
2518 +#if !defined(CONFIG_CPU_32v6K) && defined(CONFIG_KUSER_HELPERS) && \
2519 + !defined(CONFIG_NEEDS_SYSCALL_FOR_CMPXCHG)
2521 #warning "NPTL on non MMU needs fixing"
2523 @@ -414,7 +512,9 @@ __und_usr:
2524 tst r3, #PSR_T_BIT @ Thumb mode?
2526 sub r4, r2, #4 @ ARM instr at LR - 4
2529 + pax_close_userland
2530 #ifdef CONFIG_CPU_ENDIAN_BE8
2531 rev r0, r0 @ little endian instruction
2533 @@ -449,10 +549,14 @@ __und_usr_thumb:
2539 + pax_close_userland
2540 cmp r5, #0xe800 @ 32bit instruction if xx != 0
2541 blo __und_usr_fault_16 @ 16bit undefined instruction
2544 + pax_close_userland
2545 add r2, r2, #2 @ r2 is PC + 2, make it PC + 4
2546 str r2, [sp, #S_PC] @ it's a 2x16bit instr, update
2547 orr r0, r0, r5, lsl #16
2548 @@ -481,7 +585,8 @@ ENDPROC(__und_usr)
2550 .pushsection .fixup, "ax"
2553 +4: pax_close_userland
2556 .pushsection __ex_table,"a"
2558 @@ -690,7 +795,7 @@ ENTRY(__switch_to)
2559 THUMB( stmia ip!, {r4 - sl, fp} ) @ Store most regs on stack
2560 THUMB( str sp, [ip], #4 )
2561 THUMB( str lr, [ip], #4 )
2562 -#ifdef CONFIG_CPU_USE_DOMAINS
2563 +#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
2564 ldr r6, [r2, #TI_CPU_DOMAIN]
2567 @@ -699,7 +804,7 @@ ENTRY(__switch_to)
2568 ldr r8, =__stack_chk_guard
2569 ldr r7, [r7, #TSK_STACK_CANARY]
2571 -#ifdef CONFIG_CPU_USE_DOMAINS
2572 +#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
2573 mcr p15, 0, r6, c3, c0, 0 @ Set domain register
2576 diff --git a/arch/arm/kernel/entry-common.S b/arch/arm/kernel/entry-common.S
2577 index bc5bc0a..d0998ca 100644
2578 --- a/arch/arm/kernel/entry-common.S
2579 +++ b/arch/arm/kernel/entry-common.S
2582 #include <asm/unistd.h>
2583 #include <asm/ftrace.h>
2584 +#include <asm/domain.h>
2585 #include <asm/unwind.h>
2587 +#include "entry-header.S"
2589 #ifdef CONFIG_NEED_RET_TO_USER
2590 #include <mach/entry-macro.S>
2592 .macro arch_ret_to_user, tmp1, tmp2
2593 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
2595 + stmdb sp!, {r1, r2}
2596 + @ read DACR from cpu_domain into r1
2598 + @ assume 8K pages, since we have to split the immediate in two
2599 + bic r2, r2, #(0x1fc0)
2600 + bic r2, r2, #(0x3f)
2601 + ldr r1, [r2, #TI_CPU_DOMAIN]
2602 +#ifdef CONFIG_PAX_KERNEXEC
2603 + @ set type of DOMAIN_KERNEL to DOMAIN_KERNELCLIENT
2604 + bic r1, r1, #(domain_val(DOMAIN_KERNEL, 3))
2605 + orr r1, r1, #(domain_val(DOMAIN_KERNEL, DOMAIN_KERNELCLIENT))
2607 +#ifdef CONFIG_PAX_MEMORY_UDEREF
2608 + @ set current DOMAIN_USER to DOMAIN_UDEREF
2609 + bic r1, r1, #(domain_val(DOMAIN_USER, 3))
2610 + orr r1, r1, #(domain_val(DOMAIN_USER, DOMAIN_UDEREF))
2612 + @ write r1 to current_thread_info()->cpu_domain
2613 + str r1, [r2, #TI_CPU_DOMAIN]
2614 + @ write r1 to DACR
2615 + mcr p15, 0, r1, c3, c0, 0
2616 + @ instruction sync
2619 + ldmia sp!, {r1, r2}
2624 -#include "entry-header.S"
2629 * This is the fast syscall return path. We do as little as
2630 @@ -350,6 +378,7 @@ ENDPROC(ftrace_stub)
2635 sub sp, sp, #S_FRAME_SIZE
2636 stmia sp, {r0 - r12} @ Calling r0 - r12
2637 ARM( add r8, sp, #S_PC )
2638 @@ -399,6 +428,12 @@ ENTRY(vector_swi)
2639 ldr scno, [lr, #-4] @ get SWI instruction
2643 + * do this here to avoid a performance hit of wrapping the code above
2644 + * that directly dereferences userland to parse the SWI instruction
2646 + pax_enter_kernel_user
2648 #ifdef CONFIG_ALIGNMENT_TRAP
2649 ldr ip, __cr_alignment
2651 diff --git a/arch/arm/kernel/entry-header.S b/arch/arm/kernel/entry-header.S
2652 index 160f337..db67ee4 100644
2653 --- a/arch/arm/kernel/entry-header.S
2654 +++ b/arch/arm/kernel/entry-header.S
2656 msr cpsr_c, \rtemp @ switch back to the SVC mode
2659 + .macro pax_enter_kernel_user
2660 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
2662 + stmdb sp!, {r0, r1}
2663 + @ read DACR from cpu_domain into r1
2665 + @ assume 8K pages, since we have to split the immediate in two
2666 + bic r0, r0, #(0x1fc0)
2667 + bic r0, r0, #(0x3f)
2668 + ldr r1, [r0, #TI_CPU_DOMAIN]
2669 +#ifdef CONFIG_PAX_MEMORY_UDEREF
2670 + @ set current DOMAIN_USER to DOMAIN_NOACCESS
2671 + bic r1, r1, #(domain_val(DOMAIN_USER, 3))
2673 +#ifdef CONFIG_PAX_KERNEXEC
2674 + @ set current DOMAIN_KERNEL to DOMAIN_KERNELCLIENT
2675 + bic r1, r1, #(domain_val(DOMAIN_KERNEL, 3))
2676 + orr r1, r1, #(domain_val(DOMAIN_KERNEL, DOMAIN_KERNELCLIENT))
2678 + @ write r1 to current_thread_info()->cpu_domain
2679 + str r1, [r0, #TI_CPU_DOMAIN]
2680 + @ write r1 to DACR
2681 + mcr p15, 0, r1, c3, c0, 0
2682 + @ instruction sync
2685 + ldmia sp!, {r0, r1}
2689 + .macro pax_exit_kernel
2690 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
2692 + stmdb sp!, {r0, r1}
2693 + @ read old DACR from stack into r1
2694 + ldr r1, [sp, #(8 + S_SP)]
2698 + @ write r1 to current_thread_info()->cpu_domain
2700 + @ assume 8K pages, since we have to split the immediate in two
2701 + bic r0, r0, #(0x1fc0)
2702 + bic r0, r0, #(0x3f)
2703 + str r1, [r0, #TI_CPU_DOMAIN]
2704 + @ write r1 to DACR
2705 + mcr p15, 0, r1, c3, c0, 0
2706 + @ instruction sync
2709 + ldmia sp!, {r0, r1}
2713 #ifndef CONFIG_THUMB2_KERNEL
2714 .macro svc_exit, rpsr, irq = 0
2717 blne trace_hardirqs_off
2723 msr spsr_cxsf, \rpsr
2724 #if defined(CONFIG_CPU_V6)
2727 blne trace_hardirqs_off
2733 ldr lr, [sp, #S_SP] @ top of the stack
2734 ldrd r0, r1, [sp, #S_LR] @ calling lr and pc
2735 clrex @ clear the exclusive monitor
2736 diff --git a/arch/arm/kernel/fiq.c b/arch/arm/kernel/fiq.c
2737 index 25442f4..d4948fc 100644
2738 --- a/arch/arm/kernel/fiq.c
2739 +++ b/arch/arm/kernel/fiq.c
2740 @@ -84,17 +84,16 @@ int show_fiq_list(struct seq_file *p, int prec)
2742 void set_fiq_handler(void *start, unsigned int length)
2744 -#if defined(CONFIG_CPU_USE_DOMAINS)
2745 - void *base = (void *)0xffff0000;
2747 void *base = vectors_page;
2749 unsigned offset = FIQ_OFFSET;
2751 + pax_open_kernel();
2752 memcpy(base + offset, start, length);
2753 + pax_close_kernel();
2755 + if (!cache_is_vipt_nonaliasing())
2756 + flush_icache_range(base + offset, offset + length);
2757 flush_icache_range(0xffff0000 + offset, 0xffff0000 + offset + length);
2758 - if (!vectors_high())
2759 - flush_icache_range(offset, offset + length);
2762 int claim_fiq(struct fiq_handler *f)
2763 diff --git a/arch/arm/kernel/head.S b/arch/arm/kernel/head.S
2764 index 8bac553..caee108 100644
2765 --- a/arch/arm/kernel/head.S
2766 +++ b/arch/arm/kernel/head.S
2768 .equ swapper_pg_dir, KERNEL_RAM_VADDR - PG_DIR_SIZE
2770 .macro pgtbl, rd, phys
2771 - add \rd, \phys, #TEXT_OFFSET - PG_DIR_SIZE
2772 + mov \rd, #TEXT_OFFSET
2773 + sub \rd, #PG_DIR_SIZE
2774 + add \rd, \rd, \phys
2778 @@ -434,7 +436,7 @@ __enable_mmu:
2779 mov r5, #(domain_val(DOMAIN_USER, DOMAIN_MANAGER) | \
2780 domain_val(DOMAIN_KERNEL, DOMAIN_MANAGER) | \
2781 domain_val(DOMAIN_TABLE, DOMAIN_MANAGER) | \
2782 - domain_val(DOMAIN_IO, DOMAIN_CLIENT))
2783 + domain_val(DOMAIN_IO, DOMAIN_KERNELCLIENT))
2784 mcr p15, 0, r5, c3, c0, 0 @ load domain access register
2785 mcr p15, 0, r4, c2, c0, 0 @ load page table pointer
2787 diff --git a/arch/arm/kernel/hw_breakpoint.c b/arch/arm/kernel/hw_breakpoint.c
2788 index 1fd749e..47adb08 100644
2789 --- a/arch/arm/kernel/hw_breakpoint.c
2790 +++ b/arch/arm/kernel/hw_breakpoint.c
2791 @@ -1029,7 +1029,7 @@ static int __cpuinit dbg_reset_notify(struct notifier_block *self,
2795 -static struct notifier_block __cpuinitdata dbg_reset_nb = {
2796 +static struct notifier_block dbg_reset_nb = {
2797 .notifier_call = dbg_reset_notify,
2800 diff --git a/arch/arm/kernel/module.c b/arch/arm/kernel/module.c
2801 index 1e9be5d..03edbc2 100644
2802 --- a/arch/arm/kernel/module.c
2803 +++ b/arch/arm/kernel/module.c
2808 -void *module_alloc(unsigned long size)
2809 +static inline void *__module_alloc(unsigned long size, pgprot_t prot)
2811 + if (!size || PAGE_ALIGN(size) > MODULES_END - MODULES_VADDR)
2813 return __vmalloc_node_range(size, 1, MODULES_VADDR, MODULES_END,
2814 - GFP_KERNEL, PAGE_KERNEL_EXEC, -1,
2815 + GFP_KERNEL, prot, -1,
2816 __builtin_return_address(0));
2819 +void *module_alloc(unsigned long size)
2822 +#ifdef CONFIG_PAX_KERNEXEC
2823 + return __module_alloc(size, PAGE_KERNEL);
2825 + return __module_alloc(size, PAGE_KERNEL_EXEC);
2830 +#ifdef CONFIG_PAX_KERNEXEC
2831 +void module_free_exec(struct module *mod, void *module_region)
2833 + module_free(mod, module_region);
2836 +void *module_alloc_exec(unsigned long size)
2838 + return __module_alloc(size, PAGE_KERNEL_EXEC);
2844 diff --git a/arch/arm/kernel/patch.c b/arch/arm/kernel/patch.c
2845 index 07314af..c46655c 100644
2846 --- a/arch/arm/kernel/patch.c
2847 +++ b/arch/arm/kernel/patch.c
2848 @@ -18,6 +18,7 @@ void __kprobes __patch_text(void *addr, unsigned int insn)
2849 bool thumb2 = IS_ENABLED(CONFIG_THUMB2_KERNEL);
2852 + pax_open_kernel();
2853 if (thumb2 && __opcode_is_thumb16(insn)) {
2854 *(u16 *)addr = __opcode_to_mem_thumb16(insn);
2856 @@ -39,6 +40,7 @@ void __kprobes __patch_text(void *addr, unsigned int insn)
2857 *(u32 *)addr = insn;
2860 + pax_close_kernel();
2862 flush_icache_range((uintptr_t)(addr),
2863 (uintptr_t)(addr) + size);
2864 diff --git a/arch/arm/kernel/perf_event.c b/arch/arm/kernel/perf_event.c
2865 index e19edc6..e186ee1 100644
2866 --- a/arch/arm/kernel/perf_event.c
2867 +++ b/arch/arm/kernel/perf_event.c
2868 @@ -56,7 +56,7 @@ armpmu_map_hw_event(const unsigned (*event_map)[PERF_COUNT_HW_MAX], u64 config)
2871 if (config >= PERF_COUNT_HW_MAX)
2875 mapping = (*event_map)[config];
2876 return mapping == HW_OP_UNSUPPORTED ? -ENOENT : mapping;
2877 diff --git a/arch/arm/kernel/perf_event_cpu.c b/arch/arm/kernel/perf_event_cpu.c
2878 index 1f2740e..b36e225 100644
2879 --- a/arch/arm/kernel/perf_event_cpu.c
2880 +++ b/arch/arm/kernel/perf_event_cpu.c
2881 @@ -171,7 +171,7 @@ static int __cpuinit cpu_pmu_notify(struct notifier_block *b,
2885 -static struct notifier_block __cpuinitdata cpu_pmu_hotplug_notifier = {
2886 +static struct notifier_block cpu_pmu_hotplug_notifier = {
2887 .notifier_call = cpu_pmu_notify,
2890 diff --git a/arch/arm/kernel/process.c b/arch/arm/kernel/process.c
2891 index 5bc2615..dcd439f 100644
2892 --- a/arch/arm/kernel/process.c
2893 +++ b/arch/arm/kernel/process.c
2894 @@ -223,6 +223,7 @@ void machine_power_off(void)
2902 @@ -236,7 +237,7 @@ void machine_power_off(void)
2903 * executing pre-reset code, and using RAM that the primary CPU's code wishes
2904 * to use. Implementing such co-ordination would be essentially impossible.
2906 -void machine_restart(char *cmd)
2907 +__noreturn void machine_restart(char *cmd)
2911 @@ -258,8 +259,8 @@ void __show_regs(struct pt_regs *regs)
2913 show_regs_print_info(KERN_DEFAULT);
2915 - print_symbol("PC is at %s\n", instruction_pointer(regs));
2916 - print_symbol("LR is at %s\n", regs->ARM_lr);
2917 + printk("PC is at %pA\n", (void *)instruction_pointer(regs));
2918 + printk("LR is at %pA\n", (void *)regs->ARM_lr);
2919 printk("pc : [<%08lx>] lr : [<%08lx>] psr: %08lx\n"
2920 "sp : %08lx ip : %08lx fp : %08lx\n",
2921 regs->ARM_pc, regs->ARM_lr, regs->ARM_cpsr,
2922 @@ -426,12 +427,6 @@ unsigned long get_wchan(struct task_struct *p)
2926 -unsigned long arch_randomize_brk(struct mm_struct *mm)
2928 - unsigned long range_end = mm->brk + 0x02000000;
2929 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
2933 #ifdef CONFIG_KUSER_HELPERS
2935 @@ -447,7 +442,7 @@ static struct vm_area_struct gate_vma = {
2937 static int __init gate_vma_init(void)
2939 - gate_vma.vm_page_prot = PAGE_READONLY_EXEC;
2940 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
2943 arch_initcall(gate_vma_init);
2944 @@ -466,48 +461,23 @@ int in_gate_area_no_mm(unsigned long addr)
2946 return in_gate_area(NULL, addr);
2948 -#define is_gate_vma(vma) ((vma) = &gate_vma)
2949 +#define is_gate_vma(vma) ((vma) == &gate_vma)
2951 #define is_gate_vma(vma) 0
2954 const char *arch_vma_name(struct vm_area_struct *vma)
2956 - return is_gate_vma(vma) ? "[vectors]" :
2957 - (vma->vm_mm && vma->vm_start == vma->vm_mm->context.sigpage) ?
2958 - "[sigpage]" : NULL;
2959 + return is_gate_vma(vma) ? "[vectors]" : NULL;
2962 -static struct page *signal_page;
2963 -extern struct page *get_signal_page(void);
2965 int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
2967 struct mm_struct *mm = current->mm;
2968 - unsigned long addr;
2972 - signal_page = get_signal_page();
2976 down_write(&mm->mmap_sem);
2977 - addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
2978 - if (IS_ERR_VALUE(addr)) {
2983 - ret = install_special_mapping(mm, addr, PAGE_SIZE,
2984 - VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC,
2988 - mm->context.sigpage = addr;
2991 + mm->context.sigpage = (PAGE_OFFSET + (get_random_int() % 0x3FFEFFE0)) & 0xFFFFFFFC;
2992 up_write(&mm->mmap_sem);
2997 diff --git a/arch/arm/kernel/psci.c b/arch/arm/kernel/psci.c
2998 index 3653164..d83e55d 100644
2999 --- a/arch/arm/kernel/psci.c
3000 +++ b/arch/arm/kernel/psci.c
3002 #include <asm/opcodes-virt.h>
3003 #include <asm/psci.h>
3005 -struct psci_operations psci_ops;
3006 +struct psci_operations psci_ops __read_only;
3008 static int (*invoke_psci_fn)(u32, u32, u32, u32);
3010 diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c
3011 index 03deeff..741ce88 100644
3012 --- a/arch/arm/kernel/ptrace.c
3013 +++ b/arch/arm/kernel/ptrace.c
3014 @@ -937,10 +937,19 @@ static int tracehook_report_syscall(struct pt_regs *regs,
3015 return current_thread_info()->syscall;
3018 +#ifdef CONFIG_GRKERNSEC_SETXID
3019 +extern void gr_delayed_cred_worker(void);
3022 asmlinkage int syscall_trace_enter(struct pt_regs *regs, int scno)
3024 current_thread_info()->syscall = scno;
3026 +#ifdef CONFIG_GRKERNSEC_SETXID
3027 + if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
3028 + gr_delayed_cred_worker();
3031 /* Do the secure computing check first; failures should be fast. */
3032 if (secure_computing(scno) == -1)
3034 diff --git a/arch/arm/kernel/setup.c b/arch/arm/kernel/setup.c
3035 index b4b1d39..efdc9be 100644
3036 --- a/arch/arm/kernel/setup.c
3037 +++ b/arch/arm/kernel/setup.c
3038 @@ -97,21 +97,23 @@ EXPORT_SYMBOL(system_serial_high);
3039 unsigned int elf_hwcap __read_mostly;
3040 EXPORT_SYMBOL(elf_hwcap);
3042 +pteval_t __supported_pte_mask __read_only;
3043 +pmdval_t __supported_pmd_mask __read_only;
3046 -struct processor processor __read_mostly;
3047 +struct processor processor;
3050 -struct cpu_tlb_fns cpu_tlb __read_mostly;
3051 +struct cpu_tlb_fns cpu_tlb __read_only;
3054 -struct cpu_user_fns cpu_user __read_mostly;
3055 +struct cpu_user_fns cpu_user __read_only;
3058 -struct cpu_cache_fns cpu_cache __read_mostly;
3059 +struct cpu_cache_fns cpu_cache __read_only;
3061 #ifdef CONFIG_OUTER_CACHE
3062 -struct outer_cache_fns outer_cache __read_mostly;
3063 +struct outer_cache_fns outer_cache __read_only;
3064 EXPORT_SYMBOL(outer_cache);
3067 @@ -236,9 +238,13 @@ static int __get_cpu_architecture(void)
3068 asm("mrc p15, 0, %0, c0, c1, 4"
3070 if ((mmfr0 & 0x0000000f) >= 0x00000003 ||
3071 - (mmfr0 & 0x000000f0) >= 0x00000030)
3072 + (mmfr0 & 0x000000f0) >= 0x00000030) {
3073 cpu_arch = CPU_ARCH_ARMv7;
3074 - else if ((mmfr0 & 0x0000000f) == 0x00000002 ||
3075 + if ((mmfr0 & 0x0000000f) == 0x00000005 || (mmfr0 & 0x0000000f) == 0x00000004) {
3076 + __supported_pte_mask |= L_PTE_PXN;
3077 + __supported_pmd_mask |= PMD_PXNTABLE;
3079 + } else if ((mmfr0 & 0x0000000f) == 0x00000002 ||
3080 (mmfr0 & 0x000000f0) == 0x00000020)
3081 cpu_arch = CPU_ARCH_ARMv6;
3083 @@ -479,7 +485,7 @@ static void __init setup_processor(void)
3084 __cpu_architecture = __get_cpu_architecture();
3087 - processor = *list->proc;
3088 + memcpy((void *)&processor, list->proc, sizeof processor);
3091 cpu_tlb = *list->tlb;
3092 diff --git a/arch/arm/kernel/signal.c b/arch/arm/kernel/signal.c
3093 index 5a42c12..a2bb7c6 100644
3094 --- a/arch/arm/kernel/signal.c
3095 +++ b/arch/arm/kernel/signal.c
3096 @@ -45,8 +45,6 @@ static const unsigned long sigreturn_codes[7] = {
3097 MOV_R7_NR_RT_SIGRETURN, SWI_SYS_RT_SIGRETURN, SWI_THUMB_RT_SIGRETURN,
3100 -static unsigned long signal_return_offset;
3102 #ifdef CONFIG_CRUNCH
3103 static int preserve_crunch_context(struct crunch_sigframe __user *frame)
3105 @@ -406,8 +404,7 @@ setup_return(struct pt_regs *regs, struct ksignal *ksig,
3106 * except when the MPU has protected the vectors
3109 - retcode = mm->context.sigpage + signal_return_offset +
3110 - (idx << 2) + thumb;
3111 + retcode = mm->context.sigpage + (idx << 2) + thumb;
3115 @@ -611,33 +608,3 @@ do_work_pending(struct pt_regs *regs, unsigned int thread_flags, int syscall)
3116 } while (thread_flags & _TIF_WORK_MASK);
3120 -struct page *get_signal_page(void)
3122 - unsigned long ptr;
3124 - struct page *page;
3127 - page = alloc_pages(GFP_KERNEL, 0);
3132 - addr = page_address(page);
3134 - /* Give the signal return code some randomness */
3135 - offset = 0x200 + (get_random_int() & 0x7fc);
3136 - signal_return_offset = offset;
3139 - * Copy signal return handlers into the vector page, and
3140 - * set sigreturn to be a pointer to these.
3142 - memcpy(addr + offset, sigreturn_codes, sizeof(sigreturn_codes));
3144 - ptr = (unsigned long)addr + offset;
3145 - flush_icache_range(ptr, ptr + sizeof(sigreturn_codes));
3149 diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c
3150 index 5919eb4..b5d6dfe 100644
3151 --- a/arch/arm/kernel/smp.c
3152 +++ b/arch/arm/kernel/smp.c
3153 @@ -70,7 +70,7 @@ enum ipi_msg_type {
3155 static DECLARE_COMPLETION(cpu_running);
3157 -static struct smp_operations smp_ops;
3158 +static struct smp_operations smp_ops __read_only;
3160 void __init smp_set_ops(struct smp_operations *ops)
3162 diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c
3163 index 6b9567e..b8af2d6 100644
3164 --- a/arch/arm/kernel/traps.c
3165 +++ b/arch/arm/kernel/traps.c
3166 @@ -55,7 +55,7 @@ static void dump_mem(const char *, const char *, unsigned long, unsigned long);
3167 void dump_backtrace_entry(unsigned long where, unsigned long from, unsigned long frame)
3169 #ifdef CONFIG_KALLSYMS
3170 - printk("[<%08lx>] (%pS) from [<%08lx>] (%pS)\n", where, (void *)where, from, (void *)from);
3171 + printk("[<%08lx>] (%pA) from [<%08lx>] (%pA)\n", where, (void *)where, from, (void *)from);
3173 printk("Function entered at [<%08lx>] from [<%08lx>]\n", where, from);
3175 @@ -257,6 +257,8 @@ static arch_spinlock_t die_lock = __ARCH_SPIN_LOCK_UNLOCKED;
3176 static int die_owner = -1;
3177 static unsigned int die_nest_count;
3179 +extern void gr_handle_kernel_exploit(void);
3181 static unsigned long oops_begin(void)
3184 @@ -299,6 +301,9 @@ static void oops_end(unsigned long flags, struct pt_regs *regs, int signr)
3185 panic("Fatal exception in interrupt");
3187 panic("Fatal exception");
3189 + gr_handle_kernel_exploit();
3194 @@ -592,7 +597,9 @@ asmlinkage int arm_syscall(int no, struct pt_regs *regs)
3195 * The user helper at 0xffff0fe0 must be used instead.
3196 * (see entry-armv.S for details)
3198 + pax_open_kernel();
3199 *((unsigned int *)0xffff0ff0) = regs->ARM_r0;
3200 + pax_close_kernel();
3204 @@ -848,5 +855,9 @@ void __init early_trap_init(void *vectors_base)
3205 kuser_init(vectors_base);
3207 flush_icache_range(vectors, vectors + PAGE_SIZE * 2);
3208 - modify_domain(DOMAIN_USER, DOMAIN_CLIENT);
3210 +#ifndef CONFIG_PAX_MEMORY_UDEREF
3211 + modify_domain(DOMAIN_USER, DOMAIN_USERCLIENT);
3215 diff --git a/arch/arm/kernel/vmlinux.lds.S b/arch/arm/kernel/vmlinux.lds.S
3216 index 33f2ea3..0b91824 100644
3217 --- a/arch/arm/kernel/vmlinux.lds.S
3218 +++ b/arch/arm/kernel/vmlinux.lds.S
3220 #include <asm/thread_info.h>
3221 #include <asm/memory.h>
3222 #include <asm/page.h>
3225 +#ifdef CONFIG_PAX_KERNEXEC
3226 +#include <asm/pgtable.h>
3231 VMLINUX_SYMBOL(__proc_info_begin) = .; \
3232 @@ -94,6 +98,11 @@ SECTIONS
3237 +#ifdef CONFIG_PAX_KERNEXEC
3238 + . = ALIGN(1<<SECTION_SHIFT);
3241 .text : { /* Real text segment */
3242 _stext = .; /* Text and read-only data */
3243 __exception_text_start = .;
3244 @@ -116,6 +125,8 @@ SECTIONS
3245 ARM_CPU_KEEP(PROC_INFO)
3248 + _etext = .; /* End of text section */
3253 @@ -146,7 +157,9 @@ SECTIONS
3257 - _etext = .; /* End of text and rodata section */
3258 +#ifdef CONFIG_PAX_KERNEXEC
3259 + . = ALIGN(1<<SECTION_SHIFT);
3262 #ifndef CONFIG_XIP_KERNEL
3263 . = ALIGN(PAGE_SIZE);
3264 @@ -224,6 +237,11 @@ SECTIONS
3265 . = PAGE_OFFSET + TEXT_OFFSET;
3269 +#ifdef CONFIG_PAX_KERNEXEC
3270 + . = ALIGN(1<<SECTION_SHIFT);
3273 . = ALIGN(THREAD_SIZE);
3276 diff --git a/arch/arm/lib/clear_user.S b/arch/arm/lib/clear_user.S
3277 index 14a0d98..7771a7d 100644
3278 --- a/arch/arm/lib/clear_user.S
3279 +++ b/arch/arm/lib/clear_user.S
3284 -/* Prototype: int __clear_user(void *addr, size_t sz)
3285 +/* Prototype: int ___clear_user(void *addr, size_t sz)
3286 * Purpose : clear some user memory
3287 * Params : addr - user memory address to clear
3288 * : sz - number of bytes to clear
3289 * Returns : number of bytes NOT cleared
3291 ENTRY(__clear_user_std)
3293 +WEAK(___clear_user)
3297 @@ -44,7 +44,7 @@ WEAK(__clear_user)
3298 USER( strnebt r2, [r0])
3301 -ENDPROC(__clear_user)
3302 +ENDPROC(___clear_user)
3303 ENDPROC(__clear_user_std)
3305 .pushsection .fixup,"ax"
3306 diff --git a/arch/arm/lib/copy_from_user.S b/arch/arm/lib/copy_from_user.S
3307 index 66a477a..bee61d3 100644
3308 --- a/arch/arm/lib/copy_from_user.S
3309 +++ b/arch/arm/lib/copy_from_user.S
3314 - * size_t __copy_from_user(void *to, const void *from, size_t n)
3315 + * size_t ___copy_from_user(void *to, const void *from, size_t n)
3323 -ENTRY(__copy_from_user)
3324 +ENTRY(___copy_from_user)
3326 #include "copy_template.S"
3328 -ENDPROC(__copy_from_user)
3329 +ENDPROC(___copy_from_user)
3331 .pushsection .fixup,"ax"
3333 diff --git a/arch/arm/lib/copy_page.S b/arch/arm/lib/copy_page.S
3334 index 6ee2f67..d1cce76 100644
3335 --- a/arch/arm/lib/copy_page.S
3336 +++ b/arch/arm/lib/copy_page.S
3338 * ASM optimised string functions
3340 #include <linux/linkage.h>
3341 +#include <linux/const.h>
3342 #include <asm/assembler.h>
3343 #include <asm/asm-offsets.h>
3344 #include <asm/cache.h>
3345 diff --git a/arch/arm/lib/copy_to_user.S b/arch/arm/lib/copy_to_user.S
3346 index d066df6..df28194 100644
3347 --- a/arch/arm/lib/copy_to_user.S
3348 +++ b/arch/arm/lib/copy_to_user.S
3353 - * size_t __copy_to_user(void *to, const void *from, size_t n)
3354 + * size_t ___copy_to_user(void *to, const void *from, size_t n)
3361 ENTRY(__copy_to_user_std)
3362 -WEAK(__copy_to_user)
3363 +WEAK(___copy_to_user)
3365 #include "copy_template.S"
3367 -ENDPROC(__copy_to_user)
3368 +ENDPROC(___copy_to_user)
3369 ENDPROC(__copy_to_user_std)
3371 .pushsection .fixup,"ax"
3372 diff --git a/arch/arm/lib/csumpartialcopyuser.S b/arch/arm/lib/csumpartialcopyuser.S
3373 index 7d08b43..f7ca7ea 100644
3374 --- a/arch/arm/lib/csumpartialcopyuser.S
3375 +++ b/arch/arm/lib/csumpartialcopyuser.S
3377 * Returns : r0 = checksum, [[sp, #0], #0] = 0 or -EFAULT
3380 -#define FN_ENTRY ENTRY(csum_partial_copy_from_user)
3381 -#define FN_EXIT ENDPROC(csum_partial_copy_from_user)
3382 +#define FN_ENTRY ENTRY(__csum_partial_copy_from_user)
3383 +#define FN_EXIT ENDPROC(__csum_partial_copy_from_user)
3385 #include "csumpartialcopygeneric.S"
3387 diff --git a/arch/arm/lib/delay.c b/arch/arm/lib/delay.c
3388 index 64dbfa5..84a3fd9 100644
3389 --- a/arch/arm/lib/delay.c
3390 +++ b/arch/arm/lib/delay.c
3393 * Default to the loop-based delay implementation.
3395 -struct arm_delay_ops arm_delay_ops = {
3396 +struct arm_delay_ops arm_delay_ops __read_only = {
3397 .delay = __loop_delay,
3398 .const_udelay = __loop_const_udelay,
3399 .udelay = __loop_udelay,
3400 diff --git a/arch/arm/lib/uaccess_with_memcpy.c b/arch/arm/lib/uaccess_with_memcpy.c
3401 index 025f742..8432b08 100644
3402 --- a/arch/arm/lib/uaccess_with_memcpy.c
3403 +++ b/arch/arm/lib/uaccess_with_memcpy.c
3404 @@ -104,7 +104,7 @@ out:
3408 -__copy_to_user(void __user *to, const void *from, unsigned long n)
3409 +___copy_to_user(void __user *to, const void *from, unsigned long n)
3412 * This test is stubbed out of the main function above to keep
3413 diff --git a/arch/arm/mach-kirkwood/common.c b/arch/arm/mach-kirkwood/common.c
3414 index f389228..592ef66 100644
3415 --- a/arch/arm/mach-kirkwood/common.c
3416 +++ b/arch/arm/mach-kirkwood/common.c
3417 @@ -149,7 +149,16 @@ static void clk_gate_fn_disable(struct clk_hw *hw)
3418 clk_gate_ops.disable(hw);
3421 -static struct clk_ops clk_gate_fn_ops;
3422 +static int clk_gate_fn_is_enabled(struct clk_hw *hw)
3424 + return clk_gate_ops.is_enabled(hw);
3427 +static struct clk_ops clk_gate_fn_ops = {
3428 + .enable = clk_gate_fn_enable,
3429 + .disable = clk_gate_fn_disable,
3430 + .is_enabled = clk_gate_fn_is_enabled,
3433 static struct clk __init *clk_register_gate_fn(struct device *dev,
3435 @@ -183,14 +192,6 @@ static struct clk __init *clk_register_gate_fn(struct device *dev,
3436 gate_fn->fn_en = fn_en;
3437 gate_fn->fn_dis = fn_dis;
3439 - /* ops is the gate ops, but with our enable/disable functions */
3440 - if (clk_gate_fn_ops.enable != clk_gate_fn_enable ||
3441 - clk_gate_fn_ops.disable != clk_gate_fn_disable) {
3442 - clk_gate_fn_ops = clk_gate_ops;
3443 - clk_gate_fn_ops.enable = clk_gate_fn_enable;
3444 - clk_gate_fn_ops.disable = clk_gate_fn_disable;
3447 clk = clk_register(dev, &gate_fn->gate.hw);
3450 diff --git a/arch/arm/mach-omap2/board-n8x0.c b/arch/arm/mach-omap2/board-n8x0.c
3451 index f6eeb87..cc90868 100644
3452 --- a/arch/arm/mach-omap2/board-n8x0.c
3453 +++ b/arch/arm/mach-omap2/board-n8x0.c
3454 @@ -631,7 +631,7 @@ static int n8x0_menelaus_late_init(struct device *dev)
3458 -static struct menelaus_platform_data n8x0_menelaus_platform_data __initdata = {
3459 +static struct menelaus_platform_data n8x0_menelaus_platform_data __initconst = {
3460 .late_init = n8x0_menelaus_late_init,
3463 diff --git a/arch/arm/mach-omap2/gpmc.c b/arch/arm/mach-omap2/gpmc.c
3464 index 6c4da12..d9ca72d 100644
3465 --- a/arch/arm/mach-omap2/gpmc.c
3466 +++ b/arch/arm/mach-omap2/gpmc.c
3467 @@ -147,7 +147,6 @@ struct omap3_gpmc_regs {
3470 static struct gpmc_client_irq gpmc_client_irq[GPMC_NR_IRQ];
3471 -static struct irq_chip gpmc_irq_chip;
3472 static unsigned gpmc_irq_start;
3474 static struct resource gpmc_mem_root;
3475 @@ -711,6 +710,18 @@ static void gpmc_irq_noop(struct irq_data *data) { }
3477 static unsigned int gpmc_irq_noop_ret(struct irq_data *data) { return 0; }
3479 +static struct irq_chip gpmc_irq_chip = {
3481 + .irq_startup = gpmc_irq_noop_ret,
3482 + .irq_enable = gpmc_irq_enable,
3483 + .irq_disable = gpmc_irq_disable,
3484 + .irq_shutdown = gpmc_irq_noop,
3485 + .irq_ack = gpmc_irq_noop,
3486 + .irq_mask = gpmc_irq_noop,
3487 + .irq_unmask = gpmc_irq_noop,
3491 static int gpmc_setup_irq(void)
3494 @@ -725,15 +736,6 @@ static int gpmc_setup_irq(void)
3495 return gpmc_irq_start;
3498 - gpmc_irq_chip.name = "gpmc";
3499 - gpmc_irq_chip.irq_startup = gpmc_irq_noop_ret;
3500 - gpmc_irq_chip.irq_enable = gpmc_irq_enable;
3501 - gpmc_irq_chip.irq_disable = gpmc_irq_disable;
3502 - gpmc_irq_chip.irq_shutdown = gpmc_irq_noop;
3503 - gpmc_irq_chip.irq_ack = gpmc_irq_noop;
3504 - gpmc_irq_chip.irq_mask = gpmc_irq_noop;
3505 - gpmc_irq_chip.irq_unmask = gpmc_irq_noop;
3507 gpmc_client_irq[0].bitmask = GPMC_IRQ_FIFOEVENTENABLE;
3508 gpmc_client_irq[1].bitmask = GPMC_IRQ_COUNT_EVENT;
3510 diff --git a/arch/arm/mach-omap2/omap-wakeupgen.c b/arch/arm/mach-omap2/omap-wakeupgen.c
3511 index f8bb3b9..831e7b8 100644
3512 --- a/arch/arm/mach-omap2/omap-wakeupgen.c
3513 +++ b/arch/arm/mach-omap2/omap-wakeupgen.c
3514 @@ -339,7 +339,7 @@ static int __cpuinit irq_cpu_hotplug_notify(struct notifier_block *self,
3518 -static struct notifier_block __refdata irq_hotplug_notifier = {
3519 +static struct notifier_block irq_hotplug_notifier = {
3520 .notifier_call = irq_cpu_hotplug_notify,
3523 diff --git a/arch/arm/mach-omap2/omap_device.c b/arch/arm/mach-omap2/omap_device.c
3524 index e6d2307..d057195 100644
3525 --- a/arch/arm/mach-omap2/omap_device.c
3526 +++ b/arch/arm/mach-omap2/omap_device.c
3527 @@ -499,7 +499,7 @@ void omap_device_delete(struct omap_device *od)
3528 struct platform_device __init *omap_device_build(const char *pdev_name,
3530 struct omap_hwmod *oh,
3531 - void *pdata, int pdata_len)
3532 + const void *pdata, int pdata_len)
3534 struct omap_hwmod *ohs[] = { oh };
3536 @@ -527,7 +527,7 @@ struct platform_device __init *omap_device_build(const char *pdev_name,
3537 struct platform_device __init *omap_device_build_ss(const char *pdev_name,
3539 struct omap_hwmod **ohs,
3540 - int oh_cnt, void *pdata,
3541 + int oh_cnt, const void *pdata,
3545 diff --git a/arch/arm/mach-omap2/omap_device.h b/arch/arm/mach-omap2/omap_device.h
3546 index 044c31d..2ee0861 100644
3547 --- a/arch/arm/mach-omap2/omap_device.h
3548 +++ b/arch/arm/mach-omap2/omap_device.h
3549 @@ -72,12 +72,12 @@ int omap_device_idle(struct platform_device *pdev);
3550 /* Core code interface */
3552 struct platform_device *omap_device_build(const char *pdev_name, int pdev_id,
3553 - struct omap_hwmod *oh, void *pdata,
3554 + struct omap_hwmod *oh, const void *pdata,
3557 struct platform_device *omap_device_build_ss(const char *pdev_name, int pdev_id,
3558 struct omap_hwmod **oh, int oh_cnt,
3559 - void *pdata, int pdata_len);
3560 + const void *pdata, int pdata_len);
3562 struct omap_device *omap_device_alloc(struct platform_device *pdev,
3563 struct omap_hwmod **ohs, int oh_cnt);
3564 diff --git a/arch/arm/mach-omap2/omap_hwmod.c b/arch/arm/mach-omap2/omap_hwmod.c
3565 index 7341eff..fd75e34 100644
3566 --- a/arch/arm/mach-omap2/omap_hwmod.c
3567 +++ b/arch/arm/mach-omap2/omap_hwmod.c
3568 @@ -194,10 +194,10 @@ struct omap_hwmod_soc_ops {
3569 int (*init_clkdm)(struct omap_hwmod *oh);
3570 void (*update_context_lost)(struct omap_hwmod *oh);
3571 int (*get_context_lost)(struct omap_hwmod *oh);
3575 /* soc_ops: adapts the omap_hwmod code to the currently-booted SoC */
3576 -static struct omap_hwmod_soc_ops soc_ops;
3577 +static struct omap_hwmod_soc_ops soc_ops __read_only;
3579 /* omap_hwmod_list contains all registered struct omap_hwmods */
3580 static LIST_HEAD(omap_hwmod_list);
3581 diff --git a/arch/arm/mach-omap2/wd_timer.c b/arch/arm/mach-omap2/wd_timer.c
3582 index d15c7bb..b2d1f0c 100644
3583 --- a/arch/arm/mach-omap2/wd_timer.c
3584 +++ b/arch/arm/mach-omap2/wd_timer.c
3585 @@ -110,7 +110,9 @@ static int __init omap_init_wdt(void)
3586 struct omap_hwmod *oh;
3587 char *oh_name = "wd_timer2";
3588 char *dev_name = "omap_wdt";
3589 - struct omap_wd_timer_platform_data pdata;
3590 + static struct omap_wd_timer_platform_data pdata = {
3591 + .read_reset_sources = prm_read_reset_sources
3594 if (!cpu_class_is_omap2() || of_have_populated_dt())
3596 @@ -121,8 +123,6 @@ static int __init omap_init_wdt(void)
3600 - pdata.read_reset_sources = prm_read_reset_sources;
3602 pdev = omap_device_build(dev_name, id, oh, &pdata,
3603 sizeof(struct omap_wd_timer_platform_data));
3604 WARN(IS_ERR(pdev), "Can't build omap_device for %s:%s.\n",
3605 diff --git a/arch/arm/mach-tegra/cpuidle-tegra20.c b/arch/arm/mach-tegra/cpuidle-tegra20.c
3606 index 0cdba8d..297993e 100644
3607 --- a/arch/arm/mach-tegra/cpuidle-tegra20.c
3608 +++ b/arch/arm/mach-tegra/cpuidle-tegra20.c
3609 @@ -181,7 +181,7 @@ static int tegra20_idle_lp2_coupled(struct cpuidle_device *dev,
3610 bool entered_lp2 = false;
3612 if (tegra_pending_sgi())
3613 - ACCESS_ONCE(abort_flag) = true;
3614 + ACCESS_ONCE_RW(abort_flag) = true;
3616 cpuidle_coupled_parallel_barrier(dev, &abort_barrier);
3618 diff --git a/arch/arm/mach-ux500/setup.h b/arch/arm/mach-ux500/setup.h
3619 index cad3ca86..1d79e0f 100644
3620 --- a/arch/arm/mach-ux500/setup.h
3621 +++ b/arch/arm/mach-ux500/setup.h
3622 @@ -37,13 +37,6 @@ extern void ux500_timer_init(void);
3623 .type = MT_DEVICE, \
3626 -#define __MEM_DEV_DESC(x, sz) { \
3627 - .virtual = IO_ADDRESS(x), \
3628 - .pfn = __phys_to_pfn(x), \
3630 - .type = MT_MEMORY, \
3633 extern struct smp_operations ux500_smp_ops;
3634 extern void ux500_cpu_die(unsigned int cpu);
3636 diff --git a/arch/arm/mm/Kconfig b/arch/arm/mm/Kconfig
3637 index 2950082..d0f0782 100644
3638 --- a/arch/arm/mm/Kconfig
3639 +++ b/arch/arm/mm/Kconfig
3640 @@ -436,7 +436,7 @@ config CPU_32v5
3644 - select CPU_USE_DOMAINS if CPU_V6 && MMU
3645 + select CPU_USE_DOMAINS if CPU_V6 && MMU && !PAX_KERNEXEC && !PAX_MEMORY_UDEREF
3646 select TLS_REG_EMUL if !CPU_32v6K && !MMU
3649 @@ -585,6 +585,7 @@ config CPU_CP15_MPU
3651 config CPU_USE_DOMAINS
3653 + depends on !ARM_LPAE && !PAX_KERNEXEC
3655 This option enables or disables the use of domain switching
3656 via the set_fs() function.
3657 @@ -780,6 +781,7 @@ config NEED_KUSER_HELPERS
3658 config KUSER_HELPERS
3659 bool "Enable kuser helpers in vector page" if !NEED_KUSER_HELPERS
3661 + depends on !(CPU_V6 || CPU_V6K || CPU_V7)
3663 Warning: disabling this option may break user programs.
3665 @@ -790,7 +792,7 @@ config KUSER_HELPERS
3666 run on ARMv4 through to ARMv7 without modification.
3668 However, the fixed address nature of these helpers can be used
3669 - by ROP (return orientated programming) authors when creating
3670 + by ROP (Return Oriented Programming) authors when creating
3673 If all of the binaries and libraries which run on your platform
3674 diff --git a/arch/arm/mm/alignment.c b/arch/arm/mm/alignment.c
3675 index 6f4585b..7b6f52b 100644
3676 --- a/arch/arm/mm/alignment.c
3677 +++ b/arch/arm/mm/alignment.c
3678 @@ -211,10 +211,12 @@ union offset_union {
3679 #define __get16_unaligned_check(ins,val,addr) \
3681 unsigned int err = 0, v, a = addr; \
3682 + pax_open_userland(); \
3683 __get8_unaligned_check(ins,v,a,err); \
3684 val = v << ((BE) ? 8 : 0); \
3685 __get8_unaligned_check(ins,v,a,err); \
3686 val |= v << ((BE) ? 0 : 8); \
3687 + pax_close_userland(); \
3691 @@ -228,6 +230,7 @@ union offset_union {
3692 #define __get32_unaligned_check(ins,val,addr) \
3694 unsigned int err = 0, v, a = addr; \
3695 + pax_open_userland(); \
3696 __get8_unaligned_check(ins,v,a,err); \
3697 val = v << ((BE) ? 24 : 0); \
3698 __get8_unaligned_check(ins,v,a,err); \
3699 @@ -236,6 +239,7 @@ union offset_union {
3700 val |= v << ((BE) ? 8 : 16); \
3701 __get8_unaligned_check(ins,v,a,err); \
3702 val |= v << ((BE) ? 0 : 24); \
3703 + pax_close_userland(); \
3707 @@ -249,6 +253,7 @@ union offset_union {
3708 #define __put16_unaligned_check(ins,val,addr) \
3710 unsigned int err = 0, v = val, a = addr; \
3711 + pax_open_userland(); \
3712 __asm__( FIRST_BYTE_16 \
3713 ARM( "1: "ins" %1, [%2], #1\n" ) \
3714 THUMB( "1: "ins" %1, [%2]\n" ) \
3715 @@ -268,6 +273,7 @@ union offset_union {
3717 : "=r" (err), "=&r" (v), "=&r" (a) \
3718 : "0" (err), "1" (v), "2" (a)); \
3719 + pax_close_userland(); \
3723 @@ -281,6 +287,7 @@ union offset_union {
3724 #define __put32_unaligned_check(ins,val,addr) \
3726 unsigned int err = 0, v = val, a = addr; \
3727 + pax_open_userland(); \
3728 __asm__( FIRST_BYTE_32 \
3729 ARM( "1: "ins" %1, [%2], #1\n" ) \
3730 THUMB( "1: "ins" %1, [%2]\n" ) \
3731 @@ -310,6 +317,7 @@ union offset_union {
3733 : "=r" (err), "=&r" (v), "=&r" (a) \
3734 : "0" (err), "1" (v), "2" (a)); \
3735 + pax_close_userland(); \
3739 diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
3740 index 5dbf13f..ee1ec24 100644
3741 --- a/arch/arm/mm/fault.c
3742 +++ b/arch/arm/mm/fault.c
3744 #include <asm/system_misc.h>
3745 #include <asm/system_info.h>
3746 #include <asm/tlbflush.h>
3747 +#include <asm/sections.h>
3751 @@ -138,6 +139,20 @@ __do_kernel_fault(struct mm_struct *mm, unsigned long addr, unsigned int fsr,
3752 if (fixup_exception(regs))
3755 +#ifdef CONFIG_PAX_KERNEXEC
3756 + if ((fsr & FSR_WRITE) &&
3757 + (((unsigned long)_stext <= addr && addr < init_mm.end_code) ||
3758 + (MODULES_VADDR <= addr && addr < MODULES_END)))
3760 + if (current->signal->curr_ip)
3761 + printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", ¤t->signal->curr_ip, current->comm, task_pid_nr(current),
3762 + from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()));
3764 + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", current->comm, task_pid_nr(current),
3765 + from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()));
3770 * No handler, we'll have to terminate things with extreme prejudice.
3772 @@ -174,6 +189,13 @@ __do_user_fault(struct task_struct *tsk, unsigned long addr,
3776 +#ifdef CONFIG_PAX_PAGEEXEC
3777 + if (fsr & FSR_LNX_PF) {
3778 + pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
3779 + do_group_exit(SIGKILL);
3783 tsk->thread.address = addr;
3784 tsk->thread.error_code = fsr;
3785 tsk->thread.trap_no = 14;
3786 @@ -398,6 +420,33 @@ do_page_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
3788 #endif /* CONFIG_MMU */
3790 +#ifdef CONFIG_PAX_PAGEEXEC
3791 +void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
3795 + printk(KERN_ERR "PAX: bytes at PC: ");
3796 + for (i = 0; i < 20; i++) {
3798 + if (get_user(c, (__force unsigned char __user *)pc+i))
3799 + printk(KERN_CONT "?? ");
3801 + printk(KERN_CONT "%02x ", c);
3805 + printk(KERN_ERR "PAX: bytes at SP-4: ");
3806 + for (i = -1; i < 20; i++) {
3808 + if (get_user(c, (__force unsigned long __user *)sp+i))
3809 + printk(KERN_CONT "???????? ");
3811 + printk(KERN_CONT "%08lx ", c);
3818 * First Level Translation Fault Handler
3820 @@ -543,9 +592,22 @@ do_DataAbort(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
3821 const struct fsr_info *inf = fsr_info + fsr_fs(fsr);
3822 struct siginfo info;
3824 +#ifdef CONFIG_PAX_MEMORY_UDEREF
3825 + if (addr < TASK_SIZE && is_domain_fault(fsr)) {
3826 + if (current->signal->curr_ip)
3827 + printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to access userland memory at %08lx\n", ¤t->signal->curr_ip, current->comm, task_pid_nr(current),
3828 + from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()), addr);
3830 + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to access userland memory at %08lx\n", current->comm, task_pid_nr(current),
3831 + from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()), addr);
3836 if (!inf->fn(addr, fsr & ~FSR_LNX_PF, regs))
3840 printk(KERN_ALERT "Unhandled fault: %s (0x%03x) at 0x%08lx\n",
3841 inf->name, fsr, addr);
3843 @@ -569,15 +631,67 @@ hook_ifault_code(int nr, int (*fn)(unsigned long, unsigned int, struct pt_regs *
3844 ifsr_info[nr].name = name;
3847 +asmlinkage int sys_sigreturn(struct pt_regs *regs);
3848 +asmlinkage int sys_rt_sigreturn(struct pt_regs *regs);
3850 asmlinkage void __exception
3851 do_PrefetchAbort(unsigned long addr, unsigned int ifsr, struct pt_regs *regs)
3853 const struct fsr_info *inf = ifsr_info + fsr_fs(ifsr);
3854 struct siginfo info;
3856 + if (user_mode(regs)) {
3857 + unsigned long sigpage = current->mm->context.sigpage;
3859 + if (sigpage <= addr && addr < sigpage + 7*4) {
3860 + if (addr < sigpage + 3*4)
3861 + sys_sigreturn(regs);
3863 + sys_rt_sigreturn(regs);
3866 + if (addr == 0xffff0fe0UL) {
3868 + * PaX: __kuser_get_tls emulation
3870 + regs->ARM_r0 = current_thread_info()->tp_value;
3871 + regs->ARM_pc = regs->ARM_lr;
3876 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
3877 + else if (is_domain_fault(ifsr) || is_xn_fault(ifsr)) {
3878 + if (current->signal->curr_ip)
3879 + printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to execute %s memory at %08lx\n", ¤t->signal->curr_ip, current->comm, task_pid_nr(current),
3880 + from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()),
3881 + addr >= TASK_SIZE ? "non-executable kernel" : "userland", addr);
3883 + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to execute %s memory at %08lx\n", current->comm, task_pid_nr(current),
3884 + from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()),
3885 + addr >= TASK_SIZE ? "non-executable kernel" : "userland", addr);
3890 +#ifdef CONFIG_PAX_REFCOUNT
3891 + if (fsr_fs(ifsr) == FAULT_CODE_DEBUG) {
3892 + unsigned int bkpt;
3894 + if (!probe_kernel_address((unsigned int *)addr, bkpt) && bkpt == 0xe12f1073) {
3895 + current->thread.error_code = ifsr;
3896 + current->thread.trap_no = 0;
3897 + pax_report_refcount_overflow(regs);
3898 + fixup_exception(regs);
3904 if (!inf->fn(addr, ifsr | FSR_LNX_PF, regs))
3908 printk(KERN_ALERT "Unhandled prefetch abort: %s (0x%03x) at 0x%08lx\n",
3909 inf->name, ifsr, addr);
3911 diff --git a/arch/arm/mm/fault.h b/arch/arm/mm/fault.h
3912 index cf08bdf..772656c 100644
3913 --- a/arch/arm/mm/fault.h
3914 +++ b/arch/arm/mm/fault.h
3918 * Fault status register encodings. We steal bit 31 for our own purposes.
3919 + * Set when the FSR value is from an instruction fault.
3921 #define FSR_LNX_PF (1 << 31)
3922 #define FSR_WRITE (1 << 11)
3923 @@ -22,6 +23,17 @@ static inline int fsr_fs(unsigned int fsr)
3927 +/* valid for LPAE and !LPAE */
3928 +static inline int is_xn_fault(unsigned int fsr)
3930 + return ((fsr_fs(fsr) & 0x3c) == 0xc);
3933 +static inline int is_domain_fault(unsigned int fsr)
3935 + return ((fsr_fs(fsr) & 0xD) == 0x9);
3938 void do_bad_area(unsigned long addr, unsigned int fsr, struct pt_regs *regs);
3939 unsigned long search_exception_table(unsigned long addr);
3941 diff --git a/arch/arm/mm/init.c b/arch/arm/mm/init.c
3942 index 0ecc43f..190b956 100644
3943 --- a/arch/arm/mm/init.c
3944 +++ b/arch/arm/mm/init.c
3946 #include <asm/setup.h>
3947 #include <asm/tlb.h>
3948 #include <asm/fixmap.h>
3949 +#include <asm/system_info.h>
3950 +#include <asm/cp15.h>
3952 #include <asm/mach/arch.h>
3953 #include <asm/mach/map.h>
3954 @@ -726,7 +728,46 @@ void free_initmem(void)
3956 #ifdef CONFIG_HAVE_TCM
3957 extern char __tcm_start, __tcm_end;
3960 +#ifdef CONFIG_PAX_KERNEXEC
3961 + unsigned long addr;
3965 + int cpu_arch = cpu_architecture();
3966 + unsigned int cr = get_cr();
3968 + if (cpu_arch >= CPU_ARCH_ARMv6 && (cr & CR_XP)) {
3969 + /* make pages tables, etc before .text NX */
3970 + for (addr = PAGE_OFFSET; addr < (unsigned long)_stext; addr += SECTION_SIZE) {
3971 + pgd = pgd_offset_k(addr);
3972 + pud = pud_offset(pgd, addr);
3973 + pmd = pmd_offset(pud, addr);
3974 + __section_update(pmd, addr, PMD_SECT_XN);
3976 + /* make init NX */
3977 + for (addr = (unsigned long)__init_begin; addr < (unsigned long)_sdata; addr += SECTION_SIZE) {
3978 + pgd = pgd_offset_k(addr);
3979 + pud = pud_offset(pgd, addr);
3980 + pmd = pmd_offset(pud, addr);
3981 + __section_update(pmd, addr, PMD_SECT_XN);
3983 + /* make kernel code/rodata RX */
3984 + for (addr = (unsigned long)_stext; addr < (unsigned long)__init_begin; addr += SECTION_SIZE) {
3985 + pgd = pgd_offset_k(addr);
3986 + pud = pud_offset(pgd, addr);
3987 + pmd = pmd_offset(pud, addr);
3988 +#ifdef CONFIG_ARM_LPAE
3989 + __section_update(pmd, addr, PMD_SECT_RDONLY);
3991 + __section_update(pmd, addr, PMD_SECT_APX|PMD_SECT_AP_WRITE);
3997 +#ifdef CONFIG_HAVE_TCM
3998 poison_init_mem(&__tcm_start, &__tcm_end - &__tcm_start);
3999 free_reserved_area(&__tcm_start, &__tcm_end, 0, "TCM link");
4001 diff --git a/arch/arm/mm/ioremap.c b/arch/arm/mm/ioremap.c
4002 index 04d9006..c547d85 100644
4003 --- a/arch/arm/mm/ioremap.c
4004 +++ b/arch/arm/mm/ioremap.c
4005 @@ -392,9 +392,9 @@ __arm_ioremap_exec(unsigned long phys_addr, size_t size, bool cached)
4009 - mtype = MT_MEMORY;
4010 + mtype = MT_MEMORY_RX;
4012 - mtype = MT_MEMORY_NONCACHED;
4013 + mtype = MT_MEMORY_NONCACHED_RX;
4015 return __arm_ioremap_caller(phys_addr, size, mtype,
4016 __builtin_return_address(0));
4017 diff --git a/arch/arm/mm/mmap.c b/arch/arm/mm/mmap.c
4018 index 10062ce..8695745 100644
4019 --- a/arch/arm/mm/mmap.c
4020 +++ b/arch/arm/mm/mmap.c
4021 @@ -59,6 +59,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
4022 struct vm_area_struct *vma;
4024 int aliasing = cache_is_vipt_aliasing();
4025 + unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
4026 struct vm_unmapped_area_info info;
4029 @@ -81,6 +82,10 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
4030 if (len > TASK_SIZE)
4033 +#ifdef CONFIG_PAX_RANDMMAP
4034 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
4039 addr = COLOUR_ALIGN(addr, pgoff);
4040 @@ -88,8 +93,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
4041 addr = PAGE_ALIGN(addr);
4043 vma = find_vma(mm, addr);
4044 - if (TASK_SIZE - len >= addr &&
4045 - (!vma || addr + len <= vma->vm_start))
4046 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
4050 @@ -99,6 +103,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
4051 info.high_limit = TASK_SIZE;
4052 info.align_mask = do_align ? (PAGE_MASK & (SHMLBA - 1)) : 0;
4053 info.align_offset = pgoff << PAGE_SHIFT;
4054 + info.threadstack_offset = offset;
4055 return vm_unmapped_area(&info);
4058 @@ -112,6 +117,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
4059 unsigned long addr = addr0;
4061 int aliasing = cache_is_vipt_aliasing();
4062 + unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
4063 struct vm_unmapped_area_info info;
4066 @@ -132,6 +138,10 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
4070 +#ifdef CONFIG_PAX_RANDMMAP
4071 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
4074 /* requesting a specific address */
4077 @@ -139,8 +149,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
4079 addr = PAGE_ALIGN(addr);
4080 vma = find_vma(mm, addr);
4081 - if (TASK_SIZE - len >= addr &&
4082 - (!vma || addr + len <= vma->vm_start))
4083 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
4087 @@ -150,6 +159,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
4088 info.high_limit = mm->mmap_base;
4089 info.align_mask = do_align ? (PAGE_MASK & (SHMLBA - 1)) : 0;
4090 info.align_offset = pgoff << PAGE_SHIFT;
4091 + info.threadstack_offset = offset;
4092 addr = vm_unmapped_area(&info);
4095 @@ -173,6 +183,10 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
4097 unsigned long random_factor = 0UL;
4099 +#ifdef CONFIG_PAX_RANDMMAP
4100 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
4103 /* 8 bits of randomness in 20 address space bits */
4104 if ((current->flags & PF_RANDOMIZE) &&
4105 !(current->personality & ADDR_NO_RANDOMIZE))
4106 @@ -180,10 +194,22 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
4108 if (mmap_is_legacy()) {
4109 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
4111 +#ifdef CONFIG_PAX_RANDMMAP
4112 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4113 + mm->mmap_base += mm->delta_mmap;
4116 mm->get_unmapped_area = arch_get_unmapped_area;
4117 mm->unmap_area = arch_unmap_area;
4119 mm->mmap_base = mmap_base(random_factor);
4121 +#ifdef CONFIG_PAX_RANDMMAP
4122 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4123 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
4126 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
4127 mm->unmap_area = arch_unmap_area_topdown;
4129 diff --git a/arch/arm/mm/mmu.c b/arch/arm/mm/mmu.c
4130 index daf336f..4e6392c 100644
4131 --- a/arch/arm/mm/mmu.c
4132 +++ b/arch/arm/mm/mmu.c
4137 +#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
4138 +void modify_domain(unsigned int dom, unsigned int type)
4140 + struct thread_info *thread = current_thread_info();
4141 + unsigned int domain = thread->cpu_domain;
4143 + * DOMAIN_MANAGER might be defined to some other value,
4144 + * use the arch-defined constant
4146 + domain &= ~domain_val(dom, 3);
4147 + thread->cpu_domain = domain | domain_val(dom, type);
4148 + set_domain(thread->cpu_domain);
4150 +EXPORT_SYMBOL(modify_domain);
4154 * empty_zero_page is a special page that is used for
4155 * zero-initialized data and COW.
4156 @@ -228,10 +244,18 @@ __setup("noalign", noalign_setup);
4158 #endif /* ifdef CONFIG_CPU_CP15 / else */
4160 -#define PROT_PTE_DEVICE L_PTE_PRESENT|L_PTE_YOUNG|L_PTE_DIRTY|L_PTE_XN
4161 +#define PROT_PTE_DEVICE L_PTE_PRESENT|L_PTE_YOUNG|L_PTE_DIRTY
4162 #define PROT_SECT_DEVICE PMD_TYPE_SECT|PMD_SECT_AP_WRITE
4164 -static struct mem_type mem_types[] = {
4165 +#ifdef CONFIG_PAX_KERNEXEC
4166 +#define L_PTE_KERNEXEC L_PTE_RDONLY
4167 +#define PMD_SECT_KERNEXEC PMD_SECT_RDONLY
4169 +#define L_PTE_KERNEXEC L_PTE_DIRTY
4170 +#define PMD_SECT_KERNEXEC PMD_SECT_AP_WRITE
4173 +static struct mem_type mem_types[] __read_only = {
4174 [MT_DEVICE] = { /* Strongly ordered / ARMv6 shared device */
4175 .prot_pte = PROT_PTE_DEVICE | L_PTE_MT_DEV_SHARED |
4177 @@ -260,16 +284,16 @@ static struct mem_type mem_types[] = {
4179 .prot_pte = PROT_PTE_DEVICE,
4180 .prot_l1 = PMD_TYPE_TABLE,
4181 - .prot_sect = PMD_TYPE_SECT | PMD_SECT_XN,
4182 + .prot_sect = PROT_SECT_DEVICE,
4183 .domain = DOMAIN_IO,
4186 - .prot_sect = PMD_TYPE_SECT | PMD_SECT_XN,
4187 + .prot_sect = PMD_TYPE_SECT | PMD_SECT_RDONLY,
4188 .domain = DOMAIN_KERNEL,
4190 #ifndef CONFIG_ARM_LPAE
4192 - .prot_sect = PMD_TYPE_SECT | PMD_SECT_XN | PMD_SECT_MINICACHE,
4193 + .prot_sect = PMD_TYPE_SECT | PMD_SECT_MINICACHE | PMD_SECT_RDONLY,
4194 .domain = DOMAIN_KERNEL,
4197 @@ -277,36 +301,54 @@ static struct mem_type mem_types[] = {
4198 .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY |
4200 .prot_l1 = PMD_TYPE_TABLE,
4201 - .domain = DOMAIN_USER,
4202 + .domain = DOMAIN_VECTORS,
4204 [MT_HIGH_VECTORS] = {
4205 .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY |
4206 L_PTE_USER | L_PTE_RDONLY,
4207 .prot_l1 = PMD_TYPE_TABLE,
4208 - .domain = DOMAIN_USER,
4209 + .domain = DOMAIN_VECTORS,
4212 + [MT_MEMORY_RWX] = {
4213 .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY,
4214 .prot_l1 = PMD_TYPE_TABLE,
4215 .prot_sect = PMD_TYPE_SECT | PMD_SECT_AP_WRITE,
4216 .domain = DOMAIN_KERNEL,
4218 + [MT_MEMORY_RW] = {
4219 + .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY,
4220 + .prot_l1 = PMD_TYPE_TABLE,
4221 + .prot_sect = PMD_TYPE_SECT | PMD_SECT_AP_WRITE,
4222 + .domain = DOMAIN_KERNEL,
4224 + [MT_MEMORY_RX] = {
4225 + .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_KERNEXEC,
4226 + .prot_l1 = PMD_TYPE_TABLE,
4227 + .prot_sect = PMD_TYPE_SECT | PMD_SECT_KERNEXEC,
4228 + .domain = DOMAIN_KERNEL,
4231 - .prot_sect = PMD_TYPE_SECT,
4232 + .prot_sect = PMD_TYPE_SECT | PMD_SECT_RDONLY,
4233 .domain = DOMAIN_KERNEL,
4235 - [MT_MEMORY_NONCACHED] = {
4236 + [MT_MEMORY_NONCACHED_RW] = {
4237 .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY |
4238 L_PTE_MT_BUFFERABLE,
4239 .prot_l1 = PMD_TYPE_TABLE,
4240 .prot_sect = PMD_TYPE_SECT | PMD_SECT_AP_WRITE,
4241 .domain = DOMAIN_KERNEL,
4243 + [MT_MEMORY_NONCACHED_RX] = {
4244 + .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_KERNEXEC |
4245 + L_PTE_MT_BUFFERABLE,
4246 + .prot_l1 = PMD_TYPE_TABLE,
4247 + .prot_sect = PMD_TYPE_SECT | PMD_SECT_KERNEXEC,
4248 + .domain = DOMAIN_KERNEL,
4250 [MT_MEMORY_DTCM] = {
4251 - .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY |
4253 + .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY,
4254 .prot_l1 = PMD_TYPE_TABLE,
4255 - .prot_sect = PMD_TYPE_SECT | PMD_SECT_XN,
4256 + .prot_sect = PMD_TYPE_SECT | PMD_SECT_RDONLY,
4257 .domain = DOMAIN_KERNEL,
4259 [MT_MEMORY_ITCM] = {
4260 @@ -316,10 +358,10 @@ static struct mem_type mem_types[] = {
4263 .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY |
4264 - L_PTE_MT_UNCACHED | L_PTE_XN,
4265 + L_PTE_MT_UNCACHED,
4266 .prot_l1 = PMD_TYPE_TABLE,
4267 .prot_sect = PMD_TYPE_SECT | PMD_SECT_AP_WRITE | PMD_SECT_S |
4268 - PMD_SECT_UNCACHED | PMD_SECT_XN,
4269 + PMD_SECT_UNCACHED,
4270 .domain = DOMAIN_KERNEL,
4272 [MT_MEMORY_DMA_READY] = {
4273 @@ -405,9 +447,35 @@ static void __init build_mem_type_table(void)
4274 * to prevent speculative instruction fetches.
4276 mem_types[MT_DEVICE].prot_sect |= PMD_SECT_XN;
4277 + mem_types[MT_DEVICE].prot_pte |= L_PTE_XN;
4278 mem_types[MT_DEVICE_NONSHARED].prot_sect |= PMD_SECT_XN;
4279 + mem_types[MT_DEVICE_NONSHARED].prot_pte |= L_PTE_XN;
4280 mem_types[MT_DEVICE_CACHED].prot_sect |= PMD_SECT_XN;
4281 + mem_types[MT_DEVICE_CACHED].prot_pte |= L_PTE_XN;
4282 mem_types[MT_DEVICE_WC].prot_sect |= PMD_SECT_XN;
4283 + mem_types[MT_DEVICE_WC].prot_pte |= L_PTE_XN;
4285 + /* Mark other regions on ARMv6+ as execute-never */
4287 +#ifdef CONFIG_PAX_KERNEXEC
4288 + mem_types[MT_UNCACHED].prot_sect |= PMD_SECT_XN;
4289 + mem_types[MT_UNCACHED].prot_pte |= L_PTE_XN;
4290 + mem_types[MT_CACHECLEAN].prot_sect |= PMD_SECT_XN;
4291 + mem_types[MT_CACHECLEAN].prot_pte |= L_PTE_XN;
4292 +#ifndef CONFIG_ARM_LPAE
4293 + mem_types[MT_MINICLEAN].prot_sect |= PMD_SECT_XN;
4294 + mem_types[MT_MINICLEAN].prot_pte |= L_PTE_XN;
4296 + mem_types[MT_MEMORY_RW].prot_sect |= PMD_SECT_XN;
4297 + mem_types[MT_MEMORY_RW].prot_pte |= L_PTE_XN;
4298 + mem_types[MT_MEMORY_NONCACHED_RW].prot_sect |= PMD_SECT_XN;
4299 + mem_types[MT_MEMORY_NONCACHED_RW].prot_pte |= PMD_SECT_XN;
4300 + mem_types[MT_MEMORY_DTCM].prot_sect |= PMD_SECT_XN;
4301 + mem_types[MT_MEMORY_DTCM].prot_pte |= L_PTE_XN;
4304 + mem_types[MT_MEMORY_SO].prot_sect |= PMD_SECT_XN;
4305 + mem_types[MT_MEMORY_SO].prot_pte |= L_PTE_XN;
4307 if (cpu_arch >= CPU_ARCH_ARMv7 && (cr & CR_TRE)) {
4309 @@ -468,6 +536,9 @@ static void __init build_mem_type_table(void)
4310 * from SVC mode and no access from userspace.
4312 mem_types[MT_ROM].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
4313 +#ifdef CONFIG_PAX_KERNEXEC
4314 + mem_types[MT_MEMORY_RX].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
4316 mem_types[MT_MINICLEAN].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
4317 mem_types[MT_CACHECLEAN].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
4319 @@ -485,11 +556,17 @@ static void __init build_mem_type_table(void)
4320 mem_types[MT_DEVICE_WC].prot_pte |= L_PTE_SHARED;
4321 mem_types[MT_DEVICE_CACHED].prot_sect |= PMD_SECT_S;
4322 mem_types[MT_DEVICE_CACHED].prot_pte |= L_PTE_SHARED;
4323 - mem_types[MT_MEMORY].prot_sect |= PMD_SECT_S;
4324 - mem_types[MT_MEMORY].prot_pte |= L_PTE_SHARED;
4325 + mem_types[MT_MEMORY_RWX].prot_sect |= PMD_SECT_S;
4326 + mem_types[MT_MEMORY_RWX].prot_pte |= L_PTE_SHARED;
4327 + mem_types[MT_MEMORY_RW].prot_sect |= PMD_SECT_S;
4328 + mem_types[MT_MEMORY_RW].prot_pte |= L_PTE_SHARED;
4329 + mem_types[MT_MEMORY_RX].prot_sect |= PMD_SECT_S;
4330 + mem_types[MT_MEMORY_RX].prot_pte |= L_PTE_SHARED;
4331 mem_types[MT_MEMORY_DMA_READY].prot_pte |= L_PTE_SHARED;
4332 - mem_types[MT_MEMORY_NONCACHED].prot_sect |= PMD_SECT_S;
4333 - mem_types[MT_MEMORY_NONCACHED].prot_pte |= L_PTE_SHARED;
4334 + mem_types[MT_MEMORY_NONCACHED_RW].prot_sect |= PMD_SECT_S;
4335 + mem_types[MT_MEMORY_NONCACHED_RW].prot_pte |= L_PTE_SHARED;
4336 + mem_types[MT_MEMORY_NONCACHED_RX].prot_sect |= PMD_SECT_S;
4337 + mem_types[MT_MEMORY_NONCACHED_RX].prot_pte |= L_PTE_SHARED;
4341 @@ -500,15 +577,20 @@ static void __init build_mem_type_table(void)
4342 if (cpu_arch >= CPU_ARCH_ARMv6) {
4343 if (cpu_arch >= CPU_ARCH_ARMv7 && (cr & CR_TRE)) {
4344 /* Non-cacheable Normal is XCB = 001 */
4345 - mem_types[MT_MEMORY_NONCACHED].prot_sect |=
4346 + mem_types[MT_MEMORY_NONCACHED_RW].prot_sect |=
4347 + PMD_SECT_BUFFERED;
4348 + mem_types[MT_MEMORY_NONCACHED_RX].prot_sect |=
4351 /* For both ARMv6 and non-TEX-remapping ARMv7 */
4352 - mem_types[MT_MEMORY_NONCACHED].prot_sect |=
4353 + mem_types[MT_MEMORY_NONCACHED_RW].prot_sect |=
4355 + mem_types[MT_MEMORY_NONCACHED_RX].prot_sect |=
4359 - mem_types[MT_MEMORY_NONCACHED].prot_sect |= PMD_SECT_BUFFERABLE;
4360 + mem_types[MT_MEMORY_NONCACHED_RW].prot_sect |= PMD_SECT_BUFFERABLE;
4361 + mem_types[MT_MEMORY_NONCACHED_RX].prot_sect |= PMD_SECT_BUFFERABLE;
4364 #ifdef CONFIG_ARM_LPAE
4365 @@ -524,6 +606,8 @@ static void __init build_mem_type_table(void)
4366 vecs_pgprot |= PTE_EXT_AF;
4369 + user_pgprot |= __supported_pte_mask;
4371 for (i = 0; i < 16; i++) {
4372 pteval_t v = pgprot_val(protection_map[i]);
4373 protection_map[i] = __pgprot(v | user_pgprot);
4374 @@ -541,10 +625,15 @@ static void __init build_mem_type_table(void)
4376 mem_types[MT_LOW_VECTORS].prot_l1 |= ecc_mask;
4377 mem_types[MT_HIGH_VECTORS].prot_l1 |= ecc_mask;
4378 - mem_types[MT_MEMORY].prot_sect |= ecc_mask | cp->pmd;
4379 - mem_types[MT_MEMORY].prot_pte |= kern_pgprot;
4380 + mem_types[MT_MEMORY_RWX].prot_sect |= ecc_mask | cp->pmd;
4381 + mem_types[MT_MEMORY_RWX].prot_pte |= kern_pgprot;
4382 + mem_types[MT_MEMORY_RW].prot_sect |= ecc_mask | cp->pmd;
4383 + mem_types[MT_MEMORY_RW].prot_pte |= kern_pgprot;
4384 + mem_types[MT_MEMORY_RX].prot_sect |= ecc_mask | cp->pmd;
4385 + mem_types[MT_MEMORY_RX].prot_pte |= kern_pgprot;
4386 mem_types[MT_MEMORY_DMA_READY].prot_pte |= kern_pgprot;
4387 - mem_types[MT_MEMORY_NONCACHED].prot_sect |= ecc_mask;
4388 + mem_types[MT_MEMORY_NONCACHED_RW].prot_sect |= ecc_mask;
4389 + mem_types[MT_MEMORY_NONCACHED_RX].prot_sect |= ecc_mask;
4390 mem_types[MT_ROM].prot_sect |= cp->pmd;
4393 @@ -1166,18 +1255,15 @@ void __init arm_mm_memblock_reserve(void)
4394 * called function. This means you can't use any function or debugging
4395 * method which may touch any device, otherwise the kernel _will_ crash.
4398 +static char vectors[PAGE_SIZE * 2] __read_only __aligned(PAGE_SIZE);
4400 static void __init devicemaps_init(struct machine_desc *mdesc)
4402 struct map_desc map;
4407 - * Allocate the vector page early.
4409 - vectors = early_alloc(PAGE_SIZE * 2);
4411 - early_trap_init(vectors);
4412 + early_trap_init(&vectors);
4414 for (addr = VMALLOC_START; addr; addr += PMD_SIZE)
4415 pmd_clear(pmd_off_k(addr));
4416 @@ -1217,7 +1303,7 @@ static void __init devicemaps_init(struct machine_desc *mdesc)
4417 * location (0xffff0000). If we aren't using high-vectors, also
4418 * create a mapping at the low-vectors virtual address.
4420 - map.pfn = __phys_to_pfn(virt_to_phys(vectors));
4421 + map.pfn = __phys_to_pfn(virt_to_phys(&vectors));
4422 map.virtual = 0xffff0000;
4423 map.length = PAGE_SIZE;
4424 #ifdef CONFIG_KUSER_HELPERS
4425 @@ -1287,8 +1373,39 @@ static void __init map_lowmem(void)
4426 map.pfn = __phys_to_pfn(start);
4427 map.virtual = __phys_to_virt(start);
4428 map.length = end - start;
4429 - map.type = MT_MEMORY;
4431 +#ifdef CONFIG_PAX_KERNEXEC
4432 + if (map.virtual <= (unsigned long)_stext && ((unsigned long)_end < (map.virtual + map.length))) {
4433 + struct map_desc kernel;
4434 + struct map_desc initmap;
4436 + /* when freeing initmem we will make this RW */
4437 + initmap.pfn = __phys_to_pfn(__pa(__init_begin));
4438 + initmap.virtual = (unsigned long)__init_begin;
4439 + initmap.length = _sdata - __init_begin;
4440 + initmap.type = MT_MEMORY_RWX;
4441 + create_mapping(&initmap);
4443 + /* when freeing initmem we will make this RX */
4444 + kernel.pfn = __phys_to_pfn(__pa(_stext));
4445 + kernel.virtual = (unsigned long)_stext;
4446 + kernel.length = __init_begin - _stext;
4447 + kernel.type = MT_MEMORY_RWX;
4448 + create_mapping(&kernel);
4450 + if (map.virtual < (unsigned long)_stext) {
4451 + map.length = (unsigned long)_stext - map.virtual;
4452 + map.type = MT_MEMORY_RWX;
4453 + create_mapping(&map);
4456 + map.pfn = __phys_to_pfn(__pa(_sdata));
4457 + map.virtual = (unsigned long)_sdata;
4458 + map.length = end - __pa(_sdata);
4462 + map.type = MT_MEMORY_RW;
4463 create_mapping(&map);
4466 diff --git a/arch/arm/plat-omap/sram.c b/arch/arm/plat-omap/sram.c
4467 index a5bc92d..0bb4730 100644
4468 --- a/arch/arm/plat-omap/sram.c
4469 +++ b/arch/arm/plat-omap/sram.c
4470 @@ -93,6 +93,8 @@ void __init omap_map_sram(unsigned long start, unsigned long size,
4471 * Looks like we need to preserve some bootloader code at the
4472 * beginning of SRAM for jumping to flash for reboot to work...
4474 + pax_open_kernel();
4475 memset_io(omap_sram_base + omap_sram_skip, 0,
4476 omap_sram_size - omap_sram_skip);
4477 + pax_close_kernel();
4479 diff --git a/arch/arm/plat-samsung/include/plat/dma-ops.h b/arch/arm/plat-samsung/include/plat/dma-ops.h
4480 index ce6d763..cfea917 100644
4481 --- a/arch/arm/plat-samsung/include/plat/dma-ops.h
4482 +++ b/arch/arm/plat-samsung/include/plat/dma-ops.h
4483 @@ -47,7 +47,7 @@ struct samsung_dma_ops {
4484 int (*started)(unsigned ch);
4485 int (*flush)(unsigned ch);
4486 int (*stop)(unsigned ch);
4490 extern void *samsung_dmadev_get_ops(void);
4491 extern void *s3c_dma_get_ops(void);
4492 diff --git a/arch/arm64/kernel/debug-monitors.c b/arch/arm64/kernel/debug-monitors.c
4493 index f4726dc..39ed646 100644
4494 --- a/arch/arm64/kernel/debug-monitors.c
4495 +++ b/arch/arm64/kernel/debug-monitors.c
4496 @@ -149,7 +149,7 @@ static int __cpuinit os_lock_notify(struct notifier_block *self,
4500 -static struct notifier_block __cpuinitdata os_lock_nb = {
4501 +static struct notifier_block os_lock_nb = {
4502 .notifier_call = os_lock_notify,
4505 diff --git a/arch/arm64/kernel/hw_breakpoint.c b/arch/arm64/kernel/hw_breakpoint.c
4506 index 5ab825c..96aaec8 100644
4507 --- a/arch/arm64/kernel/hw_breakpoint.c
4508 +++ b/arch/arm64/kernel/hw_breakpoint.c
4509 @@ -831,7 +831,7 @@ static int __cpuinit hw_breakpoint_reset_notify(struct notifier_block *self,
4513 -static struct notifier_block __cpuinitdata hw_breakpoint_reset_nb = {
4514 +static struct notifier_block hw_breakpoint_reset_nb = {
4515 .notifier_call = hw_breakpoint_reset_notify,
4518 diff --git a/arch/avr32/include/asm/cache.h b/arch/avr32/include/asm/cache.h
4519 index c3a58a1..78fbf54 100644
4520 --- a/arch/avr32/include/asm/cache.h
4521 +++ b/arch/avr32/include/asm/cache.h
4523 #ifndef __ASM_AVR32_CACHE_H
4524 #define __ASM_AVR32_CACHE_H
4526 +#include <linux/const.h>
4528 #define L1_CACHE_SHIFT 5
4529 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
4530 +#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
4533 * Memory returned by kmalloc() may be used for DMA, so we must make
4534 diff --git a/arch/avr32/include/asm/elf.h b/arch/avr32/include/asm/elf.h
4535 index d232888..87c8df1 100644
4536 --- a/arch/avr32/include/asm/elf.h
4537 +++ b/arch/avr32/include/asm/elf.h
4538 @@ -84,8 +84,14 @@ typedef struct user_fpu_struct elf_fpregset_t;
4539 the loader. We need to make sure that it is out of the way of the program
4540 that it will "exec", and that there is sufficient room for the brk. */
4542 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
4543 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
4545 +#ifdef CONFIG_PAX_ASLR
4546 +#define PAX_ELF_ET_DYN_BASE 0x00001000UL
4548 +#define PAX_DELTA_MMAP_LEN 15
4549 +#define PAX_DELTA_STACK_LEN 15
4552 /* This yields a mask that user programs can use to figure out what
4553 instruction set this CPU supports. This could be done in user space,
4554 diff --git a/arch/avr32/include/asm/kmap_types.h b/arch/avr32/include/asm/kmap_types.h
4555 index 479330b..53717a8 100644
4556 --- a/arch/avr32/include/asm/kmap_types.h
4557 +++ b/arch/avr32/include/asm/kmap_types.h
4559 #define __ASM_AVR32_KMAP_TYPES_H
4561 #ifdef CONFIG_DEBUG_HIGHMEM
4562 -# define KM_TYPE_NR 29
4563 +# define KM_TYPE_NR 30
4565 -# define KM_TYPE_NR 14
4566 +# define KM_TYPE_NR 15
4569 #endif /* __ASM_AVR32_KMAP_TYPES_H */
4570 diff --git a/arch/avr32/mm/fault.c b/arch/avr32/mm/fault.c
4571 index b2f2d2d..d1c85cb 100644
4572 --- a/arch/avr32/mm/fault.c
4573 +++ b/arch/avr32/mm/fault.c
4574 @@ -41,6 +41,23 @@ static inline int notify_page_fault(struct pt_regs *regs, int trap)
4576 int exception_trace = 1;
4578 +#ifdef CONFIG_PAX_PAGEEXEC
4579 +void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
4583 + printk(KERN_ERR "PAX: bytes at PC: ");
4584 + for (i = 0; i < 20; i++) {
4586 + if (get_user(c, (unsigned char *)pc+i))
4587 + printk(KERN_CONT "???????? ");
4589 + printk(KERN_CONT "%02x ", c);
4596 * This routine handles page faults. It determines the address and the
4597 * problem, and then passes it off to one of the appropriate routines.
4598 @@ -174,6 +191,16 @@ bad_area:
4599 up_read(&mm->mmap_sem);
4601 if (user_mode(regs)) {
4603 +#ifdef CONFIG_PAX_PAGEEXEC
4604 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
4605 + if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
4606 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
4607 + do_group_exit(SIGKILL);
4612 if (exception_trace && printk_ratelimit())
4613 printk("%s%s[%d]: segfault at %08lx pc %08lx "
4614 "sp %08lx ecr %lu\n",
4615 diff --git a/arch/blackfin/include/asm/cache.h b/arch/blackfin/include/asm/cache.h
4616 index 568885a..f8008df 100644
4617 --- a/arch/blackfin/include/asm/cache.h
4618 +++ b/arch/blackfin/include/asm/cache.h
4620 #ifndef __ARCH_BLACKFIN_CACHE_H
4621 #define __ARCH_BLACKFIN_CACHE_H
4623 +#include <linux/const.h>
4624 #include <linux/linkage.h> /* for asmlinkage */
4628 * Blackfin loads 32 bytes for cache
4630 #define L1_CACHE_SHIFT 5
4631 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
4632 +#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
4633 #define SMP_CACHE_BYTES L1_CACHE_BYTES
4635 #define ARCH_DMA_MINALIGN L1_CACHE_BYTES
4636 diff --git a/arch/cris/include/arch-v10/arch/cache.h b/arch/cris/include/arch-v10/arch/cache.h
4637 index aea2718..3639a60 100644
4638 --- a/arch/cris/include/arch-v10/arch/cache.h
4639 +++ b/arch/cris/include/arch-v10/arch/cache.h
4641 #ifndef _ASM_ARCH_CACHE_H
4642 #define _ASM_ARCH_CACHE_H
4644 +#include <linux/const.h>
4645 /* Etrax 100LX have 32-byte cache-lines. */
4646 -#define L1_CACHE_BYTES 32
4647 #define L1_CACHE_SHIFT 5
4648 +#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
4650 #endif /* _ASM_ARCH_CACHE_H */
4651 diff --git a/arch/cris/include/arch-v32/arch/cache.h b/arch/cris/include/arch-v32/arch/cache.h
4652 index 7caf25d..ee65ac5 100644
4653 --- a/arch/cris/include/arch-v32/arch/cache.h
4654 +++ b/arch/cris/include/arch-v32/arch/cache.h
4656 #ifndef _ASM_CRIS_ARCH_CACHE_H
4657 #define _ASM_CRIS_ARCH_CACHE_H
4659 +#include <linux/const.h>
4660 #include <arch/hwregs/dma.h>
4662 /* A cache-line is 32 bytes. */
4663 -#define L1_CACHE_BYTES 32
4664 #define L1_CACHE_SHIFT 5
4665 +#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
4667 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
4669 diff --git a/arch/frv/include/asm/atomic.h b/arch/frv/include/asm/atomic.h
4670 index b86329d..6709906 100644
4671 --- a/arch/frv/include/asm/atomic.h
4672 +++ b/arch/frv/include/asm/atomic.h
4673 @@ -186,6 +186,16 @@ static inline void atomic64_dec(atomic64_t *v)
4674 #define atomic64_cmpxchg(v, old, new) (__cmpxchg_64(old, new, &(v)->counter))
4675 #define atomic64_xchg(v, new) (__xchg_64(new, &(v)->counter))
4677 +#define atomic64_read_unchecked(v) atomic64_read(v)
4678 +#define atomic64_set_unchecked(v, i) atomic64_set((v), (i))
4679 +#define atomic64_add_unchecked(a, v) atomic64_add((a), (v))
4680 +#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v))
4681 +#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v))
4682 +#define atomic64_inc_unchecked(v) atomic64_inc(v)
4683 +#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v)
4684 +#define atomic64_dec_unchecked(v) atomic64_dec(v)
4685 +#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n))
4687 static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
4690 diff --git a/arch/frv/include/asm/cache.h b/arch/frv/include/asm/cache.h
4691 index 2797163..c2a401d 100644
4692 --- a/arch/frv/include/asm/cache.h
4693 +++ b/arch/frv/include/asm/cache.h
4695 #ifndef __ASM_CACHE_H
4696 #define __ASM_CACHE_H
4698 +#include <linux/const.h>
4700 /* bytes per L1 cache line */
4701 #define L1_CACHE_SHIFT (CONFIG_FRV_L1_CACHE_SHIFT)
4702 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
4703 +#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
4705 #define __cacheline_aligned __attribute__((aligned(L1_CACHE_BYTES)))
4706 #define ____cacheline_aligned __attribute__((aligned(L1_CACHE_BYTES)))
4707 diff --git a/arch/frv/include/asm/kmap_types.h b/arch/frv/include/asm/kmap_types.h
4708 index 43901f2..0d8b865 100644
4709 --- a/arch/frv/include/asm/kmap_types.h
4710 +++ b/arch/frv/include/asm/kmap_types.h
4712 #ifndef _ASM_KMAP_TYPES_H
4713 #define _ASM_KMAP_TYPES_H
4715 -#define KM_TYPE_NR 17
4716 +#define KM_TYPE_NR 18
4719 diff --git a/arch/frv/mm/elf-fdpic.c b/arch/frv/mm/elf-fdpic.c
4720 index 836f147..4cf23f5 100644
4721 --- a/arch/frv/mm/elf-fdpic.c
4722 +++ b/arch/frv/mm/elf-fdpic.c
4723 @@ -61,6 +61,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
4725 struct vm_area_struct *vma;
4726 struct vm_unmapped_area_info info;
4727 + unsigned long offset = gr_rand_threadstack_offset(current->mm, filp, flags);
4729 if (len > TASK_SIZE)
4731 @@ -73,8 +74,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
4733 addr = PAGE_ALIGN(addr);
4734 vma = find_vma(current->mm, addr);
4735 - if (TASK_SIZE - len >= addr &&
4736 - (!vma || addr + len <= vma->vm_start))
4737 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
4741 @@ -85,6 +85,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
4742 info.high_limit = (current->mm->start_stack - 0x00200000);
4743 info.align_mask = 0;
4744 info.align_offset = 0;
4745 + info.threadstack_offset = offset;
4746 addr = vm_unmapped_area(&info);
4747 if (!(addr & ~PAGE_MASK))
4749 diff --git a/arch/hexagon/include/asm/cache.h b/arch/hexagon/include/asm/cache.h
4750 index f4ca594..adc72fd6 100644
4751 --- a/arch/hexagon/include/asm/cache.h
4752 +++ b/arch/hexagon/include/asm/cache.h
4754 #ifndef __ASM_CACHE_H
4755 #define __ASM_CACHE_H
4757 +#include <linux/const.h>
4759 /* Bytes per L1 cache line */
4760 -#define L1_CACHE_SHIFT (5)
4761 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
4762 +#define L1_CACHE_SHIFT 5
4763 +#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
4765 #define __cacheline_aligned __aligned(L1_CACHE_BYTES)
4766 #define ____cacheline_aligned __aligned(L1_CACHE_BYTES)
4767 diff --git a/arch/ia64/include/asm/atomic.h b/arch/ia64/include/asm/atomic.h
4768 index 6e6fe18..a6ae668 100644
4769 --- a/arch/ia64/include/asm/atomic.h
4770 +++ b/arch/ia64/include/asm/atomic.h
4771 @@ -208,6 +208,16 @@ atomic64_add_negative (__s64 i, atomic64_t *v)
4772 #define atomic64_inc(v) atomic64_add(1, (v))
4773 #define atomic64_dec(v) atomic64_sub(1, (v))
4775 +#define atomic64_read_unchecked(v) atomic64_read(v)
4776 +#define atomic64_set_unchecked(v, i) atomic64_set((v), (i))
4777 +#define atomic64_add_unchecked(a, v) atomic64_add((a), (v))
4778 +#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v))
4779 +#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v))
4780 +#define atomic64_inc_unchecked(v) atomic64_inc(v)
4781 +#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v)
4782 +#define atomic64_dec_unchecked(v) atomic64_dec(v)
4783 +#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n))
4785 /* Atomic operations are already serializing */
4786 #define smp_mb__before_atomic_dec() barrier()
4787 #define smp_mb__after_atomic_dec() barrier()
4788 diff --git a/arch/ia64/include/asm/cache.h b/arch/ia64/include/asm/cache.h
4789 index 988254a..e1ee885 100644
4790 --- a/arch/ia64/include/asm/cache.h
4791 +++ b/arch/ia64/include/asm/cache.h
4793 #ifndef _ASM_IA64_CACHE_H
4794 #define _ASM_IA64_CACHE_H
4796 +#include <linux/const.h>
4799 * Copyright (C) 1998-2000 Hewlett-Packard Co
4802 /* Bytes per L1 (data) cache line. */
4803 #define L1_CACHE_SHIFT CONFIG_IA64_L1_CACHE_SHIFT
4804 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
4805 +#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
4808 # define SMP_CACHE_SHIFT L1_CACHE_SHIFT
4809 diff --git a/arch/ia64/include/asm/elf.h b/arch/ia64/include/asm/elf.h
4810 index 5a83c5c..4d7f553 100644
4811 --- a/arch/ia64/include/asm/elf.h
4812 +++ b/arch/ia64/include/asm/elf.h
4815 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x800000000UL)
4817 +#ifdef CONFIG_PAX_ASLR
4818 +#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
4820 +#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
4821 +#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
4824 #define PT_IA_64_UNWIND 0x70000001
4826 /* IA-64 relocations: */
4827 diff --git a/arch/ia64/include/asm/pgalloc.h b/arch/ia64/include/asm/pgalloc.h
4828 index 96a8d92..617a1cf 100644
4829 --- a/arch/ia64/include/asm/pgalloc.h
4830 +++ b/arch/ia64/include/asm/pgalloc.h
4831 @@ -39,6 +39,12 @@ pgd_populate(struct mm_struct *mm, pgd_t * pgd_entry, pud_t * pud)
4832 pgd_val(*pgd_entry) = __pa(pud);
4836 +pgd_populate_kernel(struct mm_struct *mm, pgd_t * pgd_entry, pud_t * pud)
4838 + pgd_populate(mm, pgd_entry, pud);
4841 static inline pud_t *pud_alloc_one(struct mm_struct *mm, unsigned long addr)
4843 return quicklist_alloc(0, GFP_KERNEL, NULL);
4844 @@ -57,6 +63,12 @@ pud_populate(struct mm_struct *mm, pud_t * pud_entry, pmd_t * pmd)
4845 pud_val(*pud_entry) = __pa(pmd);
4849 +pud_populate_kernel(struct mm_struct *mm, pud_t * pud_entry, pmd_t * pmd)
4851 + pud_populate(mm, pud_entry, pmd);
4854 static inline pmd_t *pmd_alloc_one(struct mm_struct *mm, unsigned long addr)
4856 return quicklist_alloc(0, GFP_KERNEL, NULL);
4857 diff --git a/arch/ia64/include/asm/pgtable.h b/arch/ia64/include/asm/pgtable.h
4858 index 815810c..d60bd4c 100644
4859 --- a/arch/ia64/include/asm/pgtable.h
4860 +++ b/arch/ia64/include/asm/pgtable.h
4862 * David Mosberger-Tang <davidm@hpl.hp.com>
4866 +#include <linux/const.h>
4867 #include <asm/mman.h>
4868 #include <asm/page.h>
4869 #include <asm/processor.h>
4870 @@ -142,6 +142,17 @@
4871 #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
4872 #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
4873 #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
4875 +#ifdef CONFIG_PAX_PAGEEXEC
4876 +# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
4877 +# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
4878 +# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
4880 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
4881 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
4882 +# define PAGE_COPY_NOEXEC PAGE_COPY
4885 #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
4886 #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
4887 #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
4888 diff --git a/arch/ia64/include/asm/spinlock.h b/arch/ia64/include/asm/spinlock.h
4889 index 54ff557..70c88b7 100644
4890 --- a/arch/ia64/include/asm/spinlock.h
4891 +++ b/arch/ia64/include/asm/spinlock.h
4892 @@ -71,7 +71,7 @@ static __always_inline void __ticket_spin_unlock(arch_spinlock_t *lock)
4893 unsigned short *p = (unsigned short *)&lock->lock + 1, tmp;
4895 asm volatile ("ld2.bias %0=[%1]" : "=r"(tmp) : "r"(p));
4896 - ACCESS_ONCE(*p) = (tmp + 2) & ~1;
4897 + ACCESS_ONCE_RW(*p) = (tmp + 2) & ~1;
4900 static __always_inline void __ticket_spin_unlock_wait(arch_spinlock_t *lock)
4901 diff --git a/arch/ia64/include/asm/uaccess.h b/arch/ia64/include/asm/uaccess.h
4902 index 449c8c0..18965fb 100644
4903 --- a/arch/ia64/include/asm/uaccess.h
4904 +++ b/arch/ia64/include/asm/uaccess.h
4905 @@ -240,12 +240,24 @@ extern unsigned long __must_check __copy_user (void __user *to, const void __use
4906 static inline unsigned long
4907 __copy_to_user (void __user *to, const void *from, unsigned long count)
4909 + if (count > INT_MAX)
4912 + if (!__builtin_constant_p(count))
4913 + check_object_size(from, count, true);
4915 return __copy_user(to, (__force void __user *) from, count);
4918 static inline unsigned long
4919 __copy_from_user (void *to, const void __user *from, unsigned long count)
4921 + if (count > INT_MAX)
4924 + if (!__builtin_constant_p(count))
4925 + check_object_size(to, count, false);
4927 return __copy_user((__force void __user *) to, from, count);
4930 @@ -255,10 +267,13 @@ __copy_from_user (void *to, const void __user *from, unsigned long count)
4932 void __user *__cu_to = (to); \
4933 const void *__cu_from = (from); \
4934 - long __cu_len = (n); \
4935 + unsigned long __cu_len = (n); \
4937 - if (__access_ok(__cu_to, __cu_len, get_fs())) \
4938 + if (__cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) { \
4939 + if (!__builtin_constant_p(n)) \
4940 + check_object_size(__cu_from, __cu_len, true); \
4941 __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len); \
4946 @@ -266,11 +281,14 @@ __copy_from_user (void *to, const void __user *from, unsigned long count)
4948 void *__cu_to = (to); \
4949 const void __user *__cu_from = (from); \
4950 - long __cu_len = (n); \
4951 + unsigned long __cu_len = (n); \
4953 __chk_user_ptr(__cu_from); \
4954 - if (__access_ok(__cu_from, __cu_len, get_fs())) \
4955 + if (__cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) { \
4956 + if (!__builtin_constant_p(n)) \
4957 + check_object_size(__cu_to, __cu_len, false); \
4958 __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
4963 diff --git a/arch/ia64/kernel/err_inject.c b/arch/ia64/kernel/err_inject.c
4964 index 2d67317..07d8bfa 100644
4965 --- a/arch/ia64/kernel/err_inject.c
4966 +++ b/arch/ia64/kernel/err_inject.c
4967 @@ -256,7 +256,7 @@ static int __cpuinit err_inject_cpu_callback(struct notifier_block *nfb,
4971 -static struct notifier_block __cpuinitdata err_inject_cpu_notifier =
4972 +static struct notifier_block err_inject_cpu_notifier =
4974 .notifier_call = err_inject_cpu_callback,
4976 diff --git a/arch/ia64/kernel/mca.c b/arch/ia64/kernel/mca.c
4977 index d7396db..b33e873 100644
4978 --- a/arch/ia64/kernel/mca.c
4979 +++ b/arch/ia64/kernel/mca.c
4980 @@ -1922,7 +1922,7 @@ static int __cpuinit mca_cpu_callback(struct notifier_block *nfb,
4984 -static struct notifier_block mca_cpu_notifier __cpuinitdata = {
4985 +static struct notifier_block mca_cpu_notifier = {
4986 .notifier_call = mca_cpu_callback
4989 diff --git a/arch/ia64/kernel/module.c b/arch/ia64/kernel/module.c
4990 index 24603be..948052d 100644
4991 --- a/arch/ia64/kernel/module.c
4992 +++ b/arch/ia64/kernel/module.c
4993 @@ -307,8 +307,7 @@ plt_target (struct plt_entry *plt)
4995 module_free (struct module *mod, void *module_region)
4997 - if (mod && mod->arch.init_unw_table &&
4998 - module_region == mod->module_init) {
4999 + if (mod && mod->arch.init_unw_table && module_region == mod->module_init_rx) {
5000 unw_remove_unwind_table(mod->arch.init_unw_table);
5001 mod->arch.init_unw_table = NULL;
5003 @@ -494,15 +493,39 @@ module_frob_arch_sections (Elf_Ehdr *ehdr, Elf_Shdr *sechdrs, char *secstrings,
5007 +in_init_rx (const struct module *mod, uint64_t addr)
5009 + return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
5013 +in_init_rw (const struct module *mod, uint64_t addr)
5015 + return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
5019 in_init (const struct module *mod, uint64_t addr)
5021 - return addr - (uint64_t) mod->module_init < mod->init_size;
5022 + return in_init_rx(mod, addr) || in_init_rw(mod, addr);
5026 +in_core_rx (const struct module *mod, uint64_t addr)
5028 + return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
5032 +in_core_rw (const struct module *mod, uint64_t addr)
5034 + return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
5038 in_core (const struct module *mod, uint64_t addr)
5040 - return addr - (uint64_t) mod->module_core < mod->core_size;
5041 + return in_core_rx(mod, addr) || in_core_rw(mod, addr);
5045 @@ -685,7 +708,14 @@ do_reloc (struct module *mod, uint8_t r_type, Elf64_Sym *sym, uint64_t addend,
5049 - val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
5050 + if (in_init_rx(mod, val))
5051 + val -= (uint64_t) mod->module_init_rx;
5052 + else if (in_init_rw(mod, val))
5053 + val -= (uint64_t) mod->module_init_rw;
5054 + else if (in_core_rx(mod, val))
5055 + val -= (uint64_t) mod->module_core_rx;
5056 + else if (in_core_rw(mod, val))
5057 + val -= (uint64_t) mod->module_core_rw;
5061 @@ -820,15 +850,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs, const char *strtab, unsigned int symind
5062 * addresses have been selected...
5065 - if (mod->core_size > MAX_LTOFF)
5066 + if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
5068 * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
5069 * at the end of the module.
5071 - gp = mod->core_size - MAX_LTOFF / 2;
5072 + gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
5074 - gp = mod->core_size / 2;
5075 - gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
5076 + gp = (mod->core_size_rx + mod->core_size_rw) / 2;
5077 + gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
5079 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
5081 diff --git a/arch/ia64/kernel/palinfo.c b/arch/ia64/kernel/palinfo.c
5082 index 2b3c2d7..a318d84 100644
5083 --- a/arch/ia64/kernel/palinfo.c
5084 +++ b/arch/ia64/kernel/palinfo.c
5085 @@ -980,7 +980,7 @@ static int __cpuinit palinfo_cpu_callback(struct notifier_block *nfb,
5089 -static struct notifier_block __refdata palinfo_cpu_notifier =
5090 +static struct notifier_block palinfo_cpu_notifier =
5092 .notifier_call = palinfo_cpu_callback,
5094 diff --git a/arch/ia64/kernel/salinfo.c b/arch/ia64/kernel/salinfo.c
5095 index 4bc580a..7767f24 100644
5096 --- a/arch/ia64/kernel/salinfo.c
5097 +++ b/arch/ia64/kernel/salinfo.c
5098 @@ -609,7 +609,7 @@ salinfo_cpu_callback(struct notifier_block *nb, unsigned long action, void *hcpu
5102 -static struct notifier_block salinfo_cpu_notifier __cpuinitdata =
5103 +static struct notifier_block salinfo_cpu_notifier =
5105 .notifier_call = salinfo_cpu_callback,
5107 diff --git a/arch/ia64/kernel/sys_ia64.c b/arch/ia64/kernel/sys_ia64.c
5108 index 41e33f8..65180b2 100644
5109 --- a/arch/ia64/kernel/sys_ia64.c
5110 +++ b/arch/ia64/kernel/sys_ia64.c
5111 @@ -28,6 +28,7 @@ arch_get_unmapped_area (struct file *filp, unsigned long addr, unsigned long len
5112 unsigned long align_mask = 0;
5113 struct mm_struct *mm = current->mm;
5114 struct vm_unmapped_area_info info;
5115 + unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
5117 if (len > RGN_MAP_LIMIT)
5119 @@ -43,6 +44,13 @@ arch_get_unmapped_area (struct file *filp, unsigned long addr, unsigned long len
5120 if (REGION_NUMBER(addr) == RGN_HPAGE)
5124 +#ifdef CONFIG_PAX_RANDMMAP
5125 + if (mm->pax_flags & MF_PAX_RANDMMAP)
5126 + addr = mm->free_area_cache;
5131 addr = TASK_UNMAPPED_BASE;
5133 @@ -61,6 +69,7 @@ arch_get_unmapped_area (struct file *filp, unsigned long addr, unsigned long len
5134 info.high_limit = TASK_SIZE;
5135 info.align_mask = align_mask;
5136 info.align_offset = 0;
5137 + info.threadstack_offset = offset;
5138 return vm_unmapped_area(&info);
5141 diff --git a/arch/ia64/kernel/topology.c b/arch/ia64/kernel/topology.c
5142 index dc00b2c..cce53c2 100644
5143 --- a/arch/ia64/kernel/topology.c
5144 +++ b/arch/ia64/kernel/topology.c
5145 @@ -445,7 +445,7 @@ static int __cpuinit cache_cpu_callback(struct notifier_block *nfb,
5149 -static struct notifier_block __cpuinitdata cache_cpu_notifier =
5150 +static struct notifier_block cache_cpu_notifier =
5152 .notifier_call = cache_cpu_callback
5154 diff --git a/arch/ia64/kernel/vmlinux.lds.S b/arch/ia64/kernel/vmlinux.lds.S
5155 index 0ccb28f..8992469 100644
5156 --- a/arch/ia64/kernel/vmlinux.lds.S
5157 +++ b/arch/ia64/kernel/vmlinux.lds.S
5158 @@ -198,7 +198,7 @@ SECTIONS {
5160 . = ALIGN(PERCPU_PAGE_SIZE);
5161 PERCPU_VADDR(SMP_CACHE_BYTES, PERCPU_ADDR, :percpu)
5162 - __phys_per_cpu_start = __per_cpu_load;
5163 + __phys_per_cpu_start = per_cpu_load;
5165 * ensure percpu data fits
5166 * into percpu page size
5167 diff --git a/arch/ia64/mm/fault.c b/arch/ia64/mm/fault.c
5168 index 6cf0341..d352594 100644
5169 --- a/arch/ia64/mm/fault.c
5170 +++ b/arch/ia64/mm/fault.c
5171 @@ -72,6 +72,23 @@ mapped_kernel_page_is_present (unsigned long address)
5172 return pte_present(pte);
5175 +#ifdef CONFIG_PAX_PAGEEXEC
5176 +void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
5180 + printk(KERN_ERR "PAX: bytes at PC: ");
5181 + for (i = 0; i < 8; i++) {
5183 + if (get_user(c, (unsigned int *)pc+i))
5184 + printk(KERN_CONT "???????? ");
5186 + printk(KERN_CONT "%08x ", c);
5192 # define VM_READ_BIT 0
5193 # define VM_WRITE_BIT 1
5194 # define VM_EXEC_BIT 2
5195 @@ -149,8 +166,21 @@ retry:
5196 if (((isr >> IA64_ISR_R_BIT) & 1UL) && (!(vma->vm_flags & (VM_READ | VM_WRITE))))
5199 - if ((vma->vm_flags & mask) != mask)
5200 + if ((vma->vm_flags & mask) != mask) {
5202 +#ifdef CONFIG_PAX_PAGEEXEC
5203 + if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
5204 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
5207 + up_read(&mm->mmap_sem);
5208 + pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
5209 + do_group_exit(SIGKILL);
5217 * If for any reason at all we couldn't handle the fault, make
5218 diff --git a/arch/ia64/mm/hugetlbpage.c b/arch/ia64/mm/hugetlbpage.c
5219 index 76069c1..c2aa816 100644
5220 --- a/arch/ia64/mm/hugetlbpage.c
5221 +++ b/arch/ia64/mm/hugetlbpage.c
5222 @@ -149,6 +149,7 @@ unsigned long hugetlb_get_unmapped_area(struct file *file, unsigned long addr, u
5223 unsigned long pgoff, unsigned long flags)
5225 struct vm_unmapped_area_info info;
5226 + unsigned long offset = gr_rand_threadstack_offset(current->mm, file, flags);
5228 if (len > RGN_MAP_LIMIT)
5230 @@ -172,6 +173,7 @@ unsigned long hugetlb_get_unmapped_area(struct file *file, unsigned long addr, u
5231 info.high_limit = HPAGE_REGION_BASE + RGN_MAP_LIMIT;
5232 info.align_mask = PAGE_MASK & (HPAGE_SIZE - 1);
5233 info.align_offset = 0;
5234 + info.threadstack_offset = offset;
5235 return vm_unmapped_area(&info);
5238 diff --git a/arch/ia64/mm/init.c b/arch/ia64/mm/init.c
5239 index d1fe4b4..2628f37 100644
5240 --- a/arch/ia64/mm/init.c
5241 +++ b/arch/ia64/mm/init.c
5242 @@ -120,6 +120,19 @@ ia64_init_addr_space (void)
5243 vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
5244 vma->vm_end = vma->vm_start + PAGE_SIZE;
5245 vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
5247 +#ifdef CONFIG_PAX_PAGEEXEC
5248 + if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
5249 + vma->vm_flags &= ~VM_EXEC;
5251 +#ifdef CONFIG_PAX_MPROTECT
5252 + if (current->mm->pax_flags & MF_PAX_MPROTECT)
5253 + vma->vm_flags &= ~VM_MAYEXEC;
5259 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
5260 down_write(¤t->mm->mmap_sem);
5261 if (insert_vm_struct(current->mm, vma)) {
5262 diff --git a/arch/m32r/include/asm/cache.h b/arch/m32r/include/asm/cache.h
5263 index 40b3ee9..8c2c112 100644
5264 --- a/arch/m32r/include/asm/cache.h
5265 +++ b/arch/m32r/include/asm/cache.h
5267 #ifndef _ASM_M32R_CACHE_H
5268 #define _ASM_M32R_CACHE_H
5270 +#include <linux/const.h>
5272 /* L1 cache line size */
5273 #define L1_CACHE_SHIFT 4
5274 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
5275 +#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
5277 #endif /* _ASM_M32R_CACHE_H */
5278 diff --git a/arch/m32r/lib/usercopy.c b/arch/m32r/lib/usercopy.c
5279 index 82abd15..d95ae5d 100644
5280 --- a/arch/m32r/lib/usercopy.c
5281 +++ b/arch/m32r/lib/usercopy.c
5284 __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
5290 if (access_ok(VERIFY_WRITE, to, n))
5291 __copy_user(to,from,n);
5292 @@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
5294 __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
5300 if (access_ok(VERIFY_READ, from, n))
5301 __copy_user_zeroing(to,from,n);
5302 diff --git a/arch/m68k/include/asm/cache.h b/arch/m68k/include/asm/cache.h
5303 index 0395c51..5f26031 100644
5304 --- a/arch/m68k/include/asm/cache.h
5305 +++ b/arch/m68k/include/asm/cache.h
5307 #ifndef __ARCH_M68K_CACHE_H
5308 #define __ARCH_M68K_CACHE_H
5310 +#include <linux/const.h>
5312 /* bytes per L1 cache line */
5313 #define L1_CACHE_SHIFT 4
5314 -#define L1_CACHE_BYTES (1<< L1_CACHE_SHIFT)
5315 +#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
5317 #define ARCH_DMA_MINALIGN L1_CACHE_BYTES
5319 diff --git a/arch/metag/mm/hugetlbpage.c b/arch/metag/mm/hugetlbpage.c
5320 index 3c52fa6..11b2ad8 100644
5321 --- a/arch/metag/mm/hugetlbpage.c
5322 +++ b/arch/metag/mm/hugetlbpage.c
5323 @@ -200,6 +200,7 @@ hugetlb_get_unmapped_area_new_pmd(unsigned long len)
5324 info.high_limit = TASK_SIZE;
5325 info.align_mask = PAGE_MASK & HUGEPT_MASK;
5326 info.align_offset = 0;
5327 + info.threadstack_offset = 0;
5328 return vm_unmapped_area(&info);
5331 diff --git a/arch/microblaze/include/asm/cache.h b/arch/microblaze/include/asm/cache.h
5332 index 4efe96a..60e8699 100644
5333 --- a/arch/microblaze/include/asm/cache.h
5334 +++ b/arch/microblaze/include/asm/cache.h
5336 #ifndef _ASM_MICROBLAZE_CACHE_H
5337 #define _ASM_MICROBLAZE_CACHE_H
5339 +#include <linux/const.h>
5340 #include <asm/registers.h>
5342 #define L1_CACHE_SHIFT 5
5343 /* word-granular cache in microblaze */
5344 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
5345 +#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
5347 #define SMP_CACHE_BYTES L1_CACHE_BYTES
5349 diff --git a/arch/mips/include/asm/atomic.h b/arch/mips/include/asm/atomic.h
5350 index 08b6079..eb272cf 100644
5351 --- a/arch/mips/include/asm/atomic.h
5352 +++ b/arch/mips/include/asm/atomic.h
5354 #include <asm/cmpxchg.h>
5355 #include <asm/war.h>
5357 +#ifdef CONFIG_GENERIC_ATOMIC64
5358 +#include <asm-generic/atomic64.h>
5361 #define ATOMIC_INIT(i) { (i) }
5364 @@ -759,6 +763,16 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u)
5366 #define atomic64_add_negative(i, v) (atomic64_add_return(i, (v)) < 0)
5368 +#define atomic64_read_unchecked(v) atomic64_read(v)
5369 +#define atomic64_set_unchecked(v, i) atomic64_set((v), (i))
5370 +#define atomic64_add_unchecked(a, v) atomic64_add((a), (v))
5371 +#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v))
5372 +#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v))
5373 +#define atomic64_inc_unchecked(v) atomic64_inc(v)
5374 +#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v)
5375 +#define atomic64_dec_unchecked(v) atomic64_dec(v)
5376 +#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n))
5378 #endif /* CONFIG_64BIT */
5381 diff --git a/arch/mips/include/asm/cache.h b/arch/mips/include/asm/cache.h
5382 index b4db69f..8f3b093 100644
5383 --- a/arch/mips/include/asm/cache.h
5384 +++ b/arch/mips/include/asm/cache.h
5386 #ifndef _ASM_CACHE_H
5387 #define _ASM_CACHE_H
5389 +#include <linux/const.h>
5390 #include <kmalloc.h>
5392 #define L1_CACHE_SHIFT CONFIG_MIPS_L1_CACHE_SHIFT
5393 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
5394 +#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
5396 #define SMP_CACHE_SHIFT L1_CACHE_SHIFT
5397 #define SMP_CACHE_BYTES L1_CACHE_BYTES
5398 diff --git a/arch/mips/include/asm/elf.h b/arch/mips/include/asm/elf.h
5399 index cf3ae24..238d22f 100644
5400 --- a/arch/mips/include/asm/elf.h
5401 +++ b/arch/mips/include/asm/elf.h
5402 @@ -372,13 +372,16 @@ extern const char *__elf_platform;
5403 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
5406 +#ifdef CONFIG_PAX_ASLR
5407 +#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
5409 +#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
5410 +#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
5413 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
5414 struct linux_binprm;
5415 extern int arch_setup_additional_pages(struct linux_binprm *bprm,
5419 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
5420 -#define arch_randomize_brk arch_randomize_brk
5422 #endif /* _ASM_ELF_H */
5423 diff --git a/arch/mips/include/asm/exec.h b/arch/mips/include/asm/exec.h
5424 index c1f6afa..38cc6e9 100644
5425 --- a/arch/mips/include/asm/exec.h
5426 +++ b/arch/mips/include/asm/exec.h
5431 -extern unsigned long arch_align_stack(unsigned long sp);
5432 +#define arch_align_stack(x) ((x) & ~0xfUL)
5434 #endif /* _ASM_EXEC_H */
5435 diff --git a/arch/mips/include/asm/local.h b/arch/mips/include/asm/local.h
5436 index d44622c..64990d2 100644
5437 --- a/arch/mips/include/asm/local.h
5438 +++ b/arch/mips/include/asm/local.h
5439 @@ -12,15 +12,25 @@ typedef struct
5444 + atomic_long_unchecked_t a;
5445 +} local_unchecked_t;
5447 #define LOCAL_INIT(i) { ATOMIC_LONG_INIT(i) }
5449 #define local_read(l) atomic_long_read(&(l)->a)
5450 +#define local_read_unchecked(l) atomic_long_read_unchecked(&(l)->a)
5451 #define local_set(l, i) atomic_long_set(&(l)->a, (i))
5452 +#define local_set_unchecked(l, i) atomic_long_set_unchecked(&(l)->a, (i))
5454 #define local_add(i, l) atomic_long_add((i), (&(l)->a))
5455 +#define local_add_unchecked(i, l) atomic_long_add_unchecked((i), (&(l)->a))
5456 #define local_sub(i, l) atomic_long_sub((i), (&(l)->a))
5457 +#define local_sub_unchecked(i, l) atomic_long_sub_unchecked((i), (&(l)->a))
5458 #define local_inc(l) atomic_long_inc(&(l)->a)
5459 +#define local_inc_unchecked(l) atomic_long_inc_unchecked(&(l)->a)
5460 #define local_dec(l) atomic_long_dec(&(l)->a)
5461 +#define local_dec_unchecked(l) atomic_long_dec_unchecked(&(l)->a)
5464 * Same as above, but return the result value
5465 @@ -70,6 +80,51 @@ static __inline__ long local_add_return(long i, local_t * l)
5469 +static __inline__ long local_add_return_unchecked(long i, local_unchecked_t * l)
5471 + unsigned long result;
5473 + if (kernel_uses_llsc && R10000_LLSC_WAR) {
5474 + unsigned long temp;
5476 + __asm__ __volatile__(
5478 + "1:" __LL "%1, %2 # local_add_return \n"
5479 + " addu %0, %1, %3 \n"
5481 + " beqzl %0, 1b \n"
5482 + " addu %0, %1, %3 \n"
5484 + : "=&r" (result), "=&r" (temp), "=m" (l->a.counter)
5485 + : "Ir" (i), "m" (l->a.counter)
5487 + } else if (kernel_uses_llsc) {
5488 + unsigned long temp;
5490 + __asm__ __volatile__(
5492 + "1:" __LL "%1, %2 # local_add_return \n"
5493 + " addu %0, %1, %3 \n"
5496 + " addu %0, %1, %3 \n"
5498 + : "=&r" (result), "=&r" (temp), "=m" (l->a.counter)
5499 + : "Ir" (i), "m" (l->a.counter)
5502 + unsigned long flags;
5504 + local_irq_save(flags);
5505 + result = l->a.counter;
5507 + l->a.counter = result;
5508 + local_irq_restore(flags);
5514 static __inline__ long local_sub_return(long i, local_t * l)
5516 unsigned long result;
5517 @@ -117,6 +172,8 @@ static __inline__ long local_sub_return(long i, local_t * l)
5519 #define local_cmpxchg(l, o, n) \
5520 ((long)cmpxchg_local(&((l)->a.counter), (o), (n)))
5521 +#define local_cmpxchg_unchecked(l, o, n) \
5522 + ((long)cmpxchg_local(&((l)->a.counter), (o), (n)))
5523 #define local_xchg(l, n) (atomic_long_xchg((&(l)->a), (n)))
5526 diff --git a/arch/mips/include/asm/page.h b/arch/mips/include/asm/page.h
5527 index f59552f..3abe9b9 100644
5528 --- a/arch/mips/include/asm/page.h
5529 +++ b/arch/mips/include/asm/page.h
5530 @@ -95,7 +95,7 @@ extern void copy_user_highpage(struct page *to, struct page *from,
5531 #ifdef CONFIG_CPU_MIPS32
5532 typedef struct { unsigned long pte_low, pte_high; } pte_t;
5533 #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
5534 - #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
5535 + #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
5537 typedef struct { unsigned long long pte; } pte_t;
5538 #define pte_val(x) ((x).pte)
5539 diff --git a/arch/mips/include/asm/pgalloc.h b/arch/mips/include/asm/pgalloc.h
5540 index 881d18b..cea38bc 100644
5541 --- a/arch/mips/include/asm/pgalloc.h
5542 +++ b/arch/mips/include/asm/pgalloc.h
5543 @@ -37,6 +37,11 @@ static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
5545 set_pud(pud, __pud((unsigned long)pmd));
5548 +static inline void pud_populate_kernel(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
5550 + pud_populate(mm, pud, pmd);
5555 diff --git a/arch/mips/include/asm/thread_info.h b/arch/mips/include/asm/thread_info.h
5556 index 895320e..bf63e10 100644
5557 --- a/arch/mips/include/asm/thread_info.h
5558 +++ b/arch/mips/include/asm/thread_info.h
5559 @@ -115,6 +115,8 @@ static inline struct thread_info *current_thread_info(void)
5560 #define TIF_32BIT_ADDR 23 /* 32-bit address space (o32/n32) */
5561 #define TIF_FPUBOUND 24 /* thread bound to FPU-full CPU set */
5562 #define TIF_LOAD_WATCH 25 /* If set, load watch registers */
5563 +/* li takes a 32bit immediate */
5564 +#define TIF_GRSEC_SETXID 29 /* update credentials on syscall entry/exit */
5565 #define TIF_SYSCALL_TRACE 31 /* syscall trace active */
5567 #define _TIF_SYSCALL_TRACE (1<<TIF_SYSCALL_TRACE)
5568 @@ -130,15 +132,18 @@ static inline struct thread_info *current_thread_info(void)
5569 #define _TIF_32BIT_ADDR (1<<TIF_32BIT_ADDR)
5570 #define _TIF_FPUBOUND (1<<TIF_FPUBOUND)
5571 #define _TIF_LOAD_WATCH (1<<TIF_LOAD_WATCH)
5572 +#define _TIF_GRSEC_SETXID (1<<TIF_GRSEC_SETXID)
5574 +#define _TIF_SYSCALL_WORK (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | _TIF_GRSEC_SETXID)
5576 /* work to do in syscall_trace_leave() */
5577 -#define _TIF_WORK_SYSCALL_EXIT (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT)
5578 +#define _TIF_WORK_SYSCALL_EXIT (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | _TIF_GRSEC_SETXID)
5580 /* work to do on interrupt/exception return */
5581 #define _TIF_WORK_MASK \
5582 (_TIF_SIGPENDING | _TIF_NEED_RESCHED | _TIF_NOTIFY_RESUME)
5583 /* work to do on any return to u-space */
5584 -#define _TIF_ALLWORK_MASK (_TIF_WORK_MASK | _TIF_WORK_SYSCALL_EXIT)
5585 +#define _TIF_ALLWORK_MASK (_TIF_WORK_MASK | _TIF_WORK_SYSCALL_EXIT | _TIF_GRSEC_SETXID)
5587 #endif /* __KERNEL__ */
5589 diff --git a/arch/mips/kernel/binfmt_elfn32.c b/arch/mips/kernel/binfmt_elfn32.c
5590 index 1188e00..41cf144 100644
5591 --- a/arch/mips/kernel/binfmt_elfn32.c
5592 +++ b/arch/mips/kernel/binfmt_elfn32.c
5593 @@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_NFPREG];
5594 #undef ELF_ET_DYN_BASE
5595 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
5597 +#ifdef CONFIG_PAX_ASLR
5598 +#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
5600 +#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
5601 +#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
5604 #include <asm/processor.h>
5605 #include <linux/module.h>
5606 #include <linux/elfcore.h>
5607 diff --git a/arch/mips/kernel/binfmt_elfo32.c b/arch/mips/kernel/binfmt_elfo32.c
5608 index 202e581..689ca79 100644
5609 --- a/arch/mips/kernel/binfmt_elfo32.c
5610 +++ b/arch/mips/kernel/binfmt_elfo32.c
5611 @@ -56,6 +56,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_NFPREG];
5612 #undef ELF_ET_DYN_BASE
5613 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
5615 +#ifdef CONFIG_PAX_ASLR
5616 +#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
5618 +#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
5619 +#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
5622 #include <asm/processor.h>
5625 diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c
5626 index c6a041d..b3e7318 100644
5627 --- a/arch/mips/kernel/process.c
5628 +++ b/arch/mips/kernel/process.c
5629 @@ -563,15 +563,3 @@ unsigned long get_wchan(struct task_struct *task)
5635 - * Don't forget that the stack pointer must be aligned on a 8 bytes
5636 - * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
5638 -unsigned long arch_align_stack(unsigned long sp)
5640 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
5641 - sp -= get_random_int() & ~PAGE_MASK;
5643 - return sp & ALMASK;
5645 diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c
5646 index 9c6299c..2fb4c22 100644
5647 --- a/arch/mips/kernel/ptrace.c
5648 +++ b/arch/mips/kernel/ptrace.c
5649 @@ -528,6 +528,10 @@ static inline int audit_arch(void)
5653 +#ifdef CONFIG_GRKERNSEC_SETXID
5654 +extern void gr_delayed_cred_worker(void);
5658 * Notification of system call entry/exit
5659 * - triggered by current->work.syscall_trace
5660 @@ -537,6 +541,11 @@ asmlinkage void syscall_trace_enter(struct pt_regs *regs)
5661 /* do the secure computing check first */
5662 secure_computing_strict(regs->regs[2]);
5664 +#ifdef CONFIG_GRKERNSEC_SETXID
5665 + if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
5666 + gr_delayed_cred_worker();
5669 if (!(current->ptrace & PT_PTRACED))
5672 diff --git a/arch/mips/kernel/scall32-o32.S b/arch/mips/kernel/scall32-o32.S
5673 index 9b36424..e7f4154 100644
5674 --- a/arch/mips/kernel/scall32-o32.S
5675 +++ b/arch/mips/kernel/scall32-o32.S
5676 @@ -52,7 +52,7 @@ NESTED(handle_sys, PT_SIZE, sp)
5679 lw t0, TI_FLAGS($28) # syscall tracing enabled?
5680 - li t1, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT
5681 + li t1, _TIF_SYSCALL_WORK
5683 bnez t0, syscall_trace_entry # -> yes
5685 diff --git a/arch/mips/kernel/scall64-64.S b/arch/mips/kernel/scall64-64.S
5686 index 97a5909..59622f8 100644
5687 --- a/arch/mips/kernel/scall64-64.S
5688 +++ b/arch/mips/kernel/scall64-64.S
5689 @@ -54,7 +54,7 @@ NESTED(handle_sys64, PT_SIZE, sp)
5691 sd a3, PT_R26(sp) # save a3 for syscall restarting
5693 - li t1, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT
5694 + li t1, _TIF_SYSCALL_WORK
5695 LONG_L t0, TI_FLAGS($28) # syscall tracing enabled?
5697 bnez t0, syscall_trace_entry
5698 diff --git a/arch/mips/kernel/scall64-n32.S b/arch/mips/kernel/scall64-n32.S
5699 index edcb659..fb2ab09 100644
5700 --- a/arch/mips/kernel/scall64-n32.S
5701 +++ b/arch/mips/kernel/scall64-n32.S
5702 @@ -47,7 +47,7 @@ NESTED(handle_sysn32, PT_SIZE, sp)
5704 sd a3, PT_R26(sp) # save a3 for syscall restarting
5706 - li t1, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT
5707 + li t1, _TIF_SYSCALL_WORK
5708 LONG_L t0, TI_FLAGS($28) # syscall tracing enabled?
5710 bnez t0, n32_syscall_trace_entry
5711 diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S
5712 index 74f485d..47d2c38 100644
5713 --- a/arch/mips/kernel/scall64-o32.S
5714 +++ b/arch/mips/kernel/scall64-o32.S
5715 @@ -81,7 +81,7 @@ NESTED(handle_sys, PT_SIZE, sp)
5719 - li t1, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT
5720 + li t1, _TIF_SYSCALL_WORK
5721 LONG_L t0, TI_FLAGS($28) # syscall tracing enabled?
5723 bnez t0, trace_a_syscall
5724 diff --git a/arch/mips/mm/fault.c b/arch/mips/mm/fault.c
5725 index 0fead53..eeb00a6 100644
5726 --- a/arch/mips/mm/fault.c
5727 +++ b/arch/mips/mm/fault.c
5729 #include <asm/highmem.h> /* For VMALLOC_END */
5730 #include <linux/kdebug.h>
5732 +#ifdef CONFIG_PAX_PAGEEXEC
5733 +void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
5737 + printk(KERN_ERR "PAX: bytes at PC: ");
5738 + for (i = 0; i < 5; i++) {
5740 + if (get_user(c, (unsigned int *)pc+i))
5741 + printk(KERN_CONT "???????? ");
5743 + printk(KERN_CONT "%08x ", c);
5750 * This routine handles page faults. It determines the address,
5751 * and the problem, and then passes it off to one of the appropriate
5752 @@ -196,6 +213,14 @@ bad_area:
5753 bad_area_nosemaphore:
5754 /* User mode accesses just cause a SIGSEGV */
5755 if (user_mode(regs)) {
5757 +#ifdef CONFIG_PAX_PAGEEXEC
5758 + if (cpu_has_rixi && (mm->pax_flags & MF_PAX_PAGEEXEC) && !write && address == instruction_pointer(regs)) {
5759 + pax_report_fault(regs, (void *)address, (void *)user_stack_pointer(regs));
5760 + do_group_exit(SIGKILL);
5764 tsk->thread.cp0_badvaddr = address;
5765 tsk->thread.error_code = write;
5767 diff --git a/arch/mips/mm/mmap.c b/arch/mips/mm/mmap.c
5768 index 7e5fe27..9656513 100644
5769 --- a/arch/mips/mm/mmap.c
5770 +++ b/arch/mips/mm/mmap.c
5771 @@ -59,6 +59,7 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp,
5772 struct vm_area_struct *vma;
5773 unsigned long addr = addr0;
5775 + unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
5776 struct vm_unmapped_area_info info;
5778 if (unlikely(len > TASK_SIZE))
5779 @@ -84,6 +85,11 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp,
5782 /* requesting a specific address */
5784 +#ifdef CONFIG_PAX_RANDMMAP
5785 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
5790 addr = COLOUR_ALIGN(addr, pgoff);
5791 @@ -91,14 +97,14 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp,
5792 addr = PAGE_ALIGN(addr);
5794 vma = find_vma(mm, addr);
5795 - if (TASK_SIZE - len >= addr &&
5796 - (!vma || addr + len <= vma->vm_start))
5797 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vmm, addr, len, offset))
5802 info.align_mask = do_color_align ? (PAGE_MASK & shm_align_mask) : 0;
5803 info.align_offset = pgoff << PAGE_SHIFT;
5804 + info.threadstack_offset = offset;
5807 info.flags = VM_UNMAPPED_AREA_TOPDOWN;
5808 @@ -146,6 +152,10 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
5810 unsigned long random_factor = 0UL;
5812 +#ifdef CONFIG_PAX_RANDMMAP
5813 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
5816 if (current->flags & PF_RANDOMIZE) {
5817 random_factor = get_random_int();
5818 random_factor = random_factor << PAGE_SHIFT;
5819 @@ -157,42 +167,27 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
5821 if (mmap_is_legacy()) {
5822 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
5824 +#ifdef CONFIG_PAX_RANDMMAP
5825 + if (mm->pax_flags & MF_PAX_RANDMMAP)
5826 + mm->mmap_base += mm->delta_mmap;
5829 mm->get_unmapped_area = arch_get_unmapped_area;
5830 mm->unmap_area = arch_unmap_area;
5832 mm->mmap_base = mmap_base(random_factor);
5834 +#ifdef CONFIG_PAX_RANDMMAP
5835 + if (mm->pax_flags & MF_PAX_RANDMMAP)
5836 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
5839 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
5840 mm->unmap_area = arch_unmap_area_topdown;
5844 -static inline unsigned long brk_rnd(void)
5846 - unsigned long rnd = get_random_int();
5848 - rnd = rnd << PAGE_SHIFT;
5849 - /* 8MB for 32bit, 256MB for 64bit */
5850 - if (TASK_IS_32BIT_ADDR)
5851 - rnd = rnd & 0x7ffffful;
5853 - rnd = rnd & 0xffffffful;
5858 -unsigned long arch_randomize_brk(struct mm_struct *mm)
5860 - unsigned long base = mm->brk;
5861 - unsigned long ret;
5863 - ret = PAGE_ALIGN(base + brk_rnd());
5865 - if (ret < mm->brk)
5871 int __virt_addr_valid(const volatile void *kaddr)
5873 return pfn_valid(PFN_DOWN(virt_to_phys(kaddr)));
5874 diff --git a/arch/mn10300/proc-mn103e010/include/proc/cache.h b/arch/mn10300/proc-mn103e010/include/proc/cache.h
5875 index 967d144..db12197 100644
5876 --- a/arch/mn10300/proc-mn103e010/include/proc/cache.h
5877 +++ b/arch/mn10300/proc-mn103e010/include/proc/cache.h
5879 #ifndef _ASM_PROC_CACHE_H
5880 #define _ASM_PROC_CACHE_H
5882 +#include <linux/const.h>
5886 #define L1_CACHE_NWAYS 4 /* number of ways in caches */
5887 #define L1_CACHE_NENTRIES 256 /* number of entries in each way */
5888 -#define L1_CACHE_BYTES 16 /* bytes per entry */
5889 #define L1_CACHE_SHIFT 4 /* shift for bytes per entry */
5890 +#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT) /* bytes per entry */
5891 #define L1_CACHE_WAYDISP 0x1000 /* displacement of one way from the next */
5893 #define L1_CACHE_TAG_VALID 0x00000001 /* cache tag valid bit */
5894 diff --git a/arch/mn10300/proc-mn2ws0050/include/proc/cache.h b/arch/mn10300/proc-mn2ws0050/include/proc/cache.h
5895 index bcb5df2..84fabd2 100644
5896 --- a/arch/mn10300/proc-mn2ws0050/include/proc/cache.h
5897 +++ b/arch/mn10300/proc-mn2ws0050/include/proc/cache.h
5899 #ifndef _ASM_PROC_CACHE_H
5900 #define _ASM_PROC_CACHE_H
5902 +#include <linux/const.h>
5907 #define L1_CACHE_NWAYS 4 /* number of ways in caches */
5908 #define L1_CACHE_NENTRIES 128 /* number of entries in each way */
5909 -#define L1_CACHE_BYTES 32 /* bytes per entry */
5910 #define L1_CACHE_SHIFT 5 /* shift for bytes per entry */
5911 +#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT) /* bytes per entry */
5912 #define L1_CACHE_WAYDISP 0x1000 /* distance from one way to the next */
5914 #define L1_CACHE_TAG_VALID 0x00000001 /* cache tag valid bit */
5915 diff --git a/arch/openrisc/include/asm/cache.h b/arch/openrisc/include/asm/cache.h
5916 index 4ce7a01..449202a 100644
5917 --- a/arch/openrisc/include/asm/cache.h
5918 +++ b/arch/openrisc/include/asm/cache.h
5920 #ifndef __ASM_OPENRISC_CACHE_H
5921 #define __ASM_OPENRISC_CACHE_H
5923 +#include <linux/const.h>
5925 /* FIXME: How can we replace these with values from the CPU...
5926 * they shouldn't be hard-coded!
5929 -#define L1_CACHE_BYTES 16
5930 #define L1_CACHE_SHIFT 4
5931 +#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
5933 #endif /* __ASM_OPENRISC_CACHE_H */
5934 diff --git a/arch/parisc/include/asm/atomic.h b/arch/parisc/include/asm/atomic.h
5935 index 472886c..00e7df9 100644
5936 --- a/arch/parisc/include/asm/atomic.h
5937 +++ b/arch/parisc/include/asm/atomic.h
5938 @@ -252,6 +252,16 @@ static inline long atomic64_dec_if_positive(atomic64_t *v)
5942 +#define atomic64_read_unchecked(v) atomic64_read(v)
5943 +#define atomic64_set_unchecked(v, i) atomic64_set((v), (i))
5944 +#define atomic64_add_unchecked(a, v) atomic64_add((a), (v))
5945 +#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v))
5946 +#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v))
5947 +#define atomic64_inc_unchecked(v) atomic64_inc(v)
5948 +#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v)
5949 +#define atomic64_dec_unchecked(v) atomic64_dec(v)
5950 +#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n))
5952 #endif /* !CONFIG_64BIT */
5955 diff --git a/arch/parisc/include/asm/cache.h b/arch/parisc/include/asm/cache.h
5956 index 47f11c7..3420df2 100644
5957 --- a/arch/parisc/include/asm/cache.h
5958 +++ b/arch/parisc/include/asm/cache.h
5960 #ifndef __ARCH_PARISC_CACHE_H
5961 #define __ARCH_PARISC_CACHE_H
5963 +#include <linux/const.h>
5966 * PA 2.0 processors have 64-byte cachelines; PA 1.1 processors have
5968 * just ruin performance.
5971 -#define L1_CACHE_BYTES 64
5972 #define L1_CACHE_SHIFT 6
5974 -#define L1_CACHE_BYTES 32
5975 #define L1_CACHE_SHIFT 5
5978 +#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
5980 #ifndef __ASSEMBLY__
5982 #define SMP_CACHE_BYTES L1_CACHE_BYTES
5983 diff --git a/arch/parisc/include/asm/elf.h b/arch/parisc/include/asm/elf.h
5984 index ad2b503..bdf1651 100644
5985 --- a/arch/parisc/include/asm/elf.h
5986 +++ b/arch/parisc/include/asm/elf.h
5987 @@ -342,6 +342,13 @@ struct pt_regs; /* forward declaration... */
5989 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
5991 +#ifdef CONFIG_PAX_ASLR
5992 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
5994 +#define PAX_DELTA_MMAP_LEN 16
5995 +#define PAX_DELTA_STACK_LEN 16
5998 /* This yields a mask that user programs can use to figure out what
5999 instruction set this CPU supports. This could be done in user space,
6000 but it's not easy, and we've already done it here. */
6001 diff --git a/arch/parisc/include/asm/pgalloc.h b/arch/parisc/include/asm/pgalloc.h
6002 index fc987a1..6e068ef 100644
6003 --- a/arch/parisc/include/asm/pgalloc.h
6004 +++ b/arch/parisc/include/asm/pgalloc.h
6005 @@ -61,6 +61,11 @@ static inline void pgd_populate(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmd)
6006 (__u32)(__pa((unsigned long)pmd) >> PxD_VALUE_SHIFT));
6009 +static inline void pgd_populate_kernel(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmd)
6011 + pgd_populate(mm, pgd, pmd);
6014 static inline pmd_t *pmd_alloc_one(struct mm_struct *mm, unsigned long address)
6016 pmd_t *pmd = (pmd_t *)__get_free_pages(GFP_KERNEL|__GFP_REPEAT,
6017 @@ -93,6 +98,7 @@ static inline void pmd_free(struct mm_struct *mm, pmd_t *pmd)
6018 #define pmd_alloc_one(mm, addr) ({ BUG(); ((pmd_t *)2); })
6019 #define pmd_free(mm, x) do { } while (0)
6020 #define pgd_populate(mm, pmd, pte) BUG()
6021 +#define pgd_populate_kernel(mm, pmd, pte) BUG()
6025 diff --git a/arch/parisc/include/asm/pgtable.h b/arch/parisc/include/asm/pgtable.h
6026 index 1e40d7f..a3eb445 100644
6027 --- a/arch/parisc/include/asm/pgtable.h
6028 +++ b/arch/parisc/include/asm/pgtable.h
6029 @@ -223,6 +223,17 @@ extern void purge_tlb_entries(struct mm_struct *, unsigned long);
6030 #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
6031 #define PAGE_COPY PAGE_EXECREAD
6032 #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
6034 +#ifdef CONFIG_PAX_PAGEEXEC
6035 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
6036 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
6037 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
6039 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
6040 +# define PAGE_COPY_NOEXEC PAGE_COPY
6041 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
6044 #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
6045 #define PAGE_KERNEL_EXEC __pgprot(_PAGE_KERNEL_EXEC)
6046 #define PAGE_KERNEL_RWX __pgprot(_PAGE_KERNEL_RWX)
6047 diff --git a/arch/parisc/include/asm/uaccess.h b/arch/parisc/include/asm/uaccess.h
6048 index e0a8235..ce2f1e1 100644
6049 --- a/arch/parisc/include/asm/uaccess.h
6050 +++ b/arch/parisc/include/asm/uaccess.h
6051 @@ -245,10 +245,10 @@ static inline unsigned long __must_check copy_from_user(void *to,
6052 const void __user *from,
6055 - int sz = __compiletime_object_size(to);
6056 + size_t sz = __compiletime_object_size(to);
6059 - if (likely(sz == -1 || !__builtin_constant_p(n) || sz >= n))
6060 + if (likely(sz == (size_t)-1 || !__builtin_constant_p(n) || sz >= n))
6061 ret = __copy_from_user(to, from, n);
6063 copy_from_user_overflow();
6064 diff --git a/arch/parisc/kernel/module.c b/arch/parisc/kernel/module.c
6065 index 2a625fb..9908930 100644
6066 --- a/arch/parisc/kernel/module.c
6067 +++ b/arch/parisc/kernel/module.c
6070 /* three functions to determine where in the module core
6071 * or init pieces the location is */
6072 +static inline int in_init_rx(struct module *me, void *loc)
6074 + return (loc >= me->module_init_rx &&
6075 + loc < (me->module_init_rx + me->init_size_rx));
6078 +static inline int in_init_rw(struct module *me, void *loc)
6080 + return (loc >= me->module_init_rw &&
6081 + loc < (me->module_init_rw + me->init_size_rw));
6084 static inline int in_init(struct module *me, void *loc)
6086 - return (loc >= me->module_init &&
6087 - loc <= (me->module_init + me->init_size));
6088 + return in_init_rx(me, loc) || in_init_rw(me, loc);
6091 +static inline int in_core_rx(struct module *me, void *loc)
6093 + return (loc >= me->module_core_rx &&
6094 + loc < (me->module_core_rx + me->core_size_rx));
6097 +static inline int in_core_rw(struct module *me, void *loc)
6099 + return (loc >= me->module_core_rw &&
6100 + loc < (me->module_core_rw + me->core_size_rw));
6103 static inline int in_core(struct module *me, void *loc)
6105 - return (loc >= me->module_core &&
6106 - loc <= (me->module_core + me->core_size));
6107 + return in_core_rx(me, loc) || in_core_rw(me, loc);
6110 static inline int in_local(struct module *me, void *loc)
6111 @@ -371,13 +393,13 @@ int module_frob_arch_sections(CONST Elf_Ehdr *hdr,
6114 /* align things a bit */
6115 - me->core_size = ALIGN(me->core_size, 16);
6116 - me->arch.got_offset = me->core_size;
6117 - me->core_size += gots * sizeof(struct got_entry);
6118 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
6119 + me->arch.got_offset = me->core_size_rw;
6120 + me->core_size_rw += gots * sizeof(struct got_entry);
6122 - me->core_size = ALIGN(me->core_size, 16);
6123 - me->arch.fdesc_offset = me->core_size;
6124 - me->core_size += fdescs * sizeof(Elf_Fdesc);
6125 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
6126 + me->arch.fdesc_offset = me->core_size_rw;
6127 + me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
6129 me->arch.got_max = gots;
6130 me->arch.fdesc_max = fdescs;
6131 @@ -395,7 +417,7 @@ static Elf64_Word get_got(struct module *me, unsigned long value, long addend)
6135 - got = me->module_core + me->arch.got_offset;
6136 + got = me->module_core_rw + me->arch.got_offset;
6137 for (i = 0; got[i].addr; i++)
6138 if (got[i].addr == value)
6140 @@ -413,7 +435,7 @@ static Elf64_Word get_got(struct module *me, unsigned long value, long addend)
6142 static Elf_Addr get_fdesc(struct module *me, unsigned long value)
6144 - Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
6145 + Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
6148 printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
6149 @@ -431,7 +453,7 @@ static Elf_Addr get_fdesc(struct module *me, unsigned long value)
6151 /* Create new one */
6152 fdesc->addr = value;
6153 - fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
6154 + fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
6155 return (Elf_Addr)fdesc;
6157 #endif /* CONFIG_64BIT */
6158 @@ -843,7 +865,7 @@ register_unwind_table(struct module *me,
6160 table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
6161 end = table + sechdrs[me->arch.unwind_section].sh_size;
6162 - gp = (Elf_Addr)me->module_core + me->arch.got_offset;
6163 + gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
6165 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
6166 me->arch.unwind_section, table, end, gp);
6167 diff --git a/arch/parisc/kernel/sys_parisc.c b/arch/parisc/kernel/sys_parisc.c
6168 index 5dfd248..64914ac 100644
6169 --- a/arch/parisc/kernel/sys_parisc.c
6170 +++ b/arch/parisc/kernel/sys_parisc.c
6172 #include <linux/utsname.h>
6173 #include <linux/personality.h>
6175 -static unsigned long get_unshared_area(unsigned long addr, unsigned long len)
6176 +static unsigned long get_unshared_area(struct file *filp, unsigned long addr, unsigned long len,
6177 + unsigned long flags)
6179 struct vm_unmapped_area_info info;
6180 + unsigned long offset = gr_rand_threadstack_offset(current->mm, filp, flags);
6184 @@ -43,6 +45,7 @@ static unsigned long get_unshared_area(unsigned long addr, unsigned long len)
6185 info.high_limit = TASK_SIZE;
6186 info.align_mask = 0;
6187 info.align_offset = 0;
6188 + info.threadstack_offset = offset;
6189 return vm_unmapped_area(&info);
6192 @@ -61,10 +64,11 @@ static int get_offset(struct address_space *mapping)
6193 return (unsigned long) mapping >> 8;
6196 -static unsigned long get_shared_area(struct address_space *mapping,
6197 - unsigned long addr, unsigned long len, unsigned long pgoff)
6198 +static unsigned long get_shared_area(struct file *filp, struct address_space *mapping,
6199 + unsigned long addr, unsigned long len, unsigned long pgoff, unsigned long flags)
6201 struct vm_unmapped_area_info info;
6202 + unsigned long offset = gr_rand_threadstack_offset(current->mm, filp, flags);
6206 @@ -72,6 +76,7 @@ static unsigned long get_shared_area(struct address_space *mapping,
6207 info.high_limit = TASK_SIZE;
6208 info.align_mask = PAGE_MASK & (SHMLBA - 1);
6209 info.align_offset = (get_offset(mapping) + pgoff) << PAGE_SHIFT;
6210 + info.threadstack_offset = offset;
6211 return vm_unmapped_area(&info);
6214 @@ -86,15 +91,22 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
6220 addr = TASK_UNMAPPED_BASE;
6222 +#ifdef CONFIG_PAX_RANDMMAP
6223 + if (current->mm->pax_flags & MF_PAX_RANDMMAP)
6224 + addr += current->mm->delta_mmap;
6230 - addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
6231 + addr = get_shared_area(filp, filp->f_mapping, addr, len, pgoff, flags);
6232 } else if(flags & MAP_SHARED) {
6233 - addr = get_shared_area(NULL, addr, len, pgoff);
6234 + addr = get_shared_area(filp, NULL, addr, len, pgoff, flags);
6236 - addr = get_unshared_area(addr, len);
6237 + addr = get_unshared_area(filp, addr, len, flags);
6241 diff --git a/arch/parisc/kernel/traps.c b/arch/parisc/kernel/traps.c
6242 index 04e47c6..7a8faf6 100644
6243 --- a/arch/parisc/kernel/traps.c
6244 +++ b/arch/parisc/kernel/traps.c
6245 @@ -727,9 +727,7 @@ void notrace handle_interruption(int code, struct pt_regs *regs)
6247 down_read(¤t->mm->mmap_sem);
6248 vma = find_vma(current->mm,regs->iaoq[0]);
6249 - if (vma && (regs->iaoq[0] >= vma->vm_start)
6250 - && (vma->vm_flags & VM_EXEC)) {
6252 + if (vma && (regs->iaoq[0] >= vma->vm_start)) {
6253 fault_address = regs->iaoq[0];
6254 fault_space = regs->iasq[0];
6256 diff --git a/arch/parisc/mm/fault.c b/arch/parisc/mm/fault.c
6257 index f247a34..dc0f219 100644
6258 --- a/arch/parisc/mm/fault.c
6259 +++ b/arch/parisc/mm/fault.c
6261 #include <linux/sched.h>
6262 #include <linux/interrupt.h>
6263 #include <linux/module.h>
6264 +#include <linux/unistd.h>
6266 #include <asm/uaccess.h>
6267 #include <asm/traps.h>
6268 @@ -52,7 +53,7 @@ DEFINE_PER_CPU(struct exception_data, exception_data);
6269 static unsigned long
6270 parisc_acctyp(unsigned long code, unsigned int inst)
6272 - if (code == 6 || code == 16)
6273 + if (code == 6 || code == 7 || code == 16)
6276 switch (inst & 0xf0000000) {
6277 @@ -138,6 +139,116 @@ parisc_acctyp(unsigned long code, unsigned int inst)
6281 +#ifdef CONFIG_PAX_PAGEEXEC
6283 + * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
6285 + * returns 1 when task should be killed
6286 + * 2 when rt_sigreturn trampoline was detected
6287 + * 3 when unpatched PLT trampoline was detected
6289 +static int pax_handle_fetch_fault(struct pt_regs *regs)
6292 +#ifdef CONFIG_PAX_EMUPLT
6295 + do { /* PaX: unpatched PLT emulation */
6296 + unsigned int bl, depwi;
6298 + err = get_user(bl, (unsigned int *)instruction_pointer(regs));
6299 + err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
6304 + if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
6305 + unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
6307 + err = get_user(ldw, (unsigned int *)addr);
6308 + err |= get_user(bv, (unsigned int *)(addr+4));
6309 + err |= get_user(ldw2, (unsigned int *)(addr+8));
6314 + if (ldw == 0x0E801096U &&
6315 + bv == 0xEAC0C000U &&
6316 + ldw2 == 0x0E881095U)
6318 + unsigned int resolver, map;
6320 + err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
6321 + err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
6325 + regs->gr[20] = instruction_pointer(regs)+8;
6326 + regs->gr[21] = map;
6327 + regs->gr[22] = resolver;
6328 + regs->iaoq[0] = resolver | 3UL;
6329 + regs->iaoq[1] = regs->iaoq[0] + 4;
6336 +#ifdef CONFIG_PAX_EMUTRAMP
6338 +#ifndef CONFIG_PAX_EMUSIGRT
6339 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
6343 + do { /* PaX: rt_sigreturn emulation */
6344 + unsigned int ldi1, ldi2, bel, nop;
6346 + err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
6347 + err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
6348 + err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
6349 + err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
6354 + if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
6355 + ldi2 == 0x3414015AU &&
6356 + bel == 0xE4008200U &&
6357 + nop == 0x08000240U)
6359 + regs->gr[25] = (ldi1 & 2) >> 1;
6360 + regs->gr[20] = __NR_rt_sigreturn;
6361 + regs->gr[31] = regs->iaoq[1] + 16;
6362 + regs->sr[0] = regs->iasq[1];
6363 + regs->iaoq[0] = 0x100UL;
6364 + regs->iaoq[1] = regs->iaoq[0] + 4;
6365 + regs->iasq[0] = regs->sr[2];
6366 + regs->iasq[1] = regs->sr[2];
6375 +void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
6379 + printk(KERN_ERR "PAX: bytes at PC: ");
6380 + for (i = 0; i < 5; i++) {
6382 + if (get_user(c, (unsigned int *)pc+i))
6383 + printk(KERN_CONT "???????? ");
6385 + printk(KERN_CONT "%08x ", c);
6391 int fixup_exception(struct pt_regs *regs)
6393 const struct exception_table_entry *fix;
6394 @@ -194,8 +305,33 @@ good_area:
6396 acc_type = parisc_acctyp(code,regs->iir);
6398 - if ((vma->vm_flags & acc_type) != acc_type)
6399 + if ((vma->vm_flags & acc_type) != acc_type) {
6401 +#ifdef CONFIG_PAX_PAGEEXEC
6402 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
6403 + (address & ~3UL) == instruction_pointer(regs))
6405 + up_read(&mm->mmap_sem);
6406 + switch (pax_handle_fetch_fault(regs)) {
6408 +#ifdef CONFIG_PAX_EMUPLT
6413 +#ifdef CONFIG_PAX_EMUTRAMP
6419 + pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
6420 + do_group_exit(SIGKILL);
6428 * If for any reason at all we couldn't handle the fault, make
6429 diff --git a/arch/powerpc/include/asm/atomic.h b/arch/powerpc/include/asm/atomic.h
6430 index e3b1d41..8e81edf 100644
6431 --- a/arch/powerpc/include/asm/atomic.h
6432 +++ b/arch/powerpc/include/asm/atomic.h
6433 @@ -523,6 +523,16 @@ static __inline__ long atomic64_inc_not_zero(atomic64_t *v)
6437 +#define atomic64_read_unchecked(v) atomic64_read(v)
6438 +#define atomic64_set_unchecked(v, i) atomic64_set((v), (i))
6439 +#define atomic64_add_unchecked(a, v) atomic64_add((a), (v))
6440 +#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v))
6441 +#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v))
6442 +#define atomic64_inc_unchecked(v) atomic64_inc(v)
6443 +#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v)
6444 +#define atomic64_dec_unchecked(v) atomic64_dec(v)
6445 +#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n))
6447 #endif /* __powerpc64__ */
6449 #endif /* __KERNEL__ */
6450 diff --git a/arch/powerpc/include/asm/cache.h b/arch/powerpc/include/asm/cache.h
6451 index 9e495c9..b6878e5 100644
6452 --- a/arch/powerpc/include/asm/cache.h
6453 +++ b/arch/powerpc/include/asm/cache.h
6458 +#include <linux/const.h>
6460 /* bytes per L1 cache line */
6461 #if defined(CONFIG_8xx) || defined(CONFIG_403GCX)
6463 #define L1_CACHE_SHIFT 7
6466 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
6467 +#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
6469 #define SMP_CACHE_BYTES L1_CACHE_BYTES
6471 diff --git a/arch/powerpc/include/asm/elf.h b/arch/powerpc/include/asm/elf.h
6472 index cc0655a..13eac2e 100644
6473 --- a/arch/powerpc/include/asm/elf.h
6474 +++ b/arch/powerpc/include/asm/elf.h
6476 the loader. We need to make sure that it is out of the way of the program
6477 that it will "exec", and that there is sufficient room for the brk. */
6479 -extern unsigned long randomize_et_dyn(unsigned long base);
6480 -#define ELF_ET_DYN_BASE (randomize_et_dyn(0x20000000))
6481 +#define ELF_ET_DYN_BASE (0x20000000)
6483 +#ifdef CONFIG_PAX_ASLR
6484 +#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
6486 +#ifdef __powerpc64__
6487 +#define PAX_DELTA_MMAP_LEN (is_32bit_task() ? 16 : 28)
6488 +#define PAX_DELTA_STACK_LEN (is_32bit_task() ? 16 : 28)
6490 +#define PAX_DELTA_MMAP_LEN 15
6491 +#define PAX_DELTA_STACK_LEN 15
6496 * Our registers are always unsigned longs, whether we're a 32 bit
6497 @@ -123,10 +134,6 @@ extern int arch_setup_additional_pages(struct linux_binprm *bprm,
6498 (0x7ff >> (PAGE_SHIFT - 12)) : \
6499 (0x3ffff >> (PAGE_SHIFT - 12)))
6501 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
6502 -#define arch_randomize_brk arch_randomize_brk
6505 #ifdef CONFIG_SPU_BASE
6506 /* Notes used in ET_CORE. Note name is "SPU/<fd>/<filename>". */
6508 diff --git a/arch/powerpc/include/asm/exec.h b/arch/powerpc/include/asm/exec.h
6509 index 8196e9c..d83a9f3 100644
6510 --- a/arch/powerpc/include/asm/exec.h
6511 +++ b/arch/powerpc/include/asm/exec.h
6513 #ifndef _ASM_POWERPC_EXEC_H
6514 #define _ASM_POWERPC_EXEC_H
6516 -extern unsigned long arch_align_stack(unsigned long sp);
6517 +#define arch_align_stack(x) ((x) & ~0xfUL)
6519 #endif /* _ASM_POWERPC_EXEC_H */
6520 diff --git a/arch/powerpc/include/asm/kmap_types.h b/arch/powerpc/include/asm/kmap_types.h
6521 index 5acabbd..7ea14fa 100644
6522 --- a/arch/powerpc/include/asm/kmap_types.h
6523 +++ b/arch/powerpc/include/asm/kmap_types.h
6525 * 2 of the License, or (at your option) any later version.
6528 -#define KM_TYPE_NR 16
6529 +#define KM_TYPE_NR 17
6531 #endif /* __KERNEL__ */
6532 #endif /* _ASM_POWERPC_KMAP_TYPES_H */
6533 diff --git a/arch/powerpc/include/asm/mman.h b/arch/powerpc/include/asm/mman.h
6534 index 8565c25..2865190 100644
6535 --- a/arch/powerpc/include/asm/mman.h
6536 +++ b/arch/powerpc/include/asm/mman.h
6537 @@ -24,7 +24,7 @@ static inline unsigned long arch_calc_vm_prot_bits(unsigned long prot)
6539 #define arch_calc_vm_prot_bits(prot) arch_calc_vm_prot_bits(prot)
6541 -static inline pgprot_t arch_vm_get_page_prot(unsigned long vm_flags)
6542 +static inline pgprot_t arch_vm_get_page_prot(vm_flags_t vm_flags)
6544 return (vm_flags & VM_SAO) ? __pgprot(_PAGE_SAO) : __pgprot(0);
6546 diff --git a/arch/powerpc/include/asm/page.h b/arch/powerpc/include/asm/page.h
6547 index 988c812..63c7d70 100644
6548 --- a/arch/powerpc/include/asm/page.h
6549 +++ b/arch/powerpc/include/asm/page.h
6550 @@ -220,8 +220,9 @@ extern long long virt_phys_offset;
6551 * and needs to be executable. This means the whole heap ends
6552 * up being executable.
6554 -#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
6555 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
6556 +#define VM_DATA_DEFAULT_FLAGS32 \
6557 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
6558 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
6560 #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
6561 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
6562 @@ -249,6 +250,9 @@ extern long long virt_phys_offset;
6563 #define is_kernel_addr(x) ((x) >= PAGE_OFFSET)
6566 +#define ktla_ktva(addr) (addr)
6567 +#define ktva_ktla(addr) (addr)
6569 #ifndef CONFIG_PPC_BOOK3S_64
6571 * Use the top bit of the higher-level page table entries to indicate whether
6572 diff --git a/arch/powerpc/include/asm/page_64.h b/arch/powerpc/include/asm/page_64.h
6573 index 88693ce..ac6f9ab 100644
6574 --- a/arch/powerpc/include/asm/page_64.h
6575 +++ b/arch/powerpc/include/asm/page_64.h
6576 @@ -153,15 +153,18 @@ do { \
6577 * stack by default, so in the absence of a PT_GNU_STACK program header
6578 * we turn execute permission off.
6580 -#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
6581 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
6582 +#define VM_STACK_DEFAULT_FLAGS32 \
6583 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
6584 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
6586 #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
6587 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
6589 +#ifndef CONFIG_PAX_PAGEEXEC
6590 #define VM_STACK_DEFAULT_FLAGS \
6591 (is_32bit_task() ? \
6592 VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
6595 #include <asm-generic/getorder.h>
6597 diff --git a/arch/powerpc/include/asm/pgalloc-64.h b/arch/powerpc/include/asm/pgalloc-64.h
6598 index b66ae72..4a378cd 100644
6599 --- a/arch/powerpc/include/asm/pgalloc-64.h
6600 +++ b/arch/powerpc/include/asm/pgalloc-64.h
6601 @@ -53,6 +53,7 @@ static inline void pgd_free(struct mm_struct *mm, pgd_t *pgd)
6602 #ifndef CONFIG_PPC_64K_PAGES
6604 #define pgd_populate(MM, PGD, PUD) pgd_set(PGD, PUD)
6605 +#define pgd_populate_kernel(MM, PGD, PUD) pgd_populate((MM), (PGD), (PUD))
6607 static inline pud_t *pud_alloc_one(struct mm_struct *mm, unsigned long addr)
6609 @@ -70,6 +71,11 @@ static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
6610 pud_set(pud, (unsigned long)pmd);
6613 +static inline void pud_populate_kernel(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
6615 + pud_populate(mm, pud, pmd);
6618 #define pmd_populate(mm, pmd, pte_page) \
6619 pmd_populate_kernel(mm, pmd, page_address(pte_page))
6620 #define pmd_populate_kernel(mm, pmd, pte) pmd_set(pmd, (unsigned long)(pte))
6621 @@ -171,6 +177,7 @@ extern void __tlb_remove_table(void *_table);
6624 #define pud_populate(mm, pud, pmd) pud_set(pud, (unsigned long)pmd)
6625 +#define pud_populate_kernel(mm, pud, pmd) pud_populate((mm), (pud), (pmd))
6627 static inline void pmd_populate_kernel(struct mm_struct *mm, pmd_t *pmd,
6629 diff --git a/arch/powerpc/include/asm/pgtable.h b/arch/powerpc/include/asm/pgtable.h
6630 index 7aeb955..19f748e 100644
6631 --- a/arch/powerpc/include/asm/pgtable.h
6632 +++ b/arch/powerpc/include/asm/pgtable.h
6634 #define _ASM_POWERPC_PGTABLE_H
6637 +#include <linux/const.h>
6638 #ifndef __ASSEMBLY__
6639 #include <asm/processor.h> /* For TASK_SIZE */
6640 #include <asm/mmu.h>
6641 diff --git a/arch/powerpc/include/asm/pte-hash32.h b/arch/powerpc/include/asm/pte-hash32.h
6642 index 4aad413..85d86bf 100644
6643 --- a/arch/powerpc/include/asm/pte-hash32.h
6644 +++ b/arch/powerpc/include/asm/pte-hash32.h
6646 #define _PAGE_FILE 0x004 /* when !present: nonlinear file mapping */
6647 #define _PAGE_USER 0x004 /* usermode access allowed */
6648 #define _PAGE_GUARDED 0x008 /* G: prohibit speculative access */
6649 +#define _PAGE_EXEC _PAGE_GUARDED
6650 #define _PAGE_COHERENT 0x010 /* M: enforce memory coherence (SMP systems) */
6651 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
6652 #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
6653 diff --git a/arch/powerpc/include/asm/reg.h b/arch/powerpc/include/asm/reg.h
6654 index e1fb161..2290d1d 100644
6655 --- a/arch/powerpc/include/asm/reg.h
6656 +++ b/arch/powerpc/include/asm/reg.h
6658 #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */
6659 #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */
6660 #define DSISR_NOHPTE 0x40000000 /* no translation found */
6661 +#define DSISR_GUARDED 0x10000000 /* fetch from guarded storage */
6662 #define DSISR_PROTFAULT 0x08000000 /* protection fault */
6663 #define DSISR_ISSTORE 0x02000000 /* access was a store */
6664 #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */
6665 diff --git a/arch/powerpc/include/asm/smp.h b/arch/powerpc/include/asm/smp.h
6666 index 48cfc85..891382f 100644
6667 --- a/arch/powerpc/include/asm/smp.h
6668 +++ b/arch/powerpc/include/asm/smp.h
6669 @@ -50,7 +50,7 @@ struct smp_ops_t {
6670 int (*cpu_disable)(void);
6671 void (*cpu_die)(unsigned int nr);
6672 int (*cpu_bootable)(unsigned int nr);
6676 extern void smp_send_debugger_break(void);
6677 extern void start_secondary_resume(void);
6678 diff --git a/arch/powerpc/include/asm/thread_info.h b/arch/powerpc/include/asm/thread_info.h
6679 index ba7b197..d292e26 100644
6680 --- a/arch/powerpc/include/asm/thread_info.h
6681 +++ b/arch/powerpc/include/asm/thread_info.h
6682 @@ -93,7 +93,6 @@ static inline struct thread_info *current_thread_info(void)
6683 #define TIF_POLLING_NRFLAG 3 /* true if poll_idle() is polling
6685 #define TIF_32BIT 4 /* 32 bit binary */
6686 -#define TIF_PERFMON_WORK 5 /* work for pfm_handle_work() */
6687 #define TIF_PERFMON_CTXSW 6 /* perfmon needs ctxsw calls */
6688 #define TIF_SYSCALL_AUDIT 7 /* syscall auditing active */
6689 #define TIF_SINGLESTEP 8 /* singlestepping active */
6690 @@ -107,6 +106,9 @@ static inline struct thread_info *current_thread_info(void)
6691 #define TIF_EMULATE_STACK_STORE 16 /* Is an instruction emulation
6693 #define TIF_MEMDIE 17 /* is terminating due to OOM killer */
6694 +#define TIF_PERFMON_WORK 18 /* work for pfm_handle_work() */
6695 +/* mask must be expressable within 16 bits to satisfy 'andi' instruction reqs */
6696 +#define TIF_GRSEC_SETXID 5 /* update credentials on syscall entry/exit */
6698 /* as above, but as bit values */
6699 #define _TIF_SYSCALL_TRACE (1<<TIF_SYSCALL_TRACE)
6700 @@ -126,9 +128,10 @@ static inline struct thread_info *current_thread_info(void)
6701 #define _TIF_SYSCALL_TRACEPOINT (1<<TIF_SYSCALL_TRACEPOINT)
6702 #define _TIF_EMULATE_STACK_STORE (1<<TIF_EMULATE_STACK_STORE)
6703 #define _TIF_NOHZ (1<<TIF_NOHZ)
6704 +#define _TIF_GRSEC_SETXID (1<<TIF_GRSEC_SETXID)
6705 #define _TIF_SYSCALL_T_OR_A (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
6706 _TIF_SECCOMP | _TIF_SYSCALL_TRACEPOINT | \
6708 + _TIF_NOHZ | _TIF_GRSEC_SETXID)
6710 #define _TIF_USER_WORK_MASK (_TIF_SIGPENDING | _TIF_NEED_RESCHED | \
6711 _TIF_NOTIFY_RESUME | _TIF_UPROBE)
6712 diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h
6713 index 4db4959..aba5c41 100644
6714 --- a/arch/powerpc/include/asm/uaccess.h
6715 +++ b/arch/powerpc/include/asm/uaccess.h
6716 @@ -318,52 +318,6 @@ do { \
6717 extern unsigned long __copy_tofrom_user(void __user *to,
6718 const void __user *from, unsigned long size);
6720 -#ifndef __powerpc64__
6722 -static inline unsigned long copy_from_user(void *to,
6723 - const void __user *from, unsigned long n)
6725 - unsigned long over;
6727 - if (access_ok(VERIFY_READ, from, n))
6728 - return __copy_tofrom_user((__force void __user *)to, from, n);
6729 - if ((unsigned long)from < TASK_SIZE) {
6730 - over = (unsigned long)from + n - TASK_SIZE;
6731 - return __copy_tofrom_user((__force void __user *)to, from,
6737 -static inline unsigned long copy_to_user(void __user *to,
6738 - const void *from, unsigned long n)
6740 - unsigned long over;
6742 - if (access_ok(VERIFY_WRITE, to, n))
6743 - return __copy_tofrom_user(to, (__force void __user *)from, n);
6744 - if ((unsigned long)to < TASK_SIZE) {
6745 - over = (unsigned long)to + n - TASK_SIZE;
6746 - return __copy_tofrom_user(to, (__force void __user *)from,
6752 -#else /* __powerpc64__ */
6754 -#define __copy_in_user(to, from, size) \
6755 - __copy_tofrom_user((to), (from), (size))
6757 -extern unsigned long copy_from_user(void *to, const void __user *from,
6759 -extern unsigned long copy_to_user(void __user *to, const void *from,
6761 -extern unsigned long copy_in_user(void __user *to, const void __user *from,
6764 -#endif /* __powerpc64__ */
6766 static inline unsigned long __copy_from_user_inatomic(void *to,
6767 const void __user *from, unsigned long n)
6769 @@ -387,6 +341,10 @@ static inline unsigned long __copy_from_user_inatomic(void *to,
6774 + if (!__builtin_constant_p(n))
6775 + check_object_size(to, n, false);
6777 return __copy_tofrom_user((__force void __user *)to, from, n);
6780 @@ -413,6 +371,10 @@ static inline unsigned long __copy_to_user_inatomic(void __user *to,
6785 + if (!__builtin_constant_p(n))
6786 + check_object_size(from, n, true);
6788 return __copy_tofrom_user(to, (__force const void __user *)from, n);
6791 @@ -430,6 +392,92 @@ static inline unsigned long __copy_to_user(void __user *to,
6792 return __copy_to_user_inatomic(to, from, size);
6795 +#ifndef __powerpc64__
6797 +static inline unsigned long __must_check copy_from_user(void *to,
6798 + const void __user *from, unsigned long n)
6800 + unsigned long over;
6805 + if (access_ok(VERIFY_READ, from, n)) {
6806 + if (!__builtin_constant_p(n))
6807 + check_object_size(to, n, false);
6808 + return __copy_tofrom_user((__force void __user *)to, from, n);
6810 + if ((unsigned long)from < TASK_SIZE) {
6811 + over = (unsigned long)from + n - TASK_SIZE;
6812 + if (!__builtin_constant_p(n - over))
6813 + check_object_size(to, n - over, false);
6814 + return __copy_tofrom_user((__force void __user *)to, from,
6820 +static inline unsigned long __must_check copy_to_user(void __user *to,
6821 + const void *from, unsigned long n)
6823 + unsigned long over;
6828 + if (access_ok(VERIFY_WRITE, to, n)) {
6829 + if (!__builtin_constant_p(n))
6830 + check_object_size(from, n, true);
6831 + return __copy_tofrom_user(to, (__force void __user *)from, n);
6833 + if ((unsigned long)to < TASK_SIZE) {
6834 + over = (unsigned long)to + n - TASK_SIZE;
6835 + if (!__builtin_constant_p(n))
6836 + check_object_size(from, n - over, true);
6837 + return __copy_tofrom_user(to, (__force void __user *)from,
6843 +#else /* __powerpc64__ */
6845 +#define __copy_in_user(to, from, size) \
6846 + __copy_tofrom_user((to), (from), (size))
6848 +static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
6850 + if ((long)n < 0 || n > INT_MAX)
6853 + if (!__builtin_constant_p(n))
6854 + check_object_size(to, n, false);
6856 + if (likely(access_ok(VERIFY_READ, from, n)))
6857 + n = __copy_from_user(to, from, n);
6863 +static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
6865 + if ((long)n < 0 || n > INT_MAX)
6868 + if (likely(access_ok(VERIFY_WRITE, to, n))) {
6869 + if (!__builtin_constant_p(n))
6870 + check_object_size(from, n, true);
6871 + n = __copy_to_user(to, from, n);
6876 +extern unsigned long copy_in_user(void __user *to, const void __user *from,
6879 +#endif /* __powerpc64__ */
6881 extern unsigned long __clear_user(void __user *addr, unsigned long size);
6883 static inline unsigned long clear_user(void __user *addr, unsigned long size)
6884 diff --git a/arch/powerpc/kernel/exceptions-64e.S b/arch/powerpc/kernel/exceptions-64e.S
6885 index 645170a..6cf0271 100644
6886 --- a/arch/powerpc/kernel/exceptions-64e.S
6887 +++ b/arch/powerpc/kernel/exceptions-64e.S
6888 @@ -757,6 +757,7 @@ storage_fault_common:
6891 addi r3,r1,STACK_FRAME_OVERHEAD
6895 ld r14,PACA_EXGEN+EX_R14(r13)
6896 @@ -765,8 +766,7 @@ storage_fault_common:
6899 b .ret_from_except_lite
6903 addi r3,r1,STACK_FRAME_OVERHEAD
6906 diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S
6907 index 902ca3c..e942155 100644
6908 --- a/arch/powerpc/kernel/exceptions-64s.S
6909 +++ b/arch/powerpc/kernel/exceptions-64s.S
6910 @@ -1357,10 +1357,10 @@ handle_page_fault:
6913 addi r3,r1,STACK_FRAME_OVERHEAD
6920 addi r3,r1,STACK_FRAME_OVERHEAD
6922 diff --git a/arch/powerpc/kernel/module_32.c b/arch/powerpc/kernel/module_32.c
6923 index 2e3200c..72095ce 100644
6924 --- a/arch/powerpc/kernel/module_32.c
6925 +++ b/arch/powerpc/kernel/module_32.c
6926 @@ -162,7 +162,7 @@ int module_frob_arch_sections(Elf32_Ehdr *hdr,
6927 me->arch.core_plt_section = i;
6929 if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
6930 - printk("Module doesn't contain .plt or .init.plt sections.\n");
6931 + printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
6935 @@ -192,11 +192,16 @@ static uint32_t do_plt_call(void *location,
6937 DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
6938 /* Init, or core PLT? */
6939 - if (location >= mod->module_core
6940 - && location < mod->module_core + mod->core_size)
6941 + if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
6942 + (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
6943 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
6945 + else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
6946 + (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
6947 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
6949 + printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
6953 /* Find this entry, or if that fails, the next avail. entry */
6954 while (entry->jump[0]) {
6955 diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
6956 index 7baa27b..f6b394a 100644
6957 --- a/arch/powerpc/kernel/process.c
6958 +++ b/arch/powerpc/kernel/process.c
6959 @@ -884,8 +884,8 @@ void show_regs(struct pt_regs * regs)
6960 * Lookup NIP late so we have the best change of getting the
6961 * above info out without failing
6963 - printk("NIP ["REG"] %pS\n", regs->nip, (void *)regs->nip);
6964 - printk("LR ["REG"] %pS\n", regs->link, (void *)regs->link);
6965 + printk("NIP ["REG"] %pA\n", regs->nip, (void *)regs->nip);
6966 + printk("LR ["REG"] %pA\n", regs->link, (void *)regs->link);
6968 #ifdef CONFIG_PPC_TRANSACTIONAL_MEM
6969 printk("PACATMSCRATCH [%llx]\n", get_paca()->tm_scratch);
6970 @@ -1345,10 +1345,10 @@ void show_stack(struct task_struct *tsk, unsigned long *stack)
6972 ip = stack[STACK_FRAME_LR_SAVE];
6973 if (!firstframe || ip != lr) {
6974 - printk("["REG"] ["REG"] %pS", sp, ip, (void *)ip);
6975 + printk("["REG"] ["REG"] %pA", sp, ip, (void *)ip);
6976 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
6977 if ((ip == rth || ip == mrth) && curr_frame >= 0) {
6980 (void *)current->ret_stack[curr_frame].ret);
6983 @@ -1368,7 +1368,7 @@ void show_stack(struct task_struct *tsk, unsigned long *stack)
6984 struct pt_regs *regs = (struct pt_regs *)
6985 (sp + STACK_FRAME_OVERHEAD);
6987 - printk("--- Exception: %lx at %pS\n LR = %pS\n",
6988 + printk("--- Exception: %lx at %pA\n LR = %pA\n",
6989 regs->trap, (void *)regs->nip, (void *)lr);
6992 @@ -1404,58 +1404,3 @@ void notrace __ppc64_runlatch_off(void)
6993 mtspr(SPRN_CTRLT, ctrl);
6995 #endif /* CONFIG_PPC64 */
6997 -unsigned long arch_align_stack(unsigned long sp)
6999 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
7000 - sp -= get_random_int() & ~PAGE_MASK;
7004 -static inline unsigned long brk_rnd(void)
7006 - unsigned long rnd = 0;
7008 - /* 8MB for 32bit, 1GB for 64bit */
7009 - if (is_32bit_task())
7010 - rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
7012 - rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
7014 - return rnd << PAGE_SHIFT;
7017 -unsigned long arch_randomize_brk(struct mm_struct *mm)
7019 - unsigned long base = mm->brk;
7020 - unsigned long ret;
7022 -#ifdef CONFIG_PPC_STD_MMU_64
7024 - * If we are using 1TB segments and we are allowed to randomise
7025 - * the heap, we can put it above 1TB so it is backed by a 1TB
7026 - * segment. Otherwise the heap will be in the bottom 1TB
7027 - * which always uses 256MB segments and this may result in a
7028 - * performance penalty.
7030 - if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T))
7031 - base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T);
7034 - ret = PAGE_ALIGN(base + brk_rnd());
7036 - if (ret < mm->brk)
7042 -unsigned long randomize_et_dyn(unsigned long base)
7044 - unsigned long ret = PAGE_ALIGN(base + brk_rnd());
7051 diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c
7052 index 64f7bd5..8dd550f 100644
7053 --- a/arch/powerpc/kernel/ptrace.c
7054 +++ b/arch/powerpc/kernel/ptrace.c
7055 @@ -1783,6 +1783,10 @@ long arch_ptrace(struct task_struct *child, long request,
7059 +#ifdef CONFIG_GRKERNSEC_SETXID
7060 +extern void gr_delayed_cred_worker(void);
7064 * We must return the syscall number to actually look up in the table.
7065 * This can be -1L to skip running any syscall at all.
7066 @@ -1795,6 +1799,11 @@ long do_syscall_trace_enter(struct pt_regs *regs)
7068 secure_computing_strict(regs->gpr[0]);
7070 +#ifdef CONFIG_GRKERNSEC_SETXID
7071 + if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
7072 + gr_delayed_cred_worker();
7075 if (test_thread_flag(TIF_SYSCALL_TRACE) &&
7076 tracehook_report_syscall_entry(regs))
7078 @@ -1829,6 +1838,11 @@ void do_syscall_trace_leave(struct pt_regs *regs)
7082 +#ifdef CONFIG_GRKERNSEC_SETXID
7083 + if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
7084 + gr_delayed_cred_worker();
7087 audit_syscall_exit(regs);
7089 if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
7090 diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
7091 index 0f83122..c0aca6a 100644
7092 --- a/arch/powerpc/kernel/signal_32.c
7093 +++ b/arch/powerpc/kernel/signal_32.c
7094 @@ -987,7 +987,7 @@ int handle_rt_signal32(unsigned long sig, struct k_sigaction *ka,
7095 /* Save user registers on the stack */
7096 frame = &rt_sf->uc.uc_mcontext;
7098 - if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
7099 + if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
7101 tramp = current->mm->context.vdso_base + vdso32_rt_sigtramp;
7103 diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
7104 index 887e99d..310bc11 100644
7105 --- a/arch/powerpc/kernel/signal_64.c
7106 +++ b/arch/powerpc/kernel/signal_64.c
7107 @@ -751,7 +751,7 @@ int handle_rt_signal64(int signr, struct k_sigaction *ka, siginfo_t *info,
7110 /* Set up to return from userspace. */
7111 - if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
7112 + if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
7113 regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
7115 err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
7116 diff --git a/arch/powerpc/kernel/sysfs.c b/arch/powerpc/kernel/sysfs.c
7117 index e68a845..8b140e6 100644
7118 --- a/arch/powerpc/kernel/sysfs.c
7119 +++ b/arch/powerpc/kernel/sysfs.c
7120 @@ -522,7 +522,7 @@ static int __cpuinit sysfs_cpu_notify(struct notifier_block *self,
7124 -static struct notifier_block __cpuinitdata sysfs_cpu_nb = {
7125 +static struct notifier_block sysfs_cpu_nb = {
7126 .notifier_call = sysfs_cpu_notify,
7129 diff --git a/arch/powerpc/kernel/traps.c b/arch/powerpc/kernel/traps.c
7130 index 88929b1..bece8f8 100644
7131 --- a/arch/powerpc/kernel/traps.c
7132 +++ b/arch/powerpc/kernel/traps.c
7133 @@ -141,6 +141,8 @@ static unsigned __kprobes long oops_begin(struct pt_regs *regs)
7137 +extern void gr_handle_kernel_exploit(void);
7139 static void __kprobes oops_end(unsigned long flags, struct pt_regs *regs,
7142 @@ -190,6 +192,9 @@ static void __kprobes oops_end(unsigned long flags, struct pt_regs *regs,
7143 panic("Fatal exception in interrupt");
7145 panic("Fatal exception");
7147 + gr_handle_kernel_exploit();
7152 diff --git a/arch/powerpc/kernel/vdso.c b/arch/powerpc/kernel/vdso.c
7153 index d4f463a..8fb7431 100644
7154 --- a/arch/powerpc/kernel/vdso.c
7155 +++ b/arch/powerpc/kernel/vdso.c
7157 #include <asm/firmware.h>
7158 #include <asm/vdso.h>
7159 #include <asm/vdso_datapage.h>
7160 +#include <asm/mman.h>
7164 @@ -222,7 +223,7 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
7165 vdso_base = VDSO32_MBASE;
7168 - current->mm->context.vdso_base = 0;
7169 + current->mm->context.vdso_base = ~0UL;
7171 /* vDSO has a problem and was disabled, just don't "enable" it for the
7173 @@ -242,7 +243,7 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
7174 vdso_base = get_unmapped_area(NULL, vdso_base,
7175 (vdso_pages << PAGE_SHIFT) +
7176 ((VDSO_ALIGNMENT - 1) & PAGE_MASK),
7178 + 0, MAP_PRIVATE | MAP_EXECUTABLE);
7179 if (IS_ERR_VALUE(vdso_base)) {
7182 diff --git a/arch/powerpc/lib/usercopy_64.c b/arch/powerpc/lib/usercopy_64.c
7183 index 5eea6f3..5d10396 100644
7184 --- a/arch/powerpc/lib/usercopy_64.c
7185 +++ b/arch/powerpc/lib/usercopy_64.c
7187 #include <linux/module.h>
7188 #include <asm/uaccess.h>
7190 -unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
7192 - if (likely(access_ok(VERIFY_READ, from, n)))
7193 - n = __copy_from_user(to, from, n);
7199 -unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
7201 - if (likely(access_ok(VERIFY_WRITE, to, n)))
7202 - n = __copy_to_user(to, from, n);
7206 unsigned long copy_in_user(void __user *to, const void __user *from,
7209 @@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user *to, const void __user *from,
7213 -EXPORT_SYMBOL(copy_from_user);
7214 -EXPORT_SYMBOL(copy_to_user);
7215 EXPORT_SYMBOL(copy_in_user);
7217 diff --git a/arch/powerpc/mm/fault.c b/arch/powerpc/mm/fault.c
7218 index 8726779..a33c512 100644
7219 --- a/arch/powerpc/mm/fault.c
7220 +++ b/arch/powerpc/mm/fault.c
7222 #include <linux/magic.h>
7223 #include <linux/ratelimit.h>
7224 #include <linux/context_tracking.h>
7225 +#include <linux/slab.h>
7226 +#include <linux/pagemap.h>
7227 +#include <linux/compiler.h>
7228 +#include <linux/unistd.h>
7230 #include <asm/firmware.h>
7231 #include <asm/page.h>
7232 @@ -69,6 +73,33 @@ static inline int notify_page_fault(struct pt_regs *regs)
7236 +#ifdef CONFIG_PAX_PAGEEXEC
7238 + * PaX: decide what to do with offenders (regs->nip = fault address)
7240 + * returns 1 when task should be killed
7242 +static int pax_handle_fetch_fault(struct pt_regs *regs)
7247 +void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
7251 + printk(KERN_ERR "PAX: bytes at PC: ");
7252 + for (i = 0; i < 5; i++) {
7254 + if (get_user(c, (unsigned int __user *)pc+i))
7255 + printk(KERN_CONT "???????? ");
7257 + printk(KERN_CONT "%08x ", c);
7264 * Check whether the instruction at regs->nip is a store using
7265 * an update addressing form which will update r1.
7266 @@ -216,7 +247,7 @@ int __kprobes do_page_fault(struct pt_regs *regs, unsigned long address,
7267 * indicate errors in DSISR but can validly be set in SRR1.
7270 - error_code &= 0x48200000;
7271 + error_code &= 0x58200000;
7273 is_write = error_code & DSISR_ISSTORE;
7275 @@ -371,7 +402,7 @@ good_area:
7276 * "undefined". Of those that can be set, this is the only
7277 * one which seems bad.
7279 - if (error_code & 0x10000000)
7280 + if (error_code & DSISR_GUARDED)
7281 /* Guarded storage error. */
7283 #endif /* CONFIG_8xx */
7284 @@ -386,7 +417,7 @@ good_area:
7285 * processors use the same I/D cache coherency mechanism
7288 - if (error_code & DSISR_PROTFAULT)
7289 + if (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))
7291 #endif /* CONFIG_PPC_STD_MMU */
7293 @@ -471,6 +502,23 @@ bad_area:
7294 bad_area_nosemaphore:
7295 /* User mode accesses cause a SIGSEGV */
7296 if (user_mode(regs)) {
7298 +#ifdef CONFIG_PAX_PAGEEXEC
7299 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
7300 +#ifdef CONFIG_PPC_STD_MMU
7301 + if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) {
7303 + if (is_exec && regs->nip == address) {
7305 + switch (pax_handle_fetch_fault(regs)) {
7308 + pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]);
7309 + do_group_exit(SIGKILL);
7314 _exception(SIGSEGV, regs, code, address);
7317 diff --git a/arch/powerpc/mm/mmap_64.c b/arch/powerpc/mm/mmap_64.c
7318 index 67a42ed..cd463e0 100644
7319 --- a/arch/powerpc/mm/mmap_64.c
7320 +++ b/arch/powerpc/mm/mmap_64.c
7321 @@ -57,6 +57,10 @@ static unsigned long mmap_rnd(void)
7323 unsigned long rnd = 0;
7325 +#ifdef CONFIG_PAX_RANDMMAP
7326 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
7329 if (current->flags & PF_RANDOMIZE) {
7330 /* 8MB for 32bit, 1GB for 64bit */
7331 if (is_32bit_task())
7332 @@ -91,10 +95,22 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
7334 if (mmap_is_legacy()) {
7335 mm->mmap_base = TASK_UNMAPPED_BASE;
7337 +#ifdef CONFIG_PAX_RANDMMAP
7338 + if (mm->pax_flags & MF_PAX_RANDMMAP)
7339 + mm->mmap_base += mm->delta_mmap;
7342 mm->get_unmapped_area = arch_get_unmapped_area;
7343 mm->unmap_area = arch_unmap_area;
7345 mm->mmap_base = mmap_base();
7347 +#ifdef CONFIG_PAX_RANDMMAP
7348 + if (mm->pax_flags & MF_PAX_RANDMMAP)
7349 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
7352 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
7353 mm->unmap_area = arch_unmap_area_topdown;
7355 diff --git a/arch/powerpc/mm/mmu_context_nohash.c b/arch/powerpc/mm/mmu_context_nohash.c
7356 index e779642..e5bb889 100644
7357 --- a/arch/powerpc/mm/mmu_context_nohash.c
7358 +++ b/arch/powerpc/mm/mmu_context_nohash.c
7359 @@ -363,7 +363,7 @@ static int __cpuinit mmu_context_cpu_notify(struct notifier_block *self,
7363 -static struct notifier_block __cpuinitdata mmu_context_cpu_nb = {
7364 +static struct notifier_block mmu_context_cpu_nb = {
7365 .notifier_call = mmu_context_cpu_notify,
7368 diff --git a/arch/powerpc/mm/numa.c b/arch/powerpc/mm/numa.c
7369 index cafad40..9cbc0fc 100644
7370 --- a/arch/powerpc/mm/numa.c
7371 +++ b/arch/powerpc/mm/numa.c
7372 @@ -920,7 +920,7 @@ static void __init *careful_zallocation(int nid, unsigned long size,
7376 -static struct notifier_block __cpuinitdata ppc64_numa_nb = {
7377 +static struct notifier_block ppc64_numa_nb = {
7378 .notifier_call = cpu_numa_callback,
7379 .priority = 1 /* Must run before sched domains notifier. */
7381 diff --git a/arch/powerpc/mm/slice.c b/arch/powerpc/mm/slice.c
7382 index 3e99c14..f00953c 100644
7383 --- a/arch/powerpc/mm/slice.c
7384 +++ b/arch/powerpc/mm/slice.c
7385 @@ -103,7 +103,7 @@ static int slice_area_is_free(struct mm_struct *mm, unsigned long addr,
7386 if ((mm->task_size - len) < addr)
7388 vma = find_vma(mm, addr);
7389 - return (!vma || (addr + len) <= vma->vm_start);
7390 + return check_heap_stack_gap(vma, addr, len, 0);
7393 static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
7394 @@ -277,6 +277,12 @@ static unsigned long slice_find_area_bottomup(struct mm_struct *mm,
7395 info.align_offset = 0;
7397 addr = TASK_UNMAPPED_BASE;
7399 +#ifdef CONFIG_PAX_RANDMMAP
7400 + if (mm->pax_flags & MF_PAX_RANDMMAP)
7401 + addr += mm->delta_mmap;
7404 while (addr < TASK_SIZE) {
7405 info.low_limit = addr;
7406 if (!slice_scan_available(addr, available, 1, &addr))
7407 @@ -410,6 +416,11 @@ unsigned long slice_get_unmapped_area(unsigned long addr, unsigned long len,
7408 if (fixed && addr > (mm->task_size - len))
7411 +#ifdef CONFIG_PAX_RANDMMAP
7412 + if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP))
7416 /* If hint, make sure it matches our alignment restrictions */
7417 if (!fixed && addr) {
7418 addr = _ALIGN_UP(addr, 1ul << pshift);
7419 diff --git a/arch/powerpc/platforms/cell/spufs/file.c b/arch/powerpc/platforms/cell/spufs/file.c
7420 index 9098692..3d54cd1 100644
7421 --- a/arch/powerpc/platforms/cell/spufs/file.c
7422 +++ b/arch/powerpc/platforms/cell/spufs/file.c
7423 @@ -280,9 +280,9 @@ spufs_mem_mmap_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
7424 return VM_FAULT_NOPAGE;
7427 -static int spufs_mem_mmap_access(struct vm_area_struct *vma,
7428 +static ssize_t spufs_mem_mmap_access(struct vm_area_struct *vma,
7429 unsigned long address,
7430 - void *buf, int len, int write)
7431 + void *buf, size_t len, int write)
7433 struct spu_context *ctx = vma->vm_file->private_data;
7434 unsigned long offset = address - vma->vm_start;
7435 diff --git a/arch/powerpc/platforms/powermac/smp.c b/arch/powerpc/platforms/powermac/smp.c
7436 index bdb738a..49c9f95 100644
7437 --- a/arch/powerpc/platforms/powermac/smp.c
7438 +++ b/arch/powerpc/platforms/powermac/smp.c
7439 @@ -885,7 +885,7 @@ static int smp_core99_cpu_notify(struct notifier_block *self,
7443 -static struct notifier_block __cpuinitdata smp_core99_cpu_nb = {
7444 +static struct notifier_block smp_core99_cpu_nb = {
7445 .notifier_call = smp_core99_cpu_notify,
7447 #endif /* CONFIG_HOTPLUG_CPU */
7448 diff --git a/arch/s390/include/asm/atomic.h b/arch/s390/include/asm/atomic.h
7449 index c797832..ce575c8 100644
7450 --- a/arch/s390/include/asm/atomic.h
7451 +++ b/arch/s390/include/asm/atomic.h
7452 @@ -326,6 +326,16 @@ static inline long long atomic64_dec_if_positive(atomic64_t *v)
7453 #define atomic64_dec_and_test(_v) (atomic64_sub_return(1, _v) == 0)
7454 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
7456 +#define atomic64_read_unchecked(v) atomic64_read(v)
7457 +#define atomic64_set_unchecked(v, i) atomic64_set((v), (i))
7458 +#define atomic64_add_unchecked(a, v) atomic64_add((a), (v))
7459 +#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v))
7460 +#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v))
7461 +#define atomic64_inc_unchecked(v) atomic64_inc(v)
7462 +#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v)
7463 +#define atomic64_dec_unchecked(v) atomic64_dec(v)
7464 +#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n))
7466 #define smp_mb__before_atomic_dec() smp_mb()
7467 #define smp_mb__after_atomic_dec() smp_mb()
7468 #define smp_mb__before_atomic_inc() smp_mb()
7469 diff --git a/arch/s390/include/asm/cache.h b/arch/s390/include/asm/cache.h
7470 index 4d7ccac..d03d0ad 100644
7471 --- a/arch/s390/include/asm/cache.h
7472 +++ b/arch/s390/include/asm/cache.h
7474 #ifndef __ARCH_S390_CACHE_H
7475 #define __ARCH_S390_CACHE_H
7477 -#define L1_CACHE_BYTES 256
7478 +#include <linux/const.h>
7480 #define L1_CACHE_SHIFT 8
7481 +#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
7482 #define NET_SKB_PAD 32
7484 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
7485 diff --git a/arch/s390/include/asm/elf.h b/arch/s390/include/asm/elf.h
7486 index 78f4f87..598ce39 100644
7487 --- a/arch/s390/include/asm/elf.h
7488 +++ b/arch/s390/include/asm/elf.h
7489 @@ -162,8 +162,14 @@ extern unsigned int vdso_enabled;
7490 the loader. We need to make sure that it is out of the way of the program
7491 that it will "exec", and that there is sufficient room for the brk. */
7493 -extern unsigned long randomize_et_dyn(unsigned long base);
7494 -#define ELF_ET_DYN_BASE (randomize_et_dyn(STACK_TOP / 3 * 2))
7495 +#define ELF_ET_DYN_BASE (STACK_TOP / 3 * 2)
7497 +#ifdef CONFIG_PAX_ASLR
7498 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL)
7500 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26)
7501 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26)
7504 /* This yields a mask that user programs can use to figure out what
7505 instruction set this CPU supports. */
7506 @@ -222,9 +228,6 @@ struct linux_binprm;
7507 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
7508 int arch_setup_additional_pages(struct linux_binprm *, int);
7510 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
7511 -#define arch_randomize_brk arch_randomize_brk
7513 void *fill_cpu_elf_notes(void *ptr, struct save_area *sa);
7516 diff --git a/arch/s390/include/asm/exec.h b/arch/s390/include/asm/exec.h
7517 index c4a93d6..4d2a9b4 100644
7518 --- a/arch/s390/include/asm/exec.h
7519 +++ b/arch/s390/include/asm/exec.h
7521 #ifndef __ASM_EXEC_H
7522 #define __ASM_EXEC_H
7524 -extern unsigned long arch_align_stack(unsigned long sp);
7525 +#define arch_align_stack(x) ((x) & ~0xfUL)
7527 #endif /* __ASM_EXEC_H */
7528 diff --git a/arch/s390/include/asm/uaccess.h b/arch/s390/include/asm/uaccess.h
7529 index 9c33ed4..e40cbef 100644
7530 --- a/arch/s390/include/asm/uaccess.h
7531 +++ b/arch/s390/include/asm/uaccess.h
7532 @@ -252,6 +252,10 @@ static inline unsigned long __must_check
7533 copy_to_user(void __user *to, const void *from, unsigned long n)
7540 return __copy_to_user(to, from, n);
7543 @@ -275,6 +279,9 @@ copy_to_user(void __user *to, const void *from, unsigned long n)
7544 static inline unsigned long __must_check
7545 __copy_from_user(void *to, const void __user *from, unsigned long n)
7550 if (__builtin_constant_p(n) && (n <= 256))
7551 return uaccess.copy_from_user_small(n, from, to);
7553 @@ -306,10 +313,14 @@ __compiletime_warning("copy_from_user() buffer size is not provably correct")
7554 static inline unsigned long __must_check
7555 copy_from_user(void *to, const void __user *from, unsigned long n)
7557 - unsigned int sz = __compiletime_object_size(to);
7558 + size_t sz = __compiletime_object_size(to);
7561 - if (unlikely(sz != -1 && sz < n)) {
7566 + if (unlikely(sz != (size_t)-1 && sz < n)) {
7567 copy_from_user_overflow();
7570 diff --git a/arch/s390/kernel/module.c b/arch/s390/kernel/module.c
7571 index 7845e15..59c4353 100644
7572 --- a/arch/s390/kernel/module.c
7573 +++ b/arch/s390/kernel/module.c
7574 @@ -169,11 +169,11 @@ int module_frob_arch_sections(Elf_Ehdr *hdr, Elf_Shdr *sechdrs,
7576 /* Increase core size by size of got & plt and set start
7577 offsets for got and plt. */
7578 - me->core_size = ALIGN(me->core_size, 4);
7579 - me->arch.got_offset = me->core_size;
7580 - me->core_size += me->arch.got_size;
7581 - me->arch.plt_offset = me->core_size;
7582 - me->core_size += me->arch.plt_size;
7583 + me->core_size_rw = ALIGN(me->core_size_rw, 4);
7584 + me->arch.got_offset = me->core_size_rw;
7585 + me->core_size_rw += me->arch.got_size;
7586 + me->arch.plt_offset = me->core_size_rx;
7587 + me->core_size_rx += me->arch.plt_size;
7591 @@ -289,7 +289,7 @@ static int apply_rela(Elf_Rela *rela, Elf_Addr base, Elf_Sym *symtab,
7592 if (info->got_initialized == 0) {
7595 - gotent = me->module_core + me->arch.got_offset +
7596 + gotent = me->module_core_rw + me->arch.got_offset +
7599 info->got_initialized = 1;
7600 @@ -312,7 +312,7 @@ static int apply_rela(Elf_Rela *rela, Elf_Addr base, Elf_Sym *symtab,
7601 rc = apply_rela_bits(loc, val, 0, 64, 0);
7602 else if (r_type == R_390_GOTENT ||
7603 r_type == R_390_GOTPLTENT) {
7604 - val += (Elf_Addr) me->module_core - loc;
7605 + val += (Elf_Addr) me->module_core_rw - loc;
7606 rc = apply_rela_bits(loc, val, 1, 32, 1);
7609 @@ -325,7 +325,7 @@ static int apply_rela(Elf_Rela *rela, Elf_Addr base, Elf_Sym *symtab,
7610 case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
7611 if (info->plt_initialized == 0) {
7613 - ip = me->module_core + me->arch.plt_offset +
7614 + ip = me->module_core_rx + me->arch.plt_offset +
7616 #ifndef CONFIG_64BIT
7617 ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
7618 @@ -350,7 +350,7 @@ static int apply_rela(Elf_Rela *rela, Elf_Addr base, Elf_Sym *symtab,
7619 val - loc + 0xffffUL < 0x1ffffeUL) ||
7620 (r_type == R_390_PLT32DBL &&
7621 val - loc + 0xffffffffULL < 0x1fffffffeULL)))
7622 - val = (Elf_Addr) me->module_core +
7623 + val = (Elf_Addr) me->module_core_rx +
7624 me->arch.plt_offset +
7626 val += rela->r_addend - loc;
7627 @@ -372,7 +372,7 @@ static int apply_rela(Elf_Rela *rela, Elf_Addr base, Elf_Sym *symtab,
7628 case R_390_GOTOFF32: /* 32 bit offset to GOT. */
7629 case R_390_GOTOFF64: /* 64 bit offset to GOT. */
7630 val = val + rela->r_addend -
7631 - ((Elf_Addr) me->module_core + me->arch.got_offset);
7632 + ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
7633 if (r_type == R_390_GOTOFF16)
7634 rc = apply_rela_bits(loc, val, 0, 16, 0);
7635 else if (r_type == R_390_GOTOFF32)
7636 @@ -382,7 +382,7 @@ static int apply_rela(Elf_Rela *rela, Elf_Addr base, Elf_Sym *symtab,
7638 case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
7639 case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
7640 - val = (Elf_Addr) me->module_core + me->arch.got_offset +
7641 + val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
7642 rela->r_addend - loc;
7643 if (r_type == R_390_GOTPC)
7644 rc = apply_rela_bits(loc, val, 1, 32, 0);
7645 diff --git a/arch/s390/kernel/process.c b/arch/s390/kernel/process.c
7646 index 2bc3edd..ab9d598 100644
7647 --- a/arch/s390/kernel/process.c
7648 +++ b/arch/s390/kernel/process.c
7649 @@ -236,39 +236,3 @@ unsigned long get_wchan(struct task_struct *p)
7654 -unsigned long arch_align_stack(unsigned long sp)
7656 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
7657 - sp -= get_random_int() & ~PAGE_MASK;
7661 -static inline unsigned long brk_rnd(void)
7663 - /* 8MB for 32bit, 1GB for 64bit */
7664 - if (is_32bit_task())
7665 - return (get_random_int() & 0x7ffUL) << PAGE_SHIFT;
7667 - return (get_random_int() & 0x3ffffUL) << PAGE_SHIFT;
7670 -unsigned long arch_randomize_brk(struct mm_struct *mm)
7672 - unsigned long ret = PAGE_ALIGN(mm->brk + brk_rnd());
7674 - if (ret < mm->brk)
7679 -unsigned long randomize_et_dyn(unsigned long base)
7681 - unsigned long ret = PAGE_ALIGN(base + brk_rnd());
7683 - if (!(current->flags & PF_RANDOMIZE))
7689 diff --git a/arch/s390/mm/mmap.c b/arch/s390/mm/mmap.c
7690 index 06bafec..2bca531 100644
7691 --- a/arch/s390/mm/mmap.c
7692 +++ b/arch/s390/mm/mmap.c
7693 @@ -90,10 +90,22 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
7695 if (mmap_is_legacy()) {
7696 mm->mmap_base = TASK_UNMAPPED_BASE;
7698 +#ifdef CONFIG_PAX_RANDMMAP
7699 + if (mm->pax_flags & MF_PAX_RANDMMAP)
7700 + mm->mmap_base += mm->delta_mmap;
7703 mm->get_unmapped_area = arch_get_unmapped_area;
7704 mm->unmap_area = arch_unmap_area;
7706 mm->mmap_base = mmap_base();
7708 +#ifdef CONFIG_PAX_RANDMMAP
7709 + if (mm->pax_flags & MF_PAX_RANDMMAP)
7710 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
7713 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
7714 mm->unmap_area = arch_unmap_area_topdown;
7716 @@ -175,10 +187,22 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
7718 if (mmap_is_legacy()) {
7719 mm->mmap_base = TASK_UNMAPPED_BASE;
7721 +#ifdef CONFIG_PAX_RANDMMAP
7722 + if (mm->pax_flags & MF_PAX_RANDMMAP)
7723 + mm->mmap_base += mm->delta_mmap;
7726 mm->get_unmapped_area = s390_get_unmapped_area;
7727 mm->unmap_area = arch_unmap_area;
7729 mm->mmap_base = mmap_base();
7731 +#ifdef CONFIG_PAX_RANDMMAP
7732 + if (mm->pax_flags & MF_PAX_RANDMMAP)
7733 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
7736 mm->get_unmapped_area = s390_get_unmapped_area_topdown;
7737 mm->unmap_area = arch_unmap_area_topdown;
7739 diff --git a/arch/score/include/asm/cache.h b/arch/score/include/asm/cache.h
7740 index ae3d59f..f65f075 100644
7741 --- a/arch/score/include/asm/cache.h
7742 +++ b/arch/score/include/asm/cache.h
7744 #ifndef _ASM_SCORE_CACHE_H
7745 #define _ASM_SCORE_CACHE_H
7747 +#include <linux/const.h>
7749 #define L1_CACHE_SHIFT 4
7750 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
7751 +#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
7753 #endif /* _ASM_SCORE_CACHE_H */
7754 diff --git a/arch/score/include/asm/exec.h b/arch/score/include/asm/exec.h
7755 index f9f3cd5..58ff438 100644
7756 --- a/arch/score/include/asm/exec.h
7757 +++ b/arch/score/include/asm/exec.h
7759 #ifndef _ASM_SCORE_EXEC_H
7760 #define _ASM_SCORE_EXEC_H
7762 -extern unsigned long arch_align_stack(unsigned long sp);
7763 +#define arch_align_stack(x) (x)
7765 #endif /* _ASM_SCORE_EXEC_H */
7766 diff --git a/arch/score/kernel/process.c b/arch/score/kernel/process.c
7767 index f4c6d02..e9355c3 100644
7768 --- a/arch/score/kernel/process.c
7769 +++ b/arch/score/kernel/process.c
7770 @@ -116,8 +116,3 @@ unsigned long get_wchan(struct task_struct *task)
7772 return task_pt_regs(task)->cp0_epc;
7775 -unsigned long arch_align_stack(unsigned long sp)
7779 diff --git a/arch/sh/include/asm/cache.h b/arch/sh/include/asm/cache.h
7780 index ef9e555..331bd29 100644
7781 --- a/arch/sh/include/asm/cache.h
7782 +++ b/arch/sh/include/asm/cache.h
7784 #define __ASM_SH_CACHE_H
7787 +#include <linux/const.h>
7788 #include <linux/init.h>
7789 #include <cpu/cache.h>
7791 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
7792 +#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
7794 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
7796 diff --git a/arch/sh/kernel/cpu/sh4a/smp-shx3.c b/arch/sh/kernel/cpu/sh4a/smp-shx3.c
7797 index 03f2b55..b0270327 100644
7798 --- a/arch/sh/kernel/cpu/sh4a/smp-shx3.c
7799 +++ b/arch/sh/kernel/cpu/sh4a/smp-shx3.c
7800 @@ -143,7 +143,7 @@ shx3_cpu_callback(struct notifier_block *nfb, unsigned long action, void *hcpu)
7804 -static struct notifier_block __cpuinitdata shx3_cpu_notifier = {
7805 +static struct notifier_block shx3_cpu_notifier = {
7806 .notifier_call = shx3_cpu_callback,
7809 diff --git a/arch/sh/mm/mmap.c b/arch/sh/mm/mmap.c
7810 index 6777177..cb5e44f 100644
7811 --- a/arch/sh/mm/mmap.c
7812 +++ b/arch/sh/mm/mmap.c
7813 @@ -36,6 +36,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
7814 struct mm_struct *mm = current->mm;
7815 struct vm_area_struct *vma;
7816 int do_colour_align;
7817 + unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
7818 struct vm_unmapped_area_info info;
7820 if (flags & MAP_FIXED) {
7821 @@ -55,6 +56,10 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
7822 if (filp || (flags & MAP_SHARED))
7823 do_colour_align = 1;
7825 +#ifdef CONFIG_PAX_RANDMMAP
7826 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
7830 if (do_colour_align)
7831 addr = COLOUR_ALIGN(addr, pgoff);
7832 @@ -62,14 +67,13 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
7833 addr = PAGE_ALIGN(addr);
7835 vma = find_vma(mm, addr);
7836 - if (TASK_SIZE - len >= addr &&
7837 - (!vma || addr + len <= vma->vm_start))
7838 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
7844 - info.low_limit = TASK_UNMAPPED_BASE;
7845 + info.low_limit = mm->mmap_base;
7846 info.high_limit = TASK_SIZE;
7847 info.align_mask = do_colour_align ? (PAGE_MASK & shm_align_mask) : 0;
7848 info.align_offset = pgoff << PAGE_SHIFT;
7849 @@ -85,6 +89,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
7850 struct mm_struct *mm = current->mm;
7851 unsigned long addr = addr0;
7852 int do_colour_align;
7853 + unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
7854 struct vm_unmapped_area_info info;
7856 if (flags & MAP_FIXED) {
7857 @@ -104,6 +109,10 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
7858 if (filp || (flags & MAP_SHARED))
7859 do_colour_align = 1;
7861 +#ifdef CONFIG_PAX_RANDMMAP
7862 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
7865 /* requesting a specific address */
7867 if (do_colour_align)
7868 @@ -112,8 +121,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
7869 addr = PAGE_ALIGN(addr);
7871 vma = find_vma(mm, addr);
7872 - if (TASK_SIZE - len >= addr &&
7873 - (!vma || addr + len <= vma->vm_start))
7874 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
7878 @@ -135,6 +143,12 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
7879 VM_BUG_ON(addr != -ENOMEM);
7881 info.low_limit = TASK_UNMAPPED_BASE;
7883 +#ifdef CONFIG_PAX_RANDMMAP
7884 + if (mm->pax_flags & MF_PAX_RANDMMAP)
7885 + info.low_limit += mm->delta_mmap;
7888 info.high_limit = TASK_SIZE;
7889 addr = vm_unmapped_area(&info);
7891 diff --git a/arch/sparc/include/asm/atomic_64.h b/arch/sparc/include/asm/atomic_64.h
7892 index be56a24..443328f 100644
7893 --- a/arch/sparc/include/asm/atomic_64.h
7894 +++ b/arch/sparc/include/asm/atomic_64.h
7896 #define ATOMIC64_INIT(i) { (i) }
7898 #define atomic_read(v) (*(volatile int *)&(v)->counter)
7899 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
7901 + return v->counter;
7903 #define atomic64_read(v) (*(volatile long *)&(v)->counter)
7904 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
7906 + return v->counter;
7909 #define atomic_set(v, i) (((v)->counter) = i)
7910 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
7914 #define atomic64_set(v, i) (((v)->counter) = i)
7915 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
7920 extern void atomic_add(int, atomic_t *);
7921 +extern void atomic_add_unchecked(int, atomic_unchecked_t *);
7922 extern void atomic64_add(long, atomic64_t *);
7923 +extern void atomic64_add_unchecked(long, atomic64_unchecked_t *);
7924 extern void atomic_sub(int, atomic_t *);
7925 +extern void atomic_sub_unchecked(int, atomic_unchecked_t *);
7926 extern void atomic64_sub(long, atomic64_t *);
7927 +extern void atomic64_sub_unchecked(long, atomic64_unchecked_t *);
7929 extern int atomic_add_ret(int, atomic_t *);
7930 +extern int atomic_add_ret_unchecked(int, atomic_unchecked_t *);
7931 extern long atomic64_add_ret(long, atomic64_t *);
7932 +extern long atomic64_add_ret_unchecked(long, atomic64_unchecked_t *);
7933 extern int atomic_sub_ret(int, atomic_t *);
7934 extern long atomic64_sub_ret(long, atomic64_t *);
7936 @@ -33,13 +55,29 @@ extern long atomic64_sub_ret(long, atomic64_t *);
7937 #define atomic64_dec_return(v) atomic64_sub_ret(1, v)
7939 #define atomic_inc_return(v) atomic_add_ret(1, v)
7940 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
7942 + return atomic_add_ret_unchecked(1, v);
7944 #define atomic64_inc_return(v) atomic64_add_ret(1, v)
7945 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
7947 + return atomic64_add_ret_unchecked(1, v);
7950 #define atomic_sub_return(i, v) atomic_sub_ret(i, v)
7951 #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v)
7953 #define atomic_add_return(i, v) atomic_add_ret(i, v)
7954 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
7956 + return atomic_add_ret_unchecked(i, v);
7958 #define atomic64_add_return(i, v) atomic64_add_ret(i, v)
7959 +static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
7961 + return atomic64_add_ret_unchecked(i, v);
7965 * atomic_inc_and_test - increment and test
7966 @@ -50,6 +88,10 @@ extern long atomic64_sub_ret(long, atomic64_t *);
7969 #define atomic_inc_and_test(v) (atomic_inc_return(v) == 0)
7970 +static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
7972 + return atomic_inc_return_unchecked(v) == 0;
7974 #define atomic64_inc_and_test(v) (atomic64_inc_return(v) == 0)
7976 #define atomic_sub_and_test(i, v) (atomic_sub_ret(i, v) == 0)
7977 @@ -59,25 +101,60 @@ extern long atomic64_sub_ret(long, atomic64_t *);
7978 #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0)
7980 #define atomic_inc(v) atomic_add(1, v)
7981 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
7983 + atomic_add_unchecked(1, v);
7985 #define atomic64_inc(v) atomic64_add(1, v)
7986 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
7988 + atomic64_add_unchecked(1, v);
7991 #define atomic_dec(v) atomic_sub(1, v)
7992 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
7994 + atomic_sub_unchecked(1, v);
7996 #define atomic64_dec(v) atomic64_sub(1, v)
7997 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
7999 + atomic64_sub_unchecked(1, v);
8002 #define atomic_add_negative(i, v) (atomic_add_ret(i, v) < 0)
8003 #define atomic64_add_negative(i, v) (atomic64_add_ret(i, v) < 0)
8005 #define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
8006 +static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
8008 + return cmpxchg(&v->counter, old, new);
8010 #define atomic_xchg(v, new) (xchg(&((v)->counter), new))
8011 +static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
8013 + return xchg(&v->counter, new);
8016 static inline int __atomic_add_unless(atomic_t *v, int a, int u)
8022 - if (unlikely(c == (u)))
8023 + if (unlikely(c == u))
8025 - old = atomic_cmpxchg((v), c, c + (a));
8027 + asm volatile("addcc %2, %0, %0\n"
8029 +#ifdef CONFIG_PAX_REFCOUNT
8034 + : "0" (c), "ir" (a)
8037 + old = atomic_cmpxchg(v, c, new);
8038 if (likely(old == c))
8041 @@ -88,20 +165,35 @@ static inline int __atomic_add_unless(atomic_t *v, int a, int u)
8042 #define atomic64_cmpxchg(v, o, n) \
8043 ((__typeof__((v)->counter))cmpxchg(&((v)->counter), (o), (n)))
8044 #define atomic64_xchg(v, new) (xchg(&((v)->counter), new))
8045 +static inline long atomic64_xchg_unchecked(atomic64_unchecked_t *v, long new)
8047 + return xchg(&v->counter, new);
8050 static inline long atomic64_add_unless(atomic64_t *v, long a, long u)
8054 c = atomic64_read(v);
8056 - if (unlikely(c == (u)))
8057 + if (unlikely(c == u))
8059 - old = atomic64_cmpxchg((v), c, c + (a));
8061 + asm volatile("addcc %2, %0, %0\n"
8063 +#ifdef CONFIG_PAX_REFCOUNT
8068 + : "0" (c), "ir" (a)
8071 + old = atomic64_cmpxchg(v, c, new);
8072 if (likely(old == c))
8080 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
8081 diff --git a/arch/sparc/include/asm/cache.h b/arch/sparc/include/asm/cache.h
8082 index 5bb6991..5c2132e 100644
8083 --- a/arch/sparc/include/asm/cache.h
8084 +++ b/arch/sparc/include/asm/cache.h
8086 #ifndef _SPARC_CACHE_H
8087 #define _SPARC_CACHE_H
8089 +#include <linux/const.h>
8091 #define ARCH_SLAB_MINALIGN __alignof__(unsigned long long)
8093 #define L1_CACHE_SHIFT 5
8094 -#define L1_CACHE_BYTES 32
8095 +#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
8097 #ifdef CONFIG_SPARC32
8098 #define SMP_CACHE_BYTES_SHIFT 5
8099 diff --git a/arch/sparc/include/asm/elf_32.h b/arch/sparc/include/asm/elf_32.h
8100 index a24e41f..47677ff 100644
8101 --- a/arch/sparc/include/asm/elf_32.h
8102 +++ b/arch/sparc/include/asm/elf_32.h
8103 @@ -114,6 +114,13 @@ typedef struct {
8105 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
8107 +#ifdef CONFIG_PAX_ASLR
8108 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
8110 +#define PAX_DELTA_MMAP_LEN 16
8111 +#define PAX_DELTA_STACK_LEN 16
8114 /* This yields a mask that user programs can use to figure out what
8115 instruction set this cpu supports. This can NOT be done in userspace
8117 diff --git a/arch/sparc/include/asm/elf_64.h b/arch/sparc/include/asm/elf_64.h
8118 index 370ca1e..d4f4a98 100644
8119 --- a/arch/sparc/include/asm/elf_64.h
8120 +++ b/arch/sparc/include/asm/elf_64.h
8121 @@ -189,6 +189,13 @@ typedef struct {
8122 #define ELF_ET_DYN_BASE 0x0000010000000000UL
8123 #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL
8125 +#ifdef CONFIG_PAX_ASLR
8126 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
8128 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28)
8129 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29)
8132 extern unsigned long sparc64_elf_hwcap;
8133 #define ELF_HWCAP sparc64_elf_hwcap
8135 diff --git a/arch/sparc/include/asm/pgalloc_32.h b/arch/sparc/include/asm/pgalloc_32.h
8136 index 9b1c36d..209298b 100644
8137 --- a/arch/sparc/include/asm/pgalloc_32.h
8138 +++ b/arch/sparc/include/asm/pgalloc_32.h
8139 @@ -33,6 +33,7 @@ static inline void pgd_set(pgd_t * pgdp, pmd_t * pmdp)
8142 #define pgd_populate(MM, PGD, PMD) pgd_set(PGD, PMD)
8143 +#define pgd_populate_kernel(MM, PGD, PMD) pgd_populate((MM), (PGD), (PMD))
8145 static inline pmd_t *pmd_alloc_one(struct mm_struct *mm,
8146 unsigned long address)
8147 diff --git a/arch/sparc/include/asm/pgalloc_64.h b/arch/sparc/include/asm/pgalloc_64.h
8148 index bcfe063..b333142 100644
8149 --- a/arch/sparc/include/asm/pgalloc_64.h
8150 +++ b/arch/sparc/include/asm/pgalloc_64.h
8151 @@ -26,6 +26,7 @@ static inline void pgd_free(struct mm_struct *mm, pgd_t *pgd)
8154 #define pud_populate(MM, PUD, PMD) pud_set(PUD, PMD)
8155 +#define pud_populate_kernel(MM, PUD, PMD) pud_populate((MM), (PUD), (PMD))
8157 static inline pmd_t *pmd_alloc_one(struct mm_struct *mm, unsigned long addr)
8159 diff --git a/arch/sparc/include/asm/pgtable_32.h b/arch/sparc/include/asm/pgtable_32.h
8160 index 6fc1348..390c50a 100644
8161 --- a/arch/sparc/include/asm/pgtable_32.h
8162 +++ b/arch/sparc/include/asm/pgtable_32.h
8163 @@ -50,6 +50,9 @@ extern unsigned long calc_highpages(void);
8164 #define PAGE_SHARED SRMMU_PAGE_SHARED
8165 #define PAGE_COPY SRMMU_PAGE_COPY
8166 #define PAGE_READONLY SRMMU_PAGE_RDONLY
8167 +#define PAGE_SHARED_NOEXEC SRMMU_PAGE_SHARED_NOEXEC
8168 +#define PAGE_COPY_NOEXEC SRMMU_PAGE_COPY_NOEXEC
8169 +#define PAGE_READONLY_NOEXEC SRMMU_PAGE_RDONLY_NOEXEC
8170 #define PAGE_KERNEL SRMMU_PAGE_KERNEL
8172 /* Top-level page directory - dummy used by init-mm.
8173 @@ -62,18 +65,18 @@ extern unsigned long ptr_in_current_pgd;
8176 #define __P000 PAGE_NONE
8177 -#define __P001 PAGE_READONLY
8178 -#define __P010 PAGE_COPY
8179 -#define __P011 PAGE_COPY
8180 +#define __P001 PAGE_READONLY_NOEXEC
8181 +#define __P010 PAGE_COPY_NOEXEC
8182 +#define __P011 PAGE_COPY_NOEXEC
8183 #define __P100 PAGE_READONLY
8184 #define __P101 PAGE_READONLY
8185 #define __P110 PAGE_COPY
8186 #define __P111 PAGE_COPY
8188 #define __S000 PAGE_NONE
8189 -#define __S001 PAGE_READONLY
8190 -#define __S010 PAGE_SHARED
8191 -#define __S011 PAGE_SHARED
8192 +#define __S001 PAGE_READONLY_NOEXEC
8193 +#define __S010 PAGE_SHARED_NOEXEC
8194 +#define __S011 PAGE_SHARED_NOEXEC
8195 #define __S100 PAGE_READONLY
8196 #define __S101 PAGE_READONLY
8197 #define __S110 PAGE_SHARED
8198 diff --git a/arch/sparc/include/asm/pgtsrmmu.h b/arch/sparc/include/asm/pgtsrmmu.h
8199 index 79da178..c2eede8 100644
8200 --- a/arch/sparc/include/asm/pgtsrmmu.h
8201 +++ b/arch/sparc/include/asm/pgtsrmmu.h
8202 @@ -115,6 +115,11 @@
8203 SRMMU_EXEC | SRMMU_REF)
8204 #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
8205 SRMMU_EXEC | SRMMU_REF)
8207 +#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF)
8208 +#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
8209 +#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
8211 #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
8212 SRMMU_DIRTY | SRMMU_REF)
8214 diff --git a/arch/sparc/include/asm/spinlock_64.h b/arch/sparc/include/asm/spinlock_64.h
8215 index 9689176..63c18ea 100644
8216 --- a/arch/sparc/include/asm/spinlock_64.h
8217 +++ b/arch/sparc/include/asm/spinlock_64.h
8218 @@ -92,14 +92,19 @@ static inline void arch_spin_lock_flags(arch_spinlock_t *lock, unsigned long fla
8220 /* Multi-reader locks, these are much saner than the 32-bit Sparc ones... */
8222 -static void inline arch_read_lock(arch_rwlock_t *lock)
8223 +static inline void arch_read_lock(arch_rwlock_t *lock)
8225 unsigned long tmp1, tmp2;
8227 __asm__ __volatile__ (
8228 "1: ldsw [%2], %0\n"
8230 -"4: add %0, 1, %1\n"
8231 +"4: addcc %0, 1, %1\n"
8233 +#ifdef CONFIG_PAX_REFCOUNT
8237 " cas [%2], %0, %1\n"
8239 " bne,pn %%icc, 1b\n"
8240 @@ -112,10 +117,10 @@ static void inline arch_read_lock(arch_rwlock_t *lock)
8242 : "=&r" (tmp1), "=&r" (tmp2)
8245 + : "memory", "cc");
8248 -static int inline arch_read_trylock(arch_rwlock_t *lock)
8249 +static inline int arch_read_trylock(arch_rwlock_t *lock)
8253 @@ -123,7 +128,12 @@ static int inline arch_read_trylock(arch_rwlock_t *lock)
8254 "1: ldsw [%2], %0\n"
8255 " brlz,a,pn %0, 2f\n"
8258 +" addcc %0, 1, %1\n"
8260 +#ifdef CONFIG_PAX_REFCOUNT
8264 " cas [%2], %0, %1\n"
8266 " bne,pn %%icc, 1b\n"
8267 @@ -136,13 +146,18 @@ static int inline arch_read_trylock(arch_rwlock_t *lock)
8271 -static void inline arch_read_unlock(arch_rwlock_t *lock)
8272 +static inline void arch_read_unlock(arch_rwlock_t *lock)
8274 unsigned long tmp1, tmp2;
8276 __asm__ __volatile__(
8277 "1: lduw [%2], %0\n"
8279 +" subcc %0, 1, %1\n"
8281 +#ifdef CONFIG_PAX_REFCOUNT
8285 " cas [%2], %0, %1\n"
8287 " bne,pn %%xcc, 1b\n"
8288 @@ -152,7 +167,7 @@ static void inline arch_read_unlock(arch_rwlock_t *lock)
8292 -static void inline arch_write_lock(arch_rwlock_t *lock)
8293 +static inline void arch_write_lock(arch_rwlock_t *lock)
8295 unsigned long mask, tmp1, tmp2;
8297 @@ -177,7 +192,7 @@ static void inline arch_write_lock(arch_rwlock_t *lock)
8301 -static void inline arch_write_unlock(arch_rwlock_t *lock)
8302 +static inline void arch_write_unlock(arch_rwlock_t *lock)
8304 __asm__ __volatile__(
8306 @@ -186,7 +201,7 @@ static void inline arch_write_unlock(arch_rwlock_t *lock)
8310 -static int inline arch_write_trylock(arch_rwlock_t *lock)
8311 +static inline int arch_write_trylock(arch_rwlock_t *lock)
8313 unsigned long mask, tmp1, tmp2, result;
8315 diff --git a/arch/sparc/include/asm/thread_info_32.h b/arch/sparc/include/asm/thread_info_32.h
8316 index dd38075..e7cac83 100644
8317 --- a/arch/sparc/include/asm/thread_info_32.h
8318 +++ b/arch/sparc/include/asm/thread_info_32.h
8319 @@ -49,6 +49,8 @@ struct thread_info {
8320 unsigned long w_saved;
8322 struct restart_block restart_block;
8324 + unsigned long lowest_stack;
8328 diff --git a/arch/sparc/include/asm/thread_info_64.h b/arch/sparc/include/asm/thread_info_64.h
8329 index d5e5042..9bfee76 100644
8330 --- a/arch/sparc/include/asm/thread_info_64.h
8331 +++ b/arch/sparc/include/asm/thread_info_64.h
8332 @@ -63,6 +63,8 @@ struct thread_info {
8333 struct pt_regs *kern_una_regs;
8334 unsigned int kern_una_insn;
8336 + unsigned long lowest_stack;
8338 unsigned long fpregs[0] __attribute__ ((aligned(64)));
8341 @@ -192,10 +194,11 @@ register struct thread_info *current_thread_info_reg asm("g6");
8342 #define TIF_UNALIGNED 5 /* allowed to do unaligned accesses */
8343 /* flag bit 6 is available */
8344 #define TIF_32BIT 7 /* 32-bit binary */
8345 -/* flag bit 8 is available */
8346 +#define TIF_GRSEC_SETXID 8 /* update credentials on syscall entry/exit */
8347 #define TIF_SECCOMP 9 /* secure computing */
8348 #define TIF_SYSCALL_AUDIT 10 /* syscall auditing active */
8349 #define TIF_SYSCALL_TRACEPOINT 11 /* syscall tracepoint instrumentation */
8351 /* NOTE: Thread flags >= 12 should be ones we have no interest
8352 * in using in assembly, else we can't use the mask as
8353 * an immediate value in instructions such as andcc.
8354 @@ -214,12 +217,18 @@ register struct thread_info *current_thread_info_reg asm("g6");
8355 #define _TIF_SYSCALL_AUDIT (1<<TIF_SYSCALL_AUDIT)
8356 #define _TIF_SYSCALL_TRACEPOINT (1<<TIF_SYSCALL_TRACEPOINT)
8357 #define _TIF_POLLING_NRFLAG (1<<TIF_POLLING_NRFLAG)
8358 +#define _TIF_GRSEC_SETXID (1<<TIF_GRSEC_SETXID)
8360 #define _TIF_USER_WORK_MASK ((0xff << TI_FLAG_WSAVED_SHIFT) | \
8361 _TIF_DO_NOTIFY_RESUME_MASK | \
8363 #define _TIF_DO_NOTIFY_RESUME_MASK (_TIF_NOTIFY_RESUME | _TIF_SIGPENDING)
8365 +#define _TIF_WORK_SYSCALL \
8366 + (_TIF_SYSCALL_TRACE | _TIF_SECCOMP | _TIF_SYSCALL_AUDIT | \
8367 + _TIF_SYSCALL_TRACEPOINT | _TIF_GRSEC_SETXID)
8371 * Thread-synchronous status.
8373 diff --git a/arch/sparc/include/asm/uaccess.h b/arch/sparc/include/asm/uaccess.h
8374 index 0167d26..767bb0c 100644
8375 --- a/arch/sparc/include/asm/uaccess.h
8376 +++ b/arch/sparc/include/asm/uaccess.h
8378 #ifndef ___ASM_SPARC_UACCESS_H
8379 #define ___ASM_SPARC_UACCESS_H
8381 #if defined(__sparc__) && defined(__arch64__)
8382 #include <asm/uaccess_64.h>
8384 diff --git a/arch/sparc/include/asm/uaccess_32.h b/arch/sparc/include/asm/uaccess_32.h
8385 index 53a28dd..50c38c3 100644
8386 --- a/arch/sparc/include/asm/uaccess_32.h
8387 +++ b/arch/sparc/include/asm/uaccess_32.h
8388 @@ -250,27 +250,46 @@ extern unsigned long __copy_user(void __user *to, const void __user *from, unsig
8390 static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
8392 - if (n && __access_ok((unsigned long) to, n))
8396 + if (n && __access_ok((unsigned long) to, n)) {
8397 + if (!__builtin_constant_p(n))
8398 + check_object_size(from, n, true);
8399 return __copy_user(to, (__force void __user *) from, n);
8405 static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
8410 + if (!__builtin_constant_p(n))
8411 + check_object_size(from, n, true);
8413 return __copy_user(to, (__force void __user *) from, n);
8416 static inline unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
8418 - if (n && __access_ok((unsigned long) from, n))
8422 + if (n && __access_ok((unsigned long) from, n)) {
8423 + if (!__builtin_constant_p(n))
8424 + check_object_size(to, n, false);
8425 return __copy_user((__force void __user *) to, from, n);
8431 static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
8436 return __copy_user((__force void __user *) to, from, n);
8439 diff --git a/arch/sparc/include/asm/uaccess_64.h b/arch/sparc/include/asm/uaccess_64.h
8440 index e562d3c..191f176 100644
8441 --- a/arch/sparc/include/asm/uaccess_64.h
8442 +++ b/arch/sparc/include/asm/uaccess_64.h
8444 #include <linux/compiler.h>
8445 #include <linux/string.h>
8446 #include <linux/thread_info.h>
8447 +#include <linux/kernel.h>
8448 #include <asm/asi.h>
8449 #include <asm/spitfire.h>
8450 #include <asm-generic/uaccess-unaligned.h>
8451 @@ -214,8 +215,15 @@ extern unsigned long copy_from_user_fixup(void *to, const void __user *from,
8452 static inline unsigned long __must_check
8453 copy_from_user(void *to, const void __user *from, unsigned long size)
8455 - unsigned long ret = ___copy_from_user(to, from, size);
8456 + unsigned long ret;
8458 + if ((long)size < 0 || size > INT_MAX)
8461 + if (!__builtin_constant_p(size))
8462 + check_object_size(to, size, false);
8464 + ret = ___copy_from_user(to, from, size);
8466 ret = copy_from_user_fixup(to, from, size);
8468 @@ -231,8 +239,15 @@ extern unsigned long copy_to_user_fixup(void __user *to, const void *from,
8469 static inline unsigned long __must_check
8470 copy_to_user(void __user *to, const void *from, unsigned long size)
8472 - unsigned long ret = ___copy_to_user(to, from, size);
8473 + unsigned long ret;
8475 + if ((long)size < 0 || size > INT_MAX)
8478 + if (!__builtin_constant_p(size))
8479 + check_object_size(from, size, true);
8481 + ret = ___copy_to_user(to, from, size);
8483 ret = copy_to_user_fixup(to, from, size);
8485 diff --git a/arch/sparc/kernel/Makefile b/arch/sparc/kernel/Makefile
8486 index d432fb2..6056af1 100644
8487 --- a/arch/sparc/kernel/Makefile
8488 +++ b/arch/sparc/kernel/Makefile
8493 -ccflags-y := -Werror
8494 +#ccflags-y := -Werror
8496 extra-y := head_$(BITS).o
8498 diff --git a/arch/sparc/kernel/ds.c b/arch/sparc/kernel/ds.c
8499 index 5ef48da..11d460f 100644
8500 --- a/arch/sparc/kernel/ds.c
8501 +++ b/arch/sparc/kernel/ds.c
8502 @@ -783,6 +783,16 @@ void ldom_set_var(const char *var, const char *value)
8506 + if (strlen(var) + strlen(value) + 2 >
8507 + sizeof(pkt) - sizeof(pkt.header)) {
8508 + printk(KERN_ERR PFX
8509 + "contents length: %zu, which more than max: %lu,"
8510 + "so could not set (%s) variable to (%s).\n",
8511 + strlen(var) + strlen(value) + 2,
8512 + sizeof(pkt) - sizeof(pkt.header), var, value);
8516 memset(&pkt, 0, sizeof(pkt));
8517 pkt.header.data.tag.type = DS_DATA;
8518 pkt.header.data.handle = cp->handle;
8519 diff --git a/arch/sparc/kernel/process_32.c b/arch/sparc/kernel/process_32.c
8520 index fdd819d..5af08c8 100644
8521 --- a/arch/sparc/kernel/process_32.c
8522 +++ b/arch/sparc/kernel/process_32.c
8523 @@ -116,14 +116,14 @@ void show_regs(struct pt_regs *r)
8525 printk("PSR: %08lx PC: %08lx NPC: %08lx Y: %08lx %s\n",
8526 r->psr, r->pc, r->npc, r->y, print_tainted());
8527 - printk("PC: <%pS>\n", (void *) r->pc);
8528 + printk("PC: <%pA>\n", (void *) r->pc);
8529 printk("%%G: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
8530 r->u_regs[0], r->u_regs[1], r->u_regs[2], r->u_regs[3],
8531 r->u_regs[4], r->u_regs[5], r->u_regs[6], r->u_regs[7]);
8532 printk("%%O: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
8533 r->u_regs[8], r->u_regs[9], r->u_regs[10], r->u_regs[11],
8534 r->u_regs[12], r->u_regs[13], r->u_regs[14], r->u_regs[15]);
8535 - printk("RPC: <%pS>\n", (void *) r->u_regs[15]);
8536 + printk("RPC: <%pA>\n", (void *) r->u_regs[15]);
8538 printk("%%L: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
8539 rw->locals[0], rw->locals[1], rw->locals[2], rw->locals[3],
8540 @@ -160,7 +160,7 @@ void show_stack(struct task_struct *tsk, unsigned long *_ksp)
8541 rw = (struct reg_window32 *) fp;
8543 printk("[%08lx : ", pc);
8544 - printk("%pS ] ", (void *) pc);
8545 + printk("%pA ] ", (void *) pc);
8547 } while (++count < 16);
8549 diff --git a/arch/sparc/kernel/process_64.c b/arch/sparc/kernel/process_64.c
8550 index baebab2..9cd13b1 100644
8551 --- a/arch/sparc/kernel/process_64.c
8552 +++ b/arch/sparc/kernel/process_64.c
8553 @@ -158,7 +158,7 @@ static void show_regwindow(struct pt_regs *regs)
8554 printk("i4: %016lx i5: %016lx i6: %016lx i7: %016lx\n",
8555 rwk->ins[4], rwk->ins[5], rwk->ins[6], rwk->ins[7]);
8556 if (regs->tstate & TSTATE_PRIV)
8557 - printk("I7: <%pS>\n", (void *) rwk->ins[7]);
8558 + printk("I7: <%pA>\n", (void *) rwk->ins[7]);
8561 void show_regs(struct pt_regs *regs)
8562 @@ -167,7 +167,7 @@ void show_regs(struct pt_regs *regs)
8564 printk("TSTATE: %016lx TPC: %016lx TNPC: %016lx Y: %08x %s\n", regs->tstate,
8565 regs->tpc, regs->tnpc, regs->y, print_tainted());
8566 - printk("TPC: <%pS>\n", (void *) regs->tpc);
8567 + printk("TPC: <%pA>\n", (void *) regs->tpc);
8568 printk("g0: %016lx g1: %016lx g2: %016lx g3: %016lx\n",
8569 regs->u_regs[0], regs->u_regs[1], regs->u_regs[2],
8571 @@ -180,7 +180,7 @@ void show_regs(struct pt_regs *regs)
8572 printk("o4: %016lx o5: %016lx sp: %016lx ret_pc: %016lx\n",
8573 regs->u_regs[12], regs->u_regs[13], regs->u_regs[14],
8575 - printk("RPC: <%pS>\n", (void *) regs->u_regs[15]);
8576 + printk("RPC: <%pA>\n", (void *) regs->u_regs[15]);
8577 show_regwindow(regs);
8578 show_stack(current, (unsigned long *) regs->u_regs[UREG_FP]);
8580 @@ -269,7 +269,7 @@ void arch_trigger_all_cpu_backtrace(void)
8581 ((tp && tp->task) ? tp->task->pid : -1));
8583 if (gp->tstate & TSTATE_PRIV) {
8584 - printk(" TPC[%pS] O7[%pS] I7[%pS] RPC[%pS]\n",
8585 + printk(" TPC[%pA] O7[%pA] I7[%pA] RPC[%pA]\n",
8589 diff --git a/arch/sparc/kernel/prom_common.c b/arch/sparc/kernel/prom_common.c
8590 index 79cc0d1..ec62734 100644
8591 --- a/arch/sparc/kernel/prom_common.c
8592 +++ b/arch/sparc/kernel/prom_common.c
8593 @@ -144,7 +144,7 @@ static int __init prom_common_nextprop(phandle node, char *prev, char *buf)
8595 unsigned int prom_early_allocated __initdata;
8597 -static struct of_pdt_ops prom_sparc_ops __initdata = {
8598 +static struct of_pdt_ops prom_sparc_ops __initconst = {
8599 .nextprop = prom_common_nextprop,
8600 .getproplen = prom_getproplen,
8601 .getproperty = prom_getproperty,
8602 diff --git a/arch/sparc/kernel/ptrace_64.c b/arch/sparc/kernel/ptrace_64.c
8603 index 7ff45e4..a58f271 100644
8604 --- a/arch/sparc/kernel/ptrace_64.c
8605 +++ b/arch/sparc/kernel/ptrace_64.c
8606 @@ -1057,6 +1057,10 @@ long arch_ptrace(struct task_struct *child, long request,
8610 +#ifdef CONFIG_GRKERNSEC_SETXID
8611 +extern void gr_delayed_cred_worker(void);
8614 asmlinkage int syscall_trace_enter(struct pt_regs *regs)
8617 @@ -1064,6 +1068,11 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs)
8618 /* do the secure computing check first */
8619 secure_computing_strict(regs->u_regs[UREG_G1]);
8621 +#ifdef CONFIG_GRKERNSEC_SETXID
8622 + if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
8623 + gr_delayed_cred_worker();
8626 if (test_thread_flag(TIF_SYSCALL_TRACE))
8627 ret = tracehook_report_syscall_entry(regs);
8629 @@ -1084,6 +1093,11 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs)
8631 asmlinkage void syscall_trace_leave(struct pt_regs *regs)
8633 +#ifdef CONFIG_GRKERNSEC_SETXID
8634 + if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
8635 + gr_delayed_cred_worker();
8638 audit_syscall_exit(regs);
8640 if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
8641 diff --git a/arch/sparc/kernel/sys_sparc_32.c b/arch/sparc/kernel/sys_sparc_32.c
8642 index 3a8d184..49498a8 100644
8643 --- a/arch/sparc/kernel/sys_sparc_32.c
8644 +++ b/arch/sparc/kernel/sys_sparc_32.c
8645 @@ -52,7 +52,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
8646 if (len > TASK_SIZE - PAGE_SIZE)
8649 - addr = TASK_UNMAPPED_BASE;
8650 + addr = current->mm->mmap_base;
8654 diff --git a/arch/sparc/kernel/sys_sparc_64.c b/arch/sparc/kernel/sys_sparc_64.c
8655 index 2daaaa6..4fb84dc 100644
8656 --- a/arch/sparc/kernel/sys_sparc_64.c
8657 +++ b/arch/sparc/kernel/sys_sparc_64.c
8658 @@ -90,13 +90,14 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
8659 struct vm_area_struct * vma;
8660 unsigned long task_size = TASK_SIZE;
8662 + unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
8663 struct vm_unmapped_area_info info;
8665 if (flags & MAP_FIXED) {
8666 /* We do not accept a shared mapping if it would violate
8667 * cache aliasing constraints.
8669 - if ((flags & MAP_SHARED) &&
8670 + if ((filp || (flags & MAP_SHARED)) &&
8671 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
8674 @@ -111,6 +112,10 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
8675 if (filp || (flags & MAP_SHARED))
8678 +#ifdef CONFIG_PAX_RANDMMAP
8679 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
8684 addr = COLOR_ALIGN(addr, pgoff);
8685 @@ -118,22 +123,28 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
8686 addr = PAGE_ALIGN(addr);
8688 vma = find_vma(mm, addr);
8689 - if (task_size - len >= addr &&
8690 - (!vma || addr + len <= vma->vm_start))
8691 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
8697 - info.low_limit = TASK_UNMAPPED_BASE;
8698 + info.low_limit = mm->mmap_base;
8699 info.high_limit = min(task_size, VA_EXCLUDE_START);
8700 info.align_mask = do_color_align ? (PAGE_MASK & (SHMLBA - 1)) : 0;
8701 info.align_offset = pgoff << PAGE_SHIFT;
8702 + info.threadstack_offset = offset;
8703 addr = vm_unmapped_area(&info);
8705 if ((addr & ~PAGE_MASK) && task_size > VA_EXCLUDE_END) {
8706 VM_BUG_ON(addr != -ENOMEM);
8707 info.low_limit = VA_EXCLUDE_END;
8709 +#ifdef CONFIG_PAX_RANDMMAP
8710 + if (mm->pax_flags & MF_PAX_RANDMMAP)
8711 + info.low_limit += mm->delta_mmap;
8714 info.high_limit = task_size;
8715 addr = vm_unmapped_area(&info);
8717 @@ -151,6 +162,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
8718 unsigned long task_size = STACK_TOP32;
8719 unsigned long addr = addr0;
8721 + unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
8722 struct vm_unmapped_area_info info;
8724 /* This should only ever run for 32-bit processes. */
8725 @@ -160,7 +172,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
8726 /* We do not accept a shared mapping if it would violate
8727 * cache aliasing constraints.
8729 - if ((flags & MAP_SHARED) &&
8730 + if ((filp || (flags & MAP_SHARED)) &&
8731 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
8734 @@ -173,6 +185,10 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
8735 if (filp || (flags & MAP_SHARED))
8738 +#ifdef CONFIG_PAX_RANDMMAP
8739 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
8742 /* requesting a specific address */
8745 @@ -181,8 +197,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
8746 addr = PAGE_ALIGN(addr);
8748 vma = find_vma(mm, addr);
8749 - if (task_size - len >= addr &&
8750 - (!vma || addr + len <= vma->vm_start))
8751 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
8755 @@ -192,6 +207,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
8756 info.high_limit = mm->mmap_base;
8757 info.align_mask = do_color_align ? (PAGE_MASK & (SHMLBA - 1)) : 0;
8758 info.align_offset = pgoff << PAGE_SHIFT;
8759 + info.threadstack_offset = offset;
8760 addr = vm_unmapped_area(&info);
8763 @@ -204,6 +220,12 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
8764 VM_BUG_ON(addr != -ENOMEM);
8766 info.low_limit = TASK_UNMAPPED_BASE;
8768 +#ifdef CONFIG_PAX_RANDMMAP
8769 + if (mm->pax_flags & MF_PAX_RANDMMAP)
8770 + info.low_limit += mm->delta_mmap;
8773 info.high_limit = STACK_TOP32;
8774 addr = vm_unmapped_area(&info);
8776 @@ -260,10 +282,14 @@ unsigned long get_fb_unmapped_area(struct file *filp, unsigned long orig_addr, u
8777 EXPORT_SYMBOL(get_fb_unmapped_area);
8779 /* Essentially the same as PowerPC. */
8780 -static unsigned long mmap_rnd(void)
8781 +static unsigned long mmap_rnd(struct mm_struct *mm)
8783 unsigned long rnd = 0UL;
8785 +#ifdef CONFIG_PAX_RANDMMAP
8786 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
8789 if (current->flags & PF_RANDOMIZE) {
8790 unsigned long val = get_random_int();
8791 if (test_thread_flag(TIF_32BIT))
8792 @@ -276,7 +302,7 @@ static unsigned long mmap_rnd(void)
8794 void arch_pick_mmap_layout(struct mm_struct *mm)
8796 - unsigned long random_factor = mmap_rnd();
8797 + unsigned long random_factor = mmap_rnd(mm);
8801 @@ -289,6 +315,12 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
8802 gap == RLIM_INFINITY ||
8803 sysctl_legacy_va_layout) {
8804 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
8806 +#ifdef CONFIG_PAX_RANDMMAP
8807 + if (mm->pax_flags & MF_PAX_RANDMMAP)
8808 + mm->mmap_base += mm->delta_mmap;
8811 mm->get_unmapped_area = arch_get_unmapped_area;
8812 mm->unmap_area = arch_unmap_area;
8814 @@ -301,6 +333,12 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
8815 gap = (task_size / 6 * 5);
8817 mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
8819 +#ifdef CONFIG_PAX_RANDMMAP
8820 + if (mm->pax_flags & MF_PAX_RANDMMAP)
8821 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
8824 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
8825 mm->unmap_area = arch_unmap_area_topdown;
8827 diff --git a/arch/sparc/kernel/syscalls.S b/arch/sparc/kernel/syscalls.S
8828 index 22a1098..6255eb9 100644
8829 --- a/arch/sparc/kernel/syscalls.S
8830 +++ b/arch/sparc/kernel/syscalls.S
8831 @@ -52,7 +52,7 @@ sys32_rt_sigreturn:
8834 1: ldx [%g6 + TI_FLAGS], %l5
8835 - andcc %l5, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT), %g0
8836 + andcc %l5, _TIF_WORK_SYSCALL, %g0
8839 call syscall_trace_leave
8840 @@ -184,7 +184,7 @@ linux_sparc_syscall32:
8842 srl %i5, 0, %o5 ! IEU1
8843 srl %i2, 0, %o2 ! IEU0 Group
8844 - andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT), %g0
8845 + andcc %l0, _TIF_WORK_SYSCALL, %g0
8846 bne,pn %icc, linux_syscall_trace32 ! CTI
8848 call %l7 ! CTI Group brk forced
8849 @@ -207,7 +207,7 @@ linux_sparc_syscall:
8852 mov %i4, %o4 ! IEU0 Group
8853 - andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT), %g0
8854 + andcc %l0, _TIF_WORK_SYSCALL, %g0
8855 bne,pn %icc, linux_syscall_trace ! CTI Group
8857 2: call %l7 ! CTI Group brk forced
8858 @@ -223,7 +223,7 @@ ret_sys_call:
8860 cmp %o0, -ERESTART_RESTARTBLOCK
8862 - andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT), %g0
8863 + andcc %l0, _TIF_WORK_SYSCALL, %g0
8864 ldx [%sp + PTREGS_OFF + PT_V9_TNPC], %l1 ! pc = npc
8867 diff --git a/arch/sparc/kernel/sysfs.c b/arch/sparc/kernel/sysfs.c
8868 index 654e8aa..45f431b 100644
8869 --- a/arch/sparc/kernel/sysfs.c
8870 +++ b/arch/sparc/kernel/sysfs.c
8871 @@ -266,7 +266,7 @@ static int __cpuinit sysfs_cpu_notify(struct notifier_block *self,
8875 -static struct notifier_block __cpuinitdata sysfs_cpu_nb = {
8876 +static struct notifier_block sysfs_cpu_nb = {
8877 .notifier_call = sysfs_cpu_notify,
8880 diff --git a/arch/sparc/kernel/traps_32.c b/arch/sparc/kernel/traps_32.c
8881 index 6629829..036032d 100644
8882 --- a/arch/sparc/kernel/traps_32.c
8883 +++ b/arch/sparc/kernel/traps_32.c
8884 @@ -44,6 +44,8 @@ static void instruction_dump(unsigned long *pc)
8885 #define __SAVE __asm__ __volatile__("save %sp, -0x40, %sp\n\t")
8886 #define __RESTORE __asm__ __volatile__("restore %g0, %g0, %g0\n\t")
8888 +extern void gr_handle_kernel_exploit(void);
8890 void die_if_kernel(char *str, struct pt_regs *regs)
8892 static int die_counter;
8893 @@ -76,15 +78,17 @@ void die_if_kernel(char *str, struct pt_regs *regs)
8895 (((unsigned long) rw) >= PAGE_OFFSET) &&
8896 !(((unsigned long) rw) & 0x7)) {
8897 - printk("Caller[%08lx]: %pS\n", rw->ins[7],
8898 + printk("Caller[%08lx]: %pA\n", rw->ins[7],
8899 (void *) rw->ins[7]);
8900 rw = (struct reg_window32 *)rw->ins[6];
8903 printk("Instruction DUMP:");
8904 instruction_dump ((unsigned long *) regs->pc);
8905 - if(regs->psr & PSR_PS)
8906 + if(regs->psr & PSR_PS) {
8907 + gr_handle_kernel_exploit();
8913 diff --git a/arch/sparc/kernel/traps_64.c b/arch/sparc/kernel/traps_64.c
8914 index b3f833a..ac74b2d 100644
8915 --- a/arch/sparc/kernel/traps_64.c
8916 +++ b/arch/sparc/kernel/traps_64.c
8917 @@ -76,7 +76,7 @@ static void dump_tl1_traplog(struct tl1_traplog *p)
8919 p->trapstack[i].tstate, p->trapstack[i].tpc,
8920 p->trapstack[i].tnpc, p->trapstack[i].tt);
8921 - printk("TRAPLOG: TPC<%pS>\n", (void *) p->trapstack[i].tpc);
8922 + printk("TRAPLOG: TPC<%pA>\n", (void *) p->trapstack[i].tpc);
8926 @@ -96,6 +96,12 @@ void bad_trap(struct pt_regs *regs, long lvl)
8929 if (regs->tstate & TSTATE_PRIV) {
8931 +#ifdef CONFIG_PAX_REFCOUNT
8933 + pax_report_refcount_overflow(regs);
8936 sprintf(buffer, "Kernel bad sw trap %lx", lvl);
8937 die_if_kernel(buffer, regs);
8939 @@ -114,11 +120,16 @@ void bad_trap(struct pt_regs *regs, long lvl)
8940 void bad_trap_tl1(struct pt_regs *regs, long lvl)
8945 if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs,
8946 0, lvl, SIGTRAP) == NOTIFY_STOP)
8949 +#ifdef CONFIG_PAX_REFCOUNT
8951 + pax_report_refcount_overflow(regs);
8954 dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
8956 sprintf (buffer, "Bad trap %lx at tl>0", lvl);
8957 @@ -1142,7 +1153,7 @@ static void cheetah_log_errors(struct pt_regs *regs, struct cheetah_err_info *in
8958 regs->tpc, regs->tnpc, regs->u_regs[UREG_I7], regs->tstate);
8959 printk("%s" "ERROR(%d): ",
8960 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id());
8961 - printk("TPC<%pS>\n", (void *) regs->tpc);
8962 + printk("TPC<%pA>\n", (void *) regs->tpc);
8963 printk("%s" "ERROR(%d): M_SYND(%lx), E_SYND(%lx)%s%s\n",
8964 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id(),
8965 (afsr & CHAFSR_M_SYNDROME) >> CHAFSR_M_SYNDROME_SHIFT,
8966 @@ -1749,7 +1760,7 @@ void cheetah_plus_parity_error(int type, struct pt_regs *regs)
8968 (type & 0x1) ? 'I' : 'D',
8970 - printk(KERN_EMERG "TPC<%pS>\n", (void *) regs->tpc);
8971 + printk(KERN_EMERG "TPC<%pA>\n", (void *) regs->tpc);
8972 panic("Irrecoverable Cheetah+ parity error.");
8975 @@ -1757,7 +1768,7 @@ void cheetah_plus_parity_error(int type, struct pt_regs *regs)
8977 (type & 0x1) ? 'I' : 'D',
8979 - printk(KERN_WARNING "TPC<%pS>\n", (void *) regs->tpc);
8980 + printk(KERN_WARNING "TPC<%pA>\n", (void *) regs->tpc);
8983 struct sun4v_error_entry {
8984 @@ -2104,9 +2115,9 @@ void sun4v_itlb_error_report(struct pt_regs *regs, int tl)
8986 printk(KERN_EMERG "SUN4V-ITLB: Error at TPC[%lx], tl %d\n",
8988 - printk(KERN_EMERG "SUN4V-ITLB: TPC<%pS>\n", (void *) regs->tpc);
8989 + printk(KERN_EMERG "SUN4V-ITLB: TPC<%pA>\n", (void *) regs->tpc);
8990 printk(KERN_EMERG "SUN4V-ITLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
8991 - printk(KERN_EMERG "SUN4V-ITLB: O7<%pS>\n",
8992 + printk(KERN_EMERG "SUN4V-ITLB: O7<%pA>\n",
8993 (void *) regs->u_regs[UREG_I7]);
8994 printk(KERN_EMERG "SUN4V-ITLB: vaddr[%lx] ctx[%lx] "
8995 "pte[%lx] error[%lx]\n",
8996 @@ -2128,9 +2139,9 @@ void sun4v_dtlb_error_report(struct pt_regs *regs, int tl)
8998 printk(KERN_EMERG "SUN4V-DTLB: Error at TPC[%lx], tl %d\n",
9000 - printk(KERN_EMERG "SUN4V-DTLB: TPC<%pS>\n", (void *) regs->tpc);
9001 + printk(KERN_EMERG "SUN4V-DTLB: TPC<%pA>\n", (void *) regs->tpc);
9002 printk(KERN_EMERG "SUN4V-DTLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
9003 - printk(KERN_EMERG "SUN4V-DTLB: O7<%pS>\n",
9004 + printk(KERN_EMERG "SUN4V-DTLB: O7<%pA>\n",
9005 (void *) regs->u_regs[UREG_I7]);
9006 printk(KERN_EMERG "SUN4V-DTLB: vaddr[%lx] ctx[%lx] "
9007 "pte[%lx] error[%lx]\n",
9008 @@ -2336,13 +2347,13 @@ void show_stack(struct task_struct *tsk, unsigned long *_ksp)
9009 fp = (unsigned long)sf->fp + STACK_BIAS;
9012 - printk(" [%016lx] %pS\n", pc, (void *) pc);
9013 + printk(" [%016lx] %pA\n", pc, (void *) pc);
9014 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
9015 if ((pc + 8UL) == (unsigned long) &return_to_handler) {
9016 int index = tsk->curr_ret_stack;
9017 if (tsk->ret_stack && index >= graph) {
9018 pc = tsk->ret_stack[index - graph].ret;
9019 - printk(" [%016lx] %pS\n", pc, (void *) pc);
9020 + printk(" [%016lx] %pA\n", pc, (void *) pc);
9024 @@ -2360,6 +2371,8 @@ static inline struct reg_window *kernel_stack_up(struct reg_window *rw)
9025 return (struct reg_window *) (fp + STACK_BIAS);
9028 +extern void gr_handle_kernel_exploit(void);
9030 void die_if_kernel(char *str, struct pt_regs *regs)
9032 static int die_counter;
9033 @@ -2388,7 +2401,7 @@ void die_if_kernel(char *str, struct pt_regs *regs)
9036 kstack_valid(tp, (unsigned long) rw)) {
9037 - printk("Caller[%016lx]: %pS\n", rw->ins[7],
9038 + printk("Caller[%016lx]: %pA\n", rw->ins[7],
9039 (void *) rw->ins[7]);
9041 rw = kernel_stack_up(rw);
9042 @@ -2401,8 +2414,10 @@ void die_if_kernel(char *str, struct pt_regs *regs)
9044 user_instruction_dump ((unsigned int __user *) regs->tpc);
9046 - if (regs->tstate & TSTATE_PRIV)
9047 + if (regs->tstate & TSTATE_PRIV) {
9048 + gr_handle_kernel_exploit();
9053 EXPORT_SYMBOL(die_if_kernel);
9054 diff --git a/arch/sparc/kernel/unaligned_64.c b/arch/sparc/kernel/unaligned_64.c
9055 index 8201c25e..072a2a7 100644
9056 --- a/arch/sparc/kernel/unaligned_64.c
9057 +++ b/arch/sparc/kernel/unaligned_64.c
9058 @@ -286,7 +286,7 @@ static void log_unaligned(struct pt_regs *regs)
9059 static DEFINE_RATELIMIT_STATE(ratelimit, 5 * HZ, 5);
9061 if (__ratelimit(&ratelimit)) {
9062 - printk("Kernel unaligned access at TPC[%lx] %pS\n",
9063 + printk("Kernel unaligned access at TPC[%lx] %pA\n",
9064 regs->tpc, (void *) regs->tpc);
9067 diff --git a/arch/sparc/lib/Makefile b/arch/sparc/lib/Makefile
9068 index dbe119b..089c7c1 100644
9069 --- a/arch/sparc/lib/Makefile
9070 +++ b/arch/sparc/lib/Makefile
9074 asflags-y := -ansi -DST_DIV0=0x02
9075 -ccflags-y := -Werror
9076 +#ccflags-y := -Werror
9078 lib-$(CONFIG_SPARC32) += ashrdi3.o
9079 lib-$(CONFIG_SPARC32) += memcpy.o memset.o
9080 diff --git a/arch/sparc/lib/atomic_64.S b/arch/sparc/lib/atomic_64.S
9081 index 85c233d..68500e0 100644
9082 --- a/arch/sparc/lib/atomic_64.S
9083 +++ b/arch/sparc/lib/atomic_64.S
9085 ENTRY(atomic_add) /* %o0 = increment, %o1 = atomic_ptr */
9089 + addcc %g1, %o0, %g7
9091 +#ifdef CONFIG_PAX_REFCOUNT
9097 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
9098 @@ -27,10 +32,28 @@ ENTRY(atomic_add) /* %o0 = increment, %o1 = atomic_ptr */
9099 2: BACKOFF_SPIN(%o2, %o3, 1b)
9102 +ENTRY(atomic_add_unchecked) /* %o0 = increment, %o1 = atomic_ptr */
9103 + BACKOFF_SETUP(%o2)
9106 + cas [%o1], %g1, %g7
9112 +2: BACKOFF_SPIN(%o2, %o3, 1b)
9113 +ENDPROC(atomic_add_unchecked)
9115 ENTRY(atomic_sub) /* %o0 = decrement, %o1 = atomic_ptr */
9119 + subcc %g1, %o0, %g7
9121 +#ifdef CONFIG_PAX_REFCOUNT
9127 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
9128 @@ -40,10 +63,28 @@ ENTRY(atomic_sub) /* %o0 = decrement, %o1 = atomic_ptr */
9129 2: BACKOFF_SPIN(%o2, %o3, 1b)
9132 +ENTRY(atomic_sub_unchecked) /* %o0 = decrement, %o1 = atomic_ptr */
9133 + BACKOFF_SETUP(%o2)
9136 + cas [%o1], %g1, %g7
9142 +2: BACKOFF_SPIN(%o2, %o3, 1b)
9143 +ENDPROC(atomic_sub_unchecked)
9145 ENTRY(atomic_add_ret) /* %o0 = increment, %o1 = atomic_ptr */
9149 + addcc %g1, %o0, %g7
9151 +#ifdef CONFIG_PAX_REFCOUNT
9157 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
9158 @@ -53,10 +94,29 @@ ENTRY(atomic_add_ret) /* %o0 = increment, %o1 = atomic_ptr */
9159 2: BACKOFF_SPIN(%o2, %o3, 1b)
9160 ENDPROC(atomic_add_ret)
9162 +ENTRY(atomic_add_ret_unchecked) /* %o0 = increment, %o1 = atomic_ptr */
9163 + BACKOFF_SETUP(%o2)
9165 + addcc %g1, %o0, %g7
9166 + cas [%o1], %g1, %g7
9173 +2: BACKOFF_SPIN(%o2, %o3, 1b)
9174 +ENDPROC(atomic_add_ret_unchecked)
9176 ENTRY(atomic_sub_ret) /* %o0 = decrement, %o1 = atomic_ptr */
9180 + subcc %g1, %o0, %g7
9182 +#ifdef CONFIG_PAX_REFCOUNT
9188 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
9189 @@ -69,7 +129,12 @@ ENDPROC(atomic_sub_ret)
9190 ENTRY(atomic64_add) /* %o0 = increment, %o1 = atomic_ptr */
9194 + addcc %g1, %o0, %g7
9196 +#ifdef CONFIG_PAX_REFCOUNT
9200 casx [%o1], %g1, %g7
9202 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
9203 @@ -79,10 +144,28 @@ ENTRY(atomic64_add) /* %o0 = increment, %o1 = atomic_ptr */
9204 2: BACKOFF_SPIN(%o2, %o3, 1b)
9205 ENDPROC(atomic64_add)
9207 +ENTRY(atomic64_add_unchecked) /* %o0 = increment, %o1 = atomic_ptr */
9208 + BACKOFF_SETUP(%o2)
9210 + addcc %g1, %o0, %g7
9211 + casx [%o1], %g1, %g7
9217 +2: BACKOFF_SPIN(%o2, %o3, 1b)
9218 +ENDPROC(atomic64_add_unchecked)
9220 ENTRY(atomic64_sub) /* %o0 = decrement, %o1 = atomic_ptr */
9224 + subcc %g1, %o0, %g7
9226 +#ifdef CONFIG_PAX_REFCOUNT
9230 casx [%o1], %g1, %g7
9232 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
9233 @@ -92,10 +175,28 @@ ENTRY(atomic64_sub) /* %o0 = decrement, %o1 = atomic_ptr */
9234 2: BACKOFF_SPIN(%o2, %o3, 1b)
9235 ENDPROC(atomic64_sub)
9237 +ENTRY(atomic64_sub_unchecked) /* %o0 = decrement, %o1 = atomic_ptr */
9238 + BACKOFF_SETUP(%o2)
9240 + subcc %g1, %o0, %g7
9241 + casx [%o1], %g1, %g7
9247 +2: BACKOFF_SPIN(%o2, %o3, 1b)
9248 +ENDPROC(atomic64_sub_unchecked)
9250 ENTRY(atomic64_add_ret) /* %o0 = increment, %o1 = atomic_ptr */
9254 + addcc %g1, %o0, %g7
9256 +#ifdef CONFIG_PAX_REFCOUNT
9260 casx [%o1], %g1, %g7
9262 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
9263 @@ -105,10 +206,29 @@ ENTRY(atomic64_add_ret) /* %o0 = increment, %o1 = atomic_ptr */
9264 2: BACKOFF_SPIN(%o2, %o3, 1b)
9265 ENDPROC(atomic64_add_ret)
9267 +ENTRY(atomic64_add_ret_unchecked) /* %o0 = increment, %o1 = atomic_ptr */
9268 + BACKOFF_SETUP(%o2)
9270 + addcc %g1, %o0, %g7
9271 + casx [%o1], %g1, %g7
9278 +2: BACKOFF_SPIN(%o2, %o3, 1b)
9279 +ENDPROC(atomic64_add_ret_unchecked)
9281 ENTRY(atomic64_sub_ret) /* %o0 = decrement, %o1 = atomic_ptr */
9285 + subcc %g1, %o0, %g7
9287 +#ifdef CONFIG_PAX_REFCOUNT
9291 casx [%o1], %g1, %g7
9293 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
9294 diff --git a/arch/sparc/lib/ksyms.c b/arch/sparc/lib/ksyms.c
9295 index 0c4e35e..745d3e4 100644
9296 --- a/arch/sparc/lib/ksyms.c
9297 +++ b/arch/sparc/lib/ksyms.c
9298 @@ -109,12 +109,18 @@ EXPORT_SYMBOL(__downgrade_write);
9300 /* Atomic counter implementation. */
9301 EXPORT_SYMBOL(atomic_add);
9302 +EXPORT_SYMBOL(atomic_add_unchecked);
9303 EXPORT_SYMBOL(atomic_add_ret);
9304 +EXPORT_SYMBOL(atomic_add_ret_unchecked);
9305 EXPORT_SYMBOL(atomic_sub);
9306 +EXPORT_SYMBOL(atomic_sub_unchecked);
9307 EXPORT_SYMBOL(atomic_sub_ret);
9308 EXPORT_SYMBOL(atomic64_add);
9309 +EXPORT_SYMBOL(atomic64_add_unchecked);
9310 EXPORT_SYMBOL(atomic64_add_ret);
9311 +EXPORT_SYMBOL(atomic64_add_ret_unchecked);
9312 EXPORT_SYMBOL(atomic64_sub);
9313 +EXPORT_SYMBOL(atomic64_sub_unchecked);
9314 EXPORT_SYMBOL(atomic64_sub_ret);
9315 EXPORT_SYMBOL(atomic64_dec_if_positive);
9317 diff --git a/arch/sparc/mm/Makefile b/arch/sparc/mm/Makefile
9318 index 30c3ecc..736f015 100644
9319 --- a/arch/sparc/mm/Makefile
9320 +++ b/arch/sparc/mm/Makefile
9325 -ccflags-y := -Werror
9326 +#ccflags-y := -Werror
9328 obj-$(CONFIG_SPARC64) += ultra.o tlb.o tsb.o gup.o
9329 obj-y += fault_$(BITS).o
9330 diff --git a/arch/sparc/mm/fault_32.c b/arch/sparc/mm/fault_32.c
9331 index e98bfda..ea8d221 100644
9332 --- a/arch/sparc/mm/fault_32.c
9333 +++ b/arch/sparc/mm/fault_32.c
9335 #include <linux/perf_event.h>
9336 #include <linux/interrupt.h>
9337 #include <linux/kdebug.h>
9338 +#include <linux/slab.h>
9339 +#include <linux/pagemap.h>
9340 +#include <linux/compiler.h>
9342 #include <asm/page.h>
9343 #include <asm/pgtable.h>
9344 @@ -159,6 +162,277 @@ static unsigned long compute_si_addr(struct pt_regs *regs, int text_fault)
9345 return safe_compute_effective_address(regs, insn);
9348 +#ifdef CONFIG_PAX_PAGEEXEC
9349 +#ifdef CONFIG_PAX_DLRESOLVE
9350 +static void pax_emuplt_close(struct vm_area_struct *vma)
9352 + vma->vm_mm->call_dl_resolve = 0UL;
9355 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
9357 + unsigned int *kaddr;
9359 + vmf->page = alloc_page(GFP_HIGHUSER);
9361 + return VM_FAULT_OOM;
9363 + kaddr = kmap(vmf->page);
9364 + memset(kaddr, 0, PAGE_SIZE);
9365 + kaddr[0] = 0x9DE3BFA8U; /* save */
9366 + flush_dcache_page(vmf->page);
9367 + kunmap(vmf->page);
9368 + return VM_FAULT_MAJOR;
9371 +static const struct vm_operations_struct pax_vm_ops = {
9372 + .close = pax_emuplt_close,
9373 + .fault = pax_emuplt_fault
9376 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
9380 + INIT_LIST_HEAD(&vma->anon_vma_chain);
9381 + vma->vm_mm = current->mm;
9382 + vma->vm_start = addr;
9383 + vma->vm_end = addr + PAGE_SIZE;
9384 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
9385 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
9386 + vma->vm_ops = &pax_vm_ops;
9388 + ret = insert_vm_struct(current->mm, vma);
9392 + ++current->mm->total_vm;
9398 + * PaX: decide what to do with offenders (regs->pc = fault address)
9400 + * returns 1 when task should be killed
9401 + * 2 when patched PLT trampoline was detected
9402 + * 3 when unpatched PLT trampoline was detected
9404 +static int pax_handle_fetch_fault(struct pt_regs *regs)
9407 +#ifdef CONFIG_PAX_EMUPLT
9410 + do { /* PaX: patched PLT emulation #1 */
9411 + unsigned int sethi1, sethi2, jmpl;
9413 + err = get_user(sethi1, (unsigned int *)regs->pc);
9414 + err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
9415 + err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
9420 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
9421 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
9422 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
9424 + unsigned int addr;
9426 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
9427 + addr = regs->u_regs[UREG_G1];
9428 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
9430 + regs->npc = addr+4;
9435 + do { /* PaX: patched PLT emulation #2 */
9438 + err = get_user(ba, (unsigned int *)regs->pc);
9443 + if ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30480000U) {
9444 + unsigned int addr;
9446 + if ((ba & 0xFFC00000U) == 0x30800000U)
9447 + addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
9449 + addr = regs->pc + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
9451 + regs->npc = addr+4;
9456 + do { /* PaX: patched PLT emulation #3 */
9457 + unsigned int sethi, bajmpl, nop;
9459 + err = get_user(sethi, (unsigned int *)regs->pc);
9460 + err |= get_user(bajmpl, (unsigned int *)(regs->pc+4));
9461 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
9466 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
9467 + ((bajmpl & 0xFFFFE000U) == 0x81C06000U || (bajmpl & 0xFFF80000U) == 0x30480000U) &&
9468 + nop == 0x01000000U)
9470 + unsigned int addr;
9472 + addr = (sethi & 0x003FFFFFU) << 10;
9473 + regs->u_regs[UREG_G1] = addr;
9474 + if ((bajmpl & 0xFFFFE000U) == 0x81C06000U)
9475 + addr += (((bajmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
9477 + addr = regs->pc + ((((bajmpl | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
9479 + regs->npc = addr+4;
9484 + do { /* PaX: unpatched PLT emulation step 1 */
9485 + unsigned int sethi, ba, nop;
9487 + err = get_user(sethi, (unsigned int *)regs->pc);
9488 + err |= get_user(ba, (unsigned int *)(regs->pc+4));
9489 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
9494 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
9495 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
9496 + nop == 0x01000000U)
9498 + unsigned int addr, save, call;
9500 + if ((ba & 0xFFC00000U) == 0x30800000U)
9501 + addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
9503 + addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
9505 + err = get_user(save, (unsigned int *)addr);
9506 + err |= get_user(call, (unsigned int *)(addr+4));
9507 + err |= get_user(nop, (unsigned int *)(addr+8));
9511 +#ifdef CONFIG_PAX_DLRESOLVE
9512 + if (save == 0x9DE3BFA8U &&
9513 + (call & 0xC0000000U) == 0x40000000U &&
9514 + nop == 0x01000000U)
9516 + struct vm_area_struct *vma;
9517 + unsigned long call_dl_resolve;
9519 + down_read(¤t->mm->mmap_sem);
9520 + call_dl_resolve = current->mm->call_dl_resolve;
9521 + up_read(¤t->mm->mmap_sem);
9522 + if (likely(call_dl_resolve))
9525 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
9527 + down_write(¤t->mm->mmap_sem);
9528 + if (current->mm->call_dl_resolve) {
9529 + call_dl_resolve = current->mm->call_dl_resolve;
9530 + up_write(¤t->mm->mmap_sem);
9532 + kmem_cache_free(vm_area_cachep, vma);
9536 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
9537 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
9538 + up_write(¤t->mm->mmap_sem);
9540 + kmem_cache_free(vm_area_cachep, vma);
9544 + if (pax_insert_vma(vma, call_dl_resolve)) {
9545 + up_write(¤t->mm->mmap_sem);
9546 + kmem_cache_free(vm_area_cachep, vma);
9550 + current->mm->call_dl_resolve = call_dl_resolve;
9551 + up_write(¤t->mm->mmap_sem);
9554 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
9555 + regs->pc = call_dl_resolve;
9556 + regs->npc = addr+4;
9561 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
9562 + if ((save & 0xFFC00000U) == 0x05000000U &&
9563 + (call & 0xFFFFE000U) == 0x85C0A000U &&
9564 + nop == 0x01000000U)
9566 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
9567 + regs->u_regs[UREG_G2] = addr + 4;
9568 + addr = (save & 0x003FFFFFU) << 10;
9569 + addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
9571 + regs->npc = addr+4;
9577 + do { /* PaX: unpatched PLT emulation step 2 */
9578 + unsigned int save, call, nop;
9580 + err = get_user(save, (unsigned int *)(regs->pc-4));
9581 + err |= get_user(call, (unsigned int *)regs->pc);
9582 + err |= get_user(nop, (unsigned int *)(regs->pc+4));
9586 + if (save == 0x9DE3BFA8U &&
9587 + (call & 0xC0000000U) == 0x40000000U &&
9588 + nop == 0x01000000U)
9590 + unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
9592 + regs->u_regs[UREG_RETPC] = regs->pc;
9593 + regs->pc = dl_resolve;
9594 + regs->npc = dl_resolve+4;
9603 +void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
9607 + printk(KERN_ERR "PAX: bytes at PC: ");
9608 + for (i = 0; i < 8; i++) {
9610 + if (get_user(c, (unsigned int *)pc+i))
9611 + printk(KERN_CONT "???????? ");
9613 + printk(KERN_CONT "%08x ", c);
9619 static noinline void do_fault_siginfo(int code, int sig, struct pt_regs *regs,
9622 @@ -230,6 +504,24 @@ good_area:
9623 if (!(vma->vm_flags & VM_WRITE))
9627 +#ifdef CONFIG_PAX_PAGEEXEC
9628 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
9629 + up_read(&mm->mmap_sem);
9630 + switch (pax_handle_fetch_fault(regs)) {
9632 +#ifdef CONFIG_PAX_EMUPLT
9639 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
9640 + do_group_exit(SIGKILL);
9644 /* Allow reads even for write-only mappings */
9645 if (!(vma->vm_flags & (VM_READ | VM_EXEC)))
9647 diff --git a/arch/sparc/mm/fault_64.c b/arch/sparc/mm/fault_64.c
9648 index 5062ff3..e0b75f3 100644
9649 --- a/arch/sparc/mm/fault_64.c
9650 +++ b/arch/sparc/mm/fault_64.c
9652 #include <linux/kprobes.h>
9653 #include <linux/kdebug.h>
9654 #include <linux/percpu.h>
9655 +#include <linux/slab.h>
9656 +#include <linux/pagemap.h>
9657 +#include <linux/compiler.h>
9659 #include <asm/page.h>
9660 #include <asm/pgtable.h>
9661 @@ -74,7 +77,7 @@ static void __kprobes bad_kernel_pc(struct pt_regs *regs, unsigned long vaddr)
9662 printk(KERN_CRIT "OOPS: Bogus kernel PC [%016lx] in fault handler\n",
9664 printk(KERN_CRIT "OOPS: RPC [%016lx]\n", regs->u_regs[15]);
9665 - printk("OOPS: RPC <%pS>\n", (void *) regs->u_regs[15]);
9666 + printk("OOPS: RPC <%pA>\n", (void *) regs->u_regs[15]);
9667 printk(KERN_CRIT "OOPS: Fault was to vaddr[%lx]\n", vaddr);
9669 unhandled_fault(regs->tpc, current, regs);
9670 @@ -270,6 +273,466 @@ static void noinline __kprobes bogus_32bit_fault_address(struct pt_regs *regs,
9674 +#ifdef CONFIG_PAX_PAGEEXEC
9675 +#ifdef CONFIG_PAX_DLRESOLVE
9676 +static void pax_emuplt_close(struct vm_area_struct *vma)
9678 + vma->vm_mm->call_dl_resolve = 0UL;
9681 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
9683 + unsigned int *kaddr;
9685 + vmf->page = alloc_page(GFP_HIGHUSER);
9687 + return VM_FAULT_OOM;
9689 + kaddr = kmap(vmf->page);
9690 + memset(kaddr, 0, PAGE_SIZE);
9691 + kaddr[0] = 0x9DE3BFA8U; /* save */
9692 + flush_dcache_page(vmf->page);
9693 + kunmap(vmf->page);
9694 + return VM_FAULT_MAJOR;
9697 +static const struct vm_operations_struct pax_vm_ops = {
9698 + .close = pax_emuplt_close,
9699 + .fault = pax_emuplt_fault
9702 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
9706 + INIT_LIST_HEAD(&vma->anon_vma_chain);
9707 + vma->vm_mm = current->mm;
9708 + vma->vm_start = addr;
9709 + vma->vm_end = addr + PAGE_SIZE;
9710 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
9711 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
9712 + vma->vm_ops = &pax_vm_ops;
9714 + ret = insert_vm_struct(current->mm, vma);
9718 + ++current->mm->total_vm;
9724 + * PaX: decide what to do with offenders (regs->tpc = fault address)
9726 + * returns 1 when task should be killed
9727 + * 2 when patched PLT trampoline was detected
9728 + * 3 when unpatched PLT trampoline was detected
9730 +static int pax_handle_fetch_fault(struct pt_regs *regs)
9733 +#ifdef CONFIG_PAX_EMUPLT
9736 + do { /* PaX: patched PLT emulation #1 */
9737 + unsigned int sethi1, sethi2, jmpl;
9739 + err = get_user(sethi1, (unsigned int *)regs->tpc);
9740 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
9741 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
9746 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
9747 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
9748 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
9750 + unsigned long addr;
9752 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
9753 + addr = regs->u_regs[UREG_G1];
9754 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
9756 + if (test_thread_flag(TIF_32BIT))
9757 + addr &= 0xFFFFFFFFUL;
9760 + regs->tnpc = addr+4;
9765 + do { /* PaX: patched PLT emulation #2 */
9768 + err = get_user(ba, (unsigned int *)regs->tpc);
9773 + if ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30480000U) {
9774 + unsigned long addr;
9776 + if ((ba & 0xFFC00000U) == 0x30800000U)
9777 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
9779 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
9781 + if (test_thread_flag(TIF_32BIT))
9782 + addr &= 0xFFFFFFFFUL;
9785 + regs->tnpc = addr+4;
9790 + do { /* PaX: patched PLT emulation #3 */
9791 + unsigned int sethi, bajmpl, nop;
9793 + err = get_user(sethi, (unsigned int *)regs->tpc);
9794 + err |= get_user(bajmpl, (unsigned int *)(regs->tpc+4));
9795 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
9800 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
9801 + ((bajmpl & 0xFFFFE000U) == 0x81C06000U || (bajmpl & 0xFFF80000U) == 0x30480000U) &&
9802 + nop == 0x01000000U)
9804 + unsigned long addr;
9806 + addr = (sethi & 0x003FFFFFU) << 10;
9807 + regs->u_regs[UREG_G1] = addr;
9808 + if ((bajmpl & 0xFFFFE000U) == 0x81C06000U)
9809 + addr += (((bajmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
9811 + addr = regs->tpc + ((((bajmpl | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
9813 + if (test_thread_flag(TIF_32BIT))
9814 + addr &= 0xFFFFFFFFUL;
9817 + regs->tnpc = addr+4;
9822 + do { /* PaX: patched PLT emulation #4 */
9823 + unsigned int sethi, mov1, call, mov2;
9825 + err = get_user(sethi, (unsigned int *)regs->tpc);
9826 + err |= get_user(mov1, (unsigned int *)(regs->tpc+4));
9827 + err |= get_user(call, (unsigned int *)(regs->tpc+8));
9828 + err |= get_user(mov2, (unsigned int *)(regs->tpc+12));
9833 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
9834 + mov1 == 0x8210000FU &&
9835 + (call & 0xC0000000U) == 0x40000000U &&
9836 + mov2 == 0x9E100001U)
9838 + unsigned long addr;
9840 + regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
9841 + addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
9843 + if (test_thread_flag(TIF_32BIT))
9844 + addr &= 0xFFFFFFFFUL;
9847 + regs->tnpc = addr+4;
9852 + do { /* PaX: patched PLT emulation #5 */
9853 + unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop;
9855 + err = get_user(sethi, (unsigned int *)regs->tpc);
9856 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
9857 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
9858 + err |= get_user(or1, (unsigned int *)(regs->tpc+12));
9859 + err |= get_user(or2, (unsigned int *)(regs->tpc+16));
9860 + err |= get_user(sllx, (unsigned int *)(regs->tpc+20));
9861 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+24));
9862 + err |= get_user(nop, (unsigned int *)(regs->tpc+28));
9867 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
9868 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
9869 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
9870 + (or1 & 0xFFFFE000U) == 0x82106000U &&
9871 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
9872 + sllx == 0x83287020U &&
9873 + jmpl == 0x81C04005U &&
9874 + nop == 0x01000000U)
9876 + unsigned long addr;
9878 + regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
9879 + regs->u_regs[UREG_G1] <<= 32;
9880 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
9881 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
9883 + regs->tnpc = addr+4;
9888 + do { /* PaX: patched PLT emulation #6 */
9889 + unsigned int sethi, sethi1, sethi2, sllx, or, jmpl, nop;
9891 + err = get_user(sethi, (unsigned int *)regs->tpc);
9892 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
9893 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
9894 + err |= get_user(sllx, (unsigned int *)(regs->tpc+12));
9895 + err |= get_user(or, (unsigned int *)(regs->tpc+16));
9896 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
9897 + err |= get_user(nop, (unsigned int *)(regs->tpc+24));
9902 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
9903 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
9904 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
9905 + sllx == 0x83287020U &&
9906 + (or & 0xFFFFE000U) == 0x8A116000U &&
9907 + jmpl == 0x81C04005U &&
9908 + nop == 0x01000000U)
9910 + unsigned long addr;
9912 + regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
9913 + regs->u_regs[UREG_G1] <<= 32;
9914 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
9915 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
9917 + regs->tnpc = addr+4;
9922 + do { /* PaX: unpatched PLT emulation step 1 */
9923 + unsigned int sethi, ba, nop;
9925 + err = get_user(sethi, (unsigned int *)regs->tpc);
9926 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
9927 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
9932 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
9933 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
9934 + nop == 0x01000000U)
9936 + unsigned long addr;
9937 + unsigned int save, call;
9938 + unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl;
9940 + if ((ba & 0xFFC00000U) == 0x30800000U)
9941 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
9943 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
9945 + if (test_thread_flag(TIF_32BIT))
9946 + addr &= 0xFFFFFFFFUL;
9948 + err = get_user(save, (unsigned int *)addr);
9949 + err |= get_user(call, (unsigned int *)(addr+4));
9950 + err |= get_user(nop, (unsigned int *)(addr+8));
9954 +#ifdef CONFIG_PAX_DLRESOLVE
9955 + if (save == 0x9DE3BFA8U &&
9956 + (call & 0xC0000000U) == 0x40000000U &&
9957 + nop == 0x01000000U)
9959 + struct vm_area_struct *vma;
9960 + unsigned long call_dl_resolve;
9962 + down_read(¤t->mm->mmap_sem);
9963 + call_dl_resolve = current->mm->call_dl_resolve;
9964 + up_read(¤t->mm->mmap_sem);
9965 + if (likely(call_dl_resolve))
9968 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
9970 + down_write(¤t->mm->mmap_sem);
9971 + if (current->mm->call_dl_resolve) {
9972 + call_dl_resolve = current->mm->call_dl_resolve;
9973 + up_write(¤t->mm->mmap_sem);
9975 + kmem_cache_free(vm_area_cachep, vma);
9979 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
9980 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
9981 + up_write(¤t->mm->mmap_sem);
9983 + kmem_cache_free(vm_area_cachep, vma);
9987 + if (pax_insert_vma(vma, call_dl_resolve)) {
9988 + up_write(¤t->mm->mmap_sem);
9989 + kmem_cache_free(vm_area_cachep, vma);
9993 + current->mm->call_dl_resolve = call_dl_resolve;
9994 + up_write(¤t->mm->mmap_sem);
9997 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
9998 + regs->tpc = call_dl_resolve;
9999 + regs->tnpc = addr+4;
10004 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
10005 + if ((save & 0xFFC00000U) == 0x05000000U &&
10006 + (call & 0xFFFFE000U) == 0x85C0A000U &&
10007 + nop == 0x01000000U)
10009 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
10010 + regs->u_regs[UREG_G2] = addr + 4;
10011 + addr = (save & 0x003FFFFFU) << 10;
10012 + addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
10014 + if (test_thread_flag(TIF_32BIT))
10015 + addr &= 0xFFFFFFFFUL;
10017 + regs->tpc = addr;
10018 + regs->tnpc = addr+4;
10022 + /* PaX: 64-bit PLT stub */
10023 + err = get_user(sethi1, (unsigned int *)addr);
10024 + err |= get_user(sethi2, (unsigned int *)(addr+4));
10025 + err |= get_user(or1, (unsigned int *)(addr+8));
10026 + err |= get_user(or2, (unsigned int *)(addr+12));
10027 + err |= get_user(sllx, (unsigned int *)(addr+16));
10028 + err |= get_user(add, (unsigned int *)(addr+20));
10029 + err |= get_user(jmpl, (unsigned int *)(addr+24));
10030 + err |= get_user(nop, (unsigned int *)(addr+28));
10034 + if ((sethi1 & 0xFFC00000U) == 0x09000000U &&
10035 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
10036 + (or1 & 0xFFFFE000U) == 0x88112000U &&
10037 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
10038 + sllx == 0x89293020U &&
10039 + add == 0x8A010005U &&
10040 + jmpl == 0x89C14000U &&
10041 + nop == 0x01000000U)
10043 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
10044 + regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
10045 + regs->u_regs[UREG_G4] <<= 32;
10046 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
10047 + regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4];
10048 + regs->u_regs[UREG_G4] = addr + 24;
10049 + addr = regs->u_regs[UREG_G5];
10050 + regs->tpc = addr;
10051 + regs->tnpc = addr+4;
10057 +#ifdef CONFIG_PAX_DLRESOLVE
10058 + do { /* PaX: unpatched PLT emulation step 2 */
10059 + unsigned int save, call, nop;
10061 + err = get_user(save, (unsigned int *)(regs->tpc-4));
10062 + err |= get_user(call, (unsigned int *)regs->tpc);
10063 + err |= get_user(nop, (unsigned int *)(regs->tpc+4));
10067 + if (save == 0x9DE3BFA8U &&
10068 + (call & 0xC0000000U) == 0x40000000U &&
10069 + nop == 0x01000000U)
10071 + unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
10073 + if (test_thread_flag(TIF_32BIT))
10074 + dl_resolve &= 0xFFFFFFFFUL;
10076 + regs->u_regs[UREG_RETPC] = regs->tpc;
10077 + regs->tpc = dl_resolve;
10078 + regs->tnpc = dl_resolve+4;
10084 + do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */
10085 + unsigned int sethi, ba, nop;
10087 + err = get_user(sethi, (unsigned int *)regs->tpc);
10088 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
10089 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
10094 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
10095 + (ba & 0xFFF00000U) == 0x30600000U &&
10096 + nop == 0x01000000U)
10098 + unsigned long addr;
10100 + addr = (sethi & 0x003FFFFFU) << 10;
10101 + regs->u_regs[UREG_G1] = addr;
10102 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
10104 + if (test_thread_flag(TIF_32BIT))
10105 + addr &= 0xFFFFFFFFUL;
10107 + regs->tpc = addr;
10108 + regs->tnpc = addr+4;
10118 +void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
10122 + printk(KERN_ERR "PAX: bytes at PC: ");
10123 + for (i = 0; i < 8; i++) {
10125 + if (get_user(c, (unsigned int *)pc+i))
10126 + printk(KERN_CONT "???????? ");
10128 + printk(KERN_CONT "%08x ", c);
10134 asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
10136 struct mm_struct *mm = current->mm;
10137 @@ -341,6 +804,29 @@ retry:
10141 +#ifdef CONFIG_PAX_PAGEEXEC
10142 + /* PaX: detect ITLB misses on non-exec pages */
10143 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
10144 + !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
10146 + if (address != regs->tpc)
10149 + up_read(&mm->mmap_sem);
10150 + switch (pax_handle_fetch_fault(regs)) {
10152 +#ifdef CONFIG_PAX_EMUPLT
10159 + pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS));
10160 + do_group_exit(SIGKILL);
10164 /* Pure DTLB misses do not tell us whether the fault causing
10165 * load/store/atomic was a write or not, it only says that there
10166 * was no match. So in such a case we (carefully) read the
10167 diff --git a/arch/sparc/mm/hugetlbpage.c b/arch/sparc/mm/hugetlbpage.c
10168 index d2b5944..d878f3c 100644
10169 --- a/arch/sparc/mm/hugetlbpage.c
10170 +++ b/arch/sparc/mm/hugetlbpage.c
10171 @@ -28,7 +28,8 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *filp,
10172 unsigned long addr,
10174 unsigned long pgoff,
10175 - unsigned long flags)
10176 + unsigned long flags,
10177 + unsigned long offset)
10179 unsigned long task_size = TASK_SIZE;
10180 struct vm_unmapped_area_info info;
10181 @@ -38,15 +39,22 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *filp,
10185 - info.low_limit = TASK_UNMAPPED_BASE;
10186 + info.low_limit = mm->mmap_base;
10187 info.high_limit = min(task_size, VA_EXCLUDE_START);
10188 info.align_mask = PAGE_MASK & ~HPAGE_MASK;
10189 info.align_offset = 0;
10190 + info.threadstack_offset = offset;
10191 addr = vm_unmapped_area(&info);
10193 if ((addr & ~PAGE_MASK) && task_size > VA_EXCLUDE_END) {
10194 VM_BUG_ON(addr != -ENOMEM);
10195 info.low_limit = VA_EXCLUDE_END;
10197 +#ifdef CONFIG_PAX_RANDMMAP
10198 + if (mm->pax_flags & MF_PAX_RANDMMAP)
10199 + info.low_limit += mm->delta_mmap;
10202 info.high_limit = task_size;
10203 addr = vm_unmapped_area(&info);
10205 @@ -58,7 +66,8 @@ static unsigned long
10206 hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
10207 const unsigned long len,
10208 const unsigned long pgoff,
10209 - const unsigned long flags)
10210 + const unsigned long flags,
10211 + const unsigned long offset)
10213 struct mm_struct *mm = current->mm;
10214 unsigned long addr = addr0;
10215 @@ -73,6 +82,7 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
10216 info.high_limit = mm->mmap_base;
10217 info.align_mask = PAGE_MASK & ~HPAGE_MASK;
10218 info.align_offset = 0;
10219 + info.threadstack_offset = offset;
10220 addr = vm_unmapped_area(&info);
10223 @@ -85,6 +95,12 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
10224 VM_BUG_ON(addr != -ENOMEM);
10226 info.low_limit = TASK_UNMAPPED_BASE;
10228 +#ifdef CONFIG_PAX_RANDMMAP
10229 + if (mm->pax_flags & MF_PAX_RANDMMAP)
10230 + info.low_limit += mm->delta_mmap;
10233 info.high_limit = STACK_TOP32;
10234 addr = vm_unmapped_area(&info);
10236 @@ -99,6 +115,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
10237 struct mm_struct *mm = current->mm;
10238 struct vm_area_struct *vma;
10239 unsigned long task_size = TASK_SIZE;
10240 + unsigned long offset = gr_rand_threadstack_offset(mm, file, flags);
10242 if (test_thread_flag(TIF_32BIT))
10243 task_size = STACK_TOP32;
10244 @@ -114,19 +131,22 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
10248 +#ifdef CONFIG_PAX_RANDMMAP
10249 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
10253 addr = ALIGN(addr, HPAGE_SIZE);
10254 vma = find_vma(mm, addr);
10255 - if (task_size - len >= addr &&
10256 - (!vma || addr + len <= vma->vm_start))
10257 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
10260 if (mm->get_unmapped_area == arch_get_unmapped_area)
10261 return hugetlb_get_unmapped_area_bottomup(file, addr, len,
10263 + pgoff, flags, offset);
10265 return hugetlb_get_unmapped_area_topdown(file, addr, len,
10267 + pgoff, flags, offset);
10270 pte_t *huge_pte_alloc(struct mm_struct *mm,
10271 diff --git a/arch/tile/include/asm/atomic_64.h b/arch/tile/include/asm/atomic_64.h
10272 index f4500c6..889656c 100644
10273 --- a/arch/tile/include/asm/atomic_64.h
10274 +++ b/arch/tile/include/asm/atomic_64.h
10275 @@ -143,6 +143,16 @@ static inline long atomic64_add_unless(atomic64_t *v, long a, long u)
10277 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
10279 +#define atomic64_read_unchecked(v) atomic64_read(v)
10280 +#define atomic64_set_unchecked(v, i) atomic64_set((v), (i))
10281 +#define atomic64_add_unchecked(a, v) atomic64_add((a), (v))
10282 +#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v))
10283 +#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v))
10284 +#define atomic64_inc_unchecked(v) atomic64_inc(v)
10285 +#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v)
10286 +#define atomic64_dec_unchecked(v) atomic64_dec(v)
10287 +#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n))
10289 /* Atomic dec and inc don't implement barrier, so provide them if needed. */
10290 #define smp_mb__before_atomic_dec() smp_mb()
10291 #define smp_mb__after_atomic_dec() smp_mb()
10292 diff --git a/arch/tile/include/asm/cache.h b/arch/tile/include/asm/cache.h
10293 index a9a5299..0fce79e 100644
10294 --- a/arch/tile/include/asm/cache.h
10295 +++ b/arch/tile/include/asm/cache.h
10296 @@ -15,11 +15,12 @@
10297 #ifndef _ASM_TILE_CACHE_H
10298 #define _ASM_TILE_CACHE_H
10300 +#include <linux/const.h>
10301 #include <arch/chip.h>
10303 /* bytes per L1 data cache line */
10304 #define L1_CACHE_SHIFT CHIP_L1D_LOG_LINE_SIZE()
10305 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
10306 +#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
10308 /* bytes per L2 cache line */
10309 #define L2_CACHE_SHIFT CHIP_L2_LOG_LINE_SIZE()
10310 diff --git a/arch/tile/include/asm/uaccess.h b/arch/tile/include/asm/uaccess.h
10311 index 8a082bc..7a6bf87 100644
10312 --- a/arch/tile/include/asm/uaccess.h
10313 +++ b/arch/tile/include/asm/uaccess.h
10314 @@ -408,9 +408,9 @@ static inline unsigned long __must_check copy_from_user(void *to,
10315 const void __user *from,
10318 - int sz = __compiletime_object_size(to);
10319 + size_t sz = __compiletime_object_size(to);
10321 - if (likely(sz == -1 || sz >= n))
10322 + if (likely(sz == (size_t)-1 || sz >= n))
10323 n = _copy_from_user(to, from, n);
10325 copy_from_user_overflow();
10326 diff --git a/arch/tile/mm/hugetlbpage.c b/arch/tile/mm/hugetlbpage.c
10327 index 650ccff..45fe2d6 100644
10328 --- a/arch/tile/mm/hugetlbpage.c
10329 +++ b/arch/tile/mm/hugetlbpage.c
10330 @@ -239,6 +239,7 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *file,
10331 info.high_limit = TASK_SIZE;
10332 info.align_mask = PAGE_MASK & ~huge_page_mask(h);
10333 info.align_offset = 0;
10334 + info.threadstack_offset = 0;
10335 return vm_unmapped_area(&info);
10338 @@ -256,6 +257,7 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
10339 info.high_limit = current->mm->mmap_base;
10340 info.align_mask = PAGE_MASK & ~huge_page_mask(h);
10341 info.align_offset = 0;
10342 + info.threadstack_offset = 0;
10343 addr = vm_unmapped_area(&info);
10346 diff --git a/arch/um/Makefile b/arch/um/Makefile
10347 index 133f7de..1d6f2f1 100644
10348 --- a/arch/um/Makefile
10349 +++ b/arch/um/Makefile
10350 @@ -62,6 +62,10 @@ USER_CFLAGS = $(patsubst $(KERNEL_DEFINES),,$(patsubst -D__KERNEL__,,\
10351 $(patsubst -I%,,$(KBUILD_CFLAGS)))) $(ARCH_INCLUDE) $(MODE_INCLUDE) \
10352 $(filter -I%,$(CFLAGS)) -D_FILE_OFFSET_BITS=64 -idirafter include
10354 +ifdef CONSTIFY_PLUGIN
10355 +USER_CFLAGS += -fplugin-arg-constify_plugin-no-constify
10358 #This will adjust *FLAGS accordingly to the platform.
10359 include $(srctree)/$(ARCH_DIR)/Makefile-os-$(OS)
10361 diff --git a/arch/um/defconfig b/arch/um/defconfig
10362 index 08107a7..ab22afe 100644
10363 --- a/arch/um/defconfig
10364 +++ b/arch/um/defconfig
10365 @@ -51,7 +51,6 @@ CONFIG_X86_CMPXCHG=y
10366 CONFIG_X86_L1_CACHE_SHIFT=5
10368 CONFIG_X86_PPRO_FENCE=y
10369 -CONFIG_X86_WP_WORKS_OK=y
10370 CONFIG_X86_INVLPG=y
10372 CONFIG_X86_POPAD_OK=y
10373 diff --git a/arch/um/include/asm/cache.h b/arch/um/include/asm/cache.h
10374 index 19e1bdd..3665b77 100644
10375 --- a/arch/um/include/asm/cache.h
10376 +++ b/arch/um/include/asm/cache.h
10378 #ifndef __UM_CACHE_H
10379 #define __UM_CACHE_H
10381 +#include <linux/const.h>
10383 #if defined(CONFIG_UML_X86) && !defined(CONFIG_64BIT)
10384 # define L1_CACHE_SHIFT (CONFIG_X86_L1_CACHE_SHIFT)
10386 # define L1_CACHE_SHIFT 5
10389 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
10390 +#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
10393 diff --git a/arch/um/include/asm/kmap_types.h b/arch/um/include/asm/kmap_types.h
10394 index 2e0a6b1..a64d0f5 100644
10395 --- a/arch/um/include/asm/kmap_types.h
10396 +++ b/arch/um/include/asm/kmap_types.h
10399 /* No more #include "asm/arch/kmap_types.h" ! */
10401 -#define KM_TYPE_NR 14
10402 +#define KM_TYPE_NR 15
10405 diff --git a/arch/um/include/asm/page.h b/arch/um/include/asm/page.h
10406 index 5ff53d9..5850cdf 100644
10407 --- a/arch/um/include/asm/page.h
10408 +++ b/arch/um/include/asm/page.h
10410 #define PAGE_SIZE (_AC(1, UL) << PAGE_SHIFT)
10411 #define PAGE_MASK (~(PAGE_SIZE-1))
10413 +#define ktla_ktva(addr) (addr)
10414 +#define ktva_ktla(addr) (addr)
10416 #ifndef __ASSEMBLY__
10419 diff --git a/arch/um/include/asm/pgtable-3level.h b/arch/um/include/asm/pgtable-3level.h
10420 index 0032f92..cd151e0 100644
10421 --- a/arch/um/include/asm/pgtable-3level.h
10422 +++ b/arch/um/include/asm/pgtable-3level.h
10424 #define pud_present(x) (pud_val(x) & _PAGE_PRESENT)
10425 #define pud_populate(mm, pud, pmd) \
10426 set_pud(pud, __pud(_PAGE_TABLE + __pa(pmd)))
10427 +#define pud_populate_kernel(mm, pud, pmd) pud_populate((mm), (pud), (pmd))
10429 #ifdef CONFIG_64BIT
10430 #define set_pud(pudptr, pudval) set_64bit((u64 *) (pudptr), pud_val(pudval))
10431 diff --git a/arch/um/kernel/process.c b/arch/um/kernel/process.c
10432 index bbcef52..6a2a483 100644
10433 --- a/arch/um/kernel/process.c
10434 +++ b/arch/um/kernel/process.c
10435 @@ -367,22 +367,6 @@ int singlestepping(void * t)
10440 - * Only x86 and x86_64 have an arch_align_stack().
10441 - * All other arches have "#define arch_align_stack(x) (x)"
10442 - * in their asm/system.h
10443 - * As this is included in UML from asm-um/system-generic.h,
10444 - * we can use it to behave as the subarch does.
10446 -#ifndef arch_align_stack
10447 -unsigned long arch_align_stack(unsigned long sp)
10449 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
10450 - sp -= get_random_int() % 8192;
10451 - return sp & ~0xf;
10455 unsigned long get_wchan(struct task_struct *p)
10457 unsigned long stack_page, sp, ip;
10458 diff --git a/arch/unicore32/include/asm/cache.h b/arch/unicore32/include/asm/cache.h
10459 index ad8f795..2c7eec6 100644
10460 --- a/arch/unicore32/include/asm/cache.h
10461 +++ b/arch/unicore32/include/asm/cache.h
10463 #ifndef __UNICORE_CACHE_H__
10464 #define __UNICORE_CACHE_H__
10466 -#define L1_CACHE_SHIFT (5)
10467 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
10468 +#include <linux/const.h>
10470 +#define L1_CACHE_SHIFT 5
10471 +#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
10474 * Memory returned by kmalloc() may be used for DMA, so we must make
10475 diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
10476 index fe120da..24177f7 100644
10477 --- a/arch/x86/Kconfig
10478 +++ b/arch/x86/Kconfig
10479 @@ -239,7 +239,7 @@ config X86_HT
10481 config X86_32_LAZY_GS
10483 - depends on X86_32 && !CC_STACKPROTECTOR
10484 + depends on X86_32 && !CC_STACKPROTECTOR && !PAX_MEMORY_UDEREF
10486 config ARCH_HWEIGHT_CFLAGS
10488 @@ -1073,6 +1073,7 @@ config MICROCODE_EARLY
10491 tristate "/dev/cpu/*/msr - Model-specific register support"
10492 + depends on !GRKERNSEC_KMEM
10494 This device gives privileged processes access to the x86
10495 Model-Specific Registers (MSRs). It is a character device with
10496 @@ -1096,7 +1097,7 @@ choice
10500 - depends on !X86_NUMAQ
10501 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
10503 Linux can use up to 64 Gigabytes of physical memory on x86 systems.
10504 However, the address space of 32-bit x86 processors is only 4
10505 @@ -1133,7 +1134,7 @@ config NOHIGHMEM
10509 - depends on !X86_NUMAQ
10510 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
10512 Select this if you have a 32-bit processor and between 1 and 4
10513 gigabytes of physical RAM.
10514 @@ -1186,7 +1187,7 @@ config PAGE_OFFSET
10516 default 0xB0000000 if VMSPLIT_3G_OPT
10517 default 0x80000000 if VMSPLIT_2G
10518 - default 0x78000000 if VMSPLIT_2G_OPT
10519 + default 0x70000000 if VMSPLIT_2G_OPT
10520 default 0x40000000 if VMSPLIT_1G
10523 @@ -1584,6 +1585,7 @@ config SECCOMP
10525 config CC_STACKPROTECTOR
10526 bool "Enable -fstack-protector buffer overflow detection"
10527 + depends on X86_64 || !PAX_MEMORY_UDEREF
10529 This option turns on the -fstack-protector GCC feature. This
10530 feature puts, at the beginning of functions, a canary value on
10531 @@ -1703,6 +1705,8 @@ config X86_NEED_RELOCS
10532 config PHYSICAL_ALIGN
10533 hex "Alignment value to which kernel should be aligned" if X86_32
10534 default "0x1000000"
10535 + range 0x200000 0x1000000 if PAX_KERNEXEC && X86_PAE
10536 + range 0x400000 0x1000000 if PAX_KERNEXEC && !X86_PAE
10537 range 0x2000 0x1000000
10539 This value puts the alignment restrictions on physical address
10540 @@ -1778,9 +1782,10 @@ config DEBUG_HOTPLUG_CPU0
10546 prompt "Compat VDSO support"
10547 depends on X86_32 || IA32_EMULATION
10548 + depends on !PAX_PAGEEXEC && !PAX_SEGMEXEC && !PAX_KERNEXEC && !PAX_MEMORY_UDEREF
10550 Map the 32-bit VDSO to the predictable old-style address too.
10552 diff --git a/arch/x86/Kconfig.cpu b/arch/x86/Kconfig.cpu
10553 index c026cca..14657ae 100644
10554 --- a/arch/x86/Kconfig.cpu
10555 +++ b/arch/x86/Kconfig.cpu
10556 @@ -319,7 +319,7 @@ config X86_PPRO_FENCE
10558 config X86_F00F_BUG
10560 - depends on M586MMX || M586TSC || M586 || M486
10561 + depends on (M586MMX || M586TSC || M586 || M486) && !PAX_KERNEXEC
10563 config X86_INVD_BUG
10565 @@ -327,7 +327,7 @@ config X86_INVD_BUG
10567 config X86_ALIGNMENT_16
10569 - depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || MELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
10570 + depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
10572 config X86_INTEL_USERCOPY
10574 @@ -373,7 +373,7 @@ config X86_CMPXCHG64
10578 - depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
10579 + depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
10581 config X86_MINIMUM_CPU_FAMILY
10583 diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug
10584 index c198b7e..63eea60 100644
10585 --- a/arch/x86/Kconfig.debug
10586 +++ b/arch/x86/Kconfig.debug
10587 @@ -84,7 +84,7 @@ config X86_PTDUMP
10588 config DEBUG_RODATA
10589 bool "Write protect kernel read-only data structures"
10591 - depends on DEBUG_KERNEL
10592 + depends on DEBUG_KERNEL && BROKEN
10594 Mark the kernel read-only data as write-protected in the pagetables,
10595 in order to catch accidental (and incorrect) writes to such const
10596 @@ -102,7 +102,7 @@ config DEBUG_RODATA_TEST
10598 config DEBUG_SET_MODULE_RONX
10599 bool "Set loadable kernel module data as NX and text as RO"
10600 - depends on MODULES
10601 + depends on MODULES && BROKEN
10603 This option helps catch unintended modifications to loadable
10604 kernel module's text and read-only data. It also prevents execution
10605 diff --git a/arch/x86/Makefile b/arch/x86/Makefile
10606 index 5c47726..8c4fa67 100644
10607 --- a/arch/x86/Makefile
10608 +++ b/arch/x86/Makefile
10609 @@ -54,6 +54,7 @@ else
10610 UTS_MACHINE := x86_64
10611 CHECKFLAGS += -D__x86_64__ -m64
10613 + biarch := $(call cc-option,-m64)
10614 KBUILD_AFLAGS += -m64
10615 KBUILD_CFLAGS += -m64
10617 @@ -234,3 +235,12 @@ define archhelp
10618 echo ' FDARGS="..." arguments for the booted kernel'
10619 echo ' FDINITRD=file initrd for the booted kernel'
10624 +*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils.
10625 +*** Please upgrade your binutils to 2.18 or newer
10629 + $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
10630 diff --git a/arch/x86/boot/Makefile b/arch/x86/boot/Makefile
10631 index 379814b..add62ce 100644
10632 --- a/arch/x86/boot/Makefile
10633 +++ b/arch/x86/boot/Makefile
10634 @@ -65,6 +65,9 @@ KBUILD_CFLAGS := $(USERINCLUDE) -g -Os -D_SETUP -D__KERNEL__ \
10635 $(call cc-option, -fno-stack-protector) \
10636 $(call cc-option, -mpreferred-stack-boundary=2)
10637 KBUILD_CFLAGS += $(call cc-option, -m32)
10638 +ifdef CONSTIFY_PLUGIN
10639 +KBUILD_CFLAGS += -fplugin-arg-constify_plugin-no-constify
10641 KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
10644 diff --git a/arch/x86/boot/bitops.h b/arch/x86/boot/bitops.h
10645 index 878e4b9..20537ab 100644
10646 --- a/arch/x86/boot/bitops.h
10647 +++ b/arch/x86/boot/bitops.h
10648 @@ -26,7 +26,7 @@ static inline int variable_test_bit(int nr, const void *addr)
10650 const u32 *p = (const u32 *)addr;
10652 - asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
10653 + asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
10657 @@ -37,7 +37,7 @@ static inline int variable_test_bit(int nr, const void *addr)
10659 static inline void set_bit(int nr, void *addr)
10661 - asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
10662 + asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
10665 #endif /* BOOT_BITOPS_H */
10666 diff --git a/arch/x86/boot/boot.h b/arch/x86/boot/boot.h
10667 index 5b75319..331a4ca 100644
10668 --- a/arch/x86/boot/boot.h
10669 +++ b/arch/x86/boot/boot.h
10670 @@ -85,7 +85,7 @@ static inline void io_delay(void)
10671 static inline u16 ds(void)
10674 - asm("movw %%ds,%0" : "=rm" (seg));
10675 + asm volatile("movw %%ds,%0" : "=rm" (seg));
10679 @@ -181,7 +181,7 @@ static inline void wrgs32(u32 v, addr_t addr)
10680 static inline int memcmp(const void *s1, const void *s2, size_t len)
10683 - asm("repe; cmpsb; setnz %0"
10684 + asm volatile("repe; cmpsb; setnz %0"
10685 : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
10688 diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile
10689 index 5ef205c..342191d 100644
10690 --- a/arch/x86/boot/compressed/Makefile
10691 +++ b/arch/x86/boot/compressed/Makefile
10692 @@ -14,6 +14,9 @@ cflags-$(CONFIG_X86_64) := -mcmodel=small
10693 KBUILD_CFLAGS += $(cflags-y)
10694 KBUILD_CFLAGS += $(call cc-option,-ffreestanding)
10695 KBUILD_CFLAGS += $(call cc-option,-fno-stack-protector)
10696 +ifdef CONSTIFY_PLUGIN
10697 +KBUILD_CFLAGS += -fplugin-arg-constify_plugin-no-constify
10700 KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
10702 diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
10703 index d606463..b887794 100644
10704 --- a/arch/x86/boot/compressed/eboot.c
10705 +++ b/arch/x86/boot/compressed/eboot.c
10706 @@ -150,7 +150,6 @@ again:
10711 efi_call_phys1(sys_table->boottime->free_pool, map);
10714 @@ -214,7 +213,6 @@ static efi_status_t low_alloc(unsigned long size, unsigned long align,
10715 if (i == map_size / desc_size)
10716 status = EFI_NOT_FOUND;
10719 efi_call_phys1(sys_table->boottime->free_pool, map);
10722 diff --git a/arch/x86/boot/compressed/efi_stub_32.S b/arch/x86/boot/compressed/efi_stub_32.S
10723 index a53440e..c3dbf1e 100644
10724 --- a/arch/x86/boot/compressed/efi_stub_32.S
10725 +++ b/arch/x86/boot/compressed/efi_stub_32.S
10726 @@ -46,16 +46,13 @@ ENTRY(efi_call_phys)
10727 * parameter 2, ..., param n. To make things easy, we save the return
10728 * address of efi_call_phys in a global variable.
10731 - movl %ecx, saved_return_addr(%edx)
10732 - /* get the function pointer into ECX*/
10734 - movl %ecx, efi_rt_function_ptr(%edx)
10735 + popl saved_return_addr(%edx)
10736 + popl efi_rt_function_ptr(%edx)
10739 * 3. Call the physical function.
10742 + call *efi_rt_function_ptr(%edx)
10745 * 4. Balance the stack. And because EAX contain the return value,
10746 @@ -67,15 +64,12 @@ ENTRY(efi_call_phys)
10750 - movl efi_rt_function_ptr(%edx), %ecx
10752 + pushl efi_rt_function_ptr(%edx)
10755 * 10. Push the saved return address onto the stack and return.
10757 - movl saved_return_addr(%edx), %ecx
10760 + jmpl *saved_return_addr(%edx)
10761 ENDPROC(efi_call_phys)
10764 diff --git a/arch/x86/boot/compressed/head_32.S b/arch/x86/boot/compressed/head_32.S
10765 index 1e3184f..0d11e2e 100644
10766 --- a/arch/x86/boot/compressed/head_32.S
10767 +++ b/arch/x86/boot/compressed/head_32.S
10768 @@ -118,7 +118,7 @@ preferred_addr:
10772 - movl $LOAD_PHYSICAL_ADDR, %ebx
10773 + movl $____LOAD_PHYSICAL_ADDR, %ebx
10776 /* Target address to relocate to for decompression */
10777 @@ -204,7 +204,7 @@ relocated:
10778 * and where it was actually loaded.
10781 - subl $LOAD_PHYSICAL_ADDR, %ebx
10782 + subl $____LOAD_PHYSICAL_ADDR, %ebx
10783 jz 2f /* Nothing to be done if loaded at compiled addr. */
10785 * Process relocations.
10786 @@ -212,8 +212,7 @@ relocated:
10793 addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
10796 diff --git a/arch/x86/boot/compressed/head_64.S b/arch/x86/boot/compressed/head_64.S
10797 index 16f24e6..47491a3 100644
10798 --- a/arch/x86/boot/compressed/head_64.S
10799 +++ b/arch/x86/boot/compressed/head_64.S
10800 @@ -97,7 +97,7 @@ ENTRY(startup_32)
10804 - movl $LOAD_PHYSICAL_ADDR, %ebx
10805 + movl $____LOAD_PHYSICAL_ADDR, %ebx
10808 /* Target address to relocate to for decompression */
10809 @@ -272,7 +272,7 @@ preferred_addr:
10813 - movq $LOAD_PHYSICAL_ADDR, %rbp
10814 + movq $____LOAD_PHYSICAL_ADDR, %rbp
10817 /* Target address to relocate to for decompression */
10818 @@ -363,8 +363,8 @@ gdt:
10821 .quad 0x0000000000000000 /* NULL descriptor */
10822 - .quad 0x00af9a000000ffff /* __KERNEL_CS */
10823 - .quad 0x00cf92000000ffff /* __KERNEL_DS */
10824 + .quad 0x00af9b000000ffff /* __KERNEL_CS */
10825 + .quad 0x00cf93000000ffff /* __KERNEL_DS */
10826 .quad 0x0080890000000000 /* TS descriptor */
10827 .quad 0x0000000000000000 /* TS continued */
10829 diff --git a/arch/x86/boot/compressed/misc.c b/arch/x86/boot/compressed/misc.c
10830 index 7cb56c6..d382d84 100644
10831 --- a/arch/x86/boot/compressed/misc.c
10832 +++ b/arch/x86/boot/compressed/misc.c
10833 @@ -303,7 +303,7 @@ static void parse_elf(void *output)
10835 #ifdef CONFIG_RELOCATABLE
10837 - dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
10838 + dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR);
10840 dest = (void *)(phdr->p_paddr);
10842 @@ -354,7 +354,7 @@ asmlinkage void decompress_kernel(void *rmode, memptr heap,
10843 error("Destination address too large");
10845 #ifndef CONFIG_RELOCATABLE
10846 - if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
10847 + if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR)
10848 error("Wrong destination address");
10851 diff --git a/arch/x86/boot/cpucheck.c b/arch/x86/boot/cpucheck.c
10852 index 4d3ff03..e4972ff 100644
10853 --- a/arch/x86/boot/cpucheck.c
10854 +++ b/arch/x86/boot/cpucheck.c
10855 @@ -74,7 +74,7 @@ static int has_fpu(void)
10856 u16 fcw = -1, fsw = -1;
10859 - asm("movl %%cr0,%0" : "=r" (cr0));
10860 + asm volatile("movl %%cr0,%0" : "=r" (cr0));
10861 if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
10862 cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
10863 asm volatile("movl %0,%%cr0" : : "r" (cr0));
10864 @@ -90,7 +90,7 @@ static int has_eflag(u32 mask)
10869 + asm volatile("pushfl ; "
10873 @@ -115,7 +115,7 @@ static void get_flags(void)
10874 set_bit(X86_FEATURE_FPU, cpu.flags);
10876 if (has_eflag(X86_EFLAGS_ID)) {
10878 + asm volatile("cpuid"
10879 : "=a" (max_intel_level),
10880 "=b" (cpu_vendor[0]),
10881 "=d" (cpu_vendor[1]),
10882 @@ -124,7 +124,7 @@ static void get_flags(void)
10884 if (max_intel_level >= 0x00000001 &&
10885 max_intel_level <= 0x0000ffff) {
10887 + asm volatile("cpuid"
10889 "=c" (cpu.flags[4]),
10890 "=d" (cpu.flags[0])
10891 @@ -136,7 +136,7 @@ static void get_flags(void)
10892 cpu.model += ((tfms >> 16) & 0xf) << 4;
10896 + asm volatile("cpuid"
10897 : "=a" (max_amd_level)
10899 : "ebx", "ecx", "edx");
10900 @@ -144,7 +144,7 @@ static void get_flags(void)
10901 if (max_amd_level >= 0x80000001 &&
10902 max_amd_level <= 0x8000ffff) {
10903 u32 eax = 0x80000001;
10905 + asm volatile("cpuid"
10907 "=c" (cpu.flags[6]),
10908 "=d" (cpu.flags[1])
10909 @@ -203,9 +203,9 @@ int check_cpu(int *cpu_level_ptr, int *req_level_ptr, u32 **err_flags_ptr)
10910 u32 ecx = MSR_K7_HWCR;
10913 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
10914 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
10916 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
10917 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
10919 get_flags(); /* Make sure it really did something */
10920 err = check_flags();
10921 @@ -218,9 +218,9 @@ int check_cpu(int *cpu_level_ptr, int *req_level_ptr, u32 **err_flags_ptr)
10922 u32 ecx = MSR_VIA_FCR;
10925 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
10926 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
10927 eax |= (1<<1)|(1<<7);
10928 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
10929 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
10931 set_bit(X86_FEATURE_CX8, cpu.flags);
10932 err = check_flags();
10933 @@ -231,12 +231,12 @@ int check_cpu(int *cpu_level_ptr, int *req_level_ptr, u32 **err_flags_ptr)
10937 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
10938 - asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
10940 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
10941 + asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
10942 + asm volatile("cpuid"
10943 : "+a" (level), "=d" (cpu.flags[0])
10945 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
10946 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
10948 err = check_flags();
10950 diff --git a/arch/x86/boot/header.S b/arch/x86/boot/header.S
10951 index 9ec06a1..2c25e79 100644
10952 --- a/arch/x86/boot/header.S
10953 +++ b/arch/x86/boot/header.S
10954 @@ -409,10 +409,14 @@ setup_data: .quad 0 # 64-bit physical pointer to
10955 # single linked list of
10956 # struct setup_data
10958 -pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr
10959 +pref_address: .quad ____LOAD_PHYSICAL_ADDR # preferred load addr
10961 #define ZO_INIT_SIZE (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
10962 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
10963 +#define VO_INIT_SIZE (VO__end - VO__text - __PAGE_OFFSET - ____LOAD_PHYSICAL_ADDR)
10965 #define VO_INIT_SIZE (VO__end - VO__text)
10967 #if ZO_INIT_SIZE > VO_INIT_SIZE
10968 #define INIT_SIZE ZO_INIT_SIZE
10970 diff --git a/arch/x86/boot/memory.c b/arch/x86/boot/memory.c
10971 index db75d07..8e6d0af 100644
10972 --- a/arch/x86/boot/memory.c
10973 +++ b/arch/x86/boot/memory.c
10976 static int detect_memory_e820(void)
10979 + unsigned int count = 0;
10980 struct biosregs ireg, oreg;
10981 struct e820entry *desc = boot_params.e820_map;
10982 static struct e820entry buf; /* static so it is zeroed */
10983 diff --git a/arch/x86/boot/video-vesa.c b/arch/x86/boot/video-vesa.c
10984 index 11e8c6e..fdbb1ed 100644
10985 --- a/arch/x86/boot/video-vesa.c
10986 +++ b/arch/x86/boot/video-vesa.c
10987 @@ -200,6 +200,7 @@ static void vesa_store_pm_info(void)
10989 boot_params.screen_info.vesapm_seg = oreg.es;
10990 boot_params.screen_info.vesapm_off = oreg.di;
10991 + boot_params.screen_info.vesapm_size = oreg.cx;
10995 diff --git a/arch/x86/boot/video.c b/arch/x86/boot/video.c
10996 index 43eda28..5ab5fdb 100644
10997 --- a/arch/x86/boot/video.c
10998 +++ b/arch/x86/boot/video.c
10999 @@ -96,7 +96,7 @@ static void store_mode_params(void)
11000 static unsigned int get_entry(void)
11004 + unsigned int i, len = 0;
11008 diff --git a/arch/x86/crypto/aes-x86_64-asm_64.S b/arch/x86/crypto/aes-x86_64-asm_64.S
11009 index 9105655..5e37f27 100644
11010 --- a/arch/x86/crypto/aes-x86_64-asm_64.S
11011 +++ b/arch/x86/crypto/aes-x86_64-asm_64.S
11013 * including this sentence is retained in full.
11016 +#include <asm/alternative-asm.h>
11018 .extern crypto_ft_tab
11019 .extern crypto_it_tab
11020 .extern crypto_fl_tab
11025 +#define ret pax_force_retaddr 0, 1; ret
11027 #define epilogue(FUNC,r1,r2,r3,r4,r5,r6,r7,r8,r9) \
11030 diff --git a/arch/x86/crypto/aesni-intel_asm.S b/arch/x86/crypto/aesni-intel_asm.S
11031 index 477e9d7..3ab339f 100644
11032 --- a/arch/x86/crypto/aesni-intel_asm.S
11033 +++ b/arch/x86/crypto/aesni-intel_asm.S
11036 #include <linux/linkage.h>
11037 #include <asm/inst.h>
11038 +#include <asm/alternative-asm.h>
11042 @@ -1441,6 +1442,7 @@ _return_T_done_decrypt:
11046 + pax_force_retaddr 0, 1
11048 ENDPROC(aesni_gcm_dec)
11050 @@ -1705,6 +1707,7 @@ _return_T_done_encrypt:
11054 + pax_force_retaddr 0, 1
11056 ENDPROC(aesni_gcm_enc)
11058 @@ -1722,6 +1725,7 @@ _key_expansion_256a:
11060 movaps %xmm0, (TKEYP)
11062 + pax_force_retaddr_bts
11064 ENDPROC(_key_expansion_128)
11065 ENDPROC(_key_expansion_256a)
11066 @@ -1748,6 +1752,7 @@ _key_expansion_192a:
11067 shufps $0b01001110, %xmm2, %xmm1
11068 movaps %xmm1, 0x10(TKEYP)
11070 + pax_force_retaddr_bts
11072 ENDPROC(_key_expansion_192a)
11074 @@ -1768,6 +1773,7 @@ _key_expansion_192b:
11076 movaps %xmm0, (TKEYP)
11078 + pax_force_retaddr_bts
11080 ENDPROC(_key_expansion_192b)
11082 @@ -1781,6 +1787,7 @@ _key_expansion_256b:
11084 movaps %xmm2, (TKEYP)
11086 + pax_force_retaddr_bts
11088 ENDPROC(_key_expansion_256b)
11090 @@ -1894,6 +1901,7 @@ ENTRY(aesni_set_key)
11094 + pax_force_retaddr 0, 1
11096 ENDPROC(aesni_set_key)
11098 @@ -1916,6 +1924,7 @@ ENTRY(aesni_enc)
11102 + pax_force_retaddr 0, 1
11106 @@ -1974,6 +1983,7 @@ _aesni_enc1:
11108 movaps 0x70(TKEYP), KEY
11109 AESENCLAST KEY STATE
11110 + pax_force_retaddr_bts
11112 ENDPROC(_aesni_enc1)
11114 @@ -2083,6 +2093,7 @@ _aesni_enc4:
11115 AESENCLAST KEY STATE2
11116 AESENCLAST KEY STATE3
11117 AESENCLAST KEY STATE4
11118 + pax_force_retaddr_bts
11120 ENDPROC(_aesni_enc4)
11122 @@ -2106,6 +2117,7 @@ ENTRY(aesni_dec)
11126 + pax_force_retaddr 0, 1
11130 @@ -2164,6 +2176,7 @@ _aesni_dec1:
11132 movaps 0x70(TKEYP), KEY
11133 AESDECLAST KEY STATE
11134 + pax_force_retaddr_bts
11136 ENDPROC(_aesni_dec1)
11138 @@ -2273,6 +2286,7 @@ _aesni_dec4:
11139 AESDECLAST KEY STATE2
11140 AESDECLAST KEY STATE3
11141 AESDECLAST KEY STATE4
11142 + pax_force_retaddr_bts
11144 ENDPROC(_aesni_dec4)
11146 @@ -2331,6 +2345,7 @@ ENTRY(aesni_ecb_enc)
11150 + pax_force_retaddr 0, 1
11152 ENDPROC(aesni_ecb_enc)
11154 @@ -2390,6 +2405,7 @@ ENTRY(aesni_ecb_dec)
11158 + pax_force_retaddr 0, 1
11160 ENDPROC(aesni_ecb_dec)
11162 @@ -2432,6 +2448,7 @@ ENTRY(aesni_cbc_enc)
11166 + pax_force_retaddr 0, 1
11168 ENDPROC(aesni_cbc_enc)
11170 @@ -2523,6 +2540,7 @@ ENTRY(aesni_cbc_dec)
11174 + pax_force_retaddr 0, 1
11176 ENDPROC(aesni_cbc_dec)
11178 @@ -2550,6 +2568,7 @@ _aesni_inc_init:
11180 MOVQ_R64_XMM TCTR_LOW INC
11181 MOVQ_R64_XMM CTR TCTR_LOW
11182 + pax_force_retaddr_bts
11184 ENDPROC(_aesni_inc_init)
11186 @@ -2579,6 +2598,7 @@ _aesni_inc:
11189 PSHUFB_XMM BSWAP_MASK IV
11190 + pax_force_retaddr_bts
11192 ENDPROC(_aesni_inc)
11194 @@ -2640,6 +2660,7 @@ ENTRY(aesni_ctr_enc)
11197 .Lctr_enc_just_ret:
11198 + pax_force_retaddr 0, 1
11200 ENDPROC(aesni_ctr_enc)
11202 @@ -2766,6 +2787,7 @@ ENTRY(aesni_xts_crypt8)
11204 movdqu STATE4, 0x70(OUTP)
11206 + pax_force_retaddr 0, 1
11208 ENDPROC(aesni_xts_crypt8)
11210 diff --git a/arch/x86/crypto/blowfish-avx2-asm_64.S b/arch/x86/crypto/blowfish-avx2-asm_64.S
11211 index 784452e..46982c7 100644
11212 --- a/arch/x86/crypto/blowfish-avx2-asm_64.S
11213 +++ b/arch/x86/crypto/blowfish-avx2-asm_64.S
11214 @@ -221,6 +221,7 @@ __blowfish_enc_blk32:
11216 write_block(RXl, RXr);
11218 + pax_force_retaddr 0, 1
11220 ENDPROC(__blowfish_enc_blk32)
11222 @@ -250,6 +251,7 @@ __blowfish_dec_blk32:
11224 write_block(RXl, RXr);
11226 + pax_force_retaddr 0, 1
11228 ENDPROC(__blowfish_dec_blk32)
11230 @@ -284,6 +286,7 @@ ENTRY(blowfish_ecb_enc_32way)
11234 + pax_force_retaddr 0, 1
11236 ENDPROC(blowfish_ecb_enc_32way)
11238 @@ -318,6 +321,7 @@ ENTRY(blowfish_ecb_dec_32way)
11242 + pax_force_retaddr 0, 1
11244 ENDPROC(blowfish_ecb_dec_32way)
11246 @@ -365,6 +369,7 @@ ENTRY(blowfish_cbc_dec_32way)
11250 + pax_force_retaddr 0, 1
11252 ENDPROC(blowfish_cbc_dec_32way)
11254 @@ -445,5 +450,6 @@ ENTRY(blowfish_ctr_32way)
11258 + pax_force_retaddr 0, 1
11260 ENDPROC(blowfish_ctr_32way)
11261 diff --git a/arch/x86/crypto/blowfish-x86_64-asm_64.S b/arch/x86/crypto/blowfish-x86_64-asm_64.S
11262 index 246c670..4d1ed00 100644
11263 --- a/arch/x86/crypto/blowfish-x86_64-asm_64.S
11264 +++ b/arch/x86/crypto/blowfish-x86_64-asm_64.S
11268 #include <linux/linkage.h>
11269 +#include <asm/alternative-asm.h>
11271 .file "blowfish-x86_64-asm.S"
11273 @@ -149,9 +150,11 @@ ENTRY(__blowfish_enc_blk)
11277 + pax_force_retaddr 0, 1
11281 + pax_force_retaddr 0, 1
11283 ENDPROC(__blowfish_enc_blk)
11285 @@ -183,6 +186,7 @@ ENTRY(blowfish_dec_blk)
11289 + pax_force_retaddr 0, 1
11291 ENDPROC(blowfish_dec_blk)
11293 @@ -334,6 +338,7 @@ ENTRY(__blowfish_enc_blk_4way)
11297 + pax_force_retaddr 0, 1
11301 @@ -341,6 +346,7 @@ ENTRY(__blowfish_enc_blk_4way)
11305 + pax_force_retaddr 0, 1
11307 ENDPROC(__blowfish_enc_blk_4way)
11309 @@ -375,5 +381,6 @@ ENTRY(blowfish_dec_blk_4way)
11313 + pax_force_retaddr 0, 1
11315 ENDPROC(blowfish_dec_blk_4way)
11316 diff --git a/arch/x86/crypto/camellia-aesni-avx-asm_64.S b/arch/x86/crypto/camellia-aesni-avx-asm_64.S
11317 index ce71f92..2dd5b1e 100644
11318 --- a/arch/x86/crypto/camellia-aesni-avx-asm_64.S
11319 +++ b/arch/x86/crypto/camellia-aesni-avx-asm_64.S
11323 #include <linux/linkage.h>
11324 +#include <asm/alternative-asm.h>
11326 #define CAMELLIA_TABLE_BYTE_LEN 272
11328 @@ -191,6 +192,7 @@ roundsm16_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_y2_y3_y4_y5_y6_y7_cd:
11329 roundsm16(%xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7,
11330 %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14, %xmm15,
11332 + pax_force_retaddr_bts
11334 ENDPROC(roundsm16_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_y2_y3_y4_y5_y6_y7_cd)
11336 @@ -199,6 +201,7 @@ roundsm16_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_y6_y7_y0_y1_y2_y3_ab:
11337 roundsm16(%xmm4, %xmm5, %xmm6, %xmm7, %xmm0, %xmm1, %xmm2, %xmm3,
11338 %xmm12, %xmm13, %xmm14, %xmm15, %xmm8, %xmm9, %xmm10, %xmm11,
11340 + pax_force_retaddr_bts
11342 ENDPROC(roundsm16_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_y6_y7_y0_y1_y2_y3_ab)
11344 @@ -780,6 +783,7 @@ __camellia_enc_blk16:
11345 %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14,
11346 %xmm15, (key_table)(CTX, %r8, 8), (%rax), 1 * 16(%rax));
11348 + pax_force_retaddr_bts
11352 @@ -865,6 +869,7 @@ __camellia_dec_blk16:
11353 %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14,
11354 %xmm15, (key_table)(CTX), (%rax), 1 * 16(%rax));
11356 + pax_force_retaddr_bts
11360 @@ -904,6 +909,7 @@ ENTRY(camellia_ecb_enc_16way)
11361 %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9,
11364 + pax_force_retaddr 0, 1
11366 ENDPROC(camellia_ecb_enc_16way)
11368 @@ -932,6 +938,7 @@ ENTRY(camellia_ecb_dec_16way)
11369 %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9,
11372 + pax_force_retaddr 0, 1
11374 ENDPROC(camellia_ecb_dec_16way)
11376 @@ -981,6 +988,7 @@ ENTRY(camellia_cbc_dec_16way)
11377 %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9,
11380 + pax_force_retaddr 0, 1
11382 ENDPROC(camellia_cbc_dec_16way)
11384 @@ -1092,6 +1100,7 @@ ENTRY(camellia_ctr_16way)
11385 %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9,
11388 + pax_force_retaddr 0, 1
11390 ENDPROC(camellia_ctr_16way)
11392 @@ -1234,6 +1243,7 @@ camellia_xts_crypt_16way:
11393 %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9,
11396 + pax_force_retaddr 0, 1
11398 ENDPROC(camellia_xts_crypt_16way)
11400 diff --git a/arch/x86/crypto/camellia-aesni-avx2-asm_64.S b/arch/x86/crypto/camellia-aesni-avx2-asm_64.S
11401 index 91a1878..bcf340a 100644
11402 --- a/arch/x86/crypto/camellia-aesni-avx2-asm_64.S
11403 +++ b/arch/x86/crypto/camellia-aesni-avx2-asm_64.S
11407 #include <linux/linkage.h>
11408 +#include <asm/alternative-asm.h>
11410 #define CAMELLIA_TABLE_BYTE_LEN 272
11412 @@ -212,6 +213,7 @@ roundsm32_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_y2_y3_y4_y5_y6_y7_cd:
11413 roundsm32(%ymm0, %ymm1, %ymm2, %ymm3, %ymm4, %ymm5, %ymm6, %ymm7,
11414 %ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14, %ymm15,
11416 + pax_force_retaddr_bts
11418 ENDPROC(roundsm32_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_y2_y3_y4_y5_y6_y7_cd)
11420 @@ -220,6 +222,7 @@ roundsm32_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_y6_y7_y0_y1_y2_y3_ab:
11421 roundsm32(%ymm4, %ymm5, %ymm6, %ymm7, %ymm0, %ymm1, %ymm2, %ymm3,
11422 %ymm12, %ymm13, %ymm14, %ymm15, %ymm8, %ymm9, %ymm10, %ymm11,
11424 + pax_force_retaddr_bts
11426 ENDPROC(roundsm32_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_y6_y7_y0_y1_y2_y3_ab)
11428 @@ -802,6 +805,7 @@ __camellia_enc_blk32:
11429 %ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14,
11430 %ymm15, (key_table)(CTX, %r8, 8), (%rax), 1 * 32(%rax));
11432 + pax_force_retaddr_bts
11436 @@ -887,6 +891,7 @@ __camellia_dec_blk32:
11437 %ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14,
11438 %ymm15, (key_table)(CTX), (%rax), 1 * 32(%rax));
11440 + pax_force_retaddr_bts
11444 @@ -930,6 +935,7 @@ ENTRY(camellia_ecb_enc_32way)
11448 + pax_force_retaddr 0, 1
11450 ENDPROC(camellia_ecb_enc_32way)
11452 @@ -962,6 +968,7 @@ ENTRY(camellia_ecb_dec_32way)
11456 + pax_force_retaddr 0, 1
11458 ENDPROC(camellia_ecb_dec_32way)
11460 @@ -1028,6 +1035,7 @@ ENTRY(camellia_cbc_dec_32way)
11464 + pax_force_retaddr 0, 1
11466 ENDPROC(camellia_cbc_dec_32way)
11468 @@ -1166,6 +1174,7 @@ ENTRY(camellia_ctr_32way)
11472 + pax_force_retaddr 0, 1
11474 ENDPROC(camellia_ctr_32way)
11476 @@ -1331,6 +1340,7 @@ camellia_xts_crypt_32way:
11480 + pax_force_retaddr 0, 1
11482 ENDPROC(camellia_xts_crypt_32way)
11484 diff --git a/arch/x86/crypto/camellia-x86_64-asm_64.S b/arch/x86/crypto/camellia-x86_64-asm_64.S
11485 index 310319c..ce174a4 100644
11486 --- a/arch/x86/crypto/camellia-x86_64-asm_64.S
11487 +++ b/arch/x86/crypto/camellia-x86_64-asm_64.S
11491 #include <linux/linkage.h>
11492 +#include <asm/alternative-asm.h>
11494 .file "camellia-x86_64-asm_64.S"
11496 @@ -228,12 +229,14 @@ ENTRY(__camellia_enc_blk)
11497 enc_outunpack(mov, RT1);
11500 + pax_force_retaddr 0, 1
11504 enc_outunpack(xor, RT1);
11507 + pax_force_retaddr 0, 1
11509 ENDPROC(__camellia_enc_blk)
11511 @@ -272,6 +275,7 @@ ENTRY(camellia_dec_blk)
11515 + pax_force_retaddr 0, 1
11517 ENDPROC(camellia_dec_blk)
11519 @@ -463,6 +467,7 @@ ENTRY(__camellia_enc_blk_2way)
11523 + pax_force_retaddr 0, 1
11527 @@ -470,6 +475,7 @@ ENTRY(__camellia_enc_blk_2way)
11531 + pax_force_retaddr 0, 1
11533 ENDPROC(__camellia_enc_blk_2way)
11535 @@ -510,5 +516,6 @@ ENTRY(camellia_dec_blk_2way)
11539 + pax_force_retaddr 0, 1
11541 ENDPROC(camellia_dec_blk_2way)
11542 diff --git a/arch/x86/crypto/cast5-avx-x86_64-asm_64.S b/arch/x86/crypto/cast5-avx-x86_64-asm_64.S
11543 index c35fd5d..c1ee236 100644
11544 --- a/arch/x86/crypto/cast5-avx-x86_64-asm_64.S
11545 +++ b/arch/x86/crypto/cast5-avx-x86_64-asm_64.S
11549 #include <linux/linkage.h>
11550 +#include <asm/alternative-asm.h>
11552 .file "cast5-avx-x86_64-asm_64.S"
11554 @@ -281,6 +282,7 @@ __cast5_enc_blk16:
11555 outunpack_blocks(RR3, RL3, RTMP, RX, RKM);
11556 outunpack_blocks(RR4, RL4, RTMP, RX, RKM);
11558 + pax_force_retaddr 0, 1
11560 ENDPROC(__cast5_enc_blk16)
11562 @@ -352,6 +354,7 @@ __cast5_dec_blk16:
11563 outunpack_blocks(RR3, RL3, RTMP, RX, RKM);
11564 outunpack_blocks(RR4, RL4, RTMP, RX, RKM);
11566 + pax_force_retaddr 0, 1
11570 @@ -388,6 +391,7 @@ ENTRY(cast5_ecb_enc_16way)
11571 vmovdqu RR4, (6*4*4)(%r11);
11572 vmovdqu RL4, (7*4*4)(%r11);
11574 + pax_force_retaddr
11576 ENDPROC(cast5_ecb_enc_16way)
11578 @@ -420,6 +424,7 @@ ENTRY(cast5_ecb_dec_16way)
11579 vmovdqu RR4, (6*4*4)(%r11);
11580 vmovdqu RL4, (7*4*4)(%r11);
11582 + pax_force_retaddr
11584 ENDPROC(cast5_ecb_dec_16way)
11586 @@ -469,6 +474,7 @@ ENTRY(cast5_cbc_dec_16way)
11590 + pax_force_retaddr
11592 ENDPROC(cast5_cbc_dec_16way)
11594 @@ -542,5 +548,6 @@ ENTRY(cast5_ctr_16way)
11598 + pax_force_retaddr
11600 ENDPROC(cast5_ctr_16way)
11601 diff --git a/arch/x86/crypto/cast6-avx-x86_64-asm_64.S b/arch/x86/crypto/cast6-avx-x86_64-asm_64.S
11602 index e3531f8..18ded3a 100644
11603 --- a/arch/x86/crypto/cast6-avx-x86_64-asm_64.S
11604 +++ b/arch/x86/crypto/cast6-avx-x86_64-asm_64.S
11608 #include <linux/linkage.h>
11609 +#include <asm/alternative-asm.h>
11610 #include "glue_helper-asm-avx.S"
11612 .file "cast6-avx-x86_64-asm_64.S"
11613 @@ -295,6 +296,7 @@ __cast6_enc_blk8:
11614 outunpack_blocks(RA1, RB1, RC1, RD1, RTMP, RX, RKRF, RKM);
11615 outunpack_blocks(RA2, RB2, RC2, RD2, RTMP, RX, RKRF, RKM);
11617 + pax_force_retaddr 0, 1
11619 ENDPROC(__cast6_enc_blk8)
11621 @@ -340,6 +342,7 @@ __cast6_dec_blk8:
11622 outunpack_blocks(RA1, RB1, RC1, RD1, RTMP, RX, RKRF, RKM);
11623 outunpack_blocks(RA2, RB2, RC2, RD2, RTMP, RX, RKRF, RKM);
11625 + pax_force_retaddr 0, 1
11627 ENDPROC(__cast6_dec_blk8)
11629 @@ -358,6 +361,7 @@ ENTRY(cast6_ecb_enc_8way)
11631 store_8way(%r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
11633 + pax_force_retaddr
11635 ENDPROC(cast6_ecb_enc_8way)
11637 @@ -376,6 +380,7 @@ ENTRY(cast6_ecb_dec_8way)
11639 store_8way(%r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
11641 + pax_force_retaddr
11643 ENDPROC(cast6_ecb_dec_8way)
11645 @@ -399,6 +404,7 @@ ENTRY(cast6_cbc_dec_8way)
11649 + pax_force_retaddr
11651 ENDPROC(cast6_cbc_dec_8way)
11653 @@ -424,6 +430,7 @@ ENTRY(cast6_ctr_8way)
11657 + pax_force_retaddr
11659 ENDPROC(cast6_ctr_8way)
11661 @@ -446,6 +453,7 @@ ENTRY(cast6_xts_enc_8way)
11662 /* dst <= regs xor IVs(in dst) */
11663 store_xts_8way(%r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
11665 + pax_force_retaddr
11667 ENDPROC(cast6_xts_enc_8way)
11669 @@ -468,5 +476,6 @@ ENTRY(cast6_xts_dec_8way)
11670 /* dst <= regs xor IVs(in dst) */
11671 store_xts_8way(%r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
11673 + pax_force_retaddr
11675 ENDPROC(cast6_xts_dec_8way)
11676 diff --git a/arch/x86/crypto/crc32c-pcl-intel-asm_64.S b/arch/x86/crypto/crc32c-pcl-intel-asm_64.S
11677 index dbc4339..3d868c5 100644
11678 --- a/arch/x86/crypto/crc32c-pcl-intel-asm_64.S
11679 +++ b/arch/x86/crypto/crc32c-pcl-intel-asm_64.S
11682 #include <asm/inst.h>
11683 #include <linux/linkage.h>
11684 +#include <asm/alternative-asm.h>
11686 ## ISCSI CRC 32 Implementation with crc32 and pclmulqdq Instruction
11688 @@ -312,6 +313,7 @@ do_return:
11692 + pax_force_retaddr 0, 1
11695 ################################################################
11696 diff --git a/arch/x86/crypto/ghash-clmulni-intel_asm.S b/arch/x86/crypto/ghash-clmulni-intel_asm.S
11697 index 586f41a..d02851e 100644
11698 --- a/arch/x86/crypto/ghash-clmulni-intel_asm.S
11699 +++ b/arch/x86/crypto/ghash-clmulni-intel_asm.S
11702 #include <linux/linkage.h>
11703 #include <asm/inst.h>
11704 +#include <asm/alternative-asm.h>
11708 @@ -93,6 +94,7 @@ __clmul_gf128mul_ble:
11712 + pax_force_retaddr
11714 ENDPROC(__clmul_gf128mul_ble)
11716 @@ -105,6 +107,7 @@ ENTRY(clmul_ghash_mul)
11717 call __clmul_gf128mul_ble
11718 PSHUFB_XMM BSWAP DATA
11719 movups DATA, (%rdi)
11720 + pax_force_retaddr
11722 ENDPROC(clmul_ghash_mul)
11724 @@ -132,6 +135,7 @@ ENTRY(clmul_ghash_update)
11725 PSHUFB_XMM BSWAP DATA
11726 movups DATA, (%rdi)
11728 + pax_force_retaddr
11730 ENDPROC(clmul_ghash_update)
11732 @@ -157,5 +161,6 @@ ENTRY(clmul_ghash_setkey)
11735 movups %xmm0, (%rdi)
11736 + pax_force_retaddr
11738 ENDPROC(clmul_ghash_setkey)
11739 diff --git a/arch/x86/crypto/salsa20-x86_64-asm_64.S b/arch/x86/crypto/salsa20-x86_64-asm_64.S
11740 index 9279e0b..9270820 100644
11741 --- a/arch/x86/crypto/salsa20-x86_64-asm_64.S
11742 +++ b/arch/x86/crypto/salsa20-x86_64-asm_64.S
11744 #include <linux/linkage.h>
11745 +#include <asm/alternative-asm.h>
11747 # enter salsa20_encrypt_bytes
11748 ENTRY(salsa20_encrypt_bytes)
11749 @@ -789,6 +790,7 @@ ENTRY(salsa20_encrypt_bytes)
11753 + pax_force_retaddr 0, 1
11757 @@ -889,6 +891,7 @@ ENTRY(salsa20_keysetup)
11761 + pax_force_retaddr
11763 ENDPROC(salsa20_keysetup)
11765 @@ -914,5 +917,6 @@ ENTRY(salsa20_ivsetup)
11769 + pax_force_retaddr
11771 ENDPROC(salsa20_ivsetup)
11772 diff --git a/arch/x86/crypto/serpent-avx-x86_64-asm_64.S b/arch/x86/crypto/serpent-avx-x86_64-asm_64.S
11773 index 2f202f4..d9164d6 100644
11774 --- a/arch/x86/crypto/serpent-avx-x86_64-asm_64.S
11775 +++ b/arch/x86/crypto/serpent-avx-x86_64-asm_64.S
11779 #include <linux/linkage.h>
11780 +#include <asm/alternative-asm.h>
11781 #include "glue_helper-asm-avx.S"
11783 .file "serpent-avx-x86_64-asm_64.S"
11784 @@ -618,6 +619,7 @@ __serpent_enc_blk8_avx:
11785 write_blocks(RA1, RB1, RC1, RD1, RK0, RK1, RK2);
11786 write_blocks(RA2, RB2, RC2, RD2, RK0, RK1, RK2);
11788 + pax_force_retaddr
11790 ENDPROC(__serpent_enc_blk8_avx)
11792 @@ -672,6 +674,7 @@ __serpent_dec_blk8_avx:
11793 write_blocks(RC1, RD1, RB1, RE1, RK0, RK1, RK2);
11794 write_blocks(RC2, RD2, RB2, RE2, RK0, RK1, RK2);
11796 + pax_force_retaddr
11798 ENDPROC(__serpent_dec_blk8_avx)
11800 @@ -688,6 +691,7 @@ ENTRY(serpent_ecb_enc_8way_avx)
11802 store_8way(%rsi, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
11804 + pax_force_retaddr
11806 ENDPROC(serpent_ecb_enc_8way_avx)
11808 @@ -704,6 +708,7 @@ ENTRY(serpent_ecb_dec_8way_avx)
11810 store_8way(%rsi, RC1, RD1, RB1, RE1, RC2, RD2, RB2, RE2);
11812 + pax_force_retaddr
11814 ENDPROC(serpent_ecb_dec_8way_avx)
11816 @@ -720,6 +725,7 @@ ENTRY(serpent_cbc_dec_8way_avx)
11818 store_cbc_8way(%rdx, %rsi, RC1, RD1, RB1, RE1, RC2, RD2, RB2, RE2);
11820 + pax_force_retaddr
11822 ENDPROC(serpent_cbc_dec_8way_avx)
11824 @@ -738,6 +744,7 @@ ENTRY(serpent_ctr_8way_avx)
11826 store_ctr_8way(%rdx, %rsi, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
11828 + pax_force_retaddr
11830 ENDPROC(serpent_ctr_8way_avx)
11832 @@ -758,6 +765,7 @@ ENTRY(serpent_xts_enc_8way_avx)
11833 /* dst <= regs xor IVs(in dst) */
11834 store_xts_8way(%rsi, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
11836 + pax_force_retaddr
11838 ENDPROC(serpent_xts_enc_8way_avx)
11840 @@ -778,5 +786,6 @@ ENTRY(serpent_xts_dec_8way_avx)
11841 /* dst <= regs xor IVs(in dst) */
11842 store_xts_8way(%rsi, RC1, RD1, RB1, RE1, RC2, RD2, RB2, RE2);
11844 + pax_force_retaddr
11846 ENDPROC(serpent_xts_dec_8way_avx)
11847 diff --git a/arch/x86/crypto/serpent-avx2-asm_64.S b/arch/x86/crypto/serpent-avx2-asm_64.S
11848 index b222085..abd483c 100644
11849 --- a/arch/x86/crypto/serpent-avx2-asm_64.S
11850 +++ b/arch/x86/crypto/serpent-avx2-asm_64.S
11854 #include <linux/linkage.h>
11855 +#include <asm/alternative-asm.h>
11856 #include "glue_helper-asm-avx2.S"
11858 .file "serpent-avx2-asm_64.S"
11859 @@ -610,6 +611,7 @@ __serpent_enc_blk16:
11860 write_blocks(RA1, RB1, RC1, RD1, RK0, RK1, RK2);
11861 write_blocks(RA2, RB2, RC2, RD2, RK0, RK1, RK2);
11863 + pax_force_retaddr
11865 ENDPROC(__serpent_enc_blk16)
11867 @@ -664,6 +666,7 @@ __serpent_dec_blk16:
11868 write_blocks(RC1, RD1, RB1, RE1, RK0, RK1, RK2);
11869 write_blocks(RC2, RD2, RB2, RE2, RK0, RK1, RK2);
11871 + pax_force_retaddr
11873 ENDPROC(__serpent_dec_blk16)
11875 @@ -684,6 +687,7 @@ ENTRY(serpent_ecb_enc_16way)
11879 + pax_force_retaddr
11881 ENDPROC(serpent_ecb_enc_16way)
11883 @@ -704,6 +708,7 @@ ENTRY(serpent_ecb_dec_16way)
11887 + pax_force_retaddr
11889 ENDPROC(serpent_ecb_dec_16way)
11891 @@ -725,6 +730,7 @@ ENTRY(serpent_cbc_dec_16way)
11895 + pax_force_retaddr
11897 ENDPROC(serpent_cbc_dec_16way)
11899 @@ -748,6 +754,7 @@ ENTRY(serpent_ctr_16way)
11903 + pax_force_retaddr
11905 ENDPROC(serpent_ctr_16way)
11907 @@ -772,6 +779,7 @@ ENTRY(serpent_xts_enc_16way)
11911 + pax_force_retaddr
11913 ENDPROC(serpent_xts_enc_16way)
11915 @@ -796,5 +804,6 @@ ENTRY(serpent_xts_dec_16way)
11919 + pax_force_retaddr
11921 ENDPROC(serpent_xts_dec_16way)
11922 diff --git a/arch/x86/crypto/serpent-sse2-x86_64-asm_64.S b/arch/x86/crypto/serpent-sse2-x86_64-asm_64.S
11923 index acc066c..1559cc4 100644
11924 --- a/arch/x86/crypto/serpent-sse2-x86_64-asm_64.S
11925 +++ b/arch/x86/crypto/serpent-sse2-x86_64-asm_64.S
11929 #include <linux/linkage.h>
11930 +#include <asm/alternative-asm.h>
11932 .file "serpent-sse2-x86_64-asm_64.S"
11934 @@ -690,12 +691,14 @@ ENTRY(__serpent_enc_blk_8way)
11935 write_blocks(%rsi, RA1, RB1, RC1, RD1, RK0, RK1, RK2);
11936 write_blocks(%rax, RA2, RB2, RC2, RD2, RK0, RK1, RK2);
11938 + pax_force_retaddr
11942 xor_blocks(%rsi, RA1, RB1, RC1, RD1, RK0, RK1, RK2);
11943 xor_blocks(%rax, RA2, RB2, RC2, RD2, RK0, RK1, RK2);
11945 + pax_force_retaddr
11947 ENDPROC(__serpent_enc_blk_8way)
11949 @@ -750,5 +753,6 @@ ENTRY(serpent_dec_blk_8way)
11950 write_blocks(%rsi, RC1, RD1, RB1, RE1, RK0, RK1, RK2);
11951 write_blocks(%rax, RC2, RD2, RB2, RE2, RK0, RK1, RK2);
11953 + pax_force_retaddr
11955 ENDPROC(serpent_dec_blk_8way)
11956 diff --git a/arch/x86/crypto/sha1_ssse3_asm.S b/arch/x86/crypto/sha1_ssse3_asm.S
11957 index a410950..3356d42 100644
11958 --- a/arch/x86/crypto/sha1_ssse3_asm.S
11959 +++ b/arch/x86/crypto/sha1_ssse3_asm.S
11963 #include <linux/linkage.h>
11964 +#include <asm/alternative-asm.h>
11966 #define CTX %rdi // arg1
11967 #define BUF %rsi // arg2
11968 @@ -104,6 +105,7 @@
11972 + pax_force_retaddr 0, 1
11976 diff --git a/arch/x86/crypto/sha256-avx-asm.S b/arch/x86/crypto/sha256-avx-asm.S
11977 index 642f156..4ab07b9 100644
11978 --- a/arch/x86/crypto/sha256-avx-asm.S
11979 +++ b/arch/x86/crypto/sha256-avx-asm.S
11982 #ifdef CONFIG_AS_AVX
11983 #include <linux/linkage.h>
11984 +#include <asm/alternative-asm.h>
11986 ## assume buffers not aligned
11987 #define VMOVDQ vmovdqu
11988 @@ -460,6 +461,7 @@ done_hash:
11992 + pax_force_retaddr 0, 1
11994 ENDPROC(sha256_transform_avx)
11996 diff --git a/arch/x86/crypto/sha256-avx2-asm.S b/arch/x86/crypto/sha256-avx2-asm.S
11997 index 9e86944..2e7f95a 100644
11998 --- a/arch/x86/crypto/sha256-avx2-asm.S
11999 +++ b/arch/x86/crypto/sha256-avx2-asm.S
12002 #ifdef CONFIG_AS_AVX2
12003 #include <linux/linkage.h>
12004 +#include <asm/alternative-asm.h>
12006 ## assume buffers not aligned
12007 #define VMOVDQ vmovdqu
12008 @@ -720,6 +721,7 @@ done_hash:
12012 + pax_force_retaddr 0, 1
12014 ENDPROC(sha256_transform_rorx)
12016 diff --git a/arch/x86/crypto/sha256-ssse3-asm.S b/arch/x86/crypto/sha256-ssse3-asm.S
12017 index f833b74..c36ed14 100644
12018 --- a/arch/x86/crypto/sha256-ssse3-asm.S
12019 +++ b/arch/x86/crypto/sha256-ssse3-asm.S
12021 ########################################################################
12023 #include <linux/linkage.h>
12024 +#include <asm/alternative-asm.h>
12026 ## assume buffers not aligned
12027 #define MOVDQ movdqu
12028 @@ -471,6 +472,7 @@ done_hash:
12032 + pax_force_retaddr 0, 1
12034 ENDPROC(sha256_transform_ssse3)
12036 diff --git a/arch/x86/crypto/sha512-avx-asm.S b/arch/x86/crypto/sha512-avx-asm.S
12037 index 974dde9..4533d34 100644
12038 --- a/arch/x86/crypto/sha512-avx-asm.S
12039 +++ b/arch/x86/crypto/sha512-avx-asm.S
12042 #ifdef CONFIG_AS_AVX
12043 #include <linux/linkage.h>
12044 +#include <asm/alternative-asm.h>
12048 @@ -364,6 +365,7 @@ updateblock:
12049 mov frame_RSPSAVE(%rsp), %rsp
12052 + pax_force_retaddr 0, 1
12054 ENDPROC(sha512_transform_avx)
12056 diff --git a/arch/x86/crypto/sha512-avx2-asm.S b/arch/x86/crypto/sha512-avx2-asm.S
12057 index 568b961..061ef1d 100644
12058 --- a/arch/x86/crypto/sha512-avx2-asm.S
12059 +++ b/arch/x86/crypto/sha512-avx2-asm.S
12062 #ifdef CONFIG_AS_AVX2
12063 #include <linux/linkage.h>
12064 +#include <asm/alternative-asm.h>
12068 @@ -678,6 +679,7 @@ done_hash:
12070 # Restore Stack Pointer
12071 mov frame_RSPSAVE(%rsp), %rsp
12072 + pax_force_retaddr 0, 1
12074 ENDPROC(sha512_transform_rorx)
12076 diff --git a/arch/x86/crypto/sha512-ssse3-asm.S b/arch/x86/crypto/sha512-ssse3-asm.S
12077 index fb56855..e23914f 100644
12078 --- a/arch/x86/crypto/sha512-ssse3-asm.S
12079 +++ b/arch/x86/crypto/sha512-ssse3-asm.S
12081 ########################################################################
12083 #include <linux/linkage.h>
12084 +#include <asm/alternative-asm.h>
12088 @@ -363,6 +364,7 @@ updateblock:
12089 mov frame_RSPSAVE(%rsp), %rsp
12092 + pax_force_retaddr 0, 1
12094 ENDPROC(sha512_transform_ssse3)
12096 diff --git a/arch/x86/crypto/twofish-avx-x86_64-asm_64.S b/arch/x86/crypto/twofish-avx-x86_64-asm_64.S
12097 index 0505813..63b1d00 100644
12098 --- a/arch/x86/crypto/twofish-avx-x86_64-asm_64.S
12099 +++ b/arch/x86/crypto/twofish-avx-x86_64-asm_64.S
12103 #include <linux/linkage.h>
12104 +#include <asm/alternative-asm.h>
12105 #include "glue_helper-asm-avx.S"
12107 .file "twofish-avx-x86_64-asm_64.S"
12108 @@ -284,6 +285,7 @@ __twofish_enc_blk8:
12109 outunpack_blocks(RC1, RD1, RA1, RB1, RK1, RX0, RY0, RK2);
12110 outunpack_blocks(RC2, RD2, RA2, RB2, RK1, RX0, RY0, RK2);
12112 + pax_force_retaddr 0, 1
12114 ENDPROC(__twofish_enc_blk8)
12116 @@ -324,6 +326,7 @@ __twofish_dec_blk8:
12117 outunpack_blocks(RA1, RB1, RC1, RD1, RK1, RX0, RY0, RK2);
12118 outunpack_blocks(RA2, RB2, RC2, RD2, RK1, RX0, RY0, RK2);
12120 + pax_force_retaddr 0, 1
12122 ENDPROC(__twofish_dec_blk8)
12124 @@ -342,6 +345,7 @@ ENTRY(twofish_ecb_enc_8way)
12126 store_8way(%r11, RC1, RD1, RA1, RB1, RC2, RD2, RA2, RB2);
12128 + pax_force_retaddr 0, 1
12130 ENDPROC(twofish_ecb_enc_8way)
12132 @@ -360,6 +364,7 @@ ENTRY(twofish_ecb_dec_8way)
12134 store_8way(%r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
12136 + pax_force_retaddr 0, 1
12138 ENDPROC(twofish_ecb_dec_8way)
12140 @@ -383,6 +388,7 @@ ENTRY(twofish_cbc_dec_8way)
12144 + pax_force_retaddr 0, 1
12146 ENDPROC(twofish_cbc_dec_8way)
12148 @@ -408,6 +414,7 @@ ENTRY(twofish_ctr_8way)
12152 + pax_force_retaddr 0, 1
12154 ENDPROC(twofish_ctr_8way)
12156 @@ -430,6 +437,7 @@ ENTRY(twofish_xts_enc_8way)
12157 /* dst <= regs xor IVs(in dst) */
12158 store_xts_8way(%r11, RC1, RD1, RA1, RB1, RC2, RD2, RA2, RB2);
12160 + pax_force_retaddr 0, 1
12162 ENDPROC(twofish_xts_enc_8way)
12164 @@ -452,5 +460,6 @@ ENTRY(twofish_xts_dec_8way)
12165 /* dst <= regs xor IVs(in dst) */
12166 store_xts_8way(%r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
12168 + pax_force_retaddr 0, 1
12170 ENDPROC(twofish_xts_dec_8way)
12171 diff --git a/arch/x86/crypto/twofish-avx2-asm_64.S b/arch/x86/crypto/twofish-avx2-asm_64.S
12172 index e1a83b9..33006b9 100644
12173 --- a/arch/x86/crypto/twofish-avx2-asm_64.S
12174 +++ b/arch/x86/crypto/twofish-avx2-asm_64.S
12178 #include <linux/linkage.h>
12179 +#include <asm/alternative-asm.h>
12180 #include "glue_helper-asm-avx2.S"
12182 .file "twofish-avx2-asm_64.S"
12183 @@ -422,6 +423,7 @@ __twofish_enc_blk16:
12184 outunpack_enc16(RA, RB, RC, RD);
12185 write_blocks16(RA, RB, RC, RD);
12187 + pax_force_retaddr_bts
12189 ENDPROC(__twofish_enc_blk16)
12191 @@ -454,6 +456,7 @@ __twofish_dec_blk16:
12192 outunpack_dec16(RA, RB, RC, RD);
12193 write_blocks16(RA, RB, RC, RD);
12195 + pax_force_retaddr_bts
12197 ENDPROC(__twofish_dec_blk16)
12199 @@ -476,6 +479,7 @@ ENTRY(twofish_ecb_enc_16way)
12203 + pax_force_retaddr 0, 1
12205 ENDPROC(twofish_ecb_enc_16way)
12207 @@ -498,6 +502,7 @@ ENTRY(twofish_ecb_dec_16way)
12211 + pax_force_retaddr 0, 1
12213 ENDPROC(twofish_ecb_dec_16way)
12215 @@ -521,6 +526,7 @@ ENTRY(twofish_cbc_dec_16way)
12219 + pax_force_retaddr 0, 1
12221 ENDPROC(twofish_cbc_dec_16way)
12223 @@ -546,6 +552,7 @@ ENTRY(twofish_ctr_16way)
12227 + pax_force_retaddr 0, 1
12229 ENDPROC(twofish_ctr_16way)
12231 @@ -574,6 +581,7 @@ twofish_xts_crypt_16way:
12235 + pax_force_retaddr 0, 1
12237 ENDPROC(twofish_xts_crypt_16way)
12239 diff --git a/arch/x86/crypto/twofish-x86_64-asm_64-3way.S b/arch/x86/crypto/twofish-x86_64-asm_64-3way.S
12240 index 1c3b7ce..b365c5e 100644
12241 --- a/arch/x86/crypto/twofish-x86_64-asm_64-3way.S
12242 +++ b/arch/x86/crypto/twofish-x86_64-asm_64-3way.S
12246 #include <linux/linkage.h>
12247 +#include <asm/alternative-asm.h>
12249 .file "twofish-x86_64-asm-3way.S"
12251 @@ -258,6 +259,7 @@ ENTRY(__twofish_enc_blk_3way)
12255 + pax_force_retaddr 0, 1
12259 @@ -269,6 +271,7 @@ ENTRY(__twofish_enc_blk_3way)
12263 + pax_force_retaddr 0, 1
12265 ENDPROC(__twofish_enc_blk_3way)
12267 @@ -308,5 +311,6 @@ ENTRY(twofish_dec_blk_3way)
12271 + pax_force_retaddr 0, 1
12273 ENDPROC(twofish_dec_blk_3way)
12274 diff --git a/arch/x86/crypto/twofish-x86_64-asm_64.S b/arch/x86/crypto/twofish-x86_64-asm_64.S
12275 index a039d21..29e7615 100644
12276 --- a/arch/x86/crypto/twofish-x86_64-asm_64.S
12277 +++ b/arch/x86/crypto/twofish-x86_64-asm_64.S
12280 #include <linux/linkage.h>
12281 #include <asm/asm-offsets.h>
12282 +#include <asm/alternative-asm.h>
12286 @@ -265,6 +266,7 @@ ENTRY(twofish_enc_blk)
12290 + pax_force_retaddr 0, 1
12292 ENDPROC(twofish_enc_blk)
12294 @@ -317,5 +319,6 @@ ENTRY(twofish_dec_blk)
12298 + pax_force_retaddr 0, 1
12300 ENDPROC(twofish_dec_blk)
12301 diff --git a/arch/x86/ia32/ia32_aout.c b/arch/x86/ia32/ia32_aout.c
12302 index 52ff81c..98af645 100644
12303 --- a/arch/x86/ia32/ia32_aout.c
12304 +++ b/arch/x86/ia32/ia32_aout.c
12305 @@ -159,6 +159,8 @@ static int aout_core_dump(long signr, struct pt_regs *regs, struct file *file,
12306 unsigned long dump_start, dump_size;
12307 struct user32 dump;
12309 + memset(&dump, 0, sizeof(dump));
12314 diff --git a/arch/x86/ia32/ia32_signal.c b/arch/x86/ia32/ia32_signal.c
12315 index cf1a471..5ba2673 100644
12316 --- a/arch/x86/ia32/ia32_signal.c
12317 +++ b/arch/x86/ia32/ia32_signal.c
12318 @@ -340,7 +340,7 @@ static void __user *get_sigframe(struct ksignal *ksig, struct pt_regs *regs,
12320 /* Align the stack pointer according to the i386 ABI,
12321 * i.e. so that on function entry ((sp + 4) & 15) == 0. */
12322 - sp = ((sp + 4) & -16ul) - 4;
12323 + sp = ((sp - 12) & -16ul) - 4;
12324 return (void __user *) sp;
12327 @@ -398,7 +398,7 @@ int ia32_setup_frame(int sig, struct ksignal *ksig,
12328 * These are actually not used anymore, but left because some
12329 * gdb versions depend on them as a marker.
12331 - put_user_ex(*((u64 *)&code), (u64 __user *)frame->retcode);
12332 + put_user_ex(*((const u64 *)&code), (u64 __user *)frame->retcode);
12333 } put_user_catch(err);
12336 @@ -440,7 +440,7 @@ int ia32_setup_rt_frame(int sig, struct ksignal *ksig,
12338 __NR_ia32_rt_sigreturn,
12344 frame = get_sigframe(ksig, regs, sizeof(*frame), &fpstate);
12345 @@ -459,20 +459,22 @@ int ia32_setup_rt_frame(int sig, struct ksignal *ksig,
12347 put_user_ex(0, &frame->uc.uc_flags);
12348 put_user_ex(0, &frame->uc.uc_link);
12349 - err |= __compat_save_altstack(&frame->uc.uc_stack, regs->sp);
12350 + __compat_save_altstack_ex(&frame->uc.uc_stack, regs->sp);
12352 if (ksig->ka.sa.sa_flags & SA_RESTORER)
12353 restorer = ksig->ka.sa.sa_restorer;
12354 + else if (current->mm->context.vdso)
12355 + /* Return stub is in 32bit vsyscall page */
12356 + restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
12358 - restorer = VDSO32_SYMBOL(current->mm->context.vdso,
12360 + restorer = &frame->retcode;
12361 put_user_ex(ptr_to_compat(restorer), &frame->pretcode);
12364 * Not actually used anymore, but left because some gdb
12365 * versions need it.
12367 - put_user_ex(*((u64 *)&code), (u64 __user *)frame->retcode);
12368 + put_user_ex(*((const u64 *)&code), (u64 __user *)frame->retcode);
12369 } put_user_catch(err);
12371 err |= copy_siginfo_to_user32(&frame->info, &ksig->info);
12372 diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
12373 index 474dc1b..9297c58 100644
12374 --- a/arch/x86/ia32/ia32entry.S
12375 +++ b/arch/x86/ia32/ia32entry.S
12377 #include <asm/irqflags.h>
12378 #include <asm/asm.h>
12379 #include <asm/smap.h>
12380 +#include <asm/pgtable.h>
12381 #include <linux/linkage.h>
12382 #include <linux/err.h>
12383 +#include <asm/alternative-asm.h>
12385 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
12386 #include <linux/elf-em.h>
12387 @@ -96,6 +98,32 @@ ENTRY(native_irq_enable_sysexit)
12388 ENDPROC(native_irq_enable_sysexit)
12391 + .macro pax_enter_kernel_user
12392 + pax_set_fptr_mask
12393 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12394 + call pax_enter_kernel_user
12398 + .macro pax_exit_kernel_user
12399 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12400 + call pax_exit_kernel_user
12402 +#ifdef CONFIG_PAX_RANDKSTACK
12405 + call pax_randomize_kstack
12411 + .macro pax_erase_kstack
12412 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
12413 + call pax_erase_kstack
12418 * 32bit SYSENTER instruction entry.
12420 @@ -122,12 +150,6 @@ ENTRY(ia32_sysenter_target)
12421 CFI_REGISTER rsp,rbp
12422 SWAPGS_UNSAFE_STACK
12423 movq PER_CPU_VAR(kernel_stack), %rsp
12424 - addq $(KERNEL_STACK_OFFSET),%rsp
12426 - * No need to follow this irqs on/off section: the syscall
12427 - * disabled irqs, here we enable it straight after entry:
12429 - ENABLE_INTERRUPTS(CLBR_NONE)
12430 movl %ebp,%ebp /* zero extension */
12431 pushq_cfi $__USER32_DS
12432 /*CFI_REL_OFFSET ss,0*/
12433 @@ -135,24 +157,49 @@ ENTRY(ia32_sysenter_target)
12434 CFI_REL_OFFSET rsp,0
12436 /*CFI_REL_OFFSET rflags,0*/
12437 - movl TI_sysenter_return+THREAD_INFO(%rsp,3*8-KERNEL_STACK_OFFSET),%r10d
12438 - CFI_REGISTER rip,r10
12439 + orl $X86_EFLAGS_IF,(%rsp)
12440 + GET_THREAD_INFO(%r11)
12441 + movl TI_sysenter_return(%r11), %r11d
12442 + CFI_REGISTER rip,r11
12443 pushq_cfi $__USER32_CS
12444 /*CFI_REL_OFFSET cs,0*/
12448 CFI_REL_OFFSET rip,0
12452 + pax_enter_kernel_user
12454 +#ifdef CONFIG_PAX_RANDKSTACK
12459 + * No need to follow this irqs on/off section: the syscall
12460 + * disabled irqs, here we enable it straight after entry:
12462 + ENABLE_INTERRUPTS(CLBR_NONE)
12463 /* no need to do an access_ok check here because rbp has been
12464 32bit zero extended */
12466 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12467 + addq pax_user_shadow_base,%rbp
12468 + ASM_PAX_OPEN_USERLAND
12472 1: movl (%rbp),%ebp
12473 _ASM_EXTABLE(1b,ia32_badarg)
12475 - orl $TS_COMPAT,TI_status+THREAD_INFO(%rsp,RIP-ARGOFFSET)
12476 - testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET)
12478 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12479 + ASM_PAX_CLOSE_USERLAND
12482 + GET_THREAD_INFO(%r11)
12483 + orl $TS_COMPAT,TI_status(%r11)
12484 + testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r11)
12486 jnz sysenter_tracesys
12487 cmpq $(IA32_NR_syscalls-1),%rax
12488 @@ -162,12 +209,15 @@ sysenter_do_call:
12490 call *ia32_sys_call_table(,%rax,8)
12491 movq %rax,RAX-ARGOFFSET(%rsp)
12492 + GET_THREAD_INFO(%r11)
12493 DISABLE_INTERRUPTS(CLBR_NONE)
12495 - testl $_TIF_ALLWORK_MASK,TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET)
12496 + testl $_TIF_ALLWORK_MASK,TI_flags(%r11)
12498 sysexit_from_sys_call:
12499 - andl $~TS_COMPAT,TI_status+THREAD_INFO(%rsp,RIP-ARGOFFSET)
12500 + pax_exit_kernel_user
12502 + andl $~TS_COMPAT,TI_status(%r11)
12503 /* clear IF, that popfq doesn't enable interrupts early */
12504 andl $~0x200,EFLAGS-R11(%rsp)
12505 movl RIP-R11(%rsp),%edx /* User %eip */
12506 @@ -193,6 +243,9 @@ sysexit_from_sys_call:
12507 movl %eax,%esi /* 2nd arg: syscall number */
12508 movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */
12509 call __audit_syscall_entry
12513 movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */
12514 cmpq $(IA32_NR_syscalls-1),%rax
12516 @@ -204,7 +257,7 @@ sysexit_from_sys_call:
12519 .macro auditsys_exit exit
12520 - testl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET)
12521 + testl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),TI_flags(%r11)
12522 jnz ia32_ret_from_sys_call
12524 ENABLE_INTERRUPTS(CLBR_NONE)
12525 @@ -215,11 +268,12 @@ sysexit_from_sys_call:
12526 1: setbe %al /* 1 if error, 0 if not */
12527 movzbl %al,%edi /* zero-extend that into %edi */
12528 call __audit_syscall_exit
12529 + GET_THREAD_INFO(%r11)
12530 movq RAX-ARGOFFSET(%rsp),%rax /* reload syscall return value */
12531 movl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),%edi
12532 DISABLE_INTERRUPTS(CLBR_NONE)
12534 - testl %edi,TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET)
12535 + testl %edi,TI_flags(%r11)
12537 CLEAR_RREGS -ARGOFFSET
12539 @@ -237,7 +291,7 @@ sysexit_audit:
12542 #ifdef CONFIG_AUDITSYSCALL
12543 - testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT),TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET)
12544 + testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT),TI_flags(%r11)
12545 jz sysenter_auditsys
12548 @@ -249,6 +303,9 @@ sysenter_tracesys:
12550 cmpq $(IA32_NR_syscalls-1),%rax
12551 ja int_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */
12555 jmp sysenter_do_call
12557 ENDPROC(ia32_sysenter_target)
12558 @@ -276,19 +333,25 @@ ENDPROC(ia32_sysenter_target)
12559 ENTRY(ia32_cstar_target)
12560 CFI_STARTPROC32 simple
12562 - CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET
12563 + CFI_DEF_CFA rsp,0
12564 CFI_REGISTER rip,rcx
12565 /*CFI_REGISTER rflags,r11*/
12566 SWAPGS_UNSAFE_STACK
12568 CFI_REGISTER rsp,r8
12569 movq PER_CPU_VAR(kernel_stack),%rsp
12570 + SAVE_ARGS 8*6,0,0
12571 + pax_enter_kernel_user
12573 +#ifdef CONFIG_PAX_RANDKSTACK
12578 * No need to follow this irqs on/off section: the syscall
12579 * disabled irqs and here we enable it straight after entry:
12581 ENABLE_INTERRUPTS(CLBR_NONE)
12583 movl %eax,%eax /* zero extension */
12584 movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
12585 movq %rcx,RIP-ARGOFFSET(%rsp)
12586 @@ -304,12 +367,25 @@ ENTRY(ia32_cstar_target)
12587 /* no need to do an access_ok check here because r8 has been
12588 32bit zero extended */
12589 /* hardware stack frame is complete now */
12591 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12592 + ASM_PAX_OPEN_USERLAND
12593 + movq pax_user_shadow_base,%r8
12594 + addq RSP-ARGOFFSET(%rsp),%r8
12599 _ASM_EXTABLE(1b,ia32_badarg)
12601 - orl $TS_COMPAT,TI_status+THREAD_INFO(%rsp,RIP-ARGOFFSET)
12602 - testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET)
12604 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12605 + ASM_PAX_CLOSE_USERLAND
12608 + GET_THREAD_INFO(%r11)
12609 + orl $TS_COMPAT,TI_status(%r11)
12610 + testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r11)
12613 cmpq $IA32_NR_syscalls-1,%rax
12614 @@ -319,12 +395,15 @@ cstar_do_call:
12616 call *ia32_sys_call_table(,%rax,8)
12617 movq %rax,RAX-ARGOFFSET(%rsp)
12618 + GET_THREAD_INFO(%r11)
12619 DISABLE_INTERRUPTS(CLBR_NONE)
12621 - testl $_TIF_ALLWORK_MASK,TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET)
12622 + testl $_TIF_ALLWORK_MASK,TI_flags(%r11)
12624 sysretl_from_sys_call:
12625 - andl $~TS_COMPAT,TI_status+THREAD_INFO(%rsp,RIP-ARGOFFSET)
12626 + pax_exit_kernel_user
12628 + andl $~TS_COMPAT,TI_status(%r11)
12629 RESTORE_ARGS 0,-ARG_SKIP,0,0,0
12630 movl RIP-ARGOFFSET(%rsp),%ecx
12631 CFI_REGISTER rip,rcx
12632 @@ -352,7 +431,7 @@ sysretl_audit:
12635 #ifdef CONFIG_AUDITSYSCALL
12636 - testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT),TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET)
12637 + testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT),TI_flags(%r11)
12641 @@ -366,11 +445,19 @@ cstar_tracesys:
12643 cmpq $(IA32_NR_syscalls-1),%rax
12644 ja int_ret_from_sys_call /* cstar_tracesys has set RAX(%rsp) */
12649 END(ia32_cstar_target)
12654 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12655 + ASM_PAX_CLOSE_USERLAND
12661 @@ -407,19 +494,26 @@ ENTRY(ia32_syscall)
12662 CFI_REL_OFFSET rip,RIP-RIP
12663 PARAVIRT_ADJUST_EXCEPTION_FRAME
12666 - * No need to follow this irqs on/off section: the syscall
12667 - * disabled irqs and here we enable it straight after entry:
12669 - ENABLE_INTERRUPTS(CLBR_NONE)
12673 /* note the registers are not zero extended to the sf.
12674 this could be a problem. */
12676 - orl $TS_COMPAT,TI_status+THREAD_INFO(%rsp,RIP-ARGOFFSET)
12677 - testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET)
12678 + pax_enter_kernel_user
12680 +#ifdef CONFIG_PAX_RANDKSTACK
12685 + * No need to follow this irqs on/off section: the syscall
12686 + * disabled irqs and here we enable it straight after entry:
12688 + ENABLE_INTERRUPTS(CLBR_NONE)
12689 + GET_THREAD_INFO(%r11)
12690 + orl $TS_COMPAT,TI_status(%r11)
12691 + testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r11)
12693 cmpq $(IA32_NR_syscalls-1),%rax
12695 @@ -442,6 +536,9 @@ ia32_tracesys:
12697 cmpq $(IA32_NR_syscalls-1),%rax
12698 ja int_ret_from_sys_call /* ia32_tracesys has set RAX(%rsp) */
12705 diff --git a/arch/x86/ia32/sys_ia32.c b/arch/x86/ia32/sys_ia32.c
12706 index 8e0ceec..af13504 100644
12707 --- a/arch/x86/ia32/sys_ia32.c
12708 +++ b/arch/x86/ia32/sys_ia32.c
12709 @@ -69,8 +69,8 @@ asmlinkage long sys32_ftruncate64(unsigned int fd, unsigned long offset_low,
12711 static int cp_stat64(struct stat64 __user *ubuf, struct kstat *stat)
12713 - typeof(ubuf->st_uid) uid = 0;
12714 - typeof(ubuf->st_gid) gid = 0;
12715 + typeof(((struct stat64 *)0)->st_uid) uid = 0;
12716 + typeof(((struct stat64 *)0)->st_gid) gid = 0;
12717 SET_UID(uid, from_kuid_munged(current_user_ns(), stat->uid));
12718 SET_GID(gid, from_kgid_munged(current_user_ns(), stat->gid));
12719 if (!access_ok(VERIFY_WRITE, ubuf, sizeof(struct stat64)) ||
12720 diff --git a/arch/x86/include/asm/alternative-asm.h b/arch/x86/include/asm/alternative-asm.h
12721 index 372231c..a5aa1a1 100644
12722 --- a/arch/x86/include/asm/alternative-asm.h
12723 +++ b/arch/x86/include/asm/alternative-asm.h
12728 +#ifdef KERNEXEC_PLUGIN
12729 + .macro pax_force_retaddr_bts rip=0
12730 + btsq $63,\rip(%rsp)
12732 +#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS
12733 + .macro pax_force_retaddr rip=0, reload=0
12734 + btsq $63,\rip(%rsp)
12736 + .macro pax_force_fptr ptr
12739 + .macro pax_set_fptr_mask
12742 +#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR
12743 + .macro pax_force_retaddr rip=0, reload=0
12745 + pax_set_fptr_mask
12747 + orq %r10,\rip(%rsp)
12749 + .macro pax_force_fptr ptr
12752 + .macro pax_set_fptr_mask
12753 + movabs $0x8000000000000000,%r10
12757 + .macro pax_force_retaddr rip=0, reload=0
12759 + .macro pax_force_fptr ptr
12761 + .macro pax_force_retaddr_bts rip=0
12763 + .macro pax_set_fptr_mask
12767 .macro altinstruction_entry orig alt feature orig_len alt_len
12770 diff --git a/arch/x86/include/asm/alternative.h b/arch/x86/include/asm/alternative.h
12771 index 58ed6d9..f1cbe58 100644
12772 --- a/arch/x86/include/asm/alternative.h
12773 +++ b/arch/x86/include/asm/alternative.h
12774 @@ -105,7 +105,7 @@ static inline int alternatives_text_reserved(void *start, void *end)
12775 ".pushsection .discard,\"aw\",@progbits\n" \
12778 - ".pushsection .altinstr_replacement, \"ax\"\n" \
12779 + ".pushsection .altinstr_replacement, \"a\"\n" \
12780 ALTINSTR_REPLACEMENT(newinstr, feature, 1) \
12783 @@ -119,7 +119,7 @@ static inline int alternatives_text_reserved(void *start, void *end)
12787 - ".pushsection .altinstr_replacement, \"ax\"\n" \
12788 + ".pushsection .altinstr_replacement, \"a\"\n" \
12789 ALTINSTR_REPLACEMENT(newinstr1, feature1, 1) \
12790 ALTINSTR_REPLACEMENT(newinstr2, feature2, 2) \
12792 diff --git a/arch/x86/include/asm/apic.h b/arch/x86/include/asm/apic.h
12793 index 3388034..050f0b9 100644
12794 --- a/arch/x86/include/asm/apic.h
12795 +++ b/arch/x86/include/asm/apic.h
12796 @@ -44,7 +44,7 @@ static inline void generic_apic_probe(void)
12798 #ifdef CONFIG_X86_LOCAL_APIC
12800 -extern unsigned int apic_verbosity;
12801 +extern int apic_verbosity;
12802 extern int local_apic_timer_c2_ok;
12804 extern int disable_apic;
12805 diff --git a/arch/x86/include/asm/apm.h b/arch/x86/include/asm/apm.h
12806 index 20370c6..a2eb9b0 100644
12807 --- a/arch/x86/include/asm/apm.h
12808 +++ b/arch/x86/include/asm/apm.h
12809 @@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32 func, u32 ebx_in, u32 ecx_in,
12810 __asm__ __volatile__(APM_DO_ZERO_SEGS
12813 - "lcall *%%cs:apm_bios_entry\n\t"
12814 + "lcall *%%ss:apm_bios_entry\n\t"
12818 @@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_asm(u32 func, u32 ebx_in,
12819 __asm__ __volatile__(APM_DO_ZERO_SEGS
12822 - "lcall *%%cs:apm_bios_entry\n\t"
12823 + "lcall *%%ss:apm_bios_entry\n\t"
12827 diff --git a/arch/x86/include/asm/atomic.h b/arch/x86/include/asm/atomic.h
12828 index 722aa3b..3a0bb27 100644
12829 --- a/arch/x86/include/asm/atomic.h
12830 +++ b/arch/x86/include/asm/atomic.h
12833 static inline int atomic_read(const atomic_t *v)
12835 - return (*(volatile int *)&(v)->counter);
12836 + return (*(volatile const int *)&(v)->counter);
12840 + * atomic_read_unchecked - read atomic variable
12841 + * @v: pointer of type atomic_unchecked_t
12843 + * Atomically reads the value of @v.
12845 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
12847 + return (*(volatile const int *)&(v)->counter);
12851 @@ -38,6 +49,18 @@ static inline void atomic_set(atomic_t *v, int i)
12855 + * atomic_set_unchecked - set atomic variable
12856 + * @v: pointer of type atomic_unchecked_t
12857 + * @i: required value
12859 + * Atomically sets the value of @v to @i.
12861 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
12867 * atomic_add - add integer to atomic variable
12868 * @i: integer value to add
12869 * @v: pointer of type atomic_t
12870 @@ -46,7 +69,29 @@ static inline void atomic_set(atomic_t *v, int i)
12872 static inline void atomic_add(int i, atomic_t *v)
12874 - asm volatile(LOCK_PREFIX "addl %1,%0"
12875 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
12877 +#ifdef CONFIG_PAX_REFCOUNT
12879 + LOCK_PREFIX "subl %1,%0\n"
12881 + _ASM_EXTABLE(0b, 0b)
12884 + : "+m" (v->counter)
12889 + * atomic_add_unchecked - add integer to atomic variable
12890 + * @i: integer value to add
12891 + * @v: pointer of type atomic_unchecked_t
12893 + * Atomically adds @i to @v.
12895 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
12897 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
12898 : "+m" (v->counter)
12901 @@ -60,7 +105,29 @@ static inline void atomic_add(int i, atomic_t *v)
12903 static inline void atomic_sub(int i, atomic_t *v)
12905 - asm volatile(LOCK_PREFIX "subl %1,%0"
12906 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
12908 +#ifdef CONFIG_PAX_REFCOUNT
12910 + LOCK_PREFIX "addl %1,%0\n"
12912 + _ASM_EXTABLE(0b, 0b)
12915 + : "+m" (v->counter)
12920 + * atomic_sub_unchecked - subtract integer from atomic variable
12921 + * @i: integer value to subtract
12922 + * @v: pointer of type atomic_unchecked_t
12924 + * Atomically subtracts @i from @v.
12926 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
12928 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
12929 : "+m" (v->counter)
12932 @@ -78,7 +145,16 @@ static inline int atomic_sub_and_test(int i, atomic_t *v)
12936 - asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
12937 + asm volatile(LOCK_PREFIX "subl %2,%0\n"
12939 +#ifdef CONFIG_PAX_REFCOUNT
12941 + LOCK_PREFIX "addl %2,%0\n"
12943 + _ASM_EXTABLE(0b, 0b)
12947 : "+m" (v->counter), "=qm" (c)
12948 : "ir" (i) : "memory");
12950 @@ -92,7 +168,27 @@ static inline int atomic_sub_and_test(int i, atomic_t *v)
12952 static inline void atomic_inc(atomic_t *v)
12954 - asm volatile(LOCK_PREFIX "incl %0"
12955 + asm volatile(LOCK_PREFIX "incl %0\n"
12957 +#ifdef CONFIG_PAX_REFCOUNT
12959 + LOCK_PREFIX "decl %0\n"
12961 + _ASM_EXTABLE(0b, 0b)
12964 + : "+m" (v->counter));
12968 + * atomic_inc_unchecked - increment atomic variable
12969 + * @v: pointer of type atomic_unchecked_t
12971 + * Atomically increments @v by 1.
12973 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
12975 + asm volatile(LOCK_PREFIX "incl %0\n"
12976 : "+m" (v->counter));
12979 @@ -104,7 +200,27 @@ static inline void atomic_inc(atomic_t *v)
12981 static inline void atomic_dec(atomic_t *v)
12983 - asm volatile(LOCK_PREFIX "decl %0"
12984 + asm volatile(LOCK_PREFIX "decl %0\n"
12986 +#ifdef CONFIG_PAX_REFCOUNT
12988 + LOCK_PREFIX "incl %0\n"
12990 + _ASM_EXTABLE(0b, 0b)
12993 + : "+m" (v->counter));
12997 + * atomic_dec_unchecked - decrement atomic variable
12998 + * @v: pointer of type atomic_unchecked_t
13000 + * Atomically decrements @v by 1.
13002 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
13004 + asm volatile(LOCK_PREFIX "decl %0\n"
13005 : "+m" (v->counter));
13008 @@ -120,7 +236,16 @@ static inline int atomic_dec_and_test(atomic_t *v)
13012 - asm volatile(LOCK_PREFIX "decl %0; sete %1"
13013 + asm volatile(LOCK_PREFIX "decl %0\n"
13015 +#ifdef CONFIG_PAX_REFCOUNT
13017 + LOCK_PREFIX "incl %0\n"
13019 + _ASM_EXTABLE(0b, 0b)
13023 : "+m" (v->counter), "=qm" (c)
13026 @@ -138,7 +263,35 @@ static inline int atomic_inc_and_test(atomic_t *v)
13030 - asm volatile(LOCK_PREFIX "incl %0; sete %1"
13031 + asm volatile(LOCK_PREFIX "incl %0\n"
13033 +#ifdef CONFIG_PAX_REFCOUNT
13035 + LOCK_PREFIX "decl %0\n"
13037 + _ASM_EXTABLE(0b, 0b)
13041 + : "+m" (v->counter), "=qm" (c)
13047 + * atomic_inc_and_test_unchecked - increment and test
13048 + * @v: pointer of type atomic_unchecked_t
13050 + * Atomically increments @v by 1
13051 + * and returns true if the result is zero, or false for all
13054 +static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
13058 + asm volatile(LOCK_PREFIX "incl %0\n"
13060 : "+m" (v->counter), "=qm" (c)
13063 @@ -157,7 +310,16 @@ static inline int atomic_add_negative(int i, atomic_t *v)
13067 - asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
13068 + asm volatile(LOCK_PREFIX "addl %2,%0\n"
13070 +#ifdef CONFIG_PAX_REFCOUNT
13072 + LOCK_PREFIX "subl %2,%0\n"
13074 + _ASM_EXTABLE(0b, 0b)
13078 : "+m" (v->counter), "=qm" (c)
13079 : "ir" (i) : "memory");
13081 @@ -172,6 +334,18 @@ static inline int atomic_add_negative(int i, atomic_t *v)
13083 static inline int atomic_add_return(int i, atomic_t *v)
13085 + return i + xadd_check_overflow(&v->counter, i);
13089 + * atomic_add_return_unchecked - add integer and return
13090 + * @i: integer value to add
13091 + * @v: pointer of type atomic_unchecked_t
13093 + * Atomically adds @i to @v and returns @i + @v
13095 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
13097 return i + xadd(&v->counter, i);
13100 @@ -188,6 +362,10 @@ static inline int atomic_sub_return(int i, atomic_t *v)
13103 #define atomic_inc_return(v) (atomic_add_return(1, v))
13104 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
13106 + return atomic_add_return_unchecked(1, v);
13108 #define atomic_dec_return(v) (atomic_sub_return(1, v))
13110 static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
13111 @@ -195,11 +373,21 @@ static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
13112 return cmpxchg(&v->counter, old, new);
13115 +static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
13117 + return cmpxchg(&v->counter, old, new);
13120 static inline int atomic_xchg(atomic_t *v, int new)
13122 return xchg(&v->counter, new);
13125 +static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
13127 + return xchg(&v->counter, new);
13131 * __atomic_add_unless - add unless the number is already a given value
13132 * @v: pointer of type atomic_t
13133 @@ -211,12 +399,25 @@ static inline int atomic_xchg(atomic_t *v, int new)
13135 static inline int __atomic_add_unless(atomic_t *v, int a, int u)
13139 c = atomic_read(v);
13141 - if (unlikely(c == (u)))
13142 + if (unlikely(c == u))
13144 - old = atomic_cmpxchg((v), c, c + (a));
13146 + asm volatile("addl %2,%0\n"
13148 +#ifdef CONFIG_PAX_REFCOUNT
13152 + _ASM_EXTABLE(0b, 0b)
13156 + : "0" (c), "ir" (a));
13158 + old = atomic_cmpxchg(v, c, new);
13159 if (likely(old == c))
13162 @@ -225,6 +426,49 @@ static inline int __atomic_add_unless(atomic_t *v, int a, int u)
13166 + * atomic_inc_not_zero_hint - increment if not null
13167 + * @v: pointer of type atomic_t
13168 + * @hint: probable value of the atomic before the increment
13170 + * This version of atomic_inc_not_zero() gives a hint of probable
13171 + * value of the atomic. This helps processor to not read the memory
13172 + * before doing the atomic read/modify/write cycle, lowering
13173 + * number of bus transactions on some arches.
13175 + * Returns: 0 if increment was not done, 1 otherwise.
13177 +#define atomic_inc_not_zero_hint atomic_inc_not_zero_hint
13178 +static inline int atomic_inc_not_zero_hint(atomic_t *v, int hint)
13180 + int val, c = hint, new;
13182 + /* sanity test, should be removed by compiler if hint is a constant */
13184 + return __atomic_add_unless(v, 1, 0);
13187 + asm volatile("incl %0\n"
13189 +#ifdef CONFIG_PAX_REFCOUNT
13193 + _ASM_EXTABLE(0b, 0b)
13199 + val = atomic_cmpxchg(v, c, new);
13209 * atomic_inc_short - increment of a short integer
13210 * @v: pointer to type int
13212 @@ -253,14 +497,37 @@ static inline void atomic_or_long(unsigned long *v1, unsigned long v2)
13215 /* These are x86-specific, used by some header files */
13216 -#define atomic_clear_mask(mask, addr) \
13217 - asm volatile(LOCK_PREFIX "andl %0,%1" \
13218 - : : "r" (~(mask)), "m" (*(addr)) : "memory")
13219 +static inline void atomic_clear_mask(unsigned int mask, atomic_t *v)
13221 + asm volatile(LOCK_PREFIX "andl %1,%0"
13222 + : "+m" (v->counter)
13227 -#define atomic_set_mask(mask, addr) \
13228 - asm volatile(LOCK_PREFIX "orl %0,%1" \
13229 - : : "r" ((unsigned)(mask)), "m" (*(addr)) \
13231 +static inline void atomic_clear_mask_unchecked(unsigned int mask, atomic_unchecked_t *v)
13233 + asm volatile(LOCK_PREFIX "andl %1,%0"
13234 + : "+m" (v->counter)
13239 +static inline void atomic_set_mask(unsigned int mask, atomic_t *v)
13241 + asm volatile(LOCK_PREFIX "orl %1,%0"
13242 + : "+m" (v->counter)
13247 +static inline void atomic_set_mask_unchecked(unsigned int mask, atomic_unchecked_t *v)
13249 + asm volatile(LOCK_PREFIX "orl %1,%0"
13250 + : "+m" (v->counter)
13255 /* Atomic operations are already serializing on x86 */
13256 #define smp_mb__before_atomic_dec() barrier()
13257 diff --git a/arch/x86/include/asm/atomic64_32.h b/arch/x86/include/asm/atomic64_32.h
13258 index b154de7..aadebd8 100644
13259 --- a/arch/x86/include/asm/atomic64_32.h
13260 +++ b/arch/x86/include/asm/atomic64_32.h
13261 @@ -12,6 +12,14 @@ typedef struct {
13262 u64 __aligned(8) counter;
13265 +#ifdef CONFIG_PAX_REFCOUNT
13267 + u64 __aligned(8) counter;
13268 +} atomic64_unchecked_t;
13270 +typedef atomic64_t atomic64_unchecked_t;
13273 #define ATOMIC64_INIT(val) { (val) }
13275 #define __ATOMIC64_DECL(sym) void atomic64_##sym(atomic64_t *, ...)
13276 @@ -37,21 +45,31 @@ typedef struct {
13277 ATOMIC64_DECL_ONE(sym##_386)
13279 ATOMIC64_DECL_ONE(add_386);
13280 +ATOMIC64_DECL_ONE(add_unchecked_386);
13281 ATOMIC64_DECL_ONE(sub_386);
13282 +ATOMIC64_DECL_ONE(sub_unchecked_386);
13283 ATOMIC64_DECL_ONE(inc_386);
13284 +ATOMIC64_DECL_ONE(inc_unchecked_386);
13285 ATOMIC64_DECL_ONE(dec_386);
13286 +ATOMIC64_DECL_ONE(dec_unchecked_386);
13289 #define alternative_atomic64(f, out, in...) \
13290 __alternative_atomic64(f, f, ASM_OUTPUT2(out), ## in)
13292 ATOMIC64_DECL(read);
13293 +ATOMIC64_DECL(read_unchecked);
13294 ATOMIC64_DECL(set);
13295 +ATOMIC64_DECL(set_unchecked);
13296 ATOMIC64_DECL(xchg);
13297 ATOMIC64_DECL(add_return);
13298 +ATOMIC64_DECL(add_return_unchecked);
13299 ATOMIC64_DECL(sub_return);
13300 +ATOMIC64_DECL(sub_return_unchecked);
13301 ATOMIC64_DECL(inc_return);
13302 +ATOMIC64_DECL(inc_return_unchecked);
13303 ATOMIC64_DECL(dec_return);
13304 +ATOMIC64_DECL(dec_return_unchecked);
13305 ATOMIC64_DECL(dec_if_positive);
13306 ATOMIC64_DECL(inc_not_zero);
13307 ATOMIC64_DECL(add_unless);
13308 @@ -77,6 +95,21 @@ static inline long long atomic64_cmpxchg(atomic64_t *v, long long o, long long n
13312 + * atomic64_cmpxchg_unchecked - cmpxchg atomic64 variable
13313 + * @p: pointer to type atomic64_unchecked_t
13314 + * @o: expected value
13317 + * Atomically sets @v to @n if it was equal to @o and returns
13321 +static inline long long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long long o, long long n)
13323 + return cmpxchg64(&v->counter, o, n);
13327 * atomic64_xchg - xchg atomic64 variable
13328 * @v: pointer to type atomic64_t
13329 * @n: value to assign
13330 @@ -112,6 +145,22 @@ static inline void atomic64_set(atomic64_t *v, long long i)
13334 + * atomic64_set_unchecked - set atomic64 variable
13335 + * @v: pointer to type atomic64_unchecked_t
13336 + * @n: value to assign
13338 + * Atomically sets the value of @v to @n.
13340 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long long i)
13342 + unsigned high = (unsigned)(i >> 32);
13343 + unsigned low = (unsigned)i;
13344 + alternative_atomic64(set, /* no output */,
13345 + "S" (v), "b" (low), "c" (high)
13346 + : "eax", "edx", "memory");
13350 * atomic64_read - read atomic64 variable
13351 * @v: pointer to type atomic64_t
13353 @@ -125,6 +174,19 @@ static inline long long atomic64_read(const atomic64_t *v)
13357 + * atomic64_read_unchecked - read atomic64 variable
13358 + * @v: pointer to type atomic64_unchecked_t
13360 + * Atomically reads the value of @v and returns it.
13362 +static inline long long atomic64_read_unchecked(atomic64_unchecked_t *v)
13365 + alternative_atomic64(read, "=&A" (r), "c" (v) : "memory");
13370 * atomic64_add_return - add and return
13371 * @i: integer value to add
13372 * @v: pointer to type atomic64_t
13373 @@ -139,6 +201,21 @@ static inline long long atomic64_add_return(long long i, atomic64_t *v)
13378 + * atomic64_add_return_unchecked - add and return
13379 + * @i: integer value to add
13380 + * @v: pointer to type atomic64_unchecked_t
13382 + * Atomically adds @i to @v and returns @i + *@v
13384 +static inline long long atomic64_add_return_unchecked(long long i, atomic64_unchecked_t *v)
13386 + alternative_atomic64(add_return_unchecked,
13387 + ASM_OUTPUT2("+A" (i), "+c" (v)),
13388 + ASM_NO_INPUT_CLOBBER("memory"));
13393 * Other variants with different arithmetic operators:
13395 @@ -158,6 +235,14 @@ static inline long long atomic64_inc_return(atomic64_t *v)
13399 +static inline long long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
13402 + alternative_atomic64(inc_return_unchecked, "=&A" (a),
13403 + "S" (v) : "memory", "ecx");
13407 static inline long long atomic64_dec_return(atomic64_t *v)
13410 @@ -182,6 +267,21 @@ static inline long long atomic64_add(long long i, atomic64_t *v)
13414 + * atomic64_add_unchecked - add integer to atomic64 variable
13415 + * @i: integer value to add
13416 + * @v: pointer to type atomic64_unchecked_t
13418 + * Atomically adds @i to @v.
13420 +static inline long long atomic64_add_unchecked(long long i, atomic64_unchecked_t *v)
13422 + __alternative_atomic64(add_unchecked, add_return_unchecked,
13423 + ASM_OUTPUT2("+A" (i), "+c" (v)),
13424 + ASM_NO_INPUT_CLOBBER("memory"));
13429 * atomic64_sub - subtract the atomic64 variable
13430 * @i: integer value to subtract
13431 * @v: pointer to type atomic64_t
13432 diff --git a/arch/x86/include/asm/atomic64_64.h b/arch/x86/include/asm/atomic64_64.h
13433 index 0e1cbfc..5623683 100644
13434 --- a/arch/x86/include/asm/atomic64_64.h
13435 +++ b/arch/x86/include/asm/atomic64_64.h
13438 static inline long atomic64_read(const atomic64_t *v)
13440 - return (*(volatile long *)&(v)->counter);
13441 + return (*(volatile const long *)&(v)->counter);
13445 + * atomic64_read_unchecked - read atomic64 variable
13446 + * @v: pointer of type atomic64_unchecked_t
13448 + * Atomically reads the value of @v.
13449 + * Doesn't imply a read memory barrier.
13451 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
13453 + return (*(volatile const long *)&(v)->counter);
13457 @@ -34,6 +46,18 @@ static inline void atomic64_set(atomic64_t *v, long i)
13461 + * atomic64_set_unchecked - set atomic64 variable
13462 + * @v: pointer to type atomic64_unchecked_t
13463 + * @i: required value
13465 + * Atomically sets the value of @v to @i.
13467 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
13473 * atomic64_add - add integer to atomic64 variable
13474 * @i: integer value to add
13475 * @v: pointer to type atomic64_t
13476 @@ -42,6 +66,28 @@ static inline void atomic64_set(atomic64_t *v, long i)
13478 static inline void atomic64_add(long i, atomic64_t *v)
13480 + asm volatile(LOCK_PREFIX "addq %1,%0\n"
13482 +#ifdef CONFIG_PAX_REFCOUNT
13484 + LOCK_PREFIX "subq %1,%0\n"
13486 + _ASM_EXTABLE(0b, 0b)
13489 + : "=m" (v->counter)
13490 + : "er" (i), "m" (v->counter));
13494 + * atomic64_add_unchecked - add integer to atomic64 variable
13495 + * @i: integer value to add
13496 + * @v: pointer to type atomic64_unchecked_t
13498 + * Atomically adds @i to @v.
13500 +static inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
13502 asm volatile(LOCK_PREFIX "addq %1,%0"
13503 : "=m" (v->counter)
13504 : "er" (i), "m" (v->counter));
13505 @@ -56,7 +102,29 @@ static inline void atomic64_add(long i, atomic64_t *v)
13507 static inline void atomic64_sub(long i, atomic64_t *v)
13509 - asm volatile(LOCK_PREFIX "subq %1,%0"
13510 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
13512 +#ifdef CONFIG_PAX_REFCOUNT
13514 + LOCK_PREFIX "addq %1,%0\n"
13516 + _ASM_EXTABLE(0b, 0b)
13519 + : "=m" (v->counter)
13520 + : "er" (i), "m" (v->counter));
13524 + * atomic64_sub_unchecked - subtract the atomic64 variable
13525 + * @i: integer value to subtract
13526 + * @v: pointer to type atomic64_unchecked_t
13528 + * Atomically subtracts @i from @v.
13530 +static inline void atomic64_sub_unchecked(long i, atomic64_unchecked_t *v)
13532 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
13533 : "=m" (v->counter)
13534 : "er" (i), "m" (v->counter));
13536 @@ -74,7 +142,16 @@ static inline int atomic64_sub_and_test(long i, atomic64_t *v)
13540 - asm volatile(LOCK_PREFIX "subq %2,%0; sete %1"
13541 + asm volatile(LOCK_PREFIX "subq %2,%0\n"
13543 +#ifdef CONFIG_PAX_REFCOUNT
13545 + LOCK_PREFIX "addq %2,%0\n"
13547 + _ASM_EXTABLE(0b, 0b)
13551 : "=m" (v->counter), "=qm" (c)
13552 : "er" (i), "m" (v->counter) : "memory");
13554 @@ -88,6 +165,27 @@ static inline int atomic64_sub_and_test(long i, atomic64_t *v)
13556 static inline void atomic64_inc(atomic64_t *v)
13558 + asm volatile(LOCK_PREFIX "incq %0\n"
13560 +#ifdef CONFIG_PAX_REFCOUNT
13562 + LOCK_PREFIX "decq %0\n"
13564 + _ASM_EXTABLE(0b, 0b)
13567 + : "=m" (v->counter)
13568 + : "m" (v->counter));
13572 + * atomic64_inc_unchecked - increment atomic64 variable
13573 + * @v: pointer to type atomic64_unchecked_t
13575 + * Atomically increments @v by 1.
13577 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
13579 asm volatile(LOCK_PREFIX "incq %0"
13580 : "=m" (v->counter)
13581 : "m" (v->counter));
13582 @@ -101,7 +199,28 @@ static inline void atomic64_inc(atomic64_t *v)
13584 static inline void atomic64_dec(atomic64_t *v)
13586 - asm volatile(LOCK_PREFIX "decq %0"
13587 + asm volatile(LOCK_PREFIX "decq %0\n"
13589 +#ifdef CONFIG_PAX_REFCOUNT
13591 + LOCK_PREFIX "incq %0\n"
13593 + _ASM_EXTABLE(0b, 0b)
13596 + : "=m" (v->counter)
13597 + : "m" (v->counter));
13601 + * atomic64_dec_unchecked - decrement atomic64 variable
13602 + * @v: pointer to type atomic64_t
13604 + * Atomically decrements @v by 1.
13606 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
13608 + asm volatile(LOCK_PREFIX "decq %0\n"
13609 : "=m" (v->counter)
13610 : "m" (v->counter));
13612 @@ -118,7 +237,16 @@ static inline int atomic64_dec_and_test(atomic64_t *v)
13616 - asm volatile(LOCK_PREFIX "decq %0; sete %1"
13617 + asm volatile(LOCK_PREFIX "decq %0\n"
13619 +#ifdef CONFIG_PAX_REFCOUNT
13621 + LOCK_PREFIX "incq %0\n"
13623 + _ASM_EXTABLE(0b, 0b)
13627 : "=m" (v->counter), "=qm" (c)
13628 : "m" (v->counter) : "memory");
13630 @@ -136,7 +264,16 @@ static inline int atomic64_inc_and_test(atomic64_t *v)
13634 - asm volatile(LOCK_PREFIX "incq %0; sete %1"
13635 + asm volatile(LOCK_PREFIX "incq %0\n"
13637 +#ifdef CONFIG_PAX_REFCOUNT
13639 + LOCK_PREFIX "decq %0\n"
13641 + _ASM_EXTABLE(0b, 0b)
13645 : "=m" (v->counter), "=qm" (c)
13646 : "m" (v->counter) : "memory");
13648 @@ -155,7 +292,16 @@ static inline int atomic64_add_negative(long i, atomic64_t *v)
13652 - asm volatile(LOCK_PREFIX "addq %2,%0; sets %1"
13653 + asm volatile(LOCK_PREFIX "addq %2,%0\n"
13655 +#ifdef CONFIG_PAX_REFCOUNT
13657 + LOCK_PREFIX "subq %2,%0\n"
13659 + _ASM_EXTABLE(0b, 0b)
13663 : "=m" (v->counter), "=qm" (c)
13664 : "er" (i), "m" (v->counter) : "memory");
13666 @@ -170,6 +316,18 @@ static inline int atomic64_add_negative(long i, atomic64_t *v)
13668 static inline long atomic64_add_return(long i, atomic64_t *v)
13670 + return i + xadd_check_overflow(&v->counter, i);
13674 + * atomic64_add_return_unchecked - add and return
13675 + * @i: integer value to add
13676 + * @v: pointer to type atomic64_unchecked_t
13678 + * Atomically adds @i to @v and returns @i + @v
13680 +static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
13682 return i + xadd(&v->counter, i);
13685 @@ -179,6 +337,10 @@ static inline long atomic64_sub_return(long i, atomic64_t *v)
13688 #define atomic64_inc_return(v) (atomic64_add_return(1, (v)))
13689 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
13691 + return atomic64_add_return_unchecked(1, v);
13693 #define atomic64_dec_return(v) (atomic64_sub_return(1, (v)))
13695 static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
13696 @@ -186,6 +348,11 @@ static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
13697 return cmpxchg(&v->counter, old, new);
13700 +static inline long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long old, long new)
13702 + return cmpxchg(&v->counter, old, new);
13705 static inline long atomic64_xchg(atomic64_t *v, long new)
13707 return xchg(&v->counter, new);
13708 @@ -202,17 +369,30 @@ static inline long atomic64_xchg(atomic64_t *v, long new)
13710 static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
13713 + long c, old, new;
13714 c = atomic64_read(v);
13716 - if (unlikely(c == (u)))
13717 + if (unlikely(c == u))
13719 - old = atomic64_cmpxchg((v), c, c + (a));
13721 + asm volatile("add %2,%0\n"
13723 +#ifdef CONFIG_PAX_REFCOUNT
13727 + _ASM_EXTABLE(0b, 0b)
13731 + : "0" (c), "ir" (a));
13733 + old = atomic64_cmpxchg(v, c, new);
13734 if (likely(old == c))
13742 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
13743 diff --git a/arch/x86/include/asm/bitops.h b/arch/x86/include/asm/bitops.h
13744 index 6dfd019..28e188d 100644
13745 --- a/arch/x86/include/asm/bitops.h
13746 +++ b/arch/x86/include/asm/bitops.h
13748 * a mask operation on a byte.
13750 #define IS_IMMEDIATE(nr) (__builtin_constant_p(nr))
13751 -#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((void *)(addr) + ((nr)>>3))
13752 +#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((volatile void *)(addr) + ((nr)>>3))
13753 #define CONST_MASK(nr) (1 << ((nr) & 7))
13756 @@ -486,7 +486,7 @@ static inline int fls(int x)
13759 #ifdef CONFIG_X86_64
13760 -static __always_inline int fls64(__u64 x)
13761 +static __always_inline long fls64(__u64 x)
13765 diff --git a/arch/x86/include/asm/boot.h b/arch/x86/include/asm/boot.h
13766 index 4fa687a..60f2d39 100644
13767 --- a/arch/x86/include/asm/boot.h
13768 +++ b/arch/x86/include/asm/boot.h
13770 #include <uapi/asm/boot.h>
13772 /* Physical address where kernel should be loaded. */
13773 -#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
13774 +#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
13775 + (CONFIG_PHYSICAL_ALIGN - 1)) \
13776 & ~(CONFIG_PHYSICAL_ALIGN - 1))
13778 +#ifndef __ASSEMBLY__
13779 +extern unsigned char __LOAD_PHYSICAL_ADDR[];
13780 +#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
13783 /* Minimum kernel alignment, as a power of two */
13784 #ifdef CONFIG_X86_64
13785 #define MIN_KERNEL_ALIGN_LG2 PMD_SHIFT
13786 diff --git a/arch/x86/include/asm/cache.h b/arch/x86/include/asm/cache.h
13787 index 48f99f1..d78ebf9 100644
13788 --- a/arch/x86/include/asm/cache.h
13789 +++ b/arch/x86/include/asm/cache.h
13792 /* L1 cache line size */
13793 #define L1_CACHE_SHIFT (CONFIG_X86_L1_CACHE_SHIFT)
13794 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
13795 +#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
13797 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
13798 +#define __read_only __attribute__((__section__(".data..read_only")))
13800 #define INTERNODE_CACHE_SHIFT CONFIG_X86_INTERNODE_CACHE_SHIFT
13801 -#define INTERNODE_CACHE_BYTES (1 << INTERNODE_CACHE_SHIFT)
13802 +#define INTERNODE_CACHE_BYTES (_AC(1,UL) << INTERNODE_CACHE_SHIFT)
13804 #ifdef CONFIG_X86_VSMP
13806 diff --git a/arch/x86/include/asm/cacheflush.h b/arch/x86/include/asm/cacheflush.h
13807 index 9863ee3..4a1f8e1 100644
13808 --- a/arch/x86/include/asm/cacheflush.h
13809 +++ b/arch/x86/include/asm/cacheflush.h
13810 @@ -27,7 +27,7 @@ static inline unsigned long get_page_memtype(struct page *pg)
13811 unsigned long pg_flags = pg->flags & _PGMT_MASK;
13813 if (pg_flags == _PGMT_DEFAULT)
13816 else if (pg_flags == _PGMT_WC)
13817 return _PAGE_CACHE_WC;
13818 else if (pg_flags == _PGMT_UC_MINUS)
13819 diff --git a/arch/x86/include/asm/checksum_32.h b/arch/x86/include/asm/checksum_32.h
13820 index 46fc474..b02b0f9 100644
13821 --- a/arch/x86/include/asm/checksum_32.h
13822 +++ b/arch/x86/include/asm/checksum_32.h
13823 @@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_generic(const void *src, void *dst,
13824 int len, __wsum sum,
13825 int *src_err_ptr, int *dst_err_ptr);
13827 +asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
13828 + int len, __wsum sum,
13829 + int *src_err_ptr, int *dst_err_ptr);
13831 +asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
13832 + int len, __wsum sum,
13833 + int *src_err_ptr, int *dst_err_ptr);
13836 * Note: when you get a NULL pointer exception here this means someone
13837 * passed in an incorrect kernel address to one of these functions.
13838 @@ -50,7 +58,7 @@ static inline __wsum csum_partial_copy_from_user(const void __user *src,
13842 - return csum_partial_copy_generic((__force void *)src, dst,
13843 + return csum_partial_copy_generic_from_user((__force void *)src, dst,
13844 len, sum, err_ptr, NULL);
13847 @@ -178,7 +186,7 @@ static inline __wsum csum_and_copy_to_user(const void *src,
13850 if (access_ok(VERIFY_WRITE, dst, len))
13851 - return csum_partial_copy_generic(src, (__force void *)dst,
13852 + return csum_partial_copy_generic_to_user(src, (__force void *)dst,
13853 len, sum, NULL, err_ptr);
13856 diff --git a/arch/x86/include/asm/cmpxchg.h b/arch/x86/include/asm/cmpxchg.h
13857 index d47786a..ce1b05d 100644
13858 --- a/arch/x86/include/asm/cmpxchg.h
13859 +++ b/arch/x86/include/asm/cmpxchg.h
13860 @@ -14,8 +14,12 @@ extern void __cmpxchg_wrong_size(void)
13861 __compiletime_error("Bad argument size for cmpxchg");
13862 extern void __xadd_wrong_size(void)
13863 __compiletime_error("Bad argument size for xadd");
13864 +extern void __xadd_check_overflow_wrong_size(void)
13865 + __compiletime_error("Bad argument size for xadd_check_overflow");
13866 extern void __add_wrong_size(void)
13867 __compiletime_error("Bad argument size for add");
13868 +extern void __add_check_overflow_wrong_size(void)
13869 + __compiletime_error("Bad argument size for add_check_overflow");
13872 * Constants for operation sizes. On 32-bit, the 64-bit size it set to
13873 @@ -67,6 +71,34 @@ extern void __add_wrong_size(void)
13877 +#define __xchg_op_check_overflow(ptr, arg, op, lock) \
13879 + __typeof__ (*(ptr)) __ret = (arg); \
13880 + switch (sizeof(*(ptr))) { \
13881 + case __X86_CASE_L: \
13882 + asm volatile (lock #op "l %0, %1\n" \
13886 + _ASM_EXTABLE(0b, 0b) \
13887 + : "+r" (__ret), "+m" (*(ptr)) \
13888 + : : "memory", "cc"); \
13890 + case __X86_CASE_Q: \
13891 + asm volatile (lock #op "q %q0, %1\n" \
13895 + _ASM_EXTABLE(0b, 0b) \
13896 + : "+r" (__ret), "+m" (*(ptr)) \
13897 + : : "memory", "cc"); \
13900 + __ ## op ## _check_overflow_wrong_size(); \
13906 * Note: no "lock" prefix even on SMP: xchg always implies lock anyway.
13907 * Since this is generally used to protect other memory information, we
13908 @@ -167,6 +199,9 @@ extern void __add_wrong_size(void)
13909 #define xadd_sync(ptr, inc) __xadd((ptr), (inc), "lock; ")
13910 #define xadd_local(ptr, inc) __xadd((ptr), (inc), "")
13912 +#define __xadd_check_overflow(ptr, inc, lock) __xchg_op_check_overflow((ptr), (inc), xadd, lock)
13913 +#define xadd_check_overflow(ptr, inc) __xadd_check_overflow((ptr), (inc), LOCK_PREFIX)
13915 #define __add(ptr, inc, lock) \
13917 __typeof__ (*(ptr)) __ret = (inc); \
13918 diff --git a/arch/x86/include/asm/compat.h b/arch/x86/include/asm/compat.h
13919 index 59c6c40..5e0b22c 100644
13920 --- a/arch/x86/include/asm/compat.h
13921 +++ b/arch/x86/include/asm/compat.h
13922 @@ -41,7 +41,7 @@ typedef s64 __attribute__((aligned(4))) compat_s64;
13923 typedef u32 compat_uint_t;
13924 typedef u32 compat_ulong_t;
13925 typedef u64 __attribute__((aligned(4))) compat_u64;
13926 -typedef u32 compat_uptr_t;
13927 +typedef u32 __user compat_uptr_t;
13929 struct compat_timespec {
13930 compat_time_t tv_sec;
13931 diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
13932 index e99ac27..10d834e 100644
13933 --- a/arch/x86/include/asm/cpufeature.h
13934 +++ b/arch/x86/include/asm/cpufeature.h
13935 @@ -203,7 +203,7 @@
13936 #define X86_FEATURE_DECODEASSISTS (8*32+12) /* AMD Decode Assists support */
13937 #define X86_FEATURE_PAUSEFILTER (8*32+13) /* AMD filtered pause intercept */
13938 #define X86_FEATURE_PFTHRESHOLD (8*32+14) /* AMD pause filter threshold */
13940 +#define X86_FEATURE_STRONGUDEREF (8*32+31) /* PaX PCID based strong UDEREF */
13942 /* Intel-defined CPU features, CPUID level 0x00000007:0 (ebx), word 9 */
13943 #define X86_FEATURE_FSGSBASE (9*32+ 0) /* {RD/WR}{FS/GS}BASE instructions*/
13944 @@ -211,7 +211,7 @@
13945 #define X86_FEATURE_BMI1 (9*32+ 3) /* 1st group bit manipulation extensions */
13946 #define X86_FEATURE_HLE (9*32+ 4) /* Hardware Lock Elision */
13947 #define X86_FEATURE_AVX2 (9*32+ 5) /* AVX2 instructions */
13948 -#define X86_FEATURE_SMEP (9*32+ 7) /* Supervisor Mode Execution Protection */
13949 +#define X86_FEATURE_SMEP (9*32+ 7) /* Supervisor Mode Execution Prevention */
13950 #define X86_FEATURE_BMI2 (9*32+ 8) /* 2nd group bit manipulation extensions */
13951 #define X86_FEATURE_ERMS (9*32+ 9) /* Enhanced REP MOVSB/STOSB */
13952 #define X86_FEATURE_INVPCID (9*32+10) /* Invalidate Processor Context ID */
13953 @@ -353,6 +353,7 @@ extern const char * const x86_power_flags[32];
13954 #undef cpu_has_centaur_mcr
13955 #define cpu_has_centaur_mcr 0
13957 +#define cpu_has_pcid boot_cpu_has(X86_FEATURE_PCID)
13958 #endif /* CONFIG_X86_64 */
13961 @@ -394,7 +395,7 @@ static __always_inline __pure bool __static_cpu_has(u16 bit)
13962 ".section .discard,\"aw\",@progbits\n"
13963 " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */
13965 - ".section .altinstr_replacement,\"ax\"\n"
13966 + ".section .altinstr_replacement,\"a\"\n"
13970 diff --git a/arch/x86/include/asm/desc.h b/arch/x86/include/asm/desc.h
13971 index 8bf1c06..b6ae785 100644
13972 --- a/arch/x86/include/asm/desc.h
13973 +++ b/arch/x86/include/asm/desc.h
13975 #include <asm/desc_defs.h>
13976 #include <asm/ldt.h>
13977 #include <asm/mmu.h>
13978 +#include <asm/pgtable.h>
13980 #include <linux/smp.h>
13981 #include <linux/percpu.h>
13982 @@ -17,6 +18,7 @@ static inline void fill_ldt(struct desc_struct *desc, const struct user_desc *in
13984 desc->type = (info->read_exec_only ^ 1) << 1;
13985 desc->type |= info->contents << 2;
13986 + desc->type |= info->seg_not_present ^ 1;
13990 @@ -35,19 +37,14 @@ static inline void fill_ldt(struct desc_struct *desc, const struct user_desc *in
13993 extern struct desc_ptr idt_descr;
13994 -extern gate_desc idt_table[];
13995 extern struct desc_ptr nmi_idt_descr;
13996 -extern gate_desc nmi_idt_table[];
13999 - struct desc_struct gdt[GDT_ENTRIES];
14000 -} __attribute__((aligned(PAGE_SIZE)));
14002 -DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
14003 +extern gate_desc idt_table[256];
14004 +extern gate_desc nmi_idt_table[256];
14006 +extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
14007 static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
14009 - return per_cpu(gdt_page, cpu).gdt;
14010 + return cpu_gdt_table[cpu];
14013 #ifdef CONFIG_X86_64
14014 @@ -72,8 +69,14 @@ static inline void pack_gate(gate_desc *gate, unsigned char type,
14015 unsigned long base, unsigned dpl, unsigned flags,
14016 unsigned short seg)
14018 - gate->a = (seg << 16) | (base & 0xffff);
14019 - gate->b = (base & 0xffff0000) | (((0x80 | type | (dpl << 5)) & 0xff) << 8);
14020 + gate->gate.offset_low = base;
14021 + gate->gate.seg = seg;
14022 + gate->gate.reserved = 0;
14023 + gate->gate.type = type;
14024 + gate->gate.s = 0;
14025 + gate->gate.dpl = dpl;
14026 + gate->gate.p = 1;
14027 + gate->gate.offset_high = base >> 16;
14031 @@ -118,12 +121,16 @@ static inline void paravirt_free_ldt(struct desc_struct *ldt, unsigned entries)
14033 static inline void native_write_idt_entry(gate_desc *idt, int entry, const gate_desc *gate)
14035 + pax_open_kernel();
14036 memcpy(&idt[entry], gate, sizeof(*gate));
14037 + pax_close_kernel();
14040 static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry, const void *desc)
14042 + pax_open_kernel();
14043 memcpy(&ldt[entry], desc, 8);
14044 + pax_close_kernel();
14048 @@ -137,7 +144,9 @@ native_write_gdt_entry(struct desc_struct *gdt, int entry, const void *desc, int
14049 default: size = sizeof(*gdt); break;
14052 + pax_open_kernel();
14053 memcpy(&gdt[entry], desc, size);
14054 + pax_close_kernel();
14057 static inline void pack_descriptor(struct desc_struct *desc, unsigned long base,
14058 @@ -210,7 +219,9 @@ static inline void native_set_ldt(const void *addr, unsigned int entries)
14060 static inline void native_load_tr_desc(void)
14062 + pax_open_kernel();
14063 asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
14064 + pax_close_kernel();
14067 static inline void native_load_gdt(const struct desc_ptr *dtr)
14068 @@ -247,8 +258,10 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu)
14069 struct desc_struct *gdt = get_cpu_gdt_table(cpu);
14072 + pax_open_kernel();
14073 for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
14074 gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
14075 + pax_close_kernel();
14078 #define _LDT_empty(info) \
14079 @@ -287,7 +300,7 @@ static inline void load_LDT(mm_context_t *pc)
14083 -static inline unsigned long get_desc_base(const struct desc_struct *desc)
14084 +static inline unsigned long __intentional_overflow(-1) get_desc_base(const struct desc_struct *desc)
14086 return (unsigned)(desc->base0 | ((desc->base1) << 16) | ((desc->base2) << 24));
14088 @@ -311,7 +324,7 @@ static inline void set_desc_limit(struct desc_struct *desc, unsigned long limit)
14091 #ifdef CONFIG_X86_64
14092 -static inline void set_nmi_gate(int gate, void *addr)
14093 +static inline void set_nmi_gate(int gate, const void *addr)
14097 @@ -320,7 +333,7 @@ static inline void set_nmi_gate(int gate, void *addr)
14101 -static inline void _set_gate(int gate, unsigned type, void *addr,
14102 +static inline void _set_gate(int gate, unsigned type, const void *addr,
14103 unsigned dpl, unsigned ist, unsigned seg)
14106 @@ -339,7 +352,7 @@ static inline void _set_gate(int gate, unsigned type, void *addr,
14107 * Pentium F0 0F bugfix can have resulted in the mapped
14108 * IDT being write-protected.
14110 -static inline void set_intr_gate(unsigned int n, void *addr)
14111 +static inline void set_intr_gate(unsigned int n, const void *addr)
14113 BUG_ON((unsigned)n > 0xFF);
14114 _set_gate(n, GATE_INTERRUPT, addr, 0, 0, __KERNEL_CS);
14115 @@ -369,19 +382,19 @@ static inline void alloc_intr_gate(unsigned int n, void *addr)
14117 * This routine sets up an interrupt gate at directory privilege level 3.
14119 -static inline void set_system_intr_gate(unsigned int n, void *addr)
14120 +static inline void set_system_intr_gate(unsigned int n, const void *addr)
14122 BUG_ON((unsigned)n > 0xFF);
14123 _set_gate(n, GATE_INTERRUPT, addr, 0x3, 0, __KERNEL_CS);
14126 -static inline void set_system_trap_gate(unsigned int n, void *addr)
14127 +static inline void set_system_trap_gate(unsigned int n, const void *addr)
14129 BUG_ON((unsigned)n > 0xFF);
14130 _set_gate(n, GATE_TRAP, addr, 0x3, 0, __KERNEL_CS);
14133 -static inline void set_trap_gate(unsigned int n, void *addr)
14134 +static inline void set_trap_gate(unsigned int n, const void *addr)
14136 BUG_ON((unsigned)n > 0xFF);
14137 _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS);
14138 @@ -390,19 +403,31 @@ static inline void set_trap_gate(unsigned int n, void *addr)
14139 static inline void set_task_gate(unsigned int n, unsigned int gdt_entry)
14141 BUG_ON((unsigned)n > 0xFF);
14142 - _set_gate(n, GATE_TASK, (void *)0, 0, 0, (gdt_entry<<3));
14143 + _set_gate(n, GATE_TASK, (const void *)0, 0, 0, (gdt_entry<<3));
14146 -static inline void set_intr_gate_ist(int n, void *addr, unsigned ist)
14147 +static inline void set_intr_gate_ist(int n, const void *addr, unsigned ist)
14149 BUG_ON((unsigned)n > 0xFF);
14150 _set_gate(n, GATE_INTERRUPT, addr, 0, ist, __KERNEL_CS);
14153 -static inline void set_system_intr_gate_ist(int n, void *addr, unsigned ist)
14154 +static inline void set_system_intr_gate_ist(int n, const void *addr, unsigned ist)
14156 BUG_ON((unsigned)n > 0xFF);
14157 _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
14160 +#ifdef CONFIG_X86_32
14161 +static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
14163 + struct desc_struct d;
14165 + if (likely(limit))
14166 + limit = (limit - 1UL) >> PAGE_SHIFT;
14167 + pack_descriptor(&d, base, limit, 0xFB, 0xC);
14168 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S);
14172 #endif /* _ASM_X86_DESC_H */
14173 diff --git a/arch/x86/include/asm/desc_defs.h b/arch/x86/include/asm/desc_defs.h
14174 index 278441f..b95a174 100644
14175 --- a/arch/x86/include/asm/desc_defs.h
14176 +++ b/arch/x86/include/asm/desc_defs.h
14177 @@ -31,6 +31,12 @@ struct desc_struct {
14178 unsigned base1: 8, type: 4, s: 1, dpl: 2, p: 1;
14179 unsigned limit: 4, avl: 1, l: 1, d: 1, g: 1, base2: 8;
14184 + unsigned reserved: 8, type: 4, s: 1, dpl: 2, p: 1;
14185 + unsigned offset_high: 16;
14188 } __attribute__((packed));
14190 diff --git a/arch/x86/include/asm/div64.h b/arch/x86/include/asm/div64.h
14191 index ced283a..ffe04cc 100644
14192 --- a/arch/x86/include/asm/div64.h
14193 +++ b/arch/x86/include/asm/div64.h
14198 -static inline u64 div_u64_rem(u64 dividend, u32 divisor, u32 *remainder)
14199 +static inline u64 __intentional_overflow(-1) div_u64_rem(u64 dividend, u32 divisor, u32 *remainder)
14203 diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h
14204 index 9c999c1..3860cb8 100644
14205 --- a/arch/x86/include/asm/elf.h
14206 +++ b/arch/x86/include/asm/elf.h
14207 @@ -243,7 +243,25 @@ extern int force_personality32;
14208 the loader. We need to make sure that it is out of the way of the program
14209 that it will "exec", and that there is sufficient room for the brk. */
14211 +#ifdef CONFIG_PAX_SEGMEXEC
14212 +#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
14214 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
14217 +#ifdef CONFIG_PAX_ASLR
14218 +#ifdef CONFIG_X86_32
14219 +#define PAX_ELF_ET_DYN_BASE 0x10000000UL
14221 +#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
14222 +#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
14224 +#define PAX_ELF_ET_DYN_BASE 0x400000UL
14226 +#define PAX_DELTA_MMAP_LEN ((test_thread_flag(TIF_ADDR32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
14227 +#define PAX_DELTA_STACK_LEN ((test_thread_flag(TIF_ADDR32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
14231 /* This yields a mask that user programs can use to figure out what
14232 instruction set this CPU supports. This could be done in user space,
14233 @@ -296,16 +314,12 @@ do { \
14235 #define ARCH_DLINFO \
14237 - if (vdso_enabled) \
14238 - NEW_AUX_ENT(AT_SYSINFO_EHDR, \
14239 - (unsigned long)current->mm->context.vdso); \
14240 + NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso); \
14243 #define ARCH_DLINFO_X32 \
14245 - if (vdso_enabled) \
14246 - NEW_AUX_ENT(AT_SYSINFO_EHDR, \
14247 - (unsigned long)current->mm->context.vdso); \
14248 + NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso); \
14251 #define AT_SYSINFO 32
14252 @@ -320,7 +334,7 @@ else \
14254 #endif /* !CONFIG_X86_32 */
14256 -#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
14257 +#define VDSO_CURRENT_BASE (current->mm->context.vdso)
14259 #define VDSO_ENTRY \
14260 ((unsigned long)VDSO32_SYMBOL(VDSO_CURRENT_BASE, vsyscall))
14261 @@ -336,9 +350,6 @@ extern int x32_setup_additional_pages(struct linux_binprm *bprm,
14262 extern int syscall32_setup_pages(struct linux_binprm *, int exstack);
14263 #define compat_arch_setup_additional_pages syscall32_setup_pages
14265 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
14266 -#define arch_randomize_brk arch_randomize_brk
14269 * True on X86_32 or when emulating IA32 on X86_64
14271 diff --git a/arch/x86/include/asm/emergency-restart.h b/arch/x86/include/asm/emergency-restart.h
14272 index 75ce3f4..882e801 100644
14273 --- a/arch/x86/include/asm/emergency-restart.h
14274 +++ b/arch/x86/include/asm/emergency-restart.h
14275 @@ -13,6 +13,6 @@ enum reboot_type {
14277 extern enum reboot_type reboot_type;
14279 -extern void machine_emergency_restart(void);
14280 +extern void machine_emergency_restart(void) __noreturn;
14282 #endif /* _ASM_X86_EMERGENCY_RESTART_H */
14283 diff --git a/arch/x86/include/asm/fpu-internal.h b/arch/x86/include/asm/fpu-internal.h
14284 index e25cc33..7d3ec01 100644
14285 --- a/arch/x86/include/asm/fpu-internal.h
14286 +++ b/arch/x86/include/asm/fpu-internal.h
14287 @@ -126,8 +126,11 @@ static inline void sanitize_i387_state(struct task_struct *tsk)
14288 #define user_insn(insn, output, input...) \
14291 + pax_open_userland(); \
14292 asm volatile(ASM_STAC "\n" \
14293 - "1:" #insn "\n\t" \
14297 "2: " ASM_CLAC "\n" \
14298 ".section .fixup,\"ax\"\n" \
14299 "3: movl $-1,%[err]\n" \
14300 @@ -136,6 +139,7 @@ static inline void sanitize_i387_state(struct task_struct *tsk)
14301 _ASM_EXTABLE(1b, 3b) \
14302 : [err] "=r" (err), output \
14303 : "0"(0), input); \
14304 + pax_close_userland(); \
14308 @@ -300,7 +304,7 @@ static inline int restore_fpu_checking(struct task_struct *tsk)
14309 "emms\n\t" /* clear stack tags */
14310 "fildl %P[addr]", /* set F?P to defined value */
14311 X86_FEATURE_FXSAVE_LEAK,
14312 - [addr] "m" (tsk->thread.fpu.has_fpu));
14313 + [addr] "m" (init_tss[raw_smp_processor_id()].x86_tss.sp0));
14315 return fpu_restore_checking(&tsk->thread.fpu);
14317 diff --git a/arch/x86/include/asm/futex.h b/arch/x86/include/asm/futex.h
14318 index be27ba1..04a8801 100644
14319 --- a/arch/x86/include/asm/futex.h
14320 +++ b/arch/x86/include/asm/futex.h
14322 #include <asm/smap.h>
14324 #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
14325 + typecheck(u32 __user *, uaddr); \
14326 asm volatile("\t" ASM_STAC "\n" \
14328 "2:\t" ASM_CLAC "\n" \
14329 @@ -20,15 +21,16 @@
14332 _ASM_EXTABLE(1b, 3b) \
14333 - : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
14334 + : "=r" (oldval), "=r" (ret), "+m" (*(u32 __user *)____m(uaddr)) \
14335 : "i" (-EFAULT), "0" (oparg), "1" (0))
14337 #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
14338 + typecheck(u32 __user *, uaddr); \
14339 asm volatile("\t" ASM_STAC "\n" \
14340 "1:\tmovl %2, %0\n" \
14341 "\tmovl\t%0, %3\n" \
14343 - "2:\t" LOCK_PREFIX "cmpxchgl %3, %2\n" \
14344 + "2:\t" LOCK_PREFIX __copyuser_seg"cmpxchgl %3, %2\n" \
14346 "3:\t" ASM_CLAC "\n" \
14347 "\t.section .fixup,\"ax\"\n" \
14349 _ASM_EXTABLE(1b, 4b) \
14350 _ASM_EXTABLE(2b, 4b) \
14351 : "=&a" (oldval), "=&r" (ret), \
14352 - "+m" (*uaddr), "=&r" (tem) \
14353 + "+m" (*(u32 __user *)____m(uaddr)), "=&r" (tem) \
14354 : "r" (oparg), "i" (-EFAULT), "1" (0))
14356 static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
14357 @@ -57,12 +59,13 @@ static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
14359 pagefault_disable();
14361 + pax_open_userland();
14364 - __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
14365 + __futex_atomic_op1(__copyuser_seg"xchgl %0, %2", ret, oldval, uaddr, oparg);
14368 - __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
14369 + __futex_atomic_op1(LOCK_PREFIX __copyuser_seg"xaddl %0, %2", ret, oldval,
14373 @@ -77,6 +80,7 @@ static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
14377 + pax_close_userland();
14379 pagefault_enable();
14381 @@ -115,18 +119,20 @@ static inline int futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
14382 if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
14385 + pax_open_userland();
14386 asm volatile("\t" ASM_STAC "\n"
14387 - "1:\t" LOCK_PREFIX "cmpxchgl %4, %2\n"
14388 + "1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgl %4, %2\n"
14389 "2:\t" ASM_CLAC "\n"
14390 "\t.section .fixup, \"ax\"\n"
14394 _ASM_EXTABLE(1b, 3b)
14395 - : "+r" (ret), "=a" (oldval), "+m" (*uaddr)
14396 + : "+r" (ret), "=a" (oldval), "+m" (*(u32 __user *)____m(uaddr))
14397 : "i" (-EFAULT), "r" (newval), "1" (oldval)
14400 + pax_close_userland();
14404 diff --git a/arch/x86/include/asm/hw_irq.h b/arch/x86/include/asm/hw_irq.h
14405 index 1da97ef..9c2ebff 100644
14406 --- a/arch/x86/include/asm/hw_irq.h
14407 +++ b/arch/x86/include/asm/hw_irq.h
14408 @@ -148,8 +148,8 @@ extern void setup_ioapic_dest(void);
14409 extern void enable_IO_APIC(void);
14412 -extern atomic_t irq_err_count;
14413 -extern atomic_t irq_mis_count;
14414 +extern atomic_unchecked_t irq_err_count;
14415 +extern atomic_unchecked_t irq_mis_count;
14418 extern void eisa_set_level_irq(unsigned int irq);
14419 diff --git a/arch/x86/include/asm/i8259.h b/arch/x86/include/asm/i8259.h
14420 index a203659..9889f1c 100644
14421 --- a/arch/x86/include/asm/i8259.h
14422 +++ b/arch/x86/include/asm/i8259.h
14423 @@ -62,7 +62,7 @@ struct legacy_pic {
14424 void (*init)(int auto_eoi);
14425 int (*irq_pending)(unsigned int irq);
14426 void (*make_irq)(unsigned int irq);
14430 extern struct legacy_pic *legacy_pic;
14431 extern struct legacy_pic null_legacy_pic;
14432 diff --git a/arch/x86/include/asm/io.h b/arch/x86/include/asm/io.h
14433 index d8e8eef..1765f78 100644
14434 --- a/arch/x86/include/asm/io.h
14435 +++ b/arch/x86/include/asm/io.h
14436 @@ -51,12 +51,12 @@ static inline void name(type val, volatile void __iomem *addr) \
14437 "m" (*(volatile type __force *)addr) barrier); }
14439 build_mmio_read(readb, "b", unsigned char, "=q", :"memory")
14440 -build_mmio_read(readw, "w", unsigned short, "=r", :"memory")
14441 -build_mmio_read(readl, "l", unsigned int, "=r", :"memory")
14442 +build_mmio_read(__intentional_overflow(-1) readw, "w", unsigned short, "=r", :"memory")
14443 +build_mmio_read(__intentional_overflow(-1) readl, "l", unsigned int, "=r", :"memory")
14445 build_mmio_read(__readb, "b", unsigned char, "=q", )
14446 -build_mmio_read(__readw, "w", unsigned short, "=r", )
14447 -build_mmio_read(__readl, "l", unsigned int, "=r", )
14448 +build_mmio_read(__intentional_overflow(-1) __readw, "w", unsigned short, "=r", )
14449 +build_mmio_read(__intentional_overflow(-1) __readl, "l", unsigned int, "=r", )
14451 build_mmio_write(writeb, "b", unsigned char, "q", :"memory")
14452 build_mmio_write(writew, "w", unsigned short, "r", :"memory")
14453 @@ -184,7 +184,7 @@ static inline void __iomem *ioremap(resource_size_t offset, unsigned long size)
14454 return ioremap_nocache(offset, size);
14457 -extern void iounmap(volatile void __iomem *addr);
14458 +extern void iounmap(const volatile void __iomem *addr);
14460 extern void set_iounmap_nonlazy(void);
14462 @@ -194,6 +194,17 @@ extern void set_iounmap_nonlazy(void);
14464 #include <linux/vmalloc.h>
14466 +#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
14467 +static inline int valid_phys_addr_range(unsigned long addr, size_t count)
14469 + return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
14472 +static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
14474 + return (pfn + (count >> PAGE_SHIFT)) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
14478 * Convert a virtual cached pointer to an uncached pointer
14480 diff --git a/arch/x86/include/asm/irqflags.h b/arch/x86/include/asm/irqflags.h
14481 index bba3cf8..06bc8da 100644
14482 --- a/arch/x86/include/asm/irqflags.h
14483 +++ b/arch/x86/include/asm/irqflags.h
14484 @@ -141,6 +141,11 @@ static inline notrace unsigned long arch_local_irq_save(void)
14488 +#define GET_CR0_INTO_RDI mov %cr0, %rdi
14489 +#define SET_RDI_INTO_CR0 mov %rdi, %cr0
14490 +#define GET_CR3_INTO_RDI mov %cr3, %rdi
14491 +#define SET_RDI_INTO_CR3 mov %rdi, %cr3
14494 #define INTERRUPT_RETURN iret
14495 #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
14496 diff --git a/arch/x86/include/asm/kprobes.h b/arch/x86/include/asm/kprobes.h
14497 index 5a6d287..f815789 100644
14498 --- a/arch/x86/include/asm/kprobes.h
14499 +++ b/arch/x86/include/asm/kprobes.h
14500 @@ -38,13 +38,8 @@ typedef u8 kprobe_opcode_t;
14501 #define RELATIVEJUMP_SIZE 5
14502 #define RELATIVECALL_OPCODE 0xe8
14503 #define RELATIVE_ADDR_SIZE 4
14504 -#define MAX_STACK_SIZE 64
14505 -#define MIN_STACK_SIZE(ADDR) \
14506 - (((MAX_STACK_SIZE) < (((unsigned long)current_thread_info()) + \
14507 - THREAD_SIZE - (unsigned long)(ADDR))) \
14508 - ? (MAX_STACK_SIZE) \
14509 - : (((unsigned long)current_thread_info()) + \
14510 - THREAD_SIZE - (unsigned long)(ADDR)))
14511 +#define MAX_STACK_SIZE 64UL
14512 +#define MIN_STACK_SIZE(ADDR) min(MAX_STACK_SIZE, current->thread.sp0 - (unsigned long)(ADDR))
14514 #define flush_insn_slot(p) do { } while (0)
14516 diff --git a/arch/x86/include/asm/local.h b/arch/x86/include/asm/local.h
14517 index 2d89e39..baee879 100644
14518 --- a/arch/x86/include/asm/local.h
14519 +++ b/arch/x86/include/asm/local.h
14520 @@ -10,33 +10,97 @@ typedef struct {
14525 + atomic_long_unchecked_t a;
14526 +} local_unchecked_t;
14528 #define LOCAL_INIT(i) { ATOMIC_LONG_INIT(i) }
14530 #define local_read(l) atomic_long_read(&(l)->a)
14531 +#define local_read_unchecked(l) atomic_long_read_unchecked(&(l)->a)
14532 #define local_set(l, i) atomic_long_set(&(l)->a, (i))
14533 +#define local_set_unchecked(l, i) atomic_long_set_unchecked(&(l)->a, (i))
14535 static inline void local_inc(local_t *l)
14537 - asm volatile(_ASM_INC "%0"
14538 + asm volatile(_ASM_INC "%0\n"
14540 +#ifdef CONFIG_PAX_REFCOUNT
14544 + _ASM_EXTABLE(0b, 0b)
14547 + : "+m" (l->a.counter));
14550 +static inline void local_inc_unchecked(local_unchecked_t *l)
14552 + asm volatile(_ASM_INC "%0\n"
14553 : "+m" (l->a.counter));
14556 static inline void local_dec(local_t *l)
14558 - asm volatile(_ASM_DEC "%0"
14559 + asm volatile(_ASM_DEC "%0\n"
14561 +#ifdef CONFIG_PAX_REFCOUNT
14565 + _ASM_EXTABLE(0b, 0b)
14568 + : "+m" (l->a.counter));
14571 +static inline void local_dec_unchecked(local_unchecked_t *l)
14573 + asm volatile(_ASM_DEC "%0\n"
14574 : "+m" (l->a.counter));
14577 static inline void local_add(long i, local_t *l)
14579 - asm volatile(_ASM_ADD "%1,%0"
14580 + asm volatile(_ASM_ADD "%1,%0\n"
14582 +#ifdef CONFIG_PAX_REFCOUNT
14584 + _ASM_SUB "%1,%0\n"
14586 + _ASM_EXTABLE(0b, 0b)
14589 + : "+m" (l->a.counter)
14593 +static inline void local_add_unchecked(long i, local_unchecked_t *l)
14595 + asm volatile(_ASM_ADD "%1,%0\n"
14596 : "+m" (l->a.counter)
14600 static inline void local_sub(long i, local_t *l)
14602 - asm volatile(_ASM_SUB "%1,%0"
14603 + asm volatile(_ASM_SUB "%1,%0\n"
14605 +#ifdef CONFIG_PAX_REFCOUNT
14607 + _ASM_ADD "%1,%0\n"
14609 + _ASM_EXTABLE(0b, 0b)
14612 + : "+m" (l->a.counter)
14616 +static inline void local_sub_unchecked(long i, local_unchecked_t *l)
14618 + asm volatile(_ASM_SUB "%1,%0\n"
14619 : "+m" (l->a.counter)
14622 @@ -54,7 +118,16 @@ static inline int local_sub_and_test(long i, local_t *l)
14626 - asm volatile(_ASM_SUB "%2,%0; sete %1"
14627 + asm volatile(_ASM_SUB "%2,%0\n"
14629 +#ifdef CONFIG_PAX_REFCOUNT
14631 + _ASM_ADD "%2,%0\n"
14633 + _ASM_EXTABLE(0b, 0b)
14637 : "+m" (l->a.counter), "=qm" (c)
14638 : "ir" (i) : "memory");
14640 @@ -72,7 +145,16 @@ static inline int local_dec_and_test(local_t *l)
14644 - asm volatile(_ASM_DEC "%0; sete %1"
14645 + asm volatile(_ASM_DEC "%0\n"
14647 +#ifdef CONFIG_PAX_REFCOUNT
14651 + _ASM_EXTABLE(0b, 0b)
14655 : "+m" (l->a.counter), "=qm" (c)
14658 @@ -90,7 +172,16 @@ static inline int local_inc_and_test(local_t *l)
14662 - asm volatile(_ASM_INC "%0; sete %1"
14663 + asm volatile(_ASM_INC "%0\n"
14665 +#ifdef CONFIG_PAX_REFCOUNT
14669 + _ASM_EXTABLE(0b, 0b)
14673 : "+m" (l->a.counter), "=qm" (c)
14676 @@ -109,7 +200,16 @@ static inline int local_add_negative(long i, local_t *l)
14680 - asm volatile(_ASM_ADD "%2,%0; sets %1"
14681 + asm volatile(_ASM_ADD "%2,%0\n"
14683 +#ifdef CONFIG_PAX_REFCOUNT
14685 + _ASM_SUB "%2,%0\n"
14687 + _ASM_EXTABLE(0b, 0b)
14691 : "+m" (l->a.counter), "=qm" (c)
14692 : "ir" (i) : "memory");
14694 @@ -125,6 +225,30 @@ static inline int local_add_negative(long i, local_t *l)
14695 static inline long local_add_return(long i, local_t *l)
14698 + asm volatile(_ASM_XADD "%0, %1\n"
14700 +#ifdef CONFIG_PAX_REFCOUNT
14702 + _ASM_MOV "%0,%1\n"
14704 + _ASM_EXTABLE(0b, 0b)
14707 + : "+r" (i), "+m" (l->a.counter)
14713 + * local_add_return_unchecked - add and return
14714 + * @i: integer value to add
14715 + * @l: pointer to type local_unchecked_t
14717 + * Atomically adds @i to @l and returns @i + @l
14719 +static inline long local_add_return_unchecked(long i, local_unchecked_t *l)
14722 asm volatile(_ASM_XADD "%0, %1;"
14723 : "+r" (i), "+m" (l->a.counter)
14725 @@ -141,6 +265,8 @@ static inline long local_sub_return(long i, local_t *l)
14727 #define local_cmpxchg(l, o, n) \
14728 (cmpxchg_local(&((l)->a.counter), (o), (n)))
14729 +#define local_cmpxchg_unchecked(l, o, n) \
14730 + (cmpxchg_local(&((l)->a.counter), (o), (n)))
14731 /* Always has a lock prefix */
14732 #define local_xchg(l, n) (xchg(&((l)->a.counter), (n)))
14734 diff --git a/arch/x86/include/asm/mman.h b/arch/x86/include/asm/mman.h
14735 new file mode 100644
14736 index 0000000..2bfd3ba
14738 +++ b/arch/x86/include/asm/mman.h
14740 +#ifndef _X86_MMAN_H
14741 +#define _X86_MMAN_H
14743 +#include <uapi/asm/mman.h>
14746 +#ifndef __ASSEMBLY__
14747 +#ifdef CONFIG_X86_32
14748 +#define arch_mmap_check i386_mmap_check
14749 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags);
14754 +#endif /* X86_MMAN_H */
14755 diff --git a/arch/x86/include/asm/mmu.h b/arch/x86/include/asm/mmu.h
14756 index 5f55e69..e20bfb1 100644
14757 --- a/arch/x86/include/asm/mmu.h
14758 +++ b/arch/x86/include/asm/mmu.h
14760 * we put the segment information here.
14764 + struct desc_struct *ldt;
14767 #ifdef CONFIG_X86_64
14768 @@ -18,7 +18,19 @@ typedef struct {
14773 + unsigned long vdso;
14775 +#ifdef CONFIG_X86_32
14776 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
14777 + unsigned long user_cs_base;
14778 + unsigned long user_cs_limit;
14780 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
14781 + cpumask_t cpu_user_cs_mask;
14789 diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
14790 index cdbf367..4c73c9e 100644
14791 --- a/arch/x86/include/asm/mmu_context.h
14792 +++ b/arch/x86/include/asm/mmu_context.h
14793 @@ -24,6 +24,20 @@ void destroy_context(struct mm_struct *mm);
14795 static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
14798 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
14799 + if (!(static_cpu_has(X86_FEATURE_PCID))) {
14803 + pax_open_kernel();
14804 + pgd = get_cpu_pgd(smp_processor_id(), kernel);
14805 + for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i)
14806 + set_pgd_batched(pgd+i, native_make_pgd(0));
14807 + pax_close_kernel();
14812 if (this_cpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
14813 this_cpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
14814 @@ -34,16 +48,55 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
14815 struct task_struct *tsk)
14817 unsigned cpu = smp_processor_id();
14818 +#if defined(CONFIG_X86_32) && defined(CONFIG_SMP) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
14819 + int tlbstate = TLBSTATE_OK;
14822 if (likely(prev != next)) {
14824 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
14825 + tlbstate = this_cpu_read(cpu_tlbstate.state);
14827 this_cpu_write(cpu_tlbstate.state, TLBSTATE_OK);
14828 this_cpu_write(cpu_tlbstate.active_mm, next);
14830 cpumask_set_cpu(cpu, mm_cpumask(next));
14832 /* Re-load page tables */
14833 +#ifdef CONFIG_PAX_PER_CPU_PGD
14834 + pax_open_kernel();
14836 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
14837 + if (static_cpu_has(X86_FEATURE_PCID))
14838 + __clone_user_pgds(get_cpu_pgd(cpu, user), next->pgd);
14842 + __clone_user_pgds(get_cpu_pgd(cpu, kernel), next->pgd);
14843 + __shadow_user_pgds(get_cpu_pgd(cpu, kernel) + USER_PGD_PTRS, next->pgd);
14844 + pax_close_kernel();
14845 + BUG_ON((__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL) != (read_cr3() & __PHYSICAL_MASK) && (__pa(get_cpu_pgd(cpu, user)) | PCID_USER) != (read_cr3() & __PHYSICAL_MASK));
14847 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
14848 + if (static_cpu_has(X86_FEATURE_PCID)) {
14849 + if (static_cpu_has(X86_FEATURE_INVPCID)) {
14850 + unsigned long descriptor[2];
14851 + descriptor[0] = PCID_USER;
14852 + asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_CONTEXT) : "memory");
14854 + write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER);
14855 + if (static_cpu_has(X86_FEATURE_STRONGUDEREF))
14856 + write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL | PCID_NOFLUSH);
14858 + write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL);
14863 + load_cr3(get_cpu_pgd(cpu, kernel));
14865 load_cr3(next->pgd);
14868 /* stop flush ipis for the previous mm */
14869 cpumask_clear_cpu(cpu, mm_cpumask(prev));
14870 @@ -53,9 +106,63 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
14872 if (unlikely(prev->context.ldt != next->context.ldt))
14873 load_LDT_nolock(&next->context);
14876 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
14877 + if (!(__supported_pte_mask & _PAGE_NX)) {
14878 + smp_mb__before_clear_bit();
14879 + cpu_clear(cpu, prev->context.cpu_user_cs_mask);
14880 + smp_mb__after_clear_bit();
14881 + cpu_set(cpu, next->context.cpu_user_cs_mask);
14885 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
14886 + if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
14887 + prev->context.user_cs_limit != next->context.user_cs_limit))
14888 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
14890 + else if (unlikely(tlbstate != TLBSTATE_OK))
14891 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
14898 +#ifdef CONFIG_PAX_PER_CPU_PGD
14899 + pax_open_kernel();
14901 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
14902 + if (static_cpu_has(X86_FEATURE_PCID))
14903 + __clone_user_pgds(get_cpu_pgd(cpu, user), next->pgd);
14907 + __clone_user_pgds(get_cpu_pgd(cpu, kernel), next->pgd);
14908 + __shadow_user_pgds(get_cpu_pgd(cpu, kernel) + USER_PGD_PTRS, next->pgd);
14909 + pax_close_kernel();
14910 + BUG_ON((__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL) != (read_cr3() & __PHYSICAL_MASK) && (__pa(get_cpu_pgd(cpu, user)) | PCID_USER) != (read_cr3() & __PHYSICAL_MASK));
14912 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
14913 + if (static_cpu_has(X86_FEATURE_PCID)) {
14914 + if (static_cpu_has(X86_FEATURE_INVPCID)) {
14915 + unsigned long descriptor[2];
14916 + descriptor[0] = PCID_USER;
14917 + asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_CONTEXT) : "memory");
14919 + write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER);
14920 + if (static_cpu_has(X86_FEATURE_STRONGUDEREF))
14921 + write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL | PCID_NOFLUSH);
14923 + write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL);
14928 + load_cr3(get_cpu_pgd(cpu, kernel));
14932 this_cpu_write(cpu_tlbstate.state, TLBSTATE_OK);
14933 BUG_ON(this_cpu_read(cpu_tlbstate.active_mm) != next);
14935 @@ -64,11 +171,28 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
14936 * tlb flush IPI delivery. We must reload CR3
14937 * to make sure to use no freed page tables.
14940 +#ifndef CONFIG_PAX_PER_CPU_PGD
14941 load_cr3(next->pgd);
14944 load_LDT_nolock(&next->context);
14946 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
14947 + if (!(__supported_pte_mask & _PAGE_NX))
14948 + cpu_set(cpu, next->context.cpu_user_cs_mask);
14951 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
14952 +#ifdef CONFIG_PAX_PAGEEXEC
14953 + if (!((next->pax_flags & MF_PAX_PAGEEXEC) && (__supported_pte_mask & _PAGE_NX)))
14955 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
14964 #define activate_mm(prev, next) \
14965 diff --git a/arch/x86/include/asm/module.h b/arch/x86/include/asm/module.h
14966 index e3b7819..b257c64 100644
14967 --- a/arch/x86/include/asm/module.h
14968 +++ b/arch/x86/include/asm/module.h
14971 #ifdef CONFIG_X86_64
14972 /* X86_64 does not define MODULE_PROC_FAMILY */
14973 +#define MODULE_PROC_FAMILY ""
14974 #elif defined CONFIG_M486
14975 #define MODULE_PROC_FAMILY "486 "
14976 #elif defined CONFIG_M586
14978 #error unknown processor family
14981 -#ifdef CONFIG_X86_32
14982 -# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY
14983 +#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS
14984 +#define MODULE_PAX_KERNEXEC "KERNEXEC_BTS "
14985 +#elif defined(CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR)
14986 +#define MODULE_PAX_KERNEXEC "KERNEXEC_OR "
14988 +#define MODULE_PAX_KERNEXEC ""
14991 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14992 +#define MODULE_PAX_UDEREF "UDEREF "
14994 +#define MODULE_PAX_UDEREF ""
14997 +#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF
14999 #endif /* _ASM_X86_MODULE_H */
15000 diff --git a/arch/x86/include/asm/nmi.h b/arch/x86/include/asm/nmi.h
15001 index 86f9301..b365cda 100644
15002 --- a/arch/x86/include/asm/nmi.h
15003 +++ b/arch/x86/include/asm/nmi.h
15004 @@ -40,11 +40,11 @@ struct nmiaction {
15005 nmi_handler_t handler;
15006 unsigned long flags;
15011 #define register_nmi_handler(t, fn, fg, n, init...) \
15013 - static struct nmiaction init fn##_na = { \
15014 + static const struct nmiaction init fn##_na = { \
15018 @@ -52,7 +52,7 @@ struct nmiaction {
15019 __register_nmi_handler((t), &fn##_na); \
15022 -int __register_nmi_handler(unsigned int, struct nmiaction *);
15023 +int __register_nmi_handler(unsigned int, const struct nmiaction *);
15025 void unregister_nmi_handler(unsigned int, const char *);
15027 diff --git a/arch/x86/include/asm/page.h b/arch/x86/include/asm/page.h
15028 index c878924..21f4889 100644
15029 --- a/arch/x86/include/asm/page.h
15030 +++ b/arch/x86/include/asm/page.h
15031 @@ -52,6 +52,7 @@ static inline void copy_user_page(void *to, void *from, unsigned long vaddr,
15032 __phys_addr_symbol(__phys_reloc_hide((unsigned long)(x)))
15034 #define __va(x) ((void *)((unsigned long)(x)+PAGE_OFFSET))
15035 +#define __early_va(x) ((void *)((unsigned long)(x)+__START_KERNEL_map - phys_base))
15037 #define __boot_va(x) __va(x)
15038 #define __boot_pa(x) __pa(x)
15039 diff --git a/arch/x86/include/asm/page_64.h b/arch/x86/include/asm/page_64.h
15040 index 0f1ddee..e2fc3d1 100644
15041 --- a/arch/x86/include/asm/page_64.h
15042 +++ b/arch/x86/include/asm/page_64.h
15045 /* duplicated to the one in bootmem.h */
15046 extern unsigned long max_pfn;
15047 -extern unsigned long phys_base;
15048 +extern const unsigned long phys_base;
15050 -static inline unsigned long __phys_addr_nodebug(unsigned long x)
15051 +static inline unsigned long __intentional_overflow(-1) __phys_addr_nodebug(unsigned long x)
15053 unsigned long y = x - __START_KERNEL_map;
15055 diff --git a/arch/x86/include/asm/paravirt.h b/arch/x86/include/asm/paravirt.h
15056 index cfdc9ee..3f7b5d6 100644
15057 --- a/arch/x86/include/asm/paravirt.h
15058 +++ b/arch/x86/include/asm/paravirt.h
15059 @@ -560,7 +560,7 @@ static inline pmd_t __pmd(pmdval_t val)
15060 return (pmd_t) { ret };
15063 -static inline pmdval_t pmd_val(pmd_t pmd)
15064 +static inline __intentional_overflow(-1) pmdval_t pmd_val(pmd_t pmd)
15068 @@ -626,6 +626,18 @@ static inline void set_pgd(pgd_t *pgdp, pgd_t pgd)
15072 +static inline void set_pgd_batched(pgd_t *pgdp, pgd_t pgd)
15074 + pgdval_t val = native_pgd_val(pgd);
15076 + if (sizeof(pgdval_t) > sizeof(long))
15077 + PVOP_VCALL3(pv_mmu_ops.set_pgd_batched, pgdp,
15078 + val, (u64)val >> 32);
15080 + PVOP_VCALL2(pv_mmu_ops.set_pgd_batched, pgdp,
15084 static inline void pgd_clear(pgd_t *pgdp)
15086 set_pgd(pgdp, __pgd(0));
15087 @@ -710,6 +722,21 @@ static inline void __set_fixmap(unsigned /* enum fixed_addresses */ idx,
15088 pv_mmu_ops.set_fixmap(idx, phys, flags);
15091 +#ifdef CONFIG_PAX_KERNEXEC
15092 +static inline unsigned long pax_open_kernel(void)
15094 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_open_kernel);
15097 +static inline unsigned long pax_close_kernel(void)
15099 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_close_kernel);
15102 +static inline unsigned long pax_open_kernel(void) { return 0; }
15103 +static inline unsigned long pax_close_kernel(void) { return 0; }
15106 #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS)
15108 static inline int arch_spin_is_locked(struct arch_spinlock *lock)
15109 @@ -926,7 +953,7 @@ extern void default_banner(void);
15111 #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4)
15112 #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
15113 -#define PARA_INDIRECT(addr) *%cs:addr
15114 +#define PARA_INDIRECT(addr) *%ss:addr
15117 #define INTERRUPT_RETURN \
15118 @@ -1001,6 +1028,21 @@ extern void default_banner(void);
15119 PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit), \
15121 jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit))
15123 +#define GET_CR0_INTO_RDI \
15124 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
15127 +#define SET_RDI_INTO_CR0 \
15128 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
15130 +#define GET_CR3_INTO_RDI \
15131 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_read_cr3); \
15134 +#define SET_RDI_INTO_CR3 \
15135 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_write_cr3)
15137 #endif /* CONFIG_X86_32 */
15139 #endif /* __ASSEMBLY__ */
15140 diff --git a/arch/x86/include/asm/paravirt_types.h b/arch/x86/include/asm/paravirt_types.h
15141 index 0db1fca..52310cc 100644
15142 --- a/arch/x86/include/asm/paravirt_types.h
15143 +++ b/arch/x86/include/asm/paravirt_types.h
15144 @@ -84,7 +84,7 @@ struct pv_init_ops {
15146 unsigned (*patch)(u8 type, u16 clobber, void *insnbuf,
15147 unsigned long addr, unsigned len);
15152 struct pv_lazy_ops {
15153 @@ -98,7 +98,7 @@ struct pv_time_ops {
15154 unsigned long long (*sched_clock)(void);
15155 unsigned long long (*steal_clock)(int cpu);
15156 unsigned long (*get_tsc_khz)(void);
15160 struct pv_cpu_ops {
15161 /* hooks for various privileged instructions */
15162 @@ -192,7 +192,7 @@ struct pv_cpu_ops {
15164 void (*start_context_switch)(struct task_struct *prev);
15165 void (*end_context_switch)(struct task_struct *next);
15169 struct pv_irq_ops {
15171 @@ -223,7 +223,7 @@ struct pv_apic_ops {
15172 unsigned long start_eip,
15173 unsigned long start_esp);
15178 struct pv_mmu_ops {
15179 unsigned long (*read_cr2)(void);
15180 @@ -313,6 +313,7 @@ struct pv_mmu_ops {
15181 struct paravirt_callee_save make_pud;
15183 void (*set_pgd)(pgd_t *pudp, pgd_t pgdval);
15184 + void (*set_pgd_batched)(pgd_t *pudp, pgd_t pgdval);
15185 #endif /* PAGETABLE_LEVELS == 4 */
15186 #endif /* PAGETABLE_LEVELS >= 3 */
15188 @@ -324,6 +325,12 @@ struct pv_mmu_ops {
15189 an mfn. We can tell which is which from the index. */
15190 void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx,
15191 phys_addr_t phys, pgprot_t flags);
15193 +#ifdef CONFIG_PAX_KERNEXEC
15194 + unsigned long (*pax_open_kernel)(void);
15195 + unsigned long (*pax_close_kernel)(void);
15200 struct arch_spinlock;
15201 @@ -334,7 +341,7 @@ struct pv_lock_ops {
15202 void (*spin_lock_flags)(struct arch_spinlock *lock, unsigned long flags);
15203 int (*spin_trylock)(struct arch_spinlock *lock);
15204 void (*spin_unlock)(struct arch_spinlock *lock);
15208 /* This contains all the paravirt structures: we get a convenient
15209 * number for each function using the offset which we use to indicate
15210 diff --git a/arch/x86/include/asm/pgalloc.h b/arch/x86/include/asm/pgalloc.h
15211 index b4389a4..7024269 100644
15212 --- a/arch/x86/include/asm/pgalloc.h
15213 +++ b/arch/x86/include/asm/pgalloc.h
15214 @@ -63,6 +63,13 @@ static inline void pmd_populate_kernel(struct mm_struct *mm,
15215 pmd_t *pmd, pte_t *pte)
15217 paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
15218 + set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
15221 +static inline void pmd_populate_user(struct mm_struct *mm,
15222 + pmd_t *pmd, pte_t *pte)
15224 + paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
15225 set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
15228 @@ -99,12 +106,22 @@ static inline void __pmd_free_tlb(struct mmu_gather *tlb, pmd_t *pmd,
15230 #ifdef CONFIG_X86_PAE
15231 extern void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd);
15232 +static inline void pud_populate_kernel(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
15234 + pud_populate(mm, pudp, pmd);
15236 #else /* !CONFIG_X86_PAE */
15237 static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
15239 paravirt_alloc_pmd(mm, __pa(pmd) >> PAGE_SHIFT);
15240 set_pud(pud, __pud(_PAGE_TABLE | __pa(pmd)));
15243 +static inline void pud_populate_kernel(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
15245 + paravirt_alloc_pmd(mm, __pa(pmd) >> PAGE_SHIFT);
15246 + set_pud(pud, __pud(_KERNPG_TABLE | __pa(pmd)));
15248 #endif /* CONFIG_X86_PAE */
15250 #if PAGETABLE_LEVELS > 3
15251 @@ -114,6 +131,12 @@ static inline void pgd_populate(struct mm_struct *mm, pgd_t *pgd, pud_t *pud)
15252 set_pgd(pgd, __pgd(_PAGE_TABLE | __pa(pud)));
15255 +static inline void pgd_populate_kernel(struct mm_struct *mm, pgd_t *pgd, pud_t *pud)
15257 + paravirt_alloc_pud(mm, __pa(pud) >> PAGE_SHIFT);
15258 + set_pgd(pgd, __pgd(_KERNPG_TABLE | __pa(pud)));
15261 static inline pud_t *pud_alloc_one(struct mm_struct *mm, unsigned long addr)
15263 return (pud_t *)get_zeroed_page(GFP_KERNEL|__GFP_REPEAT);
15264 diff --git a/arch/x86/include/asm/pgtable-2level.h b/arch/x86/include/asm/pgtable-2level.h
15265 index f2b489c..4f7e2e5 100644
15266 --- a/arch/x86/include/asm/pgtable-2level.h
15267 +++ b/arch/x86/include/asm/pgtable-2level.h
15268 @@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t *ptep , pte_t pte)
15270 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
15272 + pax_open_kernel();
15274 + pax_close_kernel();
15277 static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
15278 diff --git a/arch/x86/include/asm/pgtable-3level.h b/arch/x86/include/asm/pgtable-3level.h
15279 index 4cc9f2b..5fd9226 100644
15280 --- a/arch/x86/include/asm/pgtable-3level.h
15281 +++ b/arch/x86/include/asm/pgtable-3level.h
15282 @@ -92,12 +92,16 @@ static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
15284 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
15286 + pax_open_kernel();
15287 set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd));
15288 + pax_close_kernel();
15291 static inline void native_set_pud(pud_t *pudp, pud_t pud)
15293 + pax_open_kernel();
15294 set_64bit((unsigned long long *)(pudp), native_pud_val(pud));
15295 + pax_close_kernel();
15299 diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h
15300 index 1e67223..92a9585 100644
15301 --- a/arch/x86/include/asm/pgtable.h
15302 +++ b/arch/x86/include/asm/pgtable.h
15303 @@ -44,6 +44,7 @@ extern struct mm_struct *pgd_page_get_mm(struct page *page);
15305 #ifndef __PAGETABLE_PUD_FOLDED
15306 #define set_pgd(pgdp, pgd) native_set_pgd(pgdp, pgd)
15307 +#define set_pgd_batched(pgdp, pgd) native_set_pgd_batched(pgdp, pgd)
15308 #define pgd_clear(pgd) native_pgd_clear(pgd)
15311 @@ -81,12 +82,51 @@ extern struct mm_struct *pgd_page_get_mm(struct page *page);
15313 #define arch_end_context_switch(prev) do {} while(0)
15315 +#define pax_open_kernel() native_pax_open_kernel()
15316 +#define pax_close_kernel() native_pax_close_kernel()
15317 #endif /* CONFIG_PARAVIRT */
15319 +#define __HAVE_ARCH_PAX_OPEN_KERNEL
15320 +#define __HAVE_ARCH_PAX_CLOSE_KERNEL
15322 +#ifdef CONFIG_PAX_KERNEXEC
15323 +static inline unsigned long native_pax_open_kernel(void)
15325 + unsigned long cr0;
15327 + preempt_disable();
15329 + cr0 = read_cr0() ^ X86_CR0_WP;
15330 + BUG_ON(cr0 & X86_CR0_WP);
15332 + return cr0 ^ X86_CR0_WP;
15335 +static inline unsigned long native_pax_close_kernel(void)
15337 + unsigned long cr0;
15339 + cr0 = read_cr0() ^ X86_CR0_WP;
15340 + BUG_ON(!(cr0 & X86_CR0_WP));
15343 + preempt_enable_no_resched();
15344 + return cr0 ^ X86_CR0_WP;
15347 +static inline unsigned long native_pax_open_kernel(void) { return 0; }
15348 +static inline unsigned long native_pax_close_kernel(void) { return 0; }
15352 * The following only work if pte_present() is true.
15353 * Undefined behaviour if not..
15355 +static inline int pte_user(pte_t pte)
15357 + return pte_val(pte) & _PAGE_USER;
15360 static inline int pte_dirty(pte_t pte)
15362 return pte_flags(pte) & _PAGE_DIRTY;
15363 @@ -147,6 +187,11 @@ static inline unsigned long pud_pfn(pud_t pud)
15364 return (pud_val(pud) & PTE_PFN_MASK) >> PAGE_SHIFT;
15367 +static inline unsigned long pgd_pfn(pgd_t pgd)
15369 + return (pgd_val(pgd) & PTE_PFN_MASK) >> PAGE_SHIFT;
15372 #define pte_page(pte) pfn_to_page(pte_pfn(pte))
15374 static inline int pmd_large(pmd_t pte)
15375 @@ -200,9 +245,29 @@ static inline pte_t pte_wrprotect(pte_t pte)
15376 return pte_clear_flags(pte, _PAGE_RW);
15379 +static inline pte_t pte_mkread(pte_t pte)
15381 + return __pte(pte_val(pte) | _PAGE_USER);
15384 static inline pte_t pte_mkexec(pte_t pte)
15386 - return pte_clear_flags(pte, _PAGE_NX);
15387 +#ifdef CONFIG_X86_PAE
15388 + if (__supported_pte_mask & _PAGE_NX)
15389 + return pte_clear_flags(pte, _PAGE_NX);
15392 + return pte_set_flags(pte, _PAGE_USER);
15395 +static inline pte_t pte_exprotect(pte_t pte)
15397 +#ifdef CONFIG_X86_PAE
15398 + if (__supported_pte_mask & _PAGE_NX)
15399 + return pte_set_flags(pte, _PAGE_NX);
15402 + return pte_clear_flags(pte, _PAGE_USER);
15405 static inline pte_t pte_mkdirty(pte_t pte)
15406 @@ -394,6 +459,16 @@ pte_t *populate_extra_pte(unsigned long vaddr);
15409 #ifndef __ASSEMBLY__
15411 +#ifdef CONFIG_PAX_PER_CPU_PGD
15412 +extern pgd_t cpu_pgd[NR_CPUS][2][PTRS_PER_PGD];
15413 +enum cpu_pgd_type {kernel = 0, user = 1};
15414 +static inline pgd_t *get_cpu_pgd(unsigned int cpu, enum cpu_pgd_type type)
15416 + return cpu_pgd[cpu][type];
15420 #include <linux/mm_types.h>
15421 #include <linux/log2.h>
15423 @@ -529,7 +604,7 @@ static inline unsigned long pud_page_vaddr(pud_t pud)
15424 * Currently stuck as a macro due to indirect forward reference to
15425 * linux/mmzone.h's __section_mem_map_addr() definition:
15427 -#define pud_page(pud) pfn_to_page(pud_val(pud) >> PAGE_SHIFT)
15428 +#define pud_page(pud) pfn_to_page((pud_val(pud) & PTE_PFN_MASK) >> PAGE_SHIFT)
15430 /* Find an entry in the second-level page table.. */
15431 static inline pmd_t *pmd_offset(pud_t *pud, unsigned long address)
15432 @@ -569,7 +644,7 @@ static inline unsigned long pgd_page_vaddr(pgd_t pgd)
15433 * Currently stuck as a macro due to indirect forward reference to
15434 * linux/mmzone.h's __section_mem_map_addr() definition:
15436 -#define pgd_page(pgd) pfn_to_page(pgd_val(pgd) >> PAGE_SHIFT)
15437 +#define pgd_page(pgd) pfn_to_page((pgd_val(pgd) & PTE_PFN_MASK) >> PAGE_SHIFT)
15439 /* to find an entry in a page-table-directory. */
15440 static inline unsigned long pud_index(unsigned long address)
15441 @@ -584,7 +659,7 @@ static inline pud_t *pud_offset(pgd_t *pgd, unsigned long address)
15443 static inline int pgd_bad(pgd_t pgd)
15445 - return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
15446 + return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE;
15449 static inline int pgd_none(pgd_t pgd)
15450 @@ -607,7 +682,12 @@ static inline int pgd_none(pgd_t pgd)
15451 * pgd_offset() returns a (pgd_t *)
15452 * pgd_index() is used get the offset into the pgd page's array of pgd_t's;
15454 -#define pgd_offset(mm, address) ((mm)->pgd + pgd_index((address)))
15455 +#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address))
15457 +#ifdef CONFIG_PAX_PER_CPU_PGD
15458 +#define pgd_offset_cpu(cpu, type, address) (get_cpu_pgd(cpu, type) + pgd_index(address))
15462 * a shortcut which implies the use of the kernel's pgd, instead
15464 @@ -618,6 +698,23 @@ static inline int pgd_none(pgd_t pgd)
15465 #define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET)
15466 #define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY)
15468 +#ifdef CONFIG_X86_32
15469 +#define USER_PGD_PTRS KERNEL_PGD_BOUNDARY
15471 +#define TASK_SIZE_MAX_SHIFT CONFIG_TASK_SIZE_MAX_SHIFT
15472 +#define USER_PGD_PTRS (_AC(1,UL) << (TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT))
15474 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15475 +#ifdef __ASSEMBLY__
15476 +#define pax_user_shadow_base pax_user_shadow_base(%rip)
15478 +extern unsigned long pax_user_shadow_base;
15479 +extern pgdval_t clone_pgd_mask;
15485 #ifndef __ASSEMBLY__
15487 extern int direct_gbpages;
15488 @@ -784,11 +881,24 @@ static inline void pmdp_set_wrprotect(struct mm_struct *mm,
15489 * dst and src can be on the same page, but the range must not overlap,
15490 * and must not cross a page boundary.
15492 -static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
15493 +static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count)
15495 - memcpy(dst, src, count * sizeof(pgd_t));
15496 + pax_open_kernel();
15499 + pax_close_kernel();
15502 +#ifdef CONFIG_PAX_PER_CPU_PGD
15503 +extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src);
15506 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
15507 +extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src);
15509 +static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src) {}
15512 #define PTE_SHIFT ilog2(PTRS_PER_PTE)
15513 static inline int page_level_shift(enum pg_level level)
15515 diff --git a/arch/x86/include/asm/pgtable_32.h b/arch/x86/include/asm/pgtable_32.h
15516 index 9ee3221..b979c6b 100644
15517 --- a/arch/x86/include/asm/pgtable_32.h
15518 +++ b/arch/x86/include/asm/pgtable_32.h
15521 struct vm_area_struct;
15523 -extern pgd_t swapper_pg_dir[1024];
15524 -extern pgd_t initial_page_table[1024];
15526 static inline void pgtable_cache_init(void) { }
15527 static inline void check_pgt_cache(void) { }
15528 void paging_init(void);
15529 @@ -48,6 +45,12 @@ extern void set_pmd_pfn(unsigned long, unsigned long, pgprot_t);
15530 # include <asm/pgtable-2level.h>
15533 +extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
15534 +extern pgd_t initial_page_table[PTRS_PER_PGD];
15535 +#ifdef CONFIG_X86_PAE
15536 +extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
15539 #if defined(CONFIG_HIGHPTE)
15540 #define pte_offset_map(dir, address) \
15541 ((pte_t *)kmap_atomic(pmd_page(*(dir))) + \
15542 @@ -62,12 +65,17 @@ extern void set_pmd_pfn(unsigned long, unsigned long, pgprot_t);
15543 /* Clear a kernel PTE and flush it from the TLB */
15544 #define kpte_clear_flush(ptep, vaddr) \
15546 + pax_open_kernel(); \
15547 pte_clear(&init_mm, (vaddr), (ptep)); \
15548 + pax_close_kernel(); \
15549 __flush_tlb_one((vaddr)); \
15552 #endif /* !__ASSEMBLY__ */
15554 +#define HAVE_ARCH_UNMAPPED_AREA
15555 +#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
15558 * kern_addr_valid() is (1) for FLATMEM and (0) for
15559 * SPARSEMEM and DISCONTIGMEM
15560 diff --git a/arch/x86/include/asm/pgtable_32_types.h b/arch/x86/include/asm/pgtable_32_types.h
15561 index ed5903b..c7fe163 100644
15562 --- a/arch/x86/include/asm/pgtable_32_types.h
15563 +++ b/arch/x86/include/asm/pgtable_32_types.h
15566 #ifdef CONFIG_X86_PAE
15567 # include <asm/pgtable-3level_types.h>
15568 -# define PMD_SIZE (1UL << PMD_SHIFT)
15569 +# define PMD_SIZE (_AC(1, UL) << PMD_SHIFT)
15570 # define PMD_MASK (~(PMD_SIZE - 1))
15572 # include <asm/pgtable-2level_types.h>
15573 @@ -46,6 +46,19 @@ extern bool __vmalloc_start_set; /* set once high_memory is set */
15574 # define VMALLOC_END (FIXADDR_START - 2 * PAGE_SIZE)
15577 +#ifdef CONFIG_PAX_KERNEXEC
15578 +#ifndef __ASSEMBLY__
15579 +extern unsigned char MODULES_EXEC_VADDR[];
15580 +extern unsigned char MODULES_EXEC_END[];
15582 +#include <asm/boot.h>
15583 +#define ktla_ktva(addr) (addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)
15584 +#define ktva_ktla(addr) (addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)
15586 +#define ktla_ktva(addr) (addr)
15587 +#define ktva_ktla(addr) (addr)
15590 #define MODULES_VADDR VMALLOC_START
15591 #define MODULES_END VMALLOC_END
15592 #define MODULES_LEN (MODULES_VADDR - MODULES_END)
15593 diff --git a/arch/x86/include/asm/pgtable_64.h b/arch/x86/include/asm/pgtable_64.h
15594 index e22c1db..23a625a 100644
15595 --- a/arch/x86/include/asm/pgtable_64.h
15596 +++ b/arch/x86/include/asm/pgtable_64.h
15597 @@ -16,10 +16,14 @@
15599 extern pud_t level3_kernel_pgt[512];
15600 extern pud_t level3_ident_pgt[512];
15601 +extern pud_t level3_vmalloc_start_pgt[512];
15602 +extern pud_t level3_vmalloc_end_pgt[512];
15603 +extern pud_t level3_vmemmap_pgt[512];
15604 +extern pud_t level2_vmemmap_pgt[512];
15605 extern pmd_t level2_kernel_pgt[512];
15606 extern pmd_t level2_fixmap_pgt[512];
15607 -extern pmd_t level2_ident_pgt[512];
15608 -extern pgd_t init_level4_pgt[];
15609 +extern pmd_t level2_ident_pgt[512*2];
15610 +extern pgd_t init_level4_pgt[512];
15612 #define swapper_pg_dir init_level4_pgt
15614 @@ -61,7 +65,9 @@ static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
15616 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
15618 + pax_open_kernel();
15620 + pax_close_kernel();
15623 static inline void native_pmd_clear(pmd_t *pmd)
15624 @@ -97,7 +103,9 @@ static inline pmd_t native_pmdp_get_and_clear(pmd_t *xp)
15626 static inline void native_set_pud(pud_t *pudp, pud_t pud)
15628 + pax_open_kernel();
15630 + pax_close_kernel();
15633 static inline void native_pud_clear(pud_t *pud)
15634 @@ -107,6 +115,13 @@ static inline void native_pud_clear(pud_t *pud)
15636 static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
15638 + pax_open_kernel();
15640 + pax_close_kernel();
15643 +static inline void native_set_pgd_batched(pgd_t *pgdp, pgd_t pgd)
15648 diff --git a/arch/x86/include/asm/pgtable_64_types.h b/arch/x86/include/asm/pgtable_64_types.h
15649 index 2d88344..4679fc3 100644
15650 --- a/arch/x86/include/asm/pgtable_64_types.h
15651 +++ b/arch/x86/include/asm/pgtable_64_types.h
15652 @@ -61,6 +61,11 @@ typedef struct { pteval_t pte; } pte_t;
15653 #define MODULES_VADDR _AC(0xffffffffa0000000, UL)
15654 #define MODULES_END _AC(0xffffffffff000000, UL)
15655 #define MODULES_LEN (MODULES_END - MODULES_VADDR)
15656 +#define MODULES_EXEC_VADDR MODULES_VADDR
15657 +#define MODULES_EXEC_END MODULES_END
15659 +#define ktla_ktva(addr) (addr)
15660 +#define ktva_ktla(addr) (addr)
15662 #define EARLY_DYNAMIC_PAGE_TABLES 64
15664 diff --git a/arch/x86/include/asm/pgtable_types.h b/arch/x86/include/asm/pgtable_types.h
15665 index e642300..0ef8f31 100644
15666 --- a/arch/x86/include/asm/pgtable_types.h
15667 +++ b/arch/x86/include/asm/pgtable_types.h
15668 @@ -16,13 +16,12 @@
15669 #define _PAGE_BIT_PSE 7 /* 4 MB (or 2MB) page */
15670 #define _PAGE_BIT_PAT 7 /* on 4KB pages */
15671 #define _PAGE_BIT_GLOBAL 8 /* Global TLB entry PPro+ */
15672 -#define _PAGE_BIT_UNUSED1 9 /* available for programmer */
15673 +#define _PAGE_BIT_SPECIAL 9 /* special mappings, no associated struct page */
15674 #define _PAGE_BIT_IOMAP 10 /* flag used to indicate IO mapping */
15675 #define _PAGE_BIT_HIDDEN 11 /* hidden by kmemcheck */
15676 #define _PAGE_BIT_PAT_LARGE 12 /* On 2MB or 1GB pages */
15677 -#define _PAGE_BIT_SPECIAL _PAGE_BIT_UNUSED1
15678 -#define _PAGE_BIT_CPA_TEST _PAGE_BIT_UNUSED1
15679 -#define _PAGE_BIT_SPLITTING _PAGE_BIT_UNUSED1 /* only valid on a PSE pmd */
15680 +#define _PAGE_BIT_CPA_TEST _PAGE_BIT_SPECIAL
15681 +#define _PAGE_BIT_SPLITTING _PAGE_BIT_SPECIAL /* only valid on a PSE pmd */
15682 #define _PAGE_BIT_NX 63 /* No execute: only valid after cpuid check */
15684 /* If _PAGE_BIT_PRESENT is clear, we use these: */
15686 #define _PAGE_DIRTY (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY)
15687 #define _PAGE_PSE (_AT(pteval_t, 1) << _PAGE_BIT_PSE)
15688 #define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
15689 -#define _PAGE_UNUSED1 (_AT(pteval_t, 1) << _PAGE_BIT_UNUSED1)
15690 #define _PAGE_IOMAP (_AT(pteval_t, 1) << _PAGE_BIT_IOMAP)
15691 #define _PAGE_PAT (_AT(pteval_t, 1) << _PAGE_BIT_PAT)
15692 #define _PAGE_PAT_LARGE (_AT(pteval_t, 1) << _PAGE_BIT_PAT_LARGE)
15695 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
15696 #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX)
15698 +#elif defined(CONFIG_KMEMCHECK)
15699 #define _PAGE_NX (_AT(pteval_t, 0))
15701 +#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)
15704 #define _PAGE_FILE (_AT(pteval_t, 1) << _PAGE_BIT_FILE)
15705 @@ -116,6 +116,9 @@
15706 #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | \
15709 +#define PAGE_READONLY_NOEXEC PAGE_READONLY
15710 +#define PAGE_SHARED_NOEXEC PAGE_SHARED
15712 #define __PAGE_KERNEL_EXEC \
15713 (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
15714 #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX)
15715 @@ -126,7 +129,7 @@
15716 #define __PAGE_KERNEL_WC (__PAGE_KERNEL | _PAGE_CACHE_WC)
15717 #define __PAGE_KERNEL_NOCACHE (__PAGE_KERNEL | _PAGE_PCD | _PAGE_PWT)
15718 #define __PAGE_KERNEL_UC_MINUS (__PAGE_KERNEL | _PAGE_PCD)
15719 -#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RX | _PAGE_USER)
15720 +#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RO | _PAGE_USER)
15721 #define __PAGE_KERNEL_VVAR (__PAGE_KERNEL_RO | _PAGE_USER)
15722 #define __PAGE_KERNEL_VVAR_NOCACHE (__PAGE_KERNEL_VVAR | _PAGE_PCD | _PAGE_PWT)
15723 #define __PAGE_KERNEL_LARGE (__PAGE_KERNEL | _PAGE_PSE)
15724 @@ -188,8 +191,8 @@
15725 * bits are combined, this will alow user to access the high address mapped
15726 * VDSO in the presence of CONFIG_COMPAT_VDSO
15728 -#define PTE_IDENT_ATTR 0x003 /* PRESENT+RW */
15729 -#define PDE_IDENT_ATTR 0x067 /* PRESENT+RW+USER+DIRTY+ACCESSED */
15730 +#define PTE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
15731 +#define PDE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
15732 #define PGD_IDENT_ATTR 0x001 /* PRESENT (no other attributes) */
15735 @@ -227,7 +230,17 @@ static inline pgdval_t pgd_flags(pgd_t pgd)
15737 return native_pgd_val(pgd) & PTE_FLAGS_MASK;
15741 +#if PAGETABLE_LEVELS == 3
15742 +#include <asm-generic/pgtable-nopud.h>
15745 +#if PAGETABLE_LEVELS == 2
15746 +#include <asm-generic/pgtable-nopmd.h>
15749 +#ifndef __ASSEMBLY__
15750 #if PAGETABLE_LEVELS > 3
15751 typedef struct { pudval_t pud; } pud_t;
15753 @@ -241,8 +254,6 @@ static inline pudval_t native_pud_val(pud_t pud)
15757 -#include <asm-generic/pgtable-nopud.h>
15759 static inline pudval_t native_pud_val(pud_t pud)
15761 return native_pgd_val(pud.pgd);
15762 @@ -262,8 +273,6 @@ static inline pmdval_t native_pmd_val(pmd_t pmd)
15766 -#include <asm-generic/pgtable-nopmd.h>
15768 static inline pmdval_t native_pmd_val(pmd_t pmd)
15770 return native_pgd_val(pmd.pud.pgd);
15771 @@ -303,7 +312,6 @@ typedef struct page *pgtable_t;
15773 extern pteval_t __supported_pte_mask;
15774 extern void set_nx(void);
15775 -extern int nx_enabled;
15777 #define pgprot_writecombine pgprot_writecombine
15778 extern pgprot_t pgprot_writecombine(pgprot_t prot);
15779 diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
15780 index 22224b3..b3a2f90 100644
15781 --- a/arch/x86/include/asm/processor.h
15782 +++ b/arch/x86/include/asm/processor.h
15783 @@ -198,9 +198,21 @@ static inline void native_cpuid(unsigned int *eax, unsigned int *ebx,
15787 +/* invpcid (%rdx),%rax */
15788 +#define __ASM_INVPCID ".byte 0x66,0x0f,0x38,0x82,0x02"
15790 +#define INVPCID_SINGLE_ADDRESS 0UL
15791 +#define INVPCID_SINGLE_CONTEXT 1UL
15792 +#define INVPCID_ALL_GLOBAL 2UL
15793 +#define INVPCID_ALL_MONGLOBAL 3UL
15795 +#define PCID_KERNEL 0UL
15796 +#define PCID_USER 1UL
15797 +#define PCID_NOFLUSH (1UL << 63)
15799 static inline void load_cr3(pgd_t *pgdir)
15801 - write_cr3(__pa(pgdir));
15802 + write_cr3(__pa(pgdir) | PCID_KERNEL);
15805 #ifdef CONFIG_X86_32
15806 @@ -282,7 +294,7 @@ struct tss_struct {
15808 } ____cacheline_aligned;
15810 -DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss);
15811 +extern struct tss_struct init_tss[NR_CPUS];
15814 * Save the original ist values for checking stack pointers during debugging
15815 @@ -452,6 +464,7 @@ struct thread_struct {
15817 unsigned short fsindex;
15818 unsigned short gsindex;
15819 + unsigned short ss;
15821 #ifdef CONFIG_X86_32
15823 @@ -552,29 +565,8 @@ static inline void load_sp0(struct tss_struct *tss,
15824 extern unsigned long mmu_cr4_features;
15825 extern u32 *trampoline_cr4_features;
15827 -static inline void set_in_cr4(unsigned long mask)
15829 - unsigned long cr4;
15831 - mmu_cr4_features |= mask;
15832 - if (trampoline_cr4_features)
15833 - *trampoline_cr4_features = mmu_cr4_features;
15834 - cr4 = read_cr4();
15839 -static inline void clear_in_cr4(unsigned long mask)
15841 - unsigned long cr4;
15843 - mmu_cr4_features &= ~mask;
15844 - if (trampoline_cr4_features)
15845 - *trampoline_cr4_features = mmu_cr4_features;
15846 - cr4 = read_cr4();
15850 +extern void set_in_cr4(unsigned long mask);
15851 +extern void clear_in_cr4(unsigned long mask);
15855 @@ -823,11 +815,18 @@ static inline void spin_lock_prefetch(const void *x)
15857 #define TASK_SIZE PAGE_OFFSET
15858 #define TASK_SIZE_MAX TASK_SIZE
15860 +#ifdef CONFIG_PAX_SEGMEXEC
15861 +#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
15862 +#define STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE)
15864 #define STACK_TOP TASK_SIZE
15865 -#define STACK_TOP_MAX STACK_TOP
15868 +#define STACK_TOP_MAX TASK_SIZE
15870 #define INIT_THREAD { \
15871 - .sp0 = sizeof(init_stack) + (long)&init_stack, \
15872 + .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
15873 .vm86_info = NULL, \
15874 .sysenter_cs = __KERNEL_CS, \
15875 .io_bitmap_ptr = NULL, \
15876 @@ -841,7 +840,7 @@ static inline void spin_lock_prefetch(const void *x)
15878 #define INIT_TSS { \
15880 - .sp0 = sizeof(init_stack) + (long)&init_stack, \
15881 + .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
15882 .ss0 = __KERNEL_DS, \
15883 .ss1 = __KERNEL_CS, \
15884 .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
15885 @@ -852,11 +851,7 @@ static inline void spin_lock_prefetch(const void *x)
15886 extern unsigned long thread_saved_pc(struct task_struct *tsk);
15888 #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
15889 -#define KSTK_TOP(info) \
15891 - unsigned long *__ptr = (unsigned long *)(info); \
15892 - (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
15894 +#define KSTK_TOP(info) ((container_of(info, struct task_struct, tinfo))->thread.sp0)
15897 * The below -8 is to reserve 8 bytes on top of the ring0 stack.
15898 @@ -871,7 +866,7 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk);
15899 #define task_pt_regs(task) \
15901 struct pt_regs *__regs__; \
15902 - __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
15903 + __regs__ = (struct pt_regs *)((task)->thread.sp0); \
15907 @@ -881,13 +876,13 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk);
15909 * User space process size. 47bits minus one guard page.
15911 -#define TASK_SIZE_MAX ((1UL << 47) - PAGE_SIZE)
15912 +#define TASK_SIZE_MAX ((1UL << TASK_SIZE_MAX_SHIFT) - PAGE_SIZE)
15914 /* This decides where the kernel will search for a free chunk of vm
15915 * space during mmap's.
15917 #define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? \
15918 - 0xc0000000 : 0xFFFFe000)
15919 + 0xc0000000 : 0xFFFFf000)
15921 #define TASK_SIZE (test_thread_flag(TIF_ADDR32) ? \
15922 IA32_PAGE_OFFSET : TASK_SIZE_MAX)
15923 @@ -898,11 +893,11 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk);
15924 #define STACK_TOP_MAX TASK_SIZE_MAX
15926 #define INIT_THREAD { \
15927 - .sp0 = (unsigned long)&init_stack + sizeof(init_stack) \
15928 + .sp0 = (unsigned long)&init_stack + sizeof(init_stack) - 16 \
15931 #define INIT_TSS { \
15932 - .x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) \
15933 + .x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) - 16 \
15937 @@ -930,6 +925,10 @@ extern void start_thread(struct pt_regs *regs, unsigned long new_ip,
15939 #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
15941 +#ifdef CONFIG_PAX_SEGMEXEC
15942 +#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
15945 #define KSTK_EIP(task) (task_pt_regs(task)->ip)
15947 /* Get/set a process' ability to use the timestamp counter instruction */
15948 @@ -942,7 +941,8 @@ extern int set_tsc_mode(unsigned int val);
15949 extern u16 amd_get_nb_id(int cpu);
15951 struct aperfmperf {
15952 - u64 aperf, mperf;
15953 + u64 aperf __intentional_overflow(0);
15954 + u64 mperf __intentional_overflow(0);
15957 static inline void get_aperfmperf(struct aperfmperf *am)
15958 @@ -970,7 +970,7 @@ unsigned long calc_aperfmperf_ratio(struct aperfmperf *old,
15962 -extern unsigned long arch_align_stack(unsigned long sp);
15963 +#define arch_align_stack(x) ((x) & ~0xfUL)
15964 extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
15966 void default_idle(void);
15967 @@ -980,6 +980,6 @@ bool xen_set_default_idle(void);
15968 #define xen_set_default_idle 0
15971 -void stop_this_cpu(void *dummy);
15972 +void stop_this_cpu(void *dummy) __noreturn;
15974 #endif /* _ASM_X86_PROCESSOR_H */
15975 diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h
15976 index 942a086..6c26446 100644
15977 --- a/arch/x86/include/asm/ptrace.h
15978 +++ b/arch/x86/include/asm/ptrace.h
15979 @@ -85,28 +85,29 @@ static inline unsigned long regs_return_value(struct pt_regs *regs)
15983 - * user_mode_vm(regs) determines whether a register set came from user mode.
15984 + * user_mode(regs) determines whether a register set came from user mode.
15985 * This is true if V8086 mode was enabled OR if the register set was from
15986 * protected mode with RPL-3 CS value. This tricky test checks that with
15987 * one comparison. Many places in the kernel can bypass this full check
15988 - * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
15989 + * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
15992 -static inline int user_mode(struct pt_regs *regs)
15993 +static inline int user_mode_novm(struct pt_regs *regs)
15995 #ifdef CONFIG_X86_32
15996 return (regs->cs & SEGMENT_RPL_MASK) == USER_RPL;
15998 - return !!(regs->cs & 3);
15999 + return !!(regs->cs & SEGMENT_RPL_MASK);
16003 -static inline int user_mode_vm(struct pt_regs *regs)
16004 +static inline int user_mode(struct pt_regs *regs)
16006 #ifdef CONFIG_X86_32
16007 return ((regs->cs & SEGMENT_RPL_MASK) | (regs->flags & X86_VM_MASK)) >=
16010 - return user_mode(regs);
16011 + return user_mode_novm(regs);
16015 @@ -122,15 +123,16 @@ static inline int v8086_mode(struct pt_regs *regs)
16016 #ifdef CONFIG_X86_64
16017 static inline bool user_64bit_mode(struct pt_regs *regs)
16019 + unsigned long cs = regs->cs & 0xffff;
16020 #ifndef CONFIG_PARAVIRT
16022 * On non-paravirt systems, this is the only long mode CPL 3
16023 * selector. We do not allow long mode selectors in the LDT.
16025 - return regs->cs == __USER_CS;
16026 + return cs == __USER_CS;
16028 /* Headers are too twisted for this to go in paravirt.h. */
16029 - return regs->cs == __USER_CS || regs->cs == pv_info.extra_user_64bit_cs;
16030 + return cs == __USER_CS || cs == pv_info.extra_user_64bit_cs;
16034 @@ -181,9 +183,11 @@ static inline unsigned long regs_get_register(struct pt_regs *regs,
16035 * Traps from the kernel do not save sp and ss.
16036 * Use the helper function to retrieve sp.
16038 - if (offset == offsetof(struct pt_regs, sp) &&
16039 - regs->cs == __KERNEL_CS)
16040 - return kernel_stack_pointer(regs);
16041 + if (offset == offsetof(struct pt_regs, sp)) {
16042 + unsigned long cs = regs->cs & 0xffff;
16043 + if (cs == __KERNEL_CS || cs == __KERNEXEC_KERNEL_CS)
16044 + return kernel_stack_pointer(regs);
16047 return *(unsigned long *)((unsigned long)regs + offset);
16049 diff --git a/arch/x86/include/asm/realmode.h b/arch/x86/include/asm/realmode.h
16050 index 9c6b890..5305f53 100644
16051 --- a/arch/x86/include/asm/realmode.h
16052 +++ b/arch/x86/include/asm/realmode.h
16053 @@ -22,16 +22,14 @@ struct real_mode_header {
16055 /* APM/BIOS reboot */
16056 u32 machine_real_restart_asm;
16057 -#ifdef CONFIG_X86_64
16058 u32 machine_real_restart_seg;
16062 /* This must match data at trampoline_32/64.S */
16063 struct trampoline_header {
16064 #ifdef CONFIG_X86_32
16071 diff --git a/arch/x86/include/asm/reboot.h b/arch/x86/include/asm/reboot.h
16072 index a82c4f1..ac45053 100644
16073 --- a/arch/x86/include/asm/reboot.h
16074 +++ b/arch/x86/include/asm/reboot.h
16078 struct machine_ops {
16079 - void (*restart)(char *cmd);
16080 - void (*halt)(void);
16081 - void (*power_off)(void);
16082 + void (* __noreturn restart)(char *cmd);
16083 + void (* __noreturn halt)(void);
16084 + void (* __noreturn power_off)(void);
16085 void (*shutdown)(void);
16086 void (*crash_shutdown)(struct pt_regs *);
16087 - void (*emergency_restart)(void);
16089 + void (* __noreturn emergency_restart)(void);
16092 extern struct machine_ops machine_ops;
16094 diff --git a/arch/x86/include/asm/rwsem.h b/arch/x86/include/asm/rwsem.h
16095 index cad82c9..2e5c5c1 100644
16096 --- a/arch/x86/include/asm/rwsem.h
16097 +++ b/arch/x86/include/asm/rwsem.h
16098 @@ -64,6 +64,14 @@ static inline void __down_read(struct rw_semaphore *sem)
16100 asm volatile("# beginning down_read\n\t"
16101 LOCK_PREFIX _ASM_INC "(%1)\n\t"
16103 +#ifdef CONFIG_PAX_REFCOUNT
16105 + LOCK_PREFIX _ASM_DEC "(%1)\n"
16107 + _ASM_EXTABLE(0b, 0b)
16110 /* adds 0x00000001 */
16112 " call call_rwsem_down_read_failed\n"
16113 @@ -85,6 +93,14 @@ static inline int __down_read_trylock(struct rw_semaphore *sem)
16118 +#ifdef CONFIG_PAX_REFCOUNT
16122 + _ASM_EXTABLE(0b, 0b)
16126 LOCK_PREFIX " cmpxchg %2,%0\n\t"
16128 @@ -104,6 +120,14 @@ static inline void __down_write_nested(struct rw_semaphore *sem, int subclass)
16130 asm volatile("# beginning down_write\n\t"
16131 LOCK_PREFIX " xadd %1,(%2)\n\t"
16133 +#ifdef CONFIG_PAX_REFCOUNT
16137 + _ASM_EXTABLE(0b, 0b)
16140 /* adds 0xffff0001, returns the old value */
16141 " test " __ASM_SEL(%w1,%k1) "," __ASM_SEL(%w1,%k1) "\n\t"
16142 /* was the active mask 0 before? */
16143 @@ -155,6 +179,14 @@ static inline void __up_read(struct rw_semaphore *sem)
16145 asm volatile("# beginning __up_read\n\t"
16146 LOCK_PREFIX " xadd %1,(%2)\n\t"
16148 +#ifdef CONFIG_PAX_REFCOUNT
16152 + _ASM_EXTABLE(0b, 0b)
16155 /* subtracts 1, returns the old value */
16157 " call call_rwsem_wake\n" /* expects old value in %edx */
16158 @@ -173,6 +205,14 @@ static inline void __up_write(struct rw_semaphore *sem)
16160 asm volatile("# beginning __up_write\n\t"
16161 LOCK_PREFIX " xadd %1,(%2)\n\t"
16163 +#ifdef CONFIG_PAX_REFCOUNT
16167 + _ASM_EXTABLE(0b, 0b)
16170 /* subtracts 0xffff0001, returns the old value */
16172 " call call_rwsem_wake\n" /* expects old value in %edx */
16173 @@ -190,6 +230,14 @@ static inline void __downgrade_write(struct rw_semaphore *sem)
16175 asm volatile("# beginning __downgrade_write\n\t"
16176 LOCK_PREFIX _ASM_ADD "%2,(%1)\n\t"
16178 +#ifdef CONFIG_PAX_REFCOUNT
16180 + LOCK_PREFIX _ASM_SUB "%2,(%1)\n"
16182 + _ASM_EXTABLE(0b, 0b)
16186 * transitions 0xZZZZ0001 -> 0xYYYY0001 (i386)
16187 * 0xZZZZZZZZ00000001 -> 0xYYYYYYYY00000001 (x86_64)
16188 @@ -208,7 +256,15 @@ static inline void __downgrade_write(struct rw_semaphore *sem)
16190 static inline void rwsem_atomic_add(long delta, struct rw_semaphore *sem)
16192 - asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0"
16193 + asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0\n"
16195 +#ifdef CONFIG_PAX_REFCOUNT
16197 + LOCK_PREFIX _ASM_SUB "%1,%0\n"
16199 + _ASM_EXTABLE(0b, 0b)
16202 : "+m" (sem->count)
16205 @@ -218,7 +274,7 @@ static inline void rwsem_atomic_add(long delta, struct rw_semaphore *sem)
16207 static inline long rwsem_atomic_update(long delta, struct rw_semaphore *sem)
16209 - return delta + xadd(&sem->count, delta);
16210 + return delta + xadd_check_overflow(&sem->count, delta);
16213 #endif /* __KERNEL__ */
16214 diff --git a/arch/x86/include/asm/segment.h b/arch/x86/include/asm/segment.h
16215 index c48a950..bc40804 100644
16216 --- a/arch/x86/include/asm/segment.h
16217 +++ b/arch/x86/include/asm/segment.h
16218 @@ -64,10 +64,15 @@
16219 * 26 - ESPFIX small SS
16220 * 27 - per-cpu [ offset to per-cpu data area ]
16221 * 28 - stack_canary-20 [ for stack protector ]
16224 + * 29 - PCI BIOS CS
16225 + * 30 - PCI BIOS DS
16226 * 31 - TSS for double fault handler
16228 +#define GDT_ENTRY_KERNEXEC_EFI_CS (1)
16229 +#define GDT_ENTRY_KERNEXEC_EFI_DS (2)
16230 +#define __KERNEXEC_EFI_CS (GDT_ENTRY_KERNEXEC_EFI_CS*8)
16231 +#define __KERNEXEC_EFI_DS (GDT_ENTRY_KERNEXEC_EFI_DS*8)
16233 #define GDT_ENTRY_TLS_MIN 6
16234 #define GDT_ENTRY_TLS_MAX (GDT_ENTRY_TLS_MIN + GDT_ENTRY_TLS_ENTRIES - 1)
16238 #define GDT_ENTRY_KERNEL_CS (GDT_ENTRY_KERNEL_BASE+0)
16240 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS (4)
16242 #define GDT_ENTRY_KERNEL_DS (GDT_ENTRY_KERNEL_BASE+1)
16244 #define GDT_ENTRY_TSS (GDT_ENTRY_KERNEL_BASE+4)
16245 @@ -104,6 +111,12 @@
16246 #define __KERNEL_STACK_CANARY 0
16249 +#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE+17)
16250 +#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
16252 +#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE+18)
16253 +#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
16255 #define GDT_ENTRY_DOUBLEFAULT_TSS 31
16258 @@ -141,7 +154,7 @@
16261 /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
16262 -#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
16263 +#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
16267 @@ -165,6 +178,8 @@
16268 #define __USER32_CS (GDT_ENTRY_DEFAULT_USER32_CS*8+3)
16269 #define __USER32_DS __USER_DS
16271 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS 7
16273 #define GDT_ENTRY_TSS 8 /* needs two entries */
16274 #define GDT_ENTRY_LDT 10 /* needs two entries */
16275 #define GDT_ENTRY_TLS_MIN 12
16276 @@ -173,6 +188,8 @@
16277 #define GDT_ENTRY_PER_CPU 15 /* Abused to load per CPU data from limit */
16278 #define __PER_CPU_SEG (GDT_ENTRY_PER_CPU * 8 + 3)
16280 +#define GDT_ENTRY_UDEREF_KERNEL_DS 16
16282 /* TLS indexes for 64bit - hardcoded in arch_prctl */
16285 @@ -180,12 +197,14 @@
16286 #define GS_TLS_SEL ((GDT_ENTRY_TLS_MIN+GS_TLS)*8 + 3)
16287 #define FS_TLS_SEL ((GDT_ENTRY_TLS_MIN+FS_TLS)*8 + 3)
16289 -#define GDT_ENTRIES 16
16290 +#define GDT_ENTRIES 17
16294 #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS*8)
16295 +#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS*8)
16296 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS*8)
16297 +#define __UDEREF_KERNEL_DS (GDT_ENTRY_UDEREF_KERNEL_DS*8)
16298 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS*8+3)
16299 #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS*8+3)
16300 #ifndef CONFIG_PARAVIRT
16301 @@ -265,7 +284,7 @@ static inline unsigned long get_limit(unsigned long segment)
16303 unsigned long __limit;
16304 asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
16305 - return __limit + 1;
16309 #endif /* !__ASSEMBLY__ */
16310 diff --git a/arch/x86/include/asm/smap.h b/arch/x86/include/asm/smap.h
16311 index 8d3120f..352b440 100644
16312 --- a/arch/x86/include/asm/smap.h
16313 +++ b/arch/x86/include/asm/smap.h
16314 @@ -25,11 +25,40 @@
16316 #include <asm/alternative-asm.h>
16318 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16319 +#define ASM_PAX_OPEN_USERLAND \
16321 + .pushsection .altinstr_replacement, "a" ; \
16322 + 662: pushq %rax; nop; \
16324 + .pushsection .altinstructions, "a" ; \
16325 + altinstruction_entry 661b, 662b, X86_FEATURE_STRONGUDEREF, 2, 2;\
16327 + call __pax_open_userland; \
16331 +#define ASM_PAX_CLOSE_USERLAND \
16333 + .pushsection .altinstr_replacement, "a" ; \
16334 + 662: pushq %rax; nop; \
16336 + .pushsection .altinstructions, "a" ; \
16337 + altinstruction_entry 661b, 662b, X86_FEATURE_STRONGUDEREF, 2, 2;\
16339 + call __pax_close_userland; \
16343 +#define ASM_PAX_OPEN_USERLAND
16344 +#define ASM_PAX_CLOSE_USERLAND
16347 #ifdef CONFIG_X86_SMAP
16351 - .pushsection .altinstr_replacement, "ax" ; \
16352 + .pushsection .altinstr_replacement, "a" ; \
16353 662: __ASM_CLAC ; \
16355 .pushsection .altinstructions, "a" ; \
16360 - .pushsection .altinstr_replacement, "ax" ; \
16361 + .pushsection .altinstr_replacement, "a" ; \
16362 662: __ASM_STAC ; \
16364 .pushsection .altinstructions, "a" ; \
16367 #include <asm/alternative.h>
16369 +#define __HAVE_ARCH_PAX_OPEN_USERLAND
16370 +#define __HAVE_ARCH_PAX_CLOSE_USERLAND
16372 +extern void __pax_open_userland(void);
16373 +static __always_inline unsigned long pax_open_userland(void)
16376 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16377 + asm volatile(ALTERNATIVE(ASM_NOP5, "call %P[open]", X86_FEATURE_STRONGUDEREF)
16379 + : [open] "i" (__pax_open_userland)
16380 + : "memory", "rax");
16386 +extern void __pax_close_userland(void);
16387 +static __always_inline unsigned long pax_close_userland(void)
16390 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16391 + asm volatile(ALTERNATIVE(ASM_NOP5, "call %P[close]", X86_FEATURE_STRONGUDEREF)
16393 + : [close] "i" (__pax_close_userland)
16394 + : "memory", "rax");
16400 #ifdef CONFIG_X86_SMAP
16402 static __always_inline void clac(void)
16403 diff --git a/arch/x86/include/asm/smp.h b/arch/x86/include/asm/smp.h
16404 index b073aae..39f9bdd 100644
16405 --- a/arch/x86/include/asm/smp.h
16406 +++ b/arch/x86/include/asm/smp.h
16407 @@ -36,7 +36,7 @@ DECLARE_PER_CPU_READ_MOSTLY(cpumask_var_t, cpu_core_map);
16408 /* cpus sharing the last level cache: */
16409 DECLARE_PER_CPU_READ_MOSTLY(cpumask_var_t, cpu_llc_shared_map);
16410 DECLARE_PER_CPU_READ_MOSTLY(u16, cpu_llc_id);
16411 -DECLARE_PER_CPU_READ_MOSTLY(int, cpu_number);
16412 +DECLARE_PER_CPU_READ_MOSTLY(unsigned int, cpu_number);
16414 static inline struct cpumask *cpu_sibling_mask(int cpu)
16416 @@ -79,7 +79,7 @@ struct smp_ops {
16418 void (*send_call_func_ipi)(const struct cpumask *mask);
16419 void (*send_call_func_single_ipi)(int cpu);
16423 /* Globals due to paravirt */
16424 extern void set_cpu_sibling_map(int cpu);
16425 @@ -191,14 +191,8 @@ extern unsigned disabled_cpus __cpuinitdata;
16426 extern int safe_smp_processor_id(void);
16428 #elif defined(CONFIG_X86_64_SMP)
16429 -#define raw_smp_processor_id() (this_cpu_read(cpu_number))
16431 -#define stack_smp_processor_id() \
16433 - struct thread_info *ti; \
16434 - __asm__("andq %%rsp,%0; ":"=r" (ti) : "0" (CURRENT_MASK)); \
16437 +#define raw_smp_processor_id() (this_cpu_read(cpu_number))
16438 +#define stack_smp_processor_id() raw_smp_processor_id()
16439 #define safe_smp_processor_id() smp_processor_id()
16442 diff --git a/arch/x86/include/asm/spinlock.h b/arch/x86/include/asm/spinlock.h
16443 index 33692ea..350a534 100644
16444 --- a/arch/x86/include/asm/spinlock.h
16445 +++ b/arch/x86/include/asm/spinlock.h
16446 @@ -172,6 +172,14 @@ static inline int arch_write_can_lock(arch_rwlock_t *lock)
16447 static inline void arch_read_lock(arch_rwlock_t *rw)
16449 asm volatile(LOCK_PREFIX READ_LOCK_SIZE(dec) " (%0)\n\t"
16451 +#ifdef CONFIG_PAX_REFCOUNT
16453 + LOCK_PREFIX READ_LOCK_SIZE(inc) " (%0)\n"
16455 + _ASM_EXTABLE(0b, 0b)
16459 "call __read_lock_failed\n\t"
16461 @@ -181,6 +189,14 @@ static inline void arch_read_lock(arch_rwlock_t *rw)
16462 static inline void arch_write_lock(arch_rwlock_t *rw)
16464 asm volatile(LOCK_PREFIX WRITE_LOCK_SUB(%1) "(%0)\n\t"
16466 +#ifdef CONFIG_PAX_REFCOUNT
16468 + LOCK_PREFIX WRITE_LOCK_ADD(%1) "(%0)\n"
16470 + _ASM_EXTABLE(0b, 0b)
16474 "call __write_lock_failed\n\t"
16476 @@ -210,13 +226,29 @@ static inline int arch_write_trylock(arch_rwlock_t *lock)
16478 static inline void arch_read_unlock(arch_rwlock_t *rw)
16480 - asm volatile(LOCK_PREFIX READ_LOCK_SIZE(inc) " %0"
16481 + asm volatile(LOCK_PREFIX READ_LOCK_SIZE(inc) " %0\n"
16483 +#ifdef CONFIG_PAX_REFCOUNT
16485 + LOCK_PREFIX READ_LOCK_SIZE(dec) " %0\n"
16487 + _ASM_EXTABLE(0b, 0b)
16490 :"+m" (rw->lock) : : "memory");
16493 static inline void arch_write_unlock(arch_rwlock_t *rw)
16495 - asm volatile(LOCK_PREFIX WRITE_LOCK_ADD(%1) "%0"
16496 + asm volatile(LOCK_PREFIX WRITE_LOCK_ADD(%1) "%0\n"
16498 +#ifdef CONFIG_PAX_REFCOUNT
16500 + LOCK_PREFIX WRITE_LOCK_SUB(%1) "%0\n"
16502 + _ASM_EXTABLE(0b, 0b)
16505 : "+m" (rw->write) : "i" (RW_LOCK_BIAS) : "memory");
16508 diff --git a/arch/x86/include/asm/stackprotector.h b/arch/x86/include/asm/stackprotector.h
16509 index 6a99859..03cb807 100644
16510 --- a/arch/x86/include/asm/stackprotector.h
16511 +++ b/arch/x86/include/asm/stackprotector.h
16513 * head_32 for boot CPU and setup_per_cpu_areas() for others.
16515 #define GDT_STACK_CANARY_INIT \
16516 - [GDT_ENTRY_STACK_CANARY] = GDT_ENTRY_INIT(0x4090, 0, 0x18),
16517 + [GDT_ENTRY_STACK_CANARY] = GDT_ENTRY_INIT(0x4090, 0, 0x17),
16520 * Initialize the stackprotector canary value.
16521 @@ -112,7 +112,7 @@ static inline void setup_stack_canary_segment(int cpu)
16523 static inline void load_stack_canary_segment(void)
16525 -#ifdef CONFIG_X86_32
16526 +#if defined(CONFIG_X86_32) && !defined(CONFIG_PAX_MEMORY_UDEREF)
16527 asm volatile ("mov %0, %%gs" : : "r" (0));
16530 diff --git a/arch/x86/include/asm/stacktrace.h b/arch/x86/include/asm/stacktrace.h
16531 index 70bbe39..4ae2bd4 100644
16532 --- a/arch/x86/include/asm/stacktrace.h
16533 +++ b/arch/x86/include/asm/stacktrace.h
16534 @@ -11,28 +11,20 @@
16536 extern int kstack_depth_to_print;
16538 -struct thread_info;
16539 +struct task_struct;
16540 struct stacktrace_ops;
16542 -typedef unsigned long (*walk_stack_t)(struct thread_info *tinfo,
16543 - unsigned long *stack,
16544 - unsigned long bp,
16545 - const struct stacktrace_ops *ops,
16547 - unsigned long *end,
16549 +typedef unsigned long walk_stack_t(struct task_struct *task,
16550 + void *stack_start,
16551 + unsigned long *stack,
16552 + unsigned long bp,
16553 + const struct stacktrace_ops *ops,
16555 + unsigned long *end,
16558 -extern unsigned long
16559 -print_context_stack(struct thread_info *tinfo,
16560 - unsigned long *stack, unsigned long bp,
16561 - const struct stacktrace_ops *ops, void *data,
16562 - unsigned long *end, int *graph);
16564 -extern unsigned long
16565 -print_context_stack_bp(struct thread_info *tinfo,
16566 - unsigned long *stack, unsigned long bp,
16567 - const struct stacktrace_ops *ops, void *data,
16568 - unsigned long *end, int *graph);
16569 +extern walk_stack_t print_context_stack;
16570 +extern walk_stack_t print_context_stack_bp;
16572 /* Generic stack tracer with callbacks */
16574 @@ -40,7 +32,7 @@ struct stacktrace_ops {
16575 void (*address)(void *data, unsigned long address, int reliable);
16576 /* On negative return stop dumping */
16577 int (*stack)(void *data, char *name);
16578 - walk_stack_t walk_stack;
16579 + walk_stack_t *walk_stack;
16582 void dump_trace(struct task_struct *tsk, struct pt_regs *regs,
16583 diff --git a/arch/x86/include/asm/switch_to.h b/arch/x86/include/asm/switch_to.h
16584 index 4ec45b3..a4f0a8a 100644
16585 --- a/arch/x86/include/asm/switch_to.h
16586 +++ b/arch/x86/include/asm/switch_to.h
16587 @@ -108,7 +108,7 @@ do { \
16588 "call __switch_to\n\t" \
16589 "movq "__percpu_arg([current_task])",%%rsi\n\t" \
16591 - "movq %P[thread_info](%%rsi),%%r8\n\t" \
16592 + "movq "__percpu_arg([thread_info])",%%r8\n\t" \
16593 "movq %%rax,%%rdi\n\t" \
16594 "testl %[_tif_fork],%P[ti_flags](%%r8)\n\t" \
16595 "jnz ret_from_fork\n\t" \
16596 @@ -119,7 +119,7 @@ do { \
16597 [threadrsp] "i" (offsetof(struct task_struct, thread.sp)), \
16598 [ti_flags] "i" (offsetof(struct thread_info, flags)), \
16599 [_tif_fork] "i" (_TIF_FORK), \
16600 - [thread_info] "i" (offsetof(struct task_struct, stack)), \
16601 + [thread_info] "m" (current_tinfo), \
16602 [current_task] "m" (current_task) \
16603 __switch_canary_iparam \
16604 : "memory", "cc" __EXTRA_CLOBBER)
16605 diff --git a/arch/x86/include/asm/thread_info.h b/arch/x86/include/asm/thread_info.h
16606 index a1df6e8..e002940 100644
16607 --- a/arch/x86/include/asm/thread_info.h
16608 +++ b/arch/x86/include/asm/thread_info.h
16610 #include <linux/compiler.h>
16611 #include <asm/page.h>
16612 #include <asm/types.h>
16613 +#include <asm/percpu.h>
16616 * low level task data that entry.S needs immediate access to
16617 @@ -23,7 +24,6 @@ struct exec_domain;
16618 #include <linux/atomic.h>
16620 struct thread_info {
16621 - struct task_struct *task; /* main task structure */
16622 struct exec_domain *exec_domain; /* execution domain */
16623 __u32 flags; /* low level flags */
16624 __u32 status; /* thread synchronous flags */
16625 @@ -33,19 +33,13 @@ struct thread_info {
16626 mm_segment_t addr_limit;
16627 struct restart_block restart_block;
16628 void __user *sysenter_return;
16629 -#ifdef CONFIG_X86_32
16630 - unsigned long previous_esp; /* ESP of the previous stack in
16631 - case of nested (IRQ) stacks
16633 - __u8 supervisor_stack[0];
16635 + unsigned long lowest_stack;
16636 unsigned int sig_on_uaccess_error:1;
16637 unsigned int uaccess_err:1; /* uaccess failed */
16640 -#define INIT_THREAD_INFO(tsk) \
16641 +#define INIT_THREAD_INFO \
16644 .exec_domain = &default_exec_domain, \
16647 @@ -56,7 +50,7 @@ struct thread_info {
16651 -#define init_thread_info (init_thread_union.thread_info)
16652 +#define init_thread_info (init_thread_union.stack)
16653 #define init_stack (init_thread_union.stack)
16655 #else /* !__ASSEMBLY__ */
16656 @@ -97,6 +91,7 @@ struct thread_info {
16657 #define TIF_SYSCALL_TRACEPOINT 28 /* syscall tracepoint instrumentation */
16658 #define TIF_ADDR32 29 /* 32-bit address space on 64 bits */
16659 #define TIF_X32 30 /* 32-bit native x86-64 binary */
16660 +#define TIF_GRSEC_SETXID 31 /* update credentials on syscall entry/exit */
16662 #define _TIF_SYSCALL_TRACE (1 << TIF_SYSCALL_TRACE)
16663 #define _TIF_NOTIFY_RESUME (1 << TIF_NOTIFY_RESUME)
16664 @@ -121,17 +116,18 @@ struct thread_info {
16665 #define _TIF_SYSCALL_TRACEPOINT (1 << TIF_SYSCALL_TRACEPOINT)
16666 #define _TIF_ADDR32 (1 << TIF_ADDR32)
16667 #define _TIF_X32 (1 << TIF_X32)
16668 +#define _TIF_GRSEC_SETXID (1 << TIF_GRSEC_SETXID)
16670 /* work to do in syscall_trace_enter() */
16671 #define _TIF_WORK_SYSCALL_ENTRY \
16672 (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_EMU | _TIF_SYSCALL_AUDIT | \
16673 _TIF_SECCOMP | _TIF_SINGLESTEP | _TIF_SYSCALL_TRACEPOINT | \
16675 + _TIF_NOHZ | _TIF_GRSEC_SETXID)
16677 /* work to do in syscall_trace_leave() */
16678 #define _TIF_WORK_SYSCALL_EXIT \
16679 (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | _TIF_SINGLESTEP | \
16680 - _TIF_SYSCALL_TRACEPOINT | _TIF_NOHZ)
16681 + _TIF_SYSCALL_TRACEPOINT | _TIF_NOHZ | _TIF_GRSEC_SETXID)
16683 /* work to do on interrupt/exception return */
16684 #define _TIF_WORK_MASK \
16685 @@ -142,7 +138,7 @@ struct thread_info {
16686 /* work to do on any return to user space */
16687 #define _TIF_ALLWORK_MASK \
16688 ((0x0000FFFF & ~_TIF_SECCOMP) | _TIF_SYSCALL_TRACEPOINT | \
16690 + _TIF_NOHZ | _TIF_GRSEC_SETXID)
16692 /* Only used for 64 bit */
16693 #define _TIF_DO_NOTIFY_MASK \
16694 @@ -158,45 +154,40 @@ struct thread_info {
16696 #define PREEMPT_ACTIVE 0x10000000
16698 -#ifdef CONFIG_X86_32
16700 -#define STACK_WARN (THREAD_SIZE/8)
16702 - * macros/functions for gaining access to the thread information structure
16704 - * preempt_count needs to be 1 initially, until the scheduler is functional.
16706 -#ifndef __ASSEMBLY__
16709 -/* how to get the current stack pointer from C */
16710 -register unsigned long current_stack_pointer asm("esp") __used;
16712 -/* how to get the thread information struct from C */
16713 -static inline struct thread_info *current_thread_info(void)
16715 - return (struct thread_info *)
16716 - (current_stack_pointer & ~(THREAD_SIZE - 1));
16719 -#else /* !__ASSEMBLY__ */
16721 +#ifdef __ASSEMBLY__
16722 /* how to get the thread information struct from ASM */
16723 #define GET_THREAD_INFO(reg) \
16724 - movl $-THREAD_SIZE, reg; \
16726 + mov PER_CPU_VAR(current_tinfo), reg
16728 /* use this one if reg already contains %esp */
16729 -#define GET_THREAD_INFO_WITH_ESP(reg) \
16730 - andl $-THREAD_SIZE, reg
16731 +#define GET_THREAD_INFO_WITH_ESP(reg) GET_THREAD_INFO(reg)
16733 +/* how to get the thread information struct from C */
16734 +DECLARE_PER_CPU(struct thread_info *, current_tinfo);
16736 +static __always_inline struct thread_info *current_thread_info(void)
16738 + return this_cpu_read_stable(current_tinfo);
16742 +#ifdef CONFIG_X86_32
16744 +#define STACK_WARN (THREAD_SIZE/8)
16746 + * macros/functions for gaining access to the thread information structure
16748 + * preempt_count needs to be 1 initially, until the scheduler is functional.
16750 +#ifndef __ASSEMBLY__
16752 +/* how to get the current stack pointer from C */
16753 +register unsigned long current_stack_pointer asm("esp") __used;
16759 -#include <asm/percpu.h>
16760 -#define KERNEL_STACK_OFFSET (5*8)
16763 * macros/functions for gaining access to the thread information structure
16764 * preempt_count needs to be 1 initially, until the scheduler is functional.
16765 @@ -204,27 +195,8 @@ static inline struct thread_info *current_thread_info(void)
16766 #ifndef __ASSEMBLY__
16767 DECLARE_PER_CPU(unsigned long, kernel_stack);
16769 -static inline struct thread_info *current_thread_info(void)
16771 - struct thread_info *ti;
16772 - ti = (void *)(this_cpu_read_stable(kernel_stack) +
16773 - KERNEL_STACK_OFFSET - THREAD_SIZE);
16777 -#else /* !__ASSEMBLY__ */
16779 -/* how to get the thread information struct from ASM */
16780 -#define GET_THREAD_INFO(reg) \
16781 - movq PER_CPU_VAR(kernel_stack),reg ; \
16782 - subq $(THREAD_SIZE-KERNEL_STACK_OFFSET),reg
16785 - * Same if PER_CPU_VAR(kernel_stack) is, perhaps with some offset, already in
16786 - * a certain register (to be used in assembler memory operands).
16788 -#define THREAD_INFO(reg, off) KERNEL_STACK_OFFSET+(off)-THREAD_SIZE(reg)
16790 +/* how to get the current stack pointer from C */
16791 +register unsigned long current_stack_pointer asm("rsp") __used;
16794 #endif /* !X86_32 */
16795 @@ -283,5 +255,12 @@ static inline bool is_ia32_task(void)
16796 extern void arch_task_cache_init(void);
16797 extern int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src);
16798 extern void arch_release_task_struct(struct task_struct *tsk);
16800 +#define __HAVE_THREAD_FUNCTIONS
16801 +#define task_thread_info(task) (&(task)->tinfo)
16802 +#define task_stack_page(task) ((task)->stack)
16803 +#define setup_thread_stack(p, org) do {} while (0)
16804 +#define end_of_stack(p) ((unsigned long *)task_stack_page(p) + 1)
16807 #endif /* _ASM_X86_THREAD_INFO_H */
16808 diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h
16809 index 50a7fc0..7c437a7 100644
16810 --- a/arch/x86/include/asm/tlbflush.h
16811 +++ b/arch/x86/include/asm/tlbflush.h
16812 @@ -17,18 +17,40 @@
16814 static inline void __native_flush_tlb(void)
16816 + if (static_cpu_has(X86_FEATURE_INVPCID)) {
16817 + unsigned long descriptor[2];
16818 + asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_ALL_MONGLOBAL) : "memory");
16822 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16823 + if (static_cpu_has(X86_FEATURE_PCID)) {
16824 + unsigned int cpu = raw_get_cpu();
16826 + native_write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER);
16827 + native_write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL);
16828 + raw_put_cpu_no_resched();
16833 native_write_cr3(native_read_cr3());
16836 static inline void __native_flush_tlb_global_irq_disabled(void)
16838 - unsigned long cr4;
16839 + if (static_cpu_has(X86_FEATURE_INVPCID)) {
16840 + unsigned long descriptor[2];
16841 + asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_ALL_GLOBAL) : "memory");
16843 + unsigned long cr4;
16845 - cr4 = native_read_cr4();
16847 - native_write_cr4(cr4 & ~X86_CR4_PGE);
16848 - /* write old PGE again and flush TLBs */
16849 - native_write_cr4(cr4);
16850 + cr4 = native_read_cr4();
16852 + native_write_cr4(cr4 & ~X86_CR4_PGE);
16853 + /* write old PGE again and flush TLBs */
16854 + native_write_cr4(cr4);
16858 static inline void __native_flush_tlb_global(void)
16859 @@ -49,6 +71,42 @@ static inline void __native_flush_tlb_global(void)
16861 static inline void __native_flush_tlb_single(unsigned long addr)
16864 + if (static_cpu_has(X86_FEATURE_INVPCID)) {
16865 + unsigned long descriptor[2];
16867 + descriptor[0] = PCID_KERNEL;
16868 + descriptor[1] = addr;
16870 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16871 + if (!static_cpu_has(X86_FEATURE_STRONGUDEREF) || addr >= TASK_SIZE_MAX) {
16872 + if (addr < TASK_SIZE_MAX)
16873 + descriptor[1] += pax_user_shadow_base;
16874 + asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_ADDRESS) : "memory");
16877 + descriptor[0] = PCID_USER;
16878 + descriptor[1] = addr;
16881 + asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_ADDRESS) : "memory");
16885 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16886 + if (static_cpu_has(X86_FEATURE_PCID)) {
16887 + unsigned int cpu = raw_get_cpu();
16889 + native_write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER | PCID_NOFLUSH);
16890 + asm volatile("invlpg (%0)" ::"r" (addr) : "memory");
16891 + native_write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL | PCID_NOFLUSH);
16892 + raw_put_cpu_no_resched();
16894 + if (!static_cpu_has(X86_FEATURE_STRONGUDEREF) && addr < TASK_SIZE_MAX)
16895 + addr += pax_user_shadow_base;
16899 asm volatile("invlpg (%0)" ::"r" (addr) : "memory");
16902 diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
16903 index 5ee2687..74590b9 100644
16904 --- a/arch/x86/include/asm/uaccess.h
16905 +++ b/arch/x86/include/asm/uaccess.h
16907 #include <linux/compiler.h>
16908 #include <linux/thread_info.h>
16909 #include <linux/string.h>
16910 +#include <linux/sched.h>
16911 #include <asm/asm.h>
16912 #include <asm/page.h>
16913 #include <asm/smap.h>
16916 #define get_ds() (KERNEL_DS)
16917 #define get_fs() (current_thread_info()->addr_limit)
16918 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16919 +void __set_fs(mm_segment_t x);
16920 +void set_fs(mm_segment_t x);
16922 #define set_fs(x) (current_thread_info()->addr_limit = (x))
16925 #define segment_eq(a, b) ((a).seg == (b).seg)
16928 * checks that the pointer is in the user space range - after calling
16929 * this function, memory access functions may still return -EFAULT.
16931 -#define access_ok(type, addr, size) \
16932 - (likely(__range_not_ok(addr, size, user_addr_max()) == 0))
16933 +#define __access_ok(type, addr, size) (likely(__range_not_ok(addr, size, user_addr_max()) == 0))
16934 +#define access_ok(type, addr, size) \
16936 + long __size = size; \
16937 + unsigned long __addr = (unsigned long)addr; \
16938 + unsigned long __addr_ao = __addr & PAGE_MASK; \
16939 + unsigned long __end_ao = __addr + __size - 1; \
16940 + bool __ret_ao = __range_not_ok(__addr, __size, user_addr_max()) == 0;\
16941 + if (__ret_ao && unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
16942 + while(__addr_ao <= __end_ao) { \
16944 + __addr_ao += PAGE_SIZE; \
16945 + if (__size > PAGE_SIZE) \
16946 + cond_resched(); \
16947 + if (__get_user(__c_ao, (char __user *)__addr)) \
16949 + if (type != VERIFY_WRITE) { \
16950 + __addr = __addr_ao; \
16953 + if (__put_user(__c_ao, (char __user *)__addr)) \
16955 + __addr = __addr_ao; \
16962 * The exception table consists of pairs of addresses relative to the
16963 @@ -165,10 +196,12 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
16964 register __inttype(*(ptr)) __val_gu asm("%edx"); \
16965 __chk_user_ptr(ptr); \
16967 + pax_open_userland(); \
16968 asm volatile("call __get_user_%P3" \
16969 : "=a" (__ret_gu), "=r" (__val_gu) \
16970 : "0" (ptr), "i" (sizeof(*(ptr)))); \
16971 (x) = (__typeof__(*(ptr))) __val_gu; \
16972 + pax_close_userland(); \
16976 @@ -176,13 +209,21 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
16977 asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
16978 : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
16981 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16982 +#define __copyuser_seg "gs;"
16983 +#define __COPYUSER_SET_ES "pushl %%gs; popl %%es\n"
16984 +#define __COPYUSER_RESTORE_ES "pushl %%ss; popl %%es\n"
16986 +#define __copyuser_seg
16987 +#define __COPYUSER_SET_ES
16988 +#define __COPYUSER_RESTORE_ES
16991 #ifdef CONFIG_X86_32
16992 #define __put_user_asm_u64(x, addr, err, errret) \
16993 asm volatile(ASM_STAC "\n" \
16994 - "1: movl %%eax,0(%2)\n" \
16995 - "2: movl %%edx,4(%2)\n" \
16996 + "1: "__copyuser_seg"movl %%eax,0(%2)\n" \
16997 + "2: "__copyuser_seg"movl %%edx,4(%2)\n" \
16998 "3: " ASM_CLAC "\n" \
16999 ".section .fixup,\"ax\"\n" \
17000 "4: movl %3,%0\n" \
17001 @@ -195,8 +236,8 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
17003 #define __put_user_asm_ex_u64(x, addr) \
17004 asm volatile(ASM_STAC "\n" \
17005 - "1: movl %%eax,0(%1)\n" \
17006 - "2: movl %%edx,4(%1)\n" \
17007 + "1: "__copyuser_seg"movl %%eax,0(%1)\n" \
17008 + "2: "__copyuser_seg"movl %%edx,4(%1)\n" \
17009 "3: " ASM_CLAC "\n" \
17010 _ASM_EXTABLE_EX(1b, 2b) \
17011 _ASM_EXTABLE_EX(2b, 3b) \
17012 @@ -246,7 +287,8 @@ extern void __put_user_8(void);
17013 __typeof__(*(ptr)) __pu_val; \
17014 __chk_user_ptr(ptr); \
17017 + __pu_val = (x); \
17018 + pax_open_userland(); \
17019 switch (sizeof(*(ptr))) { \
17021 __put_user_x(1, __pu_val, ptr, __ret_pu); \
17022 @@ -264,6 +306,7 @@ extern void __put_user_8(void);
17023 __put_user_x(X, __pu_val, ptr, __ret_pu); \
17026 + pax_close_userland(); \
17030 @@ -344,8 +387,10 @@ do { \
17033 #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
17035 + pax_open_userland(); \
17036 asm volatile(ASM_STAC "\n" \
17037 - "1: mov"itype" %2,%"rtype"1\n" \
17038 + "1: "__copyuser_seg"mov"itype" %2,%"rtype"1\n"\
17039 "2: " ASM_CLAC "\n" \
17040 ".section .fixup,\"ax\"\n" \
17042 @@ -353,8 +398,10 @@ do { \
17045 _ASM_EXTABLE(1b, 3b) \
17046 - : "=r" (err), ltype(x) \
17047 - : "m" (__m(addr)), "i" (errret), "0" (err))
17048 + : "=r" (err), ltype (x) \
17049 + : "m" (__m(addr)), "i" (errret), "0" (err)); \
17050 + pax_close_userland(); \
17053 #define __get_user_size_ex(x, ptr, size) \
17055 @@ -378,7 +425,7 @@ do { \
17058 #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
17059 - asm volatile("1: mov"itype" %1,%"rtype"0\n" \
17060 + asm volatile("1: "__copyuser_seg"mov"itype" %1,%"rtype"0\n"\
17062 _ASM_EXTABLE_EX(1b, 2b) \
17063 : ltype(x) : "m" (__m(addr)))
17064 @@ -395,13 +442,24 @@ do { \
17066 unsigned long __gu_val; \
17067 __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
17068 - (x) = (__force __typeof__(*(ptr)))__gu_val; \
17069 + (x) = (__typeof__(*(ptr)))__gu_val; \
17073 /* FIXME: this hack is definitely wrong -AK */
17074 struct __large_struct { unsigned long buf[100]; };
17075 -#define __m(x) (*(struct __large_struct __user *)(x))
17076 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17077 +#define ____m(x) \
17079 + unsigned long ____x = (unsigned long)(x); \
17080 + if (____x < pax_user_shadow_base) \
17081 + ____x += pax_user_shadow_base; \
17082 + (typeof(x))____x; \
17085 +#define ____m(x) (x)
17087 +#define __m(x) (*(struct __large_struct __user *)____m(x))
17090 * Tell gcc we read from memory instead of writing: this is because
17091 @@ -409,8 +467,10 @@ struct __large_struct { unsigned long buf[100]; };
17094 #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
17096 + pax_open_userland(); \
17097 asm volatile(ASM_STAC "\n" \
17098 - "1: mov"itype" %"rtype"1,%2\n" \
17099 + "1: "__copyuser_seg"mov"itype" %"rtype"1,%2\n"\
17100 "2: " ASM_CLAC "\n" \
17101 ".section .fixup,\"ax\"\n" \
17103 @@ -418,10 +478,12 @@ struct __large_struct { unsigned long buf[100]; };
17105 _ASM_EXTABLE(1b, 3b) \
17107 - : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
17108 + : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err));\
17109 + pax_close_userland(); \
17112 #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \
17113 - asm volatile("1: mov"itype" %"rtype"0,%1\n" \
17114 + asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"0,%1\n"\
17116 _ASM_EXTABLE_EX(1b, 2b) \
17117 : : ltype(x), "m" (__m(addr)))
17118 @@ -431,11 +493,13 @@ struct __large_struct { unsigned long buf[100]; };
17120 #define uaccess_try do { \
17121 current_thread_info()->uaccess_err = 0; \
17122 + pax_open_userland(); \
17126 #define uaccess_catch(err) \
17128 + pax_close_userland(); \
17129 (err) |= (current_thread_info()->uaccess_err ? -EFAULT : 0); \
17132 @@ -460,8 +524,12 @@ struct __large_struct { unsigned long buf[100]; };
17133 * On error, the variable @x is set to zero.
17136 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17137 +#define __get_user(x, ptr) get_user((x), (ptr))
17139 #define __get_user(x, ptr) \
17140 __get_user_nocheck((x), (ptr), sizeof(*(ptr)))
17144 * __put_user: - Write a simple value into user space, with less checking.
17145 @@ -483,8 +551,12 @@ struct __large_struct { unsigned long buf[100]; };
17146 * Returns zero on success, or -EFAULT on error.
17149 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17150 +#define __put_user(x, ptr) put_user((x), (ptr))
17152 #define __put_user(x, ptr) \
17153 __put_user_nocheck((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)))
17156 #define __get_user_unaligned __get_user
17157 #define __put_user_unaligned __put_user
17158 @@ -502,7 +574,7 @@ struct __large_struct { unsigned long buf[100]; };
17159 #define get_user_ex(x, ptr) do { \
17160 unsigned long __gue_val; \
17161 __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \
17162 - (x) = (__force __typeof__(*(ptr)))__gue_val; \
17163 + (x) = (__typeof__(*(ptr)))__gue_val; \
17166 #define put_user_try uaccess_try
17167 @@ -519,8 +591,8 @@ strncpy_from_user(char *dst, const char __user *src, long count);
17168 extern __must_check long strlen_user(const char __user *str);
17169 extern __must_check long strnlen_user(const char __user *str, long n);
17171 -unsigned long __must_check clear_user(void __user *mem, unsigned long len);
17172 -unsigned long __must_check __clear_user(void __user *mem, unsigned long len);
17173 +unsigned long __must_check clear_user(void __user *mem, unsigned long len) __size_overflow(2);
17174 +unsigned long __must_check __clear_user(void __user *mem, unsigned long len) __size_overflow(2);
17177 * movsl can be slow when source and dest are not both 8-byte aligned
17178 diff --git a/arch/x86/include/asm/uaccess_32.h b/arch/x86/include/asm/uaccess_32.h
17179 index 7f760a9..04b1c65 100644
17180 --- a/arch/x86/include/asm/uaccess_32.h
17181 +++ b/arch/x86/include/asm/uaccess_32.h
17182 @@ -11,15 +11,15 @@
17183 #include <asm/page.h>
17185 unsigned long __must_check __copy_to_user_ll
17186 - (void __user *to, const void *from, unsigned long n);
17187 + (void __user *to, const void *from, unsigned long n) __size_overflow(3);
17188 unsigned long __must_check __copy_from_user_ll
17189 - (void *to, const void __user *from, unsigned long n);
17190 + (void *to, const void __user *from, unsigned long n) __size_overflow(3);
17191 unsigned long __must_check __copy_from_user_ll_nozero
17192 - (void *to, const void __user *from, unsigned long n);
17193 + (void *to, const void __user *from, unsigned long n) __size_overflow(3);
17194 unsigned long __must_check __copy_from_user_ll_nocache
17195 - (void *to, const void __user *from, unsigned long n);
17196 + (void *to, const void __user *from, unsigned long n) __size_overflow(3);
17197 unsigned long __must_check __copy_from_user_ll_nocache_nozero
17198 - (void *to, const void __user *from, unsigned long n);
17199 + (void *to, const void __user *from, unsigned long n) __size_overflow(3);
17202 * __copy_to_user_inatomic: - Copy a block of data into user space, with less checking.
17203 @@ -43,6 +43,11 @@ unsigned long __must_check __copy_from_user_ll_nocache_nozero
17204 static __always_inline unsigned long __must_check
17205 __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
17210 + check_object_size(from, n, true);
17212 if (__builtin_constant_p(n)) {
17215 @@ -82,12 +87,16 @@ static __always_inline unsigned long __must_check
17216 __copy_to_user(void __user *to, const void *from, unsigned long n)
17220 return __copy_to_user_inatomic(to, from, n);
17223 static __always_inline unsigned long
17224 __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
17229 /* Avoid zeroing the tail if the copy fails..
17230 * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
17231 * but as the zeroing behaviour is only significant when n is not
17232 @@ -137,6 +146,12 @@ static __always_inline unsigned long
17233 __copy_from_user(void *to, const void __user *from, unsigned long n)
17240 + check_object_size(to, n, false);
17242 if (__builtin_constant_p(n)) {
17245 @@ -159,6 +174,10 @@ static __always_inline unsigned long __copy_from_user_nocache(void *to,
17246 const void __user *from, unsigned long n)
17253 if (__builtin_constant_p(n)) {
17256 @@ -181,15 +200,19 @@ static __always_inline unsigned long
17257 __copy_from_user_inatomic_nocache(void *to, const void __user *from,
17260 - return __copy_from_user_ll_nocache_nozero(to, from, n);
17264 + return __copy_from_user_ll_nocache_nozero(to, from, n);
17267 -unsigned long __must_check copy_to_user(void __user *to,
17268 - const void *from, unsigned long n);
17269 -unsigned long __must_check _copy_from_user(void *to,
17270 - const void __user *from,
17271 - unsigned long n);
17273 +extern void copy_to_user_overflow(void)
17274 +#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
17275 + __compiletime_error("copy_to_user() buffer size is not provably correct")
17277 + __compiletime_warning("copy_to_user() buffer size is not provably correct")
17281 extern void copy_from_user_overflow(void)
17282 #ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
17283 @@ -199,17 +222,60 @@ extern void copy_from_user_overflow(void)
17287 -static inline unsigned long __must_check copy_from_user(void *to,
17288 - const void __user *from,
17291 + * copy_to_user: - Copy a block of data into user space.
17292 + * @to: Destination address, in user space.
17293 + * @from: Source address, in kernel space.
17294 + * @n: Number of bytes to copy.
17296 + * Context: User context only. This function may sleep.
17298 + * Copy data from kernel space to user space.
17300 + * Returns number of bytes that could not be copied.
17301 + * On success, this will be zero.
17303 +static inline unsigned long __must_check
17304 +copy_to_user(void __user *to, const void *from, unsigned long n)
17306 - int sz = __compiletime_object_size(to);
17307 + size_t sz = __compiletime_object_size(from);
17309 - if (likely(sz == -1 || sz >= n))
17310 - n = _copy_from_user(to, from, n);
17312 + if (unlikely(sz != (size_t)-1 && sz < n))
17313 + copy_to_user_overflow();
17314 + else if (access_ok(VERIFY_WRITE, to, n))
17315 + n = __copy_to_user(to, from, n);
17320 + * copy_from_user: - Copy a block of data from user space.
17321 + * @to: Destination address, in kernel space.
17322 + * @from: Source address, in user space.
17323 + * @n: Number of bytes to copy.
17325 + * Context: User context only. This function may sleep.
17327 + * Copy data from user space to kernel space.
17329 + * Returns number of bytes that could not be copied.
17330 + * On success, this will be zero.
17332 + * If some data could not be copied, this function will pad the copied
17333 + * data to the requested size using zero bytes.
17335 +static inline unsigned long __must_check
17336 +copy_from_user(void *to, const void __user *from, unsigned long n)
17338 + size_t sz = __compiletime_object_size(to);
17340 + check_object_size(to, n, false);
17342 + if (unlikely(sz != (size_t)-1 && sz < n))
17343 copy_from_user_overflow();
17345 + else if (access_ok(VERIFY_READ, from, n))
17346 + n = __copy_from_user(to, from, n);
17347 + else if ((long)n > 0)
17348 + memset(to, 0, n);
17352 diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h
17353 index 142810c..1f2a0a7 100644
17354 --- a/arch/x86/include/asm/uaccess_64.h
17355 +++ b/arch/x86/include/asm/uaccess_64.h
17357 #include <asm/alternative.h>
17358 #include <asm/cpufeature.h>
17359 #include <asm/page.h>
17360 +#include <asm/pgtable.h>
17362 +#define set_fs(x) (current_thread_info()->addr_limit = (x))
17365 * Copy To/From Userspace
17366 @@ -17,13 +20,13 @@
17368 /* Handles exceptions in both to and from, but doesn't do access_ok */
17369 __must_check unsigned long
17370 -copy_user_enhanced_fast_string(void *to, const void *from, unsigned len);
17371 +copy_user_enhanced_fast_string(void *to, const void *from, unsigned len) __size_overflow(3);
17372 __must_check unsigned long
17373 -copy_user_generic_string(void *to, const void *from, unsigned len);
17374 +copy_user_generic_string(void *to, const void *from, unsigned len) __size_overflow(3);
17375 __must_check unsigned long
17376 -copy_user_generic_unrolled(void *to, const void *from, unsigned len);
17377 +copy_user_generic_unrolled(void *to, const void *from, unsigned len) __size_overflow(3);
17379 -static __always_inline __must_check unsigned long
17380 +static __always_inline __must_check __size_overflow(3) unsigned long
17381 copy_user_generic(void *to, const void *from, unsigned len)
17384 @@ -41,142 +44,204 @@ copy_user_generic(void *to, const void *from, unsigned len)
17385 ASM_OUTPUT2("=a" (ret), "=D" (to), "=S" (from),
17387 "1" (to), "2" (from), "3" (len)
17388 - : "memory", "rcx", "r8", "r9", "r10", "r11");
17389 + : "memory", "rcx", "r8", "r9", "r11");
17393 +static __always_inline __must_check unsigned long
17394 +__copy_to_user(void __user *to, const void *from, unsigned long len);
17395 +static __always_inline __must_check unsigned long
17396 +__copy_from_user(void *to, const void __user *from, unsigned long len);
17397 __must_check unsigned long
17398 -_copy_to_user(void __user *to, const void *from, unsigned len);
17399 -__must_check unsigned long
17400 -_copy_from_user(void *to, const void __user *from, unsigned len);
17401 -__must_check unsigned long
17402 -copy_in_user(void __user *to, const void __user *from, unsigned len);
17403 +copy_in_user(void __user *to, const void __user *from, unsigned long len);
17405 +extern void copy_to_user_overflow(void)
17406 +#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
17407 + __compiletime_error("copy_to_user() buffer size is not provably correct")
17409 + __compiletime_warning("copy_to_user() buffer size is not provably correct")
17413 +extern void copy_from_user_overflow(void)
17414 +#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
17415 + __compiletime_error("copy_from_user() buffer size is not provably correct")
17417 + __compiletime_warning("copy_from_user() buffer size is not provably correct")
17421 static inline unsigned long __must_check copy_from_user(void *to,
17422 const void __user *from,
17425 - int sz = __compiletime_object_size(to);
17428 - if (likely(sz == -1 || sz >= n))
17429 - n = _copy_from_user(to, from, n);
17430 -#ifdef CONFIG_DEBUG_VM
17432 - WARN(1, "Buffer overflow detected!\n");
17435 + check_object_size(to, n, false);
17437 + if (access_ok(VERIFY_READ, from, n))
17438 + n = __copy_from_user(to, from, n);
17439 + else if (n < INT_MAX)
17440 + memset(to, 0, n);
17444 static __always_inline __must_check
17445 -int copy_to_user(void __user *dst, const void *src, unsigned size)
17446 +int copy_to_user(void __user *dst, const void *src, unsigned long size)
17450 - return _copy_to_user(dst, src, size);
17451 + if (access_ok(VERIFY_WRITE, dst, size))
17452 + size = __copy_to_user(dst, src, size);
17456 static __always_inline __must_check
17457 -int __copy_from_user(void *dst, const void __user *src, unsigned size)
17458 +unsigned long __copy_from_user(void *dst, const void __user *src, unsigned long size)
17461 + size_t sz = __compiletime_object_size(dst);
17462 + unsigned ret = 0;
17466 + if (size > INT_MAX)
17469 + check_object_size(dst, size, false);
17471 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17472 + if (!__access_ok(VERIFY_READ, src, size))
17476 + if (unlikely(sz != (size_t)-1 && sz < size)) {
17477 + copy_from_user_overflow();
17481 if (!__builtin_constant_p(size))
17482 - return copy_user_generic(dst, (__force void *)src, size);
17483 + return copy_user_generic(dst, (__force_kernel const void *)____m(src), size);
17485 - case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
17486 + case 1:__get_user_asm(*(u8 *)dst, (const u8 __user *)src,
17487 ret, "b", "b", "=q", 1);
17489 - case 2:__get_user_asm(*(u16 *)dst, (u16 __user *)src,
17490 + case 2:__get_user_asm(*(u16 *)dst, (const u16 __user *)src,
17491 ret, "w", "w", "=r", 2);
17493 - case 4:__get_user_asm(*(u32 *)dst, (u32 __user *)src,
17494 + case 4:__get_user_asm(*(u32 *)dst, (const u32 __user *)src,
17495 ret, "l", "k", "=r", 4);
17497 - case 8:__get_user_asm(*(u64 *)dst, (u64 __user *)src,
17498 + case 8:__get_user_asm(*(u64 *)dst, (const u64 __user *)src,
17499 ret, "q", "", "=r", 8);
17502 - __get_user_asm(*(u64 *)dst, (u64 __user *)src,
17503 + __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
17504 ret, "q", "", "=r", 10);
17507 __get_user_asm(*(u16 *)(8 + (char *)dst),
17508 - (u16 __user *)(8 + (char __user *)src),
17509 + (const u16 __user *)(8 + (const char __user *)src),
17510 ret, "w", "w", "=r", 2);
17513 - __get_user_asm(*(u64 *)dst, (u64 __user *)src,
17514 + __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
17515 ret, "q", "", "=r", 16);
17518 __get_user_asm(*(u64 *)(8 + (char *)dst),
17519 - (u64 __user *)(8 + (char __user *)src),
17520 + (const u64 __user *)(8 + (const char __user *)src),
17521 ret, "q", "", "=r", 8);
17524 - return copy_user_generic(dst, (__force void *)src, size);
17525 + return copy_user_generic(dst, (__force_kernel const void *)____m(src), size);
17529 static __always_inline __must_check
17530 -int __copy_to_user(void __user *dst, const void *src, unsigned size)
17531 +unsigned long __copy_to_user(void __user *dst, const void *src, unsigned long size)
17534 + size_t sz = __compiletime_object_size(src);
17535 + unsigned ret = 0;
17539 + if (size > INT_MAX)
17542 + check_object_size(src, size, true);
17544 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17545 + if (!__access_ok(VERIFY_WRITE, dst, size))
17549 + if (unlikely(sz != (size_t)-1 && sz < size)) {
17550 + copy_to_user_overflow();
17554 if (!__builtin_constant_p(size))
17555 - return copy_user_generic((__force void *)dst, src, size);
17556 + return copy_user_generic((__force_kernel void *)____m(dst), src, size);
17558 - case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
17559 + case 1:__put_user_asm(*(const u8 *)src, (u8 __user *)dst,
17560 ret, "b", "b", "iq", 1);
17562 - case 2:__put_user_asm(*(u16 *)src, (u16 __user *)dst,
17563 + case 2:__put_user_asm(*(const u16 *)src, (u16 __user *)dst,
17564 ret, "w", "w", "ir", 2);
17566 - case 4:__put_user_asm(*(u32 *)src, (u32 __user *)dst,
17567 + case 4:__put_user_asm(*(const u32 *)src, (u32 __user *)dst,
17568 ret, "l", "k", "ir", 4);
17570 - case 8:__put_user_asm(*(u64 *)src, (u64 __user *)dst,
17571 + case 8:__put_user_asm(*(const u64 *)src, (u64 __user *)dst,
17572 ret, "q", "", "er", 8);
17575 - __put_user_asm(*(u64 *)src, (u64 __user *)dst,
17576 + __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
17577 ret, "q", "", "er", 10);
17580 asm("":::"memory");
17581 - __put_user_asm(4[(u16 *)src], 4 + (u16 __user *)dst,
17582 + __put_user_asm(4[(const u16 *)src], 4 + (u16 __user *)dst,
17583 ret, "w", "w", "ir", 2);
17586 - __put_user_asm(*(u64 *)src, (u64 __user *)dst,
17587 + __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
17588 ret, "q", "", "er", 16);
17591 asm("":::"memory");
17592 - __put_user_asm(1[(u64 *)src], 1 + (u64 __user *)dst,
17593 + __put_user_asm(1[(const u64 *)src], 1 + (u64 __user *)dst,
17594 ret, "q", "", "er", 8);
17597 - return copy_user_generic((__force void *)dst, src, size);
17598 + return copy_user_generic((__force_kernel void *)____m(dst), src, size);
17602 static __always_inline __must_check
17603 -int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
17604 +unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned long size)
17607 + unsigned ret = 0;
17611 + if (size > INT_MAX)
17614 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17615 + if (!__access_ok(VERIFY_READ, src, size))
17617 + if (!__access_ok(VERIFY_WRITE, dst, size))
17621 if (!__builtin_constant_p(size))
17622 - return copy_user_generic((__force void *)dst,
17623 - (__force void *)src, size);
17624 + return copy_user_generic((__force_kernel void *)____m(dst),
17625 + (__force_kernel const void *)____m(src), size);
17629 - __get_user_asm(tmp, (u8 __user *)src,
17630 + __get_user_asm(tmp, (const u8 __user *)src,
17631 ret, "b", "b", "=q", 1);
17633 __put_user_asm(tmp, (u8 __user *)dst,
17634 @@ -185,7 +250,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
17638 - __get_user_asm(tmp, (u16 __user *)src,
17639 + __get_user_asm(tmp, (const u16 __user *)src,
17640 ret, "w", "w", "=r", 2);
17642 __put_user_asm(tmp, (u16 __user *)dst,
17643 @@ -195,7 +260,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
17647 - __get_user_asm(tmp, (u32 __user *)src,
17648 + __get_user_asm(tmp, (const u32 __user *)src,
17649 ret, "l", "k", "=r", 4);
17651 __put_user_asm(tmp, (u32 __user *)dst,
17652 @@ -204,7 +269,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
17656 - __get_user_asm(tmp, (u64 __user *)src,
17657 + __get_user_asm(tmp, (const u64 __user *)src,
17658 ret, "q", "", "=r", 8);
17660 __put_user_asm(tmp, (u64 __user *)dst,
17661 @@ -212,41 +277,72 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
17665 - return copy_user_generic((__force void *)dst,
17666 - (__force void *)src, size);
17667 + return copy_user_generic((__force_kernel void *)____m(dst),
17668 + (__force_kernel const void *)____m(src), size);
17672 static __must_check __always_inline int
17673 -__copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
17674 +__copy_from_user_inatomic(void *dst, const void __user *src, unsigned long size)
17676 - return copy_user_generic(dst, (__force const void *)src, size);
17677 + if (size > INT_MAX)
17680 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17681 + if (!__access_ok(VERIFY_READ, src, size))
17685 + return copy_user_generic(dst, (__force_kernel const void *)____m(src), size);
17688 -static __must_check __always_inline int
17689 -__copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
17690 +static __must_check __always_inline unsigned long
17691 +__copy_to_user_inatomic(void __user *dst, const void *src, unsigned long size)
17693 - return copy_user_generic((__force void *)dst, src, size);
17694 + if (size > INT_MAX)
17697 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17698 + if (!__access_ok(VERIFY_WRITE, dst, size))
17702 + return copy_user_generic((__force_kernel void *)____m(dst), src, size);
17705 -extern long __copy_user_nocache(void *dst, const void __user *src,
17706 - unsigned size, int zerorest);
17707 +extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
17708 + unsigned long size, int zerorest) __size_overflow(3);
17711 -__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
17712 +static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned long size)
17716 + if (size > INT_MAX)
17719 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17720 + if (!__access_ok(VERIFY_READ, src, size))
17724 return __copy_user_nocache(dst, src, size, 1);
17728 -__copy_from_user_inatomic_nocache(void *dst, const void __user *src,
17730 +static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
17731 + unsigned long size)
17733 + if (size > INT_MAX)
17736 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17737 + if (!__access_ok(VERIFY_READ, src, size))
17741 return __copy_user_nocache(dst, src, size, 0);
17745 -copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
17746 +extern unsigned long
17747 +copy_user_handle_tail(char __user *to, char __user *from, unsigned long len, unsigned zerorest) __size_overflow(3);
17749 #endif /* _ASM_X86_UACCESS_64_H */
17750 diff --git a/arch/x86/include/asm/word-at-a-time.h b/arch/x86/include/asm/word-at-a-time.h
17751 index 5b238981..77fdd78 100644
17752 --- a/arch/x86/include/asm/word-at-a-time.h
17753 +++ b/arch/x86/include/asm/word-at-a-time.h
17755 * and shift, for example.
17757 struct word_at_a_time {
17758 - const unsigned long one_bits, high_bits;
17759 + unsigned long one_bits, high_bits;
17762 #define WORD_AT_A_TIME_CONSTANTS { REPEAT_BYTE(0x01), REPEAT_BYTE(0x80) }
17763 diff --git a/arch/x86/include/asm/x86_init.h b/arch/x86/include/asm/x86_init.h
17764 index d8d9922..bf6cecb 100644
17765 --- a/arch/x86/include/asm/x86_init.h
17766 +++ b/arch/x86/include/asm/x86_init.h
17767 @@ -129,7 +129,7 @@ struct x86_init_ops {
17768 struct x86_init_timers timers;
17769 struct x86_init_iommu iommu;
17770 struct x86_init_pci pci;
17775 * struct x86_cpuinit_ops - platform specific cpu hotplug setups
17776 @@ -140,7 +140,7 @@ struct x86_cpuinit_ops {
17777 void (*setup_percpu_clockev)(void);
17778 void (*early_percpu_clock_init)(void);
17779 void (*fixup_cpu_id)(struct cpuinfo_x86 *c, int node);
17784 * struct x86_platform_ops - platform specific runtime functions
17785 @@ -166,7 +166,7 @@ struct x86_platform_ops {
17786 void (*save_sched_clock_state)(void);
17787 void (*restore_sched_clock_state)(void);
17788 void (*apic_post_init)(void);
17794 @@ -180,7 +180,7 @@ struct x86_msi_ops {
17795 void (*teardown_msi_irqs)(struct pci_dev *dev);
17796 void (*restore_msi_irqs)(struct pci_dev *dev, int irq);
17797 int (*setup_hpet_msi)(unsigned int irq, unsigned int id);
17801 struct IO_APIC_route_entry;
17802 struct io_apic_irq_attr;
17803 @@ -201,7 +201,7 @@ struct x86_io_apic_ops {
17804 unsigned int destination, int vector,
17805 struct io_apic_irq_attr *attr);
17806 void (*eoi_ioapic_pin)(int apic, int pin, int vector);
17810 extern struct x86_init_ops x86_init;
17811 extern struct x86_cpuinit_ops x86_cpuinit;
17812 diff --git a/arch/x86/include/asm/xsave.h b/arch/x86/include/asm/xsave.h
17813 index 0415cda..3b22adc 100644
17814 --- a/arch/x86/include/asm/xsave.h
17815 +++ b/arch/x86/include/asm/xsave.h
17816 @@ -70,8 +70,11 @@ static inline int xsave_user(struct xsave_struct __user *buf)
17820 + pax_open_userland();
17821 __asm__ __volatile__(ASM_STAC "\n"
17822 - "1: .byte " REX_PREFIX "0x0f,0xae,0x27\n"
17825 + ".byte " REX_PREFIX "0x0f,0xae,0x27\n"
17826 "2: " ASM_CLAC "\n"
17827 ".section .fixup,\"ax\"\n"
17828 "3: movl $-1,%[err]\n"
17829 @@ -81,18 +84,22 @@ static inline int xsave_user(struct xsave_struct __user *buf)
17831 : "D" (buf), "a" (-1), "d" (-1), "0" (0)
17833 + pax_close_userland();
17837 static inline int xrestore_user(struct xsave_struct __user *buf, u64 mask)
17840 - struct xsave_struct *xstate = ((__force struct xsave_struct *)buf);
17841 + struct xsave_struct *xstate = ((__force_kernel struct xsave_struct *)buf);
17843 u32 hmask = mask >> 32;
17845 + pax_open_userland();
17846 __asm__ __volatile__(ASM_STAC "\n"
17847 - "1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
17850 + ".byte " REX_PREFIX "0x0f,0xae,0x2f\n"
17851 "2: " ASM_CLAC "\n"
17852 ".section .fixup,\"ax\"\n"
17853 "3: movl $-1,%[err]\n"
17854 @@ -102,6 +109,7 @@ static inline int xrestore_user(struct xsave_struct __user *buf, u64 mask)
17856 : "D" (xstate), "a" (lmask), "d" (hmask), "0" (0)
17857 : "memory"); /* memory required? */
17858 + pax_close_userland();
17862 diff --git a/arch/x86/include/uapi/asm/e820.h b/arch/x86/include/uapi/asm/e820.h
17863 index bbae024..e1528f9 100644
17864 --- a/arch/x86/include/uapi/asm/e820.h
17865 +++ b/arch/x86/include/uapi/asm/e820.h
17866 @@ -63,7 +63,7 @@ struct e820map {
17867 #define ISA_START_ADDRESS 0xa0000
17868 #define ISA_END_ADDRESS 0x100000
17870 -#define BIOS_BEGIN 0x000a0000
17871 +#define BIOS_BEGIN 0x000c0000
17872 #define BIOS_END 0x00100000
17874 #define BIOS_ROM_BASE 0xffe00000
17875 diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile
17876 index 7bd3bd3..5dac791 100644
17877 --- a/arch/x86/kernel/Makefile
17878 +++ b/arch/x86/kernel/Makefile
17879 @@ -22,7 +22,7 @@ obj-y += time.o ioport.o ldt.o dumpstack.o nmi.o
17880 obj-y += setup.o x86_init.o i8259.o irqinit.o jump_label.o
17881 obj-$(CONFIG_IRQ_WORK) += irq_work.o
17882 obj-y += probe_roms.o
17883 -obj-$(CONFIG_X86_32) += i386_ksyms_32.o
17884 +obj-$(CONFIG_X86_32) += sys_i386_32.o i386_ksyms_32.o
17885 obj-$(CONFIG_X86_64) += sys_x86_64.o x8664_ksyms_64.o
17886 obj-y += syscall_$(BITS).o
17887 obj-$(CONFIG_X86_64) += vsyscall_64.o
17888 diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c
17889 index 230c8ea..f915130 100644
17890 --- a/arch/x86/kernel/acpi/boot.c
17891 +++ b/arch/x86/kernel/acpi/boot.c
17892 @@ -1361,7 +1361,7 @@ static int __init dmi_ignore_irq0_timer_override(const struct dmi_system_id *d)
17893 * If your system is blacklisted here, but you find that acpi=force
17894 * works for you, please contact linux-acpi@vger.kernel.org
17896 -static struct dmi_system_id __initdata acpi_dmi_table[] = {
17897 +static const struct dmi_system_id __initconst acpi_dmi_table[] = {
17899 * Boxes that need ACPI disabled
17901 @@ -1436,7 +1436,7 @@ static struct dmi_system_id __initdata acpi_dmi_table[] = {
17904 /* second table for DMI checks that should run after early-quirks */
17905 -static struct dmi_system_id __initdata acpi_dmi_table_late[] = {
17906 +static const struct dmi_system_id __initconst acpi_dmi_table_late[] = {
17908 * HP laptops which use a DSDT reporting as HP/SB400/10000,
17909 * which includes some code which overrides all temperature
17910 diff --git a/arch/x86/kernel/acpi/sleep.c b/arch/x86/kernel/acpi/sleep.c
17911 index ec94e11..7fbbec0 100644
17912 --- a/arch/x86/kernel/acpi/sleep.c
17913 +++ b/arch/x86/kernel/acpi/sleep.c
17914 @@ -88,8 +88,12 @@ int acpi_suspend_lowlevel(void)
17915 #else /* CONFIG_64BIT */
17917 stack_start = (unsigned long)temp_stack + sizeof(temp_stack);
17919 + pax_open_kernel();
17920 early_gdt_descr.address =
17921 (unsigned long)get_cpu_gdt_table(smp_processor_id());
17922 + pax_close_kernel();
17924 initial_gs = per_cpu_offset(smp_processor_id());
17926 initial_code = (unsigned long)wakeup_long64;
17927 diff --git a/arch/x86/kernel/acpi/wakeup_32.S b/arch/x86/kernel/acpi/wakeup_32.S
17928 index d1daa66..59fecba 100644
17929 --- a/arch/x86/kernel/acpi/wakeup_32.S
17930 +++ b/arch/x86/kernel/acpi/wakeup_32.S
17931 @@ -29,13 +29,11 @@ wakeup_pmode_return:
17932 # and restore the stack ... but you need gdt for this to work
17933 movl saved_context_esp, %esp
17935 - movl %cs:saved_magic, %eax
17936 - cmpl $0x12345678, %eax
17937 + cmpl $0x12345678, saved_magic
17940 # jump to place where we left off
17941 - movl saved_eip, %eax
17947 diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c
17948 index c15cf9a..0e63558 100644
17949 --- a/arch/x86/kernel/alternative.c
17950 +++ b/arch/x86/kernel/alternative.c
17951 @@ -268,6 +268,13 @@ void __init_or_module apply_alternatives(struct alt_instr *start,
17953 for (a = start; a < end; a++) {
17954 instr = (u8 *)&a->instr_offset + a->instr_offset;
17956 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
17957 + instr += ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
17958 + if (instr < (u8 *)_text || (u8 *)_einittext <= instr)
17959 + instr -= ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
17962 replacement = (u8 *)&a->repl_offset + a->repl_offset;
17963 BUG_ON(a->replacementlen > a->instrlen);
17964 BUG_ON(a->instrlen > sizeof(insnbuf));
17965 @@ -299,10 +306,16 @@ static void alternatives_smp_lock(const s32 *start, const s32 *end,
17966 for (poff = start; poff < end; poff++) {
17967 u8 *ptr = (u8 *)poff + *poff;
17969 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
17970 + ptr += ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
17971 + if (ptr < (u8 *)_text || (u8 *)_einittext <= ptr)
17972 + ptr -= ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
17975 if (!*poff || ptr < text || ptr >= text_end)
17977 /* turn DS segment override prefix into lock prefix */
17978 - if (*ptr == 0x3e)
17979 + if (*ktla_ktva(ptr) == 0x3e)
17980 text_poke(ptr, ((unsigned char []){0xf0}), 1);
17982 mutex_unlock(&text_mutex);
17983 @@ -317,10 +330,16 @@ static void alternatives_smp_unlock(const s32 *start, const s32 *end,
17984 for (poff = start; poff < end; poff++) {
17985 u8 *ptr = (u8 *)poff + *poff;
17987 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
17988 + ptr += ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
17989 + if (ptr < (u8 *)_text || (u8 *)_einittext <= ptr)
17990 + ptr -= ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
17993 if (!*poff || ptr < text || ptr >= text_end)
17995 /* turn lock prefix into DS segment override prefix */
17996 - if (*ptr == 0xf0)
17997 + if (*ktla_ktva(ptr) == 0xf0)
17998 text_poke(ptr, ((unsigned char []){0x3E}), 1);
18000 mutex_unlock(&text_mutex);
18001 @@ -468,7 +487,7 @@ void __init_or_module apply_paravirt(struct paravirt_patch_site *start,
18003 BUG_ON(p->len > MAX_PATCH_LEN);
18004 /* prep the buffer with the original instructions */
18005 - memcpy(insnbuf, p->instr, p->len);
18006 + memcpy(insnbuf, ktla_ktva(p->instr), p->len);
18007 used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
18008 (unsigned long)p->instr, p->len);
18010 @@ -515,7 +534,7 @@ void __init alternative_instructions(void)
18011 if (!uniproc_patched || num_possible_cpus() == 1)
18012 free_init_pages("SMP alternatives",
18013 (unsigned long)__smp_locks,
18014 - (unsigned long)__smp_locks_end);
18015 + PAGE_ALIGN((unsigned long)__smp_locks_end));
18018 apply_paravirt(__parainstructions, __parainstructions_end);
18019 @@ -535,13 +554,17 @@ void __init alternative_instructions(void)
18020 * instructions. And on the local CPU you need to be protected again NMI or MCE
18021 * handlers seeing an inconsistent instruction while you patch.
18023 -void *__init_or_module text_poke_early(void *addr, const void *opcode,
18024 +void *__kprobes text_poke_early(void *addr, const void *opcode,
18027 unsigned long flags;
18028 local_irq_save(flags);
18029 - memcpy(addr, opcode, len);
18031 + pax_open_kernel();
18032 + memcpy(ktla_ktva(addr), opcode, len);
18034 + pax_close_kernel();
18036 local_irq_restore(flags);
18037 /* Could also do a CLFLUSH here to speed up CPU recovery; but
18038 that causes hangs on some VIA CPUs. */
18039 @@ -563,36 +586,22 @@ void *__init_or_module text_poke_early(void *addr, const void *opcode,
18041 void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
18043 - unsigned long flags;
18045 + unsigned char *vaddr = ktla_ktva(addr);
18046 struct page *pages[2];
18050 if (!core_kernel_text((unsigned long)addr)) {
18051 - pages[0] = vmalloc_to_page(addr);
18052 - pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
18053 + pages[0] = vmalloc_to_page(vaddr);
18054 + pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);
18056 - pages[0] = virt_to_page(addr);
18057 + pages[0] = virt_to_page(vaddr);
18058 WARN_ON(!PageReserved(pages[0]));
18059 - pages[1] = virt_to_page(addr + PAGE_SIZE);
18060 + pages[1] = virt_to_page(vaddr + PAGE_SIZE);
18063 - local_irq_save(flags);
18064 - set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
18066 - set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
18067 - vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
18068 - memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
18069 - clear_fixmap(FIX_TEXT_POKE0);
18071 - clear_fixmap(FIX_TEXT_POKE1);
18072 - local_flush_tlb();
18074 - /* Could also do a CLFLUSH here to speed up CPU recovery; but
18075 - that causes hangs on some VIA CPUs. */
18076 + text_poke_early(addr, opcode, len);
18077 for (i = 0; i < len; i++)
18078 - BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
18079 - local_irq_restore(flags);
18080 + BUG_ON((vaddr)[i] != ((const unsigned char *)opcode)[i]);
18084 diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c
18085 index 904611b..004dde6 100644
18086 --- a/arch/x86/kernel/apic/apic.c
18087 +++ b/arch/x86/kernel/apic/apic.c
18088 @@ -189,7 +189,7 @@ int first_system_vector = 0xfe;
18090 * Debug level, exported for io_apic.c
18092 -unsigned int apic_verbosity;
18093 +int apic_verbosity;
18097 @@ -1955,7 +1955,7 @@ void smp_error_interrupt(struct pt_regs *regs)
18098 apic_write(APIC_ESR, 0);
18099 v1 = apic_read(APIC_ESR);
18101 - atomic_inc(&irq_err_count);
18102 + atomic_inc_unchecked(&irq_err_count);
18104 apic_printk(APIC_DEBUG, KERN_DEBUG "APIC error on CPU%d: %02x(%02x)",
18105 smp_processor_id(), v0 , v1);
18106 diff --git a/arch/x86/kernel/apic/apic_flat_64.c b/arch/x86/kernel/apic/apic_flat_64.c
18107 index 00c77cf..2dc6a2d 100644
18108 --- a/arch/x86/kernel/apic/apic_flat_64.c
18109 +++ b/arch/x86/kernel/apic/apic_flat_64.c
18110 @@ -157,7 +157,7 @@ static int flat_probe(void)
18114 -static struct apic apic_flat = {
18115 +static struct apic apic_flat __read_only = {
18117 .probe = flat_probe,
18118 .acpi_madt_oem_check = flat_acpi_madt_oem_check,
18119 @@ -271,7 +271,7 @@ static int physflat_probe(void)
18123 -static struct apic apic_physflat = {
18124 +static struct apic apic_physflat __read_only = {
18126 .name = "physical flat",
18127 .probe = physflat_probe,
18128 diff --git a/arch/x86/kernel/apic/apic_noop.c b/arch/x86/kernel/apic/apic_noop.c
18129 index e145f28..2752888 100644
18130 --- a/arch/x86/kernel/apic/apic_noop.c
18131 +++ b/arch/x86/kernel/apic/apic_noop.c
18132 @@ -119,7 +119,7 @@ static void noop_apic_write(u32 reg, u32 v)
18133 WARN_ON_ONCE(cpu_has_apic && !disable_apic);
18136 -struct apic apic_noop = {
18137 +struct apic apic_noop __read_only = {
18139 .probe = noop_probe,
18140 .acpi_madt_oem_check = NULL,
18141 diff --git a/arch/x86/kernel/apic/bigsmp_32.c b/arch/x86/kernel/apic/bigsmp_32.c
18142 index d50e364..543bee3 100644
18143 --- a/arch/x86/kernel/apic/bigsmp_32.c
18144 +++ b/arch/x86/kernel/apic/bigsmp_32.c
18145 @@ -152,7 +152,7 @@ static int probe_bigsmp(void)
18149 -static struct apic apic_bigsmp = {
18150 +static struct apic apic_bigsmp __read_only = {
18153 .probe = probe_bigsmp,
18154 diff --git a/arch/x86/kernel/apic/es7000_32.c b/arch/x86/kernel/apic/es7000_32.c
18155 index 0874799..a7a7892 100644
18156 --- a/arch/x86/kernel/apic/es7000_32.c
18157 +++ b/arch/x86/kernel/apic/es7000_32.c
18158 @@ -608,8 +608,7 @@ static int es7000_mps_oem_check_cluster(struct mpc_table *mpc, char *oem,
18159 return ret && es7000_apic_is_cluster();
18162 -/* We've been warned by a false positive warning.Use __refdata to keep calm. */
18163 -static struct apic __refdata apic_es7000_cluster = {
18164 +static struct apic apic_es7000_cluster __read_only = {
18167 .probe = probe_es7000,
18168 @@ -675,7 +674,7 @@ static struct apic __refdata apic_es7000_cluster = {
18169 .x86_32_early_logical_apicid = es7000_early_logical_apicid,
18172 -static struct apic __refdata apic_es7000 = {
18173 +static struct apic apic_es7000 __read_only = {
18176 .probe = probe_es7000,
18177 diff --git a/arch/x86/kernel/apic/io_apic.c b/arch/x86/kernel/apic/io_apic.c
18178 index 9ed796c..e930fe4 100644
18179 --- a/arch/x86/kernel/apic/io_apic.c
18180 +++ b/arch/x86/kernel/apic/io_apic.c
18181 @@ -1060,7 +1060,7 @@ int IO_APIC_get_PCI_irq_vector(int bus, int slot, int pin,
18183 EXPORT_SYMBOL(IO_APIC_get_PCI_irq_vector);
18185 -void lock_vector_lock(void)
18186 +void lock_vector_lock(void) __acquires(vector_lock)
18188 /* Used to the online set of cpus does not change
18189 * during assign_irq_vector.
18190 @@ -1068,7 +1068,7 @@ void lock_vector_lock(void)
18191 raw_spin_lock(&vector_lock);
18194 -void unlock_vector_lock(void)
18195 +void unlock_vector_lock(void) __releases(vector_lock)
18197 raw_spin_unlock(&vector_lock);
18199 @@ -2362,7 +2362,7 @@ static void ack_apic_edge(struct irq_data *data)
18203 -atomic_t irq_mis_count;
18204 +atomic_unchecked_t irq_mis_count;
18206 #ifdef CONFIG_GENERIC_PENDING_IRQ
18207 static bool io_apic_level_ack_pending(struct irq_cfg *cfg)
18208 @@ -2503,7 +2503,7 @@ static void ack_apic_level(struct irq_data *data)
18211 if (!(v & (1 << (i & 0x1f)))) {
18212 - atomic_inc(&irq_mis_count);
18213 + atomic_inc_unchecked(&irq_mis_count);
18215 eoi_ioapic_irq(irq, cfg);
18217 diff --git a/arch/x86/kernel/apic/numaq_32.c b/arch/x86/kernel/apic/numaq_32.c
18218 index d661ee9..791fd33 100644
18219 --- a/arch/x86/kernel/apic/numaq_32.c
18220 +++ b/arch/x86/kernel/apic/numaq_32.c
18221 @@ -455,8 +455,7 @@ static void numaq_setup_portio_remap(void)
18222 (u_long) xquad_portio, (u_long) num_quads*XQUAD_PORTIO_QUAD);
18225 -/* Use __refdata to keep false positive warning calm. */
18226 -static struct apic __refdata apic_numaq = {
18227 +static struct apic apic_numaq __read_only = {
18230 .probe = probe_numaq,
18231 diff --git a/arch/x86/kernel/apic/probe_32.c b/arch/x86/kernel/apic/probe_32.c
18232 index eb35ef9..f184a21 100644
18233 --- a/arch/x86/kernel/apic/probe_32.c
18234 +++ b/arch/x86/kernel/apic/probe_32.c
18235 @@ -72,7 +72,7 @@ static int probe_default(void)
18239 -static struct apic apic_default = {
18240 +static struct apic apic_default __read_only = {
18243 .probe = probe_default,
18244 diff --git a/arch/x86/kernel/apic/summit_32.c b/arch/x86/kernel/apic/summit_32.c
18245 index 77c95c0..434f8a4 100644
18246 --- a/arch/x86/kernel/apic/summit_32.c
18247 +++ b/arch/x86/kernel/apic/summit_32.c
18248 @@ -486,7 +486,7 @@ void setup_summit(void)
18252 -static struct apic apic_summit = {
18253 +static struct apic apic_summit __read_only = {
18256 .probe = probe_summit,
18257 diff --git a/arch/x86/kernel/apic/x2apic_cluster.c b/arch/x86/kernel/apic/x2apic_cluster.c
18258 index c88baa4..757aee1 100644
18259 --- a/arch/x86/kernel/apic/x2apic_cluster.c
18260 +++ b/arch/x86/kernel/apic/x2apic_cluster.c
18261 @@ -183,7 +183,7 @@ update_clusterinfo(struct notifier_block *nfb, unsigned long action, void *hcpu)
18262 return notifier_from_errno(err);
18265 -static struct notifier_block __refdata x2apic_cpu_notifier = {
18266 +static struct notifier_block x2apic_cpu_notifier = {
18267 .notifier_call = update_clusterinfo,
18270 @@ -235,7 +235,7 @@ static void cluster_vector_allocation_domain(int cpu, struct cpumask *retmask,
18271 cpumask_and(retmask, mask, per_cpu(cpus_in_cluster, cpu));
18274 -static struct apic apic_x2apic_cluster = {
18275 +static struct apic apic_x2apic_cluster __read_only = {
18277 .name = "cluster x2apic",
18278 .probe = x2apic_cluster_probe,
18279 diff --git a/arch/x86/kernel/apic/x2apic_phys.c b/arch/x86/kernel/apic/x2apic_phys.c
18280 index 562a76d..a003c0f 100644
18281 --- a/arch/x86/kernel/apic/x2apic_phys.c
18282 +++ b/arch/x86/kernel/apic/x2apic_phys.c
18283 @@ -89,7 +89,7 @@ static int x2apic_phys_probe(void)
18284 return apic == &apic_x2apic_phys;
18287 -static struct apic apic_x2apic_phys = {
18288 +static struct apic apic_x2apic_phys __read_only = {
18290 .name = "physical x2apic",
18291 .probe = x2apic_phys_probe,
18292 diff --git a/arch/x86/kernel/apic/x2apic_uv_x.c b/arch/x86/kernel/apic/x2apic_uv_x.c
18293 index 794f6eb..67e1db2 100644
18294 --- a/arch/x86/kernel/apic/x2apic_uv_x.c
18295 +++ b/arch/x86/kernel/apic/x2apic_uv_x.c
18296 @@ -342,7 +342,7 @@ static int uv_probe(void)
18297 return apic == &apic_x2apic_uv_x;
18300 -static struct apic __refdata apic_x2apic_uv_x = {
18301 +static struct apic apic_x2apic_uv_x __read_only = {
18303 .name = "UV large system",
18305 diff --git a/arch/x86/kernel/apm_32.c b/arch/x86/kernel/apm_32.c
18306 index 53a4e27..038760a 100644
18307 --- a/arch/x86/kernel/apm_32.c
18308 +++ b/arch/x86/kernel/apm_32.c
18309 @@ -433,7 +433,7 @@ static DEFINE_MUTEX(apm_mutex);
18310 * This is for buggy BIOS's that refer to (real mode) segment 0x40
18311 * even though they are called in protected mode.
18313 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
18314 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
18315 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
18317 static const char driver_version[] = "1.16ac"; /* no spaces */
18318 @@ -611,7 +611,10 @@ static long __apm_bios_call(void *_call)
18320 gdt = get_cpu_gdt_table(cpu);
18321 save_desc_40 = gdt[0x40 / 8];
18323 + pax_open_kernel();
18324 gdt[0x40 / 8] = bad_bios_desc;
18325 + pax_close_kernel();
18327 apm_irq_save(flags);
18329 @@ -620,7 +623,11 @@ static long __apm_bios_call(void *_call)
18331 APM_DO_RESTORE_SEGS;
18332 apm_irq_restore(flags);
18334 + pax_open_kernel();
18335 gdt[0x40 / 8] = save_desc_40;
18336 + pax_close_kernel();
18340 return call->eax & 0xff;
18341 @@ -687,7 +694,10 @@ static long __apm_bios_call_simple(void *_call)
18343 gdt = get_cpu_gdt_table(cpu);
18344 save_desc_40 = gdt[0x40 / 8];
18346 + pax_open_kernel();
18347 gdt[0x40 / 8] = bad_bios_desc;
18348 + pax_close_kernel();
18350 apm_irq_save(flags);
18352 @@ -695,7 +705,11 @@ static long __apm_bios_call_simple(void *_call)
18354 APM_DO_RESTORE_SEGS;
18355 apm_irq_restore(flags);
18357 + pax_open_kernel();
18358 gdt[0x40 / 8] = save_desc_40;
18359 + pax_close_kernel();
18364 @@ -2362,12 +2376,15 @@ static int __init apm_init(void)
18365 * code to that CPU.
18367 gdt = get_cpu_gdt_table(0);
18369 + pax_open_kernel();
18370 set_desc_base(&gdt[APM_CS >> 3],
18371 (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4));
18372 set_desc_base(&gdt[APM_CS_16 >> 3],
18373 (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4));
18374 set_desc_base(&gdt[APM_DS >> 3],
18375 (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4));
18376 + pax_close_kernel();
18378 proc_create("apm", 0, NULL, &apm_file_ops);
18380 diff --git a/arch/x86/kernel/asm-offsets.c b/arch/x86/kernel/asm-offsets.c
18381 index 2861082..6d4718e 100644
18382 --- a/arch/x86/kernel/asm-offsets.c
18383 +++ b/arch/x86/kernel/asm-offsets.c
18384 @@ -33,6 +33,8 @@ void common(void) {
18385 OFFSET(TI_status, thread_info, status);
18386 OFFSET(TI_addr_limit, thread_info, addr_limit);
18387 OFFSET(TI_preempt_count, thread_info, preempt_count);
18388 + OFFSET(TI_lowest_stack, thread_info, lowest_stack);
18389 + DEFINE(TI_task_thread_sp0, offsetof(struct task_struct, thread.sp0) - offsetof(struct task_struct, tinfo));
18392 OFFSET(crypto_tfm_ctx_offset, crypto_tfm, __crt_ctx);
18393 @@ -53,8 +55,26 @@ void common(void) {
18394 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
18395 OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
18396 OFFSET(PV_MMU_read_cr2, pv_mmu_ops, read_cr2);
18398 +#ifdef CONFIG_PAX_KERNEXEC
18399 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
18402 +#ifdef CONFIG_PAX_MEMORY_UDEREF
18403 + OFFSET(PV_MMU_read_cr3, pv_mmu_ops, read_cr3);
18404 + OFFSET(PV_MMU_write_cr3, pv_mmu_ops, write_cr3);
18405 +#ifdef CONFIG_X86_64
18406 + OFFSET(PV_MMU_set_pgd_batched, pv_mmu_ops, set_pgd_batched);
18413 + DEFINE(PAGE_SIZE_asm, PAGE_SIZE);
18414 + DEFINE(PAGE_SHIFT_asm, PAGE_SHIFT);
18415 + DEFINE(THREAD_SIZE_asm, THREAD_SIZE);
18419 OFFSET(XEN_vcpu_info_mask, vcpu_info, evtchn_upcall_mask);
18420 diff --git a/arch/x86/kernel/asm-offsets_64.c b/arch/x86/kernel/asm-offsets_64.c
18421 index e7c798b..2b2019b 100644
18422 --- a/arch/x86/kernel/asm-offsets_64.c
18423 +++ b/arch/x86/kernel/asm-offsets_64.c
18424 @@ -77,6 +77,7 @@ int main(void)
18428 + DEFINE(TSS_size, sizeof(struct tss_struct));
18429 OFFSET(TSS_ist, tss_struct, x86_tss.ist);
18432 diff --git a/arch/x86/kernel/cpu/Makefile b/arch/x86/kernel/cpu/Makefile
18433 index b0684e4..22ccfd7 100644
18434 --- a/arch/x86/kernel/cpu/Makefile
18435 +++ b/arch/x86/kernel/cpu/Makefile
18436 @@ -8,10 +8,6 @@ CFLAGS_REMOVE_common.o = -pg
18437 CFLAGS_REMOVE_perf_event.o = -pg
18440 -# Make sure load_percpu_segment has no stackprotector
18441 -nostackp := $(call cc-option, -fno-stack-protector)
18442 -CFLAGS_common.o := $(nostackp)
18444 obj-y := intel_cacheinfo.o scattered.o topology.o
18445 obj-y += proc.o capflags.o powerflags.o common.o
18447 diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
18448 index 5013a48..0782c53 100644
18449 --- a/arch/x86/kernel/cpu/amd.c
18450 +++ b/arch/x86/kernel/cpu/amd.c
18451 @@ -744,7 +744,7 @@ static unsigned int __cpuinit amd_size_cache(struct cpuinfo_x86 *c,
18454 /* AMD errata T13 (order #21922) */
18455 - if ((c->x86 == 6)) {
18456 + if (c->x86 == 6) {
18458 if (c->x86_model == 3 && c->x86_mask == 0)
18460 diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
18461 index 22018f7..df77e23 100644
18462 --- a/arch/x86/kernel/cpu/common.c
18463 +++ b/arch/x86/kernel/cpu/common.c
18464 @@ -88,60 +88,6 @@ static const struct cpu_dev __cpuinitconst default_cpu = {
18466 static const struct cpu_dev *this_cpu __cpuinitdata = &default_cpu;
18468 -DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
18469 -#ifdef CONFIG_X86_64
18471 - * We need valid kernel segments for data and code in long mode too
18472 - * IRET will check the segment types kkeil 2000/10/28
18473 - * Also sysret mandates a special GDT layout
18475 - * TLS descriptors are currently at a different place compared to i386.
18476 - * Hopefully nobody expects them at a fixed place (Wine?)
18478 - [GDT_ENTRY_KERNEL32_CS] = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff),
18479 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff),
18480 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc093, 0, 0xfffff),
18481 - [GDT_ENTRY_DEFAULT_USER32_CS] = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff),
18482 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff),
18483 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff),
18485 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff),
18486 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
18487 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff),
18488 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff),
18490 - * Segments used for calling PnP BIOS have byte granularity.
18491 - * They code segments and data segments have fixed 64k limits,
18492 - * the transfer segment sizes are set at run time.
18494 - /* 32-bit code */
18495 - [GDT_ENTRY_PNPBIOS_CS32] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
18496 - /* 16-bit code */
18497 - [GDT_ENTRY_PNPBIOS_CS16] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
18498 - /* 16-bit data */
18499 - [GDT_ENTRY_PNPBIOS_DS] = GDT_ENTRY_INIT(0x0092, 0, 0xffff),
18500 - /* 16-bit data */
18501 - [GDT_ENTRY_PNPBIOS_TS1] = GDT_ENTRY_INIT(0x0092, 0, 0),
18502 - /* 16-bit data */
18503 - [GDT_ENTRY_PNPBIOS_TS2] = GDT_ENTRY_INIT(0x0092, 0, 0),
18505 - * The APM segments have byte granularity and their bases
18506 - * are set at run time. All have 64k limits.
18508 - /* 32-bit code */
18509 - [GDT_ENTRY_APMBIOS_BASE] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
18510 - /* 16-bit code */
18511 - [GDT_ENTRY_APMBIOS_BASE+1] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
18513 - [GDT_ENTRY_APMBIOS_BASE+2] = GDT_ENTRY_INIT(0x4092, 0, 0xffff),
18515 - [GDT_ENTRY_ESPFIX_SS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
18516 - [GDT_ENTRY_PERCPU] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
18517 - GDT_STACK_CANARY_INIT
18520 -EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
18522 static int __init x86_xsave_setup(char *s)
18524 setup_clear_cpu_cap(X86_FEATURE_XSAVE);
18525 @@ -288,6 +234,57 @@ static __always_inline void setup_smap(struct cpuinfo_x86 *c)
18526 set_in_cr4(X86_CR4_SMAP);
18529 +#ifdef CONFIG_X86_64
18530 +static __init int setup_disable_pcid(char *arg)
18532 + setup_clear_cpu_cap(X86_FEATURE_PCID);
18534 +#ifdef CONFIG_PAX_MEMORY_UDEREF
18535 + if (clone_pgd_mask != ~(pgdval_t)0UL)
18536 + pax_user_shadow_base = 1UL << TASK_SIZE_MAX_SHIFT;
18541 +__setup("nopcid", setup_disable_pcid);
18543 +static void setup_pcid(struct cpuinfo_x86 *c)
18545 + if (!cpu_has(c, X86_FEATURE_PCID)) {
18547 +#ifdef CONFIG_PAX_MEMORY_UDEREF
18548 + if (clone_pgd_mask != ~(pgdval_t)0UL) {
18549 + pax_open_kernel();
18550 + pax_user_shadow_base = 1UL << TASK_SIZE_MAX_SHIFT;
18551 + pax_close_kernel();
18552 + printk("PAX: slow and weak UDEREF enabled\n");
18554 + printk("PAX: UDEREF disabled\n");
18560 + printk("PAX: PCID detected\n");
18561 + set_in_cr4(X86_CR4_PCIDE);
18563 +#ifdef CONFIG_PAX_MEMORY_UDEREF
18564 + pax_open_kernel();
18565 + clone_pgd_mask = ~(pgdval_t)0UL;
18566 + pax_close_kernel();
18567 + if (pax_user_shadow_base)
18568 + printk("PAX: weak UDEREF enabled\n");
18570 + set_cpu_cap(c, X86_FEATURE_STRONGUDEREF);
18571 + printk("PAX: strong UDEREF enabled\n");
18575 + if (cpu_has(c, X86_FEATURE_INVPCID))
18576 + printk("PAX: INVPCID detected\n");
18581 * Some CPU features depend on higher CPUID levels, which may not always
18582 * be available due to CPUID level capping or broken virtualization
18583 @@ -386,7 +383,7 @@ void switch_to_new_gdt(int cpu)
18585 struct desc_ptr gdt_descr;
18587 - gdt_descr.address = (long)get_cpu_gdt_table(cpu);
18588 + gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
18589 gdt_descr.size = GDT_SIZE - 1;
18590 load_gdt(&gdt_descr);
18591 /* Reload the per-cpu base */
18592 @@ -874,6 +871,10 @@ static void __cpuinit identify_cpu(struct cpuinfo_x86 *c)
18596 +#ifdef CONFIG_X86_64
18601 * The vendor-specific functions might have changed features.
18602 * Now we do "generic changes."
18603 @@ -882,6 +883,10 @@ static void __cpuinit identify_cpu(struct cpuinfo_x86 *c)
18604 /* Filter out anything that depends on CPUID levels we don't have */
18605 filter_cpuid_features(c, true);
18607 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF))
18608 + setup_clear_cpu_cap(X86_FEATURE_SEP);
18611 /* If the model name is still unset, do table lookup. */
18612 if (!c->x86_model_id[0]) {
18614 @@ -1069,10 +1074,12 @@ static __init int setup_disablecpuid(char *arg)
18616 __setup("clearcpuid=", setup_disablecpuid);
18618 +DEFINE_PER_CPU(struct thread_info *, current_tinfo) = &init_task.tinfo;
18619 +EXPORT_PER_CPU_SYMBOL(current_tinfo);
18621 #ifdef CONFIG_X86_64
18622 struct desc_ptr idt_descr = { NR_VECTORS * 16 - 1, (unsigned long) idt_table };
18623 -struct desc_ptr nmi_idt_descr = { NR_VECTORS * 16 - 1,
18624 - (unsigned long) nmi_idt_table };
18625 +struct desc_ptr nmi_idt_descr = { NR_VECTORS * 16 - 1, (unsigned long) nmi_idt_table };
18627 DEFINE_PER_CPU_FIRST(union irq_stack_union,
18628 irq_stack_union) __aligned(PAGE_SIZE);
18629 @@ -1086,7 +1093,7 @@ DEFINE_PER_CPU(struct task_struct *, current_task) ____cacheline_aligned =
18630 EXPORT_PER_CPU_SYMBOL(current_task);
18632 DEFINE_PER_CPU(unsigned long, kernel_stack) =
18633 - (unsigned long)&init_thread_union - KERNEL_STACK_OFFSET + THREAD_SIZE;
18634 + (unsigned long)&init_thread_union - 16 + THREAD_SIZE;
18635 EXPORT_PER_CPU_SYMBOL(kernel_stack);
18637 DEFINE_PER_CPU(char *, irq_stack_ptr) =
18638 @@ -1231,7 +1238,7 @@ void __cpuinit cpu_init(void)
18641 cpu = stack_smp_processor_id();
18642 - t = &per_cpu(init_tss, cpu);
18643 + t = init_tss + cpu;
18644 oist = &per_cpu(orig_ist, cpu);
18647 @@ -1257,7 +1264,7 @@ void __cpuinit cpu_init(void)
18648 switch_to_new_gdt(cpu);
18649 loadsegment(fs, 0);
18651 - load_idt((const struct desc_ptr *)&idt_descr);
18652 + load_idt(&idt_descr);
18654 memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8);
18656 @@ -1266,7 +1273,6 @@ void __cpuinit cpu_init(void)
18657 wrmsrl(MSR_KERNEL_GS_BASE, 0);
18660 - x86_configure_nx();
18664 @@ -1318,7 +1324,7 @@ void __cpuinit cpu_init(void)
18666 int cpu = smp_processor_id();
18667 struct task_struct *curr = current;
18668 - struct tss_struct *t = &per_cpu(init_tss, cpu);
18669 + struct tss_struct *t = init_tss + cpu;
18670 struct thread_struct *thread = &curr->thread;
18672 show_ucode_info_early();
18673 diff --git a/arch/x86/kernel/cpu/intel_cacheinfo.c b/arch/x86/kernel/cpu/intel_cacheinfo.c
18674 index 7c6f7d5..8cac382 100644
18675 --- a/arch/x86/kernel/cpu/intel_cacheinfo.c
18676 +++ b/arch/x86/kernel/cpu/intel_cacheinfo.c
18677 @@ -1017,6 +1017,22 @@ static struct attribute *default_attrs[] = {
18680 #ifdef CONFIG_AMD_NB
18681 +static struct attribute *default_attrs_amd_nb[] = {
18684 + &coherency_line_size.attr,
18685 + &physical_line_partition.attr,
18686 + &ways_of_associativity.attr,
18687 + &number_of_sets.attr,
18689 + &shared_cpu_map.attr,
18690 + &shared_cpu_list.attr,
18697 static struct attribute ** __cpuinit amd_l3_attrs(void)
18699 static struct attribute **attrs;
18700 @@ -1027,18 +1043,7 @@ static struct attribute ** __cpuinit amd_l3_attrs(void)
18702 n = ARRAY_SIZE(default_attrs);
18704 - if (amd_nb_has_feature(AMD_NB_L3_INDEX_DISABLE))
18707 - if (amd_nb_has_feature(AMD_NB_L3_PARTITIONING))
18710 - attrs = kzalloc(n * sizeof (struct attribute *), GFP_KERNEL);
18711 - if (attrs == NULL)
18712 - return attrs = default_attrs;
18714 - for (n = 0; default_attrs[n]; n++)
18715 - attrs[n] = default_attrs[n];
18716 + attrs = default_attrs_amd_nb;
18718 if (amd_nb_has_feature(AMD_NB_L3_INDEX_DISABLE)) {
18719 attrs[n++] = &cache_disable_0.attr;
18720 @@ -1089,6 +1094,13 @@ static struct kobj_type ktype_cache = {
18721 .default_attrs = default_attrs,
18724 +#ifdef CONFIG_AMD_NB
18725 +static struct kobj_type ktype_cache_amd_nb = {
18726 + .sysfs_ops = &sysfs_ops,
18727 + .default_attrs = default_attrs_amd_nb,
18731 static struct kobj_type ktype_percpu_entry = {
18732 .sysfs_ops = &sysfs_ops,
18734 @@ -1154,20 +1166,26 @@ static int __cpuinit cache_add_dev(struct device *dev)
18738 +#ifdef CONFIG_AMD_NB
18742 for (i = 0; i < num_cache_leaves; i++) {
18743 + struct kobj_type *ktype;
18745 this_object = INDEX_KOBJECT_PTR(cpu, i);
18746 this_object->cpu = cpu;
18747 this_object->index = i;
18749 this_leaf = CPUID4_INFO_IDX(cpu, i);
18751 - ktype_cache.default_attrs = default_attrs;
18752 + ktype = &ktype_cache;
18753 #ifdef CONFIG_AMD_NB
18754 if (this_leaf->base.nb)
18755 - ktype_cache.default_attrs = amd_l3_attrs();
18756 + ktype = &ktype_cache_amd_nb;
18758 retval = kobject_init_and_add(&(this_object->kobj),
18761 per_cpu(ici_cache_kobject, cpu),
18763 if (unlikely(retval)) {
18764 @@ -1222,7 +1240,7 @@ static int __cpuinit cacheinfo_cpu_callback(struct notifier_block *nfb,
18768 -static struct notifier_block __cpuinitdata cacheinfo_cpu_notifier = {
18769 +static struct notifier_block cacheinfo_cpu_notifier = {
18770 .notifier_call = cacheinfo_cpu_callback,
18773 diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c
18774 index 9239504..b2471ce 100644
18775 --- a/arch/x86/kernel/cpu/mcheck/mce.c
18776 +++ b/arch/x86/kernel/cpu/mcheck/mce.c
18778 #include <asm/processor.h>
18779 #include <asm/mce.h>
18780 #include <asm/msr.h>
18781 +#include <asm/local.h>
18783 #include "mce-internal.h"
18785 @@ -246,7 +247,7 @@ static void print_mce(struct mce *m)
18786 !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "",
18789 - if (m->cs == __KERNEL_CS)
18790 + if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS)
18791 print_symbol("{%s}", m->ip);
18794 @@ -279,10 +280,10 @@ static void print_mce(struct mce *m)
18796 #define PANIC_TIMEOUT 5 /* 5 seconds */
18798 -static atomic_t mce_paniced;
18799 +static atomic_unchecked_t mce_paniced;
18801 static int fake_panic;
18802 -static atomic_t mce_fake_paniced;
18803 +static atomic_unchecked_t mce_fake_paniced;
18805 /* Panic in progress. Enable interrupts and wait for final IPI */
18806 static void wait_for_panic(void)
18807 @@ -306,7 +307,7 @@ static void mce_panic(char *msg, struct mce *final, char *exp)
18809 * Make sure only one CPU runs in machine check panic
18811 - if (atomic_inc_return(&mce_paniced) > 1)
18812 + if (atomic_inc_return_unchecked(&mce_paniced) > 1)
18816 @@ -314,7 +315,7 @@ static void mce_panic(char *msg, struct mce *final, char *exp)
18819 /* Don't log too much for fake panic */
18820 - if (atomic_inc_return(&mce_fake_paniced) > 1)
18821 + if (atomic_inc_return_unchecked(&mce_fake_paniced) > 1)
18824 /* First print corrected ones that are still unlogged */
18825 @@ -353,7 +354,7 @@ static void mce_panic(char *msg, struct mce *final, char *exp)
18827 if (panic_timeout == 0)
18828 panic_timeout = mca_cfg.panic_timeout;
18830 + panic("%s", msg);
18832 pr_emerg(HW_ERR "Fake kernel panic: %s\n", msg);
18834 @@ -683,7 +684,7 @@ static int mce_timed_out(u64 *t)
18835 * might have been modified by someone else.
18838 - if (atomic_read(&mce_paniced))
18839 + if (atomic_read_unchecked(&mce_paniced))
18841 if (!mca_cfg.monarch_timeout)
18843 @@ -1654,7 +1655,7 @@ static void unexpected_machine_check(struct pt_regs *regs, long error_code)
18846 /* Call the installed machine check handler for this CPU setup. */
18847 -void (*machine_check_vector)(struct pt_regs *, long error_code) =
18848 +void (*machine_check_vector)(struct pt_regs *, long error_code) __read_only =
18849 unexpected_machine_check;
18852 @@ -1677,7 +1678,9 @@ void __cpuinit mcheck_cpu_init(struct cpuinfo_x86 *c)
18856 + pax_open_kernel();
18857 machine_check_vector = do_machine_check;
18858 + pax_close_kernel();
18860 __mcheck_cpu_init_generic();
18861 __mcheck_cpu_init_vendor(c);
18862 @@ -1691,7 +1694,7 @@ void __cpuinit mcheck_cpu_init(struct cpuinfo_x86 *c)
18865 static DEFINE_SPINLOCK(mce_chrdev_state_lock);
18866 -static int mce_chrdev_open_count; /* #times opened */
18867 +static local_t mce_chrdev_open_count; /* #times opened */
18868 static int mce_chrdev_open_exclu; /* already open exclusive? */
18870 static int mce_chrdev_open(struct inode *inode, struct file *file)
18871 @@ -1699,7 +1702,7 @@ static int mce_chrdev_open(struct inode *inode, struct file *file)
18872 spin_lock(&mce_chrdev_state_lock);
18874 if (mce_chrdev_open_exclu ||
18875 - (mce_chrdev_open_count && (file->f_flags & O_EXCL))) {
18876 + (local_read(&mce_chrdev_open_count) && (file->f_flags & O_EXCL))) {
18877 spin_unlock(&mce_chrdev_state_lock);
18880 @@ -1707,7 +1710,7 @@ static int mce_chrdev_open(struct inode *inode, struct file *file)
18882 if (file->f_flags & O_EXCL)
18883 mce_chrdev_open_exclu = 1;
18884 - mce_chrdev_open_count++;
18885 + local_inc(&mce_chrdev_open_count);
18887 spin_unlock(&mce_chrdev_state_lock);
18889 @@ -1718,7 +1721,7 @@ static int mce_chrdev_release(struct inode *inode, struct file *file)
18891 spin_lock(&mce_chrdev_state_lock);
18893 - mce_chrdev_open_count--;
18894 + local_dec(&mce_chrdev_open_count);
18895 mce_chrdev_open_exclu = 0;
18897 spin_unlock(&mce_chrdev_state_lock);
18898 @@ -2364,7 +2367,7 @@ mce_cpu_callback(struct notifier_block *nfb, unsigned long action, void *hcpu)
18902 -static struct notifier_block mce_cpu_notifier __cpuinitdata = {
18903 +static struct notifier_block mce_cpu_notifier = {
18904 .notifier_call = mce_cpu_callback,
18907 @@ -2374,7 +2377,7 @@ static __init void mce_init_banks(void)
18909 for (i = 0; i < mca_cfg.banks; i++) {
18910 struct mce_bank *b = &mce_banks[i];
18911 - struct device_attribute *a = &b->attr;
18912 + device_attribute_no_const *a = &b->attr;
18914 sysfs_attr_init(&a->attr);
18915 a->attr.name = b->attrname;
18916 @@ -2442,7 +2445,7 @@ struct dentry *mce_get_debugfs_dir(void)
18917 static void mce_reset(void)
18920 - atomic_set(&mce_fake_paniced, 0);
18921 + atomic_set_unchecked(&mce_fake_paniced, 0);
18922 atomic_set(&mce_executing, 0);
18923 atomic_set(&mce_callin, 0);
18924 atomic_set(&global_nwo, 0);
18925 diff --git a/arch/x86/kernel/cpu/mcheck/p5.c b/arch/x86/kernel/cpu/mcheck/p5.c
18926 index 1c044b1..37a2a43 100644
18927 --- a/arch/x86/kernel/cpu/mcheck/p5.c
18928 +++ b/arch/x86/kernel/cpu/mcheck/p5.c
18930 #include <asm/processor.h>
18931 #include <asm/mce.h>
18932 #include <asm/msr.h>
18933 +#include <asm/pgtable.h>
18935 /* By default disabled */
18936 int mce_p5_enabled __read_mostly;
18937 @@ -49,7 +50,9 @@ void intel_p5_mcheck_init(struct cpuinfo_x86 *c)
18938 if (!cpu_has(c, X86_FEATURE_MCE))
18941 + pax_open_kernel();
18942 machine_check_vector = pentium_machine_check;
18943 + pax_close_kernel();
18944 /* Make sure the vector pointer is visible before we enable MCEs: */
18947 diff --git a/arch/x86/kernel/cpu/mcheck/therm_throt.c b/arch/x86/kernel/cpu/mcheck/therm_throt.c
18948 index 47a1870..8c019a7 100644
18949 --- a/arch/x86/kernel/cpu/mcheck/therm_throt.c
18950 +++ b/arch/x86/kernel/cpu/mcheck/therm_throt.c
18951 @@ -288,7 +288,7 @@ thermal_throttle_cpu_callback(struct notifier_block *nfb,
18952 return notifier_from_errno(err);
18955 -static struct notifier_block thermal_throttle_cpu_notifier __cpuinitdata =
18956 +static struct notifier_block thermal_throttle_cpu_notifier =
18958 .notifier_call = thermal_throttle_cpu_callback,
18960 diff --git a/arch/x86/kernel/cpu/mcheck/winchip.c b/arch/x86/kernel/cpu/mcheck/winchip.c
18961 index e9a701a..35317d6 100644
18962 --- a/arch/x86/kernel/cpu/mcheck/winchip.c
18963 +++ b/arch/x86/kernel/cpu/mcheck/winchip.c
18965 #include <asm/processor.h>
18966 #include <asm/mce.h>
18967 #include <asm/msr.h>
18968 +#include <asm/pgtable.h>
18970 /* Machine check handler for WinChip C6: */
18971 static void winchip_machine_check(struct pt_regs *regs, long error_code)
18972 @@ -23,7 +24,9 @@ void winchip_mcheck_init(struct cpuinfo_x86 *c)
18976 + pax_open_kernel();
18977 machine_check_vector = winchip_machine_check;
18978 + pax_close_kernel();
18979 /* Make sure the vector pointer is visible before we enable MCEs: */
18982 diff --git a/arch/x86/kernel/cpu/mtrr/main.c b/arch/x86/kernel/cpu/mtrr/main.c
18983 index ca22b73..9987afe 100644
18984 --- a/arch/x86/kernel/cpu/mtrr/main.c
18985 +++ b/arch/x86/kernel/cpu/mtrr/main.c
18986 @@ -62,7 +62,7 @@ static DEFINE_MUTEX(mtrr_mutex);
18987 u64 size_or_mask, size_and_mask;
18988 static bool mtrr_aps_delayed_init;
18990 -static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM];
18991 +static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only;
18993 const struct mtrr_ops *mtrr_if;
18995 diff --git a/arch/x86/kernel/cpu/mtrr/mtrr.h b/arch/x86/kernel/cpu/mtrr/mtrr.h
18996 index df5e41f..816c719 100644
18997 --- a/arch/x86/kernel/cpu/mtrr/mtrr.h
18998 +++ b/arch/x86/kernel/cpu/mtrr/mtrr.h
18999 @@ -25,7 +25,7 @@ struct mtrr_ops {
19000 int (*validate_add_page)(unsigned long base, unsigned long size,
19001 unsigned int type);
19002 int (*have_wrcomb)(void);
19006 extern int generic_get_free_region(unsigned long base, unsigned long size,
19008 diff --git a/arch/x86/kernel/cpu/perf_event.c b/arch/x86/kernel/cpu/perf_event.c
19009 index 1025f3c..824f677 100644
19010 --- a/arch/x86/kernel/cpu/perf_event.c
19011 +++ b/arch/x86/kernel/cpu/perf_event.c
19012 @@ -1311,7 +1311,7 @@ static void __init pmu_check_apic(void)
19013 pr_info("no hardware sampling interrupt available.\n");
19016 -static struct attribute_group x86_pmu_format_group = {
19017 +static attribute_group_no_const x86_pmu_format_group = {
19021 @@ -1410,7 +1410,7 @@ static struct attribute *events_attr[] = {
19025 -static struct attribute_group x86_pmu_events_group = {
19026 +static attribute_group_no_const x86_pmu_events_group = {
19028 .attrs = events_attr,
19030 @@ -1920,7 +1920,7 @@ static unsigned long get_segment_base(unsigned int segment)
19031 if (idx > GDT_ENTRIES)
19034 - desc = __this_cpu_ptr(&gdt_page.gdt[0]);
19035 + desc = get_cpu_gdt_table(smp_processor_id());
19038 return get_desc_base(desc + idx);
19039 @@ -2010,7 +2010,7 @@ perf_callchain_user(struct perf_callchain_entry *entry, struct pt_regs *regs)
19042 perf_callchain_store(entry, frame.return_address);
19043 - fp = frame.next_frame;
19044 + fp = (const void __force_user *)frame.next_frame;
19048 diff --git a/arch/x86/kernel/cpu/perf_event_intel.c b/arch/x86/kernel/cpu/perf_event_intel.c
19049 index a9e2207..d70c83a 100644
19050 --- a/arch/x86/kernel/cpu/perf_event_intel.c
19051 +++ b/arch/x86/kernel/cpu/perf_event_intel.c
19052 @@ -2022,10 +2022,10 @@ __init int intel_pmu_init(void)
19053 * v2 and above have a perf capabilities MSR
19056 - u64 capabilities;
19057 + u64 capabilities = x86_pmu.intel_cap.capabilities;
19059 - rdmsrl(MSR_IA32_PERF_CAPABILITIES, capabilities);
19060 - x86_pmu.intel_cap.capabilities = capabilities;
19061 + if (rdmsrl_safe(MSR_IA32_PERF_CAPABILITIES, &x86_pmu.intel_cap.capabilities))
19062 + x86_pmu.intel_cap.capabilities = capabilities;
19066 diff --git a/arch/x86/kernel/cpu/perf_event_intel_uncore.c b/arch/x86/kernel/cpu/perf_event_intel_uncore.c
19067 index 8aac56b..588fb13 100644
19068 --- a/arch/x86/kernel/cpu/perf_event_intel_uncore.c
19069 +++ b/arch/x86/kernel/cpu/perf_event_intel_uncore.c
19070 @@ -3093,7 +3093,7 @@ static void __init uncore_types_exit(struct intel_uncore_type **types)
19071 static int __init uncore_type_init(struct intel_uncore_type *type)
19073 struct intel_uncore_pmu *pmus;
19074 - struct attribute_group *attr_group;
19075 + attribute_group_no_const *attr_group;
19076 struct attribute **attrs;
19079 @@ -3518,7 +3518,7 @@ static int
19083 -static struct notifier_block uncore_cpu_nb __cpuinitdata = {
19084 +static struct notifier_block uncore_cpu_nb = {
19085 .notifier_call = uncore_cpu_notifier,
19087 * to migrate uncore events, our notifier should be executed
19088 diff --git a/arch/x86/kernel/cpu/perf_event_intel_uncore.h b/arch/x86/kernel/cpu/perf_event_intel_uncore.h
19089 index f952891..4722ad4 100644
19090 --- a/arch/x86/kernel/cpu/perf_event_intel_uncore.h
19091 +++ b/arch/x86/kernel/cpu/perf_event_intel_uncore.h
19092 @@ -488,7 +488,7 @@ struct intel_uncore_box {
19093 struct uncore_event_desc {
19094 struct kobj_attribute attr;
19095 const char *config;
19099 #define INTEL_UNCORE_EVENT_DESC(_name, _config) \
19101 diff --git a/arch/x86/kernel/cpuid.c b/arch/x86/kernel/cpuid.c
19102 index 1e4dbcf..b9a34c2 100644
19103 --- a/arch/x86/kernel/cpuid.c
19104 +++ b/arch/x86/kernel/cpuid.c
19105 @@ -171,7 +171,7 @@ static int __cpuinit cpuid_class_cpu_callback(struct notifier_block *nfb,
19106 return notifier_from_errno(err);
19109 -static struct notifier_block __refdata cpuid_class_cpu_notifier =
19110 +static struct notifier_block cpuid_class_cpu_notifier =
19112 .notifier_call = cpuid_class_cpu_callback,
19114 diff --git a/arch/x86/kernel/crash.c b/arch/x86/kernel/crash.c
19115 index 74467fe..18793d5 100644
19116 --- a/arch/x86/kernel/crash.c
19117 +++ b/arch/x86/kernel/crash.c
19118 @@ -58,10 +58,8 @@ static void kdump_nmi_callback(int cpu, struct pt_regs *regs)
19120 #ifdef CONFIG_X86_32
19121 struct pt_regs fixed_regs;
19124 -#ifdef CONFIG_X86_32
19125 - if (!user_mode_vm(regs)) {
19126 + if (!user_mode(regs)) {
19127 crash_fixup_ss_esp(&fixed_regs, regs);
19128 regs = &fixed_regs;
19130 diff --git a/arch/x86/kernel/crash_dump_64.c b/arch/x86/kernel/crash_dump_64.c
19131 index afa64ad..dce67dd 100644
19132 --- a/arch/x86/kernel/crash_dump_64.c
19133 +++ b/arch/x86/kernel/crash_dump_64.c
19134 @@ -36,7 +36,7 @@ ssize_t copy_oldmem_page(unsigned long pfn, char *buf,
19138 - if (copy_to_user(buf, vaddr + offset, csize)) {
19139 + if (copy_to_user((char __force_user *)buf, vaddr + offset, csize)) {
19143 diff --git a/arch/x86/kernel/doublefault_32.c b/arch/x86/kernel/doublefault_32.c
19144 index 155a13f..1672b9b 100644
19145 --- a/arch/x86/kernel/doublefault_32.c
19146 +++ b/arch/x86/kernel/doublefault_32.c
19149 #define DOUBLEFAULT_STACKSIZE (1024)
19150 static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
19151 -#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
19152 +#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
19154 #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
19156 @@ -21,7 +21,7 @@ static void doublefault_fn(void)
19157 unsigned long gdt, tss;
19159 native_store_gdt(&gdt_desc);
19160 - gdt = gdt_desc.address;
19161 + gdt = (unsigned long)gdt_desc.address;
19163 printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
19165 @@ -58,10 +58,10 @@ struct tss_struct doublefault_tss __cacheline_aligned = {
19166 /* 0x2 bit is always set */
19167 .flags = X86_EFLAGS_SF | 0x2,
19170 + .es = __KERNEL_DS,
19174 + .ds = __KERNEL_DS,
19175 .fs = __KERNEL_PERCPU,
19177 .__cr3 = __pa_nodebug(swapper_pg_dir),
19178 diff --git a/arch/x86/kernel/dumpstack.c b/arch/x86/kernel/dumpstack.c
19179 index deb6421..76bbc12 100644
19180 --- a/arch/x86/kernel/dumpstack.c
19181 +++ b/arch/x86/kernel/dumpstack.c
19183 * Copyright (C) 1991, 1992 Linus Torvalds
19184 * Copyright (C) 2000, 2001, 2002 Andi Kleen, SuSE Labs
19186 +#ifdef CONFIG_GRKERNSEC_HIDESYM
19187 +#define __INCLUDED_BY_HIDESYM 1
19189 #include <linux/kallsyms.h>
19190 #include <linux/kprobes.h>
19191 #include <linux/uaccess.h>
19192 @@ -35,16 +38,14 @@ void printk_address(unsigned long address, int reliable)
19194 print_ftrace_graph_addr(unsigned long addr, void *data,
19195 const struct stacktrace_ops *ops,
19196 - struct thread_info *tinfo, int *graph)
19197 + struct task_struct *task, int *graph)
19199 - struct task_struct *task;
19200 unsigned long ret_addr;
19203 if (addr != (unsigned long)return_to_handler)
19206 - task = tinfo->task;
19207 index = task->curr_ret_stack;
19209 if (!task->ret_stack || index < *graph)
19210 @@ -61,7 +62,7 @@ print_ftrace_graph_addr(unsigned long addr, void *data,
19212 print_ftrace_graph_addr(unsigned long addr, void *data,
19213 const struct stacktrace_ops *ops,
19214 - struct thread_info *tinfo, int *graph)
19215 + struct task_struct *task, int *graph)
19219 @@ -72,10 +73,8 @@ print_ftrace_graph_addr(unsigned long addr, void *data,
19220 * severe exception (double fault, nmi, stack fault, debug, mce) hardware stack
19223 -static inline int valid_stack_ptr(struct thread_info *tinfo,
19224 - void *p, unsigned int size, void *end)
19225 +static inline int valid_stack_ptr(void *t, void *p, unsigned int size, void *end)
19229 if (p < end && p >= (end-THREAD_SIZE))
19231 @@ -86,14 +85,14 @@ static inline int valid_stack_ptr(struct thread_info *tinfo,
19235 -print_context_stack(struct thread_info *tinfo,
19236 +print_context_stack(struct task_struct *task, void *stack_start,
19237 unsigned long *stack, unsigned long bp,
19238 const struct stacktrace_ops *ops, void *data,
19239 unsigned long *end, int *graph)
19241 struct stack_frame *frame = (struct stack_frame *)bp;
19243 - while (valid_stack_ptr(tinfo, stack, sizeof(*stack), end)) {
19244 + while (valid_stack_ptr(stack_start, stack, sizeof(*stack), end)) {
19245 unsigned long addr;
19248 @@ -105,7 +104,7 @@ print_context_stack(struct thread_info *tinfo,
19250 ops->address(data, addr, 0);
19252 - print_ftrace_graph_addr(addr, data, ops, tinfo, graph);
19253 + print_ftrace_graph_addr(addr, data, ops, task, graph);
19257 @@ -114,7 +113,7 @@ print_context_stack(struct thread_info *tinfo,
19258 EXPORT_SYMBOL_GPL(print_context_stack);
19261 -print_context_stack_bp(struct thread_info *tinfo,
19262 +print_context_stack_bp(struct task_struct *task, void *stack_start,
19263 unsigned long *stack, unsigned long bp,
19264 const struct stacktrace_ops *ops, void *data,
19265 unsigned long *end, int *graph)
19266 @@ -122,7 +121,7 @@ print_context_stack_bp(struct thread_info *tinfo,
19267 struct stack_frame *frame = (struct stack_frame *)bp;
19268 unsigned long *ret_addr = &frame->return_address;
19270 - while (valid_stack_ptr(tinfo, ret_addr, sizeof(*ret_addr), end)) {
19271 + while (valid_stack_ptr(stack_start, ret_addr, sizeof(*ret_addr), end)) {
19272 unsigned long addr = *ret_addr;
19274 if (!__kernel_text_address(addr))
19275 @@ -131,7 +130,7 @@ print_context_stack_bp(struct thread_info *tinfo,
19276 ops->address(data, addr, 1);
19277 frame = frame->next_frame;
19278 ret_addr = &frame->return_address;
19279 - print_ftrace_graph_addr(addr, data, ops, tinfo, graph);
19280 + print_ftrace_graph_addr(addr, data, ops, task, graph);
19283 return (unsigned long)frame;
19284 @@ -150,7 +149,7 @@ static int print_trace_stack(void *data, char *name)
19285 static void print_trace_address(void *data, unsigned long addr, int reliable)
19287 touch_nmi_watchdog();
19289 + printk("%s", (char *)data);
19290 printk_address(addr, reliable);
19293 @@ -219,6 +218,8 @@ unsigned __kprobes long oops_begin(void)
19295 EXPORT_SYMBOL_GPL(oops_begin);
19297 +extern void gr_handle_kernel_exploit(void);
19299 void __kprobes oops_end(unsigned long flags, struct pt_regs *regs, int signr)
19301 if (regs && kexec_should_crash(current))
19302 @@ -240,7 +241,10 @@ void __kprobes oops_end(unsigned long flags, struct pt_regs *regs, int signr)
19303 panic("Fatal exception in interrupt");
19305 panic("Fatal exception");
19308 + gr_handle_kernel_exploit();
19310 + do_group_exit(signr);
19313 int __kprobes __die(const char *str, struct pt_regs *regs, long err)
19314 @@ -268,7 +272,7 @@ int __kprobes __die(const char *str, struct pt_regs *regs, long err)
19317 #ifdef CONFIG_X86_32
19318 - if (user_mode_vm(regs)) {
19319 + if (user_mode(regs)) {
19321 ss = regs->ss & 0xffff;
19323 @@ -296,7 +300,7 @@ void die(const char *str, struct pt_regs *regs, long err)
19324 unsigned long flags = oops_begin();
19327 - if (!user_mode_vm(regs))
19328 + if (!user_mode(regs))
19329 report_bug(regs->ip, regs);
19331 if (__die(str, regs, err))
19332 diff --git a/arch/x86/kernel/dumpstack_32.c b/arch/x86/kernel/dumpstack_32.c
19333 index f2a1770..540657f 100644
19334 --- a/arch/x86/kernel/dumpstack_32.c
19335 +++ b/arch/x86/kernel/dumpstack_32.c
19336 @@ -38,15 +38,13 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
19337 bp = stack_frame(task, regs);
19340 - struct thread_info *context;
19341 + void *stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
19343 - context = (struct thread_info *)
19344 - ((unsigned long)stack & (~(THREAD_SIZE - 1)));
19345 - bp = ops->walk_stack(context, stack, bp, ops, data, NULL, &graph);
19346 + bp = ops->walk_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
19348 - stack = (unsigned long *)context->previous_esp;
19350 + if (stack_start == task_stack_page(task))
19352 + stack = *(unsigned long **)stack_start;
19353 if (ops->stack(data, "IRQ") < 0)
19355 touch_nmi_watchdog();
19356 @@ -87,27 +85,28 @@ void show_regs(struct pt_regs *regs)
19359 show_regs_print_info(KERN_EMERG);
19360 - __show_regs(regs, !user_mode_vm(regs));
19361 + __show_regs(regs, !user_mode(regs));
19364 * When in-kernel, we also print out the stack and code at the
19365 * time of the fault..
19367 - if (!user_mode_vm(regs)) {
19368 + if (!user_mode(regs)) {
19369 unsigned int code_prologue = code_bytes * 43 / 64;
19370 unsigned int code_len = code_bytes;
19373 + unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(0)[(0xffff & regs->cs) >> 3]);
19375 pr_emerg("Stack:\n");
19376 show_stack_log_lvl(NULL, regs, ®s->sp, 0, KERN_EMERG);
19380 - ip = (u8 *)regs->ip - code_prologue;
19381 + ip = (u8 *)regs->ip - code_prologue + cs_base;
19382 if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) {
19383 /* try starting at IP */
19384 - ip = (u8 *)regs->ip;
19385 + ip = (u8 *)regs->ip + cs_base;
19386 code_len = code_len - code_prologue + 1;
19388 for (i = 0; i < code_len; i++, ip++) {
19389 @@ -116,7 +115,7 @@ void show_regs(struct pt_regs *regs)
19390 pr_cont(" Bad EIP value.");
19393 - if (ip == (u8 *)regs->ip)
19394 + if (ip == (u8 *)regs->ip + cs_base)
19395 pr_cont(" <%02x>", c);
19397 pr_cont(" %02x", c);
19398 @@ -129,6 +128,7 @@ int is_valid_bugaddr(unsigned long ip)
19400 unsigned short ud2;
19402 + ip = ktla_ktva(ip);
19403 if (ip < PAGE_OFFSET)
19405 if (probe_kernel_address((unsigned short *)ip, ud2))
19406 @@ -136,3 +136,15 @@ int is_valid_bugaddr(unsigned long ip)
19408 return ud2 == 0x0b0f;
19411 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
19412 +void pax_check_alloca(unsigned long size)
19414 + unsigned long sp = (unsigned long)&sp, stack_left;
19416 + /* all kernel stacks are of the same size */
19417 + stack_left = sp & (THREAD_SIZE - 1);
19418 + BUG_ON(stack_left < 256 || size >= stack_left - 256);
19420 +EXPORT_SYMBOL(pax_check_alloca);
19422 diff --git a/arch/x86/kernel/dumpstack_64.c b/arch/x86/kernel/dumpstack_64.c
19423 index addb207..99635fa 100644
19424 --- a/arch/x86/kernel/dumpstack_64.c
19425 +++ b/arch/x86/kernel/dumpstack_64.c
19426 @@ -119,9 +119,9 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
19427 unsigned long *irq_stack_end =
19428 (unsigned long *)per_cpu(irq_stack_ptr, cpu);
19430 - struct thread_info *tinfo;
19432 unsigned long dummy;
19433 + void *stack_start;
19437 @@ -142,10 +142,10 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
19438 * current stack address. If the stacks consist of nested
19441 - tinfo = task_thread_info(task);
19444 unsigned long *estack_end;
19446 estack_end = in_exception_stack(cpu, (unsigned long)stack,
19449 @@ -153,7 +153,7 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
19450 if (ops->stack(data, id) < 0)
19453 - bp = ops->walk_stack(tinfo, stack, bp, ops,
19454 + bp = ops->walk_stack(task, estack_end - EXCEPTION_STKSZ, stack, bp, ops,
19455 data, estack_end, &graph);
19456 ops->stack(data, "<EOE>");
19458 @@ -161,6 +161,8 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
19459 * second-to-last pointer (index -2 to end) in the
19462 + if ((u16)estack_end[-1] != __KERNEL_DS)
19464 stack = (unsigned long *) estack_end[-2];
19467 @@ -172,7 +174,7 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
19468 if (in_irq_stack(stack, irq_stack, irq_stack_end)) {
19469 if (ops->stack(data, "IRQ") < 0)
19471 - bp = ops->walk_stack(tinfo, stack, bp,
19472 + bp = ops->walk_stack(task, irq_stack, stack, bp,
19473 ops, data, irq_stack_end, &graph);
19475 * We link to the next stack (which would be
19476 @@ -191,7 +193,9 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
19478 * This handles the process stack:
19480 - bp = ops->walk_stack(tinfo, stack, bp, ops, data, NULL, &graph);
19481 + stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
19482 + bp = ops->walk_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
19486 EXPORT_SYMBOL(dump_trace);
19487 @@ -300,3 +304,50 @@ int is_valid_bugaddr(unsigned long ip)
19489 return ud2 == 0x0b0f;
19492 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
19493 +void pax_check_alloca(unsigned long size)
19495 + unsigned long sp = (unsigned long)&sp, stack_start, stack_end;
19496 + unsigned cpu, used;
19499 + /* check the process stack first */
19500 + stack_start = (unsigned long)task_stack_page(current);
19501 + stack_end = stack_start + THREAD_SIZE;
19502 + if (likely(stack_start <= sp && sp < stack_end)) {
19503 + unsigned long stack_left = sp & (THREAD_SIZE - 1);
19504 + BUG_ON(stack_left < 256 || size >= stack_left - 256);
19510 + /* check the irq stacks */
19511 + stack_end = (unsigned long)per_cpu(irq_stack_ptr, cpu);
19512 + stack_start = stack_end - IRQ_STACK_SIZE;
19513 + if (stack_start <= sp && sp < stack_end) {
19514 + unsigned long stack_left = sp & (IRQ_STACK_SIZE - 1);
19516 + BUG_ON(stack_left < 256 || size >= stack_left - 256);
19520 + /* check the exception stacks */
19522 + stack_end = (unsigned long)in_exception_stack(cpu, sp, &used, &id);
19523 + stack_start = stack_end - EXCEPTION_STKSZ;
19524 + if (stack_end && stack_start <= sp && sp < stack_end) {
19525 + unsigned long stack_left = sp & (EXCEPTION_STKSZ - 1);
19527 + BUG_ON(stack_left < 256 || size >= stack_left - 256);
19533 + /* unknown stack */
19536 +EXPORT_SYMBOL(pax_check_alloca);
19538 diff --git a/arch/x86/kernel/e820.c b/arch/x86/kernel/e820.c
19539 index d32abea..74daf4f 100644
19540 --- a/arch/x86/kernel/e820.c
19541 +++ b/arch/x86/kernel/e820.c
19542 @@ -800,8 +800,8 @@ unsigned long __init e820_end_of_low_ram_pfn(void)
19544 static void early_panic(char *msg)
19546 - early_printk(msg);
19548 + early_printk("%s", msg);
19549 + panic("%s", msg);
19552 static int userdef __initdata;
19553 diff --git a/arch/x86/kernel/early_printk.c b/arch/x86/kernel/early_printk.c
19554 index d15f575..d692043 100644
19555 --- a/arch/x86/kernel/early_printk.c
19556 +++ b/arch/x86/kernel/early_printk.c
19558 #include <linux/pci_regs.h>
19559 #include <linux/pci_ids.h>
19560 #include <linux/errno.h>
19561 +#include <linux/sched.h>
19562 #include <asm/io.h>
19563 #include <asm/processor.h>
19564 #include <asm/fcntl.h>
19565 diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
19566 index 8f3e2de..6b71e39 100644
19567 --- a/arch/x86/kernel/entry_32.S
19568 +++ b/arch/x86/kernel/entry_32.S
19569 @@ -177,13 +177,153 @@
19570 /*CFI_REL_OFFSET gs, PT_GS*/
19572 .macro SET_KERNEL_GS reg
19574 +#ifdef CONFIG_CC_STACKPROTECTOR
19575 movl $(__KERNEL_STACK_CANARY), \reg
19576 +#elif defined(CONFIG_PAX_MEMORY_UDEREF)
19577 + movl $(__USER_DS), \reg
19585 #endif /* CONFIG_X86_32_LAZY_GS */
19588 +.macro pax_enter_kernel
19589 +#ifdef CONFIG_PAX_KERNEXEC
19590 + call pax_enter_kernel
19594 +.macro pax_exit_kernel
19595 +#ifdef CONFIG_PAX_KERNEXEC
19596 + call pax_exit_kernel
19600 +#ifdef CONFIG_PAX_KERNEXEC
19601 +ENTRY(pax_enter_kernel)
19602 +#ifdef CONFIG_PARAVIRT
19605 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0)
19613 + cmp $__KERNEL_CS, %esi
19615 + ljmp $__KERNEL_CS, $3f
19616 +1: ljmp $__KERNEXEC_KERNEL_CS, $2f
19618 +#ifdef CONFIG_PARAVIRT
19620 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
19625 +#ifdef CONFIG_PARAVIRT
19630 +ENDPROC(pax_enter_kernel)
19632 +ENTRY(pax_exit_kernel)
19633 +#ifdef CONFIG_PARAVIRT
19638 + cmp $__KERNEXEC_KERNEL_CS, %esi
19640 +#ifdef CONFIG_PARAVIRT
19641 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0);
19647 + ljmp $__KERNEL_CS, $1f
19649 +#ifdef CONFIG_PARAVIRT
19651 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);
19656 +#ifdef CONFIG_PARAVIRT
19661 +ENDPROC(pax_exit_kernel)
19664 + .macro pax_erase_kstack
19665 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
19666 + call pax_erase_kstack
19670 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
19672 + * ebp: thread_info
19674 +ENTRY(pax_erase_kstack)
19679 + mov TI_lowest_stack(%ebp), %edi
19680 + mov $-0xBEEF, %eax
19684 + and $THREAD_SIZE_asm - 1, %ecx
19701 + cmp $THREAD_SIZE_asm, %ecx
19709 + mov TI_task_thread_sp0(%ebp), %edi
19711 + mov %edi, TI_lowest_stack(%ebp)
19717 +ENDPROC(pax_erase_kstack)
19720 +.macro __SAVE_ALL _DS
19724 @@ -206,7 +346,7 @@
19725 CFI_REL_OFFSET ecx, 0
19727 CFI_REL_OFFSET ebx, 0
19728 - movl $(__USER_DS), %edx
19732 movl $(__KERNEL_PERCPU), %edx
19733 @@ -214,6 +354,15 @@
19738 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
19739 + __SAVE_ALL __KERNEL_DS
19742 + __SAVE_ALL __USER_DS
19746 .macro RESTORE_INT_REGS
19749 @@ -297,7 +446,7 @@ ENTRY(ret_from_fork)
19753 -END(ret_from_fork)
19754 +ENDPROC(ret_from_fork)
19756 ENTRY(ret_from_kernel_thread)
19758 @@ -344,7 +493,15 @@ ret_from_intr:
19759 andl $SEGMENT_RPL_MASK, %eax
19761 cmpl $USER_RPL, %eax
19763 +#ifdef CONFIG_PAX_KERNEXEC
19764 + jae resume_userspace
19767 + jmp resume_kernel
19769 jb resume_kernel # not returning to v8086 or userspace
19772 ENTRY(resume_userspace)
19774 @@ -356,8 +513,8 @@ ENTRY(resume_userspace)
19775 andl $_TIF_WORK_MASK, %ecx # is there any work to be done on
19776 # int/exception return?
19779 -END(ret_from_exception)
19780 + jmp restore_all_pax
19781 +ENDPROC(ret_from_exception)
19783 #ifdef CONFIG_PREEMPT
19784 ENTRY(resume_kernel)
19785 @@ -372,7 +529,7 @@ need_resched:
19787 call preempt_schedule_irq
19789 -END(resume_kernel)
19790 +ENDPROC(resume_kernel)
19794 @@ -406,30 +563,45 @@ sysenter_past_esp:
19795 /*CFI_REL_OFFSET cs, 0*/
19797 * Push current_thread_info()->sysenter_return to the stack.
19798 - * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
19799 - * pushed above; +8 corresponds to copy_thread's esp0 setting.
19801 - pushl_cfi ((TI_sysenter_return)-THREAD_SIZE+8+4*4)(%esp)
19803 CFI_REL_OFFSET eip, 0
19807 + GET_THREAD_INFO(%ebp)
19808 + movl TI_sysenter_return(%ebp),%ebp
19809 + movl %ebp,PT_EIP(%esp)
19810 ENABLE_INTERRUPTS(CLBR_NONE)
19813 * Load the potential sixth argument from user stack.
19814 * Careful about security.
19816 + movl PT_OLDESP(%esp),%ebp
19818 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19819 + mov PT_OLDSS(%esp),%ds
19820 +1: movl %ds:(%ebp),%ebp
19824 cmpl $__PAGE_OFFSET-3,%ebp
19827 1: movl (%ebp),%ebp
19831 movl %ebp,PT_EBP(%esp)
19832 _ASM_EXTABLE(1b,syscall_fault)
19834 GET_THREAD_INFO(%ebp)
19836 +#ifdef CONFIG_PAX_RANDKSTACK
19840 testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%ebp)
19843 @@ -444,12 +616,24 @@ sysenter_do_call:
19844 testl $_TIF_ALLWORK_MASK, %ecx
19848 +#ifdef CONFIG_PAX_RANDKSTACK
19851 + call pax_randomize_kstack
19857 /* if something modifies registers it must also disable sysexit */
19858 movl PT_EIP(%esp), %edx
19859 movl PT_OLDESP(%esp), %ecx
19862 1: mov PT_FS(%esp), %fs
19863 +2: mov PT_DS(%esp), %ds
19864 +3: mov PT_ES(%esp), %es
19866 ENABLE_INTERRUPTS_SYSEXIT
19868 @@ -466,6 +650,9 @@ sysenter_audit:
19869 movl %eax,%edx /* 2nd arg: syscall number */
19870 movl $AUDIT_ARCH_I386,%eax /* 1st arg: audit arch */
19871 call __audit_syscall_entry
19876 movl PT_EAX(%esp),%eax /* reload syscall number */
19877 jmp sysenter_do_call
19878 @@ -491,10 +678,16 @@ sysexit_audit:
19881 .pushsection .fixup,"ax"
19882 -2: movl $0,PT_FS(%esp)
19883 +4: movl $0,PT_FS(%esp)
19885 +5: movl $0,PT_DS(%esp)
19887 +6: movl $0,PT_ES(%esp)
19890 - _ASM_EXTABLE(1b,2b)
19891 + _ASM_EXTABLE(1b,4b)
19892 + _ASM_EXTABLE(2b,5b)
19893 + _ASM_EXTABLE(3b,6b)
19895 ENDPROC(ia32_sysenter_target)
19897 @@ -509,6 +702,11 @@ ENTRY(system_call)
19898 pushl_cfi %eax # save orig_eax
19900 GET_THREAD_INFO(%ebp)
19902 +#ifdef CONFIG_PAX_RANDKSTACK
19906 # system call tracing in operation / emulation
19907 testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%ebp)
19908 jnz syscall_trace_entry
19909 @@ -527,6 +725,15 @@ syscall_exit:
19910 testl $_TIF_ALLWORK_MASK, %ecx # current->work
19911 jne syscall_exit_work
19915 +#ifdef CONFIG_PAX_RANDKSTACK
19917 + call pax_randomize_kstack
19924 restore_all_notrace:
19925 @@ -583,14 +790,34 @@ ldt_ss:
19926 * compensating for the offset by changing to the ESPFIX segment with
19927 * a base address that matches for the difference.
19929 -#define GDT_ESPFIX_SS PER_CPU_VAR(gdt_page) + (GDT_ENTRY_ESPFIX_SS * 8)
19930 +#define GDT_ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)(%ebx)
19931 mov %esp, %edx /* load kernel esp */
19932 mov PT_OLDESP(%esp), %eax /* load userspace esp */
19933 mov %dx, %ax /* eax: new kernel esp */
19934 sub %eax, %edx /* offset (low word is 0) */
19936 + movl PER_CPU_VAR(cpu_number), %ebx
19937 + shll $PAGE_SHIFT_asm, %ebx
19938 + addl $cpu_gdt_table, %ebx
19940 + movl $cpu_gdt_table, %ebx
19943 - mov %dl, GDT_ESPFIX_SS + 4 /* bits 16..23 */
19944 - mov %dh, GDT_ESPFIX_SS + 7 /* bits 24..31 */
19946 +#ifdef CONFIG_PAX_KERNEXEC
19952 + mov %dl, 4 + GDT_ESPFIX_SS /* bits 16..23 */
19953 + mov %dh, 7 + GDT_ESPFIX_SS /* bits 24..31 */
19955 +#ifdef CONFIG_PAX_KERNEXEC
19960 pushl_cfi $__ESPFIX_SS
19961 pushl_cfi %eax /* new kernel esp */
19962 /* Disable interrupts, but do not irqtrace this section: we
19963 @@ -619,20 +846,18 @@ work_resched:
19964 movl TI_flags(%ebp), %ecx
19965 andl $_TIF_WORK_MASK, %ecx # is there any work to be done other
19966 # than syscall tracing?
19968 + jz restore_all_pax
19969 testb $_TIF_NEED_RESCHED, %cl
19972 work_notifysig: # deal with pending signals and
19973 # notify-resume requests
19976 testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
19978 jne work_notifysig_v86 # returning to kernel-space or
19985 ENABLE_INTERRUPTS(CLBR_NONE)
19986 @@ -653,7 +878,7 @@ work_notifysig_v86:
19991 +ENDPROC(work_pending)
19993 # perform syscall exit tracing
19995 @@ -661,11 +886,14 @@ syscall_trace_entry:
19996 movl $-ENOSYS,PT_EAX(%esp)
19998 call syscall_trace_enter
20002 /* What it returned is what we'll actually use. */
20003 cmpl $(NR_syscalls), %eax
20006 -END(syscall_trace_entry)
20007 +ENDPROC(syscall_trace_entry)
20009 # perform syscall exit tracing
20011 @@ -678,21 +906,25 @@ syscall_exit_work:
20013 call syscall_trace_leave
20014 jmp resume_userspace
20015 -END(syscall_exit_work)
20016 +ENDPROC(syscall_exit_work)
20019 RING0_INT_FRAME # can't unwind into user space anyway
20021 +#ifdef CONFIG_PAX_MEMORY_UDEREF
20026 GET_THREAD_INFO(%ebp)
20027 movl $-EFAULT,PT_EAX(%esp)
20028 jmp resume_userspace
20029 -END(syscall_fault)
20030 +ENDPROC(syscall_fault)
20033 movl $-ENOSYS,PT_EAX(%esp)
20034 jmp resume_userspace
20035 -END(syscall_badsys)
20036 +ENDPROC(syscall_badsys)
20039 * End of kprobes section
20040 @@ -708,8 +940,15 @@ END(syscall_badsys)
20041 * normal stack and adjusts ESP with the matching offset.
20043 /* fixup the stack */
20044 - mov GDT_ESPFIX_SS + 4, %al /* bits 16..23 */
20045 - mov GDT_ESPFIX_SS + 7, %ah /* bits 24..31 */
20047 + movl PER_CPU_VAR(cpu_number), %ebx
20048 + shll $PAGE_SHIFT_asm, %ebx
20049 + addl $cpu_gdt_table, %ebx
20051 + movl $cpu_gdt_table, %ebx
20053 + mov 4 + GDT_ESPFIX_SS, %al /* bits 16..23 */
20054 + mov 7 + GDT_ESPFIX_SS, %ah /* bits 24..31 */
20056 addl %esp, %eax /* the adjusted stack pointer */
20057 pushl_cfi $__KERNEL_DS
20058 @@ -762,7 +1001,7 @@ vector=vector+1
20060 2: jmp common_interrupt
20062 -END(irq_entries_start)
20063 +ENDPROC(irq_entries_start)
20067 @@ -813,7 +1052,7 @@ ENTRY(coprocessor_error)
20068 pushl_cfi $do_coprocessor_error
20071 -END(coprocessor_error)
20072 +ENDPROC(coprocessor_error)
20074 ENTRY(simd_coprocessor_error)
20076 @@ -826,7 +1065,7 @@ ENTRY(simd_coprocessor_error)
20077 .section .altinstructions,"a"
20078 altinstruction_entry 661b, 663f, X86_FEATURE_XMM, 662b-661b, 664f-663f
20080 -.section .altinstr_replacement,"ax"
20081 +.section .altinstr_replacement,"a"
20082 663: pushl $do_simd_coprocessor_error
20085 @@ -835,7 +1074,7 @@ ENTRY(simd_coprocessor_error)
20089 -END(simd_coprocessor_error)
20090 +ENDPROC(simd_coprocessor_error)
20092 ENTRY(device_not_available)
20094 @@ -844,18 +1083,18 @@ ENTRY(device_not_available)
20095 pushl_cfi $do_device_not_available
20098 -END(device_not_available)
20099 +ENDPROC(device_not_available)
20101 #ifdef CONFIG_PARAVIRT
20104 _ASM_EXTABLE(native_iret, iret_exc)
20106 +ENDPROC(native_iret)
20108 ENTRY(native_irq_enable_sysexit)
20111 -END(native_irq_enable_sysexit)
20112 +ENDPROC(native_irq_enable_sysexit)
20116 @@ -865,7 +1104,7 @@ ENTRY(overflow)
20117 pushl_cfi $do_overflow
20125 @@ -874,7 +1113,7 @@ ENTRY(bounds)
20126 pushl_cfi $do_bounds
20134 @@ -883,7 +1122,7 @@ ENTRY(invalid_op)
20135 pushl_cfi $do_invalid_op
20139 +ENDPROC(invalid_op)
20141 ENTRY(coprocessor_segment_overrun)
20143 @@ -892,7 +1131,7 @@ ENTRY(coprocessor_segment_overrun)
20144 pushl_cfi $do_coprocessor_segment_overrun
20147 -END(coprocessor_segment_overrun)
20148 +ENDPROC(coprocessor_segment_overrun)
20152 @@ -900,7 +1139,7 @@ ENTRY(invalid_TSS)
20153 pushl_cfi $do_invalid_TSS
20157 +ENDPROC(invalid_TSS)
20159 ENTRY(segment_not_present)
20161 @@ -908,7 +1147,7 @@ ENTRY(segment_not_present)
20162 pushl_cfi $do_segment_not_present
20165 -END(segment_not_present)
20166 +ENDPROC(segment_not_present)
20168 ENTRY(stack_segment)
20170 @@ -916,7 +1155,7 @@ ENTRY(stack_segment)
20171 pushl_cfi $do_stack_segment
20174 -END(stack_segment)
20175 +ENDPROC(stack_segment)
20177 ENTRY(alignment_check)
20179 @@ -924,7 +1163,7 @@ ENTRY(alignment_check)
20180 pushl_cfi $do_alignment_check
20183 -END(alignment_check)
20184 +ENDPROC(alignment_check)
20186 ENTRY(divide_error)
20188 @@ -933,7 +1172,7 @@ ENTRY(divide_error)
20189 pushl_cfi $do_divide_error
20193 +ENDPROC(divide_error)
20195 #ifdef CONFIG_X86_MCE
20196 ENTRY(machine_check)
20197 @@ -943,7 +1182,7 @@ ENTRY(machine_check)
20198 pushl_cfi machine_check_vector
20201 -END(machine_check)
20202 +ENDPROC(machine_check)
20205 ENTRY(spurious_interrupt_bug)
20206 @@ -953,7 +1192,7 @@ ENTRY(spurious_interrupt_bug)
20207 pushl_cfi $do_spurious_interrupt_bug
20210 -END(spurious_interrupt_bug)
20211 +ENDPROC(spurious_interrupt_bug)
20213 * End of kprobes section
20215 @@ -1063,7 +1302,7 @@ BUILD_INTERRUPT3(hyperv_callback_vector, HYPERVISOR_CALLBACK_VECTOR,
20222 ENTRY(ftrace_caller)
20223 cmpl $0, function_trace_stop
20224 @@ -1096,7 +1335,7 @@ ftrace_graph_call:
20228 -END(ftrace_caller)
20229 +ENDPROC(ftrace_caller)
20231 ENTRY(ftrace_regs_caller)
20232 pushf /* push flags before compare (in cs location) */
20233 @@ -1197,7 +1436,7 @@ trace:
20239 #endif /* CONFIG_DYNAMIC_FTRACE */
20240 #endif /* CONFIG_FUNCTION_TRACER */
20242 @@ -1215,7 +1454,7 @@ ENTRY(ftrace_graph_caller)
20246 -END(ftrace_graph_caller)
20247 +ENDPROC(ftrace_graph_caller)
20249 .globl return_to_handler
20251 @@ -1271,15 +1510,18 @@ error_code:
20252 movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
20255 - movl $(__USER_DS), %ecx
20256 + movl $(__KERNEL_DS), %ecx
20263 movl %esp,%eax # pt_regs pointer
20265 jmp ret_from_exception
20268 +ENDPROC(page_fault)
20271 * Debug traps and NMI can happen at the one SYSENTER instruction
20272 @@ -1322,7 +1564,7 @@ debug_stack_correct:
20274 jmp ret_from_exception
20280 * NMI is doubly nasty. It can happen _while_ we're handling
20281 @@ -1360,6 +1602,9 @@ nmi_stack_correct:
20282 xorl %edx,%edx # zero error code
20283 movl %esp,%eax # pt_regs pointer
20288 jmp restore_all_notrace
20291 @@ -1396,12 +1641,15 @@ nmi_espfix_stack:
20292 FIXUP_ESPFIX_STACK # %eax == %esp
20293 xorl %edx,%edx # zero error code
20299 lss 12+4(%esp), %esp # back to espfix stack
20300 CFI_ADJUST_CFA_OFFSET -24
20308 @@ -1414,14 +1662,14 @@ ENTRY(int3)
20310 jmp ret_from_exception
20315 ENTRY(general_protection)
20317 pushl_cfi $do_general_protection
20320 -END(general_protection)
20321 +ENDPROC(general_protection)
20323 #ifdef CONFIG_KVM_GUEST
20324 ENTRY(async_page_fault)
20325 @@ -1430,7 +1678,7 @@ ENTRY(async_page_fault)
20326 pushl_cfi $do_async_page_fault
20329 -END(async_page_fault)
20330 +ENDPROC(async_page_fault)
20334 diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
20335 index 7272089..0b74104 100644
20336 --- a/arch/x86/kernel/entry_64.S
20337 +++ b/arch/x86/kernel/entry_64.S
20339 #include <asm/context_tracking.h>
20340 #include <asm/smap.h>
20341 #include <linux/err.h>
20342 +#include <asm/pgtable.h>
20343 +#include <asm/alternative-asm.h>
20345 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
20346 #include <linux/elf-em.h>
20348 #ifdef CONFIG_DYNAMIC_FTRACE
20350 ENTRY(function_hook)
20351 + pax_force_retaddr
20353 -END(function_hook)
20354 +ENDPROC(function_hook)
20356 /* skip is set if stack has been adjusted */
20357 .macro ftrace_caller_setup skip=0
20358 @@ -122,8 +125,9 @@ GLOBAL(ftrace_graph_call)
20361 GLOBAL(ftrace_stub)
20362 + pax_force_retaddr
20364 -END(ftrace_caller)
20365 +ENDPROC(ftrace_caller)
20367 ENTRY(ftrace_regs_caller)
20368 /* Save the current flags before compare (in SS location)*/
20369 @@ -191,7 +195,7 @@ ftrace_restore_flags:
20373 -END(ftrace_regs_caller)
20374 +ENDPROC(ftrace_regs_caller)
20377 #else /* ! CONFIG_DYNAMIC_FTRACE */
20378 @@ -212,6 +216,7 @@ ENTRY(function_hook)
20381 GLOBAL(ftrace_stub)
20382 + pax_force_retaddr
20386 @@ -225,12 +230,13 @@ trace:
20388 subq $MCOUNT_INSN_SIZE, %rdi
20390 + pax_force_fptr ftrace_trace_function
20391 call *ftrace_trace_function
20393 MCOUNT_RESTORE_FRAME
20396 -END(function_hook)
20397 +ENDPROC(function_hook)
20398 #endif /* CONFIG_DYNAMIC_FTRACE */
20399 #endif /* CONFIG_FUNCTION_TRACER */
20401 @@ -252,8 +258,9 @@ ENTRY(ftrace_graph_caller)
20403 MCOUNT_RESTORE_FRAME
20405 + pax_force_retaddr
20407 -END(ftrace_graph_caller)
20408 +ENDPROC(ftrace_graph_caller)
20410 GLOBAL(return_to_handler)
20412 @@ -269,7 +276,9 @@ GLOBAL(return_to_handler)
20416 + pax_force_fptr %rdi
20418 +ENDPROC(return_to_handler)
20422 @@ -284,6 +293,430 @@ ENTRY(native_usergs_sysret64)
20423 ENDPROC(native_usergs_sysret64)
20424 #endif /* CONFIG_PARAVIRT */
20426 + .macro ljmpq sel, off
20427 +#if defined(CONFIG_MPSC) || defined(CONFIG_MCORE2) || defined (CONFIG_MATOM)
20428 + .byte 0x48; ljmp *1234f(%rip)
20429 + .pushsection .rodata
20431 + 1234: .quad \off; .word \sel
20440 + .macro pax_enter_kernel
20441 + pax_set_fptr_mask
20442 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
20443 + call pax_enter_kernel
20447 + .macro pax_exit_kernel
20448 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
20449 + call pax_exit_kernel
20454 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
20455 +ENTRY(pax_enter_kernel)
20458 +#ifdef CONFIG_PARAVIRT
20459 + PV_SAVE_REGS(CLBR_RDI)
20462 +#ifdef CONFIG_PAX_KERNEXEC
20467 + cmp $__KERNEL_CS,%edi
20472 +#ifdef CONFIG_PAX_MEMORY_UDEREF
20474 + .pushsection .altinstr_replacement, "a"
20477 + .pushsection .altinstructions, "a"
20478 + altinstruction_entry 661b, 662b, X86_FEATURE_PCID, 2, 2
20483 + mov $__KERNEL_DS,%edi
20489 +113: sub $4097,%rdi
20492 + mov $__UDEREF_KERNEL_DS,%edi
20497 +#ifdef CONFIG_PARAVIRT
20498 + PV_RESTORE_REGS(CLBR_RDI)
20502 + pax_force_retaddr
20505 +#ifdef CONFIG_PAX_KERNEXEC
20506 +2: ljmpq __KERNEL_CS,1b
20507 +3: ljmpq __KERNEXEC_KERNEL_CS,4f
20508 +4: SET_RDI_INTO_CR0
20511 +ENDPROC(pax_enter_kernel)
20513 +ENTRY(pax_exit_kernel)
20516 +#ifdef CONFIG_PARAVIRT
20517 + PV_SAVE_REGS(CLBR_RDI)
20520 +#ifdef CONFIG_PAX_KERNEXEC
20522 + cmp $__KERNEXEC_KERNEL_CS,%edi
20530 +#ifdef CONFIG_PAX_MEMORY_UDEREF
20532 + .pushsection .altinstr_replacement, "a"
20535 + .pushsection .altinstructions, "a"
20536 + altinstruction_entry 661b, 662b, X86_FEATURE_PCID, 2, 2
20539 + cmp $__UDEREF_KERNEL_DS,%edi
20545 +112: add $4097,%rdi
20548 + mov $__KERNEL_DS,%edi
20553 +#ifdef CONFIG_PARAVIRT
20554 + PV_RESTORE_REGS(CLBR_RDI);
20558 + pax_force_retaddr
20561 +#ifdef CONFIG_PAX_KERNEXEC
20562 +2: GET_CR0_INTO_RDI
20565 + ljmpq __KERNEL_CS,3f
20566 +3: SET_RDI_INTO_CR0
20571 +ENDPROC(pax_exit_kernel)
20574 + .macro pax_enter_kernel_user
20575 + pax_set_fptr_mask
20576 +#ifdef CONFIG_PAX_MEMORY_UDEREF
20577 + call pax_enter_kernel_user
20581 + .macro pax_exit_kernel_user
20582 +#ifdef CONFIG_PAX_MEMORY_UDEREF
20583 + call pax_exit_kernel_user
20585 +#ifdef CONFIG_PAX_RANDKSTACK
20588 + call pax_randomize_kstack
20594 +#ifdef CONFIG_PAX_MEMORY_UDEREF
20595 +ENTRY(pax_enter_kernel_user)
20599 +#ifdef CONFIG_PARAVIRT
20600 + PV_SAVE_REGS(CLBR_RDI)
20604 + .pushsection .altinstr_replacement, "a"
20607 + .pushsection .altinstructions, "a"
20608 + altinstruction_entry 661b, 662b, X86_FEATURE_PCID, 2, 2
20621 + add $__START_KERNEL_map,%rbx
20622 + sub phys_base(%rip),%rbx
20624 +#ifdef CONFIG_PARAVIRT
20625 + cmpl $0, pv_info+PARAVIRT_enabled
20629 + .rept USER_PGD_PTRS
20630 + mov i*8(%rbx),%rsi
20632 + lea i*8(%rbx),%rdi
20633 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd_batched)
20642 + .rept USER_PGD_PTRS
20643 + movb $0,i*8(%rbx)
20647 +2: SET_RDI_INTO_CR3
20649 +#ifdef CONFIG_PAX_KERNEXEC
20657 +#ifdef CONFIG_PARAVIRT
20658 + PV_RESTORE_REGS(CLBR_RDI)
20663 + pax_force_retaddr
20666 +ENDPROC(pax_enter_kernel_user)
20668 +ENTRY(pax_exit_kernel_user)
20672 +#ifdef CONFIG_PARAVIRT
20673 + PV_SAVE_REGS(CLBR_RDI)
20678 + .pushsection .altinstr_replacement, "a"
20681 + .pushsection .altinstructions, "a"
20682 + altinstruction_entry 661b, 662b, X86_FEATURE_PCID, 2, 2
20694 +#ifdef CONFIG_PAX_KERNEXEC
20701 + add $__START_KERNEL_map,%rbx
20702 + sub phys_base(%rip),%rbx
20704 +#ifdef CONFIG_PARAVIRT
20705 + cmpl $0, pv_info+PARAVIRT_enabled
20708 + .rept USER_PGD_PTRS
20709 + mov i*8(%rbx),%rsi
20711 + lea i*8(%rbx),%rdi
20712 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd_batched)
20720 + .rept USER_PGD_PTRS
20721 + movb $0x67,i*8(%rbx)
20726 +#ifdef CONFIG_PARAVIRT
20727 + PV_RESTORE_REGS(CLBR_RDI)
20732 + pax_force_retaddr
20735 +ENDPROC(pax_exit_kernel_user)
20738 + .macro pax_enter_kernel_nmi
20739 + pax_set_fptr_mask
20741 +#ifdef CONFIG_PAX_KERNEXEC
20750 +#ifdef CONFIG_PAX_MEMORY_UDEREF
20752 + .pushsection .altinstr_replacement, "a"
20755 + .pushsection .altinstructions, "a"
20756 + altinstruction_entry 661b, 662b, X86_FEATURE_PCID, 2, 2
20765 + mov $__UDEREF_KERNEL_DS,%edi
20771 + .macro pax_exit_kernel_nmi
20772 +#ifdef CONFIG_PAX_KERNEXEC
20781 +#ifdef CONFIG_PAX_MEMORY_UDEREF
20788 + mov $__KERNEL_DS,%edi
20794 + .macro pax_erase_kstack
20795 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
20796 + call pax_erase_kstack
20800 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
20801 +ENTRY(pax_erase_kstack)
20807 + GET_THREAD_INFO(%r11)
20808 + mov TI_lowest_stack(%r11), %rdi
20809 + mov $-0xBEEF, %rax
20813 + and $THREAD_SIZE_asm - 1, %ecx
20830 + cmp $THREAD_SIZE_asm, %rcx
20838 + mov TI_task_thread_sp0(%r11), %rdi
20840 + mov %rdi, TI_lowest_stack(%r11)
20846 + pax_force_retaddr
20848 +ENDPROC(pax_erase_kstack)
20851 .macro TRACE_IRQS_IRETQ offset=ARGOFFSET
20852 #ifdef CONFIG_TRACE_IRQFLAGS
20853 @@ -375,8 +808,8 @@ ENDPROC(native_usergs_sysret64)
20856 .macro UNFAKE_STACK_FRAME
20858 - CFI_ADJUST_CFA_OFFSET -(6*8)
20859 + addq $8*6 + ARG_SKIP, %rsp
20860 + CFI_ADJUST_CFA_OFFSET -(6*8 + ARG_SKIP)
20864 @@ -463,7 +896,7 @@ ENDPROC(native_usergs_sysret64)
20867 leaq -RBP(%rsp),%rdi /* arg1 for handler */
20868 - testl $3, CS-RBP(%rsi)
20869 + testb $3, CS-RBP(%rsi)
20873 @@ -498,9 +931,10 @@ ENTRY(save_rest)
20874 movq_cfi r15, R15+16
20875 movq %r11, 8(%rsp) /* return address */
20876 FIXUP_TOP_OF_STACK %r11, 16
20877 + pax_force_retaddr
20881 +ENDPROC(save_rest)
20883 /* save complete stack frame */
20884 .pushsection .kprobes.text, "ax"
20885 @@ -529,9 +963,10 @@ ENTRY(save_paranoid)
20886 js 1f /* negative -> in kernel */
20890 +1: pax_force_retaddr_bts
20893 -END(save_paranoid)
20894 +ENDPROC(save_paranoid)
20898 @@ -553,7 +988,7 @@ ENTRY(ret_from_fork)
20902 - testl $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
20903 + testb $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
20906 testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET
20907 @@ -571,7 +1006,7 @@ ENTRY(ret_from_fork)
20909 jmp int_ret_from_sys_call
20911 -END(ret_from_fork)
20912 +ENDPROC(ret_from_fork)
20915 * System call entry. Up to 6 arguments in registers are supported.
20916 @@ -608,7 +1043,7 @@ END(ret_from_fork)
20918 CFI_STARTPROC simple
20920 - CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET
20921 + CFI_DEF_CFA rsp,0
20922 CFI_REGISTER rip,rcx
20923 /*CFI_REGISTER rflags,r11*/
20924 SWAPGS_UNSAFE_STACK
20925 @@ -621,16 +1056,23 @@ GLOBAL(system_call_after_swapgs)
20927 movq %rsp,PER_CPU_VAR(old_rsp)
20928 movq PER_CPU_VAR(kernel_stack),%rsp
20930 + pax_enter_kernel_user
20932 +#ifdef CONFIG_PAX_RANDKSTACK
20937 * No need to follow this irqs off/on section - it's straight
20940 ENABLE_INTERRUPTS(CLBR_NONE)
20942 movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
20943 movq %rcx,RIP-ARGOFFSET(%rsp)
20944 CFI_REL_OFFSET rip,RIP-ARGOFFSET
20945 - testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET)
20946 + GET_THREAD_INFO(%rcx)
20947 + testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%rcx)
20949 system_call_fastpath:
20950 #if __SYSCALL_MASK == ~0
20951 @@ -640,7 +1082,7 @@ system_call_fastpath:
20952 cmpl $__NR_syscall_max,%eax
20956 + movq R10-ARGOFFSET(%rsp),%rcx
20957 call *sys_call_table(,%rax,8) # XXX: rip relative
20958 movq %rax,RAX-ARGOFFSET(%rsp)
20960 @@ -654,10 +1096,13 @@ sysret_check:
20962 DISABLE_INTERRUPTS(CLBR_NONE)
20964 - movl TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET),%edx
20965 + GET_THREAD_INFO(%rcx)
20966 + movl TI_flags(%rcx),%edx
20970 + pax_exit_kernel_user
20973 * sysretq will re-enable interrupts:
20975 @@ -709,14 +1154,18 @@ badsys:
20976 * jump back to the normal fast path.
20979 - movq %r10,%r9 /* 6th arg: 4th syscall arg */
20980 + movq R10-ARGOFFSET(%rsp),%r9 /* 6th arg: 4th syscall arg */
20981 movq %rdx,%r8 /* 5th arg: 3rd syscall arg */
20982 movq %rsi,%rcx /* 4th arg: 2nd syscall arg */
20983 movq %rdi,%rdx /* 3rd arg: 1st syscall arg */
20984 movq %rax,%rsi /* 2nd arg: syscall number */
20985 movl $AUDIT_ARCH_X86_64,%edi /* 1st arg: audit arch */
20986 call __audit_syscall_entry
20990 LOAD_ARGS 0 /* reload call-clobbered registers */
20991 + pax_set_fptr_mask
20992 jmp system_call_fastpath
20995 @@ -737,7 +1186,7 @@ sysret_audit:
20996 /* Do syscall tracing */
20998 #ifdef CONFIG_AUDITSYSCALL
20999 - testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT),TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET)
21000 + testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT),TI_flags(%rcx)
21004 @@ -745,12 +1194,16 @@ tracesys:
21005 FIXUP_TOP_OF_STACK %rdi
21007 call syscall_trace_enter
21012 * Reload arg registers from stack in case ptrace changed them.
21013 * We don't reload %rax because syscall_trace_enter() returned
21014 * the value it wants us to use in the table lookup.
21016 LOAD_ARGS ARGOFFSET, 1
21017 + pax_set_fptr_mask
21019 #if __SYSCALL_MASK == ~0
21020 cmpq $__NR_syscall_max,%rax
21021 @@ -759,7 +1212,7 @@ tracesys:
21022 cmpl $__NR_syscall_max,%eax
21024 ja int_ret_from_sys_call /* RAX(%rsp) set to -ENOSYS above */
21025 - movq %r10,%rcx /* fixup for C */
21026 + movq R10-ARGOFFSET(%rsp),%rcx /* fixup for C */
21027 call *sys_call_table(,%rax,8)
21028 movq %rax,RAX-ARGOFFSET(%rsp)
21029 /* Use IRET because user could have changed frame */
21030 @@ -780,7 +1233,9 @@ GLOBAL(int_with_check)
21033 andl $~TS_COMPAT,TI_status(%rcx)
21034 - jmp retint_swapgs
21035 + pax_exit_kernel_user
21037 + jmp retint_swapgs_pax
21039 /* Either reschedule or signal or syscall exit tracking needed. */
21040 /* First do a reschedule test. */
21041 @@ -826,7 +1281,7 @@ int_restore_rest:
21046 +ENDPROC(system_call)
21048 .macro FORK_LIKE func
21050 @@ -839,9 +1294,10 @@ ENTRY(stub_\func)
21051 DEFAULT_FRAME 0 8 /* offset 8: return address */
21053 RESTORE_TOP_OF_STACK %r11, 8
21054 + pax_force_retaddr
21055 ret $REST_SKIP /* pop extended registers */
21058 +ENDPROC(stub_\func)
21061 .macro FIXED_FRAME label,func
21062 @@ -851,9 +1307,10 @@ ENTRY(\label)
21063 FIXUP_TOP_OF_STACK %r11, 8-ARGOFFSET
21065 RESTORE_TOP_OF_STACK %r11, 8-ARGOFFSET
21066 + pax_force_retaddr
21074 @@ -870,9 +1327,10 @@ ENTRY(ptregscall_common)
21075 movq_cfi_restore R12+8, r12
21076 movq_cfi_restore RBP+8, rbp
21077 movq_cfi_restore RBX+8, rbx
21078 + pax_force_retaddr
21079 ret $REST_SKIP /* pop extended registers */
21081 -END(ptregscall_common)
21082 +ENDPROC(ptregscall_common)
21086 @@ -885,7 +1343,7 @@ ENTRY(stub_execve)
21088 jmp int_ret_from_sys_call
21091 +ENDPROC(stub_execve)
21094 * sigreturn is special because it needs to restore all registers on return.
21095 @@ -902,7 +1360,7 @@ ENTRY(stub_rt_sigreturn)
21097 jmp int_ret_from_sys_call
21099 -END(stub_rt_sigreturn)
21100 +ENDPROC(stub_rt_sigreturn)
21102 #ifdef CONFIG_X86_X32_ABI
21103 ENTRY(stub_x32_rt_sigreturn)
21104 @@ -916,7 +1374,7 @@ ENTRY(stub_x32_rt_sigreturn)
21106 jmp int_ret_from_sys_call
21108 -END(stub_x32_rt_sigreturn)
21109 +ENDPROC(stub_x32_rt_sigreturn)
21111 ENTRY(stub_x32_execve)
21113 @@ -930,7 +1388,7 @@ ENTRY(stub_x32_execve)
21115 jmp int_ret_from_sys_call
21117 -END(stub_x32_execve)
21118 +ENDPROC(stub_x32_execve)
21122 @@ -967,7 +1425,7 @@ vector=vector+1
21123 2: jmp common_interrupt
21126 -END(irq_entries_start)
21127 +ENDPROC(irq_entries_start)
21131 @@ -987,6 +1445,16 @@ END(interrupt)
21132 subq $ORIG_RAX-RBP, %rsp
21133 CFI_ADJUST_CFA_OFFSET ORIG_RAX-RBP
21135 +#ifdef CONFIG_PAX_MEMORY_UDEREF
21136 + testb $3, CS(%rdi)
21140 +1: pax_enter_kernel_user
21148 @@ -1019,7 +1487,7 @@ ret_from_intr:
21151 GET_THREAD_INFO(%rcx)
21152 - testl $3,CS-ARGOFFSET(%rsp)
21153 + testb $3,CS-ARGOFFSET(%rsp)
21156 /* Interrupt came from user space */
21157 @@ -1041,12 +1509,16 @@ retint_swapgs: /* return to user-space */
21158 * The iretq could re-enable interrupts:
21160 DISABLE_INTERRUPTS(CLBR_ANY)
21161 + pax_exit_kernel_user
21162 +retint_swapgs_pax:
21167 retint_restore_args: /* return to kernel space */
21168 DISABLE_INTERRUPTS(CLBR_ANY)
21170 + pax_force_retaddr (RIP-ARGOFFSET)
21172 * The iretq could re-enable interrupts:
21174 @@ -1129,7 +1601,7 @@ ENTRY(retint_kernel)
21178 -END(common_interrupt)
21179 +ENDPROC(common_interrupt)
21181 * End of kprobes section
21183 @@ -1147,7 +1619,7 @@ ENTRY(\sym)
21192 @@ -1208,12 +1680,22 @@ ENTRY(\sym)
21193 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
21196 +#ifdef CONFIG_PAX_MEMORY_UDEREF
21197 + testb $3, CS(%rsp)
21201 +1: pax_enter_kernel_user
21206 movq %rsp,%rdi /* pt_regs pointer */
21207 xorl %esi,%esi /* no error code */
21209 jmp error_exit /* %ebx: no swapgs flag */
21215 .macro paranoidzeroentry sym do_sym
21216 @@ -1226,15 +1708,25 @@ ENTRY(\sym)
21217 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
21220 +#ifdef CONFIG_PAX_MEMORY_UDEREF
21221 + testb $3, CS(%rsp)
21225 +1: pax_enter_kernel_user
21230 movq %rsp,%rdi /* pt_regs pointer */
21231 xorl %esi,%esi /* no error code */
21233 jmp paranoid_exit /* %ebx: no swapgs flag */
21239 -#define INIT_TSS_IST(x) PER_CPU_VAR(init_tss) + (TSS_ist + ((x) - 1) * 8)
21240 +#define INIT_TSS_IST(x) (TSS_ist + ((x) - 1) * 8)(%r12)
21241 .macro paranoidzeroentry_ist sym do_sym ist
21244 @@ -1245,14 +1737,30 @@ ENTRY(\sym)
21245 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
21247 TRACE_IRQS_OFF_DEBUG
21248 +#ifdef CONFIG_PAX_MEMORY_UDEREF
21249 + testb $3, CS(%rsp)
21253 +1: pax_enter_kernel_user
21258 movq %rsp,%rdi /* pt_regs pointer */
21259 xorl %esi,%esi /* no error code */
21261 + imul $TSS_size, PER_CPU_VAR(cpu_number), %r12d
21262 + lea init_tss(%r12), %r12
21264 + lea init_tss(%rip), %r12
21266 subq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
21268 addq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
21269 jmp paranoid_exit /* %ebx: no swapgs flag */
21275 .macro errorentry sym do_sym
21276 @@ -1264,13 +1772,23 @@ ENTRY(\sym)
21277 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
21280 +#ifdef CONFIG_PAX_MEMORY_UDEREF
21281 + testb $3, CS(%rsp)
21285 +1: pax_enter_kernel_user
21290 movq %rsp,%rdi /* pt_regs pointer */
21291 movq ORIG_RAX(%rsp),%rsi /* get error code */
21292 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
21294 jmp error_exit /* %ebx: no swapgs flag */
21300 /* error code is on the stack already */
21301 @@ -1284,13 +1802,23 @@ ENTRY(\sym)
21305 +#ifdef CONFIG_PAX_MEMORY_UDEREF
21306 + testb $3, CS(%rsp)
21310 +1: pax_enter_kernel_user
21315 movq %rsp,%rdi /* pt_regs pointer */
21316 movq ORIG_RAX(%rsp),%rsi /* get error code */
21317 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
21319 jmp paranoid_exit /* %ebx: no swapgs flag */
21325 zeroentry divide_error do_divide_error
21326 @@ -1320,9 +1848,10 @@ gs_change:
21327 2: mfence /* workaround */
21330 + pax_force_retaddr
21333 -END(native_load_gs_index)
21334 +ENDPROC(native_load_gs_index)
21336 _ASM_EXTABLE(gs_change,bad_gs)
21337 .section .fixup,"ax"
21338 @@ -1350,9 +1879,10 @@ ENTRY(call_softirq)
21339 CFI_DEF_CFA_REGISTER rsp
21340 CFI_ADJUST_CFA_OFFSET -8
21341 decl PER_CPU_VAR(irq_count)
21342 + pax_force_retaddr
21346 +ENDPROC(call_softirq)
21349 zeroentry xen_hypervisor_callback xen_do_hypervisor_callback
21350 @@ -1390,7 +1920,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs)
21351 decl PER_CPU_VAR(irq_count)
21354 -END(xen_do_hypervisor_callback)
21355 +ENDPROC(xen_do_hypervisor_callback)
21358 * Hypervisor uses this for application faults while it executes.
21359 @@ -1449,7 +1979,7 @@ ENTRY(xen_failsafe_callback)
21363 -END(xen_failsafe_callback)
21364 +ENDPROC(xen_failsafe_callback)
21366 apicinterrupt HYPERVISOR_CALLBACK_VECTOR \
21367 xen_hvm_callback_vector xen_evtchn_do_upcall
21368 @@ -1501,18 +2031,33 @@ ENTRY(paranoid_exit)
21370 DISABLE_INTERRUPTS(CLBR_NONE)
21371 TRACE_IRQS_OFF_DEBUG
21372 - testl %ebx,%ebx /* swapgs needed? */
21373 + testl $1,%ebx /* swapgs needed? */
21374 jnz paranoid_restore
21375 - testl $3,CS(%rsp)
21376 + testb $3,CS(%rsp)
21377 jnz paranoid_userspace
21378 +#ifdef CONFIG_PAX_MEMORY_UDEREF
21380 + TRACE_IRQS_IRETQ 0
21381 + SWAPGS_UNSAFE_STACK
21383 + pax_force_retaddr_bts
21387 +#ifdef CONFIG_PAX_MEMORY_UDEREF
21388 + pax_exit_kernel_user
21393 SWAPGS_UNSAFE_STACK
21398 TRACE_IRQS_IRETQ_DEBUG 0
21400 + pax_force_retaddr_bts
21402 paranoid_userspace:
21403 GET_THREAD_INFO(%rcx)
21404 @@ -1541,7 +2086,7 @@ paranoid_schedule:
21406 jmp paranoid_userspace
21408 -END(paranoid_exit)
21409 +ENDPROC(paranoid_exit)
21412 * Exception entry point. This expects an error code/orig_rax on the stack.
21413 @@ -1568,12 +2113,13 @@ ENTRY(error_entry)
21414 movq_cfi r14, R14+8
21415 movq_cfi r15, R15+8
21417 - testl $3,CS+8(%rsp)
21418 + testb $3,CS+8(%rsp)
21419 je error_kernelspace
21424 + pax_force_retaddr_bts
21428 @@ -1600,7 +2146,7 @@ bstep_iret:
21429 movq %rcx,RIP+8(%rsp)
21433 +ENDPROC(error_entry)
21436 /* ebx: no swapgs flag (1: don't need swapgs, 0: need it) */
21437 @@ -1611,7 +2157,7 @@ ENTRY(error_exit)
21438 DISABLE_INTERRUPTS(CLBR_NONE)
21440 GET_THREAD_INFO(%rcx)
21444 LOCKDEP_SYS_EXIT_IRQ
21445 movl TI_flags(%rcx),%edx
21446 @@ -1620,7 +2166,7 @@ ENTRY(error_exit)
21451 +ENDPROC(error_exit)
21454 * Test if a given stack is an NMI stack or not.
21455 @@ -1678,9 +2224,11 @@ ENTRY(nmi)
21456 * If %cs was not the kernel segment, then the NMI triggered in user
21457 * space, which means it is definitely not nested.
21459 + cmpl $__KERNEXEC_KERNEL_CS, 16(%rsp)
21461 cmpl $__KERNEL_CS, 16(%rsp)
21466 * Check the special variable on the stack to see if NMIs are
21468 @@ -1714,8 +2262,7 @@ nested_nmi:
21471 /* Set up the interrupted NMIs stack to jump to repeat_nmi */
21472 - leaq -1*8(%rsp), %rdx
21475 CFI_ADJUST_CFA_OFFSET 1*8
21476 leaq -10*8(%rsp), %rdx
21477 pushq_cfi $__KERNEL_DS
21478 @@ -1733,6 +2280,7 @@ nested_nmi_out:
21481 /* No need to check faults here */
21482 +# pax_force_retaddr_bts
21486 @@ -1849,6 +2397,8 @@ end_repeat_nmi:
21490 + pax_enter_kernel_nmi
21492 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
21495 @@ -1861,26 +2411,31 @@ end_repeat_nmi:
21499 - testl %ebx,%ebx /* swapgs needed? */
21500 + testl $1,%ebx /* swapgs needed? */
21503 SWAPGS_UNSAFE_STACK
21505 + pax_exit_kernel_nmi
21506 /* Pop the extra iret frame at once */
21508 + testb $3, 8(%rsp)
21510 + pax_force_retaddr_bts
21513 /* Clear the NMI executing stack variable */
21520 ENTRY(ignore_sysret)
21525 -END(ignore_sysret)
21526 +ENDPROC(ignore_sysret)
21529 * End of kprobes section
21530 diff --git a/arch/x86/kernel/ftrace.c b/arch/x86/kernel/ftrace.c
21531 index 42a392a..fbbd930 100644
21532 --- a/arch/x86/kernel/ftrace.c
21533 +++ b/arch/x86/kernel/ftrace.c
21534 @@ -105,6 +105,8 @@ ftrace_modify_code_direct(unsigned long ip, unsigned const char *old_code,
21536 unsigned char replaced[MCOUNT_INSN_SIZE];
21538 + ip = ktla_ktva(ip);
21541 * Note: Due to modules and __init, code can
21542 * disappear and change, we need to protect against faulting
21543 @@ -227,7 +229,7 @@ int ftrace_update_ftrace_func(ftrace_func_t func)
21544 unsigned char old[MCOUNT_INSN_SIZE], *new;
21547 - memcpy(old, &ftrace_call, MCOUNT_INSN_SIZE);
21548 + memcpy(old, (void *)ktla_ktva((unsigned long)ftrace_call), MCOUNT_INSN_SIZE);
21549 new = ftrace_call_replace(ip, (unsigned long)func);
21551 /* See comment above by declaration of modifying_ftrace_code */
21552 @@ -238,7 +240,7 @@ int ftrace_update_ftrace_func(ftrace_func_t func)
21553 /* Also update the regs callback function */
21555 ip = (unsigned long)(&ftrace_regs_call);
21556 - memcpy(old, &ftrace_regs_call, MCOUNT_INSN_SIZE);
21557 + memcpy(old, ktla_ktva((void *)&ftrace_regs_call), MCOUNT_INSN_SIZE);
21558 new = ftrace_call_replace(ip, (unsigned long)func);
21559 ret = ftrace_modify_code(ip, old, new);
21561 @@ -279,7 +281,7 @@ static int ftrace_write(unsigned long ip, const char *val, int size)
21562 * kernel identity mapping to modify code.
21564 if (within(ip, (unsigned long)_text, (unsigned long)_etext))
21565 - ip = (unsigned long)__va(__pa_symbol(ip));
21566 + ip = (unsigned long)__va(__pa_symbol(ktla_ktva(ip)));
21568 return probe_kernel_write((void *)ip, val, size);
21570 @@ -289,7 +291,7 @@ static int add_break(unsigned long ip, const char *old)
21571 unsigned char replaced[MCOUNT_INSN_SIZE];
21572 unsigned char brk = BREAKPOINT_INSTRUCTION;
21574 - if (probe_kernel_read(replaced, (void *)ip, MCOUNT_INSN_SIZE))
21575 + if (probe_kernel_read(replaced, (void *)ktla_ktva(ip), MCOUNT_INSN_SIZE))
21578 /* Make sure it is what we expect it to be */
21579 @@ -637,7 +639,7 @@ ftrace_modify_code(unsigned long ip, unsigned const char *old_code,
21583 - probe_kernel_write((void *)ip, &old_code[0], 1);
21584 + probe_kernel_write((void *)ktla_ktva(ip), &old_code[0], 1);
21588 @@ -670,6 +672,8 @@ static int ftrace_mod_jmp(unsigned long ip,
21590 unsigned char code[MCOUNT_INSN_SIZE];
21592 + ip = ktla_ktva(ip);
21594 if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE))
21597 diff --git a/arch/x86/kernel/head64.c b/arch/x86/kernel/head64.c
21598 index 55b6761..a6456fc 100644
21599 --- a/arch/x86/kernel/head64.c
21600 +++ b/arch/x86/kernel/head64.c
21601 @@ -67,12 +67,12 @@ again:
21605 - * The use of __START_KERNEL_map rather than __PAGE_OFFSET here is
21606 - * critical -- __PAGE_OFFSET would point us back into the dynamic
21607 + * The use of __early_va rather than __va here is critical:
21608 + * __va would point us back into the dynamic
21609 * range and we might end up looping forever...
21612 - pud_p = (pudval_t *)((pgd & PTE_PFN_MASK) + __START_KERNEL_map - phys_base);
21613 + pud_p = (pudval_t *)(__early_va(pgd & PTE_PFN_MASK));
21615 if (next_early_pgt >= EARLY_DYNAMIC_PAGE_TABLES) {
21616 reset_early_page_tables();
21617 @@ -82,13 +82,13 @@ again:
21618 pud_p = (pudval_t *)early_dynamic_pgts[next_early_pgt++];
21619 for (i = 0; i < PTRS_PER_PUD; i++)
21621 - *pgd_p = (pgdval_t)pud_p - __START_KERNEL_map + phys_base + _KERNPG_TABLE;
21622 + *pgd_p = (pgdval_t)__pa(pud_p) + _KERNPG_TABLE;
21624 pud_p += pud_index(address);
21628 - pmd_p = (pmdval_t *)((pud & PTE_PFN_MASK) + __START_KERNEL_map - phys_base);
21629 + pmd_p = (pmdval_t *)(__early_va(pud & PTE_PFN_MASK));
21631 if (next_early_pgt >= EARLY_DYNAMIC_PAGE_TABLES) {
21632 reset_early_page_tables();
21633 @@ -98,7 +98,7 @@ again:
21634 pmd_p = (pmdval_t *)early_dynamic_pgts[next_early_pgt++];
21635 for (i = 0; i < PTRS_PER_PMD; i++)
21637 - *pud_p = (pudval_t)pmd_p - __START_KERNEL_map + phys_base + _KERNPG_TABLE;
21638 + *pud_p = (pudval_t)__pa(pmd_p) + _KERNPG_TABLE;
21640 pmd = (physaddr & PMD_MASK) + early_pmd_flags;
21641 pmd_p[pmd_index(address)] = pmd;
21642 @@ -175,7 +175,6 @@ void __init x86_64_start_kernel(char * real_mode_data)
21643 if (console_loglevel == 10)
21644 early_printk("Kernel alive\n");
21646 - clear_page(init_level4_pgt);
21647 /* set init_level4_pgt kernel high mapping*/
21648 init_level4_pgt[511] = early_level4_pgt[511];
21650 diff --git a/arch/x86/kernel/head_32.S b/arch/x86/kernel/head_32.S
21651 index 73afd11..0ef46f2 100644
21652 --- a/arch/x86/kernel/head_32.S
21653 +++ b/arch/x86/kernel/head_32.S
21655 /* Physical address */
21656 #define pa(X) ((X) - __PAGE_OFFSET)
21658 +#ifdef CONFIG_PAX_KERNEXEC
21661 +#define ta(X) ((X) - __PAGE_OFFSET)
21665 * References to members of the new_cpu_data structure.
21668 * and small than max_low_pfn, otherwise will waste some page table entries
21671 -#if PTRS_PER_PMD > 1
21672 -#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD)
21674 -#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD)
21676 +#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)
21678 /* Number of possible pages in the lowmem region */
21679 LOWMEM_PAGES = (((1<<32) - __PAGE_OFFSET) >> PAGE_SHIFT)
21680 @@ -78,6 +80,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_PAGES) * PAGE_SIZE
21681 RESERVE_BRK(pagetables, INIT_MAP_SIZE)
21684 + * Real beginning of normal "text" segment
21690 * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
21691 * %esi points to the real-mode code as a 32-bit pointer.
21692 * CS and DS must be 4 GB flat segments, but we don't depend on
21693 @@ -85,6 +93,13 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE)
21698 +#ifdef CONFIG_PAX_KERNEXEC
21700 +/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
21701 +.fill PAGE_SIZE-5,1,0xcc
21705 movl pa(stack_start),%ecx
21707 @@ -106,6 +121,59 @@ ENTRY(startup_32)
21709 leal -__PAGE_OFFSET(%ecx),%esp
21712 + movl $pa(cpu_gdt_table),%edi
21713 + movl $__per_cpu_load,%eax
21714 + movw %ax,GDT_ENTRY_PERCPU * 8 + 2(%edi)
21716 + movb %al,GDT_ENTRY_PERCPU * 8 + 4(%edi)
21717 + movb %ah,GDT_ENTRY_PERCPU * 8 + 7(%edi)
21718 + movl $__per_cpu_end - 1,%eax
21719 + subl $__per_cpu_start,%eax
21720 + movw %ax,GDT_ENTRY_PERCPU * 8 + 0(%edi)
21723 +#ifdef CONFIG_PAX_MEMORY_UDEREF
21724 + movl $NR_CPUS,%ecx
21725 + movl $pa(cpu_gdt_table),%edi
21727 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)
21728 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0fb00),GDT_ENTRY_DEFAULT_USER_CS * 8 + 4(%edi)
21729 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0f300),GDT_ENTRY_DEFAULT_USER_DS * 8 + 4(%edi)
21730 + addl $PAGE_SIZE_asm,%edi
21734 +#ifdef CONFIG_PAX_KERNEXEC
21735 + movl $pa(boot_gdt),%edi
21736 + movl $__LOAD_PHYSICAL_ADDR,%eax
21737 + movw %ax,GDT_ENTRY_BOOT_CS * 8 + 2(%edi)
21739 + movb %al,GDT_ENTRY_BOOT_CS * 8 + 4(%edi)
21740 + movb %ah,GDT_ENTRY_BOOT_CS * 8 + 7(%edi)
21743 + ljmp $(__BOOT_CS),$1f
21746 + movl $NR_CPUS,%ecx
21747 + movl $pa(cpu_gdt_table),%edi
21748 + addl $__PAGE_OFFSET,%eax
21750 + movb $0xc0,GDT_ENTRY_KERNEL_CS * 8 + 6(%edi)
21751 + movb $0xc0,GDT_ENTRY_KERNEXEC_KERNEL_CS * 8 + 6(%edi)
21752 + movw %ax,GDT_ENTRY_KERNEL_CS * 8 + 2(%edi)
21753 + movw %ax,GDT_ENTRY_KERNEXEC_KERNEL_CS * 8 + 2(%edi)
21755 + movb %al,GDT_ENTRY_KERNEL_CS * 8 + 4(%edi)
21756 + movb %al,GDT_ENTRY_KERNEXEC_KERNEL_CS * 8 + 4(%edi)
21757 + movb %ah,GDT_ENTRY_KERNEL_CS * 8 + 7(%edi)
21758 + movb %ah,GDT_ENTRY_KERNEXEC_KERNEL_CS * 8 + 7(%edi)
21760 + addl $PAGE_SIZE_asm,%edi
21765 * Clear BSS first so that there are no surprises...
21767 @@ -201,8 +269,11 @@ ENTRY(startup_32)
21768 movl %eax, pa(max_pfn_mapped)
21770 /* Do early initialization of the fixmap area */
21771 - movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax
21772 - movl %eax,pa(initial_pg_pmd+0x1000*KPMDS-8)
21773 +#ifdef CONFIG_COMPAT_VDSO
21774 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_pg_pmd+0x1000*KPMDS-8)
21776 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_pg_pmd+0x1000*KPMDS-8)
21778 #else /* Not PAE */
21780 page_pde_offset = (__PAGE_OFFSET >> 20);
21781 @@ -232,8 +303,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
21782 movl %eax, pa(max_pfn_mapped)
21784 /* Do early initialization of the fixmap area */
21785 - movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax
21786 - movl %eax,pa(initial_page_table+0xffc)
21787 +#ifdef CONFIG_COMPAT_VDSO
21788 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_page_table+0xffc)
21790 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_page_table+0xffc)
21794 #ifdef CONFIG_PARAVIRT
21795 @@ -247,9 +321,7 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
21796 cmpl $num_subarch_entries, %eax
21799 - movl pa(subarch_entries)(,%eax,4), %eax
21800 - subl $__PAGE_OFFSET, %eax
21802 + jmp *pa(subarch_entries)(,%eax,4)
21806 @@ -261,10 +333,10 @@ WEAK(xen_entry)
21810 - .long default_entry /* normal x86/PC */
21811 - .long lguest_entry /* lguest hypervisor */
21812 - .long xen_entry /* Xen hypervisor */
21813 - .long default_entry /* Moorestown MID */
21814 + .long ta(default_entry) /* normal x86/PC */
21815 + .long ta(lguest_entry) /* lguest hypervisor */
21816 + .long ta(xen_entry) /* Xen hypervisor */
21817 + .long ta(default_entry) /* Moorestown MID */
21818 num_subarch_entries = (. - subarch_entries) / 4
21821 @@ -355,6 +427,7 @@ default_entry:
21822 movl pa(mmu_cr4_features),%eax
21825 +#ifdef CONFIG_X86_PAE
21826 testb $X86_CR4_PAE, %al # check if PAE is enabled
21829 @@ -383,6 +456,9 @@ default_entry:
21830 /* Make changes effective */
21833 + btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
21839 @@ -451,14 +527,20 @@ is486:
21840 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
21841 movl %eax,%ss # after changing gdt.
21843 - movl $(__USER_DS),%eax # DS/ES contains default USER segment
21844 +# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment
21848 movl $(__KERNEL_PERCPU), %eax
21849 movl %eax,%fs # set this cpu's percpu
21851 +#ifdef CONFIG_CC_STACKPROTECTOR
21852 movl $(__KERNEL_STACK_CANARY),%eax
21853 +#elif defined(CONFIG_PAX_MEMORY_UDEREF)
21854 + movl $(__USER_DS),%eax
21860 xorl %eax,%eax # Clear LDT
21861 @@ -534,8 +616,11 @@ setup_once:
21862 * relocation. Manually set base address in stack canary
21863 * segment descriptor.
21865 - movl $gdt_page,%eax
21866 + movl $cpu_gdt_table,%eax
21867 movl $stack_canary,%ecx
21869 + addl $__per_cpu_load,%ecx
21871 movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax)
21873 movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax)
21874 @@ -566,7 +651,7 @@ ENDPROC(early_idt_handlers)
21875 /* This is global to keep gas from relaxing the jumps */
21876 ENTRY(early_idt_handler)
21878 - cmpl $2,%ss:early_recursion_flag
21879 + cmpl $1,%ss:early_recursion_flag
21881 incl %ss:early_recursion_flag
21883 @@ -604,8 +689,8 @@ ENTRY(early_idt_handler)
21884 pushl (20+6*4)(%esp) /* trapno */
21893 @@ -624,8 +709,11 @@ ENDPROC(early_idt_handler)
21894 /* This is the default interrupt "handler" :-) */
21898 #ifdef CONFIG_PRINTK
21899 + cmpl $2,%ss:early_recursion_flag
21901 + incl %ss:early_recursion_flag
21906 @@ -634,9 +722,6 @@ ignore_int:
21907 movl $(__KERNEL_DS),%eax
21910 - cmpl $2,early_recursion_flag
21912 - incl early_recursion_flag
21916 @@ -670,29 +755,43 @@ ENTRY(setup_once_ref)
21920 -__PAGE_ALIGNED_BSS
21922 #ifdef CONFIG_X86_PAE
21923 +.section .initial_pg_pmd,"a",@progbits
21925 .fill 1024*KPMDS,4,0
21927 +.section .initial_page_table,"a",@progbits
21928 ENTRY(initial_page_table)
21931 +.section .initial_pg_fixmap,"a",@progbits
21934 +.section .empty_zero_page,"a",@progbits
21935 ENTRY(empty_zero_page)
21937 +.section .swapper_pg_dir,"a",@progbits
21938 ENTRY(swapper_pg_dir)
21939 +#ifdef CONFIG_X86_PAE
21946 + * The IDT has to be page-aligned to simplify the Pentium
21947 + * F0 0F bug workaround.. We have a special link segment
21950 +.section .idt,"a",@progbits
21955 * This starts the data section.
21957 #ifdef CONFIG_X86_PAE
21958 -__PAGE_ALIGNED_DATA
21959 - /* Page-aligned for the benefit of paravirt? */
21961 +.section .initial_page_table,"a",@progbits
21962 ENTRY(initial_page_table)
21963 .long pa(initial_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */
21965 @@ -711,12 +810,20 @@ ENTRY(initial_page_table)
21966 # error "Kernel PMDs should be 1, 2 or 3"
21968 .align PAGE_SIZE /* needs to be page-sized too */
21970 +#ifdef CONFIG_PAX_PER_CPU_PGD
21982 - .long init_thread_union+THREAD_SIZE
21983 + .long init_thread_union+THREAD_SIZE-8
21987 @@ -744,7 +851,7 @@ fault_msg:
21988 * segment size, and 32-bit linear address value:
21992 +.section .rodata,"a",@progbits
21993 .globl boot_gdt_descr
21996 @@ -753,7 +860,7 @@ fault_msg:
21997 .word 0 # 32 bit align gdt_desc.address
22000 - .long boot_gdt - __PAGE_OFFSET
22001 + .long pa(boot_gdt)
22003 .word 0 # 32-bit align idt_desc.address
22005 @@ -764,7 +871,7 @@ idt_descr:
22006 .word 0 # 32 bit align gdt_desc.address
22007 ENTRY(early_gdt_descr)
22008 .word GDT_ENTRIES*8-1
22009 - .long gdt_page /* Overwritten for secondary CPUs */
22010 + .long cpu_gdt_table /* Overwritten for secondary CPUs */
22013 * The boot_gdt must mirror the equivalent in setup.S and is
22014 @@ -773,5 +880,65 @@ ENTRY(early_gdt_descr)
22015 .align L1_CACHE_BYTES
22017 .fill GDT_ENTRY_BOOT_CS,8,0
22018 - .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
22019 - .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
22020 + .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
22021 + .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
22023 + .align PAGE_SIZE_asm
22024 +ENTRY(cpu_gdt_table)
22026 + .quad 0x0000000000000000 /* NULL descriptor */
22027 + .quad 0x0000000000000000 /* 0x0b reserved */
22028 + .quad 0x0000000000000000 /* 0x13 reserved */
22029 + .quad 0x0000000000000000 /* 0x1b reserved */
22031 +#ifdef CONFIG_PAX_KERNEXEC
22032 + .quad 0x00cf9b000000ffff /* 0x20 alternate kernel 4GB code at 0x00000000 */
22034 + .quad 0x0000000000000000 /* 0x20 unused */
22037 + .quad 0x0000000000000000 /* 0x28 unused */
22038 + .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
22039 + .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
22040 + .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
22041 + .quad 0x0000000000000000 /* 0x4b reserved */
22042 + .quad 0x0000000000000000 /* 0x53 reserved */
22043 + .quad 0x0000000000000000 /* 0x5b reserved */
22045 + .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
22046 + .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
22047 + .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
22048 + .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
22050 + .quad 0x0000000000000000 /* 0x80 TSS descriptor */
22051 + .quad 0x0000000000000000 /* 0x88 LDT descriptor */
22054 + * Segments used for calling PnP BIOS have byte granularity.
22055 + * The code segments and data segments have fixed 64k limits,
22056 + * the transfer segment sizes are set at run time.
22058 + .quad 0x00409b000000ffff /* 0x90 32-bit code */
22059 + .quad 0x00009b000000ffff /* 0x98 16-bit code */
22060 + .quad 0x000093000000ffff /* 0xa0 16-bit data */
22061 + .quad 0x0000930000000000 /* 0xa8 16-bit data */
22062 + .quad 0x0000930000000000 /* 0xb0 16-bit data */
22065 + * The APM segments have byte granularity and their bases
22066 + * are set at run time. All have 64k limits.
22068 + .quad 0x00409b000000ffff /* 0xb8 APM CS code */
22069 + .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
22070 + .quad 0x004093000000ffff /* 0xc8 APM DS data */
22072 + .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
22073 + .quad 0x0040930000000000 /* 0xd8 - PERCPU */
22074 + .quad 0x0040910000000017 /* 0xe0 - STACK_CANARY */
22075 + .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
22076 + .quad 0x0000000000000000 /* 0xf0 - PCIBIOS_DS */
22077 + .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
22079 + /* Be sure this is zeroed to avoid false validations in Xen */
22080 + .fill PAGE_SIZE_asm - GDT_SIZE,1,0
22082 diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S
22083 index a836860..1b5c665 100644
22084 --- a/arch/x86/kernel/head_64.S
22085 +++ b/arch/x86/kernel/head_64.S
22087 #include <asm/processor-flags.h>
22088 #include <asm/percpu.h>
22089 #include <asm/nops.h>
22090 +#include <asm/cpufeature.h>
22091 +#include <asm/alternative-asm.h>
22093 #ifdef CONFIG_PARAVIRT
22094 #include <asm/asm-offsets.h>
22095 @@ -41,6 +43,12 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET)
22096 L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
22097 L4_START_KERNEL = pgd_index(__START_KERNEL_map)
22098 L3_START_KERNEL = pud_index(__START_KERNEL_map)
22099 +L4_VMALLOC_START = pgd_index(VMALLOC_START)
22100 +L3_VMALLOC_START = pud_index(VMALLOC_START)
22101 +L4_VMALLOC_END = pgd_index(VMALLOC_END)
22102 +L3_VMALLOC_END = pud_index(VMALLOC_END)
22103 +L4_VMEMMAP_START = pgd_index(VMEMMAP_START)
22104 +L3_VMEMMAP_START = pud_index(VMEMMAP_START)
22108 @@ -89,11 +97,23 @@ startup_64:
22109 * Fixup the physical addresses in the page table
22111 addq %rbp, early_level4_pgt + (L4_START_KERNEL*8)(%rip)
22112 + addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
22113 + addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
22114 + addq %rbp, init_level4_pgt + (L4_VMALLOC_END*8)(%rip)
22115 + addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
22116 + addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
22118 - addq %rbp, level3_kernel_pgt + (510*8)(%rip)
22119 - addq %rbp, level3_kernel_pgt + (511*8)(%rip)
22120 + addq %rbp, level3_ident_pgt + (0*8)(%rip)
22121 +#ifndef CONFIG_XEN
22122 + addq %rbp, level3_ident_pgt + (1*8)(%rip)
22125 - addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
22126 + addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
22128 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
22129 + addq %rbp, level3_kernel_pgt + ((L3_START_KERNEL+1)*8)(%rip)
22131 + addq %rbp, level2_fixmap_pgt + (507*8)(%rip)
22134 * Set up the identity mapping for the switchover. These
22135 @@ -177,8 +197,8 @@ ENTRY(secondary_startup_64)
22136 movq $(init_level4_pgt - __START_KERNEL_map), %rax
22139 - /* Enable PAE mode and PGE */
22140 - movl $(X86_CR4_PAE | X86_CR4_PGE), %ecx
22141 + /* Enable PAE mode and PSE/PGE */
22142 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %ecx
22145 /* Setup early boot stage 4 level pagetables. */
22146 @@ -199,10 +219,18 @@ ENTRY(secondary_startup_64)
22147 movl $MSR_EFER, %ecx
22149 btsl $_EFER_SCE, %eax /* Enable System Call */
22150 - btl $20,%edi /* No Execute supported? */
22151 + btl $(X86_FEATURE_NX & 31),%edi /* No Execute supported? */
22153 btsl $_EFER_NX, %eax
22154 btsq $_PAGE_BIT_NX,early_pmd_flags(%rip)
22155 + leaq init_level4_pgt(%rip), %rdi
22156 +#ifndef CONFIG_EFI
22157 + btsq $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi)
22159 + btsq $_PAGE_BIT_NX, 8*L4_VMALLOC_START(%rdi)
22160 + btsq $_PAGE_BIT_NX, 8*L4_VMALLOC_END(%rdi)
22161 + btsq $_PAGE_BIT_NX, 8*L4_VMEMMAP_START(%rdi)
22162 + btsq $_PAGE_BIT_NX, __supported_pte_mask(%rip)
22163 1: wrmsr /* Make changes effective */
22166 @@ -282,6 +310,7 @@ ENTRY(secondary_startup_64)
22167 * REX.W + FF /5 JMP m16:64 Jump far, absolute indirect,
22168 * address given in m16:64.
22170 + pax_set_fptr_mask
22171 movq initial_code(%rip),%rax
22172 pushq $0 # fake return address to stop unwinder
22173 pushq $__KERNEL_CS # set correct cs
22174 @@ -388,7 +417,7 @@ ENTRY(early_idt_handler)
22176 #ifdef CONFIG_KALLSYMS
22177 leaq early_idt_ripmsg(%rip),%rdi
22178 - movq 40(%rsp),%rsi # %rip again
22179 + movq 88(%rsp),%rsi # %rip again
22180 call __print_symbol
22182 #endif /* EARLY_PRINTK */
22183 @@ -416,6 +445,7 @@ ENDPROC(early_idt_handler)
22184 early_recursion_flag:
22187 + .section .rodata,"a",@progbits
22188 #ifdef CONFIG_EARLY_PRINTK
22190 .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
22191 @@ -443,29 +473,52 @@ NEXT_PAGE(early_level4_pgt)
22192 NEXT_PAGE(early_dynamic_pgts)
22193 .fill 512*EARLY_DYNAMIC_PAGE_TABLES,8,0
22196 + .section .rodata,"a",@progbits
22198 -#ifndef CONFIG_XEN
22199 NEXT_PAGE(init_level4_pgt)
22202 -NEXT_PAGE(init_level4_pgt)
22203 - .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
22204 .org init_level4_pgt + L4_PAGE_OFFSET*8, 0
22205 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
22206 + .org init_level4_pgt + L4_VMALLOC_START*8, 0
22207 + .quad level3_vmalloc_start_pgt - __START_KERNEL_map + _KERNPG_TABLE
22208 + .org init_level4_pgt + L4_VMALLOC_END*8, 0
22209 + .quad level3_vmalloc_end_pgt - __START_KERNEL_map + _KERNPG_TABLE
22210 + .org init_level4_pgt + L4_VMEMMAP_START*8, 0
22211 + .quad level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
22212 .org init_level4_pgt + L4_START_KERNEL*8, 0
22213 /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
22214 .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
22216 +#ifdef CONFIG_PAX_PER_CPU_PGD
22217 +NEXT_PAGE(cpu_pgd)
22223 NEXT_PAGE(level3_ident_pgt)
22224 .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
22228 + .quad level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
22232 +NEXT_PAGE(level3_vmalloc_start_pgt)
22235 +NEXT_PAGE(level3_vmalloc_end_pgt)
22238 +NEXT_PAGE(level3_vmemmap_pgt)
22239 + .fill L3_VMEMMAP_START,8,0
22240 + .quad level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
22242 NEXT_PAGE(level2_ident_pgt)
22243 - /* Since I easily can, map the first 1G.
22244 + /* Since I easily can, map the first 2G.
22245 * Don't set NX because code runs from these pages.
22247 - PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
22249 + PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)
22251 NEXT_PAGE(level3_kernel_pgt)
22252 .fill L3_START_KERNEL,8,0
22253 @@ -473,6 +526,9 @@ NEXT_PAGE(level3_kernel_pgt)
22254 .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
22255 .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
22257 +NEXT_PAGE(level2_vmemmap_pgt)
22260 NEXT_PAGE(level2_kernel_pgt)
22262 * 512 MB kernel mapping. We spend a full page on this pagetable
22263 @@ -488,39 +544,70 @@ NEXT_PAGE(level2_kernel_pgt)
22264 KERNEL_IMAGE_SIZE/PMD_SIZE)
22266 NEXT_PAGE(level2_fixmap_pgt)
22268 - .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
22269 - /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
22272 + .quad level1_vsyscall_pgt - __START_KERNEL_map + _PAGE_TABLE
22273 + /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
22276 -NEXT_PAGE(level1_fixmap_pgt)
22277 +NEXT_PAGE(level1_vsyscall_pgt)
22284 +ENTRY(cpu_gdt_table)
22286 + .quad 0x0000000000000000 /* NULL descriptor */
22287 + .quad 0x00cf9b000000ffff /* __KERNEL32_CS */
22288 + .quad 0x00af9b000000ffff /* __KERNEL_CS */
22289 + .quad 0x00cf93000000ffff /* __KERNEL_DS */
22290 + .quad 0x00cffb000000ffff /* __USER32_CS */
22291 + .quad 0x00cff3000000ffff /* __USER_DS, __USER32_DS */
22292 + .quad 0x00affb000000ffff /* __USER_CS */
22294 +#ifdef CONFIG_PAX_KERNEXEC
22295 + .quad 0x00af9b000000ffff /* __KERNEXEC_KERNEL_CS */
22297 + .quad 0x0 /* unused */
22300 + .quad 0,0 /* TSS */
22301 + .quad 0,0 /* LDT */
22302 + .quad 0,0,0 /* three TLS descriptors */
22303 + .quad 0x0000f40000000000 /* node/CPU stored in limit */
22304 + /* asm/segment.h:GDT_ENTRIES must match this */
22306 +#ifdef CONFIG_PAX_MEMORY_UDEREF
22307 + .quad 0x00cf93000000ffff /* __UDEREF_KERNEL_DS */
22309 + .quad 0x0 /* unused */
22312 + /* zero the remaining page */
22313 + .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
22317 .globl early_gdt_descr
22319 .word GDT_ENTRIES*8-1
22320 early_gdt_descr_base:
22321 - .quad INIT_PER_CPU_VAR(gdt_page)
22322 + .quad cpu_gdt_table
22325 /* This must match the first entry in level2_kernel_pgt */
22326 .quad 0x0000000000000000
22328 #include "../../x86/xen/xen-head.S"
22330 - .section .bss, "aw", @nobits
22332 + .section .rodata,"a",@progbits
22333 +NEXT_PAGE(empty_zero_page)
22338 - .skip IDT_ENTRIES * 16
22341 .align L1_CACHE_BYTES
22342 ENTRY(nmi_idt_table)
22343 - .skip IDT_ENTRIES * 16
22345 - __PAGE_ALIGNED_BSS
22346 -NEXT_PAGE(empty_zero_page)
22349 diff --git a/arch/x86/kernel/i386_ksyms_32.c b/arch/x86/kernel/i386_ksyms_32.c
22350 index 0fa6912..b37438b 100644
22351 --- a/arch/x86/kernel/i386_ksyms_32.c
22352 +++ b/arch/x86/kernel/i386_ksyms_32.c
22353 @@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
22354 EXPORT_SYMBOL(cmpxchg8b_emu);
22357 +EXPORT_SYMBOL_GPL(cpu_gdt_table);
22359 /* Networking helper routines. */
22360 EXPORT_SYMBOL(csum_partial_copy_generic);
22361 +EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
22362 +EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
22364 EXPORT_SYMBOL(__get_user_1);
22365 EXPORT_SYMBOL(__get_user_2);
22366 @@ -37,3 +41,11 @@ EXPORT_SYMBOL(strstr);
22368 EXPORT_SYMBOL(csum_partial);
22369 EXPORT_SYMBOL(empty_zero_page);
22371 +#ifdef CONFIG_PAX_KERNEXEC
22372 +EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
22375 +#ifdef CONFIG_PAX_PER_CPU_PGD
22376 +EXPORT_SYMBOL(cpu_pgd);
22378 diff --git a/arch/x86/kernel/i387.c b/arch/x86/kernel/i387.c
22379 index f7ea30d..6318acc 100644
22380 --- a/arch/x86/kernel/i387.c
22381 +++ b/arch/x86/kernel/i387.c
22382 @@ -51,7 +51,7 @@ static inline bool interrupted_kernel_fpu_idle(void)
22383 static inline bool interrupted_user_mode(void)
22385 struct pt_regs *regs = get_irq_regs();
22386 - return regs && user_mode_vm(regs);
22387 + return regs && user_mode(regs);
22391 diff --git a/arch/x86/kernel/i8259.c b/arch/x86/kernel/i8259.c
22392 index 9a5c460..84868423 100644
22393 --- a/arch/x86/kernel/i8259.c
22394 +++ b/arch/x86/kernel/i8259.c
22395 @@ -110,7 +110,7 @@ static int i8259A_irq_pending(unsigned int irq)
22396 static void make_8259A_irq(unsigned int irq)
22398 disable_irq_nosync(irq);
22399 - io_apic_irqs &= ~(1<<irq);
22400 + io_apic_irqs &= ~(1UL<<irq);
22401 irq_set_chip_and_handler_name(irq, &i8259A_chip, handle_level_irq,
22404 @@ -209,7 +209,7 @@ spurious_8259A_irq:
22405 "spurious 8259A interrupt: IRQ%d.\n", irq);
22406 spurious_irq_mask |= irqmask;
22408 - atomic_inc(&irq_err_count);
22409 + atomic_inc_unchecked(&irq_err_count);
22411 * Theoretically we do not have to handle this IRQ,
22412 * but in Linux this does not cause problems and is
22413 @@ -333,14 +333,16 @@ static void init_8259A(int auto_eoi)
22414 /* (slave's support for AEOI in flat mode is to be investigated) */
22415 outb_pic(SLAVE_ICW4_DEFAULT, PIC_SLAVE_IMR);
22417 + pax_open_kernel();
22420 * In AEOI mode we just have to mask the interrupt
22423 - i8259A_chip.irq_mask_ack = disable_8259A_irq;
22424 + *(void **)&i8259A_chip.irq_mask_ack = disable_8259A_irq;
22426 - i8259A_chip.irq_mask_ack = mask_and_ack_8259A;
22427 + *(void **)&i8259A_chip.irq_mask_ack = mask_and_ack_8259A;
22428 + pax_close_kernel();
22430 udelay(100); /* wait for 8259A to initialize */
22432 diff --git a/arch/x86/kernel/io_delay.c b/arch/x86/kernel/io_delay.c
22433 index a979b5b..1d6db75 100644
22434 --- a/arch/x86/kernel/io_delay.c
22435 +++ b/arch/x86/kernel/io_delay.c
22436 @@ -58,7 +58,7 @@ static int __init dmi_io_delay_0xed_port(const struct dmi_system_id *id)
22437 * Quirk table for systems that misbehave (lock up, etc.) if port
22440 -static struct dmi_system_id __initdata io_delay_0xed_port_dmi_table[] = {
22441 +static const struct dmi_system_id __initconst io_delay_0xed_port_dmi_table[] = {
22443 .callback = dmi_io_delay_0xed_port,
22444 .ident = "Compaq Presario V6000",
22445 diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
22446 index 4ddaf66..6292f4e 100644
22447 --- a/arch/x86/kernel/ioport.c
22448 +++ b/arch/x86/kernel/ioport.c
22450 #include <linux/sched.h>
22451 #include <linux/kernel.h>
22452 #include <linux/capability.h>
22453 +#include <linux/security.h>
22454 #include <linux/errno.h>
22455 #include <linux/types.h>
22456 #include <linux/ioport.h>
22457 @@ -28,6 +29,12 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
22459 if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
22461 +#ifdef CONFIG_GRKERNSEC_IO
22462 + if (turn_on && grsec_disable_privio) {
22463 + gr_handle_ioperm();
22467 if (turn_on && !capable(CAP_SYS_RAWIO))
22470 @@ -54,7 +61,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
22471 * because the ->io_bitmap_max value must match the bitmap
22474 - tss = &per_cpu(init_tss, get_cpu());
22475 + tss = init_tss + get_cpu();
22478 bitmap_clear(t->io_bitmap_ptr, from, num);
22479 @@ -103,6 +110,12 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
22481 /* Trying to gain more privileges? */
22483 +#ifdef CONFIG_GRKERNSEC_IO
22484 + if (grsec_disable_privio) {
22485 + gr_handle_iopl();
22489 if (!capable(CAP_SYS_RAWIO))
22492 diff --git a/arch/x86/kernel/irq.c b/arch/x86/kernel/irq.c
22493 index ac0631d..ff7cb62 100644
22494 --- a/arch/x86/kernel/irq.c
22495 +++ b/arch/x86/kernel/irq.c
22497 #include <asm/mce.h>
22498 #include <asm/hw_irq.h>
22500 -atomic_t irq_err_count;
22501 +atomic_unchecked_t irq_err_count;
22503 /* Function pointer for generic interrupt vector handling */
22504 void (*x86_platform_ipi_callback)(void) = NULL;
22505 @@ -122,9 +122,9 @@ int arch_show_interrupts(struct seq_file *p, int prec)
22506 seq_printf(p, "%10u ", per_cpu(mce_poll_count, j));
22507 seq_printf(p, " Machine check polls\n");
22509 - seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read(&irq_err_count));
22510 + seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read_unchecked(&irq_err_count));
22511 #if defined(CONFIG_X86_IO_APIC)
22512 - seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read(&irq_mis_count));
22513 + seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read_unchecked(&irq_mis_count));
22517 @@ -164,7 +164,7 @@ u64 arch_irq_stat_cpu(unsigned int cpu)
22519 u64 arch_irq_stat(void)
22521 - u64 sum = atomic_read(&irq_err_count);
22522 + u64 sum = atomic_read_unchecked(&irq_err_count);
22526 diff --git a/arch/x86/kernel/irq_32.c b/arch/x86/kernel/irq_32.c
22527 index 344faf8..355f60d 100644
22528 --- a/arch/x86/kernel/irq_32.c
22529 +++ b/arch/x86/kernel/irq_32.c
22530 @@ -39,7 +39,7 @@ static int check_stack_overflow(void)
22531 __asm__ __volatile__("andl %%esp,%0" :
22532 "=r" (sp) : "0" (THREAD_SIZE - 1));
22534 - return sp < (sizeof(struct thread_info) + STACK_WARN);
22535 + return sp < STACK_WARN;
22538 static void print_stack_overflow(void)
22539 @@ -59,8 +59,8 @@ static inline void print_stack_overflow(void) { }
22540 * per-CPU IRQ handling contexts (thread information and stack)
22543 - struct thread_info tinfo;
22544 - u32 stack[THREAD_SIZE/sizeof(u32)];
22545 + unsigned long previous_esp;
22546 + u32 stack[THREAD_SIZE/sizeof(u32)];
22547 } __attribute__((aligned(THREAD_SIZE)));
22549 static DEFINE_PER_CPU(union irq_ctx *, hardirq_ctx);
22550 @@ -80,10 +80,9 @@ static void call_on_stack(void *func, void *stack)
22552 execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
22554 - union irq_ctx *curctx, *irqctx;
22555 + union irq_ctx *irqctx;
22556 u32 *isp, arg1, arg2;
22558 - curctx = (union irq_ctx *) current_thread_info();
22559 irqctx = __this_cpu_read(hardirq_ctx);
22562 @@ -92,16 +91,16 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
22563 * handler) we can't do that and just have to keep using the
22564 * current stack (which is the irq stack already after all)
22566 - if (unlikely(curctx == irqctx))
22567 + if (unlikely((void *)current_stack_pointer - (void *)irqctx < THREAD_SIZE))
22570 /* build the stack frame on the IRQ stack */
22571 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
22572 - irqctx->tinfo.task = curctx->tinfo.task;
22573 - irqctx->tinfo.previous_esp = current_stack_pointer;
22574 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
22575 + irqctx->previous_esp = current_stack_pointer;
22577 - /* Copy the preempt_count so that the [soft]irq checks work. */
22578 - irqctx->tinfo.preempt_count = curctx->tinfo.preempt_count;
22579 +#ifdef CONFIG_PAX_MEMORY_UDEREF
22580 + __set_fs(MAKE_MM_SEG(0));
22583 if (unlikely(overflow))
22584 call_on_stack(print_stack_overflow, isp);
22585 @@ -113,6 +112,11 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
22586 : "0" (irq), "1" (desc), "2" (isp),
22587 "D" (desc->handle_irq)
22588 : "memory", "cc", "ecx");
22590 +#ifdef CONFIG_PAX_MEMORY_UDEREF
22591 + __set_fs(current_thread_info()->addr_limit);
22597 @@ -121,29 +125,14 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
22599 void __cpuinit irq_ctx_init(int cpu)
22601 - union irq_ctx *irqctx;
22603 if (per_cpu(hardirq_ctx, cpu))
22606 - irqctx = page_address(alloc_pages_node(cpu_to_node(cpu),
22608 - THREAD_SIZE_ORDER));
22609 - memset(&irqctx->tinfo, 0, sizeof(struct thread_info));
22610 - irqctx->tinfo.cpu = cpu;
22611 - irqctx->tinfo.preempt_count = HARDIRQ_OFFSET;
22612 - irqctx->tinfo.addr_limit = MAKE_MM_SEG(0);
22614 - per_cpu(hardirq_ctx, cpu) = irqctx;
22616 - irqctx = page_address(alloc_pages_node(cpu_to_node(cpu),
22618 - THREAD_SIZE_ORDER));
22619 - memset(&irqctx->tinfo, 0, sizeof(struct thread_info));
22620 - irqctx->tinfo.cpu = cpu;
22621 - irqctx->tinfo.addr_limit = MAKE_MM_SEG(0);
22623 - per_cpu(softirq_ctx, cpu) = irqctx;
22624 + per_cpu(hardirq_ctx, cpu) = page_address(alloc_pages_node(cpu_to_node(cpu), THREADINFO_GFP, THREAD_SIZE_ORDER));
22625 + per_cpu(softirq_ctx, cpu) = page_address(alloc_pages_node(cpu_to_node(cpu), THREADINFO_GFP, THREAD_SIZE_ORDER));
22627 + printk(KERN_DEBUG "CPU %u irqstacks, hard=%p soft=%p\n",
22628 + cpu, per_cpu(hardirq_ctx, cpu), per_cpu(softirq_ctx, cpu));
22630 printk(KERN_DEBUG "CPU %u irqstacks, hard=%p soft=%p\n",
22631 cpu, per_cpu(hardirq_ctx, cpu), per_cpu(softirq_ctx, cpu));
22632 @@ -152,7 +141,6 @@ void __cpuinit irq_ctx_init(int cpu)
22633 asmlinkage void do_softirq(void)
22635 unsigned long flags;
22636 - struct thread_info *curctx;
22637 union irq_ctx *irqctx;
22640 @@ -162,15 +150,22 @@ asmlinkage void do_softirq(void)
22641 local_irq_save(flags);
22643 if (local_softirq_pending()) {
22644 - curctx = current_thread_info();
22645 irqctx = __this_cpu_read(softirq_ctx);
22646 - irqctx->tinfo.task = curctx->task;
22647 - irqctx->tinfo.previous_esp = current_stack_pointer;
22648 + irqctx->previous_esp = current_stack_pointer;
22650 /* build the stack frame on the softirq stack */
22651 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
22652 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
22654 +#ifdef CONFIG_PAX_MEMORY_UDEREF
22655 + __set_fs(MAKE_MM_SEG(0));
22658 call_on_stack(__do_softirq, isp);
22660 +#ifdef CONFIG_PAX_MEMORY_UDEREF
22661 + __set_fs(current_thread_info()->addr_limit);
22665 * Shouldn't happen, we returned above if in_interrupt():
22667 @@ -191,7 +186,7 @@ bool handle_irq(unsigned irq, struct pt_regs *regs)
22668 if (unlikely(!desc))
22671 - if (user_mode_vm(regs) || !execute_on_irq_stack(overflow, desc, irq)) {
22672 + if (user_mode(regs) || !execute_on_irq_stack(overflow, desc, irq)) {
22673 if (unlikely(overflow))
22674 print_stack_overflow();
22675 desc->handle_irq(irq, desc);
22676 diff --git a/arch/x86/kernel/irq_64.c b/arch/x86/kernel/irq_64.c
22677 index d04d3ec..ea4b374 100644
22678 --- a/arch/x86/kernel/irq_64.c
22679 +++ b/arch/x86/kernel/irq_64.c
22680 @@ -44,7 +44,7 @@ static inline void stack_overflow_check(struct pt_regs *regs)
22681 u64 estack_top, estack_bottom;
22682 u64 curbase = (u64)task_stack_page(current);
22684 - if (user_mode_vm(regs))
22685 + if (user_mode(regs))
22688 if (regs->sp >= curbase + sizeof(struct thread_info) +
22689 diff --git a/arch/x86/kernel/kdebugfs.c b/arch/x86/kernel/kdebugfs.c
22690 index dc1404b..bbc43e7 100644
22691 --- a/arch/x86/kernel/kdebugfs.c
22692 +++ b/arch/x86/kernel/kdebugfs.c
22693 @@ -27,7 +27,7 @@ struct setup_data_node {
22697 -static ssize_t setup_data_read(struct file *file, char __user *user_buf,
22698 +static ssize_t __size_overflow(3) setup_data_read(struct file *file, char __user *user_buf,
22699 size_t count, loff_t *ppos)
22701 struct setup_data_node *node = file->private_data;
22702 diff --git a/arch/x86/kernel/kgdb.c b/arch/x86/kernel/kgdb.c
22703 index 836f832..a8bda67 100644
22704 --- a/arch/x86/kernel/kgdb.c
22705 +++ b/arch/x86/kernel/kgdb.c
22706 @@ -127,11 +127,11 @@ char *dbg_get_reg(int regno, void *mem, struct pt_regs *regs)
22707 #ifdef CONFIG_X86_32
22710 - if (!user_mode_vm(regs))
22711 + if (!user_mode(regs))
22712 *(unsigned long *)mem = __KERNEL_DS;
22715 - if (!user_mode_vm(regs))
22716 + if (!user_mode(regs))
22717 *(unsigned long *)mem = kernel_stack_pointer(regs);
22720 @@ -229,7 +229,10 @@ static void kgdb_correct_hw_break(void)
22721 bp->attr.bp_addr = breakinfo[breakno].addr;
22722 bp->attr.bp_len = breakinfo[breakno].len;
22723 bp->attr.bp_type = breakinfo[breakno].type;
22724 - info->address = breakinfo[breakno].addr;
22725 + if (breakinfo[breakno].type == X86_BREAKPOINT_EXECUTE)
22726 + info->address = ktla_ktva(breakinfo[breakno].addr);
22728 + info->address = breakinfo[breakno].addr;
22729 info->len = breakinfo[breakno].len;
22730 info->type = breakinfo[breakno].type;
22731 val = arch_install_hw_breakpoint(bp);
22732 @@ -476,12 +479,12 @@ int kgdb_arch_handle_exception(int e_vector, int signo, int err_code,
22734 /* clear the trace bit */
22735 linux_regs->flags &= ~X86_EFLAGS_TF;
22736 - atomic_set(&kgdb_cpu_doing_single_step, -1);
22737 + atomic_set_unchecked(&kgdb_cpu_doing_single_step, -1);
22739 /* set the trace bit if we're stepping */
22740 if (remcomInBuffer[0] == 's') {
22741 linux_regs->flags |= X86_EFLAGS_TF;
22742 - atomic_set(&kgdb_cpu_doing_single_step,
22743 + atomic_set_unchecked(&kgdb_cpu_doing_single_step,
22744 raw_smp_processor_id());
22747 @@ -546,7 +549,7 @@ static int __kgdb_notify(struct die_args *args, unsigned long cmd)
22751 - if (atomic_read(&kgdb_cpu_doing_single_step) != -1) {
22752 + if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1) {
22753 if (user_mode(regs))
22754 return single_step_cont(regs, args);
22756 @@ -751,11 +754,11 @@ int kgdb_arch_set_breakpoint(struct kgdb_bkpt *bpt)
22757 #endif /* CONFIG_DEBUG_RODATA */
22759 bpt->type = BP_BREAKPOINT;
22760 - err = probe_kernel_read(bpt->saved_instr, (char *)bpt->bpt_addr,
22761 + err = probe_kernel_read(bpt->saved_instr, ktla_ktva((char *)bpt->bpt_addr),
22765 - err = probe_kernel_write((char *)bpt->bpt_addr,
22766 + err = probe_kernel_write(ktla_ktva((char *)bpt->bpt_addr),
22767 arch_kgdb_ops.gdb_bpt_instr, BREAK_INSTR_SIZE);
22768 #ifdef CONFIG_DEBUG_RODATA
22770 @@ -768,7 +771,7 @@ int kgdb_arch_set_breakpoint(struct kgdb_bkpt *bpt)
22772 text_poke((void *)bpt->bpt_addr, arch_kgdb_ops.gdb_bpt_instr,
22774 - err = probe_kernel_read(opc, (char *)bpt->bpt_addr, BREAK_INSTR_SIZE);
22775 + err = probe_kernel_read(opc, ktla_ktva((char *)bpt->bpt_addr), BREAK_INSTR_SIZE);
22778 if (memcmp(opc, arch_kgdb_ops.gdb_bpt_instr, BREAK_INSTR_SIZE))
22779 @@ -793,13 +796,13 @@ int kgdb_arch_remove_breakpoint(struct kgdb_bkpt *bpt)
22780 if (mutex_is_locked(&text_mutex))
22782 text_poke((void *)bpt->bpt_addr, bpt->saved_instr, BREAK_INSTR_SIZE);
22783 - err = probe_kernel_read(opc, (char *)bpt->bpt_addr, BREAK_INSTR_SIZE);
22784 + err = probe_kernel_read(opc, ktla_ktva((char *)bpt->bpt_addr), BREAK_INSTR_SIZE);
22785 if (err || memcmp(opc, bpt->saved_instr, BREAK_INSTR_SIZE))
22789 #endif /* CONFIG_DEBUG_RODATA */
22790 - return probe_kernel_write((char *)bpt->bpt_addr,
22791 + return probe_kernel_write(ktla_ktva((char *)bpt->bpt_addr),
22792 (char *)bpt->saved_instr, BREAK_INSTR_SIZE);
22795 diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
22796 index 211bce4..6e2580a 100644
22797 --- a/arch/x86/kernel/kprobes/core.c
22798 +++ b/arch/x86/kernel/kprobes/core.c
22799 @@ -119,9 +119,12 @@ static void __kprobes __synthesize_relative_insn(void *from, void *to, u8 op)
22803 - insn = (struct __arch_relative_insn *)from;
22804 + insn = (struct __arch_relative_insn *)ktla_ktva(from);
22806 + pax_open_kernel();
22807 insn->raddr = (s32)((long)(to) - ((long)(from) + 5));
22809 + pax_close_kernel();
22812 /* Insert a jump instruction at address 'from', which jumps to address 'to'.*/
22813 @@ -164,7 +167,7 @@ int __kprobes can_boost(kprobe_opcode_t *opcodes)
22814 kprobe_opcode_t opcode;
22815 kprobe_opcode_t *orig_opcodes = opcodes;
22817 - if (search_exception_tables((unsigned long)opcodes))
22818 + if (search_exception_tables(ktva_ktla((unsigned long)opcodes)))
22819 return 0; /* Page fault may occur on this address. */
22822 @@ -238,9 +241,9 @@ __recover_probed_insn(kprobe_opcode_t *buf, unsigned long addr)
22823 * for the first byte, we can recover the original instruction
22824 * from it and kp->opcode.
22826 - memcpy(buf, kp->addr, MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
22827 + memcpy(buf, ktla_ktva(kp->addr), MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
22828 buf[0] = kp->opcode;
22829 - return (unsigned long)buf;
22830 + return ktva_ktla((unsigned long)buf);
22834 @@ -332,7 +335,9 @@ int __kprobes __copy_instruction(u8 *dest, u8 *src)
22835 /* Another subsystem puts a breakpoint, failed to recover */
22836 if (insn.opcode.bytes[0] == BREAKPOINT_INSTRUCTION)
22838 + pax_open_kernel();
22839 memcpy(dest, insn.kaddr, insn.length);
22840 + pax_close_kernel();
22842 #ifdef CONFIG_X86_64
22843 if (insn_rip_relative(&insn)) {
22844 @@ -359,7 +364,9 @@ int __kprobes __copy_instruction(u8 *dest, u8 *src)
22847 disp = (u8 *) dest + insn_offset_displacement(&insn);
22848 + pax_open_kernel();
22849 *(s32 *) disp = (s32) newdisp;
22850 + pax_close_kernel();
22853 return insn.length;
22854 @@ -498,7 +505,7 @@ setup_singlestep(struct kprobe *p, struct pt_regs *regs, struct kprobe_ctlblk *k
22855 * nor set current_kprobe, because it doesn't use single
22858 - regs->ip = (unsigned long)p->ainsn.insn;
22859 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
22860 preempt_enable_no_resched();
22863 @@ -515,9 +522,9 @@ setup_singlestep(struct kprobe *p, struct pt_regs *regs, struct kprobe_ctlblk *k
22864 regs->flags &= ~X86_EFLAGS_IF;
22865 /* single step inline if the instruction is an int3 */
22866 if (p->opcode == BREAKPOINT_INSTRUCTION)
22867 - regs->ip = (unsigned long)p->addr;
22868 + regs->ip = ktla_ktva((unsigned long)p->addr);
22870 - regs->ip = (unsigned long)p->ainsn.insn;
22871 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
22875 @@ -596,7 +603,7 @@ static int __kprobes kprobe_handler(struct pt_regs *regs)
22876 setup_singlestep(p, regs, kcb, 0);
22879 - } else if (*addr != BREAKPOINT_INSTRUCTION) {
22880 + } else if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) {
22882 * The breakpoint instruction was removed right
22883 * after we hit it. Another cpu has removed
22884 @@ -642,6 +649,9 @@ static void __used __kprobes kretprobe_trampoline_holder(void)
22885 " movq %rax, 152(%rsp)\n"
22886 RESTORE_REGS_STRING
22888 +#ifdef KERNEXEC_PLUGIN
22889 + " btsq $63,(%rsp)\n"
22894 @@ -779,7 +789,7 @@ static void __kprobes
22895 resume_execution(struct kprobe *p, struct pt_regs *regs, struct kprobe_ctlblk *kcb)
22897 unsigned long *tos = stack_addr(regs);
22898 - unsigned long copy_ip = (unsigned long)p->ainsn.insn;
22899 + unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn);
22900 unsigned long orig_ip = (unsigned long)p->addr;
22901 kprobe_opcode_t *insn = p->ainsn.insn;
22903 @@ -961,7 +971,7 @@ kprobe_exceptions_notify(struct notifier_block *self, unsigned long val, void *d
22904 struct die_args *args = data;
22905 int ret = NOTIFY_DONE;
22907 - if (args->regs && user_mode_vm(args->regs))
22908 + if (args->regs && user_mode(args->regs))
22912 diff --git a/arch/x86/kernel/kprobes/opt.c b/arch/x86/kernel/kprobes/opt.c
22913 index 76dc6f0..66bdfc3 100644
22914 --- a/arch/x86/kernel/kprobes/opt.c
22915 +++ b/arch/x86/kernel/kprobes/opt.c
22916 @@ -79,6 +79,7 @@ found:
22917 /* Insert a move instruction which sets a pointer to eax/rdi (1st arg). */
22918 static void __kprobes synthesize_set_arg1(kprobe_opcode_t *addr, unsigned long val)
22920 + pax_open_kernel();
22921 #ifdef CONFIG_X86_64
22924 @@ -86,6 +87,7 @@ static void __kprobes synthesize_set_arg1(kprobe_opcode_t *addr, unsigned long v
22927 *(unsigned long *)addr = val;
22928 + pax_close_kernel();
22931 static void __used __kprobes kprobes_optinsn_template_holder(void)
22932 @@ -338,7 +340,7 @@ int __kprobes arch_prepare_optimized_kprobe(struct optimized_kprobe *op)
22933 * Verify if the address gap is in 2GB range, because this uses
22936 - rel = (long)op->optinsn.insn - (long)op->kp.addr + RELATIVEJUMP_SIZE;
22937 + rel = (long)op->optinsn.insn - ktla_ktva((long)op->kp.addr) + RELATIVEJUMP_SIZE;
22938 if (abs(rel) > 0x7fffffff)
22941 @@ -353,16 +355,18 @@ int __kprobes arch_prepare_optimized_kprobe(struct optimized_kprobe *op)
22942 op->optinsn.size = ret;
22944 /* Copy arch-dep-instance from template */
22945 - memcpy(buf, &optprobe_template_entry, TMPL_END_IDX);
22946 + pax_open_kernel();
22947 + memcpy(buf, ktla_ktva(&optprobe_template_entry), TMPL_END_IDX);
22948 + pax_close_kernel();
22950 /* Set probe information */
22951 synthesize_set_arg1(buf + TMPL_MOVE_IDX, (unsigned long)op);
22953 /* Set probe function call */
22954 - synthesize_relcall(buf + TMPL_CALL_IDX, optimized_callback);
22955 + synthesize_relcall(ktva_ktla(buf) + TMPL_CALL_IDX, optimized_callback);
22957 /* Set returning jmp instruction at the tail of out-of-line buffer */
22958 - synthesize_reljump(buf + TMPL_END_IDX + op->optinsn.size,
22959 + synthesize_reljump(ktva_ktla(buf) + TMPL_END_IDX + op->optinsn.size,
22960 (u8 *)op->kp.addr + op->optinsn.size);
22962 flush_icache_range((unsigned long) buf,
22963 @@ -385,7 +389,7 @@ static void __kprobes setup_optimize_kprobe(struct text_poke_param *tprm,
22964 ((long)op->kp.addr + RELATIVEJUMP_SIZE));
22966 /* Backup instructions which will be replaced by jump address */
22967 - memcpy(op->optinsn.copied_insn, op->kp.addr + INT3_SIZE,
22968 + memcpy(op->optinsn.copied_insn, ktla_ktva(op->kp.addr) + INT3_SIZE,
22969 RELATIVE_ADDR_SIZE);
22971 insn_buf[0] = RELATIVEJUMP_OPCODE;
22972 @@ -483,7 +487,7 @@ setup_detour_execution(struct kprobe *p, struct pt_regs *regs, int reenter)
22973 /* This kprobe is really able to run optimized path. */
22974 op = container_of(p, struct optimized_kprobe, kp);
22975 /* Detour through copied instructions */
22976 - regs->ip = (unsigned long)op->optinsn.insn + TMPL_END_IDX;
22977 + regs->ip = ktva_ktla((unsigned long)op->optinsn.insn) + TMPL_END_IDX;
22979 reset_current_kprobe();
22980 preempt_enable_no_resched();
22981 diff --git a/arch/x86/kernel/kvm.c b/arch/x86/kernel/kvm.c
22982 index cd6d9a5..16245a4 100644
22983 --- a/arch/x86/kernel/kvm.c
22984 +++ b/arch/x86/kernel/kvm.c
22985 @@ -455,7 +455,7 @@ static int __cpuinit kvm_cpu_notify(struct notifier_block *self,
22989 -static struct notifier_block __cpuinitdata kvm_cpu_notifier = {
22990 +static struct notifier_block kvm_cpu_notifier = {
22991 .notifier_call = kvm_cpu_notify,
22994 diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
22995 index ebc9873..1b9724b 100644
22996 --- a/arch/x86/kernel/ldt.c
22997 +++ b/arch/x86/kernel/ldt.c
22998 @@ -66,13 +66,13 @@ static int alloc_ldt(mm_context_t *pc, int mincount, int reload)
23003 + load_LDT_nolock(pc);
23004 if (!cpumask_equal(mm_cpumask(current->mm),
23005 cpumask_of(smp_processor_id())))
23006 smp_call_function(flush_ldt, current->mm, 1);
23010 + load_LDT_nolock(pc);
23014 @@ -94,7 +94,7 @@ static inline int copy_ldt(mm_context_t *new, mm_context_t *old)
23017 for (i = 0; i < old->size; i++)
23018 - write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE);
23019 + write_ldt_entry(new->ldt, i, old->ldt + i);
23023 @@ -115,6 +115,24 @@ int init_new_context(struct task_struct *tsk, struct mm_struct *mm)
23024 retval = copy_ldt(&mm->context, &old_mm->context);
23025 mutex_unlock(&old_mm->context.lock);
23028 + if (tsk == current) {
23029 + mm->context.vdso = 0;
23031 +#ifdef CONFIG_X86_32
23032 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
23033 + mm->context.user_cs_base = 0UL;
23034 + mm->context.user_cs_limit = ~0UL;
23036 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
23037 + cpus_clear(mm->context.cpu_user_cs_mask);
23048 @@ -229,6 +247,13 @@ static int write_ldt(void __user *ptr, unsigned long bytecount, int oldmode)
23052 +#ifdef CONFIG_PAX_SEGMEXEC
23053 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
23059 fill_ldt(&ldt, &ldt_info);
23062 diff --git a/arch/x86/kernel/machine_kexec_32.c b/arch/x86/kernel/machine_kexec_32.c
23063 index 5b19e4d..6476a76 100644
23064 --- a/arch/x86/kernel/machine_kexec_32.c
23065 +++ b/arch/x86/kernel/machine_kexec_32.c
23067 #include <asm/cacheflush.h>
23068 #include <asm/debugreg.h>
23070 -static void set_idt(void *newidt, __u16 limit)
23071 +static void set_idt(struct desc_struct *newidt, __u16 limit)
23073 struct desc_ptr curidt;
23075 @@ -38,7 +38,7 @@ static void set_idt(void *newidt, __u16 limit)
23079 -static void set_gdt(void *newgdt, __u16 limit)
23080 +static void set_gdt(struct desc_struct *newgdt, __u16 limit)
23082 struct desc_ptr curgdt;
23084 @@ -216,7 +216,7 @@ void machine_kexec(struct kimage *image)
23087 control_page = page_address(image->control_code_page);
23088 - memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
23089 + memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE);
23091 relocate_kernel_ptr = control_page;
23092 page_list[PA_CONTROL_PAGE] = __pa(control_page);
23093 diff --git a/arch/x86/kernel/microcode_core.c b/arch/x86/kernel/microcode_core.c
23094 index 22db92b..d546bec 100644
23095 --- a/arch/x86/kernel/microcode_core.c
23096 +++ b/arch/x86/kernel/microcode_core.c
23097 @@ -513,7 +513,7 @@ mc_cpu_callback(struct notifier_block *nb, unsigned long action, void *hcpu)
23101 -static struct notifier_block __refdata mc_cpu_notifier = {
23102 +static struct notifier_block mc_cpu_notifier = {
23103 .notifier_call = mc_cpu_callback,
23106 diff --git a/arch/x86/kernel/microcode_intel.c b/arch/x86/kernel/microcode_intel.c
23107 index 5fb2ceb..3ae90bb 100644
23108 --- a/arch/x86/kernel/microcode_intel.c
23109 +++ b/arch/x86/kernel/microcode_intel.c
23110 @@ -293,13 +293,13 @@ static enum ucode_state request_microcode_fw(int cpu, struct device *device,
23112 static int get_ucode_user(void *to, const void *from, size_t n)
23114 - return copy_from_user(to, from, n);
23115 + return copy_from_user(to, (const void __force_user *)from, n);
23118 static enum ucode_state
23119 request_microcode_user(int cpu, const void __user *buf, size_t size)
23121 - return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
23122 + return generic_load_microcode(cpu, (__force_kernel void *)buf, size, &get_ucode_user);
23125 static void microcode_fini_cpu(int cpu)
23126 diff --git a/arch/x86/kernel/module.c b/arch/x86/kernel/module.c
23127 index 216a4d7..228255a 100644
23128 --- a/arch/x86/kernel/module.c
23129 +++ b/arch/x86/kernel/module.c
23130 @@ -43,15 +43,60 @@ do { \
23134 -void *module_alloc(unsigned long size)
23135 +static inline void *__module_alloc(unsigned long size, pgprot_t prot)
23137 - if (PAGE_ALIGN(size) > MODULES_LEN)
23138 + if (!size || PAGE_ALIGN(size) > MODULES_LEN)
23140 return __vmalloc_node_range(size, 1, MODULES_VADDR, MODULES_END,
23141 - GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
23142 + GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, prot,
23143 -1, __builtin_return_address(0));
23146 +void *module_alloc(unsigned long size)
23149 +#ifdef CONFIG_PAX_KERNEXEC
23150 + return __module_alloc(size, PAGE_KERNEL);
23152 + return __module_alloc(size, PAGE_KERNEL_EXEC);
23157 +#ifdef CONFIG_PAX_KERNEXEC
23158 +#ifdef CONFIG_X86_32
23159 +void *module_alloc_exec(unsigned long size)
23161 + struct vm_struct *area;
23166 + area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END);
23167 + return area ? area->addr : NULL;
23169 +EXPORT_SYMBOL(module_alloc_exec);
23171 +void module_free_exec(struct module *mod, void *module_region)
23173 + vunmap(module_region);
23175 +EXPORT_SYMBOL(module_free_exec);
23177 +void module_free_exec(struct module *mod, void *module_region)
23179 + module_free(mod, module_region);
23181 +EXPORT_SYMBOL(module_free_exec);
23183 +void *module_alloc_exec(unsigned long size)
23185 + return __module_alloc(size, PAGE_KERNEL_RX);
23187 +EXPORT_SYMBOL(module_alloc_exec);
23191 #ifdef CONFIG_X86_32
23192 int apply_relocate(Elf32_Shdr *sechdrs,
23193 const char *strtab,
23194 @@ -62,14 +107,16 @@ int apply_relocate(Elf32_Shdr *sechdrs,
23196 Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
23198 - uint32_t *location;
23199 + uint32_t *plocation, location;
23201 DEBUGP("Applying relocate section %u to %u\n",
23202 relsec, sechdrs[relsec].sh_info);
23203 for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
23204 /* This is where to make the change */
23205 - location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
23206 - + rel[i].r_offset;
23207 + plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
23208 + location = (uint32_t)plocation;
23209 + if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
23210 + plocation = ktla_ktva((void *)plocation);
23211 /* This is the symbol it is referring to. Note that all
23212 undefined symbols have been resolved. */
23213 sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
23214 @@ -78,11 +125,15 @@ int apply_relocate(Elf32_Shdr *sechdrs,
23215 switch (ELF32_R_TYPE(rel[i].r_info)) {
23217 /* We add the value into the location given */
23218 - *location += sym->st_value;
23219 + pax_open_kernel();
23220 + *plocation += sym->st_value;
23221 + pax_close_kernel();
23224 /* Add the value, subtract its position */
23225 - *location += sym->st_value - (uint32_t)location;
23226 + pax_open_kernel();
23227 + *plocation += sym->st_value - location;
23228 + pax_close_kernel();
23231 pr_err("%s: Unknown relocation: %u\n",
23232 @@ -127,21 +178,30 @@ int apply_relocate_add(Elf64_Shdr *sechdrs,
23233 case R_X86_64_NONE:
23236 + pax_open_kernel();
23238 + pax_close_kernel();
23241 + pax_open_kernel();
23243 + pax_close_kernel();
23244 if (val != *(u32 *)loc)
23248 + pax_open_kernel();
23250 + pax_close_kernel();
23251 if ((s64)val != *(s32 *)loc)
23254 case R_X86_64_PC32:
23256 + pax_open_kernel();
23258 + pax_close_kernel();
23261 if ((s64)val != *(s32 *)loc)
23263 diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
23264 index ce13049..e2e9c3c 100644
23265 --- a/arch/x86/kernel/msr.c
23266 +++ b/arch/x86/kernel/msr.c
23267 @@ -233,7 +233,7 @@ static int __cpuinit msr_class_cpu_callback(struct notifier_block *nfb,
23268 return notifier_from_errno(err);
23271 -static struct notifier_block __refdata msr_class_cpu_notifier = {
23272 +static struct notifier_block msr_class_cpu_notifier = {
23273 .notifier_call = msr_class_cpu_callback,
23276 diff --git a/arch/x86/kernel/nmi.c b/arch/x86/kernel/nmi.c
23277 index 6030805..2d33f21 100644
23278 --- a/arch/x86/kernel/nmi.c
23279 +++ b/arch/x86/kernel/nmi.c
23280 @@ -105,7 +105,7 @@ static int __kprobes nmi_handle(unsigned int type, struct pt_regs *regs, bool b2
23284 -int __register_nmi_handler(unsigned int type, struct nmiaction *action)
23285 +int __register_nmi_handler(unsigned int type, const struct nmiaction *action)
23287 struct nmi_desc *desc = nmi_to_desc(type);
23288 unsigned long flags;
23289 @@ -129,9 +129,9 @@ int __register_nmi_handler(unsigned int type, struct nmiaction *action)
23290 * event confuses some handlers (kdump uses this flag)
23292 if (action->flags & NMI_FLAG_FIRST)
23293 - list_add_rcu(&action->list, &desc->head);
23294 + pax_list_add_rcu((struct list_head *)&action->list, &desc->head);
23296 - list_add_tail_rcu(&action->list, &desc->head);
23297 + pax_list_add_tail_rcu((struct list_head *)&action->list, &desc->head);
23299 spin_unlock_irqrestore(&desc->lock, flags);
23301 @@ -154,7 +154,7 @@ void unregister_nmi_handler(unsigned int type, const char *name)
23302 if (!strcmp(n->name, name)) {
23304 "Trying to free NMI (%s) from NMI context!\n", n->name);
23305 - list_del_rcu(&n->list);
23306 + pax_list_del_rcu((struct list_head *)&n->list);
23310 @@ -479,6 +479,17 @@ static inline void nmi_nesting_postprocess(void)
23311 dotraplinkage notrace __kprobes void
23312 do_nmi(struct pt_regs *regs, long error_code)
23315 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
23316 + if (!user_mode(regs)) {
23317 + unsigned long cs = regs->cs & 0xFFFF;
23318 + unsigned long ip = ktva_ktla(regs->ip);
23320 + if ((cs == __KERNEL_CS || cs == __KERNEXEC_KERNEL_CS) && ip <= (unsigned long)_etext)
23325 nmi_nesting_preprocess(regs);
23328 diff --git a/arch/x86/kernel/nmi_selftest.c b/arch/x86/kernel/nmi_selftest.c
23329 index 6d9582e..f746287 100644
23330 --- a/arch/x86/kernel/nmi_selftest.c
23331 +++ b/arch/x86/kernel/nmi_selftest.c
23332 @@ -43,7 +43,7 @@ static void __init init_nmi_testsuite(void)
23334 /* trap all the unknown NMIs we may generate */
23335 register_nmi_handler(NMI_UNKNOWN, nmi_unk_cb, 0, "nmi_selftest_unk",
23340 static void __init cleanup_nmi_testsuite(void)
23341 @@ -66,7 +66,7 @@ static void __init test_nmi_ipi(struct cpumask *mask)
23342 unsigned long timeout;
23344 if (register_nmi_handler(NMI_LOCAL, test_nmi_ipi_callback,
23345 - NMI_FLAG_FIRST, "nmi_selftest", __initdata)) {
23346 + NMI_FLAG_FIRST, "nmi_selftest", __initconst)) {
23347 nmi_fail = FAILURE;
23350 diff --git a/arch/x86/kernel/paravirt-spinlocks.c b/arch/x86/kernel/paravirt-spinlocks.c
23351 index 676b8c7..870ba04 100644
23352 --- a/arch/x86/kernel/paravirt-spinlocks.c
23353 +++ b/arch/x86/kernel/paravirt-spinlocks.c
23354 @@ -13,7 +13,7 @@ default_spin_lock_flags(arch_spinlock_t *lock, unsigned long flags)
23355 arch_spin_lock(lock);
23358 -struct pv_lock_ops pv_lock_ops = {
23359 +struct pv_lock_ops pv_lock_ops __read_only = {
23361 .spin_is_locked = __ticket_spin_is_locked,
23362 .spin_is_contended = __ticket_spin_is_contended,
23363 diff --git a/arch/x86/kernel/paravirt.c b/arch/x86/kernel/paravirt.c
23364 index cd6de64..27c6af0 100644
23365 --- a/arch/x86/kernel/paravirt.c
23366 +++ b/arch/x86/kernel/paravirt.c
23367 @@ -55,6 +55,9 @@ u64 _paravirt_ident_64(u64 x)
23371 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
23372 +PV_CALLEE_SAVE_REGS_THUNK(_paravirt_ident_64);
23375 void __init default_banner(void)
23377 @@ -147,15 +150,19 @@ unsigned paravirt_patch_default(u8 type, u16 clobbers, void *insnbuf,
23378 if (opfunc == NULL)
23379 /* If there's no function, patch it with a ud2a (BUG) */
23380 ret = paravirt_patch_insns(insnbuf, len, ud2a, ud2a+sizeof(ud2a));
23381 - else if (opfunc == _paravirt_nop)
23382 + else if (opfunc == (void *)_paravirt_nop)
23383 /* If the operation is a nop, then nop the callsite */
23384 ret = paravirt_patch_nop();
23386 /* identity functions just return their single argument */
23387 - else if (opfunc == _paravirt_ident_32)
23388 + else if (opfunc == (void *)_paravirt_ident_32)
23389 ret = paravirt_patch_ident_32(insnbuf, len);
23390 - else if (opfunc == _paravirt_ident_64)
23391 + else if (opfunc == (void *)_paravirt_ident_64)
23392 ret = paravirt_patch_ident_64(insnbuf, len);
23393 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
23394 + else if (opfunc == (void *)__raw_callee_save__paravirt_ident_64)
23395 + ret = paravirt_patch_ident_64(insnbuf, len);
23398 else if (type == PARAVIRT_PATCH(pv_cpu_ops.iret) ||
23399 type == PARAVIRT_PATCH(pv_cpu_ops.irq_enable_sysexit) ||
23400 @@ -180,7 +187,7 @@ unsigned paravirt_patch_insns(void *insnbuf, unsigned len,
23401 if (insn_len > len || start == NULL)
23404 - memcpy(insnbuf, start, insn_len);
23405 + memcpy(insnbuf, ktla_ktva(start), insn_len);
23409 @@ -304,7 +311,7 @@ enum paravirt_lazy_mode paravirt_get_lazy_mode(void)
23410 return this_cpu_read(paravirt_lazy_mode);
23413 -struct pv_info pv_info = {
23414 +struct pv_info pv_info __read_only = {
23415 .name = "bare hardware",
23416 .paravirt_enabled = 0,
23418 @@ -315,16 +322,16 @@ struct pv_info pv_info = {
23422 -struct pv_init_ops pv_init_ops = {
23423 +struct pv_init_ops pv_init_ops __read_only = {
23424 .patch = native_patch,
23427 -struct pv_time_ops pv_time_ops = {
23428 +struct pv_time_ops pv_time_ops __read_only = {
23429 .sched_clock = native_sched_clock,
23430 .steal_clock = native_steal_clock,
23433 -struct pv_irq_ops pv_irq_ops = {
23434 +struct pv_irq_ops pv_irq_ops __read_only = {
23435 .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl),
23436 .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl),
23437 .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable),
23438 @@ -336,7 +343,7 @@ struct pv_irq_ops pv_irq_ops = {
23442 -struct pv_cpu_ops pv_cpu_ops = {
23443 +struct pv_cpu_ops pv_cpu_ops __read_only = {
23444 .cpuid = native_cpuid,
23445 .get_debugreg = native_get_debugreg,
23446 .set_debugreg = native_set_debugreg,
23447 @@ -394,21 +401,26 @@ struct pv_cpu_ops pv_cpu_ops = {
23448 .end_context_switch = paravirt_nop,
23451 -struct pv_apic_ops pv_apic_ops = {
23452 +struct pv_apic_ops pv_apic_ops __read_only= {
23453 #ifdef CONFIG_X86_LOCAL_APIC
23454 .startup_ipi_hook = paravirt_nop,
23458 -#if defined(CONFIG_X86_32) && !defined(CONFIG_X86_PAE)
23459 +#ifdef CONFIG_X86_32
23460 +#ifdef CONFIG_X86_PAE
23461 +/* 64-bit pagetable entries */
23462 +#define PTE_IDENT PV_CALLEE_SAVE(_paravirt_ident_64)
23464 /* 32-bit pagetable entries */
23465 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_32)
23468 /* 64-bit pagetable entries */
23469 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64)
23472 -struct pv_mmu_ops pv_mmu_ops = {
23473 +struct pv_mmu_ops pv_mmu_ops __read_only = {
23475 .read_cr2 = native_read_cr2,
23476 .write_cr2 = native_write_cr2,
23477 @@ -458,6 +470,7 @@ struct pv_mmu_ops pv_mmu_ops = {
23478 .make_pud = PTE_IDENT,
23480 .set_pgd = native_set_pgd,
23481 + .set_pgd_batched = native_set_pgd_batched,
23483 #endif /* PAGETABLE_LEVELS >= 3 */
23485 @@ -478,6 +491,12 @@ struct pv_mmu_ops pv_mmu_ops = {
23488 .set_fixmap = native_set_fixmap,
23490 +#ifdef CONFIG_PAX_KERNEXEC
23491 + .pax_open_kernel = native_pax_open_kernel,
23492 + .pax_close_kernel = native_pax_close_kernel,
23497 EXPORT_SYMBOL_GPL(pv_time_ops);
23498 diff --git a/arch/x86/kernel/pci-calgary_64.c b/arch/x86/kernel/pci-calgary_64.c
23499 index 299d493..2ccb0ee 100644
23500 --- a/arch/x86/kernel/pci-calgary_64.c
23501 +++ b/arch/x86/kernel/pci-calgary_64.c
23502 @@ -1339,7 +1339,7 @@ static void __init get_tce_space_from_tar(void)
23503 tce_space = be64_to_cpu(readq(target));
23504 tce_space = tce_space & TAR_SW_BITS;
23506 - tce_space = tce_space & (~specified_table_size);
23507 + tce_space = tce_space & (~(unsigned long)specified_table_size);
23508 info->tce_space = (u64 *)__va(tce_space);
23511 diff --git a/arch/x86/kernel/pci-iommu_table.c b/arch/x86/kernel/pci-iommu_table.c
23512 index 35ccf75..7a15747 100644
23513 --- a/arch/x86/kernel/pci-iommu_table.c
23514 +++ b/arch/x86/kernel/pci-iommu_table.c
23516 #include <asm/iommu_table.h>
23517 #include <linux/string.h>
23518 #include <linux/kallsyms.h>
23520 +#include <linux/sched.h>
23524 diff --git a/arch/x86/kernel/pci-swiotlb.c b/arch/x86/kernel/pci-swiotlb.c
23525 index 6c483ba..d10ce2f 100644
23526 --- a/arch/x86/kernel/pci-swiotlb.c
23527 +++ b/arch/x86/kernel/pci-swiotlb.c
23528 @@ -32,7 +32,7 @@ static void x86_swiotlb_free_coherent(struct device *dev, size_t size,
23529 void *vaddr, dma_addr_t dma_addr,
23530 struct dma_attrs *attrs)
23532 - swiotlb_free_coherent(dev, size, vaddr, dma_addr);
23533 + swiotlb_free_coherent(dev, size, vaddr, dma_addr, attrs);
23536 static struct dma_map_ops swiotlb_dma_ops = {
23537 diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
23538 index 81a5f5e..20f8b58 100644
23539 --- a/arch/x86/kernel/process.c
23540 +++ b/arch/x86/kernel/process.c
23542 * section. Since TSS's are completely CPU-local, we want them
23543 * on exact cacheline boundaries, to eliminate cacheline ping-pong.
23545 -DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
23546 +struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
23547 +EXPORT_SYMBOL(init_tss);
23549 #ifdef CONFIG_X86_64
23550 static DEFINE_PER_CPU(unsigned char, is_idle);
23551 @@ -92,7 +93,7 @@ void arch_task_cache_init(void)
23552 task_xstate_cachep =
23553 kmem_cache_create("task_xstate", xstate_size,
23554 __alignof__(union thread_xstate),
23555 - SLAB_PANIC | SLAB_NOTRACK, NULL);
23556 + SLAB_PANIC | SLAB_NOTRACK | SLAB_USERCOPY, NULL);
23560 @@ -105,7 +106,7 @@ void exit_thread(void)
23561 unsigned long *bp = t->io_bitmap_ptr;
23564 - struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
23565 + struct tss_struct *tss = init_tss + get_cpu();
23567 t->io_bitmap_ptr = NULL;
23568 clear_thread_flag(TIF_IO_BITMAP);
23569 @@ -125,6 +126,9 @@ void flush_thread(void)
23571 struct task_struct *tsk = current;
23573 +#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_PAX_MEMORY_UDEREF)
23574 + loadsegment(gs, 0);
23576 flush_ptrace_hw_breakpoint(tsk);
23577 memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
23578 drop_init_fpu(tsk);
23579 @@ -271,7 +275,7 @@ static void __exit_idle(void)
23580 void exit_idle(void)
23582 /* idle loop has pid 0 */
23583 - if (current->pid)
23584 + if (task_pid_nr(current))
23588 @@ -327,7 +331,7 @@ bool xen_set_default_idle(void)
23592 -void stop_this_cpu(void *dummy)
23593 +__noreturn void stop_this_cpu(void *dummy)
23595 local_irq_disable();
23597 @@ -456,16 +460,37 @@ static int __init idle_setup(char *str)
23599 early_param("idle", idle_setup);
23601 -unsigned long arch_align_stack(unsigned long sp)
23602 +#ifdef CONFIG_PAX_RANDKSTACK
23603 +void pax_randomize_kstack(struct pt_regs *regs)
23605 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
23606 - sp -= get_random_int() % 8192;
23607 - return sp & ~0xf;
23609 + struct thread_struct *thread = ¤t->thread;
23610 + unsigned long time;
23612 -unsigned long arch_randomize_brk(struct mm_struct *mm)
23614 - unsigned long range_end = mm->brk + 0x02000000;
23615 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
23617 + if (!randomize_va_space)
23620 + if (v8086_mode(regs))
23625 + /* P4 seems to return a 0 LSB, ignore it */
23626 +#ifdef CONFIG_MPENTIUM4
23629 +#elif defined(CONFIG_X86_64)
23637 + thread->sp0 ^= time;
23638 + load_sp0(init_tss + smp_processor_id(), thread);
23640 +#ifdef CONFIG_X86_64
23641 + this_cpu_write(kernel_stack, thread->sp0);
23645 diff --git a/arch/x86/kernel/process_32.c b/arch/x86/kernel/process_32.c
23646 index 7305f7d..22f73d6 100644
23647 --- a/arch/x86/kernel/process_32.c
23648 +++ b/arch/x86/kernel/process_32.c
23649 @@ -65,6 +65,7 @@ asmlinkage void ret_from_kernel_thread(void) __asm__("ret_from_kernel_thread");
23650 unsigned long thread_saved_pc(struct task_struct *tsk)
23652 return ((unsigned long *)tsk->thread.sp)[3];
23653 +//XXX return tsk->thread.eip;
23656 void __show_regs(struct pt_regs *regs, int all)
23657 @@ -74,19 +75,18 @@ void __show_regs(struct pt_regs *regs, int all)
23659 unsigned short ss, gs;
23661 - if (user_mode_vm(regs)) {
23662 + if (user_mode(regs)) {
23664 ss = regs->ss & 0xffff;
23665 - gs = get_user_gs(regs);
23667 sp = kernel_stack_pointer(regs);
23668 savesegment(ss, ss);
23669 - savesegment(gs, gs);
23671 + gs = get_user_gs(regs);
23673 printk(KERN_DEFAULT "EIP: %04x:[<%08lx>] EFLAGS: %08lx CPU: %d\n",
23674 (u16)regs->cs, regs->ip, regs->flags,
23675 - smp_processor_id());
23676 + raw_smp_processor_id());
23677 print_symbol("EIP is at %s\n", regs->ip);
23679 printk(KERN_DEFAULT "EAX: %08lx EBX: %08lx ECX: %08lx EDX: %08lx\n",
23680 @@ -128,20 +128,21 @@ void release_thread(struct task_struct *dead_task)
23681 int copy_thread(unsigned long clone_flags, unsigned long sp,
23682 unsigned long arg, struct task_struct *p)
23684 - struct pt_regs *childregs = task_pt_regs(p);
23685 + struct pt_regs *childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
23686 struct task_struct *tsk;
23689 p->thread.sp = (unsigned long) childregs;
23690 p->thread.sp0 = (unsigned long) (childregs+1);
23691 + p->tinfo.lowest_stack = (unsigned long)task_stack_page(p);
23693 if (unlikely(p->flags & PF_KTHREAD)) {
23694 /* kernel thread */
23695 memset(childregs, 0, sizeof(struct pt_regs));
23696 p->thread.ip = (unsigned long) ret_from_kernel_thread;
23697 - task_user_gs(p) = __KERNEL_STACK_CANARY;
23698 - childregs->ds = __USER_DS;
23699 - childregs->es = __USER_DS;
23700 + savesegment(gs, childregs->gs);
23701 + childregs->ds = __KERNEL_DS;
23702 + childregs->es = __KERNEL_DS;
23703 childregs->fs = __KERNEL_PERCPU;
23704 childregs->bx = sp; /* function */
23705 childregs->bp = arg;
23706 @@ -248,7 +249,7 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
23707 struct thread_struct *prev = &prev_p->thread,
23708 *next = &next_p->thread;
23709 int cpu = smp_processor_id();
23710 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
23711 + struct tss_struct *tss = init_tss + cpu;
23714 /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
23715 @@ -272,6 +273,10 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
23717 lazy_save_gs(prev->gs);
23719 +#ifdef CONFIG_PAX_MEMORY_UDEREF
23720 + __set_fs(task_thread_info(next_p)->addr_limit);
23724 * Load the per-thread Thread-Local Storage descriptor.
23726 @@ -302,6 +307,9 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
23728 arch_end_context_switch(next_p);
23730 + this_cpu_write(current_task, next_p);
23731 + this_cpu_write(current_tinfo, &next_p->tinfo);
23734 * Restore %gs if needed (which is common)
23736 @@ -310,8 +318,6 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
23738 switch_fpu_finish(next_p, fpu);
23740 - this_cpu_write(current_task, next_p);
23745 @@ -341,4 +347,3 @@ unsigned long get_wchan(struct task_struct *p)
23746 } while (count++ < 16);
23750 diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
23751 index 355ae06..560fbbe 100644
23752 --- a/arch/x86/kernel/process_64.c
23753 +++ b/arch/x86/kernel/process_64.c
23754 @@ -151,10 +151,11 @@ int copy_thread(unsigned long clone_flags, unsigned long sp,
23755 struct pt_regs *childregs;
23756 struct task_struct *me = current;
23758 - p->thread.sp0 = (unsigned long)task_stack_page(p) + THREAD_SIZE;
23759 + p->thread.sp0 = (unsigned long)task_stack_page(p) + THREAD_SIZE - 16;
23760 childregs = task_pt_regs(p);
23761 p->thread.sp = (unsigned long) childregs;
23762 p->thread.usersp = me->thread.usersp;
23763 + p->tinfo.lowest_stack = (unsigned long)task_stack_page(p);
23764 set_tsk_thread_flag(p, TIF_FORK);
23765 p->fpu_counter = 0;
23766 p->thread.io_bitmap_ptr = NULL;
23767 @@ -165,6 +166,8 @@ int copy_thread(unsigned long clone_flags, unsigned long sp,
23768 p->thread.fs = p->thread.fsindex ? 0 : me->thread.fs;
23769 savesegment(es, p->thread.es);
23770 savesegment(ds, p->thread.ds);
23771 + savesegment(ss, p->thread.ss);
23772 + BUG_ON(p->thread.ss == __UDEREF_KERNEL_DS);
23773 memset(p->thread.ptrace_bps, 0, sizeof(p->thread.ptrace_bps));
23775 if (unlikely(p->flags & PF_KTHREAD)) {
23776 @@ -273,7 +276,7 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
23777 struct thread_struct *prev = &prev_p->thread;
23778 struct thread_struct *next = &next_p->thread;
23779 int cpu = smp_processor_id();
23780 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
23781 + struct tss_struct *tss = init_tss + cpu;
23782 unsigned fsindex, gsindex;
23785 @@ -296,6 +299,9 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
23786 if (unlikely(next->ds | prev->ds))
23787 loadsegment(ds, next->ds);
23789 + savesegment(ss, prev->ss);
23790 + if (unlikely(next->ss != prev->ss))
23791 + loadsegment(ss, next->ss);
23793 /* We must save %fs and %gs before load_TLS() because
23794 * %fs and %gs may be cleared by load_TLS().
23795 @@ -355,10 +361,9 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
23796 prev->usersp = this_cpu_read(old_rsp);
23797 this_cpu_write(old_rsp, next->usersp);
23798 this_cpu_write(current_task, next_p);
23799 + this_cpu_write(current_tinfo, &next_p->tinfo);
23801 - this_cpu_write(kernel_stack,
23802 - (unsigned long)task_stack_page(next_p) +
23803 - THREAD_SIZE - KERNEL_STACK_OFFSET);
23804 + this_cpu_write(kernel_stack, next->sp0);
23807 * Now maybe reload the debug registers and handle I/O bitmaps
23808 @@ -427,12 +432,11 @@ unsigned long get_wchan(struct task_struct *p)
23809 if (!p || p == current || p->state == TASK_RUNNING)
23811 stack = (unsigned long)task_stack_page(p);
23812 - if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
23813 + if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-16-sizeof(u64))
23815 fp = *(u64 *)(p->thread.sp);
23817 - if (fp < (unsigned long)stack ||
23818 - fp >= (unsigned long)stack+THREAD_SIZE)
23819 + if (fp < stack || fp > stack+THREAD_SIZE-16-sizeof(u64))
23821 ip = *(u64 *)(fp+8);
23822 if (!in_sched_functions(ip))
23823 diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c
23824 index 29a8120..a50b5ee 100644
23825 --- a/arch/x86/kernel/ptrace.c
23826 +++ b/arch/x86/kernel/ptrace.c
23827 @@ -184,14 +184,13 @@ unsigned long kernel_stack_pointer(struct pt_regs *regs)
23829 unsigned long context = (unsigned long)regs & ~(THREAD_SIZE - 1);
23830 unsigned long sp = (unsigned long)®s->sp;
23831 - struct thread_info *tinfo;
23833 - if (context == (sp & ~(THREAD_SIZE - 1)))
23834 + if (context == ((sp + 8) & ~(THREAD_SIZE - 1)))
23837 - tinfo = (struct thread_info *)context;
23838 - if (tinfo->previous_esp)
23839 - return tinfo->previous_esp;
23840 + sp = *(unsigned long *)context;
23844 return (unsigned long)regs;
23846 @@ -588,7 +587,7 @@ static void ptrace_triggered(struct perf_event *bp,
23847 static unsigned long ptrace_get_dr7(struct perf_event *bp[])
23851 + unsigned long dr7 = 0;
23852 struct arch_hw_breakpoint *info;
23854 for (i = 0; i < HBP_NUM; i++) {
23855 @@ -856,7 +855,7 @@ long arch_ptrace(struct task_struct *child, long request,
23856 unsigned long addr, unsigned long data)
23859 - unsigned long __user *datap = (unsigned long __user *)data;
23860 + unsigned long __user *datap = (__force unsigned long __user *)data;
23863 /* read the word at location addr in the USER area. */
23864 @@ -941,14 +940,14 @@ long arch_ptrace(struct task_struct *child, long request,
23865 if ((int) addr < 0)
23867 ret = do_get_thread_area(child, addr,
23868 - (struct user_desc __user *)data);
23869 + (__force struct user_desc __user *) data);
23872 case PTRACE_SET_THREAD_AREA:
23873 if ((int) addr < 0)
23875 ret = do_set_thread_area(child, addr,
23876 - (struct user_desc __user *)data, 0);
23877 + (__force struct user_desc __user *) data, 0);
23881 @@ -1326,7 +1325,7 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request,
23883 #ifdef CONFIG_X86_64
23885 -static struct user_regset x86_64_regsets[] __read_mostly = {
23886 +static user_regset_no_const x86_64_regsets[] __read_only = {
23887 [REGSET_GENERAL] = {
23888 .core_note_type = NT_PRSTATUS,
23889 .n = sizeof(struct user_regs_struct) / sizeof(long),
23890 @@ -1367,7 +1366,7 @@ static const struct user_regset_view user_x86_64_view = {
23891 #endif /* CONFIG_X86_64 */
23893 #if defined CONFIG_X86_32 || defined CONFIG_IA32_EMULATION
23894 -static struct user_regset x86_32_regsets[] __read_mostly = {
23895 +static user_regset_no_const x86_32_regsets[] __read_only = {
23896 [REGSET_GENERAL] = {
23897 .core_note_type = NT_PRSTATUS,
23898 .n = sizeof(struct user_regs_struct32) / sizeof(u32),
23899 @@ -1420,7 +1419,7 @@ static const struct user_regset_view user_x86_32_view = {
23901 u64 xstate_fx_sw_bytes[USER_XSTATE_FX_SW_WORDS];
23903 -void update_regset_xstate_info(unsigned int size, u64 xstate_mask)
23904 +void __init update_regset_xstate_info(unsigned int size, u64 xstate_mask)
23906 #ifdef CONFIG_X86_64
23907 x86_64_regsets[REGSET_XSTATE].n = size / sizeof(u64);
23908 @@ -1455,7 +1454,7 @@ static void fill_sigtrap_info(struct task_struct *tsk,
23909 memset(info, 0, sizeof(*info));
23910 info->si_signo = SIGTRAP;
23911 info->si_code = si_code;
23912 - info->si_addr = user_mode_vm(regs) ? (void __user *)regs->ip : NULL;
23913 + info->si_addr = user_mode(regs) ? (__force void __user *)regs->ip : NULL;
23916 void user_single_step_siginfo(struct task_struct *tsk,
23917 @@ -1484,6 +1483,10 @@ void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs,
23921 +#ifdef CONFIG_GRKERNSEC_SETXID
23922 +extern void gr_delayed_cred_worker(void);
23926 * We must return the syscall number to actually look up in the table.
23927 * This can be -1L to skip running any syscall at all.
23928 @@ -1494,6 +1497,11 @@ long syscall_trace_enter(struct pt_regs *regs)
23932 +#ifdef CONFIG_GRKERNSEC_SETXID
23933 + if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
23934 + gr_delayed_cred_worker();
23938 * If we stepped into a sysenter/syscall insn, it trapped in
23939 * kernel mode; do_debug() cleared TF and set TIF_SINGLESTEP.
23940 @@ -1549,6 +1557,11 @@ void syscall_trace_leave(struct pt_regs *regs)
23944 +#ifdef CONFIG_GRKERNSEC_SETXID
23945 + if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
23946 + gr_delayed_cred_worker();
23949 audit_syscall_exit(regs);
23951 if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
23952 diff --git a/arch/x86/kernel/pvclock.c b/arch/x86/kernel/pvclock.c
23953 index 2cb9470..ff1fd80 100644
23954 --- a/arch/x86/kernel/pvclock.c
23955 +++ b/arch/x86/kernel/pvclock.c
23956 @@ -43,11 +43,11 @@ unsigned long pvclock_tsc_khz(struct pvclock_vcpu_time_info *src)
23960 -static atomic64_t last_value = ATOMIC64_INIT(0);
23961 +static atomic64_unchecked_t last_value = ATOMIC64_INIT(0);
23963 void pvclock_resume(void)
23965 - atomic64_set(&last_value, 0);
23966 + atomic64_set_unchecked(&last_value, 0);
23969 u8 pvclock_read_flags(struct pvclock_vcpu_time_info *src)
23970 @@ -92,11 +92,11 @@ cycle_t pvclock_clocksource_read(struct pvclock_vcpu_time_info *src)
23971 * updating at the same time, and one of them could be slightly behind,
23972 * making the assumption that last_value always go forward fail to hold.
23974 - last = atomic64_read(&last_value);
23975 + last = atomic64_read_unchecked(&last_value);
23979 - last = atomic64_cmpxchg(&last_value, last, ret);
23980 + last = atomic64_cmpxchg_unchecked(&last_value, last, ret);
23981 } while (unlikely(last != ret));
23984 diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c
23985 index 76fa1e9..abf09ea 100644
23986 --- a/arch/x86/kernel/reboot.c
23987 +++ b/arch/x86/kernel/reboot.c
23988 @@ -36,7 +36,7 @@ void (*pm_power_off)(void);
23989 EXPORT_SYMBOL(pm_power_off);
23991 static const struct desc_ptr no_idt = {};
23992 -static int reboot_mode;
23993 +static unsigned short reboot_mode;
23994 enum reboot_type reboot_type = BOOT_ACPI;
23997 @@ -157,6 +157,11 @@ static int __init set_bios_reboot(const struct dmi_system_id *d)
23999 void __noreturn machine_real_restart(unsigned int type)
24002 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF))
24003 + struct desc_struct *gdt;
24006 local_irq_disable();
24009 @@ -184,7 +189,29 @@ void __noreturn machine_real_restart(unsigned int type)
24011 /* Jump to the identity-mapped low memory code */
24012 #ifdef CONFIG_X86_32
24013 - asm volatile("jmpl *%0" : :
24015 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
24016 + gdt = get_cpu_gdt_table(smp_processor_id());
24017 + pax_open_kernel();
24018 +#ifdef CONFIG_PAX_MEMORY_UDEREF
24019 + gdt[GDT_ENTRY_KERNEL_DS].type = 3;
24020 + gdt[GDT_ENTRY_KERNEL_DS].limit = 0xf;
24021 + loadsegment(ds, __KERNEL_DS);
24022 + loadsegment(es, __KERNEL_DS);
24023 + loadsegment(ss, __KERNEL_DS);
24025 +#ifdef CONFIG_PAX_KERNEXEC
24026 + gdt[GDT_ENTRY_KERNEL_CS].base0 = 0;
24027 + gdt[GDT_ENTRY_KERNEL_CS].base1 = 0;
24028 + gdt[GDT_ENTRY_KERNEL_CS].base2 = 0;
24029 + gdt[GDT_ENTRY_KERNEL_CS].limit0 = 0xffff;
24030 + gdt[GDT_ENTRY_KERNEL_CS].limit = 0xf;
24031 + gdt[GDT_ENTRY_KERNEL_CS].g = 1;
24033 + pax_close_kernel();
24036 + asm volatile("ljmpl *%0" : :
24037 "rm" (real_mode_header->machine_real_restart_asm),
24040 @@ -531,7 +558,7 @@ void __attribute__((weak)) mach_reboot_fixups(void)
24041 * try to force a triple fault and then cycle between hitting the keyboard
24042 * controller and doing that
24044 -static void native_machine_emergency_restart(void)
24045 +static void __noreturn native_machine_emergency_restart(void)
24049 @@ -654,13 +681,13 @@ void native_machine_shutdown(void)
24053 -static void __machine_emergency_restart(int emergency)
24054 +static void __noreturn __machine_emergency_restart(int emergency)
24056 reboot_emergency = emergency;
24057 machine_ops.emergency_restart();
24060 -static void native_machine_restart(char *__unused)
24061 +static void __noreturn native_machine_restart(char *__unused)
24063 pr_notice("machine restart\n");
24065 @@ -669,7 +696,7 @@ static void native_machine_restart(char *__unused)
24066 __machine_emergency_restart(0);
24069 -static void native_machine_halt(void)
24070 +static void __noreturn native_machine_halt(void)
24072 /* Stop other cpus and apics */
24073 machine_shutdown();
24074 @@ -679,7 +706,7 @@ static void native_machine_halt(void)
24075 stop_this_cpu(NULL);
24078 -static void native_machine_power_off(void)
24079 +static void __noreturn native_machine_power_off(void)
24081 if (pm_power_off) {
24083 @@ -688,9 +715,10 @@ static void native_machine_power_off(void)
24085 /* A fallback in case there is no PM info available */
24086 tboot_shutdown(TB_SHUTDOWN_HALT);
24090 -struct machine_ops machine_ops = {
24091 +struct machine_ops machine_ops __read_only = {
24092 .power_off = native_machine_power_off,
24093 .shutdown = native_machine_shutdown,
24094 .emergency_restart = native_machine_emergency_restart,
24095 diff --git a/arch/x86/kernel/reboot_fixups_32.c b/arch/x86/kernel/reboot_fixups_32.c
24096 index c8e41e9..64049ef 100644
24097 --- a/arch/x86/kernel/reboot_fixups_32.c
24098 +++ b/arch/x86/kernel/reboot_fixups_32.c
24099 @@ -57,7 +57,7 @@ struct device_fixup {
24100 unsigned int vendor;
24101 unsigned int device;
24102 void (*reboot_fixup)(struct pci_dev *);
24107 * PCI ids solely used for fixups_table go here
24108 diff --git a/arch/x86/kernel/relocate_kernel_64.S b/arch/x86/kernel/relocate_kernel_64.S
24109 index f2bb9c9..bed145d7 100644
24110 --- a/arch/x86/kernel/relocate_kernel_64.S
24111 +++ b/arch/x86/kernel/relocate_kernel_64.S
24113 #include <asm/kexec.h>
24114 #include <asm/processor-flags.h>
24115 #include <asm/pgtable_types.h>
24116 +#include <asm/alternative-asm.h>
24119 * Must be relocatable PIC code callable as a C function
24120 @@ -167,6 +168,7 @@ identity_mapped:
24124 + pax_force_retaddr 0, 1
24128 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
24129 index 56f7fcf..2cfe4f1 100644
24130 --- a/arch/x86/kernel/setup.c
24131 +++ b/arch/x86/kernel/setup.c
24132 @@ -110,6 +110,7 @@
24133 #include <asm/mce.h>
24134 #include <asm/alternative.h>
24135 #include <asm/prom.h>
24136 +#include <asm/boot.h>
24139 * max_low_pfn_mapped: highest direct mapped pfn under 4GB
24140 @@ -205,12 +206,50 @@ EXPORT_SYMBOL(boot_cpu_data);
24144 -#if !defined(CONFIG_X86_PAE) || defined(CONFIG_X86_64)
24145 -unsigned long mmu_cr4_features;
24146 +#ifdef CONFIG_X86_64
24147 +unsigned long mmu_cr4_features __read_only = X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE;
24148 +#elif defined(CONFIG_X86_PAE)
24149 +unsigned long mmu_cr4_features __read_only = X86_CR4_PAE;
24151 -unsigned long mmu_cr4_features = X86_CR4_PAE;
24152 +unsigned long mmu_cr4_features __read_only;
24155 +void set_in_cr4(unsigned long mask)
24157 + unsigned long cr4 = read_cr4();
24159 + if ((cr4 & mask) == mask && cr4 == mmu_cr4_features)
24162 + pax_open_kernel();
24163 + mmu_cr4_features |= mask;
24164 + pax_close_kernel();
24166 + if (trampoline_cr4_features)
24167 + *trampoline_cr4_features = mmu_cr4_features;
24171 +EXPORT_SYMBOL(set_in_cr4);
24173 +void clear_in_cr4(unsigned long mask)
24175 + unsigned long cr4 = read_cr4();
24177 + if (!(cr4 & mask) && cr4 == mmu_cr4_features)
24180 + pax_open_kernel();
24181 + mmu_cr4_features &= ~mask;
24182 + pax_close_kernel();
24184 + if (trampoline_cr4_features)
24185 + *trampoline_cr4_features = mmu_cr4_features;
24189 +EXPORT_SYMBOL(clear_in_cr4);
24191 /* Boot loader ID and version as integers, for the benefit of proc_dointvec */
24192 int bootloader_type, bootloader_version;
24194 @@ -444,7 +483,7 @@ static void __init parse_setup_data(void)
24196 switch (data->type) {
24197 case SETUP_E820_EXT:
24198 - parse_e820_ext(data);
24199 + parse_e820_ext((struct setup_data __force_kernel *)data);
24203 @@ -771,7 +810,7 @@ static void __init trim_bios_range(void)
24204 * area (640->1Mb) as ram even though it is not.
24207 - e820_remove_range(BIOS_BEGIN, BIOS_END - BIOS_BEGIN, E820_RAM, 1);
24208 + e820_remove_range(ISA_START_ADDRESS, ISA_END_ADDRESS - ISA_START_ADDRESS, E820_RAM, 1);
24210 sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map);
24212 @@ -779,7 +818,7 @@ static void __init trim_bios_range(void)
24213 /* called before trim_bios_range() to spare extra sanitize */
24214 static void __init e820_add_kernel_range(void)
24216 - u64 start = __pa_symbol(_text);
24217 + u64 start = __pa_symbol(ktla_ktva(_text));
24218 u64 size = __pa_symbol(_end) - start;
24221 @@ -841,8 +880,12 @@ static void __init trim_low_memory_range(void)
24223 void __init setup_arch(char **cmdline_p)
24225 +#ifdef CONFIG_X86_32
24226 + memblock_reserve(LOAD_PHYSICAL_ADDR, __pa_symbol(__bss_stop) - LOAD_PHYSICAL_ADDR);
24228 memblock_reserve(__pa_symbol(_text),
24229 (unsigned long)__bss_stop - (unsigned long)_text);
24232 early_reserve_initrd();
24234 @@ -934,14 +977,14 @@ void __init setup_arch(char **cmdline_p)
24236 if (!boot_params.hdr.root_flags)
24237 root_mountflags &= ~MS_RDONLY;
24238 - init_mm.start_code = (unsigned long) _text;
24239 - init_mm.end_code = (unsigned long) _etext;
24240 + init_mm.start_code = ktla_ktva((unsigned long) _text);
24241 + init_mm.end_code = ktla_ktva((unsigned long) _etext);
24242 init_mm.end_data = (unsigned long) _edata;
24243 init_mm.brk = _brk_end;
24245 - code_resource.start = __pa_symbol(_text);
24246 - code_resource.end = __pa_symbol(_etext)-1;
24247 - data_resource.start = __pa_symbol(_etext);
24248 + code_resource.start = __pa_symbol(ktla_ktva(_text));
24249 + code_resource.end = __pa_symbol(ktla_ktva(_etext))-1;
24250 + data_resource.start = __pa_symbol(_sdata);
24251 data_resource.end = __pa_symbol(_edata)-1;
24252 bss_resource.start = __pa_symbol(__bss_start);
24253 bss_resource.end = __pa_symbol(__bss_stop)-1;
24254 diff --git a/arch/x86/kernel/setup_percpu.c b/arch/x86/kernel/setup_percpu.c
24255 index 5cdff03..80fa283 100644
24256 --- a/arch/x86/kernel/setup_percpu.c
24257 +++ b/arch/x86/kernel/setup_percpu.c
24258 @@ -21,19 +21,17 @@
24259 #include <asm/cpu.h>
24260 #include <asm/stackprotector.h>
24262 -DEFINE_PER_CPU_READ_MOSTLY(int, cpu_number);
24264 +DEFINE_PER_CPU_READ_MOSTLY(unsigned int, cpu_number);
24265 EXPORT_PER_CPU_SYMBOL(cpu_number);
24268 -#ifdef CONFIG_X86_64
24269 #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load)
24271 -#define BOOT_PERCPU_OFFSET 0
24274 DEFINE_PER_CPU(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET;
24275 EXPORT_PER_CPU_SYMBOL(this_cpu_off);
24277 -unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = {
24278 +unsigned long __per_cpu_offset[NR_CPUS] __read_only = {
24279 [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
24281 EXPORT_SYMBOL(__per_cpu_offset);
24282 @@ -66,7 +64,7 @@ static bool __init pcpu_need_numa(void)
24284 #ifdef CONFIG_NEED_MULTIPLE_NODES
24285 pg_data_t *last = NULL;
24286 - unsigned int cpu;
24289 for_each_possible_cpu(cpu) {
24290 int node = early_cpu_to_node(cpu);
24291 @@ -155,10 +153,10 @@ static inline void setup_percpu_segment(int cpu)
24293 #ifdef CONFIG_X86_32
24294 struct desc_struct gdt;
24295 + unsigned long base = per_cpu_offset(cpu);
24297 - pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF,
24298 - 0x2 | DESCTYPE_S, 0x8);
24300 + pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT,
24301 + 0x83 | DESCTYPE_S, 0xC);
24302 write_gdt_entry(get_cpu_gdt_table(cpu),
24303 GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
24305 @@ -219,6 +217,11 @@ void __init setup_per_cpu_areas(void)
24306 /* alrighty, percpu areas up and running */
24307 delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
24308 for_each_possible_cpu(cpu) {
24309 +#ifdef CONFIG_CC_STACKPROTECTOR
24310 +#ifdef CONFIG_X86_32
24311 + unsigned long canary = per_cpu(stack_canary.canary, cpu);
24314 per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
24315 per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
24316 per_cpu(cpu_number, cpu) = cpu;
24317 @@ -259,6 +262,12 @@ void __init setup_per_cpu_areas(void)
24319 set_cpu_numa_node(cpu, early_cpu_to_node(cpu));
24321 +#ifdef CONFIG_CC_STACKPROTECTOR
24322 +#ifdef CONFIG_X86_32
24324 + per_cpu(stack_canary.canary, cpu) = canary;
24328 * Up to this point, the boot CPU has been using .init.data
24329 * area. Reload any changed state for the boot CPU.
24330 diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
24331 index 6956299..18126ec4 100644
24332 --- a/arch/x86/kernel/signal.c
24333 +++ b/arch/x86/kernel/signal.c
24334 @@ -196,7 +196,7 @@ static unsigned long align_sigframe(unsigned long sp)
24335 * Align the stack pointer according to the i386 ABI,
24336 * i.e. so that on function entry ((sp + 4) & 15) == 0.
24338 - sp = ((sp + 4) & -16ul) - 4;
24339 + sp = ((sp - 12) & -16ul) - 4;
24340 #else /* !CONFIG_X86_32 */
24341 sp = round_down(sp, 16) - 8;
24343 @@ -304,9 +304,9 @@ __setup_frame(int sig, struct ksignal *ksig, sigset_t *set,
24346 if (current->mm->context.vdso)
24347 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
24348 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
24350 - restorer = &frame->retcode;
24351 + restorer = (void __user *)&frame->retcode;
24352 if (ksig->ka.sa.sa_flags & SA_RESTORER)
24353 restorer = ksig->ka.sa.sa_restorer;
24355 @@ -320,7 +320,7 @@ __setup_frame(int sig, struct ksignal *ksig, sigset_t *set,
24356 * reasons and because gdb uses it as a signature to notice
24357 * signal handler stack frames.
24359 - err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode);
24360 + err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode);
24364 @@ -364,10 +364,13 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig,
24366 put_user_ex(0, &frame->uc.uc_flags);
24367 put_user_ex(0, &frame->uc.uc_link);
24368 - err |= __save_altstack(&frame->uc.uc_stack, regs->sp);
24369 + __save_altstack_ex(&frame->uc.uc_stack, regs->sp);
24371 /* Set up to return from userspace. */
24372 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
24373 + if (current->mm->context.vdso)
24374 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
24376 + restorer = (void __user *)&frame->retcode;
24377 if (ksig->ka.sa.sa_flags & SA_RESTORER)
24378 restorer = ksig->ka.sa.sa_restorer;
24379 put_user_ex(restorer, &frame->pretcode);
24380 @@ -379,7 +382,7 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig,
24381 * reasons and because gdb uses it as a signature to notice
24382 * signal handler stack frames.
24384 - put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode);
24385 + put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode);
24386 } put_user_catch(err);
24388 err |= copy_siginfo_to_user(&frame->info, &ksig->info);
24389 @@ -429,7 +432,7 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig,
24391 put_user_ex(0, &frame->uc.uc_flags);
24392 put_user_ex(0, &frame->uc.uc_link);
24393 - err |= __save_altstack(&frame->uc.uc_stack, regs->sp);
24394 + __save_altstack_ex(&frame->uc.uc_stack, regs->sp);
24396 /* Set up to return from userspace. If provided, use a stub
24397 already in userspace. */
24398 @@ -615,7 +618,12 @@ setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs)
24400 int usig = signr_convert(ksig->sig);
24401 sigset_t *set = sigmask_to_save();
24402 - compat_sigset_t *cset = (compat_sigset_t *) set;
24403 + sigset_t sigcopy;
24404 + compat_sigset_t *cset;
24408 + cset = (compat_sigset_t *) &sigcopy;
24410 /* Set up the stack frame */
24411 if (is_ia32_frame()) {
24412 @@ -626,7 +634,7 @@ setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs)
24413 } else if (is_x32_frame()) {
24414 return x32_setup_rt_frame(ksig, cset, regs);
24416 - return __setup_rt_frame(ksig->sig, ksig, set, regs);
24417 + return __setup_rt_frame(ksig->sig, ksig, &sigcopy, regs);
24421 diff --git a/arch/x86/kernel/smp.c b/arch/x86/kernel/smp.c
24422 index 48d2b7d..90d328a 100644
24423 --- a/arch/x86/kernel/smp.c
24424 +++ b/arch/x86/kernel/smp.c
24425 @@ -285,7 +285,7 @@ static int __init nonmi_ipi_setup(char *str)
24427 __setup("nonmi_ipi", nonmi_ipi_setup);
24429 -struct smp_ops smp_ops = {
24430 +struct smp_ops smp_ops __read_only = {
24431 .smp_prepare_boot_cpu = native_smp_prepare_boot_cpu,
24432 .smp_prepare_cpus = native_smp_prepare_cpus,
24433 .smp_cpus_done = native_smp_cpus_done,
24434 diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c
24435 index bfd348e..914f323 100644
24436 --- a/arch/x86/kernel/smpboot.c
24437 +++ b/arch/x86/kernel/smpboot.c
24438 @@ -251,14 +251,18 @@ notrace static void __cpuinit start_secondary(void *unused)
24440 enable_start_cpu0 = 0;
24442 -#ifdef CONFIG_X86_32
24443 - /* switch away from the initial page table */
24444 - load_cr3(swapper_pg_dir);
24445 - __flush_tlb_all();
24448 /* otherwise gcc will move up smp_processor_id before the cpu_init */
24451 + /* switch away from the initial page table */
24452 +#ifdef CONFIG_PAX_PER_CPU_PGD
24453 + load_cr3(get_cpu_pgd(smp_processor_id(), kernel));
24454 + __flush_tlb_all();
24455 +#elif defined(CONFIG_X86_32)
24456 + load_cr3(swapper_pg_dir);
24457 + __flush_tlb_all();
24461 * Check TSC synchronization with the BP:
24463 @@ -748,6 +752,7 @@ static int __cpuinit do_boot_cpu(int apicid, int cpu, struct task_struct *idle)
24464 idle->thread.sp = (unsigned long) (((struct pt_regs *)
24465 (THREAD_SIZE + task_stack_page(idle))) - 1);
24466 per_cpu(current_task, cpu) = idle;
24467 + per_cpu(current_tinfo, cpu) = &idle->tinfo;
24469 #ifdef CONFIG_X86_32
24470 /* Stack for startup_32 can be just as for start_secondary onwards */
24471 @@ -755,11 +760,13 @@ static int __cpuinit do_boot_cpu(int apicid, int cpu, struct task_struct *idle)
24473 clear_tsk_thread_flag(idle, TIF_FORK);
24474 initial_gs = per_cpu_offset(cpu);
24475 - per_cpu(kernel_stack, cpu) =
24476 - (unsigned long)task_stack_page(idle) -
24477 - KERNEL_STACK_OFFSET + THREAD_SIZE;
24478 + per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(idle) - 16 + THREAD_SIZE;
24481 + pax_open_kernel();
24482 early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
24483 + pax_close_kernel();
24485 initial_code = (unsigned long)start_secondary;
24486 stack_start = idle->thread.sp;
24488 @@ -908,6 +915,15 @@ int __cpuinit native_cpu_up(unsigned int cpu, struct task_struct *tidle)
24489 /* the FPU context is blank, nobody can own it */
24490 __cpu_disable_lazy_restore(cpu);
24492 +#ifdef CONFIG_PAX_PER_CPU_PGD
24493 + clone_pgd_range(get_cpu_pgd(cpu, kernel) + KERNEL_PGD_BOUNDARY,
24494 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
24495 + KERNEL_PGD_PTRS);
24496 + clone_pgd_range(get_cpu_pgd(cpu, user) + KERNEL_PGD_BOUNDARY,
24497 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
24498 + KERNEL_PGD_PTRS);
24501 err = do_boot_cpu(apicid, cpu, tidle);
24503 pr_debug("do_boot_cpu failed %d\n", err);
24504 diff --git a/arch/x86/kernel/step.c b/arch/x86/kernel/step.c
24505 index 9b4d51d..5d28b58 100644
24506 --- a/arch/x86/kernel/step.c
24507 +++ b/arch/x86/kernel/step.c
24508 @@ -27,10 +27,10 @@ unsigned long convert_ip_to_linear(struct task_struct *child, struct pt_regs *re
24509 struct desc_struct *desc;
24510 unsigned long base;
24515 mutex_lock(&child->mm->context.lock);
24516 - if (unlikely((seg >> 3) >= child->mm->context.size))
24517 + if (unlikely(seg >= child->mm->context.size))
24518 addr = -1L; /* bogus selector, access would fault */
24520 desc = child->mm->context.ldt + seg;
24521 @@ -42,7 +42,8 @@ unsigned long convert_ip_to_linear(struct task_struct *child, struct pt_regs *re
24524 mutex_unlock(&child->mm->context.lock);
24526 + } else if (seg == __KERNEL_CS || seg == __KERNEXEC_KERNEL_CS)
24527 + addr = ktla_ktva(addr);
24531 @@ -53,6 +54,9 @@ static int is_setting_trap_flag(struct task_struct *child, struct pt_regs *regs)
24532 unsigned char opcode[15];
24533 unsigned long addr = convert_ip_to_linear(child, regs);
24535 + if (addr == -EINVAL)
24538 copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
24539 for (i = 0; i < copied; i++) {
24540 switch (opcode[i]) {
24541 diff --git a/arch/x86/kernel/sys_i386_32.c b/arch/x86/kernel/sys_i386_32.c
24542 new file mode 100644
24543 index 0000000..5877189
24545 +++ b/arch/x86/kernel/sys_i386_32.c
24548 + * This file contains various random system calls that
24549 + * have a non-standard calling sequence on the Linux/i386
24553 +#include <linux/errno.h>
24554 +#include <linux/sched.h>
24555 +#include <linux/mm.h>
24556 +#include <linux/fs.h>
24557 +#include <linux/smp.h>
24558 +#include <linux/sem.h>
24559 +#include <linux/msg.h>
24560 +#include <linux/shm.h>
24561 +#include <linux/stat.h>
24562 +#include <linux/syscalls.h>
24563 +#include <linux/mman.h>
24564 +#include <linux/file.h>
24565 +#include <linux/utsname.h>
24566 +#include <linux/ipc.h>
24567 +#include <linux/elf.h>
24569 +#include <linux/uaccess.h>
24570 +#include <linux/unistd.h>
24572 +#include <asm/syscalls.h>
24574 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
24576 + unsigned long pax_task_size = TASK_SIZE;
24578 +#ifdef CONFIG_PAX_SEGMEXEC
24579 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
24580 + pax_task_size = SEGMEXEC_TASK_SIZE;
24583 + if (flags & MAP_FIXED)
24584 + if (len > pax_task_size || addr > pax_task_size - len)
24591 + * Align a virtual address to avoid aliasing in the I$ on AMD F15h.
24593 +static unsigned long get_align_mask(void)
24595 + if (va_align.flags < 0 || !(va_align.flags & ALIGN_VA_32))
24598 + if (!(current->flags & PF_RANDOMIZE))
24601 + return va_align.mask;
24605 +arch_get_unmapped_area(struct file *filp, unsigned long addr,
24606 + unsigned long len, unsigned long pgoff, unsigned long flags)
24608 + struct mm_struct *mm = current->mm;
24609 + struct vm_area_struct *vma;
24610 + unsigned long pax_task_size = TASK_SIZE;
24611 + struct vm_unmapped_area_info info;
24612 + unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
24614 +#ifdef CONFIG_PAX_SEGMEXEC
24615 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
24616 + pax_task_size = SEGMEXEC_TASK_SIZE;
24619 + pax_task_size -= PAGE_SIZE;
24621 + if (len > pax_task_size)
24624 + if (flags & MAP_FIXED)
24627 +#ifdef CONFIG_PAX_RANDMMAP
24628 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
24632 + addr = PAGE_ALIGN(addr);
24633 + if (pax_task_size - len >= addr) {
24634 + vma = find_vma(mm, addr);
24635 + if (check_heap_stack_gap(vma, addr, len, offset))
24641 + info.length = len;
24642 + info.align_mask = filp ? get_align_mask() : 0;
24643 + info.align_offset = pgoff << PAGE_SHIFT;
24644 + info.threadstack_offset = offset;
24646 +#ifdef CONFIG_PAX_PAGEEXEC
24647 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE)) {
24648 + info.low_limit = 0x00110000UL;
24649 + info.high_limit = mm->start_code;
24651 +#ifdef CONFIG_PAX_RANDMMAP
24652 + if (mm->pax_flags & MF_PAX_RANDMMAP)
24653 + info.low_limit += mm->delta_mmap & 0x03FFF000UL;
24656 + if (info.low_limit < info.high_limit) {
24657 + addr = vm_unmapped_area(&info);
24658 + if (!IS_ERR_VALUE(addr))
24664 + info.low_limit = mm->mmap_base;
24665 + info.high_limit = pax_task_size;
24667 + return vm_unmapped_area(&info);
24671 +arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
24672 + const unsigned long len, const unsigned long pgoff,
24673 + const unsigned long flags)
24675 + struct vm_area_struct *vma;
24676 + struct mm_struct *mm = current->mm;
24677 + unsigned long addr = addr0, pax_task_size = TASK_SIZE;
24678 + struct vm_unmapped_area_info info;
24679 + unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
24681 +#ifdef CONFIG_PAX_SEGMEXEC
24682 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
24683 + pax_task_size = SEGMEXEC_TASK_SIZE;
24686 + pax_task_size -= PAGE_SIZE;
24688 + /* requested length too big for entire address space */
24689 + if (len > pax_task_size)
24692 + if (flags & MAP_FIXED)
24695 +#ifdef CONFIG_PAX_PAGEEXEC
24696 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
24700 +#ifdef CONFIG_PAX_RANDMMAP
24701 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
24704 + /* requesting a specific address */
24706 + addr = PAGE_ALIGN(addr);
24707 + if (pax_task_size - len >= addr) {
24708 + vma = find_vma(mm, addr);
24709 + if (check_heap_stack_gap(vma, addr, len, offset))
24714 + info.flags = VM_UNMAPPED_AREA_TOPDOWN;
24715 + info.length = len;
24716 + info.low_limit = PAGE_SIZE;
24717 + info.high_limit = mm->mmap_base;
24718 + info.align_mask = filp ? get_align_mask() : 0;
24719 + info.align_offset = pgoff << PAGE_SHIFT;
24720 + info.threadstack_offset = offset;
24722 + addr = vm_unmapped_area(&info);
24723 + if (!(addr & ~PAGE_MASK))
24725 + VM_BUG_ON(addr != -ENOMEM);
24729 + * A failed mmap() very likely causes application failure,
24730 + * so fall back to the bottom-up function here. This scenario
24731 + * can happen with large stack limits and large mmap()
24734 + return arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
24736 diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c
24737 index 48f8375..ace2781 100644
24738 --- a/arch/x86/kernel/sys_x86_64.c
24739 +++ b/arch/x86/kernel/sys_x86_64.c
24740 @@ -81,8 +81,8 @@ out:
24744 -static void find_start_end(unsigned long flags, unsigned long *begin,
24745 - unsigned long *end)
24746 +static void find_start_end(struct mm_struct *mm, unsigned long flags,
24747 + unsigned long *begin, unsigned long *end)
24749 if (!test_thread_flag(TIF_ADDR32) && (flags & MAP_32BIT)) {
24750 unsigned long new_begin;
24751 @@ -101,7 +101,7 @@ static void find_start_end(unsigned long flags, unsigned long *begin,
24752 *begin = new_begin;
24755 - *begin = mmap_legacy_base();
24756 + *begin = mm->mmap_base;
24760 @@ -114,20 +114,24 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
24761 struct vm_area_struct *vma;
24762 struct vm_unmapped_area_info info;
24763 unsigned long begin, end;
24764 + unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
24766 if (flags & MAP_FIXED)
24769 - find_start_end(flags, &begin, &end);
24770 + find_start_end(mm, flags, &begin, &end);
24775 +#ifdef CONFIG_PAX_RANDMMAP
24776 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
24780 addr = PAGE_ALIGN(addr);
24781 vma = find_vma(mm, addr);
24782 - if (end - len >= addr &&
24783 - (!vma || addr + len <= vma->vm_start))
24784 + if (end - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
24788 @@ -137,6 +141,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
24789 info.high_limit = end;
24790 info.align_mask = filp ? get_align_mask() : 0;
24791 info.align_offset = pgoff << PAGE_SHIFT;
24792 + info.threadstack_offset = offset;
24793 return vm_unmapped_area(&info);
24796 @@ -149,6 +154,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
24797 struct mm_struct *mm = current->mm;
24798 unsigned long addr = addr0;
24799 struct vm_unmapped_area_info info;
24800 + unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
24802 /* requested length too big for entire address space */
24803 if (len > TASK_SIZE)
24804 @@ -161,12 +167,15 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
24805 if (!test_thread_flag(TIF_ADDR32) && (flags & MAP_32BIT))
24808 +#ifdef CONFIG_PAX_RANDMMAP
24809 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
24812 /* requesting a specific address */
24814 addr = PAGE_ALIGN(addr);
24815 vma = find_vma(mm, addr);
24816 - if (TASK_SIZE - len >= addr &&
24817 - (!vma || addr + len <= vma->vm_start))
24818 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
24822 @@ -176,6 +185,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
24823 info.high_limit = mm->mmap_base;
24824 info.align_mask = filp ? get_align_mask() : 0;
24825 info.align_offset = pgoff << PAGE_SHIFT;
24826 + info.threadstack_offset = offset;
24827 addr = vm_unmapped_area(&info);
24828 if (!(addr & ~PAGE_MASK))
24830 diff --git a/arch/x86/kernel/tboot.c b/arch/x86/kernel/tboot.c
24831 index f84fe00..f41d9f1 100644
24832 --- a/arch/x86/kernel/tboot.c
24833 +++ b/arch/x86/kernel/tboot.c
24834 @@ -220,7 +220,7 @@ static int tboot_setup_sleep(void)
24836 void tboot_shutdown(u32 shutdown_type)
24838 - void (*shutdown)(void);
24839 + void (* __noreturn shutdown)(void);
24841 if (!tboot_enabled())
24843 @@ -242,7 +242,7 @@ void tboot_shutdown(u32 shutdown_type)
24845 switch_to_tboot_pt();
24847 - shutdown = (void(*)(void))(unsigned long)tboot->shutdown_entry;
24848 + shutdown = (void *)tboot->shutdown_entry;
24851 /* should not reach here */
24852 @@ -300,7 +300,7 @@ static int tboot_sleep(u8 sleep_state, u32 pm1a_control, u32 pm1b_control)
24856 -static atomic_t ap_wfs_count;
24857 +static atomic_unchecked_t ap_wfs_count;
24859 static int tboot_wait_for_aps(int num_aps)
24861 @@ -324,16 +324,16 @@ static int __cpuinit tboot_cpu_callback(struct notifier_block *nfb,
24865 - atomic_inc(&ap_wfs_count);
24866 + atomic_inc_unchecked(&ap_wfs_count);
24867 if (num_online_cpus() == 1)
24868 - if (tboot_wait_for_aps(atomic_read(&ap_wfs_count)))
24869 + if (tboot_wait_for_aps(atomic_read_unchecked(&ap_wfs_count)))
24876 -static struct notifier_block tboot_cpu_notifier __cpuinitdata =
24877 +static struct notifier_block tboot_cpu_notifier =
24879 .notifier_call = tboot_cpu_callback,
24881 @@ -345,7 +345,7 @@ static __init int tboot_late_init(void)
24883 tboot_create_trampoline();
24885 - atomic_set(&ap_wfs_count, 0);
24886 + atomic_set_unchecked(&ap_wfs_count, 0);
24887 register_hotcpu_notifier(&tboot_cpu_notifier);
24889 acpi_os_set_prepare_sleep(&tboot_sleep);
24890 diff --git a/arch/x86/kernel/time.c b/arch/x86/kernel/time.c
24891 index 24d3c91..d06b473 100644
24892 --- a/arch/x86/kernel/time.c
24893 +++ b/arch/x86/kernel/time.c
24894 @@ -30,9 +30,9 @@ unsigned long profile_pc(struct pt_regs *regs)
24896 unsigned long pc = instruction_pointer(regs);
24898 - if (!user_mode_vm(regs) && in_lock_functions(pc)) {
24899 + if (!user_mode(regs) && in_lock_functions(pc)) {
24900 #ifdef CONFIG_FRAME_POINTER
24901 - return *(unsigned long *)(regs->bp + sizeof(long));
24902 + return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long)));
24904 unsigned long *sp =
24905 (unsigned long *)kernel_stack_pointer(regs);
24906 @@ -41,11 +41,17 @@ unsigned long profile_pc(struct pt_regs *regs)
24907 * or above a saved flags. Eflags has bits 22-31 zero,
24908 * kernel addresses don't.
24911 +#ifdef CONFIG_PAX_KERNEXEC
24912 + return ktla_ktva(sp[0]);
24924 diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c
24925 index f7fec09..9991981 100644
24926 --- a/arch/x86/kernel/tls.c
24927 +++ b/arch/x86/kernel/tls.c
24928 @@ -84,6 +84,11 @@ int do_set_thread_area(struct task_struct *p, int idx,
24929 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
24932 +#ifdef CONFIG_PAX_SEGMEXEC
24933 + if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
24937 set_tls_desc(p, idx, &info, 1);
24940 @@ -200,7 +205,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset,
24944 - else if (__copy_from_user(infobuf, ubuf, count))
24945 + else if (count > sizeof infobuf || __copy_from_user(infobuf, ubuf, count))
24949 diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
24950 index 772e2a8..bad5bf6 100644
24951 --- a/arch/x86/kernel/traps.c
24952 +++ b/arch/x86/kernel/traps.c
24954 #include <asm/setup.h>
24956 asmlinkage int system_call(void);
24959 - * The IDT has to be page-aligned to simplify the Pentium
24960 - * F0 0F bug workaround.
24962 -gate_desc idt_table[NR_VECTORS] __page_aligned_data = { { { { 0, 0 } } }, };
24965 DECLARE_BITMAP(used_vectors, NR_VECTORS);
24966 @@ -106,11 +100,11 @@ static inline void preempt_conditional_cli(struct pt_regs *regs)
24969 static int __kprobes
24970 -do_trap_no_signal(struct task_struct *tsk, int trapnr, char *str,
24971 +do_trap_no_signal(struct task_struct *tsk, int trapnr, const char *str,
24972 struct pt_regs *regs, long error_code)
24974 #ifdef CONFIG_X86_32
24975 - if (regs->flags & X86_VM_MASK) {
24976 + if (v8086_mode(regs)) {
24978 * Traps 0, 1, 3, 4, and 5 should be forwarded to vm86.
24979 * On nmi (interrupt 2), do_trap should not be called.
24980 @@ -123,12 +117,24 @@ do_trap_no_signal(struct task_struct *tsk, int trapnr, char *str,
24984 - if (!user_mode(regs)) {
24985 + if (!user_mode_novm(regs)) {
24986 if (!fixup_exception(regs)) {
24987 tsk->thread.error_code = error_code;
24988 tsk->thread.trap_nr = trapnr;
24990 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
24991 + if (trapnr == 12 && ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS))
24992 + str = "PAX: suspicious stack segment fault";
24995 die(str, regs, error_code);
24998 +#ifdef CONFIG_PAX_REFCOUNT
25000 + pax_report_refcount_overflow(regs);
25006 @@ -136,7 +142,7 @@ do_trap_no_signal(struct task_struct *tsk, int trapnr, char *str,
25009 static void __kprobes
25010 -do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
25011 +do_trap(int trapnr, int signr, const char *str, struct pt_regs *regs,
25012 long error_code, siginfo_t *info)
25014 struct task_struct *tsk = current;
25015 @@ -160,7 +166,7 @@ do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
25016 if (show_unhandled_signals && unhandled_signal(tsk, signr) &&
25017 printk_ratelimit()) {
25018 pr_info("%s[%d] trap %s ip:%lx sp:%lx error:%lx",
25019 - tsk->comm, tsk->pid, str,
25020 + tsk->comm, task_pid_nr(tsk), str,
25021 regs->ip, regs->sp, error_code);
25022 print_vma_addr(" in ", regs->ip);
25024 @@ -273,7 +279,7 @@ do_general_protection(struct pt_regs *regs, long error_code)
25025 conditional_sti(regs);
25027 #ifdef CONFIG_X86_32
25028 - if (regs->flags & X86_VM_MASK) {
25029 + if (v8086_mode(regs)) {
25030 local_irq_enable();
25031 handle_vm86_fault((struct kernel_vm86_regs *) regs, error_code);
25033 @@ -281,18 +287,42 @@ do_general_protection(struct pt_regs *regs, long error_code)
25037 - if (!user_mode(regs)) {
25038 + if (!user_mode_novm(regs)) {
25039 if (fixup_exception(regs))
25042 tsk->thread.error_code = error_code;
25043 tsk->thread.trap_nr = X86_TRAP_GP;
25044 if (notify_die(DIE_GPF, "general protection fault", regs, error_code,
25045 - X86_TRAP_GP, SIGSEGV) != NOTIFY_STOP)
25046 + X86_TRAP_GP, SIGSEGV) != NOTIFY_STOP) {
25048 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
25049 + if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)
25050 + die("PAX: suspicious general protection fault", regs, error_code);
25054 die("general protection fault", regs, error_code);
25059 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
25060 + if (!(__supported_pte_mask & _PAGE_NX) && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
25061 + struct mm_struct *mm = tsk->mm;
25062 + unsigned long limit;
25064 + down_write(&mm->mmap_sem);
25065 + limit = mm->context.user_cs_limit;
25066 + if (limit < TASK_SIZE) {
25067 + track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
25068 + up_write(&mm->mmap_sem);
25071 + up_write(&mm->mmap_sem);
25075 tsk->thread.error_code = error_code;
25076 tsk->thread.trap_nr = X86_TRAP_GP;
25078 @@ -450,7 +480,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code)
25079 /* It's safe to allow irq's after DR6 has been saved */
25080 preempt_conditional_sti(regs);
25082 - if (regs->flags & X86_VM_MASK) {
25083 + if (v8086_mode(regs)) {
25084 handle_vm86_trap((struct kernel_vm86_regs *) regs, error_code,
25086 preempt_conditional_cli(regs);
25087 @@ -465,7 +495,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code)
25088 * We already checked v86 mode above, so we can check for kernel mode
25089 * by just checking the CPL of CS.
25091 - if ((dr6 & DR_STEP) && !user_mode(regs)) {
25092 + if ((dr6 & DR_STEP) && !user_mode_novm(regs)) {
25093 tsk->thread.debugreg6 &= ~DR_STEP;
25094 set_tsk_thread_flag(tsk, TIF_SINGLESTEP);
25095 regs->flags &= ~X86_EFLAGS_TF;
25096 @@ -497,7 +527,7 @@ void math_error(struct pt_regs *regs, int error_code, int trapnr)
25098 conditional_sti(regs);
25100 - if (!user_mode_vm(regs))
25101 + if (!user_mode(regs))
25103 if (!fixup_exception(regs)) {
25104 task->thread.error_code = error_code;
25105 diff --git a/arch/x86/kernel/uprobes.c b/arch/x86/kernel/uprobes.c
25106 index 2ed8459..7cf329f 100644
25107 --- a/arch/x86/kernel/uprobes.c
25108 +++ b/arch/x86/kernel/uprobes.c
25109 @@ -629,7 +629,7 @@ int arch_uprobe_exception_notify(struct notifier_block *self, unsigned long val,
25110 int ret = NOTIFY_DONE;
25112 /* We are only interested in userspace traps */
25113 - if (regs && !user_mode_vm(regs))
25114 + if (regs && !user_mode(regs))
25115 return NOTIFY_DONE;
25118 @@ -719,7 +719,7 @@ arch_uretprobe_hijack_return_addr(unsigned long trampoline_vaddr, struct pt_regs
25120 if (ncopied != rasize) {
25121 pr_err("uprobe: return address clobbered: pid=%d, %%sp=%#lx, "
25122 - "%%ip=%#lx\n", current->pid, regs->sp, regs->ip);
25123 + "%%ip=%#lx\n", task_pid_nr(current), regs->sp, regs->ip);
25125 force_sig_info(SIGSEGV, SEND_SIG_FORCED, current);
25127 diff --git a/arch/x86/kernel/verify_cpu.S b/arch/x86/kernel/verify_cpu.S
25128 index b9242ba..50c5edd 100644
25129 --- a/arch/x86/kernel/verify_cpu.S
25130 +++ b/arch/x86/kernel/verify_cpu.S
25132 * arch/x86/boot/compressed/head_64.S: Boot cpu verification
25133 * arch/x86/kernel/trampoline_64.S: secondary processor verification
25134 * arch/x86/kernel/head_32.S: processor startup
25135 + * arch/x86/kernel/acpi/realmode/wakeup.S: 32bit processor resume
25137 * verify_cpu, returns the status of longmode and SSE in register %eax.
25138 * 0: Success 1: Failure
25139 diff --git a/arch/x86/kernel/vm86_32.c b/arch/x86/kernel/vm86_32.c
25140 index e8edcf5..27f9344 100644
25141 --- a/arch/x86/kernel/vm86_32.c
25142 +++ b/arch/x86/kernel/vm86_32.c
25144 #include <linux/ptrace.h>
25145 #include <linux/audit.h>
25146 #include <linux/stddef.h>
25147 +#include <linux/grsecurity.h>
25149 #include <asm/uaccess.h>
25150 #include <asm/io.h>
25151 @@ -150,7 +151,7 @@ struct pt_regs *save_v86_state(struct kernel_vm86_regs *regs)
25155 - tss = &per_cpu(init_tss, get_cpu());
25156 + tss = init_tss + get_cpu();
25157 current->thread.sp0 = current->thread.saved_sp0;
25158 current->thread.sysenter_cs = __KERNEL_CS;
25159 load_sp0(tss, ¤t->thread);
25160 @@ -214,6 +215,14 @@ SYSCALL_DEFINE1(vm86old, struct vm86_struct __user *, v86)
25162 if (tsk->thread.saved_sp0)
25165 +#ifdef CONFIG_GRKERNSEC_VM86
25166 + if (!capable(CAP_SYS_RAWIO)) {
25167 + gr_handle_vm86();
25172 tmp = copy_vm86_regs_from_user(&info.regs, &v86->regs,
25173 offsetof(struct kernel_vm86_struct, vm86plus) -
25174 sizeof(info.regs));
25175 @@ -238,6 +247,13 @@ SYSCALL_DEFINE2(vm86, unsigned long, cmd, unsigned long, arg)
25177 struct vm86plus_struct __user *v86;
25179 +#ifdef CONFIG_GRKERNSEC_VM86
25180 + if (!capable(CAP_SYS_RAWIO)) {
25181 + gr_handle_vm86();
25188 case VM86_REQUEST_IRQ:
25189 @@ -318,7 +334,7 @@ static void do_sys_vm86(struct kernel_vm86_struct *info, struct task_struct *tsk
25190 tsk->thread.saved_fs = info->regs32->fs;
25191 tsk->thread.saved_gs = get_user_gs(info->regs32);
25193 - tss = &per_cpu(init_tss, get_cpu());
25194 + tss = init_tss + get_cpu();
25195 tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
25197 tsk->thread.sysenter_cs = 0;
25198 @@ -525,7 +541,7 @@ static void do_int(struct kernel_vm86_regs *regs, int i,
25199 goto cannot_handle;
25200 if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
25201 goto cannot_handle;
25202 - intr_ptr = (unsigned long __user *) (i << 2);
25203 + intr_ptr = (__force unsigned long __user *) (i << 2);
25204 if (get_user(segoffs, intr_ptr))
25205 goto cannot_handle;
25206 if ((segoffs >> 16) == BIOSSEG)
25207 diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
25208 index 10c4f30..57377c2 100644
25209 --- a/arch/x86/kernel/vmlinux.lds.S
25210 +++ b/arch/x86/kernel/vmlinux.lds.S
25212 #include <asm/page_types.h>
25213 #include <asm/cache.h>
25214 #include <asm/boot.h>
25215 +#include <asm/segment.h>
25217 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
25218 +#define __KERNEL_TEXT_OFFSET (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR)
25220 +#define __KERNEL_TEXT_OFFSET 0
25223 #undef i386 /* in case the preprocessor is a 32bit one */
25225 @@ -69,30 +76,43 @@ jiffies_64 = jiffies;
25228 text PT_LOAD FLAGS(5); /* R_E */
25229 +#ifdef CONFIG_X86_32
25230 + module PT_LOAD FLAGS(5); /* R_E */
25233 + rodata PT_LOAD FLAGS(5); /* R_E */
25235 + rodata PT_LOAD FLAGS(4); /* R__ */
25237 data PT_LOAD FLAGS(6); /* RW_ */
25238 -#ifdef CONFIG_X86_64
25239 + init.begin PT_LOAD FLAGS(6); /* RW_ */
25241 percpu PT_LOAD FLAGS(6); /* RW_ */
25243 + text.init PT_LOAD FLAGS(5); /* R_E */
25244 + text.exit PT_LOAD FLAGS(5); /* R_E */
25245 init PT_LOAD FLAGS(7); /* RWE */
25247 note PT_NOTE FLAGS(0); /* ___ */
25252 #ifdef CONFIG_X86_32
25253 - . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
25254 - phys_startup_32 = startup_32 - LOAD_OFFSET;
25255 + . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
25257 - . = __START_KERNEL;
25258 - phys_startup_64 = startup_64 - LOAD_OFFSET;
25259 + . = __START_KERNEL;
25262 /* Text and read-only data */
25263 - .text : AT(ADDR(.text) - LOAD_OFFSET) {
25265 + .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
25266 /* bootstrapping code */
25267 +#ifdef CONFIG_X86_32
25268 + phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
25270 + phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
25272 + __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
25277 @@ -104,13 +124,48 @@ SECTIONS
25281 - /* End of text section */
25285 - NOTES :text :note
25286 + . += __KERNEL_TEXT_OFFSET;
25288 - EXCEPTION_TABLE(16) :text = 0x9090
25289 +#ifdef CONFIG_X86_32
25290 + . = ALIGN(PAGE_SIZE);
25291 + .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
25293 +#ifdef CONFIG_PAX_KERNEXEC
25294 + MODULES_EXEC_VADDR = .;
25296 + . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
25297 + . = ALIGN(HPAGE_SIZE) - 1;
25298 + MODULES_EXEC_END = .;
25304 + .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) {
25305 + /* End of text section */
25307 + _etext = . - __KERNEL_TEXT_OFFSET;
25310 +#ifdef CONFIG_X86_32
25311 + . = ALIGN(PAGE_SIZE);
25312 + .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
25314 + . = ALIGN(PAGE_SIZE);
25315 + *(.empty_zero_page)
25316 + *(.initial_pg_fixmap)
25317 + *(.initial_pg_pmd)
25318 + *(.initial_page_table)
25319 + *(.swapper_pg_dir)
25323 + . = ALIGN(PAGE_SIZE);
25324 + NOTES :rodata :note
25326 + EXCEPTION_TABLE(16) :rodata
25328 #if defined(CONFIG_DEBUG_RODATA)
25329 /* .text should occupy whole number of pages */
25330 @@ -122,16 +177,20 @@ SECTIONS
25333 .data : AT(ADDR(.data) - LOAD_OFFSET) {
25335 +#ifdef CONFIG_PAX_KERNEXEC
25336 + . = ALIGN(HPAGE_SIZE);
25338 + . = ALIGN(PAGE_SIZE);
25341 /* Start of data section */
25345 INIT_TASK_DATA(THREAD_SIZE)
25347 -#ifdef CONFIG_X86_32
25348 - /* 32 bit has nosave before _edata */
25352 PAGE_ALIGNED_DATA(PAGE_SIZE)
25354 @@ -172,12 +231,19 @@ SECTIONS
25355 #endif /* CONFIG_X86_64 */
25357 /* Init code and data - will be freed after init */
25358 - . = ALIGN(PAGE_SIZE);
25359 .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
25362 +#ifdef CONFIG_PAX_KERNEXEC
25363 + . = ALIGN(HPAGE_SIZE);
25365 + . = ALIGN(PAGE_SIZE);
25368 __init_begin = .; /* paired with __init_end */
25372 -#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
25375 * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
25376 * output PHDR, so the next output section - .init.text - should
25377 @@ -186,12 +252,27 @@ SECTIONS
25378 PERCPU_VADDR(INTERNODE_CACHE_BYTES, 0, :percpu)
25381 - INIT_TEXT_SECTION(PAGE_SIZE)
25382 -#ifdef CONFIG_X86_64
25385 + . = ALIGN(PAGE_SIZE);
25387 + .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
25388 + VMLINUX_SYMBOL(_sinittext) = .;
25390 + VMLINUX_SYMBOL(_einittext) = .;
25391 + . = ALIGN(PAGE_SIZE);
25394 - INIT_DATA_SECTION(16)
25396 + * .exit.text is discard at runtime, not link time, to deal with
25397 + * references from .altinstructions and .eh_frame
25399 + .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
25403 + . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
25405 + . = ALIGN(PAGE_SIZE);
25406 + INIT_DATA_SECTION(16) :init
25408 .x86_cpu_dev.init : AT(ADDR(.x86_cpu_dev.init) - LOAD_OFFSET) {
25409 __x86_cpu_dev_start = .;
25410 @@ -253,19 +334,12 @@ SECTIONS
25415 - * .exit.text is discard at runtime, not link time, to deal with
25416 - * references from .altinstructions and .eh_frame
25418 - .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
25422 .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) {
25426 -#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP)
25427 +#ifndef CONFIG_SMP
25428 PERCPU_SECTION(INTERNODE_CACHE_BYTES)
25431 @@ -284,16 +358,10 @@ SECTIONS
25432 .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
25435 - . = ALIGN(PAGE_SIZE);
25436 __smp_locks_end = .;
25437 + . = ALIGN(PAGE_SIZE);
25440 -#ifdef CONFIG_X86_64
25441 - .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) {
25447 . = ALIGN(PAGE_SIZE);
25448 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
25449 @@ -309,6 +377,7 @@ SECTIONS
25451 . += 64 * 1024; /* 64k alignment slop space */
25452 *(.brk_reservation) /* areas brk users have reserved */
25453 + . = ALIGN(HPAGE_SIZE);
25457 @@ -335,13 +404,12 @@ SECTIONS
25458 * for the boot processor.
25460 #define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load
25461 -INIT_PER_CPU(gdt_page);
25462 INIT_PER_CPU(irq_stack_union);
25465 * Build-time check on the image size:
25467 -. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE),
25468 +. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
25469 "kernel image bigger than KERNEL_IMAGE_SIZE");
25472 diff --git a/arch/x86/kernel/vsyscall_64.c b/arch/x86/kernel/vsyscall_64.c
25473 index 9a907a6..f83f921 100644
25474 --- a/arch/x86/kernel/vsyscall_64.c
25475 +++ b/arch/x86/kernel/vsyscall_64.c
25476 @@ -56,15 +56,13 @@
25477 DEFINE_VVAR(int, vgetcpu_mode);
25478 DEFINE_VVAR(struct vsyscall_gtod_data, vsyscall_gtod_data);
25480 -static enum { EMULATE, NATIVE, NONE } vsyscall_mode = EMULATE;
25481 +static enum { EMULATE, NONE } vsyscall_mode = EMULATE;
25483 static int __init vsyscall_setup(char *str)
25486 if (!strcmp("emulate", str))
25487 vsyscall_mode = EMULATE;
25488 - else if (!strcmp("native", str))
25489 - vsyscall_mode = NATIVE;
25490 else if (!strcmp("none", str))
25491 vsyscall_mode = NONE;
25493 @@ -323,8 +321,7 @@ do_ret:
25497 - force_sig(SIGSEGV, current);
25499 + do_group_exit(SIGKILL);
25503 @@ -377,10 +374,7 @@ void __init map_vsyscall(void)
25504 extern char __vvar_page;
25505 unsigned long physaddr_vvar_page = __pa_symbol(&__vvar_page);
25507 - __set_fixmap(VSYSCALL_FIRST_PAGE, physaddr_vsyscall,
25508 - vsyscall_mode == NATIVE
25509 - ? PAGE_KERNEL_VSYSCALL
25510 - : PAGE_KERNEL_VVAR);
25511 + __set_fixmap(VSYSCALL_FIRST_PAGE, physaddr_vsyscall, PAGE_KERNEL_VVAR);
25512 BUILD_BUG_ON((unsigned long)__fix_to_virt(VSYSCALL_FIRST_PAGE) !=
25513 (unsigned long)VSYSCALL_START);
25515 diff --git a/arch/x86/kernel/x8664_ksyms_64.c b/arch/x86/kernel/x8664_ksyms_64.c
25516 index b014d94..e775258 100644
25517 --- a/arch/x86/kernel/x8664_ksyms_64.c
25518 +++ b/arch/x86/kernel/x8664_ksyms_64.c
25519 @@ -34,8 +34,6 @@ EXPORT_SYMBOL(copy_user_generic_string);
25520 EXPORT_SYMBOL(copy_user_generic_unrolled);
25521 EXPORT_SYMBOL(copy_user_enhanced_fast_string);
25522 EXPORT_SYMBOL(__copy_user_nocache);
25523 -EXPORT_SYMBOL(_copy_from_user);
25524 -EXPORT_SYMBOL(_copy_to_user);
25526 EXPORT_SYMBOL(copy_page);
25527 EXPORT_SYMBOL(clear_page);
25528 @@ -66,3 +64,7 @@ EXPORT_SYMBOL(empty_zero_page);
25529 #ifndef CONFIG_PARAVIRT
25530 EXPORT_SYMBOL(native_load_gs_index);
25533 +#ifdef CONFIG_PAX_PER_CPU_PGD
25534 +EXPORT_SYMBOL(cpu_pgd);
25536 diff --git a/arch/x86/kernel/x86_init.c b/arch/x86/kernel/x86_init.c
25537 index 45a14db..075bb9b 100644
25538 --- a/arch/x86/kernel/x86_init.c
25539 +++ b/arch/x86/kernel/x86_init.c
25540 @@ -85,7 +85,7 @@ struct x86_init_ops x86_init __initdata = {
25544 -struct x86_cpuinit_ops x86_cpuinit __cpuinitdata = {
25545 +struct x86_cpuinit_ops x86_cpuinit __cpuinitconst = {
25546 .early_percpu_clock_init = x86_init_noop,
25547 .setup_percpu_clockev = setup_secondary_APIC_clock,
25549 @@ -93,7 +93,7 @@ struct x86_cpuinit_ops x86_cpuinit __cpuinitdata = {
25550 static void default_nmi_init(void) { };
25551 static int default_i8042_detect(void) { return 1; };
25553 -struct x86_platform_ops x86_platform = {
25554 +struct x86_platform_ops x86_platform __read_only = {
25555 .calibrate_tsc = native_calibrate_tsc,
25556 .get_wallclock = mach_get_cmos_time,
25557 .set_wallclock = mach_set_rtc_mmss,
25558 @@ -107,7 +107,7 @@ struct x86_platform_ops x86_platform = {
25561 EXPORT_SYMBOL_GPL(x86_platform);
25562 -struct x86_msi_ops x86_msi = {
25563 +struct x86_msi_ops x86_msi __read_only = {
25564 .setup_msi_irqs = native_setup_msi_irqs,
25565 .compose_msi_msg = native_compose_msi_msg,
25566 .teardown_msi_irq = native_teardown_msi_irq,
25567 @@ -116,7 +116,7 @@ struct x86_msi_ops x86_msi = {
25568 .setup_hpet_msi = default_setup_hpet_msi,
25571 -struct x86_io_apic_ops x86_io_apic_ops = {
25572 +struct x86_io_apic_ops x86_io_apic_ops __read_only = {
25573 .init = native_io_apic_init_mappings,
25574 .read = native_io_apic_read,
25575 .write = native_io_apic_write,
25576 diff --git a/arch/x86/kernel/xsave.c b/arch/x86/kernel/xsave.c
25577 index ada87a3..afea76d 100644
25578 --- a/arch/x86/kernel/xsave.c
25579 +++ b/arch/x86/kernel/xsave.c
25580 @@ -199,6 +199,7 @@ static inline int save_user_xstate(struct xsave_struct __user *buf)
25584 + buf = (struct xsave_struct __user *)____m(buf);
25586 err = xsave_user(buf);
25587 else if (use_fxsr())
25588 @@ -311,6 +312,7 @@ sanitize_restored_xstate(struct task_struct *tsk,
25590 static inline int restore_user_xstate(void __user *buf, u64 xbv, int fx_only)
25592 + buf = (void __user *)____m(buf);
25594 if ((unsigned long)buf % 64 || fx_only) {
25595 u64 init_bv = pcntxt_mask & ~XSTATE_FPSSE;
25596 diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
25597 index a20ecb5..d0e2194 100644
25598 --- a/arch/x86/kvm/cpuid.c
25599 +++ b/arch/x86/kvm/cpuid.c
25600 @@ -124,15 +124,20 @@ int kvm_vcpu_ioctl_set_cpuid2(struct kvm_vcpu *vcpu,
25601 struct kvm_cpuid2 *cpuid,
25602 struct kvm_cpuid_entry2 __user *entries)
25608 if (cpuid->nent > KVM_MAX_CPUID_ENTRIES)
25611 - if (copy_from_user(&vcpu->arch.cpuid_entries, entries,
25612 - cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
25613 + if (!access_ok(VERIFY_READ, entries, cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
25615 + for (i = 0; i < cpuid->nent; ++i) {
25616 + struct kvm_cpuid_entry2 cpuid_entry;
25617 + if (__copy_from_user(&cpuid_entry, entries + i, sizeof(cpuid_entry)))
25619 + vcpu->arch.cpuid_entries[i] = cpuid_entry;
25621 vcpu->arch.cpuid_nent = cpuid->nent;
25622 kvm_apic_set_version(vcpu);
25623 kvm_x86_ops->cpuid_update(vcpu);
25624 @@ -147,15 +152,19 @@ int kvm_vcpu_ioctl_get_cpuid2(struct kvm_vcpu *vcpu,
25625 struct kvm_cpuid2 *cpuid,
25626 struct kvm_cpuid_entry2 __user *entries)
25632 if (cpuid->nent < vcpu->arch.cpuid_nent)
25635 - if (copy_to_user(entries, &vcpu->arch.cpuid_entries,
25636 - vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
25637 + if (!access_ok(VERIFY_WRITE, entries, vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
25639 + for (i = 0; i < vcpu->arch.cpuid_nent; ++i) {
25640 + struct kvm_cpuid_entry2 cpuid_entry = vcpu->arch.cpuid_entries[i];
25641 + if (__copy_to_user(entries + i, &cpuid_entry, sizeof(cpuid_entry)))
25647 diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
25648 index 5953dce..f11a7d2 100644
25649 --- a/arch/x86/kvm/emulate.c
25650 +++ b/arch/x86/kvm/emulate.c
25651 @@ -329,6 +329,7 @@ static void invalidate_registers(struct x86_emulate_ctxt *ctxt)
25653 #define ____emulate_2op(ctxt, _op, _x, _y, _suffix, _dsttype) \
25655 + unsigned long _tmp; \
25656 __asm__ __volatile__ ( \
25657 _PRE_EFLAGS("0", "4", "2") \
25658 _op _suffix " %"_x"3,%1; " \
25659 @@ -343,8 +344,6 @@ static void invalidate_registers(struct x86_emulate_ctxt *ctxt)
25660 /* Raw emulation: instruction has two explicit operands. */
25661 #define __emulate_2op_nobyte(ctxt,_op,_wx,_wy,_lx,_ly,_qx,_qy) \
25663 - unsigned long _tmp; \
25665 switch ((ctxt)->dst.bytes) { \
25667 ____emulate_2op(ctxt,_op,_wx,_wy,"w",u16); \
25668 @@ -360,7 +359,6 @@ static void invalidate_registers(struct x86_emulate_ctxt *ctxt)
25670 #define __emulate_2op(ctxt,_op,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
25672 - unsigned long _tmp; \
25673 switch ((ctxt)->dst.bytes) { \
25675 ____emulate_2op(ctxt,_op,_bx,_by,"b",u8); \
25676 diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
25677 index 0eee2c8..94a32c3 100644
25678 --- a/arch/x86/kvm/lapic.c
25679 +++ b/arch/x86/kvm/lapic.c
25681 #define APIC_BUS_CYCLE_NS 1
25683 /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
25684 -#define apic_debug(fmt, arg...)
25685 +#define apic_debug(fmt, arg...) do {} while (0)
25687 #define APIC_LVT_NUM 6
25688 /* 14 is the version for Xeon and Pentium 8.4.8*/
25689 diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
25690 index da20860..d19fdf5 100644
25691 --- a/arch/x86/kvm/paging_tmpl.h
25692 +++ b/arch/x86/kvm/paging_tmpl.h
25693 @@ -208,7 +208,7 @@ retry_walk:
25694 if (unlikely(kvm_is_error_hva(host_addr)))
25697 - ptep_user = (pt_element_t __user *)((void *)host_addr + offset);
25698 + ptep_user = (pt_element_t __force_user *)((void *)host_addr + offset);
25699 if (unlikely(__copy_from_user(&pte, ptep_user, sizeof(pte))))
25701 walker->ptep_user[walker->level - 1] = ptep_user;
25702 diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
25703 index a14a6ea..dc86cf0 100644
25704 --- a/arch/x86/kvm/svm.c
25705 +++ b/arch/x86/kvm/svm.c
25706 @@ -3493,7 +3493,11 @@ static void reload_tss(struct kvm_vcpu *vcpu)
25707 int cpu = raw_smp_processor_id();
25709 struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
25711 + pax_open_kernel();
25712 sd->tss_desc->type = 9; /* available 32/64-bit TSS */
25713 + pax_close_kernel();
25718 @@ -3894,6 +3898,10 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
25722 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
25723 + __set_fs(current_thread_info()->addr_limit);
25728 local_irq_disable();
25729 diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
25730 index 5402c94..c3bdeee 100644
25731 --- a/arch/x86/kvm/vmx.c
25732 +++ b/arch/x86/kvm/vmx.c
25733 @@ -1311,12 +1311,12 @@ static void vmcs_write64(unsigned long field, u64 value)
25737 -static void vmcs_clear_bits(unsigned long field, u32 mask)
25738 +static void vmcs_clear_bits(unsigned long field, unsigned long mask)
25740 vmcs_writel(field, vmcs_readl(field) & ~mask);
25743 -static void vmcs_set_bits(unsigned long field, u32 mask)
25744 +static void vmcs_set_bits(unsigned long field, unsigned long mask)
25746 vmcs_writel(field, vmcs_readl(field) | mask);
25748 @@ -1517,7 +1517,11 @@ static void reload_tss(void)
25749 struct desc_struct *descs;
25751 descs = (void *)gdt->address;
25753 + pax_open_kernel();
25754 descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
25755 + pax_close_kernel();
25760 @@ -1741,6 +1745,10 @@ static void vmx_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
25761 vmcs_writel(HOST_TR_BASE, kvm_read_tr_base()); /* 22.2.4 */
25762 vmcs_writel(HOST_GDTR_BASE, gdt->address); /* 22.2.4 */
25764 +#ifdef CONFIG_PAX_PER_CPU_PGD
25765 + vmcs_writel(HOST_CR3, read_cr3()); /* 22.2.3 FIXME: shadow tables */
25768 rdmsrl(MSR_IA32_SYSENTER_ESP, sysenter_esp);
25769 vmcs_writel(HOST_IA32_SYSENTER_ESP, sysenter_esp); /* 22.2.3 */
25770 vmx->loaded_vmcs->cpu = cpu;
25771 @@ -2935,8 +2943,11 @@ static __init int hardware_setup(void)
25772 if (!cpu_has_vmx_flexpriority())
25773 flexpriority_enabled = 0;
25775 - if (!cpu_has_vmx_tpr_shadow())
25776 - kvm_x86_ops->update_cr8_intercept = NULL;
25777 + if (!cpu_has_vmx_tpr_shadow()) {
25778 + pax_open_kernel();
25779 + *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
25780 + pax_close_kernel();
25783 if (enable_ept && !cpu_has_vmx_ept_2m_page())
25784 kvm_disable_largepages();
25785 @@ -2947,13 +2958,15 @@ static __init int hardware_setup(void)
25786 if (!cpu_has_vmx_apicv())
25789 + pax_open_kernel();
25791 - kvm_x86_ops->update_cr8_intercept = NULL;
25792 + *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
25794 - kvm_x86_ops->hwapic_irr_update = NULL;
25795 - kvm_x86_ops->deliver_posted_interrupt = NULL;
25796 - kvm_x86_ops->sync_pir_to_irr = vmx_sync_pir_to_irr_dummy;
25797 + *(void **)&kvm_x86_ops->hwapic_irr_update = NULL;
25798 + *(void **)&kvm_x86_ops->deliver_posted_interrupt = NULL;
25799 + *(void **)&kvm_x86_ops->sync_pir_to_irr = vmx_sync_pir_to_irr_dummy;
25801 + pax_close_kernel();
25804 nested_vmx_setup_ctls_msrs();
25805 @@ -4076,7 +4089,10 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx)
25807 vmcs_writel(HOST_CR0, read_cr0() & ~X86_CR0_TS); /* 22.2.3 */
25808 vmcs_writel(HOST_CR4, read_cr4()); /* 22.2.3, 22.2.5 */
25810 +#ifndef CONFIG_PAX_PER_CPU_PGD
25811 vmcs_writel(HOST_CR3, read_cr3()); /* 22.2.3 FIXME: shadow tables */
25814 vmcs_write16(HOST_CS_SELECTOR, __KERNEL_CS); /* 22.2.4 */
25815 #ifdef CONFIG_X86_64
25816 @@ -4098,7 +4114,7 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx)
25817 vmcs_writel(HOST_IDTR_BASE, dt.address); /* 22.2.4 */
25818 vmx->host_idt_base = dt.address;
25820 - vmcs_writel(HOST_RIP, vmx_return); /* 22.2.5 */
25821 + vmcs_writel(HOST_RIP, ktla_ktva(vmx_return)); /* 22.2.5 */
25823 rdmsr(MSR_IA32_SYSENTER_CS, low32, high32);
25824 vmcs_write32(HOST_IA32_SYSENTER_CS, low32);
25825 @@ -7030,6 +7046,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
25827 "1: " __ex(ASM_VMX_VMRESUME) "\n\t"
25830 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
25831 + "ljmp %[cs],$3f\n\t"
25835 /* Save guest registers, load host registers, keep flags */
25836 "mov %0, %c[wordsize](%%" _ASM_SP ") \n\t"
25838 @@ -7082,6 +7104,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
25840 [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2)),
25841 [wordsize]"i"(sizeof(ulong))
25843 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
25844 + ,[cs]"i"(__KERNEL_CS)
25848 #ifdef CONFIG_X86_64
25849 , "rax", "rbx", "rdi", "rsi"
25850 @@ -7095,7 +7122,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
25852 update_debugctlmsr(debugctlmsr);
25854 -#ifndef CONFIG_X86_64
25855 +#ifdef CONFIG_X86_32
25857 * The sysexit path does not restore ds/es, so we must set them to
25858 * a reasonable value ourselves.
25859 @@ -7104,8 +7131,18 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
25860 * may be executed in interrupt context, which saves and restore segments
25861 * around it, nullifying its effect.
25863 - loadsegment(ds, __USER_DS);
25864 - loadsegment(es, __USER_DS);
25865 + loadsegment(ds, __KERNEL_DS);
25866 + loadsegment(es, __KERNEL_DS);
25867 + loadsegment(ss, __KERNEL_DS);
25869 +#ifdef CONFIG_PAX_KERNEXEC
25870 + loadsegment(fs, __KERNEL_PERCPU);
25873 +#ifdef CONFIG_PAX_MEMORY_UDEREF
25874 + __set_fs(current_thread_info()->addr_limit);
25879 vcpu->arch.regs_avail = ~((1 << VCPU_REGS_RIP) | (1 << VCPU_REGS_RSP)
25880 diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
25881 index e8ba99c..ee9d7d9 100644
25882 --- a/arch/x86/kvm/x86.c
25883 +++ b/arch/x86/kvm/x86.c
25884 @@ -1725,8 +1725,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data)
25886 struct kvm *kvm = vcpu->kvm;
25887 int lm = is_long_mode(vcpu);
25888 - u8 *blob_addr = lm ? (u8 *)(long)kvm->arch.xen_hvm_config.blob_addr_64
25889 - : (u8 *)(long)kvm->arch.xen_hvm_config.blob_addr_32;
25890 + u8 __user *blob_addr = lm ? (u8 __user *)(long)kvm->arch.xen_hvm_config.blob_addr_64
25891 + : (u8 __user *)(long)kvm->arch.xen_hvm_config.blob_addr_32;
25892 u8 blob_size = lm ? kvm->arch.xen_hvm_config.blob_size_64
25893 : kvm->arch.xen_hvm_config.blob_size_32;
25894 u32 page_num = data & ~PAGE_MASK;
25895 @@ -2609,6 +2609,8 @@ long kvm_arch_dev_ioctl(struct file *filp,
25896 if (n < msr_list.nmsrs)
25899 + if (num_msrs_to_save > ARRAY_SIZE(msrs_to_save))
25901 if (copy_to_user(user_msr_list->indices, &msrs_to_save,
25902 num_msrs_to_save * sizeof(u32)))
25904 @@ -5297,7 +5299,7 @@ static struct notifier_block pvclock_gtod_notifier = {
25908 -int kvm_arch_init(void *opaque)
25909 +int kvm_arch_init(const void *opaque)
25912 struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
25913 diff --git a/arch/x86/lguest/boot.c b/arch/x86/lguest/boot.c
25914 index 7114c63..a1018fc 100644
25915 --- a/arch/x86/lguest/boot.c
25916 +++ b/arch/x86/lguest/boot.c
25917 @@ -1201,9 +1201,10 @@ static __init int early_put_chars(u32 vtermno, const char *buf, int count)
25918 * Rebooting also tells the Host we're finished, but the RESTART flag tells the
25919 * Launcher to reboot us.
25921 -static void lguest_restart(char *reason)
25922 +static __noreturn void lguest_restart(char *reason)
25924 hcall(LHCALL_SHUTDOWN, __pa(reason), LGUEST_SHUTDOWN_RESTART, 0, 0);
25929 diff --git a/arch/x86/lib/atomic64_386_32.S b/arch/x86/lib/atomic64_386_32.S
25930 index 00933d5..3a64af9 100644
25931 --- a/arch/x86/lib/atomic64_386_32.S
25932 +++ b/arch/x86/lib/atomic64_386_32.S
25933 @@ -48,6 +48,10 @@ BEGIN(read)
25937 +BEGIN(read_unchecked)
25944 @@ -55,6 +59,10 @@ BEGIN(set)
25948 +BEGIN(set_unchecked)
25955 @@ -70,6 +78,20 @@ RET_ENDP
25960 +#ifdef CONFIG_PAX_REFCOUNT
25966 + _ASM_EXTABLE(0b, 0b)
25970 +BEGIN(add_unchecked)
25976 @@ -77,6 +99,24 @@ RET_ENDP
25981 +#ifdef CONFIG_PAX_REFCOUNT
25984 + _ASM_EXTABLE(1234b, 2f)
25990 +#ifdef CONFIG_PAX_REFCOUNT
25995 +BEGIN(add_return_unchecked)
26001 @@ -86,6 +126,20 @@ RET_ENDP
26006 +#ifdef CONFIG_PAX_REFCOUNT
26012 + _ASM_EXTABLE(0b, 0b)
26016 +BEGIN(sub_unchecked)
26022 @@ -96,6 +150,27 @@ BEGIN(sub_return)
26027 +#ifdef CONFIG_PAX_REFCOUNT
26030 + _ASM_EXTABLE(1234b, 2f)
26036 +#ifdef CONFIG_PAX_REFCOUNT
26041 +BEGIN(sub_return_unchecked)
26050 @@ -105,6 +180,20 @@ RET_ENDP
26055 +#ifdef CONFIG_PAX_REFCOUNT
26061 + _ASM_EXTABLE(0b, 0b)
26065 +BEGIN(inc_unchecked)
26071 @@ -114,6 +203,26 @@ BEGIN(inc_return)
26076 +#ifdef CONFIG_PAX_REFCOUNT
26079 + _ASM_EXTABLE(1234b, 2f)
26085 +#ifdef CONFIG_PAX_REFCOUNT
26090 +BEGIN(inc_return_unchecked)
26098 @@ -123,6 +232,20 @@ RET_ENDP
26103 +#ifdef CONFIG_PAX_REFCOUNT
26109 + _ASM_EXTABLE(0b, 0b)
26113 +BEGIN(dec_unchecked)
26119 @@ -132,6 +255,26 @@ BEGIN(dec_return)
26124 +#ifdef CONFIG_PAX_REFCOUNT
26127 + _ASM_EXTABLE(1234b, 2f)
26133 +#ifdef CONFIG_PAX_REFCOUNT
26138 +BEGIN(dec_return_unchecked)
26146 @@ -143,6 +286,13 @@ BEGIN(add_unless)
26151 +#ifdef CONFIG_PAX_REFCOUNT
26154 + _ASM_EXTABLE(1234b, 2f)
26160 @@ -168,6 +318,13 @@ BEGIN(inc_not_zero)
26165 +#ifdef CONFIG_PAX_REFCOUNT
26168 + _ASM_EXTABLE(1234b, 2f)
26174 @@ -186,6 +343,13 @@ BEGIN(dec_if_positive)
26179 +#ifdef CONFIG_PAX_REFCOUNT
26182 + _ASM_EXTABLE(1234b, 1f)
26188 diff --git a/arch/x86/lib/atomic64_cx8_32.S b/arch/x86/lib/atomic64_cx8_32.S
26189 index f5cc9eb..51fa319 100644
26190 --- a/arch/x86/lib/atomic64_cx8_32.S
26191 +++ b/arch/x86/lib/atomic64_cx8_32.S
26192 @@ -35,10 +35,20 @@ ENTRY(atomic64_read_cx8)
26196 + pax_force_retaddr
26199 ENDPROC(atomic64_read_cx8)
26201 +ENTRY(atomic64_read_unchecked_cx8)
26205 + pax_force_retaddr
26208 +ENDPROC(atomic64_read_unchecked_cx8)
26210 ENTRY(atomic64_set_cx8)
26213 @@ -48,10 +58,25 @@ ENTRY(atomic64_set_cx8)
26217 + pax_force_retaddr
26220 ENDPROC(atomic64_set_cx8)
26222 +ENTRY(atomic64_set_unchecked_cx8)
26226 +/* we don't need LOCK_PREFIX since aligned 64-bit writes
26227 + * are atomic on 586 and newer */
26231 + pax_force_retaddr
26234 +ENDPROC(atomic64_set_unchecked_cx8)
26236 ENTRY(atomic64_xchg_cx8)
26239 @@ -60,12 +85,13 @@ ENTRY(atomic64_xchg_cx8)
26243 + pax_force_retaddr
26246 ENDPROC(atomic64_xchg_cx8)
26248 -.macro addsub_return func ins insc
26249 -ENTRY(atomic64_\func\()_return_cx8)
26250 +.macro addsub_return func ins insc unchecked=""
26251 +ENTRY(atomic64_\func\()_return\unchecked\()_cx8)
26255 @@ -82,27 +108,44 @@ ENTRY(atomic64_\func\()_return_cx8)
26257 \ins\()l %esi, %ebx
26258 \insc\()l %edi, %ecx
26261 +#ifdef CONFIG_PAX_REFCOUNT
26264 + _ASM_EXTABLE(2b, 3f)
26277 +#ifdef CONFIG_PAX_REFCOUNT
26286 + pax_force_retaddr
26289 -ENDPROC(atomic64_\func\()_return_cx8)
26290 +ENDPROC(atomic64_\func\()_return\unchecked\()_cx8)
26293 addsub_return add add adc
26294 addsub_return sub sub sbb
26295 +addsub_return add add adc _unchecked
26296 +addsub_return sub sub sbb _unchecked
26298 -.macro incdec_return func ins insc
26299 -ENTRY(atomic64_\func\()_return_cx8)
26300 +.macro incdec_return func ins insc unchecked=""
26301 +ENTRY(atomic64_\func\()_return\unchecked\()_cx8)
26305 @@ -112,21 +155,39 @@ ENTRY(atomic64_\func\()_return_cx8)
26311 +#ifdef CONFIG_PAX_REFCOUNT
26314 + _ASM_EXTABLE(2b, 3f)
26327 +#ifdef CONFIG_PAX_REFCOUNT
26333 + pax_force_retaddr
26336 -ENDPROC(atomic64_\func\()_return_cx8)
26337 +ENDPROC(atomic64_\func\()_return\unchecked\()_cx8)
26340 incdec_return inc add adc
26341 incdec_return dec sub sbb
26342 +incdec_return inc add adc _unchecked
26343 +incdec_return dec sub sbb _unchecked
26345 ENTRY(atomic64_dec_if_positive_cx8)
26347 @@ -138,6 +199,13 @@ ENTRY(atomic64_dec_if_positive_cx8)
26352 +#ifdef CONFIG_PAX_REFCOUNT
26355 + _ASM_EXTABLE(1234b, 2f)
26361 @@ -147,6 +215,7 @@ ENTRY(atomic64_dec_if_positive_cx8)
26365 + pax_force_retaddr
26368 ENDPROC(atomic64_dec_if_positive_cx8)
26369 @@ -171,6 +240,13 @@ ENTRY(atomic64_add_unless_cx8)
26374 +#ifdef CONFIG_PAX_REFCOUNT
26377 + _ASM_EXTABLE(1234b, 3f)
26383 @@ -181,6 +257,7 @@ ENTRY(atomic64_add_unless_cx8)
26384 CFI_ADJUST_CFA_OFFSET -8
26387 + pax_force_retaddr
26391 @@ -203,6 +280,13 @@ ENTRY(atomic64_inc_not_zero_cx8)
26396 +#ifdef CONFIG_PAX_REFCOUNT
26399 + _ASM_EXTABLE(1234b, 3f)
26405 @@ -210,6 +294,7 @@ ENTRY(atomic64_inc_not_zero_cx8)
26409 + pax_force_retaddr
26412 ENDPROC(atomic64_inc_not_zero_cx8)
26413 diff --git a/arch/x86/lib/checksum_32.S b/arch/x86/lib/checksum_32.S
26414 index e78b8ee..7e173a8 100644
26415 --- a/arch/x86/lib/checksum_32.S
26416 +++ b/arch/x86/lib/checksum_32.S
26418 #include <asm/dwarf2.h>
26419 #include <asm/errno.h>
26420 #include <asm/asm.h>
26422 +#include <asm/segment.h>
26425 * computes a partial checksum, e.g. for TCP/UDP fragments
26427 @@ -293,9 +294,24 @@ unsigned int csum_partial_copy_generic (const char *src, char *dst,
26432 -ENTRY(csum_partial_copy_generic)
26434 +ENTRY(csum_partial_copy_generic_to_user)
26437 +#ifdef CONFIG_PAX_MEMORY_UDEREF
26440 + jmp csum_partial_copy_generic
26443 +ENTRY(csum_partial_copy_generic_from_user)
26445 +#ifdef CONFIG_PAX_MEMORY_UDEREF
26450 +ENTRY(csum_partial_copy_generic)
26452 CFI_ADJUST_CFA_OFFSET 4
26454 @@ -317,7 +333,7 @@ ENTRY(csum_partial_copy_generic)
26456 SRC(1: movw (%esi), %bx )
26458 -DST( movw %bx, (%edi) )
26459 +DST( movw %bx, %es:(%edi) )
26463 @@ -329,30 +345,30 @@ DST( movw %bx, (%edi) )
26464 SRC(1: movl (%esi), %ebx )
26465 SRC( movl 4(%esi), %edx )
26467 -DST( movl %ebx, (%edi) )
26468 +DST( movl %ebx, %es:(%edi) )
26470 -DST( movl %edx, 4(%edi) )
26471 +DST( movl %edx, %es:4(%edi) )
26473 SRC( movl 8(%esi), %ebx )
26474 SRC( movl 12(%esi), %edx )
26476 -DST( movl %ebx, 8(%edi) )
26477 +DST( movl %ebx, %es:8(%edi) )
26479 -DST( movl %edx, 12(%edi) )
26480 +DST( movl %edx, %es:12(%edi) )
26482 SRC( movl 16(%esi), %ebx )
26483 SRC( movl 20(%esi), %edx )
26485 -DST( movl %ebx, 16(%edi) )
26486 +DST( movl %ebx, %es:16(%edi) )
26488 -DST( movl %edx, 20(%edi) )
26489 +DST( movl %edx, %es:20(%edi) )
26491 SRC( movl 24(%esi), %ebx )
26492 SRC( movl 28(%esi), %edx )
26494 -DST( movl %ebx, 24(%edi) )
26495 +DST( movl %ebx, %es:24(%edi) )
26497 -DST( movl %edx, 28(%edi) )
26498 +DST( movl %edx, %es:28(%edi) )
26502 @@ -366,7 +382,7 @@ DST( movl %edx, 28(%edi) )
26503 shrl $2, %edx # This clears CF
26504 SRC(3: movl (%esi), %ebx )
26506 -DST( movl %ebx, (%edi) )
26507 +DST( movl %ebx, %es:(%edi) )
26511 @@ -378,12 +394,12 @@ DST( movl %ebx, (%edi) )
26513 SRC( movw (%esi), %cx )
26515 -DST( movw %cx, (%edi) )
26516 +DST( movw %cx, %es:(%edi) )
26520 SRC(5: movb (%esi), %cl )
26521 -DST( movb %cl, (%edi) )
26522 +DST( movb %cl, %es:(%edi) )
26526 @@ -394,7 +410,7 @@ DST( movb %cl, (%edi) )
26529 movl ARGBASE+20(%esp), %ebx # src_err_ptr
26530 - movl $-EFAULT, (%ebx)
26531 + movl $-EFAULT, %ss:(%ebx)
26533 # zero the complete destination - computing the rest
26535 @@ -407,11 +423,15 @@ DST( movb %cl, (%edi) )
26538 movl ARGBASE+24(%esp), %ebx # dst_err_ptr
26539 - movl $-EFAULT,(%ebx)
26540 + movl $-EFAULT,%ss:(%ebx)
26552 @@ -421,26 +441,43 @@ DST( movb %cl, (%edi) )
26553 popl_cfi %ecx # equivalent to addl $4,%esp
26556 -ENDPROC(csum_partial_copy_generic)
26557 +ENDPROC(csum_partial_copy_generic_to_user)
26561 /* Version for PentiumII/PPro */
26563 #define ROUND1(x) \
26565 SRC(movl x(%esi), %ebx ) ; \
26566 addl %ebx, %eax ; \
26567 - DST(movl %ebx, x(%edi) ) ;
26568 + DST(movl %ebx, %es:x(%edi)) ;
26572 SRC(movl x(%esi), %ebx ) ; \
26573 adcl %ebx, %eax ; \
26574 - DST(movl %ebx, x(%edi) ) ;
26575 + DST(movl %ebx, %es:x(%edi)) ;
26579 -ENTRY(csum_partial_copy_generic)
26581 +ENTRY(csum_partial_copy_generic_to_user)
26584 +#ifdef CONFIG_PAX_MEMORY_UDEREF
26587 + jmp csum_partial_copy_generic
26590 +ENTRY(csum_partial_copy_generic_from_user)
26592 +#ifdef CONFIG_PAX_MEMORY_UDEREF
26597 +ENTRY(csum_partial_copy_generic)
26599 CFI_REL_OFFSET ebx, 0
26601 @@ -461,7 +498,7 @@ ENTRY(csum_partial_copy_generic)
26605 - lea 3f(%ebx,%ebx), %ebx
26606 + lea 3f(%ebx,%ebx,2), %ebx
26610 @@ -482,19 +519,19 @@ ENTRY(csum_partial_copy_generic)
26612 SRC( movw (%esi), %dx )
26614 -DST( movw %dx, (%edi) )
26615 +DST( movw %dx, %es:(%edi) )
26620 SRC( movb (%esi), %dl )
26621 -DST( movb %dl, (%edi) )
26622 +DST( movb %dl, %es:(%edi) )
26626 .section .fixup, "ax"
26627 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
26628 - movl $-EFAULT, (%ebx)
26629 + movl $-EFAULT, %ss:(%ebx)
26630 # zero the complete destination (computing the rest is too much work)
26631 movl ARGBASE+8(%esp),%edi # dst
26632 movl ARGBASE+12(%esp),%ecx # len
26633 @@ -502,10 +539,17 @@ DST( movb %dl, (%edi) )
26636 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
26637 - movl $-EFAULT, (%ebx)
26638 + movl $-EFAULT, %ss:(%ebx)
26642 +#ifdef CONFIG_PAX_MEMORY_UDEREF
26652 @@ -514,7 +558,7 @@ DST( movb %dl, (%edi) )
26656 -ENDPROC(csum_partial_copy_generic)
26657 +ENDPROC(csum_partial_copy_generic_to_user)
26661 diff --git a/arch/x86/lib/clear_page_64.S b/arch/x86/lib/clear_page_64.S
26662 index f2145cf..cea889d 100644
26663 --- a/arch/x86/lib/clear_page_64.S
26664 +++ b/arch/x86/lib/clear_page_64.S
26665 @@ -11,6 +11,7 @@ ENTRY(clear_page_c)
26669 + pax_force_retaddr
26672 ENDPROC(clear_page_c)
26673 @@ -20,6 +21,7 @@ ENTRY(clear_page_c_e)
26677 + pax_force_retaddr
26680 ENDPROC(clear_page_c_e)
26681 @@ -43,6 +45,7 @@ ENTRY(clear_page)
26685 + pax_force_retaddr
26689 @@ -58,7 +61,7 @@ ENDPROC(clear_page)
26691 #include <asm/cpufeature.h>
26693 - .section .altinstr_replacement,"ax"
26694 + .section .altinstr_replacement,"a"
26695 1: .byte 0xeb /* jmp <disp8> */
26696 .byte (clear_page_c - clear_page) - (2f - 1b) /* offset */
26697 2: .byte 0xeb /* jmp <disp8> */
26698 diff --git a/arch/x86/lib/cmpxchg16b_emu.S b/arch/x86/lib/cmpxchg16b_emu.S
26699 index 1e572c5..2a162cd 100644
26700 --- a/arch/x86/lib/cmpxchg16b_emu.S
26701 +++ b/arch/x86/lib/cmpxchg16b_emu.S
26702 @@ -53,11 +53,13 @@ this_cpu_cmpxchg16b_emu:
26706 + pax_force_retaddr
26712 + pax_force_retaddr
26716 diff --git a/arch/x86/lib/copy_page_64.S b/arch/x86/lib/copy_page_64.S
26717 index 176cca6..1166c50 100644
26718 --- a/arch/x86/lib/copy_page_64.S
26719 +++ b/arch/x86/lib/copy_page_64.S
26720 @@ -9,6 +9,7 @@ copy_page_rep:
26724 + pax_force_retaddr
26727 ENDPROC(copy_page_rep)
26728 @@ -20,12 +21,14 @@ ENDPROC(copy_page_rep)
26733 - CFI_ADJUST_CFA_OFFSET 2*8
26735 + CFI_ADJUST_CFA_OFFSET 3*8
26737 CFI_REL_OFFSET rbx, 0
26738 movq %r12, 1*8(%rsp)
26739 CFI_REL_OFFSET r12, 1*8
26740 + movq %r13, 2*8(%rsp)
26741 + CFI_REL_OFFSET r13, 2*8
26743 movl $(4096/64)-5, %ecx
26745 @@ -36,7 +39,7 @@ ENTRY(copy_page)
26746 movq 0x8*2(%rsi), %rdx
26747 movq 0x8*3(%rsi), %r8
26748 movq 0x8*4(%rsi), %r9
26749 - movq 0x8*5(%rsi), %r10
26750 + movq 0x8*5(%rsi), %r13
26751 movq 0x8*6(%rsi), %r11
26752 movq 0x8*7(%rsi), %r12
26754 @@ -47,7 +50,7 @@ ENTRY(copy_page)
26755 movq %rdx, 0x8*2(%rdi)
26756 movq %r8, 0x8*3(%rdi)
26757 movq %r9, 0x8*4(%rdi)
26758 - movq %r10, 0x8*5(%rdi)
26759 + movq %r13, 0x8*5(%rdi)
26760 movq %r11, 0x8*6(%rdi)
26761 movq %r12, 0x8*7(%rdi)
26763 @@ -66,7 +69,7 @@ ENTRY(copy_page)
26764 movq 0x8*2(%rsi), %rdx
26765 movq 0x8*3(%rsi), %r8
26766 movq 0x8*4(%rsi), %r9
26767 - movq 0x8*5(%rsi), %r10
26768 + movq 0x8*5(%rsi), %r13
26769 movq 0x8*6(%rsi), %r11
26770 movq 0x8*7(%rsi), %r12
26772 @@ -75,7 +78,7 @@ ENTRY(copy_page)
26773 movq %rdx, 0x8*2(%rdi)
26774 movq %r8, 0x8*3(%rdi)
26775 movq %r9, 0x8*4(%rdi)
26776 - movq %r10, 0x8*5(%rdi)
26777 + movq %r13, 0x8*5(%rdi)
26778 movq %r11, 0x8*6(%rdi)
26779 movq %r12, 0x8*7(%rdi)
26781 @@ -87,8 +90,11 @@ ENTRY(copy_page)
26783 movq 1*8(%rsp), %r12
26786 - CFI_ADJUST_CFA_OFFSET -2*8
26787 + movq 2*8(%rsp), %r13
26790 + CFI_ADJUST_CFA_OFFSET -3*8
26791 + pax_force_retaddr
26795 @@ -99,7 +105,7 @@ ENDPROC(copy_page)
26797 #include <asm/cpufeature.h>
26799 - .section .altinstr_replacement,"ax"
26800 + .section .altinstr_replacement,"a"
26801 1: .byte 0xeb /* jmp <disp8> */
26802 .byte (copy_page_rep - copy_page) - (2f - 1b) /* offset */
26804 diff --git a/arch/x86/lib/copy_user_64.S b/arch/x86/lib/copy_user_64.S
26805 index a30ca15..6b3f4e1 100644
26806 --- a/arch/x86/lib/copy_user_64.S
26807 +++ b/arch/x86/lib/copy_user_64.S
26809 #include <asm/alternative-asm.h>
26810 #include <asm/asm.h>
26811 #include <asm/smap.h>
26814 - * By placing feature2 after feature1 in altinstructions section, we logically
26816 - * If CPU has feature2, jmp to alt2 is used
26817 - * else if CPU has feature1, jmp to alt1 is used
26818 - * else jmp to orig is used.
26820 - .macro ALTERNATIVE_JUMP feature1,feature2,orig,alt1,alt2
26822 - .byte 0xe9 /* 32bit jump */
26823 - .long \orig-1f /* by default jump to orig */
26825 - .section .altinstr_replacement,"ax"
26826 -2: .byte 0xe9 /* near jump with 32bit immediate */
26827 - .long \alt1-1b /* offset */ /* or alternatively to alt1 */
26828 -3: .byte 0xe9 /* near jump with 32bit immediate */
26829 - .long \alt2-1b /* offset */ /* or alternatively to alt2 */
26832 - .section .altinstructions,"a"
26833 - altinstruction_entry 0b,2b,\feature1,5,5
26834 - altinstruction_entry 0b,3b,\feature2,5,5
26837 +#include <asm/pgtable.h>
26839 .macro ALIGN_DESTINATION
26840 #ifdef FIX_ALIGNMENT
26845 -/* Standard copy_to_user with segment limit checking */
26846 -ENTRY(_copy_to_user)
26848 - GET_THREAD_INFO(%rax)
26852 - cmpq TI_addr_limit(%rax),%rcx
26854 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,X86_FEATURE_ERMS, \
26855 - copy_user_generic_unrolled,copy_user_generic_string, \
26856 - copy_user_enhanced_fast_string
26858 -ENDPROC(_copy_to_user)
26860 -/* Standard copy_from_user with segment limit checking */
26861 -ENTRY(_copy_from_user)
26863 - GET_THREAD_INFO(%rax)
26867 - cmpq TI_addr_limit(%rax),%rcx
26869 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,X86_FEATURE_ERMS, \
26870 - copy_user_generic_unrolled,copy_user_generic_string, \
26871 - copy_user_enhanced_fast_string
26873 -ENDPROC(_copy_from_user)
26875 - .section .fixup,"ax"
26876 - /* must zero dest */
26877 -ENTRY(bad_from_user)
26888 -ENDPROC(bad_from_user)
26892 * copy_user_generic_unrolled - memory copy with exception handling.
26893 * This version is for CPUs like P4 that don't have efficient micro
26894 @@ -131,6 +61,7 @@ ENDPROC(bad_from_user)
26896 ENTRY(copy_user_generic_unrolled)
26898 + ASM_PAX_OPEN_USERLAND
26901 jb 20f /* less then 8 bytes, go to byte copy loop */
26902 @@ -141,19 +72,19 @@ ENTRY(copy_user_generic_unrolled)
26905 2: movq 1*8(%rsi),%r9
26906 -3: movq 2*8(%rsi),%r10
26907 +3: movq 2*8(%rsi),%rax
26908 4: movq 3*8(%rsi),%r11
26910 6: movq %r9,1*8(%rdi)
26911 -7: movq %r10,2*8(%rdi)
26912 +7: movq %rax,2*8(%rdi)
26913 8: movq %r11,3*8(%rdi)
26914 9: movq 4*8(%rsi),%r8
26915 10: movq 5*8(%rsi),%r9
26916 -11: movq 6*8(%rsi),%r10
26917 +11: movq 6*8(%rsi),%rax
26918 12: movq 7*8(%rsi),%r11
26919 13: movq %r8,4*8(%rdi)
26920 14: movq %r9,5*8(%rdi)
26921 -15: movq %r10,6*8(%rdi)
26922 +15: movq %rax,6*8(%rdi)
26923 16: movq %r11,7*8(%rdi)
26926 @@ -180,6 +111,8 @@ ENTRY(copy_user_generic_unrolled)
26930 + ASM_PAX_CLOSE_USERLAND
26931 + pax_force_retaddr
26934 .section .fixup,"ax"
26935 @@ -235,6 +168,7 @@ ENDPROC(copy_user_generic_unrolled)
26937 ENTRY(copy_user_generic_string)
26939 + ASM_PAX_OPEN_USERLAND
26943 @@ -251,6 +185,8 @@ ENTRY(copy_user_generic_string)
26947 + ASM_PAX_CLOSE_USERLAND
26948 + pax_force_retaddr
26951 .section .fixup,"ax"
26952 @@ -278,6 +214,7 @@ ENDPROC(copy_user_generic_string)
26954 ENTRY(copy_user_enhanced_fast_string)
26956 + ASM_PAX_OPEN_USERLAND
26960 @@ -286,6 +223,8 @@ ENTRY(copy_user_enhanced_fast_string)
26964 + ASM_PAX_CLOSE_USERLAND
26965 + pax_force_retaddr
26968 .section .fixup,"ax"
26969 diff --git a/arch/x86/lib/copy_user_nocache_64.S b/arch/x86/lib/copy_user_nocache_64.S
26970 index 6a4f43c..55d26f2 100644
26971 --- a/arch/x86/lib/copy_user_nocache_64.S
26972 +++ b/arch/x86/lib/copy_user_nocache_64.S
26975 #include <linux/linkage.h>
26976 #include <asm/dwarf2.h>
26977 +#include <asm/alternative-asm.h>
26979 #define FIX_ALIGNMENT 1
26982 #include <asm/thread_info.h>
26983 #include <asm/asm.h>
26984 #include <asm/smap.h>
26985 +#include <asm/pgtable.h>
26987 .macro ALIGN_DESTINATION
26988 #ifdef FIX_ALIGNMENT
26991 ENTRY(__copy_user_nocache)
26994 +#ifdef CONFIG_PAX_MEMORY_UDEREF
26995 + mov pax_user_shadow_base,%rcx
27002 + ASM_PAX_OPEN_USERLAND
27005 jb 20f /* less then 8 bytes, go to byte copy loop */
27006 @@ -59,19 +71,19 @@ ENTRY(__copy_user_nocache)
27009 2: movq 1*8(%rsi),%r9
27010 -3: movq 2*8(%rsi),%r10
27011 +3: movq 2*8(%rsi),%rax
27012 4: movq 3*8(%rsi),%r11
27013 5: movnti %r8,(%rdi)
27014 6: movnti %r9,1*8(%rdi)
27015 -7: movnti %r10,2*8(%rdi)
27016 +7: movnti %rax,2*8(%rdi)
27017 8: movnti %r11,3*8(%rdi)
27018 9: movq 4*8(%rsi),%r8
27019 10: movq 5*8(%rsi),%r9
27020 -11: movq 6*8(%rsi),%r10
27021 +11: movq 6*8(%rsi),%rax
27022 12: movq 7*8(%rsi),%r11
27023 13: movnti %r8,4*8(%rdi)
27024 14: movnti %r9,5*8(%rdi)
27025 -15: movnti %r10,6*8(%rdi)
27026 +15: movnti %rax,6*8(%rdi)
27027 16: movnti %r11,7*8(%rdi)
27030 @@ -98,7 +110,9 @@ ENTRY(__copy_user_nocache)
27034 + ASM_PAX_CLOSE_USERLAND
27036 + pax_force_retaddr
27039 .section .fixup,"ax"
27040 diff --git a/arch/x86/lib/csum-copy_64.S b/arch/x86/lib/csum-copy_64.S
27041 index 2419d5f..953ee51 100644
27042 --- a/arch/x86/lib/csum-copy_64.S
27043 +++ b/arch/x86/lib/csum-copy_64.S
27045 #include <asm/dwarf2.h>
27046 #include <asm/errno.h>
27047 #include <asm/asm.h>
27048 +#include <asm/alternative-asm.h>
27051 * Checksum copy with exception handling.
27052 @@ -220,6 +221,7 @@ ENTRY(csum_partial_copy_generic)
27055 CFI_ADJUST_CFA_OFFSET -7*8
27056 + pax_force_retaddr 0, 1
27060 diff --git a/arch/x86/lib/csum-wrappers_64.c b/arch/x86/lib/csum-wrappers_64.c
27061 index 25b7ae8..c40113e 100644
27062 --- a/arch/x86/lib/csum-wrappers_64.c
27063 +++ b/arch/x86/lib/csum-wrappers_64.c
27064 @@ -52,8 +52,12 @@ csum_partial_copy_from_user(const void __user *src, void *dst,
27068 - isum = csum_partial_copy_generic((__force const void *)src,
27069 + pax_open_userland();
27071 + isum = csum_partial_copy_generic((const void __force_kernel *)____m(src),
27072 dst, len, isum, errp, NULL);
27074 + pax_close_userland();
27075 if (unlikely(*errp))
27078 @@ -105,8 +109,13 @@ csum_partial_copy_to_user(const void *src, void __user *dst,
27082 - return csum_partial_copy_generic(src, (void __force *)dst,
27083 + pax_open_userland();
27085 + isum = csum_partial_copy_generic(src, (void __force_kernel *)____m(dst),
27086 len, isum, NULL, errp);
27088 + pax_close_userland();
27091 EXPORT_SYMBOL(csum_partial_copy_to_user);
27093 diff --git a/arch/x86/lib/getuser.S b/arch/x86/lib/getuser.S
27094 index a451235..1daa956 100644
27095 --- a/arch/x86/lib/getuser.S
27096 +++ b/arch/x86/lib/getuser.S
27097 @@ -33,17 +33,40 @@
27098 #include <asm/thread_info.h>
27099 #include <asm/asm.h>
27100 #include <asm/smap.h>
27101 +#include <asm/segment.h>
27102 +#include <asm/pgtable.h>
27103 +#include <asm/alternative-asm.h>
27105 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
27106 +#define __copyuser_seg gs;
27108 +#define __copyuser_seg
27112 ENTRY(__get_user_1)
27115 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
27116 GET_THREAD_INFO(%_ASM_DX)
27117 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
27120 -1: movzbl (%_ASM_AX),%edx
27122 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
27123 + mov pax_user_shadow_base,%_ASM_DX
27124 + cmp %_ASM_DX,%_ASM_AX
27126 + add %_ASM_DX,%_ASM_AX
27132 +1: __copyuser_seg movzbl (%_ASM_AX),%edx
27135 + pax_force_retaddr
27138 ENDPROC(__get_user_1)
27139 @@ -51,14 +74,28 @@ ENDPROC(__get_user_1)
27140 ENTRY(__get_user_2)
27144 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
27146 GET_THREAD_INFO(%_ASM_DX)
27147 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
27150 -2: movzwl -1(%_ASM_AX),%edx
27152 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
27153 + mov pax_user_shadow_base,%_ASM_DX
27154 + cmp %_ASM_DX,%_ASM_AX
27156 + add %_ASM_DX,%_ASM_AX
27162 +2: __copyuser_seg movzwl -1(%_ASM_AX),%edx
27165 + pax_force_retaddr
27168 ENDPROC(__get_user_2)
27169 @@ -66,14 +103,28 @@ ENDPROC(__get_user_2)
27170 ENTRY(__get_user_4)
27174 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
27176 GET_THREAD_INFO(%_ASM_DX)
27177 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
27180 -3: movl -3(%_ASM_AX),%edx
27182 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
27183 + mov pax_user_shadow_base,%_ASM_DX
27184 + cmp %_ASM_DX,%_ASM_AX
27186 + add %_ASM_DX,%_ASM_AX
27192 +3: __copyuser_seg movl -3(%_ASM_AX),%edx
27195 + pax_force_retaddr
27198 ENDPROC(__get_user_4)
27199 @@ -86,10 +137,20 @@ ENTRY(__get_user_8)
27200 GET_THREAD_INFO(%_ASM_DX)
27201 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
27204 +#ifdef CONFIG_PAX_MEMORY_UDEREF
27205 + mov pax_user_shadow_base,%_ASM_DX
27206 + cmp %_ASM_DX,%_ASM_AX
27208 + add %_ASM_DX,%_ASM_AX
27213 4: movq -7(%_ASM_AX),%rdx
27216 + pax_force_retaddr
27220 @@ -98,10 +159,11 @@ ENTRY(__get_user_8)
27221 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
27224 -4: movl -7(%_ASM_AX),%edx
27225 -5: movl -3(%_ASM_AX),%ecx
27226 +4: __copyuser_seg movl -7(%_ASM_AX),%edx
27227 +5: __copyuser_seg movl -3(%_ASM_AX),%ecx
27230 + pax_force_retaddr
27234 @@ -113,6 +175,7 @@ bad_get_user:
27236 mov $(-EFAULT),%_ASM_AX
27238 + pax_force_retaddr
27242 @@ -124,6 +187,7 @@ bad_get_user_8:
27244 mov $(-EFAULT),%_ASM_AX
27246 + pax_force_retaddr
27249 END(bad_get_user_8)
27250 diff --git a/arch/x86/lib/insn.c b/arch/x86/lib/insn.c
27251 index 54fcffe..7be149e 100644
27252 --- a/arch/x86/lib/insn.c
27253 +++ b/arch/x86/lib/insn.c
27257 #include <linux/string.h>
27258 +#include <asm/pgtable_types.h>
27260 #include <string.h>
27261 +#define ktla_ktva(addr) addr
27263 #include <asm/inat.h>
27264 #include <asm/insn.h>
27266 void insn_init(struct insn *insn, const void *kaddr, int x86_64)
27268 memset(insn, 0, sizeof(*insn));
27269 - insn->kaddr = kaddr;
27270 - insn->next_byte = kaddr;
27271 + insn->kaddr = ktla_ktva(kaddr);
27272 + insn->next_byte = ktla_ktva(kaddr);
27273 insn->x86_64 = x86_64 ? 1 : 0;
27274 insn->opnd_bytes = 4;
27276 diff --git a/arch/x86/lib/iomap_copy_64.S b/arch/x86/lib/iomap_copy_64.S
27277 index 05a95e7..326f2fa 100644
27278 --- a/arch/x86/lib/iomap_copy_64.S
27279 +++ b/arch/x86/lib/iomap_copy_64.S
27282 #include <linux/linkage.h>
27283 #include <asm/dwarf2.h>
27284 +#include <asm/alternative-asm.h>
27287 * override generic version in lib/iomap_copy.c
27288 @@ -25,6 +26,7 @@ ENTRY(__iowrite32_copy)
27292 + pax_force_retaddr
27295 ENDPROC(__iowrite32_copy)
27296 diff --git a/arch/x86/lib/memcpy_64.S b/arch/x86/lib/memcpy_64.S
27297 index 56313a3..9b59269 100644
27298 --- a/arch/x86/lib/memcpy_64.S
27299 +++ b/arch/x86/lib/memcpy_64.S
27301 * This gets patched over the unrolled variant (below) via the
27302 * alternative instructions framework:
27304 - .section .altinstr_replacement, "ax", @progbits
27305 + .section .altinstr_replacement, "a", @progbits
27313 + pax_force_retaddr
27317 @@ -44,11 +45,12 @@
27318 * This gets patched over the unrolled variant (below) via the
27319 * alternative instructions framework:
27321 - .section .altinstr_replacement, "ax", @progbits
27322 + .section .altinstr_replacement, "a", @progbits
27327 + pax_force_retaddr
27331 @@ -76,13 +78,13 @@ ENTRY(memcpy)
27333 movq 0*8(%rsi), %r8
27334 movq 1*8(%rsi), %r9
27335 - movq 2*8(%rsi), %r10
27336 + movq 2*8(%rsi), %rcx
27337 movq 3*8(%rsi), %r11
27338 leaq 4*8(%rsi), %rsi
27340 movq %r8, 0*8(%rdi)
27341 movq %r9, 1*8(%rdi)
27342 - movq %r10, 2*8(%rdi)
27343 + movq %rcx, 2*8(%rdi)
27344 movq %r11, 3*8(%rdi)
27345 leaq 4*8(%rdi), %rdi
27346 jae .Lcopy_forward_loop
27347 @@ -105,12 +107,12 @@ ENTRY(memcpy)
27349 movq -1*8(%rsi), %r8
27350 movq -2*8(%rsi), %r9
27351 - movq -3*8(%rsi), %r10
27352 + movq -3*8(%rsi), %rcx
27353 movq -4*8(%rsi), %r11
27354 leaq -4*8(%rsi), %rsi
27355 movq %r8, -1*8(%rdi)
27356 movq %r9, -2*8(%rdi)
27357 - movq %r10, -3*8(%rdi)
27358 + movq %rcx, -3*8(%rdi)
27359 movq %r11, -4*8(%rdi)
27360 leaq -4*8(%rdi), %rdi
27361 jae .Lcopy_backward_loop
27362 @@ -130,12 +132,13 @@ ENTRY(memcpy)
27364 movq 0*8(%rsi), %r8
27365 movq 1*8(%rsi), %r9
27366 - movq -2*8(%rsi, %rdx), %r10
27367 + movq -2*8(%rsi, %rdx), %rcx
27368 movq -1*8(%rsi, %rdx), %r11
27369 movq %r8, 0*8(%rdi)
27370 movq %r9, 1*8(%rdi)
27371 - movq %r10, -2*8(%rdi, %rdx)
27372 + movq %rcx, -2*8(%rdi, %rdx)
27373 movq %r11, -1*8(%rdi, %rdx)
27374 + pax_force_retaddr
27378 @@ -148,6 +151,7 @@ ENTRY(memcpy)
27379 movq -1*8(%rsi, %rdx), %r9
27380 movq %r8, 0*8(%rdi)
27381 movq %r9, -1*8(%rdi, %rdx)
27382 + pax_force_retaddr
27386 @@ -161,6 +165,7 @@ ENTRY(memcpy)
27387 movl -4(%rsi, %rdx), %r8d
27389 movl %r8d, -4(%rdi, %rdx)
27390 + pax_force_retaddr
27394 @@ -179,6 +184,7 @@ ENTRY(memcpy)
27398 + pax_force_retaddr
27402 diff --git a/arch/x86/lib/memmove_64.S b/arch/x86/lib/memmove_64.S
27403 index 65268a6..5aa7815 100644
27404 --- a/arch/x86/lib/memmove_64.S
27405 +++ b/arch/x86/lib/memmove_64.S
27406 @@ -61,13 +61,13 @@ ENTRY(memmove)
27409 movq 0*8(%rsi), %r11
27410 - movq 1*8(%rsi), %r10
27411 + movq 1*8(%rsi), %rcx
27412 movq 2*8(%rsi), %r9
27413 movq 3*8(%rsi), %r8
27414 leaq 4*8(%rsi), %rsi
27416 movq %r11, 0*8(%rdi)
27417 - movq %r10, 1*8(%rdi)
27418 + movq %rcx, 1*8(%rdi)
27419 movq %r9, 2*8(%rdi)
27420 movq %r8, 3*8(%rdi)
27421 leaq 4*8(%rdi), %rdi
27422 @@ -81,10 +81,10 @@ ENTRY(memmove)
27425 movq -8(%rsi, %rdx), %r11
27426 - lea -8(%rdi, %rdx), %r10
27427 + lea -8(%rdi, %rdx), %r9
27430 - movq %r11, (%r10)
27433 .Lmemmove_end_forward:
27435 @@ -95,14 +95,14 @@ ENTRY(memmove)
27441 leaq -8(%rsi, %rdx), %rsi
27442 leaq -8(%rdi, %rdx), %rdi
27447 - movq %r11, (%r10)
27452 @@ -127,13 +127,13 @@ ENTRY(memmove)
27455 movq -1*8(%rsi), %r11
27456 - movq -2*8(%rsi), %r10
27457 + movq -2*8(%rsi), %rcx
27458 movq -3*8(%rsi), %r9
27459 movq -4*8(%rsi), %r8
27460 leaq -4*8(%rsi), %rsi
27462 movq %r11, -1*8(%rdi)
27463 - movq %r10, -2*8(%rdi)
27464 + movq %rcx, -2*8(%rdi)
27465 movq %r9, -3*8(%rdi)
27466 movq %r8, -4*8(%rdi)
27467 leaq -4*8(%rdi), %rdi
27468 @@ -151,11 +151,11 @@ ENTRY(memmove)
27469 * Move data from 16 bytes to 31 bytes.
27471 movq 0*8(%rsi), %r11
27472 - movq 1*8(%rsi), %r10
27473 + movq 1*8(%rsi), %rcx
27474 movq -2*8(%rsi, %rdx), %r9
27475 movq -1*8(%rsi, %rdx), %r8
27476 movq %r11, 0*8(%rdi)
27477 - movq %r10, 1*8(%rdi)
27478 + movq %rcx, 1*8(%rdi)
27479 movq %r9, -2*8(%rdi, %rdx)
27480 movq %r8, -1*8(%rdi, %rdx)
27482 @@ -167,9 +167,9 @@ ENTRY(memmove)
27483 * Move data from 8 bytes to 15 bytes.
27485 movq 0*8(%rsi), %r11
27486 - movq -1*8(%rsi, %rdx), %r10
27487 + movq -1*8(%rsi, %rdx), %r9
27488 movq %r11, 0*8(%rdi)
27489 - movq %r10, -1*8(%rdi, %rdx)
27490 + movq %r9, -1*8(%rdi, %rdx)
27494 @@ -178,9 +178,9 @@ ENTRY(memmove)
27495 * Move data from 4 bytes to 7 bytes.
27498 - movl -4(%rsi, %rdx), %r10d
27499 + movl -4(%rsi, %rdx), %r9d
27501 - movl %r10d, -4(%rdi, %rdx)
27502 + movl %r9d, -4(%rdi, %rdx)
27506 @@ -189,9 +189,9 @@ ENTRY(memmove)
27507 * Move data from 2 bytes to 3 bytes.
27510 - movw -2(%rsi, %rdx), %r10w
27511 + movw -2(%rsi, %rdx), %r9w
27513 - movw %r10w, -2(%rdi, %rdx)
27514 + movw %r9w, -2(%rdi, %rdx)
27518 @@ -202,14 +202,16 @@ ENTRY(memmove)
27522 + pax_force_retaddr
27526 - .section .altinstr_replacement,"ax"
27527 + .section .altinstr_replacement,"a"
27528 .Lmemmove_begin_forward_efs:
27529 /* Forward moving data. */
27532 + pax_force_retaddr
27534 .Lmemmove_end_forward_efs:
27536 diff --git a/arch/x86/lib/memset_64.S b/arch/x86/lib/memset_64.S
27537 index 2dcb380..50a78bc 100644
27538 --- a/arch/x86/lib/memset_64.S
27539 +++ b/arch/x86/lib/memset_64.S
27542 * rax original destination
27544 - .section .altinstr_replacement, "ax", @progbits
27545 + .section .altinstr_replacement, "a", @progbits
27553 + pax_force_retaddr
27557 @@ -45,13 +46,14 @@
27559 * rax original destination
27561 - .section .altinstr_replacement, "ax", @progbits
27562 + .section .altinstr_replacement, "a", @progbits
27569 + pax_force_retaddr
27580 /* expand byte value */
27582 @@ -117,7 +119,8 @@ ENTRY(__memset)
27588 + pax_force_retaddr
27592 diff --git a/arch/x86/lib/mmx_32.c b/arch/x86/lib/mmx_32.c
27593 index c9f2d9b..e7fd2c0 100644
27594 --- a/arch/x86/lib/mmx_32.c
27595 +++ b/arch/x86/lib/mmx_32.c
27596 @@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *from, size_t len)
27600 + unsigned long cr0;
27602 if (unlikely(in_interrupt()))
27603 return __memcpy(to, from, len);
27604 @@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *from, size_t len)
27605 kernel_fpu_begin();
27607 __asm__ __volatile__ (
27608 - "1: prefetch (%0)\n" /* This set is 28 bytes */
27609 - " prefetch 64(%0)\n"
27610 - " prefetch 128(%0)\n"
27611 - " prefetch 192(%0)\n"
27612 - " prefetch 256(%0)\n"
27613 + "1: prefetch (%1)\n" /* This set is 28 bytes */
27614 + " prefetch 64(%1)\n"
27615 + " prefetch 128(%1)\n"
27616 + " prefetch 192(%1)\n"
27617 + " prefetch 256(%1)\n"
27619 ".section .fixup, \"ax\"\n"
27620 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
27623 +#ifdef CONFIG_PAX_KERNEXEC
27624 + " movl %%cr0, %0\n"
27625 + " movl %0, %%eax\n"
27626 + " andl $0xFFFEFFFF, %%eax\n"
27627 + " movl %%eax, %%cr0\n"
27630 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
27632 +#ifdef CONFIG_PAX_KERNEXEC
27633 + " movl %0, %%cr0\n"
27638 _ASM_EXTABLE(1b, 3b)
27640 + : "=&r" (cr0) : "r" (from) : "ax");
27642 for ( ; i > 5; i--) {
27643 __asm__ __volatile__ (
27644 - "1: prefetch 320(%0)\n"
27645 - "2: movq (%0), %%mm0\n"
27646 - " movq 8(%0), %%mm1\n"
27647 - " movq 16(%0), %%mm2\n"
27648 - " movq 24(%0), %%mm3\n"
27649 - " movq %%mm0, (%1)\n"
27650 - " movq %%mm1, 8(%1)\n"
27651 - " movq %%mm2, 16(%1)\n"
27652 - " movq %%mm3, 24(%1)\n"
27653 - " movq 32(%0), %%mm0\n"
27654 - " movq 40(%0), %%mm1\n"
27655 - " movq 48(%0), %%mm2\n"
27656 - " movq 56(%0), %%mm3\n"
27657 - " movq %%mm0, 32(%1)\n"
27658 - " movq %%mm1, 40(%1)\n"
27659 - " movq %%mm2, 48(%1)\n"
27660 - " movq %%mm3, 56(%1)\n"
27661 + "1: prefetch 320(%1)\n"
27662 + "2: movq (%1), %%mm0\n"
27663 + " movq 8(%1), %%mm1\n"
27664 + " movq 16(%1), %%mm2\n"
27665 + " movq 24(%1), %%mm3\n"
27666 + " movq %%mm0, (%2)\n"
27667 + " movq %%mm1, 8(%2)\n"
27668 + " movq %%mm2, 16(%2)\n"
27669 + " movq %%mm3, 24(%2)\n"
27670 + " movq 32(%1), %%mm0\n"
27671 + " movq 40(%1), %%mm1\n"
27672 + " movq 48(%1), %%mm2\n"
27673 + " movq 56(%1), %%mm3\n"
27674 + " movq %%mm0, 32(%2)\n"
27675 + " movq %%mm1, 40(%2)\n"
27676 + " movq %%mm2, 48(%2)\n"
27677 + " movq %%mm3, 56(%2)\n"
27678 ".section .fixup, \"ax\"\n"
27679 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
27682 +#ifdef CONFIG_PAX_KERNEXEC
27683 + " movl %%cr0, %0\n"
27684 + " movl %0, %%eax\n"
27685 + " andl $0xFFFEFFFF, %%eax\n"
27686 + " movl %%eax, %%cr0\n"
27689 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
27691 +#ifdef CONFIG_PAX_KERNEXEC
27692 + " movl %0, %%cr0\n"
27697 _ASM_EXTABLE(1b, 3b)
27698 - : : "r" (from), "r" (to) : "memory");
27699 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
27703 @@ -158,6 +187,7 @@ static void fast_clear_page(void *page)
27704 static void fast_copy_page(void *to, void *from)
27707 + unsigned long cr0;
27709 kernel_fpu_begin();
27711 @@ -166,42 +196,70 @@ static void fast_copy_page(void *to, void *from)
27712 * but that is for later. -AV
27714 __asm__ __volatile__(
27715 - "1: prefetch (%0)\n"
27716 - " prefetch 64(%0)\n"
27717 - " prefetch 128(%0)\n"
27718 - " prefetch 192(%0)\n"
27719 - " prefetch 256(%0)\n"
27720 + "1: prefetch (%1)\n"
27721 + " prefetch 64(%1)\n"
27722 + " prefetch 128(%1)\n"
27723 + " prefetch 192(%1)\n"
27724 + " prefetch 256(%1)\n"
27726 ".section .fixup, \"ax\"\n"
27727 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
27730 +#ifdef CONFIG_PAX_KERNEXEC
27731 + " movl %%cr0, %0\n"
27732 + " movl %0, %%eax\n"
27733 + " andl $0xFFFEFFFF, %%eax\n"
27734 + " movl %%eax, %%cr0\n"
27737 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
27739 +#ifdef CONFIG_PAX_KERNEXEC
27740 + " movl %0, %%cr0\n"
27745 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
27746 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
27748 for (i = 0; i < (4096-320)/64; i++) {
27749 __asm__ __volatile__ (
27750 - "1: prefetch 320(%0)\n"
27751 - "2: movq (%0), %%mm0\n"
27752 - " movntq %%mm0, (%1)\n"
27753 - " movq 8(%0), %%mm1\n"
27754 - " movntq %%mm1, 8(%1)\n"
27755 - " movq 16(%0), %%mm2\n"
27756 - " movntq %%mm2, 16(%1)\n"
27757 - " movq 24(%0), %%mm3\n"
27758 - " movntq %%mm3, 24(%1)\n"
27759 - " movq 32(%0), %%mm4\n"
27760 - " movntq %%mm4, 32(%1)\n"
27761 - " movq 40(%0), %%mm5\n"
27762 - " movntq %%mm5, 40(%1)\n"
27763 - " movq 48(%0), %%mm6\n"
27764 - " movntq %%mm6, 48(%1)\n"
27765 - " movq 56(%0), %%mm7\n"
27766 - " movntq %%mm7, 56(%1)\n"
27767 + "1: prefetch 320(%1)\n"
27768 + "2: movq (%1), %%mm0\n"
27769 + " movntq %%mm0, (%2)\n"
27770 + " movq 8(%1), %%mm1\n"
27771 + " movntq %%mm1, 8(%2)\n"
27772 + " movq 16(%1), %%mm2\n"
27773 + " movntq %%mm2, 16(%2)\n"
27774 + " movq 24(%1), %%mm3\n"
27775 + " movntq %%mm3, 24(%2)\n"
27776 + " movq 32(%1), %%mm4\n"
27777 + " movntq %%mm4, 32(%2)\n"
27778 + " movq 40(%1), %%mm5\n"
27779 + " movntq %%mm5, 40(%2)\n"
27780 + " movq 48(%1), %%mm6\n"
27781 + " movntq %%mm6, 48(%2)\n"
27782 + " movq 56(%1), %%mm7\n"
27783 + " movntq %%mm7, 56(%2)\n"
27784 ".section .fixup, \"ax\"\n"
27785 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
27788 +#ifdef CONFIG_PAX_KERNEXEC
27789 + " movl %%cr0, %0\n"
27790 + " movl %0, %%eax\n"
27791 + " andl $0xFFFEFFFF, %%eax\n"
27792 + " movl %%eax, %%cr0\n"
27795 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
27797 +#ifdef CONFIG_PAX_KERNEXEC
27798 + " movl %0, %%cr0\n"
27803 - _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory");
27804 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
27808 @@ -280,47 +338,76 @@ static void fast_clear_page(void *page)
27809 static void fast_copy_page(void *to, void *from)
27812 + unsigned long cr0;
27814 kernel_fpu_begin();
27816 __asm__ __volatile__ (
27817 - "1: prefetch (%0)\n"
27818 - " prefetch 64(%0)\n"
27819 - " prefetch 128(%0)\n"
27820 - " prefetch 192(%0)\n"
27821 - " prefetch 256(%0)\n"
27822 + "1: prefetch (%1)\n"
27823 + " prefetch 64(%1)\n"
27824 + " prefetch 128(%1)\n"
27825 + " prefetch 192(%1)\n"
27826 + " prefetch 256(%1)\n"
27828 ".section .fixup, \"ax\"\n"
27829 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
27832 +#ifdef CONFIG_PAX_KERNEXEC
27833 + " movl %%cr0, %0\n"
27834 + " movl %0, %%eax\n"
27835 + " andl $0xFFFEFFFF, %%eax\n"
27836 + " movl %%eax, %%cr0\n"
27839 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
27841 +#ifdef CONFIG_PAX_KERNEXEC
27842 + " movl %0, %%cr0\n"
27847 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
27848 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
27850 for (i = 0; i < 4096/64; i++) {
27851 __asm__ __volatile__ (
27852 - "1: prefetch 320(%0)\n"
27853 - "2: movq (%0), %%mm0\n"
27854 - " movq 8(%0), %%mm1\n"
27855 - " movq 16(%0), %%mm2\n"
27856 - " movq 24(%0), %%mm3\n"
27857 - " movq %%mm0, (%1)\n"
27858 - " movq %%mm1, 8(%1)\n"
27859 - " movq %%mm2, 16(%1)\n"
27860 - " movq %%mm3, 24(%1)\n"
27861 - " movq 32(%0), %%mm0\n"
27862 - " movq 40(%0), %%mm1\n"
27863 - " movq 48(%0), %%mm2\n"
27864 - " movq 56(%0), %%mm3\n"
27865 - " movq %%mm0, 32(%1)\n"
27866 - " movq %%mm1, 40(%1)\n"
27867 - " movq %%mm2, 48(%1)\n"
27868 - " movq %%mm3, 56(%1)\n"
27869 + "1: prefetch 320(%1)\n"
27870 + "2: movq (%1), %%mm0\n"
27871 + " movq 8(%1), %%mm1\n"
27872 + " movq 16(%1), %%mm2\n"
27873 + " movq 24(%1), %%mm3\n"
27874 + " movq %%mm0, (%2)\n"
27875 + " movq %%mm1, 8(%2)\n"
27876 + " movq %%mm2, 16(%2)\n"
27877 + " movq %%mm3, 24(%2)\n"
27878 + " movq 32(%1), %%mm0\n"
27879 + " movq 40(%1), %%mm1\n"
27880 + " movq 48(%1), %%mm2\n"
27881 + " movq 56(%1), %%mm3\n"
27882 + " movq %%mm0, 32(%2)\n"
27883 + " movq %%mm1, 40(%2)\n"
27884 + " movq %%mm2, 48(%2)\n"
27885 + " movq %%mm3, 56(%2)\n"
27886 ".section .fixup, \"ax\"\n"
27887 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
27890 +#ifdef CONFIG_PAX_KERNEXEC
27891 + " movl %%cr0, %0\n"
27892 + " movl %0, %%eax\n"
27893 + " andl $0xFFFEFFFF, %%eax\n"
27894 + " movl %%eax, %%cr0\n"
27897 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
27899 +#ifdef CONFIG_PAX_KERNEXEC
27900 + " movl %0, %%cr0\n"
27905 _ASM_EXTABLE(1b, 3b)
27906 - : : "r" (from), "r" (to) : "memory");
27907 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
27911 diff --git a/arch/x86/lib/msr-reg.S b/arch/x86/lib/msr-reg.S
27912 index f6d13ee..aca5f0b 100644
27913 --- a/arch/x86/lib/msr-reg.S
27914 +++ b/arch/x86/lib/msr-reg.S
27916 #include <asm/dwarf2.h>
27917 #include <asm/asm.h>
27918 #include <asm/msr.h>
27919 +#include <asm/alternative-asm.h>
27921 #ifdef CONFIG_X86_64
27923 @@ -16,7 +17,7 @@ ENTRY(\op\()_safe_regs)
27927 - movq %rdi, %r10 /* Save pointer */
27928 + movq %rdi, %r9 /* Save pointer */
27929 xorl %r11d, %r11d /* Return value */
27932 @@ -27,16 +28,17 @@ ENTRY(\op\()_safe_regs)
27933 movl 28(%rdi), %edi
27936 -2: movl %eax, (%r10)
27937 +2: movl %eax, (%r9)
27938 movl %r11d, %eax /* Return value */
27939 - movl %ecx, 4(%r10)
27940 - movl %edx, 8(%r10)
27941 - movl %ebx, 12(%r10)
27942 - movl %ebp, 20(%r10)
27943 - movl %esi, 24(%r10)
27944 - movl %edi, 28(%r10)
27945 + movl %ecx, 4(%r9)
27946 + movl %edx, 8(%r9)
27947 + movl %ebx, 12(%r9)
27948 + movl %ebp, 20(%r9)
27949 + movl %esi, 24(%r9)
27950 + movl %edi, 28(%r9)
27953 + pax_force_retaddr
27957 diff --git a/arch/x86/lib/putuser.S b/arch/x86/lib/putuser.S
27958 index fc6ba17..d4d989d 100644
27959 --- a/arch/x86/lib/putuser.S
27960 +++ b/arch/x86/lib/putuser.S
27962 #include <asm/errno.h>
27963 #include <asm/asm.h>
27964 #include <asm/smap.h>
27966 +#include <asm/segment.h>
27967 +#include <asm/pgtable.h>
27968 +#include <asm/alternative-asm.h>
27972 @@ -30,57 +32,125 @@
27973 * as they get called from within inline assembly.
27976 -#define ENTER CFI_STARTPROC ; \
27977 - GET_THREAD_INFO(%_ASM_BX)
27978 -#define EXIT ASM_CLAC ; \
27980 +#define ENTER CFI_STARTPROC
27981 +#define EXIT ASM_CLAC ; \
27982 + pax_force_retaddr ; \
27986 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
27987 +#define _DEST %_ASM_CX,%_ASM_BX
27989 +#define _DEST %_ASM_CX
27992 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
27993 +#define __copyuser_seg gs;
27995 +#define __copyuser_seg
27999 ENTRY(__put_user_1)
28002 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
28003 + GET_THREAD_INFO(%_ASM_BX)
28004 cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
28007 -1: movb %al,(%_ASM_CX)
28009 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
28010 + mov pax_user_shadow_base,%_ASM_BX
28011 + cmp %_ASM_BX,%_ASM_CX
28019 +1: __copyuser_seg movb %al,(_DEST)
28022 ENDPROC(__put_user_1)
28024 ENTRY(__put_user_2)
28027 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
28028 + GET_THREAD_INFO(%_ASM_BX)
28029 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
28031 cmp %_ASM_BX,%_ASM_CX
28034 -2: movw %ax,(%_ASM_CX)
28036 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
28037 + mov pax_user_shadow_base,%_ASM_BX
28038 + cmp %_ASM_BX,%_ASM_CX
28046 +2: __copyuser_seg movw %ax,(_DEST)
28049 ENDPROC(__put_user_2)
28051 ENTRY(__put_user_4)
28054 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
28055 + GET_THREAD_INFO(%_ASM_BX)
28056 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
28058 cmp %_ASM_BX,%_ASM_CX
28061 -3: movl %eax,(%_ASM_CX)
28063 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
28064 + mov pax_user_shadow_base,%_ASM_BX
28065 + cmp %_ASM_BX,%_ASM_CX
28073 +3: __copyuser_seg movl %eax,(_DEST)
28076 ENDPROC(__put_user_4)
28078 ENTRY(__put_user_8)
28081 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
28082 + GET_THREAD_INFO(%_ASM_BX)
28083 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
28085 cmp %_ASM_BX,%_ASM_CX
28088 -4: mov %_ASM_AX,(%_ASM_CX)
28090 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
28091 + mov pax_user_shadow_base,%_ASM_BX
28092 + cmp %_ASM_BX,%_ASM_CX
28100 +4: __copyuser_seg mov %_ASM_AX,(_DEST)
28101 #ifdef CONFIG_X86_32
28102 -5: movl %edx,4(%_ASM_CX)
28103 +5: __copyuser_seg movl %edx,4(_DEST)
28107 diff --git a/arch/x86/lib/rwlock.S b/arch/x86/lib/rwlock.S
28108 index 1cad221..de671ee 100644
28109 --- a/arch/x86/lib/rwlock.S
28110 +++ b/arch/x86/lib/rwlock.S
28111 @@ -16,13 +16,34 @@ ENTRY(__write_lock_failed)
28114 WRITE_LOCK_ADD($RW_LOCK_BIAS) (%__lock_ptr)
28116 +#ifdef CONFIG_PAX_REFCOUNT
28119 + WRITE_LOCK_SUB($RW_LOCK_BIAS) (%__lock_ptr)
28122 + _ASM_EXTABLE(1234b, 1234b)
28126 cmpl $WRITE_LOCK_CMP, (%__lock_ptr)
28129 WRITE_LOCK_SUB($RW_LOCK_BIAS) (%__lock_ptr)
28131 +#ifdef CONFIG_PAX_REFCOUNT
28134 + WRITE_LOCK_ADD($RW_LOCK_BIAS) (%__lock_ptr)
28137 + _ASM_EXTABLE(1234b, 1234b)
28142 + pax_force_retaddr
28145 END(__write_lock_failed)
28146 @@ -32,13 +53,34 @@ ENTRY(__read_lock_failed)
28149 READ_LOCK_SIZE(inc) (%__lock_ptr)
28151 +#ifdef CONFIG_PAX_REFCOUNT
28154 + READ_LOCK_SIZE(dec) (%__lock_ptr)
28157 + _ASM_EXTABLE(1234b, 1234b)
28161 READ_LOCK_SIZE(cmp) $1, (%__lock_ptr)
28164 READ_LOCK_SIZE(dec) (%__lock_ptr)
28166 +#ifdef CONFIG_PAX_REFCOUNT
28169 + READ_LOCK_SIZE(inc) (%__lock_ptr)
28172 + _ASM_EXTABLE(1234b, 1234b)
28177 + pax_force_retaddr
28180 END(__read_lock_failed)
28181 diff --git a/arch/x86/lib/rwsem.S b/arch/x86/lib/rwsem.S
28182 index 5dff5f0..cadebf4 100644
28183 --- a/arch/x86/lib/rwsem.S
28184 +++ b/arch/x86/lib/rwsem.S
28185 @@ -94,6 +94,7 @@ ENTRY(call_rwsem_down_read_failed)
28186 __ASM_SIZE(pop,_cfi) %__ASM_REG(dx)
28187 CFI_RESTORE __ASM_REG(dx)
28188 restore_common_regs
28189 + pax_force_retaddr
28192 ENDPROC(call_rwsem_down_read_failed)
28193 @@ -104,6 +105,7 @@ ENTRY(call_rwsem_down_write_failed)
28195 call rwsem_down_write_failed
28196 restore_common_regs
28197 + pax_force_retaddr
28200 ENDPROC(call_rwsem_down_write_failed)
28201 @@ -117,7 +119,8 @@ ENTRY(call_rwsem_wake)
28204 restore_common_regs
28206 +1: pax_force_retaddr
28209 ENDPROC(call_rwsem_wake)
28211 @@ -131,6 +134,7 @@ ENTRY(call_rwsem_downgrade_wake)
28212 __ASM_SIZE(pop,_cfi) %__ASM_REG(dx)
28213 CFI_RESTORE __ASM_REG(dx)
28214 restore_common_regs
28215 + pax_force_retaddr
28218 ENDPROC(call_rwsem_downgrade_wake)
28219 diff --git a/arch/x86/lib/thunk_64.S b/arch/x86/lib/thunk_64.S
28220 index a63efd6..ccecad8 100644
28221 --- a/arch/x86/lib/thunk_64.S
28222 +++ b/arch/x86/lib/thunk_64.S
28224 #include <linux/linkage.h>
28225 #include <asm/dwarf2.h>
28226 #include <asm/calling.h>
28227 +#include <asm/alternative-asm.h>
28229 /* rdi: arg1 ... normal C conventions. rax is saved/restored. */
28230 .macro THUNK name, func, put_ret_addr_in_rdi=0
28235 + pax_force_retaddr
28238 diff --git a/arch/x86/lib/usercopy_32.c b/arch/x86/lib/usercopy_32.c
28239 index 3eb18ac..6890bc3 100644
28240 --- a/arch/x86/lib/usercopy_32.c
28241 +++ b/arch/x86/lib/usercopy_32.c
28242 @@ -42,11 +42,13 @@ do { \
28245 __asm__ __volatile__( \
28246 + __COPYUSER_SET_ES \
28248 "0: rep; stosl\n" \
28250 "1: rep; stosb\n" \
28251 "2: " ASM_CLAC "\n" \
28252 + __COPYUSER_RESTORE_ES \
28253 ".section .fixup,\"ax\"\n" \
28254 "3: lea 0(%2,%0,4),%0\n" \
28256 @@ -98,7 +100,7 @@ EXPORT_SYMBOL(__clear_user);
28258 #ifdef CONFIG_X86_INTEL_USERCOPY
28259 static unsigned long
28260 -__copy_user_intel(void __user *to, const void *from, unsigned long size)
28261 +__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
28264 __asm__ __volatile__(
28265 @@ -110,36 +112,36 @@ __copy_user_intel(void __user *to, const void *from, unsigned long size)
28267 "3: movl 0(%4), %%eax\n"
28268 "4: movl 4(%4), %%edx\n"
28269 - "5: movl %%eax, 0(%3)\n"
28270 - "6: movl %%edx, 4(%3)\n"
28271 + "5: "__copyuser_seg" movl %%eax, 0(%3)\n"
28272 + "6: "__copyuser_seg" movl %%edx, 4(%3)\n"
28273 "7: movl 8(%4), %%eax\n"
28274 "8: movl 12(%4),%%edx\n"
28275 - "9: movl %%eax, 8(%3)\n"
28276 - "10: movl %%edx, 12(%3)\n"
28277 + "9: "__copyuser_seg" movl %%eax, 8(%3)\n"
28278 + "10: "__copyuser_seg" movl %%edx, 12(%3)\n"
28279 "11: movl 16(%4), %%eax\n"
28280 "12: movl 20(%4), %%edx\n"
28281 - "13: movl %%eax, 16(%3)\n"
28282 - "14: movl %%edx, 20(%3)\n"
28283 + "13: "__copyuser_seg" movl %%eax, 16(%3)\n"
28284 + "14: "__copyuser_seg" movl %%edx, 20(%3)\n"
28285 "15: movl 24(%4), %%eax\n"
28286 "16: movl 28(%4), %%edx\n"
28287 - "17: movl %%eax, 24(%3)\n"
28288 - "18: movl %%edx, 28(%3)\n"
28289 + "17: "__copyuser_seg" movl %%eax, 24(%3)\n"
28290 + "18: "__copyuser_seg" movl %%edx, 28(%3)\n"
28291 "19: movl 32(%4), %%eax\n"
28292 "20: movl 36(%4), %%edx\n"
28293 - "21: movl %%eax, 32(%3)\n"
28294 - "22: movl %%edx, 36(%3)\n"
28295 + "21: "__copyuser_seg" movl %%eax, 32(%3)\n"
28296 + "22: "__copyuser_seg" movl %%edx, 36(%3)\n"
28297 "23: movl 40(%4), %%eax\n"
28298 "24: movl 44(%4), %%edx\n"
28299 - "25: movl %%eax, 40(%3)\n"
28300 - "26: movl %%edx, 44(%3)\n"
28301 + "25: "__copyuser_seg" movl %%eax, 40(%3)\n"
28302 + "26: "__copyuser_seg" movl %%edx, 44(%3)\n"
28303 "27: movl 48(%4), %%eax\n"
28304 "28: movl 52(%4), %%edx\n"
28305 - "29: movl %%eax, 48(%3)\n"
28306 - "30: movl %%edx, 52(%3)\n"
28307 + "29: "__copyuser_seg" movl %%eax, 48(%3)\n"
28308 + "30: "__copyuser_seg" movl %%edx, 52(%3)\n"
28309 "31: movl 56(%4), %%eax\n"
28310 "32: movl 60(%4), %%edx\n"
28311 - "33: movl %%eax, 56(%3)\n"
28312 - "34: movl %%edx, 60(%3)\n"
28313 + "33: "__copyuser_seg" movl %%eax, 56(%3)\n"
28314 + "34: "__copyuser_seg" movl %%edx, 60(%3)\n"
28318 @@ -149,10 +151,12 @@ __copy_user_intel(void __user *to, const void *from, unsigned long size)
28320 " andl $3, %%eax\n"
28322 + __COPYUSER_SET_ES
28324 "36: movl %%eax, %0\n"
28327 + __COPYUSER_RESTORE_ES
28328 ".section .fixup,\"ax\"\n"
28329 "101: lea 0(%%eax,%0,4),%0\n"
28331 @@ -202,46 +206,150 @@ __copy_user_intel(void __user *to, const void *from, unsigned long size)
28334 static unsigned long
28335 +__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
28338 + __asm__ __volatile__(
28339 + " .align 2,0x90\n"
28340 + "1: "__copyuser_seg" movl 32(%4), %%eax\n"
28341 + " cmpl $67, %0\n"
28343 + "2: "__copyuser_seg" movl 64(%4), %%eax\n"
28344 + " .align 2,0x90\n"
28345 + "3: "__copyuser_seg" movl 0(%4), %%eax\n"
28346 + "4: "__copyuser_seg" movl 4(%4), %%edx\n"
28347 + "5: movl %%eax, 0(%3)\n"
28348 + "6: movl %%edx, 4(%3)\n"
28349 + "7: "__copyuser_seg" movl 8(%4), %%eax\n"
28350 + "8: "__copyuser_seg" movl 12(%4),%%edx\n"
28351 + "9: movl %%eax, 8(%3)\n"
28352 + "10: movl %%edx, 12(%3)\n"
28353 + "11: "__copyuser_seg" movl 16(%4), %%eax\n"
28354 + "12: "__copyuser_seg" movl 20(%4), %%edx\n"
28355 + "13: movl %%eax, 16(%3)\n"
28356 + "14: movl %%edx, 20(%3)\n"
28357 + "15: "__copyuser_seg" movl 24(%4), %%eax\n"
28358 + "16: "__copyuser_seg" movl 28(%4), %%edx\n"
28359 + "17: movl %%eax, 24(%3)\n"
28360 + "18: movl %%edx, 28(%3)\n"
28361 + "19: "__copyuser_seg" movl 32(%4), %%eax\n"
28362 + "20: "__copyuser_seg" movl 36(%4), %%edx\n"
28363 + "21: movl %%eax, 32(%3)\n"
28364 + "22: movl %%edx, 36(%3)\n"
28365 + "23: "__copyuser_seg" movl 40(%4), %%eax\n"
28366 + "24: "__copyuser_seg" movl 44(%4), %%edx\n"
28367 + "25: movl %%eax, 40(%3)\n"
28368 + "26: movl %%edx, 44(%3)\n"
28369 + "27: "__copyuser_seg" movl 48(%4), %%eax\n"
28370 + "28: "__copyuser_seg" movl 52(%4), %%edx\n"
28371 + "29: movl %%eax, 48(%3)\n"
28372 + "30: movl %%edx, 52(%3)\n"
28373 + "31: "__copyuser_seg" movl 56(%4), %%eax\n"
28374 + "32: "__copyuser_seg" movl 60(%4), %%edx\n"
28375 + "33: movl %%eax, 56(%3)\n"
28376 + "34: movl %%edx, 60(%3)\n"
28377 + " addl $-64, %0\n"
28378 + " addl $64, %4\n"
28379 + " addl $64, %3\n"
28380 + " cmpl $63, %0\n"
28382 + "35: movl %0, %%eax\n"
28384 + " andl $3, %%eax\n"
28386 + "99: rep; "__copyuser_seg" movsl\n"
28387 + "36: movl %%eax, %0\n"
28388 + "37: rep; "__copyuser_seg" movsb\n"
28390 + ".section .fixup,\"ax\"\n"
28391 + "101: lea 0(%%eax,%0,4),%0\n"
28394 + _ASM_EXTABLE(1b,100b)
28395 + _ASM_EXTABLE(2b,100b)
28396 + _ASM_EXTABLE(3b,100b)
28397 + _ASM_EXTABLE(4b,100b)
28398 + _ASM_EXTABLE(5b,100b)
28399 + _ASM_EXTABLE(6b,100b)
28400 + _ASM_EXTABLE(7b,100b)
28401 + _ASM_EXTABLE(8b,100b)
28402 + _ASM_EXTABLE(9b,100b)
28403 + _ASM_EXTABLE(10b,100b)
28404 + _ASM_EXTABLE(11b,100b)
28405 + _ASM_EXTABLE(12b,100b)
28406 + _ASM_EXTABLE(13b,100b)
28407 + _ASM_EXTABLE(14b,100b)
28408 + _ASM_EXTABLE(15b,100b)
28409 + _ASM_EXTABLE(16b,100b)
28410 + _ASM_EXTABLE(17b,100b)
28411 + _ASM_EXTABLE(18b,100b)
28412 + _ASM_EXTABLE(19b,100b)
28413 + _ASM_EXTABLE(20b,100b)
28414 + _ASM_EXTABLE(21b,100b)
28415 + _ASM_EXTABLE(22b,100b)
28416 + _ASM_EXTABLE(23b,100b)
28417 + _ASM_EXTABLE(24b,100b)
28418 + _ASM_EXTABLE(25b,100b)
28419 + _ASM_EXTABLE(26b,100b)
28420 + _ASM_EXTABLE(27b,100b)
28421 + _ASM_EXTABLE(28b,100b)
28422 + _ASM_EXTABLE(29b,100b)
28423 + _ASM_EXTABLE(30b,100b)
28424 + _ASM_EXTABLE(31b,100b)
28425 + _ASM_EXTABLE(32b,100b)
28426 + _ASM_EXTABLE(33b,100b)
28427 + _ASM_EXTABLE(34b,100b)
28428 + _ASM_EXTABLE(35b,100b)
28429 + _ASM_EXTABLE(36b,100b)
28430 + _ASM_EXTABLE(37b,100b)
28431 + _ASM_EXTABLE(99b,101b)
28432 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
28433 + : "1"(to), "2"(from), "0"(size)
28434 + : "eax", "edx", "memory");
28438 +static unsigned long __size_overflow(3)
28439 __copy_user_zeroing_intel(void *to, const void __user *from, unsigned long size)
28442 __asm__ __volatile__(
28444 - "0: movl 32(%4), %%eax\n"
28445 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
28448 - "1: movl 64(%4), %%eax\n"
28449 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
28451 - "2: movl 0(%4), %%eax\n"
28452 - "21: movl 4(%4), %%edx\n"
28453 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
28454 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
28455 " movl %%eax, 0(%3)\n"
28456 " movl %%edx, 4(%3)\n"
28457 - "3: movl 8(%4), %%eax\n"
28458 - "31: movl 12(%4),%%edx\n"
28459 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
28460 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
28461 " movl %%eax, 8(%3)\n"
28462 " movl %%edx, 12(%3)\n"
28463 - "4: movl 16(%4), %%eax\n"
28464 - "41: movl 20(%4), %%edx\n"
28465 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
28466 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
28467 " movl %%eax, 16(%3)\n"
28468 " movl %%edx, 20(%3)\n"
28469 - "10: movl 24(%4), %%eax\n"
28470 - "51: movl 28(%4), %%edx\n"
28471 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
28472 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
28473 " movl %%eax, 24(%3)\n"
28474 " movl %%edx, 28(%3)\n"
28475 - "11: movl 32(%4), %%eax\n"
28476 - "61: movl 36(%4), %%edx\n"
28477 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
28478 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
28479 " movl %%eax, 32(%3)\n"
28480 " movl %%edx, 36(%3)\n"
28481 - "12: movl 40(%4), %%eax\n"
28482 - "71: movl 44(%4), %%edx\n"
28483 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
28484 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
28485 " movl %%eax, 40(%3)\n"
28486 " movl %%edx, 44(%3)\n"
28487 - "13: movl 48(%4), %%eax\n"
28488 - "81: movl 52(%4), %%edx\n"
28489 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
28490 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
28491 " movl %%eax, 48(%3)\n"
28492 " movl %%edx, 52(%3)\n"
28493 - "14: movl 56(%4), %%eax\n"
28494 - "91: movl 60(%4), %%edx\n"
28495 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
28496 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
28497 " movl %%eax, 56(%3)\n"
28498 " movl %%edx, 60(%3)\n"
28500 @@ -253,9 +361,9 @@ __copy_user_zeroing_intel(void *to, const void __user *from, unsigned long size)
28502 " andl $3, %%eax\n"
28504 - "6: rep; movsl\n"
28505 + "6: rep; "__copyuser_seg" movsl\n"
28507 - "7: rep; movsb\n"
28508 + "7: rep; "__copyuser_seg" movsb\n"
28510 ".section .fixup,\"ax\"\n"
28511 "9: lea 0(%%eax,%0,4),%0\n"
28512 @@ -298,48 +406,48 @@ __copy_user_zeroing_intel(void *to, const void __user *from, unsigned long size)
28513 * hyoshiok@miraclelinux.com
28516 -static unsigned long __copy_user_zeroing_intel_nocache(void *to,
28517 +static unsigned long __size_overflow(3) __copy_user_zeroing_intel_nocache(void *to,
28518 const void __user *from, unsigned long size)
28522 __asm__ __volatile__(
28524 - "0: movl 32(%4), %%eax\n"
28525 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
28528 - "1: movl 64(%4), %%eax\n"
28529 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
28531 - "2: movl 0(%4), %%eax\n"
28532 - "21: movl 4(%4), %%edx\n"
28533 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
28534 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
28535 " movnti %%eax, 0(%3)\n"
28536 " movnti %%edx, 4(%3)\n"
28537 - "3: movl 8(%4), %%eax\n"
28538 - "31: movl 12(%4),%%edx\n"
28539 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
28540 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
28541 " movnti %%eax, 8(%3)\n"
28542 " movnti %%edx, 12(%3)\n"
28543 - "4: movl 16(%4), %%eax\n"
28544 - "41: movl 20(%4), %%edx\n"
28545 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
28546 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
28547 " movnti %%eax, 16(%3)\n"
28548 " movnti %%edx, 20(%3)\n"
28549 - "10: movl 24(%4), %%eax\n"
28550 - "51: movl 28(%4), %%edx\n"
28551 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
28552 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
28553 " movnti %%eax, 24(%3)\n"
28554 " movnti %%edx, 28(%3)\n"
28555 - "11: movl 32(%4), %%eax\n"
28556 - "61: movl 36(%4), %%edx\n"
28557 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
28558 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
28559 " movnti %%eax, 32(%3)\n"
28560 " movnti %%edx, 36(%3)\n"
28561 - "12: movl 40(%4), %%eax\n"
28562 - "71: movl 44(%4), %%edx\n"
28563 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
28564 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
28565 " movnti %%eax, 40(%3)\n"
28566 " movnti %%edx, 44(%3)\n"
28567 - "13: movl 48(%4), %%eax\n"
28568 - "81: movl 52(%4), %%edx\n"
28569 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
28570 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
28571 " movnti %%eax, 48(%3)\n"
28572 " movnti %%edx, 52(%3)\n"
28573 - "14: movl 56(%4), %%eax\n"
28574 - "91: movl 60(%4), %%edx\n"
28575 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
28576 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
28577 " movnti %%eax, 56(%3)\n"
28578 " movnti %%edx, 60(%3)\n"
28580 @@ -352,9 +460,9 @@ static unsigned long __copy_user_zeroing_intel_nocache(void *to,
28582 " andl $3, %%eax\n"
28584 - "6: rep; movsl\n"
28585 + "6: rep; "__copyuser_seg" movsl\n"
28587 - "7: rep; movsb\n"
28588 + "7: rep; "__copyuser_seg" movsb\n"
28590 ".section .fixup,\"ax\"\n"
28591 "9: lea 0(%%eax,%0,4),%0\n"
28592 @@ -392,48 +500,48 @@ static unsigned long __copy_user_zeroing_intel_nocache(void *to,
28596 -static unsigned long __copy_user_intel_nocache(void *to,
28597 +static unsigned long __size_overflow(3) __copy_user_intel_nocache(void *to,
28598 const void __user *from, unsigned long size)
28602 __asm__ __volatile__(
28604 - "0: movl 32(%4), %%eax\n"
28605 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
28608 - "1: movl 64(%4), %%eax\n"
28609 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
28611 - "2: movl 0(%4), %%eax\n"
28612 - "21: movl 4(%4), %%edx\n"
28613 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
28614 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
28615 " movnti %%eax, 0(%3)\n"
28616 " movnti %%edx, 4(%3)\n"
28617 - "3: movl 8(%4), %%eax\n"
28618 - "31: movl 12(%4),%%edx\n"
28619 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
28620 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
28621 " movnti %%eax, 8(%3)\n"
28622 " movnti %%edx, 12(%3)\n"
28623 - "4: movl 16(%4), %%eax\n"
28624 - "41: movl 20(%4), %%edx\n"
28625 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
28626 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
28627 " movnti %%eax, 16(%3)\n"
28628 " movnti %%edx, 20(%3)\n"
28629 - "10: movl 24(%4), %%eax\n"
28630 - "51: movl 28(%4), %%edx\n"
28631 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
28632 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
28633 " movnti %%eax, 24(%3)\n"
28634 " movnti %%edx, 28(%3)\n"
28635 - "11: movl 32(%4), %%eax\n"
28636 - "61: movl 36(%4), %%edx\n"
28637 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
28638 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
28639 " movnti %%eax, 32(%3)\n"
28640 " movnti %%edx, 36(%3)\n"
28641 - "12: movl 40(%4), %%eax\n"
28642 - "71: movl 44(%4), %%edx\n"
28643 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
28644 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
28645 " movnti %%eax, 40(%3)\n"
28646 " movnti %%edx, 44(%3)\n"
28647 - "13: movl 48(%4), %%eax\n"
28648 - "81: movl 52(%4), %%edx\n"
28649 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
28650 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
28651 " movnti %%eax, 48(%3)\n"
28652 " movnti %%edx, 52(%3)\n"
28653 - "14: movl 56(%4), %%eax\n"
28654 - "91: movl 60(%4), %%edx\n"
28655 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
28656 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
28657 " movnti %%eax, 56(%3)\n"
28658 " movnti %%edx, 60(%3)\n"
28660 @@ -446,9 +554,9 @@ static unsigned long __copy_user_intel_nocache(void *to,
28662 " andl $3, %%eax\n"
28664 - "6: rep; movsl\n"
28665 + "6: rep; "__copyuser_seg" movsl\n"
28667 - "7: rep; movsb\n"
28668 + "7: rep; "__copyuser_seg" movsb\n"
28670 ".section .fixup,\"ax\"\n"
28671 "9: lea 0(%%eax,%0,4),%0\n"
28672 @@ -488,32 +596,36 @@ static unsigned long __copy_user_intel_nocache(void *to,
28674 unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
28675 unsigned long size);
28676 -unsigned long __copy_user_intel(void __user *to, const void *from,
28677 +unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
28678 + unsigned long size);
28679 +unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
28680 unsigned long size);
28681 unsigned long __copy_user_zeroing_intel_nocache(void *to,
28682 const void __user *from, unsigned long size);
28683 #endif /* CONFIG_X86_INTEL_USERCOPY */
28685 /* Generic arbitrary sized copy. */
28686 -#define __copy_user(to, from, size) \
28687 +#define __copy_user(to, from, size, prefix, set, restore) \
28689 int __d0, __d1, __d2; \
28690 __asm__ __volatile__( \
28698 - "4: rep; movsb\n" \
28699 + "4: rep; "prefix"movsb\n" \
28703 " .align 2,0x90\n" \
28704 - "0: rep; movsl\n" \
28705 + "0: rep; "prefix"movsl\n" \
28707 - "1: rep; movsb\n" \
28708 + "1: rep; "prefix"movsb\n" \
28711 ".section .fixup,\"ax\"\n" \
28712 "5: addl %3,%0\n" \
28714 @@ -538,14 +650,14 @@ do { \
28718 - "4: rep; movsb\n" \
28719 + "4: rep; "__copyuser_seg"movsb\n" \
28723 " .align 2,0x90\n" \
28724 - "0: rep; movsl\n" \
28725 + "0: rep; "__copyuser_seg"movsl\n" \
28727 - "1: rep; movsb\n" \
28728 + "1: rep; "__copyuser_seg"movsb\n" \
28730 ".section .fixup,\"ax\"\n" \
28731 "5: addl %3,%0\n" \
28732 @@ -572,9 +684,9 @@ unsigned long __copy_to_user_ll(void __user *to, const void *from,
28735 if (movsl_is_ok(to, from, n))
28736 - __copy_user(to, from, n);
28737 + __copy_user(to, from, n, "", __COPYUSER_SET_ES, __COPYUSER_RESTORE_ES);
28739 - n = __copy_user_intel(to, from, n);
28740 + n = __generic_copy_to_user_intel(to, from, n);
28744 @@ -598,10 +710,9 @@ unsigned long __copy_from_user_ll_nozero(void *to, const void __user *from,
28747 if (movsl_is_ok(to, from, n))
28748 - __copy_user(to, from, n);
28749 + __copy_user(to, from, n, __copyuser_seg, "", "");
28751 - n = __copy_user_intel((void __user *)to,
28752 - (const void *)from, n);
28753 + n = __generic_copy_from_user_intel(to, from, n);
28757 @@ -632,60 +743,38 @@ unsigned long __copy_from_user_ll_nocache_nozero(void *to, const void __user *fr
28758 if (n > 64 && cpu_has_xmm2)
28759 n = __copy_user_intel_nocache(to, from, n);
28761 - __copy_user(to, from, n);
28762 + __copy_user(to, from, n, __copyuser_seg, "", "");
28764 - __copy_user(to, from, n);
28765 + __copy_user(to, from, n, __copyuser_seg, "", "");
28770 EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
28773 - * copy_to_user: - Copy a block of data into user space.
28774 - * @to: Destination address, in user space.
28775 - * @from: Source address, in kernel space.
28776 - * @n: Number of bytes to copy.
28778 - * Context: User context only. This function may sleep.
28780 - * Copy data from kernel space to user space.
28782 - * Returns number of bytes that could not be copied.
28783 - * On success, this will be zero.
28786 -copy_to_user(void __user *to, const void *from, unsigned long n)
28787 +#ifdef CONFIG_PAX_MEMORY_UDEREF
28788 +void __set_fs(mm_segment_t x)
28790 - if (access_ok(VERIFY_WRITE, to, n))
28791 - n = __copy_to_user(to, from, n);
28795 + loadsegment(gs, 0);
28797 + case TASK_SIZE_MAX:
28798 + loadsegment(gs, __USER_DS);
28801 + loadsegment(gs, __KERNEL_DS);
28807 -EXPORT_SYMBOL(copy_to_user);
28808 +EXPORT_SYMBOL(__set_fs);
28811 - * copy_from_user: - Copy a block of data from user space.
28812 - * @to: Destination address, in kernel space.
28813 - * @from: Source address, in user space.
28814 - * @n: Number of bytes to copy.
28816 - * Context: User context only. This function may sleep.
28818 - * Copy data from user space to kernel space.
28820 - * Returns number of bytes that could not be copied.
28821 - * On success, this will be zero.
28823 - * If some data could not be copied, this function will pad the copied
28824 - * data to the requested size using zero bytes.
28827 -_copy_from_user(void *to, const void __user *from, unsigned long n)
28828 +void set_fs(mm_segment_t x)
28830 - if (access_ok(VERIFY_READ, from, n))
28831 - n = __copy_from_user(to, from, n);
28833 - memset(to, 0, n);
28835 + current_thread_info()->addr_limit = x;
28838 -EXPORT_SYMBOL(_copy_from_user);
28839 +EXPORT_SYMBOL(set_fs);
28841 diff --git a/arch/x86/lib/usercopy_64.c b/arch/x86/lib/usercopy_64.c
28842 index 906fea3..0194a18 100644
28843 --- a/arch/x86/lib/usercopy_64.c
28844 +++ b/arch/x86/lib/usercopy_64.c
28845 @@ -18,6 +18,7 @@ unsigned long __clear_user(void __user *addr, unsigned long size)
28847 /* no memory constraint because it doesn't change any memory gcc knows
28849 + pax_open_userland();
28852 " testq %[size8],%[size8]\n"
28853 @@ -39,9 +40,10 @@ unsigned long __clear_user(void __user *addr, unsigned long size)
28854 _ASM_EXTABLE(0b,3b)
28855 _ASM_EXTABLE(1b,2b)
28856 : [size8] "=&c"(size), [dst] "=&D" (__d0)
28857 - : [size1] "r"(size & 7), "[size8]" (size / 8), "[dst]"(addr),
28858 + : [size1] "r"(size & 7), "[size8]" (size / 8), "[dst]"(____m(addr)),
28859 [zero] "r" (0UL), [eight] "r" (8UL));
28861 + pax_close_userland();
28864 EXPORT_SYMBOL(__clear_user);
28865 @@ -54,12 +56,11 @@ unsigned long clear_user(void __user *to, unsigned long n)
28867 EXPORT_SYMBOL(clear_user);
28869 -unsigned long copy_in_user(void __user *to, const void __user *from, unsigned len)
28870 +unsigned long copy_in_user(void __user *to, const void __user *from, unsigned long len)
28872 - if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
28873 - return copy_user_generic((__force void *)to, (__force void *)from, len);
28876 + if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len))
28877 + return copy_user_generic((void __force_kernel *)____m(to), (void __force_kernel *)____m(from), len);
28880 EXPORT_SYMBOL(copy_in_user);
28882 @@ -69,11 +70,13 @@ EXPORT_SYMBOL(copy_in_user);
28883 * it is not necessary to optimize tail handling.
28886 -copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest)
28887 +copy_user_handle_tail(char __user *to, char __user *from, unsigned long len, unsigned zerorest)
28893 + pax_close_userland();
28894 for (; len; --len, to++) {
28895 if (__get_user_nocheck(c, from++, sizeof(char)))
28897 @@ -84,6 +87,5 @@ copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest)
28898 for (c = 0, zero_len = len; zerorest && zero_len; --zero_len)
28899 if (__put_user_nocheck(c, to++, sizeof(char)))
28904 diff --git a/arch/x86/mm/Makefile b/arch/x86/mm/Makefile
28905 index 23d8e5f..9ccc13a 100644
28906 --- a/arch/x86/mm/Makefile
28907 +++ b/arch/x86/mm/Makefile
28908 @@ -28,3 +28,7 @@ obj-$(CONFIG_ACPI_NUMA) += srat.o
28909 obj-$(CONFIG_NUMA_EMU) += numa_emulation.o
28911 obj-$(CONFIG_MEMTEST) += memtest.o
28914 +obj-$(CONFIG_X86_64) += uderef_64.o
28915 +CFLAGS_uderef_64.o := $(subst $(quote),,$(CONFIG_ARCH_HWEIGHT_CFLAGS))
28916 diff --git a/arch/x86/mm/extable.c b/arch/x86/mm/extable.c
28917 index 903ec1e..c4166b2 100644
28918 --- a/arch/x86/mm/extable.c
28919 +++ b/arch/x86/mm/extable.c
28921 static inline unsigned long
28922 ex_insn_addr(const struct exception_table_entry *x)
28924 - return (unsigned long)&x->insn + x->insn;
28925 + unsigned long reloc = 0;
28927 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
28928 + reloc = ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
28931 + return (unsigned long)&x->insn + x->insn + reloc;
28933 static inline unsigned long
28934 ex_fixup_addr(const struct exception_table_entry *x)
28936 - return (unsigned long)&x->fixup + x->fixup;
28937 + unsigned long reloc = 0;
28939 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
28940 + reloc = ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
28943 + return (unsigned long)&x->fixup + x->fixup + reloc;
28946 int fixup_exception(struct pt_regs *regs)
28947 @@ -20,7 +32,7 @@ int fixup_exception(struct pt_regs *regs)
28948 unsigned long new_ip;
28950 #ifdef CONFIG_PNPBIOS
28951 - if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
28952 + if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) {
28953 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
28954 extern u32 pnp_bios_is_utter_crap;
28955 pnp_bios_is_utter_crap = 1;
28956 @@ -145,6 +157,13 @@ void sort_extable(struct exception_table_entry *start,
28961 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
28962 + BUILD_BUG_ON(!IS_ENABLED(CONFIG_BUILDTIME_EXTABLE_SORT));
28963 + p->insn -= ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
28964 + p->fixup -= ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
28970 diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
28971 index 654be4a..a4a3da1 100644
28972 --- a/arch/x86/mm/fault.c
28973 +++ b/arch/x86/mm/fault.c
28974 @@ -14,11 +14,18 @@
28975 #include <linux/hugetlb.h> /* hstate_index_to_shift */
28976 #include <linux/prefetch.h> /* prefetchw */
28977 #include <linux/context_tracking.h> /* exception_enter(), ... */
28978 +#include <linux/unistd.h>
28979 +#include <linux/compiler.h>
28981 #include <asm/traps.h> /* dotraplinkage, ... */
28982 #include <asm/pgalloc.h> /* pgd_*(), ... */
28983 #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */
28984 #include <asm/fixmap.h> /* VSYSCALL_START */
28985 +#include <asm/tlbflush.h>
28987 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
28988 +#include <asm/stacktrace.h>
28992 * Page fault error code bits:
28993 @@ -56,7 +63,7 @@ static inline int __kprobes notify_page_fault(struct pt_regs *regs)
28996 /* kprobe_running() needs smp_processor_id() */
28997 - if (kprobes_built_in() && !user_mode_vm(regs)) {
28998 + if (kprobes_built_in() && !user_mode(regs)) {
29000 if (kprobe_running() && kprobe_fault_handler(regs, 14))
29002 @@ -117,7 +124,10 @@ check_prefetch_opcode(struct pt_regs *regs, unsigned char *instr,
29003 return !instr_lo || (instr_lo>>1) == 1;
29005 /* Prefetch instruction is 0x0F0D or 0x0F18 */
29006 - if (probe_kernel_address(instr, opcode))
29007 + if (user_mode(regs)) {
29008 + if (__copy_from_user_inatomic(&opcode, (unsigned char __force_user *)(instr), 1))
29010 + } else if (probe_kernel_address(instr, opcode))
29013 *prefetch = (instr_lo == 0xF) &&
29014 @@ -151,7 +161,10 @@ is_prefetch(struct pt_regs *regs, unsigned long error_code, unsigned long addr)
29015 while (instr < max_instr) {
29016 unsigned char opcode;
29018 - if (probe_kernel_address(instr, opcode))
29019 + if (user_mode(regs)) {
29020 + if (__copy_from_user_inatomic(&opcode, (unsigned char __force_user *)(instr), 1))
29022 + } else if (probe_kernel_address(instr, opcode))
29026 @@ -182,6 +195,34 @@ force_sig_info_fault(int si_signo, int si_code, unsigned long address,
29027 force_sig_info(si_signo, &info, tsk);
29030 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
29031 +static bool pax_is_fetch_fault(struct pt_regs *regs, unsigned long error_code, unsigned long address);
29034 +#ifdef CONFIG_PAX_EMUTRAMP
29035 +static int pax_handle_fetch_fault(struct pt_regs *regs);
29038 +#ifdef CONFIG_PAX_PAGEEXEC
29039 +static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
29045 + pgd = pgd_offset(mm, address);
29046 + if (!pgd_present(*pgd))
29048 + pud = pud_offset(pgd, address);
29049 + if (!pud_present(*pud))
29051 + pmd = pmd_offset(pud, address);
29052 + if (!pmd_present(*pmd))
29058 DEFINE_SPINLOCK(pgd_lock);
29059 LIST_HEAD(pgd_list);
29061 @@ -232,10 +273,27 @@ void vmalloc_sync_all(void)
29062 for (address = VMALLOC_START & PMD_MASK;
29063 address >= TASK_SIZE && address < FIXADDR_TOP;
29064 address += PMD_SIZE) {
29066 +#ifdef CONFIG_PAX_PER_CPU_PGD
29067 + unsigned long cpu;
29072 spin_lock(&pgd_lock);
29074 +#ifdef CONFIG_PAX_PER_CPU_PGD
29075 + for (cpu = 0; cpu < nr_cpu_ids; ++cpu) {
29076 + pgd_t *pgd = get_cpu_pgd(cpu, user);
29079 + ret = vmalloc_sync_one(pgd, address);
29082 + pgd = get_cpu_pgd(cpu, kernel);
29084 list_for_each_entry(page, &pgd_list, lru) {
29086 spinlock_t *pgt_lock;
29089 @@ -243,8 +301,14 @@ void vmalloc_sync_all(void)
29090 pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
29092 spin_lock(pgt_lock);
29093 - ret = vmalloc_sync_one(page_address(page), address);
29094 + pgd = page_address(page);
29097 + ret = vmalloc_sync_one(pgd, address);
29099 +#ifndef CONFIG_PAX_PER_CPU_PGD
29100 spin_unlock(pgt_lock);
29105 @@ -278,6 +342,12 @@ static noinline __kprobes int vmalloc_fault(unsigned long address)
29106 * an interrupt in the middle of a task switch..
29108 pgd_paddr = read_cr3();
29110 +#ifdef CONFIG_PAX_PER_CPU_PGD
29111 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id(), kernel)) != (pgd_paddr & __PHYSICAL_MASK));
29112 + vmalloc_sync_one(__va(pgd_paddr + PAGE_SIZE), address);
29115 pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
29118 @@ -373,11 +443,25 @@ static noinline __kprobes int vmalloc_fault(unsigned long address)
29119 * happen within a race in page table update. In the later
29122 - pgd = pgd_offset(current->active_mm, address);
29124 pgd_ref = pgd_offset_k(address);
29125 if (pgd_none(*pgd_ref))
29128 +#ifdef CONFIG_PAX_PER_CPU_PGD
29129 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id(), kernel)) != (read_cr3() & __PHYSICAL_MASK));
29130 + pgd = pgd_offset_cpu(smp_processor_id(), user, address);
29131 + if (pgd_none(*pgd)) {
29132 + set_pgd(pgd, *pgd_ref);
29133 + arch_flush_lazy_mmu_mode();
29135 + BUG_ON(pgd_page_vaddr(*pgd) != pgd_page_vaddr(*pgd_ref));
29137 + pgd = pgd_offset_cpu(smp_processor_id(), kernel, address);
29139 + pgd = pgd_offset(current->active_mm, address);
29142 if (pgd_none(*pgd)) {
29143 set_pgd(pgd, *pgd_ref);
29144 arch_flush_lazy_mmu_mode();
29145 @@ -543,7 +627,7 @@ static int is_errata93(struct pt_regs *regs, unsigned long address)
29146 static int is_errata100(struct pt_regs *regs, unsigned long address)
29148 #ifdef CONFIG_X86_64
29149 - if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
29150 + if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32))
29154 @@ -570,7 +654,7 @@ static int is_f00f_bug(struct pt_regs *regs, unsigned long address)
29157 static const char nx_warning[] = KERN_CRIT
29158 -"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
29159 +"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n";
29162 show_fault_oops(struct pt_regs *regs, unsigned long error_code,
29163 @@ -579,15 +663,27 @@ show_fault_oops(struct pt_regs *regs, unsigned long error_code,
29164 if (!oops_may_print())
29167 - if (error_code & PF_INSTR) {
29168 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) {
29169 unsigned int level;
29171 pte_t *pte = lookup_address(address, &level);
29173 if (pte && pte_present(*pte) && !pte_exec(*pte))
29174 - printk(nx_warning, from_kuid(&init_user_ns, current_uid()));
29175 + printk(nx_warning, from_kuid_munged(&init_user_ns, current_uid()), current->comm, task_pid_nr(current));
29178 +#ifdef CONFIG_PAX_KERNEXEC
29179 + if (init_mm.start_code <= address && address < init_mm.end_code) {
29180 + if (current->signal->curr_ip)
29181 + printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
29182 + ¤t->signal->curr_ip, current->comm, task_pid_nr(current),
29183 + from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()));
29185 + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", current->comm, task_pid_nr(current),
29186 + from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()));
29190 printk(KERN_ALERT "BUG: unable to handle kernel ");
29191 if (address < PAGE_SIZE)
29192 printk(KERN_CONT "NULL pointer dereference");
29193 @@ -750,6 +846,22 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,
29198 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
29199 + if (pax_is_fetch_fault(regs, error_code, address)) {
29201 +#ifdef CONFIG_PAX_EMUTRAMP
29202 + switch (pax_handle_fetch_fault(regs)) {
29208 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
29209 + do_group_exit(SIGKILL);
29213 /* Kernel addresses are always protection faults: */
29214 if (address >= TASK_SIZE)
29215 error_code |= PF_PROT;
29216 @@ -835,7 +947,7 @@ do_sigbus(struct pt_regs *regs, unsigned long error_code, unsigned long address,
29217 if (fault & (VM_FAULT_HWPOISON|VM_FAULT_HWPOISON_LARGE)) {
29219 "MCE: Killing %s:%d due to hardware memory corruption fault at %lx\n",
29220 - tsk->comm, tsk->pid, address);
29221 + tsk->comm, task_pid_nr(tsk), address);
29222 code = BUS_MCEERR_AR;
29225 @@ -898,6 +1010,99 @@ static int spurious_fault_check(unsigned long error_code, pte_t *pte)
29229 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
29230 +static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code)
29235 + unsigned char pte_mask;
29237 + if ((__supported_pte_mask & _PAGE_NX) || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) ||
29238 + !(mm->pax_flags & MF_PAX_PAGEEXEC))
29241 + /* PaX: it's our fault, let's handle it if we can */
29243 + /* PaX: take a look at read faults before acquiring any locks */
29244 + if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) {
29245 + /* instruction fetch attempt from a protected page in user mode */
29246 + up_read(&mm->mmap_sem);
29248 +#ifdef CONFIG_PAX_EMUTRAMP
29249 + switch (pax_handle_fetch_fault(regs)) {
29255 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
29256 + do_group_exit(SIGKILL);
29259 + pmd = pax_get_pmd(mm, address);
29260 + if (unlikely(!pmd))
29263 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
29264 + if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
29265 + pte_unmap_unlock(pte, ptl);
29269 + if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) {
29270 + /* write attempt to a protected page in user mode */
29271 + pte_unmap_unlock(pte, ptl);
29276 + if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
29278 + if (likely(address > get_limit(regs->cs)))
29281 + set_pte(pte, pte_mkread(*pte));
29282 + __flush_tlb_one(address);
29283 + pte_unmap_unlock(pte, ptl);
29284 + up_read(&mm->mmap_sem);
29288 + pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1));
29291 + * PaX: fill DTLB with user rights and retry
29293 + __asm__ __volatile__ (
29295 +#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
29297 + * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
29298 + * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
29299 + * page fault when examined during a TLB load attempt. this is true not only
29300 + * for PTEs holding a non-present entry but also present entries that will
29301 + * raise a page fault (such as those set up by PaX, or the copy-on-write
29302 + * mechanism). in effect it means that we do *not* need to flush the TLBs
29303 + * for our target pages since their PTEs are simply not in the TLBs at all.
29305 + * the best thing in omitting it is that we gain around 15-20% speed in the
29306 + * fast path of the page fault handler and can get rid of tracing since we
29307 + * can no longer flush unintended entries.
29311 + __copyuser_seg"testb $0,(%0)\n"
29314 + : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER)
29315 + : "memory", "cc");
29316 + pte_unmap_unlock(pte, ptl);
29317 + up_read(&mm->mmap_sem);
29323 * Handle a spurious fault caused by a stale TLB entry.
29325 @@ -964,6 +1169,9 @@ int show_unhandled_signals = 1;
29327 access_error(unsigned long error_code, struct vm_area_struct *vma)
29329 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
29332 if (error_code & PF_WRITE) {
29333 /* write, present and write, not present: */
29334 if (unlikely(!(vma->vm_flags & VM_WRITE)))
29335 @@ -992,7 +1200,7 @@ static inline bool smap_violation(int error_code, struct pt_regs *regs)
29336 if (error_code & PF_USER)
29339 - if (!user_mode_vm(regs) && (regs->flags & X86_EFLAGS_AC))
29340 + if (!user_mode(regs) && (regs->flags & X86_EFLAGS_AC))
29344 @@ -1008,18 +1216,33 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code)
29346 struct vm_area_struct *vma;
29347 struct task_struct *tsk;
29348 - unsigned long address;
29349 struct mm_struct *mm;
29351 int write = error_code & PF_WRITE;
29352 unsigned int flags = FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_KILLABLE |
29353 (write ? FAULT_FLAG_WRITE : 0);
29358 /* Get the faulting address: */
29359 - address = read_cr2();
29360 + unsigned long address = read_cr2();
29362 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
29363 + if (!user_mode(regs) && address < 2 * pax_user_shadow_base) {
29364 + if (!search_exception_tables(regs->ip)) {
29365 + printk(KERN_ERR "PAX: please report this to pageexec@freemail.hu\n");
29366 + bad_area_nosemaphore(regs, error_code, address);
29369 + if (address < pax_user_shadow_base) {
29370 + printk(KERN_ERR "PAX: please report this to pageexec@freemail.hu\n");
29371 + printk(KERN_ERR "PAX: faulting IP: %pS\n", (void *)regs->ip);
29372 + show_trace_log_lvl(NULL, NULL, (void *)regs->sp, regs->bp, KERN_ERR);
29374 + address -= pax_user_shadow_base;
29382 * Detect and handle instructions that would cause a page fault for
29383 @@ -1080,7 +1303,7 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code)
29384 * User-mode registers count as a user access even for any
29385 * potential system fault or CPU buglet:
29387 - if (user_mode_vm(regs)) {
29388 + if (user_mode(regs)) {
29389 local_irq_enable();
29390 error_code |= PF_USER;
29392 @@ -1142,6 +1365,11 @@ retry:
29396 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
29397 + if (pax_handle_pageexec_fault(regs, mm, address, error_code))
29401 vma = find_vma(mm, address);
29402 if (unlikely(!vma)) {
29403 bad_area(regs, error_code, address);
29404 @@ -1153,18 +1381,24 @@ retry:
29405 bad_area(regs, error_code, address);
29408 - if (error_code & PF_USER) {
29410 - * Accessing the stack below %sp is always a bug.
29411 - * The large cushion allows instructions like enter
29412 - * and pusha to work. ("enter $65535, $31" pushes
29413 - * 32 pointers and then decrements %sp by 65535.)
29415 - if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
29416 - bad_area(regs, error_code, address);
29420 + * Accessing the stack below %sp is always a bug.
29421 + * The large cushion allows instructions like enter
29422 + * and pusha to work. ("enter $65535, $31" pushes
29423 + * 32 pointers and then decrements %sp by 65535.)
29425 + if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
29426 + bad_area(regs, error_code, address);
29430 +#ifdef CONFIG_PAX_SEGMEXEC
29431 + if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
29432 + bad_area(regs, error_code, address);
29437 if (unlikely(expand_stack(vma, address))) {
29438 bad_area(regs, error_code, address);
29440 @@ -1230,3 +1464,292 @@ do_page_fault(struct pt_regs *regs, unsigned long error_code)
29441 __do_page_fault(regs, error_code);
29442 exception_exit(prev_state);
29445 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
29446 +static bool pax_is_fetch_fault(struct pt_regs *regs, unsigned long error_code, unsigned long address)
29448 + struct mm_struct *mm = current->mm;
29449 + unsigned long ip = regs->ip;
29451 + if (v8086_mode(regs))
29452 + ip = ((regs->cs & 0xffff) << 4) + (ip & 0xffff);
29454 +#ifdef CONFIG_PAX_PAGEEXEC
29455 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
29456 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR))
29458 + if (!(error_code & (PF_PROT | PF_WRITE)) && ip == address)
29464 +#ifdef CONFIG_PAX_SEGMEXEC
29465 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
29466 + if (!(error_code & (PF_PROT | PF_WRITE)) && (ip + SEGMEXEC_TASK_SIZE == address))
29476 +#ifdef CONFIG_PAX_EMUTRAMP
29477 +static int pax_handle_fetch_fault_32(struct pt_regs *regs)
29481 + do { /* PaX: libffi trampoline emulation */
29482 + unsigned char mov, jmp;
29483 + unsigned int addr1, addr2;
29485 +#ifdef CONFIG_X86_64
29486 + if ((regs->ip + 9) >> 32)
29490 + err = get_user(mov, (unsigned char __user *)regs->ip);
29491 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
29492 + err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
29493 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
29498 + if (mov == 0xB8 && jmp == 0xE9) {
29499 + regs->ax = addr1;
29500 + regs->ip = (unsigned int)(regs->ip + addr2 + 10);
29505 + do { /* PaX: gcc trampoline emulation #1 */
29506 + unsigned char mov1, mov2;
29507 + unsigned short jmp;
29508 + unsigned int addr1, addr2;
29510 +#ifdef CONFIG_X86_64
29511 + if ((regs->ip + 11) >> 32)
29515 + err = get_user(mov1, (unsigned char __user *)regs->ip);
29516 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
29517 + err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5));
29518 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
29519 + err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10));
29524 + if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
29525 + regs->cx = addr1;
29526 + regs->ax = addr2;
29527 + regs->ip = addr2;
29532 + do { /* PaX: gcc trampoline emulation #2 */
29533 + unsigned char mov, jmp;
29534 + unsigned int addr1, addr2;
29536 +#ifdef CONFIG_X86_64
29537 + if ((regs->ip + 9) >> 32)
29541 + err = get_user(mov, (unsigned char __user *)regs->ip);
29542 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
29543 + err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
29544 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
29549 + if (mov == 0xB9 && jmp == 0xE9) {
29550 + regs->cx = addr1;
29551 + regs->ip = (unsigned int)(regs->ip + addr2 + 10);
29556 + return 1; /* PaX in action */
29559 +#ifdef CONFIG_X86_64
29560 +static int pax_handle_fetch_fault_64(struct pt_regs *regs)
29564 + do { /* PaX: libffi trampoline emulation */
29565 + unsigned short mov1, mov2, jmp1;
29566 + unsigned char stcclc, jmp2;
29567 + unsigned long addr1, addr2;
29569 + err = get_user(mov1, (unsigned short __user *)regs->ip);
29570 + err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
29571 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
29572 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
29573 + err |= get_user(stcclc, (unsigned char __user *)(regs->ip + 20));
29574 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 21));
29575 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 23));
29580 + if (mov1 == 0xBB49 && mov2 == 0xBA49 && (stcclc == 0xF8 || stcclc == 0xF9) && jmp1 == 0xFF49 && jmp2 == 0xE3) {
29581 + regs->r11 = addr1;
29582 + regs->r10 = addr2;
29583 + if (stcclc == 0xF8)
29584 + regs->flags &= ~X86_EFLAGS_CF;
29586 + regs->flags |= X86_EFLAGS_CF;
29587 + regs->ip = addr1;
29592 + do { /* PaX: gcc trampoline emulation #1 */
29593 + unsigned short mov1, mov2, jmp1;
29594 + unsigned char jmp2;
29595 + unsigned int addr1;
29596 + unsigned long addr2;
29598 + err = get_user(mov1, (unsigned short __user *)regs->ip);
29599 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2));
29600 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6));
29601 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8));
29602 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16));
29603 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18));
29608 + if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
29609 + regs->r11 = addr1;
29610 + regs->r10 = addr2;
29611 + regs->ip = addr1;
29616 + do { /* PaX: gcc trampoline emulation #2 */
29617 + unsigned short mov1, mov2, jmp1;
29618 + unsigned char jmp2;
29619 + unsigned long addr1, addr2;
29621 + err = get_user(mov1, (unsigned short __user *)regs->ip);
29622 + err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
29623 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
29624 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
29625 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20));
29626 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22));
29631 + if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
29632 + regs->r11 = addr1;
29633 + regs->r10 = addr2;
29634 + regs->ip = addr1;
29639 + return 1; /* PaX in action */
29644 + * PaX: decide what to do with offenders (regs->ip = fault address)
29646 + * returns 1 when task should be killed
29647 + * 2 when gcc trampoline was detected
29649 +static int pax_handle_fetch_fault(struct pt_regs *regs)
29651 + if (v8086_mode(regs))
29654 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
29657 +#ifdef CONFIG_X86_32
29658 + return pax_handle_fetch_fault_32(regs);
29660 + if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
29661 + return pax_handle_fetch_fault_32(regs);
29663 + return pax_handle_fetch_fault_64(regs);
29668 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
29669 +void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
29673 + printk(KERN_ERR "PAX: bytes at PC: ");
29674 + for (i = 0; i < 20; i++) {
29676 + if (get_user(c, (unsigned char __force_user *)pc+i))
29677 + printk(KERN_CONT "?? ");
29679 + printk(KERN_CONT "%02x ", c);
29683 + printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
29684 + for (i = -1; i < 80 / (long)sizeof(long); i++) {
29686 + if (get_user(c, (unsigned long __force_user *)sp+i)) {
29687 +#ifdef CONFIG_X86_32
29688 + printk(KERN_CONT "???????? ");
29690 + if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)))
29691 + printk(KERN_CONT "???????? ???????? ");
29693 + printk(KERN_CONT "???????????????? ");
29696 +#ifdef CONFIG_X86_64
29697 + if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))) {
29698 + printk(KERN_CONT "%08x ", (unsigned int)c);
29699 + printk(KERN_CONT "%08x ", (unsigned int)(c >> 32));
29702 + printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c);
29710 + * probe_kernel_write(): safely attempt to write to a location
29711 + * @dst: address to write to
29712 + * @src: pointer to the data that shall be written
29713 + * @size: size of the data chunk
29715 + * Safely write to address @dst from the buffer at @src. If a kernel fault
29716 + * happens, handle that and return -EFAULT.
29718 +long notrace probe_kernel_write(void *dst, const void *src, size_t size)
29721 + mm_segment_t old_fs = get_fs();
29723 + set_fs(KERNEL_DS);
29724 + pagefault_disable();
29725 + pax_open_kernel();
29726 + ret = __copy_to_user_inatomic((void __force_user *)dst, src, size);
29727 + pax_close_kernel();
29728 + pagefault_enable();
29731 + return ret ? -EFAULT : 0;
29733 diff --git a/arch/x86/mm/gup.c b/arch/x86/mm/gup.c
29734 index dd74e46..7d26398 100644
29735 --- a/arch/x86/mm/gup.c
29736 +++ b/arch/x86/mm/gup.c
29737 @@ -255,7 +255,7 @@ int __get_user_pages_fast(unsigned long start, int nr_pages, int write,
29739 len = (unsigned long) nr_pages << PAGE_SHIFT;
29741 - if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
29742 + if (unlikely(!__access_ok(write ? VERIFY_WRITE : VERIFY_READ,
29743 (void __user *)start, len)))
29746 diff --git a/arch/x86/mm/highmem_32.c b/arch/x86/mm/highmem_32.c
29747 index 252b8f5..4dcfdc1 100644
29748 --- a/arch/x86/mm/highmem_32.c
29749 +++ b/arch/x86/mm/highmem_32.c
29750 @@ -44,7 +44,11 @@ void *kmap_atomic_prot(struct page *page, pgprot_t prot)
29751 idx = type + KM_TYPE_NR*smp_processor_id();
29752 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
29753 BUG_ON(!pte_none(*(kmap_pte-idx)));
29755 + pax_open_kernel();
29756 set_pte(kmap_pte-idx, mk_pte(page, prot));
29757 + pax_close_kernel();
29759 arch_flush_lazy_mmu_mode();
29761 return (void *)vaddr;
29762 diff --git a/arch/x86/mm/hugetlbpage.c b/arch/x86/mm/hugetlbpage.c
29763 index ae1aa71..d9bea75 100644
29764 --- a/arch/x86/mm/hugetlbpage.c
29765 +++ b/arch/x86/mm/hugetlbpage.c
29766 @@ -271,23 +271,30 @@ follow_huge_pud(struct mm_struct *mm, unsigned long address,
29767 #ifdef HAVE_ARCH_HUGETLB_UNMAPPED_AREA
29768 static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *file,
29769 unsigned long addr, unsigned long len,
29770 - unsigned long pgoff, unsigned long flags)
29771 + unsigned long pgoff, unsigned long flags, unsigned long offset)
29773 struct hstate *h = hstate_file(file);
29774 struct vm_unmapped_area_info info;
29779 info.low_limit = TASK_UNMAPPED_BASE;
29781 +#ifdef CONFIG_PAX_RANDMMAP
29782 + if (current->mm->pax_flags & MF_PAX_RANDMMAP)
29783 + info.low_limit += current->mm->delta_mmap;
29786 info.high_limit = TASK_SIZE;
29787 info.align_mask = PAGE_MASK & ~huge_page_mask(h);
29788 info.align_offset = 0;
29789 + info.threadstack_offset = offset;
29790 return vm_unmapped_area(&info);
29793 static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
29794 unsigned long addr0, unsigned long len,
29795 - unsigned long pgoff, unsigned long flags)
29796 + unsigned long pgoff, unsigned long flags, unsigned long offset)
29798 struct hstate *h = hstate_file(file);
29799 struct vm_unmapped_area_info info;
29800 @@ -299,6 +306,7 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
29801 info.high_limit = current->mm->mmap_base;
29802 info.align_mask = PAGE_MASK & ~huge_page_mask(h);
29803 info.align_offset = 0;
29804 + info.threadstack_offset = offset;
29805 addr = vm_unmapped_area(&info);
29808 @@ -311,6 +319,12 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
29809 VM_BUG_ON(addr != -ENOMEM);
29811 info.low_limit = TASK_UNMAPPED_BASE;
29813 +#ifdef CONFIG_PAX_RANDMMAP
29814 + if (current->mm->pax_flags & MF_PAX_RANDMMAP)
29815 + info.low_limit += current->mm->delta_mmap;
29818 info.high_limit = TASK_SIZE;
29819 addr = vm_unmapped_area(&info);
29821 @@ -325,10 +339,20 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
29822 struct hstate *h = hstate_file(file);
29823 struct mm_struct *mm = current->mm;
29824 struct vm_area_struct *vma;
29825 + unsigned long pax_task_size = TASK_SIZE;
29826 + unsigned long offset = gr_rand_threadstack_offset(mm, file, flags);
29828 if (len & ~huge_page_mask(h))
29830 - if (len > TASK_SIZE)
29832 +#ifdef CONFIG_PAX_SEGMEXEC
29833 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
29834 + pax_task_size = SEGMEXEC_TASK_SIZE;
29837 + pax_task_size -= PAGE_SIZE;
29839 + if (len > pax_task_size)
29842 if (flags & MAP_FIXED) {
29843 @@ -337,19 +361,22 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
29847 +#ifdef CONFIG_PAX_RANDMMAP
29848 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
29852 addr = ALIGN(addr, huge_page_size(h));
29853 vma = find_vma(mm, addr);
29854 - if (TASK_SIZE - len >= addr &&
29855 - (!vma || addr + len <= vma->vm_start))
29856 + if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
29859 if (mm->get_unmapped_area == arch_get_unmapped_area)
29860 return hugetlb_get_unmapped_area_bottomup(file, addr, len,
29862 + pgoff, flags, offset);
29864 return hugetlb_get_unmapped_area_topdown(file, addr, len,
29866 + pgoff, flags, offset);
29869 #endif /*HAVE_ARCH_HUGETLB_UNMAPPED_AREA*/
29870 diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c
29871 index 1f34e92..c97b98f 100644
29872 --- a/arch/x86/mm/init.c
29873 +++ b/arch/x86/mm/init.c
29875 #include <linux/swap.h>
29876 #include <linux/memblock.h>
29877 #include <linux/bootmem.h> /* for max_low_pfn */
29878 +#include <linux/tboot.h>
29880 #include <asm/cacheflush.h>
29881 #include <asm/e820.h>
29883 #include <asm/proto.h>
29884 #include <asm/dma.h> /* for MAX_DMA_PFN */
29885 #include <asm/microcode.h>
29886 +#include <asm/desc.h>
29887 +#include <asm/bios_ebda.h>
29889 #include "mm_internal.h"
29891 @@ -465,7 +468,18 @@ void __init init_mem_mapping(void)
29892 early_ioremap_page_table_range_init();
29895 +#ifdef CONFIG_PAX_PER_CPU_PGD
29896 + clone_pgd_range(get_cpu_pgd(0, kernel) + KERNEL_PGD_BOUNDARY,
29897 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
29898 + KERNEL_PGD_PTRS);
29899 + clone_pgd_range(get_cpu_pgd(0, user) + KERNEL_PGD_BOUNDARY,
29900 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
29901 + KERNEL_PGD_PTRS);
29902 + load_cr3(get_cpu_pgd(0, kernel));
29904 load_cr3(swapper_pg_dir);
29909 early_memtest(0, max_pfn_mapped << PAGE_SHIFT);
29910 @@ -481,10 +495,40 @@ void __init init_mem_mapping(void)
29911 * Access has to be given to non-kernel-ram areas as well, these contain the PCI
29912 * mmio resources as well as potential bios/acpi data regions.
29915 +#ifdef CONFIG_GRKERNSEC_KMEM
29916 +static unsigned int ebda_start __read_only;
29917 +static unsigned int ebda_end __read_only;
29920 int devmem_is_allowed(unsigned long pagenr)
29922 - if (pagenr < 256)
29923 +#ifdef CONFIG_GRKERNSEC_KMEM
29928 + if (pagenr >= ebda_start && pagenr < ebda_end)
29930 + /* if tboot is in use, allow access to its hardcoded serial log range */
29931 + if (tboot_enabled() && ((0x60000 >> PAGE_SHIFT) <= pagenr) && (pagenr < (0x68000 >> PAGE_SHIFT)))
29936 +#ifdef CONFIG_VM86
29937 + if (pagenr < (ISA_START_ADDRESS >> PAGE_SHIFT))
29942 + if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
29944 +#ifdef CONFIG_GRKERNSEC_KMEM
29945 + /* throw out everything else below 1MB */
29946 + if (pagenr <= 256)
29949 if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
29951 if (!page_is_ram(pagenr))
29952 @@ -538,8 +582,117 @@ void free_init_pages(char *what, unsigned long begin, unsigned long end)
29956 +#ifdef CONFIG_GRKERNSEC_KMEM
29957 +static inline void gr_init_ebda(void)
29959 + unsigned int ebda_addr;
29960 + unsigned int ebda_size = 0;
29962 + ebda_addr = get_bios_ebda();
29964 + ebda_size = *(unsigned char *)phys_to_virt(ebda_addr);
29965 + ebda_size <<= 10;
29967 + if (ebda_addr && ebda_size) {
29968 + ebda_start = ebda_addr >> PAGE_SHIFT;
29969 + ebda_end = min((unsigned int)PAGE_ALIGN(ebda_addr + ebda_size), (unsigned int)0xa0000) >> PAGE_SHIFT;
29971 + ebda_start = 0x9f000 >> PAGE_SHIFT;
29972 + ebda_end = 0xa0000 >> PAGE_SHIFT;
29976 +static inline void gr_init_ebda(void) { }
29979 void free_initmem(void)
29981 +#ifdef CONFIG_PAX_KERNEXEC
29982 +#ifdef CONFIG_X86_32
29983 + /* PaX: limit KERNEL_CS to actual size */
29984 + unsigned long addr, limit;
29985 + struct desc_struct d;
29991 + unsigned long addr, end;
29997 +#ifdef CONFIG_PAX_KERNEXEC
29998 +#ifdef CONFIG_X86_32
29999 + limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
30000 + limit = (limit - 1UL) >> PAGE_SHIFT;
30002 + memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
30003 + for (cpu = 0; cpu < nr_cpu_ids; cpu++) {
30004 + pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
30005 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
30006 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEXEC_KERNEL_CS, &d, DESCTYPE_S);
30009 + /* PaX: make KERNEL_CS read-only */
30010 + addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text));
30011 + if (!paravirt_enabled())
30012 + set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT);
30014 + for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
30015 + pgd = pgd_offset_k(addr);
30016 + pud = pud_offset(pgd, addr);
30017 + pmd = pmd_offset(pud, addr);
30018 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
30021 +#ifdef CONFIG_X86_PAE
30022 + set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
30024 + for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
30025 + pgd = pgd_offset_k(addr);
30026 + pud = pud_offset(pgd, addr);
30027 + pmd = pmd_offset(pud, addr);
30028 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
30033 +#ifdef CONFIG_MODULES
30034 + set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
30038 + /* PaX: make kernel code/rodata read-only, rest non-executable */
30039 + for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
30040 + pgd = pgd_offset_k(addr);
30041 + pud = pud_offset(pgd, addr);
30042 + pmd = pmd_offset(pud, addr);
30043 + if (!pmd_present(*pmd))
30045 + if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
30046 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
30048 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
30051 + addr = (unsigned long)__va(__pa(__START_KERNEL_map));
30052 + end = addr + KERNEL_IMAGE_SIZE;
30053 + for (; addr < end; addr += PMD_SIZE) {
30054 + pgd = pgd_offset_k(addr);
30055 + pud = pud_offset(pgd, addr);
30056 + pmd = pmd_offset(pud, addr);
30057 + if (!pmd_present(*pmd))
30059 + if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
30060 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
30067 free_init_pages("unused kernel memory",
30068 (unsigned long)(&__init_begin),
30069 (unsigned long)(&__init_end));
30070 diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c
30071 index 3ac7e31..89611b7 100644
30072 --- a/arch/x86/mm/init_32.c
30073 +++ b/arch/x86/mm/init_32.c
30074 @@ -62,33 +62,6 @@ static noinline int do_test_wp_bit(void);
30075 bool __read_mostly __vmalloc_start_set = false;
30078 - * Creates a middle page table and puts a pointer to it in the
30079 - * given global directory entry. This only returns the gd entry
30080 - * in non-PAE compilation mode, since the middle layer is folded.
30082 -static pmd_t * __init one_md_table_init(pgd_t *pgd)
30085 - pmd_t *pmd_table;
30087 -#ifdef CONFIG_X86_PAE
30088 - if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
30089 - pmd_table = (pmd_t *)alloc_low_page();
30090 - paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT);
30091 - set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
30092 - pud = pud_offset(pgd, 0);
30093 - BUG_ON(pmd_table != pmd_offset(pud, 0));
30095 - return pmd_table;
30098 - pud = pud_offset(pgd, 0);
30099 - pmd_table = pmd_offset(pud, 0);
30101 - return pmd_table;
30105 * Create a page table and place a pointer to it in a middle page
30108 @@ -98,13 +71,28 @@ static pte_t * __init one_page_table_init(pmd_t *pmd)
30109 pte_t *page_table = (pte_t *)alloc_low_page();
30111 paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT);
30112 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
30113 + set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
30115 set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
30117 BUG_ON(page_table != pte_offset_kernel(pmd, 0));
30120 return pte_offset_kernel(pmd, 0);
30123 +static pmd_t * __init one_md_table_init(pgd_t *pgd)
30126 + pmd_t *pmd_table;
30128 + pud = pud_offset(pgd, 0);
30129 + pmd_table = pmd_offset(pud, 0);
30131 + return pmd_table;
30134 pmd_t * __init populate_extra_pmd(unsigned long vaddr)
30136 int pgd_idx = pgd_index(vaddr);
30137 @@ -208,6 +196,7 @@ page_table_range_init(unsigned long start, unsigned long end, pgd_t *pgd_base)
30138 int pgd_idx, pmd_idx;
30139 unsigned long vaddr;
30144 unsigned long count = page_table_range_init_count(start, end);
30145 @@ -222,8 +211,13 @@ page_table_range_init(unsigned long start, unsigned long end, pgd_t *pgd_base)
30146 pgd = pgd_base + pgd_idx;
30148 for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
30149 - pmd = one_md_table_init(pgd);
30150 - pmd = pmd + pmd_index(vaddr);
30151 + pud = pud_offset(pgd, vaddr);
30152 + pmd = pmd_offset(pud, vaddr);
30154 +#ifdef CONFIG_X86_PAE
30155 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
30158 for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
30159 pmd++, pmd_idx++) {
30160 pte = page_table_kmap_check(one_page_table_init(pmd),
30161 @@ -235,11 +229,20 @@ page_table_range_init(unsigned long start, unsigned long end, pgd_t *pgd_base)
30165 -static inline int is_kernel_text(unsigned long addr)
30166 +static inline int is_kernel_text(unsigned long start, unsigned long end)
30168 - if (addr >= (unsigned long)_text && addr <= (unsigned long)__init_end)
30171 + if ((start > ktla_ktva((unsigned long)_etext) ||
30172 + end <= ktla_ktva((unsigned long)_stext)) &&
30173 + (start > ktla_ktva((unsigned long)_einittext) ||
30174 + end <= ktla_ktva((unsigned long)_sinittext)) &&
30176 +#ifdef CONFIG_ACPI_SLEEP
30177 + (start > (unsigned long)__va(acpi_wakeup_address) + 0x4000 || end <= (unsigned long)__va(acpi_wakeup_address)) &&
30180 + (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
30186 @@ -256,9 +259,10 @@ kernel_physical_mapping_init(unsigned long start,
30187 unsigned long last_map_addr = end;
30188 unsigned long start_pfn, end_pfn;
30189 pgd_t *pgd_base = swapper_pg_dir;
30190 - int pgd_idx, pmd_idx, pte_ofs;
30191 + unsigned int pgd_idx, pmd_idx, pte_ofs;
30197 unsigned pages_2m, pages_4k;
30198 @@ -291,8 +295,13 @@ repeat:
30200 pgd_idx = pgd_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
30201 pgd = pgd_base + pgd_idx;
30202 - for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
30203 - pmd = one_md_table_init(pgd);
30204 + for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
30205 + pud = pud_offset(pgd, 0);
30206 + pmd = pmd_offset(pud, 0);
30208 +#ifdef CONFIG_X86_PAE
30209 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
30212 if (pfn >= end_pfn)
30214 @@ -304,14 +313,13 @@ repeat:
30216 for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn;
30217 pmd++, pmd_idx++) {
30218 - unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET;
30219 + unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
30222 * Map with big pages if possible, otherwise
30223 * create normal page tables:
30226 - unsigned int addr2;
30227 pgprot_t prot = PAGE_KERNEL_LARGE;
30229 * first pass will use the same initial
30230 @@ -322,11 +330,7 @@ repeat:
30233 pfn &= PMD_MASK >> PAGE_SHIFT;
30234 - addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE +
30235 - PAGE_OFFSET + PAGE_SIZE-1;
30237 - if (is_kernel_text(addr) ||
30238 - is_kernel_text(addr2))
30239 + if (is_kernel_text(address, address + PMD_SIZE))
30240 prot = PAGE_KERNEL_LARGE_EXEC;
30243 @@ -343,7 +347,7 @@ repeat:
30244 pte_ofs = pte_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
30246 for (; pte_ofs < PTRS_PER_PTE && pfn < end_pfn;
30247 - pte++, pfn++, pte_ofs++, addr += PAGE_SIZE) {
30248 + pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
30249 pgprot_t prot = PAGE_KERNEL;
30251 * first pass will use the same initial
30252 @@ -351,7 +355,7 @@ repeat:
30254 pgprot_t init_prot = __pgprot(PTE_IDENT_ATTR);
30256 - if (is_kernel_text(addr))
30257 + if (is_kernel_text(address, address + PAGE_SIZE))
30258 prot = PAGE_KERNEL_EXEC;
30261 @@ -474,7 +478,7 @@ void __init native_pagetable_init(void)
30263 pud = pud_offset(pgd, va);
30264 pmd = pmd_offset(pud, va);
30265 - if (!pmd_present(*pmd))
30266 + if (!pmd_present(*pmd)) // PAX TODO || pmd_large(*pmd))
30269 /* should not be large page here */
30270 @@ -532,12 +536,10 @@ void __init early_ioremap_page_table_range_init(void)
30272 static void __init pagetable_init(void)
30274 - pgd_t *pgd_base = swapper_pg_dir;
30276 - permanent_kmaps_init(pgd_base);
30277 + permanent_kmaps_init(swapper_pg_dir);
30280 -pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
30281 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
30282 EXPORT_SYMBOL_GPL(__supported_pte_mask);
30284 /* user-defined highmem size */
30285 @@ -772,7 +774,7 @@ void __init mem_init(void)
30288 codesize = (unsigned long) &_etext - (unsigned long) &_text;
30289 - datasize = (unsigned long) &_edata - (unsigned long) &_etext;
30290 + datasize = (unsigned long) &_edata - (unsigned long) &_sdata;
30291 initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
30293 printk(KERN_INFO "Memory: %luk/%luk available (%dk kernel code, "
30294 @@ -813,10 +815,10 @@ void __init mem_init(void)
30295 ((unsigned long)&__init_end -
30296 (unsigned long)&__init_begin) >> 10,
30298 - (unsigned long)&_etext, (unsigned long)&_edata,
30299 - ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
30300 + (unsigned long)&_sdata, (unsigned long)&_edata,
30301 + ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10,
30303 - (unsigned long)&_text, (unsigned long)&_etext,
30304 + ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
30305 ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
30308 @@ -906,6 +908,7 @@ void set_kernel_text_rw(void)
30309 if (!kernel_set_to_readonly)
30312 + start = ktla_ktva(start);
30313 pr_debug("Set kernel text: %lx - %lx for read write\n",
30314 start, start+size);
30316 @@ -920,6 +923,7 @@ void set_kernel_text_ro(void)
30317 if (!kernel_set_to_readonly)
30320 + start = ktla_ktva(start);
30321 pr_debug("Set kernel text: %lx - %lx for read only\n",
30322 start, start+size);
30324 @@ -948,6 +952,7 @@ void mark_rodata_ro(void)
30325 unsigned long start = PFN_ALIGN(_text);
30326 unsigned long size = PFN_ALIGN(_etext) - start;
30328 + start = ktla_ktva(start);
30329 set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
30330 printk(KERN_INFO "Write protecting the kernel text: %luk\n",
30332 diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
30333 index bb00c46..bf91a67 100644
30334 --- a/arch/x86/mm/init_64.c
30335 +++ b/arch/x86/mm/init_64.c
30336 @@ -151,7 +151,7 @@ early_param("gbpages", parse_direct_gbpages_on);
30337 * around without checking the pgd every time.
30340 -pteval_t __supported_pte_mask __read_mostly = ~_PAGE_IOMAP;
30341 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_IOMAP);
30342 EXPORT_SYMBOL_GPL(__supported_pte_mask);
30344 int force_personality32;
30345 @@ -184,12 +184,29 @@ void sync_global_pgds(unsigned long start, unsigned long end)
30347 for (address = start; address <= end; address += PGDIR_SIZE) {
30348 const pgd_t *pgd_ref = pgd_offset_k(address);
30350 +#ifdef CONFIG_PAX_PER_CPU_PGD
30351 + unsigned long cpu;
30356 if (pgd_none(*pgd_ref))
30359 spin_lock(&pgd_lock);
30361 +#ifdef CONFIG_PAX_PER_CPU_PGD
30362 + for (cpu = 0; cpu < nr_cpu_ids; ++cpu) {
30363 + pgd_t *pgd = pgd_offset_cpu(cpu, user, address);
30365 + if (pgd_none(*pgd))
30366 + set_pgd(pgd, *pgd_ref);
30368 + BUG_ON(pgd_page_vaddr(*pgd)
30369 + != pgd_page_vaddr(*pgd_ref));
30370 + pgd = pgd_offset_cpu(cpu, kernel, address);
30372 list_for_each_entry(page, &pgd_list, lru) {
30374 spinlock_t *pgt_lock;
30375 @@ -198,6 +215,7 @@ void sync_global_pgds(unsigned long start, unsigned long end)
30376 /* the pgt_lock only for Xen */
30377 pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
30378 spin_lock(pgt_lock);
30381 if (pgd_none(*pgd))
30382 set_pgd(pgd, *pgd_ref);
30383 @@ -205,7 +223,10 @@ void sync_global_pgds(unsigned long start, unsigned long end)
30384 BUG_ON(pgd_page_vaddr(*pgd)
30385 != pgd_page_vaddr(*pgd_ref));
30387 +#ifndef CONFIG_PAX_PER_CPU_PGD
30388 spin_unlock(pgt_lock);
30392 spin_unlock(&pgd_lock);
30394 @@ -238,7 +259,7 @@ static pud_t *fill_pud(pgd_t *pgd, unsigned long vaddr)
30396 if (pgd_none(*pgd)) {
30397 pud_t *pud = (pud_t *)spp_getpage();
30398 - pgd_populate(&init_mm, pgd, pud);
30399 + pgd_populate_kernel(&init_mm, pgd, pud);
30400 if (pud != pud_offset(pgd, 0))
30401 printk(KERN_ERR "PAGETABLE BUG #00! %p <-> %p\n",
30402 pud, pud_offset(pgd, 0));
30403 @@ -250,7 +271,7 @@ static pmd_t *fill_pmd(pud_t *pud, unsigned long vaddr)
30405 if (pud_none(*pud)) {
30406 pmd_t *pmd = (pmd_t *) spp_getpage();
30407 - pud_populate(&init_mm, pud, pmd);
30408 + pud_populate_kernel(&init_mm, pud, pmd);
30409 if (pmd != pmd_offset(pud, 0))
30410 printk(KERN_ERR "PAGETABLE BUG #01! %p <-> %p\n",
30411 pmd, pmd_offset(pud, 0));
30412 @@ -279,7 +300,9 @@ void set_pte_vaddr_pud(pud_t *pud_page, unsigned long vaddr, pte_t new_pte)
30413 pmd = fill_pmd(pud, vaddr);
30414 pte = fill_pte(pmd, vaddr);
30416 + pax_open_kernel();
30417 set_pte(pte, new_pte);
30418 + pax_close_kernel();
30421 * It's enough to flush this one mapping.
30422 @@ -338,14 +361,12 @@ static void __init __init_extra_mapping(unsigned long phys, unsigned long size,
30423 pgd = pgd_offset_k((unsigned long)__va(phys));
30424 if (pgd_none(*pgd)) {
30425 pud = (pud_t *) spp_getpage();
30426 - set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE |
30428 + set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));
30430 pud = pud_offset(pgd, (unsigned long)__va(phys));
30431 if (pud_none(*pud)) {
30432 pmd = (pmd_t *) spp_getpage();
30433 - set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE |
30435 + set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
30437 pmd = pmd_offset(pud, phys);
30438 BUG_ON(!pmd_none(*pmd));
30439 @@ -586,7 +607,7 @@ phys_pud_init(pud_t *pud_page, unsigned long addr, unsigned long end,
30442 spin_lock(&init_mm.page_table_lock);
30443 - pud_populate(&init_mm, pud, pmd);
30444 + pud_populate_kernel(&init_mm, pud, pmd);
30445 spin_unlock(&init_mm.page_table_lock);
30448 @@ -627,7 +648,7 @@ kernel_physical_mapping_init(unsigned long start,
30451 spin_lock(&init_mm.page_table_lock);
30452 - pgd_populate(&init_mm, pgd, pud);
30453 + pgd_populate_kernel(&init_mm, pgd, pud);
30454 spin_unlock(&init_mm.page_table_lock);
30455 pgd_changed = true;
30457 @@ -1221,8 +1242,8 @@ int kern_addr_valid(unsigned long addr)
30458 static struct vm_area_struct gate_vma = {
30459 .vm_start = VSYSCALL_START,
30460 .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
30461 - .vm_page_prot = PAGE_READONLY_EXEC,
30462 - .vm_flags = VM_READ | VM_EXEC
30463 + .vm_page_prot = PAGE_READONLY,
30464 + .vm_flags = VM_READ
30467 struct vm_area_struct *get_gate_vma(struct mm_struct *mm)
30468 @@ -1256,7 +1277,7 @@ int in_gate_area_no_mm(unsigned long addr)
30470 const char *arch_vma_name(struct vm_area_struct *vma)
30472 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
30473 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
30475 if (vma == &gate_vma)
30476 return "[vsyscall]";
30477 diff --git a/arch/x86/mm/iomap_32.c b/arch/x86/mm/iomap_32.c
30478 index 7b179b4..6bd17777 100644
30479 --- a/arch/x86/mm/iomap_32.c
30480 +++ b/arch/x86/mm/iomap_32.c
30481 @@ -64,7 +64,11 @@ void *kmap_atomic_prot_pfn(unsigned long pfn, pgprot_t prot)
30482 type = kmap_atomic_idx_push();
30483 idx = type + KM_TYPE_NR * smp_processor_id();
30484 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
30486 + pax_open_kernel();
30487 set_pte(kmap_pte - idx, pfn_pte(pfn, prot));
30488 + pax_close_kernel();
30490 arch_flush_lazy_mmu_mode();
30492 return (void *)vaddr;
30493 diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c
30494 index 9a1e658..da003f3 100644
30495 --- a/arch/x86/mm/ioremap.c
30496 +++ b/arch/x86/mm/ioremap.c
30497 @@ -97,7 +97,7 @@ static void __iomem *__ioremap_caller(resource_size_t phys_addr,
30498 for (pfn = phys_addr >> PAGE_SHIFT; pfn <= last_pfn; pfn++) {
30499 int is_ram = page_is_ram(pfn);
30501 - if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn)))
30502 + if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn))))
30504 WARN_ON_ONCE(is_ram);
30506 @@ -256,7 +256,7 @@ EXPORT_SYMBOL(ioremap_prot);
30508 * Caller must ensure there is only one unmapping for the same pointer.
30510 -void iounmap(volatile void __iomem *addr)
30511 +void iounmap(const volatile void __iomem *addr)
30513 struct vm_struct *p, *o;
30515 @@ -310,6 +310,9 @@ void *xlate_dev_mem_ptr(unsigned long phys)
30517 /* If page is RAM, we can use __va. Otherwise ioremap and unmap. */
30518 if (page_is_ram(start >> PAGE_SHIFT))
30519 +#ifdef CONFIG_HIGHMEM
30520 + if ((start >> PAGE_SHIFT) < max_low_pfn)
30524 addr = (void __force *)ioremap_cache(start, PAGE_SIZE);
30525 @@ -322,6 +325,9 @@ void *xlate_dev_mem_ptr(unsigned long phys)
30526 void unxlate_dev_mem_ptr(unsigned long phys, void *addr)
30528 if (page_is_ram(phys >> PAGE_SHIFT))
30529 +#ifdef CONFIG_HIGHMEM
30530 + if ((phys >> PAGE_SHIFT) < max_low_pfn)
30534 iounmap((void __iomem *)((unsigned long)addr & PAGE_MASK));
30535 @@ -339,7 +345,7 @@ static int __init early_ioremap_debug_setup(char *str)
30536 early_param("early_ioremap_debug", early_ioremap_debug_setup);
30538 static __initdata int after_paging_init;
30539 -static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
30540 +static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
30542 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
30544 @@ -376,8 +382,7 @@ void __init early_ioremap_init(void)
30545 slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
30547 pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
30548 - memset(bm_pte, 0, sizeof(bm_pte));
30549 - pmd_populate_kernel(&init_mm, pmd, bm_pte);
30550 + pmd_populate_user(&init_mm, pmd, bm_pte);
30553 * The boot-ioremap range spans multiple pmds, for which
30554 diff --git a/arch/x86/mm/kmemcheck/kmemcheck.c b/arch/x86/mm/kmemcheck/kmemcheck.c
30555 index d87dd6d..bf3fa66 100644
30556 --- a/arch/x86/mm/kmemcheck/kmemcheck.c
30557 +++ b/arch/x86/mm/kmemcheck/kmemcheck.c
30558 @@ -622,9 +622,9 @@ bool kmemcheck_fault(struct pt_regs *regs, unsigned long address,
30559 * memory (e.g. tracked pages)? For now, we need this to avoid
30560 * invoking kmemcheck for PnP BIOS calls.
30562 - if (regs->flags & X86_VM_MASK)
30563 + if (v8086_mode(regs))
30565 - if (regs->cs != __KERNEL_CS)
30566 + if (regs->cs != __KERNEL_CS && regs->cs != __KERNEXEC_KERNEL_CS)
30569 pte = kmemcheck_pte_lookup(address);
30570 diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
30571 index c1af323..4758dad 100644
30572 --- a/arch/x86/mm/mmap.c
30573 +++ b/arch/x86/mm/mmap.c
30574 @@ -52,7 +52,7 @@ static unsigned int stack_maxrandom_size(void)
30575 * Leave an at least ~128 MB hole with possible stack randomization.
30577 #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
30578 -#define MAX_GAP (TASK_SIZE/6*5)
30579 +#define MAX_GAP (pax_task_size/6*5)
30581 static int mmap_is_legacy(void)
30583 @@ -82,27 +82,40 @@ static unsigned long mmap_rnd(void)
30584 return rnd << PAGE_SHIFT;
30587 -static unsigned long mmap_base(void)
30588 +static unsigned long mmap_base(struct mm_struct *mm)
30590 unsigned long gap = rlimit(RLIMIT_STACK);
30591 + unsigned long pax_task_size = TASK_SIZE;
30593 +#ifdef CONFIG_PAX_SEGMEXEC
30594 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
30595 + pax_task_size = SEGMEXEC_TASK_SIZE;
30600 else if (gap > MAX_GAP)
30603 - return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
30604 + return PAGE_ALIGN(pax_task_size - gap - mmap_rnd());
30608 * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
30609 * does, but not when emulating X86_32
30611 -unsigned long mmap_legacy_base(void)
30612 +unsigned long mmap_legacy_base(struct mm_struct *mm)
30614 - if (mmap_is_ia32())
30615 + if (mmap_is_ia32()) {
30617 +#ifdef CONFIG_PAX_SEGMEXEC
30618 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
30619 + return SEGMEXEC_TASK_UNMAPPED_BASE;
30623 return TASK_UNMAPPED_BASE;
30626 return TASK_UNMAPPED_BASE + mmap_rnd();
30629 @@ -113,11 +126,23 @@ unsigned long mmap_legacy_base(void)
30630 void arch_pick_mmap_layout(struct mm_struct *mm)
30632 if (mmap_is_legacy()) {
30633 - mm->mmap_base = mmap_legacy_base();
30634 + mm->mmap_base = mmap_legacy_base(mm);
30636 +#ifdef CONFIG_PAX_RANDMMAP
30637 + if (mm->pax_flags & MF_PAX_RANDMMAP)
30638 + mm->mmap_base += mm->delta_mmap;
30641 mm->get_unmapped_area = arch_get_unmapped_area;
30642 mm->unmap_area = arch_unmap_area;
30644 - mm->mmap_base = mmap_base();
30645 + mm->mmap_base = mmap_base(mm);
30647 +#ifdef CONFIG_PAX_RANDMMAP
30648 + if (mm->pax_flags & MF_PAX_RANDMMAP)
30649 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
30652 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
30653 mm->unmap_area = arch_unmap_area_topdown;
30655 diff --git a/arch/x86/mm/mmio-mod.c b/arch/x86/mm/mmio-mod.c
30656 index dc0b727..f612039 100644
30657 --- a/arch/x86/mm/mmio-mod.c
30658 +++ b/arch/x86/mm/mmio-mod.c
30659 @@ -194,7 +194,7 @@ static void pre(struct kmmio_probe *p, struct pt_regs *regs,
30663 - unsigned char *ip = (unsigned char *)instptr;
30664 + unsigned char *ip = (unsigned char *)ktla_ktva(instptr);
30665 my_trace->opcode = MMIO_UNKNOWN_OP;
30666 my_trace->width = 0;
30667 my_trace->value = (*ip) << 16 | *(ip + 1) << 8 |
30668 @@ -234,7 +234,7 @@ static void post(struct kmmio_probe *p, unsigned long condition,
30669 static void ioremap_trace_core(resource_size_t offset, unsigned long size,
30670 void __iomem *addr)
30672 - static atomic_t next_id;
30673 + static atomic_unchecked_t next_id;
30674 struct remap_trace *trace = kmalloc(sizeof(*trace), GFP_KERNEL);
30675 /* These are page-unaligned. */
30676 struct mmiotrace_map map = {
30677 @@ -258,7 +258,7 @@ static void ioremap_trace_core(resource_size_t offset, unsigned long size,
30681 - .id = atomic_inc_return(&next_id)
30682 + .id = atomic_inc_return_unchecked(&next_id)
30684 map.map_id = trace->id;
30686 @@ -290,7 +290,7 @@ void mmiotrace_ioremap(resource_size_t offset, unsigned long size,
30687 ioremap_trace_core(offset, size, addr);
30690 -static void iounmap_trace_core(volatile void __iomem *addr)
30691 +static void iounmap_trace_core(const volatile void __iomem *addr)
30693 struct mmiotrace_map map = {
30695 @@ -328,7 +328,7 @@ not_enabled:
30699 -void mmiotrace_iounmap(volatile void __iomem *addr)
30700 +void mmiotrace_iounmap(const volatile void __iomem *addr)
30703 if (is_enabled()) /* recheck and proper locking in *_core() */
30704 diff --git a/arch/x86/mm/numa.c b/arch/x86/mm/numa.c
30705 index a71c4e2..301ae44 100644
30706 --- a/arch/x86/mm/numa.c
30707 +++ b/arch/x86/mm/numa.c
30708 @@ -474,7 +474,7 @@ static bool __init numa_meminfo_cover_memory(const struct numa_meminfo *mi)
30712 -static int __init numa_register_memblks(struct numa_meminfo *mi)
30713 +static int __init __intentional_overflow(-1) numa_register_memblks(struct numa_meminfo *mi)
30715 unsigned long uninitialized_var(pfn_align);
30717 diff --git a/arch/x86/mm/pageattr-test.c b/arch/x86/mm/pageattr-test.c
30718 index d0b1773..4c3327c 100644
30719 --- a/arch/x86/mm/pageattr-test.c
30720 +++ b/arch/x86/mm/pageattr-test.c
30721 @@ -36,7 +36,7 @@ enum {
30723 static int pte_testbit(pte_t pte)
30725 - return pte_flags(pte) & _PAGE_UNUSED1;
30726 + return pte_flags(pte) & _PAGE_CPA_TEST;
30729 struct split_state {
30730 diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c
30731 index bb32480..75f2f5e 100644
30732 --- a/arch/x86/mm/pageattr.c
30733 +++ b/arch/x86/mm/pageattr.c
30734 @@ -261,7 +261,7 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long address,
30736 #ifdef CONFIG_PCI_BIOS
30737 if (pcibios_enabled && within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT))
30738 - pgprot_val(forbidden) |= _PAGE_NX;
30739 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
30743 @@ -269,9 +269,10 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long address,
30744 * Does not cover __inittext since that is gone later on. On
30745 * 64bit we do not enforce !NX on the low mapping
30747 - if (within(address, (unsigned long)_text, (unsigned long)_etext))
30748 - pgprot_val(forbidden) |= _PAGE_NX;
30749 + if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
30750 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
30752 +#ifdef CONFIG_DEBUG_RODATA
30754 * The .rodata section needs to be read-only. Using the pfn
30755 * catches all aliases.
30756 @@ -279,6 +280,7 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long address,
30757 if (within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT,
30758 __pa_symbol(__end_rodata) >> PAGE_SHIFT))
30759 pgprot_val(forbidden) |= _PAGE_RW;
30762 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
30764 @@ -317,6 +319,13 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long address,
30768 +#ifdef CONFIG_PAX_KERNEXEC
30769 + if (within(pfn, __pa(ktla_ktva((unsigned long)&_text)), __pa((unsigned long)&_sdata))) {
30770 + pgprot_val(forbidden) |= _PAGE_RW;
30771 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
30775 prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden));
30778 @@ -400,23 +409,37 @@ EXPORT_SYMBOL_GPL(slow_virt_to_phys);
30779 static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
30781 /* change init_mm */
30782 + pax_open_kernel();
30783 set_pte_atomic(kpte, pte);
30785 #ifdef CONFIG_X86_32
30786 if (!SHARED_KERNEL_PMD) {
30788 +#ifdef CONFIG_PAX_PER_CPU_PGD
30789 + unsigned long cpu;
30794 +#ifdef CONFIG_PAX_PER_CPU_PGD
30795 + for (cpu = 0; cpu < nr_cpu_ids; ++cpu) {
30796 + pgd_t *pgd = get_cpu_pgd(cpu, kernel);
30798 list_for_each_entry(page, &pgd_list, lru) {
30800 + pgd_t *pgd = (pgd_t *)page_address(page);
30806 - pgd = (pgd_t *)page_address(page) + pgd_index(address);
30807 + pgd += pgd_index(address);
30808 pud = pud_offset(pgd, address);
30809 pmd = pmd_offset(pud, address);
30810 set_pte_atomic((pte_t *)pmd, pte);
30814 + pax_close_kernel();
30818 diff --git a/arch/x86/mm/pat.c b/arch/x86/mm/pat.c
30819 index 6574388..87e9bef 100644
30820 --- a/arch/x86/mm/pat.c
30821 +++ b/arch/x86/mm/pat.c
30822 @@ -376,7 +376,7 @@ int free_memtype(u64 start, u64 end)
30825 printk(KERN_INFO "%s:%d freeing invalid memtype [mem %#010Lx-%#010Lx]\n",
30826 - current->comm, current->pid, start, end - 1);
30827 + current->comm, task_pid_nr(current), start, end - 1);
30831 @@ -506,8 +506,8 @@ static inline int range_is_allowed(unsigned long pfn, unsigned long size)
30833 while (cursor < to) {
30834 if (!devmem_is_allowed(pfn)) {
30835 - printk(KERN_INFO "Program %s tried to access /dev/mem between [mem %#010Lx-%#010Lx]\n",
30836 - current->comm, from, to - 1);
30837 + printk(KERN_INFO "Program %s tried to access /dev/mem between [mem %#010Lx-%#010Lx] (%#010Lx)\n",
30838 + current->comm, from, to - 1, cursor);
30841 cursor += PAGE_SIZE;
30842 @@ -577,7 +577,7 @@ int kernel_map_sync_memtype(u64 base, unsigned long size, unsigned long flags)
30843 if (ioremap_change_attr((unsigned long)__va(base), id_sz, flags) < 0) {
30844 printk(KERN_INFO "%s:%d ioremap_change_attr failed %s "
30845 "for [mem %#010Lx-%#010Lx]\n",
30846 - current->comm, current->pid,
30847 + current->comm, task_pid_nr(current),
30849 base, (unsigned long long)(base + size-1));
30851 @@ -612,7 +612,7 @@ static int reserve_pfn_range(u64 paddr, unsigned long size, pgprot_t *vma_prot,
30852 flags = lookup_memtype(paddr);
30853 if (want_flags != flags) {
30854 printk(KERN_WARNING "%s:%d map pfn RAM range req %s for [mem %#010Lx-%#010Lx], got %s\n",
30855 - current->comm, current->pid,
30856 + current->comm, task_pid_nr(current),
30857 cattr_name(want_flags),
30858 (unsigned long long)paddr,
30859 (unsigned long long)(paddr + size - 1),
30860 @@ -634,7 +634,7 @@ static int reserve_pfn_range(u64 paddr, unsigned long size, pgprot_t *vma_prot,
30861 free_memtype(paddr, paddr + size);
30862 printk(KERN_ERR "%s:%d map pfn expected mapping type %s"
30863 " for [mem %#010Lx-%#010Lx], got %s\n",
30864 - current->comm, current->pid,
30865 + current->comm, task_pid_nr(current),
30866 cattr_name(want_flags),
30867 (unsigned long long)paddr,
30868 (unsigned long long)(paddr + size - 1),
30869 diff --git a/arch/x86/mm/pat_rbtree.c b/arch/x86/mm/pat_rbtree.c
30870 index 415f6c4..d319983 100644
30871 --- a/arch/x86/mm/pat_rbtree.c
30872 +++ b/arch/x86/mm/pat_rbtree.c
30873 @@ -160,7 +160,7 @@ success:
30876 printk(KERN_INFO "%s:%d conflicting memory types "
30877 - "%Lx-%Lx %s<->%s\n", current->comm, current->pid, start,
30878 + "%Lx-%Lx %s<->%s\n", current->comm, task_pid_nr(current), start,
30879 end, cattr_name(found_type), cattr_name(match->type));
30882 diff --git a/arch/x86/mm/pf_in.c b/arch/x86/mm/pf_in.c
30883 index 9f0614d..92ae64a 100644
30884 --- a/arch/x86/mm/pf_in.c
30885 +++ b/arch/x86/mm/pf_in.c
30886 @@ -148,7 +148,7 @@ enum reason_type get_ins_type(unsigned long ins_addr)
30888 enum reason_type rv = OTHERS;
30890 - p = (unsigned char *)ins_addr;
30891 + p = (unsigned char *)ktla_ktva(ins_addr);
30892 p += skip_prefix(p, &prf);
30893 p += get_opcode(p, &opcode);
30895 @@ -168,7 +168,7 @@ static unsigned int get_ins_reg_width(unsigned long ins_addr)
30896 struct prefix_bits prf;
30899 - p = (unsigned char *)ins_addr;
30900 + p = (unsigned char *)ktla_ktva(ins_addr);
30901 p += skip_prefix(p, &prf);
30902 p += get_opcode(p, &opcode);
30904 @@ -191,7 +191,7 @@ unsigned int get_ins_mem_width(unsigned long ins_addr)
30905 struct prefix_bits prf;
30908 - p = (unsigned char *)ins_addr;
30909 + p = (unsigned char *)ktla_ktva(ins_addr);
30910 p += skip_prefix(p, &prf);
30911 p += get_opcode(p, &opcode);
30913 @@ -415,7 +415,7 @@ unsigned long get_ins_reg_val(unsigned long ins_addr, struct pt_regs *regs)
30914 struct prefix_bits prf;
30917 - p = (unsigned char *)ins_addr;
30918 + p = (unsigned char *)ktla_ktva(ins_addr);
30919 p += skip_prefix(p, &prf);
30920 p += get_opcode(p, &opcode);
30921 for (i = 0; i < ARRAY_SIZE(reg_rop); i++)
30922 @@ -470,7 +470,7 @@ unsigned long get_ins_imm_val(unsigned long ins_addr)
30923 struct prefix_bits prf;
30926 - p = (unsigned char *)ins_addr;
30927 + p = (unsigned char *)ktla_ktva(ins_addr);
30928 p += skip_prefix(p, &prf);
30929 p += get_opcode(p, &opcode);
30930 for (i = 0; i < ARRAY_SIZE(imm_wop); i++)
30931 diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c
30932 index 17fda6a..f7d54a0 100644
30933 --- a/arch/x86/mm/pgtable.c
30934 +++ b/arch/x86/mm/pgtable.c
30935 @@ -91,10 +91,67 @@ static inline void pgd_list_del(pgd_t *pgd)
30936 list_del(&page->lru);
30939 -#define UNSHARED_PTRS_PER_PGD \
30940 - (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
30941 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
30942 +pgdval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT;
30944 +void __shadow_user_pgds(pgd_t *dst, const pgd_t *src)
30946 + unsigned int count = USER_PGD_PTRS;
30948 + if (!pax_user_shadow_base)
30952 + *dst++ = __pgd((pgd_val(*src++) | (_PAGE_NX & __supported_pte_mask)) & ~_PAGE_USER);
30956 +#ifdef CONFIG_PAX_PER_CPU_PGD
30957 +void __clone_user_pgds(pgd_t *dst, const pgd_t *src)
30959 + unsigned int count = USER_PGD_PTRS;
30961 + while (count--) {
30964 +#ifdef CONFIG_X86_64
30965 + pgd = __pgd(pgd_val(*src++) | _PAGE_USER);
30970 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
30971 + pgd = __pgd(pgd_val(pgd) & clone_pgd_mask);
30980 +#ifdef CONFIG_X86_64
30981 +#define pxd_t pud_t
30982 +#define pyd_t pgd_t
30983 +#define paravirt_release_pxd(pfn) paravirt_release_pud(pfn)
30984 +#define pxd_free(mm, pud) pud_free((mm), (pud))
30985 +#define pyd_populate(mm, pgd, pud) pgd_populate((mm), (pgd), (pud))
30986 +#define pyd_offset(mm, address) pgd_offset((mm), (address))
30987 +#define PYD_SIZE PGDIR_SIZE
30989 +#define pxd_t pmd_t
30990 +#define pyd_t pud_t
30991 +#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
30992 +#define pxd_free(mm, pud) pmd_free((mm), (pud))
30993 +#define pyd_populate(mm, pgd, pud) pud_populate((mm), (pgd), (pud))
30994 +#define pyd_offset(mm, address) pud_offset((mm), (address))
30995 +#define PYD_SIZE PUD_SIZE
30998 +#ifdef CONFIG_PAX_PER_CPU_PGD
30999 +static inline void pgd_ctor(struct mm_struct *mm, pgd_t *pgd) {}
31000 +static inline void pgd_dtor(pgd_t *pgd) {}
31002 static void pgd_set_mm(pgd_t *pgd, struct mm_struct *mm)
31004 BUILD_BUG_ON(sizeof(virt_to_page(pgd)->index) < sizeof(mm));
31005 @@ -135,6 +192,7 @@ static void pgd_dtor(pgd_t *pgd)
31007 spin_unlock(&pgd_lock);
31012 * List of all pgd's needed for non-PAE so it can invalidate entries
31013 @@ -147,7 +205,7 @@ static void pgd_dtor(pgd_t *pgd)
31017 -#ifdef CONFIG_X86_PAE
31018 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
31020 * In PAE mode, we need to do a cr3 reload (=tlb flush) when
31021 * updating the top-level pagetable entries to guarantee the
31022 @@ -159,7 +217,7 @@ static void pgd_dtor(pgd_t *pgd)
31023 * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate
31024 * and initialize the kernel pmds here.
31026 -#define PREALLOCATED_PMDS UNSHARED_PTRS_PER_PGD
31027 +#define PREALLOCATED_PXDS (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
31029 void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
31031 @@ -177,36 +235,38 @@ void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
31035 +#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)
31036 +#define PREALLOCATED_PXDS USER_PGD_PTRS
31037 #else /* !CONFIG_X86_PAE */
31039 /* No need to prepopulate any pagetable entries in non-PAE modes. */
31040 -#define PREALLOCATED_PMDS 0
31041 +#define PREALLOCATED_PXDS 0
31043 #endif /* CONFIG_X86_PAE */
31045 -static void free_pmds(pmd_t *pmds[])
31046 +static void free_pxds(pxd_t *pxds[])
31050 - for(i = 0; i < PREALLOCATED_PMDS; i++)
31052 - free_page((unsigned long)pmds[i]);
31053 + for(i = 0; i < PREALLOCATED_PXDS; i++)
31055 + free_page((unsigned long)pxds[i]);
31058 -static int preallocate_pmds(pmd_t *pmds[])
31059 +static int preallocate_pxds(pxd_t *pxds[])
31062 bool failed = false;
31064 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
31065 - pmd_t *pmd = (pmd_t *)__get_free_page(PGALLOC_GFP);
31067 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
31068 + pxd_t *pxd = (pxd_t *)__get_free_page(PGALLOC_GFP);
31081 @@ -219,51 +279,55 @@ static int preallocate_pmds(pmd_t *pmds[])
31082 * preallocate which never got a corresponding vma will need to be
31085 -static void pgd_mop_up_pmds(struct mm_struct *mm, pgd_t *pgdp)
31086 +static void pgd_mop_up_pxds(struct mm_struct *mm, pgd_t *pgdp)
31090 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
31091 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
31092 pgd_t pgd = pgdp[i];
31094 if (pgd_val(pgd) != 0) {
31095 - pmd_t *pmd = (pmd_t *)pgd_page_vaddr(pgd);
31096 + pxd_t *pxd = (pxd_t *)pgd_page_vaddr(pgd);
31098 - pgdp[i] = native_make_pgd(0);
31099 + set_pgd(pgdp + i, native_make_pgd(0));
31101 - paravirt_release_pmd(pgd_val(pgd) >> PAGE_SHIFT);
31102 - pmd_free(mm, pmd);
31103 + paravirt_release_pxd(pgd_val(pgd) >> PAGE_SHIFT);
31104 + pxd_free(mm, pxd);
31109 -static void pgd_prepopulate_pmd(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmds[])
31110 +static void pgd_prepopulate_pxd(struct mm_struct *mm, pgd_t *pgd, pxd_t *pxds[])
31114 unsigned long addr;
31117 - if (PREALLOCATED_PMDS == 0) /* Work around gcc-3.4.x bug */
31118 + if (PREALLOCATED_PXDS == 0) /* Work around gcc-3.4.x bug */
31121 - pud = pud_offset(pgd, 0);
31122 +#ifdef CONFIG_X86_64
31123 + pyd = pyd_offset(mm, 0L);
31125 + pyd = pyd_offset(pgd, 0L);
31128 - for (addr = i = 0; i < PREALLOCATED_PMDS;
31129 - i++, pud++, addr += PUD_SIZE) {
31130 - pmd_t *pmd = pmds[i];
31131 + for (addr = i = 0; i < PREALLOCATED_PXDS;
31132 + i++, pyd++, addr += PYD_SIZE) {
31133 + pxd_t *pxd = pxds[i];
31135 if (i >= KERNEL_PGD_BOUNDARY)
31136 - memcpy(pmd, (pmd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
31137 - sizeof(pmd_t) * PTRS_PER_PMD);
31138 + memcpy(pxd, (pxd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
31139 + sizeof(pxd_t) * PTRS_PER_PMD);
31141 - pud_populate(mm, pud, pmd);
31142 + pyd_populate(mm, pyd, pxd);
31146 pgd_t *pgd_alloc(struct mm_struct *mm)
31149 - pmd_t *pmds[PREALLOCATED_PMDS];
31150 + pxd_t *pxds[PREALLOCATED_PXDS];
31152 pgd = (pgd_t *)__get_free_page(PGALLOC_GFP);
31154 @@ -272,11 +336,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
31158 - if (preallocate_pmds(pmds) != 0)
31159 + if (preallocate_pxds(pxds) != 0)
31162 if (paravirt_pgd_alloc(mm) != 0)
31163 - goto out_free_pmds;
31164 + goto out_free_pxds;
31167 * Make sure that pre-populating the pmds is atomic with
31168 @@ -286,14 +350,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
31169 spin_lock(&pgd_lock);
31172 - pgd_prepopulate_pmd(mm, pgd, pmds);
31173 + pgd_prepopulate_pxd(mm, pgd, pxds);
31175 spin_unlock(&pgd_lock);
31184 free_page((unsigned long)pgd);
31186 @@ -302,7 +366,7 @@ out:
31188 void pgd_free(struct mm_struct *mm, pgd_t *pgd)
31190 - pgd_mop_up_pmds(mm, pgd);
31191 + pgd_mop_up_pxds(mm, pgd);
31193 paravirt_pgd_free(mm, pgd);
31194 free_page((unsigned long)pgd);
31195 diff --git a/arch/x86/mm/pgtable_32.c b/arch/x86/mm/pgtable_32.c
31196 index a69bcb8..19068ab 100644
31197 --- a/arch/x86/mm/pgtable_32.c
31198 +++ b/arch/x86/mm/pgtable_32.c
31199 @@ -47,10 +47,13 @@ void set_pte_vaddr(unsigned long vaddr, pte_t pteval)
31202 pte = pte_offset_kernel(pmd, vaddr);
31204 + pax_open_kernel();
31205 if (pte_val(pteval))
31206 set_pte_at(&init_mm, vaddr, pte, pteval);
31208 pte_clear(&init_mm, vaddr, pte);
31209 + pax_close_kernel();
31212 * It's enough to flush this one mapping.
31213 diff --git a/arch/x86/mm/physaddr.c b/arch/x86/mm/physaddr.c
31214 index e666cbb..61788c45 100644
31215 --- a/arch/x86/mm/physaddr.c
31216 +++ b/arch/x86/mm/physaddr.c
31218 #ifdef CONFIG_X86_64
31220 #ifdef CONFIG_DEBUG_VIRTUAL
31221 -unsigned long __phys_addr(unsigned long x)
31222 +unsigned long __intentional_overflow(-1) __phys_addr(unsigned long x)
31224 unsigned long y = x - __START_KERNEL_map;
31226 @@ -67,7 +67,7 @@ EXPORT_SYMBOL(__virt_addr_valid);
31229 #ifdef CONFIG_DEBUG_VIRTUAL
31230 -unsigned long __phys_addr(unsigned long x)
31231 +unsigned long __intentional_overflow(-1) __phys_addr(unsigned long x)
31233 unsigned long phys_addr = x - PAGE_OFFSET;
31234 /* VMALLOC_* aren't constants */
31235 diff --git a/arch/x86/mm/setup_nx.c b/arch/x86/mm/setup_nx.c
31236 index 410531d..0f16030 100644
31237 --- a/arch/x86/mm/setup_nx.c
31238 +++ b/arch/x86/mm/setup_nx.c
31240 #include <asm/pgtable.h>
31241 #include <asm/proto.h>
31243 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
31244 static int disable_nx __cpuinitdata;
31246 +#ifndef CONFIG_PAX_PAGEEXEC
31250 @@ -28,12 +30,17 @@ static int __init noexec_setup(char *str)
31253 early_param("noexec", noexec_setup);
31258 void __cpuinit x86_configure_nx(void)
31260 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
31261 if (cpu_has_nx && !disable_nx)
31262 __supported_pte_mask |= _PAGE_NX;
31265 __supported_pte_mask &= ~_PAGE_NX;
31268 diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
31269 index 282375f..e03a98f 100644
31270 --- a/arch/x86/mm/tlb.c
31271 +++ b/arch/x86/mm/tlb.c
31272 @@ -48,7 +48,11 @@ void leave_mm(int cpu)
31274 if (cpumask_test_cpu(cpu, mm_cpumask(active_mm))) {
31275 cpumask_clear_cpu(cpu, mm_cpumask(active_mm));
31277 +#ifndef CONFIG_PAX_PER_CPU_PGD
31278 load_cr3(swapper_pg_dir);
31283 EXPORT_SYMBOL_GPL(leave_mm);
31284 diff --git a/arch/x86/mm/uderef_64.c b/arch/x86/mm/uderef_64.c
31285 new file mode 100644
31286 index 0000000..dace51c
31288 +++ b/arch/x86/mm/uderef_64.c
31290 +#include <linux/mm.h>
31291 +#include <asm/pgtable.h>
31292 +#include <asm/uaccess.h>
31294 +#ifdef CONFIG_PAX_MEMORY_UDEREF
31295 +/* PaX: due to the special call convention these functions must
31296 + * - remain leaf functions under all configurations,
31297 + * - never be called directly, only dereferenced from the wrappers.
31299 +void __pax_open_userland(void)
31301 + unsigned int cpu;
31303 + if (unlikely(!segment_eq(get_fs(), USER_DS)))
31306 + cpu = raw_get_cpu();
31307 + BUG_ON((read_cr3() & ~PAGE_MASK) != PCID_KERNEL);
31308 + write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER | PCID_NOFLUSH);
31309 + raw_put_cpu_no_resched();
31311 +EXPORT_SYMBOL(__pax_open_userland);
31313 +void __pax_close_userland(void)
31315 + unsigned int cpu;
31317 + if (unlikely(!segment_eq(get_fs(), USER_DS)))
31320 + cpu = raw_get_cpu();
31321 + BUG_ON((read_cr3() & ~PAGE_MASK) != PCID_USER);
31322 + write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL | PCID_NOFLUSH);
31323 + raw_put_cpu_no_resched();
31325 +EXPORT_SYMBOL(__pax_close_userland);
31327 diff --git a/arch/x86/net/bpf_jit.S b/arch/x86/net/bpf_jit.S
31328 index 877b9a1..a8ecf42 100644
31329 --- a/arch/x86/net/bpf_jit.S
31330 +++ b/arch/x86/net/bpf_jit.S
31333 #include <linux/linkage.h>
31334 #include <asm/dwarf2.h>
31335 +#include <asm/alternative-asm.h>
31338 * Calling convention :
31339 @@ -35,6 +36,7 @@ sk_load_word_positive_offset:
31340 jle bpf_slow_path_word
31341 mov (SKBDATA,%rsi),%eax
31342 bswap %eax /* ntohl() */
31343 + pax_force_retaddr
31347 @@ -52,6 +54,7 @@ sk_load_half_positive_offset:
31348 jle bpf_slow_path_half
31349 movzwl (SKBDATA,%rsi),%eax
31350 rol $8,%ax # ntohs()
31351 + pax_force_retaddr
31355 @@ -66,6 +69,7 @@ sk_load_byte_positive_offset:
31356 cmp %esi,%r9d /* if (offset >= hlen) goto bpf_slow_path_byte */
31357 jle bpf_slow_path_byte
31358 movzbl (SKBDATA,%rsi),%eax
31359 + pax_force_retaddr
31363 @@ -87,6 +91,7 @@ sk_load_byte_msh_positive_offset:
31364 movzbl (SKBDATA,%rsi),%ebx
31367 + pax_force_retaddr
31370 /* rsi contains offset and can be scratched */
31371 @@ -109,6 +114,7 @@ bpf_slow_path_word:
31375 + pax_force_retaddr
31378 bpf_slow_path_half:
31379 @@ -117,12 +123,14 @@ bpf_slow_path_half:
31383 + pax_force_retaddr
31386 bpf_slow_path_byte:
31387 bpf_slow_path_common(1)
31389 movzbl -12(%rbp),%eax
31390 + pax_force_retaddr
31393 bpf_slow_path_byte_msh:
31394 @@ -133,6 +141,7 @@ bpf_slow_path_byte_msh:
31398 + pax_force_retaddr
31401 #define sk_negative_common(SIZE) \
31402 @@ -157,6 +166,7 @@ sk_load_word_negative_offset:
31403 sk_negative_common(4)
31406 + pax_force_retaddr
31409 bpf_slow_path_half_neg:
31410 @@ -168,6 +178,7 @@ sk_load_half_negative_offset:
31414 + pax_force_retaddr
31417 bpf_slow_path_byte_neg:
31418 @@ -177,6 +188,7 @@ sk_load_byte_negative_offset:
31419 .globl sk_load_byte_negative_offset
31420 sk_negative_common(1)
31421 movzbl (%rax), %eax
31422 + pax_force_retaddr
31425 bpf_slow_path_byte_msh_neg:
31426 @@ -190,6 +202,7 @@ sk_load_byte_msh_negative_offset:
31430 + pax_force_retaddr
31434 @@ -197,4 +210,5 @@ bpf_error:
31438 + pax_force_retaddr
31440 diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
31441 index f66b540..3e88dfb 100644
31442 --- a/arch/x86/net/bpf_jit_comp.c
31443 +++ b/arch/x86/net/bpf_jit_comp.c
31445 #include <linux/netdevice.h>
31446 #include <linux/filter.h>
31447 #include <linux/if_vlan.h>
31448 +#include <linux/random.h>
31452 @@ -49,13 +50,90 @@ static inline u8 *emit_code(u8 *ptr, u32 bytes, unsigned int len)
31456 +#ifdef CONFIG_GRKERNSEC_JIT_HARDEN
31457 +#define MAX_INSTR_CODE_SIZE 96
31459 +#define MAX_INSTR_CODE_SIZE 64
31462 #define EMIT(bytes, len) do { prog = emit_code(prog, bytes, len); } while (0)
31464 #define EMIT1(b1) EMIT(b1, 1)
31465 #define EMIT2(b1, b2) EMIT((b1) + ((b2) << 8), 2)
31466 #define EMIT3(b1, b2, b3) EMIT((b1) + ((b2) << 8) + ((b3) << 16), 3)
31467 #define EMIT4(b1, b2, b3, b4) EMIT((b1) + ((b2) << 8) + ((b3) << 16) + ((b4) << 24), 4)
31469 +#ifdef CONFIG_GRKERNSEC_JIT_HARDEN
31470 +/* original constant will appear in ecx */
31471 +#define DILUTE_CONST_SEQUENCE(_off, _key) \
31473 + /* mov ecx, randkey */ \
31476 + /* xor ecx, randkey ^ off */ \
31477 + EMIT2(0x81, 0xf1); \
31478 + EMIT((_key) ^ (_off), 4); \
31481 +#define EMIT1_off32(b1, _off) \
31484 + case 0x05: /* add eax, imm32 */ \
31485 + case 0x2d: /* sub eax, imm32 */ \
31486 + case 0x25: /* and eax, imm32 */ \
31487 + case 0x0d: /* or eax, imm32 */ \
31488 + case 0xb8: /* mov eax, imm32 */ \
31489 + case 0x35: /* xor eax, imm32 */ \
31490 + case 0x3d: /* cmp eax, imm32 */ \
31491 + case 0xa9: /* test eax, imm32 */ \
31492 + DILUTE_CONST_SEQUENCE(_off, randkey); \
31493 + EMIT2((b1) - 4, 0xc8); /* convert imm instruction to eax, ecx */\
31495 + case 0xbb: /* mov ebx, imm32 */ \
31496 + DILUTE_CONST_SEQUENCE(_off, randkey); \
31497 + /* mov ebx, ecx */ \
31498 + EMIT2(0x89, 0xcb); \
31500 + case 0xbe: /* mov esi, imm32 */ \
31501 + DILUTE_CONST_SEQUENCE(_off, randkey); \
31502 + /* mov esi, ecx */ \
31503 + EMIT2(0x89, 0xce); \
31505 + case 0xe8: /* call rel imm32, always to known funcs */ \
31509 + case 0xe9: /* jmp rel imm32 */ \
31512 + /* prevent fall-through, we're not called if off = 0 */ \
31513 + EMIT(0xcccccccc, 4); \
31514 + EMIT(0xcccccccc, 4); \
31521 +#define EMIT2_off32(b1, b2, _off) \
31523 + if ((b1) == 0x8d && (b2) == 0xb3) { /* lea esi, [rbx+imm32] */ \
31524 + EMIT2(0x8d, 0xb3); /* lea esi, [rbx+randkey] */ \
31525 + EMIT(randkey, 4); \
31526 + EMIT2(0x8d, 0xb6); /* lea esi, [esi+off-randkey] */ \
31527 + EMIT((_off) - randkey, 4); \
31528 + } else if ((b1) == 0x69 && (b2) == 0xc0) { /* imul eax, imm32 */\
31529 + DILUTE_CONST_SEQUENCE(_off, randkey); \
31530 + /* imul eax, ecx */ \
31531 + EMIT3(0x0f, 0xaf, 0xc1); \
31537 #define EMIT1_off32(b1, off) do { EMIT1(b1); EMIT(off, 4);} while (0)
31538 +#define EMIT2_off32(b1, b2, off) do { EMIT2(b1, b2); EMIT(off, 4);} while (0)
31541 #define CLEAR_A() EMIT2(0x31, 0xc0) /* xor %eax,%eax */
31542 #define CLEAR_X() EMIT2(0x31, 0xdb) /* xor %ebx,%ebx */
31543 @@ -90,6 +168,24 @@ do { \
31544 #define X86_JBE 0x76
31545 #define X86_JA 0x77
31547 +#ifdef CONFIG_GRKERNSEC_JIT_HARDEN
31548 +#define APPEND_FLOW_VERIFY() \
31550 + /* mov ecx, randkey */ \
31552 + EMIT(randkey, 4); \
31553 + /* cmp ecx, randkey */ \
31554 + EMIT2(0x81, 0xf9); \
31555 + EMIT(randkey, 4); \
31556 + /* jz after 8 int 3s */ \
31557 + EMIT2(0x74, 0x08); \
31558 + EMIT(0xcccccccc, 4); \
31559 + EMIT(0xcccccccc, 4); \
31562 +#define APPEND_FLOW_VERIFY() do { } while (0)
31565 #define EMIT_COND_JMP(op, offset) \
31567 if (is_near(offset)) \
31568 @@ -97,6 +193,7 @@ do { \
31570 EMIT2(0x0f, op + 0x10); \
31571 EMIT(offset, 4); /* jxx .+off32 */ \
31572 + APPEND_FLOW_VERIFY(); \
31576 @@ -121,6 +218,11 @@ static inline void bpf_flush_icache(void *start, void *end)
31580 +struct bpf_jit_work {
31581 + struct work_struct work;
31585 #define CHOOSE_LOAD_FUNC(K, func) \
31586 ((int)K < 0 ? ((int)K >= SKF_LL_OFF ? func##_negative_offset : func) : func##_positive_offset)
31588 @@ -146,7 +248,7 @@ static int pkt_type_offset(void)
31590 void bpf_jit_compile(struct sk_filter *fp)
31593 + u8 temp[MAX_INSTR_CODE_SIZE];
31595 unsigned int proglen, oldproglen = 0;
31597 @@ -159,6 +261,9 @@ void bpf_jit_compile(struct sk_filter *fp)
31598 unsigned int *addrs;
31599 const struct sock_filter *filter = fp->insns;
31600 int flen = fp->len;
31601 +#ifdef CONFIG_GRKERNSEC_JIT_HARDEN
31602 + unsigned int randkey;
31605 if (!bpf_jit_enable)
31607 @@ -167,11 +272,19 @@ void bpf_jit_compile(struct sk_filter *fp)
31611 + fp->work = kmalloc(sizeof(*fp->work), GFP_KERNEL);
31615 +#ifdef CONFIG_GRKERNSEC_JIT_HARDEN
31616 + randkey = get_random_int();
31619 /* Before first pass, make a rough estimation of addrs[]
31620 - * each bpf instruction is translated to less than 64 bytes
31621 + * each bpf instruction is translated to less than MAX_INSTR_CODE_SIZE bytes
31623 for (proglen = 0, i = 0; i < flen; i++) {
31625 + proglen += MAX_INSTR_CODE_SIZE;
31626 addrs[i] = proglen;
31628 cleanup_addr = proglen; /* epilogue address */
31629 @@ -282,10 +395,8 @@ void bpf_jit_compile(struct sk_filter *fp)
31630 case BPF_S_ALU_MUL_K: /* A *= K */
31632 EMIT3(0x6b, 0xc0, K); /* imul imm8,%eax,%eax */
31634 - EMIT2(0x69, 0xc0); /* imul imm32,%eax */
31638 + EMIT2_off32(0x69, 0xc0, K); /* imul imm32,%eax */
31640 case BPF_S_ALU_DIV_X: /* A /= X; */
31642 @@ -325,13 +436,23 @@ void bpf_jit_compile(struct sk_filter *fp)
31644 case BPF_S_ALU_MOD_K: /* A %= K; */
31645 EMIT2(0x31, 0xd2); /* xor %edx,%edx */
31646 +#ifdef CONFIG_GRKERNSEC_JIT_HARDEN
31647 + DILUTE_CONST_SEQUENCE(K, randkey);
31649 EMIT1(0xb9);EMIT(K, 4); /* mov imm32,%ecx */
31651 EMIT2(0xf7, 0xf1); /* div %ecx */
31652 EMIT2(0x89, 0xd0); /* mov %edx,%eax */
31654 case BPF_S_ALU_DIV_K: /* A = reciprocal_divide(A, K); */
31655 +#ifdef CONFIG_GRKERNSEC_JIT_HARDEN
31656 + DILUTE_CONST_SEQUENCE(K, randkey);
31658 + EMIT4(0x48, 0x0f, 0xaf, 0xc1);
31660 EMIT3(0x48, 0x69, 0xc0); /* imul imm32,%rax,%rax */
31663 EMIT4(0x48, 0xc1, 0xe8, 0x20); /* shr $0x20,%rax */
31665 case BPF_S_ALU_AND_X:
31666 @@ -602,8 +723,7 @@ common_load_ind: seen |= SEEN_DATAREF | SEEN_XREG;
31668 EMIT3(0x8d, 0x73, K); /* lea imm8(%rbx), %esi */
31670 - EMIT2(0x8d, 0xb3); /* lea imm32(%rbx),%esi */
31672 + EMIT2_off32(0x8d, 0xb3, K); /* lea imm32(%rbx),%esi */
31675 EMIT2(0x89,0xde); /* mov %ebx,%esi */
31676 @@ -686,17 +806,18 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i];
31679 /* hmm, too complex filter, give up with jit compiler */
31683 ilen = prog - temp;
31685 if (unlikely(proglen + ilen > oldproglen)) {
31686 pr_err("bpb_jit_compile fatal error\n");
31688 - module_free(NULL, image);
31690 + module_free_exec(NULL, image);
31693 + pax_open_kernel();
31694 memcpy(image + proglen, temp, ilen);
31695 + pax_close_kernel();
31698 addrs[i] = proglen;
31699 @@ -717,11 +838,9 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i];
31702 if (proglen == oldproglen) {
31703 - image = module_alloc(max_t(unsigned int,
31705 - sizeof(struct work_struct)));
31706 + image = module_alloc_exec(proglen);
31711 oldproglen = proglen;
31713 @@ -732,7 +851,10 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i];
31715 bpf_flush_icache(image, image + proglen);
31716 fp->bpf_func = (void *)image;
31725 @@ -740,18 +862,20 @@ out:
31727 static void jit_free_defer(struct work_struct *arg)
31729 - module_free(NULL, arg);
31730 + module_free_exec(NULL, ((struct bpf_jit_work *)arg)->image);
31734 /* run from softirq, we must use a work_struct to call
31735 - * module_free() from process context
31736 + * module_free_exec() from process context
31738 void bpf_jit_free(struct sk_filter *fp)
31740 if (fp->bpf_func != sk_run_filter) {
31741 - struct work_struct *work = (struct work_struct *)fp->bpf_func;
31742 + struct work_struct *work = &fp->work->work;
31744 INIT_WORK(work, jit_free_defer);
31745 + fp->work->image = fp->bpf_func;
31746 schedule_work(work);
31749 diff --git a/arch/x86/oprofile/backtrace.c b/arch/x86/oprofile/backtrace.c
31750 index d6aa6e8..266395a 100644
31751 --- a/arch/x86/oprofile/backtrace.c
31752 +++ b/arch/x86/oprofile/backtrace.c
31753 @@ -46,11 +46,11 @@ dump_user_backtrace_32(struct stack_frame_ia32 *head)
31754 struct stack_frame_ia32 *fp;
31755 unsigned long bytes;
31757 - bytes = copy_from_user_nmi(bufhead, head, sizeof(bufhead));
31758 + bytes = copy_from_user_nmi(bufhead, (const char __force_user *)head, sizeof(bufhead));
31759 if (bytes != sizeof(bufhead))
31762 - fp = (struct stack_frame_ia32 *) compat_ptr(bufhead[0].next_frame);
31763 + fp = (struct stack_frame_ia32 __force_kernel *) compat_ptr(bufhead[0].next_frame);
31765 oprofile_add_trace(bufhead[0].return_address);
31767 @@ -92,7 +92,7 @@ static struct stack_frame *dump_user_backtrace(struct stack_frame *head)
31768 struct stack_frame bufhead[2];
31769 unsigned long bytes;
31771 - bytes = copy_from_user_nmi(bufhead, head, sizeof(bufhead));
31772 + bytes = copy_from_user_nmi(bufhead, (const char __force_user *)head, sizeof(bufhead));
31773 if (bytes != sizeof(bufhead))
31776 @@ -111,7 +111,7 @@ x86_backtrace(struct pt_regs * const regs, unsigned int depth)
31778 struct stack_frame *head = (struct stack_frame *)frame_pointer(regs);
31780 - if (!user_mode_vm(regs)) {
31781 + if (!user_mode(regs)) {
31782 unsigned long stack = kernel_stack_pointer(regs);
31784 dump_trace(NULL, regs, (unsigned long *)stack, 0,
31785 diff --git a/arch/x86/oprofile/nmi_int.c b/arch/x86/oprofile/nmi_int.c
31786 index 48768df..ba9143c 100644
31787 --- a/arch/x86/oprofile/nmi_int.c
31788 +++ b/arch/x86/oprofile/nmi_int.c
31790 #include <asm/nmi.h>
31791 #include <asm/msr.h>
31792 #include <asm/apic.h>
31793 +#include <asm/pgtable.h>
31795 #include "op_counter.h"
31796 #include "op_x86_model.h"
31797 @@ -774,8 +775,11 @@ int __init op_nmi_init(struct oprofile_operations *ops)
31801 - if (!model->num_virt_counters)
31802 - model->num_virt_counters = model->num_counters;
31803 + if (!model->num_virt_counters) {
31804 + pax_open_kernel();
31805 + *(unsigned int *)&model->num_virt_counters = model->num_counters;
31806 + pax_close_kernel();
31811 diff --git a/arch/x86/oprofile/op_model_amd.c b/arch/x86/oprofile/op_model_amd.c
31812 index b2b9443..be58856 100644
31813 --- a/arch/x86/oprofile/op_model_amd.c
31814 +++ b/arch/x86/oprofile/op_model_amd.c
31815 @@ -519,9 +519,11 @@ static int op_amd_init(struct oprofile_operations *ops)
31816 num_counters = AMD64_NUM_COUNTERS;
31819 - op_amd_spec.num_counters = num_counters;
31820 - op_amd_spec.num_controls = num_counters;
31821 - op_amd_spec.num_virt_counters = max(num_counters, NUM_VIRT_COUNTERS);
31822 + pax_open_kernel();
31823 + *(unsigned int *)&op_amd_spec.num_counters = num_counters;
31824 + *(unsigned int *)&op_amd_spec.num_controls = num_counters;
31825 + *(unsigned int *)&op_amd_spec.num_virt_counters = max(num_counters, NUM_VIRT_COUNTERS);
31826 + pax_close_kernel();
31830 diff --git a/arch/x86/oprofile/op_model_ppro.c b/arch/x86/oprofile/op_model_ppro.c
31831 index d90528e..0127e2b 100644
31832 --- a/arch/x86/oprofile/op_model_ppro.c
31833 +++ b/arch/x86/oprofile/op_model_ppro.c
31835 #include <asm/msr.h>
31836 #include <asm/apic.h>
31837 #include <asm/nmi.h>
31838 +#include <asm/pgtable.h>
31840 #include "op_x86_model.h"
31841 #include "op_counter.h"
31842 @@ -221,8 +222,10 @@ static void arch_perfmon_setup_counters(void)
31844 num_counters = min((int)eax.split.num_counters, OP_MAX_COUNTER);
31846 - op_arch_perfmon_spec.num_counters = num_counters;
31847 - op_arch_perfmon_spec.num_controls = num_counters;
31848 + pax_open_kernel();
31849 + *(unsigned int *)&op_arch_perfmon_spec.num_counters = num_counters;
31850 + *(unsigned int *)&op_arch_perfmon_spec.num_controls = num_counters;
31851 + pax_close_kernel();
31854 static int arch_perfmon_init(struct oprofile_operations *ignore)
31855 diff --git a/arch/x86/oprofile/op_x86_model.h b/arch/x86/oprofile/op_x86_model.h
31856 index 71e8a67..6a313bb 100644
31857 --- a/arch/x86/oprofile/op_x86_model.h
31858 +++ b/arch/x86/oprofile/op_x86_model.h
31859 @@ -52,7 +52,7 @@ struct op_x86_model_spec {
31860 void (*switch_ctrl)(struct op_x86_model_spec const *model,
31861 struct op_msrs const * const msrs);
31866 struct op_counter_config;
31868 diff --git a/arch/x86/pci/amd_bus.c b/arch/x86/pci/amd_bus.c
31869 index e9e6ed5..e47ae67 100644
31870 --- a/arch/x86/pci/amd_bus.c
31871 +++ b/arch/x86/pci/amd_bus.c
31872 @@ -337,7 +337,7 @@ static int __cpuinit amd_cpu_notify(struct notifier_block *self,
31876 -static struct notifier_block __cpuinitdata amd_cpu_notifier = {
31877 +static struct notifier_block amd_cpu_notifier = {
31878 .notifier_call = amd_cpu_notify,
31881 diff --git a/arch/x86/pci/irq.c b/arch/x86/pci/irq.c
31882 index 372e9b8..e775a6c 100644
31883 --- a/arch/x86/pci/irq.c
31884 +++ b/arch/x86/pci/irq.c
31885 @@ -50,7 +50,7 @@ struct irq_router {
31886 struct irq_router_handler {
31888 int (*probe)(struct irq_router *r, struct pci_dev *router, u16 device);
31892 int (*pcibios_enable_irq)(struct pci_dev *dev) = pirq_enable_irq;
31893 void (*pcibios_disable_irq)(struct pci_dev *dev) = NULL;
31894 @@ -794,7 +794,7 @@ static __init int pico_router_probe(struct irq_router *r, struct pci_dev *router
31898 -static __initdata struct irq_router_handler pirq_routers[] = {
31899 +static __initconst const struct irq_router_handler pirq_routers[] = {
31900 { PCI_VENDOR_ID_INTEL, intel_router_probe },
31901 { PCI_VENDOR_ID_AL, ali_router_probe },
31902 { PCI_VENDOR_ID_ITE, ite_router_probe },
31903 @@ -821,7 +821,7 @@ static struct pci_dev *pirq_router_dev;
31904 static void __init pirq_find_router(struct irq_router *r)
31906 struct irq_routing_table *rt = pirq_table;
31907 - struct irq_router_handler *h;
31908 + const struct irq_router_handler *h;
31910 #ifdef CONFIG_PCI_BIOS
31911 if (!rt->signature) {
31912 @@ -1094,7 +1094,7 @@ static int __init fix_acer_tm360_irqrouting(const struct dmi_system_id *d)
31916 -static struct dmi_system_id __initdata pciirq_dmi_table[] = {
31917 +static const struct dmi_system_id __initconst pciirq_dmi_table[] = {
31919 .callback = fix_broken_hp_bios_irq9,
31920 .ident = "HP Pavilion N5400 Series Laptop",
31921 diff --git a/arch/x86/pci/mrst.c b/arch/x86/pci/mrst.c
31922 index 6eb18c4..20d83de 100644
31923 --- a/arch/x86/pci/mrst.c
31924 +++ b/arch/x86/pci/mrst.c
31925 @@ -238,7 +238,9 @@ int __init pci_mrst_init(void)
31926 printk(KERN_INFO "Intel MID platform detected, using MID PCI ops\n");
31927 pci_mmcfg_late_init();
31928 pcibios_enable_irq = mrst_pci_irq_enable;
31929 - pci_root_ops = pci_mrst_ops;
31930 + pax_open_kernel();
31931 + memcpy((void *)&pci_root_ops, &pci_mrst_ops, sizeof(pci_mrst_ops));
31932 + pax_close_kernel();
31934 /* Continue with standard init */
31936 diff --git a/arch/x86/pci/pcbios.c b/arch/x86/pci/pcbios.c
31937 index c77b24a..c979855 100644
31938 --- a/arch/x86/pci/pcbios.c
31939 +++ b/arch/x86/pci/pcbios.c
31940 @@ -79,7 +79,7 @@ union bios32 {
31942 unsigned long address;
31943 unsigned short segment;
31944 -} bios32_indirect = { 0, __KERNEL_CS };
31945 +} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
31948 * Returns the entry point for the given service, NULL on error
31949 @@ -92,37 +92,80 @@ static unsigned long bios32_service(unsigned long service)
31950 unsigned long length; /* %ecx */
31951 unsigned long entry; /* %edx */
31952 unsigned long flags;
31953 + struct desc_struct d, *gdt;
31955 local_irq_save(flags);
31956 - __asm__("lcall *(%%edi); cld"
31958 + gdt = get_cpu_gdt_table(smp_processor_id());
31960 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC);
31961 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
31962 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC);
31963 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
31965 + __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
31966 : "=a" (return_code),
31972 - "D" (&bios32_indirect));
31973 + "D" (&bios32_indirect),
31974 + "r"(__PCIBIOS_DS)
31977 + pax_open_kernel();
31978 + gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
31979 + gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
31980 + gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
31981 + gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
31982 + pax_close_kernel();
31984 local_irq_restore(flags);
31986 switch (return_code) {
31988 - return address + entry;
31989 - case 0x80: /* Not present */
31990 - printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
31992 - default: /* Shouldn't happen */
31993 - printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
31994 - service, return_code);
31997 + unsigned char flags;
31999 + printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
32000 + if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) {
32001 + printk(KERN_WARNING "bios32_service: not valid\n");
32004 + address = address + PAGE_OFFSET;
32005 + length += 16UL; /* some BIOSs underreport this... */
32007 + if (length >= 64*1024*1024) {
32008 + length >>= PAGE_SHIFT;
32012 + for (cpu = 0; cpu < nr_cpu_ids; cpu++) {
32013 + gdt = get_cpu_gdt_table(cpu);
32014 + pack_descriptor(&d, address, length, 0x9b, flags);
32015 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
32016 + pack_descriptor(&d, address, length, 0x93, flags);
32017 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
32021 + case 0x80: /* Not present */
32022 + printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
32024 + default: /* Shouldn't happen */
32025 + printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
32026 + service, return_code);
32032 unsigned long address;
32033 unsigned short segment;
32034 -} pci_indirect = { 0, __KERNEL_CS };
32035 +} pci_indirect __read_only = { 0, __PCIBIOS_CS };
32037 -static int pci_bios_present;
32038 +static int pci_bios_present __read_only;
32040 static int check_pcibios(void)
32042 @@ -131,11 +174,13 @@ static int check_pcibios(void)
32043 unsigned long flags, pcibios_entry;
32045 if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
32046 - pci_indirect.address = pcibios_entry + PAGE_OFFSET;
32047 + pci_indirect.address = pcibios_entry;
32049 local_irq_save(flags);
32051 - "lcall *(%%edi); cld\n\t"
32052 + __asm__("movw %w6, %%ds\n\t"
32053 + "lcall *%%ss:(%%edi); cld\n\t"
32059 @@ -144,7 +189,8 @@ static int check_pcibios(void)
32062 : "1" (PCIBIOS_PCI_BIOS_PRESENT),
32063 - "D" (&pci_indirect)
32064 + "D" (&pci_indirect),
32065 + "r" (__PCIBIOS_DS)
32067 local_irq_restore(flags);
32069 @@ -189,7 +235,10 @@ static int pci_bios_read(unsigned int seg, unsigned int bus,
32073 - __asm__("lcall *(%%esi); cld\n\t"
32074 + __asm__("movw %w6, %%ds\n\t"
32075 + "lcall *%%ss:(%%esi); cld\n\t"
32081 @@ -198,7 +247,8 @@ static int pci_bios_read(unsigned int seg, unsigned int bus,
32082 : "1" (PCIBIOS_READ_CONFIG_BYTE),
32085 - "S" (&pci_indirect));
32086 + "S" (&pci_indirect),
32087 + "r" (__PCIBIOS_DS));
32089 * Zero-extend the result beyond 8 bits, do not trust the
32090 * BIOS having done it:
32091 @@ -206,7 +256,10 @@ static int pci_bios_read(unsigned int seg, unsigned int bus,
32095 - __asm__("lcall *(%%esi); cld\n\t"
32096 + __asm__("movw %w6, %%ds\n\t"
32097 + "lcall *%%ss:(%%esi); cld\n\t"
32103 @@ -215,7 +268,8 @@ static int pci_bios_read(unsigned int seg, unsigned int bus,
32104 : "1" (PCIBIOS_READ_CONFIG_WORD),
32107 - "S" (&pci_indirect));
32108 + "S" (&pci_indirect),
32109 + "r" (__PCIBIOS_DS));
32111 * Zero-extend the result beyond 16 bits, do not trust the
32112 * BIOS having done it:
32113 @@ -223,7 +277,10 @@ static int pci_bios_read(unsigned int seg, unsigned int bus,
32117 - __asm__("lcall *(%%esi); cld\n\t"
32118 + __asm__("movw %w6, %%ds\n\t"
32119 + "lcall *%%ss:(%%esi); cld\n\t"
32125 @@ -232,7 +289,8 @@ static int pci_bios_read(unsigned int seg, unsigned int bus,
32126 : "1" (PCIBIOS_READ_CONFIG_DWORD),
32129 - "S" (&pci_indirect));
32130 + "S" (&pci_indirect),
32131 + "r" (__PCIBIOS_DS));
32135 @@ -256,7 +314,10 @@ static int pci_bios_write(unsigned int seg, unsigned int bus,
32139 - __asm__("lcall *(%%esi); cld\n\t"
32140 + __asm__("movw %w6, %%ds\n\t"
32141 + "lcall *%%ss:(%%esi); cld\n\t"
32147 @@ -265,10 +326,14 @@ static int pci_bios_write(unsigned int seg, unsigned int bus,
32151 - "S" (&pci_indirect));
32152 + "S" (&pci_indirect),
32153 + "r" (__PCIBIOS_DS));
32156 - __asm__("lcall *(%%esi); cld\n\t"
32157 + __asm__("movw %w6, %%ds\n\t"
32158 + "lcall *%%ss:(%%esi); cld\n\t"
32164 @@ -277,10 +342,14 @@ static int pci_bios_write(unsigned int seg, unsigned int bus,
32168 - "S" (&pci_indirect));
32169 + "S" (&pci_indirect),
32170 + "r" (__PCIBIOS_DS));
32173 - __asm__("lcall *(%%esi); cld\n\t"
32174 + __asm__("movw %w6, %%ds\n\t"
32175 + "lcall *%%ss:(%%esi); cld\n\t"
32181 @@ -289,7 +358,8 @@ static int pci_bios_write(unsigned int seg, unsigned int bus,
32185 - "S" (&pci_indirect));
32186 + "S" (&pci_indirect),
32187 + "r" (__PCIBIOS_DS));
32191 @@ -394,10 +464,13 @@ struct irq_routing_table * pcibios_get_irq_routing_table(void)
32193 DBG("PCI: Fetching IRQ routing table... ");
32194 __asm__("push %%es\n\t"
32195 + "movw %w8, %%ds\n\t"
32198 - "lcall *(%%esi); cld\n\t"
32199 + "lcall *%%ss:(%%esi); cld\n\t"
32206 @@ -408,7 +481,8 @@ struct irq_routing_table * pcibios_get_irq_routing_table(void)
32209 "S" (&pci_indirect),
32212 + "r" (__PCIBIOS_DS)
32214 DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
32216 @@ -432,7 +506,10 @@ int pcibios_set_irq_routing(struct pci_dev *dev, int pin, int irq)
32220 - __asm__("lcall *(%%esi); cld\n\t"
32221 + __asm__("movw %w5, %%ds\n\t"
32222 + "lcall *%%ss:(%%esi); cld\n\t"
32228 @@ -440,7 +517,8 @@ int pcibios_set_irq_routing(struct pci_dev *dev, int pin, int irq)
32229 : "0" (PCIBIOS_SET_PCI_HW_INT),
32230 "b" ((dev->bus->number << 8) | dev->devfn),
32231 "c" ((irq << 8) | (pin + 10)),
32232 - "S" (&pci_indirect));
32233 + "S" (&pci_indirect),
32234 + "r" (__PCIBIOS_DS));
32235 return !(ret & 0xff00);
32237 EXPORT_SYMBOL(pcibios_set_irq_routing);
32238 diff --git a/arch/x86/platform/efi/efi_32.c b/arch/x86/platform/efi/efi_32.c
32239 index 40e4469..d915bf9 100644
32240 --- a/arch/x86/platform/efi/efi_32.c
32241 +++ b/arch/x86/platform/efi/efi_32.c
32242 @@ -44,11 +44,22 @@ void efi_call_phys_prelog(void)
32244 struct desc_ptr gdt_descr;
32246 +#ifdef CONFIG_PAX_KERNEXEC
32247 + struct desc_struct d;
32250 local_irq_save(efi_rt_eflags);
32252 load_cr3(initial_page_table);
32255 +#ifdef CONFIG_PAX_KERNEXEC
32256 + pack_descriptor(&d, 0, 0xFFFFF, 0x9B, 0xC);
32257 + write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_CS, &d, DESCTYPE_S);
32258 + pack_descriptor(&d, 0, 0xFFFFF, 0x93, 0xC);
32259 + write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_DS, &d, DESCTYPE_S);
32262 gdt_descr.address = __pa(get_cpu_gdt_table(0));
32263 gdt_descr.size = GDT_SIZE - 1;
32264 load_gdt(&gdt_descr);
32265 @@ -58,11 +69,24 @@ void efi_call_phys_epilog(void)
32267 struct desc_ptr gdt_descr;
32269 +#ifdef CONFIG_PAX_KERNEXEC
32270 + struct desc_struct d;
32272 + memset(&d, 0, sizeof d);
32273 + write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_CS, &d, DESCTYPE_S);
32274 + write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_DS, &d, DESCTYPE_S);
32277 gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
32278 gdt_descr.size = GDT_SIZE - 1;
32279 load_gdt(&gdt_descr);
32281 +#ifdef CONFIG_PAX_PER_CPU_PGD
32282 + load_cr3(get_cpu_pgd(smp_processor_id(), kernel));
32284 load_cr3(swapper_pg_dir);
32289 local_irq_restore(efi_rt_eflags);
32290 diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c
32291 index 39a0e7f1..872396e 100644
32292 --- a/arch/x86/platform/efi/efi_64.c
32293 +++ b/arch/x86/platform/efi/efi_64.c
32294 @@ -76,6 +76,11 @@ void __init efi_call_phys_prelog(void)
32295 vaddress = (unsigned long)__va(pgd * PGDIR_SIZE);
32296 set_pgd(pgd_offset_k(pgd * PGDIR_SIZE), *pgd_offset_k(vaddress));
32299 +#ifdef CONFIG_PAX_PER_CPU_PGD
32300 + load_cr3(swapper_pg_dir);
32306 @@ -89,6 +94,11 @@ void __init efi_call_phys_epilog(void)
32307 for (pgd = 0; pgd < n_pgds; pgd++)
32308 set_pgd(pgd_offset_k(pgd * PGDIR_SIZE), save_pgd[pgd]);
32311 +#ifdef CONFIG_PAX_PER_CPU_PGD
32312 + load_cr3(get_cpu_pgd(smp_processor_id(), kernel));
32316 local_irq_restore(efi_flags);
32317 early_code_mapping_set_exec(0);
32318 diff --git a/arch/x86/platform/efi/efi_stub_32.S b/arch/x86/platform/efi/efi_stub_32.S
32319 index fbe66e6..eae5e38 100644
32320 --- a/arch/x86/platform/efi/efi_stub_32.S
32321 +++ b/arch/x86/platform/efi/efi_stub_32.S
32325 #include <linux/linkage.h>
32326 +#include <linux/init.h>
32327 #include <asm/page_types.h>
32328 +#include <asm/segment.h>
32331 * efi_call_phys(void *, ...) is a function with variable parameters.
32333 * service functions will comply with gcc calling convention, too.
32338 ENTRY(efi_call_phys)
32340 * 0. The function can only be called in Linux kernel. So CS has been
32341 @@ -36,10 +38,24 @@ ENTRY(efi_call_phys)
32342 * The mapping of lower virtual memory has been created in prelog and
32346 - subl $__PAGE_OFFSET, %edx
32348 +#ifdef CONFIG_PAX_KERNEXEC
32349 + movl $(__KERNEXEC_EFI_DS), %edx
32357 +1: .long __LOAD_PHYSICAL_ADDR, __KERNEXEC_EFI_CS
32363 + jmp 1f-__PAGE_OFFSET
32368 * 2. Now on the top of stack is the return
32369 @@ -47,14 +63,8 @@ ENTRY(efi_call_phys)
32370 * parameter 2, ..., param n. To make things easy, we save the return
32371 * address of efi_call_phys in a global variable.
32374 - movl %edx, saved_return_addr
32375 - /* get the function pointer into ECX*/
32377 - movl %ecx, efi_rt_function_ptr
32379 - subl $__PAGE_OFFSET, %edx
32381 + popl (saved_return_addr)
32382 + popl (efi_rt_function_ptr)
32385 * 3. Clear PG bit in %CR0.
32386 @@ -73,9 +83,8 @@ ENTRY(efi_call_phys)
32388 * 5. Call the physical function.
32391 + call *(efi_rt_function_ptr-__PAGE_OFFSET)
32395 * 6. After EFI runtime service returns, control will return to
32396 * following instruction. We'd better readjust stack pointer first.
32397 @@ -88,35 +97,36 @@ ENTRY(efi_call_phys)
32399 orl $0x80000000, %edx
32405 * 8. Now restore the virtual mode from flat mode by
32406 * adding EIP with PAGE_OFFSET.
32410 +#ifdef CONFIG_PAX_KERNEXEC
32411 + movl $(__KERNEL_DS), %edx
32415 + ljmp $(__KERNEL_CS),$1f
32417 + jmp 1f+__PAGE_OFFSET
32422 * 9. Balance the stack. And because EAX contain the return value,
32423 * we'd better not clobber it.
32425 - leal efi_rt_function_ptr, %edx
32426 - movl (%edx), %ecx
32428 + pushl (efi_rt_function_ptr)
32431 - * 10. Push the saved return address onto the stack and return.
32432 + * 10. Return to the saved return address.
32434 - leal saved_return_addr, %edx
32435 - movl (%edx), %ecx
32438 + jmpl *(saved_return_addr)
32439 ENDPROC(efi_call_phys)
32446 efi_rt_function_ptr:
32447 diff --git a/arch/x86/platform/efi/efi_stub_64.S b/arch/x86/platform/efi/efi_stub_64.S
32448 index 4c07cca..2c8427d 100644
32449 --- a/arch/x86/platform/efi/efi_stub_64.S
32450 +++ b/arch/x86/platform/efi/efi_stub_64.S
32454 #include <linux/linkage.h>
32455 +#include <asm/alternative-asm.h>
32459 @@ -40,6 +41,7 @@ ENTRY(efi_call0)
32463 + pax_force_retaddr 0, 1
32467 @@ -50,6 +52,7 @@ ENTRY(efi_call1)
32471 + pax_force_retaddr 0, 1
32475 @@ -60,6 +63,7 @@ ENTRY(efi_call2)
32479 + pax_force_retaddr 0, 1
32483 @@ -71,6 +75,7 @@ ENTRY(efi_call3)
32487 + pax_force_retaddr 0, 1
32491 @@ -83,6 +88,7 @@ ENTRY(efi_call4)
32495 + pax_force_retaddr 0, 1
32499 @@ -96,6 +102,7 @@ ENTRY(efi_call5)
32503 + pax_force_retaddr 0, 1
32507 @@ -112,5 +119,6 @@ ENTRY(efi_call6)
32511 + pax_force_retaddr 0, 1
32514 diff --git a/arch/x86/platform/mrst/mrst.c b/arch/x86/platform/mrst/mrst.c
32515 index a0a0a43..a48e233 100644
32516 --- a/arch/x86/platform/mrst/mrst.c
32517 +++ b/arch/x86/platform/mrst/mrst.c
32518 @@ -78,13 +78,15 @@ struct sfi_rtc_table_entry sfi_mrtc_array[SFI_MRTC_MAX];
32519 EXPORT_SYMBOL_GPL(sfi_mrtc_array);
32522 -static void mrst_power_off(void)
32523 +static __noreturn void mrst_power_off(void)
32528 -static void mrst_reboot(void)
32529 +static __noreturn void mrst_reboot(void)
32531 intel_scu_ipc_simple_command(IPCMSG_COLD_BOOT, 0);
32535 /* parse all the mtimer info to a static mtimer array */
32536 diff --git a/arch/x86/platform/olpc/olpc_dt.c b/arch/x86/platform/olpc/olpc_dt.c
32537 index d6ee929..3637cb5 100644
32538 --- a/arch/x86/platform/olpc/olpc_dt.c
32539 +++ b/arch/x86/platform/olpc/olpc_dt.c
32540 @@ -156,7 +156,7 @@ void * __init prom_early_alloc(unsigned long size)
32544 -static struct of_pdt_ops prom_olpc_ops __initdata = {
32545 +static struct of_pdt_ops prom_olpc_ops __initconst = {
32546 .nextprop = olpc_dt_nextprop,
32547 .getproplen = olpc_dt_getproplen,
32548 .getproperty = olpc_dt_getproperty,
32549 diff --git a/arch/x86/power/cpu.c b/arch/x86/power/cpu.c
32550 index 1cf5b30..fd45732 100644
32551 --- a/arch/x86/power/cpu.c
32552 +++ b/arch/x86/power/cpu.c
32553 @@ -137,11 +137,8 @@ static void do_fpu_end(void)
32554 static void fix_processor_context(void)
32556 int cpu = smp_processor_id();
32557 - struct tss_struct *t = &per_cpu(init_tss, cpu);
32558 -#ifdef CONFIG_X86_64
32559 - struct desc_struct *desc = get_cpu_gdt_table(cpu);
32562 + struct tss_struct *t = init_tss + cpu;
32564 set_tss_desc(cpu, t); /*
32565 * This just modifies memory; should not be
32566 * necessary. But... This is necessary, because
32567 @@ -150,10 +147,6 @@ static void fix_processor_context(void)
32570 #ifdef CONFIG_X86_64
32571 - memcpy(&tss, &desc[GDT_ENTRY_TSS], sizeof(tss_desc));
32572 - tss.type = 0x9; /* The available 64-bit TSS (see AMD vol 2, pg 91 */
32573 - write_gdt_entry(desc, GDT_ENTRY_TSS, &tss, DESC_TSS);
32575 syscall_init(); /* This sets MSR_*STAR and related */
32577 load_TR_desc(); /* This does ltr */
32578 diff --git a/arch/x86/realmode/init.c b/arch/x86/realmode/init.c
32579 index a44f457..9140171 100644
32580 --- a/arch/x86/realmode/init.c
32581 +++ b/arch/x86/realmode/init.c
32582 @@ -70,7 +70,13 @@ void __init setup_real_mode(void)
32583 __va(real_mode_header->trampoline_header);
32585 #ifdef CONFIG_X86_32
32586 - trampoline_header->start = __pa_symbol(startup_32_smp);
32587 + trampoline_header->start = __pa_symbol(ktla_ktva(startup_32_smp));
32589 +#ifdef CONFIG_PAX_KERNEXEC
32590 + trampoline_header->start -= LOAD_PHYSICAL_ADDR;
32593 + trampoline_header->boot_cs = __BOOT_CS;
32594 trampoline_header->gdt_limit = __BOOT_DS + 7;
32595 trampoline_header->gdt_base = __pa_symbol(boot_gdt);
32597 @@ -86,7 +92,7 @@ void __init setup_real_mode(void)
32598 *trampoline_cr4_features = read_cr4();
32600 trampoline_pgd = (u64 *) __va(real_mode_header->trampoline_pgd);
32601 - trampoline_pgd[0] = init_level4_pgt[pgd_index(__PAGE_OFFSET)].pgd;
32602 + trampoline_pgd[0] = init_level4_pgt[pgd_index(__PAGE_OFFSET)].pgd & ~_PAGE_NX;
32603 trampoline_pgd[511] = init_level4_pgt[511].pgd;
32606 diff --git a/arch/x86/realmode/rm/Makefile b/arch/x86/realmode/rm/Makefile
32607 index 8869287..d577672 100644
32608 --- a/arch/x86/realmode/rm/Makefile
32609 +++ b/arch/x86/realmode/rm/Makefile
32610 @@ -78,5 +78,8 @@ KBUILD_CFLAGS := $(LINUXINCLUDE) -m32 -g -Os -D_SETUP -D__KERNEL__ -D_WAKEUP \
32611 $(call cc-option, -fno-unit-at-a-time)) \
32612 $(call cc-option, -fno-stack-protector) \
32613 $(call cc-option, -mpreferred-stack-boundary=2)
32614 +ifdef CONSTIFY_PLUGIN
32615 +KBUILD_CFLAGS += -fplugin-arg-constify_plugin-no-constify
32617 KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
32619 diff --git a/arch/x86/realmode/rm/header.S b/arch/x86/realmode/rm/header.S
32620 index a28221d..93c40f1 100644
32621 --- a/arch/x86/realmode/rm/header.S
32622 +++ b/arch/x86/realmode/rm/header.S
32623 @@ -30,7 +30,9 @@ GLOBAL(real_mode_header)
32625 /* APM/BIOS reboot */
32626 .long pa_machine_real_restart_asm
32627 -#ifdef CONFIG_X86_64
32628 +#ifdef CONFIG_X86_32
32629 + .long __KERNEL_CS
32631 .long __KERNEL32_CS
32633 END(real_mode_header)
32634 diff --git a/arch/x86/realmode/rm/trampoline_32.S b/arch/x86/realmode/rm/trampoline_32.S
32635 index c1b2791..f9e31c7 100644
32636 --- a/arch/x86/realmode/rm/trampoline_32.S
32637 +++ b/arch/x86/realmode/rm/trampoline_32.S
32639 #include <asm/page_types.h>
32640 #include "realmode.h"
32642 +#ifdef CONFIG_PAX_KERNEXEC
32645 +#define ta(X) (pa_ ## X)
32651 @@ -39,8 +45,6 @@ ENTRY(trampoline_start)
32653 cli # We should be safe anyway
32655 - movl tr_start, %eax # where we need to go
32657 movl $0xA5A5A5A5, trampoline_status
32658 # write marker for master knows we're running
32660 @@ -56,7 +60,7 @@ ENTRY(trampoline_start)
32661 movw $1, %dx # protected mode (PE) bit
32662 lmsw %dx # into protected mode
32664 - ljmpl $__BOOT_CS, $pa_startup_32
32665 + ljmpl *(trampoline_header)
32667 .section ".text32","ax"
32669 @@ -67,7 +71,7 @@ ENTRY(startup_32) # note: also used from wakeup_asm.S
32671 GLOBAL(trampoline_header)
32673 - tr_gdt_pad: .space 2
32674 + tr_boot_cs: .space 2
32676 END(trampoline_header)
32678 diff --git a/arch/x86/realmode/rm/trampoline_64.S b/arch/x86/realmode/rm/trampoline_64.S
32679 index bb360dc..d0fd8f8 100644
32680 --- a/arch/x86/realmode/rm/trampoline_64.S
32681 +++ b/arch/x86/realmode/rm/trampoline_64.S
32682 @@ -94,6 +94,7 @@ ENTRY(startup_32)
32685 movl pa_tr_cr4, %eax
32686 + andl $~X86_CR4_PCIDE, %eax
32687 movl %eax, %cr4 # Enable PAE mode
32689 # Setup trampoline 4 level pagetables
32690 @@ -107,7 +108,7 @@ ENTRY(startup_32)
32693 # Enable paging and in turn activate Long Mode
32694 - movl $(X86_CR0_PG | X86_CR0_WP | X86_CR0_PE), %eax
32695 + movl $(X86_CR0_PG | X86_CR0_PE), %eax
32699 diff --git a/arch/x86/tools/Makefile b/arch/x86/tools/Makefile
32700 index e812034..c747134 100644
32701 --- a/arch/x86/tools/Makefile
32702 +++ b/arch/x86/tools/Makefile
32703 @@ -37,7 +37,7 @@ $(obj)/test_get_len.o: $(srctree)/arch/x86/lib/insn.c $(srctree)/arch/x86/lib/in
32705 $(obj)/insn_sanity.o: $(srctree)/arch/x86/lib/insn.c $(srctree)/arch/x86/lib/inat.c $(srctree)/arch/x86/include/asm/inat_types.h $(srctree)/arch/x86/include/asm/inat.h $(srctree)/arch/x86/include/asm/insn.h $(objtree)/arch/x86/lib/inat-tables.c
32707 -HOST_EXTRACFLAGS += -I$(srctree)/tools/include
32708 +HOST_EXTRACFLAGS += -I$(srctree)/tools/include -ggdb
32709 hostprogs-y += relocs
32710 relocs-objs := relocs_32.o relocs_64.o relocs_common.o
32711 relocs: $(obj)/relocs
32712 diff --git a/arch/x86/tools/relocs.c b/arch/x86/tools/relocs.c
32713 index f7bab68..b6d9886 100644
32714 --- a/arch/x86/tools/relocs.c
32715 +++ b/arch/x86/tools/relocs.c
32717 /* This is included from relocs_32/64.c */
32719 +#include "../../../include/generated/autoconf.h"
32721 #define ElfW(type) _ElfW(ELF_BITS, type)
32722 #define _ElfW(bits, type) __ElfW(bits, type)
32723 #define __ElfW(bits, type) Elf##bits##_##type
32725 #define Elf_Sym ElfW(Sym)
32727 static Elf_Ehdr ehdr;
32728 +static Elf_Phdr *phdr;
32732 @@ -383,9 +386,39 @@ static void read_ehdr(FILE *fp)
32736 +static void read_phdrs(FILE *fp)
32740 + phdr = calloc(ehdr.e_phnum, sizeof(Elf_Phdr));
32742 + die("Unable to allocate %d program headers\n",
32745 + if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
32746 + die("Seek to %d failed: %s\n",
32747 + ehdr.e_phoff, strerror(errno));
32749 + if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
32750 + die("Cannot read ELF program headers: %s\n",
32751 + strerror(errno));
32753 + for(i = 0; i < ehdr.e_phnum; i++) {
32754 + phdr[i].p_type = elf_word_to_cpu(phdr[i].p_type);
32755 + phdr[i].p_offset = elf_off_to_cpu(phdr[i].p_offset);
32756 + phdr[i].p_vaddr = elf_addr_to_cpu(phdr[i].p_vaddr);
32757 + phdr[i].p_paddr = elf_addr_to_cpu(phdr[i].p_paddr);
32758 + phdr[i].p_filesz = elf_word_to_cpu(phdr[i].p_filesz);
32759 + phdr[i].p_memsz = elf_word_to_cpu(phdr[i].p_memsz);
32760 + phdr[i].p_flags = elf_word_to_cpu(phdr[i].p_flags);
32761 + phdr[i].p_align = elf_word_to_cpu(phdr[i].p_align);
32766 static void read_shdrs(FILE *fp)
32772 secs = calloc(ehdr.e_shnum, sizeof(struct section));
32773 @@ -420,7 +453,7 @@ static void read_shdrs(FILE *fp)
32775 static void read_strtabs(FILE *fp)
32779 for (i = 0; i < ehdr.e_shnum; i++) {
32780 struct section *sec = &secs[i];
32781 if (sec->shdr.sh_type != SHT_STRTAB) {
32782 @@ -445,7 +478,7 @@ static void read_strtabs(FILE *fp)
32784 static void read_symtabs(FILE *fp)
32787 + unsigned int i,j;
32788 for (i = 0; i < ehdr.e_shnum; i++) {
32789 struct section *sec = &secs[i];
32790 if (sec->shdr.sh_type != SHT_SYMTAB) {
32791 @@ -476,9 +509,11 @@ static void read_symtabs(FILE *fp)
32795 -static void read_relocs(FILE *fp)
32796 +static void read_relocs(FILE *fp, int use_real_mode)
32799 + unsigned int i,j;
32802 for (i = 0; i < ehdr.e_shnum; i++) {
32803 struct section *sec = &secs[i];
32804 if (sec->shdr.sh_type != SHT_REL_TYPE) {
32805 @@ -498,9 +533,22 @@ static void read_relocs(FILE *fp)
32806 die("Cannot read symbol table: %s\n",
32811 +#ifdef CONFIG_X86_32
32812 + for (j = 0; !use_real_mode && j < ehdr.e_phnum; j++) {
32813 + if (phdr[j].p_type != PT_LOAD )
32815 + if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
32817 + base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
32822 for (j = 0; j < sec->shdr.sh_size/sizeof(Elf_Rel); j++) {
32823 Elf_Rel *rel = &sec->reltab[j];
32824 - rel->r_offset = elf_addr_to_cpu(rel->r_offset);
32825 + rel->r_offset = elf_addr_to_cpu(rel->r_offset) + base;
32826 rel->r_info = elf_xword_to_cpu(rel->r_info);
32827 #if (SHT_REL_TYPE == SHT_RELA)
32828 rel->r_addend = elf_xword_to_cpu(rel->r_addend);
32829 @@ -512,7 +560,7 @@ static void read_relocs(FILE *fp)
32831 static void print_absolute_symbols(void)
32835 const char *format;
32837 if (ELF_BITS == 64)
32838 @@ -525,7 +573,7 @@ static void print_absolute_symbols(void)
32839 for (i = 0; i < ehdr.e_shnum; i++) {
32840 struct section *sec = &secs[i];
32845 if (sec->shdr.sh_type != SHT_SYMTAB) {
32847 @@ -552,7 +600,7 @@ static void print_absolute_symbols(void)
32849 static void print_absolute_relocs(void)
32851 - int i, printed = 0;
32852 + unsigned int i, printed = 0;
32853 const char *format;
32855 if (ELF_BITS == 64)
32856 @@ -565,7 +613,7 @@ static void print_absolute_relocs(void)
32857 struct section *sec_applies, *sec_symtab;
32859 Elf_Sym *sh_symtab;
32862 if (sec->shdr.sh_type != SHT_REL_TYPE) {
32865 @@ -642,13 +690,13 @@ static void add_reloc(struct relocs *r, uint32_t offset)
32866 static void walk_relocs(int (*process)(struct section *sec, Elf_Rel *rel,
32867 Elf_Sym *sym, const char *symname))
32871 /* Walk through the relocations */
32872 for (i = 0; i < ehdr.e_shnum; i++) {
32874 Elf_Sym *sh_symtab;
32875 struct section *sec_applies, *sec_symtab;
32878 struct section *sec = &secs[i];
32880 if (sec->shdr.sh_type != SHT_REL_TYPE) {
32881 @@ -812,6 +860,23 @@ static int do_reloc32(struct section *sec, Elf_Rel *rel, Elf_Sym *sym,
32883 unsigned r_type = ELF32_R_TYPE(rel->r_info);
32884 int shn_abs = (sym->st_shndx == SHN_ABS) && !is_reloc(S_REL, symname);
32885 + char *sym_strtab = sec->link->link->strtab;
32887 + /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
32888 + if (!strcmp(sec_name(sym->st_shndx), ".data..percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
32891 +#ifdef CONFIG_PAX_KERNEXEC
32892 + /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
32893 + if (!strcmp(sec_name(sym->st_shndx), ".text.end") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
32895 + if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
32897 + if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
32899 + if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
32905 @@ -950,7 +1015,7 @@ static int write32_as_text(uint32_t v, FILE *f)
32907 static void emit_relocs(int as_text, int use_real_mode)
32911 int (*write_reloc)(uint32_t, FILE *) = write32;
32912 int (*do_reloc)(struct section *sec, Elf_Rel *rel, Elf_Sym *sym,
32913 const char *symname);
32914 @@ -1026,10 +1091,11 @@ void process(FILE *fp, int use_real_mode, int as_text,
32916 regex_init(use_real_mode);
32923 + read_relocs(fp, use_real_mode);
32924 if (ELF_BITS == 64)
32926 if (show_absolute_syms) {
32927 diff --git a/arch/x86/um/tls_32.c b/arch/x86/um/tls_32.c
32928 index 80ffa5b..a33bd15 100644
32929 --- a/arch/x86/um/tls_32.c
32930 +++ b/arch/x86/um/tls_32.c
32931 @@ -260,7 +260,7 @@ out:
32932 if (unlikely(task == current &&
32933 !t->arch.tls_array[idx - GDT_ENTRY_TLS_MIN].flushed)) {
32934 printk(KERN_ERR "get_tls_entry: task with pid %d got here "
32935 - "without flushed TLS.", current->pid);
32936 + "without flushed TLS.", task_pid_nr(current));
32940 diff --git a/arch/x86/vdso/Makefile b/arch/x86/vdso/Makefile
32941 index fd14be1..e3c79c0 100644
32942 --- a/arch/x86/vdso/Makefile
32943 +++ b/arch/x86/vdso/Makefile
32944 @@ -181,7 +181,7 @@ quiet_cmd_vdso = VDSO $@
32945 -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^) && \
32946 sh $(srctree)/$(src)/checkundef.sh '$(NM)' '$@'
32948 -VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
32949 +VDSO_LDFLAGS = -fPIC -shared -Wl,--no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
32953 diff --git a/arch/x86/vdso/vdso32-setup.c b/arch/x86/vdso/vdso32-setup.c
32954 index 0faad64..39ef157 100644
32955 --- a/arch/x86/vdso/vdso32-setup.c
32956 +++ b/arch/x86/vdso/vdso32-setup.c
32958 #include <asm/tlbflush.h>
32959 #include <asm/vdso.h>
32960 #include <asm/proto.h>
32961 +#include <asm/mman.h>
32965 @@ -226,7 +227,7 @@ static inline void map_compat_vdso(int map)
32966 void enable_sep_cpu(void)
32968 int cpu = get_cpu();
32969 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
32970 + struct tss_struct *tss = init_tss + cpu;
32972 if (!boot_cpu_has(X86_FEATURE_SEP)) {
32974 @@ -249,7 +250,7 @@ static int __init gate_vma_init(void)
32975 gate_vma.vm_start = FIXADDR_USER_START;
32976 gate_vma.vm_end = FIXADDR_USER_END;
32977 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
32978 - gate_vma.vm_page_prot = __P101;
32979 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
32983 @@ -330,14 +331,14 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
32985 addr = VDSO_HIGH_BASE;
32987 - addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
32988 + addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
32989 if (IS_ERR_VALUE(addr)) {
32995 - current->mm->context.vdso = (void *)addr;
32996 + current->mm->context.vdso = addr;
32998 if (compat_uses_vma || !compat) {
33000 @@ -353,11 +354,11 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
33003 current_thread_info()->sysenter_return =
33004 - VDSO32_SYMBOL(addr, SYSENTER_RETURN);
33005 + (__force void __user *)VDSO32_SYMBOL(addr, SYSENTER_RETURN);
33009 - current->mm->context.vdso = NULL;
33010 + current->mm->context.vdso = 0;
33012 up_write(&mm->mmap_sem);
33014 @@ -404,8 +405,14 @@ __initcall(ia32_binfmt_init);
33016 const char *arch_vma_name(struct vm_area_struct *vma)
33018 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
33019 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
33022 +#ifdef CONFIG_PAX_SEGMEXEC
33023 + if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
33030 @@ -415,7 +422,7 @@ struct vm_area_struct *get_gate_vma(struct mm_struct *mm)
33031 * Check to see if the corresponding task was created in compat vdso
33034 - if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
33035 + if (mm && mm->context.vdso == VDSO_HIGH_BASE)
33039 diff --git a/arch/x86/vdso/vma.c b/arch/x86/vdso/vma.c
33040 index 431e875..cbb23f3 100644
33041 --- a/arch/x86/vdso/vma.c
33042 +++ b/arch/x86/vdso/vma.c
33044 #include <asm/vdso.h>
33045 #include <asm/page.h>
33047 -unsigned int __read_mostly vdso_enabled = 1;
33049 extern char vdso_start[], vdso_end[];
33050 extern unsigned short vdso_sync_cpuid;
33052 @@ -141,7 +139,6 @@ static unsigned long vdso_addr(unsigned long start, unsigned len)
33053 * unaligned here as a result of stack start randomization.
33055 addr = PAGE_ALIGN(addr);
33056 - addr = align_vdso_addr(addr);
33060 @@ -154,30 +151,31 @@ static int setup_additional_pages(struct linux_binprm *bprm,
33063 struct mm_struct *mm = current->mm;
33064 - unsigned long addr;
33065 + unsigned long addr = 0;
33068 - if (!vdso_enabled)
33071 down_write(&mm->mmap_sem);
33073 +#ifdef CONFIG_PAX_RANDMMAP
33074 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
33077 addr = vdso_addr(mm->start_stack, size);
33078 + addr = align_vdso_addr(addr);
33079 addr = get_unmapped_area(NULL, addr, size, 0, 0);
33080 if (IS_ERR_VALUE(addr)) {
33085 - current->mm->context.vdso = (void *)addr;
33086 + mm->context.vdso = addr;
33088 ret = install_special_mapping(mm, addr, size,
33090 VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC,
33093 - current->mm->context.vdso = NULL;
33097 + mm->context.vdso = 0;
33100 up_write(&mm->mmap_sem);
33101 @@ -197,10 +195,3 @@ int x32_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
33106 -static __init int vdso_setup(char *s)
33108 - vdso_enabled = simple_strtoul(s, NULL, 0);
33111 -__setup("vdso=", vdso_setup);
33112 diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
33113 index a492be2..08678da 100644
33114 --- a/arch/x86/xen/enlighten.c
33115 +++ b/arch/x86/xen/enlighten.c
33116 @@ -123,8 +123,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
33118 struct shared_info xen_dummy_shared_info;
33120 -void *xen_initial_gdt;
33122 RESERVE_BRK(shared_info_page_brk, PAGE_SIZE);
33123 __read_mostly int xen_have_vector_callback;
33124 EXPORT_SYMBOL_GPL(xen_have_vector_callback);
33125 @@ -542,8 +540,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr)
33127 unsigned long va = dtr->address;
33128 unsigned int size = dtr->size + 1;
33129 - unsigned pages = (size + PAGE_SIZE - 1) / PAGE_SIZE;
33130 - unsigned long frames[pages];
33131 + unsigned long frames[65536 / PAGE_SIZE];
33135 @@ -591,8 +588,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
33137 unsigned long va = dtr->address;
33138 unsigned int size = dtr->size + 1;
33139 - unsigned pages = (size + PAGE_SIZE - 1) / PAGE_SIZE;
33140 - unsigned long frames[pages];
33141 + unsigned long frames[(GDT_SIZE + PAGE_SIZE - 1) / PAGE_SIZE];
33145 @@ -600,7 +596,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
33146 * 8-byte entries, or 16 4k pages..
33149 - BUG_ON(size > 65536);
33150 + BUG_ON(size > GDT_SIZE);
33151 BUG_ON(va & ~PAGE_MASK);
33153 for (f = 0; va < dtr->address + size; va += PAGE_SIZE, f++) {
33154 @@ -985,7 +981,7 @@ static u32 xen_safe_apic_wait_icr_idle(void)
33158 -static void set_xen_basic_apic_ops(void)
33159 +static void __init set_xen_basic_apic_ops(void)
33161 apic->read = xen_apic_read;
33162 apic->write = xen_apic_write;
33163 @@ -1290,30 +1286,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = {
33167 -static void xen_reboot(int reason)
33168 +static __noreturn void xen_reboot(int reason)
33170 struct sched_shutdown r = { .reason = reason };
33172 - if (HYPERVISOR_sched_op(SCHEDOP_shutdown, &r))
33174 + HYPERVISOR_sched_op(SCHEDOP_shutdown, &r);
33178 -static void xen_restart(char *msg)
33179 +static __noreturn void xen_restart(char *msg)
33181 xen_reboot(SHUTDOWN_reboot);
33184 -static void xen_emergency_restart(void)
33185 +static __noreturn void xen_emergency_restart(void)
33187 xen_reboot(SHUTDOWN_reboot);
33190 -static void xen_machine_halt(void)
33191 +static __noreturn void xen_machine_halt(void)
33193 xen_reboot(SHUTDOWN_poweroff);
33196 -static void xen_machine_power_off(void)
33197 +static __noreturn void xen_machine_power_off(void)
33201 @@ -1464,7 +1460,17 @@ asmlinkage void __init xen_start_kernel(void)
33202 __userpte_alloc_gfp &= ~__GFP_HIGHMEM;
33204 /* Work out if we support NX */
33205 - x86_configure_nx();
33206 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
33207 + if ((cpuid_eax(0x80000000) & 0xffff0000) == 0x80000000 &&
33208 + (cpuid_edx(0x80000001) & (1U << (X86_FEATURE_NX & 31)))) {
33211 + __supported_pte_mask |= _PAGE_NX;
33212 + rdmsr(MSR_EFER, l, h);
33214 + wrmsr(MSR_EFER, l, h);
33218 xen_setup_features();
33220 @@ -1495,13 +1501,6 @@ asmlinkage void __init xen_start_kernel(void)
33222 machine_ops = xen_machine_ops;
33225 - * The only reliable way to retain the initial address of the
33226 - * percpu gdt_page is to remember it here, so we can go and
33227 - * mark it RW later, when the initial percpu area is freed.
33229 - xen_initial_gdt = &per_cpu(gdt_page, 0);
33233 #ifdef CONFIG_ACPI_NUMA
33234 @@ -1700,7 +1699,7 @@ static int __cpuinit xen_hvm_cpu_notify(struct notifier_block *self,
33238 -static struct notifier_block xen_hvm_cpu_notifier __cpuinitdata = {
33239 +static struct notifier_block xen_hvm_cpu_notifier = {
33240 .notifier_call = xen_hvm_cpu_notify,
33243 diff --git a/arch/x86/xen/mmu.c b/arch/x86/xen/mmu.c
33244 index fdc3ba2..3daee39 100644
33245 --- a/arch/x86/xen/mmu.c
33246 +++ b/arch/x86/xen/mmu.c
33247 @@ -1894,6 +1894,9 @@ void __init xen_setup_kernel_pagetable(pgd_t *pgd, unsigned long max_pfn)
33248 /* L3_k[510] -> level2_kernel_pgt
33249 * L3_i[511] -> level2_fixmap_pgt */
33250 convert_pfn_mfn(level3_kernel_pgt);
33251 + convert_pfn_mfn(level3_vmalloc_start_pgt);
33252 + convert_pfn_mfn(level3_vmalloc_end_pgt);
33253 + convert_pfn_mfn(level3_vmemmap_pgt);
33255 /* We get [511][511] and have Xen's version of level2_kernel_pgt */
33256 l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd);
33257 @@ -1923,8 +1926,12 @@ void __init xen_setup_kernel_pagetable(pgd_t *pgd, unsigned long max_pfn)
33258 set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
33259 set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
33260 set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
33261 + set_page_prot(level3_vmalloc_start_pgt, PAGE_KERNEL_RO);
33262 + set_page_prot(level3_vmalloc_end_pgt, PAGE_KERNEL_RO);
33263 + set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
33264 set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
33265 set_page_prot(level2_ident_pgt, PAGE_KERNEL_RO);
33266 + set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
33267 set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
33268 set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
33270 @@ -2108,6 +2115,7 @@ static void __init xen_post_allocator_init(void)
33271 pv_mmu_ops.set_pud = xen_set_pud;
33272 #if PAGETABLE_LEVELS == 4
33273 pv_mmu_ops.set_pgd = xen_set_pgd;
33274 + pv_mmu_ops.set_pgd_batched = xen_set_pgd;
33277 /* This will work as long as patching hasn't happened yet
33278 @@ -2186,6 +2194,7 @@ static const struct pv_mmu_ops xen_mmu_ops __initconst = {
33279 .pud_val = PV_CALLEE_SAVE(xen_pud_val),
33280 .make_pud = PV_CALLEE_SAVE(xen_make_pud),
33281 .set_pgd = xen_set_pgd_hyper,
33282 + .set_pgd_batched = xen_set_pgd_hyper,
33284 .alloc_pud = xen_alloc_pmd_init,
33285 .release_pud = xen_release_pmd_init,
33286 diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c
33287 index d99cae8..18401e1 100644
33288 --- a/arch/x86/xen/smp.c
33289 +++ b/arch/x86/xen/smp.c
33290 @@ -240,11 +240,6 @@ static void __init xen_smp_prepare_boot_cpu(void)
33292 BUG_ON(smp_processor_id() != 0);
33293 native_smp_prepare_boot_cpu();
33295 - /* We've switched to the "real" per-cpu gdt, so make sure the
33296 - old memory can be recycled */
33297 - make_lowmem_page_readwrite(xen_initial_gdt);
33299 xen_filter_cpu_maps();
33300 xen_setup_vcpu_info_placement();
33302 @@ -314,7 +309,7 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle)
33303 ctxt->user_regs.ss = __KERNEL_DS;
33304 #ifdef CONFIG_X86_32
33305 ctxt->user_regs.fs = __KERNEL_PERCPU;
33306 - ctxt->user_regs.gs = __KERNEL_STACK_CANARY;
33307 + savesegment(gs, ctxt->user_regs.gs);
33309 ctxt->gs_base_kernel = per_cpu_offset(cpu);
33311 @@ -324,8 +319,8 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle)
33314 ctxt->user_regs.eflags = 0x1000; /* IOPL_RING1 */
33315 - ctxt->user_regs.ds = __USER_DS;
33316 - ctxt->user_regs.es = __USER_DS;
33317 + ctxt->user_regs.ds = __KERNEL_DS;
33318 + ctxt->user_regs.es = __KERNEL_DS;
33320 xen_copy_trap_info(ctxt->trap_ctxt);
33322 @@ -370,13 +365,12 @@ static int __cpuinit xen_cpu_up(unsigned int cpu, struct task_struct *idle)
33325 per_cpu(current_task, cpu) = idle;
33326 + per_cpu(current_tinfo, cpu) = &idle->tinfo;
33327 #ifdef CONFIG_X86_32
33330 clear_tsk_thread_flag(idle, TIF_FORK);
33331 - per_cpu(kernel_stack, cpu) =
33332 - (unsigned long)task_stack_page(idle) -
33333 - KERNEL_STACK_OFFSET + THREAD_SIZE;
33334 + per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(idle) - 16 + THREAD_SIZE;
33336 xen_setup_runstate_info(cpu);
33337 xen_setup_timer(cpu);
33338 @@ -651,7 +645,7 @@ static const struct smp_ops xen_smp_ops __initconst = {
33340 void __init xen_smp_init(void)
33342 - smp_ops = xen_smp_ops;
33343 + memcpy((void *)&smp_ops, &xen_smp_ops, sizeof smp_ops);
33344 xen_fill_possible_map();
33345 xen_init_spinlocks();
33347 diff --git a/arch/x86/xen/xen-asm_32.S b/arch/x86/xen/xen-asm_32.S
33348 index 33ca6e4..0ded929 100644
33349 --- a/arch/x86/xen/xen-asm_32.S
33350 +++ b/arch/x86/xen/xen-asm_32.S
33351 @@ -84,14 +84,14 @@ ENTRY(xen_iret)
33352 ESP_OFFSET=4 # bytes pushed onto stack
33355 - * Store vcpu_info pointer for easy access. Do it this way to
33356 - * avoid having to reload %fs
33357 + * Store vcpu_info pointer for easy access.
33360 - GET_THREAD_INFO(%eax)
33361 - movl %ss:TI_cpu(%eax), %eax
33362 - movl %ss:__per_cpu_offset(,%eax,4), %eax
33363 - mov %ss:xen_vcpu(%eax), %eax
33365 + mov $(__KERNEL_PERCPU), %eax
33367 + mov PER_CPU_VAR(xen_vcpu), %eax
33370 movl %ss:xen_vcpu, %eax
33372 diff --git a/arch/x86/xen/xen-head.S b/arch/x86/xen/xen-head.S
33373 index 7faed58..ba4427c 100644
33374 --- a/arch/x86/xen/xen-head.S
33375 +++ b/arch/x86/xen/xen-head.S
33376 @@ -19,6 +19,17 @@ ENTRY(startup_xen)
33377 #ifdef CONFIG_X86_32
33378 mov %esi,xen_start_info
33379 mov $init_thread_union+THREAD_SIZE,%esp
33381 + movl $cpu_gdt_table,%edi
33382 + movl $__per_cpu_load,%eax
33383 + movw %ax,__KERNEL_PERCPU + 2(%edi)
33385 + movb %al,__KERNEL_PERCPU + 4(%edi)
33386 + movb %ah,__KERNEL_PERCPU + 7(%edi)
33387 + movl $__per_cpu_end - 1,%eax
33388 + subl $__per_cpu_start,%eax
33389 + movw %ax,__KERNEL_PERCPU + 0(%edi)
33392 mov %rsi,xen_start_info
33393 mov $init_thread_union+THREAD_SIZE,%rsp
33394 diff --git a/arch/x86/xen/xen-ops.h b/arch/x86/xen/xen-ops.h
33395 index a95b417..b6dbd0b 100644
33396 --- a/arch/x86/xen/xen-ops.h
33397 +++ b/arch/x86/xen/xen-ops.h
33399 extern const char xen_hypervisor_callback[];
33400 extern const char xen_failsafe_callback[];
33402 -extern void *xen_initial_gdt;
33405 void xen_copy_trap_info(struct trap_info *traps);
33407 diff --git a/arch/xtensa/variants/dc232b/include/variant/core.h b/arch/xtensa/variants/dc232b/include/variant/core.h
33408 index 525bd3d..ef888b1 100644
33409 --- a/arch/xtensa/variants/dc232b/include/variant/core.h
33410 +++ b/arch/xtensa/variants/dc232b/include/variant/core.h
33411 @@ -119,9 +119,9 @@
33412 ----------------------------------------------------------------------*/
33414 #define XCHAL_ICACHE_LINESIZE 32 /* I-cache line size in bytes */
33415 -#define XCHAL_DCACHE_LINESIZE 32 /* D-cache line size in bytes */
33416 #define XCHAL_ICACHE_LINEWIDTH 5 /* log2(I line size in bytes) */
33417 #define XCHAL_DCACHE_LINEWIDTH 5 /* log2(D line size in bytes) */
33418 +#define XCHAL_DCACHE_LINESIZE (_AC(1,UL) << XCHAL_DCACHE_LINEWIDTH) /* D-cache line size in bytes */
33420 #define XCHAL_ICACHE_SIZE 16384 /* I-cache size in bytes or 0 */
33421 #define XCHAL_DCACHE_SIZE 16384 /* D-cache size in bytes or 0 */
33422 diff --git a/arch/xtensa/variants/fsf/include/variant/core.h b/arch/xtensa/variants/fsf/include/variant/core.h
33423 index 2f33760..835e50a 100644
33424 --- a/arch/xtensa/variants/fsf/include/variant/core.h
33425 +++ b/arch/xtensa/variants/fsf/include/variant/core.h
33427 #ifndef _XTENSA_CORE_H
33428 #define _XTENSA_CORE_H
33430 +#include <linux/const.h>
33432 /****************************************************************************
33433 Parameters Useful for Any Code, USER or PRIVILEGED
33434 @@ -112,9 +113,9 @@
33435 ----------------------------------------------------------------------*/
33437 #define XCHAL_ICACHE_LINESIZE 16 /* I-cache line size in bytes */
33438 -#define XCHAL_DCACHE_LINESIZE 16 /* D-cache line size in bytes */
33439 #define XCHAL_ICACHE_LINEWIDTH 4 /* log2(I line size in bytes) */
33440 #define XCHAL_DCACHE_LINEWIDTH 4 /* log2(D line size in bytes) */
33441 +#define XCHAL_DCACHE_LINESIZE (_AC(1,UL) << XCHAL_DCACHE_LINEWIDTH) /* D-cache line size in bytes */
33443 #define XCHAL_ICACHE_SIZE 8192 /* I-cache size in bytes or 0 */
33444 #define XCHAL_DCACHE_SIZE 8192 /* D-cache size in bytes or 0 */
33445 diff --git a/arch/xtensa/variants/s6000/include/variant/core.h b/arch/xtensa/variants/s6000/include/variant/core.h
33446 index af00795..2bb8105 100644
33447 --- a/arch/xtensa/variants/s6000/include/variant/core.h
33448 +++ b/arch/xtensa/variants/s6000/include/variant/core.h
33450 #ifndef _XTENSA_CORE_CONFIGURATION_H
33451 #define _XTENSA_CORE_CONFIGURATION_H
33453 +#include <linux/const.h>
33455 /****************************************************************************
33456 Parameters Useful for Any Code, USER or PRIVILEGED
33457 @@ -118,9 +119,9 @@
33458 ----------------------------------------------------------------------*/
33460 #define XCHAL_ICACHE_LINESIZE 16 /* I-cache line size in bytes */
33461 -#define XCHAL_DCACHE_LINESIZE 16 /* D-cache line size in bytes */
33462 #define XCHAL_ICACHE_LINEWIDTH 4 /* log2(I line size in bytes) */
33463 #define XCHAL_DCACHE_LINEWIDTH 4 /* log2(D line size in bytes) */
33464 +#define XCHAL_DCACHE_LINESIZE (_AC(1,UL) << XCHAL_DCACHE_LINEWIDTH) /* D-cache line size in bytes */
33466 #define XCHAL_ICACHE_SIZE 32768 /* I-cache size in bytes or 0 */
33467 #define XCHAL_DCACHE_SIZE 32768 /* D-cache size in bytes or 0 */
33468 diff --git a/block/blk-iopoll.c b/block/blk-iopoll.c
33469 index 58916af..eb9dbcf6 100644
33470 --- a/block/blk-iopoll.c
33471 +++ b/block/blk-iopoll.c
33472 @@ -77,7 +77,7 @@ void blk_iopoll_complete(struct blk_iopoll *iopoll)
33474 EXPORT_SYMBOL(blk_iopoll_complete);
33476 -static void blk_iopoll_softirq(struct softirq_action *h)
33477 +static void blk_iopoll_softirq(void)
33479 struct list_head *list = &__get_cpu_var(blk_cpu_iopoll);
33480 int rearm = 0, budget = blk_iopoll_budget;
33481 @@ -209,7 +209,7 @@ static int __cpuinit blk_iopoll_cpu_notify(struct notifier_block *self,
33485 -static struct notifier_block __cpuinitdata blk_iopoll_cpu_notifier = {
33486 +static struct notifier_block blk_iopoll_cpu_notifier = {
33487 .notifier_call = blk_iopoll_cpu_notify,
33490 diff --git a/block/blk-map.c b/block/blk-map.c
33491 index 623e1cd..ca1e109 100644
33492 --- a/block/blk-map.c
33493 +++ b/block/blk-map.c
33494 @@ -302,7 +302,7 @@ int blk_rq_map_kern(struct request_queue *q, struct request *rq, void *kbuf,
33498 - do_copy = !blk_rq_aligned(q, addr, len) || object_is_on_stack(kbuf);
33499 + do_copy = !blk_rq_aligned(q, addr, len) || object_starts_on_stack(kbuf);
33501 bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
33503 diff --git a/block/blk-softirq.c b/block/blk-softirq.c
33504 index 467c8de..f3628c5 100644
33505 --- a/block/blk-softirq.c
33506 +++ b/block/blk-softirq.c
33507 @@ -18,7 +18,7 @@ static DEFINE_PER_CPU(struct list_head, blk_cpu_done);
33508 * Softirq action handler - move entries to local list and loop over them
33509 * while passing them to the queue registered handler.
33511 -static void blk_done_softirq(struct softirq_action *h)
33512 +static void blk_done_softirq(void)
33514 struct list_head *cpu_list, local_list;
33516 @@ -98,7 +98,7 @@ static int __cpuinit blk_cpu_notify(struct notifier_block *self,
33520 -static struct notifier_block __cpuinitdata blk_cpu_notifier = {
33521 +static struct notifier_block blk_cpu_notifier = {
33522 .notifier_call = blk_cpu_notify,
33525 diff --git a/block/bsg.c b/block/bsg.c
33526 index 420a5a9..23834aa 100644
33529 @@ -176,16 +176,24 @@ static int blk_fill_sgv4_hdr_rq(struct request_queue *q, struct request *rq,
33530 struct sg_io_v4 *hdr, struct bsg_device *bd,
33531 fmode_t has_write_perm)
33533 + unsigned char tmpcmd[sizeof(rq->__cmd)];
33534 + unsigned char *cmdptr;
33536 if (hdr->request_len > BLK_MAX_CDB) {
33537 rq->cmd = kzalloc(hdr->request_len, GFP_KERNEL);
33541 + cmdptr = rq->cmd;
33545 - if (copy_from_user(rq->cmd, (void __user *)(unsigned long)hdr->request,
33546 + if (copy_from_user(cmdptr, (void __user *)(unsigned long)hdr->request,
33550 + if (cmdptr != rq->cmd)
33551 + memcpy(rq->cmd, cmdptr, hdr->request_len);
33553 if (hdr->subprotocol == BSG_SUB_PROTOCOL_SCSI_CMD) {
33554 if (blk_verify_command(rq->cmd, has_write_perm))
33556 diff --git a/block/compat_ioctl.c b/block/compat_ioctl.c
33557 index 7c668c8..db3521c 100644
33558 --- a/block/compat_ioctl.c
33559 +++ b/block/compat_ioctl.c
33560 @@ -340,7 +340,7 @@ static int compat_fd_ioctl(struct block_device *bdev, fmode_t mode,
33561 err |= __get_user(f->spec1, &uf->spec1);
33562 err |= __get_user(f->fmt_gap, &uf->fmt_gap);
33563 err |= __get_user(name, &uf->name);
33564 - f->name = compat_ptr(name);
33565 + f->name = (void __force_kernel *)compat_ptr(name);
33569 diff --git a/block/genhd.c b/block/genhd.c
33570 index cdeb527..10aa34db 100644
33571 --- a/block/genhd.c
33572 +++ b/block/genhd.c
33573 @@ -467,21 +467,24 @@ static char *bdevt_str(dev_t devt, char *buf)
33576 * Register device numbers dev..(dev+range-1)
33577 - * range must be nonzero
33578 + * Noop if @range is zero.
33579 * The hash chain is sorted on range, so that subranges can override.
33581 void blk_register_region(dev_t devt, unsigned long range, struct module *module,
33582 struct kobject *(*probe)(dev_t, int *, void *),
33583 int (*lock)(dev_t, void *), void *data)
33585 - kobj_map(bdev_map, devt, range, module, probe, lock, data);
33587 + kobj_map(bdev_map, devt, range, module, probe, lock, data);
33590 EXPORT_SYMBOL(blk_register_region);
33592 +/* undo blk_register_region(), noop if @range is zero */
33593 void blk_unregister_region(dev_t devt, unsigned long range)
33595 - kobj_unmap(bdev_map, devt, range);
33597 + kobj_unmap(bdev_map, devt, range);
33600 EXPORT_SYMBOL(blk_unregister_region);
33601 diff --git a/block/partitions/efi.c b/block/partitions/efi.c
33602 index c85fc89..51e690b 100644
33603 --- a/block/partitions/efi.c
33604 +++ b/block/partitions/efi.c
33605 @@ -234,14 +234,14 @@ static gpt_entry *alloc_read_gpt_entries(struct parsed_partitions *state,
33609 + if (!le32_to_cpu(gpt->num_partition_entries))
33611 + pte = kcalloc(le32_to_cpu(gpt->num_partition_entries), le32_to_cpu(gpt->sizeof_partition_entry), GFP_KERNEL);
33615 count = le32_to_cpu(gpt->num_partition_entries) *
33616 le32_to_cpu(gpt->sizeof_partition_entry);
33619 - pte = kmalloc(count, GFP_KERNEL);
33623 if (read_lba(state, le64_to_cpu(gpt->partition_entry_lba),
33626 diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
33627 index a5ffcc9..3cedc9c 100644
33628 --- a/block/scsi_ioctl.c
33629 +++ b/block/scsi_ioctl.c
33630 @@ -224,8 +224,20 @@ EXPORT_SYMBOL(blk_verify_command);
33631 static int blk_fill_sghdr_rq(struct request_queue *q, struct request *rq,
33632 struct sg_io_hdr *hdr, fmode_t mode)
33634 - if (copy_from_user(rq->cmd, hdr->cmdp, hdr->cmd_len))
33635 + unsigned char tmpcmd[sizeof(rq->__cmd)];
33636 + unsigned char *cmdptr;
33638 + if (rq->cmd != rq->__cmd)
33639 + cmdptr = rq->cmd;
33643 + if (copy_from_user(cmdptr, hdr->cmdp, hdr->cmd_len))
33646 + if (cmdptr != rq->cmd)
33647 + memcpy(rq->cmd, cmdptr, hdr->cmd_len);
33649 if (blk_verify_command(rq->cmd, mode & FMODE_WRITE))
33652 @@ -434,6 +446,8 @@ int sg_scsi_ioctl(struct request_queue *q, struct gendisk *disk, fmode_t mode,
33654 unsigned int in_len, out_len, bytes, opcode, cmdlen;
33655 char *buffer = NULL, sense[SCSI_SENSE_BUFFERSIZE];
33656 + unsigned char tmpcmd[sizeof(rq->__cmd)];
33657 + unsigned char *cmdptr;
33661 @@ -467,9 +481,18 @@ int sg_scsi_ioctl(struct request_queue *q, struct gendisk *disk, fmode_t mode,
33664 rq->cmd_len = cmdlen;
33665 - if (copy_from_user(rq->cmd, sic->data, cmdlen))
33667 + if (rq->cmd != rq->__cmd)
33668 + cmdptr = rq->cmd;
33672 + if (copy_from_user(cmdptr, sic->data, cmdlen))
33675 + if (rq->cmd != cmdptr)
33676 + memcpy(rq->cmd, cmdptr, cmdlen);
33678 if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len))
33681 diff --git a/crypto/cryptd.c b/crypto/cryptd.c
33682 index 7bdd61b..afec999 100644
33683 --- a/crypto/cryptd.c
33684 +++ b/crypto/cryptd.c
33685 @@ -63,7 +63,7 @@ struct cryptd_blkcipher_ctx {
33687 struct cryptd_blkcipher_request_ctx {
33688 crypto_completion_t complete;
33692 struct cryptd_hash_ctx {
33693 struct crypto_shash *child;
33694 @@ -80,7 +80,7 @@ struct cryptd_aead_ctx {
33696 struct cryptd_aead_request_ctx {
33697 crypto_completion_t complete;
33701 static void cryptd_queue_worker(struct work_struct *work);
33703 diff --git a/crypto/pcrypt.c b/crypto/pcrypt.c
33704 index b2c99dc..476c9fb 100644
33705 --- a/crypto/pcrypt.c
33706 +++ b/crypto/pcrypt.c
33707 @@ -440,7 +440,7 @@ static int pcrypt_sysfs_add(struct padata_instance *pinst, const char *name)
33710 pinst->kobj.kset = pcrypt_kset;
33711 - ret = kobject_add(&pinst->kobj, NULL, name);
33712 + ret = kobject_add(&pinst->kobj, NULL, "%s", name);
33714 kobject_uevent(&pinst->kobj, KOBJ_ADD);
33716 @@ -455,8 +455,8 @@ static int pcrypt_init_padata(struct padata_pcrypt *pcrypt,
33720 - pcrypt->wq = alloc_workqueue(name,
33721 - WQ_MEM_RECLAIM | WQ_CPU_INTENSIVE, 1);
33722 + pcrypt->wq = alloc_workqueue("%s",
33723 + WQ_MEM_RECLAIM | WQ_CPU_INTENSIVE, 1, name);
33727 diff --git a/drivers/acpi/apei/apei-internal.h b/drivers/acpi/apei/apei-internal.h
33728 index f220d64..d359ad6 100644
33729 --- a/drivers/acpi/apei/apei-internal.h
33730 +++ b/drivers/acpi/apei/apei-internal.h
33731 @@ -20,7 +20,7 @@ typedef int (*apei_exec_ins_func_t)(struct apei_exec_context *ctx,
33732 struct apei_exec_ins_type {
33734 apei_exec_ins_func_t run;
33738 struct apei_exec_context {
33740 diff --git a/drivers/acpi/apei/cper.c b/drivers/acpi/apei/cper.c
33741 index 33dc6a0..4b24b47 100644
33742 --- a/drivers/acpi/apei/cper.c
33743 +++ b/drivers/acpi/apei/cper.c
33744 @@ -39,12 +39,12 @@
33746 u64 cper_next_record_id(void)
33748 - static atomic64_t seq;
33749 + static atomic64_unchecked_t seq;
33751 - if (!atomic64_read(&seq))
33752 - atomic64_set(&seq, ((u64)get_seconds()) << 32);
33753 + if (!atomic64_read_unchecked(&seq))
33754 + atomic64_set_unchecked(&seq, ((u64)get_seconds()) << 32);
33756 - return atomic64_inc_return(&seq);
33757 + return atomic64_inc_return_unchecked(&seq);
33759 EXPORT_SYMBOL_GPL(cper_next_record_id);
33761 diff --git a/drivers/acpi/bgrt.c b/drivers/acpi/bgrt.c
33762 index be60399..778b33e8 100644
33763 --- a/drivers/acpi/bgrt.c
33764 +++ b/drivers/acpi/bgrt.c
33765 @@ -87,8 +87,10 @@ static int __init bgrt_init(void)
33768 sysfs_bin_attr_init(&image_attr);
33769 - image_attr.private = bgrt_image;
33770 - image_attr.size = bgrt_image_size;
33771 + pax_open_kernel();
33772 + *(void **)&image_attr.private = bgrt_image;
33773 + *(size_t *)&image_attr.size = bgrt_image_size;
33774 + pax_close_kernel();
33776 bgrt_kobj = kobject_create_and_add("bgrt", acpi_kobj);
33778 diff --git a/drivers/acpi/blacklist.c b/drivers/acpi/blacklist.c
33779 index cb96296..b81293b 100644
33780 --- a/drivers/acpi/blacklist.c
33781 +++ b/drivers/acpi/blacklist.c
33782 @@ -52,7 +52,7 @@ struct acpi_blacklist_item {
33783 u32 is_critical_error;
33786 -static struct dmi_system_id acpi_osi_dmi_table[] __initdata;
33787 +static const struct dmi_system_id acpi_osi_dmi_table[] __initconst;
33790 * POLICY: If *anything* doesn't work, put it on the blacklist.
33791 @@ -193,7 +193,7 @@ static int __init dmi_disable_osi_win7(const struct dmi_system_id *d)
33795 -static struct dmi_system_id acpi_osi_dmi_table[] __initdata = {
33796 +static const struct dmi_system_id acpi_osi_dmi_table[] __initconst = {
33798 .callback = dmi_disable_osi_vista,
33799 .ident = "Fujitsu Siemens",
33800 diff --git a/drivers/acpi/ec_sys.c b/drivers/acpi/ec_sys.c
33801 index 7586544..636a2f0 100644
33802 --- a/drivers/acpi/ec_sys.c
33803 +++ b/drivers/acpi/ec_sys.c
33805 #include <linux/acpi.h>
33806 #include <linux/debugfs.h>
33807 #include <linux/module.h>
33808 +#include <linux/uaccess.h>
33809 #include "internal.h"
33811 MODULE_AUTHOR("Thomas Renninger <trenn@suse.de>");
33812 @@ -34,7 +35,7 @@ static ssize_t acpi_ec_read_io(struct file *f, char __user *buf,
33813 * struct acpi_ec *ec = ((struct seq_file *)f->private_data)->private;
33815 unsigned int size = EC_SPACE_SIZE;
33816 - u8 *data = (u8 *) buf;
33818 loff_t init_off = *off;
33821 @@ -47,9 +48,11 @@ static ssize_t acpi_ec_read_io(struct file *f, char __user *buf,
33825 - err = ec_read(*off, &data[*off - init_off]);
33826 + err = ec_read(*off, &data);
33829 + if (put_user(data, &buf[*off - init_off]))
33834 @@ -65,7 +68,6 @@ static ssize_t acpi_ec_write_io(struct file *f, const char __user *buf,
33836 unsigned int size = count;
33837 loff_t init_off = *off;
33838 - u8 *data = (u8 *) buf;
33841 if (*off >= EC_SPACE_SIZE)
33842 @@ -76,7 +78,9 @@ static ssize_t acpi_ec_write_io(struct file *f, const char __user *buf,
33846 - u8 byte_write = data[*off - init_off];
33848 + if (get_user(byte_write, &buf[*off - init_off]))
33850 err = ec_write(*off, byte_write);
33853 diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c
33854 index eb133c7..f571552 100644
33855 --- a/drivers/acpi/processor_idle.c
33856 +++ b/drivers/acpi/processor_idle.c
33857 @@ -994,7 +994,7 @@ static int acpi_processor_setup_cpuidle_states(struct acpi_processor *pr)
33859 int i, count = CPUIDLE_DRIVER_STATE_START;
33860 struct acpi_processor_cx *cx;
33861 - struct cpuidle_state *state;
33862 + cpuidle_state_no_const *state;
33863 struct cpuidle_driver *drv = &acpi_idle_driver;
33865 if (!pr->flags.power_setup_done)
33866 diff --git a/drivers/acpi/sysfs.c b/drivers/acpi/sysfs.c
33867 index fcae5fa..e9f71ea 100644
33868 --- a/drivers/acpi/sysfs.c
33869 +++ b/drivers/acpi/sysfs.c
33870 @@ -423,11 +423,11 @@ static u32 num_counters;
33871 static struct attribute **all_attrs;
33872 static u32 acpi_gpe_count;
33874 -static struct attribute_group interrupt_stats_attr_group = {
33875 +static attribute_group_no_const interrupt_stats_attr_group = {
33876 .name = "interrupts",
33879 -static struct kobj_attribute *counter_attrs;
33880 +static kobj_attribute_no_const *counter_attrs;
33882 static void delete_gpe_attr_array(void)
33884 diff --git a/drivers/ata/libahci.c b/drivers/ata/libahci.c
33885 index 7b9bdd8..37638ca 100644
33886 --- a/drivers/ata/libahci.c
33887 +++ b/drivers/ata/libahci.c
33888 @@ -1230,7 +1230,7 @@ int ahci_kick_engine(struct ata_port *ap)
33890 EXPORT_SYMBOL_GPL(ahci_kick_engine);
33892 -static int ahci_exec_polled_cmd(struct ata_port *ap, int pmp,
33893 +static int __intentional_overflow(-1) ahci_exec_polled_cmd(struct ata_port *ap, int pmp,
33894 struct ata_taskfile *tf, int is_cmd, u16 flags,
33895 unsigned long timeout_msec)
33897 diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
33898 index adf002a..39bb8f9 100644
33899 --- a/drivers/ata/libata-core.c
33900 +++ b/drivers/ata/libata-core.c
33901 @@ -4792,7 +4792,7 @@ void ata_qc_free(struct ata_queued_cmd *qc)
33902 struct ata_port *ap;
33905 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
33906 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
33910 @@ -4808,7 +4808,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc)
33911 struct ata_port *ap;
33912 struct ata_link *link;
33914 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
33915 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
33916 WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
33918 link = qc->dev->link;
33919 @@ -5926,6 +5926,7 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
33923 + pax_open_kernel();
33925 for (cur = ops->inherits; cur; cur = cur->inherits) {
33926 void **inherit = (void **)cur;
33927 @@ -5939,8 +5940,9 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
33931 - ops->inherits = NULL;
33932 + *(struct ata_port_operations **)&ops->inherits = NULL;
33934 + pax_close_kernel();
33935 spin_unlock(&lock);
33938 diff --git a/drivers/ata/pata_arasan_cf.c b/drivers/ata/pata_arasan_cf.c
33939 index 7638121..357a965 100644
33940 --- a/drivers/ata/pata_arasan_cf.c
33941 +++ b/drivers/ata/pata_arasan_cf.c
33942 @@ -865,7 +865,9 @@ static int arasan_cf_probe(struct platform_device *pdev)
33943 /* Handle platform specific quirks */
33945 if (quirk & CF_BROKEN_PIO) {
33946 - ap->ops->set_piomode = NULL;
33947 + pax_open_kernel();
33948 + *(void **)&ap->ops->set_piomode = NULL;
33949 + pax_close_kernel();
33952 if (quirk & CF_BROKEN_MWDMA)
33953 diff --git a/drivers/atm/adummy.c b/drivers/atm/adummy.c
33954 index f9b983a..887b9d8 100644
33955 --- a/drivers/atm/adummy.c
33956 +++ b/drivers/atm/adummy.c
33957 @@ -114,7 +114,7 @@ adummy_send(struct atm_vcc *vcc, struct sk_buff *skb)
33958 vcc->pop(vcc, skb);
33960 dev_kfree_skb_any(skb);
33961 - atomic_inc(&vcc->stats->tx);
33962 + atomic_inc_unchecked(&vcc->stats->tx);
33966 diff --git a/drivers/atm/ambassador.c b/drivers/atm/ambassador.c
33967 index 77a7480d..05cde58 100644
33968 --- a/drivers/atm/ambassador.c
33969 +++ b/drivers/atm/ambassador.c
33970 @@ -454,7 +454,7 @@ static void tx_complete (amb_dev * dev, tx_out * tx) {
33971 PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx);
33974 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
33975 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
33977 // free the descriptor
33979 @@ -495,7 +495,7 @@ static void rx_complete (amb_dev * dev, rx_out * rx) {
33980 dump_skb ("<<<", vc, skb);
33983 - atomic_inc(&atm_vcc->stats->rx);
33984 + atomic_inc_unchecked(&atm_vcc->stats->rx);
33985 __net_timestamp(skb);
33986 // end of our responsibility
33987 atm_vcc->push (atm_vcc, skb);
33988 @@ -510,7 +510,7 @@ static void rx_complete (amb_dev * dev, rx_out * rx) {
33990 PRINTK (KERN_INFO, "dropped over-size frame");
33991 // should we count this?
33992 - atomic_inc(&atm_vcc->stats->rx_drop);
33993 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
33997 @@ -1338,7 +1338,7 @@ static int amb_send (struct atm_vcc * atm_vcc, struct sk_buff * skb) {
34000 if (check_area (skb->data, skb->len)) {
34001 - atomic_inc(&atm_vcc->stats->tx_err);
34002 + atomic_inc_unchecked(&atm_vcc->stats->tx_err);
34003 return -ENOMEM; // ?
34006 diff --git a/drivers/atm/atmtcp.c b/drivers/atm/atmtcp.c
34007 index 0e3f8f9..765a7a5 100644
34008 --- a/drivers/atm/atmtcp.c
34009 +++ b/drivers/atm/atmtcp.c
34010 @@ -206,7 +206,7 @@ static int atmtcp_v_send(struct atm_vcc *vcc,struct sk_buff *skb)
34011 if (vcc->pop) vcc->pop(vcc,skb);
34012 else dev_kfree_skb(skb);
34013 if (dev_data) return 0;
34014 - atomic_inc(&vcc->stats->tx_err);
34015 + atomic_inc_unchecked(&vcc->stats->tx_err);
34018 size = skb->len+sizeof(struct atmtcp_hdr);
34019 @@ -214,7 +214,7 @@ static int atmtcp_v_send(struct atm_vcc *vcc,struct sk_buff *skb)
34021 if (vcc->pop) vcc->pop(vcc,skb);
34022 else dev_kfree_skb(skb);
34023 - atomic_inc(&vcc->stats->tx_err);
34024 + atomic_inc_unchecked(&vcc->stats->tx_err);
34027 hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr));
34028 @@ -225,8 +225,8 @@ static int atmtcp_v_send(struct atm_vcc *vcc,struct sk_buff *skb)
34029 if (vcc->pop) vcc->pop(vcc,skb);
34030 else dev_kfree_skb(skb);
34031 out_vcc->push(out_vcc,new_skb);
34032 - atomic_inc(&vcc->stats->tx);
34033 - atomic_inc(&out_vcc->stats->rx);
34034 + atomic_inc_unchecked(&vcc->stats->tx);
34035 + atomic_inc_unchecked(&out_vcc->stats->rx);
34039 @@ -299,7 +299,7 @@ static int atmtcp_c_send(struct atm_vcc *vcc,struct sk_buff *skb)
34040 out_vcc = find_vcc(dev, ntohs(hdr->vpi), ntohs(hdr->vci));
34041 read_unlock(&vcc_sklist_lock);
34043 - atomic_inc(&vcc->stats->tx_err);
34044 + atomic_inc_unchecked(&vcc->stats->tx_err);
34047 skb_pull(skb,sizeof(struct atmtcp_hdr));
34048 @@ -311,8 +311,8 @@ static int atmtcp_c_send(struct atm_vcc *vcc,struct sk_buff *skb)
34049 __net_timestamp(new_skb);
34050 skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len);
34051 out_vcc->push(out_vcc,new_skb);
34052 - atomic_inc(&vcc->stats->tx);
34053 - atomic_inc(&out_vcc->stats->rx);
34054 + atomic_inc_unchecked(&vcc->stats->tx);
34055 + atomic_inc_unchecked(&out_vcc->stats->rx);
34057 if (vcc->pop) vcc->pop(vcc,skb);
34058 else dev_kfree_skb(skb);
34059 diff --git a/drivers/atm/eni.c b/drivers/atm/eni.c
34060 index b1955ba..b179940 100644
34061 --- a/drivers/atm/eni.c
34062 +++ b/drivers/atm/eni.c
34063 @@ -522,7 +522,7 @@ static int rx_aal0(struct atm_vcc *vcc)
34064 DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n",
34067 - atomic_inc(&vcc->stats->rx_err);
34068 + atomic_inc_unchecked(&vcc->stats->rx_err);
34071 length = ATM_CELL_SIZE-1; /* no HEC */
34072 @@ -577,7 +577,7 @@ static int rx_aal5(struct atm_vcc *vcc)
34076 - atomic_inc(&vcc->stats->rx_err);
34077 + atomic_inc_unchecked(&vcc->stats->rx_err);
34080 size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2);
34081 @@ -594,7 +594,7 @@ static int rx_aal5(struct atm_vcc *vcc)
34082 "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n",
34083 vcc->dev->number,vcc->vci,length,size << 2,descr);
34085 - atomic_inc(&vcc->stats->rx_err);
34086 + atomic_inc_unchecked(&vcc->stats->rx_err);
34089 skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL;
34090 @@ -767,7 +767,7 @@ rx_dequeued++;
34091 vcc->push(vcc,skb);
34094 - atomic_inc(&vcc->stats->rx);
34095 + atomic_inc_unchecked(&vcc->stats->rx);
34097 wake_up(&eni_dev->rx_wait);
34099 @@ -1227,7 +1227,7 @@ static void dequeue_tx(struct atm_dev *dev)
34101 if (vcc->pop) vcc->pop(vcc,skb);
34102 else dev_kfree_skb_irq(skb);
34103 - atomic_inc(&vcc->stats->tx);
34104 + atomic_inc_unchecked(&vcc->stats->tx);
34105 wake_up(&eni_dev->tx_wait);
34108 diff --git a/drivers/atm/firestream.c b/drivers/atm/firestream.c
34109 index b41c948..a002b17 100644
34110 --- a/drivers/atm/firestream.c
34111 +++ b/drivers/atm/firestream.c
34112 @@ -749,7 +749,7 @@ static void process_txdone_queue (struct fs_dev *dev, struct queue *q)
34116 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
34117 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
34119 fs_dprintk (FS_DEBUG_TXMEM, "i");
34120 fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb);
34121 @@ -816,7 +816,7 @@ static void process_incoming (struct fs_dev *dev, struct queue *q)
34123 skb_put (skb, qe->p1 & 0xffff);
34124 ATM_SKB(skb)->vcc = atm_vcc;
34125 - atomic_inc(&atm_vcc->stats->rx);
34126 + atomic_inc_unchecked(&atm_vcc->stats->rx);
34127 __net_timestamp(skb);
34128 fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb);
34129 atm_vcc->push (atm_vcc, skb);
34130 @@ -837,12 +837,12 @@ static void process_incoming (struct fs_dev *dev, struct queue *q)
34134 - atomic_inc(&atm_vcc->stats->rx_drop);
34135 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
34137 case 0x1f: /* Reassembly abort: no buffers. */
34138 /* Silently increment error counter. */
34140 - atomic_inc(&atm_vcc->stats->rx_drop);
34141 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
34143 default: /* Hmm. Haven't written the code to handle the others yet... -- REW */
34144 printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n",
34145 diff --git a/drivers/atm/fore200e.c b/drivers/atm/fore200e.c
34146 index 204814e..cede831 100644
34147 --- a/drivers/atm/fore200e.c
34148 +++ b/drivers/atm/fore200e.c
34149 @@ -931,9 +931,9 @@ fore200e_tx_irq(struct fore200e* fore200e)
34151 /* check error condition */
34152 if (*entry->status & STATUS_ERROR)
34153 - atomic_inc(&vcc->stats->tx_err);
34154 + atomic_inc_unchecked(&vcc->stats->tx_err);
34156 - atomic_inc(&vcc->stats->tx);
34157 + atomic_inc_unchecked(&vcc->stats->tx);
34161 @@ -1082,7 +1082,7 @@ fore200e_push_rpd(struct fore200e* fore200e, struct atm_vcc* vcc, struct rpd* rp
34163 DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len);
34165 - atomic_inc(&vcc->stats->rx_drop);
34166 + atomic_inc_unchecked(&vcc->stats->rx_drop);
34170 @@ -1125,14 +1125,14 @@ fore200e_push_rpd(struct fore200e* fore200e, struct atm_vcc* vcc, struct rpd* rp
34172 dev_kfree_skb_any(skb);
34174 - atomic_inc(&vcc->stats->rx_drop);
34175 + atomic_inc_unchecked(&vcc->stats->rx_drop);
34179 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
34181 vcc->push(vcc, skb);
34182 - atomic_inc(&vcc->stats->rx);
34183 + atomic_inc_unchecked(&vcc->stats->rx);
34185 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
34187 @@ -1210,7 +1210,7 @@ fore200e_rx_irq(struct fore200e* fore200e)
34188 DPRINTK(2, "damaged PDU on %d.%d.%d\n",
34189 fore200e->atm_dev->number,
34190 entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci);
34191 - atomic_inc(&vcc->stats->rx_err);
34192 + atomic_inc_unchecked(&vcc->stats->rx_err);
34196 @@ -1655,7 +1655,7 @@ fore200e_send(struct atm_vcc *vcc, struct sk_buff *skb)
34200 - atomic_inc(&vcc->stats->tx_err);
34201 + atomic_inc_unchecked(&vcc->stats->tx_err);
34203 fore200e->tx_sat++;
34204 DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n",
34205 diff --git a/drivers/atm/he.c b/drivers/atm/he.c
34206 index 507362a..a845e57 100644
34207 --- a/drivers/atm/he.c
34208 +++ b/drivers/atm/he.c
34209 @@ -1698,7 +1698,7 @@ he_service_rbrq(struct he_dev *he_dev, int group)
34211 if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) {
34212 hprintk("HBUF_ERR! (cid 0x%x)\n", cid);
34213 - atomic_inc(&vcc->stats->rx_drop);
34214 + atomic_inc_unchecked(&vcc->stats->rx_drop);
34215 goto return_host_buffers;
34218 @@ -1725,7 +1725,7 @@ he_service_rbrq(struct he_dev *he_dev, int group)
34219 RBRQ_LEN_ERR(he_dev->rbrq_head)
34221 vcc->vpi, vcc->vci);
34222 - atomic_inc(&vcc->stats->rx_err);
34223 + atomic_inc_unchecked(&vcc->stats->rx_err);
34224 goto return_host_buffers;
34227 @@ -1777,7 +1777,7 @@ he_service_rbrq(struct he_dev *he_dev, int group)
34228 vcc->push(vcc, skb);
34229 spin_lock(&he_dev->global_lock);
34231 - atomic_inc(&vcc->stats->rx);
34232 + atomic_inc_unchecked(&vcc->stats->rx);
34234 return_host_buffers:
34236 @@ -2103,7 +2103,7 @@ __enqueue_tpd(struct he_dev *he_dev, struct he_tpd *tpd, unsigned cid)
34237 tpd->vcc->pop(tpd->vcc, tpd->skb);
34239 dev_kfree_skb_any(tpd->skb);
34240 - atomic_inc(&tpd->vcc->stats->tx_err);
34241 + atomic_inc_unchecked(&tpd->vcc->stats->tx_err);
34243 pci_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status));
34245 @@ -2515,7 +2515,7 @@ he_send(struct atm_vcc *vcc, struct sk_buff *skb)
34246 vcc->pop(vcc, skb);
34248 dev_kfree_skb_any(skb);
34249 - atomic_inc(&vcc->stats->tx_err);
34250 + atomic_inc_unchecked(&vcc->stats->tx_err);
34254 @@ -2526,7 +2526,7 @@ he_send(struct atm_vcc *vcc, struct sk_buff *skb)
34255 vcc->pop(vcc, skb);
34257 dev_kfree_skb_any(skb);
34258 - atomic_inc(&vcc->stats->tx_err);
34259 + atomic_inc_unchecked(&vcc->stats->tx_err);
34263 @@ -2538,7 +2538,7 @@ he_send(struct atm_vcc *vcc, struct sk_buff *skb)
34264 vcc->pop(vcc, skb);
34266 dev_kfree_skb_any(skb);
34267 - atomic_inc(&vcc->stats->tx_err);
34268 + atomic_inc_unchecked(&vcc->stats->tx_err);
34269 spin_unlock_irqrestore(&he_dev->global_lock, flags);
34272 @@ -2580,7 +2580,7 @@ he_send(struct atm_vcc *vcc, struct sk_buff *skb)
34273 vcc->pop(vcc, skb);
34275 dev_kfree_skb_any(skb);
34276 - atomic_inc(&vcc->stats->tx_err);
34277 + atomic_inc_unchecked(&vcc->stats->tx_err);
34278 spin_unlock_irqrestore(&he_dev->global_lock, flags);
34281 @@ -2611,7 +2611,7 @@ he_send(struct atm_vcc *vcc, struct sk_buff *skb)
34282 __enqueue_tpd(he_dev, tpd, cid);
34283 spin_unlock_irqrestore(&he_dev->global_lock, flags);
34285 - atomic_inc(&vcc->stats->tx);
34286 + atomic_inc_unchecked(&vcc->stats->tx);
34290 diff --git a/drivers/atm/horizon.c b/drivers/atm/horizon.c
34291 index 1dc0519..1aadaf7 100644
34292 --- a/drivers/atm/horizon.c
34293 +++ b/drivers/atm/horizon.c
34294 @@ -1034,7 +1034,7 @@ static void rx_schedule (hrz_dev * dev, int irq) {
34296 struct atm_vcc * vcc = ATM_SKB(skb)->vcc;
34298 - atomic_inc(&vcc->stats->rx);
34299 + atomic_inc_unchecked(&vcc->stats->rx);
34300 __net_timestamp(skb);
34301 // end of our responsibility
34302 vcc->push (vcc, skb);
34303 @@ -1186,7 +1186,7 @@ static void tx_schedule (hrz_dev * const dev, int irq) {
34304 dev->tx_iovec = NULL;
34307 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
34308 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
34311 hrz_kfree_skb (skb);
34312 diff --git a/drivers/atm/idt77252.c b/drivers/atm/idt77252.c
34313 index 272f009..a18ba55 100644
34314 --- a/drivers/atm/idt77252.c
34315 +++ b/drivers/atm/idt77252.c
34316 @@ -812,7 +812,7 @@ drain_scq(struct idt77252_dev *card, struct vc_map *vc)
34318 dev_kfree_skb(skb);
34320 - atomic_inc(&vcc->stats->tx);
34321 + atomic_inc_unchecked(&vcc->stats->tx);
34324 atomic_dec(&scq->used);
34325 @@ -1075,13 +1075,13 @@ dequeue_rx(struct idt77252_dev *card, struct rsq_entry *rsqe)
34326 if ((sb = dev_alloc_skb(64)) == NULL) {
34327 printk("%s: Can't allocate buffers for aal0.\n",
34329 - atomic_add(i, &vcc->stats->rx_drop);
34330 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
34333 if (!atm_charge(vcc, sb->truesize)) {
34334 RXPRINTK("%s: atm_charge() dropped aal0 packets.\n",
34336 - atomic_add(i - 1, &vcc->stats->rx_drop);
34337 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);
34341 @@ -1098,7 +1098,7 @@ dequeue_rx(struct idt77252_dev *card, struct rsq_entry *rsqe)
34342 ATM_SKB(sb)->vcc = vcc;
34343 __net_timestamp(sb);
34344 vcc->push(vcc, sb);
34345 - atomic_inc(&vcc->stats->rx);
34346 + atomic_inc_unchecked(&vcc->stats->rx);
34348 cell += ATM_CELL_PAYLOAD;
34350 @@ -1135,13 +1135,13 @@ dequeue_rx(struct idt77252_dev *card, struct rsq_entry *rsqe)
34352 card->name, len, rpp->len, readl(SAR_REG_CDC));
34353 recycle_rx_pool_skb(card, rpp);
34354 - atomic_inc(&vcc->stats->rx_err);
34355 + atomic_inc_unchecked(&vcc->stats->rx_err);
34358 if (stat & SAR_RSQE_CRC) {
34359 RXPRINTK("%s: AAL5 CRC error.\n", card->name);
34360 recycle_rx_pool_skb(card, rpp);
34361 - atomic_inc(&vcc->stats->rx_err);
34362 + atomic_inc_unchecked(&vcc->stats->rx_err);
34365 if (skb_queue_len(&rpp->queue) > 1) {
34366 @@ -1152,7 +1152,7 @@ dequeue_rx(struct idt77252_dev *card, struct rsq_entry *rsqe)
34367 RXPRINTK("%s: Can't alloc RX skb.\n",
34369 recycle_rx_pool_skb(card, rpp);
34370 - atomic_inc(&vcc->stats->rx_err);
34371 + atomic_inc_unchecked(&vcc->stats->rx_err);
34374 if (!atm_charge(vcc, skb->truesize)) {
34375 @@ -1171,7 +1171,7 @@ dequeue_rx(struct idt77252_dev *card, struct rsq_entry *rsqe)
34376 __net_timestamp(skb);
34378 vcc->push(vcc, skb);
34379 - atomic_inc(&vcc->stats->rx);
34380 + atomic_inc_unchecked(&vcc->stats->rx);
34384 @@ -1193,7 +1193,7 @@ dequeue_rx(struct idt77252_dev *card, struct rsq_entry *rsqe)
34385 __net_timestamp(skb);
34387 vcc->push(vcc, skb);
34388 - atomic_inc(&vcc->stats->rx);
34389 + atomic_inc_unchecked(&vcc->stats->rx);
34391 if (skb->truesize > SAR_FB_SIZE_3)
34392 add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
34393 @@ -1304,14 +1304,14 @@ idt77252_rx_raw(struct idt77252_dev *card)
34394 if (vcc->qos.aal != ATM_AAL0) {
34395 RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n",
34396 card->name, vpi, vci);
34397 - atomic_inc(&vcc->stats->rx_drop);
34398 + atomic_inc_unchecked(&vcc->stats->rx_drop);
34402 if ((sb = dev_alloc_skb(64)) == NULL) {
34403 printk("%s: Can't allocate buffers for AAL0.\n",
34405 - atomic_inc(&vcc->stats->rx_err);
34406 + atomic_inc_unchecked(&vcc->stats->rx_err);
34410 @@ -1330,7 +1330,7 @@ idt77252_rx_raw(struct idt77252_dev *card)
34411 ATM_SKB(sb)->vcc = vcc;
34412 __net_timestamp(sb);
34413 vcc->push(vcc, sb);
34414 - atomic_inc(&vcc->stats->rx);
34415 + atomic_inc_unchecked(&vcc->stats->rx);
34418 skb_pull(queue, 64);
34419 @@ -1955,13 +1955,13 @@ idt77252_send_skb(struct atm_vcc *vcc, struct sk_buff *skb, int oam)
34422 printk("%s: NULL connection in send().\n", card->name);
34423 - atomic_inc(&vcc->stats->tx_err);
34424 + atomic_inc_unchecked(&vcc->stats->tx_err);
34425 dev_kfree_skb(skb);
34428 if (!test_bit(VCF_TX, &vc->flags)) {
34429 printk("%s: Trying to transmit on a non-tx VC.\n", card->name);
34430 - atomic_inc(&vcc->stats->tx_err);
34431 + atomic_inc_unchecked(&vcc->stats->tx_err);
34432 dev_kfree_skb(skb);
34435 @@ -1973,14 +1973,14 @@ idt77252_send_skb(struct atm_vcc *vcc, struct sk_buff *skb, int oam)
34438 printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal);
34439 - atomic_inc(&vcc->stats->tx_err);
34440 + atomic_inc_unchecked(&vcc->stats->tx_err);
34441 dev_kfree_skb(skb);
34445 if (skb_shinfo(skb)->nr_frags != 0) {
34446 printk("%s: No scatter-gather yet.\n", card->name);
34447 - atomic_inc(&vcc->stats->tx_err);
34448 + atomic_inc_unchecked(&vcc->stats->tx_err);
34449 dev_kfree_skb(skb);
34452 @@ -1988,7 +1988,7 @@ idt77252_send_skb(struct atm_vcc *vcc, struct sk_buff *skb, int oam)
34454 err = queue_skb(card, vc, skb, oam);
34456 - atomic_inc(&vcc->stats->tx_err);
34457 + atomic_inc_unchecked(&vcc->stats->tx_err);
34458 dev_kfree_skb(skb);
34461 @@ -2011,7 +2011,7 @@ idt77252_send_oam(struct atm_vcc *vcc, void *cell, int flags)
34462 skb = dev_alloc_skb(64);
34464 printk("%s: Out of memory in send_oam().\n", card->name);
34465 - atomic_inc(&vcc->stats->tx_err);
34466 + atomic_inc_unchecked(&vcc->stats->tx_err);
34469 atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
34470 diff --git a/drivers/atm/iphase.c b/drivers/atm/iphase.c
34471 index 4217f29..88f547a 100644
34472 --- a/drivers/atm/iphase.c
34473 +++ b/drivers/atm/iphase.c
34474 @@ -1145,7 +1145,7 @@ static int rx_pkt(struct atm_dev *dev)
34475 status = (u_short) (buf_desc_ptr->desc_mode);
34476 if (status & (RX_CER | RX_PTE | RX_OFL))
34478 - atomic_inc(&vcc->stats->rx_err);
34479 + atomic_inc_unchecked(&vcc->stats->rx_err);
34480 IF_ERR(printk("IA: bad packet, dropping it");)
34481 if (status & RX_CER) {
34482 IF_ERR(printk(" cause: packet CRC error\n");)
34483 @@ -1168,7 +1168,7 @@ static int rx_pkt(struct atm_dev *dev)
34484 len = dma_addr - buf_addr;
34485 if (len > iadev->rx_buf_sz) {
34486 printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz);
34487 - atomic_inc(&vcc->stats->rx_err);
34488 + atomic_inc_unchecked(&vcc->stats->rx_err);
34489 goto out_free_desc;
34492 @@ -1318,7 +1318,7 @@ static void rx_dle_intr(struct atm_dev *dev)
34493 ia_vcc = INPH_IA_VCC(vcc);
34494 if (ia_vcc == NULL)
34496 - atomic_inc(&vcc->stats->rx_err);
34497 + atomic_inc_unchecked(&vcc->stats->rx_err);
34498 atm_return(vcc, skb->truesize);
34499 dev_kfree_skb_any(skb);
34501 @@ -1330,7 +1330,7 @@ static void rx_dle_intr(struct atm_dev *dev)
34502 if ((length > iadev->rx_buf_sz) || (length >
34503 (skb->len - sizeof(struct cpcs_trailer))))
34505 - atomic_inc(&vcc->stats->rx_err);
34506 + atomic_inc_unchecked(&vcc->stats->rx_err);
34507 IF_ERR(printk("rx_dle_intr: Bad AAL5 trailer %d (skb len %d)",
34508 length, skb->len);)
34509 atm_return(vcc, skb->truesize);
34510 @@ -1346,7 +1346,7 @@ static void rx_dle_intr(struct atm_dev *dev)
34512 IF_RX(printk("rx_dle_intr: skb push");)
34513 vcc->push(vcc,skb);
34514 - atomic_inc(&vcc->stats->rx);
34515 + atomic_inc_unchecked(&vcc->stats->rx);
34516 iadev->rx_pkt_cnt++;
34519 @@ -2826,15 +2826,15 @@ static int ia_ioctl(struct atm_dev *dev, unsigned int cmd, void __user *arg)
34521 struct k_sonet_stats *stats;
34522 stats = &PRIV(_ia_dev[board])->sonet_stats;
34523 - printk("section_bip: %d\n", atomic_read(&stats->section_bip));
34524 - printk("line_bip : %d\n", atomic_read(&stats->line_bip));
34525 - printk("path_bip : %d\n", atomic_read(&stats->path_bip));
34526 - printk("line_febe : %d\n", atomic_read(&stats->line_febe));
34527 - printk("path_febe : %d\n", atomic_read(&stats->path_febe));
34528 - printk("corr_hcs : %d\n", atomic_read(&stats->corr_hcs));
34529 - printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs));
34530 - printk("tx_cells : %d\n", atomic_read(&stats->tx_cells));
34531 - printk("rx_cells : %d\n", atomic_read(&stats->rx_cells));
34532 + printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));
34533 + printk("line_bip : %d\n", atomic_read_unchecked(&stats->line_bip));
34534 + printk("path_bip : %d\n", atomic_read_unchecked(&stats->path_bip));
34535 + printk("line_febe : %d\n", atomic_read_unchecked(&stats->line_febe));
34536 + printk("path_febe : %d\n", atomic_read_unchecked(&stats->path_febe));
34537 + printk("corr_hcs : %d\n", atomic_read_unchecked(&stats->corr_hcs));
34538 + printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs));
34539 + printk("tx_cells : %d\n", atomic_read_unchecked(&stats->tx_cells));
34540 + printk("rx_cells : %d\n", atomic_read_unchecked(&stats->rx_cells));
34542 ia_cmds.status = 0;
34544 @@ -2939,7 +2939,7 @@ static int ia_pkt_tx (struct atm_vcc *vcc, struct sk_buff *skb) {
34545 if ((desc == 0) || (desc > iadev->num_tx_desc))
34547 IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);)
34548 - atomic_inc(&vcc->stats->tx);
34549 + atomic_inc_unchecked(&vcc->stats->tx);
34551 vcc->pop(vcc, skb);
34553 @@ -3044,14 +3044,14 @@ static int ia_pkt_tx (struct atm_vcc *vcc, struct sk_buff *skb) {
34554 ATM_DESC(skb) = vcc->vci;
34555 skb_queue_tail(&iadev->tx_dma_q, skb);
34557 - atomic_inc(&vcc->stats->tx);
34558 + atomic_inc_unchecked(&vcc->stats->tx);
34559 iadev->tx_pkt_cnt++;
34560 /* Increment transaction counter */
34561 writel(2, iadev->dma+IPHASE5575_TX_COUNTER);
34564 /* add flow control logic */
34565 - if (atomic_read(&vcc->stats->tx) % 20 == 0) {
34566 + if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) {
34567 if (iavcc->vc_desc_cnt > 10) {
34568 vcc->tx_quota = vcc->tx_quota * 3 / 4;
34569 printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
34570 diff --git a/drivers/atm/lanai.c b/drivers/atm/lanai.c
34571 index fa7d701..1e404c7 100644
34572 --- a/drivers/atm/lanai.c
34573 +++ b/drivers/atm/lanai.c
34574 @@ -1303,7 +1303,7 @@ static void lanai_send_one_aal5(struct lanai_dev *lanai,
34575 vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0);
34576 lanai_endtx(lanai, lvcc);
34577 lanai_free_skb(lvcc->tx.atmvcc, skb);
34578 - atomic_inc(&lvcc->tx.atmvcc->stats->tx);
34579 + atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx);
34582 /* Try to fill the buffer - don't call unless there is backlog */
34583 @@ -1426,7 +1426,7 @@ static void vcc_rx_aal5(struct lanai_vcc *lvcc, int endptr)
34584 ATM_SKB(skb)->vcc = lvcc->rx.atmvcc;
34585 __net_timestamp(skb);
34586 lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb);
34587 - atomic_inc(&lvcc->rx.atmvcc->stats->rx);
34588 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx);
34590 lvcc->rx.buf.ptr = end;
34591 cardvcc_write(lvcc, endptr, vcc_rxreadptr);
34592 @@ -1667,7 +1667,7 @@ static int handle_service(struct lanai_dev *lanai, u32 s)
34593 DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 "
34594 "vcc %d\n", lanai->number, (unsigned int) s, vci);
34595 lanai->stats.service_rxnotaal5++;
34596 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
34597 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
34600 if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) {
34601 @@ -1679,7 +1679,7 @@ static int handle_service(struct lanai_dev *lanai, u32 s)
34603 read_unlock(&vcc_sklist_lock);
34604 DPRINTK("got trashed rx pdu on vci %d\n", vci);
34605 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
34606 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
34607 lvcc->stats.x.aal5.service_trash++;
34608 bytes = (SERVICE_GET_END(s) * 16) -
34609 (((unsigned long) lvcc->rx.buf.ptr) -
34610 @@ -1691,7 +1691,7 @@ static int handle_service(struct lanai_dev *lanai, u32 s)
34612 if (s & SERVICE_STREAM) {
34613 read_unlock(&vcc_sklist_lock);
34614 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
34615 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
34616 lvcc->stats.x.aal5.service_stream++;
34617 printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream "
34618 "PDU on VCI %d!\n", lanai->number, vci);
34619 @@ -1699,7 +1699,7 @@ static int handle_service(struct lanai_dev *lanai, u32 s)
34622 DPRINTK("got rx crc error on vci %d\n", vci);
34623 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
34624 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
34625 lvcc->stats.x.aal5.service_rxcrc++;
34626 lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4];
34627 cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr);
34628 diff --git a/drivers/atm/nicstar.c b/drivers/atm/nicstar.c
34629 index 6587dc2..149833d 100644
34630 --- a/drivers/atm/nicstar.c
34631 +++ b/drivers/atm/nicstar.c
34632 @@ -1641,7 +1641,7 @@ static int ns_send(struct atm_vcc *vcc, struct sk_buff *skb)
34633 if ((vc = (vc_map *) vcc->dev_data) == NULL) {
34634 printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n",
34636 - atomic_inc(&vcc->stats->tx_err);
34637 + atomic_inc_unchecked(&vcc->stats->tx_err);
34638 dev_kfree_skb_any(skb);
34641 @@ -1649,7 +1649,7 @@ static int ns_send(struct atm_vcc *vcc, struct sk_buff *skb)
34643 printk("nicstar%d: Trying to transmit on a non-tx VC.\n",
34645 - atomic_inc(&vcc->stats->tx_err);
34646 + atomic_inc_unchecked(&vcc->stats->tx_err);
34647 dev_kfree_skb_any(skb);
34650 @@ -1657,14 +1657,14 @@ static int ns_send(struct atm_vcc *vcc, struct sk_buff *skb)
34651 if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0) {
34652 printk("nicstar%d: Only AAL0 and AAL5 are supported.\n",
34654 - atomic_inc(&vcc->stats->tx_err);
34655 + atomic_inc_unchecked(&vcc->stats->tx_err);
34656 dev_kfree_skb_any(skb);
34660 if (skb_shinfo(skb)->nr_frags != 0) {
34661 printk("nicstar%d: No scatter-gather yet.\n", card->index);
34662 - atomic_inc(&vcc->stats->tx_err);
34663 + atomic_inc_unchecked(&vcc->stats->tx_err);
34664 dev_kfree_skb_any(skb);
34667 @@ -1712,11 +1712,11 @@ static int ns_send(struct atm_vcc *vcc, struct sk_buff *skb)
34670 if (push_scqe(card, vc, scq, &scqe, skb) != 0) {
34671 - atomic_inc(&vcc->stats->tx_err);
34672 + atomic_inc_unchecked(&vcc->stats->tx_err);
34673 dev_kfree_skb_any(skb);
34676 - atomic_inc(&vcc->stats->tx);
34677 + atomic_inc_unchecked(&vcc->stats->tx);
34681 @@ -2033,14 +2033,14 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
34683 ("nicstar%d: Can't allocate buffers for aal0.\n",
34685 - atomic_add(i, &vcc->stats->rx_drop);
34686 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
34689 if (!atm_charge(vcc, sb->truesize)) {
34691 ("nicstar%d: atm_charge() dropped aal0 packets.\n",
34693 - atomic_add(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */
34694 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */
34695 dev_kfree_skb_any(sb);
34698 @@ -2055,7 +2055,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
34699 ATM_SKB(sb)->vcc = vcc;
34700 __net_timestamp(sb);
34701 vcc->push(vcc, sb);
34702 - atomic_inc(&vcc->stats->rx);
34703 + atomic_inc_unchecked(&vcc->stats->rx);
34704 cell += ATM_CELL_PAYLOAD;
34707 @@ -2072,7 +2072,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
34708 if (iovb == NULL) {
34709 printk("nicstar%d: Out of iovec buffers.\n",
34711 - atomic_inc(&vcc->stats->rx_drop);
34712 + atomic_inc_unchecked(&vcc->stats->rx_drop);
34713 recycle_rx_buf(card, skb);
34716 @@ -2096,7 +2096,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
34717 small or large buffer itself. */
34718 } else if (NS_PRV_IOVCNT(iovb) >= NS_MAX_IOVECS) {
34719 printk("nicstar%d: received too big AAL5 SDU.\n", card->index);
34720 - atomic_inc(&vcc->stats->rx_err);
34721 + atomic_inc_unchecked(&vcc->stats->rx_err);
34722 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
34724 NS_PRV_IOVCNT(iovb) = 0;
34725 @@ -2116,7 +2116,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
34726 ("nicstar%d: Expected a small buffer, and this is not one.\n",
34728 which_list(card, skb);
34729 - atomic_inc(&vcc->stats->rx_err);
34730 + atomic_inc_unchecked(&vcc->stats->rx_err);
34731 recycle_rx_buf(card, skb);
34733 recycle_iov_buf(card, iovb);
34734 @@ -2129,7 +2129,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
34735 ("nicstar%d: Expected a large buffer, and this is not one.\n",
34737 which_list(card, skb);
34738 - atomic_inc(&vcc->stats->rx_err);
34739 + atomic_inc_unchecked(&vcc->stats->rx_err);
34740 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
34741 NS_PRV_IOVCNT(iovb));
34743 @@ -2152,7 +2152,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
34744 printk(" - PDU size mismatch.\n");
34747 - atomic_inc(&vcc->stats->rx_err);
34748 + atomic_inc_unchecked(&vcc->stats->rx_err);
34749 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
34750 NS_PRV_IOVCNT(iovb));
34752 @@ -2166,7 +2166,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
34753 /* skb points to a small buffer */
34754 if (!atm_charge(vcc, skb->truesize)) {
34755 push_rxbufs(card, skb);
34756 - atomic_inc(&vcc->stats->rx_drop);
34757 + atomic_inc_unchecked(&vcc->stats->rx_drop);
34760 dequeue_sm_buf(card, skb);
34761 @@ -2176,7 +2176,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
34762 ATM_SKB(skb)->vcc = vcc;
34763 __net_timestamp(skb);
34764 vcc->push(vcc, skb);
34765 - atomic_inc(&vcc->stats->rx);
34766 + atomic_inc_unchecked(&vcc->stats->rx);
34768 } else if (NS_PRV_IOVCNT(iovb) == 2) { /* One small plus one large buffer */
34769 struct sk_buff *sb;
34770 @@ -2187,7 +2187,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
34771 if (len <= NS_SMBUFSIZE) {
34772 if (!atm_charge(vcc, sb->truesize)) {
34773 push_rxbufs(card, sb);
34774 - atomic_inc(&vcc->stats->rx_drop);
34775 + atomic_inc_unchecked(&vcc->stats->rx_drop);
34778 dequeue_sm_buf(card, sb);
34779 @@ -2197,7 +2197,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
34780 ATM_SKB(sb)->vcc = vcc;
34781 __net_timestamp(sb);
34782 vcc->push(vcc, sb);
34783 - atomic_inc(&vcc->stats->rx);
34784 + atomic_inc_unchecked(&vcc->stats->rx);
34787 push_rxbufs(card, skb);
34788 @@ -2206,7 +2206,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
34790 if (!atm_charge(vcc, skb->truesize)) {
34791 push_rxbufs(card, skb);
34792 - atomic_inc(&vcc->stats->rx_drop);
34793 + atomic_inc_unchecked(&vcc->stats->rx_drop);
34795 dequeue_lg_buf(card, skb);
34796 #ifdef NS_USE_DESTRUCTORS
34797 @@ -2219,7 +2219,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
34798 ATM_SKB(skb)->vcc = vcc;
34799 __net_timestamp(skb);
34800 vcc->push(vcc, skb);
34801 - atomic_inc(&vcc->stats->rx);
34802 + atomic_inc_unchecked(&vcc->stats->rx);
34805 push_rxbufs(card, sb);
34806 @@ -2240,7 +2240,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
34808 ("nicstar%d: Out of huge buffers.\n",
34810 - atomic_inc(&vcc->stats->rx_drop);
34811 + atomic_inc_unchecked(&vcc->stats->rx_drop);
34812 recycle_iovec_rx_bufs(card,
34815 @@ -2291,7 +2291,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
34816 card->hbpool.count++;
34818 dev_kfree_skb_any(hb);
34819 - atomic_inc(&vcc->stats->rx_drop);
34820 + atomic_inc_unchecked(&vcc->stats->rx_drop);
34822 /* Copy the small buffer to the huge buffer */
34823 sb = (struct sk_buff *)iov->iov_base;
34824 @@ -2328,7 +2328,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
34825 #endif /* NS_USE_DESTRUCTORS */
34826 __net_timestamp(hb);
34827 vcc->push(vcc, hb);
34828 - atomic_inc(&vcc->stats->rx);
34829 + atomic_inc_unchecked(&vcc->stats->rx);
34833 diff --git a/drivers/atm/solos-pci.c b/drivers/atm/solos-pci.c
34834 index 32784d1..4a8434a 100644
34835 --- a/drivers/atm/solos-pci.c
34836 +++ b/drivers/atm/solos-pci.c
34837 @@ -838,7 +838,7 @@ void solos_bh(unsigned long card_arg)
34839 atm_charge(vcc, skb->truesize);
34840 vcc->push(vcc, skb);
34841 - atomic_inc(&vcc->stats->rx);
34842 + atomic_inc_unchecked(&vcc->stats->rx);
34846 @@ -1116,7 +1116,7 @@ static uint32_t fpga_tx(struct solos_card *card)
34847 vcc = SKB_CB(oldskb)->vcc;
34850 - atomic_inc(&vcc->stats->tx);
34851 + atomic_inc_unchecked(&vcc->stats->tx);
34852 solos_pop(vcc, oldskb);
34854 dev_kfree_skb_irq(oldskb);
34855 diff --git a/drivers/atm/suni.c b/drivers/atm/suni.c
34856 index 0215934..ce9f5b1 100644
34857 --- a/drivers/atm/suni.c
34858 +++ b/drivers/atm/suni.c
34859 @@ -49,8 +49,8 @@ static DEFINE_SPINLOCK(sunis_lock);
34862 #define ADD_LIMITED(s,v) \
34863 - atomic_add((v),&stats->s); \
34864 - if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX);
34865 + atomic_add_unchecked((v),&stats->s); \
34866 + if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX);
34869 static void suni_hz(unsigned long from_timer)
34870 diff --git a/drivers/atm/uPD98402.c b/drivers/atm/uPD98402.c
34871 index 5120a96..e2572bd 100644
34872 --- a/drivers/atm/uPD98402.c
34873 +++ b/drivers/atm/uPD98402.c
34874 @@ -42,7 +42,7 @@ static int fetch_stats(struct atm_dev *dev,struct sonet_stats __user *arg,int ze
34875 struct sonet_stats tmp;
34878 - atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
34879 + atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
34880 sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp);
34881 if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp));
34882 if (zero && !error) {
34883 @@ -161,9 +161,9 @@ static int uPD98402_ioctl(struct atm_dev *dev,unsigned int cmd,void __user *arg)
34886 #define ADD_LIMITED(s,v) \
34887 - { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \
34888 - if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \
34889 - atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); }
34890 + { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \
34891 + if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \
34892 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); }
34895 static void stat_event(struct atm_dev *dev)
34896 @@ -194,7 +194,7 @@ static void uPD98402_int(struct atm_dev *dev)
34897 if (reason & uPD98402_INT_PFM) stat_event(dev);
34898 if (reason & uPD98402_INT_PCO) {
34899 (void) GET(PCOCR); /* clear interrupt cause */
34900 - atomic_add(GET(HECCT),
34901 + atomic_add_unchecked(GET(HECCT),
34902 &PRIV(dev)->sonet_stats.uncorr_hcs);
34904 if ((reason & uPD98402_INT_RFO) &&
34905 @@ -222,9 +222,9 @@ static int uPD98402_start(struct atm_dev *dev)
34906 PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO |
34907 uPD98402_INT_LOS),PIMR); /* enable them */
34908 (void) fetch_stats(dev,NULL,1); /* clear kernel counters */
34909 - atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1);
34910 - atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1);
34911 - atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1);
34912 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1);
34913 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1);
34914 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1);
34918 diff --git a/drivers/atm/zatm.c b/drivers/atm/zatm.c
34919 index 969c3c2..9b72956 100644
34920 --- a/drivers/atm/zatm.c
34921 +++ b/drivers/atm/zatm.c
34922 @@ -459,7 +459,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy[0],dummy[1]);
34925 dev_kfree_skb_irq(skb);
34926 - if (vcc) atomic_inc(&vcc->stats->rx_err);
34927 + if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err);
34930 if (!atm_charge(vcc,skb->truesize)) {
34931 @@ -469,7 +469,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy[0],dummy[1]);
34933 ATM_SKB(skb)->vcc = vcc;
34934 vcc->push(vcc,skb);
34935 - atomic_inc(&vcc->stats->rx);
34936 + atomic_inc_unchecked(&vcc->stats->rx);
34938 zout(pos & 0xffff,MTA(mbx));
34939 #if 0 /* probably a stupid idea */
34940 @@ -733,7 +733,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD_V | uPD98401_TXPD_DP |
34941 skb_queue_head(&zatm_vcc->backlog,skb);
34944 - atomic_inc(&vcc->stats->tx);
34945 + atomic_inc_unchecked(&vcc->stats->tx);
34946 wake_up(&zatm_vcc->tx_wait);
34949 diff --git a/drivers/base/attribute_container.c b/drivers/base/attribute_container.c
34950 index d78b204..ecc1929 100644
34951 --- a/drivers/base/attribute_container.c
34952 +++ b/drivers/base/attribute_container.c
34953 @@ -167,7 +167,7 @@ attribute_container_add_device(struct device *dev,
34954 ic->classdev.parent = get_device(dev);
34955 ic->classdev.class = cont->class;
34956 cont->class->dev_release = attribute_container_release;
34957 - dev_set_name(&ic->classdev, dev_name(dev));
34958 + dev_set_name(&ic->classdev, "%s", dev_name(dev));
34960 fn(cont, dev, &ic->classdev);
34962 diff --git a/drivers/base/bus.c b/drivers/base/bus.c
34963 index d414331..b4dd4ba 100644
34964 --- a/drivers/base/bus.c
34965 +++ b/drivers/base/bus.c
34966 @@ -1163,7 +1163,7 @@ int subsys_interface_register(struct subsys_interface *sif)
34969 mutex_lock(&subsys->p->mutex);
34970 - list_add_tail(&sif->node, &subsys->p->interfaces);
34971 + pax_list_add_tail((struct list_head *)&sif->node, &subsys->p->interfaces);
34972 if (sif->add_dev) {
34973 subsys_dev_iter_init(&iter, subsys, NULL, NULL);
34974 while ((dev = subsys_dev_iter_next(&iter)))
34975 @@ -1188,7 +1188,7 @@ void subsys_interface_unregister(struct subsys_interface *sif)
34976 subsys = sif->subsys;
34978 mutex_lock(&subsys->p->mutex);
34979 - list_del_init(&sif->node);
34980 + pax_list_del_init((struct list_head *)&sif->node);
34981 if (sif->remove_dev) {
34982 subsys_dev_iter_init(&iter, subsys, NULL, NULL);
34983 while ((dev = subsys_dev_iter_next(&iter)))
34984 diff --git a/drivers/base/devtmpfs.c b/drivers/base/devtmpfs.c
34985 index 7413d06..79155fa 100644
34986 --- a/drivers/base/devtmpfs.c
34987 +++ b/drivers/base/devtmpfs.c
34988 @@ -354,7 +354,7 @@ int devtmpfs_mount(const char *mntdir)
34992 - err = sys_mount("devtmpfs", (char *)mntdir, "devtmpfs", MS_SILENT, NULL);
34993 + err = sys_mount((char __force_user *)"devtmpfs", (char __force_user *)mntdir, (char __force_user *)"devtmpfs", MS_SILENT, NULL);
34995 printk(KERN_INFO "devtmpfs: error mounting %i\n", err);
34997 @@ -380,11 +380,11 @@ static int devtmpfsd(void *p)
34998 *err = sys_unshare(CLONE_NEWNS);
35001 - *err = sys_mount("devtmpfs", "/", "devtmpfs", MS_SILENT, options);
35002 + *err = sys_mount((char __force_user *)"devtmpfs", (char __force_user *)"/", (char __force_user *)"devtmpfs", MS_SILENT, (char __force_user *)options);
35005 - sys_chdir("/.."); /* will traverse into overmounted root */
35007 + sys_chdir((char __force_user *)"/.."); /* will traverse into overmounted root */
35008 + sys_chroot((char __force_user *)".");
35009 complete(&setup_done);
35011 spin_lock(&req_lock);
35012 diff --git a/drivers/base/node.c b/drivers/base/node.c
35013 index 7616a77c..8f57f51 100644
35014 --- a/drivers/base/node.c
35015 +++ b/drivers/base/node.c
35016 @@ -626,7 +626,7 @@ static ssize_t print_nodes_state(enum node_states state, char *buf)
35018 struct device_attribute attr;
35019 enum node_states state;
35023 static ssize_t show_node_state(struct device *dev,
35024 struct device_attribute *attr, char *buf)
35025 diff --git a/drivers/base/power/domain.c b/drivers/base/power/domain.c
35026 index 7072404..76dcebd 100644
35027 --- a/drivers/base/power/domain.c
35028 +++ b/drivers/base/power/domain.c
35029 @@ -1850,7 +1850,7 @@ int pm_genpd_attach_cpuidle(struct generic_pm_domain *genpd, int state)
35031 struct cpuidle_driver *cpuidle_drv;
35032 struct gpd_cpu_data *cpu_data;
35033 - struct cpuidle_state *idle_state;
35034 + cpuidle_state_no_const *idle_state;
35037 if (IS_ERR_OR_NULL(genpd) || state < 0)
35038 @@ -1918,7 +1918,7 @@ int pm_genpd_name_attach_cpuidle(const char *name, int state)
35039 int pm_genpd_detach_cpuidle(struct generic_pm_domain *genpd)
35041 struct gpd_cpu_data *cpu_data;
35042 - struct cpuidle_state *idle_state;
35043 + cpuidle_state_no_const *idle_state;
35046 if (IS_ERR_OR_NULL(genpd))
35047 diff --git a/drivers/base/power/sysfs.c b/drivers/base/power/sysfs.c
35048 index a53ebd2..8f73eeb 100644
35049 --- a/drivers/base/power/sysfs.c
35050 +++ b/drivers/base/power/sysfs.c
35051 @@ -185,7 +185,7 @@ static ssize_t rtpm_status_show(struct device *dev,
35055 - return sprintf(buf, p);
35056 + return sprintf(buf, "%s", p);
35059 static DEVICE_ATTR(runtime_status, 0444, rtpm_status_show, NULL);
35060 diff --git a/drivers/base/power/wakeup.c b/drivers/base/power/wakeup.c
35061 index 79715e7..df06b3b 100644
35062 --- a/drivers/base/power/wakeup.c
35063 +++ b/drivers/base/power/wakeup.c
35064 @@ -29,14 +29,14 @@ bool events_check_enabled __read_mostly;
35065 * They need to be modified together atomically, so it's better to use one
35066 * atomic variable to hold them both.
35068 -static atomic_t combined_event_count = ATOMIC_INIT(0);
35069 +static atomic_unchecked_t combined_event_count = ATOMIC_INIT(0);
35071 #define IN_PROGRESS_BITS (sizeof(int) * 4)
35072 #define MAX_IN_PROGRESS ((1 << IN_PROGRESS_BITS) - 1)
35074 static void split_counters(unsigned int *cnt, unsigned int *inpr)
35076 - unsigned int comb = atomic_read(&combined_event_count);
35077 + unsigned int comb = atomic_read_unchecked(&combined_event_count);
35079 *cnt = (comb >> IN_PROGRESS_BITS);
35080 *inpr = comb & MAX_IN_PROGRESS;
35081 @@ -395,7 +395,7 @@ static void wakeup_source_activate(struct wakeup_source *ws)
35082 ws->start_prevent_time = ws->last_time;
35084 /* Increment the counter of events in progress. */
35085 - cec = atomic_inc_return(&combined_event_count);
35086 + cec = atomic_inc_return_unchecked(&combined_event_count);
35088 trace_wakeup_source_activate(ws->name, cec);
35090 @@ -521,7 +521,7 @@ static void wakeup_source_deactivate(struct wakeup_source *ws)
35091 * Increment the counter of registered wakeup events and decrement the
35092 * couter of wakeup events in progress simultaneously.
35094 - cec = atomic_add_return(MAX_IN_PROGRESS, &combined_event_count);
35095 + cec = atomic_add_return_unchecked(MAX_IN_PROGRESS, &combined_event_count);
35096 trace_wakeup_source_deactivate(ws->name, cec);
35098 split_counters(&cnt, &inpr);
35099 diff --git a/drivers/base/syscore.c b/drivers/base/syscore.c
35100 index e8d11b6..7b1b36f 100644
35101 --- a/drivers/base/syscore.c
35102 +++ b/drivers/base/syscore.c
35103 @@ -21,7 +21,7 @@ static DEFINE_MUTEX(syscore_ops_lock);
35104 void register_syscore_ops(struct syscore_ops *ops)
35106 mutex_lock(&syscore_ops_lock);
35107 - list_add_tail(&ops->node, &syscore_ops_list);
35108 + pax_list_add_tail((struct list_head *)&ops->node, &syscore_ops_list);
35109 mutex_unlock(&syscore_ops_lock);
35111 EXPORT_SYMBOL_GPL(register_syscore_ops);
35112 @@ -33,7 +33,7 @@ EXPORT_SYMBOL_GPL(register_syscore_ops);
35113 void unregister_syscore_ops(struct syscore_ops *ops)
35115 mutex_lock(&syscore_ops_lock);
35116 - list_del(&ops->node);
35117 + pax_list_del((struct list_head *)&ops->node);
35118 mutex_unlock(&syscore_ops_lock);
35120 EXPORT_SYMBOL_GPL(unregister_syscore_ops);
35121 diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
35122 index 62b6c2c..4a11354 100644
35123 --- a/drivers/block/cciss.c
35124 +++ b/drivers/block/cciss.c
35125 @@ -1189,6 +1189,8 @@ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode,
35129 + memset(&arg64, 0, sizeof(arg64));
35133 copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
35134 @@ -3010,7 +3012,7 @@ static void start_io(ctlr_info_t *h)
35135 while (!list_empty(&h->reqQ)) {
35136 c = list_entry(h->reqQ.next, CommandList_struct, list);
35137 /* can't do anything if fifo is full */
35138 - if ((h->access.fifo_full(h))) {
35139 + if ((h->access->fifo_full(h))) {
35140 dev_warn(&h->pdev->dev, "fifo full\n");
35143 @@ -3020,7 +3022,7 @@ static void start_io(ctlr_info_t *h)
35146 /* Tell the controller execute command */
35147 - h->access.submit_command(h, c);
35148 + h->access->submit_command(h, c);
35150 /* Put job onto the completed Q */
35152 @@ -3446,17 +3448,17 @@ startio:
35154 static inline unsigned long get_next_completion(ctlr_info_t *h)
35156 - return h->access.command_completed(h);
35157 + return h->access->command_completed(h);
35160 static inline int interrupt_pending(ctlr_info_t *h)
35162 - return h->access.intr_pending(h);
35163 + return h->access->intr_pending(h);
35166 static inline long interrupt_not_for_us(ctlr_info_t *h)
35168 - return ((h->access.intr_pending(h) == 0) ||
35169 + return ((h->access->intr_pending(h) == 0) ||
35170 (h->interrupts_enabled == 0));
35173 @@ -3489,7 +3491,7 @@ static inline u32 next_command(ctlr_info_t *h)
35176 if (unlikely(!(h->transMethod & CFGTBL_Trans_Performant)))
35177 - return h->access.command_completed(h);
35178 + return h->access->command_completed(h);
35180 if ((*(h->reply_pool_head) & 1) == (h->reply_pool_wraparound)) {
35181 a = *(h->reply_pool_head); /* Next cmd in ring buffer */
35182 @@ -4046,7 +4048,7 @@ static void cciss_put_controller_into_performant_mode(ctlr_info_t *h)
35183 trans_support & CFGTBL_Trans_use_short_tags);
35185 /* Change the access methods to the performant access methods */
35186 - h->access = SA5_performant_access;
35187 + h->access = &SA5_performant_access;
35188 h->transMethod = CFGTBL_Trans_Performant;
35191 @@ -4319,7 +4321,7 @@ static int cciss_pci_init(ctlr_info_t *h)
35192 if (prod_index < 0)
35194 h->product_name = products[prod_index].product_name;
35195 - h->access = *(products[prod_index].access);
35196 + h->access = products[prod_index].access;
35198 if (cciss_board_disabled(h)) {
35199 dev_warn(&h->pdev->dev, "controller appears to be disabled\n");
35200 @@ -5051,7 +5053,7 @@ reinit_after_soft_reset:
35203 /* make sure the board interrupts are off */
35204 - h->access.set_intr_mask(h, CCISS_INTR_OFF);
35205 + h->access->set_intr_mask(h, CCISS_INTR_OFF);
35206 rc = cciss_request_irq(h, do_cciss_msix_intr, do_cciss_intx);
35209 @@ -5101,7 +5103,7 @@ reinit_after_soft_reset:
35210 * fake ones to scoop up any residual completions.
35212 spin_lock_irqsave(&h->lock, flags);
35213 - h->access.set_intr_mask(h, CCISS_INTR_OFF);
35214 + h->access->set_intr_mask(h, CCISS_INTR_OFF);
35215 spin_unlock_irqrestore(&h->lock, flags);
35216 free_irq(h->intr[h->intr_mode], h);
35217 rc = cciss_request_irq(h, cciss_msix_discard_completions,
35218 @@ -5121,9 +5123,9 @@ reinit_after_soft_reset:
35219 dev_info(&h->pdev->dev, "Board READY.\n");
35220 dev_info(&h->pdev->dev,
35221 "Waiting for stale completions to drain.\n");
35222 - h->access.set_intr_mask(h, CCISS_INTR_ON);
35223 + h->access->set_intr_mask(h, CCISS_INTR_ON);
35225 - h->access.set_intr_mask(h, CCISS_INTR_OFF);
35226 + h->access->set_intr_mask(h, CCISS_INTR_OFF);
35228 rc = controller_reset_failed(h->cfgtable);
35230 @@ -5146,7 +5148,7 @@ reinit_after_soft_reset:
35231 cciss_scsi_setup(h);
35233 /* Turn the interrupts on so we can service requests */
35234 - h->access.set_intr_mask(h, CCISS_INTR_ON);
35235 + h->access->set_intr_mask(h, CCISS_INTR_ON);
35237 /* Get the firmware version */
35238 inq_buff = kzalloc(sizeof(InquiryData_struct), GFP_KERNEL);
35239 @@ -5218,7 +5220,7 @@ static void cciss_shutdown(struct pci_dev *pdev)
35241 if (return_code != IO_OK)
35242 dev_warn(&h->pdev->dev, "Error flushing cache\n");
35243 - h->access.set_intr_mask(h, CCISS_INTR_OFF);
35244 + h->access->set_intr_mask(h, CCISS_INTR_OFF);
35245 free_irq(h->intr[h->intr_mode], h);
35248 diff --git a/drivers/block/cciss.h b/drivers/block/cciss.h
35249 index 7fda30e..eb5dfe0 100644
35250 --- a/drivers/block/cciss.h
35251 +++ b/drivers/block/cciss.h
35252 @@ -101,7 +101,7 @@ struct ctlr_info
35253 /* information about each logical volume */
35254 drive_info_struct *drv[CISS_MAX_LUN];
35256 - struct access_method access;
35257 + struct access_method *access;
35259 /* queue and queue Info */
35260 struct list_head reqQ;
35261 diff --git a/drivers/block/cpqarray.c b/drivers/block/cpqarray.c
35262 index 639d26b..fd6ad1f 100644
35263 --- a/drivers/block/cpqarray.c
35264 +++ b/drivers/block/cpqarray.c
35265 @@ -404,7 +404,7 @@ static int cpqarray_register_ctlr(int i, struct pci_dev *pdev)
35266 if (register_blkdev(COMPAQ_SMART2_MAJOR+i, hba[i]->devname)) {
35269 - hba[i]->access.set_intr_mask(hba[i], 0);
35270 + hba[i]->access->set_intr_mask(hba[i], 0);
35271 if (request_irq(hba[i]->intr, do_ida_intr,
35272 IRQF_DISABLED|IRQF_SHARED, hba[i]->devname, hba[i]))
35274 @@ -459,7 +459,7 @@ static int cpqarray_register_ctlr(int i, struct pci_dev *pdev)
35275 add_timer(&hba[i]->timer);
35277 /* Enable IRQ now that spinlock and rate limit timer are set up */
35278 - hba[i]->access.set_intr_mask(hba[i], FIFO_NOT_EMPTY);
35279 + hba[i]->access->set_intr_mask(hba[i], FIFO_NOT_EMPTY);
35281 for(j=0; j<NWD; j++) {
35282 struct gendisk *disk = ida_gendisk[i][j];
35283 @@ -694,7 +694,7 @@ DBGINFO(
35284 for(i=0; i<NR_PRODUCTS; i++) {
35285 if (board_id == products[i].board_id) {
35286 c->product_name = products[i].product_name;
35287 - c->access = *(products[i].access);
35288 + c->access = products[i].access;
35292 @@ -792,7 +792,7 @@ static int cpqarray_eisa_detect(void)
35293 hba[ctlr]->intr = intr;
35294 sprintf(hba[ctlr]->devname, "ida%d", nr_ctlr);
35295 hba[ctlr]->product_name = products[j].product_name;
35296 - hba[ctlr]->access = *(products[j].access);
35297 + hba[ctlr]->access = products[j].access;
35298 hba[ctlr]->ctlr = ctlr;
35299 hba[ctlr]->board_id = board_id;
35300 hba[ctlr]->pci_dev = NULL; /* not PCI */
35301 @@ -978,7 +978,7 @@ static void start_io(ctlr_info_t *h)
35303 while((c = h->reqQ) != NULL) {
35304 /* Can't do anything if we're busy */
35305 - if (h->access.fifo_full(h) == 0)
35306 + if (h->access->fifo_full(h) == 0)
35309 /* Get the first entry from the request Q */
35310 @@ -986,7 +986,7 @@ static void start_io(ctlr_info_t *h)
35313 /* Tell the controller to do our bidding */
35314 - h->access.submit_command(h, c);
35315 + h->access->submit_command(h, c);
35317 /* Get onto the completion Q */
35319 @@ -1048,7 +1048,7 @@ static irqreturn_t do_ida_intr(int irq, void *dev_id)
35320 unsigned long flags;
35323 - istat = h->access.intr_pending(h);
35324 + istat = h->access->intr_pending(h);
35325 /* Is this interrupt for us? */
35328 @@ -1059,7 +1059,7 @@ static irqreturn_t do_ida_intr(int irq, void *dev_id)
35330 spin_lock_irqsave(IDA_LOCK(h->ctlr), flags);
35331 if (istat & FIFO_NOT_EMPTY) {
35332 - while((a = h->access.command_completed(h))) {
35333 + while((a = h->access->command_completed(h))) {
35335 if ((c = h->cmpQ) == NULL)
35337 @@ -1193,6 +1193,7 @@ out_passthru:
35338 ida_pci_info_struct pciinfo;
35340 if (!arg) return -EINVAL;
35341 + memset(&pciinfo, 0, sizeof(pciinfo));
35342 pciinfo.bus = host->pci_dev->bus->number;
35343 pciinfo.dev_fn = host->pci_dev->devfn;
35344 pciinfo.board_id = host->board_id;
35345 @@ -1447,11 +1448,11 @@ static int sendcmd(
35347 * Disable interrupt
35349 - info_p->access.set_intr_mask(info_p, 0);
35350 + info_p->access->set_intr_mask(info_p, 0);
35351 /* Make sure there is room in the command FIFO */
35352 /* Actually it should be completely empty at this time. */
35353 for (i = 200000; i > 0; i--) {
35354 - temp = info_p->access.fifo_full(info_p);
35355 + temp = info_p->access->fifo_full(info_p);
35359 @@ -1464,7 +1465,7 @@ DBG(
35363 - info_p->access.submit_command(info_p, c);
35364 + info_p->access->submit_command(info_p, c);
35365 complete = pollcomplete(ctlr);
35367 pci_unmap_single(info_p->pci_dev, (dma_addr_t) c->req.sg[0].addr,
35368 @@ -1547,9 +1548,9 @@ static int revalidate_allvol(ctlr_info_t *host)
35369 * we check the new geometry. Then turn interrupts back on when
35372 - host->access.set_intr_mask(host, 0);
35373 + host->access->set_intr_mask(host, 0);
35375 - host->access.set_intr_mask(host, FIFO_NOT_EMPTY);
35376 + host->access->set_intr_mask(host, FIFO_NOT_EMPTY);
35378 for(i=0; i<NWD; i++) {
35379 struct gendisk *disk = ida_gendisk[ctlr][i];
35380 @@ -1589,7 +1590,7 @@ static int pollcomplete(int ctlr)
35381 /* Wait (up to 2 seconds) for a command to complete */
35383 for (i = 200000; i > 0; i--) {
35384 - done = hba[ctlr]->access.command_completed(hba[ctlr]);
35385 + done = hba[ctlr]->access->command_completed(hba[ctlr]);
35387 udelay(10); /* a short fixed delay */
35389 diff --git a/drivers/block/cpqarray.h b/drivers/block/cpqarray.h
35390 index be73e9d..7fbf140 100644
35391 --- a/drivers/block/cpqarray.h
35392 +++ b/drivers/block/cpqarray.h
35393 @@ -99,7 +99,7 @@ struct ctlr_info {
35394 drv_info_t drv[NWD];
35395 struct proc_dir_entry *proc;
35397 - struct access_method access;
35398 + struct access_method *access;
35402 diff --git a/drivers/block/drbd/drbd_int.h b/drivers/block/drbd/drbd_int.h
35403 index f943aac..99bfd19 100644
35404 --- a/drivers/block/drbd/drbd_int.h
35405 +++ b/drivers/block/drbd/drbd_int.h
35406 @@ -582,7 +582,7 @@ struct drbd_epoch {
35407 struct drbd_tconn *tconn;
35408 struct list_head list;
35409 unsigned int barrier_nr;
35410 - atomic_t epoch_size; /* increased on every request added. */
35411 + atomic_unchecked_t epoch_size; /* increased on every request added. */
35412 atomic_t active; /* increased on every req. added, and dec on every finished. */
35413 unsigned long flags;
35415 @@ -1021,7 +1021,7 @@ struct drbd_conf {
35416 unsigned int al_tr_number;
35418 wait_queue_head_t seq_wait;
35419 - atomic_t packet_seq;
35420 + atomic_unchecked_t packet_seq;
35421 unsigned int peer_seq;
35422 spinlock_t peer_seq_lock;
35423 unsigned int minor;
35424 @@ -1562,7 +1562,7 @@ static inline int drbd_setsockopt(struct socket *sock, int level, int optname,
35425 char __user *uoptval;
35428 - uoptval = (char __user __force *)optval;
35429 + uoptval = (char __force_user *)optval;
35432 if (level == SOL_SOCKET)
35433 diff --git a/drivers/block/drbd/drbd_main.c b/drivers/block/drbd/drbd_main.c
35434 index a5dca6a..bb27967 100644
35435 --- a/drivers/block/drbd/drbd_main.c
35436 +++ b/drivers/block/drbd/drbd_main.c
35437 @@ -1317,7 +1317,7 @@ static int _drbd_send_ack(struct drbd_conf *mdev, enum drbd_packet cmd,
35438 p->sector = sector;
35439 p->block_id = block_id;
35440 p->blksize = blksize;
35441 - p->seq_num = cpu_to_be32(atomic_inc_return(&mdev->packet_seq));
35442 + p->seq_num = cpu_to_be32(atomic_inc_return_unchecked(&mdev->packet_seq));
35443 return drbd_send_command(mdev, sock, cmd, sizeof(*p), NULL, 0);
35446 @@ -1619,7 +1619,7 @@ int drbd_send_dblock(struct drbd_conf *mdev, struct drbd_request *req)
35448 p->sector = cpu_to_be64(req->i.sector);
35449 p->block_id = (unsigned long)req;
35450 - p->seq_num = cpu_to_be32(atomic_inc_return(&mdev->packet_seq));
35451 + p->seq_num = cpu_to_be32(atomic_inc_return_unchecked(&mdev->packet_seq));
35452 dp_flags = bio_flags_to_wire(mdev, req->master_bio->bi_rw);
35453 if (mdev->state.conn >= C_SYNC_SOURCE &&
35454 mdev->state.conn <= C_PAUSED_SYNC_T)
35455 @@ -2574,8 +2574,8 @@ void conn_destroy(struct kref *kref)
35457 struct drbd_tconn *tconn = container_of(kref, struct drbd_tconn, kref);
35459 - if (atomic_read(&tconn->current_epoch->epoch_size) != 0)
35460 - conn_err(tconn, "epoch_size:%d\n", atomic_read(&tconn->current_epoch->epoch_size));
35461 + if (atomic_read_unchecked(&tconn->current_epoch->epoch_size) != 0)
35462 + conn_err(tconn, "epoch_size:%d\n", atomic_read_unchecked(&tconn->current_epoch->epoch_size));
35463 kfree(tconn->current_epoch);
35465 idr_destroy(&tconn->volumes);
35466 diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c
35467 index 4222aff..1f79506 100644
35468 --- a/drivers/block/drbd/drbd_receiver.c
35469 +++ b/drivers/block/drbd/drbd_receiver.c
35470 @@ -834,7 +834,7 @@ int drbd_connected(struct drbd_conf *mdev)
35474 - atomic_set(&mdev->packet_seq, 0);
35475 + atomic_set_unchecked(&mdev->packet_seq, 0);
35476 mdev->peer_seq = 0;
35478 mdev->state_mutex = mdev->tconn->agreed_pro_version < 100 ?
35479 @@ -1193,7 +1193,7 @@ static enum finish_epoch drbd_may_finish_epoch(struct drbd_tconn *tconn,
35483 - epoch_size = atomic_read(&epoch->epoch_size);
35484 + epoch_size = atomic_read_unchecked(&epoch->epoch_size);
35486 switch (ev & ~EV_CLEANUP) {
35488 @@ -1233,7 +1233,7 @@ static enum finish_epoch drbd_may_finish_epoch(struct drbd_tconn *tconn,
35492 - atomic_set(&epoch->epoch_size, 0);
35493 + atomic_set_unchecked(&epoch->epoch_size, 0);
35494 /* atomic_set(&epoch->active, 0); is already zero */
35495 if (rv == FE_STILL_LIVE)
35497 @@ -1451,7 +1451,7 @@ static int receive_Barrier(struct drbd_tconn *tconn, struct packet_info *pi)
35498 conn_wait_active_ee_empty(tconn);
35501 - if (atomic_read(&tconn->current_epoch->epoch_size)) {
35502 + if (atomic_read_unchecked(&tconn->current_epoch->epoch_size)) {
35503 epoch = kmalloc(sizeof(struct drbd_epoch), GFP_NOIO);
35506 @@ -1464,11 +1464,11 @@ static int receive_Barrier(struct drbd_tconn *tconn, struct packet_info *pi)
35510 - atomic_set(&epoch->epoch_size, 0);
35511 + atomic_set_unchecked(&epoch->epoch_size, 0);
35512 atomic_set(&epoch->active, 0);
35514 spin_lock(&tconn->epoch_lock);
35515 - if (atomic_read(&tconn->current_epoch->epoch_size)) {
35516 + if (atomic_read_unchecked(&tconn->current_epoch->epoch_size)) {
35517 list_add(&epoch->list, &tconn->current_epoch->list);
35518 tconn->current_epoch = epoch;
35520 @@ -2172,7 +2172,7 @@ static int receive_Data(struct drbd_tconn *tconn, struct packet_info *pi)
35522 err = wait_for_and_update_peer_seq(mdev, peer_seq);
35523 drbd_send_ack_dp(mdev, P_NEG_ACK, p, pi->size);
35524 - atomic_inc(&tconn->current_epoch->epoch_size);
35525 + atomic_inc_unchecked(&tconn->current_epoch->epoch_size);
35526 err2 = drbd_drain_block(mdev, pi->size);
35529 @@ -2206,7 +2206,7 @@ static int receive_Data(struct drbd_tconn *tconn, struct packet_info *pi)
35531 spin_lock(&tconn->epoch_lock);
35532 peer_req->epoch = tconn->current_epoch;
35533 - atomic_inc(&peer_req->epoch->epoch_size);
35534 + atomic_inc_unchecked(&peer_req->epoch->epoch_size);
35535 atomic_inc(&peer_req->epoch->active);
35536 spin_unlock(&tconn->epoch_lock);
35538 @@ -4347,7 +4347,7 @@ struct data_cmd {
35539 int expect_payload;
35541 int (*fn)(struct drbd_tconn *, struct packet_info *);
35545 static struct data_cmd drbd_cmd_handler[] = {
35546 [P_DATA] = { 1, sizeof(struct p_data), receive_Data },
35547 @@ -4467,7 +4467,7 @@ static void conn_disconnect(struct drbd_tconn *tconn)
35548 if (!list_empty(&tconn->current_epoch->list))
35549 conn_err(tconn, "ASSERTION FAILED: tconn->current_epoch->list not empty\n");
35550 /* ok, no more ee's on the fly, it is safe to reset the epoch_size */
35551 - atomic_set(&tconn->current_epoch->epoch_size, 0);
35552 + atomic_set_unchecked(&tconn->current_epoch->epoch_size, 0);
35553 tconn->send.seen_any_write_yet = false;
35555 conn_info(tconn, "Connection closed\n");
35556 @@ -5223,7 +5223,7 @@ static int tconn_finish_peer_reqs(struct drbd_tconn *tconn)
35557 struct asender_cmd {
35559 int (*fn)(struct drbd_tconn *tconn, struct packet_info *);
35563 static struct asender_cmd asender_tbl[] = {
35564 [P_PING] = { 0, got_Ping },
35565 diff --git a/drivers/block/loop.c b/drivers/block/loop.c
35566 index d92d50f..a7e9d97 100644
35567 --- a/drivers/block/loop.c
35568 +++ b/drivers/block/loop.c
35569 @@ -232,7 +232,7 @@ static int __do_lo_send_write(struct file *file,
35571 file_start_write(file);
35573 - bw = file->f_op->write(file, buf, len, &pos);
35574 + bw = file->f_op->write(file, (const char __force_user *)buf, len, &pos);
35576 file_end_write(file);
35577 if (likely(bw == len))
35578 diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c
35579 index f5d0ea1..c62380a 100644
35580 --- a/drivers/block/pktcdvd.c
35581 +++ b/drivers/block/pktcdvd.c
35583 #define MAX_SPEED 0xffff
35585 #define ZONE(sector, pd) (((sector) + (pd)->offset) & \
35586 - ~(sector_t)((pd)->settings.size - 1))
35587 + ~(sector_t)((pd)->settings.size - 1UL))
35589 static DEFINE_MUTEX(pktcdvd_mutex);
35590 static struct pktcdvd_device *pkt_devs[MAX_WRITERS];
35591 diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
35592 index 8a3aff7..d7538c2 100644
35593 --- a/drivers/cdrom/cdrom.c
35594 +++ b/drivers/cdrom/cdrom.c
35595 @@ -416,7 +416,6 @@ int register_cdrom(struct cdrom_device_info *cdi)
35596 ENSURE(reset, CDC_RESET);
35597 ENSURE(generic_packet, CDC_GENERIC_PACKET);
35599 - cdo->n_minors = 0;
35600 cdi->options = CDO_USE_FFLAGS;
35602 if (autoclose==1 && CDROM_CAN(CDC_CLOSE_TRAY))
35603 @@ -436,8 +435,11 @@ int register_cdrom(struct cdrom_device_info *cdi)
35605 cdi->cdda_method = CDDA_OLD;
35607 - if (!cdo->generic_packet)
35608 - cdo->generic_packet = cdrom_dummy_generic_packet;
35609 + if (!cdo->generic_packet) {
35610 + pax_open_kernel();
35611 + *(void **)&cdo->generic_packet = cdrom_dummy_generic_packet;
35612 + pax_close_kernel();
35615 cdinfo(CD_REG_UNREG, "drive \"/dev/%s\" registered\n", cdi->name);
35616 mutex_lock(&cdrom_mutex);
35617 @@ -458,7 +460,6 @@ void unregister_cdrom(struct cdrom_device_info *cdi)
35621 - cdi->ops->n_minors--;
35622 cdinfo(CD_REG_UNREG, "drive \"/dev/%s\" unregistered\n", cdi->name);
35625 @@ -2107,7 +2108,7 @@ static int cdrom_read_cdda_old(struct cdrom_device_info *cdi, __u8 __user *ubuf,
35629 - cgc.buffer = kmalloc(CD_FRAMESIZE_RAW * nr, GFP_KERNEL);
35630 + cgc.buffer = kzalloc(CD_FRAMESIZE_RAW * nr, GFP_KERNEL);
35634 @@ -3429,7 +3430,7 @@ static int cdrom_print_info(const char *header, int val, char *info,
35635 struct cdrom_device_info *cdi;
35638 - ret = scnprintf(info + *pos, max_size - *pos, header);
35639 + ret = scnprintf(info + *pos, max_size - *pos, "%s", header);
35643 diff --git a/drivers/cdrom/gdrom.c b/drivers/cdrom/gdrom.c
35644 index 4afcb65..a68a32d 100644
35645 --- a/drivers/cdrom/gdrom.c
35646 +++ b/drivers/cdrom/gdrom.c
35647 @@ -491,7 +491,6 @@ static struct cdrom_device_ops gdrom_ops = {
35648 .audio_ioctl = gdrom_audio_ioctl,
35649 .capability = CDC_MULTI_SESSION | CDC_MEDIA_CHANGED |
35650 CDC_RESET | CDC_DRIVE_STATUS | CDC_CD_R,
35654 static int gdrom_bdops_open(struct block_device *bdev, fmode_t mode)
35655 diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig
35656 index 3bb6fa3..34013fb 100644
35657 --- a/drivers/char/Kconfig
35658 +++ b/drivers/char/Kconfig
35659 @@ -8,7 +8,8 @@ source "drivers/tty/Kconfig"
35662 bool "/dev/kmem virtual device support"
35665 + depends on !GRKERNSEC_KMEM
35667 Say Y here if you want to support the /dev/kmem device. The
35668 /dev/kmem device is rarely used, but can be used for certain
35669 @@ -582,6 +583,7 @@ config DEVPORT
35672 depends on ISA || PCI
35673 + depends on !GRKERNSEC_KMEM
35676 source "drivers/s390/char/Kconfig"
35677 diff --git a/drivers/char/agp/compat_ioctl.c b/drivers/char/agp/compat_ioctl.c
35678 index a48e05b..6bac831 100644
35679 --- a/drivers/char/agp/compat_ioctl.c
35680 +++ b/drivers/char/agp/compat_ioctl.c
35681 @@ -108,7 +108,7 @@ static int compat_agpioc_reserve_wrap(struct agp_file_private *priv, void __user
35685 - if (copy_from_user(usegment, (void __user *) ureserve.seg_list,
35686 + if (copy_from_user(usegment, (void __force_user *) ureserve.seg_list,
35687 sizeof(*usegment) * ureserve.seg_count)) {
35690 diff --git a/drivers/char/agp/frontend.c b/drivers/char/agp/frontend.c
35691 index 2e04433..771f2cc 100644
35692 --- a/drivers/char/agp/frontend.c
35693 +++ b/drivers/char/agp/frontend.c
35694 @@ -817,7 +817,7 @@ static int agpioc_reserve_wrap(struct agp_file_private *priv, void __user *arg)
35695 if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
35698 - if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
35699 + if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
35702 client = agp_find_client_by_pid(reserve.pid);
35703 @@ -847,7 +847,7 @@ static int agpioc_reserve_wrap(struct agp_file_private *priv, void __user *arg)
35704 if (segment == NULL)
35707 - if (copy_from_user(segment, (void __user *) reserve.seg_list,
35708 + if (copy_from_user(segment, (void __force_user *) reserve.seg_list,
35709 sizeof(struct agp_segment) * reserve.seg_count)) {
35712 diff --git a/drivers/char/genrtc.c b/drivers/char/genrtc.c
35713 index 4f94375..413694e 100644
35714 --- a/drivers/char/genrtc.c
35715 +++ b/drivers/char/genrtc.c
35716 @@ -273,6 +273,7 @@ static int gen_rtc_ioctl(struct file *file,
35720 + memset(&pll, 0, sizeof(pll));
35721 if (get_rtc_pll(&pll))
35724 diff --git a/drivers/char/hpet.c b/drivers/char/hpet.c
35725 index d784650..e8bfd69 100644
35726 --- a/drivers/char/hpet.c
35727 +++ b/drivers/char/hpet.c
35728 @@ -559,7 +559,7 @@ static inline unsigned long hpet_time_div(struct hpets *hpets,
35732 -hpet_ioctl_common(struct hpet_dev *devp, int cmd, unsigned long arg,
35733 +hpet_ioctl_common(struct hpet_dev *devp, unsigned int cmd, unsigned long arg,
35734 struct hpet_info *info)
35736 struct hpet_timer __iomem *timer;
35737 diff --git a/drivers/char/hw_random/intel-rng.c b/drivers/char/hw_random/intel-rng.c
35738 index 86fe45c..c0ea948 100644
35739 --- a/drivers/char/hw_random/intel-rng.c
35740 +++ b/drivers/char/hw_random/intel-rng.c
35741 @@ -314,7 +314,7 @@ PFX "RNG, try using the 'no_fwh_detect' option.\n";
35746 + printk("%s", warning);
35750 diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c
35751 index 4445fa1..7c6de37 100644
35752 --- a/drivers/char/ipmi/ipmi_msghandler.c
35753 +++ b/drivers/char/ipmi/ipmi_msghandler.c
35754 @@ -420,7 +420,7 @@ struct ipmi_smi {
35755 struct proc_dir_entry *proc_dir;
35756 char proc_dir_name[10];
35758 - atomic_t stats[IPMI_NUM_STATS];
35759 + atomic_unchecked_t stats[IPMI_NUM_STATS];
35762 * run_to_completion duplicate of smb_info, smi_info
35763 @@ -453,9 +453,9 @@ static DEFINE_MUTEX(smi_watchers_mutex);
35766 #define ipmi_inc_stat(intf, stat) \
35767 - atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
35768 + atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])
35769 #define ipmi_get_stat(intf, stat) \
35770 - ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
35771 + ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]))
35773 static int is_lan_addr(struct ipmi_addr *addr)
35775 @@ -2883,7 +2883,7 @@ int ipmi_register_smi(struct ipmi_smi_handlers *handlers,
35776 INIT_LIST_HEAD(&intf->cmd_rcvrs);
35777 init_waitqueue_head(&intf->waitq);
35778 for (i = 0; i < IPMI_NUM_STATS; i++)
35779 - atomic_set(&intf->stats[i], 0);
35780 + atomic_set_unchecked(&intf->stats[i], 0);
35782 intf->proc_dir = NULL;
35784 diff --git a/drivers/char/ipmi/ipmi_si_intf.c b/drivers/char/ipmi/ipmi_si_intf.c
35785 index af4b23f..79806fc 100644
35786 --- a/drivers/char/ipmi/ipmi_si_intf.c
35787 +++ b/drivers/char/ipmi/ipmi_si_intf.c
35788 @@ -275,7 +275,7 @@ struct smi_info {
35789 unsigned char slave_addr;
35791 /* Counters and things for the proc filesystem. */
35792 - atomic_t stats[SI_NUM_STATS];
35793 + atomic_unchecked_t stats[SI_NUM_STATS];
35795 struct task_struct *thread;
35797 @@ -284,9 +284,9 @@ struct smi_info {
35800 #define smi_inc_stat(smi, stat) \
35801 - atomic_inc(&(smi)->stats[SI_STAT_ ## stat])
35802 + atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat])
35803 #define smi_get_stat(smi, stat) \
35804 - ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat]))
35805 + ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat]))
35807 #define SI_MAX_PARMS 4
35809 @@ -3258,7 +3258,7 @@ static int try_smi_init(struct smi_info *new_smi)
35810 atomic_set(&new_smi->req_events, 0);
35811 new_smi->run_to_completion = 0;
35812 for (i = 0; i < SI_NUM_STATS; i++)
35813 - atomic_set(&new_smi->stats[i], 0);
35814 + atomic_set_unchecked(&new_smi->stats[i], 0);
35816 new_smi->interrupt_disabled = 1;
35817 atomic_set(&new_smi->stop_operation, 0);
35818 diff --git a/drivers/char/mem.c b/drivers/char/mem.c
35819 index 1ccbe94..6ad651a 100644
35820 --- a/drivers/char/mem.c
35821 +++ b/drivers/char/mem.c
35823 #include <linux/raw.h>
35824 #include <linux/tty.h>
35825 #include <linux/capability.h>
35826 +#include <linux/security.h>
35827 #include <linux/ptrace.h>
35828 #include <linux/device.h>
35829 #include <linux/highmem.h>
35832 #define DEVPORT_MINOR 4
35834 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
35835 +extern const struct file_operations grsec_fops;
35838 static inline unsigned long size_inside_page(unsigned long start,
35839 unsigned long size)
35841 @@ -69,9 +74,13 @@ static inline int range_is_allowed(unsigned long pfn, unsigned long size)
35843 while (cursor < to) {
35844 if (!devmem_is_allowed(pfn)) {
35845 +#ifdef CONFIG_GRKERNSEC_KMEM
35846 + gr_handle_mem_readwrite(from, to);
35849 "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
35850 current->comm, from, to);
35854 cursor += PAGE_SIZE;
35855 @@ -79,6 +88,11 @@ static inline int range_is_allowed(unsigned long pfn, unsigned long size)
35859 +#elif defined(CONFIG_GRKERNSEC_KMEM)
35860 +static inline int range_is_allowed(unsigned long pfn, unsigned long size)
35865 static inline int range_is_allowed(unsigned long pfn, unsigned long size)
35867 @@ -121,6 +135,7 @@ static ssize_t read_mem(struct file *file, char __user *buf,
35869 while (count > 0) {
35870 unsigned long remaining;
35873 sz = size_inside_page(p, count);
35875 @@ -136,7 +151,23 @@ static ssize_t read_mem(struct file *file, char __user *buf,
35879 - remaining = copy_to_user(buf, ptr, sz);
35880 +#ifdef CONFIG_PAX_USERCOPY
35881 + temp = kmalloc(sz, GFP_KERNEL|GFP_USERCOPY);
35883 + unxlate_dev_mem_ptr(p, ptr);
35886 + memcpy(temp, ptr, sz);
35891 + remaining = copy_to_user(buf, temp, sz);
35893 +#ifdef CONFIG_PAX_USERCOPY
35897 unxlate_dev_mem_ptr(p, ptr);
35900 @@ -379,7 +410,7 @@ static ssize_t read_oldmem(struct file *file, char __user *buf,
35904 - rc = copy_oldmem_page(pfn, buf, csize, offset, 1);
35905 + rc = copy_oldmem_page(pfn, (char __force_kernel *)buf, csize, offset, 1);
35909 @@ -399,9 +430,8 @@ static ssize_t read_kmem(struct file *file, char __user *buf,
35910 size_t count, loff_t *ppos)
35912 unsigned long p = *ppos;
35913 - ssize_t low_count, read, sz;
35914 + ssize_t low_count, read, sz, err = 0;
35915 char *kbuf; /* k-addr because vread() takes vmlist_lock rwlock */
35919 if (p < (unsigned long) high_memory) {
35920 @@ -423,6 +453,8 @@ static ssize_t read_kmem(struct file *file, char __user *buf,
35923 while (low_count > 0) {
35926 sz = size_inside_page(p, low_count);
35929 @@ -432,7 +464,22 @@ static ssize_t read_kmem(struct file *file, char __user *buf,
35931 kbuf = xlate_dev_kmem_ptr((char *)p);
35933 - if (copy_to_user(buf, kbuf, sz))
35934 +#ifdef CONFIG_PAX_USERCOPY
35935 + temp = kmalloc(sz, GFP_KERNEL|GFP_USERCOPY);
35938 + memcpy(temp, kbuf, sz);
35943 + err = copy_to_user(buf, temp, sz);
35945 +#ifdef CONFIG_PAX_USERCOPY
35953 @@ -869,6 +916,9 @@ static const struct memdev {
35954 #ifdef CONFIG_CRASH_DUMP
35955 [12] = { "oldmem", 0, &oldmem_fops, NULL },
35957 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
35958 + [13] = { "grsec",S_IRUSR | S_IWUGO, &grsec_fops, NULL },
35962 static int memory_open(struct inode *inode, struct file *filp)
35963 @@ -940,7 +990,7 @@ static int __init chr_dev_init(void)
35966 device_create(mem_class, NULL, MKDEV(MEM_MAJOR, minor),
35967 - NULL, devlist[minor].name);
35968 + NULL, "%s", devlist[minor].name);
35972 diff --git a/drivers/char/mwave/tp3780i.c b/drivers/char/mwave/tp3780i.c
35973 index c689697..04e6d6a2 100644
35974 --- a/drivers/char/mwave/tp3780i.c
35975 +++ b/drivers/char/mwave/tp3780i.c
35976 @@ -479,6 +479,7 @@ int tp3780I_QueryAbilities(THINKPAD_BD_DATA * pBDData, MW_ABILITIES * pAbilities
35977 PRINTK_2(TRACE_TP3780I,
35978 "tp3780i::tp3780I_QueryAbilities entry pBDData %p\n", pBDData);
35980 + memset(pAbilities, 0, sizeof(*pAbilities));
35981 /* fill out standard constant fields */
35982 pAbilities->instr_per_sec = pBDData->rDspSettings.uIps;
35983 pAbilities->data_size = pBDData->rDspSettings.uDStoreSize;
35984 diff --git a/drivers/char/nvram.c b/drivers/char/nvram.c
35985 index 9df78e2..01ba9ae 100644
35986 --- a/drivers/char/nvram.c
35987 +++ b/drivers/char/nvram.c
35988 @@ -247,7 +247,7 @@ static ssize_t nvram_read(struct file *file, char __user *buf,
35990 spin_unlock_irq(&rtc_lock);
35992 - if (copy_to_user(buf, contents, tmp - contents))
35993 + if (tmp - contents > sizeof(contents) || copy_to_user(buf, contents, tmp - contents))
35997 diff --git a/drivers/char/pcmcia/synclink_cs.c b/drivers/char/pcmcia/synclink_cs.c
35998 index 5c5cc00..ac9edb7 100644
35999 --- a/drivers/char/pcmcia/synclink_cs.c
36000 +++ b/drivers/char/pcmcia/synclink_cs.c
36001 @@ -2345,9 +2345,9 @@ static void mgslpc_close(struct tty_struct *tty, struct file * filp)
36003 if (debug_level >= DEBUG_LEVEL_INFO)
36004 printk("%s(%d):mgslpc_close(%s) entry, count=%d\n",
36005 - __FILE__, __LINE__, info->device_name, port->count);
36006 + __FILE__, __LINE__, info->device_name, atomic_read(&port->count));
36008 - WARN_ON(!port->count);
36009 + WARN_ON(!atomic_read(&port->count));
36011 if (tty_port_close_start(port, tty, filp) == 0)
36013 @@ -2365,7 +2365,7 @@ static void mgslpc_close(struct tty_struct *tty, struct file * filp)
36015 if (debug_level >= DEBUG_LEVEL_INFO)
36016 printk("%s(%d):mgslpc_close(%s) exit, count=%d\n", __FILE__, __LINE__,
36017 - tty->driver->name, port->count);
36018 + tty->driver->name, atomic_read(&port->count));
36021 /* Wait until the transmitter is empty.
36022 @@ -2507,7 +2507,7 @@ static int mgslpc_open(struct tty_struct *tty, struct file * filp)
36024 if (debug_level >= DEBUG_LEVEL_INFO)
36025 printk("%s(%d):mgslpc_open(%s), old ref count = %d\n",
36026 - __FILE__, __LINE__, tty->driver->name, port->count);
36027 + __FILE__, __LINE__, tty->driver->name, atomic_read(&port->count));
36029 /* If port is closing, signal caller to try again */
36030 if (tty_hung_up_p(filp) || port->flags & ASYNC_CLOSING){
36031 @@ -2527,11 +2527,11 @@ static int mgslpc_open(struct tty_struct *tty, struct file * filp)
36034 spin_lock(&port->lock);
36036 + atomic_inc(&port->count);
36037 spin_unlock(&port->lock);
36038 spin_unlock_irqrestore(&info->netlock, flags);
36040 - if (port->count == 1) {
36041 + if (atomic_read(&port->count) == 1) {
36042 /* 1st open on this device, init hardware */
36043 retval = startup(info, tty);
36045 @@ -3920,7 +3920,7 @@ static int hdlcdev_attach(struct net_device *dev, unsigned short encoding,
36046 unsigned short new_crctype;
36048 /* return error if TTY interface open */
36049 - if (info->port.count)
36050 + if (atomic_read(&info->port.count))
36054 @@ -4024,7 +4024,7 @@ static int hdlcdev_open(struct net_device *dev)
36056 /* arbitrate between network and tty opens */
36057 spin_lock_irqsave(&info->netlock, flags);
36058 - if (info->port.count != 0 || info->netcount != 0) {
36059 + if (atomic_read(&info->port.count) != 0 || info->netcount != 0) {
36060 printk(KERN_WARNING "%s: hdlc_open returning busy\n", dev->name);
36061 spin_unlock_irqrestore(&info->netlock, flags);
36063 @@ -4114,7 +4114,7 @@ static int hdlcdev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
36064 printk("%s:hdlcdev_ioctl(%s)\n", __FILE__, dev->name);
36066 /* return error if TTY interface open */
36067 - if (info->port.count)
36068 + if (atomic_read(&info->port.count))
36071 if (cmd != SIOCWANDEV)
36072 diff --git a/drivers/char/random.c b/drivers/char/random.c
36073 index 35487e8..dac8bd1 100644
36074 --- a/drivers/char/random.c
36075 +++ b/drivers/char/random.c
36076 @@ -272,8 +272,13 @@
36078 * Configuration information
36080 +#ifdef CONFIG_GRKERNSEC_RANDNET
36081 +#define INPUT_POOL_WORDS 512
36082 +#define OUTPUT_POOL_WORDS 128
36084 #define INPUT_POOL_WORDS 128
36085 #define OUTPUT_POOL_WORDS 32
36087 #define SEC_XFER_SIZE 512
36088 #define EXTRACT_SIZE 10
36090 @@ -313,10 +318,17 @@ static struct poolinfo {
36092 int tap1, tap2, tap3, tap4, tap5;
36093 } poolinfo_table[] = {
36094 +#ifdef CONFIG_GRKERNSEC_RANDNET
36095 + /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
36096 + { 512, 411, 308, 208, 104, 1 },
36097 + /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
36098 + { 128, 103, 76, 51, 25, 1 },
36100 /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
36101 { 128, 103, 76, 51, 25, 1 },
36102 /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
36103 { 32, 26, 20, 14, 7, 1 },
36106 /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
36107 { 2048, 1638, 1231, 819, 411, 1 },
36108 @@ -524,8 +536,8 @@ static void _mix_pool_bytes(struct entropy_store *r, const void *in,
36109 input_rotate += i ? 7 : 14;
36112 - ACCESS_ONCE(r->input_rotate) = input_rotate;
36113 - ACCESS_ONCE(r->add_ptr) = i;
36114 + ACCESS_ONCE_RW(r->input_rotate) = input_rotate;
36115 + ACCESS_ONCE_RW(r->add_ptr) = i;
36119 @@ -1032,7 +1044,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
36121 extract_buf(r, tmp);
36122 i = min_t(int, nbytes, EXTRACT_SIZE);
36123 - if (copy_to_user(buf, tmp, i)) {
36124 + if (i > sizeof(tmp) || copy_to_user(buf, tmp, i)) {
36128 @@ -1368,7 +1380,7 @@ EXPORT_SYMBOL(generate_random_uuid);
36129 #include <linux/sysctl.h>
36131 static int min_read_thresh = 8, min_write_thresh;
36132 -static int max_read_thresh = INPUT_POOL_WORDS * 32;
36133 +static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
36134 static int max_write_thresh = INPUT_POOL_WORDS * 32;
36135 static char sysctl_bootid[16];
36137 @@ -1384,7 +1396,7 @@ static char sysctl_bootid[16];
36138 static int proc_do_uuid(ctl_table *table, int write,
36139 void __user *buffer, size_t *lenp, loff_t *ppos)
36141 - ctl_table fake_table;
36142 + ctl_table_no_const fake_table;
36143 unsigned char buf[64], tmp_uuid[16], *uuid;
36145 uuid = table->data;
36146 diff --git a/drivers/char/sonypi.c b/drivers/char/sonypi.c
36147 index bf2349db..5456d53 100644
36148 --- a/drivers/char/sonypi.c
36149 +++ b/drivers/char/sonypi.c
36152 #include <asm/uaccess.h>
36153 #include <asm/io.h>
36154 +#include <asm/local.h>
36156 #include <linux/sonypi.h>
36158 @@ -490,7 +491,7 @@ static struct sonypi_device {
36159 spinlock_t fifo_lock;
36160 wait_queue_head_t fifo_proc_list;
36161 struct fasync_struct *fifo_async;
36163 + local_t open_count;
36165 struct input_dev *input_jog_dev;
36166 struct input_dev *input_key_dev;
36167 @@ -897,7 +898,7 @@ static int sonypi_misc_fasync(int fd, struct file *filp, int on)
36168 static int sonypi_misc_release(struct inode *inode, struct file *file)
36170 mutex_lock(&sonypi_device.lock);
36171 - sonypi_device.open_count--;
36172 + local_dec(&sonypi_device.open_count);
36173 mutex_unlock(&sonypi_device.lock);
36176 @@ -906,9 +907,9 @@ static int sonypi_misc_open(struct inode *inode, struct file *file)
36178 mutex_lock(&sonypi_device.lock);
36179 /* Flush input queue on first open */
36180 - if (!sonypi_device.open_count)
36181 + if (!local_read(&sonypi_device.open_count))
36182 kfifo_reset(&sonypi_device.fifo);
36183 - sonypi_device.open_count++;
36184 + local_inc(&sonypi_device.open_count);
36185 mutex_unlock(&sonypi_device.lock);
36188 diff --git a/drivers/char/tpm/tpm_acpi.c b/drivers/char/tpm/tpm_acpi.c
36189 index 64420b3..5c40b56 100644
36190 --- a/drivers/char/tpm/tpm_acpi.c
36191 +++ b/drivers/char/tpm/tpm_acpi.c
36192 @@ -98,11 +98,12 @@ int read_log(struct tpm_bios_log *log)
36193 virt = acpi_os_map_memory(start, len);
36195 kfree(log->bios_event_log);
36196 + log->bios_event_log = NULL;
36197 printk("%s: ERROR - Unable to map memory\n", __func__);
36201 - memcpy_fromio(log->bios_event_log, virt, len);
36202 + memcpy_fromio(log->bios_event_log, (const char __force_kernel *)virt, len);
36204 acpi_os_unmap_memory(virt, len);
36206 diff --git a/drivers/char/tpm/tpm_eventlog.c b/drivers/char/tpm/tpm_eventlog.c
36207 index 84ddc55..1d32f1e 100644
36208 --- a/drivers/char/tpm/tpm_eventlog.c
36209 +++ b/drivers/char/tpm/tpm_eventlog.c
36210 @@ -95,7 +95,7 @@ static void *tpm_bios_measurements_start(struct seq_file *m, loff_t *pos)
36213 if ((event->event_type == 0 && event->event_size == 0) ||
36214 - ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
36215 + (event->event_size >= limit - addr - sizeof(struct tcpa_event)))
36219 @@ -120,7 +120,7 @@ static void *tpm_bios_measurements_next(struct seq_file *m, void *v,
36222 if ((event->event_type == 0 && event->event_size == 0) ||
36223 - ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
36224 + (event->event_size >= limit - v - sizeof(struct tcpa_event)))
36228 @@ -213,7 +213,8 @@ static int tpm_binary_bios_measurements_show(struct seq_file *m, void *v)
36231 for (i = 0; i < sizeof(struct tcpa_event) + event->event_size; i++)
36232 - seq_putc(m, data[i]);
36233 + if (!seq_putc(m, data[i]))
36238 diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
36239 index fc45567..fa2a590 100644
36240 --- a/drivers/char/virtio_console.c
36241 +++ b/drivers/char/virtio_console.c
36242 @@ -682,7 +682,7 @@ static ssize_t fill_readbuf(struct port *port, char *out_buf, size_t out_count,
36246 - ret = copy_to_user(out_buf, buf->buf + buf->offset, out_count);
36247 + ret = copy_to_user((char __force_user *)out_buf, buf->buf + buf->offset, out_count);
36251 @@ -785,7 +785,7 @@ static ssize_t port_fops_read(struct file *filp, char __user *ubuf,
36252 if (!port_has_data(port) && !port->host_connected)
36255 - return fill_readbuf(port, ubuf, count, true);
36256 + return fill_readbuf(port, (char __force_kernel *)ubuf, count, true);
36259 static int wait_port_writable(struct port *port, bool nonblock)
36260 diff --git a/drivers/clk/clk-composite.c b/drivers/clk/clk-composite.c
36261 index a33f46f..a720eed 100644
36262 --- a/drivers/clk/clk-composite.c
36263 +++ b/drivers/clk/clk-composite.c
36264 @@ -122,7 +122,7 @@ struct clk *clk_register_composite(struct device *dev, const char *name,
36266 struct clk_init_data init;
36267 struct clk_composite *composite;
36268 - struct clk_ops *clk_composite_ops;
36269 + clk_ops_no_const *clk_composite_ops;
36271 composite = kzalloc(sizeof(*composite), GFP_KERNEL);
36273 diff --git a/drivers/clk/socfpga/clk.c b/drivers/clk/socfpga/clk.c
36274 index bd11315..7f87098 100644
36275 --- a/drivers/clk/socfpga/clk.c
36276 +++ b/drivers/clk/socfpga/clk.c
36278 #include <linux/clk-provider.h>
36279 #include <linux/io.h>
36280 #include <linux/of.h>
36281 +#include <asm/pgtable.h>
36283 /* Clock Manager offsets */
36284 #define CLKMGR_CTRL 0x0
36285 @@ -135,8 +136,10 @@ static __init struct clk *socfpga_clk_init(struct device_node *node,
36286 if (strcmp(clk_name, "main_pll") || strcmp(clk_name, "periph_pll") ||
36287 strcmp(clk_name, "sdram_pll")) {
36288 socfpga_clk->hw.bit_idx = SOCFPGA_PLL_EXT_ENA;
36289 - clk_pll_ops.enable = clk_gate_ops.enable;
36290 - clk_pll_ops.disable = clk_gate_ops.disable;
36291 + pax_open_kernel();
36292 + *(void **)&clk_pll_ops.enable = clk_gate_ops.enable;
36293 + *(void **)&clk_pll_ops.disable = clk_gate_ops.disable;
36294 + pax_close_kernel();
36297 clk = clk_register(NULL, &socfpga_clk->hw.hw);
36298 diff --git a/drivers/clocksource/arm_arch_timer.c b/drivers/clocksource/arm_arch_timer.c
36299 index a2b2541..bc1e7ff 100644
36300 --- a/drivers/clocksource/arm_arch_timer.c
36301 +++ b/drivers/clocksource/arm_arch_timer.c
36302 @@ -264,7 +264,7 @@ static int __cpuinit arch_timer_cpu_notify(struct notifier_block *self,
36306 -static struct notifier_block arch_timer_cpu_nb __cpuinitdata = {
36307 +static struct notifier_block arch_timer_cpu_nb = {
36308 .notifier_call = arch_timer_cpu_notify,
36311 diff --git a/drivers/clocksource/bcm_kona_timer.c b/drivers/clocksource/bcm_kona_timer.c
36312 index 350f493..489479e 100644
36313 --- a/drivers/clocksource/bcm_kona_timer.c
36314 +++ b/drivers/clocksource/bcm_kona_timer.c
36315 @@ -199,7 +199,7 @@ static struct irqaction kona_timer_irq = {
36316 .handler = kona_timer_interrupt,
36319 -static void __init kona_timer_init(void)
36320 +static void __init kona_timer_init(struct device_node *np)
36322 kona_timers_init();
36323 kona_timer_clockevents_init();
36324 diff --git a/drivers/clocksource/metag_generic.c b/drivers/clocksource/metag_generic.c
36325 index ade7513..069445f 100644
36326 --- a/drivers/clocksource/metag_generic.c
36327 +++ b/drivers/clocksource/metag_generic.c
36328 @@ -169,7 +169,7 @@ static int __cpuinit arch_timer_cpu_notify(struct notifier_block *self,
36332 -static struct notifier_block __cpuinitdata arch_timer_cpu_nb = {
36333 +static struct notifier_block arch_timer_cpu_nb = {
36334 .notifier_call = arch_timer_cpu_notify,
36337 diff --git a/drivers/cpufreq/acpi-cpufreq.c b/drivers/cpufreq/acpi-cpufreq.c
36338 index edc089e..bc7c0bc 100644
36339 --- a/drivers/cpufreq/acpi-cpufreq.c
36340 +++ b/drivers/cpufreq/acpi-cpufreq.c
36341 @@ -172,7 +172,7 @@ static ssize_t show_global_boost(struct kobject *kobj,
36342 return sprintf(buf, "%u\n", boost_enabled);
36345 -static struct global_attr global_boost = __ATTR(boost, 0644,
36346 +static global_attr_no_const global_boost = __ATTR(boost, 0644,
36348 store_global_boost);
36350 @@ -705,8 +705,11 @@ static int acpi_cpufreq_cpu_init(struct cpufreq_policy *policy)
36351 data->acpi_data = per_cpu_ptr(acpi_perf_data, cpu);
36352 per_cpu(acfreq_data, cpu) = data;
36354 - if (cpu_has(c, X86_FEATURE_CONSTANT_TSC))
36355 - acpi_cpufreq_driver.flags |= CPUFREQ_CONST_LOOPS;
36356 + if (cpu_has(c, X86_FEATURE_CONSTANT_TSC)) {
36357 + pax_open_kernel();
36358 + *(u8 *)&acpi_cpufreq_driver.flags |= CPUFREQ_CONST_LOOPS;
36359 + pax_close_kernel();
36362 result = acpi_processor_register_performance(data->acpi_data, cpu);
36364 @@ -832,7 +835,9 @@ static int acpi_cpufreq_cpu_init(struct cpufreq_policy *policy)
36365 policy->cur = acpi_cpufreq_guess_freq(data, policy->cpu);
36367 case ACPI_ADR_SPACE_FIXED_HARDWARE:
36368 - acpi_cpufreq_driver.get = get_cur_freq_on_cpu;
36369 + pax_open_kernel();
36370 + *(void **)&acpi_cpufreq_driver.get = get_cur_freq_on_cpu;
36371 + pax_close_kernel();
36372 policy->cur = get_cur_freq_on_cpu(cpu);
36375 @@ -843,8 +848,11 @@ static int acpi_cpufreq_cpu_init(struct cpufreq_policy *policy)
36376 acpi_processor_notify_smm(THIS_MODULE);
36378 /* Check for APERF/MPERF support in hardware */
36379 - if (boot_cpu_has(X86_FEATURE_APERFMPERF))
36380 - acpi_cpufreq_driver.getavg = cpufreq_get_measured_perf;
36381 + if (boot_cpu_has(X86_FEATURE_APERFMPERF)) {
36382 + pax_open_kernel();
36383 + *(void **)&acpi_cpufreq_driver.getavg = cpufreq_get_measured_perf;
36384 + pax_close_kernel();
36387 pr_debug("CPU%u - ACPI performance management activated.\n", cpu);
36388 for (i = 0; i < perf->state_count; i++)
36389 diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
36390 index 6485547..477033e 100644
36391 --- a/drivers/cpufreq/cpufreq.c
36392 +++ b/drivers/cpufreq/cpufreq.c
36393 @@ -1854,7 +1854,7 @@ static int __cpuinit cpufreq_cpu_callback(struct notifier_block *nfb,
36397 -static struct notifier_block __refdata cpufreq_cpu_notifier = {
36398 +static struct notifier_block cpufreq_cpu_notifier = {
36399 .notifier_call = cpufreq_cpu_callback,
36402 @@ -1886,8 +1886,11 @@ int cpufreq_register_driver(struct cpufreq_driver *driver_data)
36404 pr_debug("trying to register driver %s\n", driver_data->name);
36406 - if (driver_data->setpolicy)
36407 - driver_data->flags |= CPUFREQ_CONST_LOOPS;
36408 + if (driver_data->setpolicy) {
36409 + pax_open_kernel();
36410 + *(u8 *)&driver_data->flags |= CPUFREQ_CONST_LOOPS;
36411 + pax_close_kernel();
36414 write_lock_irqsave(&cpufreq_driver_lock, flags);
36415 if (cpufreq_driver) {
36416 diff --git a/drivers/cpufreq/cpufreq_governor.c b/drivers/cpufreq/cpufreq_governor.c
36417 index a86ff72..aad2b03 100644
36418 --- a/drivers/cpufreq/cpufreq_governor.c
36419 +++ b/drivers/cpufreq/cpufreq_governor.c
36420 @@ -235,7 +235,7 @@ int cpufreq_governor_dbs(struct cpufreq_policy *policy,
36421 struct dbs_data *dbs_data;
36422 struct od_cpu_dbs_info_s *od_dbs_info = NULL;
36423 struct cs_cpu_dbs_info_s *cs_dbs_info = NULL;
36424 - struct od_ops *od_ops = NULL;
36425 + const struct od_ops *od_ops = NULL;
36426 struct od_dbs_tuners *od_tuners = NULL;
36427 struct cs_dbs_tuners *cs_tuners = NULL;
36428 struct cpu_dbs_common_info *cpu_cdbs;
36429 @@ -298,7 +298,7 @@ int cpufreq_governor_dbs(struct cpufreq_policy *policy,
36431 if ((cdata->governor == GOV_CONSERVATIVE) &&
36432 (!policy->governor->initialized)) {
36433 - struct cs_ops *cs_ops = dbs_data->cdata->gov_ops;
36434 + const struct cs_ops *cs_ops = dbs_data->cdata->gov_ops;
36436 cpufreq_register_notifier(cs_ops->notifier_block,
36437 CPUFREQ_TRANSITION_NOTIFIER);
36438 @@ -315,7 +315,7 @@ int cpufreq_governor_dbs(struct cpufreq_policy *policy,
36440 if ((dbs_data->cdata->governor == GOV_CONSERVATIVE) &&
36441 (policy->governor->initialized == 1)) {
36442 - struct cs_ops *cs_ops = dbs_data->cdata->gov_ops;
36443 + const struct cs_ops *cs_ops = dbs_data->cdata->gov_ops;
36445 cpufreq_unregister_notifier(cs_ops->notifier_block,
36446 CPUFREQ_TRANSITION_NOTIFIER);
36447 diff --git a/drivers/cpufreq/cpufreq_governor.h b/drivers/cpufreq/cpufreq_governor.h
36448 index 0d9e6be..461fd3b 100644
36449 --- a/drivers/cpufreq/cpufreq_governor.h
36450 +++ b/drivers/cpufreq/cpufreq_governor.h
36451 @@ -204,7 +204,7 @@ struct common_dbs_data {
36452 void (*exit)(struct dbs_data *dbs_data);
36454 /* Governor specific ops, see below */
36456 + const void *gov_ops;
36459 /* Governer Per policy data */
36460 diff --git a/drivers/cpufreq/cpufreq_ondemand.c b/drivers/cpufreq/cpufreq_ondemand.c
36461 index c087347..dad6268 100644
36462 --- a/drivers/cpufreq/cpufreq_ondemand.c
36463 +++ b/drivers/cpufreq/cpufreq_ondemand.c
36464 @@ -615,14 +615,18 @@ void od_register_powersave_bias_handler(unsigned int (*f)
36465 (struct cpufreq_policy *, unsigned int, unsigned int),
36466 unsigned int powersave_bias)
36468 - od_ops.powersave_bias_target = f;
36469 + pax_open_kernel();
36470 + *(void **)&od_ops.powersave_bias_target = f;
36471 + pax_close_kernel();
36472 od_set_powersave_bias(powersave_bias);
36474 EXPORT_SYMBOL_GPL(od_register_powersave_bias_handler);
36476 void od_unregister_powersave_bias_handler(void)
36478 - od_ops.powersave_bias_target = generic_powersave_bias_target;
36479 + pax_open_kernel();
36480 + *(void **)&od_ops.powersave_bias_target = generic_powersave_bias_target;
36481 + pax_close_kernel();
36482 od_set_powersave_bias(0);
36484 EXPORT_SYMBOL_GPL(od_unregister_powersave_bias_handler);
36485 diff --git a/drivers/cpufreq/cpufreq_stats.c b/drivers/cpufreq/cpufreq_stats.c
36486 index bfd6273..e39dd63 100644
36487 --- a/drivers/cpufreq/cpufreq_stats.c
36488 +++ b/drivers/cpufreq/cpufreq_stats.c
36489 @@ -365,7 +365,7 @@ static int __cpuinit cpufreq_stat_cpu_callback(struct notifier_block *nfb,
36492 /* priority=1 so this will get called before cpufreq_remove_dev */
36493 -static struct notifier_block cpufreq_stat_cpu_notifier __refdata = {
36494 +static struct notifier_block cpufreq_stat_cpu_notifier = {
36495 .notifier_call = cpufreq_stat_cpu_callback,
36498 diff --git a/drivers/cpufreq/p4-clockmod.c b/drivers/cpufreq/p4-clockmod.c
36499 index 421ef37..e708530c 100644
36500 --- a/drivers/cpufreq/p4-clockmod.c
36501 +++ b/drivers/cpufreq/p4-clockmod.c
36502 @@ -160,10 +160,14 @@ static unsigned int cpufreq_p4_get_frequency(struct cpuinfo_x86 *c)
36503 case 0x0F: /* Core Duo */
36504 case 0x16: /* Celeron Core */
36505 case 0x1C: /* Atom */
36506 - p4clockmod_driver.flags |= CPUFREQ_CONST_LOOPS;
36507 + pax_open_kernel();
36508 + *(u8 *)&p4clockmod_driver.flags |= CPUFREQ_CONST_LOOPS;
36509 + pax_close_kernel();
36510 return speedstep_get_frequency(SPEEDSTEP_CPU_PCORE);
36511 case 0x0D: /* Pentium M (Dothan) */
36512 - p4clockmod_driver.flags |= CPUFREQ_CONST_LOOPS;
36513 + pax_open_kernel();
36514 + *(u8 *)&p4clockmod_driver.flags |= CPUFREQ_CONST_LOOPS;
36515 + pax_close_kernel();
36517 case 0x09: /* Pentium M (Banias) */
36518 return speedstep_get_frequency(SPEEDSTEP_CPU_PM);
36519 @@ -175,7 +179,9 @@ static unsigned int cpufreq_p4_get_frequency(struct cpuinfo_x86 *c)
36521 /* on P-4s, the TSC runs with constant frequency independent whether
36522 * throttling is active or not. */
36523 - p4clockmod_driver.flags |= CPUFREQ_CONST_LOOPS;
36524 + pax_open_kernel();
36525 + *(u8 *)&p4clockmod_driver.flags |= CPUFREQ_CONST_LOOPS;
36526 + pax_close_kernel();
36528 if (speedstep_detect_processor() == SPEEDSTEP_CPU_P4M) {
36529 printk(KERN_WARNING PFX "Warning: Pentium 4-M detected. "
36530 diff --git a/drivers/cpufreq/sparc-us3-cpufreq.c b/drivers/cpufreq/sparc-us3-cpufreq.c
36531 index c71ee14..7c2e183 100644
36532 --- a/drivers/cpufreq/sparc-us3-cpufreq.c
36533 +++ b/drivers/cpufreq/sparc-us3-cpufreq.c
36534 @@ -18,14 +18,12 @@
36535 #include <asm/head.h>
36536 #include <asm/timer.h>
36538 -static struct cpufreq_driver *cpufreq_us3_driver;
36540 struct us3_freq_percpu_info {
36541 struct cpufreq_frequency_table table[4];
36544 /* Indexed by cpu number. */
36545 -static struct us3_freq_percpu_info *us3_freq_table;
36546 +static struct us3_freq_percpu_info us3_freq_table[NR_CPUS];
36548 /* UltraSPARC-III has three dividers: 1, 2, and 32. These are controlled
36549 * in the Safari config register.
36550 @@ -186,12 +184,25 @@ static int __init us3_freq_cpu_init(struct cpufreq_policy *policy)
36552 static int us3_freq_cpu_exit(struct cpufreq_policy *policy)
36554 - if (cpufreq_us3_driver)
36555 - us3_set_cpu_divider_index(policy, 0);
36556 + us3_set_cpu_divider_index(policy->cpu, 0);
36561 +static int __init us3_freq_init(void);
36562 +static void __exit us3_freq_exit(void);
36564 +static struct cpufreq_driver cpufreq_us3_driver = {
36565 + .init = us3_freq_cpu_init,
36566 + .verify = us3_freq_verify,
36567 + .target = us3_freq_target,
36568 + .get = us3_freq_get,
36569 + .exit = us3_freq_cpu_exit,
36570 + .owner = THIS_MODULE,
36571 + .name = "UltraSPARC-III",
36575 static int __init us3_freq_init(void)
36577 unsigned long manuf, impl, ver;
36578 @@ -208,57 +219,15 @@ static int __init us3_freq_init(void)
36579 (impl == CHEETAH_IMPL ||
36580 impl == CHEETAH_PLUS_IMPL ||
36581 impl == JAGUAR_IMPL ||
36582 - impl == PANTHER_IMPL)) {
36583 - struct cpufreq_driver *driver;
36586 - driver = kzalloc(sizeof(struct cpufreq_driver), GFP_KERNEL);
36590 - us3_freq_table = kzalloc(
36591 - (NR_CPUS * sizeof(struct us3_freq_percpu_info)),
36593 - if (!us3_freq_table)
36596 - driver->init = us3_freq_cpu_init;
36597 - driver->verify = us3_freq_verify;
36598 - driver->target = us3_freq_target;
36599 - driver->get = us3_freq_get;
36600 - driver->exit = us3_freq_cpu_exit;
36601 - driver->owner = THIS_MODULE,
36602 - strcpy(driver->name, "UltraSPARC-III");
36604 - cpufreq_us3_driver = driver;
36605 - ret = cpufreq_register_driver(driver);
36614 - cpufreq_us3_driver = NULL;
36616 - kfree(us3_freq_table);
36617 - us3_freq_table = NULL;
36620 + impl == PANTHER_IMPL))
36621 + return cpufreq_register_driver(&cpufreq_us3_driver);
36626 static void __exit us3_freq_exit(void)
36628 - if (cpufreq_us3_driver) {
36629 - cpufreq_unregister_driver(cpufreq_us3_driver);
36630 - kfree(cpufreq_us3_driver);
36631 - cpufreq_us3_driver = NULL;
36632 - kfree(us3_freq_table);
36633 - us3_freq_table = NULL;
36635 + cpufreq_unregister_driver(&cpufreq_us3_driver);
36638 MODULE_AUTHOR("David S. Miller <davem@redhat.com>");
36639 diff --git a/drivers/cpufreq/speedstep-centrino.c b/drivers/cpufreq/speedstep-centrino.c
36640 index 618e6f4..e89d915 100644
36641 --- a/drivers/cpufreq/speedstep-centrino.c
36642 +++ b/drivers/cpufreq/speedstep-centrino.c
36643 @@ -353,8 +353,11 @@ static int centrino_cpu_init(struct cpufreq_policy *policy)
36644 !cpu_has(cpu, X86_FEATURE_EST))
36647 - if (cpu_has(cpu, X86_FEATURE_CONSTANT_TSC))
36648 - centrino_driver.flags |= CPUFREQ_CONST_LOOPS;
36649 + if (cpu_has(cpu, X86_FEATURE_CONSTANT_TSC)) {
36650 + pax_open_kernel();
36651 + *(u8 *)¢rino_driver.flags |= CPUFREQ_CONST_LOOPS;
36652 + pax_close_kernel();
36655 if (policy->cpu != 0)
36657 diff --git a/drivers/cpuidle/cpuidle.c b/drivers/cpuidle/cpuidle.c
36658 index c3a93fe..e808f24 100644
36659 --- a/drivers/cpuidle/cpuidle.c
36660 +++ b/drivers/cpuidle/cpuidle.c
36661 @@ -254,7 +254,7 @@ static int poll_idle(struct cpuidle_device *dev,
36663 static void poll_idle_init(struct cpuidle_driver *drv)
36665 - struct cpuidle_state *state = &drv->states[0];
36666 + cpuidle_state_no_const *state = &drv->states[0];
36668 snprintf(state->name, CPUIDLE_NAME_LEN, "POLL");
36669 snprintf(state->desc, CPUIDLE_DESC_LEN, "CPUIDLE CORE POLL IDLE");
36670 diff --git a/drivers/cpuidle/governor.c b/drivers/cpuidle/governor.c
36671 index ea2f8e7..70ac501 100644
36672 --- a/drivers/cpuidle/governor.c
36673 +++ b/drivers/cpuidle/governor.c
36674 @@ -87,7 +87,7 @@ int cpuidle_register_governor(struct cpuidle_governor *gov)
36675 mutex_lock(&cpuidle_lock);
36676 if (__cpuidle_find_governor(gov->name) == NULL) {
36678 - list_add_tail(&gov->governor_list, &cpuidle_governors);
36679 + pax_list_add_tail((struct list_head *)&gov->governor_list, &cpuidle_governors);
36680 if (!cpuidle_curr_governor ||
36681 cpuidle_curr_governor->rating < gov->rating)
36682 cpuidle_switch_governor(gov);
36683 @@ -135,7 +135,7 @@ void cpuidle_unregister_governor(struct cpuidle_governor *gov)
36684 new_gov = cpuidle_replace_governor(gov->rating);
36685 cpuidle_switch_governor(new_gov);
36687 - list_del(&gov->governor_list);
36688 + pax_list_del((struct list_head *)&gov->governor_list);
36689 mutex_unlock(&cpuidle_lock);
36692 diff --git a/drivers/cpuidle/sysfs.c b/drivers/cpuidle/sysfs.c
36693 index 428754a..8bdf9cc 100644
36694 --- a/drivers/cpuidle/sysfs.c
36695 +++ b/drivers/cpuidle/sysfs.c
36696 @@ -131,7 +131,7 @@ static struct attribute *cpuidle_switch_attrs[] = {
36700 -static struct attribute_group cpuidle_attr_group = {
36701 +static attribute_group_no_const cpuidle_attr_group = {
36702 .attrs = cpuidle_default_attrs,
36705 diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c
36706 index 3b36797..db0b0c0 100644
36707 --- a/drivers/devfreq/devfreq.c
36708 +++ b/drivers/devfreq/devfreq.c
36709 @@ -477,7 +477,7 @@ struct devfreq *devfreq_add_device(struct device *dev,
36711 devfreq->last_stat_updated = jiffies;
36713 - dev_set_name(&devfreq->dev, dev_name(dev));
36714 + dev_set_name(&devfreq->dev, "%s", dev_name(dev));
36715 err = device_register(&devfreq->dev);
36717 put_device(&devfreq->dev);
36718 @@ -588,7 +588,7 @@ int devfreq_add_governor(struct devfreq_governor *governor)
36722 - list_add(&governor->node, &devfreq_governor_list);
36723 + pax_list_add((struct list_head *)&governor->node, &devfreq_governor_list);
36725 list_for_each_entry(devfreq, &devfreq_list, node) {
36727 @@ -676,7 +676,7 @@ int devfreq_remove_governor(struct devfreq_governor *governor)
36731 - list_del(&governor->node);
36732 + pax_list_del((struct list_head *)&governor->node);
36734 mutex_unlock(&devfreq_list_lock);
36736 diff --git a/drivers/dma/sh/shdma.c b/drivers/dma/sh/shdma.c
36737 index b70709b..1d8d02a 100644
36738 --- a/drivers/dma/sh/shdma.c
36739 +++ b/drivers/dma/sh/shdma.c
36740 @@ -476,7 +476,7 @@ static int sh_dmae_nmi_handler(struct notifier_block *self,
36744 -static struct notifier_block sh_dmae_nmi_notifier __read_mostly = {
36745 +static struct notifier_block sh_dmae_nmi_notifier = {
36746 .notifier_call = sh_dmae_nmi_handler,
36748 /* Run before NMI debug handler and KGDB */
36749 diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c
36750 index c4d700a..0b57abd 100644
36751 --- a/drivers/edac/edac_mc_sysfs.c
36752 +++ b/drivers/edac/edac_mc_sysfs.c
36753 @@ -148,7 +148,7 @@ static const char * const edac_caps[] = {
36754 struct dev_ch_attribute {
36755 struct device_attribute attr;
36760 #define DEVICE_CHANNEL(_name, _mode, _show, _store, _var) \
36761 struct dev_ch_attribute dev_attr_legacy_##_name = \
36762 @@ -1005,14 +1005,16 @@ int edac_create_sysfs_mci_device(struct mem_ctl_info *mci)
36765 if (mci->set_sdram_scrub_rate || mci->get_sdram_scrub_rate) {
36766 + pax_open_kernel();
36767 if (mci->get_sdram_scrub_rate) {
36768 - dev_attr_sdram_scrub_rate.attr.mode |= S_IRUGO;
36769 - dev_attr_sdram_scrub_rate.show = &mci_sdram_scrub_rate_show;
36770 + *(umode_t *)&dev_attr_sdram_scrub_rate.attr.mode |= S_IRUGO;
36771 + *(void **)&dev_attr_sdram_scrub_rate.show = &mci_sdram_scrub_rate_show;
36773 if (mci->set_sdram_scrub_rate) {
36774 - dev_attr_sdram_scrub_rate.attr.mode |= S_IWUSR;
36775 - dev_attr_sdram_scrub_rate.store = &mci_sdram_scrub_rate_store;
36776 + *(umode_t *)&dev_attr_sdram_scrub_rate.attr.mode |= S_IWUSR;
36777 + *(void **)&dev_attr_sdram_scrub_rate.store = &mci_sdram_scrub_rate_store;
36779 + pax_close_kernel();
36780 err = device_create_file(&mci->dev,
36781 &dev_attr_sdram_scrub_rate);
36783 diff --git a/drivers/edac/edac_pci_sysfs.c b/drivers/edac/edac_pci_sysfs.c
36784 index e8658e4..22746d6 100644
36785 --- a/drivers/edac/edac_pci_sysfs.c
36786 +++ b/drivers/edac/edac_pci_sysfs.c
36787 @@ -26,8 +26,8 @@ static int edac_pci_log_pe = 1; /* log PCI parity errors */
36788 static int edac_pci_log_npe = 1; /* log PCI non-parity error errors */
36789 static int edac_pci_poll_msec = 1000; /* one second workq period */
36791 -static atomic_t pci_parity_count = ATOMIC_INIT(0);
36792 -static atomic_t pci_nonparity_count = ATOMIC_INIT(0);
36793 +static atomic_unchecked_t pci_parity_count = ATOMIC_INIT(0);
36794 +static atomic_unchecked_t pci_nonparity_count = ATOMIC_INIT(0);
36796 static struct kobject *edac_pci_top_main_kobj;
36797 static atomic_t edac_pci_sysfs_refcount = ATOMIC_INIT(0);
36798 @@ -235,7 +235,7 @@ struct edac_pci_dev_attribute {
36800 ssize_t(*show) (void *, char *);
36801 ssize_t(*store) (void *, const char *, size_t);
36805 /* Set of show/store abstract level functions for PCI Parity object */
36806 static ssize_t edac_pci_dev_show(struct kobject *kobj, struct attribute *attr,
36807 @@ -579,7 +579,7 @@ static void edac_pci_dev_parity_test(struct pci_dev *dev)
36808 edac_printk(KERN_CRIT, EDAC_PCI,
36809 "Signaled System Error on %s\n",
36811 - atomic_inc(&pci_nonparity_count);
36812 + atomic_inc_unchecked(&pci_nonparity_count);
36815 if (status & (PCI_STATUS_PARITY)) {
36816 @@ -587,7 +587,7 @@ static void edac_pci_dev_parity_test(struct pci_dev *dev)
36817 "Master Data Parity Error on %s\n",
36820 - atomic_inc(&pci_parity_count);
36821 + atomic_inc_unchecked(&pci_parity_count);
36824 if (status & (PCI_STATUS_DETECTED_PARITY)) {
36825 @@ -595,7 +595,7 @@ static void edac_pci_dev_parity_test(struct pci_dev *dev)
36826 "Detected Parity Error on %s\n",
36829 - atomic_inc(&pci_parity_count);
36830 + atomic_inc_unchecked(&pci_parity_count);
36834 @@ -618,7 +618,7 @@ static void edac_pci_dev_parity_test(struct pci_dev *dev)
36835 edac_printk(KERN_CRIT, EDAC_PCI, "Bridge "
36836 "Signaled System Error on %s\n",
36838 - atomic_inc(&pci_nonparity_count);
36839 + atomic_inc_unchecked(&pci_nonparity_count);
36842 if (status & (PCI_STATUS_PARITY)) {
36843 @@ -626,7 +626,7 @@ static void edac_pci_dev_parity_test(struct pci_dev *dev)
36844 "Master Data Parity Error on "
36845 "%s\n", pci_name(dev));
36847 - atomic_inc(&pci_parity_count);
36848 + atomic_inc_unchecked(&pci_parity_count);
36851 if (status & (PCI_STATUS_DETECTED_PARITY)) {
36852 @@ -634,7 +634,7 @@ static void edac_pci_dev_parity_test(struct pci_dev *dev)
36853 "Detected Parity Error on %s\n",
36856 - atomic_inc(&pci_parity_count);
36857 + atomic_inc_unchecked(&pci_parity_count);
36861 @@ -672,7 +672,7 @@ void edac_pci_do_parity_check(void)
36862 if (!check_pci_errors)
36865 - before_count = atomic_read(&pci_parity_count);
36866 + before_count = atomic_read_unchecked(&pci_parity_count);
36868 /* scan all PCI devices looking for a Parity Error on devices and
36870 @@ -684,7 +684,7 @@ void edac_pci_do_parity_check(void)
36871 /* Only if operator has selected panic on PCI Error */
36872 if (edac_pci_get_panic_on_pe()) {
36873 /* If the count is different 'after' from 'before' */
36874 - if (before_count != atomic_read(&pci_parity_count))
36875 + if (before_count != atomic_read_unchecked(&pci_parity_count))
36876 panic("EDAC: PCI Parity Error");
36879 diff --git a/drivers/edac/mce_amd.h b/drivers/edac/mce_amd.h
36880 index 51b7e3a..aa8a3e8 100644
36881 --- a/drivers/edac/mce_amd.h
36882 +++ b/drivers/edac/mce_amd.h
36883 @@ -77,7 +77,7 @@ struct amd_decoder_ops {
36884 bool (*mc0_mce)(u16, u8);
36885 bool (*mc1_mce)(u16, u8);
36886 bool (*mc2_mce)(u16, u8);
36890 void amd_report_gart_errors(bool);
36891 void amd_register_ecc_decoder(void (*f)(int, struct mce *));
36892 diff --git a/drivers/firewire/core-card.c b/drivers/firewire/core-card.c
36893 index 57ea7f4..789e3c3 100644
36894 --- a/drivers/firewire/core-card.c
36895 +++ b/drivers/firewire/core-card.c
36896 @@ -680,7 +680,7 @@ EXPORT_SYMBOL_GPL(fw_card_release);
36898 void fw_core_remove_card(struct fw_card *card)
36900 - struct fw_card_driver dummy_driver = dummy_driver_template;
36901 + fw_card_driver_no_const dummy_driver = dummy_driver_template;
36903 card->driver->update_phy_reg(card, 4,
36904 PHY_LINK_ACTIVE | PHY_CONTENDER, 0);
36905 diff --git a/drivers/firewire/core-device.c b/drivers/firewire/core-device.c
36906 index 664a6ff..af13580 100644
36907 --- a/drivers/firewire/core-device.c
36908 +++ b/drivers/firewire/core-device.c
36909 @@ -232,7 +232,7 @@ EXPORT_SYMBOL(fw_device_enable_phys_dma);
36910 struct config_rom_attribute {
36911 struct device_attribute attr;
36916 static ssize_t show_immediate(struct device *dev,
36917 struct device_attribute *dattr, char *buf)
36918 diff --git a/drivers/firewire/core-transaction.c b/drivers/firewire/core-transaction.c
36919 index 28a94c7..58da63a 100644
36920 --- a/drivers/firewire/core-transaction.c
36921 +++ b/drivers/firewire/core-transaction.c
36923 #include <linux/timer.h>
36924 #include <linux/types.h>
36925 #include <linux/workqueue.h>
36926 +#include <linux/sched.h>
36928 #include <asm/byteorder.h>
36930 diff --git a/drivers/firewire/core.h b/drivers/firewire/core.h
36931 index 515a42c..5ecf3ba 100644
36932 --- a/drivers/firewire/core.h
36933 +++ b/drivers/firewire/core.h
36934 @@ -111,6 +111,7 @@ struct fw_card_driver {
36936 int (*stop_iso)(struct fw_iso_context *ctx);
36938 +typedef struct fw_card_driver __no_const fw_card_driver_no_const;
36940 void fw_card_initialize(struct fw_card *card,
36941 const struct fw_card_driver *driver, struct device *device);
36942 diff --git a/drivers/firmware/dmi-id.c b/drivers/firmware/dmi-id.c
36943 index 94a58a0..f5eba42 100644
36944 --- a/drivers/firmware/dmi-id.c
36945 +++ b/drivers/firmware/dmi-id.c
36947 struct dmi_device_attribute{
36948 struct device_attribute dev_attr;
36952 #define to_dmi_dev_attr(_dev_attr) \
36953 container_of(_dev_attr, struct dmi_device_attribute, dev_attr)
36955 diff --git a/drivers/firmware/dmi_scan.c b/drivers/firmware/dmi_scan.c
36956 index b95159b..841ae55 100644
36957 --- a/drivers/firmware/dmi_scan.c
36958 +++ b/drivers/firmware/dmi_scan.c
36959 @@ -497,11 +497,6 @@ void __init dmi_scan_machine(void)
36964 - * no iounmap() for that ioremap(); it would be a no-op, but
36965 - * it's so early in setup that sucker gets confused into doing
36966 - * what it shouldn't if we actually call it.
36968 p = dmi_ioremap(0xF0000, 0x10000);
36971 @@ -786,7 +781,7 @@ int dmi_walk(void (*decode)(const struct dmi_header *, void *),
36975 - dmi_table(buf, dmi_len, dmi_num, decode, private_data);
36976 + dmi_table((char __force_kernel *)buf, dmi_len, dmi_num, decode, private_data);
36980 diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
36981 index 5145fa3..0d3babd 100644
36982 --- a/drivers/firmware/efi/efi.c
36983 +++ b/drivers/firmware/efi/efi.c
36984 @@ -65,14 +65,16 @@ static struct attribute_group efi_subsys_attr_group = {
36987 static struct efivars generic_efivars;
36988 -static struct efivar_operations generic_ops;
36989 +static efivar_operations_no_const generic_ops __read_only;
36991 static int generic_ops_register(void)
36993 - generic_ops.get_variable = efi.get_variable;
36994 - generic_ops.set_variable = efi.set_variable;
36995 - generic_ops.get_next_variable = efi.get_next_variable;
36996 - generic_ops.query_variable_store = efi_query_variable_store;
36997 + pax_open_kernel();
36998 + *(void **)&generic_ops.get_variable = efi.get_variable;
36999 + *(void **)&generic_ops.set_variable = efi.set_variable;
37000 + *(void **)&generic_ops.get_next_variable = efi.get_next_variable;
37001 + *(void **)&generic_ops.query_variable_store = efi_query_variable_store;
37002 + pax_close_kernel();
37004 return efivars_register(&generic_efivars, &generic_ops, efi_kobj);
37006 diff --git a/drivers/firmware/efi/efivars.c b/drivers/firmware/efi/efivars.c
37007 index 8bd1bb6..c48b0c6 100644
37008 --- a/drivers/firmware/efi/efivars.c
37009 +++ b/drivers/firmware/efi/efivars.c
37010 @@ -452,7 +452,7 @@ efivar_create_sysfs_entry(struct efivar_entry *new_var)
37012 create_efivars_bin_attributes(void)
37014 - struct bin_attribute *attr;
37015 + bin_attribute_no_const *attr;
37019 diff --git a/drivers/firmware/google/memconsole.c b/drivers/firmware/google/memconsole.c
37020 index 2a90ba6..07f3733 100644
37021 --- a/drivers/firmware/google/memconsole.c
37022 +++ b/drivers/firmware/google/memconsole.c
37023 @@ -147,7 +147,9 @@ static int __init memconsole_init(void)
37024 if (!found_memconsole())
37027 - memconsole_bin_attr.size = memconsole_length;
37028 + pax_open_kernel();
37029 + *(size_t *)&memconsole_bin_attr.size = memconsole_length;
37030 + pax_close_kernel();
37032 ret = sysfs_create_bin_file(firmware_kobj, &memconsole_bin_attr);
37034 diff --git a/drivers/gpio/gpio-ich.c b/drivers/gpio/gpio-ich.c
37035 index e16d932..f0206ef 100644
37036 --- a/drivers/gpio/gpio-ich.c
37037 +++ b/drivers/gpio/gpio-ich.c
37038 @@ -69,7 +69,7 @@ struct ichx_desc {
37039 /* Some chipsets have quirks, let these use their own request/get */
37040 int (*request)(struct gpio_chip *chip, unsigned offset);
37041 int (*get)(struct gpio_chip *chip, unsigned offset);
37047 diff --git a/drivers/gpio/gpio-vr41xx.c b/drivers/gpio/gpio-vr41xx.c
37048 index 9902732..64b62dd 100644
37049 --- a/drivers/gpio/gpio-vr41xx.c
37050 +++ b/drivers/gpio/gpio-vr41xx.c
37051 @@ -204,7 +204,7 @@ static int giu_get_irq(unsigned int irq)
37052 printk(KERN_ERR "spurious GIU interrupt: %04x(%04x),%04x(%04x)\n",
37053 maskl, pendl, maskh, pendh);
37055 - atomic_inc(&irq_err_count);
37056 + atomic_inc_unchecked(&irq_err_count);
37060 diff --git a/drivers/gpu/drm/drm_crtc_helper.c b/drivers/gpu/drm/drm_crtc_helper.c
37061 index ed1334e..ee0dd42 100644
37062 --- a/drivers/gpu/drm/drm_crtc_helper.c
37063 +++ b/drivers/gpu/drm/drm_crtc_helper.c
37064 @@ -321,7 +321,7 @@ static bool drm_encoder_crtc_ok(struct drm_encoder *encoder,
37065 struct drm_crtc *tmp;
37068 - WARN(!crtc, "checking null crtc?\n");
37073 diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c
37074 index 9cc247f..36aa285 100644
37075 --- a/drivers/gpu/drm/drm_drv.c
37076 +++ b/drivers/gpu/drm/drm_drv.c
37077 @@ -306,7 +306,7 @@ module_exit(drm_core_exit);
37079 * Copy and IOCTL return string to user space
37081 -static int drm_copy_field(char *buf, size_t *buf_len, const char *value)
37082 +static int drm_copy_field(char __user *buf, size_t *buf_len, const char *value)
37086 @@ -376,7 +376,7 @@ long drm_ioctl(struct file *filp,
37087 struct drm_file *file_priv = filp->private_data;
37088 struct drm_device *dev;
37089 const struct drm_ioctl_desc *ioctl = NULL;
37090 - drm_ioctl_t *func;
37091 + drm_ioctl_no_const_t func;
37092 unsigned int nr = DRM_IOCTL_NR(cmd);
37093 int retcode = -EINVAL;
37094 char stack_kdata[128];
37095 @@ -389,7 +389,7 @@ long drm_ioctl(struct file *filp,
37098 atomic_inc(&dev->ioctl_count);
37099 - atomic_inc(&dev->counts[_DRM_STAT_IOCTLS]);
37100 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS]);
37101 ++file_priv->ioctl_count;
37103 if ((nr >= DRM_CORE_IOCTL_COUNT) &&
37104 diff --git a/drivers/gpu/drm/drm_fops.c b/drivers/gpu/drm/drm_fops.c
37105 index 429e07d..e681a2c 100644
37106 --- a/drivers/gpu/drm/drm_fops.c
37107 +++ b/drivers/gpu/drm/drm_fops.c
37108 @@ -71,7 +71,7 @@ static int drm_setup(struct drm_device * dev)
37111 for (i = 0; i < ARRAY_SIZE(dev->counts); i++)
37112 - atomic_set(&dev->counts[i], 0);
37113 + atomic_set_unchecked(&dev->counts[i], 0);
37115 dev->sigdata.lock = NULL;
37117 @@ -135,7 +135,7 @@ int drm_open(struct inode *inode, struct file *filp)
37118 if (drm_device_is_unplugged(dev))
37121 - if (!dev->open_count++)
37122 + if (local_inc_return(&dev->open_count) == 1)
37124 mutex_lock(&dev->struct_mutex);
37125 old_imapping = inode->i_mapping;
37126 @@ -151,7 +151,7 @@ int drm_open(struct inode *inode, struct file *filp)
37127 retcode = drm_open_helper(inode, filp, dev);
37130 - atomic_inc(&dev->counts[_DRM_STAT_OPENS]);
37131 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_OPENS]);
37133 retcode = drm_setup(dev);
37135 @@ -166,7 +166,7 @@ err_undo:
37136 iput(container_of(dev->dev_mapping, struct inode, i_data));
37137 dev->dev_mapping = old_mapping;
37138 mutex_unlock(&dev->struct_mutex);
37139 - dev->open_count--;
37140 + local_dec(&dev->open_count);
37143 EXPORT_SYMBOL(drm_open);
37144 @@ -441,7 +441,7 @@ int drm_release(struct inode *inode, struct file *filp)
37146 mutex_lock(&drm_global_mutex);
37148 - DRM_DEBUG("open_count = %d\n", dev->open_count);
37149 + DRM_DEBUG("open_count = %ld\n", local_read(&dev->open_count));
37151 if (dev->driver->preclose)
37152 dev->driver->preclose(dev, file_priv);
37153 @@ -450,10 +450,10 @@ int drm_release(struct inode *inode, struct file *filp)
37154 * Begin inline drm_release
37157 - DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n",
37158 + DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %ld\n",
37159 task_pid_nr(current),
37160 (long)old_encode_dev(file_priv->minor->device),
37161 - dev->open_count);
37162 + local_read(&dev->open_count));
37164 /* Release any auth tokens that might point to this file_priv,
37165 (do that under the drm_global_mutex) */
37166 @@ -550,8 +550,8 @@ int drm_release(struct inode *inode, struct file *filp)
37167 * End inline drm_release
37170 - atomic_inc(&dev->counts[_DRM_STAT_CLOSES]);
37171 - if (!--dev->open_count) {
37172 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_CLOSES]);
37173 + if (local_dec_and_test(&dev->open_count)) {
37174 if (atomic_read(&dev->ioctl_count)) {
37175 DRM_ERROR("Device busy: %d\n",
37176 atomic_read(&dev->ioctl_count));
37177 diff --git a/drivers/gpu/drm/drm_global.c b/drivers/gpu/drm/drm_global.c
37178 index f731116..629842c 100644
37179 --- a/drivers/gpu/drm/drm_global.c
37180 +++ b/drivers/gpu/drm/drm_global.c
37182 struct drm_global_item {
37183 struct mutex mutex;
37186 + atomic_t refcount;
37189 static struct drm_global_item glob[DRM_GLOBAL_NUM];
37190 @@ -49,7 +49,7 @@ void drm_global_init(void)
37191 struct drm_global_item *item = &glob[i];
37192 mutex_init(&item->mutex);
37193 item->object = NULL;
37194 - item->refcount = 0;
37195 + atomic_set(&item->refcount, 0);
37199 @@ -59,7 +59,7 @@ void drm_global_release(void)
37200 for (i = 0; i < DRM_GLOBAL_NUM; ++i) {
37201 struct drm_global_item *item = &glob[i];
37202 BUG_ON(item->object != NULL);
37203 - BUG_ON(item->refcount != 0);
37204 + BUG_ON(atomic_read(&item->refcount) != 0);
37208 @@ -70,7 +70,7 @@ int drm_global_item_ref(struct drm_global_reference *ref)
37211 mutex_lock(&item->mutex);
37212 - if (item->refcount == 0) {
37213 + if (atomic_read(&item->refcount) == 0) {
37214 item->object = kzalloc(ref->size, GFP_KERNEL);
37215 if (unlikely(item->object == NULL)) {
37217 @@ -83,7 +83,7 @@ int drm_global_item_ref(struct drm_global_reference *ref)
37221 - ++item->refcount;
37222 + atomic_inc(&item->refcount);
37223 ref->object = item->object;
37224 object = item->object;
37225 mutex_unlock(&item->mutex);
37226 @@ -100,9 +100,9 @@ void drm_global_item_unref(struct drm_global_reference *ref)
37227 struct drm_global_item *item = &glob[ref->global_type];
37229 mutex_lock(&item->mutex);
37230 - BUG_ON(item->refcount == 0);
37231 + BUG_ON(atomic_read(&item->refcount) == 0);
37232 BUG_ON(ref->object != item->object);
37233 - if (--item->refcount == 0) {
37234 + if (atomic_dec_and_test(&item->refcount)) {
37236 item->object = NULL;
37238 diff --git a/drivers/gpu/drm/drm_info.c b/drivers/gpu/drm/drm_info.c
37239 index d4b20ce..77a8d41 100644
37240 --- a/drivers/gpu/drm/drm_info.c
37241 +++ b/drivers/gpu/drm/drm_info.c
37242 @@ -75,10 +75,14 @@ int drm_vm_info(struct seq_file *m, void *data)
37243 struct drm_local_map *map;
37244 struct drm_map_list *r_list;
37246 - /* Hardcoded from _DRM_FRAME_BUFFER,
37247 - _DRM_REGISTERS, _DRM_SHM, _DRM_AGP, and
37248 - _DRM_SCATTER_GATHER and _DRM_CONSISTENT */
37249 - const char *types[] = { "FB", "REG", "SHM", "AGP", "SG", "PCI" };
37250 + static const char * const types[] = {
37251 + [_DRM_FRAME_BUFFER] = "FB",
37252 + [_DRM_REGISTERS] = "REG",
37253 + [_DRM_SHM] = "SHM",
37254 + [_DRM_AGP] = "AGP",
37255 + [_DRM_SCATTER_GATHER] = "SG",
37256 + [_DRM_CONSISTENT] = "PCI",
37257 + [_DRM_GEM] = "GEM" };
37261 @@ -89,7 +93,7 @@ int drm_vm_info(struct seq_file *m, void *data)
37265 - if (map->type < 0 || map->type > 5)
37266 + if (map->type >= ARRAY_SIZE(types))
37269 type = types[map->type];
37270 @@ -253,7 +257,11 @@ int drm_vma_info(struct seq_file *m, void *data)
37271 vma->vm_flags & VM_MAYSHARE ? 's' : 'p',
37272 vma->vm_flags & VM_LOCKED ? 'l' : '-',
37273 vma->vm_flags & VM_IO ? 'i' : '-',
37274 +#ifdef CONFIG_GRKERNSEC_HIDESYM
37280 #if defined(__i386__)
37281 pgprot = pgprot_val(vma->vm_page_prot);
37282 diff --git a/drivers/gpu/drm/drm_ioc32.c b/drivers/gpu/drm/drm_ioc32.c
37283 index 2f4c434..dd12cd2 100644
37284 --- a/drivers/gpu/drm/drm_ioc32.c
37285 +++ b/drivers/gpu/drm/drm_ioc32.c
37286 @@ -457,7 +457,7 @@ static int compat_drm_infobufs(struct file *file, unsigned int cmd,
37287 request = compat_alloc_user_space(nbytes);
37288 if (!access_ok(VERIFY_WRITE, request, nbytes))
37290 - list = (struct drm_buf_desc *) (request + 1);
37291 + list = (struct drm_buf_desc __user *) (request + 1);
37293 if (__put_user(count, &request->count)
37294 || __put_user(list, &request->list))
37295 @@ -518,7 +518,7 @@ static int compat_drm_mapbufs(struct file *file, unsigned int cmd,
37296 request = compat_alloc_user_space(nbytes);
37297 if (!access_ok(VERIFY_WRITE, request, nbytes))
37299 - list = (struct drm_buf_pub *) (request + 1);
37300 + list = (struct drm_buf_pub __user *) (request + 1);
37302 if (__put_user(count, &request->count)
37303 || __put_user(list, &request->list))
37304 @@ -1016,7 +1016,7 @@ static int compat_drm_wait_vblank(struct file *file, unsigned int cmd,
37308 -drm_ioctl_compat_t *drm_compat_ioctls[] = {
37309 +drm_ioctl_compat_t drm_compat_ioctls[] = {
37310 [DRM_IOCTL_NR(DRM_IOCTL_VERSION32)] = compat_drm_version,
37311 [DRM_IOCTL_NR(DRM_IOCTL_GET_UNIQUE32)] = compat_drm_getunique,
37312 [DRM_IOCTL_NR(DRM_IOCTL_GET_MAP32)] = compat_drm_getmap,
37313 @@ -1062,7 +1062,6 @@ drm_ioctl_compat_t *drm_compat_ioctls[] = {
37314 long drm_compat_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
37316 unsigned int nr = DRM_IOCTL_NR(cmd);
37317 - drm_ioctl_compat_t *fn;
37320 /* Assume that ioctls without an explicit compat routine will just
37321 @@ -1072,10 +1071,8 @@ long drm_compat_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
37322 if (nr >= ARRAY_SIZE(drm_compat_ioctls))
37323 return drm_ioctl(filp, cmd, arg);
37325 - fn = drm_compat_ioctls[nr];
37328 - ret = (*fn) (filp, cmd, arg);
37329 + if (drm_compat_ioctls[nr] != NULL)
37330 + ret = (*drm_compat_ioctls[nr]) (filp, cmd, arg);
37332 ret = drm_ioctl(filp, cmd, arg);
37334 diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c
37335 index e77bd8b..1571b85 100644
37336 --- a/drivers/gpu/drm/drm_ioctl.c
37337 +++ b/drivers/gpu/drm/drm_ioctl.c
37338 @@ -252,7 +252,7 @@ int drm_getstats(struct drm_device *dev, void *data,
37339 stats->data[i].value =
37340 (file_priv->master->lock.hw_lock ? file_priv->master->lock.hw_lock->lock : 0);
37342 - stats->data[i].value = atomic_read(&dev->counts[i]);
37343 + stats->data[i].value = atomic_read_unchecked(&dev->counts[i]);
37344 stats->data[i].type = dev->types[i];
37347 diff --git a/drivers/gpu/drm/drm_lock.c b/drivers/gpu/drm/drm_lock.c
37348 index d752c96..fe08455 100644
37349 --- a/drivers/gpu/drm/drm_lock.c
37350 +++ b/drivers/gpu/drm/drm_lock.c
37351 @@ -86,7 +86,7 @@ int drm_lock(struct drm_device *dev, void *data, struct drm_file *file_priv)
37352 if (drm_lock_take(&master->lock, lock->context)) {
37353 master->lock.file_priv = file_priv;
37354 master->lock.lock_time = jiffies;
37355 - atomic_inc(&dev->counts[_DRM_STAT_LOCKS]);
37356 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_LOCKS]);
37357 break; /* Got lock */
37360 @@ -157,7 +157,7 @@ int drm_unlock(struct drm_device *dev, void *data, struct drm_file *file_priv)
37364 - atomic_inc(&dev->counts[_DRM_STAT_UNLOCKS]);
37365 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_UNLOCKS]);
37367 if (drm_lock_free(&master->lock, lock->context)) {
37368 /* FIXME: Should really bail out here. */
37369 diff --git a/drivers/gpu/drm/drm_stub.c b/drivers/gpu/drm/drm_stub.c
37370 index 16f3ec5..b28f9ca 100644
37371 --- a/drivers/gpu/drm/drm_stub.c
37372 +++ b/drivers/gpu/drm/drm_stub.c
37373 @@ -501,7 +501,7 @@ void drm_unplug_dev(struct drm_device *dev)
37375 drm_device_set_unplugged(dev);
37377 - if (dev->open_count == 0) {
37378 + if (local_read(&dev->open_count) == 0) {
37381 mutex_unlock(&drm_global_mutex);
37382 diff --git a/drivers/gpu/drm/drm_sysfs.c b/drivers/gpu/drm/drm_sysfs.c
37383 index 0229665..f61329c 100644
37384 --- a/drivers/gpu/drm/drm_sysfs.c
37385 +++ b/drivers/gpu/drm/drm_sysfs.c
37386 @@ -499,7 +499,7 @@ EXPORT_SYMBOL(drm_sysfs_hotplug_event);
37387 int drm_sysfs_device_add(struct drm_minor *minor)
37391 + const char *minor_str;
37393 minor->kdev.parent = minor->dev->dev;
37395 diff --git a/drivers/gpu/drm/i810/i810_dma.c b/drivers/gpu/drm/i810/i810_dma.c
37396 index 004ecdf..db1f6e0 100644
37397 --- a/drivers/gpu/drm/i810/i810_dma.c
37398 +++ b/drivers/gpu/drm/i810/i810_dma.c
37399 @@ -945,8 +945,8 @@ static int i810_dma_vertex(struct drm_device *dev, void *data,
37400 dma->buflist[vertex->idx],
37401 vertex->discard, vertex->used);
37403 - atomic_add(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
37404 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
37405 + atomic_add_unchecked(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
37406 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
37407 sarea_priv->last_enqueue = dev_priv->counter - 1;
37408 sarea_priv->last_dispatch = (int)hw_status[5];
37410 @@ -1106,8 +1106,8 @@ static int i810_dma_mc(struct drm_device *dev, void *data,
37411 i810_dma_dispatch_mc(dev, dma->buflist[mc->idx], mc->used,
37414 - atomic_add(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
37415 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
37416 + atomic_add_unchecked(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
37417 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
37418 sarea_priv->last_enqueue = dev_priv->counter - 1;
37419 sarea_priv->last_dispatch = (int)hw_status[5];
37421 diff --git a/drivers/gpu/drm/i810/i810_drv.h b/drivers/gpu/drm/i810/i810_drv.h
37422 index 6e0acad..93c8289 100644
37423 --- a/drivers/gpu/drm/i810/i810_drv.h
37424 +++ b/drivers/gpu/drm/i810/i810_drv.h
37425 @@ -108,8 +108,8 @@ typedef struct drm_i810_private {
37428 wait_queue_head_t irq_queue;
37429 - atomic_t irq_received;
37430 - atomic_t irq_emitted;
37431 + atomic_unchecked_t irq_received;
37432 + atomic_unchecked_t irq_emitted;
37435 } drm_i810_private_t;
37436 diff --git a/drivers/gpu/drm/i915/i915_debugfs.c b/drivers/gpu/drm/i915/i915_debugfs.c
37437 index e913d32..4d9b351 100644
37438 --- a/drivers/gpu/drm/i915/i915_debugfs.c
37439 +++ b/drivers/gpu/drm/i915/i915_debugfs.c
37440 @@ -499,7 +499,7 @@ static int i915_interrupt_info(struct seq_file *m, void *data)
37443 seq_printf(m, "Interrupts received: %d\n",
37444 - atomic_read(&dev_priv->irq_received));
37445 + atomic_read_unchecked(&dev_priv->irq_received));
37446 for_each_ring(ring, dev_priv, i) {
37447 if (IS_GEN6(dev) || IS_GEN7(dev)) {
37449 diff --git a/drivers/gpu/drm/i915/i915_dma.c b/drivers/gpu/drm/i915/i915_dma.c
37450 index 17d9b0b..860e6d9 100644
37451 --- a/drivers/gpu/drm/i915/i915_dma.c
37452 +++ b/drivers/gpu/drm/i915/i915_dma.c
37453 @@ -1259,7 +1259,7 @@ static bool i915_switcheroo_can_switch(struct pci_dev *pdev)
37456 spin_lock(&dev->count_lock);
37457 - can_switch = (dev->open_count == 0);
37458 + can_switch = (local_read(&dev->open_count) == 0);
37459 spin_unlock(&dev->count_lock);
37462 diff --git a/drivers/gpu/drm/i915/i915_drv.h b/drivers/gpu/drm/i915/i915_drv.h
37463 index 47d8b68..52f5d8d 100644
37464 --- a/drivers/gpu/drm/i915/i915_drv.h
37465 +++ b/drivers/gpu/drm/i915/i915_drv.h
37466 @@ -916,7 +916,7 @@ typedef struct drm_i915_private {
37467 drm_dma_handle_t *status_page_dmah;
37468 struct resource mch_res;
37470 - atomic_t irq_received;
37471 + atomic_unchecked_t irq_received;
37473 /* protects the irq masks */
37474 spinlock_t irq_lock;
37475 @@ -1813,7 +1813,7 @@ extern struct i2c_adapter *intel_gmbus_get_adapter(
37476 struct drm_i915_private *dev_priv, unsigned port);
37477 extern void intel_gmbus_set_speed(struct i2c_adapter *adapter, int speed);
37478 extern void intel_gmbus_force_bit(struct i2c_adapter *adapter, bool force_bit);
37479 -extern inline bool intel_gmbus_is_forced_bit(struct i2c_adapter *adapter)
37480 +static inline bool intel_gmbus_is_forced_bit(struct i2c_adapter *adapter)
37482 return container_of(adapter, struct intel_gmbus, adapter)->force_bit;
37484 diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
37485 index 117ce38..eefd237 100644
37486 --- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
37487 +++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
37488 @@ -727,9 +727,9 @@ i915_gem_check_execbuffer(struct drm_i915_gem_execbuffer2 *exec)
37491 validate_exec_list(struct drm_i915_gem_exec_object2 *exec,
37493 + unsigned int count)
37497 int relocs_total = 0;
37498 int relocs_max = INT_MAX / sizeof(struct drm_i915_gem_relocation_entry);
37500 diff --git a/drivers/gpu/drm/i915/i915_ioc32.c b/drivers/gpu/drm/i915/i915_ioc32.c
37501 index 3c59584..500f2e9 100644
37502 --- a/drivers/gpu/drm/i915/i915_ioc32.c
37503 +++ b/drivers/gpu/drm/i915/i915_ioc32.c
37504 @@ -181,7 +181,7 @@ static int compat_i915_alloc(struct file *file, unsigned int cmd,
37505 (unsigned long)request);
37508 -static drm_ioctl_compat_t *i915_compat_ioctls[] = {
37509 +static drm_ioctl_compat_t i915_compat_ioctls[] = {
37510 [DRM_I915_BATCHBUFFER] = compat_i915_batchbuffer,
37511 [DRM_I915_CMDBUFFER] = compat_i915_cmdbuffer,
37512 [DRM_I915_GETPARAM] = compat_i915_getparam,
37513 @@ -202,18 +202,15 @@ static drm_ioctl_compat_t *i915_compat_ioctls[] = {
37514 long i915_compat_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
37516 unsigned int nr = DRM_IOCTL_NR(cmd);
37517 - drm_ioctl_compat_t *fn = NULL;
37520 if (nr < DRM_COMMAND_BASE)
37521 return drm_compat_ioctl(filp, cmd, arg);
37523 - if (nr < DRM_COMMAND_BASE + DRM_ARRAY_SIZE(i915_compat_ioctls))
37524 - fn = i915_compat_ioctls[nr - DRM_COMMAND_BASE];
37527 + if (nr < DRM_COMMAND_BASE + DRM_ARRAY_SIZE(i915_compat_ioctls)) {
37528 + drm_ioctl_compat_t fn = i915_compat_ioctls[nr - DRM_COMMAND_BASE];
37529 ret = (*fn) (filp, cmd, arg);
37532 ret = drm_ioctl(filp, cmd, arg);
37535 diff --git a/drivers/gpu/drm/i915/i915_irq.c b/drivers/gpu/drm/i915/i915_irq.c
37536 index e5e32869..1678f36 100644
37537 --- a/drivers/gpu/drm/i915/i915_irq.c
37538 +++ b/drivers/gpu/drm/i915/i915_irq.c
37539 @@ -670,7 +670,7 @@ static irqreturn_t valleyview_irq_handler(int irq, void *arg)
37541 u32 pipe_stats[I915_MAX_PIPES];
37543 - atomic_inc(&dev_priv->irq_received);
37544 + atomic_inc_unchecked(&dev_priv->irq_received);
37547 iir = I915_READ(VLV_IIR);
37548 @@ -835,7 +835,7 @@ static irqreturn_t ivybridge_irq_handler(int irq, void *arg)
37549 irqreturn_t ret = IRQ_NONE;
37552 - atomic_inc(&dev_priv->irq_received);
37553 + atomic_inc_unchecked(&dev_priv->irq_received);
37555 /* disable master interrupt before clearing iir */
37556 de_ier = I915_READ(DEIER);
37557 @@ -925,7 +925,7 @@ static irqreturn_t ironlake_irq_handler(int irq, void *arg)
37558 int ret = IRQ_NONE;
37559 u32 de_iir, gt_iir, de_ier, pm_iir, sde_ier;
37561 - atomic_inc(&dev_priv->irq_received);
37562 + atomic_inc_unchecked(&dev_priv->irq_received);
37564 /* disable master interrupt before clearing iir */
37565 de_ier = I915_READ(DEIER);
37566 @@ -2089,7 +2089,7 @@ static void ironlake_irq_preinstall(struct drm_device *dev)
37568 drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
37570 - atomic_set(&dev_priv->irq_received, 0);
37571 + atomic_set_unchecked(&dev_priv->irq_received, 0);
37573 I915_WRITE(HWSTAM, 0xeffe);
37575 @@ -2124,7 +2124,7 @@ static void valleyview_irq_preinstall(struct drm_device *dev)
37576 drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
37579 - atomic_set(&dev_priv->irq_received, 0);
37580 + atomic_set_unchecked(&dev_priv->irq_received, 0);
37583 I915_WRITE(VLV_IMR, 0);
37584 @@ -2411,7 +2411,7 @@ static void i8xx_irq_preinstall(struct drm_device * dev)
37585 drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
37588 - atomic_set(&dev_priv->irq_received, 0);
37589 + atomic_set_unchecked(&dev_priv->irq_received, 0);
37591 for_each_pipe(pipe)
37592 I915_WRITE(PIPESTAT(pipe), 0);
37593 @@ -2490,7 +2490,7 @@ static irqreturn_t i8xx_irq_handler(int irq, void *arg)
37594 I915_DISPLAY_PLANE_A_FLIP_PENDING_INTERRUPT |
37595 I915_DISPLAY_PLANE_B_FLIP_PENDING_INTERRUPT;
37597 - atomic_inc(&dev_priv->irq_received);
37598 + atomic_inc_unchecked(&dev_priv->irq_received);
37600 iir = I915_READ16(IIR);
37602 @@ -2565,7 +2565,7 @@ static void i915_irq_preinstall(struct drm_device * dev)
37603 drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
37606 - atomic_set(&dev_priv->irq_received, 0);
37607 + atomic_set_unchecked(&dev_priv->irq_received, 0);
37609 if (I915_HAS_HOTPLUG(dev)) {
37610 I915_WRITE(PORT_HOTPLUG_EN, 0);
37611 @@ -2664,7 +2664,7 @@ static irqreturn_t i915_irq_handler(int irq, void *arg)
37612 I915_DISPLAY_PLANE_B_FLIP_PENDING_INTERRUPT;
37613 int pipe, ret = IRQ_NONE;
37615 - atomic_inc(&dev_priv->irq_received);
37616 + atomic_inc_unchecked(&dev_priv->irq_received);
37618 iir = I915_READ(IIR);
37620 @@ -2791,7 +2791,7 @@ static void i965_irq_preinstall(struct drm_device * dev)
37621 drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
37624 - atomic_set(&dev_priv->irq_received, 0);
37625 + atomic_set_unchecked(&dev_priv->irq_received, 0);
37627 I915_WRITE(PORT_HOTPLUG_EN, 0);
37628 I915_WRITE(PORT_HOTPLUG_STAT, I915_READ(PORT_HOTPLUG_STAT));
37629 @@ -2898,7 +2898,7 @@ static irqreturn_t i965_irq_handler(int irq, void *arg)
37630 I915_DISPLAY_PLANE_A_FLIP_PENDING_INTERRUPT |
37631 I915_DISPLAY_PLANE_B_FLIP_PENDING_INTERRUPT;
37633 - atomic_inc(&dev_priv->irq_received);
37634 + atomic_inc_unchecked(&dev_priv->irq_received);
37636 iir = I915_READ(IIR);
37638 diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
37639 index eea5982..eeef407 100644
37640 --- a/drivers/gpu/drm/i915/intel_display.c
37641 +++ b/drivers/gpu/drm/i915/intel_display.c
37642 @@ -8935,13 +8935,13 @@ struct intel_quirk {
37643 int subsystem_vendor;
37644 int subsystem_device;
37645 void (*hook)(struct drm_device *dev);
37649 /* For systems that don't have a meaningful PCI subdevice/subvendor ID */
37650 struct intel_dmi_quirk {
37651 void (*hook)(struct drm_device *dev);
37652 const struct dmi_system_id (*dmi_id_list)[];
37656 static int intel_dmi_reverse_brightness(const struct dmi_system_id *id)
37658 @@ -8949,18 +8949,20 @@ static int intel_dmi_reverse_brightness(const struct dmi_system_id *id)
37662 -static const struct intel_dmi_quirk intel_dmi_quirks[] = {
37663 +static const struct dmi_system_id intel_dmi_quirks_table[] = {
37665 - .dmi_id_list = &(const struct dmi_system_id[]) {
37667 - .callback = intel_dmi_reverse_brightness,
37668 - .ident = "NCR Corporation",
37669 - .matches = {DMI_MATCH(DMI_SYS_VENDOR, "NCR Corporation"),
37670 - DMI_MATCH(DMI_PRODUCT_NAME, ""),
37673 - { } /* terminating entry */
37674 + .callback = intel_dmi_reverse_brightness,
37675 + .ident = "NCR Corporation",
37676 + .matches = {DMI_MATCH(DMI_SYS_VENDOR, "NCR Corporation"),
37677 + DMI_MATCH(DMI_PRODUCT_NAME, ""),
37680 + { } /* terminating entry */
37683 +static const struct intel_dmi_quirk intel_dmi_quirks[] = {
37685 + .dmi_id_list = &intel_dmi_quirks_table,
37686 .hook = quirk_invert_brightness,
37689 diff --git a/drivers/gpu/drm/mga/mga_drv.h b/drivers/gpu/drm/mga/mga_drv.h
37690 index 54558a0..2d97005 100644
37691 --- a/drivers/gpu/drm/mga/mga_drv.h
37692 +++ b/drivers/gpu/drm/mga/mga_drv.h
37693 @@ -120,9 +120,9 @@ typedef struct drm_mga_private {
37697 - atomic_t vbl_received; /**< Number of vblanks received. */
37698 + atomic_unchecked_t vbl_received; /**< Number of vblanks received. */
37699 wait_queue_head_t fence_queue;
37700 - atomic_t last_fence_retired;
37701 + atomic_unchecked_t last_fence_retired;
37702 u32 next_fence_to_post;
37704 unsigned int fb_cpp;
37705 diff --git a/drivers/gpu/drm/mga/mga_ioc32.c b/drivers/gpu/drm/mga/mga_ioc32.c
37706 index 709e90d..89a1c0d 100644
37707 --- a/drivers/gpu/drm/mga/mga_ioc32.c
37708 +++ b/drivers/gpu/drm/mga/mga_ioc32.c
37709 @@ -189,7 +189,7 @@ static int compat_mga_dma_bootstrap(struct file *file, unsigned int cmd,
37713 -drm_ioctl_compat_t *mga_compat_ioctls[] = {
37714 +drm_ioctl_compat_t mga_compat_ioctls[] = {
37715 [DRM_MGA_INIT] = compat_mga_init,
37716 [DRM_MGA_GETPARAM] = compat_mga_getparam,
37717 [DRM_MGA_DMA_BOOTSTRAP] = compat_mga_dma_bootstrap,
37718 @@ -207,18 +207,15 @@ drm_ioctl_compat_t *mga_compat_ioctls[] = {
37719 long mga_compat_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
37721 unsigned int nr = DRM_IOCTL_NR(cmd);
37722 - drm_ioctl_compat_t *fn = NULL;
37725 if (nr < DRM_COMMAND_BASE)
37726 return drm_compat_ioctl(filp, cmd, arg);
37728 - if (nr < DRM_COMMAND_BASE + DRM_ARRAY_SIZE(mga_compat_ioctls))
37729 - fn = mga_compat_ioctls[nr - DRM_COMMAND_BASE];
37732 + if (nr < DRM_COMMAND_BASE + DRM_ARRAY_SIZE(mga_compat_ioctls)) {
37733 + drm_ioctl_compat_t fn = mga_compat_ioctls[nr - DRM_COMMAND_BASE];
37734 ret = (*fn) (filp, cmd, arg);
37737 ret = drm_ioctl(filp, cmd, arg);
37740 diff --git a/drivers/gpu/drm/mga/mga_irq.c b/drivers/gpu/drm/mga/mga_irq.c
37741 index 598c281..60d590e 100644
37742 --- a/drivers/gpu/drm/mga/mga_irq.c
37743 +++ b/drivers/gpu/drm/mga/mga_irq.c
37744 @@ -43,7 +43,7 @@ u32 mga_get_vblank_counter(struct drm_device *dev, int crtc)
37748 - return atomic_read(&dev_priv->vbl_received);
37749 + return atomic_read_unchecked(&dev_priv->vbl_received);
37753 @@ -59,7 +59,7 @@ irqreturn_t mga_driver_irq_handler(DRM_IRQ_ARGS)
37754 /* VBLANK interrupt */
37755 if (status & MGA_VLINEPEN) {
37756 MGA_WRITE(MGA_ICLEAR, MGA_VLINEICLR);
37757 - atomic_inc(&dev_priv->vbl_received);
37758 + atomic_inc_unchecked(&dev_priv->vbl_received);
37759 drm_handle_vblank(dev, 0);
37762 @@ -78,7 +78,7 @@ irqreturn_t mga_driver_irq_handler(DRM_IRQ_ARGS)
37763 if ((prim_start & ~0x03) != (prim_end & ~0x03))
37764 MGA_WRITE(MGA_PRIMEND, prim_end);
37766 - atomic_inc(&dev_priv->last_fence_retired);
37767 + atomic_inc_unchecked(&dev_priv->last_fence_retired);
37768 DRM_WAKEUP(&dev_priv->fence_queue);
37771 @@ -129,7 +129,7 @@ int mga_driver_fence_wait(struct drm_device *dev, unsigned int *sequence)
37774 DRM_WAIT_ON(ret, dev_priv->fence_queue, 3 * DRM_HZ,
37775 - (((cur_fence = atomic_read(&dev_priv->last_fence_retired))
37776 + (((cur_fence = atomic_read_unchecked(&dev_priv->last_fence_retired))
37777 - *sequence) <= (1 << 23)));
37779 *sequence = cur_fence;
37780 diff --git a/drivers/gpu/drm/nouveau/nouveau_bios.c b/drivers/gpu/drm/nouveau/nouveau_bios.c
37781 index 6aa2137..fe8dc55 100644
37782 --- a/drivers/gpu/drm/nouveau/nouveau_bios.c
37783 +++ b/drivers/gpu/drm/nouveau/nouveau_bios.c
37784 @@ -965,7 +965,7 @@ static int parse_bit_tmds_tbl_entry(struct drm_device *dev, struct nvbios *bios,
37787 int (* const parse_fn)(struct drm_device *, struct nvbios *, struct bit_entry *);
37791 #define BIT_TABLE(id, funcid) ((struct bit_table){ id, parse_bit_##funcid##_tbl_entry })
37793 diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.h b/drivers/gpu/drm/nouveau/nouveau_drm.h
37794 index f2b30f8..d0f9a95 100644
37795 --- a/drivers/gpu/drm/nouveau/nouveau_drm.h
37796 +++ b/drivers/gpu/drm/nouveau/nouveau_drm.h
37797 @@ -92,7 +92,7 @@ struct nouveau_drm {
37798 struct drm_global_reference mem_global_ref;
37799 struct ttm_bo_global_ref bo_global_ref;
37800 struct ttm_bo_device bdev;
37801 - atomic_t validate_sequence;
37802 + atomic_unchecked_t validate_sequence;
37803 int (*move)(struct nouveau_channel *,
37804 struct ttm_buffer_object *,
37805 struct ttm_mem_reg *, struct ttm_mem_reg *);
37806 diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c
37807 index b4b4d0c..b7edc15 100644
37808 --- a/drivers/gpu/drm/nouveau/nouveau_gem.c
37809 +++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
37810 @@ -322,7 +322,7 @@ validate_init(struct nouveau_channel *chan, struct drm_file *file_priv,
37812 struct nouveau_bo *res_bo = NULL;
37814 - sequence = atomic_add_return(1, &drm->ttm.validate_sequence);
37815 + sequence = atomic_add_return_unchecked(1, &drm->ttm.validate_sequence);
37817 if (++trycnt > 100000) {
37818 NV_ERROR(cli, "%s failed and gave up.\n", __func__);
37819 @@ -359,7 +359,7 @@ retry:
37821 validate_fini(op, NULL);
37822 if (unlikely(ret == -EAGAIN)) {
37823 - sequence = atomic_add_return(1, &drm->ttm.validate_sequence);
37824 + sequence = atomic_add_return_unchecked(1, &drm->ttm.validate_sequence);
37825 ret = ttm_bo_reserve_slowpath(&nvbo->bo, true,
37828 diff --git a/drivers/gpu/drm/nouveau/nouveau_ioc32.c b/drivers/gpu/drm/nouveau/nouveau_ioc32.c
37829 index 08214bc..9208577 100644
37830 --- a/drivers/gpu/drm/nouveau/nouveau_ioc32.c
37831 +++ b/drivers/gpu/drm/nouveau/nouveau_ioc32.c
37832 @@ -50,7 +50,7 @@ long nouveau_compat_ioctl(struct file *filp, unsigned int cmd,
37835 unsigned int nr = DRM_IOCTL_NR(cmd);
37836 - drm_ioctl_compat_t *fn = NULL;
37837 + drm_ioctl_compat_t fn = NULL;
37840 if (nr < DRM_COMMAND_BASE)
37841 diff --git a/drivers/gpu/drm/nouveau/nouveau_vga.c b/drivers/gpu/drm/nouveau/nouveau_vga.c
37842 index 25d3495..d81aaf6 100644
37843 --- a/drivers/gpu/drm/nouveau/nouveau_vga.c
37844 +++ b/drivers/gpu/drm/nouveau/nouveau_vga.c
37845 @@ -62,7 +62,7 @@ nouveau_switcheroo_can_switch(struct pci_dev *pdev)
37848 spin_lock(&dev->count_lock);
37849 - can_switch = (dev->open_count == 0);
37850 + can_switch = (local_read(&dev->open_count) == 0);
37851 spin_unlock(&dev->count_lock);
37854 diff --git a/drivers/gpu/drm/qxl/qxl_ttm.c b/drivers/gpu/drm/qxl/qxl_ttm.c
37855 index 489cb8c..0b8d0d3 100644
37856 --- a/drivers/gpu/drm/qxl/qxl_ttm.c
37857 +++ b/drivers/gpu/drm/qxl/qxl_ttm.c
37858 @@ -103,7 +103,7 @@ static void qxl_ttm_global_fini(struct qxl_device *qdev)
37862 -static struct vm_operations_struct qxl_ttm_vm_ops;
37863 +static vm_operations_struct_no_const qxl_ttm_vm_ops __read_only;
37864 static const struct vm_operations_struct *ttm_vm_ops;
37866 static int qxl_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
37867 @@ -147,8 +147,10 @@ int qxl_mmap(struct file *filp, struct vm_area_struct *vma)
37869 if (unlikely(ttm_vm_ops == NULL)) {
37870 ttm_vm_ops = vma->vm_ops;
37871 + pax_open_kernel();
37872 qxl_ttm_vm_ops = *ttm_vm_ops;
37873 qxl_ttm_vm_ops.fault = &qxl_ttm_fault;
37874 + pax_close_kernel();
37876 vma->vm_ops = &qxl_ttm_vm_ops;
37878 @@ -556,25 +558,23 @@ static int qxl_mm_dump_table(struct seq_file *m, void *data)
37879 static int qxl_ttm_debugfs_init(struct qxl_device *qdev)
37881 #if defined(CONFIG_DEBUG_FS)
37882 - static struct drm_info_list qxl_mem_types_list[QXL_DEBUGFS_MEM_TYPES];
37883 - static char qxl_mem_types_names[QXL_DEBUGFS_MEM_TYPES][32];
37885 + static struct drm_info_list qxl_mem_types_list[QXL_DEBUGFS_MEM_TYPES] = {
37887 + .name = "qxl_mem_mm",
37888 + .show = &qxl_mm_dump_table,
37891 + .name = "qxl_surf_mm",
37892 + .show = &qxl_mm_dump_table,
37896 - for (i = 0; i < QXL_DEBUGFS_MEM_TYPES; i++) {
37898 - sprintf(qxl_mem_types_names[i], "qxl_mem_mm");
37900 - sprintf(qxl_mem_types_names[i], "qxl_surf_mm");
37901 - qxl_mem_types_list[i].name = qxl_mem_types_names[i];
37902 - qxl_mem_types_list[i].show = &qxl_mm_dump_table;
37903 - qxl_mem_types_list[i].driver_features = 0;
37905 - qxl_mem_types_list[i].data = qdev->mman.bdev.man[TTM_PL_VRAM].priv;
37907 - qxl_mem_types_list[i].data = qdev->mman.bdev.man[TTM_PL_PRIV0].priv;
37908 + pax_open_kernel();
37909 + *(void **)&qxl_mem_types_list[0].data = qdev->mman.bdev.man[TTM_PL_VRAM].priv;
37910 + *(void **)&qxl_mem_types_list[1].data = qdev->mman.bdev.man[TTM_PL_PRIV0].priv;
37911 + pax_close_kernel();
37914 - return qxl_debugfs_add_files(qdev, qxl_mem_types_list, i);
37915 + return qxl_debugfs_add_files(qdev, qxl_mem_types_list, QXL_DEBUGFS_MEM_TYPES);
37919 diff --git a/drivers/gpu/drm/r128/r128_cce.c b/drivers/gpu/drm/r128/r128_cce.c
37920 index d4660cf..70dbe65 100644
37921 --- a/drivers/gpu/drm/r128/r128_cce.c
37922 +++ b/drivers/gpu/drm/r128/r128_cce.c
37923 @@ -377,7 +377,7 @@ static int r128_do_init_cce(struct drm_device *dev, drm_r128_init_t *init)
37925 /* GH: Simple idle check.
37927 - atomic_set(&dev_priv->idle_count, 0);
37928 + atomic_set_unchecked(&dev_priv->idle_count, 0);
37930 /* We don't support anything other than bus-mastering ring mode,
37931 * but the ring can be in either AGP or PCI space for the ring
37932 diff --git a/drivers/gpu/drm/r128/r128_drv.h b/drivers/gpu/drm/r128/r128_drv.h
37933 index 930c71b..499aded 100644
37934 --- a/drivers/gpu/drm/r128/r128_drv.h
37935 +++ b/drivers/gpu/drm/r128/r128_drv.h
37936 @@ -90,14 +90,14 @@ typedef struct drm_r128_private {
37938 unsigned long cce_buffers_offset;
37940 - atomic_t idle_count;
37941 + atomic_unchecked_t idle_count;
37946 u32 crtc_offset_cntl;
37948 - atomic_t vbl_received;
37949 + atomic_unchecked_t vbl_received;
37952 unsigned int front_offset;
37953 diff --git a/drivers/gpu/drm/r128/r128_ioc32.c b/drivers/gpu/drm/r128/r128_ioc32.c
37954 index a954c54..9cc595c 100644
37955 --- a/drivers/gpu/drm/r128/r128_ioc32.c
37956 +++ b/drivers/gpu/drm/r128/r128_ioc32.c
37957 @@ -177,7 +177,7 @@ static int compat_r128_getparam(struct file *file, unsigned int cmd,
37958 return drm_ioctl(file, DRM_IOCTL_R128_GETPARAM, (unsigned long)getparam);
37961 -drm_ioctl_compat_t *r128_compat_ioctls[] = {
37962 +drm_ioctl_compat_t r128_compat_ioctls[] = {
37963 [DRM_R128_INIT] = compat_r128_init,
37964 [DRM_R128_DEPTH] = compat_r128_depth,
37965 [DRM_R128_STIPPLE] = compat_r128_stipple,
37966 @@ -196,18 +196,15 @@ drm_ioctl_compat_t *r128_compat_ioctls[] = {
37967 long r128_compat_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
37969 unsigned int nr = DRM_IOCTL_NR(cmd);
37970 - drm_ioctl_compat_t *fn = NULL;
37973 if (nr < DRM_COMMAND_BASE)
37974 return drm_compat_ioctl(filp, cmd, arg);
37976 - if (nr < DRM_COMMAND_BASE + DRM_ARRAY_SIZE(r128_compat_ioctls))
37977 - fn = r128_compat_ioctls[nr - DRM_COMMAND_BASE];
37980 + if (nr < DRM_COMMAND_BASE + DRM_ARRAY_SIZE(r128_compat_ioctls)) {
37981 + drm_ioctl_compat_t fn = r128_compat_ioctls[nr - DRM_COMMAND_BASE];
37982 ret = (*fn) (filp, cmd, arg);
37985 ret = drm_ioctl(filp, cmd, arg);
37988 diff --git a/drivers/gpu/drm/r128/r128_irq.c b/drivers/gpu/drm/r128/r128_irq.c
37989 index 2ea4f09..d391371 100644
37990 --- a/drivers/gpu/drm/r128/r128_irq.c
37991 +++ b/drivers/gpu/drm/r128/r128_irq.c
37992 @@ -41,7 +41,7 @@ u32 r128_get_vblank_counter(struct drm_device *dev, int crtc)
37996 - return atomic_read(&dev_priv->vbl_received);
37997 + return atomic_read_unchecked(&dev_priv->vbl_received);
38000 irqreturn_t r128_driver_irq_handler(DRM_IRQ_ARGS)
38001 @@ -55,7 +55,7 @@ irqreturn_t r128_driver_irq_handler(DRM_IRQ_ARGS)
38002 /* VBLANK interrupt */
38003 if (status & R128_CRTC_VBLANK_INT) {
38004 R128_WRITE(R128_GEN_INT_STATUS, R128_CRTC_VBLANK_INT_AK);
38005 - atomic_inc(&dev_priv->vbl_received);
38006 + atomic_inc_unchecked(&dev_priv->vbl_received);
38007 drm_handle_vblank(dev, 0);
38008 return IRQ_HANDLED;
38010 diff --git a/drivers/gpu/drm/r128/r128_state.c b/drivers/gpu/drm/r128/r128_state.c
38011 index 19bb7e6..de7e2a2 100644
38012 --- a/drivers/gpu/drm/r128/r128_state.c
38013 +++ b/drivers/gpu/drm/r128/r128_state.c
38014 @@ -320,10 +320,10 @@ static void r128_clear_box(drm_r128_private_t *dev_priv,
38016 static void r128_cce_performance_boxes(drm_r128_private_t *dev_priv)
38018 - if (atomic_read(&dev_priv->idle_count) == 0)
38019 + if (atomic_read_unchecked(&dev_priv->idle_count) == 0)
38020 r128_clear_box(dev_priv, 64, 4, 8, 8, 0, 255, 0);
38022 - atomic_set(&dev_priv->idle_count, 0);
38023 + atomic_set_unchecked(&dev_priv->idle_count, 0);
38027 diff --git a/drivers/gpu/drm/radeon/mkregtable.c b/drivers/gpu/drm/radeon/mkregtable.c
38028 index 5a82b6b..9e69c73 100644
38029 --- a/drivers/gpu/drm/radeon/mkregtable.c
38030 +++ b/drivers/gpu/drm/radeon/mkregtable.c
38031 @@ -637,14 +637,14 @@ static int parser_auth(struct table *t, const char *filename)
38033 regmatch_t match[4];
38041 struct offset *offset;
38042 char last_reg_s[10];
38044 + unsigned long last_reg;
38047 (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
38048 diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c
38049 index b0dc0b6..a9bfe9c 100644
38050 --- a/drivers/gpu/drm/radeon/radeon_device.c
38051 +++ b/drivers/gpu/drm/radeon/radeon_device.c
38052 @@ -1014,7 +1014,7 @@ static bool radeon_switcheroo_can_switch(struct pci_dev *pdev)
38055 spin_lock(&dev->count_lock);
38056 - can_switch = (dev->open_count == 0);
38057 + can_switch = (local_read(&dev->open_count) == 0);
38058 spin_unlock(&dev->count_lock);
38061 diff --git a/drivers/gpu/drm/radeon/radeon_drv.h b/drivers/gpu/drm/radeon/radeon_drv.h
38062 index b369d42..8dd04eb 100644
38063 --- a/drivers/gpu/drm/radeon/radeon_drv.h
38064 +++ b/drivers/gpu/drm/radeon/radeon_drv.h
38065 @@ -258,7 +258,7 @@ typedef struct drm_radeon_private {
38068 wait_queue_head_t swi_queue;
38069 - atomic_t swi_emitted;
38070 + atomic_unchecked_t swi_emitted;
38072 uint32_t irq_enable_reg;
38073 uint32_t r500_disp_irq_reg;
38074 diff --git a/drivers/gpu/drm/radeon/radeon_ioc32.c b/drivers/gpu/drm/radeon/radeon_ioc32.c
38075 index c180df8..5fd8186 100644
38076 --- a/drivers/gpu/drm/radeon/radeon_ioc32.c
38077 +++ b/drivers/gpu/drm/radeon/radeon_ioc32.c
38078 @@ -358,7 +358,7 @@ static int compat_radeon_cp_setparam(struct file *file, unsigned int cmd,
38079 request = compat_alloc_user_space(sizeof(*request));
38080 if (!access_ok(VERIFY_WRITE, request, sizeof(*request))
38081 || __put_user(req32.param, &request->param)
38082 - || __put_user((void __user *)(unsigned long)req32.value,
38083 + || __put_user((unsigned long)req32.value,
38087 @@ -368,7 +368,7 @@ static int compat_radeon_cp_setparam(struct file *file, unsigned int cmd,
38088 #define compat_radeon_cp_setparam NULL
38089 #endif /* X86_64 || IA64 */
38091 -static drm_ioctl_compat_t *radeon_compat_ioctls[] = {
38092 +static drm_ioctl_compat_t radeon_compat_ioctls[] = {
38093 [DRM_RADEON_CP_INIT] = compat_radeon_cp_init,
38094 [DRM_RADEON_CLEAR] = compat_radeon_cp_clear,
38095 [DRM_RADEON_STIPPLE] = compat_radeon_cp_stipple,
38096 @@ -393,18 +393,15 @@ static drm_ioctl_compat_t *radeon_compat_ioctls[] = {
38097 long radeon_compat_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
38099 unsigned int nr = DRM_IOCTL_NR(cmd);
38100 - drm_ioctl_compat_t *fn = NULL;
38103 if (nr < DRM_COMMAND_BASE)
38104 return drm_compat_ioctl(filp, cmd, arg);
38106 - if (nr < DRM_COMMAND_BASE + DRM_ARRAY_SIZE(radeon_compat_ioctls))
38107 - fn = radeon_compat_ioctls[nr - DRM_COMMAND_BASE];
38110 + if (nr < DRM_COMMAND_BASE + DRM_ARRAY_SIZE(radeon_compat_ioctls)) {
38111 + drm_ioctl_compat_t fn = radeon_compat_ioctls[nr - DRM_COMMAND_BASE];
38112 ret = (*fn) (filp, cmd, arg);
38115 ret = drm_ioctl(filp, cmd, arg);
38118 diff --git a/drivers/gpu/drm/radeon/radeon_irq.c b/drivers/gpu/drm/radeon/radeon_irq.c
38119 index 8d68e97..9dcfed8 100644
38120 --- a/drivers/gpu/drm/radeon/radeon_irq.c
38121 +++ b/drivers/gpu/drm/radeon/radeon_irq.c
38122 @@ -226,8 +226,8 @@ static int radeon_emit_irq(struct drm_device * dev)
38126 - atomic_inc(&dev_priv->swi_emitted);
38127 - ret = atomic_read(&dev_priv->swi_emitted);
38128 + atomic_inc_unchecked(&dev_priv->swi_emitted);
38129 + ret = atomic_read_unchecked(&dev_priv->swi_emitted);
38132 OUT_RING_REG(RADEON_LAST_SWI_REG, ret);
38133 @@ -353,7 +353,7 @@ int radeon_driver_irq_postinstall(struct drm_device *dev)
38134 drm_radeon_private_t *dev_priv =
38135 (drm_radeon_private_t *) dev->dev_private;
38137 - atomic_set(&dev_priv->swi_emitted, 0);
38138 + atomic_set_unchecked(&dev_priv->swi_emitted, 0);
38139 DRM_INIT_WAITQUEUE(&dev_priv->swi_queue);
38141 dev->max_vblank_count = 0x001fffff;
38142 diff --git a/drivers/gpu/drm/radeon/radeon_state.c b/drivers/gpu/drm/radeon/radeon_state.c
38143 index 4d20910..6726b6d 100644
38144 --- a/drivers/gpu/drm/radeon/radeon_state.c
38145 +++ b/drivers/gpu/drm/radeon/radeon_state.c
38146 @@ -2168,7 +2168,7 @@ static int radeon_cp_clear(struct drm_device *dev, void *data, struct drm_file *
38147 if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS)
38148 sarea_priv->nbox = RADEON_NR_SAREA_CLIPRECTS;
38150 - if (DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
38151 + if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS || DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
38152 sarea_priv->nbox * sizeof(depth_boxes[0])))
38155 @@ -3031,7 +3031,7 @@ static int radeon_cp_getparam(struct drm_device *dev, void *data, struct drm_fil
38157 drm_radeon_private_t *dev_priv = dev->dev_private;
38158 drm_radeon_getparam_t *param = data;
38162 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
38164 diff --git a/drivers/gpu/drm/radeon/radeon_ttm.c b/drivers/gpu/drm/radeon/radeon_ttm.c
38165 index 6c0ce89..57a2529 100644
38166 --- a/drivers/gpu/drm/radeon/radeon_ttm.c
38167 +++ b/drivers/gpu/drm/radeon/radeon_ttm.c
38168 @@ -782,7 +782,7 @@ void radeon_ttm_set_active_vram_size(struct radeon_device *rdev, u64 size)
38169 man->size = size >> PAGE_SHIFT;
38172 -static struct vm_operations_struct radeon_ttm_vm_ops;
38173 +static vm_operations_struct_no_const radeon_ttm_vm_ops __read_only;
38174 static const struct vm_operations_struct *ttm_vm_ops = NULL;
38176 static int radeon_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
38177 @@ -823,8 +823,10 @@ int radeon_mmap(struct file *filp, struct vm_area_struct *vma)
38179 if (unlikely(ttm_vm_ops == NULL)) {
38180 ttm_vm_ops = vma->vm_ops;
38181 + pax_open_kernel();
38182 radeon_ttm_vm_ops = *ttm_vm_ops;
38183 radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
38184 + pax_close_kernel();
38186 vma->vm_ops = &radeon_ttm_vm_ops;
38188 @@ -853,38 +855,33 @@ static int radeon_mm_dump_table(struct seq_file *m, void *data)
38189 static int radeon_ttm_debugfs_init(struct radeon_device *rdev)
38191 #if defined(CONFIG_DEBUG_FS)
38192 - static struct drm_info_list radeon_mem_types_list[RADEON_DEBUGFS_MEM_TYPES+2];
38193 - static char radeon_mem_types_names[RADEON_DEBUGFS_MEM_TYPES+2][32];
38194 + static struct drm_info_list radeon_mem_types_list[RADEON_DEBUGFS_MEM_TYPES+2] = {
38196 + .name = "radeon_vram_mm",
38197 + .show = &radeon_mm_dump_table,
38200 + .name = "radeon_gtt_mm",
38201 + .show = &radeon_mm_dump_table,
38204 + .name = "ttm_page_pool",
38205 + .show = &ttm_page_alloc_debugfs,
38208 + .name = "ttm_dma_page_pool",
38209 + .show = &ttm_dma_page_alloc_debugfs,
38214 - for (i = 0; i < RADEON_DEBUGFS_MEM_TYPES; i++) {
38216 - sprintf(radeon_mem_types_names[i], "radeon_vram_mm");
38218 - sprintf(radeon_mem_types_names[i], "radeon_gtt_mm");
38219 - radeon_mem_types_list[i].name = radeon_mem_types_names[i];
38220 - radeon_mem_types_list[i].show = &radeon_mm_dump_table;
38221 - radeon_mem_types_list[i].driver_features = 0;
38223 - radeon_mem_types_list[i].data = rdev->mman.bdev.man[TTM_PL_VRAM].priv;
38225 - radeon_mem_types_list[i].data = rdev->mman.bdev.man[TTM_PL_TT].priv;
38228 - /* Add ttm page pool to debugfs */
38229 - sprintf(radeon_mem_types_names[i], "ttm_page_pool");
38230 - radeon_mem_types_list[i].name = radeon_mem_types_names[i];
38231 - radeon_mem_types_list[i].show = &ttm_page_alloc_debugfs;
38232 - radeon_mem_types_list[i].driver_features = 0;
38233 - radeon_mem_types_list[i++].data = NULL;
38234 + pax_open_kernel();
38235 + *(void **)&radeon_mem_types_list[0].data = rdev->mman.bdev.man[TTM_PL_VRAM].priv;
38236 + *(void **)&radeon_mem_types_list[1].data = rdev->mman.bdev.man[TTM_PL_TT].priv;
38237 + pax_close_kernel();
38238 #ifdef CONFIG_SWIOTLB
38239 - if (swiotlb_nr_tbl()) {
38240 - sprintf(radeon_mem_types_names[i], "ttm_dma_page_pool");
38241 - radeon_mem_types_list[i].name = radeon_mem_types_names[i];
38242 - radeon_mem_types_list[i].show = &ttm_dma_page_alloc_debugfs;
38243 - radeon_mem_types_list[i].driver_features = 0;
38244 - radeon_mem_types_list[i++].data = NULL;
38246 + if (swiotlb_nr_tbl())
38249 return radeon_debugfs_add_files(rdev, radeon_mem_types_list, i);
38251 diff --git a/drivers/gpu/drm/radeon/rs690.c b/drivers/gpu/drm/radeon/rs690.c
38252 index 55880d5..9e95342 100644
38253 --- a/drivers/gpu/drm/radeon/rs690.c
38254 +++ b/drivers/gpu/drm/radeon/rs690.c
38255 @@ -327,9 +327,11 @@ static void rs690_crtc_bandwidth_compute(struct radeon_device *rdev,
38256 if (rdev->pm.max_bandwidth.full > rdev->pm.sideport_bandwidth.full &&
38257 rdev->pm.sideport_bandwidth.full)
38258 rdev->pm.max_bandwidth = rdev->pm.sideport_bandwidth;
38259 - read_delay_latency.full = dfixed_const(370 * 800 * 1000);
38260 + read_delay_latency.full = dfixed_const(800 * 1000);
38261 read_delay_latency.full = dfixed_div(read_delay_latency,
38262 rdev->pm.igp_sideport_mclk);
38263 + a.full = dfixed_const(370);
38264 + read_delay_latency.full = dfixed_mul(read_delay_latency, a);
38266 if (rdev->pm.max_bandwidth.full > rdev->pm.k8_bandwidth.full &&
38267 rdev->pm.k8_bandwidth.full)
38268 diff --git a/drivers/gpu/drm/ttm/ttm_memory.c b/drivers/gpu/drm/ttm/ttm_memory.c
38269 index dbc2def..0a9f710 100644
38270 --- a/drivers/gpu/drm/ttm/ttm_memory.c
38271 +++ b/drivers/gpu/drm/ttm/ttm_memory.c
38272 @@ -264,7 +264,7 @@ static int ttm_mem_init_kernel_zone(struct ttm_mem_global *glob,
38274 glob->zone_kernel = zone;
38275 ret = kobject_init_and_add(
38276 - &zone->kobj, &ttm_mem_zone_kobj_type, &glob->kobj, zone->name);
38277 + &zone->kobj, &ttm_mem_zone_kobj_type, &glob->kobj, "%s", zone->name);
38278 if (unlikely(ret != 0)) {
38279 kobject_put(&zone->kobj);
38281 @@ -347,7 +347,7 @@ static int ttm_mem_init_dma32_zone(struct ttm_mem_global *glob,
38283 glob->zone_dma32 = zone;
38284 ret = kobject_init_and_add(
38285 - &zone->kobj, &ttm_mem_zone_kobj_type, &glob->kobj, zone->name);
38286 + &zone->kobj, &ttm_mem_zone_kobj_type, &glob->kobj, "%s", zone->name);
38287 if (unlikely(ret != 0)) {
38288 kobject_put(&zone->kobj);
38290 diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c
38291 index bd2a3b4..122d9ad 100644
38292 --- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
38293 +++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
38294 @@ -394,9 +394,9 @@ static int ttm_pool_get_num_unused_pages(void)
38295 static int ttm_pool_mm_shrink(struct shrinker *shrink,
38296 struct shrink_control *sc)
38298 - static atomic_t start_pool = ATOMIC_INIT(0);
38299 + static atomic_unchecked_t start_pool = ATOMIC_INIT(0);
38301 - unsigned pool_offset = atomic_add_return(1, &start_pool);
38302 + unsigned pool_offset = atomic_add_return_unchecked(1, &start_pool);
38303 struct ttm_page_pool *pool;
38304 int shrink_pages = sc->nr_to_scan;
38306 diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c
38307 index dc0c065..58a0782 100644
38308 --- a/drivers/gpu/drm/udl/udl_fb.c
38309 +++ b/drivers/gpu/drm/udl/udl_fb.c
38310 @@ -367,7 +367,6 @@ static int udl_fb_release(struct fb_info *info, int user)
38311 fb_deferred_io_cleanup(info);
38312 kfree(info->fbdefio);
38313 info->fbdefio = NULL;
38314 - info->fbops->fb_mmap = udl_fb_mmap;
38317 pr_warn("released /dev/fb%d user=%d count=%d\n",
38318 diff --git a/drivers/gpu/drm/via/via_drv.h b/drivers/gpu/drm/via/via_drv.h
38319 index 893a650..6190d3b 100644
38320 --- a/drivers/gpu/drm/via/via_drv.h
38321 +++ b/drivers/gpu/drm/via/via_drv.h
38322 @@ -51,7 +51,7 @@ typedef struct drm_via_ring_buffer {
38323 typedef uint32_t maskarray_t[5];
38325 typedef struct drm_via_irq {
38326 - atomic_t irq_received;
38327 + atomic_unchecked_t irq_received;
38328 uint32_t pending_mask;
38329 uint32_t enable_mask;
38330 wait_queue_head_t irq_queue;
38331 @@ -75,7 +75,7 @@ typedef struct drm_via_private {
38332 struct timeval last_vblank;
38333 int last_vblank_valid;
38334 unsigned usec_per_vblank;
38335 - atomic_t vbl_received;
38336 + atomic_unchecked_t vbl_received;
38337 drm_via_state_t hc_state;
38338 char pci_buf[VIA_PCI_BUF_SIZE];
38339 const uint32_t *fire_offsets[VIA_FIRE_BUF_SIZE];
38340 diff --git a/drivers/gpu/drm/via/via_irq.c b/drivers/gpu/drm/via/via_irq.c
38341 index ac98964..5dbf512 100644
38342 --- a/drivers/gpu/drm/via/via_irq.c
38343 +++ b/drivers/gpu/drm/via/via_irq.c
38344 @@ -101,7 +101,7 @@ u32 via_get_vblank_counter(struct drm_device *dev, int crtc)
38348 - return atomic_read(&dev_priv->vbl_received);
38349 + return atomic_read_unchecked(&dev_priv->vbl_received);
38352 irqreturn_t via_driver_irq_handler(DRM_IRQ_ARGS)
38353 @@ -116,8 +116,8 @@ irqreturn_t via_driver_irq_handler(DRM_IRQ_ARGS)
38355 status = VIA_READ(VIA_REG_INTERRUPT);
38356 if (status & VIA_IRQ_VBLANK_PENDING) {
38357 - atomic_inc(&dev_priv->vbl_received);
38358 - if (!(atomic_read(&dev_priv->vbl_received) & 0x0F)) {
38359 + atomic_inc_unchecked(&dev_priv->vbl_received);
38360 + if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0x0F)) {
38361 do_gettimeofday(&cur_vblank);
38362 if (dev_priv->last_vblank_valid) {
38363 dev_priv->usec_per_vblank =
38364 @@ -127,7 +127,7 @@ irqreturn_t via_driver_irq_handler(DRM_IRQ_ARGS)
38365 dev_priv->last_vblank = cur_vblank;
38366 dev_priv->last_vblank_valid = 1;
38368 - if (!(atomic_read(&dev_priv->vbl_received) & 0xFF)) {
38369 + if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0xFF)) {
38370 DRM_DEBUG("US per vblank is: %u\n",
38371 dev_priv->usec_per_vblank);
38373 @@ -137,7 +137,7 @@ irqreturn_t via_driver_irq_handler(DRM_IRQ_ARGS)
38375 for (i = 0; i < dev_priv->num_irqs; ++i) {
38376 if (status & cur_irq->pending_mask) {
38377 - atomic_inc(&cur_irq->irq_received);
38378 + atomic_inc_unchecked(&cur_irq->irq_received);
38379 DRM_WAKEUP(&cur_irq->irq_queue);
38381 if (dev_priv->irq_map[drm_via_irq_dma0_td] == i)
38382 @@ -242,11 +242,11 @@ via_driver_irq_wait(struct drm_device *dev, unsigned int irq, int force_sequence
38383 DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * DRM_HZ,
38384 ((VIA_READ(masks[irq][2]) & masks[irq][3]) ==
38386 - cur_irq_sequence = atomic_read(&cur_irq->irq_received);
38387 + cur_irq_sequence = atomic_read_unchecked(&cur_irq->irq_received);
38389 DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * DRM_HZ,
38390 (((cur_irq_sequence =
38391 - atomic_read(&cur_irq->irq_received)) -
38392 + atomic_read_unchecked(&cur_irq->irq_received)) -
38393 *sequence) <= (1 << 23)));
38395 *sequence = cur_irq_sequence;
38396 @@ -284,7 +284,7 @@ void via_driver_irq_preinstall(struct drm_device *dev)
38399 for (i = 0; i < dev_priv->num_irqs; ++i) {
38400 - atomic_set(&cur_irq->irq_received, 0);
38401 + atomic_set_unchecked(&cur_irq->irq_received, 0);
38402 cur_irq->enable_mask = dev_priv->irq_masks[i][0];
38403 cur_irq->pending_mask = dev_priv->irq_masks[i][1];
38404 DRM_INIT_WAITQUEUE(&cur_irq->irq_queue);
38405 @@ -366,7 +366,7 @@ int via_wait_irq(struct drm_device *dev, void *data, struct drm_file *file_priv)
38406 switch (irqwait->request.type & ~VIA_IRQ_FLAGS_MASK) {
38407 case VIA_IRQ_RELATIVE:
38408 irqwait->request.sequence +=
38409 - atomic_read(&cur_irq->irq_received);
38410 + atomic_read_unchecked(&cur_irq->irq_received);
38411 irqwait->request.type &= ~_DRM_VBLANK_RELATIVE;
38412 case VIA_IRQ_ABSOLUTE:
38414 diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
38415 index 13aeda7..4a952d1 100644
38416 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
38417 +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
38418 @@ -290,7 +290,7 @@ struct vmw_private {
38419 * Fencing and IRQs.
38422 - atomic_t marker_seq;
38423 + atomic_unchecked_t marker_seq;
38424 wait_queue_head_t fence_queue;
38425 wait_queue_head_t fifo_queue;
38426 int fence_queue_waiters; /* Protected by hw_mutex */
38427 diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c b/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c
38428 index 3eb1486..0a47ee9 100644
38429 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c
38430 +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c
38431 @@ -137,7 +137,7 @@ int vmw_fifo_init(struct vmw_private *dev_priv, struct vmw_fifo_state *fifo)
38432 (unsigned int) min,
38433 (unsigned int) fifo->capabilities);
38435 - atomic_set(&dev_priv->marker_seq, dev_priv->last_read_seqno);
38436 + atomic_set_unchecked(&dev_priv->marker_seq, dev_priv->last_read_seqno);
38437 iowrite32(dev_priv->last_read_seqno, fifo_mem + SVGA_FIFO_FENCE);
38438 vmw_marker_queue_init(&fifo->marker_queue);
38439 return vmw_fifo_send_fence(dev_priv, &dummy);
38440 @@ -355,7 +355,7 @@ void *vmw_fifo_reserve(struct vmw_private *dev_priv, uint32_t bytes)
38442 iowrite32(bytes, fifo_mem +
38443 SVGA_FIFO_RESERVED);
38444 - return fifo_mem + (next_cmd >> 2);
38445 + return (__le32 __force_kernel *)fifo_mem + (next_cmd >> 2);
38447 need_bounce = true;
38449 @@ -475,7 +475,7 @@ int vmw_fifo_send_fence(struct vmw_private *dev_priv, uint32_t *seqno)
38451 fm = vmw_fifo_reserve(dev_priv, bytes);
38452 if (unlikely(fm == NULL)) {
38453 - *seqno = atomic_read(&dev_priv->marker_seq);
38454 + *seqno = atomic_read_unchecked(&dev_priv->marker_seq);
38456 (void)vmw_fallback_wait(dev_priv, false, true, *seqno,
38458 @@ -483,7 +483,7 @@ int vmw_fifo_send_fence(struct vmw_private *dev_priv, uint32_t *seqno)
38462 - *seqno = atomic_add_return(1, &dev_priv->marker_seq);
38463 + *seqno = atomic_add_return_unchecked(1, &dev_priv->marker_seq);
38464 } while (*seqno == 0);
38466 if (!(fifo_state->capabilities & SVGA_FIFO_CAP_FENCE)) {
38467 diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c b/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c
38468 index c509d40..3b640c3 100644
38469 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c
38470 +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c
38471 @@ -138,7 +138,7 @@ int vmw_present_ioctl(struct drm_device *dev, void *data,
38474 num_clips = arg->num_clips;
38475 - clips_ptr = (struct drm_vmw_rect *)(unsigned long)arg->clips_ptr;
38476 + clips_ptr = (struct drm_vmw_rect __user *)(unsigned long)arg->clips_ptr;
38478 if (unlikely(num_clips == 0))
38480 @@ -222,7 +222,7 @@ int vmw_present_readback_ioctl(struct drm_device *dev, void *data,
38483 num_clips = arg->num_clips;
38484 - clips_ptr = (struct drm_vmw_rect *)(unsigned long)arg->clips_ptr;
38485 + clips_ptr = (struct drm_vmw_rect __user *)(unsigned long)arg->clips_ptr;
38487 if (unlikely(num_clips == 0))
38489 diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c b/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c
38490 index 4640adb..e1384ed 100644
38491 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c
38492 +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c
38493 @@ -107,7 +107,7 @@ bool vmw_seqno_passed(struct vmw_private *dev_priv,
38494 * emitted. Then the fence is stale and signaled.
38497 - ret = ((atomic_read(&dev_priv->marker_seq) - seqno)
38498 + ret = ((atomic_read_unchecked(&dev_priv->marker_seq) - seqno)
38502 @@ -138,7 +138,7 @@ int vmw_fallback_wait(struct vmw_private *dev_priv,
38505 down_read(&fifo_state->rwsem);
38506 - signal_seq = atomic_read(&dev_priv->marker_seq);
38507 + signal_seq = atomic_read_unchecked(&dev_priv->marker_seq);
38511 diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_marker.c b/drivers/gpu/drm/vmwgfx/vmwgfx_marker.c
38512 index 8a8725c2..afed796 100644
38513 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_marker.c
38514 +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_marker.c
38515 @@ -151,7 +151,7 @@ int vmw_wait_lag(struct vmw_private *dev_priv,
38516 while (!vmw_lag_lt(queue, us)) {
38517 spin_lock(&queue->lock);
38518 if (list_empty(&queue->head))
38519 - seqno = atomic_read(&dev_priv->marker_seq);
38520 + seqno = atomic_read_unchecked(&dev_priv->marker_seq);
38522 marker = list_first_entry(&queue->head,
38523 struct vmw_marker, head);
38524 diff --git a/drivers/gpu/host1x/drm/dc.c b/drivers/gpu/host1x/drm/dc.c
38525 index 8c04943..4370ed9 100644
38526 --- a/drivers/gpu/host1x/drm/dc.c
38527 +++ b/drivers/gpu/host1x/drm/dc.c
38528 @@ -999,7 +999,7 @@ static int tegra_dc_debugfs_init(struct tegra_dc *dc, struct drm_minor *minor)
38531 for (i = 0; i < ARRAY_SIZE(debugfs_files); i++)
38532 - dc->debugfs_files[i].data = dc;
38533 + *(void **)&dc->debugfs_files[i].data = dc;
38535 err = drm_debugfs_create_files(dc->debugfs_files,
38536 ARRAY_SIZE(debugfs_files),
38537 diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
38538 index 402f486..f862d7e 100644
38539 --- a/drivers/hid/hid-core.c
38540 +++ b/drivers/hid/hid-core.c
38541 @@ -2275,7 +2275,7 @@ EXPORT_SYMBOL_GPL(hid_ignore);
38543 int hid_add_device(struct hid_device *hdev)
38545 - static atomic_t id = ATOMIC_INIT(0);
38546 + static atomic_unchecked_t id = ATOMIC_INIT(0);
38549 if (WARN_ON(hdev->status & HID_STAT_ADDED))
38550 @@ -2309,7 +2309,7 @@ int hid_add_device(struct hid_device *hdev)
38551 /* XXX hack, any other cleaner solution after the driver core
38552 * is converted to allow more than 20 bytes as the device name? */
38553 dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus,
38554 - hdev->vendor, hdev->product, atomic_inc_return(&id));
38555 + hdev->vendor, hdev->product, atomic_inc_return_unchecked(&id));
38557 hid_debug_register(hdev, dev_name(&hdev->dev));
38558 ret = device_add(&hdev->dev);
38559 diff --git a/drivers/hid/hid-wiimote-debug.c b/drivers/hid/hid-wiimote-debug.c
38560 index 90124ff..3761764 100644
38561 --- a/drivers/hid/hid-wiimote-debug.c
38562 +++ b/drivers/hid/hid-wiimote-debug.c
38563 @@ -66,7 +66,7 @@ static ssize_t wiidebug_eeprom_read(struct file *f, char __user *u, size_t s,
38564 else if (size == 0)
38567 - if (copy_to_user(u, buf, size))
38568 + if (size > sizeof(buf) || copy_to_user(u, buf, size))
38572 diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c
38573 index 0b122f8..b1d8160 100644
38574 --- a/drivers/hv/channel.c
38575 +++ b/drivers/hv/channel.c
38576 @@ -394,8 +394,8 @@ int vmbus_establish_gpadl(struct vmbus_channel *channel, void *kbuffer,
38580 - next_gpadl_handle = atomic_read(&vmbus_connection.next_gpadl_handle);
38581 - atomic_inc(&vmbus_connection.next_gpadl_handle);
38582 + next_gpadl_handle = atomic_read_unchecked(&vmbus_connection.next_gpadl_handle);
38583 + atomic_inc_unchecked(&vmbus_connection.next_gpadl_handle);
38585 ret = create_gpadl_header(kbuffer, size, &msginfo, &msgcount);
38587 diff --git a/drivers/hv/hv.c b/drivers/hv/hv.c
38588 index ae49237..380d4c9 100644
38589 --- a/drivers/hv/hv.c
38590 +++ b/drivers/hv/hv.c
38591 @@ -112,7 +112,7 @@ static u64 do_hypercall(u64 control, void *input, void *output)
38592 u64 output_address = (output) ? virt_to_phys(output) : 0;
38593 u32 output_address_hi = output_address >> 32;
38594 u32 output_address_lo = output_address & 0xFFFFFFFF;
38595 - void *hypercall_page = hv_context.hypercall_page;
38596 + void *hypercall_page = ktva_ktla(hv_context.hypercall_page);
38598 __asm__ __volatile__ ("call *%8" : "=d"(hv_status_hi),
38599 "=a"(hv_status_lo) : "d" (control_hi),
38600 diff --git a/drivers/hv/hyperv_vmbus.h b/drivers/hv/hyperv_vmbus.h
38601 index 12f2f9e..679603c 100644
38602 --- a/drivers/hv/hyperv_vmbus.h
38603 +++ b/drivers/hv/hyperv_vmbus.h
38604 @@ -591,7 +591,7 @@ enum vmbus_connect_state {
38605 struct vmbus_connection {
38606 enum vmbus_connect_state conn_state;
38608 - atomic_t next_gpadl_handle;
38609 + atomic_unchecked_t next_gpadl_handle;
38612 * Represents channel interrupts. Each bit position represents a
38613 diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
38614 index 4004e54..c2de226 100644
38615 --- a/drivers/hv/vmbus_drv.c
38616 +++ b/drivers/hv/vmbus_drv.c
38617 @@ -668,10 +668,10 @@ int vmbus_device_register(struct hv_device *child_device_obj)
38621 - static atomic_t device_num = ATOMIC_INIT(0);
38622 + static atomic_unchecked_t device_num = ATOMIC_INIT(0);
38624 dev_set_name(&child_device_obj->device, "vmbus_0_%d",
38625 - atomic_inc_return(&device_num));
38626 + atomic_inc_return_unchecked(&device_num));
38628 child_device_obj->device.bus = &hv_bus;
38629 child_device_obj->device.parent = &hv_acpi_dev->dev;
38630 diff --git a/drivers/hwmon/acpi_power_meter.c b/drivers/hwmon/acpi_power_meter.c
38631 index 6351aba..dc4aaf4 100644
38632 --- a/drivers/hwmon/acpi_power_meter.c
38633 +++ b/drivers/hwmon/acpi_power_meter.c
38634 @@ -117,7 +117,7 @@ struct sensor_template {
38635 struct device_attribute *devattr,
38636 const char *buf, size_t count);
38641 /* Averaging interval */
38642 static int update_avg_interval(struct acpi_power_meter_resource *resource)
38643 @@ -629,7 +629,7 @@ static int register_attrs(struct acpi_power_meter_resource *resource,
38644 struct sensor_template *attrs)
38646 struct device *dev = &resource->acpi_dev->dev;
38647 - struct sensor_device_attribute *sensors =
38648 + sensor_device_attribute_no_const *sensors =
38649 &resource->sensors[resource->num_sensors];
38652 diff --git a/drivers/hwmon/applesmc.c b/drivers/hwmon/applesmc.c
38653 index 62c2e32..8f2859a 100644
38654 --- a/drivers/hwmon/applesmc.c
38655 +++ b/drivers/hwmon/applesmc.c
38656 @@ -1084,7 +1084,7 @@ static int applesmc_create_nodes(struct applesmc_node_group *groups, int num)
38658 struct applesmc_node_group *grp;
38659 struct applesmc_dev_attr *node;
38660 - struct attribute *attr;
38661 + attribute_no_const *attr;
38664 for (grp = groups; grp->format; grp++) {
38665 diff --git a/drivers/hwmon/asus_atk0110.c b/drivers/hwmon/asus_atk0110.c
38666 index b25c643..a13460d 100644
38667 --- a/drivers/hwmon/asus_atk0110.c
38668 +++ b/drivers/hwmon/asus_atk0110.c
38669 @@ -152,10 +152,10 @@ MODULE_DEVICE_TABLE(acpi, atk_ids);
38670 struct atk_sensor_data {
38671 struct list_head list;
38672 struct atk_data *data;
38673 - struct device_attribute label_attr;
38674 - struct device_attribute input_attr;
38675 - struct device_attribute limit1_attr;
38676 - struct device_attribute limit2_attr;
38677 + device_attribute_no_const label_attr;
38678 + device_attribute_no_const input_attr;
38679 + device_attribute_no_const limit1_attr;
38680 + device_attribute_no_const limit2_attr;
38681 char label_attr_name[ATTR_NAME_SIZE];
38682 char input_attr_name[ATTR_NAME_SIZE];
38683 char limit1_attr_name[ATTR_NAME_SIZE];
38684 @@ -275,7 +275,7 @@ static ssize_t atk_name_show(struct device *dev,
38685 static struct device_attribute atk_name_attr =
38686 __ATTR(name, 0444, atk_name_show, NULL);
38688 -static void atk_init_attribute(struct device_attribute *attr, char *name,
38689 +static void atk_init_attribute(device_attribute_no_const *attr, char *name,
38690 sysfs_show_func show)
38692 sysfs_attr_init(&attr->attr);
38693 diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c
38694 index 658ce3a..0d0c2f3 100644
38695 --- a/drivers/hwmon/coretemp.c
38696 +++ b/drivers/hwmon/coretemp.c
38697 @@ -790,7 +790,7 @@ static int __cpuinit coretemp_cpu_callback(struct notifier_block *nfb,
38701 -static struct notifier_block coretemp_cpu_notifier __refdata = {
38702 +static struct notifier_block coretemp_cpu_notifier = {
38703 .notifier_call = coretemp_cpu_callback,
38706 diff --git a/drivers/hwmon/ibmaem.c b/drivers/hwmon/ibmaem.c
38707 index 1429f6e..ee03d59 100644
38708 --- a/drivers/hwmon/ibmaem.c
38709 +++ b/drivers/hwmon/ibmaem.c
38710 @@ -926,7 +926,7 @@ static int aem_register_sensors(struct aem_data *data,
38711 struct aem_rw_sensor_template *rw)
38713 struct device *dev = &data->pdev->dev;
38714 - struct sensor_device_attribute *sensors = data->sensors;
38715 + sensor_device_attribute_no_const *sensors = data->sensors;
38718 /* Set up read-only sensors */
38719 diff --git a/drivers/hwmon/iio_hwmon.c b/drivers/hwmon/iio_hwmon.c
38720 index 52b77af..aed1ddf 100644
38721 --- a/drivers/hwmon/iio_hwmon.c
38722 +++ b/drivers/hwmon/iio_hwmon.c
38723 @@ -73,7 +73,7 @@ static int iio_hwmon_probe(struct platform_device *pdev)
38725 struct device *dev = &pdev->dev;
38726 struct iio_hwmon_state *st;
38727 - struct sensor_device_attribute *a;
38728 + sensor_device_attribute_no_const *a;
38730 int in_i = 1, temp_i = 1, curr_i = 1;
38731 enum iio_chan_type type;
38732 diff --git a/drivers/hwmon/pmbus/pmbus_core.c b/drivers/hwmon/pmbus/pmbus_core.c
38733 index 9add6092..ee7ba3f 100644
38734 --- a/drivers/hwmon/pmbus/pmbus_core.c
38735 +++ b/drivers/hwmon/pmbus/pmbus_core.c
38736 @@ -781,7 +781,7 @@ static int pmbus_add_attribute(struct pmbus_data *data, struct attribute *attr)
38740 -static void pmbus_dev_attr_init(struct device_attribute *dev_attr,
38741 +static void pmbus_dev_attr_init(device_attribute_no_const *dev_attr,
38744 ssize_t (*show)(struct device *dev,
38745 @@ -798,7 +798,7 @@ static void pmbus_dev_attr_init(struct device_attribute *dev_attr,
38746 dev_attr->store = store;
38749 -static void pmbus_attr_init(struct sensor_device_attribute *a,
38750 +static void pmbus_attr_init(sensor_device_attribute_no_const *a,
38753 ssize_t (*show)(struct device *dev,
38754 @@ -820,7 +820,7 @@ static int pmbus_add_boolean(struct pmbus_data *data,
38757 struct pmbus_boolean *boolean;
38758 - struct sensor_device_attribute *a;
38759 + sensor_device_attribute_no_const *a;
38761 boolean = devm_kzalloc(data->dev, sizeof(*boolean), GFP_KERNEL);
38763 @@ -845,7 +845,7 @@ static struct pmbus_sensor *pmbus_add_sensor(struct pmbus_data *data,
38764 bool update, bool readonly)
38766 struct pmbus_sensor *sensor;
38767 - struct device_attribute *a;
38768 + device_attribute_no_const *a;
38770 sensor = devm_kzalloc(data->dev, sizeof(*sensor), GFP_KERNEL);
38772 @@ -876,7 +876,7 @@ static int pmbus_add_label(struct pmbus_data *data,
38773 const char *lstring, int index)
38775 struct pmbus_label *label;
38776 - struct device_attribute *a;
38777 + device_attribute_no_const *a;
38779 label = devm_kzalloc(data->dev, sizeof(*label), GFP_KERNEL);
38781 diff --git a/drivers/hwmon/sht15.c b/drivers/hwmon/sht15.c
38782 index 2507f90..1645765 100644
38783 --- a/drivers/hwmon/sht15.c
38784 +++ b/drivers/hwmon/sht15.c
38785 @@ -169,7 +169,7 @@ struct sht15_data {
38787 bool supply_uv_valid;
38788 struct work_struct update_supply_work;
38789 - atomic_t interrupt_handled;
38790 + atomic_unchecked_t interrupt_handled;
38794 @@ -542,13 +542,13 @@ static int sht15_measurement(struct sht15_data *data,
38795 ret = gpio_direction_input(data->pdata->gpio_data);
38798 - atomic_set(&data->interrupt_handled, 0);
38799 + atomic_set_unchecked(&data->interrupt_handled, 0);
38801 enable_irq(gpio_to_irq(data->pdata->gpio_data));
38802 if (gpio_get_value(data->pdata->gpio_data) == 0) {
38803 disable_irq_nosync(gpio_to_irq(data->pdata->gpio_data));
38804 /* Only relevant if the interrupt hasn't occurred. */
38805 - if (!atomic_read(&data->interrupt_handled))
38806 + if (!atomic_read_unchecked(&data->interrupt_handled))
38807 schedule_work(&data->read_work);
38809 ret = wait_event_timeout(data->wait_queue,
38810 @@ -820,7 +820,7 @@ static irqreturn_t sht15_interrupt_fired(int irq, void *d)
38812 /* First disable the interrupt */
38813 disable_irq_nosync(irq);
38814 - atomic_inc(&data->interrupt_handled);
38815 + atomic_inc_unchecked(&data->interrupt_handled);
38816 /* Then schedule a reading work struct */
38817 if (data->state != SHT15_READING_NOTHING)
38818 schedule_work(&data->read_work);
38819 @@ -842,11 +842,11 @@ static void sht15_bh_read_data(struct work_struct *work_s)
38820 * If not, then start the interrupt again - care here as could
38821 * have gone low in meantime so verify it hasn't!
38823 - atomic_set(&data->interrupt_handled, 0);
38824 + atomic_set_unchecked(&data->interrupt_handled, 0);
38825 enable_irq(gpio_to_irq(data->pdata->gpio_data));
38826 /* If still not occurred or another handler was scheduled */
38827 if (gpio_get_value(data->pdata->gpio_data)
38828 - || atomic_read(&data->interrupt_handled))
38829 + || atomic_read_unchecked(&data->interrupt_handled))
38833 diff --git a/drivers/hwmon/via-cputemp.c b/drivers/hwmon/via-cputemp.c
38834 index 76f157b..9c0db1b 100644
38835 --- a/drivers/hwmon/via-cputemp.c
38836 +++ b/drivers/hwmon/via-cputemp.c
38837 @@ -296,7 +296,7 @@ static int __cpuinit via_cputemp_cpu_callback(struct notifier_block *nfb,
38841 -static struct notifier_block via_cputemp_cpu_notifier __refdata = {
38842 +static struct notifier_block via_cputemp_cpu_notifier = {
38843 .notifier_call = via_cputemp_cpu_callback,
38846 diff --git a/drivers/i2c/busses/i2c-amd756-s4882.c b/drivers/i2c/busses/i2c-amd756-s4882.c
38847 index 07f01ac..d79ad3d 100644
38848 --- a/drivers/i2c/busses/i2c-amd756-s4882.c
38849 +++ b/drivers/i2c/busses/i2c-amd756-s4882.c
38851 extern struct i2c_adapter amd756_smbus;
38853 static struct i2c_adapter *s4882_adapter;
38854 -static struct i2c_algorithm *s4882_algo;
38855 +static i2c_algorithm_no_const *s4882_algo;
38857 /* Wrapper access functions for multiplexed SMBus */
38858 static DEFINE_MUTEX(amd756_lock);
38859 diff --git a/drivers/i2c/busses/i2c-nforce2-s4985.c b/drivers/i2c/busses/i2c-nforce2-s4985.c
38860 index 2ca268d..c6acbdf 100644
38861 --- a/drivers/i2c/busses/i2c-nforce2-s4985.c
38862 +++ b/drivers/i2c/busses/i2c-nforce2-s4985.c
38864 extern struct i2c_adapter *nforce2_smbus;
38866 static struct i2c_adapter *s4985_adapter;
38867 -static struct i2c_algorithm *s4985_algo;
38868 +static i2c_algorithm_no_const *s4985_algo;
38870 /* Wrapper access functions for multiplexed SMBus */
38871 static DEFINE_MUTEX(nforce2_lock);
38872 diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
38873 index c3ccdea..5b3dc1a 100644
38874 --- a/drivers/i2c/i2c-dev.c
38875 +++ b/drivers/i2c/i2c-dev.c
38876 @@ -271,7 +271,7 @@ static noinline int i2cdev_ioctl_rdrw(struct i2c_client *client,
38880 - data_ptrs[i] = (u8 __user *)rdwr_pa[i].buf;
38881 + data_ptrs[i] = (u8 __force_user *)rdwr_pa[i].buf;
38882 rdwr_pa[i].buf = memdup_user(data_ptrs[i], rdwr_pa[i].len);
38883 if (IS_ERR(rdwr_pa[i].buf)) {
38884 res = PTR_ERR(rdwr_pa[i].buf);
38885 diff --git a/drivers/ide/ide-cd.c b/drivers/ide/ide-cd.c
38886 index 2ff6204..218c16e 100644
38887 --- a/drivers/ide/ide-cd.c
38888 +++ b/drivers/ide/ide-cd.c
38889 @@ -768,7 +768,7 @@ static void cdrom_do_block_pc(ide_drive_t *drive, struct request *rq)
38890 alignment = queue_dma_alignment(q) | q->dma_pad_mask;
38891 if ((unsigned long)buf & alignment
38892 || blk_rq_bytes(rq) & q->dma_pad_mask
38893 - || object_is_on_stack(buf))
38894 + || object_starts_on_stack(buf))
38898 diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c
38899 index e145931..08bfc59 100644
38900 --- a/drivers/iio/industrialio-core.c
38901 +++ b/drivers/iio/industrialio-core.c
38902 @@ -506,7 +506,7 @@ static ssize_t iio_write_channel_info(struct device *dev,
38906 -int __iio_device_attr_init(struct device_attribute *dev_attr,
38907 +int __iio_device_attr_init(device_attribute_no_const *dev_attr,
38908 const char *postfix,
38909 struct iio_chan_spec const *chan,
38910 ssize_t (*readfunc)(struct device *dev,
38911 diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c
38912 index 784b97c..c9ceadf 100644
38913 --- a/drivers/infiniband/core/cm.c
38914 +++ b/drivers/infiniband/core/cm.c
38915 @@ -114,7 +114,7 @@ static char const counter_group_names[CM_COUNTER_GROUPS]
38917 struct cm_counter_group {
38918 struct kobject obj;
38919 - atomic_long_t counter[CM_ATTR_COUNT];
38920 + atomic_long_unchecked_t counter[CM_ATTR_COUNT];
38923 struct cm_counter_attribute {
38924 @@ -1395,7 +1395,7 @@ static void cm_dup_req_handler(struct cm_work *work,
38925 struct ib_mad_send_buf *msg = NULL;
38928 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
38929 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
38930 counter[CM_REQ_COUNTER]);
38932 /* Quick state check to discard duplicate REQs. */
38933 @@ -1779,7 +1779,7 @@ static void cm_dup_rep_handler(struct cm_work *work)
38937 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
38938 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
38939 counter[CM_REP_COUNTER]);
38940 ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
38942 @@ -1946,7 +1946,7 @@ static int cm_rtu_handler(struct cm_work *work)
38943 if (cm_id_priv->id.state != IB_CM_REP_SENT &&
38944 cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
38945 spin_unlock_irq(&cm_id_priv->lock);
38946 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
38947 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
38948 counter[CM_RTU_COUNTER]);
38951 @@ -2129,7 +2129,7 @@ static int cm_dreq_handler(struct cm_work *work)
38952 cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
38953 dreq_msg->local_comm_id);
38955 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
38956 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
38957 counter[CM_DREQ_COUNTER]);
38958 cm_issue_drep(work->port, work->mad_recv_wc);
38960 @@ -2154,7 +2154,7 @@ static int cm_dreq_handler(struct cm_work *work)
38961 case IB_CM_MRA_REP_RCVD:
38963 case IB_CM_TIMEWAIT:
38964 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
38965 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
38966 counter[CM_DREQ_COUNTER]);
38967 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
38969 @@ -2168,7 +2168,7 @@ static int cm_dreq_handler(struct cm_work *work)
38972 case IB_CM_DREQ_RCVD:
38973 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
38974 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
38975 counter[CM_DREQ_COUNTER]);
38978 @@ -2535,7 +2535,7 @@ static int cm_mra_handler(struct cm_work *work)
38979 ib_modify_mad(cm_id_priv->av.port->mad_agent,
38980 cm_id_priv->msg, timeout)) {
38981 if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
38982 - atomic_long_inc(&work->port->
38983 + atomic_long_inc_unchecked(&work->port->
38984 counter_group[CM_RECV_DUPLICATES].
38985 counter[CM_MRA_COUNTER]);
38987 @@ -2544,7 +2544,7 @@ static int cm_mra_handler(struct cm_work *work)
38989 case IB_CM_MRA_REQ_RCVD:
38990 case IB_CM_MRA_REP_RCVD:
38991 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
38992 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
38993 counter[CM_MRA_COUNTER]);
38996 @@ -2706,7 +2706,7 @@ static int cm_lap_handler(struct cm_work *work)
38997 case IB_CM_LAP_IDLE:
38999 case IB_CM_MRA_LAP_SENT:
39000 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
39001 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
39002 counter[CM_LAP_COUNTER]);
39003 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
39005 @@ -2722,7 +2722,7 @@ static int cm_lap_handler(struct cm_work *work)
39008 case IB_CM_LAP_RCVD:
39009 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
39010 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
39011 counter[CM_LAP_COUNTER]);
39014 @@ -3006,7 +3006,7 @@ static int cm_sidr_req_handler(struct cm_work *work)
39015 cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
39016 if (cur_cm_id_priv) {
39017 spin_unlock_irq(&cm.lock);
39018 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
39019 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
39020 counter[CM_SIDR_REQ_COUNTER]);
39021 goto out; /* Duplicate message. */
39023 @@ -3218,10 +3218,10 @@ static void cm_send_handler(struct ib_mad_agent *mad_agent,
39024 if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
39027 - atomic_long_add(1 + msg->retries,
39028 + atomic_long_add_unchecked(1 + msg->retries,
39029 &port->counter_group[CM_XMIT].counter[attr_index]);
39031 - atomic_long_add(msg->retries,
39032 + atomic_long_add_unchecked(msg->retries,
39033 &port->counter_group[CM_XMIT_RETRIES].
39034 counter[attr_index]);
39036 @@ -3431,7 +3431,7 @@ static void cm_recv_handler(struct ib_mad_agent *mad_agent,
39039 attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
39040 - atomic_long_inc(&port->counter_group[CM_RECV].
39041 + atomic_long_inc_unchecked(&port->counter_group[CM_RECV].
39042 counter[attr_id - CM_ATTR_ID_OFFSET]);
39044 work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
39045 @@ -3636,7 +3636,7 @@ static ssize_t cm_show_counter(struct kobject *obj, struct attribute *attr,
39046 cm_attr = container_of(attr, struct cm_counter_attribute, attr);
39048 return sprintf(buf, "%ld\n",
39049 - atomic_long_read(&group->counter[cm_attr->index]));
39050 + atomic_long_read_unchecked(&group->counter[cm_attr->index]));
39053 static const struct sysfs_ops cm_counter_ops = {
39054 diff --git a/drivers/infiniband/core/fmr_pool.c b/drivers/infiniband/core/fmr_pool.c
39055 index 9f5ad7c..588cd84 100644
39056 --- a/drivers/infiniband/core/fmr_pool.c
39057 +++ b/drivers/infiniband/core/fmr_pool.c
39058 @@ -98,8 +98,8 @@ struct ib_fmr_pool {
39060 struct task_struct *thread;
39062 - atomic_t req_ser;
39063 - atomic_t flush_ser;
39064 + atomic_unchecked_t req_ser;
39065 + atomic_unchecked_t flush_ser;
39067 wait_queue_head_t force_wait;
39069 @@ -179,10 +179,10 @@ static int ib_fmr_cleanup_thread(void *pool_ptr)
39070 struct ib_fmr_pool *pool = pool_ptr;
39073 - if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) < 0) {
39074 + if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) < 0) {
39075 ib_fmr_batch_release(pool);
39077 - atomic_inc(&pool->flush_ser);
39078 + atomic_inc_unchecked(&pool->flush_ser);
39079 wake_up_interruptible(&pool->force_wait);
39081 if (pool->flush_function)
39082 @@ -190,7 +190,7 @@ static int ib_fmr_cleanup_thread(void *pool_ptr)
39085 set_current_state(TASK_INTERRUPTIBLE);
39086 - if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) >= 0 &&
39087 + if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) >= 0 &&
39088 !kthread_should_stop())
39090 __set_current_state(TASK_RUNNING);
39091 @@ -282,8 +282,8 @@ struct ib_fmr_pool *ib_create_fmr_pool(struct ib_pd *pd,
39092 pool->dirty_watermark = params->dirty_watermark;
39093 pool->dirty_len = 0;
39094 spin_lock_init(&pool->pool_lock);
39095 - atomic_set(&pool->req_ser, 0);
39096 - atomic_set(&pool->flush_ser, 0);
39097 + atomic_set_unchecked(&pool->req_ser, 0);
39098 + atomic_set_unchecked(&pool->flush_ser, 0);
39099 init_waitqueue_head(&pool->force_wait);
39101 pool->thread = kthread_run(ib_fmr_cleanup_thread,
39102 @@ -411,11 +411,11 @@ int ib_flush_fmr_pool(struct ib_fmr_pool *pool)
39104 spin_unlock_irq(&pool->pool_lock);
39106 - serial = atomic_inc_return(&pool->req_ser);
39107 + serial = atomic_inc_return_unchecked(&pool->req_ser);
39108 wake_up_process(pool->thread);
39110 if (wait_event_interruptible(pool->force_wait,
39111 - atomic_read(&pool->flush_ser) - serial >= 0))
39112 + atomic_read_unchecked(&pool->flush_ser) - serial >= 0))
39116 @@ -525,7 +525,7 @@ int ib_fmr_pool_unmap(struct ib_pool_fmr *fmr)
39118 list_add_tail(&fmr->list, &pool->dirty_list);
39119 if (++pool->dirty_len >= pool->dirty_watermark) {
39120 - atomic_inc(&pool->req_ser);
39121 + atomic_inc_unchecked(&pool->req_ser);
39122 wake_up_process(pool->thread);
39125 diff --git a/drivers/infiniband/hw/cxgb4/mem.c b/drivers/infiniband/hw/cxgb4/mem.c
39126 index 4cb8eb2..146bf60 100644
39127 --- a/drivers/infiniband/hw/cxgb4/mem.c
39128 +++ b/drivers/infiniband/hw/cxgb4/mem.c
39129 @@ -249,7 +249,7 @@ static int write_tpt_entry(struct c4iw_rdev *rdev, u32 reset_tpt_entry,
39131 struct fw_ri_tpte tpt;
39133 - static atomic_t key;
39134 + static atomic_unchecked_t key;
39136 if (c4iw_fatal_error(rdev))
39138 @@ -266,7 +266,7 @@ static int write_tpt_entry(struct c4iw_rdev *rdev, u32 reset_tpt_entry,
39139 if (rdev->stats.stag.cur > rdev->stats.stag.max)
39140 rdev->stats.stag.max = rdev->stats.stag.cur;
39141 mutex_unlock(&rdev->stats.lock);
39142 - *stag = (stag_idx << 8) | (atomic_inc_return(&key) & 0xff);
39143 + *stag = (stag_idx << 8) | (atomic_inc_return_unchecked(&key) & 0xff);
39145 PDBG("%s stag_state 0x%0x type 0x%0x pdid 0x%0x, stag_idx 0x%x\n",
39146 __func__, stag_state, type, pdid, stag_idx);
39147 diff --git a/drivers/infiniband/hw/ipath/ipath_rc.c b/drivers/infiniband/hw/ipath/ipath_rc.c
39148 index 79b3dbc..96e5fcc 100644
39149 --- a/drivers/infiniband/hw/ipath/ipath_rc.c
39150 +++ b/drivers/infiniband/hw/ipath/ipath_rc.c
39151 @@ -1868,7 +1868,7 @@ void ipath_rc_rcv(struct ipath_ibdev *dev, struct ipath_ib_header *hdr,
39152 struct ib_atomic_eth *ateth;
39153 struct ipath_ack_entry *e;
39155 - atomic64_t *maddr;
39156 + atomic64_unchecked_t *maddr;
39160 @@ -1903,11 +1903,11 @@ void ipath_rc_rcv(struct ipath_ibdev *dev, struct ipath_ib_header *hdr,
39161 IB_ACCESS_REMOTE_ATOMIC)))
39162 goto nack_acc_unlck;
39163 /* Perform atomic OP and save result. */
39164 - maddr = (atomic64_t *) qp->r_sge.sge.vaddr;
39165 + maddr = (atomic64_unchecked_t *) qp->r_sge.sge.vaddr;
39166 sdata = be64_to_cpu(ateth->swap_data);
39167 e = &qp->s_ack_queue[qp->r_head_ack_queue];
39168 e->atomic_data = (opcode == OP(FETCH_ADD)) ?
39169 - (u64) atomic64_add_return(sdata, maddr) - sdata :
39170 + (u64) atomic64_add_return_unchecked(sdata, maddr) - sdata :
39171 (u64) cmpxchg((u64 *) qp->r_sge.sge.vaddr,
39172 be64_to_cpu(ateth->compare_data),
39174 diff --git a/drivers/infiniband/hw/ipath/ipath_ruc.c b/drivers/infiniband/hw/ipath/ipath_ruc.c
39175 index 1f95bba..9530f87 100644
39176 --- a/drivers/infiniband/hw/ipath/ipath_ruc.c
39177 +++ b/drivers/infiniband/hw/ipath/ipath_ruc.c
39178 @@ -266,7 +266,7 @@ static void ipath_ruc_loopback(struct ipath_qp *sqp)
39179 unsigned long flags;
39182 - atomic64_t *maddr;
39183 + atomic64_unchecked_t *maddr;
39184 enum ib_wc_status send_status;
39187 @@ -382,11 +382,11 @@ again:
39188 IB_ACCESS_REMOTE_ATOMIC)))
39190 /* Perform atomic OP and save result. */
39191 - maddr = (atomic64_t *) qp->r_sge.sge.vaddr;
39192 + maddr = (atomic64_unchecked_t *) qp->r_sge.sge.vaddr;
39193 sdata = wqe->wr.wr.atomic.compare_add;
39194 *(u64 *) sqp->s_sge.sge.vaddr =
39195 (wqe->wr.opcode == IB_WR_ATOMIC_FETCH_AND_ADD) ?
39196 - (u64) atomic64_add_return(sdata, maddr) - sdata :
39197 + (u64) atomic64_add_return_unchecked(sdata, maddr) - sdata :
39198 (u64) cmpxchg((u64 *) qp->r_sge.sge.vaddr,
39199 sdata, wqe->wr.wr.atomic.swap);
39201 diff --git a/drivers/infiniband/hw/mthca/mthca_cmd.c b/drivers/infiniband/hw/mthca/mthca_cmd.c
39202 index 9d3e5c1..d9afe4a 100644
39203 --- a/drivers/infiniband/hw/mthca/mthca_cmd.c
39204 +++ b/drivers/infiniband/hw/mthca/mthca_cmd.c
39205 @@ -772,7 +772,7 @@ static void mthca_setup_cmd_doorbells(struct mthca_dev *dev, u64 base)
39206 mthca_dbg(dev, "Mapped doorbell page for posting FW commands\n");
39209 -int mthca_QUERY_FW(struct mthca_dev *dev)
39210 +int __intentional_overflow(-1) mthca_QUERY_FW(struct mthca_dev *dev)
39212 struct mthca_mailbox *mailbox;
39214 diff --git a/drivers/infiniband/hw/mthca/mthca_mr.c b/drivers/infiniband/hw/mthca/mthca_mr.c
39215 index ed9a989..e0c5871 100644
39216 --- a/drivers/infiniband/hw/mthca/mthca_mr.c
39217 +++ b/drivers/infiniband/hw/mthca/mthca_mr.c
39218 @@ -426,7 +426,7 @@ static inline u32 adjust_key(struct mthca_dev *dev, u32 key)
39222 -int mthca_mr_alloc(struct mthca_dev *dev, u32 pd, int buffer_size_shift,
39223 +int __intentional_overflow(-1) mthca_mr_alloc(struct mthca_dev *dev, u32 pd, int buffer_size_shift,
39224 u64 iova, u64 total_size, u32 access, struct mthca_mr *mr)
39226 struct mthca_mailbox *mailbox;
39227 diff --git a/drivers/infiniband/hw/nes/nes.c b/drivers/infiniband/hw/nes/nes.c
39228 index 4291410..d2ab1fb 100644
39229 --- a/drivers/infiniband/hw/nes/nes.c
39230 +++ b/drivers/infiniband/hw/nes/nes.c
39231 @@ -98,7 +98,7 @@ MODULE_PARM_DESC(limit_maxrdreqsz, "Limit max read request size to 256 Bytes");
39232 LIST_HEAD(nes_adapter_list);
39233 static LIST_HEAD(nes_dev_list);
39235 -atomic_t qps_destroyed;
39236 +atomic_unchecked_t qps_destroyed;
39238 static unsigned int ee_flsh_adapter;
39239 static unsigned int sysfs_nonidx_addr;
39240 @@ -269,7 +269,7 @@ static void nes_cqp_rem_ref_callback(struct nes_device *nesdev, struct nes_cqp_r
39241 struct nes_qp *nesqp = cqp_request->cqp_callback_pointer;
39242 struct nes_adapter *nesadapter = nesdev->nesadapter;
39244 - atomic_inc(&qps_destroyed);
39245 + atomic_inc_unchecked(&qps_destroyed);
39247 /* Free the control structures */
39249 diff --git a/drivers/infiniband/hw/nes/nes.h b/drivers/infiniband/hw/nes/nes.h
39250 index 33cc589..3bd6538 100644
39251 --- a/drivers/infiniband/hw/nes/nes.h
39252 +++ b/drivers/infiniband/hw/nes/nes.h
39253 @@ -177,17 +177,17 @@ extern unsigned int nes_debug_level;
39254 extern unsigned int wqm_quanta;
39255 extern struct list_head nes_adapter_list;
39257 -extern atomic_t cm_connects;
39258 -extern atomic_t cm_accepts;
39259 -extern atomic_t cm_disconnects;
39260 -extern atomic_t cm_closes;
39261 -extern atomic_t cm_connecteds;
39262 -extern atomic_t cm_connect_reqs;
39263 -extern atomic_t cm_rejects;
39264 -extern atomic_t mod_qp_timouts;
39265 -extern atomic_t qps_created;
39266 -extern atomic_t qps_destroyed;
39267 -extern atomic_t sw_qps_destroyed;
39268 +extern atomic_unchecked_t cm_connects;
39269 +extern atomic_unchecked_t cm_accepts;
39270 +extern atomic_unchecked_t cm_disconnects;
39271 +extern atomic_unchecked_t cm_closes;
39272 +extern atomic_unchecked_t cm_connecteds;
39273 +extern atomic_unchecked_t cm_connect_reqs;
39274 +extern atomic_unchecked_t cm_rejects;
39275 +extern atomic_unchecked_t mod_qp_timouts;
39276 +extern atomic_unchecked_t qps_created;
39277 +extern atomic_unchecked_t qps_destroyed;
39278 +extern atomic_unchecked_t sw_qps_destroyed;
39279 extern u32 mh_detected;
39280 extern u32 mh_pauses_sent;
39281 extern u32 cm_packets_sent;
39282 @@ -196,16 +196,16 @@ extern u32 cm_packets_created;
39283 extern u32 cm_packets_received;
39284 extern u32 cm_packets_dropped;
39285 extern u32 cm_packets_retrans;
39286 -extern atomic_t cm_listens_created;
39287 -extern atomic_t cm_listens_destroyed;
39288 +extern atomic_unchecked_t cm_listens_created;
39289 +extern atomic_unchecked_t cm_listens_destroyed;
39290 extern u32 cm_backlog_drops;
39291 -extern atomic_t cm_loopbacks;
39292 -extern atomic_t cm_nodes_created;
39293 -extern atomic_t cm_nodes_destroyed;
39294 -extern atomic_t cm_accel_dropped_pkts;
39295 -extern atomic_t cm_resets_recvd;
39296 -extern atomic_t pau_qps_created;
39297 -extern atomic_t pau_qps_destroyed;
39298 +extern atomic_unchecked_t cm_loopbacks;
39299 +extern atomic_unchecked_t cm_nodes_created;
39300 +extern atomic_unchecked_t cm_nodes_destroyed;
39301 +extern atomic_unchecked_t cm_accel_dropped_pkts;
39302 +extern atomic_unchecked_t cm_resets_recvd;
39303 +extern atomic_unchecked_t pau_qps_created;
39304 +extern atomic_unchecked_t pau_qps_destroyed;
39306 extern u32 int_mod_timer_init;
39307 extern u32 int_mod_cq_depth_256;
39308 diff --git a/drivers/infiniband/hw/nes/nes_cm.c b/drivers/infiniband/hw/nes/nes_cm.c
39309 index 24b9f1a..00fd004 100644
39310 --- a/drivers/infiniband/hw/nes/nes_cm.c
39311 +++ b/drivers/infiniband/hw/nes/nes_cm.c
39312 @@ -68,14 +68,14 @@ u32 cm_packets_dropped;
39313 u32 cm_packets_retrans;
39314 u32 cm_packets_created;
39315 u32 cm_packets_received;
39316 -atomic_t cm_listens_created;
39317 -atomic_t cm_listens_destroyed;
39318 +atomic_unchecked_t cm_listens_created;
39319 +atomic_unchecked_t cm_listens_destroyed;
39320 u32 cm_backlog_drops;
39321 -atomic_t cm_loopbacks;
39322 -atomic_t cm_nodes_created;
39323 -atomic_t cm_nodes_destroyed;
39324 -atomic_t cm_accel_dropped_pkts;
39325 -atomic_t cm_resets_recvd;
39326 +atomic_unchecked_t cm_loopbacks;
39327 +atomic_unchecked_t cm_nodes_created;
39328 +atomic_unchecked_t cm_nodes_destroyed;
39329 +atomic_unchecked_t cm_accel_dropped_pkts;
39330 +atomic_unchecked_t cm_resets_recvd;
39332 static inline int mini_cm_accelerated(struct nes_cm_core *, struct nes_cm_node *);
39333 static struct nes_cm_listener *mini_cm_listen(struct nes_cm_core *, struct nes_vnic *, struct nes_cm_info *);
39334 @@ -148,13 +148,13 @@ static struct nes_cm_ops nes_cm_api = {
39336 static struct nes_cm_core *g_cm_core;
39338 -atomic_t cm_connects;
39339 -atomic_t cm_accepts;
39340 -atomic_t cm_disconnects;
39341 -atomic_t cm_closes;
39342 -atomic_t cm_connecteds;
39343 -atomic_t cm_connect_reqs;
39344 -atomic_t cm_rejects;
39345 +atomic_unchecked_t cm_connects;
39346 +atomic_unchecked_t cm_accepts;
39347 +atomic_unchecked_t cm_disconnects;
39348 +atomic_unchecked_t cm_closes;
39349 +atomic_unchecked_t cm_connecteds;
39350 +atomic_unchecked_t cm_connect_reqs;
39351 +atomic_unchecked_t cm_rejects;
39353 int nes_add_ref_cm_node(struct nes_cm_node *cm_node)
39355 @@ -1272,7 +1272,7 @@ static int mini_cm_dec_refcnt_listen(struct nes_cm_core *cm_core,
39359 - atomic_inc(&cm_listens_destroyed);
39360 + atomic_inc_unchecked(&cm_listens_destroyed);
39362 spin_unlock_irqrestore(&cm_core->listen_list_lock, flags);
39364 @@ -1466,7 +1466,7 @@ static struct nes_cm_node *make_cm_node(struct nes_cm_core *cm_core,
39367 add_hte_node(cm_core, cm_node);
39368 - atomic_inc(&cm_nodes_created);
39369 + atomic_inc_unchecked(&cm_nodes_created);
39373 @@ -1524,7 +1524,7 @@ static int rem_ref_cm_node(struct nes_cm_core *cm_core,
39376 atomic_dec(&cm_core->node_cnt);
39377 - atomic_inc(&cm_nodes_destroyed);
39378 + atomic_inc_unchecked(&cm_nodes_destroyed);
39379 nesqp = cm_node->nesqp;
39381 nesqp->cm_node = NULL;
39382 @@ -1588,7 +1588,7 @@ static int process_options(struct nes_cm_node *cm_node, u8 *optionsloc,
39384 static void drop_packet(struct sk_buff *skb)
39386 - atomic_inc(&cm_accel_dropped_pkts);
39387 + atomic_inc_unchecked(&cm_accel_dropped_pkts);
39388 dev_kfree_skb_any(skb);
39391 @@ -1651,7 +1651,7 @@ static void handle_rst_pkt(struct nes_cm_node *cm_node, struct sk_buff *skb,
39394 int reset = 0; /* whether to send reset in case of err.. */
39395 - atomic_inc(&cm_resets_recvd);
39396 + atomic_inc_unchecked(&cm_resets_recvd);
39397 nes_debug(NES_DBG_CM, "Received Reset, cm_node = %p, state = %u."
39398 " refcnt=%d\n", cm_node, cm_node->state,
39399 atomic_read(&cm_node->ref_count));
39400 @@ -2292,7 +2292,7 @@ static struct nes_cm_node *mini_cm_connect(struct nes_cm_core *cm_core,
39401 rem_ref_cm_node(cm_node->cm_core, cm_node);
39404 - atomic_inc(&cm_loopbacks);
39405 + atomic_inc_unchecked(&cm_loopbacks);
39406 loopbackremotenode->loopbackpartner = cm_node;
39407 loopbackremotenode->tcp_cntxt.rcv_wscale =
39408 NES_CM_DEFAULT_RCV_WND_SCALE;
39409 @@ -2567,7 +2567,7 @@ static int mini_cm_recv_pkt(struct nes_cm_core *cm_core,
39410 nes_queue_mgt_skbs(skb, nesvnic, cm_node->nesqp);
39412 rem_ref_cm_node(cm_core, cm_node);
39413 - atomic_inc(&cm_accel_dropped_pkts);
39414 + atomic_inc_unchecked(&cm_accel_dropped_pkts);
39415 dev_kfree_skb_any(skb);
39418 @@ -2875,7 +2875,7 @@ static int nes_cm_disconn_true(struct nes_qp *nesqp)
39420 if ((cm_id) && (cm_id->event_handler)) {
39421 if (issue_disconn) {
39422 - atomic_inc(&cm_disconnects);
39423 + atomic_inc_unchecked(&cm_disconnects);
39424 cm_event.event = IW_CM_EVENT_DISCONNECT;
39425 cm_event.status = disconn_status;
39426 cm_event.local_addr = cm_id->local_addr;
39427 @@ -2897,7 +2897,7 @@ static int nes_cm_disconn_true(struct nes_qp *nesqp)
39431 - atomic_inc(&cm_closes);
39432 + atomic_inc_unchecked(&cm_closes);
39433 nes_disconnect(nesqp, 1);
39435 cm_id->provider_data = nesqp;
39436 @@ -3033,7 +3033,7 @@ int nes_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param)
39438 nes_debug(NES_DBG_CM, "QP%u, cm_node=%p, jiffies = %lu listener = %p\n",
39439 nesqp->hwqp.qp_id, cm_node, jiffies, cm_node->listener);
39440 - atomic_inc(&cm_accepts);
39441 + atomic_inc_unchecked(&cm_accepts);
39443 nes_debug(NES_DBG_CM, "netdev refcnt = %u.\n",
39444 netdev_refcnt_read(nesvnic->netdev));
39445 @@ -3228,7 +3228,7 @@ int nes_reject(struct iw_cm_id *cm_id, const void *pdata, u8 pdata_len)
39446 struct nes_cm_core *cm_core;
39449 - atomic_inc(&cm_rejects);
39450 + atomic_inc_unchecked(&cm_rejects);
39451 cm_node = (struct nes_cm_node *)cm_id->provider_data;
39452 loopback = cm_node->loopbackpartner;
39453 cm_core = cm_node->cm_core;
39454 @@ -3288,7 +3288,7 @@ int nes_connect(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param)
39455 ntohl(cm_id->local_addr.sin_addr.s_addr),
39456 ntohs(cm_id->local_addr.sin_port));
39458 - atomic_inc(&cm_connects);
39459 + atomic_inc_unchecked(&cm_connects);
39460 nesqp->active_conn = 1;
39462 /* cache the cm_id in the qp */
39463 @@ -3398,7 +3398,7 @@ int nes_create_listen(struct iw_cm_id *cm_id, int backlog)
39464 g_cm_core->api->stop_listener(g_cm_core, (void *)cm_node);
39467 - atomic_inc(&cm_listens_created);
39468 + atomic_inc_unchecked(&cm_listens_created);
39471 cm_id->add_ref(cm_id);
39472 @@ -3499,7 +3499,7 @@ static void cm_event_connected(struct nes_cm_event *event)
39474 if (nesqp->destroyed)
39476 - atomic_inc(&cm_connecteds);
39477 + atomic_inc_unchecked(&cm_connecteds);
39478 nes_debug(NES_DBG_CM, "QP%u attempting to connect to 0x%08X:0x%04X on"
39479 " local port 0x%04X. jiffies = %lu.\n",
39481 @@ -3679,7 +3679,7 @@ static void cm_event_reset(struct nes_cm_event *event)
39483 cm_id->add_ref(cm_id);
39484 ret = cm_id->event_handler(cm_id, &cm_event);
39485 - atomic_inc(&cm_closes);
39486 + atomic_inc_unchecked(&cm_closes);
39487 cm_event.event = IW_CM_EVENT_CLOSE;
39488 cm_event.status = 0;
39489 cm_event.provider_data = cm_id->provider_data;
39490 @@ -3715,7 +3715,7 @@ static void cm_event_mpa_req(struct nes_cm_event *event)
39492 cm_id = cm_node->cm_id;
39494 - atomic_inc(&cm_connect_reqs);
39495 + atomic_inc_unchecked(&cm_connect_reqs);
39496 nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
39497 cm_node, cm_id, jiffies);
39499 @@ -3755,7 +3755,7 @@ static void cm_event_mpa_reject(struct nes_cm_event *event)
39501 cm_id = cm_node->cm_id;
39503 - atomic_inc(&cm_connect_reqs);
39504 + atomic_inc_unchecked(&cm_connect_reqs);
39505 nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
39506 cm_node, cm_id, jiffies);
39508 diff --git a/drivers/infiniband/hw/nes/nes_mgt.c b/drivers/infiniband/hw/nes/nes_mgt.c
39509 index 4166452..fc952c3 100644
39510 --- a/drivers/infiniband/hw/nes/nes_mgt.c
39511 +++ b/drivers/infiniband/hw/nes/nes_mgt.c
39514 #include "nes_mgt.h"
39516 -atomic_t pau_qps_created;
39517 -atomic_t pau_qps_destroyed;
39518 +atomic_unchecked_t pau_qps_created;
39519 +atomic_unchecked_t pau_qps_destroyed;
39521 static void nes_replenish_mgt_rq(struct nes_vnic_mgt *mgtvnic)
39523 @@ -621,7 +621,7 @@ void nes_destroy_pau_qp(struct nes_device *nesdev, struct nes_qp *nesqp)
39525 struct sk_buff *skb;
39526 unsigned long flags;
39527 - atomic_inc(&pau_qps_destroyed);
39528 + atomic_inc_unchecked(&pau_qps_destroyed);
39530 /* Free packets that have not yet been forwarded */
39531 /* Lock is acquired by skb_dequeue when removing the skb */
39532 @@ -810,7 +810,7 @@ static void nes_mgt_ce_handler(struct nes_device *nesdev, struct nes_hw_nic_cq *
39533 cq->cq_vbase[head].cqe_words[NES_NIC_CQE_HASH_RCVNXT]);
39534 skb_queue_head_init(&nesqp->pau_list);
39535 spin_lock_init(&nesqp->pau_lock);
39536 - atomic_inc(&pau_qps_created);
39537 + atomic_inc_unchecked(&pau_qps_created);
39538 nes_change_quad_hash(nesdev, mgtvnic->nesvnic, nesqp);
39541 diff --git a/drivers/infiniband/hw/nes/nes_nic.c b/drivers/infiniband/hw/nes/nes_nic.c
39542 index 49eb511..a774366 100644
39543 --- a/drivers/infiniband/hw/nes/nes_nic.c
39544 +++ b/drivers/infiniband/hw/nes/nes_nic.c
39545 @@ -1273,39 +1273,39 @@ static void nes_netdev_get_ethtool_stats(struct net_device *netdev,
39546 target_stat_values[++index] = mh_detected;
39547 target_stat_values[++index] = mh_pauses_sent;
39548 target_stat_values[++index] = nesvnic->endnode_ipv4_tcp_retransmits;
39549 - target_stat_values[++index] = atomic_read(&cm_connects);
39550 - target_stat_values[++index] = atomic_read(&cm_accepts);
39551 - target_stat_values[++index] = atomic_read(&cm_disconnects);
39552 - target_stat_values[++index] = atomic_read(&cm_connecteds);
39553 - target_stat_values[++index] = atomic_read(&cm_connect_reqs);
39554 - target_stat_values[++index] = atomic_read(&cm_rejects);
39555 - target_stat_values[++index] = atomic_read(&mod_qp_timouts);
39556 - target_stat_values[++index] = atomic_read(&qps_created);
39557 - target_stat_values[++index] = atomic_read(&sw_qps_destroyed);
39558 - target_stat_values[++index] = atomic_read(&qps_destroyed);
39559 - target_stat_values[++index] = atomic_read(&cm_closes);
39560 + target_stat_values[++index] = atomic_read_unchecked(&cm_connects);
39561 + target_stat_values[++index] = atomic_read_unchecked(&cm_accepts);
39562 + target_stat_values[++index] = atomic_read_unchecked(&cm_disconnects);
39563 + target_stat_values[++index] = atomic_read_unchecked(&cm_connecteds);
39564 + target_stat_values[++index] = atomic_read_unchecked(&cm_connect_reqs);
39565 + target_stat_values[++index] = atomic_read_unchecked(&cm_rejects);
39566 + target_stat_values[++index] = atomic_read_unchecked(&mod_qp_timouts);
39567 + target_stat_values[++index] = atomic_read_unchecked(&qps_created);
39568 + target_stat_values[++index] = atomic_read_unchecked(&sw_qps_destroyed);
39569 + target_stat_values[++index] = atomic_read_unchecked(&qps_destroyed);
39570 + target_stat_values[++index] = atomic_read_unchecked(&cm_closes);
39571 target_stat_values[++index] = cm_packets_sent;
39572 target_stat_values[++index] = cm_packets_bounced;
39573 target_stat_values[++index] = cm_packets_created;
39574 target_stat_values[++index] = cm_packets_received;
39575 target_stat_values[++index] = cm_packets_dropped;
39576 target_stat_values[++index] = cm_packets_retrans;
39577 - target_stat_values[++index] = atomic_read(&cm_listens_created);
39578 - target_stat_values[++index] = atomic_read(&cm_listens_destroyed);
39579 + target_stat_values[++index] = atomic_read_unchecked(&cm_listens_created);
39580 + target_stat_values[++index] = atomic_read_unchecked(&cm_listens_destroyed);
39581 target_stat_values[++index] = cm_backlog_drops;
39582 - target_stat_values[++index] = atomic_read(&cm_loopbacks);
39583 - target_stat_values[++index] = atomic_read(&cm_nodes_created);
39584 - target_stat_values[++index] = atomic_read(&cm_nodes_destroyed);
39585 - target_stat_values[++index] = atomic_read(&cm_accel_dropped_pkts);
39586 - target_stat_values[++index] = atomic_read(&cm_resets_recvd);
39587 + target_stat_values[++index] = atomic_read_unchecked(&cm_loopbacks);
39588 + target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_created);
39589 + target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_destroyed);
39590 + target_stat_values[++index] = atomic_read_unchecked(&cm_accel_dropped_pkts);
39591 + target_stat_values[++index] = atomic_read_unchecked(&cm_resets_recvd);
39592 target_stat_values[++index] = nesadapter->free_4kpbl;
39593 target_stat_values[++index] = nesadapter->free_256pbl;
39594 target_stat_values[++index] = int_mod_timer_init;
39595 target_stat_values[++index] = nesvnic->lro_mgr.stats.aggregated;
39596 target_stat_values[++index] = nesvnic->lro_mgr.stats.flushed;
39597 target_stat_values[++index] = nesvnic->lro_mgr.stats.no_desc;
39598 - target_stat_values[++index] = atomic_read(&pau_qps_created);
39599 - target_stat_values[++index] = atomic_read(&pau_qps_destroyed);
39600 + target_stat_values[++index] = atomic_read_unchecked(&pau_qps_created);
39601 + target_stat_values[++index] = atomic_read_unchecked(&pau_qps_destroyed);
39605 diff --git a/drivers/infiniband/hw/nes/nes_verbs.c b/drivers/infiniband/hw/nes/nes_verbs.c
39606 index 8f67fe2..8960859 100644
39607 --- a/drivers/infiniband/hw/nes/nes_verbs.c
39608 +++ b/drivers/infiniband/hw/nes/nes_verbs.c
39611 #include <rdma/ib_umem.h>
39613 -atomic_t mod_qp_timouts;
39614 -atomic_t qps_created;
39615 -atomic_t sw_qps_destroyed;
39616 +atomic_unchecked_t mod_qp_timouts;
39617 +atomic_unchecked_t qps_created;
39618 +atomic_unchecked_t sw_qps_destroyed;
39620 static void nes_unregister_ofa_device(struct nes_ib_device *nesibdev);
39622 @@ -1134,7 +1134,7 @@ static struct ib_qp *nes_create_qp(struct ib_pd *ibpd,
39623 if (init_attr->create_flags)
39624 return ERR_PTR(-EINVAL);
39626 - atomic_inc(&qps_created);
39627 + atomic_inc_unchecked(&qps_created);
39628 switch (init_attr->qp_type) {
39630 if (nes_drv_opt & NES_DRV_OPT_NO_INLINE_DATA) {
39631 @@ -1465,7 +1465,7 @@ static int nes_destroy_qp(struct ib_qp *ibqp)
39632 struct iw_cm_event cm_event;
39635 - atomic_inc(&sw_qps_destroyed);
39636 + atomic_inc_unchecked(&sw_qps_destroyed);
39637 nesqp->destroyed = 1;
39639 /* Blow away the connection if it exists. */
39640 diff --git a/drivers/infiniband/hw/qib/qib.h b/drivers/infiniband/hw/qib/qib.h
39641 index 4d11575..3e890e5 100644
39642 --- a/drivers/infiniband/hw/qib/qib.h
39643 +++ b/drivers/infiniband/hw/qib/qib.h
39645 #include <linux/completion.h>
39646 #include <linux/kref.h>
39647 #include <linux/sched.h>
39648 +#include <linux/slab.h>
39650 #include "qib_common.h"
39651 #include "qib_verbs.h"
39652 diff --git a/drivers/input/gameport/gameport.c b/drivers/input/gameport/gameport.c
39653 index da739d9..da1c7f4 100644
39654 --- a/drivers/input/gameport/gameport.c
39655 +++ b/drivers/input/gameport/gameport.c
39656 @@ -487,14 +487,14 @@ EXPORT_SYMBOL(gameport_set_phys);
39658 static void gameport_init_port(struct gameport *gameport)
39660 - static atomic_t gameport_no = ATOMIC_INIT(0);
39661 + static atomic_unchecked_t gameport_no = ATOMIC_INIT(0);
39663 __module_get(THIS_MODULE);
39665 mutex_init(&gameport->drv_mutex);
39666 device_initialize(&gameport->dev);
39667 dev_set_name(&gameport->dev, "gameport%lu",
39668 - (unsigned long)atomic_inc_return(&gameport_no) - 1);
39669 + (unsigned long)atomic_inc_return_unchecked(&gameport_no) - 1);
39670 gameport->dev.bus = &gameport_bus;
39671 gameport->dev.release = gameport_release_port;
39672 if (gameport->parent)
39673 diff --git a/drivers/input/input.c b/drivers/input/input.c
39674 index c044699..174d71a 100644
39675 --- a/drivers/input/input.c
39676 +++ b/drivers/input/input.c
39677 @@ -2019,7 +2019,7 @@ static void devm_input_device_unregister(struct device *dev, void *res)
39679 int input_register_device(struct input_dev *dev)
39681 - static atomic_t input_no = ATOMIC_INIT(0);
39682 + static atomic_unchecked_t input_no = ATOMIC_INIT(0);
39683 struct input_devres *devres = NULL;
39684 struct input_handler *handler;
39685 unsigned int packet_size;
39686 @@ -2074,7 +2074,7 @@ int input_register_device(struct input_dev *dev)
39687 dev->setkeycode = input_default_setkeycode;
39689 dev_set_name(&dev->dev, "input%ld",
39690 - (unsigned long) atomic_inc_return(&input_no) - 1);
39691 + (unsigned long) atomic_inc_return_unchecked(&input_no) - 1);
39693 error = device_add(&dev->dev);
39695 diff --git a/drivers/input/joystick/sidewinder.c b/drivers/input/joystick/sidewinder.c
39696 index 04c69af..5f92d00 100644
39697 --- a/drivers/input/joystick/sidewinder.c
39698 +++ b/drivers/input/joystick/sidewinder.c
39700 #include <linux/kernel.h>
39701 #include <linux/module.h>
39702 #include <linux/slab.h>
39703 +#include <linux/sched.h>
39704 #include <linux/init.h>
39705 #include <linux/input.h>
39706 #include <linux/gameport.h>
39707 diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c
39708 index fa061d4..4a6957c 100644
39709 --- a/drivers/input/joystick/xpad.c
39710 +++ b/drivers/input/joystick/xpad.c
39711 @@ -735,7 +735,7 @@ static void xpad_led_set(struct led_classdev *led_cdev,
39713 static int xpad_led_probe(struct usb_xpad *xpad)
39715 - static atomic_t led_seq = ATOMIC_INIT(0);
39716 + static atomic_unchecked_t led_seq = ATOMIC_INIT(0);
39718 struct xpad_led *led;
39719 struct led_classdev *led_cdev;
39720 @@ -748,7 +748,7 @@ static int xpad_led_probe(struct usb_xpad *xpad)
39724 - led_no = (long)atomic_inc_return(&led_seq) - 1;
39725 + led_no = (long)atomic_inc_return_unchecked(&led_seq) - 1;
39727 snprintf(led->name, sizeof(led->name), "xpad%ld", led_no);
39729 diff --git a/drivers/input/mouse/psmouse.h b/drivers/input/mouse/psmouse.h
39730 index 2f0b39d..7370f13 100644
39731 --- a/drivers/input/mouse/psmouse.h
39732 +++ b/drivers/input/mouse/psmouse.h
39733 @@ -116,7 +116,7 @@ struct psmouse_attribute {
39734 ssize_t (*set)(struct psmouse *psmouse, void *data,
39735 const char *buf, size_t count);
39739 #define to_psmouse_attr(a) container_of((a), struct psmouse_attribute, dattr)
39741 ssize_t psmouse_attr_show_helper(struct device *dev, struct device_attribute *attr,
39742 diff --git a/drivers/input/mousedev.c b/drivers/input/mousedev.c
39743 index 4c842c3..590b0bf 100644
39744 --- a/drivers/input/mousedev.c
39745 +++ b/drivers/input/mousedev.c
39746 @@ -738,7 +738,7 @@ static ssize_t mousedev_read(struct file *file, char __user *buffer,
39748 spin_unlock_irq(&client->packet_lock);
39750 - if (copy_to_user(buffer, data, count))
39751 + if (count > sizeof(data) || copy_to_user(buffer, data, count))
39755 diff --git a/drivers/input/serio/serio.c b/drivers/input/serio/serio.c
39756 index 25fc597..558bf3b3 100644
39757 --- a/drivers/input/serio/serio.c
39758 +++ b/drivers/input/serio/serio.c
39759 @@ -496,7 +496,7 @@ static void serio_release_port(struct device *dev)
39761 static void serio_init_port(struct serio *serio)
39763 - static atomic_t serio_no = ATOMIC_INIT(0);
39764 + static atomic_unchecked_t serio_no = ATOMIC_INIT(0);
39766 __module_get(THIS_MODULE);
39768 @@ -507,7 +507,7 @@ static void serio_init_port(struct serio *serio)
39769 mutex_init(&serio->drv_mutex);
39770 device_initialize(&serio->dev);
39771 dev_set_name(&serio->dev, "serio%ld",
39772 - (long)atomic_inc_return(&serio_no) - 1);
39773 + (long)atomic_inc_return_unchecked(&serio_no) - 1);
39774 serio->dev.bus = &serio_bus;
39775 serio->dev.release = serio_release_port;
39776 serio->dev.groups = serio_device_attr_groups;
39777 diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
39778 index d8f98b1..f62a640 100644
39779 --- a/drivers/iommu/iommu.c
39780 +++ b/drivers/iommu/iommu.c
39781 @@ -583,7 +583,7 @@ static struct notifier_block iommu_bus_nb = {
39782 static void iommu_bus_init(struct bus_type *bus, struct iommu_ops *ops)
39784 bus_register_notifier(bus, &iommu_bus_nb);
39785 - bus_for_each_dev(bus, NULL, ops, add_iommu_group);
39786 + bus_for_each_dev(bus, NULL, (void *)ops, add_iommu_group);
39790 diff --git a/drivers/iommu/irq_remapping.c b/drivers/iommu/irq_remapping.c
39791 index dcfea4e..f4226b2 100644
39792 --- a/drivers/iommu/irq_remapping.c
39793 +++ b/drivers/iommu/irq_remapping.c
39794 @@ -354,7 +354,7 @@ int setup_hpet_msi_remapped(unsigned int irq, unsigned int id)
39795 void panic_if_irq_remap(const char *msg)
39797 if (irq_remapping_enabled)
39799 + panic("%s", msg);
39802 static void ir_ack_apic_edge(struct irq_data *data)
39803 @@ -375,10 +375,12 @@ static void ir_print_prefix(struct irq_data *data, struct seq_file *p)
39805 void irq_remap_modify_chip_defaults(struct irq_chip *chip)
39807 - chip->irq_print_chip = ir_print_prefix;
39808 - chip->irq_ack = ir_ack_apic_edge;
39809 - chip->irq_eoi = ir_ack_apic_level;
39810 - chip->irq_set_affinity = x86_io_apic_ops.set_affinity;
39811 + pax_open_kernel();
39812 + *(void **)&chip->irq_print_chip = ir_print_prefix;
39813 + *(void **)&chip->irq_ack = ir_ack_apic_edge;
39814 + *(void **)&chip->irq_eoi = ir_ack_apic_level;
39815 + *(void **)&chip->irq_set_affinity = x86_io_apic_ops.set_affinity;
39816 + pax_close_kernel();
39819 bool setup_remapped_irq(int irq, struct irq_cfg *cfg, struct irq_chip *chip)
39820 diff --git a/drivers/irqchip/irq-gic.c b/drivers/irqchip/irq-gic.c
39821 index 19ceaa6..3625818 100644
39822 --- a/drivers/irqchip/irq-gic.c
39823 +++ b/drivers/irqchip/irq-gic.c
39824 @@ -84,7 +84,7 @@ static u8 gic_cpu_map[NR_GIC_CPU_IF] __read_mostly;
39825 * Supported arch specific GIC irq extension.
39826 * Default make them NULL.
39828 -struct irq_chip gic_arch_extn = {
39829 +irq_chip_no_const gic_arch_extn = {
39832 .irq_unmask = NULL,
39833 @@ -333,7 +333,7 @@ static void gic_handle_cascade_irq(unsigned int irq, struct irq_desc *desc)
39834 chained_irq_exit(chip, desc);
39837 -static struct irq_chip gic_chip = {
39838 +static irq_chip_no_const gic_chip __read_only = {
39840 .irq_mask = gic_mask_irq,
39841 .irq_unmask = gic_unmask_irq,
39842 diff --git a/drivers/isdn/capi/capi.c b/drivers/isdn/capi/capi.c
39843 index ac6f72b..81150f2 100644
39844 --- a/drivers/isdn/capi/capi.c
39845 +++ b/drivers/isdn/capi/capi.c
39846 @@ -81,8 +81,8 @@ struct capiminor {
39848 struct capi20_appl *ap;
39850 - atomic_t datahandle;
39852 + atomic_unchecked_t datahandle;
39853 + atomic_unchecked_t msgid;
39855 struct tty_port port;
39857 @@ -391,7 +391,7 @@ gen_data_b3_resp_for(struct capiminor *mp, struct sk_buff *skb)
39858 capimsg_setu16(s, 2, mp->ap->applid);
39859 capimsg_setu8 (s, 4, CAPI_DATA_B3);
39860 capimsg_setu8 (s, 5, CAPI_RESP);
39861 - capimsg_setu16(s, 6, atomic_inc_return(&mp->msgid));
39862 + capimsg_setu16(s, 6, atomic_inc_return_unchecked(&mp->msgid));
39863 capimsg_setu32(s, 8, mp->ncci);
39864 capimsg_setu16(s, 12, datahandle);
39866 @@ -512,14 +512,14 @@ static void handle_minor_send(struct capiminor *mp)
39867 mp->outbytes -= len;
39868 spin_unlock_bh(&mp->outlock);
39870 - datahandle = atomic_inc_return(&mp->datahandle);
39871 + datahandle = atomic_inc_return_unchecked(&mp->datahandle);
39872 skb_push(skb, CAPI_DATA_B3_REQ_LEN);
39873 memset(skb->data, 0, CAPI_DATA_B3_REQ_LEN);
39874 capimsg_setu16(skb->data, 0, CAPI_DATA_B3_REQ_LEN);
39875 capimsg_setu16(skb->data, 2, mp->ap->applid);
39876 capimsg_setu8 (skb->data, 4, CAPI_DATA_B3);
39877 capimsg_setu8 (skb->data, 5, CAPI_REQ);
39878 - capimsg_setu16(skb->data, 6, atomic_inc_return(&mp->msgid));
39879 + capimsg_setu16(skb->data, 6, atomic_inc_return_unchecked(&mp->msgid));
39880 capimsg_setu32(skb->data, 8, mp->ncci); /* NCCI */
39881 capimsg_setu32(skb->data, 12, (u32)(long)skb->data);/* Data32 */
39882 capimsg_setu16(skb->data, 16, len); /* Data length */
39883 diff --git a/drivers/isdn/gigaset/interface.c b/drivers/isdn/gigaset/interface.c
39884 index 600c79b..3752bab 100644
39885 --- a/drivers/isdn/gigaset/interface.c
39886 +++ b/drivers/isdn/gigaset/interface.c
39887 @@ -130,9 +130,9 @@ static int if_open(struct tty_struct *tty, struct file *filp)
39889 tty->driver_data = cs;
39891 - ++cs->port.count;
39892 + atomic_inc(&cs->port.count);
39894 - if (cs->port.count == 1) {
39895 + if (atomic_read(&cs->port.count) == 1) {
39896 tty_port_tty_set(&cs->port, tty);
39897 cs->port.low_latency = 1;
39899 @@ -156,9 +156,9 @@ static void if_close(struct tty_struct *tty, struct file *filp)
39901 if (!cs->connected)
39902 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
39903 - else if (!cs->port.count)
39904 + else if (!atomic_read(&cs->port.count))
39905 dev_warn(cs->dev, "%s: device not opened\n", __func__);
39906 - else if (!--cs->port.count)
39907 + else if (!atomic_dec_return(&cs->port.count))
39908 tty_port_tty_set(&cs->port, NULL);
39910 mutex_unlock(&cs->mutex);
39911 diff --git a/drivers/isdn/hardware/avm/b1.c b/drivers/isdn/hardware/avm/b1.c
39912 index 4d9b195..455075c 100644
39913 --- a/drivers/isdn/hardware/avm/b1.c
39914 +++ b/drivers/isdn/hardware/avm/b1.c
39915 @@ -176,7 +176,7 @@ int b1_load_t4file(avmcard *card, capiloaddatapart *t4file)
39918 if (t4file->user) {
39919 - if (copy_from_user(buf, dp, left))
39920 + if (left > sizeof buf || copy_from_user(buf, dp, left))
39923 memcpy(buf, dp, left);
39924 @@ -224,7 +224,7 @@ int b1_load_config(avmcard *card, capiloaddatapart *config)
39927 if (config->user) {
39928 - if (copy_from_user(buf, dp, left))
39929 + if (left > sizeof buf || copy_from_user(buf, dp, left))
39932 memcpy(buf, dp, left);
39933 diff --git a/drivers/isdn/i4l/isdn_tty.c b/drivers/isdn/i4l/isdn_tty.c
39934 index 3c5f249..5fac4d0 100644
39935 --- a/drivers/isdn/i4l/isdn_tty.c
39936 +++ b/drivers/isdn/i4l/isdn_tty.c
39937 @@ -1508,9 +1508,9 @@ isdn_tty_open(struct tty_struct *tty, struct file *filp)
39939 #ifdef ISDN_DEBUG_MODEM_OPEN
39940 printk(KERN_DEBUG "isdn_tty_open %s, count = %d\n", tty->name,
39942 + atomic_read(&port->count));
39945 + atomic_inc(&port->count);
39948 * Start up serial port
39949 @@ -1554,7 +1554,7 @@ isdn_tty_close(struct tty_struct *tty, struct file *filp)
39953 - if ((tty->count == 1) && (port->count != 1)) {
39954 + if ((tty->count == 1) && (atomic_read(&port->count) != 1)) {
39956 * Uh, oh. tty->count is 1, which means that the tty
39957 * structure will be freed. Info->count should always
39958 @@ -1563,15 +1563,15 @@ isdn_tty_close(struct tty_struct *tty, struct file *filp)
39959 * serial port won't be shutdown.
39961 printk(KERN_ERR "isdn_tty_close: bad port count; tty->count is 1, "
39962 - "info->count is %d\n", port->count);
39964 + "info->count is %d\n", atomic_read(&port->count));
39965 + atomic_set(&port->count, 1);
39967 - if (--port->count < 0) {
39968 + if (atomic_dec_return(&port->count) < 0) {
39969 printk(KERN_ERR "isdn_tty_close: bad port count for ttyi%d: %d\n",
39970 - info->line, port->count);
39972 + info->line, atomic_read(&port->count));
39973 + atomic_set(&port->count, 0);
39975 - if (port->count) {
39976 + if (atomic_read(&port->count)) {
39977 #ifdef ISDN_DEBUG_MODEM_OPEN
39978 printk(KERN_DEBUG "isdn_tty_close after info->count != 0\n");
39980 @@ -1625,7 +1625,7 @@ isdn_tty_hangup(struct tty_struct *tty)
39981 if (isdn_tty_paranoia_check(info, tty->name, "isdn_tty_hangup"))
39983 isdn_tty_shutdown(info);
39985 + atomic_set(&port->count, 0);
39986 port->flags &= ~ASYNC_NORMAL_ACTIVE;
39988 wake_up_interruptible(&port->open_wait);
39989 @@ -1970,7 +1970,7 @@ isdn_tty_find_icall(int di, int ch, setup_parm *setup)
39990 for (i = 0; i < ISDN_MAX_CHANNELS; i++) {
39991 modem_info *info = &dev->mdm.info[i];
39993 - if (info->port.count == 0)
39994 + if (atomic_read(&info->port.count) == 0)
39996 if ((info->emu.mdmreg[REG_SI1] & si2bit[si1]) && /* SI1 is matching */
39997 (info->emu.mdmreg[REG_SI2] == si2)) { /* SI2 is matching */
39998 diff --git a/drivers/isdn/icn/icn.c b/drivers/isdn/icn/icn.c
39999 index e74df7c..03a03ba 100644
40000 --- a/drivers/isdn/icn/icn.c
40001 +++ b/drivers/isdn/icn/icn.c
40002 @@ -1045,7 +1045,7 @@ icn_writecmd(const u_char *buf, int len, int user, icn_card *card)
40006 - if (copy_from_user(msg, buf, count))
40007 + if (count > sizeof msg || copy_from_user(msg, buf, count))
40010 memcpy(msg, buf, count);
40011 diff --git a/drivers/leds/leds-clevo-mail.c b/drivers/leds/leds-clevo-mail.c
40012 index 6a8405d..0bd1c7e 100644
40013 --- a/drivers/leds/leds-clevo-mail.c
40014 +++ b/drivers/leds/leds-clevo-mail.c
40015 @@ -40,7 +40,7 @@ static int __init clevo_mail_led_dmi_callback(const struct dmi_system_id *id)
40016 * detected as working, but in reality it is not) as low as
40019 -static struct dmi_system_id __initdata clevo_mail_led_dmi_table[] = {
40020 +static const struct dmi_system_id __initconst clevo_mail_led_dmi_table[] = {
40022 .callback = clevo_mail_led_dmi_callback,
40023 .ident = "Clevo D410J",
40024 diff --git a/drivers/leds/leds-ss4200.c b/drivers/leds/leds-ss4200.c
40025 index 64e204e..c6bf189 100644
40026 --- a/drivers/leds/leds-ss4200.c
40027 +++ b/drivers/leds/leds-ss4200.c
40028 @@ -91,7 +91,7 @@ MODULE_PARM_DESC(nodetect, "Skip DMI-based hardware detection");
40029 * detected as working, but in reality it is not) as low as
40032 -static struct dmi_system_id __initdata nas_led_whitelist[] = {
40033 +static const struct dmi_system_id __initconst nas_led_whitelist[] = {
40035 .callback = ss4200_led_dmi_callback,
40036 .ident = "Intel SS4200-E",
40037 diff --git a/drivers/lguest/core.c b/drivers/lguest/core.c
40038 index 0bf1e4e..b4bf44e 100644
40039 --- a/drivers/lguest/core.c
40040 +++ b/drivers/lguest/core.c
40041 @@ -97,9 +97,17 @@ static __init int map_switcher(void)
40042 * The end address needs +1 because __get_vm_area allocates an
40043 * extra guard page, so we need space for that.
40046 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
40047 + switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
40048 + VM_ALLOC | VM_KERNEXEC, switcher_addr, switcher_addr
40049 + + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
40051 switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
40052 VM_ALLOC, switcher_addr, switcher_addr
40053 + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
40056 if (!switcher_vma) {
40058 printk("lguest: could not map switcher pages high\n");
40059 @@ -124,7 +132,7 @@ static __init int map_switcher(void)
40060 * Now the Switcher is mapped at the right address, we can't fail!
40061 * Copy in the compiled-in Switcher code (from x86/switcher_32.S).
40063 - memcpy(switcher_vma->addr, start_switcher_text,
40064 + memcpy(switcher_vma->addr, ktla_ktva(start_switcher_text),
40065 end_switcher_text - start_switcher_text);
40067 printk(KERN_INFO "lguest: mapped switcher at %p\n",
40068 diff --git a/drivers/lguest/page_tables.c b/drivers/lguest/page_tables.c
40069 index 5b9ac32..2ef4f26 100644
40070 --- a/drivers/lguest/page_tables.c
40071 +++ b/drivers/lguest/page_tables.c
40072 @@ -559,7 +559,7 @@ void pin_page(struct lg_cpu *cpu, unsigned long vaddr)
40075 #ifdef CONFIG_X86_PAE
40076 -static void release_pmd(pmd_t *spmd)
40077 +static void __intentional_overflow(-1) release_pmd(pmd_t *spmd)
40079 /* If the entry's not present, there's nothing to release. */
40080 if (pmd_flags(*spmd) & _PAGE_PRESENT) {
40081 diff --git a/drivers/lguest/x86/core.c b/drivers/lguest/x86/core.c
40082 index f0a3347..f6608b2 100644
40083 --- a/drivers/lguest/x86/core.c
40084 +++ b/drivers/lguest/x86/core.c
40085 @@ -59,7 +59,7 @@ static struct {
40086 /* Offset from where switcher.S was compiled to where we've copied it */
40087 static unsigned long switcher_offset(void)
40089 - return switcher_addr - (unsigned long)start_switcher_text;
40090 + return switcher_addr - (unsigned long)ktla_ktva(start_switcher_text);
40093 /* This cpu's struct lguest_pages (after the Switcher text page) */
40094 @@ -99,7 +99,13 @@ static void copy_in_guest_info(struct lg_cpu *cpu, struct lguest_pages *pages)
40095 * These copies are pretty cheap, so we do them unconditionally: */
40096 /* Save the current Host top-level page directory.
40099 +#ifdef CONFIG_PAX_PER_CPU_PGD
40100 + pages->state.host_cr3 = read_cr3();
40102 pages->state.host_cr3 = __pa(current->mm->pgd);
40106 * Set up the Guest's page tables to see this CPU's pages (and no
40107 * other CPU's pages).
40108 @@ -475,7 +481,7 @@ void __init lguest_arch_host_init(void)
40109 * compiled-in switcher code and the high-mapped copy we just made.
40111 for (i = 0; i < IDT_ENTRIES; i++)
40112 - default_idt_entries[i] += switcher_offset();
40113 + default_idt_entries[i] = ktla_ktva(default_idt_entries[i]) + switcher_offset();
40116 * Set up the Switcher's per-cpu areas.
40117 @@ -558,7 +564,7 @@ void __init lguest_arch_host_init(void)
40118 * it will be undisturbed when we switch. To change %cs and jump we
40119 * need this structure to feed to Intel's "lcall" instruction.
40121 - lguest_entry.offset = (long)switch_to_guest + switcher_offset();
40122 + lguest_entry.offset = (long)ktla_ktva(switch_to_guest) + switcher_offset();
40123 lguest_entry.segment = LGUEST_CS;
40126 diff --git a/drivers/lguest/x86/switcher_32.S b/drivers/lguest/x86/switcher_32.S
40127 index 40634b0..4f5855e 100644
40128 --- a/drivers/lguest/x86/switcher_32.S
40129 +++ b/drivers/lguest/x86/switcher_32.S
40131 #include <asm/page.h>
40132 #include <asm/segment.h>
40133 #include <asm/lguest.h>
40134 +#include <asm/processor-flags.h>
40136 // We mark the start of the code to copy
40137 // It's placed in .text tho it's never run here
40138 @@ -149,6 +150,13 @@ ENTRY(switch_to_guest)
40139 // Changes type when we load it: damn Intel!
40140 // For after we switch over our page tables
40141 // That entry will be read-only: we'd crash.
40143 +#ifdef CONFIG_PAX_KERNEXEC
40145 + xor $X86_CR0_WP, %edx
40149 movl $(GDT_ENTRY_TSS*8), %edx
40152 @@ -157,9 +165,15 @@ ENTRY(switch_to_guest)
40153 // Let's clear it again for our return.
40154 // The GDT descriptor of the Host
40155 // Points to the table after two "size" bytes
40156 - movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %edx
40157 + movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %eax
40158 // Clear "used" from type field (byte 5, bit 2)
40159 - andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%edx)
40160 + andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%eax)
40162 +#ifdef CONFIG_PAX_KERNEXEC
40164 + xor $X86_CR0_WP, %eax
40168 // Once our page table's switched, the Guest is live!
40169 // The Host fades as we run this final step.
40170 @@ -295,13 +309,12 @@ deliver_to_host:
40171 // I consulted gcc, and it gave
40172 // These instructions, which I gladly credit:
40173 leal (%edx,%ebx,8), %eax
40174 - movzwl (%eax),%edx
40175 - movl 4(%eax), %eax
40178 + movl 4(%eax), %edx
40180 // Now the address of the handler's in %edx
40181 // We call it now: its "iret" drops us home.
40183 + ljmp $__KERNEL_CS, $1f
40186 // Every interrupt can come to us here
40187 // But we must truly tell each apart.
40188 diff --git a/drivers/md/bcache/closure.h b/drivers/md/bcache/closure.h
40189 index 0003992..854bbce 100644
40190 --- a/drivers/md/bcache/closure.h
40191 +++ b/drivers/md/bcache/closure.h
40192 @@ -622,7 +622,7 @@ static inline void closure_wake_up(struct closure_waitlist *list)
40193 static inline void set_closure_fn(struct closure *cl, closure_fn *fn,
40194 struct workqueue_struct *wq)
40196 - BUG_ON(object_is_on_stack(cl));
40197 + BUG_ON(object_starts_on_stack(cl));
40198 closure_set_ip(cl);
40201 diff --git a/drivers/md/bitmap.c b/drivers/md/bitmap.c
40202 index 5a2c754..0fa55db 100644
40203 --- a/drivers/md/bitmap.c
40204 +++ b/drivers/md/bitmap.c
40205 @@ -1779,7 +1779,7 @@ void bitmap_status(struct seq_file *seq, struct bitmap *bitmap)
40206 chunk_kb ? "KB" : "B");
40207 if (bitmap->storage.file) {
40208 seq_printf(seq, ", file: ");
40209 - seq_path(seq, &bitmap->storage.file->f_path, " \t\n");
40210 + seq_path(seq, &bitmap->storage.file->f_path, " \t\n\\");
40213 seq_printf(seq, "\n");
40214 diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
40215 index 81a79b7..87a0f73 100644
40216 --- a/drivers/md/dm-ioctl.c
40217 +++ b/drivers/md/dm-ioctl.c
40218 @@ -1697,7 +1697,7 @@ static int validate_params(uint cmd, struct dm_ioctl *param)
40219 cmd == DM_LIST_VERSIONS_CMD)
40222 - if ((cmd == DM_DEV_CREATE_CMD)) {
40223 + if (cmd == DM_DEV_CREATE_CMD) {
40224 if (!*param->name) {
40225 DMWARN("name not supplied when creating device");
40227 diff --git a/drivers/md/dm-raid1.c b/drivers/md/dm-raid1.c
40228 index 699b5be..eac0a15 100644
40229 --- a/drivers/md/dm-raid1.c
40230 +++ b/drivers/md/dm-raid1.c
40231 @@ -40,7 +40,7 @@ enum dm_raid1_error {
40234 struct mirror_set *ms;
40235 - atomic_t error_count;
40236 + atomic_unchecked_t error_count;
40237 unsigned long error_type;
40238 struct dm_dev *dev;
40240 @@ -186,7 +186,7 @@ static struct mirror *get_valid_mirror(struct mirror_set *ms)
40243 for (m = ms->mirror; m < ms->mirror + ms->nr_mirrors; m++)
40244 - if (!atomic_read(&m->error_count))
40245 + if (!atomic_read_unchecked(&m->error_count))
40249 @@ -218,7 +218,7 @@ static void fail_mirror(struct mirror *m, enum dm_raid1_error error_type)
40250 * simple way to tell if a device has encountered
40253 - atomic_inc(&m->error_count);
40254 + atomic_inc_unchecked(&m->error_count);
40256 if (test_and_set_bit(error_type, &m->error_type))
40258 @@ -409,7 +409,7 @@ static struct mirror *choose_mirror(struct mirror_set *ms, sector_t sector)
40259 struct mirror *m = get_default_mirror(ms);
40262 - if (likely(!atomic_read(&m->error_count)))
40263 + if (likely(!atomic_read_unchecked(&m->error_count)))
40266 if (m-- == ms->mirror)
40267 @@ -423,7 +423,7 @@ static int default_ok(struct mirror *m)
40269 struct mirror *default_mirror = get_default_mirror(m->ms);
40271 - return !atomic_read(&default_mirror->error_count);
40272 + return !atomic_read_unchecked(&default_mirror->error_count);
40275 static int mirror_available(struct mirror_set *ms, struct bio *bio)
40276 @@ -560,7 +560,7 @@ static void do_reads(struct mirror_set *ms, struct bio_list *reads)
40278 if (likely(region_in_sync(ms, region, 1)))
40279 m = choose_mirror(ms, bio->bi_sector);
40280 - else if (m && atomic_read(&m->error_count))
40281 + else if (m && atomic_read_unchecked(&m->error_count))
40285 @@ -927,7 +927,7 @@ static int get_mirror(struct mirror_set *ms, struct dm_target *ti,
40288 ms->mirror[mirror].ms = ms;
40289 - atomic_set(&(ms->mirror[mirror].error_count), 0);
40290 + atomic_set_unchecked(&(ms->mirror[mirror].error_count), 0);
40291 ms->mirror[mirror].error_type = 0;
40292 ms->mirror[mirror].offset = offset;
40294 @@ -1340,7 +1340,7 @@ static void mirror_resume(struct dm_target *ti)
40296 static char device_status_char(struct mirror *m)
40298 - if (!atomic_read(&(m->error_count)))
40299 + if (!atomic_read_unchecked(&(m->error_count)))
40302 return (test_bit(DM_RAID1_FLUSH_ERROR, &(m->error_type))) ? 'F' :
40303 diff --git a/drivers/md/dm-stripe.c b/drivers/md/dm-stripe.c
40304 index d907ca6..cfb8384 100644
40305 --- a/drivers/md/dm-stripe.c
40306 +++ b/drivers/md/dm-stripe.c
40307 @@ -20,7 +20,7 @@ struct stripe {
40308 struct dm_dev *dev;
40309 sector_t physical_start;
40311 - atomic_t error_count;
40312 + atomic_unchecked_t error_count;
40316 @@ -185,7 +185,7 @@ static int stripe_ctr(struct dm_target *ti, unsigned int argc, char **argv)
40320 - atomic_set(&(sc->stripe[i].error_count), 0);
40321 + atomic_set_unchecked(&(sc->stripe[i].error_count), 0);
40325 @@ -326,7 +326,7 @@ static void stripe_status(struct dm_target *ti, status_type_t type,
40326 DMEMIT("%d ", sc->stripes);
40327 for (i = 0; i < sc->stripes; i++) {
40328 DMEMIT("%s ", sc->stripe[i].dev->name);
40329 - buffer[i] = atomic_read(&(sc->stripe[i].error_count)) ?
40330 + buffer[i] = atomic_read_unchecked(&(sc->stripe[i].error_count)) ?
40334 @@ -371,8 +371,8 @@ static int stripe_end_io(struct dm_target *ti, struct bio *bio, int error)
40336 for (i = 0; i < sc->stripes; i++)
40337 if (!strcmp(sc->stripe[i].dev->name, major_minor)) {
40338 - atomic_inc(&(sc->stripe[i].error_count));
40339 - if (atomic_read(&(sc->stripe[i].error_count)) <
40340 + atomic_inc_unchecked(&(sc->stripe[i].error_count));
40341 + if (atomic_read_unchecked(&(sc->stripe[i].error_count)) <
40342 DM_IO_ERROR_THRESHOLD)
40343 schedule_work(&sc->trigger_event);
40345 diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c
40346 index 1ff252a..ee384c1 100644
40347 --- a/drivers/md/dm-table.c
40348 +++ b/drivers/md/dm-table.c
40349 @@ -389,7 +389,7 @@ static int device_area_is_invalid(struct dm_target *ti, struct dm_dev *dev,
40353 - if ((start >= dev_size) || (start + len > dev_size)) {
40354 + if ((start >= dev_size) || (len > dev_size - start)) {
40355 DMWARN("%s: %s too small for target: "
40356 "start=%llu, len=%llu, dev_size=%llu",
40357 dm_device_name(ti->table->md), bdevname(bdev, b),
40358 diff --git a/drivers/md/dm-thin-metadata.c b/drivers/md/dm-thin-metadata.c
40359 index 60bce43..9b997d0 100644
40360 --- a/drivers/md/dm-thin-metadata.c
40361 +++ b/drivers/md/dm-thin-metadata.c
40362 @@ -397,7 +397,7 @@ static void __setup_btree_details(struct dm_pool_metadata *pmd)
40364 pmd->info.tm = pmd->tm;
40365 pmd->info.levels = 2;
40366 - pmd->info.value_type.context = pmd->data_sm;
40367 + pmd->info.value_type.context = (dm_space_map_no_const *)pmd->data_sm;
40368 pmd->info.value_type.size = sizeof(__le64);
40369 pmd->info.value_type.inc = data_block_inc;
40370 pmd->info.value_type.dec = data_block_dec;
40371 @@ -416,7 +416,7 @@ static void __setup_btree_details(struct dm_pool_metadata *pmd)
40373 pmd->bl_info.tm = pmd->tm;
40374 pmd->bl_info.levels = 1;
40375 - pmd->bl_info.value_type.context = pmd->data_sm;
40376 + pmd->bl_info.value_type.context = (dm_space_map_no_const *)pmd->data_sm;
40377 pmd->bl_info.value_type.size = sizeof(__le64);
40378 pmd->bl_info.value_type.inc = data_block_inc;
40379 pmd->bl_info.value_type.dec = data_block_dec;
40380 diff --git a/drivers/md/dm.c b/drivers/md/dm.c
40381 index 33f2010..23fb84c 100644
40382 --- a/drivers/md/dm.c
40383 +++ b/drivers/md/dm.c
40384 @@ -169,9 +169,9 @@ struct mapped_device {
40388 - atomic_t event_nr;
40389 + atomic_unchecked_t event_nr;
40390 wait_queue_head_t eventq;
40391 - atomic_t uevent_seq;
40392 + atomic_unchecked_t uevent_seq;
40393 struct list_head uevent_list;
40394 spinlock_t uevent_lock; /* Protect access to uevent_list */
40396 @@ -1884,8 +1884,8 @@ static struct mapped_device *alloc_dev(int minor)
40397 rwlock_init(&md->map_lock);
40398 atomic_set(&md->holders, 1);
40399 atomic_set(&md->open_count, 0);
40400 - atomic_set(&md->event_nr, 0);
40401 - atomic_set(&md->uevent_seq, 0);
40402 + atomic_set_unchecked(&md->event_nr, 0);
40403 + atomic_set_unchecked(&md->uevent_seq, 0);
40404 INIT_LIST_HEAD(&md->uevent_list);
40405 spin_lock_init(&md->uevent_lock);
40407 @@ -2033,7 +2033,7 @@ static void event_callback(void *context)
40409 dm_send_uevents(&uevents, &disk_to_dev(md->disk)->kobj);
40411 - atomic_inc(&md->event_nr);
40412 + atomic_inc_unchecked(&md->event_nr);
40413 wake_up(&md->eventq);
40416 @@ -2690,18 +2690,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action,
40418 uint32_t dm_next_uevent_seq(struct mapped_device *md)
40420 - return atomic_add_return(1, &md->uevent_seq);
40421 + return atomic_add_return_unchecked(1, &md->uevent_seq);
40424 uint32_t dm_get_event_nr(struct mapped_device *md)
40426 - return atomic_read(&md->event_nr);
40427 + return atomic_read_unchecked(&md->event_nr);
40430 int dm_wait_event(struct mapped_device *md, int event_nr)
40432 return wait_event_interruptible(md->eventq,
40433 - (event_nr != atomic_read(&md->event_nr)));
40434 + (event_nr != atomic_read_unchecked(&md->event_nr)));
40437 void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
40438 diff --git a/drivers/md/md.c b/drivers/md/md.c
40439 index 51f0345..c77810e 100644
40440 --- a/drivers/md/md.c
40441 +++ b/drivers/md/md.c
40442 @@ -234,10 +234,10 @@ EXPORT_SYMBOL_GPL(md_trim_bio);
40443 * start build, activate spare
40445 static DECLARE_WAIT_QUEUE_HEAD(md_event_waiters);
40446 -static atomic_t md_event_count;
40447 +static atomic_unchecked_t md_event_count;
40448 void md_new_event(struct mddev *mddev)
40450 - atomic_inc(&md_event_count);
40451 + atomic_inc_unchecked(&md_event_count);
40452 wake_up(&md_event_waiters);
40454 EXPORT_SYMBOL_GPL(md_new_event);
40455 @@ -247,7 +247,7 @@ EXPORT_SYMBOL_GPL(md_new_event);
40457 static void md_new_event_inintr(struct mddev *mddev)
40459 - atomic_inc(&md_event_count);
40460 + atomic_inc_unchecked(&md_event_count);
40461 wake_up(&md_event_waiters);
40464 @@ -1501,7 +1501,7 @@ static int super_1_load(struct md_rdev *rdev, struct md_rdev *refdev, int minor_
40465 if ((le32_to_cpu(sb->feature_map) & MD_FEATURE_RESHAPE_ACTIVE) &&
40466 (le32_to_cpu(sb->feature_map) & MD_FEATURE_NEW_OFFSET))
40467 rdev->new_data_offset += (s32)le32_to_cpu(sb->new_offset);
40468 - atomic_set(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
40469 + atomic_set_unchecked(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
40471 rdev->sb_size = le32_to_cpu(sb->max_dev) * 2 + 256;
40472 bmask = queue_logical_block_size(rdev->bdev->bd_disk->queue)-1;
40473 @@ -1745,7 +1745,7 @@ static void super_1_sync(struct mddev *mddev, struct md_rdev *rdev)
40475 sb->resync_offset = cpu_to_le64(0);
40477 - sb->cnt_corrected_read = cpu_to_le32(atomic_read(&rdev->corrected_errors));
40478 + sb->cnt_corrected_read = cpu_to_le32(atomic_read_unchecked(&rdev->corrected_errors));
40480 sb->raid_disks = cpu_to_le32(mddev->raid_disks);
40481 sb->size = cpu_to_le64(mddev->dev_sectors);
40482 @@ -2750,7 +2750,7 @@ __ATTR(state, S_IRUGO|S_IWUSR, state_show, state_store);
40484 errors_show(struct md_rdev *rdev, char *page)
40486 - return sprintf(page, "%d\n", atomic_read(&rdev->corrected_errors));
40487 + return sprintf(page, "%d\n", atomic_read_unchecked(&rdev->corrected_errors));
40491 @@ -2759,7 +2759,7 @@ errors_store(struct md_rdev *rdev, const char *buf, size_t len)
40493 unsigned long n = simple_strtoul(buf, &e, 10);
40494 if (*buf && (*e == 0 || *e == '\n')) {
40495 - atomic_set(&rdev->corrected_errors, n);
40496 + atomic_set_unchecked(&rdev->corrected_errors, n);
40500 @@ -3207,8 +3207,8 @@ int md_rdev_init(struct md_rdev *rdev)
40501 rdev->sb_loaded = 0;
40502 rdev->bb_page = NULL;
40503 atomic_set(&rdev->nr_pending, 0);
40504 - atomic_set(&rdev->read_errors, 0);
40505 - atomic_set(&rdev->corrected_errors, 0);
40506 + atomic_set_unchecked(&rdev->read_errors, 0);
40507 + atomic_set_unchecked(&rdev->corrected_errors, 0);
40509 INIT_LIST_HEAD(&rdev->same_set);
40510 init_waitqueue_head(&rdev->blocked_wait);
40511 @@ -7009,7 +7009,7 @@ static int md_seq_show(struct seq_file *seq, void *v)
40513 spin_unlock(&pers_lock);
40514 seq_printf(seq, "\n");
40515 - seq->poll_event = atomic_read(&md_event_count);
40516 + seq->poll_event = atomic_read_unchecked(&md_event_count);
40519 if (v == (void*)2) {
40520 @@ -7112,7 +7112,7 @@ static int md_seq_open(struct inode *inode, struct file *file)
40523 seq = file->private_data;
40524 - seq->poll_event = atomic_read(&md_event_count);
40525 + seq->poll_event = atomic_read_unchecked(&md_event_count);
40529 @@ -7126,7 +7126,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait)
40530 /* always allow read */
40531 mask = POLLIN | POLLRDNORM;
40533 - if (seq->poll_event != atomic_read(&md_event_count))
40534 + if (seq->poll_event != atomic_read_unchecked(&md_event_count))
40535 mask |= POLLERR | POLLPRI;
40538 @@ -7170,7 +7170,7 @@ static int is_mddev_idle(struct mddev *mddev, int init)
40539 struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
40540 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
40541 (int)part_stat_read(&disk->part0, sectors[1]) -
40542 - atomic_read(&disk->sync_io);
40543 + atomic_read_unchecked(&disk->sync_io);
40544 /* sync IO will cause sync_io to increase before the disk_stats
40545 * as sync_io is counted when a request starts, and
40546 * disk_stats is counted when it completes.
40547 diff --git a/drivers/md/md.h b/drivers/md/md.h
40548 index 653f992b6..6af6c40 100644
40549 --- a/drivers/md/md.h
40550 +++ b/drivers/md/md.h
40551 @@ -94,13 +94,13 @@ struct md_rdev {
40552 * only maintained for arrays that
40553 * support hot removal
40555 - atomic_t read_errors; /* number of consecutive read errors that
40556 + atomic_unchecked_t read_errors; /* number of consecutive read errors that
40557 * we have tried to ignore.
40559 struct timespec last_read_error; /* monotonic time since our
40562 - atomic_t corrected_errors; /* number of corrected read errors,
40563 + atomic_unchecked_t corrected_errors; /* number of corrected read errors,
40564 * for reporting to userspace and storing
40567 @@ -434,7 +434,7 @@ static inline void rdev_dec_pending(struct md_rdev *rdev, struct mddev *mddev)
40569 static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
40571 - atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
40572 + atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
40575 struct md_personality
40576 diff --git a/drivers/md/persistent-data/dm-space-map.h b/drivers/md/persistent-data/dm-space-map.h
40577 index 3e6d115..ffecdeb 100644
40578 --- a/drivers/md/persistent-data/dm-space-map.h
40579 +++ b/drivers/md/persistent-data/dm-space-map.h
40580 @@ -71,6 +71,7 @@ struct dm_space_map {
40581 dm_sm_threshold_fn fn,
40584 +typedef struct dm_space_map __no_const dm_space_map_no_const;
40586 /*----------------------------------------------------------------*/
40588 diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
40589 index 6f48244..7d29145 100644
40590 --- a/drivers/md/raid1.c
40591 +++ b/drivers/md/raid1.c
40592 @@ -1822,7 +1822,7 @@ static int fix_sync_read_error(struct r1bio *r1_bio)
40593 if (r1_sync_page_io(rdev, sect, s,
40594 bio->bi_io_vec[idx].bv_page,
40596 - atomic_add(s, &rdev->corrected_errors);
40597 + atomic_add_unchecked(s, &rdev->corrected_errors);
40601 @@ -2049,7 +2049,7 @@ static void fix_read_error(struct r1conf *conf, int read_disk,
40602 test_bit(In_sync, &rdev->flags)) {
40603 if (r1_sync_page_io(rdev, sect, s,
40604 conf->tmppage, READ)) {
40605 - atomic_add(s, &rdev->corrected_errors);
40606 + atomic_add_unchecked(s, &rdev->corrected_errors);
40608 "md/raid1:%s: read error corrected "
40609 "(%d sectors at %llu on %s)\n",
40610 diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
40611 index 081bb33..3c4b287 100644
40612 --- a/drivers/md/raid10.c
40613 +++ b/drivers/md/raid10.c
40614 @@ -1940,7 +1940,7 @@ static void end_sync_read(struct bio *bio, int error)
40615 /* The write handler will notice the lack of
40616 * R10BIO_Uptodate and record any errors etc
40618 - atomic_add(r10_bio->sectors,
40619 + atomic_add_unchecked(r10_bio->sectors,
40620 &conf->mirrors[d].rdev->corrected_errors);
40622 /* for reconstruct, we always reschedule after a read.
40623 @@ -2298,7 +2298,7 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
40625 struct timespec cur_time_mon;
40626 unsigned long hours_since_last;
40627 - unsigned int read_errors = atomic_read(&rdev->read_errors);
40628 + unsigned int read_errors = atomic_read_unchecked(&rdev->read_errors);
40630 ktime_get_ts(&cur_time_mon);
40632 @@ -2320,9 +2320,9 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
40633 * overflowing the shift of read_errors by hours_since_last.
40635 if (hours_since_last >= 8 * sizeof(read_errors))
40636 - atomic_set(&rdev->read_errors, 0);
40637 + atomic_set_unchecked(&rdev->read_errors, 0);
40639 - atomic_set(&rdev->read_errors, read_errors >> hours_since_last);
40640 + atomic_set_unchecked(&rdev->read_errors, read_errors >> hours_since_last);
40643 static int r10_sync_page_io(struct md_rdev *rdev, sector_t sector,
40644 @@ -2376,8 +2376,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
40647 check_decay_read_errors(mddev, rdev);
40648 - atomic_inc(&rdev->read_errors);
40649 - if (atomic_read(&rdev->read_errors) > max_read_errors) {
40650 + atomic_inc_unchecked(&rdev->read_errors);
40651 + if (atomic_read_unchecked(&rdev->read_errors) > max_read_errors) {
40652 char b[BDEVNAME_SIZE];
40653 bdevname(rdev->bdev, b);
40655 @@ -2385,7 +2385,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
40656 "md/raid10:%s: %s: Raid device exceeded "
40657 "read_error threshold [cur %d:max %d]\n",
40659 - atomic_read(&rdev->read_errors), max_read_errors);
40660 + atomic_read_unchecked(&rdev->read_errors), max_read_errors);
40662 "md/raid10:%s: %s: Failing raid device\n",
40664 @@ -2540,7 +2540,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
40666 choose_data_offset(r10_bio, rdev)),
40667 bdevname(rdev->bdev, b));
40668 - atomic_add(s, &rdev->corrected_errors);
40669 + atomic_add_unchecked(s, &rdev->corrected_errors);
40672 rdev_dec_pending(rdev, mddev);
40673 diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
40674 index a35b846..e295c6d 100644
40675 --- a/drivers/md/raid5.c
40676 +++ b/drivers/md/raid5.c
40677 @@ -1764,21 +1764,21 @@ static void raid5_end_read_request(struct bio * bi, int error)
40678 mdname(conf->mddev), STRIPE_SECTORS,
40679 (unsigned long long)s,
40680 bdevname(rdev->bdev, b));
40681 - atomic_add(STRIPE_SECTORS, &rdev->corrected_errors);
40682 + atomic_add_unchecked(STRIPE_SECTORS, &rdev->corrected_errors);
40683 clear_bit(R5_ReadError, &sh->dev[i].flags);
40684 clear_bit(R5_ReWrite, &sh->dev[i].flags);
40685 } else if (test_bit(R5_ReadNoMerge, &sh->dev[i].flags))
40686 clear_bit(R5_ReadNoMerge, &sh->dev[i].flags);
40688 - if (atomic_read(&rdev->read_errors))
40689 - atomic_set(&rdev->read_errors, 0);
40690 + if (atomic_read_unchecked(&rdev->read_errors))
40691 + atomic_set_unchecked(&rdev->read_errors, 0);
40693 const char *bdn = bdevname(rdev->bdev, b);
40697 clear_bit(R5_UPTODATE, &sh->dev[i].flags);
40698 - atomic_inc(&rdev->read_errors);
40699 + atomic_inc_unchecked(&rdev->read_errors);
40700 if (test_bit(R5_ReadRepl, &sh->dev[i].flags))
40701 printk_ratelimited(
40703 @@ -1806,7 +1806,7 @@ static void raid5_end_read_request(struct bio * bi, int error)
40704 mdname(conf->mddev),
40705 (unsigned long long)s,
40707 - } else if (atomic_read(&rdev->read_errors)
40708 + } else if (atomic_read_unchecked(&rdev->read_errors)
40709 > conf->max_nr_stripes)
40710 printk(KERN_WARNING
40711 "md/raid:%s: Too many read errors, failing device %s.\n",
40712 diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c
40713 index 401ef64..836e563 100644
40714 --- a/drivers/media/dvb-core/dvbdev.c
40715 +++ b/drivers/media/dvb-core/dvbdev.c
40716 @@ -192,7 +192,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev,
40717 const struct dvb_device *template, void *priv, int type)
40719 struct dvb_device *dvbdev;
40720 - struct file_operations *dvbdevfops;
40721 + file_operations_no_const *dvbdevfops;
40722 struct device *clsdev;
40725 diff --git a/drivers/media/dvb-frontends/dib3000.h b/drivers/media/dvb-frontends/dib3000.h
40726 index 9b6c3bb..baeb5c7 100644
40727 --- a/drivers/media/dvb-frontends/dib3000.h
40728 +++ b/drivers/media/dvb-frontends/dib3000.h
40729 @@ -39,7 +39,7 @@ struct dib_fe_xfer_ops
40730 int (*fifo_ctrl)(struct dvb_frontend *fe, int onoff);
40731 int (*pid_ctrl)(struct dvb_frontend *fe, int index, int pid, int onoff);
40732 int (*tuner_pass_ctrl)(struct dvb_frontend *fe, int onoff, u8 pll_ctrl);
40736 #if IS_ENABLED(CONFIG_DVB_DIB3000MB)
40737 extern struct dvb_frontend* dib3000mb_attach(const struct dib3000_config* config,
40738 diff --git a/drivers/media/pci/cx88/cx88-video.c b/drivers/media/pci/cx88/cx88-video.c
40739 index c7a9be1..683f6f8 100644
40740 --- a/drivers/media/pci/cx88/cx88-video.c
40741 +++ b/drivers/media/pci/cx88/cx88-video.c
40742 @@ -50,9 +50,9 @@ MODULE_VERSION(CX88_VERSION);
40744 /* ------------------------------------------------------------------ */
40746 -static unsigned int video_nr[] = {[0 ... (CX88_MAXBOARDS - 1)] = UNSET };
40747 -static unsigned int vbi_nr[] = {[0 ... (CX88_MAXBOARDS - 1)] = UNSET };
40748 -static unsigned int radio_nr[] = {[0 ... (CX88_MAXBOARDS - 1)] = UNSET };
40749 +static int video_nr[] = {[0 ... (CX88_MAXBOARDS - 1)] = UNSET };
40750 +static int vbi_nr[] = {[0 ... (CX88_MAXBOARDS - 1)] = UNSET };
40751 +static int radio_nr[] = {[0 ... (CX88_MAXBOARDS - 1)] = UNSET };
40753 module_param_array(video_nr, int, NULL, 0444);
40754 module_param_array(vbi_nr, int, NULL, 0444);
40755 diff --git a/drivers/media/platform/omap/omap_vout.c b/drivers/media/platform/omap/omap_vout.c
40756 index d338b19..aae4f9e 100644
40757 --- a/drivers/media/platform/omap/omap_vout.c
40758 +++ b/drivers/media/platform/omap/omap_vout.c
40759 @@ -63,7 +63,6 @@ enum omap_vout_channels {
40763 -static struct videobuf_queue_ops video_vbq_ops;
40764 /* Variables configurable through module params*/
40765 static u32 video1_numbuffers = 3;
40766 static u32 video2_numbuffers = 3;
40767 @@ -1015,6 +1014,12 @@ static int omap_vout_open(struct file *file)
40769 struct videobuf_queue *q;
40770 struct omap_vout_device *vout = NULL;
40771 + static struct videobuf_queue_ops video_vbq_ops = {
40772 + .buf_setup = omap_vout_buffer_setup,
40773 + .buf_prepare = omap_vout_buffer_prepare,
40774 + .buf_release = omap_vout_buffer_release,
40775 + .buf_queue = omap_vout_buffer_queue,
40778 vout = video_drvdata(file);
40779 v4l2_dbg(1, debug, &vout->vid_dev->v4l2_dev, "Entering %s\n", __func__);
40780 @@ -1032,10 +1037,6 @@ static int omap_vout_open(struct file *file)
40781 vout->type = V4L2_BUF_TYPE_VIDEO_OUTPUT;
40784 - video_vbq_ops.buf_setup = omap_vout_buffer_setup;
40785 - video_vbq_ops.buf_prepare = omap_vout_buffer_prepare;
40786 - video_vbq_ops.buf_release = omap_vout_buffer_release;
40787 - video_vbq_ops.buf_queue = omap_vout_buffer_queue;
40788 spin_lock_init(&vout->vbq_lock);
40790 videobuf_queue_dma_contig_init(q, &video_vbq_ops, q->dev,
40791 diff --git a/drivers/media/platform/s5p-tv/mixer.h b/drivers/media/platform/s5p-tv/mixer.h
40792 index 04e6490..2df65bf 100644
40793 --- a/drivers/media/platform/s5p-tv/mixer.h
40794 +++ b/drivers/media/platform/s5p-tv/mixer.h
40795 @@ -156,7 +156,7 @@ struct mxr_layer {
40796 /** layer index (unique identifier) */
40798 /** callbacks for layer methods */
40799 - struct mxr_layer_ops ops;
40800 + struct mxr_layer_ops *ops;
40801 /** format array */
40802 const struct mxr_format **fmt_array;
40803 /** size of format array */
40804 diff --git a/drivers/media/platform/s5p-tv/mixer_grp_layer.c b/drivers/media/platform/s5p-tv/mixer_grp_layer.c
40805 index b93a21f..2535195 100644
40806 --- a/drivers/media/platform/s5p-tv/mixer_grp_layer.c
40807 +++ b/drivers/media/platform/s5p-tv/mixer_grp_layer.c
40808 @@ -235,7 +235,7 @@ struct mxr_layer *mxr_graph_layer_create(struct mxr_device *mdev, int idx)
40810 struct mxr_layer *layer;
40812 - struct mxr_layer_ops ops = {
40813 + static struct mxr_layer_ops ops = {
40814 .release = mxr_graph_layer_release,
40815 .buffer_set = mxr_graph_buffer_set,
40816 .stream_set = mxr_graph_stream_set,
40817 diff --git a/drivers/media/platform/s5p-tv/mixer_reg.c b/drivers/media/platform/s5p-tv/mixer_reg.c
40818 index b713403..53cb5ad 100644
40819 --- a/drivers/media/platform/s5p-tv/mixer_reg.c
40820 +++ b/drivers/media/platform/s5p-tv/mixer_reg.c
40821 @@ -276,7 +276,7 @@ static void mxr_irq_layer_handle(struct mxr_layer *layer)
40822 layer->update_buf = next;
40825 - layer->ops.buffer_set(layer, layer->update_buf);
40826 + layer->ops->buffer_set(layer, layer->update_buf);
40828 if (done && done != layer->shadow_buf)
40829 vb2_buffer_done(&done->vb, VB2_BUF_STATE_DONE);
40830 diff --git a/drivers/media/platform/s5p-tv/mixer_video.c b/drivers/media/platform/s5p-tv/mixer_video.c
40831 index ef0efdf..8c78eb6 100644
40832 --- a/drivers/media/platform/s5p-tv/mixer_video.c
40833 +++ b/drivers/media/platform/s5p-tv/mixer_video.c
40834 @@ -209,7 +209,7 @@ static void mxr_layer_default_geo(struct mxr_layer *layer)
40835 layer->geo.src.height = layer->geo.src.full_height;
40837 mxr_geometry_dump(mdev, &layer->geo);
40838 - layer->ops.fix_geometry(layer, MXR_GEOMETRY_SINK, 0);
40839 + layer->ops->fix_geometry(layer, MXR_GEOMETRY_SINK, 0);
40840 mxr_geometry_dump(mdev, &layer->geo);
40843 @@ -227,7 +227,7 @@ static void mxr_layer_update_output(struct mxr_layer *layer)
40844 layer->geo.dst.full_width = mbus_fmt.width;
40845 layer->geo.dst.full_height = mbus_fmt.height;
40846 layer->geo.dst.field = mbus_fmt.field;
40847 - layer->ops.fix_geometry(layer, MXR_GEOMETRY_SINK, 0);
40848 + layer->ops->fix_geometry(layer, MXR_GEOMETRY_SINK, 0);
40850 mxr_geometry_dump(mdev, &layer->geo);
40852 @@ -333,7 +333,7 @@ static int mxr_s_fmt(struct file *file, void *priv,
40853 /* set source size to highest accepted value */
40854 geo->src.full_width = max(geo->dst.full_width, pix->width);
40855 geo->src.full_height = max(geo->dst.full_height, pix->height);
40856 - layer->ops.fix_geometry(layer, MXR_GEOMETRY_SOURCE, 0);
40857 + layer->ops->fix_geometry(layer, MXR_GEOMETRY_SOURCE, 0);
40858 mxr_geometry_dump(mdev, &layer->geo);
40859 /* set cropping to total visible screen */
40860 geo->src.width = pix->width;
40861 @@ -341,12 +341,12 @@ static int mxr_s_fmt(struct file *file, void *priv,
40862 geo->src.x_offset = 0;
40863 geo->src.y_offset = 0;
40864 /* assure consistency of geometry */
40865 - layer->ops.fix_geometry(layer, MXR_GEOMETRY_CROP, MXR_NO_OFFSET);
40866 + layer->ops->fix_geometry(layer, MXR_GEOMETRY_CROP, MXR_NO_OFFSET);
40867 mxr_geometry_dump(mdev, &layer->geo);
40868 /* set full size to lowest possible value */
40869 geo->src.full_width = 0;
40870 geo->src.full_height = 0;
40871 - layer->ops.fix_geometry(layer, MXR_GEOMETRY_SOURCE, 0);
40872 + layer->ops->fix_geometry(layer, MXR_GEOMETRY_SOURCE, 0);
40873 mxr_geometry_dump(mdev, &layer->geo);
40875 /* returning results */
40876 @@ -473,7 +473,7 @@ static int mxr_s_selection(struct file *file, void *fh,
40877 target->width = s->r.width;
40878 target->height = s->r.height;
40880 - layer->ops.fix_geometry(layer, stage, s->flags);
40881 + layer->ops->fix_geometry(layer, stage, s->flags);
40883 /* retrieve update selection rectangle */
40884 res.left = target->x_offset;
40885 @@ -954,13 +954,13 @@ static int start_streaming(struct vb2_queue *vq, unsigned int count)
40886 mxr_output_get(mdev);
40888 mxr_layer_update_output(layer);
40889 - layer->ops.format_set(layer);
40890 + layer->ops->format_set(layer);
40891 /* enabling layer in hardware */
40892 spin_lock_irqsave(&layer->enq_slock, flags);
40893 layer->state = MXR_LAYER_STREAMING;
40894 spin_unlock_irqrestore(&layer->enq_slock, flags);
40896 - layer->ops.stream_set(layer, MXR_ENABLE);
40897 + layer->ops->stream_set(layer, MXR_ENABLE);
40898 mxr_streamer_get(mdev);
40901 @@ -1030,7 +1030,7 @@ static int stop_streaming(struct vb2_queue *vq)
40902 spin_unlock_irqrestore(&layer->enq_slock, flags);
40904 /* disabling layer in hardware */
40905 - layer->ops.stream_set(layer, MXR_DISABLE);
40906 + layer->ops->stream_set(layer, MXR_DISABLE);
40907 /* remove one streamer */
40908 mxr_streamer_put(mdev);
40909 /* allow changes in output configuration */
40910 @@ -1069,8 +1069,8 @@ void mxr_base_layer_unregister(struct mxr_layer *layer)
40912 void mxr_layer_release(struct mxr_layer *layer)
40914 - if (layer->ops.release)
40915 - layer->ops.release(layer);
40916 + if (layer->ops->release)
40917 + layer->ops->release(layer);
40920 void mxr_base_layer_release(struct mxr_layer *layer)
40921 @@ -1096,7 +1096,7 @@ struct mxr_layer *mxr_base_layer_create(struct mxr_device *mdev,
40923 layer->mdev = mdev;
40925 - layer->ops = *ops;
40926 + layer->ops = ops;
40928 spin_lock_init(&layer->enq_slock);
40929 INIT_LIST_HEAD(&layer->enq_list);
40930 diff --git a/drivers/media/platform/s5p-tv/mixer_vp_layer.c b/drivers/media/platform/s5p-tv/mixer_vp_layer.c
40931 index 3d13a63..da31bf1 100644
40932 --- a/drivers/media/platform/s5p-tv/mixer_vp_layer.c
40933 +++ b/drivers/media/platform/s5p-tv/mixer_vp_layer.c
40934 @@ -206,7 +206,7 @@ struct mxr_layer *mxr_vp_layer_create(struct mxr_device *mdev, int idx)
40936 struct mxr_layer *layer;
40938 - struct mxr_layer_ops ops = {
40939 + static struct mxr_layer_ops ops = {
40940 .release = mxr_vp_layer_release,
40941 .buffer_set = mxr_vp_buffer_set,
40942 .stream_set = mxr_vp_stream_set,
40943 diff --git a/drivers/media/radio/radio-cadet.c b/drivers/media/radio/radio-cadet.c
40944 index 545c04c..a14bded 100644
40945 --- a/drivers/media/radio/radio-cadet.c
40946 +++ b/drivers/media/radio/radio-cadet.c
40947 @@ -324,6 +324,8 @@ static ssize_t cadet_read(struct file *file, char __user *data, size_t count, lo
40948 unsigned char readbuf[RDS_BUFFER];
40951 + if (count > RDS_BUFFER)
40953 mutex_lock(&dev->lock);
40954 if (dev->rdsstat == 0)
40955 cadet_start_rds(dev);
40956 @@ -339,7 +341,7 @@ static ssize_t cadet_read(struct file *file, char __user *data, size_t count, lo
40957 while (i < count && dev->rdsin != dev->rdsout)
40958 readbuf[i++] = dev->rdsbuf[dev->rdsout++];
40960 - if (i && copy_to_user(data, readbuf, i))
40961 + if (i > sizeof(readbuf) || copy_to_user(data, readbuf, i))
40964 mutex_unlock(&dev->lock);
40965 diff --git a/drivers/media/usb/dvb-usb/cxusb.c b/drivers/media/usb/dvb-usb/cxusb.c
40966 index 3940bb0..fb3952a 100644
40967 --- a/drivers/media/usb/dvb-usb/cxusb.c
40968 +++ b/drivers/media/usb/dvb-usb/cxusb.c
40969 @@ -1068,7 +1068,7 @@ static struct dib0070_config dib7070p_dib0070_config = {
40971 struct dib0700_adapter_state {
40972 int (*set_param_save) (struct dvb_frontend *);
40976 static int dib7070_set_param_override(struct dvb_frontend *fe)
40978 diff --git a/drivers/media/usb/dvb-usb/dw2102.c b/drivers/media/usb/dvb-usb/dw2102.c
40979 index 6e237b6..dc25556 100644
40980 --- a/drivers/media/usb/dvb-usb/dw2102.c
40981 +++ b/drivers/media/usb/dvb-usb/dw2102.c
40982 @@ -118,7 +118,7 @@ struct su3000_state {
40984 struct s6x0_state {
40985 int (*old_set_voltage)(struct dvb_frontend *f, fe_sec_voltage_t v);
40990 static int dvb_usb_dw2102_debug;
40991 diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
40992 index f129551..ecf6514 100644
40993 --- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
40994 +++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
40995 @@ -326,7 +326,7 @@ struct v4l2_buffer32 {
40999 -static int get_v4l2_plane32(struct v4l2_plane *up, struct v4l2_plane32 *up32,
41000 +static int get_v4l2_plane32(struct v4l2_plane __user *up, struct v4l2_plane32 __user *up32,
41001 enum v4l2_memory memory)
41003 void __user *up_pln;
41004 @@ -355,7 +355,7 @@ static int get_v4l2_plane32(struct v4l2_plane *up, struct v4l2_plane32 *up32,
41008 -static int put_v4l2_plane32(struct v4l2_plane *up, struct v4l2_plane32 *up32,
41009 +static int put_v4l2_plane32(struct v4l2_plane __user *up, struct v4l2_plane32 __user *up32,
41010 enum v4l2_memory memory)
41012 if (copy_in_user(up32, up, 2 * sizeof(__u32)) ||
41013 @@ -772,7 +772,7 @@ static int put_v4l2_subdev_edid32(struct v4l2_subdev_edid *kp, struct v4l2_subde
41014 put_user(kp->start_block, &up->start_block) ||
41015 put_user(kp->blocks, &up->blocks) ||
41016 put_user(tmp, &up->edid) ||
41017 - copy_to_user(kp->reserved, up->reserved, sizeof(kp->reserved)))
41018 + copy_to_user(up->reserved, kp->reserved, sizeof(kp->reserved)))
41022 diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c
41023 index 7658586..1079260 100644
41024 --- a/drivers/media/v4l2-core/v4l2-ioctl.c
41025 +++ b/drivers/media/v4l2-core/v4l2-ioctl.c
41026 @@ -1995,7 +1995,8 @@ struct v4l2_ioctl_info {
41027 struct file *file, void *fh, void *p);
41029 void (*debug)(const void *arg, bool write_only);
41032 +typedef struct v4l2_ioctl_info __no_const v4l2_ioctl_info_no_const;
41034 /* This control needs a priority check */
41035 #define INFO_FL_PRIO (1 << 0)
41036 @@ -2177,7 +2178,7 @@ static long __video_do_ioctl(struct file *file,
41037 struct video_device *vfd = video_devdata(file);
41038 const struct v4l2_ioctl_ops *ops = vfd->ioctl_ops;
41039 bool write_only = false;
41040 - struct v4l2_ioctl_info default_info;
41041 + v4l2_ioctl_info_no_const default_info;
41042 const struct v4l2_ioctl_info *info;
41043 void *fh = file->private_data;
41044 struct v4l2_fh *vfh = NULL;
41045 @@ -2251,7 +2252,7 @@ done:
41048 static int check_array_args(unsigned int cmd, void *parg, size_t *array_size,
41049 - void * __user *user_ptr, void ***kernel_ptr)
41050 + void __user **user_ptr, void ***kernel_ptr)
41054 @@ -2267,7 +2268,7 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size,
41058 - *user_ptr = (void __user *)buf->m.planes;
41059 + *user_ptr = (void __force_user *)buf->m.planes;
41060 *kernel_ptr = (void *)&buf->m.planes;
41061 *array_size = sizeof(struct v4l2_plane) * buf->length;
41063 @@ -2302,7 +2303,7 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size,
41067 - *user_ptr = (void __user *)ctrls->controls;
41068 + *user_ptr = (void __force_user *)ctrls->controls;
41069 *kernel_ptr = (void *)&ctrls->controls;
41070 *array_size = sizeof(struct v4l2_ext_control)
41072 diff --git a/drivers/message/fusion/mptbase.c b/drivers/message/fusion/mptbase.c
41073 index 767ff4d..c69d259 100644
41074 --- a/drivers/message/fusion/mptbase.c
41075 +++ b/drivers/message/fusion/mptbase.c
41076 @@ -6755,8 +6755,13 @@ static int mpt_iocinfo_proc_show(struct seq_file *m, void *v)
41077 seq_printf(m, " MaxChainDepth = 0x%02x frames\n", ioc->facts.MaxChainDepth);
41078 seq_printf(m, " MinBlockSize = 0x%02x bytes\n", 4*ioc->facts.BlockSize);
41080 +#ifdef CONFIG_GRKERNSEC_HIDESYM
41081 + seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n", NULL, NULL);
41083 seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
41084 (void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma);
41088 * Rounding UP to nearest 4-kB boundary here...
41090 @@ -6769,7 +6774,11 @@ static int mpt_iocinfo_proc_show(struct seq_file *m, void *v)
41091 ioc->facts.GlobalCredits);
41093 seq_printf(m, " Frames @ 0x%p (Dma @ 0x%p)\n",
41094 +#ifdef CONFIG_GRKERNSEC_HIDESYM
41097 (void *)ioc->alloc, (void *)(ulong)ioc->alloc_dma);
41099 sz = (ioc->reply_sz * ioc->reply_depth) + 128;
41100 seq_printf(m, " {CurRepSz=%d} x {CurRepDepth=%d} = %d bytes ^= 0x%x\n",
41101 ioc->reply_sz, ioc->reply_depth, ioc->reply_sz*ioc->reply_depth, sz);
41102 diff --git a/drivers/message/fusion/mptsas.c b/drivers/message/fusion/mptsas.c
41103 index dd239bd..689c4f7 100644
41104 --- a/drivers/message/fusion/mptsas.c
41105 +++ b/drivers/message/fusion/mptsas.c
41106 @@ -446,6 +446,23 @@ mptsas_is_end_device(struct mptsas_devinfo * attached)
41110 +static inline void
41111 +mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
41113 + if (phy_info->port_details) {
41114 + phy_info->port_details->rphy = rphy;
41115 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
41116 + ioc->name, rphy));
41120 + dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
41121 + &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
41122 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
41123 + ioc->name, rphy, rphy->dev.release));
41129 mptsas_port_delete(MPT_ADAPTER *ioc, struct mptsas_portinfo_details * port_details)
41130 @@ -484,23 +501,6 @@ mptsas_get_rphy(struct mptsas_phyinfo *phy_info)
41134 -static inline void
41135 -mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
41137 - if (phy_info->port_details) {
41138 - phy_info->port_details->rphy = rphy;
41139 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
41140 - ioc->name, rphy));
41144 - dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
41145 - &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
41146 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
41147 - ioc->name, rphy, rphy->dev.release));
41151 static inline struct sas_port *
41152 mptsas_get_port(struct mptsas_phyinfo *phy_info)
41154 diff --git a/drivers/message/fusion/mptscsih.c b/drivers/message/fusion/mptscsih.c
41155 index 727819c..ad74694 100644
41156 --- a/drivers/message/fusion/mptscsih.c
41157 +++ b/drivers/message/fusion/mptscsih.c
41158 @@ -1271,15 +1271,16 @@ mptscsih_info(struct Scsi_Host *SChost)
41160 h = shost_priv(SChost);
41163 - if (h->info_kbuf == NULL)
41164 - if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
41165 - return h->info_kbuf;
41166 - h->info_kbuf[0] = '\0';
41170 - mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
41171 - h->info_kbuf[size-1] = '\0';
41173 + if (h->info_kbuf == NULL)
41174 + if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
41175 + return h->info_kbuf;
41176 + h->info_kbuf[0] = '\0';
41178 + mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
41179 + h->info_kbuf[size-1] = '\0';
41181 return h->info_kbuf;
41183 diff --git a/drivers/message/i2o/i2o_proc.c b/drivers/message/i2o/i2o_proc.c
41184 index b7d87cd..9890039 100644
41185 --- a/drivers/message/i2o/i2o_proc.c
41186 +++ b/drivers/message/i2o/i2o_proc.c
41187 @@ -255,12 +255,6 @@ static char *scsi_devices[] = {
41188 "Array Controller Device"
41191 -static char *chtostr(char *tmp, u8 *chars, int n)
41194 - return strncat(tmp, (char *)chars, n);
41197 static int i2o_report_query_status(struct seq_file *seq, int block_status,
41200 @@ -790,7 +784,6 @@ static int i2o_seq_show_ddm_table(struct seq_file *seq, void *v)
41203 i2o_exec_execute_ddm_table ddm_table;
41204 - char tmp[28 + 1];
41206 result = kmalloc(sizeof(*result), GFP_KERNEL);
41208 @@ -825,8 +818,7 @@ static int i2o_seq_show_ddm_table(struct seq_file *seq, void *v)
41210 seq_printf(seq, "%-#7x", ddm_table.i2o_vendor_id);
41211 seq_printf(seq, "%-#8x", ddm_table.module_id);
41212 - seq_printf(seq, "%-29s",
41213 - chtostr(tmp, ddm_table.module_name_version, 28));
41214 + seq_printf(seq, "%-.28s", ddm_table.module_name_version);
41215 seq_printf(seq, "%9d ", ddm_table.data_size);
41216 seq_printf(seq, "%8d", ddm_table.code_size);
41218 @@ -893,7 +885,6 @@ static int i2o_seq_show_drivers_stored(struct seq_file *seq, void *v)
41220 i2o_driver_result_table *result;
41221 i2o_driver_store_table *dst;
41222 - char tmp[28 + 1];
41224 result = kmalloc(sizeof(i2o_driver_result_table), GFP_KERNEL);
41225 if (result == NULL)
41226 @@ -928,9 +919,8 @@ static int i2o_seq_show_drivers_stored(struct seq_file *seq, void *v)
41228 seq_printf(seq, "%-#7x", dst->i2o_vendor_id);
41229 seq_printf(seq, "%-#8x", dst->module_id);
41230 - seq_printf(seq, "%-29s",
41231 - chtostr(tmp, dst->module_name_version, 28));
41232 - seq_printf(seq, "%-9s", chtostr(tmp, dst->date, 8));
41233 + seq_printf(seq, "%-.28s", dst->module_name_version);
41234 + seq_printf(seq, "%-.8s", dst->date);
41235 seq_printf(seq, "%8d ", dst->module_size);
41236 seq_printf(seq, "%8d ", dst->mpb_size);
41237 seq_printf(seq, "0x%04x", dst->module_flags);
41238 @@ -1250,7 +1240,6 @@ static int i2o_seq_show_dev_identity(struct seq_file *seq, void *v)
41239 // == (allow) 512d bytes (max)
41240 static u16 *work16 = (u16 *) work32;
41242 - char tmp[16 + 1];
41244 token = i2o_parm_field_get(d, 0xF100, -1, &work32, sizeof(work32));
41246 @@ -1262,14 +1251,10 @@ static int i2o_seq_show_dev_identity(struct seq_file *seq, void *v)
41247 seq_printf(seq, "Device Class : %s\n", i2o_get_class_name(work16[0]));
41248 seq_printf(seq, "Owner TID : %0#5x\n", work16[2]);
41249 seq_printf(seq, "Parent TID : %0#5x\n", work16[3]);
41250 - seq_printf(seq, "Vendor info : %s\n",
41251 - chtostr(tmp, (u8 *) (work32 + 2), 16));
41252 - seq_printf(seq, "Product info : %s\n",
41253 - chtostr(tmp, (u8 *) (work32 + 6), 16));
41254 - seq_printf(seq, "Description : %s\n",
41255 - chtostr(tmp, (u8 *) (work32 + 10), 16));
41256 - seq_printf(seq, "Product rev. : %s\n",
41257 - chtostr(tmp, (u8 *) (work32 + 14), 8));
41258 + seq_printf(seq, "Vendor info : %.16s\n", (u8 *) (work32 + 2));
41259 + seq_printf(seq, "Product info : %.16s\n", (u8 *) (work32 + 6));
41260 + seq_printf(seq, "Description : %.16s\n", (u8 *) (work32 + 10));
41261 + seq_printf(seq, "Product rev. : %.8s\n", (u8 *) (work32 + 14));
41263 seq_printf(seq, "Serial number : ");
41264 print_serial_number(seq, (u8 *) (work32 + 16),
41265 @@ -1306,8 +1291,6 @@ static int i2o_seq_show_ddm_identity(struct seq_file *seq, void *v)
41266 u8 pad[256]; // allow up to 256 byte (max) serial number
41269 - char tmp[24 + 1];
41271 token = i2o_parm_field_get(d, 0xF101, -1, &result, sizeof(result));
41274 @@ -1316,10 +1299,8 @@ static int i2o_seq_show_ddm_identity(struct seq_file *seq, void *v)
41277 seq_printf(seq, "Registering DDM TID : 0x%03x\n", result.ddm_tid);
41278 - seq_printf(seq, "Module name : %s\n",
41279 - chtostr(tmp, result.module_name, 24));
41280 - seq_printf(seq, "Module revision : %s\n",
41281 - chtostr(tmp, result.module_rev, 8));
41282 + seq_printf(seq, "Module name : %.24s\n", result.module_name);
41283 + seq_printf(seq, "Module revision : %.8s\n", result.module_rev);
41285 seq_printf(seq, "Serial number : ");
41286 print_serial_number(seq, result.serial_number, sizeof(result) - 36);
41287 @@ -1343,8 +1324,6 @@ static int i2o_seq_show_uinfo(struct seq_file *seq, void *v)
41288 u8 instance_number[4];
41291 - char tmp[64 + 1];
41293 token = i2o_parm_field_get(d, 0xF102, -1, &result, sizeof(result));
41296 @@ -1352,14 +1331,10 @@ static int i2o_seq_show_uinfo(struct seq_file *seq, void *v)
41300 - seq_printf(seq, "Device name : %s\n",
41301 - chtostr(tmp, result.device_name, 64));
41302 - seq_printf(seq, "Service name : %s\n",
41303 - chtostr(tmp, result.service_name, 64));
41304 - seq_printf(seq, "Physical name : %s\n",
41305 - chtostr(tmp, result.physical_location, 64));
41306 - seq_printf(seq, "Instance number : %s\n",
41307 - chtostr(tmp, result.instance_number, 4));
41308 + seq_printf(seq, "Device name : %.64s\n", result.device_name);
41309 + seq_printf(seq, "Service name : %.64s\n", result.service_name);
41310 + seq_printf(seq, "Physical name : %.64s\n", result.physical_location);
41311 + seq_printf(seq, "Instance number : %.4s\n", result.instance_number);
41315 diff --git a/drivers/message/i2o/iop.c b/drivers/message/i2o/iop.c
41316 index a8c08f3..155fe3d 100644
41317 --- a/drivers/message/i2o/iop.c
41318 +++ b/drivers/message/i2o/iop.c
41319 @@ -111,10 +111,10 @@ u32 i2o_cntxt_list_add(struct i2o_controller * c, void *ptr)
41321 spin_lock_irqsave(&c->context_list_lock, flags);
41323 - if (unlikely(atomic_inc_and_test(&c->context_list_counter)))
41324 - atomic_inc(&c->context_list_counter);
41325 + if (unlikely(atomic_inc_and_test_unchecked(&c->context_list_counter)))
41326 + atomic_inc_unchecked(&c->context_list_counter);
41328 - entry->context = atomic_read(&c->context_list_counter);
41329 + entry->context = atomic_read_unchecked(&c->context_list_counter);
41331 list_add(&entry->list, &c->context_list);
41333 @@ -1077,7 +1077,7 @@ struct i2o_controller *i2o_iop_alloc(void)
41335 #if BITS_PER_LONG == 64
41336 spin_lock_init(&c->context_list_lock);
41337 - atomic_set(&c->context_list_counter, 0);
41338 + atomic_set_unchecked(&c->context_list_counter, 0);
41339 INIT_LIST_HEAD(&c->context_list);
41342 diff --git a/drivers/mfd/janz-cmodio.c b/drivers/mfd/janz-cmodio.c
41343 index 45ece11..8efa218 100644
41344 --- a/drivers/mfd/janz-cmodio.c
41345 +++ b/drivers/mfd/janz-cmodio.c
41348 #include <linux/kernel.h>
41349 #include <linux/module.h>
41350 +#include <linux/slab.h>
41351 #include <linux/init.h>
41352 #include <linux/pci.h>
41353 #include <linux/interrupt.h>
41354 diff --git a/drivers/mfd/twl4030-irq.c b/drivers/mfd/twl4030-irq.c
41355 index a5f9888..1c0ed56 100644
41356 --- a/drivers/mfd/twl4030-irq.c
41357 +++ b/drivers/mfd/twl4030-irq.c
41359 #include <linux/of.h>
41360 #include <linux/irqdomain.h>
41361 #include <linux/i2c/twl.h>
41362 +#include <asm/pgtable.h>
41364 #include "twl-core.h"
41366 @@ -728,10 +729,12 @@ int twl4030_init_irq(struct device *dev, int irq_num)
41367 * Install an irq handler for each of the SIH modules;
41368 * clone dummy irq_chip since PIH can't *do* anything
41370 - twl4030_irq_chip = dummy_irq_chip;
41371 - twl4030_irq_chip.name = "twl4030";
41372 + pax_open_kernel();
41373 + memcpy((void *)&twl4030_irq_chip, &dummy_irq_chip, sizeof twl4030_irq_chip);
41374 + *(const char **)&twl4030_irq_chip.name = "twl4030";
41376 - twl4030_sih_irq_chip.irq_ack = dummy_irq_chip.irq_ack;
41377 + *(void **)&twl4030_sih_irq_chip.irq_ack = dummy_irq_chip.irq_ack;
41378 + pax_close_kernel();
41380 for (i = irq_base; i < irq_end; i++) {
41381 irq_set_chip_and_handler(i, &twl4030_irq_chip,
41382 diff --git a/drivers/mfd/twl6030-irq.c b/drivers/mfd/twl6030-irq.c
41383 index 277a8db..0e0b754 100644
41384 --- a/drivers/mfd/twl6030-irq.c
41385 +++ b/drivers/mfd/twl6030-irq.c
41386 @@ -387,10 +387,12 @@ int twl6030_init_irq(struct device *dev, int irq_num)
41387 * install an irq handler for each of the modules;
41388 * clone dummy irq_chip since PIH can't *do* anything
41390 - twl6030_irq_chip = dummy_irq_chip;
41391 - twl6030_irq_chip.name = "twl6030";
41392 - twl6030_irq_chip.irq_set_type = NULL;
41393 - twl6030_irq_chip.irq_set_wake = twl6030_irq_set_wake;
41394 + pax_open_kernel();
41395 + memcpy((void *)&twl6030_irq_chip, &dummy_irq_chip, sizeof twl6030_irq_chip);
41396 + *(const char **)&twl6030_irq_chip.name = "twl6030";
41397 + *(void **)&twl6030_irq_chip.irq_set_type = NULL;
41398 + *(void **)&twl6030_irq_chip.irq_set_wake = twl6030_irq_set_wake;
41399 + pax_close_kernel();
41401 for (i = irq_base; i < irq_end; i++) {
41402 irq_set_chip_and_handler(i, &twl6030_irq_chip,
41403 diff --git a/drivers/misc/c2port/core.c b/drivers/misc/c2port/core.c
41404 index f32550a..e3e52a2 100644
41405 --- a/drivers/misc/c2port/core.c
41406 +++ b/drivers/misc/c2port/core.c
41407 @@ -920,7 +920,9 @@ struct c2port_device *c2port_device_register(char *name,
41408 mutex_init(&c2dev->mutex);
41410 /* Create binary file */
41411 - c2port_bin_attrs.size = ops->blocks_num * ops->block_size;
41412 + pax_open_kernel();
41413 + *(size_t *)&c2port_bin_attrs.size = ops->blocks_num * ops->block_size;
41414 + pax_close_kernel();
41415 ret = device_create_bin_file(c2dev->dev, &c2port_bin_attrs);
41417 goto error_device_create_bin_file;
41418 diff --git a/drivers/misc/kgdbts.c b/drivers/misc/kgdbts.c
41419 index 36f5d52..32311c3 100644
41420 --- a/drivers/misc/kgdbts.c
41421 +++ b/drivers/misc/kgdbts.c
41422 @@ -834,7 +834,7 @@ static void run_plant_and_detach_test(int is_early)
41423 char before[BREAK_INSTR_SIZE];
41424 char after[BREAK_INSTR_SIZE];
41426 - probe_kernel_read(before, (char *)kgdbts_break_test,
41427 + probe_kernel_read(before, ktla_ktva((char *)kgdbts_break_test),
41429 init_simple_test();
41430 ts.tst = plant_and_detach_test;
41431 @@ -842,7 +842,7 @@ static void run_plant_and_detach_test(int is_early)
41432 /* Activate test with initial breakpoint */
41435 - probe_kernel_read(after, (char *)kgdbts_break_test,
41436 + probe_kernel_read(after, ktla_ktva((char *)kgdbts_break_test),
41438 if (memcmp(before, after, BREAK_INSTR_SIZE)) {
41439 printk(KERN_CRIT "kgdbts: ERROR kgdb corrupted memory\n");
41440 diff --git a/drivers/misc/lis3lv02d/lis3lv02d.c b/drivers/misc/lis3lv02d/lis3lv02d.c
41441 index 4cd4a3d..b48cbc7 100644
41442 --- a/drivers/misc/lis3lv02d/lis3lv02d.c
41443 +++ b/drivers/misc/lis3lv02d/lis3lv02d.c
41444 @@ -498,7 +498,7 @@ static irqreturn_t lis302dl_interrupt(int irq, void *data)
41445 * the lid is closed. This leads to interrupts as soon as a little move
41448 - atomic_inc(&lis3->count);
41449 + atomic_inc_unchecked(&lis3->count);
41451 wake_up_interruptible(&lis3->misc_wait);
41452 kill_fasync(&lis3->async_queue, SIGIO, POLL_IN);
41453 @@ -584,7 +584,7 @@ static int lis3lv02d_misc_open(struct inode *inode, struct file *file)
41455 pm_runtime_get_sync(lis3->pm_dev);
41457 - atomic_set(&lis3->count, 0);
41458 + atomic_set_unchecked(&lis3->count, 0);
41462 @@ -616,7 +616,7 @@ static ssize_t lis3lv02d_misc_read(struct file *file, char __user *buf,
41463 add_wait_queue(&lis3->misc_wait, &wait);
41465 set_current_state(TASK_INTERRUPTIBLE);
41466 - data = atomic_xchg(&lis3->count, 0);
41467 + data = atomic_xchg_unchecked(&lis3->count, 0);
41471 @@ -657,7 +657,7 @@ static unsigned int lis3lv02d_misc_poll(struct file *file, poll_table *wait)
41472 struct lis3lv02d, miscdev);
41474 poll_wait(file, &lis3->misc_wait, wait);
41475 - if (atomic_read(&lis3->count))
41476 + if (atomic_read_unchecked(&lis3->count))
41477 return POLLIN | POLLRDNORM;
41480 diff --git a/drivers/misc/lis3lv02d/lis3lv02d.h b/drivers/misc/lis3lv02d/lis3lv02d.h
41481 index c439c82..1f20f57 100644
41482 --- a/drivers/misc/lis3lv02d/lis3lv02d.h
41483 +++ b/drivers/misc/lis3lv02d/lis3lv02d.h
41484 @@ -297,7 +297,7 @@ struct lis3lv02d {
41485 struct input_polled_dev *idev; /* input device */
41486 struct platform_device *pdev; /* platform device */
41487 struct regulator_bulk_data regulators[2];
41488 - atomic_t count; /* interrupt count after last read */
41489 + atomic_unchecked_t count; /* interrupt count after last read */
41490 union axis_conversion ac; /* hw -> logical axis */
41491 int mapped_btns[3];
41493 diff --git a/drivers/misc/sgi-gru/gruhandles.c b/drivers/misc/sgi-gru/gruhandles.c
41494 index 2f30bad..c4c13d0 100644
41495 --- a/drivers/misc/sgi-gru/gruhandles.c
41496 +++ b/drivers/misc/sgi-gru/gruhandles.c
41497 @@ -44,8 +44,8 @@ static void update_mcs_stats(enum mcs_op op, unsigned long clks)
41498 unsigned long nsec;
41500 nsec = CLKS2NSEC(clks);
41501 - atomic_long_inc(&mcs_op_statistics[op].count);
41502 - atomic_long_add(nsec, &mcs_op_statistics[op].total);
41503 + atomic_long_inc_unchecked(&mcs_op_statistics[op].count);
41504 + atomic_long_add_unchecked(nsec, &mcs_op_statistics[op].total);
41505 if (mcs_op_statistics[op].max < nsec)
41506 mcs_op_statistics[op].max = nsec;
41508 diff --git a/drivers/misc/sgi-gru/gruprocfs.c b/drivers/misc/sgi-gru/gruprocfs.c
41509 index 797d796..ae8f01e 100644
41510 --- a/drivers/misc/sgi-gru/gruprocfs.c
41511 +++ b/drivers/misc/sgi-gru/gruprocfs.c
41514 #define printstat(s, f) printstat_val(s, &gru_stats.f, #f)
41516 -static void printstat_val(struct seq_file *s, atomic_long_t *v, char *id)
41517 +static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, char *id)
41519 - unsigned long val = atomic_long_read(v);
41520 + unsigned long val = atomic_long_read_unchecked(v);
41522 seq_printf(s, "%16lu %s\n", val, id);
41524 @@ -134,8 +134,8 @@ static int mcs_statistics_show(struct seq_file *s, void *p)
41526 seq_printf(s, "%-20s%12s%12s%12s\n", "#id", "count", "aver-clks", "max-clks");
41527 for (op = 0; op < mcsop_last; op++) {
41528 - count = atomic_long_read(&mcs_op_statistics[op].count);
41529 - total = atomic_long_read(&mcs_op_statistics[op].total);
41530 + count = atomic_long_read_unchecked(&mcs_op_statistics[op].count);
41531 + total = atomic_long_read_unchecked(&mcs_op_statistics[op].total);
41532 max = mcs_op_statistics[op].max;
41533 seq_printf(s, "%-20s%12ld%12ld%12ld\n", id[op], count,
41534 count ? total / count : 0, max);
41535 diff --git a/drivers/misc/sgi-gru/grutables.h b/drivers/misc/sgi-gru/grutables.h
41536 index 5c3ce24..4915ccb 100644
41537 --- a/drivers/misc/sgi-gru/grutables.h
41538 +++ b/drivers/misc/sgi-gru/grutables.h
41539 @@ -167,82 +167,82 @@ extern unsigned int gru_max_gids;
41542 struct gru_stats_s {
41543 - atomic_long_t vdata_alloc;
41544 - atomic_long_t vdata_free;
41545 - atomic_long_t gts_alloc;
41546 - atomic_long_t gts_free;
41547 - atomic_long_t gms_alloc;
41548 - atomic_long_t gms_free;
41549 - atomic_long_t gts_double_allocate;
41550 - atomic_long_t assign_context;
41551 - atomic_long_t assign_context_failed;
41552 - atomic_long_t free_context;
41553 - atomic_long_t load_user_context;
41554 - atomic_long_t load_kernel_context;
41555 - atomic_long_t lock_kernel_context;
41556 - atomic_long_t unlock_kernel_context;
41557 - atomic_long_t steal_user_context;
41558 - atomic_long_t steal_kernel_context;
41559 - atomic_long_t steal_context_failed;
41560 - atomic_long_t nopfn;
41561 - atomic_long_t asid_new;
41562 - atomic_long_t asid_next;
41563 - atomic_long_t asid_wrap;
41564 - atomic_long_t asid_reuse;
41565 - atomic_long_t intr;
41566 - atomic_long_t intr_cbr;
41567 - atomic_long_t intr_tfh;
41568 - atomic_long_t intr_spurious;
41569 - atomic_long_t intr_mm_lock_failed;
41570 - atomic_long_t call_os;
41571 - atomic_long_t call_os_wait_queue;
41572 - atomic_long_t user_flush_tlb;
41573 - atomic_long_t user_unload_context;
41574 - atomic_long_t user_exception;
41575 - atomic_long_t set_context_option;
41576 - atomic_long_t check_context_retarget_intr;
41577 - atomic_long_t check_context_unload;
41578 - atomic_long_t tlb_dropin;
41579 - atomic_long_t tlb_preload_page;
41580 - atomic_long_t tlb_dropin_fail_no_asid;
41581 - atomic_long_t tlb_dropin_fail_upm;
41582 - atomic_long_t tlb_dropin_fail_invalid;
41583 - atomic_long_t tlb_dropin_fail_range_active;
41584 - atomic_long_t tlb_dropin_fail_idle;
41585 - atomic_long_t tlb_dropin_fail_fmm;
41586 - atomic_long_t tlb_dropin_fail_no_exception;
41587 - atomic_long_t tfh_stale_on_fault;
41588 - atomic_long_t mmu_invalidate_range;
41589 - atomic_long_t mmu_invalidate_page;
41590 - atomic_long_t flush_tlb;
41591 - atomic_long_t flush_tlb_gru;
41592 - atomic_long_t flush_tlb_gru_tgh;
41593 - atomic_long_t flush_tlb_gru_zero_asid;
41594 + atomic_long_unchecked_t vdata_alloc;
41595 + atomic_long_unchecked_t vdata_free;
41596 + atomic_long_unchecked_t gts_alloc;
41597 + atomic_long_unchecked_t gts_free;
41598 + atomic_long_unchecked_t gms_alloc;
41599 + atomic_long_unchecked_t gms_free;
41600 + atomic_long_unchecked_t gts_double_allocate;
41601 + atomic_long_unchecked_t assign_context;
41602 + atomic_long_unchecked_t assign_context_failed;
41603 + atomic_long_unchecked_t free_context;
41604 + atomic_long_unchecked_t load_user_context;
41605 + atomic_long_unchecked_t load_kernel_context;
41606 + atomic_long_unchecked_t lock_kernel_context;
41607 + atomic_long_unchecked_t unlock_kernel_context;
41608 + atomic_long_unchecked_t steal_user_context;
41609 + atomic_long_unchecked_t steal_kernel_context;
41610 + atomic_long_unchecked_t steal_context_failed;
41611 + atomic_long_unchecked_t nopfn;
41612 + atomic_long_unchecked_t asid_new;
41613 + atomic_long_unchecked_t asid_next;
41614 + atomic_long_unchecked_t asid_wrap;
41615 + atomic_long_unchecked_t asid_reuse;
41616 + atomic_long_unchecked_t intr;
41617 + atomic_long_unchecked_t intr_cbr;
41618 + atomic_long_unchecked_t intr_tfh;
41619 + atomic_long_unchecked_t intr_spurious;
41620 + atomic_long_unchecked_t intr_mm_lock_failed;
41621 + atomic_long_unchecked_t call_os;
41622 + atomic_long_unchecked_t call_os_wait_queue;
41623 + atomic_long_unchecked_t user_flush_tlb;
41624 + atomic_long_unchecked_t user_unload_context;
41625 + atomic_long_unchecked_t user_exception;
41626 + atomic_long_unchecked_t set_context_option;
41627 + atomic_long_unchecked_t check_context_retarget_intr;
41628 + atomic_long_unchecked_t check_context_unload;
41629 + atomic_long_unchecked_t tlb_dropin;
41630 + atomic_long_unchecked_t tlb_preload_page;
41631 + atomic_long_unchecked_t tlb_dropin_fail_no_asid;
41632 + atomic_long_unchecked_t tlb_dropin_fail_upm;
41633 + atomic_long_unchecked_t tlb_dropin_fail_invalid;
41634 + atomic_long_unchecked_t tlb_dropin_fail_range_active;
41635 + atomic_long_unchecked_t tlb_dropin_fail_idle;
41636 + atomic_long_unchecked_t tlb_dropin_fail_fmm;
41637 + atomic_long_unchecked_t tlb_dropin_fail_no_exception;
41638 + atomic_long_unchecked_t tfh_stale_on_fault;
41639 + atomic_long_unchecked_t mmu_invalidate_range;
41640 + atomic_long_unchecked_t mmu_invalidate_page;
41641 + atomic_long_unchecked_t flush_tlb;
41642 + atomic_long_unchecked_t flush_tlb_gru;
41643 + atomic_long_unchecked_t flush_tlb_gru_tgh;
41644 + atomic_long_unchecked_t flush_tlb_gru_zero_asid;
41646 - atomic_long_t copy_gpa;
41647 - atomic_long_t read_gpa;
41648 + atomic_long_unchecked_t copy_gpa;
41649 + atomic_long_unchecked_t read_gpa;
41651 - atomic_long_t mesq_receive;
41652 - atomic_long_t mesq_receive_none;
41653 - atomic_long_t mesq_send;
41654 - atomic_long_t mesq_send_failed;
41655 - atomic_long_t mesq_noop;
41656 - atomic_long_t mesq_send_unexpected_error;
41657 - atomic_long_t mesq_send_lb_overflow;
41658 - atomic_long_t mesq_send_qlimit_reached;
41659 - atomic_long_t mesq_send_amo_nacked;
41660 - atomic_long_t mesq_send_put_nacked;
41661 - atomic_long_t mesq_page_overflow;
41662 - atomic_long_t mesq_qf_locked;
41663 - atomic_long_t mesq_qf_noop_not_full;
41664 - atomic_long_t mesq_qf_switch_head_failed;
41665 - atomic_long_t mesq_qf_unexpected_error;
41666 - atomic_long_t mesq_noop_unexpected_error;
41667 - atomic_long_t mesq_noop_lb_overflow;
41668 - atomic_long_t mesq_noop_qlimit_reached;
41669 - atomic_long_t mesq_noop_amo_nacked;
41670 - atomic_long_t mesq_noop_put_nacked;
41671 - atomic_long_t mesq_noop_page_overflow;
41672 + atomic_long_unchecked_t mesq_receive;
41673 + atomic_long_unchecked_t mesq_receive_none;
41674 + atomic_long_unchecked_t mesq_send;
41675 + atomic_long_unchecked_t mesq_send_failed;
41676 + atomic_long_unchecked_t mesq_noop;
41677 + atomic_long_unchecked_t mesq_send_unexpected_error;
41678 + atomic_long_unchecked_t mesq_send_lb_overflow;
41679 + atomic_long_unchecked_t mesq_send_qlimit_reached;
41680 + atomic_long_unchecked_t mesq_send_amo_nacked;
41681 + atomic_long_unchecked_t mesq_send_put_nacked;
41682 + atomic_long_unchecked_t mesq_page_overflow;
41683 + atomic_long_unchecked_t mesq_qf_locked;
41684 + atomic_long_unchecked_t mesq_qf_noop_not_full;
41685 + atomic_long_unchecked_t mesq_qf_switch_head_failed;
41686 + atomic_long_unchecked_t mesq_qf_unexpected_error;
41687 + atomic_long_unchecked_t mesq_noop_unexpected_error;
41688 + atomic_long_unchecked_t mesq_noop_lb_overflow;
41689 + atomic_long_unchecked_t mesq_noop_qlimit_reached;
41690 + atomic_long_unchecked_t mesq_noop_amo_nacked;
41691 + atomic_long_unchecked_t mesq_noop_put_nacked;
41692 + atomic_long_unchecked_t mesq_noop_page_overflow;
41696 @@ -251,8 +251,8 @@ enum mcs_op {cchop_allocate, cchop_start, cchop_interrupt, cchop_interrupt_sync,
41697 tghop_invalidate, mcsop_last};
41699 struct mcs_op_statistic {
41700 - atomic_long_t count;
41701 - atomic_long_t total;
41702 + atomic_long_unchecked_t count;
41703 + atomic_long_unchecked_t total;
41707 @@ -275,7 +275,7 @@ extern struct mcs_op_statistic mcs_op_statistics[mcsop_last];
41709 #define STAT(id) do { \
41710 if (gru_options & OPT_STATS) \
41711 - atomic_long_inc(&gru_stats.id); \
41712 + atomic_long_inc_unchecked(&gru_stats.id); \
41715 #ifdef CONFIG_SGI_GRU_DEBUG
41716 diff --git a/drivers/misc/sgi-xp/xp.h b/drivers/misc/sgi-xp/xp.h
41717 index c862cd4..0d176fe 100644
41718 --- a/drivers/misc/sgi-xp/xp.h
41719 +++ b/drivers/misc/sgi-xp/xp.h
41720 @@ -288,7 +288,7 @@ struct xpc_interface {
41721 xpc_notify_func, void *);
41722 void (*received) (short, int, void *);
41723 enum xp_retval (*partid_to_nasids) (short, void *);
41727 extern struct xpc_interface xpc_interface;
41729 diff --git a/drivers/misc/sgi-xp/xpc.h b/drivers/misc/sgi-xp/xpc.h
41730 index b94d5f7..7f494c5 100644
41731 --- a/drivers/misc/sgi-xp/xpc.h
41732 +++ b/drivers/misc/sgi-xp/xpc.h
41733 @@ -835,6 +835,7 @@ struct xpc_arch_operations {
41734 void (*received_payload) (struct xpc_channel *, void *);
41735 void (*notify_senders_of_disconnect) (struct xpc_channel *);
41737 +typedef struct xpc_arch_operations __no_const xpc_arch_operations_no_const;
41739 /* struct xpc_partition act_state values (for XPC HB) */
41741 @@ -876,7 +877,7 @@ extern struct xpc_registration xpc_registrations[];
41742 /* found in xpc_main.c */
41743 extern struct device *xpc_part;
41744 extern struct device *xpc_chan;
41745 -extern struct xpc_arch_operations xpc_arch_ops;
41746 +extern xpc_arch_operations_no_const xpc_arch_ops;
41747 extern int xpc_disengage_timelimit;
41748 extern int xpc_disengage_timedout;
41749 extern int xpc_activate_IRQ_rcvd;
41750 diff --git a/drivers/misc/sgi-xp/xpc_main.c b/drivers/misc/sgi-xp/xpc_main.c
41751 index d971817..33bdca5 100644
41752 --- a/drivers/misc/sgi-xp/xpc_main.c
41753 +++ b/drivers/misc/sgi-xp/xpc_main.c
41754 @@ -166,7 +166,7 @@ static struct notifier_block xpc_die_notifier = {
41755 .notifier_call = xpc_system_die,
41758 -struct xpc_arch_operations xpc_arch_ops;
41759 +xpc_arch_operations_no_const xpc_arch_ops;
41762 * Timer function to enforce the timelimit on the partition disengage.
41763 @@ -1210,7 +1210,7 @@ xpc_system_die(struct notifier_block *nb, unsigned long event, void *_die_args)
41765 if (((die_args->trapnr == X86_TRAP_MF) ||
41766 (die_args->trapnr == X86_TRAP_XF)) &&
41767 - !user_mode_vm(die_args->regs))
41768 + !user_mode(die_args->regs))
41769 xpc_die_deactivate();
41772 diff --git a/drivers/mmc/core/mmc_ops.c b/drivers/mmc/core/mmc_ops.c
41773 index 49f04bc..65660c2 100644
41774 --- a/drivers/mmc/core/mmc_ops.c
41775 +++ b/drivers/mmc/core/mmc_ops.c
41776 @@ -247,7 +247,7 @@ mmc_send_cxd_data(struct mmc_card *card, struct mmc_host *host,
41780 - is_on_stack = object_is_on_stack(buf);
41781 + is_on_stack = object_starts_on_stack(buf);
41784 * dma onto stack is unsafe/nonportable, but callers to this
41785 diff --git a/drivers/mmc/host/dw_mmc.h b/drivers/mmc/host/dw_mmc.h
41786 index 0b74189..818358f 100644
41787 --- a/drivers/mmc/host/dw_mmc.h
41788 +++ b/drivers/mmc/host/dw_mmc.h
41789 @@ -202,5 +202,5 @@ struct dw_mci_drv_data {
41790 void (*prepare_command)(struct dw_mci *host, u32 *cmdr);
41791 void (*set_ios)(struct dw_mci *host, struct mmc_ios *ios);
41792 int (*parse_dt)(struct dw_mci *host);
41795 #endif /* _DW_MMC_H_ */
41796 diff --git a/drivers/mmc/host/sdhci-s3c.c b/drivers/mmc/host/sdhci-s3c.c
41797 index c6f6246..60760a8 100644
41798 --- a/drivers/mmc/host/sdhci-s3c.c
41799 +++ b/drivers/mmc/host/sdhci-s3c.c
41800 @@ -664,9 +664,11 @@ static int sdhci_s3c_probe(struct platform_device *pdev)
41801 * we can use overriding functions instead of default.
41803 if (host->quirks & SDHCI_QUIRK_NONSTANDARD_CLOCK) {
41804 - sdhci_s3c_ops.set_clock = sdhci_cmu_set_clock;
41805 - sdhci_s3c_ops.get_min_clock = sdhci_cmu_get_min_clock;
41806 - sdhci_s3c_ops.get_max_clock = sdhci_cmu_get_max_clock;
41807 + pax_open_kernel();
41808 + *(void **)&sdhci_s3c_ops.set_clock = sdhci_cmu_set_clock;
41809 + *(void **)&sdhci_s3c_ops.get_min_clock = sdhci_cmu_get_min_clock;
41810 + *(void **)&sdhci_s3c_ops.get_max_clock = sdhci_cmu_get_max_clock;
41811 + pax_close_kernel();
41814 /* It supports additional host capabilities if needed */
41815 diff --git a/drivers/mtd/nand/denali.c b/drivers/mtd/nand/denali.c
41816 index 0c8bb6b..6f35deb 100644
41817 --- a/drivers/mtd/nand/denali.c
41818 +++ b/drivers/mtd/nand/denali.c
41820 #include <linux/slab.h>
41821 #include <linux/mtd/mtd.h>
41822 #include <linux/module.h>
41823 +#include <linux/slab.h>
41825 #include "denali.h"
41827 diff --git a/drivers/mtd/nftlmount.c b/drivers/mtd/nftlmount.c
41828 index 51b9d6a..52af9a7 100644
41829 --- a/drivers/mtd/nftlmount.c
41830 +++ b/drivers/mtd/nftlmount.c
41832 #include <asm/errno.h>
41833 #include <linux/delay.h>
41834 #include <linux/slab.h>
41835 +#include <linux/sched.h>
41836 #include <linux/mtd/mtd.h>
41837 #include <linux/mtd/nand.h>
41838 #include <linux/mtd/nftl.h>
41839 diff --git a/drivers/mtd/sm_ftl.c b/drivers/mtd/sm_ftl.c
41840 index f9d5615..99dd95f 100644
41841 --- a/drivers/mtd/sm_ftl.c
41842 +++ b/drivers/mtd/sm_ftl.c
41843 @@ -56,7 +56,7 @@ ssize_t sm_attr_show(struct device *dev, struct device_attribute *attr,
41844 #define SM_CIS_VENDOR_OFFSET 0x59
41845 struct attribute_group *sm_create_sysfs_attributes(struct sm_ftl *ftl)
41847 - struct attribute_group *attr_group;
41848 + attribute_group_no_const *attr_group;
41849 struct attribute **attributes;
41850 struct sm_sysfs_attribute *vendor_attribute;
41852 diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
41853 index f975696..4597e21 100644
41854 --- a/drivers/net/bonding/bond_main.c
41855 +++ b/drivers/net/bonding/bond_main.c
41856 @@ -4870,7 +4870,7 @@ static unsigned int bond_get_num_tx_queues(void)
41860 -static struct rtnl_link_ops bond_link_ops __read_mostly = {
41861 +static struct rtnl_link_ops bond_link_ops = {
41863 .priv_size = sizeof(struct bonding),
41864 .setup = bond_setup,
41865 @@ -4995,8 +4995,8 @@ static void __exit bonding_exit(void)
41867 bond_destroy_debugfs();
41869 - rtnl_link_unregister(&bond_link_ops);
41870 unregister_pernet_subsys(&bond_net_ops);
41871 + rtnl_link_unregister(&bond_link_ops);
41873 #ifdef CONFIG_NET_POLL_CONTROLLER
41875 diff --git a/drivers/net/ethernet/8390/ax88796.c b/drivers/net/ethernet/8390/ax88796.c
41876 index e1d2643..7f4133b 100644
41877 --- a/drivers/net/ethernet/8390/ax88796.c
41878 +++ b/drivers/net/ethernet/8390/ax88796.c
41879 @@ -872,9 +872,11 @@ static int ax_probe(struct platform_device *pdev)
41880 if (ax->plat->reg_offsets)
41881 ei_local->reg_offset = ax->plat->reg_offsets;
41883 + resource_size_t _mem_size = mem_size;
41884 + do_div(_mem_size, 0x18);
41885 ei_local->reg_offset = ax->reg_offsets;
41886 for (ret = 0; ret < 0x18; ret++)
41887 - ax->reg_offsets[ret] = (mem_size / 0x18) * ret;
41888 + ax->reg_offsets[ret] = _mem_size * ret;
41891 if (!request_mem_region(mem->start, mem_size, pdev->name)) {
41892 diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h
41893 index 151675d..0139a9d 100644
41894 --- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h
41895 +++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h
41896 @@ -1112,7 +1112,7 @@ static inline u8 bnx2x_get_path_func_num(struct bnx2x *bp)
41897 static inline void bnx2x_init_bp_objs(struct bnx2x *bp)
41899 /* RX_MODE controlling object */
41900 - bnx2x_init_rx_mode_obj(bp, &bp->rx_mode_obj);
41901 + bnx2x_init_rx_mode_obj(bp);
41903 /* multicast configuration controlling object */
41904 bnx2x_init_mcast_obj(bp, &bp->mcast_obj, bp->fp->cl_id, bp->fp->cid,
41905 diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c
41906 index ce1a916..10b52b0 100644
41907 --- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c
41908 +++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c
41909 @@ -960,6 +960,9 @@ static int bnx2x_set_dump(struct net_device *dev, struct ethtool_dump *val)
41910 struct bnx2x *bp = netdev_priv(dev);
41912 /* Use the ethtool_dump "flag" field as the dump preset index */
41913 + if (val->flag < 1 || val->flag > DUMP_MAX_PRESETS)
41916 bp->dump_preset_idx = val->flag;
41919 @@ -986,8 +989,6 @@ static int bnx2x_get_dump_data(struct net_device *dev,
41920 struct bnx2x *bp = netdev_priv(dev);
41921 struct dump_header dump_hdr = {0};
41923 - memset(p, 0, dump->len);
41925 /* Disable parity attentions as long as following dump may
41926 * cause false alarms by reading never written registers. We
41927 * will re-enable parity attentions right after the dump.
41928 diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
41929 index b4c9dea..2a9927f 100644
41930 --- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
41931 +++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
41932 @@ -11497,6 +11497,8 @@ static int bnx2x_init_bp(struct bnx2x *bp)
41933 bp->min_msix_vec_cnt = 2;
41934 BNX2X_DEV_INFO("bp->min_msix_vec_cnt %d", bp->min_msix_vec_cnt);
41936 + bp->dump_preset_idx = 1;
41941 diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c
41942 index 32a9609..0b1c53a 100644
41943 --- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c
41944 +++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c
41945 @@ -2387,15 +2387,14 @@ int bnx2x_config_rx_mode(struct bnx2x *bp,
41949 -void bnx2x_init_rx_mode_obj(struct bnx2x *bp,
41950 - struct bnx2x_rx_mode_obj *o)
41951 +void bnx2x_init_rx_mode_obj(struct bnx2x *bp)
41953 if (CHIP_IS_E1x(bp)) {
41954 - o->wait_comp = bnx2x_empty_rx_mode_wait;
41955 - o->config_rx_mode = bnx2x_set_rx_mode_e1x;
41956 + bp->rx_mode_obj.wait_comp = bnx2x_empty_rx_mode_wait;
41957 + bp->rx_mode_obj.config_rx_mode = bnx2x_set_rx_mode_e1x;
41959 - o->wait_comp = bnx2x_wait_rx_mode_comp_e2;
41960 - o->config_rx_mode = bnx2x_set_rx_mode_e2;
41961 + bp->rx_mode_obj.wait_comp = bnx2x_wait_rx_mode_comp_e2;
41962 + bp->rx_mode_obj.config_rx_mode = bnx2x_set_rx_mode_e2;
41966 diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h
41967 index 43c00bc..dd1d03d 100644
41968 --- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h
41969 +++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h
41970 @@ -1321,8 +1321,7 @@ int bnx2x_vlan_mac_move(struct bnx2x *bp,
41972 /********************* RX MODE ****************/
41974 -void bnx2x_init_rx_mode_obj(struct bnx2x *bp,
41975 - struct bnx2x_rx_mode_obj *o);
41976 +void bnx2x_init_rx_mode_obj(struct bnx2x *bp);
41979 * bnx2x_config_rx_mode - Send and RX_MODE ramrod according to the provided parameters.
41980 diff --git a/drivers/net/ethernet/broadcom/tg3.h b/drivers/net/ethernet/broadcom/tg3.h
41981 index ff6e30e..87e8452 100644
41982 --- a/drivers/net/ethernet/broadcom/tg3.h
41983 +++ b/drivers/net/ethernet/broadcom/tg3.h
41984 @@ -147,6 +147,7 @@
41985 #define CHIPREV_ID_5750_A0 0x4000
41986 #define CHIPREV_ID_5750_A1 0x4001
41987 #define CHIPREV_ID_5750_A3 0x4003
41988 +#define CHIPREV_ID_5750_C1 0x4201
41989 #define CHIPREV_ID_5750_C2 0x4202
41990 #define CHIPREV_ID_5752_A0_HW 0x5000
41991 #define CHIPREV_ID_5752_A0 0x6000
41992 diff --git a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
41993 index 71497e8..b650951 100644
41994 --- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
41995 +++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
41996 @@ -3037,7 +3037,9 @@ static void t3_io_resume(struct pci_dev *pdev)
41997 CH_ALERT(adapter, "adapter recovering, PEX ERR 0x%x\n",
41998 t3_read_reg(adapter, A_PCIE_PEX_ERR));
42001 t3_resume_ports(adapter);
42005 static const struct pci_error_handlers t3_err_handler = {
42006 diff --git a/drivers/net/ethernet/chelsio/cxgb3/l2t.h b/drivers/net/ethernet/chelsio/cxgb3/l2t.h
42007 index 8cffcdf..aadf043 100644
42008 --- a/drivers/net/ethernet/chelsio/cxgb3/l2t.h
42009 +++ b/drivers/net/ethernet/chelsio/cxgb3/l2t.h
42010 @@ -87,7 +87,7 @@ typedef void (*arp_failure_handler_func)(struct t3cdev * dev,
42012 struct l2t_skb_cb {
42013 arp_failure_handler_func arp_failure_handler;
42017 #define L2T_SKB_CB(skb) ((struct l2t_skb_cb *)(skb)->cb)
42019 diff --git a/drivers/net/ethernet/dec/tulip/de4x5.c b/drivers/net/ethernet/dec/tulip/de4x5.c
42020 index 4c83003..2a2a5b9 100644
42021 --- a/drivers/net/ethernet/dec/tulip/de4x5.c
42022 +++ b/drivers/net/ethernet/dec/tulip/de4x5.c
42023 @@ -5388,7 +5388,7 @@ de4x5_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
42024 for (i=0; i<ETH_ALEN; i++) {
42025 tmp.addr[i] = dev->dev_addr[i];
42027 - if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
42028 + if (ioc->len > sizeof tmp.addr || copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
42031 case DE4X5_SET_HWADDR: /* Set the hardware address */
42032 @@ -5428,7 +5428,7 @@ de4x5_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
42033 spin_lock_irqsave(&lp->lock, flags);
42034 memcpy(&statbuf, &lp->pktStats, ioc->len);
42035 spin_unlock_irqrestore(&lp->lock, flags);
42036 - if (copy_to_user(ioc->data, &statbuf, ioc->len))
42037 + if (ioc->len > sizeof statbuf || copy_to_user(ioc->data, &statbuf, ioc->len))
42041 diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c
42042 index 6e43426..1bd8365 100644
42043 --- a/drivers/net/ethernet/emulex/benet/be_main.c
42044 +++ b/drivers/net/ethernet/emulex/benet/be_main.c
42045 @@ -469,7 +469,7 @@ static void accumulate_16bit_val(u32 *acc, u16 val)
42049 - ACCESS_ONCE(*acc) = newacc;
42050 + ACCESS_ONCE_RW(*acc) = newacc;
42053 void populate_erx_stats(struct be_adapter *adapter,
42054 diff --git a/drivers/net/ethernet/faraday/ftgmac100.c b/drivers/net/ethernet/faraday/ftgmac100.c
42055 index 21b85fb..b49e5fc 100644
42056 --- a/drivers/net/ethernet/faraday/ftgmac100.c
42057 +++ b/drivers/net/ethernet/faraday/ftgmac100.c
42059 #include <linux/netdevice.h>
42060 #include <linux/phy.h>
42061 #include <linux/platform_device.h>
42062 +#include <linux/interrupt.h>
42063 +#include <linux/irqreturn.h>
42064 #include <net/ip.h>
42066 #include "ftgmac100.h"
42067 diff --git a/drivers/net/ethernet/faraday/ftmac100.c b/drivers/net/ethernet/faraday/ftmac100.c
42068 index a6eda8d..935d273 100644
42069 --- a/drivers/net/ethernet/faraday/ftmac100.c
42070 +++ b/drivers/net/ethernet/faraday/ftmac100.c
42072 #include <linux/module.h>
42073 #include <linux/netdevice.h>
42074 #include <linux/platform_device.h>
42075 +#include <linux/interrupt.h>
42076 +#include <linux/irqreturn.h>
42078 #include "ftmac100.h"
42080 diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c
42081 index 331987d..3be1135 100644
42082 --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c
42083 +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c
42084 @@ -776,7 +776,7 @@ void ixgbe_ptp_start_cyclecounter(struct ixgbe_adapter *adapter)
42087 /* update the base incval used to calculate frequency adjustment */
42088 - ACCESS_ONCE(adapter->base_incval) = incval;
42089 + ACCESS_ONCE_RW(adapter->base_incval) = incval;
42092 /* need lock to prevent incorrect read while modifying cyclecounter */
42093 diff --git a/drivers/net/ethernet/neterion/vxge/vxge-config.c b/drivers/net/ethernet/neterion/vxge/vxge-config.c
42094 index fbe5363..266b4e3 100644
42095 --- a/drivers/net/ethernet/neterion/vxge/vxge-config.c
42096 +++ b/drivers/net/ethernet/neterion/vxge/vxge-config.c
42097 @@ -3461,7 +3461,10 @@ __vxge_hw_fifo_create(struct __vxge_hw_vpath_handle *vp,
42098 struct __vxge_hw_fifo *fifo;
42099 struct vxge_hw_fifo_config *config;
42100 u32 txdl_size, txdl_per_memblock;
42101 - struct vxge_hw_mempool_cbs fifo_mp_callback;
42102 + static struct vxge_hw_mempool_cbs fifo_mp_callback = {
42103 + .item_func_alloc = __vxge_hw_fifo_mempool_item_alloc,
42106 struct __vxge_hw_virtualpath *vpath;
42108 if ((vp == NULL) || (attr == NULL)) {
42109 @@ -3544,8 +3547,6 @@ __vxge_hw_fifo_create(struct __vxge_hw_vpath_handle *vp,
42113 - fifo_mp_callback.item_func_alloc = __vxge_hw_fifo_mempool_item_alloc;
42116 __vxge_hw_mempool_create(vpath->hldev,
42117 fifo->config->memblock_size,
42118 diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c
42119 index 5e7fb1d..f8d1810 100644
42120 --- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c
42121 +++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c
42122 @@ -1948,7 +1948,9 @@ int qlcnic_83xx_config_default_opmode(struct qlcnic_adapter *adapter)
42123 op_mode = QLC_83XX_DEFAULT_OPMODE;
42125 if (op_mode == QLC_83XX_DEFAULT_OPMODE) {
42126 - adapter->nic_ops->init_driver = qlcnic_83xx_init_default_driver;
42127 + pax_open_kernel();
42128 + *(void **)&adapter->nic_ops->init_driver = qlcnic_83xx_init_default_driver;
42129 + pax_close_kernel();
42130 ahw->idc.state_entry = qlcnic_83xx_idc_ready_state_entry;
42133 diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c
42134 index b0c3de9..fc5857e 100644
42135 --- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c
42136 +++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c
42137 @@ -200,15 +200,21 @@ int qlcnic_83xx_config_vnic_opmode(struct qlcnic_adapter *adapter)
42138 if (priv_level == QLCNIC_NON_PRIV_FUNC) {
42139 ahw->op_mode = QLCNIC_NON_PRIV_FUNC;
42140 ahw->idc.state_entry = qlcnic_83xx_idc_ready_state_entry;
42141 - nic_ops->init_driver = qlcnic_83xx_init_non_privileged_vnic;
42142 + pax_open_kernel();
42143 + *(void **)&nic_ops->init_driver = qlcnic_83xx_init_non_privileged_vnic;
42144 + pax_close_kernel();
42145 } else if (priv_level == QLCNIC_PRIV_FUNC) {
42146 ahw->op_mode = QLCNIC_PRIV_FUNC;
42147 ahw->idc.state_entry = qlcnic_83xx_idc_vnic_pf_entry;
42148 - nic_ops->init_driver = qlcnic_83xx_init_privileged_vnic;
42149 + pax_open_kernel();
42150 + *(void **)&nic_ops->init_driver = qlcnic_83xx_init_privileged_vnic;
42151 + pax_close_kernel();
42152 } else if (priv_level == QLCNIC_MGMT_FUNC) {
42153 ahw->op_mode = QLCNIC_MGMT_FUNC;
42154 ahw->idc.state_entry = qlcnic_83xx_idc_ready_state_entry;
42155 - nic_ops->init_driver = qlcnic_83xx_init_mgmt_vnic;
42156 + pax_open_kernel();
42157 + *(void **)&nic_ops->init_driver = qlcnic_83xx_init_mgmt_vnic;
42158 + pax_close_kernel();
42162 diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c
42163 index 6acf82b..14b097e 100644
42164 --- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c
42165 +++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c
42166 @@ -206,10 +206,10 @@ int qlcnic_fw_cmd_set_drv_version(struct qlcnic_adapter *adapter)
42168 dev_info(&adapter->pdev->dev,
42169 "Failed to set driver version in firmware\n");
42175 + qlcnic_free_mbx_args(&cmd);
42180 diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c
42181 index d3f8797..82a03d3 100644
42182 --- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c
42183 +++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c
42184 @@ -262,7 +262,7 @@ void qlcnic_82xx_change_filter(struct qlcnic_adapter *adapter, u64 *uaddr,
42186 mac_req = (struct qlcnic_mac_req *)&(req->words[0]);
42187 mac_req->op = vlan_id ? QLCNIC_MAC_VLAN_ADD : QLCNIC_MAC_ADD;
42188 - memcpy(mac_req->mac_addr, &uaddr, ETH_ALEN);
42189 + memcpy(mac_req->mac_addr, uaddr, ETH_ALEN);
42191 vlan_req = (struct qlcnic_vlan_req *)&req->words[1];
42192 vlan_req->vlan_id = cpu_to_le16(vlan_id);
42193 diff --git a/drivers/net/ethernet/realtek/8139cp.c b/drivers/net/ethernet/realtek/8139cp.c
42194 index 887aebe..9095ff9 100644
42195 --- a/drivers/net/ethernet/realtek/8139cp.c
42196 +++ b/drivers/net/ethernet/realtek/8139cp.c
42197 @@ -524,6 +524,7 @@ rx_status_loop:
42198 PCI_DMA_FROMDEVICE);
42199 if (dma_mapping_error(&cp->pdev->dev, new_mapping)) {
42200 dev->stats.rx_dropped++;
42201 + kfree_skb(new_skb);
42205 diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c
42206 index 393f961..d343034 100644
42207 --- a/drivers/net/ethernet/realtek/r8169.c
42208 +++ b/drivers/net/ethernet/realtek/r8169.c
42209 @@ -753,22 +753,22 @@ struct rtl8169_private {
42211 void (*write)(struct rtl8169_private *, int, int);
42212 int (*read)(struct rtl8169_private *, int);
42214 + } __no_const mdio_ops;
42216 struct pll_power_ops {
42217 void (*down)(struct rtl8169_private *);
42218 void (*up)(struct rtl8169_private *);
42220 + } __no_const pll_power_ops;
42223 void (*enable)(struct rtl8169_private *);
42224 void (*disable)(struct rtl8169_private *);
42226 + } __no_const jumbo_ops;
42229 void (*write)(struct rtl8169_private *, int, int);
42230 u32 (*read)(struct rtl8169_private *, int);
42232 + } __no_const csi_ops;
42234 int (*set_speed)(struct net_device *, u8 aneg, u16 sp, u8 dpx, u32 adv);
42235 int (*get_settings)(struct net_device *, struct ethtool_cmd *);
42236 diff --git a/drivers/net/ethernet/sfc/ptp.c b/drivers/net/ethernet/sfc/ptp.c
42237 index 9a95abf..36df7f9 100644
42238 --- a/drivers/net/ethernet/sfc/ptp.c
42239 +++ b/drivers/net/ethernet/sfc/ptp.c
42240 @@ -535,7 +535,7 @@ static int efx_ptp_synchronize(struct efx_nic *efx, unsigned int num_readings)
42241 (u32)((u64)ptp->start.dma_addr >> 32));
42243 /* Clear flag that signals MC ready */
42244 - ACCESS_ONCE(*start) = 0;
42245 + ACCESS_ONCE_RW(*start) = 0;
42246 efx_mcdi_rpc_start(efx, MC_CMD_PTP, synch_buf,
42247 MC_CMD_PTP_IN_SYNCHRONIZE_LEN);
42249 diff --git a/drivers/net/ethernet/stmicro/stmmac/mmc_core.c b/drivers/net/ethernet/stmicro/stmmac/mmc_core.c
42250 index 50617c5..b13724c 100644
42251 --- a/drivers/net/ethernet/stmicro/stmmac/mmc_core.c
42252 +++ b/drivers/net/ethernet/stmicro/stmmac/mmc_core.c
42253 @@ -140,8 +140,8 @@ void dwmac_mmc_ctrl(void __iomem *ioaddr, unsigned int mode)
42255 writel(value, ioaddr + MMC_CNTRL);
42257 - pr_debug("stmmac: MMC ctrl register (offset 0x%x): 0x%08x\n",
42258 - MMC_CNTRL, value);
42259 +// pr_debug("stmmac: MMC ctrl register (offset 0x%x): 0x%08x\n",
42260 +// MMC_CNTRL, value);
42263 /* To mask all all interrupts.*/
42264 diff --git a/drivers/net/hyperv/hyperv_net.h b/drivers/net/hyperv/hyperv_net.h
42265 index e6fe0d8..2b7d752 100644
42266 --- a/drivers/net/hyperv/hyperv_net.h
42267 +++ b/drivers/net/hyperv/hyperv_net.h
42268 @@ -101,7 +101,7 @@ struct rndis_device {
42270 enum rndis_device_state state;
42272 - atomic_t new_req_id;
42273 + atomic_unchecked_t new_req_id;
42275 spinlock_t request_lock;
42276 struct list_head req_list;
42277 diff --git a/drivers/net/hyperv/rndis_filter.c b/drivers/net/hyperv/rndis_filter.c
42278 index 0775f0a..d4fb316 100644
42279 --- a/drivers/net/hyperv/rndis_filter.c
42280 +++ b/drivers/net/hyperv/rndis_filter.c
42281 @@ -104,7 +104,7 @@ static struct rndis_request *get_rndis_request(struct rndis_device *dev,
42284 set = &rndis_msg->msg.set_req;
42285 - set->req_id = atomic_inc_return(&dev->new_req_id);
42286 + set->req_id = atomic_inc_return_unchecked(&dev->new_req_id);
42288 /* Add to the request list */
42289 spin_lock_irqsave(&dev->request_lock, flags);
42290 @@ -752,7 +752,7 @@ static void rndis_filter_halt_device(struct rndis_device *dev)
42292 /* Setup the rndis set */
42293 halt = &request->request_msg.msg.halt_req;
42294 - halt->req_id = atomic_inc_return(&dev->new_req_id);
42295 + halt->req_id = atomic_inc_return_unchecked(&dev->new_req_id);
42297 /* Ignore return since this msg is optional. */
42298 rndis_filter_send_request(dev, request);
42299 diff --git a/drivers/net/ieee802154/fakehard.c b/drivers/net/ieee802154/fakehard.c
42300 index bf0d55e..82bcfbd1 100644
42301 --- a/drivers/net/ieee802154/fakehard.c
42302 +++ b/drivers/net/ieee802154/fakehard.c
42303 @@ -364,7 +364,7 @@ static int ieee802154fake_probe(struct platform_device *pdev)
42304 phy->transmit_power = 0xbf;
42306 dev->netdev_ops = &fake_ops;
42307 - dev->ml_priv = &fake_mlme;
42308 + dev->ml_priv = (void *)&fake_mlme;
42310 priv = netdev_priv(dev);
42312 diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
42313 index 6e91931..2b0ebe7 100644
42314 --- a/drivers/net/macvlan.c
42315 +++ b/drivers/net/macvlan.c
42316 @@ -905,13 +905,15 @@ static const struct nla_policy macvlan_policy[IFLA_MACVLAN_MAX + 1] = {
42317 int macvlan_link_register(struct rtnl_link_ops *ops)
42319 /* common fields */
42320 - ops->priv_size = sizeof(struct macvlan_dev);
42321 - ops->validate = macvlan_validate;
42322 - ops->maxtype = IFLA_MACVLAN_MAX;
42323 - ops->policy = macvlan_policy;
42324 - ops->changelink = macvlan_changelink;
42325 - ops->get_size = macvlan_get_size;
42326 - ops->fill_info = macvlan_fill_info;
42327 + pax_open_kernel();
42328 + *(size_t *)&ops->priv_size = sizeof(struct macvlan_dev);
42329 + *(void **)&ops->validate = macvlan_validate;
42330 + *(int *)&ops->maxtype = IFLA_MACVLAN_MAX;
42331 + *(const void **)&ops->policy = macvlan_policy;
42332 + *(void **)&ops->changelink = macvlan_changelink;
42333 + *(void **)&ops->get_size = macvlan_get_size;
42334 + *(void **)&ops->fill_info = macvlan_fill_info;
42335 + pax_close_kernel();
42337 return rtnl_link_register(ops);
42339 @@ -967,7 +969,7 @@ static int macvlan_device_event(struct notifier_block *unused,
42340 return NOTIFY_DONE;
42343 -static struct notifier_block macvlan_notifier_block __read_mostly = {
42344 +static struct notifier_block macvlan_notifier_block = {
42345 .notifier_call = macvlan_device_event,
42348 diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
42349 index 523d6b2..5e16aa1 100644
42350 --- a/drivers/net/macvtap.c
42351 +++ b/drivers/net/macvtap.c
42352 @@ -1110,7 +1110,7 @@ static int macvtap_device_event(struct notifier_block *unused,
42353 return NOTIFY_DONE;
42356 -static struct notifier_block macvtap_notifier_block __read_mostly = {
42357 +static struct notifier_block macvtap_notifier_block = {
42358 .notifier_call = macvtap_device_event,
42361 diff --git a/drivers/net/phy/mdio-bitbang.c b/drivers/net/phy/mdio-bitbang.c
42362 index daec9b0..6428fcb 100644
42363 --- a/drivers/net/phy/mdio-bitbang.c
42364 +++ b/drivers/net/phy/mdio-bitbang.c
42365 @@ -234,6 +234,7 @@ void free_mdio_bitbang(struct mii_bus *bus)
42366 struct mdiobb_ctrl *ctrl = bus->priv;
42368 module_put(ctrl->ops->owner);
42369 + mdiobus_unregister(bus);
42372 EXPORT_SYMBOL(free_mdio_bitbang);
42373 diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
42374 index 72ff14b..11d442d 100644
42375 --- a/drivers/net/ppp/ppp_generic.c
42376 +++ b/drivers/net/ppp/ppp_generic.c
42377 @@ -999,7 +999,6 @@ ppp_net_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
42378 void __user *addr = (void __user *) ifr->ifr_ifru.ifru_data;
42379 struct ppp_stats stats;
42380 struct ppp_comp_stats cstats;
42384 case SIOCGPPPSTATS:
42385 @@ -1021,8 +1020,7 @@ ppp_net_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
42389 - vers = PPP_VERSION;
42390 - if (copy_to_user(addr, vers, strlen(vers) + 1))
42391 + if (copy_to_user(addr, PPP_VERSION, sizeof(PPP_VERSION)))
42395 diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c
42396 index 1252d9c..80e660b 100644
42397 --- a/drivers/net/slip/slhc.c
42398 +++ b/drivers/net/slip/slhc.c
42399 @@ -488,7 +488,7 @@ slhc_uncompress(struct slcompress *comp, unsigned char *icp, int isize)
42400 register struct tcphdr *thp;
42401 register struct iphdr *ip;
42402 register struct cstate *cs;
42404 + long len, hdrlen;
42405 unsigned char *cp = icp;
42407 /* We've got a compressed packet; read the change byte */
42408 diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
42409 index b305105..8ead6df 100644
42410 --- a/drivers/net/team/team.c
42411 +++ b/drivers/net/team/team.c
42412 @@ -2682,7 +2682,7 @@ static int team_device_event(struct notifier_block *unused,
42413 return NOTIFY_DONE;
42416 -static struct notifier_block team_notifier_block __read_mostly = {
42417 +static struct notifier_block team_notifier_block = {
42418 .notifier_call = team_device_event,
42421 diff --git a/drivers/net/tun.c b/drivers/net/tun.c
42422 index 2491eb2..1a453eb 100644
42423 --- a/drivers/net/tun.c
42424 +++ b/drivers/net/tun.c
42425 @@ -1076,8 +1076,9 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
42428 if (!(tun->flags & TUN_NO_PI)) {
42429 - if ((len -= sizeof(pi)) > total_len)
42430 + if (len < sizeof(pi))
42432 + len -= sizeof(pi);
42434 if (memcpy_fromiovecend((void *)&pi, iv, 0, sizeof(pi)))
42436 @@ -1085,8 +1086,9 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
42439 if (tun->flags & TUN_VNET_HDR) {
42440 - if ((len -= tun->vnet_hdr_sz) > total_len)
42441 + if (len < tun->vnet_hdr_sz)
42443 + len -= tun->vnet_hdr_sz;
42445 if (memcpy_fromiovecend((void *)&gso, iv, offset, sizeof(gso)))
42447 @@ -1869,7 +1871,7 @@ unlock:
42450 static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
42451 - unsigned long arg, int ifreq_len)
42452 + unsigned long arg, size_t ifreq_len)
42454 struct tun_file *tfile = file->private_data;
42455 struct tun_struct *tun;
42456 @@ -1881,6 +1883,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
42460 + if (ifreq_len > sizeof ifr)
42463 if (cmd == TUNSETIFF || cmd == TUNSETQUEUE || _IOC_TYPE(cmd) == 0x89) {
42464 if (copy_from_user(&ifr, argp, ifreq_len))
42466 diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
42467 index cba1d46..f703766 100644
42468 --- a/drivers/net/usb/hso.c
42469 +++ b/drivers/net/usb/hso.c
42471 #include <asm/byteorder.h>
42472 #include <linux/serial_core.h>
42473 #include <linux/serial.h>
42475 +#include <asm/local.h>
42477 #define MOD_AUTHOR "Option Wireless"
42478 #define MOD_DESCRIPTION "USB High Speed Option driver"
42479 @@ -1180,7 +1180,7 @@ static void put_rxbuf_data_and_resubmit_ctrl_urb(struct hso_serial *serial)
42482 urb = serial->rx_urb[0];
42483 - if (serial->port.count > 0) {
42484 + if (atomic_read(&serial->port.count) > 0) {
42485 count = put_rxbuf_data(urb, serial);
42488 @@ -1216,7 +1216,7 @@ static void hso_std_serial_read_bulk_callback(struct urb *urb)
42489 DUMP1(urb->transfer_buffer, urb->actual_length);
42491 /* Anyone listening? */
42492 - if (serial->port.count == 0)
42493 + if (atomic_read(&serial->port.count) == 0)
42497 @@ -1298,8 +1298,7 @@ static int hso_serial_open(struct tty_struct *tty, struct file *filp)
42498 tty_port_tty_set(&serial->port, tty);
42500 /* check for port already opened, if not set the termios */
42501 - serial->port.count++;
42502 - if (serial->port.count == 1) {
42503 + if (atomic_inc_return(&serial->port.count) == 1) {
42504 serial->rx_state = RX_IDLE;
42505 /* Force default termio settings */
42506 _hso_serial_set_termios(tty, NULL);
42507 @@ -1311,7 +1310,7 @@ static int hso_serial_open(struct tty_struct *tty, struct file *filp)
42508 result = hso_start_serial_device(serial->parent, GFP_KERNEL);
42510 hso_stop_serial_device(serial->parent);
42511 - serial->port.count--;
42512 + atomic_dec(&serial->port.count);
42513 kref_put(&serial->parent->ref, hso_serial_ref_free);
42516 @@ -1348,10 +1347,10 @@ static void hso_serial_close(struct tty_struct *tty, struct file *filp)
42518 /* reset the rts and dtr */
42519 /* do the actual close */
42520 - serial->port.count--;
42521 + atomic_dec(&serial->port.count);
42523 - if (serial->port.count <= 0) {
42524 - serial->port.count = 0;
42525 + if (atomic_read(&serial->port.count) <= 0) {
42526 + atomic_set(&serial->port.count, 0);
42527 tty_port_tty_set(&serial->port, NULL);
42529 hso_stop_serial_device(serial->parent);
42530 @@ -1427,7 +1426,7 @@ static void hso_serial_set_termios(struct tty_struct *tty, struct ktermios *old)
42532 /* the actual setup */
42533 spin_lock_irqsave(&serial->serial_lock, flags);
42534 - if (serial->port.count)
42535 + if (atomic_read(&serial->port.count))
42536 _hso_serial_set_termios(tty, old);
42538 tty->termios = *old;
42539 @@ -1886,7 +1885,7 @@ static void intr_callback(struct urb *urb)
42540 D1("Pending read interrupt on port %d\n", i);
42541 spin_lock(&serial->serial_lock);
42542 if (serial->rx_state == RX_IDLE &&
42543 - serial->port.count > 0) {
42544 + atomic_read(&serial->port.count) > 0) {
42545 /* Setup and send a ctrl req read on
42547 if (!serial->rx_urb_filled[0]) {
42548 @@ -3057,7 +3056,7 @@ static int hso_resume(struct usb_interface *iface)
42549 /* Start all serial ports */
42550 for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) {
42551 if (serial_table[i] && (serial_table[i]->interface == iface)) {
42552 - if (dev2ser(serial_table[i])->port.count) {
42553 + if (atomic_read(&dev2ser(serial_table[i])->port.count)) {
42555 hso_start_serial_device(serial_table[i], GFP_NOIO);
42556 hso_kick_transmit(dev2ser(serial_table[i]));
42557 diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
42558 index 57325f3..36b181f 100644
42559 --- a/drivers/net/vxlan.c
42560 +++ b/drivers/net/vxlan.c
42561 @@ -1579,7 +1579,7 @@ nla_put_failure:
42565 -static struct rtnl_link_ops vxlan_link_ops __read_mostly = {
42566 +static struct rtnl_link_ops vxlan_link_ops = {
42568 .maxtype = IFLA_VXLAN_MAX,
42569 .policy = vxlan_policy,
42570 diff --git a/drivers/net/wireless/at76c50x-usb.c b/drivers/net/wireless/at76c50x-usb.c
42571 index 34c8a33..3261fdc 100644
42572 --- a/drivers/net/wireless/at76c50x-usb.c
42573 +++ b/drivers/net/wireless/at76c50x-usb.c
42574 @@ -353,7 +353,7 @@ static int at76_dfu_get_state(struct usb_device *udev, u8 *state)
42577 /* Convert timeout from the DFU status to jiffies */
42578 -static inline unsigned long at76_get_timeout(struct dfu_status *s)
42579 +static inline unsigned long __intentional_overflow(-1) at76_get_timeout(struct dfu_status *s)
42581 return msecs_to_jiffies((s->poll_timeout[2] << 16)
42582 | (s->poll_timeout[1] << 8)
42583 diff --git a/drivers/net/wireless/ath/ath9k/ar9002_mac.c b/drivers/net/wireless/ath/ath9k/ar9002_mac.c
42584 index 8d78253..bebbb68 100644
42585 --- a/drivers/net/wireless/ath/ath9k/ar9002_mac.c
42586 +++ b/drivers/net/wireless/ath/ath9k/ar9002_mac.c
42587 @@ -184,8 +184,8 @@ ar9002_set_txdesc(struct ath_hw *ah, void *ds, struct ath_tx_info *i)
42588 ads->ds_txstatus6 = ads->ds_txstatus7 = 0;
42589 ads->ds_txstatus8 = ads->ds_txstatus9 = 0;
42591 - ACCESS_ONCE(ads->ds_link) = i->link;
42592 - ACCESS_ONCE(ads->ds_data) = i->buf_addr[0];
42593 + ACCESS_ONCE_RW(ads->ds_link) = i->link;
42594 + ACCESS_ONCE_RW(ads->ds_data) = i->buf_addr[0];
42596 ctl1 = i->buf_len[0] | (i->is_last ? 0 : AR_TxMore);
42597 ctl6 = SM(i->keytype, AR_EncrType);
42598 @@ -199,26 +199,26 @@ ar9002_set_txdesc(struct ath_hw *ah, void *ds, struct ath_tx_info *i)
42600 if ((i->is_first || i->is_last) &&
42601 i->aggr != AGGR_BUF_MIDDLE && i->aggr != AGGR_BUF_LAST) {
42602 - ACCESS_ONCE(ads->ds_ctl2) = set11nTries(i->rates, 0)
42603 + ACCESS_ONCE_RW(ads->ds_ctl2) = set11nTries(i->rates, 0)
42604 | set11nTries(i->rates, 1)
42605 | set11nTries(i->rates, 2)
42606 | set11nTries(i->rates, 3)
42607 | (i->dur_update ? AR_DurUpdateEna : 0)
42608 | SM(0, AR_BurstDur);
42610 - ACCESS_ONCE(ads->ds_ctl3) = set11nRate(i->rates, 0)
42611 + ACCESS_ONCE_RW(ads->ds_ctl3) = set11nRate(i->rates, 0)
42612 | set11nRate(i->rates, 1)
42613 | set11nRate(i->rates, 2)
42614 | set11nRate(i->rates, 3);
42616 - ACCESS_ONCE(ads->ds_ctl2) = 0;
42617 - ACCESS_ONCE(ads->ds_ctl3) = 0;
42618 + ACCESS_ONCE_RW(ads->ds_ctl2) = 0;
42619 + ACCESS_ONCE_RW(ads->ds_ctl3) = 0;
42622 if (!i->is_first) {
42623 - ACCESS_ONCE(ads->ds_ctl0) = 0;
42624 - ACCESS_ONCE(ads->ds_ctl1) = ctl1;
42625 - ACCESS_ONCE(ads->ds_ctl6) = ctl6;
42626 + ACCESS_ONCE_RW(ads->ds_ctl0) = 0;
42627 + ACCESS_ONCE_RW(ads->ds_ctl1) = ctl1;
42628 + ACCESS_ONCE_RW(ads->ds_ctl6) = ctl6;
42632 @@ -243,7 +243,7 @@ ar9002_set_txdesc(struct ath_hw *ah, void *ds, struct ath_tx_info *i)
42636 - ACCESS_ONCE(ads->ds_ctl0) = (i->pkt_len & AR_FrameLen)
42637 + ACCESS_ONCE_RW(ads->ds_ctl0) = (i->pkt_len & AR_FrameLen)
42638 | (i->flags & ATH9K_TXDESC_VMF ? AR_VirtMoreFrag : 0)
42639 | SM(i->txpower, AR_XmitPower)
42640 | (i->flags & ATH9K_TXDESC_VEOL ? AR_VEOL : 0)
42641 @@ -253,19 +253,19 @@ ar9002_set_txdesc(struct ath_hw *ah, void *ds, struct ath_tx_info *i)
42642 | (i->flags & ATH9K_TXDESC_RTSENA ? AR_RTSEnable :
42643 (i->flags & ATH9K_TXDESC_CTSENA ? AR_CTSEnable : 0));
42645 - ACCESS_ONCE(ads->ds_ctl1) = ctl1;
42646 - ACCESS_ONCE(ads->ds_ctl6) = ctl6;
42647 + ACCESS_ONCE_RW(ads->ds_ctl1) = ctl1;
42648 + ACCESS_ONCE_RW(ads->ds_ctl6) = ctl6;
42650 if (i->aggr == AGGR_BUF_MIDDLE || i->aggr == AGGR_BUF_LAST)
42653 - ACCESS_ONCE(ads->ds_ctl4) = set11nPktDurRTSCTS(i->rates, 0)
42654 + ACCESS_ONCE_RW(ads->ds_ctl4) = set11nPktDurRTSCTS(i->rates, 0)
42655 | set11nPktDurRTSCTS(i->rates, 1);
42657 - ACCESS_ONCE(ads->ds_ctl5) = set11nPktDurRTSCTS(i->rates, 2)
42658 + ACCESS_ONCE_RW(ads->ds_ctl5) = set11nPktDurRTSCTS(i->rates, 2)
42659 | set11nPktDurRTSCTS(i->rates, 3);
42661 - ACCESS_ONCE(ads->ds_ctl7) = set11nRateFlags(i->rates, 0)
42662 + ACCESS_ONCE_RW(ads->ds_ctl7) = set11nRateFlags(i->rates, 0)
42663 | set11nRateFlags(i->rates, 1)
42664 | set11nRateFlags(i->rates, 2)
42665 | set11nRateFlags(i->rates, 3)
42666 diff --git a/drivers/net/wireless/ath/ath9k/ar9003_mac.c b/drivers/net/wireless/ath/ath9k/ar9003_mac.c
42667 index 301bf72..3f5654f 100644
42668 --- a/drivers/net/wireless/ath/ath9k/ar9003_mac.c
42669 +++ b/drivers/net/wireless/ath/ath9k/ar9003_mac.c
42670 @@ -39,47 +39,47 @@ ar9003_set_txdesc(struct ath_hw *ah, void *ds, struct ath_tx_info *i)
42671 (i->qcu << AR_TxQcuNum_S) | desc_len;
42674 - ACCESS_ONCE(ads->info) = val;
42675 + ACCESS_ONCE_RW(ads->info) = val;
42677 checksum += i->link;
42678 - ACCESS_ONCE(ads->link) = i->link;
42679 + ACCESS_ONCE_RW(ads->link) = i->link;
42681 checksum += i->buf_addr[0];
42682 - ACCESS_ONCE(ads->data0) = i->buf_addr[0];
42683 + ACCESS_ONCE_RW(ads->data0) = i->buf_addr[0];
42684 checksum += i->buf_addr[1];
42685 - ACCESS_ONCE(ads->data1) = i->buf_addr[1];
42686 + ACCESS_ONCE_RW(ads->data1) = i->buf_addr[1];
42687 checksum += i->buf_addr[2];
42688 - ACCESS_ONCE(ads->data2) = i->buf_addr[2];
42689 + ACCESS_ONCE_RW(ads->data2) = i->buf_addr[2];
42690 checksum += i->buf_addr[3];
42691 - ACCESS_ONCE(ads->data3) = i->buf_addr[3];
42692 + ACCESS_ONCE_RW(ads->data3) = i->buf_addr[3];
42694 checksum += (val = (i->buf_len[0] << AR_BufLen_S) & AR_BufLen);
42695 - ACCESS_ONCE(ads->ctl3) = val;
42696 + ACCESS_ONCE_RW(ads->ctl3) = val;
42697 checksum += (val = (i->buf_len[1] << AR_BufLen_S) & AR_BufLen);
42698 - ACCESS_ONCE(ads->ctl5) = val;
42699 + ACCESS_ONCE_RW(ads->ctl5) = val;
42700 checksum += (val = (i->buf_len[2] << AR_BufLen_S) & AR_BufLen);
42701 - ACCESS_ONCE(ads->ctl7) = val;
42702 + ACCESS_ONCE_RW(ads->ctl7) = val;
42703 checksum += (val = (i->buf_len[3] << AR_BufLen_S) & AR_BufLen);
42704 - ACCESS_ONCE(ads->ctl9) = val;
42705 + ACCESS_ONCE_RW(ads->ctl9) = val;
42707 checksum = (u16) (((checksum & 0xffff) + (checksum >> 16)) & 0xffff);
42708 - ACCESS_ONCE(ads->ctl10) = checksum;
42709 + ACCESS_ONCE_RW(ads->ctl10) = checksum;
42711 if (i->is_first || i->is_last) {
42712 - ACCESS_ONCE(ads->ctl13) = set11nTries(i->rates, 0)
42713 + ACCESS_ONCE_RW(ads->ctl13) = set11nTries(i->rates, 0)
42714 | set11nTries(i->rates, 1)
42715 | set11nTries(i->rates, 2)
42716 | set11nTries(i->rates, 3)
42717 | (i->dur_update ? AR_DurUpdateEna : 0)
42718 | SM(0, AR_BurstDur);
42720 - ACCESS_ONCE(ads->ctl14) = set11nRate(i->rates, 0)
42721 + ACCESS_ONCE_RW(ads->ctl14) = set11nRate(i->rates, 0)
42722 | set11nRate(i->rates, 1)
42723 | set11nRate(i->rates, 2)
42724 | set11nRate(i->rates, 3);
42726 - ACCESS_ONCE(ads->ctl13) = 0;
42727 - ACCESS_ONCE(ads->ctl14) = 0;
42728 + ACCESS_ONCE_RW(ads->ctl13) = 0;
42729 + ACCESS_ONCE_RW(ads->ctl14) = 0;
42733 @@ -89,17 +89,17 @@ ar9003_set_txdesc(struct ath_hw *ah, void *ds, struct ath_tx_info *i)
42735 ctl17 = SM(i->keytype, AR_EncrType);
42736 if (!i->is_first) {
42737 - ACCESS_ONCE(ads->ctl11) = 0;
42738 - ACCESS_ONCE(ads->ctl12) = i->is_last ? 0 : AR_TxMore;
42739 - ACCESS_ONCE(ads->ctl15) = 0;
42740 - ACCESS_ONCE(ads->ctl16) = 0;
42741 - ACCESS_ONCE(ads->ctl17) = ctl17;
42742 - ACCESS_ONCE(ads->ctl18) = 0;
42743 - ACCESS_ONCE(ads->ctl19) = 0;
42744 + ACCESS_ONCE_RW(ads->ctl11) = 0;
42745 + ACCESS_ONCE_RW(ads->ctl12) = i->is_last ? 0 : AR_TxMore;
42746 + ACCESS_ONCE_RW(ads->ctl15) = 0;
42747 + ACCESS_ONCE_RW(ads->ctl16) = 0;
42748 + ACCESS_ONCE_RW(ads->ctl17) = ctl17;
42749 + ACCESS_ONCE_RW(ads->ctl18) = 0;
42750 + ACCESS_ONCE_RW(ads->ctl19) = 0;
42754 - ACCESS_ONCE(ads->ctl11) = (i->pkt_len & AR_FrameLen)
42755 + ACCESS_ONCE_RW(ads->ctl11) = (i->pkt_len & AR_FrameLen)
42756 | (i->flags & ATH9K_TXDESC_VMF ? AR_VirtMoreFrag : 0)
42757 | SM(i->txpower, AR_XmitPower)
42758 | (i->flags & ATH9K_TXDESC_VEOL ? AR_VEOL : 0)
42759 @@ -135,22 +135,22 @@ ar9003_set_txdesc(struct ath_hw *ah, void *ds, struct ath_tx_info *i)
42760 val = (i->flags & ATH9K_TXDESC_PAPRD) >> ATH9K_TXDESC_PAPRD_S;
42761 ctl12 |= SM(val, AR_PAPRDChainMask);
42763 - ACCESS_ONCE(ads->ctl12) = ctl12;
42764 - ACCESS_ONCE(ads->ctl17) = ctl17;
42765 + ACCESS_ONCE_RW(ads->ctl12) = ctl12;
42766 + ACCESS_ONCE_RW(ads->ctl17) = ctl17;
42768 - ACCESS_ONCE(ads->ctl15) = set11nPktDurRTSCTS(i->rates, 0)
42769 + ACCESS_ONCE_RW(ads->ctl15) = set11nPktDurRTSCTS(i->rates, 0)
42770 | set11nPktDurRTSCTS(i->rates, 1);
42772 - ACCESS_ONCE(ads->ctl16) = set11nPktDurRTSCTS(i->rates, 2)
42773 + ACCESS_ONCE_RW(ads->ctl16) = set11nPktDurRTSCTS(i->rates, 2)
42774 | set11nPktDurRTSCTS(i->rates, 3);
42776 - ACCESS_ONCE(ads->ctl18) = set11nRateFlags(i->rates, 0)
42777 + ACCESS_ONCE_RW(ads->ctl18) = set11nRateFlags(i->rates, 0)
42778 | set11nRateFlags(i->rates, 1)
42779 | set11nRateFlags(i->rates, 2)
42780 | set11nRateFlags(i->rates, 3)
42781 | SM(i->rtscts_rate, AR_RTSCTSRate);
42783 - ACCESS_ONCE(ads->ctl19) = AR_Not_Sounding;
42784 + ACCESS_ONCE_RW(ads->ctl19) = AR_Not_Sounding;
42787 static u16 ar9003_calc_ptr_chksum(struct ar9003_txc *ads)
42788 diff --git a/drivers/net/wireless/ath/ath9k/hw.h b/drivers/net/wireless/ath/ath9k/hw.h
42789 index ae30343..a117806 100644
42790 --- a/drivers/net/wireless/ath/ath9k/hw.h
42791 +++ b/drivers/net/wireless/ath/ath9k/hw.h
42792 @@ -652,7 +652,7 @@ struct ath_hw_private_ops {
42795 void (*ani_cache_ini_regs)(struct ath_hw *ah);
42800 * struct ath_spec_scan - parameters for Atheros spectral scan
42801 @@ -721,7 +721,7 @@ struct ath_hw_ops {
42802 struct ath_spec_scan *param);
42803 void (*spectral_scan_trigger)(struct ath_hw *ah);
42804 void (*spectral_scan_wait)(struct ath_hw *ah);
42808 struct ath_nf_limits {
42810 diff --git a/drivers/net/wireless/iwlegacy/3945-mac.c b/drivers/net/wireless/iwlegacy/3945-mac.c
42811 index b37a582..680835d 100644
42812 --- a/drivers/net/wireless/iwlegacy/3945-mac.c
42813 +++ b/drivers/net/wireless/iwlegacy/3945-mac.c
42814 @@ -3639,7 +3639,9 @@ il3945_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
42816 if (il3945_mod_params.disable_hw_scan) {
42817 D_INFO("Disabling hw_scan\n");
42818 - il3945_mac_ops.hw_scan = NULL;
42819 + pax_open_kernel();
42820 + *(void **)&il3945_mac_ops.hw_scan = NULL;
42821 + pax_close_kernel();
42824 D_INFO("*** LOAD DRIVER ***\n");
42825 diff --git a/drivers/net/wireless/iwlwifi/dvm/debugfs.c b/drivers/net/wireless/iwlwifi/dvm/debugfs.c
42826 index d532948..e0d8bb1 100644
42827 --- a/drivers/net/wireless/iwlwifi/dvm/debugfs.c
42828 +++ b/drivers/net/wireless/iwlwifi/dvm/debugfs.c
42829 @@ -203,7 +203,7 @@ static ssize_t iwl_dbgfs_sram_write(struct file *file,
42831 struct iwl_priv *priv = file->private_data;
42837 memset(buf, 0, sizeof(buf));
42838 @@ -473,7 +473,7 @@ static ssize_t iwl_dbgfs_rx_handlers_write(struct file *file,
42839 struct iwl_priv *priv = file->private_data;
42846 memset(buf, 0, sizeof(buf));
42847 @@ -554,7 +554,7 @@ static ssize_t iwl_dbgfs_disable_ht40_write(struct file *file,
42849 struct iwl_priv *priv = file->private_data;
42855 memset(buf, 0, sizeof(buf));
42856 @@ -606,7 +606,7 @@ static ssize_t iwl_dbgfs_sleep_level_override_write(struct file *file,
42858 struct iwl_priv *priv = file->private_data;
42864 memset(buf, 0, sizeof(buf));
42865 @@ -698,10 +698,10 @@ DEBUGFS_READ_FILE_OPS(temperature);
42866 DEBUGFS_READ_WRITE_FILE_OPS(sleep_level_override);
42867 DEBUGFS_READ_FILE_OPS(current_sleep_command);
42869 -static const char *fmt_value = " %-30s %10u\n";
42870 -static const char *fmt_hex = " %-30s 0x%02X\n";
42871 -static const char *fmt_table = " %-30s %10u %10u %10u %10u\n";
42872 -static const char *fmt_header =
42873 +static const char fmt_value[] = " %-30s %10u\n";
42874 +static const char fmt_hex[] = " %-30s 0x%02X\n";
42875 +static const char fmt_table[] = " %-30s %10u %10u %10u %10u\n";
42876 +static const char fmt_header[] =
42877 "%-32s current cumulative delta max\n";
42879 static int iwl_statistics_flag(struct iwl_priv *priv, char *buf, int bufsz)
42880 @@ -1871,7 +1871,7 @@ static ssize_t iwl_dbgfs_clear_ucode_statistics_write(struct file *file,
42882 struct iwl_priv *priv = file->private_data;
42888 memset(buf, 0, sizeof(buf));
42889 @@ -1916,7 +1916,7 @@ static ssize_t iwl_dbgfs_ucode_tracing_write(struct file *file,
42891 struct iwl_priv *priv = file->private_data;
42897 memset(buf, 0, sizeof(buf));
42898 @@ -1987,7 +1987,7 @@ static ssize_t iwl_dbgfs_missed_beacon_write(struct file *file,
42900 struct iwl_priv *priv = file->private_data;
42906 memset(buf, 0, sizeof(buf));
42907 @@ -2028,7 +2028,7 @@ static ssize_t iwl_dbgfs_plcp_delta_write(struct file *file,
42909 struct iwl_priv *priv = file->private_data;
42915 memset(buf, 0, sizeof(buf));
42916 @@ -2088,7 +2088,7 @@ static ssize_t iwl_dbgfs_txfifo_flush_write(struct file *file,
42918 struct iwl_priv *priv = file->private_data;
42924 memset(buf, 0, sizeof(buf));
42925 @@ -2178,7 +2178,7 @@ static ssize_t iwl_dbgfs_protection_mode_write(struct file *file,
42927 struct iwl_priv *priv = file->private_data;
42933 if (!priv->cfg->ht_params)
42934 @@ -2220,7 +2220,7 @@ static ssize_t iwl_dbgfs_echo_test_write(struct file *file,
42936 struct iwl_priv *priv = file->private_data;
42941 memset(buf, 0, sizeof(buf));
42942 buf_size = min(count, sizeof(buf) - 1);
42943 @@ -2254,7 +2254,7 @@ static ssize_t iwl_dbgfs_log_event_write(struct file *file,
42944 struct iwl_priv *priv = file->private_data;
42945 u32 event_log_flag;
42950 /* check that the interface is up */
42951 if (!iwl_is_ready(priv))
42952 @@ -2308,7 +2308,7 @@ static ssize_t iwl_dbgfs_calib_disabled_write(struct file *file,
42953 struct iwl_priv *priv = file->private_data;
42955 u32 calib_disabled;
42959 memset(buf, 0, sizeof(buf));
42960 buf_size = min(count, sizeof(buf) - 1);
42961 diff --git a/drivers/net/wireless/iwlwifi/pcie/trans.c b/drivers/net/wireless/iwlwifi/pcie/trans.c
42962 index 50ba0a4..29424e7 100644
42963 --- a/drivers/net/wireless/iwlwifi/pcie/trans.c
42964 +++ b/drivers/net/wireless/iwlwifi/pcie/trans.c
42965 @@ -1329,7 +1329,7 @@ static ssize_t iwl_dbgfs_interrupt_write(struct file *file,
42966 struct isr_statistics *isr_stats = &trans_pcie->isr_stats;
42973 memset(buf, 0, sizeof(buf));
42974 @@ -1350,7 +1350,7 @@ static ssize_t iwl_dbgfs_csr_write(struct file *file,
42976 struct iwl_trans *trans = file->private_data;
42982 memset(buf, 0, sizeof(buf));
42983 diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
42984 index cb34c78..9fec0dc 100644
42985 --- a/drivers/net/wireless/mac80211_hwsim.c
42986 +++ b/drivers/net/wireless/mac80211_hwsim.c
42987 @@ -2195,25 +2195,19 @@ static int __init init_mac80211_hwsim(void)
42989 if (channels > 1) {
42990 hwsim_if_comb.num_different_channels = channels;
42991 - mac80211_hwsim_ops.hw_scan = mac80211_hwsim_hw_scan;
42992 - mac80211_hwsim_ops.cancel_hw_scan =
42993 - mac80211_hwsim_cancel_hw_scan;
42994 - mac80211_hwsim_ops.sw_scan_start = NULL;
42995 - mac80211_hwsim_ops.sw_scan_complete = NULL;
42996 - mac80211_hwsim_ops.remain_on_channel =
42997 - mac80211_hwsim_roc;
42998 - mac80211_hwsim_ops.cancel_remain_on_channel =
42999 - mac80211_hwsim_croc;
43000 - mac80211_hwsim_ops.add_chanctx =
43001 - mac80211_hwsim_add_chanctx;
43002 - mac80211_hwsim_ops.remove_chanctx =
43003 - mac80211_hwsim_remove_chanctx;
43004 - mac80211_hwsim_ops.change_chanctx =
43005 - mac80211_hwsim_change_chanctx;
43006 - mac80211_hwsim_ops.assign_vif_chanctx =
43007 - mac80211_hwsim_assign_vif_chanctx;
43008 - mac80211_hwsim_ops.unassign_vif_chanctx =
43009 - mac80211_hwsim_unassign_vif_chanctx;
43010 + pax_open_kernel();
43011 + *(void **)&mac80211_hwsim_ops.hw_scan = mac80211_hwsim_hw_scan;
43012 + *(void **)&mac80211_hwsim_ops.cancel_hw_scan = mac80211_hwsim_cancel_hw_scan;
43013 + *(void **)&mac80211_hwsim_ops.sw_scan_start = NULL;
43014 + *(void **)&mac80211_hwsim_ops.sw_scan_complete = NULL;
43015 + *(void **)&mac80211_hwsim_ops.remain_on_channel = mac80211_hwsim_roc;
43016 + *(void **)&mac80211_hwsim_ops.cancel_remain_on_channel = mac80211_hwsim_croc;
43017 + *(void **)&mac80211_hwsim_ops.add_chanctx = mac80211_hwsim_add_chanctx;
43018 + *(void **)&mac80211_hwsim_ops.remove_chanctx = mac80211_hwsim_remove_chanctx;
43019 + *(void **)&mac80211_hwsim_ops.change_chanctx = mac80211_hwsim_change_chanctx;
43020 + *(void **)&mac80211_hwsim_ops.assign_vif_chanctx = mac80211_hwsim_assign_vif_chanctx;
43021 + *(void **)&mac80211_hwsim_ops.unassign_vif_chanctx = mac80211_hwsim_unassign_vif_chanctx;
43022 + pax_close_kernel();
43025 spin_lock_init(&hwsim_radio_lock);
43026 diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c
43027 index 8169a85..7fa3b47 100644
43028 --- a/drivers/net/wireless/rndis_wlan.c
43029 +++ b/drivers/net/wireless/rndis_wlan.c
43030 @@ -1238,7 +1238,7 @@ static int set_rts_threshold(struct usbnet *usbdev, u32 rts_threshold)
43032 netdev_dbg(usbdev->net, "%s(): %i\n", __func__, rts_threshold);
43034 - if (rts_threshold < 0 || rts_threshold > 2347)
43035 + if (rts_threshold > 2347)
43036 rts_threshold = 2347;
43038 tmp = cpu_to_le32(rts_threshold);
43039 diff --git a/drivers/net/wireless/rt2x00/rt2x00.h b/drivers/net/wireless/rt2x00/rt2x00.h
43040 index 7510723..5ba37f5 100644
43041 --- a/drivers/net/wireless/rt2x00/rt2x00.h
43042 +++ b/drivers/net/wireless/rt2x00/rt2x00.h
43043 @@ -386,7 +386,7 @@ struct rt2x00_intf {
43044 * for hardware which doesn't support hardware
43045 * sequence counting.
43048 + atomic_unchecked_t seqno;
43051 static inline struct rt2x00_intf* vif_to_intf(struct ieee80211_vif *vif)
43052 diff --git a/drivers/net/wireless/rt2x00/rt2x00queue.c b/drivers/net/wireless/rt2x00/rt2x00queue.c
43053 index d955741..8730748 100644
43054 --- a/drivers/net/wireless/rt2x00/rt2x00queue.c
43055 +++ b/drivers/net/wireless/rt2x00/rt2x00queue.c
43056 @@ -252,9 +252,9 @@ static void rt2x00queue_create_tx_descriptor_seq(struct rt2x00_dev *rt2x00dev,
43057 * sequence counter given by mac80211.
43059 if (test_bit(ENTRY_TXD_FIRST_FRAGMENT, &txdesc->flags))
43060 - seqno = atomic_add_return(0x10, &intf->seqno);
43061 + seqno = atomic_add_return_unchecked(0x10, &intf->seqno);
43063 - seqno = atomic_read(&intf->seqno);
43064 + seqno = atomic_read_unchecked(&intf->seqno);
43066 hdr->seq_ctrl &= cpu_to_le16(IEEE80211_SCTL_FRAG);
43067 hdr->seq_ctrl |= cpu_to_le16(seqno);
43068 diff --git a/drivers/net/wireless/ti/wl1251/sdio.c b/drivers/net/wireless/ti/wl1251/sdio.c
43069 index e2b3d9c..67a5184 100644
43070 --- a/drivers/net/wireless/ti/wl1251/sdio.c
43071 +++ b/drivers/net/wireless/ti/wl1251/sdio.c
43072 @@ -271,13 +271,17 @@ static int wl1251_sdio_probe(struct sdio_func *func,
43074 irq_set_irq_type(wl->irq, IRQ_TYPE_EDGE_RISING);
43076 - wl1251_sdio_ops.enable_irq = wl1251_enable_line_irq;
43077 - wl1251_sdio_ops.disable_irq = wl1251_disable_line_irq;
43078 + pax_open_kernel();
43079 + *(void **)&wl1251_sdio_ops.enable_irq = wl1251_enable_line_irq;
43080 + *(void **)&wl1251_sdio_ops.disable_irq = wl1251_disable_line_irq;
43081 + pax_close_kernel();
43083 wl1251_info("using dedicated interrupt line");
43085 - wl1251_sdio_ops.enable_irq = wl1251_sdio_enable_irq;
43086 - wl1251_sdio_ops.disable_irq = wl1251_sdio_disable_irq;
43087 + pax_open_kernel();
43088 + *(void **)&wl1251_sdio_ops.enable_irq = wl1251_sdio_enable_irq;
43089 + *(void **)&wl1251_sdio_ops.disable_irq = wl1251_sdio_disable_irq;
43090 + pax_close_kernel();
43092 wl1251_info("using SDIO interrupt");
43094 diff --git a/drivers/net/wireless/ti/wl12xx/main.c b/drivers/net/wireless/ti/wl12xx/main.c
43095 index 1c627da..69f7d17 100644
43096 --- a/drivers/net/wireless/ti/wl12xx/main.c
43097 +++ b/drivers/net/wireless/ti/wl12xx/main.c
43098 @@ -656,7 +656,9 @@ static int wl12xx_identify_chip(struct wl1271 *wl)
43099 sizeof(wl->conf.mem));
43101 /* read data preparation is only needed by wl127x */
43102 - wl->ops->prepare_read = wl127x_prepare_read;
43103 + pax_open_kernel();
43104 + *(void **)&wl->ops->prepare_read = wl127x_prepare_read;
43105 + pax_close_kernel();
43107 wlcore_set_min_fw_ver(wl, WL127X_CHIP_VER,
43108 WL127X_IFTYPE_SR_VER, WL127X_MAJOR_SR_VER,
43109 @@ -681,7 +683,9 @@ static int wl12xx_identify_chip(struct wl1271 *wl)
43110 sizeof(wl->conf.mem));
43112 /* read data preparation is only needed by wl127x */
43113 - wl->ops->prepare_read = wl127x_prepare_read;
43114 + pax_open_kernel();
43115 + *(void **)&wl->ops->prepare_read = wl127x_prepare_read;
43116 + pax_close_kernel();
43118 wlcore_set_min_fw_ver(wl, WL127X_CHIP_VER,
43119 WL127X_IFTYPE_SR_VER, WL127X_MAJOR_SR_VER,
43120 diff --git a/drivers/net/wireless/ti/wl18xx/main.c b/drivers/net/wireless/ti/wl18xx/main.c
43121 index 9fa692d..b31fee0 100644
43122 --- a/drivers/net/wireless/ti/wl18xx/main.c
43123 +++ b/drivers/net/wireless/ti/wl18xx/main.c
43124 @@ -1687,8 +1687,10 @@ static int wl18xx_setup(struct wl1271 *wl)
43127 if (!checksum_param) {
43128 - wl18xx_ops.set_rx_csum = NULL;
43129 - wl18xx_ops.init_vif = NULL;
43130 + pax_open_kernel();
43131 + *(void **)&wl18xx_ops.set_rx_csum = NULL;
43132 + *(void **)&wl18xx_ops.init_vif = NULL;
43133 + pax_close_kernel();
43136 /* Enable 11a Band only if we have 5G antennas */
43137 diff --git a/drivers/net/wireless/zd1211rw/zd_usb.c b/drivers/net/wireless/zd1211rw/zd_usb.c
43138 index 7ef0b4a..ff65c28 100644
43139 --- a/drivers/net/wireless/zd1211rw/zd_usb.c
43140 +++ b/drivers/net/wireless/zd1211rw/zd_usb.c
43141 @@ -386,7 +386,7 @@ static inline void handle_regs_int(struct urb *urb)
43143 struct zd_usb *usb = urb->context;
43144 struct zd_usb_interrupt *intr = &usb->intr;
43146 + unsigned int len;
43149 ZD_ASSERT(in_interrupt());
43150 diff --git a/drivers/oprofile/buffer_sync.c b/drivers/oprofile/buffer_sync.c
43151 index d93b2b6..ae50401 100644
43152 --- a/drivers/oprofile/buffer_sync.c
43153 +++ b/drivers/oprofile/buffer_sync.c
43154 @@ -332,7 +332,7 @@ static void add_data(struct op_entry *entry, struct mm_struct *mm)
43155 if (cookie == NO_COOKIE)
43157 if (cookie == INVALID_COOKIE) {
43158 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
43159 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
43162 if (cookie != last_cookie) {
43163 @@ -376,14 +376,14 @@ add_sample(struct mm_struct *mm, struct op_sample *s, int in_kernel)
43164 /* add userspace sample */
43167 - atomic_inc(&oprofile_stats.sample_lost_no_mm);
43168 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm);
43172 cookie = lookup_dcookie(mm, s->eip, &offset);
43174 if (cookie == INVALID_COOKIE) {
43175 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
43176 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
43180 @@ -552,7 +552,7 @@ void sync_buffer(int cpu)
43181 /* ignore backtraces if failed to add a sample */
43182 if (state == sb_bt_start) {
43183 state = sb_bt_ignore;
43184 - atomic_inc(&oprofile_stats.bt_lost_no_mapping);
43185 + atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping);
43189 diff --git a/drivers/oprofile/event_buffer.c b/drivers/oprofile/event_buffer.c
43190 index c0cc4e7..44d4e54 100644
43191 --- a/drivers/oprofile/event_buffer.c
43192 +++ b/drivers/oprofile/event_buffer.c
43193 @@ -53,7 +53,7 @@ void add_event_entry(unsigned long value)
43196 if (buffer_pos == buffer_size) {
43197 - atomic_inc(&oprofile_stats.event_lost_overflow);
43198 + atomic_inc_unchecked(&oprofile_stats.event_lost_overflow);
43202 diff --git a/drivers/oprofile/oprof.c b/drivers/oprofile/oprof.c
43203 index ed2c3ec..deda85a 100644
43204 --- a/drivers/oprofile/oprof.c
43205 +++ b/drivers/oprofile/oprof.c
43206 @@ -110,7 +110,7 @@ static void switch_worker(struct work_struct *work)
43207 if (oprofile_ops.switch_events())
43210 - atomic_inc(&oprofile_stats.multiplex_counter);
43211 + atomic_inc_unchecked(&oprofile_stats.multiplex_counter);
43212 start_switch_worker();
43215 diff --git a/drivers/oprofile/oprofile_files.c b/drivers/oprofile/oprofile_files.c
43216 index 84a208d..d61b0a1 100644
43217 --- a/drivers/oprofile/oprofile_files.c
43218 +++ b/drivers/oprofile/oprofile_files.c
43219 @@ -27,7 +27,7 @@ unsigned long oprofile_time_slice;
43221 #ifdef CONFIG_OPROFILE_EVENT_MULTIPLEX
43223 -static ssize_t timeout_read(struct file *file, char __user *buf,
43224 +static ssize_t __intentional_overflow(-1) timeout_read(struct file *file, char __user *buf,
43225 size_t count, loff_t *offset)
43227 return oprofilefs_ulong_to_user(jiffies_to_msecs(oprofile_time_slice),
43228 diff --git a/drivers/oprofile/oprofile_stats.c b/drivers/oprofile/oprofile_stats.c
43229 index 917d28e..d62d981 100644
43230 --- a/drivers/oprofile/oprofile_stats.c
43231 +++ b/drivers/oprofile/oprofile_stats.c
43232 @@ -30,11 +30,11 @@ void oprofile_reset_stats(void)
43233 cpu_buf->sample_invalid_eip = 0;
43236 - atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
43237 - atomic_set(&oprofile_stats.sample_lost_no_mapping, 0);
43238 - atomic_set(&oprofile_stats.event_lost_overflow, 0);
43239 - atomic_set(&oprofile_stats.bt_lost_no_mapping, 0);
43240 - atomic_set(&oprofile_stats.multiplex_counter, 0);
43241 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0);
43242 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0);
43243 + atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0);
43244 + atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0);
43245 + atomic_set_unchecked(&oprofile_stats.multiplex_counter, 0);
43249 diff --git a/drivers/oprofile/oprofile_stats.h b/drivers/oprofile/oprofile_stats.h
43250 index 38b6fc0..b5cbfce 100644
43251 --- a/drivers/oprofile/oprofile_stats.h
43252 +++ b/drivers/oprofile/oprofile_stats.h
43253 @@ -13,11 +13,11 @@
43254 #include <linux/atomic.h>
43256 struct oprofile_stat_struct {
43257 - atomic_t sample_lost_no_mm;
43258 - atomic_t sample_lost_no_mapping;
43259 - atomic_t bt_lost_no_mapping;
43260 - atomic_t event_lost_overflow;
43261 - atomic_t multiplex_counter;
43262 + atomic_unchecked_t sample_lost_no_mm;
43263 + atomic_unchecked_t sample_lost_no_mapping;
43264 + atomic_unchecked_t bt_lost_no_mapping;
43265 + atomic_unchecked_t event_lost_overflow;
43266 + atomic_unchecked_t multiplex_counter;
43269 extern struct oprofile_stat_struct oprofile_stats;
43270 diff --git a/drivers/oprofile/oprofilefs.c b/drivers/oprofile/oprofilefs.c
43271 index 7c12d9c..558bf3bb 100644
43272 --- a/drivers/oprofile/oprofilefs.c
43273 +++ b/drivers/oprofile/oprofilefs.c
43274 @@ -190,7 +190,7 @@ static const struct file_operations atomic_ro_fops = {
43277 int oprofilefs_create_ro_atomic(struct super_block *sb, struct dentry *root,
43278 - char const *name, atomic_t *val)
43279 + char const *name, atomic_unchecked_t *val)
43281 return __oprofilefs_create_file(sb, root, name,
43282 &atomic_ro_fops, 0444, val);
43283 diff --git a/drivers/oprofile/timer_int.c b/drivers/oprofile/timer_int.c
43284 index 93404f7..4a313d8 100644
43285 --- a/drivers/oprofile/timer_int.c
43286 +++ b/drivers/oprofile/timer_int.c
43287 @@ -93,7 +93,7 @@ static int __cpuinit oprofile_cpu_notify(struct notifier_block *self,
43291 -static struct notifier_block __refdata oprofile_cpu_notifier = {
43292 +static struct notifier_block oprofile_cpu_notifier = {
43293 .notifier_call = oprofile_cpu_notify,
43296 diff --git a/drivers/parport/procfs.c b/drivers/parport/procfs.c
43297 index 92ed045..62d39bd7 100644
43298 --- a/drivers/parport/procfs.c
43299 +++ b/drivers/parport/procfs.c
43300 @@ -64,7 +64,7 @@ static int do_active_device(ctl_table *table, int write,
43304 - return copy_to_user(result, buffer, len) ? -EFAULT : 0;
43305 + return (len > sizeof buffer || copy_to_user(result, buffer, len)) ? -EFAULT : 0;
43308 #ifdef CONFIG_PARPORT_1284
43309 @@ -106,7 +106,7 @@ static int do_autoprobe(ctl_table *table, int write,
43313 - return copy_to_user (result, buffer, len) ? -EFAULT : 0;
43314 + return (len > sizeof buffer || copy_to_user (result, buffer, len)) ? -EFAULT : 0;
43316 #endif /* IEEE1284.3 support. */
43318 diff --git a/drivers/pci/hotplug/acpiphp_ibm.c b/drivers/pci/hotplug/acpiphp_ibm.c
43319 index c35e8ad..fc33beb 100644
43320 --- a/drivers/pci/hotplug/acpiphp_ibm.c
43321 +++ b/drivers/pci/hotplug/acpiphp_ibm.c
43322 @@ -464,7 +464,9 @@ static int __init ibm_acpiphp_init(void)
43326 - ibm_apci_table_attr.size = ibm_get_table_from_acpi(NULL);
43327 + pax_open_kernel();
43328 + *(size_t *)&ibm_apci_table_attr.size = ibm_get_table_from_acpi(NULL);
43329 + pax_close_kernel();
43330 retval = sysfs_create_bin_file(sysdir, &ibm_apci_table_attr);
43333 diff --git a/drivers/pci/hotplug/cpcihp_generic.c b/drivers/pci/hotplug/cpcihp_generic.c
43334 index a6a71c4..c91097b 100644
43335 --- a/drivers/pci/hotplug/cpcihp_generic.c
43336 +++ b/drivers/pci/hotplug/cpcihp_generic.c
43337 @@ -73,7 +73,6 @@ static u16 port;
43338 static unsigned int enum_bit;
43339 static u8 enum_mask;
43341 -static struct cpci_hp_controller_ops generic_hpc_ops;
43342 static struct cpci_hp_controller generic_hpc;
43344 static int __init validate_parameters(void)
43345 @@ -139,6 +138,10 @@ static int query_enum(void)
43346 return ((value & enum_mask) == enum_mask);
43349 +static struct cpci_hp_controller_ops generic_hpc_ops = {
43350 + .query_enum = query_enum,
43353 static int __init cpcihp_generic_init(void)
43356 @@ -165,7 +168,6 @@ static int __init cpcihp_generic_init(void)
43359 memset(&generic_hpc, 0, sizeof (struct cpci_hp_controller));
43360 - generic_hpc_ops.query_enum = query_enum;
43361 generic_hpc.ops = &generic_hpc_ops;
43363 status = cpci_hp_register_controller(&generic_hpc);
43364 diff --git a/drivers/pci/hotplug/cpcihp_zt5550.c b/drivers/pci/hotplug/cpcihp_zt5550.c
43365 index 449b4bb..257e2e8 100644
43366 --- a/drivers/pci/hotplug/cpcihp_zt5550.c
43367 +++ b/drivers/pci/hotplug/cpcihp_zt5550.c
43369 /* local variables */
43372 -static struct cpci_hp_controller_ops zt5550_hpc_ops;
43373 static struct cpci_hp_controller zt5550_hpc;
43375 /* Primary cPCI bus bridge device */
43376 @@ -205,6 +204,10 @@ static int zt5550_hc_disable_irq(void)
43380 +static struct cpci_hp_controller_ops zt5550_hpc_ops = {
43381 + .query_enum = zt5550_hc_query_enum,
43384 static int zt5550_hc_init_one (struct pci_dev *pdev, const struct pci_device_id *ent)
43387 @@ -216,16 +219,17 @@ static int zt5550_hc_init_one (struct pci_dev *pdev, const struct pci_device_id
43388 dbg("returned from zt5550_hc_config");
43390 memset(&zt5550_hpc, 0, sizeof (struct cpci_hp_controller));
43391 - zt5550_hpc_ops.query_enum = zt5550_hc_query_enum;
43392 zt5550_hpc.ops = &zt5550_hpc_ops;
43394 zt5550_hpc.irq = hc_dev->irq;
43395 zt5550_hpc.irq_flags = IRQF_SHARED;
43396 zt5550_hpc.dev_id = hc_dev;
43398 - zt5550_hpc_ops.enable_irq = zt5550_hc_enable_irq;
43399 - zt5550_hpc_ops.disable_irq = zt5550_hc_disable_irq;
43400 - zt5550_hpc_ops.check_irq = zt5550_hc_check_irq;
43401 + pax_open_kernel();
43402 + *(void **)&zt5550_hpc_ops.enable_irq = zt5550_hc_enable_irq;
43403 + *(void **)&zt5550_hpc_ops.disable_irq = zt5550_hc_disable_irq;
43404 + *(void **)&zt5550_hpc_ops.check_irq = zt5550_hc_check_irq;
43405 + pax_open_kernel();
43407 info("using ENUM# polling mode");
43409 diff --git a/drivers/pci/hotplug/cpqphp_nvram.c b/drivers/pci/hotplug/cpqphp_nvram.c
43410 index 76ba8a1..20ca857 100644
43411 --- a/drivers/pci/hotplug/cpqphp_nvram.c
43412 +++ b/drivers/pci/hotplug/cpqphp_nvram.c
43413 @@ -428,9 +428,13 @@ static u32 store_HRT (void __iomem *rom_start)
43415 void compaq_nvram_init (void __iomem *rom_start)
43418 +#ifndef CONFIG_PAX_KERNEXEC
43420 compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
43424 dbg("int15 entry = %p\n", compaq_int15_entry_point);
43426 /* initialize our int15 lock */
43427 diff --git a/drivers/pci/hotplug/pci_hotplug_core.c b/drivers/pci/hotplug/pci_hotplug_core.c
43428 index ec20f74..c1d961e 100644
43429 --- a/drivers/pci/hotplug/pci_hotplug_core.c
43430 +++ b/drivers/pci/hotplug/pci_hotplug_core.c
43431 @@ -441,8 +441,10 @@ int __pci_hp_register(struct hotplug_slot *slot, struct pci_bus *bus,
43435 - slot->ops->owner = owner;
43436 - slot->ops->mod_name = mod_name;
43437 + pax_open_kernel();
43438 + *(struct module **)&slot->ops->owner = owner;
43439 + *(const char **)&slot->ops->mod_name = mod_name;
43440 + pax_close_kernel();
43442 mutex_lock(&pci_hp_mutex);
43444 diff --git a/drivers/pci/hotplug/pciehp_core.c b/drivers/pci/hotplug/pciehp_core.c
43445 index 7d72c5e..edce02c 100644
43446 --- a/drivers/pci/hotplug/pciehp_core.c
43447 +++ b/drivers/pci/hotplug/pciehp_core.c
43448 @@ -91,7 +91,7 @@ static int init_slot(struct controller *ctrl)
43449 struct slot *slot = ctrl->slot;
43450 struct hotplug_slot *hotplug = NULL;
43451 struct hotplug_slot_info *info = NULL;
43452 - struct hotplug_slot_ops *ops = NULL;
43453 + hotplug_slot_ops_no_const *ops = NULL;
43454 char name[SLOT_NAME_SIZE];
43455 int retval = -ENOMEM;
43457 diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
43458 index 5b4a9d9..cd5ac1f 100644
43459 --- a/drivers/pci/pci-sysfs.c
43460 +++ b/drivers/pci/pci-sysfs.c
43461 @@ -1071,7 +1071,7 @@ static int pci_create_attr(struct pci_dev *pdev, int num, int write_combine)
43463 /* allocate attribute structure, piggyback attribute name */
43464 int name_len = write_combine ? 13 : 10;
43465 - struct bin_attribute *res_attr;
43466 + bin_attribute_no_const *res_attr;
43469 res_attr = kzalloc(sizeof(*res_attr) + name_len, GFP_ATOMIC);
43470 @@ -1256,7 +1256,7 @@ static struct device_attribute reset_attr = __ATTR(reset, 0200, NULL, reset_stor
43471 static int pci_create_capabilities_sysfs(struct pci_dev *dev)
43474 - struct bin_attribute *attr;
43475 + bin_attribute_no_const *attr;
43477 /* If the device has VPD, try to expose it in sysfs. */
43479 @@ -1303,7 +1303,7 @@ int __must_check pci_create_sysfs_dev_files (struct pci_dev *pdev)
43483 - struct bin_attribute *attr;
43484 + bin_attribute_no_const *attr;
43486 if (!sysfs_initialized)
43488 diff --git a/drivers/pci/pci.h b/drivers/pci/pci.h
43489 index d1182c4..2a138ec 100644
43490 --- a/drivers/pci/pci.h
43491 +++ b/drivers/pci/pci.h
43492 @@ -92,7 +92,7 @@ struct pci_vpd_ops {
43495 const struct pci_vpd_ops *ops;
43496 - struct bin_attribute *attr; /* descriptor for sysfs VPD entry */
43497 + bin_attribute_no_const *attr; /* descriptor for sysfs VPD entry */
43500 int pci_vpd_pci22_init(struct pci_dev *dev);
43501 diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c
43502 index d320df6..ca9a8f6 100644
43503 --- a/drivers/pci/pcie/aspm.c
43504 +++ b/drivers/pci/pcie/aspm.c
43506 #define MODULE_PARAM_PREFIX "pcie_aspm."
43508 /* Note: those are not register definitions */
43509 -#define ASPM_STATE_L0S_UP (1) /* Upstream direction L0s state */
43510 -#define ASPM_STATE_L0S_DW (2) /* Downstream direction L0s state */
43511 -#define ASPM_STATE_L1 (4) /* L1 state */
43512 +#define ASPM_STATE_L0S_UP (1U) /* Upstream direction L0s state */
43513 +#define ASPM_STATE_L0S_DW (2U) /* Downstream direction L0s state */
43514 +#define ASPM_STATE_L1 (4U) /* L1 state */
43515 #define ASPM_STATE_L0S (ASPM_STATE_L0S_UP | ASPM_STATE_L0S_DW)
43516 #define ASPM_STATE_ALL (ASPM_STATE_L0S | ASPM_STATE_L1)
43518 diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
43519 index ea37072..10e58e56 100644
43520 --- a/drivers/pci/probe.c
43521 +++ b/drivers/pci/probe.c
43522 @@ -173,7 +173,7 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type,
43523 struct pci_bus_region region;
43524 bool bar_too_big = false, bar_disabled = false;
43526 - mask = type ? PCI_ROM_ADDRESS_MASK : ~0;
43527 + mask = type ? (u32)PCI_ROM_ADDRESS_MASK : ~0;
43529 /* No printks while decoding is disabled! */
43530 if (!dev->mmio_always_on) {
43531 diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
43532 index 0812608..b04018c4 100644
43533 --- a/drivers/pci/proc.c
43534 +++ b/drivers/pci/proc.c
43535 @@ -453,7 +453,16 @@ static const struct file_operations proc_bus_pci_dev_operations = {
43536 static int __init pci_proc_init(void)
43538 struct pci_dev *dev = NULL;
43540 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
43541 +#ifdef CONFIG_GRKERNSEC_PROC_USER
43542 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
43543 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
43544 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
43547 proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
43549 proc_create("devices", 0, proc_bus_pci_dir,
43550 &proc_bus_pci_dev_operations);
43551 proc_initialized = 1;
43552 diff --git a/drivers/platform/x86/chromeos_laptop.c b/drivers/platform/x86/chromeos_laptop.c
43553 index 3e5b4497..dcdfb70 100644
43554 --- a/drivers/platform/x86/chromeos_laptop.c
43555 +++ b/drivers/platform/x86/chromeos_laptop.c
43556 @@ -301,7 +301,7 @@ static int __init setup_tsl2563_als(const struct dmi_system_id *id)
43560 -static struct dmi_system_id __initdata chromeos_laptop_dmi_table[] = {
43561 +static struct dmi_system_id __initconst chromeos_laptop_dmi_table[] = {
43563 .ident = "Samsung Series 5 550 - Touchpad",
43565 diff --git a/drivers/platform/x86/msi-laptop.c b/drivers/platform/x86/msi-laptop.c
43566 index 6b22938..bc9700e 100644
43567 --- a/drivers/platform/x86/msi-laptop.c
43568 +++ b/drivers/platform/x86/msi-laptop.c
43569 @@ -1000,12 +1000,14 @@ static int __init load_scm_model_init(struct platform_device *sdev)
43571 if (!quirks->ec_read_only) {
43572 /* allow userland write sysfs file */
43573 - dev_attr_bluetooth.store = store_bluetooth;
43574 - dev_attr_wlan.store = store_wlan;
43575 - dev_attr_threeg.store = store_threeg;
43576 - dev_attr_bluetooth.attr.mode |= S_IWUSR;
43577 - dev_attr_wlan.attr.mode |= S_IWUSR;
43578 - dev_attr_threeg.attr.mode |= S_IWUSR;
43579 + pax_open_kernel();
43580 + *(void **)&dev_attr_bluetooth.store = store_bluetooth;
43581 + *(void **)&dev_attr_wlan.store = store_wlan;
43582 + *(void **)&dev_attr_threeg.store = store_threeg;
43583 + *(umode_t *)&dev_attr_bluetooth.attr.mode |= S_IWUSR;
43584 + *(umode_t *)&dev_attr_wlan.attr.mode |= S_IWUSR;
43585 + *(umode_t *)&dev_attr_threeg.attr.mode |= S_IWUSR;
43586 + pax_close_kernel();
43589 /* disable hardware control by fn key */
43590 diff --git a/drivers/platform/x86/sony-laptop.c b/drivers/platform/x86/sony-laptop.c
43591 index 2ac045f..39c443d 100644
43592 --- a/drivers/platform/x86/sony-laptop.c
43593 +++ b/drivers/platform/x86/sony-laptop.c
43594 @@ -2483,7 +2483,7 @@ static void sony_nc_gfx_switch_cleanup(struct platform_device *pd)
43597 /* High speed charging function */
43598 -static struct device_attribute *hsc_handle;
43599 +static device_attribute_no_const *hsc_handle;
43601 static ssize_t sony_nc_highspeed_charging_store(struct device *dev,
43602 struct device_attribute *attr,
43603 diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c
43604 index 54d31c0..3f896d3 100644
43605 --- a/drivers/platform/x86/thinkpad_acpi.c
43606 +++ b/drivers/platform/x86/thinkpad_acpi.c
43607 @@ -2093,7 +2093,7 @@ static int hotkey_mask_get(void)
43611 -void static hotkey_mask_warn_incomplete_mask(void)
43612 +static void hotkey_mask_warn_incomplete_mask(void)
43614 /* log only what the user can fix... */
43615 const u32 wantedmask = hotkey_driver_mask &
43616 @@ -2324,11 +2324,6 @@ static void hotkey_read_nvram(struct tp_nvram_state *n, const u32 m)
43620 -static void hotkey_compare_and_issue_event(struct tp_nvram_state *oldn,
43621 - struct tp_nvram_state *newn,
43622 - const u32 event_mask)
43625 #define TPACPI_COMPARE_KEY(__scancode, __member) \
43627 if ((event_mask & (1 << __scancode)) && \
43628 @@ -2342,36 +2337,42 @@ static void hotkey_compare_and_issue_event(struct tp_nvram_state *oldn,
43629 tpacpi_hotkey_send_key(__scancode); \
43632 - void issue_volchange(const unsigned int oldvol,
43633 - const unsigned int newvol)
43635 - unsigned int i = oldvol;
43636 +static void issue_volchange(const unsigned int oldvol,
43637 + const unsigned int newvol,
43638 + const u32 event_mask)
43640 + unsigned int i = oldvol;
43642 - while (i > newvol) {
43643 - TPACPI_MAY_SEND_KEY(TP_ACPI_HOTKEYSCAN_VOLUMEDOWN);
43646 - while (i < newvol) {
43647 - TPACPI_MAY_SEND_KEY(TP_ACPI_HOTKEYSCAN_VOLUMEUP);
43650 + while (i > newvol) {
43651 + TPACPI_MAY_SEND_KEY(TP_ACPI_HOTKEYSCAN_VOLUMEDOWN);
43654 + while (i < newvol) {
43655 + TPACPI_MAY_SEND_KEY(TP_ACPI_HOTKEYSCAN_VOLUMEUP);
43660 - void issue_brightnesschange(const unsigned int oldbrt,
43661 - const unsigned int newbrt)
43663 - unsigned int i = oldbrt;
43664 +static void issue_brightnesschange(const unsigned int oldbrt,
43665 + const unsigned int newbrt,
43666 + const u32 event_mask)
43668 + unsigned int i = oldbrt;
43670 - while (i > newbrt) {
43671 - TPACPI_MAY_SEND_KEY(TP_ACPI_HOTKEYSCAN_FNEND);
43674 - while (i < newbrt) {
43675 - TPACPI_MAY_SEND_KEY(TP_ACPI_HOTKEYSCAN_FNHOME);
43678 + while (i > newbrt) {
43679 + TPACPI_MAY_SEND_KEY(TP_ACPI_HOTKEYSCAN_FNEND);
43682 + while (i < newbrt) {
43683 + TPACPI_MAY_SEND_KEY(TP_ACPI_HOTKEYSCAN_FNHOME);
43688 +static void hotkey_compare_and_issue_event(struct tp_nvram_state *oldn,
43689 + struct tp_nvram_state *newn,
43690 + const u32 event_mask)
43692 TPACPI_COMPARE_KEY(TP_ACPI_HOTKEYSCAN_THINKPAD, thinkpad_toggle);
43693 TPACPI_COMPARE_KEY(TP_ACPI_HOTKEYSCAN_FNSPACE, zoom_toggle);
43694 TPACPI_COMPARE_KEY(TP_ACPI_HOTKEYSCAN_FNF7, display_toggle);
43695 @@ -2405,7 +2406,7 @@ static void hotkey_compare_and_issue_event(struct tp_nvram_state *oldn,
43696 oldn->volume_level != newn->volume_level) {
43697 /* recently muted, or repeated mute keypress, or
43698 * multiple presses ending in mute */
43699 - issue_volchange(oldn->volume_level, newn->volume_level);
43700 + issue_volchange(oldn->volume_level, newn->volume_level, event_mask);
43701 TPACPI_MAY_SEND_KEY(TP_ACPI_HOTKEYSCAN_MUTE);
43704 @@ -2415,7 +2416,7 @@ static void hotkey_compare_and_issue_event(struct tp_nvram_state *oldn,
43705 TPACPI_MAY_SEND_KEY(TP_ACPI_HOTKEYSCAN_VOLUMEUP);
43707 if (oldn->volume_level != newn->volume_level) {
43708 - issue_volchange(oldn->volume_level, newn->volume_level);
43709 + issue_volchange(oldn->volume_level, newn->volume_level, event_mask);
43710 } else if (oldn->volume_toggle != newn->volume_toggle) {
43711 /* repeated vol up/down keypress at end of scale ? */
43712 if (newn->volume_level == 0)
43713 @@ -2428,7 +2429,8 @@ static void hotkey_compare_and_issue_event(struct tp_nvram_state *oldn,
43714 /* handle brightness */
43715 if (oldn->brightness_level != newn->brightness_level) {
43716 issue_brightnesschange(oldn->brightness_level,
43717 - newn->brightness_level);
43718 + newn->brightness_level,
43720 } else if (oldn->brightness_toggle != newn->brightness_toggle) {
43721 /* repeated key presses that didn't change state */
43722 if (newn->brightness_level == 0)
43723 @@ -2437,10 +2439,10 @@ static void hotkey_compare_and_issue_event(struct tp_nvram_state *oldn,
43724 && !tp_features.bright_unkfw)
43725 TPACPI_MAY_SEND_KEY(TP_ACPI_HOTKEYSCAN_FNHOME);
43729 #undef TPACPI_COMPARE_KEY
43730 #undef TPACPI_MAY_SEND_KEY
43735 diff --git a/drivers/pnp/pnpbios/bioscalls.c b/drivers/pnp/pnpbios/bioscalls.c
43736 index 769d265..a3a05ca 100644
43737 --- a/drivers/pnp/pnpbios/bioscalls.c
43738 +++ b/drivers/pnp/pnpbios/bioscalls.c
43739 @@ -58,7 +58,7 @@ do { \
43740 set_desc_limit(&gdt[(selname) >> 3], (size) - 1); \
43743 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
43744 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
43745 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
43748 @@ -95,7 +95,10 @@ static inline u16 call_pnp_bios(u16 func, u16 arg1, u16 arg2, u16 arg3,
43751 save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
43753 + pax_open_kernel();
43754 get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
43755 + pax_close_kernel();
43757 /* On some boxes IRQ's during PnP BIOS calls are deadly. */
43758 spin_lock_irqsave(&pnp_bios_lock, flags);
43759 @@ -133,7 +136,10 @@ static inline u16 call_pnp_bios(u16 func, u16 arg1, u16 arg2, u16 arg3,
43761 spin_unlock_irqrestore(&pnp_bios_lock, flags);
43763 + pax_open_kernel();
43764 get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
43765 + pax_close_kernel();
43769 /* If we get here and this is set then the PnP BIOS faulted on us. */
43770 @@ -467,7 +473,7 @@ int pnp_bios_read_escd(char *data, u32 nvram_base)
43774 -void pnpbios_calls_init(union pnp_bios_install_struct *header)
43775 +void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
43779 @@ -475,6 +481,8 @@ void pnpbios_calls_init(union pnp_bios_install_struct *header)
43780 pnp_bios_callpoint.offset = header->fields.pm16offset;
43781 pnp_bios_callpoint.segment = PNP_CS16;
43783 + pax_open_kernel();
43785 for_each_possible_cpu(i) {
43786 struct desc_struct *gdt = get_cpu_gdt_table(i);
43788 @@ -486,4 +494,6 @@ void pnpbios_calls_init(union pnp_bios_install_struct *header)
43789 set_desc_base(&gdt[GDT_ENTRY_PNPBIOS_DS],
43790 (unsigned long)__va(header->fields.pm16dseg));
43793 + pax_close_kernel();
43795 diff --git a/drivers/pnp/resource.c b/drivers/pnp/resource.c
43796 index 3e6db1c..1fbbdae 100644
43797 --- a/drivers/pnp/resource.c
43798 +++ b/drivers/pnp/resource.c
43799 @@ -360,7 +360,7 @@ int pnp_check_irq(struct pnp_dev *dev, struct resource *res)
43802 /* check if the resource is valid */
43803 - if (*irq < 0 || *irq > 15)
43807 /* check if the resource is reserved */
43808 @@ -424,7 +424,7 @@ int pnp_check_dma(struct pnp_dev *dev, struct resource *res)
43811 /* check if the resource is valid */
43812 - if (*dma < 0 || *dma == 4 || *dma > 7)
43813 + if (*dma == 4 || *dma > 7)
43816 /* check if the resource is reserved */
43817 diff --git a/drivers/power/pda_power.c b/drivers/power/pda_power.c
43818 index 0c52e2a..3421ab7 100644
43819 --- a/drivers/power/pda_power.c
43820 +++ b/drivers/power/pda_power.c
43821 @@ -37,7 +37,11 @@ static int polling;
43823 #if IS_ENABLED(CONFIG_USB_PHY)
43824 static struct usb_phy *transceiver;
43825 -static struct notifier_block otg_nb;
43826 +static int otg_handle_notification(struct notifier_block *nb,
43827 + unsigned long event, void *unused);
43828 +static struct notifier_block otg_nb = {
43829 + .notifier_call = otg_handle_notification
43833 static struct regulator *ac_draw;
43834 @@ -369,7 +373,6 @@ static int pda_power_probe(struct platform_device *pdev)
43836 #if IS_ENABLED(CONFIG_USB_PHY)
43837 if (!IS_ERR_OR_NULL(transceiver) && pdata->use_otg_notifier) {
43838 - otg_nb.notifier_call = otg_handle_notification;
43839 ret = usb_register_notifier(transceiver, &otg_nb);
43841 dev_err(dev, "failure to register otg notifier\n");
43842 diff --git a/drivers/power/power_supply.h b/drivers/power/power_supply.h
43843 index cc439fd..8fa30df 100644
43844 --- a/drivers/power/power_supply.h
43845 +++ b/drivers/power/power_supply.h
43846 @@ -16,12 +16,12 @@ struct power_supply;
43848 #ifdef CONFIG_SYSFS
43850 -extern void power_supply_init_attrs(struct device_type *dev_type);
43851 +extern void power_supply_init_attrs(void);
43852 extern int power_supply_uevent(struct device *dev, struct kobj_uevent_env *env);
43856 -static inline void power_supply_init_attrs(struct device_type *dev_type) {}
43857 +static inline void power_supply_init_attrs(void) {}
43858 #define power_supply_uevent NULL
43860 #endif /* CONFIG_SYSFS */
43861 diff --git a/drivers/power/power_supply_core.c b/drivers/power/power_supply_core.c
43862 index 1c517c3..ffa2f17 100644
43863 --- a/drivers/power/power_supply_core.c
43864 +++ b/drivers/power/power_supply_core.c
43866 struct class *power_supply_class;
43867 EXPORT_SYMBOL_GPL(power_supply_class);
43869 -static struct device_type power_supply_dev_type;
43870 +extern const struct attribute_group *power_supply_attr_groups[];
43871 +static struct device_type power_supply_dev_type = {
43872 + .groups = power_supply_attr_groups,
43875 static bool __power_supply_is_supplied_by(struct power_supply *supplier,
43876 struct power_supply *supply)
43877 @@ -554,7 +557,7 @@ static int __init power_supply_class_init(void)
43878 return PTR_ERR(power_supply_class);
43880 power_supply_class->dev_uevent = power_supply_uevent;
43881 - power_supply_init_attrs(&power_supply_dev_type);
43882 + power_supply_init_attrs();
43886 diff --git a/drivers/power/power_supply_sysfs.c b/drivers/power/power_supply_sysfs.c
43887 index 29178f7..c65f324 100644
43888 --- a/drivers/power/power_supply_sysfs.c
43889 +++ b/drivers/power/power_supply_sysfs.c
43890 @@ -230,17 +230,15 @@ static struct attribute_group power_supply_attr_group = {
43891 .is_visible = power_supply_attr_is_visible,
43894 -static const struct attribute_group *power_supply_attr_groups[] = {
43895 +const struct attribute_group *power_supply_attr_groups[] = {
43896 &power_supply_attr_group,
43900 -void power_supply_init_attrs(struct device_type *dev_type)
43901 +void power_supply_init_attrs(void)
43905 - dev_type->groups = power_supply_attr_groups;
43907 for (i = 0; i < ARRAY_SIZE(power_supply_attrs); i++)
43908 __power_supply_attrs[i] = &power_supply_attrs[i].attr;
43910 diff --git a/drivers/regulator/max8660.c b/drivers/regulator/max8660.c
43911 index d428ef9..fdc0357 100644
43912 --- a/drivers/regulator/max8660.c
43913 +++ b/drivers/regulator/max8660.c
43914 @@ -333,8 +333,10 @@ static int max8660_probe(struct i2c_client *client,
43915 max8660->shadow_regs[MAX8660_OVER1] = 5;
43917 /* Otherwise devices can be toggled via software */
43918 - max8660_dcdc_ops.enable = max8660_dcdc_enable;
43919 - max8660_dcdc_ops.disable = max8660_dcdc_disable;
43920 + pax_open_kernel();
43921 + *(void **)&max8660_dcdc_ops.enable = max8660_dcdc_enable;
43922 + *(void **)&max8660_dcdc_ops.disable = max8660_dcdc_disable;
43923 + pax_close_kernel();
43927 diff --git a/drivers/regulator/max8973-regulator.c b/drivers/regulator/max8973-regulator.c
43928 index adb1414..c13e0ce 100644
43929 --- a/drivers/regulator/max8973-regulator.c
43930 +++ b/drivers/regulator/max8973-regulator.c
43931 @@ -401,9 +401,11 @@ static int max8973_probe(struct i2c_client *client,
43932 if (!pdata->enable_ext_control) {
43933 max->desc.enable_reg = MAX8973_VOUT;
43934 max->desc.enable_mask = MAX8973_VOUT_ENABLE;
43935 - max8973_dcdc_ops.enable = regulator_enable_regmap;
43936 - max8973_dcdc_ops.disable = regulator_disable_regmap;
43937 - max8973_dcdc_ops.is_enabled = regulator_is_enabled_regmap;
43938 + pax_open_kernel();
43939 + *(void **)&max8973_dcdc_ops.enable = regulator_enable_regmap;
43940 + *(void **)&max8973_dcdc_ops.disable = regulator_disable_regmap;
43941 + *(void **)&max8973_dcdc_ops.is_enabled = regulator_is_enabled_regmap;
43942 + pax_close_kernel();
43945 max->enable_external_control = pdata->enable_ext_control;
43946 diff --git a/drivers/regulator/mc13892-regulator.c b/drivers/regulator/mc13892-regulator.c
43947 index b716283..3cc4349 100644
43948 --- a/drivers/regulator/mc13892-regulator.c
43949 +++ b/drivers/regulator/mc13892-regulator.c
43950 @@ -582,10 +582,12 @@ static int mc13892_regulator_probe(struct platform_device *pdev)
43952 mc13xxx_unlock(mc13892);
43954 - mc13892_regulators[MC13892_VCAM].desc.ops->set_mode
43955 + pax_open_kernel();
43956 + *(void **)&mc13892_regulators[MC13892_VCAM].desc.ops->set_mode
43957 = mc13892_vcam_set_mode;
43958 - mc13892_regulators[MC13892_VCAM].desc.ops->get_mode
43959 + *(void **)&mc13892_regulators[MC13892_VCAM].desc.ops->get_mode
43960 = mc13892_vcam_get_mode;
43961 + pax_close_kernel();
43963 mc13xxx_data = mc13xxx_parse_regulators_dt(pdev, mc13892_regulators,
43964 ARRAY_SIZE(mc13892_regulators));
43965 diff --git a/drivers/rtc/rtc-cmos.c b/drivers/rtc/rtc-cmos.c
43966 index f1cb706..4c7832a 100644
43967 --- a/drivers/rtc/rtc-cmos.c
43968 +++ b/drivers/rtc/rtc-cmos.c
43969 @@ -724,7 +724,9 @@ cmos_do_probe(struct device *dev, struct resource *ports, int rtc_irq)
43970 hpet_rtc_timer_init();
43972 /* export at least the first block of NVRAM */
43973 - nvram.size = address_space - NVRAM_OFFSET;
43974 + pax_open_kernel();
43975 + *(size_t *)&nvram.size = address_space - NVRAM_OFFSET;
43976 + pax_close_kernel();
43977 retval = sysfs_create_bin_file(&dev->kobj, &nvram);
43979 dev_dbg(dev, "can't create nvram file? %d\n", retval);
43980 diff --git a/drivers/rtc/rtc-dev.c b/drivers/rtc/rtc-dev.c
43981 index d049393..bb20be0 100644
43982 --- a/drivers/rtc/rtc-dev.c
43983 +++ b/drivers/rtc/rtc-dev.c
43985 #include <linux/module.h>
43986 #include <linux/rtc.h>
43987 #include <linux/sched.h>
43988 +#include <linux/grsecurity.h>
43989 #include "rtc-core.h"
43991 static dev_t rtc_devt;
43992 @@ -347,6 +348,8 @@ static long rtc_dev_ioctl(struct file *file,
43993 if (copy_from_user(&tm, uarg, sizeof(tm)))
43996 + gr_log_timechange();
43998 return rtc_set_time(rtc, &tm);
44001 diff --git a/drivers/rtc/rtc-ds1307.c b/drivers/rtc/rtc-ds1307.c
44002 index b53992a..776df84 100644
44003 --- a/drivers/rtc/rtc-ds1307.c
44004 +++ b/drivers/rtc/rtc-ds1307.c
44005 @@ -107,7 +107,7 @@ struct ds1307 {
44006 u8 offset; /* register's offset */
44009 - struct bin_attribute *nvram;
44010 + bin_attribute_no_const *nvram;
44012 unsigned long flags;
44013 #define HAS_NVRAM 0 /* bit 0 == sysfs file active */
44014 diff --git a/drivers/rtc/rtc-m48t59.c b/drivers/rtc/rtc-m48t59.c
44015 index 130f29a..6179d03 100644
44016 --- a/drivers/rtc/rtc-m48t59.c
44017 +++ b/drivers/rtc/rtc-m48t59.c
44018 @@ -482,7 +482,9 @@ static int m48t59_rtc_probe(struct platform_device *pdev)
44022 - m48t59_nvram_attr.size = pdata->offset;
44023 + pax_open_kernel();
44024 + *(size_t *)&m48t59_nvram_attr.size = pdata->offset;
44025 + pax_close_kernel();
44027 ret = sysfs_create_bin_file(&pdev->dev.kobj, &m48t59_nvram_attr);
44029 diff --git a/drivers/scsi/bfa/bfa_fcpim.h b/drivers/scsi/bfa/bfa_fcpim.h
44030 index e693af6..2e525b6 100644
44031 --- a/drivers/scsi/bfa/bfa_fcpim.h
44032 +++ b/drivers/scsi/bfa/bfa_fcpim.h
44033 @@ -36,7 +36,7 @@ struct bfa_iotag_s {
44036 bfa_isr_func_t isr;
44040 void bfa_itn_create(struct bfa_s *bfa, struct bfa_rport_s *rport,
44041 void (*isr)(struct bfa_s *bfa, struct bfi_msg_s *m));
44042 diff --git a/drivers/scsi/bfa/bfa_ioc.h b/drivers/scsi/bfa/bfa_ioc.h
44043 index 23a90e7..9cf04ee 100644
44044 --- a/drivers/scsi/bfa/bfa_ioc.h
44045 +++ b/drivers/scsi/bfa/bfa_ioc.h
44046 @@ -258,7 +258,7 @@ struct bfa_ioc_cbfn_s {
44047 bfa_ioc_disable_cbfn_t disable_cbfn;
44048 bfa_ioc_hbfail_cbfn_t hbfail_cbfn;
44049 bfa_ioc_reset_cbfn_t reset_cbfn;
44054 * IOC event notification mechanism.
44055 @@ -346,7 +346,7 @@ struct bfa_ioc_hwif_s {
44056 void (*ioc_sync_ack) (struct bfa_ioc_s *ioc);
44057 bfa_boolean_t (*ioc_sync_complete) (struct bfa_ioc_s *ioc);
44058 bfa_boolean_t (*ioc_lpu_read_stat) (struct bfa_ioc_s *ioc);
44063 * Queue element to wait for room in request queue. FIFO order is
44064 diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
44065 index df0c3c7..b00e1d0 100644
44066 --- a/drivers/scsi/hosts.c
44067 +++ b/drivers/scsi/hosts.c
44069 #include "scsi_logging.h"
44072 -static atomic_t scsi_host_next_hn = ATOMIC_INIT(0); /* host_no for next new host */
44073 +static atomic_unchecked_t scsi_host_next_hn = ATOMIC_INIT(0); /* host_no for next new host */
44076 static void scsi_host_cls_release(struct device *dev)
44077 @@ -361,7 +361,7 @@ struct Scsi_Host *scsi_host_alloc(struct scsi_host_template *sht, int privsize)
44078 * subtract one because we increment first then return, but we need to
44079 * know what the next host number was before increment
44081 - shost->host_no = atomic_inc_return(&scsi_host_next_hn) - 1;
44082 + shost->host_no = atomic_inc_return_unchecked(&scsi_host_next_hn) - 1;
44083 shost->dma_channel = 0xff;
44085 /* These three are default values which can be overridden */
44086 diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
44087 index 7f4f790..b75b92a 100644
44088 --- a/drivers/scsi/hpsa.c
44089 +++ b/drivers/scsi/hpsa.c
44090 @@ -554,7 +554,7 @@ static inline u32 next_command(struct ctlr_info *h, u8 q)
44091 unsigned long flags;
44093 if (unlikely(!(h->transMethod & CFGTBL_Trans_Performant)))
44094 - return h->access.command_completed(h, q);
44095 + return h->access->command_completed(h, q);
44097 if ((rq->head[rq->current_entry] & 1) == rq->wraparound) {
44098 a = rq->head[rq->current_entry];
44099 @@ -3422,7 +3422,7 @@ static void start_io(struct ctlr_info *h)
44100 while (!list_empty(&h->reqQ)) {
44101 c = list_entry(h->reqQ.next, struct CommandList, list);
44102 /* can't do anything if fifo is full */
44103 - if ((h->access.fifo_full(h))) {
44104 + if ((h->access->fifo_full(h))) {
44105 dev_warn(&h->pdev->dev, "fifo full\n");
44108 @@ -3444,7 +3444,7 @@ static void start_io(struct ctlr_info *h)
44110 /* Tell the controller execute command */
44111 spin_unlock_irqrestore(&h->lock, flags);
44112 - h->access.submit_command(h, c);
44113 + h->access->submit_command(h, c);
44114 spin_lock_irqsave(&h->lock, flags);
44116 spin_unlock_irqrestore(&h->lock, flags);
44117 @@ -3452,17 +3452,17 @@ static void start_io(struct ctlr_info *h)
44119 static inline unsigned long get_next_completion(struct ctlr_info *h, u8 q)
44121 - return h->access.command_completed(h, q);
44122 + return h->access->command_completed(h, q);
44125 static inline bool interrupt_pending(struct ctlr_info *h)
44127 - return h->access.intr_pending(h);
44128 + return h->access->intr_pending(h);
44131 static inline long interrupt_not_for_us(struct ctlr_info *h)
44133 - return (h->access.intr_pending(h) == 0) ||
44134 + return (h->access->intr_pending(h) == 0) ||
44135 (h->interrupts_enabled == 0);
44138 @@ -4364,7 +4364,7 @@ static int hpsa_pci_init(struct ctlr_info *h)
44139 if (prod_index < 0)
44141 h->product_name = products[prod_index].product_name;
44142 - h->access = *(products[prod_index].access);
44143 + h->access = products[prod_index].access;
44145 pci_disable_link_state(h->pdev, PCIE_LINK_STATE_L0S |
44146 PCIE_LINK_STATE_L1 | PCIE_LINK_STATE_CLKPM);
44147 @@ -4646,7 +4646,7 @@ static void controller_lockup_detected(struct ctlr_info *h)
44149 assert_spin_locked(&lockup_detector_lock);
44150 remove_ctlr_from_lockup_detector_list(h);
44151 - h->access.set_intr_mask(h, HPSA_INTR_OFF);
44152 + h->access->set_intr_mask(h, HPSA_INTR_OFF);
44153 spin_lock_irqsave(&h->lock, flags);
44154 h->lockup_detected = readl(h->vaddr + SA5_SCRATCHPAD_OFFSET);
44155 spin_unlock_irqrestore(&h->lock, flags);
44156 @@ -4823,7 +4823,7 @@ reinit_after_soft_reset:
44159 /* make sure the board interrupts are off */
44160 - h->access.set_intr_mask(h, HPSA_INTR_OFF);
44161 + h->access->set_intr_mask(h, HPSA_INTR_OFF);
44163 if (hpsa_request_irq(h, do_hpsa_intr_msi, do_hpsa_intr_intx))
44165 @@ -4857,7 +4857,7 @@ reinit_after_soft_reset:
44166 * fake ones to scoop up any residual completions.
44168 spin_lock_irqsave(&h->lock, flags);
44169 - h->access.set_intr_mask(h, HPSA_INTR_OFF);
44170 + h->access->set_intr_mask(h, HPSA_INTR_OFF);
44171 spin_unlock_irqrestore(&h->lock, flags);
44173 rc = hpsa_request_irq(h, hpsa_msix_discard_completions,
44174 @@ -4876,9 +4876,9 @@ reinit_after_soft_reset:
44175 dev_info(&h->pdev->dev, "Board READY.\n");
44176 dev_info(&h->pdev->dev,
44177 "Waiting for stale completions to drain.\n");
44178 - h->access.set_intr_mask(h, HPSA_INTR_ON);
44179 + h->access->set_intr_mask(h, HPSA_INTR_ON);
44181 - h->access.set_intr_mask(h, HPSA_INTR_OFF);
44182 + h->access->set_intr_mask(h, HPSA_INTR_OFF);
44184 rc = controller_reset_failed(h->cfgtable);
44186 @@ -4899,7 +4899,7 @@ reinit_after_soft_reset:
44189 /* Turn the interrupts on so we can service requests */
44190 - h->access.set_intr_mask(h, HPSA_INTR_ON);
44191 + h->access->set_intr_mask(h, HPSA_INTR_ON);
44193 hpsa_hba_inquiry(h);
44194 hpsa_register_scsi(h); /* hook ourselves into SCSI subsystem */
44195 @@ -4954,7 +4954,7 @@ static void hpsa_shutdown(struct pci_dev *pdev)
44196 * To write all data in the battery backed cache to disks
44198 hpsa_flush_cache(h);
44199 - h->access.set_intr_mask(h, HPSA_INTR_OFF);
44200 + h->access->set_intr_mask(h, HPSA_INTR_OFF);
44201 hpsa_free_irqs_and_disable_msix(h);
44204 @@ -5122,7 +5122,7 @@ static void hpsa_enter_performant_mode(struct ctlr_info *h, u32 use_short_tags)
44207 /* Change the access methods to the performant access methods */
44208 - h->access = SA5_performant_access;
44209 + h->access = &SA5_performant_access;
44210 h->transMethod = CFGTBL_Trans_Performant;
44213 diff --git a/drivers/scsi/hpsa.h b/drivers/scsi/hpsa.h
44214 index 9816479..c5d4e97 100644
44215 --- a/drivers/scsi/hpsa.h
44216 +++ b/drivers/scsi/hpsa.h
44217 @@ -79,7 +79,7 @@ struct ctlr_info {
44218 unsigned int msix_vector;
44219 unsigned int msi_vector;
44220 int intr_mode; /* either PERF_MODE_INT or SIMPLE_MODE_INT */
44221 - struct access_method access;
44222 + struct access_method *access;
44224 /* queue and queue Info */
44225 struct list_head reqQ;
44226 diff --git a/drivers/scsi/libfc/fc_exch.c b/drivers/scsi/libfc/fc_exch.c
44227 index 8b928c6..9c76300 100644
44228 --- a/drivers/scsi/libfc/fc_exch.c
44229 +++ b/drivers/scsi/libfc/fc_exch.c
44230 @@ -100,12 +100,12 @@ struct fc_exch_mgr {
44231 u16 pool_max_index;
44234 - atomic_t no_free_exch;
44235 - atomic_t no_free_exch_xid;
44236 - atomic_t xid_not_found;
44237 - atomic_t xid_busy;
44238 - atomic_t seq_not_found;
44239 - atomic_t non_bls_resp;
44240 + atomic_unchecked_t no_free_exch;
44241 + atomic_unchecked_t no_free_exch_xid;
44242 + atomic_unchecked_t xid_not_found;
44243 + atomic_unchecked_t xid_busy;
44244 + atomic_unchecked_t seq_not_found;
44245 + atomic_unchecked_t non_bls_resp;
44249 @@ -736,7 +736,7 @@ static struct fc_exch *fc_exch_em_alloc(struct fc_lport *lport,
44250 /* allocate memory for exchange */
44251 ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC);
44253 - atomic_inc(&mp->stats.no_free_exch);
44254 + atomic_inc_unchecked(&mp->stats.no_free_exch);
44257 memset(ep, 0, sizeof(*ep));
44258 @@ -797,7 +797,7 @@ out:
44261 spin_unlock_bh(&pool->lock);
44262 - atomic_inc(&mp->stats.no_free_exch_xid);
44263 + atomic_inc_unchecked(&mp->stats.no_free_exch_xid);
44264 mempool_free(ep, mp->ep_pool);
44267 @@ -940,7 +940,7 @@ static enum fc_pf_rjt_reason fc_seq_lookup_recip(struct fc_lport *lport,
44268 xid = ntohs(fh->fh_ox_id); /* we originated exch */
44269 ep = fc_exch_find(mp, xid);
44271 - atomic_inc(&mp->stats.xid_not_found);
44272 + atomic_inc_unchecked(&mp->stats.xid_not_found);
44273 reject = FC_RJT_OX_ID;
44276 @@ -970,7 +970,7 @@ static enum fc_pf_rjt_reason fc_seq_lookup_recip(struct fc_lport *lport,
44277 ep = fc_exch_find(mp, xid);
44278 if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) {
44280 - atomic_inc(&mp->stats.xid_busy);
44281 + atomic_inc_unchecked(&mp->stats.xid_busy);
44282 reject = FC_RJT_RX_ID;
44285 @@ -981,7 +981,7 @@ static enum fc_pf_rjt_reason fc_seq_lookup_recip(struct fc_lport *lport,
44287 xid = ep->xid; /* get our XID */
44289 - atomic_inc(&mp->stats.xid_not_found);
44290 + atomic_inc_unchecked(&mp->stats.xid_not_found);
44291 reject = FC_RJT_RX_ID; /* XID not found */
44294 @@ -998,7 +998,7 @@ static enum fc_pf_rjt_reason fc_seq_lookup_recip(struct fc_lport *lport,
44297 if (sp->id != fh->fh_seq_id) {
44298 - atomic_inc(&mp->stats.seq_not_found);
44299 + atomic_inc_unchecked(&mp->stats.seq_not_found);
44300 if (f_ctl & FC_FC_END_SEQ) {
44302 * Update sequence_id based on incoming last
44303 @@ -1448,22 +1448,22 @@ static void fc_exch_recv_seq_resp(struct fc_exch_mgr *mp, struct fc_frame *fp)
44305 ep = fc_exch_find(mp, ntohs(fh->fh_ox_id));
44307 - atomic_inc(&mp->stats.xid_not_found);
44308 + atomic_inc_unchecked(&mp->stats.xid_not_found);
44311 if (ep->esb_stat & ESB_ST_COMPLETE) {
44312 - atomic_inc(&mp->stats.xid_not_found);
44313 + atomic_inc_unchecked(&mp->stats.xid_not_found);
44316 if (ep->rxid == FC_XID_UNKNOWN)
44317 ep->rxid = ntohs(fh->fh_rx_id);
44318 if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) {
44319 - atomic_inc(&mp->stats.xid_not_found);
44320 + atomic_inc_unchecked(&mp->stats.xid_not_found);
44323 if (ep->did != ntoh24(fh->fh_s_id) &&
44324 ep->did != FC_FID_FLOGI) {
44325 - atomic_inc(&mp->stats.xid_not_found);
44326 + atomic_inc_unchecked(&mp->stats.xid_not_found);
44330 @@ -1472,7 +1472,7 @@ static void fc_exch_recv_seq_resp(struct fc_exch_mgr *mp, struct fc_frame *fp)
44331 sp->ssb_stat |= SSB_ST_RESP;
44332 sp->id = fh->fh_seq_id;
44333 } else if (sp->id != fh->fh_seq_id) {
44334 - atomic_inc(&mp->stats.seq_not_found);
44335 + atomic_inc_unchecked(&mp->stats.seq_not_found);
44339 @@ -1536,9 +1536,9 @@ static void fc_exch_recv_resp(struct fc_exch_mgr *mp, struct fc_frame *fp)
44340 sp = fc_seq_lookup_orig(mp, fp); /* doesn't hold sequence */
44343 - atomic_inc(&mp->stats.xid_not_found);
44344 + atomic_inc_unchecked(&mp->stats.xid_not_found);
44346 - atomic_inc(&mp->stats.non_bls_resp);
44347 + atomic_inc_unchecked(&mp->stats.non_bls_resp);
44351 @@ -2185,13 +2185,13 @@ void fc_exch_update_stats(struct fc_lport *lport)
44353 list_for_each_entry(ema, &lport->ema_list, ema_list) {
44355 - st->fc_no_free_exch += atomic_read(&mp->stats.no_free_exch);
44356 + st->fc_no_free_exch += atomic_read_unchecked(&mp->stats.no_free_exch);
44357 st->fc_no_free_exch_xid +=
44358 - atomic_read(&mp->stats.no_free_exch_xid);
44359 - st->fc_xid_not_found += atomic_read(&mp->stats.xid_not_found);
44360 - st->fc_xid_busy += atomic_read(&mp->stats.xid_busy);
44361 - st->fc_seq_not_found += atomic_read(&mp->stats.seq_not_found);
44362 - st->fc_non_bls_resp += atomic_read(&mp->stats.non_bls_resp);
44363 + atomic_read_unchecked(&mp->stats.no_free_exch_xid);
44364 + st->fc_xid_not_found += atomic_read_unchecked(&mp->stats.xid_not_found);
44365 + st->fc_xid_busy += atomic_read_unchecked(&mp->stats.xid_busy);
44366 + st->fc_seq_not_found += atomic_read_unchecked(&mp->stats.seq_not_found);
44367 + st->fc_non_bls_resp += atomic_read_unchecked(&mp->stats.non_bls_resp);
44370 EXPORT_SYMBOL(fc_exch_update_stats);
44371 diff --git a/drivers/scsi/libsas/sas_ata.c b/drivers/scsi/libsas/sas_ata.c
44372 index 161c98e..6d563b3 100644
44373 --- a/drivers/scsi/libsas/sas_ata.c
44374 +++ b/drivers/scsi/libsas/sas_ata.c
44375 @@ -554,7 +554,7 @@ static struct ata_port_operations sas_sata_ops = {
44376 .postreset = ata_std_postreset,
44377 .error_handler = ata_std_error_handler,
44378 .post_internal_cmd = sas_ata_post_internal,
44379 - .qc_defer = ata_std_qc_defer,
44380 + .qc_defer = ata_std_qc_defer,
44381 .qc_prep = ata_noop_qc_prep,
44382 .qc_issue = sas_ata_qc_issue,
44383 .qc_fill_rtf = sas_ata_qc_fill_rtf,
44384 diff --git a/drivers/scsi/lpfc/lpfc.h b/drivers/scsi/lpfc/lpfc.h
44385 index bcc56ca..6f4174a 100644
44386 --- a/drivers/scsi/lpfc/lpfc.h
44387 +++ b/drivers/scsi/lpfc/lpfc.h
44388 @@ -431,7 +431,7 @@ struct lpfc_vport {
44389 struct dentry *debug_nodelist;
44390 struct dentry *vport_debugfs_root;
44391 struct lpfc_debugfs_trc *disc_trc;
44392 - atomic_t disc_trc_cnt;
44393 + atomic_unchecked_t disc_trc_cnt;
44395 uint8_t stat_data_enabled;
44396 uint8_t stat_data_blocked;
44397 @@ -865,8 +865,8 @@ struct lpfc_hba {
44398 struct timer_list fabric_block_timer;
44399 unsigned long bit_flags;
44400 #define FABRIC_COMANDS_BLOCKED 0
44401 - atomic_t num_rsrc_err;
44402 - atomic_t num_cmd_success;
44403 + atomic_unchecked_t num_rsrc_err;
44404 + atomic_unchecked_t num_cmd_success;
44405 unsigned long last_rsrc_error_time;
44406 unsigned long last_ramp_down_time;
44407 unsigned long last_ramp_up_time;
44408 @@ -902,7 +902,7 @@ struct lpfc_hba {
44410 struct dentry *debug_slow_ring_trc;
44411 struct lpfc_debugfs_trc *slow_ring_trc;
44412 - atomic_t slow_ring_trc_cnt;
44413 + atomic_unchecked_t slow_ring_trc_cnt;
44414 /* iDiag debugfs sub-directory */
44415 struct dentry *idiag_root;
44416 struct dentry *idiag_pci_cfg;
44417 diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c
44418 index f525ecb..32549a4 100644
44419 --- a/drivers/scsi/lpfc/lpfc_debugfs.c
44420 +++ b/drivers/scsi/lpfc/lpfc_debugfs.c
44421 @@ -106,7 +106,7 @@ MODULE_PARM_DESC(lpfc_debugfs_mask_disc_trc,
44423 #include <linux/debugfs.h>
44425 -static atomic_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
44426 +static atomic_unchecked_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
44427 static unsigned long lpfc_debugfs_start_time = 0L;
44430 @@ -147,7 +147,7 @@ lpfc_debugfs_disc_trc_data(struct lpfc_vport *vport, char *buf, int size)
44431 lpfc_debugfs_enable = 0;
44434 - index = (atomic_read(&vport->disc_trc_cnt) + 1) &
44435 + index = (atomic_read_unchecked(&vport->disc_trc_cnt) + 1) &
44436 (lpfc_debugfs_max_disc_trc - 1);
44437 for (i = index; i < lpfc_debugfs_max_disc_trc; i++) {
44438 dtp = vport->disc_trc + i;
44439 @@ -213,7 +213,7 @@ lpfc_debugfs_slow_ring_trc_data(struct lpfc_hba *phba, char *buf, int size)
44440 lpfc_debugfs_enable = 0;
44443 - index = (atomic_read(&phba->slow_ring_trc_cnt) + 1) &
44444 + index = (atomic_read_unchecked(&phba->slow_ring_trc_cnt) + 1) &
44445 (lpfc_debugfs_max_slow_ring_trc - 1);
44446 for (i = index; i < lpfc_debugfs_max_slow_ring_trc; i++) {
44447 dtp = phba->slow_ring_trc + i;
44448 @@ -646,14 +646,14 @@ lpfc_debugfs_disc_trc(struct lpfc_vport *vport, int mask, char *fmt,
44449 !vport || !vport->disc_trc)
44452 - index = atomic_inc_return(&vport->disc_trc_cnt) &
44453 + index = atomic_inc_return_unchecked(&vport->disc_trc_cnt) &
44454 (lpfc_debugfs_max_disc_trc - 1);
44455 dtp = vport->disc_trc + index;
44457 dtp->data1 = data1;
44458 dtp->data2 = data2;
44459 dtp->data3 = data3;
44460 - dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
44461 + dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
44462 dtp->jif = jiffies;
44465 @@ -684,14 +684,14 @@ lpfc_debugfs_slow_ring_trc(struct lpfc_hba *phba, char *fmt,
44466 !phba || !phba->slow_ring_trc)
44469 - index = atomic_inc_return(&phba->slow_ring_trc_cnt) &
44470 + index = atomic_inc_return_unchecked(&phba->slow_ring_trc_cnt) &
44471 (lpfc_debugfs_max_slow_ring_trc - 1);
44472 dtp = phba->slow_ring_trc + index;
44474 dtp->data1 = data1;
44475 dtp->data2 = data2;
44476 dtp->data3 = data3;
44477 - dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
44478 + dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
44479 dtp->jif = jiffies;
44482 @@ -4182,7 +4182,7 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport)
44483 "slow_ring buffer\n");
44486 - atomic_set(&phba->slow_ring_trc_cnt, 0);
44487 + atomic_set_unchecked(&phba->slow_ring_trc_cnt, 0);
44488 memset(phba->slow_ring_trc, 0,
44489 (sizeof(struct lpfc_debugfs_trc) *
44490 lpfc_debugfs_max_slow_ring_trc));
44491 @@ -4228,7 +4228,7 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport)
44495 - atomic_set(&vport->disc_trc_cnt, 0);
44496 + atomic_set_unchecked(&vport->disc_trc_cnt, 0);
44498 snprintf(name, sizeof(name), "discovery_trace");
44499 vport->debug_disc_trc =
44500 diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c
44501 index cb465b2..2e7b25f 100644
44502 --- a/drivers/scsi/lpfc/lpfc_init.c
44503 +++ b/drivers/scsi/lpfc/lpfc_init.c
44504 @@ -10950,8 +10950,10 @@ lpfc_init(void)
44505 "misc_register returned with status %d", error);
44507 if (lpfc_enable_npiv) {
44508 - lpfc_transport_functions.vport_create = lpfc_vport_create;
44509 - lpfc_transport_functions.vport_delete = lpfc_vport_delete;
44510 + pax_open_kernel();
44511 + *(void **)&lpfc_transport_functions.vport_create = lpfc_vport_create;
44512 + *(void **)&lpfc_transport_functions.vport_delete = lpfc_vport_delete;
44513 + pax_close_kernel();
44515 lpfc_transport_template =
44516 fc_attach_transport(&lpfc_transport_functions);
44517 diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c
44518 index 8523b278e..ce1d812 100644
44519 --- a/drivers/scsi/lpfc/lpfc_scsi.c
44520 +++ b/drivers/scsi/lpfc/lpfc_scsi.c
44521 @@ -331,7 +331,7 @@ lpfc_rampdown_queue_depth(struct lpfc_hba *phba)
44522 uint32_t evt_posted;
44524 spin_lock_irqsave(&phba->hbalock, flags);
44525 - atomic_inc(&phba->num_rsrc_err);
44526 + atomic_inc_unchecked(&phba->num_rsrc_err);
44527 phba->last_rsrc_error_time = jiffies;
44529 if ((phba->last_ramp_down_time + QUEUE_RAMP_DOWN_INTERVAL) > jiffies) {
44530 @@ -372,7 +372,7 @@ lpfc_rampup_queue_depth(struct lpfc_vport *vport,
44531 unsigned long flags;
44532 struct lpfc_hba *phba = vport->phba;
44533 uint32_t evt_posted;
44534 - atomic_inc(&phba->num_cmd_success);
44535 + atomic_inc_unchecked(&phba->num_cmd_success);
44537 if (vport->cfg_lun_queue_depth <= queue_depth)
44539 @@ -416,8 +416,8 @@ lpfc_ramp_down_queue_handler(struct lpfc_hba *phba)
44540 unsigned long num_rsrc_err, num_cmd_success;
44543 - num_rsrc_err = atomic_read(&phba->num_rsrc_err);
44544 - num_cmd_success = atomic_read(&phba->num_cmd_success);
44545 + num_rsrc_err = atomic_read_unchecked(&phba->num_rsrc_err);
44546 + num_cmd_success = atomic_read_unchecked(&phba->num_cmd_success);
44549 * The error and success command counters are global per
44550 @@ -445,8 +445,8 @@ lpfc_ramp_down_queue_handler(struct lpfc_hba *phba)
44553 lpfc_destroy_vport_work_array(phba, vports);
44554 - atomic_set(&phba->num_rsrc_err, 0);
44555 - atomic_set(&phba->num_cmd_success, 0);
44556 + atomic_set_unchecked(&phba->num_rsrc_err, 0);
44557 + atomic_set_unchecked(&phba->num_cmd_success, 0);
44561 @@ -480,8 +480,8 @@ lpfc_ramp_up_queue_handler(struct lpfc_hba *phba)
44564 lpfc_destroy_vport_work_array(phba, vports);
44565 - atomic_set(&phba->num_rsrc_err, 0);
44566 - atomic_set(&phba->num_cmd_success, 0);
44567 + atomic_set_unchecked(&phba->num_rsrc_err, 0);
44568 + atomic_set_unchecked(&phba->num_cmd_success, 0);
44572 diff --git a/drivers/scsi/pmcraid.c b/drivers/scsi/pmcraid.c
44573 index 8e1b737..50ff510 100644
44574 --- a/drivers/scsi/pmcraid.c
44575 +++ b/drivers/scsi/pmcraid.c
44576 @@ -200,8 +200,8 @@ static int pmcraid_slave_alloc(struct scsi_device *scsi_dev)
44577 res->scsi_dev = scsi_dev;
44578 scsi_dev->hostdata = res;
44579 res->change_detected = 0;
44580 - atomic_set(&res->read_failures, 0);
44581 - atomic_set(&res->write_failures, 0);
44582 + atomic_set_unchecked(&res->read_failures, 0);
44583 + atomic_set_unchecked(&res->write_failures, 0);
44586 spin_unlock_irqrestore(&pinstance->resource_lock, lock_flags);
44587 @@ -2676,9 +2676,9 @@ static int pmcraid_error_handler(struct pmcraid_cmd *cmd)
44589 /* If this was a SCSI read/write command keep count of errors */
44590 if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_READ_CMD)
44591 - atomic_inc(&res->read_failures);
44592 + atomic_inc_unchecked(&res->read_failures);
44593 else if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_WRITE_CMD)
44594 - atomic_inc(&res->write_failures);
44595 + atomic_inc_unchecked(&res->write_failures);
44597 if (!RES_IS_GSCSI(res->cfg_entry) &&
44598 masked_ioasc != PMCRAID_IOASC_HW_DEVICE_BUS_STATUS_ERROR) {
44599 @@ -3534,7 +3534,7 @@ static int pmcraid_queuecommand_lck(
44600 * block of scsi_cmd which is re-used (e.g. cancel/abort), which uses
44601 * hrrq_id assigned here in queuecommand
44603 - ioarcb->hrrq_id = atomic_add_return(1, &(pinstance->last_message_id)) %
44604 + ioarcb->hrrq_id = atomic_add_return_unchecked(1, &(pinstance->last_message_id)) %
44605 pinstance->num_hrrq;
44606 cmd->cmd_done = pmcraid_io_done;
44608 @@ -3846,7 +3846,7 @@ static long pmcraid_ioctl_passthrough(
44609 * block of scsi_cmd which is re-used (e.g. cancel/abort), which uses
44610 * hrrq_id assigned here in queuecommand
44612 - ioarcb->hrrq_id = atomic_add_return(1, &(pinstance->last_message_id)) %
44613 + ioarcb->hrrq_id = atomic_add_return_unchecked(1, &(pinstance->last_message_id)) %
44614 pinstance->num_hrrq;
44616 if (request_size) {
44617 @@ -4483,7 +4483,7 @@ static void pmcraid_worker_function(struct work_struct *workp)
44619 pinstance = container_of(workp, struct pmcraid_instance, worker_q);
44620 /* add resources only after host is added into system */
44621 - if (!atomic_read(&pinstance->expose_resources))
44622 + if (!atomic_read_unchecked(&pinstance->expose_resources))
44625 fw_version = be16_to_cpu(pinstance->inq_data->fw_version);
44626 @@ -5310,8 +5310,8 @@ static int pmcraid_init_instance(struct pci_dev *pdev, struct Scsi_Host *host,
44627 init_waitqueue_head(&pinstance->reset_wait_q);
44629 atomic_set(&pinstance->outstanding_cmds, 0);
44630 - atomic_set(&pinstance->last_message_id, 0);
44631 - atomic_set(&pinstance->expose_resources, 0);
44632 + atomic_set_unchecked(&pinstance->last_message_id, 0);
44633 + atomic_set_unchecked(&pinstance->expose_resources, 0);
44635 INIT_LIST_HEAD(&pinstance->free_res_q);
44636 INIT_LIST_HEAD(&pinstance->used_res_q);
44637 @@ -6024,7 +6024,7 @@ static int pmcraid_probe(struct pci_dev *pdev,
44638 /* Schedule worker thread to handle CCN and take care of adding and
44639 * removing devices to OS
44641 - atomic_set(&pinstance->expose_resources, 1);
44642 + atomic_set_unchecked(&pinstance->expose_resources, 1);
44643 schedule_work(&pinstance->worker_q);
44646 diff --git a/drivers/scsi/pmcraid.h b/drivers/scsi/pmcraid.h
44647 index e1d150f..6c6df44 100644
44648 --- a/drivers/scsi/pmcraid.h
44649 +++ b/drivers/scsi/pmcraid.h
44650 @@ -748,7 +748,7 @@ struct pmcraid_instance {
44651 struct pmcraid_isr_param hrrq_vector[PMCRAID_NUM_MSIX_VECTORS];
44653 /* Message id as filled in last fired IOARCB, used to identify HRRQ */
44654 - atomic_t last_message_id;
44655 + atomic_unchecked_t last_message_id;
44657 /* configuration table */
44658 struct pmcraid_config_table *cfg_table;
44659 @@ -777,7 +777,7 @@ struct pmcraid_instance {
44660 atomic_t outstanding_cmds;
44662 /* should add/delete resources to mid-layer now ?*/
44663 - atomic_t expose_resources;
44664 + atomic_unchecked_t expose_resources;
44668 @@ -813,8 +813,8 @@ struct pmcraid_resource_entry {
44669 struct pmcraid_config_table_entry_ext cfg_entry_ext;
44671 struct scsi_device *scsi_dev; /* Link scsi_device structure */
44672 - atomic_t read_failures; /* count of failed READ commands */
44673 - atomic_t write_failures; /* count of failed WRITE commands */
44674 + atomic_unchecked_t read_failures; /* count of failed READ commands */
44675 + atomic_unchecked_t write_failures; /* count of failed WRITE commands */
44677 /* To indicate add/delete/modify during CCN */
44678 u8 change_detected;
44679 diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c
44680 index bf60c63..74d4dce 100644
44681 --- a/drivers/scsi/qla2xxx/qla_attr.c
44682 +++ b/drivers/scsi/qla2xxx/qla_attr.c
44683 @@ -2001,7 +2001,7 @@ qla24xx_vport_disable(struct fc_vport *fc_vport, bool disable)
44687 -struct fc_function_template qla2xxx_transport_functions = {
44688 +fc_function_template_no_const qla2xxx_transport_functions = {
44690 .show_host_node_name = 1,
44691 .show_host_port_name = 1,
44692 @@ -2048,7 +2048,7 @@ struct fc_function_template qla2xxx_transport_functions = {
44693 .bsg_timeout = qla24xx_bsg_timeout,
44696 -struct fc_function_template qla2xxx_transport_vport_functions = {
44697 +fc_function_template_no_const qla2xxx_transport_vport_functions = {
44699 .show_host_node_name = 1,
44700 .show_host_port_name = 1,
44701 diff --git a/drivers/scsi/qla2xxx/qla_gbl.h b/drivers/scsi/qla2xxx/qla_gbl.h
44702 index 026bfde..90c4018 100644
44703 --- a/drivers/scsi/qla2xxx/qla_gbl.h
44704 +++ b/drivers/scsi/qla2xxx/qla_gbl.h
44705 @@ -528,8 +528,8 @@ extern void qla2x00_get_sym_node_name(scsi_qla_host_t *, uint8_t *);
44706 struct device_attribute;
44707 extern struct device_attribute *qla2x00_host_attrs[];
44708 struct fc_function_template;
44709 -extern struct fc_function_template qla2xxx_transport_functions;
44710 -extern struct fc_function_template qla2xxx_transport_vport_functions;
44711 +extern fc_function_template_no_const qla2xxx_transport_functions;
44712 +extern fc_function_template_no_const qla2xxx_transport_vport_functions;
44713 extern void qla2x00_alloc_sysfs_attr(scsi_qla_host_t *);
44714 extern void qla2x00_free_sysfs_attr(scsi_qla_host_t *);
44715 extern void qla2x00_init_host_attr(scsi_qla_host_t *);
44716 diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
44717 index ad72c1d..afc9a98 100644
44718 --- a/drivers/scsi/qla2xxx/qla_os.c
44719 +++ b/drivers/scsi/qla2xxx/qla_os.c
44720 @@ -1571,8 +1571,10 @@ qla2x00_config_dma_addressing(struct qla_hw_data *ha)
44721 !pci_set_consistent_dma_mask(ha->pdev, DMA_BIT_MASK(64))) {
44722 /* Ok, a 64bit DMA mask is applicable. */
44723 ha->flags.enable_64bit_addressing = 1;
44724 - ha->isp_ops->calc_req_entries = qla2x00_calc_iocbs_64;
44725 - ha->isp_ops->build_iocbs = qla2x00_build_scsi_iocbs_64;
44726 + pax_open_kernel();
44727 + *(void **)&ha->isp_ops->calc_req_entries = qla2x00_calc_iocbs_64;
44728 + *(void **)&ha->isp_ops->build_iocbs = qla2x00_build_scsi_iocbs_64;
44729 + pax_close_kernel();
44733 diff --git a/drivers/scsi/qla4xxx/ql4_def.h b/drivers/scsi/qla4xxx/ql4_def.h
44734 index ddf16a8..80f4dd0 100644
44735 --- a/drivers/scsi/qla4xxx/ql4_def.h
44736 +++ b/drivers/scsi/qla4xxx/ql4_def.h
44737 @@ -291,7 +291,7 @@ struct ddb_entry {
44739 atomic_t relogin_timer; /* Max Time to wait for
44740 * relogin to complete */
44741 - atomic_t relogin_retry_count; /* Num of times relogin has been
44742 + atomic_unchecked_t relogin_retry_count; /* Num of times relogin has been
44744 uint32_t default_time2wait; /* Default Min time between
44745 * relogins (+aens) */
44746 diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c
44747 index 4d231c1..2892c37 100644
44748 --- a/drivers/scsi/qla4xxx/ql4_os.c
44749 +++ b/drivers/scsi/qla4xxx/ql4_os.c
44750 @@ -2971,12 +2971,12 @@ static void qla4xxx_check_relogin_flash_ddb(struct iscsi_cls_session *cls_sess)
44752 if (!iscsi_is_session_online(cls_sess)) {
44753 /* Reset retry relogin timer */
44754 - atomic_inc(&ddb_entry->relogin_retry_count);
44755 + atomic_inc_unchecked(&ddb_entry->relogin_retry_count);
44756 DEBUG2(ql4_printk(KERN_INFO, ha,
44757 "%s: index[%d] relogin timed out-retrying"
44758 " relogin (%d), retry (%d)\n", __func__,
44759 ddb_entry->fw_ddb_index,
44760 - atomic_read(&ddb_entry->relogin_retry_count),
44761 + atomic_read_unchecked(&ddb_entry->relogin_retry_count),
44762 ddb_entry->default_time2wait + 4));
44763 set_bit(DPC_RELOGIN_DEVICE, &ha->dpc_flags);
44764 atomic_set(&ddb_entry->retry_relogin_timer,
44765 @@ -5081,7 +5081,7 @@ static void qla4xxx_setup_flash_ddb_entry(struct scsi_qla_host *ha,
44767 atomic_set(&ddb_entry->retry_relogin_timer, INVALID_ENTRY);
44768 atomic_set(&ddb_entry->relogin_timer, 0);
44769 - atomic_set(&ddb_entry->relogin_retry_count, 0);
44770 + atomic_set_unchecked(&ddb_entry->relogin_retry_count, 0);
44771 def_timeout = le16_to_cpu(ddb_entry->fw_ddb_entry.def_timeout);
44772 ddb_entry->default_relogin_timeout =
44773 (def_timeout > LOGIN_TOV) && (def_timeout < LOGIN_TOV * 10) ?
44774 diff --git a/drivers/scsi/scsi.c b/drivers/scsi/scsi.c
44775 index eaa808e..95f8841 100644
44776 --- a/drivers/scsi/scsi.c
44777 +++ b/drivers/scsi/scsi.c
44778 @@ -661,7 +661,7 @@ int scsi_dispatch_cmd(struct scsi_cmnd *cmd)
44779 unsigned long timeout;
44782 - atomic_inc(&cmd->device->iorequest_cnt);
44783 + atomic_inc_unchecked(&cmd->device->iorequest_cnt);
44785 /* check if the device is still usable */
44786 if (unlikely(cmd->device->sdev_state == SDEV_DEL)) {
44787 diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
44788 index 86d5220..f22c51a 100644
44789 --- a/drivers/scsi/scsi_lib.c
44790 +++ b/drivers/scsi/scsi_lib.c
44791 @@ -1458,7 +1458,7 @@ static void scsi_kill_request(struct request *req, struct request_queue *q)
44792 shost = sdev->host;
44793 scsi_init_cmd_errh(cmd);
44794 cmd->result = DID_NO_CONNECT << 16;
44795 - atomic_inc(&cmd->device->iorequest_cnt);
44796 + atomic_inc_unchecked(&cmd->device->iorequest_cnt);
44799 * SCSI request completion path will do scsi_device_unbusy(),
44800 @@ -1484,9 +1484,9 @@ static void scsi_softirq_done(struct request *rq)
44802 INIT_LIST_HEAD(&cmd->eh_entry);
44804 - atomic_inc(&cmd->device->iodone_cnt);
44805 + atomic_inc_unchecked(&cmd->device->iodone_cnt);
44807 - atomic_inc(&cmd->device->ioerr_cnt);
44808 + atomic_inc_unchecked(&cmd->device->ioerr_cnt);
44810 disposition = scsi_decide_disposition(cmd);
44811 if (disposition != SUCCESS &&
44812 diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c
44813 index 931a7d9..0c2a754 100644
44814 --- a/drivers/scsi/scsi_sysfs.c
44815 +++ b/drivers/scsi/scsi_sysfs.c
44816 @@ -658,7 +658,7 @@ show_iostat_##field(struct device *dev, struct device_attribute *attr, \
44819 struct scsi_device *sdev = to_scsi_device(dev); \
44820 - unsigned long long count = atomic_read(&sdev->field); \
44821 + unsigned long long count = atomic_read_unchecked(&sdev->field); \
44822 return snprintf(buf, 20, "0x%llx\n", count); \
44824 static DEVICE_ATTR(field, S_IRUGO, show_iostat_##field, NULL)
44825 diff --git a/drivers/scsi/scsi_tgt_lib.c b/drivers/scsi/scsi_tgt_lib.c
44826 index 84a1fdf..693b0d6 100644
44827 --- a/drivers/scsi/scsi_tgt_lib.c
44828 +++ b/drivers/scsi/scsi_tgt_lib.c
44829 @@ -362,7 +362,7 @@ static int scsi_map_user_pages(struct scsi_tgt_cmd *tcmd, struct scsi_cmnd *cmd,
44832 dprintk("%lx %u\n", uaddr, len);
44833 - err = blk_rq_map_user(q, rq, NULL, (void *)uaddr, len, GFP_KERNEL);
44834 + err = blk_rq_map_user(q, rq, NULL, (void __user *)uaddr, len, GFP_KERNEL);
44837 * TODO: need to fixup sg_tablesize, max_segment_size,
44838 diff --git a/drivers/scsi/scsi_transport_fc.c b/drivers/scsi/scsi_transport_fc.c
44839 index e106c27..11a380e 100644
44840 --- a/drivers/scsi/scsi_transport_fc.c
44841 +++ b/drivers/scsi/scsi_transport_fc.c
44842 @@ -497,7 +497,7 @@ static DECLARE_TRANSPORT_CLASS(fc_vport_class,
44843 * Netlink Infrastructure
44846 -static atomic_t fc_event_seq;
44847 +static atomic_unchecked_t fc_event_seq;
44850 * fc_get_event_number - Obtain the next sequential FC event number
44851 @@ -510,7 +510,7 @@ static atomic_t fc_event_seq;
44853 fc_get_event_number(void)
44855 - return atomic_add_return(1, &fc_event_seq);
44856 + return atomic_add_return_unchecked(1, &fc_event_seq);
44858 EXPORT_SYMBOL(fc_get_event_number);
44860 @@ -654,7 +654,7 @@ static __init int fc_transport_init(void)
44864 - atomic_set(&fc_event_seq, 0);
44865 + atomic_set_unchecked(&fc_event_seq, 0);
44867 error = transport_class_register(&fc_host_class);
44869 @@ -844,7 +844,7 @@ static int fc_str_to_dev_loss(const char *buf, unsigned long *val)
44872 *val = simple_strtoul(buf, &cp, 0);
44873 - if ((*cp && (*cp != '\n')) || (*val < 0))
44874 + if (*cp && (*cp != '\n'))
44877 * Check for overflow; dev_loss_tmo is u32
44878 diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
44879 index 133926b..903000d 100644
44880 --- a/drivers/scsi/scsi_transport_iscsi.c
44881 +++ b/drivers/scsi/scsi_transport_iscsi.c
44882 @@ -80,7 +80,7 @@ struct iscsi_internal {
44883 struct transport_container session_cont;
44886 -static atomic_t iscsi_session_nr; /* sysfs session id for next new session */
44887 +static atomic_unchecked_t iscsi_session_nr; /* sysfs session id for next new session */
44888 static struct workqueue_struct *iscsi_eh_timer_workq;
44890 static DEFINE_IDA(iscsi_sess_ida);
44891 @@ -1738,7 +1738,7 @@ int iscsi_add_session(struct iscsi_cls_session *session, unsigned int target_id)
44894 ihost = shost->shost_data;
44895 - session->sid = atomic_add_return(1, &iscsi_session_nr);
44896 + session->sid = atomic_add_return_unchecked(1, &iscsi_session_nr);
44898 if (target_id == ISCSI_MAX_TARGET) {
44899 id = ida_simple_get(&iscsi_sess_ida, 0, 0, GFP_KERNEL);
44900 @@ -3944,7 +3944,7 @@ static __init int iscsi_transport_init(void)
44901 printk(KERN_INFO "Loading iSCSI transport class v%s.\n",
44902 ISCSI_TRANSPORT_VERSION);
44904 - atomic_set(&iscsi_session_nr, 0);
44905 + atomic_set_unchecked(&iscsi_session_nr, 0);
44907 err = class_register(&iscsi_transport_class);
44909 diff --git a/drivers/scsi/scsi_transport_srp.c b/drivers/scsi/scsi_transport_srp.c
44910 index f379c7f..e8fc69c 100644
44911 --- a/drivers/scsi/scsi_transport_srp.c
44912 +++ b/drivers/scsi/scsi_transport_srp.c
44914 #include "scsi_transport_srp_internal.h"
44916 struct srp_host_attrs {
44917 - atomic_t next_port_id;
44918 + atomic_unchecked_t next_port_id;
44920 #define to_srp_host_attrs(host) ((struct srp_host_attrs *)(host)->shost_data)
44922 @@ -61,7 +61,7 @@ static int srp_host_setup(struct transport_container *tc, struct device *dev,
44923 struct Scsi_Host *shost = dev_to_shost(dev);
44924 struct srp_host_attrs *srp_host = to_srp_host_attrs(shost);
44926 - atomic_set(&srp_host->next_port_id, 0);
44927 + atomic_set_unchecked(&srp_host->next_port_id, 0);
44931 @@ -210,7 +210,7 @@ struct srp_rport *srp_rport_add(struct Scsi_Host *shost,
44932 memcpy(rport->port_id, ids->port_id, sizeof(rport->port_id));
44933 rport->roles = ids->roles;
44935 - id = atomic_inc_return(&to_srp_host_attrs(shost)->next_port_id);
44936 + id = atomic_inc_return_unchecked(&to_srp_host_attrs(shost)->next_port_id);
44937 dev_set_name(&rport->dev, "port-%d:%d", shost->host_no, id);
44939 transport_setup_device(&rport->dev);
44940 diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
44941 index 610417e..1544fa9 100644
44942 --- a/drivers/scsi/sd.c
44943 +++ b/drivers/scsi/sd.c
44944 @@ -2928,7 +2928,7 @@ static int sd_probe(struct device *dev)
44946 sdkp->index = index;
44947 atomic_set(&sdkp->openers, 0);
44948 - atomic_set(&sdkp->device->ioerr_cnt, 0);
44949 + atomic_set_unchecked(&sdkp->device->ioerr_cnt, 0);
44951 if (!sdp->request_queue->rq_timeout) {
44952 if (sdp->type != TYPE_MOD)
44953 diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
44954 index df5e961..df6b97f 100644
44955 --- a/drivers/scsi/sg.c
44956 +++ b/drivers/scsi/sg.c
44957 @@ -1102,7 +1102,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
44958 sdp->disk->disk_name,
44959 MKDEV(SCSI_GENERIC_MAJOR, sdp->index),
44962 + (char __user *)arg);
44963 case BLKTRACESTART:
44964 return blk_trace_startstop(sdp->device->request_queue, 1);
44966 diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
44967 index 32b7bb1..2f1c4bd 100644
44968 --- a/drivers/spi/spi.c
44969 +++ b/drivers/spi/spi.c
44970 @@ -1631,7 +1631,7 @@ int spi_bus_unlock(struct spi_master *master)
44971 EXPORT_SYMBOL_GPL(spi_bus_unlock);
44973 /* portable code must never pass more than 32 bytes */
44974 -#define SPI_BUFSIZ max(32,SMP_CACHE_BYTES)
44975 +#define SPI_BUFSIZ max(32UL,SMP_CACHE_BYTES)
44979 diff --git a/drivers/staging/media/solo6x10/solo6x10-core.c b/drivers/staging/media/solo6x10/solo6x10-core.c
44980 index 3675020..e80d92c 100644
44981 --- a/drivers/staging/media/solo6x10/solo6x10-core.c
44982 +++ b/drivers/staging/media/solo6x10/solo6x10-core.c
44983 @@ -434,7 +434,7 @@ static void solo_device_release(struct device *dev)
44985 static int solo_sysfs_init(struct solo_dev *solo_dev)
44987 - struct bin_attribute *sdram_attr = &solo_dev->sdram_attr;
44988 + bin_attribute_no_const *sdram_attr = &solo_dev->sdram_attr;
44989 struct device *dev = &solo_dev->dev;
44990 const char *driver;
44992 diff --git a/drivers/staging/octeon/ethernet-rx.c b/drivers/staging/octeon/ethernet-rx.c
44993 index 34afc16..ffe44dd 100644
44994 --- a/drivers/staging/octeon/ethernet-rx.c
44995 +++ b/drivers/staging/octeon/ethernet-rx.c
44996 @@ -421,11 +421,11 @@ static int cvm_oct_napi_poll(struct napi_struct *napi, int budget)
44997 /* Increment RX stats for virtual ports */
44998 if (work->ipprt >= CVMX_PIP_NUM_INPUT_PORTS) {
44999 #ifdef CONFIG_64BIT
45000 - atomic64_add(1, (atomic64_t *)&priv->stats.rx_packets);
45001 - atomic64_add(skb->len, (atomic64_t *)&priv->stats.rx_bytes);
45002 + atomic64_add_unchecked(1, (atomic64_unchecked_t *)&priv->stats.rx_packets);
45003 + atomic64_add_unchecked(skb->len, (atomic64_unchecked_t *)&priv->stats.rx_bytes);
45005 - atomic_add(1, (atomic_t *)&priv->stats.rx_packets);
45006 - atomic_add(skb->len, (atomic_t *)&priv->stats.rx_bytes);
45007 + atomic_add_unchecked(1, (atomic_unchecked_t *)&priv->stats.rx_packets);
45008 + atomic_add_unchecked(skb->len, (atomic_unchecked_t *)&priv->stats.rx_bytes);
45011 netif_receive_skb(skb);
45012 @@ -437,9 +437,9 @@ static int cvm_oct_napi_poll(struct napi_struct *napi, int budget)
45015 #ifdef CONFIG_64BIT
45016 - atomic64_add(1, (atomic64_t *)&priv->stats.rx_dropped);
45017 + atomic64_unchecked_add(1, (atomic64_unchecked_t *)&priv->stats.rx_dropped);
45019 - atomic_add(1, (atomic_t *)&priv->stats.rx_dropped);
45020 + atomic_add_unchecked(1, (atomic_unchecked_t *)&priv->stats.rx_dropped);
45022 dev_kfree_skb_irq(skb);
45024 diff --git a/drivers/staging/octeon/ethernet.c b/drivers/staging/octeon/ethernet.c
45025 index c3a90e7..023619a 100644
45026 --- a/drivers/staging/octeon/ethernet.c
45027 +++ b/drivers/staging/octeon/ethernet.c
45028 @@ -252,11 +252,11 @@ static struct net_device_stats *cvm_oct_common_get_stats(struct net_device *dev)
45029 * since the RX tasklet also increments it.
45031 #ifdef CONFIG_64BIT
45032 - atomic64_add(rx_status.dropped_packets,
45033 - (atomic64_t *)&priv->stats.rx_dropped);
45034 + atomic64_add_unchecked(rx_status.dropped_packets,
45035 + (atomic64_unchecked_t *)&priv->stats.rx_dropped);
45037 - atomic_add(rx_status.dropped_packets,
45038 - (atomic_t *)&priv->stats.rx_dropped);
45039 + atomic_add_unchecked(rx_status.dropped_packets,
45040 + (atomic_unchecked_t *)&priv->stats.rx_dropped);
45044 diff --git a/drivers/staging/rtl8712/rtl871x_io.h b/drivers/staging/rtl8712/rtl871x_io.h
45045 index dc23395..cf7e9b1 100644
45046 --- a/drivers/staging/rtl8712/rtl871x_io.h
45047 +++ b/drivers/staging/rtl8712/rtl871x_io.h
45048 @@ -108,7 +108,7 @@ struct _io_ops {
45050 u32 (*_write_port)(struct intf_hdl *pintfhdl, u32 addr, u32 cnt,
45056 struct list_head list;
45057 diff --git a/drivers/staging/sbe-2t3e3/netdev.c b/drivers/staging/sbe-2t3e3/netdev.c
45058 index 1f5088b..0e59820 100644
45059 --- a/drivers/staging/sbe-2t3e3/netdev.c
45060 +++ b/drivers/staging/sbe-2t3e3/netdev.c
45061 @@ -51,7 +51,7 @@ static int t3e3_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
45062 t3e3_if_config(sc, cmd_2t3e3, (char *)¶m, &resp, &rlen);
45065 - if (copy_to_user(data, &resp, rlen))
45066 + if (rlen > sizeof resp || copy_to_user(data, &resp, rlen))
45070 diff --git a/drivers/staging/usbip/vhci.h b/drivers/staging/usbip/vhci.h
45071 index a863a98..d272795 100644
45072 --- a/drivers/staging/usbip/vhci.h
45073 +++ b/drivers/staging/usbip/vhci.h
45074 @@ -83,7 +83,7 @@ struct vhci_hcd {
45075 unsigned resuming:1;
45076 unsigned long re_timeout;
45079 + atomic_unchecked_t seqnum;
45083 diff --git a/drivers/staging/usbip/vhci_hcd.c b/drivers/staging/usbip/vhci_hcd.c
45084 index d7974cb..d78076b 100644
45085 --- a/drivers/staging/usbip/vhci_hcd.c
45086 +++ b/drivers/staging/usbip/vhci_hcd.c
45087 @@ -441,7 +441,7 @@ static void vhci_tx_urb(struct urb *urb)
45089 spin_lock(&vdev->priv_lock);
45091 - priv->seqnum = atomic_inc_return(&the_controller->seqnum);
45092 + priv->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
45093 if (priv->seqnum == 0xffff)
45094 dev_info(&urb->dev->dev, "seqnum max\n");
45096 @@ -687,7 +687,7 @@ static int vhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status)
45100 - unlink->seqnum = atomic_inc_return(&the_controller->seqnum);
45101 + unlink->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
45102 if (unlink->seqnum == 0xffff)
45103 pr_info("seqnum max\n");
45105 @@ -891,7 +891,7 @@ static int vhci_start(struct usb_hcd *hcd)
45106 vdev->rhport = rhport;
45109 - atomic_set(&vhci->seqnum, 0);
45110 + atomic_set_unchecked(&vhci->seqnum, 0);
45111 spin_lock_init(&vhci->lock);
45113 hcd->power_budget = 0; /* no limit */
45114 diff --git a/drivers/staging/usbip/vhci_rx.c b/drivers/staging/usbip/vhci_rx.c
45115 index d07fcb5..358e1e1 100644
45116 --- a/drivers/staging/usbip/vhci_rx.c
45117 +++ b/drivers/staging/usbip/vhci_rx.c
45118 @@ -80,7 +80,7 @@ static void vhci_recv_ret_submit(struct vhci_device *vdev,
45120 pr_err("cannot find a urb of seqnum %u\n", pdu->base.seqnum);
45121 pr_info("max seqnum %d\n",
45122 - atomic_read(&the_controller->seqnum));
45123 + atomic_read_unchecked(&the_controller->seqnum));
45124 usbip_event_add(ud, VDEV_EVENT_ERROR_TCP);
45127 diff --git a/drivers/staging/vt6655/hostap.c b/drivers/staging/vt6655/hostap.c
45128 index 8417c2f..ef5ebd6 100644
45129 --- a/drivers/staging/vt6655/hostap.c
45130 +++ b/drivers/staging/vt6655/hostap.c
45131 @@ -69,14 +69,13 @@ static int msglevel = MSG_LEVEL_INFO;
45135 +static net_device_ops_no_const apdev_netdev_ops;
45137 static int hostap_enable_hostapd(PSDevice pDevice, int rtnl_locked)
45139 PSDevice apdev_priv;
45140 struct net_device *dev = pDevice->dev;
45142 - const struct net_device_ops apdev_netdev_ops = {
45143 - .ndo_start_xmit = pDevice->tx_80211,
45146 DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO "%s: Enabling hostapd mode\n", dev->name);
45148 @@ -88,6 +87,8 @@ static int hostap_enable_hostapd(PSDevice pDevice, int rtnl_locked)
45149 *apdev_priv = *pDevice;
45150 memcpy(pDevice->apdev->dev_addr, dev->dev_addr, ETH_ALEN);
45152 + /* only half broken now */
45153 + apdev_netdev_ops.ndo_start_xmit = pDevice->tx_80211;
45154 pDevice->apdev->netdev_ops = &apdev_netdev_ops;
45156 pDevice->apdev->type = ARPHRD_IEEE80211;
45157 diff --git a/drivers/staging/vt6656/hostap.c b/drivers/staging/vt6656/hostap.c
45158 index c699a30..b90a5fd 100644
45159 --- a/drivers/staging/vt6656/hostap.c
45160 +++ b/drivers/staging/vt6656/hostap.c
45161 @@ -60,14 +60,13 @@ static int msglevel =MSG_LEVEL_INFO;
45165 +static net_device_ops_no_const apdev_netdev_ops;
45167 static int hostap_enable_hostapd(struct vnt_private *pDevice, int rtnl_locked)
45169 struct vnt_private *apdev_priv;
45170 struct net_device *dev = pDevice->dev;
45172 - const struct net_device_ops apdev_netdev_ops = {
45173 - .ndo_start_xmit = pDevice->tx_80211,
45176 DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO "%s: Enabling hostapd mode\n", dev->name);
45178 @@ -79,6 +78,8 @@ static int hostap_enable_hostapd(struct vnt_private *pDevice, int rtnl_locked)
45179 *apdev_priv = *pDevice;
45180 memcpy(pDevice->apdev->dev_addr, dev->dev_addr, ETH_ALEN);
45182 + /* only half broken now */
45183 + apdev_netdev_ops.ndo_start_xmit = pDevice->tx_80211;
45184 pDevice->apdev->netdev_ops = &apdev_netdev_ops;
45186 pDevice->apdev->type = ARPHRD_IEEE80211;
45187 diff --git a/drivers/staging/zcache/tmem.h b/drivers/staging/zcache/tmem.h
45188 index d128ce2..fc1f9a1 100644
45189 --- a/drivers/staging/zcache/tmem.h
45190 +++ b/drivers/staging/zcache/tmem.h
45191 @@ -225,7 +225,7 @@ struct tmem_pamops {
45192 bool (*is_remote)(void *);
45193 int (*replace_in_obj)(void *, struct tmem_obj *);
45197 extern void tmem_register_pamops(struct tmem_pamops *m);
45199 /* memory allocation methods provided by the host implementation */
45200 @@ -234,7 +234,7 @@ struct tmem_hostops {
45201 void (*obj_free)(struct tmem_obj *, struct tmem_pool *);
45202 struct tmem_objnode *(*objnode_alloc)(struct tmem_pool *);
45203 void (*objnode_free)(struct tmem_objnode *, struct tmem_pool *);
45206 extern void tmem_register_hostops(struct tmem_hostops *m);
45208 /* core tmem accessor functions */
45209 diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c
45210 index 4630481..c26782a 100644
45211 --- a/drivers/target/target_core_device.c
45212 +++ b/drivers/target/target_core_device.c
45213 @@ -1400,7 +1400,7 @@ struct se_device *target_alloc_device(struct se_hba *hba, const char *name)
45214 spin_lock_init(&dev->se_port_lock);
45215 spin_lock_init(&dev->se_tmr_lock);
45216 spin_lock_init(&dev->qf_cmd_lock);
45217 - atomic_set(&dev->dev_ordered_id, 0);
45218 + atomic_set_unchecked(&dev->dev_ordered_id, 0);
45219 INIT_LIST_HEAD(&dev->t10_wwn.t10_vpd_list);
45220 spin_lock_init(&dev->t10_wwn.t10_vpd_lock);
45221 INIT_LIST_HEAD(&dev->t10_pr.registration_list);
45222 diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
45223 index 21e3158..43c6004 100644
45224 --- a/drivers/target/target_core_transport.c
45225 +++ b/drivers/target/target_core_transport.c
45226 @@ -1080,7 +1080,7 @@ transport_check_alloc_task_attr(struct se_cmd *cmd)
45227 * Used to determine when ORDERED commands should go from
45228 * Dormant to Active status.
45230 - cmd->se_ordered_id = atomic_inc_return(&dev->dev_ordered_id);
45231 + cmd->se_ordered_id = atomic_inc_return_unchecked(&dev->dev_ordered_id);
45232 smp_mb__after_atomic_inc();
45233 pr_debug("Allocated se_ordered_id: %u for Task Attr: 0x%02x on %s\n",
45234 cmd->se_ordered_id, cmd->sam_task_attr,
45235 diff --git a/drivers/tty/cyclades.c b/drivers/tty/cyclades.c
45236 index 33f83fe..d80f8e1 100644
45237 --- a/drivers/tty/cyclades.c
45238 +++ b/drivers/tty/cyclades.c
45239 @@ -1570,10 +1570,10 @@ static int cy_open(struct tty_struct *tty, struct file *filp)
45240 printk(KERN_DEBUG "cyc:cy_open ttyC%d, count = %d\n", info->line,
45243 - info->port.count++;
45244 + atomic_inc(&info->port.count);
45245 #ifdef CY_DEBUG_COUNT
45246 printk(KERN_DEBUG "cyc:cy_open (%d): incrementing count to %d\n",
45247 - current->pid, info->port.count);
45248 + current->pid, atomic_read(&info->port.count));
45252 @@ -3972,7 +3972,7 @@ static int cyclades_proc_show(struct seq_file *m, void *v)
45253 for (j = 0; j < cy_card[i].nports; j++) {
45254 info = &cy_card[i].ports[j];
45256 - if (info->port.count) {
45257 + if (atomic_read(&info->port.count)) {
45258 /* XXX is the ldisc num worth this? */
45259 struct tty_struct *tty;
45260 struct tty_ldisc *ld;
45261 diff --git a/drivers/tty/hvc/hvc_console.c b/drivers/tty/hvc/hvc_console.c
45262 index eb255e8..f637a57 100644
45263 --- a/drivers/tty/hvc/hvc_console.c
45264 +++ b/drivers/tty/hvc/hvc_console.c
45265 @@ -338,7 +338,7 @@ static int hvc_open(struct tty_struct *tty, struct file * filp)
45267 spin_lock_irqsave(&hp->port.lock, flags);
45268 /* Check and then increment for fast path open. */
45269 - if (hp->port.count++ > 0) {
45270 + if (atomic_inc_return(&hp->port.count) > 1) {
45271 spin_unlock_irqrestore(&hp->port.lock, flags);
45274 @@ -388,7 +388,7 @@ static void hvc_close(struct tty_struct *tty, struct file * filp)
45276 spin_lock_irqsave(&hp->port.lock, flags);
45278 - if (--hp->port.count == 0) {
45279 + if (atomic_dec_return(&hp->port.count) == 0) {
45280 spin_unlock_irqrestore(&hp->port.lock, flags);
45281 /* We are done with the tty pointer now. */
45282 tty_port_tty_set(&hp->port, NULL);
45283 @@ -406,9 +406,9 @@ static void hvc_close(struct tty_struct *tty, struct file * filp)
45285 tty_wait_until_sent_from_close(tty, HVC_CLOSE_WAIT);
45287 - if (hp->port.count < 0)
45288 + if (atomic_read(&hp->port.count) < 0)
45289 printk(KERN_ERR "hvc_close %X: oops, count is %d\n",
45290 - hp->vtermno, hp->port.count);
45291 + hp->vtermno, atomic_read(&hp->port.count));
45292 spin_unlock_irqrestore(&hp->port.lock, flags);
45295 @@ -438,12 +438,12 @@ static void hvc_hangup(struct tty_struct *tty)
45296 * open->hangup case this can be called after the final close so prevent
45297 * that from happening for now.
45299 - if (hp->port.count <= 0) {
45300 + if (atomic_read(&hp->port.count) <= 0) {
45301 spin_unlock_irqrestore(&hp->port.lock, flags);
45305 - hp->port.count = 0;
45306 + atomic_set(&hp->port.count, 0);
45307 spin_unlock_irqrestore(&hp->port.lock, flags);
45308 tty_port_tty_set(&hp->port, NULL);
45310 @@ -491,7 +491,7 @@ static int hvc_write(struct tty_struct *tty, const unsigned char *buf, int count
45313 /* FIXME what's this (unprotected) check for? */
45314 - if (hp->port.count <= 0)
45315 + if (atomic_read(&hp->port.count) <= 0)
45318 spin_lock_irqsave(&hp->lock, flags);
45319 diff --git a/drivers/tty/hvc/hvcs.c b/drivers/tty/hvc/hvcs.c
45320 index 81e939e..95ead10 100644
45321 --- a/drivers/tty/hvc/hvcs.c
45322 +++ b/drivers/tty/hvc/hvcs.c
45324 #include <asm/hvcserver.h>
45325 #include <asm/uaccess.h>
45326 #include <asm/vio.h>
45327 +#include <asm/local.h>
45330 * 1.3.0 -> 1.3.1 In hvcs_open memset(..,0x00,..) instead of memset(..,0x3F,00).
45331 @@ -416,7 +417,7 @@ static ssize_t hvcs_vterm_state_store(struct device *dev, struct device_attribut
45333 spin_lock_irqsave(&hvcsd->lock, flags);
45335 - if (hvcsd->port.count > 0) {
45336 + if (atomic_read(&hvcsd->port.count) > 0) {
45337 spin_unlock_irqrestore(&hvcsd->lock, flags);
45338 printk(KERN_INFO "HVCS: vterm state unchanged. "
45339 "The hvcs device node is still in use.\n");
45340 @@ -1127,7 +1128,7 @@ static int hvcs_install(struct tty_driver *driver, struct tty_struct *tty)
45344 - hvcsd->port.count = 0;
45345 + atomic_set(&hvcsd->port.count, 0);
45346 hvcsd->port.tty = tty;
45347 tty->driver_data = hvcsd;
45349 @@ -1180,7 +1181,7 @@ static int hvcs_open(struct tty_struct *tty, struct file *filp)
45350 unsigned long flags;
45352 spin_lock_irqsave(&hvcsd->lock, flags);
45353 - hvcsd->port.count++;
45354 + atomic_inc(&hvcsd->port.count);
45355 hvcsd->todo_mask |= HVCS_SCHED_READ;
45356 spin_unlock_irqrestore(&hvcsd->lock, flags);
45358 @@ -1216,7 +1217,7 @@ static void hvcs_close(struct tty_struct *tty, struct file *filp)
45359 hvcsd = tty->driver_data;
45361 spin_lock_irqsave(&hvcsd->lock, flags);
45362 - if (--hvcsd->port.count == 0) {
45363 + if (atomic_dec_and_test(&hvcsd->port.count)) {
45365 vio_disable_interrupts(hvcsd->vdev);
45367 @@ -1241,10 +1242,10 @@ static void hvcs_close(struct tty_struct *tty, struct file *filp)
45369 free_irq(irq, hvcsd);
45371 - } else if (hvcsd->port.count < 0) {
45372 + } else if (atomic_read(&hvcsd->port.count) < 0) {
45373 printk(KERN_ERR "HVCS: vty-server@%X open_count: %d"
45374 " is missmanaged.\n",
45375 - hvcsd->vdev->unit_address, hvcsd->port.count);
45376 + hvcsd->vdev->unit_address, atomic_read(&hvcsd->port.count));
45379 spin_unlock_irqrestore(&hvcsd->lock, flags);
45380 @@ -1266,7 +1267,7 @@ static void hvcs_hangup(struct tty_struct * tty)
45382 spin_lock_irqsave(&hvcsd->lock, flags);
45383 /* Preserve this so that we know how many kref refs to put */
45384 - temp_open_count = hvcsd->port.count;
45385 + temp_open_count = atomic_read(&hvcsd->port.count);
45388 * Don't kref put inside the spinlock because the destruction
45389 @@ -1281,7 +1282,7 @@ static void hvcs_hangup(struct tty_struct * tty)
45390 tty->driver_data = NULL;
45391 hvcsd->port.tty = NULL;
45393 - hvcsd->port.count = 0;
45394 + atomic_set(&hvcsd->port.count, 0);
45396 /* This will drop any buffered data on the floor which is OK in a hangup
45398 @@ -1352,7 +1353,7 @@ static int hvcs_write(struct tty_struct *tty,
45399 * the middle of a write operation? This is a crummy place to do this
45400 * but we want to keep it all in the spinlock.
45402 - if (hvcsd->port.count <= 0) {
45403 + if (atomic_read(&hvcsd->port.count) <= 0) {
45404 spin_unlock_irqrestore(&hvcsd->lock, flags);
45407 @@ -1426,7 +1427,7 @@ static int hvcs_write_room(struct tty_struct *tty)
45409 struct hvcs_struct *hvcsd = tty->driver_data;
45411 - if (!hvcsd || hvcsd->port.count <= 0)
45412 + if (!hvcsd || atomic_read(&hvcsd->port.count) <= 0)
45415 return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;
45416 diff --git a/drivers/tty/ipwireless/tty.c b/drivers/tty/ipwireless/tty.c
45417 index 8fd72ff..34a0bed 100644
45418 --- a/drivers/tty/ipwireless/tty.c
45419 +++ b/drivers/tty/ipwireless/tty.c
45421 #include <linux/tty_driver.h>
45422 #include <linux/tty_flip.h>
45423 #include <linux/uaccess.h>
45424 +#include <asm/local.h>
45427 #include "network.h"
45428 @@ -99,10 +100,10 @@ static int ipw_open(struct tty_struct *linux_tty, struct file *filp)
45429 mutex_unlock(&tty->ipw_tty_mutex);
45432 - if (tty->port.count == 0)
45433 + if (atomic_read(&tty->port.count) == 0)
45434 tty->tx_bytes_queued = 0;
45436 - tty->port.count++;
45437 + atomic_inc(&tty->port.count);
45439 tty->port.tty = linux_tty;
45440 linux_tty->driver_data = tty;
45441 @@ -118,9 +119,7 @@ static int ipw_open(struct tty_struct *linux_tty, struct file *filp)
45443 static void do_ipw_close(struct ipw_tty *tty)
45445 - tty->port.count--;
45447 - if (tty->port.count == 0) {
45448 + if (atomic_dec_return(&tty->port.count) == 0) {
45449 struct tty_struct *linux_tty = tty->port.tty;
45451 if (linux_tty != NULL) {
45452 @@ -141,7 +140,7 @@ static void ipw_hangup(struct tty_struct *linux_tty)
45455 mutex_lock(&tty->ipw_tty_mutex);
45456 - if (tty->port.count == 0) {
45457 + if (atomic_read(&tty->port.count) == 0) {
45458 mutex_unlock(&tty->ipw_tty_mutex);
45461 @@ -164,7 +163,7 @@ void ipwireless_tty_received(struct ipw_tty *tty, unsigned char *data,
45463 mutex_lock(&tty->ipw_tty_mutex);
45465 - if (!tty->port.count) {
45466 + if (!atomic_read(&tty->port.count)) {
45467 mutex_unlock(&tty->ipw_tty_mutex);
45470 @@ -206,7 +205,7 @@ static int ipw_write(struct tty_struct *linux_tty,
45473 mutex_lock(&tty->ipw_tty_mutex);
45474 - if (!tty->port.count) {
45475 + if (!atomic_read(&tty->port.count)) {
45476 mutex_unlock(&tty->ipw_tty_mutex);
45479 @@ -246,7 +245,7 @@ static int ipw_write_room(struct tty_struct *linux_tty)
45483 - if (!tty->port.count)
45484 + if (!atomic_read(&tty->port.count))
45487 room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued;
45488 @@ -288,7 +287,7 @@ static int ipw_chars_in_buffer(struct tty_struct *linux_tty)
45492 - if (!tty->port.count)
45493 + if (!atomic_read(&tty->port.count))
45496 return tty->tx_bytes_queued;
45497 @@ -369,7 +368,7 @@ static int ipw_tiocmget(struct tty_struct *linux_tty)
45501 - if (!tty->port.count)
45502 + if (!atomic_read(&tty->port.count))
45505 return get_control_lines(tty);
45506 @@ -385,7 +384,7 @@ ipw_tiocmset(struct tty_struct *linux_tty,
45510 - if (!tty->port.count)
45511 + if (!atomic_read(&tty->port.count))
45514 return set_control_lines(tty, set, clear);
45515 @@ -399,7 +398,7 @@ static int ipw_ioctl(struct tty_struct *linux_tty,
45519 - if (!tty->port.count)
45520 + if (!atomic_read(&tty->port.count))
45523 /* FIXME: Exactly how is the tty object locked here .. */
45524 @@ -555,7 +554,7 @@ void ipwireless_tty_free(struct ipw_tty *tty)
45526 mutex_lock(&ttyj->ipw_tty_mutex);
45528 - while (ttyj->port.count)
45529 + while (atomic_read(&ttyj->port.count))
45530 do_ipw_close(ttyj);
45531 ipwireless_disassociate_network_ttys(network,
45532 ttyj->channel_idx);
45533 diff --git a/drivers/tty/moxa.c b/drivers/tty/moxa.c
45534 index 1deaca4..c8582d4 100644
45535 --- a/drivers/tty/moxa.c
45536 +++ b/drivers/tty/moxa.c
45537 @@ -1189,7 +1189,7 @@ static int moxa_open(struct tty_struct *tty, struct file *filp)
45540 ch = &brd->ports[port % MAX_PORTS_PER_BOARD];
45541 - ch->port.count++;
45542 + atomic_inc(&ch->port.count);
45543 tty->driver_data = ch;
45544 tty_port_tty_set(&ch->port, tty);
45545 mutex_lock(&ch->port.mutex);
45546 diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c
45547 index 6422390..49003ac8 100644
45548 --- a/drivers/tty/n_gsm.c
45549 +++ b/drivers/tty/n_gsm.c
45550 @@ -1632,7 +1632,7 @@ static struct gsm_dlci *gsm_dlci_alloc(struct gsm_mux *gsm, int addr)
45551 spin_lock_init(&dlci->lock);
45552 mutex_init(&dlci->mutex);
45553 dlci->fifo = &dlci->_fifo;
45554 - if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL) < 0) {
45555 + if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL)) {
45559 @@ -2932,7 +2932,7 @@ static int gsmtty_open(struct tty_struct *tty, struct file *filp)
45560 struct gsm_dlci *dlci = tty->driver_data;
45561 struct tty_port *port = &dlci->port;
45564 + atomic_inc(&port->count);
45566 dlci_get(dlci->gsm->dlci[0]);
45567 mux_get(dlci->gsm);
45568 diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
45569 index 6c7fe90..9241dab 100644
45570 --- a/drivers/tty/n_tty.c
45571 +++ b/drivers/tty/n_tty.c
45572 @@ -2203,6 +2203,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops)
45574 *ops = tty_ldisc_N_TTY;
45576 - ops->refcount = ops->flags = 0;
45577 + atomic_set(&ops->refcount, 0);
45580 EXPORT_SYMBOL_GPL(n_tty_inherit_ops);
45581 diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c
45582 index abfd990..5ab5da9 100644
45583 --- a/drivers/tty/pty.c
45584 +++ b/drivers/tty/pty.c
45585 @@ -796,8 +796,10 @@ static void __init unix98_pty_init(void)
45586 panic("Couldn't register Unix98 pts driver");
45588 /* Now create the /dev/ptmx special device */
45589 + pax_open_kernel();
45590 tty_default_fops(&ptmx_fops);
45591 - ptmx_fops.open = ptmx_open;
45592 + *(void **)&ptmx_fops.open = ptmx_open;
45593 + pax_close_kernel();
45595 cdev_init(&ptmx_cdev, &ptmx_fops);
45596 if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
45597 diff --git a/drivers/tty/rocket.c b/drivers/tty/rocket.c
45598 index 354564e..fe50d9a 100644
45599 --- a/drivers/tty/rocket.c
45600 +++ b/drivers/tty/rocket.c
45601 @@ -914,7 +914,7 @@ static int rp_open(struct tty_struct *tty, struct file *filp)
45602 tty->driver_data = info;
45603 tty_port_tty_set(port, tty);
45605 - if (port->count++ == 0) {
45606 + if (atomic_inc_return(&port->count) == 1) {
45607 atomic_inc(&rp_num_ports_open);
45609 #ifdef ROCKET_DEBUG_OPEN
45610 @@ -923,7 +923,7 @@ static int rp_open(struct tty_struct *tty, struct file *filp)
45613 #ifdef ROCKET_DEBUG_OPEN
45614 - printk(KERN_INFO "rp_open ttyR%d, count=%d\n", info->line, info->port.count);
45615 + printk(KERN_INFO "rp_open ttyR%d, count=%d\n", info->line, atomic-read(&info->port.count));
45619 @@ -1515,7 +1515,7 @@ static void rp_hangup(struct tty_struct *tty)
45620 spin_unlock_irqrestore(&info->port.lock, flags);
45623 - if (info->port.count)
45624 + if (atomic_read(&info->port.count))
45625 atomic_dec(&rp_num_ports_open);
45626 clear_bit((info->aiop * 8) + info->chan, (void *) &xmit_flags[info->board]);
45627 spin_unlock_irqrestore(&info->port.lock, flags);
45628 diff --git a/drivers/tty/serial/kgdboc.c b/drivers/tty/serial/kgdboc.c
45629 index 1002054..dd644a8 100644
45630 --- a/drivers/tty/serial/kgdboc.c
45631 +++ b/drivers/tty/serial/kgdboc.c
45633 #define MAX_CONFIG_LEN 40
45635 static struct kgdb_io kgdboc_io_ops;
45636 +static struct kgdb_io kgdboc_io_ops_console;
45638 -/* -1 = init not run yet, 0 = unconfigured, 1 = configured. */
45639 +/* -1 = init not run yet, 0 = unconfigured, 1/2 = configured. */
45640 static int configured = -1;
45642 static char config[MAX_CONFIG_LEN];
45643 @@ -151,6 +152,8 @@ static void cleanup_kgdboc(void)
45644 kgdboc_unregister_kbd();
45645 if (configured == 1)
45646 kgdb_unregister_io_module(&kgdboc_io_ops);
45647 + else if (configured == 2)
45648 + kgdb_unregister_io_module(&kgdboc_io_ops_console);
45651 static int configure_kgdboc(void)
45652 @@ -160,13 +163,13 @@ static int configure_kgdboc(void)
45654 char *cptr = config;
45655 struct console *cons;
45656 + int is_console = 0;
45658 err = kgdboc_option_setup(config);
45659 if (err || !strlen(config) || isspace(config[0]))
45663 - kgdboc_io_ops.is_console = 0;
45664 kgdb_tty_driver = NULL;
45666 kgdboc_use_kms = 0;
45667 @@ -187,7 +190,7 @@ static int configure_kgdboc(void)
45669 if (cons->device && cons->device(cons, &idx) == p &&
45671 - kgdboc_io_ops.is_console = 1;
45676 @@ -197,7 +200,13 @@ static int configure_kgdboc(void)
45677 kgdb_tty_line = tty_line;
45680 - err = kgdb_register_io_module(&kgdboc_io_ops);
45681 + if (is_console) {
45682 + err = kgdb_register_io_module(&kgdboc_io_ops_console);
45685 + err = kgdb_register_io_module(&kgdboc_io_ops);
45691 @@ -205,8 +214,6 @@ do_register:
45693 goto nmi_con_failed;
45700 @@ -223,7 +230,7 @@ noconfig:
45701 static int __init init_kgdboc(void)
45703 /* Already configured? */
45704 - if (configured == 1)
45705 + if (configured >= 1)
45708 return configure_kgdboc();
45709 @@ -272,7 +279,7 @@ static int param_set_kgdboc_var(const char *kmessage, struct kernel_param *kp)
45710 if (config[len - 1] == '\n')
45711 config[len - 1] = '\0';
45713 - if (configured == 1)
45714 + if (configured >= 1)
45717 /* Go and configure with the new params. */
45718 @@ -312,6 +319,15 @@ static struct kgdb_io kgdboc_io_ops = {
45719 .post_exception = kgdboc_post_exp_handler,
45722 +static struct kgdb_io kgdboc_io_ops_console = {
45723 + .name = "kgdboc",
45724 + .read_char = kgdboc_get_char,
45725 + .write_char = kgdboc_put_char,
45726 + .pre_exception = kgdboc_pre_exp_handler,
45727 + .post_exception = kgdboc_post_exp_handler,
45731 #ifdef CONFIG_KGDB_SERIAL_CONSOLE
45732 /* This is only available if kgdboc is a built in for early debugging */
45733 static int __init kgdboc_early_init(char *opt)
45734 diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c
45735 index 0c8a9fa..234a95f 100644
45736 --- a/drivers/tty/serial/samsung.c
45737 +++ b/drivers/tty/serial/samsung.c
45738 @@ -453,11 +453,16 @@ static void s3c24xx_serial_shutdown(struct uart_port *port)
45742 +static int s3c64xx_serial_startup(struct uart_port *port);
45743 static int s3c24xx_serial_startup(struct uart_port *port)
45745 struct s3c24xx_uart_port *ourport = to_ourport(port);
45748 + /* Startup sequence is different for s3c64xx and higher SoC's */
45749 + if (s3c24xx_serial_has_interrupt_mask(port))
45750 + return s3c64xx_serial_startup(port);
45752 dbg("s3c24xx_serial_startup: port=%p (%08lx,%p)\n",
45753 port->mapbase, port->membase);
45755 @@ -1124,10 +1129,6 @@ static int s3c24xx_serial_init_port(struct s3c24xx_uart_port *ourport,
45756 /* setup info for port */
45757 port->dev = &platdev->dev;
45759 - /* Startup sequence is different for s3c64xx and higher SoC's */
45760 - if (s3c24xx_serial_has_interrupt_mask(port))
45761 - s3c24xx_serial_ops.startup = s3c64xx_serial_startup;
45765 if (cfg->uart_flags & UPF_CONS_FLOW) {
45766 diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
45767 index f87dbfd..42ad4b1 100644
45768 --- a/drivers/tty/serial/serial_core.c
45769 +++ b/drivers/tty/serial/serial_core.c
45770 @@ -1454,7 +1454,7 @@ static void uart_hangup(struct tty_struct *tty)
45771 uart_flush_buffer(tty);
45772 uart_shutdown(tty, state);
45773 spin_lock_irqsave(&port->lock, flags);
45775 + atomic_set(&port->count, 0);
45776 clear_bit(ASYNCB_NORMAL_ACTIVE, &port->flags);
45777 spin_unlock_irqrestore(&port->lock, flags);
45778 tty_port_tty_set(port, NULL);
45779 @@ -1550,7 +1550,7 @@ static int uart_open(struct tty_struct *tty, struct file *filp)
45784 + atomic_inc(&port->count);
45785 if (!state->uart_port || state->uart_port->flags & UPF_DEAD) {
45787 goto err_dec_count;
45788 @@ -1578,7 +1578,7 @@ static int uart_open(struct tty_struct *tty, struct file *filp)
45790 * Make sure the device is in D0 state.
45792 - if (port->count == 1)
45793 + if (atomic_read(&port->count) == 1)
45794 uart_change_pm(state, UART_PM_STATE_ON);
45797 @@ -1596,7 +1596,7 @@ static int uart_open(struct tty_struct *tty, struct file *filp)
45802 + atomic_inc(&port->count);
45803 mutex_unlock(&port->mutex);
45806 diff --git a/drivers/tty/synclink.c b/drivers/tty/synclink.c
45807 index 8eaf1ab..85c030d 100644
45808 --- a/drivers/tty/synclink.c
45809 +++ b/drivers/tty/synclink.c
45810 @@ -3090,7 +3090,7 @@ static void mgsl_close(struct tty_struct *tty, struct file * filp)
45812 if (debug_level >= DEBUG_LEVEL_INFO)
45813 printk("%s(%d):mgsl_close(%s) entry, count=%d\n",
45814 - __FILE__,__LINE__, info->device_name, info->port.count);
45815 + __FILE__,__LINE__, info->device_name, atomic_read(&info->port.count));
45817 if (tty_port_close_start(&info->port, tty, filp) == 0)
45819 @@ -3108,7 +3108,7 @@ static void mgsl_close(struct tty_struct *tty, struct file * filp)
45821 if (debug_level >= DEBUG_LEVEL_INFO)
45822 printk("%s(%d):mgsl_close(%s) exit, count=%d\n", __FILE__,__LINE__,
45823 - tty->driver->name, info->port.count);
45824 + tty->driver->name, atomic_read(&info->port.count));
45826 } /* end of mgsl_close() */
45828 @@ -3207,8 +3207,8 @@ static void mgsl_hangup(struct tty_struct *tty)
45830 mgsl_flush_buffer(tty);
45833 - info->port.count = 0;
45835 + atomic_set(&info->port.count, 0);
45836 info->port.flags &= ~ASYNC_NORMAL_ACTIVE;
45837 info->port.tty = NULL;
45839 @@ -3297,12 +3297,12 @@ static int block_til_ready(struct tty_struct *tty, struct file * filp,
45841 if (debug_level >= DEBUG_LEVEL_INFO)
45842 printk("%s(%d):block_til_ready before block on %s count=%d\n",
45843 - __FILE__,__LINE__, tty->driver->name, port->count );
45844 + __FILE__,__LINE__, tty->driver->name, atomic_read(&port->count));
45846 spin_lock_irqsave(&info->irq_spinlock, flags);
45847 if (!tty_hung_up_p(filp)) {
45848 extra_count = true;
45850 + atomic_dec(&port->count);
45852 spin_unlock_irqrestore(&info->irq_spinlock, flags);
45853 port->blocked_open++;
45854 @@ -3331,7 +3331,7 @@ static int block_til_ready(struct tty_struct *tty, struct file * filp,
45856 if (debug_level >= DEBUG_LEVEL_INFO)
45857 printk("%s(%d):block_til_ready blocking on %s count=%d\n",
45858 - __FILE__,__LINE__, tty->driver->name, port->count );
45859 + __FILE__,__LINE__, tty->driver->name, atomic_read(&port->count));
45863 @@ -3343,12 +3343,12 @@ static int block_til_ready(struct tty_struct *tty, struct file * filp,
45865 /* FIXME: Racy on hangup during close wait */
45868 + atomic_inc(&port->count);
45869 port->blocked_open--;
45871 if (debug_level >= DEBUG_LEVEL_INFO)
45872 printk("%s(%d):block_til_ready after blocking on %s count=%d\n",
45873 - __FILE__,__LINE__, tty->driver->name, port->count );
45874 + __FILE__,__LINE__, tty->driver->name, atomic_read(&port->count));
45877 port->flags |= ASYNC_NORMAL_ACTIVE;
45878 @@ -3400,7 +3400,7 @@ static int mgsl_open(struct tty_struct *tty, struct file * filp)
45880 if (debug_level >= DEBUG_LEVEL_INFO)
45881 printk("%s(%d):mgsl_open(%s), old ref count = %d\n",
45882 - __FILE__,__LINE__,tty->driver->name, info->port.count);
45883 + __FILE__,__LINE__,tty->driver->name, atomic_read(&info->port.count));
45885 /* If port is closing, signal caller to try again */
45886 if (tty_hung_up_p(filp) || info->port.flags & ASYNC_CLOSING){
45887 @@ -3419,10 +3419,10 @@ static int mgsl_open(struct tty_struct *tty, struct file * filp)
45888 spin_unlock_irqrestore(&info->netlock, flags);
45891 - info->port.count++;
45892 + atomic_inc(&info->port.count);
45893 spin_unlock_irqrestore(&info->netlock, flags);
45895 - if (info->port.count == 1) {
45896 + if (atomic_read(&info->port.count) == 1) {
45897 /* 1st open on this device, init hardware */
45898 retval = startup(info);
45900 @@ -3446,8 +3446,8 @@ cleanup:
45902 if (tty->count == 1)
45903 info->port.tty = NULL; /* tty layer will release tty struct */
45904 - if(info->port.count)
45905 - info->port.count--;
45906 + if (atomic_read(&info->port.count))
45907 + atomic_dec(&info->port.count);
45911 @@ -7665,7 +7665,7 @@ static int hdlcdev_attach(struct net_device *dev, unsigned short encoding,
45912 unsigned short new_crctype;
45914 /* return error if TTY interface open */
45915 - if (info->port.count)
45916 + if (atomic_read(&info->port.count))
45920 @@ -7760,7 +7760,7 @@ static int hdlcdev_open(struct net_device *dev)
45922 /* arbitrate between network and tty opens */
45923 spin_lock_irqsave(&info->netlock, flags);
45924 - if (info->port.count != 0 || info->netcount != 0) {
45925 + if (atomic_read(&info->port.count) != 0 || info->netcount != 0) {
45926 printk(KERN_WARNING "%s: hdlc_open returning busy\n", dev->name);
45927 spin_unlock_irqrestore(&info->netlock, flags);
45929 @@ -7846,7 +7846,7 @@ static int hdlcdev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
45930 printk("%s:hdlcdev_ioctl(%s)\n",__FILE__,dev->name);
45932 /* return error if TTY interface open */
45933 - if (info->port.count)
45934 + if (atomic_read(&info->port.count))
45937 if (cmd != SIOCWANDEV)
45938 diff --git a/drivers/tty/synclink_gt.c b/drivers/tty/synclink_gt.c
45939 index 1abf946..1ee34fc 100644
45940 --- a/drivers/tty/synclink_gt.c
45941 +++ b/drivers/tty/synclink_gt.c
45942 @@ -670,7 +670,7 @@ static int open(struct tty_struct *tty, struct file *filp)
45943 tty->driver_data = info;
45944 info->port.tty = tty;
45946 - DBGINFO(("%s open, old ref count = %d\n", info->device_name, info->port.count));
45947 + DBGINFO(("%s open, old ref count = %d\n", info->device_name, atomic_read(&info->port.count)));
45949 /* If port is closing, signal caller to try again */
45950 if (tty_hung_up_p(filp) || info->port.flags & ASYNC_CLOSING){
45951 @@ -691,10 +691,10 @@ static int open(struct tty_struct *tty, struct file *filp)
45952 mutex_unlock(&info->port.mutex);
45955 - info->port.count++;
45956 + atomic_inc(&info->port.count);
45957 spin_unlock_irqrestore(&info->netlock, flags);
45959 - if (info->port.count == 1) {
45960 + if (atomic_read(&info->port.count) == 1) {
45961 /* 1st open on this device, init hardware */
45962 retval = startup(info);
45964 @@ -715,8 +715,8 @@ cleanup:
45966 if (tty->count == 1)
45967 info->port.tty = NULL; /* tty layer will release tty struct */
45968 - if(info->port.count)
45969 - info->port.count--;
45970 + if(atomic_read(&info->port.count))
45971 + atomic_dec(&info->port.count);
45974 DBGINFO(("%s open rc=%d\n", info->device_name, retval));
45975 @@ -729,7 +729,7 @@ static void close(struct tty_struct *tty, struct file *filp)
45977 if (sanity_check(info, tty->name, "close"))
45979 - DBGINFO(("%s close entry, count=%d\n", info->device_name, info->port.count));
45980 + DBGINFO(("%s close entry, count=%d\n", info->device_name, atomic_read(&info->port.count)));
45982 if (tty_port_close_start(&info->port, tty, filp) == 0)
45984 @@ -746,7 +746,7 @@ static void close(struct tty_struct *tty, struct file *filp)
45985 tty_port_close_end(&info->port, tty);
45986 info->port.tty = NULL;
45988 - DBGINFO(("%s close exit, count=%d\n", tty->driver->name, info->port.count));
45989 + DBGINFO(("%s close exit, count=%d\n", tty->driver->name, atomic_read(&info->port.count)));
45992 static void hangup(struct tty_struct *tty)
45993 @@ -764,7 +764,7 @@ static void hangup(struct tty_struct *tty)
45996 spin_lock_irqsave(&info->port.lock, flags);
45997 - info->port.count = 0;
45998 + atomic_set(&info->port.count, 0);
45999 info->port.flags &= ~ASYNC_NORMAL_ACTIVE;
46000 info->port.tty = NULL;
46001 spin_unlock_irqrestore(&info->port.lock, flags);
46002 @@ -1449,7 +1449,7 @@ static int hdlcdev_attach(struct net_device *dev, unsigned short encoding,
46003 unsigned short new_crctype;
46005 /* return error if TTY interface open */
46006 - if (info->port.count)
46007 + if (atomic_read(&info->port.count))
46010 DBGINFO(("%s hdlcdev_attach\n", info->device_name));
46011 @@ -1544,7 +1544,7 @@ static int hdlcdev_open(struct net_device *dev)
46013 /* arbitrate between network and tty opens */
46014 spin_lock_irqsave(&info->netlock, flags);
46015 - if (info->port.count != 0 || info->netcount != 0) {
46016 + if (atomic_read(&info->port.count) != 0 || info->netcount != 0) {
46017 DBGINFO(("%s hdlc_open busy\n", dev->name));
46018 spin_unlock_irqrestore(&info->netlock, flags);
46020 @@ -1629,7 +1629,7 @@ static int hdlcdev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
46021 DBGINFO(("%s hdlcdev_ioctl\n", dev->name));
46023 /* return error if TTY interface open */
46024 - if (info->port.count)
46025 + if (atomic_read(&info->port.count))
46028 if (cmd != SIOCWANDEV)
46029 @@ -2413,7 +2413,7 @@ static irqreturn_t slgt_interrupt(int dummy, void *dev_id)
46032 spin_lock(&port->lock);
46033 - if ((port->port.count || port->netcount) &&
46034 + if ((atomic_read(&port->port.count) || port->netcount) &&
46035 port->pending_bh && !port->bh_running &&
46036 !port->bh_requested) {
46037 DBGISR(("%s bh queued\n", port->device_name));
46038 @@ -3302,7 +3302,7 @@ static int block_til_ready(struct tty_struct *tty, struct file *filp,
46039 spin_lock_irqsave(&info->lock, flags);
46040 if (!tty_hung_up_p(filp)) {
46041 extra_count = true;
46043 + atomic_dec(&port->count);
46045 spin_unlock_irqrestore(&info->lock, flags);
46046 port->blocked_open++;
46047 @@ -3339,7 +3339,7 @@ static int block_til_ready(struct tty_struct *tty, struct file *filp,
46048 remove_wait_queue(&port->open_wait, &wait);
46052 + atomic_inc(&port->count);
46053 port->blocked_open--;
46056 diff --git a/drivers/tty/synclinkmp.c b/drivers/tty/synclinkmp.c
46057 index ff17138..e38b41e 100644
46058 --- a/drivers/tty/synclinkmp.c
46059 +++ b/drivers/tty/synclinkmp.c
46060 @@ -750,7 +750,7 @@ static int open(struct tty_struct *tty, struct file *filp)
46062 if (debug_level >= DEBUG_LEVEL_INFO)
46063 printk("%s(%d):%s open(), old ref count = %d\n",
46064 - __FILE__,__LINE__,tty->driver->name, info->port.count);
46065 + __FILE__,__LINE__,tty->driver->name, atomic_read(&info->port.count));
46067 /* If port is closing, signal caller to try again */
46068 if (tty_hung_up_p(filp) || info->port.flags & ASYNC_CLOSING){
46069 @@ -769,10 +769,10 @@ static int open(struct tty_struct *tty, struct file *filp)
46070 spin_unlock_irqrestore(&info->netlock, flags);
46073 - info->port.count++;
46074 + atomic_inc(&info->port.count);
46075 spin_unlock_irqrestore(&info->netlock, flags);
46077 - if (info->port.count == 1) {
46078 + if (atomic_read(&info->port.count) == 1) {
46079 /* 1st open on this device, init hardware */
46080 retval = startup(info);
46082 @@ -796,8 +796,8 @@ cleanup:
46084 if (tty->count == 1)
46085 info->port.tty = NULL; /* tty layer will release tty struct */
46086 - if(info->port.count)
46087 - info->port.count--;
46088 + if(atomic_read(&info->port.count))
46089 + atomic_dec(&info->port.count);
46093 @@ -815,7 +815,7 @@ static void close(struct tty_struct *tty, struct file *filp)
46095 if (debug_level >= DEBUG_LEVEL_INFO)
46096 printk("%s(%d):%s close() entry, count=%d\n",
46097 - __FILE__,__LINE__, info->device_name, info->port.count);
46098 + __FILE__,__LINE__, info->device_name, atomic_read(&info->port.count));
46100 if (tty_port_close_start(&info->port, tty, filp) == 0)
46102 @@ -834,7 +834,7 @@ static void close(struct tty_struct *tty, struct file *filp)
46104 if (debug_level >= DEBUG_LEVEL_INFO)
46105 printk("%s(%d):%s close() exit, count=%d\n", __FILE__,__LINE__,
46106 - tty->driver->name, info->port.count);
46107 + tty->driver->name, atomic_read(&info->port.count));
46110 /* Called by tty_hangup() when a hangup is signaled.
46111 @@ -857,7 +857,7 @@ static void hangup(struct tty_struct *tty)
46114 spin_lock_irqsave(&info->port.lock, flags);
46115 - info->port.count = 0;
46116 + atomic_set(&info->port.count, 0);
46117 info->port.flags &= ~ASYNC_NORMAL_ACTIVE;
46118 info->port.tty = NULL;
46119 spin_unlock_irqrestore(&info->port.lock, flags);
46120 @@ -1565,7 +1565,7 @@ static int hdlcdev_attach(struct net_device *dev, unsigned short encoding,
46121 unsigned short new_crctype;
46123 /* return error if TTY interface open */
46124 - if (info->port.count)
46125 + if (atomic_read(&info->port.count))
46129 @@ -1660,7 +1660,7 @@ static int hdlcdev_open(struct net_device *dev)
46131 /* arbitrate between network and tty opens */
46132 spin_lock_irqsave(&info->netlock, flags);
46133 - if (info->port.count != 0 || info->netcount != 0) {
46134 + if (atomic_read(&info->port.count) != 0 || info->netcount != 0) {
46135 printk(KERN_WARNING "%s: hdlc_open returning busy\n", dev->name);
46136 spin_unlock_irqrestore(&info->netlock, flags);
46138 @@ -1746,7 +1746,7 @@ static int hdlcdev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
46139 printk("%s:hdlcdev_ioctl(%s)\n",__FILE__,dev->name);
46141 /* return error if TTY interface open */
46142 - if (info->port.count)
46143 + if (atomic_read(&info->port.count))
46146 if (cmd != SIOCWANDEV)
46147 @@ -2620,7 +2620,7 @@ static irqreturn_t synclinkmp_interrupt(int dummy, void *dev_id)
46148 * do not request bottom half processing if the
46149 * device is not open in a normal mode.
46151 - if ( port && (port->port.count || port->netcount) &&
46152 + if ( port && (atomic_read(&port->port.count) || port->netcount) &&
46153 port->pending_bh && !port->bh_running &&
46154 !port->bh_requested ) {
46155 if ( debug_level >= DEBUG_LEVEL_ISR )
46156 @@ -3318,12 +3318,12 @@ static int block_til_ready(struct tty_struct *tty, struct file *filp,
46158 if (debug_level >= DEBUG_LEVEL_INFO)
46159 printk("%s(%d):%s block_til_ready() before block, count=%d\n",
46160 - __FILE__,__LINE__, tty->driver->name, port->count );
46161 + __FILE__,__LINE__, tty->driver->name, atomic_read(&port->count));
46163 spin_lock_irqsave(&info->lock, flags);
46164 if (!tty_hung_up_p(filp)) {
46165 extra_count = true;
46167 + atomic_dec(&port->count);
46169 spin_unlock_irqrestore(&info->lock, flags);
46170 port->blocked_open++;
46171 @@ -3352,7 +3352,7 @@ static int block_til_ready(struct tty_struct *tty, struct file *filp,
46173 if (debug_level >= DEBUG_LEVEL_INFO)
46174 printk("%s(%d):%s block_til_ready() count=%d\n",
46175 - __FILE__,__LINE__, tty->driver->name, port->count );
46176 + __FILE__,__LINE__, tty->driver->name, atomic_read(&port->count));
46180 @@ -3363,12 +3363,12 @@ static int block_til_ready(struct tty_struct *tty, struct file *filp,
46181 remove_wait_queue(&port->open_wait, &wait);
46185 + atomic_inc(&port->count);
46186 port->blocked_open--;
46188 if (debug_level >= DEBUG_LEVEL_INFO)
46189 printk("%s(%d):%s block_til_ready() after, count=%d\n",
46190 - __FILE__,__LINE__, tty->driver->name, port->count );
46191 + __FILE__,__LINE__, tty->driver->name, atomic_read(&port->count));
46194 port->flags |= ASYNC_NORMAL_ACTIVE;
46195 diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
46196 index b51c154..17d55d1 100644
46197 --- a/drivers/tty/sysrq.c
46198 +++ b/drivers/tty/sysrq.c
46199 @@ -1022,7 +1022,7 @@ EXPORT_SYMBOL(unregister_sysrq_key);
46200 static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
46201 size_t count, loff_t *ppos)
46204 + if (count && capable(CAP_SYS_ADMIN)) {
46207 if (get_user(c, buf))
46208 diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
46209 index 4476682..d77e748 100644
46210 --- a/drivers/tty/tty_io.c
46211 +++ b/drivers/tty/tty_io.c
46212 @@ -3466,7 +3466,7 @@ EXPORT_SYMBOL_GPL(get_current_tty);
46214 void tty_default_fops(struct file_operations *fops)
46216 - *fops = tty_fops;
46217 + memcpy((void *)fops, &tty_fops, sizeof(tty_fops));
46221 diff --git a/drivers/tty/tty_ldisc.c b/drivers/tty/tty_ldisc.c
46222 index 1afe192..73d2c20 100644
46223 --- a/drivers/tty/tty_ldisc.c
46224 +++ b/drivers/tty/tty_ldisc.c
46225 @@ -66,7 +66,7 @@ int tty_register_ldisc(int disc, struct tty_ldisc_ops *new_ldisc)
46226 raw_spin_lock_irqsave(&tty_ldisc_lock, flags);
46227 tty_ldiscs[disc] = new_ldisc;
46228 new_ldisc->num = disc;
46229 - new_ldisc->refcount = 0;
46230 + atomic_set(&new_ldisc->refcount, 0);
46231 raw_spin_unlock_irqrestore(&tty_ldisc_lock, flags);
46234 @@ -94,7 +94,7 @@ int tty_unregister_ldisc(int disc)
46237 raw_spin_lock_irqsave(&tty_ldisc_lock, flags);
46238 - if (tty_ldiscs[disc]->refcount)
46239 + if (atomic_read(&tty_ldiscs[disc]->refcount))
46242 tty_ldiscs[disc] = NULL;
46243 @@ -115,7 +115,7 @@ static struct tty_ldisc_ops *get_ldops(int disc)
46245 ret = ERR_PTR(-EAGAIN);
46246 if (try_module_get(ldops->owner)) {
46247 - ldops->refcount++;
46248 + atomic_inc(&ldops->refcount);
46252 @@ -128,7 +128,7 @@ static void put_ldops(struct tty_ldisc_ops *ldops)
46253 unsigned long flags;
46255 raw_spin_lock_irqsave(&tty_ldisc_lock, flags);
46256 - ldops->refcount--;
46257 + atomic_dec(&ldops->refcount);
46258 module_put(ldops->owner);
46259 raw_spin_unlock_irqrestore(&tty_ldisc_lock, flags);
46261 @@ -196,7 +196,7 @@ static inline void tty_ldisc_put(struct tty_ldisc *ld)
46262 /* unreleased reader reference(s) will cause this WARN */
46263 WARN_ON(!atomic_dec_and_test(&ld->users));
46265 - ld->ops->refcount--;
46266 + atomic_dec(&ld->ops->refcount);
46267 module_put(ld->ops->owner);
46269 raw_spin_unlock_irqrestore(&tty_ldisc_lock, flags);
46270 diff --git a/drivers/tty/tty_port.c b/drivers/tty/tty_port.c
46271 index f597e88..b7f68ed 100644
46272 --- a/drivers/tty/tty_port.c
46273 +++ b/drivers/tty/tty_port.c
46274 @@ -232,7 +232,7 @@ void tty_port_hangup(struct tty_port *port)
46275 unsigned long flags;
46277 spin_lock_irqsave(&port->lock, flags);
46279 + atomic_set(&port->count, 0);
46280 port->flags &= ~ASYNC_NORMAL_ACTIVE;
46283 @@ -390,7 +390,7 @@ int tty_port_block_til_ready(struct tty_port *port,
46284 /* The port lock protects the port counts */
46285 spin_lock_irqsave(&port->lock, flags);
46286 if (!tty_hung_up_p(filp))
46288 + atomic_dec(&port->count);
46289 port->blocked_open++;
46290 spin_unlock_irqrestore(&port->lock, flags);
46292 @@ -432,7 +432,7 @@ int tty_port_block_til_ready(struct tty_port *port,
46293 we must not mess that up further */
46294 spin_lock_irqsave(&port->lock, flags);
46295 if (!tty_hung_up_p(filp))
46297 + atomic_inc(&port->count);
46298 port->blocked_open--;
46300 port->flags |= ASYNC_NORMAL_ACTIVE;
46301 @@ -466,19 +466,19 @@ int tty_port_close_start(struct tty_port *port,
46305 - if (tty->count == 1 && port->count != 1) {
46306 + if (tty->count == 1 && atomic_read(&port->count) != 1) {
46307 printk(KERN_WARNING
46308 "tty_port_close_start: tty->count = 1 port count = %d.\n",
46311 + atomic_read(&port->count));
46312 + atomic_set(&port->count, 1);
46314 - if (--port->count < 0) {
46315 + if (atomic_dec_return(&port->count) < 0) {
46316 printk(KERN_WARNING "tty_port_close_start: count = %d\n",
46319 + atomic_read(&port->count));
46320 + atomic_set(&port->count, 0);
46323 - if (port->count) {
46324 + if (atomic_read(&port->count)) {
46325 spin_unlock_irqrestore(&port->lock, flags);
46326 if (port->ops->drop)
46327 port->ops->drop(port);
46328 @@ -564,7 +564,7 @@ int tty_port_open(struct tty_port *port, struct tty_struct *tty,
46330 spin_lock_irq(&port->lock);
46331 if (!tty_hung_up_p(filp))
46333 + atomic_inc(&port->count);
46334 spin_unlock_irq(&port->lock);
46335 tty_port_tty_set(port, tty);
46337 diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c
46338 index a9af1b9a..1e08e7f 100644
46339 --- a/drivers/tty/vt/keyboard.c
46340 +++ b/drivers/tty/vt/keyboard.c
46341 @@ -647,6 +647,16 @@ static void k_spec(struct vc_data *vc, unsigned char value, char up_flag)
46342 kbd->kbdmode == VC_OFF) &&
46343 value != KVAL(K_SAK))
46344 return; /* SAK is allowed even in raw mode */
46346 +#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
46348 + void *func = fn_handler[value];
46349 + if (func == fn_show_state || func == fn_show_ptregs ||
46350 + func == fn_show_mem)
46355 fn_handler[value](vc);
46358 @@ -1795,9 +1805,6 @@ int vt_do_kdsk_ioctl(int cmd, struct kbentry __user *user_kbe, int perm,
46359 if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry)))
46362 - if (!capable(CAP_SYS_TTY_CONFIG))
46367 /* Ensure another thread doesn't free it under us */
46368 @@ -1812,6 +1819,9 @@ int vt_do_kdsk_ioctl(int cmd, struct kbentry __user *user_kbe, int perm,
46369 spin_unlock_irqrestore(&kbd_event_lock, flags);
46370 return put_user(val, &user_kbe->kb_value);
46372 + if (!capable(CAP_SYS_TTY_CONFIG))
46377 if (!i && v == K_NOSUCHMAP) {
46378 @@ -1902,9 +1912,6 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm)
46382 - if (!capable(CAP_SYS_TTY_CONFIG))
46385 kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
46388 @@ -1938,6 +1945,9 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm)
46390 return ((p && *p) ? -EOVERFLOW : 0);
46392 + if (!capable(CAP_SYS_TTY_CONFIG))
46398 diff --git a/drivers/uio/uio.c b/drivers/uio/uio.c
46399 index b645c47..a55c182 100644
46400 --- a/drivers/uio/uio.c
46401 +++ b/drivers/uio/uio.c
46403 #include <linux/kobject.h>
46404 #include <linux/cdev.h>
46405 #include <linux/uio_driver.h>
46406 +#include <asm/local.h>
46408 #define UIO_MAX_DEVICES (1U << MINORBITS)
46410 @@ -32,10 +33,10 @@ struct uio_device {
46411 struct module *owner;
46412 struct device *dev;
46415 + atomic_unchecked_t event;
46416 struct fasync_struct *async_queue;
46417 wait_queue_head_t wait;
46419 + local_t vma_count;
46420 struct uio_info *info;
46421 struct kobject *map_dir;
46422 struct kobject *portio_dir;
46423 @@ -242,7 +243,7 @@ static ssize_t show_event(struct device *dev,
46424 struct device_attribute *attr, char *buf)
46426 struct uio_device *idev = dev_get_drvdata(dev);
46427 - return sprintf(buf, "%u\n", (unsigned int)atomic_read(&idev->event));
46428 + return sprintf(buf, "%u\n", (unsigned int)atomic_read_unchecked(&idev->event));
46431 static struct device_attribute uio_class_attributes[] = {
46432 @@ -398,7 +399,7 @@ void uio_event_notify(struct uio_info *info)
46434 struct uio_device *idev = info->uio_dev;
46436 - atomic_inc(&idev->event);
46437 + atomic_inc_unchecked(&idev->event);
46438 wake_up_interruptible(&idev->wait);
46439 kill_fasync(&idev->async_queue, SIGIO, POLL_IN);
46441 @@ -451,7 +452,7 @@ static int uio_open(struct inode *inode, struct file *filep)
46444 listener->dev = idev;
46445 - listener->event_count = atomic_read(&idev->event);
46446 + listener->event_count = atomic_read_unchecked(&idev->event);
46447 filep->private_data = listener;
46449 if (idev->info->open) {
46450 @@ -502,7 +503,7 @@ static unsigned int uio_poll(struct file *filep, poll_table *wait)
46453 poll_wait(filep, &idev->wait, wait);
46454 - if (listener->event_count != atomic_read(&idev->event))
46455 + if (listener->event_count != atomic_read_unchecked(&idev->event))
46456 return POLLIN | POLLRDNORM;
46459 @@ -527,7 +528,7 @@ static ssize_t uio_read(struct file *filep, char __user *buf,
46461 set_current_state(TASK_INTERRUPTIBLE);
46463 - event_count = atomic_read(&idev->event);
46464 + event_count = atomic_read_unchecked(&idev->event);
46465 if (event_count != listener->event_count) {
46466 if (copy_to_user(buf, &event_count, count))
46468 @@ -596,13 +597,13 @@ static int uio_find_mem_index(struct vm_area_struct *vma)
46469 static void uio_vma_open(struct vm_area_struct *vma)
46471 struct uio_device *idev = vma->vm_private_data;
46472 - idev->vma_count++;
46473 + local_inc(&idev->vma_count);
46476 static void uio_vma_close(struct vm_area_struct *vma)
46478 struct uio_device *idev = vma->vm_private_data;
46479 - idev->vma_count--;
46480 + local_dec(&idev->vma_count);
46483 static int uio_vma_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
46484 @@ -809,7 +810,7 @@ int __uio_register_device(struct module *owner,
46485 idev->owner = owner;
46487 init_waitqueue_head(&idev->wait);
46488 - atomic_set(&idev->event, 0);
46489 + atomic_set_unchecked(&idev->event, 0);
46491 ret = uio_get_minor(idev);
46493 diff --git a/drivers/usb/atm/cxacru.c b/drivers/usb/atm/cxacru.c
46494 index 8a7eb77..c00402f 100644
46495 --- a/drivers/usb/atm/cxacru.c
46496 +++ b/drivers/usb/atm/cxacru.c
46497 @@ -473,7 +473,7 @@ static ssize_t cxacru_sysfs_store_adsl_config(struct device *dev,
46498 ret = sscanf(buf + pos, "%x=%x%n", &index, &value, &tmp);
46501 - if (index < 0 || index > 0x7f)
46502 + if (index > 0x7f)
46506 diff --git a/drivers/usb/atm/usbatm.c b/drivers/usb/atm/usbatm.c
46507 index d3527dd..26effa2 100644
46508 --- a/drivers/usb/atm/usbatm.c
46509 +++ b/drivers/usb/atm/usbatm.c
46510 @@ -333,7 +333,7 @@ static void usbatm_extract_one_cell(struct usbatm_data *instance, unsigned char
46511 if (printk_ratelimit())
46512 atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n",
46513 __func__, vpi, vci);
46514 - atomic_inc(&vcc->stats->rx_err);
46515 + atomic_inc_unchecked(&vcc->stats->rx_err);
46519 @@ -361,7 +361,7 @@ static void usbatm_extract_one_cell(struct usbatm_data *instance, unsigned char
46520 if (length > ATM_MAX_AAL5_PDU) {
46521 atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n",
46522 __func__, length, vcc);
46523 - atomic_inc(&vcc->stats->rx_err);
46524 + atomic_inc_unchecked(&vcc->stats->rx_err);
46528 @@ -370,14 +370,14 @@ static void usbatm_extract_one_cell(struct usbatm_data *instance, unsigned char
46529 if (sarb->len < pdu_length) {
46530 atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n",
46531 __func__, pdu_length, sarb->len, vcc);
46532 - atomic_inc(&vcc->stats->rx_err);
46533 + atomic_inc_unchecked(&vcc->stats->rx_err);
46537 if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) {
46538 atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n",
46540 - atomic_inc(&vcc->stats->rx_err);
46541 + atomic_inc_unchecked(&vcc->stats->rx_err);
46545 @@ -389,7 +389,7 @@ static void usbatm_extract_one_cell(struct usbatm_data *instance, unsigned char
46546 if (printk_ratelimit())
46547 atm_err(instance, "%s: no memory for skb (length: %u)!\n",
46549 - atomic_inc(&vcc->stats->rx_drop);
46550 + atomic_inc_unchecked(&vcc->stats->rx_drop);
46554 @@ -417,7 +417,7 @@ static void usbatm_extract_one_cell(struct usbatm_data *instance, unsigned char
46556 vcc->push(vcc, skb);
46558 - atomic_inc(&vcc->stats->rx);
46559 + atomic_inc_unchecked(&vcc->stats->rx);
46563 @@ -623,7 +623,7 @@ static void usbatm_tx_process(unsigned long data)
46564 struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc;
46566 usbatm_pop(vcc, skb);
46567 - atomic_inc(&vcc->stats->tx);
46568 + atomic_inc_unchecked(&vcc->stats->tx);
46570 skb = skb_dequeue(&instance->sndqueue);
46572 @@ -779,11 +779,11 @@ static int usbatm_atm_proc_read(struct atm_dev *atm_dev, loff_t * pos, char *pag
46574 return sprintf(page,
46575 "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n",
46576 - atomic_read(&atm_dev->stats.aal5.tx),
46577 - atomic_read(&atm_dev->stats.aal5.tx_err),
46578 - atomic_read(&atm_dev->stats.aal5.rx),
46579 - atomic_read(&atm_dev->stats.aal5.rx_err),
46580 - atomic_read(&atm_dev->stats.aal5.rx_drop));
46581 + atomic_read_unchecked(&atm_dev->stats.aal5.tx),
46582 + atomic_read_unchecked(&atm_dev->stats.aal5.tx_err),
46583 + atomic_read_unchecked(&atm_dev->stats.aal5.rx),
46584 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_err),
46585 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop));
46588 if (instance->disconnected)
46589 diff --git a/drivers/usb/core/devices.c b/drivers/usb/core/devices.c
46590 index 2a3bbdf..91d72cf 100644
46591 --- a/drivers/usb/core/devices.c
46592 +++ b/drivers/usb/core/devices.c
46593 @@ -126,7 +126,7 @@ static const char format_endpt[] =
46594 * time it gets called.
46596 static struct device_connect_event {
46598 + atomic_unchecked_t count;
46599 wait_queue_head_t wait;
46601 .count = ATOMIC_INIT(1),
46602 @@ -164,7 +164,7 @@ static const struct class_info clas_info[] = {
46604 void usbfs_conn_disc_event(void)
46606 - atomic_add(2, &device_event.count);
46607 + atomic_add_unchecked(2, &device_event.count);
46608 wake_up(&device_event.wait);
46611 @@ -652,7 +652,7 @@ static unsigned int usb_device_poll(struct file *file,
46613 poll_wait(file, &device_event.wait, wait);
46615 - event_count = atomic_read(&device_event.count);
46616 + event_count = atomic_read_unchecked(&device_event.count);
46617 if (file->f_version != event_count) {
46618 file->f_version = event_count;
46619 return POLLIN | POLLRDNORM;
46620 diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
46621 index d53547d..6a22d02 100644
46622 --- a/drivers/usb/core/hcd.c
46623 +++ b/drivers/usb/core/hcd.c
46624 @@ -1526,7 +1526,7 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags)
46627 atomic_inc(&urb->use_count);
46628 - atomic_inc(&urb->dev->urbnum);
46629 + atomic_inc_unchecked(&urb->dev->urbnum);
46630 usbmon_urb_submit(&hcd->self, urb);
46632 /* NOTE requirements on root-hub callers (usbfs and the hub
46633 @@ -1553,7 +1553,7 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags)
46634 urb->hcpriv = NULL;
46635 INIT_LIST_HEAD(&urb->urb_list);
46636 atomic_dec(&urb->use_count);
46637 - atomic_dec(&urb->dev->urbnum);
46638 + atomic_dec_unchecked(&urb->dev->urbnum);
46639 if (atomic_read(&urb->reject))
46640 wake_up(&usb_kill_urb_queue);
46642 diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
46643 index 444d30e..f15c850 100644
46644 --- a/drivers/usb/core/message.c
46645 +++ b/drivers/usb/core/message.c
46646 @@ -129,7 +129,7 @@ static int usb_internal_control_msg(struct usb_device *usb_dev,
46647 * method can wait for it to complete. Since you don't have a handle on the
46648 * URB used, you can't cancel the request.
46650 -int usb_control_msg(struct usb_device *dev, unsigned int pipe, __u8 request,
46651 +int __intentional_overflow(-1) usb_control_msg(struct usb_device *dev, unsigned int pipe, __u8 request,
46652 __u8 requesttype, __u16 value, __u16 index, void *data,
46653 __u16 size, int timeout)
46655 diff --git a/drivers/usb/core/sysfs.c b/drivers/usb/core/sysfs.c
46656 index aa38db4..0a08682 100644
46657 --- a/drivers/usb/core/sysfs.c
46658 +++ b/drivers/usb/core/sysfs.c
46659 @@ -239,7 +239,7 @@ show_urbnum(struct device *dev, struct device_attribute *attr, char *buf)
46660 struct usb_device *udev;
46662 udev = to_usb_device(dev);
46663 - return sprintf(buf, "%d\n", atomic_read(&udev->urbnum));
46664 + return sprintf(buf, "%d\n", atomic_read_unchecked(&udev->urbnum));
46666 static DEVICE_ATTR(urbnum, S_IRUGO, show_urbnum, NULL);
46668 diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c
46669 index b10da72..43aa0b2 100644
46670 --- a/drivers/usb/core/usb.c
46671 +++ b/drivers/usb/core/usb.c
46672 @@ -389,7 +389,7 @@ struct usb_device *usb_alloc_dev(struct usb_device *parent,
46673 set_dev_node(&dev->dev, dev_to_node(bus->controller));
46674 dev->state = USB_STATE_ATTACHED;
46675 dev->lpm_disable_count = 1;
46676 - atomic_set(&dev->urbnum, 0);
46677 + atomic_set_unchecked(&dev->urbnum, 0);
46679 INIT_LIST_HEAD(&dev->ep0.urb_list);
46680 dev->ep0.desc.bLength = USB_DT_ENDPOINT_SIZE;
46681 diff --git a/drivers/usb/early/ehci-dbgp.c b/drivers/usb/early/ehci-dbgp.c
46682 index 5e29dde..eca992f 100644
46683 --- a/drivers/usb/early/ehci-dbgp.c
46684 +++ b/drivers/usb/early/ehci-dbgp.c
46685 @@ -98,7 +98,8 @@ static inline u32 dbgp_len_update(u32 x, u32 len)
46688 static struct kgdb_io kgdbdbgp_io_ops;
46689 -#define dbgp_kgdb_mode (dbg_io_ops == &kgdbdbgp_io_ops)
46690 +static struct kgdb_io kgdbdbgp_io_ops_console;
46691 +#define dbgp_kgdb_mode (dbg_io_ops == &kgdbdbgp_io_ops || dbg_io_ops == &kgdbdbgp_io_ops_console)
46693 #define dbgp_kgdb_mode (0)
46695 @@ -1047,6 +1048,13 @@ static struct kgdb_io kgdbdbgp_io_ops = {
46696 .write_char = kgdbdbgp_write_char,
46699 +static struct kgdb_io kgdbdbgp_io_ops_console = {
46700 + .name = "kgdbdbgp",
46701 + .read_char = kgdbdbgp_read_char,
46702 + .write_char = kgdbdbgp_write_char,
46706 static int kgdbdbgp_wait_time;
46708 static int __init kgdbdbgp_parse_config(char *str)
46709 @@ -1062,8 +1070,10 @@ static int __init kgdbdbgp_parse_config(char *str)
46711 kgdbdbgp_wait_time = simple_strtoul(ptr, &ptr, 10);
46713 - kgdb_register_io_module(&kgdbdbgp_io_ops);
46714 - kgdbdbgp_io_ops.is_console = early_dbgp_console.index != -1;
46715 + if (early_dbgp_console.index != -1)
46716 + kgdb_register_io_module(&kgdbdbgp_io_ops_console);
46718 + kgdb_register_io_module(&kgdbdbgp_io_ops);
46722 diff --git a/drivers/usb/gadget/u_serial.c b/drivers/usb/gadget/u_serial.c
46723 index b369292..9f3ba40 100644
46724 --- a/drivers/usb/gadget/u_serial.c
46725 +++ b/drivers/usb/gadget/u_serial.c
46726 @@ -733,9 +733,9 @@ static int gs_open(struct tty_struct *tty, struct file *file)
46727 spin_lock_irq(&port->port_lock);
46729 /* already open? Great. */
46730 - if (port->port.count) {
46731 + if (atomic_read(&port->port.count)) {
46733 - port->port.count++;
46734 + atomic_inc(&port->port.count);
46736 /* currently opening/closing? wait ... */
46737 } else if (port->openclose) {
46738 @@ -794,7 +794,7 @@ static int gs_open(struct tty_struct *tty, struct file *file)
46739 tty->driver_data = port;
46740 port->port.tty = tty;
46742 - port->port.count = 1;
46743 + atomic_set(&port->port.count, 1);
46744 port->openclose = false;
46746 /* if connected, start the I/O stream */
46747 @@ -836,11 +836,11 @@ static void gs_close(struct tty_struct *tty, struct file *file)
46749 spin_lock_irq(&port->port_lock);
46751 - if (port->port.count != 1) {
46752 - if (port->port.count == 0)
46753 + if (atomic_read(&port->port.count) != 1) {
46754 + if (atomic_read(&port->port.count) == 0)
46757 - --port->port.count;
46758 + atomic_dec(&port->port.count);
46762 @@ -850,7 +850,7 @@ static void gs_close(struct tty_struct *tty, struct file *file)
46763 * and sleep if necessary
46765 port->openclose = true;
46766 - port->port.count = 0;
46767 + atomic_set(&port->port.count, 0);
46769 gser = port->port_usb;
46770 if (gser && gser->disconnect)
46771 @@ -1066,7 +1066,7 @@ static int gs_closed(struct gs_port *port)
46774 spin_lock_irq(&port->port_lock);
46775 - cond = (port->port.count == 0) && !port->openclose;
46776 + cond = (atomic_read(&port->port.count) == 0) && !port->openclose;
46777 spin_unlock_irq(&port->port_lock);
46780 @@ -1209,7 +1209,7 @@ int gserial_connect(struct gserial *gser, u8 port_num)
46781 /* if it's already open, start I/O ... and notify the serial
46782 * protocol about open/close status (connect/disconnect).
46784 - if (port->port.count) {
46785 + if (atomic_read(&port->port.count)) {
46786 pr_debug("gserial_connect: start ttyGS%d\n", port->port_num);
46789 @@ -1256,7 +1256,7 @@ void gserial_disconnect(struct gserial *gser)
46791 port->port_usb = NULL;
46792 gser->ioport = NULL;
46793 - if (port->port.count > 0 || port->openclose) {
46794 + if (atomic_read(&port->port.count) > 0 || port->openclose) {
46795 wake_up_interruptible(&port->drain_wait);
46796 if (port->port.tty)
46797 tty_hangup(port->port.tty);
46798 @@ -1272,7 +1272,7 @@ void gserial_disconnect(struct gserial *gser)
46800 /* finally, free any unused/unusable I/O buffers */
46801 spin_lock_irqsave(&port->port_lock, flags);
46802 - if (port->port.count == 0 && !port->openclose)
46803 + if (atomic_read(&port->port.count) == 0 && !port->openclose)
46804 gs_buf_free(&port->port_write_buf);
46805 gs_free_requests(gser->out, &port->read_pool, NULL);
46806 gs_free_requests(gser->out, &port->read_queue, NULL);
46807 diff --git a/drivers/usb/serial/console.c b/drivers/usb/serial/console.c
46808 index 5f3bcd3..bfca43f 100644
46809 --- a/drivers/usb/serial/console.c
46810 +++ b/drivers/usb/serial/console.c
46811 @@ -124,7 +124,7 @@ static int usb_console_setup(struct console *co, char *options)
46815 - ++port->port.count;
46816 + atomic_inc(&port->port.count);
46817 if (!test_bit(ASYNCB_INITIALIZED, &port->port.flags)) {
46818 if (serial->type->set_termios) {
46820 @@ -174,7 +174,7 @@ static int usb_console_setup(struct console *co, char *options)
46822 /* Now that any required fake tty operations are completed restore
46823 * the tty port count */
46824 - --port->port.count;
46825 + atomic_dec(&port->port.count);
46826 /* The console is special in terms of closing the device so
46827 * indicate this port is now acting as a system console. */
46828 port->port.console = 1;
46829 @@ -187,7 +187,7 @@ static int usb_console_setup(struct console *co, char *options)
46833 - port->port.count = 0;
46834 + atomic_set(&port->port.count, 0);
46835 usb_autopm_put_interface(serial->interface);
46836 error_get_interface:
46837 usb_serial_put(serial);
46838 diff --git a/drivers/usb/storage/usb.h b/drivers/usb/storage/usb.h
46839 index 75f70f0..d467e1a 100644
46840 --- a/drivers/usb/storage/usb.h
46841 +++ b/drivers/usb/storage/usb.h
46842 @@ -63,7 +63,7 @@ struct us_unusual_dev {
46845 int (*initFunction)(struct us_data *);
46850 /* Dynamic bitflag definitions (us->dflags): used in set_bit() etc. */
46851 diff --git a/drivers/usb/wusbcore/wa-hc.h b/drivers/usb/wusbcore/wa-hc.h
46852 index d6bea3e..60b250e 100644
46853 --- a/drivers/usb/wusbcore/wa-hc.h
46854 +++ b/drivers/usb/wusbcore/wa-hc.h
46855 @@ -192,7 +192,7 @@ struct wahc {
46856 struct list_head xfer_delayed_list;
46857 spinlock_t xfer_list_lock;
46858 struct work_struct xfer_work;
46859 - atomic_t xfer_id_count;
46860 + atomic_unchecked_t xfer_id_count;
46864 @@ -246,7 +246,7 @@ static inline void wa_init(struct wahc *wa)
46865 INIT_LIST_HEAD(&wa->xfer_delayed_list);
46866 spin_lock_init(&wa->xfer_list_lock);
46867 INIT_WORK(&wa->xfer_work, wa_urb_enqueue_run);
46868 - atomic_set(&wa->xfer_id_count, 1);
46869 + atomic_set_unchecked(&wa->xfer_id_count, 1);
46873 diff --git a/drivers/usb/wusbcore/wa-xfer.c b/drivers/usb/wusbcore/wa-xfer.c
46874 index 028fc83..65bb105 100644
46875 --- a/drivers/usb/wusbcore/wa-xfer.c
46876 +++ b/drivers/usb/wusbcore/wa-xfer.c
46877 @@ -296,7 +296,7 @@ out:
46879 static void wa_xfer_id_init(struct wa_xfer *xfer)
46881 - xfer->id = atomic_add_return(1, &xfer->wa->xfer_id_count);
46882 + xfer->id = atomic_add_return_unchecked(1, &xfer->wa->xfer_id_count);
46886 diff --git a/drivers/vhost/vringh.c b/drivers/vhost/vringh.c
46887 index 5174eba..86e764a 100644
46888 --- a/drivers/vhost/vringh.c
46889 +++ b/drivers/vhost/vringh.c
46890 @@ -800,7 +800,7 @@ static inline int getu16_kern(u16 *val, const u16 *p)
46892 static inline int putu16_kern(u16 *p, u16 val)
46894 - ACCESS_ONCE(*p) = val;
46895 + ACCESS_ONCE_RW(*p) = val;
46899 diff --git a/drivers/video/aty/aty128fb.c b/drivers/video/aty/aty128fb.c
46900 index 8c55011..eed4ae1a 100644
46901 --- a/drivers/video/aty/aty128fb.c
46902 +++ b/drivers/video/aty/aty128fb.c
46903 @@ -149,7 +149,7 @@ enum {
46906 /* Must match above enum */
46907 -static char * const r128_family[] = {
46908 +static const char * const r128_family[] = {
46912 diff --git a/drivers/video/aty/atyfb_base.c b/drivers/video/aty/atyfb_base.c
46913 index 4f27fdc..d3537e6 100644
46914 --- a/drivers/video/aty/atyfb_base.c
46915 +++ b/drivers/video/aty/atyfb_base.c
46916 @@ -1325,10 +1325,14 @@ static int atyfb_set_par(struct fb_info *info)
46917 par->accel_flags = var->accel_flags; /* hack */
46919 if (var->accel_flags) {
46920 - info->fbops->fb_sync = atyfb_sync;
46921 + pax_open_kernel();
46922 + *(void **)&info->fbops->fb_sync = atyfb_sync;
46923 + pax_close_kernel();
46924 info->flags &= ~FBINFO_HWACCEL_DISABLED;
46926 - info->fbops->fb_sync = NULL;
46927 + pax_open_kernel();
46928 + *(void **)&info->fbops->fb_sync = NULL;
46929 + pax_close_kernel();
46930 info->flags |= FBINFO_HWACCEL_DISABLED;
46933 diff --git a/drivers/video/aty/mach64_cursor.c b/drivers/video/aty/mach64_cursor.c
46934 index 95ec042..e6affdd 100644
46935 --- a/drivers/video/aty/mach64_cursor.c
46936 +++ b/drivers/video/aty/mach64_cursor.c
46938 #include <linux/string.h>
46940 #include <asm/io.h>
46941 +#include <asm/pgtable.h>
46944 #include <asm/fbio.h>
46945 @@ -208,7 +209,9 @@ int aty_init_cursor(struct fb_info *info)
46946 info->sprite.buf_align = 16; /* and 64 lines tall. */
46947 info->sprite.flags = FB_PIXMAP_IO;
46949 - info->fbops->fb_cursor = atyfb_cursor;
46950 + pax_open_kernel();
46951 + *(void **)&info->fbops->fb_cursor = atyfb_cursor;
46952 + pax_close_kernel();
46956 diff --git a/drivers/video/backlight/backlight.c b/drivers/video/backlight/backlight.c
46957 index c74e7aa..e3c2790 100644
46958 --- a/drivers/video/backlight/backlight.c
46959 +++ b/drivers/video/backlight/backlight.c
46960 @@ -304,7 +304,7 @@ struct backlight_device *backlight_device_register(const char *name,
46961 new_bd->dev.class = backlight_class;
46962 new_bd->dev.parent = parent;
46963 new_bd->dev.release = bl_device_release;
46964 - dev_set_name(&new_bd->dev, name);
46965 + dev_set_name(&new_bd->dev, "%s", name);
46966 dev_set_drvdata(&new_bd->dev, devdata);
46968 /* Set default properties */
46969 diff --git a/drivers/video/backlight/kb3886_bl.c b/drivers/video/backlight/kb3886_bl.c
46970 index bca6ccc..252107e 100644
46971 --- a/drivers/video/backlight/kb3886_bl.c
46972 +++ b/drivers/video/backlight/kb3886_bl.c
46973 @@ -78,7 +78,7 @@ static struct kb3886bl_machinfo *bl_machinfo;
46974 static unsigned long kb3886bl_flags;
46975 #define KB3886BL_SUSPENDED 0x01
46977 -static struct dmi_system_id __initdata kb3886bl_device_table[] = {
46978 +static const struct dmi_system_id __initconst kb3886bl_device_table[] = {
46980 .ident = "Sahara Touch-iT",
46982 diff --git a/drivers/video/backlight/lcd.c b/drivers/video/backlight/lcd.c
46983 index 34fb6bd..3649fd9 100644
46984 --- a/drivers/video/backlight/lcd.c
46985 +++ b/drivers/video/backlight/lcd.c
46986 @@ -219,7 +219,7 @@ struct lcd_device *lcd_device_register(const char *name, struct device *parent,
46987 new_ld->dev.class = lcd_class;
46988 new_ld->dev.parent = parent;
46989 new_ld->dev.release = lcd_device_release;
46990 - dev_set_name(&new_ld->dev, name);
46991 + dev_set_name(&new_ld->dev, "%s", name);
46992 dev_set_drvdata(&new_ld->dev, devdata);
46994 rc = device_register(&new_ld->dev);
46995 diff --git a/drivers/video/fb_defio.c b/drivers/video/fb_defio.c
46996 index 900aa4e..6d49418 100644
46997 --- a/drivers/video/fb_defio.c
46998 +++ b/drivers/video/fb_defio.c
46999 @@ -206,7 +206,9 @@ void fb_deferred_io_init(struct fb_info *info)
47002 mutex_init(&fbdefio->lock);
47003 - info->fbops->fb_mmap = fb_deferred_io_mmap;
47004 + pax_open_kernel();
47005 + *(void **)&info->fbops->fb_mmap = fb_deferred_io_mmap;
47006 + pax_close_kernel();
47007 INIT_DELAYED_WORK(&info->deferred_work, fb_deferred_io_work);
47008 INIT_LIST_HEAD(&fbdefio->pagelist);
47009 if (fbdefio->delay == 0) /* set a default of 1 s */
47010 @@ -237,7 +239,7 @@ void fb_deferred_io_cleanup(struct fb_info *info)
47011 page->mapping = NULL;
47014 - info->fbops->fb_mmap = NULL;
47015 + *(void **)&info->fbops->fb_mmap = NULL;
47016 mutex_destroy(&fbdefio->lock);
47018 EXPORT_SYMBOL_GPL(fb_deferred_io_cleanup);
47019 diff --git a/drivers/video/fbcmap.c b/drivers/video/fbcmap.c
47020 index 5c3960d..15cf8fc 100644
47021 --- a/drivers/video/fbcmap.c
47022 +++ b/drivers/video/fbcmap.c
47023 @@ -285,8 +285,7 @@ int fb_set_user_cmap(struct fb_cmap_user *cmap, struct fb_info *info)
47027 - if (cmap->start < 0 || (!info->fbops->fb_setcolreg &&
47028 - !info->fbops->fb_setcmap)) {
47029 + if (!info->fbops->fb_setcolreg && !info->fbops->fb_setcmap) {
47033 diff --git a/drivers/video/fbmem.c b/drivers/video/fbmem.c
47034 index 098bfc6..796841d 100644
47035 --- a/drivers/video/fbmem.c
47036 +++ b/drivers/video/fbmem.c
47037 @@ -428,7 +428,7 @@ static void fb_do_show_logo(struct fb_info *info, struct fb_image *image,
47038 image->dx += image->width + 8;
47040 } else if (rotate == FB_ROTATE_UD) {
47041 - for (x = 0; x < num && image->dx >= 0; x++) {
47042 + for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
47043 info->fbops->fb_imageblit(info, image);
47044 image->dx -= image->width + 8;
47046 @@ -440,7 +440,7 @@ static void fb_do_show_logo(struct fb_info *info, struct fb_image *image,
47047 image->dy += image->height + 8;
47049 } else if (rotate == FB_ROTATE_CCW) {
47050 - for (x = 0; x < num && image->dy >= 0; x++) {
47051 + for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
47052 info->fbops->fb_imageblit(info, image);
47053 image->dy -= image->height + 8;
47055 @@ -1166,7 +1166,7 @@ static long do_fb_ioctl(struct fb_info *info, unsigned int cmd,
47057 if (con2fb.console < 1 || con2fb.console > MAX_NR_CONSOLES)
47059 - if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
47060 + if (con2fb.framebuffer >= FB_MAX)
47062 if (!registered_fb[con2fb.framebuffer])
47063 request_module("fb%d", con2fb.framebuffer);
47064 diff --git a/drivers/video/i810/i810_accel.c b/drivers/video/i810/i810_accel.c
47065 index 7672d2e..b56437f 100644
47066 --- a/drivers/video/i810/i810_accel.c
47067 +++ b/drivers/video/i810/i810_accel.c
47068 @@ -73,6 +73,7 @@ static inline int wait_for_space(struct fb_info *info, u32 space)
47071 printk("ringbuffer lockup!!!\n");
47072 + printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
47073 i810_report_error(mmio);
47074 par->dev_flags |= LOCKUP;
47075 info->pixmap.scan_align = 1;
47076 diff --git a/drivers/video/logo/logo_linux_clut224.ppm b/drivers/video/logo/logo_linux_clut224.ppm
47077 index 3c14e43..eafa544 100644
47078 --- a/drivers/video/logo/logo_linux_clut224.ppm
47079 +++ b/drivers/video/logo/logo_linux_clut224.ppm
47080 @@ -1,1604 +1,1123 @@
47082 -# Standard 224-color Linux logo
47085 - 0 0 0 0 0 0 0 0 0 0 0 0
47086 - 0 0 0 0 0 0 0 0 0 0 0 0
47087 - 0 0 0 0 0 0 0 0 0 0 0 0
47088 - 0 0 0 0 0 0 0 0 0 0 0 0
47089 - 0 0 0 0 0 0 0 0 0 0 0 0
47090 - 0 0 0 0 0 0 0 0 0 0 0 0
47091 - 0 0 0 0 0 0 0 0 0 0 0 0
47092 - 0 0 0 0 0 0 0 0 0 0 0 0
47093 - 0 0 0 0 0 0 0 0 0 0 0 0
47094 - 6 6 6 6 6 6 10 10 10 10 10 10
47095 - 10 10 10 6 6 6 6 6 6 6 6 6
47096 - 0 0 0 0 0 0 0 0 0 0 0 0
47097 - 0 0 0 0 0 0 0 0 0 0 0 0
47098 - 0 0 0 0 0 0 0 0 0 0 0 0
47099 - 0 0 0 0 0 0 0 0 0 0 0 0
47100 - 0 0 0 0 0 0 0 0 0 0 0 0
47101 - 0 0 0 0 0 0 0 0 0 0 0 0
47102 - 0 0 0 0 0 0 0 0 0 0 0 0
47103 - 0 0 0 0 0 0 0 0 0 0 0 0
47104 - 0 0 0 0 0 0 0 0 0 0 0 0
47105 - 0 0 0 0 0 0 0 0 0 0 0 0
47106 - 0 0 0 0 0 0 0 0 0 0 0 0
47107 - 0 0 0 0 0 0 0 0 0 0 0 0
47108 - 0 0 0 0 0 0 0 0 0 0 0 0
47109 - 0 0 0 0 0 0 0 0 0 0 0 0
47110 - 0 0 0 0 0 0 0 0 0 0 0 0
47111 - 0 0 0 0 0 0 0 0 0 0 0 0
47112 - 0 0 0 0 0 0 0 0 0 0 0 0
47113 - 0 0 0 6 6 6 10 10 10 14 14 14
47114 - 22 22 22 26 26 26 30 30 30 34 34 34
47115 - 30 30 30 30 30 30 26 26 26 18 18 18
47116 - 14 14 14 10 10 10 6 6 6 0 0 0
47117 - 0 0 0 0 0 0 0 0 0 0 0 0
47118 - 0 0 0 0 0 0 0 0 0 0 0 0
47119 - 0 0 0 0 0 0 0 0 0 0 0 0
47120 - 0 0 0 0 0 0 0 0 0 0 0 0
47121 - 0 0 0 0 0 0 0 0 0 0 0 0
47122 - 0 0 0 0 0 0 0 0 0 0 0 0
47123 - 0 0 0 0 0 0 0 0 0 0 0 0
47124 - 0 0 0 0 0 0 0 0 0 0 0 0
47125 - 0 0 0 0 0 0 0 0 0 0 0 0
47126 - 0 0 0 0 0 1 0 0 1 0 0 0
47127 - 0 0 0 0 0 0 0 0 0 0 0 0
47128 - 0 0 0 0 0 0 0 0 0 0 0 0
47129 - 0 0 0 0 0 0 0 0 0 0 0 0
47130 - 0 0 0 0 0 0 0 0 0 0 0 0
47131 - 0 0 0 0 0 0 0 0 0 0 0 0
47132 - 0 0 0 0 0 0 0 0 0 0 0 0
47133 - 6 6 6 14 14 14 26 26 26 42 42 42
47134 - 54 54 54 66 66 66 78 78 78 78 78 78
47135 - 78 78 78 74 74 74 66 66 66 54 54 54
47136 - 42 42 42 26 26 26 18 18 18 10 10 10
47137 - 6 6 6 0 0 0 0 0 0 0 0 0
47138 - 0 0 0 0 0 0 0 0 0 0 0 0
47139 - 0 0 0 0 0 0 0 0 0 0 0 0
47140 - 0 0 0 0 0 0 0 0 0 0 0 0
47141 - 0 0 0 0 0 0 0 0 0 0 0 0
47142 - 0 0 0 0 0 0 0 0 0 0 0 0
47143 - 0 0 0 0 0 0 0 0 0 0 0 0
47144 - 0 0 0 0 0 0 0 0 0 0 0 0
47145 - 0 0 0 0 0 0 0 0 0 0 0 0
47146 - 0 0 1 0 0 0 0 0 0 0 0 0
47147 - 0 0 0 0 0 0 0 0 0 0 0 0
47148 - 0 0 0 0 0 0 0 0 0 0 0 0
47149 - 0 0 0 0 0 0 0 0 0 0 0 0
47150 - 0 0 0 0 0 0 0 0 0 0 0 0
47151 - 0 0 0 0 0 0 0 0 0 0 0 0
47152 - 0 0 0 0 0 0 0 0 0 10 10 10
47153 - 22 22 22 42 42 42 66 66 66 86 86 86
47154 - 66 66 66 38 38 38 38 38 38 22 22 22
47155 - 26 26 26 34 34 34 54 54 54 66 66 66
47156 - 86 86 86 70 70 70 46 46 46 26 26 26
47157 - 14 14 14 6 6 6 0 0 0 0 0 0
47158 - 0 0 0 0 0 0 0 0 0 0 0 0
47159 - 0 0 0 0 0 0 0 0 0 0 0 0
47160 - 0 0 0 0 0 0 0 0 0 0 0 0
47161 - 0 0 0 0 0 0 0 0 0 0 0 0
47162 - 0 0 0 0 0 0 0 0 0 0 0 0
47163 - 0 0 0 0 0 0 0 0 0 0 0 0
47164 - 0 0 0 0 0 0 0 0 0 0 0 0
47165 - 0 0 0 0 0 0 0 0 0 0 0 0
47166 - 0 0 1 0 0 1 0 0 1 0 0 0
47167 - 0 0 0 0 0 0 0 0 0 0 0 0
47168 - 0 0 0 0 0 0 0 0 0 0 0 0
47169 - 0 0 0 0 0 0 0 0 0 0 0 0
47170 - 0 0 0 0 0 0 0 0 0 0 0 0
47171 - 0 0 0 0 0 0 0 0 0 0 0 0
47172 - 0 0 0 0 0 0 10 10 10 26 26 26
47173 - 50 50 50 82 82 82 58 58 58 6 6 6
47174 - 2 2 6 2 2 6 2 2 6 2 2 6
47175 - 2 2 6 2 2 6 2 2 6 2 2 6
47176 - 6 6 6 54 54 54 86 86 86 66 66 66
47177 - 38 38 38 18 18 18 6 6 6 0 0 0
47178 - 0 0 0 0 0 0 0 0 0 0 0 0
47179 - 0 0 0 0 0 0 0 0 0 0 0 0
47180 - 0 0 0 0 0 0 0 0 0 0 0 0
47181 - 0 0 0 0 0 0 0 0 0 0 0 0
47182 - 0 0 0 0 0 0 0 0 0 0 0 0
47183 - 0 0 0 0 0 0 0 0 0 0 0 0
47184 - 0 0 0 0 0 0 0 0 0 0 0 0
47185 - 0 0 0 0 0 0 0 0 0 0 0 0
47186 - 0 0 0 0 0 0 0 0 0 0 0 0
47187 - 0 0 0 0 0 0 0 0 0 0 0 0
47188 - 0 0 0 0 0 0 0 0 0 0 0 0
47189 - 0 0 0 0 0 0 0 0 0 0 0 0
47190 - 0 0 0 0 0 0 0 0 0 0 0 0
47191 - 0 0 0 0 0 0 0 0 0 0 0 0
47192 - 0 0 0 6 6 6 22 22 22 50 50 50
47193 - 78 78 78 34 34 34 2 2 6 2 2 6
47194 - 2 2 6 2 2 6 2 2 6 2 2 6
47195 - 2 2 6 2 2 6 2 2 6 2 2 6
47196 - 2 2 6 2 2 6 6 6 6 70 70 70
47197 - 78 78 78 46 46 46 22 22 22 6 6 6
47198 - 0 0 0 0 0 0 0 0 0 0 0 0
47199 - 0 0 0 0 0 0 0 0 0 0 0 0
47200 - 0 0 0 0 0 0 0 0 0 0 0 0
47201 - 0 0 0 0 0 0 0 0 0 0 0 0
47202 - 0 0 0 0 0 0 0 0 0 0 0 0
47203 - 0 0 0 0 0 0 0 0 0 0 0 0
47204 - 0 0 0 0 0 0 0 0 0 0 0 0
47205 - 0 0 0 0 0 0 0 0 0 0 0 0
47206 - 0 0 1 0 0 1 0 0 1 0 0 0
47207 - 0 0 0 0 0 0 0 0 0 0 0 0
47208 - 0 0 0 0 0 0 0 0 0 0 0 0
47209 - 0 0 0 0 0 0 0 0 0 0 0 0
47210 - 0 0 0 0 0 0 0 0 0 0 0 0
47211 - 0 0 0 0 0 0 0 0 0 0 0 0
47212 - 6 6 6 18 18 18 42 42 42 82 82 82
47213 - 26 26 26 2 2 6 2 2 6 2 2 6
47214 - 2 2 6 2 2 6 2 2 6 2 2 6
47215 - 2 2 6 2 2 6 2 2 6 14 14 14
47216 - 46 46 46 34 34 34 6 6 6 2 2 6
47217 - 42 42 42 78 78 78 42 42 42 18 18 18
47218 - 6 6 6 0 0 0 0 0 0 0 0 0
47219 - 0 0 0 0 0 0 0 0 0 0 0 0
47220 - 0 0 0 0 0 0 0 0 0 0 0 0
47221 - 0 0 0 0 0 0 0 0 0 0 0 0
47222 - 0 0 0 0 0 0 0 0 0 0 0 0
47223 - 0 0 0 0 0 0 0 0 0 0 0 0
47224 - 0 0 0 0 0 0 0 0 0 0 0 0
47225 - 0 0 0 0 0 0 0 0 0 0 0 0
47226 - 0 0 1 0 0 0 0 0 1 0 0 0
47227 - 0 0 0 0 0 0 0 0 0 0 0 0
47228 - 0 0 0 0 0 0 0 0 0 0 0 0
47229 - 0 0 0 0 0 0 0 0 0 0 0 0
47230 - 0 0 0 0 0 0 0 0 0 0 0 0
47231 - 0 0 0 0 0 0 0 0 0 0 0 0
47232 - 10 10 10 30 30 30 66 66 66 58 58 58
47233 - 2 2 6 2 2 6 2 2 6 2 2 6
47234 - 2 2 6 2 2 6 2 2 6 2 2 6
47235 - 2 2 6 2 2 6 2 2 6 26 26 26
47236 - 86 86 86 101 101 101 46 46 46 10 10 10
47237 - 2 2 6 58 58 58 70 70 70 34 34 34
47238 - 10 10 10 0 0 0 0 0 0 0 0 0
47239 - 0 0 0 0 0 0 0 0 0 0 0 0
47240 - 0 0 0 0 0 0 0 0 0 0 0 0
47241 - 0 0 0 0 0 0 0 0 0 0 0 0
47242 - 0 0 0 0 0 0 0 0 0 0 0 0
47243 - 0 0 0 0 0 0 0 0 0 0 0 0
47244 - 0 0 0 0 0 0 0 0 0 0 0 0
47245 - 0 0 0 0 0 0 0 0 0 0 0 0
47246 - 0 0 1 0 0 1 0 0 1 0 0 0
47247 - 0 0 0 0 0 0 0 0 0 0 0 0
47248 - 0 0 0 0 0 0 0 0 0 0 0 0
47249 - 0 0 0 0 0 0 0 0 0 0 0 0
47250 - 0 0 0 0 0 0 0 0 0 0 0 0
47251 - 0 0 0 0 0 0 0 0 0 0 0 0
47252 - 14 14 14 42 42 42 86 86 86 10 10 10
47253 - 2 2 6 2 2 6 2 2 6 2 2 6
47254 - 2 2 6 2 2 6 2 2 6 2 2 6
47255 - 2 2 6 2 2 6 2 2 6 30 30 30
47256 - 94 94 94 94 94 94 58 58 58 26 26 26
47257 - 2 2 6 6 6 6 78 78 78 54 54 54
47258 - 22 22 22 6 6 6 0 0 0 0 0 0
47259 - 0 0 0 0 0 0 0 0 0 0 0 0
47260 - 0 0 0 0 0 0 0 0 0 0 0 0
47261 - 0 0 0 0 0 0 0 0 0 0 0 0
47262 - 0 0 0 0 0 0 0 0 0 0 0 0
47263 - 0 0 0 0 0 0 0 0 0 0 0 0
47264 - 0 0 0 0 0 0 0 0 0 0 0 0
47265 - 0 0 0 0 0 0 0 0 0 0 0 0
47266 - 0 0 0 0 0 0 0 0 0 0 0 0
47267 - 0 0 0 0 0 0 0 0 0 0 0 0
47268 - 0 0 0 0 0 0 0 0 0 0 0 0
47269 - 0 0 0 0 0 0 0 0 0 0 0 0
47270 - 0 0 0 0 0 0 0 0 0 0 0 0
47271 - 0 0 0 0 0 0 0 0 0 6 6 6
47272 - 22 22 22 62 62 62 62 62 62 2 2 6
47273 - 2 2 6 2 2 6 2 2 6 2 2 6
47274 - 2 2 6 2 2 6 2 2 6 2 2 6
47275 - 2 2 6 2 2 6 2 2 6 26 26 26
47276 - 54 54 54 38 38 38 18 18 18 10 10 10
47277 - 2 2 6 2 2 6 34 34 34 82 82 82
47278 - 38 38 38 14 14 14 0 0 0 0 0 0
47279 - 0 0 0 0 0 0 0 0 0 0 0 0
47280 - 0 0 0 0 0 0 0 0 0 0 0 0
47281 - 0 0 0 0 0 0 0 0 0 0 0 0
47282 - 0 0 0 0 0 0 0 0 0 0 0 0
47283 - 0 0 0 0 0 0 0 0 0 0 0 0
47284 - 0 0 0 0 0 0 0 0 0 0 0 0
47285 - 0 0 0 0 0 0 0 0 0 0 0 0
47286 - 0 0 0 0 0 1 0 0 1 0 0 0
47287 - 0 0 0 0 0 0 0 0 0 0 0 0
47288 - 0 0 0 0 0 0 0 0 0 0 0 0
47289 - 0 0 0 0 0 0 0 0 0 0 0 0
47290 - 0 0 0 0 0 0 0 0 0 0 0 0
47291 - 0 0 0 0 0 0 0 0 0 6 6 6
47292 - 30 30 30 78 78 78 30 30 30 2 2 6
47293 - 2 2 6 2 2 6 2 2 6 2 2 6
47294 - 2 2 6 2 2 6 2 2 6 2 2 6
47295 - 2 2 6 2 2 6 2 2 6 10 10 10
47296 - 10 10 10 2 2 6 2 2 6 2 2 6
47297 - 2 2 6 2 2 6 2 2 6 78 78 78
47298 - 50 50 50 18 18 18 6 6 6 0 0 0
47299 - 0 0 0 0 0 0 0 0 0 0 0 0
47300 - 0 0 0 0 0 0 0 0 0 0 0 0
47301 - 0 0 0 0 0 0 0 0 0 0 0 0
47302 - 0 0 0 0 0 0 0 0 0 0 0 0
47303 - 0 0 0 0 0 0 0 0 0 0 0 0
47304 - 0 0 0 0 0 0 0 0 0 0 0 0
47305 - 0 0 0 0 0 0 0 0 0 0 0 0
47306 - 0 0 1 0 0 0 0 0 0 0 0 0
47307 - 0 0 0 0 0 0 0 0 0 0 0 0
47308 - 0 0 0 0 0 0 0 0 0 0 0 0
47309 - 0 0 0 0 0 0 0 0 0 0 0 0
47310 - 0 0 0 0 0 0 0 0 0 0 0 0
47311 - 0 0 0 0 0 0 0 0 0 10 10 10
47312 - 38 38 38 86 86 86 14 14 14 2 2 6
47313 - 2 2 6 2 2 6 2 2 6 2 2 6
47314 - 2 2 6 2 2 6 2 2 6 2 2 6
47315 - 2 2 6 2 2 6 2 2 6 2 2 6
47316 - 2 2 6 2 2 6 2 2 6 2 2 6
47317 - 2 2 6 2 2 6 2 2 6 54 54 54
47318 - 66 66 66 26 26 26 6 6 6 0 0 0
47319 - 0 0 0 0 0 0 0 0 0 0 0 0
47320 - 0 0 0 0 0 0 0 0 0 0 0 0
47321 - 0 0 0 0 0 0 0 0 0 0 0 0
47322 - 0 0 0 0 0 0 0 0 0 0 0 0
47323 - 0 0 0 0 0 0 0 0 0 0 0 0
47324 - 0 0 0 0 0 0 0 0 0 0 0 0
47325 - 0 0 0 0 0 0 0 0 0 0 0 0
47326 - 0 0 0 0 0 1 0 0 1 0 0 0
47327 - 0 0 0 0 0 0 0 0 0 0 0 0
47328 - 0 0 0 0 0 0 0 0 0 0 0 0
47329 - 0 0 0 0 0 0 0 0 0 0 0 0
47330 - 0 0 0 0 0 0 0 0 0 0 0 0
47331 - 0 0 0 0 0 0 0 0 0 14 14 14
47332 - 42 42 42 82 82 82 2 2 6 2 2 6
47333 - 2 2 6 6 6 6 10 10 10 2 2 6
47334 - 2 2 6 2 2 6 2 2 6 2 2 6
47335 - 2 2 6 2 2 6 2 2 6 6 6 6
47336 - 14 14 14 10 10 10 2 2 6 2 2 6
47337 - 2 2 6 2 2 6 2 2 6 18 18 18
47338 - 82 82 82 34 34 34 10 10 10 0 0 0
47339 - 0 0 0 0 0 0 0 0 0 0 0 0
47340 - 0 0 0 0 0 0 0 0 0 0 0 0
47341 - 0 0 0 0 0 0 0 0 0 0 0 0
47342 - 0 0 0 0 0 0 0 0 0 0 0 0
47343 - 0 0 0 0 0 0 0 0 0 0 0 0
47344 - 0 0 0 0 0 0 0 0 0 0 0 0
47345 - 0 0 0 0 0 0 0 0 0 0 0 0
47346 - 0 0 1 0 0 0 0 0 0 0 0 0
47347 - 0 0 0 0 0 0 0 0 0 0 0 0
47348 - 0 0 0 0 0 0 0 0 0 0 0 0
47349 - 0 0 0 0 0 0 0 0 0 0 0 0
47350 - 0 0 0 0 0 0 0 0 0 0 0 0
47351 - 0 0 0 0 0 0 0 0 0 14 14 14
47352 - 46 46 46 86 86 86 2 2 6 2 2 6
47353 - 6 6 6 6 6 6 22 22 22 34 34 34
47354 - 6 6 6 2 2 6 2 2 6 2 2 6
47355 - 2 2 6 2 2 6 18 18 18 34 34 34
47356 - 10 10 10 50 50 50 22 22 22 2 2 6
47357 - 2 2 6 2 2 6 2 2 6 10 10 10
47358 - 86 86 86 42 42 42 14 14 14 0 0 0
47359 - 0 0 0 0 0 0 0 0 0 0 0 0
47360 - 0 0 0 0 0 0 0 0 0 0 0 0
47361 - 0 0 0 0 0 0 0 0 0 0 0 0
47362 - 0 0 0 0 0 0 0 0 0 0 0 0
47363 - 0 0 0 0 0 0 0 0 0 0 0 0
47364 - 0 0 0 0 0 0 0 0 0 0 0 0
47365 - 0 0 0 0 0 0 0 0 0 0 0 0
47366 - 0 0 1 0 0 1 0 0 1 0 0 0
47367 - 0 0 0 0 0 0 0 0 0 0 0 0
47368 - 0 0 0 0 0 0 0 0 0 0 0 0
47369 - 0 0 0 0 0 0 0 0 0 0 0 0
47370 - 0 0 0 0 0 0 0 0 0 0 0 0
47371 - 0 0 0 0 0 0 0 0 0 14 14 14
47372 - 46 46 46 86 86 86 2 2 6 2 2 6
47373 - 38 38 38 116 116 116 94 94 94 22 22 22
47374 - 22 22 22 2 2 6 2 2 6 2 2 6
47375 - 14 14 14 86 86 86 138 138 138 162 162 162
47376 -154 154 154 38 38 38 26 26 26 6 6 6
47377 - 2 2 6 2 2 6 2 2 6 2 2 6
47378 - 86 86 86 46 46 46 14 14 14 0 0 0
47379 - 0 0 0 0 0 0 0 0 0 0 0 0
47380 - 0 0 0 0 0 0 0 0 0 0 0 0
47381 - 0 0 0 0 0 0 0 0 0 0 0 0
47382 - 0 0 0 0 0 0 0 0 0 0 0 0
47383 - 0 0 0 0 0 0 0 0 0 0 0 0
47384 - 0 0 0 0 0 0 0 0 0 0 0 0
47385 - 0 0 0 0 0 0 0 0 0 0 0 0
47386 - 0 0 0 0 0 0 0 0 0 0 0 0
47387 - 0 0 0 0 0 0 0 0 0 0 0 0
47388 - 0 0 0 0 0 0 0 0 0 0 0 0
47389 - 0 0 0 0 0 0 0 0 0 0 0 0
47390 - 0 0 0 0 0 0 0 0 0 0 0 0
47391 - 0 0 0 0 0 0 0 0 0 14 14 14
47392 - 46 46 46 86 86 86 2 2 6 14 14 14
47393 -134 134 134 198 198 198 195 195 195 116 116 116
47394 - 10 10 10 2 2 6 2 2 6 6 6 6
47395 -101 98 89 187 187 187 210 210 210 218 218 218
47396 -214 214 214 134 134 134 14 14 14 6 6 6
47397 - 2 2 6 2 2 6 2 2 6 2 2 6
47398 - 86 86 86 50 50 50 18 18 18 6 6 6
47399 - 0 0 0 0 0 0 0 0 0 0 0 0
47400 - 0 0 0 0 0 0 0 0 0 0 0 0
47401 - 0 0 0 0 0 0 0 0 0 0 0 0
47402 - 0 0 0 0 0 0 0 0 0 0 0 0
47403 - 0 0 0 0 0 0 0 0 0 0 0 0
47404 - 0 0 0 0 0 0 0 0 0 0 0 0
47405 - 0 0 0 0 0 0 0 0 1 0 0 0
47406 - 0 0 1 0 0 1 0 0 1 0 0 0
47407 - 0 0 0 0 0 0 0 0 0 0 0 0
47408 - 0 0 0 0 0 0 0 0 0 0 0 0
47409 - 0 0 0 0 0 0 0 0 0 0 0 0
47410 - 0 0 0 0 0 0 0 0 0 0 0 0
47411 - 0 0 0 0 0 0 0 0 0 14 14 14
47412 - 46 46 46 86 86 86 2 2 6 54 54 54
47413 -218 218 218 195 195 195 226 226 226 246 246 246
47414 - 58 58 58 2 2 6 2 2 6 30 30 30
47415 -210 210 210 253 253 253 174 174 174 123 123 123
47416 -221 221 221 234 234 234 74 74 74 2 2 6
47417 - 2 2 6 2 2 6 2 2 6 2 2 6
47418 - 70 70 70 58 58 58 22 22 22 6 6 6
47419 - 0 0 0 0 0 0 0 0 0 0 0 0
47420 - 0 0 0 0 0 0 0 0 0 0 0 0
47421 - 0 0 0 0 0 0 0 0 0 0 0 0
47422 - 0 0 0 0 0 0 0 0 0 0 0 0
47423 - 0 0 0 0 0 0 0 0 0 0 0 0
47424 - 0 0 0 0 0 0 0 0 0 0 0 0
47425 - 0 0 0 0 0 0 0 0 0 0 0 0
47426 - 0 0 0 0 0 0 0 0 0 0 0 0
47427 - 0 0 0 0 0 0 0 0 0 0 0 0
47428 - 0 0 0 0 0 0 0 0 0 0 0 0
47429 - 0 0 0 0 0 0 0 0 0 0 0 0
47430 - 0 0 0 0 0 0 0 0 0 0 0 0
47431 - 0 0 0 0 0 0 0 0 0 14 14 14
47432 - 46 46 46 82 82 82 2 2 6 106 106 106
47433 -170 170 170 26 26 26 86 86 86 226 226 226
47434 -123 123 123 10 10 10 14 14 14 46 46 46
47435 -231 231 231 190 190 190 6 6 6 70 70 70
47436 - 90 90 90 238 238 238 158 158 158 2 2 6
47437 - 2 2 6 2 2 6 2 2 6 2 2 6
47438 - 70 70 70 58 58 58 22 22 22 6 6 6
47439 - 0 0 0 0 0 0 0 0 0 0 0 0
47440 - 0 0 0 0 0 0 0 0 0 0 0 0
47441 - 0 0 0 0 0 0 0 0 0 0 0 0
47442 - 0 0 0 0 0 0 0 0 0 0 0 0
47443 - 0 0 0 0 0 0 0 0 0 0 0 0
47444 - 0 0 0 0 0 0 0 0 0 0 0 0
47445 - 0 0 0 0 0 0 0 0 1 0 0 0
47446 - 0 0 1 0 0 1 0 0 1 0 0 0
47447 - 0 0 0 0 0 0 0 0 0 0 0 0
47448 - 0 0 0 0 0 0 0 0 0 0 0 0
47449 - 0 0 0 0 0 0 0 0 0 0 0 0
47450 - 0 0 0 0 0 0 0 0 0 0 0 0
47451 - 0 0 0 0 0 0 0 0 0 14 14 14
47452 - 42 42 42 86 86 86 6 6 6 116 116 116
47453 -106 106 106 6 6 6 70 70 70 149 149 149
47454 -128 128 128 18 18 18 38 38 38 54 54 54
47455 -221 221 221 106 106 106 2 2 6 14 14 14
47456 - 46 46 46 190 190 190 198 198 198 2 2 6
47457 - 2 2 6 2 2 6 2 2 6 2 2 6
47458 - 74 74 74 62 62 62 22 22 22 6 6 6
47459 - 0 0 0 0 0 0 0 0 0 0 0 0
47460 - 0 0 0 0 0 0 0 0 0 0 0 0
47461 - 0 0 0 0 0 0 0 0 0 0 0 0
47462 - 0 0 0 0 0 0 0 0 0 0 0 0
47463 - 0 0 0 0 0 0 0 0 0 0 0 0
47464 - 0 0 0 0 0 0 0 0 0 0 0 0
47465 - 0 0 0 0 0 0 0 0 1 0 0 0
47466 - 0 0 1 0 0 0 0 0 1 0 0 0
47467 - 0 0 0 0 0 0 0 0 0 0 0 0
47468 - 0 0 0 0 0 0 0 0 0 0 0 0
47469 - 0 0 0 0 0 0 0 0 0 0 0 0
47470 - 0 0 0 0 0 0 0 0 0 0 0 0
47471 - 0 0 0 0 0 0 0 0 0 14 14 14
47472 - 42 42 42 94 94 94 14 14 14 101 101 101
47473 -128 128 128 2 2 6 18 18 18 116 116 116
47474 -118 98 46 121 92 8 121 92 8 98 78 10
47475 -162 162 162 106 106 106 2 2 6 2 2 6
47476 - 2 2 6 195 195 195 195 195 195 6 6 6
47477 - 2 2 6 2 2 6 2 2 6 2 2 6
47478 - 74 74 74 62 62 62 22 22 22 6 6 6
47479 - 0 0 0 0 0 0 0 0 0 0 0 0
47480 - 0 0 0 0 0 0 0 0 0 0 0 0
47481 - 0 0 0 0 0 0 0 0 0 0 0 0
47482 - 0 0 0 0 0 0 0 0 0 0 0 0
47483 - 0 0 0 0 0 0 0 0 0 0 0 0
47484 - 0 0 0 0 0 0 0 0 0 0 0 0
47485 - 0 0 0 0 0 0 0 0 1 0 0 1
47486 - 0 0 1 0 0 0 0 0 1 0 0 0
47487 - 0 0 0 0 0 0 0 0 0 0 0 0
47488 - 0 0 0 0 0 0 0 0 0 0 0 0
47489 - 0 0 0 0 0 0 0 0 0 0 0 0
47490 - 0 0 0 0 0 0 0 0 0 0 0 0
47491 - 0 0 0 0 0 0 0 0 0 10 10 10
47492 - 38 38 38 90 90 90 14 14 14 58 58 58
47493 -210 210 210 26 26 26 54 38 6 154 114 10
47494 -226 170 11 236 186 11 225 175 15 184 144 12
47495 -215 174 15 175 146 61 37 26 9 2 2 6
47496 - 70 70 70 246 246 246 138 138 138 2 2 6
47497 - 2 2 6 2 2 6 2 2 6 2 2 6
47498 - 70 70 70 66 66 66 26 26 26 6 6 6
47499 - 0 0 0 0 0 0 0 0 0 0 0 0
47500 - 0 0 0 0 0 0 0 0 0 0 0 0
47501 - 0 0 0 0 0 0 0 0 0 0 0 0
47502 - 0 0 0 0 0 0 0 0 0 0 0 0
47503 - 0 0 0 0 0 0 0 0 0 0 0 0
47504 - 0 0 0 0 0 0 0 0 0 0 0 0
47505 - 0 0 0 0 0 0 0 0 0 0 0 0
47506 - 0 0 0 0 0 0 0 0 0 0 0 0
47507 - 0 0 0 0 0 0 0 0 0 0 0 0
47508 - 0 0 0 0 0 0 0 0 0 0 0 0
47509 - 0 0 0 0 0 0 0 0 0 0 0 0
47510 - 0 0 0 0 0 0 0 0 0 0 0 0
47511 - 0 0 0 0 0 0 0 0 0 10 10 10
47512 - 38 38 38 86 86 86 14 14 14 10 10 10
47513 -195 195 195 188 164 115 192 133 9 225 175 15
47514 -239 182 13 234 190 10 232 195 16 232 200 30
47515 -245 207 45 241 208 19 232 195 16 184 144 12
47516 -218 194 134 211 206 186 42 42 42 2 2 6
47517 - 2 2 6 2 2 6 2 2 6 2 2 6
47518 - 50 50 50 74 74 74 30 30 30 6 6 6
47519 - 0 0 0 0 0 0 0 0 0 0 0 0
47520 - 0 0 0 0 0 0 0 0 0 0 0 0
47521 - 0 0 0 0 0 0 0 0 0 0 0 0
47522 - 0 0 0 0 0 0 0 0 0 0 0 0
47523 - 0 0 0 0 0 0 0 0 0 0 0 0
47524 - 0 0 0 0 0 0 0 0 0 0 0 0
47525 - 0 0 0 0 0 0 0 0 0 0 0 0
47526 - 0 0 0 0 0 0 0 0 0 0 0 0
47527 - 0 0 0 0 0 0 0 0 0 0 0 0
47528 - 0 0 0 0 0 0 0 0 0 0 0 0
47529 - 0 0 0 0 0 0 0 0 0 0 0 0
47530 - 0 0 0 0 0 0 0 0 0 0 0 0
47531 - 0 0 0 0 0 0 0 0 0 10 10 10
47532 - 34 34 34 86 86 86 14 14 14 2 2 6
47533 -121 87 25 192 133 9 219 162 10 239 182 13
47534 -236 186 11 232 195 16 241 208 19 244 214 54
47535 -246 218 60 246 218 38 246 215 20 241 208 19
47536 -241 208 19 226 184 13 121 87 25 2 2 6
47537 - 2 2 6 2 2 6 2 2 6 2 2 6
47538 - 50 50 50 82 82 82 34 34 34 10 10 10
47539 - 0 0 0 0 0 0 0 0 0 0 0 0
47540 - 0 0 0 0 0 0 0 0 0 0 0 0
47541 - 0 0 0 0 0 0 0 0 0 0 0 0
47542 - 0 0 0 0 0 0 0 0 0 0 0 0
47543 - 0 0 0 0 0 0 0 0 0 0 0 0
47544 - 0 0 0 0 0 0 0 0 0 0 0 0
47545 - 0 0 0 0 0 0 0 0 0 0 0 0
47546 - 0 0 0 0 0 0 0 0 0 0 0 0
47547 - 0 0 0 0 0 0 0 0 0 0 0 0
47548 - 0 0 0 0 0 0 0 0 0 0 0 0
47549 - 0 0 0 0 0 0 0 0 0 0 0 0
47550 - 0 0 0 0 0 0 0 0 0 0 0 0
47551 - 0 0 0 0 0 0 0 0 0 10 10 10
47552 - 34 34 34 82 82 82 30 30 30 61 42 6
47553 -180 123 7 206 145 10 230 174 11 239 182 13
47554 -234 190 10 238 202 15 241 208 19 246 218 74
47555 -246 218 38 246 215 20 246 215 20 246 215 20
47556 -226 184 13 215 174 15 184 144 12 6 6 6
47557 - 2 2 6 2 2 6 2 2 6 2 2 6
47558 - 26 26 26 94 94 94 42 42 42 14 14 14
47559 - 0 0 0 0 0 0 0 0 0 0 0 0
47560 - 0 0 0 0 0 0 0 0 0 0 0 0
47561 - 0 0 0 0 0 0 0 0 0 0 0 0
47562 - 0 0 0 0 0 0 0 0 0 0 0 0
47563 - 0 0 0 0 0 0 0 0 0 0 0 0
47564 - 0 0 0 0 0 0 0 0 0 0 0 0
47565 - 0 0 0 0 0 0 0 0 0 0 0 0
47566 - 0 0 0 0 0 0 0 0 0 0 0 0
47567 - 0 0 0 0 0 0 0 0 0 0 0 0
47568 - 0 0 0 0 0 0 0 0 0 0 0 0
47569 - 0 0 0 0 0 0 0 0 0 0 0 0
47570 - 0 0 0 0 0 0 0 0 0 0 0 0
47571 - 0 0 0 0 0 0 0 0 0 10 10 10
47572 - 30 30 30 78 78 78 50 50 50 104 69 6
47573 -192 133 9 216 158 10 236 178 12 236 186 11
47574 -232 195 16 241 208 19 244 214 54 245 215 43
47575 -246 215 20 246 215 20 241 208 19 198 155 10
47576 -200 144 11 216 158 10 156 118 10 2 2 6
47577 - 2 2 6 2 2 6 2 2 6 2 2 6
47578 - 6 6 6 90 90 90 54 54 54 18 18 18
47579 - 6 6 6 0 0 0 0 0 0 0 0 0
47580 - 0 0 0 0 0 0 0 0 0 0 0 0
47581 - 0 0 0 0 0 0 0 0 0 0 0 0
47582 - 0 0 0 0 0 0 0 0 0 0 0 0
47583 - 0 0 0 0 0 0 0 0 0 0 0 0
47584 - 0 0 0 0 0 0 0 0 0 0 0 0
47585 - 0 0 0 0 0 0 0 0 0 0 0 0
47586 - 0 0 0 0 0 0 0 0 0 0 0 0
47587 - 0 0 0 0 0 0 0 0 0 0 0 0
47588 - 0 0 0 0 0 0 0 0 0 0 0 0
47589 - 0 0 0 0 0 0 0 0 0 0 0 0
47590 - 0 0 0 0 0 0 0 0 0 0 0 0
47591 - 0 0 0 0 0 0 0 0 0 10 10 10
47592 - 30 30 30 78 78 78 46 46 46 22 22 22
47593 -137 92 6 210 162 10 239 182 13 238 190 10
47594 -238 202 15 241 208 19 246 215 20 246 215 20
47595 -241 208 19 203 166 17 185 133 11 210 150 10
47596 -216 158 10 210 150 10 102 78 10 2 2 6
47597 - 6 6 6 54 54 54 14 14 14 2 2 6
47598 - 2 2 6 62 62 62 74 74 74 30 30 30
47599 - 10 10 10 0 0 0 0 0 0 0 0 0
47600 - 0 0 0 0 0 0 0 0 0 0 0 0
47601 - 0 0 0 0 0 0 0 0 0 0 0 0
47602 - 0 0 0 0 0 0 0 0 0 0 0 0
47603 - 0 0 0 0 0 0 0 0 0 0 0 0
47604 - 0 0 0 0 0 0 0 0 0 0 0 0
47605 - 0 0 0 0 0 0 0 0 0 0 0 0
47606 - 0 0 0 0 0 0 0 0 0 0 0 0
47607 - 0 0 0 0 0 0 0 0 0 0 0 0
47608 - 0 0 0 0 0 0 0 0 0 0 0 0
47609 - 0 0 0 0 0 0 0 0 0 0 0 0
47610 - 0 0 0 0 0 0 0 0 0 0 0 0
47611 - 0 0 0 0 0 0 0 0 0 10 10 10
47612 - 34 34 34 78 78 78 50 50 50 6 6 6
47613 - 94 70 30 139 102 15 190 146 13 226 184 13
47614 -232 200 30 232 195 16 215 174 15 190 146 13
47615 -168 122 10 192 133 9 210 150 10 213 154 11
47616 -202 150 34 182 157 106 101 98 89 2 2 6
47617 - 2 2 6 78 78 78 116 116 116 58 58 58
47618 - 2 2 6 22 22 22 90 90 90 46 46 46
47619 - 18 18 18 6 6 6 0 0 0 0 0 0
47620 - 0 0 0 0 0 0 0 0 0 0 0 0
47621 - 0 0 0 0 0 0 0 0 0 0 0 0
47622 - 0 0 0 0 0 0 0 0 0 0 0 0
47623 - 0 0 0 0 0 0 0 0 0 0 0 0
47624 - 0 0 0 0 0 0 0 0 0 0 0 0
47625 - 0 0 0 0 0 0 0 0 0 0 0 0
47626 - 0 0 0 0 0 0 0 0 0 0 0 0
47627 - 0 0 0 0 0 0 0 0 0 0 0 0
47628 - 0 0 0 0 0 0 0 0 0 0 0 0
47629 - 0 0 0 0 0 0 0 0 0 0 0 0
47630 - 0 0 0 0 0 0 0 0 0 0 0 0
47631 - 0 0 0 0 0 0 0 0 0 10 10 10
47632 - 38 38 38 86 86 86 50 50 50 6 6 6
47633 -128 128 128 174 154 114 156 107 11 168 122 10
47634 -198 155 10 184 144 12 197 138 11 200 144 11
47635 -206 145 10 206 145 10 197 138 11 188 164 115
47636 -195 195 195 198 198 198 174 174 174 14 14 14
47637 - 2 2 6 22 22 22 116 116 116 116 116 116
47638 - 22 22 22 2 2 6 74 74 74 70 70 70
47639 - 30 30 30 10 10 10 0 0 0 0 0 0
47640 - 0 0 0 0 0 0 0 0 0 0 0 0
47641 - 0 0 0 0 0 0 0 0 0 0 0 0
47642 - 0 0 0 0 0 0 0 0 0 0 0 0
47643 - 0 0 0 0 0 0 0 0 0 0 0 0
47644 - 0 0 0 0 0 0 0 0 0 0 0 0
47645 - 0 0 0 0 0 0 0 0 0 0 0 0
47646 - 0 0 0 0 0 0 0 0 0 0 0 0
47647 - 0 0 0 0 0 0 0 0 0 0 0 0
47648 - 0 0 0 0 0 0 0 0 0 0 0 0
47649 - 0 0 0 0 0 0 0 0 0 0 0 0
47650 - 0 0 0 0 0 0 0 0 0 0 0 0
47651 - 0 0 0 0 0 0 6 6 6 18 18 18
47652 - 50 50 50 101 101 101 26 26 26 10 10 10
47653 -138 138 138 190 190 190 174 154 114 156 107 11
47654 -197 138 11 200 144 11 197 138 11 192 133 9
47655 -180 123 7 190 142 34 190 178 144 187 187 187
47656 -202 202 202 221 221 221 214 214 214 66 66 66
47657 - 2 2 6 2 2 6 50 50 50 62 62 62
47658 - 6 6 6 2 2 6 10 10 10 90 90 90
47659 - 50 50 50 18 18 18 6 6 6 0 0 0
47660 - 0 0 0 0 0 0 0 0 0 0 0 0
47661 - 0 0 0 0 0 0 0 0 0 0 0 0
47662 - 0 0 0 0 0 0 0 0 0 0 0 0
47663 - 0 0 0 0 0 0 0 0 0 0 0 0
47664 - 0 0 0 0 0 0 0 0 0 0 0 0
47665 - 0 0 0 0 0 0 0 0 0 0 0 0
47666 - 0 0 0 0 0 0 0 0 0 0 0 0
47667 - 0 0 0 0 0 0 0 0 0 0 0 0
47668 - 0 0 0 0 0 0 0 0 0 0 0 0
47669 - 0 0 0 0 0 0 0 0 0 0 0 0
47670 - 0 0 0 0 0 0 0 0 0 0 0 0
47671 - 0 0 0 0 0 0 10 10 10 34 34 34
47672 - 74 74 74 74 74 74 2 2 6 6 6 6
47673 -144 144 144 198 198 198 190 190 190 178 166 146
47674 -154 121 60 156 107 11 156 107 11 168 124 44
47675 -174 154 114 187 187 187 190 190 190 210 210 210
47676 -246 246 246 253 253 253 253 253 253 182 182 182
47677 - 6 6 6 2 2 6 2 2 6 2 2 6
47678 - 2 2 6 2 2 6 2 2 6 62 62 62
47679 - 74 74 74 34 34 34 14 14 14 0 0 0
47680 - 0 0 0 0 0 0 0 0 0 0 0 0
47681 - 0 0 0 0 0 0 0 0 0 0 0 0
47682 - 0 0 0 0 0 0 0 0 0 0 0 0
47683 - 0 0 0 0 0 0 0 0 0 0 0 0
47684 - 0 0 0 0 0 0 0 0 0 0 0 0
47685 - 0 0 0 0 0 0 0 0 0 0 0 0
47686 - 0 0 0 0 0 0 0 0 0 0 0 0
47687 - 0 0 0 0 0 0 0 0 0 0 0 0
47688 - 0 0 0 0 0 0 0 0 0 0 0 0
47689 - 0 0 0 0 0 0 0 0 0 0 0 0
47690 - 0 0 0 0 0 0 0 0 0 0 0 0
47691 - 0 0 0 10 10 10 22 22 22 54 54 54
47692 - 94 94 94 18 18 18 2 2 6 46 46 46
47693 -234 234 234 221 221 221 190 190 190 190 190 190
47694 -190 190 190 187 187 187 187 187 187 190 190 190
47695 -190 190 190 195 195 195 214 214 214 242 242 242
47696 -253 253 253 253 253 253 253 253 253 253 253 253
47697 - 82 82 82 2 2 6 2 2 6 2 2 6
47698 - 2 2 6 2 2 6 2 2 6 14 14 14
47699 - 86 86 86 54 54 54 22 22 22 6 6 6
47700 - 0 0 0 0 0 0 0 0 0 0 0 0
47701 - 0 0 0 0 0 0 0 0 0 0 0 0
47702 - 0 0 0 0 0 0 0 0 0 0 0 0
47703 - 0 0 0 0 0 0 0 0 0 0 0 0
47704 - 0 0 0 0 0 0 0 0 0 0 0 0
47705 - 0 0 0 0 0 0 0 0 0 0 0 0
47706 - 0 0 0 0 0 0 0 0 0 0 0 0
47707 - 0 0 0 0 0 0 0 0 0 0 0 0
47708 - 0 0 0 0 0 0 0 0 0 0 0 0
47709 - 0 0 0 0 0 0 0 0 0 0 0 0
47710 - 0 0 0 0 0 0 0 0 0 0 0 0
47711 - 6 6 6 18 18 18 46 46 46 90 90 90
47712 - 46 46 46 18 18 18 6 6 6 182 182 182
47713 -253 253 253 246 246 246 206 206 206 190 190 190
47714 -190 190 190 190 190 190 190 190 190 190 190 190
47715 -206 206 206 231 231 231 250 250 250 253 253 253
47716 -253 253 253 253 253 253 253 253 253 253 253 253
47717 -202 202 202 14 14 14 2 2 6 2 2 6
47718 - 2 2 6 2 2 6 2 2 6 2 2 6
47719 - 42 42 42 86 86 86 42 42 42 18 18 18
47720 - 6 6 6 0 0 0 0 0 0 0 0 0
47721 - 0 0 0 0 0 0 0 0 0 0 0 0
47722 - 0 0 0 0 0 0 0 0 0 0 0 0
47723 - 0 0 0 0 0 0 0 0 0 0 0 0
47724 - 0 0 0 0 0 0 0 0 0 0 0 0
47725 - 0 0 0 0 0 0 0 0 0 0 0 0
47726 - 0 0 0 0 0 0 0 0 0 0 0 0
47727 - 0 0 0 0 0 0 0 0 0 0 0 0
47728 - 0 0 0 0 0 0 0 0 0 0 0 0
47729 - 0 0 0 0 0 0 0 0 0 0 0 0
47730 - 0 0 0 0 0 0 0 0 0 6 6 6
47731 - 14 14 14 38 38 38 74 74 74 66 66 66
47732 - 2 2 6 6 6 6 90 90 90 250 250 250
47733 -253 253 253 253 253 253 238 238 238 198 198 198
47734 -190 190 190 190 190 190 195 195 195 221 221 221
47735 -246 246 246 253 253 253 253 253 253 253 253 253
47736 -253 253 253 253 253 253 253 253 253 253 253 253
47737 -253 253 253 82 82 82 2 2 6 2 2 6
47738 - 2 2 6 2 2 6 2 2 6 2 2 6
47739 - 2 2 6 78 78 78 70 70 70 34 34 34
47740 - 14 14 14 6 6 6 0 0 0 0 0 0
47741 - 0 0 0 0 0 0 0 0 0 0 0 0
47742 - 0 0 0 0 0 0 0 0 0 0 0 0
47743 - 0 0 0 0 0 0 0 0 0 0 0 0
47744 - 0 0 0 0 0 0 0 0 0 0 0 0
47745 - 0 0 0 0 0 0 0 0 0 0 0 0
47746 - 0 0 0 0 0 0 0 0 0 0 0 0
47747 - 0 0 0 0 0 0 0 0 0 0 0 0
47748 - 0 0 0 0 0 0 0 0 0 0 0 0
47749 - 0 0 0 0 0 0 0 0 0 0 0 0
47750 - 0 0 0 0 0 0 0 0 0 14 14 14
47751 - 34 34 34 66 66 66 78 78 78 6 6 6
47752 - 2 2 6 18 18 18 218 218 218 253 253 253
47753 -253 253 253 253 253 253 253 253 253 246 246 246
47754 -226 226 226 231 231 231 246 246 246 253 253 253
47755 -253 253 253 253 253 253 253 253 253 253 253 253
47756 -253 253 253 253 253 253 253 253 253 253 253 253
47757 -253 253 253 178 178 178 2 2 6 2 2 6
47758 - 2 2 6 2 2 6 2 2 6 2 2 6
47759 - 2 2 6 18 18 18 90 90 90 62 62 62
47760 - 30 30 30 10 10 10 0 0 0 0 0 0
47761 - 0 0 0 0 0 0 0 0 0 0 0 0
47762 - 0 0 0 0 0 0 0 0 0 0 0 0
47763 - 0 0 0 0 0 0 0 0 0 0 0 0
47764 - 0 0 0 0 0 0 0 0 0 0 0 0
47765 - 0 0 0 0 0 0 0 0 0 0 0 0
47766 - 0 0 0 0 0 0 0 0 0 0 0 0
47767 - 0 0 0 0 0 0 0 0 0 0 0 0
47768 - 0 0 0 0 0 0 0 0 0 0 0 0
47769 - 0 0 0 0 0 0 0 0 0 0 0 0
47770 - 0 0 0 0 0 0 10 10 10 26 26 26
47771 - 58 58 58 90 90 90 18 18 18 2 2 6
47772 - 2 2 6 110 110 110 253 253 253 253 253 253
47773 -253 253 253 253 253 253 253 253 253 253 253 253
47774 -250 250 250 253 253 253 253 253 253 253 253 253
47775 -253 253 253 253 253 253 253 253 253 253 253 253
47776 -253 253 253 253 253 253 253 253 253 253 253 253
47777 -253 253 253 231 231 231 18 18 18 2 2 6
47778 - 2 2 6 2 2 6 2 2 6 2 2 6
47779 - 2 2 6 2 2 6 18 18 18 94 94 94
47780 - 54 54 54 26 26 26 10 10 10 0 0 0
47781 - 0 0 0 0 0 0 0 0 0 0 0 0
47782 - 0 0 0 0 0 0 0 0 0 0 0 0
47783 - 0 0 0 0 0 0 0 0 0 0 0 0
47784 - 0 0 0 0 0 0 0 0 0 0 0 0
47785 - 0 0 0 0 0 0 0 0 0 0 0 0
47786 - 0 0 0 0 0 0 0 0 0 0 0 0
47787 - 0 0 0 0 0 0 0 0 0 0 0 0
47788 - 0 0 0 0 0 0 0 0 0 0 0 0
47789 - 0 0 0 0 0 0 0 0 0 0 0 0
47790 - 0 0 0 6 6 6 22 22 22 50 50 50
47791 - 90 90 90 26 26 26 2 2 6 2 2 6
47792 - 14 14 14 195 195 195 250 250 250 253 253 253
47793 -253 253 253 253 253 253 253 253 253 253 253 253
47794 -253 253 253 253 253 253 253 253 253 253 253 253
47795 -253 253 253 253 253 253 253 253 253 253 253 253
47796 -253 253 253 253 253 253 253 253 253 253 253 253
47797 -250 250 250 242 242 242 54 54 54 2 2 6
47798 - 2 2 6 2 2 6 2 2 6 2 2 6
47799 - 2 2 6 2 2 6 2 2 6 38 38 38
47800 - 86 86 86 50 50 50 22 22 22 6 6 6
47801 - 0 0 0 0 0 0 0 0 0 0 0 0
47802 - 0 0 0 0 0 0 0 0 0 0 0 0
47803 - 0 0 0 0 0 0 0 0 0 0 0 0
47804 - 0 0 0 0 0 0 0 0 0 0 0 0
47805 - 0 0 0 0 0 0 0 0 0 0 0 0
47806 - 0 0 0 0 0 0 0 0 0 0 0 0
47807 - 0 0 0 0 0 0 0 0 0 0 0 0
47808 - 0 0 0 0 0 0 0 0 0 0 0 0
47809 - 0 0 0 0 0 0 0 0 0 0 0 0
47810 - 6 6 6 14 14 14 38 38 38 82 82 82
47811 - 34 34 34 2 2 6 2 2 6 2 2 6
47812 - 42 42 42 195 195 195 246 246 246 253 253 253
47813 -253 253 253 253 253 253 253 253 253 250 250 250
47814 -242 242 242 242 242 242 250 250 250 253 253 253
47815 -253 253 253 253 253 253 253 253 253 253 253 253
47816 -253 253 253 250 250 250 246 246 246 238 238 238
47817 -226 226 226 231 231 231 101 101 101 6 6 6
47818 - 2 2 6 2 2 6 2 2 6 2 2 6
47819 - 2 2 6 2 2 6 2 2 6 2 2 6
47820 - 38 38 38 82 82 82 42 42 42 14 14 14
47821 - 6 6 6 0 0 0 0 0 0 0 0 0
47822 - 0 0 0 0 0 0 0 0 0 0 0 0
47823 - 0 0 0 0 0 0 0 0 0 0 0 0
47824 - 0 0 0 0 0 0 0 0 0 0 0 0
47825 - 0 0 0 0 0 0 0 0 0 0 0 0
47826 - 0 0 0 0 0 0 0 0 0 0 0 0
47827 - 0 0 0 0 0 0 0 0 0 0 0 0
47828 - 0 0 0 0 0 0 0 0 0 0 0 0
47829 - 0 0 0 0 0 0 0 0 0 0 0 0
47830 - 10 10 10 26 26 26 62 62 62 66 66 66
47831 - 2 2 6 2 2 6 2 2 6 6 6 6
47832 - 70 70 70 170 170 170 206 206 206 234 234 234
47833 -246 246 246 250 250 250 250 250 250 238 238 238
47834 -226 226 226 231 231 231 238 238 238 250 250 250
47835 -250 250 250 250 250 250 246 246 246 231 231 231
47836 -214 214 214 206 206 206 202 202 202 202 202 202
47837 -198 198 198 202 202 202 182 182 182 18 18 18
47838 - 2 2 6 2 2 6 2 2 6 2 2 6
47839 - 2 2 6 2 2 6 2 2 6 2 2 6
47840 - 2 2 6 62 62 62 66 66 66 30 30 30
47841 - 10 10 10 0 0 0 0 0 0 0 0 0
47842 - 0 0 0 0 0 0 0 0 0 0 0 0
47843 - 0 0 0 0 0 0 0 0 0 0 0 0
47844 - 0 0 0 0 0 0 0 0 0 0 0 0
47845 - 0 0 0 0 0 0 0 0 0 0 0 0
47846 - 0 0 0 0 0 0 0 0 0 0 0 0
47847 - 0 0 0 0 0 0 0 0 0 0 0 0
47848 - 0 0 0 0 0 0 0 0 0 0 0 0
47849 - 0 0 0 0 0 0 0 0 0 0 0 0
47850 - 14 14 14 42 42 42 82 82 82 18 18 18
47851 - 2 2 6 2 2 6 2 2 6 10 10 10
47852 - 94 94 94 182 182 182 218 218 218 242 242 242
47853 -250 250 250 253 253 253 253 253 253 250 250 250
47854 -234 234 234 253 253 253 253 253 253 253 253 253
47855 -253 253 253 253 253 253 253 253 253 246 246 246
47856 -238 238 238 226 226 226 210 210 210 202 202 202
47857 -195 195 195 195 195 195 210 210 210 158 158 158
47858 - 6 6 6 14 14 14 50 50 50 14 14 14
47859 - 2 2 6 2 2 6 2 2 6 2 2 6
47860 - 2 2 6 6 6 6 86 86 86 46 46 46
47861 - 18 18 18 6 6 6 0 0 0 0 0 0
47862 - 0 0 0 0 0 0 0 0 0 0 0 0
47863 - 0 0 0 0 0 0 0 0 0 0 0 0
47864 - 0 0 0 0 0 0 0 0 0 0 0 0
47865 - 0 0 0 0 0 0 0 0 0 0 0 0
47866 - 0 0 0 0 0 0 0 0 0 0 0 0
47867 - 0 0 0 0 0 0 0 0 0 0 0 0
47868 - 0 0 0 0 0 0 0 0 0 0 0 0
47869 - 0 0 0 0 0 0 0 0 0 6 6 6
47870 - 22 22 22 54 54 54 70 70 70 2 2 6
47871 - 2 2 6 10 10 10 2 2 6 22 22 22
47872 -166 166 166 231 231 231 250 250 250 253 253 253
47873 -253 253 253 253 253 253 253 253 253 250 250 250
47874 -242 242 242 253 253 253 253 253 253 253 253 253
47875 -253 253 253 253 253 253 253 253 253 253 253 253
47876 -253 253 253 253 253 253 253 253 253 246 246 246
47877 -231 231 231 206 206 206 198 198 198 226 226 226
47878 - 94 94 94 2 2 6 6 6 6 38 38 38
47879 - 30 30 30 2 2 6 2 2 6 2 2 6
47880 - 2 2 6 2 2 6 62 62 62 66 66 66
47881 - 26 26 26 10 10 10 0 0 0 0 0 0
47882 - 0 0 0 0 0 0 0 0 0 0 0 0
47883 - 0 0 0 0 0 0 0 0 0 0 0 0
47884 - 0 0 0 0 0 0 0 0 0 0 0 0
47885 - 0 0 0 0 0 0 0 0 0 0 0 0
47886 - 0 0 0 0 0 0 0 0 0 0 0 0
47887 - 0 0 0 0 0 0 0 0 0 0 0 0
47888 - 0 0 0 0 0 0 0 0 0 0 0 0
47889 - 0 0 0 0 0 0 0 0 0 10 10 10
47890 - 30 30 30 74 74 74 50 50 50 2 2 6
47891 - 26 26 26 26 26 26 2 2 6 106 106 106
47892 -238 238 238 253 253 253 253 253 253 253 253 253
47893 -253 253 253 253 253 253 253 253 253 253 253 253
47894 -253 253 253 253 253 253 253 253 253 253 253 253
47895 -253 253 253 253 253 253 253 253 253 253 253 253
47896 -253 253 253 253 253 253 253 253 253 253 253 253
47897 -253 253 253 246 246 246 218 218 218 202 202 202
47898 -210 210 210 14 14 14 2 2 6 2 2 6
47899 - 30 30 30 22 22 22 2 2 6 2 2 6
47900 - 2 2 6 2 2 6 18 18 18 86 86 86
47901 - 42 42 42 14 14 14 0 0 0 0 0 0
47902 - 0 0 0 0 0 0 0 0 0 0 0 0
47903 - 0 0 0 0 0 0 0 0 0 0 0 0
47904 - 0 0 0 0 0 0 0 0 0 0 0 0
47905 - 0 0 0 0 0 0 0 0 0 0 0 0
47906 - 0 0 0 0 0 0 0 0 0 0 0 0
47907 - 0 0 0 0 0 0 0 0 0 0 0 0
47908 - 0 0 0 0 0 0 0 0 0 0 0 0
47909 - 0 0 0 0 0 0 0 0 0 14 14 14
47910 - 42 42 42 90 90 90 22 22 22 2 2 6
47911 - 42 42 42 2 2 6 18 18 18 218 218 218
47912 -253 253 253 253 253 253 253 253 253 253 253 253
47913 -253 253 253 253 253 253 253 253 253 253 253 253
47914 -253 253 253 253 253 253 253 253 253 253 253 253
47915 -253 253 253 253 253 253 253 253 253 253 253 253
47916 -253 253 253 253 253 253 253 253 253 253 253 253
47917 -253 253 253 253 253 253 250 250 250 221 221 221
47918 -218 218 218 101 101 101 2 2 6 14 14 14
47919 - 18 18 18 38 38 38 10 10 10 2 2 6
47920 - 2 2 6 2 2 6 2 2 6 78 78 78
47921 - 58 58 58 22 22 22 6 6 6 0 0 0
47922 - 0 0 0 0 0 0 0 0 0 0 0 0
47923 - 0 0 0 0 0 0 0 0 0 0 0 0
47924 - 0 0 0 0 0 0 0 0 0 0 0 0
47925 - 0 0 0 0 0 0 0 0 0 0 0 0
47926 - 0 0 0 0 0 0 0 0 0 0 0 0
47927 - 0 0 0 0 0 0 0 0 0 0 0 0
47928 - 0 0 0 0 0 0 0 0 0 0 0 0
47929 - 0 0 0 0 0 0 6 6 6 18 18 18
47930 - 54 54 54 82 82 82 2 2 6 26 26 26
47931 - 22 22 22 2 2 6 123 123 123 253 253 253
47932 -253 253 253 253 253 253 253 253 253 253 253 253
47933 -253 253 253 253 253 253 253 253 253 253 253 253
47934 -253 253 253 253 253 253 253 253 253 253 253 253
47935 -253 253 253 253 253 253 253 253 253 253 253 253
47936 -253 253 253 253 253 253 253 253 253 253 253 253
47937 -253 253 253 253 253 253 253 253 253 250 250 250
47938 -238 238 238 198 198 198 6 6 6 38 38 38
47939 - 58 58 58 26 26 26 38 38 38 2 2 6
47940 - 2 2 6 2 2 6 2 2 6 46 46 46
47941 - 78 78 78 30 30 30 10 10 10 0 0 0
47942 - 0 0 0 0 0 0 0 0 0 0 0 0
47943 - 0 0 0 0 0 0 0 0 0 0 0 0
47944 - 0 0 0 0 0 0 0 0 0 0 0 0
47945 - 0 0 0 0 0 0 0 0 0 0 0 0
47946 - 0 0 0 0 0 0 0 0 0 0 0 0
47947 - 0 0 0 0 0 0 0 0 0 0 0 0
47948 - 0 0 0 0 0 0 0 0 0 0 0 0
47949 - 0 0 0 0 0 0 10 10 10 30 30 30
47950 - 74 74 74 58 58 58 2 2 6 42 42 42
47951 - 2 2 6 22 22 22 231 231 231 253 253 253
47952 -253 253 253 253 253 253 253 253 253 253 253 253
47953 -253 253 253 253 253 253 253 253 253 250 250 250
47954 -253 253 253 253 253 253 253 253 253 253 253 253
47955 -253 253 253 253 253 253 253 253 253 253 253 253
47956 -253 253 253 253 253 253 253 253 253 253 253 253
47957 -253 253 253 253 253 253 253 253 253 253 253 253
47958 -253 253 253 246 246 246 46 46 46 38 38 38
47959 - 42 42 42 14 14 14 38 38 38 14 14 14
47960 - 2 2 6 2 2 6 2 2 6 6 6 6
47961 - 86 86 86 46 46 46 14 14 14 0 0 0
47962 - 0 0 0 0 0 0 0 0 0 0 0 0
47963 - 0 0 0 0 0 0 0 0 0 0 0 0
47964 - 0 0 0 0 0 0 0 0 0 0 0 0
47965 - 0 0 0 0 0 0 0 0 0 0 0 0
47966 - 0 0 0 0 0 0 0 0 0 0 0 0
47967 - 0 0 0 0 0 0 0 0 0 0 0 0
47968 - 0 0 0 0 0 0 0 0 0 0 0 0
47969 - 0 0 0 6 6 6 14 14 14 42 42 42
47970 - 90 90 90 18 18 18 18 18 18 26 26 26
47971 - 2 2 6 116 116 116 253 253 253 253 253 253
47972 -253 253 253 253 253 253 253 253 253 253 253 253
47973 -253 253 253 253 253 253 250 250 250 238 238 238
47974 -253 253 253 253 253 253 253 253 253 253 253 253
47975 -253 253 253 253 253 253 253 253 253 253 253 253
47976 -253 253 253 253 253 253 253 253 253 253 253 253
47977 -253 253 253 253 253 253 253 253 253 253 253 253
47978 -253 253 253 253 253 253 94 94 94 6 6 6
47979 - 2 2 6 2 2 6 10 10 10 34 34 34
47980 - 2 2 6 2 2 6 2 2 6 2 2 6
47981 - 74 74 74 58 58 58 22 22 22 6 6 6
47982 - 0 0 0 0 0 0 0 0 0 0 0 0
47983 - 0 0 0 0 0 0 0 0 0 0 0 0
47984 - 0 0 0 0 0 0 0 0 0 0 0 0
47985 - 0 0 0 0 0 0 0 0 0 0 0 0
47986 - 0 0 0 0 0 0 0 0 0 0 0 0
47987 - 0 0 0 0 0 0 0 0 0 0 0 0
47988 - 0 0 0 0 0 0 0 0 0 0 0 0
47989 - 0 0 0 10 10 10 26 26 26 66 66 66
47990 - 82 82 82 2 2 6 38 38 38 6 6 6
47991 - 14 14 14 210 210 210 253 253 253 253 253 253
47992 -253 253 253 253 253 253 253 253 253 253 253 253
47993 -253 253 253 253 253 253 246 246 246 242 242 242
47994 -253 253 253 253 253 253 253 253 253 253 253 253
47995 -253 253 253 253 253 253 253 253 253 253 253 253
47996 -253 253 253 253 253 253 253 253 253 253 253 253
47997 -253 253 253 253 253 253 253 253 253 253 253 253
47998 -253 253 253 253 253 253 144 144 144 2 2 6
47999 - 2 2 6 2 2 6 2 2 6 46 46 46
48000 - 2 2 6 2 2 6 2 2 6 2 2 6
48001 - 42 42 42 74 74 74 30 30 30 10 10 10
48002 - 0 0 0 0 0 0 0 0 0 0 0 0
48003 - 0 0 0 0 0 0 0 0 0 0 0 0
48004 - 0 0 0 0 0 0 0 0 0 0 0 0
48005 - 0 0 0 0 0 0 0 0 0 0 0 0
48006 - 0 0 0 0 0 0 0 0 0 0 0 0
48007 - 0 0 0 0 0 0 0 0 0 0 0 0
48008 - 0 0 0 0 0 0 0 0 0 0 0 0
48009 - 6 6 6 14 14 14 42 42 42 90 90 90
48010 - 26 26 26 6 6 6 42 42 42 2 2 6
48011 - 74 74 74 250 250 250 253 253 253 253 253 253
48012 -253 253 253 253 253 253 253 253 253 253 253 253
48013 -253 253 253 253 253 253 242 242 242 242 242 242
48014 -253 253 253 253 253 253 253 253 253 253 253 253
48015 -253 253 253 253 253 253 253 253 253 253 253 253
48016 -253 253 253 253 253 253 253 253 253 253 253 253
48017 -253 253 253 253 253 253 253 253 253 253 253 253
48018 -253 253 253 253 253 253 182 182 182 2 2 6
48019 - 2 2 6 2 2 6 2 2 6 46 46 46
48020 - 2 2 6 2 2 6 2 2 6 2 2 6
48021 - 10 10 10 86 86 86 38 38 38 10 10 10
48022 - 0 0 0 0 0 0 0 0 0 0 0 0
48023 - 0 0 0 0 0 0 0 0 0 0 0 0
48024 - 0 0 0 0 0 0 0 0 0 0 0 0
48025 - 0 0 0 0 0 0 0 0 0 0 0 0
48026 - 0 0 0 0 0 0 0 0 0 0 0 0
48027 - 0 0 0 0 0 0 0 0 0 0 0 0
48028 - 0 0 0 0 0 0 0 0 0 0 0 0
48029 - 10 10 10 26 26 26 66 66 66 82 82 82
48030 - 2 2 6 22 22 22 18 18 18 2 2 6
48031 -149 149 149 253 253 253 253 253 253 253 253 253
48032 -253 253 253 253 253 253 253 253 253 253 253 253
48033 -253 253 253 253 253 253 234 234 234 242 242 242
48034 -253 253 253 253 253 253 253 253 253 253 253 253
48035 -253 253 253 253 253 253 253 253 253 253 253 253
48036 -253 253 253 253 253 253 253 253 253 253 253 253
48037 -253 253 253 253 253 253 253 253 253 253 253 253
48038 -253 253 253 253 253 253 206 206 206 2 2 6
48039 - 2 2 6 2 2 6 2 2 6 38 38 38
48040 - 2 2 6 2 2 6 2 2 6 2 2 6
48041 - 6 6 6 86 86 86 46 46 46 14 14 14
48042 - 0 0 0 0 0 0 0 0 0 0 0 0
48043 - 0 0 0 0 0 0 0 0 0 0 0 0
48044 - 0 0 0 0 0 0 0 0 0 0 0 0
48045 - 0 0 0 0 0 0 0 0 0 0 0 0
48046 - 0 0 0 0 0 0 0 0 0 0 0 0
48047 - 0 0 0 0 0 0 0 0 0 0 0 0
48048 - 0 0 0 0 0 0 0 0 0 6 6 6
48049 - 18 18 18 46 46 46 86 86 86 18 18 18
48050 - 2 2 6 34 34 34 10 10 10 6 6 6
48051 -210 210 210 253 253 253 253 253 253 253 253 253
48052 -253 253 253 253 253 253 253 253 253 253 253 253
48053 -253 253 253 253 253 253 234 234 234 242 242 242
48054 -253 253 253 253 253 253 253 253 253 253 253 253
48055 -253 253 253 253 253 253 253 253 253 253 253 253
48056 -253 253 253 253 253 253 253 253 253 253 253 253
48057 -253 253 253 253 253 253 253 253 253 253 253 253
48058 -253 253 253 253 253 253 221 221 221 6 6 6
48059 - 2 2 6 2 2 6 6 6 6 30 30 30
48060 - 2 2 6 2 2 6 2 2 6 2 2 6
48061 - 2 2 6 82 82 82 54 54 54 18 18 18
48062 - 6 6 6 0 0 0 0 0 0 0 0 0
48063 - 0 0 0 0 0 0 0 0 0 0 0 0
48064 - 0 0 0 0 0 0 0 0 0 0 0 0
48065 - 0 0 0 0 0 0 0 0 0 0 0 0
48066 - 0 0 0 0 0 0 0 0 0 0 0 0
48067 - 0 0 0 0 0 0 0 0 0 0 0 0
48068 - 0 0 0 0 0 0 0 0 0 10 10 10
48069 - 26 26 26 66 66 66 62 62 62 2 2 6
48070 - 2 2 6 38 38 38 10 10 10 26 26 26
48071 -238 238 238 253 253 253 253 253 253 253 253 253
48072 -253 253 253 253 253 253 253 253 253 253 253 253
48073 -253 253 253 253 253 253 231 231 231 238 238 238
48074 -253 253 253 253 253 253 253 253 253 253 253 253
48075 -253 253 253 253 253 253 253 253 253 253 253 253
48076 -253 253 253 253 253 253 253 253 253 253 253 253
48077 -253 253 253 253 253 253 253 253 253 253 253 253
48078 -253 253 253 253 253 253 231 231 231 6 6 6
48079 - 2 2 6 2 2 6 10 10 10 30 30 30
48080 - 2 2 6 2 2 6 2 2 6 2 2 6
48081 - 2 2 6 66 66 66 58 58 58 22 22 22
48082 - 6 6 6 0 0 0 0 0 0 0 0 0
48083 - 0 0 0 0 0 0 0 0 0 0 0 0
48084 - 0 0 0 0 0 0 0 0 0 0 0 0
48085 - 0 0 0 0 0 0 0 0 0 0 0 0
48086 - 0 0 0 0 0 0 0 0 0 0 0 0
48087 - 0 0 0 0 0 0 0 0 0 0 0 0
48088 - 0 0 0 0 0 0 0 0 0 10 10 10
48089 - 38 38 38 78 78 78 6 6 6 2 2 6
48090 - 2 2 6 46 46 46 14 14 14 42 42 42
48091 -246 246 246 253 253 253 253 253 253 253 253 253
48092 -253 253 253 253 253 253 253 253 253 253 253 253
48093 -253 253 253 253 253 253 231 231 231 242 242 242
48094 -253 253 253 253 253 253 253 253 253 253 253 253
48095 -253 253 253 253 253 253 253 253 253 253 253 253
48096 -253 253 253 253 253 253 253 253 253 253 253 253
48097 -253 253 253 253 253 253 253 253 253 253 253 253
48098 -253 253 253 253 253 253 234 234 234 10 10 10
48099 - 2 2 6 2 2 6 22 22 22 14 14 14
48100 - 2 2 6 2 2 6 2 2 6 2 2 6
48101 - 2 2 6 66 66 66 62 62 62 22 22 22
48102 - 6 6 6 0 0 0 0 0 0 0 0 0
48103 - 0 0 0 0 0 0 0 0 0 0 0 0
48104 - 0 0 0 0 0 0 0 0 0 0 0 0
48105 - 0 0 0 0 0 0 0 0 0 0 0 0
48106 - 0 0 0 0 0 0 0 0 0 0 0 0
48107 - 0 0 0 0 0 0 0 0 0 0 0 0
48108 - 0 0 0 0 0 0 6 6 6 18 18 18
48109 - 50 50 50 74 74 74 2 2 6 2 2 6
48110 - 14 14 14 70 70 70 34 34 34 62 62 62
48111 -250 250 250 253 253 253 253 253 253 253 253 253
48112 -253 253 253 253 253 253 253 253 253 253 253 253
48113 -253 253 253 253 253 253 231 231 231 246 246 246
48114 -253 253 253 253 253 253 253 253 253 253 253 253
48115 -253 253 253 253 253 253 253 253 253 253 253 253
48116 -253 253 253 253 253 253 253 253 253 253 253 253
48117 -253 253 253 253 253 253 253 253 253 253 253 253
48118 -253 253 253 253 253 253 234 234 234 14 14 14
48119 - 2 2 6 2 2 6 30 30 30 2 2 6
48120 - 2 2 6 2 2 6 2 2 6 2 2 6
48121 - 2 2 6 66 66 66 62 62 62 22 22 22
48122 - 6 6 6 0 0 0 0 0 0 0 0 0
48123 - 0 0 0 0 0 0 0 0 0 0 0 0
48124 - 0 0 0 0 0 0 0 0 0 0 0 0
48125 - 0 0 0 0 0 0 0 0 0 0 0 0
48126 - 0 0 0 0 0 0 0 0 0 0 0 0
48127 - 0 0 0 0 0 0 0 0 0 0 0 0
48128 - 0 0 0 0 0 0 6 6 6 18 18 18
48129 - 54 54 54 62 62 62 2 2 6 2 2 6
48130 - 2 2 6 30 30 30 46 46 46 70 70 70
48131 -250 250 250 253 253 253 253 253 253 253 253 253
48132 -253 253 253 253 253 253 253 253 253 253 253 253
48133 -253 253 253 253 253 253 231 231 231 246 246 246
48134 -253 253 253 253 253 253 253 253 253 253 253 253
48135 -253 253 253 253 253 253 253 253 253 253 253 253
48136 -253 253 253 253 253 253 253 253 253 253 253 253
48137 -253 253 253 253 253 253 253 253 253 253 253 253
48138 -253 253 253 253 253 253 226 226 226 10 10 10
48139 - 2 2 6 6 6 6 30 30 30 2 2 6
48140 - 2 2 6 2 2 6 2 2 6 2 2 6
48141 - 2 2 6 66 66 66 58 58 58 22 22 22
48142 - 6 6 6 0 0 0 0 0 0 0 0 0
48143 - 0 0 0 0 0 0 0 0 0 0 0 0
48144 - 0 0 0 0 0 0 0 0 0 0 0 0
48145 - 0 0 0 0 0 0 0 0 0 0 0 0
48146 - 0 0 0 0 0 0 0 0 0 0 0 0
48147 - 0 0 0 0 0 0 0 0 0 0 0 0
48148 - 0 0 0 0 0 0 6 6 6 22 22 22
48149 - 58 58 58 62 62 62 2 2 6 2 2 6
48150 - 2 2 6 2 2 6 30 30 30 78 78 78
48151 -250 250 250 253 253 253 253 253 253 253 253 253
48152 -253 253 253 253 253 253 253 253 253 253 253 253
48153 -253 253 253 253 253 253 231 231 231 246 246 246
48154 -253 253 253 253 253 253 253 253 253 253 253 253
48155 -253 253 253 253 253 253 253 253 253 253 253 253
48156 -253 253 253 253 253 253 253 253 253 253 253 253
48157 -253 253 253 253 253 253 253 253 253 253 253 253
48158 -253 253 253 253 253 253 206 206 206 2 2 6
48159 - 22 22 22 34 34 34 18 14 6 22 22 22
48160 - 26 26 26 18 18 18 6 6 6 2 2 6
48161 - 2 2 6 82 82 82 54 54 54 18 18 18
48162 - 6 6 6 0 0 0 0 0 0 0 0 0
48163 - 0 0 0 0 0 0 0 0 0 0 0 0
48164 - 0 0 0 0 0 0 0 0 0 0 0 0
48165 - 0 0 0 0 0 0 0 0 0 0 0 0
48166 - 0 0 0 0 0 0 0 0 0 0 0 0
48167 - 0 0 0 0 0 0 0 0 0 0 0 0
48168 - 0 0 0 0 0 0 6 6 6 26 26 26
48169 - 62 62 62 106 106 106 74 54 14 185 133 11
48170 -210 162 10 121 92 8 6 6 6 62 62 62
48171 -238 238 238 253 253 253 253 253 253 253 253 253
48172 -253 253 253 253 253 253 253 253 253 253 253 253
48173 -253 253 253 253 253 253 231 231 231 246 246 246
48174 -253 253 253 253 253 253 253 253 253 253 253 253
48175 -253 253 253 253 253 253 253 253 253 253 253 253
48176 -253 253 253 253 253 253 253 253 253 253 253 253
48177 -253 253 253 253 253 253 253 253 253 253 253 253
48178 -253 253 253 253 253 253 158 158 158 18 18 18
48179 - 14 14 14 2 2 6 2 2 6 2 2 6
48180 - 6 6 6 18 18 18 66 66 66 38 38 38
48181 - 6 6 6 94 94 94 50 50 50 18 18 18
48182 - 6 6 6 0 0 0 0 0 0 0 0 0
48183 - 0 0 0 0 0 0 0 0 0 0 0 0
48184 - 0 0 0 0 0 0 0 0 0 0 0 0
48185 - 0 0 0 0 0 0 0 0 0 0 0 0
48186 - 0 0 0 0 0 0 0 0 0 0 0 0
48187 - 0 0 0 0 0 0 0 0 0 6 6 6
48188 - 10 10 10 10 10 10 18 18 18 38 38 38
48189 - 78 78 78 142 134 106 216 158 10 242 186 14
48190 -246 190 14 246 190 14 156 118 10 10 10 10
48191 - 90 90 90 238 238 238 253 253 253 253 253 253
48192 -253 253 253 253 253 253 253 253 253 253 253 253
48193 -253 253 253 253 253 253 231 231 231 250 250 250
48194 -253 253 253 253 253 253 253 253 253 253 253 253
48195 -253 253 253 253 253 253 253 253 253 253 253 253
48196 -253 253 253 253 253 253 253 253 253 253 253 253
48197 -253 253 253 253 253 253 253 253 253 246 230 190
48198 -238 204 91 238 204 91 181 142 44 37 26 9
48199 - 2 2 6 2 2 6 2 2 6 2 2 6
48200 - 2 2 6 2 2 6 38 38 38 46 46 46
48201 - 26 26 26 106 106 106 54 54 54 18 18 18
48202 - 6 6 6 0 0 0 0 0 0 0 0 0
48203 - 0 0 0 0 0 0 0 0 0 0 0 0
48204 - 0 0 0 0 0 0 0 0 0 0 0 0
48205 - 0 0 0 0 0 0 0 0 0 0 0 0
48206 - 0 0 0 0 0 0 0 0 0 0 0 0
48207 - 0 0 0 6 6 6 14 14 14 22 22 22
48208 - 30 30 30 38 38 38 50 50 50 70 70 70
48209 -106 106 106 190 142 34 226 170 11 242 186 14
48210 -246 190 14 246 190 14 246 190 14 154 114 10
48211 - 6 6 6 74 74 74 226 226 226 253 253 253
48212 -253 253 253 253 253 253 253 253 253 253 253 253
48213 -253 253 253 253 253 253 231 231 231 250 250 250
48214 -253 253 253 253 253 253 253 253 253 253 253 253
48215 -253 253 253 253 253 253 253 253 253 253 253 253
48216 -253 253 253 253 253 253 253 253 253 253 253 253
48217 -253 253 253 253 253 253 253 253 253 228 184 62
48218 -241 196 14 241 208 19 232 195 16 38 30 10
48219 - 2 2 6 2 2 6 2 2 6 2 2 6
48220 - 2 2 6 6 6 6 30 30 30 26 26 26
48221 -203 166 17 154 142 90 66 66 66 26 26 26
48222 - 6 6 6 0 0 0 0 0 0 0 0 0
48223 - 0 0 0 0 0 0 0 0 0 0 0 0
48224 - 0 0 0 0 0 0 0 0 0 0 0 0
48225 - 0 0 0 0 0 0 0 0 0 0 0 0
48226 - 0 0 0 0 0 0 0 0 0 0 0 0
48227 - 6 6 6 18 18 18 38 38 38 58 58 58
48228 - 78 78 78 86 86 86 101 101 101 123 123 123
48229 -175 146 61 210 150 10 234 174 13 246 186 14
48230 -246 190 14 246 190 14 246 190 14 238 190 10
48231 -102 78 10 2 2 6 46 46 46 198 198 198
48232 -253 253 253 253 253 253 253 253 253 253 253 253
48233 -253 253 253 253 253 253 234 234 234 242 242 242
48234 -253 253 253 253 253 253 253 253 253 253 253 253
48235 -253 253 253 253 253 253 253 253 253 253 253 253
48236 -253 253 253 253 253 253 253 253 253 253 253 253
48237 -253 253 253 253 253 253 253 253 253 224 178 62
48238 -242 186 14 241 196 14 210 166 10 22 18 6
48239 - 2 2 6 2 2 6 2 2 6 2 2 6
48240 - 2 2 6 2 2 6 6 6 6 121 92 8
48241 -238 202 15 232 195 16 82 82 82 34 34 34
48242 - 10 10 10 0 0 0 0 0 0 0 0 0
48243 - 0 0 0 0 0 0 0 0 0 0 0 0
48244 - 0 0 0 0 0 0 0 0 0 0 0 0
48245 - 0 0 0 0 0 0 0 0 0 0 0 0
48246 - 0 0 0 0 0 0 0 0 0 0 0 0
48247 - 14 14 14 38 38 38 70 70 70 154 122 46
48248 -190 142 34 200 144 11 197 138 11 197 138 11
48249 -213 154 11 226 170 11 242 186 14 246 190 14
48250 -246 190 14 246 190 14 246 190 14 246 190 14
48251 -225 175 15 46 32 6 2 2 6 22 22 22
48252 -158 158 158 250 250 250 253 253 253 253 253 253
48253 -253 253 253 253 253 253 253 253 253 253 253 253
48254 -253 253 253 253 253 253 253 253 253 253 253 253
48255 -253 253 253 253 253 253 253 253 253 253 253 253
48256 -253 253 253 253 253 253 253 253 253 253 253 253
48257 -253 253 253 250 250 250 242 242 242 224 178 62
48258 -239 182 13 236 186 11 213 154 11 46 32 6
48259 - 2 2 6 2 2 6 2 2 6 2 2 6
48260 - 2 2 6 2 2 6 61 42 6 225 175 15
48261 -238 190 10 236 186 11 112 100 78 42 42 42
48262 - 14 14 14 0 0 0 0 0 0 0 0 0
48263 - 0 0 0 0 0 0 0 0 0 0 0 0
48264 - 0 0 0 0 0 0 0 0 0 0 0 0
48265 - 0 0 0 0 0 0 0 0 0 0 0 0
48266 - 0 0 0 0 0 0 0 0 0 6 6 6
48267 - 22 22 22 54 54 54 154 122 46 213 154 11
48268 -226 170 11 230 174 11 226 170 11 226 170 11
48269 -236 178 12 242 186 14 246 190 14 246 190 14
48270 -246 190 14 246 190 14 246 190 14 246 190 14
48271 -241 196 14 184 144 12 10 10 10 2 2 6
48272 - 6 6 6 116 116 116 242 242 242 253 253 253
48273 -253 253 253 253 253 253 253 253 253 253 253 253
48274 -253 253 253 253 253 253 253 253 253 253 253 253
48275 -253 253 253 253 253 253 253 253 253 253 253 253
48276 -253 253 253 253 253 253 253 253 253 253 253 253
48277 -253 253 253 231 231 231 198 198 198 214 170 54
48278 -236 178 12 236 178 12 210 150 10 137 92 6
48279 - 18 14 6 2 2 6 2 2 6 2 2 6
48280 - 6 6 6 70 47 6 200 144 11 236 178 12
48281 -239 182 13 239 182 13 124 112 88 58 58 58
48282 - 22 22 22 6 6 6 0 0 0 0 0 0
48283 - 0 0 0 0 0 0 0 0 0 0 0 0
48284 - 0 0 0 0 0 0 0 0 0 0 0 0
48285 - 0 0 0 0 0 0 0 0 0 0 0 0
48286 - 0 0 0 0 0 0 0 0 0 10 10 10
48287 - 30 30 30 70 70 70 180 133 36 226 170 11
48288 -239 182 13 242 186 14 242 186 14 246 186 14
48289 -246 190 14 246 190 14 246 190 14 246 190 14
48290 -246 190 14 246 190 14 246 190 14 246 190 14
48291 -246 190 14 232 195 16 98 70 6 2 2 6
48292 - 2 2 6 2 2 6 66 66 66 221 221 221
48293 -253 253 253 253 253 253 253 253 253 253 253 253
48294 -253 253 253 253 253 253 253 253 253 253 253 253
48295 -253 253 253 253 253 253 253 253 253 253 253 253
48296 -253 253 253 253 253 253 253 253 253 253 253 253
48297 -253 253 253 206 206 206 198 198 198 214 166 58
48298 -230 174 11 230 174 11 216 158 10 192 133 9
48299 -163 110 8 116 81 8 102 78 10 116 81 8
48300 -167 114 7 197 138 11 226 170 11 239 182 13
48301 -242 186 14 242 186 14 162 146 94 78 78 78
48302 - 34 34 34 14 14 14 6 6 6 0 0 0
48303 - 0 0 0 0 0 0 0 0 0 0 0 0
48304 - 0 0 0 0 0 0 0 0 0 0 0 0
48305 - 0 0 0 0 0 0 0 0 0 0 0 0
48306 - 0 0 0 0 0 0 0 0 0 6 6 6
48307 - 30 30 30 78 78 78 190 142 34 226 170 11
48308 -239 182 13 246 190 14 246 190 14 246 190 14
48309 -246 190 14 246 190 14 246 190 14 246 190 14
48310 -246 190 14 246 190 14 246 190 14 246 190 14
48311 -246 190 14 241 196 14 203 166 17 22 18 6
48312 - 2 2 6 2 2 6 2 2 6 38 38 38
48313 -218 218 218 253 253 253 253 253 253 253 253 253
48314 -253 253 253 253 253 253 253 253 253 253 253 253
48315 -253 253 253 253 253 253 253 253 253 253 253 253
48316 -253 253 253 253 253 253 253 253 253 253 253 253
48317 -250 250 250 206 206 206 198 198 198 202 162 69
48318 -226 170 11 236 178 12 224 166 10 210 150 10
48319 -200 144 11 197 138 11 192 133 9 197 138 11
48320 -210 150 10 226 170 11 242 186 14 246 190 14
48321 -246 190 14 246 186 14 225 175 15 124 112 88
48322 - 62 62 62 30 30 30 14 14 14 6 6 6
48323 - 0 0 0 0 0 0 0 0 0 0 0 0
48324 - 0 0 0 0 0 0 0 0 0 0 0 0
48325 - 0 0 0 0 0 0 0 0 0 0 0 0
48326 - 0 0 0 0 0 0 0 0 0 10 10 10
48327 - 30 30 30 78 78 78 174 135 50 224 166 10
48328 -239 182 13 246 190 14 246 190 14 246 190 14
48329 -246 190 14 246 190 14 246 190 14 246 190 14
48330 -246 190 14 246 190 14 246 190 14 246 190 14
48331 -246 190 14 246 190 14 241 196 14 139 102 15
48332 - 2 2 6 2 2 6 2 2 6 2 2 6
48333 - 78 78 78 250 250 250 253 253 253 253 253 253
48334 -253 253 253 253 253 253 253 253 253 253 253 253
48335 -253 253 253 253 253 253 253 253 253 253 253 253
48336 -253 253 253 253 253 253 253 253 253 253 253 253
48337 -250 250 250 214 214 214 198 198 198 190 150 46
48338 -219 162 10 236 178 12 234 174 13 224 166 10
48339 -216 158 10 213 154 11 213 154 11 216 158 10
48340 -226 170 11 239 182 13 246 190 14 246 190 14
48341 -246 190 14 246 190 14 242 186 14 206 162 42
48342 -101 101 101 58 58 58 30 30 30 14 14 14
48343 - 6 6 6 0 0 0 0 0 0 0 0 0
48344 - 0 0 0 0 0 0 0 0 0 0 0 0
48345 - 0 0 0 0 0 0 0 0 0 0 0 0
48346 - 0 0 0 0 0 0 0 0 0 10 10 10
48347 - 30 30 30 74 74 74 174 135 50 216 158 10
48348 -236 178 12 246 190 14 246 190 14 246 190 14
48349 -246 190 14 246 190 14 246 190 14 246 190 14
48350 -246 190 14 246 190 14 246 190 14 246 190 14
48351 -246 190 14 246 190 14 241 196 14 226 184 13
48352 - 61 42 6 2 2 6 2 2 6 2 2 6
48353 - 22 22 22 238 238 238 253 253 253 253 253 253
48354 -253 253 253 253 253 253 253 253 253 253 253 253
48355 -253 253 253 253 253 253 253 253 253 253 253 253
48356 -253 253 253 253 253 253 253 253 253 253 253 253
48357 -253 253 253 226 226 226 187 187 187 180 133 36
48358 -216 158 10 236 178 12 239 182 13 236 178 12
48359 -230 174 11 226 170 11 226 170 11 230 174 11
48360 -236 178 12 242 186 14 246 190 14 246 190 14
48361 -246 190 14 246 190 14 246 186 14 239 182 13
48362 -206 162 42 106 106 106 66 66 66 34 34 34
48363 - 14 14 14 6 6 6 0 0 0 0 0 0
48364 - 0 0 0 0 0 0 0 0 0 0 0 0
48365 - 0 0 0 0 0 0 0 0 0 0 0 0
48366 - 0 0 0 0 0 0 0 0 0 6 6 6
48367 - 26 26 26 70 70 70 163 133 67 213 154 11
48368 -236 178 12 246 190 14 246 190 14 246 190 14
48369 -246 190 14 246 190 14 246 190 14 246 190 14
48370 -246 190 14 246 190 14 246 190 14 246 190 14
48371 -246 190 14 246 190 14 246 190 14 241 196 14
48372 -190 146 13 18 14 6 2 2 6 2 2 6
48373 - 46 46 46 246 246 246 253 253 253 253 253 253
48374 -253 253 253 253 253 253 253 253 253 253 253 253
48375 -253 253 253 253 253 253 253 253 253 253 253 253
48376 -253 253 253 253 253 253 253 253 253 253 253 253
48377 -253 253 253 221 221 221 86 86 86 156 107 11
48378 -216 158 10 236 178 12 242 186 14 246 186 14
48379 -242 186 14 239 182 13 239 182 13 242 186 14
48380 -242 186 14 246 186 14 246 190 14 246 190 14
48381 -246 190 14 246 190 14 246 190 14 246 190 14
48382 -242 186 14 225 175 15 142 122 72 66 66 66
48383 - 30 30 30 10 10 10 0 0 0 0 0 0
48384 - 0 0 0 0 0 0 0 0 0 0 0 0
48385 - 0 0 0 0 0 0 0 0 0 0 0 0
48386 - 0 0 0 0 0 0 0 0 0 6 6 6
48387 - 26 26 26 70 70 70 163 133 67 210 150 10
48388 -236 178 12 246 190 14 246 190 14 246 190 14
48389 -246 190 14 246 190 14 246 190 14 246 190 14
48390 -246 190 14 246 190 14 246 190 14 246 190 14
48391 -246 190 14 246 190 14 246 190 14 246 190 14
48392 -232 195 16 121 92 8 34 34 34 106 106 106
48393 -221 221 221 253 253 253 253 253 253 253 253 253
48394 -253 253 253 253 253 253 253 253 253 253 253 253
48395 -253 253 253 253 253 253 253 253 253 253 253 253
48396 -253 253 253 253 253 253 253 253 253 253 253 253
48397 -242 242 242 82 82 82 18 14 6 163 110 8
48398 -216 158 10 236 178 12 242 186 14 246 190 14
48399 -246 190 14 246 190 14 246 190 14 246 190 14
48400 -246 190 14 246 190 14 246 190 14 246 190 14
48401 -246 190 14 246 190 14 246 190 14 246 190 14
48402 -246 190 14 246 190 14 242 186 14 163 133 67
48403 - 46 46 46 18 18 18 6 6 6 0 0 0
48404 - 0 0 0 0 0 0 0 0 0 0 0 0
48405 - 0 0 0 0 0 0 0 0 0 0 0 0
48406 - 0 0 0 0 0 0 0 0 0 10 10 10
48407 - 30 30 30 78 78 78 163 133 67 210 150 10
48408 -236 178 12 246 186 14 246 190 14 246 190 14
48409 -246 190 14 246 190 14 246 190 14 246 190 14
48410 -246 190 14 246 190 14 246 190 14 246 190 14
48411 -246 190 14 246 190 14 246 190 14 246 190 14
48412 -241 196 14 215 174 15 190 178 144 253 253 253
48413 -253 253 253 253 253 253 253 253 253 253 253 253
48414 -253 253 253 253 253 253 253 253 253 253 253 253
48415 -253 253 253 253 253 253 253 253 253 253 253 253
48416 -253 253 253 253 253 253 253 253 253 218 218 218
48417 - 58 58 58 2 2 6 22 18 6 167 114 7
48418 -216 158 10 236 178 12 246 186 14 246 190 14
48419 -246 190 14 246 190 14 246 190 14 246 190 14
48420 -246 190 14 246 190 14 246 190 14 246 190 14
48421 -246 190 14 246 190 14 246 190 14 246 190 14
48422 -246 190 14 246 186 14 242 186 14 190 150 46
48423 - 54 54 54 22 22 22 6 6 6 0 0 0
48424 - 0 0 0 0 0 0 0 0 0 0 0 0
48425 - 0 0 0 0 0 0 0 0 0 0 0 0
48426 - 0 0 0 0 0 0 0 0 0 14 14 14
48427 - 38 38 38 86 86 86 180 133 36 213 154 11
48428 -236 178 12 246 186 14 246 190 14 246 190 14
48429 -246 190 14 246 190 14 246 190 14 246 190 14
48430 -246 190 14 246 190 14 246 190 14 246 190 14
48431 -246 190 14 246 190 14 246 190 14 246 190 14
48432 -246 190 14 232 195 16 190 146 13 214 214 214
48433 -253 253 253 253 253 253 253 253 253 253 253 253
48434 -253 253 253 253 253 253 253 253 253 253 253 253
48435 -253 253 253 253 253 253 253 253 253 253 253 253
48436 -253 253 253 250 250 250 170 170 170 26 26 26
48437 - 2 2 6 2 2 6 37 26 9 163 110 8
48438 -219 162 10 239 182 13 246 186 14 246 190 14
48439 -246 190 14 246 190 14 246 190 14 246 190 14
48440 -246 190 14 246 190 14 246 190 14 246 190 14
48441 -246 190 14 246 190 14 246 190 14 246 190 14
48442 -246 186 14 236 178 12 224 166 10 142 122 72
48443 - 46 46 46 18 18 18 6 6 6 0 0 0
48444 - 0 0 0 0 0 0 0 0 0 0 0 0
48445 - 0 0 0 0 0 0 0 0 0 0 0 0
48446 - 0 0 0 0 0 0 6 6 6 18 18 18
48447 - 50 50 50 109 106 95 192 133 9 224 166 10
48448 -242 186 14 246 190 14 246 190 14 246 190 14
48449 -246 190 14 246 190 14 246 190 14 246 190 14
48450 -246 190 14 246 190 14 246 190 14 246 190 14
48451 -246 190 14 246 190 14 246 190 14 246 190 14
48452 -242 186 14 226 184 13 210 162 10 142 110 46
48453 -226 226 226 253 253 253 253 253 253 253 253 253
48454 -253 253 253 253 253 253 253 253 253 253 253 253
48455 -253 253 253 253 253 253 253 253 253 253 253 253
48456 -198 198 198 66 66 66 2 2 6 2 2 6
48457 - 2 2 6 2 2 6 50 34 6 156 107 11
48458 -219 162 10 239 182 13 246 186 14 246 190 14
48459 -246 190 14 246 190 14 246 190 14 246 190 14
48460 -246 190 14 246 190 14 246 190 14 246 190 14
48461 -246 190 14 246 190 14 246 190 14 242 186 14
48462 -234 174 13 213 154 11 154 122 46 66 66 66
48463 - 30 30 30 10 10 10 0 0 0 0 0 0
48464 - 0 0 0 0 0 0 0 0 0 0 0 0
48465 - 0 0 0 0 0 0 0 0 0 0 0 0
48466 - 0 0 0 0 0 0 6 6 6 22 22 22
48467 - 58 58 58 154 121 60 206 145 10 234 174 13
48468 -242 186 14 246 186 14 246 190 14 246 190 14
48469 -246 190 14 246 190 14 246 190 14 246 190 14
48470 -246 190 14 246 190 14 246 190 14 246 190 14
48471 -246 190 14 246 190 14 246 190 14 246 190 14
48472 -246 186 14 236 178 12 210 162 10 163 110 8
48473 - 61 42 6 138 138 138 218 218 218 250 250 250
48474 -253 253 253 253 253 253 253 253 253 250 250 250
48475 -242 242 242 210 210 210 144 144 144 66 66 66
48476 - 6 6 6 2 2 6 2 2 6 2 2 6
48477 - 2 2 6 2 2 6 61 42 6 163 110 8
48478 -216 158 10 236 178 12 246 190 14 246 190 14
48479 -246 190 14 246 190 14 246 190 14 246 190 14
48480 -246 190 14 246 190 14 246 190 14 246 190 14
48481 -246 190 14 239 182 13 230 174 11 216 158 10
48482 -190 142 34 124 112 88 70 70 70 38 38 38
48483 - 18 18 18 6 6 6 0 0 0 0 0 0
48484 - 0 0 0 0 0 0 0 0 0 0 0 0
48485 - 0 0 0 0 0 0 0 0 0 0 0 0
48486 - 0 0 0 0 0 0 6 6 6 22 22 22
48487 - 62 62 62 168 124 44 206 145 10 224 166 10
48488 -236 178 12 239 182 13 242 186 14 242 186 14
48489 -246 186 14 246 190 14 246 190 14 246 190 14
48490 -246 190 14 246 190 14 246 190 14 246 190 14
48491 -246 190 14 246 190 14 246 190 14 246 190 14
48492 -246 190 14 236 178 12 216 158 10 175 118 6
48493 - 80 54 7 2 2 6 6 6 6 30 30 30
48494 - 54 54 54 62 62 62 50 50 50 38 38 38
48495 - 14 14 14 2 2 6 2 2 6 2 2 6
48496 - 2 2 6 2 2 6 2 2 6 2 2 6
48497 - 2 2 6 6 6 6 80 54 7 167 114 7
48498 -213 154 11 236 178 12 246 190 14 246 190 14
48499 -246 190 14 246 190 14 246 190 14 246 190 14
48500 -246 190 14 242 186 14 239 182 13 239 182 13
48501 -230 174 11 210 150 10 174 135 50 124 112 88
48502 - 82 82 82 54 54 54 34 34 34 18 18 18
48503 - 6 6 6 0 0 0 0 0 0 0 0 0
48504 - 0 0 0 0 0 0 0 0 0 0 0 0
48505 - 0 0 0 0 0 0 0 0 0 0 0 0
48506 - 0 0 0 0 0 0 6 6 6 18 18 18
48507 - 50 50 50 158 118 36 192 133 9 200 144 11
48508 -216 158 10 219 162 10 224 166 10 226 170 11
48509 -230 174 11 236 178 12 239 182 13 239 182 13
48510 -242 186 14 246 186 14 246 190 14 246 190 14
48511 -246 190 14 246 190 14 246 190 14 246 190 14
48512 -246 186 14 230 174 11 210 150 10 163 110 8
48513 -104 69 6 10 10 10 2 2 6 2 2 6
48514 - 2 2 6 2 2 6 2 2 6 2 2 6
48515 - 2 2 6 2 2 6 2 2 6 2 2 6
48516 - 2 2 6 2 2 6 2 2 6 2 2 6
48517 - 2 2 6 6 6 6 91 60 6 167 114 7
48518 -206 145 10 230 174 11 242 186 14 246 190 14
48519 -246 190 14 246 190 14 246 186 14 242 186 14
48520 -239 182 13 230 174 11 224 166 10 213 154 11
48521 -180 133 36 124 112 88 86 86 86 58 58 58
48522 - 38 38 38 22 22 22 10 10 10 6 6 6
48523 - 0 0 0 0 0 0 0 0 0 0 0 0
48524 - 0 0 0 0 0 0 0 0 0 0 0 0
48525 - 0 0 0 0 0 0 0 0 0 0 0 0
48526 - 0 0 0 0 0 0 0 0 0 14 14 14
48527 - 34 34 34 70 70 70 138 110 50 158 118 36
48528 -167 114 7 180 123 7 192 133 9 197 138 11
48529 -200 144 11 206 145 10 213 154 11 219 162 10
48530 -224 166 10 230 174 11 239 182 13 242 186 14
48531 -246 186 14 246 186 14 246 186 14 246 186 14
48532 -239 182 13 216 158 10 185 133 11 152 99 6
48533 -104 69 6 18 14 6 2 2 6 2 2 6
48534 - 2 2 6 2 2 6 2 2 6 2 2 6
48535 - 2 2 6 2 2 6 2 2 6 2 2 6
48536 - 2 2 6 2 2 6 2 2 6 2 2 6
48537 - 2 2 6 6 6 6 80 54 7 152 99 6
48538 -192 133 9 219 162 10 236 178 12 239 182 13
48539 -246 186 14 242 186 14 239 182 13 236 178 12
48540 -224 166 10 206 145 10 192 133 9 154 121 60
48541 - 94 94 94 62 62 62 42 42 42 22 22 22
48542 - 14 14 14 6 6 6 0 0 0 0 0 0
48543 - 0 0 0 0 0 0 0 0 0 0 0 0
48544 - 0 0 0 0 0 0 0 0 0 0 0 0
48545 - 0 0 0 0 0 0 0 0 0 0 0 0
48546 - 0 0 0 0 0 0 0 0 0 6 6 6
48547 - 18 18 18 34 34 34 58 58 58 78 78 78
48548 -101 98 89 124 112 88 142 110 46 156 107 11
48549 -163 110 8 167 114 7 175 118 6 180 123 7
48550 -185 133 11 197 138 11 210 150 10 219 162 10
48551 -226 170 11 236 178 12 236 178 12 234 174 13
48552 -219 162 10 197 138 11 163 110 8 130 83 6
48553 - 91 60 6 10 10 10 2 2 6 2 2 6
48554 - 18 18 18 38 38 38 38 38 38 38 38 38
48555 - 38 38 38 38 38 38 38 38 38 38 38 38
48556 - 38 38 38 38 38 38 26 26 26 2 2 6
48557 - 2 2 6 6 6 6 70 47 6 137 92 6
48558 -175 118 6 200 144 11 219 162 10 230 174 11
48559 -234 174 13 230 174 11 219 162 10 210 150 10
48560 -192 133 9 163 110 8 124 112 88 82 82 82
48561 - 50 50 50 30 30 30 14 14 14 6 6 6
48562 - 0 0 0 0 0 0 0 0 0 0 0 0
48563 - 0 0 0 0 0 0 0 0 0 0 0 0
48564 - 0 0 0 0 0 0 0 0 0 0 0 0
48565 - 0 0 0 0 0 0 0 0 0 0 0 0
48566 - 0 0 0 0 0 0 0 0 0 0 0 0
48567 - 6 6 6 14 14 14 22 22 22 34 34 34
48568 - 42 42 42 58 58 58 74 74 74 86 86 86
48569 -101 98 89 122 102 70 130 98 46 121 87 25
48570 -137 92 6 152 99 6 163 110 8 180 123 7
48571 -185 133 11 197 138 11 206 145 10 200 144 11
48572 -180 123 7 156 107 11 130 83 6 104 69 6
48573 - 50 34 6 54 54 54 110 110 110 101 98 89
48574 - 86 86 86 82 82 82 78 78 78 78 78 78
48575 - 78 78 78 78 78 78 78 78 78 78 78 78
48576 - 78 78 78 82 82 82 86 86 86 94 94 94
48577 -106 106 106 101 101 101 86 66 34 124 80 6
48578 -156 107 11 180 123 7 192 133 9 200 144 11
48579 -206 145 10 200 144 11 192 133 9 175 118 6
48580 -139 102 15 109 106 95 70 70 70 42 42 42
48581 - 22 22 22 10 10 10 0 0 0 0 0 0
48582 - 0 0 0 0 0 0 0 0 0 0 0 0
48583 - 0 0 0 0 0 0 0 0 0 0 0 0
48584 - 0 0 0 0 0 0 0 0 0 0 0 0
48585 - 0 0 0 0 0 0 0 0 0 0 0 0
48586 - 0 0 0 0 0 0 0 0 0 0 0 0
48587 - 0 0 0 0 0 0 6 6 6 10 10 10
48588 - 14 14 14 22 22 22 30 30 30 38 38 38
48589 - 50 50 50 62 62 62 74 74 74 90 90 90
48590 -101 98 89 112 100 78 121 87 25 124 80 6
48591 -137 92 6 152 99 6 152 99 6 152 99 6
48592 -138 86 6 124 80 6 98 70 6 86 66 30
48593 -101 98 89 82 82 82 58 58 58 46 46 46
48594 - 38 38 38 34 34 34 34 34 34 34 34 34
48595 - 34 34 34 34 34 34 34 34 34 34 34 34
48596 - 34 34 34 34 34 34 38 38 38 42 42 42
48597 - 54 54 54 82 82 82 94 86 76 91 60 6
48598 -134 86 6 156 107 11 167 114 7 175 118 6
48599 -175 118 6 167 114 7 152 99 6 121 87 25
48600 -101 98 89 62 62 62 34 34 34 18 18 18
48601 - 6 6 6 0 0 0 0 0 0 0 0 0
48602 - 0 0 0 0 0 0 0 0 0 0 0 0
48603 - 0 0 0 0 0 0 0 0 0 0 0 0
48604 - 0 0 0 0 0 0 0 0 0 0 0 0
48605 - 0 0 0 0 0 0 0 0 0 0 0 0
48606 - 0 0 0 0 0 0 0 0 0 0 0 0
48607 - 0 0 0 0 0 0 0 0 0 0 0 0
48608 - 0 0 0 6 6 6 6 6 6 10 10 10
48609 - 18 18 18 22 22 22 30 30 30 42 42 42
48610 - 50 50 50 66 66 66 86 86 86 101 98 89
48611 -106 86 58 98 70 6 104 69 6 104 69 6
48612 -104 69 6 91 60 6 82 62 34 90 90 90
48613 - 62 62 62 38 38 38 22 22 22 14 14 14
48614 - 10 10 10 10 10 10 10 10 10 10 10 10
48615 - 10 10 10 10 10 10 6 6 6 10 10 10
48616 - 10 10 10 10 10 10 10 10 10 14 14 14
48617 - 22 22 22 42 42 42 70 70 70 89 81 66
48618 - 80 54 7 104 69 6 124 80 6 137 92 6
48619 -134 86 6 116 81 8 100 82 52 86 86 86
48620 - 58 58 58 30 30 30 14 14 14 6 6 6
48621 - 0 0 0 0 0 0 0 0 0 0 0 0
48622 - 0 0 0 0 0 0 0 0 0 0 0 0
48623 - 0 0 0 0 0 0 0 0 0 0 0 0
48624 - 0 0 0 0 0 0 0 0 0 0 0 0
48625 - 0 0 0 0 0 0 0 0 0 0 0 0
48626 - 0 0 0 0 0 0 0 0 0 0 0 0
48627 - 0 0 0 0 0 0 0 0 0 0 0 0
48628 - 0 0 0 0 0 0 0 0 0 0 0 0
48629 - 0 0 0 6 6 6 10 10 10 14 14 14
48630 - 18 18 18 26 26 26 38 38 38 54 54 54
48631 - 70 70 70 86 86 86 94 86 76 89 81 66
48632 - 89 81 66 86 86 86 74 74 74 50 50 50
48633 - 30 30 30 14 14 14 6 6 6 0 0 0
48634 - 0 0 0 0 0 0 0 0 0 0 0 0
48635 - 0 0 0 0 0 0 0 0 0 0 0 0
48636 - 0 0 0 0 0 0 0 0 0 0 0 0
48637 - 6 6 6 18 18 18 34 34 34 58 58 58
48638 - 82 82 82 89 81 66 89 81 66 89 81 66
48639 - 94 86 66 94 86 76 74 74 74 50 50 50
48640 - 26 26 26 14 14 14 6 6 6 0 0 0
48641 - 0 0 0 0 0 0 0 0 0 0 0 0
48642 - 0 0 0 0 0 0 0 0 0 0 0 0
48643 - 0 0 0 0 0 0 0 0 0 0 0 0
48644 - 0 0 0 0 0 0 0 0 0 0 0 0
48645 - 0 0 0 0 0 0 0 0 0 0 0 0
48646 - 0 0 0 0 0 0 0 0 0 0 0 0
48647 - 0 0 0 0 0 0 0 0 0 0 0 0
48648 - 0 0 0 0 0 0 0 0 0 0 0 0
48649 - 0 0 0 0 0 0 0 0 0 0 0 0
48650 - 6 6 6 6 6 6 14 14 14 18 18 18
48651 - 30 30 30 38 38 38 46 46 46 54 54 54
48652 - 50 50 50 42 42 42 30 30 30 18 18 18
48653 - 10 10 10 0 0 0 0 0 0 0 0 0
48654 - 0 0 0 0 0 0 0 0 0 0 0 0
48655 - 0 0 0 0 0 0 0 0 0 0 0 0
48656 - 0 0 0 0 0 0 0 0 0 0 0 0
48657 - 0 0 0 6 6 6 14 14 14 26 26 26
48658 - 38 38 38 50 50 50 58 58 58 58 58 58
48659 - 54 54 54 42 42 42 30 30 30 18 18 18
48660 - 10 10 10 0 0 0 0 0 0 0 0 0
48661 - 0 0 0 0 0 0 0 0 0 0 0 0
48662 - 0 0 0 0 0 0 0 0 0 0 0 0
48663 - 0 0 0 0 0 0 0 0 0 0 0 0
48664 - 0 0 0 0 0 0 0 0 0 0 0 0
48665 - 0 0 0 0 0 0 0 0 0 0 0 0
48666 - 0 0 0 0 0 0 0 0 0 0 0 0
48667 - 0 0 0 0 0 0 0 0 0 0 0 0
48668 - 0 0 0 0 0 0 0 0 0 0 0 0
48669 - 0 0 0 0 0 0 0 0 0 0 0 0
48670 - 0 0 0 0 0 0 0 0 0 6 6 6
48671 - 6 6 6 10 10 10 14 14 14 18 18 18
48672 - 18 18 18 14 14 14 10 10 10 6 6 6
48673 - 0 0 0 0 0 0 0 0 0 0 0 0
48674 - 0 0 0 0 0 0 0 0 0 0 0 0
48675 - 0 0 0 0 0 0 0 0 0 0 0 0
48676 - 0 0 0 0 0 0 0 0 0 0 0 0
48677 - 0 0 0 0 0 0 0 0 0 6 6 6
48678 - 14 14 14 18 18 18 22 22 22 22 22 22
48679 - 18 18 18 14 14 14 10 10 10 6 6 6
48680 - 0 0 0 0 0 0 0 0 0 0 0 0
48681 - 0 0 0 0 0 0 0 0 0 0 0 0
48682 - 0 0 0 0 0 0 0 0 0 0 0 0
48683 - 0 0 0 0 0 0 0 0 0 0 0 0
48684 - 0 0 0 0 0 0 0 0 0 0 0 0
48685 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48686 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48687 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48688 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48689 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48690 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48691 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48692 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48693 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48694 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48695 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48696 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48697 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48699 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48700 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48701 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48702 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48703 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48704 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48705 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48706 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48707 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48708 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48709 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48710 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48711 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48713 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48714 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48715 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48716 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48717 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48718 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48719 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48720 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48721 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48722 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48723 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48724 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48725 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48727 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48728 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48729 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48730 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48731 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48732 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48733 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48734 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48735 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48736 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48737 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48738 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48739 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48741 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48742 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48743 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48744 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48745 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48746 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48747 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48748 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48749 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48750 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48751 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48752 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48753 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48755 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48756 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48757 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48758 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48759 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48760 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48761 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48762 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48763 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48764 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48765 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48766 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48767 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48769 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48770 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48771 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48772 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48773 +4 4 4 4 4 4 4 4 4 3 3 3 0 0 0 0 0 0
48774 +0 0 0 0 0 0 0 0 0 0 0 0 3 3 3 4 4 4
48775 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48776 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48777 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48778 +4 4 4 4 4 4 4 4 4 4 4 4 1 1 1 0 0 0
48779 +0 0 0 3 3 3 4 4 4 4 4 4 4 4 4 4 4 4
48780 +4 4 4 4 4 4 4 4 4 2 1 0 2 1 0 3 2 2
48781 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48783 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48784 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48785 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48786 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48787 +4 4 4 4 4 4 2 2 2 0 0 0 3 4 3 26 28 28
48788 +37 38 37 37 38 37 14 17 19 2 2 2 0 0 0 2 2 2
48789 +5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48790 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48791 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48792 +4 4 4 4 4 4 3 3 3 0 0 0 1 1 1 6 6 6
48793 +2 2 2 0 0 0 3 3 3 4 4 4 4 4 4 4 4 4
48794 +4 4 5 3 3 3 1 0 0 0 0 0 1 0 0 0 0 0
48795 +1 1 1 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48797 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48798 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48799 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48800 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48801 +2 2 2 0 0 0 0 0 0 14 17 19 60 74 84 137 136 137
48802 +153 152 153 137 136 137 125 124 125 60 73 81 6 6 6 3 1 0
48803 +0 0 0 3 3 3 4 4 4 4 4 4 4 4 4 4 4 4
48804 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48805 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48806 +4 4 4 4 4 4 0 0 0 4 4 4 41 54 63 125 124 125
48807 +60 73 81 6 6 6 4 0 0 3 3 3 4 4 4 4 4 4
48808 +4 4 4 0 0 0 6 9 11 41 54 63 41 65 82 22 30 35
48809 +2 2 2 2 1 0 4 4 4 4 4 4 4 4 4 4 4 4
48811 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48812 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48813 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48814 +4 4 4 4 4 4 5 5 5 5 5 5 2 2 2 0 0 0
48815 +4 0 0 6 6 6 41 54 63 137 136 137 174 174 174 167 166 167
48816 +165 164 165 165 164 165 163 162 163 163 162 163 125 124 125 41 54 63
48817 +1 1 1 0 0 0 0 0 0 3 3 3 5 5 5 4 4 4
48818 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48819 +4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 5 5 5
48820 +3 3 3 2 0 0 4 0 0 60 73 81 156 155 156 167 166 167
48821 +163 162 163 85 115 134 5 7 8 0 0 0 4 4 4 5 5 5
48822 +0 0 0 2 5 5 55 98 126 90 154 193 90 154 193 72 125 159
48823 +37 51 59 2 0 0 1 1 1 4 5 5 4 4 4 4 4 4
48825 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48826 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48827 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48828 +4 4 4 5 5 5 4 4 4 1 1 1 0 0 0 3 3 3
48829 +37 38 37 125 124 125 163 162 163 174 174 174 158 157 158 158 157 158
48830 +156 155 156 156 155 156 158 157 158 165 164 165 174 174 174 166 165 166
48831 +125 124 125 16 19 21 1 0 0 0 0 0 0 0 0 4 4 4
48832 +5 5 5 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
48833 +4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 1 1 1
48834 +0 0 0 0 0 0 37 38 37 153 152 153 174 174 174 158 157 158
48835 +174 174 174 163 162 163 37 38 37 4 3 3 4 0 0 1 1 1
48836 +0 0 0 22 40 52 101 161 196 101 161 196 90 154 193 101 161 196
48837 +64 123 161 14 17 19 0 0 0 4 4 4 4 4 4 4 4 4
48839 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48840 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48841 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
48842 +5 5 5 2 2 2 0 0 0 4 0 0 24 26 27 85 115 134
48843 +156 155 156 174 174 174 167 166 167 156 155 156 154 153 154 157 156 157
48844 +156 155 156 156 155 156 155 154 155 153 152 153 158 157 158 167 166 167
48845 +174 174 174 156 155 156 60 74 84 16 19 21 0 0 0 0 0 0
48846 +1 1 1 5 5 5 5 5 5 4 4 4 4 4 4 4 4 4
48847 +4 4 4 5 5 5 6 6 6 3 3 3 0 0 0 4 0 0
48848 +13 16 17 60 73 81 137 136 137 165 164 165 156 155 156 153 152 153
48849 +174 174 174 177 184 187 60 73 81 3 1 0 0 0 0 1 1 2
48850 +22 30 35 64 123 161 136 185 209 90 154 193 90 154 193 90 154 193
48851 +90 154 193 21 29 34 0 0 0 3 2 2 4 4 5 4 4 4
48853 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48854 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48855 +4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 3 3 3
48856 +0 0 0 0 0 0 10 13 16 60 74 84 157 156 157 174 174 174
48857 +174 174 174 158 157 158 153 152 153 154 153 154 156 155 156 155 154 155
48858 +156 155 156 155 154 155 154 153 154 157 156 157 154 153 154 153 152 153
48859 +163 162 163 174 174 174 177 184 187 137 136 137 60 73 81 13 16 17
48860 +4 0 0 0 0 0 3 3 3 5 5 5 4 4 4 4 4 4
48861 +5 5 5 4 4 4 1 1 1 0 0 0 3 3 3 41 54 63
48862 +131 129 131 174 174 174 174 174 174 174 174 174 167 166 167 174 174 174
48863 +190 197 201 137 136 137 24 26 27 4 0 0 16 21 25 50 82 103
48864 +90 154 193 136 185 209 90 154 193 101 161 196 101 161 196 101 161 196
48865 +31 91 132 3 6 7 0 0 0 4 4 4 4 4 4 4 4 4
48867 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48868 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48869 +4 4 4 4 4 4 4 4 4 2 2 2 0 0 0 4 0 0
48870 +4 0 0 43 57 68 137 136 137 177 184 187 174 174 174 163 162 163
48871 +155 154 155 155 154 155 156 155 156 155 154 155 158 157 158 165 164 165
48872 +167 166 167 166 165 166 163 162 163 157 156 157 155 154 155 155 154 155
48873 +153 152 153 156 155 156 167 166 167 174 174 174 174 174 174 131 129 131
48874 +41 54 63 5 5 5 0 0 0 0 0 0 3 3 3 4 4 4
48875 +1 1 1 0 0 0 1 0 0 26 28 28 125 124 125 174 174 174
48876 +177 184 187 174 174 174 174 174 174 156 155 156 131 129 131 137 136 137
48877 +125 124 125 24 26 27 4 0 0 41 65 82 90 154 193 136 185 209
48878 +136 185 209 101 161 196 53 118 160 37 112 160 90 154 193 34 86 122
48879 +7 12 15 0 0 0 4 4 4 4 4 4 4 4 4 4 4 4
48881 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48882 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48883 +4 4 4 3 3 3 0 0 0 0 0 0 5 5 5 37 38 37
48884 +125 124 125 167 166 167 174 174 174 167 166 167 158 157 158 155 154 155
48885 +156 155 156 156 155 156 156 155 156 163 162 163 167 166 167 155 154 155
48886 +137 136 137 153 152 153 156 155 156 165 164 165 163 162 163 156 155 156
48887 +156 155 156 156 155 156 155 154 155 158 157 158 166 165 166 174 174 174
48888 +167 166 167 125 124 125 37 38 37 1 0 0 0 0 0 0 0 0
48889 +0 0 0 24 26 27 60 74 84 158 157 158 174 174 174 174 174 174
48890 +166 165 166 158 157 158 125 124 125 41 54 63 13 16 17 6 6 6
48891 +6 6 6 37 38 37 80 127 157 136 185 209 101 161 196 101 161 196
48892 +90 154 193 28 67 93 6 10 14 13 20 25 13 20 25 6 10 14
48893 +1 1 2 4 3 3 4 4 4 4 4 4 4 4 4 4 4 4
48895 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48896 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48897 +1 1 1 1 0 0 4 3 3 37 38 37 60 74 84 153 152 153
48898 +167 166 167 167 166 167 158 157 158 154 153 154 155 154 155 156 155 156
48899 +157 156 157 158 157 158 167 166 167 167 166 167 131 129 131 43 57 68
48900 +26 28 28 37 38 37 60 73 81 131 129 131 165 164 165 166 165 166
48901 +158 157 158 155 154 155 156 155 156 156 155 156 156 155 156 158 157 158
48902 +165 164 165 174 174 174 163 162 163 60 74 84 16 19 21 13 16 17
48903 +60 73 81 131 129 131 174 174 174 174 174 174 167 166 167 165 164 165
48904 +137 136 137 60 73 81 24 26 27 4 0 0 4 0 0 16 19 21
48905 +52 104 138 101 161 196 136 185 209 136 185 209 90 154 193 27 99 146
48906 +13 20 25 4 5 7 2 5 5 4 5 7 1 1 2 0 0 0
48907 +4 4 4 4 4 4 3 3 3 2 2 2 2 2 2 4 4 4
48909 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48910 +4 4 4 4 4 4 4 4 4 4 4 4 3 3 3 0 0 0
48911 +0 0 0 13 16 17 60 73 81 137 136 137 174 174 174 166 165 166
48912 +158 157 158 156 155 156 157 156 157 156 155 156 155 154 155 158 157 158
48913 +167 166 167 174 174 174 153 152 153 60 73 81 16 19 21 4 0 0
48914 +4 0 0 4 0 0 6 6 6 26 28 28 60 74 84 158 157 158
48915 +174 174 174 166 165 166 157 156 157 155 154 155 156 155 156 156 155 156
48916 +155 154 155 158 157 158 167 166 167 167 166 167 131 129 131 125 124 125
48917 +137 136 137 167 166 167 167 166 167 174 174 174 158 157 158 125 124 125
48918 +16 19 21 4 0 0 4 0 0 10 13 16 49 76 92 107 159 188
48919 +136 185 209 136 185 209 90 154 193 26 108 161 22 40 52 6 10 14
48920 +2 3 3 1 1 2 1 1 2 4 4 5 4 4 5 4 4 5
48921 +4 4 5 2 2 1 0 0 0 0 0 0 0 0 0 2 2 2
48923 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
48924 +4 4 4 5 5 5 3 3 3 0 0 0 1 0 0 4 0 0
48925 +37 51 59 131 129 131 167 166 167 167 166 167 163 162 163 157 156 157
48926 +157 156 157 155 154 155 153 152 153 157 156 157 167 166 167 174 174 174
48927 +153 152 153 125 124 125 37 38 37 4 0 0 4 0 0 4 0 0
48928 +4 3 3 4 3 3 4 0 0 6 6 6 4 0 0 37 38 37
48929 +125 124 125 174 174 174 174 174 174 165 164 165 156 155 156 154 153 154
48930 +156 155 156 156 155 156 155 154 155 163 162 163 158 157 158 163 162 163
48931 +174 174 174 174 174 174 174 174 174 125 124 125 37 38 37 0 0 0
48932 +4 0 0 6 9 11 41 54 63 90 154 193 136 185 209 146 190 211
48933 +136 185 209 37 112 160 22 40 52 6 10 14 3 6 7 1 1 2
48934 +1 1 2 3 3 3 1 1 2 3 3 3 4 4 4 4 4 4
48935 +2 2 2 2 0 0 16 19 21 37 38 37 24 26 27 0 0 0
48937 +4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 5 5 5
48938 +4 4 4 0 0 0 0 0 0 0 0 0 26 28 28 120 125 127
48939 +158 157 158 174 174 174 165 164 165 157 156 157 155 154 155 156 155 156
48940 +153 152 153 153 152 153 167 166 167 174 174 174 174 174 174 125 124 125
48941 +37 38 37 4 0 0 0 0 0 4 0 0 4 3 3 4 4 4
48942 +4 4 4 4 4 4 5 5 5 4 0 0 4 0 0 4 0 0
48943 +4 3 3 43 57 68 137 136 137 174 174 174 174 174 174 165 164 165
48944 +154 153 154 153 152 153 153 152 153 153 152 153 163 162 163 174 174 174
48945 +174 174 174 153 152 153 60 73 81 6 6 6 4 0 0 4 3 3
48946 +32 43 50 80 127 157 136 185 209 146 190 211 146 190 211 90 154 193
48947 +28 67 93 28 67 93 40 71 93 3 6 7 1 1 2 2 5 5
48948 +50 82 103 79 117 143 26 37 45 0 0 0 3 3 3 1 1 1
48949 +0 0 0 41 54 63 137 136 137 174 174 174 153 152 153 60 73 81
48951 +4 4 4 4 4 4 4 4 4 4 4 4 6 6 6 2 2 2
48952 +0 0 0 2 0 0 24 26 27 60 74 84 153 152 153 174 174 174
48953 +174 174 174 157 156 157 154 153 154 156 155 156 154 153 154 153 152 153
48954 +165 164 165 174 174 174 177 184 187 137 136 137 43 57 68 6 6 6
48955 +4 0 0 2 0 0 3 3 3 5 5 5 5 5 5 4 4 4
48956 +4 4 4 4 4 4 4 4 4 5 5 5 6 6 6 4 3 3
48957 +4 0 0 4 0 0 24 26 27 60 73 81 153 152 153 174 174 174
48958 +174 174 174 158 157 158 158 157 158 174 174 174 174 174 174 158 157 158
48959 +60 74 84 24 26 27 4 0 0 4 0 0 17 23 27 59 113 148
48960 +136 185 209 191 222 234 146 190 211 136 185 209 31 91 132 7 11 13
48961 +22 40 52 101 161 196 90 154 193 6 9 11 3 4 4 43 95 132
48962 +136 185 209 172 205 220 55 98 126 0 0 0 0 0 0 2 0 0
48963 +26 28 28 153 152 153 177 184 187 167 166 167 177 184 187 165 164 165
48965 +4 4 4 4 4 4 5 5 5 5 5 5 1 1 1 0 0 0
48966 +13 16 17 60 73 81 137 136 137 174 174 174 174 174 174 165 164 165
48967 +153 152 153 153 152 153 155 154 155 154 153 154 158 157 158 174 174 174
48968 +177 184 187 163 162 163 60 73 81 16 19 21 4 0 0 4 0 0
48969 +4 3 3 4 4 4 5 5 5 5 5 5 4 4 4 5 5 5
48970 +5 5 5 5 5 5 5 5 5 4 4 4 4 4 4 5 5 5
48971 +6 6 6 4 0 0 4 0 0 4 0 0 24 26 27 60 74 84
48972 +166 165 166 174 174 174 177 184 187 165 164 165 125 124 125 24 26 27
48973 +4 0 0 4 0 0 5 5 5 50 82 103 136 185 209 172 205 220
48974 +146 190 211 136 185 209 26 108 161 22 40 52 7 12 15 44 81 103
48975 +71 116 144 28 67 93 37 51 59 41 65 82 100 139 164 101 161 196
48976 +90 154 193 90 154 193 28 67 93 0 0 0 0 0 0 26 28 28
48977 +125 124 125 167 166 167 163 162 163 153 152 153 163 162 163 174 174 174
48979 +4 4 4 5 5 5 4 4 4 1 0 0 4 0 0 34 47 55
48980 +125 124 125 174 174 174 174 174 174 167 166 167 157 156 157 153 152 153
48981 +155 154 155 155 154 155 158 157 158 166 165 166 167 166 167 154 153 154
48982 +125 124 125 26 28 28 4 0 0 4 0 0 4 0 0 5 5 5
48983 +5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 1 1 1
48984 +0 0 0 0 0 0 1 1 1 4 4 4 4 4 4 4 4 4
48985 +5 5 5 5 5 5 4 3 3 4 0 0 4 0 0 6 6 6
48986 +37 38 37 131 129 131 137 136 137 37 38 37 0 0 0 4 0 0
48987 +4 5 5 43 61 72 90 154 193 172 205 220 146 190 211 136 185 209
48988 +90 154 193 28 67 93 13 20 25 43 61 72 71 116 144 44 81 103
48989 +2 5 5 7 11 13 59 113 148 101 161 196 90 154 193 28 67 93
48990 +13 20 25 6 10 14 0 0 0 13 16 17 60 73 81 137 136 137
48991 +166 165 166 158 157 158 156 155 156 154 153 154 167 166 167 174 174 174
48993 +4 4 4 4 4 4 0 0 0 3 3 3 60 74 84 174 174 174
48994 +174 174 174 167 166 167 163 162 163 155 154 155 157 156 157 155 154 155
48995 +156 155 156 163 162 163 167 166 167 158 157 158 125 124 125 37 38 37
48996 +4 3 3 4 0 0 4 0 0 6 6 6 6 6 6 5 5 5
48997 +4 4 4 4 4 4 4 4 4 1 1 1 0 0 0 2 3 3
48998 +10 13 16 7 11 13 1 0 0 0 0 0 2 2 1 4 4 4
48999 +4 4 4 4 4 4 4 4 4 5 5 5 4 3 3 4 0 0
49000 +4 0 0 7 11 13 13 16 17 4 0 0 3 3 3 34 47 55
49001 +80 127 157 146 190 211 172 205 220 136 185 209 136 185 209 136 185 209
49002 +28 67 93 22 40 52 55 98 126 55 98 126 21 29 34 7 11 13
49003 +50 82 103 101 161 196 101 161 196 35 83 115 13 20 25 2 2 1
49004 +1 1 2 1 1 2 37 51 59 131 129 131 174 174 174 174 174 174
49005 +167 166 167 163 162 163 163 162 163 167 166 167 174 174 174 125 124 125
49007 +4 4 4 4 0 0 4 0 0 60 74 84 174 174 174 174 174 174
49008 +158 157 158 155 154 155 155 154 155 156 155 156 155 154 155 158 157 158
49009 +167 166 167 165 164 165 131 129 131 60 73 81 13 16 17 4 0 0
49010 +4 0 0 4 3 3 6 6 6 4 3 3 5 5 5 4 4 4
49011 +4 4 4 3 2 2 0 0 0 0 0 0 7 11 13 45 69 86
49012 +80 127 157 71 116 144 43 61 72 7 11 13 0 0 0 1 1 1
49013 +4 3 3 4 4 4 4 4 4 4 4 4 6 6 6 5 5 5
49014 +3 2 2 4 0 0 1 0 0 21 29 34 59 113 148 136 185 209
49015 +146 190 211 136 185 209 136 185 209 136 185 209 136 185 209 136 185 209
49016 +68 124 159 44 81 103 22 40 52 13 16 17 43 61 72 90 154 193
49017 +136 185 209 59 113 148 21 29 34 3 4 3 1 1 1 0 0 0
49018 +24 26 27 125 124 125 163 162 163 174 174 174 166 165 166 165 164 165
49019 +163 162 163 125 124 125 125 124 125 125 124 125 125 124 125 26 28 28
49021 +3 3 3 0 0 0 24 26 27 153 152 153 177 184 187 158 157 158
49022 +156 155 156 156 155 156 155 154 155 155 154 155 165 164 165 174 174 174
49023 +155 154 155 60 74 84 26 28 28 4 0 0 4 0 0 3 1 0
49024 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 3 3
49025 +2 0 0 0 0 0 0 0 0 32 43 50 72 125 159 101 161 196
49026 +136 185 209 101 161 196 101 161 196 79 117 143 32 43 50 0 0 0
49027 +0 0 0 2 2 2 4 4 4 4 4 4 3 3 3 1 0 0
49028 +0 0 0 4 5 5 49 76 92 101 161 196 146 190 211 146 190 211
49029 +136 185 209 136 185 209 136 185 209 136 185 209 136 185 209 90 154 193
49030 +28 67 93 13 16 17 37 51 59 80 127 157 136 185 209 90 154 193
49031 +22 40 52 6 9 11 3 4 3 2 2 1 16 19 21 60 73 81
49032 +137 136 137 163 162 163 158 157 158 166 165 166 167 166 167 153 152 153
49033 +60 74 84 37 38 37 6 6 6 13 16 17 4 0 0 1 0 0
49035 +3 2 2 4 0 0 37 38 37 137 136 137 167 166 167 158 157 158
49036 +157 156 157 154 153 154 157 156 157 167 166 167 174 174 174 125 124 125
49037 +37 38 37 4 0 0 4 0 0 4 0 0 4 3 3 4 4 4
49038 +4 4 4 4 4 4 5 5 5 5 5 5 1 1 1 0 0 0
49039 +0 0 0 16 21 25 55 98 126 90 154 193 136 185 209 101 161 196
49040 +101 161 196 101 161 196 136 185 209 136 185 209 101 161 196 55 98 126
49041 +14 17 19 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
49042 +22 40 52 90 154 193 146 190 211 146 190 211 136 185 209 136 185 209
49043 +136 185 209 136 185 209 136 185 209 101 161 196 35 83 115 7 11 13
49044 +17 23 27 59 113 148 136 185 209 101 161 196 34 86 122 7 12 15
49045 +2 5 5 3 4 3 6 6 6 60 73 81 131 129 131 163 162 163
49046 +166 165 166 174 174 174 174 174 174 163 162 163 125 124 125 41 54 63
49047 +13 16 17 4 0 0 4 0 0 4 0 0 1 0 0 2 2 2
49049 +1 1 1 2 1 0 43 57 68 137 136 137 153 152 153 153 152 153
49050 +163 162 163 156 155 156 165 164 165 167 166 167 60 74 84 6 6 6
49051 +4 0 0 4 0 0 5 5 5 4 4 4 4 4 4 4 4 4
49052 +4 5 5 6 6 6 4 3 3 0 0 0 0 0 0 11 15 18
49053 +40 71 93 100 139 164 101 161 196 101 161 196 101 161 196 101 161 196
49054 +101 161 196 101 161 196 101 161 196 101 161 196 136 185 209 136 185 209
49055 +101 161 196 45 69 86 6 6 6 0 0 0 17 23 27 55 98 126
49056 +136 185 209 146 190 211 136 185 209 136 185 209 136 185 209 136 185 209
49057 +136 185 209 136 185 209 90 154 193 22 40 52 7 11 13 50 82 103
49058 +136 185 209 136 185 209 53 118 160 22 40 52 7 11 13 2 5 5
49059 +3 4 3 37 38 37 125 124 125 157 156 157 166 165 166 167 166 167
49060 +174 174 174 174 174 174 137 136 137 60 73 81 4 0 0 4 0 0
49061 +4 0 0 4 0 0 5 5 5 3 3 3 3 3 3 4 4 4
49063 +4 0 0 4 0 0 41 54 63 137 136 137 125 124 125 131 129 131
49064 +155 154 155 167 166 167 174 174 174 60 74 84 6 6 6 4 0 0
49065 +4 3 3 6 6 6 4 4 4 4 4 4 4 4 4 5 5 5
49066 +4 4 4 1 1 1 0 0 0 3 6 7 41 65 82 72 125 159
49067 +101 161 196 101 161 196 101 161 196 90 154 193 90 154 193 101 161 196
49068 +101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 136 185 209
49069 +136 185 209 136 185 209 80 127 157 55 98 126 101 161 196 146 190 211
49070 +136 185 209 136 185 209 136 185 209 101 161 196 136 185 209 101 161 196
49071 +136 185 209 101 161 196 35 83 115 22 30 35 101 161 196 172 205 220
49072 +90 154 193 28 67 93 7 11 13 2 5 5 3 4 3 13 16 17
49073 +85 115 134 167 166 167 174 174 174 174 174 174 174 174 174 174 174 174
49074 +167 166 167 60 74 84 13 16 17 4 0 0 4 0 0 4 3 3
49075 +6 6 6 5 5 5 4 4 4 5 5 5 4 4 4 5 5 5
49077 +1 1 1 4 0 0 41 54 63 137 136 137 137 136 137 125 124 125
49078 +131 129 131 167 166 167 157 156 157 37 38 37 6 6 6 4 0 0
49079 +6 6 6 5 5 5 4 4 4 4 4 4 4 5 5 2 2 1
49080 +0 0 0 0 0 0 26 37 45 58 111 146 101 161 196 101 161 196
49081 +101 161 196 90 154 193 90 154 193 90 154 193 101 161 196 101 161 196
49082 +101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
49083 +101 161 196 136 185 209 136 185 209 136 185 209 146 190 211 136 185 209
49084 +136 185 209 101 161 196 136 185 209 136 185 209 101 161 196 136 185 209
49085 +101 161 196 136 185 209 136 185 209 136 185 209 136 185 209 16 89 141
49086 +7 11 13 2 5 5 2 5 5 13 16 17 60 73 81 154 154 154
49087 +174 174 174 174 174 174 174 174 174 174 174 174 163 162 163 125 124 125
49088 +24 26 27 4 0 0 4 0 0 4 0 0 5 5 5 5 5 5
49089 +4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 5 5 5
49091 +4 0 0 6 6 6 37 38 37 137 136 137 137 136 137 131 129 131
49092 +131 129 131 153 152 153 131 129 131 26 28 28 4 0 0 4 3 3
49093 +6 6 6 4 4 4 4 4 4 4 4 4 0 0 0 0 0 0
49094 +13 20 25 51 88 114 90 154 193 101 161 196 101 161 196 90 154 193
49095 +90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 101 161 196
49096 +101 161 196 101 161 196 101 161 196 101 161 196 136 185 209 101 161 196
49097 +101 161 196 136 185 209 101 161 196 136 185 209 136 185 209 101 161 196
49098 +136 185 209 101 161 196 136 185 209 101 161 196 101 161 196 101 161 196
49099 +136 185 209 136 185 209 136 185 209 37 112 160 21 29 34 5 7 8
49100 +2 5 5 13 16 17 43 57 68 131 129 131 174 174 174 174 174 174
49101 +174 174 174 167 166 167 157 156 157 125 124 125 37 38 37 4 0 0
49102 +4 0 0 4 0 0 5 5 5 5 5 5 4 4 4 4 4 4
49103 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49105 +1 1 1 4 0 0 41 54 63 153 152 153 137 136 137 137 136 137
49106 +137 136 137 153 152 153 125 124 125 24 26 27 4 0 0 3 2 2
49107 +4 4 4 4 4 4 4 3 3 4 0 0 3 6 7 43 61 72
49108 +64 123 161 101 161 196 90 154 193 90 154 193 90 154 193 90 154 193
49109 +90 154 193 90 154 193 90 154 193 90 154 193 101 161 196 90 154 193
49110 +101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
49111 +101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
49112 +136 185 209 101 161 196 101 161 196 136 185 209 136 185 209 101 161 196
49113 +101 161 196 90 154 193 28 67 93 13 16 17 7 11 13 3 6 7
49114 +37 51 59 125 124 125 163 162 163 174 174 174 167 166 167 166 165 166
49115 +167 166 167 131 129 131 60 73 81 4 0 0 4 0 0 4 0 0
49116 +3 3 3 5 5 5 6 6 6 4 4 4 4 4 4 4 4 4
49117 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49119 +4 0 0 4 0 0 41 54 63 137 136 137 153 152 153 137 136 137
49120 +153 152 153 157 156 157 125 124 125 24 26 27 0 0 0 2 2 2
49121 +4 4 4 4 4 4 2 0 0 0 0 0 28 67 93 90 154 193
49122 +90 154 193 90 154 193 90 154 193 90 154 193 64 123 161 90 154 193
49123 +90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 101 161 196
49124 +90 154 193 101 161 196 101 161 196 101 161 196 90 154 193 136 185 209
49125 +101 161 196 101 161 196 136 185 209 101 161 196 136 185 209 101 161 196
49126 +101 161 196 101 161 196 136 185 209 101 161 196 101 161 196 90 154 193
49127 +35 83 115 13 16 17 3 6 7 2 5 5 13 16 17 60 74 84
49128 +154 154 154 166 165 166 165 164 165 158 157 158 163 162 163 157 156 157
49129 +60 74 84 13 16 17 4 0 0 4 0 0 3 2 2 4 4 4
49130 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49131 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49133 +1 1 1 4 0 0 41 54 63 157 156 157 155 154 155 137 136 137
49134 +153 152 153 158 157 158 137 136 137 26 28 28 2 0 0 2 2 2
49135 +4 4 4 4 4 4 1 0 0 6 10 14 34 86 122 90 154 193
49136 +64 123 161 90 154 193 64 123 161 90 154 193 90 154 193 90 154 193
49137 +64 123 161 90 154 193 90 154 193 90 154 193 90 154 193 90 154 193
49138 +101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
49139 +101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
49140 +136 185 209 101 161 196 136 185 209 90 154 193 26 108 161 22 40 52
49141 +13 16 17 5 7 8 2 5 5 2 5 5 37 38 37 165 164 165
49142 +174 174 174 163 162 163 154 154 154 165 164 165 167 166 167 60 73 81
49143 +6 6 6 4 0 0 4 0 0 4 4 4 4 4 4 4 4 4
49144 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49145 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49147 +4 0 0 6 6 6 41 54 63 156 155 156 158 157 158 153 152 153
49148 +156 155 156 165 164 165 137 136 137 26 28 28 0 0 0 2 2 2
49149 +4 4 5 4 4 4 2 0 0 7 12 15 31 96 139 64 123 161
49150 +90 154 193 64 123 161 90 154 193 90 154 193 64 123 161 90 154 193
49151 +90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 90 154 193
49152 +90 154 193 90 154 193 90 154 193 101 161 196 101 161 196 101 161 196
49153 +101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 136 185 209
49154 +101 161 196 136 185 209 26 108 161 22 40 52 7 11 13 5 7 8
49155 +2 5 5 2 5 5 2 5 5 2 2 1 37 38 37 158 157 158
49156 +174 174 174 154 154 154 156 155 156 167 166 167 165 164 165 37 38 37
49157 +4 0 0 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
49158 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49159 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49161 +3 1 0 4 0 0 60 73 81 157 156 157 163 162 163 153 152 153
49162 +158 157 158 167 166 167 137 136 137 26 28 28 2 0 0 2 2 2
49163 +4 5 5 4 4 4 4 0 0 7 12 15 24 86 132 26 108 161
49164 +37 112 160 64 123 161 90 154 193 64 123 161 90 154 193 90 154 193
49165 +90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 90 154 193
49166 +90 154 193 101 161 196 90 154 193 101 161 196 101 161 196 101 161 196
49167 +101 161 196 101 161 196 101 161 196 136 185 209 101 161 196 136 185 209
49168 +90 154 193 35 83 115 13 16 17 13 16 17 7 11 13 3 6 7
49169 +5 7 8 6 6 6 3 4 3 2 2 1 30 32 34 154 154 154
49170 +167 166 167 154 154 154 154 154 154 174 174 174 165 164 165 37 38 37
49171 +6 6 6 4 0 0 6 6 6 4 4 4 4 4 4 4 4 4
49172 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49173 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49175 +4 0 0 4 0 0 41 54 63 163 162 163 166 165 166 154 154 154
49176 +163 162 163 174 174 174 137 136 137 26 28 28 0 0 0 2 2 2
49177 +4 5 5 4 4 5 1 1 2 6 10 14 28 67 93 18 97 151
49178 +18 97 151 18 97 151 26 108 161 37 112 160 37 112 160 90 154 193
49179 +64 123 161 90 154 193 90 154 193 90 154 193 90 154 193 101 161 196
49180 +90 154 193 101 161 196 101 161 196 90 154 193 101 161 196 101 161 196
49181 +101 161 196 101 161 196 101 161 196 136 185 209 90 154 193 16 89 141
49182 +13 20 25 7 11 13 5 7 8 5 7 8 2 5 5 4 5 5
49183 +3 4 3 4 5 5 3 4 3 0 0 0 37 38 37 158 157 158
49184 +174 174 174 158 157 158 158 157 158 167 166 167 174 174 174 41 54 63
49185 +4 0 0 3 2 2 5 5 5 4 4 4 4 4 4 4 4 4
49186 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49187 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49189 +1 1 1 4 0 0 60 73 81 165 164 165 174 174 174 158 157 158
49190 +167 166 167 174 174 174 153 152 153 26 28 28 2 0 0 2 2 2
49191 +4 5 5 4 4 4 4 0 0 7 12 15 10 87 144 10 87 144
49192 +18 97 151 18 97 151 18 97 151 26 108 161 26 108 161 26 108 161
49193 +26 108 161 37 112 160 53 118 160 90 154 193 90 154 193 90 154 193
49194 +90 154 193 90 154 193 101 161 196 101 161 196 101 161 196 101 161 196
49195 +101 161 196 136 185 209 90 154 193 26 108 161 22 40 52 13 16 17
49196 +7 11 13 3 6 7 5 7 8 5 7 8 2 5 5 4 5 5
49197 +4 5 5 6 6 6 3 4 3 0 0 0 30 32 34 158 157 158
49198 +174 174 174 156 155 156 155 154 155 165 164 165 154 153 154 37 38 37
49199 +4 0 0 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
49200 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49201 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49203 +4 0 0 4 0 0 60 73 81 167 166 167 174 174 174 163 162 163
49204 +174 174 174 174 174 174 153 152 153 26 28 28 0 0 0 3 3 3
49205 +5 5 5 4 4 4 1 1 2 7 12 15 28 67 93 18 97 151
49206 +18 97 151 18 97 151 18 97 151 18 97 151 18 97 151 26 108 161
49207 +26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
49208 +90 154 193 26 108 161 90 154 193 90 154 193 90 154 193 101 161 196
49209 +101 161 196 26 108 161 22 40 52 13 16 17 7 11 13 2 5 5
49210 +2 5 5 6 6 6 2 5 5 4 5 5 4 5 5 4 5 5
49211 +3 4 3 5 5 5 3 4 3 2 0 0 30 32 34 137 136 137
49212 +153 152 153 137 136 137 131 129 131 137 136 137 131 129 131 37 38 37
49213 +4 0 0 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
49214 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49215 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49217 +1 1 1 4 0 0 60 73 81 167 166 167 174 174 174 166 165 166
49218 +174 174 174 177 184 187 153 152 153 30 32 34 1 0 0 3 3 3
49219 +5 5 5 4 3 3 4 0 0 7 12 15 10 87 144 10 87 144
49220 +18 97 151 18 97 151 18 97 151 26 108 161 26 108 161 26 108 161
49221 +26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
49222 +26 108 161 26 108 161 26 108 161 90 154 193 90 154 193 26 108 161
49223 +35 83 115 13 16 17 7 11 13 5 7 8 3 6 7 5 7 8
49224 +2 5 5 6 6 6 4 5 5 4 5 5 3 4 3 4 5 5
49225 +3 4 3 6 6 6 3 4 3 0 0 0 26 28 28 125 124 125
49226 +131 129 131 125 124 125 125 124 125 131 129 131 131 129 131 37 38 37
49227 +4 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
49228 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49229 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49231 +3 1 0 4 0 0 60 73 81 174 174 174 177 184 187 167 166 167
49232 +174 174 174 177 184 187 153 152 153 30 32 34 0 0 0 3 3 3
49233 +5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 18 97 151
49234 +18 97 151 18 97 151 18 97 151 18 97 151 18 97 151 26 108 161
49235 +26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
49236 +26 108 161 90 154 193 26 108 161 26 108 161 24 86 132 13 20 25
49237 +7 11 13 13 20 25 22 40 52 5 7 8 3 4 3 3 4 3
49238 +4 5 5 3 4 3 4 5 5 3 4 3 4 5 5 3 4 3
49239 +4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 125 124 125
49240 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
49241 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
49242 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49243 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49245 +1 1 1 4 0 0 60 73 81 174 174 174 177 184 187 174 174 174
49246 +174 174 174 190 197 201 157 156 157 30 32 34 1 0 0 3 3 3
49247 +5 5 5 4 3 3 4 0 0 7 12 15 10 87 144 10 87 144
49248 +18 97 151 19 95 150 19 95 150 18 97 151 18 97 151 26 108 161
49249 +18 97 151 26 108 161 26 108 161 26 108 161 26 108 161 90 154 193
49250 +26 108 161 26 108 161 26 108 161 22 40 52 2 5 5 3 4 3
49251 +28 67 93 37 112 160 34 86 122 2 5 5 3 4 3 3 4 3
49252 +3 4 3 3 4 3 3 4 3 2 2 1 3 4 3 4 4 4
49253 +4 5 5 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
49254 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
49255 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
49256 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49257 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49259 +4 0 0 4 0 0 60 73 81 174 174 174 177 184 187 174 174 174
49260 +174 174 174 190 197 201 158 157 158 30 32 34 0 0 0 2 2 2
49261 +5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 18 97 151
49262 +10 87 144 19 95 150 19 95 150 18 97 151 18 97 151 18 97 151
49263 +26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
49264 +18 97 151 22 40 52 2 5 5 2 2 1 22 40 52 26 108 161
49265 +90 154 193 37 112 160 22 40 52 3 4 3 13 20 25 22 30 35
49266 +3 6 7 1 1 1 2 2 2 6 9 11 5 5 5 4 3 3
49267 +4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 131 129 131
49268 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
49269 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
49270 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49271 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49273 +1 1 1 4 0 0 60 73 81 177 184 187 193 200 203 174 174 174
49274 +177 184 187 193 200 203 163 162 163 30 32 34 4 0 0 2 2 2
49275 +5 5 5 4 3 3 4 0 0 6 10 14 24 86 132 10 87 144
49276 +10 87 144 10 87 144 19 95 150 19 95 150 19 95 150 18 97 151
49277 +26 108 161 26 108 161 26 108 161 90 154 193 26 108 161 28 67 93
49278 +6 10 14 2 5 5 13 20 25 24 86 132 37 112 160 90 154 193
49279 +10 87 144 7 12 15 2 5 5 28 67 93 37 112 160 28 67 93
49280 +2 2 1 7 12 15 35 83 115 28 67 93 3 6 7 1 0 0
49281 +4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
49282 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
49283 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
49284 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49285 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49287 +4 0 0 4 0 0 60 73 81 174 174 174 190 197 201 174 174 174
49288 +177 184 187 193 200 203 163 162 163 30 32 34 0 0 0 2 2 2
49289 +5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 10 87 144
49290 +10 87 144 16 89 141 19 95 150 10 87 144 26 108 161 26 108 161
49291 +26 108 161 26 108 161 26 108 161 28 67 93 6 10 14 1 1 2
49292 +7 12 15 28 67 93 26 108 161 16 89 141 24 86 132 21 29 34
49293 +3 4 3 21 29 34 37 112 160 37 112 160 27 99 146 21 29 34
49294 +21 29 34 26 108 161 90 154 193 35 83 115 1 1 2 2 0 0
49295 +4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 125 124 125
49296 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
49297 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
49298 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49299 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49301 +3 1 0 4 0 0 60 73 81 193 200 203 193 200 203 174 174 174
49302 +190 197 201 193 200 203 165 164 165 37 38 37 4 0 0 2 2 2
49303 +5 5 5 4 3 3 4 0 0 6 10 14 24 86 132 10 87 144
49304 +10 87 144 10 87 144 16 89 141 18 97 151 18 97 151 10 87 144
49305 +24 86 132 24 86 132 13 20 25 4 5 7 4 5 7 22 40 52
49306 +18 97 151 37 112 160 26 108 161 7 12 15 1 1 1 0 0 0
49307 +28 67 93 37 112 160 26 108 161 28 67 93 22 40 52 28 67 93
49308 +26 108 161 90 154 193 26 108 161 10 87 144 0 0 0 2 0 0
49309 +4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
49310 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
49311 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
49312 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49313 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49315 +4 0 0 6 6 6 60 73 81 174 174 174 193 200 203 174 174 174
49316 +190 197 201 193 200 203 165 164 165 30 32 34 0 0 0 2 2 2
49317 +5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 10 87 144
49318 +10 87 144 10 87 144 10 87 144 18 97 151 28 67 93 6 10 14
49319 +0 0 0 1 1 2 4 5 7 13 20 25 16 89 141 26 108 161
49320 +26 108 161 26 108 161 24 86 132 6 9 11 2 3 3 22 40 52
49321 +37 112 160 16 89 141 22 40 52 28 67 93 26 108 161 26 108 161
49322 +90 154 193 26 108 161 26 108 161 28 67 93 1 1 1 4 0 0
49323 +4 4 4 5 5 5 3 3 3 4 0 0 26 28 28 124 126 130
49324 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
49325 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
49326 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49327 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49329 +4 0 0 4 0 0 60 73 81 193 200 203 193 200 203 174 174 174
49330 +193 200 203 193 200 203 167 166 167 37 38 37 4 0 0 2 2 2
49331 +5 5 5 4 4 4 4 0 0 6 10 14 28 67 93 10 87 144
49332 +10 87 144 10 87 144 18 97 151 10 87 144 13 20 25 4 5 7
49333 +1 1 2 1 1 1 22 40 52 26 108 161 26 108 161 26 108 161
49334 +26 108 161 26 108 161 26 108 161 24 86 132 22 40 52 22 40 52
49335 +22 40 52 22 40 52 10 87 144 26 108 161 26 108 161 26 108 161
49336 +26 108 161 26 108 161 90 154 193 10 87 144 0 0 0 4 0 0
49337 +4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
49338 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
49339 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
49340 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49341 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49343 +4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
49344 +190 197 201 205 212 215 167 166 167 30 32 34 0 0 0 2 2 2
49345 +5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 10 87 144
49346 +10 87 144 10 87 144 10 87 144 10 87 144 22 40 52 1 1 2
49347 +2 0 0 1 1 2 24 86 132 26 108 161 26 108 161 26 108 161
49348 +26 108 161 19 95 150 16 89 141 10 87 144 22 40 52 22 40 52
49349 +10 87 144 26 108 161 37 112 160 26 108 161 26 108 161 26 108 161
49350 +26 108 161 26 108 161 26 108 161 28 67 93 2 0 0 3 1 0
49351 +4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 131 129 131
49352 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
49353 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
49354 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49355 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49357 +4 0 0 4 0 0 60 73 81 220 221 221 190 197 201 174 174 174
49358 +193 200 203 193 200 203 174 174 174 37 38 37 4 0 0 2 2 2
49359 +5 5 5 4 4 4 3 2 2 1 1 2 13 20 25 10 87 144
49360 +10 87 144 10 87 144 10 87 144 10 87 144 10 87 144 13 20 25
49361 +13 20 25 22 40 52 10 87 144 18 97 151 18 97 151 26 108 161
49362 +10 87 144 13 20 25 6 10 14 21 29 34 24 86 132 18 97 151
49363 +26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
49364 +26 108 161 90 154 193 18 97 151 13 20 25 0 0 0 4 3 3
49365 +4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
49366 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
49367 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
49368 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49369 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49371 +4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
49372 +190 197 201 220 221 221 167 166 167 30 32 34 1 0 0 2 2 2
49373 +5 5 5 4 4 4 4 4 5 2 5 5 4 5 7 13 20 25
49374 +28 67 93 10 87 144 10 87 144 10 87 144 10 87 144 10 87 144
49375 +10 87 144 10 87 144 18 97 151 10 87 144 18 97 151 18 97 151
49376 +28 67 93 2 3 3 0 0 0 28 67 93 26 108 161 26 108 161
49377 +26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
49378 +26 108 161 10 87 144 13 20 25 1 1 2 3 2 2 4 4 4
49379 +4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 131 129 131
49380 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
49381 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
49382 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49383 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49385 +4 0 0 4 0 0 60 73 81 220 221 221 190 197 201 174 174 174
49386 +193 200 203 193 200 203 174 174 174 26 28 28 4 0 0 4 3 3
49387 +5 5 5 4 4 4 4 4 4 4 4 5 1 1 2 2 5 5
49388 +4 5 7 22 40 52 10 87 144 10 87 144 18 97 151 10 87 144
49389 +10 87 144 10 87 144 10 87 144 10 87 144 10 87 144 18 97 151
49390 +10 87 144 28 67 93 22 40 52 10 87 144 26 108 161 18 97 151
49391 +18 97 151 18 97 151 26 108 161 26 108 161 26 108 161 26 108 161
49392 +22 40 52 1 1 2 0 0 0 2 3 3 4 4 4 4 4 4
49393 +4 4 4 5 5 5 4 4 4 0 0 0 26 28 28 131 129 131
49394 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
49395 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
49396 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49397 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49399 +4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
49400 +190 197 201 220 221 221 190 197 201 41 54 63 4 0 0 2 2 2
49401 +6 6 6 4 4 4 4 4 4 4 4 5 4 4 5 3 3 3
49402 +1 1 2 1 1 2 6 10 14 22 40 52 10 87 144 18 97 151
49403 +18 97 151 10 87 144 10 87 144 10 87 144 18 97 151 10 87 144
49404 +10 87 144 18 97 151 26 108 161 18 97 151 18 97 151 10 87 144
49405 +26 108 161 26 108 161 26 108 161 10 87 144 28 67 93 6 10 14
49406 +1 1 2 1 1 2 4 3 3 4 4 5 4 4 4 4 4 4
49407 +5 5 5 5 5 5 1 1 1 4 0 0 37 51 59 137 136 137
49408 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
49409 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
49410 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49411 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49413 +4 0 0 4 0 0 60 73 81 220 221 221 193 200 203 174 174 174
49414 +193 200 203 193 200 203 220 221 221 137 136 137 13 16 17 4 0 0
49415 +2 2 2 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5
49416 +4 4 5 4 3 3 1 1 2 4 5 7 13 20 25 28 67 93
49417 +10 87 144 10 87 144 10 87 144 10 87 144 10 87 144 10 87 144
49418 +10 87 144 18 97 151 18 97 151 10 87 144 18 97 151 26 108 161
49419 +26 108 161 18 97 151 28 67 93 6 10 14 0 0 0 0 0 0
49420 +2 3 3 4 5 5 4 4 5 4 4 4 4 4 4 5 5 5
49421 +3 3 3 1 1 1 0 0 0 16 19 21 125 124 125 137 136 137
49422 +131 129 131 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
49423 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
49424 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49425 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49427 +4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
49428 +193 200 203 190 197 201 220 221 221 220 221 221 153 152 153 30 32 34
49429 +0 0 0 0 0 0 2 2 2 4 4 4 4 4 4 4 4 4
49430 +4 4 4 4 5 5 4 5 7 1 1 2 1 1 2 4 5 7
49431 +13 20 25 28 67 93 10 87 144 18 97 151 10 87 144 10 87 144
49432 +10 87 144 10 87 144 10 87 144 18 97 151 26 108 161 18 97 151
49433 +28 67 93 7 12 15 0 0 0 0 0 0 2 2 1 4 4 4
49434 +4 5 5 4 5 5 4 4 4 4 4 4 3 3 3 0 0 0
49435 +0 0 0 0 0 0 37 38 37 125 124 125 158 157 158 131 129 131
49436 +125 124 125 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
49437 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
49438 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49439 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49441 +4 3 3 4 0 0 41 54 63 193 200 203 220 221 221 174 174 174
49442 +193 200 203 193 200 203 193 200 203 220 221 221 244 246 246 193 200 203
49443 +120 125 127 5 5 5 1 0 0 0 0 0 1 1 1 4 4 4
49444 +4 4 4 4 4 4 4 5 5 4 5 5 4 4 5 1 1 2
49445 +4 5 7 4 5 7 22 40 52 10 87 144 10 87 144 10 87 144
49446 +10 87 144 10 87 144 18 97 151 10 87 144 10 87 144 13 20 25
49447 +4 5 7 2 3 3 1 1 2 4 4 4 4 5 5 4 4 4
49448 +4 4 4 4 4 4 4 4 4 1 1 1 0 0 0 1 1 2
49449 +24 26 27 60 74 84 153 152 153 163 162 163 137 136 137 125 124 125
49450 +125 124 125 125 124 125 125 124 125 137 136 137 125 124 125 26 28 28
49451 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
49452 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49453 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49455 +4 0 0 6 6 6 26 28 28 156 155 156 220 221 221 220 221 221
49456 +174 174 174 193 200 203 193 200 203 193 200 203 205 212 215 220 221 221
49457 +220 221 221 167 166 167 60 73 81 7 11 13 0 0 0 0 0 0
49458 +3 3 3 4 4 4 4 4 4 4 4 4 4 4 5 4 4 5
49459 +4 4 5 1 1 2 1 1 2 4 5 7 22 40 52 10 87 144
49460 +10 87 144 10 87 144 10 87 144 22 40 52 4 5 7 1 1 2
49461 +1 1 2 4 4 5 4 4 4 4 4 4 4 4 4 4 4 4
49462 +5 5 5 2 2 2 0 0 0 4 0 0 16 19 21 60 73 81
49463 +137 136 137 167 166 167 158 157 158 137 136 137 131 129 131 131 129 131
49464 +125 124 125 125 124 125 131 129 131 155 154 155 60 74 84 5 7 8
49465 +0 0 0 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49466 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49467 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49469 +5 5 5 4 0 0 4 0 0 60 73 81 193 200 203 220 221 221
49470 +193 200 203 193 200 203 193 200 203 193 200 203 205 212 215 220 221 221
49471 +220 221 221 220 221 221 220 221 221 137 136 137 43 57 68 6 6 6
49472 +4 0 0 1 1 1 4 4 4 4 4 4 4 4 4 4 4 4
49473 +4 4 5 4 4 5 3 2 2 1 1 2 2 5 5 13 20 25
49474 +22 40 52 22 40 52 13 20 25 2 3 3 1 1 2 3 3 3
49475 +4 5 7 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49476 +1 1 1 0 0 0 2 3 3 41 54 63 131 129 131 166 165 166
49477 +166 165 166 155 154 155 153 152 153 137 136 137 137 136 137 125 124 125
49478 +125 124 125 137 136 137 137 136 137 125 124 125 37 38 37 4 3 3
49479 +4 3 3 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
49480 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49481 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49483 +4 3 3 6 6 6 6 6 6 13 16 17 60 73 81 167 166 167
49484 +220 221 221 220 221 221 220 221 221 193 200 203 193 200 203 193 200 203
49485 +205 212 215 220 221 221 220 221 221 244 246 246 205 212 215 125 124 125
49486 +24 26 27 0 0 0 0 0 0 2 2 2 5 5 5 5 5 5
49487 +4 4 4 4 4 4 4 4 4 4 4 5 1 1 2 4 5 7
49488 +4 5 7 4 5 7 1 1 2 3 2 2 4 4 5 4 4 4
49489 +4 4 4 4 4 4 5 5 5 4 4 4 0 0 0 0 0 0
49490 +2 0 0 26 28 28 125 124 125 174 174 174 174 174 174 166 165 166
49491 +156 155 156 153 152 153 137 136 137 137 136 137 131 129 131 137 136 137
49492 +137 136 137 137 136 137 60 74 84 30 32 34 4 0 0 4 0 0
49493 +5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49494 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49495 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49497 +5 5 5 6 6 6 4 0 0 4 0 0 6 6 6 26 28 28
49498 +125 124 125 174 174 174 220 221 221 220 221 221 220 221 221 193 200 203
49499 +205 212 215 220 221 221 205 212 215 220 221 221 220 221 221 244 246 246
49500 +193 200 203 60 74 84 13 16 17 4 0 0 0 0 0 3 3 3
49501 +5 5 5 5 5 5 4 4 4 4 4 4 4 4 5 3 3 3
49502 +1 1 2 3 3 3 4 4 5 4 4 5 4 4 4 4 4 4
49503 +5 5 5 5 5 5 2 2 2 0 0 0 0 0 0 13 16 17
49504 +60 74 84 174 174 174 193 200 203 174 174 174 167 166 167 163 162 163
49505 +153 152 153 153 152 153 137 136 137 137 136 137 153 152 153 137 136 137
49506 +125 124 125 41 54 63 24 26 27 4 0 0 4 0 0 5 5 5
49507 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49508 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49509 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49511 +4 3 3 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6
49512 +6 6 6 37 38 37 131 129 131 220 221 221 220 221 221 220 221 221
49513 +193 200 203 193 200 203 220 221 221 205 212 215 220 221 221 244 246 246
49514 +244 246 246 244 246 246 174 174 174 41 54 63 0 0 0 0 0 0
49515 +0 0 0 4 4 4 5 5 5 5 5 5 4 4 4 4 4 5
49516 +4 4 5 4 4 5 4 4 4 4 4 4 6 6 6 6 6 6
49517 +3 3 3 0 0 0 2 0 0 13 16 17 60 73 81 156 155 156
49518 +220 221 221 193 200 203 174 174 174 165 164 165 163 162 163 154 153 154
49519 +153 152 153 153 152 153 158 157 158 163 162 163 137 136 137 60 73 81
49520 +13 16 17 4 0 0 4 0 0 4 3 3 4 4 4 4 4 4
49521 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49522 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49523 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49525 +5 5 5 4 3 3 4 3 3 6 6 6 6 6 6 6 6 6
49526 +6 6 6 6 6 6 6 6 6 37 38 37 167 166 167 244 246 246
49527 +244 246 246 220 221 221 205 212 215 205 212 215 220 221 221 193 200 203
49528 +220 221 221 244 246 246 244 246 246 244 246 246 137 136 137 37 38 37
49529 +3 2 2 0 0 0 1 1 1 5 5 5 5 5 5 4 4 4
49530 +4 4 4 4 4 4 4 4 4 5 5 5 4 4 4 1 1 1
49531 +0 0 0 5 5 5 43 57 68 153 152 153 193 200 203 220 221 221
49532 +177 184 187 174 174 174 167 166 167 166 165 166 158 157 158 157 156 157
49533 +158 157 158 166 165 166 156 155 156 85 115 134 13 16 17 4 0 0
49534 +4 0 0 4 0 0 5 5 5 5 5 5 4 4 4 4 4 4
49535 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49536 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49537 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49539 +5 5 5 4 3 3 6 6 6 6 6 6 4 0 0 6 6 6
49540 +6 6 6 6 6 6 6 6 6 6 6 6 13 16 17 60 73 81
49541 +177 184 187 220 221 221 220 221 221 220 221 221 205 212 215 220 221 221
49542 +220 221 221 205 212 215 220 221 221 244 246 246 244 246 246 205 212 215
49543 +125 124 125 30 32 34 0 0 0 0 0 0 2 2 2 5 5 5
49544 +4 4 4 4 4 4 4 4 4 1 1 1 0 0 0 1 0 0
49545 +37 38 37 131 129 131 205 212 215 220 221 221 193 200 203 174 174 174
49546 +174 174 174 174 174 174 167 166 167 165 164 165 166 165 166 167 166 167
49547 +158 157 158 125 124 125 37 38 37 4 0 0 4 0 0 4 0 0
49548 +4 3 3 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
49549 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49550 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49551 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49553 +4 4 4 5 5 5 4 3 3 4 3 3 6 6 6 6 6 6
49554 +4 0 0 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6
49555 +26 28 28 125 124 125 205 212 215 220 221 221 220 221 221 220 221 221
49556 +205 212 215 220 221 221 205 212 215 220 221 221 220 221 221 244 246 246
49557 +244 246 246 190 197 201 60 74 84 16 19 21 4 0 0 0 0 0
49558 +0 0 0 0 0 0 0 0 0 0 0 0 16 19 21 120 125 127
49559 +177 184 187 220 221 221 205 212 215 177 184 187 174 174 174 177 184 187
49560 +174 174 174 174 174 174 167 166 167 174 174 174 166 165 166 137 136 137
49561 +60 73 81 13 16 17 4 0 0 4 0 0 4 3 3 6 6 6
49562 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49563 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49564 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49565 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49567 +5 5 5 4 3 3 5 5 5 4 3 3 6 6 6 4 0 0
49568 +6 6 6 6 6 6 4 0 0 6 6 6 4 0 0 6 6 6
49569 +6 6 6 6 6 6 37 38 37 137 136 137 193 200 203 220 221 221
49570 +220 221 221 205 212 215 220 221 221 205 212 215 205 212 215 220 221 221
49571 +220 221 221 220 221 221 244 246 246 166 165 166 43 57 68 2 2 2
49572 +0 0 0 4 0 0 16 19 21 60 73 81 157 156 157 202 210 214
49573 +220 221 221 193 200 203 177 184 187 177 184 187 177 184 187 174 174 174
49574 +174 174 174 174 174 174 174 174 174 157 156 157 60 74 84 24 26 27
49575 +4 0 0 4 0 0 4 0 0 6 6 6 4 4 4 4 4 4
49576 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49577 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49578 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49579 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49581 +4 4 4 4 4 4 5 5 5 4 3 3 5 5 5 6 6 6
49582 +6 6 6 4 0 0 6 6 6 6 6 6 6 6 6 4 0 0
49583 +4 0 0 4 0 0 6 6 6 24 26 27 60 73 81 167 166 167
49584 +220 221 221 220 221 221 220 221 221 205 212 215 205 212 215 205 212 215
49585 +205 212 215 220 221 221 220 221 221 220 221 221 205 212 215 137 136 137
49586 +60 74 84 125 124 125 137 136 137 190 197 201 220 221 221 193 200 203
49587 +177 184 187 177 184 187 177 184 187 174 174 174 174 174 174 177 184 187
49588 +190 197 201 174 174 174 125 124 125 37 38 37 6 6 6 4 0 0
49589 +4 0 0 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49590 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49591 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49592 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49593 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49595 +4 4 4 4 4 4 5 5 5 5 5 5 4 3 3 6 6 6
49596 +4 0 0 6 6 6 6 6 6 6 6 6 4 0 0 6 6 6
49597 +6 6 6 6 6 6 4 0 0 4 0 0 6 6 6 6 6 6
49598 +125 124 125 193 200 203 244 246 246 220 221 221 205 212 215 205 212 215
49599 +205 212 215 193 200 203 205 212 215 205 212 215 220 221 221 220 221 221
49600 +193 200 203 193 200 203 205 212 215 193 200 203 193 200 203 177 184 187
49601 +190 197 201 190 197 201 174 174 174 190 197 201 193 200 203 190 197 201
49602 +153 152 153 60 73 81 4 0 0 4 0 0 4 0 0 3 2 2
49603 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49604 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49605 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49606 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49607 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49609 +4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 4 3 3
49610 +6 6 6 4 3 3 4 3 3 4 3 3 6 6 6 6 6 6
49611 +4 0 0 6 6 6 6 6 6 6 6 6 4 0 0 4 0 0
49612 +4 0 0 26 28 28 131 129 131 220 221 221 244 246 246 220 221 221
49613 +205 212 215 193 200 203 205 212 215 193 200 203 193 200 203 205 212 215
49614 +220 221 221 193 200 203 193 200 203 193 200 203 190 197 201 174 174 174
49615 +174 174 174 190 197 201 193 200 203 193 200 203 167 166 167 125 124 125
49616 +6 6 6 4 0 0 4 0 0 4 3 3 4 4 4 4 4 4
49617 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49618 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49619 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49620 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49621 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49623 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
49624 +5 5 5 4 3 3 5 5 5 6 6 6 4 3 3 5 5 5
49625 +6 6 6 6 6 6 4 0 0 6 6 6 6 6 6 6 6 6
49626 +4 0 0 4 0 0 6 6 6 41 54 63 158 157 158 220 221 221
49627 +220 221 221 220 221 221 193 200 203 193 200 203 193 200 203 190 197 201
49628 +190 197 201 190 197 201 190 197 201 190 197 201 174 174 174 193 200 203
49629 +193 200 203 220 221 221 174 174 174 125 124 125 37 38 37 4 0 0
49630 +4 0 0 4 3 3 6 6 6 4 4 4 4 4 4 4 4 4
49631 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49632 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49633 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49634 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49635 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49637 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49638 +4 4 4 5 5 5 4 3 3 4 3 3 4 3 3 5 5 5
49639 +4 3 3 6 6 6 5 5 5 4 3 3 6 6 6 6 6 6
49640 +6 6 6 6 6 6 4 0 0 4 0 0 13 16 17 60 73 81
49641 +174 174 174 220 221 221 220 221 221 205 212 215 190 197 201 174 174 174
49642 +193 200 203 174 174 174 190 197 201 174 174 174 193 200 203 220 221 221
49643 +193 200 203 131 129 131 37 38 37 6 6 6 4 0 0 4 0 0
49644 +6 6 6 6 6 6 4 3 3 5 5 5 4 4 4 4 4 4
49645 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49646 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49647 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49648 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49649 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49651 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49652 +4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 5 5 5
49653 +5 5 5 4 3 3 4 3 3 5 5 5 4 3 3 4 3 3
49654 +5 5 5 6 6 6 6 6 6 4 0 0 6 6 6 6 6 6
49655 +6 6 6 125 124 125 174 174 174 220 221 221 220 221 221 193 200 203
49656 +193 200 203 193 200 203 193 200 203 193 200 203 220 221 221 158 157 158
49657 +60 73 81 6 6 6 4 0 0 4 0 0 5 5 5 6 6 6
49658 +5 5 5 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
49659 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49660 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49661 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49662 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49663 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49665 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49666 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49667 +4 4 4 5 5 5 5 5 5 4 3 3 5 5 5 4 3 3
49668 +5 5 5 5 5 5 6 6 6 6 6 6 4 0 0 4 0 0
49669 +4 0 0 4 0 0 26 28 28 125 124 125 174 174 174 193 200 203
49670 +193 200 203 174 174 174 193 200 203 167 166 167 125 124 125 6 6 6
49671 +6 6 6 6 6 6 4 0 0 6 6 6 6 6 6 5 5 5
49672 +4 3 3 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
49673 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49674 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49675 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49676 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49677 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49679 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49680 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49681 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
49682 +4 3 3 6 6 6 4 0 0 6 6 6 6 6 6 6 6 6
49683 +6 6 6 4 0 0 4 0 0 6 6 6 37 38 37 125 124 125
49684 +153 152 153 131 129 131 125 124 125 37 38 37 6 6 6 6 6 6
49685 +6 6 6 4 0 0 6 6 6 6 6 6 4 3 3 5 5 5
49686 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49687 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49688 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49689 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49690 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49691 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49693 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49694 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49695 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49696 +4 4 4 5 5 5 5 5 5 4 3 3 5 5 5 4 3 3
49697 +6 6 6 6 6 6 4 0 0 4 0 0 6 6 6 6 6 6
49698 +24 26 27 24 26 27 6 6 6 6 6 6 6 6 6 4 0 0
49699 +6 6 6 6 6 6 4 0 0 6 6 6 5 5 5 4 3 3
49700 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49701 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49702 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49703 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49704 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49705 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49707 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49708 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49709 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49710 +4 4 4 4 4 4 5 5 5 4 3 3 5 5 5 6 6 6
49711 +4 0 0 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6
49712 +6 6 6 6 6 6 6 6 6 4 0 0 6 6 6 6 6 6
49713 +4 0 0 6 6 6 6 6 6 4 3 3 5 5 5 4 4 4
49714 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49715 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49716 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49717 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49718 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49719 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49721 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49722 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49723 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49724 +4 4 4 4 4 4 4 4 4 5 5 5 4 3 3 5 5 5
49725 +5 5 5 5 5 5 4 0 0 6 6 6 4 0 0 6 6 6
49726 +6 6 6 6 6 6 6 6 6 4 0 0 6 6 6 4 0 0
49727 +6 6 6 4 3 3 5 5 5 4 3 3 5 5 5 4 4 4
49728 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49729 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49730 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49731 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49732 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49733 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49735 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49736 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49737 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49738 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
49739 +4 3 3 6 6 6 4 3 3 6 6 6 6 6 6 6 6 6
49740 +4 0 0 6 6 6 4 0 0 6 6 6 6 6 6 6 6 6
49741 +6 6 6 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
49742 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49743 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49744 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49745 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49746 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49747 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49749 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49750 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49751 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49752 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49753 +4 4 4 5 5 5 4 3 3 5 5 5 4 0 0 6 6 6
49754 +6 6 6 4 0 0 6 6 6 6 6 6 4 0 0 6 6 6
49755 +4 3 3 5 5 5 5 5 5 4 4 4 4 4 4 4 4 4
49756 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49757 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49758 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49759 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49760 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49761 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49763 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49764 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49765 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49766 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49767 +4 4 4 5 5 5 4 3 3 5 5 5 6 6 6 4 3 3
49768 +4 3 3 6 6 6 6 6 6 4 3 3 6 6 6 4 3 3
49769 +5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49770 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49771 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49772 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49773 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49774 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49775 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49777 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49778 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49779 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49780 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49781 +4 4 4 4 4 4 4 4 4 5 5 5 4 3 3 6 6 6
49782 +5 5 5 4 3 3 4 3 3 4 3 3 5 5 5 5 5 5
49783 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49784 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49785 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49786 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49787 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49788 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49789 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49791 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49792 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49793 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49794 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49795 +4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 4 3 3
49796 +5 5 5 4 3 3 5 5 5 5 5 5 4 4 4 4 4 4
49797 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49798 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49799 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49800 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49801 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49802 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49803 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
49805 diff --git a/drivers/video/mb862xx/mb862xxfb_accel.c b/drivers/video/mb862xx/mb862xxfb_accel.c
49806 index fe92eed..106e085 100644
49807 --- a/drivers/video/mb862xx/mb862xxfb_accel.c
49808 +++ b/drivers/video/mb862xx/mb862xxfb_accel.c
49809 @@ -312,14 +312,18 @@ void mb862xxfb_init_accel(struct fb_info *info, int xres)
49810 struct mb862xxfb_par *par = info->par;
49812 if (info->var.bits_per_pixel == 32) {
49813 - info->fbops->fb_fillrect = cfb_fillrect;
49814 - info->fbops->fb_copyarea = cfb_copyarea;
49815 - info->fbops->fb_imageblit = cfb_imageblit;
49816 + pax_open_kernel();
49817 + *(void **)&info->fbops->fb_fillrect = cfb_fillrect;
49818 + *(void **)&info->fbops->fb_copyarea = cfb_copyarea;
49819 + *(void **)&info->fbops->fb_imageblit = cfb_imageblit;
49820 + pax_close_kernel();
49822 outreg(disp, GC_L0EM, 3);
49823 - info->fbops->fb_fillrect = mb86290fb_fillrect;
49824 - info->fbops->fb_copyarea = mb86290fb_copyarea;
49825 - info->fbops->fb_imageblit = mb86290fb_imageblit;
49826 + pax_open_kernel();
49827 + *(void **)&info->fbops->fb_fillrect = mb86290fb_fillrect;
49828 + *(void **)&info->fbops->fb_copyarea = mb86290fb_copyarea;
49829 + *(void **)&info->fbops->fb_imageblit = mb86290fb_imageblit;
49830 + pax_close_kernel();
49832 outreg(draw, GDC_REG_DRAW_BASE, 0);
49833 outreg(draw, GDC_REG_MODE_MISC, 0x8000);
49834 diff --git a/drivers/video/nvidia/nvidia.c b/drivers/video/nvidia/nvidia.c
49835 index ff22871..b129bed 100644
49836 --- a/drivers/video/nvidia/nvidia.c
49837 +++ b/drivers/video/nvidia/nvidia.c
49838 @@ -669,19 +669,23 @@ static int nvidiafb_set_par(struct fb_info *info)
49839 info->fix.line_length = (info->var.xres_virtual *
49840 info->var.bits_per_pixel) >> 3;
49841 if (info->var.accel_flags) {
49842 - info->fbops->fb_imageblit = nvidiafb_imageblit;
49843 - info->fbops->fb_fillrect = nvidiafb_fillrect;
49844 - info->fbops->fb_copyarea = nvidiafb_copyarea;
49845 - info->fbops->fb_sync = nvidiafb_sync;
49846 + pax_open_kernel();
49847 + *(void **)&info->fbops->fb_imageblit = nvidiafb_imageblit;
49848 + *(void **)&info->fbops->fb_fillrect = nvidiafb_fillrect;
49849 + *(void **)&info->fbops->fb_copyarea = nvidiafb_copyarea;
49850 + *(void **)&info->fbops->fb_sync = nvidiafb_sync;
49851 + pax_close_kernel();
49852 info->pixmap.scan_align = 4;
49853 info->flags &= ~FBINFO_HWACCEL_DISABLED;
49854 info->flags |= FBINFO_READS_FAST;
49855 NVResetGraphics(info);
49857 - info->fbops->fb_imageblit = cfb_imageblit;
49858 - info->fbops->fb_fillrect = cfb_fillrect;
49859 - info->fbops->fb_copyarea = cfb_copyarea;
49860 - info->fbops->fb_sync = NULL;
49861 + pax_open_kernel();
49862 + *(void **)&info->fbops->fb_imageblit = cfb_imageblit;
49863 + *(void **)&info->fbops->fb_fillrect = cfb_fillrect;
49864 + *(void **)&info->fbops->fb_copyarea = cfb_copyarea;
49865 + *(void **)&info->fbops->fb_sync = NULL;
49866 + pax_close_kernel();
49867 info->pixmap.scan_align = 1;
49868 info->flags |= FBINFO_HWACCEL_DISABLED;
49869 info->flags &= ~FBINFO_READS_FAST;
49870 @@ -1173,8 +1177,11 @@ static int nvidia_set_fbinfo(struct fb_info *info)
49871 info->pixmap.size = 8 * 1024;
49872 info->pixmap.flags = FB_PIXMAP_SYSTEM;
49875 - info->fbops->fb_cursor = NULL;
49877 + pax_open_kernel();
49878 + *(void **)&info->fbops->fb_cursor = NULL;
49879 + pax_close_kernel();
49882 info->var.accel_flags = (!noaccel);
49884 diff --git a/drivers/video/output.c b/drivers/video/output.c
49885 index 0d6f2cd..6285b97 100644
49886 --- a/drivers/video/output.c
49887 +++ b/drivers/video/output.c
49888 @@ -97,7 +97,7 @@ struct output_device *video_output_register(const char *name,
49889 new_dev->props = op;
49890 new_dev->dev.class = &video_output_class;
49891 new_dev->dev.parent = dev;
49892 - dev_set_name(&new_dev->dev, name);
49893 + dev_set_name(&new_dev->dev, "%s", name);
49894 dev_set_drvdata(&new_dev->dev, devdata);
49895 ret_code = device_register(&new_dev->dev);
49897 diff --git a/drivers/video/s1d13xxxfb.c b/drivers/video/s1d13xxxfb.c
49898 index 05c2dc3..ea1f391 100644
49899 --- a/drivers/video/s1d13xxxfb.c
49900 +++ b/drivers/video/s1d13xxxfb.c
49901 @@ -881,8 +881,10 @@ static int s1d13xxxfb_probe(struct platform_device *pdev)
49904 case S1D13506_PROD_ID: /* activate acceleration */
49905 - s1d13xxxfb_fbops.fb_fillrect = s1d13xxxfb_bitblt_solidfill;
49906 - s1d13xxxfb_fbops.fb_copyarea = s1d13xxxfb_bitblt_copyarea;
49907 + pax_open_kernel();
49908 + *(void **)&s1d13xxxfb_fbops.fb_fillrect = s1d13xxxfb_bitblt_solidfill;
49909 + *(void **)&s1d13xxxfb_fbops.fb_copyarea = s1d13xxxfb_bitblt_copyarea;
49910 + pax_close_kernel();
49911 info->flags = FBINFO_DEFAULT | FBINFO_HWACCEL_YPAN |
49912 FBINFO_HWACCEL_FILLRECT | FBINFO_HWACCEL_COPYAREA;
49914 diff --git a/drivers/video/smscufx.c b/drivers/video/smscufx.c
49915 index b2b33fc..f9f4658 100644
49916 --- a/drivers/video/smscufx.c
49917 +++ b/drivers/video/smscufx.c
49918 @@ -1175,7 +1175,9 @@ static int ufx_ops_release(struct fb_info *info, int user)
49919 fb_deferred_io_cleanup(info);
49920 kfree(info->fbdefio);
49921 info->fbdefio = NULL;
49922 - info->fbops->fb_mmap = ufx_ops_mmap;
49923 + pax_open_kernel();
49924 + *(void **)&info->fbops->fb_mmap = ufx_ops_mmap;
49925 + pax_close_kernel();
49928 pr_debug("released /dev/fb%d user=%d count=%d",
49929 diff --git a/drivers/video/udlfb.c b/drivers/video/udlfb.c
49930 index ec03e72..f578436 100644
49931 --- a/drivers/video/udlfb.c
49932 +++ b/drivers/video/udlfb.c
49933 @@ -623,11 +623,11 @@ int dlfb_handle_damage(struct dlfb_data *dev, int x, int y,
49934 dlfb_urb_completion(urb);
49937 - atomic_add(bytes_sent, &dev->bytes_sent);
49938 - atomic_add(bytes_identical, &dev->bytes_identical);
49939 - atomic_add(width*height*2, &dev->bytes_rendered);
49940 + atomic_add_unchecked(bytes_sent, &dev->bytes_sent);
49941 + atomic_add_unchecked(bytes_identical, &dev->bytes_identical);
49942 + atomic_add_unchecked(width*height*2, &dev->bytes_rendered);
49943 end_cycles = get_cycles();
49944 - atomic_add(((unsigned int) ((end_cycles - start_cycles)
49945 + atomic_add_unchecked(((unsigned int) ((end_cycles - start_cycles)
49946 >> 10)), /* Kcycles */
49947 &dev->cpu_kcycles_used);
49949 @@ -748,11 +748,11 @@ static void dlfb_dpy_deferred_io(struct fb_info *info,
49950 dlfb_urb_completion(urb);
49953 - atomic_add(bytes_sent, &dev->bytes_sent);
49954 - atomic_add(bytes_identical, &dev->bytes_identical);
49955 - atomic_add(bytes_rendered, &dev->bytes_rendered);
49956 + atomic_add_unchecked(bytes_sent, &dev->bytes_sent);
49957 + atomic_add_unchecked(bytes_identical, &dev->bytes_identical);
49958 + atomic_add_unchecked(bytes_rendered, &dev->bytes_rendered);
49959 end_cycles = get_cycles();
49960 - atomic_add(((unsigned int) ((end_cycles - start_cycles)
49961 + atomic_add_unchecked(((unsigned int) ((end_cycles - start_cycles)
49962 >> 10)), /* Kcycles */
49963 &dev->cpu_kcycles_used);
49965 @@ -993,7 +993,9 @@ static int dlfb_ops_release(struct fb_info *info, int user)
49966 fb_deferred_io_cleanup(info);
49967 kfree(info->fbdefio);
49968 info->fbdefio = NULL;
49969 - info->fbops->fb_mmap = dlfb_ops_mmap;
49970 + pax_open_kernel();
49971 + *(void **)&info->fbops->fb_mmap = dlfb_ops_mmap;
49972 + pax_close_kernel();
49975 pr_warn("released /dev/fb%d user=%d count=%d\n",
49976 @@ -1376,7 +1378,7 @@ static ssize_t metrics_bytes_rendered_show(struct device *fbdev,
49977 struct fb_info *fb_info = dev_get_drvdata(fbdev);
49978 struct dlfb_data *dev = fb_info->par;
49979 return snprintf(buf, PAGE_SIZE, "%u\n",
49980 - atomic_read(&dev->bytes_rendered));
49981 + atomic_read_unchecked(&dev->bytes_rendered));
49984 static ssize_t metrics_bytes_identical_show(struct device *fbdev,
49985 @@ -1384,7 +1386,7 @@ static ssize_t metrics_bytes_identical_show(struct device *fbdev,
49986 struct fb_info *fb_info = dev_get_drvdata(fbdev);
49987 struct dlfb_data *dev = fb_info->par;
49988 return snprintf(buf, PAGE_SIZE, "%u\n",
49989 - atomic_read(&dev->bytes_identical));
49990 + atomic_read_unchecked(&dev->bytes_identical));
49993 static ssize_t metrics_bytes_sent_show(struct device *fbdev,
49994 @@ -1392,7 +1394,7 @@ static ssize_t metrics_bytes_sent_show(struct device *fbdev,
49995 struct fb_info *fb_info = dev_get_drvdata(fbdev);
49996 struct dlfb_data *dev = fb_info->par;
49997 return snprintf(buf, PAGE_SIZE, "%u\n",
49998 - atomic_read(&dev->bytes_sent));
49999 + atomic_read_unchecked(&dev->bytes_sent));
50002 static ssize_t metrics_cpu_kcycles_used_show(struct device *fbdev,
50003 @@ -1400,7 +1402,7 @@ static ssize_t metrics_cpu_kcycles_used_show(struct device *fbdev,
50004 struct fb_info *fb_info = dev_get_drvdata(fbdev);
50005 struct dlfb_data *dev = fb_info->par;
50006 return snprintf(buf, PAGE_SIZE, "%u\n",
50007 - atomic_read(&dev->cpu_kcycles_used));
50008 + atomic_read_unchecked(&dev->cpu_kcycles_used));
50011 static ssize_t edid_show(
50012 @@ -1460,10 +1462,10 @@ static ssize_t metrics_reset_store(struct device *fbdev,
50013 struct fb_info *fb_info = dev_get_drvdata(fbdev);
50014 struct dlfb_data *dev = fb_info->par;
50016 - atomic_set(&dev->bytes_rendered, 0);
50017 - atomic_set(&dev->bytes_identical, 0);
50018 - atomic_set(&dev->bytes_sent, 0);
50019 - atomic_set(&dev->cpu_kcycles_used, 0);
50020 + atomic_set_unchecked(&dev->bytes_rendered, 0);
50021 + atomic_set_unchecked(&dev->bytes_identical, 0);
50022 + atomic_set_unchecked(&dev->bytes_sent, 0);
50023 + atomic_set_unchecked(&dev->cpu_kcycles_used, 0);
50027 diff --git a/drivers/video/uvesafb.c b/drivers/video/uvesafb.c
50028 index e328a61..1b08ecb 100644
50029 --- a/drivers/video/uvesafb.c
50030 +++ b/drivers/video/uvesafb.c
50032 #include <linux/io.h>
50033 #include <linux/mutex.h>
50034 #include <linux/slab.h>
50035 +#include <linux/moduleloader.h>
50036 #include <video/edid.h>
50037 #include <video/uvesafb.h>
50039 @@ -569,10 +570,32 @@ static int uvesafb_vbe_getpmi(struct uvesafb_ktask *task,
50040 if ((task->t.regs.eax & 0xffff) != 0x4f || task->t.regs.es < 0xc000) {
50041 par->pmi_setpal = par->ypan = 0;
50044 +#ifdef CONFIG_PAX_KERNEXEC
50045 +#ifdef CONFIG_MODULES
50046 + par->pmi_code = module_alloc_exec((u16)task->t.regs.ecx);
50048 + if (!par->pmi_code) {
50049 + par->pmi_setpal = par->ypan = 0;
50054 par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
50055 + task->t.regs.edi);
50057 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
50058 + pax_open_kernel();
50059 + memcpy(par->pmi_code, par->pmi_base, (u16)task->t.regs.ecx);
50060 + pax_close_kernel();
50062 + par->pmi_start = ktva_ktla(par->pmi_code + par->pmi_base[1]);
50063 + par->pmi_pal = ktva_ktla(par->pmi_code + par->pmi_base[2]);
50065 par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];
50066 par->pmi_pal = (u8 *)par->pmi_base + par->pmi_base[2];
50069 printk(KERN_INFO "uvesafb: protected mode interface info at "
50071 (u16)task->t.regs.es, (u16)task->t.regs.edi);
50072 @@ -817,13 +840,14 @@ static int uvesafb_vbe_init(struct fb_info *info)
50075 if (par->pmi_setpal || par->ypan) {
50076 +#if !defined(CONFIG_MODULES) || !defined(CONFIG_PAX_KERNEXEC)
50077 if (__supported_pte_mask & _PAGE_NX) {
50078 par->pmi_setpal = par->ypan = 0;
50079 printk(KERN_WARNING "uvesafb: NX protection is actively."
50080 "We have better not to use the PMI.\n");
50084 uvesafb_vbe_getpmi(task, par);
50088 /* The protected mode interface is not available on non-x86. */
50089 @@ -1457,8 +1481,11 @@ static void uvesafb_init_info(struct fb_info *info, struct vbe_mode_ib *mode)
50090 info->fix.ywrapstep = (par->ypan > 1) ? 1 : 0;
50092 /* Disable blanking if the user requested so. */
50094 - info->fbops->fb_blank = NULL;
50096 + pax_open_kernel();
50097 + *(void **)&info->fbops->fb_blank = NULL;
50098 + pax_close_kernel();
50102 * Find out how much IO memory is required for the mode with
50103 @@ -1534,8 +1561,11 @@ static void uvesafb_init_info(struct fb_info *info, struct vbe_mode_ib *mode)
50104 info->flags = FBINFO_FLAG_DEFAULT |
50105 (par->ypan ? FBINFO_HWACCEL_YPAN : 0);
50108 - info->fbops->fb_pan_display = NULL;
50109 + if (!par->ypan) {
50110 + pax_open_kernel();
50111 + *(void **)&info->fbops->fb_pan_display = NULL;
50112 + pax_close_kernel();
50116 static void uvesafb_init_mtrr(struct fb_info *info)
50117 @@ -1836,6 +1866,11 @@ out:
50118 if (par->vbe_modes)
50119 kfree(par->vbe_modes);
50121 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
50122 + if (par->pmi_code)
50123 + module_free_exec(NULL, par->pmi_code);
50126 framebuffer_release(info);
50129 @@ -1862,6 +1897,12 @@ static int uvesafb_remove(struct platform_device *dev)
50130 kfree(par->vbe_state_orig);
50131 if (par->vbe_state_saved)
50132 kfree(par->vbe_state_saved);
50134 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
50135 + if (par->pmi_code)
50136 + module_free_exec(NULL, par->pmi_code);
50141 framebuffer_release(info);
50142 diff --git a/drivers/video/vesafb.c b/drivers/video/vesafb.c
50143 index 501b340..d80aa17 100644
50144 --- a/drivers/video/vesafb.c
50145 +++ b/drivers/video/vesafb.c
50149 #include <linux/module.h>
50150 +#include <linux/moduleloader.h>
50151 #include <linux/kernel.h>
50152 #include <linux/errno.h>
50153 #include <linux/string.h>
50154 @@ -52,8 +53,8 @@ static int vram_remap __initdata; /* Set amount of memory to be used */
50155 static int vram_total __initdata; /* Set total amount of memory */
50156 static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
50157 static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
50158 -static void (*pmi_start)(void) __read_mostly;
50159 -static void (*pmi_pal) (void) __read_mostly;
50160 +static void (*pmi_start)(void) __read_only;
50161 +static void (*pmi_pal) (void) __read_only;
50162 static int depth __read_mostly;
50163 static int vga_compat __read_mostly;
50164 /* --------------------------------------------------------------------- */
50165 @@ -233,6 +234,7 @@ static int __init vesafb_probe(struct platform_device *dev)
50166 unsigned int size_vmode;
50167 unsigned int size_remap;
50168 unsigned int size_total;
50169 + void *pmi_code = NULL;
50171 if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
50173 @@ -275,10 +277,6 @@ static int __init vesafb_probe(struct platform_device *dev)
50174 size_remap = size_total;
50175 vesafb_fix.smem_len = size_remap;
50178 - screen_info.vesapm_seg = 0;
50181 if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
50182 printk(KERN_WARNING
50183 "vesafb: cannot reserve video memory at 0x%lx\n",
50184 @@ -307,9 +305,21 @@ static int __init vesafb_probe(struct platform_device *dev)
50185 printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
50186 vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
50190 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
50191 + pmi_code = module_alloc_exec(screen_info.vesapm_size);
50193 +#elif !defined(CONFIG_PAX_KERNEXEC)
50198 + screen_info.vesapm_seg = 0;
50200 if (screen_info.vesapm_seg) {
50201 - printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
50202 - screen_info.vesapm_seg,screen_info.vesapm_off);
50203 + printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
50204 + screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
50207 if (screen_info.vesapm_seg < 0xc000)
50208 @@ -317,9 +327,25 @@ static int __init vesafb_probe(struct platform_device *dev)
50210 if (ypan || pmi_setpal) {
50211 unsigned short *pmi_base;
50213 pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
50214 - pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
50215 - pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
50217 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
50218 + pax_open_kernel();
50219 + memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
50221 + pmi_code = pmi_base;
50224 + pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
50225 + pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
50227 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
50228 + pmi_start = ktva_ktla(pmi_start);
50229 + pmi_pal = ktva_ktla(pmi_pal);
50230 + pax_close_kernel();
50233 printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
50235 printk(KERN_INFO "vesafb: pmi: ports = ");
50236 @@ -472,8 +498,11 @@ static int __init vesafb_probe(struct platform_device *dev)
50237 info->flags = FBINFO_FLAG_DEFAULT | FBINFO_MISC_FIRMWARE |
50238 (ypan ? FBINFO_HWACCEL_YPAN : 0);
50241 - info->fbops->fb_pan_display = NULL;
50243 + pax_open_kernel();
50244 + *(void **)&info->fbops->fb_pan_display = NULL;
50245 + pax_close_kernel();
50248 if (fb_alloc_cmap(&info->cmap, 256, 0) < 0) {
50250 @@ -488,6 +517,11 @@ static int __init vesafb_probe(struct platform_device *dev)
50251 info->node, info->fix.id);
50255 +#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
50256 + module_free_exec(NULL, pmi_code);
50259 if (info->screen_base)
50260 iounmap(info->screen_base);
50261 framebuffer_release(info);
50262 diff --git a/drivers/video/via/via_clock.h b/drivers/video/via/via_clock.h
50263 index 88714ae..16c2e11 100644
50264 --- a/drivers/video/via/via_clock.h
50265 +++ b/drivers/video/via/via_clock.h
50266 @@ -56,7 +56,7 @@ struct via_clock {
50268 void (*set_engine_pll_state)(u8 state);
50269 void (*set_engine_pll)(struct via_pll_config config);
50274 static inline u32 get_pll_internal_frequency(u32 ref_freq,
50275 diff --git a/drivers/xen/xenfs/xenstored.c b/drivers/xen/xenfs/xenstored.c
50276 index fef20db..d28b1ab 100644
50277 --- a/drivers/xen/xenfs/xenstored.c
50278 +++ b/drivers/xen/xenfs/xenstored.c
50279 @@ -24,7 +24,12 @@ static int xsd_release(struct inode *inode, struct file *file)
50280 static int xsd_kva_open(struct inode *inode, struct file *file)
50282 file->private_data = (void *)kasprintf(GFP_KERNEL, "0x%p",
50283 +#ifdef CONFIG_GRKERNSEC_HIDESYM
50286 xen_store_interface);
50289 if (!file->private_data)
50292 diff --git a/fs/9p/vfs_addr.c b/fs/9p/vfs_addr.c
50293 index 055562c..fdfb10d 100644
50294 --- a/fs/9p/vfs_addr.c
50295 +++ b/fs/9p/vfs_addr.c
50296 @@ -186,7 +186,7 @@ static int v9fs_vfs_writepage_locked(struct page *page)
50298 retval = v9fs_file_write_internal(inode,
50299 v9inode->writeback_fid,
50300 - (__force const char __user *)buffer,
50301 + (const char __force_user *)buffer,
50305 diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c
50306 index d86edc8..40ff2fb 100644
50307 --- a/fs/9p/vfs_inode.c
50308 +++ b/fs/9p/vfs_inode.c
50309 @@ -1314,7 +1314,7 @@ static void *v9fs_vfs_follow_link(struct dentry *dentry, struct nameidata *nd)
50311 v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
50313 - char *s = nd_get_link(nd);
50314 + const char *s = nd_get_link(nd);
50316 p9_debug(P9_DEBUG_VFS, " %s %s\n",
50317 dentry->d_name.name, IS_ERR(s) ? "<error>" : s);
50318 diff --git a/fs/Kconfig.binfmt b/fs/Kconfig.binfmt
50319 index 370b24c..ff0be7b 100644
50320 --- a/fs/Kconfig.binfmt
50321 +++ b/fs/Kconfig.binfmt
50322 @@ -103,7 +103,7 @@ config HAVE_AOUT
50325 tristate "Kernel support for a.out and ECOFF binaries"
50326 - depends on HAVE_AOUT
50327 + depends on HAVE_AOUT && BROKEN
50329 A.out (Assembler.OUTput) is a set of formats for libraries and
50330 executables used in the earliest versions of UNIX. Linux used
50331 diff --git a/fs/aio.c b/fs/aio.c
50332 index 2bbcacf..8614116 100644
50335 @@ -160,7 +160,7 @@ static int aio_setup_ring(struct kioctx *ctx)
50336 size += sizeof(struct io_event) * nr_events;
50337 nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
50339 - if (nr_pages < 0)
50340 + if (nr_pages <= 0)
50343 nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
50344 @@ -950,6 +950,7 @@ static ssize_t aio_rw_vect_retry(struct kiocb *iocb, int rw, aio_rw_op *rw_op)
50345 static ssize_t aio_setup_vectored_rw(int rw, struct kiocb *kiocb, bool compat)
50348 + struct iovec iovstack;
50350 kiocb->ki_nr_segs = kiocb->ki_nbytes;
50352 @@ -957,17 +958,22 @@ static ssize_t aio_setup_vectored_rw(int rw, struct kiocb *kiocb, bool compat)
50354 ret = compat_rw_copy_check_uvector(rw,
50355 (struct compat_iovec __user *)kiocb->ki_buf,
50356 - kiocb->ki_nr_segs, 1, &kiocb->ki_inline_vec,
50357 + kiocb->ki_nr_segs, 1, &iovstack,
50361 ret = rw_copy_check_uvector(rw,
50362 (struct iovec __user *)kiocb->ki_buf,
50363 - kiocb->ki_nr_segs, 1, &kiocb->ki_inline_vec,
50364 + kiocb->ki_nr_segs, 1, &iovstack,
50369 + if (kiocb->ki_iovec == &iovstack) {
50370 + kiocb->ki_inline_vec = iovstack;
50371 + kiocb->ki_iovec = &kiocb->ki_inline_vec;
50374 /* ki_nbytes now reflect bytes instead of segs */
50375 kiocb->ki_nbytes = ret;
50377 diff --git a/fs/attr.c b/fs/attr.c
50378 index 1449adb..a2038c2 100644
50381 @@ -102,6 +102,7 @@ int inode_newsize_ok(const struct inode *inode, loff_t offset)
50382 unsigned long limit;
50384 limit = rlimit(RLIMIT_FSIZE);
50385 + gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
50386 if (limit != RLIM_INFINITY && offset > limit)
50388 if (offset > inode->i_sb->s_maxbytes)
50389 diff --git a/fs/autofs4/waitq.c b/fs/autofs4/waitq.c
50390 index 3db70da..7aeec5b 100644
50391 --- a/fs/autofs4/waitq.c
50392 +++ b/fs/autofs4/waitq.c
50393 @@ -59,7 +59,7 @@ static int autofs4_write(struct autofs_sb_info *sbi,
50395 unsigned long sigpipe, flags;
50397 - const char *data = (const char *)addr;
50398 + const char __user *data = (const char __force_user *)addr;
50401 sigpipe = sigismember(¤t->pending.signal, SIGPIPE);
50402 @@ -346,6 +346,10 @@ static int validate_request(struct autofs_wait_queue **wait,
50406 +#ifdef CONFIG_GRKERNSEC_HIDESYM
50407 +static atomic_unchecked_t autofs_dummy_name_id = ATOMIC_INIT(0);
50410 int autofs4_wait(struct autofs_sb_info *sbi, struct dentry *dentry,
50411 enum autofs_notify notify)
50413 @@ -379,7 +383,12 @@ int autofs4_wait(struct autofs_sb_info *sbi, struct dentry *dentry,
50415 /* If this is a direct mount request create a dummy name */
50416 if (IS_ROOT(dentry) && autofs_type_trigger(sbi->type))
50417 +#ifdef CONFIG_GRKERNSEC_HIDESYM
50418 + /* this name does get written to userland via autofs4_write() */
50419 + qstr.len = sprintf(name, "%08x", atomic_inc_return_unchecked(&autofs_dummy_name_id));
50421 qstr.len = sprintf(name, "%p", dentry);
50424 qstr.len = autofs4_getpath(sbi, dentry, &name);
50426 diff --git a/fs/befs/endian.h b/fs/befs/endian.h
50427 index 2722387..c8dd2a7 100644
50428 --- a/fs/befs/endian.h
50429 +++ b/fs/befs/endian.h
50432 #include <asm/byteorder.h>
50435 +static inline u64 __intentional_overflow(-1)
50436 fs64_to_cpu(const struct super_block *sb, fs64 n)
50438 if (BEFS_SB(sb)->byte_order == BEFS_BYTESEX_LE)
50439 @@ -29,7 +29,7 @@ cpu_to_fs64(const struct super_block *sb, u64 n)
50440 return (__force fs64)cpu_to_be64(n);
50444 +static inline u32 __intentional_overflow(-1)
50445 fs32_to_cpu(const struct super_block *sb, fs32 n)
50447 if (BEFS_SB(sb)->byte_order == BEFS_BYTESEX_LE)
50448 diff --git a/fs/befs/linuxvfs.c b/fs/befs/linuxvfs.c
50449 index f95dddc..b1e2c1c 100644
50450 --- a/fs/befs/linuxvfs.c
50451 +++ b/fs/befs/linuxvfs.c
50452 @@ -510,7 +510,7 @@ static void befs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
50454 befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
50455 if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
50456 - char *link = nd_get_link(nd);
50457 + const char *link = nd_get_link(nd);
50461 diff --git a/fs/binfmt_aout.c b/fs/binfmt_aout.c
50462 index bce8769..7fc7544 100644
50463 --- a/fs/binfmt_aout.c
50464 +++ b/fs/binfmt_aout.c
50466 #include <linux/string.h>
50467 #include <linux/fs.h>
50468 #include <linux/file.h>
50469 +#include <linux/security.h>
50470 #include <linux/stat.h>
50471 #include <linux/fcntl.h>
50472 #include <linux/ptrace.h>
50473 @@ -59,6 +60,8 @@ static int aout_core_dump(struct coredump_params *cprm)
50475 # define START_STACK(u) ((void __user *)u.start_stack)
50477 + memset(&dump, 0, sizeof(dump));
50482 @@ -69,10 +72,12 @@ static int aout_core_dump(struct coredump_params *cprm)
50484 /* If the size of the dump file exceeds the rlimit, then see what would happen
50485 if we wrote the stack, but not the data area. */
50486 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
50487 if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > cprm->limit)
50490 /* Make sure we have enough room to write the stack and data areas. */
50491 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
50492 if ((dump.u_ssize + 1) * PAGE_SIZE > cprm->limit)
50495 @@ -233,6 +238,8 @@ static int load_aout_binary(struct linux_binprm * bprm)
50496 rlim = rlimit(RLIMIT_DATA);
50497 if (rlim >= RLIM_INFINITY)
50500 + gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
50501 if (ex.a_data + ex.a_bss > rlim)
50504 @@ -267,6 +274,27 @@ static int load_aout_binary(struct linux_binprm * bprm)
50506 install_exec_creds(bprm);
50508 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
50509 + current->mm->pax_flags = 0UL;
50512 +#ifdef CONFIG_PAX_PAGEEXEC
50513 + if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
50514 + current->mm->pax_flags |= MF_PAX_PAGEEXEC;
50516 +#ifdef CONFIG_PAX_EMUTRAMP
50517 + if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
50518 + current->mm->pax_flags |= MF_PAX_EMUTRAMP;
50521 +#ifdef CONFIG_PAX_MPROTECT
50522 + if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
50523 + current->mm->pax_flags |= MF_PAX_MPROTECT;
50529 if (N_MAGIC(ex) == OMAGIC) {
50530 unsigned long text_addr, map_size;
50532 @@ -324,7 +352,7 @@ static int load_aout_binary(struct linux_binprm * bprm)
50535 error = vm_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
50536 - PROT_READ | PROT_WRITE | PROT_EXEC,
50537 + PROT_READ | PROT_WRITE,
50538 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
50539 fd_offset + ex.a_text);
50540 if (error != N_DATADDR(ex)) {
50541 diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
50542 index f8a0b0e..6f036ed 100644
50543 --- a/fs/binfmt_elf.c
50544 +++ b/fs/binfmt_elf.c
50546 #include <linux/utsname.h>
50547 #include <linux/coredump.h>
50548 #include <linux/sched.h>
50549 +#include <linux/xattr.h>
50550 #include <asm/uaccess.h>
50551 #include <asm/param.h>
50552 #include <asm/page.h>
50553 @@ -60,6 +61,14 @@ static int elf_core_dump(struct coredump_params *cprm);
50554 #define elf_core_dump NULL
50557 +#ifdef CONFIG_PAX_MPROTECT
50558 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags);
50561 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
50562 +static void elf_handle_mmap(struct file *file);
50565 #if ELF_EXEC_PAGESIZE > PAGE_SIZE
50566 #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
50568 @@ -79,6 +88,15 @@ static struct linux_binfmt elf_format = {
50569 .load_binary = load_elf_binary,
50570 .load_shlib = load_elf_library,
50571 .core_dump = elf_core_dump,
50573 +#ifdef CONFIG_PAX_MPROTECT
50574 + .handle_mprotect= elf_handle_mprotect,
50577 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
50578 + .handle_mmap = elf_handle_mmap,
50581 .min_coredump = ELF_EXEC_PAGESIZE,
50584 @@ -86,6 +104,8 @@ static struct linux_binfmt elf_format = {
50586 static int set_brk(unsigned long start, unsigned long end)
50588 + unsigned long e = end;
50590 start = ELF_PAGEALIGN(start);
50591 end = ELF_PAGEALIGN(end);
50593 @@ -94,7 +114,7 @@ static int set_brk(unsigned long start, unsigned long end)
50594 if (BAD_ADDR(addr))
50597 - current->mm->start_brk = current->mm->brk = end;
50598 + current->mm->start_brk = current->mm->brk = e;
50602 @@ -155,12 +175,13 @@ create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec,
50603 elf_addr_t __user *u_rand_bytes;
50604 const char *k_platform = ELF_PLATFORM;
50605 const char *k_base_platform = ELF_BASE_PLATFORM;
50606 - unsigned char k_rand_bytes[16];
50607 + u32 k_rand_bytes[4];
50609 elf_addr_t *elf_info;
50611 const struct cred *cred = current_cred();
50612 struct vm_area_struct *vma;
50613 + unsigned long saved_auxv[AT_VECTOR_SIZE];
50616 * In some cases (e.g. Hyper-Threading), we want to avoid L1
50617 @@ -202,8 +223,12 @@ create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec,
50618 * Generate 16 random bytes for userspace PRNG seeding.
50620 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
50621 - u_rand_bytes = (elf_addr_t __user *)
50622 - STACK_ALLOC(p, sizeof(k_rand_bytes));
50623 + prandom_seed(k_rand_bytes[0] ^ prandom_u32());
50624 + prandom_seed(k_rand_bytes[1] ^ prandom_u32());
50625 + prandom_seed(k_rand_bytes[2] ^ prandom_u32());
50626 + prandom_seed(k_rand_bytes[3] ^ prandom_u32());
50627 + p = STACK_ROUND(p, sizeof(k_rand_bytes));
50628 + u_rand_bytes = (elf_addr_t __user *) p;
50629 if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
50632 @@ -318,9 +343,11 @@ create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec,
50634 current->mm->env_end = p;
50636 + memcpy(saved_auxv, elf_info, ei_index * sizeof(elf_addr_t));
50638 /* Put the elf_info on the stack in the right place. */
50639 sp = (elf_addr_t __user *)envp + 1;
50640 - if (copy_to_user(sp, elf_info, ei_index * sizeof(elf_addr_t)))
50641 + if (copy_to_user(sp, saved_auxv, ei_index * sizeof(elf_addr_t)))
50645 @@ -388,15 +415,14 @@ static unsigned long total_mapping_size(struct elf_phdr *cmds, int nr)
50648 static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
50649 - struct file *interpreter, unsigned long *interp_map_addr,
50650 - unsigned long no_base)
50651 + struct file *interpreter, unsigned long no_base)
50653 struct elf_phdr *elf_phdata;
50654 struct elf_phdr *eppnt;
50655 - unsigned long load_addr = 0;
50656 + unsigned long load_addr = 0, pax_task_size = TASK_SIZE;
50657 int load_addr_set = 0;
50658 unsigned long last_bss = 0, elf_bss = 0;
50659 - unsigned long error = ~0UL;
50660 + unsigned long error = -EINVAL;
50661 unsigned long total_size;
50662 int retval, i, size;
50664 @@ -442,6 +468,11 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
50668 +#ifdef CONFIG_PAX_SEGMEXEC
50669 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
50670 + pax_task_size = SEGMEXEC_TASK_SIZE;
50673 eppnt = elf_phdata;
50674 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
50675 if (eppnt->p_type == PT_LOAD) {
50676 @@ -465,8 +496,6 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
50677 map_addr = elf_map(interpreter, load_addr + vaddr,
50678 eppnt, elf_prot, elf_type, total_size);
50680 - if (!*interp_map_addr)
50681 - *interp_map_addr = map_addr;
50683 if (BAD_ADDR(map_addr))
50685 @@ -485,8 +514,8 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
50686 k = load_addr + eppnt->p_vaddr;
50688 eppnt->p_filesz > eppnt->p_memsz ||
50689 - eppnt->p_memsz > TASK_SIZE ||
50690 - TASK_SIZE - eppnt->p_memsz < k) {
50691 + eppnt->p_memsz > pax_task_size ||
50692 + pax_task_size - eppnt->p_memsz < k) {
50696 @@ -538,6 +567,315 @@ out:
50700 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
50701 +#ifdef CONFIG_PAX_SOFTMODE
50702 +static unsigned long pax_parse_pt_pax_softmode(const struct elf_phdr * const elf_phdata)
50704 + unsigned long pax_flags = 0UL;
50706 +#ifdef CONFIG_PAX_PAGEEXEC
50707 + if (elf_phdata->p_flags & PF_PAGEEXEC)
50708 + pax_flags |= MF_PAX_PAGEEXEC;
50711 +#ifdef CONFIG_PAX_SEGMEXEC
50712 + if (elf_phdata->p_flags & PF_SEGMEXEC)
50713 + pax_flags |= MF_PAX_SEGMEXEC;
50716 +#ifdef CONFIG_PAX_EMUTRAMP
50717 + if ((elf_phdata->p_flags & PF_EMUTRAMP) && (pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)))
50718 + pax_flags |= MF_PAX_EMUTRAMP;
50721 +#ifdef CONFIG_PAX_MPROTECT
50722 + if (elf_phdata->p_flags & PF_MPROTECT)
50723 + pax_flags |= MF_PAX_MPROTECT;
50726 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
50727 + if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
50728 + pax_flags |= MF_PAX_RANDMMAP;
50731 + return pax_flags;
50735 +static unsigned long pax_parse_pt_pax_hardmode(const struct elf_phdr * const elf_phdata)
50737 + unsigned long pax_flags = 0UL;
50739 +#ifdef CONFIG_PAX_PAGEEXEC
50740 + if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
50741 + pax_flags |= MF_PAX_PAGEEXEC;
50744 +#ifdef CONFIG_PAX_SEGMEXEC
50745 + if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
50746 + pax_flags |= MF_PAX_SEGMEXEC;
50749 +#ifdef CONFIG_PAX_EMUTRAMP
50750 + if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
50751 + pax_flags |= MF_PAX_EMUTRAMP;
50754 +#ifdef CONFIG_PAX_MPROTECT
50755 + if (!(elf_phdata->p_flags & PF_NOMPROTECT))
50756 + pax_flags |= MF_PAX_MPROTECT;
50759 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
50760 + if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
50761 + pax_flags |= MF_PAX_RANDMMAP;
50764 + return pax_flags;
50768 +#ifdef CONFIG_PAX_XATTR_PAX_FLAGS
50769 +#ifdef CONFIG_PAX_SOFTMODE
50770 +static unsigned long pax_parse_xattr_pax_softmode(unsigned long pax_flags_softmode)
50772 + unsigned long pax_flags = 0UL;
50774 +#ifdef CONFIG_PAX_PAGEEXEC
50775 + if (pax_flags_softmode & MF_PAX_PAGEEXEC)
50776 + pax_flags |= MF_PAX_PAGEEXEC;
50779 +#ifdef CONFIG_PAX_SEGMEXEC
50780 + if (pax_flags_softmode & MF_PAX_SEGMEXEC)
50781 + pax_flags |= MF_PAX_SEGMEXEC;
50784 +#ifdef CONFIG_PAX_EMUTRAMP
50785 + if ((pax_flags_softmode & MF_PAX_EMUTRAMP) && (pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)))
50786 + pax_flags |= MF_PAX_EMUTRAMP;
50789 +#ifdef CONFIG_PAX_MPROTECT
50790 + if (pax_flags_softmode & MF_PAX_MPROTECT)
50791 + pax_flags |= MF_PAX_MPROTECT;
50794 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
50795 + if (randomize_va_space && (pax_flags_softmode & MF_PAX_RANDMMAP))
50796 + pax_flags |= MF_PAX_RANDMMAP;
50799 + return pax_flags;
50803 +static unsigned long pax_parse_xattr_pax_hardmode(unsigned long pax_flags_hardmode)
50805 + unsigned long pax_flags = 0UL;
50807 +#ifdef CONFIG_PAX_PAGEEXEC
50808 + if (!(pax_flags_hardmode & MF_PAX_PAGEEXEC))
50809 + pax_flags |= MF_PAX_PAGEEXEC;
50812 +#ifdef CONFIG_PAX_SEGMEXEC
50813 + if (!(pax_flags_hardmode & MF_PAX_SEGMEXEC))
50814 + pax_flags |= MF_PAX_SEGMEXEC;
50817 +#ifdef CONFIG_PAX_EMUTRAMP
50818 + if (!(pax_flags_hardmode & MF_PAX_EMUTRAMP))
50819 + pax_flags |= MF_PAX_EMUTRAMP;
50822 +#ifdef CONFIG_PAX_MPROTECT
50823 + if (!(pax_flags_hardmode & MF_PAX_MPROTECT))
50824 + pax_flags |= MF_PAX_MPROTECT;
50827 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
50828 + if (randomize_va_space && !(pax_flags_hardmode & MF_PAX_RANDMMAP))
50829 + pax_flags |= MF_PAX_RANDMMAP;
50832 + return pax_flags;
50836 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
50837 +static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
50839 + unsigned long pax_flags = 0UL;
50841 +#ifdef CONFIG_PAX_EI_PAX
50843 +#ifdef CONFIG_PAX_PAGEEXEC
50844 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
50845 + pax_flags |= MF_PAX_PAGEEXEC;
50848 +#ifdef CONFIG_PAX_SEGMEXEC
50849 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
50850 + pax_flags |= MF_PAX_SEGMEXEC;
50853 +#ifdef CONFIG_PAX_EMUTRAMP
50854 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
50855 + pax_flags |= MF_PAX_EMUTRAMP;
50858 +#ifdef CONFIG_PAX_MPROTECT
50859 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
50860 + pax_flags |= MF_PAX_MPROTECT;
50863 +#ifdef CONFIG_PAX_ASLR
50864 + if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
50865 + pax_flags |= MF_PAX_RANDMMAP;
50870 +#ifdef CONFIG_PAX_PAGEEXEC
50871 + pax_flags |= MF_PAX_PAGEEXEC;
50874 +#ifdef CONFIG_PAX_SEGMEXEC
50875 + pax_flags |= MF_PAX_SEGMEXEC;
50878 +#ifdef CONFIG_PAX_MPROTECT
50879 + pax_flags |= MF_PAX_MPROTECT;
50882 +#ifdef CONFIG_PAX_RANDMMAP
50883 + if (randomize_va_space)
50884 + pax_flags |= MF_PAX_RANDMMAP;
50889 + return pax_flags;
50892 +static unsigned long pax_parse_pt_pax(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
50895 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
50898 + for (i = 0UL; i < elf_ex->e_phnum; i++)
50899 + if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
50900 + if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
50901 + ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
50902 + ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
50903 + ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
50904 + ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
50907 +#ifdef CONFIG_PAX_SOFTMODE
50908 + if (pax_softmode)
50909 + return pax_parse_pt_pax_softmode(&elf_phdata[i]);
50913 + return pax_parse_pt_pax_hardmode(&elf_phdata[i]);
50921 +static unsigned long pax_parse_xattr_pax(struct file * const file)
50924 +#ifdef CONFIG_PAX_XATTR_PAX_FLAGS
50925 + ssize_t xattr_size, i;
50926 + unsigned char xattr_value[sizeof("pemrs") - 1];
50927 + unsigned long pax_flags_hardmode = 0UL, pax_flags_softmode = 0UL;
50929 + xattr_size = pax_getxattr(file->f_path.dentry, xattr_value, sizeof xattr_value);
50930 + if (xattr_size <= 0 || xattr_size > sizeof xattr_value)
50933 + for (i = 0; i < xattr_size; i++)
50934 + switch (xattr_value[i]) {
50938 +#define parse_flag(option1, option2, flag) \
50940 + if (pax_flags_hardmode & MF_PAX_##flag) \
50942 + pax_flags_hardmode |= MF_PAX_##flag; \
50945 + if (pax_flags_softmode & MF_PAX_##flag) \
50947 + pax_flags_softmode |= MF_PAX_##flag; \
50950 + parse_flag('p', 'P', PAGEEXEC);
50951 + parse_flag('e', 'E', EMUTRAMP);
50952 + parse_flag('m', 'M', MPROTECT);
50953 + parse_flag('r', 'R', RANDMMAP);
50954 + parse_flag('s', 'S', SEGMEXEC);
50959 + if (pax_flags_hardmode & pax_flags_softmode)
50962 +#ifdef CONFIG_PAX_SOFTMODE
50963 + if (pax_softmode)
50964 + return pax_parse_xattr_pax_softmode(pax_flags_softmode);
50968 + return pax_parse_xattr_pax_hardmode(pax_flags_hardmode);
50975 +static long pax_parse_pax_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata, struct file * const file)
50977 + unsigned long pax_flags, pt_pax_flags, xattr_pax_flags;
50979 + pax_flags = pax_parse_ei_pax(elf_ex);
50980 + pt_pax_flags = pax_parse_pt_pax(elf_ex, elf_phdata);
50981 + xattr_pax_flags = pax_parse_xattr_pax(file);
50983 + if (pt_pax_flags == ~0UL)
50984 + pt_pax_flags = xattr_pax_flags;
50985 + else if (xattr_pax_flags == ~0UL)
50986 + xattr_pax_flags = pt_pax_flags;
50987 + if (pt_pax_flags != xattr_pax_flags)
50989 + if (pt_pax_flags != ~0UL)
50990 + pax_flags = pt_pax_flags;
50992 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
50993 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
50994 + if ((__supported_pte_mask & _PAGE_NX))
50995 + pax_flags &= ~MF_PAX_SEGMEXEC;
50997 + pax_flags &= ~MF_PAX_PAGEEXEC;
51001 + if (0 > pax_check_flags(&pax_flags))
51004 + current->mm->pax_flags = pax_flags;
51010 * These are the functions used to load ELF style executables and shared
51011 * libraries. There is no binary dependent code anywhere else.
51012 @@ -554,6 +892,11 @@ static unsigned long randomize_stack_top(unsigned long stack_top)
51014 unsigned int random_variable = 0;
51016 +#ifdef CONFIG_PAX_RANDUSTACK
51017 + if (current->mm->pax_flags & MF_PAX_RANDMMAP)
51018 + return stack_top - current->mm->delta_stack;
51021 if ((current->flags & PF_RANDOMIZE) &&
51022 !(current->personality & ADDR_NO_RANDOMIZE)) {
51023 random_variable = get_random_int() & STACK_RND_MASK;
51024 @@ -572,7 +915,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
51025 unsigned long load_addr = 0, load_bias = 0;
51026 int load_addr_set = 0;
51027 char * elf_interpreter = NULL;
51028 - unsigned long error;
51029 + unsigned long error = 0;
51030 struct elf_phdr *elf_ppnt, *elf_phdata;
51031 unsigned long elf_bss, elf_brk;
51033 @@ -582,12 +925,12 @@ static int load_elf_binary(struct linux_binprm *bprm)
51034 unsigned long start_code, end_code, start_data, end_data;
51035 unsigned long reloc_func_desc __maybe_unused = 0;
51036 int executable_stack = EXSTACK_DEFAULT;
51037 - unsigned long def_flags = 0;
51038 struct pt_regs *regs = current_pt_regs();
51040 struct elfhdr elf_ex;
51041 struct elfhdr interp_elf_ex;
51043 + unsigned long pax_task_size = TASK_SIZE;
51045 loc = kmalloc(sizeof(*loc), GFP_KERNEL);
51047 @@ -723,11 +1066,81 @@ static int load_elf_binary(struct linux_binprm *bprm)
51048 goto out_free_dentry;
51050 /* OK, This is the point of no return */
51051 - current->mm->def_flags = def_flags;
51053 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
51054 + current->mm->pax_flags = 0UL;
51057 +#ifdef CONFIG_PAX_DLRESOLVE
51058 + current->mm->call_dl_resolve = 0UL;
51061 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
51062 + current->mm->call_syscall = 0UL;
51065 +#ifdef CONFIG_PAX_ASLR
51066 + current->mm->delta_mmap = 0UL;
51067 + current->mm->delta_stack = 0UL;
51070 + current->mm->def_flags = 0;
51072 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
51073 + if (0 > pax_parse_pax_flags(&loc->elf_ex, elf_phdata, bprm->file)) {
51074 + send_sig(SIGKILL, current, 0);
51075 + goto out_free_dentry;
51079 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
51080 + pax_set_initial_flags(bprm);
51081 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
51082 + if (pax_set_initial_flags_func)
51083 + (pax_set_initial_flags_func)(bprm);
51086 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
51087 + if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !(__supported_pte_mask & _PAGE_NX)) {
51088 + current->mm->context.user_cs_limit = PAGE_SIZE;
51089 + current->mm->def_flags |= VM_PAGEEXEC | VM_NOHUGEPAGE;
51093 +#ifdef CONFIG_PAX_SEGMEXEC
51094 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
51095 + current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
51096 + current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
51097 + pax_task_size = SEGMEXEC_TASK_SIZE;
51098 + current->mm->def_flags |= VM_NOHUGEPAGE;
51102 +#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
51103 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
51104 + set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
51109 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
51110 may depend on the personality. */
51111 SET_PERSONALITY(loc->elf_ex);
51113 +#ifdef CONFIG_PAX_ASLR
51114 + if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
51115 + current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
51116 + current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
51120 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
51121 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
51122 + executable_stack = EXSTACK_DISABLE_X;
51123 + current->personality &= ~READ_IMPLIES_EXEC;
51127 if (elf_read_implies_exec(loc->elf_ex, executable_stack))
51128 current->personality |= READ_IMPLIES_EXEC;
51130 @@ -819,6 +1232,20 @@ static int load_elf_binary(struct linux_binprm *bprm)
51132 load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
51135 +#ifdef CONFIG_PAX_RANDMMAP
51136 + /* PaX: randomize base address at the default exe base if requested */
51137 + if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
51138 +#ifdef CONFIG_SPARC64
51139 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
51141 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
51143 + load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
51144 + elf_flags |= MAP_FIXED;
51150 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
51151 @@ -851,9 +1278,9 @@ static int load_elf_binary(struct linux_binprm *bprm)
51152 * allowed task size. Note that p_filesz must always be
51153 * <= p_memsz so it is only necessary to check p_memsz.
51155 - if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
51156 - elf_ppnt->p_memsz > TASK_SIZE ||
51157 - TASK_SIZE - elf_ppnt->p_memsz < k) {
51158 + if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
51159 + elf_ppnt->p_memsz > pax_task_size ||
51160 + pax_task_size - elf_ppnt->p_memsz < k) {
51161 /* set_brk can never work. Avoid overflows. */
51162 send_sig(SIGKILL, current, 0);
51164 @@ -892,17 +1319,45 @@ static int load_elf_binary(struct linux_binprm *bprm)
51165 goto out_free_dentry;
51167 if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
51168 - send_sig(SIGSEGV, current, 0);
51169 - retval = -EFAULT; /* Nobody gets to see this, but.. */
51170 - goto out_free_dentry;
51172 + * This bss-zeroing can fail if the ELF
51173 + * file specifies odd protections. So
51174 + * we don't check the return value
51178 +#ifdef CONFIG_PAX_RANDMMAP
51179 + if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
51180 + unsigned long start, size, flags;
51181 + vm_flags_t vm_flags;
51183 + start = ELF_PAGEALIGN(elf_brk);
51184 + size = PAGE_SIZE + ((pax_get_random_long() & ((1UL << 22) - 1UL)) << 4);
51185 + flags = MAP_FIXED | MAP_PRIVATE;
51186 + vm_flags = VM_DONTEXPAND | VM_DONTDUMP;
51188 + down_write(¤t->mm->mmap_sem);
51189 + start = get_unmapped_area(NULL, start, PAGE_ALIGN(size), 0, flags);
51190 + retval = -ENOMEM;
51191 + if (!IS_ERR_VALUE(start) && !find_vma_intersection(current->mm, start, start + size + PAGE_SIZE)) {
51192 +// if (current->personality & ADDR_NO_RANDOMIZE)
51193 +// vm_flags |= VM_READ | VM_MAYREAD;
51194 + start = mmap_region(NULL, start, PAGE_ALIGN(size), vm_flags, 0);
51195 + retval = IS_ERR_VALUE(start) ? start : 0;
51197 + up_write(¤t->mm->mmap_sem);
51199 + retval = set_brk(start + size, start + size + PAGE_SIZE);
51200 + if (retval < 0) {
51201 + send_sig(SIGKILL, current, 0);
51202 + goto out_free_dentry;
51207 if (elf_interpreter) {
51208 - unsigned long interp_map_addr = 0;
51210 elf_entry = load_elf_interp(&loc->interp_elf_ex,
51212 - &interp_map_addr,
51214 if (!IS_ERR((void *)elf_entry)) {
51216 @@ -1124,7 +1579,7 @@ static bool always_dump_vma(struct vm_area_struct *vma)
51217 * Decide what to dump of a segment, part, all or none.
51219 static unsigned long vma_dump_size(struct vm_area_struct *vma,
51220 - unsigned long mm_flags)
51221 + unsigned long mm_flags, long signr)
51223 #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
51225 @@ -1162,7 +1617,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma,
51226 if (vma->vm_file == NULL)
51229 - if (FILTER(MAPPED_PRIVATE))
51230 + if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
51234 @@ -1387,9 +1842,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
51236 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
51241 - while (auxv[i - 2] != AT_NULL);
51242 + } while (auxv[i - 2] != AT_NULL);
51243 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
51246 @@ -1398,7 +1853,7 @@ static void fill_siginfo_note(struct memelfnote *note, user_siginfo_t *csigdata,
51248 mm_segment_t old_fs = get_fs();
51250 - copy_siginfo_to_user((user_siginfo_t __user *) csigdata, siginfo);
51251 + copy_siginfo_to_user((user_siginfo_t __force_user *) csigdata, siginfo);
51253 fill_note(note, "CORE", NT_SIGINFO, sizeof(*csigdata), csigdata);
51255 @@ -2019,14 +2474,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum,
51258 static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma,
51259 - unsigned long mm_flags)
51260 + struct coredump_params *cprm)
51262 struct vm_area_struct *vma;
51265 for (vma = first_vma(current, gate_vma); vma != NULL;
51266 vma = next_vma(vma, gate_vma))
51267 - size += vma_dump_size(vma, mm_flags);
51268 + size += vma_dump_size(vma, cprm->mm_flags, cprm->siginfo->si_signo);
51272 @@ -2119,7 +2574,7 @@ static int elf_core_dump(struct coredump_params *cprm)
51274 dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
51276 - offset += elf_core_vma_data_size(gate_vma, cprm->mm_flags);
51277 + offset += elf_core_vma_data_size(gate_vma, cprm);
51278 offset += elf_core_extra_data_size();
51281 @@ -2133,10 +2588,12 @@ static int elf_core_dump(struct coredump_params *cprm)
51284 size += sizeof(*elf);
51285 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
51286 if (size > cprm->limit || !dump_write(cprm->file, elf, sizeof(*elf)))
51289 size += sizeof(*phdr4note);
51290 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
51291 if (size > cprm->limit
51292 || !dump_write(cprm->file, phdr4note, sizeof(*phdr4note)))
51294 @@ -2150,7 +2607,7 @@ static int elf_core_dump(struct coredump_params *cprm)
51295 phdr.p_offset = offset;
51296 phdr.p_vaddr = vma->vm_start;
51298 - phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags);
51299 + phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags, cprm->siginfo->si_signo);
51300 phdr.p_memsz = vma->vm_end - vma->vm_start;
51301 offset += phdr.p_filesz;
51302 phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
51303 @@ -2161,6 +2618,7 @@ static int elf_core_dump(struct coredump_params *cprm)
51304 phdr.p_align = ELF_EXEC_PAGESIZE;
51306 size += sizeof(phdr);
51307 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
51308 if (size > cprm->limit
51309 || !dump_write(cprm->file, &phdr, sizeof(phdr)))
51311 @@ -2185,7 +2643,7 @@ static int elf_core_dump(struct coredump_params *cprm)
51312 unsigned long addr;
51315 - end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags);
51316 + end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags, cprm->siginfo->si_signo);
51318 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
51320 @@ -2194,6 +2652,7 @@ static int elf_core_dump(struct coredump_params *cprm)
51321 page = get_dump_page(addr);
51323 void *kaddr = kmap(page);
51324 + gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
51325 stop = ((size += PAGE_SIZE) > cprm->limit) ||
51326 !dump_write(cprm->file, kaddr,
51328 @@ -2211,6 +2670,7 @@ static int elf_core_dump(struct coredump_params *cprm)
51330 if (e_phnum == PN_XNUM) {
51331 size += sizeof(*shdr4extnum);
51332 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
51333 if (size > cprm->limit
51334 || !dump_write(cprm->file, shdr4extnum,
51335 sizeof(*shdr4extnum)))
51336 @@ -2231,6 +2691,167 @@ out:
51338 #endif /* CONFIG_ELF_CORE */
51340 +#ifdef CONFIG_PAX_MPROTECT
51341 +/* PaX: non-PIC ELF libraries need relocations on their executable segments
51342 + * therefore we'll grant them VM_MAYWRITE once during their life. Similarly
51343 + * we'll remove VM_MAYWRITE for good on RELRO segments.
51345 + * The checks favour ld-linux.so behaviour which operates on a per ELF segment
51346 + * basis because we want to allow the common case and not the special ones.
51348 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags)
51350 + struct elfhdr elf_h;
51351 + struct elf_phdr elf_p;
51353 + unsigned long oldflags;
51354 + bool is_textrel_rw, is_textrel_rx, is_relro;
51356 + if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT) || !vma->vm_file)
51359 + oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);
51360 + newflags &= VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ;
51362 +#ifdef CONFIG_PAX_ELFRELOCS
51363 + /* possible TEXTREL */
51364 + is_textrel_rw = !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ);
51365 + is_textrel_rx = vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ);
51367 + is_textrel_rw = false;
51368 + is_textrel_rx = false;
51371 + /* possible RELRO */
51372 + is_relro = vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ);
51374 + if (!is_textrel_rw && !is_textrel_rx && !is_relro)
51377 + if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
51378 + memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
51380 +#ifdef CONFIG_PAX_ETEXECRELOCS
51381 + ((is_textrel_rw || is_textrel_rx) && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
51383 + ((is_textrel_rw || is_textrel_rx) && elf_h.e_type != ET_DYN) ||
51386 + (is_relro && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
51387 + !elf_check_arch(&elf_h) ||
51388 + elf_h.e_phentsize != sizeof(struct elf_phdr) ||
51389 + elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
51392 + for (i = 0UL; i < elf_h.e_phnum; i++) {
51393 + if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
51395 + switch (elf_p.p_type) {
51397 + if (!is_textrel_rw && !is_textrel_rx)
51400 + while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
51403 + if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
51405 + if (dyn.d_tag == DT_NULL)
51407 + if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
51408 + gr_log_textrel(vma);
51409 + if (is_textrel_rw)
51410 + vma->vm_flags |= VM_MAYWRITE;
51412 + /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
51413 + vma->vm_flags &= ~VM_MAYWRITE;
51418 + is_textrel_rw = false;
51419 + is_textrel_rx = false;
51422 + case PT_GNU_RELRO:
51425 + if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start)
51426 + vma->vm_flags &= ~VM_MAYWRITE;
51427 + is_relro = false;
51430 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
51431 + case PT_PAX_FLAGS: {
51432 + const char *msg_mprotect = "", *msg_emutramp = "";
51433 + char *buffer_lib, *buffer_exe;
51435 + if (elf_p.p_flags & PF_NOMPROTECT)
51436 + msg_mprotect = "MPROTECT disabled";
51438 +#ifdef CONFIG_PAX_EMUTRAMP
51439 + if (!(vma->vm_mm->pax_flags & MF_PAX_EMUTRAMP) && !(elf_p.p_flags & PF_NOEMUTRAMP))
51440 + msg_emutramp = "EMUTRAMP enabled";
51443 + if (!msg_mprotect[0] && !msg_emutramp[0])
51446 + if (!printk_ratelimit())
51449 + buffer_lib = (char *)__get_free_page(GFP_KERNEL);
51450 + buffer_exe = (char *)__get_free_page(GFP_KERNEL);
51451 + if (buffer_lib && buffer_exe) {
51452 + char *path_lib, *path_exe;
51454 + path_lib = pax_get_path(&vma->vm_file->f_path, buffer_lib, PAGE_SIZE);
51455 + path_exe = pax_get_path(&vma->vm_mm->exe_file->f_path, buffer_exe, PAGE_SIZE);
51457 + pr_info("PAX: %s wants %s%s%s on %s\n", path_lib, msg_mprotect,
51458 + (msg_mprotect[0] && msg_emutramp[0] ? " and " : ""), msg_emutramp, path_exe);
51461 + free_page((unsigned long)buffer_exe);
51462 + free_page((unsigned long)buffer_lib);
51472 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
51474 +extern int grsec_enable_log_rwxmaps;
51476 +static void elf_handle_mmap(struct file *file)
51478 + struct elfhdr elf_h;
51479 + struct elf_phdr elf_p;
51482 + if (!grsec_enable_log_rwxmaps)
51485 + if (sizeof(elf_h) != kernel_read(file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
51486 + memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
51487 + (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC) || !elf_check_arch(&elf_h) ||
51488 + elf_h.e_phentsize != sizeof(struct elf_phdr) ||
51489 + elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
51492 + for (i = 0UL; i < elf_h.e_phnum; i++) {
51493 + if (sizeof(elf_p) != kernel_read(file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
51495 + if (elf_p.p_type == PT_GNU_STACK && (elf_p.p_flags & PF_X))
51496 + gr_log_ptgnustack(file);
51501 static int __init init_elf_binfmt(void)
51503 register_binfmt(&elf_format);
51504 diff --git a/fs/binfmt_flat.c b/fs/binfmt_flat.c
51505 index d50bbe5..af3b649 100644
51506 --- a/fs/binfmt_flat.c
51507 +++ b/fs/binfmt_flat.c
51508 @@ -566,7 +566,9 @@ static int load_flat_file(struct linux_binprm * bprm,
51509 realdatastart = (unsigned long) -ENOMEM;
51510 printk("Unable to allocate RAM for process data, errno %d\n",
51511 (int)-realdatastart);
51512 + down_write(¤t->mm->mmap_sem);
51513 vm_munmap(textpos, text_len);
51514 + up_write(¤t->mm->mmap_sem);
51515 ret = realdatastart;
51518 @@ -590,8 +592,10 @@ static int load_flat_file(struct linux_binprm * bprm,
51520 if (IS_ERR_VALUE(result)) {
51521 printk("Unable to read data+bss, errno %d\n", (int)-result);
51522 + down_write(¤t->mm->mmap_sem);
51523 vm_munmap(textpos, text_len);
51524 vm_munmap(realdatastart, len);
51525 + up_write(¤t->mm->mmap_sem);
51529 @@ -653,8 +657,10 @@ static int load_flat_file(struct linux_binprm * bprm,
51531 if (IS_ERR_VALUE(result)) {
51532 printk("Unable to read code+data+bss, errno %d\n",(int)-result);
51533 + down_write(¤t->mm->mmap_sem);
51534 vm_munmap(textpos, text_len + data_len + extra +
51535 MAX_SHARED_LIBS * sizeof(unsigned long));
51536 + up_write(¤t->mm->mmap_sem);
51540 diff --git a/fs/bio.c b/fs/bio.c
51541 index 94bbc04..6fe78a4 100644
51544 @@ -1096,7 +1096,7 @@ struct bio *bio_copy_user_iov(struct request_queue *q,
51549 + if (end < start || end - start > INT_MAX - nr_pages)
51550 return ERR_PTR(-EINVAL);
51552 nr_pages += end - start;
51553 @@ -1230,7 +1230,7 @@ static struct bio *__bio_map_user_iov(struct request_queue *q,
51558 + if (end < start || end - start > INT_MAX - nr_pages)
51559 return ERR_PTR(-EINVAL);
51561 nr_pages += end - start;
51562 @@ -1492,7 +1492,7 @@ static void bio_copy_kern_endio(struct bio *bio, int err)
51563 const int read = bio_data_dir(bio) == READ;
51564 struct bio_map_data *bmd = bio->bi_private;
51566 - char *p = bmd->sgvecs[0].iov_base;
51567 + char *p = (char __force_kernel *)bmd->sgvecs[0].iov_base;
51569 bio_for_each_segment_all(bvec, bio, i) {
51570 char *addr = page_address(bvec->bv_page);
51571 diff --git a/fs/block_dev.c b/fs/block_dev.c
51572 index 85f5c85..d6f0b1a 100644
51573 --- a/fs/block_dev.c
51574 +++ b/fs/block_dev.c
51575 @@ -658,7 +658,7 @@ static bool bd_may_claim(struct block_device *bdev, struct block_device *whole,
51576 else if (bdev->bd_contains == bdev)
51577 return true; /* is a whole device which isn't held */
51579 - else if (whole->bd_holder == bd_may_claim)
51580 + else if (whole->bd_holder == (void *)bd_may_claim)
51581 return true; /* is a partition of a device that is being partitioned */
51582 else if (whole->bd_holder != NULL)
51583 return false; /* is a partition of a held device */
51584 diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
51585 index 7fb054b..ad36c67 100644
51586 --- a/fs/btrfs/ctree.c
51587 +++ b/fs/btrfs/ctree.c
51588 @@ -1076,9 +1076,12 @@ static noinline int __btrfs_cow_block(struct btrfs_trans_handle *trans,
51589 free_extent_buffer(buf);
51590 add_root_to_dirty_list(root);
51592 - if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID)
51593 - parent_start = parent->start;
51595 + if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID) {
51597 + parent_start = parent->start;
51599 + parent_start = 0;
51603 WARN_ON(trans->transid != btrfs_header_generation(parent));
51604 diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
51605 index 0f81d67..0ad55fe 100644
51606 --- a/fs/btrfs/ioctl.c
51607 +++ b/fs/btrfs/ioctl.c
51608 @@ -3084,9 +3084,12 @@ static long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg)
51609 for (i = 0; i < num_types; i++) {
51610 struct btrfs_space_info *tmp;
51612 + /* Don't copy in more than we allocated */
51620 list_for_each_entry_rcu(tmp, &root->fs_info->space_info,
51621 @@ -3108,10 +3111,7 @@ static long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg)
51622 memcpy(dest, &space, sizeof(space));
51624 space_args.total_spaces++;
51630 up_read(&info->groups_sem);
51632 diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
51633 index f0857e0..e7023c5 100644
51634 --- a/fs/btrfs/super.c
51635 +++ b/fs/btrfs/super.c
51636 @@ -265,7 +265,7 @@ void __btrfs_abort_transaction(struct btrfs_trans_handle *trans,
51637 function, line, errstr);
51640 - ACCESS_ONCE(trans->transaction->aborted) = errno;
51641 + ACCESS_ONCE_RW(trans->transaction->aborted) = errno;
51642 __btrfs_std_error(root->fs_info, function, line, errno, NULL);
51645 diff --git a/fs/buffer.c b/fs/buffer.c
51646 index d2a4d1b..df798ca 100644
51649 @@ -3367,7 +3367,7 @@ void __init buffer_init(void)
51650 bh_cachep = kmem_cache_create("buffer_head",
51651 sizeof(struct buffer_head), 0,
51652 (SLAB_RECLAIM_ACCOUNT|SLAB_PANIC|
51653 - SLAB_MEM_SPREAD),
51654 + SLAB_MEM_SPREAD|SLAB_NO_SANITIZE),
51658 diff --git a/fs/cachefiles/bind.c b/fs/cachefiles/bind.c
51659 index 622f469..e8d2d55 100644
51660 --- a/fs/cachefiles/bind.c
51661 +++ b/fs/cachefiles/bind.c
51662 @@ -39,13 +39,11 @@ int cachefiles_daemon_bind(struct cachefiles_cache *cache, char *args)
51665 /* start by checking things over */
51666 - ASSERT(cache->fstop_percent >= 0 &&
51667 - cache->fstop_percent < cache->fcull_percent &&
51668 + ASSERT(cache->fstop_percent < cache->fcull_percent &&
51669 cache->fcull_percent < cache->frun_percent &&
51670 cache->frun_percent < 100);
51672 - ASSERT(cache->bstop_percent >= 0 &&
51673 - cache->bstop_percent < cache->bcull_percent &&
51674 + ASSERT(cache->bstop_percent < cache->bcull_percent &&
51675 cache->bcull_percent < cache->brun_percent &&
51676 cache->brun_percent < 100);
51678 diff --git a/fs/cachefiles/daemon.c b/fs/cachefiles/daemon.c
51679 index 0a1467b..6a53245 100644
51680 --- a/fs/cachefiles/daemon.c
51681 +++ b/fs/cachefiles/daemon.c
51682 @@ -196,7 +196,7 @@ static ssize_t cachefiles_daemon_read(struct file *file, char __user *_buffer,
51686 - if (copy_to_user(_buffer, buffer, n) != 0)
51687 + if (n > sizeof(buffer) || copy_to_user(_buffer, buffer, n) != 0)
51691 @@ -222,7 +222,7 @@ static ssize_t cachefiles_daemon_write(struct file *file,
51692 if (test_bit(CACHEFILES_DEAD, &cache->flags))
51695 - if (datalen < 0 || datalen > PAGE_SIZE - 1)
51696 + if (datalen > PAGE_SIZE - 1)
51697 return -EOPNOTSUPP;
51699 /* drag the command string into the kernel so we can parse it */
51700 @@ -386,7 +386,7 @@ static int cachefiles_daemon_fstop(struct cachefiles_cache *cache, char *args)
51701 if (args[0] != '%' || args[1] != '\0')
51704 - if (fstop < 0 || fstop >= cache->fcull_percent)
51705 + if (fstop >= cache->fcull_percent)
51706 return cachefiles_daemon_range_error(cache, args);
51708 cache->fstop_percent = fstop;
51709 @@ -458,7 +458,7 @@ static int cachefiles_daemon_bstop(struct cachefiles_cache *cache, char *args)
51710 if (args[0] != '%' || args[1] != '\0')
51713 - if (bstop < 0 || bstop >= cache->bcull_percent)
51714 + if (bstop >= cache->bcull_percent)
51715 return cachefiles_daemon_range_error(cache, args);
51717 cache->bstop_percent = bstop;
51718 diff --git a/fs/cachefiles/internal.h b/fs/cachefiles/internal.h
51719 index 4938251..7e01445 100644
51720 --- a/fs/cachefiles/internal.h
51721 +++ b/fs/cachefiles/internal.h
51722 @@ -59,7 +59,7 @@ struct cachefiles_cache {
51723 wait_queue_head_t daemon_pollwq; /* poll waitqueue for daemon */
51724 struct rb_root active_nodes; /* active nodes (can't be culled) */
51725 rwlock_t active_lock; /* lock for active_nodes */
51726 - atomic_t gravecounter; /* graveyard uniquifier */
51727 + atomic_unchecked_t gravecounter; /* graveyard uniquifier */
51728 unsigned frun_percent; /* when to stop culling (% files) */
51729 unsigned fcull_percent; /* when to start culling (% files) */
51730 unsigned fstop_percent; /* when to stop allocating (% files) */
51731 @@ -171,19 +171,19 @@ extern int cachefiles_check_in_use(struct cachefiles_cache *cache,
51734 #ifdef CONFIG_CACHEFILES_HISTOGRAM
51735 -extern atomic_t cachefiles_lookup_histogram[HZ];
51736 -extern atomic_t cachefiles_mkdir_histogram[HZ];
51737 -extern atomic_t cachefiles_create_histogram[HZ];
51738 +extern atomic_unchecked_t cachefiles_lookup_histogram[HZ];
51739 +extern atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
51740 +extern atomic_unchecked_t cachefiles_create_histogram[HZ];
51742 extern int __init cachefiles_proc_init(void);
51743 extern void cachefiles_proc_cleanup(void);
51745 -void cachefiles_hist(atomic_t histogram[], unsigned long start_jif)
51746 +void cachefiles_hist(atomic_unchecked_t histogram[], unsigned long start_jif)
51748 unsigned long jif = jiffies - start_jif;
51751 - atomic_inc(&histogram[jif]);
51752 + atomic_inc_unchecked(&histogram[jif]);
51756 diff --git a/fs/cachefiles/namei.c b/fs/cachefiles/namei.c
51757 index 8c01c5fc..15f982e 100644
51758 --- a/fs/cachefiles/namei.c
51759 +++ b/fs/cachefiles/namei.c
51760 @@ -317,7 +317,7 @@ try_again:
51761 /* first step is to make up a grave dentry in the graveyard */
51762 sprintf(nbuffer, "%08x%08x",
51763 (uint32_t) get_seconds(),
51764 - (uint32_t) atomic_inc_return(&cache->gravecounter));
51765 + (uint32_t) atomic_inc_return_unchecked(&cache->gravecounter));
51767 /* do the multiway lock magic */
51768 trap = lock_rename(cache->graveyard, dir);
51769 diff --git a/fs/cachefiles/proc.c b/fs/cachefiles/proc.c
51770 index eccd339..4c1d995 100644
51771 --- a/fs/cachefiles/proc.c
51772 +++ b/fs/cachefiles/proc.c
51774 #include <linux/seq_file.h>
51775 #include "internal.h"
51777 -atomic_t cachefiles_lookup_histogram[HZ];
51778 -atomic_t cachefiles_mkdir_histogram[HZ];
51779 -atomic_t cachefiles_create_histogram[HZ];
51780 +atomic_unchecked_t cachefiles_lookup_histogram[HZ];
51781 +atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
51782 +atomic_unchecked_t cachefiles_create_histogram[HZ];
51785 * display the latency histogram
51786 @@ -35,9 +35,9 @@ static int cachefiles_histogram_show(struct seq_file *m, void *v)
51789 index = (unsigned long) v - 3;
51790 - x = atomic_read(&cachefiles_lookup_histogram[index]);
51791 - y = atomic_read(&cachefiles_mkdir_histogram[index]);
51792 - z = atomic_read(&cachefiles_create_histogram[index]);
51793 + x = atomic_read_unchecked(&cachefiles_lookup_histogram[index]);
51794 + y = atomic_read_unchecked(&cachefiles_mkdir_histogram[index]);
51795 + z = atomic_read_unchecked(&cachefiles_create_histogram[index]);
51796 if (x == 0 && y == 0 && z == 0)
51799 diff --git a/fs/cachefiles/rdwr.c b/fs/cachefiles/rdwr.c
51800 index 317f9ee..3d24511 100644
51801 --- a/fs/cachefiles/rdwr.c
51802 +++ b/fs/cachefiles/rdwr.c
51803 @@ -966,7 +966,7 @@ int cachefiles_write_page(struct fscache_storage *op, struct page *page)
51806 ret = file->f_op->write(
51807 - file, (const void __user *) data, len, &pos);
51808 + file, (const void __force_user *) data, len, &pos);
51811 file_end_write(file);
51812 diff --git a/fs/ceph/dir.c b/fs/ceph/dir.c
51813 index f02d82b..2632cf86 100644
51814 --- a/fs/ceph/dir.c
51815 +++ b/fs/ceph/dir.c
51816 @@ -243,7 +243,7 @@ static int ceph_readdir(struct file *filp, void *dirent, filldir_t filldir)
51817 struct ceph_fs_client *fsc = ceph_inode_to_client(inode);
51818 struct ceph_mds_client *mdsc = fsc->mdsc;
51819 unsigned frag = fpos_frag(filp->f_pos);
51820 - int off = fpos_off(filp->f_pos);
51821 + unsigned int off = fpos_off(filp->f_pos);
51824 struct ceph_mds_reply_info_parsed *rinfo;
51825 diff --git a/fs/ceph/super.c b/fs/ceph/super.c
51826 index 7d377c9..3fb6559 100644
51827 --- a/fs/ceph/super.c
51828 +++ b/fs/ceph/super.c
51829 @@ -839,7 +839,7 @@ static int ceph_compare_super(struct super_block *sb, void *data)
51831 * construct our own bdi so we can control readahead, etc.
51833 -static atomic_long_t bdi_seq = ATOMIC_LONG_INIT(0);
51834 +static atomic_long_unchecked_t bdi_seq = ATOMIC_LONG_INIT(0);
51836 static int ceph_register_bdi(struct super_block *sb,
51837 struct ceph_fs_client *fsc)
51838 @@ -856,7 +856,7 @@ static int ceph_register_bdi(struct super_block *sb,
51839 default_backing_dev_info.ra_pages;
51841 err = bdi_register(&fsc->backing_dev_info, NULL, "ceph-%ld",
51842 - atomic_long_inc_return(&bdi_seq));
51843 + atomic_long_inc_return_unchecked(&bdi_seq));
51845 sb->s_bdi = &fsc->backing_dev_info;
51847 diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c
51848 index d597483..747901b 100644
51849 --- a/fs/cifs/cifs_debug.c
51850 +++ b/fs/cifs/cifs_debug.c
51851 @@ -284,8 +284,8 @@ static ssize_t cifs_stats_proc_write(struct file *file,
51853 if (c == '1' || c == 'y' || c == 'Y' || c == '0') {
51854 #ifdef CONFIG_CIFS_STATS2
51855 - atomic_set(&totBufAllocCount, 0);
51856 - atomic_set(&totSmBufAllocCount, 0);
51857 + atomic_set_unchecked(&totBufAllocCount, 0);
51858 + atomic_set_unchecked(&totSmBufAllocCount, 0);
51859 #endif /* CONFIG_CIFS_STATS2 */
51860 spin_lock(&cifs_tcp_ses_lock);
51861 list_for_each(tmp1, &cifs_tcp_ses_list) {
51862 @@ -298,7 +298,7 @@ static ssize_t cifs_stats_proc_write(struct file *file,
51863 tcon = list_entry(tmp3,
51866 - atomic_set(&tcon->num_smbs_sent, 0);
51867 + atomic_set_unchecked(&tcon->num_smbs_sent, 0);
51868 if (server->ops->clear_stats)
51869 server->ops->clear_stats(tcon);
51871 @@ -330,8 +330,8 @@ static int cifs_stats_proc_show(struct seq_file *m, void *v)
51872 smBufAllocCount.counter, cifs_min_small);
51873 #ifdef CONFIG_CIFS_STATS2
51874 seq_printf(m, "Total Large %d Small %d Allocations\n",
51875 - atomic_read(&totBufAllocCount),
51876 - atomic_read(&totSmBufAllocCount));
51877 + atomic_read_unchecked(&totBufAllocCount),
51878 + atomic_read_unchecked(&totSmBufAllocCount));
51879 #endif /* CONFIG_CIFS_STATS2 */
51881 seq_printf(m, "Operations (MIDs): %d\n", atomic_read(&midCount));
51882 @@ -360,7 +360,7 @@ static int cifs_stats_proc_show(struct seq_file *m, void *v)
51883 if (tcon->need_reconnect)
51884 seq_puts(m, "\tDISCONNECTED ");
51885 seq_printf(m, "\nSMBs: %d",
51886 - atomic_read(&tcon->num_smbs_sent));
51887 + atomic_read_unchecked(&tcon->num_smbs_sent));
51888 if (server->ops->print_stats)
51889 server->ops->print_stats(m, tcon);
51891 diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
51892 index 3752b9f..8db5569 100644
51893 --- a/fs/cifs/cifsfs.c
51894 +++ b/fs/cifs/cifsfs.c
51895 @@ -1035,7 +1035,7 @@ cifs_init_request_bufs(void)
51897 cifs_req_cachep = kmem_cache_create("cifs_request",
51898 CIFSMaxBufSize + max_hdr_size, 0,
51899 - SLAB_HWCACHE_ALIGN, NULL);
51900 + SLAB_HWCACHE_ALIGN | SLAB_USERCOPY, NULL);
51901 if (cifs_req_cachep == NULL)
51904 @@ -1062,7 +1062,7 @@ cifs_init_request_bufs(void)
51905 efficient to alloc 1 per page off the slab compared to 17K (5page)
51906 alloc of large cifs buffers even when page debugging is on */
51907 cifs_sm_req_cachep = kmem_cache_create("cifs_small_rq",
51908 - MAX_CIFS_SMALL_BUFFER_SIZE, 0, SLAB_HWCACHE_ALIGN,
51909 + MAX_CIFS_SMALL_BUFFER_SIZE, 0, SLAB_HWCACHE_ALIGN | SLAB_USERCOPY,
51911 if (cifs_sm_req_cachep == NULL) {
51912 mempool_destroy(cifs_req_poolp);
51913 @@ -1147,8 +1147,8 @@ init_cifs(void)
51914 atomic_set(&bufAllocCount, 0);
51915 atomic_set(&smBufAllocCount, 0);
51916 #ifdef CONFIG_CIFS_STATS2
51917 - atomic_set(&totBufAllocCount, 0);
51918 - atomic_set(&totSmBufAllocCount, 0);
51919 + atomic_set_unchecked(&totBufAllocCount, 0);
51920 + atomic_set_unchecked(&totSmBufAllocCount, 0);
51921 #endif /* CONFIG_CIFS_STATS2 */
51923 atomic_set(&midCount, 0);
51924 diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
51925 index ea3a0b3..0194e39 100644
51926 --- a/fs/cifs/cifsglob.h
51927 +++ b/fs/cifs/cifsglob.h
51928 @@ -752,35 +752,35 @@ struct cifs_tcon {
51929 __u16 Flags; /* optional support bits */
51930 enum statusEnum tidStatus;
51931 #ifdef CONFIG_CIFS_STATS
51932 - atomic_t num_smbs_sent;
51933 + atomic_unchecked_t num_smbs_sent;
51936 - atomic_t num_writes;
51937 - atomic_t num_reads;
51938 - atomic_t num_flushes;
51939 - atomic_t num_oplock_brks;
51940 - atomic_t num_opens;
51941 - atomic_t num_closes;
51942 - atomic_t num_deletes;
51943 - atomic_t num_mkdirs;
51944 - atomic_t num_posixopens;
51945 - atomic_t num_posixmkdirs;
51946 - atomic_t num_rmdirs;
51947 - atomic_t num_renames;
51948 - atomic_t num_t2renames;
51949 - atomic_t num_ffirst;
51950 - atomic_t num_fnext;
51951 - atomic_t num_fclose;
51952 - atomic_t num_hardlinks;
51953 - atomic_t num_symlinks;
51954 - atomic_t num_locks;
51955 - atomic_t num_acl_get;
51956 - atomic_t num_acl_set;
51957 + atomic_unchecked_t num_writes;
51958 + atomic_unchecked_t num_reads;
51959 + atomic_unchecked_t num_flushes;
51960 + atomic_unchecked_t num_oplock_brks;
51961 + atomic_unchecked_t num_opens;
51962 + atomic_unchecked_t num_closes;
51963 + atomic_unchecked_t num_deletes;
51964 + atomic_unchecked_t num_mkdirs;
51965 + atomic_unchecked_t num_posixopens;
51966 + atomic_unchecked_t num_posixmkdirs;
51967 + atomic_unchecked_t num_rmdirs;
51968 + atomic_unchecked_t num_renames;
51969 + atomic_unchecked_t num_t2renames;
51970 + atomic_unchecked_t num_ffirst;
51971 + atomic_unchecked_t num_fnext;
51972 + atomic_unchecked_t num_fclose;
51973 + atomic_unchecked_t num_hardlinks;
51974 + atomic_unchecked_t num_symlinks;
51975 + atomic_unchecked_t num_locks;
51976 + atomic_unchecked_t num_acl_get;
51977 + atomic_unchecked_t num_acl_set;
51979 #ifdef CONFIG_CIFS_SMB2
51981 - atomic_t smb2_com_sent[NUMBER_OF_SMB2_COMMANDS];
51982 - atomic_t smb2_com_failed[NUMBER_OF_SMB2_COMMANDS];
51983 + atomic_unchecked_t smb2_com_sent[NUMBER_OF_SMB2_COMMANDS];
51984 + atomic_unchecked_t smb2_com_failed[NUMBER_OF_SMB2_COMMANDS];
51986 #endif /* CONFIG_CIFS_SMB2 */
51988 @@ -1081,7 +1081,7 @@ convert_delimiter(char *path, char delim)
51991 #ifdef CONFIG_CIFS_STATS
51992 -#define cifs_stats_inc atomic_inc
51993 +#define cifs_stats_inc atomic_inc_unchecked
51995 static inline void cifs_stats_bytes_written(struct cifs_tcon *tcon,
51996 unsigned int bytes)
51997 @@ -1446,8 +1446,8 @@ GLOBAL_EXTERN atomic_t tconInfoReconnectCount;
51998 /* Various Debug counters */
51999 GLOBAL_EXTERN atomic_t bufAllocCount; /* current number allocated */
52000 #ifdef CONFIG_CIFS_STATS2
52001 -GLOBAL_EXTERN atomic_t totBufAllocCount; /* total allocated over all time */
52002 -GLOBAL_EXTERN atomic_t totSmBufAllocCount;
52003 +GLOBAL_EXTERN atomic_unchecked_t totBufAllocCount; /* total allocated over all time */
52004 +GLOBAL_EXTERN atomic_unchecked_t totSmBufAllocCount;
52006 GLOBAL_EXTERN atomic_t smBufAllocCount;
52007 GLOBAL_EXTERN atomic_t midCount;
52008 diff --git a/fs/cifs/link.c b/fs/cifs/link.c
52009 index b83c3f5..6437caa 100644
52010 --- a/fs/cifs/link.c
52011 +++ b/fs/cifs/link.c
52012 @@ -616,7 +616,7 @@ symlink_exit:
52014 void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
52016 - char *p = nd_get_link(nd);
52017 + const char *p = nd_get_link(nd);
52021 diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c
52022 index 1bec014..f329411 100644
52023 --- a/fs/cifs/misc.c
52024 +++ b/fs/cifs/misc.c
52025 @@ -169,7 +169,7 @@ cifs_buf_get(void)
52026 memset(ret_buf, 0, buf_size + 3);
52027 atomic_inc(&bufAllocCount);
52028 #ifdef CONFIG_CIFS_STATS2
52029 - atomic_inc(&totBufAllocCount);
52030 + atomic_inc_unchecked(&totBufAllocCount);
52031 #endif /* CONFIG_CIFS_STATS2 */
52034 @@ -204,7 +204,7 @@ cifs_small_buf_get(void)
52035 /* memset(ret_buf, 0, sizeof(struct smb_hdr) + 27);*/
52036 atomic_inc(&smBufAllocCount);
52037 #ifdef CONFIG_CIFS_STATS2
52038 - atomic_inc(&totSmBufAllocCount);
52039 + atomic_inc_unchecked(&totSmBufAllocCount);
52040 #endif /* CONFIG_CIFS_STATS2 */
52043 diff --git a/fs/cifs/smb1ops.c b/fs/cifs/smb1ops.c
52044 index 3efdb9d..e845a5e 100644
52045 --- a/fs/cifs/smb1ops.c
52046 +++ b/fs/cifs/smb1ops.c
52047 @@ -591,27 +591,27 @@ static void
52048 cifs_clear_stats(struct cifs_tcon *tcon)
52050 #ifdef CONFIG_CIFS_STATS
52051 - atomic_set(&tcon->stats.cifs_stats.num_writes, 0);
52052 - atomic_set(&tcon->stats.cifs_stats.num_reads, 0);
52053 - atomic_set(&tcon->stats.cifs_stats.num_flushes, 0);
52054 - atomic_set(&tcon->stats.cifs_stats.num_oplock_brks, 0);
52055 - atomic_set(&tcon->stats.cifs_stats.num_opens, 0);
52056 - atomic_set(&tcon->stats.cifs_stats.num_posixopens, 0);
52057 - atomic_set(&tcon->stats.cifs_stats.num_posixmkdirs, 0);
52058 - atomic_set(&tcon->stats.cifs_stats.num_closes, 0);
52059 - atomic_set(&tcon->stats.cifs_stats.num_deletes, 0);
52060 - atomic_set(&tcon->stats.cifs_stats.num_mkdirs, 0);
52061 - atomic_set(&tcon->stats.cifs_stats.num_rmdirs, 0);
52062 - atomic_set(&tcon->stats.cifs_stats.num_renames, 0);
52063 - atomic_set(&tcon->stats.cifs_stats.num_t2renames, 0);
52064 - atomic_set(&tcon->stats.cifs_stats.num_ffirst, 0);
52065 - atomic_set(&tcon->stats.cifs_stats.num_fnext, 0);
52066 - atomic_set(&tcon->stats.cifs_stats.num_fclose, 0);
52067 - atomic_set(&tcon->stats.cifs_stats.num_hardlinks, 0);
52068 - atomic_set(&tcon->stats.cifs_stats.num_symlinks, 0);
52069 - atomic_set(&tcon->stats.cifs_stats.num_locks, 0);
52070 - atomic_set(&tcon->stats.cifs_stats.num_acl_get, 0);
52071 - atomic_set(&tcon->stats.cifs_stats.num_acl_set, 0);
52072 + atomic_set_unchecked(&tcon->stats.cifs_stats.num_writes, 0);
52073 + atomic_set_unchecked(&tcon->stats.cifs_stats.num_reads, 0);
52074 + atomic_set_unchecked(&tcon->stats.cifs_stats.num_flushes, 0);
52075 + atomic_set_unchecked(&tcon->stats.cifs_stats.num_oplock_brks, 0);
52076 + atomic_set_unchecked(&tcon->stats.cifs_stats.num_opens, 0);
52077 + atomic_set_unchecked(&tcon->stats.cifs_stats.num_posixopens, 0);
52078 + atomic_set_unchecked(&tcon->stats.cifs_stats.num_posixmkdirs, 0);
52079 + atomic_set_unchecked(&tcon->stats.cifs_stats.num_closes, 0);
52080 + atomic_set_unchecked(&tcon->stats.cifs_stats.num_deletes, 0);
52081 + atomic_set_unchecked(&tcon->stats.cifs_stats.num_mkdirs, 0);
52082 + atomic_set_unchecked(&tcon->stats.cifs_stats.num_rmdirs, 0);
52083 + atomic_set_unchecked(&tcon->stats.cifs_stats.num_renames, 0);
52084 + atomic_set_unchecked(&tcon->stats.cifs_stats.num_t2renames, 0);
52085 + atomic_set_unchecked(&tcon->stats.cifs_stats.num_ffirst, 0);
52086 + atomic_set_unchecked(&tcon->stats.cifs_stats.num_fnext, 0);
52087 + atomic_set_unchecked(&tcon->stats.cifs_stats.num_fclose, 0);
52088 + atomic_set_unchecked(&tcon->stats.cifs_stats.num_hardlinks, 0);
52089 + atomic_set_unchecked(&tcon->stats.cifs_stats.num_symlinks, 0);
52090 + atomic_set_unchecked(&tcon->stats.cifs_stats.num_locks, 0);
52091 + atomic_set_unchecked(&tcon->stats.cifs_stats.num_acl_get, 0);
52092 + atomic_set_unchecked(&tcon->stats.cifs_stats.num_acl_set, 0);
52096 @@ -620,36 +620,36 @@ cifs_print_stats(struct seq_file *m, struct cifs_tcon *tcon)
52098 #ifdef CONFIG_CIFS_STATS
52099 seq_printf(m, " Oplocks breaks: %d",
52100 - atomic_read(&tcon->stats.cifs_stats.num_oplock_brks));
52101 + atomic_read_unchecked(&tcon->stats.cifs_stats.num_oplock_brks));
52102 seq_printf(m, "\nReads: %d Bytes: %llu",
52103 - atomic_read(&tcon->stats.cifs_stats.num_reads),
52104 + atomic_read_unchecked(&tcon->stats.cifs_stats.num_reads),
52105 (long long)(tcon->bytes_read));
52106 seq_printf(m, "\nWrites: %d Bytes: %llu",
52107 - atomic_read(&tcon->stats.cifs_stats.num_writes),
52108 + atomic_read_unchecked(&tcon->stats.cifs_stats.num_writes),
52109 (long long)(tcon->bytes_written));
52110 seq_printf(m, "\nFlushes: %d",
52111 - atomic_read(&tcon->stats.cifs_stats.num_flushes));
52112 + atomic_read_unchecked(&tcon->stats.cifs_stats.num_flushes));
52113 seq_printf(m, "\nLocks: %d HardLinks: %d Symlinks: %d",
52114 - atomic_read(&tcon->stats.cifs_stats.num_locks),
52115 - atomic_read(&tcon->stats.cifs_stats.num_hardlinks),
52116 - atomic_read(&tcon->stats.cifs_stats.num_symlinks));
52117 + atomic_read_unchecked(&tcon->stats.cifs_stats.num_locks),
52118 + atomic_read_unchecked(&tcon->stats.cifs_stats.num_hardlinks),
52119 + atomic_read_unchecked(&tcon->stats.cifs_stats.num_symlinks));
52120 seq_printf(m, "\nOpens: %d Closes: %d Deletes: %d",
52121 - atomic_read(&tcon->stats.cifs_stats.num_opens),
52122 - atomic_read(&tcon->stats.cifs_stats.num_closes),
52123 - atomic_read(&tcon->stats.cifs_stats.num_deletes));
52124 + atomic_read_unchecked(&tcon->stats.cifs_stats.num_opens),
52125 + atomic_read_unchecked(&tcon->stats.cifs_stats.num_closes),
52126 + atomic_read_unchecked(&tcon->stats.cifs_stats.num_deletes));
52127 seq_printf(m, "\nPosix Opens: %d Posix Mkdirs: %d",
52128 - atomic_read(&tcon->stats.cifs_stats.num_posixopens),
52129 - atomic_read(&tcon->stats.cifs_stats.num_posixmkdirs));
52130 + atomic_read_unchecked(&tcon->stats.cifs_stats.num_posixopens),
52131 + atomic_read_unchecked(&tcon->stats.cifs_stats.num_posixmkdirs));
52132 seq_printf(m, "\nMkdirs: %d Rmdirs: %d",
52133 - atomic_read(&tcon->stats.cifs_stats.num_mkdirs),
52134 - atomic_read(&tcon->stats.cifs_stats.num_rmdirs));
52135 + atomic_read_unchecked(&tcon->stats.cifs_stats.num_mkdirs),
52136 + atomic_read_unchecked(&tcon->stats.cifs_stats.num_rmdirs));
52137 seq_printf(m, "\nRenames: %d T2 Renames %d",
52138 - atomic_read(&tcon->stats.cifs_stats.num_renames),
52139 - atomic_read(&tcon->stats.cifs_stats.num_t2renames));
52140 + atomic_read_unchecked(&tcon->stats.cifs_stats.num_renames),
52141 + atomic_read_unchecked(&tcon->stats.cifs_stats.num_t2renames));
52142 seq_printf(m, "\nFindFirst: %d FNext %d FClose %d",
52143 - atomic_read(&tcon->stats.cifs_stats.num_ffirst),
52144 - atomic_read(&tcon->stats.cifs_stats.num_fnext),
52145 - atomic_read(&tcon->stats.cifs_stats.num_fclose));
52146 + atomic_read_unchecked(&tcon->stats.cifs_stats.num_ffirst),
52147 + atomic_read_unchecked(&tcon->stats.cifs_stats.num_fnext),
52148 + atomic_read_unchecked(&tcon->stats.cifs_stats.num_fclose));
52152 diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
52153 index f2e76f3..c44fac7 100644
52154 --- a/fs/cifs/smb2ops.c
52155 +++ b/fs/cifs/smb2ops.c
52156 @@ -274,8 +274,8 @@ smb2_clear_stats(struct cifs_tcon *tcon)
52157 #ifdef CONFIG_CIFS_STATS
52159 for (i = 0; i < NUMBER_OF_SMB2_COMMANDS; i++) {
52160 - atomic_set(&tcon->stats.smb2_stats.smb2_com_sent[i], 0);
52161 - atomic_set(&tcon->stats.smb2_stats.smb2_com_failed[i], 0);
52162 + atomic_set_unchecked(&tcon->stats.smb2_stats.smb2_com_sent[i], 0);
52163 + atomic_set_unchecked(&tcon->stats.smb2_stats.smb2_com_failed[i], 0);
52167 @@ -284,66 +284,66 @@ static void
52168 smb2_print_stats(struct seq_file *m, struct cifs_tcon *tcon)
52170 #ifdef CONFIG_CIFS_STATS
52171 - atomic_t *sent = tcon->stats.smb2_stats.smb2_com_sent;
52172 - atomic_t *failed = tcon->stats.smb2_stats.smb2_com_failed;
52173 + atomic_unchecked_t *sent = tcon->stats.smb2_stats.smb2_com_sent;
52174 + atomic_unchecked_t *failed = tcon->stats.smb2_stats.smb2_com_failed;
52175 seq_printf(m, "\nNegotiates: %d sent %d failed",
52176 - atomic_read(&sent[SMB2_NEGOTIATE_HE]),
52177 - atomic_read(&failed[SMB2_NEGOTIATE_HE]));
52178 + atomic_read_unchecked(&sent[SMB2_NEGOTIATE_HE]),
52179 + atomic_read_unchecked(&failed[SMB2_NEGOTIATE_HE]));
52180 seq_printf(m, "\nSessionSetups: %d sent %d failed",
52181 - atomic_read(&sent[SMB2_SESSION_SETUP_HE]),
52182 - atomic_read(&failed[SMB2_SESSION_SETUP_HE]));
52183 + atomic_read_unchecked(&sent[SMB2_SESSION_SETUP_HE]),
52184 + atomic_read_unchecked(&failed[SMB2_SESSION_SETUP_HE]));
52185 #define SMB2LOGOFF 0x0002 /* trivial request/resp */
52186 seq_printf(m, "\nLogoffs: %d sent %d failed",
52187 - atomic_read(&sent[SMB2_LOGOFF_HE]),
52188 - atomic_read(&failed[SMB2_LOGOFF_HE]));
52189 + atomic_read_unchecked(&sent[SMB2_LOGOFF_HE]),
52190 + atomic_read_unchecked(&failed[SMB2_LOGOFF_HE]));
52191 seq_printf(m, "\nTreeConnects: %d sent %d failed",
52192 - atomic_read(&sent[SMB2_TREE_CONNECT_HE]),
52193 - atomic_read(&failed[SMB2_TREE_CONNECT_HE]));
52194 + atomic_read_unchecked(&sent[SMB2_TREE_CONNECT_HE]),
52195 + atomic_read_unchecked(&failed[SMB2_TREE_CONNECT_HE]));
52196 seq_printf(m, "\nTreeDisconnects: %d sent %d failed",
52197 - atomic_read(&sent[SMB2_TREE_DISCONNECT_HE]),
52198 - atomic_read(&failed[SMB2_TREE_DISCONNECT_HE]));
52199 + atomic_read_unchecked(&sent[SMB2_TREE_DISCONNECT_HE]),
52200 + atomic_read_unchecked(&failed[SMB2_TREE_DISCONNECT_HE]));
52201 seq_printf(m, "\nCreates: %d sent %d failed",
52202 - atomic_read(&sent[SMB2_CREATE_HE]),
52203 - atomic_read(&failed[SMB2_CREATE_HE]));
52204 + atomic_read_unchecked(&sent[SMB2_CREATE_HE]),
52205 + atomic_read_unchecked(&failed[SMB2_CREATE_HE]));
52206 seq_printf(m, "\nCloses: %d sent %d failed",
52207 - atomic_read(&sent[SMB2_CLOSE_HE]),
52208 - atomic_read(&failed[SMB2_CLOSE_HE]));
52209 + atomic_read_unchecked(&sent[SMB2_CLOSE_HE]),
52210 + atomic_read_unchecked(&failed[SMB2_CLOSE_HE]));
52211 seq_printf(m, "\nFlushes: %d sent %d failed",
52212 - atomic_read(&sent[SMB2_FLUSH_HE]),
52213 - atomic_read(&failed[SMB2_FLUSH_HE]));
52214 + atomic_read_unchecked(&sent[SMB2_FLUSH_HE]),
52215 + atomic_read_unchecked(&failed[SMB2_FLUSH_HE]));
52216 seq_printf(m, "\nReads: %d sent %d failed",
52217 - atomic_read(&sent[SMB2_READ_HE]),
52218 - atomic_read(&failed[SMB2_READ_HE]));
52219 + atomic_read_unchecked(&sent[SMB2_READ_HE]),
52220 + atomic_read_unchecked(&failed[SMB2_READ_HE]));
52221 seq_printf(m, "\nWrites: %d sent %d failed",
52222 - atomic_read(&sent[SMB2_WRITE_HE]),
52223 - atomic_read(&failed[SMB2_WRITE_HE]));
52224 + atomic_read_unchecked(&sent[SMB2_WRITE_HE]),
52225 + atomic_read_unchecked(&failed[SMB2_WRITE_HE]));
52226 seq_printf(m, "\nLocks: %d sent %d failed",
52227 - atomic_read(&sent[SMB2_LOCK_HE]),
52228 - atomic_read(&failed[SMB2_LOCK_HE]));
52229 + atomic_read_unchecked(&sent[SMB2_LOCK_HE]),
52230 + atomic_read_unchecked(&failed[SMB2_LOCK_HE]));
52231 seq_printf(m, "\nIOCTLs: %d sent %d failed",
52232 - atomic_read(&sent[SMB2_IOCTL_HE]),
52233 - atomic_read(&failed[SMB2_IOCTL_HE]));
52234 + atomic_read_unchecked(&sent[SMB2_IOCTL_HE]),
52235 + atomic_read_unchecked(&failed[SMB2_IOCTL_HE]));
52236 seq_printf(m, "\nCancels: %d sent %d failed",
52237 - atomic_read(&sent[SMB2_CANCEL_HE]),
52238 - atomic_read(&failed[SMB2_CANCEL_HE]));
52239 + atomic_read_unchecked(&sent[SMB2_CANCEL_HE]),
52240 + atomic_read_unchecked(&failed[SMB2_CANCEL_HE]));
52241 seq_printf(m, "\nEchos: %d sent %d failed",
52242 - atomic_read(&sent[SMB2_ECHO_HE]),
52243 - atomic_read(&failed[SMB2_ECHO_HE]));
52244 + atomic_read_unchecked(&sent[SMB2_ECHO_HE]),
52245 + atomic_read_unchecked(&failed[SMB2_ECHO_HE]));
52246 seq_printf(m, "\nQueryDirectories: %d sent %d failed",
52247 - atomic_read(&sent[SMB2_QUERY_DIRECTORY_HE]),
52248 - atomic_read(&failed[SMB2_QUERY_DIRECTORY_HE]));
52249 + atomic_read_unchecked(&sent[SMB2_QUERY_DIRECTORY_HE]),
52250 + atomic_read_unchecked(&failed[SMB2_QUERY_DIRECTORY_HE]));
52251 seq_printf(m, "\nChangeNotifies: %d sent %d failed",
52252 - atomic_read(&sent[SMB2_CHANGE_NOTIFY_HE]),
52253 - atomic_read(&failed[SMB2_CHANGE_NOTIFY_HE]));
52254 + atomic_read_unchecked(&sent[SMB2_CHANGE_NOTIFY_HE]),
52255 + atomic_read_unchecked(&failed[SMB2_CHANGE_NOTIFY_HE]));
52256 seq_printf(m, "\nQueryInfos: %d sent %d failed",
52257 - atomic_read(&sent[SMB2_QUERY_INFO_HE]),
52258 - atomic_read(&failed[SMB2_QUERY_INFO_HE]));
52259 + atomic_read_unchecked(&sent[SMB2_QUERY_INFO_HE]),
52260 + atomic_read_unchecked(&failed[SMB2_QUERY_INFO_HE]));
52261 seq_printf(m, "\nSetInfos: %d sent %d failed",
52262 - atomic_read(&sent[SMB2_SET_INFO_HE]),
52263 - atomic_read(&failed[SMB2_SET_INFO_HE]));
52264 + atomic_read_unchecked(&sent[SMB2_SET_INFO_HE]),
52265 + atomic_read_unchecked(&failed[SMB2_SET_INFO_HE]));
52266 seq_printf(m, "\nOplockBreaks: %d sent %d failed",
52267 - atomic_read(&sent[SMB2_OPLOCK_BREAK_HE]),
52268 - atomic_read(&failed[SMB2_OPLOCK_BREAK_HE]));
52269 + atomic_read_unchecked(&sent[SMB2_OPLOCK_BREAK_HE]),
52270 + atomic_read_unchecked(&failed[SMB2_OPLOCK_BREAK_HE]));
52274 diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
52275 index 2b95ce2..d079d75 100644
52276 --- a/fs/cifs/smb2pdu.c
52277 +++ b/fs/cifs/smb2pdu.c
52278 @@ -1760,8 +1760,7 @@ SMB2_query_directory(const unsigned int xid, struct cifs_tcon *tcon,
52280 cifs_dbg(VFS, "info level %u isn't supported\n",
52281 srch_inf->info_level);
52287 req->FileIndex = cpu_to_le32(index);
52288 diff --git a/fs/coda/cache.c b/fs/coda/cache.c
52289 index 1da168c..8bc7ff6 100644
52290 --- a/fs/coda/cache.c
52291 +++ b/fs/coda/cache.c
52293 #include "coda_linux.h"
52294 #include "coda_cache.h"
52296 -static atomic_t permission_epoch = ATOMIC_INIT(0);
52297 +static atomic_unchecked_t permission_epoch = ATOMIC_INIT(0);
52299 /* replace or extend an acl cache hit */
52300 void coda_cache_enter(struct inode *inode, int mask)
52301 @@ -32,7 +32,7 @@ void coda_cache_enter(struct inode *inode, int mask)
52302 struct coda_inode_info *cii = ITOC(inode);
52304 spin_lock(&cii->c_lock);
52305 - cii->c_cached_epoch = atomic_read(&permission_epoch);
52306 + cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch);
52307 if (!uid_eq(cii->c_uid, current_fsuid())) {
52308 cii->c_uid = current_fsuid();
52309 cii->c_cached_perm = mask;
52310 @@ -46,14 +46,14 @@ void coda_cache_clear_inode(struct inode *inode)
52312 struct coda_inode_info *cii = ITOC(inode);
52313 spin_lock(&cii->c_lock);
52314 - cii->c_cached_epoch = atomic_read(&permission_epoch) - 1;
52315 + cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch) - 1;
52316 spin_unlock(&cii->c_lock);
52319 /* remove all acl caches */
52320 void coda_cache_clear_all(struct super_block *sb)
52322 - atomic_inc(&permission_epoch);
52323 + atomic_inc_unchecked(&permission_epoch);
52327 @@ -66,7 +66,7 @@ int coda_cache_check(struct inode *inode, int mask)
52328 spin_lock(&cii->c_lock);
52329 hit = (mask & cii->c_cached_perm) == mask &&
52330 uid_eq(cii->c_uid, current_fsuid()) &&
52331 - cii->c_cached_epoch == atomic_read(&permission_epoch);
52332 + cii->c_cached_epoch == atomic_read_unchecked(&permission_epoch);
52333 spin_unlock(&cii->c_lock);
52336 diff --git a/fs/compat.c b/fs/compat.c
52337 index fc3b55d..7b568ae 100644
52341 #include <asm/ioctls.h>
52342 #include "internal.h"
52344 -int compat_log = 1;
52345 +int compat_log = 0;
52347 int compat_printk(const char *fmt, ...)
52349 @@ -488,7 +488,7 @@ compat_sys_io_setup(unsigned nr_reqs, u32 __user *ctx32p)
52352 /* The __user pointer cast is valid because of the set_fs() */
52353 - ret = sys_io_setup(nr_reqs, (aio_context_t __user *) &ctx64);
52354 + ret = sys_io_setup(nr_reqs, (aio_context_t __force_user *) &ctx64);
52356 /* truncating is ok because it's a user address */
52358 @@ -546,7 +546,7 @@ ssize_t compat_rw_copy_check_uvector(int type,
52362 - if (nr_segs > UIO_MAXIOV || nr_segs < 0)
52363 + if (nr_segs > UIO_MAXIOV)
52365 if (nr_segs > fast_segs) {
52367 @@ -833,6 +833,7 @@ struct compat_old_linux_dirent {
52369 struct compat_readdir_callback {
52370 struct compat_old_linux_dirent __user *dirent;
52371 + struct file * file;
52375 @@ -850,6 +851,10 @@ static int compat_fillonedir(void *__buf, const char *name, int namlen,
52376 buf->result = -EOVERFLOW;
52380 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
52384 dirent = buf->dirent;
52385 if (!access_ok(VERIFY_WRITE, dirent,
52386 @@ -880,6 +885,7 @@ asmlinkage long compat_sys_old_readdir(unsigned int fd,
52389 buf.dirent = dirent;
52390 + buf.file = f.file;
52392 error = vfs_readdir(f.file, compat_fillonedir, &buf);
52394 @@ -899,6 +905,7 @@ struct compat_linux_dirent {
52395 struct compat_getdents_callback {
52396 struct compat_linux_dirent __user *current_dir;
52397 struct compat_linux_dirent __user *previous;
52398 + struct file * file;
52402 @@ -920,6 +927,10 @@ static int compat_filldir(void *__buf, const char *name, int namlen,
52403 buf->error = -EOVERFLOW;
52407 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
52410 dirent = buf->previous;
52412 if (__put_user(offset, &dirent->d_off))
52413 @@ -965,6 +976,7 @@ asmlinkage long compat_sys_getdents(unsigned int fd,
52414 buf.previous = NULL;
52417 + buf.file = f.file;
52419 error = vfs_readdir(f.file, compat_filldir, &buf);
52421 @@ -985,6 +997,7 @@ asmlinkage long compat_sys_getdents(unsigned int fd,
52422 struct compat_getdents_callback64 {
52423 struct linux_dirent64 __user *current_dir;
52424 struct linux_dirent64 __user *previous;
52425 + struct file * file;
52429 @@ -1001,6 +1014,10 @@ static int compat_filldir64(void * __buf, const char * name, int namlen, loff_t
52430 buf->error = -EINVAL; /* only used if we fail.. */
52431 if (reclen > buf->count)
52434 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
52437 dirent = buf->previous;
52440 @@ -1050,13 +1067,14 @@ asmlinkage long compat_sys_getdents64(unsigned int fd,
52441 buf.previous = NULL;
52444 + buf.file = f.file;
52446 error = vfs_readdir(f.file, compat_filldir64, &buf);
52449 lastdirent = buf.previous;
52451 - typeof(lastdirent->d_off) d_off = f.file->f_pos;
52452 + typeof(((struct linux_dirent64 *)0)->d_off) d_off = f.file->f_pos;
52453 if (__put_user_unaligned(d_off, &lastdirent->d_off))
52456 diff --git a/fs/compat_binfmt_elf.c b/fs/compat_binfmt_elf.c
52457 index a81147e..20bf2b5 100644
52458 --- a/fs/compat_binfmt_elf.c
52459 +++ b/fs/compat_binfmt_elf.c
52460 @@ -30,11 +30,13 @@
52466 #define elfhdr elf32_hdr
52467 #define elf_phdr elf32_phdr
52468 #define elf_shdr elf32_shdr
52469 #define elf_note elf32_note
52470 +#define elf_dyn Elf32_Dyn
52471 #define elf_addr_t Elf32_Addr
52474 diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c
52475 index 996cdc5..15e2f33 100644
52476 --- a/fs/compat_ioctl.c
52477 +++ b/fs/compat_ioctl.c
52478 @@ -622,7 +622,7 @@ static int serial_struct_ioctl(unsigned fd, unsigned cmd,
52480 if (__get_user(udata, &ss32->iomem_base))
52482 - ss.iomem_base = compat_ptr(udata);
52483 + ss.iomem_base = (unsigned char __force_kernel *)compat_ptr(udata);
52484 if (__get_user(ss.iomem_reg_shift, &ss32->iomem_reg_shift) ||
52485 __get_user(ss.port_high, &ss32->port_high))
52487 @@ -703,8 +703,8 @@ static int do_i2c_rdwr_ioctl(unsigned int fd, unsigned int cmd,
52488 for (i = 0; i < nmsgs; i++) {
52489 if (copy_in_user(&tmsgs[i].addr, &umsgs[i].addr, 3*sizeof(u16)))
52491 - if (get_user(datap, &umsgs[i].buf) ||
52492 - put_user(compat_ptr(datap), &tmsgs[i].buf))
52493 + if (get_user(datap, (u8 __user * __user *)&umsgs[i].buf) ||
52494 + put_user(compat_ptr(datap), (u8 __user * __user *)&tmsgs[i].buf))
52497 return sys_ioctl(fd, cmd, (unsigned long)tdata);
52498 @@ -797,7 +797,7 @@ static int compat_ioctl_preallocate(struct file *file,
52499 copy_in_user(&p->l_len, &p32->l_len, sizeof(s64)) ||
52500 copy_in_user(&p->l_sysid, &p32->l_sysid, sizeof(s32)) ||
52501 copy_in_user(&p->l_pid, &p32->l_pid, sizeof(u32)) ||
52502 - copy_in_user(&p->l_pad, &p32->l_pad, 4*sizeof(u32)))
52503 + copy_in_user(p->l_pad, &p32->l_pad, 4*sizeof(u32)))
52506 return ioctl_preallocate(file, p);
52507 @@ -1619,8 +1619,8 @@ asmlinkage long compat_sys_ioctl(unsigned int fd, unsigned int cmd,
52508 static int __init init_sys32_ioctl_cmp(const void *p, const void *q)
52511 - a = *(unsigned int *)p;
52512 - b = *(unsigned int *)q;
52513 + a = *(const unsigned int *)p;
52514 + b = *(const unsigned int *)q;
52518 diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c
52519 index 7aabc6a..34c1197 100644
52520 --- a/fs/configfs/dir.c
52521 +++ b/fs/configfs/dir.c
52522 @@ -1565,7 +1565,8 @@ static int configfs_readdir(struct file * filp, void * dirent, filldir_t filldir
52524 for (p=q->next; p!= &parent_sd->s_children; p=p->next) {
52525 struct configfs_dirent *next;
52526 - const char * name;
52527 + const unsigned char * name;
52528 + char d_name[sizeof(next->s_dentry->d_iname)];
52530 struct inode *inode = NULL;
52532 @@ -1575,7 +1576,12 @@ static int configfs_readdir(struct file * filp, void * dirent, filldir_t filldir
52535 name = configfs_get_name(next);
52536 - len = strlen(name);
52537 + if (next->s_dentry && name == next->s_dentry->d_iname) {
52538 + len = next->s_dentry->d_name.len;
52539 + memcpy(d_name, name, len);
52542 + len = strlen(name);
52545 * We'll have a dentry and an inode for
52546 diff --git a/fs/coredump.c b/fs/coredump.c
52547 index dafafba..10b3b27 100644
52548 --- a/fs/coredump.c
52549 +++ b/fs/coredump.c
52550 @@ -52,7 +52,7 @@ struct core_name {
52554 -static atomic_t call_count = ATOMIC_INIT(1);
52555 +static atomic_unchecked_t call_count = ATOMIC_INIT(1);
52557 /* The maximal length of core_pattern is also specified in sysctl.c */
52559 @@ -60,7 +60,7 @@ static int expand_corename(struct core_name *cn)
52561 char *old_corename = cn->corename;
52563 - cn->size = CORENAME_MAX_SIZE * atomic_inc_return(&call_count);
52564 + cn->size = CORENAME_MAX_SIZE * atomic_inc_return_unchecked(&call_count);
52565 cn->corename = krealloc(old_corename, cn->size, GFP_KERNEL);
52567 if (!cn->corename) {
52568 @@ -157,7 +157,7 @@ static int format_corename(struct core_name *cn, struct coredump_params *cprm)
52569 int pid_in_pattern = 0;
52572 - cn->size = CORENAME_MAX_SIZE * atomic_read(&call_count);
52573 + cn->size = CORENAME_MAX_SIZE * atomic_read_unchecked(&call_count);
52574 cn->corename = kmalloc(cn->size, GFP_KERNEL);
52577 @@ -435,8 +435,8 @@ static void wait_for_dump_helpers(struct file *file)
52578 struct pipe_inode_info *pipe = file->private_data;
52583 + atomic_inc(&pipe->readers);
52584 + atomic_dec(&pipe->writers);
52585 wake_up_interruptible_sync(&pipe->wait);
52586 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
52588 @@ -445,11 +445,11 @@ static void wait_for_dump_helpers(struct file *file)
52589 * We actually want wait_event_freezable() but then we need
52590 * to clear TIF_SIGPENDING and improve dump_interrupted().
52592 - wait_event_interruptible(pipe->wait, pipe->readers == 1);
52593 + wait_event_interruptible(pipe->wait, atomic_read(&pipe->readers) == 1);
52598 + atomic_dec(&pipe->readers);
52599 + atomic_inc(&pipe->writers);
52603 @@ -496,7 +496,8 @@ void do_coredump(siginfo_t *siginfo)
52604 struct files_struct *displaced;
52605 bool need_nonrelative = false;
52606 bool core_dumped = false;
52607 - static atomic_t core_dump_count = ATOMIC_INIT(0);
52608 + static atomic_unchecked_t core_dump_count = ATOMIC_INIT(0);
52609 + long signr = siginfo->si_signo;
52610 struct coredump_params cprm = {
52611 .siginfo = siginfo,
52612 .regs = signal_pt_regs(),
52613 @@ -509,7 +510,10 @@ void do_coredump(siginfo_t *siginfo)
52614 .mm_flags = mm->flags,
52617 - audit_core_dumps(siginfo->si_signo);
52618 + audit_core_dumps(signr);
52620 + if (signr == SIGSEGV || signr == SIGBUS || signr == SIGKILL || signr == SIGILL)
52621 + gr_handle_brute_attach(cprm.mm_flags);
52623 binfmt = mm->binfmt;
52624 if (!binfmt || !binfmt->core_dump)
52625 @@ -533,7 +537,7 @@ void do_coredump(siginfo_t *siginfo)
52626 need_nonrelative = true;
52629 - retval = coredump_wait(siginfo->si_signo, &core_state);
52630 + retval = coredump_wait(signr, &core_state);
52634 @@ -576,7 +580,7 @@ void do_coredump(siginfo_t *siginfo)
52636 cprm.limit = RLIM_INFINITY;
52638 - dump_count = atomic_inc_return(&core_dump_count);
52639 + dump_count = atomic_inc_return_unchecked(&core_dump_count);
52640 if (core_pipe_limit && (core_pipe_limit < dump_count)) {
52641 printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
52642 task_tgid_vnr(current), current->comm);
52643 @@ -608,6 +612,8 @@ void do_coredump(siginfo_t *siginfo)
52645 struct inode *inode;
52647 + gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
52649 if (cprm.limit < binfmt->min_coredump)
52652 @@ -666,7 +672,7 @@ close_fail:
52653 filp_close(cprm.file, NULL);
52656 - atomic_dec(&core_dump_count);
52657 + atomic_dec_unchecked(&core_dump_count);
52659 kfree(cn.corename);
52661 @@ -687,7 +693,7 @@ int dump_write(struct file *file, const void *addr, int nr)
52663 return !dump_interrupted() &&
52664 access_ok(VERIFY_READ, addr, nr) &&
52665 - file->f_op->write(file, addr, nr, &file->f_pos) == nr;
52666 + file->f_op->write(file, (const char __force_user *)addr, nr, &file->f_pos) == nr;
52668 EXPORT_SYMBOL(dump_write);
52670 diff --git a/fs/dcache.c b/fs/dcache.c
52671 index f09b908..04b9690 100644
52674 @@ -3086,7 +3086,8 @@ void __init vfs_caches_init(unsigned long mempages)
52675 mempages -= reserve;
52677 names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0,
52678 - SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
52679 + SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_USERCOPY|
52680 + SLAB_NO_SANITIZE, NULL);
52684 diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
52685 index c7c83ff..bda9461 100644
52686 --- a/fs/debugfs/inode.c
52687 +++ b/fs/debugfs/inode.c
52688 @@ -415,7 +415,11 @@ EXPORT_SYMBOL_GPL(debugfs_create_file);
52690 struct dentry *debugfs_create_dir(const char *name, struct dentry *parent)
52692 +#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
52693 + return __create_file(name, S_IFDIR | S_IRWXU,
52695 return __create_file(name, S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
52697 parent, NULL, NULL);
52699 EXPORT_SYMBOL_GPL(debugfs_create_dir);
52700 diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c
52701 index 5eab400..810a3f5 100644
52702 --- a/fs/ecryptfs/inode.c
52703 +++ b/fs/ecryptfs/inode.c
52704 @@ -674,7 +674,7 @@ static int ecryptfs_readlink_lower(struct dentry *dentry, char **buf,
52707 rc = lower_dentry->d_inode->i_op->readlink(lower_dentry,
52708 - (char __user *)lower_buf,
52709 + (char __force_user *)lower_buf,
52713 @@ -706,7 +706,7 @@ out:
52715 ecryptfs_put_link(struct dentry *dentry, struct nameidata *nd, void *ptr)
52717 - char *buf = nd_get_link(nd);
52718 + const char *buf = nd_get_link(nd);
52719 if (!IS_ERR(buf)) {
52720 /* Free the char* */
52722 diff --git a/fs/ecryptfs/miscdev.c b/fs/ecryptfs/miscdev.c
52723 index e4141f2..d8263e8 100644
52724 --- a/fs/ecryptfs/miscdev.c
52725 +++ b/fs/ecryptfs/miscdev.c
52726 @@ -304,7 +304,7 @@ check_list:
52727 goto out_unlock_msg_ctx;
52728 i = PKT_TYPE_SIZE + PKT_CTR_SIZE;
52729 if (msg_ctx->msg) {
52730 - if (copy_to_user(&buf[i], packet_length, packet_length_size))
52731 + if (packet_length_size > sizeof(packet_length) || copy_to_user(&buf[i], packet_length, packet_length_size))
52732 goto out_unlock_msg_ctx;
52733 i += packet_length_size;
52734 if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
52735 diff --git a/fs/exec.c b/fs/exec.c
52736 index 1f44670..3c84660 100644
52740 #include <linux/pipe_fs_i.h>
52741 #include <linux/oom.h>
52742 #include <linux/compat.h>
52743 +#include <linux/random.h>
52744 +#include <linux/seq_file.h>
52745 +#include <linux/coredump.h>
52746 +#include <linux/mman.h>
52748 +#ifdef CONFIG_PAX_REFCOUNT
52749 +#include <linux/kallsyms.h>
52750 +#include <linux/kdebug.h>
52753 +#include <trace/events/fs.h>
52755 #include <asm/uaccess.h>
52756 +#include <asm/sections.h>
52757 #include <asm/mmu_context.h>
52758 #include <asm/tlb.h>
52760 @@ -66,17 +78,32 @@
52762 #include <trace/events/sched.h>
52764 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
52765 +void __weak pax_set_initial_flags(struct linux_binprm *bprm)
52767 + pr_warn_once("PAX: PAX_HAVE_ACL_FLAGS was enabled without providing the pax_set_initial_flags callback, this is probably not what you wanted.\n");
52771 +#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
52772 +void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
52773 +EXPORT_SYMBOL(pax_set_initial_flags_func);
52776 int suid_dumpable = 0;
52778 static LIST_HEAD(formats);
52779 static DEFINE_RWLOCK(binfmt_lock);
52781 +extern int gr_process_kernel_exec_ban(void);
52782 +extern int gr_process_suid_exec_ban(const struct linux_binprm *bprm);
52784 void __register_binfmt(struct linux_binfmt * fmt, int insert)
52787 write_lock(&binfmt_lock);
52788 - insert ? list_add(&fmt->lh, &formats) :
52789 - list_add_tail(&fmt->lh, &formats);
52790 + insert ? pax_list_add((struct list_head *)&fmt->lh, &formats) :
52791 + pax_list_add_tail((struct list_head *)&fmt->lh, &formats);
52792 write_unlock(&binfmt_lock);
52795 @@ -85,7 +112,7 @@ EXPORT_SYMBOL(__register_binfmt);
52796 void unregister_binfmt(struct linux_binfmt * fmt)
52798 write_lock(&binfmt_lock);
52799 - list_del(&fmt->lh);
52800 + pax_list_del((struct list_head *)&fmt->lh);
52801 write_unlock(&binfmt_lock);
52804 @@ -180,18 +207,10 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
52810 -#ifdef CONFIG_STACK_GROWSUP
52812 - ret = expand_downwards(bprm->vma, pos);
52817 - ret = get_user_pages(current, bprm->mm, pos,
52818 - 1, write, 1, &page, NULL);
52820 + if (0 > expand_downwards(bprm->vma, pos))
52822 + if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
52826 @@ -207,6 +226,17 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
52827 if (size <= ARG_MAX)
52830 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
52831 + // only allow 512KB for argv+env on suid/sgid binaries
52832 + // to prevent easy ASLR exhaustion
52833 + if (((!uid_eq(bprm->cred->euid, current_euid())) ||
52834 + (!gid_eq(bprm->cred->egid, current_egid()))) &&
52835 + (size > (512 * 1024))) {
52842 * Limit to 1/4-th the stack size for the argv+env strings.
52843 * This ensures that:
52844 @@ -266,6 +296,11 @@ static int __bprm_mm_init(struct linux_binprm *bprm)
52845 vma->vm_end = STACK_TOP_MAX;
52846 vma->vm_start = vma->vm_end - PAGE_SIZE;
52847 vma->vm_flags = VM_STACK_FLAGS | VM_STACK_INCOMPLETE_SETUP;
52849 +#ifdef CONFIG_PAX_SEGMEXEC
52850 + vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
52853 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
52854 INIT_LIST_HEAD(&vma->anon_vma_chain);
52856 @@ -276,6 +311,12 @@ static int __bprm_mm_init(struct linux_binprm *bprm)
52857 mm->stack_vm = mm->total_vm = 1;
52858 up_write(&mm->mmap_sem);
52859 bprm->p = vma->vm_end - sizeof(void *);
52861 +#ifdef CONFIG_PAX_RANDUSTACK
52862 + if (randomize_va_space)
52863 + bprm->p ^= prandom_u32() & ~PAGE_MASK;
52868 up_write(&mm->mmap_sem);
52869 @@ -396,7 +437,7 @@ struct user_arg_ptr {
52873 -static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
52874 +const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
52876 const char __user *native;
52878 @@ -405,14 +446,14 @@ static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
52879 compat_uptr_t compat;
52881 if (get_user(compat, argv.ptr.compat + nr))
52882 - return ERR_PTR(-EFAULT);
52883 + return (const char __force_user *)ERR_PTR(-EFAULT);
52885 return compat_ptr(compat);
52889 if (get_user(native, argv.ptr.native + nr))
52890 - return ERR_PTR(-EFAULT);
52891 + return (const char __force_user *)ERR_PTR(-EFAULT);
52895 @@ -431,7 +472,7 @@ static int count(struct user_arg_ptr argv, int max)
52900 + if (IS_ERR((const char __force_kernel *)p))
52904 @@ -466,7 +507,7 @@ static int copy_strings(int argc, struct user_arg_ptr argv,
52907 str = get_user_arg_ptr(argv, argc);
52909 + if (IS_ERR((const char __force_kernel *)str))
52912 len = strnlen_user(str, MAX_ARG_STRLEN);
52913 @@ -548,7 +589,7 @@ int copy_strings_kernel(int argc, const char *const *__argv,
52915 mm_segment_t oldfs = get_fs();
52916 struct user_arg_ptr argv = {
52917 - .ptr.native = (const char __user *const __user *)__argv,
52918 + .ptr.native = (const char __force_user * const __force_user *)__argv,
52922 @@ -583,7 +624,8 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
52923 unsigned long new_end = old_end - shift;
52924 struct mmu_gather tlb;
52926 - BUG_ON(new_start > new_end);
52927 + if (new_start >= new_end || new_start < mmap_min_addr)
52931 * ensure there are no vmas between where we want to go
52932 @@ -592,6 +634,10 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
52933 if (vma != find_vma(mm, new_start))
52936 +#ifdef CONFIG_PAX_SEGMEXEC
52937 + BUG_ON(pax_find_mirror_vma(vma));
52941 * cover the whole range: [new_start, old_end)
52943 @@ -672,10 +718,6 @@ int setup_arg_pages(struct linux_binprm *bprm,
52944 stack_top = arch_align_stack(stack_top);
52945 stack_top = PAGE_ALIGN(stack_top);
52947 - if (unlikely(stack_top < mmap_min_addr) ||
52948 - unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
52951 stack_shift = vma->vm_end - stack_top;
52953 bprm->p -= stack_shift;
52954 @@ -687,8 +729,28 @@ int setup_arg_pages(struct linux_binprm *bprm,
52955 bprm->exec -= stack_shift;
52957 down_write(&mm->mmap_sem);
52959 + /* Move stack pages down in memory. */
52960 + if (stack_shift) {
52961 + ret = shift_arg_pages(vma, stack_shift);
52966 vm_flags = VM_STACK_FLAGS;
52968 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
52969 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
52970 + vm_flags &= ~VM_EXEC;
52972 +#ifdef CONFIG_PAX_MPROTECT
52973 + if (mm->pax_flags & MF_PAX_MPROTECT)
52974 + vm_flags &= ~VM_MAYEXEC;
52981 * Adjust stack execute permissions; explicitly enable for
52982 * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone
52983 @@ -707,13 +769,6 @@ int setup_arg_pages(struct linux_binprm *bprm,
52985 BUG_ON(prev != vma);
52987 - /* Move stack pages down in memory. */
52988 - if (stack_shift) {
52989 - ret = shift_arg_pages(vma, stack_shift);
52994 /* mprotect_fixup is overkill to remove the temporary stack flags */
52995 vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP;
52997 @@ -737,6 +792,27 @@ int setup_arg_pages(struct linux_binprm *bprm,
52999 current->mm->start_stack = bprm->p;
53000 ret = expand_stack(vma, stack_base);
53002 +#if !defined(CONFIG_STACK_GROWSUP) && defined(CONFIG_PAX_RANDMMAP)
53003 + if (!ret && (mm->pax_flags & MF_PAX_RANDMMAP) && STACK_TOP <= 0xFFFFFFFFU && STACK_TOP > vma->vm_end) {
53004 + unsigned long size;
53005 + vm_flags_t vm_flags;
53007 + size = STACK_TOP - vma->vm_end;
53008 + vm_flags = VM_NONE | VM_DONTEXPAND | VM_DONTDUMP;
53010 + ret = vma->vm_end != mmap_region(NULL, vma->vm_end, size, vm_flags, 0);
53014 + size = PAGE_SIZE + mmap_min_addr + ((mm->delta_mmap ^ mm->delta_stack) & (0xFFUL << PAGE_SHIFT));
53015 + ret = 0 != mmap_region(NULL, 0, PAGE_ALIGN(size), vm_flags, 0);
53025 @@ -772,6 +848,8 @@ struct file *open_exec(const char *name)
53027 fsnotify_open(file);
53029 + trace_open_exec(name);
53031 err = deny_write_access(file);
53034 @@ -795,7 +873,7 @@ int kernel_read(struct file *file, loff_t offset,
53037 /* The cast to a user pointer is valid due to the set_fs() */
53038 - result = vfs_read(file, (void __user *)addr, count, &pos);
53039 + result = vfs_read(file, (void __force_user *)addr, count, &pos);
53043 @@ -1251,7 +1329,7 @@ static int check_unsafe_exec(struct linux_binprm *bprm)
53047 - if (p->fs->users > n_fs) {
53048 + if (atomic_read(&p->fs->users) > n_fs) {
53049 bprm->unsafe |= LSM_UNSAFE_SHARE;
53052 @@ -1451,6 +1529,31 @@ int search_binary_handler(struct linux_binprm *bprm)
53054 EXPORT_SYMBOL(search_binary_handler);
53056 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
53057 +static DEFINE_PER_CPU(u64, exec_counter);
53058 +static int __init init_exec_counters(void)
53060 + unsigned int cpu;
53062 + for_each_possible_cpu(cpu) {
53063 + per_cpu(exec_counter, cpu) = (u64)cpu;
53068 +early_initcall(init_exec_counters);
53069 +static inline void increment_exec_counter(void)
53071 + BUILD_BUG_ON(NR_CPUS > (1 << 16));
53072 + current->exec_id = this_cpu_add_return(exec_counter, 1 << 16);
53075 +static inline void increment_exec_counter(void) {}
53078 +extern void gr_handle_exec_args(struct linux_binprm *bprm,
53079 + struct user_arg_ptr argv);
53082 * sys_execve() executes a new program.
53084 @@ -1458,6 +1561,11 @@ static int do_execve_common(const char *filename,
53085 struct user_arg_ptr argv,
53086 struct user_arg_ptr envp)
53088 +#ifdef CONFIG_GRKERNSEC
53089 + struct file *old_exec_file;
53090 + struct acl_subject_label *old_acl;
53091 + struct rlimit old_rlim[RLIM_NLIMITS];
53093 struct linux_binprm *bprm;
53095 struct files_struct *displaced;
53096 @@ -1465,6 +1573,8 @@ static int do_execve_common(const char *filename,
53098 const struct cred *cred = current_cred();
53100 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&cred->user->processes), 1);
53103 * We move the actual failure in case of RLIMIT_NPROC excess from
53104 * set*uid() to execve() because too many poorly written programs
53105 @@ -1505,12 +1615,22 @@ static int do_execve_common(const char *filename,
53109 + if (gr_ptrace_readexec(file, bprm->unsafe)) {
53117 bprm->filename = filename;
53118 bprm->interp = filename;
53120 + if (!gr_acl_handle_execve(file->f_path.dentry, file->f_path.mnt)) {
53121 + retval = -EACCES;
53125 retval = bprm_mm_init(bprm);
53128 @@ -1527,24 +1647,70 @@ static int do_execve_common(const char *filename,
53132 +#ifdef CONFIG_GRKERNSEC
53133 + old_acl = current->acl;
53134 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
53135 + old_exec_file = current->exec_file;
53137 + current->exec_file = file;
53139 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
53140 + /* limit suid stack to 8MB
53141 + * we saved the old limits above and will restore them if this exec fails
53143 + if (((!uid_eq(bprm->cred->euid, current_euid())) || (!gid_eq(bprm->cred->egid, current_egid()))) &&
53144 + (old_rlim[RLIMIT_STACK].rlim_cur > (8 * 1024 * 1024)))
53145 + current->signal->rlim[RLIMIT_STACK].rlim_cur = 8 * 1024 * 1024;
53148 + if (gr_process_kernel_exec_ban() || gr_process_suid_exec_ban(bprm)) {
53153 + if (!gr_tpe_allow(file)) {
53154 + retval = -EACCES;
53158 + if (gr_check_crash_exec(file)) {
53159 + retval = -EACCES;
53163 + retval = gr_set_proc_label(file->f_path.dentry, file->f_path.mnt,
53168 retval = copy_strings_kernel(1, &bprm->filename, bprm);
53173 bprm->exec = bprm->p;
53174 retval = copy_strings(bprm->envc, envp, bprm);
53179 retval = copy_strings(bprm->argc, argv, bprm);
53184 + gr_log_chroot_exec(file->f_path.dentry, file->f_path.mnt);
53186 + gr_handle_exec_args(bprm, argv);
53188 retval = search_binary_handler(bprm);
53192 +#ifdef CONFIG_GRKERNSEC
53193 + if (old_exec_file)
53194 + fput(old_exec_file);
53197 /* execve succeeded */
53199 + increment_exec_counter();
53200 current->fs->in_exec = 0;
53201 current->in_execve = 0;
53202 acct_update_integrals(current);
53203 @@ -1553,6 +1719,14 @@ static int do_execve_common(const char *filename,
53204 put_files_struct(displaced);
53208 +#ifdef CONFIG_GRKERNSEC
53209 + current->acl = old_acl;
53210 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
53211 + fput(current->exec_file);
53212 + current->exec_file = old_exec_file;
53217 acct_arg_size(bprm, 0);
53218 @@ -1701,3 +1875,287 @@ asmlinkage long compat_sys_execve(const char __user * filename,
53223 +int pax_check_flags(unsigned long *flags)
53227 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
53228 + if (*flags & MF_PAX_SEGMEXEC)
53230 + *flags &= ~MF_PAX_SEGMEXEC;
53231 + retval = -EINVAL;
53235 + if ((*flags & MF_PAX_PAGEEXEC)
53237 +#ifdef CONFIG_PAX_PAGEEXEC
53238 + && (*flags & MF_PAX_SEGMEXEC)
53243 + *flags &= ~MF_PAX_PAGEEXEC;
53244 + retval = -EINVAL;
53247 + if ((*flags & MF_PAX_MPROTECT)
53249 +#ifdef CONFIG_PAX_MPROTECT
53250 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
53255 + *flags &= ~MF_PAX_MPROTECT;
53256 + retval = -EINVAL;
53259 + if ((*flags & MF_PAX_EMUTRAMP)
53261 +#ifdef CONFIG_PAX_EMUTRAMP
53262 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
53267 + *flags &= ~MF_PAX_EMUTRAMP;
53268 + retval = -EINVAL;
53274 +EXPORT_SYMBOL(pax_check_flags);
53276 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
53277 +char *pax_get_path(const struct path *path, char *buf, int buflen)
53279 + char *pathname = d_path(path, buf, buflen);
53281 + if (IS_ERR(pathname))
53284 + pathname = mangle_path(buf, pathname, "\t\n\\");
53292 + return "<path too long>";
53294 +EXPORT_SYMBOL(pax_get_path);
53296 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
53298 + struct task_struct *tsk = current;
53299 + struct mm_struct *mm = current->mm;
53300 + char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
53301 + char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
53302 + char *path_exec = NULL;
53303 + char *path_fault = NULL;
53304 + unsigned long start = 0UL, end = 0UL, offset = 0UL;
53305 + siginfo_t info = { };
53307 + if (buffer_exec && buffer_fault) {
53308 + struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
53310 + down_read(&mm->mmap_sem);
53312 + while (vma && (!vma_exec || !vma_fault)) {
53313 + if (vma->vm_file && mm->exe_file == vma->vm_file && (vma->vm_flags & VM_EXEC))
53315 + if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
53317 + vma = vma->vm_next;
53320 + path_exec = pax_get_path(&vma_exec->vm_file->f_path, buffer_exec, PAGE_SIZE);
53322 + start = vma_fault->vm_start;
53323 + end = vma_fault->vm_end;
53324 + offset = vma_fault->vm_pgoff << PAGE_SHIFT;
53325 + if (vma_fault->vm_file)
53326 + path_fault = pax_get_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
53327 + else if ((unsigned long)pc >= mm->start_brk && (unsigned long)pc < mm->brk)
53328 + path_fault = "<heap>";
53329 + else if (vma_fault->vm_flags & (VM_GROWSDOWN | VM_GROWSUP))
53330 + path_fault = "<stack>";
53332 + path_fault = "<anonymous mapping>";
53334 + up_read(&mm->mmap_sem);
53336 + if (tsk->signal->curr_ip)
53337 + printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
53339 + printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
53340 + printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
53341 + from_kuid_munged(&init_user_ns, task_uid(tsk)), from_kuid_munged(&init_user_ns, task_euid(tsk)), pc, sp);
53342 + free_page((unsigned long)buffer_exec);
53343 + free_page((unsigned long)buffer_fault);
53344 + pax_report_insns(regs, pc, sp);
53345 + info.si_signo = SIGKILL;
53346 + info.si_errno = 0;
53347 + info.si_code = SI_KERNEL;
53350 + do_coredump(&info);
53354 +#ifdef CONFIG_PAX_REFCOUNT
53355 +void pax_report_refcount_overflow(struct pt_regs *regs)
53357 + if (current->signal->curr_ip)
53358 + printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
53359 + ¤t->signal->curr_ip, current->comm, task_pid_nr(current),
53360 + from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()));
53362 + printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n", current->comm, task_pid_nr(current),
53363 + from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()));
53364 + print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
53365 + preempt_disable();
53367 + preempt_enable();
53368 + force_sig_info(SIGKILL, SEND_SIG_FORCED, current);
53372 +#ifdef CONFIG_PAX_USERCOPY
53373 +/* 0: not at all, 1: fully, 2: fully inside frame, -1: partially (implies an error) */
53374 +static noinline int check_stack_object(const void *obj, unsigned long len)
53376 + const void * const stack = task_stack_page(current);
53377 + const void * const stackend = stack + THREAD_SIZE;
53379 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
53380 + const void *frame = NULL;
53381 + const void *oldframe;
53384 + if (obj + len < obj)
53387 + if (obj + len <= stack || stackend <= obj)
53390 + if (obj < stack || stackend < obj + len)
53393 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
53394 + oldframe = __builtin_frame_address(1);
53396 + frame = __builtin_frame_address(2);
53398 + low ----------------------------------------------> high
53399 + [saved bp][saved ip][args][local vars][saved bp][saved ip]
53400 + ^----------------^
53401 + allow copies only within here
53403 + while (stack <= frame && frame < stackend) {
53404 + /* if obj + len extends past the last frame, this
53405 + check won't pass and the next frame will be 0,
53406 + causing us to bail out and correctly report
53407 + the copy as invalid
53409 + if (obj + len <= frame)
53410 + return obj >= oldframe + 2 * sizeof(void *) ? 2 : -1;
53411 + oldframe = frame;
53412 + frame = *(const void * const *)frame;
53420 +static __noreturn void pax_report_usercopy(const void *ptr, unsigned long len, bool to_user, const char *type)
53422 + if (current->signal->curr_ip)
53423 + printk(KERN_ERR "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
53424 + ¤t->signal->curr_ip, to_user ? "leak" : "overwrite", to_user ? "from" : "to", ptr, type ? : "unknown", len);
53426 + printk(KERN_ERR "PAX: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
53427 + to_user ? "leak" : "overwrite", to_user ? "from" : "to", ptr, type ? : "unknown", len);
53429 + gr_handle_kernel_exploit();
53430 + do_group_exit(SIGKILL);
53434 +#ifdef CONFIG_PAX_USERCOPY
53435 +static inline bool check_kernel_text_object(unsigned long low, unsigned long high)
53437 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
53438 + unsigned long textlow = ktla_ktva((unsigned long)_stext);
53439 +#ifdef CONFIG_MODULES
53440 + unsigned long texthigh = (unsigned long)MODULES_EXEC_VADDR;
53442 + unsigned long texthigh = ktla_ktva((unsigned long)_etext);
53446 + unsigned long textlow = (unsigned long)_stext;
53447 + unsigned long texthigh = (unsigned long)_etext;
53450 + if (high <= textlow || low > texthigh)
53457 +void __check_object_size(const void *ptr, unsigned long n, bool to_user)
53460 +#ifdef CONFIG_PAX_USERCOPY
53461 + const char *type;
53466 + type = check_heap_object(ptr, n);
53468 + int ret = check_stack_object(ptr, n);
53469 + if (ret == 1 || ret == 2)
53472 + if (check_kernel_text_object((unsigned long)ptr, (unsigned long)ptr + n))
53473 + type = "<kernel text>";
53477 + type = "<process stack>";
53480 + pax_report_usercopy(ptr, n, to_user, type);
53484 +EXPORT_SYMBOL(__check_object_size);
53486 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
53487 +void pax_track_stack(void)
53489 + unsigned long sp = (unsigned long)&sp;
53490 + if (sp < current_thread_info()->lowest_stack &&
53491 + sp > (unsigned long)task_stack_page(current))
53492 + current_thread_info()->lowest_stack = sp;
53494 +EXPORT_SYMBOL(pax_track_stack);
53497 +#ifdef CONFIG_PAX_SIZE_OVERFLOW
53498 +void report_size_overflow(const char *file, unsigned int line, const char *func, const char *ssa_name)
53500 + printk(KERN_ERR "PAX: size overflow detected in function %s %s:%u %s", func, file, line, ssa_name);
53502 + do_group_exit(SIGKILL);
53504 +EXPORT_SYMBOL(report_size_overflow);
53506 diff --git a/fs/ext2/balloc.c b/fs/ext2/balloc.c
53507 index 9f9992b..8b59411 100644
53508 --- a/fs/ext2/balloc.c
53509 +++ b/fs/ext2/balloc.c
53510 @@ -1184,10 +1184,10 @@ static int ext2_has_free_blocks(struct ext2_sb_info *sbi)
53512 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
53513 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
53514 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
53515 + if (free_blocks < root_blocks + 1 &&
53516 !uid_eq(sbi->s_resuid, current_fsuid()) &&
53517 (gid_eq(sbi->s_resgid, GLOBAL_ROOT_GID) ||
53518 - !in_group_p (sbi->s_resgid))) {
53519 + !in_group_p (sbi->s_resgid)) && !capable_nolog(CAP_SYS_RESOURCE)) {
53523 diff --git a/fs/ext3/balloc.c b/fs/ext3/balloc.c
53524 index 22548f5..41521d8 100644
53525 --- a/fs/ext3/balloc.c
53526 +++ b/fs/ext3/balloc.c
53527 @@ -1438,10 +1438,10 @@ static int ext3_has_free_blocks(struct ext3_sb_info *sbi, int use_reservation)
53529 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
53530 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
53531 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
53532 + if (free_blocks < root_blocks + 1 &&
53533 !use_reservation && !uid_eq(sbi->s_resuid, current_fsuid()) &&
53534 (gid_eq(sbi->s_resgid, GLOBAL_ROOT_GID) ||
53535 - !in_group_p (sbi->s_resgid))) {
53536 + !in_group_p (sbi->s_resgid)) && !capable_nolog(CAP_SYS_RESOURCE)) {
53540 diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c
53541 index 3742e4c..69a797f 100644
53542 --- a/fs/ext4/balloc.c
53543 +++ b/fs/ext4/balloc.c
53544 @@ -528,8 +528,8 @@ static int ext4_has_free_clusters(struct ext4_sb_info *sbi,
53545 /* Hm, nope. Are (enough) root reserved clusters available? */
53546 if (uid_eq(sbi->s_resuid, current_fsuid()) ||
53547 (!gid_eq(sbi->s_resgid, GLOBAL_ROOT_GID) && in_group_p(sbi->s_resgid)) ||
53548 - capable(CAP_SYS_RESOURCE) ||
53549 - (flags & EXT4_MB_USE_ROOT_BLOCKS)) {
53550 + (flags & EXT4_MB_USE_ROOT_BLOCKS) ||
53551 + capable_nolog(CAP_SYS_RESOURCE)) {
53553 if (free_clusters >= (nclusters + dirty_clusters +
53555 diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
53556 index 5aae3d1..b5da7f8 100644
53557 --- a/fs/ext4/ext4.h
53558 +++ b/fs/ext4/ext4.h
53559 @@ -1252,19 +1252,19 @@ struct ext4_sb_info {
53560 unsigned long s_mb_last_start;
53562 /* stats for buddy allocator */
53563 - atomic_t s_bal_reqs; /* number of reqs with len > 1 */
53564 - atomic_t s_bal_success; /* we found long enough chunks */
53565 - atomic_t s_bal_allocated; /* in blocks */
53566 - atomic_t s_bal_ex_scanned; /* total extents scanned */
53567 - atomic_t s_bal_goals; /* goal hits */
53568 - atomic_t s_bal_breaks; /* too long searches */
53569 - atomic_t s_bal_2orders; /* 2^order hits */
53570 + atomic_unchecked_t s_bal_reqs; /* number of reqs with len > 1 */
53571 + atomic_unchecked_t s_bal_success; /* we found long enough chunks */
53572 + atomic_unchecked_t s_bal_allocated; /* in blocks */
53573 + atomic_unchecked_t s_bal_ex_scanned; /* total extents scanned */
53574 + atomic_unchecked_t s_bal_goals; /* goal hits */
53575 + atomic_unchecked_t s_bal_breaks; /* too long searches */
53576 + atomic_unchecked_t s_bal_2orders; /* 2^order hits */
53577 spinlock_t s_bal_lock;
53578 unsigned long s_mb_buddies_generated;
53579 unsigned long long s_mb_generation_time;
53580 - atomic_t s_mb_lost_chunks;
53581 - atomic_t s_mb_preallocated;
53582 - atomic_t s_mb_discarded;
53583 + atomic_unchecked_t s_mb_lost_chunks;
53584 + atomic_unchecked_t s_mb_preallocated;
53585 + atomic_unchecked_t s_mb_discarded;
53586 atomic_t s_lock_busy;
53588 /* locality groups */
53589 diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
53590 index 59c6750..a549154 100644
53591 --- a/fs/ext4/mballoc.c
53592 +++ b/fs/ext4/mballoc.c
53593 @@ -1865,7 +1865,7 @@ void ext4_mb_simple_scan_group(struct ext4_allocation_context *ac,
53594 BUG_ON(ac->ac_b_ex.fe_len != ac->ac_g_ex.fe_len);
53596 if (EXT4_SB(sb)->s_mb_stats)
53597 - atomic_inc(&EXT4_SB(sb)->s_bal_2orders);
53598 + atomic_inc_unchecked(&EXT4_SB(sb)->s_bal_2orders);
53602 @@ -2170,7 +2170,7 @@ repeat:
53603 ac->ac_status = AC_STATUS_CONTINUE;
53604 ac->ac_flags |= EXT4_MB_HINT_FIRST;
53606 - atomic_inc(&sbi->s_mb_lost_chunks);
53607 + atomic_inc_unchecked(&sbi->s_mb_lost_chunks);
53611 @@ -2678,25 +2678,25 @@ int ext4_mb_release(struct super_block *sb)
53612 if (sbi->s_mb_stats) {
53613 ext4_msg(sb, KERN_INFO,
53614 "mballoc: %u blocks %u reqs (%u success)",
53615 - atomic_read(&sbi->s_bal_allocated),
53616 - atomic_read(&sbi->s_bal_reqs),
53617 - atomic_read(&sbi->s_bal_success));
53618 + atomic_read_unchecked(&sbi->s_bal_allocated),
53619 + atomic_read_unchecked(&sbi->s_bal_reqs),
53620 + atomic_read_unchecked(&sbi->s_bal_success));
53621 ext4_msg(sb, KERN_INFO,
53622 "mballoc: %u extents scanned, %u goal hits, "
53623 "%u 2^N hits, %u breaks, %u lost",
53624 - atomic_read(&sbi->s_bal_ex_scanned),
53625 - atomic_read(&sbi->s_bal_goals),
53626 - atomic_read(&sbi->s_bal_2orders),
53627 - atomic_read(&sbi->s_bal_breaks),
53628 - atomic_read(&sbi->s_mb_lost_chunks));
53629 + atomic_read_unchecked(&sbi->s_bal_ex_scanned),
53630 + atomic_read_unchecked(&sbi->s_bal_goals),
53631 + atomic_read_unchecked(&sbi->s_bal_2orders),
53632 + atomic_read_unchecked(&sbi->s_bal_breaks),
53633 + atomic_read_unchecked(&sbi->s_mb_lost_chunks));
53634 ext4_msg(sb, KERN_INFO,
53635 "mballoc: %lu generated and it took %Lu",
53636 sbi->s_mb_buddies_generated,
53637 sbi->s_mb_generation_time);
53638 ext4_msg(sb, KERN_INFO,
53639 "mballoc: %u preallocated, %u discarded",
53640 - atomic_read(&sbi->s_mb_preallocated),
53641 - atomic_read(&sbi->s_mb_discarded));
53642 + atomic_read_unchecked(&sbi->s_mb_preallocated),
53643 + atomic_read_unchecked(&sbi->s_mb_discarded));
53646 free_percpu(sbi->s_locality_groups);
53647 @@ -3150,16 +3150,16 @@ static void ext4_mb_collect_stats(struct ext4_allocation_context *ac)
53648 struct ext4_sb_info *sbi = EXT4_SB(ac->ac_sb);
53650 if (sbi->s_mb_stats && ac->ac_g_ex.fe_len > 1) {
53651 - atomic_inc(&sbi->s_bal_reqs);
53652 - atomic_add(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
53653 + atomic_inc_unchecked(&sbi->s_bal_reqs);
53654 + atomic_add_unchecked(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
53655 if (ac->ac_b_ex.fe_len >= ac->ac_o_ex.fe_len)
53656 - atomic_inc(&sbi->s_bal_success);
53657 - atomic_add(ac->ac_found, &sbi->s_bal_ex_scanned);
53658 + atomic_inc_unchecked(&sbi->s_bal_success);
53659 + atomic_add_unchecked(ac->ac_found, &sbi->s_bal_ex_scanned);
53660 if (ac->ac_g_ex.fe_start == ac->ac_b_ex.fe_start &&
53661 ac->ac_g_ex.fe_group == ac->ac_b_ex.fe_group)
53662 - atomic_inc(&sbi->s_bal_goals);
53663 + atomic_inc_unchecked(&sbi->s_bal_goals);
53664 if (ac->ac_found > sbi->s_mb_max_to_scan)
53665 - atomic_inc(&sbi->s_bal_breaks);
53666 + atomic_inc_unchecked(&sbi->s_bal_breaks);
53669 if (ac->ac_op == EXT4_MB_HISTORY_ALLOC)
53670 @@ -3559,7 +3559,7 @@ ext4_mb_new_inode_pa(struct ext4_allocation_context *ac)
53671 trace_ext4_mb_new_inode_pa(ac, pa);
53673 ext4_mb_use_inode_pa(ac, pa);
53674 - atomic_add(pa->pa_free, &sbi->s_mb_preallocated);
53675 + atomic_add_unchecked(pa->pa_free, &sbi->s_mb_preallocated);
53677 ei = EXT4_I(ac->ac_inode);
53678 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
53679 @@ -3619,7 +3619,7 @@ ext4_mb_new_group_pa(struct ext4_allocation_context *ac)
53680 trace_ext4_mb_new_group_pa(ac, pa);
53682 ext4_mb_use_group_pa(ac, pa);
53683 - atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
53684 + atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
53686 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
53688 @@ -3708,7 +3708,7 @@ ext4_mb_release_inode_pa(struct ext4_buddy *e4b, struct buffer_head *bitmap_bh,
53689 * from the bitmap and continue.
53692 - atomic_add(free, &sbi->s_mb_discarded);
53693 + atomic_add_unchecked(free, &sbi->s_mb_discarded);
53697 @@ -3726,7 +3726,7 @@ ext4_mb_release_group_pa(struct ext4_buddy *e4b,
53698 ext4_get_group_no_and_offset(sb, pa->pa_pstart, &group, &bit);
53699 BUG_ON(group != e4b->bd_group && pa->pa_len != 0);
53700 mb_free_blocks(pa->pa_inode, e4b, bit, pa->pa_len);
53701 - atomic_add(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
53702 + atomic_add_unchecked(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
53703 trace_ext4_mballoc_discard(sb, NULL, group, bit, pa->pa_len);
53706 diff --git a/fs/ext4/mmp.c b/fs/ext4/mmp.c
53707 index 214461e..3614c89 100644
53708 --- a/fs/ext4/mmp.c
53709 +++ b/fs/ext4/mmp.c
53710 @@ -113,7 +113,7 @@ static int read_mmp_block(struct super_block *sb, struct buffer_head **bh,
53711 void __dump_mmp_msg(struct super_block *sb, struct mmp_struct *mmp,
53712 const char *function, unsigned int line, const char *msg)
53714 - __ext4_warning(sb, function, line, msg);
53715 + __ext4_warning(sb, function, line, "%s", msg);
53716 __ext4_warning(sb, function, line,
53717 "MMP failure info: last update time: %llu, last update "
53718 "node: %s, last update device: %s\n",
53719 diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
53720 index 49d3c01..9579efd 100644
53721 --- a/fs/ext4/resize.c
53722 +++ b/fs/ext4/resize.c
53723 @@ -79,12 +79,20 @@ static int verify_group_input(struct super_block *sb,
53724 ext4_fsblk_t end = start + input->blocks_count;
53725 ext4_group_t group = input->group;
53726 ext4_fsblk_t itend = input->inode_table + sbi->s_itb_per_group;
53727 - unsigned overhead = ext4_group_overhead_blocks(sb, group);
53728 - ext4_fsblk_t metaend = start + overhead;
53729 + unsigned overhead;
53730 + ext4_fsblk_t metaend;
53731 struct buffer_head *bh = NULL;
53732 ext4_grpblk_t free_blocks_count, offset;
53735 + if (group != sbi->s_groups_count) {
53736 + ext4_warning(sb, "Cannot add at group %u (only %u groups)",
53737 + input->group, sbi->s_groups_count);
53741 + overhead = ext4_group_overhead_blocks(sb, group);
53742 + metaend = start + overhead;
53743 input->free_blocks_count = free_blocks_count =
53744 input->blocks_count - 2 - overhead - sbi->s_itb_per_group;
53746 @@ -96,10 +104,7 @@ static int verify_group_input(struct super_block *sb,
53747 free_blocks_count, input->reserved_blocks);
53749 ext4_get_group_no_and_offset(sb, start, NULL, &offset);
53750 - if (group != sbi->s_groups_count)
53751 - ext4_warning(sb, "Cannot add at group %u (only %u groups)",
53752 - input->group, sbi->s_groups_count);
53753 - else if (offset != 0)
53755 ext4_warning(sb, "Last group not full");
53756 else if (input->reserved_blocks > input->blocks_count / 5)
53757 ext4_warning(sb, "Reserved blocks too high (%u)",
53758 diff --git a/fs/ext4/super.c b/fs/ext4/super.c
53759 index 3f7c39e..227f24f 100644
53760 --- a/fs/ext4/super.c
53761 +++ b/fs/ext4/super.c
53762 @@ -1236,7 +1236,7 @@ static ext4_fsblk_t get_sb_block(void **data)
53765 #define DEFAULT_JOURNAL_IOPRIO (IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 3))
53766 -static char deprecated_msg[] = "Mount option \"%s\" will be removed by %s\n"
53767 +static const char deprecated_msg[] = "Mount option \"%s\" will be removed by %s\n"
53768 "Contact linux-ext4@vger.kernel.org if you think we should keep it.\n";
53770 #ifdef CONFIG_QUOTA
53771 @@ -2372,7 +2372,7 @@ struct ext4_attr {
53772 ssize_t (*store)(struct ext4_attr *, struct ext4_sb_info *,
53773 const char *, size_t);
53778 static int parse_strtoull(const char *buf,
53779 unsigned long long max, unsigned long long *value)
53780 diff --git a/fs/fcntl.c b/fs/fcntl.c
53781 index 6599222..e7bf0de 100644
53784 @@ -107,6 +107,11 @@ int __f_setown(struct file *filp, struct pid *pid, enum pid_type type,
53788 + if (gr_handle_chroot_fowner(pid, type))
53790 + if (gr_check_protected_task_fowner(pid, type))
53793 f_modown(filp, pid, type, force);
53796 diff --git a/fs/fhandle.c b/fs/fhandle.c
53797 index 999ff5c..41f4109 100644
53800 @@ -67,8 +67,7 @@ static long do_sys_name_to_handle(struct path *path,
53803 /* copy the mount id */
53804 - if (copy_to_user(mnt_id, &real_mount(path->mnt)->mnt_id,
53805 - sizeof(*mnt_id)) ||
53806 + if (put_user(real_mount(path->mnt)->mnt_id, mnt_id) ||
53807 copy_to_user(ufh, handle,
53808 sizeof(struct file_handle) + handle_bytes))
53810 diff --git a/fs/file.c b/fs/file.c
53811 index 4a78f98..9447397 100644
53815 #include <linux/slab.h>
53816 #include <linux/vmalloc.h>
53817 #include <linux/file.h>
53818 +#include <linux/security.h>
53819 #include <linux/fdtable.h>
53820 #include <linux/bitops.h>
53821 #include <linux/interrupt.h>
53822 @@ -828,6 +829,7 @@ int replace_fd(unsigned fd, struct file *file, unsigned flags)
53824 return __close_fd(files, fd);
53826 + gr_learn_resource(current, RLIMIT_NOFILE, fd, 0);
53827 if (fd >= rlimit(RLIMIT_NOFILE))
53830 @@ -854,6 +856,7 @@ SYSCALL_DEFINE3(dup3, unsigned int, oldfd, unsigned int, newfd, int, flags)
53831 if (unlikely(oldfd == newfd))
53834 + gr_learn_resource(current, RLIMIT_NOFILE, newfd, 0);
53835 if (newfd >= rlimit(RLIMIT_NOFILE))
53838 @@ -909,6 +912,7 @@ SYSCALL_DEFINE1(dup, unsigned int, fildes)
53839 int f_dupfd(unsigned int from, struct file *file, unsigned flags)
53842 + gr_learn_resource(current, RLIMIT_NOFILE, from, 0);
53843 if (from >= rlimit(RLIMIT_NOFILE))
53845 err = alloc_fd(from, flags);
53846 diff --git a/fs/filesystems.c b/fs/filesystems.c
53847 index 92567d9..fcd8cbf 100644
53848 --- a/fs/filesystems.c
53849 +++ b/fs/filesystems.c
53850 @@ -273,7 +273,11 @@ struct file_system_type *get_fs_type(const char *name)
53851 int len = dot ? dot - name : strlen(name);
53853 fs = __get_fs_type(name, len);
53854 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
53855 + if (!fs && (___request_module(true, "grsec_modharden_fs", "fs-%.*s", len, name) == 0))
53857 if (!fs && (request_module("fs-%.*s", len, name) == 0))
53859 fs = __get_fs_type(name, len);
53861 if (dot && fs && !(fs->fs_flags & FS_HAS_SUBTYPE)) {
53862 diff --git a/fs/fs_struct.c b/fs/fs_struct.c
53863 index d8ac61d..79a36f0 100644
53864 --- a/fs/fs_struct.c
53865 +++ b/fs/fs_struct.c
53867 #include <linux/path.h>
53868 #include <linux/slab.h>
53869 #include <linux/fs_struct.h>
53870 +#include <linux/grsecurity.h>
53871 #include "internal.h"
53874 @@ -19,6 +20,7 @@ void set_fs_root(struct fs_struct *fs, const struct path *path)
53875 write_seqcount_begin(&fs->seq);
53876 old_root = fs->root;
53878 + gr_set_chroot_entries(current, path);
53879 write_seqcount_end(&fs->seq);
53880 spin_unlock(&fs->lock);
53881 if (old_root.dentry)
53882 @@ -67,6 +69,10 @@ void chroot_fs_refs(const struct path *old_root, const struct path *new_root)
53884 spin_lock(&fs->lock);
53885 write_seqcount_begin(&fs->seq);
53886 + /* this root replacement is only done by pivot_root,
53887 + leave grsec's chroot tagging alone for this task
53888 + so that a pivoted root isn't treated as a chroot
53890 hits += replace_path(&fs->root, old_root, new_root);
53891 hits += replace_path(&fs->pwd, old_root, new_root);
53892 write_seqcount_end(&fs->seq);
53893 @@ -99,7 +105,8 @@ void exit_fs(struct task_struct *tsk)
53895 spin_lock(&fs->lock);
53897 - kill = !--fs->users;
53898 + gr_clear_chroot_entries(tsk);
53899 + kill = !atomic_dec_return(&fs->users);
53900 spin_unlock(&fs->lock);
53903 @@ -112,7 +119,7 @@ struct fs_struct *copy_fs_struct(struct fs_struct *old)
53904 struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
53905 /* We don't need to lock fs - think why ;-) */
53908 + atomic_set(&fs->users, 1);
53910 spin_lock_init(&fs->lock);
53911 seqcount_init(&fs->seq);
53912 @@ -121,6 +128,9 @@ struct fs_struct *copy_fs_struct(struct fs_struct *old)
53913 spin_lock(&old->lock);
53914 fs->root = old->root;
53915 path_get(&fs->root);
53916 + /* instead of calling gr_set_chroot_entries here,
53917 + we call it from every caller of this function
53919 fs->pwd = old->pwd;
53920 path_get(&fs->pwd);
53921 spin_unlock(&old->lock);
53922 @@ -139,8 +149,9 @@ int unshare_fs_struct(void)
53924 task_lock(current);
53925 spin_lock(&fs->lock);
53926 - kill = !--fs->users;
53927 + kill = !atomic_dec_return(&fs->users);
53928 current->fs = new_fs;
53929 + gr_set_chroot_entries(current, &new_fs->root);
53930 spin_unlock(&fs->lock);
53931 task_unlock(current);
53933 @@ -153,13 +164,13 @@ EXPORT_SYMBOL_GPL(unshare_fs_struct);
53935 int current_umask(void)
53937 - return current->fs->umask;
53938 + return current->fs->umask | gr_acl_umask();
53940 EXPORT_SYMBOL(current_umask);
53942 /* to be mentioned only in INIT_TASK */
53943 struct fs_struct init_fs = {
53945 + .users = ATOMIC_INIT(1),
53946 .lock = __SPIN_LOCK_UNLOCKED(init_fs.lock),
53947 .seq = SEQCNT_ZERO,
53949 diff --git a/fs/fscache/cookie.c b/fs/fscache/cookie.c
53950 index e2cba1f..17a25bb 100644
53951 --- a/fs/fscache/cookie.c
53952 +++ b/fs/fscache/cookie.c
53953 @@ -68,11 +68,11 @@ struct fscache_cookie *__fscache_acquire_cookie(
53954 parent ? (char *) parent->def->name : "<no-parent>",
53955 def->name, netfs_data);
53957 - fscache_stat(&fscache_n_acquires);
53958 + fscache_stat_unchecked(&fscache_n_acquires);
53960 /* if there's no parent cookie, then we don't create one here either */
53962 - fscache_stat(&fscache_n_acquires_null);
53963 + fscache_stat_unchecked(&fscache_n_acquires_null);
53964 _leave(" [no parent]");
53967 @@ -87,7 +87,7 @@ struct fscache_cookie *__fscache_acquire_cookie(
53968 /* allocate and initialise a cookie */
53969 cookie = kmem_cache_alloc(fscache_cookie_jar, GFP_KERNEL);
53971 - fscache_stat(&fscache_n_acquires_oom);
53972 + fscache_stat_unchecked(&fscache_n_acquires_oom);
53973 _leave(" [ENOMEM]");
53976 @@ -109,13 +109,13 @@ struct fscache_cookie *__fscache_acquire_cookie(
53978 switch (cookie->def->type) {
53979 case FSCACHE_COOKIE_TYPE_INDEX:
53980 - fscache_stat(&fscache_n_cookie_index);
53981 + fscache_stat_unchecked(&fscache_n_cookie_index);
53983 case FSCACHE_COOKIE_TYPE_DATAFILE:
53984 - fscache_stat(&fscache_n_cookie_data);
53985 + fscache_stat_unchecked(&fscache_n_cookie_data);
53988 - fscache_stat(&fscache_n_cookie_special);
53989 + fscache_stat_unchecked(&fscache_n_cookie_special);
53993 @@ -126,13 +126,13 @@ struct fscache_cookie *__fscache_acquire_cookie(
53994 if (fscache_acquire_non_index_cookie(cookie) < 0) {
53995 atomic_dec(&parent->n_children);
53996 __fscache_cookie_put(cookie);
53997 - fscache_stat(&fscache_n_acquires_nobufs);
53998 + fscache_stat_unchecked(&fscache_n_acquires_nobufs);
54004 - fscache_stat(&fscache_n_acquires_ok);
54005 + fscache_stat_unchecked(&fscache_n_acquires_ok);
54006 _leave(" = %p", cookie);
54009 @@ -168,7 +168,7 @@ static int fscache_acquire_non_index_cookie(struct fscache_cookie *cookie)
54010 cache = fscache_select_cache_for_object(cookie->parent);
54012 up_read(&fscache_addremove_sem);
54013 - fscache_stat(&fscache_n_acquires_no_cache);
54014 + fscache_stat_unchecked(&fscache_n_acquires_no_cache);
54015 _leave(" = -ENOMEDIUM [no cache]");
54018 @@ -255,12 +255,12 @@ static int fscache_alloc_object(struct fscache_cache *cache,
54019 object = cache->ops->alloc_object(cache, cookie);
54020 fscache_stat_d(&fscache_n_cop_alloc_object);
54021 if (IS_ERR(object)) {
54022 - fscache_stat(&fscache_n_object_no_alloc);
54023 + fscache_stat_unchecked(&fscache_n_object_no_alloc);
54024 ret = PTR_ERR(object);
54028 - fscache_stat(&fscache_n_object_alloc);
54029 + fscache_stat_unchecked(&fscache_n_object_alloc);
54031 object->debug_id = atomic_inc_return(&fscache_object_debug_id);
54033 @@ -376,7 +376,7 @@ void __fscache_invalidate(struct fscache_cookie *cookie)
54035 _enter("{%s}", cookie->def->name);
54037 - fscache_stat(&fscache_n_invalidates);
54038 + fscache_stat_unchecked(&fscache_n_invalidates);
54040 /* Only permit invalidation of data files. Invalidating an index will
54041 * require the caller to release all its attachments to the tree rooted
54042 @@ -434,10 +434,10 @@ void __fscache_update_cookie(struct fscache_cookie *cookie)
54044 struct fscache_object *object;
54046 - fscache_stat(&fscache_n_updates);
54047 + fscache_stat_unchecked(&fscache_n_updates);
54050 - fscache_stat(&fscache_n_updates_null);
54051 + fscache_stat_unchecked(&fscache_n_updates_null);
54052 _leave(" [no cookie]");
54055 @@ -471,12 +471,12 @@ void __fscache_relinquish_cookie(struct fscache_cookie *cookie, int retire)
54056 struct fscache_object *object;
54057 unsigned long event;
54059 - fscache_stat(&fscache_n_relinquishes);
54060 + fscache_stat_unchecked(&fscache_n_relinquishes);
54062 - fscache_stat(&fscache_n_relinquishes_retire);
54063 + fscache_stat_unchecked(&fscache_n_relinquishes_retire);
54066 - fscache_stat(&fscache_n_relinquishes_null);
54067 + fscache_stat_unchecked(&fscache_n_relinquishes_null);
54068 _leave(" [no cookie]");
54071 @@ -492,7 +492,7 @@ void __fscache_relinquish_cookie(struct fscache_cookie *cookie, int retire)
54073 /* wait for the cookie to finish being instantiated (or to fail) */
54074 if (test_bit(FSCACHE_COOKIE_CREATING, &cookie->flags)) {
54075 - fscache_stat(&fscache_n_relinquishes_waitcrt);
54076 + fscache_stat_unchecked(&fscache_n_relinquishes_waitcrt);
54077 wait_on_bit(&cookie->flags, FSCACHE_COOKIE_CREATING,
54078 fscache_wait_bit, TASK_UNINTERRUPTIBLE);
54080 diff --git a/fs/fscache/internal.h b/fs/fscache/internal.h
54081 index ee38fef..0a326d4 100644
54082 --- a/fs/fscache/internal.h
54083 +++ b/fs/fscache/internal.h
54084 @@ -148,101 +148,101 @@ extern void fscache_proc_cleanup(void);
54087 #ifdef CONFIG_FSCACHE_STATS
54088 -extern atomic_t fscache_n_ops_processed[FSCACHE_MAX_THREADS];
54089 -extern atomic_t fscache_n_objs_processed[FSCACHE_MAX_THREADS];
54090 +extern atomic_unchecked_t fscache_n_ops_processed[FSCACHE_MAX_THREADS];
54091 +extern atomic_unchecked_t fscache_n_objs_processed[FSCACHE_MAX_THREADS];
54093 -extern atomic_t fscache_n_op_pend;
54094 -extern atomic_t fscache_n_op_run;
54095 -extern atomic_t fscache_n_op_enqueue;
54096 -extern atomic_t fscache_n_op_deferred_release;
54097 -extern atomic_t fscache_n_op_release;
54098 -extern atomic_t fscache_n_op_gc;
54099 -extern atomic_t fscache_n_op_cancelled;
54100 -extern atomic_t fscache_n_op_rejected;
54101 +extern atomic_unchecked_t fscache_n_op_pend;
54102 +extern atomic_unchecked_t fscache_n_op_run;
54103 +extern atomic_unchecked_t fscache_n_op_enqueue;
54104 +extern atomic_unchecked_t fscache_n_op_deferred_release;
54105 +extern atomic_unchecked_t fscache_n_op_release;
54106 +extern atomic_unchecked_t fscache_n_op_gc;
54107 +extern atomic_unchecked_t fscache_n_op_cancelled;
54108 +extern atomic_unchecked_t fscache_n_op_rejected;
54110 -extern atomic_t fscache_n_attr_changed;
54111 -extern atomic_t fscache_n_attr_changed_ok;
54112 -extern atomic_t fscache_n_attr_changed_nobufs;
54113 -extern atomic_t fscache_n_attr_changed_nomem;
54114 -extern atomic_t fscache_n_attr_changed_calls;
54115 +extern atomic_unchecked_t fscache_n_attr_changed;
54116 +extern atomic_unchecked_t fscache_n_attr_changed_ok;
54117 +extern atomic_unchecked_t fscache_n_attr_changed_nobufs;
54118 +extern atomic_unchecked_t fscache_n_attr_changed_nomem;
54119 +extern atomic_unchecked_t fscache_n_attr_changed_calls;
54121 -extern atomic_t fscache_n_allocs;
54122 -extern atomic_t fscache_n_allocs_ok;
54123 -extern atomic_t fscache_n_allocs_wait;
54124 -extern atomic_t fscache_n_allocs_nobufs;
54125 -extern atomic_t fscache_n_allocs_intr;
54126 -extern atomic_t fscache_n_allocs_object_dead;
54127 -extern atomic_t fscache_n_alloc_ops;
54128 -extern atomic_t fscache_n_alloc_op_waits;
54129 +extern atomic_unchecked_t fscache_n_allocs;
54130 +extern atomic_unchecked_t fscache_n_allocs_ok;
54131 +extern atomic_unchecked_t fscache_n_allocs_wait;
54132 +extern atomic_unchecked_t fscache_n_allocs_nobufs;
54133 +extern atomic_unchecked_t fscache_n_allocs_intr;
54134 +extern atomic_unchecked_t fscache_n_allocs_object_dead;
54135 +extern atomic_unchecked_t fscache_n_alloc_ops;
54136 +extern atomic_unchecked_t fscache_n_alloc_op_waits;
54138 -extern atomic_t fscache_n_retrievals;
54139 -extern atomic_t fscache_n_retrievals_ok;
54140 -extern atomic_t fscache_n_retrievals_wait;
54141 -extern atomic_t fscache_n_retrievals_nodata;
54142 -extern atomic_t fscache_n_retrievals_nobufs;
54143 -extern atomic_t fscache_n_retrievals_intr;
54144 -extern atomic_t fscache_n_retrievals_nomem;
54145 -extern atomic_t fscache_n_retrievals_object_dead;
54146 -extern atomic_t fscache_n_retrieval_ops;
54147 -extern atomic_t fscache_n_retrieval_op_waits;
54148 +extern atomic_unchecked_t fscache_n_retrievals;
54149 +extern atomic_unchecked_t fscache_n_retrievals_ok;
54150 +extern atomic_unchecked_t fscache_n_retrievals_wait;
54151 +extern atomic_unchecked_t fscache_n_retrievals_nodata;
54152 +extern atomic_unchecked_t fscache_n_retrievals_nobufs;
54153 +extern atomic_unchecked_t fscache_n_retrievals_intr;
54154 +extern atomic_unchecked_t fscache_n_retrievals_nomem;
54155 +extern atomic_unchecked_t fscache_n_retrievals_object_dead;
54156 +extern atomic_unchecked_t fscache_n_retrieval_ops;
54157 +extern atomic_unchecked_t fscache_n_retrieval_op_waits;
54159 -extern atomic_t fscache_n_stores;
54160 -extern atomic_t fscache_n_stores_ok;
54161 -extern atomic_t fscache_n_stores_again;
54162 -extern atomic_t fscache_n_stores_nobufs;
54163 -extern atomic_t fscache_n_stores_oom;
54164 -extern atomic_t fscache_n_store_ops;
54165 -extern atomic_t fscache_n_store_calls;
54166 -extern atomic_t fscache_n_store_pages;
54167 -extern atomic_t fscache_n_store_radix_deletes;
54168 -extern atomic_t fscache_n_store_pages_over_limit;
54169 +extern atomic_unchecked_t fscache_n_stores;
54170 +extern atomic_unchecked_t fscache_n_stores_ok;
54171 +extern atomic_unchecked_t fscache_n_stores_again;
54172 +extern atomic_unchecked_t fscache_n_stores_nobufs;
54173 +extern atomic_unchecked_t fscache_n_stores_oom;
54174 +extern atomic_unchecked_t fscache_n_store_ops;
54175 +extern atomic_unchecked_t fscache_n_store_calls;
54176 +extern atomic_unchecked_t fscache_n_store_pages;
54177 +extern atomic_unchecked_t fscache_n_store_radix_deletes;
54178 +extern atomic_unchecked_t fscache_n_store_pages_over_limit;
54180 -extern atomic_t fscache_n_store_vmscan_not_storing;
54181 -extern atomic_t fscache_n_store_vmscan_gone;
54182 -extern atomic_t fscache_n_store_vmscan_busy;
54183 -extern atomic_t fscache_n_store_vmscan_cancelled;
54184 -extern atomic_t fscache_n_store_vmscan_wait;
54185 +extern atomic_unchecked_t fscache_n_store_vmscan_not_storing;
54186 +extern atomic_unchecked_t fscache_n_store_vmscan_gone;
54187 +extern atomic_unchecked_t fscache_n_store_vmscan_busy;
54188 +extern atomic_unchecked_t fscache_n_store_vmscan_cancelled;
54189 +extern atomic_unchecked_t fscache_n_store_vmscan_wait;
54191 -extern atomic_t fscache_n_marks;
54192 -extern atomic_t fscache_n_uncaches;
54193 +extern atomic_unchecked_t fscache_n_marks;
54194 +extern atomic_unchecked_t fscache_n_uncaches;
54196 -extern atomic_t fscache_n_acquires;
54197 -extern atomic_t fscache_n_acquires_null;
54198 -extern atomic_t fscache_n_acquires_no_cache;
54199 -extern atomic_t fscache_n_acquires_ok;
54200 -extern atomic_t fscache_n_acquires_nobufs;
54201 -extern atomic_t fscache_n_acquires_oom;
54202 +extern atomic_unchecked_t fscache_n_acquires;
54203 +extern atomic_unchecked_t fscache_n_acquires_null;
54204 +extern atomic_unchecked_t fscache_n_acquires_no_cache;
54205 +extern atomic_unchecked_t fscache_n_acquires_ok;
54206 +extern atomic_unchecked_t fscache_n_acquires_nobufs;
54207 +extern atomic_unchecked_t fscache_n_acquires_oom;
54209 -extern atomic_t fscache_n_invalidates;
54210 -extern atomic_t fscache_n_invalidates_run;
54211 +extern atomic_unchecked_t fscache_n_invalidates;
54212 +extern atomic_unchecked_t fscache_n_invalidates_run;
54214 -extern atomic_t fscache_n_updates;
54215 -extern atomic_t fscache_n_updates_null;
54216 -extern atomic_t fscache_n_updates_run;
54217 +extern atomic_unchecked_t fscache_n_updates;
54218 +extern atomic_unchecked_t fscache_n_updates_null;
54219 +extern atomic_unchecked_t fscache_n_updates_run;
54221 -extern atomic_t fscache_n_relinquishes;
54222 -extern atomic_t fscache_n_relinquishes_null;
54223 -extern atomic_t fscache_n_relinquishes_waitcrt;
54224 -extern atomic_t fscache_n_relinquishes_retire;
54225 +extern atomic_unchecked_t fscache_n_relinquishes;
54226 +extern atomic_unchecked_t fscache_n_relinquishes_null;
54227 +extern atomic_unchecked_t fscache_n_relinquishes_waitcrt;
54228 +extern atomic_unchecked_t fscache_n_relinquishes_retire;
54230 -extern atomic_t fscache_n_cookie_index;
54231 -extern atomic_t fscache_n_cookie_data;
54232 -extern atomic_t fscache_n_cookie_special;
54233 +extern atomic_unchecked_t fscache_n_cookie_index;
54234 +extern atomic_unchecked_t fscache_n_cookie_data;
54235 +extern atomic_unchecked_t fscache_n_cookie_special;
54237 -extern atomic_t fscache_n_object_alloc;
54238 -extern atomic_t fscache_n_object_no_alloc;
54239 -extern atomic_t fscache_n_object_lookups;
54240 -extern atomic_t fscache_n_object_lookups_negative;
54241 -extern atomic_t fscache_n_object_lookups_positive;
54242 -extern atomic_t fscache_n_object_lookups_timed_out;
54243 -extern atomic_t fscache_n_object_created;
54244 -extern atomic_t fscache_n_object_avail;
54245 -extern atomic_t fscache_n_object_dead;
54246 +extern atomic_unchecked_t fscache_n_object_alloc;
54247 +extern atomic_unchecked_t fscache_n_object_no_alloc;
54248 +extern atomic_unchecked_t fscache_n_object_lookups;
54249 +extern atomic_unchecked_t fscache_n_object_lookups_negative;
54250 +extern atomic_unchecked_t fscache_n_object_lookups_positive;
54251 +extern atomic_unchecked_t fscache_n_object_lookups_timed_out;
54252 +extern atomic_unchecked_t fscache_n_object_created;
54253 +extern atomic_unchecked_t fscache_n_object_avail;
54254 +extern atomic_unchecked_t fscache_n_object_dead;
54256 -extern atomic_t fscache_n_checkaux_none;
54257 -extern atomic_t fscache_n_checkaux_okay;
54258 -extern atomic_t fscache_n_checkaux_update;
54259 -extern atomic_t fscache_n_checkaux_obsolete;
54260 +extern atomic_unchecked_t fscache_n_checkaux_none;
54261 +extern atomic_unchecked_t fscache_n_checkaux_okay;
54262 +extern atomic_unchecked_t fscache_n_checkaux_update;
54263 +extern atomic_unchecked_t fscache_n_checkaux_obsolete;
54265 extern atomic_t fscache_n_cop_alloc_object;
54266 extern atomic_t fscache_n_cop_lookup_object;
54267 @@ -267,6 +267,11 @@ static inline void fscache_stat(atomic_t *stat)
54271 +static inline void fscache_stat_unchecked(atomic_unchecked_t *stat)
54273 + atomic_inc_unchecked(stat);
54276 static inline void fscache_stat_d(atomic_t *stat)
54279 @@ -279,6 +284,7 @@ extern const struct file_operations fscache_stats_fops;
54281 #define __fscache_stat(stat) (NULL)
54282 #define fscache_stat(stat) do {} while (0)
54283 +#define fscache_stat_unchecked(stat) do {} while (0)
54284 #define fscache_stat_d(stat) do {} while (0)
54287 diff --git a/fs/fscache/object.c b/fs/fscache/object.c
54288 index 50d41c1..10ee117 100644
54289 --- a/fs/fscache/object.c
54290 +++ b/fs/fscache/object.c
54291 @@ -143,7 +143,7 @@ static void fscache_object_state_machine(struct fscache_object *object)
54292 /* Invalidate an object on disk */
54293 case FSCACHE_OBJECT_INVALIDATING:
54294 clear_bit(FSCACHE_OBJECT_EV_INVALIDATE, &object->events);
54295 - fscache_stat(&fscache_n_invalidates_run);
54296 + fscache_stat_unchecked(&fscache_n_invalidates_run);
54297 fscache_stat(&fscache_n_cop_invalidate_object);
54298 fscache_invalidate_object(object);
54299 fscache_stat_d(&fscache_n_cop_invalidate_object);
54300 @@ -153,7 +153,7 @@ static void fscache_object_state_machine(struct fscache_object *object)
54301 /* update the object metadata on disk */
54302 case FSCACHE_OBJECT_UPDATING:
54303 clear_bit(FSCACHE_OBJECT_EV_UPDATE, &object->events);
54304 - fscache_stat(&fscache_n_updates_run);
54305 + fscache_stat_unchecked(&fscache_n_updates_run);
54306 fscache_stat(&fscache_n_cop_update_object);
54307 object->cache->ops->update_object(object);
54308 fscache_stat_d(&fscache_n_cop_update_object);
54309 @@ -242,7 +242,7 @@ static void fscache_object_state_machine(struct fscache_object *object)
54310 spin_lock(&object->lock);
54311 object->state = FSCACHE_OBJECT_DEAD;
54312 spin_unlock(&object->lock);
54313 - fscache_stat(&fscache_n_object_dead);
54314 + fscache_stat_unchecked(&fscache_n_object_dead);
54315 goto terminal_transit;
54317 /* handle the parent cache of this object being withdrawn from
54318 @@ -257,7 +257,7 @@ static void fscache_object_state_machine(struct fscache_object *object)
54319 spin_lock(&object->lock);
54320 object->state = FSCACHE_OBJECT_DEAD;
54321 spin_unlock(&object->lock);
54322 - fscache_stat(&fscache_n_object_dead);
54323 + fscache_stat_unchecked(&fscache_n_object_dead);
54324 goto terminal_transit;
54326 /* complain about the object being woken up once it is
54327 @@ -495,7 +495,7 @@ static void fscache_lookup_object(struct fscache_object *object)
54328 parent->cookie->def->name, cookie->def->name,
54329 object->cache->tag->name);
54331 - fscache_stat(&fscache_n_object_lookups);
54332 + fscache_stat_unchecked(&fscache_n_object_lookups);
54333 fscache_stat(&fscache_n_cop_lookup_object);
54334 ret = object->cache->ops->lookup_object(object);
54335 fscache_stat_d(&fscache_n_cop_lookup_object);
54336 @@ -506,7 +506,7 @@ static void fscache_lookup_object(struct fscache_object *object)
54337 if (ret == -ETIMEDOUT) {
54338 /* probably stuck behind another object, so move this one to
54339 * the back of the queue */
54340 - fscache_stat(&fscache_n_object_lookups_timed_out);
54341 + fscache_stat_unchecked(&fscache_n_object_lookups_timed_out);
54342 set_bit(FSCACHE_OBJECT_EV_REQUEUE, &object->events);
54345 @@ -529,7 +529,7 @@ void fscache_object_lookup_negative(struct fscache_object *object)
54347 spin_lock(&object->lock);
54348 if (object->state == FSCACHE_OBJECT_LOOKING_UP) {
54349 - fscache_stat(&fscache_n_object_lookups_negative);
54350 + fscache_stat_unchecked(&fscache_n_object_lookups_negative);
54352 /* transit here to allow write requests to begin stacking up
54353 * and read requests to begin returning ENODATA */
54354 @@ -575,7 +575,7 @@ void fscache_obtained_object(struct fscache_object *object)
54355 * result, in which case there may be data available */
54356 spin_lock(&object->lock);
54357 if (object->state == FSCACHE_OBJECT_LOOKING_UP) {
54358 - fscache_stat(&fscache_n_object_lookups_positive);
54359 + fscache_stat_unchecked(&fscache_n_object_lookups_positive);
54361 clear_bit(FSCACHE_COOKIE_NO_DATA_YET, &cookie->flags);
54363 @@ -589,7 +589,7 @@ void fscache_obtained_object(struct fscache_object *object)
54364 set_bit(FSCACHE_OBJECT_EV_REQUEUE, &object->events);
54366 ASSERTCMP(object->state, ==, FSCACHE_OBJECT_CREATING);
54367 - fscache_stat(&fscache_n_object_created);
54368 + fscache_stat_unchecked(&fscache_n_object_created);
54370 object->state = FSCACHE_OBJECT_AVAILABLE;
54371 spin_unlock(&object->lock);
54372 @@ -634,7 +634,7 @@ static void fscache_object_available(struct fscache_object *object)
54373 fscache_enqueue_dependents(object);
54375 fscache_hist(fscache_obj_instantiate_histogram, object->lookup_jif);
54376 - fscache_stat(&fscache_n_object_avail);
54377 + fscache_stat_unchecked(&fscache_n_object_avail);
54381 @@ -894,7 +894,7 @@ enum fscache_checkaux fscache_check_aux(struct fscache_object *object,
54382 enum fscache_checkaux result;
54384 if (!object->cookie->def->check_aux) {
54385 - fscache_stat(&fscache_n_checkaux_none);
54386 + fscache_stat_unchecked(&fscache_n_checkaux_none);
54387 return FSCACHE_CHECKAUX_OKAY;
54390 @@ -903,17 +903,17 @@ enum fscache_checkaux fscache_check_aux(struct fscache_object *object,
54392 /* entry okay as is */
54393 case FSCACHE_CHECKAUX_OKAY:
54394 - fscache_stat(&fscache_n_checkaux_okay);
54395 + fscache_stat_unchecked(&fscache_n_checkaux_okay);
54398 /* entry requires update */
54399 case FSCACHE_CHECKAUX_NEEDS_UPDATE:
54400 - fscache_stat(&fscache_n_checkaux_update);
54401 + fscache_stat_unchecked(&fscache_n_checkaux_update);
54404 /* entry requires deletion */
54405 case FSCACHE_CHECKAUX_OBSOLETE:
54406 - fscache_stat(&fscache_n_checkaux_obsolete);
54407 + fscache_stat_unchecked(&fscache_n_checkaux_obsolete);
54411 diff --git a/fs/fscache/operation.c b/fs/fscache/operation.c
54412 index 762a9ec..2023284 100644
54413 --- a/fs/fscache/operation.c
54414 +++ b/fs/fscache/operation.c
54416 #include <linux/slab.h>
54417 #include "internal.h"
54419 -atomic_t fscache_op_debug_id;
54420 +atomic_unchecked_t fscache_op_debug_id;
54421 EXPORT_SYMBOL(fscache_op_debug_id);
54424 @@ -39,7 +39,7 @@ void fscache_enqueue_operation(struct fscache_operation *op)
54425 ASSERTCMP(atomic_read(&op->usage), >, 0);
54426 ASSERTCMP(op->state, ==, FSCACHE_OP_ST_IN_PROGRESS);
54428 - fscache_stat(&fscache_n_op_enqueue);
54429 + fscache_stat_unchecked(&fscache_n_op_enqueue);
54430 switch (op->flags & FSCACHE_OP_TYPE) {
54431 case FSCACHE_OP_ASYNC:
54432 _debug("queue async");
54433 @@ -73,7 +73,7 @@ static void fscache_run_op(struct fscache_object *object,
54434 wake_up_bit(&op->flags, FSCACHE_OP_WAITING);
54436 fscache_enqueue_operation(op);
54437 - fscache_stat(&fscache_n_op_run);
54438 + fscache_stat_unchecked(&fscache_n_op_run);
54442 @@ -105,11 +105,11 @@ int fscache_submit_exclusive_op(struct fscache_object *object,
54443 if (object->n_in_progress > 0) {
54444 atomic_inc(&op->usage);
54445 list_add_tail(&op->pend_link, &object->pending_ops);
54446 - fscache_stat(&fscache_n_op_pend);
54447 + fscache_stat_unchecked(&fscache_n_op_pend);
54448 } else if (!list_empty(&object->pending_ops)) {
54449 atomic_inc(&op->usage);
54450 list_add_tail(&op->pend_link, &object->pending_ops);
54451 - fscache_stat(&fscache_n_op_pend);
54452 + fscache_stat_unchecked(&fscache_n_op_pend);
54453 fscache_start_operations(object);
54455 ASSERTCMP(object->n_in_progress, ==, 0);
54456 @@ -125,7 +125,7 @@ int fscache_submit_exclusive_op(struct fscache_object *object,
54457 object->n_exclusive++; /* reads and writes must wait */
54458 atomic_inc(&op->usage);
54459 list_add_tail(&op->pend_link, &object->pending_ops);
54460 - fscache_stat(&fscache_n_op_pend);
54461 + fscache_stat_unchecked(&fscache_n_op_pend);
54464 /* If we're in any other state, there must have been an I/O
54465 @@ -215,11 +215,11 @@ int fscache_submit_op(struct fscache_object *object,
54466 if (object->n_exclusive > 0) {
54467 atomic_inc(&op->usage);
54468 list_add_tail(&op->pend_link, &object->pending_ops);
54469 - fscache_stat(&fscache_n_op_pend);
54470 + fscache_stat_unchecked(&fscache_n_op_pend);
54471 } else if (!list_empty(&object->pending_ops)) {
54472 atomic_inc(&op->usage);
54473 list_add_tail(&op->pend_link, &object->pending_ops);
54474 - fscache_stat(&fscache_n_op_pend);
54475 + fscache_stat_unchecked(&fscache_n_op_pend);
54476 fscache_start_operations(object);
54478 ASSERTCMP(object->n_exclusive, ==, 0);
54479 @@ -231,12 +231,12 @@ int fscache_submit_op(struct fscache_object *object,
54481 atomic_inc(&op->usage);
54482 list_add_tail(&op->pend_link, &object->pending_ops);
54483 - fscache_stat(&fscache_n_op_pend);
54484 + fscache_stat_unchecked(&fscache_n_op_pend);
54486 } else if (object->state == FSCACHE_OBJECT_DYING ||
54487 object->state == FSCACHE_OBJECT_LC_DYING ||
54488 object->state == FSCACHE_OBJECT_WITHDRAWING) {
54489 - fscache_stat(&fscache_n_op_rejected);
54490 + fscache_stat_unchecked(&fscache_n_op_rejected);
54491 op->state = FSCACHE_OP_ST_CANCELLED;
54493 } else if (!test_bit(FSCACHE_IOERROR, &object->cache->flags)) {
54494 @@ -315,7 +315,7 @@ int fscache_cancel_op(struct fscache_operation *op,
54496 if (op->state == FSCACHE_OP_ST_PENDING) {
54497 ASSERT(!list_empty(&op->pend_link));
54498 - fscache_stat(&fscache_n_op_cancelled);
54499 + fscache_stat_unchecked(&fscache_n_op_cancelled);
54500 list_del_init(&op->pend_link);
54503 @@ -347,7 +347,7 @@ void fscache_cancel_all_ops(struct fscache_object *object)
54504 while (!list_empty(&object->pending_ops)) {
54505 op = list_entry(object->pending_ops.next,
54506 struct fscache_operation, pend_link);
54507 - fscache_stat(&fscache_n_op_cancelled);
54508 + fscache_stat_unchecked(&fscache_n_op_cancelled);
54509 list_del_init(&op->pend_link);
54511 ASSERTCMP(op->state, ==, FSCACHE_OP_ST_PENDING);
54512 @@ -419,7 +419,7 @@ void fscache_put_operation(struct fscache_operation *op)
54513 op->state, ==, FSCACHE_OP_ST_CANCELLED);
54514 op->state = FSCACHE_OP_ST_DEAD;
54516 - fscache_stat(&fscache_n_op_release);
54517 + fscache_stat_unchecked(&fscache_n_op_release);
54521 @@ -442,7 +442,7 @@ void fscache_put_operation(struct fscache_operation *op)
54522 * lock, and defer it otherwise */
54523 if (!spin_trylock(&object->lock)) {
54524 _debug("defer put");
54525 - fscache_stat(&fscache_n_op_deferred_release);
54526 + fscache_stat_unchecked(&fscache_n_op_deferred_release);
54528 cache = object->cache;
54529 spin_lock(&cache->op_gc_list_lock);
54530 @@ -495,7 +495,7 @@ void fscache_operation_gc(struct work_struct *work)
54532 _debug("GC DEFERRED REL OBJ%x OP%x",
54533 object->debug_id, op->debug_id);
54534 - fscache_stat(&fscache_n_op_gc);
54535 + fscache_stat_unchecked(&fscache_n_op_gc);
54537 ASSERTCMP(atomic_read(&op->usage), ==, 0);
54538 ASSERTCMP(op->state, ==, FSCACHE_OP_ST_DEAD);
54539 diff --git a/fs/fscache/page.c b/fs/fscache/page.c
54540 index ff000e5..c44ec6d 100644
54541 --- a/fs/fscache/page.c
54542 +++ b/fs/fscache/page.c
54543 @@ -61,7 +61,7 @@ try_again:
54544 val = radix_tree_lookup(&cookie->stores, page->index);
54547 - fscache_stat(&fscache_n_store_vmscan_not_storing);
54548 + fscache_stat_unchecked(&fscache_n_store_vmscan_not_storing);
54549 __fscache_uncache_page(cookie, page);
54552 @@ -91,11 +91,11 @@ try_again:
54553 spin_unlock(&cookie->stores_lock);
54556 - fscache_stat(&fscache_n_store_vmscan_cancelled);
54557 - fscache_stat(&fscache_n_store_radix_deletes);
54558 + fscache_stat_unchecked(&fscache_n_store_vmscan_cancelled);
54559 + fscache_stat_unchecked(&fscache_n_store_radix_deletes);
54560 ASSERTCMP(xpage, ==, page);
54562 - fscache_stat(&fscache_n_store_vmscan_gone);
54563 + fscache_stat_unchecked(&fscache_n_store_vmscan_gone);
54566 wake_up_bit(&cookie->flags, 0);
54567 @@ -110,11 +110,11 @@ page_busy:
54568 * sleeping on memory allocation, so we may need to impose a timeout
54570 if (!(gfp & __GFP_WAIT)) {
54571 - fscache_stat(&fscache_n_store_vmscan_busy);
54572 + fscache_stat_unchecked(&fscache_n_store_vmscan_busy);
54576 - fscache_stat(&fscache_n_store_vmscan_wait);
54577 + fscache_stat_unchecked(&fscache_n_store_vmscan_wait);
54578 __fscache_wait_on_page_write(cookie, page);
54579 gfp &= ~__GFP_WAIT;
54581 @@ -140,7 +140,7 @@ static void fscache_end_page_write(struct fscache_object *object,
54582 FSCACHE_COOKIE_STORING_TAG);
54583 if (!radix_tree_tag_get(&cookie->stores, page->index,
54584 FSCACHE_COOKIE_PENDING_TAG)) {
54585 - fscache_stat(&fscache_n_store_radix_deletes);
54586 + fscache_stat_unchecked(&fscache_n_store_radix_deletes);
54587 xpage = radix_tree_delete(&cookie->stores, page->index);
54589 spin_unlock(&cookie->stores_lock);
54590 @@ -161,7 +161,7 @@ static void fscache_attr_changed_op(struct fscache_operation *op)
54592 _enter("{OBJ%x OP%x}", object->debug_id, op->debug_id);
54594 - fscache_stat(&fscache_n_attr_changed_calls);
54595 + fscache_stat_unchecked(&fscache_n_attr_changed_calls);
54597 if (fscache_object_is_active(object)) {
54598 fscache_stat(&fscache_n_cop_attr_changed);
54599 @@ -187,11 +187,11 @@ int __fscache_attr_changed(struct fscache_cookie *cookie)
54601 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
54603 - fscache_stat(&fscache_n_attr_changed);
54604 + fscache_stat_unchecked(&fscache_n_attr_changed);
54606 op = kzalloc(sizeof(*op), GFP_KERNEL);
54608 - fscache_stat(&fscache_n_attr_changed_nomem);
54609 + fscache_stat_unchecked(&fscache_n_attr_changed_nomem);
54610 _leave(" = -ENOMEM");
54613 @@ -209,7 +209,7 @@ int __fscache_attr_changed(struct fscache_cookie *cookie)
54614 if (fscache_submit_exclusive_op(object, op) < 0)
54616 spin_unlock(&cookie->lock);
54617 - fscache_stat(&fscache_n_attr_changed_ok);
54618 + fscache_stat_unchecked(&fscache_n_attr_changed_ok);
54619 fscache_put_operation(op);
54622 @@ -217,7 +217,7 @@ int __fscache_attr_changed(struct fscache_cookie *cookie)
54624 spin_unlock(&cookie->lock);
54626 - fscache_stat(&fscache_n_attr_changed_nobufs);
54627 + fscache_stat_unchecked(&fscache_n_attr_changed_nobufs);
54628 _leave(" = %d", -ENOBUFS);
54631 @@ -255,7 +255,7 @@ static struct fscache_retrieval *fscache_alloc_retrieval(
54632 /* allocate a retrieval operation and attempt to submit it */
54633 op = kzalloc(sizeof(*op), GFP_NOIO);
54635 - fscache_stat(&fscache_n_retrievals_nomem);
54636 + fscache_stat_unchecked(&fscache_n_retrievals_nomem);
54640 @@ -283,13 +283,13 @@ static int fscache_wait_for_deferred_lookup(struct fscache_cookie *cookie)
54644 - fscache_stat(&fscache_n_retrievals_wait);
54645 + fscache_stat_unchecked(&fscache_n_retrievals_wait);
54648 if (wait_on_bit(&cookie->flags, FSCACHE_COOKIE_LOOKING_UP,
54649 fscache_wait_bit_interruptible,
54650 TASK_INTERRUPTIBLE) != 0) {
54651 - fscache_stat(&fscache_n_retrievals_intr);
54652 + fscache_stat_unchecked(&fscache_n_retrievals_intr);
54653 _leave(" = -ERESTARTSYS");
54654 return -ERESTARTSYS;
54656 @@ -318,8 +318,8 @@ static void fscache_do_cancel_retrieval(struct fscache_operation *_op)
54658 static int fscache_wait_for_retrieval_activation(struct fscache_object *object,
54659 struct fscache_retrieval *op,
54660 - atomic_t *stat_op_waits,
54661 - atomic_t *stat_object_dead)
54662 + atomic_unchecked_t *stat_op_waits,
54663 + atomic_unchecked_t *stat_object_dead)
54667 @@ -327,7 +327,7 @@ static int fscache_wait_for_retrieval_activation(struct fscache_object *object,
54668 goto check_if_dead;
54671 - fscache_stat(stat_op_waits);
54672 + fscache_stat_unchecked(stat_op_waits);
54673 if (wait_on_bit(&op->op.flags, FSCACHE_OP_WAITING,
54674 fscache_wait_bit_interruptible,
54675 TASK_INTERRUPTIBLE) != 0) {
54676 @@ -344,14 +344,14 @@ static int fscache_wait_for_retrieval_activation(struct fscache_object *object,
54679 if (op->op.state == FSCACHE_OP_ST_CANCELLED) {
54680 - fscache_stat(stat_object_dead);
54681 + fscache_stat_unchecked(stat_object_dead);
54682 _leave(" = -ENOBUFS [cancelled]");
54685 if (unlikely(fscache_object_is_dead(object))) {
54686 pr_err("%s() = -ENOBUFS [obj dead %d]\n", __func__, op->op.state);
54687 fscache_cancel_op(&op->op, fscache_do_cancel_retrieval);
54688 - fscache_stat(stat_object_dead);
54689 + fscache_stat_unchecked(stat_object_dead);
54693 @@ -378,7 +378,7 @@ int __fscache_read_or_alloc_page(struct fscache_cookie *cookie,
54695 _enter("%p,%p,,,", cookie, page);
54697 - fscache_stat(&fscache_n_retrievals);
54698 + fscache_stat_unchecked(&fscache_n_retrievals);
54700 if (hlist_empty(&cookie->backing_objects))
54702 @@ -417,7 +417,7 @@ int __fscache_read_or_alloc_page(struct fscache_cookie *cookie,
54703 goto nobufs_unlock_dec;
54704 spin_unlock(&cookie->lock);
54706 - fscache_stat(&fscache_n_retrieval_ops);
54707 + fscache_stat_unchecked(&fscache_n_retrieval_ops);
54709 /* pin the netfs read context in case we need to do the actual netfs
54710 * read because we've encountered a cache read failure */
54711 @@ -447,15 +447,15 @@ int __fscache_read_or_alloc_page(struct fscache_cookie *cookie,
54714 if (ret == -ENOMEM)
54715 - fscache_stat(&fscache_n_retrievals_nomem);
54716 + fscache_stat_unchecked(&fscache_n_retrievals_nomem);
54717 else if (ret == -ERESTARTSYS)
54718 - fscache_stat(&fscache_n_retrievals_intr);
54719 + fscache_stat_unchecked(&fscache_n_retrievals_intr);
54720 else if (ret == -ENODATA)
54721 - fscache_stat(&fscache_n_retrievals_nodata);
54722 + fscache_stat_unchecked(&fscache_n_retrievals_nodata);
54724 - fscache_stat(&fscache_n_retrievals_nobufs);
54725 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
54727 - fscache_stat(&fscache_n_retrievals_ok);
54728 + fscache_stat_unchecked(&fscache_n_retrievals_ok);
54730 fscache_put_retrieval(op);
54731 _leave(" = %d", ret);
54732 @@ -467,7 +467,7 @@ nobufs_unlock:
54733 spin_unlock(&cookie->lock);
54736 - fscache_stat(&fscache_n_retrievals_nobufs);
54737 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
54738 _leave(" = -ENOBUFS");
54741 @@ -505,7 +505,7 @@ int __fscache_read_or_alloc_pages(struct fscache_cookie *cookie,
54743 _enter("%p,,%d,,,", cookie, *nr_pages);
54745 - fscache_stat(&fscache_n_retrievals);
54746 + fscache_stat_unchecked(&fscache_n_retrievals);
54748 if (hlist_empty(&cookie->backing_objects))
54750 @@ -541,7 +541,7 @@ int __fscache_read_or_alloc_pages(struct fscache_cookie *cookie,
54751 goto nobufs_unlock_dec;
54752 spin_unlock(&cookie->lock);
54754 - fscache_stat(&fscache_n_retrieval_ops);
54755 + fscache_stat_unchecked(&fscache_n_retrieval_ops);
54757 /* pin the netfs read context in case we need to do the actual netfs
54758 * read because we've encountered a cache read failure */
54759 @@ -571,15 +571,15 @@ int __fscache_read_or_alloc_pages(struct fscache_cookie *cookie,
54762 if (ret == -ENOMEM)
54763 - fscache_stat(&fscache_n_retrievals_nomem);
54764 + fscache_stat_unchecked(&fscache_n_retrievals_nomem);
54765 else if (ret == -ERESTARTSYS)
54766 - fscache_stat(&fscache_n_retrievals_intr);
54767 + fscache_stat_unchecked(&fscache_n_retrievals_intr);
54768 else if (ret == -ENODATA)
54769 - fscache_stat(&fscache_n_retrievals_nodata);
54770 + fscache_stat_unchecked(&fscache_n_retrievals_nodata);
54772 - fscache_stat(&fscache_n_retrievals_nobufs);
54773 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
54775 - fscache_stat(&fscache_n_retrievals_ok);
54776 + fscache_stat_unchecked(&fscache_n_retrievals_ok);
54778 fscache_put_retrieval(op);
54779 _leave(" = %d", ret);
54780 @@ -591,7 +591,7 @@ nobufs_unlock:
54781 spin_unlock(&cookie->lock);
54784 - fscache_stat(&fscache_n_retrievals_nobufs);
54785 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
54786 _leave(" = -ENOBUFS");
54789 @@ -615,7 +615,7 @@ int __fscache_alloc_page(struct fscache_cookie *cookie,
54791 _enter("%p,%p,,,", cookie, page);
54793 - fscache_stat(&fscache_n_allocs);
54794 + fscache_stat_unchecked(&fscache_n_allocs);
54796 if (hlist_empty(&cookie->backing_objects))
54798 @@ -647,7 +647,7 @@ int __fscache_alloc_page(struct fscache_cookie *cookie,
54799 goto nobufs_unlock;
54800 spin_unlock(&cookie->lock);
54802 - fscache_stat(&fscache_n_alloc_ops);
54803 + fscache_stat_unchecked(&fscache_n_alloc_ops);
54805 ret = fscache_wait_for_retrieval_activation(
54807 @@ -663,11 +663,11 @@ int __fscache_alloc_page(struct fscache_cookie *cookie,
54810 if (ret == -ERESTARTSYS)
54811 - fscache_stat(&fscache_n_allocs_intr);
54812 + fscache_stat_unchecked(&fscache_n_allocs_intr);
54814 - fscache_stat(&fscache_n_allocs_nobufs);
54815 + fscache_stat_unchecked(&fscache_n_allocs_nobufs);
54817 - fscache_stat(&fscache_n_allocs_ok);
54818 + fscache_stat_unchecked(&fscache_n_allocs_ok);
54820 fscache_put_retrieval(op);
54821 _leave(" = %d", ret);
54822 @@ -677,7 +677,7 @@ nobufs_unlock:
54823 spin_unlock(&cookie->lock);
54826 - fscache_stat(&fscache_n_allocs_nobufs);
54827 + fscache_stat_unchecked(&fscache_n_allocs_nobufs);
54828 _leave(" = -ENOBUFS");
54831 @@ -736,7 +736,7 @@ static void fscache_write_op(struct fscache_operation *_op)
54833 spin_lock(&cookie->stores_lock);
54835 - fscache_stat(&fscache_n_store_calls);
54836 + fscache_stat_unchecked(&fscache_n_store_calls);
54838 /* find a page to store */
54840 @@ -747,7 +747,7 @@ static void fscache_write_op(struct fscache_operation *_op)
54842 _debug("gang %d [%lx]", n, page->index);
54843 if (page->index > op->store_limit) {
54844 - fscache_stat(&fscache_n_store_pages_over_limit);
54845 + fscache_stat_unchecked(&fscache_n_store_pages_over_limit);
54849 @@ -759,7 +759,7 @@ static void fscache_write_op(struct fscache_operation *_op)
54850 spin_unlock(&cookie->stores_lock);
54851 spin_unlock(&object->lock);
54853 - fscache_stat(&fscache_n_store_pages);
54854 + fscache_stat_unchecked(&fscache_n_store_pages);
54855 fscache_stat(&fscache_n_cop_write_page);
54856 ret = object->cache->ops->write_page(op, page);
54857 fscache_stat_d(&fscache_n_cop_write_page);
54858 @@ -860,7 +860,7 @@ int __fscache_write_page(struct fscache_cookie *cookie,
54859 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
54860 ASSERT(PageFsCache(page));
54862 - fscache_stat(&fscache_n_stores);
54863 + fscache_stat_unchecked(&fscache_n_stores);
54865 if (test_bit(FSCACHE_COOKIE_INVALIDATING, &cookie->flags)) {
54866 _leave(" = -ENOBUFS [invalidating]");
54867 @@ -916,7 +916,7 @@ int __fscache_write_page(struct fscache_cookie *cookie,
54868 spin_unlock(&cookie->stores_lock);
54869 spin_unlock(&object->lock);
54871 - op->op.debug_id = atomic_inc_return(&fscache_op_debug_id);
54872 + op->op.debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
54873 op->store_limit = object->store_limit;
54875 if (fscache_submit_op(object, &op->op) < 0)
54876 @@ -924,8 +924,8 @@ int __fscache_write_page(struct fscache_cookie *cookie,
54878 spin_unlock(&cookie->lock);
54879 radix_tree_preload_end();
54880 - fscache_stat(&fscache_n_store_ops);
54881 - fscache_stat(&fscache_n_stores_ok);
54882 + fscache_stat_unchecked(&fscache_n_store_ops);
54883 + fscache_stat_unchecked(&fscache_n_stores_ok);
54885 /* the work queue now carries its own ref on the object */
54886 fscache_put_operation(&op->op);
54887 @@ -933,14 +933,14 @@ int __fscache_write_page(struct fscache_cookie *cookie,
54891 - fscache_stat(&fscache_n_stores_again);
54892 + fscache_stat_unchecked(&fscache_n_stores_again);
54894 spin_unlock(&cookie->stores_lock);
54895 spin_unlock(&object->lock);
54896 spin_unlock(&cookie->lock);
54897 radix_tree_preload_end();
54899 - fscache_stat(&fscache_n_stores_ok);
54900 + fscache_stat_unchecked(&fscache_n_stores_ok);
54904 @@ -959,14 +959,14 @@ nobufs:
54905 spin_unlock(&cookie->lock);
54906 radix_tree_preload_end();
54908 - fscache_stat(&fscache_n_stores_nobufs);
54909 + fscache_stat_unchecked(&fscache_n_stores_nobufs);
54910 _leave(" = -ENOBUFS");
54916 - fscache_stat(&fscache_n_stores_oom);
54917 + fscache_stat_unchecked(&fscache_n_stores_oom);
54918 _leave(" = -ENOMEM");
54921 @@ -984,7 +984,7 @@ void __fscache_uncache_page(struct fscache_cookie *cookie, struct page *page)
54922 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
54923 ASSERTCMP(page, !=, NULL);
54925 - fscache_stat(&fscache_n_uncaches);
54926 + fscache_stat_unchecked(&fscache_n_uncaches);
54928 /* cache withdrawal may beat us to it */
54929 if (!PageFsCache(page))
54930 @@ -1035,7 +1035,7 @@ void fscache_mark_page_cached(struct fscache_retrieval *op, struct page *page)
54931 struct fscache_cookie *cookie = op->op.object->cookie;
54933 #ifdef CONFIG_FSCACHE_STATS
54934 - atomic_inc(&fscache_n_marks);
54935 + atomic_inc_unchecked(&fscache_n_marks);
54938 _debug("- mark %p{%lx}", page, page->index);
54939 diff --git a/fs/fscache/stats.c b/fs/fscache/stats.c
54940 index 40d13c7..ddf52b9 100644
54941 --- a/fs/fscache/stats.c
54942 +++ b/fs/fscache/stats.c
54943 @@ -18,99 +18,99 @@
54945 * operation counters
54947 -atomic_t fscache_n_op_pend;
54948 -atomic_t fscache_n_op_run;
54949 -atomic_t fscache_n_op_enqueue;
54950 -atomic_t fscache_n_op_requeue;
54951 -atomic_t fscache_n_op_deferred_release;
54952 -atomic_t fscache_n_op_release;
54953 -atomic_t fscache_n_op_gc;
54954 -atomic_t fscache_n_op_cancelled;
54955 -atomic_t fscache_n_op_rejected;
54956 +atomic_unchecked_t fscache_n_op_pend;
54957 +atomic_unchecked_t fscache_n_op_run;
54958 +atomic_unchecked_t fscache_n_op_enqueue;
54959 +atomic_unchecked_t fscache_n_op_requeue;
54960 +atomic_unchecked_t fscache_n_op_deferred_release;
54961 +atomic_unchecked_t fscache_n_op_release;
54962 +atomic_unchecked_t fscache_n_op_gc;
54963 +atomic_unchecked_t fscache_n_op_cancelled;
54964 +atomic_unchecked_t fscache_n_op_rejected;
54966 -atomic_t fscache_n_attr_changed;
54967 -atomic_t fscache_n_attr_changed_ok;
54968 -atomic_t fscache_n_attr_changed_nobufs;
54969 -atomic_t fscache_n_attr_changed_nomem;
54970 -atomic_t fscache_n_attr_changed_calls;
54971 +atomic_unchecked_t fscache_n_attr_changed;
54972 +atomic_unchecked_t fscache_n_attr_changed_ok;
54973 +atomic_unchecked_t fscache_n_attr_changed_nobufs;
54974 +atomic_unchecked_t fscache_n_attr_changed_nomem;
54975 +atomic_unchecked_t fscache_n_attr_changed_calls;
54977 -atomic_t fscache_n_allocs;
54978 -atomic_t fscache_n_allocs_ok;
54979 -atomic_t fscache_n_allocs_wait;
54980 -atomic_t fscache_n_allocs_nobufs;
54981 -atomic_t fscache_n_allocs_intr;
54982 -atomic_t fscache_n_allocs_object_dead;
54983 -atomic_t fscache_n_alloc_ops;
54984 -atomic_t fscache_n_alloc_op_waits;
54985 +atomic_unchecked_t fscache_n_allocs;
54986 +atomic_unchecked_t fscache_n_allocs_ok;
54987 +atomic_unchecked_t fscache_n_allocs_wait;
54988 +atomic_unchecked_t fscache_n_allocs_nobufs;
54989 +atomic_unchecked_t fscache_n_allocs_intr;
54990 +atomic_unchecked_t fscache_n_allocs_object_dead;
54991 +atomic_unchecked_t fscache_n_alloc_ops;
54992 +atomic_unchecked_t fscache_n_alloc_op_waits;
54994 -atomic_t fscache_n_retrievals;
54995 -atomic_t fscache_n_retrievals_ok;
54996 -atomic_t fscache_n_retrievals_wait;
54997 -atomic_t fscache_n_retrievals_nodata;
54998 -atomic_t fscache_n_retrievals_nobufs;
54999 -atomic_t fscache_n_retrievals_intr;
55000 -atomic_t fscache_n_retrievals_nomem;
55001 -atomic_t fscache_n_retrievals_object_dead;
55002 -atomic_t fscache_n_retrieval_ops;
55003 -atomic_t fscache_n_retrieval_op_waits;
55004 +atomic_unchecked_t fscache_n_retrievals;
55005 +atomic_unchecked_t fscache_n_retrievals_ok;
55006 +atomic_unchecked_t fscache_n_retrievals_wait;
55007 +atomic_unchecked_t fscache_n_retrievals_nodata;
55008 +atomic_unchecked_t fscache_n_retrievals_nobufs;
55009 +atomic_unchecked_t fscache_n_retrievals_intr;
55010 +atomic_unchecked_t fscache_n_retrievals_nomem;
55011 +atomic_unchecked_t fscache_n_retrievals_object_dead;
55012 +atomic_unchecked_t fscache_n_retrieval_ops;
55013 +atomic_unchecked_t fscache_n_retrieval_op_waits;
55015 -atomic_t fscache_n_stores;
55016 -atomic_t fscache_n_stores_ok;
55017 -atomic_t fscache_n_stores_again;
55018 -atomic_t fscache_n_stores_nobufs;
55019 -atomic_t fscache_n_stores_oom;
55020 -atomic_t fscache_n_store_ops;
55021 -atomic_t fscache_n_store_calls;
55022 -atomic_t fscache_n_store_pages;
55023 -atomic_t fscache_n_store_radix_deletes;
55024 -atomic_t fscache_n_store_pages_over_limit;
55025 +atomic_unchecked_t fscache_n_stores;
55026 +atomic_unchecked_t fscache_n_stores_ok;
55027 +atomic_unchecked_t fscache_n_stores_again;
55028 +atomic_unchecked_t fscache_n_stores_nobufs;
55029 +atomic_unchecked_t fscache_n_stores_oom;
55030 +atomic_unchecked_t fscache_n_store_ops;
55031 +atomic_unchecked_t fscache_n_store_calls;
55032 +atomic_unchecked_t fscache_n_store_pages;
55033 +atomic_unchecked_t fscache_n_store_radix_deletes;
55034 +atomic_unchecked_t fscache_n_store_pages_over_limit;
55036 -atomic_t fscache_n_store_vmscan_not_storing;
55037 -atomic_t fscache_n_store_vmscan_gone;
55038 -atomic_t fscache_n_store_vmscan_busy;
55039 -atomic_t fscache_n_store_vmscan_cancelled;
55040 -atomic_t fscache_n_store_vmscan_wait;
55041 +atomic_unchecked_t fscache_n_store_vmscan_not_storing;
55042 +atomic_unchecked_t fscache_n_store_vmscan_gone;
55043 +atomic_unchecked_t fscache_n_store_vmscan_busy;
55044 +atomic_unchecked_t fscache_n_store_vmscan_cancelled;
55045 +atomic_unchecked_t fscache_n_store_vmscan_wait;
55047 -atomic_t fscache_n_marks;
55048 -atomic_t fscache_n_uncaches;
55049 +atomic_unchecked_t fscache_n_marks;
55050 +atomic_unchecked_t fscache_n_uncaches;
55052 -atomic_t fscache_n_acquires;
55053 -atomic_t fscache_n_acquires_null;
55054 -atomic_t fscache_n_acquires_no_cache;
55055 -atomic_t fscache_n_acquires_ok;
55056 -atomic_t fscache_n_acquires_nobufs;
55057 -atomic_t fscache_n_acquires_oom;
55058 +atomic_unchecked_t fscache_n_acquires;
55059 +atomic_unchecked_t fscache_n_acquires_null;
55060 +atomic_unchecked_t fscache_n_acquires_no_cache;
55061 +atomic_unchecked_t fscache_n_acquires_ok;
55062 +atomic_unchecked_t fscache_n_acquires_nobufs;
55063 +atomic_unchecked_t fscache_n_acquires_oom;
55065 -atomic_t fscache_n_invalidates;
55066 -atomic_t fscache_n_invalidates_run;
55067 +atomic_unchecked_t fscache_n_invalidates;
55068 +atomic_unchecked_t fscache_n_invalidates_run;
55070 -atomic_t fscache_n_updates;
55071 -atomic_t fscache_n_updates_null;
55072 -atomic_t fscache_n_updates_run;
55073 +atomic_unchecked_t fscache_n_updates;
55074 +atomic_unchecked_t fscache_n_updates_null;
55075 +atomic_unchecked_t fscache_n_updates_run;
55077 -atomic_t fscache_n_relinquishes;
55078 -atomic_t fscache_n_relinquishes_null;
55079 -atomic_t fscache_n_relinquishes_waitcrt;
55080 -atomic_t fscache_n_relinquishes_retire;
55081 +atomic_unchecked_t fscache_n_relinquishes;
55082 +atomic_unchecked_t fscache_n_relinquishes_null;
55083 +atomic_unchecked_t fscache_n_relinquishes_waitcrt;
55084 +atomic_unchecked_t fscache_n_relinquishes_retire;
55086 -atomic_t fscache_n_cookie_index;
55087 -atomic_t fscache_n_cookie_data;
55088 -atomic_t fscache_n_cookie_special;
55089 +atomic_unchecked_t fscache_n_cookie_index;
55090 +atomic_unchecked_t fscache_n_cookie_data;
55091 +atomic_unchecked_t fscache_n_cookie_special;
55093 -atomic_t fscache_n_object_alloc;
55094 -atomic_t fscache_n_object_no_alloc;
55095 -atomic_t fscache_n_object_lookups;
55096 -atomic_t fscache_n_object_lookups_negative;
55097 -atomic_t fscache_n_object_lookups_positive;
55098 -atomic_t fscache_n_object_lookups_timed_out;
55099 -atomic_t fscache_n_object_created;
55100 -atomic_t fscache_n_object_avail;
55101 -atomic_t fscache_n_object_dead;
55102 +atomic_unchecked_t fscache_n_object_alloc;
55103 +atomic_unchecked_t fscache_n_object_no_alloc;
55104 +atomic_unchecked_t fscache_n_object_lookups;
55105 +atomic_unchecked_t fscache_n_object_lookups_negative;
55106 +atomic_unchecked_t fscache_n_object_lookups_positive;
55107 +atomic_unchecked_t fscache_n_object_lookups_timed_out;
55108 +atomic_unchecked_t fscache_n_object_created;
55109 +atomic_unchecked_t fscache_n_object_avail;
55110 +atomic_unchecked_t fscache_n_object_dead;
55112 -atomic_t fscache_n_checkaux_none;
55113 -atomic_t fscache_n_checkaux_okay;
55114 -atomic_t fscache_n_checkaux_update;
55115 -atomic_t fscache_n_checkaux_obsolete;
55116 +atomic_unchecked_t fscache_n_checkaux_none;
55117 +atomic_unchecked_t fscache_n_checkaux_okay;
55118 +atomic_unchecked_t fscache_n_checkaux_update;
55119 +atomic_unchecked_t fscache_n_checkaux_obsolete;
55121 atomic_t fscache_n_cop_alloc_object;
55122 atomic_t fscache_n_cop_lookup_object;
55123 @@ -138,118 +138,118 @@ static int fscache_stats_show(struct seq_file *m, void *v)
55124 seq_puts(m, "FS-Cache statistics\n");
55126 seq_printf(m, "Cookies: idx=%u dat=%u spc=%u\n",
55127 - atomic_read(&fscache_n_cookie_index),
55128 - atomic_read(&fscache_n_cookie_data),
55129 - atomic_read(&fscache_n_cookie_special));
55130 + atomic_read_unchecked(&fscache_n_cookie_index),
55131 + atomic_read_unchecked(&fscache_n_cookie_data),
55132 + atomic_read_unchecked(&fscache_n_cookie_special));
55134 seq_printf(m, "Objects: alc=%u nal=%u avl=%u ded=%u\n",
55135 - atomic_read(&fscache_n_object_alloc),
55136 - atomic_read(&fscache_n_object_no_alloc),
55137 - atomic_read(&fscache_n_object_avail),
55138 - atomic_read(&fscache_n_object_dead));
55139 + atomic_read_unchecked(&fscache_n_object_alloc),
55140 + atomic_read_unchecked(&fscache_n_object_no_alloc),
55141 + atomic_read_unchecked(&fscache_n_object_avail),
55142 + atomic_read_unchecked(&fscache_n_object_dead));
55143 seq_printf(m, "ChkAux : non=%u ok=%u upd=%u obs=%u\n",
55144 - atomic_read(&fscache_n_checkaux_none),
55145 - atomic_read(&fscache_n_checkaux_okay),
55146 - atomic_read(&fscache_n_checkaux_update),
55147 - atomic_read(&fscache_n_checkaux_obsolete));
55148 + atomic_read_unchecked(&fscache_n_checkaux_none),
55149 + atomic_read_unchecked(&fscache_n_checkaux_okay),
55150 + atomic_read_unchecked(&fscache_n_checkaux_update),
55151 + atomic_read_unchecked(&fscache_n_checkaux_obsolete));
55153 seq_printf(m, "Pages : mrk=%u unc=%u\n",
55154 - atomic_read(&fscache_n_marks),
55155 - atomic_read(&fscache_n_uncaches));
55156 + atomic_read_unchecked(&fscache_n_marks),
55157 + atomic_read_unchecked(&fscache_n_uncaches));
55159 seq_printf(m, "Acquire: n=%u nul=%u noc=%u ok=%u nbf=%u"
55161 - atomic_read(&fscache_n_acquires),
55162 - atomic_read(&fscache_n_acquires_null),
55163 - atomic_read(&fscache_n_acquires_no_cache),
55164 - atomic_read(&fscache_n_acquires_ok),
55165 - atomic_read(&fscache_n_acquires_nobufs),
55166 - atomic_read(&fscache_n_acquires_oom));
55167 + atomic_read_unchecked(&fscache_n_acquires),
55168 + atomic_read_unchecked(&fscache_n_acquires_null),
55169 + atomic_read_unchecked(&fscache_n_acquires_no_cache),
55170 + atomic_read_unchecked(&fscache_n_acquires_ok),
55171 + atomic_read_unchecked(&fscache_n_acquires_nobufs),
55172 + atomic_read_unchecked(&fscache_n_acquires_oom));
55174 seq_printf(m, "Lookups: n=%u neg=%u pos=%u crt=%u tmo=%u\n",
55175 - atomic_read(&fscache_n_object_lookups),
55176 - atomic_read(&fscache_n_object_lookups_negative),
55177 - atomic_read(&fscache_n_object_lookups_positive),
55178 - atomic_read(&fscache_n_object_created),
55179 - atomic_read(&fscache_n_object_lookups_timed_out));
55180 + atomic_read_unchecked(&fscache_n_object_lookups),
55181 + atomic_read_unchecked(&fscache_n_object_lookups_negative),
55182 + atomic_read_unchecked(&fscache_n_object_lookups_positive),
55183 + atomic_read_unchecked(&fscache_n_object_created),
55184 + atomic_read_unchecked(&fscache_n_object_lookups_timed_out));
55186 seq_printf(m, "Invals : n=%u run=%u\n",
55187 - atomic_read(&fscache_n_invalidates),
55188 - atomic_read(&fscache_n_invalidates_run));
55189 + atomic_read_unchecked(&fscache_n_invalidates),
55190 + atomic_read_unchecked(&fscache_n_invalidates_run));
55192 seq_printf(m, "Updates: n=%u nul=%u run=%u\n",
55193 - atomic_read(&fscache_n_updates),
55194 - atomic_read(&fscache_n_updates_null),
55195 - atomic_read(&fscache_n_updates_run));
55196 + atomic_read_unchecked(&fscache_n_updates),
55197 + atomic_read_unchecked(&fscache_n_updates_null),
55198 + atomic_read_unchecked(&fscache_n_updates_run));
55200 seq_printf(m, "Relinqs: n=%u nul=%u wcr=%u rtr=%u\n",
55201 - atomic_read(&fscache_n_relinquishes),
55202 - atomic_read(&fscache_n_relinquishes_null),
55203 - atomic_read(&fscache_n_relinquishes_waitcrt),
55204 - atomic_read(&fscache_n_relinquishes_retire));
55205 + atomic_read_unchecked(&fscache_n_relinquishes),
55206 + atomic_read_unchecked(&fscache_n_relinquishes_null),
55207 + atomic_read_unchecked(&fscache_n_relinquishes_waitcrt),
55208 + atomic_read_unchecked(&fscache_n_relinquishes_retire));
55210 seq_printf(m, "AttrChg: n=%u ok=%u nbf=%u oom=%u run=%u\n",
55211 - atomic_read(&fscache_n_attr_changed),
55212 - atomic_read(&fscache_n_attr_changed_ok),
55213 - atomic_read(&fscache_n_attr_changed_nobufs),
55214 - atomic_read(&fscache_n_attr_changed_nomem),
55215 - atomic_read(&fscache_n_attr_changed_calls));
55216 + atomic_read_unchecked(&fscache_n_attr_changed),
55217 + atomic_read_unchecked(&fscache_n_attr_changed_ok),
55218 + atomic_read_unchecked(&fscache_n_attr_changed_nobufs),
55219 + atomic_read_unchecked(&fscache_n_attr_changed_nomem),
55220 + atomic_read_unchecked(&fscache_n_attr_changed_calls));
55222 seq_printf(m, "Allocs : n=%u ok=%u wt=%u nbf=%u int=%u\n",
55223 - atomic_read(&fscache_n_allocs),
55224 - atomic_read(&fscache_n_allocs_ok),
55225 - atomic_read(&fscache_n_allocs_wait),
55226 - atomic_read(&fscache_n_allocs_nobufs),
55227 - atomic_read(&fscache_n_allocs_intr));
55228 + atomic_read_unchecked(&fscache_n_allocs),
55229 + atomic_read_unchecked(&fscache_n_allocs_ok),
55230 + atomic_read_unchecked(&fscache_n_allocs_wait),
55231 + atomic_read_unchecked(&fscache_n_allocs_nobufs),
55232 + atomic_read_unchecked(&fscache_n_allocs_intr));
55233 seq_printf(m, "Allocs : ops=%u owt=%u abt=%u\n",
55234 - atomic_read(&fscache_n_alloc_ops),
55235 - atomic_read(&fscache_n_alloc_op_waits),
55236 - atomic_read(&fscache_n_allocs_object_dead));
55237 + atomic_read_unchecked(&fscache_n_alloc_ops),
55238 + atomic_read_unchecked(&fscache_n_alloc_op_waits),
55239 + atomic_read_unchecked(&fscache_n_allocs_object_dead));
55241 seq_printf(m, "Retrvls: n=%u ok=%u wt=%u nod=%u nbf=%u"
55242 " int=%u oom=%u\n",
55243 - atomic_read(&fscache_n_retrievals),
55244 - atomic_read(&fscache_n_retrievals_ok),
55245 - atomic_read(&fscache_n_retrievals_wait),
55246 - atomic_read(&fscache_n_retrievals_nodata),
55247 - atomic_read(&fscache_n_retrievals_nobufs),
55248 - atomic_read(&fscache_n_retrievals_intr),
55249 - atomic_read(&fscache_n_retrievals_nomem));
55250 + atomic_read_unchecked(&fscache_n_retrievals),
55251 + atomic_read_unchecked(&fscache_n_retrievals_ok),
55252 + atomic_read_unchecked(&fscache_n_retrievals_wait),
55253 + atomic_read_unchecked(&fscache_n_retrievals_nodata),
55254 + atomic_read_unchecked(&fscache_n_retrievals_nobufs),
55255 + atomic_read_unchecked(&fscache_n_retrievals_intr),
55256 + atomic_read_unchecked(&fscache_n_retrievals_nomem));
55257 seq_printf(m, "Retrvls: ops=%u owt=%u abt=%u\n",
55258 - atomic_read(&fscache_n_retrieval_ops),
55259 - atomic_read(&fscache_n_retrieval_op_waits),
55260 - atomic_read(&fscache_n_retrievals_object_dead));
55261 + atomic_read_unchecked(&fscache_n_retrieval_ops),
55262 + atomic_read_unchecked(&fscache_n_retrieval_op_waits),
55263 + atomic_read_unchecked(&fscache_n_retrievals_object_dead));
55265 seq_printf(m, "Stores : n=%u ok=%u agn=%u nbf=%u oom=%u\n",
55266 - atomic_read(&fscache_n_stores),
55267 - atomic_read(&fscache_n_stores_ok),
55268 - atomic_read(&fscache_n_stores_again),
55269 - atomic_read(&fscache_n_stores_nobufs),
55270 - atomic_read(&fscache_n_stores_oom));
55271 + atomic_read_unchecked(&fscache_n_stores),
55272 + atomic_read_unchecked(&fscache_n_stores_ok),
55273 + atomic_read_unchecked(&fscache_n_stores_again),
55274 + atomic_read_unchecked(&fscache_n_stores_nobufs),
55275 + atomic_read_unchecked(&fscache_n_stores_oom));
55276 seq_printf(m, "Stores : ops=%u run=%u pgs=%u rxd=%u olm=%u\n",
55277 - atomic_read(&fscache_n_store_ops),
55278 - atomic_read(&fscache_n_store_calls),
55279 - atomic_read(&fscache_n_store_pages),
55280 - atomic_read(&fscache_n_store_radix_deletes),
55281 - atomic_read(&fscache_n_store_pages_over_limit));
55282 + atomic_read_unchecked(&fscache_n_store_ops),
55283 + atomic_read_unchecked(&fscache_n_store_calls),
55284 + atomic_read_unchecked(&fscache_n_store_pages),
55285 + atomic_read_unchecked(&fscache_n_store_radix_deletes),
55286 + atomic_read_unchecked(&fscache_n_store_pages_over_limit));
55288 seq_printf(m, "VmScan : nos=%u gon=%u bsy=%u can=%u wt=%u\n",
55289 - atomic_read(&fscache_n_store_vmscan_not_storing),
55290 - atomic_read(&fscache_n_store_vmscan_gone),
55291 - atomic_read(&fscache_n_store_vmscan_busy),
55292 - atomic_read(&fscache_n_store_vmscan_cancelled),
55293 - atomic_read(&fscache_n_store_vmscan_wait));
55294 + atomic_read_unchecked(&fscache_n_store_vmscan_not_storing),
55295 + atomic_read_unchecked(&fscache_n_store_vmscan_gone),
55296 + atomic_read_unchecked(&fscache_n_store_vmscan_busy),
55297 + atomic_read_unchecked(&fscache_n_store_vmscan_cancelled),
55298 + atomic_read_unchecked(&fscache_n_store_vmscan_wait));
55300 seq_printf(m, "Ops : pend=%u run=%u enq=%u can=%u rej=%u\n",
55301 - atomic_read(&fscache_n_op_pend),
55302 - atomic_read(&fscache_n_op_run),
55303 - atomic_read(&fscache_n_op_enqueue),
55304 - atomic_read(&fscache_n_op_cancelled),
55305 - atomic_read(&fscache_n_op_rejected));
55306 + atomic_read_unchecked(&fscache_n_op_pend),
55307 + atomic_read_unchecked(&fscache_n_op_run),
55308 + atomic_read_unchecked(&fscache_n_op_enqueue),
55309 + atomic_read_unchecked(&fscache_n_op_cancelled),
55310 + atomic_read_unchecked(&fscache_n_op_rejected));
55311 seq_printf(m, "Ops : dfr=%u rel=%u gc=%u\n",
55312 - atomic_read(&fscache_n_op_deferred_release),
55313 - atomic_read(&fscache_n_op_release),
55314 - atomic_read(&fscache_n_op_gc));
55315 + atomic_read_unchecked(&fscache_n_op_deferred_release),
55316 + atomic_read_unchecked(&fscache_n_op_release),
55317 + atomic_read_unchecked(&fscache_n_op_gc));
55319 seq_printf(m, "CacheOp: alo=%d luo=%d luc=%d gro=%d\n",
55320 atomic_read(&fscache_n_cop_alloc_object),
55321 diff --git a/fs/fuse/cuse.c b/fs/fuse/cuse.c
55322 index aef34b1..59bfd7b 100644
55323 --- a/fs/fuse/cuse.c
55324 +++ b/fs/fuse/cuse.c
55325 @@ -600,10 +600,12 @@ static int __init cuse_init(void)
55326 INIT_LIST_HEAD(&cuse_conntbl[i]);
55328 /* inherit and extend fuse_dev_operations */
55329 - cuse_channel_fops = fuse_dev_operations;
55330 - cuse_channel_fops.owner = THIS_MODULE;
55331 - cuse_channel_fops.open = cuse_channel_open;
55332 - cuse_channel_fops.release = cuse_channel_release;
55333 + pax_open_kernel();
55334 + memcpy((void *)&cuse_channel_fops, &fuse_dev_operations, sizeof(fuse_dev_operations));
55335 + *(void **)&cuse_channel_fops.owner = THIS_MODULE;
55336 + *(void **)&cuse_channel_fops.open = cuse_channel_open;
55337 + *(void **)&cuse_channel_fops.release = cuse_channel_release;
55338 + pax_close_kernel();
55340 cuse_class = class_create(THIS_MODULE, "cuse");
55341 if (IS_ERR(cuse_class))
55342 diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
55343 index 1d55f94..088da65 100644
55344 --- a/fs/fuse/dev.c
55345 +++ b/fs/fuse/dev.c
55346 @@ -1339,7 +1339,7 @@ static ssize_t fuse_dev_splice_read(struct file *in, loff_t *ppos,
55350 - if (!pipe->readers) {
55351 + if (!atomic_read(&pipe->readers)) {
55352 send_sig(SIGPIPE, current, 0);
55355 @@ -1364,7 +1364,7 @@ static ssize_t fuse_dev_splice_read(struct file *in, loff_t *ppos,
55360 + if (atomic_read(&pipe->files))
55364 diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
55365 index 5b12746..b481b03 100644
55366 --- a/fs/fuse/dir.c
55367 +++ b/fs/fuse/dir.c
55368 @@ -1437,7 +1437,7 @@ static char *read_link(struct dentry *dentry)
55372 -static void free_link(char *link)
55373 +static void free_link(const char *link)
55376 free_page((unsigned long) link);
55377 diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c
55378 index 62b484e..0f9a140 100644
55379 --- a/fs/gfs2/inode.c
55380 +++ b/fs/gfs2/inode.c
55381 @@ -1441,7 +1441,7 @@ out:
55383 static void gfs2_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
55385 - char *s = nd_get_link(nd);
55386 + const char *s = nd_get_link(nd);
55390 diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
55391 index a3f868a..bb308ae 100644
55392 --- a/fs/hugetlbfs/inode.c
55393 +++ b/fs/hugetlbfs/inode.c
55394 @@ -152,6 +152,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
55395 struct mm_struct *mm = current->mm;
55396 struct vm_area_struct *vma;
55397 struct hstate *h = hstate_file(file);
55398 + unsigned long offset = gr_rand_threadstack_offset(mm, file, flags);
55399 struct vm_unmapped_area_info info;
55401 if (len & ~huge_page_mask(h))
55402 @@ -165,17 +166,26 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
55406 +#ifdef CONFIG_PAX_RANDMMAP
55407 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
55411 addr = ALIGN(addr, huge_page_size(h));
55412 vma = find_vma(mm, addr);
55413 - if (TASK_SIZE - len >= addr &&
55414 - (!vma || addr + len <= vma->vm_start))
55415 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
55421 info.low_limit = TASK_UNMAPPED_BASE;
55423 +#ifdef CONFIG_PAX_RANDMMAP
55424 + if (mm->pax_flags & MF_PAX_RANDMMAP)
55425 + info.low_limit += mm->delta_mmap;
55428 info.high_limit = TASK_SIZE;
55429 info.align_mask = PAGE_MASK & ~huge_page_mask(h);
55430 info.align_offset = 0;
55431 @@ -898,7 +908,7 @@ static struct file_system_type hugetlbfs_fs_type = {
55433 MODULE_ALIAS_FS("hugetlbfs");
55435 -static struct vfsmount *hugetlbfs_vfsmount[HUGE_MAX_HSTATE];
55436 +struct vfsmount *hugetlbfs_vfsmount[HUGE_MAX_HSTATE];
55438 static int can_do_hugetlb_shm(void)
55440 diff --git a/fs/inode.c b/fs/inode.c
55441 index 00d5fc3..98ce7d7 100644
55444 @@ -878,8 +878,8 @@ unsigned int get_next_ino(void)
55447 if (unlikely((res & (LAST_INO_BATCH-1)) == 0)) {
55448 - static atomic_t shared_last_ino;
55449 - int next = atomic_add_return(LAST_INO_BATCH, &shared_last_ino);
55450 + static atomic_unchecked_t shared_last_ino;
55451 + int next = atomic_add_return_unchecked(LAST_INO_BATCH, &shared_last_ino);
55453 res = next - LAST_INO_BATCH;
55455 diff --git a/fs/jffs2/erase.c b/fs/jffs2/erase.c
55456 index 4a6cf28..d3a29d3 100644
55457 --- a/fs/jffs2/erase.c
55458 +++ b/fs/jffs2/erase.c
55459 @@ -452,7 +452,8 @@ static void jffs2_mark_erased_block(struct jffs2_sb_info *c, struct jffs2_eraseb
55460 struct jffs2_unknown_node marker = {
55461 .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
55462 .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
55463 - .totlen = cpu_to_je32(c->cleanmarker_size)
55464 + .totlen = cpu_to_je32(c->cleanmarker_size),
55465 + .hdr_crc = cpu_to_je32(0)
55468 jffs2_prealloc_raw_node_refs(c, jeb, 1);
55469 diff --git a/fs/jffs2/wbuf.c b/fs/jffs2/wbuf.c
55470 index a6597d6..41b30ec 100644
55471 --- a/fs/jffs2/wbuf.c
55472 +++ b/fs/jffs2/wbuf.c
55473 @@ -1023,7 +1023,8 @@ static const struct jffs2_unknown_node oob_cleanmarker =
55475 .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
55476 .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
55477 - .totlen = constant_cpu_to_je32(8)
55478 + .totlen = constant_cpu_to_je32(8),
55479 + .hdr_crc = constant_cpu_to_je32(0)
55483 diff --git a/fs/jfs/super.c b/fs/jfs/super.c
55484 index 788e0a9..8433098 100644
55485 --- a/fs/jfs/super.c
55486 +++ b/fs/jfs/super.c
55487 @@ -878,7 +878,7 @@ static int __init init_jfs_fs(void)
55490 kmem_cache_create("jfs_ip", sizeof(struct jfs_inode_info), 0,
55491 - SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD,
55492 + SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD|SLAB_USERCOPY,
55494 if (jfs_inode_cachep == NULL)
55496 diff --git a/fs/libfs.c b/fs/libfs.c
55497 index 916da8c..1588998 100644
55500 @@ -165,6 +165,9 @@ int dcache_readdir(struct file * filp, void * dirent, filldir_t filldir)
55502 for (p=q->next; p != &dentry->d_subdirs; p=p->next) {
55503 struct dentry *next;
55504 + char d_name[sizeof(next->d_iname)];
55505 + const unsigned char *name;
55507 next = list_entry(p, struct dentry, d_u.d_child);
55508 spin_lock_nested(&next->d_lock, DENTRY_D_LOCK_NESTED);
55509 if (!simple_positive(next)) {
55510 @@ -174,7 +177,12 @@ int dcache_readdir(struct file * filp, void * dirent, filldir_t filldir)
55512 spin_unlock(&next->d_lock);
55513 spin_unlock(&dentry->d_lock);
55514 - if (filldir(dirent, next->d_name.name,
55515 + name = next->d_name.name;
55516 + if (name == next->d_iname) {
55517 + memcpy(d_name, name, next->d_name.len);
55520 + if (filldir(dirent, name,
55521 next->d_name.len, filp->f_pos,
55522 next->d_inode->i_ino,
55523 dt_type(next->d_inode)) < 0)
55524 diff --git a/fs/lockd/clntproc.c b/fs/lockd/clntproc.c
55525 index acd3947..1f896e2 100644
55526 --- a/fs/lockd/clntproc.c
55527 +++ b/fs/lockd/clntproc.c
55528 @@ -36,11 +36,11 @@ static const struct rpc_call_ops nlmclnt_cancel_ops;
55530 * Cookie counter for NLM requests
55532 -static atomic_t nlm_cookie = ATOMIC_INIT(0x1234);
55533 +static atomic_unchecked_t nlm_cookie = ATOMIC_INIT(0x1234);
55535 void nlmclnt_next_cookie(struct nlm_cookie *c)
55537 - u32 cookie = atomic_inc_return(&nlm_cookie);
55538 + u32 cookie = atomic_inc_return_unchecked(&nlm_cookie);
55540 memcpy(c->data, &cookie, 4);
55542 diff --git a/fs/lockd/svc.c b/fs/lockd/svc.c
55543 index a2aa97d..10d6c41 100644
55544 --- a/fs/lockd/svc.c
55545 +++ b/fs/lockd/svc.c
55546 @@ -305,7 +305,7 @@ static int lockd_start_svc(struct svc_serv *serv)
55547 svc_sock_update_bufs(serv);
55548 serv->sv_maxconn = nlm_max_connections;
55550 - nlmsvc_task = kthread_run(lockd, nlmsvc_rqst, serv->sv_name);
55551 + nlmsvc_task = kthread_run(lockd, nlmsvc_rqst, "%s", serv->sv_name);
55552 if (IS_ERR(nlmsvc_task)) {
55553 error = PTR_ERR(nlmsvc_task);
55554 printk(KERN_WARNING
55555 diff --git a/fs/locks.c b/fs/locks.c
55556 index cb424a4..850e4dd 100644
55559 @@ -2064,16 +2064,16 @@ void locks_remove_flock(struct file *filp)
55562 if (filp->f_op && filp->f_op->flock) {
55563 - struct file_lock fl = {
55564 + struct file_lock flock = {
55565 .fl_pid = current->tgid,
55567 .fl_flags = FL_FLOCK,
55568 .fl_type = F_UNLCK,
55569 .fl_end = OFFSET_MAX,
55571 - filp->f_op->flock(filp, F_SETLKW, &fl);
55572 - if (fl.fl_ops && fl.fl_ops->fl_release_private)
55573 - fl.fl_ops->fl_release_private(&fl);
55574 + filp->f_op->flock(filp, F_SETLKW, &flock);
55575 + if (flock.fl_ops && flock.fl_ops->fl_release_private)
55576 + flock.fl_ops->fl_release_private(&flock);
55580 diff --git a/fs/namei.c b/fs/namei.c
55581 index 9ed9361..2b72db1 100644
55584 @@ -319,16 +319,32 @@ int generic_permission(struct inode *inode, int mask)
55585 if (ret != -EACCES)
55588 +#ifdef CONFIG_GRKERNSEC
55589 + /* we'll block if we have to log due to a denied capability use */
55590 + if (mask & MAY_NOT_BLOCK)
55594 if (S_ISDIR(inode->i_mode)) {
55595 /* DACs are overridable for directories */
55596 - if (inode_capable(inode, CAP_DAC_OVERRIDE))
55598 if (!(mask & MAY_WRITE))
55599 - if (inode_capable(inode, CAP_DAC_READ_SEARCH))
55600 + if (inode_capable_nolog(inode, CAP_DAC_OVERRIDE) ||
55601 + inode_capable(inode, CAP_DAC_READ_SEARCH))
55603 + if (inode_capable(inode, CAP_DAC_OVERRIDE))
55608 + * Searching includes executable on directories, else just read.
55610 + mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
55611 + if (mask == MAY_READ)
55612 + if (inode_capable_nolog(inode, CAP_DAC_OVERRIDE) ||
55613 + inode_capable(inode, CAP_DAC_READ_SEARCH))
55617 * Read/write DACs are always overridable.
55618 * Executable DACs are overridable when there is
55619 * at least one exec bit set.
55620 @@ -337,14 +353,6 @@ int generic_permission(struct inode *inode, int mask)
55621 if (inode_capable(inode, CAP_DAC_OVERRIDE))
55625 - * Searching includes executable on directories, else just read.
55627 - mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
55628 - if (mask == MAY_READ)
55629 - if (inode_capable(inode, CAP_DAC_READ_SEARCH))
55635 @@ -820,7 +828,7 @@ follow_link(struct path *link, struct nameidata *nd, void **p)
55637 struct dentry *dentry = link->dentry;
55642 BUG_ON(nd->flags & LOOKUP_RCU);
55644 @@ -841,6 +849,12 @@ follow_link(struct path *link, struct nameidata *nd, void **p)
55646 goto out_put_nd_path;
55648 + if (gr_handle_follow_link(dentry->d_parent->d_inode,
55649 + dentry->d_inode, dentry, nd->path.mnt)) {
55651 + goto out_put_nd_path;
55654 nd->last_type = LAST_BIND;
55655 *p = dentry->d_inode->i_op->follow_link(dentry, nd);
55656 error = PTR_ERR(*p);
55657 @@ -1588,6 +1602,8 @@ static inline int nested_symlink(struct path *path, struct nameidata *nd)
55660 res = walk_component(nd, path, LOOKUP_FOLLOW);
55661 + if (res >= 0 && gr_handle_symlink_owner(&link, nd->inode))
55663 put_link(nd, &link, cookie);
55666 @@ -1686,7 +1702,7 @@ EXPORT_SYMBOL(full_name_hash);
55667 static inline unsigned long hash_name(const char *name, unsigned int *hashp)
55669 unsigned long a, b, adata, bdata, mask, hash, len;
55670 - const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
55671 + static const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
55674 len = -sizeof(unsigned long);
55675 @@ -1968,6 +1984,8 @@ static int path_lookupat(int dfd, const char *name,
55678 err = lookup_last(nd, &path);
55679 + if (!err && gr_handle_symlink_owner(&link, nd->inode))
55681 put_link(nd, &link, cookie);
55684 @@ -1975,6 +1993,13 @@ static int path_lookupat(int dfd, const char *name,
55686 err = complete_walk(nd);
55688 + if (!err && !(nd->flags & LOOKUP_PARENT)) {
55689 + if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
55690 + path_put(&nd->path);
55695 if (!err && nd->flags & LOOKUP_DIRECTORY) {
55696 if (!can_lookup(nd->inode)) {
55697 path_put(&nd->path);
55698 @@ -2002,8 +2027,15 @@ static int filename_lookup(int dfd, struct filename *name,
55699 retval = path_lookupat(dfd, name->name,
55700 flags | LOOKUP_REVAL, nd);
55702 - if (likely(!retval))
55703 + if (likely(!retval)) {
55704 audit_inode(name, nd->path.dentry, flags & LOOKUP_PARENT);
55705 + if (name->name[0] != '/' && nd->path.dentry && nd->inode) {
55706 + if (!gr_chroot_fchdir(nd->path.dentry, nd->path.mnt)) {
55707 + path_put(&nd->path);
55715 @@ -2381,6 +2413,13 @@ static int may_open(struct path *path, int acc_mode, int flag)
55716 if (flag & O_NOATIME && !inode_owner_or_capable(inode))
55719 + if (gr_handle_rofs_blockwrite(dentry, path->mnt, acc_mode))
55721 + if (gr_handle_rawio(inode))
55723 + if (!gr_acl_handle_open(dentry, path->mnt, acc_mode))
55729 @@ -2602,7 +2641,7 @@ looked_up:
55730 * cleared otherwise prior to returning.
55732 static int lookup_open(struct nameidata *nd, struct path *path,
55733 - struct file *file,
55734 + struct path *link, struct file *file,
55735 const struct open_flags *op,
55736 bool got_write, int *opened)
55738 @@ -2637,6 +2676,17 @@ static int lookup_open(struct nameidata *nd, struct path *path,
55739 /* Negative dentry, just create the file */
55740 if (!dentry->d_inode && (op->open_flag & O_CREAT)) {
55741 umode_t mode = op->mode;
55743 + if (link && gr_handle_symlink_owner(link, dir->d_inode)) {
55748 + if (!gr_acl_handle_creat(dentry, dir, nd->path.mnt, op->open_flag, op->acc_mode, mode)) {
55753 if (!IS_POSIXACL(dir->d_inode))
55754 mode &= ~current_umask();
55756 @@ -2658,6 +2708,8 @@ static int lookup_open(struct nameidata *nd, struct path *path,
55757 nd->flags & LOOKUP_EXCL);
55761 + gr_handle_create(dentry, nd->path.mnt);
55764 path->dentry = dentry;
55765 @@ -2672,7 +2724,7 @@ out_dput:
55767 * Handle the last step of open()
55769 -static int do_last(struct nameidata *nd, struct path *path,
55770 +static int do_last(struct nameidata *nd, struct path *path, struct path *link,
55771 struct file *file, const struct open_flags *op,
55772 int *opened, struct filename *name)
55774 @@ -2701,16 +2753,32 @@ static int do_last(struct nameidata *nd, struct path *path,
55775 error = complete_walk(nd);
55778 + if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
55782 audit_inode(name, nd->path.dentry, 0);
55783 if (open_flag & O_CREAT) {
55787 + if (link && gr_handle_symlink_owner(link, nd->inode)) {
55793 error = complete_walk(nd);
55796 + if (!gr_acl_handle_hidden_file(dir, nd->path.mnt)) {
55800 + if (link && gr_handle_symlink_owner(link, nd->inode)) {
55804 audit_inode(name, dir, 0);
55807 @@ -2759,7 +2827,7 @@ retry_lookup:
55810 mutex_lock(&dir->d_inode->i_mutex);
55811 - error = lookup_open(nd, path, file, op, got_write, opened);
55812 + error = lookup_open(nd, path, link, file, op, got_write, opened);
55813 mutex_unlock(&dir->d_inode->i_mutex);
55816 @@ -2783,11 +2851,28 @@ retry_lookup:
55817 goto finish_open_created;
55820 + if (!gr_acl_handle_hidden_file(path->dentry, nd->path.mnt)) {
55824 + if (link && gr_handle_symlink_owner(link, path->dentry->d_inode)) {
55830 * create/update audit record if it already exists.
55832 - if (path->dentry->d_inode)
55833 + if (path->dentry->d_inode) {
55834 + /* only check if O_CREAT is specified, all other checks need to go
55836 + if (gr_handle_fifo(path->dentry, path->mnt, dir, open_flag, acc_mode)) {
55841 audit_inode(name, path->dentry, 0);
55845 * If atomic_open() acquired write access it is dropped now due to
55846 @@ -2828,6 +2913,11 @@ finish_lookup:
55849 BUG_ON(inode != path->dentry->d_inode);
55850 + /* if we're resolving a symlink to another symlink */
55851 + if (link && gr_handle_symlink_owner(link, inode)) {
55858 @@ -2837,7 +2927,6 @@ finish_lookup:
55859 save_parent.dentry = nd->path.dentry;
55860 save_parent.mnt = mntget(path->mnt);
55861 nd->path.dentry = path->dentry;
55865 /* Why this, you ask? _Now_ we might have grown LOOKUP_JUMPED... */
55866 @@ -2846,6 +2935,16 @@ finish_lookup:
55867 path_put(&save_parent);
55871 + if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
55875 + if (link && gr_handle_symlink_owner(link, nd->inode)) {
55881 if ((open_flag & O_CREAT) && S_ISDIR(nd->inode->i_mode))
55883 @@ -2944,7 +3043,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
55884 if (unlikely(error))
55887 - error = do_last(nd, &path, file, op, &opened, pathname);
55888 + error = do_last(nd, &path, NULL, file, op, &opened, pathname);
55889 while (unlikely(error > 0)) { /* trailing symlink */
55890 struct path link = path;
55892 @@ -2962,7 +3061,7 @@ static struct file *path_openat(int dfd, struct filename *pathname,
55893 error = follow_link(&link, nd, &cookie);
55894 if (unlikely(error))
55896 - error = do_last(nd, &path, file, op, &opened, pathname);
55897 + error = do_last(nd, &path, &link, file, op, &opened, pathname);
55898 put_link(nd, &link, cookie);
55901 @@ -3062,8 +3161,12 @@ struct dentry *kern_path_create(int dfd, const char *pathname,
55905 - if (dentry->d_inode)
55906 + if (dentry->d_inode) {
55907 + if (!gr_acl_handle_hidden_file(dentry, nd.path.mnt)) {
55913 * Special case - lookup gave negative, but... we had foo/bar/
55914 * From the vfs_mknod() POV we just have a negative dentry -
55915 @@ -3115,6 +3218,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname,
55917 EXPORT_SYMBOL(user_path_create);
55919 +static struct dentry *user_path_create_with_name(int dfd, const char __user *pathname, struct path *path, struct filename **to, unsigned int lookup_flags)
55921 + struct filename *tmp = getname(pathname);
55922 + struct dentry *res;
55924 + return ERR_CAST(tmp);
55925 + res = kern_path_create(dfd, tmp->name, path, lookup_flags);
55933 int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
55935 int error = may_create(dir, dentry);
55936 @@ -3177,6 +3294,17 @@ retry:
55938 if (!IS_POSIXACL(path.dentry->d_inode))
55939 mode &= ~current_umask();
55941 + if (gr_handle_chroot_mknod(dentry, path.mnt, mode)) {
55946 + if (!gr_acl_handle_mknod(dentry, path.dentry, path.mnt, mode)) {
55951 error = security_path_mknod(&path, dentry, mode, dev);
55954 @@ -3193,6 +3321,8 @@ retry:
55959 + gr_handle_create(dentry, path.mnt);
55960 done_path_create(&path, dentry);
55961 if (retry_estale(error, lookup_flags)) {
55962 lookup_flags |= LOOKUP_REVAL;
55963 @@ -3245,9 +3375,16 @@ retry:
55965 if (!IS_POSIXACL(path.dentry->d_inode))
55966 mode &= ~current_umask();
55967 + if (!gr_acl_handle_mkdir(dentry, path.dentry, path.mnt)) {
55971 error = security_path_mkdir(&path, dentry, mode);
55973 error = vfs_mkdir(path.dentry->d_inode, dentry, mode);
55975 + gr_handle_create(dentry, path.mnt);
55977 done_path_create(&path, dentry);
55978 if (retry_estale(error, lookup_flags)) {
55979 lookup_flags |= LOOKUP_REVAL;
55980 @@ -3328,6 +3465,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
55981 struct filename *name;
55982 struct dentry *dentry;
55983 struct nameidata nd;
55984 + ino_t saved_ino = 0;
55985 + dev_t saved_dev = 0;
55986 unsigned int lookup_flags = 0;
55988 name = user_path_parent(dfd, pathname, &nd, lookup_flags);
55989 @@ -3360,10 +3499,21 @@ retry:
55994 + saved_ino = dentry->d_inode->i_ino;
55995 + saved_dev = gr_get_dev_from_dentry(dentry);
55997 + if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) {
56002 error = security_path_rmdir(&nd.path, dentry);
56005 error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
56006 + if (!error && (saved_dev || saved_ino))
56007 + gr_handle_delete(saved_ino, saved_dev);
56011 @@ -3429,6 +3579,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
56012 struct dentry *dentry;
56013 struct nameidata nd;
56014 struct inode *inode = NULL;
56015 + ino_t saved_ino = 0;
56016 + dev_t saved_dev = 0;
56017 unsigned int lookup_flags = 0;
56019 name = user_path_parent(dfd, pathname, &nd, lookup_flags);
56020 @@ -3455,10 +3607,22 @@ retry:
56025 + if (inode->i_nlink <= 1) {
56026 + saved_ino = inode->i_ino;
56027 + saved_dev = gr_get_dev_from_dentry(dentry);
56029 + if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) {
56034 error = security_path_unlink(&nd.path, dentry);
56037 error = vfs_unlink(nd.path.dentry->d_inode, dentry);
56038 + if (!error && (saved_ino || saved_dev))
56039 + gr_handle_delete(saved_ino, saved_dev);
56043 @@ -3536,9 +3700,17 @@ retry:
56044 if (IS_ERR(dentry))
56047 + if (!gr_acl_handle_symlink(dentry, path.dentry, path.mnt, from)) {
56052 error = security_path_symlink(&path, dentry, from->name);
56054 error = vfs_symlink(path.dentry->d_inode, dentry, from->name);
56056 + gr_handle_create(dentry, path.mnt);
56058 done_path_create(&path, dentry);
56059 if (retry_estale(error, lookup_flags)) {
56060 lookup_flags |= LOOKUP_REVAL;
56061 @@ -3612,6 +3784,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
56063 struct dentry *new_dentry;
56064 struct path old_path, new_path;
56065 + struct filename *to = NULL;
56069 @@ -3635,7 +3808,7 @@ retry:
56073 - new_dentry = user_path_create(newdfd, newname, &new_path,
56074 + new_dentry = user_path_create_with_name(newdfd, newname, &new_path, &to,
56075 (how & LOOKUP_REVAL));
56076 error = PTR_ERR(new_dentry);
56077 if (IS_ERR(new_dentry))
56078 @@ -3647,11 +3820,28 @@ retry:
56079 error = may_linkat(&old_path);
56080 if (unlikely(error))
56083 + if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
56084 + old_path.dentry->d_inode,
56085 + old_path.dentry->d_inode->i_mode, to)) {
56090 + if (!gr_acl_handle_link(new_dentry, new_path.dentry, new_path.mnt,
56091 + old_path.dentry, old_path.mnt, to)) {
56096 error = security_path_link(old_path.dentry, &new_path, new_dentry);
56099 error = vfs_link(old_path.dentry, new_path.dentry->d_inode, new_dentry);
56101 + gr_handle_create(new_dentry, new_path.mnt);
56104 done_path_create(&new_path, new_dentry);
56105 if (retry_estale(error, how)) {
56106 how |= LOOKUP_REVAL;
56107 @@ -3897,12 +4087,21 @@ retry:
56108 if (new_dentry == trap)
56111 + error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt,
56112 + old_dentry, old_dir->d_inode, oldnd.path.mnt,
56117 error = security_path_rename(&oldnd.path, old_dentry,
56118 &newnd.path, new_dentry);
56121 error = vfs_rename(old_dir->d_inode, old_dentry,
56122 new_dir->d_inode, new_dentry);
56124 + gr_handle_rename(old_dir->d_inode, new_dir->d_inode, old_dentry,
56125 + new_dentry, oldnd.path.mnt, new_dentry->d_inode ? 1 : 0);
56129 @@ -3934,6 +4133,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
56131 int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
56134 + const char *newlink;
56137 len = PTR_ERR(link);
56138 @@ -3943,7 +4144,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
56139 len = strlen(link);
56140 if (len > (unsigned) buflen)
56142 - if (copy_to_user(buffer, link, len))
56144 + if (len < sizeof(tmpbuf)) {
56145 + memcpy(tmpbuf, link, len);
56146 + newlink = tmpbuf;
56150 + if (copy_to_user(buffer, newlink, len))
56154 diff --git a/fs/namespace.c b/fs/namespace.c
56155 index 7b1ca9b..6faeccf 100644
56156 --- a/fs/namespace.c
56157 +++ b/fs/namespace.c
56158 @@ -1265,6 +1265,9 @@ static int do_umount(struct mount *mnt, int flags)
56159 if (!(sb->s_flags & MS_RDONLY))
56160 retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
56161 up_write(&sb->s_umount);
56163 + gr_log_remount(mnt->mnt_devname, retval);
56168 @@ -1283,6 +1286,9 @@ static int do_umount(struct mount *mnt, int flags)
56170 br_write_unlock(&vfsmount_lock);
56171 namespace_unlock();
56173 + gr_log_unmount(mnt->mnt_devname, retval);
56178 @@ -1302,7 +1308,7 @@ static inline bool may_mount(void)
56179 * unixes. Our API is identical to OSF/1 to avoid making a mess of AMD
56182 -SYSCALL_DEFINE2(umount, char __user *, name, int, flags)
56183 +SYSCALL_DEFINE2(umount, const char __user *, name, int, flags)
56187 @@ -1342,7 +1348,7 @@ out:
56189 * The 2.0 compatible umount. No flags.
56191 -SYSCALL_DEFINE1(oldumount, char __user *, name)
56192 +SYSCALL_DEFINE1(oldumount, const char __user *, name)
56194 return sys_umount(name, 0);
56196 @@ -2313,6 +2319,16 @@ long do_mount(const char *dev_name, const char *dir_name,
56197 MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
56200 + if (gr_handle_rofs_mount(path.dentry, path.mnt, mnt_flags)) {
56205 + if (gr_handle_chroot_mount(path.dentry, path.mnt, dev_name)) {
56210 if (flags & MS_REMOUNT)
56211 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
56213 @@ -2327,6 +2343,9 @@ long do_mount(const char *dev_name, const char *dir_name,
56214 dev_name, data_page);
56218 + gr_log_mount(dev_name, dir_name, retval);
56223 @@ -2500,8 +2519,8 @@ struct dentry *mount_subtree(struct vfsmount *mnt, const char *name)
56225 EXPORT_SYMBOL(mount_subtree);
56227 -SYSCALL_DEFINE5(mount, char __user *, dev_name, char __user *, dir_name,
56228 - char __user *, type, unsigned long, flags, void __user *, data)
56229 +SYSCALL_DEFINE5(mount, const char __user *, dev_name, const char __user *, dir_name,
56230 + const char __user *, type, unsigned long, flags, void __user *, data)
56234 @@ -2614,6 +2633,11 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
56238 + if (gr_handle_chroot_pivot()) {
56243 get_fs_root(current->fs, &root);
56244 old_mp = lock_mount(&old);
56245 error = PTR_ERR(old_mp);
56246 @@ -2864,7 +2888,7 @@ static int mntns_install(struct nsproxy *nsproxy, void *ns)
56247 !nsown_capable(CAP_SYS_ADMIN))
56250 - if (fs->users != 1)
56251 + if (atomic_read(&fs->users) != 1)
56254 get_mnt_ns(mnt_ns);
56255 diff --git a/fs/nfs/callback.c b/fs/nfs/callback.c
56256 index cff089a..4c3d57a 100644
56257 --- a/fs/nfs/callback.c
56258 +++ b/fs/nfs/callback.c
56259 @@ -211,7 +211,6 @@ static int nfs_callback_start_svc(int minorversion, struct rpc_xprt *xprt,
56260 struct svc_rqst *rqstp;
56261 int (*callback_svc)(void *vrqstp);
56262 struct nfs_callback_data *cb_info = &nfs_callback_info[minorversion];
56263 - char svc_name[12];
56266 nfs_callback_bc_serv(minorversion, xprt, serv);
56267 @@ -235,10 +234,9 @@ static int nfs_callback_start_svc(int minorversion, struct rpc_xprt *xprt,
56269 svc_sock_update_bufs(serv);
56271 - sprintf(svc_name, "nfsv4.%u-svc", minorversion);
56272 cb_info->serv = serv;
56273 cb_info->rqst = rqstp;
56274 - cb_info->task = kthread_run(callback_svc, cb_info->rqst, svc_name);
56275 + cb_info->task = kthread_run(callback_svc, cb_info->rqst, "nfsv4.%u-svc", minorversion);
56276 if (IS_ERR(cb_info->task)) {
56277 ret = PTR_ERR(cb_info->task);
56278 svc_exit_thread(cb_info->rqst);
56279 diff --git a/fs/nfs/callback_xdr.c b/fs/nfs/callback_xdr.c
56280 index a35582c..ebbdcd5 100644
56281 --- a/fs/nfs/callback_xdr.c
56282 +++ b/fs/nfs/callback_xdr.c
56283 @@ -51,7 +51,7 @@ struct callback_op {
56284 callback_decode_arg_t decode_args;
56285 callback_encode_res_t encode_res;
56290 static struct callback_op callback_ops[];
56292 diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
56293 index c1c7a9d..7afa0b8 100644
56294 --- a/fs/nfs/inode.c
56295 +++ b/fs/nfs/inode.c
56296 @@ -1043,16 +1043,16 @@ static int nfs_size_need_update(const struct inode *inode, const struct nfs_fatt
56297 return nfs_size_to_loff_t(fattr->size) > i_size_read(inode);
56300 -static atomic_long_t nfs_attr_generation_counter;
56301 +static atomic_long_unchecked_t nfs_attr_generation_counter;
56303 static unsigned long nfs_read_attr_generation_counter(void)
56305 - return atomic_long_read(&nfs_attr_generation_counter);
56306 + return atomic_long_read_unchecked(&nfs_attr_generation_counter);
56309 unsigned long nfs_inc_attr_generation_counter(void)
56311 - return atomic_long_inc_return(&nfs_attr_generation_counter);
56312 + return atomic_long_inc_return_unchecked(&nfs_attr_generation_counter);
56315 void nfs_fattr_init(struct nfs_fattr *fattr)
56316 diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c
56317 index 2c37442..9b9538b 100644
56318 --- a/fs/nfs/nfs4state.c
56319 +++ b/fs/nfs/nfs4state.c
56320 @@ -1193,7 +1193,7 @@ void nfs4_schedule_state_manager(struct nfs_client *clp)
56321 snprintf(buf, sizeof(buf), "%s-manager",
56322 rpc_peeraddr2str(clp->cl_rpcclient, RPC_DISPLAY_ADDR));
56324 - task = kthread_run(nfs4_run_state_manager, clp, buf);
56325 + task = kthread_run(nfs4_run_state_manager, clp, "%s", buf);
56326 if (IS_ERR(task)) {
56327 printk(KERN_ERR "%s: kthread_run: %ld\n",
56328 __func__, PTR_ERR(task));
56329 diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
56330 index 27d74a2..c4c2a73 100644
56331 --- a/fs/nfsd/nfs4proc.c
56332 +++ b/fs/nfsd/nfs4proc.c
56333 @@ -1126,7 +1126,7 @@ struct nfsd4_operation {
56334 nfsd4op_rsize op_rsize_bop;
56335 stateid_getter op_get_currentstateid;
56336 stateid_setter op_set_currentstateid;
56340 static struct nfsd4_operation nfsd4_ops[];
56342 diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
56343 index 582321a..0224663 100644
56344 --- a/fs/nfsd/nfs4xdr.c
56345 +++ b/fs/nfsd/nfs4xdr.c
56346 @@ -1458,7 +1458,7 @@ nfsd4_decode_notsupp(struct nfsd4_compoundargs *argp, void *p)
56348 typedef __be32(*nfsd4_dec)(struct nfsd4_compoundargs *argp, void *);
56350 -static nfsd4_dec nfsd4_dec_ops[] = {
56351 +static const nfsd4_dec nfsd4_dec_ops[] = {
56352 [OP_ACCESS] = (nfsd4_dec)nfsd4_decode_access,
56353 [OP_CLOSE] = (nfsd4_dec)nfsd4_decode_close,
56354 [OP_COMMIT] = (nfsd4_dec)nfsd4_decode_commit,
56355 @@ -1498,7 +1498,7 @@ static nfsd4_dec nfsd4_dec_ops[] = {
56356 [OP_RELEASE_LOCKOWNER] = (nfsd4_dec)nfsd4_decode_release_lockowner,
56359 -static nfsd4_dec nfsd41_dec_ops[] = {
56360 +static const nfsd4_dec nfsd41_dec_ops[] = {
56361 [OP_ACCESS] = (nfsd4_dec)nfsd4_decode_access,
56362 [OP_CLOSE] = (nfsd4_dec)nfsd4_decode_close,
56363 [OP_COMMIT] = (nfsd4_dec)nfsd4_decode_commit,
56364 @@ -1560,7 +1560,7 @@ static nfsd4_dec nfsd41_dec_ops[] = {
56367 struct nfsd4_minorversion_ops {
56368 - nfsd4_dec *decoders;
56369 + const nfsd4_dec *decoders;
56373 diff --git a/fs/nfsd/nfscache.c b/fs/nfsd/nfscache.c
56374 index e76244e..9fe8f2f1 100644
56375 --- a/fs/nfsd/nfscache.c
56376 +++ b/fs/nfsd/nfscache.c
56377 @@ -526,14 +526,17 @@ nfsd_cache_update(struct svc_rqst *rqstp, int cachetype, __be32 *statp)
56379 struct svc_cacherep *rp = rqstp->rq_cacherep;
56380 struct kvec *resv = &rqstp->rq_res.head[0], *cachv;
56383 size_t bufsize = 0;
56388 - len = resv->iov_len - ((char*)statp - (char*)resv->iov_base);
56391 + len = (char*)statp - (char*)resv->iov_base;
56392 + len = resv->iov_len - len;
56396 /* Don't cache excessive amounts of data and XDR failures */
56397 if (!statp || len > (256 >> 2)) {
56398 diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
56399 index baf149a..76b86ad 100644
56400 --- a/fs/nfsd/vfs.c
56401 +++ b/fs/nfsd/vfs.c
56402 @@ -940,7 +940,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, struct svc_fh *fhp, struct file *file,
56406 - host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
56407 + host_err = vfs_readv(file, (struct iovec __force_user *)vec, vlen, &offset);
56411 @@ -1027,7 +1027,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, struct svc_fh *fhp, struct file *file,
56413 /* Write the data. */
56414 oldfs = get_fs(); set_fs(KERNEL_DS);
56415 - host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &pos);
56416 + host_err = vfs_writev(file, (struct iovec __force_user *)vec, vlen, &pos);
56420 @@ -1573,7 +1573,7 @@ nfsd_readlink(struct svc_rqst *rqstp, struct svc_fh *fhp, char *buf, int *lenp)
56423 oldfs = get_fs(); set_fs(KERNEL_DS);
56424 - host_err = inode->i_op->readlink(path.dentry, (char __user *)buf, *lenp);
56425 + host_err = inode->i_op->readlink(path.dentry, (char __force_user *)buf, *lenp);
56429 diff --git a/fs/nls/nls_base.c b/fs/nls/nls_base.c
56430 index fea6bd5..8ee9d81 100644
56431 --- a/fs/nls/nls_base.c
56432 +++ b/fs/nls/nls_base.c
56433 @@ -234,20 +234,22 @@ EXPORT_SYMBOL(utf16s_to_utf8s);
56435 int register_nls(struct nls_table * nls)
56437 - struct nls_table ** tmp = &tables;
56438 + struct nls_table *tmp = tables;
56443 spin_lock(&nls_lock);
56445 - if (nls == *tmp) {
56447 + if (nls == tmp) {
56448 spin_unlock(&nls_lock);
56451 - tmp = &(*tmp)->next;
56454 - nls->next = tables;
56455 + pax_open_kernel();
56456 + *(struct nls_table **)&nls->next = tables;
56457 + pax_close_kernel();
56459 spin_unlock(&nls_lock);
56461 @@ -255,12 +257,14 @@ int register_nls(struct nls_table * nls)
56463 int unregister_nls(struct nls_table * nls)
56465 - struct nls_table ** tmp = &tables;
56466 + struct nls_table * const * tmp = &tables;
56468 spin_lock(&nls_lock);
56471 - *tmp = nls->next;
56472 + pax_open_kernel();
56473 + *(struct nls_table **)tmp = nls->next;
56474 + pax_close_kernel();
56475 spin_unlock(&nls_lock);
56478 diff --git a/fs/nls/nls_euc-jp.c b/fs/nls/nls_euc-jp.c
56479 index 7424929..35f6be5 100644
56480 --- a/fs/nls/nls_euc-jp.c
56481 +++ b/fs/nls/nls_euc-jp.c
56482 @@ -561,8 +561,10 @@ static int __init init_nls_euc_jp(void)
56483 p_nls = load_nls("cp932");
56486 - table.charset2upper = p_nls->charset2upper;
56487 - table.charset2lower = p_nls->charset2lower;
56488 + pax_open_kernel();
56489 + *(const unsigned char **)&table.charset2upper = p_nls->charset2upper;
56490 + *(const unsigned char **)&table.charset2lower = p_nls->charset2lower;
56491 + pax_close_kernel();
56492 return register_nls(&table);
56495 diff --git a/fs/nls/nls_koi8-ru.c b/fs/nls/nls_koi8-ru.c
56496 index e7bc1d7..06bd4bb 100644
56497 --- a/fs/nls/nls_koi8-ru.c
56498 +++ b/fs/nls/nls_koi8-ru.c
56499 @@ -63,8 +63,10 @@ static int __init init_nls_koi8_ru(void)
56500 p_nls = load_nls("koi8-u");
56503 - table.charset2upper = p_nls->charset2upper;
56504 - table.charset2lower = p_nls->charset2lower;
56505 + pax_open_kernel();
56506 + *(const unsigned char **)&table.charset2upper = p_nls->charset2upper;
56507 + *(const unsigned char **)&table.charset2lower = p_nls->charset2lower;
56508 + pax_close_kernel();
56509 return register_nls(&table);
56512 diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
56513 index 77cc85d..a1e6299 100644
56514 --- a/fs/notify/fanotify/fanotify_user.c
56515 +++ b/fs/notify/fanotify/fanotify_user.c
56516 @@ -253,8 +253,8 @@ static ssize_t copy_event_to_user(struct fsnotify_group *group,
56518 fd = fanotify_event_metadata.fd;
56520 - if (copy_to_user(buf, &fanotify_event_metadata,
56521 - fanotify_event_metadata.event_len))
56522 + if (fanotify_event_metadata.event_len > sizeof fanotify_event_metadata ||
56523 + copy_to_user(buf, &fanotify_event_metadata, fanotify_event_metadata.event_len))
56526 ret = prepare_for_access_response(group, event, fd);
56527 diff --git a/fs/notify/notification.c b/fs/notify/notification.c
56528 index 7b51b05..5ea5ef6 100644
56529 --- a/fs/notify/notification.c
56530 +++ b/fs/notify/notification.c
56531 @@ -57,7 +57,7 @@ static struct kmem_cache *fsnotify_event_holder_cachep;
56532 * get set to 0 so it will never get 'freed'
56534 static struct fsnotify_event *q_overflow_event;
56535 -static atomic_t fsnotify_sync_cookie = ATOMIC_INIT(0);
56536 +static atomic_unchecked_t fsnotify_sync_cookie = ATOMIC_INIT(0);
56539 * fsnotify_get_cookie - return a unique cookie for use in synchronizing events.
56540 @@ -65,7 +65,7 @@ static atomic_t fsnotify_sync_cookie = ATOMIC_INIT(0);
56542 u32 fsnotify_get_cookie(void)
56544 - return atomic_inc_return(&fsnotify_sync_cookie);
56545 + return atomic_inc_return_unchecked(&fsnotify_sync_cookie);
56547 EXPORT_SYMBOL_GPL(fsnotify_get_cookie);
56549 diff --git a/fs/ntfs/dir.c b/fs/ntfs/dir.c
56550 index aa411c3..c260a84 100644
56551 --- a/fs/ntfs/dir.c
56552 +++ b/fs/ntfs/dir.c
56553 @@ -1329,7 +1329,7 @@ find_next_index_buffer:
56554 ia = (INDEX_ALLOCATION*)(kaddr + (ia_pos & ~PAGE_CACHE_MASK &
56555 ~(s64)(ndir->itype.index.block_size - 1)));
56556 /* Bounds checks. */
56557 - if (unlikely((u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
56558 + if (unlikely(!kaddr || (u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
56559 ntfs_error(sb, "Out of bounds check failed. Corrupt directory "
56560 "inode 0x%lx or driver bug.", vdir->i_ino);
56562 diff --git a/fs/ntfs/file.c b/fs/ntfs/file.c
56563 index c5670b8..01a3656 100644
56564 --- a/fs/ntfs/file.c
56565 +++ b/fs/ntfs/file.c
56566 @@ -2241,6 +2241,6 @@ const struct inode_operations ntfs_file_inode_ops = {
56567 #endif /* NTFS_RW */
56570 -const struct file_operations ntfs_empty_file_ops = {};
56571 +const struct file_operations ntfs_empty_file_ops __read_only;
56573 -const struct inode_operations ntfs_empty_inode_ops = {};
56574 +const struct inode_operations ntfs_empty_inode_ops __read_only;
56575 diff --git a/fs/ocfs2/aops.c b/fs/ocfs2/aops.c
56576 index 20dfec7..e238cb7 100644
56577 --- a/fs/ocfs2/aops.c
56578 +++ b/fs/ocfs2/aops.c
56579 @@ -1756,7 +1756,7 @@ try_again:
56581 } else if (ret == 1) {
56582 clusters_need = wc->w_clen;
56583 - ret = ocfs2_refcount_cow(inode, filp, di_bh,
56584 + ret = ocfs2_refcount_cow(inode, di_bh,
56585 wc->w_cpos, wc->w_clen, UINT_MAX);
56588 diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
56589 index ff54014..ff125fd 100644
56590 --- a/fs/ocfs2/file.c
56591 +++ b/fs/ocfs2/file.c
56592 @@ -370,7 +370,7 @@ static int ocfs2_cow_file_pos(struct inode *inode,
56593 if (!(ext_flags & OCFS2_EXT_REFCOUNTED))
56596 - return ocfs2_refcount_cow(inode, NULL, fe_bh, cpos, 1, cpos+1);
56597 + return ocfs2_refcount_cow(inode, fe_bh, cpos, 1, cpos+1);
56601 @@ -899,7 +899,7 @@ static int ocfs2_zero_extend_get_range(struct inode *inode,
56602 zero_clusters = last_cpos - zero_cpos;
56605 - rc = ocfs2_refcount_cow(inode, NULL, di_bh, zero_cpos,
56606 + rc = ocfs2_refcount_cow(inode, di_bh, zero_cpos,
56607 zero_clusters, UINT_MAX);
56610 @@ -2078,7 +2078,7 @@ static int ocfs2_prepare_inode_for_refcount(struct inode *inode,
56614 - ret = ocfs2_refcount_cow(inode, file, di_bh, cpos, clusters, UINT_MAX);
56615 + ret = ocfs2_refcount_cow(inode, di_bh, cpos, clusters, UINT_MAX);
56619 diff --git a/fs/ocfs2/localalloc.c b/fs/ocfs2/localalloc.c
56620 index aebeacd..0dcdd26 100644
56621 --- a/fs/ocfs2/localalloc.c
56622 +++ b/fs/ocfs2/localalloc.c
56623 @@ -1278,7 +1278,7 @@ static int ocfs2_local_alloc_slide_window(struct ocfs2_super *osb,
56627 - atomic_inc(&osb->alloc_stats.moves);
56628 + atomic_inc_unchecked(&osb->alloc_stats.moves);
56632 diff --git a/fs/ocfs2/move_extents.c b/fs/ocfs2/move_extents.c
56633 index f1fc172..452068b 100644
56634 --- a/fs/ocfs2/move_extents.c
56635 +++ b/fs/ocfs2/move_extents.c
56636 @@ -69,7 +69,7 @@ static int __ocfs2_move_extent(handle_t *handle,
56637 u64 ino = ocfs2_metadata_cache_owner(context->et.et_ci);
56638 u64 old_blkno = ocfs2_clusters_to_blocks(inode->i_sb, p_cpos);
56640 - ret = ocfs2_duplicate_clusters_by_page(handle, context->file, cpos,
56641 + ret = ocfs2_duplicate_clusters_by_page(handle, inode, cpos,
56642 p_cpos, new_p_cpos, len);
56645 diff --git a/fs/ocfs2/ocfs2.h b/fs/ocfs2/ocfs2.h
56646 index d355e6e..578d905 100644
56647 --- a/fs/ocfs2/ocfs2.h
56648 +++ b/fs/ocfs2/ocfs2.h
56649 @@ -235,11 +235,11 @@ enum ocfs2_vol_state
56651 struct ocfs2_alloc_stats
56654 - atomic_t local_data;
56655 - atomic_t bitmap_data;
56656 - atomic_t bg_allocs;
56657 - atomic_t bg_extends;
56658 + atomic_unchecked_t moves;
56659 + atomic_unchecked_t local_data;
56660 + atomic_unchecked_t bitmap_data;
56661 + atomic_unchecked_t bg_allocs;
56662 + atomic_unchecked_t bg_extends;
56665 enum ocfs2_local_alloc_state
56666 diff --git a/fs/ocfs2/refcounttree.c b/fs/ocfs2/refcounttree.c
56667 index 998b17e..aefe414 100644
56668 --- a/fs/ocfs2/refcounttree.c
56669 +++ b/fs/ocfs2/refcounttree.c
56672 struct ocfs2_cow_context {
56673 struct inode *inode;
56674 - struct file *file;
56677 struct ocfs2_extent_tree data_et;
56678 @@ -66,7 +65,7 @@ struct ocfs2_cow_context {
56680 unsigned int *extent_flags);
56681 int (*cow_duplicate_clusters)(handle_t *handle,
56682 - struct file *file,
56683 + struct inode *inode,
56684 u32 cpos, u32 old_cluster,
56685 u32 new_cluster, u32 new_len);
56687 @@ -2922,14 +2921,12 @@ static int ocfs2_clear_cow_buffer(handle_t *handle, struct buffer_head *bh)
56690 int ocfs2_duplicate_clusters_by_page(handle_t *handle,
56691 - struct file *file,
56692 + struct inode *inode,
56693 u32 cpos, u32 old_cluster,
56694 u32 new_cluster, u32 new_len)
56696 int ret = 0, partial;
56697 - struct inode *inode = file_inode(file);
56698 - struct ocfs2_caching_info *ci = INODE_CACHE(inode);
56699 - struct super_block *sb = ocfs2_metadata_cache_get_super(ci);
56700 + struct super_block *sb = inode->i_sb;
56701 u64 new_block = ocfs2_clusters_to_blocks(sb, new_cluster);
56703 pgoff_t page_index;
56704 @@ -2973,13 +2970,6 @@ int ocfs2_duplicate_clusters_by_page(handle_t *handle,
56705 if (PAGE_CACHE_SIZE <= OCFS2_SB(sb)->s_clustersize)
56706 BUG_ON(PageDirty(page));
56708 - if (PageReadahead(page)) {
56709 - page_cache_async_readahead(mapping,
56710 - &file->f_ra, file,
56711 - page, page_index,
56712 - readahead_pages);
56715 if (!PageUptodate(page)) {
56716 ret = block_read_full_page(page, ocfs2_get_block);
56718 @@ -2999,7 +2989,8 @@ int ocfs2_duplicate_clusters_by_page(handle_t *handle,
56722 - ocfs2_map_and_dirty_page(inode, handle, from, to,
56723 + ocfs2_map_and_dirty_page(inode,
56724 + handle, from, to,
56725 page, 0, &new_block);
56726 mark_page_accessed(page);
56728 @@ -3015,12 +3006,11 @@ unlock:
56731 int ocfs2_duplicate_clusters_by_jbd(handle_t *handle,
56732 - struct file *file,
56733 + struct inode *inode,
56734 u32 cpos, u32 old_cluster,
56735 u32 new_cluster, u32 new_len)
56738 - struct inode *inode = file_inode(file);
56739 struct super_block *sb = inode->i_sb;
56740 struct ocfs2_caching_info *ci = INODE_CACHE(inode);
56741 int i, blocks = ocfs2_clusters_to_blocks(sb, new_len);
56742 @@ -3145,7 +3135,7 @@ static int ocfs2_replace_clusters(handle_t *handle,
56744 /*If the old clusters is unwritten, no need to duplicate. */
56745 if (!(ext_flags & OCFS2_EXT_UNWRITTEN)) {
56746 - ret = context->cow_duplicate_clusters(handle, context->file,
56747 + ret = context->cow_duplicate_clusters(handle, context->inode,
56748 cpos, old, new, len);
56751 @@ -3423,35 +3413,12 @@ static int ocfs2_replace_cow(struct ocfs2_cow_context *context)
56755 -static void ocfs2_readahead_for_cow(struct inode *inode,
56756 - struct file *file,
56757 - u32 start, u32 len)
56759 - struct address_space *mapping;
56761 - unsigned long num_pages;
56762 - int cs_bits = OCFS2_SB(inode->i_sb)->s_clustersize_bits;
56767 - mapping = file->f_mapping;
56768 - num_pages = (len << cs_bits) >> PAGE_CACHE_SHIFT;
56772 - index = ((loff_t)start << cs_bits) >> PAGE_CACHE_SHIFT;
56773 - page_cache_sync_readahead(mapping, &file->f_ra, file,
56774 - index, num_pages);
56778 * Starting at cpos, try to CoW write_len clusters. Don't CoW
56779 * past max_cpos. This will stop when it runs into a hole or an
56780 * unrefcounted extent.
56782 static int ocfs2_refcount_cow_hunk(struct inode *inode,
56783 - struct file *file,
56784 struct buffer_head *di_bh,
56785 u32 cpos, u32 write_len, u32 max_cpos)
56787 @@ -3480,8 +3447,6 @@ static int ocfs2_refcount_cow_hunk(struct inode *inode,
56789 BUG_ON(cow_len == 0);
56791 - ocfs2_readahead_for_cow(inode, file, cow_start, cow_len);
56793 context = kzalloc(sizeof(struct ocfs2_cow_context), GFP_NOFS);
56796 @@ -3503,7 +3468,6 @@ static int ocfs2_refcount_cow_hunk(struct inode *inode,
56797 context->ref_root_bh = ref_root_bh;
56798 context->cow_duplicate_clusters = ocfs2_duplicate_clusters_by_page;
56799 context->get_clusters = ocfs2_di_get_clusters;
56800 - context->file = file;
56802 ocfs2_init_dinode_extent_tree(&context->data_et,
56803 INODE_CACHE(inode), di_bh);
56804 @@ -3532,7 +3496,6 @@ out:
56805 * clusters between cpos and cpos+write_len are safe to modify.
56807 int ocfs2_refcount_cow(struct inode *inode,
56808 - struct file *file,
56809 struct buffer_head *di_bh,
56810 u32 cpos, u32 write_len, u32 max_cpos)
56812 @@ -3552,7 +3515,7 @@ int ocfs2_refcount_cow(struct inode *inode,
56813 num_clusters = write_len;
56815 if (ext_flags & OCFS2_EXT_REFCOUNTED) {
56816 - ret = ocfs2_refcount_cow_hunk(inode, file, di_bh, cpos,
56817 + ret = ocfs2_refcount_cow_hunk(inode, di_bh, cpos,
56818 num_clusters, max_cpos);
56821 diff --git a/fs/ocfs2/refcounttree.h b/fs/ocfs2/refcounttree.h
56822 index 7754608..6422bbcdb 100644
56823 --- a/fs/ocfs2/refcounttree.h
56824 +++ b/fs/ocfs2/refcounttree.h
56825 @@ -53,7 +53,7 @@ int ocfs2_prepare_refcount_change_for_del(struct inode *inode,
56828 int ocfs2_refcount_cow(struct inode *inode,
56829 - struct file *filep, struct buffer_head *di_bh,
56830 + struct buffer_head *di_bh,
56831 u32 cpos, u32 write_len, u32 max_cpos);
56833 typedef int (ocfs2_post_refcount_func)(struct inode *inode,
56834 @@ -85,11 +85,11 @@ int ocfs2_refcount_cow_xattr(struct inode *inode,
56835 u32 cpos, u32 write_len,
56836 struct ocfs2_post_refcount *post);
56837 int ocfs2_duplicate_clusters_by_page(handle_t *handle,
56838 - struct file *file,
56839 + struct inode *inode,
56840 u32 cpos, u32 old_cluster,
56841 u32 new_cluster, u32 new_len);
56842 int ocfs2_duplicate_clusters_by_jbd(handle_t *handle,
56843 - struct file *file,
56844 + struct inode *inode,
56845 u32 cpos, u32 old_cluster,
56846 u32 new_cluster, u32 new_len);
56847 int ocfs2_cow_sync_writeback(struct super_block *sb,
56848 diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c
56849 index b7e74b5..19c6536 100644
56850 --- a/fs/ocfs2/suballoc.c
56851 +++ b/fs/ocfs2/suballoc.c
56852 @@ -872,7 +872,7 @@ static int ocfs2_reserve_suballoc_bits(struct ocfs2_super *osb,
56853 mlog_errno(status);
56856 - atomic_inc(&osb->alloc_stats.bg_extends);
56857 + atomic_inc_unchecked(&osb->alloc_stats.bg_extends);
56859 /* You should never ask for this much metadata */
56860 BUG_ON(bits_wanted >
56861 @@ -2007,7 +2007,7 @@ int ocfs2_claim_metadata(handle_t *handle,
56862 mlog_errno(status);
56865 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
56866 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
56868 *suballoc_loc = res.sr_bg_blkno;
56869 *suballoc_bit_start = res.sr_bit_offset;
56870 @@ -2171,7 +2171,7 @@ int ocfs2_claim_new_inode_at_loc(handle_t *handle,
56871 trace_ocfs2_claim_new_inode_at_loc((unsigned long long)di_blkno,
56874 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
56875 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
56877 BUG_ON(res->sr_bits != 1);
56879 @@ -2213,7 +2213,7 @@ int ocfs2_claim_new_inode(handle_t *handle,
56880 mlog_errno(status);
56883 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
56884 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
56886 BUG_ON(res.sr_bits != 1);
56888 @@ -2317,7 +2317,7 @@ int __ocfs2_claim_clusters(handle_t *handle,
56892 - atomic_inc(&osb->alloc_stats.local_data);
56893 + atomic_inc_unchecked(&osb->alloc_stats.local_data);
56895 if (min_clusters > (osb->bitmap_cpg - 1)) {
56896 /* The only paths asking for contiguousness
56897 @@ -2343,7 +2343,7 @@ int __ocfs2_claim_clusters(handle_t *handle,
56898 ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
56900 res.sr_bit_offset);
56901 - atomic_inc(&osb->alloc_stats.bitmap_data);
56902 + atomic_inc_unchecked(&osb->alloc_stats.bitmap_data);
56903 *num_clusters = res.sr_bits;
56906 diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c
56907 index 01b8516..579c4df 100644
56908 --- a/fs/ocfs2/super.c
56909 +++ b/fs/ocfs2/super.c
56910 @@ -301,11 +301,11 @@ static int ocfs2_osb_dump(struct ocfs2_super *osb, char *buf, int len)
56911 "%10s => GlobalAllocs: %d LocalAllocs: %d "
56912 "SubAllocs: %d LAWinMoves: %d SAExtends: %d\n",
56914 - atomic_read(&osb->alloc_stats.bitmap_data),
56915 - atomic_read(&osb->alloc_stats.local_data),
56916 - atomic_read(&osb->alloc_stats.bg_allocs),
56917 - atomic_read(&osb->alloc_stats.moves),
56918 - atomic_read(&osb->alloc_stats.bg_extends));
56919 + atomic_read_unchecked(&osb->alloc_stats.bitmap_data),
56920 + atomic_read_unchecked(&osb->alloc_stats.local_data),
56921 + atomic_read_unchecked(&osb->alloc_stats.bg_allocs),
56922 + atomic_read_unchecked(&osb->alloc_stats.moves),
56923 + atomic_read_unchecked(&osb->alloc_stats.bg_extends));
56925 out += snprintf(buf + out, len - out,
56926 "%10s => State: %u Descriptor: %llu Size: %u bits "
56927 @@ -2122,11 +2122,11 @@ static int ocfs2_initialize_super(struct super_block *sb,
56928 spin_lock_init(&osb->osb_xattr_lock);
56929 ocfs2_init_steal_slots(osb);
56931 - atomic_set(&osb->alloc_stats.moves, 0);
56932 - atomic_set(&osb->alloc_stats.local_data, 0);
56933 - atomic_set(&osb->alloc_stats.bitmap_data, 0);
56934 - atomic_set(&osb->alloc_stats.bg_allocs, 0);
56935 - atomic_set(&osb->alloc_stats.bg_extends, 0);
56936 + atomic_set_unchecked(&osb->alloc_stats.moves, 0);
56937 + atomic_set_unchecked(&osb->alloc_stats.local_data, 0);
56938 + atomic_set_unchecked(&osb->alloc_stats.bitmap_data, 0);
56939 + atomic_set_unchecked(&osb->alloc_stats.bg_allocs, 0);
56940 + atomic_set_unchecked(&osb->alloc_stats.bg_extends, 0);
56942 /* Copy the blockcheck stats from the superblock probe */
56943 osb->osb_ecc_stats = *stats;
56944 diff --git a/fs/open.c b/fs/open.c
56945 index 8c74100..4239c48 100644
56949 #include <linux/dnotify.h>
56950 #include <linux/compat.h>
56952 +#define CREATE_TRACE_POINTS
56953 +#include <trace/events/fs.h>
56954 #include "internal.h"
56956 int do_truncate(struct dentry *dentry, loff_t length, unsigned int time_attrs,
56957 @@ -102,6 +104,8 @@ long vfs_truncate(struct path *path, loff_t length)
56958 error = locks_verify_truncate(inode, NULL, length);
56960 error = security_path_truncate(path);
56961 + if (!error && !gr_acl_handle_truncate(path->dentry, path->mnt))
56964 error = do_truncate(path->dentry, length, 0, NULL);
56966 @@ -186,6 +190,8 @@ static long do_sys_ftruncate(unsigned int fd, loff_t length, int small)
56967 error = locks_verify_truncate(inode, f.file, length);
56969 error = security_path_truncate(&f.file->f_path);
56970 + if (!error && !gr_acl_handle_truncate(f.file->f_path.dentry, f.file->f_path.mnt))
56973 error = do_truncate(dentry, length, ATTR_MTIME|ATTR_CTIME, f.file);
56974 sb_end_write(inode->i_sb);
56975 @@ -360,6 +366,9 @@ retry:
56976 if (__mnt_is_readonly(path.mnt))
56979 + if (!res && !gr_acl_handle_access(path.dentry, path.mnt, mode))
56984 if (retry_estale(res, lookup_flags)) {
56985 @@ -391,6 +400,8 @@ retry:
56989 + gr_log_chdir(path.dentry, path.mnt);
56991 set_fs_pwd(current->fs, &path);
56994 @@ -420,6 +431,13 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd)
56997 error = inode_permission(inode, MAY_EXEC | MAY_CHDIR);
56999 + if (!error && !gr_chroot_fchdir(f.file->f_path.dentry, f.file->f_path.mnt))
57003 + gr_log_chdir(f.file->f_path.dentry, f.file->f_path.mnt);
57006 set_fs_pwd(current->fs, &f.file->f_path);
57008 @@ -449,7 +467,13 @@ retry:
57012 + if (gr_handle_chroot_chroot(path.dentry, path.mnt))
57013 + goto dput_and_out;
57015 set_fs_root(current->fs, &path);
57017 + gr_handle_chroot_chdir(&path);
57022 @@ -471,6 +495,16 @@ static int chmod_common(struct path *path, umode_t mode)
57025 mutex_lock(&inode->i_mutex);
57027 + if (!gr_acl_handle_chmod(path->dentry, path->mnt, &mode)) {
57031 + if (gr_handle_chroot_chmod(path->dentry, path->mnt, mode)) {
57036 error = security_path_chmod(path, mode);
57039 @@ -531,6 +565,9 @@ static int chown_common(struct path *path, uid_t user, gid_t group)
57040 uid = make_kuid(current_user_ns(), user);
57041 gid = make_kgid(current_user_ns(), group);
57043 + if (!gr_acl_handle_chown(path->dentry, path->mnt))
57046 newattrs.ia_valid = ATTR_CTIME;
57047 if (user != (uid_t) -1) {
57048 if (!uid_valid(uid))
57049 @@ -946,6 +983,7 @@ long do_sys_open(int dfd, const char __user *filename, int flags, umode_t mode)
57053 + trace_do_sys_open(tmp->name, flags, mode);
57057 diff --git a/fs/pipe.c b/fs/pipe.c
57058 index d2c45e1..009fe1c 100644
57061 @@ -56,7 +56,7 @@ unsigned int pipe_min_size = PAGE_SIZE;
57063 static void pipe_lock_nested(struct pipe_inode_info *pipe, int subclass)
57066 + if (atomic_read(&pipe->files))
57067 mutex_lock_nested(&pipe->mutex, subclass);
57070 @@ -71,7 +71,7 @@ EXPORT_SYMBOL(pipe_lock);
57072 void pipe_unlock(struct pipe_inode_info *pipe)
57075 + if (atomic_read(&pipe->files))
57076 mutex_unlock(&pipe->mutex);
57078 EXPORT_SYMBOL(pipe_unlock);
57079 @@ -449,9 +449,9 @@ redo:
57081 if (bufs) /* More to do? */
57083 - if (!pipe->writers)
57084 + if (!atomic_read(&pipe->writers))
57086 - if (!pipe->waiting_writers) {
57087 + if (!atomic_read(&pipe->waiting_writers)) {
57088 /* syscall merging: Usually we must not sleep
57089 * if O_NONBLOCK is set, or if we got some data.
57090 * But if a writer sleeps in kernel space, then
57091 @@ -513,7 +513,7 @@ pipe_write(struct kiocb *iocb, const struct iovec *_iov,
57095 - if (!pipe->readers) {
57096 + if (!atomic_read(&pipe->readers)) {
57097 send_sig(SIGPIPE, current, 0);
57100 @@ -562,7 +562,7 @@ redo1:
57104 - if (!pipe->readers) {
57105 + if (!atomic_read(&pipe->readers)) {
57106 send_sig(SIGPIPE, current, 0);
57109 @@ -653,9 +653,9 @@ redo2:
57110 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
57113 - pipe->waiting_writers++;
57114 + atomic_inc(&pipe->waiting_writers);
57116 - pipe->waiting_writers--;
57117 + atomic_dec(&pipe->waiting_writers);
57120 __pipe_unlock(pipe);
57121 @@ -709,7 +709,7 @@ pipe_poll(struct file *filp, poll_table *wait)
57123 if (filp->f_mode & FMODE_READ) {
57124 mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
57125 - if (!pipe->writers && filp->f_version != pipe->w_counter)
57126 + if (!atomic_read(&pipe->writers) && filp->f_version != pipe->w_counter)
57130 @@ -719,7 +719,7 @@ pipe_poll(struct file *filp, poll_table *wait)
57131 * Most Unices do not set POLLERR for FIFOs but on Linux they
57132 * behave exactly like pipes for poll().
57134 - if (!pipe->readers)
57135 + if (!atomic_read(&pipe->readers))
57139 @@ -734,17 +734,17 @@ pipe_release(struct inode *inode, struct file *file)
57142 if (file->f_mode & FMODE_READ)
57144 + atomic_dec(&pipe->readers);
57145 if (file->f_mode & FMODE_WRITE)
57147 + atomic_dec(&pipe->writers);
57149 - if (pipe->readers || pipe->writers) {
57150 + if (atomic_read(&pipe->readers) || atomic_read(&pipe->writers)) {
57151 wake_up_interruptible_sync_poll(&pipe->wait, POLLIN | POLLOUT | POLLRDNORM | POLLWRNORM | POLLERR | POLLHUP);
57152 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
57153 kill_fasync(&pipe->fasync_writers, SIGIO, POLL_OUT);
57155 spin_lock(&inode->i_lock);
57156 - if (!--pipe->files) {
57157 + if (atomic_dec_and_test(&pipe->files)) {
57158 inode->i_pipe = NULL;
57161 @@ -811,7 +811,7 @@ void free_pipe_info(struct pipe_inode_info *pipe)
57165 -static struct vfsmount *pipe_mnt __read_mostly;
57166 +struct vfsmount *pipe_mnt __read_mostly;
57169 * pipefs_dname() is called from d_path().
57170 @@ -841,8 +841,9 @@ static struct inode * get_pipe_inode(void)
57173 inode->i_pipe = pipe;
57175 - pipe->readers = pipe->writers = 1;
57176 + atomic_set(&pipe->files, 2);
57177 + atomic_set(&pipe->readers, 1);
57178 + atomic_set(&pipe->writers, 1);
57179 inode->i_fop = &pipefifo_fops;
57182 @@ -1022,17 +1023,17 @@ static int fifo_open(struct inode *inode, struct file *filp)
57183 spin_lock(&inode->i_lock);
57184 if (inode->i_pipe) {
57185 pipe = inode->i_pipe;
57187 + atomic_inc(&pipe->files);
57188 spin_unlock(&inode->i_lock);
57190 spin_unlock(&inode->i_lock);
57191 pipe = alloc_pipe_info();
57195 + atomic_set(&pipe->files, 1);
57196 spin_lock(&inode->i_lock);
57197 if (unlikely(inode->i_pipe)) {
57198 - inode->i_pipe->files++;
57199 + atomic_inc(&inode->i_pipe->files);
57200 spin_unlock(&inode->i_lock);
57201 free_pipe_info(pipe);
57202 pipe = inode->i_pipe;
57203 @@ -1057,10 +1058,10 @@ static int fifo_open(struct inode *inode, struct file *filp)
57204 * opened, even when there is no process writing the FIFO.
57207 - if (pipe->readers++ == 0)
57208 + if (atomic_inc_return(&pipe->readers) == 1)
57209 wake_up_partner(pipe);
57211 - if (!is_pipe && !pipe->writers) {
57212 + if (!is_pipe && !atomic_read(&pipe->writers)) {
57213 if ((filp->f_flags & O_NONBLOCK)) {
57214 /* suppress POLLHUP until we have
57216 @@ -1079,14 +1080,14 @@ static int fifo_open(struct inode *inode, struct file *filp)
57217 * errno=ENXIO when there is no process reading the FIFO.
57220 - if (!is_pipe && (filp->f_flags & O_NONBLOCK) && !pipe->readers)
57221 + if (!is_pipe && (filp->f_flags & O_NONBLOCK) && !atomic_read(&pipe->readers))
57225 - if (!pipe->writers++)
57226 + if (atomic_inc_return(&pipe->writers) == 1)
57227 wake_up_partner(pipe);
57229 - if (!is_pipe && !pipe->readers) {
57230 + if (!is_pipe && !atomic_read(&pipe->readers)) {
57231 if (wait_for_partner(pipe, &pipe->r_counter))
57234 @@ -1100,11 +1101,11 @@ static int fifo_open(struct inode *inode, struct file *filp)
57235 * the process can at least talk to itself.
57240 + atomic_inc(&pipe->readers);
57241 + atomic_inc(&pipe->writers);
57244 - if (pipe->readers == 1 || pipe->writers == 1)
57245 + if (atomic_read(&pipe->readers) == 1 || atomic_read(&pipe->writers) == 1)
57246 wake_up_partner(pipe);
57249 @@ -1118,20 +1119,20 @@ static int fifo_open(struct inode *inode, struct file *filp)
57253 - if (!--pipe->readers)
57254 + if (atomic_dec_and_test(&pipe->readers))
57255 wake_up_interruptible(&pipe->wait);
57256 ret = -ERESTARTSYS;
57260 - if (!--pipe->writers)
57261 + if (atomic_dec_and_test(&pipe->writers))
57262 wake_up_interruptible(&pipe->wait);
57263 ret = -ERESTARTSYS;
57267 spin_lock(&inode->i_lock);
57268 - if (!--pipe->files) {
57269 + if (atomic_dec_and_test(&pipe->files)) {
57270 inode->i_pipe = NULL;
57273 diff --git a/fs/proc/Kconfig b/fs/proc/Kconfig
57274 index 15af622..0e9f4467 100644
57275 --- a/fs/proc/Kconfig
57276 +++ b/fs/proc/Kconfig
57277 @@ -30,12 +30,12 @@ config PROC_FS
57280 bool "/proc/kcore support" if !ARM
57281 - depends on PROC_FS && MMU
57282 + depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
57285 bool "/proc/vmcore support"
57286 - depends on PROC_FS && CRASH_DUMP
57288 + depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
57291 Exports the dump image of crashed kernel in ELF format.
57293 @@ -59,8 +59,8 @@ config PROC_SYSCTL
57296 config PROC_PAGE_MONITOR
57298 - depends on PROC_FS && MMU
57300 + depends on PROC_FS && MMU && !GRKERNSEC
57301 bool "Enable /proc page monitoring" if EXPERT
57303 Various /proc files exist to monitor process memory utilization:
57304 diff --git a/fs/proc/array.c b/fs/proc/array.c
57305 index cbd0f1b..adec3f0 100644
57306 --- a/fs/proc/array.c
57307 +++ b/fs/proc/array.c
57309 #include <linux/tty.h>
57310 #include <linux/string.h>
57311 #include <linux/mman.h>
57312 +#include <linux/grsecurity.h>
57313 #include <linux/proc_fs.h>
57314 #include <linux/ioport.h>
57315 #include <linux/uaccess.h>
57316 @@ -363,6 +364,21 @@ static void task_cpus_allowed(struct seq_file *m, struct task_struct *task)
57320 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
57321 +static inline void task_pax(struct seq_file *m, struct task_struct *p)
57324 + seq_printf(m, "PaX:\t%c%c%c%c%c\n",
57325 + p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
57326 + p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
57327 + p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
57328 + p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
57329 + p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
57331 + seq_printf(m, "PaX:\t-----\n");
57335 int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
57336 struct pid *pid, struct task_struct *task)
57338 @@ -381,9 +397,24 @@ int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
57339 task_cpus_allowed(m, task);
57340 cpuset_task_status_allowed(m, task);
57341 task_context_switch_counts(m, task);
57343 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
57344 + task_pax(m, task);
57347 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
57348 + task_grsec_rbac(m, task);
57354 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
57355 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
57356 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
57357 + _mm->pax_flags & MF_PAX_SEGMEXEC))
57360 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
57361 struct pid *pid, struct task_struct *task, int whole)
57363 @@ -405,6 +436,13 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
57364 char tcomm[sizeof(task->comm)];
57365 unsigned long flags;
57367 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
57368 + if (current->exec_id != m->exec_id) {
57369 + gr_log_badprocpid("stat");
57374 state = *get_task_state(task);
57375 vsize = eip = esp = 0;
57376 permitted = ptrace_may_access(task, PTRACE_MODE_READ | PTRACE_MODE_NOAUDIT);
57377 @@ -476,6 +514,19 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
57378 gtime = task_gtime(task);
57381 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
57382 + if (PAX_RAND_FLAGS(mm)) {
57388 +#ifdef CONFIG_GRKERNSEC_HIDESYM
57394 /* scale priority and nice values from timeslices to -20..20 */
57395 /* to make it look like a "normal" Unix priority/nice value */
57396 priority = task_prio(task);
57397 @@ -512,9 +563,15 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
57398 seq_put_decimal_ull(m, ' ', vsize);
57399 seq_put_decimal_ull(m, ' ', mm ? get_mm_rss(mm) : 0);
57400 seq_put_decimal_ull(m, ' ', rsslim);
57401 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
57402 + seq_put_decimal_ull(m, ' ', PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->start_code : 1) : 0));
57403 + seq_put_decimal_ull(m, ' ', PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->end_code : 1) : 0));
57404 + seq_put_decimal_ull(m, ' ', PAX_RAND_FLAGS(mm) ? 0 : ((permitted && mm) ? mm->start_stack : 0));
57406 seq_put_decimal_ull(m, ' ', mm ? (permitted ? mm->start_code : 1) : 0);
57407 seq_put_decimal_ull(m, ' ', mm ? (permitted ? mm->end_code : 1) : 0);
57408 seq_put_decimal_ull(m, ' ', (permitted && mm) ? mm->start_stack : 0);
57410 seq_put_decimal_ull(m, ' ', esp);
57411 seq_put_decimal_ull(m, ' ', eip);
57412 /* The signal information here is obsolete.
57413 @@ -536,7 +593,11 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
57414 seq_put_decimal_ull(m, ' ', cputime_to_clock_t(gtime));
57415 seq_put_decimal_ll(m, ' ', cputime_to_clock_t(cgtime));
57417 - if (mm && permitted) {
57418 + if (mm && permitted
57419 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
57420 + && !PAX_RAND_FLAGS(mm)
57423 seq_put_decimal_ull(m, ' ', mm->start_data);
57424 seq_put_decimal_ull(m, ' ', mm->end_data);
57425 seq_put_decimal_ull(m, ' ', mm->start_brk);
57426 @@ -574,8 +635,15 @@ int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
57427 struct pid *pid, struct task_struct *task)
57429 unsigned long size = 0, resident = 0, shared = 0, text = 0, data = 0;
57430 - struct mm_struct *mm = get_task_mm(task);
57431 + struct mm_struct *mm;
57433 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
57434 + if (current->exec_id != m->exec_id) {
57435 + gr_log_badprocpid("statm");
57439 + mm = get_task_mm(task);
57441 size = task_statm(mm, &shared, &text, &data, &resident);
57443 @@ -598,6 +666,13 @@ int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
57447 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
57448 +int proc_pid_ipaddr(struct task_struct *task, char *buffer)
57450 + return sprintf(buffer, "%pI4\n", &task->signal->curr_ip);
57454 #ifdef CONFIG_CHECKPOINT_RESTORE
57455 static struct pid *
57456 get_children_pid(struct inode *inode, struct pid *pid_prev, loff_t pos)
57457 diff --git a/fs/proc/base.c b/fs/proc/base.c
57458 index c3834da..b402b2b 100644
57459 --- a/fs/proc/base.c
57460 +++ b/fs/proc/base.c
57461 @@ -113,6 +113,14 @@ struct pid_entry {
57465 +struct getdents_callback {
57466 + struct linux_dirent __user * current_dir;
57467 + struct linux_dirent __user * previous;
57468 + struct file * file;
57473 #define NOD(NAME, MODE, IOP, FOP, OP) { \
57475 .len = sizeof(NAME) - 1, \
57476 @@ -210,6 +218,9 @@ static int proc_pid_cmdline(struct task_struct *task, char * buffer)
57478 goto out_mm; /* Shh! No looking before we're done */
57480 + if (gr_acl_handle_procpidmem(task))
57483 len = mm->arg_end - mm->arg_start;
57485 if (len > PAGE_SIZE)
57486 @@ -237,12 +248,28 @@ out:
57490 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
57491 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
57492 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
57493 + _mm->pax_flags & MF_PAX_SEGMEXEC))
57496 static int proc_pid_auxv(struct task_struct *task, char *buffer)
57498 struct mm_struct *mm = mm_access(task, PTRACE_MODE_READ);
57499 int res = PTR_ERR(mm);
57500 if (mm && !IS_ERR(mm)) {
57501 unsigned int nwords = 0;
57503 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
57504 + /* allow if we're currently ptracing this task */
57505 + if (PAX_RAND_FLAGS(mm) &&
57506 + (!(task->ptrace & PT_PTRACED) || (task->parent != current))) {
57514 } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
57515 @@ -256,7 +283,7 @@ static int proc_pid_auxv(struct task_struct *task, char *buffer)
57519 -#ifdef CONFIG_KALLSYMS
57520 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
57522 * Provides a wchan file via kallsyms in a proper one-value-per-file format.
57523 * Returns the resolved symbol. If that fails, simply return the address.
57524 @@ -295,7 +322,7 @@ static void unlock_trace(struct task_struct *task)
57525 mutex_unlock(&task->signal->cred_guard_mutex);
57528 -#ifdef CONFIG_STACKTRACE
57529 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
57531 #define MAX_STACK_TRACE_DEPTH 64
57533 @@ -518,7 +545,7 @@ static int proc_pid_limits(struct task_struct *task, char *buffer)
57537 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
57538 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
57539 static int proc_pid_syscall(struct task_struct *task, char *buffer)
57542 @@ -547,7 +574,7 @@ static int proc_pid_syscall(struct task_struct *task, char *buffer)
57543 /************************************************************************/
57545 /* permission checks */
57546 -static int proc_fd_access_allowed(struct inode *inode)
57547 +static int proc_fd_access_allowed(struct inode *inode, unsigned int log)
57549 struct task_struct *task;
57551 @@ -557,7 +584,10 @@ static int proc_fd_access_allowed(struct inode *inode)
57553 task = get_proc_task(inode);
57555 - allowed = ptrace_may_access(task, PTRACE_MODE_READ);
57557 + allowed = ptrace_may_access(task, PTRACE_MODE_READ);
57559 + allowed = ptrace_may_access(task, PTRACE_MODE_READ | PTRACE_MODE_NOAUDIT);
57560 put_task_struct(task);
57563 @@ -588,10 +618,35 @@ static bool has_pid_permissions(struct pid_namespace *pid,
57564 struct task_struct *task,
57567 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
57570 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
57573 + const struct cred *tmpcred = current_cred();
57574 + const struct cred *cred = __task_cred(task);
57576 + if (uid_eq(tmpcred->uid, GLOBAL_ROOT_UID) || uid_eq(tmpcred->uid, cred->uid)
57577 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
57578 + || in_group_p(grsec_proc_gid)
57581 + rcu_read_unlock();
57585 + rcu_read_unlock();
57587 + if (!pid->hide_pid)
57591 if (pid->hide_pid < hide_pid_min)
57593 if (in_group_p(pid->pid_gid))
57596 return ptrace_may_access(task, PTRACE_MODE_READ);
57599 @@ -609,7 +664,11 @@ static int proc_pid_permission(struct inode *inode, int mask)
57600 put_task_struct(task);
57603 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
57606 if (pid->hide_pid == 2) {
57609 * Let's make getdents(), stat(), and open()
57610 * consistent with each other. If a process
57611 @@ -707,6 +766,11 @@ static int __mem_open(struct inode *inode, struct file *file, unsigned int mode)
57615 + if (gr_acl_handle_procpidmem(task)) {
57616 + put_task_struct(task);
57620 mm = mm_access(task, mode);
57621 put_task_struct(task);
57623 @@ -722,6 +786,10 @@ static int __mem_open(struct inode *inode, struct file *file, unsigned int mode)
57625 file->private_data = mm;
57627 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
57628 + file->f_version = current->exec_id;
57634 @@ -743,6 +811,17 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
57638 +#ifdef CONFIG_GRKERNSEC
57642 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
57643 + if (file->f_version != current->exec_id) {
57644 + gr_log_badprocpid("mem");
57652 @@ -755,7 +834,7 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
57655 while (count > 0) {
57656 - int this_len = min_t(int, count, PAGE_SIZE);
57657 + ssize_t this_len = min_t(ssize_t, count, PAGE_SIZE);
57659 if (write && copy_from_user(page, buf, this_len)) {
57661 @@ -847,6 +926,13 @@ static ssize_t environ_read(struct file *file, char __user *buf,
57665 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
57666 + if (file->f_version != current->exec_id) {
57667 + gr_log_badprocpid("environ");
57672 page = (char *)__get_free_page(GFP_TEMPORARY);
57675 @@ -856,7 +942,7 @@ static ssize_t environ_read(struct file *file, char __user *buf,
57677 while (count > 0) {
57678 size_t this_len, max_len;
57682 if (src >= (mm->env_end - mm->env_start))
57684 @@ -1461,7 +1547,7 @@ static void *proc_pid_follow_link(struct dentry *dentry, struct nameidata *nd)
57685 int error = -EACCES;
57687 /* Are we allowed to snoop on the tasks file descriptors? */
57688 - if (!proc_fd_access_allowed(inode))
57689 + if (!proc_fd_access_allowed(inode, 0))
57692 error = PROC_I(inode)->op.proc_get_link(dentry, &path);
57693 @@ -1505,8 +1591,18 @@ static int proc_pid_readlink(struct dentry * dentry, char __user * buffer, int b
57696 /* Are we allowed to snoop on the tasks file descriptors? */
57697 - if (!proc_fd_access_allowed(inode))
57699 + /* logging this is needed for learning on chromium to work properly,
57700 + but we don't want to flood the logs from 'ps' which does a readlink
57701 + on /proc/fd/2 of tasks in the listing, nor do we want 'ps' to learn
57702 + CAP_SYS_PTRACE as it's not necessary for its basic functionality
57704 + if (dentry->d_name.name[0] == '2' && dentry->d_name.name[1] == '\0') {
57705 + if (!proc_fd_access_allowed(inode,0))
57708 + if (!proc_fd_access_allowed(inode,1))
57712 error = PROC_I(inode)->op.proc_get_link(dentry, &path);
57714 @@ -1556,7 +1652,11 @@ struct inode *proc_pid_make_inode(struct super_block * sb, struct task_struct *t
57716 cred = __task_cred(task);
57717 inode->i_uid = cred->euid;
57718 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
57719 + inode->i_gid = grsec_proc_gid;
57721 inode->i_gid = cred->egid;
57725 security_task_to_inode(task, inode);
57726 @@ -1592,10 +1692,19 @@ int pid_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat)
57729 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
57730 +#ifdef CONFIG_GRKERNSEC_PROC_USER
57731 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
57732 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
57733 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
57735 task_dumpable(task)) {
57736 cred = __task_cred(task);
57737 stat->uid = cred->euid;
57738 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
57739 + stat->gid = grsec_proc_gid;
57741 stat->gid = cred->egid;
57746 @@ -1633,11 +1742,20 @@ int pid_revalidate(struct dentry *dentry, unsigned int flags)
57749 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
57750 +#ifdef CONFIG_GRKERNSEC_PROC_USER
57751 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
57752 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
57753 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
57755 task_dumpable(task)) {
57757 cred = __task_cred(task);
57758 inode->i_uid = cred->euid;
57759 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
57760 + inode->i_gid = grsec_proc_gid;
57762 inode->i_gid = cred->egid;
57766 inode->i_uid = GLOBAL_ROOT_UID;
57767 @@ -2196,6 +2314,9 @@ static struct dentry *proc_pident_lookup(struct inode *dir,
57771 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
57775 * Yes, it does not scale. And it should not. Don't add
57776 * new entries into /proc/<tgid>/ without very good reasons.
57777 @@ -2240,6 +2361,9 @@ static int proc_pident_readdir(struct file *filp,
57781 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
57787 @@ -2653,7 +2777,7 @@ static const struct pid_entry tgid_base_stuff[] = {
57788 REG("autogroup", S_IRUGO|S_IWUSR, proc_pid_sched_autogroup_operations),
57790 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
57791 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
57792 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
57793 INF("syscall", S_IRUGO, proc_pid_syscall),
57795 INF("cmdline", S_IRUGO, proc_pid_cmdline),
57796 @@ -2678,10 +2802,10 @@ static const struct pid_entry tgid_base_stuff[] = {
57797 #ifdef CONFIG_SECURITY
57798 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
57800 -#ifdef CONFIG_KALLSYMS
57801 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
57802 INF("wchan", S_IRUGO, proc_pid_wchan),
57804 -#ifdef CONFIG_STACKTRACE
57805 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
57806 ONE("stack", S_IRUGO, proc_pid_stack),
57808 #ifdef CONFIG_SCHEDSTATS
57809 @@ -2715,6 +2839,9 @@ static const struct pid_entry tgid_base_stuff[] = {
57810 #ifdef CONFIG_HARDWALL
57811 INF("hardwall", S_IRUGO, proc_pid_hardwall),
57813 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
57814 + INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
57816 #ifdef CONFIG_USER_NS
57817 REG("uid_map", S_IRUGO|S_IWUSR, proc_uid_map_operations),
57818 REG("gid_map", S_IRUGO|S_IWUSR, proc_gid_map_operations),
57819 @@ -2847,7 +2974,14 @@ static struct dentry *proc_pid_instantiate(struct inode *dir,
57823 +#ifdef CONFIG_GRKERNSEC_PROC_USER
57824 + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
57825 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
57826 + inode->i_gid = grsec_proc_gid;
57827 + inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
57829 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
57831 inode->i_op = &proc_tgid_base_inode_operations;
57832 inode->i_fop = &proc_tgid_base_operations;
57833 inode->i_flags|=S_IMMUTABLE;
57834 @@ -2885,7 +3019,11 @@ struct dentry *proc_pid_lookup(struct inode *dir, struct dentry * dentry, unsign
57838 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
57839 + goto out_put_task;
57841 result = proc_pid_instantiate(dir, dentry, task, NULL);
57843 put_task_struct(task);
57846 @@ -2948,6 +3086,8 @@ static int proc_pid_fill_cache(struct file *filp, void *dirent, filldir_t filldi
57847 static int fake_filldir(void *buf, const char *name, int namelen,
57848 loff_t offset, u64 ino, unsigned d_type)
57850 + struct getdents_callback * __buf = (struct getdents_callback *) buf;
57851 + __buf->error = -EINVAL;
57855 @@ -3007,7 +3147,7 @@ static const struct pid_entry tid_base_stuff[] = {
57856 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
57858 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
57859 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
57860 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
57861 INF("syscall", S_IRUGO, proc_pid_syscall),
57863 INF("cmdline", S_IRUGO, proc_pid_cmdline),
57864 @@ -3034,10 +3174,10 @@ static const struct pid_entry tid_base_stuff[] = {
57865 #ifdef CONFIG_SECURITY
57866 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
57868 -#ifdef CONFIG_KALLSYMS
57869 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
57870 INF("wchan", S_IRUGO, proc_pid_wchan),
57872 -#ifdef CONFIG_STACKTRACE
57873 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
57874 ONE("stack", S_IRUGO, proc_pid_stack),
57876 #ifdef CONFIG_SCHEDSTATS
57877 diff --git a/fs/proc/cmdline.c b/fs/proc/cmdline.c
57878 index 82676e3..5f8518a 100644
57879 --- a/fs/proc/cmdline.c
57880 +++ b/fs/proc/cmdline.c
57881 @@ -23,7 +23,11 @@ static const struct file_operations cmdline_proc_fops = {
57883 static int __init proc_cmdline_init(void)
57885 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
57886 + proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
57888 proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
57892 module_init(proc_cmdline_init);
57893 diff --git a/fs/proc/devices.c b/fs/proc/devices.c
57894 index b143471..bb105e5 100644
57895 --- a/fs/proc/devices.c
57896 +++ b/fs/proc/devices.c
57897 @@ -64,7 +64,11 @@ static const struct file_operations proc_devinfo_operations = {
57899 static int __init proc_devices_init(void)
57901 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
57902 + proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
57904 proc_create("devices", 0, NULL, &proc_devinfo_operations);
57908 module_init(proc_devices_init);
57909 diff --git a/fs/proc/fd.c b/fs/proc/fd.c
57910 index d7a4a28..0201742 100644
57913 @@ -25,7 +25,8 @@ static int seq_show(struct seq_file *m, void *v)
57917 - files = get_files_struct(task);
57918 + if (!gr_acl_handle_procpidmem(task))
57919 + files = get_files_struct(task);
57920 put_task_struct(task);
57923 @@ -302,11 +303,21 @@ static struct dentry *proc_lookupfd(struct inode *dir, struct dentry *dentry,
57925 int proc_fd_permission(struct inode *inode, int mask)
57927 + struct task_struct *task;
57928 int rv = generic_permission(inode, mask);
57932 if (task_pid(current) == proc_pid(inode))
57935 + task = get_proc_task(inode);
57936 + if (task == NULL)
57939 + if (gr_acl_handle_procpidmem(task))
57942 + put_task_struct(task);
57947 diff --git a/fs/proc/inode.c b/fs/proc/inode.c
57948 index 073aea6..0630370 100644
57949 --- a/fs/proc/inode.c
57950 +++ b/fs/proc/inode.c
57951 @@ -23,11 +23,17 @@
57952 #include <linux/slab.h>
57953 #include <linux/mount.h>
57954 #include <linux/magic.h>
57955 +#include <linux/grsecurity.h>
57957 #include <asm/uaccess.h>
57959 #include "internal.h"
57961 +#ifdef CONFIG_PROC_SYSCTL
57962 +extern const struct inode_operations proc_sys_inode_operations;
57963 +extern const struct inode_operations proc_sys_dir_operations;
57966 static void proc_evict_inode(struct inode *inode)
57968 struct proc_dir_entry *de;
57969 @@ -55,6 +61,13 @@ static void proc_evict_inode(struct inode *inode)
57970 ns = PROC_I(inode)->ns.ns;
57974 +#ifdef CONFIG_PROC_SYSCTL
57975 + if (inode->i_op == &proc_sys_inode_operations ||
57976 + inode->i_op == &proc_sys_dir_operations)
57977 + gr_handle_delete(inode->i_ino, inode->i_sb->s_dev);
57982 static struct kmem_cache * proc_inode_cachep;
57983 @@ -385,7 +398,11 @@ struct inode *proc_get_inode(struct super_block *sb, struct proc_dir_entry *de)
57985 inode->i_mode = de->mode;
57986 inode->i_uid = de->uid;
57987 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
57988 + inode->i_gid = grsec_proc_gid;
57990 inode->i_gid = de->gid;
57994 inode->i_size = de->size;
57995 diff --git a/fs/proc/internal.h b/fs/proc/internal.h
57996 index d600fb0..3b495fe 100644
57997 --- a/fs/proc/internal.h
57998 +++ b/fs/proc/internal.h
57999 @@ -155,6 +155,9 @@ extern int proc_pid_status(struct seq_file *, struct pid_namespace *,
58000 struct pid *, struct task_struct *);
58001 extern int proc_pid_statm(struct seq_file *, struct pid_namespace *,
58002 struct pid *, struct task_struct *);
58003 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
58004 +extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
58009 diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c
58010 index 0a22194..a9fc8c1 100644
58011 --- a/fs/proc/kcore.c
58012 +++ b/fs/proc/kcore.c
58013 @@ -484,9 +484,10 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
58014 * the addresses in the elf_phdr on our list.
58016 start = kc_offset_to_vaddr(*fpos - elf_buflen);
58017 - if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen)
58018 + tsz = PAGE_SIZE - (start & ~PAGE_MASK);
58019 + if (tsz > buflen)
58024 struct kcore_list *m;
58026 @@ -515,20 +516,23 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
58029 if (kern_addr_valid(start)) {
58032 + mm_segment_t oldfs;
58034 - n = copy_to_user(buffer, (char *)start, tsz);
58036 - * We cannot distinguish between fault on source
58037 - * and fault on destination. When this happens
58038 - * we clear too and hope it will trigger the
58042 - if (clear_user(buffer + tsz - n,
58044 + elf_buf = kmalloc(tsz, GFP_KERNEL);
58047 + oldfs = get_fs();
58048 + set_fs(KERNEL_DS);
58049 + if (!__copy_from_user(elf_buf, (const void __user *)start, tsz)) {
58051 + if (copy_to_user(buffer, elf_buf, tsz)) {
58059 if (clear_user(buffer, tsz))
58061 @@ -548,6 +552,9 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
58063 static int open_kcore(struct inode *inode, struct file *filp)
58065 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
58068 if (!capable(CAP_SYS_RAWIO))
58070 if (kcore_need_update)
58071 diff --git a/fs/proc/meminfo.c b/fs/proc/meminfo.c
58072 index 5aa847a..f77c8d4 100644
58073 --- a/fs/proc/meminfo.c
58074 +++ b/fs/proc/meminfo.c
58075 @@ -159,7 +159,7 @@ static int meminfo_proc_show(struct seq_file *m, void *v)
58077 vmi.largest_chunk >> 10
58078 #ifdef CONFIG_MEMORY_FAILURE
58079 - ,atomic_long_read(&num_poisoned_pages) << (PAGE_SHIFT - 10)
58080 + ,atomic_long_read_unchecked(&num_poisoned_pages) << (PAGE_SHIFT - 10)
58082 #ifdef CONFIG_TRANSPARENT_HUGEPAGE
58083 ,K(global_page_state(NR_ANON_TRANSPARENT_HUGEPAGES) *
58084 diff --git a/fs/proc/nommu.c b/fs/proc/nommu.c
58085 index ccfd99b..1b7e255 100644
58086 --- a/fs/proc/nommu.c
58087 +++ b/fs/proc/nommu.c
58088 @@ -66,7 +66,7 @@ static int nommu_region_show(struct seq_file *m, struct vm_region *region)
58091 seq_printf(m, "%*c", len, ' ');
58092 - seq_path(m, &file->f_path, "");
58093 + seq_path(m, &file->f_path, "\n\\");
58097 diff --git a/fs/proc/proc_net.c b/fs/proc/proc_net.c
58098 index 986e832..6e8e859 100644
58099 --- a/fs/proc/proc_net.c
58100 +++ b/fs/proc/proc_net.c
58102 #include <linux/nsproxy.h>
58103 #include <net/net_namespace.h>
58104 #include <linux/seq_file.h>
58105 +#include <linux/grsecurity.h>
58107 #include "internal.h"
58109 @@ -109,6 +110,17 @@ static struct net *get_proc_task_net(struct inode *dir)
58110 struct task_struct *task;
58111 struct nsproxy *ns;
58112 struct net *net = NULL;
58113 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
58114 + const struct cred *cred = current_cred();
58117 +#ifdef CONFIG_GRKERNSEC_PROC_USER
58118 + if (!uid_eq(cred->fsuid, GLOBAL_ROOT_UID))
58120 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
58121 + if (!uid_eq(cred->fsuid, GLOBAL_ROOT_UID) && !in_group_p(grsec_proc_gid))
58126 task = pid_task(proc_pid(dir), PIDTYPE_PID);
58127 diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
58128 index ac05f33..1e6dc7e 100644
58129 --- a/fs/proc/proc_sysctl.c
58130 +++ b/fs/proc/proc_sysctl.c
58131 @@ -13,11 +13,15 @@
58132 #include <linux/module.h>
58133 #include "internal.h"
58135 +extern int gr_handle_chroot_sysctl(const int op);
58136 +extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
58139 static const struct dentry_operations proc_sys_dentry_operations;
58140 static const struct file_operations proc_sys_file_operations;
58141 -static const struct inode_operations proc_sys_inode_operations;
58142 +const struct inode_operations proc_sys_inode_operations;
58143 static const struct file_operations proc_sys_dir_file_operations;
58144 -static const struct inode_operations proc_sys_dir_operations;
58145 +const struct inode_operations proc_sys_dir_operations;
58147 void proc_sys_poll_notify(struct ctl_table_poll *poll)
58149 @@ -467,6 +471,9 @@ static struct dentry *proc_sys_lookup(struct inode *dir, struct dentry *dentry,
58152 d_set_d_op(dentry, &proc_sys_dentry_operations);
58154 + gr_handle_proc_create(dentry, inode);
58156 d_add(dentry, inode);
58159 @@ -482,6 +489,7 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
58160 struct inode *inode = file_inode(filp);
58161 struct ctl_table_header *head = grab_header(inode);
58162 struct ctl_table *table = PROC_I(inode)->sysctl_entry;
58163 + int op = write ? MAY_WRITE : MAY_READ;
58167 @@ -493,7 +501,7 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
58168 * and won't be until we finish.
58171 - if (sysctl_perm(head, table, write ? MAY_WRITE : MAY_READ))
58172 + if (sysctl_perm(head, table, op))
58175 /* if that can happen at all, it should be -EINVAL, not -EISDIR */
58176 @@ -501,6 +509,22 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
58177 if (!table->proc_handler)
58180 +#ifdef CONFIG_GRKERNSEC
58182 + if (gr_handle_chroot_sysctl(op))
58184 + dget(filp->f_path.dentry);
58185 + if (gr_handle_sysctl_mod(filp->f_path.dentry->d_parent->d_name.name, table->procname, op)) {
58186 + dput(filp->f_path.dentry);
58189 + dput(filp->f_path.dentry);
58190 + if (!gr_acl_handle_open(filp->f_path.dentry, filp->f_path.mnt, op))
58192 + if (write && !capable(CAP_SYS_ADMIN))
58196 /* careful: calling conventions are nasty here */
58198 error = table->proc_handler(table, write, buf, &res, ppos);
58199 @@ -598,6 +622,9 @@ static int proc_sys_fill_cache(struct file *filp, void *dirent,
58202 d_set_d_op(child, &proc_sys_dentry_operations);
58204 + gr_handle_proc_create(child, inode);
58206 d_add(child, inode);
58209 @@ -641,6 +668,9 @@ static int scan(struct ctl_table_header *head, ctl_table *table,
58210 if ((*pos)++ < file->f_pos)
58213 + if (!gr_acl_handle_hidden_file(file->f_path.dentry, file->f_path.mnt))
58216 if (unlikely(S_ISLNK(table->mode)))
58217 res = proc_sys_link_fill_cache(file, dirent, filldir, head, table);
58219 @@ -751,6 +781,9 @@ static int proc_sys_getattr(struct vfsmount *mnt, struct dentry *dentry, struct
58221 return PTR_ERR(head);
58223 + if (table && !gr_acl_handle_hidden_file(dentry, mnt))
58226 generic_fillattr(inode, stat);
58228 stat->mode = (stat->mode & S_IFMT) | table->mode;
58229 @@ -773,13 +806,13 @@ static const struct file_operations proc_sys_dir_file_operations = {
58230 .llseek = generic_file_llseek,
58233 -static const struct inode_operations proc_sys_inode_operations = {
58234 +const struct inode_operations proc_sys_inode_operations = {
58235 .permission = proc_sys_permission,
58236 .setattr = proc_sys_setattr,
58237 .getattr = proc_sys_getattr,
58240 -static const struct inode_operations proc_sys_dir_operations = {
58241 +const struct inode_operations proc_sys_dir_operations = {
58242 .lookup = proc_sys_lookup,
58243 .permission = proc_sys_permission,
58244 .setattr = proc_sys_setattr,
58245 @@ -855,7 +888,7 @@ static struct ctl_dir *find_subdir(struct ctl_dir *dir,
58246 static struct ctl_dir *new_dir(struct ctl_table_set *set,
58247 const char *name, int namelen)
58249 - struct ctl_table *table;
58250 + ctl_table_no_const *table;
58251 struct ctl_dir *new;
58252 struct ctl_node *node;
58254 @@ -867,7 +900,7 @@ static struct ctl_dir *new_dir(struct ctl_table_set *set,
58257 node = (struct ctl_node *)(new + 1);
58258 - table = (struct ctl_table *)(node + 1);
58259 + table = (ctl_table_no_const *)(node + 1);
58260 new_name = (char *)(table + 2);
58261 memcpy(new_name, name, namelen);
58262 new_name[namelen] = '\0';
58263 @@ -1036,7 +1069,8 @@ static int sysctl_check_table(const char *path, struct ctl_table *table)
58264 static struct ctl_table_header *new_links(struct ctl_dir *dir, struct ctl_table *table,
58265 struct ctl_table_root *link_root)
58267 - struct ctl_table *link_table, *entry, *link;
58268 + ctl_table_no_const *link_table, *link;
58269 + struct ctl_table *entry;
58270 struct ctl_table_header *links;
58271 struct ctl_node *node;
58273 @@ -1059,7 +1093,7 @@ static struct ctl_table_header *new_links(struct ctl_dir *dir, struct ctl_table
58276 node = (struct ctl_node *)(links + 1);
58277 - link_table = (struct ctl_table *)(node + nr_entries);
58278 + link_table = (ctl_table_no_const *)(node + nr_entries);
58279 link_name = (char *)&link_table[nr_entries + 1];
58281 for (link = link_table, entry = table; entry->procname; link++, entry++) {
58282 @@ -1307,8 +1341,8 @@ static int register_leaf_sysctl_tables(const char *path, char *pos,
58283 struct ctl_table_header ***subheader, struct ctl_table_set *set,
58284 struct ctl_table *table)
58286 - struct ctl_table *ctl_table_arg = NULL;
58287 - struct ctl_table *entry, *files;
58288 + ctl_table_no_const *ctl_table_arg = NULL, *files = NULL;
58289 + struct ctl_table *entry;
58293 @@ -1320,10 +1354,9 @@ static int register_leaf_sysctl_tables(const char *path, char *pos,
58298 /* If there are mixed files and directories we need a new table */
58299 if (nr_dirs && nr_files) {
58300 - struct ctl_table *new;
58301 + ctl_table_no_const *new;
58302 files = kzalloc(sizeof(struct ctl_table) * (nr_files + 1),
58305 @@ -1341,7 +1374,7 @@ static int register_leaf_sysctl_tables(const char *path, char *pos,
58306 /* Register everything except a directory full of subdirectories */
58307 if (nr_files || !nr_dirs) {
58308 struct ctl_table_header *header;
58309 - header = __register_sysctl_table(set, path, files);
58310 + header = __register_sysctl_table(set, path, files ? files : table);
58312 kfree(ctl_table_arg);
58314 diff --git a/fs/proc/root.c b/fs/proc/root.c
58315 index 41a6ea9..23eaa92 100644
58316 --- a/fs/proc/root.c
58317 +++ b/fs/proc/root.c
58318 @@ -182,7 +182,15 @@ void __init proc_root_init(void)
58319 #ifdef CONFIG_PROC_DEVICETREE
58320 proc_device_tree_init();
58322 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
58323 +#ifdef CONFIG_GRKERNSEC_PROC_USER
58324 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
58325 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
58326 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
58329 proc_mkdir("bus", NULL);
58334 diff --git a/fs/proc/self.c b/fs/proc/self.c
58335 index 6b6a993..807cccc 100644
58336 --- a/fs/proc/self.c
58337 +++ b/fs/proc/self.c
58338 @@ -39,7 +39,7 @@ static void *proc_self_follow_link(struct dentry *dentry, struct nameidata *nd)
58339 static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd,
58342 - char *s = nd_get_link(nd);
58343 + const char *s = nd_get_link(nd);
58347 diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
58348 index 65fc60a..350cc48 100644
58349 --- a/fs/proc/task_mmu.c
58350 +++ b/fs/proc/task_mmu.c
58351 @@ -11,12 +11,19 @@
58352 #include <linux/rmap.h>
58353 #include <linux/swap.h>
58354 #include <linux/swapops.h>
58355 +#include <linux/grsecurity.h>
58357 #include <asm/elf.h>
58358 #include <asm/uaccess.h>
58359 #include <asm/tlbflush.h>
58360 #include "internal.h"
58362 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
58363 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
58364 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
58365 + _mm->pax_flags & MF_PAX_SEGMEXEC))
58368 void task_mem(struct seq_file *m, struct mm_struct *mm)
58370 unsigned long data, text, lib, swap;
58371 @@ -52,8 +59,13 @@ void task_mem(struct seq_file *m, struct mm_struct *mm)
58372 "VmExe:\t%8lu kB\n"
58373 "VmLib:\t%8lu kB\n"
58374 "VmPTE:\t%8lu kB\n"
58375 - "VmSwap:\t%8lu kB\n",
58376 - hiwater_vm << (PAGE_SHIFT-10),
58377 + "VmSwap:\t%8lu kB\n"
58379 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
58380 + "CsBase:\t%8lx\nCsLim:\t%8lx\n"
58383 + ,hiwater_vm << (PAGE_SHIFT-10),
58384 total_vm << (PAGE_SHIFT-10),
58385 mm->locked_vm << (PAGE_SHIFT-10),
58386 mm->pinned_vm << (PAGE_SHIFT-10),
58387 @@ -62,7 +74,19 @@ void task_mem(struct seq_file *m, struct mm_struct *mm)
58388 data << (PAGE_SHIFT-10),
58389 mm->stack_vm << (PAGE_SHIFT-10), text, lib,
58390 (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10,
58391 - swap << (PAGE_SHIFT-10));
58392 + swap << (PAGE_SHIFT-10)
58394 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
58395 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
58396 + , PAX_RAND_FLAGS(mm) ? 0 : mm->context.user_cs_base
58397 + , PAX_RAND_FLAGS(mm) ? 0 : mm->context.user_cs_limit
58399 + , mm->context.user_cs_base
58400 + , mm->context.user_cs_limit
58407 unsigned long task_vsize(struct mm_struct *mm)
58408 @@ -277,13 +301,13 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid)
58409 pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
58412 - /* We don't show the stack guard page in /proc/maps */
58413 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
58414 + start = PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start;
58415 + end = PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end;
58417 start = vma->vm_start;
58418 - if (stack_guard_page_start(vma, start))
58419 - start += PAGE_SIZE;
58421 - if (stack_guard_page_end(vma, end))
58422 - end -= PAGE_SIZE;
58425 seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
58427 @@ -292,7 +316,11 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid)
58428 flags & VM_WRITE ? 'w' : '-',
58429 flags & VM_EXEC ? 'x' : '-',
58430 flags & VM_MAYSHARE ? 's' : 'p',
58431 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
58432 + PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
58436 MAJOR(dev), MINOR(dev), ino, &len);
58439 @@ -301,7 +329,7 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid)
58442 pad_len_spaces(m, len);
58443 - seq_path(m, &file->f_path, "\n");
58444 + seq_path(m, &file->f_path, "\n\\");
58448 @@ -327,8 +355,9 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid)
58449 * Thread stack in /proc/PID/task/TID/maps or
58450 * the main process stack.
58452 - if (!is_pid || (vma->vm_start <= mm->start_stack &&
58453 - vma->vm_end >= mm->start_stack)) {
58454 + if (!is_pid || (vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
58455 + (vma->vm_start <= mm->start_stack &&
58456 + vma->vm_end >= mm->start_stack)) {
58459 /* Thread stack in /proc/PID/maps */
58460 @@ -352,6 +381,13 @@ static int show_map(struct seq_file *m, void *v, int is_pid)
58461 struct proc_maps_private *priv = m->private;
58462 struct task_struct *task = priv->task;
58464 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
58465 + if (current->exec_id != m->exec_id) {
58466 + gr_log_badprocpid("maps");
58471 show_map_vma(m, vma, is_pid);
58473 if (m->count < m->size) /* vma is copied successfully */
58474 @@ -589,12 +625,23 @@ static int show_smap(struct seq_file *m, void *v, int is_pid)
58478 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
58479 + if (current->exec_id != m->exec_id) {
58480 + gr_log_badprocpid("smaps");
58484 memset(&mss, 0, sizeof mss);
58486 - /* mmap_sem is held in m_start */
58487 - if (vma->vm_mm && !is_vm_hugetlb_page(vma))
58488 - walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
58490 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
58491 + if (!PAX_RAND_FLAGS(vma->vm_mm)) {
58494 + /* mmap_sem is held in m_start */
58495 + if (vma->vm_mm && !is_vm_hugetlb_page(vma))
58496 + walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
58497 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
58500 show_map_vma(m, vma, is_pid);
58503 @@ -612,7 +659,11 @@ static int show_smap(struct seq_file *m, void *v, int is_pid)
58504 "KernelPageSize: %8lu kB\n"
58505 "MMUPageSize: %8lu kB\n"
58506 "Locked: %8lu kB\n",
58507 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
58508 + PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
58510 (vma->vm_end - vma->vm_start) >> 10,
58512 mss.resident >> 10,
58513 (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
58514 mss.shared_clean >> 10,
58515 @@ -1264,6 +1315,13 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid)
58519 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
58520 + if (current->exec_id != m->exec_id) {
58521 + gr_log_badprocpid("numa_maps");
58529 @@ -1281,11 +1339,15 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid)
58530 mpol_to_str(buffer, sizeof(buffer), pol);
58531 mpol_cond_put(pol);
58533 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
58534 + seq_printf(m, "%08lx %s", PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : vma->vm_start, buffer);
58536 seq_printf(m, "%08lx %s", vma->vm_start, buffer);
58540 seq_printf(m, " file=");
58541 - seq_path(m, &file->f_path, "\n\t= ");
58542 + seq_path(m, &file->f_path, "\n\t\\= ");
58543 } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
58544 seq_printf(m, " heap");
58546 diff --git a/fs/proc/task_nommu.c b/fs/proc/task_nommu.c
58547 index 56123a6..5a2f6ec 100644
58548 --- a/fs/proc/task_nommu.c
58549 +++ b/fs/proc/task_nommu.c
58550 @@ -51,7 +51,7 @@ void task_mem(struct seq_file *m, struct mm_struct *mm)
58552 bytes += kobjsize(mm);
58554 - if (current->fs && current->fs->users > 1)
58555 + if (current->fs && atomic_read(¤t->fs->users) > 1)
58556 sbytes += kobjsize(current->fs);
58558 bytes += kobjsize(current->fs);
58559 @@ -168,7 +168,7 @@ static int nommu_vma_show(struct seq_file *m, struct vm_area_struct *vma,
58562 pad_len_spaces(m, len);
58563 - seq_path(m, &file->f_path, "");
58564 + seq_path(m, &file->f_path, "\n\\");
58566 pid_t tid = vm_is_stack(priv->task, vma, is_pid);
58568 diff --git a/fs/proc/vmcore.c b/fs/proc/vmcore.c
58569 index 17f7e08..e4b1529 100644
58570 --- a/fs/proc/vmcore.c
58571 +++ b/fs/proc/vmcore.c
58572 @@ -99,9 +99,13 @@ static ssize_t read_from_oldmem(char *buf, size_t count,
58575 /* If pfn is not ram, return zeros for sparse dump files */
58576 - if (pfn_is_ram(pfn) == 0)
58577 - memset(buf, 0, nr_bytes);
58579 + if (pfn_is_ram(pfn) == 0) {
58581 + if (clear_user((char __force_user *)buf, nr_bytes))
58584 + memset(buf, 0, nr_bytes);
58586 tmp = copy_oldmem_page(pfn, buf, nr_bytes,
58589 @@ -186,7 +190,7 @@ static ssize_t read_vmcore(struct file *file, char __user *buffer,
58590 if (tsz > nr_bytes)
58593 - tmp = read_from_oldmem(buffer, tsz, &start, 1);
58594 + tmp = read_from_oldmem((char __force_kernel *)buffer, tsz, &start, 1);
58598 diff --git a/fs/qnx6/qnx6.h b/fs/qnx6/qnx6.h
58599 index b00fcc9..e0c6381 100644
58600 --- a/fs/qnx6/qnx6.h
58601 +++ b/fs/qnx6/qnx6.h
58602 @@ -74,7 +74,7 @@ enum {
58606 -static inline __u64 fs64_to_cpu(struct qnx6_sb_info *sbi, __fs64 n)
58607 +static inline __u64 __intentional_overflow(-1) fs64_to_cpu(struct qnx6_sb_info *sbi, __fs64 n)
58609 if (sbi->s_bytesex == BYTESEX_LE)
58610 return le64_to_cpu((__force __le64)n);
58611 @@ -90,7 +90,7 @@ static inline __fs64 cpu_to_fs64(struct qnx6_sb_info *sbi, __u64 n)
58612 return (__force __fs64)cpu_to_be64(n);
58615 -static inline __u32 fs32_to_cpu(struct qnx6_sb_info *sbi, __fs32 n)
58616 +static inline __u32 __intentional_overflow(-1) fs32_to_cpu(struct qnx6_sb_info *sbi, __fs32 n)
58618 if (sbi->s_bytesex == BYTESEX_LE)
58619 return le32_to_cpu((__force __le32)n);
58620 diff --git a/fs/quota/netlink.c b/fs/quota/netlink.c
58621 index 16e8abb..2dcf914 100644
58622 --- a/fs/quota/netlink.c
58623 +++ b/fs/quota/netlink.c
58624 @@ -33,7 +33,7 @@ static struct genl_family quota_genl_family = {
58625 void quota_send_warning(struct kqid qid, dev_t dev,
58626 const char warntype)
58628 - static atomic_t seq;
58629 + static atomic_unchecked_t seq;
58630 struct sk_buff *skb;
58633 @@ -49,7 +49,7 @@ void quota_send_warning(struct kqid qid, dev_t dev,
58634 "VFS: Not enough memory to send quota warning.\n");
58637 - msg_head = genlmsg_put(skb, 0, atomic_add_return(1, &seq),
58638 + msg_head = genlmsg_put(skb, 0, atomic_add_return_unchecked(1, &seq),
58639 "a_genl_family, 0, QUOTA_NL_C_WARNING);
58642 diff --git a/fs/read_write.c b/fs/read_write.c
58643 index 2cefa41..c7e2fe0 100644
58644 --- a/fs/read_write.c
58645 +++ b/fs/read_write.c
58646 @@ -411,7 +411,7 @@ ssize_t __kernel_write(struct file *file, const char *buf, size_t count, loff_t
58650 - p = (__force const char __user *)buf;
58651 + p = (const char __force_user *)buf;
58652 if (count > MAX_RW_COUNT)
58653 count = MAX_RW_COUNT;
58654 if (file->f_op->write)
58655 diff --git a/fs/readdir.c b/fs/readdir.c
58656 index fee38e0..12fdf47 100644
58660 #include <linux/security.h>
58661 #include <linux/syscalls.h>
58662 #include <linux/unistd.h>
58663 +#include <linux/namei.h>
58665 #include <asm/uaccess.h>
58667 @@ -67,6 +68,7 @@ struct old_linux_dirent {
58669 struct readdir_callback {
58670 struct old_linux_dirent __user * dirent;
58671 + struct file * file;
58675 @@ -84,6 +86,10 @@ static int fillonedir(void * __buf, const char * name, int namlen, loff_t offset
58676 buf->result = -EOVERFLOW;
58680 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
58684 dirent = buf->dirent;
58685 if (!access_ok(VERIFY_WRITE, dirent,
58686 @@ -114,6 +120,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned int, fd,
58689 buf.dirent = dirent;
58690 + buf.file = f.file;
58692 error = vfs_readdir(f.file, fillonedir, &buf);
58694 @@ -139,6 +146,7 @@ struct linux_dirent {
58695 struct getdents_callback {
58696 struct linux_dirent __user * current_dir;
58697 struct linux_dirent __user * previous;
58698 + struct file * file;
58702 @@ -160,6 +168,10 @@ static int filldir(void * __buf, const char * name, int namlen, loff_t offset,
58703 buf->error = -EOVERFLOW;
58707 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
58710 dirent = buf->previous;
58712 if (__put_user(offset, &dirent->d_off))
58713 @@ -205,6 +217,7 @@ SYSCALL_DEFINE3(getdents, unsigned int, fd,
58714 buf.previous = NULL;
58717 + buf.file = f.file;
58719 error = vfs_readdir(f.file, filldir, &buf);
58721 @@ -223,6 +236,7 @@ SYSCALL_DEFINE3(getdents, unsigned int, fd,
58722 struct getdents_callback64 {
58723 struct linux_dirent64 __user * current_dir;
58724 struct linux_dirent64 __user * previous;
58725 + struct file *file;
58729 @@ -238,6 +252,10 @@ static int filldir64(void * __buf, const char * name, int namlen, loff_t offset,
58730 buf->error = -EINVAL; /* only used if we fail.. */
58731 if (reclen > buf->count)
58734 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
58737 dirent = buf->previous;
58739 if (__put_user(offset, &dirent->d_off))
58740 @@ -283,6 +301,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int, fd,
58742 buf.current_dir = dirent;
58743 buf.previous = NULL;
58744 + buf.file = f.file;
58748 @@ -291,7 +310,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int, fd,
58750 lastdirent = buf.previous;
58752 - typeof(lastdirent->d_off) d_off = f.file->f_pos;
58753 + typeof(((struct linux_dirent64 *)0)->d_off) d_off = f.file->f_pos;
58754 if (__put_user(d_off, &lastdirent->d_off))
58757 diff --git a/fs/reiserfs/do_balan.c b/fs/reiserfs/do_balan.c
58758 index 2b7882b..1c5ef48 100644
58759 --- a/fs/reiserfs/do_balan.c
58760 +++ b/fs/reiserfs/do_balan.c
58761 @@ -2051,7 +2051,7 @@ void do_balance(struct tree_balance *tb, /* tree_balance structure */
58765 - atomic_inc(&(fs_generation(tb->tb_sb)));
58766 + atomic_inc_unchecked(&(fs_generation(tb->tb_sb)));
58767 do_balance_starts(tb);
58769 /* balance leaf returns 0 except if combining L R and S into
58770 diff --git a/fs/reiserfs/procfs.c b/fs/reiserfs/procfs.c
58771 index 1d48974..2f8f4e0 100644
58772 --- a/fs/reiserfs/procfs.c
58773 +++ b/fs/reiserfs/procfs.c
58774 @@ -114,7 +114,7 @@ static int show_super(struct seq_file *m, void *unused)
58775 "SMALL_TAILS " : "NO_TAILS ",
58776 replay_only(sb) ? "REPLAY_ONLY " : "",
58777 convert_reiserfs(sb) ? "CONV " : "",
58778 - atomic_read(&r->s_generation_counter),
58779 + atomic_read_unchecked(&r->s_generation_counter),
58780 SF(s_disk_reads), SF(s_disk_writes), SF(s_fix_nodes),
58781 SF(s_do_balance), SF(s_unneeded_left_neighbor),
58782 SF(s_good_search_by_key_reada), SF(s_bmaps),
58783 diff --git a/fs/reiserfs/reiserfs.h b/fs/reiserfs/reiserfs.h
58784 index 157e474..65a6114 100644
58785 --- a/fs/reiserfs/reiserfs.h
58786 +++ b/fs/reiserfs/reiserfs.h
58787 @@ -453,7 +453,7 @@ struct reiserfs_sb_info {
58788 /* Comment? -Hans */
58789 wait_queue_head_t s_wait;
58790 /* To be obsoleted soon by per buffer seals.. -Hans */
58791 - atomic_t s_generation_counter; // increased by one every time the
58792 + atomic_unchecked_t s_generation_counter; // increased by one every time the
58793 // tree gets re-balanced
58794 unsigned long s_properties; /* File system properties. Currently holds
58795 on-disk FS format */
58796 @@ -1978,7 +1978,7 @@ static inline loff_t max_reiserfs_offset(struct inode *inode)
58797 #define REISERFS_USER_MEM 1 /* reiserfs user memory mode */
58799 #define fs_generation(s) (REISERFS_SB(s)->s_generation_counter)
58800 -#define get_generation(s) atomic_read (&fs_generation(s))
58801 +#define get_generation(s) atomic_read_unchecked (&fs_generation(s))
58802 #define FILESYSTEM_CHANGED_TB(tb) (get_generation((tb)->tb_sb) != (tb)->fs_gen)
58803 #define __fs_changed(gen,s) (gen != get_generation (s))
58804 #define fs_changed(gen,s) \
58805 diff --git a/fs/select.c b/fs/select.c
58806 index 8c1c96c..a0f9b6d 100644
58810 #include <linux/export.h>
58811 #include <linux/slab.h>
58812 #include <linux/poll.h>
58813 +#include <linux/security.h>
58814 #include <linux/personality.h> /* for STICKY_TIMEOUTS */
58815 #include <linux/file.h>
58816 #include <linux/fdtable.h>
58817 @@ -827,6 +828,7 @@ int do_sys_poll(struct pollfd __user *ufds, unsigned int nfds,
58818 struct poll_list *walk = head;
58819 unsigned long todo = nfds;
58821 + gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1);
58822 if (nfds > rlimit(RLIMIT_NOFILE))
58825 diff --git a/fs/seq_file.c b/fs/seq_file.c
58826 index 774c1eb..b67582a 100644
58827 --- a/fs/seq_file.c
58828 +++ b/fs/seq_file.c
58830 #include <linux/seq_file.h>
58831 #include <linux/slab.h>
58832 #include <linux/cred.h>
58833 +#include <linux/sched.h>
58835 #include <asm/uaccess.h>
58836 #include <asm/page.h>
58837 @@ -60,6 +61,9 @@ int seq_open(struct file *file, const struct seq_operations *op)
58838 #ifdef CONFIG_USER_NS
58839 p->user_ns = file->f_cred->user_ns;
58841 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
58842 + p->exec_id = current->exec_id;
58846 * Wrappers around seq_open(e.g. swaps_open) need to be
58847 @@ -96,7 +100,7 @@ static int traverse(struct seq_file *m, loff_t offset)
58851 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
58852 + m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL | GFP_USERCOPY);
58856 @@ -136,7 +140,7 @@ static int traverse(struct seq_file *m, loff_t offset)
58860 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
58861 + m->buf = kmalloc(m->size <<= 1, GFP_KERNEL | GFP_USERCOPY);
58862 return !m->buf ? -ENOMEM : -EAGAIN;
58865 @@ -191,7 +195,7 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos)
58867 /* grab buffer if we didn't have one */
58869 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
58870 + m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL | GFP_USERCOPY);
58874 @@ -232,7 +236,7 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos)
58878 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
58879 + m->buf = kmalloc(m->size <<= 1, GFP_KERNEL | GFP_USERCOPY);
58883 @@ -581,7 +585,7 @@ static void single_stop(struct seq_file *p, void *v)
58884 int single_open(struct file *file, int (*show)(struct seq_file *, void *),
58887 - struct seq_operations *op = kmalloc(sizeof(*op), GFP_KERNEL);
58888 + seq_operations_no_const *op = kzalloc(sizeof(*op), GFP_KERNEL);
58892 diff --git a/fs/splice.c b/fs/splice.c
58893 index d37431d..81c3044 100644
58896 @@ -196,7 +196,7 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe,
58900 - if (!pipe->readers) {
58901 + if (!atomic_read(&pipe->readers)) {
58902 send_sig(SIGPIPE, current, 0);
58905 @@ -219,7 +219,7 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe,
58910 + if (atomic_read(&pipe->files))
58913 if (!--spd->nr_pages)
58914 @@ -250,9 +250,9 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe,
58918 - pipe->waiting_writers++;
58919 + atomic_inc(&pipe->waiting_writers);
58921 - pipe->waiting_writers--;
58922 + atomic_dec(&pipe->waiting_writers);
58926 @@ -565,7 +565,7 @@ static ssize_t kernel_readv(struct file *file, const struct iovec *vec,
58929 /* The cast to a user pointer is valid due to the set_fs() */
58930 - res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
58931 + res = vfs_readv(file, (const struct iovec __force_user *)vec, vlen, &pos);
58935 @@ -580,7 +580,7 @@ ssize_t kernel_write(struct file *file, const char *buf, size_t count,
58938 /* The cast to a user pointer is valid due to the set_fs() */
58939 - res = vfs_write(file, (__force const char __user *)buf, count, &pos);
58940 + res = vfs_write(file, (const char __force_user *)buf, count, &pos);
58944 @@ -633,7 +633,7 @@ ssize_t default_file_splice_read(struct file *in, loff_t *ppos,
58947 this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
58948 - vec[i].iov_base = (void __user *) page_address(page);
58949 + vec[i].iov_base = (void __force_user *) page_address(page);
58950 vec[i].iov_len = this_len;
58951 spd.pages[i] = page;
58953 @@ -829,7 +829,7 @@ int splice_from_pipe_feed(struct pipe_inode_info *pipe, struct splice_desc *sd,
58954 ops->release(pipe, buf);
58955 pipe->curbuf = (pipe->curbuf + 1) & (pipe->buffers - 1);
58958 + if (atomic_read(&pipe->files))
58959 sd->need_wakeup = true;
58962 @@ -854,10 +854,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed);
58963 int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
58965 while (!pipe->nrbufs) {
58966 - if (!pipe->writers)
58967 + if (!atomic_read(&pipe->writers))
58970 - if (!pipe->waiting_writers && sd->num_spliced)
58971 + if (!atomic_read(&pipe->waiting_writers) && sd->num_spliced)
58974 if (sd->flags & SPLICE_F_NONBLOCK)
58975 @@ -1193,7 +1193,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
58976 * out of the pipe right after the splice_to_pipe(). So set
58977 * PIPE_READERS appropriately.
58979 - pipe->readers = 1;
58980 + atomic_set(&pipe->readers, 1);
58982 current->splice_pipe = pipe;
58984 @@ -1769,9 +1769,9 @@ static int ipipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
58985 ret = -ERESTARTSYS;
58988 - if (!pipe->writers)
58989 + if (!atomic_read(&pipe->writers))
58991 - if (!pipe->waiting_writers) {
58992 + if (!atomic_read(&pipe->waiting_writers)) {
58993 if (flags & SPLICE_F_NONBLOCK) {
58996 @@ -1803,7 +1803,7 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
58999 while (pipe->nrbufs >= pipe->buffers) {
59000 - if (!pipe->readers) {
59001 + if (!atomic_read(&pipe->readers)) {
59002 send_sig(SIGPIPE, current, 0);
59005 @@ -1816,9 +1816,9 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
59006 ret = -ERESTARTSYS;
59009 - pipe->waiting_writers++;
59010 + atomic_inc(&pipe->waiting_writers);
59012 - pipe->waiting_writers--;
59013 + atomic_dec(&pipe->waiting_writers);
59017 @@ -1854,14 +1854,14 @@ retry:
59018 pipe_double_lock(ipipe, opipe);
59021 - if (!opipe->readers) {
59022 + if (!atomic_read(&opipe->readers)) {
59023 send_sig(SIGPIPE, current, 0);
59029 - if (!ipipe->nrbufs && !ipipe->writers)
59030 + if (!ipipe->nrbufs && !atomic_read(&ipipe->writers))
59034 @@ -1958,7 +1958,7 @@ static int link_pipe(struct pipe_inode_info *ipipe,
59035 pipe_double_lock(ipipe, opipe);
59038 - if (!opipe->readers) {
59039 + if (!atomic_read(&opipe->readers)) {
59040 send_sig(SIGPIPE, current, 0);
59043 @@ -2003,7 +2003,7 @@ static int link_pipe(struct pipe_inode_info *ipipe,
59044 * return EAGAIN if we have the potential of some data in the
59045 * future, otherwise just return 0
59047 - if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
59048 + if (!ret && atomic_read(&ipipe->waiting_writers) && (flags & SPLICE_F_NONBLOCK))
59051 pipe_unlock(ipipe);
59052 diff --git a/fs/stat.c b/fs/stat.c
59053 index 04ce1ac..a13dd1e 100644
59056 @@ -28,8 +28,13 @@ void generic_fillattr(struct inode *inode, struct kstat *stat)
59057 stat->gid = inode->i_gid;
59058 stat->rdev = inode->i_rdev;
59059 stat->size = i_size_read(inode);
59060 - stat->atime = inode->i_atime;
59061 - stat->mtime = inode->i_mtime;
59062 + if (is_sidechannel_device(inode) && !capable_nolog(CAP_MKNOD)) {
59063 + stat->atime = inode->i_ctime;
59064 + stat->mtime = inode->i_ctime;
59066 + stat->atime = inode->i_atime;
59067 + stat->mtime = inode->i_mtime;
59069 stat->ctime = inode->i_ctime;
59070 stat->blksize = (1 << inode->i_blkbits);
59071 stat->blocks = inode->i_blocks;
59072 @@ -46,8 +51,14 @@ int vfs_getattr(struct path *path, struct kstat *stat)
59076 - if (inode->i_op->getattr)
59077 - return inode->i_op->getattr(path->mnt, path->dentry, stat);
59078 + if (inode->i_op->getattr) {
59079 + retval = inode->i_op->getattr(path->mnt, path->dentry, stat);
59080 + if (!retval && is_sidechannel_device(inode) && !capable_nolog(CAP_MKNOD)) {
59081 + stat->atime = stat->ctime;
59082 + stat->mtime = stat->ctime;
59087 generic_fillattr(inode, stat);
59089 diff --git a/fs/sysfs/bin.c b/fs/sysfs/bin.c
59090 index 15c68f9..36a8b3e 100644
59091 --- a/fs/sysfs/bin.c
59092 +++ b/fs/sysfs/bin.c
59093 @@ -235,13 +235,13 @@ static int bin_page_mkwrite(struct vm_area_struct *vma, struct vm_fault *vmf)
59097 -static int bin_access(struct vm_area_struct *vma, unsigned long addr,
59098 - void *buf, int len, int write)
59099 +static ssize_t bin_access(struct vm_area_struct *vma, unsigned long addr,
59100 + void *buf, size_t len, int write)
59102 struct file *file = vma->vm_file;
59103 struct bin_buffer *bb = file->private_data;
59104 struct sysfs_dirent *attr_sd = file->f_path.dentry->d_fsdata;
59110 diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c
59111 index e8e0e71..79c28ac5 100644
59112 --- a/fs/sysfs/dir.c
59113 +++ b/fs/sysfs/dir.c
59114 @@ -40,7 +40,7 @@ static DEFINE_IDA(sysfs_ino_ida);
59116 * Returns 31 bit hash of ns + name (so it fits in an off_t )
59118 -static unsigned int sysfs_name_hash(const void *ns, const char *name)
59119 +static unsigned int sysfs_name_hash(const void *ns, const unsigned char *name)
59121 unsigned long hash = init_name_hash();
59122 unsigned int len = strlen(name);
59123 @@ -679,6 +679,18 @@ static int create_dir(struct kobject *kobj, struct sysfs_dirent *parent_sd,
59124 struct sysfs_dirent *sd;
59127 +#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
59128 + const char *parent_name = parent_sd->s_name;
59130 + mode = S_IFDIR | S_IRWXU;
59132 + if ((!strcmp(parent_name, "") && (!strcmp(name, "devices") || !strcmp(name, "fs"))) ||
59133 + (!strcmp(parent_name, "devices") && !strcmp(name, "system")) ||
59134 + (!strcmp(parent_name, "fs") && (!strcmp(name, "selinux") || !strcmp(name, "fuse") || !strcmp(name, "ecryptfs"))) ||
59135 + (!strcmp(parent_name, "system") && !strcmp(name, "cpu")))
59136 + mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO;
59140 sd = sysfs_new_dirent(name, mode, SYSFS_DIR);
59142 diff --git a/fs/sysfs/file.c b/fs/sysfs/file.c
59143 index 602f56d..6853db8 100644
59144 --- a/fs/sysfs/file.c
59145 +++ b/fs/sysfs/file.c
59146 @@ -37,7 +37,7 @@ static DEFINE_SPINLOCK(sysfs_open_dirent_lock);
59148 struct sysfs_open_dirent {
59151 + atomic_unchecked_t event;
59152 wait_queue_head_t poll;
59153 struct list_head buffers; /* goes through sysfs_buffer.list */
59155 @@ -81,7 +81,7 @@ static int fill_read_buffer(struct dentry * dentry, struct sysfs_buffer * buffer
59156 if (!sysfs_get_active(attr_sd))
59159 - buffer->event = atomic_read(&attr_sd->s_attr.open->event);
59160 + buffer->event = atomic_read_unchecked(&attr_sd->s_attr.open->event);
59161 count = ops->show(kobj, attr_sd->s_attr.attr, buffer->page);
59163 sysfs_put_active(attr_sd);
59164 @@ -287,7 +287,7 @@ static int sysfs_get_open_dirent(struct sysfs_dirent *sd,
59167 atomic_set(&new_od->refcnt, 0);
59168 - atomic_set(&new_od->event, 1);
59169 + atomic_set_unchecked(&new_od->event, 1);
59170 init_waitqueue_head(&new_od->poll);
59171 INIT_LIST_HEAD(&new_od->buffers);
59173 @@ -432,7 +432,7 @@ static unsigned int sysfs_poll(struct file *filp, poll_table *wait)
59175 sysfs_put_active(attr_sd);
59177 - if (buffer->event != atomic_read(&od->event))
59178 + if (buffer->event != atomic_read_unchecked(&od->event))
59181 return DEFAULT_POLLMASK;
59182 @@ -451,7 +451,7 @@ void sysfs_notify_dirent(struct sysfs_dirent *sd)
59184 od = sd->s_attr.open;
59186 - atomic_inc(&od->event);
59187 + atomic_inc_unchecked(&od->event);
59188 wake_up_interruptible(&od->poll);
59191 diff --git a/fs/sysfs/symlink.c b/fs/sysfs/symlink.c
59192 index 8c940df..25b733e 100644
59193 --- a/fs/sysfs/symlink.c
59194 +++ b/fs/sysfs/symlink.c
59195 @@ -305,7 +305,7 @@ static void *sysfs_follow_link(struct dentry *dentry, struct nameidata *nd)
59197 static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
59199 - char *page = nd_get_link(nd);
59200 + const char *page = nd_get_link(nd);
59202 free_page((unsigned long)page);
59204 diff --git a/fs/sysv/sysv.h b/fs/sysv/sysv.h
59205 index 69d4889..a810bd4 100644
59206 --- a/fs/sysv/sysv.h
59207 +++ b/fs/sysv/sysv.h
59208 @@ -188,7 +188,7 @@ static inline u32 PDP_swab(u32 x)
59212 -static inline __u32 fs32_to_cpu(struct sysv_sb_info *sbi, __fs32 n)
59213 +static inline __u32 __intentional_overflow(-1) fs32_to_cpu(struct sysv_sb_info *sbi, __fs32 n)
59215 if (sbi->s_bytesex == BYTESEX_PDP)
59216 return PDP_swab((__force __u32)n);
59217 diff --git a/fs/ubifs/io.c b/fs/ubifs/io.c
59218 index e18b988..f1d4ad0f 100644
59219 --- a/fs/ubifs/io.c
59220 +++ b/fs/ubifs/io.c
59221 @@ -155,7 +155,7 @@ int ubifs_leb_change(struct ubifs_info *c, int lnum, const void *buf, int len)
59225 -int ubifs_leb_unmap(struct ubifs_info *c, int lnum)
59226 +int __intentional_overflow(-1) ubifs_leb_unmap(struct ubifs_info *c, int lnum)
59230 diff --git a/fs/udf/misc.c b/fs/udf/misc.c
59231 index c175b4d..8f36a16 100644
59232 --- a/fs/udf/misc.c
59233 +++ b/fs/udf/misc.c
59234 @@ -289,7 +289,7 @@ void udf_new_tag(char *data, uint16_t ident, uint16_t version, uint16_t snum,
59236 u8 udf_tag_checksum(const struct tag *t)
59238 - u8 *data = (u8 *)t;
59239 + const u8 *data = (const u8 *)t;
59242 for (i = 0; i < sizeof(struct tag); ++i)
59243 diff --git a/fs/ufs/swab.h b/fs/ufs/swab.h
59244 index 8d974c4..b82f6ec 100644
59245 --- a/fs/ufs/swab.h
59246 +++ b/fs/ufs/swab.h
59247 @@ -22,7 +22,7 @@ enum {
59252 +static inline u64 __intentional_overflow(-1)
59253 fs64_to_cpu(struct super_block *sbp, __fs64 n)
59255 if (UFS_SB(sbp)->s_bytesex == BYTESEX_LE)
59256 @@ -40,7 +40,7 @@ cpu_to_fs64(struct super_block *sbp, u64 n)
59257 return (__force __fs64)cpu_to_be64(n);
59261 +static inline u32 __intentional_overflow(-1)
59262 fs32_to_cpu(struct super_block *sbp, __fs32 n)
59264 if (UFS_SB(sbp)->s_bytesex == BYTESEX_LE)
59265 diff --git a/fs/utimes.c b/fs/utimes.c
59266 index f4fb7ec..3fe03c0 100644
59270 #include <linux/compiler.h>
59271 #include <linux/file.h>
59272 #include <linux/fs.h>
59273 +#include <linux/security.h>
59274 #include <linux/linkage.h>
59275 #include <linux/mount.h>
59276 #include <linux/namei.h>
59277 @@ -101,6 +102,12 @@ static int utimes_common(struct path *path, struct timespec *times)
59278 goto mnt_drop_write_and_out;
59282 + if (!gr_acl_handle_utime(path->dentry, path->mnt)) {
59284 + goto mnt_drop_write_and_out;
59287 mutex_lock(&inode->i_mutex);
59288 error = notify_change(path->dentry, &newattrs);
59289 mutex_unlock(&inode->i_mutex);
59290 diff --git a/fs/xattr.c b/fs/xattr.c
59291 index 3377dff..4d074d9 100644
59294 @@ -227,6 +227,27 @@ int vfs_xattr_cmp(struct dentry *dentry, const char *xattr_name,
59298 +#ifdef CONFIG_PAX_XATTR_PAX_FLAGS
59300 +pax_getxattr(struct dentry *dentry, void *value, size_t size)
59302 + struct inode *inode = dentry->d_inode;
59305 + error = inode_permission(inode, MAY_EXEC);
59309 + if (inode->i_op->getxattr)
59310 + error = inode->i_op->getxattr(dentry, XATTR_NAME_PAX_FLAGS, value, size);
59312 + error = -EOPNOTSUPP;
59316 +EXPORT_SYMBOL(pax_getxattr);
59320 vfs_getxattr(struct dentry *dentry, const char *name, void *value, size_t size)
59322 @@ -319,7 +340,7 @@ EXPORT_SYMBOL_GPL(vfs_removexattr);
59323 * Extended attribute SET operations
59326 -setxattr(struct dentry *d, const char __user *name, const void __user *value,
59327 +setxattr(struct path *path, const char __user *name, const void __user *value,
59328 size_t size, int flags)
59331 @@ -355,7 +376,12 @@ setxattr(struct dentry *d, const char __user *name, const void __user *value,
59332 posix_acl_fix_xattr_from_user(kvalue, size);
59335 - error = vfs_setxattr(d, kname, kvalue, size, flags);
59336 + if (!gr_acl_handle_setxattr(path->dentry, path->mnt)) {
59341 + error = vfs_setxattr(path->dentry, kname, kvalue, size, flags);
59345 @@ -377,7 +403,7 @@ retry:
59347 error = mnt_want_write(path.mnt);
59349 - error = setxattr(path.dentry, name, value, size, flags);
59350 + error = setxattr(&path, name, value, size, flags);
59351 mnt_drop_write(path.mnt);
59354 @@ -401,7 +427,7 @@ retry:
59356 error = mnt_want_write(path.mnt);
59358 - error = setxattr(path.dentry, name, value, size, flags);
59359 + error = setxattr(&path, name, value, size, flags);
59360 mnt_drop_write(path.mnt);
59363 @@ -416,16 +442,14 @@ SYSCALL_DEFINE5(fsetxattr, int, fd, const char __user *, name,
59364 const void __user *,value, size_t, size, int, flags)
59366 struct fd f = fdget(fd);
59367 - struct dentry *dentry;
59368 int error = -EBADF;
59372 - dentry = f.file->f_path.dentry;
59373 - audit_inode(NULL, dentry, 0);
59374 + audit_inode(NULL, f.file->f_path.dentry, 0);
59375 error = mnt_want_write_file(f.file);
59377 - error = setxattr(dentry, name, value, size, flags);
59378 + error = setxattr(&f.file->f_path, name, value, size, flags);
59379 mnt_drop_write_file(f.file);
59382 diff --git a/fs/xattr_acl.c b/fs/xattr_acl.c
59383 index 9fbea87..6b19972 100644
59384 --- a/fs/xattr_acl.c
59385 +++ b/fs/xattr_acl.c
59386 @@ -76,8 +76,8 @@ struct posix_acl *
59387 posix_acl_from_xattr(struct user_namespace *user_ns,
59388 const void *value, size_t size)
59390 - posix_acl_xattr_header *header = (posix_acl_xattr_header *)value;
59391 - posix_acl_xattr_entry *entry = (posix_acl_xattr_entry *)(header+1), *end;
59392 + const posix_acl_xattr_header *header = (const posix_acl_xattr_header *)value;
59393 + const posix_acl_xattr_entry *entry = (const posix_acl_xattr_entry *)(header+1), *end;
59395 struct posix_acl *acl;
59396 struct posix_acl_entry *acl_e;
59397 diff --git a/fs/xfs/xfs_bmap.c b/fs/xfs/xfs_bmap.c
59398 index 8904284..ee0e14b 100644
59399 --- a/fs/xfs/xfs_bmap.c
59400 +++ b/fs/xfs/xfs_bmap.c
59401 @@ -765,7 +765,7 @@ xfs_bmap_validate_ret(
59404 #define xfs_bmap_check_leaf_extents(cur, ip, whichfork) do { } while (0)
59405 -#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
59406 +#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do { } while (0)
59410 diff --git a/fs/xfs/xfs_dir2_sf.c b/fs/xfs/xfs_dir2_sf.c
59411 index 6157424..ac98f6d 100644
59412 --- a/fs/xfs/xfs_dir2_sf.c
59413 +++ b/fs/xfs/xfs_dir2_sf.c
59414 @@ -851,7 +851,15 @@ xfs_dir2_sf_getdents(
59417 ino = xfs_dir2_sfe_get_ino(sfp, sfep);
59418 - if (filldir(dirent, (char *)sfep->name, sfep->namelen,
59419 + if (dp->i_df.if_u1.if_data == dp->i_df.if_u2.if_inline_data) {
59420 + char name[sfep->namelen];
59421 + memcpy(name, sfep->name, sfep->namelen);
59422 + if (filldir(dirent, name, sfep->namelen,
59423 + off & 0x7fffffff, ino, DT_UNKNOWN)) {
59424 + *offset = off & 0x7fffffff;
59427 + } else if (filldir(dirent, (char *)sfep->name, sfep->namelen,
59428 off & 0x7fffffff, ino, DT_UNKNOWN)) {
59429 *offset = off & 0x7fffffff;
59431 diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
59432 index 5e99968..45bd327 100644
59433 --- a/fs/xfs/xfs_ioctl.c
59434 +++ b/fs/xfs/xfs_ioctl.c
59435 @@ -127,7 +127,7 @@ xfs_find_handle(
59439 - if (copy_to_user(hreq->ohandle, &handle, hsize) ||
59440 + if (hsize > sizeof handle || copy_to_user(hreq->ohandle, &handle, hsize) ||
59441 copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
59444 diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c
59445 index ca9ecaa..60100c7 100644
59446 --- a/fs/xfs/xfs_iops.c
59447 +++ b/fs/xfs/xfs_iops.c
59448 @@ -395,7 +395,7 @@ xfs_vn_put_link(
59449 struct nameidata *nd,
59452 - char *s = nd_get_link(nd);
59453 + const char *s = nd_get_link(nd);
59457 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
59458 new file mode 100644
59459 index 0000000..712a85d
59461 +++ b/grsecurity/Kconfig
59464 +# grecurity configuration
59466 +menu "Memory Protections"
59467 +depends on GRKERNSEC
59469 +config GRKERNSEC_KMEM
59470 + bool "Deny reading/writing to /dev/kmem, /dev/mem, and /dev/port"
59471 + default y if GRKERNSEC_CONFIG_AUTO
59472 + select STRICT_DEVMEM if (X86 || ARM || TILE || S390)
59474 + If you say Y here, /dev/kmem and /dev/mem won't be allowed to
59475 + be written to or read from to modify or leak the contents of the running
59476 + kernel. /dev/port will also not be allowed to be opened and support
59477 + for /dev/cpu/*/msr will be removed. If you have module
59478 + support disabled, enabling this will close up five ways that are
59479 + currently used to insert malicious code into the running kernel.
59481 + Even with all these features enabled, we still highly recommend that
59482 + you use the RBAC system, as it is still possible for an attacker to
59483 + modify the running kernel through privileged I/O granted by ioperm/iopl.
59485 + If you are not using XFree86, you may be able to stop this additional
59486 + case by enabling the 'Disable privileged I/O' option. Though nothing
59487 + legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
59488 + but only to video memory, which is the only writing we allow in this
59489 + case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
59490 + not be allowed to mprotect it with PROT_WRITE later.
59491 + Enabling this feature will prevent the "cpupower" and "powertop" tools
59494 + It is highly recommended that you say Y here if you meet all the
59495 + conditions above.
59497 +config GRKERNSEC_VM86
59498 + bool "Restrict VM86 mode"
59499 + default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER)
59500 + depends on X86_32
59503 + If you say Y here, only processes with CAP_SYS_RAWIO will be able to
59504 + make use of a special execution mode on 32bit x86 processors called
59505 + Virtual 8086 (VM86) mode. XFree86 may need vm86 mode for certain
59506 + video cards and will still work with this option enabled. The purpose
59507 + of the option is to prevent exploitation of emulation errors in
59508 + virtualization of vm86 mode like the one discovered in VMWare in 2009.
59509 + Nearly all users should be able to enable this option.
59511 +config GRKERNSEC_IO
59512 + bool "Disable privileged I/O"
59513 + default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER)
59516 + select RTC_INTF_DEV
59517 + select RTC_DRV_CMOS
59520 + If you say Y here, all ioperm and iopl calls will return an error.
59521 + Ioperm and iopl can be used to modify the running kernel.
59522 + Unfortunately, some programs need this access to operate properly,
59523 + the most notable of which are XFree86 and hwclock. hwclock can be
59524 + remedied by having RTC support in the kernel, so real-time
59525 + clock support is enabled if this option is enabled, to ensure
59526 + that hwclock operates correctly. XFree86 still will not
59527 + operate correctly with this option enabled, so DO NOT CHOOSE Y
59528 + IF YOU USE XFree86. If you use XFree86 and you still want to
59529 + protect your kernel against modification, use the RBAC system.
59531 +config GRKERNSEC_JIT_HARDEN
59532 + bool "Harden BPF JIT against spray attacks"
59533 + default y if GRKERNSEC_CONFIG_AUTO
59534 + depends on BPF_JIT
59536 + If you say Y here, the native code generated by the kernel's Berkeley
59537 + Packet Filter (BPF) JIT engine will be hardened against JIT-spraying
59538 + attacks that attempt to fit attacker-beneficial instructions in
59539 + 32bit immediate fields of JIT-generated native instructions. The
59540 + attacker will generally aim to cause an unintended instruction sequence
59541 + of JIT-generated native code to execute by jumping into the middle of
59542 + a generated instruction. This feature effectively randomizes the 32bit
59543 + immediate constants present in the generated code to thwart such attacks.
59545 + If you're using KERNEXEC, it's recommended that you enable this option
59546 + to supplement the hardening of the kernel.
59548 +config GRKERNSEC_PERF_HARDEN
59549 + bool "Disable unprivileged PERF_EVENTS usage by default"
59550 + default y if GRKERNSEC_CONFIG_AUTO
59551 + depends on PERF_EVENTS
59553 + If you say Y here, the range of acceptable values for the
59554 + /proc/sys/kernel/perf_event_paranoid sysctl will be expanded to allow and
59555 + default to a new value: 3. When the sysctl is set to this value, no
59556 + unprivileged use of the PERF_EVENTS syscall interface will be permitted.
59558 + Though PERF_EVENTS can be used legitimately for performance monitoring
59559 + and low-level application profiling, it is forced on regardless of
59560 + configuration, has been at fault for several vulnerabilities, and
59561 + creates new opportunities for side channels and other information leaks.
59563 + This feature puts PERF_EVENTS into a secure default state and permits
59564 + the administrator to change out of it temporarily if unprivileged
59565 + application profiling is needed.
59567 +config GRKERNSEC_RAND_THREADSTACK
59568 + bool "Insert random gaps between thread stacks"
59569 + default y if GRKERNSEC_CONFIG_AUTO
59570 + depends on PAX_RANDMMAP && !PPC
59572 + If you say Y here, a random-sized gap will be enforced between allocated
59573 + thread stacks. Glibc's NPTL and other threading libraries that
59574 + pass MAP_STACK to the kernel for thread stack allocation are supported.
59575 + The implementation currently provides 8 bits of entropy for the gap.
59577 + Many distributions do not compile threaded remote services with the
59578 + -fstack-check argument to GCC, causing the variable-sized stack-based
59579 + allocator, alloca(), to not probe the stack on allocation. This
59580 + permits an unbounded alloca() to skip over any guard page and potentially
59581 + modify another thread's stack reliably. An enforced random gap
59582 + reduces the reliability of such an attack and increases the chance
59583 + that such a read/write to another thread's stack instead lands in
59584 + an unmapped area, causing a crash and triggering grsecurity's
59585 + anti-bruteforcing logic.
59587 +config GRKERNSEC_PROC_MEMMAP
59588 + bool "Harden ASLR against information leaks and entropy reduction"
59589 + default y if (GRKERNSEC_CONFIG_AUTO || PAX_NOEXEC || PAX_ASLR)
59590 + depends on PAX_NOEXEC || PAX_ASLR
59592 + If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
59593 + give no information about the addresses of its mappings if
59594 + PaX features that rely on random addresses are enabled on the task.
59595 + In addition to sanitizing this information and disabling other
59596 + dangerous sources of information, this option causes reads of sensitive
59597 + /proc/<pid> entries where the file descriptor was opened in a different
59598 + task than the one performing the read. Such attempts are logged.
59599 + This option also limits argv/env strings for suid/sgid binaries
59600 + to 512KB to prevent a complete exhaustion of the stack entropy provided
59601 + by ASLR. Finally, it places an 8MB stack resource limit on suid/sgid
59602 + binaries to prevent alternative mmap layouts from being abused.
59604 + If you use PaX it is essential that you say Y here as it closes up
59605 + several holes that make full ASLR useless locally.
59607 +config GRKERNSEC_BRUTE
59608 + bool "Deter exploit bruteforcing"
59609 + default y if GRKERNSEC_CONFIG_AUTO
59611 + If you say Y here, attempts to bruteforce exploits against forking
59612 + daemons such as apache or sshd, as well as against suid/sgid binaries
59613 + will be deterred. When a child of a forking daemon is killed by PaX
59614 + or crashes due to an illegal instruction or other suspicious signal,
59615 + the parent process will be delayed 30 seconds upon every subsequent
59616 + fork until the administrator is able to assess the situation and
59617 + restart the daemon.
59618 + In the suid/sgid case, the attempt is logged, the user has all their
59619 + existing instances of the suid/sgid binary terminated and will
59620 + be unable to execute any suid/sgid binaries for 15 minutes.
59622 + It is recommended that you also enable signal logging in the auditing
59623 + section so that logs are generated when a process triggers a suspicious
59625 + If the sysctl option is enabled, a sysctl option with name
59626 + "deter_bruteforce" is created.
59629 +config GRKERNSEC_MODHARDEN
59630 + bool "Harden module auto-loading"
59631 + default y if GRKERNSEC_CONFIG_AUTO
59632 + depends on MODULES
59634 + If you say Y here, module auto-loading in response to use of some
59635 + feature implemented by an unloaded module will be restricted to
59636 + root users. Enabling this option helps defend against attacks
59637 + by unprivileged users who abuse the auto-loading behavior to
59638 + cause a vulnerable module to load that is then exploited.
59640 + If this option prevents a legitimate use of auto-loading for a
59641 + non-root user, the administrator can execute modprobe manually
59642 + with the exact name of the module mentioned in the alert log.
59643 + Alternatively, the administrator can add the module to the list
59644 + of modules loaded at boot by modifying init scripts.
59646 + Modification of init scripts will most likely be needed on
59647 + Ubuntu servers with encrypted home directory support enabled,
59648 + as the first non-root user logging in will cause the ecb(aes),
59649 + ecb(aes)-all, cbc(aes), and cbc(aes)-all modules to be loaded.
59651 +config GRKERNSEC_HIDESYM
59652 + bool "Hide kernel symbols"
59653 + default y if GRKERNSEC_CONFIG_AUTO
59654 + select PAX_USERCOPY_SLABS
59656 + If you say Y here, getting information on loaded modules, and
59657 + displaying all kernel symbols through a syscall will be restricted
59658 + to users with CAP_SYS_MODULE. For software compatibility reasons,
59659 + /proc/kallsyms will be restricted to the root user. The RBAC
59660 + system can hide that entry even from root.
59662 + This option also prevents leaking of kernel addresses through
59663 + several /proc entries.
59665 + Note that this option is only effective provided the following
59666 + conditions are met:
59667 + 1) The kernel using grsecurity is not precompiled by some distribution
59668 + 2) You have also enabled GRKERNSEC_DMESG
59669 + 3) You are using the RBAC system and hiding other files such as your
59670 + kernel image and System.map. Alternatively, enabling this option
59671 + causes the permissions on /boot, /lib/modules, and the kernel
59672 + source directory to change at compile time to prevent
59673 + reading by non-root users.
59674 + If the above conditions are met, this option will aid in providing a
59675 + useful protection against local kernel exploitation of overflows
59676 + and arbitrary read/write vulnerabilities.
59678 + It is highly recommended that you enable GRKERNSEC_PERF_HARDEN
59679 + in addition to this feature.
59681 +config GRKERNSEC_KERN_LOCKOUT
59682 + bool "Active kernel exploit response"
59683 + default y if GRKERNSEC_CONFIG_AUTO
59684 + depends on X86 || ARM || PPC || SPARC
59686 + If you say Y here, when a PaX alert is triggered due to suspicious
59687 + activity in the kernel (from KERNEXEC/UDEREF/USERCOPY)
59688 + or an OOPS occurs due to bad memory accesses, instead of just
59689 + terminating the offending process (and potentially allowing
59690 + a subsequent exploit from the same user), we will take one of two
59692 + If the user was root, we will panic the system
59693 + If the user was non-root, we will log the attempt, terminate
59694 + all processes owned by the user, then prevent them from creating
59695 + any new processes until the system is restarted
59696 + This deters repeated kernel exploitation/bruteforcing attempts
59697 + and is useful for later forensics.
59700 +menu "Role Based Access Control Options"
59701 +depends on GRKERNSEC
59703 +config GRKERNSEC_RBAC_DEBUG
59706 +config GRKERNSEC_NO_RBAC
59707 + bool "Disable RBAC system"
59709 + If you say Y here, the /dev/grsec device will be removed from the kernel,
59710 + preventing the RBAC system from being enabled. You should only say Y
59711 + here if you have no intention of using the RBAC system, so as to prevent
59712 + an attacker with root access from misusing the RBAC system to hide files
59713 + and processes when loadable module support and /dev/[k]mem have been
59716 +config GRKERNSEC_ACL_HIDEKERN
59717 + bool "Hide kernel processes"
59719 + If you say Y here, all kernel threads will be hidden to all
59720 + processes but those whose subject has the "view hidden processes"
59723 +config GRKERNSEC_ACL_MAXTRIES
59724 + int "Maximum tries before password lockout"
59727 + This option enforces the maximum number of times a user can attempt
59728 + to authorize themselves with the grsecurity RBAC system before being
59729 + denied the ability to attempt authorization again for a specified time.
59730 + The lower the number, the harder it will be to brute-force a password.
59732 +config GRKERNSEC_ACL_TIMEOUT
59733 + int "Time to wait after max password tries, in seconds"
59736 + This option specifies the time the user must wait after attempting to
59737 + authorize to the RBAC system with the maximum number of invalid
59738 + passwords. The higher the number, the harder it will be to brute-force
59742 +menu "Filesystem Protections"
59743 +depends on GRKERNSEC
59745 +config GRKERNSEC_PROC
59746 + bool "Proc restrictions"
59747 + default y if GRKERNSEC_CONFIG_AUTO
59749 + If you say Y here, the permissions of the /proc filesystem
59750 + will be altered to enhance system security and privacy. You MUST
59751 + choose either a user only restriction or a user and group restriction.
59752 + Depending upon the option you choose, you can either restrict users to
59753 + see only the processes they themselves run, or choose a group that can
59754 + view all processes and files normally restricted to root if you choose
59755 + the "restrict to user only" option. NOTE: If you're running identd or
59756 + ntpd as a non-root user, you will have to run it as the group you
59759 +config GRKERNSEC_PROC_USER
59760 + bool "Restrict /proc to user only"
59761 + depends on GRKERNSEC_PROC
59763 + If you say Y here, non-root users will only be able to view their own
59764 + processes, and restricts them from viewing network-related information,
59765 + and viewing kernel symbol and module information.
59767 +config GRKERNSEC_PROC_USERGROUP
59768 + bool "Allow special group"
59769 + default y if GRKERNSEC_CONFIG_AUTO
59770 + depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
59772 + If you say Y here, you will be able to select a group that will be
59773 + able to view all processes and network-related information. If you've
59774 + enabled GRKERNSEC_HIDESYM, kernel and symbol information may still
59775 + remain hidden. This option is useful if you want to run identd as
59776 + a non-root user. The group you select may also be chosen at boot time
59777 + via "grsec_proc_gid=" on the kernel commandline.
59779 +config GRKERNSEC_PROC_GID
59780 + int "GID for special group"
59781 + depends on GRKERNSEC_PROC_USERGROUP
59784 +config GRKERNSEC_PROC_ADD
59785 + bool "Additional restrictions"
59786 + default y if GRKERNSEC_CONFIG_AUTO
59787 + depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
59789 + If you say Y here, additional restrictions will be placed on
59790 + /proc that keep normal users from viewing device information and
59791 + slabinfo information that could be useful for exploits.
59793 +config GRKERNSEC_LINK
59794 + bool "Linking restrictions"
59795 + default y if GRKERNSEC_CONFIG_AUTO
59797 + If you say Y here, /tmp race exploits will be prevented, since users
59798 + will no longer be able to follow symlinks owned by other users in
59799 + world-writable +t directories (e.g. /tmp), unless the owner of the
59800 + symlink is the owner of the directory. users will also not be
59801 + able to hardlink to files they do not own. If the sysctl option is
59802 + enabled, a sysctl option with name "linking_restrictions" is created.
59804 +config GRKERNSEC_SYMLINKOWN
59805 + bool "Kernel-enforced SymlinksIfOwnerMatch"
59806 + default y if GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER
59808 + Apache's SymlinksIfOwnerMatch option has an inherent race condition
59809 + that prevents it from being used as a security feature. As Apache
59810 + verifies the symlink by performing a stat() against the target of
59811 + the symlink before it is followed, an attacker can setup a symlink
59812 + to point to a same-owned file, then replace the symlink with one
59813 + that targets another user's file just after Apache "validates" the
59814 + symlink -- a classic TOCTOU race. If you say Y here, a complete,
59815 + race-free replacement for Apache's "SymlinksIfOwnerMatch" option
59816 + will be in place for the group you specify. If the sysctl option
59817 + is enabled, a sysctl option with name "enforce_symlinksifowner" is
59820 +config GRKERNSEC_SYMLINKOWN_GID
59821 + int "GID for users with kernel-enforced SymlinksIfOwnerMatch"
59822 + depends on GRKERNSEC_SYMLINKOWN
59825 + Setting this GID determines what group kernel-enforced
59826 + SymlinksIfOwnerMatch will be enabled for. If the sysctl option
59827 + is enabled, a sysctl option with name "symlinkown_gid" is created.
59829 +config GRKERNSEC_FIFO
59830 + bool "FIFO restrictions"
59831 + default y if GRKERNSEC_CONFIG_AUTO
59833 + If you say Y here, users will not be able to write to FIFOs they don't
59834 + own in world-writable +t directories (e.g. /tmp), unless the owner of
59835 + the FIFO is the same owner of the directory it's held in. If the sysctl
59836 + option is enabled, a sysctl option with name "fifo_restrictions" is
59839 +config GRKERNSEC_SYSFS_RESTRICT
59840 + bool "Sysfs/debugfs restriction"
59841 + default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER)
59844 + If you say Y here, sysfs (the pseudo-filesystem mounted at /sys) and
59845 + any filesystem normally mounted under it (e.g. debugfs) will be
59846 + mostly accessible only by root. These filesystems generally provide access
59847 + to hardware and debug information that isn't appropriate for unprivileged
59848 + users of the system. Sysfs and debugfs have also become a large source
59849 + of new vulnerabilities, ranging from infoleaks to local compromise.
59850 + There has been very little oversight with an eye toward security involved
59851 + in adding new exporters of information to these filesystems, so their
59852 + use is discouraged.
59853 + For reasons of compatibility, a few directories have been whitelisted
59854 + for access by non-root users:
59857 + /sys/devices/system/cpu
59859 +config GRKERNSEC_ROFS
59860 + bool "Runtime read-only mount protection"
59862 + If you say Y here, a sysctl option with name "romount_protect" will
59863 + be created. By setting this option to 1 at runtime, filesystems
59864 + will be protected in the following ways:
59865 + * No new writable mounts will be allowed
59866 + * Existing read-only mounts won't be able to be remounted read/write
59867 + * Write operations will be denied on all block devices
59868 + This option acts independently of grsec_lock: once it is set to 1,
59869 + it cannot be turned off. Therefore, please be mindful of the resulting
59870 + behavior if this option is enabled in an init script on a read-only
59871 + filesystem. This feature is mainly intended for secure embedded systems.
59873 +config GRKERNSEC_DEVICE_SIDECHANNEL
59874 + bool "Eliminate stat/notify-based device sidechannels"
59875 + default y if GRKERNSEC_CONFIG_AUTO
59877 + If you say Y here, timing analyses on block or character
59878 + devices like /dev/ptmx using stat or inotify/dnotify/fanotify
59879 + will be thwarted for unprivileged users. If a process without
59880 + CAP_MKNOD stats such a device, the last access and last modify times
59881 + will match the device's create time. No access or modify events
59882 + will be triggered through inotify/dnotify/fanotify for such devices.
59883 + This feature will prevent attacks that may at a minimum
59884 + allow an attacker to determine the administrator's password length.
59886 +config GRKERNSEC_CHROOT
59887 + bool "Chroot jail restrictions"
59888 + default y if GRKERNSEC_CONFIG_AUTO
59890 + If you say Y here, you will be able to choose several options that will
59891 + make breaking out of a chrooted jail much more difficult. If you
59892 + encounter no software incompatibilities with the following options, it
59893 + is recommended that you enable each one.
59895 +config GRKERNSEC_CHROOT_MOUNT
59896 + bool "Deny mounts"
59897 + default y if GRKERNSEC_CONFIG_AUTO
59898 + depends on GRKERNSEC_CHROOT
59900 + If you say Y here, processes inside a chroot will not be able to
59901 + mount or remount filesystems. If the sysctl option is enabled, a
59902 + sysctl option with name "chroot_deny_mount" is created.
59904 +config GRKERNSEC_CHROOT_DOUBLE
59905 + bool "Deny double-chroots"
59906 + default y if GRKERNSEC_CONFIG_AUTO
59907 + depends on GRKERNSEC_CHROOT
59909 + If you say Y here, processes inside a chroot will not be able to chroot
59910 + again outside the chroot. This is a widely used method of breaking
59911 + out of a chroot jail and should not be allowed. If the sysctl
59912 + option is enabled, a sysctl option with name
59913 + "chroot_deny_chroot" is created.
59915 +config GRKERNSEC_CHROOT_PIVOT
59916 + bool "Deny pivot_root in chroot"
59917 + default y if GRKERNSEC_CONFIG_AUTO
59918 + depends on GRKERNSEC_CHROOT
59920 + If you say Y here, processes inside a chroot will not be able to use
59921 + a function called pivot_root() that was introduced in Linux 2.3.41. It
59922 + works similar to chroot in that it changes the root filesystem. This
59923 + function could be misused in a chrooted process to attempt to break out
59924 + of the chroot, and therefore should not be allowed. If the sysctl
59925 + option is enabled, a sysctl option with name "chroot_deny_pivot" is
59928 +config GRKERNSEC_CHROOT_CHDIR
59929 + bool "Enforce chdir(\"/\") on all chroots"
59930 + default y if GRKERNSEC_CONFIG_AUTO
59931 + depends on GRKERNSEC_CHROOT
59933 + If you say Y here, the current working directory of all newly-chrooted
59934 + applications will be set to the the root directory of the chroot.
59935 + The man page on chroot(2) states:
59936 + Note that this call does not change the current working
59937 + directory, so that `.' can be outside the tree rooted at
59938 + `/'. In particular, the super-user can escape from a
59939 + `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
59941 + It is recommended that you say Y here, since it's not known to break
59942 + any software. If the sysctl option is enabled, a sysctl option with
59943 + name "chroot_enforce_chdir" is created.
59945 +config GRKERNSEC_CHROOT_CHMOD
59946 + bool "Deny (f)chmod +s"
59947 + default y if GRKERNSEC_CONFIG_AUTO
59948 + depends on GRKERNSEC_CHROOT
59950 + If you say Y here, processes inside a chroot will not be able to chmod
59951 + or fchmod files to make them have suid or sgid bits. This protects
59952 + against another published method of breaking a chroot. If the sysctl
59953 + option is enabled, a sysctl option with name "chroot_deny_chmod" is
59956 +config GRKERNSEC_CHROOT_FCHDIR
59957 + bool "Deny fchdir out of chroot"
59958 + default y if GRKERNSEC_CONFIG_AUTO
59959 + depends on GRKERNSEC_CHROOT
59961 + If you say Y here, a well-known method of breaking chroots by fchdir'ing
59962 + to a file descriptor of the chrooting process that points to a directory
59963 + outside the filesystem will be stopped. If the sysctl option
59964 + is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
59966 +config GRKERNSEC_CHROOT_MKNOD
59967 + bool "Deny mknod"
59968 + default y if GRKERNSEC_CONFIG_AUTO
59969 + depends on GRKERNSEC_CHROOT
59971 + If you say Y here, processes inside a chroot will not be allowed to
59972 + mknod. The problem with using mknod inside a chroot is that it
59973 + would allow an attacker to create a device entry that is the same
59974 + as one on the physical root of your system, which could range from
59975 + anything from the console device to a device for your harddrive (which
59976 + they could then use to wipe the drive or steal data). It is recommended
59977 + that you say Y here, unless you run into software incompatibilities.
59978 + If the sysctl option is enabled, a sysctl option with name
59979 + "chroot_deny_mknod" is created.
59981 +config GRKERNSEC_CHROOT_SHMAT
59982 + bool "Deny shmat() out of chroot"
59983 + default y if GRKERNSEC_CONFIG_AUTO
59984 + depends on GRKERNSEC_CHROOT
59986 + If you say Y here, processes inside a chroot will not be able to attach
59987 + to shared memory segments that were created outside of the chroot jail.
59988 + It is recommended that you say Y here. If the sysctl option is enabled,
59989 + a sysctl option with name "chroot_deny_shmat" is created.
59991 +config GRKERNSEC_CHROOT_UNIX
59992 + bool "Deny access to abstract AF_UNIX sockets out of chroot"
59993 + default y if GRKERNSEC_CONFIG_AUTO
59994 + depends on GRKERNSEC_CHROOT
59996 + If you say Y here, processes inside a chroot will not be able to
59997 + connect to abstract (meaning not belonging to a filesystem) Unix
59998 + domain sockets that were bound outside of a chroot. It is recommended
59999 + that you say Y here. If the sysctl option is enabled, a sysctl option
60000 + with name "chroot_deny_unix" is created.
60002 +config GRKERNSEC_CHROOT_FINDTASK
60003 + bool "Protect outside processes"
60004 + default y if GRKERNSEC_CONFIG_AUTO
60005 + depends on GRKERNSEC_CHROOT
60007 + If you say Y here, processes inside a chroot will not be able to
60008 + kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
60009 + getsid, or view any process outside of the chroot. If the sysctl
60010 + option is enabled, a sysctl option with name "chroot_findtask" is
60013 +config GRKERNSEC_CHROOT_NICE
60014 + bool "Restrict priority changes"
60015 + default y if GRKERNSEC_CONFIG_AUTO
60016 + depends on GRKERNSEC_CHROOT
60018 + If you say Y here, processes inside a chroot will not be able to raise
60019 + the priority of processes in the chroot, or alter the priority of
60020 + processes outside the chroot. This provides more security than simply
60021 + removing CAP_SYS_NICE from the process' capability set. If the
60022 + sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
60025 +config GRKERNSEC_CHROOT_SYSCTL
60026 + bool "Deny sysctl writes"
60027 + default y if GRKERNSEC_CONFIG_AUTO
60028 + depends on GRKERNSEC_CHROOT
60030 + If you say Y here, an attacker in a chroot will not be able to
60031 + write to sysctl entries, either by sysctl(2) or through a /proc
60032 + interface. It is strongly recommended that you say Y here. If the
60033 + sysctl option is enabled, a sysctl option with name
60034 + "chroot_deny_sysctl" is created.
60036 +config GRKERNSEC_CHROOT_CAPS
60037 + bool "Capability restrictions"
60038 + default y if GRKERNSEC_CONFIG_AUTO
60039 + depends on GRKERNSEC_CHROOT
60041 + If you say Y here, the capabilities on all processes within a
60042 + chroot jail will be lowered to stop module insertion, raw i/o,
60043 + system and net admin tasks, rebooting the system, modifying immutable
60044 + files, modifying IPC owned by another, and changing the system time.
60045 + This is left an option because it can break some apps. Disable this
60046 + if your chrooted apps are having problems performing those kinds of
60047 + tasks. If the sysctl option is enabled, a sysctl option with
60048 + name "chroot_caps" is created.
60050 +config GRKERNSEC_CHROOT_INITRD
60051 + bool "Exempt initrd tasks from restrictions"
60052 + default y if GRKERNSEC_CONFIG_AUTO
60053 + depends on GRKERNSEC_CHROOT && BLK_DEV_RAM
60055 + If you say Y here, tasks started prior to init will be exempted from
60056 + grsecurity's chroot restrictions. This option is mainly meant to
60057 + resolve Plymouth's performing privileged operations unnecessarily
60061 +menu "Kernel Auditing"
60062 +depends on GRKERNSEC
60064 +config GRKERNSEC_AUDIT_GROUP
60065 + bool "Single group for auditing"
60067 + If you say Y here, the exec and chdir logging features will only operate
60068 + on a group you specify. This option is recommended if you only want to
60069 + watch certain users instead of having a large amount of logs from the
60070 + entire system. If the sysctl option is enabled, a sysctl option with
60071 + name "audit_group" is created.
60073 +config GRKERNSEC_AUDIT_GID
60074 + int "GID for auditing"
60075 + depends on GRKERNSEC_AUDIT_GROUP
60078 +config GRKERNSEC_EXECLOG
60079 + bool "Exec logging"
60081 + If you say Y here, all execve() calls will be logged (since the
60082 + other exec*() calls are frontends to execve(), all execution
60083 + will be logged). Useful for shell-servers that like to keep track
60084 + of their users. If the sysctl option is enabled, a sysctl option with
60085 + name "exec_logging" is created.
60086 + WARNING: This option when enabled will produce a LOT of logs, especially
60087 + on an active system.
60089 +config GRKERNSEC_RESLOG
60090 + bool "Resource logging"
60091 + default y if GRKERNSEC_CONFIG_AUTO
60093 + If you say Y here, all attempts to overstep resource limits will
60094 + be logged with the resource name, the requested size, and the current
60095 + limit. It is highly recommended that you say Y here. If the sysctl
60096 + option is enabled, a sysctl option with name "resource_logging" is
60097 + created. If the RBAC system is enabled, the sysctl value is ignored.
60099 +config GRKERNSEC_CHROOT_EXECLOG
60100 + bool "Log execs within chroot"
60102 + If you say Y here, all executions inside a chroot jail will be logged
60103 + to syslog. This can cause a large amount of logs if certain
60104 + applications (eg. djb's daemontools) are installed on the system, and
60105 + is therefore left as an option. If the sysctl option is enabled, a
60106 + sysctl option with name "chroot_execlog" is created.
60108 +config GRKERNSEC_AUDIT_PTRACE
60109 + bool "Ptrace logging"
60111 + If you say Y here, all attempts to attach to a process via ptrace
60112 + will be logged. If the sysctl option is enabled, a sysctl option
60113 + with name "audit_ptrace" is created.
60115 +config GRKERNSEC_AUDIT_CHDIR
60116 + bool "Chdir logging"
60118 + If you say Y here, all chdir() calls will be logged. If the sysctl
60119 + option is enabled, a sysctl option with name "audit_chdir" is created.
60121 +config GRKERNSEC_AUDIT_MOUNT
60122 + bool "(Un)Mount logging"
60124 + If you say Y here, all mounts and unmounts will be logged. If the
60125 + sysctl option is enabled, a sysctl option with name "audit_mount" is
60128 +config GRKERNSEC_SIGNAL
60129 + bool "Signal logging"
60130 + default y if GRKERNSEC_CONFIG_AUTO
60132 + If you say Y here, certain important signals will be logged, such as
60133 + SIGSEGV, which will as a result inform you of when a error in a program
60134 + occurred, which in some cases could mean a possible exploit attempt.
60135 + If the sysctl option is enabled, a sysctl option with name
60136 + "signal_logging" is created.
60138 +config GRKERNSEC_FORKFAIL
60139 + bool "Fork failure logging"
60141 + If you say Y here, all failed fork() attempts will be logged.
60142 + This could suggest a fork bomb, or someone attempting to overstep
60143 + their process limit. If the sysctl option is enabled, a sysctl option
60144 + with name "forkfail_logging" is created.
60146 +config GRKERNSEC_TIME
60147 + bool "Time change logging"
60148 + default y if GRKERNSEC_CONFIG_AUTO
60150 + If you say Y here, any changes of the system clock will be logged.
60151 + If the sysctl option is enabled, a sysctl option with name
60152 + "timechange_logging" is created.
60154 +config GRKERNSEC_PROC_IPADDR
60155 + bool "/proc/<pid>/ipaddr support"
60156 + default y if GRKERNSEC_CONFIG_AUTO
60158 + If you say Y here, a new entry will be added to each /proc/<pid>
60159 + directory that contains the IP address of the person using the task.
60160 + The IP is carried across local TCP and AF_UNIX stream sockets.
60161 + This information can be useful for IDS/IPSes to perform remote response
60162 + to a local attack. The entry is readable by only the owner of the
60163 + process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
60164 + the RBAC system), and thus does not create privacy concerns.
60166 +config GRKERNSEC_RWXMAP_LOG
60167 + bool 'Denied RWX mmap/mprotect logging'
60168 + default y if GRKERNSEC_CONFIG_AUTO
60169 + depends on PAX_MPROTECT && !PAX_EMUPLT && !PAX_EMUSIGRT
60171 + If you say Y here, calls to mmap() and mprotect() with explicit
60172 + usage of PROT_WRITE and PROT_EXEC together will be logged when
60173 + denied by the PAX_MPROTECT feature. This feature will also
60174 + log other problematic scenarios that can occur when PAX_MPROTECT
60175 + is enabled on a binary, like textrels and PT_GNU_STACK. If the
60176 + sysctl option is enabled, a sysctl option with name "rwxmap_logging"
60181 +menu "Executable Protections"
60182 +depends on GRKERNSEC
60184 +config GRKERNSEC_DMESG
60185 + bool "Dmesg(8) restriction"
60186 + default y if GRKERNSEC_CONFIG_AUTO
60188 + If you say Y here, non-root users will not be able to use dmesg(8)
60189 + to view the contents of the kernel's circular log buffer.
60190 + The kernel's log buffer often contains kernel addresses and other
60191 + identifying information useful to an attacker in fingerprinting a
60192 + system for a targeted exploit.
60193 + If the sysctl option is enabled, a sysctl option with name "dmesg" is
60196 +config GRKERNSEC_HARDEN_PTRACE
60197 + bool "Deter ptrace-based process snooping"
60198 + default y if GRKERNSEC_CONFIG_AUTO
60200 + If you say Y here, TTY sniffers and other malicious monitoring
60201 + programs implemented through ptrace will be defeated. If you
60202 + have been using the RBAC system, this option has already been
60203 + enabled for several years for all users, with the ability to make
60204 + fine-grained exceptions.
60206 + This option only affects the ability of non-root users to ptrace
60207 + processes that are not a descendent of the ptracing process.
60208 + This means that strace ./binary and gdb ./binary will still work,
60209 + but attaching to arbitrary processes will not. If the sysctl
60210 + option is enabled, a sysctl option with name "harden_ptrace" is
60213 +config GRKERNSEC_PTRACE_READEXEC
60214 + bool "Require read access to ptrace sensitive binaries"
60215 + default y if GRKERNSEC_CONFIG_AUTO
60217 + If you say Y here, unprivileged users will not be able to ptrace unreadable
60218 + binaries. This option is useful in environments that
60219 + remove the read bits (e.g. file mode 4711) from suid binaries to
60220 + prevent infoleaking of their contents. This option adds
60221 + consistency to the use of that file mode, as the binary could normally
60222 + be read out when run without privileges while ptracing.
60224 + If the sysctl option is enabled, a sysctl option with name "ptrace_readexec"
60227 +config GRKERNSEC_SETXID
60228 + bool "Enforce consistent multithreaded privileges"
60229 + default y if GRKERNSEC_CONFIG_AUTO
60230 + depends on (X86 || SPARC64 || PPC || ARM || MIPS)
60232 + If you say Y here, a change from a root uid to a non-root uid
60233 + in a multithreaded application will cause the resulting uids,
60234 + gids, supplementary groups, and capabilities in that thread
60235 + to be propagated to the other threads of the process. In most
60236 + cases this is unnecessary, as glibc will emulate this behavior
60237 + on behalf of the application. Other libcs do not act in the
60238 + same way, allowing the other threads of the process to continue
60239 + running with root privileges. If the sysctl option is enabled,
60240 + a sysctl option with name "consistent_setxid" is created.
60242 +config GRKERNSEC_TPE
60243 + bool "Trusted Path Execution (TPE)"
60244 + default y if GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER
60246 + If you say Y here, you will be able to choose a gid to add to the
60247 + supplementary groups of users you want to mark as "untrusted."
60248 + These users will not be able to execute any files that are not in
60249 + root-owned directories writable only by root. If the sysctl option
60250 + is enabled, a sysctl option with name "tpe" is created.
60252 +config GRKERNSEC_TPE_ALL
60253 + bool "Partially restrict all non-root users"
60254 + depends on GRKERNSEC_TPE
60256 + If you say Y here, all non-root users will be covered under
60257 + a weaker TPE restriction. This is separate from, and in addition to,
60258 + the main TPE options that you have selected elsewhere. Thus, if a
60259 + "trusted" GID is chosen, this restriction applies to even that GID.
60260 + Under this restriction, all non-root users will only be allowed to
60261 + execute files in directories they own that are not group or
60262 + world-writable, or in directories owned by root and writable only by
60263 + root. If the sysctl option is enabled, a sysctl option with name
60264 + "tpe_restrict_all" is created.
60266 +config GRKERNSEC_TPE_INVERT
60267 + bool "Invert GID option"
60268 + depends on GRKERNSEC_TPE
60270 + If you say Y here, the group you specify in the TPE configuration will
60271 + decide what group TPE restrictions will be *disabled* for. This
60272 + option is useful if you want TPE restrictions to be applied to most
60273 + users on the system. If the sysctl option is enabled, a sysctl option
60274 + with name "tpe_invert" is created. Unlike other sysctl options, this
60275 + entry will default to on for backward-compatibility.
60277 +config GRKERNSEC_TPE_GID
60279 + default GRKERNSEC_TPE_UNTRUSTED_GID if (GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT)
60280 + default GRKERNSEC_TPE_TRUSTED_GID if (GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT)
60282 +config GRKERNSEC_TPE_UNTRUSTED_GID
60283 + int "GID for TPE-untrusted users"
60284 + depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
60287 + Setting this GID determines what group TPE restrictions will be
60288 + *enabled* for. If the sysctl option is enabled, a sysctl option
60289 + with name "tpe_gid" is created.
60291 +config GRKERNSEC_TPE_TRUSTED_GID
60292 + int "GID for TPE-trusted users"
60293 + depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
60296 + Setting this GID determines what group TPE restrictions will be
60297 + *disabled* for. If the sysctl option is enabled, a sysctl option
60298 + with name "tpe_gid" is created.
60301 +menu "Network Protections"
60302 +depends on GRKERNSEC
60304 +config GRKERNSEC_RANDNET
60305 + bool "Larger entropy pools"
60306 + default y if GRKERNSEC_CONFIG_AUTO
60308 + If you say Y here, the entropy pools used for many features of Linux
60309 + and grsecurity will be doubled in size. Since several grsecurity
60310 + features use additional randomness, it is recommended that you say Y
60311 + here. Saying Y here has a similar effect as modifying
60312 + /proc/sys/kernel/random/poolsize.
60314 +config GRKERNSEC_BLACKHOLE
60315 + bool "TCP/UDP blackhole and LAST_ACK DoS prevention"
60316 + default y if GRKERNSEC_CONFIG_AUTO
60319 + If you say Y here, neither TCP resets nor ICMP
60320 + destination-unreachable packets will be sent in response to packets
60321 + sent to ports for which no associated listening process exists.
60322 + This feature supports both IPV4 and IPV6 and exempts the
60323 + loopback interface from blackholing. Enabling this feature
60324 + makes a host more resilient to DoS attacks and reduces network
60325 + visibility against scanners.
60327 + The blackhole feature as-implemented is equivalent to the FreeBSD
60328 + blackhole feature, as it prevents RST responses to all packets, not
60329 + just SYNs. Under most application behavior this causes no
60330 + problems, but applications (like haproxy) may not close certain
60331 + connections in a way that cleanly terminates them on the remote
60332 + end, leaving the remote host in LAST_ACK state. Because of this
60333 + side-effect and to prevent intentional LAST_ACK DoSes, this
60334 + feature also adds automatic mitigation against such attacks.
60335 + The mitigation drastically reduces the amount of time a socket
60336 + can spend in LAST_ACK state. If you're using haproxy and not
60337 + all servers it connects to have this option enabled, consider
60338 + disabling this feature on the haproxy host.
60340 + If the sysctl option is enabled, two sysctl options with names
60341 + "ip_blackhole" and "lastack_retries" will be created.
60342 + While "ip_blackhole" takes the standard zero/non-zero on/off
60343 + toggle, "lastack_retries" uses the same kinds of values as
60344 + "tcp_retries1" and "tcp_retries2". The default value of 4
60345 + prevents a socket from lasting more than 45 seconds in LAST_ACK
60348 +config GRKERNSEC_NO_SIMULT_CONNECT
60349 + bool "Disable TCP Simultaneous Connect"
60350 + default y if GRKERNSEC_CONFIG_AUTO
60353 + If you say Y here, a feature by Willy Tarreau will be enabled that
60354 + removes a weakness in Linux's strict implementation of TCP that
60355 + allows two clients to connect to each other without either entering
60356 + a listening state. The weakness allows an attacker to easily prevent
60357 + a client from connecting to a known server provided the source port
60358 + for the connection is guessed correctly.
60360 + As the weakness could be used to prevent an antivirus or IPS from
60361 + fetching updates, or prevent an SSL gateway from fetching a CRL,
60362 + it should be eliminated by enabling this option. Though Linux is
60363 + one of few operating systems supporting simultaneous connect, it
60364 + has no legitimate use in practice and is rarely supported by firewalls.
60366 +config GRKERNSEC_SOCKET
60367 + bool "Socket restrictions"
60370 + If you say Y here, you will be able to choose from several options.
60371 + If you assign a GID on your system and add it to the supplementary
60372 + groups of users you want to restrict socket access to, this patch
60373 + will perform up to three things, based on the option(s) you choose.
60375 +config GRKERNSEC_SOCKET_ALL
60376 + bool "Deny any sockets to group"
60377 + depends on GRKERNSEC_SOCKET
60379 + If you say Y here, you will be able to choose a GID of whose users will
60380 + be unable to connect to other hosts from your machine or run server
60381 + applications from your machine. If the sysctl option is enabled, a
60382 + sysctl option with name "socket_all" is created.
60384 +config GRKERNSEC_SOCKET_ALL_GID
60385 + int "GID to deny all sockets for"
60386 + depends on GRKERNSEC_SOCKET_ALL
60389 + Here you can choose the GID to disable socket access for. Remember to
60390 + add the users you want socket access disabled for to the GID
60391 + specified here. If the sysctl option is enabled, a sysctl option
60392 + with name "socket_all_gid" is created.
60394 +config GRKERNSEC_SOCKET_CLIENT
60395 + bool "Deny client sockets to group"
60396 + depends on GRKERNSEC_SOCKET
60398 + If you say Y here, you will be able to choose a GID of whose users will
60399 + be unable to connect to other hosts from your machine, but will be
60400 + able to run servers. If this option is enabled, all users in the group
60401 + you specify will have to use passive mode when initiating ftp transfers
60402 + from the shell on your machine. If the sysctl option is enabled, a
60403 + sysctl option with name "socket_client" is created.
60405 +config GRKERNSEC_SOCKET_CLIENT_GID
60406 + int "GID to deny client sockets for"
60407 + depends on GRKERNSEC_SOCKET_CLIENT
60410 + Here you can choose the GID to disable client socket access for.
60411 + Remember to add the users you want client socket access disabled for to
60412 + the GID specified here. If the sysctl option is enabled, a sysctl
60413 + option with name "socket_client_gid" is created.
60415 +config GRKERNSEC_SOCKET_SERVER
60416 + bool "Deny server sockets to group"
60417 + depends on GRKERNSEC_SOCKET
60419 + If you say Y here, you will be able to choose a GID of whose users will
60420 + be unable to run server applications from your machine. If the sysctl
60421 + option is enabled, a sysctl option with name "socket_server" is created.
60423 +config GRKERNSEC_SOCKET_SERVER_GID
60424 + int "GID to deny server sockets for"
60425 + depends on GRKERNSEC_SOCKET_SERVER
60428 + Here you can choose the GID to disable server socket access for.
60429 + Remember to add the users you want server socket access disabled for to
60430 + the GID specified here. If the sysctl option is enabled, a sysctl
60431 + option with name "socket_server_gid" is created.
60434 +menu "Sysctl Support"
60435 +depends on GRKERNSEC && SYSCTL
60437 +config GRKERNSEC_SYSCTL
60438 + bool "Sysctl support"
60439 + default y if GRKERNSEC_CONFIG_AUTO
60441 + If you say Y here, you will be able to change the options that
60442 + grsecurity runs with at bootup, without having to recompile your
60443 + kernel. You can echo values to files in /proc/sys/kernel/grsecurity
60444 + to enable (1) or disable (0) various features. All the sysctl entries
60445 + are mutable until the "grsec_lock" entry is set to a non-zero value.
60446 + All features enabled in the kernel configuration are disabled at boot
60447 + if you do not say Y to the "Turn on features by default" option.
60448 + All options should be set at startup, and the grsec_lock entry should
60449 + be set to a non-zero value after all the options are set.
60450 + *THIS IS EXTREMELY IMPORTANT*
60452 +config GRKERNSEC_SYSCTL_DISTRO
60453 + bool "Extra sysctl support for distro makers (READ HELP)"
60454 + depends on GRKERNSEC_SYSCTL && GRKERNSEC_IO
60456 + If you say Y here, additional sysctl options will be created
60457 + for features that affect processes running as root. Therefore,
60458 + it is critical when using this option that the grsec_lock entry be
60459 + enabled after boot. Only distros with prebuilt kernel packages
60460 + with this option enabled that can ensure grsec_lock is enabled
60461 + after boot should use this option.
60462 + *Failure to set grsec_lock after boot makes all grsec features
60463 + this option covers useless*
60465 + Currently this option creates the following sysctl entries:
60466 + "Disable Privileged I/O": "disable_priv_io"
60468 +config GRKERNSEC_SYSCTL_ON
60469 + bool "Turn on features by default"
60470 + default y if GRKERNSEC_CONFIG_AUTO
60471 + depends on GRKERNSEC_SYSCTL
60473 + If you say Y here, instead of having all features enabled in the
60474 + kernel configuration disabled at boot time, the features will be
60475 + enabled at boot time. It is recommended you say Y here unless
60476 + there is some reason you would want all sysctl-tunable features to
60477 + be disabled by default. As mentioned elsewhere, it is important
60478 + to enable the grsec_lock entry once you have finished modifying
60479 + the sysctl entries.
60482 +menu "Logging Options"
60483 +depends on GRKERNSEC
60485 +config GRKERNSEC_FLOODTIME
60486 + int "Seconds in between log messages (minimum)"
60489 + This option allows you to enforce the number of seconds between
60490 + grsecurity log messages. The default should be suitable for most
60491 + people, however, if you choose to change it, choose a value small enough
60492 + to allow informative logs to be produced, but large enough to
60493 + prevent flooding.
60495 +config GRKERNSEC_FLOODBURST
60496 + int "Number of messages in a burst (maximum)"
60499 + This option allows you to choose the maximum number of messages allowed
60500 + within the flood time interval you chose in a separate option. The
60501 + default should be suitable for most people, however if you find that
60502 + many of your logs are being interpreted as flooding, you may want to
60503 + raise this value.
60506 diff --git a/grsecurity/Makefile b/grsecurity/Makefile
60507 new file mode 100644
60508 index 0000000..36845aa
60510 +++ b/grsecurity/Makefile
60512 +# grsecurity's ACL system was originally written in 2001 by Michael Dalton
60513 +# during 2001-2009 it has been completely redesigned by Brad Spengler
60514 +# into an RBAC system
60516 +# All code in this directory and various hooks inserted throughout the kernel
60517 +# are copyright Brad Spengler - Open Source Security, Inc., and released
60518 +# under the GPL v2 or higher
60520 +KBUILD_CFLAGS += -Werror
60522 +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
60523 + grsec_mount.o grsec_sig.o grsec_sysctl.o \
60524 + grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o
60526 +obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_segv.o \
60527 + gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
60528 + gracl_learn.o grsec_log.o
60529 +ifdef CONFIG_COMPAT
60530 +obj-$(CONFIG_GRKERNSEC) += gracl_compat.o
60533 +obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
60536 +obj-y += grsec_sock.o
60537 +obj-$(CONFIG_GRKERNSEC) += gracl_ip.o
60540 +ifndef CONFIG_GRKERNSEC
60541 +obj-y += grsec_disabled.o
60544 +ifdef CONFIG_GRKERNSEC_HIDESYM
60545 +extra-y := grsec_hidesym.o
60546 +$(obj)/grsec_hidesym.o:
60547 + @-chmod -f 500 /boot
60548 + @-chmod -f 500 /lib/modules
60549 + @-chmod -f 500 /lib64/modules
60550 + @-chmod -f 500 /lib32/modules
60552 + @echo ' grsec: protected kernel image paths'
60554 diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
60555 new file mode 100644
60556 index 0000000..c0793fd
60558 +++ b/grsecurity/gracl.c
60560 +#include <linux/kernel.h>
60561 +#include <linux/module.h>
60562 +#include <linux/sched.h>
60563 +#include <linux/mm.h>
60564 +#include <linux/file.h>
60565 +#include <linux/fs.h>
60566 +#include <linux/namei.h>
60567 +#include <linux/mount.h>
60568 +#include <linux/tty.h>
60569 +#include <linux/proc_fs.h>
60570 +#include <linux/lglock.h>
60571 +#include <linux/slab.h>
60572 +#include <linux/vmalloc.h>
60573 +#include <linux/types.h>
60574 +#include <linux/sysctl.h>
60575 +#include <linux/netdevice.h>
60576 +#include <linux/ptrace.h>
60577 +#include <linux/gracl.h>
60578 +#include <linux/gralloc.h>
60579 +#include <linux/security.h>
60580 +#include <linux/grinternal.h>
60581 +#include <linux/pid_namespace.h>
60582 +#include <linux/stop_machine.h>
60583 +#include <linux/fdtable.h>
60584 +#include <linux/percpu.h>
60585 +#include <linux/lglock.h>
60586 +#include <linux/hugetlb.h>
60587 +#include <linux/posix-timers.h>
60588 +#if defined(CONFIG_BTRFS_FS) || defined(CONFIG_BTRFS_FS_MODULE)
60589 +#include <linux/magic.h>
60590 +#include <linux/pagemap.h>
60591 +#include "../fs/btrfs/async-thread.h"
60592 +#include "../fs/btrfs/ctree.h"
60593 +#include "../fs/btrfs/btrfs_inode.h"
60595 +#include "../fs/mount.h"
60597 +#include <asm/uaccess.h>
60598 +#include <asm/errno.h>
60599 +#include <asm/mman.h>
60601 +extern struct lglock vfsmount_lock;
60603 +static struct acl_role_db acl_role_set;
60604 +static struct name_db name_set;
60605 +static struct inodev_db inodev_set;
60607 +/* for keeping track of userspace pointers used for subjects, so we
60608 + can share references in the kernel as well
60611 +static struct path real_root;
60613 +static struct acl_subj_map_db subj_map_set;
60615 +static struct acl_role_label *default_role;
60617 +static struct acl_role_label *role_list;
60619 +static u16 acl_sp_role_value;
60621 +extern char *gr_shared_page[4];
60622 +static DEFINE_MUTEX(gr_dev_mutex);
60623 +DEFINE_RWLOCK(gr_inode_lock);
60625 +struct gr_arg *gr_usermode;
60627 +static unsigned int gr_status __read_only = GR_STATUS_INIT;
60629 +extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
60630 +extern void gr_clear_learn_entries(void);
60632 +unsigned char *gr_system_salt;
60633 +unsigned char *gr_system_sum;
60635 +static struct sprole_pw **acl_special_roles = NULL;
60636 +static __u16 num_sprole_pws = 0;
60638 +static struct acl_role_label *kernel_role = NULL;
60640 +static unsigned int gr_auth_attempts = 0;
60641 +static unsigned long gr_auth_expires = 0UL;
60644 +extern struct vfsmount *sock_mnt;
60647 +extern struct vfsmount *pipe_mnt;
60648 +extern struct vfsmount *shm_mnt;
60650 +#ifdef CONFIG_HUGETLBFS
60651 +extern struct vfsmount *hugetlbfs_vfsmount[HUGE_MAX_HSTATE];
60654 +static struct acl_object_label *fakefs_obj_rw;
60655 +static struct acl_object_label *fakefs_obj_rwx;
60657 +extern int gr_init_uidset(void);
60658 +extern void gr_free_uidset(void);
60659 +extern void gr_remove_uid(uid_t uid);
60660 +extern int gr_find_uid(uid_t uid);
60662 +static int copy_acl_object_label_normal(struct acl_object_label *obj, const struct acl_object_label *userp)
60664 + if (copy_from_user(obj, userp, sizeof(struct acl_object_label)))
60670 +static int copy_acl_ip_label_normal(struct acl_ip_label *ip, const struct acl_ip_label *userp)
60672 + if (copy_from_user(ip, userp, sizeof(struct acl_ip_label)))
60678 +static int copy_acl_subject_label_normal(struct acl_subject_label *subj, const struct acl_subject_label *userp)
60680 + if (copy_from_user(subj, userp, sizeof(struct acl_subject_label)))
60686 +static int copy_acl_role_label_normal(struct acl_role_label *role, const struct acl_role_label *userp)
60688 + if (copy_from_user(role, userp, sizeof(struct acl_role_label)))
60694 +static int copy_role_allowed_ip_normal(struct role_allowed_ip *roleip, const struct role_allowed_ip *userp)
60696 + if (copy_from_user(roleip, userp, sizeof(struct role_allowed_ip)))
60702 +static int copy_sprole_pw_normal(struct sprole_pw *pw, unsigned long idx, const struct sprole_pw *userp)
60704 + if (copy_from_user(pw, userp + idx, sizeof(struct sprole_pw)))
60710 +static int copy_gr_hash_struct_normal(struct gr_hash_struct *hash, const struct gr_hash_struct *userp)
60712 + if (copy_from_user(hash, userp, sizeof(struct gr_hash_struct)))
60718 +static int copy_role_transition_normal(struct role_transition *trans, const struct role_transition *userp)
60720 + if (copy_from_user(trans, userp, sizeof(struct role_transition)))
60726 +int copy_pointer_from_array_normal(void *ptr, unsigned long idx, const void *userp)
60728 + if (copy_from_user(ptr, userp + (idx * sizeof(void *)), sizeof(void *)))
60734 +static int copy_gr_arg_wrapper_normal(const char __user *buf, struct gr_arg_wrapper *uwrap)
60736 + if (copy_from_user(uwrap, buf, sizeof (struct gr_arg_wrapper)))
60739 + if ((uwrap->version != GRSECURITY_VERSION) || (uwrap->size != sizeof(struct gr_arg)))
60745 +static int copy_gr_arg_normal(const struct gr_arg __user *buf, struct gr_arg *arg)
60747 + if (copy_from_user(arg, buf, sizeof (struct gr_arg)))
60753 +static size_t get_gr_arg_wrapper_size_normal(void)
60755 + return sizeof(struct gr_arg_wrapper);
60758 +#ifdef CONFIG_COMPAT
60759 +extern int copy_gr_arg_wrapper_compat(const char *buf, struct gr_arg_wrapper *uwrap);
60760 +extern int copy_gr_arg_compat(const struct gr_arg __user *buf, struct gr_arg *arg);
60761 +extern int copy_acl_object_label_compat(struct acl_object_label *obj, const struct acl_object_label *userp);
60762 +extern int copy_acl_subject_label_compat(struct acl_subject_label *subj, const struct acl_subject_label *userp);
60763 +extern int copy_acl_role_label_compat(struct acl_role_label *role, const struct acl_role_label *userp);
60764 +extern int copy_role_allowed_ip_compat(struct role_allowed_ip *roleip, const struct role_allowed_ip *userp);
60765 +extern int copy_role_transition_compat(struct role_transition *trans, const struct role_transition *userp);
60766 +extern int copy_gr_hash_struct_compat(struct gr_hash_struct *hash, const struct gr_hash_struct *userp);
60767 +extern int copy_pointer_from_array_compat(void *ptr, unsigned long idx, const void *userp);
60768 +extern int copy_acl_ip_label_compat(struct acl_ip_label *ip, const struct acl_ip_label *userp);
60769 +extern int copy_sprole_pw_compat(struct sprole_pw *pw, unsigned long idx, const struct sprole_pw *userp);
60770 +extern size_t get_gr_arg_wrapper_size_compat(void);
60772 +int (* copy_gr_arg_wrapper)(const char *buf, struct gr_arg_wrapper *uwrap) __read_only;
60773 +int (* copy_gr_arg)(const struct gr_arg *buf, struct gr_arg *arg) __read_only;
60774 +int (* copy_acl_object_label)(struct acl_object_label *obj, const struct acl_object_label *userp) __read_only;
60775 +int (* copy_acl_subject_label)(struct acl_subject_label *subj, const struct acl_subject_label *userp) __read_only;
60776 +int (* copy_acl_role_label)(struct acl_role_label *role, const struct acl_role_label *userp) __read_only;
60777 +int (* copy_acl_ip_label)(struct acl_ip_label *ip, const struct acl_ip_label *userp) __read_only;
60778 +int (* copy_pointer_from_array)(void *ptr, unsigned long idx, const void *userp) __read_only;
60779 +int (* copy_sprole_pw)(struct sprole_pw *pw, unsigned long idx, const struct sprole_pw *userp) __read_only;
60780 +int (* copy_gr_hash_struct)(struct gr_hash_struct *hash, const struct gr_hash_struct *userp) __read_only;
60781 +int (* copy_role_transition)(struct role_transition *trans, const struct role_transition *userp) __read_only;
60782 +int (* copy_role_allowed_ip)(struct role_allowed_ip *roleip, const struct role_allowed_ip *userp) __read_only;
60783 +size_t (* get_gr_arg_wrapper_size)(void) __read_only;
60786 +#define copy_gr_arg_wrapper copy_gr_arg_wrapper_normal
60787 +#define copy_gr_arg copy_gr_arg_normal
60788 +#define copy_gr_hash_struct copy_gr_hash_struct_normal
60789 +#define copy_acl_object_label copy_acl_object_label_normal
60790 +#define copy_acl_subject_label copy_acl_subject_label_normal
60791 +#define copy_acl_role_label copy_acl_role_label_normal
60792 +#define copy_acl_ip_label copy_acl_ip_label_normal
60793 +#define copy_pointer_from_array copy_pointer_from_array_normal
60794 +#define copy_sprole_pw copy_sprole_pw_normal
60795 +#define copy_role_transition copy_role_transition_normal
60796 +#define copy_role_allowed_ip copy_role_allowed_ip_normal
60797 +#define get_gr_arg_wrapper_size get_gr_arg_wrapper_size_normal
60801 +gr_acl_is_enabled(void)
60803 + return (gr_status & GR_READY);
60806 +static inline dev_t __get_dev(const struct dentry *dentry)
60808 +#if defined(CONFIG_BTRFS_FS) || defined(CONFIG_BTRFS_FS_MODULE)
60809 + if (dentry->d_sb->s_magic == BTRFS_SUPER_MAGIC)
60810 + return BTRFS_I(dentry->d_inode)->root->anon_dev;
60813 + return dentry->d_sb->s_dev;
60816 +dev_t gr_get_dev_from_dentry(struct dentry *dentry)
60818 + return __get_dev(dentry);
60821 +static char gr_task_roletype_to_char(struct task_struct *task)
60823 + switch (task->role->roletype &
60824 + (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
60825 + GR_ROLE_SPECIAL)) {
60826 + case GR_ROLE_DEFAULT:
60828 + case GR_ROLE_USER:
60830 + case GR_ROLE_GROUP:
60832 + case GR_ROLE_SPECIAL:
60839 +char gr_roletype_to_char(void)
60841 + return gr_task_roletype_to_char(current);
60845 +gr_acl_tpe_check(void)
60847 + if (unlikely(!(gr_status & GR_READY)))
60849 + if (current->role->roletype & GR_ROLE_TPE)
60856 +gr_handle_rawio(const struct inode *inode)
60858 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
60859 + if (inode && S_ISBLK(inode->i_mode) &&
60860 + grsec_enable_chroot_caps && proc_is_chrooted(current) &&
60861 + !capable(CAP_SYS_RAWIO))
60868 +gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
60870 + if (likely(lena != lenb))
60873 + return !memcmp(a, b, lena);
60876 +static int prepend(char **buffer, int *buflen, const char *str, int namelen)
60878 + *buflen -= namelen;
60880 + return -ENAMETOOLONG;
60881 + *buffer -= namelen;
60882 + memcpy(*buffer, str, namelen);
60886 +static int prepend_name(char **buffer, int *buflen, struct qstr *name)
60888 + return prepend(buffer, buflen, name->name, name->len);
60891 +static int prepend_path(const struct path *path, struct path *root,
60892 + char **buffer, int *buflen)
60894 + struct dentry *dentry = path->dentry;
60895 + struct vfsmount *vfsmnt = path->mnt;
60896 + struct mount *mnt = real_mount(vfsmnt);
60897 + bool slash = false;
60900 + while (dentry != root->dentry || vfsmnt != root->mnt) {
60901 + struct dentry * parent;
60903 + if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
60904 + /* Global root? */
60905 + if (!mnt_has_parent(mnt)) {
60908 + dentry = mnt->mnt_mountpoint;
60909 + mnt = mnt->mnt_parent;
60910 + vfsmnt = &mnt->mnt;
60913 + parent = dentry->d_parent;
60914 + prefetch(parent);
60915 + spin_lock(&dentry->d_lock);
60916 + error = prepend_name(buffer, buflen, &dentry->d_name);
60917 + spin_unlock(&dentry->d_lock);
60919 + error = prepend(buffer, buflen, "/", 1);
60928 + if (!error && !slash)
60929 + error = prepend(buffer, buflen, "/", 1);
60934 +/* this must be called with vfsmount_lock and rename_lock held */
60936 +static char *__our_d_path(const struct path *path, struct path *root,
60937 + char *buf, int buflen)
60939 + char *res = buf + buflen;
60942 + prepend(&res, &buflen, "\0", 1);
60943 + error = prepend_path(path, root, &res, &buflen);
60945 + return ERR_PTR(error);
60951 +gen_full_path(struct path *path, struct path *root, char *buf, int buflen)
60955 + retval = __our_d_path(path, root, buf, buflen);
60956 + if (unlikely(IS_ERR(retval)))
60957 + retval = strcpy(buf, "<path too long>");
60958 + else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
60959 + retval[1] = '\0';
60965 +__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
60966 + char *buf, int buflen)
60968 + struct path path;
60971 + path.dentry = (struct dentry *)dentry;
60972 + path.mnt = (struct vfsmount *)vfsmnt;
60974 + /* we can use real_root.dentry, real_root.mnt, because this is only called
60975 + by the RBAC system */
60976 + res = gen_full_path(&path, &real_root, buf, buflen);
60982 +d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
60983 + char *buf, int buflen)
60986 + struct path path;
60987 + struct path root;
60988 + struct task_struct *reaper = init_pid_ns.child_reaper;
60990 + path.dentry = (struct dentry *)dentry;
60991 + path.mnt = (struct vfsmount *)vfsmnt;
60993 + /* we can't use real_root.dentry, real_root.mnt, because they belong only to the RBAC system */
60994 + get_fs_root(reaper->fs, &root);
60996 + br_read_lock(&vfsmount_lock);
60997 + write_seqlock(&rename_lock);
60998 + res = gen_full_path(&path, &root, buf, buflen);
60999 + write_sequnlock(&rename_lock);
61000 + br_read_unlock(&vfsmount_lock);
61007 +gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
61010 + br_read_lock(&vfsmount_lock);
61011 + write_seqlock(&rename_lock);
61012 + ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
61014 + write_sequnlock(&rename_lock);
61015 + br_read_unlock(&vfsmount_lock);
61020 +gr_to_proc_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
61026 + br_read_lock(&vfsmount_lock);
61027 + write_seqlock(&rename_lock);
61028 + buf = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
61029 + ret = __d_real_path(dentry, mnt, buf, PAGE_SIZE - 6);
61030 + buflen = (int)(ret - buf);
61032 + prepend(&ret, &buflen, "/proc", 5);
61034 + ret = strcpy(buf, "<path too long>");
61035 + write_sequnlock(&rename_lock);
61036 + br_read_unlock(&vfsmount_lock);
61041 +gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
61043 + return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
61048 +gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
61050 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
61055 +gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
61057 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
61062 +gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
61064 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
61069 +gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
61071 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
61076 +to_gr_audit(const __u32 reqmode)
61078 + /* masks off auditable permission flags, then shifts them to create
61079 + auditing flags, and adds the special case of append auditing if
61080 + we're requesting write */
61081 + return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
61084 +struct acl_subject_label *
61085 +lookup_subject_map(const struct acl_subject_label *userp)
61087 + unsigned int index = gr_shash(userp, subj_map_set.s_size);
61088 + struct subject_map *match;
61090 + match = subj_map_set.s_hash[index];
61092 + while (match && match->user != userp)
61093 + match = match->next;
61095 + if (match != NULL)
61096 + return match->kernel;
61102 +insert_subj_map_entry(struct subject_map *subjmap)
61104 + unsigned int index = gr_shash(subjmap->user, subj_map_set.s_size);
61105 + struct subject_map **curr;
61107 + subjmap->prev = NULL;
61109 + curr = &subj_map_set.s_hash[index];
61110 + if (*curr != NULL)
61111 + (*curr)->prev = subjmap;
61113 + subjmap->next = *curr;
61119 +static struct acl_role_label *
61120 +lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
61123 + unsigned int index = gr_rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
61124 + struct acl_role_label *match;
61125 + struct role_allowed_ip *ipp;
61127 + u32 curr_ip = task->signal->curr_ip;
61129 + task->signal->saved_ip = curr_ip;
61131 + match = acl_role_set.r_hash[index];
61134 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
61135 + for (x = 0; x < match->domain_child_num; x++) {
61136 + if (match->domain_children[x] == uid)
61139 + } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
61141 + match = match->next;
61144 + if (match == NULL) {
61146 + index = gr_rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
61147 + match = acl_role_set.r_hash[index];
61150 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
61151 + for (x = 0; x < match->domain_child_num; x++) {
61152 + if (match->domain_children[x] == gid)
61155 + } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
61157 + match = match->next;
61160 + if (match == NULL)
61161 + match = default_role;
61162 + if (match->allowed_ips == NULL)
61165 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
61167 + ((ntohl(curr_ip) & ipp->netmask) ==
61168 + (ntohl(ipp->addr) & ipp->netmask)))
61171 + match = default_role;
61173 + } else if (match->allowed_ips == NULL) {
61176 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
61178 + ((ntohl(curr_ip) & ipp->netmask) ==
61179 + (ntohl(ipp->addr) & ipp->netmask)))
61188 +struct acl_subject_label *
61189 +lookup_acl_subj_label(const ino_t ino, const dev_t dev,
61190 + const struct acl_role_label *role)
61192 + unsigned int index = gr_fhash(ino, dev, role->subj_hash_size);
61193 + struct acl_subject_label *match;
61195 + match = role->subj_hash[index];
61197 + while (match && (match->inode != ino || match->device != dev ||
61198 + (match->mode & GR_DELETED))) {
61199 + match = match->next;
61202 + if (match && !(match->mode & GR_DELETED))
61208 +struct acl_subject_label *
61209 +lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev,
61210 + const struct acl_role_label *role)
61212 + unsigned int index = gr_fhash(ino, dev, role->subj_hash_size);
61213 + struct acl_subject_label *match;
61215 + match = role->subj_hash[index];
61217 + while (match && (match->inode != ino || match->device != dev ||
61218 + !(match->mode & GR_DELETED))) {
61219 + match = match->next;
61222 + if (match && (match->mode & GR_DELETED))
61228 +static struct acl_object_label *
61229 +lookup_acl_obj_label(const ino_t ino, const dev_t dev,
61230 + const struct acl_subject_label *subj)
61232 + unsigned int index = gr_fhash(ino, dev, subj->obj_hash_size);
61233 + struct acl_object_label *match;
61235 + match = subj->obj_hash[index];
61237 + while (match && (match->inode != ino || match->device != dev ||
61238 + (match->mode & GR_DELETED))) {
61239 + match = match->next;
61242 + if (match && !(match->mode & GR_DELETED))
61248 +static struct acl_object_label *
61249 +lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
61250 + const struct acl_subject_label *subj)
61252 + unsigned int index = gr_fhash(ino, dev, subj->obj_hash_size);
61253 + struct acl_object_label *match;
61255 + match = subj->obj_hash[index];
61257 + while (match && (match->inode != ino || match->device != dev ||
61258 + !(match->mode & GR_DELETED))) {
61259 + match = match->next;
61262 + if (match && (match->mode & GR_DELETED))
61265 + match = subj->obj_hash[index];
61267 + while (match && (match->inode != ino || match->device != dev ||
61268 + (match->mode & GR_DELETED))) {
61269 + match = match->next;
61272 + if (match && !(match->mode & GR_DELETED))
61278 +static struct name_entry *
61279 +lookup_name_entry(const char *name)
61281 + unsigned int len = strlen(name);
61282 + unsigned int key = full_name_hash(name, len);
61283 + unsigned int index = key % name_set.n_size;
61284 + struct name_entry *match;
61286 + match = name_set.n_hash[index];
61288 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
61289 + match = match->next;
61294 +static struct name_entry *
61295 +lookup_name_entry_create(const char *name)
61297 + unsigned int len = strlen(name);
61298 + unsigned int key = full_name_hash(name, len);
61299 + unsigned int index = key % name_set.n_size;
61300 + struct name_entry *match;
61302 + match = name_set.n_hash[index];
61304 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
61305 + !match->deleted))
61306 + match = match->next;
61308 + if (match && match->deleted)
61311 + match = name_set.n_hash[index];
61313 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
61315 + match = match->next;
61317 + if (match && !match->deleted)
61323 +static struct inodev_entry *
61324 +lookup_inodev_entry(const ino_t ino, const dev_t dev)
61326 + unsigned int index = gr_fhash(ino, dev, inodev_set.i_size);
61327 + struct inodev_entry *match;
61329 + match = inodev_set.i_hash[index];
61331 + while (match && (match->nentry->inode != ino || match->nentry->device != dev))
61332 + match = match->next;
61338 +insert_inodev_entry(struct inodev_entry *entry)
61340 + unsigned int index = gr_fhash(entry->nentry->inode, entry->nentry->device,
61341 + inodev_set.i_size);
61342 + struct inodev_entry **curr;
61344 + entry->prev = NULL;
61346 + curr = &inodev_set.i_hash[index];
61347 + if (*curr != NULL)
61348 + (*curr)->prev = entry;
61350 + entry->next = *curr;
61357 +__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
61359 + unsigned int index =
61360 + gr_rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
61361 + struct acl_role_label **curr;
61362 + struct acl_role_label *tmp, *tmp2;
61364 + curr = &acl_role_set.r_hash[index];
61366 + /* simple case, slot is empty, just set it to our role */
61367 + if (*curr == NULL) {
61371 + 1 -> 2 -> 3 (adding 2 -> 3 to here)
61374 + /* first check to see if we can already be reached via this slot */
61376 + while (tmp && tmp != role)
61378 + if (tmp == role) {
61379 + /* we don't need to add ourselves to this slot's chain */
61382 + /* we need to add ourselves to this chain, two cases */
61383 + if (role->next == NULL) {
61384 + /* simple case, append the current chain to our role */
61385 + role->next = *curr;
61388 + /* 1 -> 2 -> 3 -> 4
61390 + 3 -> 4 (adding 1 -> 2 -> 3 -> 4 to here)
61392 + /* trickier case: walk our role's chain until we find
61393 + the role for the start of the current slot's chain */
61396 + while (tmp->next && tmp->next != tmp2)
61398 + if (tmp->next == tmp2) {
61399 + /* from example above, we found 3, so just
61400 + replace this slot's chain with ours */
61403 + /* we didn't find a subset of our role's chain
61404 + in the current slot's chain, so append their
61405 + chain to ours, and set us as the first role in
61408 + we could fold this case with the case above,
61409 + but making it explicit for clarity
61411 + tmp->next = tmp2;
61421 +insert_acl_role_label(struct acl_role_label *role)
61425 + if (role_list == NULL) {
61426 + role_list = role;
61427 + role->prev = NULL;
61429 + role->prev = role_list;
61430 + role_list = role;
61433 + /* used for hash chains */
61434 + role->next = NULL;
61436 + if (role->roletype & GR_ROLE_DOMAIN) {
61437 + for (i = 0; i < role->domain_child_num; i++)
61438 + __insert_acl_role_label(role, role->domain_children[i]);
61440 + __insert_acl_role_label(role, role->uidgid);
61444 +insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
61446 + struct name_entry **curr, *nentry;
61447 + struct inodev_entry *ientry;
61448 + unsigned int len = strlen(name);
61449 + unsigned int key = full_name_hash(name, len);
61450 + unsigned int index = key % name_set.n_size;
61452 + curr = &name_set.n_hash[index];
61454 + while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
61455 + curr = &((*curr)->next);
61457 + if (*curr != NULL)
61460 + nentry = acl_alloc(sizeof (struct name_entry));
61461 + if (nentry == NULL)
61463 + ientry = acl_alloc(sizeof (struct inodev_entry));
61464 + if (ientry == NULL)
61466 + ientry->nentry = nentry;
61468 + nentry->key = key;
61469 + nentry->name = name;
61470 + nentry->inode = inode;
61471 + nentry->device = device;
61472 + nentry->len = len;
61473 + nentry->deleted = deleted;
61475 + nentry->prev = NULL;
61476 + curr = &name_set.n_hash[index];
61477 + if (*curr != NULL)
61478 + (*curr)->prev = nentry;
61479 + nentry->next = *curr;
61482 + /* insert us into the table searchable by inode/dev */
61483 + insert_inodev_entry(ientry);
61489 +insert_acl_obj_label(struct acl_object_label *obj,
61490 + struct acl_subject_label *subj)
61492 + unsigned int index =
61493 + gr_fhash(obj->inode, obj->device, subj->obj_hash_size);
61494 + struct acl_object_label **curr;
61497 + obj->prev = NULL;
61499 + curr = &subj->obj_hash[index];
61500 + if (*curr != NULL)
61501 + (*curr)->prev = obj;
61503 + obj->next = *curr;
61510 +insert_acl_subj_label(struct acl_subject_label *obj,
61511 + struct acl_role_label *role)
61513 + unsigned int index = gr_fhash(obj->inode, obj->device, role->subj_hash_size);
61514 + struct acl_subject_label **curr;
61516 + obj->prev = NULL;
61518 + curr = &role->subj_hash[index];
61519 + if (*curr != NULL)
61520 + (*curr)->prev = obj;
61522 + obj->next = *curr;
61528 +/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
61531 +create_table(__u32 * len, int elementsize)
61533 + unsigned int table_sizes[] = {
61534 + 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
61535 + 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
61536 + 4194301, 8388593, 16777213, 33554393, 67108859
61538 + void *newtable = NULL;
61539 + unsigned int pwr = 0;
61541 + while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
61542 + table_sizes[pwr] <= *len)
61545 + if (table_sizes[pwr] <= *len || (table_sizes[pwr] > ULONG_MAX / elementsize))
61548 + if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
61550 + kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
61552 + newtable = vmalloc(table_sizes[pwr] * elementsize);
61554 + *len = table_sizes[pwr];
61560 +init_variables(const struct gr_arg *arg)
61562 + struct task_struct *reaper = init_pid_ns.child_reaper;
61563 + unsigned int stacksize;
61565 + subj_map_set.s_size = arg->role_db.num_subjects;
61566 + acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
61567 + name_set.n_size = arg->role_db.num_objects;
61568 + inodev_set.i_size = arg->role_db.num_objects;
61570 + if (!subj_map_set.s_size || !acl_role_set.r_size ||
61571 + !name_set.n_size || !inodev_set.i_size)
61574 + if (!gr_init_uidset())
61577 + /* set up the stack that holds allocation info */
61579 + stacksize = arg->role_db.num_pointers + 5;
61581 + if (!acl_alloc_stack_init(stacksize))
61584 + /* grab reference for the real root dentry and vfsmount */
61585 + get_fs_root(reaper->fs, &real_root);
61587 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
61588 + printk(KERN_ALERT "Obtained real root device=%d, inode=%lu\n", __get_dev(real_root.dentry), real_root.dentry->d_inode->i_ino);
61591 + fakefs_obj_rw = acl_alloc(sizeof(struct acl_object_label));
61592 + if (fakefs_obj_rw == NULL)
61594 + fakefs_obj_rw->mode = GR_FIND | GR_READ | GR_WRITE;
61596 + fakefs_obj_rwx = acl_alloc(sizeof(struct acl_object_label));
61597 + if (fakefs_obj_rwx == NULL)
61599 + fakefs_obj_rwx->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
61601 + subj_map_set.s_hash =
61602 + (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
61603 + acl_role_set.r_hash =
61604 + (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
61605 + name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
61606 + inodev_set.i_hash =
61607 + (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
61609 + if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
61610 + !name_set.n_hash || !inodev_set.i_hash)
61613 + memset(subj_map_set.s_hash, 0,
61614 + sizeof(struct subject_map *) * subj_map_set.s_size);
61615 + memset(acl_role_set.r_hash, 0,
61616 + sizeof (struct acl_role_label *) * acl_role_set.r_size);
61617 + memset(name_set.n_hash, 0,
61618 + sizeof (struct name_entry *) * name_set.n_size);
61619 + memset(inodev_set.i_hash, 0,
61620 + sizeof (struct inodev_entry *) * inodev_set.i_size);
61625 +/* free information not needed after startup
61626 + currently contains user->kernel pointer mappings for subjects
61630 +free_init_variables(void)
61634 + if (subj_map_set.s_hash) {
61635 + for (i = 0; i < subj_map_set.s_size; i++) {
61636 + if (subj_map_set.s_hash[i]) {
61637 + kfree(subj_map_set.s_hash[i]);
61638 + subj_map_set.s_hash[i] = NULL;
61642 + if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
61644 + kfree(subj_map_set.s_hash);
61646 + vfree(subj_map_set.s_hash);
61653 +free_variables(void)
61655 + struct acl_subject_label *s;
61656 + struct acl_role_label *r;
61657 + struct task_struct *task, *task2;
61660 + gr_clear_learn_entries();
61662 + read_lock(&tasklist_lock);
61663 + do_each_thread(task2, task) {
61664 + task->acl_sp_role = 0;
61665 + task->acl_role_id = 0;
61666 + task->acl = NULL;
61667 + task->role = NULL;
61668 + } while_each_thread(task2, task);
61669 + read_unlock(&tasklist_lock);
61671 + /* release the reference to the real root dentry and vfsmount */
61672 + path_put(&real_root);
61673 + memset(&real_root, 0, sizeof(real_root));
61675 + /* free all object hash tables */
61677 + FOR_EACH_ROLE_START(r)
61678 + if (r->subj_hash == NULL)
61680 + FOR_EACH_SUBJECT_START(r, s, x)
61681 + if (s->obj_hash == NULL)
61683 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
61684 + kfree(s->obj_hash);
61686 + vfree(s->obj_hash);
61687 + FOR_EACH_SUBJECT_END(s, x)
61688 + FOR_EACH_NESTED_SUBJECT_START(r, s)
61689 + if (s->obj_hash == NULL)
61691 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
61692 + kfree(s->obj_hash);
61694 + vfree(s->obj_hash);
61695 + FOR_EACH_NESTED_SUBJECT_END(s)
61696 + if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
61697 + kfree(r->subj_hash);
61699 + vfree(r->subj_hash);
61700 + r->subj_hash = NULL;
61702 + FOR_EACH_ROLE_END(r)
61706 + if (acl_role_set.r_hash) {
61707 + if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
61709 + kfree(acl_role_set.r_hash);
61711 + vfree(acl_role_set.r_hash);
61713 + if (name_set.n_hash) {
61714 + if ((name_set.n_size * sizeof (struct name_entry *)) <=
61716 + kfree(name_set.n_hash);
61718 + vfree(name_set.n_hash);
61721 + if (inodev_set.i_hash) {
61722 + if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
61724 + kfree(inodev_set.i_hash);
61726 + vfree(inodev_set.i_hash);
61729 + gr_free_uidset();
61731 + memset(&name_set, 0, sizeof (struct name_db));
61732 + memset(&inodev_set, 0, sizeof (struct inodev_db));
61733 + memset(&acl_role_set, 0, sizeof (struct acl_role_db));
61734 + memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
61736 + default_role = NULL;
61737 + kernel_role = NULL;
61738 + role_list = NULL;
61743 +static struct acl_subject_label *
61744 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role, int *already_copied);
61746 +static int alloc_and_copy_string(char **name, unsigned int maxlen)
61748 + unsigned int len = strnlen_user(*name, maxlen);
61751 + if (!len || len >= maxlen)
61754 + if ((tmp = (char *) acl_alloc(len)) == NULL)
61757 + if (copy_from_user(tmp, *name, len))
61760 + tmp[len-1] = '\0';
61767 +copy_user_glob(struct acl_object_label *obj)
61769 + struct acl_object_label *g_tmp, **guser;
61772 + if (obj->globbed == NULL)
61775 + guser = &obj->globbed;
61777 + g_tmp = (struct acl_object_label *)
61778 + acl_alloc(sizeof (struct acl_object_label));
61779 + if (g_tmp == NULL)
61782 + if (copy_acl_object_label(g_tmp, *guser))
61785 + error = alloc_and_copy_string(&g_tmp->filename, PATH_MAX);
61790 + guser = &(g_tmp->next);
61797 +copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
61798 + struct acl_role_label *role)
61800 + struct acl_object_label *o_tmp;
61804 + if ((o_tmp = (struct acl_object_label *)
61805 + acl_alloc(sizeof (struct acl_object_label))) == NULL)
61808 + if (copy_acl_object_label(o_tmp, userp))
61811 + userp = o_tmp->prev;
61813 + ret = alloc_and_copy_string(&o_tmp->filename, PATH_MAX);
61817 + insert_acl_obj_label(o_tmp, subj);
61818 + if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
61819 + o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
61822 + ret = copy_user_glob(o_tmp);
61826 + if (o_tmp->nested) {
61827 + int already_copied;
61829 + o_tmp->nested = do_copy_user_subj(o_tmp->nested, role, &already_copied);
61830 + if (IS_ERR(o_tmp->nested))
61831 + return PTR_ERR(o_tmp->nested);
61833 + /* insert into nested subject list if we haven't copied this one yet
61834 + to prevent duplicate entries */
61835 + if (!already_copied) {
61836 + o_tmp->nested->next = role->hash->first;
61837 + role->hash->first = o_tmp->nested;
61846 +count_user_subjs(struct acl_subject_label *userp)
61848 + struct acl_subject_label s_tmp;
61852 + if (copy_acl_subject_label(&s_tmp, userp))
61855 + userp = s_tmp.prev;
61862 +copy_user_allowedips(struct acl_role_label *rolep)
61864 + struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
61866 + ruserip = rolep->allowed_ips;
61868 + while (ruserip) {
61871 + if ((rtmp = (struct role_allowed_ip *)
61872 + acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
61875 + if (copy_role_allowed_ip(rtmp, ruserip))
61878 + ruserip = rtmp->prev;
61881 + rtmp->prev = NULL;
61882 + rolep->allowed_ips = rtmp;
61884 + rlast->next = rtmp;
61885 + rtmp->prev = rlast;
61889 + rtmp->next = NULL;
61896 +copy_user_transitions(struct acl_role_label *rolep)
61898 + struct role_transition *rusertp, *rtmp = NULL, *rlast;
61901 + rusertp = rolep->transitions;
61903 + while (rusertp) {
61906 + if ((rtmp = (struct role_transition *)
61907 + acl_alloc(sizeof (struct role_transition))) == NULL)
61910 + if (copy_role_transition(rtmp, rusertp))
61913 + rusertp = rtmp->prev;
61915 + error = alloc_and_copy_string(&rtmp->rolename, GR_SPROLE_LEN);
61920 + rtmp->prev = NULL;
61921 + rolep->transitions = rtmp;
61923 + rlast->next = rtmp;
61924 + rtmp->prev = rlast;
61928 + rtmp->next = NULL;
61934 +static __u32 count_user_objs(const struct acl_object_label __user *userp)
61936 + struct acl_object_label o_tmp;
61940 + if (copy_acl_object_label(&o_tmp, userp))
61943 + userp = o_tmp.prev;
61950 +static struct acl_subject_label *
61951 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role, int *already_copied)
61953 + struct acl_subject_label *s_tmp = NULL, *s_tmp2;
61955 + struct acl_ip_label **i_tmp, *i_utmp2;
61956 + struct gr_hash_struct ghash;
61957 + struct subject_map *subjmap;
61958 + unsigned int i_num;
61961 + if (already_copied != NULL)
61962 + *already_copied = 0;
61964 + s_tmp = lookup_subject_map(userp);
61966 + /* we've already copied this subject into the kernel, just return
61967 + the reference to it, and don't copy it over again
61970 + if (already_copied != NULL)
61971 + *already_copied = 1;
61975 + if ((s_tmp = (struct acl_subject_label *)
61976 + acl_alloc(sizeof (struct acl_subject_label))) == NULL)
61977 + return ERR_PTR(-ENOMEM);
61979 + subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
61980 + if (subjmap == NULL)
61981 + return ERR_PTR(-ENOMEM);
61983 + subjmap->user = userp;
61984 + subjmap->kernel = s_tmp;
61985 + insert_subj_map_entry(subjmap);
61987 + if (copy_acl_subject_label(s_tmp, userp))
61988 + return ERR_PTR(-EFAULT);
61990 + err = alloc_and_copy_string(&s_tmp->filename, PATH_MAX);
61992 + return ERR_PTR(err);
61994 + if (!strcmp(s_tmp->filename, "/"))
61995 + role->root_label = s_tmp;
61997 + if (copy_gr_hash_struct(&ghash, s_tmp->hash))
61998 + return ERR_PTR(-EFAULT);
62000 + /* copy user and group transition tables */
62002 + if (s_tmp->user_trans_num) {
62005 + uidlist = (uid_t *)acl_alloc_num(s_tmp->user_trans_num, sizeof(uid_t));
62006 + if (uidlist == NULL)
62007 + return ERR_PTR(-ENOMEM);
62008 + if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
62009 + return ERR_PTR(-EFAULT);
62011 + s_tmp->user_transitions = uidlist;
62014 + if (s_tmp->group_trans_num) {
62017 + gidlist = (gid_t *)acl_alloc_num(s_tmp->group_trans_num, sizeof(gid_t));
62018 + if (gidlist == NULL)
62019 + return ERR_PTR(-ENOMEM);
62020 + if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
62021 + return ERR_PTR(-EFAULT);
62023 + s_tmp->group_transitions = gidlist;
62026 + /* set up object hash table */
62027 + num_objs = count_user_objs(ghash.first);
62029 + s_tmp->obj_hash_size = num_objs;
62030 + s_tmp->obj_hash =
62031 + (struct acl_object_label **)
62032 + create_table(&(s_tmp->obj_hash_size), sizeof(void *));
62034 + if (!s_tmp->obj_hash)
62035 + return ERR_PTR(-ENOMEM);
62037 + memset(s_tmp->obj_hash, 0,
62038 + s_tmp->obj_hash_size *
62039 + sizeof (struct acl_object_label *));
62041 + /* add in objects */
62042 + err = copy_user_objs(ghash.first, s_tmp, role);
62045 + return ERR_PTR(err);
62047 + /* set pointer for parent subject */
62048 + if (s_tmp->parent_subject) {
62049 + s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role, NULL);
62051 + if (IS_ERR(s_tmp2))
62054 + s_tmp->parent_subject = s_tmp2;
62057 + /* add in ip acls */
62059 + if (!s_tmp->ip_num) {
62060 + s_tmp->ips = NULL;
62065 + (struct acl_ip_label **) acl_alloc_num(s_tmp->ip_num,
62066 + sizeof (struct acl_ip_label *));
62069 + return ERR_PTR(-ENOMEM);
62071 + for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
62072 + *(i_tmp + i_num) =
62073 + (struct acl_ip_label *)
62074 + acl_alloc(sizeof (struct acl_ip_label));
62075 + if (!*(i_tmp + i_num))
62076 + return ERR_PTR(-ENOMEM);
62078 + if (copy_pointer_from_array(&i_utmp2, i_num, s_tmp->ips))
62079 + return ERR_PTR(-EFAULT);
62081 + if (copy_acl_ip_label(*(i_tmp + i_num), i_utmp2))
62082 + return ERR_PTR(-EFAULT);
62084 + if ((*(i_tmp + i_num))->iface == NULL)
62087 + err = alloc_and_copy_string(&(*(i_tmp + i_num))->iface, IFNAMSIZ);
62089 + return ERR_PTR(err);
62092 + s_tmp->ips = i_tmp;
62095 + if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
62096 + s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
62097 + return ERR_PTR(-ENOMEM);
62103 +copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
62105 + struct acl_subject_label s_pre;
62106 + struct acl_subject_label * ret;
62110 + if (copy_acl_subject_label(&s_pre, userp))
62113 + ret = do_copy_user_subj(userp, role, NULL);
62115 + err = PTR_ERR(ret);
62119 + insert_acl_subj_label(ret, role);
62121 + userp = s_pre.prev;
62128 +copy_user_acl(struct gr_arg *arg)
62130 + struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
62131 + struct acl_subject_label *subj_list;
62132 + struct sprole_pw *sptmp;
62133 + struct gr_hash_struct *ghash;
62134 + uid_t *domainlist;
62135 + unsigned int r_num;
62140 + /* we need a default and kernel role */
62141 + if (arg->role_db.num_roles < 2)
62144 + /* copy special role authentication info from userspace */
62146 + num_sprole_pws = arg->num_sprole_pws;
62147 + acl_special_roles = (struct sprole_pw **) acl_alloc_num(num_sprole_pws, sizeof(struct sprole_pw *));
62149 + if (!acl_special_roles && num_sprole_pws)
62152 + for (i = 0; i < num_sprole_pws; i++) {
62153 + sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
62156 + if (copy_sprole_pw(sptmp, i, arg->sprole_pws))
62159 + err = alloc_and_copy_string((char **)&sptmp->rolename, GR_SPROLE_LEN);
62163 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
62164 + printk(KERN_ALERT "Copying special role %s\n", sptmp->rolename);
62167 + acl_special_roles[i] = sptmp;
62170 + r_utmp = (struct acl_role_label **) arg->role_db.r_table;
62172 + for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
62173 + r_tmp = acl_alloc(sizeof (struct acl_role_label));
62178 + if (copy_pointer_from_array(&r_utmp2, r_num, r_utmp))
62181 + if (copy_acl_role_label(r_tmp, r_utmp2))
62184 + err = alloc_and_copy_string(&r_tmp->rolename, GR_SPROLE_LEN);
62188 + if (!strcmp(r_tmp->rolename, "default")
62189 + && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
62190 + default_role = r_tmp;
62191 + } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
62192 + kernel_role = r_tmp;
62195 + if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL)
62198 + if (copy_gr_hash_struct(ghash, r_tmp->hash))
62201 + r_tmp->hash = ghash;
62203 + num_subjs = count_user_subjs(r_tmp->hash->first);
62205 + r_tmp->subj_hash_size = num_subjs;
62206 + r_tmp->subj_hash =
62207 + (struct acl_subject_label **)
62208 + create_table(&(r_tmp->subj_hash_size), sizeof(void *));
62210 + if (!r_tmp->subj_hash)
62213 + err = copy_user_allowedips(r_tmp);
62217 + /* copy domain info */
62218 + if (r_tmp->domain_children != NULL) {
62219 + domainlist = acl_alloc_num(r_tmp->domain_child_num, sizeof(uid_t));
62220 + if (domainlist == NULL)
62223 + if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t)))
62226 + r_tmp->domain_children = domainlist;
62229 + err = copy_user_transitions(r_tmp);
62233 + memset(r_tmp->subj_hash, 0,
62234 + r_tmp->subj_hash_size *
62235 + sizeof (struct acl_subject_label *));
62237 + /* acquire the list of subjects, then NULL out
62238 + the list prior to parsing the subjects for this role,
62239 + as during this parsing the list is replaced with a list
62240 + of *nested* subjects for the role
62242 + subj_list = r_tmp->hash->first;
62244 + /* set nested subject list to null */
62245 + r_tmp->hash->first = NULL;
62247 + err = copy_user_subjs(subj_list, r_tmp);
62252 + insert_acl_role_label(r_tmp);
62255 + if (default_role == NULL || kernel_role == NULL)
62262 +gracl_init(struct gr_arg *args)
62266 + memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
62267 + memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
62269 + if (init_variables(args)) {
62270 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
62272 + free_variables();
62276 + error = copy_user_acl(args);
62277 + free_init_variables();
62279 + free_variables();
62283 + if ((error = gr_set_acls(0))) {
62284 + free_variables();
62288 + pax_open_kernel();
62289 + gr_status |= GR_READY;
62290 + pax_close_kernel();
62296 +/* derived from glibc fnmatch() 0: match, 1: no match*/
62299 +glob_match(const char *p, const char *n)
62303 + while ((c = *p++) != '\0') {
62308 + else if (*n == '/')
62316 + for (c = *p++; c == '?' || c == '*'; c = *p++) {
62319 + else if (c == '?') {
62329 + const char *endp;
62331 + if ((endp = strchr(n, '/')) == NULL)
62332 + endp = n + strlen(n);
62335 + for (--p; n < endp; ++n)
62336 + if (!glob_match(p, n))
62338 + } else if (c == '/') {
62339 + while (*n != '\0' && *n != '/')
62341 + if (*n == '/' && !glob_match(p, n + 1))
62344 + for (--p; n < endp; ++n)
62345 + if (*n == c && !glob_match(p, n))
62356 + if (*n == '\0' || *n == '/')
62359 + not = (*p == '!' || *p == '^');
62365 + unsigned char fn = (unsigned char)*n;
62375 + if (c == '-' && *p != ']') {
62376 + unsigned char cend = *p++;
62378 + if (cend == '\0')
62381 + if (cold <= fn && fn <= cend)
62395 + while (c != ']') {
62422 +static struct acl_object_label *
62423 +chk_glob_label(struct acl_object_label *globbed,
62424 + const struct dentry *dentry, const struct vfsmount *mnt, char **path)
62426 + struct acl_object_label *tmp;
62428 + if (*path == NULL)
62429 + *path = gr_to_filename_nolock(dentry, mnt);
62434 + if (!glob_match(tmp->filename, *path))
62442 +static struct acl_object_label *
62443 +__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
62444 + const ino_t curr_ino, const dev_t curr_dev,
62445 + const struct acl_subject_label *subj, char **path, const int checkglob)
62447 + struct acl_subject_label *tmpsubj;
62448 + struct acl_object_label *retval;
62449 + struct acl_object_label *retval2;
62451 + tmpsubj = (struct acl_subject_label *) subj;
62452 + read_lock(&gr_inode_lock);
62454 + retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
62456 + if (checkglob && retval->globbed) {
62457 + retval2 = chk_glob_label(retval->globbed, orig_dentry, orig_mnt, path);
62459 + retval = retval2;
62463 + } while ((tmpsubj = tmpsubj->parent_subject));
62464 + read_unlock(&gr_inode_lock);
62469 +static __inline__ struct acl_object_label *
62470 +full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
62471 + struct dentry *curr_dentry,
62472 + const struct acl_subject_label *subj, char **path, const int checkglob)
62474 + int newglob = checkglob;
62478 + /* if we aren't checking a subdirectory of the original path yet, don't do glob checking
62479 + as we don't want a / * rule to match instead of the / object
62480 + don't do this for create lookups that call this function though, since they're looking up
62481 + on the parent and thus need globbing checks on all paths
62483 + if (orig_dentry == curr_dentry && newglob != GR_CREATE_GLOB)
62484 + newglob = GR_NO_GLOB;
62486 + spin_lock(&curr_dentry->d_lock);
62487 + inode = curr_dentry->d_inode->i_ino;
62488 + device = __get_dev(curr_dentry);
62489 + spin_unlock(&curr_dentry->d_lock);
62491 + return __full_lookup(orig_dentry, orig_mnt, inode, device, subj, path, newglob);
62494 +#ifdef CONFIG_HUGETLBFS
62495 +static inline bool
62496 +is_hugetlbfs_mnt(const struct vfsmount *mnt)
62499 + for (i = 0; i < HUGE_MAX_HSTATE; i++) {
62500 + if (unlikely(hugetlbfs_vfsmount[i] == mnt))
62508 +static struct acl_object_label *
62509 +__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
62510 + const struct acl_subject_label *subj, char *path, const int checkglob)
62512 + struct dentry *dentry = (struct dentry *) l_dentry;
62513 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
62514 + struct mount *real_mnt = real_mount(mnt);
62515 + struct acl_object_label *retval;
62516 + struct dentry *parent;
62518 + br_read_lock(&vfsmount_lock);
62519 + write_seqlock(&rename_lock);
62521 + if (unlikely((mnt == shm_mnt && dentry->d_inode->i_nlink == 0) || mnt == pipe_mnt ||
62523 + mnt == sock_mnt ||
62525 +#ifdef CONFIG_HUGETLBFS
62526 + (is_hugetlbfs_mnt(mnt) && dentry->d_inode->i_nlink == 0) ||
62528 + /* ignore Eric Biederman */
62529 + IS_PRIVATE(l_dentry->d_inode))) {
62530 + retval = (subj->mode & GR_SHMEXEC) ? fakefs_obj_rwx : fakefs_obj_rw;
62535 + if (dentry == real_root.dentry && mnt == real_root.mnt)
62538 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
62539 + if (!mnt_has_parent(real_mnt))
62542 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
62543 + if (retval != NULL)
62546 + dentry = real_mnt->mnt_mountpoint;
62547 + real_mnt = real_mnt->mnt_parent;
62548 + mnt = &real_mnt->mnt;
62552 + parent = dentry->d_parent;
62553 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
62554 + if (retval != NULL)
62560 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
62562 + /* real_root is pinned so we don't have to hold a reference */
62563 + if (retval == NULL)
62564 + retval = full_lookup(l_dentry, l_mnt, real_root.dentry, subj, &path, checkglob);
62566 + write_sequnlock(&rename_lock);
62567 + br_read_unlock(&vfsmount_lock);
62569 + BUG_ON(retval == NULL);
62574 +static __inline__ struct acl_object_label *
62575 +chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
62576 + const struct acl_subject_label *subj)
62578 + char *path = NULL;
62579 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_REG_GLOB);
62582 +static __inline__ struct acl_object_label *
62583 +chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
62584 + const struct acl_subject_label *subj)
62586 + char *path = NULL;
62587 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_NO_GLOB);
62590 +static __inline__ struct acl_object_label *
62591 +chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
62592 + const struct acl_subject_label *subj, char *path)
62594 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_CREATE_GLOB);
62597 +static struct acl_subject_label *
62598 +chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
62599 + const struct acl_role_label *role)
62601 + struct dentry *dentry = (struct dentry *) l_dentry;
62602 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
62603 + struct mount *real_mnt = real_mount(mnt);
62604 + struct acl_subject_label *retval;
62605 + struct dentry *parent;
62607 + br_read_lock(&vfsmount_lock);
62608 + write_seqlock(&rename_lock);
62611 + if (dentry == real_root.dentry && mnt == real_root.mnt)
62613 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
62614 + if (!mnt_has_parent(real_mnt))
62617 + spin_lock(&dentry->d_lock);
62618 + read_lock(&gr_inode_lock);
62620 + lookup_acl_subj_label(dentry->d_inode->i_ino,
62621 + __get_dev(dentry), role);
62622 + read_unlock(&gr_inode_lock);
62623 + spin_unlock(&dentry->d_lock);
62624 + if (retval != NULL)
62627 + dentry = real_mnt->mnt_mountpoint;
62628 + real_mnt = real_mnt->mnt_parent;
62629 + mnt = &real_mnt->mnt;
62633 + spin_lock(&dentry->d_lock);
62634 + read_lock(&gr_inode_lock);
62635 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
62636 + __get_dev(dentry), role);
62637 + read_unlock(&gr_inode_lock);
62638 + parent = dentry->d_parent;
62639 + spin_unlock(&dentry->d_lock);
62641 + if (retval != NULL)
62647 + spin_lock(&dentry->d_lock);
62648 + read_lock(&gr_inode_lock);
62649 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
62650 + __get_dev(dentry), role);
62651 + read_unlock(&gr_inode_lock);
62652 + spin_unlock(&dentry->d_lock);
62654 + if (unlikely(retval == NULL)) {
62655 + /* real_root is pinned, we don't need to hold a reference */
62656 + read_lock(&gr_inode_lock);
62657 + retval = lookup_acl_subj_label(real_root.dentry->d_inode->i_ino,
62658 + __get_dev(real_root.dentry), role);
62659 + read_unlock(&gr_inode_lock);
62662 + write_sequnlock(&rename_lock);
62663 + br_read_unlock(&vfsmount_lock);
62665 + BUG_ON(retval == NULL);
62671 +gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
62673 + struct task_struct *task = current;
62674 + const struct cred *cred = current_cred();
62676 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
62677 + GR_GLOBAL_UID(cred->uid), GR_GLOBAL_GID(cred->gid), task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
62678 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
62679 + 1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, &task->signal->saved_ip);
62685 +gr_log_learn_uid_change(const kuid_t real, const kuid_t effective, const kuid_t fs)
62687 + struct task_struct *task = current;
62688 + const struct cred *cred = current_cred();
62690 + security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
62691 + GR_GLOBAL_UID(cred->uid), GR_GLOBAL_GID(cred->gid), task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
62692 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
62693 + 'u', GR_GLOBAL_UID(real), GR_GLOBAL_UID(effective), GR_GLOBAL_UID(fs), &task->signal->saved_ip);
62699 +gr_log_learn_gid_change(const kgid_t real, const kgid_t effective, const kgid_t fs)
62701 + struct task_struct *task = current;
62702 + const struct cred *cred = current_cred();
62704 + security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
62705 + GR_GLOBAL_UID(cred->uid), GR_GLOBAL_GID(cred->gid), task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
62706 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
62707 + 'g', GR_GLOBAL_GID(real), GR_GLOBAL_GID(effective), GR_GLOBAL_GID(fs), &task->signal->saved_ip);
62713 +gr_search_file(const struct dentry * dentry, const __u32 mode,
62714 + const struct vfsmount * mnt)
62716 + __u32 retval = mode;
62717 + struct acl_subject_label *curracl;
62718 + struct acl_object_label *currobj;
62720 + if (unlikely(!(gr_status & GR_READY)))
62721 + return (mode & ~GR_AUDITS);
62723 + curracl = current->acl;
62725 + currobj = chk_obj_label(dentry, mnt, curracl);
62726 + retval = currobj->mode & mode;
62728 + /* if we're opening a specified transfer file for writing
62729 + (e.g. /dev/initctl), then transfer our role to init
62731 + if (unlikely(currobj->mode & GR_INIT_TRANSFER && retval & GR_WRITE &&
62732 + current->role->roletype & GR_ROLE_PERSIST)) {
62733 + struct task_struct *task = init_pid_ns.child_reaper;
62735 + if (task->role != current->role) {
62736 + task->acl_sp_role = 0;
62737 + task->acl_role_id = current->acl_role_id;
62738 + task->role = current->role;
62740 + read_lock(&grsec_exec_file_lock);
62741 + gr_apply_subject_to_task(task);
62742 + read_unlock(&grsec_exec_file_lock);
62743 + rcu_read_unlock();
62744 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_INIT_TRANSFER_MSG);
62749 + ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
62750 + && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
62751 + __u32 new_mode = mode;
62753 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
62755 + retval = new_mode;
62757 + if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
62758 + new_mode |= GR_INHERIT;
62760 + if (!(mode & GR_NOLEARN))
62761 + gr_log_learn(dentry, mnt, new_mode);
62767 +struct acl_object_label *gr_get_create_object(const struct dentry *new_dentry,
62768 + const struct dentry *parent,
62769 + const struct vfsmount *mnt)
62771 + struct name_entry *match;
62772 + struct acl_object_label *matchpo;
62773 + struct acl_subject_label *curracl;
62776 + if (unlikely(!(gr_status & GR_READY)))
62779 + preempt_disable();
62780 + path = gr_to_filename_rbac(new_dentry, mnt);
62781 + match = lookup_name_entry_create(path);
62783 + curracl = current->acl;
62786 + read_lock(&gr_inode_lock);
62787 + matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
62788 + read_unlock(&gr_inode_lock);
62791 + preempt_enable();
62798 + matchpo = chk_obj_create_label(parent, mnt, curracl, path);
62800 + preempt_enable();
62805 +gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
62806 + const struct vfsmount * mnt, const __u32 mode)
62808 + struct acl_object_label *matchpo;
62811 + if (unlikely(!(gr_status & GR_READY)))
62812 + return (mode & ~GR_AUDITS);
62814 + matchpo = gr_get_create_object(new_dentry, parent, mnt);
62816 + retval = matchpo->mode & mode;
62818 + if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
62819 + && (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))) {
62820 + __u32 new_mode = mode;
62822 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
62824 + gr_log_learn(new_dentry, mnt, new_mode);
62832 +gr_check_link(const struct dentry * new_dentry,
62833 + const struct dentry * parent_dentry,
62834 + const struct vfsmount * parent_mnt,
62835 + const struct dentry * old_dentry, const struct vfsmount * old_mnt)
62837 + struct acl_object_label *obj;
62838 + __u32 oldmode, newmode;
62840 + __u32 checkmodes = GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC | GR_SETID | GR_READ |
62841 + GR_DELETE | GR_INHERIT;
62843 + if (unlikely(!(gr_status & GR_READY)))
62844 + return (GR_CREATE | GR_LINK);
62846 + obj = chk_obj_label(old_dentry, old_mnt, current->acl);
62847 + oldmode = obj->mode;
62849 + obj = gr_get_create_object(new_dentry, parent_dentry, parent_mnt);
62850 + newmode = obj->mode;
62852 + needmode = newmode & checkmodes;
62854 + // old name for hardlink must have at least the permissions of the new name
62855 + if ((oldmode & needmode) != needmode)
62858 + // if old name had restrictions/auditing, make sure the new name does as well
62859 + needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
62861 + // don't allow hardlinking of suid/sgid/fcapped files without permission
62862 + if (is_privileged_binary(old_dentry))
62863 + needmode |= GR_SETID;
62865 + if ((newmode & needmode) != needmode)
62868 + // enforce minimum permissions
62869 + if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
62872 + needmode = oldmode;
62873 + if (is_privileged_binary(old_dentry))
62874 + needmode |= GR_SETID;
62876 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
62877 + gr_log_learn(old_dentry, old_mnt, needmode | GR_CREATE | GR_LINK);
62878 + return (GR_CREATE | GR_LINK);
62879 + } else if (newmode & GR_SUPPRESS)
62880 + return GR_SUPPRESS;
62886 +gr_check_hidden_task(const struct task_struct *task)
62888 + if (unlikely(!(gr_status & GR_READY)))
62891 + if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
62898 +gr_check_protected_task(const struct task_struct *task)
62900 + if (unlikely(!(gr_status & GR_READY) || !task))
62903 + if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
62904 + task->acl != current->acl)
62911 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
62913 + struct task_struct *p;
62916 + if (unlikely(!(gr_status & GR_READY) || !pid))
62919 + read_lock(&tasklist_lock);
62920 + do_each_pid_task(pid, type, p) {
62921 + if ((p->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
62922 + p->acl != current->acl) {
62926 + } while_each_pid_task(pid, type, p);
62928 + read_unlock(&tasklist_lock);
62934 +gr_copy_label(struct task_struct *tsk)
62936 + tsk->signal->used_accept = 0;
62937 + tsk->acl_sp_role = 0;
62938 + tsk->acl_role_id = current->acl_role_id;
62939 + tsk->acl = current->acl;
62940 + tsk->role = current->role;
62941 + tsk->signal->curr_ip = current->signal->curr_ip;
62942 + tsk->signal->saved_ip = current->signal->saved_ip;
62943 + if (current->exec_file)
62944 + get_file(current->exec_file);
62945 + tsk->exec_file = current->exec_file;
62946 + tsk->is_writable = current->is_writable;
62947 + if (unlikely(current->signal->used_accept)) {
62948 + current->signal->curr_ip = 0;
62949 + current->signal->saved_ip = 0;
62956 +gr_set_proc_res(struct task_struct *task)
62958 + struct acl_subject_label *proc;
62959 + unsigned short i;
62961 + proc = task->acl;
62963 + if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
62966 + for (i = 0; i < RLIM_NLIMITS; i++) {
62967 + if (!(proc->resmask & (1U << i)))
62970 + task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
62971 + task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
62973 + if (i == RLIMIT_CPU)
62974 + update_rlimit_cpu(task, proc->res[i].rlim_cur);
62980 +extern int gr_process_kernel_setuid_ban(struct user_struct *user);
62983 +gr_check_user_change(kuid_t real, kuid_t effective, kuid_t fs)
62990 + int effectiveok = 0;
62992 + uid_t globalreal, globaleffective, globalfs;
62994 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT)
62995 + struct user_struct *user;
62997 + if (!uid_valid(real))
63000 + /* find user based on global namespace */
63002 + globalreal = GR_GLOBAL_UID(real);
63004 + user = find_user(make_kuid(&init_user_ns, globalreal));
63005 + if (user == NULL)
63008 + if (gr_process_kernel_setuid_ban(user)) {
63009 + /* for find_user */
63014 + /* for find_user */
63020 + if (unlikely(!(gr_status & GR_READY)))
63023 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
63024 + gr_log_learn_uid_change(real, effective, fs);
63026 + num = current->acl->user_trans_num;
63027 + uidlist = current->acl->user_transitions;
63029 + if (uidlist == NULL)
63032 + if (!uid_valid(real)) {
63034 + globalreal = (uid_t)-1;
63036 + globalreal = GR_GLOBAL_UID(real);
63038 + if (!uid_valid(effective)) {
63040 + globaleffective = (uid_t)-1;
63042 + globaleffective = GR_GLOBAL_UID(effective);
63044 + if (!uid_valid(fs)) {
63046 + globalfs = (uid_t)-1;
63048 + globalfs = GR_GLOBAL_UID(fs);
63051 + if (current->acl->user_trans_type & GR_ID_ALLOW) {
63052 + for (i = 0; i < num; i++) {
63053 + curuid = uidlist[i];
63054 + if (globalreal == curuid)
63056 + if (globaleffective == curuid)
63058 + if (globalfs == curuid)
63061 + } else if (current->acl->user_trans_type & GR_ID_DENY) {
63062 + for (i = 0; i < num; i++) {
63063 + curuid = uidlist[i];
63064 + if (globalreal == curuid)
63066 + if (globaleffective == curuid)
63068 + if (globalfs == curuid)
63071 + /* not in deny list */
63079 + if (realok && effectiveok && fsok)
63082 + gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : globalfs) : globaleffective) : globalreal);
63088 +gr_check_group_change(kgid_t real, kgid_t effective, kgid_t fs)
63095 + int effectiveok = 0;
63097 + gid_t globalreal, globaleffective, globalfs;
63099 + if (unlikely(!(gr_status & GR_READY)))
63102 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
63103 + gr_log_learn_gid_change(real, effective, fs);
63105 + num = current->acl->group_trans_num;
63106 + gidlist = current->acl->group_transitions;
63108 + if (gidlist == NULL)
63111 + if (!gid_valid(real)) {
63113 + globalreal = (gid_t)-1;
63115 + globalreal = GR_GLOBAL_GID(real);
63117 + if (!gid_valid(effective)) {
63119 + globaleffective = (gid_t)-1;
63121 + globaleffective = GR_GLOBAL_GID(effective);
63123 + if (!gid_valid(fs)) {
63125 + globalfs = (gid_t)-1;
63127 + globalfs = GR_GLOBAL_GID(fs);
63130 + if (current->acl->group_trans_type & GR_ID_ALLOW) {
63131 + for (i = 0; i < num; i++) {
63132 + curgid = gidlist[i];
63133 + if (globalreal == curgid)
63135 + if (globaleffective == curgid)
63137 + if (globalfs == curgid)
63140 + } else if (current->acl->group_trans_type & GR_ID_DENY) {
63141 + for (i = 0; i < num; i++) {
63142 + curgid = gidlist[i];
63143 + if (globalreal == curgid)
63145 + if (globaleffective == curgid)
63147 + if (globalfs == curgid)
63150 + /* not in deny list */
63158 + if (realok && effectiveok && fsok)
63161 + gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : globalfs) : globaleffective) : globalreal);
63166 +extern int gr_acl_is_capable(const int cap);
63169 +gr_set_role_label(struct task_struct *task, const kuid_t kuid, const kgid_t kgid)
63171 + struct acl_role_label *role = task->role;
63172 + struct acl_subject_label *subj = NULL;
63173 + struct acl_object_label *obj;
63174 + struct file *filp;
63178 + if (unlikely(!(gr_status & GR_READY)))
63181 + uid = GR_GLOBAL_UID(kuid);
63182 + gid = GR_GLOBAL_GID(kgid);
63184 + filp = task->exec_file;
63186 + /* kernel process, we'll give them the kernel role */
63187 + if (unlikely(!filp)) {
63188 + task->role = kernel_role;
63189 + task->acl = kernel_role->root_label;
63191 + } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
63192 + role = lookup_acl_role_label(task, uid, gid);
63194 + /* don't change the role if we're not a privileged process */
63195 + if (role && task->role != role &&
63196 + (((role->roletype & GR_ROLE_USER) && !gr_acl_is_capable(CAP_SETUID)) ||
63197 + ((role->roletype & GR_ROLE_GROUP) && !gr_acl_is_capable(CAP_SETGID))))
63200 + /* perform subject lookup in possibly new role
63201 + we can use this result below in the case where role == task->role
63203 + subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
63205 + /* if we changed uid/gid, but result in the same role
63206 + and are using inheritance, don't lose the inherited subject
63207 + if current subject is other than what normal lookup
63208 + would result in, we arrived via inheritance, don't
63211 + if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
63212 + (subj == task->acl)))
63213 + task->acl = subj;
63215 + task->role = role;
63217 + task->is_writable = 0;
63219 + /* ignore additional mmap checks for processes that are writable
63220 + by the default ACL */
63221 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
63222 + if (unlikely(obj->mode & GR_WRITE))
63223 + task->is_writable = 1;
63224 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
63225 + if (unlikely(obj->mode & GR_WRITE))
63226 + task->is_writable = 1;
63228 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
63229 + printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task_pid_nr(task), task->role->rolename, task->acl->filename);
63232 + gr_set_proc_res(task);
63238 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
63239 + const int unsafe_flags)
63241 + struct task_struct *task = current;
63242 + struct acl_subject_label *newacl;
63243 + struct acl_object_label *obj;
63246 + if (unlikely(!(gr_status & GR_READY)))
63249 + newacl = chk_subj_label(dentry, mnt, task->role);
63251 + /* special handling for if we did an strace -f -p <pid> from an admin role, where pid then
63255 + read_lock(&tasklist_lock);
63256 + if (task->ptrace && task->parent && ((task->parent->role->roletype & GR_ROLE_GOD) ||
63257 + (task->parent->acl->mode & GR_POVERRIDE))) {
63258 + read_unlock(&tasklist_lock);
63259 + rcu_read_unlock();
63262 + read_unlock(&tasklist_lock);
63263 + rcu_read_unlock();
63265 + if (unsafe_flags && !(task->acl->mode & GR_POVERRIDE) && (task->acl != newacl) &&
63266 + !(task->role->roletype & GR_ROLE_GOD) &&
63267 + !gr_search_file(dentry, GR_PTRACERD, mnt) &&
63268 + !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN))) {
63269 + if (unsafe_flags & LSM_UNSAFE_SHARE)
63270 + gr_log_fs_generic(GR_DONT_AUDIT, GR_UNSAFESHARE_EXEC_ACL_MSG, dentry, mnt);
63272 + gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
63278 + obj = chk_obj_label(dentry, mnt, task->acl);
63279 + retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
63281 + if (!(task->acl->mode & GR_INHERITLEARN) &&
63282 + ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
63284 + task->acl = obj->nested;
63286 + task->acl = newacl;
63287 + } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
63288 + gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
63290 + task->is_writable = 0;
63292 + /* ignore additional mmap checks for processes that are writable
63293 + by the default ACL */
63294 + obj = chk_obj_label(dentry, mnt, default_role->root_label);
63295 + if (unlikely(obj->mode & GR_WRITE))
63296 + task->is_writable = 1;
63297 + obj = chk_obj_label(dentry, mnt, task->role->root_label);
63298 + if (unlikely(obj->mode & GR_WRITE))
63299 + task->is_writable = 1;
63301 + gr_set_proc_res(task);
63303 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
63304 + printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task_pid_nr(task), task->role->rolename, task->acl->filename);
63309 +/* always called with valid inodev ptr */
63311 +do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
63313 + struct acl_object_label *matchpo;
63314 + struct acl_subject_label *matchps;
63315 + struct acl_subject_label *subj;
63316 + struct acl_role_label *role;
63319 + FOR_EACH_ROLE_START(role)
63320 + FOR_EACH_SUBJECT_START(role, subj, x)
63321 + if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
63322 + matchpo->mode |= GR_DELETED;
63323 + FOR_EACH_SUBJECT_END(subj,x)
63324 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
63325 + /* nested subjects aren't in the role's subj_hash table */
63326 + if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
63327 + matchpo->mode |= GR_DELETED;
63328 + FOR_EACH_NESTED_SUBJECT_END(subj)
63329 + if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
63330 + matchps->mode |= GR_DELETED;
63331 + FOR_EACH_ROLE_END(role)
63333 + inodev->nentry->deleted = 1;
63339 +gr_handle_delete(const ino_t ino, const dev_t dev)
63341 + struct inodev_entry *inodev;
63343 + if (unlikely(!(gr_status & GR_READY)))
63346 + write_lock(&gr_inode_lock);
63347 + inodev = lookup_inodev_entry(ino, dev);
63348 + if (inodev != NULL)
63349 + do_handle_delete(inodev, ino, dev);
63350 + write_unlock(&gr_inode_lock);
63356 +update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
63357 + const ino_t newinode, const dev_t newdevice,
63358 + struct acl_subject_label *subj)
63360 + unsigned int index = gr_fhash(oldinode, olddevice, subj->obj_hash_size);
63361 + struct acl_object_label *match;
63363 + match = subj->obj_hash[index];
63365 + while (match && (match->inode != oldinode ||
63366 + match->device != olddevice ||
63367 + !(match->mode & GR_DELETED)))
63368 + match = match->next;
63370 + if (match && (match->inode == oldinode)
63371 + && (match->device == olddevice)
63372 + && (match->mode & GR_DELETED)) {
63373 + if (match->prev == NULL) {
63374 + subj->obj_hash[index] = match->next;
63375 + if (match->next != NULL)
63376 + match->next->prev = NULL;
63378 + match->prev->next = match->next;
63379 + if (match->next != NULL)
63380 + match->next->prev = match->prev;
63382 + match->prev = NULL;
63383 + match->next = NULL;
63384 + match->inode = newinode;
63385 + match->device = newdevice;
63386 + match->mode &= ~GR_DELETED;
63388 + insert_acl_obj_label(match, subj);
63395 +update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
63396 + const ino_t newinode, const dev_t newdevice,
63397 + struct acl_role_label *role)
63399 + unsigned int index = gr_fhash(oldinode, olddevice, role->subj_hash_size);
63400 + struct acl_subject_label *match;
63402 + match = role->subj_hash[index];
63404 + while (match && (match->inode != oldinode ||
63405 + match->device != olddevice ||
63406 + !(match->mode & GR_DELETED)))
63407 + match = match->next;
63409 + if (match && (match->inode == oldinode)
63410 + && (match->device == olddevice)
63411 + && (match->mode & GR_DELETED)) {
63412 + if (match->prev == NULL) {
63413 + role->subj_hash[index] = match->next;
63414 + if (match->next != NULL)
63415 + match->next->prev = NULL;
63417 + match->prev->next = match->next;
63418 + if (match->next != NULL)
63419 + match->next->prev = match->prev;
63421 + match->prev = NULL;
63422 + match->next = NULL;
63423 + match->inode = newinode;
63424 + match->device = newdevice;
63425 + match->mode &= ~GR_DELETED;
63427 + insert_acl_subj_label(match, role);
63434 +update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
63435 + const ino_t newinode, const dev_t newdevice)
63437 + unsigned int index = gr_fhash(oldinode, olddevice, inodev_set.i_size);
63438 + struct inodev_entry *match;
63440 + match = inodev_set.i_hash[index];
63442 + while (match && (match->nentry->inode != oldinode ||
63443 + match->nentry->device != olddevice || !match->nentry->deleted))
63444 + match = match->next;
63446 + if (match && (match->nentry->inode == oldinode)
63447 + && (match->nentry->device == olddevice) &&
63448 + match->nentry->deleted) {
63449 + if (match->prev == NULL) {
63450 + inodev_set.i_hash[index] = match->next;
63451 + if (match->next != NULL)
63452 + match->next->prev = NULL;
63454 + match->prev->next = match->next;
63455 + if (match->next != NULL)
63456 + match->next->prev = match->prev;
63458 + match->prev = NULL;
63459 + match->next = NULL;
63460 + match->nentry->inode = newinode;
63461 + match->nentry->device = newdevice;
63462 + match->nentry->deleted = 0;
63464 + insert_inodev_entry(match);
63471 +__do_handle_create(const struct name_entry *matchn, ino_t ino, dev_t dev)
63473 + struct acl_subject_label *subj;
63474 + struct acl_role_label *role;
63477 + FOR_EACH_ROLE_START(role)
63478 + update_acl_subj_label(matchn->inode, matchn->device, ino, dev, role);
63480 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
63481 + if ((subj->inode == ino) && (subj->device == dev)) {
63482 + subj->inode = ino;
63483 + subj->device = dev;
63485 + /* nested subjects aren't in the role's subj_hash table */
63486 + update_acl_obj_label(matchn->inode, matchn->device,
63488 + FOR_EACH_NESTED_SUBJECT_END(subj)
63489 + FOR_EACH_SUBJECT_START(role, subj, x)
63490 + update_acl_obj_label(matchn->inode, matchn->device,
63492 + FOR_EACH_SUBJECT_END(subj,x)
63493 + FOR_EACH_ROLE_END(role)
63495 + update_inodev_entry(matchn->inode, matchn->device, ino, dev);
63501 +do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
63502 + const struct vfsmount *mnt)
63504 + ino_t ino = dentry->d_inode->i_ino;
63505 + dev_t dev = __get_dev(dentry);
63507 + __do_handle_create(matchn, ino, dev);
63513 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
63515 + struct name_entry *matchn;
63517 + if (unlikely(!(gr_status & GR_READY)))
63520 + preempt_disable();
63521 + matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
63523 + if (unlikely((unsigned long)matchn)) {
63524 + write_lock(&gr_inode_lock);
63525 + do_handle_create(matchn, dentry, mnt);
63526 + write_unlock(&gr_inode_lock);
63528 + preempt_enable();
63534 +gr_handle_proc_create(const struct dentry *dentry, const struct inode *inode)
63536 + struct name_entry *matchn;
63538 + if (unlikely(!(gr_status & GR_READY)))
63541 + preempt_disable();
63542 + matchn = lookup_name_entry(gr_to_proc_filename_rbac(dentry, init_pid_ns.proc_mnt));
63544 + if (unlikely((unsigned long)matchn)) {
63545 + write_lock(&gr_inode_lock);
63546 + __do_handle_create(matchn, inode->i_ino, inode->i_sb->s_dev);
63547 + write_unlock(&gr_inode_lock);
63549 + preempt_enable();
63555 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
63556 + struct dentry *old_dentry,
63557 + struct dentry *new_dentry,
63558 + struct vfsmount *mnt, const __u8 replace)
63560 + struct name_entry *matchn;
63561 + struct inodev_entry *inodev;
63562 + struct inode *inode = new_dentry->d_inode;
63563 + ino_t old_ino = old_dentry->d_inode->i_ino;
63564 + dev_t old_dev = __get_dev(old_dentry);
63566 + /* vfs_rename swaps the name and parent link for old_dentry and
63568 + at this point, old_dentry has the new name, parent link, and inode
63569 + for the renamed file
63570 + if a file is being replaced by a rename, new_dentry has the inode
63571 + and name for the replaced file
63574 + if (unlikely(!(gr_status & GR_READY)))
63577 + preempt_disable();
63578 + matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
63580 + /* we wouldn't have to check d_inode if it weren't for
63581 + NFS silly-renaming
63584 + write_lock(&gr_inode_lock);
63585 + if (unlikely(replace && inode)) {
63586 + ino_t new_ino = inode->i_ino;
63587 + dev_t new_dev = __get_dev(new_dentry);
63589 + inodev = lookup_inodev_entry(new_ino, new_dev);
63590 + if (inodev != NULL && ((inode->i_nlink <= 1) || S_ISDIR(inode->i_mode)))
63591 + do_handle_delete(inodev, new_ino, new_dev);
63594 + inodev = lookup_inodev_entry(old_ino, old_dev);
63595 + if (inodev != NULL && ((old_dentry->d_inode->i_nlink <= 1) || S_ISDIR(old_dentry->d_inode->i_mode)))
63596 + do_handle_delete(inodev, old_ino, old_dev);
63598 + if (unlikely((unsigned long)matchn))
63599 + do_handle_create(matchn, old_dentry, mnt);
63601 + write_unlock(&gr_inode_lock);
63602 + preempt_enable();
63608 +lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
63609 + unsigned char **sum)
63611 + struct acl_role_label *r;
63612 + struct role_allowed_ip *ipp;
63613 + struct role_transition *trans;
63616 + u32 curr_ip = current->signal->curr_ip;
63618 + current->signal->saved_ip = curr_ip;
63620 + /* check transition table */
63622 + for (trans = current->role->transitions; trans; trans = trans->next) {
63623 + if (!strcmp(rolename, trans->rolename)) {
63632 + /* handle special roles that do not require authentication
63635 + FOR_EACH_ROLE_START(r)
63636 + if (!strcmp(rolename, r->rolename) &&
63637 + (r->roletype & GR_ROLE_SPECIAL)) {
63639 + if (r->allowed_ips != NULL) {
63640 + for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
63641 + if ((ntohl(curr_ip) & ipp->netmask) ==
63642 + (ntohl(ipp->addr) & ipp->netmask))
63650 + if (((mode == GR_SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
63651 + ((mode == GR_SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
63657 + FOR_EACH_ROLE_END(r)
63659 + for (i = 0; i < num_sprole_pws; i++) {
63660 + if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
63661 + *salt = acl_special_roles[i]->salt;
63662 + *sum = acl_special_roles[i]->sum;
63671 +assign_special_role(char *rolename)
63673 + struct acl_object_label *obj;
63674 + struct acl_role_label *r;
63675 + struct acl_role_label *assigned = NULL;
63676 + struct task_struct *tsk;
63677 + struct file *filp;
63679 + FOR_EACH_ROLE_START(r)
63680 + if (!strcmp(rolename, r->rolename) &&
63681 + (r->roletype & GR_ROLE_SPECIAL)) {
63685 + FOR_EACH_ROLE_END(r)
63690 + read_lock(&tasklist_lock);
63691 + read_lock(&grsec_exec_file_lock);
63693 + tsk = current->real_parent;
63697 + filp = tsk->exec_file;
63698 + if (filp == NULL)
63701 + tsk->is_writable = 0;
63703 + tsk->acl_sp_role = 1;
63704 + tsk->acl_role_id = ++acl_sp_role_value;
63705 + tsk->role = assigned;
63706 + tsk->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role);
63708 + /* ignore additional mmap checks for processes that are writable
63709 + by the default ACL */
63710 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
63711 + if (unlikely(obj->mode & GR_WRITE))
63712 + tsk->is_writable = 1;
63713 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role->root_label);
63714 + if (unlikely(obj->mode & GR_WRITE))
63715 + tsk->is_writable = 1;
63717 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
63718 + printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, task_pid_nr(tsk));
63722 + read_unlock(&grsec_exec_file_lock);
63723 + read_unlock(&tasklist_lock);
63727 +int gr_check_secure_terminal(struct task_struct *task)
63729 + struct task_struct *p, *p2, *p3;
63730 + struct files_struct *files;
63731 + struct fdtable *fdt;
63732 + struct file *our_file = NULL, *file;
63735 + if (task->signal->tty == NULL)
63738 + files = get_files_struct(task);
63739 + if (files != NULL) {
63741 + fdt = files_fdtable(files);
63742 + for (i=0; i < fdt->max_fds; i++) {
63743 + file = fcheck_files(files, i);
63744 + if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
63749 + rcu_read_unlock();
63750 + put_files_struct(files);
63753 + if (our_file == NULL)
63756 + read_lock(&tasklist_lock);
63757 + do_each_thread(p2, p) {
63758 + files = get_files_struct(p);
63759 + if (files == NULL ||
63760 + (p->signal && p->signal->tty == task->signal->tty)) {
63761 + if (files != NULL)
63762 + put_files_struct(files);
63766 + fdt = files_fdtable(files);
63767 + for (i=0; i < fdt->max_fds; i++) {
63768 + file = fcheck_files(files, i);
63769 + if (file && S_ISCHR(file->f_path.dentry->d_inode->i_mode) &&
63770 + file->f_path.dentry->d_inode->i_rdev == our_file->f_path.dentry->d_inode->i_rdev) {
63772 + while (task_pid_nr(p3) > 0) {
63775 + p3 = p3->real_parent;
63779 + gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
63780 + gr_handle_alertkill(p);
63781 + rcu_read_unlock();
63782 + put_files_struct(files);
63783 + read_unlock(&tasklist_lock);
63788 + rcu_read_unlock();
63789 + put_files_struct(files);
63790 + } while_each_thread(p2, p);
63791 + read_unlock(&tasklist_lock);
63797 +static int gr_rbac_disable(void *unused)
63799 + pax_open_kernel();
63800 + gr_status &= ~GR_READY;
63801 + pax_close_kernel();
63807 +write_grsec_handler(struct file *file, const char __user * buf, size_t count, loff_t *ppos)
63809 + struct gr_arg_wrapper uwrap;
63810 + unsigned char *sprole_salt = NULL;
63811 + unsigned char *sprole_sum = NULL;
63814 + size_t req_count = 0;
63816 + mutex_lock(&gr_dev_mutex);
63818 + if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
63823 +#ifdef CONFIG_COMPAT
63824 + pax_open_kernel();
63825 + if (is_compat_task()) {
63826 + copy_gr_arg_wrapper = ©_gr_arg_wrapper_compat;
63827 + copy_gr_arg = ©_gr_arg_compat;
63828 + copy_acl_object_label = ©_acl_object_label_compat;
63829 + copy_acl_subject_label = ©_acl_subject_label_compat;
63830 + copy_acl_role_label = ©_acl_role_label_compat;
63831 + copy_acl_ip_label = ©_acl_ip_label_compat;
63832 + copy_role_allowed_ip = ©_role_allowed_ip_compat;
63833 + copy_role_transition = ©_role_transition_compat;
63834 + copy_sprole_pw = ©_sprole_pw_compat;
63835 + copy_gr_hash_struct = ©_gr_hash_struct_compat;
63836 + copy_pointer_from_array = ©_pointer_from_array_compat;
63837 + get_gr_arg_wrapper_size = &get_gr_arg_wrapper_size_compat;
63839 + copy_gr_arg_wrapper = ©_gr_arg_wrapper_normal;
63840 + copy_gr_arg = ©_gr_arg_normal;
63841 + copy_acl_object_label = ©_acl_object_label_normal;
63842 + copy_acl_subject_label = ©_acl_subject_label_normal;
63843 + copy_acl_role_label = ©_acl_role_label_normal;
63844 + copy_acl_ip_label = ©_acl_ip_label_normal;
63845 + copy_role_allowed_ip = ©_role_allowed_ip_normal;
63846 + copy_role_transition = ©_role_transition_normal;
63847 + copy_sprole_pw = ©_sprole_pw_normal;
63848 + copy_gr_hash_struct = ©_gr_hash_struct_normal;
63849 + copy_pointer_from_array = ©_pointer_from_array_normal;
63850 + get_gr_arg_wrapper_size = &get_gr_arg_wrapper_size_normal;
63852 + pax_close_kernel();
63855 + req_count = get_gr_arg_wrapper_size();
63857 + if (count != req_count) {
63858 + gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)req_count);
63864 + if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
63865 + gr_auth_expires = 0;
63866 + gr_auth_attempts = 0;
63869 + error = copy_gr_arg_wrapper(buf, &uwrap);
63873 + error = copy_gr_arg(uwrap.arg, gr_usermode);
63877 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
63878 + gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
63879 + time_after(gr_auth_expires, get_seconds())) {
63884 + /* if non-root trying to do anything other than use a special role,
63885 + do not attempt authentication, do not count towards authentication
63889 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
63890 + gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
63891 + gr_is_global_nonroot(current_uid())) {
63896 + /* ensure pw and special role name are null terminated */
63898 + gr_usermode->pw[GR_PW_LEN - 1] = '\0';
63899 + gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
63902 + * We have our enough of the argument structure..(we have yet
63903 + * to copy_from_user the tables themselves) . Copy the tables
63904 + * only if we need them, i.e. for loading operations. */
63906 + switch (gr_usermode->mode) {
63908 + if (gr_status & GR_READY) {
63910 + if (!gr_check_secure_terminal(current))
63915 + case GR_SHUTDOWN:
63916 + if ((gr_status & GR_READY)
63917 + && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
63918 + stop_machine(gr_rbac_disable, NULL, NULL);
63919 + free_variables();
63920 + memset(gr_usermode, 0, sizeof (struct gr_arg));
63921 + memset(gr_system_salt, 0, GR_SALT_LEN);
63922 + memset(gr_system_sum, 0, GR_SHA_LEN);
63923 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
63924 + } else if (gr_status & GR_READY) {
63925 + gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
63928 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
63933 + if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
63934 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
63936 + if (gr_status & GR_READY)
63940 + gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
63944 + if (!(gr_status & GR_READY)) {
63945 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
63947 + } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
63948 + stop_machine(gr_rbac_disable, NULL, NULL);
63949 + free_variables();
63950 + error2 = gracl_init(gr_usermode);
63952 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
63954 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
63958 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
63963 + if (unlikely(!(gr_status & GR_READY))) {
63964 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
63969 + if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
63970 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
63971 + if (gr_usermode->segv_device && gr_usermode->segv_inode) {
63972 + struct acl_subject_label *segvacl;
63974 + lookup_acl_subj_label(gr_usermode->segv_inode,
63975 + gr_usermode->segv_device,
63978 + segvacl->crashes = 0;
63979 + segvacl->expires = 0;
63981 + } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
63982 + gr_remove_uid(gr_usermode->segv_uid);
63985 + gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
63990 + case GR_SPROLEPAM:
63991 + if (unlikely(!(gr_status & GR_READY))) {
63992 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
63997 + if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
63998 + current->role->expires = 0;
63999 + current->role->auth_attempts = 0;
64002 + if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
64003 + time_after(current->role->expires, get_seconds())) {
64008 + if (lookup_special_role_auth
64009 + (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
64010 + && ((!sprole_salt && !sprole_sum)
64011 + || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
64013 + assign_special_role(gr_usermode->sp_role);
64014 + read_lock(&tasklist_lock);
64015 + if (current->real_parent)
64016 + p = current->real_parent->role->rolename;
64017 + read_unlock(&tasklist_lock);
64018 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
64019 + p, acl_sp_role_value);
64021 + gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
64023 + if(!(current->role->auth_attempts++))
64024 + current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
64029 + case GR_UNSPROLE:
64030 + if (unlikely(!(gr_status & GR_READY))) {
64031 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
64036 + if (current->role->roletype & GR_ROLE_SPECIAL) {
64040 + read_lock(&tasklist_lock);
64041 + if (current->real_parent) {
64042 + p = current->real_parent->role->rolename;
64043 + i = current->real_parent->acl_role_id;
64045 + read_unlock(&tasklist_lock);
64047 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
64055 + gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
64060 + if (error != -EPERM)
64063 + if(!(gr_auth_attempts++))
64064 + gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
64067 + mutex_unlock(&gr_dev_mutex);
64070 + error = req_count;
64075 +/* must be called with
64077 + read_lock(&tasklist_lock);
64078 + read_lock(&grsec_exec_file_lock);
64080 +int gr_apply_subject_to_task(struct task_struct *task)
64082 + struct acl_object_label *obj;
64084 + struct acl_subject_label *tmpsubj;
64085 + struct file *filp;
64086 + struct name_entry *nmatch;
64088 + filp = task->exec_file;
64089 + if (filp == NULL)
64092 + /* the following is to apply the correct subject
64093 + on binaries running when the RBAC system
64094 + is enabled, when the binaries have been
64095 + replaced or deleted since their execution
64097 + when the RBAC system starts, the inode/dev
64098 + from exec_file will be one the RBAC system
64099 + is unaware of. It only knows the inode/dev
64100 + of the present file on disk, or the absence
64103 + preempt_disable();
64104 + tmpname = gr_to_filename_rbac(filp->f_path.dentry, filp->f_path.mnt);
64106 + nmatch = lookup_name_entry(tmpname);
64107 + preempt_enable();
64110 + if (nmatch->deleted)
64111 + tmpsubj = lookup_acl_subj_label_deleted(nmatch->inode, nmatch->device, task->role);
64113 + tmpsubj = lookup_acl_subj_label(nmatch->inode, nmatch->device, task->role);
64114 + if (tmpsubj != NULL)
64115 + task->acl = tmpsubj;
64117 + if (tmpsubj == NULL)
64118 + task->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt,
64121 + task->is_writable = 0;
64122 + /* ignore additional mmap checks for processes that are writable
64123 + by the default ACL */
64124 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
64125 + if (unlikely(obj->mode & GR_WRITE))
64126 + task->is_writable = 1;
64127 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
64128 + if (unlikely(obj->mode & GR_WRITE))
64129 + task->is_writable = 1;
64131 + gr_set_proc_res(task);
64133 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
64134 + printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task_pid_nr(task), task->role->rolename, task->acl->filename);
64144 +gr_set_acls(const int type)
64146 + struct task_struct *task, *task2;
64147 + struct acl_role_label *role = current->role;
64148 + __u16 acl_role_id = current->acl_role_id;
64149 + const struct cred *cred;
64153 + read_lock(&tasklist_lock);
64154 + read_lock(&grsec_exec_file_lock);
64155 + do_each_thread(task2, task) {
64156 + /* check to see if we're called from the exit handler,
64157 + if so, only replace ACLs that have inherited the admin
64160 + if (type && (task->role != role ||
64161 + task->acl_role_id != acl_role_id))
64164 + task->acl_role_id = 0;
64165 + task->acl_sp_role = 0;
64167 + if (task->exec_file) {
64168 + cred = __task_cred(task);
64169 + task->role = lookup_acl_role_label(task, GR_GLOBAL_UID(cred->uid), GR_GLOBAL_GID(cred->gid));
64170 + ret = gr_apply_subject_to_task(task);
64172 + read_unlock(&grsec_exec_file_lock);
64173 + read_unlock(&tasklist_lock);
64174 + rcu_read_unlock();
64175 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task_pid_nr(task));
64179 + // it's a kernel process
64180 + task->role = kernel_role;
64181 + task->acl = kernel_role->root_label;
64182 +#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
64183 + task->acl->mode &= ~GR_PROCFIND;
64186 + } while_each_thread(task2, task);
64187 + read_unlock(&grsec_exec_file_lock);
64188 + read_unlock(&tasklist_lock);
64189 + rcu_read_unlock();
64194 +#if defined(CONFIG_GRKERNSEC_RESLOG) || !defined(CONFIG_GRKERNSEC_NO_RBAC)
64195 +static const unsigned long res_learn_bumps[GR_NLIMITS] = {
64196 + [RLIMIT_CPU] = GR_RLIM_CPU_BUMP,
64197 + [RLIMIT_FSIZE] = GR_RLIM_FSIZE_BUMP,
64198 + [RLIMIT_DATA] = GR_RLIM_DATA_BUMP,
64199 + [RLIMIT_STACK] = GR_RLIM_STACK_BUMP,
64200 + [RLIMIT_CORE] = GR_RLIM_CORE_BUMP,
64201 + [RLIMIT_RSS] = GR_RLIM_RSS_BUMP,
64202 + [RLIMIT_NPROC] = GR_RLIM_NPROC_BUMP,
64203 + [RLIMIT_NOFILE] = GR_RLIM_NOFILE_BUMP,
64204 + [RLIMIT_MEMLOCK] = GR_RLIM_MEMLOCK_BUMP,
64205 + [RLIMIT_AS] = GR_RLIM_AS_BUMP,
64206 + [RLIMIT_LOCKS] = GR_RLIM_LOCKS_BUMP,
64207 + [RLIMIT_SIGPENDING] = GR_RLIM_SIGPENDING_BUMP,
64208 + [RLIMIT_MSGQUEUE] = GR_RLIM_MSGQUEUE_BUMP,
64209 + [RLIMIT_NICE] = GR_RLIM_NICE_BUMP,
64210 + [RLIMIT_RTPRIO] = GR_RLIM_RTPRIO_BUMP,
64211 + [RLIMIT_RTTIME] = GR_RLIM_RTTIME_BUMP
64215 +gr_learn_resource(const struct task_struct *task,
64216 + const int res, const unsigned long wanted, const int gt)
64218 + struct acl_subject_label *acl;
64219 + const struct cred *cred;
64221 + if (unlikely((gr_status & GR_READY) &&
64222 + task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
64223 + goto skip_reslog;
64225 + gr_log_resource(task, res, wanted, gt);
64228 + if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS))
64233 + if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
64234 + !(acl->resmask & (1U << (unsigned short) res))))
64237 + if (wanted >= acl->res[res].rlim_cur) {
64238 + unsigned long res_add;
64240 + res_add = wanted + res_learn_bumps[res];
64242 + acl->res[res].rlim_cur = res_add;
64244 + if (wanted > acl->res[res].rlim_max)
64245 + acl->res[res].rlim_max = res_add;
64247 + /* only log the subject filename, since resource logging is supported for
64248 + single-subject learning only */
64250 + cred = __task_cred(task);
64251 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
64252 + task->role->roletype, GR_GLOBAL_UID(cred->uid), GR_GLOBAL_GID(cred->gid), acl->filename,
64253 + acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max,
64254 + "", (unsigned long) res, &task->signal->saved_ip);
64255 + rcu_read_unlock();
64260 +EXPORT_SYMBOL(gr_learn_resource);
64263 +#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR))
64265 +pax_set_initial_flags(struct linux_binprm *bprm)
64267 + struct task_struct *task = current;
64268 + struct acl_subject_label *proc;
64269 + unsigned long flags;
64271 + if (unlikely(!(gr_status & GR_READY)))
64274 + flags = pax_get_flags(task);
64276 + proc = task->acl;
64278 + if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
64279 + flags &= ~MF_PAX_PAGEEXEC;
64280 + if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
64281 + flags &= ~MF_PAX_SEGMEXEC;
64282 + if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
64283 + flags &= ~MF_PAX_RANDMMAP;
64284 + if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
64285 + flags &= ~MF_PAX_EMUTRAMP;
64286 + if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
64287 + flags &= ~MF_PAX_MPROTECT;
64289 + if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
64290 + flags |= MF_PAX_PAGEEXEC;
64291 + if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
64292 + flags |= MF_PAX_SEGMEXEC;
64293 + if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
64294 + flags |= MF_PAX_RANDMMAP;
64295 + if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
64296 + flags |= MF_PAX_EMUTRAMP;
64297 + if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
64298 + flags |= MF_PAX_MPROTECT;
64300 + pax_set_flags(task, flags);
64307 +gr_handle_proc_ptrace(struct task_struct *task)
64309 + struct file *filp;
64310 + struct task_struct *tmp = task;
64311 + struct task_struct *curtemp = current;
64314 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
64315 + if (unlikely(!(gr_status & GR_READY)))
64319 + read_lock(&tasklist_lock);
64320 + read_lock(&grsec_exec_file_lock);
64321 + filp = task->exec_file;
64323 + while (task_pid_nr(tmp) > 0) {
64324 + if (tmp == curtemp)
64326 + tmp = tmp->real_parent;
64329 + if (!filp || (task_pid_nr(tmp) == 0 && ((grsec_enable_harden_ptrace && gr_is_global_nonroot(current_uid()) && !(gr_status & GR_READY)) ||
64330 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE))))) {
64331 + read_unlock(&grsec_exec_file_lock);
64332 + read_unlock(&tasklist_lock);
64336 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
64337 + if (!(gr_status & GR_READY)) {
64338 + read_unlock(&grsec_exec_file_lock);
64339 + read_unlock(&tasklist_lock);
64344 + retmode = gr_search_file(filp->f_path.dentry, GR_NOPTRACE, filp->f_path.mnt);
64345 + read_unlock(&grsec_exec_file_lock);
64346 + read_unlock(&tasklist_lock);
64348 + if (retmode & GR_NOPTRACE)
64351 + if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
64352 + && (current->acl != task->acl || (current->acl != current->role->root_label
64353 + && task_pid_nr(current) != task_pid_nr(task))))
64359 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p)
64361 + if (unlikely(!(gr_status & GR_READY)))
64364 + if (!(current->role->roletype & GR_ROLE_GOD))
64367 + seq_printf(m, "RBAC:\t%.64s:%c:%.950s\n",
64368 + p->role->rolename, gr_task_roletype_to_char(p),
64369 + p->acl->filename);
64373 +gr_handle_ptrace(struct task_struct *task, const long request)
64375 + struct task_struct *tmp = task;
64376 + struct task_struct *curtemp = current;
64379 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
64380 + if (unlikely(!(gr_status & GR_READY)))
64383 + if (request == PTRACE_ATTACH || request == PTRACE_SEIZE) {
64384 + read_lock(&tasklist_lock);
64385 + while (task_pid_nr(tmp) > 0) {
64386 + if (tmp == curtemp)
64388 + tmp = tmp->real_parent;
64391 + if (task_pid_nr(tmp) == 0 && ((grsec_enable_harden_ptrace && gr_is_global_nonroot(current_uid()) && !(gr_status & GR_READY)) ||
64392 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) {
64393 + read_unlock(&tasklist_lock);
64394 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
64397 + read_unlock(&tasklist_lock);
64400 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
64401 + if (!(gr_status & GR_READY))
64405 + read_lock(&grsec_exec_file_lock);
64406 + if (unlikely(!task->exec_file)) {
64407 + read_unlock(&grsec_exec_file_lock);
64411 + retmode = gr_search_file(task->exec_file->f_path.dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_path.mnt);
64412 + read_unlock(&grsec_exec_file_lock);
64414 + if (retmode & GR_NOPTRACE) {
64415 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
64419 + if (retmode & GR_PTRACERD) {
64420 + switch (request) {
64421 + case PTRACE_SEIZE:
64422 + case PTRACE_POKETEXT:
64423 + case PTRACE_POKEDATA:
64424 + case PTRACE_POKEUSR:
64425 +#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
64426 + case PTRACE_SETREGS:
64427 + case PTRACE_SETFPREGS:
64430 + case PTRACE_SETFPXREGS:
64432 +#ifdef CONFIG_ALTIVEC
64433 + case PTRACE_SETVRREGS:
64439 + } else if (!(current->acl->mode & GR_POVERRIDE) &&
64440 + !(current->role->roletype & GR_ROLE_GOD) &&
64441 + (current->acl != task->acl)) {
64442 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
64449 +static int is_writable_mmap(const struct file *filp)
64451 + struct task_struct *task = current;
64452 + struct acl_object_label *obj, *obj2;
64454 + if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
64455 + !task->is_writable && S_ISREG(filp->f_path.dentry->d_inode->i_mode) && (filp->f_path.mnt != shm_mnt || (filp->f_path.dentry->d_inode->i_nlink > 0))) {
64456 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
64457 + obj2 = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt,
64458 + task->role->root_label);
64459 + if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
64460 + gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_path.dentry, filp->f_path.mnt);
64468 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
64472 + if (unlikely(!file || !(prot & PROT_EXEC)))
64475 + if (is_writable_mmap(file))
64479 + gr_search_file(file->f_path.dentry,
64480 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
64481 + file->f_path.mnt);
64483 + if (!gr_tpe_allow(file))
64486 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
64487 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
64489 + } else if (unlikely(!(mode & GR_EXEC))) {
64491 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
64492 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
64500 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
64504 + if (unlikely(!file || !(prot & PROT_EXEC)))
64507 + if (is_writable_mmap(file))
64511 + gr_search_file(file->f_path.dentry,
64512 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
64513 + file->f_path.mnt);
64515 + if (!gr_tpe_allow(file))
64518 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
64519 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
64521 + } else if (unlikely(!(mode & GR_EXEC))) {
64523 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
64524 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
64532 +gr_acl_handle_psacct(struct task_struct *task, const long code)
64534 + unsigned long runtime;
64535 + unsigned long cputime;
64536 + unsigned int wday, cday;
64540 + struct timespec timeval;
64542 + if (unlikely(!(gr_status & GR_READY) || !task->acl ||
64543 + !(task->acl->mode & GR_PROCACCT)))
64546 + do_posix_clock_monotonic_gettime(&timeval);
64547 + runtime = timeval.tv_sec - task->start_time.tv_sec;
64548 + wday = runtime / (3600 * 24);
64549 + runtime -= wday * (3600 * 24);
64550 + whr = runtime / 3600;
64551 + runtime -= whr * 3600;
64552 + wmin = runtime / 60;
64553 + runtime -= wmin * 60;
64556 + cputime = (task->utime + task->stime) / HZ;
64557 + cday = cputime / (3600 * 24);
64558 + cputime -= cday * (3600 * 24);
64559 + chr = cputime / 3600;
64560 + cputime -= chr * 3600;
64561 + cmin = cputime / 60;
64562 + cputime -= cmin * 60;
64565 + gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
64570 +void gr_set_kernel_label(struct task_struct *task)
64572 + if (gr_status & GR_READY) {
64573 + task->role = kernel_role;
64574 + task->acl = kernel_role->root_label;
64579 +#ifdef CONFIG_TASKSTATS
64580 +int gr_is_taskstats_denied(int pid)
64582 + struct task_struct *task;
64583 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
64584 + const struct cred *cred;
64588 + /* restrict taskstats viewing to un-chrooted root users
64589 + who have the 'view' subject flag if the RBAC system is enabled
64593 + read_lock(&tasklist_lock);
64594 + task = find_task_by_vpid(pid);
64596 +#ifdef CONFIG_GRKERNSEC_CHROOT
64597 + if (proc_is_chrooted(task))
64600 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
64601 + cred = __task_cred(task);
64602 +#ifdef CONFIG_GRKERNSEC_PROC_USER
64603 + if (gr_is_global_nonroot(cred->uid))
64605 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
64606 + if (gr_is_global_nonroot(cred->uid) && !groups_search(cred->group_info, grsec_proc_gid))
64610 + if (gr_status & GR_READY) {
64611 + if (!(task->acl->mode & GR_VIEW))
64617 + read_unlock(&tasklist_lock);
64618 + rcu_read_unlock();
64624 +/* AUXV entries are filled via a descendant of search_binary_handler
64625 + after we've already applied the subject for the target
64627 +int gr_acl_enable_at_secure(void)
64629 + if (unlikely(!(gr_status & GR_READY)))
64632 + if (current->acl->mode & GR_ATSECURE)
64638 +int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
64640 + struct task_struct *task = current;
64641 + struct dentry *dentry = file->f_path.dentry;
64642 + struct vfsmount *mnt = file->f_path.mnt;
64643 + struct acl_object_label *obj, *tmp;
64644 + struct acl_subject_label *subj;
64645 + unsigned int bufsize;
64648 + dev_t dev = __get_dev(dentry);
64650 + if (unlikely(!(gr_status & GR_READY)))
64653 + if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
64656 + /* ignore Eric Biederman */
64657 + if (IS_PRIVATE(dentry->d_inode))
64660 + subj = task->acl;
64661 + read_lock(&gr_inode_lock);
64663 + obj = lookup_acl_obj_label(ino, dev, subj);
64664 + if (obj != NULL) {
64665 + read_unlock(&gr_inode_lock);
64666 + return (obj->mode & GR_FIND) ? 1 : 0;
64668 + } while ((subj = subj->parent_subject));
64669 + read_unlock(&gr_inode_lock);
64671 + /* this is purely an optimization since we're looking for an object
64672 + for the directory we're doing a readdir on
64673 + if it's possible for any globbed object to match the entry we're
64674 + filling into the directory, then the object we find here will be
64675 + an anchor point with attached globbed objects
64677 + obj = chk_obj_label_noglob(dentry, mnt, task->acl);
64678 + if (obj->globbed == NULL)
64679 + return (obj->mode & GR_FIND) ? 1 : 0;
64681 + is_not_root = ((obj->filename[0] == '/') &&
64682 + (obj->filename[1] == '\0')) ? 0 : 1;
64683 + bufsize = PAGE_SIZE - namelen - is_not_root;
64685 + /* check bufsize > PAGE_SIZE || bufsize == 0 */
64686 + if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
64689 + preempt_disable();
64690 + path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
64693 + bufsize = strlen(path);
64695 + /* if base is "/", don't append an additional slash */
64697 + *(path + bufsize) = '/';
64698 + memcpy(path + bufsize + is_not_root, name, namelen);
64699 + *(path + bufsize + namelen + is_not_root) = '\0';
64701 + tmp = obj->globbed;
64703 + if (!glob_match(tmp->filename, path)) {
64704 + preempt_enable();
64705 + return (tmp->mode & GR_FIND) ? 1 : 0;
64709 + preempt_enable();
64710 + return (obj->mode & GR_FIND) ? 1 : 0;
64713 +void gr_put_exec_file(struct task_struct *task)
64715 + struct file *filp;
64717 + write_lock(&grsec_exec_file_lock);
64718 + filp = task->exec_file;
64719 + task->exec_file = NULL;
64720 + write_unlock(&grsec_exec_file_lock);
64729 +#ifdef CONFIG_NETFILTER_XT_MATCH_GRADM_MODULE
64730 +EXPORT_SYMBOL(gr_acl_is_enabled);
64732 +EXPORT_SYMBOL(gr_set_kernel_label);
64733 +#ifdef CONFIG_SECURITY
64734 +EXPORT_SYMBOL(gr_check_user_change);
64735 +EXPORT_SYMBOL(gr_check_group_change);
64738 diff --git a/grsecurity/gracl_alloc.c b/grsecurity/gracl_alloc.c
64739 new file mode 100644
64740 index 0000000..34fefda
64742 +++ b/grsecurity/gracl_alloc.c
64744 +#include <linux/kernel.h>
64745 +#include <linux/mm.h>
64746 +#include <linux/slab.h>
64747 +#include <linux/vmalloc.h>
64748 +#include <linux/gracl.h>
64749 +#include <linux/grsecurity.h>
64751 +static unsigned long alloc_stack_next = 1;
64752 +static unsigned long alloc_stack_size = 1;
64753 +static void **alloc_stack;
64755 +static __inline__ int
64758 + if (alloc_stack_next == 1)
64761 + kfree(alloc_stack[alloc_stack_next - 2]);
64763 + alloc_stack_next--;
64768 +static __inline__ int
64769 +alloc_push(void *buf)
64771 + if (alloc_stack_next >= alloc_stack_size)
64774 + alloc_stack[alloc_stack_next - 1] = buf;
64776 + alloc_stack_next++;
64782 +acl_alloc(unsigned long len)
64784 + void *ret = NULL;
64786 + if (!len || len > PAGE_SIZE)
64789 + ret = kmalloc(len, GFP_KERNEL);
64792 + if (alloc_push(ret)) {
64803 +acl_alloc_num(unsigned long num, unsigned long len)
64805 + if (!len || (num > (PAGE_SIZE / len)))
64808 + return acl_alloc(num * len);
64812 +acl_free_all(void)
64814 + if (gr_acl_is_enabled() || !alloc_stack)
64817 + while (alloc_pop()) ;
64819 + if (alloc_stack) {
64820 + if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
64821 + kfree(alloc_stack);
64823 + vfree(alloc_stack);
64826 + alloc_stack = NULL;
64827 + alloc_stack_size = 1;
64828 + alloc_stack_next = 1;
64834 +acl_alloc_stack_init(unsigned long size)
64836 + if ((size * sizeof (void *)) <= PAGE_SIZE)
64838 + (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
64840 + alloc_stack = (void **) vmalloc(size * sizeof (void *));
64842 + alloc_stack_size = size;
64844 + if (!alloc_stack)
64849 diff --git a/grsecurity/gracl_cap.c b/grsecurity/gracl_cap.c
64850 new file mode 100644
64851 index 0000000..bdd51ea
64853 +++ b/grsecurity/gracl_cap.c
64855 +#include <linux/kernel.h>
64856 +#include <linux/module.h>
64857 +#include <linux/sched.h>
64858 +#include <linux/gracl.h>
64859 +#include <linux/grsecurity.h>
64860 +#include <linux/grinternal.h>
64862 +extern const char *captab_log[];
64863 +extern int captab_log_entries;
64865 +int gr_task_acl_is_capable(const struct task_struct *task, const struct cred *cred, const int cap)
64867 + struct acl_subject_label *curracl;
64868 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
64869 + kernel_cap_t cap_audit = __cap_empty_set;
64871 + if (!gr_acl_is_enabled())
64874 + curracl = task->acl;
64876 + cap_drop = curracl->cap_lower;
64877 + cap_mask = curracl->cap_mask;
64878 + cap_audit = curracl->cap_invert_audit;
64880 + while ((curracl = curracl->parent_subject)) {
64881 + /* if the cap isn't specified in the current computed mask but is specified in the
64882 + current level subject, and is lowered in the current level subject, then add
64883 + it to the set of dropped capabilities
64884 + otherwise, add the current level subject's mask to the current computed mask
64886 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
64887 + cap_raise(cap_mask, cap);
64888 + if (cap_raised(curracl->cap_lower, cap))
64889 + cap_raise(cap_drop, cap);
64890 + if (cap_raised(curracl->cap_invert_audit, cap))
64891 + cap_raise(cap_audit, cap);
64895 + if (!cap_raised(cap_drop, cap)) {
64896 + if (cap_raised(cap_audit, cap))
64897 + gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);
64901 + curracl = task->acl;
64903 + if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
64904 + && cap_raised(cred->cap_effective, cap)) {
64905 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
64906 + task->role->roletype, GR_GLOBAL_UID(cred->uid),
64907 + GR_GLOBAL_GID(cred->gid), task->exec_file ?
64908 + gr_to_filename(task->exec_file->f_path.dentry,
64909 + task->exec_file->f_path.mnt) : curracl->filename,
64910 + curracl->filename, 0UL,
64911 + 0UL, "", (unsigned long) cap, &task->signal->saved_ip);
64915 + if ((cap >= 0) && (cap < captab_log_entries) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
64916 + gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
64922 +gr_acl_is_capable(const int cap)
64924 + return gr_task_acl_is_capable(current, current_cred(), cap);
64927 +int gr_task_acl_is_capable_nolog(const struct task_struct *task, const int cap)
64929 + struct acl_subject_label *curracl;
64930 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
64932 + if (!gr_acl_is_enabled())
64935 + curracl = task->acl;
64937 + cap_drop = curracl->cap_lower;
64938 + cap_mask = curracl->cap_mask;
64940 + while ((curracl = curracl->parent_subject)) {
64941 + /* if the cap isn't specified in the current computed mask but is specified in the
64942 + current level subject, and is lowered in the current level subject, then add
64943 + it to the set of dropped capabilities
64944 + otherwise, add the current level subject's mask to the current computed mask
64946 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
64947 + cap_raise(cap_mask, cap);
64948 + if (cap_raised(curracl->cap_lower, cap))
64949 + cap_raise(cap_drop, cap);
64953 + if (!cap_raised(cap_drop, cap))
64960 +gr_acl_is_capable_nolog(const int cap)
64962 + return gr_task_acl_is_capable_nolog(current, cap);
64965 diff --git a/grsecurity/gracl_compat.c b/grsecurity/gracl_compat.c
64966 new file mode 100644
64967 index 0000000..a43dd06
64969 +++ b/grsecurity/gracl_compat.c
64971 +#include <linux/kernel.h>
64972 +#include <linux/gracl.h>
64973 +#include <linux/compat.h>
64974 +#include <linux/gracl_compat.h>
64976 +#include <asm/uaccess.h>
64978 +int copy_gr_arg_wrapper_compat(const char *buf, struct gr_arg_wrapper *uwrap)
64980 + struct gr_arg_wrapper_compat uwrapcompat;
64982 + if (copy_from_user(&uwrapcompat, buf, sizeof(uwrapcompat)))
64985 + if ((uwrapcompat.version != GRSECURITY_VERSION) ||
64986 + (uwrapcompat.size != sizeof(struct gr_arg_compat)))
64989 + uwrap->arg = compat_ptr(uwrapcompat.arg);
64990 + uwrap->version = uwrapcompat.version;
64991 + uwrap->size = sizeof(struct gr_arg);
64996 +int copy_gr_arg_compat(const struct gr_arg __user *buf, struct gr_arg *arg)
64998 + struct gr_arg_compat argcompat;
65000 + if (copy_from_user(&argcompat, buf, sizeof(argcompat)))
65003 + arg->role_db.r_table = compat_ptr(argcompat.role_db.r_table);
65004 + arg->role_db.num_pointers = argcompat.role_db.num_pointers;
65005 + arg->role_db.num_roles = argcompat.role_db.num_roles;
65006 + arg->role_db.num_domain_children = argcompat.role_db.num_domain_children;
65007 + arg->role_db.num_subjects = argcompat.role_db.num_subjects;
65008 + arg->role_db.num_objects = argcompat.role_db.num_objects;
65010 + memcpy(&arg->pw, &argcompat.pw, sizeof(arg->pw));
65011 + memcpy(&arg->salt, &argcompat.salt, sizeof(arg->salt));
65012 + memcpy(&arg->sum, &argcompat.sum, sizeof(arg->sum));
65013 + memcpy(&arg->sp_role, &argcompat.sp_role, sizeof(arg->sp_role));
65014 + arg->sprole_pws = compat_ptr(argcompat.sprole_pws);
65015 + arg->segv_device = argcompat.segv_device;
65016 + arg->segv_inode = argcompat.segv_inode;
65017 + arg->segv_uid = argcompat.segv_uid;
65018 + arg->num_sprole_pws = argcompat.num_sprole_pws;
65019 + arg->mode = argcompat.mode;
65024 +int copy_acl_object_label_compat(struct acl_object_label *obj, const struct acl_object_label *userp)
65026 + struct acl_object_label_compat objcompat;
65028 + if (copy_from_user(&objcompat, userp, sizeof(objcompat)))
65031 + obj->filename = compat_ptr(objcompat.filename);
65032 + obj->inode = objcompat.inode;
65033 + obj->device = objcompat.device;
65034 + obj->mode = objcompat.mode;
65036 + obj->nested = compat_ptr(objcompat.nested);
65037 + obj->globbed = compat_ptr(objcompat.globbed);
65039 + obj->prev = compat_ptr(objcompat.prev);
65040 + obj->next = compat_ptr(objcompat.next);
65045 +int copy_acl_subject_label_compat(struct acl_subject_label *subj, const struct acl_subject_label *userp)
65048 + struct acl_subject_label_compat subjcompat;
65050 + if (copy_from_user(&subjcompat, userp, sizeof(subjcompat)))
65053 + subj->filename = compat_ptr(subjcompat.filename);
65054 + subj->inode = subjcompat.inode;
65055 + subj->device = subjcompat.device;
65056 + subj->mode = subjcompat.mode;
65057 + subj->cap_mask = subjcompat.cap_mask;
65058 + subj->cap_lower = subjcompat.cap_lower;
65059 + subj->cap_invert_audit = subjcompat.cap_invert_audit;
65061 + for (i = 0; i < GR_NLIMITS; i++) {
65062 + if (subjcompat.res[i].rlim_cur == COMPAT_RLIM_INFINITY)
65063 + subj->res[i].rlim_cur = RLIM_INFINITY;
65065 + subj->res[i].rlim_cur = subjcompat.res[i].rlim_cur;
65066 + if (subjcompat.res[i].rlim_max == COMPAT_RLIM_INFINITY)
65067 + subj->res[i].rlim_max = RLIM_INFINITY;
65069 + subj->res[i].rlim_max = subjcompat.res[i].rlim_max;
65071 + subj->resmask = subjcompat.resmask;
65073 + subj->user_trans_type = subjcompat.user_trans_type;
65074 + subj->group_trans_type = subjcompat.group_trans_type;
65075 + subj->user_transitions = compat_ptr(subjcompat.user_transitions);
65076 + subj->group_transitions = compat_ptr(subjcompat.group_transitions);
65077 + subj->user_trans_num = subjcompat.user_trans_num;
65078 + subj->group_trans_num = subjcompat.group_trans_num;
65080 + memcpy(&subj->sock_families, &subjcompat.sock_families, sizeof(subj->sock_families));
65081 + memcpy(&subj->ip_proto, &subjcompat.ip_proto, sizeof(subj->ip_proto));
65082 + subj->ip_type = subjcompat.ip_type;
65083 + subj->ips = compat_ptr(subjcompat.ips);
65084 + subj->ip_num = subjcompat.ip_num;
65085 + subj->inaddr_any_override = subjcompat.inaddr_any_override;
65087 + subj->crashes = subjcompat.crashes;
65088 + subj->expires = subjcompat.expires;
65090 + subj->parent_subject = compat_ptr(subjcompat.parent_subject);
65091 + subj->hash = compat_ptr(subjcompat.hash);
65092 + subj->prev = compat_ptr(subjcompat.prev);
65093 + subj->next = compat_ptr(subjcompat.next);
65095 + subj->obj_hash = compat_ptr(subjcompat.obj_hash);
65096 + subj->obj_hash_size = subjcompat.obj_hash_size;
65097 + subj->pax_flags = subjcompat.pax_flags;
65102 +int copy_acl_role_label_compat(struct acl_role_label *role, const struct acl_role_label *userp)
65104 + struct acl_role_label_compat rolecompat;
65106 + if (copy_from_user(&rolecompat, userp, sizeof(rolecompat)))
65109 + role->rolename = compat_ptr(rolecompat.rolename);
65110 + role->uidgid = rolecompat.uidgid;
65111 + role->roletype = rolecompat.roletype;
65113 + role->auth_attempts = rolecompat.auth_attempts;
65114 + role->expires = rolecompat.expires;
65116 + role->root_label = compat_ptr(rolecompat.root_label);
65117 + role->hash = compat_ptr(rolecompat.hash);
65119 + role->prev = compat_ptr(rolecompat.prev);
65120 + role->next = compat_ptr(rolecompat.next);
65122 + role->transitions = compat_ptr(rolecompat.transitions);
65123 + role->allowed_ips = compat_ptr(rolecompat.allowed_ips);
65124 + role->domain_children = compat_ptr(rolecompat.domain_children);
65125 + role->domain_child_num = rolecompat.domain_child_num;
65127 + role->umask = rolecompat.umask;
65129 + role->subj_hash = compat_ptr(rolecompat.subj_hash);
65130 + role->subj_hash_size = rolecompat.subj_hash_size;
65135 +int copy_role_allowed_ip_compat(struct role_allowed_ip *roleip, const struct role_allowed_ip *userp)
65137 + struct role_allowed_ip_compat roleip_compat;
65139 + if (copy_from_user(&roleip_compat, userp, sizeof(roleip_compat)))
65142 + roleip->addr = roleip_compat.addr;
65143 + roleip->netmask = roleip_compat.netmask;
65145 + roleip->prev = compat_ptr(roleip_compat.prev);
65146 + roleip->next = compat_ptr(roleip_compat.next);
65151 +int copy_role_transition_compat(struct role_transition *trans, const struct role_transition *userp)
65153 + struct role_transition_compat trans_compat;
65155 + if (copy_from_user(&trans_compat, userp, sizeof(trans_compat)))
65158 + trans->rolename = compat_ptr(trans_compat.rolename);
65160 + trans->prev = compat_ptr(trans_compat.prev);
65161 + trans->next = compat_ptr(trans_compat.next);
65167 +int copy_gr_hash_struct_compat(struct gr_hash_struct *hash, const struct gr_hash_struct *userp)
65169 + struct gr_hash_struct_compat hash_compat;
65171 + if (copy_from_user(&hash_compat, userp, sizeof(hash_compat)))
65174 + hash->table = compat_ptr(hash_compat.table);
65175 + hash->nametable = compat_ptr(hash_compat.nametable);
65176 + hash->first = compat_ptr(hash_compat.first);
65178 + hash->table_size = hash_compat.table_size;
65179 + hash->used_size = hash_compat.used_size;
65181 + hash->type = hash_compat.type;
65186 +int copy_pointer_from_array_compat(void *ptr, unsigned long idx, const void *userp)
65188 + compat_uptr_t ptrcompat;
65190 + if (copy_from_user(&ptrcompat, userp + (idx * sizeof(ptrcompat)), sizeof(ptrcompat)))
65193 + *(void **)ptr = compat_ptr(ptrcompat);
65198 +int copy_acl_ip_label_compat(struct acl_ip_label *ip, const struct acl_ip_label *userp)
65200 + struct acl_ip_label_compat ip_compat;
65202 + if (copy_from_user(&ip_compat, userp, sizeof(ip_compat)))
65205 + ip->iface = compat_ptr(ip_compat.iface);
65206 + ip->addr = ip_compat.addr;
65207 + ip->netmask = ip_compat.netmask;
65208 + ip->low = ip_compat.low;
65209 + ip->high = ip_compat.high;
65210 + ip->mode = ip_compat.mode;
65211 + ip->type = ip_compat.type;
65213 + memcpy(&ip->proto, &ip_compat.proto, sizeof(ip->proto));
65215 + ip->prev = compat_ptr(ip_compat.prev);
65216 + ip->next = compat_ptr(ip_compat.next);
65221 +int copy_sprole_pw_compat(struct sprole_pw *pw, unsigned long idx, const struct sprole_pw *userp)
65223 + struct sprole_pw_compat pw_compat;
65225 + if (copy_from_user(&pw_compat, (const void *)userp + (sizeof(pw_compat) * idx), sizeof(pw_compat)))
65228 + pw->rolename = compat_ptr(pw_compat.rolename);
65229 + memcpy(&pw->salt, pw_compat.salt, sizeof(pw->salt));
65230 + memcpy(&pw->sum, pw_compat.sum, sizeof(pw->sum));
65235 +size_t get_gr_arg_wrapper_size_compat(void)
65237 + return sizeof(struct gr_arg_wrapper_compat);
65240 diff --git a/grsecurity/gracl_fs.c b/grsecurity/gracl_fs.c
65241 new file mode 100644
65242 index 0000000..a340c17
65244 +++ b/grsecurity/gracl_fs.c
65246 +#include <linux/kernel.h>
65247 +#include <linux/sched.h>
65248 +#include <linux/types.h>
65249 +#include <linux/fs.h>
65250 +#include <linux/file.h>
65251 +#include <linux/stat.h>
65252 +#include <linux/grsecurity.h>
65253 +#include <linux/grinternal.h>
65254 +#include <linux/gracl.h>
65257 +gr_acl_umask(void)
65259 + if (unlikely(!gr_acl_is_enabled()))
65262 + return current->role->umask;
65266 +gr_acl_handle_hidden_file(const struct dentry * dentry,
65267 + const struct vfsmount * mnt)
65271 + if (unlikely(!dentry->d_inode))
65275 + gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
65277 + if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
65278 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
65280 + } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
65281 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
65283 + } else if (unlikely(!(mode & GR_FIND)))
65290 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
65293 + __u32 reqmode = GR_FIND;
65296 + if (unlikely(!dentry->d_inode))
65299 + if (acc_mode & MAY_APPEND)
65300 + reqmode |= GR_APPEND;
65301 + else if (acc_mode & MAY_WRITE)
65302 + reqmode |= GR_WRITE;
65303 + if ((acc_mode & MAY_READ) && !S_ISDIR(dentry->d_inode->i_mode))
65304 + reqmode |= GR_READ;
65307 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
65310 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
65311 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
65312 + reqmode & GR_READ ? " reading" : "",
65313 + reqmode & GR_WRITE ? " writing" : reqmode &
65314 + GR_APPEND ? " appending" : "");
65317 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
65319 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
65320 + reqmode & GR_READ ? " reading" : "",
65321 + reqmode & GR_WRITE ? " writing" : reqmode &
65322 + GR_APPEND ? " appending" : "");
65324 + } else if (unlikely((mode & reqmode) != reqmode))
65331 +gr_acl_handle_creat(const struct dentry * dentry,
65332 + const struct dentry * p_dentry,
65333 + const struct vfsmount * p_mnt, int open_flags, int acc_mode,
65336 + __u32 reqmode = GR_WRITE | GR_CREATE;
65339 + if (acc_mode & MAY_APPEND)
65340 + reqmode |= GR_APPEND;
65341 + // if a directory was required or the directory already exists, then
65342 + // don't count this open as a read
65343 + if ((acc_mode & MAY_READ) &&
65344 + !((open_flags & O_DIRECTORY) || (dentry->d_inode && S_ISDIR(dentry->d_inode->i_mode))))
65345 + reqmode |= GR_READ;
65346 + if ((open_flags & O_CREAT) &&
65347 + ((imode & S_ISUID) || ((imode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))))
65348 + reqmode |= GR_SETID;
65351 + gr_check_create(dentry, p_dentry, p_mnt,
65352 + reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
65354 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
65355 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
65356 + reqmode & GR_READ ? " reading" : "",
65357 + reqmode & GR_WRITE ? " writing" : reqmode &
65358 + GR_APPEND ? " appending" : "");
65361 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
65363 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
65364 + reqmode & GR_READ ? " reading" : "",
65365 + reqmode & GR_WRITE ? " writing" : reqmode &
65366 + GR_APPEND ? " appending" : "");
65368 + } else if (unlikely((mode & reqmode) != reqmode))
65375 +gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
65378 + __u32 mode, reqmode = GR_FIND;
65380 + if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
65381 + reqmode |= GR_EXEC;
65382 + if (fmode & S_IWOTH)
65383 + reqmode |= GR_WRITE;
65384 + if (fmode & S_IROTH)
65385 + reqmode |= GR_READ;
65388 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
65391 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
65392 + gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
65393 + reqmode & GR_READ ? " reading" : "",
65394 + reqmode & GR_WRITE ? " writing" : "",
65395 + reqmode & GR_EXEC ? " executing" : "");
65398 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
65400 + gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
65401 + reqmode & GR_READ ? " reading" : "",
65402 + reqmode & GR_WRITE ? " writing" : "",
65403 + reqmode & GR_EXEC ? " executing" : "");
65405 + } else if (unlikely((mode & reqmode) != reqmode))
65411 +static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
65415 + mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
65417 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
65418 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
65420 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
65421 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
65423 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
65426 + return (reqmode);
65430 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
65432 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
65436 +gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
65438 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
65442 +gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
65444 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
65448 +gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
65450 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
65454 +gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
65455 + umode_t *modeptr)
65459 + *modeptr &= ~gr_acl_umask();
65462 + if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
65465 + if (unlikely(dentry->d_inode && !S_ISDIR(dentry->d_inode->i_mode) &&
65466 + ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))))) {
65467 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
65468 + GR_CHMOD_ACL_MSG);
65470 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
65475 +gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
65477 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
65481 +gr_acl_handle_setxattr(const struct dentry *dentry, const struct vfsmount *mnt)
65483 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_SETXATTR_ACL_MSG);
65487 +gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
65489 + return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
65493 +gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
65495 + return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
65496 + GR_UNIXCONNECT_ACL_MSG);
65499 +/* hardlinks require at minimum create and link permission,
65500 + any additional privilege required is based on the
65501 + privilege of the file being linked to
65504 +gr_acl_handle_link(const struct dentry * new_dentry,
65505 + const struct dentry * parent_dentry,
65506 + const struct vfsmount * parent_mnt,
65507 + const struct dentry * old_dentry,
65508 + const struct vfsmount * old_mnt, const struct filename *to)
65511 + __u32 needmode = GR_CREATE | GR_LINK;
65512 + __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
65515 + gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
65518 + if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
65519 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to->name);
65521 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
65522 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to->name);
65524 + } else if (unlikely((mode & needmode) != needmode))
65531 +gr_acl_handle_symlink(const struct dentry * new_dentry,
65532 + const struct dentry * parent_dentry,
65533 + const struct vfsmount * parent_mnt, const struct filename *from)
65535 + __u32 needmode = GR_WRITE | GR_CREATE;
65539 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
65540 + GR_CREATE | GR_AUDIT_CREATE |
65541 + GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
65543 + if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
65544 + gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from->name, new_dentry, parent_mnt);
65546 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
65547 + gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from->name, new_dentry, parent_mnt);
65549 + } else if (unlikely((mode & needmode) != needmode))
65552 + return (GR_WRITE | GR_CREATE);
65555 +static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
65559 + mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
65561 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
65562 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
65564 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
65565 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
65567 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
65570 + return (reqmode);
65574 +gr_acl_handle_mknod(const struct dentry * new_dentry,
65575 + const struct dentry * parent_dentry,
65576 + const struct vfsmount * parent_mnt,
65579 + __u32 reqmode = GR_WRITE | GR_CREATE;
65580 + if (unlikely((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))))
65581 + reqmode |= GR_SETID;
65583 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
65584 + reqmode, GR_MKNOD_ACL_MSG);
65588 +gr_acl_handle_mkdir(const struct dentry *new_dentry,
65589 + const struct dentry *parent_dentry,
65590 + const struct vfsmount *parent_mnt)
65592 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
65593 + GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
65596 +#define RENAME_CHECK_SUCCESS(old, new) \
65597 + (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
65598 + ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
65601 +gr_acl_handle_rename(struct dentry *new_dentry,
65602 + struct dentry *parent_dentry,
65603 + const struct vfsmount *parent_mnt,
65604 + struct dentry *old_dentry,
65605 + struct inode *old_parent_inode,
65606 + struct vfsmount *old_mnt, const struct filename *newname)
65608 + __u32 comp1, comp2;
65611 + if (unlikely(!gr_acl_is_enabled()))
65614 + if (!new_dentry->d_inode) {
65615 + comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
65616 + GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
65617 + GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
65618 + comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
65619 + GR_DELETE | GR_AUDIT_DELETE |
65620 + GR_AUDIT_READ | GR_AUDIT_WRITE |
65621 + GR_SUPPRESS, old_mnt);
65623 + comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
65624 + GR_CREATE | GR_DELETE |
65625 + GR_AUDIT_CREATE | GR_AUDIT_DELETE |
65626 + GR_AUDIT_READ | GR_AUDIT_WRITE |
65627 + GR_SUPPRESS, parent_mnt);
65629 + gr_search_file(old_dentry,
65630 + GR_READ | GR_WRITE | GR_AUDIT_READ |
65631 + GR_DELETE | GR_AUDIT_DELETE |
65632 + GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
65635 + if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
65636 + ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
65637 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname->name);
65638 + else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
65639 + && !(comp2 & GR_SUPPRESS)) {
65640 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname->name);
65642 + } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
65649 +gr_acl_handle_exit(void)
65654 + if (unlikely(current->acl_sp_role && gr_acl_is_enabled() &&
65655 + !(current->role->roletype & GR_ROLE_PERSIST))) {
65656 + id = current->acl_role_id;
65657 + rolename = current->role->rolename;
65659 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
65662 + gr_put_exec_file(current);
65667 +gr_acl_handle_procpidmem(const struct task_struct *task)
65669 + if (unlikely(!gr_acl_is_enabled()))
65672 + if (task != current && task->acl->mode & GR_PROTPROCFD)
65677 diff --git a/grsecurity/gracl_ip.c b/grsecurity/gracl_ip.c
65678 new file mode 100644
65679 index 0000000..8132048
65681 +++ b/grsecurity/gracl_ip.c
65683 +#include <linux/kernel.h>
65684 +#include <asm/uaccess.h>
65685 +#include <asm/errno.h>
65686 +#include <net/sock.h>
65687 +#include <linux/file.h>
65688 +#include <linux/fs.h>
65689 +#include <linux/net.h>
65690 +#include <linux/in.h>
65691 +#include <linux/skbuff.h>
65692 +#include <linux/ip.h>
65693 +#include <linux/udp.h>
65694 +#include <linux/types.h>
65695 +#include <linux/sched.h>
65696 +#include <linux/netdevice.h>
65697 +#include <linux/inetdevice.h>
65698 +#include <linux/gracl.h>
65699 +#include <linux/grsecurity.h>
65700 +#include <linux/grinternal.h>
65702 +#define GR_BIND 0x01
65703 +#define GR_CONNECT 0x02
65704 +#define GR_INVERT 0x04
65705 +#define GR_BINDOVERRIDE 0x08
65706 +#define GR_CONNECTOVERRIDE 0x10
65707 +#define GR_SOCK_FAMILY 0x20
65709 +static const char * gr_protocols[IPPROTO_MAX] = {
65710 + "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
65711 + "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
65712 + "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
65713 + "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
65714 + "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
65715 + "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
65716 + "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
65717 + "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
65718 + "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
65719 + "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
65720 + "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
65721 + "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
65722 + "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
65723 + "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
65724 + "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
65725 + "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
65726 + "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
65727 + "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
65728 + "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
65729 + "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
65730 + "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
65731 + "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
65732 + "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
65733 + "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
65734 + "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
65735 + "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
65736 + "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
65737 + "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
65738 + "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
65739 + "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
65740 + "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
65741 + "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
65744 +static const char * gr_socktypes[SOCK_MAX] = {
65745 + "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
65746 + "unknown:7", "unknown:8", "unknown:9", "packet"
65749 +static const char * gr_sockfamilies[AF_MAX+1] = {
65750 + "unspec", "unix", "inet", "ax25", "ipx", "appletalk", "netrom", "bridge", "atmpvc", "x25",
65751 + "inet6", "rose", "decnet", "netbeui", "security", "key", "netlink", "packet", "ash",
65752 + "econet", "atmsvc", "rds", "sna", "irda", "ppox", "wanpipe", "llc", "fam_27", "fam_28",
65753 + "tipc", "bluetooth", "iucv", "rxrpc", "isdn", "phonet", "ieee802154", "ciaf"
65757 +gr_proto_to_name(unsigned char proto)
65759 + return gr_protocols[proto];
65763 +gr_socktype_to_name(unsigned char type)
65765 + return gr_socktypes[type];
65769 +gr_sockfamily_to_name(unsigned char family)
65771 + return gr_sockfamilies[family];
65775 +gr_search_socket(const int domain, const int type, const int protocol)
65777 + struct acl_subject_label *curr;
65778 + const struct cred *cred = current_cred();
65780 + if (unlikely(!gr_acl_is_enabled()))
65783 + if ((domain < 0) || (type < 0) || (protocol < 0) ||
65784 + (domain >= AF_MAX) || (type >= SOCK_MAX) || (protocol >= IPPROTO_MAX))
65785 + goto exit; // let the kernel handle it
65787 + curr = current->acl;
65789 + if (curr->sock_families[domain / 32] & (1U << (domain % 32))) {
65790 + /* the family is allowed, if this is PF_INET allow it only if
65791 + the extra sock type/protocol checks pass */
65792 + if (domain == PF_INET)
65796 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
65797 + __u32 fakeip = 0;
65798 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
65799 + current->role->roletype, GR_GLOBAL_UID(cred->uid),
65800 + GR_GLOBAL_GID(cred->gid), current->exec_file ?
65801 + gr_to_filename(current->exec_file->f_path.dentry,
65802 + current->exec_file->f_path.mnt) :
65803 + curr->filename, curr->filename,
65804 + &fakeip, domain, 0, 0, GR_SOCK_FAMILY,
65805 + ¤t->signal->saved_ip);
65812 + /* the rest of this checking is for IPv4 only */
65816 + if ((curr->ip_type & (1U << type)) &&
65817 + (curr->ip_proto[protocol / 32] & (1U << (protocol % 32))))
65820 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
65821 + /* we don't place acls on raw sockets , and sometimes
65822 + dgram/ip sockets are opened for ioctl and not
65823 + bind/connect, so we'll fake a bind learn log */
65824 + if (type == SOCK_RAW || type == SOCK_PACKET) {
65825 + __u32 fakeip = 0;
65826 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
65827 + current->role->roletype, GR_GLOBAL_UID(cred->uid),
65828 + GR_GLOBAL_GID(cred->gid), current->exec_file ?
65829 + gr_to_filename(current->exec_file->f_path.dentry,
65830 + current->exec_file->f_path.mnt) :
65831 + curr->filename, curr->filename,
65832 + &fakeip, 0, type,
65833 + protocol, GR_CONNECT, ¤t->signal->saved_ip);
65834 + } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
65835 + __u32 fakeip = 0;
65836 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
65837 + current->role->roletype, GR_GLOBAL_UID(cred->uid),
65838 + GR_GLOBAL_GID(cred->gid), current->exec_file ?
65839 + gr_to_filename(current->exec_file->f_path.dentry,
65840 + current->exec_file->f_path.mnt) :
65841 + curr->filename, curr->filename,
65842 + &fakeip, 0, type,
65843 + protocol, GR_BIND, ¤t->signal->saved_ip);
65845 + /* we'll log when they use connect or bind */
65850 + if (domain == PF_INET)
65851 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(domain),
65852 + gr_socktype_to_name(type), gr_proto_to_name(protocol));
65854 +#ifndef CONFIG_IPV6
65855 + if (domain != PF_INET6)
65857 + gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(domain),
65858 + gr_socktype_to_name(type), protocol);
65865 +int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
65867 + if ((ip->mode & mode) &&
65868 + (ip_port >= ip->low) &&
65869 + (ip_port <= ip->high) &&
65870 + ((ntohl(ip_addr) & our_netmask) ==
65871 + (ntohl(our_addr) & our_netmask))
65872 + && (ip->proto[protocol / 32] & (1U << (protocol % 32)))
65873 + && (ip->type & (1U << type))) {
65874 + if (ip->mode & GR_INVERT)
65875 + return 2; // specifically denied
65877 + return 1; // allowed
65880 + return 0; // not specifically allowed, may continue parsing
65884 +gr_search_connectbind(const int full_mode, struct sock *sk,
65885 + struct sockaddr_in *addr, const int type)
65887 + char iface[IFNAMSIZ] = {0};
65888 + struct acl_subject_label *curr;
65889 + struct acl_ip_label *ip;
65890 + struct inet_sock *isk;
65891 + struct net_device *dev;
65892 + struct in_device *idev;
65895 + int mode = full_mode & (GR_BIND | GR_CONNECT);
65896 + __u32 ip_addr = 0;
65898 + __u32 our_netmask;
65900 + __u16 ip_port = 0;
65901 + const struct cred *cred = current_cred();
65903 + if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
65906 + curr = current->acl;
65907 + isk = inet_sk(sk);
65909 + /* INADDR_ANY overriding for binds, inaddr_any_override is already in network order */
65910 + if ((full_mode & GR_BINDOVERRIDE) && addr->sin_addr.s_addr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0)
65911 + addr->sin_addr.s_addr = curr->inaddr_any_override;
65912 + if ((full_mode & GR_CONNECT) && isk->inet_saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {
65913 + struct sockaddr_in saddr;
65916 + saddr.sin_family = AF_INET;
65917 + saddr.sin_addr.s_addr = curr->inaddr_any_override;
65918 + saddr.sin_port = isk->inet_sport;
65920 + err = security_socket_bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
65924 + err = sk->sk_socket->ops->bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
65932 + ip_addr = addr->sin_addr.s_addr;
65933 + ip_port = ntohs(addr->sin_port);
65935 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
65936 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
65937 + current->role->roletype, GR_GLOBAL_UID(cred->uid),
65938 + GR_GLOBAL_GID(cred->gid), current->exec_file ?
65939 + gr_to_filename(current->exec_file->f_path.dentry,
65940 + current->exec_file->f_path.mnt) :
65941 + curr->filename, curr->filename,
65942 + &ip_addr, ip_port, type,
65943 + sk->sk_protocol, mode, ¤t->signal->saved_ip);
65947 + for (i = 0; i < curr->ip_num; i++) {
65948 + ip = *(curr->ips + i);
65949 + if (ip->iface != NULL) {
65950 + strncpy(iface, ip->iface, IFNAMSIZ - 1);
65951 + p = strchr(iface, ':');
65954 + dev = dev_get_by_name(sock_net(sk), iface);
65957 + idev = in_dev_get(dev);
65958 + if (idev == NULL) {
65964 + if (!strcmp(ip->iface, ifa->ifa_label)) {
65965 + our_addr = ifa->ifa_address;
65966 + our_netmask = 0xffffffff;
65967 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
65969 + rcu_read_unlock();
65970 + in_dev_put(idev);
65973 + } else if (ret == 2) {
65974 + rcu_read_unlock();
65975 + in_dev_put(idev);
65980 + } endfor_ifa(idev);
65981 + rcu_read_unlock();
65982 + in_dev_put(idev);
65985 + our_addr = ip->addr;
65986 + our_netmask = ip->netmask;
65987 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
65990 + else if (ret == 2)
65996 + if (mode == GR_BIND)
65997 + gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
65998 + else if (mode == GR_CONNECT)
65999 + gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
66005 +gr_search_connect(struct socket *sock, struct sockaddr_in *addr)
66007 + /* always allow disconnection of dgram sockets with connect */
66008 + if (addr->sin_family == AF_UNSPEC)
66010 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sock->sk, addr, sock->type);
66014 +gr_search_bind(struct socket *sock, struct sockaddr_in *addr)
66016 + return gr_search_connectbind(GR_BIND | GR_BINDOVERRIDE, sock->sk, addr, sock->type);
66019 +int gr_search_listen(struct socket *sock)
66021 + struct sock *sk = sock->sk;
66022 + struct sockaddr_in addr;
66024 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
66025 + addr.sin_port = inet_sk(sk)->inet_sport;
66027 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
66030 +int gr_search_accept(struct socket *sock)
66032 + struct sock *sk = sock->sk;
66033 + struct sockaddr_in addr;
66035 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
66036 + addr.sin_port = inet_sk(sk)->inet_sport;
66038 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
66042 +gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr)
66045 + return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
66047 + struct sockaddr_in sin;
66048 + const struct inet_sock *inet = inet_sk(sk);
66050 + sin.sin_addr.s_addr = inet->inet_daddr;
66051 + sin.sin_port = inet->inet_dport;
66053 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
66058 +gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb)
66060 + struct sockaddr_in sin;
66062 + if (unlikely(skb->len < sizeof (struct udphdr)))
66063 + return 0; // skip this packet
66065 + sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
66066 + sin.sin_port = udp_hdr(skb)->source;
66068 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
66070 diff --git a/grsecurity/gracl_learn.c b/grsecurity/gracl_learn.c
66071 new file mode 100644
66072 index 0000000..25f54ef
66074 +++ b/grsecurity/gracl_learn.c
66076 +#include <linux/kernel.h>
66077 +#include <linux/mm.h>
66078 +#include <linux/sched.h>
66079 +#include <linux/poll.h>
66080 +#include <linux/string.h>
66081 +#include <linux/file.h>
66082 +#include <linux/types.h>
66083 +#include <linux/vmalloc.h>
66084 +#include <linux/grinternal.h>
66086 +extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
66087 + size_t count, loff_t *ppos);
66088 +extern int gr_acl_is_enabled(void);
66090 +static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
66091 +static int gr_learn_attached;
66093 +/* use a 512k buffer */
66094 +#define LEARN_BUFFER_SIZE (512 * 1024)
66096 +static DEFINE_SPINLOCK(gr_learn_lock);
66097 +static DEFINE_MUTEX(gr_learn_user_mutex);
66099 +/* we need to maintain two buffers, so that the kernel context of grlearn
66100 + uses a semaphore around the userspace copying, and the other kernel contexts
66101 + use a spinlock when copying into the buffer, since they cannot sleep
66103 +static char *learn_buffer;
66104 +static char *learn_buffer_user;
66105 +static int learn_buffer_len;
66106 +static int learn_buffer_user_len;
66109 +read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
66111 + DECLARE_WAITQUEUE(wait, current);
66112 + ssize_t retval = 0;
66114 + add_wait_queue(&learn_wait, &wait);
66115 + set_current_state(TASK_INTERRUPTIBLE);
66117 + mutex_lock(&gr_learn_user_mutex);
66118 + spin_lock(&gr_learn_lock);
66119 + if (learn_buffer_len)
66121 + spin_unlock(&gr_learn_lock);
66122 + mutex_unlock(&gr_learn_user_mutex);
66123 + if (file->f_flags & O_NONBLOCK) {
66124 + retval = -EAGAIN;
66127 + if (signal_pending(current)) {
66128 + retval = -ERESTARTSYS;
66135 + memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
66136 + learn_buffer_user_len = learn_buffer_len;
66137 + retval = learn_buffer_len;
66138 + learn_buffer_len = 0;
66140 + spin_unlock(&gr_learn_lock);
66142 + if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
66143 + retval = -EFAULT;
66145 + mutex_unlock(&gr_learn_user_mutex);
66147 + set_current_state(TASK_RUNNING);
66148 + remove_wait_queue(&learn_wait, &wait);
66152 +static unsigned int
66153 +poll_learn(struct file * file, poll_table * wait)
66155 + poll_wait(file, &learn_wait, wait);
66157 + if (learn_buffer_len)
66158 + return (POLLIN | POLLRDNORM);
66164 +gr_clear_learn_entries(void)
66168 + mutex_lock(&gr_learn_user_mutex);
66169 + spin_lock(&gr_learn_lock);
66170 + tmp = learn_buffer;
66171 + learn_buffer = NULL;
66172 + spin_unlock(&gr_learn_lock);
66175 + if (learn_buffer_user != NULL) {
66176 + vfree(learn_buffer_user);
66177 + learn_buffer_user = NULL;
66179 + learn_buffer_len = 0;
66180 + mutex_unlock(&gr_learn_user_mutex);
66186 +gr_add_learn_entry(const char *fmt, ...)
66189 + unsigned int len;
66191 + if (!gr_learn_attached)
66194 + spin_lock(&gr_learn_lock);
66196 + /* leave a gap at the end so we know when it's "full" but don't have to
66197 + compute the exact length of the string we're trying to append
66199 + if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
66200 + spin_unlock(&gr_learn_lock);
66201 + wake_up_interruptible(&learn_wait);
66204 + if (learn_buffer == NULL) {
66205 + spin_unlock(&gr_learn_lock);
66209 + va_start(args, fmt);
66210 + len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
66213 + learn_buffer_len += len + 1;
66215 + spin_unlock(&gr_learn_lock);
66216 + wake_up_interruptible(&learn_wait);
66222 +open_learn(struct inode *inode, struct file *file)
66224 + if (file->f_mode & FMODE_READ && gr_learn_attached)
66226 + if (file->f_mode & FMODE_READ) {
66228 + mutex_lock(&gr_learn_user_mutex);
66229 + if (learn_buffer == NULL)
66230 + learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
66231 + if (learn_buffer_user == NULL)
66232 + learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
66233 + if (learn_buffer == NULL) {
66234 + retval = -ENOMEM;
66237 + if (learn_buffer_user == NULL) {
66238 + retval = -ENOMEM;
66241 + learn_buffer_len = 0;
66242 + learn_buffer_user_len = 0;
66243 + gr_learn_attached = 1;
66245 + mutex_unlock(&gr_learn_user_mutex);
66252 +close_learn(struct inode *inode, struct file *file)
66254 + if (file->f_mode & FMODE_READ) {
66255 + char *tmp = NULL;
66256 + mutex_lock(&gr_learn_user_mutex);
66257 + spin_lock(&gr_learn_lock);
66258 + tmp = learn_buffer;
66259 + learn_buffer = NULL;
66260 + spin_unlock(&gr_learn_lock);
66263 + if (learn_buffer_user != NULL) {
66264 + vfree(learn_buffer_user);
66265 + learn_buffer_user = NULL;
66267 + learn_buffer_len = 0;
66268 + learn_buffer_user_len = 0;
66269 + gr_learn_attached = 0;
66270 + mutex_unlock(&gr_learn_user_mutex);
66276 +const struct file_operations grsec_fops = {
66277 + .read = read_learn,
66278 + .write = write_grsec_handler,
66279 + .open = open_learn,
66280 + .release = close_learn,
66281 + .poll = poll_learn,
66283 diff --git a/grsecurity/gracl_res.c b/grsecurity/gracl_res.c
66284 new file mode 100644
66285 index 0000000..39645c9
66287 +++ b/grsecurity/gracl_res.c
66289 +#include <linux/kernel.h>
66290 +#include <linux/sched.h>
66291 +#include <linux/gracl.h>
66292 +#include <linux/grinternal.h>
66294 +static const char *restab_log[] = {
66295 + [RLIMIT_CPU] = "RLIMIT_CPU",
66296 + [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
66297 + [RLIMIT_DATA] = "RLIMIT_DATA",
66298 + [RLIMIT_STACK] = "RLIMIT_STACK",
66299 + [RLIMIT_CORE] = "RLIMIT_CORE",
66300 + [RLIMIT_RSS] = "RLIMIT_RSS",
66301 + [RLIMIT_NPROC] = "RLIMIT_NPROC",
66302 + [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
66303 + [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
66304 + [RLIMIT_AS] = "RLIMIT_AS",
66305 + [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
66306 + [RLIMIT_SIGPENDING] = "RLIMIT_SIGPENDING",
66307 + [RLIMIT_MSGQUEUE] = "RLIMIT_MSGQUEUE",
66308 + [RLIMIT_NICE] = "RLIMIT_NICE",
66309 + [RLIMIT_RTPRIO] = "RLIMIT_RTPRIO",
66310 + [RLIMIT_RTTIME] = "RLIMIT_RTTIME",
66311 + [GR_CRASH_RES] = "RLIMIT_CRASH"
66315 +gr_log_resource(const struct task_struct *task,
66316 + const int res, const unsigned long wanted, const int gt)
66318 + const struct cred *cred;
66319 + unsigned long rlim;
66321 + if (!gr_acl_is_enabled() && !grsec_resource_logging)
66324 + // not yet supported resource
66325 + if (unlikely(!restab_log[res]))
66328 + if (res == RLIMIT_CPU || res == RLIMIT_RTTIME)
66329 + rlim = task_rlimit_max(task, res);
66331 + rlim = task_rlimit(task, res);
66333 + if (likely((rlim == RLIM_INFINITY) || (gt && wanted <= rlim) || (!gt && wanted < rlim)))
66337 + cred = __task_cred(task);
66339 + if (res == RLIMIT_NPROC &&
66340 + (cap_raised(cred->cap_effective, CAP_SYS_ADMIN) ||
66341 + cap_raised(cred->cap_effective, CAP_SYS_RESOURCE)))
66342 + goto out_rcu_unlock;
66343 + else if (res == RLIMIT_MEMLOCK &&
66344 + cap_raised(cred->cap_effective, CAP_IPC_LOCK))
66345 + goto out_rcu_unlock;
66346 + else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
66347 + goto out_rcu_unlock;
66348 + rcu_read_unlock();
66350 + gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], rlim);
66354 + rcu_read_unlock();
66357 diff --git a/grsecurity/gracl_segv.c b/grsecurity/gracl_segv.c
66358 new file mode 100644
66359 index 0000000..3c38bfe
66361 +++ b/grsecurity/gracl_segv.c
66363 +#include <linux/kernel.h>
66364 +#include <linux/mm.h>
66365 +#include <asm/uaccess.h>
66366 +#include <asm/errno.h>
66367 +#include <asm/mman.h>
66368 +#include <net/sock.h>
66369 +#include <linux/file.h>
66370 +#include <linux/fs.h>
66371 +#include <linux/net.h>
66372 +#include <linux/in.h>
66373 +#include <linux/slab.h>
66374 +#include <linux/types.h>
66375 +#include <linux/sched.h>
66376 +#include <linux/timer.h>
66377 +#include <linux/gracl.h>
66378 +#include <linux/grsecurity.h>
66379 +#include <linux/grinternal.h>
66380 +#if defined(CONFIG_BTRFS_FS) || defined(CONFIG_BTRFS_FS_MODULE)
66381 +#include <linux/magic.h>
66382 +#include <linux/pagemap.h>
66383 +#include "../fs/btrfs/async-thread.h"
66384 +#include "../fs/btrfs/ctree.h"
66385 +#include "../fs/btrfs/btrfs_inode.h"
66388 +static struct crash_uid *uid_set;
66389 +static unsigned short uid_used;
66390 +static DEFINE_SPINLOCK(gr_uid_lock);
66391 +extern rwlock_t gr_inode_lock;
66392 +extern struct acl_subject_label *
66393 + lookup_acl_subj_label(const ino_t inode, const dev_t dev,
66394 + struct acl_role_label *role);
66396 +static inline dev_t __get_dev(const struct dentry *dentry)
66398 +#if defined(CONFIG_BTRFS_FS) || defined(CONFIG_BTRFS_FS_MODULE)
66399 + if (dentry->d_sb->s_magic == BTRFS_SUPER_MAGIC)
66400 + return BTRFS_I(dentry->d_inode)->root->anon_dev;
66403 + return dentry->d_sb->s_dev;
66407 +gr_init_uidset(void)
66410 + kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
66413 + return uid_set ? 1 : 0;
66417 +gr_free_uidset(void)
66426 +gr_find_uid(const uid_t uid)
66428 + struct crash_uid *tmp = uid_set;
66430 + int low = 0, high = uid_used - 1, mid;
66432 + while (high >= low) {
66433 + mid = (low + high) >> 1;
66434 + buid = tmp[mid].uid;
66446 +static __inline__ void
66447 +gr_insertsort(void)
66449 + unsigned short i, j;
66450 + struct crash_uid index;
66452 + for (i = 1; i < uid_used; i++) {
66453 + index = uid_set[i];
66455 + while ((j > 0) && uid_set[j - 1].uid > index.uid) {
66456 + uid_set[j] = uid_set[j - 1];
66459 + uid_set[j] = index;
66465 +static __inline__ void
66466 +gr_insert_uid(const kuid_t kuid, const unsigned long expires)
66469 + uid_t uid = GR_GLOBAL_UID(kuid);
66471 + if (uid_used == GR_UIDTABLE_MAX)
66474 + loc = gr_find_uid(uid);
66477 + uid_set[loc].expires = expires;
66481 + uid_set[uid_used].uid = uid;
66482 + uid_set[uid_used].expires = expires;
66491 +gr_remove_uid(const unsigned short loc)
66493 + unsigned short i;
66495 + for (i = loc + 1; i < uid_used; i++)
66496 + uid_set[i - 1] = uid_set[i];
66504 +gr_check_crash_uid(const kuid_t kuid)
66510 + if (unlikely(!gr_acl_is_enabled()))
66513 + uid = GR_GLOBAL_UID(kuid);
66515 + spin_lock(&gr_uid_lock);
66516 + loc = gr_find_uid(uid);
66521 + if (time_before_eq(uid_set[loc].expires, get_seconds()))
66522 + gr_remove_uid(loc);
66527 + spin_unlock(&gr_uid_lock);
66531 +static __inline__ int
66532 +proc_is_setxid(const struct cred *cred)
66534 + if (!uid_eq(cred->uid, cred->euid) || !uid_eq(cred->uid, cred->suid) ||
66535 + !uid_eq(cred->uid, cred->fsuid))
66537 + if (!gid_eq(cred->gid, cred->egid) || !gid_eq(cred->gid, cred->sgid) ||
66538 + !gid_eq(cred->gid, cred->fsgid))
66544 +extern int gr_fake_force_sig(int sig, struct task_struct *t);
66547 +gr_handle_crash(struct task_struct *task, const int sig)
66549 + struct acl_subject_label *curr;
66550 + struct task_struct *tsk, *tsk2;
66551 + const struct cred *cred;
66552 + const struct cred *cred2;
66554 + if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
66557 + if (unlikely(!gr_acl_is_enabled()))
66560 + curr = task->acl;
66562 + if (!(curr->resmask & (1U << GR_CRASH_RES)))
66565 + if (time_before_eq(curr->expires, get_seconds())) {
66566 + curr->expires = 0;
66567 + curr->crashes = 0;
66572 + if (!curr->expires)
66573 + curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
66575 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
66576 + time_after(curr->expires, get_seconds())) {
66578 + cred = __task_cred(task);
66579 + if (gr_is_global_nonroot(cred->uid) && proc_is_setxid(cred)) {
66580 + gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
66581 + spin_lock(&gr_uid_lock);
66582 + gr_insert_uid(cred->uid, curr->expires);
66583 + spin_unlock(&gr_uid_lock);
66584 + curr->expires = 0;
66585 + curr->crashes = 0;
66586 + read_lock(&tasklist_lock);
66587 + do_each_thread(tsk2, tsk) {
66588 + cred2 = __task_cred(tsk);
66589 + if (tsk != task && uid_eq(cred2->uid, cred->uid))
66590 + gr_fake_force_sig(SIGKILL, tsk);
66591 + } while_each_thread(tsk2, tsk);
66592 + read_unlock(&tasklist_lock);
66594 + gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
66595 + read_lock(&tasklist_lock);
66596 + read_lock(&grsec_exec_file_lock);
66597 + do_each_thread(tsk2, tsk) {
66598 + if (likely(tsk != task)) {
66599 + // if this thread has the same subject as the one that triggered
66600 + // RES_CRASH and it's the same binary, kill it
66601 + if (tsk->acl == task->acl && gr_is_same_file(tsk->exec_file, task->exec_file))
66602 + gr_fake_force_sig(SIGKILL, tsk);
66604 + } while_each_thread(tsk2, tsk);
66605 + read_unlock(&grsec_exec_file_lock);
66606 + read_unlock(&tasklist_lock);
66608 + rcu_read_unlock();
66615 +gr_check_crash_exec(const struct file *filp)
66617 + struct acl_subject_label *curr;
66619 + if (unlikely(!gr_acl_is_enabled()))
66622 + read_lock(&gr_inode_lock);
66623 + curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino,
66624 + __get_dev(filp->f_path.dentry),
66626 + read_unlock(&gr_inode_lock);
66628 + if (!curr || !(curr->resmask & (1U << GR_CRASH_RES)) ||
66629 + (!curr->crashes && !curr->expires))
66632 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
66633 + time_after(curr->expires, get_seconds()))
66635 + else if (time_before_eq(curr->expires, get_seconds())) {
66636 + curr->crashes = 0;
66637 + curr->expires = 0;
66644 +gr_handle_alertkill(struct task_struct *task)
66646 + struct acl_subject_label *curracl;
66648 + struct task_struct *p, *p2;
66650 + if (unlikely(!gr_acl_is_enabled()))
66653 + curracl = task->acl;
66654 + curr_ip = task->signal->curr_ip;
66656 + if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
66657 + read_lock(&tasklist_lock);
66658 + do_each_thread(p2, p) {
66659 + if (p->signal->curr_ip == curr_ip)
66660 + gr_fake_force_sig(SIGKILL, p);
66661 + } while_each_thread(p2, p);
66662 + read_unlock(&tasklist_lock);
66663 + } else if (curracl->mode & GR_KILLPROC)
66664 + gr_fake_force_sig(SIGKILL, task);
66668 diff --git a/grsecurity/gracl_shm.c b/grsecurity/gracl_shm.c
66669 new file mode 100644
66670 index 0000000..98011b0
66672 +++ b/grsecurity/gracl_shm.c
66674 +#include <linux/kernel.h>
66675 +#include <linux/mm.h>
66676 +#include <linux/sched.h>
66677 +#include <linux/file.h>
66678 +#include <linux/ipc.h>
66679 +#include <linux/gracl.h>
66680 +#include <linux/grsecurity.h>
66681 +#include <linux/grinternal.h>
66684 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
66685 + const time_t shm_createtime, const kuid_t cuid, const int shmid)
66687 + struct task_struct *task;
66689 + if (!gr_acl_is_enabled())
66693 + read_lock(&tasklist_lock);
66695 + task = find_task_by_vpid(shm_cprid);
66697 + if (unlikely(!task))
66698 + task = find_task_by_vpid(shm_lapid);
66700 + if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
66701 + (task_pid_nr(task) == shm_lapid)) &&
66702 + (task->acl->mode & GR_PROTSHM) &&
66703 + (task->acl != current->acl))) {
66704 + read_unlock(&tasklist_lock);
66705 + rcu_read_unlock();
66706 + gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, GR_GLOBAL_UID(cuid), shm_cprid, shmid);
66709 + read_unlock(&tasklist_lock);
66710 + rcu_read_unlock();
66714 diff --git a/grsecurity/grsec_chdir.c b/grsecurity/grsec_chdir.c
66715 new file mode 100644
66716 index 0000000..bc0be01
66718 +++ b/grsecurity/grsec_chdir.c
66720 +#include <linux/kernel.h>
66721 +#include <linux/sched.h>
66722 +#include <linux/fs.h>
66723 +#include <linux/file.h>
66724 +#include <linux/grsecurity.h>
66725 +#include <linux/grinternal.h>
66728 +gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
66730 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
66731 + if ((grsec_enable_chdir && grsec_enable_group &&
66732 + in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
66733 + !grsec_enable_group)) {
66734 + gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
66739 diff --git a/grsecurity/grsec_chroot.c b/grsecurity/grsec_chroot.c
66740 new file mode 100644
66741 index 0000000..bd6e105
66743 +++ b/grsecurity/grsec_chroot.c
66745 +#include <linux/kernel.h>
66746 +#include <linux/module.h>
66747 +#include <linux/sched.h>
66748 +#include <linux/file.h>
66749 +#include <linux/fs.h>
66750 +#include <linux/mount.h>
66751 +#include <linux/types.h>
66752 +#include "../fs/mount.h"
66753 +#include <linux/grsecurity.h>
66754 +#include <linux/grinternal.h>
66756 +#ifdef CONFIG_GRKERNSEC_CHROOT_INITRD
66757 +static int gr_init_ran;
66760 +void gr_set_chroot_entries(struct task_struct *task, const struct path *path)
66762 +#ifdef CONFIG_GRKERNSEC
66763 + if (task_pid_nr(task) > 1 && path->dentry != init_task.fs->root.dentry &&
66764 + path->dentry != task->nsproxy->mnt_ns->root->mnt.mnt_root
66765 +#ifdef CONFIG_GRKERNSEC_CHROOT_INITRD
66769 + task->gr_is_chrooted = 1;
66771 +#ifdef CONFIG_GRKERNSEC_CHROOT_INITRD
66772 + if (task_pid_nr(task) == 1 && !gr_init_ran)
66775 + task->gr_is_chrooted = 0;
66778 + task->gr_chroot_dentry = path->dentry;
66783 +void gr_clear_chroot_entries(struct task_struct *task)
66785 +#ifdef CONFIG_GRKERNSEC
66786 + task->gr_is_chrooted = 0;
66787 + task->gr_chroot_dentry = NULL;
66793 +gr_handle_chroot_unix(const pid_t pid)
66795 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
66796 + struct task_struct *p;
66798 + if (unlikely(!grsec_enable_chroot_unix))
66801 + if (likely(!proc_is_chrooted(current)))
66805 + read_lock(&tasklist_lock);
66806 + p = find_task_by_vpid_unrestricted(pid);
66807 + if (unlikely(p && !have_same_root(current, p))) {
66808 + read_unlock(&tasklist_lock);
66809 + rcu_read_unlock();
66810 + gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
66813 + read_unlock(&tasklist_lock);
66814 + rcu_read_unlock();
66820 +gr_handle_chroot_nice(void)
66822 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
66823 + if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
66824 + gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
66832 +gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
66834 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
66835 + if (grsec_enable_chroot_nice && (niceval < task_nice(p))
66836 + && proc_is_chrooted(current)) {
66837 + gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, task_pid_nr(p));
66845 +gr_handle_chroot_fowner(struct pid *pid, enum pid_type type)
66847 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
66848 + struct task_struct *p;
66850 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || !pid)
66853 + read_lock(&tasklist_lock);
66854 + do_each_pid_task(pid, type, p) {
66855 + if (!have_same_root(current, p)) {
66859 + } while_each_pid_task(pid, type, p);
66861 + read_unlock(&tasklist_lock);
66868 +gr_pid_is_chrooted(struct task_struct *p)
66870 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
66871 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
66874 + if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
66875 + !have_same_root(current, p)) {
66882 +EXPORT_SYMBOL(gr_pid_is_chrooted);
66884 +#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
66885 +int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
66887 + struct path path, currentroot;
66890 + path.dentry = (struct dentry *)u_dentry;
66891 + path.mnt = (struct vfsmount *)u_mnt;
66892 + get_fs_root(current->fs, ¤troot);
66893 + if (path_is_under(&path, ¤troot))
66895 + path_put(¤troot);
66902 +gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
66904 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
66905 + if (!grsec_enable_chroot_fchdir)
66908 + if (!proc_is_chrooted(current))
66910 + else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
66911 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
66919 +gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
66920 + const time_t shm_createtime)
66922 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
66923 + struct task_struct *p;
66924 + time_t starttime;
66926 + if (unlikely(!grsec_enable_chroot_shmat))
66929 + if (likely(!proc_is_chrooted(current)))
66933 + read_lock(&tasklist_lock);
66935 + if ((p = find_task_by_vpid_unrestricted(shm_cprid))) {
66936 + starttime = p->start_time.tv_sec;
66937 + if (time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime)) {
66938 + if (have_same_root(current, p)) {
66941 + read_unlock(&tasklist_lock);
66942 + rcu_read_unlock();
66943 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
66947 + /* creator exited, pid reuse, fall through to next check */
66949 + if ((p = find_task_by_vpid_unrestricted(shm_lapid))) {
66950 + if (unlikely(!have_same_root(current, p))) {
66951 + read_unlock(&tasklist_lock);
66952 + rcu_read_unlock();
66953 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
66959 + read_unlock(&tasklist_lock);
66960 + rcu_read_unlock();
66966 +gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
66968 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
66969 + if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
66970 + gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
66976 +gr_handle_chroot_mknod(const struct dentry *dentry,
66977 + const struct vfsmount *mnt, const int mode)
66979 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
66980 + if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
66981 + proc_is_chrooted(current)) {
66982 + gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
66990 +gr_handle_chroot_mount(const struct dentry *dentry,
66991 + const struct vfsmount *mnt, const char *dev_name)
66993 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
66994 + if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
66995 + gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name ? dev_name : "none", dentry, mnt);
67003 +gr_handle_chroot_pivot(void)
67005 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
67006 + if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
67007 + gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
67015 +gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
67017 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
67018 + if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
67019 + !gr_is_outside_chroot(dentry, mnt)) {
67020 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
67027 +extern const char *captab_log[];
67028 +extern int captab_log_entries;
67031 +gr_task_chroot_is_capable(const struct task_struct *task, const struct cred *cred, const int cap)
67033 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
67034 + if (grsec_enable_chroot_caps && proc_is_chrooted(task)) {
67035 + kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
67036 + if (cap_raised(chroot_caps, cap)) {
67037 + if (cap_raised(cred->cap_effective, cap) && cap < captab_log_entries) {
67038 + gr_log_cap(GR_DONT_AUDIT, GR_CAP_CHROOT_MSG, task, captab_log[cap]);
67048 +gr_chroot_is_capable(const int cap)
67050 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
67051 + return gr_task_chroot_is_capable(current, current_cred(), cap);
67057 +gr_task_chroot_is_capable_nolog(const struct task_struct *task, const int cap)
67059 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
67060 + if (grsec_enable_chroot_caps && proc_is_chrooted(task)) {
67061 + kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
67062 + if (cap_raised(chroot_caps, cap)) {
67071 +gr_chroot_is_capable_nolog(const int cap)
67073 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
67074 + return gr_task_chroot_is_capable_nolog(current, cap);
67080 +gr_handle_chroot_sysctl(const int op)
67082 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
67083 + if (grsec_enable_chroot_sysctl && (op & MAY_WRITE) &&
67084 + proc_is_chrooted(current))
67091 +gr_handle_chroot_chdir(const struct path *path)
67093 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
67094 + if (grsec_enable_chroot_chdir)
67095 + set_fs_pwd(current->fs, path);
67101 +gr_handle_chroot_chmod(const struct dentry *dentry,
67102 + const struct vfsmount *mnt, const int mode)
67104 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
67105 + /* allow chmod +s on directories, but not files */
67106 + if (grsec_enable_chroot_chmod && !S_ISDIR(dentry->d_inode->i_mode) &&
67107 + ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
67108 + proc_is_chrooted(current)) {
67109 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
67115 diff --git a/grsecurity/grsec_disabled.c b/grsecurity/grsec_disabled.c
67116 new file mode 100644
67117 index 0000000..ce65ceb
67119 +++ b/grsecurity/grsec_disabled.c
67121 +#include <linux/kernel.h>
67122 +#include <linux/module.h>
67123 +#include <linux/sched.h>
67124 +#include <linux/file.h>
67125 +#include <linux/fs.h>
67126 +#include <linux/kdev_t.h>
67127 +#include <linux/net.h>
67128 +#include <linux/in.h>
67129 +#include <linux/ip.h>
67130 +#include <linux/skbuff.h>
67131 +#include <linux/sysctl.h>
67133 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
67135 +pax_set_initial_flags(struct linux_binprm *bprm)
67141 +#ifdef CONFIG_SYSCTL
67143 +gr_handle_sysctl(const struct ctl_table * table, const int op)
67149 +#ifdef CONFIG_TASKSTATS
67150 +int gr_is_taskstats_denied(int pid)
67157 +gr_acl_is_enabled(void)
67163 +gr_handle_proc_create(const struct dentry *dentry, const struct inode *inode)
67169 +gr_handle_rawio(const struct inode *inode)
67175 +gr_acl_handle_psacct(struct task_struct *task, const long code)
67181 +gr_handle_ptrace(struct task_struct *task, const long request)
67187 +gr_handle_proc_ptrace(struct task_struct *task)
67193 +gr_set_acls(const int type)
67199 +gr_check_hidden_task(const struct task_struct *tsk)
67205 +gr_check_protected_task(const struct task_struct *task)
67211 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
67217 +gr_copy_label(struct task_struct *tsk)
67223 +gr_set_pax_flags(struct task_struct *task)
67229 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
67230 + const int unsafe_share)
67236 +gr_handle_delete(const ino_t ino, const dev_t dev)
67242 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
67248 +gr_handle_crash(struct task_struct *task, const int sig)
67254 +gr_check_crash_exec(const struct file *filp)
67260 +gr_check_crash_uid(const kuid_t uid)
67266 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
67267 + struct dentry *old_dentry,
67268 + struct dentry *new_dentry,
67269 + struct vfsmount *mnt, const __u8 replace)
67275 +gr_search_socket(const int family, const int type, const int protocol)
67281 +gr_search_connectbind(const int mode, const struct socket *sock,
67282 + const struct sockaddr_in *addr)
67288 +gr_handle_alertkill(struct task_struct *task)
67294 +gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
67300 +gr_acl_handle_hidden_file(const struct dentry * dentry,
67301 + const struct vfsmount * mnt)
67307 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
67314 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
67320 +gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
67326 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
67327 + unsigned int *vm_flags)
67333 +gr_acl_handle_truncate(const struct dentry * dentry,
67334 + const struct vfsmount * mnt)
67340 +gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
67346 +gr_acl_handle_access(const struct dentry * dentry,
67347 + const struct vfsmount * mnt, const int fmode)
67353 +gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
67360 +gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
67366 +gr_acl_handle_setxattr(const struct dentry * dentry, const struct vfsmount * mnt)
67372 +grsecurity_init(void)
67377 +umode_t gr_acl_umask(void)
67383 +gr_acl_handle_mknod(const struct dentry * new_dentry,
67384 + const struct dentry * parent_dentry,
67385 + const struct vfsmount * parent_mnt,
67392 +gr_acl_handle_mkdir(const struct dentry * new_dentry,
67393 + const struct dentry * parent_dentry,
67394 + const struct vfsmount * parent_mnt)
67400 +gr_acl_handle_symlink(const struct dentry * new_dentry,
67401 + const struct dentry * parent_dentry,
67402 + const struct vfsmount * parent_mnt, const struct filename *from)
67408 +gr_acl_handle_link(const struct dentry * new_dentry,
67409 + const struct dentry * parent_dentry,
67410 + const struct vfsmount * parent_mnt,
67411 + const struct dentry * old_dentry,
67412 + const struct vfsmount * old_mnt, const struct filename *to)
67418 +gr_acl_handle_rename(const struct dentry *new_dentry,
67419 + const struct dentry *parent_dentry,
67420 + const struct vfsmount *parent_mnt,
67421 + const struct dentry *old_dentry,
67422 + const struct inode *old_parent_inode,
67423 + const struct vfsmount *old_mnt, const struct filename *newname)
67429 +gr_acl_handle_filldir(const struct file *file, const char *name,
67430 + const int namelen, const ino_t ino)
67436 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
67437 + const time_t shm_createtime, const kuid_t cuid, const int shmid)
67443 +gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
67449 +gr_search_accept(const struct socket *sock)
67455 +gr_search_listen(const struct socket *sock)
67461 +gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
67467 +gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
67473 +gr_acl_handle_creat(const struct dentry * dentry,
67474 + const struct dentry * p_dentry,
67475 + const struct vfsmount * p_mnt, int open_flags, int acc_mode,
67482 +gr_acl_handle_exit(void)
67488 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
67494 +gr_set_role_label(const kuid_t uid, const kgid_t gid)
67500 +gr_acl_handle_procpidmem(const struct task_struct *task)
67506 +gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
67512 +gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
67518 +gr_set_kernel_label(struct task_struct *task)
67524 +gr_check_user_change(kuid_t real, kuid_t effective, kuid_t fs)
67530 +gr_check_group_change(kgid_t real, kgid_t effective, kgid_t fs)
67535 +int gr_acl_enable_at_secure(void)
67540 +dev_t gr_get_dev_from_dentry(struct dentry *dentry)
67542 + return dentry->d_sb->s_dev;
67545 +void gr_put_exec_file(struct task_struct *task)
67550 +EXPORT_SYMBOL(gr_set_kernel_label);
67551 +#ifdef CONFIG_SECURITY
67552 +EXPORT_SYMBOL(gr_check_user_change);
67553 +EXPORT_SYMBOL(gr_check_group_change);
67555 diff --git a/grsecurity/grsec_exec.c b/grsecurity/grsec_exec.c
67556 new file mode 100644
67557 index 0000000..387032b
67559 +++ b/grsecurity/grsec_exec.c
67561 +#include <linux/kernel.h>
67562 +#include <linux/sched.h>
67563 +#include <linux/file.h>
67564 +#include <linux/binfmts.h>
67565 +#include <linux/fs.h>
67566 +#include <linux/types.h>
67567 +#include <linux/grdefs.h>
67568 +#include <linux/grsecurity.h>
67569 +#include <linux/grinternal.h>
67570 +#include <linux/capability.h>
67571 +#include <linux/module.h>
67572 +#include <linux/compat.h>
67574 +#include <asm/uaccess.h>
67576 +#ifdef CONFIG_GRKERNSEC_EXECLOG
67577 +static char gr_exec_arg_buf[132];
67578 +static DEFINE_MUTEX(gr_exec_arg_mutex);
67581 +struct user_arg_ptr {
67582 +#ifdef CONFIG_COMPAT
67586 + const char __user *const __user *native;
67587 +#ifdef CONFIG_COMPAT
67588 + const compat_uptr_t __user *compat;
67593 +extern const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr);
67596 +gr_handle_exec_args(struct linux_binprm *bprm, struct user_arg_ptr argv)
67598 +#ifdef CONFIG_GRKERNSEC_EXECLOG
67599 + char *grarg = gr_exec_arg_buf;
67600 + unsigned int i, x, execlen = 0;
67603 + if (!((grsec_enable_execlog && grsec_enable_group &&
67604 + in_group_p(grsec_audit_gid))
67605 + || (grsec_enable_execlog && !grsec_enable_group)))
67608 + mutex_lock(&gr_exec_arg_mutex);
67609 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
67611 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
67612 + const char __user *p;
67613 + unsigned int len;
67615 + p = get_user_arg_ptr(argv, i);
67619 + len = strnlen_user(p, 128 - execlen);
67620 + if (len > 128 - execlen)
67621 + len = 128 - execlen;
67622 + else if (len > 0)
67624 + if (copy_from_user(grarg + execlen, p, len))
67627 + /* rewrite unprintable characters */
67628 + for (x = 0; x < len; x++) {
67629 + c = *(grarg + execlen + x);
67630 + if (c < 32 || c > 126)
67631 + *(grarg + execlen + x) = ' ';
67635 + *(grarg + execlen) = ' ';
67636 + *(grarg + execlen + 1) = '\0';
67641 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
67642 + bprm->file->f_path.mnt, grarg);
67643 + mutex_unlock(&gr_exec_arg_mutex);
67648 +#ifdef CONFIG_GRKERNSEC
67649 +extern int gr_acl_is_capable(const int cap);
67650 +extern int gr_acl_is_capable_nolog(const int cap);
67651 +extern int gr_task_acl_is_capable(const struct task_struct *task, const struct cred *cred, const int cap);
67652 +extern int gr_task_acl_is_capable_nolog(const struct task_struct *task, const int cap);
67653 +extern int gr_chroot_is_capable(const int cap);
67654 +extern int gr_chroot_is_capable_nolog(const int cap);
67655 +extern int gr_task_chroot_is_capable(const struct task_struct *task, const struct cred *cred, const int cap);
67656 +extern int gr_task_chroot_is_capable_nolog(const struct task_struct *task, const int cap);
67659 +const char *captab_log[] = {
67661 + "CAP_DAC_OVERRIDE",
67662 + "CAP_DAC_READ_SEARCH",
67669 + "CAP_LINUX_IMMUTABLE",
67670 + "CAP_NET_BIND_SERVICE",
67671 + "CAP_NET_BROADCAST",
67676 + "CAP_SYS_MODULE",
67678 + "CAP_SYS_CHROOT",
67679 + "CAP_SYS_PTRACE",
67684 + "CAP_SYS_RESOURCE",
67686 + "CAP_SYS_TTY_CONFIG",
67689 + "CAP_AUDIT_WRITE",
67690 + "CAP_AUDIT_CONTROL",
67692 + "CAP_MAC_OVERRIDE",
67698 +int captab_log_entries = sizeof(captab_log)/sizeof(captab_log[0]);
67700 +int gr_is_capable(const int cap)
67702 +#ifdef CONFIG_GRKERNSEC
67703 + if (gr_acl_is_capable(cap) && gr_chroot_is_capable(cap))
67711 +int gr_task_is_capable(const struct task_struct *task, const struct cred *cred, const int cap)
67713 +#ifdef CONFIG_GRKERNSEC
67714 + if (gr_task_acl_is_capable(task, cred, cap) && gr_task_chroot_is_capable(task, cred, cap))
67722 +int gr_is_capable_nolog(const int cap)
67724 +#ifdef CONFIG_GRKERNSEC
67725 + if (gr_acl_is_capable_nolog(cap) && gr_chroot_is_capable_nolog(cap))
67733 +int gr_task_is_capable_nolog(const struct task_struct *task, const int cap)
67735 +#ifdef CONFIG_GRKERNSEC
67736 + if (gr_task_acl_is_capable_nolog(task, cap) && gr_task_chroot_is_capable_nolog(task, cap))
67744 +EXPORT_SYMBOL(gr_is_capable);
67745 +EXPORT_SYMBOL(gr_is_capable_nolog);
67746 +EXPORT_SYMBOL(gr_task_is_capable);
67747 +EXPORT_SYMBOL(gr_task_is_capable_nolog);
67748 diff --git a/grsecurity/grsec_fifo.c b/grsecurity/grsec_fifo.c
67749 new file mode 100644
67750 index 0000000..06cc6ea
67752 +++ b/grsecurity/grsec_fifo.c
67754 +#include <linux/kernel.h>
67755 +#include <linux/sched.h>
67756 +#include <linux/fs.h>
67757 +#include <linux/file.h>
67758 +#include <linux/grinternal.h>
67761 +gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
67762 + const struct dentry *dir, const int flag, const int acc_mode)
67764 +#ifdef CONFIG_GRKERNSEC_FIFO
67765 + const struct cred *cred = current_cred();
67767 + if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
67768 + !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
67769 + !uid_eq(dentry->d_inode->i_uid, dir->d_inode->i_uid) &&
67770 + !uid_eq(cred->fsuid, dentry->d_inode->i_uid)) {
67771 + if (!inode_permission(dentry->d_inode, acc_mode))
67772 + gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, GR_GLOBAL_UID(dentry->d_inode->i_uid), GR_GLOBAL_GID(dentry->d_inode->i_gid));
67778 diff --git a/grsecurity/grsec_fork.c b/grsecurity/grsec_fork.c
67779 new file mode 100644
67780 index 0000000..8ca18bf
67782 +++ b/grsecurity/grsec_fork.c
67784 +#include <linux/kernel.h>
67785 +#include <linux/sched.h>
67786 +#include <linux/grsecurity.h>
67787 +#include <linux/grinternal.h>
67788 +#include <linux/errno.h>
67791 +gr_log_forkfail(const int retval)
67793 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
67794 + if (grsec_enable_forkfail && (retval == -EAGAIN || retval == -ENOMEM)) {
67795 + switch (retval) {
67797 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "EAGAIN");
67800 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "ENOMEM");
67807 diff --git a/grsecurity/grsec_init.c b/grsecurity/grsec_init.c
67808 new file mode 100644
67809 index 0000000..ab2d875
67811 +++ b/grsecurity/grsec_init.c
67813 +#include <linux/kernel.h>
67814 +#include <linux/sched.h>
67815 +#include <linux/mm.h>
67816 +#include <linux/gracl.h>
67817 +#include <linux/slab.h>
67818 +#include <linux/vmalloc.h>
67819 +#include <linux/percpu.h>
67820 +#include <linux/module.h>
67822 +int grsec_enable_ptrace_readexec;
67823 +int grsec_enable_setxid;
67824 +int grsec_enable_symlinkown;
67825 +kgid_t grsec_symlinkown_gid;
67826 +int grsec_enable_brute;
67827 +int grsec_enable_link;
67828 +int grsec_enable_dmesg;
67829 +int grsec_enable_harden_ptrace;
67830 +int grsec_enable_fifo;
67831 +int grsec_enable_execlog;
67832 +int grsec_enable_signal;
67833 +int grsec_enable_forkfail;
67834 +int grsec_enable_audit_ptrace;
67835 +int grsec_enable_time;
67836 +int grsec_enable_group;
67837 +kgid_t grsec_audit_gid;
67838 +int grsec_enable_chdir;
67839 +int grsec_enable_mount;
67840 +int grsec_enable_rofs;
67841 +int grsec_enable_chroot_findtask;
67842 +int grsec_enable_chroot_mount;
67843 +int grsec_enable_chroot_shmat;
67844 +int grsec_enable_chroot_fchdir;
67845 +int grsec_enable_chroot_double;
67846 +int grsec_enable_chroot_pivot;
67847 +int grsec_enable_chroot_chdir;
67848 +int grsec_enable_chroot_chmod;
67849 +int grsec_enable_chroot_mknod;
67850 +int grsec_enable_chroot_nice;
67851 +int grsec_enable_chroot_execlog;
67852 +int grsec_enable_chroot_caps;
67853 +int grsec_enable_chroot_sysctl;
67854 +int grsec_enable_chroot_unix;
67855 +int grsec_enable_tpe;
67856 +kgid_t grsec_tpe_gid;
67857 +int grsec_enable_blackhole;
67858 +#ifdef CONFIG_IPV6_MODULE
67859 +EXPORT_SYMBOL(grsec_enable_blackhole);
67861 +int grsec_lastack_retries;
67862 +int grsec_enable_tpe_all;
67863 +int grsec_enable_tpe_invert;
67864 +int grsec_enable_socket_all;
67865 +kgid_t grsec_socket_all_gid;
67866 +int grsec_enable_socket_client;
67867 +kgid_t grsec_socket_client_gid;
67868 +int grsec_enable_socket_server;
67869 +kgid_t grsec_socket_server_gid;
67870 +int grsec_resource_logging;
67871 +int grsec_disable_privio;
67872 +int grsec_enable_log_rwxmaps;
67875 +DEFINE_SPINLOCK(grsec_alert_lock);
67876 +unsigned long grsec_alert_wtime = 0;
67877 +unsigned long grsec_alert_fyet = 0;
67879 +DEFINE_SPINLOCK(grsec_audit_lock);
67881 +DEFINE_RWLOCK(grsec_exec_file_lock);
67883 +char *gr_shared_page[4];
67885 +char *gr_alert_log_fmt;
67886 +char *gr_audit_log_fmt;
67887 +char *gr_alert_log_buf;
67888 +char *gr_audit_log_buf;
67890 +extern struct gr_arg *gr_usermode;
67891 +extern unsigned char *gr_system_salt;
67892 +extern unsigned char *gr_system_sum;
67895 +grsecurity_init(void)
67898 + /* create the per-cpu shared pages */
67901 + memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
67904 + for (j = 0; j < 4; j++) {
67905 + gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
67906 + if (gr_shared_page[j] == NULL) {
67907 + panic("Unable to allocate grsecurity shared page");
67912 + /* allocate log buffers */
67913 + gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
67914 + if (!gr_alert_log_fmt) {
67915 + panic("Unable to allocate grsecurity alert log format buffer");
67918 + gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
67919 + if (!gr_audit_log_fmt) {
67920 + panic("Unable to allocate grsecurity audit log format buffer");
67923 + gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
67924 + if (!gr_alert_log_buf) {
67925 + panic("Unable to allocate grsecurity alert log buffer");
67928 + gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
67929 + if (!gr_audit_log_buf) {
67930 + panic("Unable to allocate grsecurity audit log buffer");
67934 + /* allocate memory for authentication structure */
67935 + gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
67936 + gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
67937 + gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
67939 + if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
67940 + panic("Unable to allocate grsecurity authentication structure");
67945 +#ifdef CONFIG_GRKERNSEC_IO
67946 +#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
67947 + grsec_disable_privio = 1;
67948 +#elif defined(CONFIG_GRKERNSEC_SYSCTL_ON)
67949 + grsec_disable_privio = 1;
67951 + grsec_disable_privio = 0;
67955 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
67956 + /* for backward compatibility, tpe_invert always defaults to on if
67957 + enabled in the kernel
67959 + grsec_enable_tpe_invert = 1;
67962 +#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
67963 +#ifndef CONFIG_GRKERNSEC_SYSCTL
67967 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
67968 + grsec_enable_log_rwxmaps = 1;
67970 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
67971 + grsec_enable_group = 1;
67972 + grsec_audit_gid = KGIDT_INIT(CONFIG_GRKERNSEC_AUDIT_GID);
67974 +#ifdef CONFIG_GRKERNSEC_PTRACE_READEXEC
67975 + grsec_enable_ptrace_readexec = 1;
67977 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
67978 + grsec_enable_chdir = 1;
67980 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
67981 + grsec_enable_harden_ptrace = 1;
67983 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
67984 + grsec_enable_mount = 1;
67986 +#ifdef CONFIG_GRKERNSEC_LINK
67987 + grsec_enable_link = 1;
67989 +#ifdef CONFIG_GRKERNSEC_BRUTE
67990 + grsec_enable_brute = 1;
67992 +#ifdef CONFIG_GRKERNSEC_DMESG
67993 + grsec_enable_dmesg = 1;
67995 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
67996 + grsec_enable_blackhole = 1;
67997 + grsec_lastack_retries = 4;
67999 +#ifdef CONFIG_GRKERNSEC_FIFO
68000 + grsec_enable_fifo = 1;
68002 +#ifdef CONFIG_GRKERNSEC_EXECLOG
68003 + grsec_enable_execlog = 1;
68005 +#ifdef CONFIG_GRKERNSEC_SETXID
68006 + grsec_enable_setxid = 1;
68008 +#ifdef CONFIG_GRKERNSEC_SIGNAL
68009 + grsec_enable_signal = 1;
68011 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
68012 + grsec_enable_forkfail = 1;
68014 +#ifdef CONFIG_GRKERNSEC_TIME
68015 + grsec_enable_time = 1;
68017 +#ifdef CONFIG_GRKERNSEC_RESLOG
68018 + grsec_resource_logging = 1;
68020 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
68021 + grsec_enable_chroot_findtask = 1;
68023 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
68024 + grsec_enable_chroot_unix = 1;
68026 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
68027 + grsec_enable_chroot_mount = 1;
68029 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
68030 + grsec_enable_chroot_fchdir = 1;
68032 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
68033 + grsec_enable_chroot_shmat = 1;
68035 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
68036 + grsec_enable_audit_ptrace = 1;
68038 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
68039 + grsec_enable_chroot_double = 1;
68041 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
68042 + grsec_enable_chroot_pivot = 1;
68044 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
68045 + grsec_enable_chroot_chdir = 1;
68047 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
68048 + grsec_enable_chroot_chmod = 1;
68050 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
68051 + grsec_enable_chroot_mknod = 1;
68053 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
68054 + grsec_enable_chroot_nice = 1;
68056 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
68057 + grsec_enable_chroot_execlog = 1;
68059 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
68060 + grsec_enable_chroot_caps = 1;
68062 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
68063 + grsec_enable_chroot_sysctl = 1;
68065 +#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
68066 + grsec_enable_symlinkown = 1;
68067 + grsec_symlinkown_gid = KGIDT_INIT(CONFIG_GRKERNSEC_SYMLINKOWN_GID);
68069 +#ifdef CONFIG_GRKERNSEC_TPE
68070 + grsec_enable_tpe = 1;
68071 + grsec_tpe_gid = KGIDT_INIT(CONFIG_GRKERNSEC_TPE_GID);
68072 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
68073 + grsec_enable_tpe_all = 1;
68076 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
68077 + grsec_enable_socket_all = 1;
68078 + grsec_socket_all_gid = KGIDT_INIT(CONFIG_GRKERNSEC_SOCKET_ALL_GID);
68080 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
68081 + grsec_enable_socket_client = 1;
68082 + grsec_socket_client_gid = KGIDT_INIT(CONFIG_GRKERNSEC_SOCKET_CLIENT_GID);
68084 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
68085 + grsec_enable_socket_server = 1;
68086 + grsec_socket_server_gid = KGIDT_INIT(CONFIG_GRKERNSEC_SOCKET_SERVER_GID);
68092 diff --git a/grsecurity/grsec_link.c b/grsecurity/grsec_link.c
68093 new file mode 100644
68094 index 0000000..5e05e20
68096 +++ b/grsecurity/grsec_link.c
68098 +#include <linux/kernel.h>
68099 +#include <linux/sched.h>
68100 +#include <linux/fs.h>
68101 +#include <linux/file.h>
68102 +#include <linux/grinternal.h>
68104 +int gr_handle_symlink_owner(const struct path *link, const struct inode *target)
68106 +#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
68107 + const struct inode *link_inode = link->dentry->d_inode;
68109 + if (grsec_enable_symlinkown && in_group_p(grsec_symlinkown_gid) &&
68110 + /* ignore root-owned links, e.g. /proc/self */
68111 + gr_is_global_nonroot(link_inode->i_uid) && target &&
68112 + !uid_eq(link_inode->i_uid, target->i_uid)) {
68113 + gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINKOWNER_MSG, link->dentry, link->mnt, link_inode->i_uid, target->i_uid);
68121 +gr_handle_follow_link(const struct inode *parent,
68122 + const struct inode *inode,
68123 + const struct dentry *dentry, const struct vfsmount *mnt)
68125 +#ifdef CONFIG_GRKERNSEC_LINK
68126 + const struct cred *cred = current_cred();
68128 + if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
68129 + (parent->i_mode & S_ISVTX) && !uid_eq(parent->i_uid, inode->i_uid) &&
68130 + (parent->i_mode & S_IWOTH) && !uid_eq(cred->fsuid, inode->i_uid)) {
68131 + gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
68139 +gr_handle_hardlink(const struct dentry *dentry,
68140 + const struct vfsmount *mnt,
68141 + struct inode *inode, const int mode, const struct filename *to)
68143 +#ifdef CONFIG_GRKERNSEC_LINK
68144 + const struct cred *cred = current_cred();
68146 + if (grsec_enable_link && !uid_eq(cred->fsuid, inode->i_uid) &&
68147 + (!S_ISREG(mode) || is_privileged_binary(dentry) ||
68148 + (inode_permission(inode, MAY_READ | MAY_WRITE))) &&
68149 + !capable(CAP_FOWNER) && gr_is_global_nonroot(cred->uid)) {
68150 + gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to->name);
68156 diff --git a/grsecurity/grsec_log.c b/grsecurity/grsec_log.c
68157 new file mode 100644
68158 index 0000000..dbe0a6b
68160 +++ b/grsecurity/grsec_log.c
68162 +#include <linux/kernel.h>
68163 +#include <linux/sched.h>
68164 +#include <linux/file.h>
68165 +#include <linux/tty.h>
68166 +#include <linux/fs.h>
68167 +#include <linux/mm.h>
68168 +#include <linux/grinternal.h>
68170 +#ifdef CONFIG_TREE_PREEMPT_RCU
68171 +#define DISABLE_PREEMPT() preempt_disable()
68172 +#define ENABLE_PREEMPT() preempt_enable()
68174 +#define DISABLE_PREEMPT()
68175 +#define ENABLE_PREEMPT()
68178 +#define BEGIN_LOCKS(x) \
68179 + DISABLE_PREEMPT(); \
68180 + rcu_read_lock(); \
68181 + read_lock(&tasklist_lock); \
68182 + read_lock(&grsec_exec_file_lock); \
68183 + if (x != GR_DO_AUDIT) \
68184 + spin_lock(&grsec_alert_lock); \
68186 + spin_lock(&grsec_audit_lock)
68188 +#define END_LOCKS(x) \
68189 + if (x != GR_DO_AUDIT) \
68190 + spin_unlock(&grsec_alert_lock); \
68192 + spin_unlock(&grsec_audit_lock); \
68193 + read_unlock(&grsec_exec_file_lock); \
68194 + read_unlock(&tasklist_lock); \
68195 + rcu_read_unlock(); \
68196 + ENABLE_PREEMPT(); \
68197 + if (x == GR_DONT_AUDIT) \
68198 + gr_handle_alertkill(current)
68205 +extern char *gr_alert_log_fmt;
68206 +extern char *gr_audit_log_fmt;
68207 +extern char *gr_alert_log_buf;
68208 +extern char *gr_audit_log_buf;
68210 +static int gr_log_start(int audit)
68212 + char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
68213 + char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
68214 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
68215 +#if (CONFIG_GRKERNSEC_FLOODTIME > 0 && CONFIG_GRKERNSEC_FLOODBURST > 0)
68216 + unsigned long curr_secs = get_seconds();
68218 + if (audit == GR_DO_AUDIT)
68221 + if (!grsec_alert_wtime || time_after(curr_secs, grsec_alert_wtime + CONFIG_GRKERNSEC_FLOODTIME)) {
68222 + grsec_alert_wtime = curr_secs;
68223 + grsec_alert_fyet = 0;
68224 + } else if (time_before_eq(curr_secs, grsec_alert_wtime + CONFIG_GRKERNSEC_FLOODTIME)
68225 + && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
68226 + grsec_alert_fyet++;
68227 + } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
68228 + grsec_alert_wtime = curr_secs;
68229 + grsec_alert_fyet++;
68230 + printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
68233 + else return FLOODING;
68237 + memset(buf, 0, PAGE_SIZE);
68238 + if (current->signal->curr_ip && gr_acl_is_enabled()) {
68239 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: (%.64s:%c:%.950s) ");
68240 + snprintf(buf, PAGE_SIZE - 1, fmt, ¤t->signal->curr_ip, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
68241 + } else if (current->signal->curr_ip) {
68242 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: ");
68243 + snprintf(buf, PAGE_SIZE - 1, fmt, ¤t->signal->curr_ip);
68244 + } else if (gr_acl_is_enabled()) {
68245 + sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
68246 + snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
68248 + sprintf(fmt, "%s%s", loglevel, "grsec: ");
68249 + strcpy(buf, fmt);
68252 + return NO_FLOODING;
68255 +static void gr_log_middle(int audit, const char *msg, va_list ap)
68256 + __attribute__ ((format (printf, 2, 0)));
68258 +static void gr_log_middle(int audit, const char *msg, va_list ap)
68260 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
68261 + unsigned int len = strlen(buf);
68263 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
68268 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
68269 + __attribute__ ((format (printf, 2, 3)));
68271 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
68273 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
68274 + unsigned int len = strlen(buf);
68277 + va_start(ap, msg);
68278 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
68284 +static void gr_log_end(int audit, int append_default)
68286 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
68287 + if (append_default) {
68288 + struct task_struct *task = current;
68289 + struct task_struct *parent = task->real_parent;
68290 + const struct cred *cred = __task_cred(task);
68291 + const struct cred *pcred = __task_cred(parent);
68292 + unsigned int len = strlen(buf);
68294 + snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, gr_task_fullpath(task), task->comm, task_pid_nr(task), GR_GLOBAL_UID(cred->uid), GR_GLOBAL_UID(cred->euid), GR_GLOBAL_GID(cred->gid), GR_GLOBAL_GID(cred->egid), gr_parent_task_fullpath(task), parent->comm, task_pid_nr(task->real_parent), GR_GLOBAL_UID(pcred->uid), GR_GLOBAL_UID(pcred->euid), GR_GLOBAL_GID(pcred->gid), GR_GLOBAL_GID(pcred->egid));
68297 + printk("%s\n", buf);
68302 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
68305 + char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
68306 + char *str1 = NULL, *str2 = NULL, *str3 = NULL;
68307 + void *voidptr = NULL;
68308 + int num1 = 0, num2 = 0;
68309 + unsigned long ulong1 = 0, ulong2 = 0;
68310 + struct dentry *dentry = NULL;
68311 + struct vfsmount *mnt = NULL;
68312 + struct file *file = NULL;
68313 + struct task_struct *task = NULL;
68314 + struct vm_area_struct *vma = NULL;
68315 + const struct cred *cred, *pcred;
68318 + BEGIN_LOCKS(audit);
68319 + logtype = gr_log_start(audit);
68320 + if (logtype == FLOODING) {
68321 + END_LOCKS(audit);
68324 + va_start(ap, argtypes);
68325 + switch (argtypes) {
68326 + case GR_TTYSNIFF:
68327 + task = va_arg(ap, struct task_struct *);
68328 + gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task_pid_nr(task), gr_parent_task_fullpath0(task), task->real_parent->comm, task_pid_nr(task->real_parent));
68330 + case GR_SYSCTL_HIDDEN:
68331 + str1 = va_arg(ap, char *);
68332 + gr_log_middle_varargs(audit, msg, result, str1);
68335 + dentry = va_arg(ap, struct dentry *);
68336 + mnt = va_arg(ap, struct vfsmount *);
68337 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
68339 + case GR_RBAC_STR:
68340 + dentry = va_arg(ap, struct dentry *);
68341 + mnt = va_arg(ap, struct vfsmount *);
68342 + str1 = va_arg(ap, char *);
68343 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
68345 + case GR_STR_RBAC:
68346 + str1 = va_arg(ap, char *);
68347 + dentry = va_arg(ap, struct dentry *);
68348 + mnt = va_arg(ap, struct vfsmount *);
68349 + gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
68351 + case GR_RBAC_MODE2:
68352 + dentry = va_arg(ap, struct dentry *);
68353 + mnt = va_arg(ap, struct vfsmount *);
68354 + str1 = va_arg(ap, char *);
68355 + str2 = va_arg(ap, char *);
68356 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
68358 + case GR_RBAC_MODE3:
68359 + dentry = va_arg(ap, struct dentry *);
68360 + mnt = va_arg(ap, struct vfsmount *);
68361 + str1 = va_arg(ap, char *);
68362 + str2 = va_arg(ap, char *);
68363 + str3 = va_arg(ap, char *);
68364 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
68366 + case GR_FILENAME:
68367 + dentry = va_arg(ap, struct dentry *);
68368 + mnt = va_arg(ap, struct vfsmount *);
68369 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
68371 + case GR_STR_FILENAME:
68372 + str1 = va_arg(ap, char *);
68373 + dentry = va_arg(ap, struct dentry *);
68374 + mnt = va_arg(ap, struct vfsmount *);
68375 + gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
68377 + case GR_FILENAME_STR:
68378 + dentry = va_arg(ap, struct dentry *);
68379 + mnt = va_arg(ap, struct vfsmount *);
68380 + str1 = va_arg(ap, char *);
68381 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
68383 + case GR_FILENAME_TWO_INT:
68384 + dentry = va_arg(ap, struct dentry *);
68385 + mnt = va_arg(ap, struct vfsmount *);
68386 + num1 = va_arg(ap, int);
68387 + num2 = va_arg(ap, int);
68388 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
68390 + case GR_FILENAME_TWO_INT_STR:
68391 + dentry = va_arg(ap, struct dentry *);
68392 + mnt = va_arg(ap, struct vfsmount *);
68393 + num1 = va_arg(ap, int);
68394 + num2 = va_arg(ap, int);
68395 + str1 = va_arg(ap, char *);
68396 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
68399 + file = va_arg(ap, struct file *);
68400 + ulong1 = va_arg(ap, unsigned long);
68401 + ulong2 = va_arg(ap, unsigned long);
68402 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2);
68405 + task = va_arg(ap, struct task_struct *);
68406 + gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task_pid_nr(task));
68408 + case GR_RESOURCE:
68409 + task = va_arg(ap, struct task_struct *);
68410 + cred = __task_cred(task);
68411 + pcred = __task_cred(task->real_parent);
68412 + ulong1 = va_arg(ap, unsigned long);
68413 + str1 = va_arg(ap, char *);
68414 + ulong2 = va_arg(ap, unsigned long);
68415 + gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task_pid_nr(task), GR_GLOBAL_UID(cred->uid), GR_GLOBAL_UID(cred->euid), GR_GLOBAL_GID(cred->gid), GR_GLOBAL_GID(cred->egid), gr_parent_task_fullpath(task), task->real_parent->comm, task_pid_nr(task->real_parent), GR_GLOBAL_UID(pcred->uid), GR_GLOBAL_UID(pcred->euid), GR_GLOBAL_GID(pcred->gid), GR_GLOBAL_GID(pcred->egid));
68418 + task = va_arg(ap, struct task_struct *);
68419 + cred = __task_cred(task);
68420 + pcred = __task_cred(task->real_parent);
68421 + str1 = va_arg(ap, char *);
68422 + gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task_pid_nr(task), GR_GLOBAL_UID(cred->uid), GR_GLOBAL_UID(cred->euid), GR_GLOBAL_GID(cred->gid), GR_GLOBAL_GID(cred->egid), gr_parent_task_fullpath(task), task->real_parent->comm, task_pid_nr(task->real_parent), GR_GLOBAL_UID(pcred->uid), GR_GLOBAL_UID(pcred->euid), GR_GLOBAL_GID(pcred->gid), GR_GLOBAL_GID(pcred->egid));
68425 + str1 = va_arg(ap, char *);
68426 + voidptr = va_arg(ap, void *);
68427 + gr_log_middle_varargs(audit, msg, str1, voidptr);
68430 + task = va_arg(ap, struct task_struct *);
68431 + cred = __task_cred(task);
68432 + pcred = __task_cred(task->real_parent);
68433 + num1 = va_arg(ap, int);
68434 + gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task_pid_nr(task), GR_GLOBAL_UID(cred->uid), GR_GLOBAL_UID(cred->euid), GR_GLOBAL_GID(cred->gid), GR_GLOBAL_GID(cred->egid), gr_parent_task_fullpath0(task), task->real_parent->comm, task_pid_nr(task->real_parent), GR_GLOBAL_UID(pcred->uid), GR_GLOBAL_UID(pcred->euid), GR_GLOBAL_GID(pcred->gid), GR_GLOBAL_GID(pcred->egid));
68437 + task = va_arg(ap, struct task_struct *);
68438 + cred = __task_cred(task);
68439 + pcred = __task_cred(task->real_parent);
68440 + ulong1 = va_arg(ap, unsigned long);
68441 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task_pid_nr(task), GR_GLOBAL_UID(cred->uid), GR_GLOBAL_UID(cred->euid), GR_GLOBAL_GID(cred->gid), GR_GLOBAL_GID(cred->egid), gr_parent_task_fullpath(task), task->real_parent->comm, task_pid_nr(task->real_parent), GR_GLOBAL_UID(pcred->uid), GR_GLOBAL_UID(pcred->euid), GR_GLOBAL_GID(pcred->gid), GR_GLOBAL_GID(pcred->egid), GR_GLOBAL_UID(cred->uid), ulong1);
68444 + task = va_arg(ap, struct task_struct *);
68445 + cred = __task_cred(task);
68446 + pcred = __task_cred(task->real_parent);
68447 + ulong1 = va_arg(ap, unsigned long);
68448 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task_pid_nr(task), GR_GLOBAL_UID(cred->uid), GR_GLOBAL_UID(cred->euid), GR_GLOBAL_GID(cred->gid), GR_GLOBAL_GID(cred->egid), gr_parent_task_fullpath(task), task->real_parent->comm, task_pid_nr(task->real_parent), GR_GLOBAL_UID(pcred->uid), GR_GLOBAL_UID(pcred->euid), GR_GLOBAL_GID(pcred->gid), GR_GLOBAL_GID(pcred->egid), ulong1);
68451 + file = va_arg(ap, struct file *);
68452 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>");
68454 + case GR_RWXMAPVMA:
68455 + vma = va_arg(ap, struct vm_area_struct *);
68456 + if (vma->vm_file)
68457 + str1 = gr_to_filename(vma->vm_file->f_path.dentry, vma->vm_file->f_path.mnt);
68458 + else if (vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP))
68459 + str1 = "<stack>";
68460 + else if (vma->vm_start <= current->mm->brk &&
68461 + vma->vm_end >= current->mm->start_brk)
68464 + str1 = "<anonymous mapping>";
68465 + gr_log_middle_varargs(audit, msg, str1);
68469 + unsigned int wday, cday;
68473 + char cur_tty[64] = { 0 };
68474 + char parent_tty[64] = { 0 };
68476 + task = va_arg(ap, struct task_struct *);
68477 + wday = va_arg(ap, unsigned int);
68478 + cday = va_arg(ap, unsigned int);
68479 + whr = va_arg(ap, int);
68480 + chr = va_arg(ap, int);
68481 + wmin = va_arg(ap, int);
68482 + cmin = va_arg(ap, int);
68483 + wsec = va_arg(ap, int);
68484 + csec = va_arg(ap, int);
68485 + ulong1 = va_arg(ap, unsigned long);
68486 + cred = __task_cred(task);
68487 + pcred = __task_cred(task->real_parent);
68489 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task_pid_nr(task), &task->signal->curr_ip, tty_name(task->signal->tty, cur_tty), GR_GLOBAL_UID(cred->uid), GR_GLOBAL_UID(cred->euid), GR_GLOBAL_GID(cred->gid), GR_GLOBAL_GID(cred->egid), wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->real_parent->comm, task_pid_nr(task->real_parent), &task->real_parent->signal->curr_ip, tty_name(task->real_parent->signal->tty, parent_tty), GR_GLOBAL_UID(pcred->uid), GR_GLOBAL_UID(pcred->euid), GR_GLOBAL_GID(pcred->gid), GR_GLOBAL_GID(pcred->egid));
68493 + gr_log_middle(audit, msg, ap);
68496 + // these don't need DEFAULTSECARGS printed on the end
68497 + if (argtypes == GR_CRASH1 || argtypes == GR_CRASH2)
68498 + gr_log_end(audit, 0);
68500 + gr_log_end(audit, 1);
68501 + END_LOCKS(audit);
68503 diff --git a/grsecurity/grsec_mem.c b/grsecurity/grsec_mem.c
68504 new file mode 100644
68505 index 0000000..f536303
68507 +++ b/grsecurity/grsec_mem.c
68509 +#include <linux/kernel.h>
68510 +#include <linux/sched.h>
68511 +#include <linux/mm.h>
68512 +#include <linux/mman.h>
68513 +#include <linux/grinternal.h>
68516 +gr_handle_ioperm(void)
68518 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
68523 +gr_handle_iopl(void)
68525 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
68530 +gr_handle_mem_readwrite(u64 from, u64 to)
68532 + gr_log_two_u64(GR_DONT_AUDIT, GR_MEM_READWRITE_MSG, from, to);
68537 +gr_handle_vm86(void)
68539 + gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
68544 +gr_log_badprocpid(const char *entry)
68546 + gr_log_str(GR_DONT_AUDIT, GR_BADPROCPID_MSG, entry);
68549 diff --git a/grsecurity/grsec_mount.c b/grsecurity/grsec_mount.c
68550 new file mode 100644
68551 index 0000000..2131422
68553 +++ b/grsecurity/grsec_mount.c
68555 +#include <linux/kernel.h>
68556 +#include <linux/sched.h>
68557 +#include <linux/mount.h>
68558 +#include <linux/grsecurity.h>
68559 +#include <linux/grinternal.h>
68562 +gr_log_remount(const char *devname, const int retval)
68564 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
68565 + if (grsec_enable_mount && (retval >= 0))
68566 + gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
68572 +gr_log_unmount(const char *devname, const int retval)
68574 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
68575 + if (grsec_enable_mount && (retval >= 0))
68576 + gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
68582 +gr_log_mount(const char *from, const char *to, const int retval)
68584 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
68585 + if (grsec_enable_mount && (retval >= 0))
68586 + gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from ? from : "none", to);
68592 +gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
68594 +#ifdef CONFIG_GRKERNSEC_ROFS
68595 + if (grsec_enable_rofs && !(mnt_flags & MNT_READONLY)) {
68596 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
68605 +gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
68607 +#ifdef CONFIG_GRKERNSEC_ROFS
68608 + if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
68609 + dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
68610 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
68617 diff --git a/grsecurity/grsec_pax.c b/grsecurity/grsec_pax.c
68618 new file mode 100644
68619 index 0000000..6ee9d50
68621 +++ b/grsecurity/grsec_pax.c
68623 +#include <linux/kernel.h>
68624 +#include <linux/sched.h>
68625 +#include <linux/mm.h>
68626 +#include <linux/file.h>
68627 +#include <linux/grinternal.h>
68628 +#include <linux/grsecurity.h>
68631 +gr_log_textrel(struct vm_area_struct * vma)
68633 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
68634 + if (grsec_enable_log_rwxmaps)
68635 + gr_log_textrel_ulong_ulong(GR_DONT_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
68640 +void gr_log_ptgnustack(struct file *file)
68642 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
68643 + if (grsec_enable_log_rwxmaps)
68644 + gr_log_rwxmap(GR_DONT_AUDIT, GR_PTGNUSTACK_MSG, file);
68650 +gr_log_rwxmmap(struct file *file)
68652 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
68653 + if (grsec_enable_log_rwxmaps)
68654 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMMAP_MSG, file);
68660 +gr_log_rwxmprotect(struct vm_area_struct *vma)
68662 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
68663 + if (grsec_enable_log_rwxmaps)
68664 + gr_log_rwxmap_vma(GR_DONT_AUDIT, GR_RWXMPROTECT_MSG, vma);
68668 diff --git a/grsecurity/grsec_ptrace.c b/grsecurity/grsec_ptrace.c
68669 new file mode 100644
68670 index 0000000..f7f29aa
68672 +++ b/grsecurity/grsec_ptrace.c
68674 +#include <linux/kernel.h>
68675 +#include <linux/sched.h>
68676 +#include <linux/grinternal.h>
68677 +#include <linux/security.h>
68680 +gr_audit_ptrace(struct task_struct *task)
68682 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
68683 + if (grsec_enable_audit_ptrace)
68684 + gr_log_ptrace(GR_DO_AUDIT, GR_PTRACE_AUDIT_MSG, task);
68690 +gr_ptrace_readexec(struct file *file, int unsafe_flags)
68692 +#ifdef CONFIG_GRKERNSEC_PTRACE_READEXEC
68693 + const struct dentry *dentry = file->f_path.dentry;
68694 + const struct vfsmount *mnt = file->f_path.mnt;
68696 + if (grsec_enable_ptrace_readexec && (unsafe_flags & LSM_UNSAFE_PTRACE) &&
68697 + (inode_permission(dentry->d_inode, MAY_READ) || !gr_acl_handle_open(dentry, mnt, MAY_READ))) {
68698 + gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_READEXEC_MSG, dentry, mnt);
68704 diff --git a/grsecurity/grsec_sig.c b/grsecurity/grsec_sig.c
68705 new file mode 100644
68706 index 0000000..4e29cc7
68708 +++ b/grsecurity/grsec_sig.c
68710 +#include <linux/kernel.h>
68711 +#include <linux/sched.h>
68712 +#include <linux/fs.h>
68713 +#include <linux/delay.h>
68714 +#include <linux/grsecurity.h>
68715 +#include <linux/grinternal.h>
68716 +#include <linux/hardirq.h>
68718 +char *signames[] = {
68719 + [SIGSEGV] = "Segmentation fault",
68720 + [SIGILL] = "Illegal instruction",
68721 + [SIGABRT] = "Abort",
68722 + [SIGBUS] = "Invalid alignment/Bus error"
68726 +gr_log_signal(const int sig, const void *addr, const struct task_struct *t)
68728 +#ifdef CONFIG_GRKERNSEC_SIGNAL
68729 + if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
68730 + (sig == SIGABRT) || (sig == SIGBUS))) {
68731 + if (task_pid_nr(t) == task_pid_nr(current)) {
68732 + gr_log_sig_addr(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, signames[sig], addr);
68734 + gr_log_sig_task(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
68742 +gr_handle_signal(const struct task_struct *p, const int sig)
68744 +#ifdef CONFIG_GRKERNSEC
68745 + /* ignore the 0 signal for protected task checks */
68746 + if (task_pid_nr(current) > 1 && sig && gr_check_protected_task(p)) {
68747 + gr_log_sig_task(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
68749 + } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
68756 +#ifdef CONFIG_GRKERNSEC
68757 +extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
68759 +int gr_fake_force_sig(int sig, struct task_struct *t)
68761 + unsigned long int flags;
68762 + int ret, blocked, ignored;
68763 + struct k_sigaction *action;
68765 + spin_lock_irqsave(&t->sighand->siglock, flags);
68766 + action = &t->sighand->action[sig-1];
68767 + ignored = action->sa.sa_handler == SIG_IGN;
68768 + blocked = sigismember(&t->blocked, sig);
68769 + if (blocked || ignored) {
68770 + action->sa.sa_handler = SIG_DFL;
68772 + sigdelset(&t->blocked, sig);
68773 + recalc_sigpending_and_wake(t);
68776 + if (action->sa.sa_handler == SIG_DFL)
68777 + t->signal->flags &= ~SIGNAL_UNKILLABLE;
68778 + ret = specific_send_sig_info(sig, SEND_SIG_PRIV, t);
68780 + spin_unlock_irqrestore(&t->sighand->siglock, flags);
68786 +#ifdef CONFIG_GRKERNSEC_BRUTE
68787 +#define GR_USER_BAN_TIME (15 * 60)
68788 +#define GR_DAEMON_BRUTE_TIME (30 * 60)
68790 +static int __get_dumpable(unsigned long mm_flags)
68794 + ret = mm_flags & MMF_DUMPABLE_MASK;
68795 + return (ret >= 2) ? 2 : ret;
68799 +void gr_handle_brute_attach(unsigned long mm_flags)
68801 +#ifdef CONFIG_GRKERNSEC_BRUTE
68802 + struct task_struct *p = current;
68803 + kuid_t uid = GLOBAL_ROOT_UID;
68806 + if (!grsec_enable_brute)
68810 + read_lock(&tasklist_lock);
68811 + read_lock(&grsec_exec_file_lock);
68812 + if (p->real_parent && gr_is_same_file(p->real_parent->exec_file, p->exec_file)) {
68813 + p->real_parent->brute_expires = get_seconds() + GR_DAEMON_BRUTE_TIME;
68814 + p->real_parent->brute = 1;
68817 + const struct cred *cred = __task_cred(p), *cred2;
68818 + struct task_struct *tsk, *tsk2;
68820 + if (!__get_dumpable(mm_flags) && gr_is_global_nonroot(cred->uid)) {
68821 + struct user_struct *user;
68825 + /* this is put upon execution past expiration */
68826 + user = find_user(uid);
68827 + if (user == NULL)
68829 + user->suid_banned = 1;
68830 + user->suid_ban_expires = get_seconds() + GR_USER_BAN_TIME;
68831 + if (user->suid_ban_expires == ~0UL)
68832 + user->suid_ban_expires--;
68834 + /* only kill other threads of the same binary, from the same user */
68835 + do_each_thread(tsk2, tsk) {
68836 + cred2 = __task_cred(tsk);
68837 + if (tsk != p && uid_eq(cred2->uid, uid) && gr_is_same_file(tsk->exec_file, p->exec_file))
68838 + gr_fake_force_sig(SIGKILL, tsk);
68839 + } while_each_thread(tsk2, tsk);
68843 + read_unlock(&grsec_exec_file_lock);
68844 + read_unlock(&tasklist_lock);
68845 + rcu_read_unlock();
68847 + if (gr_is_global_nonroot(uid))
68848 + gr_log_fs_int2(GR_DONT_AUDIT, GR_BRUTE_SUID_MSG, p->exec_file->f_path.dentry, p->exec_file->f_path.mnt, GR_GLOBAL_UID(uid), GR_USER_BAN_TIME / 60);
68850 + gr_log_noargs(GR_DONT_AUDIT, GR_BRUTE_DAEMON_MSG);
68856 +void gr_handle_brute_check(void)
68858 +#ifdef CONFIG_GRKERNSEC_BRUTE
68859 + struct task_struct *p = current;
68861 + if (unlikely(p->brute)) {
68862 + if (!grsec_enable_brute)
68864 + else if (time_before(get_seconds(), p->brute_expires))
68865 + msleep(30 * 1000);
68871 +void gr_handle_kernel_exploit(void)
68873 +#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT
68874 + const struct cred *cred;
68875 + struct task_struct *tsk, *tsk2;
68876 + struct user_struct *user;
68879 + if (in_irq() || in_serving_softirq() || in_nmi())
68880 + panic("grsec: halting the system due to suspicious kernel crash caused in interrupt context");
68882 + uid = current_uid();
68884 + if (gr_is_global_root(uid))
68885 + panic("grsec: halting the system due to suspicious kernel crash caused by root");
68887 + /* kill all the processes of this user, hold a reference
68888 + to their creds struct, and prevent them from creating
68889 + another process until system reset
68891 + printk(KERN_ALERT "grsec: banning user with uid %u until system restart for suspicious kernel crash\n",
68892 + GR_GLOBAL_UID(uid));
68893 + /* we intentionally leak this ref */
68894 + user = get_uid(current->cred->user);
68896 + user->kernel_banned = 1;
68898 + /* kill all processes of this user */
68899 + read_lock(&tasklist_lock);
68900 + do_each_thread(tsk2, tsk) {
68901 + cred = __task_cred(tsk);
68902 + if (uid_eq(cred->uid, uid))
68903 + gr_fake_force_sig(SIGKILL, tsk);
68904 + } while_each_thread(tsk2, tsk);
68905 + read_unlock(&tasklist_lock);
68910 +#ifdef CONFIG_GRKERNSEC_BRUTE
68911 +static bool suid_ban_expired(struct user_struct *user)
68913 + if (user->suid_ban_expires != ~0UL && time_after_eq(get_seconds(), user->suid_ban_expires)) {
68914 + user->suid_banned = 0;
68915 + user->suid_ban_expires = 0;
68924 +int gr_process_kernel_exec_ban(void)
68926 +#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT
68927 + if (unlikely(current->cred->user->kernel_banned))
68933 +int gr_process_kernel_setuid_ban(struct user_struct *user)
68935 +#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT
68936 + if (unlikely(user->kernel_banned))
68937 + gr_fake_force_sig(SIGKILL, current);
68942 +int gr_process_suid_exec_ban(const struct linux_binprm *bprm)
68944 +#ifdef CONFIG_GRKERNSEC_BRUTE
68945 + struct user_struct *user = current->cred->user;
68946 + if (unlikely(user->suid_banned)) {
68947 + if (suid_ban_expired(user))
68949 + /* disallow execution of suid binaries only */
68950 + else if (!uid_eq(bprm->cred->euid, current->cred->uid))
68956 diff --git a/grsecurity/grsec_sock.c b/grsecurity/grsec_sock.c
68957 new file mode 100644
68958 index 0000000..4030d57
68960 +++ b/grsecurity/grsec_sock.c
68962 +#include <linux/kernel.h>
68963 +#include <linux/module.h>
68964 +#include <linux/sched.h>
68965 +#include <linux/file.h>
68966 +#include <linux/net.h>
68967 +#include <linux/in.h>
68968 +#include <linux/ip.h>
68969 +#include <net/sock.h>
68970 +#include <net/inet_sock.h>
68971 +#include <linux/grsecurity.h>
68972 +#include <linux/grinternal.h>
68973 +#include <linux/gracl.h>
68975 +extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
68976 +extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
68978 +EXPORT_SYMBOL(gr_search_udp_recvmsg);
68979 +EXPORT_SYMBOL(gr_search_udp_sendmsg);
68981 +#ifdef CONFIG_UNIX_MODULE
68982 +EXPORT_SYMBOL(gr_acl_handle_unix);
68983 +EXPORT_SYMBOL(gr_acl_handle_mknod);
68984 +EXPORT_SYMBOL(gr_handle_chroot_unix);
68985 +EXPORT_SYMBOL(gr_handle_create);
68988 +#ifdef CONFIG_GRKERNSEC
68989 +#define gr_conn_table_size 32749
68990 +struct conn_table_entry {
68991 + struct conn_table_entry *next;
68992 + struct signal_struct *sig;
68995 +struct conn_table_entry *gr_conn_table[gr_conn_table_size];
68996 +DEFINE_SPINLOCK(gr_conn_table_lock);
68998 +extern const char * gr_socktype_to_name(unsigned char type);
68999 +extern const char * gr_proto_to_name(unsigned char proto);
69000 +extern const char * gr_sockfamily_to_name(unsigned char family);
69002 +static __inline__ int
69003 +conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
69005 + return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
69008 +static __inline__ int
69009 +conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
69010 + __u16 sport, __u16 dport)
69012 + if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
69013 + sig->gr_sport == sport && sig->gr_dport == dport))
69019 +static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
69021 + struct conn_table_entry **match;
69022 + unsigned int index;
69024 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
69025 + sig->gr_sport, sig->gr_dport,
69026 + gr_conn_table_size);
69028 + newent->sig = sig;
69030 + match = &gr_conn_table[index];
69031 + newent->next = *match;
69037 +static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
69039 + struct conn_table_entry *match, *last = NULL;
69040 + unsigned int index;
69042 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
69043 + sig->gr_sport, sig->gr_dport,
69044 + gr_conn_table_size);
69046 + match = gr_conn_table[index];
69047 + while (match && !conn_match(match->sig,
69048 + sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
69049 + sig->gr_dport)) {
69051 + match = match->next;
69056 + last->next = match->next;
69058 + gr_conn_table[index] = NULL;
69065 +static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
69066 + __u16 sport, __u16 dport)
69068 + struct conn_table_entry *match;
69069 + unsigned int index;
69071 + index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
69073 + match = gr_conn_table[index];
69074 + while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
69075 + match = match->next;
69078 + return match->sig;
69085 +void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
69087 +#ifdef CONFIG_GRKERNSEC
69088 + struct signal_struct *sig = task->signal;
69089 + struct conn_table_entry *newent;
69091 + newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
69092 + if (newent == NULL)
69094 + /* no bh lock needed since we are called with bh disabled */
69095 + spin_lock(&gr_conn_table_lock);
69096 + gr_del_task_from_ip_table_nolock(sig);
69097 + sig->gr_saddr = inet->inet_rcv_saddr;
69098 + sig->gr_daddr = inet->inet_daddr;
69099 + sig->gr_sport = inet->inet_sport;
69100 + sig->gr_dport = inet->inet_dport;
69101 + gr_add_to_task_ip_table_nolock(sig, newent);
69102 + spin_unlock(&gr_conn_table_lock);
69107 +void gr_del_task_from_ip_table(struct task_struct *task)
69109 +#ifdef CONFIG_GRKERNSEC
69110 + spin_lock_bh(&gr_conn_table_lock);
69111 + gr_del_task_from_ip_table_nolock(task->signal);
69112 + spin_unlock_bh(&gr_conn_table_lock);
69118 +gr_attach_curr_ip(const struct sock *sk)
69120 +#ifdef CONFIG_GRKERNSEC
69121 + struct signal_struct *p, *set;
69122 + const struct inet_sock *inet = inet_sk(sk);
69124 + if (unlikely(sk->sk_protocol != IPPROTO_TCP))
69127 + set = current->signal;
69129 + spin_lock_bh(&gr_conn_table_lock);
69130 + p = gr_lookup_task_ip_table(inet->inet_daddr, inet->inet_rcv_saddr,
69131 + inet->inet_dport, inet->inet_sport);
69132 + if (unlikely(p != NULL)) {
69133 + set->curr_ip = p->curr_ip;
69134 + set->used_accept = 1;
69135 + gr_del_task_from_ip_table_nolock(p);
69136 + spin_unlock_bh(&gr_conn_table_lock);
69139 + spin_unlock_bh(&gr_conn_table_lock);
69141 + set->curr_ip = inet->inet_daddr;
69142 + set->used_accept = 1;
69148 +gr_handle_sock_all(const int family, const int type, const int protocol)
69150 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
69151 + if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
69152 + (family != AF_UNIX)) {
69153 + if (family == AF_INET)
69154 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), gr_proto_to_name(protocol));
69156 + gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), protocol);
69164 +gr_handle_sock_server(const struct sockaddr *sck)
69166 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
69167 + if (grsec_enable_socket_server &&
69168 + in_group_p(grsec_socket_server_gid) &&
69169 + sck && (sck->sa_family != AF_UNIX) &&
69170 + (sck->sa_family != AF_LOCAL)) {
69171 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
69179 +gr_handle_sock_server_other(const struct sock *sck)
69181 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
69182 + if (grsec_enable_socket_server &&
69183 + in_group_p(grsec_socket_server_gid) &&
69184 + sck && (sck->sk_family != AF_UNIX) &&
69185 + (sck->sk_family != AF_LOCAL)) {
69186 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
69194 +gr_handle_sock_client(const struct sockaddr *sck)
69196 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
69197 + if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
69198 + sck && (sck->sa_family != AF_UNIX) &&
69199 + (sck->sa_family != AF_LOCAL)) {
69200 + gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
69206 diff --git a/grsecurity/grsec_sysctl.c b/grsecurity/grsec_sysctl.c
69207 new file mode 100644
69208 index 0000000..7624d1c
69210 +++ b/grsecurity/grsec_sysctl.c
69212 +#include <linux/kernel.h>
69213 +#include <linux/sched.h>
69214 +#include <linux/sysctl.h>
69215 +#include <linux/grsecurity.h>
69216 +#include <linux/grinternal.h>
69219 +gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
69221 +#ifdef CONFIG_GRKERNSEC_SYSCTL
69222 + if (dirname == NULL || name == NULL)
69224 + if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
69225 + gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
69232 +#ifdef CONFIG_GRKERNSEC_ROFS
69233 +static int __maybe_unused one = 1;
69236 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
69237 +struct ctl_table grsecurity_table[] = {
69238 +#ifdef CONFIG_GRKERNSEC_SYSCTL
69239 +#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
69240 +#ifdef CONFIG_GRKERNSEC_IO
69242 + .procname = "disable_priv_io",
69243 + .data = &grsec_disable_privio,
69244 + .maxlen = sizeof(int),
69246 + .proc_handler = &proc_dointvec,
69250 +#ifdef CONFIG_GRKERNSEC_LINK
69252 + .procname = "linking_restrictions",
69253 + .data = &grsec_enable_link,
69254 + .maxlen = sizeof(int),
69256 + .proc_handler = &proc_dointvec,
69259 +#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
69261 + .procname = "enforce_symlinksifowner",
69262 + .data = &grsec_enable_symlinkown,
69263 + .maxlen = sizeof(int),
69265 + .proc_handler = &proc_dointvec,
69268 + .procname = "symlinkown_gid",
69269 + .data = &grsec_symlinkown_gid,
69270 + .maxlen = sizeof(int),
69272 + .proc_handler = &proc_dointvec,
69275 +#ifdef CONFIG_GRKERNSEC_BRUTE
69277 + .procname = "deter_bruteforce",
69278 + .data = &grsec_enable_brute,
69279 + .maxlen = sizeof(int),
69281 + .proc_handler = &proc_dointvec,
69284 +#ifdef CONFIG_GRKERNSEC_FIFO
69286 + .procname = "fifo_restrictions",
69287 + .data = &grsec_enable_fifo,
69288 + .maxlen = sizeof(int),
69290 + .proc_handler = &proc_dointvec,
69293 +#ifdef CONFIG_GRKERNSEC_PTRACE_READEXEC
69295 + .procname = "ptrace_readexec",
69296 + .data = &grsec_enable_ptrace_readexec,
69297 + .maxlen = sizeof(int),
69299 + .proc_handler = &proc_dointvec,
69302 +#ifdef CONFIG_GRKERNSEC_SETXID
69304 + .procname = "consistent_setxid",
69305 + .data = &grsec_enable_setxid,
69306 + .maxlen = sizeof(int),
69308 + .proc_handler = &proc_dointvec,
69311 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
69313 + .procname = "ip_blackhole",
69314 + .data = &grsec_enable_blackhole,
69315 + .maxlen = sizeof(int),
69317 + .proc_handler = &proc_dointvec,
69320 + .procname = "lastack_retries",
69321 + .data = &grsec_lastack_retries,
69322 + .maxlen = sizeof(int),
69324 + .proc_handler = &proc_dointvec,
69327 +#ifdef CONFIG_GRKERNSEC_EXECLOG
69329 + .procname = "exec_logging",
69330 + .data = &grsec_enable_execlog,
69331 + .maxlen = sizeof(int),
69333 + .proc_handler = &proc_dointvec,
69336 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
69338 + .procname = "rwxmap_logging",
69339 + .data = &grsec_enable_log_rwxmaps,
69340 + .maxlen = sizeof(int),
69342 + .proc_handler = &proc_dointvec,
69345 +#ifdef CONFIG_GRKERNSEC_SIGNAL
69347 + .procname = "signal_logging",
69348 + .data = &grsec_enable_signal,
69349 + .maxlen = sizeof(int),
69351 + .proc_handler = &proc_dointvec,
69354 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
69356 + .procname = "forkfail_logging",
69357 + .data = &grsec_enable_forkfail,
69358 + .maxlen = sizeof(int),
69360 + .proc_handler = &proc_dointvec,
69363 +#ifdef CONFIG_GRKERNSEC_TIME
69365 + .procname = "timechange_logging",
69366 + .data = &grsec_enable_time,
69367 + .maxlen = sizeof(int),
69369 + .proc_handler = &proc_dointvec,
69372 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
69374 + .procname = "chroot_deny_shmat",
69375 + .data = &grsec_enable_chroot_shmat,
69376 + .maxlen = sizeof(int),
69378 + .proc_handler = &proc_dointvec,
69381 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
69383 + .procname = "chroot_deny_unix",
69384 + .data = &grsec_enable_chroot_unix,
69385 + .maxlen = sizeof(int),
69387 + .proc_handler = &proc_dointvec,
69390 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
69392 + .procname = "chroot_deny_mount",
69393 + .data = &grsec_enable_chroot_mount,
69394 + .maxlen = sizeof(int),
69396 + .proc_handler = &proc_dointvec,
69399 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
69401 + .procname = "chroot_deny_fchdir",
69402 + .data = &grsec_enable_chroot_fchdir,
69403 + .maxlen = sizeof(int),
69405 + .proc_handler = &proc_dointvec,
69408 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
69410 + .procname = "chroot_deny_chroot",
69411 + .data = &grsec_enable_chroot_double,
69412 + .maxlen = sizeof(int),
69414 + .proc_handler = &proc_dointvec,
69417 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
69419 + .procname = "chroot_deny_pivot",
69420 + .data = &grsec_enable_chroot_pivot,
69421 + .maxlen = sizeof(int),
69423 + .proc_handler = &proc_dointvec,
69426 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
69428 + .procname = "chroot_enforce_chdir",
69429 + .data = &grsec_enable_chroot_chdir,
69430 + .maxlen = sizeof(int),
69432 + .proc_handler = &proc_dointvec,
69435 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
69437 + .procname = "chroot_deny_chmod",
69438 + .data = &grsec_enable_chroot_chmod,
69439 + .maxlen = sizeof(int),
69441 + .proc_handler = &proc_dointvec,
69444 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
69446 + .procname = "chroot_deny_mknod",
69447 + .data = &grsec_enable_chroot_mknod,
69448 + .maxlen = sizeof(int),
69450 + .proc_handler = &proc_dointvec,
69453 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
69455 + .procname = "chroot_restrict_nice",
69456 + .data = &grsec_enable_chroot_nice,
69457 + .maxlen = sizeof(int),
69459 + .proc_handler = &proc_dointvec,
69462 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
69464 + .procname = "chroot_execlog",
69465 + .data = &grsec_enable_chroot_execlog,
69466 + .maxlen = sizeof(int),
69468 + .proc_handler = &proc_dointvec,
69471 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
69473 + .procname = "chroot_caps",
69474 + .data = &grsec_enable_chroot_caps,
69475 + .maxlen = sizeof(int),
69477 + .proc_handler = &proc_dointvec,
69480 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
69482 + .procname = "chroot_deny_sysctl",
69483 + .data = &grsec_enable_chroot_sysctl,
69484 + .maxlen = sizeof(int),
69486 + .proc_handler = &proc_dointvec,
69489 +#ifdef CONFIG_GRKERNSEC_TPE
69491 + .procname = "tpe",
69492 + .data = &grsec_enable_tpe,
69493 + .maxlen = sizeof(int),
69495 + .proc_handler = &proc_dointvec,
69498 + .procname = "tpe_gid",
69499 + .data = &grsec_tpe_gid,
69500 + .maxlen = sizeof(int),
69502 + .proc_handler = &proc_dointvec,
69505 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
69507 + .procname = "tpe_invert",
69508 + .data = &grsec_enable_tpe_invert,
69509 + .maxlen = sizeof(int),
69511 + .proc_handler = &proc_dointvec,
69514 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
69516 + .procname = "tpe_restrict_all",
69517 + .data = &grsec_enable_tpe_all,
69518 + .maxlen = sizeof(int),
69520 + .proc_handler = &proc_dointvec,
69523 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
69525 + .procname = "socket_all",
69526 + .data = &grsec_enable_socket_all,
69527 + .maxlen = sizeof(int),
69529 + .proc_handler = &proc_dointvec,
69532 + .procname = "socket_all_gid",
69533 + .data = &grsec_socket_all_gid,
69534 + .maxlen = sizeof(int),
69536 + .proc_handler = &proc_dointvec,
69539 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
69541 + .procname = "socket_client",
69542 + .data = &grsec_enable_socket_client,
69543 + .maxlen = sizeof(int),
69545 + .proc_handler = &proc_dointvec,
69548 + .procname = "socket_client_gid",
69549 + .data = &grsec_socket_client_gid,
69550 + .maxlen = sizeof(int),
69552 + .proc_handler = &proc_dointvec,
69555 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
69557 + .procname = "socket_server",
69558 + .data = &grsec_enable_socket_server,
69559 + .maxlen = sizeof(int),
69561 + .proc_handler = &proc_dointvec,
69564 + .procname = "socket_server_gid",
69565 + .data = &grsec_socket_server_gid,
69566 + .maxlen = sizeof(int),
69568 + .proc_handler = &proc_dointvec,
69571 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
69573 + .procname = "audit_group",
69574 + .data = &grsec_enable_group,
69575 + .maxlen = sizeof(int),
69577 + .proc_handler = &proc_dointvec,
69580 + .procname = "audit_gid",
69581 + .data = &grsec_audit_gid,
69582 + .maxlen = sizeof(int),
69584 + .proc_handler = &proc_dointvec,
69587 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
69589 + .procname = "audit_chdir",
69590 + .data = &grsec_enable_chdir,
69591 + .maxlen = sizeof(int),
69593 + .proc_handler = &proc_dointvec,
69596 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
69598 + .procname = "audit_mount",
69599 + .data = &grsec_enable_mount,
69600 + .maxlen = sizeof(int),
69602 + .proc_handler = &proc_dointvec,
69605 +#ifdef CONFIG_GRKERNSEC_DMESG
69607 + .procname = "dmesg",
69608 + .data = &grsec_enable_dmesg,
69609 + .maxlen = sizeof(int),
69611 + .proc_handler = &proc_dointvec,
69614 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
69616 + .procname = "chroot_findtask",
69617 + .data = &grsec_enable_chroot_findtask,
69618 + .maxlen = sizeof(int),
69620 + .proc_handler = &proc_dointvec,
69623 +#ifdef CONFIG_GRKERNSEC_RESLOG
69625 + .procname = "resource_logging",
69626 + .data = &grsec_resource_logging,
69627 + .maxlen = sizeof(int),
69629 + .proc_handler = &proc_dointvec,
69632 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
69634 + .procname = "audit_ptrace",
69635 + .data = &grsec_enable_audit_ptrace,
69636 + .maxlen = sizeof(int),
69638 + .proc_handler = &proc_dointvec,
69641 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
69643 + .procname = "harden_ptrace",
69644 + .data = &grsec_enable_harden_ptrace,
69645 + .maxlen = sizeof(int),
69647 + .proc_handler = &proc_dointvec,
69651 + .procname = "grsec_lock",
69652 + .data = &grsec_lock,
69653 + .maxlen = sizeof(int),
69655 + .proc_handler = &proc_dointvec,
69658 +#ifdef CONFIG_GRKERNSEC_ROFS
69660 + .procname = "romount_protect",
69661 + .data = &grsec_enable_rofs,
69662 + .maxlen = sizeof(int),
69664 + .proc_handler = &proc_dointvec_minmax,
69672 diff --git a/grsecurity/grsec_time.c b/grsecurity/grsec_time.c
69673 new file mode 100644
69674 index 0000000..0dc13c3
69676 +++ b/grsecurity/grsec_time.c
69678 +#include <linux/kernel.h>
69679 +#include <linux/sched.h>
69680 +#include <linux/grinternal.h>
69681 +#include <linux/module.h>
69684 +gr_log_timechange(void)
69686 +#ifdef CONFIG_GRKERNSEC_TIME
69687 + if (grsec_enable_time)
69688 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
69693 +EXPORT_SYMBOL(gr_log_timechange);
69694 diff --git a/grsecurity/grsec_tpe.c b/grsecurity/grsec_tpe.c
69695 new file mode 100644
69696 index 0000000..ee57dcf
69698 +++ b/grsecurity/grsec_tpe.c
69700 +#include <linux/kernel.h>
69701 +#include <linux/sched.h>
69702 +#include <linux/file.h>
69703 +#include <linux/fs.h>
69704 +#include <linux/grinternal.h>
69706 +extern int gr_acl_tpe_check(void);
69709 +gr_tpe_allow(const struct file *file)
69711 +#ifdef CONFIG_GRKERNSEC
69712 + struct inode *inode = file->f_path.dentry->d_parent->d_inode;
69713 + const struct cred *cred = current_cred();
69714 + char *msg = NULL;
69715 + char *msg2 = NULL;
69717 + // never restrict root
69718 + if (gr_is_global_root(cred->uid))
69721 + if (grsec_enable_tpe) {
69722 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
69723 + if (grsec_enable_tpe_invert && !in_group_p(grsec_tpe_gid))
69724 + msg = "not being in trusted group";
69725 + else if (!grsec_enable_tpe_invert && in_group_p(grsec_tpe_gid))
69726 + msg = "being in untrusted group";
69728 + if (in_group_p(grsec_tpe_gid))
69729 + msg = "being in untrusted group";
69732 + if (!msg && gr_acl_tpe_check())
69733 + msg = "being in untrusted role";
69735 + // not in any affected group/role
69739 + if (gr_is_global_nonroot(inode->i_uid))
69740 + msg2 = "file in non-root-owned directory";
69741 + else if (inode->i_mode & S_IWOTH)
69742 + msg2 = "file in world-writable directory";
69743 + else if (inode->i_mode & S_IWGRP)
69744 + msg2 = "file in group-writable directory";
69746 + if (msg && msg2) {
69747 + char fullmsg[70] = {0};
69748 + snprintf(fullmsg, sizeof(fullmsg)-1, "%s and %s", msg, msg2);
69749 + gr_log_str_fs(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, fullmsg, file->f_path.dentry, file->f_path.mnt);
69754 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
69755 + if (!grsec_enable_tpe || !grsec_enable_tpe_all)
69758 + if (gr_is_global_nonroot(inode->i_uid) && !uid_eq(inode->i_uid, cred->uid))
69759 + msg = "directory not owned by user";
69760 + else if (inode->i_mode & S_IWOTH)
69761 + msg = "file in world-writable directory";
69762 + else if (inode->i_mode & S_IWGRP)
69763 + msg = "file in group-writable directory";
69766 + gr_log_str_fs(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, msg, file->f_path.dentry, file->f_path.mnt);
69773 diff --git a/grsecurity/grsum.c b/grsecurity/grsum.c
69774 new file mode 100644
69775 index 0000000..9f7b1ac
69777 +++ b/grsecurity/grsum.c
69779 +#include <linux/err.h>
69780 +#include <linux/kernel.h>
69781 +#include <linux/sched.h>
69782 +#include <linux/mm.h>
69783 +#include <linux/scatterlist.h>
69784 +#include <linux/crypto.h>
69785 +#include <linux/gracl.h>
69788 +#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
69789 +#error "crypto and sha256 must be built into the kernel"
69793 +chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
69796 + struct crypto_hash *tfm;
69797 + struct hash_desc desc;
69798 + struct scatterlist sg;
69799 + unsigned char temp_sum[GR_SHA_LEN];
69800 + volatile int retval = 0;
69801 + volatile int dummy = 0;
69804 + sg_init_table(&sg, 1);
69806 + tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
69807 + if (IS_ERR(tfm)) {
69808 + /* should never happen, since sha256 should be built in */
69815 + crypto_hash_init(&desc);
69818 + sg_set_buf(&sg, p, GR_SALT_LEN);
69819 + crypto_hash_update(&desc, &sg, sg.length);
69822 + sg_set_buf(&sg, p, strlen(p));
69824 + crypto_hash_update(&desc, &sg, sg.length);
69826 + crypto_hash_final(&desc, temp_sum);
69828 + memset(entry->pw, 0, GR_PW_LEN);
69830 + for (i = 0; i < GR_SHA_LEN; i++)
69831 + if (sum[i] != temp_sum[i])
69834 + dummy = 1; // waste a cycle
69836 + crypto_free_hash(tfm);
69840 diff --git a/include/asm-generic/4level-fixup.h b/include/asm-generic/4level-fixup.h
69841 index 77ff547..181834f 100644
69842 --- a/include/asm-generic/4level-fixup.h
69843 +++ b/include/asm-generic/4level-fixup.h
69845 #define pmd_alloc(mm, pud, address) \
69846 ((unlikely(pgd_none(*(pud))) && __pmd_alloc(mm, pud, address))? \
69847 NULL: pmd_offset(pud, address))
69848 +#define pmd_alloc_kernel(mm, pud, address) pmd_alloc((mm), (pud), (address))
69850 #define pud_alloc(mm, pgd, address) (pgd)
69851 +#define pud_alloc_kernel(mm, pgd, address) pud_alloc((mm), (pgd), (address))
69852 #define pud_offset(pgd, start) (pgd)
69853 #define pud_none(pud) 0
69854 #define pud_bad(pud) 0
69855 diff --git a/include/asm-generic/atomic-long.h b/include/asm-generic/atomic-long.h
69856 index b7babf0..04ad282 100644
69857 --- a/include/asm-generic/atomic-long.h
69858 +++ b/include/asm-generic/atomic-long.h
69861 typedef atomic64_t atomic_long_t;
69863 +#ifdef CONFIG_PAX_REFCOUNT
69864 +typedef atomic64_unchecked_t atomic_long_unchecked_t;
69866 +typedef atomic64_t atomic_long_unchecked_t;
69869 #define ATOMIC_LONG_INIT(i) ATOMIC64_INIT(i)
69871 static inline long atomic_long_read(atomic_long_t *l)
69872 @@ -31,6 +37,15 @@ static inline long atomic_long_read(atomic_long_t *l)
69873 return (long)atomic64_read(v);
69876 +#ifdef CONFIG_PAX_REFCOUNT
69877 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
69879 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
69881 + return (long)atomic64_read_unchecked(v);
69885 static inline void atomic_long_set(atomic_long_t *l, long i)
69887 atomic64_t *v = (atomic64_t *)l;
69888 @@ -38,6 +53,15 @@ static inline void atomic_long_set(atomic_long_t *l, long i)
69889 atomic64_set(v, i);
69892 +#ifdef CONFIG_PAX_REFCOUNT
69893 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
69895 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
69897 + atomic64_set_unchecked(v, i);
69901 static inline void atomic_long_inc(atomic_long_t *l)
69903 atomic64_t *v = (atomic64_t *)l;
69904 @@ -45,6 +69,15 @@ static inline void atomic_long_inc(atomic_long_t *l)
69908 +#ifdef CONFIG_PAX_REFCOUNT
69909 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
69911 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
69913 + atomic64_inc_unchecked(v);
69917 static inline void atomic_long_dec(atomic_long_t *l)
69919 atomic64_t *v = (atomic64_t *)l;
69920 @@ -52,6 +85,15 @@ static inline void atomic_long_dec(atomic_long_t *l)
69924 +#ifdef CONFIG_PAX_REFCOUNT
69925 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
69927 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
69929 + atomic64_dec_unchecked(v);
69933 static inline void atomic_long_add(long i, atomic_long_t *l)
69935 atomic64_t *v = (atomic64_t *)l;
69936 @@ -59,6 +101,15 @@ static inline void atomic_long_add(long i, atomic_long_t *l)
69937 atomic64_add(i, v);
69940 +#ifdef CONFIG_PAX_REFCOUNT
69941 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
69943 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
69945 + atomic64_add_unchecked(i, v);
69949 static inline void atomic_long_sub(long i, atomic_long_t *l)
69951 atomic64_t *v = (atomic64_t *)l;
69952 @@ -66,6 +117,15 @@ static inline void atomic_long_sub(long i, atomic_long_t *l)
69953 atomic64_sub(i, v);
69956 +#ifdef CONFIG_PAX_REFCOUNT
69957 +static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
69959 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
69961 + atomic64_sub_unchecked(i, v);
69965 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
69967 atomic64_t *v = (atomic64_t *)l;
69968 @@ -101,6 +161,15 @@ static inline long atomic_long_add_return(long i, atomic_long_t *l)
69969 return (long)atomic64_add_return(i, v);
69972 +#ifdef CONFIG_PAX_REFCOUNT
69973 +static inline long atomic_long_add_return_unchecked(long i, atomic_long_unchecked_t *l)
69975 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
69977 + return (long)atomic64_add_return_unchecked(i, v);
69981 static inline long atomic_long_sub_return(long i, atomic_long_t *l)
69983 atomic64_t *v = (atomic64_t *)l;
69984 @@ -115,6 +184,15 @@ static inline long atomic_long_inc_return(atomic_long_t *l)
69985 return (long)atomic64_inc_return(v);
69988 +#ifdef CONFIG_PAX_REFCOUNT
69989 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
69991 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
69993 + return (long)atomic64_inc_return_unchecked(v);
69997 static inline long atomic_long_dec_return(atomic_long_t *l)
69999 atomic64_t *v = (atomic64_t *)l;
70000 @@ -140,6 +218,12 @@ static inline long atomic_long_add_unless(atomic_long_t *l, long a, long u)
70002 typedef atomic_t atomic_long_t;
70004 +#ifdef CONFIG_PAX_REFCOUNT
70005 +typedef atomic_unchecked_t atomic_long_unchecked_t;
70007 +typedef atomic_t atomic_long_unchecked_t;
70010 #define ATOMIC_LONG_INIT(i) ATOMIC_INIT(i)
70011 static inline long atomic_long_read(atomic_long_t *l)
70013 @@ -148,6 +232,15 @@ static inline long atomic_long_read(atomic_long_t *l)
70014 return (long)atomic_read(v);
70017 +#ifdef CONFIG_PAX_REFCOUNT
70018 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
70020 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
70022 + return (long)atomic_read_unchecked(v);
70026 static inline void atomic_long_set(atomic_long_t *l, long i)
70028 atomic_t *v = (atomic_t *)l;
70029 @@ -155,6 +248,15 @@ static inline void atomic_long_set(atomic_long_t *l, long i)
70033 +#ifdef CONFIG_PAX_REFCOUNT
70034 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
70036 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
70038 + atomic_set_unchecked(v, i);
70042 static inline void atomic_long_inc(atomic_long_t *l)
70044 atomic_t *v = (atomic_t *)l;
70045 @@ -162,6 +264,15 @@ static inline void atomic_long_inc(atomic_long_t *l)
70049 +#ifdef CONFIG_PAX_REFCOUNT
70050 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
70052 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
70054 + atomic_inc_unchecked(v);
70058 static inline void atomic_long_dec(atomic_long_t *l)
70060 atomic_t *v = (atomic_t *)l;
70061 @@ -169,6 +280,15 @@ static inline void atomic_long_dec(atomic_long_t *l)
70065 +#ifdef CONFIG_PAX_REFCOUNT
70066 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
70068 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
70070 + atomic_dec_unchecked(v);
70074 static inline void atomic_long_add(long i, atomic_long_t *l)
70076 atomic_t *v = (atomic_t *)l;
70077 @@ -176,6 +296,15 @@ static inline void atomic_long_add(long i, atomic_long_t *l)
70081 +#ifdef CONFIG_PAX_REFCOUNT
70082 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
70084 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
70086 + atomic_add_unchecked(i, v);
70090 static inline void atomic_long_sub(long i, atomic_long_t *l)
70092 atomic_t *v = (atomic_t *)l;
70093 @@ -183,6 +312,15 @@ static inline void atomic_long_sub(long i, atomic_long_t *l)
70097 +#ifdef CONFIG_PAX_REFCOUNT
70098 +static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
70100 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
70102 + atomic_sub_unchecked(i, v);
70106 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
70108 atomic_t *v = (atomic_t *)l;
70109 @@ -218,6 +356,16 @@ static inline long atomic_long_add_return(long i, atomic_long_t *l)
70110 return (long)atomic_add_return(i, v);
70113 +#ifdef CONFIG_PAX_REFCOUNT
70114 +static inline long atomic_long_add_return_unchecked(long i, atomic_long_unchecked_t *l)
70116 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
70118 + return (long)atomic_add_return_unchecked(i, v);
70123 static inline long atomic_long_sub_return(long i, atomic_long_t *l)
70125 atomic_t *v = (atomic_t *)l;
70126 @@ -232,6 +380,15 @@ static inline long atomic_long_inc_return(atomic_long_t *l)
70127 return (long)atomic_inc_return(v);
70130 +#ifdef CONFIG_PAX_REFCOUNT
70131 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
70133 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
70135 + return (long)atomic_inc_return_unchecked(v);
70139 static inline long atomic_long_dec_return(atomic_long_t *l)
70141 atomic_t *v = (atomic_t *)l;
70142 @@ -255,4 +412,57 @@ static inline long atomic_long_add_unless(atomic_long_t *l, long a, long u)
70144 #endif /* BITS_PER_LONG == 64 */
70146 +#ifdef CONFIG_PAX_REFCOUNT
70147 +static inline void pax_refcount_needs_these_functions(void)
70149 + atomic_read_unchecked((atomic_unchecked_t *)NULL);
70150 + atomic_set_unchecked((atomic_unchecked_t *)NULL, 0);
70151 + atomic_add_unchecked(0, (atomic_unchecked_t *)NULL);
70152 + atomic_sub_unchecked(0, (atomic_unchecked_t *)NULL);
70153 + atomic_inc_unchecked((atomic_unchecked_t *)NULL);
70154 + (void)atomic_inc_and_test_unchecked((atomic_unchecked_t *)NULL);
70155 + atomic_inc_return_unchecked((atomic_unchecked_t *)NULL);
70156 + atomic_add_return_unchecked(0, (atomic_unchecked_t *)NULL);
70157 + atomic_dec_unchecked((atomic_unchecked_t *)NULL);
70158 + atomic_cmpxchg_unchecked((atomic_unchecked_t *)NULL, 0, 0);
70159 + (void)atomic_xchg_unchecked((atomic_unchecked_t *)NULL, 0);
70161 + atomic_clear_mask_unchecked(0, NULL);
70162 + atomic_set_mask_unchecked(0, NULL);
70165 + atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL);
70166 + atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0);
70167 + atomic_long_add_unchecked(0, (atomic_long_unchecked_t *)NULL);
70168 + atomic_long_sub_unchecked(0, (atomic_long_unchecked_t *)NULL);
70169 + atomic_long_inc_unchecked((atomic_long_unchecked_t *)NULL);
70170 + atomic_long_add_return_unchecked(0, (atomic_long_unchecked_t *)NULL);
70171 + atomic_long_inc_return_unchecked((atomic_long_unchecked_t *)NULL);
70172 + atomic_long_dec_unchecked((atomic_long_unchecked_t *)NULL);
70175 +#define atomic_read_unchecked(v) atomic_read(v)
70176 +#define atomic_set_unchecked(v, i) atomic_set((v), (i))
70177 +#define atomic_add_unchecked(i, v) atomic_add((i), (v))
70178 +#define atomic_sub_unchecked(i, v) atomic_sub((i), (v))
70179 +#define atomic_inc_unchecked(v) atomic_inc(v)
70180 +#define atomic_inc_and_test_unchecked(v) atomic_inc_and_test(v)
70181 +#define atomic_inc_return_unchecked(v) atomic_inc_return(v)
70182 +#define atomic_add_return_unchecked(i, v) atomic_add_return((i), (v))
70183 +#define atomic_dec_unchecked(v) atomic_dec(v)
70184 +#define atomic_cmpxchg_unchecked(v, o, n) atomic_cmpxchg((v), (o), (n))
70185 +#define atomic_xchg_unchecked(v, i) atomic_xchg((v), (i))
70186 +#define atomic_clear_mask_unchecked(mask, v) atomic_clear_mask((mask), (v))
70187 +#define atomic_set_mask_unchecked(mask, v) atomic_set_mask((mask), (v))
70189 +#define atomic_long_read_unchecked(v) atomic_long_read(v)
70190 +#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i))
70191 +#define atomic_long_add_unchecked(i, v) atomic_long_add((i), (v))
70192 +#define atomic_long_sub_unchecked(i, v) atomic_long_sub((i), (v))
70193 +#define atomic_long_inc_unchecked(v) atomic_long_inc(v)
70194 +#define atomic_long_add_return_unchecked(i, v) atomic_long_add_return((i), (v))
70195 +#define atomic_long_inc_return_unchecked(v) atomic_long_inc_return(v)
70196 +#define atomic_long_dec_unchecked(v) atomic_long_dec(v)
70199 #endif /* _ASM_GENERIC_ATOMIC_LONG_H */
70200 diff --git a/include/asm-generic/atomic.h b/include/asm-generic/atomic.h
70201 index 33bd2de..f31bff97 100644
70202 --- a/include/asm-generic/atomic.h
70203 +++ b/include/asm-generic/atomic.h
70204 @@ -153,7 +153,7 @@ static inline int __atomic_add_unless(atomic_t *v, int a, int u)
70205 * Atomically clears the bits set in @mask from @v
70207 #ifndef atomic_clear_mask
70208 -static inline void atomic_clear_mask(unsigned long mask, atomic_t *v)
70209 +static inline void atomic_clear_mask(unsigned int mask, atomic_t *v)
70211 unsigned long flags;
70213 diff --git a/include/asm-generic/atomic64.h b/include/asm-generic/atomic64.h
70214 index b18ce4f..2ee2843 100644
70215 --- a/include/asm-generic/atomic64.h
70216 +++ b/include/asm-generic/atomic64.h
70217 @@ -16,6 +16,8 @@ typedef struct {
70221 +typedef atomic64_t atomic64_unchecked_t;
70223 #define ATOMIC64_INIT(i) { (i) }
70225 extern long long atomic64_read(const atomic64_t *v);
70226 @@ -39,4 +41,14 @@ extern int atomic64_add_unless(atomic64_t *v, long long a, long long u);
70227 #define atomic64_dec_and_test(v) (atomic64_dec_return((v)) == 0)
70228 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1LL, 0LL)
70230 +#define atomic64_read_unchecked(v) atomic64_read(v)
70231 +#define atomic64_set_unchecked(v, i) atomic64_set((v), (i))
70232 +#define atomic64_add_unchecked(a, v) atomic64_add((a), (v))
70233 +#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v))
70234 +#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v))
70235 +#define atomic64_inc_unchecked(v) atomic64_inc(v)
70236 +#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v)
70237 +#define atomic64_dec_unchecked(v) atomic64_dec(v)
70238 +#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n))
70240 #endif /* _ASM_GENERIC_ATOMIC64_H */
70241 diff --git a/include/asm-generic/cache.h b/include/asm-generic/cache.h
70242 index 1bfcfe5..e04c5c9 100644
70243 --- a/include/asm-generic/cache.h
70244 +++ b/include/asm-generic/cache.h
70246 * cache lines need to provide their own cache.h.
70249 -#define L1_CACHE_SHIFT 5
70250 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
70251 +#define L1_CACHE_SHIFT 5UL
70252 +#define L1_CACHE_BYTES (1UL << L1_CACHE_SHIFT)
70254 #endif /* __ASM_GENERIC_CACHE_H */
70255 diff --git a/include/asm-generic/emergency-restart.h b/include/asm-generic/emergency-restart.h
70256 index 0d68a1e..b74a761 100644
70257 --- a/include/asm-generic/emergency-restart.h
70258 +++ b/include/asm-generic/emergency-restart.h
70260 #ifndef _ASM_GENERIC_EMERGENCY_RESTART_H
70261 #define _ASM_GENERIC_EMERGENCY_RESTART_H
70263 -static inline void machine_emergency_restart(void)
70264 +static inline __noreturn void machine_emergency_restart(void)
70266 machine_restart(NULL);
70268 diff --git a/include/asm-generic/kmap_types.h b/include/asm-generic/kmap_types.h
70269 index 90f99c7..00ce236 100644
70270 --- a/include/asm-generic/kmap_types.h
70271 +++ b/include/asm-generic/kmap_types.h
70273 #define _ASM_GENERIC_KMAP_TYPES_H
70275 #ifdef __WITH_KM_FENCE
70276 -# define KM_TYPE_NR 41
70277 +# define KM_TYPE_NR 42
70279 -# define KM_TYPE_NR 20
70280 +# define KM_TYPE_NR 21
70284 diff --git a/include/asm-generic/local.h b/include/asm-generic/local.h
70285 index 9ceb03b..62b0b8f 100644
70286 --- a/include/asm-generic/local.h
70287 +++ b/include/asm-generic/local.h
70288 @@ -23,24 +23,37 @@ typedef struct
70293 + atomic_long_unchecked_t a;
70294 +} local_unchecked_t;
70296 #define LOCAL_INIT(i) { ATOMIC_LONG_INIT(i) }
70298 #define local_read(l) atomic_long_read(&(l)->a)
70299 +#define local_read_unchecked(l) atomic_long_read_unchecked(&(l)->a)
70300 #define local_set(l,i) atomic_long_set((&(l)->a),(i))
70301 +#define local_set_unchecked(l,i) atomic_long_set_unchecked((&(l)->a),(i))
70302 #define local_inc(l) atomic_long_inc(&(l)->a)
70303 +#define local_inc_unchecked(l) atomic_long_inc_unchecked(&(l)->a)
70304 #define local_dec(l) atomic_long_dec(&(l)->a)
70305 +#define local_dec_unchecked(l) atomic_long_dec_unchecked(&(l)->a)
70306 #define local_add(i,l) atomic_long_add((i),(&(l)->a))
70307 +#define local_add_unchecked(i,l) atomic_long_add_unchecked((i),(&(l)->a))
70308 #define local_sub(i,l) atomic_long_sub((i),(&(l)->a))
70309 +#define local_sub_unchecked(i,l) atomic_long_sub_unchecked((i),(&(l)->a))
70311 #define local_sub_and_test(i, l) atomic_long_sub_and_test((i), (&(l)->a))
70312 #define local_dec_and_test(l) atomic_long_dec_and_test(&(l)->a)
70313 #define local_inc_and_test(l) atomic_long_inc_and_test(&(l)->a)
70314 #define local_add_negative(i, l) atomic_long_add_negative((i), (&(l)->a))
70315 #define local_add_return(i, l) atomic_long_add_return((i), (&(l)->a))
70316 +#define local_add_return_unchecked(i, l) atomic_long_add_return_unchecked((i), (&(l)->a))
70317 #define local_sub_return(i, l) atomic_long_sub_return((i), (&(l)->a))
70318 #define local_inc_return(l) atomic_long_inc_return(&(l)->a)
70319 +#define local_dec_return(l) atomic_long_dec_return(&(l)->a)
70321 #define local_cmpxchg(l, o, n) atomic_long_cmpxchg((&(l)->a), (o), (n))
70322 +#define local_cmpxchg_unchecked(l, o, n) atomic_long_cmpxchg((&(l)->a), (o), (n))
70323 #define local_xchg(l, n) atomic_long_xchg((&(l)->a), (n))
70324 #define local_add_unless(l, _a, u) atomic_long_add_unless((&(l)->a), (_a), (u))
70325 #define local_inc_not_zero(l) atomic_long_inc_not_zero(&(l)->a)
70326 diff --git a/include/asm-generic/pgtable-nopmd.h b/include/asm-generic/pgtable-nopmd.h
70327 index 725612b..9cc513a 100644
70328 --- a/include/asm-generic/pgtable-nopmd.h
70329 +++ b/include/asm-generic/pgtable-nopmd.h
70331 #ifndef _PGTABLE_NOPMD_H
70332 #define _PGTABLE_NOPMD_H
70334 -#ifndef __ASSEMBLY__
70336 #include <asm-generic/pgtable-nopud.h>
70340 #define __PAGETABLE_PMD_FOLDED
70342 +#define PMD_SHIFT PUD_SHIFT
70343 +#define PTRS_PER_PMD 1
70344 +#define PMD_SIZE (_AC(1,UL) << PMD_SHIFT)
70345 +#define PMD_MASK (~(PMD_SIZE-1))
70347 +#ifndef __ASSEMBLY__
70352 * Having the pmd type consist of a pud gets the size right, and allows
70353 * us to conceptually access the pud entry that this pmd is folded into
70354 @@ -16,11 +21,6 @@ struct mm_struct;
70356 typedef struct { pud_t pud; } pmd_t;
70358 -#define PMD_SHIFT PUD_SHIFT
70359 -#define PTRS_PER_PMD 1
70360 -#define PMD_SIZE (1UL << PMD_SHIFT)
70361 -#define PMD_MASK (~(PMD_SIZE-1))
70364 * The "pud_xxx()" functions here are trivial for a folded two-level
70365 * setup: the pmd is never bad, and a pmd always exists (as it's folded
70366 diff --git a/include/asm-generic/pgtable-nopud.h b/include/asm-generic/pgtable-nopud.h
70367 index 810431d..0ec4804f 100644
70368 --- a/include/asm-generic/pgtable-nopud.h
70369 +++ b/include/asm-generic/pgtable-nopud.h
70371 #ifndef _PGTABLE_NOPUD_H
70372 #define _PGTABLE_NOPUD_H
70374 -#ifndef __ASSEMBLY__
70376 #define __PAGETABLE_PUD_FOLDED
70378 +#define PUD_SHIFT PGDIR_SHIFT
70379 +#define PTRS_PER_PUD 1
70380 +#define PUD_SIZE (_AC(1,UL) << PUD_SHIFT)
70381 +#define PUD_MASK (~(PUD_SIZE-1))
70383 +#ifndef __ASSEMBLY__
70386 * Having the pud type consist of a pgd gets the size right, and allows
70387 * us to conceptually access the pgd entry that this pud is folded into
70390 typedef struct { pgd_t pgd; } pud_t;
70392 -#define PUD_SHIFT PGDIR_SHIFT
70393 -#define PTRS_PER_PUD 1
70394 -#define PUD_SIZE (1UL << PUD_SHIFT)
70395 -#define PUD_MASK (~(PUD_SIZE-1))
70398 * The "pgd_xxx()" functions here are trivial for a folded two-level
70399 * setup: the pud is never bad, and a pud always exists (as it's folded
70400 @@ -29,6 +29,7 @@ static inline void pgd_clear(pgd_t *pgd) { }
70401 #define pud_ERROR(pud) (pgd_ERROR((pud).pgd))
70403 #define pgd_populate(mm, pgd, pud) do { } while (0)
70404 +#define pgd_populate_kernel(mm, pgd, pud) do { } while (0)
70406 * (puds are folded into pgds so this doesn't get actually called,
70407 * but the define is needed for a generic inline function.)
70408 diff --git a/include/asm-generic/pgtable.h b/include/asm-generic/pgtable.h
70409 index a59ff51..2594a70 100644
70410 --- a/include/asm-generic/pgtable.h
70411 +++ b/include/asm-generic/pgtable.h
70412 @@ -688,6 +688,14 @@ static inline pmd_t pmd_mknuma(pmd_t pmd)
70414 #endif /* CONFIG_NUMA_BALANCING */
70416 +#ifndef __HAVE_ARCH_PAX_OPEN_KERNEL
70417 +static inline unsigned long pax_open_kernel(void) { return 0; }
70420 +#ifndef __HAVE_ARCH_PAX_CLOSE_KERNEL
70421 +static inline unsigned long pax_close_kernel(void) { return 0; }
70424 #endif /* CONFIG_MMU */
70426 #endif /* !__ASSEMBLY__ */
70427 diff --git a/include/asm-generic/uaccess.h b/include/asm-generic/uaccess.h
70428 index c184aa8..d049942 100644
70429 --- a/include/asm-generic/uaccess.h
70430 +++ b/include/asm-generic/uaccess.h
70431 @@ -343,4 +343,12 @@ clear_user(void __user *to, unsigned long n)
70432 return __clear_user(to, n);
70435 +#ifndef __HAVE_ARCH_PAX_OPEN_USERLAND
70436 +//static inline unsigned long pax_open_userland(void) { return 0; }
70439 +#ifndef __HAVE_ARCH_PAX_CLOSE_USERLAND
70440 +//static inline unsigned long pax_close_userland(void) { return 0; }
70443 #endif /* __ASM_GENERIC_UACCESS_H */
70444 diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h
70445 index eb58d2d..df131bf 100644
70446 --- a/include/asm-generic/vmlinux.lds.h
70447 +++ b/include/asm-generic/vmlinux.lds.h
70448 @@ -239,6 +239,7 @@
70449 .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
70450 VMLINUX_SYMBOL(__start_rodata) = .; \
70451 *(.rodata) *(.rodata.*) \
70452 + *(.data..read_only) \
70453 *(__vermagic) /* Kernel version magic */ \
70455 VMLINUX_SYMBOL(__start___tracepoints_ptrs) = .; \
70456 @@ -749,17 +750,18 @@
70457 * section in the linker script will go there too. @phdr should have
70460 - * Note that this macros defines __per_cpu_load as an absolute symbol.
70461 + * Note that this macros defines per_cpu_load as an absolute symbol.
70462 * If there is no need to put the percpu section at a predetermined
70463 * address, use PERCPU_SECTION.
70465 #define PERCPU_VADDR(cacheline, vaddr, phdr) \
70466 - VMLINUX_SYMBOL(__per_cpu_load) = .; \
70467 - .data..percpu vaddr : AT(VMLINUX_SYMBOL(__per_cpu_load) \
70468 + per_cpu_load = .; \
70469 + .data..percpu vaddr : AT(VMLINUX_SYMBOL(per_cpu_load) \
70471 + VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load; \
70472 PERCPU_INPUT(cacheline) \
70474 - . = VMLINUX_SYMBOL(__per_cpu_load) + SIZEOF(.data..percpu);
70475 + . = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data..percpu);
70478 * PERCPU_SECTION - define output section for percpu area, simple version
70479 diff --git a/include/crypto/algapi.h b/include/crypto/algapi.h
70480 index 418d270..bfd2794 100644
70481 --- a/include/crypto/algapi.h
70482 +++ b/include/crypto/algapi.h
70483 @@ -34,7 +34,7 @@ struct crypto_type {
70484 unsigned int maskclear;
70485 unsigned int maskset;
70486 unsigned int tfmsize;
70490 struct crypto_instance {
70491 struct crypto_alg alg;
70492 diff --git a/include/drm/drmP.h b/include/drm/drmP.h
70493 index 63d17ee..716de2b 100644
70494 --- a/include/drm/drmP.h
70495 +++ b/include/drm/drmP.h
70497 #include <linux/workqueue.h>
70498 #include <linux/poll.h>
70499 #include <asm/pgalloc.h>
70500 +#include <asm/local.h>
70501 #include <drm/drm.h>
70502 #include <drm/drm_sarea.h>
70504 @@ -296,10 +297,12 @@ do { \
70505 * \param cmd command.
70506 * \param arg argument.
70508 -typedef int drm_ioctl_t(struct drm_device *dev, void *data,
70509 +typedef int (* const drm_ioctl_t)(struct drm_device *dev, void *data,
70510 + struct drm_file *file_priv);
70511 +typedef int (* drm_ioctl_no_const_t)(struct drm_device *dev, void *data,
70512 struct drm_file *file_priv);
70514 -typedef int drm_ioctl_compat_t(struct file *filp, unsigned int cmd,
70515 +typedef int (* const drm_ioctl_compat_t)(struct file *filp, unsigned int cmd,
70516 unsigned long arg);
70518 #define DRM_IOCTL_NR(n) _IOC_NR(n)
70519 @@ -314,10 +317,10 @@ typedef int drm_ioctl_compat_t(struct file *filp, unsigned int cmd,
70520 struct drm_ioctl_desc {
70523 - drm_ioctl_t *func;
70524 + drm_ioctl_t func;
70525 unsigned int cmd_drv;
70531 * Creates a driver or general drm_ioctl_desc array entry for the given
70532 @@ -1015,7 +1018,7 @@ struct drm_info_list {
70533 int (*show)(struct seq_file*, void*); /** show callback */
70534 u32 driver_features; /**< Required driver features for this entry */
70540 * debugfs node structure. This structure represents a debugfs file.
70541 @@ -1088,7 +1091,7 @@ struct drm_device {
70543 /** \name Usage Counters */
70545 - int open_count; /**< Outstanding files open */
70546 + local_t open_count; /**< Outstanding files open */
70547 atomic_t ioctl_count; /**< Outstanding IOCTLs pending */
70548 atomic_t vma_count; /**< Outstanding vma areas open */
70549 int buf_use; /**< Buffers in use -- cannot alloc */
70550 @@ -1099,7 +1102,7 @@ struct drm_device {
70552 unsigned long counters;
70553 enum drm_stat_type types[15];
70554 - atomic_t counts[15];
70555 + atomic_unchecked_t counts[15];
70558 struct list_head filelist;
70559 diff --git a/include/drm/drm_crtc_helper.h b/include/drm/drm_crtc_helper.h
70560 index f43d556..94d9343 100644
70561 --- a/include/drm/drm_crtc_helper.h
70562 +++ b/include/drm/drm_crtc_helper.h
70563 @@ -109,7 +109,7 @@ struct drm_encoder_helper_funcs {
70564 struct drm_connector *connector);
70565 /* disable encoder when not in use - more explicit than dpms off */
70566 void (*disable)(struct drm_encoder *encoder);
70571 * drm_connector_helper_funcs - helper operations for connectors
70572 diff --git a/include/drm/ttm/ttm_memory.h b/include/drm/ttm/ttm_memory.h
70573 index 72dcbe8..8db58d7 100644
70574 --- a/include/drm/ttm/ttm_memory.h
70575 +++ b/include/drm/ttm/ttm_memory.h
70578 struct ttm_mem_shrink {
70579 int (*do_shrink) (struct ttm_mem_shrink *);
70584 * struct ttm_mem_global - Global memory accounting structure.
70585 diff --git a/include/keys/asymmetric-subtype.h b/include/keys/asymmetric-subtype.h
70586 index 4b840e8..155d235 100644
70587 --- a/include/keys/asymmetric-subtype.h
70588 +++ b/include/keys/asymmetric-subtype.h
70589 @@ -37,7 +37,7 @@ struct asymmetric_key_subtype {
70590 /* Verify the signature on a key of this subtype (optional) */
70591 int (*verify_signature)(const struct key *key,
70592 const struct public_key_signature *sig);
70597 * asymmetric_key_subtype - Get the subtype from an asymmetric key
70598 diff --git a/include/linux/atmdev.h b/include/linux/atmdev.h
70599 index c1da539..1dcec55 100644
70600 --- a/include/linux/atmdev.h
70601 +++ b/include/linux/atmdev.h
70602 @@ -28,7 +28,7 @@ struct compat_atm_iobuf {
70605 struct k_atm_aal_stats {
70606 -#define __HANDLE_ITEM(i) atomic_t i
70607 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
70609 #undef __HANDLE_ITEM
70611 @@ -200,7 +200,7 @@ struct atmdev_ops { /* only send is required */
70612 int (*change_qos)(struct atm_vcc *vcc,struct atm_qos *qos,int flags);
70613 int (*proc_read)(struct atm_dev *dev,loff_t *pos,char *page);
70614 struct module *owner;
70618 struct atmphy_ops {
70619 int (*start)(struct atm_dev *dev);
70620 diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h
70621 index 70cf138..0418ee2 100644
70622 --- a/include/linux/binfmts.h
70623 +++ b/include/linux/binfmts.h
70624 @@ -73,8 +73,10 @@ struct linux_binfmt {
70625 int (*load_binary)(struct linux_binprm *);
70626 int (*load_shlib)(struct file *);
70627 int (*core_dump)(struct coredump_params *cprm);
70628 + void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags);
70629 + void (*handle_mmap)(struct file *);
70630 unsigned long min_coredump; /* minimal dump size */
70634 extern void __register_binfmt(struct linux_binfmt *fmt, int insert);
70636 diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
70637 index 2fdb4a4..54aad7e 100644
70638 --- a/include/linux/blkdev.h
70639 +++ b/include/linux/blkdev.h
70640 @@ -1526,7 +1526,7 @@ struct block_device_operations {
70641 /* this callback is with swap_lock and sometimes page table lock held */
70642 void (*swap_slot_free_notify) (struct block_device *, unsigned long);
70643 struct module *owner;
70647 extern int __blkdev_driver_ioctl(struct block_device *, fmode_t, unsigned int,
70649 diff --git a/include/linux/blktrace_api.h b/include/linux/blktrace_api.h
70650 index 7c2e030..b72475d 100644
70651 --- a/include/linux/blktrace_api.h
70652 +++ b/include/linux/blktrace_api.h
70653 @@ -23,7 +23,7 @@ struct blk_trace {
70654 struct dentry *dir;
70655 struct dentry *dropped_file;
70656 struct dentry *msg_file;
70657 - atomic_t dropped;
70658 + atomic_unchecked_t dropped;
70661 extern int blk_trace_ioctl(struct block_device *, unsigned, char __user *);
70662 diff --git a/include/linux/cache.h b/include/linux/cache.h
70663 index 4c57065..4307975 100644
70664 --- a/include/linux/cache.h
70665 +++ b/include/linux/cache.h
70667 #define __read_mostly
70670 +#ifndef __read_only
70671 +#define __read_only __read_mostly
70674 #ifndef ____cacheline_aligned
70675 #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
70677 diff --git a/include/linux/capability.h b/include/linux/capability.h
70678 index d9a4f7f4..19f77d6 100644
70679 --- a/include/linux/capability.h
70680 +++ b/include/linux/capability.h
70681 @@ -213,8 +213,13 @@ extern bool ns_capable(struct user_namespace *ns, int cap);
70682 extern bool nsown_capable(int cap);
70683 extern bool inode_capable(const struct inode *inode, int cap);
70684 extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
70685 +extern bool capable_nolog(int cap);
70686 +extern bool ns_capable_nolog(struct user_namespace *ns, int cap);
70687 +extern bool inode_capable_nolog(const struct inode *inode, int cap);
70689 /* audit system wants to get cap info from files as well */
70690 extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
70692 +extern int is_privileged_binary(const struct dentry *dentry);
70694 #endif /* !_LINUX_CAPABILITY_H */
70695 diff --git a/include/linux/cdrom.h b/include/linux/cdrom.h
70696 index 8609d57..86e4d79 100644
70697 --- a/include/linux/cdrom.h
70698 +++ b/include/linux/cdrom.h
70699 @@ -87,7 +87,6 @@ struct cdrom_device_ops {
70701 /* driver specifications */
70702 const int capability; /* capability flags */
70703 - int n_minors; /* number of active minor devices */
70704 /* handle uniform packets for scsi type devices (scsi,atapi) */
70705 int (*generic_packet) (struct cdrom_device_info *,
70706 struct packet_command *);
70707 diff --git a/include/linux/cleancache.h b/include/linux/cleancache.h
70708 index 4ce9056..86caac6 100644
70709 --- a/include/linux/cleancache.h
70710 +++ b/include/linux/cleancache.h
70711 @@ -31,7 +31,7 @@ struct cleancache_ops {
70712 void (*invalidate_page)(int, struct cleancache_filekey, pgoff_t);
70713 void (*invalidate_inode)(int, struct cleancache_filekey);
70714 void (*invalidate_fs)(int);
70718 extern struct cleancache_ops *
70719 cleancache_register_ops(struct cleancache_ops *ops);
70720 diff --git a/include/linux/clk-provider.h b/include/linux/clk-provider.h
70721 index 1186098..f87e53d 100644
70722 --- a/include/linux/clk-provider.h
70723 +++ b/include/linux/clk-provider.h
70724 @@ -132,6 +132,7 @@ struct clk_ops {
70726 void (*init)(struct clk_hw *hw);
70728 +typedef struct clk_ops __no_const clk_ops_no_const;
70731 * struct clk_init_data - holds init data that's common to all clocks and is
70732 diff --git a/include/linux/compat.h b/include/linux/compat.h
70733 index 7f0c1dd..206ac34 100644
70734 --- a/include/linux/compat.h
70735 +++ b/include/linux/compat.h
70736 @@ -312,7 +312,7 @@ compat_sys_get_robust_list(int pid, compat_uptr_t __user *head_ptr,
70737 compat_size_t __user *len_ptr);
70739 asmlinkage long compat_sys_ipc(u32, int, int, u32, compat_uptr_t, u32);
70740 -asmlinkage long compat_sys_shmat(int shmid, compat_uptr_t shmaddr, int shmflg);
70741 +asmlinkage long compat_sys_shmat(int shmid, compat_uptr_t shmaddr, int shmflg) __intentional_overflow(0);
70742 asmlinkage long compat_sys_semctl(int semid, int semnum, int cmd, int arg);
70743 asmlinkage long compat_sys_msgsnd(int msqid, compat_uptr_t msgp,
70744 compat_ssize_t msgsz, int msgflg);
70745 @@ -419,7 +419,7 @@ extern int compat_ptrace_request(struct task_struct *child,
70746 extern long compat_arch_ptrace(struct task_struct *child, compat_long_t request,
70747 compat_ulong_t addr, compat_ulong_t data);
70748 asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid,
70749 - compat_long_t addr, compat_long_t data);
70750 + compat_ulong_t addr, compat_ulong_t data);
70752 asmlinkage long compat_sys_lookup_dcookie(u32, u32, char __user *, size_t);
70754 @@ -669,6 +669,7 @@ asmlinkage long compat_sys_sigaltstack(const compat_stack_t __user *uss_ptr,
70756 int compat_restore_altstack(const compat_stack_t __user *uss);
70757 int __compat_save_altstack(compat_stack_t __user *, unsigned long);
70758 +void __compat_save_altstack_ex(compat_stack_t __user *, unsigned long);
70760 asmlinkage long compat_sys_sched_rr_get_interval(compat_pid_t pid,
70761 struct compat_timespec __user *interval);
70762 diff --git a/include/linux/compiler-gcc4.h b/include/linux/compiler-gcc4.h
70763 index 842de22..7f3a41f 100644
70764 --- a/include/linux/compiler-gcc4.h
70765 +++ b/include/linux/compiler-gcc4.h
70767 # define __compiletime_warning(message) __attribute__((warning(message)))
70768 # define __compiletime_error(message) __attribute__((error(message)))
70769 #endif /* __CHECKER__ */
70771 +#define __alloc_size(...) __attribute((alloc_size(__VA_ARGS__)))
70772 +#define __bos(ptr, arg) __builtin_object_size((ptr), (arg))
70773 +#define __bos0(ptr) __bos((ptr), 0)
70774 +#define __bos1(ptr) __bos((ptr), 1)
70775 #endif /* GCC_VERSION >= 40300 */
70777 #if GCC_VERSION >= 40500
70779 +#ifdef CONSTIFY_PLUGIN
70780 +#define __no_const __attribute__((no_const))
70781 +#define __do_const __attribute__((do_const))
70784 +#ifdef SIZE_OVERFLOW_PLUGIN
70785 +#define __size_overflow(...) __attribute__((size_overflow(__VA_ARGS__)))
70786 +#define __intentional_overflow(...) __attribute__((intentional_overflow(__VA_ARGS__)))
70789 +#ifdef LATENT_ENTROPY_PLUGIN
70790 +#define __latent_entropy __attribute__((latent_entropy))
70794 * Mark a position in code as unreachable. This can be used to
70795 * suppress control flow warnings after asm blocks that transfer
70796 diff --git a/include/linux/compiler.h b/include/linux/compiler.h
70797 index 92669cd..1771a15 100644
70798 --- a/include/linux/compiler.h
70799 +++ b/include/linux/compiler.h
70803 # define __user __attribute__((noderef, address_space(1)))
70804 +# define __force_user __force __user
70805 # define __kernel __attribute__((address_space(0)))
70806 +# define __force_kernel __force __kernel
70807 # define __safe __attribute__((safe))
70808 # define __force __attribute__((force))
70809 # define __nocast __attribute__((nocast))
70810 # define __iomem __attribute__((noderef, address_space(2)))
70811 +# define __force_iomem __force __iomem
70812 # define __must_hold(x) __attribute__((context(x,1,1)))
70813 # define __acquires(x) __attribute__((context(x,0,1)))
70814 # define __releases(x) __attribute__((context(x,1,0)))
70815 @@ -17,20 +20,37 @@
70816 # define __release(x) __context__(x,-1)
70817 # define __cond_lock(x,c) ((c) ? ({ __acquire(x); 1; }) : 0)
70818 # define __percpu __attribute__((noderef, address_space(3)))
70819 +# define __force_percpu __force __percpu
70820 #ifdef CONFIG_SPARSE_RCU_POINTER
70821 # define __rcu __attribute__((noderef, address_space(4)))
70822 +# define __force_rcu __force __rcu
70825 +# define __force_rcu
70827 extern void __chk_user_ptr(const volatile void __user *);
70828 extern void __chk_io_ptr(const volatile void __iomem *);
70832 +# ifdef CHECKER_PLUGIN
70834 +//# define __force_user
70835 +//# define __kernel
70836 +//# define __force_kernel
70838 +# ifdef STRUCTLEAK_PLUGIN
70839 +# define __user __attribute__((user))
70843 +# define __force_user
70845 +# define __force_kernel
70851 +# define __force_iomem
70852 # define __chk_user_ptr(x) (void)0
70853 # define __chk_io_ptr(x) (void)0
70854 # define __builtin_warning(x, y...) (1)
70855 @@ -41,7 +61,9 @@ extern void __chk_io_ptr(const volatile void __iomem *);
70856 # define __release(x) (void)0
70857 # define __cond_lock(x,c) (c)
70859 +# define __force_percpu
70861 +# define __force_rcu
70864 /* Indirect macros required for expanded argument pasting, eg. __LINE__. */
70865 @@ -275,6 +297,26 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
70866 # define __attribute_const__ /* unimplemented */
70869 +#ifndef __no_const
70870 +# define __no_const
70873 +#ifndef __do_const
70874 +# define __do_const
70877 +#ifndef __size_overflow
70878 +# define __size_overflow(...)
70881 +#ifndef __intentional_overflow
70882 +# define __intentional_overflow(...)
70885 +#ifndef __latent_entropy
70886 +# define __latent_entropy
70890 * Tell gcc if a function is cold. The compiler will assume any path
70891 * directly leading to the call is unlikely.
70892 @@ -284,6 +326,22 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
70896 +#ifndef __alloc_size
70897 +#define __alloc_size(...)
70901 +#define __bos(ptr, arg)
70905 +#define __bos0(ptr)
70909 +#define __bos1(ptr)
70912 /* Simple shorthand for a section definition */
70914 # define __section(S) __attribute__ ((__section__(#S)))
70915 @@ -349,7 +407,8 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
70916 * use is to mediate communication between process-level code and irq/NMI
70917 * handlers, all running on the same CPU.
70919 -#define ACCESS_ONCE(x) (*(volatile typeof(x) *)&(x))
70920 +#define ACCESS_ONCE(x) (*(volatile const typeof(x) *)&(x))
70921 +#define ACCESS_ONCE_RW(x) (*(volatile typeof(x) *)&(x))
70923 /* Ignore/forbid kprobes attach on very low level functions marked by this attribute: */
70924 #ifdef CONFIG_KPROBES
70925 diff --git a/include/linux/completion.h b/include/linux/completion.h
70926 index 33f0280..35c6568 100644
70927 --- a/include/linux/completion.h
70928 +++ b/include/linux/completion.h
70929 @@ -79,15 +79,15 @@ static inline void init_completion(struct completion *x)
70930 extern void wait_for_completion(struct completion *);
70931 extern void wait_for_completion_io(struct completion *);
70932 extern int wait_for_completion_interruptible(struct completion *x);
70933 -extern int wait_for_completion_killable(struct completion *x);
70934 +extern int wait_for_completion_killable(struct completion *x) __intentional_overflow(-1);
70935 extern unsigned long wait_for_completion_timeout(struct completion *x,
70936 unsigned long timeout);
70937 extern unsigned long wait_for_completion_io_timeout(struct completion *x,
70938 unsigned long timeout);
70939 extern long wait_for_completion_interruptible_timeout(
70940 - struct completion *x, unsigned long timeout);
70941 + struct completion *x, unsigned long timeout) __intentional_overflow(-1);
70942 extern long wait_for_completion_killable_timeout(
70943 - struct completion *x, unsigned long timeout);
70944 + struct completion *x, unsigned long timeout) __intentional_overflow(-1);
70945 extern bool try_wait_for_completion(struct completion *x);
70946 extern bool completion_done(struct completion *x);
70948 diff --git a/include/linux/configfs.h b/include/linux/configfs.h
70949 index 34025df..d94bbbc 100644
70950 --- a/include/linux/configfs.h
70951 +++ b/include/linux/configfs.h
70952 @@ -125,7 +125,7 @@ struct configfs_attribute {
70953 const char *ca_name;
70954 struct module *ca_owner;
70960 * Users often need to create attribute structures for their configurable
70961 diff --git a/include/linux/cpu.h b/include/linux/cpu.h
70962 index 9f3c7e8..a18c7b6 100644
70963 --- a/include/linux/cpu.h
70964 +++ b/include/linux/cpu.h
70965 @@ -115,7 +115,7 @@ enum {
70966 /* Need to know about CPUs going up/down? */
70967 #if defined(CONFIG_HOTPLUG_CPU) || !defined(MODULE)
70968 #define cpu_notifier(fn, pri) { \
70969 - static struct notifier_block fn##_nb __cpuinitdata = \
70970 + static struct notifier_block fn##_nb = \
70971 { .notifier_call = fn, .priority = pri }; \
70972 register_cpu_notifier(&fn##_nb); \
70974 diff --git a/include/linux/cpufreq.h b/include/linux/cpufreq.h
70975 index 037d36a..ca5fe6e 100644
70976 --- a/include/linux/cpufreq.h
70977 +++ b/include/linux/cpufreq.h
70978 @@ -262,7 +262,7 @@ struct cpufreq_driver {
70979 int (*suspend) (struct cpufreq_policy *policy);
70980 int (*resume) (struct cpufreq_policy *policy);
70981 struct freq_attr **attr;
70987 @@ -321,6 +321,7 @@ struct global_attr {
70988 ssize_t (*store)(struct kobject *a, struct attribute *b,
70989 const char *c, size_t count);
70991 +typedef struct global_attr __no_const global_attr_no_const;
70993 #define define_one_global_ro(_name) \
70994 static struct global_attr _name = \
70995 diff --git a/include/linux/cpuidle.h b/include/linux/cpuidle.h
70996 index 8f04062..900239a 100644
70997 --- a/include/linux/cpuidle.h
70998 +++ b/include/linux/cpuidle.h
70999 @@ -52,7 +52,8 @@ struct cpuidle_state {
71002 int (*enter_dead) (struct cpuidle_device *dev, int index);
71005 +typedef struct cpuidle_state __no_const cpuidle_state_no_const;
71007 /* Idle State Flags */
71008 #define CPUIDLE_FLAG_TIME_VALID (0x01) /* is residency time measurable? */
71009 @@ -191,7 +192,7 @@ struct cpuidle_governor {
71010 void (*reflect) (struct cpuidle_device *dev, int index);
71012 struct module *owner;
71016 #ifdef CONFIG_CPU_IDLE
71018 diff --git a/include/linux/cpumask.h b/include/linux/cpumask.h
71019 index d08e4d2..95fad61 100644
71020 --- a/include/linux/cpumask.h
71021 +++ b/include/linux/cpumask.h
71022 @@ -118,17 +118,17 @@ static inline unsigned int cpumask_first(const struct cpumask *srcp)
71025 /* Valid inputs for n are -1 and 0. */
71026 -static inline unsigned int cpumask_next(int n, const struct cpumask *srcp)
71027 +static inline unsigned int __intentional_overflow(-1) cpumask_next(int n, const struct cpumask *srcp)
71032 -static inline unsigned int cpumask_next_zero(int n, const struct cpumask *srcp)
71033 +static inline unsigned int __intentional_overflow(-1) cpumask_next_zero(int n, const struct cpumask *srcp)
71038 -static inline unsigned int cpumask_next_and(int n,
71039 +static inline unsigned int __intentional_overflow(-1) cpumask_next_and(int n,
71040 const struct cpumask *srcp,
71041 const struct cpumask *andp)
71043 @@ -167,7 +167,7 @@ static inline unsigned int cpumask_first(const struct cpumask *srcp)
71045 * Returns >= nr_cpu_ids if no further cpus set.
71047 -static inline unsigned int cpumask_next(int n, const struct cpumask *srcp)
71048 +static inline unsigned int __intentional_overflow(-1) cpumask_next(int n, const struct cpumask *srcp)
71050 /* -1 is a legal arg here. */
71052 @@ -182,7 +182,7 @@ static inline unsigned int cpumask_next(int n, const struct cpumask *srcp)
71054 * Returns >= nr_cpu_ids if no further cpus unset.
71056 -static inline unsigned int cpumask_next_zero(int n, const struct cpumask *srcp)
71057 +static inline unsigned int __intentional_overflow(-1) cpumask_next_zero(int n, const struct cpumask *srcp)
71059 /* -1 is a legal arg here. */
71061 @@ -190,7 +190,7 @@ static inline unsigned int cpumask_next_zero(int n, const struct cpumask *srcp)
71062 return find_next_zero_bit(cpumask_bits(srcp), nr_cpumask_bits, n+1);
71065 -int cpumask_next_and(int n, const struct cpumask *, const struct cpumask *);
71066 +int cpumask_next_and(int n, const struct cpumask *, const struct cpumask *) __intentional_overflow(-1);
71067 int cpumask_any_but(const struct cpumask *mask, unsigned int cpu);
71070 diff --git a/include/linux/cred.h b/include/linux/cred.h
71071 index 04421e8..6bce4ef 100644
71072 --- a/include/linux/cred.h
71073 +++ b/include/linux/cred.h
71074 @@ -194,6 +194,9 @@ static inline void validate_creds_for_do_exit(struct task_struct *tsk)
71075 static inline void validate_process_creds(void)
71078 +static inline void validate_task_creds(struct task_struct *task)
71084 diff --git a/include/linux/crypto.h b/include/linux/crypto.h
71085 index b92eadf..b4ecdc1 100644
71086 --- a/include/linux/crypto.h
71087 +++ b/include/linux/crypto.h
71088 @@ -373,7 +373,7 @@ struct cipher_tfm {
71089 const u8 *key, unsigned int keylen);
71090 void (*cit_encrypt_one)(struct crypto_tfm *tfm, u8 *dst, const u8 *src);
71091 void (*cit_decrypt_one)(struct crypto_tfm *tfm, u8 *dst, const u8 *src);
71096 int (*init)(struct hash_desc *desc);
71097 @@ -394,13 +394,13 @@ struct compress_tfm {
71098 int (*cot_decompress)(struct crypto_tfm *tfm,
71099 const u8 *src, unsigned int slen,
71100 u8 *dst, unsigned int *dlen);
71105 int (*rng_gen_random)(struct crypto_rng *tfm, u8 *rdata,
71106 unsigned int dlen);
71107 int (*rng_reset)(struct crypto_rng *tfm, u8 *seed, unsigned int slen);
71111 #define crt_ablkcipher crt_u.ablkcipher
71112 #define crt_aead crt_u.aead
71113 diff --git a/include/linux/ctype.h b/include/linux/ctype.h
71114 index 653589e..4ef254a 100644
71115 --- a/include/linux/ctype.h
71116 +++ b/include/linux/ctype.h
71117 @@ -56,7 +56,7 @@ static inline unsigned char __toupper(unsigned char c)
71118 * Fast implementation of tolower() for internal usage. Do not use in your
71121 -static inline char _tolower(const char c)
71122 +static inline unsigned char _tolower(const unsigned char c)
71126 diff --git a/include/linux/decompress/mm.h b/include/linux/decompress/mm.h
71127 index 7925bf0..d5143d2 100644
71128 --- a/include/linux/decompress/mm.h
71129 +++ b/include/linux/decompress/mm.h
71130 @@ -77,7 +77,7 @@ static void free(void *where)
71131 * warnings when not needed (indeed large_malloc / large_free are not
71132 * needed by inflate */
71134 -#define malloc(a) kmalloc(a, GFP_KERNEL)
71135 +#define malloc(a) kmalloc((a), GFP_KERNEL)
71136 #define free(a) kfree(a)
71138 #define large_malloc(a) vmalloc(a)
71139 diff --git a/include/linux/devfreq.h b/include/linux/devfreq.h
71140 index fe8c447..bdc1f33 100644
71141 --- a/include/linux/devfreq.h
71142 +++ b/include/linux/devfreq.h
71143 @@ -114,7 +114,7 @@ struct devfreq_governor {
71144 int (*get_target_freq)(struct devfreq *this, unsigned long *freq);
71145 int (*event_handler)(struct devfreq *devfreq,
71146 unsigned int event, void *data);
71151 * struct devfreq - Device devfreq structure
71152 diff --git a/include/linux/device.h b/include/linux/device.h
71153 index c0a1261..dba7569 100644
71154 --- a/include/linux/device.h
71155 +++ b/include/linux/device.h
71156 @@ -290,7 +290,7 @@ struct subsys_interface {
71157 struct list_head node;
71158 int (*add_dev)(struct device *dev, struct subsys_interface *sif);
71159 int (*remove_dev)(struct device *dev, struct subsys_interface *sif);
71163 int subsys_interface_register(struct subsys_interface *sif);
71164 void subsys_interface_unregister(struct subsys_interface *sif);
71165 @@ -473,7 +473,7 @@ struct device_type {
71166 void (*release)(struct device *dev);
71168 const struct dev_pm_ops *pm;
71172 /* interface for exporting device attributes */
71173 struct device_attribute {
71174 @@ -483,11 +483,12 @@ struct device_attribute {
71175 ssize_t (*store)(struct device *dev, struct device_attribute *attr,
71176 const char *buf, size_t count);
71178 +typedef struct device_attribute __no_const device_attribute_no_const;
71180 struct dev_ext_attribute {
71181 struct device_attribute attr;
71186 ssize_t device_show_ulong(struct device *dev, struct device_attribute *attr,
71188 diff --git a/include/linux/dma-mapping.h b/include/linux/dma-mapping.h
71189 index 94af418..b1ca7a2 100644
71190 --- a/include/linux/dma-mapping.h
71191 +++ b/include/linux/dma-mapping.h
71192 @@ -54,7 +54,7 @@ struct dma_map_ops {
71193 u64 (*get_required_mask)(struct device *dev);
71199 #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
71201 diff --git a/include/linux/dmaengine.h b/include/linux/dmaengine.h
71202 index 96d3e4a..dc36433 100644
71203 --- a/include/linux/dmaengine.h
71204 +++ b/include/linux/dmaengine.h
71205 @@ -1035,9 +1035,9 @@ struct dma_pinned_list {
71206 struct dma_pinned_list *dma_pin_iovec_pages(struct iovec *iov, size_t len);
71207 void dma_unpin_iovec_pages(struct dma_pinned_list* pinned_list);
71209 -dma_cookie_t dma_memcpy_to_iovec(struct dma_chan *chan, struct iovec *iov,
71210 +dma_cookie_t __intentional_overflow(0) dma_memcpy_to_iovec(struct dma_chan *chan, struct iovec *iov,
71211 struct dma_pinned_list *pinned_list, unsigned char *kdata, size_t len);
71212 -dma_cookie_t dma_memcpy_pg_to_iovec(struct dma_chan *chan, struct iovec *iov,
71213 +dma_cookie_t __intentional_overflow(0) dma_memcpy_pg_to_iovec(struct dma_chan *chan, struct iovec *iov,
71214 struct dma_pinned_list *pinned_list, struct page *page,
71215 unsigned int offset, size_t len);
71217 diff --git a/include/linux/efi.h b/include/linux/efi.h
71218 index 2bc0ad7..3f7b006 100644
71219 --- a/include/linux/efi.h
71220 +++ b/include/linux/efi.h
71221 @@ -745,6 +745,7 @@ struct efivar_operations {
71222 efi_set_variable_t *set_variable;
71223 efi_query_variable_store_t *query_variable_store;
71225 +typedef struct efivar_operations __no_const efivar_operations_no_const;
71229 diff --git a/include/linux/elf.h b/include/linux/elf.h
71230 index 40a3c0e..4c45a38 100644
71231 --- a/include/linux/elf.h
71232 +++ b/include/linux/elf.h
71233 @@ -24,6 +24,7 @@ extern Elf32_Dyn _DYNAMIC [];
71234 #define elf_note elf32_note
71235 #define elf_addr_t Elf32_Off
71236 #define Elf_Half Elf32_Half
71237 +#define elf_dyn Elf32_Dyn
71241 @@ -34,6 +35,7 @@ extern Elf64_Dyn _DYNAMIC [];
71242 #define elf_note elf64_note
71243 #define elf_addr_t Elf64_Off
71244 #define Elf_Half Elf64_Half
71245 +#define elf_dyn Elf64_Dyn
71249 diff --git a/include/linux/err.h b/include/linux/err.h
71250 index f2edce2..cc2082c 100644
71251 --- a/include/linux/err.h
71252 +++ b/include/linux/err.h
71253 @@ -19,12 +19,12 @@
71255 #define IS_ERR_VALUE(x) unlikely((x) >= (unsigned long)-MAX_ERRNO)
71257 -static inline void * __must_check ERR_PTR(long error)
71258 +static inline void * __must_check __intentional_overflow(-1) ERR_PTR(long error)
71260 return (void *) error;
71263 -static inline long __must_check PTR_ERR(const void *ptr)
71264 +static inline long __must_check __intentional_overflow(-1) PTR_ERR(const void *ptr)
71268 diff --git a/include/linux/extcon.h b/include/linux/extcon.h
71269 index fcb51c8..bdafcf6 100644
71270 --- a/include/linux/extcon.h
71271 +++ b/include/linux/extcon.h
71272 @@ -134,7 +134,7 @@ struct extcon_dev {
71273 /* /sys/class/extcon/.../mutually_exclusive/... */
71274 struct attribute_group attr_g_muex;
71275 struct attribute **attrs_muex;
71276 - struct device_attribute *d_attrs_muex;
71277 + device_attribute_no_const *d_attrs_muex;
71281 diff --git a/include/linux/fb.h b/include/linux/fb.h
71282 index d49c60f..2834fbe 100644
71283 --- a/include/linux/fb.h
71284 +++ b/include/linux/fb.h
71285 @@ -304,7 +304,7 @@ struct fb_ops {
71286 /* called at KDB enter and leave time to prepare the console */
71287 int (*fb_debug_enter)(struct fb_info *info);
71288 int (*fb_debug_leave)(struct fb_info *info);
71292 #ifdef CONFIG_FB_TILEBLITTING
71293 #define FB_TILE_CURSOR_NONE 0
71294 diff --git a/include/linux/filter.h b/include/linux/filter.h
71295 index f65f5a6..2f4f93a 100644
71296 --- a/include/linux/filter.h
71297 +++ b/include/linux/filter.h
71298 @@ -20,6 +20,7 @@ struct compat_sock_fprog {
71302 +struct bpf_jit_work;
71306 @@ -27,6 +28,9 @@ struct sk_filter
71307 unsigned int len; /* Number of filter blocks */
71308 unsigned int (*bpf_func)(const struct sk_buff *skb,
71309 const struct sock_filter *filter);
71310 +#ifdef CONFIG_BPF_JIT
71311 + struct bpf_jit_work *work;
71313 struct rcu_head rcu;
71314 struct sock_filter insns[0];
71316 diff --git a/include/linux/frontswap.h b/include/linux/frontswap.h
71317 index 8293262..2b3b8bd 100644
71318 --- a/include/linux/frontswap.h
71319 +++ b/include/linux/frontswap.h
71320 @@ -11,7 +11,7 @@ struct frontswap_ops {
71321 int (*load)(unsigned, pgoff_t, struct page *);
71322 void (*invalidate_page)(unsigned, pgoff_t);
71323 void (*invalidate_area)(unsigned);
71327 extern bool frontswap_enabled;
71328 extern struct frontswap_ops *
71329 diff --git a/include/linux/fs.h b/include/linux/fs.h
71330 index 65c2be2..4c53f6e 100644
71331 --- a/include/linux/fs.h
71332 +++ b/include/linux/fs.h
71333 @@ -1543,7 +1543,8 @@ struct file_operations {
71334 long (*fallocate)(struct file *file, int mode, loff_t offset,
71336 int (*show_fdinfo)(struct seq_file *m, struct file *f);
71339 +typedef struct file_operations __no_const file_operations_no_const;
71341 struct inode_operations {
71342 struct dentry * (*lookup) (struct inode *,struct dentry *, unsigned int);
71343 @@ -2688,4 +2689,14 @@ static inline void inode_has_no_xattr(struct inode *inode)
71344 inode->i_flags |= S_NOSEC;
71347 +static inline bool is_sidechannel_device(const struct inode *inode)
71349 +#ifdef CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL
71350 + umode_t mode = inode->i_mode;
71351 + return ((S_ISCHR(mode) || S_ISBLK(mode)) && (mode & (S_IROTH | S_IWOTH)));
71357 #endif /* _LINUX_FS_H */
71358 diff --git a/include/linux/fs_struct.h b/include/linux/fs_struct.h
71359 index 2b93a9a..855d94a 100644
71360 --- a/include/linux/fs_struct.h
71361 +++ b/include/linux/fs_struct.h
71363 #include <linux/seqlock.h>
71371 diff --git a/include/linux/fscache-cache.h b/include/linux/fscache-cache.h
71372 index 5dfa0aa..6acf322 100644
71373 --- a/include/linux/fscache-cache.h
71374 +++ b/include/linux/fscache-cache.h
71375 @@ -112,7 +112,7 @@ struct fscache_operation {
71376 fscache_operation_release_t release;
71379 -extern atomic_t fscache_op_debug_id;
71380 +extern atomic_unchecked_t fscache_op_debug_id;
71381 extern void fscache_op_work_func(struct work_struct *work);
71383 extern void fscache_enqueue_operation(struct fscache_operation *);
71384 @@ -134,7 +134,7 @@ static inline void fscache_operation_init(struct fscache_operation *op,
71385 INIT_WORK(&op->work, fscache_op_work_func);
71386 atomic_set(&op->usage, 1);
71387 op->state = FSCACHE_OP_ST_INITIALISED;
71388 - op->debug_id = atomic_inc_return(&fscache_op_debug_id);
71389 + op->debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
71390 op->processor = processor;
71391 op->release = release;
71392 INIT_LIST_HEAD(&op->pend_link);
71393 diff --git a/include/linux/fscache.h b/include/linux/fscache.h
71394 index 7a08623..4c07b0f 100644
71395 --- a/include/linux/fscache.h
71396 +++ b/include/linux/fscache.h
71397 @@ -152,7 +152,7 @@ struct fscache_cookie_def {
71398 * - this is mandatory for any object that may have data
71400 void (*now_uncached)(void *cookie_netfs_data);
71405 * fscache cached network filesystem type
71406 diff --git a/include/linux/fsnotify.h b/include/linux/fsnotify.h
71407 index a78680a..87bd73e 100644
71408 --- a/include/linux/fsnotify.h
71409 +++ b/include/linux/fsnotify.h
71410 @@ -195,6 +195,9 @@ static inline void fsnotify_access(struct file *file)
71411 struct inode *inode = path->dentry->d_inode;
71412 __u32 mask = FS_ACCESS;
71414 + if (is_sidechannel_device(inode))
71417 if (S_ISDIR(inode->i_mode))
71420 @@ -213,6 +216,9 @@ static inline void fsnotify_modify(struct file *file)
71421 struct inode *inode = path->dentry->d_inode;
71422 __u32 mask = FS_MODIFY;
71424 + if (is_sidechannel_device(inode))
71427 if (S_ISDIR(inode->i_mode))
71430 @@ -315,7 +321,7 @@ static inline void fsnotify_change(struct dentry *dentry, unsigned int ia_valid)
71432 static inline const unsigned char *fsnotify_oldname_init(const unsigned char *name)
71434 - return kstrdup(name, GFP_KERNEL);
71435 + return (const unsigned char *)kstrdup((const char *)name, GFP_KERNEL);
71439 diff --git a/include/linux/genhd.h b/include/linux/genhd.h
71440 index 9f3c275..911b591 100644
71441 --- a/include/linux/genhd.h
71442 +++ b/include/linux/genhd.h
71443 @@ -194,7 +194,7 @@ struct gendisk {
71444 struct kobject *slave_dir;
71446 struct timer_rand_state *random;
71447 - atomic_t sync_io; /* RAID */
71448 + atomic_unchecked_t sync_io; /* RAID */
71449 struct disk_events *ev;
71450 #ifdef CONFIG_BLK_DEV_INTEGRITY
71451 struct blk_integrity *integrity;
71452 diff --git a/include/linux/genl_magic_func.h b/include/linux/genl_magic_func.h
71453 index 023bc34..b02b46a 100644
71454 --- a/include/linux/genl_magic_func.h
71455 +++ b/include/linux/genl_magic_func.h
71456 @@ -246,7 +246,7 @@ const char *CONCAT_(GENL_MAGIC_FAMILY, _genl_cmd_to_str)(__u8 cmd)
71459 #define ZZZ_genl_ops CONCAT_(GENL_MAGIC_FAMILY, _genl_ops)
71460 -static struct genl_ops ZZZ_genl_ops[] __read_mostly = {
71461 +static struct genl_ops ZZZ_genl_ops[] = {
71462 #include GENL_MAGIC_INCLUDE_FILE
71465 diff --git a/include/linux/gfp.h b/include/linux/gfp.h
71466 index 0f615eb..5c3832f 100644
71467 --- a/include/linux/gfp.h
71468 +++ b/include/linux/gfp.h
71469 @@ -35,6 +35,13 @@ struct vm_area_struct;
71470 #define ___GFP_NO_KSWAPD 0x400000u
71471 #define ___GFP_OTHER_NODE 0x800000u
71472 #define ___GFP_WRITE 0x1000000u
71474 +#ifdef CONFIG_PAX_USERCOPY_SLABS
71475 +#define ___GFP_USERCOPY 0x2000000u
71477 +#define ___GFP_USERCOPY 0
71480 /* If the above are modified, __GFP_BITS_SHIFT may need updating */
71483 @@ -92,6 +99,7 @@ struct vm_area_struct;
71484 #define __GFP_OTHER_NODE ((__force gfp_t)___GFP_OTHER_NODE) /* On behalf of other node */
71485 #define __GFP_KMEMCG ((__force gfp_t)___GFP_KMEMCG) /* Allocation comes from a memcg-accounted resource */
71486 #define __GFP_WRITE ((__force gfp_t)___GFP_WRITE) /* Allocator intends to dirty page */
71487 +#define __GFP_USERCOPY ((__force gfp_t)___GFP_USERCOPY)/* Allocator intends to copy page to/from userland */
71490 * This may seem redundant, but it's a way of annotating false positives vs.
71491 @@ -99,7 +107,7 @@ struct vm_area_struct;
71493 #define __GFP_NOTRACK_FALSE_POSITIVE (__GFP_NOTRACK)
71495 -#define __GFP_BITS_SHIFT 25 /* Room for N __GFP_FOO bits */
71496 +#define __GFP_BITS_SHIFT 26 /* Room for N __GFP_FOO bits */
71497 #define __GFP_BITS_MASK ((__force gfp_t)((1 << __GFP_BITS_SHIFT) - 1))
71499 /* This equals 0, but use constants in case they ever change */
71500 @@ -153,6 +161,8 @@ struct vm_area_struct;
71501 /* 4GB DMA on some platforms */
71502 #define GFP_DMA32 __GFP_DMA32
71504 +#define GFP_USERCOPY __GFP_USERCOPY
71506 /* Convert GFP flags to their corresponding migrate type */
71507 static inline int allocflags_to_migratetype(gfp_t gfp_flags)
71509 diff --git a/include/linux/gracl.h b/include/linux/gracl.h
71510 new file mode 100644
71511 index 0000000..ebe6d72
71513 +++ b/include/linux/gracl.h
71518 +#include <linux/grdefs.h>
71519 +#include <linux/resource.h>
71520 +#include <linux/capability.h>
71521 +#include <linux/dcache.h>
71522 +#include <asm/resource.h>
71524 +/* Major status information */
71526 +#define GR_VERSION "grsecurity 2.9.1"
71527 +#define GRSECURITY_VERSION 0x2901
71538 + GR_SPROLEPAM = 8,
71541 +/* Password setup definitions
71542 + * kernel/grhash.c */
71545 + GR_SALT_LEN = 16,
71550 + GR_SPROLE_LEN = 64,
71559 +#define GR_NLIMITS 32
71561 +/* Begin Data Structures */
71563 +struct sprole_pw {
71564 + unsigned char *rolename;
71565 + unsigned char salt[GR_SALT_LEN];
71566 + unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
71569 +struct name_entry {
71576 + struct name_entry *prev;
71577 + struct name_entry *next;
71580 +struct inodev_entry {
71581 + struct name_entry *nentry;
71582 + struct inodev_entry *prev;
71583 + struct inodev_entry *next;
71586 +struct acl_role_db {
71587 + struct acl_role_label **r_hash;
71591 +struct inodev_db {
71592 + struct inodev_entry **i_hash;
71597 + struct name_entry **n_hash;
71601 +struct crash_uid {
71603 + unsigned long expires;
71606 +struct gr_hash_struct {
71608 + void **nametable;
71610 + __u32 table_size;
71615 +/* Userspace Grsecurity ACL data structures */
71617 +struct acl_subject_label {
71622 + kernel_cap_t cap_mask;
71623 + kernel_cap_t cap_lower;
71624 + kernel_cap_t cap_invert_audit;
71626 + struct rlimit res[GR_NLIMITS];
71629 + __u8 user_trans_type;
71630 + __u8 group_trans_type;
71631 + uid_t *user_transitions;
71632 + gid_t *group_transitions;
71633 + __u16 user_trans_num;
71634 + __u16 group_trans_num;
71636 + __u32 sock_families[2];
71637 + __u32 ip_proto[8];
71639 + struct acl_ip_label **ips;
71641 + __u32 inaddr_any_override;
71644 + unsigned long expires;
71646 + struct acl_subject_label *parent_subject;
71647 + struct gr_hash_struct *hash;
71648 + struct acl_subject_label *prev;
71649 + struct acl_subject_label *next;
71651 + struct acl_object_label **obj_hash;
71652 + __u32 obj_hash_size;
71656 +struct role_allowed_ip {
71660 + struct role_allowed_ip *prev;
71661 + struct role_allowed_ip *next;
71664 +struct role_transition {
71667 + struct role_transition *prev;
71668 + struct role_transition *next;
71671 +struct acl_role_label {
71676 + __u16 auth_attempts;
71677 + unsigned long expires;
71679 + struct acl_subject_label *root_label;
71680 + struct gr_hash_struct *hash;
71682 + struct acl_role_label *prev;
71683 + struct acl_role_label *next;
71685 + struct role_transition *transitions;
71686 + struct role_allowed_ip *allowed_ips;
71687 + uid_t *domain_children;
71688 + __u16 domain_child_num;
71692 + struct acl_subject_label **subj_hash;
71693 + __u32 subj_hash_size;
71696 +struct user_acl_role_db {
71697 + struct acl_role_label **r_table;
71698 + __u32 num_pointers; /* Number of allocations to track */
71699 + __u32 num_roles; /* Number of roles */
71700 + __u32 num_domain_children; /* Number of domain children */
71701 + __u32 num_subjects; /* Number of subjects */
71702 + __u32 num_objects; /* Number of objects */
71705 +struct acl_object_label {
71711 + struct acl_subject_label *nested;
71712 + struct acl_object_label *globbed;
71714 + /* next two structures not used */
71716 + struct acl_object_label *prev;
71717 + struct acl_object_label *next;
71720 +struct acl_ip_label {
71729 + /* next two structures not used */
71731 + struct acl_ip_label *prev;
71732 + struct acl_ip_label *next;
71736 + struct user_acl_role_db role_db;
71737 + unsigned char pw[GR_PW_LEN];
71738 + unsigned char salt[GR_SALT_LEN];
71739 + unsigned char sum[GR_SHA_LEN];
71740 + unsigned char sp_role[GR_SPROLE_LEN];
71741 + struct sprole_pw *sprole_pws;
71742 + dev_t segv_device;
71743 + ino_t segv_inode;
71745 + __u16 num_sprole_pws;
71749 +struct gr_arg_wrapper {
71750 + struct gr_arg *arg;
71755 +struct subject_map {
71756 + struct acl_subject_label *user;
71757 + struct acl_subject_label *kernel;
71758 + struct subject_map *prev;
71759 + struct subject_map *next;
71762 +struct acl_subj_map_db {
71763 + struct subject_map **s_hash;
71767 +/* End Data Structures Section */
71769 +/* Hash functions generated by empirical testing by Brad Spengler
71770 + Makes good use of the low bits of the inode. Generally 0-1 times
71771 + in loop for successful match. 0-3 for unsuccessful match.
71772 + Shift/add algorithm with modulus of table size and an XOR*/
71774 +static __inline__ unsigned int
71775 +gr_rhash(const uid_t uid, const __u16 type, const unsigned int sz)
71777 + return ((((uid + type) << (16 + type)) ^ uid) % sz);
71780 + static __inline__ unsigned int
71781 +gr_shash(const struct acl_subject_label *userp, const unsigned int sz)
71783 + return ((const unsigned long)userp % sz);
71786 +static __inline__ unsigned int
71787 +gr_fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
71789 + return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
71792 +static __inline__ unsigned int
71793 +gr_nhash(const char *name, const __u16 len, const unsigned int sz)
71795 + return full_name_hash((const unsigned char *)name, len) % sz;
71798 +#define FOR_EACH_ROLE_START(role) \
71799 + role = role_list; \
71802 +#define FOR_EACH_ROLE_END(role) \
71803 + role = role->prev; \
71806 +#define FOR_EACH_SUBJECT_START(role,subj,iter) \
71809 + while (iter < role->subj_hash_size) { \
71810 + if (subj == NULL) \
71811 + subj = role->subj_hash[iter]; \
71812 + if (subj == NULL) { \
71817 +#define FOR_EACH_SUBJECT_END(subj,iter) \
71818 + subj = subj->next; \
71819 + if (subj == NULL) \
71824 +#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
71825 + subj = role->hash->first; \
71826 + while (subj != NULL) {
71828 +#define FOR_EACH_NESTED_SUBJECT_END(subj) \
71829 + subj = subj->next; \
71834 diff --git a/include/linux/gracl_compat.h b/include/linux/gracl_compat.h
71835 new file mode 100644
71836 index 0000000..33ebd1f
71838 +++ b/include/linux/gracl_compat.h
71840 +#ifndef GR_ACL_COMPAT_H
71841 +#define GR_ACL_COMPAT_H
71843 +#include <linux/resource.h>
71844 +#include <asm/resource.h>
71846 +struct sprole_pw_compat {
71847 + compat_uptr_t rolename;
71848 + unsigned char salt[GR_SALT_LEN];
71849 + unsigned char sum[GR_SHA_LEN];
71852 +struct gr_hash_struct_compat {
71853 + compat_uptr_t table;
71854 + compat_uptr_t nametable;
71855 + compat_uptr_t first;
71856 + __u32 table_size;
71861 +struct acl_subject_label_compat {
71862 + compat_uptr_t filename;
71863 + compat_ino_t inode;
71866 + kernel_cap_t cap_mask;
71867 + kernel_cap_t cap_lower;
71868 + kernel_cap_t cap_invert_audit;
71870 + struct compat_rlimit res[GR_NLIMITS];
71873 + __u8 user_trans_type;
71874 + __u8 group_trans_type;
71875 + compat_uptr_t user_transitions;
71876 + compat_uptr_t group_transitions;
71877 + __u16 user_trans_num;
71878 + __u16 group_trans_num;
71880 + __u32 sock_families[2];
71881 + __u32 ip_proto[8];
71883 + compat_uptr_t ips;
71885 + __u32 inaddr_any_override;
71888 + compat_ulong_t expires;
71890 + compat_uptr_t parent_subject;
71891 + compat_uptr_t hash;
71892 + compat_uptr_t prev;
71893 + compat_uptr_t next;
71895 + compat_uptr_t obj_hash;
71896 + __u32 obj_hash_size;
71900 +struct role_allowed_ip_compat {
71904 + compat_uptr_t prev;
71905 + compat_uptr_t next;
71908 +struct role_transition_compat {
71909 + compat_uptr_t rolename;
71911 + compat_uptr_t prev;
71912 + compat_uptr_t next;
71915 +struct acl_role_label_compat {
71916 + compat_uptr_t rolename;
71920 + __u16 auth_attempts;
71921 + compat_ulong_t expires;
71923 + compat_uptr_t root_label;
71924 + compat_uptr_t hash;
71926 + compat_uptr_t prev;
71927 + compat_uptr_t next;
71929 + compat_uptr_t transitions;
71930 + compat_uptr_t allowed_ips;
71931 + compat_uptr_t domain_children;
71932 + __u16 domain_child_num;
71936 + compat_uptr_t subj_hash;
71937 + __u32 subj_hash_size;
71940 +struct user_acl_role_db_compat {
71941 + compat_uptr_t r_table;
71942 + __u32 num_pointers;
71944 + __u32 num_domain_children;
71945 + __u32 num_subjects;
71946 + __u32 num_objects;
71949 +struct acl_object_label_compat {
71950 + compat_uptr_t filename;
71951 + compat_ino_t inode;
71955 + compat_uptr_t nested;
71956 + compat_uptr_t globbed;
71958 + compat_uptr_t prev;
71959 + compat_uptr_t next;
71962 +struct acl_ip_label_compat {
71963 + compat_uptr_t iface;
71971 + compat_uptr_t prev;
71972 + compat_uptr_t next;
71975 +struct gr_arg_compat {
71976 + struct user_acl_role_db_compat role_db;
71977 + unsigned char pw[GR_PW_LEN];
71978 + unsigned char salt[GR_SALT_LEN];
71979 + unsigned char sum[GR_SHA_LEN];
71980 + unsigned char sp_role[GR_SPROLE_LEN];
71981 + compat_uptr_t sprole_pws;
71982 + __u32 segv_device;
71983 + compat_ino_t segv_inode;
71985 + __u16 num_sprole_pws;
71989 +struct gr_arg_wrapper_compat {
71990 + compat_uptr_t arg;
71996 diff --git a/include/linux/gralloc.h b/include/linux/gralloc.h
71997 new file mode 100644
71998 index 0000000..323ecf2
72000 +++ b/include/linux/gralloc.h
72002 +#ifndef __GRALLOC_H
72003 +#define __GRALLOC_H
72005 +void acl_free_all(void);
72006 +int acl_alloc_stack_init(unsigned long size);
72007 +void *acl_alloc(unsigned long len);
72008 +void *acl_alloc_num(unsigned long num, unsigned long len);
72011 diff --git a/include/linux/grdefs.h b/include/linux/grdefs.h
72012 new file mode 100644
72013 index 0000000..be66033
72015 +++ b/include/linux/grdefs.h
72020 +/* Begin grsecurity status declarations */
72024 + GR_STATUS_INIT = 0x00 // disabled state
72027 +/* Begin ACL declarations */
72032 + GR_ROLE_USER = 0x0001,
72033 + GR_ROLE_GROUP = 0x0002,
72034 + GR_ROLE_DEFAULT = 0x0004,
72035 + GR_ROLE_SPECIAL = 0x0008,
72036 + GR_ROLE_AUTH = 0x0010,
72037 + GR_ROLE_NOPW = 0x0020,
72038 + GR_ROLE_GOD = 0x0040,
72039 + GR_ROLE_LEARN = 0x0080,
72040 + GR_ROLE_TPE = 0x0100,
72041 + GR_ROLE_DOMAIN = 0x0200,
72042 + GR_ROLE_PAM = 0x0400,
72043 + GR_ROLE_PERSIST = 0x0800
72046 +/* ACL Subject and Object mode flags */
72048 + GR_DELETED = 0x80000000
72051 +/* ACL Object-only mode flags */
72053 + GR_READ = 0x00000001,
72054 + GR_APPEND = 0x00000002,
72055 + GR_WRITE = 0x00000004,
72056 + GR_EXEC = 0x00000008,
72057 + GR_FIND = 0x00000010,
72058 + GR_INHERIT = 0x00000020,
72059 + GR_SETID = 0x00000040,
72060 + GR_CREATE = 0x00000080,
72061 + GR_DELETE = 0x00000100,
72062 + GR_LINK = 0x00000200,
72063 + GR_AUDIT_READ = 0x00000400,
72064 + GR_AUDIT_APPEND = 0x00000800,
72065 + GR_AUDIT_WRITE = 0x00001000,
72066 + GR_AUDIT_EXEC = 0x00002000,
72067 + GR_AUDIT_FIND = 0x00004000,
72068 + GR_AUDIT_INHERIT= 0x00008000,
72069 + GR_AUDIT_SETID = 0x00010000,
72070 + GR_AUDIT_CREATE = 0x00020000,
72071 + GR_AUDIT_DELETE = 0x00040000,
72072 + GR_AUDIT_LINK = 0x00080000,
72073 + GR_PTRACERD = 0x00100000,
72074 + GR_NOPTRACE = 0x00200000,
72075 + GR_SUPPRESS = 0x00400000,
72076 + GR_NOLEARN = 0x00800000,
72077 + GR_INIT_TRANSFER= 0x01000000
72080 +#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
72081 + GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
72082 + GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
72084 +/* ACL subject-only mode flags */
72086 + GR_KILL = 0x00000001,
72087 + GR_VIEW = 0x00000002,
72088 + GR_PROTECTED = 0x00000004,
72089 + GR_LEARN = 0x00000008,
72090 + GR_OVERRIDE = 0x00000010,
72091 + /* just a placeholder, this mode is only used in userspace */
72092 + GR_DUMMY = 0x00000020,
72093 + GR_PROTSHM = 0x00000040,
72094 + GR_KILLPROC = 0x00000080,
72095 + GR_KILLIPPROC = 0x00000100,
72096 + /* just a placeholder, this mode is only used in userspace */
72097 + GR_NOTROJAN = 0x00000200,
72098 + GR_PROTPROCFD = 0x00000400,
72099 + GR_PROCACCT = 0x00000800,
72100 + GR_RELAXPTRACE = 0x00001000,
72101 + //GR_NESTED = 0x00002000,
72102 + GR_INHERITLEARN = 0x00004000,
72103 + GR_PROCFIND = 0x00008000,
72104 + GR_POVERRIDE = 0x00010000,
72105 + GR_KERNELAUTH = 0x00020000,
72106 + GR_ATSECURE = 0x00040000,
72107 + GR_SHMEXEC = 0x00080000
72111 + GR_PAX_ENABLE_SEGMEXEC = 0x0001,
72112 + GR_PAX_ENABLE_PAGEEXEC = 0x0002,
72113 + GR_PAX_ENABLE_MPROTECT = 0x0004,
72114 + GR_PAX_ENABLE_RANDMMAP = 0x0008,
72115 + GR_PAX_ENABLE_EMUTRAMP = 0x0010,
72116 + GR_PAX_DISABLE_SEGMEXEC = 0x0100,
72117 + GR_PAX_DISABLE_PAGEEXEC = 0x0200,
72118 + GR_PAX_DISABLE_MPROTECT = 0x0400,
72119 + GR_PAX_DISABLE_RANDMMAP = 0x0800,
72120 + GR_PAX_DISABLE_EMUTRAMP = 0x1000,
72124 + GR_ID_USER = 0x01,
72125 + GR_ID_GROUP = 0x02,
72129 + GR_ID_ALLOW = 0x01,
72130 + GR_ID_DENY = 0x02,
72133 +#define GR_CRASH_RES 31
72134 +#define GR_UIDTABLE_MAX 500
72136 +/* begin resource learning section */
72138 + GR_RLIM_CPU_BUMP = 60,
72139 + GR_RLIM_FSIZE_BUMP = 50000,
72140 + GR_RLIM_DATA_BUMP = 10000,
72141 + GR_RLIM_STACK_BUMP = 1000,
72142 + GR_RLIM_CORE_BUMP = 10000,
72143 + GR_RLIM_RSS_BUMP = 500000,
72144 + GR_RLIM_NPROC_BUMP = 1,
72145 + GR_RLIM_NOFILE_BUMP = 5,
72146 + GR_RLIM_MEMLOCK_BUMP = 50000,
72147 + GR_RLIM_AS_BUMP = 500000,
72148 + GR_RLIM_LOCKS_BUMP = 2,
72149 + GR_RLIM_SIGPENDING_BUMP = 5,
72150 + GR_RLIM_MSGQUEUE_BUMP = 10000,
72151 + GR_RLIM_NICE_BUMP = 1,
72152 + GR_RLIM_RTPRIO_BUMP = 1,
72153 + GR_RLIM_RTTIME_BUMP = 1000000
72157 diff --git a/include/linux/grinternal.h b/include/linux/grinternal.h
72158 new file mode 100644
72159 index 0000000..fd8598b
72161 +++ b/include/linux/grinternal.h
72163 +#ifndef __GRINTERNAL_H
72164 +#define __GRINTERNAL_H
72166 +#ifdef CONFIG_GRKERNSEC
72168 +#include <linux/fs.h>
72169 +#include <linux/mnt_namespace.h>
72170 +#include <linux/nsproxy.h>
72171 +#include <linux/gracl.h>
72172 +#include <linux/grdefs.h>
72173 +#include <linux/grmsg.h>
72175 +void gr_add_learn_entry(const char *fmt, ...)
72176 + __attribute__ ((format (printf, 1, 2)));
72177 +__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
72178 + const struct vfsmount *mnt);
72179 +__u32 gr_check_create(const struct dentry *new_dentry,
72180 + const struct dentry *parent,
72181 + const struct vfsmount *mnt, const __u32 mode);
72182 +int gr_check_protected_task(const struct task_struct *task);
72183 +__u32 to_gr_audit(const __u32 reqmode);
72184 +int gr_set_acls(const int type);
72185 +int gr_apply_subject_to_task(struct task_struct *task);
72186 +int gr_acl_is_enabled(void);
72187 +char gr_roletype_to_char(void);
72189 +void gr_handle_alertkill(struct task_struct *task);
72190 +char *gr_to_filename(const struct dentry *dentry,
72191 + const struct vfsmount *mnt);
72192 +char *gr_to_filename1(const struct dentry *dentry,
72193 + const struct vfsmount *mnt);
72194 +char *gr_to_filename2(const struct dentry *dentry,
72195 + const struct vfsmount *mnt);
72196 +char *gr_to_filename3(const struct dentry *dentry,
72197 + const struct vfsmount *mnt);
72199 +extern int grsec_enable_ptrace_readexec;
72200 +extern int grsec_enable_harden_ptrace;
72201 +extern int grsec_enable_link;
72202 +extern int grsec_enable_fifo;
72203 +extern int grsec_enable_execve;
72204 +extern int grsec_enable_shm;
72205 +extern int grsec_enable_execlog;
72206 +extern int grsec_enable_signal;
72207 +extern int grsec_enable_audit_ptrace;
72208 +extern int grsec_enable_forkfail;
72209 +extern int grsec_enable_time;
72210 +extern int grsec_enable_rofs;
72211 +extern int grsec_enable_chroot_shmat;
72212 +extern int grsec_enable_chroot_mount;
72213 +extern int grsec_enable_chroot_double;
72214 +extern int grsec_enable_chroot_pivot;
72215 +extern int grsec_enable_chroot_chdir;
72216 +extern int grsec_enable_chroot_chmod;
72217 +extern int grsec_enable_chroot_mknod;
72218 +extern int grsec_enable_chroot_fchdir;
72219 +extern int grsec_enable_chroot_nice;
72220 +extern int grsec_enable_chroot_execlog;
72221 +extern int grsec_enable_chroot_caps;
72222 +extern int grsec_enable_chroot_sysctl;
72223 +extern int grsec_enable_chroot_unix;
72224 +extern int grsec_enable_symlinkown;
72225 +extern kgid_t grsec_symlinkown_gid;
72226 +extern int grsec_enable_tpe;
72227 +extern kgid_t grsec_tpe_gid;
72228 +extern int grsec_enable_tpe_all;
72229 +extern int grsec_enable_tpe_invert;
72230 +extern int grsec_enable_socket_all;
72231 +extern kgid_t grsec_socket_all_gid;
72232 +extern int grsec_enable_socket_client;
72233 +extern kgid_t grsec_socket_client_gid;
72234 +extern int grsec_enable_socket_server;
72235 +extern kgid_t grsec_socket_server_gid;
72236 +extern kgid_t grsec_audit_gid;
72237 +extern int grsec_enable_group;
72238 +extern int grsec_enable_log_rwxmaps;
72239 +extern int grsec_enable_mount;
72240 +extern int grsec_enable_chdir;
72241 +extern int grsec_resource_logging;
72242 +extern int grsec_enable_blackhole;
72243 +extern int grsec_lastack_retries;
72244 +extern int grsec_enable_brute;
72245 +extern int grsec_lock;
72247 +extern spinlock_t grsec_alert_lock;
72248 +extern unsigned long grsec_alert_wtime;
72249 +extern unsigned long grsec_alert_fyet;
72251 +extern spinlock_t grsec_audit_lock;
72253 +extern rwlock_t grsec_exec_file_lock;
72255 +#define gr_task_fullpath(tsk) ((tsk)->exec_file ? \
72256 + gr_to_filename2((tsk)->exec_file->f_path.dentry, \
72257 + (tsk)->exec_file->f_path.mnt) : "/")
72259 +#define gr_parent_task_fullpath(tsk) ((tsk)->real_parent->exec_file ? \
72260 + gr_to_filename3((tsk)->real_parent->exec_file->f_path.dentry, \
72261 + (tsk)->real_parent->exec_file->f_path.mnt) : "/")
72263 +#define gr_task_fullpath0(tsk) ((tsk)->exec_file ? \
72264 + gr_to_filename((tsk)->exec_file->f_path.dentry, \
72265 + (tsk)->exec_file->f_path.mnt) : "/")
72267 +#define gr_parent_task_fullpath0(tsk) ((tsk)->real_parent->exec_file ? \
72268 + gr_to_filename1((tsk)->real_parent->exec_file->f_path.dentry, \
72269 + (tsk)->real_parent->exec_file->f_path.mnt) : "/")
72271 +#define proc_is_chrooted(tsk_a) ((tsk_a)->gr_is_chrooted)
72273 +#define have_same_root(tsk_a,tsk_b) ((tsk_a)->gr_chroot_dentry == (tsk_b)->gr_chroot_dentry)
72275 +static inline bool gr_is_same_file(const struct file *file1, const struct file *file2)
72277 + if (file1 && file2) {
72278 + const struct inode *inode1 = file1->f_path.dentry->d_inode;
72279 + const struct inode *inode2 = file2->f_path.dentry->d_inode;
72280 + if (inode1->i_ino == inode2->i_ino && inode1->i_sb->s_dev == inode2->i_sb->s_dev)
72287 +#define GR_CHROOT_CAPS {{ \
72288 + CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
72289 + CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
72290 + CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
72291 + CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
72292 + CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
72293 + CAP_TO_MASK(CAP_IPC_OWNER) | CAP_TO_MASK(CAP_SETFCAP), \
72294 + CAP_TO_MASK(CAP_SYSLOG) | CAP_TO_MASK(CAP_MAC_ADMIN) }}
72296 +#define security_learn(normal_msg,args...) \
72298 + read_lock(&grsec_exec_file_lock); \
72299 + gr_add_learn_entry(normal_msg "\n", ## args); \
72300 + read_unlock(&grsec_exec_file_lock); \
72306 + /* used for non-audit messages that we shouldn't kill the task on */
72307 + GR_DONT_AUDIT_GOOD
72318 + GR_SYSCTL_HIDDEN,
72321 + GR_ONE_INT_TWO_STR,
72328 + GR_FIVE_INT_TWO_STR,
72334 + GR_FILENAME_TWO_INT,
72335 + GR_FILENAME_TWO_INT_STR,
72349 +#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
72350 +#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
72351 +#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
72352 +#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
72353 +#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
72354 +#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
72355 +#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
72356 +#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
72357 +#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
72358 +#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
72359 +#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
72360 +#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
72361 +#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
72362 +#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
72363 +#define gr_log_two_u64(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_U64, num1, num2)
72364 +#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
72365 +#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
72366 +#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
72367 +#define gr_log_str2_int(audit, msg, str1, str2, num) gr_log_varargs(audit, msg, GR_TWO_STR_INT, str1, str2, num)
72368 +#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
72369 +#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
72370 +#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
72371 +#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
72372 +#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
72373 +#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
72374 +#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
72375 +#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
72376 +#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
72377 +#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
72378 +#define gr_log_sig_addr(audit, msg, str, addr) gr_log_varargs(audit, msg, GR_SIG, str, addr)
72379 +#define gr_log_sig_task(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG2, task, num)
72380 +#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
72381 +#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
72382 +#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
72383 +#define gr_log_rwxmap(audit, msg, str) gr_log_varargs(audit, msg, GR_RWXMAP, str)
72384 +#define gr_log_rwxmap_vma(audit, msg, str) gr_log_varargs(audit, msg, GR_RWXMAPVMA, str)
72386 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
72391 diff --git a/include/linux/grmsg.h b/include/linux/grmsg.h
72392 new file mode 100644
72393 index 0000000..a4396b5
72395 +++ b/include/linux/grmsg.h
72397 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
72398 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
72399 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
72400 +#define GR_STOPMOD_MSG "denied modification of module state by "
72401 +#define GR_ROFS_BLOCKWRITE_MSG "denied write to block device %.950s by "
72402 +#define GR_ROFS_MOUNT_MSG "denied writable mount of %.950s by "
72403 +#define GR_IOPERM_MSG "denied use of ioperm() by "
72404 +#define GR_IOPL_MSG "denied use of iopl() by "
72405 +#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
72406 +#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
72407 +#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
72408 +#define GR_MEM_READWRITE_MSG "denied access of range %Lx -> %Lx in /dev/mem by "
72409 +#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
72410 +#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%pI4"
72411 +#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%pI4"
72412 +#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
72413 +#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
72414 +#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
72415 +#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
72416 +#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
72417 +#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
72418 +#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
72419 +#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%pI4 %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
72420 +#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
72421 +#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
72422 +#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
72423 +#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
72424 +#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
72425 +#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
72426 +#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
72427 +#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
72428 +#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
72429 +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
72430 +#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
72431 +#define GR_EXEC_TPE_MSG "denied untrusted exec (due to %.70s) of %.950s by "
72432 +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
72433 +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
72434 +#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
72435 +#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
72436 +#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
72437 +#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
72438 +#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
72439 +#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
72440 +#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
72441 +#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
72442 +#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
72443 +#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
72444 +#define GR_SETXATTR_ACL_MSG "%s setting extended attributes of %.950s by "
72445 +#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
72446 +#define GR_INITF_ACL_MSG "init_variables() failed %s by "
72447 +#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
72448 +#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbage by "
72449 +#define GR_SHUTS_ACL_MSG "shutdown auth success for "
72450 +#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
72451 +#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
72452 +#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
72453 +#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
72454 +#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
72455 +#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
72456 +#define GR_ENABLEF_ACL_MSG "unable to load %s for "
72457 +#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
72458 +#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
72459 +#define GR_RELOADF_ACL_MSG "failed reload of %s for "
72460 +#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
72461 +#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
72462 +#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
72463 +#define GR_SPROLEF_ACL_MSG "special role %s failure for "
72464 +#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
72465 +#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
72466 +#define GR_INVMODE_ACL_MSG "invalid mode %d by "
72467 +#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
72468 +#define GR_FAILFORK_MSG "failed fork with errno %s by "
72469 +#define GR_NICE_CHROOT_MSG "denied priority change by "
72470 +#define GR_UNISIGLOG_MSG "%.32s occurred at %p in "
72471 +#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
72472 +#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
72473 +#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
72474 +#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
72475 +#define GR_TIME_MSG "time set by "
72476 +#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
72477 +#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
72478 +#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
72479 +#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
72480 +#define GR_SOCK_NOINET_MSG "denied socket(%.16s,%.16s,%d) by "
72481 +#define GR_BIND_MSG "denied bind() by "
72482 +#define GR_CONNECT_MSG "denied connect() by "
72483 +#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "
72484 +#define GR_CONNECT_ACL_MSG "denied connect() to %pI4 port %u sock type %.16s protocol %.16s by "
72485 +#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
72486 +#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
72487 +#define GR_CAP_ACL_MSG "use of %s denied for "
72488 +#define GR_CAP_CHROOT_MSG "use of %s in chroot denied for "
72489 +#define GR_CAP_ACL_MSG2 "use of %s permitted for "
72490 +#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
72491 +#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
72492 +#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
72493 +#define GR_UNMOUNT_AUDIT_MSG "unmount of %.256s by "
72494 +#define GR_MOUNT_AUDIT_MSG "mount of %.256s to %.256s by "
72495 +#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
72496 +#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
72497 +#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
72498 +#define GR_RWXMMAP_MSG "denied RWX mmap of %.950s by "
72499 +#define GR_RWXMPROTECT_MSG "denied RWX mprotect of %.950s by "
72500 +#define GR_TEXTREL_AUDIT_MSG "denied text relocation in %.950s, VMA:0x%08lx 0x%08lx by "
72501 +#define GR_PTGNUSTACK_MSG "denied marking stack executable as requested by PT_GNU_STACK marking in %.950s by "
72502 +#define GR_VM86_MSG "denied use of vm86 by "
72503 +#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
72504 +#define GR_PTRACE_READEXEC_MSG "denied ptrace of unreadable binary %.950s by "
72505 +#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
72506 +#define GR_BADPROCPID_MSG "denied read of sensitive /proc/pid/%s entry via fd passed across exec by "
72507 +#define GR_SYMLINKOWNER_MSG "denied following symlink %.950s since symlink owner %u does not match target owner %u, by "
72508 +#define GR_BRUTE_DAEMON_MSG "bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report for "
72509 +#define GR_BRUTE_SUID_MSG "bruteforce prevention initiated due to crash of %.950s against uid %u, banning suid/sgid execs for %u minutes. Please investigate the crash report for "
72510 diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
72511 new file mode 100644
72512 index 0000000..3676b0b
72514 +++ b/include/linux/grsecurity.h
72516 +#ifndef GR_SECURITY_H
72517 +#define GR_SECURITY_H
72518 +#include <linux/fs.h>
72519 +#include <linux/fs_struct.h>
72520 +#include <linux/binfmts.h>
72521 +#include <linux/gracl.h>
72523 +/* notify of brain-dead configs */
72524 +#if defined(CONFIG_GRKERNSEC_PROC_USER) && defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
72525 +#error "CONFIG_GRKERNSEC_PROC_USER and CONFIG_GRKERNSEC_PROC_USERGROUP cannot both be enabled."
72527 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
72528 +#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
72530 +#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
72531 +#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
72533 +#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
72534 +#error "CONFIG_PAX enabled, but no PaX options are enabled."
72537 +void gr_handle_brute_attach(unsigned long mm_flags);
72538 +void gr_handle_brute_check(void);
72539 +void gr_handle_kernel_exploit(void);
72541 +char gr_roletype_to_char(void);
72543 +int gr_acl_enable_at_secure(void);
72545 +int gr_check_user_change(kuid_t real, kuid_t effective, kuid_t fs);
72546 +int gr_check_group_change(kgid_t real, kgid_t effective, kgid_t fs);
72548 +void gr_del_task_from_ip_table(struct task_struct *p);
72550 +int gr_pid_is_chrooted(struct task_struct *p);
72551 +int gr_handle_chroot_fowner(struct pid *pid, enum pid_type type);
72552 +int gr_handle_chroot_nice(void);
72553 +int gr_handle_chroot_sysctl(const int op);
72554 +int gr_handle_chroot_setpriority(struct task_struct *p,
72555 + const int niceval);
72556 +int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
72557 +int gr_handle_chroot_chroot(const struct dentry *dentry,
72558 + const struct vfsmount *mnt);
72559 +void gr_handle_chroot_chdir(const struct path *path);
72560 +int gr_handle_chroot_chmod(const struct dentry *dentry,
72561 + const struct vfsmount *mnt, const int mode);
72562 +int gr_handle_chroot_mknod(const struct dentry *dentry,
72563 + const struct vfsmount *mnt, const int mode);
72564 +int gr_handle_chroot_mount(const struct dentry *dentry,
72565 + const struct vfsmount *mnt,
72566 + const char *dev_name);
72567 +int gr_handle_chroot_pivot(void);
72568 +int gr_handle_chroot_unix(const pid_t pid);
72570 +int gr_handle_rawio(const struct inode *inode);
72572 +void gr_handle_ioperm(void);
72573 +void gr_handle_iopl(void);
72575 +umode_t gr_acl_umask(void);
72577 +int gr_tpe_allow(const struct file *file);
72579 +void gr_set_chroot_entries(struct task_struct *task, const struct path *path);
72580 +void gr_clear_chroot_entries(struct task_struct *task);
72582 +void gr_log_forkfail(const int retval);
72583 +void gr_log_timechange(void);
72584 +void gr_log_signal(const int sig, const void *addr, const struct task_struct *t);
72585 +void gr_log_chdir(const struct dentry *dentry,
72586 + const struct vfsmount *mnt);
72587 +void gr_log_chroot_exec(const struct dentry *dentry,
72588 + const struct vfsmount *mnt);
72589 +void gr_log_remount(const char *devname, const int retval);
72590 +void gr_log_unmount(const char *devname, const int retval);
72591 +void gr_log_mount(const char *from, const char *to, const int retval);
72592 +void gr_log_textrel(struct vm_area_struct *vma);
72593 +void gr_log_ptgnustack(struct file *file);
72594 +void gr_log_rwxmmap(struct file *file);
72595 +void gr_log_rwxmprotect(struct vm_area_struct *vma);
72597 +int gr_handle_follow_link(const struct inode *parent,
72598 + const struct inode *inode,
72599 + const struct dentry *dentry,
72600 + const struct vfsmount *mnt);
72601 +int gr_handle_fifo(const struct dentry *dentry,
72602 + const struct vfsmount *mnt,
72603 + const struct dentry *dir, const int flag,
72604 + const int acc_mode);
72605 +int gr_handle_hardlink(const struct dentry *dentry,
72606 + const struct vfsmount *mnt,
72607 + struct inode *inode,
72608 + const int mode, const struct filename *to);
72610 +int gr_is_capable(const int cap);
72611 +int gr_is_capable_nolog(const int cap);
72612 +int gr_task_is_capable(const struct task_struct *task, const struct cred *cred, const int cap);
72613 +int gr_task_is_capable_nolog(const struct task_struct *task, const int cap);
72615 +void gr_copy_label(struct task_struct *tsk);
72616 +void gr_handle_crash(struct task_struct *task, const int sig);
72617 +int gr_handle_signal(const struct task_struct *p, const int sig);
72618 +int gr_check_crash_uid(const kuid_t uid);
72619 +int gr_check_protected_task(const struct task_struct *task);
72620 +int gr_check_protected_task_fowner(struct pid *pid, enum pid_type type);
72621 +int gr_acl_handle_mmap(const struct file *file,
72622 + const unsigned long prot);
72623 +int gr_acl_handle_mprotect(const struct file *file,
72624 + const unsigned long prot);
72625 +int gr_check_hidden_task(const struct task_struct *tsk);
72626 +__u32 gr_acl_handle_truncate(const struct dentry *dentry,
72627 + const struct vfsmount *mnt);
72628 +__u32 gr_acl_handle_utime(const struct dentry *dentry,
72629 + const struct vfsmount *mnt);
72630 +__u32 gr_acl_handle_access(const struct dentry *dentry,
72631 + const struct vfsmount *mnt, const int fmode);
72632 +__u32 gr_acl_handle_chmod(const struct dentry *dentry,
72633 + const struct vfsmount *mnt, umode_t *mode);
72634 +__u32 gr_acl_handle_chown(const struct dentry *dentry,
72635 + const struct vfsmount *mnt);
72636 +__u32 gr_acl_handle_setxattr(const struct dentry *dentry,
72637 + const struct vfsmount *mnt);
72638 +int gr_handle_ptrace(struct task_struct *task, const long request);
72639 +int gr_handle_proc_ptrace(struct task_struct *task);
72640 +__u32 gr_acl_handle_execve(const struct dentry *dentry,
72641 + const struct vfsmount *mnt);
72642 +int gr_check_crash_exec(const struct file *filp);
72643 +int gr_acl_is_enabled(void);
72644 +void gr_set_kernel_label(struct task_struct *task);
72645 +void gr_set_role_label(struct task_struct *task, const kuid_t uid,
72646 + const kgid_t gid);
72647 +int gr_set_proc_label(const struct dentry *dentry,
72648 + const struct vfsmount *mnt,
72649 + const int unsafe_flags);
72650 +__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
72651 + const struct vfsmount *mnt);
72652 +__u32 gr_acl_handle_open(const struct dentry *dentry,
72653 + const struct vfsmount *mnt, int acc_mode);
72654 +__u32 gr_acl_handle_creat(const struct dentry *dentry,
72655 + const struct dentry *p_dentry,
72656 + const struct vfsmount *p_mnt,
72657 + int open_flags, int acc_mode, const int imode);
72658 +void gr_handle_create(const struct dentry *dentry,
72659 + const struct vfsmount *mnt);
72660 +void gr_handle_proc_create(const struct dentry *dentry,
72661 + const struct inode *inode);
72662 +__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
72663 + const struct dentry *parent_dentry,
72664 + const struct vfsmount *parent_mnt,
72666 +__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
72667 + const struct dentry *parent_dentry,
72668 + const struct vfsmount *parent_mnt);
72669 +__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
72670 + const struct vfsmount *mnt);
72671 +void gr_handle_delete(const ino_t ino, const dev_t dev);
72672 +__u32 gr_acl_handle_unlink(const struct dentry *dentry,
72673 + const struct vfsmount *mnt);
72674 +__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
72675 + const struct dentry *parent_dentry,
72676 + const struct vfsmount *parent_mnt,
72677 + const struct filename *from);
72678 +__u32 gr_acl_handle_link(const struct dentry *new_dentry,
72679 + const struct dentry *parent_dentry,
72680 + const struct vfsmount *parent_mnt,
72681 + const struct dentry *old_dentry,
72682 + const struct vfsmount *old_mnt, const struct filename *to);
72683 +int gr_handle_symlink_owner(const struct path *link, const struct inode *target);
72684 +int gr_acl_handle_rename(struct dentry *new_dentry,
72685 + struct dentry *parent_dentry,
72686 + const struct vfsmount *parent_mnt,
72687 + struct dentry *old_dentry,
72688 + struct inode *old_parent_inode,
72689 + struct vfsmount *old_mnt, const struct filename *newname);
72690 +void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
72691 + struct dentry *old_dentry,
72692 + struct dentry *new_dentry,
72693 + struct vfsmount *mnt, const __u8 replace);
72694 +__u32 gr_check_link(const struct dentry *new_dentry,
72695 + const struct dentry *parent_dentry,
72696 + const struct vfsmount *parent_mnt,
72697 + const struct dentry *old_dentry,
72698 + const struct vfsmount *old_mnt);
72699 +int gr_acl_handle_filldir(const struct file *file, const char *name,
72700 + const unsigned int namelen, const ino_t ino);
72702 +__u32 gr_acl_handle_unix(const struct dentry *dentry,
72703 + const struct vfsmount *mnt);
72704 +void gr_acl_handle_exit(void);
72705 +void gr_acl_handle_psacct(struct task_struct *task, const long code);
72706 +int gr_acl_handle_procpidmem(const struct task_struct *task);
72707 +int gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags);
72708 +int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
72709 +void gr_audit_ptrace(struct task_struct *task);
72710 +dev_t gr_get_dev_from_dentry(struct dentry *dentry);
72711 +void gr_put_exec_file(struct task_struct *task);
72713 +int gr_ptrace_readexec(struct file *file, int unsafe_flags);
72715 +#if defined(CONFIG_GRKERNSEC) && (defined(CONFIG_GRKERNSEC_RESLOG) || !defined(CONFIG_GRKERNSEC_NO_RBAC))
72716 +extern void gr_learn_resource(const struct task_struct *task, const int res,
72717 + const unsigned long wanted, const int gt);
72719 +static inline void gr_learn_resource(const struct task_struct *task, const int res,
72720 + const unsigned long wanted, const int gt)
72725 +#ifdef CONFIG_GRKERNSEC_RESLOG
72726 +extern void gr_log_resource(const struct task_struct *task, const int res,
72727 + const unsigned long wanted, const int gt);
72729 +static inline void gr_log_resource(const struct task_struct *task, const int res,
72730 + const unsigned long wanted, const int gt)
72735 +#ifdef CONFIG_GRKERNSEC
72736 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p);
72737 +void gr_handle_vm86(void);
72738 +void gr_handle_mem_readwrite(u64 from, u64 to);
72740 +void gr_log_badprocpid(const char *entry);
72742 +extern int grsec_enable_dmesg;
72743 +extern int grsec_disable_privio;
72745 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
72746 +extern kgid_t grsec_proc_gid;
72749 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
72750 +extern int grsec_enable_chroot_findtask;
72752 +#ifdef CONFIG_GRKERNSEC_SETXID
72753 +extern int grsec_enable_setxid;
72758 diff --git a/include/linux/grsock.h b/include/linux/grsock.h
72759 new file mode 100644
72760 index 0000000..e7ffaaf
72762 +++ b/include/linux/grsock.h
72764 +#ifndef __GRSOCK_H
72765 +#define __GRSOCK_H
72767 +extern void gr_attach_curr_ip(const struct sock *sk);
72768 +extern int gr_handle_sock_all(const int family, const int type,
72769 + const int protocol);
72770 +extern int gr_handle_sock_server(const struct sockaddr *sck);
72771 +extern int gr_handle_sock_server_other(const struct sock *sck);
72772 +extern int gr_handle_sock_client(const struct sockaddr *sck);
72773 +extern int gr_search_connect(struct socket * sock,
72774 + struct sockaddr_in * addr);
72775 +extern int gr_search_bind(struct socket * sock,
72776 + struct sockaddr_in * addr);
72777 +extern int gr_search_listen(struct socket * sock);
72778 +extern int gr_search_accept(struct socket * sock);
72779 +extern int gr_search_socket(const int domain, const int type,
72780 + const int protocol);
72783 diff --git a/include/linux/highmem.h b/include/linux/highmem.h
72784 index 7fb31da..08b5114 100644
72785 --- a/include/linux/highmem.h
72786 +++ b/include/linux/highmem.h
72787 @@ -189,6 +189,18 @@ static inline void clear_highpage(struct page *page)
72788 kunmap_atomic(kaddr);
72791 +static inline void sanitize_highpage(struct page *page)
72794 + unsigned long flags;
72796 + local_irq_save(flags);
72797 + kaddr = kmap_atomic(page);
72798 + clear_page(kaddr);
72799 + kunmap_atomic(kaddr);
72800 + local_irq_restore(flags);
72803 static inline void zero_user_segments(struct page *page,
72804 unsigned start1, unsigned end1,
72805 unsigned start2, unsigned end2)
72806 diff --git a/include/linux/hwmon-sysfs.h b/include/linux/hwmon-sysfs.h
72807 index 1c7b89a..7f52502 100644
72808 --- a/include/linux/hwmon-sysfs.h
72809 +++ b/include/linux/hwmon-sysfs.h
72811 struct sensor_device_attribute{
72812 struct device_attribute dev_attr;
72816 +typedef struct sensor_device_attribute __no_const sensor_device_attribute_no_const;
72817 #define to_sensor_dev_attr(_dev_attr) \
72818 container_of(_dev_attr, struct sensor_device_attribute, dev_attr)
72820 @@ -41,7 +42,7 @@ struct sensor_device_attribute_2 {
72821 struct device_attribute dev_attr;
72826 #define to_sensor_dev_attr_2(_dev_attr) \
72827 container_of(_dev_attr, struct sensor_device_attribute_2, dev_attr)
72829 diff --git a/include/linux/i2c.h b/include/linux/i2c.h
72830 index e988fa9..ff9f17e 100644
72831 --- a/include/linux/i2c.h
72832 +++ b/include/linux/i2c.h
72833 @@ -366,6 +366,7 @@ struct i2c_algorithm {
72834 /* To determine what the adapter supports */
72835 u32 (*functionality) (struct i2c_adapter *);
72837 +typedef struct i2c_algorithm __no_const i2c_algorithm_no_const;
72840 * struct i2c_bus_recovery_info - I2C bus recovery information
72841 diff --git a/include/linux/i2o.h b/include/linux/i2o.h
72842 index d23c3c2..eb63c81 100644
72843 --- a/include/linux/i2o.h
72844 +++ b/include/linux/i2o.h
72845 @@ -565,7 +565,7 @@ struct i2o_controller {
72846 struct i2o_device *exec; /* Executive */
72847 #if BITS_PER_LONG == 64
72848 spinlock_t context_list_lock; /* lock for context_list */
72849 - atomic_t context_list_counter; /* needed for unique contexts */
72850 + atomic_unchecked_t context_list_counter; /* needed for unique contexts */
72851 struct list_head context_list; /* list of context id's
72854 diff --git a/include/linux/if_pppox.h b/include/linux/if_pppox.h
72855 index aff7ad8..3942bbd 100644
72856 --- a/include/linux/if_pppox.h
72857 +++ b/include/linux/if_pppox.h
72858 @@ -76,7 +76,7 @@ struct pppox_proto {
72859 int (*ioctl)(struct socket *sock, unsigned int cmd,
72860 unsigned long arg);
72861 struct module *owner;
72865 extern int register_pppox_proto(int proto_num, const struct pppox_proto *pp);
72866 extern void unregister_pppox_proto(int proto_num);
72867 diff --git a/include/linux/init.h b/include/linux/init.h
72868 index 8618147..0821126 100644
72869 --- a/include/linux/init.h
72870 +++ b/include/linux/init.h
72872 * Also note, that this data cannot be "const".
72876 +#define add_init_latent_entropy
72877 +#define add_devinit_latent_entropy
72878 +#define add_cpuinit_latent_entropy
72879 +#define add_meminit_latent_entropy
72881 +#define add_init_latent_entropy __latent_entropy
72883 +#ifdef CONFIG_HOTPLUG
72884 +#define add_devinit_latent_entropy
72886 +#define add_devinit_latent_entropy __latent_entropy
72889 +#ifdef CONFIG_HOTPLUG_CPU
72890 +#define add_cpuinit_latent_entropy
72892 +#define add_cpuinit_latent_entropy __latent_entropy
72895 +#ifdef CONFIG_MEMORY_HOTPLUG
72896 +#define add_meminit_latent_entropy
72898 +#define add_meminit_latent_entropy __latent_entropy
72902 /* These are for everybody (although not all archs will actually
72903 discard it in modules) */
72904 -#define __init __section(.init.text) __cold notrace
72905 +#define __init __section(.init.text) __cold notrace add_init_latent_entropy
72906 #define __initdata __section(.init.data)
72907 #define __initconst __constsection(.init.rodata)
72908 #define __exitdata __section(.exit.data)
72910 #define __exit __section(.exit.text) __exitused __cold notrace
72912 /* Used for HOTPLUG_CPU */
72913 -#define __cpuinit __section(.cpuinit.text) __cold notrace
72914 +#define __cpuinit __section(.cpuinit.text) __cold notrace add_cpuinit_latent_entropy
72915 #define __cpuinitdata __section(.cpuinit.data)
72916 #define __cpuinitconst __constsection(.cpuinit.rodata)
72917 #define __cpuexit __section(.cpuexit.text) __exitused __cold notrace
72918 @@ -102,7 +129,7 @@
72919 #define __cpuexitconst __constsection(.cpuexit.rodata)
72921 /* Used for MEMORY_HOTPLUG */
72922 -#define __meminit __section(.meminit.text) __cold notrace
72923 +#define __meminit __section(.meminit.text) __cold notrace add_meminit_latent_entropy
72924 #define __meminitdata __section(.meminit.data)
72925 #define __meminitconst __constsection(.meminit.rodata)
72926 #define __memexit __section(.memexit.text) __exitused __cold notrace
72927 diff --git a/include/linux/init_task.h b/include/linux/init_task.h
72928 index 5cd0f09..c9f67cc 100644
72929 --- a/include/linux/init_task.h
72930 +++ b/include/linux/init_task.h
72931 @@ -154,6 +154,12 @@ extern struct task_group root_task_group;
72933 #define INIT_TASK_COMM "swapper"
72936 +#define INIT_TASK_THREAD_INFO .tinfo = INIT_THREAD_INFO,
72938 +#define INIT_TASK_THREAD_INFO
72942 * INIT_TASK is used to set up the first task table, touch at
72943 * your own risk!. Base=0, limit=0x1fffff (=2MB)
72944 @@ -193,6 +199,7 @@ extern struct task_group root_task_group;
72945 RCU_POINTER_INITIALIZER(cred, &init_cred), \
72946 .comm = INIT_TASK_COMM, \
72947 .thread = INIT_THREAD, \
72948 + INIT_TASK_THREAD_INFO \
72950 .files = &init_files, \
72951 .signal = &init_signals, \
72952 diff --git a/include/linux/interrupt.h b/include/linux/interrupt.h
72953 index 5fa5afe..ac55b25 100644
72954 --- a/include/linux/interrupt.h
72955 +++ b/include/linux/interrupt.h
72956 @@ -430,7 +430,7 @@ enum
72957 /* map softirq index to softirq name. update 'softirq_to_name' in
72958 * kernel/softirq.c when adding a new softirq.
72960 -extern char *softirq_to_name[NR_SOFTIRQS];
72961 +extern const char * const softirq_to_name[NR_SOFTIRQS];
72963 /* softirq mask and active fields moved to irq_cpustat_t in
72964 * asm/hardirq.h to get better cache usage. KAO
72965 @@ -438,12 +438,12 @@ extern char *softirq_to_name[NR_SOFTIRQS];
72967 struct softirq_action
72969 - void (*action)(struct softirq_action *);
72971 + void (*action)(void);
72974 asmlinkage void do_softirq(void);
72975 asmlinkage void __do_softirq(void);
72976 -extern void open_softirq(int nr, void (*action)(struct softirq_action *));
72977 +extern void open_softirq(int nr, void (*action)(void));
72978 extern void softirq_init(void);
72979 extern void __raise_softirq_irqoff(unsigned int nr);
72981 diff --git a/include/linux/iommu.h b/include/linux/iommu.h
72982 index 3aeb730..2177f39 100644
72983 --- a/include/linux/iommu.h
72984 +++ b/include/linux/iommu.h
72985 @@ -113,7 +113,7 @@ struct iommu_ops {
72986 u32 (*domain_get_windows)(struct iommu_domain *domain);
72988 unsigned long pgsize_bitmap;
72992 #define IOMMU_GROUP_NOTIFY_ADD_DEVICE 1 /* Device added */
72993 #define IOMMU_GROUP_NOTIFY_DEL_DEVICE 2 /* Pre Device removed */
72994 diff --git a/include/linux/ioport.h b/include/linux/ioport.h
72995 index 89b7c24..382af74 100644
72996 --- a/include/linux/ioport.h
72997 +++ b/include/linux/ioport.h
72998 @@ -161,7 +161,7 @@ struct resource *lookup_resource(struct resource *root, resource_size_t start);
72999 int adjust_resource(struct resource *res, resource_size_t start,
73000 resource_size_t size);
73001 resource_size_t resource_alignment(struct resource *res);
73002 -static inline resource_size_t resource_size(const struct resource *res)
73003 +static inline resource_size_t __intentional_overflow(-1) resource_size(const struct resource *res)
73005 return res->end - res->start + 1;
73007 diff --git a/include/linux/irq.h b/include/linux/irq.h
73008 index bc4e066..50468a9 100644
73009 --- a/include/linux/irq.h
73010 +++ b/include/linux/irq.h
73011 @@ -328,7 +328,8 @@ struct irq_chip {
73012 void (*irq_print_chip)(struct irq_data *data, struct seq_file *p);
73014 unsigned long flags;
73017 +typedef struct irq_chip __no_const irq_chip_no_const;
73020 * irq_chip specific flags
73021 diff --git a/include/linux/irqchip/arm-gic.h b/include/linux/irqchip/arm-gic.h
73022 index 3e203eb..3fe68d0 100644
73023 --- a/include/linux/irqchip/arm-gic.h
73024 +++ b/include/linux/irqchip/arm-gic.h
73027 #ifndef __ASSEMBLY__
73029 +#include <linux/irq.h>
73031 struct device_node;
73033 -extern struct irq_chip gic_arch_extn;
73034 +extern irq_chip_no_const gic_arch_extn;
73036 void gic_init_bases(unsigned int, int, void __iomem *, void __iomem *,
73037 u32 offset, struct device_node *);
73038 diff --git a/include/linux/kallsyms.h b/include/linux/kallsyms.h
73039 index 6883e19..e854fcb 100644
73040 --- a/include/linux/kallsyms.h
73041 +++ b/include/linux/kallsyms.h
73046 -#ifdef CONFIG_KALLSYMS
73047 +#if !defined(__INCLUDED_BY_HIDESYM) || !defined(CONFIG_KALLSYMS)
73048 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
73049 /* Lookup the address for a symbol. Returns 0 if not found. */
73050 unsigned long kallsyms_lookup_name(const char *name);
73052 @@ -106,6 +107,21 @@ static inline int lookup_symbol_attrs(unsigned long addr, unsigned long *size, u
73053 /* Stupid that this does nothing, but I didn't create this mess. */
73054 #define __print_symbol(fmt, addr)
73055 #endif /*CONFIG_KALLSYMS*/
73056 +#else /* when included by kallsyms.c, vsnprintf.c, kprobes.c, or
73057 + arch/x86/kernel/dumpstack.c, with HIDESYM enabled */
73058 +extern unsigned long kallsyms_lookup_name(const char *name);
73059 +extern void __print_symbol(const char *fmt, unsigned long address);
73060 +extern int sprint_backtrace(char *buffer, unsigned long address);
73061 +extern int sprint_symbol(char *buffer, unsigned long address);
73062 +extern int sprint_symbol_no_offset(char *buffer, unsigned long address);
73063 +const char *kallsyms_lookup(unsigned long addr,
73064 + unsigned long *symbolsize,
73065 + unsigned long *offset,
73066 + char **modname, char *namebuf);
73067 +extern int kallsyms_lookup_size_offset(unsigned long addr,
73068 + unsigned long *symbolsize,
73069 + unsigned long *offset);
73072 /* This macro allows us to keep printk typechecking */
73073 static __printf(1, 2)
73074 diff --git a/include/linux/key-type.h b/include/linux/key-type.h
73075 index 518a53a..5e28358 100644
73076 --- a/include/linux/key-type.h
73077 +++ b/include/linux/key-type.h
73078 @@ -125,7 +125,7 @@ struct key_type {
73079 /* internal fields */
73080 struct list_head link; /* link in types list */
73081 struct lock_class_key lock_class; /* key->sem lock class */
73085 extern struct key_type key_type_keyring;
73087 diff --git a/include/linux/kgdb.h b/include/linux/kgdb.h
73088 index c6e091b..a940adf 100644
73089 --- a/include/linux/kgdb.h
73090 +++ b/include/linux/kgdb.h
73091 @@ -52,7 +52,7 @@ extern int kgdb_connected;
73092 extern int kgdb_io_module_registered;
73094 extern atomic_t kgdb_setting_breakpoint;
73095 -extern atomic_t kgdb_cpu_doing_single_step;
73096 +extern atomic_unchecked_t kgdb_cpu_doing_single_step;
73098 extern struct task_struct *kgdb_usethread;
73099 extern struct task_struct *kgdb_contthread;
73100 @@ -254,7 +254,7 @@ struct kgdb_arch {
73101 void (*correct_hw_break)(void);
73103 void (*enable_nmi)(bool on);
73108 * struct kgdb_io - Describe the interface for an I/O driver to talk with KGDB.
73109 @@ -279,7 +279,7 @@ struct kgdb_io {
73110 void (*pre_exception) (void);
73111 void (*post_exception) (void);
73116 extern struct kgdb_arch arch_kgdb_ops;
73118 diff --git a/include/linux/kmod.h b/include/linux/kmod.h
73119 index 0555cc6..b16a7a4 100644
73120 --- a/include/linux/kmod.h
73121 +++ b/include/linux/kmod.h
73122 @@ -34,6 +34,8 @@ extern char modprobe_path[]; /* for sysctl */
73123 * usually useless though. */
73124 extern __printf(2, 3)
73125 int __request_module(bool wait, const char *name, ...);
73126 +extern __printf(3, 4)
73127 +int ___request_module(bool wait, char *param_name, const char *name, ...);
73128 #define request_module(mod...) __request_module(true, mod)
73129 #define request_module_nowait(mod...) __request_module(false, mod)
73130 #define try_then_request_module(x, mod...) \
73131 diff --git a/include/linux/kobject.h b/include/linux/kobject.h
73132 index 939b112..ed6ed51 100644
73133 --- a/include/linux/kobject.h
73134 +++ b/include/linux/kobject.h
73135 @@ -111,7 +111,7 @@ struct kobj_type {
73136 struct attribute **default_attrs;
73137 const struct kobj_ns_type_operations *(*child_ns_type)(struct kobject *kobj);
73138 const void *(*namespace)(struct kobject *kobj);
73142 struct kobj_uevent_env {
73143 char *envp[UEVENT_NUM_ENVP];
73144 @@ -134,6 +134,7 @@ struct kobj_attribute {
73145 ssize_t (*store)(struct kobject *kobj, struct kobj_attribute *attr,
73146 const char *buf, size_t count);
73148 +typedef struct kobj_attribute __no_const kobj_attribute_no_const;
73150 extern const struct sysfs_ops kobj_sysfs_ops;
73152 diff --git a/include/linux/kobject_ns.h b/include/linux/kobject_ns.h
73153 index f66b065..c2c29b4 100644
73154 --- a/include/linux/kobject_ns.h
73155 +++ b/include/linux/kobject_ns.h
73156 @@ -43,7 +43,7 @@ struct kobj_ns_type_operations {
73157 const void *(*netlink_ns)(struct sock *sk);
73158 const void *(*initial_ns)(void);
73159 void (*drop_ns)(void *);
73163 int kobj_ns_type_register(const struct kobj_ns_type_operations *ops);
73164 int kobj_ns_type_registered(enum kobj_ns_type type);
73165 diff --git a/include/linux/kref.h b/include/linux/kref.h
73166 index 484604d..0f6c5b6 100644
73167 --- a/include/linux/kref.h
73168 +++ b/include/linux/kref.h
73169 @@ -68,7 +68,7 @@ static inline void kref_get(struct kref *kref)
73170 static inline int kref_sub(struct kref *kref, unsigned int count,
73171 void (*release)(struct kref *kref))
73173 - WARN_ON(release == NULL);
73174 + BUG_ON(release == NULL);
73176 if (atomic_sub_and_test((int) count, &kref->refcount)) {
73178 diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
73179 index 8db53cf..c21121d 100644
73180 --- a/include/linux/kvm_host.h
73181 +++ b/include/linux/kvm_host.h
73182 @@ -444,7 +444,7 @@ static inline void kvm_irqfd_exit(void)
73186 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
73187 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
73188 struct module *module);
73189 void kvm_exit(void);
73191 @@ -616,7 +616,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(struct kvm_vcpu *vcpu,
73192 struct kvm_guest_debug *dbg);
73193 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
73195 -int kvm_arch_init(void *opaque);
73196 +int kvm_arch_init(const void *opaque);
73197 void kvm_arch_exit(void);
73199 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
73200 diff --git a/include/linux/libata.h b/include/linux/libata.h
73201 index eae7a05..2cdd875 100644
73202 --- a/include/linux/libata.h
73203 +++ b/include/linux/libata.h
73204 @@ -919,7 +919,7 @@ struct ata_port_operations {
73205 * fields must be pointers.
73207 const struct ata_port_operations *inherits;
73211 struct ata_port_info {
73212 unsigned long flags;
73213 diff --git a/include/linux/list.h b/include/linux/list.h
73214 index b83e565..baa6c1d 100644
73215 --- a/include/linux/list.h
73216 +++ b/include/linux/list.h
73217 @@ -112,6 +112,19 @@ extern void __list_del_entry(struct list_head *entry);
73218 extern void list_del(struct list_head *entry);
73221 +extern void __pax_list_add(struct list_head *new,
73222 + struct list_head *prev,
73223 + struct list_head *next);
73224 +static inline void pax_list_add(struct list_head *new, struct list_head *head)
73226 + __pax_list_add(new, head, head->next);
73228 +static inline void pax_list_add_tail(struct list_head *new, struct list_head *head)
73230 + __pax_list_add(new, head->prev, head);
73232 +extern void pax_list_del(struct list_head *entry);
73235 * list_replace - replace old entry by new one
73236 * @old : the element to be replaced
73237 @@ -145,6 +158,8 @@ static inline void list_del_init(struct list_head *entry)
73238 INIT_LIST_HEAD(entry);
73241 +extern void pax_list_del_init(struct list_head *entry);
73244 * list_move - delete from one list and add as another's head
73245 * @list: the entry to move
73246 diff --git a/include/linux/math64.h b/include/linux/math64.h
73247 index 2913b86..8dcbb1e 100644
73248 --- a/include/linux/math64.h
73249 +++ b/include/linux/math64.h
73251 * This is commonly provided by 32bit archs to provide an optimized 64bit
73254 -static inline u64 div_u64_rem(u64 dividend, u32 divisor, u32 *remainder)
73255 +static inline u64 __intentional_overflow(-1) div_u64_rem(u64 dividend, u32 divisor, u32 *remainder)
73257 *remainder = dividend % divisor;
73258 return dividend / divisor;
73259 @@ -33,7 +33,7 @@ static inline s64 div_s64_rem(s64 dividend, s32 divisor, s32 *remainder)
73261 * div64_u64 - unsigned 64bit divide with 64bit divisor
73263 -static inline u64 div64_u64(u64 dividend, u64 divisor)
73264 +static inline u64 __intentional_overflow(0) div64_u64(u64 dividend, u64 divisor)
73266 return dividend / divisor;
73268 @@ -52,7 +52,7 @@ static inline s64 div64_s64(s64 dividend, s64 divisor)
73269 #define div64_ul(x, y) div_u64((x), (y))
73271 #ifndef div_u64_rem
73272 -static inline u64 div_u64_rem(u64 dividend, u32 divisor, u32 *remainder)
73273 +static inline u64 __intentional_overflow(-1) div_u64_rem(u64 dividend, u32 divisor, u32 *remainder)
73275 *remainder = do_div(dividend, divisor);
73277 @@ -81,7 +81,7 @@ extern s64 div64_s64(s64 dividend, s64 divisor);
73281 -static inline u64 div_u64(u64 dividend, u32 divisor)
73282 +static inline u64 __intentional_overflow(-1) div_u64(u64 dividend, u32 divisor)
73285 return div_u64_rem(dividend, divisor, &remainder);
73286 diff --git a/include/linux/mm.h b/include/linux/mm.h
73287 index e0c8528..bcf0c29 100644
73288 --- a/include/linux/mm.h
73289 +++ b/include/linux/mm.h
73290 @@ -104,6 +104,11 @@ extern unsigned int kobjsize(const void *objp);
73291 #define VM_HUGETLB 0x00400000 /* Huge TLB Page VM */
73292 #define VM_NONLINEAR 0x00800000 /* Is non-linear (remap_file_pages) */
73293 #define VM_ARCH_1 0x01000000 /* Architecture-specific flag */
73295 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
73296 +#define VM_PAGEEXEC 0x02000000 /* vma->vm_page_prot needs special handling */
73299 #define VM_DONTDUMP 0x04000000 /* Do not include in the core dump */
73301 #define VM_MIXEDMAP 0x10000000 /* Can contain "struct page" and pure PFN pages */
73302 @@ -205,8 +210,8 @@ struct vm_operations_struct {
73303 /* called by access_process_vm when get_user_pages() fails, typically
73304 * for use by special VMAs that can switch between memory and hardware
73306 - int (*access)(struct vm_area_struct *vma, unsigned long addr,
73307 - void *buf, int len, int write);
73308 + ssize_t (*access)(struct vm_area_struct *vma, unsigned long addr,
73309 + void *buf, size_t len, int write);
73312 * set_policy() op must add a reference to any non-NULL @new mempolicy
73313 @@ -236,6 +241,7 @@ struct vm_operations_struct {
73314 int (*remap_pages)(struct vm_area_struct *vma, unsigned long addr,
73315 unsigned long size, pgoff_t pgoff);
73317 +typedef struct vm_operations_struct __no_const vm_operations_struct_no_const;
73321 @@ -980,8 +986,8 @@ int follow_pfn(struct vm_area_struct *vma, unsigned long address,
73322 unsigned long *pfn);
73323 int follow_phys(struct vm_area_struct *vma, unsigned long address,
73324 unsigned int flags, unsigned long *prot, resource_size_t *phys);
73325 -int generic_access_phys(struct vm_area_struct *vma, unsigned long addr,
73326 - void *buf, int len, int write);
73327 +ssize_t generic_access_phys(struct vm_area_struct *vma, unsigned long addr,
73328 + void *buf, size_t len, int write);
73330 static inline void unmap_shared_mapping_range(struct address_space *mapping,
73331 loff_t const holebegin, loff_t const holelen)
73332 @@ -1020,9 +1026,9 @@ static inline int fixup_user_fault(struct task_struct *tsk,
73336 -extern int access_process_vm(struct task_struct *tsk, unsigned long addr, void *buf, int len, int write);
73337 -extern int access_remote_vm(struct mm_struct *mm, unsigned long addr,
73338 - void *buf, int len, int write);
73339 +extern ssize_t access_process_vm(struct task_struct *tsk, unsigned long addr, void *buf, size_t len, int write);
73340 +extern ssize_t access_remote_vm(struct mm_struct *mm, unsigned long addr,
73341 + void *buf, size_t len, int write);
73343 long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
73344 unsigned long start, unsigned long nr_pages,
73345 @@ -1053,34 +1059,6 @@ int set_page_dirty(struct page *page);
73346 int set_page_dirty_lock(struct page *page);
73347 int clear_page_dirty_for_io(struct page *page);
73349 -/* Is the vma a continuation of the stack vma above it? */
73350 -static inline int vma_growsdown(struct vm_area_struct *vma, unsigned long addr)
73352 - return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN);
73355 -static inline int stack_guard_page_start(struct vm_area_struct *vma,
73356 - unsigned long addr)
73358 - return (vma->vm_flags & VM_GROWSDOWN) &&
73359 - (vma->vm_start == addr) &&
73360 - !vma_growsdown(vma->vm_prev, addr);
73363 -/* Is the vma a continuation of the stack vma below it? */
73364 -static inline int vma_growsup(struct vm_area_struct *vma, unsigned long addr)
73366 - return vma && (vma->vm_start == addr) && (vma->vm_flags & VM_GROWSUP);
73369 -static inline int stack_guard_page_end(struct vm_area_struct *vma,
73370 - unsigned long addr)
73372 - return (vma->vm_flags & VM_GROWSUP) &&
73373 - (vma->vm_end == addr) &&
73374 - !vma_growsup(vma->vm_next, addr);
73378 vm_is_stack(struct task_struct *task, struct vm_area_struct *vma, int in_group);
73380 @@ -1180,6 +1158,15 @@ static inline void sync_mm_rss(struct mm_struct *mm)
73385 +pgprot_t vm_get_page_prot(vm_flags_t vm_flags);
73387 +static inline pgprot_t vm_get_page_prot(vm_flags_t vm_flags)
73389 + return __pgprot(0);
73393 int vma_wants_writenotify(struct vm_area_struct *vma);
73395 extern pte_t *__get_locked_pte(struct mm_struct *mm, unsigned long addr,
73396 @@ -1198,8 +1185,15 @@ static inline int __pud_alloc(struct mm_struct *mm, pgd_t *pgd,
73401 +static inline int __pud_alloc_kernel(struct mm_struct *mm, pgd_t *pgd,
73402 + unsigned long address)
73407 int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address);
73408 +int __pud_alloc_kernel(struct mm_struct *mm, pgd_t *pgd, unsigned long address);
73411 #ifdef __PAGETABLE_PMD_FOLDED
73412 @@ -1208,8 +1202,15 @@ static inline int __pmd_alloc(struct mm_struct *mm, pud_t *pud,
73417 +static inline int __pmd_alloc_kernel(struct mm_struct *mm, pud_t *pud,
73418 + unsigned long address)
73423 int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address);
73424 +int __pmd_alloc_kernel(struct mm_struct *mm, pud_t *pud, unsigned long address);
73427 int __pte_alloc(struct mm_struct *mm, struct vm_area_struct *vma,
73428 @@ -1227,11 +1228,23 @@ static inline pud_t *pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long a
73429 NULL: pud_offset(pgd, address);
73432 +static inline pud_t *pud_alloc_kernel(struct mm_struct *mm, pgd_t *pgd, unsigned long address)
73434 + return (unlikely(pgd_none(*pgd)) && __pud_alloc_kernel(mm, pgd, address))?
73435 + NULL: pud_offset(pgd, address);
73438 static inline pmd_t *pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address)
73440 return (unlikely(pud_none(*pud)) && __pmd_alloc(mm, pud, address))?
73441 NULL: pmd_offset(pud, address);
73444 +static inline pmd_t *pmd_alloc_kernel(struct mm_struct *mm, pud_t *pud, unsigned long address)
73446 + return (unlikely(pud_none(*pud)) && __pmd_alloc_kernel(mm, pud, address))?
73447 + NULL: pmd_offset(pud, address);
73449 #endif /* CONFIG_MMU && !__ARCH_HAS_4LEVEL_HACK */
73451 #if USE_SPLIT_PTLOCKS
73452 @@ -1517,6 +1530,7 @@ extern unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
73453 unsigned long len, unsigned long prot, unsigned long flags,
73454 unsigned long pgoff, unsigned long *populate);
73455 extern int do_munmap(struct mm_struct *, unsigned long, size_t);
73456 +extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
73459 extern int __mm_populate(unsigned long addr, unsigned long len,
73460 @@ -1545,10 +1559,11 @@ struct vm_unmapped_area_info {
73461 unsigned long high_limit;
73462 unsigned long align_mask;
73463 unsigned long align_offset;
73464 + unsigned long threadstack_offset;
73467 -extern unsigned long unmapped_area(struct vm_unmapped_area_info *info);
73468 -extern unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info);
73469 +extern unsigned long unmapped_area(const struct vm_unmapped_area_info *info);
73470 +extern unsigned long unmapped_area_topdown(const struct vm_unmapped_area_info *info);
73473 * Search for an unmapped address range.
73474 @@ -1560,7 +1575,7 @@ extern unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info);
73475 * - satisfies (begin_addr & align_mask) == (align_offset & align_mask)
73477 static inline unsigned long
73478 -vm_unmapped_area(struct vm_unmapped_area_info *info)
73479 +vm_unmapped_area(const struct vm_unmapped_area_info *info)
73481 if (!(info->flags & VM_UNMAPPED_AREA_TOPDOWN))
73482 return unmapped_area(info);
73483 @@ -1623,6 +1638,10 @@ extern struct vm_area_struct * find_vma(struct mm_struct * mm, unsigned long add
73484 extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
73485 struct vm_area_struct **pprev);
73487 +extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
73488 +extern __must_check long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
73489 +extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
73491 /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
73492 NULL if none. Assume start_addr < end_addr. */
73493 static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
73494 @@ -1651,15 +1670,6 @@ static inline struct vm_area_struct *find_exact_vma(struct mm_struct *mm,
73499 -pgprot_t vm_get_page_prot(unsigned long vm_flags);
73501 -static inline pgprot_t vm_get_page_prot(unsigned long vm_flags)
73503 - return __pgprot(0);
73507 #ifdef CONFIG_ARCH_USES_NUMA_PROT_NONE
73508 unsigned long change_prot_numa(struct vm_area_struct *vma,
73509 unsigned long start, unsigned long end);
73510 @@ -1711,6 +1721,11 @@ void vm_stat_account(struct mm_struct *, unsigned long, struct file *, long);
73511 static inline void vm_stat_account(struct mm_struct *mm,
73512 unsigned long flags, struct file *file, long pages)
73515 +#ifdef CONFIG_PAX_RANDMMAP
73516 + if (!(mm->pax_flags & MF_PAX_RANDMMAP) || (flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)))
73519 mm->total_vm += pages;
73521 #endif /* CONFIG_PROC_FS */
73522 @@ -1791,7 +1806,7 @@ extern int unpoison_memory(unsigned long pfn);
73523 extern int sysctl_memory_failure_early_kill;
73524 extern int sysctl_memory_failure_recovery;
73525 extern void shake_page(struct page *p, int access);
73526 -extern atomic_long_t num_poisoned_pages;
73527 +extern atomic_long_unchecked_t num_poisoned_pages;
73528 extern int soft_offline_page(struct page *page, int flags);
73530 extern void dump_page(struct page *page);
73531 @@ -1828,5 +1843,11 @@ void __init setup_nr_node_ids(void);
73532 static inline void setup_nr_node_ids(void) {}
73535 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
73536 +extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
73538 +static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
73541 #endif /* __KERNEL__ */
73542 #endif /* _LINUX_MM_H */
73543 diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
73544 index ace9a5f..81bdb59 100644
73545 --- a/include/linux/mm_types.h
73546 +++ b/include/linux/mm_types.h
73547 @@ -289,6 +289,8 @@ struct vm_area_struct {
73549 struct mempolicy *vm_policy; /* NUMA policy for the VMA */
73552 + struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
73555 struct core_thread {
73556 @@ -437,6 +439,24 @@ struct mm_struct {
73559 struct uprobes_state uprobes_state;
73561 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
73562 + unsigned long pax_flags;
73565 +#ifdef CONFIG_PAX_DLRESOLVE
73566 + unsigned long call_dl_resolve;
73569 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
73570 + unsigned long call_syscall;
73573 +#ifdef CONFIG_PAX_ASLR
73574 + unsigned long delta_mmap; /* randomized offset */
73575 + unsigned long delta_stack; /* randomized offset */
73580 /* first nid will either be a valid NID or one of these values */
73581 diff --git a/include/linux/mmiotrace.h b/include/linux/mmiotrace.h
73582 index c5d5278..f0b68c8 100644
73583 --- a/include/linux/mmiotrace.h
73584 +++ b/include/linux/mmiotrace.h
73585 @@ -46,7 +46,7 @@ extern int kmmio_handler(struct pt_regs *regs, unsigned long addr);
73586 /* Called from ioremap.c */
73587 extern void mmiotrace_ioremap(resource_size_t offset, unsigned long size,
73588 void __iomem *addr);
73589 -extern void mmiotrace_iounmap(volatile void __iomem *addr);
73590 +extern void mmiotrace_iounmap(const volatile void __iomem *addr);
73592 /* For anyone to insert markers. Remember trailing newline. */
73593 extern __printf(1, 2) int mmiotrace_printk(const char *fmt, ...);
73594 @@ -66,7 +66,7 @@ static inline void mmiotrace_ioremap(resource_size_t offset,
73598 -static inline void mmiotrace_iounmap(volatile void __iomem *addr)
73599 +static inline void mmiotrace_iounmap(const volatile void __iomem *addr)
73603 diff --git a/include/linux/mmzone.h b/include/linux/mmzone.h
73604 index 5c76737..61f518e 100644
73605 --- a/include/linux/mmzone.h
73606 +++ b/include/linux/mmzone.h
73607 @@ -396,7 +396,7 @@ struct zone {
73608 unsigned long flags; /* zone flags, see below */
73610 /* Zone statistics */
73611 - atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
73612 + atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
73615 * The target ratio of ACTIVE_ANON to INACTIVE_ANON pages on
73616 diff --git a/include/linux/mod_devicetable.h b/include/linux/mod_devicetable.h
73617 index b508016..237cfe5 100644
73618 --- a/include/linux/mod_devicetable.h
73619 +++ b/include/linux/mod_devicetable.h
73621 typedef unsigned long kernel_ulong_t;
73624 -#define PCI_ANY_ID (~0)
73625 +#define PCI_ANY_ID ((__u16)~0)
73627 struct pci_device_id {
73628 __u32 vendor, device; /* Vendor and device ID or PCI_ANY_ID*/
73629 @@ -139,7 +139,7 @@ struct usb_device_id {
73630 #define USB_DEVICE_ID_MATCH_INT_PROTOCOL 0x0200
73631 #define USB_DEVICE_ID_MATCH_INT_NUMBER 0x0400
73633 -#define HID_ANY_ID (~0)
73634 +#define HID_ANY_ID (~0U)
73635 #define HID_BUS_ANY 0xffff
73636 #define HID_GROUP_ANY 0x0000
73638 @@ -465,7 +465,7 @@ struct dmi_system_id {
73640 struct dmi_strmatch matches[4];
73645 * struct dmi_device_id appears during expansion of
73646 * "MODULE_DEVICE_TABLE(dmi, x)". Compiler doesn't look inside it
73647 diff --git a/include/linux/module.h b/include/linux/module.h
73648 index 46f1ea0..a34ca37 100644
73649 --- a/include/linux/module.h
73650 +++ b/include/linux/module.h
73652 #include <linux/moduleparam.h>
73653 #include <linux/tracepoint.h>
73654 #include <linux/export.h>
73655 +#include <linux/fs.h>
73657 #include <linux/percpu.h>
73658 #include <asm/module.h>
73659 +#include <asm/pgtable.h>
73661 /* In stripped ARM and x86-64 modules, ~ is surprisingly rare. */
73662 #define MODULE_SIG_STRING "~Module signature appended~\n"
73663 @@ -54,12 +56,13 @@ struct module_attribute {
73664 int (*test)(struct module *);
73665 void (*free)(struct module *);
73667 +typedef struct module_attribute __no_const module_attribute_no_const;
73669 struct module_version_attribute {
73670 struct module_attribute mattr;
73671 const char *module_name;
73672 const char *version;
73673 -} __attribute__ ((__aligned__(sizeof(void *))));
73674 +} __do_const __attribute__ ((__aligned__(sizeof(void *))));
73676 extern ssize_t __modver_version_show(struct module_attribute *,
73677 struct module_kobject *, char *);
73678 @@ -232,7 +235,7 @@ struct module
73681 struct module_kobject mkobj;
73682 - struct module_attribute *modinfo_attrs;
73683 + module_attribute_no_const *modinfo_attrs;
73684 const char *version;
73685 const char *srcversion;
73686 struct kobject *holders_dir;
73687 @@ -281,19 +284,16 @@ struct module
73690 /* If this is non-NULL, vfree after init() returns */
73691 - void *module_init;
73692 + void *module_init_rx, *module_init_rw;
73694 /* Here is the actual code + data, vfree'd on unload. */
73695 - void *module_core;
73696 + void *module_core_rx, *module_core_rw;
73698 /* Here are the sizes of the init and core sections */
73699 - unsigned int init_size, core_size;
73700 + unsigned int init_size_rw, core_size_rw;
73702 /* The size of the executable code in each section. */
73703 - unsigned int init_text_size, core_text_size;
73705 - /* Size of RO sections of the module (text+rodata) */
73706 - unsigned int init_ro_size, core_ro_size;
73707 + unsigned int init_size_rx, core_size_rx;
73709 /* Arch-specific module values */
73710 struct mod_arch_specific arch;
73711 @@ -349,6 +349,10 @@ struct module
73712 #ifdef CONFIG_EVENT_TRACING
73713 struct ftrace_event_call **trace_events;
73714 unsigned int num_trace_events;
73715 + struct file_operations trace_id;
73716 + struct file_operations trace_enable;
73717 + struct file_operations trace_format;
73718 + struct file_operations trace_filter;
73720 #ifdef CONFIG_FTRACE_MCOUNT_RECORD
73721 unsigned int num_ftrace_callsites;
73722 @@ -396,16 +400,46 @@ bool is_module_address(unsigned long addr);
73723 bool is_module_percpu_address(unsigned long addr);
73724 bool is_module_text_address(unsigned long addr);
73726 +static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
73729 +#ifdef CONFIG_PAX_KERNEXEC
73730 + if (ktla_ktva(addr) >= (unsigned long)start &&
73731 + ktla_ktva(addr) < (unsigned long)start + size)
73735 + return ((void *)addr >= start && (void *)addr < start + size);
73738 +static inline int within_module_core_rx(unsigned long addr, const struct module *mod)
73740 + return within_module_range(addr, mod->module_core_rx, mod->core_size_rx);
73743 +static inline int within_module_core_rw(unsigned long addr, const struct module *mod)
73745 + return within_module_range(addr, mod->module_core_rw, mod->core_size_rw);
73748 +static inline int within_module_init_rx(unsigned long addr, const struct module *mod)
73750 + return within_module_range(addr, mod->module_init_rx, mod->init_size_rx);
73753 +static inline int within_module_init_rw(unsigned long addr, const struct module *mod)
73755 + return within_module_range(addr, mod->module_init_rw, mod->init_size_rw);
73758 static inline int within_module_core(unsigned long addr, const struct module *mod)
73760 - return (unsigned long)mod->module_core <= addr &&
73761 - addr < (unsigned long)mod->module_core + mod->core_size;
73762 + return within_module_core_rx(addr, mod) || within_module_core_rw(addr, mod);
73765 static inline int within_module_init(unsigned long addr, const struct module *mod)
73767 - return (unsigned long)mod->module_init <= addr &&
73768 - addr < (unsigned long)mod->module_init + mod->init_size;
73769 + return within_module_init_rx(addr, mod) || within_module_init_rw(addr, mod);
73772 /* Search for module by name: must hold module_mutex. */
73773 diff --git a/include/linux/moduleloader.h b/include/linux/moduleloader.h
73774 index 560ca53..ef621ef 100644
73775 --- a/include/linux/moduleloader.h
73776 +++ b/include/linux/moduleloader.h
73777 @@ -25,9 +25,21 @@ unsigned int arch_mod_section_prepend(struct module *mod, unsigned int section);
73778 sections. Returns NULL on failure. */
73779 void *module_alloc(unsigned long size);
73781 +#ifdef CONFIG_PAX_KERNEXEC
73782 +void *module_alloc_exec(unsigned long size);
73784 +#define module_alloc_exec(x) module_alloc(x)
73787 /* Free memory returned from module_alloc. */
73788 void module_free(struct module *mod, void *module_region);
73790 +#ifdef CONFIG_PAX_KERNEXEC
73791 +void module_free_exec(struct module *mod, void *module_region);
73793 +#define module_free_exec(x, y) module_free((x), (y))
73797 * Apply the given relocation to the (simplified) ELF. Return -error
73799 @@ -45,7 +57,9 @@ static inline int apply_relocate(Elf_Shdr *sechdrs,
73800 unsigned int relsec,
73803 +#ifdef CONFIG_MODULES
73804 printk(KERN_ERR "module %s: REL relocation unsupported\n", me->name);
73809 @@ -67,7 +81,9 @@ static inline int apply_relocate_add(Elf_Shdr *sechdrs,
73810 unsigned int relsec,
73813 +#ifdef CONFIG_MODULES
73814 printk(KERN_ERR "module %s: REL relocation unsupported\n", me->name);
73819 diff --git a/include/linux/moduleparam.h b/include/linux/moduleparam.h
73820 index 137b419..fe663ec 100644
73821 --- a/include/linux/moduleparam.h
73822 +++ b/include/linux/moduleparam.h
73823 @@ -284,7 +284,7 @@ static inline void __kernel_param_unlock(void)
73824 * @len is usually just sizeof(string).
73826 #define module_param_string(name, string, len, perm) \
73827 - static const struct kparam_string __param_string_##name \
73828 + static const struct kparam_string __param_string_##name __used \
73829 = { len, string }; \
73830 __module_param_call(MODULE_PARAM_PREFIX, name, \
73831 ¶m_ops_string, \
73832 @@ -423,7 +423,7 @@ extern int param_set_bint(const char *val, const struct kernel_param *kp);
73834 #define module_param_array_named(name, array, type, nump, perm) \
73835 param_check_##type(name, &(array)[0]); \
73836 - static const struct kparam_array __param_arr_##name \
73837 + static const struct kparam_array __param_arr_##name __used \
73838 = { .max = ARRAY_SIZE(array), .num = nump, \
73839 .ops = ¶m_ops_##type, \
73840 .elemsize = sizeof(array[0]), .elem = array }; \
73841 diff --git a/include/linux/namei.h b/include/linux/namei.h
73842 index 5a5ff57..5ae5070 100644
73843 --- a/include/linux/namei.h
73844 +++ b/include/linux/namei.h
73845 @@ -19,7 +19,7 @@ struct nameidata {
73849 - char *saved_names[MAX_NESTED_LINKS + 1];
73850 + const char *saved_names[MAX_NESTED_LINKS + 1];
73854 @@ -84,12 +84,12 @@ extern void unlock_rename(struct dentry *, struct dentry *);
73856 extern void nd_jump_link(struct nameidata *nd, struct path *path);
73858 -static inline void nd_set_link(struct nameidata *nd, char *path)
73859 +static inline void nd_set_link(struct nameidata *nd, const char *path)
73861 nd->saved_names[nd->depth] = path;
73864 -static inline char *nd_get_link(struct nameidata *nd)
73865 +static inline const char *nd_get_link(const struct nameidata *nd)
73867 return nd->saved_names[nd->depth];
73869 diff --git a/include/linux/net.h b/include/linux/net.h
73870 index 99c9f0c..e1cf296 100644
73871 --- a/include/linux/net.h
73872 +++ b/include/linux/net.h
73873 @@ -183,7 +183,7 @@ struct net_proto_family {
73874 int (*create)(struct net *net, struct socket *sock,
73875 int protocol, int kern);
73876 struct module *owner;
73882 diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
73883 index 96e4c21..9cc8278 100644
73884 --- a/include/linux/netdevice.h
73885 +++ b/include/linux/netdevice.h
73886 @@ -1026,6 +1026,7 @@ struct net_device_ops {
73887 int (*ndo_change_carrier)(struct net_device *dev,
73890 +typedef struct net_device_ops __no_const net_device_ops_no_const;
73893 * The DEVICE structure.
73894 @@ -1094,7 +1095,7 @@ struct net_device {
73897 struct net_device_stats stats;
73898 - atomic_long_t rx_dropped; /* dropped packets by core network
73899 + atomic_long_unchecked_t rx_dropped; /* dropped packets by core network
73900 * Do not use this in drivers.
73903 diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
73904 index 0060fde..481c6ae 100644
73905 --- a/include/linux/netfilter.h
73906 +++ b/include/linux/netfilter.h
73907 @@ -82,7 +82,7 @@ struct nf_sockopt_ops {
73909 /* Use the module struct to lock set/get code in place */
73910 struct module *owner;
73914 /* Function to register/unregister hook points. */
73915 int nf_register_hook(struct nf_hook_ops *reg);
73916 diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h
73917 index d80e275..c3510b8 100644
73918 --- a/include/linux/netfilter/ipset/ip_set.h
73919 +++ b/include/linux/netfilter/ipset/ip_set.h
73920 @@ -124,7 +124,7 @@ struct ip_set_type_variant {
73921 /* Return true if "b" set is the same as "a"
73922 * according to the create set parameters */
73923 bool (*same_set)(const struct ip_set *a, const struct ip_set *b);
73927 /* The core set type structure */
73928 struct ip_set_type {
73929 diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h
73930 index cadb740..d7c37c0 100644
73931 --- a/include/linux/netfilter/nfnetlink.h
73932 +++ b/include/linux/netfilter/nfnetlink.h
73933 @@ -16,7 +16,7 @@ struct nfnl_callback {
73934 const struct nlattr * const cda[]);
73935 const struct nla_policy *policy; /* netlink attribute policy */
73936 const u_int16_t attr_count; /* number of nlattr's */
73940 struct nfnetlink_subsystem {
73942 diff --git a/include/linux/netfilter/xt_gradm.h b/include/linux/netfilter/xt_gradm.h
73943 new file mode 100644
73944 index 0000000..33f4af8
73946 +++ b/include/linux/netfilter/xt_gradm.h
73948 +#ifndef _LINUX_NETFILTER_XT_GRADM_H
73949 +#define _LINUX_NETFILTER_XT_GRADM_H 1
73951 +struct xt_gradm_mtinfo {
73957 diff --git a/include/linux/nls.h b/include/linux/nls.h
73958 index 5dc635f..35f5e11 100644
73959 --- a/include/linux/nls.h
73960 +++ b/include/linux/nls.h
73961 @@ -31,7 +31,7 @@ struct nls_table {
73962 const unsigned char *charset2upper;
73963 struct module *owner;
73964 struct nls_table *next;
73968 /* this value hold the maximum octet of charset */
73969 #define NLS_MAX_CHARSET_SIZE 6 /* for UTF-8 */
73970 diff --git a/include/linux/notifier.h b/include/linux/notifier.h
73971 index d14a4c3..a078786 100644
73972 --- a/include/linux/notifier.h
73973 +++ b/include/linux/notifier.h
73974 @@ -54,7 +54,8 @@ struct notifier_block {
73975 notifier_fn_t notifier_call;
73976 struct notifier_block __rcu *next;
73980 +typedef struct notifier_block __no_const notifier_block_no_const;
73982 struct atomic_notifier_head {
73984 diff --git a/include/linux/oprofile.h b/include/linux/oprofile.h
73985 index a4c5624..79d6d88 100644
73986 --- a/include/linux/oprofile.h
73987 +++ b/include/linux/oprofile.h
73988 @@ -139,9 +139,9 @@ int oprofilefs_create_ulong(struct super_block * sb, struct dentry * root,
73989 int oprofilefs_create_ro_ulong(struct super_block * sb, struct dentry * root,
73990 char const * name, ulong * val);
73992 -/** Create a file for read-only access to an atomic_t. */
73993 +/** Create a file for read-only access to an atomic_unchecked_t. */
73994 int oprofilefs_create_ro_atomic(struct super_block * sb, struct dentry * root,
73995 - char const * name, atomic_t * val);
73996 + char const * name, atomic_unchecked_t * val);
73998 /** create a directory */
73999 struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
74000 diff --git a/include/linux/pci_hotplug.h b/include/linux/pci_hotplug.h
74001 index 8db71dc..a76bf2c 100644
74002 --- a/include/linux/pci_hotplug.h
74003 +++ b/include/linux/pci_hotplug.h
74004 @@ -80,7 +80,8 @@ struct hotplug_slot_ops {
74005 int (*get_attention_status) (struct hotplug_slot *slot, u8 *value);
74006 int (*get_latch_status) (struct hotplug_slot *slot, u8 *value);
74007 int (*get_adapter_status) (struct hotplug_slot *slot, u8 *value);
74010 +typedef struct hotplug_slot_ops __no_const hotplug_slot_ops_no_const;
74013 * struct hotplug_slot_info - used to notify the hotplug pci core of the state of the slot
74014 diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
74015 index c5b6dbf..b124155 100644
74016 --- a/include/linux/perf_event.h
74017 +++ b/include/linux/perf_event.h
74018 @@ -318,8 +318,8 @@ struct perf_event {
74020 enum perf_event_active_state state;
74021 unsigned int attach_state;
74023 - atomic64_t child_count;
74024 + local64_t count; /* PaX: fix it one day */
74025 + atomic64_unchecked_t child_count;
74028 * These are the total time in nanoseconds that the event
74029 @@ -370,8 +370,8 @@ struct perf_event {
74030 * These accumulate total time (in nanoseconds) that children
74031 * events have been enabled and running, respectively.
74033 - atomic64_t child_total_time_enabled;
74034 - atomic64_t child_total_time_running;
74035 + atomic64_unchecked_t child_total_time_enabled;
74036 + atomic64_unchecked_t child_total_time_running;
74039 * Protect attach/detach and child_list:
74040 @@ -692,7 +692,7 @@ static inline void perf_callchain_store(struct perf_callchain_entry *entry, u64
74041 entry->ip[entry->nr++] = ip;
74044 -extern int sysctl_perf_event_paranoid;
74045 +extern int sysctl_perf_event_legitimately_concerned;
74046 extern int sysctl_perf_event_mlock;
74047 extern int sysctl_perf_event_sample_rate;
74049 @@ -700,19 +700,24 @@ extern int perf_proc_update_handler(struct ctl_table *table, int write,
74050 void __user *buffer, size_t *lenp,
74053 +static inline bool perf_paranoid_any(void)
74055 + return sysctl_perf_event_legitimately_concerned > 2;
74058 static inline bool perf_paranoid_tracepoint_raw(void)
74060 - return sysctl_perf_event_paranoid > -1;
74061 + return sysctl_perf_event_legitimately_concerned > -1;
74064 static inline bool perf_paranoid_cpu(void)
74066 - return sysctl_perf_event_paranoid > 0;
74067 + return sysctl_perf_event_legitimately_concerned > 0;
74070 static inline bool perf_paranoid_kernel(void)
74072 - return sysctl_perf_event_paranoid > 1;
74073 + return sysctl_perf_event_legitimately_concerned > 1;
74076 extern void perf_event_init(void);
74077 @@ -806,7 +811,7 @@ static inline void perf_restore_debug_store(void) { }
74079 #define perf_cpu_notifier(fn) \
74081 - static struct notifier_block fn##_nb __cpuinitdata = \
74082 + static struct notifier_block fn##_nb = \
74083 { .notifier_call = fn, .priority = CPU_PRI_PERF }; \
74084 unsigned long cpu = smp_processor_id(); \
74085 unsigned long flags; \
74086 @@ -826,7 +831,7 @@ struct perf_pmu_events_attr {
74087 struct device_attribute attr;
74089 const char *event_str;
74093 #define PMU_EVENT_ATTR(_name, _var, _id, _show) \
74094 static struct perf_pmu_events_attr _var = { \
74095 diff --git a/include/linux/pipe_fs_i.h b/include/linux/pipe_fs_i.h
74096 index b8809fe..ae4ccd0 100644
74097 --- a/include/linux/pipe_fs_i.h
74098 +++ b/include/linux/pipe_fs_i.h
74099 @@ -47,10 +47,10 @@ struct pipe_inode_info {
74100 struct mutex mutex;
74101 wait_queue_head_t wait;
74102 unsigned int nrbufs, curbuf, buffers;
74103 - unsigned int readers;
74104 - unsigned int writers;
74105 - unsigned int files;
74106 - unsigned int waiting_writers;
74107 + atomic_t readers;
74108 + atomic_t writers;
74110 + atomic_t waiting_writers;
74111 unsigned int r_counter;
74112 unsigned int w_counter;
74113 struct page *tmp_page;
74114 diff --git a/include/linux/platform_data/usb-ehci-s5p.h b/include/linux/platform_data/usb-ehci-s5p.h
74115 index 5f28cae..3d23723 100644
74116 --- a/include/linux/platform_data/usb-ehci-s5p.h
74117 +++ b/include/linux/platform_data/usb-ehci-s5p.h
74119 struct s5p_ehci_platdata {
74120 int (*phy_init)(struct platform_device *pdev, int type);
74121 int (*phy_exit)(struct platform_device *pdev, int type);
74125 extern void s5p_ehci_set_platdata(struct s5p_ehci_platdata *pd);
74127 diff --git a/include/linux/platform_data/usb-ohci-exynos.h b/include/linux/platform_data/usb-ohci-exynos.h
74128 index c256c59..8ea94c7 100644
74129 --- a/include/linux/platform_data/usb-ohci-exynos.h
74130 +++ b/include/linux/platform_data/usb-ohci-exynos.h
74132 struct exynos4_ohci_platdata {
74133 int (*phy_init)(struct platform_device *pdev, int type);
74134 int (*phy_exit)(struct platform_device *pdev, int type);
74138 extern void exynos4_ohci_set_platdata(struct exynos4_ohci_platdata *pd);
74140 diff --git a/include/linux/pm_domain.h b/include/linux/pm_domain.h
74141 index 7c1d252..c5c773e 100644
74142 --- a/include/linux/pm_domain.h
74143 +++ b/include/linux/pm_domain.h
74144 @@ -48,7 +48,7 @@ struct gpd_dev_ops {
74146 struct gpd_cpu_data {
74147 unsigned int saved_exit_latency;
74148 - struct cpuidle_state *idle_state;
74149 + cpuidle_state_no_const *idle_state;
74152 struct generic_pm_domain {
74153 diff --git a/include/linux/pm_runtime.h b/include/linux/pm_runtime.h
74154 index 7d7e09e..8671ef8 100644
74155 --- a/include/linux/pm_runtime.h
74156 +++ b/include/linux/pm_runtime.h
74157 @@ -104,7 +104,7 @@ static inline bool pm_runtime_callbacks_present(struct device *dev)
74159 static inline void pm_runtime_mark_last_busy(struct device *dev)
74161 - ACCESS_ONCE(dev->power.last_busy) = jiffies;
74162 + ACCESS_ONCE_RW(dev->power.last_busy) = jiffies;
74165 #else /* !CONFIG_PM_RUNTIME */
74166 diff --git a/include/linux/pnp.h b/include/linux/pnp.h
74167 index 195aafc..49a7bc2 100644
74168 --- a/include/linux/pnp.h
74169 +++ b/include/linux/pnp.h
74170 @@ -297,7 +297,7 @@ static inline void pnp_set_drvdata(struct pnp_dev *pdev, void *data)
74173 void (*quirk_function) (struct pnp_dev * dev); /* fixup function */
74177 /* config parameters */
74178 #define PNP_CONFIG_NORMAL 0x0001
74179 diff --git a/include/linux/poison.h b/include/linux/poison.h
74180 index 2110a81..13a11bb 100644
74181 --- a/include/linux/poison.h
74182 +++ b/include/linux/poison.h
74184 * under normal circumstances, used to verify that nobody uses
74185 * non-initialized list entries.
74187 -#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA)
74188 -#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA)
74189 +#define LIST_POISON1 ((void *) (long)0xFFFFFF01)
74190 +#define LIST_POISON2 ((void *) (long)0xFFFFFF02)
74192 /********** include/linux/timer.h **********/
74194 diff --git a/include/linux/power/smartreflex.h b/include/linux/power/smartreflex.h
74195 index c0f44c2..1572583 100644
74196 --- a/include/linux/power/smartreflex.h
74197 +++ b/include/linux/power/smartreflex.h
74198 @@ -238,7 +238,7 @@ struct omap_sr_class_data {
74199 int (*notify)(struct omap_sr *sr, u32 status);
74206 * struct omap_sr_nvalue_table - Smartreflex n-target value info
74207 diff --git a/include/linux/ppp-comp.h b/include/linux/ppp-comp.h
74208 index 4ea1d37..80f4b33 100644
74209 --- a/include/linux/ppp-comp.h
74210 +++ b/include/linux/ppp-comp.h
74211 @@ -84,7 +84,7 @@ struct compressor {
74212 struct module *owner;
74213 /* Extra skb space needed by the compressor algorithm */
74214 unsigned int comp_extra;
74219 * The return value from decompress routine is the length of the
74220 diff --git a/include/linux/preempt.h b/include/linux/preempt.h
74221 index f5d4723..a6ea2fa 100644
74222 --- a/include/linux/preempt.h
74223 +++ b/include/linux/preempt.h
74225 # define sub_preempt_count(val) do { preempt_count() -= (val); } while (0)
74228 +#define raw_add_preempt_count(val) do { preempt_count() += (val); } while (0)
74229 +#define raw_sub_preempt_count(val) do { preempt_count() -= (val); } while (0)
74231 #define inc_preempt_count() add_preempt_count(1)
74232 +#define raw_inc_preempt_count() raw_add_preempt_count(1)
74233 #define dec_preempt_count() sub_preempt_count(1)
74234 +#define raw_dec_preempt_count() raw_sub_preempt_count(1)
74236 #define preempt_count() (current_thread_info()->preempt_count)
74238 @@ -64,6 +69,12 @@ do { \
74242 +#define raw_preempt_disable() \
74244 + raw_inc_preempt_count(); \
74248 #define sched_preempt_enable_no_resched() \
74251 @@ -72,6 +83,12 @@ do { \
74253 #define preempt_enable_no_resched() sched_preempt_enable_no_resched()
74255 +#define raw_preempt_enable_no_resched() \
74258 + raw_dec_preempt_count(); \
74261 #define preempt_enable() \
74263 preempt_enable_no_resched(); \
74264 @@ -116,8 +133,10 @@ do { \
74267 #define preempt_disable() barrier()
74268 +#define raw_preempt_disable() barrier()
74269 #define sched_preempt_enable_no_resched() barrier()
74270 #define preempt_enable_no_resched() barrier()
74271 +#define raw_preempt_enable_no_resched() barrier()
74272 #define preempt_enable() barrier()
74274 #define preempt_disable_notrace() barrier()
74275 diff --git a/include/linux/printk.h b/include/linux/printk.h
74276 index 22c7052..ad3fa0a 100644
74277 --- a/include/linux/printk.h
74278 +++ b/include/linux/printk.h
74279 @@ -106,6 +106,8 @@ static inline __printf(1, 2) __cold
74280 void early_printk(const char *s, ...) { }
74283 +extern int kptr_restrict;
74285 #ifdef CONFIG_PRINTK
74286 asmlinkage __printf(5, 0)
74287 int vprintk_emit(int facility, int level,
74288 @@ -140,7 +142,6 @@ extern bool printk_timed_ratelimit(unsigned long *caller_jiffies,
74290 extern int printk_delay_msec;
74291 extern int dmesg_restrict;
74292 -extern int kptr_restrict;
74294 extern void wake_up_klogd(void);
74296 diff --git a/include/linux/proc_fs.h b/include/linux/proc_fs.h
74297 index 608e60a..c26f864 100644
74298 --- a/include/linux/proc_fs.h
74299 +++ b/include/linux/proc_fs.h
74300 @@ -34,6 +34,19 @@ static inline struct proc_dir_entry *proc_create(
74301 return proc_create_data(name, mode, parent, proc_fops, NULL);
74304 +static inline struct proc_dir_entry *proc_create_grsec(const char *name, umode_t mode,
74305 + struct proc_dir_entry *parent, const struct file_operations *proc_fops)
74307 +#ifdef CONFIG_GRKERNSEC_PROC_USER
74308 + return proc_create_data(name, S_IRUSR, parent, proc_fops, NULL);
74309 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
74310 + return proc_create_data(name, S_IRUSR | S_IRGRP, parent, proc_fops, NULL);
74312 + return proc_create_data(name, mode, parent, proc_fops, NULL);
74317 extern void proc_set_size(struct proc_dir_entry *, loff_t);
74318 extern void proc_set_user(struct proc_dir_entry *, kuid_t, kgid_t);
74319 extern void *PDE_DATA(const struct inode *);
74320 diff --git a/include/linux/proc_ns.h b/include/linux/proc_ns.h
74321 index 34a1e10..03a6d03 100644
74322 --- a/include/linux/proc_ns.h
74323 +++ b/include/linux/proc_ns.h
74324 @@ -14,7 +14,7 @@ struct proc_ns_operations {
74325 void (*put)(void *ns);
74326 int (*install)(struct nsproxy *nsproxy, void *ns);
74327 unsigned int (*inum)(void *ns);
74333 diff --git a/include/linux/random.h b/include/linux/random.h
74334 index 3b9377d..61b506a 100644
74335 --- a/include/linux/random.h
74336 +++ b/include/linux/random.h
74337 @@ -32,6 +32,11 @@ void prandom_seed(u32 seed);
74338 u32 prandom_u32_state(struct rnd_state *);
74339 void prandom_bytes_state(struct rnd_state *state, void *buf, int nbytes);
74341 +static inline unsigned long pax_get_random_long(void)
74343 + return prandom_u32() + (sizeof(long) > 4 ? (unsigned long)prandom_u32() << 32 : 0);
74347 * Handle minimum values for seeds
74349 diff --git a/include/linux/rculist.h b/include/linux/rculist.h
74350 index f4b1001..8ddb2b6 100644
74351 --- a/include/linux/rculist.h
74352 +++ b/include/linux/rculist.h
74353 @@ -44,6 +44,9 @@ extern void __list_add_rcu(struct list_head *new,
74354 struct list_head *prev, struct list_head *next);
74357 +extern void __pax_list_add_rcu(struct list_head *new,
74358 + struct list_head *prev, struct list_head *next);
74361 * list_add_rcu - add a new entry to rcu-protected list
74362 * @new: new entry to be added
74363 @@ -65,6 +68,11 @@ static inline void list_add_rcu(struct list_head *new, struct list_head *head)
74364 __list_add_rcu(new, head, head->next);
74367 +static inline void pax_list_add_rcu(struct list_head *new, struct list_head *head)
74369 + __pax_list_add_rcu(new, head, head->next);
74373 * list_add_tail_rcu - add a new entry to rcu-protected list
74374 * @new: new entry to be added
74375 @@ -87,6 +95,12 @@ static inline void list_add_tail_rcu(struct list_head *new,
74376 __list_add_rcu(new, head->prev, head);
74379 +static inline void pax_list_add_tail_rcu(struct list_head *new,
74380 + struct list_head *head)
74382 + __pax_list_add_rcu(new, head->prev, head);
74386 * list_del_rcu - deletes entry from list without re-initialization
74387 * @entry: the element to delete from the list.
74388 @@ -117,6 +131,8 @@ static inline void list_del_rcu(struct list_head *entry)
74389 entry->prev = LIST_POISON2;
74392 +extern void pax_list_del_rcu(struct list_head *entry);
74395 * hlist_del_init_rcu - deletes entry from hash list with re-initialization
74396 * @n: the element to delete from the hash list.
74397 diff --git a/include/linux/reboot.h b/include/linux/reboot.h
74398 index 23b3630..e1bc12b 100644
74399 --- a/include/linux/reboot.h
74400 +++ b/include/linux/reboot.h
74401 @@ -18,9 +18,9 @@ extern int unregister_reboot_notifier(struct notifier_block *);
74402 * Architecture-specific implementations of sys_reboot commands.
74405 -extern void machine_restart(char *cmd);
74406 -extern void machine_halt(void);
74407 -extern void machine_power_off(void);
74408 +extern void machine_restart(char *cmd) __noreturn;
74409 +extern void machine_halt(void) __noreturn;
74410 +extern void machine_power_off(void) __noreturn;
74412 extern void machine_shutdown(void);
74414 @@ -31,9 +31,9 @@ extern void machine_crash_shutdown(struct pt_regs *);
74417 extern void kernel_restart_prepare(char *cmd);
74418 -extern void kernel_restart(char *cmd);
74419 -extern void kernel_halt(void);
74420 -extern void kernel_power_off(void);
74421 +extern void kernel_restart(char *cmd) __noreturn;
74422 +extern void kernel_halt(void) __noreturn;
74423 +extern void kernel_power_off(void) __noreturn;
74425 extern int C_A_D; /* for sysctl */
74426 void ctrl_alt_del(void);
74427 @@ -47,7 +47,7 @@ extern int orderly_poweroff(bool force);
74428 * Emergency restart, callable from an interrupt handler.
74431 -extern void emergency_restart(void);
74432 +extern void emergency_restart(void) __noreturn;
74433 #include <asm/emergency-restart.h>
74435 #endif /* _LINUX_REBOOT_H */
74436 diff --git a/include/linux/regset.h b/include/linux/regset.h
74437 index 8e0c9fe..ac4d221 100644
74438 --- a/include/linux/regset.h
74439 +++ b/include/linux/regset.h
74440 @@ -161,7 +161,8 @@ struct user_regset {
74441 unsigned int align;
74443 unsigned int core_note_type;
74446 +typedef struct user_regset __no_const user_regset_no_const;
74449 * struct user_regset_view - available regsets
74450 diff --git a/include/linux/relay.h b/include/linux/relay.h
74451 index d7c8359..818daf5 100644
74452 --- a/include/linux/relay.h
74453 +++ b/include/linux/relay.h
74454 @@ -157,7 +157,7 @@ struct rchan_callbacks
74455 * The callback should return 0 if successful, negative if not.
74457 int (*remove_buf_file)(struct dentry *dentry);
74462 * CONFIG_RELAY kernel API, kernel/relay.c
74463 diff --git a/include/linux/rio.h b/include/linux/rio.h
74464 index 18e0993..8ab5b21 100644
74465 --- a/include/linux/rio.h
74466 +++ b/include/linux/rio.h
74467 @@ -345,7 +345,7 @@ struct rio_ops {
74468 int (*map_inb)(struct rio_mport *mport, dma_addr_t lstart,
74469 u64 rstart, u32 size, u32 flags);
74470 void (*unmap_inb)(struct rio_mport *mport, dma_addr_t lstart);
74474 #define RIO_RESOURCE_MEM 0x00000100
74475 #define RIO_RESOURCE_DOORBELL 0x00000200
74476 diff --git a/include/linux/rmap.h b/include/linux/rmap.h
74477 index 6dacb93..6174423 100644
74478 --- a/include/linux/rmap.h
74479 +++ b/include/linux/rmap.h
74480 @@ -145,8 +145,8 @@ static inline void anon_vma_unlock_read(struct anon_vma *anon_vma)
74481 void anon_vma_init(void); /* create anon_vma_cachep */
74482 int anon_vma_prepare(struct vm_area_struct *);
74483 void unlink_anon_vmas(struct vm_area_struct *);
74484 -int anon_vma_clone(struct vm_area_struct *, struct vm_area_struct *);
74485 -int anon_vma_fork(struct vm_area_struct *, struct vm_area_struct *);
74486 +int anon_vma_clone(struct vm_area_struct *, const struct vm_area_struct *);
74487 +int anon_vma_fork(struct vm_area_struct *, const struct vm_area_struct *);
74489 static inline void anon_vma_merge(struct vm_area_struct *vma,
74490 struct vm_area_struct *next)
74491 diff --git a/include/linux/sched.h b/include/linux/sched.h
74492 index 3aeb14b..73816a6 100644
74493 --- a/include/linux/sched.h
74494 +++ b/include/linux/sched.h
74495 @@ -62,6 +62,7 @@ struct bio_list;
74497 struct perf_event_context;
74499 +struct linux_binprm;
74502 * List of flags we want to share for kernel threads,
74503 @@ -303,7 +304,7 @@ extern char __sched_text_start[], __sched_text_end[];
74504 extern int in_sched_functions(unsigned long addr);
74506 #define MAX_SCHEDULE_TIMEOUT LONG_MAX
74507 -extern signed long schedule_timeout(signed long timeout);
74508 +extern signed long schedule_timeout(signed long timeout) __intentional_overflow(-1);
74509 extern signed long schedule_timeout_interruptible(signed long timeout);
74510 extern signed long schedule_timeout_killable(signed long timeout);
74511 extern signed long schedule_timeout_uninterruptible(signed long timeout);
74512 @@ -314,7 +315,19 @@ struct nsproxy;
74513 struct user_namespace;
74516 -extern unsigned long mmap_legacy_base(void);
74518 +#ifdef CONFIG_GRKERNSEC_RAND_THREADSTACK
74519 +extern unsigned long gr_rand_threadstack_offset(const struct mm_struct *mm, const struct file *filp, unsigned long flags);
74521 +static inline unsigned long gr_rand_threadstack_offset(const struct mm_struct *mm, const struct file *filp, unsigned long flags)
74527 +extern bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len, unsigned long offset);
74528 +extern unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len, unsigned long offset);
74529 +extern unsigned long mmap_legacy_base(struct mm_struct *mm);
74530 extern void arch_pick_mmap_layout(struct mm_struct *mm);
74531 extern unsigned long
74532 arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
74533 @@ -592,6 +605,17 @@ struct signal_struct {
74534 #ifdef CONFIG_TASKSTATS
74535 struct taskstats *stats;
74538 +#ifdef CONFIG_GRKERNSEC
74545 + u8 used_accept:1;
74548 #ifdef CONFIG_AUDIT
74549 unsigned audit_tty;
74550 unsigned audit_tty_log_passwd;
74551 @@ -672,6 +696,14 @@ struct user_struct {
74552 struct key *session_keyring; /* UID's default session keyring */
74555 +#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT
74556 + unsigned char kernel_banned;
74558 +#ifdef CONFIG_GRKERNSEC_BRUTE
74559 + unsigned char suid_banned;
74560 + unsigned long suid_ban_expires;
74563 /* Hash table maintenance information */
74564 struct hlist_node uidhash_node;
74566 @@ -1159,8 +1191,8 @@ struct task_struct {
74567 struct list_head thread_group;
74569 struct completion *vfork_done; /* for vfork() */
74570 - int __user *set_child_tid; /* CLONE_CHILD_SETTID */
74571 - int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
74572 + pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
74573 + pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
74575 cputime_t utime, stime, utimescaled, stimescaled;
74577 @@ -1185,11 +1217,6 @@ struct task_struct {
74578 struct task_cputime cputime_expires;
74579 struct list_head cpu_timers[3];
74581 -/* process credentials */
74582 - const struct cred __rcu *real_cred; /* objective and real subjective task
74583 - * credentials (COW) */
74584 - const struct cred __rcu *cred; /* effective (overridable) subjective task
74585 - * credentials (COW) */
74586 char comm[TASK_COMM_LEN]; /* executable name excluding path
74587 - access with [gs]et_task_comm (which lock
74588 it with task_lock())
74589 @@ -1206,6 +1233,10 @@ struct task_struct {
74591 /* CPU-specific state of this task */
74592 struct thread_struct thread;
74593 +/* thread_info moved to task_struct */
74595 + struct thread_info tinfo;
74597 /* filesystem information */
74598 struct fs_struct *fs;
74599 /* open file information */
74600 @@ -1279,6 +1310,10 @@ struct task_struct {
74601 gfp_t lockdep_reclaim_gfp;
74604 +/* process credentials */
74605 + const struct cred __rcu *real_cred; /* objective and real subjective task
74606 + * credentials (COW) */
74608 /* journalling filesystem info */
74609 void *journal_info;
74611 @@ -1317,6 +1352,10 @@ struct task_struct {
74612 /* cg_list protected by css_set_lock and tsk->alloc_lock */
74613 struct list_head cg_list;
74616 + const struct cred __rcu *cred; /* effective (overridable) subjective task
74617 + * credentials (COW) */
74619 #ifdef CONFIG_FUTEX
74620 struct robust_list_head __user *robust_list;
74621 #ifdef CONFIG_COMPAT
74622 @@ -1417,8 +1456,76 @@ struct task_struct {
74623 unsigned int sequential_io;
74624 unsigned int sequential_io_avg;
74627 +#ifdef CONFIG_GRKERNSEC
74629 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
74632 +#ifdef CONFIG_GRKERNSEC_SETXID
74633 + const struct cred *delayed_cred;
74635 + struct dentry *gr_chroot_dentry;
74636 + struct acl_subject_label *acl;
74637 + struct acl_role_label *role;
74638 + struct file *exec_file;
74639 + unsigned long brute_expires;
74641 + /* is this the task that authenticated to the special role */
74645 + u8 gr_is_chrooted;
74650 +#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
74651 +#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
74652 +#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
74653 +#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
74654 +/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
74655 +#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
74657 +#ifdef CONFIG_PAX_SOFTMODE
74658 +extern int pax_softmode;
74661 +extern int pax_check_flags(unsigned long *);
74663 +/* if tsk != current then task_lock must be held on it */
74664 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
74665 +static inline unsigned long pax_get_flags(struct task_struct *tsk)
74667 + if (likely(tsk->mm))
74668 + return tsk->mm->pax_flags;
74673 +/* if tsk != current then task_lock must be held on it */
74674 +static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
74676 + if (likely(tsk->mm)) {
74677 + tsk->mm->pax_flags = flags;
74684 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
74685 +extern void pax_set_initial_flags(struct linux_binprm *bprm);
74686 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
74687 +extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
74691 +extern char *pax_get_path(const struct path *path, char *buf, int buflen);
74692 +extern void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
74693 +extern void pax_report_insns(struct pt_regs *regs, void *pc, void *sp);
74694 +extern void pax_report_refcount_overflow(struct pt_regs *regs);
74696 /* Future-safe accessor for struct task_struct's cpus_allowed. */
74697 #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
74699 @@ -1477,7 +1584,7 @@ struct pid_namespace;
74700 pid_t __task_pid_nr_ns(struct task_struct *task, enum pid_type type,
74701 struct pid_namespace *ns);
74703 -static inline pid_t task_pid_nr(struct task_struct *tsk)
74704 +static inline pid_t task_pid_nr(const struct task_struct *tsk)
74708 @@ -1920,7 +2027,9 @@ void yield(void);
74709 extern struct exec_domain default_exec_domain;
74711 union thread_union {
74712 +#ifndef CONFIG_X86
74713 struct thread_info thread_info;
74715 unsigned long stack[THREAD_SIZE/sizeof(long)];
74718 @@ -1953,6 +2062,7 @@ extern struct pid_namespace init_pid_ns;
74721 extern struct task_struct *find_task_by_vpid(pid_t nr);
74722 +extern struct task_struct *find_task_by_vpid_unrestricted(pid_t nr);
74723 extern struct task_struct *find_task_by_pid_ns(pid_t nr,
74724 struct pid_namespace *ns);
74726 @@ -2119,7 +2229,7 @@ extern void __cleanup_sighand(struct sighand_struct *);
74727 extern void exit_itimers(struct signal_struct *);
74728 extern void flush_itimer_signals(void);
74730 -extern void do_group_exit(int);
74731 +extern __noreturn void do_group_exit(int);
74733 extern int allow_signal(int);
74734 extern int disallow_signal(int);
74735 @@ -2310,9 +2420,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
74739 -static inline int object_is_on_stack(void *obj)
74740 +static inline int object_starts_on_stack(void *obj)
74742 - void *stack = task_stack_page(current);
74743 + const void *stack = task_stack_page(current);
74745 return (obj >= stack) && (obj < (stack + THREAD_SIZE));
74747 diff --git a/include/linux/sched/sysctl.h b/include/linux/sched/sysctl.h
74748 index bf8086b..962b035 100644
74749 --- a/include/linux/sched/sysctl.h
74750 +++ b/include/linux/sched/sysctl.h
74751 @@ -30,6 +30,7 @@ enum { sysctl_hung_task_timeout_secs = 0 };
74752 #define DEFAULT_MAX_MAP_COUNT (USHRT_MAX - MAPCOUNT_ELF_CORE_MARGIN)
74754 extern int sysctl_max_map_count;
74755 +extern unsigned long sysctl_heap_stack_gap;
74757 extern unsigned int sysctl_sched_latency;
74758 extern unsigned int sysctl_sched_min_granularity;
74759 diff --git a/include/linux/security.h b/include/linux/security.h
74760 index 4686491..2bd210e 100644
74761 --- a/include/linux/security.h
74762 +++ b/include/linux/security.h
74764 #include <linux/capability.h>
74765 #include <linux/slab.h>
74766 #include <linux/err.h>
74767 +#include <linux/grsecurity.h>
74769 struct linux_binprm;
74771 diff --git a/include/linux/seq_file.h b/include/linux/seq_file.h
74772 index 2da29ac..aac448ec 100644
74773 --- a/include/linux/seq_file.h
74774 +++ b/include/linux/seq_file.h
74775 @@ -26,6 +26,9 @@ struct seq_file {
74777 const struct seq_operations *op;
74779 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
74782 #ifdef CONFIG_USER_NS
74783 struct user_namespace *user_ns;
74785 @@ -38,6 +41,7 @@ struct seq_operations {
74786 void * (*next) (struct seq_file *m, void *v, loff_t *pos);
74787 int (*show) (struct seq_file *m, void *v);
74789 +typedef struct seq_operations __no_const seq_operations_no_const;
74793 diff --git a/include/linux/shm.h b/include/linux/shm.h
74794 index 429c199..4d42e38 100644
74795 --- a/include/linux/shm.h
74796 +++ b/include/linux/shm.h
74797 @@ -21,6 +21,10 @@ struct shmid_kernel /* private to the kernel */
74799 /* The task created the shm object. NULL if the task is dead. */
74800 struct task_struct *shm_creator;
74801 +#ifdef CONFIG_GRKERNSEC
74802 + time_t shm_createtime;
74807 /* shm_mode upper byte flags */
74808 diff --git a/include/linux/signal.h b/include/linux/signal.h
74809 index d897484..323ba98 100644
74810 --- a/include/linux/signal.h
74811 +++ b/include/linux/signal.h
74812 @@ -433,6 +433,7 @@ void signals_init(void);
74814 int restore_altstack(const stack_t __user *);
74815 int __save_altstack(stack_t __user *, unsigned long);
74816 +void __save_altstack_ex(stack_t __user *, unsigned long);
74818 #ifdef CONFIG_PROC_FS
74820 diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
74821 index dec1748..112c1f9 100644
74822 --- a/include/linux/skbuff.h
74823 +++ b/include/linux/skbuff.h
74824 @@ -640,7 +640,7 @@ extern bool skb_try_coalesce(struct sk_buff *to, struct sk_buff *from,
74825 extern struct sk_buff *__alloc_skb(unsigned int size,
74826 gfp_t priority, int flags, int node);
74827 extern struct sk_buff *build_skb(void *data, unsigned int frag_size);
74828 -static inline struct sk_buff *alloc_skb(unsigned int size,
74829 +static inline struct sk_buff * __intentional_overflow(0) alloc_skb(unsigned int size,
74832 return __alloc_skb(size, priority, 0, NUMA_NO_NODE);
74833 @@ -756,7 +756,7 @@ static inline struct skb_shared_hwtstamps *skb_hwtstamps(struct sk_buff *skb)
74835 static inline int skb_queue_empty(const struct sk_buff_head *list)
74837 - return list->next == (struct sk_buff *)list;
74838 + return list->next == (const struct sk_buff *)list;
74842 @@ -769,7 +769,7 @@ static inline int skb_queue_empty(const struct sk_buff_head *list)
74843 static inline bool skb_queue_is_last(const struct sk_buff_head *list,
74844 const struct sk_buff *skb)
74846 - return skb->next == (struct sk_buff *)list;
74847 + return skb->next == (const struct sk_buff *)list;
74851 @@ -782,7 +782,7 @@ static inline bool skb_queue_is_last(const struct sk_buff_head *list,
74852 static inline bool skb_queue_is_first(const struct sk_buff_head *list,
74853 const struct sk_buff *skb)
74855 - return skb->prev == (struct sk_buff *)list;
74856 + return skb->prev == (const struct sk_buff *)list;
74860 @@ -1848,7 +1848,7 @@ static inline int pskb_network_may_pull(struct sk_buff *skb, unsigned int len)
74861 * NET_IP_ALIGN(2) + ethernet_header(14) + IP_header(20/40) + ports(8)
74863 #ifndef NET_SKB_PAD
74864 -#define NET_SKB_PAD max(32, L1_CACHE_BYTES)
74865 +#define NET_SKB_PAD max(_AC(32,UL), L1_CACHE_BYTES)
74868 extern int ___pskb_trim(struct sk_buff *skb, unsigned int len);
74869 @@ -2443,7 +2443,7 @@ extern struct sk_buff *skb_recv_datagram(struct sock *sk, unsigned flags,
74870 int noblock, int *err);
74871 extern unsigned int datagram_poll(struct file *file, struct socket *sock,
74872 struct poll_table_struct *wait);
74873 -extern int skb_copy_datagram_iovec(const struct sk_buff *from,
74874 +extern int __intentional_overflow(0) skb_copy_datagram_iovec(const struct sk_buff *from,
74875 int offset, struct iovec *to,
74877 extern int skb_copy_and_csum_datagram_iovec(struct sk_buff *skb,
74878 @@ -2733,6 +2733,9 @@ static inline void nf_reset(struct sk_buff *skb)
74879 nf_bridge_put(skb->nf_bridge);
74880 skb->nf_bridge = NULL;
74882 +#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
74883 + skb->nf_trace = 0;
74887 static inline void nf_reset_trace(struct sk_buff *skb)
74888 diff --git a/include/linux/slab.h b/include/linux/slab.h
74889 index 0c62175..f016ac1 100644
74890 --- a/include/linux/slab.h
74891 +++ b/include/linux/slab.h
74892 @@ -12,15 +12,29 @@
74893 #include <linux/gfp.h>
74894 #include <linux/types.h>
74895 #include <linux/workqueue.h>
74897 +#include <linux/err.h>
74900 * Flags to pass to kmem_cache_create().
74901 * The ones marked DEBUG are only valid if CONFIG_SLAB_DEBUG is set.
74903 #define SLAB_DEBUG_FREE 0x00000100UL /* DEBUG: Perform (expensive) checks on free */
74905 +#ifdef CONFIG_PAX_USERCOPY_SLABS
74906 +#define SLAB_USERCOPY 0x00000200UL /* PaX: Allow copying objs to/from userland */
74908 +#define SLAB_USERCOPY 0x00000000UL
74911 #define SLAB_RED_ZONE 0x00000400UL /* DEBUG: Red zone objs in a cache */
74912 #define SLAB_POISON 0x00000800UL /* DEBUG: Poison objects */
74914 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
74915 +#define SLAB_NO_SANITIZE 0x00001000UL /* PaX: Do not sanitize objs on free */
74917 +#define SLAB_NO_SANITIZE 0x00000000UL
74920 #define SLAB_HWCACHE_ALIGN 0x00002000UL /* Align objs on cache lines */
74921 #define SLAB_CACHE_DMA 0x00004000UL /* Use GFP_DMA memory */
74922 #define SLAB_STORE_USER 0x00010000UL /* DEBUG: Store the last owner for bug hunting */
74923 @@ -89,10 +103,13 @@
74924 * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
74925 * Both make kfree a no-op.
74927 -#define ZERO_SIZE_PTR ((void *)16)
74928 +#define ZERO_SIZE_PTR \
74930 + BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK));\
74931 + (void *)(-MAX_ERRNO-1L); \
74934 -#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
74935 - (unsigned long)ZERO_SIZE_PTR)
74936 +#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1)
74940 @@ -132,6 +149,8 @@ void * __must_check krealloc(const void *, size_t, gfp_t);
74941 void kfree(const void *);
74942 void kzfree(const void *);
74943 size_t ksize(const void *);
74944 +const char *check_heap_object(const void *ptr, unsigned long n);
74945 +bool is_usercopy_object(const void *ptr);
74948 * Some archs want to perform DMA into kmalloc caches and need a guaranteed
74949 @@ -164,7 +183,7 @@ struct kmem_cache {
74950 unsigned int align; /* Alignment as calculated */
74951 unsigned long flags; /* Active flags on the slab */
74952 const char *name; /* Slab name for sysfs */
74953 - int refcount; /* Use counter */
74954 + atomic_t refcount; /* Use counter */
74955 void (*ctor)(void *); /* Called on object slot creation */
74956 struct list_head list; /* List of all slab caches on the system */
74958 @@ -226,6 +245,10 @@ extern struct kmem_cache *kmalloc_caches[KMALLOC_SHIFT_HIGH + 1];
74959 extern struct kmem_cache *kmalloc_dma_caches[KMALLOC_SHIFT_HIGH + 1];
74962 +#ifdef CONFIG_PAX_USERCOPY_SLABS
74963 +extern struct kmem_cache *kmalloc_usercopy_caches[KMALLOC_SHIFT_HIGH + 1];
74967 * Figure out which kmalloc slab an allocation of a certain size
74969 @@ -234,7 +257,7 @@ extern struct kmem_cache *kmalloc_dma_caches[KMALLOC_SHIFT_HIGH + 1];
74970 * 2 = 120 .. 192 bytes
74971 * n = 2^(n-1) .. 2^n -1
74973 -static __always_inline int kmalloc_index(size_t size)
74974 +static __always_inline __size_overflow(1) int kmalloc_index(size_t size)
74978 @@ -406,6 +429,7 @@ void print_slabinfo_header(struct seq_file *m);
74979 * for general use, and so are not documented here. For a full list of
74980 * potential flags, always refer to linux/gfp.h.
74983 static inline void *kmalloc_array(size_t n, size_t size, gfp_t flags)
74985 if (size != 0 && n > SIZE_MAX / size)
74986 @@ -465,7 +489,7 @@ static inline void *kmem_cache_alloc_node(struct kmem_cache *cachep,
74987 #if defined(CONFIG_DEBUG_SLAB) || defined(CONFIG_SLUB) || \
74988 (defined(CONFIG_SLAB) && defined(CONFIG_TRACING)) || \
74989 (defined(CONFIG_SLOB) && defined(CONFIG_TRACING))
74990 -extern void *__kmalloc_track_caller(size_t, gfp_t, unsigned long);
74991 +extern void *__kmalloc_track_caller(size_t, gfp_t, unsigned long) __size_overflow(1);
74992 #define kmalloc_track_caller(size, flags) \
74993 __kmalloc_track_caller(size, flags, _RET_IP_)
74995 @@ -485,7 +509,7 @@ extern void *__kmalloc_track_caller(size_t, gfp_t, unsigned long);
74996 #if defined(CONFIG_DEBUG_SLAB) || defined(CONFIG_SLUB) || \
74997 (defined(CONFIG_SLAB) && defined(CONFIG_TRACING)) || \
74998 (defined(CONFIG_SLOB) && defined(CONFIG_TRACING))
74999 -extern void *__kmalloc_node_track_caller(size_t, gfp_t, int, unsigned long);
75000 +extern void *__kmalloc_node_track_caller(size_t, gfp_t, int, unsigned long) __size_overflow(1);
75001 #define kmalloc_node_track_caller(size, flags, node) \
75002 __kmalloc_node_track_caller(size, flags, node, \
75004 diff --git a/include/linux/slab_def.h b/include/linux/slab_def.h
75005 index cd40158..4e2f7af 100644
75006 --- a/include/linux/slab_def.h
75007 +++ b/include/linux/slab_def.h
75008 @@ -50,7 +50,7 @@ struct kmem_cache {
75009 /* 4) cache creation/removal */
75011 struct list_head list;
75013 + atomic_t refcount;
75017 @@ -66,10 +66,14 @@ struct kmem_cache {
75018 unsigned long node_allocs;
75019 unsigned long node_frees;
75020 unsigned long node_overflow;
75021 - atomic_t allochit;
75022 - atomic_t allocmiss;
75023 - atomic_t freehit;
75024 - atomic_t freemiss;
75025 + atomic_unchecked_t allochit;
75026 + atomic_unchecked_t allocmiss;
75027 + atomic_unchecked_t freehit;
75028 + atomic_unchecked_t freemiss;
75029 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
75030 + atomic_unchecked_t sanitized;
75031 + atomic_unchecked_t not_sanitized;
75035 * If debugging is enabled, then the allocator can add additional
75036 @@ -103,7 +107,7 @@ struct kmem_cache {
75039 void *kmem_cache_alloc(struct kmem_cache *, gfp_t);
75040 -void *__kmalloc(size_t size, gfp_t flags);
75041 +void *__kmalloc(size_t size, gfp_t flags) __size_overflow(1);
75043 #ifdef CONFIG_TRACING
75044 extern void *kmem_cache_alloc_trace(struct kmem_cache *, gfp_t, size_t);
75045 @@ -136,6 +140,13 @@ static __always_inline void *kmalloc(size_t size, gfp_t flags)
75046 cachep = kmalloc_dma_caches[i];
75050 +#ifdef CONFIG_PAX_USERCOPY_SLABS
75051 + if (flags & GFP_USERCOPY)
75052 + cachep = kmalloc_usercopy_caches[i];
75056 cachep = kmalloc_caches[i];
75058 ret = kmem_cache_alloc_trace(cachep, flags, size);
75059 @@ -146,7 +157,7 @@ static __always_inline void *kmalloc(size_t size, gfp_t flags)
75063 -extern void *__kmalloc_node(size_t size, gfp_t flags, int node);
75064 +extern void *__kmalloc_node(size_t size, gfp_t flags, int node) __size_overflow(1);
75065 extern void *kmem_cache_alloc_node(struct kmem_cache *, gfp_t flags, int node);
75067 #ifdef CONFIG_TRACING
75068 @@ -185,6 +196,13 @@ static __always_inline void *kmalloc_node(size_t size, gfp_t flags, int node)
75069 cachep = kmalloc_dma_caches[i];
75073 +#ifdef CONFIG_PAX_USERCOPY_SLABS
75074 + if (flags & GFP_USERCOPY)
75075 + cachep = kmalloc_usercopy_caches[i];
75079 cachep = kmalloc_caches[i];
75081 return kmem_cache_alloc_node_trace(cachep, flags, node, size);
75082 diff --git a/include/linux/slob_def.h b/include/linux/slob_def.h
75083 index f28e14a..7831211 100644
75084 --- a/include/linux/slob_def.h
75085 +++ b/include/linux/slob_def.h
75086 @@ -11,7 +11,7 @@ static __always_inline void *kmem_cache_alloc(struct kmem_cache *cachep,
75087 return kmem_cache_alloc_node(cachep, flags, NUMA_NO_NODE);
75090 -void *__kmalloc_node(size_t size, gfp_t flags, int node);
75091 +void *__kmalloc_node(size_t size, gfp_t flags, int node) __size_overflow(1);
75093 static __always_inline void *kmalloc_node(size_t size, gfp_t flags, int node)
75095 @@ -31,7 +31,7 @@ static __always_inline void *kmalloc(size_t size, gfp_t flags)
75096 return __kmalloc_node(size, flags, NUMA_NO_NODE);
75099 -static __always_inline void *__kmalloc(size_t size, gfp_t flags)
75100 +static __always_inline __size_overflow(1) void *__kmalloc(size_t size, gfp_t flags)
75102 return kmalloc(size, flags);
75104 diff --git a/include/linux/slub_def.h b/include/linux/slub_def.h
75105 index 027276f..092bfe8 100644
75106 --- a/include/linux/slub_def.h
75107 +++ b/include/linux/slub_def.h
75108 @@ -80,7 +80,7 @@ struct kmem_cache {
75109 struct kmem_cache_order_objects max;
75110 struct kmem_cache_order_objects min;
75111 gfp_t allocflags; /* gfp flags to use on each alloc */
75112 - int refcount; /* Refcount for slab cache destroy */
75113 + atomic_t refcount; /* Refcount for slab cache destroy */
75114 void (*ctor)(void *);
75115 int inuse; /* Offset to metadata */
75116 int align; /* Alignment */
75117 @@ -105,7 +105,7 @@ struct kmem_cache {
75120 void *kmem_cache_alloc(struct kmem_cache *, gfp_t);
75121 -void *__kmalloc(size_t size, gfp_t flags);
75122 +void *__kmalloc(size_t size, gfp_t flags) __alloc_size(1) __size_overflow(1);
75124 static __always_inline void *
75125 kmalloc_order(size_t size, gfp_t flags, unsigned int order)
75126 @@ -149,7 +149,7 @@ kmalloc_order_trace(size_t size, gfp_t flags, unsigned int order)
75130 -static __always_inline void *kmalloc_large(size_t size, gfp_t flags)
75131 +static __always_inline __size_overflow(1) void *kmalloc_large(size_t size, gfp_t flags)
75133 unsigned int order = get_order(size);
75134 return kmalloc_order_trace(size, flags, order);
75135 @@ -175,7 +175,7 @@ static __always_inline void *kmalloc(size_t size, gfp_t flags)
75139 -void *__kmalloc_node(size_t size, gfp_t flags, int node);
75140 +void *__kmalloc_node(size_t size, gfp_t flags, int node) __size_overflow(1);
75141 void *kmem_cache_alloc_node(struct kmem_cache *, gfp_t flags, int node);
75143 #ifdef CONFIG_TRACING
75144 diff --git a/include/linux/smp.h b/include/linux/smp.h
75145 index c848876..11e8a84 100644
75146 --- a/include/linux/smp.h
75147 +++ b/include/linux/smp.h
75148 @@ -221,7 +221,9 @@ static inline void kick_all_cpus_sync(void) { }
75151 #define get_cpu() ({ preempt_disable(); smp_processor_id(); })
75152 +#define raw_get_cpu() ({ raw_preempt_disable(); raw_smp_processor_id(); })
75153 #define put_cpu() preempt_enable()
75154 +#define raw_put_cpu_no_resched() raw_preempt_enable_no_resched()
75157 * Callback to arch code if there's nosmp or maxcpus=0 on the
75158 diff --git a/include/linux/sock_diag.h b/include/linux/sock_diag.h
75159 index 54f91d3..be2c379 100644
75160 --- a/include/linux/sock_diag.h
75161 +++ b/include/linux/sock_diag.h
75162 @@ -11,7 +11,7 @@ struct sock;
75163 struct sock_diag_handler {
75165 int (*dump)(struct sk_buff *skb, struct nlmsghdr *nlh);
75169 int sock_diag_register(const struct sock_diag_handler *h);
75170 void sock_diag_unregister(const struct sock_diag_handler *h);
75171 diff --git a/include/linux/sonet.h b/include/linux/sonet.h
75172 index 680f9a3..f13aeb0 100644
75173 --- a/include/linux/sonet.h
75174 +++ b/include/linux/sonet.h
75176 #include <uapi/linux/sonet.h>
75178 struct k_sonet_stats {
75179 -#define __HANDLE_ITEM(i) atomic_t i
75180 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
75182 #undef __HANDLE_ITEM
75184 diff --git a/include/linux/sunrpc/addr.h b/include/linux/sunrpc/addr.h
75185 index 07d8e53..dc934c9 100644
75186 --- a/include/linux/sunrpc/addr.h
75187 +++ b/include/linux/sunrpc/addr.h
75188 @@ -23,9 +23,9 @@ static inline unsigned short rpc_get_port(const struct sockaddr *sap)
75190 switch (sap->sa_family) {
75192 - return ntohs(((struct sockaddr_in *)sap)->sin_port);
75193 + return ntohs(((const struct sockaddr_in *)sap)->sin_port);
75195 - return ntohs(((struct sockaddr_in6 *)sap)->sin6_port);
75196 + return ntohs(((const struct sockaddr_in6 *)sap)->sin6_port);
75200 @@ -58,7 +58,7 @@ static inline bool __rpc_cmp_addr4(const struct sockaddr *sap1,
75201 static inline bool __rpc_copy_addr4(struct sockaddr *dst,
75202 const struct sockaddr *src)
75204 - const struct sockaddr_in *ssin = (struct sockaddr_in *) src;
75205 + const struct sockaddr_in *ssin = (const struct sockaddr_in *) src;
75206 struct sockaddr_in *dsin = (struct sockaddr_in *) dst;
75208 dsin->sin_family = ssin->sin_family;
75209 @@ -164,7 +164,7 @@ static inline u32 rpc_get_scope_id(const struct sockaddr *sa)
75210 if (sa->sa_family != AF_INET6)
75213 - return ((struct sockaddr_in6 *) sa)->sin6_scope_id;
75214 + return ((const struct sockaddr_in6 *) sa)->sin6_scope_id;
75217 #endif /* _LINUX_SUNRPC_ADDR_H */
75218 diff --git a/include/linux/sunrpc/clnt.h b/include/linux/sunrpc/clnt.h
75219 index bfe11be..12bc8c4 100644
75220 --- a/include/linux/sunrpc/clnt.h
75221 +++ b/include/linux/sunrpc/clnt.h
75222 @@ -96,7 +96,7 @@ struct rpc_procinfo {
75223 unsigned int p_timer; /* Which RTT timer to use */
75224 u32 p_statidx; /* Which procedure to account */
75225 const char * p_name; /* name of procedure */
75231 diff --git a/include/linux/sunrpc/svc.h b/include/linux/sunrpc/svc.h
75232 index 1f0216b..6a4fa50 100644
75233 --- a/include/linux/sunrpc/svc.h
75234 +++ b/include/linux/sunrpc/svc.h
75235 @@ -411,7 +411,7 @@ struct svc_procedure {
75236 unsigned int pc_count; /* call count */
75237 unsigned int pc_cachetype; /* cache info (NFS) */
75238 unsigned int pc_xdrressize; /* maximum size of XDR reply */
75243 * Function prototypes.
75244 diff --git a/include/linux/sunrpc/svc_rdma.h b/include/linux/sunrpc/svc_rdma.h
75245 index 0b8e3e6..33e0a01 100644
75246 --- a/include/linux/sunrpc/svc_rdma.h
75247 +++ b/include/linux/sunrpc/svc_rdma.h
75248 @@ -53,15 +53,15 @@ extern unsigned int svcrdma_ord;
75249 extern unsigned int svcrdma_max_requests;
75250 extern unsigned int svcrdma_max_req_size;
75252 -extern atomic_t rdma_stat_recv;
75253 -extern atomic_t rdma_stat_read;
75254 -extern atomic_t rdma_stat_write;
75255 -extern atomic_t rdma_stat_sq_starve;
75256 -extern atomic_t rdma_stat_rq_starve;
75257 -extern atomic_t rdma_stat_rq_poll;
75258 -extern atomic_t rdma_stat_rq_prod;
75259 -extern atomic_t rdma_stat_sq_poll;
75260 -extern atomic_t rdma_stat_sq_prod;
75261 +extern atomic_unchecked_t rdma_stat_recv;
75262 +extern atomic_unchecked_t rdma_stat_read;
75263 +extern atomic_unchecked_t rdma_stat_write;
75264 +extern atomic_unchecked_t rdma_stat_sq_starve;
75265 +extern atomic_unchecked_t rdma_stat_rq_starve;
75266 +extern atomic_unchecked_t rdma_stat_rq_poll;
75267 +extern atomic_unchecked_t rdma_stat_rq_prod;
75268 +extern atomic_unchecked_t rdma_stat_sq_poll;
75269 +extern atomic_unchecked_t rdma_stat_sq_prod;
75271 #define RPCRDMA_VERSION 1
75273 diff --git a/include/linux/sunrpc/svcauth.h b/include/linux/sunrpc/svcauth.h
75274 index ff374ab..7fd2ecb 100644
75275 --- a/include/linux/sunrpc/svcauth.h
75276 +++ b/include/linux/sunrpc/svcauth.h
75277 @@ -109,7 +109,7 @@ struct auth_ops {
75278 int (*release)(struct svc_rqst *rq);
75279 void (*domain_release)(struct auth_domain *);
75280 int (*set_client)(struct svc_rqst *rq);
75284 #define SVC_GARBAGE 1
75285 #define SVC_SYSERR 2
75286 diff --git a/include/linux/swiotlb.h b/include/linux/swiotlb.h
75287 index a5ffd32..0935dea 100644
75288 --- a/include/linux/swiotlb.h
75289 +++ b/include/linux/swiotlb.h
75290 @@ -60,7 +60,8 @@ extern void
75293 swiotlb_free_coherent(struct device *hwdev, size_t size,
75294 - void *vaddr, dma_addr_t dma_handle);
75295 + void *vaddr, dma_addr_t dma_handle,
75296 + struct dma_attrs *attrs);
75298 extern dma_addr_t swiotlb_map_page(struct device *dev, struct page *page,
75299 unsigned long offset, size_t size,
75300 diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
75301 index 84662ec..d8f8adb 100644
75302 --- a/include/linux/syscalls.h
75303 +++ b/include/linux/syscalls.h
75304 @@ -97,8 +97,12 @@ struct sigaltstack;
75305 #define __MAP(n,...) __MAP##n(__VA_ARGS__)
75307 #define __SC_DECL(t, a) t a
75308 -#define __TYPE_IS_LL(t) (__same_type((t)0, 0LL) || __same_type((t)0, 0ULL))
75309 -#define __SC_LONG(t, a) __typeof(__builtin_choose_expr(__TYPE_IS_LL(t), 0LL, 0L)) a
75310 +#define __TYPE_IS_SL(t) (__same_type((t)0, 0L))
75311 +#define __TYPE_IS_UL(t) (__same_type((t)0, 0UL))
75312 +#define __TYPE_IS_SLL(t) (__same_type((t)0, 0LL))
75313 +#define __TYPE_IS_ULL(t) (__same_type((t)0, 0ULL))
75314 +#define __TYPE_IS_LL(t) (__TYPE_IS_SLL(t) || __TYPE_IS_ULL(t))
75315 +#define __SC_LONG(t, a) __typeof(__builtin_choose_expr(__TYPE_IS_LL(t), __builtin_choose_expr(__TYPE_IS_ULL(t), 0ULL, 0LL), __builtin_choose_expr(__TYPE_IS_UL(t), 0UL, 0L))) a
75316 #define __SC_CAST(t, a) (t) a
75317 #define __SC_ARGS(t, a) a
75318 #define __SC_TEST(t, a) (void)BUILD_BUG_ON_ZERO(!__TYPE_IS_LL(t) && sizeof(t) > sizeof(long))
75319 @@ -362,11 +366,11 @@ asmlinkage long sys_sync(void);
75320 asmlinkage long sys_fsync(unsigned int fd);
75321 asmlinkage long sys_fdatasync(unsigned int fd);
75322 asmlinkage long sys_bdflush(int func, long data);
75323 -asmlinkage long sys_mount(char __user *dev_name, char __user *dir_name,
75324 - char __user *type, unsigned long flags,
75325 +asmlinkage long sys_mount(const char __user *dev_name, const char __user *dir_name,
75326 + const char __user *type, unsigned long flags,
75327 void __user *data);
75328 -asmlinkage long sys_umount(char __user *name, int flags);
75329 -asmlinkage long sys_oldumount(char __user *name);
75330 +asmlinkage long sys_umount(const char __user *name, int flags);
75331 +asmlinkage long sys_oldumount(const char __user *name);
75332 asmlinkage long sys_truncate(const char __user *path, long length);
75333 asmlinkage long sys_ftruncate(unsigned int fd, unsigned long length);
75334 asmlinkage long sys_stat(const char __user *filename,
75335 @@ -578,7 +582,7 @@ asmlinkage long sys_getsockname(int, struct sockaddr __user *, int __user *);
75336 asmlinkage long sys_getpeername(int, struct sockaddr __user *, int __user *);
75337 asmlinkage long sys_send(int, void __user *, size_t, unsigned);
75338 asmlinkage long sys_sendto(int, void __user *, size_t, unsigned,
75339 - struct sockaddr __user *, int);
75340 + struct sockaddr __user *, int) __intentional_overflow(0);
75341 asmlinkage long sys_sendmsg(int fd, struct msghdr __user *msg, unsigned flags);
75342 asmlinkage long sys_sendmmsg(int fd, struct mmsghdr __user *msg,
75343 unsigned int vlen, unsigned flags);
75344 diff --git a/include/linux/syscore_ops.h b/include/linux/syscore_ops.h
75345 index 27b3b0b..e093dd9 100644
75346 --- a/include/linux/syscore_ops.h
75347 +++ b/include/linux/syscore_ops.h
75348 @@ -16,7 +16,7 @@ struct syscore_ops {
75349 int (*suspend)(void);
75350 void (*resume)(void);
75351 void (*shutdown)(void);
75355 extern void register_syscore_ops(struct syscore_ops *ops);
75356 extern void unregister_syscore_ops(struct syscore_ops *ops);
75357 diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
75358 index 14a8ff2..af52bad 100644
75359 --- a/include/linux/sysctl.h
75360 +++ b/include/linux/sysctl.h
75361 @@ -34,13 +34,13 @@ struct ctl_table_root;
75362 struct ctl_table_header;
75365 -typedef struct ctl_table ctl_table;
75367 typedef int proc_handler (struct ctl_table *ctl, int write,
75368 void __user *buffer, size_t *lenp, loff_t *ppos);
75370 extern int proc_dostring(struct ctl_table *, int,
75371 void __user *, size_t *, loff_t *);
75372 +extern int proc_dostring_modpriv(struct ctl_table *, int,
75373 + void __user *, size_t *, loff_t *);
75374 extern int proc_dointvec(struct ctl_table *, int,
75375 void __user *, size_t *, loff_t *);
75376 extern int proc_dointvec_minmax(struct ctl_table *, int,
75377 @@ -115,7 +115,9 @@ struct ctl_table
75378 struct ctl_table_poll *poll;
75383 +typedef struct ctl_table __no_const ctl_table_no_const;
75384 +typedef struct ctl_table ctl_table;
75387 struct rb_node node;
75388 diff --git a/include/linux/sysfs.h b/include/linux/sysfs.h
75389 index e2cee22..3ddb921 100644
75390 --- a/include/linux/sysfs.h
75391 +++ b/include/linux/sysfs.h
75392 @@ -31,7 +31,8 @@ struct attribute {
75393 struct lock_class_key *key;
75394 struct lock_class_key skey;
75398 +typedef struct attribute __no_const attribute_no_const;
75401 * sysfs_attr_init - initialize a dynamically allocated sysfs attribute
75402 @@ -59,8 +60,8 @@ struct attribute_group {
75403 umode_t (*is_visible)(struct kobject *,
75404 struct attribute *, int);
75405 struct attribute **attrs;
75409 +typedef struct attribute_group __no_const attribute_group_no_const;
75413 @@ -107,7 +108,8 @@ struct bin_attribute {
75414 char *, loff_t, size_t);
75415 int (*mmap)(struct file *, struct kobject *, struct bin_attribute *attr,
75416 struct vm_area_struct *vma);
75419 +typedef struct bin_attribute __no_const bin_attribute_no_const;
75422 * sysfs_bin_attr_init - initialize a dynamically allocated bin_attribute
75423 diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h
75424 index 7faf933..9b85a0c 100644
75425 --- a/include/linux/sysrq.h
75426 +++ b/include/linux/sysrq.h
75429 #include <linux/errno.h>
75430 #include <linux/types.h>
75431 +#include <linux/compiler.h>
75433 /* Enable/disable SYSRQ support by default (0==no, 1==yes). */
75434 #define SYSRQ_DEFAULT_ENABLE 1
75435 @@ -36,7 +37,7 @@ struct sysrq_key_op {
75442 #ifdef CONFIG_MAGIC_SYSRQ
75444 diff --git a/include/linux/thread_info.h b/include/linux/thread_info.h
75445 index e7e0473..7989295 100644
75446 --- a/include/linux/thread_info.h
75447 +++ b/include/linux/thread_info.h
75448 @@ -148,6 +148,15 @@ static inline bool test_and_clear_restore_sigmask(void)
75449 #error "no set_restore_sigmask() provided and default one won't work"
75452 +extern void __check_object_size(const void *ptr, unsigned long n, bool to_user);
75453 +static inline void check_object_size(const void *ptr, unsigned long n, bool to_user)
75455 +#ifndef CONFIG_PAX_USERCOPY_DEBUG
75456 + if (!__builtin_constant_p(n))
75458 + __check_object_size(ptr, n, to_user);
75461 #endif /* __KERNEL__ */
75463 #endif /* _LINUX_THREAD_INFO_H */
75464 diff --git a/include/linux/tty.h b/include/linux/tty.h
75465 index 8780bd2..d1ae08b 100644
75466 --- a/include/linux/tty.h
75467 +++ b/include/linux/tty.h
75468 @@ -194,7 +194,7 @@ struct tty_port {
75469 const struct tty_port_operations *ops; /* Port operations */
75470 spinlock_t lock; /* Lock protecting tty field */
75471 int blocked_open; /* Waiting to open */
75472 - int count; /* Usage count */
75473 + atomic_t count; /* Usage count */
75474 wait_queue_head_t open_wait; /* Open waiters */
75475 wait_queue_head_t close_wait; /* Close waiters */
75476 wait_queue_head_t delta_msr_wait; /* Modem status change */
75477 @@ -550,7 +550,7 @@ extern int tty_port_open(struct tty_port *port,
75478 struct tty_struct *tty, struct file *filp);
75479 static inline int tty_port_users(struct tty_port *port)
75481 - return port->count + port->blocked_open;
75482 + return atomic_read(&port->count) + port->blocked_open;
75485 extern int tty_register_ldisc(int disc, struct tty_ldisc_ops *new_ldisc);
75486 diff --git a/include/linux/tty_driver.h b/include/linux/tty_driver.h
75487 index 756a609..b302dd6 100644
75488 --- a/include/linux/tty_driver.h
75489 +++ b/include/linux/tty_driver.h
75490 @@ -285,7 +285,7 @@ struct tty_operations {
75491 void (*poll_put_char)(struct tty_driver *driver, int line, char ch);
75493 const struct file_operations *proc_fops;
75497 struct tty_driver {
75498 int magic; /* magic number for this structure */
75499 diff --git a/include/linux/tty_ldisc.h b/include/linux/tty_ldisc.h
75500 index 58390c7..95e214c 100644
75501 --- a/include/linux/tty_ldisc.h
75502 +++ b/include/linux/tty_ldisc.h
75503 @@ -146,7 +146,7 @@ struct tty_ldisc_ops {
75505 struct module *owner;
75508 + atomic_t refcount;
75512 diff --git a/include/linux/types.h b/include/linux/types.h
75513 index 4d118ba..c3ee9bf 100644
75514 --- a/include/linux/types.h
75515 +++ b/include/linux/types.h
75516 @@ -176,10 +176,26 @@ typedef struct {
75520 +#ifdef CONFIG_PAX_REFCOUNT
75523 +} atomic_unchecked_t;
75525 +typedef atomic_t atomic_unchecked_t;
75528 #ifdef CONFIG_64BIT
75533 +#ifdef CONFIG_PAX_REFCOUNT
75536 +} atomic64_unchecked_t;
75538 +typedef atomic64_t atomic64_unchecked_t;
75543 diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h
75544 index 5ca0951..ab496a5 100644
75545 --- a/include/linux/uaccess.h
75546 +++ b/include/linux/uaccess.h
75547 @@ -76,11 +76,11 @@ static inline unsigned long __copy_from_user_nocache(void *to,
75549 mm_segment_t old_fs = get_fs(); \
75551 - set_fs(KERNEL_DS); \
75552 pagefault_disable(); \
75553 - ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
75554 - pagefault_enable(); \
75555 + set_fs(KERNEL_DS); \
75556 + ret = __copy_from_user_inatomic(&(retval), (typeof(retval) __force_user *)(addr), sizeof(retval)); \
75558 + pagefault_enable(); \
75562 diff --git a/include/linux/uidgid.h b/include/linux/uidgid.h
75563 index 8e522cbc..aa8572d 100644
75564 --- a/include/linux/uidgid.h
75565 +++ b/include/linux/uidgid.h
75566 @@ -197,4 +197,9 @@ static inline bool kgid_has_mapping(struct user_namespace *ns, kgid_t gid)
75568 #endif /* CONFIG_USER_NS */
75570 +#define GR_GLOBAL_UID(x) from_kuid_munged(&init_user_ns, (x))
75571 +#define GR_GLOBAL_GID(x) from_kgid_munged(&init_user_ns, (x))
75572 +#define gr_is_global_root(x) uid_eq((x), GLOBAL_ROOT_UID)
75573 +#define gr_is_global_nonroot(x) (!uid_eq((x), GLOBAL_ROOT_UID))
75575 #endif /* _LINUX_UIDGID_H */
75576 diff --git a/include/linux/unaligned/access_ok.h b/include/linux/unaligned/access_ok.h
75577 index 99c1b4d..562e6f3 100644
75578 --- a/include/linux/unaligned/access_ok.h
75579 +++ b/include/linux/unaligned/access_ok.h
75581 #include <linux/kernel.h>
75582 #include <asm/byteorder.h>
75584 -static inline u16 get_unaligned_le16(const void *p)
75585 +static inline u16 __intentional_overflow(-1) get_unaligned_le16(const void *p)
75587 - return le16_to_cpup((__le16 *)p);
75588 + return le16_to_cpup((const __le16 *)p);
75591 -static inline u32 get_unaligned_le32(const void *p)
75592 +static inline u32 __intentional_overflow(-1) get_unaligned_le32(const void *p)
75594 - return le32_to_cpup((__le32 *)p);
75595 + return le32_to_cpup((const __le32 *)p);
75598 -static inline u64 get_unaligned_le64(const void *p)
75599 +static inline u64 __intentional_overflow(-1) get_unaligned_le64(const void *p)
75601 - return le64_to_cpup((__le64 *)p);
75602 + return le64_to_cpup((const __le64 *)p);
75605 -static inline u16 get_unaligned_be16(const void *p)
75606 +static inline u16 __intentional_overflow(-1) get_unaligned_be16(const void *p)
75608 - return be16_to_cpup((__be16 *)p);
75609 + return be16_to_cpup((const __be16 *)p);
75612 -static inline u32 get_unaligned_be32(const void *p)
75613 +static inline u32 __intentional_overflow(-1) get_unaligned_be32(const void *p)
75615 - return be32_to_cpup((__be32 *)p);
75616 + return be32_to_cpup((const __be32 *)p);
75619 -static inline u64 get_unaligned_be64(const void *p)
75620 +static inline u64 __intentional_overflow(-1) get_unaligned_be64(const void *p)
75622 - return be64_to_cpup((__be64 *)p);
75623 + return be64_to_cpup((const __be64 *)p);
75626 static inline void put_unaligned_le16(u16 val, void *p)
75627 diff --git a/include/linux/usb.h b/include/linux/usb.h
75628 index a0bee5a..5533a52 100644
75629 --- a/include/linux/usb.h
75630 +++ b/include/linux/usb.h
75631 @@ -552,7 +552,7 @@ struct usb_device {
75636 + atomic_unchecked_t urbnum;
75638 unsigned long active_duration;
75640 @@ -1607,7 +1607,7 @@ void usb_buffer_unmap_sg(const struct usb_device *dev, int is_in,
75642 extern int usb_control_msg(struct usb_device *dev, unsigned int pipe,
75643 __u8 request, __u8 requesttype, __u16 value, __u16 index,
75644 - void *data, __u16 size, int timeout);
75645 + void *data, __u16 size, int timeout) __intentional_overflow(-1);
75646 extern int usb_interrupt_msg(struct usb_device *usb_dev, unsigned int pipe,
75647 void *data, int len, int *actual_length, int timeout);
75648 extern int usb_bulk_msg(struct usb_device *usb_dev, unsigned int pipe,
75649 diff --git a/include/linux/usb/renesas_usbhs.h b/include/linux/usb/renesas_usbhs.h
75650 index e452ba6..78f8e80 100644
75651 --- a/include/linux/usb/renesas_usbhs.h
75652 +++ b/include/linux/usb/renesas_usbhs.h
75653 @@ -39,7 +39,7 @@ enum {
75655 struct renesas_usbhs_driver_callback {
75656 int (*notify_hotplug)(struct platform_device *pdev);
75661 * callback functions for platform
75662 diff --git a/include/linux/vermagic.h b/include/linux/vermagic.h
75663 index 6f8fbcf..8259001 100644
75664 --- a/include/linux/vermagic.h
75665 +++ b/include/linux/vermagic.h
75667 #define MODULE_ARCH_VERMAGIC ""
75670 +#ifdef CONFIG_PAX_REFCOUNT
75671 +#define MODULE_PAX_REFCOUNT "REFCOUNT "
75673 +#define MODULE_PAX_REFCOUNT ""
75676 +#ifdef CONSTIFY_PLUGIN
75677 +#define MODULE_CONSTIFY_PLUGIN "CONSTIFY_PLUGIN "
75679 +#define MODULE_CONSTIFY_PLUGIN ""
75682 +#ifdef STACKLEAK_PLUGIN
75683 +#define MODULE_STACKLEAK_PLUGIN "STACKLEAK_PLUGIN "
75685 +#define MODULE_STACKLEAK_PLUGIN ""
75688 +#ifdef CONFIG_GRKERNSEC
75689 +#define MODULE_GRSEC "GRSEC "
75691 +#define MODULE_GRSEC ""
75694 #define VERMAGIC_STRING \
75696 MODULE_VERMAGIC_SMP MODULE_VERMAGIC_PREEMPT \
75697 MODULE_VERMAGIC_MODULE_UNLOAD MODULE_VERMAGIC_MODVERSIONS \
75698 - MODULE_ARCH_VERMAGIC
75699 + MODULE_ARCH_VERMAGIC \
75700 + MODULE_PAX_REFCOUNT MODULE_CONSTIFY_PLUGIN MODULE_STACKLEAK_PLUGIN \
75703 diff --git a/include/linux/vmalloc.h b/include/linux/vmalloc.h
75704 index 7d5773a..541c01c 100644
75705 --- a/include/linux/vmalloc.h
75706 +++ b/include/linux/vmalloc.h
75707 @@ -16,6 +16,11 @@ struct vm_area_struct; /* vma defining user mapping in mm_types.h */
75708 #define VM_USERMAP 0x00000008 /* suitable for remap_vmalloc_range */
75709 #define VM_VPAGES 0x00000010 /* buffer for pages was vmalloc'ed */
75710 #define VM_UNLIST 0x00000020 /* vm_struct is not listed in vmlist */
75712 +#if defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
75713 +#define VM_KERNEXEC 0x00000040 /* allocate from executable kernel memory range */
75716 /* bits [20..32] reserved for arch specific ioremap internals */
75719 @@ -75,7 +80,7 @@ extern void *vmalloc_32_user(unsigned long size);
75720 extern void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot);
75721 extern void *__vmalloc_node_range(unsigned long size, unsigned long align,
75722 unsigned long start, unsigned long end, gfp_t gfp_mask,
75723 - pgprot_t prot, int node, const void *caller);
75724 + pgprot_t prot, int node, const void *caller) __size_overflow(1);
75725 extern void vfree(const void *addr);
75727 extern void *vmap(struct page **pages, unsigned int count,
75728 @@ -137,8 +142,8 @@ extern struct vm_struct *alloc_vm_area(size_t size, pte_t **ptes);
75729 extern void free_vm_area(struct vm_struct *area);
75731 /* for /dev/kmem */
75732 -extern long vread(char *buf, char *addr, unsigned long count);
75733 -extern long vwrite(char *buf, char *addr, unsigned long count);
75734 +extern long vread(char *buf, char *addr, unsigned long count) __size_overflow(3);
75735 +extern long vwrite(char *buf, char *addr, unsigned long count) __size_overflow(3);
75738 * Internals. Dont't use..
75739 diff --git a/include/linux/vmstat.h b/include/linux/vmstat.h
75740 index c586679..f06b389 100644
75741 --- a/include/linux/vmstat.h
75742 +++ b/include/linux/vmstat.h
75743 @@ -90,18 +90,18 @@ static inline void vm_events_fold_cpu(int cpu)
75745 * Zone based page accounting with per cpu differentials.
75747 -extern atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
75748 +extern atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
75750 static inline void zone_page_state_add(long x, struct zone *zone,
75751 enum zone_stat_item item)
75753 - atomic_long_add(x, &zone->vm_stat[item]);
75754 - atomic_long_add(x, &vm_stat[item]);
75755 + atomic_long_add_unchecked(x, &zone->vm_stat[item]);
75756 + atomic_long_add_unchecked(x, &vm_stat[item]);
75759 static inline unsigned long global_page_state(enum zone_stat_item item)
75761 - long x = atomic_long_read(&vm_stat[item]);
75762 + long x = atomic_long_read_unchecked(&vm_stat[item]);
75766 @@ -112,7 +112,7 @@ static inline unsigned long global_page_state(enum zone_stat_item item)
75767 static inline unsigned long zone_page_state(struct zone *zone,
75768 enum zone_stat_item item)
75770 - long x = atomic_long_read(&zone->vm_stat[item]);
75771 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
75775 @@ -129,7 +129,7 @@ static inline unsigned long zone_page_state(struct zone *zone,
75776 static inline unsigned long zone_page_state_snapshot(struct zone *zone,
75777 enum zone_stat_item item)
75779 - long x = atomic_long_read(&zone->vm_stat[item]);
75780 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
75784 @@ -221,8 +221,8 @@ static inline void __mod_zone_page_state(struct zone *zone,
75786 static inline void __inc_zone_state(struct zone *zone, enum zone_stat_item item)
75788 - atomic_long_inc(&zone->vm_stat[item]);
75789 - atomic_long_inc(&vm_stat[item]);
75790 + atomic_long_inc_unchecked(&zone->vm_stat[item]);
75791 + atomic_long_inc_unchecked(&vm_stat[item]);
75794 static inline void __inc_zone_page_state(struct page *page,
75795 @@ -233,8 +233,8 @@ static inline void __inc_zone_page_state(struct page *page,
75797 static inline void __dec_zone_state(struct zone *zone, enum zone_stat_item item)
75799 - atomic_long_dec(&zone->vm_stat[item]);
75800 - atomic_long_dec(&vm_stat[item]);
75801 + atomic_long_dec_unchecked(&zone->vm_stat[item]);
75802 + atomic_long_dec_unchecked(&vm_stat[item]);
75805 static inline void __dec_zone_page_state(struct page *page,
75806 diff --git a/include/linux/xattr.h b/include/linux/xattr.h
75807 index fdbafc6..49dfe4f 100644
75808 --- a/include/linux/xattr.h
75809 +++ b/include/linux/xattr.h
75810 @@ -28,7 +28,7 @@ struct xattr_handler {
75811 size_t size, int handler_flags);
75812 int (*set)(struct dentry *dentry, const char *name, const void *buffer,
75813 size_t size, int flags, int handler_flags);
75819 @@ -37,6 +37,9 @@ struct xattr {
75822 ssize_t xattr_getsecurity(struct inode *, const char *, void *, size_t);
75823 +#ifdef CONFIG_PAX_XATTR_PAX_FLAGS
75824 +ssize_t pax_getxattr(struct dentry *, void *, size_t);
75826 ssize_t vfs_getxattr(struct dentry *, const char *, void *, size_t);
75827 ssize_t vfs_listxattr(struct dentry *d, char *list, size_t size);
75828 int __vfs_setxattr_noperm(struct dentry *, const char *, const void *, size_t, int);
75829 diff --git a/include/linux/zlib.h b/include/linux/zlib.h
75830 index 9c5a6b4..09c9438 100644
75831 --- a/include/linux/zlib.h
75832 +++ b/include/linux/zlib.h
75836 #include <linux/zconf.h>
75837 +#include <linux/compiler.h>
75839 /* zlib deflate based on ZLIB_VERSION "1.1.3" */
75840 /* zlib inflate based on ZLIB_VERSION "1.2.3" */
75841 @@ -179,7 +180,7 @@ typedef z_stream *z_streamp;
75843 /* basic functions */
75845 -extern int zlib_deflate_workspacesize (int windowBits, int memLevel);
75846 +extern int zlib_deflate_workspacesize (int windowBits, int memLevel) __intentional_overflow(0);
75848 Returns the number of bytes that needs to be allocated for a per-
75849 stream workspace with the specified parameters. A pointer to this
75850 diff --git a/include/media/v4l2-dev.h b/include/media/v4l2-dev.h
75851 index 95d1c91..6798cca 100644
75852 --- a/include/media/v4l2-dev.h
75853 +++ b/include/media/v4l2-dev.h
75854 @@ -76,7 +76,7 @@ struct v4l2_file_operations {
75855 int (*mmap) (struct file *, struct vm_area_struct *);
75856 int (*open) (struct file *);
75857 int (*release) (struct file *);
75862 * Newer version of video_device, handled by videodev2.c
75863 diff --git a/include/net/9p/transport.h b/include/net/9p/transport.h
75864 index adcbb20..62c2559 100644
75865 --- a/include/net/9p/transport.h
75866 +++ b/include/net/9p/transport.h
75867 @@ -57,7 +57,7 @@ struct p9_trans_module {
75868 int (*cancel) (struct p9_client *, struct p9_req_t *req);
75869 int (*zc_request)(struct p9_client *, struct p9_req_t *,
75870 char *, char *, int , int, int, int);
75874 void v9fs_register_trans(struct p9_trans_module *m);
75875 void v9fs_unregister_trans(struct p9_trans_module *m);
75876 diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
75877 index fb94cf1..7c0c987 100644
75878 --- a/include/net/bluetooth/l2cap.h
75879 +++ b/include/net/bluetooth/l2cap.h
75880 @@ -551,7 +551,7 @@ struct l2cap_ops {
75881 void (*defer) (struct l2cap_chan *chan);
75882 struct sk_buff *(*alloc_skb) (struct l2cap_chan *chan,
75883 unsigned long len, int nb);
75887 struct l2cap_conn {
75888 struct hci_conn *hcon;
75889 diff --git a/include/net/caif/cfctrl.h b/include/net/caif/cfctrl.h
75890 index f2ae33d..c457cf0 100644
75891 --- a/include/net/caif/cfctrl.h
75892 +++ b/include/net/caif/cfctrl.h
75893 @@ -52,7 +52,7 @@ struct cfctrl_rsp {
75894 void (*radioset_rsp)(void);
75895 void (*reject_rsp)(struct cflayer *layer, u8 linkid,
75896 struct cflayer *client_layer);
75900 /* Link Setup Parameters for CAIF-Links. */
75901 struct cfctrl_link_param {
75902 @@ -101,8 +101,8 @@ struct cfctrl_request_info {
75904 struct cfsrvl serv;
75905 struct cfctrl_rsp res;
75906 - atomic_t req_seq_no;
75907 - atomic_t rsp_seq_no;
75908 + atomic_unchecked_t req_seq_no;
75909 + atomic_unchecked_t rsp_seq_no;
75910 struct list_head list;
75911 /* Protects from simultaneous access to first_req list */
75912 spinlock_t info_list_lock;
75913 diff --git a/include/net/flow.h b/include/net/flow.h
75914 index 628e11b..4c475df 100644
75915 --- a/include/net/flow.h
75916 +++ b/include/net/flow.h
75917 @@ -221,6 +221,6 @@ extern struct flow_cache_object *flow_cache_lookup(
75919 extern void flow_cache_flush(void);
75920 extern void flow_cache_flush_deferred(void);
75921 -extern atomic_t flow_cache_genid;
75922 +extern atomic_unchecked_t flow_cache_genid;
75925 diff --git a/include/net/genetlink.h b/include/net/genetlink.h
75926 index 93024a4..eeb6b6e 100644
75927 --- a/include/net/genetlink.h
75928 +++ b/include/net/genetlink.h
75929 @@ -119,7 +119,7 @@ struct genl_ops {
75930 struct netlink_callback *cb);
75931 int (*done)(struct netlink_callback *cb);
75932 struct list_head ops_list;
75936 extern int genl_register_family(struct genl_family *family);
75937 extern int genl_register_family_with_ops(struct genl_family *family,
75938 diff --git a/include/net/gro_cells.h b/include/net/gro_cells.h
75939 index 734d9b5..48a9a4b 100644
75940 --- a/include/net/gro_cells.h
75941 +++ b/include/net/gro_cells.h
75942 @@ -29,7 +29,7 @@ static inline void gro_cells_receive(struct gro_cells *gcells, struct sk_buff *s
75943 cell += skb_get_rx_queue(skb) & gcells->gro_cells_mask;
75945 if (skb_queue_len(&cell->napi_skbs) > netdev_max_backlog) {
75946 - atomic_long_inc(&dev->rx_dropped);
75947 + atomic_long_inc_unchecked(&dev->rx_dropped);
75951 diff --git a/include/net/inet_connection_sock.h b/include/net/inet_connection_sock.h
75952 index de2c785..0588a6b 100644
75953 --- a/include/net/inet_connection_sock.h
75954 +++ b/include/net/inet_connection_sock.h
75955 @@ -62,7 +62,7 @@ struct inet_connection_sock_af_ops {
75956 void (*addr2sockaddr)(struct sock *sk, struct sockaddr *);
75957 int (*bind_conflict)(const struct sock *sk,
75958 const struct inet_bind_bucket *tb, bool relax);
75962 /** inet_connection_sock - INET connection oriented sock
75964 diff --git a/include/net/inetpeer.h b/include/net/inetpeer.h
75965 index 53f464d..ba76aaa 100644
75966 --- a/include/net/inetpeer.h
75967 +++ b/include/net/inetpeer.h
75968 @@ -47,8 +47,8 @@ struct inet_peer {
75972 - atomic_t rid; /* Frag reception counter */
75973 - atomic_t ip_id_count; /* IP ID for the next packet */
75974 + atomic_unchecked_t rid; /* Frag reception counter */
75975 + atomic_unchecked_t ip_id_count; /* IP ID for the next packet */
75977 struct rcu_head rcu;
75978 struct inet_peer *gc_next;
75979 @@ -182,11 +182,11 @@ static inline int inet_getid(struct inet_peer *p, int more)
75981 inet_peer_refcheck(p);
75983 - old = atomic_read(&p->ip_id_count);
75984 + old = atomic_read_unchecked(&p->ip_id_count);
75988 - } while (atomic_cmpxchg(&p->ip_id_count, old, new) != old);
75989 + } while (atomic_cmpxchg_unchecked(&p->ip_id_count, old, new) != old);
75993 diff --git a/include/net/ip.h b/include/net/ip.h
75994 index a68f838..74518ab 100644
75995 --- a/include/net/ip.h
75996 +++ b/include/net/ip.h
75997 @@ -202,7 +202,7 @@ extern struct local_ports {
75998 } sysctl_local_ports;
75999 extern void inet_get_local_port_range(int *low, int *high);
76001 -extern unsigned long *sysctl_local_reserved_ports;
76002 +extern unsigned long sysctl_local_reserved_ports[65536 / 8 / sizeof(unsigned long)];
76003 static inline int inet_is_reserved_local_port(int port)
76005 return test_bit(port, sysctl_local_reserved_ports);
76006 diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h
76007 index e49db91..76a81de 100644
76008 --- a/include/net/ip_fib.h
76009 +++ b/include/net/ip_fib.h
76010 @@ -167,7 +167,7 @@ extern __be32 fib_info_update_nh_saddr(struct net *net, struct fib_nh *nh);
76012 #define FIB_RES_SADDR(net, res) \
76013 ((FIB_RES_NH(res).nh_saddr_genid == \
76014 - atomic_read(&(net)->ipv4.dev_addr_genid)) ? \
76015 + atomic_read_unchecked(&(net)->ipv4.dev_addr_genid)) ? \
76016 FIB_RES_NH(res).nh_saddr : \
76017 fib_info_update_nh_saddr((net), &FIB_RES_NH(res)))
76018 #define FIB_RES_GW(res) (FIB_RES_NH(res).nh_gw)
76019 diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h
76020 index 4c062cc..3562c31 100644
76021 --- a/include/net/ip_vs.h
76022 +++ b/include/net/ip_vs.h
76023 @@ -612,7 +612,7 @@ struct ip_vs_conn {
76024 struct ip_vs_conn *control; /* Master control connection */
76025 atomic_t n_control; /* Number of controlled ones */
76026 struct ip_vs_dest *dest; /* real server */
76027 - atomic_t in_pkts; /* incoming packet counter */
76028 + atomic_unchecked_t in_pkts; /* incoming packet counter */
76030 /* packet transmitter for different forwarding methods. If it
76031 mangles the packet, it must return NF_DROP or better NF_STOLEN,
76032 @@ -761,7 +761,7 @@ struct ip_vs_dest {
76033 __be16 port; /* port number of the server */
76034 union nf_inet_addr addr; /* IP address of the server */
76035 volatile unsigned int flags; /* dest status flags */
76036 - atomic_t conn_flags; /* flags to copy to conn */
76037 + atomic_unchecked_t conn_flags; /* flags to copy to conn */
76038 atomic_t weight; /* server weight */
76040 atomic_t refcnt; /* reference counter */
76041 @@ -1013,11 +1013,11 @@ struct netns_ipvs {
76043 int sysctl_lblc_expiration;
76044 struct ctl_table_header *lblc_ctl_header;
76045 - struct ctl_table *lblc_ctl_table;
76046 + ctl_table_no_const *lblc_ctl_table;
76048 int sysctl_lblcr_expiration;
76049 struct ctl_table_header *lblcr_ctl_header;
76050 - struct ctl_table *lblcr_ctl_table;
76051 + ctl_table_no_const *lblcr_ctl_table;
76053 struct list_head est_list; /* estimator list */
76054 spinlock_t est_lock;
76055 diff --git a/include/net/irda/ircomm_tty.h b/include/net/irda/ircomm_tty.h
76056 index 80ffde3..968b0f4 100644
76057 --- a/include/net/irda/ircomm_tty.h
76058 +++ b/include/net/irda/ircomm_tty.h
76060 #include <linux/termios.h>
76061 #include <linux/timer.h>
76062 #include <linux/tty.h> /* struct tty_struct */
76063 +#include <asm/local.h>
76065 #include <net/irda/irias_object.h>
76066 #include <net/irda/ircomm_core.h>
76067 diff --git a/include/net/iucv/af_iucv.h b/include/net/iucv/af_iucv.h
76068 index 714cc9a..ea05f3e 100644
76069 --- a/include/net/iucv/af_iucv.h
76070 +++ b/include/net/iucv/af_iucv.h
76071 @@ -149,7 +149,7 @@ struct iucv_skb_cb {
76072 struct iucv_sock_list {
76073 struct hlist_head head;
76075 - atomic_t autobind_name;
76076 + atomic_unchecked_t autobind_name;
76079 unsigned int iucv_sock_poll(struct file *file, struct socket *sock,
76080 diff --git a/include/net/llc_c_ac.h b/include/net/llc_c_ac.h
76081 index df83f69..9b640b8 100644
76082 --- a/include/net/llc_c_ac.h
76083 +++ b/include/net/llc_c_ac.h
76085 #define LLC_CONN_AC_STOP_SENDACK_TMR 70
76086 #define LLC_CONN_AC_START_SENDACK_TMR_IF_NOT_RUNNING 71
76088 -typedef int (*llc_conn_action_t)(struct sock *sk, struct sk_buff *skb);
76089 +typedef int (* const llc_conn_action_t)(struct sock *sk, struct sk_buff *skb);
76091 extern int llc_conn_ac_clear_remote_busy(struct sock *sk, struct sk_buff *skb);
76092 extern int llc_conn_ac_conn_ind(struct sock *sk, struct sk_buff *skb);
76093 diff --git a/include/net/llc_c_ev.h b/include/net/llc_c_ev.h
76094 index 6ca3113..f8026dd 100644
76095 --- a/include/net/llc_c_ev.h
76096 +++ b/include/net/llc_c_ev.h
76097 @@ -125,8 +125,8 @@ static __inline__ struct llc_conn_state_ev *llc_conn_ev(struct sk_buff *skb)
76098 return (struct llc_conn_state_ev *)skb->cb;
76101 -typedef int (*llc_conn_ev_t)(struct sock *sk, struct sk_buff *skb);
76102 -typedef int (*llc_conn_ev_qfyr_t)(struct sock *sk, struct sk_buff *skb);
76103 +typedef int (* const llc_conn_ev_t)(struct sock *sk, struct sk_buff *skb);
76104 +typedef int (* const llc_conn_ev_qfyr_t)(struct sock *sk, struct sk_buff *skb);
76106 extern int llc_conn_ev_conn_req(struct sock *sk, struct sk_buff *skb);
76107 extern int llc_conn_ev_data_req(struct sock *sk, struct sk_buff *skb);
76108 diff --git a/include/net/llc_c_st.h b/include/net/llc_c_st.h
76109 index 0e79cfb..f46db31 100644
76110 --- a/include/net/llc_c_st.h
76111 +++ b/include/net/llc_c_st.h
76112 @@ -37,7 +37,7 @@ struct llc_conn_state_trans {
76114 llc_conn_ev_qfyr_t *ev_qualifiers;
76115 llc_conn_action_t *ev_actions;
76119 struct llc_conn_state {
76121 diff --git a/include/net/llc_s_ac.h b/include/net/llc_s_ac.h
76122 index 37a3bbd..55a4241 100644
76123 --- a/include/net/llc_s_ac.h
76124 +++ b/include/net/llc_s_ac.h
76126 #define SAP_ACT_TEST_IND 9
76128 /* All action functions must look like this */
76129 -typedef int (*llc_sap_action_t)(struct llc_sap *sap, struct sk_buff *skb);
76130 +typedef int (* const llc_sap_action_t)(struct llc_sap *sap, struct sk_buff *skb);
76132 extern int llc_sap_action_unitdata_ind(struct llc_sap *sap,
76133 struct sk_buff *skb);
76134 diff --git a/include/net/llc_s_st.h b/include/net/llc_s_st.h
76135 index 567c681..cd73ac0 100644
76136 --- a/include/net/llc_s_st.h
76137 +++ b/include/net/llc_s_st.h
76138 @@ -20,7 +20,7 @@ struct llc_sap_state_trans {
76141 llc_sap_action_t *ev_actions;
76145 struct llc_sap_state {
76147 diff --git a/include/net/mac80211.h b/include/net/mac80211.h
76148 index 885898a..cdace34 100644
76149 --- a/include/net/mac80211.h
76150 +++ b/include/net/mac80211.h
76151 @@ -4205,7 +4205,7 @@ struct rate_control_ops {
76152 void (*add_sta_debugfs)(void *priv, void *priv_sta,
76153 struct dentry *dir);
76154 void (*remove_sta_debugfs)(void *priv, void *priv_sta);
76158 static inline int rate_supported(struct ieee80211_sta *sta,
76159 enum ieee80211_band band,
76160 diff --git a/include/net/neighbour.h b/include/net/neighbour.h
76161 index 7e748ad..5c6229b 100644
76162 --- a/include/net/neighbour.h
76163 +++ b/include/net/neighbour.h
76164 @@ -123,7 +123,7 @@ struct neigh_ops {
76165 void (*error_report)(struct neighbour *, struct sk_buff *);
76166 int (*output)(struct neighbour *, struct sk_buff *);
76167 int (*connected_output)(struct neighbour *, struct sk_buff *);
76171 struct pneigh_entry {
76172 struct pneigh_entry *next;
76173 diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
76174 index b176978..ea169f4 100644
76175 --- a/include/net/net_namespace.h
76176 +++ b/include/net/net_namespace.h
76177 @@ -117,7 +117,7 @@ struct net {
76179 struct netns_ipvs *ipvs;
76180 struct sock *diag_nlsk;
76181 - atomic_t rt_genid;
76182 + atomic_unchecked_t rt_genid;
76186 @@ -274,7 +274,11 @@ static inline struct net *read_pnet(struct net * const *pnet)
76187 #define __net_init __init
76188 #define __net_exit __exit_refok
76189 #define __net_initdata __initdata
76190 +#ifdef CONSTIFY_PLUGIN
76191 #define __net_initconst __initconst
76193 +#define __net_initconst __initdata
76197 struct pernet_operations {
76198 @@ -284,7 +288,7 @@ struct pernet_operations {
76199 void (*exit_batch)(struct list_head *net_exit_list);
76206 * Use these carefully. If you implement a network device and it
76207 @@ -332,12 +336,12 @@ static inline void unregister_net_sysctl_table(struct ctl_table_header *header)
76209 static inline int rt_genid(struct net *net)
76211 - return atomic_read(&net->rt_genid);
76212 + return atomic_read_unchecked(&net->rt_genid);
76215 static inline void rt_genid_bump(struct net *net)
76217 - atomic_inc(&net->rt_genid);
76218 + atomic_inc_unchecked(&net->rt_genid);
76221 #endif /* __NET_NET_NAMESPACE_H */
76222 diff --git a/include/net/netdma.h b/include/net/netdma.h
76223 index 8ba8ce2..99b7fff 100644
76224 --- a/include/net/netdma.h
76225 +++ b/include/net/netdma.h
76227 #include <linux/dmaengine.h>
76228 #include <linux/skbuff.h>
76230 -int dma_skb_copy_datagram_iovec(struct dma_chan* chan,
76231 +int __intentional_overflow(3,5) dma_skb_copy_datagram_iovec(struct dma_chan* chan,
76232 struct sk_buff *skb, int offset, struct iovec *to,
76233 size_t len, struct dma_pinned_list *pinned_list);
76235 diff --git a/include/net/netlink.h b/include/net/netlink.h
76236 index 9690b0f..87aded7 100644
76237 --- a/include/net/netlink.h
76238 +++ b/include/net/netlink.h
76239 @@ -534,7 +534,7 @@ static inline void *nlmsg_get_pos(struct sk_buff *skb)
76240 static inline void nlmsg_trim(struct sk_buff *skb, const void *mark)
76243 - skb_trim(skb, (unsigned char *) mark - skb->data);
76244 + skb_trim(skb, (const unsigned char *) mark - skb->data);
76248 diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
76249 index c9c0c53..53f24c3 100644
76250 --- a/include/net/netns/conntrack.h
76251 +++ b/include/net/netns/conntrack.h
76252 @@ -12,10 +12,10 @@ struct nf_conntrack_ecache;
76253 struct nf_proto_net {
76254 #ifdef CONFIG_SYSCTL
76255 struct ctl_table_header *ctl_table_header;
76256 - struct ctl_table *ctl_table;
76257 + ctl_table_no_const *ctl_table;
76258 #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
76259 struct ctl_table_header *ctl_compat_header;
76260 - struct ctl_table *ctl_compat_table;
76261 + ctl_table_no_const *ctl_compat_table;
76264 unsigned int users;
76265 @@ -58,7 +58,7 @@ struct nf_ip_net {
76266 struct nf_icmp_net icmpv6;
76267 #if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
76268 struct ctl_table_header *ctl_table_header;
76269 - struct ctl_table *ctl_table;
76270 + ctl_table_no_const *ctl_table;
76274 diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
76275 index 2ba9de8..47bd6c7 100644
76276 --- a/include/net/netns/ipv4.h
76277 +++ b/include/net/netns/ipv4.h
76278 @@ -67,7 +67,7 @@ struct netns_ipv4 {
76279 kgid_t sysctl_ping_group_range[2];
76280 long sysctl_tcp_mem[3];
76282 - atomic_t dev_addr_genid;
76283 + atomic_unchecked_t dev_addr_genid;
76285 #ifdef CONFIG_IP_MROUTE
76286 #ifndef CONFIG_IP_MROUTE_MULTIPLE_TABLES
76287 diff --git a/include/net/netns/ipv6.h b/include/net/netns/ipv6.h
76288 index 005e2c2..023d340 100644
76289 --- a/include/net/netns/ipv6.h
76290 +++ b/include/net/netns/ipv6.h
76291 @@ -71,7 +71,7 @@ struct netns_ipv6 {
76292 struct fib_rules_ops *mr6_rules_ops;
76295 - atomic_t dev_addr_genid;
76296 + atomic_unchecked_t dev_addr_genid;
76299 #if IS_ENABLED(CONFIG_NF_DEFRAG_IPV6)
76300 diff --git a/include/net/protocol.h b/include/net/protocol.h
76301 index 047c047..b9dad15 100644
76302 --- a/include/net/protocol.h
76303 +++ b/include/net/protocol.h
76304 @@ -44,7 +44,7 @@ struct net_protocol {
76305 void (*err_handler)(struct sk_buff *skb, u32 info);
76306 unsigned int no_policy:1,
76311 #if IS_ENABLED(CONFIG_IPV6)
76312 struct inet6_protocol {
76313 @@ -57,7 +57,7 @@ struct inet6_protocol {
76314 u8 type, u8 code, int offset,
76316 unsigned int flags; /* INET6_PROTO_xxx */
76320 #define INET6_PROTO_NOPOLICY 0x1
76321 #define INET6_PROTO_FINAL 0x2
76322 diff --git a/include/net/rtnetlink.h b/include/net/rtnetlink.h
76323 index 7026648..584cc8c 100644
76324 --- a/include/net/rtnetlink.h
76325 +++ b/include/net/rtnetlink.h
76326 @@ -81,7 +81,7 @@ struct rtnl_link_ops {
76327 const struct net_device *dev);
76328 unsigned int (*get_num_tx_queues)(void);
76329 unsigned int (*get_num_rx_queues)(void);
76333 extern int __rtnl_link_register(struct rtnl_link_ops *ops);
76334 extern void __rtnl_link_unregister(struct rtnl_link_ops *ops);
76335 diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h
76336 index cd89510..d67810f 100644
76337 --- a/include/net/sctp/sctp.h
76338 +++ b/include/net/sctp/sctp.h
76339 @@ -330,9 +330,9 @@ do { \
76341 #else /* SCTP_DEBUG */
76343 -#define SCTP_DEBUG_PRINTK(whatever...)
76344 -#define SCTP_DEBUG_PRINTK_CONT(fmt, args...)
76345 -#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
76346 +#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
76347 +#define SCTP_DEBUG_PRINTK_CONT(fmt, args...) do {} while (0)
76348 +#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
76349 #define SCTP_ENABLE_DEBUG
76350 #define SCTP_DISABLE_DEBUG
76351 #define SCTP_ASSERT(expr, str, func)
76352 diff --git a/include/net/sctp/sm.h b/include/net/sctp/sm.h
76353 index 2a82d13..62a31c2 100644
76354 --- a/include/net/sctp/sm.h
76355 +++ b/include/net/sctp/sm.h
76356 @@ -87,7 +87,7 @@ typedef void (sctp_timer_event_t) (unsigned long);
76358 sctp_state_fn_t *fn;
76360 -} sctp_sm_table_entry_t;
76361 +} __do_const sctp_sm_table_entry_t;
76363 /* A naming convention of "sctp_sf_xxx" applies to all the state functions
76364 * currently in use.
76365 @@ -299,7 +299,7 @@ __u32 sctp_generate_tag(const struct sctp_endpoint *);
76366 __u32 sctp_generate_tsn(const struct sctp_endpoint *);
76368 /* Extern declarations for major data structures. */
76369 -extern sctp_timer_event_t *sctp_timer_events[SCTP_NUM_TIMEOUT_TYPES];
76370 +extern sctp_timer_event_t * const sctp_timer_events[SCTP_NUM_TIMEOUT_TYPES];
76373 /* Get the size of a DATA chunk payload. */
76374 diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
76375 index 1bd4c41..9250b5b 100644
76376 --- a/include/net/sctp/structs.h
76377 +++ b/include/net/sctp/structs.h
76378 @@ -516,7 +516,7 @@ struct sctp_pf {
76379 struct sctp_association *asoc);
76380 void (*addr_v4map) (struct sctp_sock *, union sctp_addr *);
76381 struct sctp_af *af;
76386 /* Structure to track chunk fragments that have been acked, but peer
76387 diff --git a/include/net/sock.h b/include/net/sock.h
76388 index 66772cf..25bc45b 100644
76389 --- a/include/net/sock.h
76390 +++ b/include/net/sock.h
76391 @@ -325,7 +325,7 @@ struct sock {
76395 - atomic_t sk_drops;
76396 + atomic_unchecked_t sk_drops;
76399 struct sk_filter __rcu *sk_filter;
76400 @@ -1797,7 +1797,7 @@ static inline void sk_nocaps_add(struct sock *sk, netdev_features_t flags)
76403 static inline int skb_do_copy_data_nocache(struct sock *sk, struct sk_buff *skb,
76404 - char __user *from, char *to,
76405 + char __user *from, unsigned char *to,
76406 int copy, int offset)
76408 if (skb->ip_summed == CHECKSUM_NONE) {
76409 @@ -2056,7 +2056,7 @@ static inline void sk_stream_moderate_sndbuf(struct sock *sk)
76413 -struct sk_buff *sk_stream_alloc_skb(struct sock *sk, int size, gfp_t gfp);
76414 +struct sk_buff * __intentional_overflow(0) sk_stream_alloc_skb(struct sock *sk, int size, gfp_t gfp);
76417 * sk_page_frag - return an appropriate page_frag
76418 diff --git a/include/net/tcp.h b/include/net/tcp.h
76419 index 5bba80f..8520a82 100644
76420 --- a/include/net/tcp.h
76421 +++ b/include/net/tcp.h
76422 @@ -524,7 +524,7 @@ extern void tcp_retransmit_timer(struct sock *sk);
76423 extern void tcp_xmit_retransmit_queue(struct sock *);
76424 extern void tcp_simple_retransmit(struct sock *);
76425 extern int tcp_trim_head(struct sock *, struct sk_buff *, u32);
76426 -extern int tcp_fragment(struct sock *, struct sk_buff *, u32, unsigned int);
76427 +extern int __intentional_overflow(3) tcp_fragment(struct sock *, struct sk_buff *, u32, unsigned int);
76429 extern void tcp_send_probe0(struct sock *);
76430 extern void tcp_send_partial(struct sock *);
76431 @@ -697,8 +697,8 @@ struct tcp_skb_cb {
76432 struct inet6_skb_parm h6;
76434 } header; /* For incoming frames */
76435 - __u32 seq; /* Starting sequence number */
76436 - __u32 end_seq; /* SEQ + FIN + SYN + datalen */
76437 + __u32 seq __intentional_overflow(0); /* Starting sequence number */
76438 + __u32 end_seq __intentional_overflow(0); /* SEQ + FIN + SYN + datalen */
76439 __u32 when; /* used to compute rtt's */
76440 __u8 tcp_flags; /* TCP header flags. (tcp[13]) */
76442 @@ -712,7 +712,7 @@ struct tcp_skb_cb {
76444 __u8 ip_dsfield; /* IPv4 tos or IPv6 dsfield */
76446 - __u32 ack_seq; /* Sequence number ACK'd */
76447 + __u32 ack_seq __intentional_overflow(0); /* Sequence number ACK'd */
76450 #define TCP_SKB_CB(__skb) ((struct tcp_skb_cb *)&((__skb)->cb[0]))
76451 diff --git a/include/net/xfrm.h b/include/net/xfrm.h
76452 index 94ce082..62b278d 100644
76453 --- a/include/net/xfrm.h
76454 +++ b/include/net/xfrm.h
76455 @@ -305,7 +305,7 @@ struct xfrm_policy_afinfo {
76456 struct net_device *dev,
76457 const struct flowi *fl);
76458 struct dst_entry *(*blackhole_route)(struct net *net, struct dst_entry *orig);
76462 extern int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo);
76463 extern int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo);
76464 @@ -341,7 +341,7 @@ struct xfrm_state_afinfo {
76465 struct sk_buff *skb);
76466 int (*transport_finish)(struct sk_buff *skb,
76471 extern int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo);
76472 extern int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo);
76473 @@ -424,7 +424,7 @@ struct xfrm_mode {
76474 struct module *owner;
76475 unsigned int encap;
76480 /* Flags for xfrm_mode. */
76482 @@ -521,7 +521,7 @@ struct xfrm_policy {
76483 struct timer_list timer;
76485 struct flow_cache_object flo;
76487 + atomic_unchecked_t genid;
76490 struct xfrm_mark mark;
76491 diff --git a/include/rdma/iw_cm.h b/include/rdma/iw_cm.h
76492 index 1a046b1..ee0bef0 100644
76493 --- a/include/rdma/iw_cm.h
76494 +++ b/include/rdma/iw_cm.h
76495 @@ -122,7 +122,7 @@ struct iw_cm_verbs {
76498 int (*destroy_listen)(struct iw_cm_id *cm_id);
76503 * iw_create_cm_id - Create an IW CM identifier.
76504 diff --git a/include/scsi/libfc.h b/include/scsi/libfc.h
76505 index e1379b4..67eafbe 100644
76506 --- a/include/scsi/libfc.h
76507 +++ b/include/scsi/libfc.h
76508 @@ -762,6 +762,7 @@ struct libfc_function_template {
76510 void (*disc_stop_final) (struct fc_lport *);
76512 +typedef struct libfc_function_template __no_const libfc_function_template_no_const;
76515 * struct fc_disc - Discovery context
76516 @@ -866,7 +867,7 @@ struct fc_lport {
76517 struct fc_vport *vport;
76519 /* Operational Information */
76520 - struct libfc_function_template tt;
76521 + libfc_function_template_no_const tt;
76524 enum fc_lport_state state;
76525 diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h
76526 index cc64587..608f523 100644
76527 --- a/include/scsi/scsi_device.h
76528 +++ b/include/scsi/scsi_device.h
76529 @@ -171,9 +171,9 @@ struct scsi_device {
76530 unsigned int max_device_blocked; /* what device_blocked counts down from */
76531 #define SCSI_DEFAULT_DEVICE_BLOCKED 3
76533 - atomic_t iorequest_cnt;
76534 - atomic_t iodone_cnt;
76535 - atomic_t ioerr_cnt;
76536 + atomic_unchecked_t iorequest_cnt;
76537 + atomic_unchecked_t iodone_cnt;
76538 + atomic_unchecked_t ioerr_cnt;
76540 struct device sdev_gendev,
76542 diff --git a/include/scsi/scsi_transport_fc.h b/include/scsi/scsi_transport_fc.h
76543 index b797e8f..8e2c3aa 100644
76544 --- a/include/scsi/scsi_transport_fc.h
76545 +++ b/include/scsi/scsi_transport_fc.h
76546 @@ -751,7 +751,8 @@ struct fc_function_template {
76547 unsigned long show_host_system_hostname:1;
76549 unsigned long disable_target_scan:1;
76552 +typedef struct fc_function_template __no_const fc_function_template_no_const;
76556 diff --git a/include/sound/compress_driver.h b/include/sound/compress_driver.h
76557 index 9031a26..750d592 100644
76558 --- a/include/sound/compress_driver.h
76559 +++ b/include/sound/compress_driver.h
76560 @@ -128,7 +128,7 @@ struct snd_compr_ops {
76561 struct snd_compr_caps *caps);
76562 int (*get_codec_caps) (struct snd_compr_stream *stream,
76563 struct snd_compr_codec_caps *codec);
76568 * struct snd_compr: Compressed device
76569 diff --git a/include/sound/soc.h b/include/sound/soc.h
76570 index 85c1522..f44bad1 100644
76571 --- a/include/sound/soc.h
76572 +++ b/include/sound/soc.h
76573 @@ -781,7 +781,7 @@ struct snd_soc_codec_driver {
76574 /* probe ordering - for components with runtime dependencies */
76580 /* SoC platform interface */
76581 struct snd_soc_platform_driver {
76582 @@ -827,7 +827,7 @@ struct snd_soc_platform_driver {
76583 unsigned int (*read)(struct snd_soc_platform *, unsigned int);
76584 int (*write)(struct snd_soc_platform *, unsigned int, unsigned int);
76585 int (*bespoke_trigger)(struct snd_pcm_substream *, int);
76589 struct snd_soc_platform {
76591 diff --git a/include/target/target_core_base.h b/include/target/target_core_base.h
76592 index 4ea4f98..a63629b 100644
76593 --- a/include/target/target_core_base.h
76594 +++ b/include/target/target_core_base.h
76595 @@ -653,7 +653,7 @@ struct se_device {
76596 spinlock_t stats_lock;
76597 /* Active commands on this virtual SE device */
76598 atomic_t simple_cmds;
76599 - atomic_t dev_ordered_id;
76600 + atomic_unchecked_t dev_ordered_id;
76601 atomic_t dev_ordered_sync;
76602 atomic_t dev_qf_count;
76604 diff --git a/include/trace/events/fs.h b/include/trace/events/fs.h
76605 new file mode 100644
76606 index 0000000..fb634b7
76608 +++ b/include/trace/events/fs.h
76610 +#undef TRACE_SYSTEM
76611 +#define TRACE_SYSTEM fs
76613 +#if !defined(_TRACE_FS_H) || defined(TRACE_HEADER_MULTI_READ)
76614 +#define _TRACE_FS_H
76616 +#include <linux/fs.h>
76617 +#include <linux/tracepoint.h>
76619 +TRACE_EVENT(do_sys_open,
76621 + TP_PROTO(const char *filename, int flags, int mode),
76623 + TP_ARGS(filename, flags, mode),
76625 + TP_STRUCT__entry(
76626 + __string( filename, filename )
76627 + __field( int, flags )
76628 + __field( int, mode )
76632 + __assign_str(filename, filename);
76633 + __entry->flags = flags;
76634 + __entry->mode = mode;
76637 + TP_printk("\"%s\" %x %o",
76638 + __get_str(filename), __entry->flags, __entry->mode)
76641 +TRACE_EVENT(open_exec,
76643 + TP_PROTO(const char *filename),
76645 + TP_ARGS(filename),
76647 + TP_STRUCT__entry(
76648 + __string( filename, filename )
76652 + __assign_str(filename, filename);
76655 + TP_printk("\"%s\"",
76656 + __get_str(filename))
76659 +#endif /* _TRACE_FS_H */
76661 +/* This part must be outside protection */
76662 +#include <trace/define_trace.h>
76663 diff --git a/include/trace/events/irq.h b/include/trace/events/irq.h
76664 index 1c09820..7f5ec79 100644
76665 --- a/include/trace/events/irq.h
76666 +++ b/include/trace/events/irq.h
76667 @@ -36,7 +36,7 @@ struct softirq_action;
76669 TRACE_EVENT(irq_handler_entry,
76671 - TP_PROTO(int irq, struct irqaction *action),
76672 + TP_PROTO(int irq, const struct irqaction *action),
76674 TP_ARGS(irq, action),
76676 @@ -66,7 +66,7 @@ TRACE_EVENT(irq_handler_entry,
76678 TRACE_EVENT(irq_handler_exit,
76680 - TP_PROTO(int irq, struct irqaction *action, int ret),
76681 + TP_PROTO(int irq, const struct irqaction *action, int ret),
76683 TP_ARGS(irq, action, ret),
76685 diff --git a/include/uapi/linux/a.out.h b/include/uapi/linux/a.out.h
76686 index 7caf44c..23c6f27 100644
76687 --- a/include/uapi/linux/a.out.h
76688 +++ b/include/uapi/linux/a.out.h
76689 @@ -39,6 +39,14 @@ enum machine_type {
76690 M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
76693 +/* Constants for the N_FLAGS field */
76694 +#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
76695 +#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
76696 +#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
76697 +#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
76698 +/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
76699 +#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
76701 #if !defined (N_MAGIC)
76702 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
76704 diff --git a/include/uapi/linux/byteorder/little_endian.h b/include/uapi/linux/byteorder/little_endian.h
76705 index d876736..ccce5c0 100644
76706 --- a/include/uapi/linux/byteorder/little_endian.h
76707 +++ b/include/uapi/linux/byteorder/little_endian.h
76708 @@ -42,51 +42,51 @@
76710 static inline __le64 __cpu_to_le64p(const __u64 *p)
76712 - return (__force __le64)*p;
76713 + return (__force const __le64)*p;
76715 -static inline __u64 __le64_to_cpup(const __le64 *p)
76716 +static inline __u64 __intentional_overflow(-1) __le64_to_cpup(const __le64 *p)
76718 - return (__force __u64)*p;
76719 + return (__force const __u64)*p;
76721 static inline __le32 __cpu_to_le32p(const __u32 *p)
76723 - return (__force __le32)*p;
76724 + return (__force const __le32)*p;
76726 static inline __u32 __le32_to_cpup(const __le32 *p)
76728 - return (__force __u32)*p;
76729 + return (__force const __u32)*p;
76731 static inline __le16 __cpu_to_le16p(const __u16 *p)
76733 - return (__force __le16)*p;
76734 + return (__force const __le16)*p;
76736 static inline __u16 __le16_to_cpup(const __le16 *p)
76738 - return (__force __u16)*p;
76739 + return (__force const __u16)*p;
76741 static inline __be64 __cpu_to_be64p(const __u64 *p)
76743 - return (__force __be64)__swab64p(p);
76744 + return (__force const __be64)__swab64p(p);
76746 static inline __u64 __be64_to_cpup(const __be64 *p)
76748 - return __swab64p((__u64 *)p);
76749 + return __swab64p((const __u64 *)p);
76751 static inline __be32 __cpu_to_be32p(const __u32 *p)
76753 - return (__force __be32)__swab32p(p);
76754 + return (__force const __be32)__swab32p(p);
76756 -static inline __u32 __be32_to_cpup(const __be32 *p)
76757 +static inline __u32 __intentional_overflow(-1) __be32_to_cpup(const __be32 *p)
76759 - return __swab32p((__u32 *)p);
76760 + return __swab32p((const __u32 *)p);
76762 static inline __be16 __cpu_to_be16p(const __u16 *p)
76764 - return (__force __be16)__swab16p(p);
76765 + return (__force const __be16)__swab16p(p);
76767 static inline __u16 __be16_to_cpup(const __be16 *p)
76769 - return __swab16p((__u16 *)p);
76770 + return __swab16p((const __u16 *)p);
76772 #define __cpu_to_le64s(x) do { (void)(x); } while (0)
76773 #define __le64_to_cpus(x) do { (void)(x); } while (0)
76774 diff --git a/include/uapi/linux/elf.h b/include/uapi/linux/elf.h
76775 index ef6103b..d4e65dd 100644
76776 --- a/include/uapi/linux/elf.h
76777 +++ b/include/uapi/linux/elf.h
76778 @@ -37,6 +37,17 @@ typedef __s64 Elf64_Sxword;
76779 #define PT_GNU_EH_FRAME 0x6474e550
76781 #define PT_GNU_STACK (PT_LOOS + 0x474e551)
76782 +#define PT_GNU_RELRO (PT_LOOS + 0x474e552)
76784 +#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
76786 +/* Constants for the e_flags field */
76787 +#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
76788 +#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
76789 +#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
76790 +#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
76791 +/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
76792 +#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
76795 * Extended Numbering
76796 @@ -94,6 +105,8 @@ typedef __s64 Elf64_Sxword;
76797 #define DT_DEBUG 21
76798 #define DT_TEXTREL 22
76799 #define DT_JMPREL 23
76800 +#define DT_FLAGS 30
76801 + #define DF_TEXTREL 0x00000004
76802 #define DT_ENCODING 32
76803 #define OLD_DT_LOOS 0x60000000
76804 #define DT_LOOS 0x6000000d
76805 @@ -240,6 +253,19 @@ typedef struct elf64_hdr {
76809 +#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
76810 +#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
76811 +#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
76812 +#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
76813 +#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
76814 +#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
76815 +/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
76816 +/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
76817 +#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
76818 +#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
76819 +#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
76820 +#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
76822 typedef struct elf32_phdr{
76824 Elf32_Off p_offset;
76825 @@ -332,6 +358,8 @@ typedef struct elf64_shdr {
76831 #define ELFMAG0 0x7f /* EI_MAG */
76832 #define ELFMAG1 'E'
76833 #define ELFMAG2 'L'
76834 diff --git a/include/uapi/linux/personality.h b/include/uapi/linux/personality.h
76835 index aa169c4..6a2771d 100644
76836 --- a/include/uapi/linux/personality.h
76837 +++ b/include/uapi/linux/personality.h
76838 @@ -30,6 +30,7 @@ enum {
76839 #define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC | \
76840 ADDR_NO_RANDOMIZE | \
76841 ADDR_COMPAT_LAYOUT | \
76842 + ADDR_LIMIT_3GB | \
76846 diff --git a/include/uapi/linux/screen_info.h b/include/uapi/linux/screen_info.h
76847 index 7530e74..e714828 100644
76848 --- a/include/uapi/linux/screen_info.h
76849 +++ b/include/uapi/linux/screen_info.h
76850 @@ -43,7 +43,8 @@ struct screen_info {
76851 __u16 pages; /* 0x32 */
76852 __u16 vesa_attributes; /* 0x34 */
76853 __u32 capabilities; /* 0x36 */
76854 - __u8 _reserved[6]; /* 0x3a */
76855 + __u16 vesapm_size; /* 0x3a */
76856 + __u8 _reserved[4]; /* 0x3c */
76857 } __attribute__((packed));
76859 #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
76860 diff --git a/include/uapi/linux/swab.h b/include/uapi/linux/swab.h
76861 index 0e011eb..82681b1 100644
76862 --- a/include/uapi/linux/swab.h
76863 +++ b/include/uapi/linux/swab.h
76865 * ___swab16, ___swab32, ___swab64, ___swahw32, ___swahb32
76868 -static inline __attribute_const__ __u16 __fswab16(__u16 val)
76869 +static inline __intentional_overflow(-1) __attribute_const__ __u16 __fswab16(__u16 val)
76871 #ifdef __HAVE_BUILTIN_BSWAP16__
76872 return __builtin_bswap16(val);
76873 @@ -54,7 +54,7 @@ static inline __attribute_const__ __u16 __fswab16(__u16 val)
76877 -static inline __attribute_const__ __u32 __fswab32(__u32 val)
76878 +static inline __intentional_overflow(-1) __attribute_const__ __u32 __fswab32(__u32 val)
76880 #ifdef __HAVE_BUILTIN_BSWAP32__
76881 return __builtin_bswap32(val);
76882 @@ -65,7 +65,7 @@ static inline __attribute_const__ __u32 __fswab32(__u32 val)
76886 -static inline __attribute_const__ __u64 __fswab64(__u64 val)
76887 +static inline __intentional_overflow(-1) __attribute_const__ __u64 __fswab64(__u64 val)
76889 #ifdef __HAVE_BUILTIN_BSWAP64__
76890 return __builtin_bswap64(val);
76891 diff --git a/include/uapi/linux/sysctl.h b/include/uapi/linux/sysctl.h
76892 index 6d67213..8dab561 100644
76893 --- a/include/uapi/linux/sysctl.h
76894 +++ b/include/uapi/linux/sysctl.h
76895 @@ -155,7 +155,11 @@ enum
76896 KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
76900 +#ifdef CONFIG_PAX_SOFTMODE
76902 + PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
76906 /* CTL_VM names: */
76908 diff --git a/include/uapi/linux/xattr.h b/include/uapi/linux/xattr.h
76909 index e4629b9..6958086 100644
76910 --- a/include/uapi/linux/xattr.h
76911 +++ b/include/uapi/linux/xattr.h
76913 #define XATTR_POSIX_ACL_DEFAULT "posix_acl_default"
76914 #define XATTR_NAME_POSIX_ACL_DEFAULT XATTR_SYSTEM_PREFIX XATTR_POSIX_ACL_DEFAULT
76916 +/* User namespace */
76917 +#define XATTR_PAX_PREFIX XATTR_USER_PREFIX "pax."
76918 +#define XATTR_PAX_FLAGS_SUFFIX "flags"
76919 +#define XATTR_NAME_PAX_FLAGS XATTR_PAX_PREFIX XATTR_PAX_FLAGS_SUFFIX
76921 #endif /* _UAPI_LINUX_XATTR_H */
76922 diff --git a/include/video/udlfb.h b/include/video/udlfb.h
76923 index f9466fa..f4e2b81 100644
76924 --- a/include/video/udlfb.h
76925 +++ b/include/video/udlfb.h
76926 @@ -53,10 +53,10 @@ struct dlfb_data {
76927 u32 pseudo_palette[256];
76928 int blank_mode; /*one of FB_BLANK_ */
76929 /* blit-only rendering path metrics, exposed through sysfs */
76930 - atomic_t bytes_rendered; /* raw pixel-bytes driver asked to render */
76931 - atomic_t bytes_identical; /* saved effort with backbuffer comparison */
76932 - atomic_t bytes_sent; /* to usb, after compression including overhead */
76933 - atomic_t cpu_kcycles_used; /* transpired during pixel processing */
76934 + atomic_unchecked_t bytes_rendered; /* raw pixel-bytes driver asked to render */
76935 + atomic_unchecked_t bytes_identical; /* saved effort with backbuffer comparison */
76936 + atomic_unchecked_t bytes_sent; /* to usb, after compression including overhead */
76937 + atomic_unchecked_t cpu_kcycles_used; /* transpired during pixel processing */
76940 #define NR_USB_REQUEST_I2C_SUB_IO 0x02
76941 diff --git a/include/video/uvesafb.h b/include/video/uvesafb.h
76942 index 1a91850..28573f8 100644
76943 --- a/include/video/uvesafb.h
76944 +++ b/include/video/uvesafb.h
76945 @@ -122,6 +122,7 @@ struct uvesafb_par {
76946 u8 ypan; /* 0 - nothing, 1 - ypan, 2 - ywrap */
76947 u8 pmi_setpal; /* PMI for palette changes */
76948 u16 *pmi_base; /* protected mode interface location */
76949 + u8 *pmi_code; /* protected mode code location */
76952 u8 *vbe_state_orig; /*
76953 diff --git a/init/Kconfig b/init/Kconfig
76954 index 2d9b831..ae4c8ac 100644
76957 @@ -1029,6 +1029,7 @@ endif # CGROUPS
76959 config CHECKPOINT_RESTORE
76960 bool "Checkpoint/restore support" if EXPERT
76961 + depends on !GRKERNSEC
76964 Enables additional kernel features in a sake of checkpoint/restore.
76965 @@ -1516,7 +1517,7 @@ config SLUB_DEBUG
76968 bool "Disable heap randomization"
76972 Randomizing heap placement makes heap exploits harder, but it
76973 also breaks ancient binaries (including anything libc5 based).
76974 @@ -1779,7 +1780,7 @@ config INIT_ALL_POSSIBLE
76975 config STOP_MACHINE
76978 - depends on (SMP && MODULE_UNLOAD) || HOTPLUG_CPU
76979 + depends on (SMP && MODULE_UNLOAD) || HOTPLUG_CPU || GRKERNSEC
76981 Need stop_machine() primitive.
76983 diff --git a/init/Makefile b/init/Makefile
76984 index 7bc47ee..6da2dc7 100644
76985 --- a/init/Makefile
76986 +++ b/init/Makefile
76988 # Makefile for the linux kernel.
76991 +ccflags-y := $(GCC_PLUGINS_CFLAGS)
76992 +asflags-y := $(GCC_PLUGINS_AFLAGS)
76994 obj-y := main.o version.o mounts.o
76995 ifneq ($(CONFIG_BLK_DEV_INITRD),y)
76996 obj-y += noinitramfs.o
76997 diff --git a/init/do_mounts.c b/init/do_mounts.c
76998 index a2b49f2..03a0e17c 100644
76999 --- a/init/do_mounts.c
77000 +++ b/init/do_mounts.c
77001 @@ -355,11 +355,11 @@ static void __init get_fs_names(char *page)
77002 static int __init do_mount_root(char *name, char *fs, int flags, void *data)
77004 struct super_block *s;
77005 - int err = sys_mount(name, "/root", fs, flags, data);
77006 + int err = sys_mount((char __force_user *)name, (char __force_user *)"/root", (char __force_user *)fs, flags, (void __force_user *)data);
77010 - sys_chdir("/root");
77011 + sys_chdir((const char __force_user *)"/root");
77012 s = current->fs->pwd.dentry->d_sb;
77013 ROOT_DEV = s->s_dev;
77015 @@ -480,18 +480,18 @@ void __init change_floppy(char *fmt, ...)
77016 va_start(args, fmt);
77017 vsprintf(buf, fmt, args);
77019 - fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
77020 + fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
77022 sys_ioctl(fd, FDEJECT, 0);
77025 printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
77026 - fd = sys_open("/dev/console", O_RDWR, 0);
77027 + fd = sys_open((__force const char __user *)"/dev/console", O_RDWR, 0);
77029 sys_ioctl(fd, TCGETS, (long)&termios);
77030 termios.c_lflag &= ~ICANON;
77031 sys_ioctl(fd, TCSETSF, (long)&termios);
77032 - sys_read(fd, &c, 1);
77033 + sys_read(fd, (char __user *)&c, 1);
77034 termios.c_lflag |= ICANON;
77035 sys_ioctl(fd, TCSETSF, (long)&termios);
77037 @@ -585,6 +585,6 @@ void __init prepare_namespace(void)
77040 devtmpfs_mount("dev");
77041 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
77043 + sys_mount((char __force_user *)".", (char __force_user *)"/", NULL, MS_MOVE, NULL);
77044 + sys_chroot((const char __force_user *)".");
77046 diff --git a/init/do_mounts.h b/init/do_mounts.h
77047 index f5b978a..69dbfe8 100644
77048 --- a/init/do_mounts.h
77049 +++ b/init/do_mounts.h
77050 @@ -15,15 +15,15 @@ extern int root_mountflags;
77052 static inline int create_dev(char *name, dev_t dev)
77054 - sys_unlink(name);
77055 - return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
77056 + sys_unlink((char __force_user *)name);
77057 + return sys_mknod((char __force_user *)name, S_IFBLK|0600, new_encode_dev(dev));
77060 #if BITS_PER_LONG == 32
77061 static inline u32 bstat(char *name)
77063 struct stat64 stat;
77064 - if (sys_stat64(name, &stat) != 0)
77065 + if (sys_stat64((char __force_user *)name, (struct stat64 __force_user *)&stat) != 0)
77067 if (!S_ISBLK(stat.st_mode))
77069 @@ -35,7 +35,7 @@ static inline u32 bstat(char *name)
77070 static inline u32 bstat(char *name)
77073 - if (sys_newstat(name, &stat) != 0)
77074 + if (sys_newstat((const char __force_user *)name, (struct stat __force_user *)&stat) != 0)
77076 if (!S_ISBLK(stat.st_mode))
77078 diff --git a/init/do_mounts_initrd.c b/init/do_mounts_initrd.c
77079 index 3e0878e..8a9d7a0 100644
77080 --- a/init/do_mounts_initrd.c
77081 +++ b/init/do_mounts_initrd.c
77082 @@ -37,13 +37,13 @@ static int init_linuxrc(struct subprocess_info *info, struct cred *new)
77084 sys_unshare(CLONE_FS | CLONE_FILES);
77085 /* stdin/stdout/stderr for /linuxrc */
77086 - sys_open("/dev/console", O_RDWR, 0);
77087 + sys_open((const char __force_user *)"/dev/console", O_RDWR, 0);
77090 /* move initrd over / and chdir/chroot in initrd root */
77091 - sys_chdir("/root");
77092 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
77094 + sys_chdir((const char __force_user *)"/root");
77095 + sys_mount((char __force_user *)".", (char __force_user *)"/", NULL, MS_MOVE, NULL);
77096 + sys_chroot((const char __force_user *)".");
77100 @@ -59,8 +59,8 @@ static void __init handle_initrd(void)
77101 create_dev("/dev/root.old", Root_RAM0);
77102 /* mount initrd on rootfs' /root */
77103 mount_block_root("/dev/root.old", root_mountflags & ~MS_RDONLY);
77104 - sys_mkdir("/old", 0700);
77105 - sys_chdir("/old");
77106 + sys_mkdir((const char __force_user *)"/old", 0700);
77107 + sys_chdir((const char __force_user *)"/old");
77109 /* try loading default modules from initrd */
77110 load_default_modules();
77111 @@ -80,31 +80,31 @@ static void __init handle_initrd(void)
77112 current->flags &= ~PF_FREEZER_SKIP;
77114 /* move initrd to rootfs' /old */
77115 - sys_mount("..", ".", NULL, MS_MOVE, NULL);
77116 + sys_mount((char __force_user *)"..", (char __force_user *)".", NULL, MS_MOVE, NULL);
77117 /* switch root and cwd back to / of rootfs */
77118 - sys_chroot("..");
77119 + sys_chroot((const char __force_user *)"..");
77121 if (new_decode_dev(real_root_dev) == Root_RAM0) {
77122 - sys_chdir("/old");
77123 + sys_chdir((const char __force_user *)"/old");
77128 + sys_chdir((const char __force_user *)"/");
77129 ROOT_DEV = new_decode_dev(real_root_dev);
77132 printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
77133 - error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
77134 + error = sys_mount((char __force_user *)"/old", (char __force_user *)"/root/initrd", NULL, MS_MOVE, NULL);
77138 - int fd = sys_open("/dev/root.old", O_RDWR, 0);
77139 + int fd = sys_open((const char __force_user *)"/dev/root.old", O_RDWR, 0);
77140 if (error == -ENOENT)
77141 printk("/initrd does not exist. Ignored.\n");
77143 printk("failed\n");
77144 printk(KERN_NOTICE "Unmounting old root\n");
77145 - sys_umount("/old", MNT_DETACH);
77146 + sys_umount((char __force_user *)"/old", MNT_DETACH);
77147 printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
77150 @@ -127,11 +127,11 @@ int __init initrd_load(void)
77151 * mounted in the normal path.
77153 if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
77154 - sys_unlink("/initrd.image");
77155 + sys_unlink((const char __force_user *)"/initrd.image");
77160 - sys_unlink("/initrd.image");
77161 + sys_unlink((const char __force_user *)"/initrd.image");
77164 diff --git a/init/do_mounts_md.c b/init/do_mounts_md.c
77165 index 8cb6db5..d729f50 100644
77166 --- a/init/do_mounts_md.c
77167 +++ b/init/do_mounts_md.c
77168 @@ -180,7 +180,7 @@ static void __init md_setup_drive(void)
77169 partitioned ? "_d" : "", minor,
77170 md_setup_args[ent].device_names);
77172 - fd = sys_open(name, 0, 0);
77173 + fd = sys_open((char __force_user *)name, 0, 0);
77175 printk(KERN_ERR "md: open failed - cannot start "
77176 "array %s\n", name);
77177 @@ -243,7 +243,7 @@ static void __init md_setup_drive(void)
77181 - fd = sys_open(name, 0, 0);
77182 + fd = sys_open((char __force_user *)name, 0, 0);
77183 sys_ioctl(fd, BLKRRPART, 0);
77186 @@ -293,7 +293,7 @@ static void __init autodetect_raid(void)
77188 wait_for_device_probe();
77190 - fd = sys_open("/dev/md0", 0, 0);
77191 + fd = sys_open((const char __force_user *) "/dev/md0", 0, 0);
77193 sys_ioctl(fd, RAID_AUTORUN, raid_autopart);
77195 diff --git a/init/init_task.c b/init/init_task.c
77196 index ba0a7f36..2bcf1d5 100644
77197 --- a/init/init_task.c
77198 +++ b/init/init_task.c
77199 @@ -22,5 +22,9 @@ EXPORT_SYMBOL(init_task);
77200 * Initial thread structure. Alignment of this is handled by a special
77201 * linker map entry.
77204 +union thread_union init_thread_union __init_task_data;
77206 union thread_union init_thread_union __init_task_data =
77207 { INIT_THREAD_INFO(init_task) };
77209 diff --git a/init/initramfs.c b/init/initramfs.c
77210 index a67ef9d..2d17ed9 100644
77211 --- a/init/initramfs.c
77212 +++ b/init/initramfs.c
77213 @@ -84,7 +84,7 @@ static void __init free_hash(void)
77217 -static long __init do_utime(char *filename, time_t mtime)
77218 +static long __init do_utime(char __force_user *filename, time_t mtime)
77220 struct timespec t[2];
77222 @@ -119,7 +119,7 @@ static void __init dir_utime(void)
77223 struct dir_entry *de, *tmp;
77224 list_for_each_entry_safe(de, tmp, &dir_list, list) {
77225 list_del(&de->list);
77226 - do_utime(de->name, de->mtime);
77227 + do_utime((char __force_user *)de->name, de->mtime);
77231 @@ -281,7 +281,7 @@ static int __init maybe_link(void)
77233 char *old = find_link(major, minor, ino, mode, collected);
77235 - return (sys_link(old, collected) < 0) ? -1 : 1;
77236 + return (sys_link((char __force_user *)old, (char __force_user *)collected) < 0) ? -1 : 1;
77240 @@ -290,11 +290,11 @@ static void __init clean_path(char *path, umode_t mode)
77244 - if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
77245 + if (!sys_newlstat((char __force_user *)path, (struct stat __force_user *)&st) && (st.st_mode^mode) & S_IFMT) {
77246 if (S_ISDIR(st.st_mode))
77248 + sys_rmdir((char __force_user *)path);
77250 - sys_unlink(path);
77251 + sys_unlink((char __force_user *)path);
77255 @@ -315,7 +315,7 @@ static int __init do_name(void)
77256 int openflags = O_WRONLY|O_CREAT;
77258 openflags |= O_TRUNC;
77259 - wfd = sys_open(collected, openflags, mode);
77260 + wfd = sys_open((char __force_user *)collected, openflags, mode);
77263 sys_fchown(wfd, uid, gid);
77264 @@ -327,17 +327,17 @@ static int __init do_name(void)
77267 } else if (S_ISDIR(mode)) {
77268 - sys_mkdir(collected, mode);
77269 - sys_chown(collected, uid, gid);
77270 - sys_chmod(collected, mode);
77271 + sys_mkdir((char __force_user *)collected, mode);
77272 + sys_chown((char __force_user *)collected, uid, gid);
77273 + sys_chmod((char __force_user *)collected, mode);
77274 dir_add(collected, mtime);
77275 } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
77276 S_ISFIFO(mode) || S_ISSOCK(mode)) {
77277 if (maybe_link() == 0) {
77278 - sys_mknod(collected, mode, rdev);
77279 - sys_chown(collected, uid, gid);
77280 - sys_chmod(collected, mode);
77281 - do_utime(collected, mtime);
77282 + sys_mknod((char __force_user *)collected, mode, rdev);
77283 + sys_chown((char __force_user *)collected, uid, gid);
77284 + sys_chmod((char __force_user *)collected, mode);
77285 + do_utime((char __force_user *)collected, mtime);
77289 @@ -346,15 +346,15 @@ static int __init do_name(void)
77290 static int __init do_copy(void)
77292 if (count >= body_len) {
77293 - sys_write(wfd, victim, body_len);
77294 + sys_write(wfd, (char __force_user *)victim, body_len);
77296 - do_utime(vcollected, mtime);
77297 + do_utime((char __force_user *)vcollected, mtime);
77303 - sys_write(wfd, victim, count);
77304 + sys_write(wfd, (char __force_user *)victim, count);
77308 @@ -365,9 +365,9 @@ static int __init do_symlink(void)
77310 collected[N_ALIGN(name_len) + body_len] = '\0';
77311 clean_path(collected, 0);
77312 - sys_symlink(collected + N_ALIGN(name_len), collected);
77313 - sys_lchown(collected, uid, gid);
77314 - do_utime(collected, mtime);
77315 + sys_symlink((char __force_user *)collected + N_ALIGN(name_len), (char __force_user *)collected);
77316 + sys_lchown((char __force_user *)collected, uid, gid);
77317 + do_utime((char __force_user *)collected, mtime);
77319 next_state = Reset;
77321 @@ -583,7 +583,7 @@ static int __init populate_rootfs(void)
77323 char *err = unpack_to_rootfs(__initramfs_start, __initramfs_size);
77325 - panic(err); /* Failed to decompress INTERNAL initramfs */
77326 + panic("%s", err); /* Failed to decompress INTERNAL initramfs */
77327 if (initrd_start) {
77328 #ifdef CONFIG_BLK_DEV_RAM
77330 diff --git a/init/main.c b/init/main.c
77331 index 9484f4b..0eac7c3 100644
77334 @@ -100,6 +100,8 @@ static inline void mark_rodata_ro(void) { }
77335 extern void tc_init(void);
77338 +extern void grsecurity_init(void);
77341 * Debug helper: via this flag we know that we are in 'early bootup code'
77342 * where only the boot processor is running with IRQ disabled. This means
77343 @@ -153,6 +155,74 @@ static int __init set_reset_devices(char *str)
77345 __setup("reset_devices", set_reset_devices);
77347 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
77348 +kgid_t grsec_proc_gid = KGIDT_INIT(CONFIG_GRKERNSEC_PROC_GID);
77349 +static int __init setup_grsec_proc_gid(char *str)
77351 + grsec_proc_gid = KGIDT_INIT(simple_strtol(str, NULL, 0));
77354 +__setup("grsec_proc_gid=", setup_grsec_proc_gid);
77357 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
77358 +unsigned long pax_user_shadow_base __read_only;
77359 +EXPORT_SYMBOL(pax_user_shadow_base);
77360 +extern char pax_enter_kernel_user[];
77361 +extern char pax_exit_kernel_user[];
77364 +#if defined(CONFIG_X86) && defined(CONFIG_PAX_MEMORY_UDEREF)
77365 +static int __init setup_pax_nouderef(char *str)
77367 +#ifdef CONFIG_X86_32
77368 + unsigned int cpu;
77369 + struct desc_struct *gdt;
77371 + for (cpu = 0; cpu < nr_cpu_ids; cpu++) {
77372 + gdt = get_cpu_gdt_table(cpu);
77373 + gdt[GDT_ENTRY_KERNEL_DS].type = 3;
77374 + gdt[GDT_ENTRY_KERNEL_DS].limit = 0xf;
77375 + gdt[GDT_ENTRY_DEFAULT_USER_CS].limit = 0xf;
77376 + gdt[GDT_ENTRY_DEFAULT_USER_DS].limit = 0xf;
77378 + loadsegment(ds, __KERNEL_DS);
77379 + loadsegment(es, __KERNEL_DS);
77380 + loadsegment(ss, __KERNEL_DS);
77382 + memcpy(pax_enter_kernel_user, (unsigned char []){0xc3}, 1);
77383 + memcpy(pax_exit_kernel_user, (unsigned char []){0xc3}, 1);
77384 + clone_pgd_mask = ~(pgdval_t)0UL;
77385 + pax_user_shadow_base = 0UL;
77386 + setup_clear_cpu_cap(X86_FEATURE_PCID);
77391 +early_param("pax_nouderef", setup_pax_nouderef);
77393 +#ifdef CONFIG_X86_64
77394 +static int __init setup_pax_weakuderef(char *str)
77396 + if (clone_pgd_mask != ~(pgdval_t)0UL)
77397 + pax_user_shadow_base = 1UL << TASK_SIZE_MAX_SHIFT;
77400 +__setup("pax_weakuderef", setup_pax_weakuderef);
77404 +#ifdef CONFIG_PAX_SOFTMODE
77407 +static int __init setup_pax_softmode(char *str)
77409 + get_option(&str, &pax_softmode);
77412 +__setup("pax_softmode=", setup_pax_softmode);
77415 static const char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
77416 const char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
77417 static const char *panic_later, *panic_param;
77418 @@ -655,8 +725,6 @@ static void __init do_ctors(void)
77419 bool initcall_debug;
77420 core_param(initcall_debug, initcall_debug, bool, 0644);
77422 -static char msgbuf[64];
77424 static int __init_or_module do_one_initcall_debug(initcall_t fn)
77426 ktime_t calltime, delta, rettime;
77427 @@ -679,23 +747,22 @@ int __init_or_module do_one_initcall(initcall_t fn)
77429 int count = preempt_count();
77431 + const char *msg1 = "", *msg2 = "";
77433 if (initcall_debug)
77434 ret = do_one_initcall_debug(fn);
77440 if (preempt_count() != count) {
77441 - sprintf(msgbuf, "preemption imbalance ");
77442 + msg1 = " preemption imbalance";
77443 preempt_count() = count;
77445 if (irqs_disabled()) {
77446 - strlcat(msgbuf, "disabled interrupts ", sizeof(msgbuf));
77447 + msg2 = " disabled interrupts";
77448 local_irq_enable();
77450 - WARN(msgbuf[0], "initcall %pF returned with %s\n", fn, msgbuf);
77451 + WARN(*msg1 || *msg2, "initcall %pF returned with%s%s\n", fn, msg1, msg2);
77455 @@ -748,8 +815,14 @@ static void __init do_initcall_level(int level)
77457 &repair_env_string);
77459 - for (fn = initcall_levels[level]; fn < initcall_levels[level+1]; fn++)
77460 + for (fn = initcall_levels[level]; fn < initcall_levels[level+1]; fn++) {
77461 do_one_initcall(*fn);
77463 +#ifdef LATENT_ENTROPY_PLUGIN
77464 + add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy));
77470 static void __init do_initcalls(void)
77471 @@ -783,8 +856,14 @@ static void __init do_pre_smp_initcalls(void)
77475 - for (fn = __initcall_start; fn < __initcall0_start; fn++)
77476 + for (fn = __initcall_start; fn < __initcall0_start; fn++) {
77477 do_one_initcall(*fn);
77479 +#ifdef LATENT_ENTROPY_PLUGIN
77480 + add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy));
77487 @@ -802,8 +881,8 @@ static int run_init_process(const char *init_filename)
77489 argv_init[0] = init_filename;
77490 return do_execve(init_filename,
77491 - (const char __user *const __user *)argv_init,
77492 - (const char __user *const __user *)envp_init);
77493 + (const char __user *const __force_user *)argv_init,
77494 + (const char __user *const __force_user *)envp_init);
77497 static noinline void __init kernel_init_freeable(void);
77498 @@ -880,7 +959,7 @@ static noinline void __init kernel_init_freeable(void)
77501 /* Open the /dev/console on the rootfs, this should never fail */
77502 - if (sys_open((const char __user *) "/dev/console", O_RDWR, 0) < 0)
77503 + if (sys_open((const char __force_user *) "/dev/console", O_RDWR, 0) < 0)
77504 pr_err("Warning: unable to open an initial console.\n");
77507 @@ -893,11 +972,13 @@ static noinline void __init kernel_init_freeable(void)
77508 if (!ramdisk_execute_command)
77509 ramdisk_execute_command = "/init";
77511 - if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
77512 + if (sys_access((const char __force_user *) ramdisk_execute_command, 0) != 0) {
77513 ramdisk_execute_command = NULL;
77514 prepare_namespace();
77517 + grsecurity_init();
77520 * Ok, we have completed the initial bootup, and
77521 * we're essentially up and running. Get rid of the
77522 diff --git a/ipc/ipc_sysctl.c b/ipc/ipc_sysctl.c
77523 index 130dfec..cc88451 100644
77524 --- a/ipc/ipc_sysctl.c
77525 +++ b/ipc/ipc_sysctl.c
77526 @@ -30,7 +30,7 @@ static void *get_ipc(ctl_table *table)
77527 static int proc_ipc_dointvec(ctl_table *table, int write,
77528 void __user *buffer, size_t *lenp, loff_t *ppos)
77530 - struct ctl_table ipc_table;
77531 + ctl_table_no_const ipc_table;
77533 memcpy(&ipc_table, table, sizeof(ipc_table));
77534 ipc_table.data = get_ipc(table);
77535 @@ -41,7 +41,7 @@ static int proc_ipc_dointvec(ctl_table *table, int write,
77536 static int proc_ipc_dointvec_minmax(ctl_table *table, int write,
77537 void __user *buffer, size_t *lenp, loff_t *ppos)
77539 - struct ctl_table ipc_table;
77540 + ctl_table_no_const ipc_table;
77542 memcpy(&ipc_table, table, sizeof(ipc_table));
77543 ipc_table.data = get_ipc(table);
77544 @@ -65,7 +65,7 @@ static int proc_ipc_dointvec_minmax_orphans(ctl_table *table, int write,
77545 static int proc_ipc_callback_dointvec(ctl_table *table, int write,
77546 void __user *buffer, size_t *lenp, loff_t *ppos)
77548 - struct ctl_table ipc_table;
77549 + ctl_table_no_const ipc_table;
77550 size_t lenp_bef = *lenp;
77553 @@ -88,7 +88,7 @@ static int proc_ipc_callback_dointvec(ctl_table *table, int write,
77554 static int proc_ipc_doulongvec_minmax(ctl_table *table, int write,
77555 void __user *buffer, size_t *lenp, loff_t *ppos)
77557 - struct ctl_table ipc_table;
77558 + ctl_table_no_const ipc_table;
77559 memcpy(&ipc_table, table, sizeof(ipc_table));
77560 ipc_table.data = get_ipc(table);
77562 @@ -122,7 +122,7 @@ static void ipc_auto_callback(int val)
77563 static int proc_ipcauto_dointvec_minmax(ctl_table *table, int write,
77564 void __user *buffer, size_t *lenp, loff_t *ppos)
77566 - struct ctl_table ipc_table;
77567 + ctl_table_no_const ipc_table;
77568 size_t lenp_bef = *lenp;
77571 diff --git a/ipc/mq_sysctl.c b/ipc/mq_sysctl.c
77572 index 383d638..943fdbb 100644
77573 --- a/ipc/mq_sysctl.c
77574 +++ b/ipc/mq_sysctl.c
77575 @@ -25,7 +25,7 @@ static void *get_mq(ctl_table *table)
77576 static int proc_mq_dointvec_minmax(ctl_table *table, int write,
77577 void __user *buffer, size_t *lenp, loff_t *ppos)
77579 - struct ctl_table mq_table;
77580 + ctl_table_no_const mq_table;
77581 memcpy(&mq_table, table, sizeof(mq_table));
77582 mq_table.data = get_mq(table);
77584 diff --git a/ipc/mqueue.c b/ipc/mqueue.c
77585 index e4e47f6..a85e0ad 100644
77588 @@ -278,6 +278,7 @@ static struct inode *mqueue_get_inode(struct super_block *sb,
77589 mq_bytes = mq_treesize + (info->attr.mq_maxmsg *
77590 info->attr.mq_msgsize);
77592 + gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);
77593 spin_lock(&mq_lock);
77594 if (u->mq_bytes + mq_bytes < u->mq_bytes ||
77595 u->mq_bytes + mq_bytes > rlimit(RLIMIT_MSGQUEUE)) {
77596 diff --git a/ipc/msg.c b/ipc/msg.c
77597 index d0c6d96..69a893c 100644
77600 @@ -296,18 +296,19 @@ static inline int msg_security(struct kern_ipc_perm *ipcp, int msgflg)
77601 return security_msg_queue_associate(msq, msgflg);
77604 +static struct ipc_ops msg_ops = {
77605 + .getnew = newque,
77606 + .associate = msg_security,
77607 + .more_checks = NULL
77610 SYSCALL_DEFINE2(msgget, key_t, key, int, msgflg)
77612 struct ipc_namespace *ns;
77613 - struct ipc_ops msg_ops;
77614 struct ipc_params msg_params;
77616 ns = current->nsproxy->ipc_ns;
77618 - msg_ops.getnew = newque;
77619 - msg_ops.associate = msg_security;
77620 - msg_ops.more_checks = NULL;
77622 msg_params.key = key;
77623 msg_params.flg = msgflg;
77625 diff --git a/ipc/sem.c b/ipc/sem.c
77626 index 70480a3..f4e8262 100644
77629 @@ -460,10 +460,15 @@ static inline int sem_more_checks(struct kern_ipc_perm *ipcp,
77633 +static struct ipc_ops sem_ops = {
77634 + .getnew = newary,
77635 + .associate = sem_security,
77636 + .more_checks = sem_more_checks
77639 SYSCALL_DEFINE3(semget, key_t, key, int, nsems, int, semflg)
77641 struct ipc_namespace *ns;
77642 - struct ipc_ops sem_ops;
77643 struct ipc_params sem_params;
77645 ns = current->nsproxy->ipc_ns;
77646 @@ -471,10 +476,6 @@ SYSCALL_DEFINE3(semget, key_t, key, int, nsems, int, semflg)
77647 if (nsems < 0 || nsems > ns->sc_semmsl)
77650 - sem_ops.getnew = newary;
77651 - sem_ops.associate = sem_security;
77652 - sem_ops.more_checks = sem_more_checks;
77654 sem_params.key = key;
77655 sem_params.flg = semflg;
77656 sem_params.u.nsems = nsems;
77657 diff --git a/ipc/shm.c b/ipc/shm.c
77658 index 7e199fa..180a1ca 100644
77661 @@ -69,6 +69,14 @@ static void shm_destroy (struct ipc_namespace *ns, struct shmid_kernel *shp);
77662 static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
77665 +#ifdef CONFIG_GRKERNSEC
77666 +extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
77667 + const time_t shm_createtime, const kuid_t cuid,
77668 + const int shmid);
77669 +extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
77670 + const time_t shm_createtime);
77673 void shm_init_ns(struct ipc_namespace *ns)
77675 ns->shm_ctlmax = SHMMAX;
77676 @@ -531,6 +539,14 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
77677 shp->shm_lprid = 0;
77678 shp->shm_atim = shp->shm_dtim = 0;
77679 shp->shm_ctim = get_seconds();
77680 +#ifdef CONFIG_GRKERNSEC
77682 + struct timespec timeval;
77683 + do_posix_clock_monotonic_gettime(&timeval);
77685 + shp->shm_createtime = timeval.tv_sec;
77688 shp->shm_segsz = size;
77689 shp->shm_nattch = 0;
77690 shp->shm_file = file;
77691 @@ -582,18 +598,19 @@ static inline int shm_more_checks(struct kern_ipc_perm *ipcp,
77695 +static struct ipc_ops shm_ops = {
77696 + .getnew = newseg,
77697 + .associate = shm_security,
77698 + .more_checks = shm_more_checks
77701 SYSCALL_DEFINE3(shmget, key_t, key, size_t, size, int, shmflg)
77703 struct ipc_namespace *ns;
77704 - struct ipc_ops shm_ops;
77705 struct ipc_params shm_params;
77707 ns = current->nsproxy->ipc_ns;
77709 - shm_ops.getnew = newseg;
77710 - shm_ops.associate = shm_security;
77711 - shm_ops.more_checks = shm_more_checks;
77713 shm_params.key = key;
77714 shm_params.flg = shmflg;
77715 shm_params.u.size = size;
77716 @@ -1014,6 +1031,12 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
77717 f_mode = FMODE_READ | FMODE_WRITE;
77719 if (shmflg & SHM_EXEC) {
77721 +#ifdef CONFIG_PAX_MPROTECT
77722 + if (current->mm->pax_flags & MF_PAX_MPROTECT)
77727 acc_mode |= S_IXUGO;
77729 @@ -1037,9 +1060,21 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
77733 +#ifdef CONFIG_GRKERNSEC
77734 + if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
77735 + shp->shm_perm.cuid, shmid) ||
77736 + !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
77742 path = shp->shm_file->f_path;
77745 +#ifdef CONFIG_GRKERNSEC
77746 + shp->shm_lapid = current->pid;
77748 size = i_size_read(path.dentry->d_inode);
77751 diff --git a/kernel/acct.c b/kernel/acct.c
77752 index 8d6e145..33e0b1e 100644
77753 --- a/kernel/acct.c
77754 +++ b/kernel/acct.c
77755 @@ -556,7 +556,7 @@ static void do_acct_process(struct bsd_acct_struct *acct,
77757 flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
77758 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
77759 - file->f_op->write(file, (char *)&ac,
77760 + file->f_op->write(file, (char __force_user *)&ac,
77761 sizeof(acct_t), &file->f_pos);
77762 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
77764 diff --git a/kernel/audit.c b/kernel/audit.c
77765 index 91e53d0..d9e3ec4 100644
77766 --- a/kernel/audit.c
77767 +++ b/kernel/audit.c
77768 @@ -118,7 +118,7 @@ u32 audit_sig_sid = 0;
77769 3) suppressed due to audit_rate_limit
77770 4) suppressed due to audit_backlog_limit
77772 -static atomic_t audit_lost = ATOMIC_INIT(0);
77773 +static atomic_unchecked_t audit_lost = ATOMIC_INIT(0);
77775 /* The netlink socket. */
77776 static struct sock *audit_sock;
77777 @@ -240,7 +240,7 @@ void audit_log_lost(const char *message)
77781 - atomic_inc(&audit_lost);
77782 + atomic_inc_unchecked(&audit_lost);
77784 print = (audit_failure == AUDIT_FAIL_PANIC || !audit_rate_limit);
77786 @@ -259,7 +259,7 @@ void audit_log_lost(const char *message)
77787 printk(KERN_WARNING
77788 "audit: audit_lost=%d audit_rate_limit=%d "
77789 "audit_backlog_limit=%d\n",
77790 - atomic_read(&audit_lost),
77791 + atomic_read_unchecked(&audit_lost),
77793 audit_backlog_limit);
77794 audit_panic(message);
77795 @@ -664,7 +664,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
77796 status_set.pid = audit_pid;
77797 status_set.rate_limit = audit_rate_limit;
77798 status_set.backlog_limit = audit_backlog_limit;
77799 - status_set.lost = atomic_read(&audit_lost);
77800 + status_set.lost = atomic_read_unchecked(&audit_lost);
77801 status_set.backlog = skb_queue_len(&audit_skb_queue);
77802 audit_send_reply(NETLINK_CB(skb).portid, seq, AUDIT_GET, 0, 0,
77803 &status_set, sizeof(status_set));
77804 diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
77805 index 6bd4a90..0ee9eff 100644
77806 --- a/kernel/auditfilter.c
77807 +++ b/kernel/auditfilter.c
77808 @@ -423,7 +423,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
77809 f->lsm_rule = NULL;
77811 /* Support legacy tests for a valid loginuid */
77812 - if ((f->type == AUDIT_LOGINUID) && (f->val == 4294967295)) {
77813 + if ((f->type == AUDIT_LOGINUID) && (f->val == 4294967295U)) {
77814 f->type = AUDIT_LOGINUID_SET;
77817 diff --git a/kernel/auditsc.c b/kernel/auditsc.c
77818 index 3c8a601..3a416f6 100644
77819 --- a/kernel/auditsc.c
77820 +++ b/kernel/auditsc.c
77821 @@ -1956,7 +1956,7 @@ int auditsc_get_stamp(struct audit_context *ctx,
77824 /* global counter which is incremented every time something logs in */
77825 -static atomic_t session_id = ATOMIC_INIT(0);
77826 +static atomic_unchecked_t session_id = ATOMIC_INIT(0);
77829 * audit_set_loginuid - set current task's audit_context loginuid
77830 @@ -1980,7 +1980,7 @@ int audit_set_loginuid(kuid_t loginuid)
77832 #endif /* CONFIG_AUDIT_LOGINUID_IMMUTABLE */
77834 - sessionid = atomic_inc_return(&session_id);
77835 + sessionid = atomic_inc_return_unchecked(&session_id);
77836 if (context && context->in_syscall) {
77837 struct audit_buffer *ab;
77839 diff --git a/kernel/capability.c b/kernel/capability.c
77840 index f6c2ce5..982c0f9 100644
77841 --- a/kernel/capability.c
77842 +++ b/kernel/capability.c
77843 @@ -202,6 +202,9 @@ SYSCALL_DEFINE2(capget, cap_user_header_t, header, cap_user_data_t, dataptr)
77844 * before modification is attempted and the application
77847 + if (tocopy > ARRAY_SIZE(kdata))
77850 if (copy_to_user(dataptr, kdata, tocopy
77851 * sizeof(struct __user_cap_data_struct))) {
77853 @@ -303,10 +306,11 @@ bool has_ns_capability(struct task_struct *t,
77857 - ret = security_capable(__task_cred(t), ns, cap);
77858 + ret = security_capable(__task_cred(t), ns, cap) == 0 &&
77859 + gr_task_is_capable(t, __task_cred(t), cap);
77862 - return (ret == 0);
77867 @@ -343,10 +347,10 @@ bool has_ns_capability_noaudit(struct task_struct *t,
77871 - ret = security_capable_noaudit(__task_cred(t), ns, cap);
77872 + ret = security_capable_noaudit(__task_cred(t), ns, cap) == 0 && gr_task_is_capable_nolog(t, cap);
77875 - return (ret == 0);
77880 @@ -384,7 +388,7 @@ bool ns_capable(struct user_namespace *ns, int cap)
77884 - if (security_capable(current_cred(), ns, cap) == 0) {
77885 + if (security_capable(current_cred(), ns, cap) == 0 && gr_is_capable(cap)) {
77886 current->flags |= PF_SUPERPRIV;
77889 @@ -392,6 +396,21 @@ bool ns_capable(struct user_namespace *ns, int cap)
77891 EXPORT_SYMBOL(ns_capable);
77893 +bool ns_capable_nolog(struct user_namespace *ns, int cap)
77895 + if (unlikely(!cap_valid(cap))) {
77896 + printk(KERN_CRIT "capable_nolog() called with invalid cap=%u\n", cap);
77900 + if (security_capable_noaudit(current_cred(), ns, cap) == 0 && gr_is_capable_nolog(cap)) {
77901 + current->flags |= PF_SUPERPRIV;
77906 +EXPORT_SYMBOL(ns_capable_nolog);
77909 * file_ns_capable - Determine if the file's opener had a capability in effect
77910 * @file: The file we want to check
77911 @@ -432,6 +451,12 @@ bool capable(int cap)
77913 EXPORT_SYMBOL(capable);
77915 +bool capable_nolog(int cap)
77917 + return ns_capable_nolog(&init_user_ns, cap);
77919 +EXPORT_SYMBOL(capable_nolog);
77922 * nsown_capable - Check superior capability to one's own user_ns
77923 * @cap: The capability in question
77924 @@ -464,3 +489,10 @@ bool inode_capable(const struct inode *inode, int cap)
77926 return ns_capable(ns, cap) && kuid_has_mapping(ns, inode->i_uid);
77929 +bool inode_capable_nolog(const struct inode *inode, int cap)
77931 + struct user_namespace *ns = current_user_ns();
77933 + return ns_capable_nolog(ns, cap) && kuid_has_mapping(ns, inode->i_uid);
77935 diff --git a/kernel/cgroup.c b/kernel/cgroup.c
77936 index 2e9b387..61817b1 100644
77937 --- a/kernel/cgroup.c
77938 +++ b/kernel/cgroup.c
77939 @@ -5398,7 +5398,7 @@ static int cgroup_css_links_read(struct cgroup *cont,
77940 struct css_set *cg = link->cg;
77941 struct task_struct *task;
77943 - seq_printf(seq, "css_set %p\n", cg);
77944 + seq_printf(seq, "css_set %pK\n", cg);
77945 list_for_each_entry(task, &cg->tasks, cg_list) {
77946 if (count++ > MAX_TASKS_SHOWN_PER_CSS) {
77947 seq_puts(seq, " ...\n");
77948 diff --git a/kernel/compat.c b/kernel/compat.c
77949 index 0a09e48..f44f3f0 100644
77950 --- a/kernel/compat.c
77951 +++ b/kernel/compat.c
77954 #include <linux/linkage.h>
77955 #include <linux/compat.h>
77956 +#include <linux/module.h>
77957 #include <linux/errno.h>
77958 #include <linux/time.h>
77959 #include <linux/signal.h>
77960 @@ -220,7 +221,7 @@ static long compat_nanosleep_restart(struct restart_block *restart)
77961 mm_segment_t oldfs;
77964 - restart->nanosleep.rmtp = (struct timespec __user *) &rmt;
77965 + restart->nanosleep.rmtp = (struct timespec __force_user *) &rmt;
77968 ret = hrtimer_nanosleep_restart(restart);
77969 @@ -252,7 +253,7 @@ asmlinkage long compat_sys_nanosleep(struct compat_timespec __user *rqtp,
77972 ret = hrtimer_nanosleep(&tu,
77973 - rmtp ? (struct timespec __user *)&rmt : NULL,
77974 + rmtp ? (struct timespec __force_user *)&rmt : NULL,
77975 HRTIMER_MODE_REL, CLOCK_MONOTONIC);
77978 @@ -361,7 +362,7 @@ asmlinkage long compat_sys_sigpending(compat_old_sigset_t __user *set)
77979 mm_segment_t old_fs = get_fs();
77982 - ret = sys_sigpending((old_sigset_t __user *) &s);
77983 + ret = sys_sigpending((old_sigset_t __force_user *) &s);
77986 ret = put_user(s, set);
77987 @@ -451,7 +452,7 @@ asmlinkage long compat_sys_old_getrlimit(unsigned int resource,
77988 mm_segment_t old_fs = get_fs();
77991 - ret = sys_old_getrlimit(resource, &r);
77992 + ret = sys_old_getrlimit(resource, (struct rlimit __force_user *)&r);
77996 @@ -533,8 +534,8 @@ COMPAT_SYSCALL_DEFINE4(wait4,
77997 set_fs (KERNEL_DS);
77998 ret = sys_wait4(pid,
78000 - (unsigned int __user *) &status : NULL),
78001 - options, (struct rusage __user *) &r);
78002 + (unsigned int __force_user *) &status : NULL),
78003 + options, (struct rusage __force_user *) &r);
78007 @@ -560,8 +561,8 @@ COMPAT_SYSCALL_DEFINE5(waitid,
78008 memset(&info, 0, sizeof(info));
78011 - ret = sys_waitid(which, pid, (siginfo_t __user *)&info, options,
78012 - uru ? (struct rusage __user *)&ru : NULL);
78013 + ret = sys_waitid(which, pid, (siginfo_t __force_user *)&info, options,
78014 + uru ? (struct rusage __force_user *)&ru : NULL);
78017 if ((ret < 0) || (info.si_signo == 0))
78018 @@ -695,8 +696,8 @@ long compat_sys_timer_settime(timer_t timer_id, int flags,
78021 err = sys_timer_settime(timer_id, flags,
78022 - (struct itimerspec __user *) &newts,
78023 - (struct itimerspec __user *) &oldts);
78024 + (struct itimerspec __force_user *) &newts,
78025 + (struct itimerspec __force_user *) &oldts);
78027 if (!err && old && put_compat_itimerspec(old, &oldts))
78029 @@ -713,7 +714,7 @@ long compat_sys_timer_gettime(timer_t timer_id,
78032 err = sys_timer_gettime(timer_id,
78033 - (struct itimerspec __user *) &ts);
78034 + (struct itimerspec __force_user *) &ts);
78036 if (!err && put_compat_itimerspec(setting, &ts))
78038 @@ -732,7 +733,7 @@ long compat_sys_clock_settime(clockid_t which_clock,
78041 err = sys_clock_settime(which_clock,
78042 - (struct timespec __user *) &ts);
78043 + (struct timespec __force_user *) &ts);
78047 @@ -747,7 +748,7 @@ long compat_sys_clock_gettime(clockid_t which_clock,
78050 err = sys_clock_gettime(which_clock,
78051 - (struct timespec __user *) &ts);
78052 + (struct timespec __force_user *) &ts);
78054 if (!err && put_compat_timespec(&ts, tp))
78056 @@ -767,7 +768,7 @@ long compat_sys_clock_adjtime(clockid_t which_clock,
78060 - ret = sys_clock_adjtime(which_clock, (struct timex __user *) &txc);
78061 + ret = sys_clock_adjtime(which_clock, (struct timex __force_user *) &txc);
78064 err = compat_put_timex(utp, &txc);
78065 @@ -787,7 +788,7 @@ long compat_sys_clock_getres(clockid_t which_clock,
78068 err = sys_clock_getres(which_clock,
78069 - (struct timespec __user *) &ts);
78070 + (struct timespec __force_user *) &ts);
78072 if (!err && tp && put_compat_timespec(&ts, tp))
78074 @@ -799,9 +800,9 @@ static long compat_clock_nanosleep_restart(struct restart_block *restart)
78076 mm_segment_t oldfs;
78077 struct timespec tu;
78078 - struct compat_timespec *rmtp = restart->nanosleep.compat_rmtp;
78079 + struct compat_timespec __user *rmtp = restart->nanosleep.compat_rmtp;
78081 - restart->nanosleep.rmtp = (struct timespec __user *) &tu;
78082 + restart->nanosleep.rmtp = (struct timespec __force_user *) &tu;
78085 err = clock_nanosleep_restart(restart);
78086 @@ -833,8 +834,8 @@ long compat_sys_clock_nanosleep(clockid_t which_clock, int flags,
78089 err = sys_clock_nanosleep(which_clock, flags,
78090 - (struct timespec __user *) &in,
78091 - (struct timespec __user *) &out);
78092 + (struct timespec __force_user *) &in,
78093 + (struct timespec __force_user *) &out);
78096 if ((err == -ERESTART_RESTARTBLOCK) && rmtp &&
78097 diff --git a/kernel/configs.c b/kernel/configs.c
78098 index c18b1f1..b9a0132 100644
78099 --- a/kernel/configs.c
78100 +++ b/kernel/configs.c
78101 @@ -74,8 +74,19 @@ static int __init ikconfig_init(void)
78102 struct proc_dir_entry *entry;
78104 /* create the current config file */
78105 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
78106 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)
78107 + entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
78108 + &ikconfig_file_ops);
78109 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
78110 + entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
78111 + &ikconfig_file_ops);
78114 entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
78115 &ikconfig_file_ops);
78121 diff --git a/kernel/cred.c b/kernel/cred.c
78122 index e0573a4..3874e41 100644
78123 --- a/kernel/cred.c
78124 +++ b/kernel/cred.c
78125 @@ -164,6 +164,16 @@ void exit_creds(struct task_struct *tsk)
78126 validate_creds(cred);
78127 alter_cred_subscribers(cred, -1);
78130 +#ifdef CONFIG_GRKERNSEC_SETXID
78131 + cred = (struct cred *) tsk->delayed_cred;
78132 + if (cred != NULL) {
78133 + tsk->delayed_cred = NULL;
78134 + validate_creds(cred);
78135 + alter_cred_subscribers(cred, -1);
78142 @@ -411,7 +421,7 @@ static bool cred_cap_issubset(const struct cred *set, const struct cred *subset)
78143 * Always returns 0 thus allowing this function to be tail-called at the end
78144 * of, say, sys_setgid().
78146 -int commit_creds(struct cred *new)
78147 +static int __commit_creds(struct cred *new)
78149 struct task_struct *task = current;
78150 const struct cred *old = task->real_cred;
78151 @@ -430,6 +440,8 @@ int commit_creds(struct cred *new)
78153 get_cred(new); /* we will require a ref for the subj creds too */
78155 + gr_set_role_label(task, new->uid, new->gid);
78157 /* dumpability changes */
78158 if (!uid_eq(old->euid, new->euid) ||
78159 !gid_eq(old->egid, new->egid) ||
78160 @@ -479,6 +491,102 @@ int commit_creds(struct cred *new)
78164 +#ifdef CONFIG_GRKERNSEC_SETXID
78165 +extern int set_user(struct cred *new);
78167 +void gr_delayed_cred_worker(void)
78169 + const struct cred *new = current->delayed_cred;
78170 + struct cred *ncred;
78172 + current->delayed_cred = NULL;
78174 + if (!uid_eq(current_uid(), GLOBAL_ROOT_UID) && new != NULL) {
78175 + // from doing get_cred on it when queueing this
78178 + } else if (new == NULL)
78181 + ncred = prepare_creds();
78185 + ncred->uid = new->uid;
78186 + ncred->euid = new->euid;
78187 + ncred->suid = new->suid;
78188 + ncred->fsuid = new->fsuid;
78190 + ncred->gid = new->gid;
78191 + ncred->egid = new->egid;
78192 + ncred->sgid = new->sgid;
78193 + ncred->fsgid = new->fsgid;
78195 + if (set_groups(ncred, new->group_info) < 0) {
78196 + abort_creds(ncred);
78200 + ncred->securebits = new->securebits;
78201 + ncred->cap_inheritable = new->cap_inheritable;
78202 + ncred->cap_permitted = new->cap_permitted;
78203 + ncred->cap_effective = new->cap_effective;
78204 + ncred->cap_bset = new->cap_bset;
78206 + if (set_user(ncred)) {
78207 + abort_creds(ncred);
78211 + // from doing get_cred on it when queueing this
78214 + __commit_creds(ncred);
78217 + // from doing get_cred on it when queueing this
78219 + do_group_exit(SIGKILL);
78223 +int commit_creds(struct cred *new)
78225 +#ifdef CONFIG_GRKERNSEC_SETXID
78227 + int schedule_it = 0;
78228 + struct task_struct *t;
78230 + /* we won't get called with tasklist_lock held for writing
78231 + and interrupts disabled as the cred struct in that case is
78234 + if (grsec_enable_setxid && !current_is_single_threaded() &&
78235 + uid_eq(current_uid(), GLOBAL_ROOT_UID) &&
78236 + !uid_eq(new->uid, GLOBAL_ROOT_UID)) {
78239 + ret = __commit_creds(new);
78240 + if (schedule_it) {
78242 + read_lock(&tasklist_lock);
78243 + for (t = next_thread(current); t != current;
78244 + t = next_thread(t)) {
78245 + if (t->delayed_cred == NULL) {
78246 + t->delayed_cred = get_cred(new);
78247 + set_tsk_thread_flag(t, TIF_GRSEC_SETXID);
78248 + set_tsk_need_resched(t);
78251 + read_unlock(&tasklist_lock);
78252 + rcu_read_unlock();
78256 + return __commit_creds(new);
78260 EXPORT_SYMBOL(commit_creds);
78263 diff --git a/kernel/debug/debug_core.c b/kernel/debug/debug_core.c
78264 index 0506d44..2c20034 100644
78265 --- a/kernel/debug/debug_core.c
78266 +++ b/kernel/debug/debug_core.c
78267 @@ -123,7 +123,7 @@ static DEFINE_RAW_SPINLOCK(dbg_slave_lock);
78269 static atomic_t masters_in_kgdb;
78270 static atomic_t slaves_in_kgdb;
78271 -static atomic_t kgdb_break_tasklet_var;
78272 +static atomic_unchecked_t kgdb_break_tasklet_var;
78273 atomic_t kgdb_setting_breakpoint;
78275 struct task_struct *kgdb_usethread;
78276 @@ -133,7 +133,7 @@ int kgdb_single_step;
78277 static pid_t kgdb_sstep_pid;
78279 /* to keep track of the CPU which is doing the single stepping*/
78280 -atomic_t kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
78281 +atomic_unchecked_t kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
78284 * If you are debugging a problem where roundup (the collection of
78285 @@ -541,7 +541,7 @@ return_normal:
78286 * kernel will only try for the value of sstep_tries before
78287 * giving up and continuing on.
78289 - if (atomic_read(&kgdb_cpu_doing_single_step) != -1 &&
78290 + if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1 &&
78291 (kgdb_info[cpu].task &&
78292 kgdb_info[cpu].task->pid != kgdb_sstep_pid) && --sstep_tries) {
78293 atomic_set(&kgdb_active, -1);
78294 @@ -635,8 +635,8 @@ cpu_master_loop:
78298 - if (atomic_read(&kgdb_cpu_doing_single_step) != -1) {
78299 - int sstep_cpu = atomic_read(&kgdb_cpu_doing_single_step);
78300 + if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1) {
78301 + int sstep_cpu = atomic_read_unchecked(&kgdb_cpu_doing_single_step);
78302 if (kgdb_info[sstep_cpu].task)
78303 kgdb_sstep_pid = kgdb_info[sstep_cpu].task->pid;
78305 @@ -888,18 +888,18 @@ static void kgdb_unregister_callbacks(void)
78306 static void kgdb_tasklet_bpt(unsigned long ing)
78309 - atomic_set(&kgdb_break_tasklet_var, 0);
78310 + atomic_set_unchecked(&kgdb_break_tasklet_var, 0);
78313 static DECLARE_TASKLET(kgdb_tasklet_breakpoint, kgdb_tasklet_bpt, 0);
78315 void kgdb_schedule_breakpoint(void)
78317 - if (atomic_read(&kgdb_break_tasklet_var) ||
78318 + if (atomic_read_unchecked(&kgdb_break_tasklet_var) ||
78319 atomic_read(&kgdb_active) != -1 ||
78320 atomic_read(&kgdb_setting_breakpoint))
78322 - atomic_inc(&kgdb_break_tasklet_var);
78323 + atomic_inc_unchecked(&kgdb_break_tasklet_var);
78324 tasklet_schedule(&kgdb_tasklet_breakpoint);
78326 EXPORT_SYMBOL_GPL(kgdb_schedule_breakpoint);
78327 diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c
78328 index 00eb8f7..d7e3244 100644
78329 --- a/kernel/debug/kdb/kdb_main.c
78330 +++ b/kernel/debug/kdb/kdb_main.c
78331 @@ -1974,7 +1974,7 @@ static int kdb_lsmod(int argc, const char **argv)
78334 kdb_printf("%-20s%8u 0x%p ", mod->name,
78335 - mod->core_size, (void *)mod);
78336 + mod->core_size_rx + mod->core_size_rw, (void *)mod);
78337 #ifdef CONFIG_MODULE_UNLOAD
78338 kdb_printf("%4ld ", module_refcount(mod));
78340 @@ -1984,7 +1984,7 @@ static int kdb_lsmod(int argc, const char **argv)
78341 kdb_printf(" (Loading)");
78343 kdb_printf(" (Live)");
78344 - kdb_printf(" 0x%p", mod->module_core);
78345 + kdb_printf(" 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
78347 #ifdef CONFIG_MODULE_UNLOAD
78349 diff --git a/kernel/events/core.c b/kernel/events/core.c
78350 index e76e495..cbfe63a 100644
78351 --- a/kernel/events/core.c
78352 +++ b/kernel/events/core.c
78353 @@ -156,8 +156,15 @@ static struct srcu_struct pmus_srcu;
78354 * 0 - disallow raw tracepoint access for unpriv
78355 * 1 - disallow cpu events for unpriv
78356 * 2 - disallow kernel profiling for unpriv
78357 + * 3 - disallow all unpriv perf event use
78359 -int sysctl_perf_event_paranoid __read_mostly = 1;
78360 +#ifdef CONFIG_GRKERNSEC_PERF_HARDEN
78361 +int sysctl_perf_event_legitimately_concerned __read_mostly = 3;
78362 +#elif defined(CONFIG_GRKERNSEC_HIDESYM)
78363 +int sysctl_perf_event_legitimately_concerned __read_mostly = 2;
78365 +int sysctl_perf_event_legitimately_concerned __read_mostly = 1;
78368 /* Minimum for 512 kiB + 1 user control page */
78369 int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
78370 @@ -184,7 +191,7 @@ int perf_proc_update_handler(struct ctl_table *table, int write,
78374 -static atomic64_t perf_event_id;
78375 +static atomic64_unchecked_t perf_event_id;
78377 static void cpu_ctx_sched_out(struct perf_cpu_context *cpuctx,
78378 enum event_type_t event_type);
78379 @@ -2747,7 +2754,7 @@ static void __perf_event_read(void *info)
78381 static inline u64 perf_event_count(struct perf_event *event)
78383 - return local64_read(&event->count) + atomic64_read(&event->child_count);
78384 + return local64_read(&event->count) + atomic64_read_unchecked(&event->child_count);
78387 static u64 perf_event_read(struct perf_event *event)
78388 @@ -3093,9 +3100,9 @@ u64 perf_event_read_value(struct perf_event *event, u64 *enabled, u64 *running)
78389 mutex_lock(&event->child_mutex);
78390 total += perf_event_read(event);
78391 *enabled += event->total_time_enabled +
78392 - atomic64_read(&event->child_total_time_enabled);
78393 + atomic64_read_unchecked(&event->child_total_time_enabled);
78394 *running += event->total_time_running +
78395 - atomic64_read(&event->child_total_time_running);
78396 + atomic64_read_unchecked(&event->child_total_time_running);
78398 list_for_each_entry(child, &event->child_list, child_list) {
78399 total += perf_event_read(child);
78400 @@ -3481,10 +3488,10 @@ void perf_event_update_userpage(struct perf_event *event)
78401 userpg->offset -= local64_read(&event->hw.prev_count);
78403 userpg->time_enabled = enabled +
78404 - atomic64_read(&event->child_total_time_enabled);
78405 + atomic64_read_unchecked(&event->child_total_time_enabled);
78407 userpg->time_running = running +
78408 - atomic64_read(&event->child_total_time_running);
78409 + atomic64_read_unchecked(&event->child_total_time_running);
78411 arch_perf_update_userpage(userpg, now);
78413 @@ -4034,7 +4041,7 @@ perf_output_sample_ustack(struct perf_output_handle *handle, u64 dump_size,
78416 sp = perf_user_stack_pointer(regs);
78417 - rem = __output_copy_user(handle, (void *) sp, dump_size);
78418 + rem = __output_copy_user(handle, (void __user *) sp, dump_size);
78419 dyn_size = dump_size - rem;
78421 perf_output_skip(handle, rem);
78422 @@ -4122,11 +4129,11 @@ static void perf_output_read_one(struct perf_output_handle *handle,
78423 values[n++] = perf_event_count(event);
78424 if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
78425 values[n++] = enabled +
78426 - atomic64_read(&event->child_total_time_enabled);
78427 + atomic64_read_unchecked(&event->child_total_time_enabled);
78429 if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) {
78430 values[n++] = running +
78431 - atomic64_read(&event->child_total_time_running);
78432 + atomic64_read_unchecked(&event->child_total_time_running);
78434 if (read_format & PERF_FORMAT_ID)
78435 values[n++] = primary_event_id(event);
78436 @@ -4835,12 +4842,12 @@ static void perf_event_mmap_event(struct perf_mmap_event *mmap_event)
78437 * need to add enough zero bytes after the string to handle
78438 * the 64bit alignment we do later.
78440 - buf = kzalloc(PATH_MAX + sizeof(u64), GFP_KERNEL);
78441 + buf = kzalloc(PATH_MAX, GFP_KERNEL);
78443 name = strncpy(tmp, "//enomem", sizeof(tmp));
78446 - name = d_path(&file->f_path, buf, PATH_MAX);
78447 + name = d_path(&file->f_path, buf, PATH_MAX - sizeof(u64));
78448 if (IS_ERR(name)) {
78449 name = strncpy(tmp, "//toolong", sizeof(tmp));
78451 @@ -6262,7 +6269,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu,
78452 event->parent = parent_event;
78454 event->ns = get_pid_ns(task_active_pid_ns(current));
78455 - event->id = atomic64_inc_return(&perf_event_id);
78456 + event->id = atomic64_inc_return_unchecked(&perf_event_id);
78458 event->state = PERF_EVENT_STATE_INACTIVE;
78460 @@ -6572,6 +6579,11 @@ SYSCALL_DEFINE5(perf_event_open,
78461 if (flags & ~PERF_FLAG_ALL)
78464 +#ifdef CONFIG_GRKERNSEC_PERF_HARDEN
78465 + if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))
78469 err = perf_copy_attr(attr_uptr, &attr);
78472 @@ -6904,10 +6916,10 @@ static void sync_child_event(struct perf_event *child_event,
78474 * Add back the child's count to the parent's count:
78476 - atomic64_add(child_val, &parent_event->child_count);
78477 - atomic64_add(child_event->total_time_enabled,
78478 + atomic64_add_unchecked(child_val, &parent_event->child_count);
78479 + atomic64_add_unchecked(child_event->total_time_enabled,
78480 &parent_event->child_total_time_enabled);
78481 - atomic64_add(child_event->total_time_running,
78482 + atomic64_add_unchecked(child_event->total_time_running,
78483 &parent_event->child_total_time_running);
78486 diff --git a/kernel/events/internal.h b/kernel/events/internal.h
78487 index ca65997..cc8cee4 100644
78488 --- a/kernel/events/internal.h
78489 +++ b/kernel/events/internal.h
78490 @@ -81,10 +81,10 @@ static inline unsigned long perf_data_size(struct ring_buffer *rb)
78491 return rb->nr_pages << (PAGE_SHIFT + page_order(rb));
78494 -#define DEFINE_OUTPUT_COPY(func_name, memcpy_func) \
78495 +#define DEFINE_OUTPUT_COPY(func_name, memcpy_func, user) \
78496 static inline unsigned int \
78497 func_name(struct perf_output_handle *handle, \
78498 - const void *buf, unsigned int len) \
78499 + const void user *buf, unsigned int len) \
78501 unsigned long size, written; \
78503 @@ -116,17 +116,17 @@ static inline int memcpy_common(void *dst, const void *src, size_t n)
78507 -DEFINE_OUTPUT_COPY(__output_copy, memcpy_common)
78508 +DEFINE_OUTPUT_COPY(__output_copy, memcpy_common, )
78510 #define MEMCPY_SKIP(dst, src, n) (n)
78512 -DEFINE_OUTPUT_COPY(__output_skip, MEMCPY_SKIP)
78513 +DEFINE_OUTPUT_COPY(__output_skip, MEMCPY_SKIP, )
78515 #ifndef arch_perf_out_copy_user
78516 #define arch_perf_out_copy_user __copy_from_user_inatomic
78519 -DEFINE_OUTPUT_COPY(__output_copy_user, arch_perf_out_copy_user)
78520 +DEFINE_OUTPUT_COPY(__output_copy_user, arch_perf_out_copy_user, __user)
78522 /* Callchain handling */
78523 extern struct perf_callchain_entry *
78524 diff --git a/kernel/exit.c b/kernel/exit.c
78525 index 7bb73f9..d7978ed 100644
78526 --- a/kernel/exit.c
78527 +++ b/kernel/exit.c
78528 @@ -172,6 +172,10 @@ void release_task(struct task_struct * p)
78529 struct task_struct *leader;
78533 + gr_del_task_from_ip_table(p);
78536 /* don't need to get the RCU readlock here - the process is dead and
78537 * can't be modifying its own credentials. But shut RCU-lockdep up */
78539 @@ -340,7 +344,7 @@ int allow_signal(int sig)
78540 * know it'll be handled, so that they don't get converted to
78541 * SIGKILL or just silently dropped.
78543 - current->sighand->action[(sig)-1].sa.sa_handler = (void __user *)2;
78544 + current->sighand->action[(sig)-1].sa.sa_handler = (__force void __user *)2;
78545 recalc_sigpending();
78546 spin_unlock_irq(¤t->sighand->siglock);
78548 @@ -709,6 +713,8 @@ void do_exit(long code)
78549 struct task_struct *tsk = current;
78554 profile_task_exit(tsk);
78556 WARN_ON(blk_needs_flush_plug(tsk));
78557 @@ -725,7 +731,6 @@ void do_exit(long code)
78558 * mm_release()->clear_child_tid() from writing to a user-controlled
78563 ptrace_event(PTRACE_EVENT_EXIT, code);
78565 @@ -784,6 +789,9 @@ void do_exit(long code)
78566 tsk->exit_code = code;
78567 taskstats_exit(tsk, group_dead);
78569 + gr_acl_handle_psacct(tsk, code);
78570 + gr_acl_handle_exit();
78575 @@ -905,7 +913,7 @@ SYSCALL_DEFINE1(exit, int, error_code)
78576 * Take down every thread in the group. This is called by fatal signals
78577 * as well as by sys_exit_group (below).
78581 do_group_exit(int exit_code)
78583 struct signal_struct *sig = current->signal;
78584 diff --git a/kernel/fork.c b/kernel/fork.c
78585 index ffbc090..08ceeee 100644
78586 --- a/kernel/fork.c
78587 +++ b/kernel/fork.c
78588 @@ -319,7 +319,7 @@ static struct task_struct *dup_task_struct(struct task_struct *orig)
78589 *stackend = STACK_END_MAGIC; /* for overflow detection */
78591 #ifdef CONFIG_CC_STACKPROTECTOR
78592 - tsk->stack_canary = get_random_int();
78593 + tsk->stack_canary = pax_get_random_long();
78597 @@ -345,13 +345,81 @@ free_tsk:
78601 +static struct vm_area_struct *dup_vma(struct mm_struct *mm, struct mm_struct *oldmm, struct vm_area_struct *mpnt)
78603 + struct vm_area_struct *tmp;
78604 + unsigned long charge;
78605 + struct mempolicy *pol;
78606 + struct file *file;
78609 + if (mpnt->vm_flags & VM_ACCOUNT) {
78610 + unsigned long len = vma_pages(mpnt);
78612 + if (security_vm_enough_memory_mm(oldmm, len)) /* sic */
78616 + tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
78621 + INIT_LIST_HEAD(&tmp->anon_vma_chain);
78622 + pol = mpol_dup(vma_policy(mpnt));
78624 + goto fail_nomem_policy;
78625 + vma_set_policy(tmp, pol);
78626 + if (anon_vma_fork(tmp, mpnt))
78627 + goto fail_nomem_anon_vma_fork;
78628 + tmp->vm_flags &= ~VM_LOCKED;
78629 + tmp->vm_next = tmp->vm_prev = NULL;
78630 + tmp->vm_mirror = NULL;
78631 + file = tmp->vm_file;
78633 + struct inode *inode = file_inode(file);
78634 + struct address_space *mapping = file->f_mapping;
78637 + if (tmp->vm_flags & VM_DENYWRITE)
78638 + atomic_dec(&inode->i_writecount);
78639 + mutex_lock(&mapping->i_mmap_mutex);
78640 + if (tmp->vm_flags & VM_SHARED)
78641 + mapping->i_mmap_writable++;
78642 + flush_dcache_mmap_lock(mapping);
78643 + /* insert tmp into the share list, just after mpnt */
78644 + if (unlikely(tmp->vm_flags & VM_NONLINEAR))
78645 + vma_nonlinear_insert(tmp, &mapping->i_mmap_nonlinear);
78647 + vma_interval_tree_insert_after(tmp, mpnt, &mapping->i_mmap);
78648 + flush_dcache_mmap_unlock(mapping);
78649 + mutex_unlock(&mapping->i_mmap_mutex);
78653 + * Clear hugetlb-related page reserves for children. This only
78654 + * affects MAP_PRIVATE mappings. Faults generated by the child
78655 + * are not guaranteed to succeed, even if read-only
78657 + if (is_vm_hugetlb_page(tmp))
78658 + reset_vma_resv_huge_pages(tmp);
78662 +fail_nomem_anon_vma_fork:
78664 +fail_nomem_policy:
78665 + kmem_cache_free(vm_area_cachep, tmp);
78667 + vm_unacct_memory(charge);
78671 static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
78673 struct vm_area_struct *mpnt, *tmp, *prev, **pprev;
78674 struct rb_node **rb_link, *rb_parent;
78676 - unsigned long charge;
78677 - struct mempolicy *pol;
78679 uprobe_start_dup_mmap();
78680 down_write(&oldmm->mmap_sem);
78681 @@ -365,8 +433,8 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
78684 mm->mmap_cache = NULL;
78685 - mm->free_area_cache = oldmm->mmap_base;
78686 - mm->cached_hole_size = ~0UL;
78687 + mm->free_area_cache = oldmm->free_area_cache;
78688 + mm->cached_hole_size = oldmm->cached_hole_size;
78690 cpumask_clear(mm_cpumask(mm));
78691 mm->mm_rb = RB_ROOT;
78692 @@ -382,57 +450,15 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
78695 for (mpnt = oldmm->mmap; mpnt; mpnt = mpnt->vm_next) {
78696 - struct file *file;
78698 if (mpnt->vm_flags & VM_DONTCOPY) {
78699 vm_stat_account(mm, mpnt->vm_flags, mpnt->vm_file,
78704 - if (mpnt->vm_flags & VM_ACCOUNT) {
78705 - unsigned long len = vma_pages(mpnt);
78707 - if (security_vm_enough_memory_mm(oldmm, len)) /* sic */
78711 - tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
78715 - INIT_LIST_HEAD(&tmp->anon_vma_chain);
78716 - pol = mpol_dup(vma_policy(mpnt));
78717 - retval = PTR_ERR(pol);
78719 - goto fail_nomem_policy;
78720 - vma_set_policy(tmp, pol);
78722 - if (anon_vma_fork(tmp, mpnt))
78723 - goto fail_nomem_anon_vma_fork;
78724 - tmp->vm_flags &= ~VM_LOCKED;
78725 - tmp->vm_next = tmp->vm_prev = NULL;
78726 - file = tmp->vm_file;
78728 - struct inode *inode = file_inode(file);
78729 - struct address_space *mapping = file->f_mapping;
78732 - if (tmp->vm_flags & VM_DENYWRITE)
78733 - atomic_dec(&inode->i_writecount);
78734 - mutex_lock(&mapping->i_mmap_mutex);
78735 - if (tmp->vm_flags & VM_SHARED)
78736 - mapping->i_mmap_writable++;
78737 - flush_dcache_mmap_lock(mapping);
78738 - /* insert tmp into the share list, just after mpnt */
78739 - if (unlikely(tmp->vm_flags & VM_NONLINEAR))
78740 - vma_nonlinear_insert(tmp,
78741 - &mapping->i_mmap_nonlinear);
78743 - vma_interval_tree_insert_after(tmp, mpnt,
78744 - &mapping->i_mmap);
78745 - flush_dcache_mmap_unlock(mapping);
78746 - mutex_unlock(&mapping->i_mmap_mutex);
78747 + tmp = dup_vma(mm, oldmm, mpnt);
78749 + retval = -ENOMEM;
78754 @@ -464,6 +490,31 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
78759 +#ifdef CONFIG_PAX_SEGMEXEC
78760 + if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
78761 + struct vm_area_struct *mpnt_m;
78763 + for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
78764 + BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
78766 + if (!mpnt->vm_mirror)
78769 + if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
78770 + BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
78771 + mpnt->vm_mirror = mpnt_m;
78773 + BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
78774 + mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
78775 + mpnt_m->vm_mirror->vm_mirror = mpnt_m;
78776 + mpnt->vm_mirror->vm_mirror = mpnt;
78783 /* a new mm has just been created */
78784 arch_dup_mmap(oldmm, mm);
78786 @@ -473,14 +524,6 @@ out:
78787 up_write(&oldmm->mmap_sem);
78788 uprobe_end_dup_mmap();
78790 -fail_nomem_anon_vma_fork:
78792 -fail_nomem_policy:
78793 - kmem_cache_free(vm_area_cachep, tmp);
78795 - retval = -ENOMEM;
78796 - vm_unacct_memory(charge);
78800 static inline int mm_alloc_pgd(struct mm_struct *mm)
78801 @@ -695,8 +738,8 @@ struct mm_struct *mm_access(struct task_struct *task, unsigned int mode)
78802 return ERR_PTR(err);
78804 mm = get_task_mm(task);
78805 - if (mm && mm != current->mm &&
78806 - !ptrace_may_access(task, mode)) {
78807 + if (mm && ((mm != current->mm && !ptrace_may_access(task, mode)) ||
78808 + (mode == PTRACE_MODE_ATTACH && (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))))) {
78810 mm = ERR_PTR(-EACCES);
78812 @@ -918,13 +961,20 @@ static int copy_fs(unsigned long clone_flags, struct task_struct *tsk)
78813 spin_unlock(&fs->lock);
78817 + atomic_inc(&fs->users);
78818 spin_unlock(&fs->lock);
78821 tsk->fs = copy_fs_struct(fs);
78824 + /* Carry through gr_chroot_dentry and is_chrooted instead
78825 + of recomputing it here. Already copied when the task struct
78826 + is duplicated. This allows pivot_root to not be treated as
78829 + //gr_set_chroot_entries(tsk, &tsk->fs->root);
78834 @@ -1197,10 +1247,13 @@ static struct task_struct *copy_process(unsigned long clone_flags,
78835 DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
78839 + gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
78841 if (atomic_read(&p->real_cred->user->processes) >=
78842 task_rlimit(p, RLIMIT_NPROC)) {
78843 - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
78844 - p->real_cred->user != INIT_USER)
78845 + if (p->real_cred->user != INIT_USER &&
78846 + !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN))
78847 goto bad_fork_free;
78849 current->flags &= ~PF_NPROC_EXCEEDED;
78850 @@ -1446,6 +1499,11 @@ static struct task_struct *copy_process(unsigned long clone_flags,
78851 goto bad_fork_free_pid;
78854 + /* synchronizes with gr_set_acls()
78855 + we need to call this past the point of no return for fork()
78857 + gr_copy_label(p);
78859 if (clone_flags & CLONE_THREAD) {
78860 current->signal->nr_threads++;
78861 atomic_inc(¤t->signal->live);
78862 @@ -1529,6 +1587,8 @@ bad_fork_cleanup_count:
78866 + gr_log_forkfail(retval);
78868 return ERR_PTR(retval);
78871 @@ -1613,6 +1673,8 @@ long do_fork(unsigned long clone_flags,
78872 if (clone_flags & CLONE_PARENT_SETTID)
78873 put_user(nr, parent_tidptr);
78875 + gr_handle_brute_check();
78877 if (clone_flags & CLONE_VFORK) {
78878 p->vfork_done = &vfork;
78879 init_completion(&vfork);
78880 @@ -1729,7 +1791,7 @@ void __init proc_caches_init(void)
78881 mm_cachep = kmem_cache_create("mm_struct",
78882 sizeof(struct mm_struct), ARCH_MIN_MMSTRUCT_ALIGN,
78883 SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_NOTRACK, NULL);
78884 - vm_area_cachep = KMEM_CACHE(vm_area_struct, SLAB_PANIC);
78885 + vm_area_cachep = KMEM_CACHE(vm_area_struct, SLAB_PANIC | SLAB_NO_SANITIZE);
78887 nsproxy_cache_init();
78889 @@ -1769,7 +1831,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp)
78892 /* don't need lock here; in the worst case we'll do useless copy */
78893 - if (fs->users == 1)
78894 + if (atomic_read(&fs->users) == 1)
78897 *new_fsp = copy_fs_struct(fs);
78898 @@ -1881,7 +1943,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
78900 spin_lock(&fs->lock);
78901 current->fs = new_fs;
78903 + gr_set_chroot_entries(current, ¤t->fs->root);
78904 + if (atomic_dec_return(&fs->users))
78908 diff --git a/kernel/futex.c b/kernel/futex.c
78909 index 49dacfb..5c6b450 100644
78910 --- a/kernel/futex.c
78911 +++ b/kernel/futex.c
78913 #include <linux/mount.h>
78914 #include <linux/pagemap.h>
78915 #include <linux/syscalls.h>
78916 +#include <linux/ptrace.h>
78917 #include <linux/signal.h>
78918 #include <linux/export.h>
78919 #include <linux/magic.h>
78920 @@ -242,6 +243,11 @@ get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key, int rw)
78921 struct page *page, *page_head;
78924 +#ifdef CONFIG_PAX_SEGMEXEC
78925 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
78930 * The futex address must be "naturally" aligned.
78932 @@ -2733,6 +2739,7 @@ static int __init futex_init(void)
78936 + mm_segment_t oldfs;
78939 * This will fail and we want it. Some arch implementations do
78940 @@ -2744,8 +2751,11 @@ static int __init futex_init(void)
78941 * implementation, the non-functional ones will return
78944 + oldfs = get_fs();
78946 if (cmpxchg_futex_value_locked(&curval, NULL, 0, 0) == -EFAULT)
78947 futex_cmpxchg_enabled = 1;
78950 for (i = 0; i < ARRAY_SIZE(futex_queues); i++) {
78951 plist_head_init(&futex_queues[i].chain);
78952 diff --git a/kernel/futex_compat.c b/kernel/futex_compat.c
78953 index f9f44fd..29885e4 100644
78954 --- a/kernel/futex_compat.c
78955 +++ b/kernel/futex_compat.c
78956 @@ -32,7 +32,7 @@ fetch_robust_entry(compat_uptr_t *uentry, struct robust_list __user **entry,
78960 -static void __user *futex_uaddr(struct robust_list __user *entry,
78961 +static void __user __intentional_overflow(-1) *futex_uaddr(struct robust_list __user *entry,
78962 compat_long_t futex_offset)
78964 compat_uptr_t base = ptr_to_compat(entry);
78965 diff --git a/kernel/gcov/base.c b/kernel/gcov/base.c
78966 index 9b22d03..6295b62 100644
78967 --- a/kernel/gcov/base.c
78968 +++ b/kernel/gcov/base.c
78969 @@ -102,11 +102,6 @@ void gcov_enable_events(void)
78972 #ifdef CONFIG_MODULES
78973 -static inline int within(void *addr, void *start, unsigned long size)
78975 - return ((addr >= start) && (addr < start + size));
78978 /* Update list and generate events when modules are unloaded. */
78979 static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
78981 @@ -121,7 +116,7 @@ static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
78983 /* Remove entries located in module from linked list. */
78984 for (info = gcov_info_head; info; info = info->next) {
78985 - if (within(info, mod->module_core, mod->core_size)) {
78986 + if (within_module_core_rw((unsigned long)info, mod)) {
78988 prev->next = info->next;
78990 diff --git a/kernel/hrtimer.c b/kernel/hrtimer.c
78991 index 2288fbd..0f3941f 100644
78992 --- a/kernel/hrtimer.c
78993 +++ b/kernel/hrtimer.c
78994 @@ -1435,7 +1435,7 @@ void hrtimer_peek_ahead_timers(void)
78995 local_irq_restore(flags);
78998 -static void run_hrtimer_softirq(struct softirq_action *h)
78999 +static void run_hrtimer_softirq(void)
79001 hrtimer_peek_ahead_timers();
79003 @@ -1770,7 +1770,7 @@ static int __cpuinit hrtimer_cpu_notify(struct notifier_block *self,
79007 -static struct notifier_block __cpuinitdata hrtimers_nb = {
79008 +static struct notifier_block hrtimers_nb = {
79009 .notifier_call = hrtimer_cpu_notify,
79012 diff --git a/kernel/irq_work.c b/kernel/irq_work.c
79013 index 55fcce6..0e4cf34 100644
79014 --- a/kernel/irq_work.c
79015 +++ b/kernel/irq_work.c
79016 @@ -189,12 +189,13 @@ static int irq_work_cpu_notify(struct notifier_block *self,
79020 -static struct notifier_block cpu_notify;
79021 +static struct notifier_block cpu_notify = {
79022 + .notifier_call = irq_work_cpu_notify,
79026 static __init int irq_work_init_cpu_notifier(void)
79028 - cpu_notify.notifier_call = irq_work_cpu_notify;
79029 - cpu_notify.priority = 0;
79030 register_cpu_notifier(&cpu_notify);
79033 diff --git a/kernel/jump_label.c b/kernel/jump_label.c
79034 index 60f48fa..7f3a770 100644
79035 --- a/kernel/jump_label.c
79036 +++ b/kernel/jump_label.c
79038 #include <linux/sort.h>
79039 #include <linux/err.h>
79040 #include <linux/static_key.h>
79041 +#include <linux/mm.h>
79043 #ifdef HAVE_JUMP_LABEL
79045 @@ -50,7 +51,9 @@ jump_label_sort_entries(struct jump_entry *start, struct jump_entry *stop)
79047 size = (((unsigned long)stop - (unsigned long)start)
79048 / sizeof(struct jump_entry));
79049 + pax_open_kernel();
79050 sort(start, size, sizeof(struct jump_entry), jump_label_cmp, NULL);
79051 + pax_close_kernel();
79054 static void jump_label_update(struct static_key *key, int enable);
79055 @@ -357,10 +360,12 @@ static void jump_label_invalidate_module_init(struct module *mod)
79056 struct jump_entry *iter_stop = iter_start + mod->num_jump_entries;
79057 struct jump_entry *iter;
79059 + pax_open_kernel();
79060 for (iter = iter_start; iter < iter_stop; iter++) {
79061 if (within_module_init(iter->code, mod))
79064 + pax_close_kernel();
79068 diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c
79069 index 3127ad5..159d880 100644
79070 --- a/kernel/kallsyms.c
79071 +++ b/kernel/kallsyms.c
79073 * Changed the compression method from stem compression to "table lookup"
79074 * compression (see scripts/kallsyms.c for a more complete description)
79076 +#ifdef CONFIG_GRKERNSEC_HIDESYM
79077 +#define __INCLUDED_BY_HIDESYM 1
79079 #include <linux/kallsyms.h>
79080 #include <linux/module.h>
79081 #include <linux/init.h>
79082 @@ -53,12 +56,33 @@ extern const unsigned long kallsyms_markers[] __attribute__((weak));
79084 static inline int is_kernel_inittext(unsigned long addr)
79086 + if (system_state != SYSTEM_BOOTING)
79089 if (addr >= (unsigned long)_sinittext
79090 && addr <= (unsigned long)_einittext)
79095 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
79096 +#ifdef CONFIG_MODULES
79097 +static inline int is_module_text(unsigned long addr)
79099 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END)
79102 + addr = ktla_ktva(addr);
79103 + return (unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END;
79106 +static inline int is_module_text(unsigned long addr)
79113 static inline int is_kernel_text(unsigned long addr)
79115 if ((addr >= (unsigned long)_stext && addr <= (unsigned long)_etext) ||
79116 @@ -69,13 +93,28 @@ static inline int is_kernel_text(unsigned long addr)
79118 static inline int is_kernel(unsigned long addr)
79121 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
79122 + if (is_kernel_text(addr) || is_kernel_inittext(addr))
79125 + if (ktla_ktva((unsigned long)_text) <= addr && addr < (unsigned long)_end)
79127 if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
79131 return in_gate_area_no_mm(addr);
79134 static int is_ksym_addr(unsigned long addr)
79137 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
79138 + if (is_module_text(addr))
79143 return is_kernel(addr);
79145 @@ -480,7 +519,6 @@ static unsigned long get_ksymbol_core(struct kallsym_iter *iter)
79147 static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
79149 - iter->name[0] = '\0';
79150 iter->nameoff = get_symbol_offset(new_pos);
79151 iter->pos = new_pos;
79153 @@ -528,6 +566,11 @@ static int s_show(struct seq_file *m, void *p)
79155 struct kallsym_iter *iter = m->private;
79157 +#ifdef CONFIG_GRKERNSEC_HIDESYM
79158 + if (!uid_eq(current_uid(), GLOBAL_ROOT_UID))
79162 /* Some debugging symbols have no name. Ignore them. */
79163 if (!iter->name[0])
79165 @@ -541,6 +584,7 @@ static int s_show(struct seq_file *m, void *p)
79167 type = iter->exported ? toupper(iter->type) :
79168 tolower(iter->type);
79170 seq_printf(m, "%pK %c %s\t[%s]\n", (void *)iter->value,
79171 type, iter->name, iter->module_name);
79173 @@ -566,7 +610,7 @@ static int kallsyms_open(struct inode *inode, struct file *file)
79174 struct kallsym_iter *iter;
79177 - iter = kmalloc(sizeof(*iter), GFP_KERNEL);
79178 + iter = kzalloc(sizeof(*iter), GFP_KERNEL);
79181 reset_iter(iter, 0);
79182 diff --git a/kernel/kcmp.c b/kernel/kcmp.c
79183 index e30ac0f..3528cac 100644
79184 --- a/kernel/kcmp.c
79185 +++ b/kernel/kcmp.c
79186 @@ -99,6 +99,10 @@ SYSCALL_DEFINE5(kcmp, pid_t, pid1, pid_t, pid2, int, type,
79187 struct task_struct *task1, *task2;
79190 +#ifdef CONFIG_GRKERNSEC
79197 diff --git a/kernel/kexec.c b/kernel/kexec.c
79198 index 59f7b55..4022f65 100644
79199 --- a/kernel/kexec.c
79200 +++ b/kernel/kexec.c
79201 @@ -1041,7 +1041,8 @@ asmlinkage long compat_sys_kexec_load(unsigned long entry,
79202 unsigned long flags)
79204 struct compat_kexec_segment in;
79205 - struct kexec_segment out, __user *ksegments;
79206 + struct kexec_segment out;
79207 + struct kexec_segment __user *ksegments;
79208 unsigned long i, result;
79210 /* Don't allow clients that don't understand the native
79211 diff --git a/kernel/kmod.c b/kernel/kmod.c
79212 index 8241906..d625f2c 100644
79213 --- a/kernel/kmod.c
79214 +++ b/kernel/kmod.c
79215 @@ -75,7 +75,7 @@ static void free_modprobe_argv(struct subprocess_info *info)
79219 -static int call_modprobe(char *module_name, int wait)
79220 +static int call_modprobe(char *module_name, char *module_param, int wait)
79222 struct subprocess_info *info;
79223 static char *envp[] = {
79224 @@ -85,7 +85,7 @@ static int call_modprobe(char *module_name, int wait)
79228 - char **argv = kmalloc(sizeof(char *[5]), GFP_KERNEL);
79229 + char **argv = kmalloc(sizeof(char *[6]), GFP_KERNEL);
79233 @@ -97,7 +97,8 @@ static int call_modprobe(char *module_name, int wait)
79236 argv[3] = module_name; /* check free_modprobe_argv() */
79238 + argv[4] = module_param;
79241 info = call_usermodehelper_setup(modprobe_path, argv, envp, GFP_KERNEL,
79242 NULL, free_modprobe_argv, NULL);
79243 @@ -129,9 +130,8 @@ out:
79244 * If module auto-loading support is disabled then this function
79245 * becomes a no-operation.
79247 -int __request_module(bool wait, const char *fmt, ...)
79248 +static int ____request_module(bool wait, char *module_param, const char *fmt, va_list ap)
79251 char module_name[MODULE_NAME_LEN];
79252 unsigned int max_modprobes;
79254 @@ -147,9 +147,7 @@ int __request_module(bool wait, const char *fmt, ...)
79256 WARN_ON_ONCE(wait && current_is_async());
79258 - va_start(args, fmt);
79259 - ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
79261 + ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, ap);
79262 if (ret >= MODULE_NAME_LEN)
79263 return -ENAMETOOLONG;
79265 @@ -157,6 +155,20 @@ int __request_module(bool wait, const char *fmt, ...)
79269 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
79270 + if (uid_eq(current_uid(), GLOBAL_ROOT_UID)) {
79271 + /* hack to workaround consolekit/udisks stupidity */
79272 + read_lock(&tasklist_lock);
79273 + if (!strcmp(current->comm, "mount") &&
79274 + current->real_parent && !strncmp(current->real_parent->comm, "udisk", 5)) {
79275 + read_unlock(&tasklist_lock);
79276 + printk(KERN_ALERT "grsec: denied attempt to auto-load fs module %.64s by udisks\n", module_name);
79279 + read_unlock(&tasklist_lock);
79283 /* If modprobe needs a service that is in a module, we get a recursive
79284 * loop. Limit the number of running kmod threads to max_threads/2 or
79285 * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method
79286 @@ -185,11 +197,52 @@ int __request_module(bool wait, const char *fmt, ...)
79288 trace_module_request(module_name, wait, _RET_IP_);
79290 - ret = call_modprobe(module_name, wait ? UMH_WAIT_PROC : UMH_WAIT_EXEC);
79291 + ret = call_modprobe(module_name, module_param, wait ? UMH_WAIT_PROC : UMH_WAIT_EXEC);
79293 atomic_dec(&kmod_concurrent);
79297 +int ___request_module(bool wait, char *module_param, const char *fmt, ...)
79302 + va_start(args, fmt);
79303 + ret = ____request_module(wait, module_param, fmt, args);
79309 +int __request_module(bool wait, const char *fmt, ...)
79314 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
79315 + if (!uid_eq(current_uid(), GLOBAL_ROOT_UID)) {
79316 + char module_param[MODULE_NAME_LEN];
79318 + memset(module_param, 0, sizeof(module_param));
79320 + snprintf(module_param, sizeof(module_param) - 1, "grsec_modharden_normal%u_", GR_GLOBAL_UID(current_uid()));
79322 + va_start(args, fmt);
79323 + ret = ____request_module(wait, module_param, fmt, args);
79330 + va_start(args, fmt);
79331 + ret = ____request_module(wait, NULL, fmt, args);
79337 EXPORT_SYMBOL(__request_module);
79338 #endif /* CONFIG_MODULES */
79340 @@ -300,7 +353,7 @@ static int wait_for_helper(void *data)
79342 * Thus the __user pointer cast is valid here.
79344 - sys_wait4(pid, (int __user *)&ret, 0, NULL);
79345 + sys_wait4(pid, (int __force_user *)&ret, 0, NULL);
79348 * If ret is 0, either ____call_usermodehelper failed and the
79349 @@ -651,7 +704,7 @@ EXPORT_SYMBOL(call_usermodehelper);
79350 static int proc_cap_handler(struct ctl_table *table, int write,
79351 void __user *buffer, size_t *lenp, loff_t *ppos)
79353 - struct ctl_table t;
79354 + ctl_table_no_const t;
79355 unsigned long cap_array[_KERNEL_CAPABILITY_U32S];
79356 kernel_cap_t new_cap;
79358 diff --git a/kernel/kprobes.c b/kernel/kprobes.c
79359 index bddf3b2..233bf40 100644
79360 --- a/kernel/kprobes.c
79361 +++ b/kernel/kprobes.c
79363 * <jkenisto@us.ibm.com> and Prasanna S Panchamukhi
79364 * <prasanna@in.ibm.com> added function-return probes.
79366 +#ifdef CONFIG_GRKERNSEC_HIDESYM
79367 +#define __INCLUDED_BY_HIDESYM 1
79369 #include <linux/kprobes.h>
79370 #include <linux/hash.h>
79371 #include <linux/init.h>
79372 @@ -185,7 +188,7 @@ static kprobe_opcode_t __kprobes *__get_insn_slot(struct kprobe_insn_cache *c)
79373 * kernel image and loaded module images reside. This is required
79374 * so x86_64 can correctly handle the %rip-relative fixups.
79376 - kip->insns = module_alloc(PAGE_SIZE);
79377 + kip->insns = module_alloc_exec(PAGE_SIZE);
79381 @@ -225,7 +228,7 @@ static int __kprobes collect_one_slot(struct kprobe_insn_page *kip, int idx)
79383 if (!list_is_singular(&kip->list)) {
79384 list_del(&kip->list);
79385 - module_free(NULL, kip->insns);
79386 + module_free_exec(NULL, kip->insns);
79390 @@ -2083,7 +2086,7 @@ static int __init init_kprobes(void)
79393 unsigned long offset = 0, size = 0;
79394 - char *modname, namebuf[128];
79395 + char *modname, namebuf[KSYM_NAME_LEN];
79396 const char *symbol_name;
79398 struct kprobe_blackpoint *kb;
79399 @@ -2168,11 +2171,11 @@ static void __kprobes report_probe(struct seq_file *pi, struct kprobe *p,
79403 - seq_printf(pi, "%p %s %s+0x%x %s ",
79404 + seq_printf(pi, "%pK %s %s+0x%x %s ",
79405 p->addr, kprobe_type, sym, offset,
79406 (modname ? modname : " "));
79408 - seq_printf(pi, "%p %s %p ",
79409 + seq_printf(pi, "%pK %s %pK ",
79410 p->addr, kprobe_type, p->addr);
79413 @@ -2209,7 +2212,7 @@ static int __kprobes show_kprobe_addr(struct seq_file *pi, void *v)
79414 const char *sym = NULL;
79415 unsigned int i = *(loff_t *) v;
79416 unsigned long offset = 0;
79417 - char *modname, namebuf[128];
79418 + char *modname, namebuf[KSYM_NAME_LEN];
79420 head = &kprobe_table[i];
79422 diff --git a/kernel/ksysfs.c b/kernel/ksysfs.c
79423 index 6ada93c..dce7d5d 100644
79424 --- a/kernel/ksysfs.c
79425 +++ b/kernel/ksysfs.c
79426 @@ -46,6 +46,8 @@ static ssize_t uevent_helper_store(struct kobject *kobj,
79428 if (count+1 > UEVENT_HELPER_PATH_LEN)
79430 + if (!capable(CAP_SYS_ADMIN))
79432 memcpy(uevent_helper, buf, count);
79433 uevent_helper[count] = '\0';
79434 if (count && uevent_helper[count-1] == '\n')
79435 @@ -172,7 +174,7 @@ static ssize_t notes_read(struct file *filp, struct kobject *kobj,
79439 -static struct bin_attribute notes_attr = {
79440 +static bin_attribute_no_const notes_attr __read_only = {
79444 diff --git a/kernel/lockdep.c b/kernel/lockdep.c
79445 index 1f3186b..bb7dbc6 100644
79446 --- a/kernel/lockdep.c
79447 +++ b/kernel/lockdep.c
79448 @@ -596,6 +596,10 @@ static int static_obj(void *obj)
79449 end = (unsigned long) &_end,
79450 addr = (unsigned long) obj;
79452 +#ifdef CONFIG_PAX_KERNEXEC
79453 + start = ktla_ktva(start);
79459 @@ -736,6 +740,7 @@ register_lock_class(struct lockdep_map *lock, unsigned int subclass, int force)
79460 if (!static_obj(lock->key)) {
79462 printk("INFO: trying to register non-static key.\n");
79463 + printk("lock:%pS key:%pS.\n", lock, lock->key);
79464 printk("the code is fine but needs lockdep annotation.\n");
79465 printk("turning off the locking correctness validator.\n");
79467 @@ -3080,7 +3085,7 @@ static int __lock_acquire(struct lockdep_map *lock, unsigned int subclass,
79471 - atomic_inc((atomic_t *)&class->ops);
79472 + atomic_inc_unchecked((atomic_unchecked_t *)&class->ops);
79473 if (very_verbose(class)) {
79474 printk("\nacquire class [%p] %s", class->key, class->name);
79475 if (class->name_version > 1)
79476 diff --git a/kernel/lockdep_proc.c b/kernel/lockdep_proc.c
79477 index b2c71c5..7b88d63 100644
79478 --- a/kernel/lockdep_proc.c
79479 +++ b/kernel/lockdep_proc.c
79480 @@ -65,7 +65,7 @@ static int l_show(struct seq_file *m, void *v)
79484 - seq_printf(m, "%p", class->key);
79485 + seq_printf(m, "%pK", class->key);
79486 #ifdef CONFIG_DEBUG_LOCKDEP
79487 seq_printf(m, " OPS:%8ld", class->ops);
79489 @@ -83,7 +83,7 @@ static int l_show(struct seq_file *m, void *v)
79491 list_for_each_entry(entry, &class->locks_after, entry) {
79492 if (entry->distance == 1) {
79493 - seq_printf(m, " -> [%p] ", entry->class->key);
79494 + seq_printf(m, " -> [%pK] ", entry->class->key);
79495 print_name(m, entry->class);
79498 @@ -152,7 +152,7 @@ static int lc_show(struct seq_file *m, void *v)
79502 - seq_printf(m, "[%p] ", class->key);
79503 + seq_printf(m, "[%pK] ", class->key);
79504 print_name(m, class);
79507 @@ -495,7 +495,7 @@ static void seq_stats(struct seq_file *m, struct lock_stat_data *data)
79509 seq_line(m, '-', 40-namelen, namelen);
79511 - snprintf(ip, sizeof(ip), "[<%p>]",
79512 + snprintf(ip, sizeof(ip), "[<%pK>]",
79513 (void *)class->contention_point[i]);
79514 seq_printf(m, "%40s %14lu %29s %pS\n",
79515 name, stats->contention_point[i],
79516 @@ -510,7 +510,7 @@ static void seq_stats(struct seq_file *m, struct lock_stat_data *data)
79518 seq_line(m, '-', 40-namelen, namelen);
79520 - snprintf(ip, sizeof(ip), "[<%p>]",
79521 + snprintf(ip, sizeof(ip), "[<%pK>]",
79522 (void *)class->contending_point[i]);
79523 seq_printf(m, "%40s %14lu %29s %pS\n",
79524 name, stats->contending_point[i],
79525 diff --git a/kernel/module.c b/kernel/module.c
79526 index fa53db8..6f17200 100644
79527 --- a/kernel/module.c
79528 +++ b/kernel/module.c
79530 #include <linux/pfn.h>
79531 #include <linux/bsearch.h>
79532 #include <linux/fips.h>
79533 +#include <linux/grsecurity.h>
79534 #include <uapi/linux/module.h>
79535 #include "module-internal.h"
79537 @@ -156,7 +157,8 @@ static BLOCKING_NOTIFIER_HEAD(module_notify_list);
79539 /* Bounds of module allocation, for speeding __module_address.
79540 * Protected by module_mutex. */
79541 -static unsigned long module_addr_min = -1UL, module_addr_max = 0;
79542 +static unsigned long module_addr_min_rw = -1UL, module_addr_max_rw = 0;
79543 +static unsigned long module_addr_min_rx = -1UL, module_addr_max_rx = 0;
79545 int register_module_notifier(struct notifier_block * nb)
79547 @@ -323,7 +325,7 @@ bool each_symbol_section(bool (*fn)(const struct symsearch *arr,
79550 list_for_each_entry_rcu(mod, &modules, list) {
79551 - struct symsearch arr[] = {
79552 + struct symsearch modarr[] = {
79553 { mod->syms, mod->syms + mod->num_syms, mod->crcs,
79554 NOT_GPL_ONLY, false },
79555 { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
79556 @@ -348,7 +350,7 @@ bool each_symbol_section(bool (*fn)(const struct symsearch *arr,
79557 if (mod->state == MODULE_STATE_UNFORMED)
79560 - if (each_symbol_in_section(arr, ARRAY_SIZE(arr), mod, fn, data))
79561 + if (each_symbol_in_section(modarr, ARRAY_SIZE(modarr), mod, fn, data))
79565 @@ -485,7 +487,7 @@ static inline void __percpu *mod_percpu(struct module *mod)
79566 static int percpu_modalloc(struct module *mod,
79567 unsigned long size, unsigned long align)
79569 - if (align > PAGE_SIZE) {
79570 + if (align-1 >= PAGE_SIZE) {
79571 printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
79572 mod->name, align, PAGE_SIZE);
79574 @@ -1089,7 +1091,7 @@ struct module_attribute module_uevent =
79575 static ssize_t show_coresize(struct module_attribute *mattr,
79576 struct module_kobject *mk, char *buffer)
79578 - return sprintf(buffer, "%u\n", mk->mod->core_size);
79579 + return sprintf(buffer, "%u\n", mk->mod->core_size_rx + mk->mod->core_size_rw);
79582 static struct module_attribute modinfo_coresize =
79583 @@ -1098,7 +1100,7 @@ static struct module_attribute modinfo_coresize =
79584 static ssize_t show_initsize(struct module_attribute *mattr,
79585 struct module_kobject *mk, char *buffer)
79587 - return sprintf(buffer, "%u\n", mk->mod->init_size);
79588 + return sprintf(buffer, "%u\n", mk->mod->init_size_rx + mk->mod->init_size_rw);
79591 static struct module_attribute modinfo_initsize =
79592 @@ -1313,7 +1315,7 @@ resolve_symbol_wait(struct module *mod,
79594 #ifdef CONFIG_SYSFS
79596 -#ifdef CONFIG_KALLSYMS
79597 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
79598 static inline bool sect_empty(const Elf_Shdr *sect)
79600 return !(sect->sh_flags & SHF_ALLOC) || sect->sh_size == 0;
79601 @@ -1453,7 +1455,7 @@ static void add_notes_attrs(struct module *mod, const struct load_info *info)
79603 unsigned int notes, loaded, i;
79604 struct module_notes_attrs *notes_attrs;
79605 - struct bin_attribute *nattr;
79606 + bin_attribute_no_const *nattr;
79608 /* failed to create section attributes, so can't create notes */
79609 if (!mod->sect_attrs)
79610 @@ -1565,7 +1567,7 @@ static void del_usage_links(struct module *mod)
79611 static int module_add_modinfo_attrs(struct module *mod)
79613 struct module_attribute *attr;
79614 - struct module_attribute *temp_attr;
79615 + module_attribute_no_const *temp_attr;
79619 @@ -1779,21 +1781,21 @@ static void set_section_ro_nx(void *base,
79621 static void unset_module_core_ro_nx(struct module *mod)
79623 - set_page_attributes(mod->module_core + mod->core_text_size,
79624 - mod->module_core + mod->core_size,
79625 + set_page_attributes(mod->module_core_rw,
79626 + mod->module_core_rw + mod->core_size_rw,
79628 - set_page_attributes(mod->module_core,
79629 - mod->module_core + mod->core_ro_size,
79630 + set_page_attributes(mod->module_core_rx,
79631 + mod->module_core_rx + mod->core_size_rx,
79635 static void unset_module_init_ro_nx(struct module *mod)
79637 - set_page_attributes(mod->module_init + mod->init_text_size,
79638 - mod->module_init + mod->init_size,
79639 + set_page_attributes(mod->module_init_rw,
79640 + mod->module_init_rw + mod->init_size_rw,
79642 - set_page_attributes(mod->module_init,
79643 - mod->module_init + mod->init_ro_size,
79644 + set_page_attributes(mod->module_init_rx,
79645 + mod->module_init_rx + mod->init_size_rx,
79649 @@ -1806,14 +1808,14 @@ void set_all_modules_text_rw(void)
79650 list_for_each_entry_rcu(mod, &modules, list) {
79651 if (mod->state == MODULE_STATE_UNFORMED)
79653 - if ((mod->module_core) && (mod->core_text_size)) {
79654 - set_page_attributes(mod->module_core,
79655 - mod->module_core + mod->core_text_size,
79656 + if ((mod->module_core_rx) && (mod->core_size_rx)) {
79657 + set_page_attributes(mod->module_core_rx,
79658 + mod->module_core_rx + mod->core_size_rx,
79661 - if ((mod->module_init) && (mod->init_text_size)) {
79662 - set_page_attributes(mod->module_init,
79663 - mod->module_init + mod->init_text_size,
79664 + if ((mod->module_init_rx) && (mod->init_size_rx)) {
79665 + set_page_attributes(mod->module_init_rx,
79666 + mod->module_init_rx + mod->init_size_rx,
79670 @@ -1829,14 +1831,14 @@ void set_all_modules_text_ro(void)
79671 list_for_each_entry_rcu(mod, &modules, list) {
79672 if (mod->state == MODULE_STATE_UNFORMED)
79674 - if ((mod->module_core) && (mod->core_text_size)) {
79675 - set_page_attributes(mod->module_core,
79676 - mod->module_core + mod->core_text_size,
79677 + if ((mod->module_core_rx) && (mod->core_size_rx)) {
79678 + set_page_attributes(mod->module_core_rx,
79679 + mod->module_core_rx + mod->core_size_rx,
79682 - if ((mod->module_init) && (mod->init_text_size)) {
79683 - set_page_attributes(mod->module_init,
79684 - mod->module_init + mod->init_text_size,
79685 + if ((mod->module_init_rx) && (mod->init_size_rx)) {
79686 + set_page_attributes(mod->module_init_rx,
79687 + mod->module_init_rx + mod->init_size_rx,
79691 @@ -1887,16 +1889,19 @@ static void free_module(struct module *mod)
79693 /* This may be NULL, but that's OK */
79694 unset_module_init_ro_nx(mod);
79695 - module_free(mod, mod->module_init);
79696 + module_free(mod, mod->module_init_rw);
79697 + module_free_exec(mod, mod->module_init_rx);
79699 percpu_modfree(mod);
79701 /* Free lock-classes: */
79702 - lockdep_free_key_range(mod->module_core, mod->core_size);
79703 + lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
79704 + lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
79706 /* Finally, free the core (containing the module structure) */
79707 unset_module_core_ro_nx(mod);
79708 - module_free(mod, mod->module_core);
79709 + module_free_exec(mod, mod->module_core_rx);
79710 + module_free(mod, mod->module_core_rw);
79713 update_protections(current->mm);
79714 @@ -1966,9 +1971,31 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
79716 const struct kernel_symbol *ksym;
79718 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
79719 + int is_fs_load = 0;
79720 + int register_filesystem_found = 0;
79723 + p = strstr(mod->args, "grsec_modharden_fs");
79725 + char *endptr = p + sizeof("grsec_modharden_fs") - 1;
79726 + /* copy \0 as well */
79727 + memmove(p, endptr, strlen(mod->args) - (unsigned int)(endptr - mod->args) + 1);
79732 for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) {
79733 const char *name = info->strtab + sym[i].st_name;
79735 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
79736 + /* it's a real shame this will never get ripped and copied
79739 + if (is_fs_load && !strcmp(name, "register_filesystem"))
79740 + register_filesystem_found = 1;
79743 switch (sym[i].st_shndx) {
79745 /* We compiled with -fno-common. These are not
79746 @@ -1989,7 +2016,9 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
79747 ksym = resolve_symbol_wait(mod, info, name);
79748 /* Ok if resolved. */
79749 if (ksym && !IS_ERR(ksym)) {
79750 + pax_open_kernel();
79751 sym[i].st_value = ksym->value;
79752 + pax_close_kernel();
79756 @@ -2008,11 +2037,20 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
79757 secbase = (unsigned long)mod_percpu(mod);
79759 secbase = info->sechdrs[sym[i].st_shndx].sh_addr;
79760 + pax_open_kernel();
79761 sym[i].st_value += secbase;
79762 + pax_close_kernel();
79767 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
79768 + if (is_fs_load && !register_filesystem_found) {
79769 + printk(KERN_ALERT "grsec: Denied attempt to load non-fs module %.64s through mount\n", mod->name);
79777 @@ -2096,22 +2134,12 @@ static void layout_sections(struct module *mod, struct load_info *info)
79778 || s->sh_entsize != ~0UL
79779 || strstarts(sname, ".init"))
79781 - s->sh_entsize = get_offset(mod, &mod->core_size, s, i);
79782 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
79783 + s->sh_entsize = get_offset(mod, &mod->core_size_rw, s, i);
79785 + s->sh_entsize = get_offset(mod, &mod->core_size_rx, s, i);
79786 pr_debug("\t%s\n", sname);
79789 - case 0: /* executable */
79790 - mod->core_size = debug_align(mod->core_size);
79791 - mod->core_text_size = mod->core_size;
79793 - case 1: /* RO: text and ro-data */
79794 - mod->core_size = debug_align(mod->core_size);
79795 - mod->core_ro_size = mod->core_size;
79797 - case 3: /* whole core */
79798 - mod->core_size = debug_align(mod->core_size);
79803 pr_debug("Init section allocation order:\n");
79804 @@ -2125,23 +2153,13 @@ static void layout_sections(struct module *mod, struct load_info *info)
79805 || s->sh_entsize != ~0UL
79806 || !strstarts(sname, ".init"))
79808 - s->sh_entsize = (get_offset(mod, &mod->init_size, s, i)
79809 - | INIT_OFFSET_MASK);
79810 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
79811 + s->sh_entsize = get_offset(mod, &mod->init_size_rw, s, i);
79813 + s->sh_entsize = get_offset(mod, &mod->init_size_rx, s, i);
79814 + s->sh_entsize |= INIT_OFFSET_MASK;
79815 pr_debug("\t%s\n", sname);
79818 - case 0: /* executable */
79819 - mod->init_size = debug_align(mod->init_size);
79820 - mod->init_text_size = mod->init_size;
79822 - case 1: /* RO: text and ro-data */
79823 - mod->init_size = debug_align(mod->init_size);
79824 - mod->init_ro_size = mod->init_size;
79826 - case 3: /* whole init */
79827 - mod->init_size = debug_align(mod->init_size);
79833 @@ -2314,7 +2332,7 @@ static void layout_symtab(struct module *mod, struct load_info *info)
79835 /* Put symbol section at end of init part of module. */
79836 symsect->sh_flags |= SHF_ALLOC;
79837 - symsect->sh_entsize = get_offset(mod, &mod->init_size, symsect,
79838 + symsect->sh_entsize = get_offset(mod, &mod->init_size_rx, symsect,
79839 info->index.sym) | INIT_OFFSET_MASK;
79840 pr_debug("\t%s\n", info->secstrings + symsect->sh_name);
79842 @@ -2331,13 +2349,13 @@ static void layout_symtab(struct module *mod, struct load_info *info)
79845 /* Append room for core symbols at end of core part. */
79846 - info->symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
79847 - info->stroffs = mod->core_size = info->symoffs + ndst * sizeof(Elf_Sym);
79848 - mod->core_size += strtab_size;
79849 + info->symoffs = ALIGN(mod->core_size_rx, symsect->sh_addralign ?: 1);
79850 + info->stroffs = mod->core_size_rx = info->symoffs + ndst * sizeof(Elf_Sym);
79851 + mod->core_size_rx += strtab_size;
79853 /* Put string table section at end of init part of module. */
79854 strsect->sh_flags |= SHF_ALLOC;
79855 - strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect,
79856 + strsect->sh_entsize = get_offset(mod, &mod->init_size_rx, strsect,
79857 info->index.str) | INIT_OFFSET_MASK;
79858 pr_debug("\t%s\n", info->secstrings + strsect->sh_name);
79860 @@ -2355,12 +2373,14 @@ static void add_kallsyms(struct module *mod, const struct load_info *info)
79861 /* Make sure we get permanent strtab: don't use info->strtab. */
79862 mod->strtab = (void *)info->sechdrs[info->index.str].sh_addr;
79864 + pax_open_kernel();
79866 /* Set types up while we still have access to sections. */
79867 for (i = 0; i < mod->num_symtab; i++)
79868 mod->symtab[i].st_info = elf_type(&mod->symtab[i], info);
79870 - mod->core_symtab = dst = mod->module_core + info->symoffs;
79871 - mod->core_strtab = s = mod->module_core + info->stroffs;
79872 + mod->core_symtab = dst = mod->module_core_rx + info->symoffs;
79873 + mod->core_strtab = s = mod->module_core_rx + info->stroffs;
79875 for (ndst = i = 0; i < mod->num_symtab; i++) {
79877 @@ -2372,6 +2392,8 @@ static void add_kallsyms(struct module *mod, const struct load_info *info)
79880 mod->core_num_syms = ndst;
79882 + pax_close_kernel();
79885 static inline void layout_symtab(struct module *mod, struct load_info *info)
79886 @@ -2405,17 +2427,33 @@ void * __weak module_alloc(unsigned long size)
79887 return vmalloc_exec(size);
79890 -static void *module_alloc_update_bounds(unsigned long size)
79891 +static void *module_alloc_update_bounds_rw(unsigned long size)
79893 void *ret = module_alloc(size);
79896 mutex_lock(&module_mutex);
79897 /* Update module bounds. */
79898 - if ((unsigned long)ret < module_addr_min)
79899 - module_addr_min = (unsigned long)ret;
79900 - if ((unsigned long)ret + size > module_addr_max)
79901 - module_addr_max = (unsigned long)ret + size;
79902 + if ((unsigned long)ret < module_addr_min_rw)
79903 + module_addr_min_rw = (unsigned long)ret;
79904 + if ((unsigned long)ret + size > module_addr_max_rw)
79905 + module_addr_max_rw = (unsigned long)ret + size;
79906 + mutex_unlock(&module_mutex);
79911 +static void *module_alloc_update_bounds_rx(unsigned long size)
79913 + void *ret = module_alloc_exec(size);
79916 + mutex_lock(&module_mutex);
79917 + /* Update module bounds. */
79918 + if ((unsigned long)ret < module_addr_min_rx)
79919 + module_addr_min_rx = (unsigned long)ret;
79920 + if ((unsigned long)ret + size > module_addr_max_rx)
79921 + module_addr_max_rx = (unsigned long)ret + size;
79922 mutex_unlock(&module_mutex);
79925 @@ -2691,8 +2729,14 @@ static struct module *setup_load_info(struct load_info *info, int flags)
79926 static int check_modinfo(struct module *mod, struct load_info *info, int flags)
79928 const char *modmagic = get_modinfo(info, "vermagic");
79929 + const char *license = get_modinfo(info, "license");
79932 +#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR
79933 + if (!license || !license_is_gpl_compatible(license))
79937 if (flags & MODULE_INIT_IGNORE_VERMAGIC)
79940 @@ -2718,7 +2762,7 @@ static int check_modinfo(struct module *mod, struct load_info *info, int flags)
79943 /* Set up license info based on the info section */
79944 - set_license(mod, get_modinfo(info, "license"));
79945 + set_license(mod, license);
79949 @@ -2799,7 +2843,7 @@ static int move_module(struct module *mod, struct load_info *info)
79952 /* Do the allocs. */
79953 - ptr = module_alloc_update_bounds(mod->core_size);
79954 + ptr = module_alloc_update_bounds_rw(mod->core_size_rw);
79956 * The pointer to this block is stored in the module structure
79957 * which is inside the block. Just mark it as not being a
79958 @@ -2809,11 +2853,11 @@ static int move_module(struct module *mod, struct load_info *info)
79962 - memset(ptr, 0, mod->core_size);
79963 - mod->module_core = ptr;
79964 + memset(ptr, 0, mod->core_size_rw);
79965 + mod->module_core_rw = ptr;
79967 - if (mod->init_size) {
79968 - ptr = module_alloc_update_bounds(mod->init_size);
79969 + if (mod->init_size_rw) {
79970 + ptr = module_alloc_update_bounds_rw(mod->init_size_rw);
79972 * The pointer to this block is stored in the module structure
79973 * which is inside the block. This block doesn't need to be
79974 @@ -2822,13 +2866,45 @@ static int move_module(struct module *mod, struct load_info *info)
79976 kmemleak_ignore(ptr);
79978 - module_free(mod, mod->module_core);
79979 + module_free(mod, mod->module_core_rw);
79982 - memset(ptr, 0, mod->init_size);
79983 - mod->module_init = ptr;
79984 + memset(ptr, 0, mod->init_size_rw);
79985 + mod->module_init_rw = ptr;
79987 - mod->module_init = NULL;
79988 + mod->module_init_rw = NULL;
79990 + ptr = module_alloc_update_bounds_rx(mod->core_size_rx);
79991 + kmemleak_not_leak(ptr);
79993 + if (mod->module_init_rw)
79994 + module_free(mod, mod->module_init_rw);
79995 + module_free(mod, mod->module_core_rw);
79999 + pax_open_kernel();
80000 + memset(ptr, 0, mod->core_size_rx);
80001 + pax_close_kernel();
80002 + mod->module_core_rx = ptr;
80004 + if (mod->init_size_rx) {
80005 + ptr = module_alloc_update_bounds_rx(mod->init_size_rx);
80006 + kmemleak_ignore(ptr);
80007 + if (!ptr && mod->init_size_rx) {
80008 + module_free_exec(mod, mod->module_core_rx);
80009 + if (mod->module_init_rw)
80010 + module_free(mod, mod->module_init_rw);
80011 + module_free(mod, mod->module_core_rw);
80015 + pax_open_kernel();
80016 + memset(ptr, 0, mod->init_size_rx);
80017 + pax_close_kernel();
80018 + mod->module_init_rx = ptr;
80020 + mod->module_init_rx = NULL;
80022 /* Transfer each section which specifies SHF_ALLOC */
80023 pr_debug("final section addresses:\n");
80024 @@ -2839,16 +2915,45 @@ static int move_module(struct module *mod, struct load_info *info)
80025 if (!(shdr->sh_flags & SHF_ALLOC))
80028 - if (shdr->sh_entsize & INIT_OFFSET_MASK)
80029 - dest = mod->module_init
80030 - + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
80032 - dest = mod->module_core + shdr->sh_entsize;
80033 + if (shdr->sh_entsize & INIT_OFFSET_MASK) {
80034 + if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
80035 + dest = mod->module_init_rw
80036 + + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
80038 + dest = mod->module_init_rx
80039 + + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
80041 + if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
80042 + dest = mod->module_core_rw + shdr->sh_entsize;
80044 + dest = mod->module_core_rx + shdr->sh_entsize;
80047 + if (shdr->sh_type != SHT_NOBITS) {
80049 +#ifdef CONFIG_PAX_KERNEXEC
80050 +#ifdef CONFIG_X86_64
80051 + if ((shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_EXECINSTR))
80052 + set_memory_x((unsigned long)dest, (shdr->sh_size + PAGE_SIZE) >> PAGE_SHIFT);
80054 + if (!(shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_ALLOC)) {
80055 + pax_open_kernel();
80056 + memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
80057 + pax_close_kernel();
80061 - if (shdr->sh_type != SHT_NOBITS)
80062 memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
80064 /* Update sh_addr to point to copy in image. */
80065 - shdr->sh_addr = (unsigned long)dest;
80067 +#ifdef CONFIG_PAX_KERNEXEC
80068 + if (shdr->sh_flags & SHF_EXECINSTR)
80069 + shdr->sh_addr = ktva_ktla((unsigned long)dest);
80073 + shdr->sh_addr = (unsigned long)dest;
80074 pr_debug("\t0x%lx %s\n",
80075 (long)shdr->sh_addr, info->secstrings + shdr->sh_name);
80077 @@ -2905,12 +3010,12 @@ static void flush_module_icache(const struct module *mod)
80078 * Do it before processing of module parameters, so the module
80079 * can provide parameter accessor functions of its own.
80081 - if (mod->module_init)
80082 - flush_icache_range((unsigned long)mod->module_init,
80083 - (unsigned long)mod->module_init
80084 - + mod->init_size);
80085 - flush_icache_range((unsigned long)mod->module_core,
80086 - (unsigned long)mod->module_core + mod->core_size);
80087 + if (mod->module_init_rx)
80088 + flush_icache_range((unsigned long)mod->module_init_rx,
80089 + (unsigned long)mod->module_init_rx
80090 + + mod->init_size_rx);
80091 + flush_icache_range((unsigned long)mod->module_core_rx,
80092 + (unsigned long)mod->module_core_rx + mod->core_size_rx);
80096 @@ -2977,8 +3082,10 @@ static int alloc_module_percpu(struct module *mod, struct load_info *info)
80097 static void module_deallocate(struct module *mod, struct load_info *info)
80099 percpu_modfree(mod);
80100 - module_free(mod, mod->module_init);
80101 - module_free(mod, mod->module_core);
80102 + module_free_exec(mod, mod->module_init_rx);
80103 + module_free_exec(mod, mod->module_core_rx);
80104 + module_free(mod, mod->module_init_rw);
80105 + module_free(mod, mod->module_core_rw);
80108 int __weak module_finalize(const Elf_Ehdr *hdr,
80109 @@ -2991,7 +3098,9 @@ int __weak module_finalize(const Elf_Ehdr *hdr,
80110 static int post_relocation(struct module *mod, const struct load_info *info)
80112 /* Sort exception table now relocations are done. */
80113 + pax_open_kernel();
80114 sort_extable(mod->extable, mod->extable + mod->num_exentries);
80115 + pax_close_kernel();
80117 /* Copy relocated percpu area over. */
80118 percpu_modcopy(mod, (void *)info->sechdrs[info->index.pcpu].sh_addr,
80119 @@ -3045,16 +3154,16 @@ static int do_init_module(struct module *mod)
80120 MODULE_STATE_COMING, mod);
80122 /* Set RO and NX regions for core */
80123 - set_section_ro_nx(mod->module_core,
80124 - mod->core_text_size,
80125 - mod->core_ro_size,
80127 + set_section_ro_nx(mod->module_core_rx,
80128 + mod->core_size_rx,
80129 + mod->core_size_rx,
80130 + mod->core_size_rx);
80132 /* Set RO and NX regions for init */
80133 - set_section_ro_nx(mod->module_init,
80134 - mod->init_text_size,
80135 - mod->init_ro_size,
80137 + set_section_ro_nx(mod->module_init_rx,
80138 + mod->init_size_rx,
80139 + mod->init_size_rx,
80140 + mod->init_size_rx);
80143 /* Start the module */
80144 @@ -3116,11 +3225,12 @@ static int do_init_module(struct module *mod)
80145 mod->strtab = mod->core_strtab;
80147 unset_module_init_ro_nx(mod);
80148 - module_free(mod, mod->module_init);
80149 - mod->module_init = NULL;
80150 - mod->init_size = 0;
80151 - mod->init_ro_size = 0;
80152 - mod->init_text_size = 0;
80153 + module_free(mod, mod->module_init_rw);
80154 + module_free_exec(mod, mod->module_init_rx);
80155 + mod->module_init_rw = NULL;
80156 + mod->module_init_rx = NULL;
80157 + mod->init_size_rw = 0;
80158 + mod->init_size_rx = 0;
80159 mutex_unlock(&module_mutex);
80160 wake_up_all(&module_wq);
80162 @@ -3252,9 +3362,38 @@ static int load_module(struct load_info *info, const char __user *uargs,
80166 + /* Now copy in args */
80167 + mod->args = strndup_user(uargs, ~0UL >> 1);
80168 + if (IS_ERR(mod->args)) {
80169 + err = PTR_ERR(mod->args);
80170 + goto free_unload;
80173 /* Set up MODINFO_ATTR fields */
80174 setup_modinfo(mod, info);
80176 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
80180 + if (strstr(mod->args, "grsec_modharden_netdev")) {
80181 + printk(KERN_ALERT "grsec: denied auto-loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%.64s instead.", mod->name);
80183 + goto free_modinfo;
80184 + } else if ((p = strstr(mod->args, "grsec_modharden_normal"))) {
80185 + p += sizeof("grsec_modharden_normal") - 1;
80186 + p2 = strstr(p, "_");
80189 + printk(KERN_ALERT "grsec: denied kernel module auto-load of %.64s by uid %.9s\n", mod->name, p);
80193 + goto free_modinfo;
80198 /* Fix up syms, so that st_value is a pointer to location. */
80199 err = simplify_symbols(mod, info);
80201 @@ -3270,13 +3409,6 @@ static int load_module(struct load_info *info, const char __user *uargs,
80203 flush_module_icache(mod);
80205 - /* Now copy in args */
80206 - mod->args = strndup_user(uargs, ~0UL >> 1);
80207 - if (IS_ERR(mod->args)) {
80208 - err = PTR_ERR(mod->args);
80209 - goto free_arch_cleanup;
80212 dynamic_debug_setup(info->debug, info->num_debug);
80214 /* Finally it's fully formed, ready to start executing. */
80215 @@ -3311,11 +3443,10 @@ static int load_module(struct load_info *info, const char __user *uargs,
80217 dynamic_debug_remove(info->debug);
80218 synchronize_sched();
80219 - kfree(mod->args);
80220 - free_arch_cleanup:
80221 module_arch_cleanup(mod);
80224 + kfree(mod->args);
80226 module_unload_free(mod);
80228 @@ -3398,10 +3529,16 @@ static const char *get_ksymbol(struct module *mod,
80229 unsigned long nextval;
80231 /* At worse, next value is at end of module */
80232 - if (within_module_init(addr, mod))
80233 - nextval = (unsigned long)mod->module_init+mod->init_text_size;
80234 + if (within_module_init_rx(addr, mod))
80235 + nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
80236 + else if (within_module_init_rw(addr, mod))
80237 + nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
80238 + else if (within_module_core_rx(addr, mod))
80239 + nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
80240 + else if (within_module_core_rw(addr, mod))
80241 + nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
80243 - nextval = (unsigned long)mod->module_core+mod->core_text_size;
80246 /* Scan for closest preceding symbol, and next symbol. (ELF
80247 starts real symbols at 1). */
80248 @@ -3654,7 +3791,7 @@ static int m_show(struct seq_file *m, void *p)
80251 seq_printf(m, "%s %u",
80252 - mod->name, mod->init_size + mod->core_size);
80253 + mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
80254 print_unload_info(m, mod);
80256 /* Informative for users. */
80257 @@ -3663,7 +3800,7 @@ static int m_show(struct seq_file *m, void *p)
80258 mod->state == MODULE_STATE_COMING ? "Loading":
80260 /* Used by oprofile and other similar tools. */
80261 - seq_printf(m, " 0x%pK", mod->module_core);
80262 + seq_printf(m, " 0x%pK 0x%pK", mod->module_core_rx, mod->module_core_rw);
80266 @@ -3699,7 +3836,17 @@ static const struct file_operations proc_modules_operations = {
80268 static int __init proc_modules_init(void)
80270 +#ifndef CONFIG_GRKERNSEC_HIDESYM
80271 +#ifdef CONFIG_GRKERNSEC_PROC_USER
80272 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
80273 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
80274 + proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
80276 proc_create("modules", 0, NULL, &proc_modules_operations);
80279 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
80283 module_init(proc_modules_init);
80284 @@ -3760,14 +3907,14 @@ struct module *__module_address(unsigned long addr)
80286 struct module *mod;
80288 - if (addr < module_addr_min || addr > module_addr_max)
80289 + if ((addr < module_addr_min_rx || addr > module_addr_max_rx) &&
80290 + (addr < module_addr_min_rw || addr > module_addr_max_rw))
80293 list_for_each_entry_rcu(mod, &modules, list) {
80294 if (mod->state == MODULE_STATE_UNFORMED)
80296 - if (within_module_core(addr, mod)
80297 - || within_module_init(addr, mod))
80298 + if (within_module_init(addr, mod) || within_module_core(addr, mod))
80302 @@ -3802,11 +3949,20 @@ bool is_module_text_address(unsigned long addr)
80304 struct module *__module_text_address(unsigned long addr)
80306 - struct module *mod = __module_address(addr);
80307 + struct module *mod;
80309 +#ifdef CONFIG_X86_32
80310 + addr = ktla_ktva(addr);
80313 + if (addr < module_addr_min_rx || addr > module_addr_max_rx)
80316 + mod = __module_address(addr);
80319 /* Make sure it's within the text section. */
80320 - if (!within(addr, mod->module_init, mod->init_text_size)
80321 - && !within(addr, mod->module_core, mod->core_text_size))
80322 + if (!within_module_init_rx(addr, mod) && !within_module_core_rx(addr, mod))
80326 diff --git a/kernel/mutex-debug.c b/kernel/mutex-debug.c
80327 index 7e3443f..b2a1e6b 100644
80328 --- a/kernel/mutex-debug.c
80329 +++ b/kernel/mutex-debug.c
80330 @@ -49,21 +49,21 @@ void debug_mutex_free_waiter(struct mutex_waiter *waiter)
80333 void debug_mutex_add_waiter(struct mutex *lock, struct mutex_waiter *waiter,
80334 - struct thread_info *ti)
80335 + struct task_struct *task)
80337 SMP_DEBUG_LOCKS_WARN_ON(!spin_is_locked(&lock->wait_lock));
80339 /* Mark the current thread as blocked on the lock: */
80340 - ti->task->blocked_on = waiter;
80341 + task->blocked_on = waiter;
80344 void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
80345 - struct thread_info *ti)
80346 + struct task_struct *task)
80348 DEBUG_LOCKS_WARN_ON(list_empty(&waiter->list));
80349 - DEBUG_LOCKS_WARN_ON(waiter->task != ti->task);
80350 - DEBUG_LOCKS_WARN_ON(ti->task->blocked_on != waiter);
80351 - ti->task->blocked_on = NULL;
80352 + DEBUG_LOCKS_WARN_ON(waiter->task != task);
80353 + DEBUG_LOCKS_WARN_ON(task->blocked_on != waiter);
80354 + task->blocked_on = NULL;
80356 list_del_init(&waiter->list);
80357 waiter->task = NULL;
80358 diff --git a/kernel/mutex-debug.h b/kernel/mutex-debug.h
80359 index 0799fd3..d06ae3b 100644
80360 --- a/kernel/mutex-debug.h
80361 +++ b/kernel/mutex-debug.h
80362 @@ -20,9 +20,9 @@ extern void debug_mutex_wake_waiter(struct mutex *lock,
80363 extern void debug_mutex_free_waiter(struct mutex_waiter *waiter);
80364 extern void debug_mutex_add_waiter(struct mutex *lock,
80365 struct mutex_waiter *waiter,
80366 - struct thread_info *ti);
80367 + struct task_struct *task);
80368 extern void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
80369 - struct thread_info *ti);
80370 + struct task_struct *task);
80371 extern void debug_mutex_unlock(struct mutex *lock);
80372 extern void debug_mutex_init(struct mutex *lock, const char *name,
80373 struct lock_class_key *key);
80374 diff --git a/kernel/mutex.c b/kernel/mutex.c
80375 index ad53a66..f1bf8bc 100644
80376 --- a/kernel/mutex.c
80377 +++ b/kernel/mutex.c
80378 @@ -134,7 +134,7 @@ void mspin_lock(struct mspin_node **lock, struct mspin_node *node)
80382 - ACCESS_ONCE(prev->next) = node;
80383 + ACCESS_ONCE_RW(prev->next) = node;
80385 /* Wait until the lock holder passes the lock down */
80386 while (!ACCESS_ONCE(node->locked))
80387 @@ -155,7 +155,7 @@ static void mspin_unlock(struct mspin_node **lock, struct mspin_node *node)
80388 while (!(next = ACCESS_ONCE(node->next)))
80389 arch_mutex_cpu_relax();
80391 - ACCESS_ONCE(next->locked) = 1;
80392 + ACCESS_ONCE_RW(next->locked) = 1;
80396 @@ -341,7 +341,7 @@ slowpath:
80397 spin_lock_mutex(&lock->wait_lock, flags);
80399 debug_mutex_lock_common(lock, &waiter);
80400 - debug_mutex_add_waiter(lock, &waiter, task_thread_info(task));
80401 + debug_mutex_add_waiter(lock, &waiter, task);
80403 /* add waiting tasks to the end of the waitqueue (FIFO): */
80404 list_add_tail(&waiter.list, &lock->wait_list);
80405 @@ -371,8 +371,7 @@ slowpath:
80406 * TASK_UNINTERRUPTIBLE case.)
80408 if (unlikely(signal_pending_state(state, task))) {
80409 - mutex_remove_waiter(lock, &waiter,
80410 - task_thread_info(task));
80411 + mutex_remove_waiter(lock, &waiter, task);
80412 mutex_release(&lock->dep_map, 1, ip);
80413 spin_unlock_mutex(&lock->wait_lock, flags);
80415 @@ -391,7 +390,7 @@ slowpath:
80417 lock_acquired(&lock->dep_map, ip);
80418 /* got the lock - rejoice! */
80419 - mutex_remove_waiter(lock, &waiter, current_thread_info());
80420 + mutex_remove_waiter(lock, &waiter, task);
80421 mutex_set_owner(lock);
80423 /* set it to 0 if there are no waiters left: */
80424 diff --git a/kernel/notifier.c b/kernel/notifier.c
80425 index 2d5cc4c..d9ea600 100644
80426 --- a/kernel/notifier.c
80427 +++ b/kernel/notifier.c
80429 #include <linux/rcupdate.h>
80430 #include <linux/vmalloc.h>
80431 #include <linux/reboot.h>
80432 +#include <linux/mm.h>
80435 * Notifier list for kernel code which wants to be called
80436 @@ -24,10 +25,12 @@ static int notifier_chain_register(struct notifier_block **nl,
80437 while ((*nl) != NULL) {
80438 if (n->priority > (*nl)->priority)
80440 - nl = &((*nl)->next);
80441 + nl = (struct notifier_block **)&((*nl)->next);
80444 + pax_open_kernel();
80445 + *(const void **)&n->next = *nl;
80446 rcu_assign_pointer(*nl, n);
80447 + pax_close_kernel();
80451 @@ -39,10 +42,12 @@ static int notifier_chain_cond_register(struct notifier_block **nl,
80453 if (n->priority > (*nl)->priority)
80455 - nl = &((*nl)->next);
80456 + nl = (struct notifier_block **)&((*nl)->next);
80459 + pax_open_kernel();
80460 + *(const void **)&n->next = *nl;
80461 rcu_assign_pointer(*nl, n);
80462 + pax_close_kernel();
80466 @@ -51,10 +56,12 @@ static int notifier_chain_unregister(struct notifier_block **nl,
80468 while ((*nl) != NULL) {
80470 + pax_open_kernel();
80471 rcu_assign_pointer(*nl, n->next);
80472 + pax_close_kernel();
80475 - nl = &((*nl)->next);
80476 + nl = (struct notifier_block **)&((*nl)->next);
80480 diff --git a/kernel/panic.c b/kernel/panic.c
80481 index 167ec09..0dda5f9 100644
80482 --- a/kernel/panic.c
80483 +++ b/kernel/panic.c
80484 @@ -400,7 +400,7 @@ static void warn_slowpath_common(const char *file, int line, void *caller,
80485 unsigned taint, struct slowpath_args *args)
80487 printk(KERN_WARNING "------------[ cut here ]------------\n");
80488 - printk(KERN_WARNING "WARNING: at %s:%d %pS()\n", file, line, caller);
80489 + printk(KERN_WARNING "WARNING: at %s:%d %pA()\n", file, line, caller);
80492 vprintk(args->fmt, args->args);
80493 @@ -453,7 +453,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
80495 void __stack_chk_fail(void)
80497 - panic("stack-protector: Kernel stack is corrupted in: %p\n",
80499 + panic("stack-protector: Kernel stack is corrupted in: %pA\n",
80500 __builtin_return_address(0));
80502 EXPORT_SYMBOL(__stack_chk_fail);
80503 diff --git a/kernel/pid.c b/kernel/pid.c
80504 index 0db3e79..95b9dc2 100644
80508 #include <linux/rculist.h>
80509 #include <linux/bootmem.h>
80510 #include <linux/hash.h>
80511 +#include <linux/security.h>
80512 #include <linux/pid_namespace.h>
80513 #include <linux/init_task.h>
80514 #include <linux/syscalls.h>
80515 @@ -47,7 +48,7 @@ struct pid init_struct_pid = INIT_STRUCT_PID;
80517 int pid_max = PID_MAX_DEFAULT;
80519 -#define RESERVED_PIDS 300
80520 +#define RESERVED_PIDS 500
80522 int pid_max_min = RESERVED_PIDS + 1;
80523 int pid_max_max = PID_MAX_LIMIT;
80524 @@ -442,10 +443,18 @@ EXPORT_SYMBOL(pid_task);
80526 struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
80528 + struct task_struct *task;
80530 rcu_lockdep_assert(rcu_read_lock_held(),
80531 "find_task_by_pid_ns() needs rcu_read_lock()"
80533 - return pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
80535 + task = pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
80537 + if (gr_pid_is_chrooted(task))
80543 struct task_struct *find_task_by_vpid(pid_t vnr)
80544 @@ -453,6 +462,14 @@ struct task_struct *find_task_by_vpid(pid_t vnr)
80545 return find_task_by_pid_ns(vnr, task_active_pid_ns(current));
80548 +struct task_struct *find_task_by_vpid_unrestricted(pid_t vnr)
80550 + rcu_lockdep_assert(rcu_read_lock_held(),
80551 + "find_task_by_pid_ns() needs rcu_read_lock()"
80553 + return pid_task(find_pid_ns(vnr, task_active_pid_ns(current)), PIDTYPE_PID);
80556 struct pid *get_task_pid(struct task_struct *task, enum pid_type type)
80559 diff --git a/kernel/pid_namespace.c b/kernel/pid_namespace.c
80560 index 6917e8e..9909aeb 100644
80561 --- a/kernel/pid_namespace.c
80562 +++ b/kernel/pid_namespace.c
80563 @@ -247,7 +247,7 @@ static int pid_ns_ctl_handler(struct ctl_table *table, int write,
80564 void __user *buffer, size_t *lenp, loff_t *ppos)
80566 struct pid_namespace *pid_ns = task_active_pid_ns(current);
80567 - struct ctl_table tmp = *table;
80568 + ctl_table_no_const tmp = *table;
80570 if (write && !ns_capable(pid_ns->user_ns, CAP_SYS_ADMIN))
80572 diff --git a/kernel/posix-cpu-timers.c b/kernel/posix-cpu-timers.c
80573 index 42670e9..8719c2f 100644
80574 --- a/kernel/posix-cpu-timers.c
80575 +++ b/kernel/posix-cpu-timers.c
80576 @@ -1636,14 +1636,14 @@ struct k_clock clock_posix_cpu = {
80578 static __init int init_posix_cpu_timers(void)
80580 - struct k_clock process = {
80581 + static struct k_clock process = {
80582 .clock_getres = process_cpu_clock_getres,
80583 .clock_get = process_cpu_clock_get,
80584 .timer_create = process_cpu_timer_create,
80585 .nsleep = process_cpu_nsleep,
80586 .nsleep_restart = process_cpu_nsleep_restart,
80588 - struct k_clock thread = {
80589 + static struct k_clock thread = {
80590 .clock_getres = thread_cpu_clock_getres,
80591 .clock_get = thread_cpu_clock_get,
80592 .timer_create = thread_cpu_timer_create,
80593 diff --git a/kernel/posix-timers.c b/kernel/posix-timers.c
80594 index 424c2d4..679242f 100644
80595 --- a/kernel/posix-timers.c
80596 +++ b/kernel/posix-timers.c
80598 #include <linux/hash.h>
80599 #include <linux/posix-clock.h>
80600 #include <linux/posix-timers.h>
80601 +#include <linux/grsecurity.h>
80602 #include <linux/syscalls.h>
80603 #include <linux/wait.h>
80604 #include <linux/workqueue.h>
80605 @@ -122,7 +123,7 @@ static DEFINE_SPINLOCK(hash_lock);
80606 * which we beg off on and pass to do_sys_settimeofday().
80609 -static struct k_clock posix_clocks[MAX_CLOCKS];
80610 +static struct k_clock *posix_clocks[MAX_CLOCKS];
80613 * These ones are defined below.
80614 @@ -275,7 +276,7 @@ static int posix_get_tai(clockid_t which_clock, struct timespec *tp)
80616 static __init int init_posix_timers(void)
80618 - struct k_clock clock_realtime = {
80619 + static struct k_clock clock_realtime = {
80620 .clock_getres = hrtimer_get_res,
80621 .clock_get = posix_clock_realtime_get,
80622 .clock_set = posix_clock_realtime_set,
80623 @@ -287,7 +288,7 @@ static __init int init_posix_timers(void)
80624 .timer_get = common_timer_get,
80625 .timer_del = common_timer_del,
80627 - struct k_clock clock_monotonic = {
80628 + static struct k_clock clock_monotonic = {
80629 .clock_getres = hrtimer_get_res,
80630 .clock_get = posix_ktime_get_ts,
80631 .nsleep = common_nsleep,
80632 @@ -297,19 +298,19 @@ static __init int init_posix_timers(void)
80633 .timer_get = common_timer_get,
80634 .timer_del = common_timer_del,
80636 - struct k_clock clock_monotonic_raw = {
80637 + static struct k_clock clock_monotonic_raw = {
80638 .clock_getres = hrtimer_get_res,
80639 .clock_get = posix_get_monotonic_raw,
80641 - struct k_clock clock_realtime_coarse = {
80642 + static struct k_clock clock_realtime_coarse = {
80643 .clock_getres = posix_get_coarse_res,
80644 .clock_get = posix_get_realtime_coarse,
80646 - struct k_clock clock_monotonic_coarse = {
80647 + static struct k_clock clock_monotonic_coarse = {
80648 .clock_getres = posix_get_coarse_res,
80649 .clock_get = posix_get_monotonic_coarse,
80651 - struct k_clock clock_tai = {
80652 + static struct k_clock clock_tai = {
80653 .clock_getres = hrtimer_get_res,
80654 .clock_get = posix_get_tai,
80655 .nsleep = common_nsleep,
80656 @@ -319,7 +320,7 @@ static __init int init_posix_timers(void)
80657 .timer_get = common_timer_get,
80658 .timer_del = common_timer_del,
80660 - struct k_clock clock_boottime = {
80661 + static struct k_clock clock_boottime = {
80662 .clock_getres = hrtimer_get_res,
80663 .clock_get = posix_get_boottime,
80664 .nsleep = common_nsleep,
80665 @@ -531,7 +532,7 @@ void posix_timers_register_clock(const clockid_t clock_id,
80669 - posix_clocks[clock_id] = *new_clock;
80670 + posix_clocks[clock_id] = new_clock;
80672 EXPORT_SYMBOL_GPL(posix_timers_register_clock);
80674 @@ -577,9 +578,9 @@ static struct k_clock *clockid_to_kclock(const clockid_t id)
80675 return (id & CLOCKFD_MASK) == CLOCKFD ?
80676 &clock_posix_dynamic : &clock_posix_cpu;
80678 - if (id >= MAX_CLOCKS || !posix_clocks[id].clock_getres)
80679 + if (id >= MAX_CLOCKS || !posix_clocks[id] || !posix_clocks[id]->clock_getres)
80681 - return &posix_clocks[id];
80682 + return posix_clocks[id];
80685 static int common_timer_create(struct k_itimer *new_timer)
80686 @@ -597,7 +598,7 @@ SYSCALL_DEFINE3(timer_create, const clockid_t, which_clock,
80687 struct k_clock *kc = clockid_to_kclock(which_clock);
80688 struct k_itimer *new_timer;
80689 int error, new_timer_id;
80690 - sigevent_t event;
80691 + sigevent_t event = { };
80692 int it_id_set = IT_ID_NOT_SET;
80695 @@ -1011,6 +1012,13 @@ SYSCALL_DEFINE2(clock_settime, const clockid_t, which_clock,
80696 if (copy_from_user(&new_tp, tp, sizeof (*tp)))
80699 + /* only the CLOCK_REALTIME clock can be set, all other clocks
80700 + have their clock_set fptr set to a nosettime dummy function
80701 + CLOCK_REALTIME has a NULL clock_set fptr which causes it to
80702 + call common_clock_set, which calls do_sys_settimeofday, which
80706 return kc->clock_set(which_clock, &new_tp);
80709 diff --git a/kernel/power/process.c b/kernel/power/process.c
80710 index 98088e0..aaf95c0 100644
80711 --- a/kernel/power/process.c
80712 +++ b/kernel/power/process.c
80713 @@ -33,6 +33,7 @@ static int try_to_freeze_tasks(bool user_only)
80714 u64 elapsed_csecs64;
80715 unsigned int elapsed_csecs;
80716 bool wakeup = false;
80717 + bool timedout = false;
80719 do_gettimeofday(&start);
80721 @@ -43,13 +44,20 @@ static int try_to_freeze_tasks(bool user_only)
80725 + if (time_after(jiffies, end_time))
80727 read_lock(&tasklist_lock);
80728 do_each_thread(g, p) {
80729 if (p == current || !freeze_task(p))
80732 - if (!freezer_should_skip(p))
80733 + if (!freezer_should_skip(p)) {
80736 + printk(KERN_ERR "Task refusing to freeze:\n");
80737 + sched_show_task(p);
80740 } while_each_thread(g, p);
80741 read_unlock(&tasklist_lock);
80743 @@ -58,7 +66,7 @@ static int try_to_freeze_tasks(bool user_only)
80747 - if (!todo || time_after(jiffies, end_time))
80748 + if (!todo || timedout)
80751 if (pm_wakeup_pending()) {
80752 diff --git a/kernel/printk.c b/kernel/printk.c
80753 index d37d45c..ab918b3 100644
80754 --- a/kernel/printk.c
80755 +++ b/kernel/printk.c
80756 @@ -390,6 +390,11 @@ static int check_syslog_permissions(int type, bool from_file)
80757 if (from_file && type != SYSLOG_ACTION_OPEN)
80760 +#ifdef CONFIG_GRKERNSEC_DMESG
80761 + if (grsec_enable_dmesg && !capable(CAP_SYSLOG) && !capable_nolog(CAP_SYS_ADMIN))
80765 if (syslog_action_restricted(type)) {
80766 if (capable(CAP_SYSLOG))
80768 diff --git a/kernel/profile.c b/kernel/profile.c
80769 index 0bf4007..6234708 100644
80770 --- a/kernel/profile.c
80771 +++ b/kernel/profile.c
80772 @@ -37,7 +37,7 @@ struct profile_hit {
80773 #define NR_PROFILE_HIT (PAGE_SIZE/sizeof(struct profile_hit))
80774 #define NR_PROFILE_GRP (NR_PROFILE_HIT/PROFILE_GRPSZ)
80776 -static atomic_t *prof_buffer;
80777 +static atomic_unchecked_t *prof_buffer;
80778 static unsigned long prof_len, prof_shift;
80780 int prof_on __read_mostly;
80781 @@ -260,7 +260,7 @@ static void profile_flip_buffers(void)
80785 - atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
80786 + atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
80787 hits[i].hits = hits[i].pc = 0;
80790 @@ -321,9 +321,9 @@ static void do_profile_hits(int type, void *__pc, unsigned int nr_hits)
80791 * Add the current hit(s) and flush the write-queue out
80792 * to the global buffer:
80794 - atomic_add(nr_hits, &prof_buffer[pc]);
80795 + atomic_add_unchecked(nr_hits, &prof_buffer[pc]);
80796 for (i = 0; i < NR_PROFILE_HIT; ++i) {
80797 - atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
80798 + atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
80799 hits[i].pc = hits[i].hits = 0;
80802 @@ -398,7 +398,7 @@ static void do_profile_hits(int type, void *__pc, unsigned int nr_hits)
80805 pc = ((unsigned long)__pc - (unsigned long)_stext) >> prof_shift;
80806 - atomic_add(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
80807 + atomic_add_unchecked(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
80809 #endif /* !CONFIG_SMP */
80811 @@ -494,7 +494,7 @@ read_profile(struct file *file, char __user *buf, size_t count, loff_t *ppos)
80813 buf++; p++; count--; read++;
80815 - pnt = (char *)prof_buffer + p - sizeof(atomic_t);
80816 + pnt = (char *)prof_buffer + p - sizeof(atomic_unchecked_t);
80817 if (copy_to_user(buf, (void *)pnt, count))
80820 @@ -525,7 +525,7 @@ static ssize_t write_profile(struct file *file, const char __user *buf,
80823 profile_discard_flip_buffers();
80824 - memset(prof_buffer, 0, prof_len * sizeof(atomic_t));
80825 + memset(prof_buffer, 0, prof_len * sizeof(atomic_unchecked_t));
80829 diff --git a/kernel/ptrace.c b/kernel/ptrace.c
80830 index 335a7ae..3bbbceb 100644
80831 --- a/kernel/ptrace.c
80832 +++ b/kernel/ptrace.c
80833 @@ -326,7 +326,7 @@ static int ptrace_attach(struct task_struct *task, long request,
80835 flags |= PT_SEIZED;
80837 - if (ns_capable(__task_cred(task)->user_ns, CAP_SYS_PTRACE))
80838 + if (ns_capable_nolog(__task_cred(task)->user_ns, CAP_SYS_PTRACE))
80839 flags |= PT_PTRACE_CAP;
80841 task->ptrace = flags;
80842 @@ -537,7 +537,7 @@ int ptrace_readdata(struct task_struct *tsk, unsigned long src, char __user *dst
80846 - if (copy_to_user(dst, buf, retval))
80847 + if (retval > sizeof(buf) || copy_to_user(dst, buf, retval))
80851 @@ -805,7 +805,7 @@ int ptrace_request(struct task_struct *child, long request,
80852 bool seized = child->ptrace & PT_SEIZED;
80854 siginfo_t siginfo, *si;
80855 - void __user *datavp = (void __user *) data;
80856 + void __user *datavp = (__force void __user *) data;
80857 unsigned long __user *datalp = datavp;
80858 unsigned long flags;
80860 @@ -1011,14 +1011,21 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, unsigned long, addr,
80864 + if (gr_handle_ptrace(child, request)) {
80866 + goto out_put_task_struct;
80869 if (request == PTRACE_ATTACH || request == PTRACE_SEIZE) {
80870 ret = ptrace_attach(child, request, addr, data);
80872 * Some architectures need to do book-keeping after
80877 arch_ptrace_attach(child);
80878 + gr_audit_ptrace(child);
80880 goto out_put_task_struct;
80883 @@ -1046,7 +1053,7 @@ int generic_ptrace_peekdata(struct task_struct *tsk, unsigned long addr,
80884 copied = access_process_vm(tsk, addr, &tmp, sizeof(tmp), 0);
80885 if (copied != sizeof(tmp))
80887 - return put_user(tmp, (unsigned long __user *)data);
80888 + return put_user(tmp, (__force unsigned long __user *)data);
80891 int generic_ptrace_pokedata(struct task_struct *tsk, unsigned long addr,
80892 @@ -1140,7 +1147,7 @@ int compat_ptrace_request(struct task_struct *child, compat_long_t request,
80895 asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid,
80896 - compat_long_t addr, compat_long_t data)
80897 + compat_ulong_t addr, compat_ulong_t data)
80899 struct task_struct *child;
80901 @@ -1156,14 +1163,21 @@ asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid,
80905 + if (gr_handle_ptrace(child, request)) {
80907 + goto out_put_task_struct;
80910 if (request == PTRACE_ATTACH || request == PTRACE_SEIZE) {
80911 ret = ptrace_attach(child, request, addr, data);
80913 * Some architectures need to do book-keeping after
80918 arch_ptrace_attach(child);
80919 + gr_audit_ptrace(child);
80921 goto out_put_task_struct;
80924 diff --git a/kernel/rcupdate.c b/kernel/rcupdate.c
80925 index 48ab703..07561d4 100644
80926 --- a/kernel/rcupdate.c
80927 +++ b/kernel/rcupdate.c
80928 @@ -439,10 +439,10 @@ int rcu_jiffies_till_stall_check(void)
80929 * for CONFIG_RCU_CPU_STALL_TIMEOUT.
80931 if (till_stall_check < 3) {
80932 - ACCESS_ONCE(rcu_cpu_stall_timeout) = 3;
80933 + ACCESS_ONCE_RW(rcu_cpu_stall_timeout) = 3;
80934 till_stall_check = 3;
80935 } else if (till_stall_check > 300) {
80936 - ACCESS_ONCE(rcu_cpu_stall_timeout) = 300;
80937 + ACCESS_ONCE_RW(rcu_cpu_stall_timeout) = 300;
80938 till_stall_check = 300;
80940 return till_stall_check * HZ + RCU_STALL_DELAY_DELTA;
80941 diff --git a/kernel/rcutiny.c b/kernel/rcutiny.c
80942 index a0714a5..2ab5e34 100644
80943 --- a/kernel/rcutiny.c
80944 +++ b/kernel/rcutiny.c
80946 struct rcu_ctrlblk;
80947 static void invoke_rcu_callbacks(void);
80948 static void __rcu_process_callbacks(struct rcu_ctrlblk *rcp);
80949 -static void rcu_process_callbacks(struct softirq_action *unused);
80950 +static void rcu_process_callbacks(void);
80951 static void __call_rcu(struct rcu_head *head,
80952 void (*func)(struct rcu_head *rcu),
80953 struct rcu_ctrlblk *rcp);
80954 @@ -312,7 +312,7 @@ static void __rcu_process_callbacks(struct rcu_ctrlblk *rcp)
80955 rcu_is_callbacks_kthread()));
80958 -static void rcu_process_callbacks(struct softirq_action *unused)
80959 +static void rcu_process_callbacks(void)
80961 __rcu_process_callbacks(&rcu_sched_ctrlblk);
80962 __rcu_process_callbacks(&rcu_bh_ctrlblk);
80963 diff --git a/kernel/rcutiny_plugin.h b/kernel/rcutiny_plugin.h
80964 index 8a23300..4255818 100644
80965 --- a/kernel/rcutiny_plugin.h
80966 +++ b/kernel/rcutiny_plugin.h
80967 @@ -945,7 +945,7 @@ static int rcu_kthread(void *arg)
80968 have_rcu_kthread_work = morework;
80969 local_irq_restore(flags);
80971 - rcu_process_callbacks(NULL);
80972 + rcu_process_callbacks();
80973 schedule_timeout_interruptible(1); /* Leave CPU for others. */
80976 diff --git a/kernel/rcutorture.c b/kernel/rcutorture.c
80977 index e1f3a8c..42c94a2 100644
80978 --- a/kernel/rcutorture.c
80979 +++ b/kernel/rcutorture.c
80980 @@ -164,12 +164,12 @@ static DEFINE_PER_CPU(long [RCU_TORTURE_PIPE_LEN + 1], rcu_torture_count) =
80982 static DEFINE_PER_CPU(long [RCU_TORTURE_PIPE_LEN + 1], rcu_torture_batch) =
80984 -static atomic_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
80985 -static atomic_t n_rcu_torture_alloc;
80986 -static atomic_t n_rcu_torture_alloc_fail;
80987 -static atomic_t n_rcu_torture_free;
80988 -static atomic_t n_rcu_torture_mberror;
80989 -static atomic_t n_rcu_torture_error;
80990 +static atomic_unchecked_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
80991 +static atomic_unchecked_t n_rcu_torture_alloc;
80992 +static atomic_unchecked_t n_rcu_torture_alloc_fail;
80993 +static atomic_unchecked_t n_rcu_torture_free;
80994 +static atomic_unchecked_t n_rcu_torture_mberror;
80995 +static atomic_unchecked_t n_rcu_torture_error;
80996 static long n_rcu_torture_barrier_error;
80997 static long n_rcu_torture_boost_ktrerror;
80998 static long n_rcu_torture_boost_rterror;
80999 @@ -287,11 +287,11 @@ rcu_torture_alloc(void)
81001 spin_lock_bh(&rcu_torture_lock);
81002 if (list_empty(&rcu_torture_freelist)) {
81003 - atomic_inc(&n_rcu_torture_alloc_fail);
81004 + atomic_inc_unchecked(&n_rcu_torture_alloc_fail);
81005 spin_unlock_bh(&rcu_torture_lock);
81008 - atomic_inc(&n_rcu_torture_alloc);
81009 + atomic_inc_unchecked(&n_rcu_torture_alloc);
81010 p = rcu_torture_freelist.next;
81012 spin_unlock_bh(&rcu_torture_lock);
81013 @@ -304,7 +304,7 @@ rcu_torture_alloc(void)
81015 rcu_torture_free(struct rcu_torture *p)
81017 - atomic_inc(&n_rcu_torture_free);
81018 + atomic_inc_unchecked(&n_rcu_torture_free);
81019 spin_lock_bh(&rcu_torture_lock);
81020 list_add_tail(&p->rtort_free, &rcu_torture_freelist);
81021 spin_unlock_bh(&rcu_torture_lock);
81022 @@ -424,7 +424,7 @@ rcu_torture_cb(struct rcu_head *p)
81023 i = rp->rtort_pipe_count;
81024 if (i > RCU_TORTURE_PIPE_LEN)
81025 i = RCU_TORTURE_PIPE_LEN;
81026 - atomic_inc(&rcu_torture_wcount[i]);
81027 + atomic_inc_unchecked(&rcu_torture_wcount[i]);
81028 if (++rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
81029 rp->rtort_mbtest = 0;
81030 rcu_torture_free(rp);
81031 @@ -472,7 +472,7 @@ static void rcu_sync_torture_deferred_free(struct rcu_torture *p)
81032 i = rp->rtort_pipe_count;
81033 if (i > RCU_TORTURE_PIPE_LEN)
81034 i = RCU_TORTURE_PIPE_LEN;
81035 - atomic_inc(&rcu_torture_wcount[i]);
81036 + atomic_inc_unchecked(&rcu_torture_wcount[i]);
81037 if (++rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
81038 rp->rtort_mbtest = 0;
81039 list_del(&rp->rtort_free);
81040 @@ -990,7 +990,7 @@ rcu_torture_writer(void *arg)
81041 i = old_rp->rtort_pipe_count;
81042 if (i > RCU_TORTURE_PIPE_LEN)
81043 i = RCU_TORTURE_PIPE_LEN;
81044 - atomic_inc(&rcu_torture_wcount[i]);
81045 + atomic_inc_unchecked(&rcu_torture_wcount[i]);
81046 old_rp->rtort_pipe_count++;
81047 cur_ops->deferred_free(old_rp);
81049 @@ -1076,7 +1076,7 @@ static void rcu_torture_timer(unsigned long unused)
81052 if (p->rtort_mbtest == 0)
81053 - atomic_inc(&n_rcu_torture_mberror);
81054 + atomic_inc_unchecked(&n_rcu_torture_mberror);
81055 spin_lock(&rand_lock);
81056 cur_ops->read_delay(&rand);
81057 n_rcu_torture_timers++;
81058 @@ -1146,7 +1146,7 @@ rcu_torture_reader(void *arg)
81061 if (p->rtort_mbtest == 0)
81062 - atomic_inc(&n_rcu_torture_mberror);
81063 + atomic_inc_unchecked(&n_rcu_torture_mberror);
81064 cur_ops->read_delay(&rand);
81066 pipe_count = p->rtort_pipe_count;
81067 @@ -1209,11 +1209,11 @@ rcu_torture_printk(char *page)
81068 rcu_torture_current,
81069 rcu_torture_current_version,
81070 list_empty(&rcu_torture_freelist),
81071 - atomic_read(&n_rcu_torture_alloc),
81072 - atomic_read(&n_rcu_torture_alloc_fail),
81073 - atomic_read(&n_rcu_torture_free));
81074 + atomic_read_unchecked(&n_rcu_torture_alloc),
81075 + atomic_read_unchecked(&n_rcu_torture_alloc_fail),
81076 + atomic_read_unchecked(&n_rcu_torture_free));
81077 cnt += sprintf(&page[cnt], "rtmbe: %d rtbke: %ld rtbre: %ld ",
81078 - atomic_read(&n_rcu_torture_mberror),
81079 + atomic_read_unchecked(&n_rcu_torture_mberror),
81080 n_rcu_torture_boost_ktrerror,
81081 n_rcu_torture_boost_rterror);
81082 cnt += sprintf(&page[cnt], "rtbf: %ld rtb: %ld nt: %ld ",
81083 @@ -1232,14 +1232,14 @@ rcu_torture_printk(char *page)
81084 n_barrier_attempts,
81085 n_rcu_torture_barrier_error);
81086 cnt += sprintf(&page[cnt], "\n%s%s ", torture_type, TORTURE_FLAG);
81087 - if (atomic_read(&n_rcu_torture_mberror) != 0 ||
81088 + if (atomic_read_unchecked(&n_rcu_torture_mberror) != 0 ||
81089 n_rcu_torture_barrier_error != 0 ||
81090 n_rcu_torture_boost_ktrerror != 0 ||
81091 n_rcu_torture_boost_rterror != 0 ||
81092 n_rcu_torture_boost_failure != 0 ||
81094 cnt += sprintf(&page[cnt], "!!! ");
81095 - atomic_inc(&n_rcu_torture_error);
81096 + atomic_inc_unchecked(&n_rcu_torture_error);
81099 cnt += sprintf(&page[cnt], "Reader Pipe: ");
81100 @@ -1253,7 +1253,7 @@ rcu_torture_printk(char *page)
81101 cnt += sprintf(&page[cnt], "Free-Block Circulation: ");
81102 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
81103 cnt += sprintf(&page[cnt], " %d",
81104 - atomic_read(&rcu_torture_wcount[i]));
81105 + atomic_read_unchecked(&rcu_torture_wcount[i]));
81107 cnt += sprintf(&page[cnt], "\n");
81108 if (cur_ops->stats)
81109 @@ -1962,7 +1962,7 @@ rcu_torture_cleanup(void)
81111 rcu_torture_stats_print(); /* -After- the stats thread is stopped! */
81113 - if (atomic_read(&n_rcu_torture_error) || n_rcu_torture_barrier_error)
81114 + if (atomic_read_unchecked(&n_rcu_torture_error) || n_rcu_torture_barrier_error)
81115 rcu_torture_print_module_parms(cur_ops, "End of test: FAILURE");
81116 else if (n_online_successes != n_online_attempts ||
81117 n_offline_successes != n_offline_attempts)
81118 @@ -2031,18 +2031,18 @@ rcu_torture_init(void)
81120 rcu_torture_current = NULL;
81121 rcu_torture_current_version = 0;
81122 - atomic_set(&n_rcu_torture_alloc, 0);
81123 - atomic_set(&n_rcu_torture_alloc_fail, 0);
81124 - atomic_set(&n_rcu_torture_free, 0);
81125 - atomic_set(&n_rcu_torture_mberror, 0);
81126 - atomic_set(&n_rcu_torture_error, 0);
81127 + atomic_set_unchecked(&n_rcu_torture_alloc, 0);
81128 + atomic_set_unchecked(&n_rcu_torture_alloc_fail, 0);
81129 + atomic_set_unchecked(&n_rcu_torture_free, 0);
81130 + atomic_set_unchecked(&n_rcu_torture_mberror, 0);
81131 + atomic_set_unchecked(&n_rcu_torture_error, 0);
81132 n_rcu_torture_barrier_error = 0;
81133 n_rcu_torture_boost_ktrerror = 0;
81134 n_rcu_torture_boost_rterror = 0;
81135 n_rcu_torture_boost_failure = 0;
81136 n_rcu_torture_boosts = 0;
81137 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++)
81138 - atomic_set(&rcu_torture_wcount[i], 0);
81139 + atomic_set_unchecked(&rcu_torture_wcount[i], 0);
81140 for_each_possible_cpu(cpu) {
81141 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
81142 per_cpu(rcu_torture_count, cpu)[i] = 0;
81143 diff --git a/kernel/rcutree.c b/kernel/rcutree.c
81144 index 3538001..e379e0b 100644
81145 --- a/kernel/rcutree.c
81146 +++ b/kernel/rcutree.c
81147 @@ -358,9 +358,9 @@ static void rcu_eqs_enter_common(struct rcu_dynticks *rdtp, long long oldval,
81148 rcu_prepare_for_idle(smp_processor_id());
81149 /* CPUs seeing atomic_inc() must see prior RCU read-side crit sects */
81150 smp_mb__before_atomic_inc(); /* See above. */
81151 - atomic_inc(&rdtp->dynticks);
81152 + atomic_inc_unchecked(&rdtp->dynticks);
81153 smp_mb__after_atomic_inc(); /* Force ordering with next sojourn. */
81154 - WARN_ON_ONCE(atomic_read(&rdtp->dynticks) & 0x1);
81155 + WARN_ON_ONCE(atomic_read_unchecked(&rdtp->dynticks) & 0x1);
81158 * It is illegal to enter an extended quiescent state while
81159 @@ -496,10 +496,10 @@ static void rcu_eqs_exit_common(struct rcu_dynticks *rdtp, long long oldval,
81162 smp_mb__before_atomic_inc(); /* Force ordering w/previous sojourn. */
81163 - atomic_inc(&rdtp->dynticks);
81164 + atomic_inc_unchecked(&rdtp->dynticks);
81165 /* CPUs seeing atomic_inc() must see later RCU read-side crit sects */
81166 smp_mb__after_atomic_inc(); /* See above. */
81167 - WARN_ON_ONCE(!(atomic_read(&rdtp->dynticks) & 0x1));
81168 + WARN_ON_ONCE(!(atomic_read_unchecked(&rdtp->dynticks) & 0x1));
81169 rcu_cleanup_after_idle(smp_processor_id());
81170 trace_rcu_dyntick("End", oldval, rdtp->dynticks_nesting);
81171 if (!user && !is_idle_task(current)) {
81172 @@ -638,14 +638,14 @@ void rcu_nmi_enter(void)
81173 struct rcu_dynticks *rdtp = &__get_cpu_var(rcu_dynticks);
81175 if (rdtp->dynticks_nmi_nesting == 0 &&
81176 - (atomic_read(&rdtp->dynticks) & 0x1))
81177 + (atomic_read_unchecked(&rdtp->dynticks) & 0x1))
81179 rdtp->dynticks_nmi_nesting++;
81180 smp_mb__before_atomic_inc(); /* Force delay from prior write. */
81181 - atomic_inc(&rdtp->dynticks);
81182 + atomic_inc_unchecked(&rdtp->dynticks);
81183 /* CPUs seeing atomic_inc() must see later RCU read-side crit sects */
81184 smp_mb__after_atomic_inc(); /* See above. */
81185 - WARN_ON_ONCE(!(atomic_read(&rdtp->dynticks) & 0x1));
81186 + WARN_ON_ONCE(!(atomic_read_unchecked(&rdtp->dynticks) & 0x1));
81190 @@ -664,9 +664,9 @@ void rcu_nmi_exit(void)
81192 /* CPUs seeing atomic_inc() must see prior RCU read-side crit sects */
81193 smp_mb__before_atomic_inc(); /* See above. */
81194 - atomic_inc(&rdtp->dynticks);
81195 + atomic_inc_unchecked(&rdtp->dynticks);
81196 smp_mb__after_atomic_inc(); /* Force delay to next write. */
81197 - WARN_ON_ONCE(atomic_read(&rdtp->dynticks) & 0x1);
81198 + WARN_ON_ONCE(atomic_read_unchecked(&rdtp->dynticks) & 0x1);
81202 @@ -680,7 +680,7 @@ int rcu_is_cpu_idle(void)
81206 - ret = (atomic_read(&__get_cpu_var(rcu_dynticks).dynticks) & 0x1) == 0;
81207 + ret = (atomic_read_unchecked(&__get_cpu_var(rcu_dynticks).dynticks) & 0x1) == 0;
81211 @@ -748,7 +748,7 @@ static int rcu_is_cpu_rrupt_from_idle(void)
81213 static int dyntick_save_progress_counter(struct rcu_data *rdp)
81215 - rdp->dynticks_snap = atomic_add_return(0, &rdp->dynticks->dynticks);
81216 + rdp->dynticks_snap = atomic_add_return_unchecked(0, &rdp->dynticks->dynticks);
81217 return (rdp->dynticks_snap & 0x1) == 0;
81220 @@ -763,7 +763,7 @@ static int rcu_implicit_dynticks_qs(struct rcu_data *rdp)
81224 - curr = (unsigned int)atomic_add_return(0, &rdp->dynticks->dynticks);
81225 + curr = (unsigned int)atomic_add_return_unchecked(0, &rdp->dynticks->dynticks);
81226 snap = (unsigned int)rdp->dynticks_snap;
81229 @@ -1440,9 +1440,9 @@ static int rcu_gp_init(struct rcu_state *rsp)
81230 rdp = this_cpu_ptr(rsp->rda);
81231 rcu_preempt_check_blocked_tasks(rnp);
81232 rnp->qsmask = rnp->qsmaskinit;
81233 - ACCESS_ONCE(rnp->gpnum) = rsp->gpnum;
81234 + ACCESS_ONCE_RW(rnp->gpnum) = rsp->gpnum;
81235 WARN_ON_ONCE(rnp->completed != rsp->completed);
81236 - ACCESS_ONCE(rnp->completed) = rsp->completed;
81237 + ACCESS_ONCE_RW(rnp->completed) = rsp->completed;
81238 if (rnp == rdp->mynode)
81239 rcu_start_gp_per_cpu(rsp, rnp, rdp);
81240 rcu_preempt_boost_start_gp(rnp);
81241 @@ -1524,7 +1524,7 @@ static void rcu_gp_cleanup(struct rcu_state *rsp)
81243 rcu_for_each_node_breadth_first(rsp, rnp) {
81244 raw_spin_lock_irq(&rnp->lock);
81245 - ACCESS_ONCE(rnp->completed) = rsp->gpnum;
81246 + ACCESS_ONCE_RW(rnp->completed) = rsp->gpnum;
81247 rdp = this_cpu_ptr(rsp->rda);
81248 if (rnp == rdp->mynode)
81249 __rcu_process_gp_end(rsp, rnp, rdp);
81250 @@ -1855,7 +1855,7 @@ rcu_send_cbs_to_orphanage(int cpu, struct rcu_state *rsp,
81251 rsp->qlen += rdp->qlen;
81252 rdp->n_cbs_orphaned += rdp->qlen;
81253 rdp->qlen_lazy = 0;
81254 - ACCESS_ONCE(rdp->qlen) = 0;
81255 + ACCESS_ONCE_RW(rdp->qlen) = 0;
81259 @@ -2101,7 +2101,7 @@ static void rcu_do_batch(struct rcu_state *rsp, struct rcu_data *rdp)
81261 smp_mb(); /* List handling before counting for rcu_barrier(). */
81262 rdp->qlen_lazy -= count_lazy;
81263 - ACCESS_ONCE(rdp->qlen) -= count;
81264 + ACCESS_ONCE_RW(rdp->qlen) -= count;
81265 rdp->n_cbs_invoked += count;
81267 /* Reinstate batch limit if we have worked down the excess. */
81268 @@ -2295,7 +2295,7 @@ __rcu_process_callbacks(struct rcu_state *rsp)
81270 * Do RCU core processing for the current CPU.
81272 -static void rcu_process_callbacks(struct softirq_action *unused)
81273 +static void rcu_process_callbacks(void)
81275 struct rcu_state *rsp;
81277 @@ -2419,7 +2419,7 @@ __call_rcu(struct rcu_head *head, void (*func)(struct rcu_head *rcu),
81278 local_irq_restore(flags);
81281 - ACCESS_ONCE(rdp->qlen)++;
81282 + ACCESS_ONCE_RW(rdp->qlen)++;
81286 @@ -2628,11 +2628,11 @@ void synchronize_sched_expedited(void)
81287 * counter wrap on a 32-bit system. Quite a few more CPUs would of
81288 * course be required on a 64-bit system.
81290 - if (ULONG_CMP_GE((ulong)atomic_long_read(&rsp->expedited_start),
81291 + if (ULONG_CMP_GE((ulong)atomic_long_read_unchecked(&rsp->expedited_start),
81292 (ulong)atomic_long_read(&rsp->expedited_done) +
81294 synchronize_sched();
81295 - atomic_long_inc(&rsp->expedited_wrap);
81296 + atomic_long_inc_unchecked(&rsp->expedited_wrap);
81300 @@ -2640,7 +2640,7 @@ void synchronize_sched_expedited(void)
81301 * Take a ticket. Note that atomic_inc_return() implies a
81302 * full memory barrier.
81304 - snap = atomic_long_inc_return(&rsp->expedited_start);
81305 + snap = atomic_long_inc_return_unchecked(&rsp->expedited_start);
81308 WARN_ON_ONCE(cpu_is_offline(raw_smp_processor_id()));
81309 @@ -2653,14 +2653,14 @@ void synchronize_sched_expedited(void)
81310 synchronize_sched_expedited_cpu_stop,
81311 NULL) == -EAGAIN) {
81313 - atomic_long_inc(&rsp->expedited_tryfail);
81314 + atomic_long_inc_unchecked(&rsp->expedited_tryfail);
81316 /* Check to see if someone else did our work for us. */
81317 s = atomic_long_read(&rsp->expedited_done);
81318 if (ULONG_CMP_GE((ulong)s, (ulong)firstsnap)) {
81319 /* ensure test happens before caller kfree */
81320 smp_mb__before_atomic_inc(); /* ^^^ */
81321 - atomic_long_inc(&rsp->expedited_workdone1);
81322 + atomic_long_inc_unchecked(&rsp->expedited_workdone1);
81326 @@ -2669,7 +2669,7 @@ void synchronize_sched_expedited(void)
81327 udelay(trycount * num_online_cpus());
81329 wait_rcu_gp(call_rcu_sched);
81330 - atomic_long_inc(&rsp->expedited_normal);
81331 + atomic_long_inc_unchecked(&rsp->expedited_normal);
81335 @@ -2678,7 +2678,7 @@ void synchronize_sched_expedited(void)
81336 if (ULONG_CMP_GE((ulong)s, (ulong)firstsnap)) {
81337 /* ensure test happens before caller kfree */
81338 smp_mb__before_atomic_inc(); /* ^^^ */
81339 - atomic_long_inc(&rsp->expedited_workdone2);
81340 + atomic_long_inc_unchecked(&rsp->expedited_workdone2);
81344 @@ -2690,10 +2690,10 @@ void synchronize_sched_expedited(void)
81345 * period works for us.
81348 - snap = atomic_long_read(&rsp->expedited_start);
81349 + snap = atomic_long_read_unchecked(&rsp->expedited_start);
81350 smp_mb(); /* ensure read is before try_stop_cpus(). */
81352 - atomic_long_inc(&rsp->expedited_stoppedcpus);
81353 + atomic_long_inc_unchecked(&rsp->expedited_stoppedcpus);
81356 * Everyone up to our most recent fetch is covered by our grace
81357 @@ -2702,16 +2702,16 @@ void synchronize_sched_expedited(void)
81358 * than we did already did their update.
81361 - atomic_long_inc(&rsp->expedited_done_tries);
81362 + atomic_long_inc_unchecked(&rsp->expedited_done_tries);
81363 s = atomic_long_read(&rsp->expedited_done);
81364 if (ULONG_CMP_GE((ulong)s, (ulong)snap)) {
81365 /* ensure test happens before caller kfree */
81366 smp_mb__before_atomic_inc(); /* ^^^ */
81367 - atomic_long_inc(&rsp->expedited_done_lost);
81368 + atomic_long_inc_unchecked(&rsp->expedited_done_lost);
81371 } while (atomic_long_cmpxchg(&rsp->expedited_done, s, snap) != s);
81372 - atomic_long_inc(&rsp->expedited_done_exit);
81373 + atomic_long_inc_unchecked(&rsp->expedited_done_exit);
81377 @@ -2893,7 +2893,7 @@ static void _rcu_barrier(struct rcu_state *rsp)
81378 * ACCESS_ONCE() to prevent the compiler from speculating
81379 * the increment to precede the early-exit check.
81381 - ACCESS_ONCE(rsp->n_barrier_done)++;
81382 + ACCESS_ONCE_RW(rsp->n_barrier_done)++;
81383 WARN_ON_ONCE((rsp->n_barrier_done & 0x1) != 1);
81384 _rcu_barrier_trace(rsp, "Inc1", -1, rsp->n_barrier_done);
81385 smp_mb(); /* Order ->n_barrier_done increment with below mechanism. */
81386 @@ -2943,7 +2943,7 @@ static void _rcu_barrier(struct rcu_state *rsp)
81388 /* Increment ->n_barrier_done to prevent duplicate work. */
81389 smp_mb(); /* Keep increment after above mechanism. */
81390 - ACCESS_ONCE(rsp->n_barrier_done)++;
81391 + ACCESS_ONCE_RW(rsp->n_barrier_done)++;
81392 WARN_ON_ONCE((rsp->n_barrier_done & 0x1) != 0);
81393 _rcu_barrier_trace(rsp, "Inc2", -1, rsp->n_barrier_done);
81394 smp_mb(); /* Keep increment before caller's subsequent code. */
81395 @@ -2988,10 +2988,10 @@ rcu_boot_init_percpu_data(int cpu, struct rcu_state *rsp)
81396 rdp->grpmask = 1UL << (cpu - rdp->mynode->grplo);
81397 init_callback_list(rdp);
81398 rdp->qlen_lazy = 0;
81399 - ACCESS_ONCE(rdp->qlen) = 0;
81400 + ACCESS_ONCE_RW(rdp->qlen) = 0;
81401 rdp->dynticks = &per_cpu(rcu_dynticks, cpu);
81402 WARN_ON_ONCE(rdp->dynticks->dynticks_nesting != DYNTICK_TASK_EXIT_IDLE);
81403 - WARN_ON_ONCE(atomic_read(&rdp->dynticks->dynticks) != 1);
81404 + WARN_ON_ONCE(atomic_read_unchecked(&rdp->dynticks->dynticks) != 1);
81407 rcu_boot_init_nocb_percpu_data(rdp);
81408 @@ -3024,8 +3024,8 @@ rcu_init_percpu_data(int cpu, struct rcu_state *rsp, int preemptible)
81409 rdp->blimit = blimit;
81410 init_callback_list(rdp); /* Re-enable callbacks on this CPU. */
81411 rdp->dynticks->dynticks_nesting = DYNTICK_TASK_EXIT_IDLE;
81412 - atomic_set(&rdp->dynticks->dynticks,
81413 - (atomic_read(&rdp->dynticks->dynticks) & ~0x1) + 1);
81414 + atomic_set_unchecked(&rdp->dynticks->dynticks,
81415 + (atomic_read_unchecked(&rdp->dynticks->dynticks) & ~0x1) + 1);
81416 raw_spin_unlock(&rnp->lock); /* irqs remain disabled. */
81418 /* Add CPU to rcu_node bitmasks. */
81419 @@ -3120,7 +3120,7 @@ static int __init rcu_spawn_gp_kthread(void)
81420 struct task_struct *t;
81422 for_each_rcu_flavor(rsp) {
81423 - t = kthread_run(rcu_gp_kthread, rsp, rsp->name);
81424 + t = kthread_run(rcu_gp_kthread, rsp, "%s", rsp->name);
81426 rnp = rcu_get_root(rsp);
81427 raw_spin_lock_irqsave(&rnp->lock, flags);
81428 diff --git a/kernel/rcutree.h b/kernel/rcutree.h
81429 index 4df5034..5ee93f2 100644
81430 --- a/kernel/rcutree.h
81431 +++ b/kernel/rcutree.h
81432 @@ -87,7 +87,7 @@ struct rcu_dynticks {
81433 long long dynticks_nesting; /* Track irq/process nesting level. */
81434 /* Process level is worth LLONG_MAX/2. */
81435 int dynticks_nmi_nesting; /* Track NMI nesting level. */
81436 - atomic_t dynticks; /* Even value for idle, else odd. */
81437 + atomic_unchecked_t dynticks;/* Even value for idle, else odd. */
81438 #ifdef CONFIG_RCU_FAST_NO_HZ
81439 bool all_lazy; /* Are all CPU's CBs lazy? */
81440 unsigned long nonlazy_posted;
81441 @@ -414,17 +414,17 @@ struct rcu_state {
81442 /* _rcu_barrier(). */
81443 /* End of fields guarded by barrier_mutex. */
81445 - atomic_long_t expedited_start; /* Starting ticket. */
81446 - atomic_long_t expedited_done; /* Done ticket. */
81447 - atomic_long_t expedited_wrap; /* # near-wrap incidents. */
81448 - atomic_long_t expedited_tryfail; /* # acquisition failures. */
81449 - atomic_long_t expedited_workdone1; /* # done by others #1. */
81450 - atomic_long_t expedited_workdone2; /* # done by others #2. */
81451 - atomic_long_t expedited_normal; /* # fallbacks to normal. */
81452 - atomic_long_t expedited_stoppedcpus; /* # successful stop_cpus. */
81453 - atomic_long_t expedited_done_tries; /* # tries to update _done. */
81454 - atomic_long_t expedited_done_lost; /* # times beaten to _done. */
81455 - atomic_long_t expedited_done_exit; /* # times exited _done loop. */
81456 + atomic_long_unchecked_t expedited_start; /* Starting ticket. */
81457 + atomic_long_t expedited_done; /* Done ticket. */
81458 + atomic_long_unchecked_t expedited_wrap; /* # near-wrap incidents. */
81459 + atomic_long_unchecked_t expedited_tryfail; /* # acquisition failures. */
81460 + atomic_long_unchecked_t expedited_workdone1; /* # done by others #1. */
81461 + atomic_long_unchecked_t expedited_workdone2; /* # done by others #2. */
81462 + atomic_long_unchecked_t expedited_normal; /* # fallbacks to normal. */
81463 + atomic_long_unchecked_t expedited_stoppedcpus; /* # successful stop_cpus. */
81464 + atomic_long_unchecked_t expedited_done_tries; /* # tries to update _done. */
81465 + atomic_long_unchecked_t expedited_done_lost; /* # times beaten to _done. */
81466 + atomic_long_unchecked_t expedited_done_exit; /* # times exited _done loop. */
81468 unsigned long jiffies_force_qs; /* Time at which to invoke */
81469 /* force_quiescent_state(). */
81470 diff --git a/kernel/rcutree_plugin.h b/kernel/rcutree_plugin.h
81471 index 3db5a37..b395fb35 100644
81472 --- a/kernel/rcutree_plugin.h
81473 +++ b/kernel/rcutree_plugin.h
81474 @@ -903,7 +903,7 @@ void synchronize_rcu_expedited(void)
81476 /* Clean up and exit. */
81477 smp_mb(); /* ensure expedited GP seen before counter increment. */
81478 - ACCESS_ONCE(sync_rcu_preempt_exp_count)++;
81479 + ACCESS_ONCE_RW(sync_rcu_preempt_exp_count)++;
81481 mutex_unlock(&sync_rcu_preempt_exp_mutex);
81483 @@ -1451,7 +1451,7 @@ static void rcu_boost_kthread_setaffinity(struct rcu_node *rnp, int outgoingcpu)
81484 free_cpumask_var(cm);
81487 -static struct smp_hotplug_thread rcu_cpu_thread_spec = {
81488 +static struct smp_hotplug_thread rcu_cpu_thread_spec __read_only = {
81489 .store = &rcu_cpu_kthread_task,
81490 .thread_should_run = rcu_cpu_kthread_should_run,
81491 .thread_fn = rcu_cpu_kthread,
81492 @@ -1916,7 +1916,7 @@ static void print_cpu_stall_info(struct rcu_state *rsp, int cpu)
81493 print_cpu_stall_fast_no_hz(fast_no_hz, cpu);
81494 printk(KERN_ERR "\t%d: (%lu %s) idle=%03x/%llx/%d softirq=%u/%u %s\n",
81495 cpu, ticks_value, ticks_title,
81496 - atomic_read(&rdtp->dynticks) & 0xfff,
81497 + atomic_read_unchecked(&rdtp->dynticks) & 0xfff,
81498 rdtp->dynticks_nesting, rdtp->dynticks_nmi_nesting,
81499 rdp->softirq_snap, kstat_softirqs_cpu(RCU_SOFTIRQ, cpu),
81501 @@ -2079,7 +2079,7 @@ static void __call_rcu_nocb_enqueue(struct rcu_data *rdp,
81503 /* Enqueue the callback on the nocb list and update counts. */
81504 old_rhpp = xchg(&rdp->nocb_tail, rhtp);
81505 - ACCESS_ONCE(*old_rhpp) = rhp;
81506 + ACCESS_ONCE_RW(*old_rhpp) = rhp;
81507 atomic_long_add(rhcount, &rdp->nocb_q_count);
81508 atomic_long_add(rhcount_lazy, &rdp->nocb_q_count_lazy);
81510 @@ -2219,12 +2219,12 @@ static int rcu_nocb_kthread(void *arg)
81511 * Extract queued callbacks, update counts, and wait
81512 * for a grace period to elapse.
81514 - ACCESS_ONCE(rdp->nocb_head) = NULL;
81515 + ACCESS_ONCE_RW(rdp->nocb_head) = NULL;
81516 tail = xchg(&rdp->nocb_tail, &rdp->nocb_head);
81517 c = atomic_long_xchg(&rdp->nocb_q_count, 0);
81518 cl = atomic_long_xchg(&rdp->nocb_q_count_lazy, 0);
81519 - ACCESS_ONCE(rdp->nocb_p_count) += c;
81520 - ACCESS_ONCE(rdp->nocb_p_count_lazy) += cl;
81521 + ACCESS_ONCE_RW(rdp->nocb_p_count) += c;
81522 + ACCESS_ONCE_RW(rdp->nocb_p_count_lazy) += cl;
81523 rcu_nocb_wait_gp(rdp);
81525 /* Each pass through the following loop invokes a callback. */
81526 @@ -2246,8 +2246,8 @@ static int rcu_nocb_kthread(void *arg)
81529 trace_rcu_batch_end(rdp->rsp->name, c, !!list, 0, 0, 1);
81530 - ACCESS_ONCE(rdp->nocb_p_count) -= c;
81531 - ACCESS_ONCE(rdp->nocb_p_count_lazy) -= cl;
81532 + ACCESS_ONCE_RW(rdp->nocb_p_count) -= c;
81533 + ACCESS_ONCE_RW(rdp->nocb_p_count_lazy) -= cl;
81534 rdp->n_nocbs_invoked += c;
81537 @@ -2274,7 +2274,7 @@ static void __init rcu_spawn_nocb_kthreads(struct rcu_state *rsp)
81538 t = kthread_run(rcu_nocb_kthread, rdp,
81539 "rcuo%c/%d", rsp->abbr, cpu);
81541 - ACCESS_ONCE(rdp->nocb_kthread) = t;
81542 + ACCESS_ONCE_RW(rdp->nocb_kthread) = t;
81546 diff --git a/kernel/rcutree_trace.c b/kernel/rcutree_trace.c
81547 index cf6c174..a8f4b50 100644
81548 --- a/kernel/rcutree_trace.c
81549 +++ b/kernel/rcutree_trace.c
81550 @@ -121,7 +121,7 @@ static void print_one_rcu_data(struct seq_file *m, struct rcu_data *rdp)
81551 ulong2long(rdp->completed), ulong2long(rdp->gpnum),
81552 rdp->passed_quiesce, rdp->qs_pending);
81553 seq_printf(m, " dt=%d/%llx/%d df=%lu",
81554 - atomic_read(&rdp->dynticks->dynticks),
81555 + atomic_read_unchecked(&rdp->dynticks->dynticks),
81556 rdp->dynticks->dynticks_nesting,
81557 rdp->dynticks->dynticks_nmi_nesting,
81558 rdp->dynticks_fqs);
81559 @@ -182,17 +182,17 @@ static int show_rcuexp(struct seq_file *m, void *v)
81560 struct rcu_state *rsp = (struct rcu_state *)m->private;
81562 seq_printf(m, "s=%lu d=%lu w=%lu tf=%lu wd1=%lu wd2=%lu n=%lu sc=%lu dt=%lu dl=%lu dx=%lu\n",
81563 - atomic_long_read(&rsp->expedited_start),
81564 + atomic_long_read_unchecked(&rsp->expedited_start),
81565 atomic_long_read(&rsp->expedited_done),
81566 - atomic_long_read(&rsp->expedited_wrap),
81567 - atomic_long_read(&rsp->expedited_tryfail),
81568 - atomic_long_read(&rsp->expedited_workdone1),
81569 - atomic_long_read(&rsp->expedited_workdone2),
81570 - atomic_long_read(&rsp->expedited_normal),
81571 - atomic_long_read(&rsp->expedited_stoppedcpus),
81572 - atomic_long_read(&rsp->expedited_done_tries),
81573 - atomic_long_read(&rsp->expedited_done_lost),
81574 - atomic_long_read(&rsp->expedited_done_exit));
81575 + atomic_long_read_unchecked(&rsp->expedited_wrap),
81576 + atomic_long_read_unchecked(&rsp->expedited_tryfail),
81577 + atomic_long_read_unchecked(&rsp->expedited_workdone1),
81578 + atomic_long_read_unchecked(&rsp->expedited_workdone2),
81579 + atomic_long_read_unchecked(&rsp->expedited_normal),
81580 + atomic_long_read_unchecked(&rsp->expedited_stoppedcpus),
81581 + atomic_long_read_unchecked(&rsp->expedited_done_tries),
81582 + atomic_long_read_unchecked(&rsp->expedited_done_lost),
81583 + atomic_long_read_unchecked(&rsp->expedited_done_exit));
81587 diff --git a/kernel/resource.c b/kernel/resource.c
81588 index d738698..5f8e60a 100644
81589 --- a/kernel/resource.c
81590 +++ b/kernel/resource.c
81591 @@ -152,8 +152,18 @@ static const struct file_operations proc_iomem_operations = {
81593 static int __init ioresources_init(void)
81595 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
81596 +#ifdef CONFIG_GRKERNSEC_PROC_USER
81597 + proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
81598 + proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
81599 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
81600 + proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
81601 + proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
81604 proc_create("ioports", 0, NULL, &proc_ioports_operations);
81605 proc_create("iomem", 0, NULL, &proc_iomem_operations);
81609 __initcall(ioresources_init);
81610 diff --git a/kernel/rtmutex-tester.c b/kernel/rtmutex-tester.c
81611 index 1d96dd0..994ff19 100644
81612 --- a/kernel/rtmutex-tester.c
81613 +++ b/kernel/rtmutex-tester.c
81615 #define MAX_RT_TEST_MUTEXES 8
81617 static spinlock_t rttest_lock;
81618 -static atomic_t rttest_event;
81619 +static atomic_unchecked_t rttest_event;
81621 struct test_thread_data {
81623 @@ -63,7 +63,7 @@ static int handle_op(struct test_thread_data *td, int lockwakeup)
81625 case RTTEST_LOCKCONT:
81626 td->mutexes[td->opdata] = 1;
81627 - td->event = atomic_add_return(1, &rttest_event);
81628 + td->event = atomic_add_return_unchecked(1, &rttest_event);
81632 @@ -76,7 +76,7 @@ static int handle_op(struct test_thread_data *td, int lockwakeup)
81635 case RTTEST_RESETEVENT:
81636 - atomic_set(&rttest_event, 0);
81637 + atomic_set_unchecked(&rttest_event, 0);
81641 @@ -93,9 +93,9 @@ static int handle_op(struct test_thread_data *td, int lockwakeup)
81644 td->mutexes[id] = 1;
81645 - td->event = atomic_add_return(1, &rttest_event);
81646 + td->event = atomic_add_return_unchecked(1, &rttest_event);
81647 rt_mutex_lock(&mutexes[id]);
81648 - td->event = atomic_add_return(1, &rttest_event);
81649 + td->event = atomic_add_return_unchecked(1, &rttest_event);
81650 td->mutexes[id] = 4;
81653 @@ -106,9 +106,9 @@ static int handle_op(struct test_thread_data *td, int lockwakeup)
81656 td->mutexes[id] = 1;
81657 - td->event = atomic_add_return(1, &rttest_event);
81658 + td->event = atomic_add_return_unchecked(1, &rttest_event);
81659 ret = rt_mutex_lock_interruptible(&mutexes[id], 0);
81660 - td->event = atomic_add_return(1, &rttest_event);
81661 + td->event = atomic_add_return_unchecked(1, &rttest_event);
81662 td->mutexes[id] = ret ? 0 : 4;
81663 return ret ? -EINTR : 0;
81665 @@ -117,9 +117,9 @@ static int handle_op(struct test_thread_data *td, int lockwakeup)
81666 if (id < 0 || id >= MAX_RT_TEST_MUTEXES || td->mutexes[id] != 4)
81669 - td->event = atomic_add_return(1, &rttest_event);
81670 + td->event = atomic_add_return_unchecked(1, &rttest_event);
81671 rt_mutex_unlock(&mutexes[id]);
81672 - td->event = atomic_add_return(1, &rttest_event);
81673 + td->event = atomic_add_return_unchecked(1, &rttest_event);
81674 td->mutexes[id] = 0;
81677 @@ -166,7 +166,7 @@ void schedule_rt_mutex_test(struct rt_mutex *mutex)
81680 td->mutexes[dat] = 2;
81681 - td->event = atomic_add_return(1, &rttest_event);
81682 + td->event = atomic_add_return_unchecked(1, &rttest_event);
81686 @@ -186,7 +186,7 @@ void schedule_rt_mutex_test(struct rt_mutex *mutex)
81689 td->mutexes[dat] = 3;
81690 - td->event = atomic_add_return(1, &rttest_event);
81691 + td->event = atomic_add_return_unchecked(1, &rttest_event);
81694 case RTTEST_LOCKNOWAIT:
81695 @@ -198,7 +198,7 @@ void schedule_rt_mutex_test(struct rt_mutex *mutex)
81698 td->mutexes[dat] = 1;
81699 - td->event = atomic_add_return(1, &rttest_event);
81700 + td->event = atomic_add_return_unchecked(1, &rttest_event);
81704 diff --git a/kernel/sched/auto_group.c b/kernel/sched/auto_group.c
81705 index 64de5f8..7735e12 100644
81706 --- a/kernel/sched/auto_group.c
81707 +++ b/kernel/sched/auto_group.c
81710 unsigned int __read_mostly sysctl_sched_autogroup_enabled = 1;
81711 static struct autogroup autogroup_default;
81712 -static atomic_t autogroup_seq_nr;
81713 +static atomic_unchecked_t autogroup_seq_nr;
81715 void __init autogroup_init(struct task_struct *init_task)
81717 @@ -81,7 +81,7 @@ static inline struct autogroup *autogroup_create(void)
81719 kref_init(&ag->kref);
81720 init_rwsem(&ag->lock);
81721 - ag->id = atomic_inc_return(&autogroup_seq_nr);
81722 + ag->id = atomic_inc_return_unchecked(&autogroup_seq_nr);
81724 #ifdef CONFIG_RT_GROUP_SCHED
81726 diff --git a/kernel/sched/core.c b/kernel/sched/core.c
81727 index e8b3350..d83d44e 100644
81728 --- a/kernel/sched/core.c
81729 +++ b/kernel/sched/core.c
81730 @@ -3440,7 +3440,7 @@ EXPORT_SYMBOL(wait_for_completion_interruptible);
81731 * The return value is -ERESTARTSYS if interrupted, 0 if timed out,
81732 * positive (at least 1, or number of jiffies left till timeout) if completed.
81735 +long __sched __intentional_overflow(-1)
81736 wait_for_completion_interruptible_timeout(struct completion *x,
81737 unsigned long timeout)
81739 @@ -3457,7 +3457,7 @@ EXPORT_SYMBOL(wait_for_completion_interruptible_timeout);
81741 * The return value is -ERESTARTSYS if interrupted, 0 if completed.
81743 -int __sched wait_for_completion_killable(struct completion *x)
81744 +int __sched __intentional_overflow(-1) wait_for_completion_killable(struct completion *x)
81746 long t = wait_for_common(x, MAX_SCHEDULE_TIMEOUT, TASK_KILLABLE);
81747 if (t == -ERESTARTSYS)
81748 @@ -3478,7 +3478,7 @@ EXPORT_SYMBOL(wait_for_completion_killable);
81749 * The return value is -ERESTARTSYS if interrupted, 0 if timed out,
81750 * positive (at least 1, or number of jiffies left till timeout) if completed.
81753 +long __sched __intentional_overflow(-1)
81754 wait_for_completion_killable_timeout(struct completion *x,
81755 unsigned long timeout)
81757 @@ -3704,6 +3704,8 @@ int can_nice(const struct task_struct *p, const int nice)
81758 /* convert nice value [19,-20] to rlimit style value [1,40] */
81759 int nice_rlim = 20 - nice;
81761 + gr_learn_resource(p, RLIMIT_NICE, nice_rlim, 1);
81763 return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
81764 capable(CAP_SYS_NICE));
81766 @@ -3737,7 +3739,8 @@ SYSCALL_DEFINE1(nice, int, increment)
81770 - if (increment < 0 && !can_nice(current, nice))
81771 + if (increment < 0 && (!can_nice(current, nice) ||
81772 + gr_handle_chroot_nice()))
81775 retval = security_task_setnice(current, nice);
81776 @@ -3891,6 +3894,7 @@ recheck:
81777 unsigned long rlim_rtprio =
81778 task_rlimit(p, RLIMIT_RTPRIO);
81780 + gr_learn_resource(p, RLIMIT_RTPRIO, param->sched_priority, 1);
81781 /* can't set/change the rt policy */
81782 if (policy != p->policy && !rlim_rtprio)
81784 @@ -4988,7 +4992,7 @@ static void migrate_tasks(unsigned int dead_cpu)
81786 #if defined(CONFIG_SCHED_DEBUG) && defined(CONFIG_SYSCTL)
81788 -static struct ctl_table sd_ctl_dir[] = {
81789 +static ctl_table_no_const sd_ctl_dir[] __read_only = {
81791 .procname = "sched_domain",
81793 @@ -5005,17 +5009,17 @@ static struct ctl_table sd_ctl_root[] = {
81797 -static struct ctl_table *sd_alloc_ctl_entry(int n)
81798 +static ctl_table_no_const *sd_alloc_ctl_entry(int n)
81800 - struct ctl_table *entry =
81801 + ctl_table_no_const *entry =
81802 kcalloc(n, sizeof(struct ctl_table), GFP_KERNEL);
81807 -static void sd_free_ctl_entry(struct ctl_table **tablep)
81808 +static void sd_free_ctl_entry(ctl_table_no_const *tablep)
81810 - struct ctl_table *entry;
81811 + ctl_table_no_const *entry;
81814 * In the intermediate directories, both the child directory and
81815 @@ -5023,22 +5027,25 @@ static void sd_free_ctl_entry(struct ctl_table **tablep)
81816 * will always be set. In the lowest directory the names are
81817 * static strings and all have proc handlers.
81819 - for (entry = *tablep; entry->mode; entry++) {
81820 - if (entry->child)
81821 - sd_free_ctl_entry(&entry->child);
81822 + for (entry = tablep; entry->mode; entry++) {
81823 + if (entry->child) {
81824 + sd_free_ctl_entry(entry->child);
81825 + pax_open_kernel();
81826 + entry->child = NULL;
81827 + pax_close_kernel();
81829 if (entry->proc_handler == NULL)
81830 kfree(entry->procname);
81838 static int min_load_idx = 0;
81839 static int max_load_idx = CPU_LOAD_IDX_MAX-1;
81842 -set_table_entry(struct ctl_table *entry,
81843 +set_table_entry(ctl_table_no_const *entry,
81844 const char *procname, void *data, int maxlen,
81845 umode_t mode, proc_handler *proc_handler,
81847 @@ -5058,7 +5065,7 @@ set_table_entry(struct ctl_table *entry,
81848 static struct ctl_table *
81849 sd_alloc_ctl_domain_table(struct sched_domain *sd)
81851 - struct ctl_table *table = sd_alloc_ctl_entry(13);
81852 + ctl_table_no_const *table = sd_alloc_ctl_entry(13);
81856 @@ -5093,9 +5100,9 @@ sd_alloc_ctl_domain_table(struct sched_domain *sd)
81860 -static ctl_table *sd_alloc_ctl_cpu_table(int cpu)
81861 +static ctl_table_no_const *sd_alloc_ctl_cpu_table(int cpu)
81863 - struct ctl_table *entry, *table;
81864 + ctl_table_no_const *entry, *table;
81865 struct sched_domain *sd;
81866 int domain_num = 0, i;
81868 @@ -5122,11 +5129,13 @@ static struct ctl_table_header *sd_sysctl_header;
81869 static void register_sched_domain_sysctl(void)
81871 int i, cpu_num = num_possible_cpus();
81872 - struct ctl_table *entry = sd_alloc_ctl_entry(cpu_num + 1);
81873 + ctl_table_no_const *entry = sd_alloc_ctl_entry(cpu_num + 1);
81876 WARN_ON(sd_ctl_dir[0].child);
81877 + pax_open_kernel();
81878 sd_ctl_dir[0].child = entry;
81879 + pax_close_kernel();
81883 @@ -5149,8 +5158,12 @@ static void unregister_sched_domain_sysctl(void)
81884 if (sd_sysctl_header)
81885 unregister_sysctl_table(sd_sysctl_header);
81886 sd_sysctl_header = NULL;
81887 - if (sd_ctl_dir[0].child)
81888 - sd_free_ctl_entry(&sd_ctl_dir[0].child);
81889 + if (sd_ctl_dir[0].child) {
81890 + sd_free_ctl_entry(sd_ctl_dir[0].child);
81891 + pax_open_kernel();
81892 + sd_ctl_dir[0].child = NULL;
81893 + pax_close_kernel();
81897 static void register_sched_domain_sysctl(void)
81898 @@ -5249,7 +5262,7 @@ migration_call(struct notifier_block *nfb, unsigned long action, void *hcpu)
81899 * happens before everything else. This has to be lower priority than
81900 * the notifier in the perf_event subsystem, though.
81902 -static struct notifier_block __cpuinitdata migration_notifier = {
81903 +static struct notifier_block migration_notifier = {
81904 .notifier_call = migration_call,
81905 .priority = CPU_PRI_MIGRATION,
81907 diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
81908 index 03b73be..9422b9f 100644
81909 --- a/kernel/sched/fair.c
81910 +++ b/kernel/sched/fair.c
81911 @@ -831,7 +831,7 @@ void task_numa_fault(int node, int pages, bool migrated)
81913 static void reset_ptenuma_scan(struct task_struct *p)
81915 - ACCESS_ONCE(p->mm->numa_scan_seq)++;
81916 + ACCESS_ONCE_RW(p->mm->numa_scan_seq)++;
81917 p->mm->numa_scan_offset = 0;
81920 @@ -5687,7 +5687,7 @@ static void nohz_idle_balance(int this_cpu, enum cpu_idle_type idle) { }
81921 * run_rebalance_domains is triggered when needed from the scheduler tick.
81922 * Also triggered for nohz idle balancing (with nohz_balancing_kick set).
81924 -static void run_rebalance_domains(struct softirq_action *h)
81925 +static void run_rebalance_domains(void)
81927 int this_cpu = smp_processor_id();
81928 struct rq *this_rq = cpu_rq(this_cpu);
81929 diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h
81930 index ce39224d..0e09343 100644
81931 --- a/kernel/sched/sched.h
81932 +++ b/kernel/sched/sched.h
81933 @@ -1009,7 +1009,7 @@ struct sched_class {
81934 #ifdef CONFIG_FAIR_GROUP_SCHED
81935 void (*task_move_group) (struct task_struct *p, int on_rq);
81940 #define sched_class_highest (&stop_sched_class)
81941 #define for_each_class(class) \
81942 diff --git a/kernel/signal.c b/kernel/signal.c
81943 index 113411b..20d0a99 100644
81944 --- a/kernel/signal.c
81945 +++ b/kernel/signal.c
81946 @@ -51,12 +51,12 @@ static struct kmem_cache *sigqueue_cachep;
81948 int print_fatal_signals __read_mostly;
81950 -static void __user *sig_handler(struct task_struct *t, int sig)
81951 +static __sighandler_t sig_handler(struct task_struct *t, int sig)
81953 return t->sighand->action[sig - 1].sa.sa_handler;
81956 -static int sig_handler_ignored(void __user *handler, int sig)
81957 +static int sig_handler_ignored(__sighandler_t handler, int sig)
81959 /* Is it explicitly or implicitly ignored? */
81960 return handler == SIG_IGN ||
81961 @@ -65,7 +65,7 @@ static int sig_handler_ignored(void __user *handler, int sig)
81963 static int sig_task_ignored(struct task_struct *t, int sig, bool force)
81965 - void __user *handler;
81966 + __sighandler_t handler;
81968 handler = sig_handler(t, sig);
81970 @@ -369,6 +369,9 @@ __sigqueue_alloc(int sig, struct task_struct *t, gfp_t flags, int override_rlimi
81971 atomic_inc(&user->sigpending);
81974 + if (!override_rlimit)
81975 + gr_learn_resource(t, RLIMIT_SIGPENDING, atomic_read(&user->sigpending), 1);
81977 if (override_rlimit ||
81978 atomic_read(&user->sigpending) <=
81979 task_rlimit(t, RLIMIT_SIGPENDING)) {
81980 @@ -496,7 +499,7 @@ flush_signal_handlers(struct task_struct *t, int force_default)
81982 int unhandled_signal(struct task_struct *tsk, int sig)
81984 - void __user *handler = tsk->sighand->action[sig-1].sa.sa_handler;
81985 + __sighandler_t handler = tsk->sighand->action[sig-1].sa.sa_handler;
81986 if (is_global_init(tsk))
81988 if (handler != SIG_IGN && handler != SIG_DFL)
81989 @@ -816,6 +819,13 @@ static int check_kill_permission(int sig, struct siginfo *info,
81993 + /* allow glibc communication via tgkill to other threads in our
81995 + if ((info == SEND_SIG_NOINFO || info->si_code != SI_TKILL ||
81996 + sig != (SIGRTMIN+1) || task_tgid_vnr(t) != info->si_pid)
81997 + && gr_handle_signal(t, sig))
82000 return security_task_kill(t, info, sig, 0);
82003 @@ -1199,7 +1209,7 @@ __group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p)
82004 return send_signal(sig, info, p, 1);
82009 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
82011 return send_signal(sig, info, t, 0);
82012 @@ -1236,6 +1246,7 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t)
82013 unsigned long int flags;
82014 int ret, blocked, ignored;
82015 struct k_sigaction *action;
82016 + int is_unhandled = 0;
82018 spin_lock_irqsave(&t->sighand->siglock, flags);
82019 action = &t->sighand->action[sig-1];
82020 @@ -1250,9 +1261,18 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t)
82022 if (action->sa.sa_handler == SIG_DFL)
82023 t->signal->flags &= ~SIGNAL_UNKILLABLE;
82024 + if (action->sa.sa_handler == SIG_IGN || action->sa.sa_handler == SIG_DFL)
82025 + is_unhandled = 1;
82026 ret = specific_send_sig_info(sig, info, t);
82027 spin_unlock_irqrestore(&t->sighand->siglock, flags);
82029 + /* only deal with unhandled signals, java etc trigger SIGSEGV during
82030 + normal operation */
82031 + if (is_unhandled) {
82032 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
82033 + gr_handle_crash(t, sig);
82039 @@ -1319,8 +1339,11 @@ int group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p)
82040 ret = check_kill_permission(sig, info, p);
82044 + if (!ret && sig) {
82045 ret = do_send_sig_info(sig, info, p, true);
82047 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, p);
82052 @@ -2926,7 +2949,15 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)
82053 int error = -ESRCH;
82056 - p = find_task_by_vpid(pid);
82057 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
82058 + /* allow glibc communication via tgkill to other threads in our
82060 + if (grsec_enable_chroot_findtask && info->si_code == SI_TKILL &&
82061 + sig == (SIGRTMIN+1) && tgid == info->si_pid)
82062 + p = find_task_by_vpid_unrestricted(pid);
82065 + p = find_task_by_vpid(pid);
82066 if (p && (tgid <= 0 || task_tgid_vnr(p) == tgid)) {
82067 error = check_kill_permission(sig, info, p);
82069 @@ -3219,6 +3250,16 @@ int __save_altstack(stack_t __user *uss, unsigned long sp)
82070 __put_user(t->sas_ss_size, &uss->ss_size);
82074 +void __save_altstack_ex(stack_t __user *uss, unsigned long sp)
82076 + struct task_struct *t = current;
82077 + put_user_ex((void __user *)t->sas_ss_sp, &uss->ss_sp);
82078 + put_user_ex(sas_ss_flags(sp), &uss->ss_flags);
82079 + put_user_ex(t->sas_ss_size, &uss->ss_size);
82083 #ifdef CONFIG_COMPAT
82084 COMPAT_SYSCALL_DEFINE2(sigaltstack,
82085 const compat_stack_t __user *, uss_ptr,
82086 @@ -3240,8 +3281,8 @@ COMPAT_SYSCALL_DEFINE2(sigaltstack,
82090 - ret = do_sigaltstack((stack_t __force __user *) (uss_ptr ? &uss : NULL),
82091 - (stack_t __force __user *) &uoss,
82092 + ret = do_sigaltstack((stack_t __force_user *) (uss_ptr ? &uss : NULL),
82093 + (stack_t __force_user *) &uoss,
82094 compat_user_stack_pointer());
82096 if (ret >= 0 && uoss_ptr) {
82097 @@ -3268,6 +3309,16 @@ int __compat_save_altstack(compat_stack_t __user *uss, unsigned long sp)
82098 __put_user(sas_ss_flags(sp), &uss->ss_flags) |
82099 __put_user(t->sas_ss_size, &uss->ss_size);
82103 +void __compat_save_altstack_ex(compat_stack_t __user *uss, unsigned long sp)
82105 + struct task_struct *t = current;
82106 + put_user_ex(ptr_to_compat((void __user *)t->sas_ss_sp), &uss->ss_sp);
82107 + put_user_ex(sas_ss_flags(sp), &uss->ss_flags);
82108 + put_user_ex(t->sas_ss_size, &uss->ss_size);
82113 #ifdef __ARCH_WANT_SYS_SIGPENDING
82114 diff --git a/kernel/smp.c b/kernel/smp.c
82115 index 4dba0f7..fe9f773 100644
82118 @@ -73,7 +73,7 @@ hotplug_cfd(struct notifier_block *nfb, unsigned long action, void *hcpu)
82122 -static struct notifier_block __cpuinitdata hotplug_cfd_notifier = {
82123 +static struct notifier_block hotplug_cfd_notifier = {
82124 .notifier_call = hotplug_cfd,
82127 diff --git a/kernel/smpboot.c b/kernel/smpboot.c
82128 index 02fc5c9..e54c335 100644
82129 --- a/kernel/smpboot.c
82130 +++ b/kernel/smpboot.c
82131 @@ -288,7 +288,7 @@ int smpboot_register_percpu_thread(struct smp_hotplug_thread *plug_thread)
82133 smpboot_unpark_thread(plug_thread, cpu);
82135 - list_add(&plug_thread->list, &hotplug_threads);
82136 + pax_list_add(&plug_thread->list, &hotplug_threads);
82138 mutex_unlock(&smpboot_threads_lock);
82140 @@ -305,7 +305,7 @@ void smpboot_unregister_percpu_thread(struct smp_hotplug_thread *plug_thread)
82143 mutex_lock(&smpboot_threads_lock);
82144 - list_del(&plug_thread->list);
82145 + pax_list_del(&plug_thread->list);
82146 smpboot_destroy_threads(plug_thread);
82147 mutex_unlock(&smpboot_threads_lock);
82149 diff --git a/kernel/softirq.c b/kernel/softirq.c
82150 index 3d6833f..da6d93d 100644
82151 --- a/kernel/softirq.c
82152 +++ b/kernel/softirq.c
82153 @@ -53,11 +53,11 @@ irq_cpustat_t irq_stat[NR_CPUS] ____cacheline_aligned;
82154 EXPORT_SYMBOL(irq_stat);
82157 -static struct softirq_action softirq_vec[NR_SOFTIRQS] __cacheline_aligned_in_smp;
82158 +static struct softirq_action softirq_vec[NR_SOFTIRQS] __read_only __aligned(PAGE_SIZE);
82160 DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
82162 -char *softirq_to_name[NR_SOFTIRQS] = {
82163 +const char * const softirq_to_name[NR_SOFTIRQS] = {
82164 "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL",
82165 "TASKLET", "SCHED", "HRTIMER", "RCU"
82167 @@ -250,7 +250,7 @@ restart:
82168 kstat_incr_softirqs_this_cpu(vec_nr);
82170 trace_softirq_entry(vec_nr);
82173 trace_softirq_exit(vec_nr);
82174 if (unlikely(prev_count != preempt_count())) {
82175 printk(KERN_ERR "huh, entered softirq %u %s %p"
82176 @@ -405,7 +405,7 @@ void __raise_softirq_irqoff(unsigned int nr)
82177 or_softirq_pending(1UL << nr);
82180 -void open_softirq(int nr, void (*action)(struct softirq_action *))
82181 +void __init open_softirq(int nr, void (*action)(void))
82183 softirq_vec[nr].action = action;
82185 @@ -461,7 +461,7 @@ void __tasklet_hi_schedule_first(struct tasklet_struct *t)
82187 EXPORT_SYMBOL(__tasklet_hi_schedule_first);
82189 -static void tasklet_action(struct softirq_action *a)
82190 +static void tasklet_action(void)
82192 struct tasklet_struct *list;
82194 @@ -496,7 +496,7 @@ static void tasklet_action(struct softirq_action *a)
82198 -static void tasklet_hi_action(struct softirq_action *a)
82199 +static void tasklet_hi_action(void)
82201 struct tasklet_struct *list;
82203 @@ -730,7 +730,7 @@ static int __cpuinit remote_softirq_cpu_notify(struct notifier_block *self,
82207 -static struct notifier_block __cpuinitdata remote_softirq_cpu_notifier = {
82208 +static struct notifier_block remote_softirq_cpu_notifier = {
82209 .notifier_call = remote_softirq_cpu_notify,
82212 @@ -847,11 +847,11 @@ static int __cpuinit cpu_callback(struct notifier_block *nfb,
82216 -static struct notifier_block __cpuinitdata cpu_nfb = {
82217 +static struct notifier_block cpu_nfb = {
82218 .notifier_call = cpu_callback
82221 -static struct smp_hotplug_thread softirq_threads = {
82222 +static struct smp_hotplug_thread softirq_threads __read_only = {
82223 .store = &ksoftirqd,
82224 .thread_should_run = ksoftirqd_should_run,
82225 .thread_fn = run_ksoftirqd,
82226 diff --git a/kernel/srcu.c b/kernel/srcu.c
82227 index 01d5ccb..cdcbee6 100644
82228 --- a/kernel/srcu.c
82229 +++ b/kernel/srcu.c
82230 @@ -300,9 +300,9 @@ int __srcu_read_lock(struct srcu_struct *sp)
82232 idx = ACCESS_ONCE(sp->completed) & 0x1;
82234 - ACCESS_ONCE(this_cpu_ptr(sp->per_cpu_ref)->c[idx]) += 1;
82235 + ACCESS_ONCE_RW(this_cpu_ptr(sp->per_cpu_ref)->c[idx]) += 1;
82236 smp_mb(); /* B */ /* Avoid leaking the critical section. */
82237 - ACCESS_ONCE(this_cpu_ptr(sp->per_cpu_ref)->seq[idx]) += 1;
82238 + ACCESS_ONCE_RW(this_cpu_ptr(sp->per_cpu_ref)->seq[idx]) += 1;
82242 diff --git a/kernel/sys.c b/kernel/sys.c
82243 index 2bbd9a7..0875671 100644
82246 @@ -163,6 +163,12 @@ static int set_one_prio(struct task_struct *p, int niceval, int error)
82251 + if (gr_handle_chroot_setpriority(p, niceval)) {
82256 no_nice = security_task_setnice(p, niceval);
82259 @@ -626,6 +632,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, gid_t, egid)
82263 + if (gr_check_group_change(new->gid, new->egid, INVALID_GID))
82266 if (rgid != (gid_t) -1 ||
82267 (egid != (gid_t) -1 && !gid_eq(kegid, old->gid)))
82268 new->sgid = new->egid;
82269 @@ -661,6 +670,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
82270 old = current_cred();
82274 + if (gr_check_group_change(kgid, kgid, kgid))
82277 if (nsown_capable(CAP_SETGID))
82278 new->gid = new->egid = new->sgid = new->fsgid = kgid;
82279 else if (gid_eq(kgid, old->gid) || gid_eq(kgid, old->sgid))
82280 @@ -678,7 +691,7 @@ error:
82282 * change the user struct in a credentials set to match the new UID
82284 -static int set_user(struct cred *new)
82285 +int set_user(struct cred *new)
82287 struct user_struct *new_user;
82289 @@ -758,6 +771,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, uid_t, euid)
82293 + if (gr_check_user_change(new->uid, new->euid, INVALID_UID))
82296 if (!uid_eq(new->uid, old->uid)) {
82297 retval = set_user(new);
82299 @@ -808,6 +824,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
82300 old = current_cred();
82304 + if (gr_check_crash_uid(kuid))
82306 + if (gr_check_user_change(kuid, kuid, kuid))
82309 if (nsown_capable(CAP_SETUID)) {
82310 new->suid = new->uid = kuid;
82311 if (!uid_eq(kuid, old->uid)) {
82312 @@ -877,6 +899,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid)
82316 + if (gr_check_user_change(kruid, keuid, INVALID_UID))
82319 if (ruid != (uid_t) -1) {
82321 if (!uid_eq(kruid, old->uid)) {
82322 @@ -959,6 +984,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid)
82326 + if (gr_check_group_change(krgid, kegid, INVALID_GID))
82329 if (rgid != (gid_t) -1)
82331 if (egid != (gid_t) -1)
82332 @@ -1020,12 +1048,16 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
82333 uid_eq(kuid, old->suid) || uid_eq(kuid, old->fsuid) ||
82334 nsown_capable(CAP_SETUID)) {
82335 if (!uid_eq(kuid, old->fsuid)) {
82336 + if (gr_check_user_change(INVALID_UID, INVALID_UID, kuid))
82340 if (security_task_fix_setuid(new, old, LSM_SETID_FS) == 0)
82349 @@ -1058,12 +1090,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
82350 if (gid_eq(kgid, old->gid) || gid_eq(kgid, old->egid) ||
82351 gid_eq(kgid, old->sgid) || gid_eq(kgid, old->fsgid) ||
82352 nsown_capable(CAP_SETGID)) {
82353 + if (gr_check_group_change(INVALID_GID, INVALID_GID, kgid))
82356 if (!gid_eq(kgid, old->fsgid)) {
82366 @@ -1432,19 +1468,19 @@ SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name)
82369 down_read(&uts_sem);
82370 - error = __copy_to_user(&name->sysname, &utsname()->sysname,
82371 + error = __copy_to_user(name->sysname, &utsname()->sysname,
82373 error |= __put_user(0, name->sysname + __OLD_UTS_LEN);
82374 - error |= __copy_to_user(&name->nodename, &utsname()->nodename,
82375 + error |= __copy_to_user(name->nodename, &utsname()->nodename,
82377 error |= __put_user(0, name->nodename + __OLD_UTS_LEN);
82378 - error |= __copy_to_user(&name->release, &utsname()->release,
82379 + error |= __copy_to_user(name->release, &utsname()->release,
82381 error |= __put_user(0, name->release + __OLD_UTS_LEN);
82382 - error |= __copy_to_user(&name->version, &utsname()->version,
82383 + error |= __copy_to_user(name->version, &utsname()->version,
82385 error |= __put_user(0, name->version + __OLD_UTS_LEN);
82386 - error |= __copy_to_user(&name->machine, &utsname()->machine,
82387 + error |= __copy_to_user(name->machine, &utsname()->machine,
82389 error |= __put_user(0, name->machine + __OLD_UTS_LEN);
82391 @@ -1646,6 +1682,13 @@ int do_prlimit(struct task_struct *tsk, unsigned int resource,
82393 new_rlim->rlim_cur = 1;
82395 + /* Handle the case where a fork and setuid occur and then RLIMIT_NPROC
82396 + is changed to a lower value. Since tasks can be created by the same
82397 + user in between this limit change and an execve by this task, force
82398 + a recheck only for this task by setting PF_NPROC_EXCEEDED
82400 + if (resource == RLIMIT_NPROC && tsk->real_cred->user != INIT_USER)
82401 + tsk->flags |= PF_NPROC_EXCEEDED;
82405 diff --git a/kernel/sysctl.c b/kernel/sysctl.c
82406 index 9edcf45..713c960 100644
82407 --- a/kernel/sysctl.c
82408 +++ b/kernel/sysctl.c
82412 #if defined(CONFIG_SYSCTL)
82414 /* External variables not in a header file. */
82415 extern int sysctl_overcommit_memory;
82416 extern int sysctl_overcommit_ratio;
82417 @@ -119,18 +118,18 @@ extern int blk_iopoll_enabled;
82419 /* Constants used for minimum and maximum */
82420 #ifdef CONFIG_LOCKUP_DETECTOR
82421 -static int sixty = 60;
82422 -static int neg_one = -1;
82423 +static int sixty __read_only = 60;
82427 -static int __maybe_unused one = 1;
82428 -static int __maybe_unused two = 2;
82429 -static int __maybe_unused three = 3;
82430 -static unsigned long one_ul = 1;
82431 -static int one_hundred = 100;
82432 +static int neg_one __read_only = -1;
82433 +static int zero __read_only = 0;
82434 +static int __maybe_unused one __read_only = 1;
82435 +static int __maybe_unused two __read_only = 2;
82436 +static int __maybe_unused three __read_only = 3;
82437 +static unsigned long one_ul __read_only = 1;
82438 +static int one_hundred __read_only = 100;
82439 #ifdef CONFIG_PRINTK
82440 -static int ten_thousand = 10000;
82441 +static int ten_thousand __read_only = 10000;
82444 /* this is needed for the proc_doulongvec_minmax of vm_dirty_bytes */
82445 @@ -177,10 +176,8 @@ static int proc_taint(struct ctl_table *table, int write,
82446 void __user *buffer, size_t *lenp, loff_t *ppos);
82449 -#ifdef CONFIG_PRINTK
82450 static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
82451 void __user *buffer, size_t *lenp, loff_t *ppos);
82454 static int proc_dointvec_minmax_coredump(struct ctl_table *table, int write,
82455 void __user *buffer, size_t *lenp, loff_t *ppos);
82456 @@ -211,6 +208,8 @@ static int sysrq_sysctl_handler(ctl_table *table, int write,
82460 +extern struct ctl_table grsecurity_table[];
82462 static struct ctl_table kern_table[];
82463 static struct ctl_table vm_table[];
82464 static struct ctl_table fs_table[];
82465 @@ -225,6 +224,20 @@ extern struct ctl_table epoll_table[];
82466 int sysctl_legacy_va_layout;
82469 +#ifdef CONFIG_PAX_SOFTMODE
82470 +static ctl_table pax_table[] = {
82472 + .procname = "softmode",
82473 + .data = &pax_softmode,
82474 + .maxlen = sizeof(unsigned int),
82476 + .proc_handler = &proc_dointvec,
82483 /* The default sysctl tables: */
82485 static struct ctl_table sysctl_base_table[] = {
82486 @@ -273,6 +286,22 @@ static int max_extfrag_threshold = 1000;
82489 static struct ctl_table kern_table[] = {
82490 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
82492 + .procname = "grsecurity",
82494 + .child = grsecurity_table,
82498 +#ifdef CONFIG_PAX_SOFTMODE
82500 + .procname = "pax",
82502 + .child = pax_table,
82507 .procname = "sched_child_runs_first",
82508 .data = &sysctl_sched_child_runs_first,
82509 @@ -607,7 +636,7 @@ static struct ctl_table kern_table[] = {
82510 .data = &modprobe_path,
82511 .maxlen = KMOD_PATH_LEN,
82513 - .proc_handler = proc_dostring,
82514 + .proc_handler = proc_dostring_modpriv,
82517 .procname = "modules_disabled",
82518 @@ -774,16 +803,20 @@ static struct ctl_table kern_table[] = {
82524 .procname = "kptr_restrict",
82525 .data = &kptr_restrict,
82526 .maxlen = sizeof(int),
82528 .proc_handler = proc_dointvec_minmax_sysadmin,
82529 +#ifdef CONFIG_GRKERNSEC_HIDESYM
82538 .procname = "ngroups_max",
82539 .data = &ngroups_max,
82540 @@ -1025,10 +1058,17 @@ static struct ctl_table kern_table[] = {
82543 .procname = "perf_event_paranoid",
82544 - .data = &sysctl_perf_event_paranoid,
82545 - .maxlen = sizeof(sysctl_perf_event_paranoid),
82546 + .data = &sysctl_perf_event_legitimately_concerned,
82547 + .maxlen = sizeof(sysctl_perf_event_legitimately_concerned),
82549 - .proc_handler = proc_dointvec,
82550 + /* go ahead, be a hero */
82551 + .proc_handler = proc_dointvec_minmax_sysadmin,
82552 + .extra1 = &neg_one,
82553 +#ifdef CONFIG_GRKERNSEC_PERF_HARDEN
82554 + .extra2 = &three,
82560 .procname = "perf_event_mlock_kb",
82561 @@ -1282,6 +1322,13 @@ static struct ctl_table vm_table[] = {
82562 .proc_handler = proc_dointvec_minmax,
82566 + .procname = "heap_stack_gap",
82567 + .data = &sysctl_heap_stack_gap,
82568 + .maxlen = sizeof(sysctl_heap_stack_gap),
82570 + .proc_handler = proc_doulongvec_minmax,
82574 .procname = "nr_trim_pages",
82575 @@ -1746,6 +1793,16 @@ int proc_dostring(struct ctl_table *table, int write,
82576 buffer, lenp, ppos);
82579 +int proc_dostring_modpriv(struct ctl_table *table, int write,
82580 + void __user *buffer, size_t *lenp, loff_t *ppos)
82582 + if (write && !capable(CAP_SYS_MODULE))
82585 + return _proc_do_string(table->data, table->maxlen, write,
82586 + buffer, lenp, ppos);
82589 static size_t proc_skip_spaces(char **buf)
82592 @@ -1851,6 +1908,8 @@ static int proc_put_long(void __user **buf, size_t *size, unsigned long val,
82596 + if (len > sizeof(tmp))
82597 + len = sizeof(tmp);
82598 if (copy_to_user(*buf, tmp, len))
82601 @@ -2015,7 +2074,7 @@ int proc_dointvec(struct ctl_table *table, int write,
82602 static int proc_taint(struct ctl_table *table, int write,
82603 void __user *buffer, size_t *lenp, loff_t *ppos)
82605 - struct ctl_table t;
82606 + ctl_table_no_const t;
82607 unsigned long tmptaint = get_taint();
82610 @@ -2043,7 +2102,6 @@ static int proc_taint(struct ctl_table *table, int write,
82614 -#ifdef CONFIG_PRINTK
82615 static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
82616 void __user *buffer, size_t *lenp, loff_t *ppos)
82618 @@ -2052,7 +2110,6 @@ static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
82620 return proc_dointvec_minmax(table, write, buffer, lenp, ppos);
82624 struct do_proc_dointvec_minmax_conv_param {
82626 @@ -2199,8 +2256,11 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int
82629 val = convdiv * (*i) / convmul;
82632 err = proc_put_char(&buffer, &left, '\t');
82636 err = proc_put_long(&buffer, &left, val, false);
82639 @@ -2592,6 +2652,12 @@ int proc_dostring(struct ctl_table *table, int write,
82643 +int proc_dostring_modpriv(struct ctl_table *table, int write,
82644 + void __user *buffer, size_t *lenp, loff_t *ppos)
82649 int proc_dointvec(struct ctl_table *table, int write,
82650 void __user *buffer, size_t *lenp, loff_t *ppos)
82652 @@ -2648,5 +2714,6 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
82653 EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
82654 EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
82655 EXPORT_SYMBOL(proc_dostring);
82656 +EXPORT_SYMBOL(proc_dostring_modpriv);
82657 EXPORT_SYMBOL(proc_doulongvec_minmax);
82658 EXPORT_SYMBOL(proc_doulongvec_ms_jiffies_minmax);
82659 diff --git a/kernel/taskstats.c b/kernel/taskstats.c
82660 index 145bb4d..b2aa969 100644
82661 --- a/kernel/taskstats.c
82662 +++ b/kernel/taskstats.c
82664 #include <linux/fs.h>
82665 #include <linux/file.h>
82666 #include <linux/pid_namespace.h>
82667 +#include <linux/grsecurity.h>
82668 #include <net/genetlink.h>
82669 #include <linux/atomic.h>
82671 +extern int gr_is_taskstats_denied(int pid);
82674 * Maximum length of a cpumask that can be specified in
82675 * the TASKSTATS_CMD_ATTR_REGISTER/DEREGISTER_CPUMASK attribute
82676 @@ -570,6 +573,9 @@ err:
82678 static int taskstats_user_cmd(struct sk_buff *skb, struct genl_info *info)
82680 + if (gr_is_taskstats_denied(current->pid))
82683 if (info->attrs[TASKSTATS_CMD_ATTR_REGISTER_CPUMASK])
82684 return cmd_attr_register_cpumask(info);
82685 else if (info->attrs[TASKSTATS_CMD_ATTR_DEREGISTER_CPUMASK])
82686 diff --git a/kernel/time.c b/kernel/time.c
82687 index d3617db..c98bbe9 100644
82688 --- a/kernel/time.c
82689 +++ b/kernel/time.c
82690 @@ -172,6 +172,11 @@ int do_sys_settimeofday(const struct timespec *tv, const struct timezone *tz)
82694 + /* we log in do_settimeofday called below, so don't log twice
82697 + gr_log_timechange();
82700 update_vsyscall_tz();
82702 @@ -502,7 +507,7 @@ EXPORT_SYMBOL(usecs_to_jiffies);
82703 * The >> (NSEC_JIFFIE_SC - SEC_JIFFIE_SC) converts the scaled nsec
82704 * value to a scaled second value.
82707 +unsigned long __intentional_overflow(-1)
82708 timespec_to_jiffies(const struct timespec *value)
82710 unsigned long sec = value->tv_sec;
82711 diff --git a/kernel/time/alarmtimer.c b/kernel/time/alarmtimer.c
82712 index f11d83b..d016d91 100644
82713 --- a/kernel/time/alarmtimer.c
82714 +++ b/kernel/time/alarmtimer.c
82715 @@ -750,7 +750,7 @@ static int __init alarmtimer_init(void)
82716 struct platform_device *pdev;
82719 - struct k_clock alarm_clock = {
82720 + static struct k_clock alarm_clock = {
82721 .clock_getres = alarm_clock_getres,
82722 .clock_get = alarm_clock_get,
82723 .timer_create = alarm_timer_create,
82724 diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
82725 index baeeb5c..c22704a 100644
82726 --- a/kernel/time/timekeeping.c
82727 +++ b/kernel/time/timekeeping.c
82729 #include <linux/init.h>
82730 #include <linux/mm.h>
82731 #include <linux/sched.h>
82732 +#include <linux/grsecurity.h>
82733 #include <linux/syscore_ops.h>
82734 #include <linux/clocksource.h>
82735 #include <linux/jiffies.h>
82736 @@ -495,6 +496,8 @@ int do_settimeofday(const struct timespec *tv)
82737 if (!timespec_valid_strict(tv))
82740 + gr_log_timechange();
82742 raw_spin_lock_irqsave(&timekeeper_lock, flags);
82743 write_seqcount_begin(&timekeeper_seq);
82745 diff --git a/kernel/time/timer_list.c b/kernel/time/timer_list.c
82746 index 3bdf283..cc68d83 100644
82747 --- a/kernel/time/timer_list.c
82748 +++ b/kernel/time/timer_list.c
82749 @@ -45,12 +45,16 @@ DECLARE_PER_CPU(struct hrtimer_cpu_base, hrtimer_bases);
82751 static void print_name_offset(struct seq_file *m, void *sym)
82753 +#ifdef CONFIG_GRKERNSEC_HIDESYM
82754 + SEQ_printf(m, "<%p>", NULL);
82756 char symname[KSYM_NAME_LEN];
82758 if (lookup_symbol_name((unsigned long)sym, symname) < 0)
82759 SEQ_printf(m, "<%pK>", sym);
82761 SEQ_printf(m, "%s", symname);
82766 @@ -119,7 +123,11 @@ next_one:
82768 print_base(struct seq_file *m, struct hrtimer_clock_base *base, u64 now)
82770 +#ifdef CONFIG_GRKERNSEC_HIDESYM
82771 + SEQ_printf(m, " .base: %p\n", NULL);
82773 SEQ_printf(m, " .base: %pK\n", base);
82775 SEQ_printf(m, " .index: %d\n",
82777 SEQ_printf(m, " .resolution: %Lu nsecs\n",
82778 @@ -355,7 +363,11 @@ static int __init init_timer_list_procfs(void)
82780 struct proc_dir_entry *pe;
82782 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
82783 + pe = proc_create("timer_list", 0400, NULL, &timer_list_fops);
82785 pe = proc_create("timer_list", 0444, NULL, &timer_list_fops);
82790 diff --git a/kernel/time/timer_stats.c b/kernel/time/timer_stats.c
82791 index 0b537f2..40d6c20 100644
82792 --- a/kernel/time/timer_stats.c
82793 +++ b/kernel/time/timer_stats.c
82794 @@ -116,7 +116,7 @@ static ktime_t time_start, time_stop;
82795 static unsigned long nr_entries;
82796 static struct entry entries[MAX_ENTRIES];
82798 -static atomic_t overflow_count;
82799 +static atomic_unchecked_t overflow_count;
82802 * The entries are in a hash-table, for fast lookup:
82803 @@ -140,7 +140,7 @@ static void reset_entries(void)
82805 memset(entries, 0, sizeof(entries));
82806 memset(tstat_hash_table, 0, sizeof(tstat_hash_table));
82807 - atomic_set(&overflow_count, 0);
82808 + atomic_set_unchecked(&overflow_count, 0);
82811 static struct entry *alloc_entry(void)
82812 @@ -261,7 +261,7 @@ void timer_stats_update_stats(void *timer, pid_t pid, void *startf,
82816 - atomic_inc(&overflow_count);
82817 + atomic_inc_unchecked(&overflow_count);
82820 raw_spin_unlock_irqrestore(lock, flags);
82821 @@ -269,12 +269,16 @@ void timer_stats_update_stats(void *timer, pid_t pid, void *startf,
82823 static void print_name_offset(struct seq_file *m, unsigned long addr)
82825 +#ifdef CONFIG_GRKERNSEC_HIDESYM
82826 + seq_printf(m, "<%p>", NULL);
82828 char symname[KSYM_NAME_LEN];
82830 if (lookup_symbol_name(addr, symname) < 0)
82831 - seq_printf(m, "<%p>", (void *)addr);
82832 + seq_printf(m, "<%pK>", (void *)addr);
82834 seq_printf(m, "%s", symname);
82838 static int tstats_show(struct seq_file *m, void *v)
82839 @@ -300,9 +304,9 @@ static int tstats_show(struct seq_file *m, void *v)
82841 seq_puts(m, "Timer Stats Version: v0.2\n");
82842 seq_printf(m, "Sample period: %ld.%03ld s\n", period.tv_sec, ms);
82843 - if (atomic_read(&overflow_count))
82844 + if (atomic_read_unchecked(&overflow_count))
82845 seq_printf(m, "Overflow: %d entries\n",
82846 - atomic_read(&overflow_count));
82847 + atomic_read_unchecked(&overflow_count));
82849 for (i = 0; i < nr_entries; i++) {
82850 entry = entries + i;
82851 @@ -417,7 +421,11 @@ static int __init init_tstats_procfs(void)
82853 struct proc_dir_entry *pe;
82855 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
82856 + pe = proc_create("timer_stats", 0600, NULL, &tstats_fops);
82858 pe = proc_create("timer_stats", 0644, NULL, &tstats_fops);
82863 diff --git a/kernel/timer.c b/kernel/timer.c
82864 index 15bc1b4..32da49c 100644
82865 --- a/kernel/timer.c
82866 +++ b/kernel/timer.c
82867 @@ -1366,7 +1366,7 @@ void update_process_times(int user_tick)
82869 * This function runs timers and the timer-tq in bottom half context.
82871 -static void run_timer_softirq(struct softirq_action *h)
82872 +static void run_timer_softirq(void)
82874 struct tvec_base *base = __this_cpu_read(tvec_bases);
82876 @@ -1429,7 +1429,7 @@ static void process_timeout(unsigned long __data)
82878 * In all cases the return value is guaranteed to be non-negative.
82880 -signed long __sched schedule_timeout(signed long timeout)
82881 +signed long __sched __intentional_overflow(-1) schedule_timeout(signed long timeout)
82883 struct timer_list timer;
82884 unsigned long expire;
82885 @@ -1635,7 +1635,7 @@ static int __cpuinit timer_cpu_notify(struct notifier_block *self,
82889 -static struct notifier_block __cpuinitdata timers_nb = {
82890 +static struct notifier_block timers_nb = {
82891 .notifier_call = timer_cpu_notify,
82894 diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
82895 index b8b8560..75b1a09 100644
82896 --- a/kernel/trace/blktrace.c
82897 +++ b/kernel/trace/blktrace.c
82898 @@ -317,7 +317,7 @@ static ssize_t blk_dropped_read(struct file *filp, char __user *buffer,
82899 struct blk_trace *bt = filp->private_data;
82902 - snprintf(buf, sizeof(buf), "%u\n", atomic_read(&bt->dropped));
82903 + snprintf(buf, sizeof(buf), "%u\n", atomic_read_unchecked(&bt->dropped));
82905 return simple_read_from_buffer(buffer, count, ppos, buf, strlen(buf));
82907 @@ -375,7 +375,7 @@ static int blk_subbuf_start_callback(struct rchan_buf *buf, void *subbuf,
82910 bt = buf->chan->private_data;
82911 - atomic_inc(&bt->dropped);
82912 + atomic_inc_unchecked(&bt->dropped);
82916 @@ -476,7 +476,7 @@ int do_blk_trace_setup(struct request_queue *q, char *name, dev_t dev,
82920 - atomic_set(&bt->dropped, 0);
82921 + atomic_set_unchecked(&bt->dropped, 0);
82924 bt->dropped_file = debugfs_create_file("dropped", 0444, dir, bt,
82925 diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
82926 index 6c508ff..ee55a13 100644
82927 --- a/kernel/trace/ftrace.c
82928 +++ b/kernel/trace/ftrace.c
82929 @@ -1915,12 +1915,17 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec)
82930 if (unlikely(ftrace_disabled))
82933 + ret = ftrace_arch_code_modify_prepare();
82934 + FTRACE_WARN_ON(ret);
82938 ret = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
82939 + FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());
82941 ftrace_bug(ret, ip);
82945 + return ret ? 0 : 1;
82949 @@ -3931,8 +3936,10 @@ static int ftrace_process_locs(struct module *mod,
82953 + pax_open_kernel();
82954 sort(start, count, sizeof(*start),
82955 ftrace_cmp_ips, ftrace_swap_ips);
82956 + pax_close_kernel();
82958 start_pg = ftrace_allocate_pages(count);
82960 @@ -4655,8 +4662,6 @@ ftrace_enable_sysctl(struct ctl_table *table, int write,
82961 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
82963 static int ftrace_graph_active;
82964 -static struct notifier_block ftrace_suspend_notifier;
82966 int ftrace_graph_entry_stub(struct ftrace_graph_ent *trace)
82969 @@ -4800,6 +4805,10 @@ ftrace_suspend_notifier_call(struct notifier_block *bl, unsigned long state,
82970 return NOTIFY_DONE;
82973 +static struct notifier_block ftrace_suspend_notifier = {
82974 + .notifier_call = ftrace_suspend_notifier_call
82977 int register_ftrace_graph(trace_func_graph_ret_t retfunc,
82978 trace_func_graph_ent_t entryfunc)
82980 @@ -4813,7 +4822,6 @@ int register_ftrace_graph(trace_func_graph_ret_t retfunc,
82984 - ftrace_suspend_notifier.notifier_call = ftrace_suspend_notifier_call;
82985 register_pm_notifier(&ftrace_suspend_notifier);
82987 ftrace_graph_active++;
82988 diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
82989 index e444ff8..438b8f4 100644
82990 --- a/kernel/trace/ring_buffer.c
82991 +++ b/kernel/trace/ring_buffer.c
82992 @@ -352,9 +352,9 @@ struct buffer_data_page {
82994 struct buffer_page {
82995 struct list_head list; /* list of buffer pages */
82996 - local_t write; /* index for next write */
82997 + local_unchecked_t write; /* index for next write */
82998 unsigned read; /* index for next read */
82999 - local_t entries; /* entries on this page */
83000 + local_unchecked_t entries; /* entries on this page */
83001 unsigned long real_end; /* real end of data */
83002 struct buffer_data_page *page; /* Actual data page */
83004 @@ -473,8 +473,8 @@ struct ring_buffer_per_cpu {
83005 unsigned long last_overrun;
83006 local_t entries_bytes;
83009 - local_t commit_overrun;
83010 + local_unchecked_t overrun;
83011 + local_unchecked_t commit_overrun;
83012 local_t dropped_events;
83013 local_t committing;
83015 @@ -992,8 +992,8 @@ static int rb_tail_page_update(struct ring_buffer_per_cpu *cpu_buffer,
83017 * We add a counter to the write field to denote this.
83019 - old_write = local_add_return(RB_WRITE_INTCNT, &next_page->write);
83020 - old_entries = local_add_return(RB_WRITE_INTCNT, &next_page->entries);
83021 + old_write = local_add_return_unchecked(RB_WRITE_INTCNT, &next_page->write);
83022 + old_entries = local_add_return_unchecked(RB_WRITE_INTCNT, &next_page->entries);
83025 * Just make sure we have seen our old_write and synchronize
83026 @@ -1021,8 +1021,8 @@ static int rb_tail_page_update(struct ring_buffer_per_cpu *cpu_buffer,
83027 * cmpxchg to only update if an interrupt did not already
83028 * do it for us. If the cmpxchg fails, we don't care.
83030 - (void)local_cmpxchg(&next_page->write, old_write, val);
83031 - (void)local_cmpxchg(&next_page->entries, old_entries, eval);
83032 + (void)local_cmpxchg_unchecked(&next_page->write, old_write, val);
83033 + (void)local_cmpxchg_unchecked(&next_page->entries, old_entries, eval);
83036 * No need to worry about races with clearing out the commit.
83037 @@ -1386,12 +1386,12 @@ static void rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer);
83039 static inline unsigned long rb_page_entries(struct buffer_page *bpage)
83041 - return local_read(&bpage->entries) & RB_WRITE_MASK;
83042 + return local_read_unchecked(&bpage->entries) & RB_WRITE_MASK;
83045 static inline unsigned long rb_page_write(struct buffer_page *bpage)
83047 - return local_read(&bpage->write) & RB_WRITE_MASK;
83048 + return local_read_unchecked(&bpage->write) & RB_WRITE_MASK;
83052 @@ -1486,7 +1486,7 @@ rb_remove_pages(struct ring_buffer_per_cpu *cpu_buffer, unsigned int nr_pages)
83053 * bytes consumed in ring buffer from here.
83054 * Increment overrun to account for the lost events.
83056 - local_add(page_entries, &cpu_buffer->overrun);
83057 + local_add_unchecked(page_entries, &cpu_buffer->overrun);
83058 local_sub(BUF_PAGE_SIZE, &cpu_buffer->entries_bytes);
83061 @@ -2063,7 +2063,7 @@ rb_handle_head_page(struct ring_buffer_per_cpu *cpu_buffer,
83062 * it is our responsibility to update
83065 - local_add(entries, &cpu_buffer->overrun);
83066 + local_add_unchecked(entries, &cpu_buffer->overrun);
83067 local_sub(BUF_PAGE_SIZE, &cpu_buffer->entries_bytes);
83070 @@ -2213,7 +2213,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer,
83071 if (tail == BUF_PAGE_SIZE)
83072 tail_page->real_end = 0;
83074 - local_sub(length, &tail_page->write);
83075 + local_sub_unchecked(length, &tail_page->write);
83079 @@ -2248,7 +2248,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer,
83080 rb_event_set_padding(event);
83082 /* Set the write back to the previous setting */
83083 - local_sub(length, &tail_page->write);
83084 + local_sub_unchecked(length, &tail_page->write);
83088 @@ -2260,7 +2260,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer,
83090 /* Set write to end of buffer */
83091 length = (tail + length) - BUF_PAGE_SIZE;
83092 - local_sub(length, &tail_page->write);
83093 + local_sub_unchecked(length, &tail_page->write);
83097 @@ -2286,7 +2286,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer,
83100 if (unlikely(next_page == commit_page)) {
83101 - local_inc(&cpu_buffer->commit_overrun);
83102 + local_inc_unchecked(&cpu_buffer->commit_overrun);
83106 @@ -2342,7 +2342,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer,
83107 cpu_buffer->tail_page) &&
83108 (cpu_buffer->commit_page ==
83109 cpu_buffer->reader_page))) {
83110 - local_inc(&cpu_buffer->commit_overrun);
83111 + local_inc_unchecked(&cpu_buffer->commit_overrun);
83115 @@ -2390,7 +2390,7 @@ __rb_reserve_next(struct ring_buffer_per_cpu *cpu_buffer,
83116 length += RB_LEN_TIME_EXTEND;
83118 tail_page = cpu_buffer->tail_page;
83119 - write = local_add_return(length, &tail_page->write);
83120 + write = local_add_return_unchecked(length, &tail_page->write);
83122 /* set write to only the index of the write */
83123 write &= RB_WRITE_MASK;
83124 @@ -2407,7 +2407,7 @@ __rb_reserve_next(struct ring_buffer_per_cpu *cpu_buffer,
83125 kmemcheck_annotate_bitfield(event, bitfield);
83126 rb_update_event(cpu_buffer, event, length, add_timestamp, delta);
83128 - local_inc(&tail_page->entries);
83129 + local_inc_unchecked(&tail_page->entries);
83132 * If this is the first commit on the page, then update
83133 @@ -2440,7 +2440,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer,
83135 if (bpage->page == (void *)addr && rb_page_write(bpage) == old_index) {
83136 unsigned long write_mask =
83137 - local_read(&bpage->write) & ~RB_WRITE_MASK;
83138 + local_read_unchecked(&bpage->write) & ~RB_WRITE_MASK;
83139 unsigned long event_length = rb_event_length(event);
83141 * This is on the tail page. It is possible that
83142 @@ -2450,7 +2450,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer,
83144 old_index += write_mask;
83145 new_index += write_mask;
83146 - index = local_cmpxchg(&bpage->write, old_index, new_index);
83147 + index = local_cmpxchg_unchecked(&bpage->write, old_index, new_index);
83148 if (index == old_index) {
83149 /* update counters */
83150 local_sub(event_length, &cpu_buffer->entries_bytes);
83151 @@ -2842,7 +2842,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer,
83153 /* Do the likely case first */
83154 if (likely(bpage->page == (void *)addr)) {
83155 - local_dec(&bpage->entries);
83156 + local_dec_unchecked(&bpage->entries);
83160 @@ -2854,7 +2854,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer,
83163 if (bpage->page == (void *)addr) {
83164 - local_dec(&bpage->entries);
83165 + local_dec_unchecked(&bpage->entries);
83168 rb_inc_page(cpu_buffer, &bpage);
83169 @@ -3138,7 +3138,7 @@ static inline unsigned long
83170 rb_num_of_entries(struct ring_buffer_per_cpu *cpu_buffer)
83172 return local_read(&cpu_buffer->entries) -
83173 - (local_read(&cpu_buffer->overrun) + cpu_buffer->read);
83174 + (local_read_unchecked(&cpu_buffer->overrun) + cpu_buffer->read);
83178 @@ -3227,7 +3227,7 @@ unsigned long ring_buffer_overrun_cpu(struct ring_buffer *buffer, int cpu)
83181 cpu_buffer = buffer->buffers[cpu];
83182 - ret = local_read(&cpu_buffer->overrun);
83183 + ret = local_read_unchecked(&cpu_buffer->overrun);
83187 @@ -3250,7 +3250,7 @@ ring_buffer_commit_overrun_cpu(struct ring_buffer *buffer, int cpu)
83190 cpu_buffer = buffer->buffers[cpu];
83191 - ret = local_read(&cpu_buffer->commit_overrun);
83192 + ret = local_read_unchecked(&cpu_buffer->commit_overrun);
83196 @@ -3335,7 +3335,7 @@ unsigned long ring_buffer_overruns(struct ring_buffer *buffer)
83197 /* if you care about this being correct, lock the buffer */
83198 for_each_buffer_cpu(buffer, cpu) {
83199 cpu_buffer = buffer->buffers[cpu];
83200 - overruns += local_read(&cpu_buffer->overrun);
83201 + overruns += local_read_unchecked(&cpu_buffer->overrun);
83205 @@ -3511,8 +3511,8 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer)
83207 * Reset the reader page to size zero.
83209 - local_set(&cpu_buffer->reader_page->write, 0);
83210 - local_set(&cpu_buffer->reader_page->entries, 0);
83211 + local_set_unchecked(&cpu_buffer->reader_page->write, 0);
83212 + local_set_unchecked(&cpu_buffer->reader_page->entries, 0);
83213 local_set(&cpu_buffer->reader_page->page->commit, 0);
83214 cpu_buffer->reader_page->real_end = 0;
83216 @@ -3546,7 +3546,7 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer)
83217 * want to compare with the last_overrun.
83220 - overwrite = local_read(&(cpu_buffer->overrun));
83221 + overwrite = local_read_unchecked(&(cpu_buffer->overrun));
83224 * Here's the tricky part.
83225 @@ -4116,8 +4116,8 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer)
83227 cpu_buffer->head_page
83228 = list_entry(cpu_buffer->pages, struct buffer_page, list);
83229 - local_set(&cpu_buffer->head_page->write, 0);
83230 - local_set(&cpu_buffer->head_page->entries, 0);
83231 + local_set_unchecked(&cpu_buffer->head_page->write, 0);
83232 + local_set_unchecked(&cpu_buffer->head_page->entries, 0);
83233 local_set(&cpu_buffer->head_page->page->commit, 0);
83235 cpu_buffer->head_page->read = 0;
83236 @@ -4127,14 +4127,14 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer)
83238 INIT_LIST_HEAD(&cpu_buffer->reader_page->list);
83239 INIT_LIST_HEAD(&cpu_buffer->new_pages);
83240 - local_set(&cpu_buffer->reader_page->write, 0);
83241 - local_set(&cpu_buffer->reader_page->entries, 0);
83242 + local_set_unchecked(&cpu_buffer->reader_page->write, 0);
83243 + local_set_unchecked(&cpu_buffer->reader_page->entries, 0);
83244 local_set(&cpu_buffer->reader_page->page->commit, 0);
83245 cpu_buffer->reader_page->read = 0;
83247 local_set(&cpu_buffer->entries_bytes, 0);
83248 - local_set(&cpu_buffer->overrun, 0);
83249 - local_set(&cpu_buffer->commit_overrun, 0);
83250 + local_set_unchecked(&cpu_buffer->overrun, 0);
83251 + local_set_unchecked(&cpu_buffer->commit_overrun, 0);
83252 local_set(&cpu_buffer->dropped_events, 0);
83253 local_set(&cpu_buffer->entries, 0);
83254 local_set(&cpu_buffer->committing, 0);
83255 @@ -4538,8 +4538,8 @@ int ring_buffer_read_page(struct ring_buffer *buffer,
83256 rb_init_page(bpage);
83257 bpage = reader->page;
83258 reader->page = *data_page;
83259 - local_set(&reader->write, 0);
83260 - local_set(&reader->entries, 0);
83261 + local_set_unchecked(&reader->write, 0);
83262 + local_set_unchecked(&reader->entries, 0);
83264 *data_page = bpage;
83266 diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
83267 index 06a5bce..53ad6e7 100644
83268 --- a/kernel/trace/trace.c
83269 +++ b/kernel/trace/trace.c
83270 @@ -3347,7 +3347,7 @@ int trace_keep_overwrite(struct tracer *tracer, u32 mask, int set)
83274 -int set_tracer_flag(struct trace_array *tr, unsigned int mask, int enabled)
83275 +int set_tracer_flag(struct trace_array *tr, unsigned long mask, int enabled)
83277 /* do nothing if flag is already set */
83278 if (!!(trace_flags & mask) == !!enabled)
83279 diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h
83280 index 51b4448..7be601f 100644
83281 --- a/kernel/trace/trace.h
83282 +++ b/kernel/trace/trace.h
83283 @@ -1035,7 +1035,7 @@ extern const char *__stop___trace_bprintk_fmt[];
83284 void trace_printk_init_buffers(void);
83285 void trace_printk_start_comm(void);
83286 int trace_keep_overwrite(struct tracer *tracer, u32 mask, int set);
83287 -int set_tracer_flag(struct trace_array *tr, unsigned int mask, int enabled);
83288 +int set_tracer_flag(struct trace_array *tr, unsigned long mask, int enabled);
83291 * Normal trace_printk() and friends allocates special buffers
83292 diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
83293 index 6953263..2004e16 100644
83294 --- a/kernel/trace/trace_events.c
83295 +++ b/kernel/trace/trace_events.c
83296 @@ -1748,10 +1748,6 @@ static LIST_HEAD(ftrace_module_file_list);
83297 struct ftrace_module_file_ops {
83298 struct list_head list;
83299 struct module *mod;
83300 - struct file_operations id;
83301 - struct file_operations enable;
83302 - struct file_operations format;
83303 - struct file_operations filter;
83306 static struct ftrace_module_file_ops *
83307 @@ -1792,17 +1788,12 @@ trace_create_file_ops(struct module *mod)
83309 file_ops->mod = mod;
83311 - file_ops->id = ftrace_event_id_fops;
83312 - file_ops->id.owner = mod;
83314 - file_ops->enable = ftrace_enable_fops;
83315 - file_ops->enable.owner = mod;
83317 - file_ops->filter = ftrace_event_filter_fops;
83318 - file_ops->filter.owner = mod;
83320 - file_ops->format = ftrace_event_format_fops;
83321 - file_ops->format.owner = mod;
83322 + pax_open_kernel();
83323 + mod->trace_id.owner = mod;
83324 + mod->trace_enable.owner = mod;
83325 + mod->trace_filter.owner = mod;
83326 + mod->trace_format.owner = mod;
83327 + pax_close_kernel();
83329 list_add(&file_ops->list, &ftrace_module_file_list);
83331 @@ -1895,8 +1886,8 @@ __trace_add_new_mod_event(struct ftrace_event_call *call,
83332 struct ftrace_module_file_ops *file_ops)
83334 return __trace_add_new_event(call, tr,
83335 - &file_ops->id, &file_ops->enable,
83336 - &file_ops->filter, &file_ops->format);
83337 + &file_ops->mod->trace_id, &file_ops->mod->trace_enable,
83338 + &file_ops->mod->trace_filter, &file_ops->mod->trace_format);
83342 diff --git a/kernel/trace/trace_mmiotrace.c b/kernel/trace/trace_mmiotrace.c
83343 index a5e8f48..a9690d2 100644
83344 --- a/kernel/trace/trace_mmiotrace.c
83345 +++ b/kernel/trace/trace_mmiotrace.c
83346 @@ -24,7 +24,7 @@ struct header_iter {
83347 static struct trace_array *mmio_trace_array;
83348 static bool overrun_detected;
83349 static unsigned long prev_overruns;
83350 -static atomic_t dropped_count;
83351 +static atomic_unchecked_t dropped_count;
83353 static void mmio_reset_data(struct trace_array *tr)
83355 @@ -127,7 +127,7 @@ static void mmio_close(struct trace_iterator *iter)
83357 static unsigned long count_overruns(struct trace_iterator *iter)
83359 - unsigned long cnt = atomic_xchg(&dropped_count, 0);
83360 + unsigned long cnt = atomic_xchg_unchecked(&dropped_count, 0);
83361 unsigned long over = ring_buffer_overruns(iter->trace_buffer->buffer);
83363 if (over > prev_overruns)
83364 @@ -317,7 +317,7 @@ static void __trace_mmiotrace_rw(struct trace_array *tr,
83365 event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_RW,
83366 sizeof(*entry), 0, pc);
83368 - atomic_inc(&dropped_count);
83369 + atomic_inc_unchecked(&dropped_count);
83372 entry = ring_buffer_event_data(event);
83373 @@ -347,7 +347,7 @@ static void __trace_mmiotrace_map(struct trace_array *tr,
83374 event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_MAP,
83375 sizeof(*entry), 0, pc);
83377 - atomic_inc(&dropped_count);
83378 + atomic_inc_unchecked(&dropped_count);
83381 entry = ring_buffer_event_data(event);
83382 diff --git a/kernel/trace/trace_output.c b/kernel/trace/trace_output.c
83383 index bb922d9..2a54a257 100644
83384 --- a/kernel/trace/trace_output.c
83385 +++ b/kernel/trace/trace_output.c
83386 @@ -294,7 +294,7 @@ int trace_seq_path(struct trace_seq *s, const struct path *path)
83388 p = d_path(path, s->buffer + s->len, PAGE_SIZE - s->len);
83390 - p = mangle_path(s->buffer + s->len, p, "\n");
83391 + p = mangle_path(s->buffer + s->len, p, "\n\\");
83393 s->len = p - s->buffer;
83395 @@ -893,14 +893,16 @@ int register_ftrace_event(struct trace_event *event)
83399 + pax_open_kernel();
83400 if (event->funcs->trace == NULL)
83401 - event->funcs->trace = trace_nop_print;
83402 + *(void **)&event->funcs->trace = trace_nop_print;
83403 if (event->funcs->raw == NULL)
83404 - event->funcs->raw = trace_nop_print;
83405 + *(void **)&event->funcs->raw = trace_nop_print;
83406 if (event->funcs->hex == NULL)
83407 - event->funcs->hex = trace_nop_print;
83408 + *(void **)&event->funcs->hex = trace_nop_print;
83409 if (event->funcs->binary == NULL)
83410 - event->funcs->binary = trace_nop_print;
83411 + *(void **)&event->funcs->binary = trace_nop_print;
83412 + pax_close_kernel();
83414 key = event->type & (EVENT_HASHSIZE - 1);
83416 diff --git a/kernel/trace/trace_stack.c b/kernel/trace/trace_stack.c
83417 index b20428c..4845a10 100644
83418 --- a/kernel/trace/trace_stack.c
83419 +++ b/kernel/trace/trace_stack.c
83420 @@ -68,7 +68,7 @@ check_stack(unsigned long ip, unsigned long *stack)
83423 /* we do not handle interrupt stacks yet */
83424 - if (!object_is_on_stack(stack))
83425 + if (!object_starts_on_stack(stack))
83428 local_irq_save(flags);
83429 diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
83430 index 9064b91..1f5d2f8 100644
83431 --- a/kernel/user_namespace.c
83432 +++ b/kernel/user_namespace.c
83433 @@ -82,6 +82,21 @@ int create_user_ns(struct cred *new)
83434 !kgid_has_mapping(parent_ns, group))
83437 +#ifdef CONFIG_GRKERNSEC
83439 + * This doesn't really inspire confidence:
83440 + * http://marc.info/?l=linux-kernel&m=135543612731939&w=2
83441 + * http://marc.info/?l=linux-kernel&m=135545831607095&w=2
83442 + * Increases kernel attack surface in areas developers
83443 + * previously cared little about ("low importance due
83444 + * to requiring "root" capability")
83445 + * To be removed when this code receives *proper* review
83447 + if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SETUID) ||
83448 + !capable(CAP_SETGID))
83452 ns = kmem_cache_zalloc(user_ns_cachep, GFP_KERNEL);
83455 @@ -862,7 +877,7 @@ static int userns_install(struct nsproxy *nsproxy, void *ns)
83456 if (atomic_read(¤t->mm->mm_users) > 1)
83459 - if (current->fs->users != 1)
83460 + if (atomic_read(¤t->fs->users) != 1)
83463 if (!ns_capable(user_ns, CAP_SYS_ADMIN))
83464 diff --git a/kernel/utsname_sysctl.c b/kernel/utsname_sysctl.c
83465 index 4f69f9a..7c6f8f8 100644
83466 --- a/kernel/utsname_sysctl.c
83467 +++ b/kernel/utsname_sysctl.c
83468 @@ -47,7 +47,7 @@ static void put_uts(ctl_table *table, int write, void *which)
83469 static int proc_do_uts_string(ctl_table *table, int write,
83470 void __user *buffer, size_t *lenp, loff_t *ppos)
83472 - struct ctl_table uts_table;
83473 + ctl_table_no_const uts_table;
83475 memcpy(&uts_table, table, sizeof(uts_table));
83476 uts_table.data = get_uts(table, write);
83477 diff --git a/kernel/watchdog.c b/kernel/watchdog.c
83478 index 05039e3..17490c7 100644
83479 --- a/kernel/watchdog.c
83480 +++ b/kernel/watchdog.c
83481 @@ -531,7 +531,7 @@ int proc_dowatchdog(struct ctl_table *table, int write,
83483 #endif /* CONFIG_SYSCTL */
83485 -static struct smp_hotplug_thread watchdog_threads = {
83486 +static struct smp_hotplug_thread watchdog_threads __read_only = {
83487 .store = &softlockup_watchdog,
83488 .thread_should_run = watchdog_should_run,
83489 .thread_fn = watchdog,
83490 diff --git a/kernel/workqueue.c b/kernel/workqueue.c
83491 index 6f01921..139869b 100644
83492 --- a/kernel/workqueue.c
83493 +++ b/kernel/workqueue.c
83494 @@ -4596,7 +4596,7 @@ static void rebind_workers(struct worker_pool *pool)
83495 WARN_ON_ONCE(!(worker_flags & WORKER_UNBOUND));
83496 worker_flags |= WORKER_REBOUND;
83497 worker_flags &= ~WORKER_UNBOUND;
83498 - ACCESS_ONCE(worker->flags) = worker_flags;
83499 + ACCESS_ONCE_RW(worker->flags) = worker_flags;
83502 spin_unlock_irq(&pool->lock);
83503 diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
83504 index 74fdc5c..3310593 100644
83505 --- a/lib/Kconfig.debug
83506 +++ b/lib/Kconfig.debug
83507 @@ -549,7 +549,7 @@ config DEBUG_MUTEXES
83509 config DEBUG_LOCK_ALLOC
83510 bool "Lock debugging: detect incorrect freeing of live locks"
83511 - depends on DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT
83512 + depends on DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT && !PAX_CONSTIFY_PLUGIN
83513 select DEBUG_SPINLOCK
83514 select DEBUG_MUTEXES
83516 @@ -563,7 +563,7 @@ config DEBUG_LOCK_ALLOC
83518 config PROVE_LOCKING
83519 bool "Lock debugging: prove locking correctness"
83520 - depends on DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT
83521 + depends on DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT && !PAX_CONSTIFY_PLUGIN
83523 select DEBUG_SPINLOCK
83524 select DEBUG_MUTEXES
83525 @@ -614,7 +614,7 @@ config LOCKDEP
83528 bool "Lock usage statistics"
83529 - depends on DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT
83530 + depends on DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT && !PAX_CONSTIFY_PLUGIN
83532 select DEBUG_SPINLOCK
83533 select DEBUG_MUTEXES
83534 @@ -1282,6 +1282,7 @@ config LATENCYTOP
83535 depends on DEBUG_KERNEL
83536 depends on STACKTRACE_SUPPORT
83538 + depends on !GRKERNSEC_HIDESYM
83539 select FRAME_POINTER if !MIPS && !PPC && !S390 && !MICROBLAZE && !ARM_UNWIND
83541 select KALLSYMS_ALL
83542 @@ -1298,7 +1299,7 @@ config ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS
83543 config DEBUG_STRICT_USER_COPY_CHECKS
83544 bool "Strict user copy size checks"
83545 depends on ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS
83546 - depends on DEBUG_KERNEL && !TRACE_BRANCH_PROFILING
83547 + depends on DEBUG_KERNEL && !TRACE_BRANCH_PROFILING && !PAX_SIZE_OVERFLOW
83549 Enabling this option turns a certain set of sanity checks for user
83550 copy operations into compile time failures.
83551 @@ -1328,7 +1329,7 @@ config INTERVAL_TREE_TEST
83553 config PROVIDE_OHCI1394_DMA_INIT
83554 bool "Remote debugging over FireWire early on boot"
83555 - depends on PCI && X86
83556 + depends on PCI && X86 && !GRKERNSEC
83558 If you want to debug problems which hang or crash the kernel early
83559 on boot and the crashing machine has a FireWire port, you can use
83560 @@ -1357,7 +1358,7 @@ config PROVIDE_OHCI1394_DMA_INIT
83562 config FIREWIRE_OHCI_REMOTE_DMA
83563 bool "Remote debugging over FireWire with firewire-ohci"
83564 - depends on FIREWIRE_OHCI
83565 + depends on FIREWIRE_OHCI && !GRKERNSEC
83567 This option lets you use the FireWire bus for remote debugging
83568 with help of the firewire-ohci driver. It enables unfiltered
83569 diff --git a/lib/Makefile b/lib/Makefile
83570 index c55a037..fb46e3b 100644
83573 @@ -50,7 +50,7 @@ obj-$(CONFIG_GENERIC_HWEIGHT) += hweight.o
83575 obj-$(CONFIG_BTREE) += btree.o
83576 obj-$(CONFIG_DEBUG_PREEMPT) += smp_processor_id.o
83577 -obj-$(CONFIG_DEBUG_LIST) += list_debug.o
83578 +obj-y += list_debug.o
83579 obj-$(CONFIG_DEBUG_OBJECTS) += debugobjects.o
83581 ifneq ($(CONFIG_HAVE_DEC_LOCK),y)
83582 diff --git a/lib/bitmap.c b/lib/bitmap.c
83583 index 06f7e4f..f3cf2b0 100644
83586 @@ -422,7 +422,7 @@ int __bitmap_parse(const char *buf, unsigned int buflen,
83588 int c, old_c, totaldigits, ndigits, nchunks, nbits;
83590 - const char __user __force *ubuf = (const char __user __force *)buf;
83591 + const char __user *ubuf = (const char __force_user *)buf;
83593 bitmap_zero(maskp, nmaskbits);
83595 @@ -507,7 +507,7 @@ int bitmap_parse_user(const char __user *ubuf,
83597 if (!access_ok(VERIFY_READ, ubuf, ulen))
83599 - return __bitmap_parse((const char __force *)ubuf,
83600 + return __bitmap_parse((const char __force_kernel *)ubuf,
83601 ulen, 1, maskp, nmaskbits);
83604 @@ -598,7 +598,7 @@ static int __bitmap_parselist(const char *buf, unsigned int buflen,
83607 int c, old_c, totaldigits;
83608 - const char __user __force *ubuf = (const char __user __force *)buf;
83609 + const char __user *ubuf = (const char __force_user *)buf;
83610 int exp_digit, in_range;
83612 totaldigits = c = 0;
83613 @@ -698,7 +698,7 @@ int bitmap_parselist_user(const char __user *ubuf,
83615 if (!access_ok(VERIFY_READ, ubuf, ulen))
83617 - return __bitmap_parselist((const char __force *)ubuf,
83618 + return __bitmap_parselist((const char __force_kernel *)ubuf,
83619 ulen, 1, maskp, nmaskbits);
83621 EXPORT_SYMBOL(bitmap_parselist_user);
83622 diff --git a/lib/bug.c b/lib/bug.c
83623 index 1686034..a9c00c8 100644
83626 @@ -134,6 +134,8 @@ enum bug_trap_type report_bug(unsigned long bugaddr, struct pt_regs *regs)
83627 return BUG_TRAP_TYPE_NONE;
83629 bug = find_bug(bugaddr);
83631 + return BUG_TRAP_TYPE_NONE;
83635 diff --git a/lib/debugobjects.c b/lib/debugobjects.c
83636 index 37061ed..da83f48 100644
83637 --- a/lib/debugobjects.c
83638 +++ b/lib/debugobjects.c
83639 @@ -286,7 +286,7 @@ static void debug_object_is_on_stack(void *addr, int onstack)
83643 - is_on_stack = object_is_on_stack(addr);
83644 + is_on_stack = object_starts_on_stack(addr);
83645 if (is_on_stack == onstack)
83648 diff --git a/lib/devres.c b/lib/devres.c
83649 index 8235331..5881053 100644
83652 @@ -81,7 +81,7 @@ EXPORT_SYMBOL(devm_ioremap_nocache);
83653 void devm_iounmap(struct device *dev, void __iomem *addr)
83655 WARN_ON(devres_destroy(dev, devm_ioremap_release, devm_ioremap_match,
83657 + (void __force *)addr));
83660 EXPORT_SYMBOL(devm_iounmap);
83661 @@ -224,7 +224,7 @@ void devm_ioport_unmap(struct device *dev, void __iomem *addr)
83663 ioport_unmap(addr);
83664 WARN_ON(devres_destroy(dev, devm_ioport_map_release,
83665 - devm_ioport_map_match, (void *)addr));
83666 + devm_ioport_map_match, (void __force *)addr));
83668 EXPORT_SYMBOL(devm_ioport_unmap);
83669 #endif /* CONFIG_HAS_IOPORT */
83670 diff --git a/lib/div64.c b/lib/div64.c
83671 index a163b6c..9618fa5 100644
83674 @@ -59,7 +59,7 @@ uint32_t __attribute__((weak)) __div64_32(uint64_t *n, uint32_t base)
83675 EXPORT_SYMBOL(__div64_32);
83677 #ifndef div_s64_rem
83678 -s64 div_s64_rem(s64 dividend, s32 divisor, s32 *remainder)
83679 +s64 __intentional_overflow(-1) div_s64_rem(s64 dividend, s32 divisor, s32 *remainder)
83683 @@ -90,7 +90,7 @@ EXPORT_SYMBOL(div_s64_rem);
83684 * 'http://www.hackersdelight.org/HDcode/newCode/divDouble.c.txt'
83687 -u64 div64_u64(u64 dividend, u64 divisor)
83688 +u64 __intentional_overflow(-1) div64_u64(u64 dividend, u64 divisor)
83690 u32 high = divisor >> 32;
83692 diff --git a/lib/dma-debug.c b/lib/dma-debug.c
83693 index d87a17a..ac0d79a 100644
83694 --- a/lib/dma-debug.c
83695 +++ b/lib/dma-debug.c
83696 @@ -768,7 +768,7 @@ static int dma_debug_device_change(struct notifier_block *nb, unsigned long acti
83698 void dma_debug_add_bus(struct bus_type *bus)
83700 - struct notifier_block *nb;
83701 + notifier_block_no_const *nb;
83703 if (global_disable)
83705 @@ -945,7 +945,7 @@ static void check_unmap(struct dma_debug_entry *ref)
83707 static void check_for_stack(struct device *dev, void *addr)
83709 - if (object_is_on_stack(addr))
83710 + if (object_starts_on_stack(addr))
83711 err_printk(dev, NULL, "DMA-API: device driver maps memory from"
83712 "stack [addr=%p]\n", addr);
83714 diff --git a/lib/inflate.c b/lib/inflate.c
83715 index 013a761..c28f3fc 100644
83716 --- a/lib/inflate.c
83717 +++ b/lib/inflate.c
83718 @@ -269,7 +269,7 @@ static void free(void *where)
83719 malloc_ptr = free_mem_ptr;
83722 -#define malloc(a) kmalloc(a, GFP_KERNEL)
83723 +#define malloc(a) kmalloc((a), GFP_KERNEL)
83724 #define free(a) kfree(a)
83727 diff --git a/lib/ioremap.c b/lib/ioremap.c
83728 index 0c9216c..863bd89 100644
83729 --- a/lib/ioremap.c
83730 +++ b/lib/ioremap.c
83731 @@ -38,7 +38,7 @@ static inline int ioremap_pmd_range(pud_t *pud, unsigned long addr,
83732 unsigned long next;
83735 - pmd = pmd_alloc(&init_mm, pud, addr);
83736 + pmd = pmd_alloc_kernel(&init_mm, pud, addr);
83740 @@ -56,7 +56,7 @@ static inline int ioremap_pud_range(pgd_t *pgd, unsigned long addr,
83741 unsigned long next;
83744 - pud = pud_alloc(&init_mm, pgd, addr);
83745 + pud = pud_alloc_kernel(&init_mm, pgd, addr);
83749 diff --git a/lib/is_single_threaded.c b/lib/is_single_threaded.c
83750 index bd2bea9..6b3c95e 100644
83751 --- a/lib/is_single_threaded.c
83752 +++ b/lib/is_single_threaded.c
83753 @@ -22,6 +22,9 @@ bool current_is_single_threaded(void)
83754 struct task_struct *p, *t;
83760 if (atomic_read(&task->signal->live) != 1)
83763 diff --git a/lib/kobject.c b/lib/kobject.c
83764 index b7e29a6..2f3ca75 100644
83765 --- a/lib/kobject.c
83766 +++ b/lib/kobject.c
83767 @@ -805,7 +805,7 @@ static struct kset *kset_create(const char *name,
83768 kset = kzalloc(sizeof(*kset), GFP_KERNEL);
83771 - retval = kobject_set_name(&kset->kobj, name);
83772 + retval = kobject_set_name(&kset->kobj, "%s", name);
83776 @@ -859,9 +859,9 @@ EXPORT_SYMBOL_GPL(kset_create_and_add);
83779 static DEFINE_SPINLOCK(kobj_ns_type_lock);
83780 -static const struct kobj_ns_type_operations *kobj_ns_ops_tbl[KOBJ_NS_TYPES];
83781 +static const struct kobj_ns_type_operations *kobj_ns_ops_tbl[KOBJ_NS_TYPES] __read_only;
83783 -int kobj_ns_type_register(const struct kobj_ns_type_operations *ops)
83784 +int __init kobj_ns_type_register(const struct kobj_ns_type_operations *ops)
83786 enum kobj_ns_type type = ops->type;
83788 diff --git a/lib/list_debug.c b/lib/list_debug.c
83789 index c24c2f7..06e070b 100644
83790 --- a/lib/list_debug.c
83791 +++ b/lib/list_debug.c
83793 #include <linux/bug.h>
83794 #include <linux/kernel.h>
83795 #include <linux/rculist.h>
83796 +#include <linux/mm.h>
83798 +#ifdef CONFIG_DEBUG_LIST
83800 * Insert a new entry between two known consecutive entries.
83802 @@ -19,21 +21,32 @@
83803 * the prev/next entries already!
83806 -void __list_add(struct list_head *new,
83807 - struct list_head *prev,
83808 - struct list_head *next)
83809 +static bool __list_add_debug(struct list_head *new,
83810 + struct list_head *prev,
83811 + struct list_head *next)
83813 - WARN(next->prev != prev,
83814 + if (WARN(next->prev != prev,
83815 "list_add corruption. next->prev should be "
83816 "prev (%p), but was %p. (next=%p).\n",
83817 - prev, next->prev, next);
83818 - WARN(prev->next != next,
83819 + prev, next->prev, next) ||
83820 + WARN(prev->next != next,
83821 "list_add corruption. prev->next should be "
83822 "next (%p), but was %p. (prev=%p).\n",
83823 - next, prev->next, prev);
83824 - WARN(new == prev || new == next,
83825 - "list_add double add: new=%p, prev=%p, next=%p.\n",
83826 - new, prev, next);
83827 + next, prev->next, prev) ||
83828 + WARN(new == prev || new == next,
83829 + "list_add double add: new=%p, prev=%p, next=%p.\n",
83830 + new, prev, next))
83835 +void __list_add(struct list_head *new,
83836 + struct list_head *prev,
83837 + struct list_head *next)
83839 + if (!__list_add_debug(new, prev, next))
83845 @@ -41,7 +54,7 @@ void __list_add(struct list_head *new,
83847 EXPORT_SYMBOL(__list_add);
83849 -void __list_del_entry(struct list_head *entry)
83850 +static bool __list_del_entry_debug(struct list_head *entry)
83852 struct list_head *prev, *next;
83854 @@ -60,9 +73,16 @@ void __list_del_entry(struct list_head *entry)
83855 WARN(next->prev != entry,
83856 "list_del corruption. next->prev should be %p, "
83857 "but was %p\n", entry, next->prev))
83862 +void __list_del_entry(struct list_head *entry)
83864 + if (!__list_del_entry_debug(entry))
83867 - __list_del(prev, next);
83868 + __list_del(entry->prev, entry->next);
83870 EXPORT_SYMBOL(__list_del_entry);
83872 @@ -86,15 +106,85 @@ EXPORT_SYMBOL(list_del);
83873 void __list_add_rcu(struct list_head *new,
83874 struct list_head *prev, struct list_head *next)
83876 - WARN(next->prev != prev,
83877 - "list_add_rcu corruption. next->prev should be prev (%p), but was %p. (next=%p).\n",
83878 - prev, next->prev, next);
83879 - WARN(prev->next != next,
83880 - "list_add_rcu corruption. prev->next should be next (%p), but was %p. (prev=%p).\n",
83881 - next, prev->next, prev);
83882 + if (!__list_add_debug(new, prev, next))
83887 rcu_assign_pointer(list_next_rcu(prev), new);
83890 EXPORT_SYMBOL(__list_add_rcu);
83893 +void __pax_list_add(struct list_head *new, struct list_head *prev, struct list_head *next)
83895 +#ifdef CONFIG_DEBUG_LIST
83896 + if (!__list_add_debug(new, prev, next))
83900 + pax_open_kernel();
83901 + next->prev = new;
83902 + new->next = next;
83903 + new->prev = prev;
83904 + prev->next = new;
83905 + pax_close_kernel();
83907 +EXPORT_SYMBOL(__pax_list_add);
83909 +void pax_list_del(struct list_head *entry)
83911 +#ifdef CONFIG_DEBUG_LIST
83912 + if (!__list_del_entry_debug(entry))
83916 + pax_open_kernel();
83917 + __list_del(entry->prev, entry->next);
83918 + entry->next = LIST_POISON1;
83919 + entry->prev = LIST_POISON2;
83920 + pax_close_kernel();
83922 +EXPORT_SYMBOL(pax_list_del);
83924 +void pax_list_del_init(struct list_head *entry)
83926 + pax_open_kernel();
83927 + __list_del(entry->prev, entry->next);
83928 + INIT_LIST_HEAD(entry);
83929 + pax_close_kernel();
83931 +EXPORT_SYMBOL(pax_list_del_init);
83933 +void __pax_list_add_rcu(struct list_head *new,
83934 + struct list_head *prev, struct list_head *next)
83936 +#ifdef CONFIG_DEBUG_LIST
83937 + if (!__list_add_debug(new, prev, next))
83941 + pax_open_kernel();
83942 + new->next = next;
83943 + new->prev = prev;
83944 + rcu_assign_pointer(list_next_rcu(prev), new);
83945 + next->prev = new;
83946 + pax_close_kernel();
83948 +EXPORT_SYMBOL(__pax_list_add_rcu);
83950 +void pax_list_del_rcu(struct list_head *entry)
83952 +#ifdef CONFIG_DEBUG_LIST
83953 + if (!__list_del_entry_debug(entry))
83957 + pax_open_kernel();
83958 + __list_del(entry->prev, entry->next);
83959 + entry->next = LIST_POISON1;
83960 + entry->prev = LIST_POISON2;
83961 + pax_close_kernel();
83963 +EXPORT_SYMBOL(pax_list_del_rcu);
83964 diff --git a/lib/radix-tree.c b/lib/radix-tree.c
83965 index e796429..6e38f9f 100644
83966 --- a/lib/radix-tree.c
83967 +++ b/lib/radix-tree.c
83968 @@ -92,7 +92,7 @@ struct radix_tree_preload {
83970 struct radix_tree_node *nodes[RADIX_TREE_PRELOAD_SIZE];
83972 -static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
83973 +static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads);
83975 static inline void *ptr_to_indirect(void *ptr)
83977 diff --git a/lib/strncpy_from_user.c b/lib/strncpy_from_user.c
83978 index bb2b201..46abaf9 100644
83979 --- a/lib/strncpy_from_user.c
83980 +++ b/lib/strncpy_from_user.c
83983 static inline long do_strncpy_from_user(char *dst, const char __user *src, long count, unsigned long max)
83985 - const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
83986 + static const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
83990 diff --git a/lib/strnlen_user.c b/lib/strnlen_user.c
83991 index a28df52..3d55877 100644
83992 --- a/lib/strnlen_user.c
83993 +++ b/lib/strnlen_user.c
83996 static inline long do_strnlen_user(const char __user *src, unsigned long count, unsigned long max)
83998 - const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
83999 + static const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
84000 long align, res = 0;
84003 diff --git a/lib/swiotlb.c b/lib/swiotlb.c
84004 index d23762e..e21eab2 100644
84005 --- a/lib/swiotlb.c
84006 +++ b/lib/swiotlb.c
84007 @@ -664,7 +664,7 @@ EXPORT_SYMBOL(swiotlb_alloc_coherent);
84010 swiotlb_free_coherent(struct device *hwdev, size_t size, void *vaddr,
84011 - dma_addr_t dev_addr)
84012 + dma_addr_t dev_addr, struct dma_attrs *attrs)
84014 phys_addr_t paddr = dma_to_phys(hwdev, dev_addr);
84016 diff --git a/lib/usercopy.c b/lib/usercopy.c
84017 index 4f5b1dd..7cab418 100644
84018 --- a/lib/usercopy.c
84019 +++ b/lib/usercopy.c
84020 @@ -7,3 +7,9 @@ void copy_from_user_overflow(void)
84021 WARN(1, "Buffer overflow detected!\n");
84023 EXPORT_SYMBOL(copy_from_user_overflow);
84025 +void copy_to_user_overflow(void)
84027 + WARN(1, "Buffer overflow detected!\n");
84029 +EXPORT_SYMBOL(copy_to_user_overflow);
84030 diff --git a/lib/vsprintf.c b/lib/vsprintf.c
84031 index e149c64..24aa71a 100644
84032 --- a/lib/vsprintf.c
84033 +++ b/lib/vsprintf.c
84035 * - scnprintf and vscnprintf
84038 +#ifdef CONFIG_GRKERNSEC_HIDESYM
84039 +#define __INCLUDED_BY_HIDESYM 1
84041 #include <stdarg.h>
84042 #include <linux/module.h> /* for KSYM_SYMBOL_LEN */
84043 #include <linux/types.h>
84044 @@ -981,7 +984,11 @@ char *netdev_feature_string(char *buf, char *end, const u8 *addr,
84045 return number(buf, end, *(const netdev_features_t *)addr, spec);
84048 +#ifdef CONFIG_GRKERNSEC_HIDESYM
84049 +int kptr_restrict __read_mostly = 2;
84051 int kptr_restrict __read_mostly;
84055 * Show a '%p' thing. A kernel extension is that the '%p' is followed
84056 @@ -994,6 +1001,7 @@ int kptr_restrict __read_mostly;
84057 * - 'f' For simple symbolic function names without offset
84058 * - 'S' For symbolic direct pointers with offset
84059 * - 's' For symbolic direct pointers without offset
84060 + * - 'A' For symbolic direct pointers with offset approved for use with GRKERNSEC_HIDESYM
84061 * - '[FfSs]R' as above with __builtin_extract_return_addr() translation
84062 * - 'B' For backtraced symbolic direct pointers with offset
84063 * - 'R' For decoded struct resource, e.g., [mem 0x0-0x1f 64bit pref]
84064 @@ -1052,12 +1060,12 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
84066 if (!ptr && *fmt != 'K') {
84068 - * Print (null) with the same width as a pointer so it makes
84069 + * Print (nil) with the same width as a pointer so it makes
84070 * tabular output look nice.
84072 if (spec.field_width == -1)
84073 spec.field_width = default_width;
84074 - return string(buf, end, "(null)", spec);
84075 + return string(buf, end, "(nil)", spec);
84079 @@ -1067,6 +1075,12 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
84083 +#ifdef CONFIG_GRKERNSEC_HIDESYM
84086 + return symbol_string(buf, end, ptr, spec, fmt);
84090 return symbol_string(buf, end, ptr, spec, fmt);
84092 @@ -1107,6 +1121,8 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
84100 * %pK cannot be used in IRQ context because its test
84101 @@ -1136,6 +1152,21 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
84102 return number(buf, end,
84103 (unsigned long long) *((phys_addr_t *)ptr), spec);
84106 +#ifdef CONFIG_GRKERNSEC_HIDESYM
84107 + /* 'P' = approved pointers to copy to userland,
84108 + as in the /proc/kallsyms case, as we make it display nothing
84109 + for non-root users, and the real contents for root users
84110 + Also ignore 'K' pointers, since we force their NULLing for non-root users
84113 + if ((unsigned long)ptr > TASK_SIZE && *fmt != 'P' && *fmt != 'K' && is_usercopy_object(buf)) {
84114 + printk(KERN_ALERT "grsec: kernel infoleak detected! Please report this log to spender@grsecurity.net.\n");
84120 spec.flags |= SMALL;
84121 if (spec.field_width == -1) {
84122 spec.field_width = default_width;
84123 @@ -1857,11 +1888,11 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
84124 typeof(type) value; \
84125 if (sizeof(type) == 8) { \
84126 args = PTR_ALIGN(args, sizeof(u32)); \
84127 - *(u32 *)&value = *(u32 *)args; \
84128 - *((u32 *)&value + 1) = *(u32 *)(args + 4); \
84129 + *(u32 *)&value = *(const u32 *)args; \
84130 + *((u32 *)&value + 1) = *(const u32 *)(args + 4); \
84132 args = PTR_ALIGN(args, sizeof(type)); \
84133 - value = *(typeof(type) *)args; \
84134 + value = *(const typeof(type) *)args; \
84136 args += sizeof(type); \
84138 @@ -1924,7 +1955,7 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
84139 case FORMAT_TYPE_STR: {
84140 const char *str_arg = args;
84141 args += strlen(str_arg) + 1;
84142 - str = string(str, end, (char *)str_arg, spec);
84143 + str = string(str, end, str_arg, spec);
84147 diff --git a/localversion-grsec b/localversion-grsec
84148 new file mode 100644
84149 index 0000000..7cd6065
84151 +++ b/localversion-grsec
84154 diff --git a/mm/Kconfig b/mm/Kconfig
84155 index e742d06..c56fdd8 100644
84158 @@ -317,10 +317,10 @@ config KSM
84159 root has set /sys/kernel/mm/ksm/run to 1 (if CONFIG_SYSFS is set).
84161 config DEFAULT_MMAP_MIN_ADDR
84162 - int "Low address space to protect from user allocation"
84163 + int "Low address space to protect from user allocation"
84169 This is the portion of low virtual memory which should be protected
84170 from userspace allocation. Keeping a user from writing to low pages
84171 can help reduce the impact of kernel NULL pointer bugs.
84172 @@ -351,7 +351,7 @@ config MEMORY_FAILURE
84174 config HWPOISON_INJECT
84175 tristate "HWPoison pages injector"
84176 - depends on MEMORY_FAILURE && DEBUG_KERNEL && PROC_FS
84177 + depends on MEMORY_FAILURE && DEBUG_KERNEL && PROC_FS && !GRKERNSEC
84178 select PROC_PAGE_MONITOR
84180 config NOMMU_INITIAL_TRIM_EXCESS
84181 diff --git a/mm/backing-dev.c b/mm/backing-dev.c
84182 index 5025174..9d67dcd 100644
84183 --- a/mm/backing-dev.c
84184 +++ b/mm/backing-dev.c
84186 #include <linux/device.h>
84187 #include <trace/events/writeback.h>
84189 -static atomic_long_t bdi_seq = ATOMIC_LONG_INIT(0);
84190 +static atomic_long_unchecked_t bdi_seq = ATOMIC_LONG_INIT(0);
84192 struct backing_dev_info default_backing_dev_info = {
84194 @@ -515,7 +515,6 @@ EXPORT_SYMBOL(bdi_destroy);
84195 int bdi_setup_and_register(struct backing_dev_info *bdi, char *name,
84202 @@ -524,8 +523,7 @@ int bdi_setup_and_register(struct backing_dev_info *bdi, char *name,
84206 - sprintf(tmp, "%.28s%s", name, "-%d");
84207 - err = bdi_register(bdi, NULL, tmp, atomic_long_inc_return(&bdi_seq));
84208 + err = bdi_register(bdi, NULL, "%.28s-%ld", name, atomic_long_inc_return_unchecked(&bdi_seq));
84212 diff --git a/mm/filemap.c b/mm/filemap.c
84213 index 7905fe7..e60faa8 100644
84216 @@ -1766,7 +1766,7 @@ int generic_file_mmap(struct file * file, struct vm_area_struct * vma)
84217 struct address_space *mapping = file->f_mapping;
84219 if (!mapping->a_ops->readpage)
84222 file_accessed(file);
84223 vma->vm_ops = &generic_file_vm_ops;
84225 @@ -2106,6 +2106,7 @@ inline int generic_write_checks(struct file *file, loff_t *pos, size_t *count, i
84226 *pos = i_size_read(inode);
84228 if (limit != RLIM_INFINITY) {
84229 + gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
84230 if (*pos >= limit) {
84231 send_sig(SIGXFSZ, current, 0);
84233 diff --git a/mm/fremap.c b/mm/fremap.c
84234 index 87da359..3f41cb1 100644
84237 @@ -158,6 +158,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size,
84239 vma = find_vma(mm, start);
84241 +#ifdef CONFIG_PAX_SEGMEXEC
84242 + if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC))
84247 * Make sure the vma is shared, that it supports prefaulting,
84248 * and that the remapped range is valid and fully within
84249 diff --git a/mm/highmem.c b/mm/highmem.c
84250 index b32b70c..e512eb0 100644
84253 @@ -138,8 +138,9 @@ static void flush_all_zero_pkmaps(void)
84254 * So no dangers, even with speculative execution.
84256 page = pte_page(pkmap_page_table[i]);
84257 + pax_open_kernel();
84258 pte_clear(&init_mm, PKMAP_ADDR(i), &pkmap_page_table[i]);
84260 + pax_close_kernel();
84261 set_page_address(page, NULL);
84264 @@ -198,9 +199,11 @@ start:
84267 vaddr = PKMAP_ADDR(last_pkmap_nr);
84269 + pax_open_kernel();
84270 set_pte_at(&init_mm, vaddr,
84271 &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));
84273 + pax_close_kernel();
84274 pkmap_count[last_pkmap_nr] = 1;
84275 set_page_address(page, (void *)vaddr);
84277 diff --git a/mm/hugetlb.c b/mm/hugetlb.c
84278 index 7c5eb85..5c01c2f 100644
84281 @@ -2022,15 +2022,17 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy,
84282 struct hstate *h = &default_hstate;
84285 + ctl_table_no_const hugetlb_table;
84287 tmp = h->max_huge_pages;
84289 if (write && h->order >= MAX_ORDER)
84292 - table->data = &tmp;
84293 - table->maxlen = sizeof(unsigned long);
84294 - ret = proc_doulongvec_minmax(table, write, buffer, length, ppos);
84295 + hugetlb_table = *table;
84296 + hugetlb_table.data = &tmp;
84297 + hugetlb_table.maxlen = sizeof(unsigned long);
84298 + ret = proc_doulongvec_minmax(&hugetlb_table, write, buffer, length, ppos);
84302 @@ -2087,15 +2089,17 @@ int hugetlb_overcommit_handler(struct ctl_table *table, int write,
84303 struct hstate *h = &default_hstate;
84306 + ctl_table_no_const hugetlb_table;
84308 tmp = h->nr_overcommit_huge_pages;
84310 if (write && h->order >= MAX_ORDER)
84313 - table->data = &tmp;
84314 - table->maxlen = sizeof(unsigned long);
84315 - ret = proc_doulongvec_minmax(table, write, buffer, length, ppos);
84316 + hugetlb_table = *table;
84317 + hugetlb_table.data = &tmp;
84318 + hugetlb_table.maxlen = sizeof(unsigned long);
84319 + ret = proc_doulongvec_minmax(&hugetlb_table, write, buffer, length, ppos);
84323 @@ -2545,6 +2549,27 @@ static int unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma,
84327 +#ifdef CONFIG_PAX_SEGMEXEC
84328 +static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
84330 + struct mm_struct *mm = vma->vm_mm;
84331 + struct vm_area_struct *vma_m;
84332 + unsigned long address_m;
84335 + vma_m = pax_find_mirror_vma(vma);
84339 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
84340 + address_m = address + SEGMEXEC_TASK_SIZE;
84341 + ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
84342 + get_page(page_m);
84343 + hugepage_add_anon_rmap(page_m, vma_m, address_m);
84344 + set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
84349 * Hugetlb_cow() should be called with page lock of the original hugepage held.
84350 * Called with hugetlb_instantiation_mutex held and pte_page locked so we
84351 @@ -2663,6 +2688,11 @@ retry_avoidcopy:
84352 make_huge_pte(vma, new_page, 1));
84353 page_remove_rmap(old_page);
84354 hugepage_add_new_anon_rmap(new_page, vma, address);
84356 +#ifdef CONFIG_PAX_SEGMEXEC
84357 + pax_mirror_huge_pte(vma, address, new_page);
84360 /* Make the old page be freed below */
84361 new_page = old_page;
84363 @@ -2821,6 +2851,10 @@ retry:
84364 && (vma->vm_flags & VM_SHARED)));
84365 set_huge_pte_at(mm, address, ptep, new_pte);
84367 +#ifdef CONFIG_PAX_SEGMEXEC
84368 + pax_mirror_huge_pte(vma, address, page);
84371 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
84372 /* Optimization, do the COW without a second fault */
84373 ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
84374 @@ -2850,6 +2884,10 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
84375 static DEFINE_MUTEX(hugetlb_instantiation_mutex);
84376 struct hstate *h = hstate_vma(vma);
84378 +#ifdef CONFIG_PAX_SEGMEXEC
84379 + struct vm_area_struct *vma_m;
84382 address &= huge_page_mask(h);
84384 ptep = huge_pte_offset(mm, address);
84385 @@ -2863,6 +2901,26 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
84386 VM_FAULT_SET_HINDEX(hstate_index(h));
84389 +#ifdef CONFIG_PAX_SEGMEXEC
84390 + vma_m = pax_find_mirror_vma(vma);
84392 + unsigned long address_m;
84394 + if (vma->vm_start > vma_m->vm_start) {
84395 + address_m = address;
84396 + address -= SEGMEXEC_TASK_SIZE;
84398 + h = hstate_vma(vma);
84400 + address_m = address + SEGMEXEC_TASK_SIZE;
84402 + if (!huge_pte_alloc(mm, address_m, huge_page_size(h)))
84403 + return VM_FAULT_OOM;
84404 + address_m &= HPAGE_MASK;
84405 + unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);
84409 ptep = huge_pte_alloc(mm, address, huge_page_size(h));
84411 return VM_FAULT_OOM;
84412 diff --git a/mm/internal.h b/mm/internal.h
84413 index 8562de0..92b2073 100644
84414 --- a/mm/internal.h
84415 +++ b/mm/internal.h
84416 @@ -100,6 +100,7 @@ extern pmd_t *mm_find_pmd(struct mm_struct *mm, unsigned long address);
84417 * in mm/page_alloc.c
84419 extern void __free_pages_bootmem(struct page *page, unsigned int order);
84420 +extern void free_compound_page(struct page *page);
84421 extern void prep_compound_page(struct page *page, unsigned long order);
84422 #ifdef CONFIG_MEMORY_FAILURE
84423 extern bool is_free_buddy_page(struct page *page);
84424 @@ -355,7 +356,7 @@ extern u32 hwpoison_filter_enable;
84426 extern unsigned long vm_mmap_pgoff(struct file *, unsigned long,
84427 unsigned long, unsigned long,
84428 - unsigned long, unsigned long);
84429 + unsigned long, unsigned long) __intentional_overflow(-1);
84431 extern void set_pageblock_order(void);
84432 unsigned long reclaim_clean_pages_from_list(struct zone *zone,
84433 diff --git a/mm/kmemleak.c b/mm/kmemleak.c
84434 index c8d7f31..2dbeffd 100644
84435 --- a/mm/kmemleak.c
84436 +++ b/mm/kmemleak.c
84437 @@ -363,7 +363,7 @@ static void print_unreferenced(struct seq_file *seq,
84439 for (i = 0; i < object->trace_len; i++) {
84440 void *ptr = (void *)object->trace[i];
84441 - seq_printf(seq, " [<%p>] %pS\n", ptr, ptr);
84442 + seq_printf(seq, " [<%pP>] %pA\n", ptr, ptr);
84446 @@ -1851,7 +1851,7 @@ static int __init kmemleak_late_init(void)
84450 - dentry = debugfs_create_file("kmemleak", S_IRUGO, NULL, NULL,
84451 + dentry = debugfs_create_file("kmemleak", S_IRUSR, NULL, NULL,
84454 pr_warning("Failed to create the debugfs kmemleak file\n");
84455 diff --git a/mm/maccess.c b/mm/maccess.c
84456 index d53adf9..03a24bf 100644
84459 @@ -26,7 +26,7 @@ long __probe_kernel_read(void *dst, const void *src, size_t size)
84461 pagefault_disable();
84462 ret = __copy_from_user_inatomic(dst,
84463 - (__force const void __user *)src, size);
84464 + (const void __force_user *)src, size);
84465 pagefault_enable();
84468 @@ -53,7 +53,7 @@ long __probe_kernel_write(void *dst, const void *src, size_t size)
84471 pagefault_disable();
84472 - ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
84473 + ret = __copy_to_user_inatomic((void __force_user *)dst, src, size);
84474 pagefault_enable();
84477 diff --git a/mm/madvise.c b/mm/madvise.c
84478 index 7055883..aafb1ed 100644
84481 @@ -51,6 +51,10 @@ static long madvise_behavior(struct vm_area_struct * vma,
84483 unsigned long new_flags = vma->vm_flags;
84485 +#ifdef CONFIG_PAX_SEGMEXEC
84486 + struct vm_area_struct *vma_m;
84489 switch (behavior) {
84491 new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
84492 @@ -126,6 +130,13 @@ success:
84494 * vm_flags is protected by the mmap_sem held in write mode.
84497 +#ifdef CONFIG_PAX_SEGMEXEC
84498 + vma_m = pax_find_mirror_vma(vma);
84500 + vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
84503 vma->vm_flags = new_flags;
84506 @@ -274,6 +285,11 @@ static long madvise_dontneed(struct vm_area_struct * vma,
84507 struct vm_area_struct ** prev,
84508 unsigned long start, unsigned long end)
84511 +#ifdef CONFIG_PAX_SEGMEXEC
84512 + struct vm_area_struct *vma_m;
84516 if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
84518 @@ -286,6 +302,21 @@ static long madvise_dontneed(struct vm_area_struct * vma,
84519 zap_page_range(vma, start, end - start, &details);
84521 zap_page_range(vma, start, end - start, NULL);
84523 +#ifdef CONFIG_PAX_SEGMEXEC
84524 + vma_m = pax_find_mirror_vma(vma);
84526 + if (unlikely(vma->vm_flags & VM_NONLINEAR)) {
84527 + struct zap_details details = {
84528 + .nonlinear_vma = vma_m,
84529 + .last_index = ULONG_MAX,
84531 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, &details);
84533 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
84540 @@ -485,6 +516,16 @@ SYSCALL_DEFINE3(madvise, unsigned long, start, size_t, len_in, int, behavior)
84544 +#ifdef CONFIG_PAX_SEGMEXEC
84545 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
84546 + if (end > SEGMEXEC_TASK_SIZE)
84551 + if (end > TASK_SIZE)
84557 diff --git a/mm/memory-failure.c b/mm/memory-failure.c
84558 index ceb0c7f..b2b8e94 100644
84559 --- a/mm/memory-failure.c
84560 +++ b/mm/memory-failure.c
84561 @@ -61,7 +61,7 @@ int sysctl_memory_failure_early_kill __read_mostly = 0;
84563 int sysctl_memory_failure_recovery __read_mostly = 1;
84565 -atomic_long_t num_poisoned_pages __read_mostly = ATOMIC_LONG_INIT(0);
84566 +atomic_long_unchecked_t num_poisoned_pages __read_mostly = ATOMIC_LONG_INIT(0);
84568 #if defined(CONFIG_HWPOISON_INJECT) || defined(CONFIG_HWPOISON_INJECT_MODULE)
84570 @@ -202,7 +202,7 @@ static int kill_proc(struct task_struct *t, unsigned long addr, int trapno,
84571 pfn, t->comm, t->pid);
84572 si.si_signo = SIGBUS;
84574 - si.si_addr = (void *)addr;
84575 + si.si_addr = (void __user *)addr;
84576 #ifdef __ARCH_SI_TRAPNO
84577 si.si_trapno = trapno;
84579 @@ -760,7 +760,7 @@ static struct page_state {
84582 int (*action)(struct page *p, unsigned long pfn);
84583 -} error_states[] = {
84584 +} __do_const error_states[] = {
84585 { reserved, reserved, "reserved kernel", me_kernel },
84587 * free pages are specially detected outside this table:
84588 @@ -1051,7 +1051,7 @@ int memory_failure(unsigned long pfn, int trapno, int flags)
84589 nr_pages = 1 << compound_order(hpage);
84590 else /* normal page or thp */
84592 - atomic_long_add(nr_pages, &num_poisoned_pages);
84593 + atomic_long_add_unchecked(nr_pages, &num_poisoned_pages);
84596 * We need/can do nothing about count=0 pages.
84597 @@ -1081,7 +1081,7 @@ int memory_failure(unsigned long pfn, int trapno, int flags)
84598 if (!PageHWPoison(hpage)
84599 || (hwpoison_filter(p) && TestClearPageHWPoison(p))
84600 || (p != hpage && TestSetPageHWPoison(hpage))) {
84601 - atomic_long_sub(nr_pages, &num_poisoned_pages);
84602 + atomic_long_sub_unchecked(nr_pages, &num_poisoned_pages);
84605 set_page_hwpoison_huge_page(hpage);
84606 @@ -1148,7 +1148,7 @@ int memory_failure(unsigned long pfn, int trapno, int flags)
84608 if (hwpoison_filter(p)) {
84609 if (TestClearPageHWPoison(p))
84610 - atomic_long_sub(nr_pages, &num_poisoned_pages);
84611 + atomic_long_sub_unchecked(nr_pages, &num_poisoned_pages);
84612 unlock_page(hpage);
84615 @@ -1350,7 +1350,7 @@ int unpoison_memory(unsigned long pfn)
84618 if (TestClearPageHWPoison(p))
84619 - atomic_long_sub(nr_pages, &num_poisoned_pages);
84620 + atomic_long_sub_unchecked(nr_pages, &num_poisoned_pages);
84621 pr_info("MCE: Software-unpoisoned free page %#lx\n", pfn);
84624 @@ -1364,7 +1364,7 @@ int unpoison_memory(unsigned long pfn)
84626 if (TestClearPageHWPoison(page)) {
84627 pr_info("MCE: Software-unpoisoned page %#lx\n", pfn);
84628 - atomic_long_sub(nr_pages, &num_poisoned_pages);
84629 + atomic_long_sub_unchecked(nr_pages, &num_poisoned_pages);
84631 if (PageHuge(page))
84632 clear_page_hwpoison_huge_page(page);
84633 @@ -1491,7 +1491,7 @@ static int soft_offline_huge_page(struct page *page, int flags)
84635 set_page_hwpoison_huge_page(hpage);
84636 dequeue_hwpoisoned_huge_page(hpage);
84637 - atomic_long_add(1 << compound_trans_order(hpage),
84638 + atomic_long_add_unchecked(1 << compound_trans_order(hpage),
84639 &num_poisoned_pages);
84641 /* keep elevated page count for bad page */
84642 @@ -1552,11 +1552,11 @@ int soft_offline_page(struct page *page, int flags)
84643 if (PageHuge(page)) {
84644 set_page_hwpoison_huge_page(hpage);
84645 dequeue_hwpoisoned_huge_page(hpage);
84646 - atomic_long_add(1 << compound_trans_order(hpage),
84647 + atomic_long_add_unchecked(1 << compound_trans_order(hpage),
84648 &num_poisoned_pages);
84650 SetPageHWPoison(page);
84651 - atomic_long_inc(&num_poisoned_pages);
84652 + atomic_long_inc_unchecked(&num_poisoned_pages);
84655 /* keep elevated page count for bad page */
84656 @@ -1596,7 +1596,7 @@ static int __soft_offline_page(struct page *page, int flags)
84658 pr_info("soft_offline: %#lx: invalidated\n", pfn);
84659 SetPageHWPoison(page);
84660 - atomic_long_inc(&num_poisoned_pages);
84661 + atomic_long_inc_unchecked(&num_poisoned_pages);
84665 @@ -1626,7 +1626,7 @@ static int __soft_offline_page(struct page *page, int flags)
84668 SetPageHWPoison(page);
84669 - atomic_long_inc(&num_poisoned_pages);
84670 + atomic_long_inc_unchecked(&num_poisoned_pages);
84673 pr_info("soft offline: %#lx: isolation failed: %d, page count %d, type %lx\n",
84674 diff --git a/mm/memory.c b/mm/memory.c
84675 index 5a35443..7c0340f 100644
84678 @@ -428,6 +428,7 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud,
84679 free_pte_range(tlb, pmd, addr);
84680 } while (pmd++, addr = next, addr != end);
84682 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)
84686 @@ -442,6 +443,8 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud,
84687 pmd = pmd_offset(pud, start);
84689 pmd_free_tlb(tlb, pmd, start);
84694 static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
84695 @@ -461,6 +464,7 @@ static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
84696 free_pmd_range(tlb, pud, addr, next, floor, ceiling);
84697 } while (pud++, addr = next, addr != end);
84699 +#if !defined(CONFIG_X86_64) || !defined(CONFIG_PAX_PER_CPU_PGD)
84700 start &= PGDIR_MASK;
84703 @@ -475,6 +479,8 @@ static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
84704 pud = pud_offset(pgd, start);
84706 pud_free_tlb(tlb, pud, start);
84712 @@ -1644,12 +1650,6 @@ no_page_table:
84716 -static inline int stack_guard_page(struct vm_area_struct *vma, unsigned long addr)
84718 - return stack_guard_page_start(vma, addr) ||
84719 - stack_guard_page_end(vma, addr+PAGE_SIZE);
84723 * __get_user_pages() - pin user pages in memory
84724 * @tsk: task_struct of target task
84725 @@ -1736,10 +1736,10 @@ long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
84730 + while (nr_pages) {
84731 struct vm_area_struct *vma;
84733 - vma = find_extend_vma(mm, start);
84734 + vma = find_vma(mm, start);
84735 if (!vma && in_gate_area(mm, start)) {
84736 unsigned long pg = start & PAGE_MASK;
84738 @@ -1788,7 +1788,7 @@ long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
84743 + if (!vma || start < vma->vm_start ||
84744 (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
84745 !(vm_flags & vma->vm_flags))
84746 return i ? : -EFAULT;
84747 @@ -1817,11 +1817,6 @@ long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
84749 unsigned int fault_flags = 0;
84751 - /* For mlock, just skip the stack guard page. */
84752 - if (foll_flags & FOLL_MLOCK) {
84753 - if (stack_guard_page(vma, start))
84756 if (foll_flags & FOLL_WRITE)
84757 fault_flags |= FAULT_FLAG_WRITE;
84759 @@ -1901,7 +1896,7 @@ next_page:
84760 start += page_increm * PAGE_SIZE;
84761 nr_pages -= page_increm;
84762 } while (nr_pages && start < vma->vm_end);
84763 - } while (nr_pages);
84767 EXPORT_SYMBOL(__get_user_pages);
84768 @@ -2108,6 +2103,10 @@ static int insert_page(struct vm_area_struct *vma, unsigned long addr,
84769 page_add_file_rmap(page);
84770 set_pte_at(mm, addr, pte, mk_pte(page, prot));
84772 +#ifdef CONFIG_PAX_SEGMEXEC
84773 + pax_mirror_file_pte(vma, addr, page, ptl);
84777 pte_unmap_unlock(pte, ptl);
84779 @@ -2152,9 +2151,21 @@ int vm_insert_page(struct vm_area_struct *vma, unsigned long addr,
84780 if (!page_count(page))
84782 if (!(vma->vm_flags & VM_MIXEDMAP)) {
84784 +#ifdef CONFIG_PAX_SEGMEXEC
84785 + struct vm_area_struct *vma_m;
84788 BUG_ON(down_read_trylock(&vma->vm_mm->mmap_sem));
84789 BUG_ON(vma->vm_flags & VM_PFNMAP);
84790 vma->vm_flags |= VM_MIXEDMAP;
84792 +#ifdef CONFIG_PAX_SEGMEXEC
84793 + vma_m = pax_find_mirror_vma(vma);
84795 + vma_m->vm_flags |= VM_MIXEDMAP;
84799 return insert_page(vma, addr, page, vma->vm_page_prot);
84801 @@ -2237,6 +2248,7 @@ int vm_insert_mixed(struct vm_area_struct *vma, unsigned long addr,
84804 BUG_ON(!(vma->vm_flags & VM_MIXEDMAP));
84805 + BUG_ON(vma->vm_mirror);
84807 if (addr < vma->vm_start || addr >= vma->vm_end)
84809 @@ -2484,7 +2496,9 @@ static int apply_to_pmd_range(struct mm_struct *mm, pud_t *pud,
84811 BUG_ON(pud_huge(*pud));
84813 - pmd = pmd_alloc(mm, pud, addr);
84814 + pmd = (mm == &init_mm) ?
84815 + pmd_alloc_kernel(mm, pud, addr) :
84816 + pmd_alloc(mm, pud, addr);
84820 @@ -2504,7 +2518,9 @@ static int apply_to_pud_range(struct mm_struct *mm, pgd_t *pgd,
84821 unsigned long next;
84824 - pud = pud_alloc(mm, pgd, addr);
84825 + pud = (mm == &init_mm) ?
84826 + pud_alloc_kernel(mm, pgd, addr) :
84827 + pud_alloc(mm, pgd, addr);
84831 @@ -2592,6 +2608,186 @@ static inline void cow_user_page(struct page *dst, struct page *src, unsigned lo
84832 copy_user_highpage(dst, src, va, vma);
84835 +#ifdef CONFIG_PAX_SEGMEXEC
84836 +static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
84838 + struct mm_struct *mm = vma->vm_mm;
84840 + pte_t *pte, entry;
84842 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
84844 + if (!pte_present(entry)) {
84845 + if (!pte_none(entry)) {
84846 + BUG_ON(pte_file(entry));
84847 + free_swap_and_cache(pte_to_swp_entry(entry));
84848 + pte_clear_not_present_full(mm, address, pte, 0);
84851 + struct page *page;
84853 + flush_cache_page(vma, address, pte_pfn(entry));
84854 + entry = ptep_clear_flush(vma, address, pte);
84855 + BUG_ON(pte_dirty(entry));
84856 + page = vm_normal_page(vma, address, entry);
84858 + update_hiwater_rss(mm);
84859 + if (PageAnon(page))
84860 + dec_mm_counter_fast(mm, MM_ANONPAGES);
84862 + dec_mm_counter_fast(mm, MM_FILEPAGES);
84863 + page_remove_rmap(page);
84864 + page_cache_release(page);
84867 + pte_unmap_unlock(pte, ptl);
84870 +/* PaX: if vma is mirrored, synchronize the mirror's PTE
84872 + * the ptl of the lower mapped page is held on entry and is not released on exit
84873 + * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
84875 +static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
84877 + struct mm_struct *mm = vma->vm_mm;
84878 + unsigned long address_m;
84879 + spinlock_t *ptl_m;
84880 + struct vm_area_struct *vma_m;
84882 + pte_t *pte_m, entry_m;
84884 + BUG_ON(!page_m || !PageAnon(page_m));
84886 + vma_m = pax_find_mirror_vma(vma);
84890 + BUG_ON(!PageLocked(page_m));
84891 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
84892 + address_m = address + SEGMEXEC_TASK_SIZE;
84893 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
84894 + pte_m = pte_offset_map(pmd_m, address_m);
84895 + ptl_m = pte_lockptr(mm, pmd_m);
84896 + if (ptl != ptl_m) {
84897 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
84898 + if (!pte_none(*pte_m))
84902 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
84903 + page_cache_get(page_m);
84904 + page_add_anon_rmap(page_m, vma_m, address_m);
84905 + inc_mm_counter_fast(mm, MM_ANONPAGES);
84906 + set_pte_at(mm, address_m, pte_m, entry_m);
84907 + update_mmu_cache(vma_m, address_m, pte_m);
84909 + if (ptl != ptl_m)
84910 + spin_unlock(ptl_m);
84911 + pte_unmap(pte_m);
84912 + unlock_page(page_m);
84915 +void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
84917 + struct mm_struct *mm = vma->vm_mm;
84918 + unsigned long address_m;
84919 + spinlock_t *ptl_m;
84920 + struct vm_area_struct *vma_m;
84922 + pte_t *pte_m, entry_m;
84924 + BUG_ON(!page_m || PageAnon(page_m));
84926 + vma_m = pax_find_mirror_vma(vma);
84930 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
84931 + address_m = address + SEGMEXEC_TASK_SIZE;
84932 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
84933 + pte_m = pte_offset_map(pmd_m, address_m);
84934 + ptl_m = pte_lockptr(mm, pmd_m);
84935 + if (ptl != ptl_m) {
84936 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
84937 + if (!pte_none(*pte_m))
84941 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
84942 + page_cache_get(page_m);
84943 + page_add_file_rmap(page_m);
84944 + inc_mm_counter_fast(mm, MM_FILEPAGES);
84945 + set_pte_at(mm, address_m, pte_m, entry_m);
84946 + update_mmu_cache(vma_m, address_m, pte_m);
84948 + if (ptl != ptl_m)
84949 + spin_unlock(ptl_m);
84950 + pte_unmap(pte_m);
84953 +static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
84955 + struct mm_struct *mm = vma->vm_mm;
84956 + unsigned long address_m;
84957 + spinlock_t *ptl_m;
84958 + struct vm_area_struct *vma_m;
84960 + pte_t *pte_m, entry_m;
84962 + vma_m = pax_find_mirror_vma(vma);
84966 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
84967 + address_m = address + SEGMEXEC_TASK_SIZE;
84968 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
84969 + pte_m = pte_offset_map(pmd_m, address_m);
84970 + ptl_m = pte_lockptr(mm, pmd_m);
84971 + if (ptl != ptl_m) {
84972 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
84973 + if (!pte_none(*pte_m))
84977 + entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
84978 + set_pte_at(mm, address_m, pte_m, entry_m);
84980 + if (ptl != ptl_m)
84981 + spin_unlock(ptl_m);
84982 + pte_unmap(pte_m);
84985 +static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
84987 + struct page *page_m;
84990 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
84994 + page_m = vm_normal_page(vma, address, entry);
84996 + pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
84997 + else if (PageAnon(page_m)) {
84998 + if (pax_find_mirror_vma(vma)) {
84999 + pte_unmap_unlock(pte, ptl);
85000 + lock_page(page_m);
85001 + pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
85002 + if (pte_same(entry, *pte))
85003 + pax_mirror_anon_pte(vma, address, page_m, ptl);
85005 + unlock_page(page_m);
85008 + pax_mirror_file_pte(vma, address, page_m, ptl);
85011 + pte_unmap_unlock(pte, ptl);
85016 * This routine handles present pages, when users try to write
85017 * to a shared page. It is done by copying the page to a new address
85018 @@ -2808,6 +3004,12 @@ gotten:
85020 page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
85021 if (likely(pte_same(*page_table, orig_pte))) {
85023 +#ifdef CONFIG_PAX_SEGMEXEC
85024 + if (pax_find_mirror_vma(vma))
85025 + BUG_ON(!trylock_page(new_page));
85029 if (!PageAnon(old_page)) {
85030 dec_mm_counter_fast(mm, MM_FILEPAGES);
85031 @@ -2859,6 +3061,10 @@ gotten:
85032 page_remove_rmap(old_page);
85035 +#ifdef CONFIG_PAX_SEGMEXEC
85036 + pax_mirror_anon_pte(vma, address, new_page, ptl);
85039 /* Free the old page.. */
85040 new_page = old_page;
85041 ret |= VM_FAULT_WRITE;
85042 @@ -3134,6 +3340,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma,
85044 if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
85045 try_to_free_swap(page);
85047 +#ifdef CONFIG_PAX_SEGMEXEC
85048 + if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
85052 if (page != swapcache) {
85054 @@ -3157,6 +3368,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma,
85056 /* No need to invalidate - it was non-present before */
85057 update_mmu_cache(vma, address, page_table);
85059 +#ifdef CONFIG_PAX_SEGMEXEC
85060 + pax_mirror_anon_pte(vma, address, page, ptl);
85064 pte_unmap_unlock(page_table, ptl);
85066 @@ -3176,40 +3392,6 @@ out_release:
85070 - * This is like a special single-page "expand_{down|up}wards()",
85071 - * except we must first make sure that 'address{-|+}PAGE_SIZE'
85072 - * doesn't hit another vma.
85074 -static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
85076 - address &= PAGE_MASK;
85077 - if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
85078 - struct vm_area_struct *prev = vma->vm_prev;
85081 - * Is there a mapping abutting this one below?
85083 - * That's only ok if it's the same stack mapping
85084 - * that has gotten split..
85086 - if (prev && prev->vm_end == address)
85087 - return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
85089 - expand_downwards(vma, address - PAGE_SIZE);
85091 - if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
85092 - struct vm_area_struct *next = vma->vm_next;
85094 - /* As VM_GROWSDOWN but s/below/above/ */
85095 - if (next && next->vm_start == address + PAGE_SIZE)
85096 - return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
85098 - expand_upwards(vma, address + PAGE_SIZE);
85104 * We enter with non-exclusive mmap_sem (to exclude vma changes,
85105 * but allow concurrent faults), and pte mapped but not yet locked.
85106 * We return with mmap_sem still held, but pte unmapped and unlocked.
85107 @@ -3218,27 +3400,23 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
85108 unsigned long address, pte_t *page_table, pmd_t *pmd,
85109 unsigned int flags)
85111 - struct page *page;
85112 + struct page *page = NULL;
85116 - pte_unmap(page_table);
85118 - /* Check if we need to add a guard page to the stack */
85119 - if (check_stack_guard_page(vma, address) < 0)
85120 - return VM_FAULT_SIGBUS;
85122 - /* Use the zero-page for reads */
85123 if (!(flags & FAULT_FLAG_WRITE)) {
85124 entry = pte_mkspecial(pfn_pte(my_zero_pfn(address),
85125 vma->vm_page_prot));
85126 - page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
85127 + ptl = pte_lockptr(mm, pmd);
85129 if (!pte_none(*page_table))
85134 /* Allocate our own private page. */
85135 + pte_unmap(page_table);
85137 if (unlikely(anon_vma_prepare(vma)))
85139 page = alloc_zeroed_user_highpage_movable(vma, address);
85140 @@ -3262,6 +3440,11 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
85141 if (!pte_none(*page_table))
85144 +#ifdef CONFIG_PAX_SEGMEXEC
85145 + if (pax_find_mirror_vma(vma))
85146 + BUG_ON(!trylock_page(page));
85149 inc_mm_counter_fast(mm, MM_ANONPAGES);
85150 page_add_new_anon_rmap(page, vma, address);
85152 @@ -3269,6 +3452,12 @@ setpte:
85154 /* No need to invalidate - it was non-present before */
85155 update_mmu_cache(vma, address, page_table);
85157 +#ifdef CONFIG_PAX_SEGMEXEC
85159 + pax_mirror_anon_pte(vma, address, page, ptl);
85163 pte_unmap_unlock(page_table, ptl);
85165 @@ -3412,6 +3601,12 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma,
85167 /* Only go through if we didn't race with anybody else... */
85168 if (likely(pte_same(*page_table, orig_pte))) {
85170 +#ifdef CONFIG_PAX_SEGMEXEC
85171 + if (anon && pax_find_mirror_vma(vma))
85172 + BUG_ON(!trylock_page(page));
85175 flush_icache_page(vma, page);
85176 entry = mk_pte(page, vma->vm_page_prot);
85177 if (flags & FAULT_FLAG_WRITE)
85178 @@ -3431,6 +3626,14 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma,
85180 /* no need to invalidate: a not-present page won't be cached */
85181 update_mmu_cache(vma, address, page_table);
85183 +#ifdef CONFIG_PAX_SEGMEXEC
85185 + pax_mirror_anon_pte(vma, address, page, ptl);
85187 + pax_mirror_file_pte(vma, address, page, ptl);
85192 mem_cgroup_uncharge_page(cow_page);
85193 @@ -3752,6 +3955,12 @@ int handle_pte_fault(struct mm_struct *mm,
85194 if (flags & FAULT_FLAG_WRITE)
85195 flush_tlb_fix_spurious_fault(vma, address);
85198 +#ifdef CONFIG_PAX_SEGMEXEC
85199 + pax_mirror_pte(vma, address, pte, pmd, ptl);
85204 pte_unmap_unlock(pte, ptl);
85206 @@ -3768,6 +3977,10 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma,
85210 +#ifdef CONFIG_PAX_SEGMEXEC
85211 + struct vm_area_struct *vma_m;
85214 __set_current_state(TASK_RUNNING);
85216 count_vm_event(PGFAULT);
85217 @@ -3779,6 +3992,34 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma,
85218 if (unlikely(is_vm_hugetlb_page(vma)))
85219 return hugetlb_fault(mm, vma, address, flags);
85221 +#ifdef CONFIG_PAX_SEGMEXEC
85222 + vma_m = pax_find_mirror_vma(vma);
85224 + unsigned long address_m;
85229 + if (vma->vm_start > vma_m->vm_start) {
85230 + address_m = address;
85231 + address -= SEGMEXEC_TASK_SIZE;
85234 + address_m = address + SEGMEXEC_TASK_SIZE;
85236 + pgd_m = pgd_offset(mm, address_m);
85237 + pud_m = pud_alloc(mm, pgd_m, address_m);
85239 + return VM_FAULT_OOM;
85240 + pmd_m = pmd_alloc(mm, pud_m, address_m);
85242 + return VM_FAULT_OOM;
85243 + if (!pmd_present(*pmd_m) && __pte_alloc(mm, vma_m, pmd_m, address_m))
85244 + return VM_FAULT_OOM;
85245 + pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
85250 pgd = pgd_offset(mm, address);
85251 pud = pud_alloc(mm, pgd, address);
85252 @@ -3877,6 +4118,23 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address)
85253 spin_unlock(&mm->page_table_lock);
85257 +int __pud_alloc_kernel(struct mm_struct *mm, pgd_t *pgd, unsigned long address)
85259 + pud_t *new = pud_alloc_one(mm, address);
85263 + smp_wmb(); /* See comment in __pte_alloc */
85265 + spin_lock(&mm->page_table_lock);
85266 + if (pgd_present(*pgd)) /* Another has populated it */
85267 + pud_free(mm, new);
85269 + pgd_populate_kernel(mm, pgd, new);
85270 + spin_unlock(&mm->page_table_lock);
85273 #endif /* __PAGETABLE_PUD_FOLDED */
85275 #ifndef __PAGETABLE_PMD_FOLDED
85276 @@ -3907,6 +4165,30 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address)
85277 spin_unlock(&mm->page_table_lock);
85281 +int __pmd_alloc_kernel(struct mm_struct *mm, pud_t *pud, unsigned long address)
85283 + pmd_t *new = pmd_alloc_one(mm, address);
85287 + smp_wmb(); /* See comment in __pte_alloc */
85289 + spin_lock(&mm->page_table_lock);
85290 +#ifndef __ARCH_HAS_4LEVEL_HACK
85291 + if (pud_present(*pud)) /* Another has populated it */
85292 + pmd_free(mm, new);
85294 + pud_populate_kernel(mm, pud, new);
85296 + if (pgd_present(*pud)) /* Another has populated it */
85297 + pmd_free(mm, new);
85299 + pgd_populate_kernel(mm, pud, new);
85300 +#endif /* __ARCH_HAS_4LEVEL_HACK */
85301 + spin_unlock(&mm->page_table_lock);
85304 #endif /* __PAGETABLE_PMD_FOLDED */
85306 #if !defined(__HAVE_ARCH_GATE_AREA)
85307 @@ -3920,7 +4202,7 @@ static int __init gate_vma_init(void)
85308 gate_vma.vm_start = FIXADDR_USER_START;
85309 gate_vma.vm_end = FIXADDR_USER_END;
85310 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
85311 - gate_vma.vm_page_prot = __P101;
85312 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
85316 @@ -4054,8 +4336,8 @@ out:
85320 -int generic_access_phys(struct vm_area_struct *vma, unsigned long addr,
85321 - void *buf, int len, int write)
85322 +ssize_t generic_access_phys(struct vm_area_struct *vma, unsigned long addr,
85323 + void *buf, size_t len, int write)
85325 resource_size_t phys_addr;
85326 unsigned long prot = 0;
85327 @@ -4080,8 +4362,8 @@ int generic_access_phys(struct vm_area_struct *vma, unsigned long addr,
85328 * Access another process' address space as given in mm. If non-NULL, use the
85329 * given task for page fault accounting.
85331 -static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
85332 - unsigned long addr, void *buf, int len, int write)
85333 +static ssize_t __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
85334 + unsigned long addr, void *buf, size_t len, int write)
85336 struct vm_area_struct *vma;
85337 void *old_buf = buf;
85338 @@ -4089,7 +4371,7 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
85339 down_read(&mm->mmap_sem);
85340 /* ignore errors, just check how much was successfully transferred */
85342 - int bytes, ret, offset;
85343 + ssize_t bytes, ret, offset;
85345 struct page *page = NULL;
85347 @@ -4148,8 +4430,8 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
85349 * The caller must hold a reference on @mm.
85351 -int access_remote_vm(struct mm_struct *mm, unsigned long addr,
85352 - void *buf, int len, int write)
85353 +ssize_t access_remote_vm(struct mm_struct *mm, unsigned long addr,
85354 + void *buf, size_t len, int write)
85356 return __access_remote_vm(NULL, mm, addr, buf, len, write);
85358 @@ -4159,11 +4441,11 @@ int access_remote_vm(struct mm_struct *mm, unsigned long addr,
85359 * Source/target buffer must be kernel space,
85360 * Do not walk the page table directly, use get_user_pages
85362 -int access_process_vm(struct task_struct *tsk, unsigned long addr,
85363 - void *buf, int len, int write)
85364 +ssize_t access_process_vm(struct task_struct *tsk, unsigned long addr,
85365 + void *buf, size_t len, int write)
85367 struct mm_struct *mm;
85371 mm = get_task_mm(tsk);
85373 diff --git a/mm/mempolicy.c b/mm/mempolicy.c
85374 index 4baf12e..5497066 100644
85375 --- a/mm/mempolicy.c
85376 +++ b/mm/mempolicy.c
85377 @@ -708,6 +708,10 @@ static int mbind_range(struct mm_struct *mm, unsigned long start,
85378 unsigned long vmstart;
85379 unsigned long vmend;
85381 +#ifdef CONFIG_PAX_SEGMEXEC
85382 + struct vm_area_struct *vma_m;
85385 vma = find_vma(mm, start);
85386 if (!vma || vma->vm_start > start)
85388 @@ -751,6 +755,16 @@ static int mbind_range(struct mm_struct *mm, unsigned long start,
85389 err = vma_replace_policy(vma, new_pol);
85393 +#ifdef CONFIG_PAX_SEGMEXEC
85394 + vma_m = pax_find_mirror_vma(vma);
85396 + err = vma_replace_policy(vma_m, new_pol);
85405 @@ -1206,6 +1220,17 @@ static long do_mbind(unsigned long start, unsigned long len,
85410 +#ifdef CONFIG_PAX_SEGMEXEC
85411 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
85412 + if (end > SEGMEXEC_TASK_SIZE)
85417 + if (end > TASK_SIZE)
85423 @@ -1434,8 +1459,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pid, unsigned long, maxnode,
85425 tcred = __task_cred(task);
85426 if (!uid_eq(cred->euid, tcred->suid) && !uid_eq(cred->euid, tcred->uid) &&
85427 - !uid_eq(cred->uid, tcred->suid) && !uid_eq(cred->uid, tcred->uid) &&
85428 - !capable(CAP_SYS_NICE)) {
85429 + !uid_eq(cred->uid, tcred->suid) && !capable(CAP_SYS_NICE)) {
85433 @@ -1466,6 +1490,15 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pid, unsigned long, maxnode,
85437 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
85438 + if (mm != current->mm &&
85439 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
85446 err = do_migrate_pages(mm, old, new,
85447 capable(CAP_SYS_NICE) ? MPOL_MF_MOVE_ALL : MPOL_MF_MOVE);
85449 diff --git a/mm/migrate.c b/mm/migrate.c
85450 index 6f0c244..6d1ae32 100644
85453 @@ -1399,8 +1399,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, unsigned long, nr_pages,
85455 tcred = __task_cred(task);
85456 if (!uid_eq(cred->euid, tcred->suid) && !uid_eq(cred->euid, tcred->uid) &&
85457 - !uid_eq(cred->uid, tcred->suid) && !uid_eq(cred->uid, tcred->uid) &&
85458 - !capable(CAP_SYS_NICE)) {
85459 + !uid_eq(cred->uid, tcred->suid) && !capable(CAP_SYS_NICE)) {
85463 diff --git a/mm/mlock.c b/mm/mlock.c
85464 index 79b7cf7..9944291 100644
85468 #include <linux/pagemap.h>
85469 #include <linux/mempolicy.h>
85470 #include <linux/syscalls.h>
85471 +#include <linux/security.h>
85472 #include <linux/sched.h>
85473 #include <linux/export.h>
85474 #include <linux/rmap.h>
85475 @@ -334,7 +335,7 @@ static int do_mlock(unsigned long start, size_t len, int on)
85477 unsigned long nstart, end, tmp;
85478 struct vm_area_struct * vma, * prev;
85482 VM_BUG_ON(start & ~PAGE_MASK);
85483 VM_BUG_ON(len != PAGE_ALIGN(len));
85484 @@ -343,6 +344,9 @@ static int do_mlock(unsigned long start, size_t len, int on)
85488 + if (end > TASK_SIZE)
85491 vma = find_vma(current->mm, start);
85492 if (!vma || vma->vm_start > start)
85494 @@ -354,6 +358,11 @@ static int do_mlock(unsigned long start, size_t len, int on)
85495 for (nstart = start ; ; ) {
85496 vm_flags_t newflags;
85498 +#ifdef CONFIG_PAX_SEGMEXEC
85499 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
85503 /* Here we know that vma->vm_start <= nstart < vma->vm_end. */
85505 newflags = vma->vm_flags & ~VM_LOCKED;
85506 @@ -466,6 +475,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, start, size_t, len)
85507 lock_limit >>= PAGE_SHIFT;
85509 /* check against resource limits */
85510 + gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
85511 if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
85512 error = do_mlock(start, len, 1);
85513 up_write(¤t->mm->mmap_sem);
85514 @@ -500,6 +510,11 @@ static int do_mlockall(int flags)
85515 for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
85516 vm_flags_t newflags;
85518 +#ifdef CONFIG_PAX_SEGMEXEC
85519 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
85523 newflags = vma->vm_flags & ~VM_LOCKED;
85524 if (flags & MCL_CURRENT)
85525 newflags |= VM_LOCKED;
85526 @@ -532,6 +547,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
85527 lock_limit >>= PAGE_SHIFT;
85530 + gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);
85531 if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
85532 capable(CAP_IPC_LOCK))
85533 ret = do_mlockall(flags);
85534 diff --git a/mm/mmap.c b/mm/mmap.c
85535 index 8d25fdc..bfb7626 100644
85539 #include <linux/sched/sysctl.h>
85540 #include <linux/notifier.h>
85541 #include <linux/memory.h>
85542 +#include <linux/random.h>
85544 #include <asm/uaccess.h>
85545 #include <asm/cacheflush.h>
85547 #define arch_rebalance_pgtables(addr, len) (addr)
85550 +static inline void verify_mm_writelocked(struct mm_struct *mm)
85552 +#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
85553 + if (unlikely(down_read_trylock(&mm->mmap_sem))) {
85554 + up_read(&mm->mmap_sem);
85560 static void unmap_region(struct mm_struct *mm,
85561 struct vm_area_struct *vma, struct vm_area_struct *prev,
85562 unsigned long start, unsigned long end);
85563 @@ -71,16 +82,25 @@ static void unmap_region(struct mm_struct *mm,
85564 * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
85567 -pgprot_t protection_map[16] = {
85568 +pgprot_t protection_map[16] __read_only = {
85569 __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
85570 __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
85573 -pgprot_t vm_get_page_prot(unsigned long vm_flags)
85574 +pgprot_t vm_get_page_prot(vm_flags_t vm_flags)
85576 - return __pgprot(pgprot_val(protection_map[vm_flags &
85577 + pgprot_t prot = __pgprot(pgprot_val(protection_map[vm_flags &
85578 (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
85579 pgprot_val(arch_vm_get_page_prot(vm_flags)));
85581 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
85582 + if (!(__supported_pte_mask & _PAGE_NX) &&
85583 + (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
85584 + (vm_flags & (VM_READ | VM_WRITE)))
85585 + prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
85590 EXPORT_SYMBOL(vm_get_page_prot);
85592 @@ -89,6 +109,7 @@ int sysctl_overcommit_ratio __read_mostly = 50; /* default is 50% */
85593 int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
85594 unsigned long sysctl_user_reserve_kbytes __read_mostly = 1UL << 17; /* 128MB */
85595 unsigned long sysctl_admin_reserve_kbytes __read_mostly = 1UL << 13; /* 8MB */
85596 +unsigned long sysctl_heap_stack_gap __read_mostly = 64*1024;
85598 * Make sure vm_committed_as in one cacheline and not cacheline shared with
85599 * other variables. It can be updated by several CPUs frequently.
85600 @@ -247,6 +268,7 @@ static struct vm_area_struct *remove_vma(struct vm_area_struct *vma)
85601 struct vm_area_struct *next = vma->vm_next;
85604 + BUG_ON(vma->vm_mirror);
85605 if (vma->vm_ops && vma->vm_ops->close)
85606 vma->vm_ops->close(vma);
85608 @@ -291,6 +313,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
85609 * not page aligned -Ram Gupta
85611 rlim = rlimit(RLIMIT_DATA);
85612 + gr_learn_resource(current, RLIMIT_DATA, (brk - mm->start_brk) + (mm->end_data - mm->start_data), 1);
85613 if (rlim < RLIM_INFINITY && (brk - mm->start_brk) +
85614 (mm->end_data - mm->start_data) > rlim)
85616 @@ -933,6 +956,12 @@ static int
85617 can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
85618 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
85621 +#ifdef CONFIG_PAX_SEGMEXEC
85622 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
85626 if (is_mergeable_vma(vma, file, vm_flags) &&
85627 is_mergeable_anon_vma(anon_vma, vma->anon_vma, vma)) {
85628 if (vma->vm_pgoff == vm_pgoff)
85629 @@ -952,6 +981,12 @@ static int
85630 can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
85631 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
85634 +#ifdef CONFIG_PAX_SEGMEXEC
85635 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
85639 if (is_mergeable_vma(vma, file, vm_flags) &&
85640 is_mergeable_anon_vma(anon_vma, vma->anon_vma, vma)) {
85642 @@ -994,13 +1029,20 @@ can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
85643 struct vm_area_struct *vma_merge(struct mm_struct *mm,
85644 struct vm_area_struct *prev, unsigned long addr,
85645 unsigned long end, unsigned long vm_flags,
85646 - struct anon_vma *anon_vma, struct file *file,
85647 + struct anon_vma *anon_vma, struct file *file,
85648 pgoff_t pgoff, struct mempolicy *policy)
85650 pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
85651 struct vm_area_struct *area, *next;
85654 +#ifdef CONFIG_PAX_SEGMEXEC
85655 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
85656 + struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
85658 + BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
85662 * We later require that vma->vm_flags == vm_flags,
85663 * so this tests vma->vm_flags & VM_SPECIAL, too.
85664 @@ -1016,6 +1058,15 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm,
85665 if (next && next->vm_end == end) /* cases 6, 7, 8 */
85666 next = next->vm_next;
85668 +#ifdef CONFIG_PAX_SEGMEXEC
85670 + prev_m = pax_find_mirror_vma(prev);
85672 + area_m = pax_find_mirror_vma(area);
85674 + next_m = pax_find_mirror_vma(next);
85678 * Can it merge with the predecessor?
85680 @@ -1035,9 +1086,24 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm,
85682 err = vma_adjust(prev, prev->vm_start,
85683 next->vm_end, prev->vm_pgoff, NULL);
85684 - } else /* cases 2, 5, 7 */
85686 +#ifdef CONFIG_PAX_SEGMEXEC
85687 + if (!err && prev_m)
85688 + err = vma_adjust(prev_m, prev_m->vm_start,
85689 + next_m->vm_end, prev_m->vm_pgoff, NULL);
85692 + } else { /* cases 2, 5, 7 */
85693 err = vma_adjust(prev, prev->vm_start,
85694 end, prev->vm_pgoff, NULL);
85696 +#ifdef CONFIG_PAX_SEGMEXEC
85697 + if (!err && prev_m)
85698 + err = vma_adjust(prev_m, prev_m->vm_start,
85699 + end_m, prev_m->vm_pgoff, NULL);
85705 khugepaged_enter_vma_merge(prev);
85706 @@ -1051,12 +1117,27 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm,
85707 mpol_equal(policy, vma_policy(next)) &&
85708 can_vma_merge_before(next, vm_flags,
85709 anon_vma, file, pgoff+pglen)) {
85710 - if (prev && addr < prev->vm_end) /* case 4 */
85711 + if (prev && addr < prev->vm_end) { /* case 4 */
85712 err = vma_adjust(prev, prev->vm_start,
85713 addr, prev->vm_pgoff, NULL);
85714 - else /* cases 3, 8 */
85716 +#ifdef CONFIG_PAX_SEGMEXEC
85717 + if (!err && prev_m)
85718 + err = vma_adjust(prev_m, prev_m->vm_start,
85719 + addr_m, prev_m->vm_pgoff, NULL);
85722 + } else { /* cases 3, 8 */
85723 err = vma_adjust(area, addr, next->vm_end,
85724 next->vm_pgoff - pglen, NULL);
85726 +#ifdef CONFIG_PAX_SEGMEXEC
85727 + if (!err && area_m)
85728 + err = vma_adjust(area_m, addr_m, next_m->vm_end,
85729 + next_m->vm_pgoff - pglen, NULL);
85735 khugepaged_enter_vma_merge(area);
85736 @@ -1165,8 +1246,10 @@ none:
85737 void vm_stat_account(struct mm_struct *mm, unsigned long flags,
85738 struct file *file, long pages)
85740 - const unsigned long stack_flags
85741 - = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
85743 +#ifdef CONFIG_PAX_RANDMMAP
85744 + if (!(mm->pax_flags & MF_PAX_RANDMMAP) || (flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)))
85747 mm->total_vm += pages;
85749 @@ -1174,7 +1257,7 @@ void vm_stat_account(struct mm_struct *mm, unsigned long flags,
85750 mm->shared_vm += pages;
85751 if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
85752 mm->exec_vm += pages;
85753 - } else if (flags & stack_flags)
85754 + } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
85755 mm->stack_vm += pages;
85757 #endif /* CONFIG_PROC_FS */
85758 @@ -1213,7 +1296,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
85759 * (the exception is when the underlying filesystem is noexec
85760 * mounted, in which case we dont add PROT_EXEC.)
85762 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
85763 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
85764 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
85767 @@ -1239,7 +1322,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
85768 /* Obtain the address to map to. we verify (or select) it and ensure
85769 * that it represents a valid section of the address space.
85771 - addr = get_unmapped_area(file, addr, len, pgoff, flags);
85772 + addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
85773 if (addr & ~PAGE_MASK)
85776 @@ -1250,6 +1333,43 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
85777 vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
85778 mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
85780 +#ifdef CONFIG_PAX_MPROTECT
85781 + if (mm->pax_flags & MF_PAX_MPROTECT) {
85783 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
85784 + if (file && !pgoff && (vm_flags & VM_EXEC) && mm->binfmt &&
85785 + mm->binfmt->handle_mmap)
85786 + mm->binfmt->handle_mmap(file);
85789 +#ifndef CONFIG_PAX_MPROTECT_COMPAT
85790 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) {
85791 + gr_log_rwxmmap(file);
85793 +#ifdef CONFIG_PAX_EMUPLT
85794 + vm_flags &= ~VM_EXEC;
85801 + if (!(vm_flags & VM_EXEC))
85802 + vm_flags &= ~VM_MAYEXEC;
85804 + if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
85805 + vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
85808 + vm_flags &= ~VM_MAYWRITE;
85812 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
85813 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
85814 + vm_flags &= ~VM_PAGEEXEC;
85817 if (flags & MAP_LOCKED)
85818 if (!can_do_mlock())
85820 @@ -1261,6 +1381,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
85821 locked += mm->locked_vm;
85822 lock_limit = rlimit(RLIMIT_MEMLOCK);
85823 lock_limit >>= PAGE_SHIFT;
85824 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
85825 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
85828 @@ -1341,6 +1462,9 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
85829 vm_flags |= VM_NORESERVE;
85832 + if (!gr_acl_handle_mmap(file, prot))
85835 addr = mmap_region(file, addr, len, vm_flags, pgoff);
85836 if (!IS_ERR_VALUE(addr) &&
85837 ((vm_flags & VM_LOCKED) ||
85838 @@ -1432,7 +1556,7 @@ int vma_wants_writenotify(struct vm_area_struct *vma)
85839 vm_flags_t vm_flags = vma->vm_flags;
85841 /* If it was private or non-writable, the write bit is already clear */
85842 - if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
85843 + if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
85846 /* The backer wishes to know when pages are first written to? */
85847 @@ -1480,7 +1604,22 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
85848 unsigned long charged = 0;
85849 struct inode *inode = file ? file_inode(file) : NULL;
85851 +#ifdef CONFIG_PAX_SEGMEXEC
85852 + struct vm_area_struct *vma_m = NULL;
85856 + * mm->mmap_sem is required to protect against another thread
85857 + * changing the mappings in case we sleep.
85859 + verify_mm_writelocked(mm);
85861 /* Check against address space limit. */
85863 +#ifdef CONFIG_PAX_RANDMMAP
85864 + if (!(mm->pax_flags & MF_PAX_RANDMMAP) || (vm_flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)))
85867 if (!may_expand_vm(mm, len >> PAGE_SHIFT)) {
85868 unsigned long nr_pages;
85870 @@ -1499,11 +1638,10 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
85872 /* Clear old maps */
85875 if (find_vma_links(mm, addr, addr + len, &prev, &rb_link, &rb_parent)) {
85876 if (do_munmap(mm, addr, len))
85878 - goto munmap_back;
85879 + BUG_ON(find_vma_links(mm, addr, addr + len, &prev, &rb_link, &rb_parent));
85883 @@ -1534,6 +1672,16 @@ munmap_back:
85887 +#ifdef CONFIG_PAX_SEGMEXEC
85888 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
85889 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
85898 vma->vm_start = addr;
85899 vma->vm_end = addr + len;
85900 @@ -1558,6 +1706,13 @@ munmap_back:
85902 goto unmap_and_free_vma;
85904 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
85905 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
85906 + vma->vm_flags |= VM_PAGEEXEC;
85907 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
85911 /* Can addr have changed??
85913 * Answer: Yes, several device drivers can do it in their
85914 @@ -1596,6 +1751,11 @@ munmap_back:
85915 vma_link(mm, vma, prev, rb_link, rb_parent);
85916 file = vma->vm_file;
85918 +#ifdef CONFIG_PAX_SEGMEXEC
85920 + BUG_ON(pax_mirror_vma(vma_m, vma));
85923 /* Once vma denies write, undo our temporary denial count */
85924 if (correct_wcount)
85925 atomic_inc(&inode->i_writecount);
85926 @@ -1603,6 +1763,7 @@ out:
85927 perf_event_mmap(vma);
85929 vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
85930 + track_exec_limit(mm, addr, addr + len, vm_flags);
85931 if (vm_flags & VM_LOCKED) {
85932 if (!((vm_flags & VM_SPECIAL) || is_vm_hugetlb_page(vma) ||
85933 vma == get_gate_vma(current->mm)))
85934 @@ -1626,6 +1787,12 @@ unmap_and_free_vma:
85935 unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
85939 +#ifdef CONFIG_PAX_SEGMEXEC
85941 + kmem_cache_free(vm_area_cachep, vma_m);
85944 kmem_cache_free(vm_area_cachep, vma);
85947 @@ -1633,7 +1800,63 @@ unacct_error:
85951 -unsigned long unmapped_area(struct vm_unmapped_area_info *info)
85952 +#ifdef CONFIG_GRKERNSEC_RAND_THREADSTACK
85953 +unsigned long gr_rand_threadstack_offset(const struct mm_struct *mm, const struct file *filp, unsigned long flags)
85955 + if ((mm->pax_flags & MF_PAX_RANDMMAP) && !filp && (flags & MAP_STACK))
85956 + return ((prandom_u32() & 0xFF) + 1) << PAGE_SHIFT;
85962 +bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len, unsigned long offset)
85965 +#ifdef CONFIG_STACK_GROWSUP
85966 + if (addr > sysctl_heap_stack_gap)
85967 + vma = find_vma(current->mm, addr - sysctl_heap_stack_gap);
85969 + vma = find_vma(current->mm, 0);
85970 + if (vma && (vma->vm_flags & VM_GROWSUP))
85976 + if (addr + len > vma->vm_start)
85979 + if (vma->vm_flags & VM_GROWSDOWN)
85980 + return sysctl_heap_stack_gap <= vma->vm_start - addr - len;
85981 +#ifdef CONFIG_STACK_GROWSUP
85982 + else if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP))
85983 + return addr - vma->vm_prev->vm_end >= sysctl_heap_stack_gap;
85986 + return offset <= vma->vm_start - addr - len;
85991 +unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len, unsigned long offset)
85993 + if (vma->vm_start < len)
85996 + if (!(vma->vm_flags & VM_GROWSDOWN)) {
85997 + if (offset <= vma->vm_start - len)
85998 + return vma->vm_start - len - offset;
86003 + if (sysctl_heap_stack_gap <= vma->vm_start - len)
86004 + return vma->vm_start - len - sysctl_heap_stack_gap;
86008 +unsigned long unmapped_area(const struct vm_unmapped_area_info *info)
86011 * We implement the search by looking for an rbtree node that
86012 @@ -1681,11 +1904,29 @@ unsigned long unmapped_area(struct vm_unmapped_area_info *info)
86016 - gap_start = vma->vm_prev ? vma->vm_prev->vm_end : 0;
86017 + gap_start = vma->vm_prev ? vma->vm_prev->vm_end: 0;
86019 /* Check if current node has a suitable gap */
86020 if (gap_start > high_limit)
86023 + if (gap_end - gap_start > info->threadstack_offset)
86024 + gap_start += info->threadstack_offset;
86026 + gap_start = gap_end;
86028 + if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP)) {
86029 + if (gap_end - gap_start > sysctl_heap_stack_gap)
86030 + gap_start += sysctl_heap_stack_gap;
86032 + gap_start = gap_end;
86034 + if (vma->vm_flags & VM_GROWSDOWN) {
86035 + if (gap_end - gap_start > sysctl_heap_stack_gap)
86036 + gap_end -= sysctl_heap_stack_gap;
86038 + gap_end = gap_start;
86040 if (gap_end >= low_limit && gap_end - gap_start >= length)
86043 @@ -1735,7 +1976,7 @@ found:
86047 -unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info)
86048 +unsigned long unmapped_area_topdown(const struct vm_unmapped_area_info *info)
86050 struct mm_struct *mm = current->mm;
86051 struct vm_area_struct *vma;
86052 @@ -1789,6 +2030,24 @@ check_current:
86053 gap_end = vma->vm_start;
86054 if (gap_end < low_limit)
86057 + if (gap_end - gap_start > info->threadstack_offset)
86058 + gap_end -= info->threadstack_offset;
86060 + gap_end = gap_start;
86062 + if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP)) {
86063 + if (gap_end - gap_start > sysctl_heap_stack_gap)
86064 + gap_start += sysctl_heap_stack_gap;
86066 + gap_start = gap_end;
86068 + if (vma->vm_flags & VM_GROWSDOWN) {
86069 + if (gap_end - gap_start > sysctl_heap_stack_gap)
86070 + gap_end -= sysctl_heap_stack_gap;
86072 + gap_end = gap_start;
86074 if (gap_start <= high_limit && gap_end - gap_start >= length)
86077 @@ -1852,6 +2111,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
86078 struct mm_struct *mm = current->mm;
86079 struct vm_area_struct *vma;
86080 struct vm_unmapped_area_info info;
86081 + unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
86083 if (len > TASK_SIZE)
86085 @@ -1859,29 +2119,45 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
86086 if (flags & MAP_FIXED)
86089 +#ifdef CONFIG_PAX_RANDMMAP
86090 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
86094 addr = PAGE_ALIGN(addr);
86095 vma = find_vma(mm, addr);
86096 - if (TASK_SIZE - len >= addr &&
86097 - (!vma || addr + len <= vma->vm_start))
86098 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
86104 info.low_limit = TASK_UNMAPPED_BASE;
86106 +#ifdef CONFIG_PAX_RANDMMAP
86107 + if (mm->pax_flags & MF_PAX_RANDMMAP)
86108 + info.low_limit += mm->delta_mmap;
86111 info.high_limit = TASK_SIZE;
86112 info.align_mask = 0;
86113 + info.threadstack_offset = offset;
86114 return vm_unmapped_area(&info);
86118 void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
86121 +#ifdef CONFIG_PAX_SEGMEXEC
86122 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
86127 * Is this a new hole at the lowest possible address?
86129 - if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache)
86130 + if (addr >= mm->mmap_base && addr < mm->free_area_cache)
86131 mm->free_area_cache = addr;
86134 @@ -1899,6 +2175,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
86135 struct mm_struct *mm = current->mm;
86136 unsigned long addr = addr0;
86137 struct vm_unmapped_area_info info;
86138 + unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
86140 /* requested length too big for entire address space */
86141 if (len > TASK_SIZE)
86142 @@ -1907,12 +2184,15 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
86143 if (flags & MAP_FIXED)
86146 +#ifdef CONFIG_PAX_RANDMMAP
86147 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
86150 /* requesting a specific address */
86152 addr = PAGE_ALIGN(addr);
86153 vma = find_vma(mm, addr);
86154 - if (TASK_SIZE - len >= addr &&
86155 - (!vma || addr + len <= vma->vm_start))
86156 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
86160 @@ -1921,6 +2201,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
86161 info.low_limit = PAGE_SIZE;
86162 info.high_limit = mm->mmap_base;
86163 info.align_mask = 0;
86164 + info.threadstack_offset = offset;
86165 addr = vm_unmapped_area(&info);
86168 @@ -1933,6 +2214,12 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
86169 VM_BUG_ON(addr != -ENOMEM);
86171 info.low_limit = TASK_UNMAPPED_BASE;
86173 +#ifdef CONFIG_PAX_RANDMMAP
86174 + if (mm->pax_flags & MF_PAX_RANDMMAP)
86175 + info.low_limit += mm->delta_mmap;
86178 info.high_limit = TASK_SIZE;
86179 addr = vm_unmapped_area(&info);
86181 @@ -1943,6 +2230,12 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
86183 void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
86186 +#ifdef CONFIG_PAX_SEGMEXEC
86187 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
86192 * Is this a new hole at the highest possible address?
86194 @@ -1950,8 +2243,10 @@ void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
86195 mm->free_area_cache = addr;
86197 /* dont allow allocations above current base */
86198 - if (mm->free_area_cache > mm->mmap_base)
86199 + if (mm->free_area_cache > mm->mmap_base) {
86200 mm->free_area_cache = mm->mmap_base;
86201 + mm->cached_hole_size = ~0UL;
86206 @@ -2047,6 +2342,28 @@ find_vma_prev(struct mm_struct *mm, unsigned long addr,
86210 +#ifdef CONFIG_PAX_SEGMEXEC
86211 +struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
86213 + struct vm_area_struct *vma_m;
86215 + BUG_ON(!vma || vma->vm_start >= vma->vm_end);
86216 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
86217 + BUG_ON(vma->vm_mirror);
86220 + BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end);
86221 + vma_m = vma->vm_mirror;
86222 + BUG_ON(!vma_m || vma_m->vm_mirror != vma);
86223 + BUG_ON(vma->vm_file != vma_m->vm_file);
86224 + BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
86225 + BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff);
86226 + BUG_ON(vma->anon_vma != vma_m->anon_vma && vma->anon_vma->root != vma_m->anon_vma->root);
86227 + BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED));
86233 * Verify that the stack growth is acceptable and
86234 * update accounting. This is shared with both the
86235 @@ -2063,6 +2380,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
86238 /* Stack limit test */
86239 + gr_learn_resource(current, RLIMIT_STACK, size, 1);
86240 if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
86243 @@ -2073,6 +2391,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
86244 locked = mm->locked_vm + grow;
86245 limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
86246 limit >>= PAGE_SHIFT;
86247 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
86248 if (locked > limit && !capable(CAP_IPC_LOCK))
86251 @@ -2102,37 +2421,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
86252 * PA-RISC uses this for its stack; IA64 for its Register Backing Store.
86253 * vma is the last one with address > vma->vm_end. Have to extend vma.
86255 +#ifndef CONFIG_IA64
86258 int expand_upwards(struct vm_area_struct *vma, unsigned long address)
86263 if (!(vma->vm_flags & VM_GROWSUP))
86266 + /* Also guard against wrapping around to address 0. */
86267 + if (address < PAGE_ALIGN(address+1))
86268 + address = PAGE_ALIGN(address+1);
86273 * We must make sure the anon_vma is allocated
86274 * so that the anon_vma locking is not a noop.
86276 if (unlikely(anon_vma_prepare(vma)))
86278 + locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
86279 + if (locknext && anon_vma_prepare(vma->vm_next))
86281 vma_lock_anon_vma(vma);
86283 + vma_lock_anon_vma(vma->vm_next);
86286 * vma->vm_start/vm_end cannot change under us because the caller
86287 * is required to hold the mmap_sem in read mode. We need the
86288 - * anon_vma lock to serialize against concurrent expand_stacks.
86289 - * Also guard against wrapping around to address 0.
86290 + * anon_vma locks to serialize against concurrent expand_stacks
86291 + * and expand_upwards.
86293 - if (address < PAGE_ALIGN(address+4))
86294 - address = PAGE_ALIGN(address+4);
86296 - vma_unlock_anon_vma(vma);
86301 /* Somebody else might have raced and expanded it already */
86302 - if (address > vma->vm_end) {
86303 + if (vma->vm_next && (vma->vm_next->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && vma->vm_next->vm_start - address < sysctl_heap_stack_gap)
86305 + else if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
86306 unsigned long size, grow;
86308 size = address - vma->vm_start;
86309 @@ -2167,6 +2497,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
86314 + vma_unlock_anon_vma(vma->vm_next);
86315 vma_unlock_anon_vma(vma);
86316 khugepaged_enter_vma_merge(vma);
86317 validate_mm(vma->vm_mm);
86318 @@ -2181,6 +2513,8 @@ int expand_downwards(struct vm_area_struct *vma,
86319 unsigned long address)
86322 + bool lockprev = false;
86323 + struct vm_area_struct *prev;
86326 * We must make sure the anon_vma is allocated
86327 @@ -2194,6 +2528,15 @@ int expand_downwards(struct vm_area_struct *vma,
86331 + prev = vma->vm_prev;
86332 +#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
86333 + lockprev = prev && (prev->vm_flags & VM_GROWSUP);
86335 + if (lockprev && anon_vma_prepare(prev))
86338 + vma_lock_anon_vma(prev);
86340 vma_lock_anon_vma(vma);
86343 @@ -2203,9 +2546,17 @@ int expand_downwards(struct vm_area_struct *vma,
86346 /* Somebody else might have raced and expanded it already */
86347 - if (address < vma->vm_start) {
86348 + if (prev && (prev->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && address - prev->vm_end < sysctl_heap_stack_gap)
86350 + else if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
86351 unsigned long size, grow;
86353 +#ifdef CONFIG_PAX_SEGMEXEC
86354 + struct vm_area_struct *vma_m;
86356 + vma_m = pax_find_mirror_vma(vma);
86359 size = vma->vm_end - address;
86360 grow = (vma->vm_start - address) >> PAGE_SHIFT;
86362 @@ -2230,13 +2581,27 @@ int expand_downwards(struct vm_area_struct *vma,
86363 vma->vm_pgoff -= grow;
86364 anon_vma_interval_tree_post_update_vma(vma);
86365 vma_gap_update(vma);
86367 +#ifdef CONFIG_PAX_SEGMEXEC
86369 + anon_vma_interval_tree_pre_update_vma(vma_m);
86370 + vma_m->vm_start -= grow << PAGE_SHIFT;
86371 + vma_m->vm_pgoff -= grow;
86372 + anon_vma_interval_tree_post_update_vma(vma_m);
86373 + vma_gap_update(vma_m);
86377 spin_unlock(&vma->vm_mm->page_table_lock);
86379 + track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
86380 perf_event_mmap(vma);
86384 vma_unlock_anon_vma(vma);
86386 + vma_unlock_anon_vma(prev);
86387 khugepaged_enter_vma_merge(vma);
86388 validate_mm(vma->vm_mm);
86390 @@ -2334,6 +2699,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
86392 long nrpages = vma_pages(vma);
86394 +#ifdef CONFIG_PAX_SEGMEXEC
86395 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
86396 + vma = remove_vma(vma);
86401 if (vma->vm_flags & VM_ACCOUNT)
86402 nr_accounted += nrpages;
86403 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
86404 @@ -2379,6 +2751,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
86405 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
86406 vma->vm_prev = NULL;
86409 +#ifdef CONFIG_PAX_SEGMEXEC
86410 + if (vma->vm_mirror) {
86411 + BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
86412 + vma->vm_mirror->vm_mirror = NULL;
86413 + vma->vm_mirror->vm_flags &= ~VM_EXEC;
86414 + vma->vm_mirror = NULL;
86418 vma_rb_erase(vma, &mm->mm_rb);
86421 @@ -2410,14 +2792,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
86422 struct vm_area_struct *new;
86425 +#ifdef CONFIG_PAX_SEGMEXEC
86426 + struct vm_area_struct *vma_m, *new_m = NULL;
86427 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
86430 if (is_vm_hugetlb_page(vma) && (addr &
86431 ~(huge_page_mask(hstate_vma(vma)))))
86434 +#ifdef CONFIG_PAX_SEGMEXEC
86435 + vma_m = pax_find_mirror_vma(vma);
86438 new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
86442 +#ifdef CONFIG_PAX_SEGMEXEC
86444 + new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
86446 + kmem_cache_free(vm_area_cachep, new);
86452 /* most fields are the same, copy all, and then fixup */
86455 @@ -2430,6 +2831,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
86456 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
86459 +#ifdef CONFIG_PAX_SEGMEXEC
86462 + INIT_LIST_HEAD(&new_m->anon_vma_chain);
86463 + new_m->vm_mirror = new;
86464 + new->vm_mirror = new_m;
86467 + new_m->vm_end = addr_m;
86469 + new_m->vm_start = addr_m;
86470 + new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
86475 pol = mpol_dup(vma_policy(vma));
86477 err = PTR_ERR(pol);
86478 @@ -2452,6 +2869,36 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
86480 err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
86482 +#ifdef CONFIG_PAX_SEGMEXEC
86483 + if (!err && vma_m) {
86484 + if (anon_vma_clone(new_m, vma_m))
86485 + goto out_free_mpol;
86488 + vma_set_policy(new_m, pol);
86490 + if (new_m->vm_file)
86491 + get_file(new_m->vm_file);
86493 + if (new_m->vm_ops && new_m->vm_ops->open)
86494 + new_m->vm_ops->open(new_m);
86497 + err = vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
86498 + ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
86500 + err = vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
86503 + if (new_m->vm_ops && new_m->vm_ops->close)
86504 + new_m->vm_ops->close(new_m);
86505 + if (new_m->vm_file)
86506 + fput(new_m->vm_file);
86515 @@ -2461,10 +2908,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
86516 new->vm_ops->close(new);
86518 fput(new->vm_file);
86519 - unlink_anon_vmas(new);
86524 +#ifdef CONFIG_PAX_SEGMEXEC
86526 + unlink_anon_vmas(new_m);
86527 + kmem_cache_free(vm_area_cachep, new_m);
86531 + unlink_anon_vmas(new);
86532 kmem_cache_free(vm_area_cachep, new);
86535 @@ -2477,6 +2932,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
86536 int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
86537 unsigned long addr, int new_below)
86540 +#ifdef CONFIG_PAX_SEGMEXEC
86541 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
86542 + BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
86543 + if (mm->map_count >= sysctl_max_map_count-1)
86548 if (mm->map_count >= sysctl_max_map_count)
86551 @@ -2488,11 +2952,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
86552 * work. This now handles partial unmappings.
86553 * Jeremy Fitzhardinge <jeremy@goop.org>
86555 +#ifdef CONFIG_PAX_SEGMEXEC
86556 int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
86558 + int ret = __do_munmap(mm, start, len);
86559 + if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
86562 + return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
86565 +int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
86567 +int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
86571 struct vm_area_struct *vma, *prev, *last;
86574 + * mm->mmap_sem is required to protect against another thread
86575 + * changing the mappings in case we sleep.
86577 + verify_mm_writelocked(mm);
86579 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
86582 @@ -2567,6 +3050,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
86583 /* Fix up all other VM information */
86584 remove_vma_list(mm, vma);
86586 + track_exec_limit(mm, start, end, 0UL);
86591 @@ -2575,6 +3060,13 @@ int vm_munmap(unsigned long start, size_t len)
86593 struct mm_struct *mm = current->mm;
86596 +#ifdef CONFIG_PAX_SEGMEXEC
86597 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
86598 + (len > SEGMEXEC_TASK_SIZE || start > SEGMEXEC_TASK_SIZE-len))
86602 down_write(&mm->mmap_sem);
86603 ret = do_munmap(mm, start, len);
86604 up_write(&mm->mmap_sem);
86605 @@ -2588,16 +3080,6 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len)
86606 return vm_munmap(addr, len);
86609 -static inline void verify_mm_writelocked(struct mm_struct *mm)
86611 -#ifdef CONFIG_DEBUG_VM
86612 - if (unlikely(down_read_trylock(&mm->mmap_sem))) {
86614 - up_read(&mm->mmap_sem);
86620 * this is really a simplified "do_mmap". it only handles
86621 * anonymous maps. eventually we may be able to do some
86622 @@ -2611,6 +3093,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
86623 struct rb_node ** rb_link, * rb_parent;
86624 pgoff_t pgoff = addr >> PAGE_SHIFT;
86626 + unsigned long charged;
86628 len = PAGE_ALIGN(len);
86630 @@ -2618,16 +3101,30 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
86632 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
86634 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
86635 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
86636 + flags &= ~VM_EXEC;
86638 +#ifdef CONFIG_PAX_MPROTECT
86639 + if (mm->pax_flags & MF_PAX_MPROTECT)
86640 + flags &= ~VM_MAYEXEC;
86646 error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
86647 if (error & ~PAGE_MASK)
86650 + charged = len >> PAGE_SHIFT;
86653 * mlock MCL_FUTURE?
86655 if (mm->def_flags & VM_LOCKED) {
86656 unsigned long locked, lock_limit;
86657 - locked = len >> PAGE_SHIFT;
86658 + locked = charged;
86659 locked += mm->locked_vm;
86660 lock_limit = rlimit(RLIMIT_MEMLOCK);
86661 lock_limit >>= PAGE_SHIFT;
86662 @@ -2644,21 +3141,20 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
86664 * Clear old maps. this also does some error checking for us
86667 if (find_vma_links(mm, addr, addr + len, &prev, &rb_link, &rb_parent)) {
86668 if (do_munmap(mm, addr, len))
86670 - goto munmap_back;
86671 + BUG_ON(find_vma_links(mm, addr, addr + len, &prev, &rb_link, &rb_parent));
86674 /* Check against address space limits *after* clearing old maps... */
86675 - if (!may_expand_vm(mm, len >> PAGE_SHIFT))
86676 + if (!may_expand_vm(mm, charged))
86679 if (mm->map_count > sysctl_max_map_count)
86682 - if (security_vm_enough_memory_mm(mm, len >> PAGE_SHIFT))
86683 + if (security_vm_enough_memory_mm(mm, charged))
86686 /* Can we just expand an old private anonymous mapping? */
86687 @@ -2672,7 +3168,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
86689 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
86691 - vm_unacct_memory(len >> PAGE_SHIFT);
86692 + vm_unacct_memory(charged);
86696 @@ -2686,9 +3182,10 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
86697 vma_link(mm, vma, prev, rb_link, rb_parent);
86699 perf_event_mmap(vma);
86700 - mm->total_vm += len >> PAGE_SHIFT;
86701 + mm->total_vm += charged;
86702 if (flags & VM_LOCKED)
86703 - mm->locked_vm += (len >> PAGE_SHIFT);
86704 + mm->locked_vm += charged;
86705 + track_exec_limit(mm, addr, addr + len, flags);
86709 @@ -2750,6 +3247,7 @@ void exit_mmap(struct mm_struct *mm)
86711 if (vma->vm_flags & VM_ACCOUNT)
86712 nr_accounted += vma_pages(vma);
86713 + vma->vm_mirror = NULL;
86714 vma = remove_vma(vma);
86716 vm_unacct_memory(nr_accounted);
86717 @@ -2766,6 +3264,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
86718 struct vm_area_struct *prev;
86719 struct rb_node **rb_link, *rb_parent;
86721 +#ifdef CONFIG_PAX_SEGMEXEC
86722 + struct vm_area_struct *vma_m = NULL;
86725 + if (security_mmap_addr(vma->vm_start))
86729 * The vm_pgoff of a purely anonymous vma should be irrelevant
86730 * until its first write fault, when page's anon_vma and index
86731 @@ -2789,7 +3294,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
86732 security_vm_enough_memory_mm(mm, vma_pages(vma)))
86735 +#ifdef CONFIG_PAX_SEGMEXEC
86736 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
86737 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
86743 vma_link(mm, vma, prev, rb_link, rb_parent);
86745 +#ifdef CONFIG_PAX_SEGMEXEC
86747 + BUG_ON(pax_mirror_vma(vma_m, vma));
86753 @@ -2809,6 +3328,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
86754 struct mempolicy *pol;
86755 bool faulted_in_anon_vma = true;
86757 + BUG_ON(vma->vm_mirror);
86760 * If anonymous vma has not yet been faulted, update new pgoff
86761 * to match new location, to increase its chance of merging.
86762 @@ -2875,6 +3396,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
86766 +#ifdef CONFIG_PAX_SEGMEXEC
86767 +long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
86769 + struct vm_area_struct *prev_m;
86770 + struct rb_node **rb_link_m, *rb_parent_m;
86771 + struct mempolicy *pol_m;
86773 + BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
86774 + BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
86775 + BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));
86777 + INIT_LIST_HEAD(&vma_m->anon_vma_chain);
86778 + if (anon_vma_clone(vma_m, vma))
86780 + pol_m = vma_policy(vma_m);
86782 + vma_set_policy(vma_m, pol_m);
86783 + vma_m->vm_start += SEGMEXEC_TASK_SIZE;
86784 + vma_m->vm_end += SEGMEXEC_TASK_SIZE;
86785 + vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
86786 + vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
86787 + if (vma_m->vm_file)
86788 + get_file(vma_m->vm_file);
86789 + if (vma_m->vm_ops && vma_m->vm_ops->open)
86790 + vma_m->vm_ops->open(vma_m);
86791 + BUG_ON(find_vma_links(vma->vm_mm, vma_m->vm_start, vma_m->vm_end, &prev_m, &rb_link_m, &rb_parent_m));
86792 + vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
86793 + vma_m->vm_mirror = vma;
86794 + vma->vm_mirror = vma_m;
86800 * Return true if the calling process may expand its vm space by the passed
86802 @@ -2886,6 +3440,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages)
86804 lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
86806 + gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
86807 if (cur + npages > lim)
86810 @@ -2956,6 +3511,22 @@ int install_special_mapping(struct mm_struct *mm,
86811 vma->vm_start = addr;
86812 vma->vm_end = addr + len;
86814 +#ifdef CONFIG_PAX_MPROTECT
86815 + if (mm->pax_flags & MF_PAX_MPROTECT) {
86816 +#ifndef CONFIG_PAX_MPROTECT_COMPAT
86817 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
86819 + if (!(vm_flags & VM_EXEC))
86820 + vm_flags &= ~VM_MAYEXEC;
86822 + if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
86823 + vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
86826 + vm_flags &= ~VM_MAYWRITE;
86830 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
86831 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
86833 diff --git a/mm/mprotect.c b/mm/mprotect.c
86834 index 94722a4..e661e29 100644
86835 --- a/mm/mprotect.c
86836 +++ b/mm/mprotect.c
86837 @@ -23,10 +23,18 @@
86838 #include <linux/mmu_notifier.h>
86839 #include <linux/migrate.h>
86840 #include <linux/perf_event.h>
86841 +#include <linux/sched/sysctl.h>
86843 +#ifdef CONFIG_PAX_MPROTECT
86844 +#include <linux/elf.h>
86845 +#include <linux/binfmts.h>
86848 #include <asm/uaccess.h>
86849 #include <asm/pgtable.h>
86850 #include <asm/cacheflush.h>
86851 #include <asm/tlbflush.h>
86852 +#include <asm/mmu_context.h>
86854 #ifndef pgprot_modify
86855 static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
86856 @@ -233,6 +241,48 @@ unsigned long change_protection(struct vm_area_struct *vma, unsigned long start,
86860 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
86861 +/* called while holding the mmap semaphor for writing except stack expansion */
86862 +void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
86864 + unsigned long oldlimit, newlimit = 0UL;
86866 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || (__supported_pte_mask & _PAGE_NX))
86869 + spin_lock(&mm->page_table_lock);
86870 + oldlimit = mm->context.user_cs_limit;
86871 + if ((prot & VM_EXEC) && oldlimit < end)
86872 + /* USER_CS limit moved up */
86874 + else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
86875 + /* USER_CS limit moved down */
86876 + newlimit = start;
86879 + mm->context.user_cs_limit = newlimit;
86883 + cpus_clear(mm->context.cpu_user_cs_mask);
86884 + cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
86887 + set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
86889 + spin_unlock(&mm->page_table_lock);
86890 + if (newlimit == end) {
86891 + struct vm_area_struct *vma = find_vma(mm, oldlimit);
86893 + for (; vma && vma->vm_start < end; vma = vma->vm_next)
86894 + if (is_vm_hugetlb_page(vma))
86895 + hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
86897 + change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma), 0);
86903 mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
86904 unsigned long start, unsigned long end, unsigned long newflags)
86905 @@ -245,11 +295,29 @@ mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
86907 int dirty_accountable = 0;
86909 +#ifdef CONFIG_PAX_SEGMEXEC
86910 + struct vm_area_struct *vma_m = NULL;
86911 + unsigned long start_m, end_m;
86913 + start_m = start + SEGMEXEC_TASK_SIZE;
86914 + end_m = end + SEGMEXEC_TASK_SIZE;
86917 if (newflags == oldflags) {
86922 + if (newflags & (VM_READ | VM_WRITE | VM_EXEC)) {
86923 + struct vm_area_struct *prev = vma->vm_prev, *next = vma->vm_next;
86925 + if (next && (next->vm_flags & VM_GROWSDOWN) && sysctl_heap_stack_gap > next->vm_start - end)
86928 + if (prev && (prev->vm_flags & VM_GROWSUP) && sysctl_heap_stack_gap > start - prev->vm_end)
86933 * If we make a private mapping writable we increase our commit;
86934 * but (without finer accounting) cannot reduce our commit if we
86935 @@ -266,6 +334,42 @@ mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
86939 +#ifdef CONFIG_PAX_SEGMEXEC
86940 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ((oldflags ^ newflags) & VM_EXEC)) {
86941 + if (start != vma->vm_start) {
86942 + error = split_vma(mm, vma, start, 1);
86945 + BUG_ON(!*pprev || (*pprev)->vm_next == vma);
86946 + *pprev = (*pprev)->vm_next;
86949 + if (end != vma->vm_end) {
86950 + error = split_vma(mm, vma, end, 0);
86955 + if (pax_find_mirror_vma(vma)) {
86956 + error = __do_munmap(mm, start_m, end_m - start_m);
86960 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
86965 + vma->vm_flags = newflags;
86966 + error = pax_mirror_vma(vma_m, vma);
86968 + vma->vm_flags = oldflags;
86976 * First try to merge with previous and/or next vma.
86978 @@ -296,9 +400,21 @@ success:
86979 * vm_flags and vm_page_prot are protected by the mmap_sem
86980 * held in write mode.
86983 +#ifdef CONFIG_PAX_SEGMEXEC
86984 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (newflags & VM_EXEC) && ((vma->vm_flags ^ newflags) & VM_READ))
86985 + pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;
86988 vma->vm_flags = newflags;
86990 +#ifdef CONFIG_PAX_MPROTECT
86991 + if (mm->binfmt && mm->binfmt->handle_mprotect)
86992 + mm->binfmt->handle_mprotect(vma, newflags);
86995 vma->vm_page_prot = pgprot_modify(vma->vm_page_prot,
86996 - vm_get_page_prot(newflags));
86997 + vm_get_page_prot(vma->vm_flags));
86999 if (vma_wants_writenotify(vma)) {
87000 vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
87001 @@ -337,6 +453,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
87006 +#ifdef CONFIG_PAX_SEGMEXEC
87007 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
87008 + if (end > SEGMEXEC_TASK_SIZE)
87013 + if (end > TASK_SIZE)
87016 if (!arch_validate_prot(prot))
87019 @@ -344,7 +471,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
87021 * Does the application expect PROT_READ to imply PROT_EXEC:
87023 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
87024 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
87027 vm_flags = calc_vm_prot_bits(prot);
87028 @@ -376,6 +503,11 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
87029 if (start > vma->vm_start)
87032 +#ifdef CONFIG_PAX_MPROTECT
87033 + if (current->mm->binfmt && current->mm->binfmt->handle_mprotect)
87034 + current->mm->binfmt->handle_mprotect(vma, vm_flags);
87037 for (nstart = start ; ; ) {
87038 unsigned long newflags;
87040 @@ -386,6 +518,14 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
87042 /* newflags >> 4 shift VM_MAY% in place of VM_% */
87043 if ((newflags & ~(newflags >> 4)) & (VM_READ | VM_WRITE | VM_EXEC)) {
87044 + if (prot & (PROT_WRITE | PROT_EXEC))
87045 + gr_log_rwxmprotect(vma);
87051 + if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
87055 @@ -400,6 +540,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
87056 error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
87060 + track_exec_limit(current->mm, nstart, tmp, vm_flags);
87064 if (nstart < prev->vm_end)
87065 diff --git a/mm/mremap.c b/mm/mremap.c
87066 index 463a257..c0c7a92 100644
87069 @@ -126,6 +126,12 @@ static void move_ptes(struct vm_area_struct *vma, pmd_t *old_pmd,
87071 pte = ptep_get_and_clear(mm, old_addr, old_pte);
87072 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
87074 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
87075 + if (!(__supported_pte_mask & _PAGE_NX) && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
87076 + pte = pte_exprotect(pte);
87079 set_pte_at(mm, new_addr, new_pte, pte);
87082 @@ -318,6 +324,11 @@ static struct vm_area_struct *vma_to_resize(unsigned long addr,
87083 if (is_vm_hugetlb_page(vma))
87086 +#ifdef CONFIG_PAX_SEGMEXEC
87087 + if (pax_find_mirror_vma(vma))
87091 /* We can't remap across vm area boundaries */
87092 if (old_len > vma->vm_end - addr)
87094 @@ -373,20 +384,25 @@ static unsigned long mremap_to(unsigned long addr, unsigned long old_len,
87095 unsigned long ret = -EINVAL;
87096 unsigned long charged = 0;
87097 unsigned long map_flags;
87098 + unsigned long pax_task_size = TASK_SIZE;
87100 if (new_addr & ~PAGE_MASK)
87103 - if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
87104 +#ifdef CONFIG_PAX_SEGMEXEC
87105 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
87106 + pax_task_size = SEGMEXEC_TASK_SIZE;
87109 + pax_task_size -= PAGE_SIZE;
87111 + if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)
87114 /* Check if the location we're moving into overlaps the
87115 * old location at all, and fail if it does.
87117 - if ((new_addr <= addr) && (new_addr+new_len) > addr)
87120 - if ((addr <= new_addr) && (addr+old_len) > new_addr)
87121 + if (addr + old_len > new_addr && new_addr + new_len > addr)
87124 ret = do_munmap(mm, new_addr, new_len);
87125 @@ -455,6 +471,7 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len,
87126 unsigned long ret = -EINVAL;
87127 unsigned long charged = 0;
87128 bool locked = false;
87129 + unsigned long pax_task_size = TASK_SIZE;
87131 down_write(¤t->mm->mmap_sem);
87133 @@ -475,6 +492,17 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len,
87137 +#ifdef CONFIG_PAX_SEGMEXEC
87138 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
87139 + pax_task_size = SEGMEXEC_TASK_SIZE;
87142 + pax_task_size -= PAGE_SIZE;
87144 + if (new_len > pax_task_size || addr > pax_task_size-new_len ||
87145 + old_len > pax_task_size || addr > pax_task_size-old_len)
87148 if (flags & MREMAP_FIXED) {
87149 if (flags & MREMAP_MAYMOVE)
87150 ret = mremap_to(addr, old_len, new_addr, new_len,
87151 @@ -524,6 +552,7 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len,
87155 + track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
87159 @@ -547,7 +576,12 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len,
87163 + map_flags = vma->vm_flags;
87164 ret = move_vma(vma, addr, old_len, new_len, new_addr, &locked);
87165 + if (!(ret & ~PAGE_MASK)) {
87166 + track_exec_limit(current->mm, addr, addr + old_len, 0UL);
87167 + track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
87171 if (ret & ~PAGE_MASK)
87172 diff --git a/mm/nommu.c b/mm/nommu.c
87173 index 298884d..5f74980 100644
87176 @@ -65,7 +65,6 @@ int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT;
87177 int sysctl_nr_trim_pages = CONFIG_NOMMU_INITIAL_TRIM_EXCESS;
87178 unsigned long sysctl_user_reserve_kbytes __read_mostly = 1UL << 17; /* 128MB */
87179 unsigned long sysctl_admin_reserve_kbytes __read_mostly = 1UL << 13; /* 8MB */
87180 -int heap_stack_gap = 0;
87182 atomic_long_t mmap_pages_allocated;
87184 @@ -842,15 +841,6 @@ struct vm_area_struct *find_vma(struct mm_struct *mm, unsigned long addr)
87185 EXPORT_SYMBOL(find_vma);
87189 - * - we don't extend stack VMAs under NOMMU conditions
87191 -struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
87193 - return find_vma(mm, addr);
87197 * expand a stack to a given address
87198 * - not supported under NOMMU conditions
87200 @@ -1561,6 +1551,7 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
87202 /* most fields are the same, copy all, and then fixup */
87204 + INIT_LIST_HEAD(&new->anon_vma_chain);
87205 *region = *vma->vm_region;
87206 new->vm_region = region;
87208 @@ -1995,8 +1986,8 @@ int generic_file_remap_pages(struct vm_area_struct *vma, unsigned long addr,
87210 EXPORT_SYMBOL(generic_file_remap_pages);
87212 -static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
87213 - unsigned long addr, void *buf, int len, int write)
87214 +static ssize_t __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
87215 + unsigned long addr, void *buf, size_t len, int write)
87217 struct vm_area_struct *vma;
87219 @@ -2037,8 +2028,8 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
87221 * The caller must hold a reference on @mm.
87223 -int access_remote_vm(struct mm_struct *mm, unsigned long addr,
87224 - void *buf, int len, int write)
87225 +ssize_t access_remote_vm(struct mm_struct *mm, unsigned long addr,
87226 + void *buf, size_t len, int write)
87228 return __access_remote_vm(NULL, mm, addr, buf, len, write);
87230 @@ -2047,7 +2038,7 @@ int access_remote_vm(struct mm_struct *mm, unsigned long addr,
87231 * Access another process' address space.
87232 * - source/target buffer must be kernel space
87234 -int access_process_vm(struct task_struct *tsk, unsigned long addr, void *buf, int len, int write)
87235 +ssize_t access_process_vm(struct task_struct *tsk, unsigned long addr, void *buf, size_t len, int write)
87237 struct mm_struct *mm;
87239 diff --git a/mm/page-writeback.c b/mm/page-writeback.c
87240 index 4514ad7..92eaa1c 100644
87241 --- a/mm/page-writeback.c
87242 +++ b/mm/page-writeback.c
87243 @@ -659,7 +659,7 @@ unsigned long bdi_dirty_limit(struct backing_dev_info *bdi, unsigned long dirty)
87244 * card's bdi_dirty may rush to many times higher than bdi_setpoint.
87245 * - the bdi dirty thresh drops quickly due to change of JBOD workload
87247 -static unsigned long bdi_position_ratio(struct backing_dev_info *bdi,
87248 +static unsigned long __intentional_overflow(-1) bdi_position_ratio(struct backing_dev_info *bdi,
87249 unsigned long thresh,
87250 unsigned long bg_thresh,
87251 unsigned long dirty,
87252 @@ -1634,7 +1634,7 @@ ratelimit_handler(struct notifier_block *self, unsigned long action,
87256 -static struct notifier_block __cpuinitdata ratelimit_nb = {
87257 +static struct notifier_block ratelimit_nb = {
87258 .notifier_call = ratelimit_handler,
87261 diff --git a/mm/page_alloc.c b/mm/page_alloc.c
87262 index 2ee0fd3..6e2edfb 100644
87263 --- a/mm/page_alloc.c
87264 +++ b/mm/page_alloc.c
87266 #include <linux/page-debug-flags.h>
87267 #include <linux/hugetlb.h>
87268 #include <linux/sched/rt.h>
87269 +#include <linux/random.h>
87271 #include <asm/tlbflush.h>
87272 #include <asm/div64.h>
87273 @@ -345,7 +346,7 @@ out:
87274 * This usage means that zero-order pages may not be compound.
87277 -static void free_compound_page(struct page *page)
87278 +void free_compound_page(struct page *page)
87280 __free_pages_ok(page, compound_order(page));
87282 @@ -702,6 +703,10 @@ static bool free_pages_prepare(struct page *page, unsigned int order)
87286 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
87287 + unsigned long index = 1UL << order;
87290 trace_mm_page_free(page, order);
87291 kmemcheck_free_shadow(page, order);
87293 @@ -717,6 +722,12 @@ static bool free_pages_prepare(struct page *page, unsigned int order)
87294 debug_check_no_obj_freed(page_address(page),
87295 PAGE_SIZE << order);
87298 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
87299 + for (; index; --index)
87300 + sanitize_highpage(page + index - 1);
87303 arch_free_page(page, order);
87304 kernel_map_pages(page, 1 << order, 0);
87306 @@ -739,6 +750,19 @@ static void __free_pages_ok(struct page *page, unsigned int order)
87307 local_irq_restore(flags);
87310 +#ifdef CONFIG_PAX_LATENT_ENTROPY
87311 +bool __meminitdata extra_latent_entropy;
87313 +static int __init setup_pax_extra_latent_entropy(char *str)
87315 + extra_latent_entropy = true;
87318 +early_param("pax_extra_latent_entropy", setup_pax_extra_latent_entropy);
87320 +volatile u64 latent_entropy;
87324 * Read access to zone->managed_pages is safe because it's unsigned long,
87325 * but we still need to serialize writers. Currently all callers of
87326 @@ -761,6 +785,19 @@ void __meminit __free_pages_bootmem(struct page *page, unsigned int order)
87327 set_page_count(p, 0);
87330 +#ifdef CONFIG_PAX_LATENT_ENTROPY
87331 + if (extra_latent_entropy && !PageHighMem(page) && page_to_pfn(page) < 0x100000) {
87333 + size_t index, end = PAGE_SIZE * nr_pages / sizeof hash;
87334 + const u64 *data = lowmem_page_address(page);
87336 + for (index = 0; index < end; index++)
87337 + hash ^= hash + data[index];
87338 + latent_entropy ^= hash;
87339 + add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy));
87343 page_zone(page)->managed_pages += 1 << order;
87344 set_page_refcounted(page);
87345 __free_pages(page, order);
87346 @@ -870,8 +907,10 @@ static int prep_new_page(struct page *page, int order, gfp_t gfp_flags)
87347 arch_alloc_page(page, order);
87348 kernel_map_pages(page, 1 << order, 1);
87350 +#ifndef CONFIG_PAX_MEMORY_SANITIZE
87351 if (gfp_flags & __GFP_ZERO)
87352 prep_zero_page(page, order, gfp_flags);
87355 if (order && (gfp_flags & __GFP_COMP))
87356 prep_compound_page(page, order);
87357 diff --git a/mm/page_io.c b/mm/page_io.c
87358 index a8a3ef4..7260a60 100644
87361 @@ -214,7 +214,7 @@ int __swap_writepage(struct page *page, struct writeback_control *wbc,
87362 struct file *swap_file = sis->swap_file;
87363 struct address_space *mapping = swap_file->f_mapping;
87364 struct iovec iov = {
87365 - .iov_base = kmap(page),
87366 + .iov_base = (void __force_user *)kmap(page),
87367 .iov_len = PAGE_SIZE,
87370 diff --git a/mm/percpu.c b/mm/percpu.c
87371 index 8c8e08f..73a5cda 100644
87374 @@ -122,7 +122,7 @@ static unsigned int pcpu_low_unit_cpu __read_mostly;
87375 static unsigned int pcpu_high_unit_cpu __read_mostly;
87377 /* the address of the first chunk which starts with the kernel static area */
87378 -void *pcpu_base_addr __read_mostly;
87379 +void *pcpu_base_addr __read_only;
87380 EXPORT_SYMBOL_GPL(pcpu_base_addr);
87382 static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
87383 diff --git a/mm/process_vm_access.c b/mm/process_vm_access.c
87384 index fd26d04..0cea1b0 100644
87385 --- a/mm/process_vm_access.c
87386 +++ b/mm/process_vm_access.c
87388 #include <linux/uio.h>
87389 #include <linux/sched.h>
87390 #include <linux/highmem.h>
87391 +#include <linux/security.h>
87392 #include <linux/ptrace.h>
87393 #include <linux/slab.h>
87394 #include <linux/syscalls.h>
87395 @@ -258,19 +259,19 @@ static ssize_t process_vm_rw_core(pid_t pid, const struct iovec *lvec,
87396 size_t iov_l_curr_offset = 0;
87399 + return -ENOSYS; // PaX: until properly audited
87402 * Work out how many pages of struct pages we're going to need
87403 * when eventually calling get_user_pages
87405 for (i = 0; i < riovcnt; i++) {
87406 iov_len = rvec[i].iov_len;
87407 - if (iov_len > 0) {
87408 - nr_pages_iov = ((unsigned long)rvec[i].iov_base
87410 - / PAGE_SIZE - (unsigned long)rvec[i].iov_base
87412 - nr_pages = max(nr_pages, nr_pages_iov);
87414 + if (iov_len <= 0)
87416 + nr_pages_iov = ((unsigned long)rvec[i].iov_base + iov_len) / PAGE_SIZE -
87417 + (unsigned long)rvec[i].iov_base / PAGE_SIZE + 1;
87418 + nr_pages = max(nr_pages, nr_pages_iov);
87422 @@ -298,6 +299,11 @@ static ssize_t process_vm_rw_core(pid_t pid, const struct iovec *lvec,
87423 goto free_proc_pages;
87426 + if (gr_handle_ptrace(task, vm_write ? PTRACE_POKETEXT : PTRACE_ATTACH)) {
87428 + goto put_task_struct;
87431 mm = mm_access(task, PTRACE_MODE_ATTACH);
87432 if (!mm || IS_ERR(mm)) {
87433 rc = IS_ERR(mm) ? PTR_ERR(mm) : -ESRCH;
87434 diff --git a/mm/rmap.c b/mm/rmap.c
87435 index 6280da8..b5c090e 100644
87438 @@ -163,6 +163,10 @@ int anon_vma_prepare(struct vm_area_struct *vma)
87439 struct anon_vma *anon_vma = vma->anon_vma;
87440 struct anon_vma_chain *avc;
87442 +#ifdef CONFIG_PAX_SEGMEXEC
87443 + struct anon_vma_chain *avc_m = NULL;
87447 if (unlikely(!anon_vma)) {
87448 struct mm_struct *mm = vma->vm_mm;
87449 @@ -172,6 +176,12 @@ int anon_vma_prepare(struct vm_area_struct *vma)
87453 +#ifdef CONFIG_PAX_SEGMEXEC
87454 + avc_m = anon_vma_chain_alloc(GFP_KERNEL);
87456 + goto out_enomem_free_avc;
87459 anon_vma = find_mergeable_anon_vma(vma);
87462 @@ -185,6 +195,18 @@ int anon_vma_prepare(struct vm_area_struct *vma)
87463 /* page_table_lock to protect against threads */
87464 spin_lock(&mm->page_table_lock);
87465 if (likely(!vma->anon_vma)) {
87467 +#ifdef CONFIG_PAX_SEGMEXEC
87468 + struct vm_area_struct *vma_m = pax_find_mirror_vma(vma);
87471 + BUG_ON(vma_m->anon_vma);
87472 + vma_m->anon_vma = anon_vma;
87473 + anon_vma_chain_link(vma_m, avc_m, anon_vma);
87478 vma->anon_vma = anon_vma;
87479 anon_vma_chain_link(vma, avc, anon_vma);
87481 @@ -195,12 +217,24 @@ int anon_vma_prepare(struct vm_area_struct *vma)
87483 if (unlikely(allocated))
87484 put_anon_vma(allocated);
87486 +#ifdef CONFIG_PAX_SEGMEXEC
87487 + if (unlikely(avc_m))
87488 + anon_vma_chain_free(avc_m);
87492 anon_vma_chain_free(avc);
87496 out_enomem_free_avc:
87498 +#ifdef CONFIG_PAX_SEGMEXEC
87500 + anon_vma_chain_free(avc_m);
87503 anon_vma_chain_free(avc);
87506 @@ -236,7 +270,7 @@ static inline void unlock_anon_vma_root(struct anon_vma *root)
87507 * Attach the anon_vmas from src to dst.
87508 * Returns 0 on success, -ENOMEM on failure.
87510 -int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
87511 +int anon_vma_clone(struct vm_area_struct *dst, const struct vm_area_struct *src)
87513 struct anon_vma_chain *avc, *pavc;
87514 struct anon_vma *root = NULL;
87515 @@ -269,7 +303,7 @@ int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
87516 * the corresponding VMA in the parent process is attached to.
87517 * Returns 0 on success, non-zero on failure.
87519 -int anon_vma_fork(struct vm_area_struct *vma, struct vm_area_struct *pvma)
87520 +int anon_vma_fork(struct vm_area_struct *vma, const struct vm_area_struct *pvma)
87522 struct anon_vma_chain *avc;
87523 struct anon_vma *anon_vma;
87524 @@ -373,8 +407,10 @@ static void anon_vma_ctor(void *data)
87525 void __init anon_vma_init(void)
87527 anon_vma_cachep = kmem_cache_create("anon_vma", sizeof(struct anon_vma),
87528 - 0, SLAB_DESTROY_BY_RCU|SLAB_PANIC, anon_vma_ctor);
87529 - anon_vma_chain_cachep = KMEM_CACHE(anon_vma_chain, SLAB_PANIC);
87530 + 0, SLAB_DESTROY_BY_RCU|SLAB_PANIC|SLAB_NO_SANITIZE,
87532 + anon_vma_chain_cachep = KMEM_CACHE(anon_vma_chain,
87533 + SLAB_PANIC|SLAB_NO_SANITIZE);
87537 diff --git a/mm/shmem.c b/mm/shmem.c
87538 index 5e6a842..b41916e 100644
87542 #include <linux/swap.h>
87543 #include <linux/aio.h>
87545 -static struct vfsmount *shm_mnt;
87546 +struct vfsmount *shm_mnt;
87548 #ifdef CONFIG_SHMEM
87550 @@ -77,7 +77,7 @@ static struct vfsmount *shm_mnt;
87551 #define BOGO_DIRENT_SIZE 20
87553 /* Symlink up to this size is kmalloc'ed instead of using a swappable page */
87554 -#define SHORT_SYMLINK_LEN 128
87555 +#define SHORT_SYMLINK_LEN 64
87558 * shmem_fallocate and shmem_writepage communicate via inode->i_private
87559 @@ -2203,6 +2203,11 @@ static const struct xattr_handler *shmem_xattr_handlers[] = {
87560 static int shmem_xattr_validate(const char *name)
87562 struct { const char *prefix; size_t len; } arr[] = {
87564 +#ifdef CONFIG_PAX_XATTR_PAX_FLAGS
87565 + { XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN},
87568 { XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN },
87569 { XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN }
87571 @@ -2258,6 +2263,15 @@ static int shmem_setxattr(struct dentry *dentry, const char *name,
87575 +#ifdef CONFIG_PAX_XATTR_PAX_FLAGS
87576 + if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) {
87577 + if (strcmp(name, XATTR_NAME_PAX_FLAGS))
87578 + return -EOPNOTSUPP;
87584 return simple_xattr_set(&info->xattrs, name, value, size, flags);
87587 @@ -2570,8 +2584,7 @@ int shmem_fill_super(struct super_block *sb, void *data, int silent)
87590 /* Round up to L1_CACHE_BYTES to resist false sharing */
87591 - sbinfo = kzalloc(max((int)sizeof(struct shmem_sb_info),
87592 - L1_CACHE_BYTES), GFP_KERNEL);
87593 + sbinfo = kzalloc(max(sizeof(struct shmem_sb_info), L1_CACHE_BYTES), GFP_KERNEL);
87597 diff --git a/mm/slab.c b/mm/slab.c
87598 index bd88411..2d46fd6 100644
87601 @@ -366,10 +366,12 @@ static void kmem_cache_node_init(struct kmem_cache_node *parent)
87602 if ((x)->max_freeable < i) \
87603 (x)->max_freeable = i; \
87605 -#define STATS_INC_ALLOCHIT(x) atomic_inc(&(x)->allochit)
87606 -#define STATS_INC_ALLOCMISS(x) atomic_inc(&(x)->allocmiss)
87607 -#define STATS_INC_FREEHIT(x) atomic_inc(&(x)->freehit)
87608 -#define STATS_INC_FREEMISS(x) atomic_inc(&(x)->freemiss)
87609 +#define STATS_INC_ALLOCHIT(x) atomic_inc_unchecked(&(x)->allochit)
87610 +#define STATS_INC_ALLOCMISS(x) atomic_inc_unchecked(&(x)->allocmiss)
87611 +#define STATS_INC_FREEHIT(x) atomic_inc_unchecked(&(x)->freehit)
87612 +#define STATS_INC_FREEMISS(x) atomic_inc_unchecked(&(x)->freemiss)
87613 +#define STATS_INC_SANITIZED(x) atomic_inc_unchecked(&(x)->sanitized)
87614 +#define STATS_INC_NOT_SANITIZED(x) atomic_inc_unchecked(&(x)->not_sanitized)
87616 #define STATS_INC_ACTIVE(x) do { } while (0)
87617 #define STATS_DEC_ACTIVE(x) do { } while (0)
87618 @@ -386,6 +388,8 @@ static void kmem_cache_node_init(struct kmem_cache_node *parent)
87619 #define STATS_INC_ALLOCMISS(x) do { } while (0)
87620 #define STATS_INC_FREEHIT(x) do { } while (0)
87621 #define STATS_INC_FREEMISS(x) do { } while (0)
87622 +#define STATS_INC_SANITIZED(x) do { } while (0)
87623 +#define STATS_INC_NOT_SANITIZED(x) do { } while (0)
87627 @@ -477,7 +481,7 @@ static inline void *index_to_obj(struct kmem_cache *cache, struct slab *slab,
87628 * reciprocal_divide(offset, cache->reciprocal_buffer_size)
87630 static inline unsigned int obj_to_index(const struct kmem_cache *cache,
87631 - const struct slab *slab, void *obj)
87632 + const struct slab *slab, const void *obj)
87634 u32 offset = (obj - slab->s_mem);
87635 return reciprocal_divide(offset, cache->reciprocal_buffer_size);
87636 @@ -1384,7 +1388,7 @@ static int __cpuinit cpuup_callback(struct notifier_block *nfb,
87637 return notifier_from_errno(err);
87640 -static struct notifier_block __cpuinitdata cpucache_notifier = {
87641 +static struct notifier_block cpucache_notifier = {
87642 &cpuup_callback, NULL, 0
87645 @@ -1565,12 +1569,12 @@ void __init kmem_cache_init(void)
87648 kmalloc_caches[INDEX_AC] = create_kmalloc_cache("kmalloc-ac",
87649 - kmalloc_size(INDEX_AC), ARCH_KMALLOC_FLAGS);
87650 + kmalloc_size(INDEX_AC), SLAB_USERCOPY | ARCH_KMALLOC_FLAGS);
87652 if (INDEX_AC != INDEX_NODE)
87653 kmalloc_caches[INDEX_NODE] =
87654 create_kmalloc_cache("kmalloc-node",
87655 - kmalloc_size(INDEX_NODE), ARCH_KMALLOC_FLAGS);
87656 + kmalloc_size(INDEX_NODE), SLAB_USERCOPY | ARCH_KMALLOC_FLAGS);
87658 slab_early_init = 0;
87660 @@ -3583,6 +3587,21 @@ static inline void __cache_free(struct kmem_cache *cachep, void *objp,
87661 struct array_cache *ac = cpu_cache_get(cachep);
87665 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
87666 + if (pax_sanitize_slab) {
87667 + if (!(cachep->flags & (SLAB_POISON | SLAB_NO_SANITIZE))) {
87668 + memset(objp, PAX_MEMORY_SANITIZE_VALUE, cachep->object_size);
87670 + if (cachep->ctor)
87671 + cachep->ctor(objp);
87673 + STATS_INC_SANITIZED(cachep);
87675 + STATS_INC_NOT_SANITIZED(cachep);
87679 kmemleak_free_recursive(objp, cachep->flags);
87680 objp = cache_free_debugcheck(cachep, objp, caller);
87682 @@ -3800,6 +3819,7 @@ void kfree(const void *objp)
87684 if (unlikely(ZERO_OR_NULL_PTR(objp)))
87686 + VM_BUG_ON(!virt_addr_valid(objp));
87687 local_irq_save(flags);
87688 kfree_debugcheck(objp);
87689 c = virt_to_cache(objp);
87690 @@ -4241,14 +4261,22 @@ void slabinfo_show_stats(struct seq_file *m, struct kmem_cache *cachep)
87694 - unsigned long allochit = atomic_read(&cachep->allochit);
87695 - unsigned long allocmiss = atomic_read(&cachep->allocmiss);
87696 - unsigned long freehit = atomic_read(&cachep->freehit);
87697 - unsigned long freemiss = atomic_read(&cachep->freemiss);
87698 + unsigned long allochit = atomic_read_unchecked(&cachep->allochit);
87699 + unsigned long allocmiss = atomic_read_unchecked(&cachep->allocmiss);
87700 + unsigned long freehit = atomic_read_unchecked(&cachep->freehit);
87701 + unsigned long freemiss = atomic_read_unchecked(&cachep->freemiss);
87703 seq_printf(m, " : cpustat %6lu %6lu %6lu %6lu",
87704 allochit, allocmiss, freehit, freemiss);
87706 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
87708 + unsigned long sanitized = atomic_read_unchecked(&cachep->sanitized);
87709 + unsigned long not_sanitized = atomic_read_unchecked(&cachep->not_sanitized);
87711 + seq_printf(m, " : pax %6lu %6lu", sanitized, not_sanitized);
87717 @@ -4476,13 +4504,71 @@ static const struct file_operations proc_slabstats_operations = {
87718 static int __init slab_proc_init(void)
87720 #ifdef CONFIG_DEBUG_SLAB_LEAK
87721 - proc_create("slab_allocators", 0, NULL, &proc_slabstats_operations);
87722 + proc_create("slab_allocators", S_IRUSR, NULL, &proc_slabstats_operations);
87726 module_init(slab_proc_init);
87729 +bool is_usercopy_object(const void *ptr)
87731 + struct page *page;
87732 + struct kmem_cache *cachep;
87734 + if (ZERO_OR_NULL_PTR(ptr))
87737 + if (!slab_is_available())
87740 + if (!virt_addr_valid(ptr))
87743 + page = virt_to_head_page(ptr);
87745 + if (!PageSlab(page))
87748 + cachep = page->slab_cache;
87749 + return cachep->flags & SLAB_USERCOPY;
87752 +#ifdef CONFIG_PAX_USERCOPY
87753 +const char *check_heap_object(const void *ptr, unsigned long n)
87755 + struct page *page;
87756 + struct kmem_cache *cachep;
87757 + struct slab *slabp;
87758 + unsigned int objnr;
87759 + unsigned long offset;
87761 + if (ZERO_OR_NULL_PTR(ptr))
87764 + if (!virt_addr_valid(ptr))
87767 + page = virt_to_head_page(ptr);
87769 + if (!PageSlab(page))
87772 + cachep = page->slab_cache;
87773 + if (!(cachep->flags & SLAB_USERCOPY))
87774 + return cachep->name;
87776 + slabp = page->slab_page;
87777 + objnr = obj_to_index(cachep, slabp, ptr);
87778 + BUG_ON(objnr >= cachep->num);
87779 + offset = ptr - index_to_obj(cachep, slabp, objnr) - obj_offset(cachep);
87780 + if (offset <= cachep->object_size && n <= cachep->object_size - offset)
87783 + return cachep->name;
87788 * ksize - get the actual amount of memory allocated for a given object
87789 * @objp: Pointer to the object
87790 diff --git a/mm/slab.h b/mm/slab.h
87791 index f96b49e..db1d204 100644
87794 @@ -32,6 +32,15 @@ extern struct list_head slab_caches;
87795 /* The slab cache that manages slab cache information */
87796 extern struct kmem_cache *kmem_cache;
87798 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
87799 +#ifdef CONFIG_X86_64
87800 +#define PAX_MEMORY_SANITIZE_VALUE '\xfe'
87802 +#define PAX_MEMORY_SANITIZE_VALUE '\xff'
87804 +extern bool pax_sanitize_slab;
87807 unsigned long calculate_alignment(unsigned long flags,
87808 unsigned long align, unsigned long size);
87810 @@ -67,7 +76,8 @@ __kmem_cache_alias(struct mem_cgroup *memcg, const char *name, size_t size,
87812 /* Legal flag mask for kmem_cache_create(), for various configurations */
87813 #define SLAB_CORE_FLAGS (SLAB_HWCACHE_ALIGN | SLAB_CACHE_DMA | SLAB_PANIC | \
87814 - SLAB_DESTROY_BY_RCU | SLAB_DEBUG_OBJECTS )
87815 + SLAB_DESTROY_BY_RCU | SLAB_DEBUG_OBJECTS | \
87816 + SLAB_USERCOPY | SLAB_NO_SANITIZE)
87818 #if defined(CONFIG_DEBUG_SLAB)
87819 #define SLAB_DEBUG_FLAGS (SLAB_RED_ZONE | SLAB_POISON | SLAB_STORE_USER)
87820 @@ -229,6 +239,9 @@ static inline struct kmem_cache *cache_from_obj(struct kmem_cache *s, void *x)
87823 page = virt_to_head_page(x);
87825 + BUG_ON(!PageSlab(page));
87827 cachep = page->slab_cache;
87828 if (slab_equal_or_root(cachep, s))
87830 diff --git a/mm/slab_common.c b/mm/slab_common.c
87831 index 2d41450..4efe6ee 100644
87832 --- a/mm/slab_common.c
87833 +++ b/mm/slab_common.c
87834 @@ -22,11 +22,22 @@
87838 -enum slab_state slab_state;
87839 +enum slab_state slab_state __read_only;
87840 LIST_HEAD(slab_caches);
87841 DEFINE_MUTEX(slab_mutex);
87842 struct kmem_cache *kmem_cache;
87844 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
87845 +bool pax_sanitize_slab __read_only = true;
87846 +static int __init pax_sanitize_slab_setup(char *str)
87848 + pax_sanitize_slab = !!simple_strtol(str, NULL, 0);
87849 + printk("%sabled PaX slab sanitization\n", pax_sanitize_slab ? "En" : "Dis");
87852 +__setup("pax_sanitize_slab=", pax_sanitize_slab_setup);
87855 #ifdef CONFIG_DEBUG_VM
87856 static int kmem_cache_sanity_check(struct mem_cgroup *memcg, const char *name,
87858 @@ -209,7 +220,7 @@ kmem_cache_create_memcg(struct mem_cgroup *memcg, const char *name, size_t size,
87860 err = __kmem_cache_create(s, flags);
87863 + atomic_set(&s->refcount, 1);
87864 list_add(&s->list, &slab_caches);
87865 memcg_cache_list_add(memcg, s);
87867 @@ -255,8 +266,7 @@ void kmem_cache_destroy(struct kmem_cache *s)
87870 mutex_lock(&slab_mutex);
87872 - if (!s->refcount) {
87873 + if (atomic_dec_and_test(&s->refcount)) {
87874 list_del(&s->list);
87876 if (!__kmem_cache_shutdown(s)) {
87877 @@ -302,7 +312,7 @@ void __init create_boot_cache(struct kmem_cache *s, const char *name, size_t siz
87878 panic("Creation of kmalloc slab %s size=%zu failed. Reason %d\n",
87881 - s->refcount = -1; /* Exempt from merging for now */
87882 + atomic_set(&s->refcount, -1); /* Exempt from merging for now */
87885 struct kmem_cache *__init create_kmalloc_cache(const char *name, size_t size,
87886 @@ -315,7 +325,7 @@ struct kmem_cache *__init create_kmalloc_cache(const char *name, size_t size,
87888 create_boot_cache(s, name, size, flags);
87889 list_add(&s->list, &slab_caches);
87891 + atomic_set(&s->refcount, 1);
87895 @@ -327,6 +337,11 @@ struct kmem_cache *kmalloc_dma_caches[KMALLOC_SHIFT_HIGH + 1];
87896 EXPORT_SYMBOL(kmalloc_dma_caches);
87899 +#ifdef CONFIG_PAX_USERCOPY_SLABS
87900 +struct kmem_cache *kmalloc_usercopy_caches[KMALLOC_SHIFT_HIGH + 1];
87901 +EXPORT_SYMBOL(kmalloc_usercopy_caches);
87905 * Conversion table for small slabs sizes / 8 to the index in the
87906 * kmalloc array. This is necessary for slabs < 192 since we have non power
87907 @@ -391,6 +406,13 @@ struct kmem_cache *kmalloc_slab(size_t size, gfp_t flags)
87908 return kmalloc_dma_caches[index];
87912 +#ifdef CONFIG_PAX_USERCOPY_SLABS
87913 + if (unlikely((flags & GFP_USERCOPY)))
87914 + return kmalloc_usercopy_caches[index];
87918 return kmalloc_caches[index];
87921 @@ -447,7 +469,7 @@ void __init create_kmalloc_caches(unsigned long flags)
87922 for (i = KMALLOC_SHIFT_LOW; i <= KMALLOC_SHIFT_HIGH; i++) {
87923 if (!kmalloc_caches[i]) {
87924 kmalloc_caches[i] = create_kmalloc_cache(NULL,
87926 + 1 << i, SLAB_USERCOPY | flags);
87930 @@ -456,10 +478,10 @@ void __init create_kmalloc_caches(unsigned long flags)
87931 * earlier power of two caches
87933 if (KMALLOC_MIN_SIZE <= 32 && !kmalloc_caches[1] && i == 6)
87934 - kmalloc_caches[1] = create_kmalloc_cache(NULL, 96, flags);
87935 + kmalloc_caches[1] = create_kmalloc_cache(NULL, 96, SLAB_USERCOPY | flags);
87937 if (KMALLOC_MIN_SIZE <= 64 && !kmalloc_caches[2] && i == 7)
87938 - kmalloc_caches[2] = create_kmalloc_cache(NULL, 192, flags);
87939 + kmalloc_caches[2] = create_kmalloc_cache(NULL, 192, SLAB_USERCOPY | flags);
87942 /* Kmalloc array is now usable */
87943 @@ -492,6 +514,23 @@ void __init create_kmalloc_caches(unsigned long flags)
87948 +#ifdef CONFIG_PAX_USERCOPY_SLABS
87949 + for (i = 0; i <= KMALLOC_SHIFT_HIGH; i++) {
87950 + struct kmem_cache *s = kmalloc_caches[i];
87953 + int size = kmalloc_size(i);
87954 + char *n = kasprintf(GFP_NOWAIT,
87955 + "usercopy-kmalloc-%d", size);
87958 + kmalloc_usercopy_caches[i] = create_kmalloc_cache(n,
87959 + size, SLAB_USERCOPY | flags);
87965 #endif /* !CONFIG_SLOB */
87967 @@ -516,6 +555,9 @@ void print_slabinfo_header(struct seq_file *m)
87968 seq_puts(m, " : globalstat <listallocs> <maxobjs> <grown> <reaped> "
87969 "<error> <maxfreeable> <nodeallocs> <remotefrees> <alienoverflow>");
87970 seq_puts(m, " : cpustat <allochit> <allocmiss> <freehit> <freemiss>");
87971 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
87972 + seq_puts(m, " : pax <sanitized> <not_sanitized>");
87977 diff --git a/mm/slob.c b/mm/slob.c
87978 index eeed4a0..bb0e9ab 100644
87981 @@ -157,7 +157,7 @@ static void set_slob(slob_t *s, slobidx_t size, slob_t *next)
87983 * Return the size of a slob block.
87985 -static slobidx_t slob_units(slob_t *s)
87986 +static slobidx_t slob_units(const slob_t *s)
87990 @@ -167,7 +167,7 @@ static slobidx_t slob_units(slob_t *s)
87992 * Return the next free slob block pointer after this one.
87994 -static slob_t *slob_next(slob_t *s)
87995 +static slob_t *slob_next(const slob_t *s)
87997 slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
87999 @@ -182,14 +182,14 @@ static slob_t *slob_next(slob_t *s)
88001 * Returns true if s is the last free block in its page.
88003 -static int slob_last(slob_t *s)
88004 +static int slob_last(const slob_t *s)
88006 return !((unsigned long)slob_next(s) & ~PAGE_MASK);
88009 -static void *slob_new_pages(gfp_t gfp, int order, int node)
88010 +static struct page *slob_new_pages(gfp_t gfp, unsigned int order, int node)
88013 + struct page *page;
88016 if (node != NUMA_NO_NODE)
88017 @@ -201,14 +201,18 @@ static void *slob_new_pages(gfp_t gfp, int order, int node)
88021 - return page_address(page);
88022 + __SetPageSlab(page);
88026 -static void slob_free_pages(void *b, int order)
88027 +static void slob_free_pages(struct page *sp, int order)
88029 if (current->reclaim_state)
88030 current->reclaim_state->reclaimed_slab += 1 << order;
88031 - free_pages((unsigned long)b, order);
88032 + __ClearPageSlab(sp);
88033 + page_mapcount_reset(sp);
88035 + __free_pages(sp, order);
88039 @@ -313,15 +317,15 @@ static void *slob_alloc(size_t size, gfp_t gfp, int align, int node)
88041 /* Not enough space: must allocate a new page */
88043 - b = slob_new_pages(gfp & ~__GFP_ZERO, 0, node);
88045 + sp = slob_new_pages(gfp & ~__GFP_ZERO, 0, node);
88048 - sp = virt_to_page(b);
88049 - __SetPageSlab(sp);
88050 + b = page_address(sp);
88052 spin_lock_irqsave(&slob_lock, flags);
88053 sp->units = SLOB_UNITS(PAGE_SIZE);
88056 INIT_LIST_HEAD(&sp->list);
88057 set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
88058 set_slob_page_free(sp, slob_list);
88059 @@ -359,12 +363,15 @@ static void slob_free(void *block, int size)
88060 if (slob_page_free(sp))
88061 clear_slob_page_free(sp);
88062 spin_unlock_irqrestore(&slob_lock, flags);
88063 - __ClearPageSlab(sp);
88064 - page_mapcount_reset(sp);
88065 - slob_free_pages(b, 0);
88066 + slob_free_pages(sp, 0);
88070 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
88071 + if (pax_sanitize_slab)
88072 + memset(block, PAX_MEMORY_SANITIZE_VALUE, size);
88075 if (!slob_page_free(sp)) {
88076 /* This slob page is about to become partially free. Easy! */
88078 @@ -424,11 +431,10 @@ out:
88081 static __always_inline void *
88082 -__do_kmalloc_node(size_t size, gfp_t gfp, int node, unsigned long caller)
88083 +__do_kmalloc_node_align(size_t size, gfp_t gfp, int node, unsigned long caller, int align)
88086 - int align = max_t(size_t, ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
88089 + void *ret = NULL;
88091 gfp &= gfp_allowed_mask;
88093 @@ -442,23 +448,41 @@ __do_kmalloc_node(size_t size, gfp_t gfp, int node, unsigned long caller)
88098 + BUILD_BUG_ON(ARCH_KMALLOC_MINALIGN < 2 * SLOB_UNIT);
88099 + BUILD_BUG_ON(ARCH_SLAB_MINALIGN < 2 * SLOB_UNIT);
88100 + m[0].units = size;
88101 + m[1].units = align;
88102 ret = (void *)m + align;
88104 trace_kmalloc_node(caller, ret,
88105 size, size + align, gfp, node);
88107 unsigned int order = get_order(size);
88108 + struct page *page;
88112 - ret = slob_new_pages(gfp, order, node);
88113 + page = slob_new_pages(gfp, order, node);
88115 + ret = page_address(page);
88116 + page->private = size;
88119 trace_kmalloc_node(caller, ret,
88120 size, PAGE_SIZE << order, gfp, node);
88123 - kmemleak_alloc(ret, size, 1, gfp);
88127 +static __always_inline void *
88128 +__do_kmalloc_node(size_t size, gfp_t gfp, int node, unsigned long caller)
88130 + int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
88131 + void *ret = __do_kmalloc_node_align(size, gfp, node, caller, align);
88133 + if (!ZERO_OR_NULL_PTR(ret))
88134 + kmemleak_alloc(ret, size, 1, gfp);
88138 @@ -493,34 +517,112 @@ void kfree(const void *block)
88140 kmemleak_free(block);
88142 + VM_BUG_ON(!virt_addr_valid(block));
88143 sp = virt_to_page(block);
88144 - if (PageSlab(sp)) {
88145 + VM_BUG_ON(!PageSlab(sp));
88146 + if (!sp->private) {
88147 int align = max_t(size_t, ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
88148 - unsigned int *m = (unsigned int *)(block - align);
88149 - slob_free(m, *m + align);
88151 + slob_t *m = (slob_t *)(block - align);
88152 + slob_free(m, m[0].units + align);
88154 + __ClearPageSlab(sp);
88155 + page_mapcount_reset(sp);
88157 __free_pages(sp, compound_order(sp));
88160 EXPORT_SYMBOL(kfree);
88162 +bool is_usercopy_object(const void *ptr)
88164 + if (!slab_is_available())
88172 +#ifdef CONFIG_PAX_USERCOPY
88173 +const char *check_heap_object(const void *ptr, unsigned long n)
88175 + struct page *page;
88176 + const slob_t *free;
88177 + const void *base;
88178 + unsigned long flags;
88180 + if (ZERO_OR_NULL_PTR(ptr))
88183 + if (!virt_addr_valid(ptr))
88186 + page = virt_to_head_page(ptr);
88187 + if (!PageSlab(page))
88190 + if (page->private) {
88192 + if (base <= ptr && n <= page->private - (ptr - base))
88197 + /* some tricky double walking to find the chunk */
88198 + spin_lock_irqsave(&slob_lock, flags);
88199 + base = (void *)((unsigned long)ptr & PAGE_MASK);
88200 + free = page->freelist;
88202 + while (!slob_last(free) && (void *)free <= ptr) {
88203 + base = free + slob_units(free);
88204 + free = slob_next(free);
88207 + while (base < (void *)free) {
88208 + slobidx_t m = ((slob_t *)base)[0].units, align = ((slob_t *)base)[1].units;
88209 + int size = SLOB_UNIT * SLOB_UNITS(m + align);
88212 + if (ptr < base + align)
88215 + offset = ptr - base - align;
88216 + if (offset >= m) {
88221 + if (n > m - offset)
88224 + spin_unlock_irqrestore(&slob_lock, flags);
88228 + spin_unlock_irqrestore(&slob_lock, flags);
88233 /* can't use ksize for kmem_cache_alloc memory, only kmalloc */
88234 size_t ksize(const void *block)
88242 if (unlikely(block == ZERO_SIZE_PTR))
88245 sp = virt_to_page(block);
88246 - if (unlikely(!PageSlab(sp)))
88247 - return PAGE_SIZE << compound_order(sp);
88248 + VM_BUG_ON(!PageSlab(sp));
88250 + return sp->private;
88252 align = max_t(size_t, ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
88253 - m = (unsigned int *)(block - align);
88254 - return SLOB_UNITS(*m) * SLOB_UNIT;
88255 + m = (slob_t *)(block - align);
88256 + return SLOB_UNITS(m[0].units) * SLOB_UNIT;
88258 EXPORT_SYMBOL(ksize);
88260 @@ -536,23 +638,33 @@ int __kmem_cache_create(struct kmem_cache *c, unsigned long flags)
88262 void *kmem_cache_alloc_node(struct kmem_cache *c, gfp_t flags, int node)
88267 flags &= gfp_allowed_mask;
88269 lockdep_trace_alloc(flags);
88271 +#ifdef CONFIG_PAX_USERCOPY_SLABS
88272 + b = __do_kmalloc_node_align(c->size, flags, node, _RET_IP_, c->align);
88274 if (c->size < PAGE_SIZE) {
88275 b = slob_alloc(c->size, flags, c->align, node);
88276 trace_kmem_cache_alloc_node(_RET_IP_, b, c->object_size,
88277 SLOB_UNITS(c->size) * SLOB_UNIT,
88280 - b = slob_new_pages(flags, get_order(c->size), node);
88283 + sp = slob_new_pages(flags, get_order(c->size), node);
88285 + b = page_address(sp);
88286 + sp->private = c->size;
88288 trace_kmem_cache_alloc_node(_RET_IP_, b, c->object_size,
88289 PAGE_SIZE << get_order(c->size),
88296 @@ -564,10 +676,14 @@ EXPORT_SYMBOL(kmem_cache_alloc_node);
88298 static void __kmem_cache_free(void *b, int size)
88300 - if (size < PAGE_SIZE)
88303 + sp = virt_to_page(b);
88304 + BUG_ON(!PageSlab(sp));
88305 + if (!sp->private)
88306 slob_free(b, size);
88308 - slob_free_pages(b, get_order(size));
88309 + slob_free_pages(sp, get_order(size));
88312 static void kmem_rcu_free(struct rcu_head *head)
88313 @@ -580,17 +696,31 @@ static void kmem_rcu_free(struct rcu_head *head)
88315 void kmem_cache_free(struct kmem_cache *c, void *b)
88317 + int size = c->size;
88319 +#ifdef CONFIG_PAX_USERCOPY_SLABS
88320 + if (size + c->align < PAGE_SIZE) {
88321 + size += c->align;
88326 kmemleak_free_recursive(b, c->flags);
88327 if (unlikely(c->flags & SLAB_DESTROY_BY_RCU)) {
88328 struct slob_rcu *slob_rcu;
88329 - slob_rcu = b + (c->size - sizeof(struct slob_rcu));
88330 - slob_rcu->size = c->size;
88331 + slob_rcu = b + (size - sizeof(struct slob_rcu));
88332 + slob_rcu->size = size;
88333 call_rcu(&slob_rcu->head, kmem_rcu_free);
88335 - __kmem_cache_free(b, c->size);
88336 + __kmem_cache_free(b, size);
88339 +#ifdef CONFIG_PAX_USERCOPY_SLABS
88340 + trace_kfree(_RET_IP_, b);
88342 trace_kmem_cache_free(_RET_IP_, b);
88346 EXPORT_SYMBOL(kmem_cache_free);
88348 diff --git a/mm/slub.c b/mm/slub.c
88349 index 57707f0..7857bd3 100644
88352 @@ -198,7 +198,7 @@ struct track {
88354 enum track_item { TRACK_ALLOC, TRACK_FREE };
88356 -#ifdef CONFIG_SYSFS
88357 +#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
88358 static int sysfs_slab_add(struct kmem_cache *);
88359 static int sysfs_slab_alias(struct kmem_cache *, const char *);
88360 static void sysfs_slab_remove(struct kmem_cache *);
88361 @@ -519,7 +519,7 @@ static void print_track(const char *s, struct track *t)
88365 - printk(KERN_ERR "INFO: %s in %pS age=%lu cpu=%u pid=%d\n",
88366 + printk(KERN_ERR "INFO: %s in %pA age=%lu cpu=%u pid=%d\n",
88367 s, (void *)t->addr, jiffies - t->when, t->cpu, t->pid);
88368 #ifdef CONFIG_STACKTRACE
88370 @@ -2594,6 +2594,14 @@ static __always_inline void slab_free(struct kmem_cache *s,
88372 slab_free_hook(s, x);
88374 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
88375 + if (pax_sanitize_slab && !(s->flags & SLAB_NO_SANITIZE)) {
88376 + memset(x, PAX_MEMORY_SANITIZE_VALUE, s->object_size);
88384 * Determine the currently cpus per cpu slab.
88385 @@ -2661,7 +2669,7 @@ static int slub_min_objects;
88386 * Merge control. If this is set then no merging of slab caches will occur.
88387 * (Could be removed. This was introduced to pacify the merge skeptics.)
88389 -static int slub_nomerge;
88390 +static int slub_nomerge = 1;
88393 * Calculate the order of allocation given an slab object size.
88394 @@ -2938,6 +2946,9 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order)
88397 if (((flags & (SLAB_DESTROY_BY_RCU | SLAB_POISON)) ||
88398 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
88399 + (pax_sanitize_slab && !(flags & SLAB_NO_SANITIZE)) ||
88403 * Relocate free pointer after the object if it is not
88404 @@ -3283,6 +3294,59 @@ void *__kmalloc_node(size_t size, gfp_t flags, int node)
88405 EXPORT_SYMBOL(__kmalloc_node);
88408 +bool is_usercopy_object(const void *ptr)
88410 + struct page *page;
88411 + struct kmem_cache *s;
88413 + if (ZERO_OR_NULL_PTR(ptr))
88416 + if (!slab_is_available())
88419 + if (!virt_addr_valid(ptr))
88422 + page = virt_to_head_page(ptr);
88424 + if (!PageSlab(page))
88427 + s = page->slab_cache;
88428 + return s->flags & SLAB_USERCOPY;
88431 +#ifdef CONFIG_PAX_USERCOPY
88432 +const char *check_heap_object(const void *ptr, unsigned long n)
88434 + struct page *page;
88435 + struct kmem_cache *s;
88436 + unsigned long offset;
88438 + if (ZERO_OR_NULL_PTR(ptr))
88441 + if (!virt_addr_valid(ptr))
88444 + page = virt_to_head_page(ptr);
88446 + if (!PageSlab(page))
88449 + s = page->slab_cache;
88450 + if (!(s->flags & SLAB_USERCOPY))
88453 + offset = (ptr - page_address(page)) % s->size;
88454 + if (offset <= s->object_size && n <= s->object_size - offset)
88461 size_t ksize(const void *object)
88464 @@ -3347,6 +3411,7 @@ void kfree(const void *x)
88465 if (unlikely(ZERO_OR_NULL_PTR(x)))
88468 + VM_BUG_ON(!virt_addr_valid(x));
88469 page = virt_to_head_page(x);
88470 if (unlikely(!PageSlab(page))) {
88471 BUG_ON(!PageCompound(page));
88472 @@ -3652,7 +3717,7 @@ static int slab_unmergeable(struct kmem_cache *s)
88474 * We may have set a slab to be unmergeable during bootstrap.
88476 - if (s->refcount < 0)
88477 + if (atomic_read(&s->refcount) < 0)
88481 @@ -3710,7 +3775,7 @@ __kmem_cache_alias(struct mem_cgroup *memcg, const char *name, size_t size,
88483 s = find_mergeable(memcg, size, align, flags, name, ctor);
88486 + atomic_inc(&s->refcount);
88488 * Adjust the object sizes so that we clear
88489 * the complete object on kzalloc.
88490 @@ -3719,7 +3784,7 @@ __kmem_cache_alias(struct mem_cgroup *memcg, const char *name, size_t size,
88491 s->inuse = max_t(int, s->inuse, ALIGN(size, sizeof(void *)));
88493 if (sysfs_slab_alias(s, name)) {
88495 + atomic_dec(&s->refcount);
88499 @@ -3781,7 +3846,7 @@ static int __cpuinit slab_cpuup_callback(struct notifier_block *nfb,
88503 -static struct notifier_block __cpuinitdata slab_notifier = {
88504 +static struct notifier_block slab_notifier = {
88505 .notifier_call = slab_cpuup_callback
88508 @@ -3839,7 +3904,7 @@ void *__kmalloc_node_track_caller(size_t size, gfp_t gfpflags,
88512 -#ifdef CONFIG_SYSFS
88513 +#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
88514 static int count_inuse(struct page *page)
88516 return page->inuse;
88517 @@ -4226,12 +4291,12 @@ static void resiliency_test(void)
88518 validate_slab_cache(kmalloc_caches[9]);
88521 -#ifdef CONFIG_SYSFS
88522 +#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
88523 static void resiliency_test(void) {};
88527 -#ifdef CONFIG_SYSFS
88528 +#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
88529 enum slab_stat_type {
88530 SL_ALL, /* All slabs */
88531 SL_PARTIAL, /* Only partially allocated slabs */
88532 @@ -4475,7 +4540,7 @@ SLAB_ATTR_RO(ctor);
88534 static ssize_t aliases_show(struct kmem_cache *s, char *buf)
88536 - return sprintf(buf, "%d\n", s->refcount - 1);
88537 + return sprintf(buf, "%d\n", atomic_read(&s->refcount) - 1);
88539 SLAB_ATTR_RO(aliases);
88541 @@ -4563,6 +4628,14 @@ static ssize_t cache_dma_show(struct kmem_cache *s, char *buf)
88542 SLAB_ATTR_RO(cache_dma);
88545 +#ifdef CONFIG_PAX_USERCOPY_SLABS
88546 +static ssize_t usercopy_show(struct kmem_cache *s, char *buf)
88548 + return sprintf(buf, "%d\n", !!(s->flags & SLAB_USERCOPY));
88550 +SLAB_ATTR_RO(usercopy);
88553 static ssize_t destroy_by_rcu_show(struct kmem_cache *s, char *buf)
88555 return sprintf(buf, "%d\n", !!(s->flags & SLAB_DESTROY_BY_RCU));
88556 @@ -4897,6 +4970,9 @@ static struct attribute *slab_attrs[] = {
88557 #ifdef CONFIG_ZONE_DMA
88558 &cache_dma_attr.attr,
88560 +#ifdef CONFIG_PAX_USERCOPY_SLABS
88561 + &usercopy_attr.attr,
88564 &remote_node_defrag_ratio_attr.attr,
88566 @@ -5128,6 +5204,7 @@ static char *create_unique_id(struct kmem_cache *s)
88570 +#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
88571 static int sysfs_slab_add(struct kmem_cache *s)
88574 @@ -5151,7 +5228,7 @@ static int sysfs_slab_add(struct kmem_cache *s)
88577 s->kobj.kset = slab_kset;
88578 - err = kobject_init_and_add(&s->kobj, &slab_ktype, NULL, name);
88579 + err = kobject_init_and_add(&s->kobj, &slab_ktype, NULL, "%s", name);
88581 kobject_put(&s->kobj);
88583 @@ -5185,6 +5262,7 @@ static void sysfs_slab_remove(struct kmem_cache *s)
88584 kobject_del(&s->kobj);
88585 kobject_put(&s->kobj);
88590 * Need to buffer aliases during bootup until sysfs becomes
88591 @@ -5198,6 +5276,7 @@ struct saved_alias {
88593 static struct saved_alias *alias_list;
88595 +#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
88596 static int sysfs_slab_alias(struct kmem_cache *s, const char *name)
88598 struct saved_alias *al;
88599 @@ -5220,6 +5299,7 @@ static int sysfs_slab_alias(struct kmem_cache *s, const char *name)
88605 static int __init slab_sysfs_init(void)
88607 diff --git a/mm/sparse-vmemmap.c b/mm/sparse-vmemmap.c
88608 index 27eeab3..7c3f7f2 100644
88609 --- a/mm/sparse-vmemmap.c
88610 +++ b/mm/sparse-vmemmap.c
88611 @@ -130,7 +130,7 @@ pud_t * __meminit vmemmap_pud_populate(pgd_t *pgd, unsigned long addr, int node)
88612 void *p = vmemmap_alloc_block(PAGE_SIZE, node);
88615 - pud_populate(&init_mm, pud, p);
88616 + pud_populate_kernel(&init_mm, pud, p);
88620 @@ -142,7 +142,7 @@ pgd_t * __meminit vmemmap_pgd_populate(unsigned long addr, int node)
88621 void *p = vmemmap_alloc_block(PAGE_SIZE, node);
88624 - pgd_populate(&init_mm, pgd, p);
88625 + pgd_populate_kernel(&init_mm, pgd, p);
88629 diff --git a/mm/sparse.c b/mm/sparse.c
88630 index 1c91f0d3..485470a 100644
88633 @@ -761,7 +761,7 @@ static void clear_hwpoisoned_pages(struct page *memmap, int nr_pages)
88635 for (i = 0; i < PAGES_PER_SECTION; i++) {
88636 if (PageHWPoison(&memmap[i])) {
88637 - atomic_long_sub(1, &num_poisoned_pages);
88638 + atomic_long_sub_unchecked(1, &num_poisoned_pages);
88639 ClearPageHWPoison(&memmap[i]);
88642 diff --git a/mm/swap.c b/mm/swap.c
88643 index dfd7d71..ccdf688 100644
88647 #include <linux/memcontrol.h>
88648 #include <linux/gfp.h>
88649 #include <linux/uio.h>
88650 +#include <linux/hugetlb.h>
88652 #include "internal.h"
88654 @@ -73,6 +74,8 @@ static void __put_compound_page(struct page *page)
88656 __page_cache_release(page);
88657 dtor = get_compound_page_dtor(page);
88658 + if (!PageHuge(page))
88659 + BUG_ON(dtor != free_compound_page);
88663 diff --git a/mm/swapfile.c b/mm/swapfile.c
88664 index 746af55b..7ac94ae 100644
88665 --- a/mm/swapfile.c
88666 +++ b/mm/swapfile.c
88667 @@ -66,7 +66,7 @@ static DEFINE_MUTEX(swapon_mutex);
88669 static DECLARE_WAIT_QUEUE_HEAD(proc_poll_wait);
88670 /* Activity counter to indicate that a swapon or swapoff has occurred */
88671 -static atomic_t proc_poll_event = ATOMIC_INIT(0);
88672 +static atomic_unchecked_t proc_poll_event = ATOMIC_INIT(0);
88674 static inline unsigned char swap_count(unsigned char ent)
88676 @@ -1684,7 +1684,7 @@ SYSCALL_DEFINE1(swapoff, const char __user *, specialfile)
88678 filp_close(swap_file, NULL);
88680 - atomic_inc(&proc_poll_event);
88681 + atomic_inc_unchecked(&proc_poll_event);
88682 wake_up_interruptible(&proc_poll_wait);
88685 @@ -1701,8 +1701,8 @@ static unsigned swaps_poll(struct file *file, poll_table *wait)
88687 poll_wait(file, &proc_poll_wait, wait);
88689 - if (seq->poll_event != atomic_read(&proc_poll_event)) {
88690 - seq->poll_event = atomic_read(&proc_poll_event);
88691 + if (seq->poll_event != atomic_read_unchecked(&proc_poll_event)) {
88692 + seq->poll_event = atomic_read_unchecked(&proc_poll_event);
88693 return POLLIN | POLLRDNORM | POLLERR | POLLPRI;
88696 @@ -1800,7 +1800,7 @@ static int swaps_open(struct inode *inode, struct file *file)
88699 seq = file->private_data;
88700 - seq->poll_event = atomic_read(&proc_poll_event);
88701 + seq->poll_event = atomic_read_unchecked(&proc_poll_event);
88705 @@ -2143,7 +2143,7 @@ SYSCALL_DEFINE2(swapon, const char __user *, specialfile, int, swap_flags)
88706 (frontswap_map) ? "FS" : "");
88708 mutex_unlock(&swapon_mutex);
88709 - atomic_inc(&proc_poll_event);
88710 + atomic_inc_unchecked(&proc_poll_event);
88711 wake_up_interruptible(&proc_poll_wait);
88713 if (S_ISREG(inode->i_mode))
88714 diff --git a/mm/util.c b/mm/util.c
88715 index ab1424d..7c5bd5a 100644
88718 @@ -294,6 +294,12 @@ done:
88719 void arch_pick_mmap_layout(struct mm_struct *mm)
88721 mm->mmap_base = TASK_UNMAPPED_BASE;
88723 +#ifdef CONFIG_PAX_RANDMMAP
88724 + if (mm->pax_flags & MF_PAX_RANDMMAP)
88725 + mm->mmap_base += mm->delta_mmap;
88728 mm->get_unmapped_area = arch_get_unmapped_area;
88729 mm->unmap_area = arch_unmap_area;
88731 diff --git a/mm/vmalloc.c b/mm/vmalloc.c
88732 index d365724..6cae7c2 100644
88735 @@ -59,8 +59,19 @@ static void vunmap_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end)
88737 pte = pte_offset_kernel(pmd, addr);
88739 - pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
88740 - WARN_ON(!pte_none(ptent) && !pte_present(ptent));
88742 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
88743 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr < (unsigned long)MODULES_EXEC_END) {
88744 + BUG_ON(!pte_exec(*pte));
88745 + set_pte_at(&init_mm, addr, pte, pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
88751 + pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
88752 + WARN_ON(!pte_none(ptent) && !pte_present(ptent));
88754 } while (pte++, addr += PAGE_SIZE, addr != end);
88757 @@ -120,16 +131,29 @@ static int vmap_pte_range(pmd_t *pmd, unsigned long addr,
88758 pte = pte_alloc_kernel(pmd, addr);
88762 + pax_open_kernel();
88764 struct page *page = pages[*nr];
88766 - if (WARN_ON(!pte_none(*pte)))
88767 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
88768 + if (pgprot_val(prot) & _PAGE_NX)
88771 + if (!pte_none(*pte)) {
88772 + pax_close_kernel();
88775 - if (WARN_ON(!page))
88778 + pax_close_kernel();
88782 set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
88784 } while (pte++, addr += PAGE_SIZE, addr != end);
88785 + pax_close_kernel();
88789 @@ -139,7 +163,7 @@ static int vmap_pmd_range(pud_t *pud, unsigned long addr,
88791 unsigned long next;
88793 - pmd = pmd_alloc(&init_mm, pud, addr);
88794 + pmd = pmd_alloc_kernel(&init_mm, pud, addr);
88798 @@ -156,7 +180,7 @@ static int vmap_pud_range(pgd_t *pgd, unsigned long addr,
88800 unsigned long next;
88802 - pud = pud_alloc(&init_mm, pgd, addr);
88803 + pud = pud_alloc_kernel(&init_mm, pgd, addr);
88807 @@ -216,6 +240,12 @@ int is_vmalloc_or_module_addr(const void *x)
88808 if (addr >= MODULES_VADDR && addr < MODULES_END)
88812 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
88813 + if (x >= (const void *)MODULES_EXEC_VADDR && x < (const void *)MODULES_EXEC_END)
88817 return is_vmalloc_addr(x);
88820 @@ -236,8 +266,14 @@ struct page *vmalloc_to_page(const void *vmalloc_addr)
88822 if (!pgd_none(*pgd)) {
88823 pud_t *pud = pud_offset(pgd, addr);
88825 + if (!pud_large(*pud))
88827 if (!pud_none(*pud)) {
88828 pmd_t *pmd = pmd_offset(pud, addr);
88830 + if (!pmd_large(*pmd))
88832 if (!pmd_none(*pmd)) {
88835 @@ -339,7 +375,7 @@ static void purge_vmap_area_lazy(void);
88836 * Allocate a region of KVA of the specified size and alignment, within the
88839 -static struct vmap_area *alloc_vmap_area(unsigned long size,
88840 +static __size_overflow(1) struct vmap_area *alloc_vmap_area(unsigned long size,
88841 unsigned long align,
88842 unsigned long vstart, unsigned long vend,
88843 int node, gfp_t gfp_mask)
88844 @@ -1337,6 +1373,16 @@ static struct vm_struct *__get_vm_area_node(unsigned long size,
88845 struct vm_struct *area;
88847 BUG_ON(in_interrupt());
88849 +#if defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
88850 + if (flags & VM_KERNEXEC) {
88851 + if (start != VMALLOC_START || end != VMALLOC_END)
88853 + start = (unsigned long)MODULES_EXEC_VADDR;
88854 + end = (unsigned long)MODULES_EXEC_END;
88858 if (flags & VM_IOREMAP) {
88859 int bit = fls(size);
88861 @@ -1581,6 +1627,11 @@ void *vmap(struct page **pages, unsigned int count,
88862 if (count > totalram_pages)
88865 +#if defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
88866 + if (!(pgprot_val(prot) & _PAGE_NX))
88867 + flags |= VM_KERNEXEC;
88870 area = get_vm_area_caller((count << PAGE_SHIFT), flags,
88871 __builtin_return_address(0));
88873 @@ -1682,6 +1733,13 @@ void *__vmalloc_node_range(unsigned long size, unsigned long align,
88874 if (!size || (size >> PAGE_SHIFT) > totalram_pages)
88877 +#if defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
88878 + if (!(pgprot_val(prot) & _PAGE_NX))
88879 + area = __get_vm_area_node(size, align, VM_ALLOC | VM_UNLIST | VM_KERNEXEC,
88880 + VMALLOC_START, VMALLOC_END, node, gfp_mask, caller);
88884 area = __get_vm_area_node(size, align, VM_ALLOC | VM_UNLIST,
88885 start, end, node, gfp_mask, caller);
88887 @@ -1858,10 +1916,9 @@ EXPORT_SYMBOL(vzalloc_node);
88888 * For tight control over page level allocator and protection flags
88889 * use __vmalloc() instead.
88892 void *vmalloc_exec(unsigned long size)
88894 - return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
88895 + return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, PAGE_KERNEL_EXEC,
88896 NUMA_NO_NODE, __builtin_return_address(0));
88899 @@ -2168,6 +2225,8 @@ int remap_vmalloc_range(struct vm_area_struct *vma, void *addr,
88900 unsigned long uaddr = vma->vm_start;
88901 unsigned long usize = vma->vm_end - vma->vm_start;
88903 + BUG_ON(vma->vm_mirror);
88905 if ((PAGE_SIZE-1) & (unsigned long)addr)
88908 @@ -2629,7 +2688,11 @@ static int s_show(struct seq_file *m, void *p)
88909 v->addr, v->addr + v->size, v->size);
88912 +#ifdef CONFIG_GRKERNSEC_HIDESYM
88913 + seq_printf(m, " %pK", v->caller);
88915 seq_printf(m, " %pS", v->caller);
88919 seq_printf(m, " pages=%d", v->nr_pages);
88920 diff --git a/mm/vmstat.c b/mm/vmstat.c
88921 index f42745e..62f8346 100644
88924 @@ -76,7 +76,7 @@ void vm_events_fold_cpu(int cpu)
88926 * vm_stat contains the global counters
88928 -atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS] __cacheline_aligned_in_smp;
88929 +atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS] __cacheline_aligned_in_smp;
88930 EXPORT_SYMBOL(vm_stat);
88933 @@ -452,7 +452,7 @@ void refresh_cpu_vm_stats(int cpu)
88934 v = p->vm_stat_diff[i];
88935 p->vm_stat_diff[i] = 0;
88936 local_irq_restore(flags);
88937 - atomic_long_add(v, &zone->vm_stat[i]);
88938 + atomic_long_add_unchecked(v, &zone->vm_stat[i]);
88939 global_diff[i] += v;
88941 /* 3 seconds idle till flush */
88942 @@ -490,7 +490,7 @@ void refresh_cpu_vm_stats(int cpu)
88944 for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
88945 if (global_diff[i])
88946 - atomic_long_add(global_diff[i], &vm_stat[i]);
88947 + atomic_long_add_unchecked(global_diff[i], &vm_stat[i]);
88951 @@ -505,8 +505,8 @@ void drain_zonestat(struct zone *zone, struct per_cpu_pageset *pset)
88952 if (pset->vm_stat_diff[i]) {
88953 int v = pset->vm_stat_diff[i];
88954 pset->vm_stat_diff[i] = 0;
88955 - atomic_long_add(v, &zone->vm_stat[i]);
88956 - atomic_long_add(v, &vm_stat[i]);
88957 + atomic_long_add_unchecked(v, &zone->vm_stat[i]);
88958 + atomic_long_add_unchecked(v, &vm_stat[i]);
88962 @@ -1226,7 +1226,7 @@ static int __cpuinit vmstat_cpuup_callback(struct notifier_block *nfb,
88966 -static struct notifier_block __cpuinitdata vmstat_notifier =
88967 +static struct notifier_block vmstat_notifier =
88968 { &vmstat_cpuup_callback, NULL, 0 };
88971 @@ -1241,10 +1241,20 @@ static int __init setup_vmstat(void)
88972 start_cpu_timer(cpu);
88974 #ifdef CONFIG_PROC_FS
88975 - proc_create("buddyinfo", S_IRUGO, NULL, &fragmentation_file_operations);
88976 - proc_create("pagetypeinfo", S_IRUGO, NULL, &pagetypeinfo_file_ops);
88977 - proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
88978 - proc_create("zoneinfo", S_IRUGO, NULL, &proc_zoneinfo_file_operations);
88980 + mode_t gr_mode = S_IRUGO;
88981 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
88982 + gr_mode = S_IRUSR;
88984 + proc_create("buddyinfo", gr_mode, NULL, &fragmentation_file_operations);
88985 + proc_create("pagetypeinfo", gr_mode, NULL, &pagetypeinfo_file_ops);
88986 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
88987 + proc_create("vmstat", gr_mode | S_IRGRP, NULL, &proc_vmstat_file_operations);
88989 + proc_create("vmstat", gr_mode, NULL, &proc_vmstat_file_operations);
88991 + proc_create("zoneinfo", gr_mode, NULL, &proc_zoneinfo_file_operations);
88996 diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c
88997 index 9424f37..6aabf19 100644
88998 --- a/net/8021q/vlan.c
88999 +++ b/net/8021q/vlan.c
89000 @@ -469,7 +469,7 @@ out:
89001 return NOTIFY_DONE;
89004 -static struct notifier_block vlan_notifier_block __read_mostly = {
89005 +static struct notifier_block vlan_notifier_block = {
89006 .notifier_call = vlan_device_event,
89009 @@ -544,8 +544,7 @@ static int vlan_ioctl_handler(struct net *net, void __user *arg)
89011 if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
89013 - if ((args.u.name_type >= 0) &&
89014 - (args.u.name_type < VLAN_NAME_TYPE_HIGHEST)) {
89015 + if (args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {
89016 struct vlan_net *vn;
89018 vn = net_generic(net, vlan_net_id);
89019 diff --git a/net/9p/mod.c b/net/9p/mod.c
89020 index 6ab36ae..6f1841b 100644
89023 @@ -84,7 +84,7 @@ static LIST_HEAD(v9fs_trans_list);
89024 void v9fs_register_trans(struct p9_trans_module *m)
89026 spin_lock(&v9fs_trans_lock);
89027 - list_add_tail(&m->list, &v9fs_trans_list);
89028 + pax_list_add_tail((struct list_head *)&m->list, &v9fs_trans_list);
89029 spin_unlock(&v9fs_trans_lock);
89031 EXPORT_SYMBOL(v9fs_register_trans);
89032 @@ -97,7 +97,7 @@ EXPORT_SYMBOL(v9fs_register_trans);
89033 void v9fs_unregister_trans(struct p9_trans_module *m)
89035 spin_lock(&v9fs_trans_lock);
89036 - list_del_init(&m->list);
89037 + pax_list_del_init((struct list_head *)&m->list);
89038 spin_unlock(&v9fs_trans_lock);
89040 EXPORT_SYMBOL(v9fs_unregister_trans);
89041 diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
89042 index 02efb25..41541a9 100644
89043 --- a/net/9p/trans_fd.c
89044 +++ b/net/9p/trans_fd.c
89045 @@ -425,7 +425,7 @@ static int p9_fd_write(struct p9_client *client, void *v, int len)
89048 /* The cast to a user pointer is valid due to the set_fs() */
89049 - ret = vfs_write(ts->wr, (__force void __user *)v, len, &ts->wr->f_pos);
89050 + ret = vfs_write(ts->wr, (void __force_user *)v, len, &ts->wr->f_pos);
89053 if (ret <= 0 && ret != -ERESTARTSYS && ret != -EAGAIN)
89054 diff --git a/net/atm/atm_misc.c b/net/atm/atm_misc.c
89055 index 876fbe8..8bbea9f 100644
89056 --- a/net/atm/atm_misc.c
89057 +++ b/net/atm/atm_misc.c
89058 @@ -17,7 +17,7 @@ int atm_charge(struct atm_vcc *vcc, int truesize)
89059 if (atomic_read(&sk_atm(vcc)->sk_rmem_alloc) <= sk_atm(vcc)->sk_rcvbuf)
89061 atm_return(vcc, truesize);
89062 - atomic_inc(&vcc->stats->rx_drop);
89063 + atomic_inc_unchecked(&vcc->stats->rx_drop);
89066 EXPORT_SYMBOL(atm_charge);
89067 @@ -39,7 +39,7 @@ struct sk_buff *atm_alloc_charge(struct atm_vcc *vcc, int pdu_size,
89070 atm_return(vcc, guess);
89071 - atomic_inc(&vcc->stats->rx_drop);
89072 + atomic_inc_unchecked(&vcc->stats->rx_drop);
89075 EXPORT_SYMBOL(atm_alloc_charge);
89076 @@ -86,7 +86,7 @@ EXPORT_SYMBOL(atm_pcr_goal);
89078 void sonet_copy_stats(struct k_sonet_stats *from, struct sonet_stats *to)
89080 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
89081 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
89083 #undef __HANDLE_ITEM
89085 @@ -94,7 +94,7 @@ EXPORT_SYMBOL(sonet_copy_stats);
89087 void sonet_subtract_stats(struct k_sonet_stats *from, struct sonet_stats *to)
89089 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
89090 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i,&from->i)
89092 #undef __HANDLE_ITEM
89094 diff --git a/net/atm/lec.h b/net/atm/lec.h
89095 index 4149db1..f2ab682 100644
89096 --- a/net/atm/lec.h
89097 +++ b/net/atm/lec.h
89098 @@ -48,7 +48,7 @@ struct lane2_ops {
89099 const u8 *tlvs, u32 sizeoftlvs);
89100 void (*associate_indicator) (struct net_device *dev, const u8 *mac_addr,
89101 const u8 *tlvs, u32 sizeoftlvs);
89106 * ATM LAN Emulation supports both LLC & Dix Ethernet EtherType
89107 diff --git a/net/atm/proc.c b/net/atm/proc.c
89108 index bbb6461..cf04016 100644
89109 --- a/net/atm/proc.c
89110 +++ b/net/atm/proc.c
89111 @@ -45,9 +45,9 @@ static void add_stats(struct seq_file *seq, const char *aal,
89112 const struct k_atm_aal_stats *stats)
89114 seq_printf(seq, "%s ( %d %d %d %d %d )", aal,
89115 - atomic_read(&stats->tx), atomic_read(&stats->tx_err),
89116 - atomic_read(&stats->rx), atomic_read(&stats->rx_err),
89117 - atomic_read(&stats->rx_drop));
89118 + atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),
89119 + atomic_read_unchecked(&stats->rx),atomic_read_unchecked(&stats->rx_err),
89120 + atomic_read_unchecked(&stats->rx_drop));
89123 static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
89124 diff --git a/net/atm/resources.c b/net/atm/resources.c
89125 index 0447d5d..3cf4728 100644
89126 --- a/net/atm/resources.c
89127 +++ b/net/atm/resources.c
89128 @@ -160,7 +160,7 @@ EXPORT_SYMBOL(atm_dev_deregister);
89129 static void copy_aal_stats(struct k_atm_aal_stats *from,
89130 struct atm_aal_stats *to)
89132 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
89133 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
89135 #undef __HANDLE_ITEM
89137 @@ -168,7 +168,7 @@ static void copy_aal_stats(struct k_atm_aal_stats *from,
89138 static void subtract_aal_stats(struct k_atm_aal_stats *from,
89139 struct atm_aal_stats *to)
89141 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
89142 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)
89144 #undef __HANDLE_ITEM
89146 diff --git a/net/ax25/sysctl_net_ax25.c b/net/ax25/sysctl_net_ax25.c
89147 index d5744b7..506bae3 100644
89148 --- a/net/ax25/sysctl_net_ax25.c
89149 +++ b/net/ax25/sysctl_net_ax25.c
89150 @@ -152,7 +152,7 @@ int ax25_register_dev_sysctl(ax25_dev *ax25_dev)
89152 char path[sizeof("net/ax25/") + IFNAMSIZ];
89154 - struct ctl_table *table;
89155 + ctl_table_no_const *table;
89157 table = kmemdup(ax25_param_table, sizeof(ax25_param_table), GFP_KERNEL);
89159 diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
89160 index f680ee1..97e3542 100644
89161 --- a/net/batman-adv/bat_iv_ogm.c
89162 +++ b/net/batman-adv/bat_iv_ogm.c
89163 @@ -79,7 +79,7 @@ static int batadv_iv_ogm_iface_enable(struct batadv_hard_iface *hard_iface)
89165 /* randomize initial seqno to avoid collision */
89166 get_random_bytes(&random_seqno, sizeof(random_seqno));
89167 - atomic_set(&hard_iface->bat_iv.ogm_seqno, random_seqno);
89168 + atomic_set_unchecked(&hard_iface->bat_iv.ogm_seqno, random_seqno);
89170 hard_iface->bat_iv.ogm_buff_len = BATADV_OGM_HLEN;
89171 ogm_buff = kmalloc(hard_iface->bat_iv.ogm_buff_len, GFP_ATOMIC);
89172 @@ -627,9 +627,9 @@ static void batadv_iv_ogm_schedule(struct batadv_hard_iface *hard_iface)
89173 batadv_ogm_packet = (struct batadv_ogm_packet *)(*ogm_buff);
89175 /* change sequence number to network order */
89176 - seqno = (uint32_t)atomic_read(&hard_iface->bat_iv.ogm_seqno);
89177 + seqno = (uint32_t)atomic_read_unchecked(&hard_iface->bat_iv.ogm_seqno);
89178 batadv_ogm_packet->seqno = htonl(seqno);
89179 - atomic_inc(&hard_iface->bat_iv.ogm_seqno);
89180 + atomic_inc_unchecked(&hard_iface->bat_iv.ogm_seqno);
89182 batadv_ogm_packet->ttvn = atomic_read(&bat_priv->tt.vn);
89183 batadv_ogm_packet->tt_crc = htons(bat_priv->tt.local_crc);
89184 @@ -1037,7 +1037,7 @@ static void batadv_iv_ogm_process(const struct ethhdr *ethhdr,
89187 /* could be changed by schedule_own_packet() */
89188 - if_incoming_seqno = atomic_read(&if_incoming->bat_iv.ogm_seqno);
89189 + if_incoming_seqno = atomic_read_unchecked(&if_incoming->bat_iv.ogm_seqno);
89191 if (batadv_ogm_packet->flags & BATADV_DIRECTLINK)
89192 has_directlink_flag = 1;
89193 diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
89194 index de27b31..7058bfe 100644
89195 --- a/net/batman-adv/bridge_loop_avoidance.c
89196 +++ b/net/batman-adv/bridge_loop_avoidance.c
89197 @@ -1522,6 +1522,8 @@ out:
89198 * in these cases, the skb is further handled by this function and
89199 * returns 1, otherwise it returns 0 and the caller shall further
89202 + * This call might reallocate skb data.
89204 int batadv_bla_tx(struct batadv_priv *bat_priv, struct sk_buff *skb, short vid)
89206 diff --git a/net/batman-adv/gateway_client.c b/net/batman-adv/gateway_client.c
89207 index f105219..7614af3 100644
89208 --- a/net/batman-adv/gateway_client.c
89209 +++ b/net/batman-adv/gateway_client.c
89210 @@ -508,6 +508,7 @@ out:
89214 +/* this call might reallocate skb data */
89215 static bool batadv_is_type_dhcprequest(struct sk_buff *skb, int header_len)
89218 @@ -568,6 +569,7 @@ out:
89222 +/* this call might reallocate skb data */
89223 bool batadv_gw_is_dhcp_target(struct sk_buff *skb, unsigned int *header_len)
89225 struct ethhdr *ethhdr;
89226 @@ -619,6 +621,12 @@ bool batadv_gw_is_dhcp_target(struct sk_buff *skb, unsigned int *header_len)
89228 if (!pskb_may_pull(skb, *header_len + sizeof(*udphdr)))
89231 + /* skb->data might have been reallocated by pskb_may_pull() */
89232 + ethhdr = (struct ethhdr *)skb->data;
89233 + if (ntohs(ethhdr->h_proto) == ETH_P_8021Q)
89234 + ethhdr = (struct ethhdr *)(skb->data + VLAN_HLEN);
89236 udphdr = (struct udphdr *)(skb->data + *header_len);
89237 *header_len += sizeof(*udphdr);
89239 @@ -634,12 +642,14 @@ bool batadv_gw_is_dhcp_target(struct sk_buff *skb, unsigned int *header_len)
89243 +/* this call might reallocate skb data */
89244 bool batadv_gw_out_of_range(struct batadv_priv *bat_priv,
89245 - struct sk_buff *skb, struct ethhdr *ethhdr)
89246 + struct sk_buff *skb)
89248 struct batadv_neigh_node *neigh_curr = NULL, *neigh_old = NULL;
89249 struct batadv_orig_node *orig_dst_node = NULL;
89250 struct batadv_gw_node *curr_gw = NULL;
89251 + struct ethhdr *ethhdr;
89252 bool ret, out_of_range = false;
89253 unsigned int header_len = 0;
89254 uint8_t curr_tq_avg;
89255 @@ -648,6 +658,7 @@ bool batadv_gw_out_of_range(struct batadv_priv *bat_priv,
89259 + ethhdr = (struct ethhdr *)skb->data;
89260 orig_dst_node = batadv_transtable_search(bat_priv, ethhdr->h_source,
89262 if (!orig_dst_node)
89263 diff --git a/net/batman-adv/gateway_client.h b/net/batman-adv/gateway_client.h
89264 index 039902d..1037d75 100644
89265 --- a/net/batman-adv/gateway_client.h
89266 +++ b/net/batman-adv/gateway_client.h
89267 @@ -34,7 +34,6 @@ void batadv_gw_node_delete(struct batadv_priv *bat_priv,
89268 void batadv_gw_node_purge(struct batadv_priv *bat_priv);
89269 int batadv_gw_client_seq_print_text(struct seq_file *seq, void *offset);
89270 bool batadv_gw_is_dhcp_target(struct sk_buff *skb, unsigned int *header_len);
89271 -bool batadv_gw_out_of_range(struct batadv_priv *bat_priv,
89272 - struct sk_buff *skb, struct ethhdr *ethhdr);
89273 +bool batadv_gw_out_of_range(struct batadv_priv *bat_priv, struct sk_buff *skb);
89275 #endif /* _NET_BATMAN_ADV_GATEWAY_CLIENT_H_ */
89276 diff --git a/net/batman-adv/hard-interface.c b/net/batman-adv/hard-interface.c
89277 index 522243a..b48c0ef 100644
89278 --- a/net/batman-adv/hard-interface.c
89279 +++ b/net/batman-adv/hard-interface.c
89280 @@ -401,7 +401,7 @@ int batadv_hardif_enable_interface(struct batadv_hard_iface *hard_iface,
89281 hard_iface->batman_adv_ptype.dev = hard_iface->net_dev;
89282 dev_add_pack(&hard_iface->batman_adv_ptype);
89284 - atomic_set(&hard_iface->frag_seqno, 1);
89285 + atomic_set_unchecked(&hard_iface->frag_seqno, 1);
89286 batadv_info(hard_iface->soft_iface, "Adding interface: %s\n",
89287 hard_iface->net_dev->name);
89289 @@ -550,7 +550,7 @@ batadv_hardif_add_interface(struct net_device *net_dev)
89290 /* This can't be called via a bat_priv callback because
89291 * we have no bat_priv yet.
89293 - atomic_set(&hard_iface->bat_iv.ogm_seqno, 1);
89294 + atomic_set_unchecked(&hard_iface->bat_iv.ogm_seqno, 1);
89295 hard_iface->bat_iv.ogm_buff = NULL;
89298 diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
89299 index 819dfb0..226bacd 100644
89300 --- a/net/batman-adv/soft-interface.c
89301 +++ b/net/batman-adv/soft-interface.c
89302 @@ -180,6 +180,9 @@ static int batadv_interface_tx(struct sk_buff *skb,
89303 if (batadv_bla_tx(bat_priv, skb, vid))
89306 + /* skb->data might have been reallocated by batadv_bla_tx() */
89307 + ethhdr = (struct ethhdr *)skb->data;
89309 /* Register the client MAC in the transtable */
89310 if (!is_multicast_ether_addr(ethhdr->h_source))
89311 batadv_tt_local_add(soft_iface, ethhdr->h_source, skb->skb_iif);
89312 @@ -220,6 +223,10 @@ static int batadv_interface_tx(struct sk_buff *skb,
89317 + /* reminder: ethhdr might have become unusable from here on
89318 + * (batadv_gw_is_dhcp_target() might have reallocated skb data)
89322 /* ethernet packet should be broadcasted */
89323 @@ -253,7 +260,7 @@ static int batadv_interface_tx(struct sk_buff *skb,
89324 primary_if->net_dev->dev_addr, ETH_ALEN);
89326 /* set broadcast sequence number */
89327 - seqno = atomic_inc_return(&bat_priv->bcast_seqno);
89328 + seqno = atomic_inc_return_unchecked(&bat_priv->bcast_seqno);
89329 bcast_packet->seqno = htonl(seqno);
89331 batadv_add_bcast_packet_to_list(bat_priv, skb, brd_delay);
89332 @@ -266,7 +273,7 @@ static int batadv_interface_tx(struct sk_buff *skb,
89333 /* unicast packet */
89335 if (atomic_read(&bat_priv->gw_mode) != BATADV_GW_MODE_OFF) {
89336 - ret = batadv_gw_out_of_range(bat_priv, skb, ethhdr);
89337 + ret = batadv_gw_out_of_range(bat_priv, skb);
89341 @@ -472,7 +479,7 @@ static int batadv_softif_init_late(struct net_device *dev)
89342 atomic_set(&bat_priv->batman_queue_left, BATADV_BATMAN_QUEUE_LEN);
89344 atomic_set(&bat_priv->mesh_state, BATADV_MESH_INACTIVE);
89345 - atomic_set(&bat_priv->bcast_seqno, 1);
89346 + atomic_set_unchecked(&bat_priv->bcast_seqno, 1);
89347 atomic_set(&bat_priv->tt.vn, 0);
89348 atomic_set(&bat_priv->tt.local_changes, 0);
89349 atomic_set(&bat_priv->tt.ogm_append_cnt, 0);
89350 diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
89351 index aba8364..50fcbb8 100644
89352 --- a/net/batman-adv/types.h
89353 +++ b/net/batman-adv/types.h
89355 struct batadv_hard_iface_bat_iv {
89356 unsigned char *ogm_buff;
89358 - atomic_t ogm_seqno;
89359 + atomic_unchecked_t ogm_seqno;
89363 @@ -75,7 +75,7 @@ struct batadv_hard_iface {
89366 struct net_device *net_dev;
89367 - atomic_t frag_seqno;
89368 + atomic_unchecked_t frag_seqno;
89369 struct kobject *hardif_obj;
89371 struct packet_type batman_adv_ptype;
89372 @@ -558,7 +558,7 @@ struct batadv_priv {
89373 #ifdef CONFIG_BATMAN_ADV_DEBUG
89374 atomic_t log_level;
89376 - atomic_t bcast_seqno;
89377 + atomic_unchecked_t bcast_seqno;
89378 atomic_t bcast_queue_left;
89379 atomic_t batman_queue_left;
89381 diff --git a/net/batman-adv/unicast.c b/net/batman-adv/unicast.c
89382 index 0bb3b59..0e3052e 100644
89383 --- a/net/batman-adv/unicast.c
89384 +++ b/net/batman-adv/unicast.c
89385 @@ -270,7 +270,7 @@ int batadv_frag_send_skb(struct sk_buff *skb, struct batadv_priv *bat_priv,
89386 frag1->flags = BATADV_UNI_FRAG_HEAD | large_tail;
89387 frag2->flags = large_tail;
89389 - seqno = atomic_add_return(2, &hard_iface->frag_seqno);
89390 + seqno = atomic_add_return_unchecked(2, &hard_iface->frag_seqno);
89391 frag1->seqno = htons(seqno - 1);
89392 frag2->seqno = htons(seqno);
89394 @@ -326,7 +326,9 @@ static bool batadv_unicast_push_and_fill_skb(struct sk_buff *skb, int hdr_size,
89395 * @skb: the skb containing the payload to encapsulate
89396 * @orig_node: the destination node
89398 - * Returns false if the payload could not be encapsulated or true otherwise
89399 + * Returns false if the payload could not be encapsulated or true otherwise.
89401 + * This call might reallocate skb data.
89403 static bool batadv_unicast_prepare_skb(struct sk_buff *skb,
89404 struct batadv_orig_node *orig_node)
89405 @@ -343,7 +345,9 @@ static bool batadv_unicast_prepare_skb(struct sk_buff *skb,
89406 * @orig_node: the destination node
89407 * @packet_subtype: the batman 4addr packet subtype to use
89409 - * Returns false if the payload could not be encapsulated or true otherwise
89410 + * Returns false if the payload could not be encapsulated or true otherwise.
89412 + * This call might reallocate skb data.
89414 bool batadv_unicast_4addr_prepare_skb(struct batadv_priv *bat_priv,
89415 struct sk_buff *skb,
89416 @@ -401,7 +405,7 @@ int batadv_unicast_generic_send_skb(struct batadv_priv *bat_priv,
89417 struct batadv_neigh_node *neigh_node;
89418 int data_len = skb->len;
89419 int ret = NET_RX_DROP;
89420 - unsigned int dev_mtu;
89421 + unsigned int dev_mtu, header_len;
89423 /* get routing information */
89424 if (is_multicast_ether_addr(ethhdr->h_dest)) {
89425 @@ -429,10 +433,12 @@ find_router:
89426 switch (packet_type) {
89427 case BATADV_UNICAST:
89428 batadv_unicast_prepare_skb(skb, orig_node);
89429 + header_len = sizeof(struct batadv_unicast_packet);
89431 case BATADV_UNICAST_4ADDR:
89432 batadv_unicast_4addr_prepare_skb(bat_priv, skb, orig_node,
89434 + header_len = sizeof(struct batadv_unicast_4addr_packet);
89437 /* this function supports UNICAST and UNICAST_4ADDR only. It
89438 @@ -441,6 +447,7 @@ find_router:
89442 + ethhdr = (struct ethhdr *)(skb->data + header_len);
89443 unicast_packet = (struct batadv_unicast_packet *)skb->data;
89445 /* inform the destination node that we are still missing a correct route
89446 diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
89447 index ace5e55..a65a1c0 100644
89448 --- a/net/bluetooth/hci_core.c
89449 +++ b/net/bluetooth/hci_core.c
89450 @@ -2211,16 +2211,16 @@ int hci_register_dev(struct hci_dev *hdev)
89451 list_add(&hdev->list, &hci_dev_list);
89452 write_unlock(&hci_dev_list_lock);
89454 - hdev->workqueue = alloc_workqueue(hdev->name, WQ_HIGHPRI | WQ_UNBOUND |
89455 - WQ_MEM_RECLAIM, 1);
89456 + hdev->workqueue = alloc_workqueue("%s", WQ_HIGHPRI | WQ_UNBOUND |
89457 + WQ_MEM_RECLAIM, 1, hdev->name);
89458 if (!hdev->workqueue) {
89463 - hdev->req_workqueue = alloc_workqueue(hdev->name,
89464 + hdev->req_workqueue = alloc_workqueue("%s",
89465 WQ_HIGHPRI | WQ_UNBOUND |
89466 - WQ_MEM_RECLAIM, 1);
89467 + WQ_MEM_RECLAIM, 1, hdev->name);
89468 if (!hdev->req_workqueue) {
89469 destroy_workqueue(hdev->workqueue);
89471 diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
89472 index 9bd7d95..6c4884f 100644
89473 --- a/net/bluetooth/hci_sock.c
89474 +++ b/net/bluetooth/hci_sock.c
89475 @@ -934,7 +934,7 @@ static int hci_sock_setsockopt(struct socket *sock, int level, int optname,
89476 uf.event_mask[1] = *((u32 *) f->event_mask + 1);
89479 - len = min_t(unsigned int, len, sizeof(uf));
89480 + len = min((size_t)len, sizeof(uf));
89481 if (copy_from_user(&uf, optval, len)) {
89484 diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
89485 index 68843a2..30e9342 100644
89486 --- a/net/bluetooth/l2cap_core.c
89487 +++ b/net/bluetooth/l2cap_core.c
89488 @@ -3507,8 +3507,10 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
89491 case L2CAP_CONF_RFC:
89492 - if (olen == sizeof(rfc))
89493 - memcpy(&rfc, (void *)val, olen);
89494 + if (olen != sizeof(rfc))
89497 + memcpy(&rfc, (void *)val, olen);
89499 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
89500 rfc.mode != chan->mode)
89501 diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
89502 index 36fed40..be2eeb2 100644
89503 --- a/net/bluetooth/l2cap_sock.c
89504 +++ b/net/bluetooth/l2cap_sock.c
89505 @@ -485,7 +485,8 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
89506 struct sock *sk = sock->sk;
89507 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
89508 struct l2cap_options opts;
89509 - int len, err = 0;
89511 + size_t len = optlen;
89514 BT_DBG("sk %p", sk);
89515 @@ -507,7 +508,7 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
89516 opts.max_tx = chan->max_tx;
89517 opts.txwin_size = chan->tx_win;
89519 - len = min_t(unsigned int, sizeof(opts), optlen);
89520 + len = min(sizeof(opts), len);
89521 if (copy_from_user((char *) &opts, optval, len)) {
89524 @@ -587,7 +588,8 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
89525 struct bt_security sec;
89526 struct bt_power pwr;
89527 struct l2cap_conn *conn;
89528 - int len, err = 0;
89530 + size_t len = optlen;
89533 BT_DBG("sk %p", sk);
89534 @@ -610,7 +612,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
89536 sec.level = BT_SECURITY_LOW;
89538 - len = min_t(unsigned int, sizeof(sec), optlen);
89539 + len = min(sizeof(sec), len);
89540 if (copy_from_user((char *) &sec, optval, len)) {
89543 @@ -707,7 +709,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
89545 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
89547 - len = min_t(unsigned int, sizeof(pwr), optlen);
89548 + len = min(sizeof(pwr), len);
89549 if (copy_from_user((char *) &pwr, optval, len)) {
89552 diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
89553 index 30b3721..c1bd0a0 100644
89554 --- a/net/bluetooth/rfcomm/sock.c
89555 +++ b/net/bluetooth/rfcomm/sock.c
89556 @@ -666,7 +666,7 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, c
89557 struct sock *sk = sock->sk;
89558 struct bt_security sec;
89561 + size_t len = optlen;
89564 BT_DBG("sk %p", sk);
89565 @@ -688,7 +688,7 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, c
89567 sec.level = BT_SECURITY_LOW;
89569 - len = min_t(unsigned int, sizeof(sec), optlen);
89570 + len = min(sizeof(sec), len);
89571 if (copy_from_user((char *) &sec, optval, len)) {
89574 diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
89575 index b6e44ad..5b0d514 100644
89576 --- a/net/bluetooth/rfcomm/tty.c
89577 +++ b/net/bluetooth/rfcomm/tty.c
89578 @@ -309,7 +309,7 @@ static void rfcomm_dev_del(struct rfcomm_dev *dev)
89579 BUG_ON(test_and_set_bit(RFCOMM_TTY_RELEASED, &dev->flags));
89581 spin_lock_irqsave(&dev->port.lock, flags);
89582 - if (dev->port.count > 0) {
89583 + if (atomic_read(&dev->port.count) > 0) {
89584 spin_unlock_irqrestore(&dev->port.lock, flags);
89587 @@ -659,10 +659,10 @@ static int rfcomm_tty_open(struct tty_struct *tty, struct file *filp)
89590 BT_DBG("dev %p dst %pMR channel %d opened %d", dev, &dev->dst,
89591 - dev->channel, dev->port.count);
89592 + dev->channel, atomic_read(&dev->port.count));
89594 spin_lock_irqsave(&dev->port.lock, flags);
89595 - if (++dev->port.count > 1) {
89596 + if (atomic_inc_return(&dev->port.count) > 1) {
89597 spin_unlock_irqrestore(&dev->port.lock, flags);
89600 @@ -727,10 +727,10 @@ static void rfcomm_tty_close(struct tty_struct *tty, struct file *filp)
89603 BT_DBG("tty %p dev %p dlc %p opened %d", tty, dev, dev->dlc,
89604 - dev->port.count);
89605 + atomic_read(&dev->port.count));
89607 spin_lock_irqsave(&dev->port.lock, flags);
89608 - if (!--dev->port.count) {
89609 + if (!atomic_dec_return(&dev->port.count)) {
89610 spin_unlock_irqrestore(&dev->port.lock, flags);
89611 if (dev->tty_dev->parent)
89612 device_move(dev->tty_dev, NULL, DPM_ORDER_DEV_LAST);
89613 diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
89614 index 3d110c4..4e1b2eb 100644
89615 --- a/net/bridge/netfilter/ebtables.c
89616 +++ b/net/bridge/netfilter/ebtables.c
89617 @@ -1525,7 +1525,7 @@ static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
89618 tmp.valid_hooks = t->table->valid_hooks;
89620 mutex_unlock(&ebt_mutex);
89621 - if (copy_to_user(user, &tmp, *len) != 0){
89622 + if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0){
89623 BUGPRINT("c2u Didn't work\n");
89626 @@ -2331,7 +2331,7 @@ static int compat_do_ebt_get_ctl(struct sock *sk, int cmd,
89628 tmp.valid_hooks = t->valid_hooks;
89630 - if (copy_to_user(user, &tmp, *len) != 0) {
89631 + if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0) {
89635 @@ -2342,7 +2342,7 @@ static int compat_do_ebt_get_ctl(struct sock *sk, int cmd,
89636 tmp.entries_size = t->table->entries_size;
89637 tmp.valid_hooks = t->table->valid_hooks;
89639 - if (copy_to_user(user, &tmp, *len) != 0) {
89640 + if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0) {
89644 diff --git a/net/caif/cfctrl.c b/net/caif/cfctrl.c
89645 index 2bd4b58..0dc30a1 100644
89646 --- a/net/caif/cfctrl.c
89647 +++ b/net/caif/cfctrl.c
89649 #include <linux/spinlock.h>
89650 #include <linux/slab.h>
89651 #include <linux/pkt_sched.h>
89652 +#include <linux/sched.h>
89653 #include <net/caif/caif_layer.h>
89654 #include <net/caif/cfpkt.h>
89655 #include <net/caif/cfctrl.h>
89656 @@ -43,8 +44,8 @@ struct cflayer *cfctrl_create(void)
89657 memset(&dev_info, 0, sizeof(dev_info));
89658 dev_info.id = 0xff;
89659 cfsrvl_init(&this->serv, 0, &dev_info, false);
89660 - atomic_set(&this->req_seq_no, 1);
89661 - atomic_set(&this->rsp_seq_no, 1);
89662 + atomic_set_unchecked(&this->req_seq_no, 1);
89663 + atomic_set_unchecked(&this->rsp_seq_no, 1);
89664 this->serv.layer.receive = cfctrl_recv;
89665 sprintf(this->serv.layer.name, "ctrl");
89666 this->serv.layer.ctrlcmd = cfctrl_ctrlcmd;
89667 @@ -130,8 +131,8 @@ static void cfctrl_insert_req(struct cfctrl *ctrl,
89668 struct cfctrl_request_info *req)
89670 spin_lock_bh(&ctrl->info_list_lock);
89671 - atomic_inc(&ctrl->req_seq_no);
89672 - req->sequence_no = atomic_read(&ctrl->req_seq_no);
89673 + atomic_inc_unchecked(&ctrl->req_seq_no);
89674 + req->sequence_no = atomic_read_unchecked(&ctrl->req_seq_no);
89675 list_add_tail(&req->list, &ctrl->list);
89676 spin_unlock_bh(&ctrl->info_list_lock);
89678 @@ -149,7 +150,7 @@ static struct cfctrl_request_info *cfctrl_remove_req(struct cfctrl *ctrl,
89680 pr_warn("Requests are not received in order\n");
89682 - atomic_set(&ctrl->rsp_seq_no,
89683 + atomic_set_unchecked(&ctrl->rsp_seq_no,
89685 list_del(&p->list);
89687 diff --git a/net/can/af_can.c b/net/can/af_can.c
89688 index c4e5085..aa9efdf 100644
89689 --- a/net/can/af_can.c
89690 +++ b/net/can/af_can.c
89691 @@ -862,7 +862,7 @@ static const struct net_proto_family can_family_ops = {
89694 /* notifier block for netdevice event */
89695 -static struct notifier_block can_netdev_notifier __read_mostly = {
89696 +static struct notifier_block can_netdev_notifier = {
89697 .notifier_call = can_notifier,
89700 diff --git a/net/can/gw.c b/net/can/gw.c
89701 index 3ee690e..00d581b 100644
89704 @@ -80,7 +80,6 @@ MODULE_PARM_DESC(max_hops,
89705 "default: " __stringify(CGW_DEFAULT_HOPS) ")");
89707 static HLIST_HEAD(cgw_list);
89708 -static struct notifier_block notifier;
89710 static struct kmem_cache *cgw_cache __read_mostly;
89712 @@ -927,6 +926,10 @@ static int cgw_remove_job(struct sk_buff *skb, struct nlmsghdr *nlh)
89716 +static struct notifier_block notifier = {
89717 + .notifier_call = cgw_notifier
89720 static __init int cgw_module_init(void)
89722 /* sanitize given module parameter */
89723 @@ -942,7 +945,6 @@ static __init int cgw_module_init(void)
89727 - notifier.notifier_call = cgw_notifier;
89728 register_netdevice_notifier(¬ifier);
89730 if (__rtnl_register(PF_CAN, RTM_GETROUTE, NULL, cgw_dump_jobs, NULL)) {
89731 diff --git a/net/compat.c b/net/compat.c
89732 index f0a1ba6..0541331 100644
89735 @@ -71,9 +71,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg)
89736 __get_user(kmsg->msg_controllen, &umsg->msg_controllen) ||
89737 __get_user(kmsg->msg_flags, &umsg->msg_flags))
89739 - kmsg->msg_name = compat_ptr(tmp1);
89740 - kmsg->msg_iov = compat_ptr(tmp2);
89741 - kmsg->msg_control = compat_ptr(tmp3);
89742 + kmsg->msg_name = (void __force_kernel *)compat_ptr(tmp1);
89743 + kmsg->msg_iov = (void __force_kernel *)compat_ptr(tmp2);
89744 + kmsg->msg_control = (void __force_kernel *)compat_ptr(tmp3);
89748 @@ -85,7 +85,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
89750 if (kern_msg->msg_namelen) {
89751 if (mode == VERIFY_READ) {
89752 - int err = move_addr_to_kernel(kern_msg->msg_name,
89753 + int err = move_addr_to_kernel((void __force_user *)kern_msg->msg_name,
89754 kern_msg->msg_namelen,
89757 @@ -96,7 +96,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
89758 kern_msg->msg_name = NULL;
89760 tot_len = iov_from_user_compat_to_kern(kern_iov,
89761 - (struct compat_iovec __user *)kern_msg->msg_iov,
89762 + (struct compat_iovec __force_user *)kern_msg->msg_iov,
89763 kern_msg->msg_iovlen);
89765 kern_msg->msg_iov = kern_iov;
89766 @@ -116,20 +116,20 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
89768 #define CMSG_COMPAT_FIRSTHDR(msg) \
89769 (((msg)->msg_controllen) >= sizeof(struct compat_cmsghdr) ? \
89770 - (struct compat_cmsghdr __user *)((msg)->msg_control) : \
89771 + (struct compat_cmsghdr __force_user *)((msg)->msg_control) : \
89772 (struct compat_cmsghdr __user *)NULL)
89774 #define CMSG_COMPAT_OK(ucmlen, ucmsg, mhdr) \
89775 ((ucmlen) >= sizeof(struct compat_cmsghdr) && \
89776 (ucmlen) <= (unsigned long) \
89777 ((mhdr)->msg_controllen - \
89778 - ((char *)(ucmsg) - (char *)(mhdr)->msg_control)))
89779 + ((char __force_kernel *)(ucmsg) - (char *)(mhdr)->msg_control)))
89781 static inline struct compat_cmsghdr __user *cmsg_compat_nxthdr(struct msghdr *msg,
89782 struct compat_cmsghdr __user *cmsg, int cmsg_len)
89784 char __user *ptr = (char __user *)cmsg + CMSG_COMPAT_ALIGN(cmsg_len);
89785 - if ((unsigned long)(ptr + 1 - (char __user *)msg->msg_control) >
89786 + if ((unsigned long)(ptr + 1 - (char __force_user *)msg->msg_control) >
89787 msg->msg_controllen)
89789 return (struct compat_cmsghdr __user *)ptr;
89790 @@ -219,7 +219,7 @@ Efault:
89792 int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *data)
89794 - struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __user *) kmsg->msg_control;
89795 + struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __force_user *) kmsg->msg_control;
89796 struct compat_cmsghdr cmhdr;
89797 struct compat_timeval ctv;
89798 struct compat_timespec cts[3];
89799 @@ -275,7 +275,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat
89801 void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm)
89803 - struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __user *) kmsg->msg_control;
89804 + struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __force_user *) kmsg->msg_control;
89805 int fdmax = (kmsg->msg_controllen - sizeof(struct compat_cmsghdr)) / sizeof(int);
89806 int fdnum = scm->fp->count;
89807 struct file **fp = scm->fp->fp;
89808 @@ -363,7 +363,7 @@ static int do_set_sock_timeout(struct socket *sock, int level,
89812 - err = sock_setsockopt(sock, level, optname, (char *)&ktime, sizeof(ktime));
89813 + err = sock_setsockopt(sock, level, optname, (char __force_user *)&ktime, sizeof(ktime));
89817 @@ -424,7 +424,7 @@ static int do_get_sock_timeout(struct socket *sock, int level, int optname,
89818 len = sizeof(ktime);
89821 - err = sock_getsockopt(sock, level, optname, (char *) &ktime, &len);
89822 + err = sock_getsockopt(sock, level, optname, (char __force_user *) &ktime, (int __force_user *)&len);
89826 @@ -567,7 +567,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
89827 case MCAST_JOIN_GROUP:
89828 case MCAST_LEAVE_GROUP:
89830 - struct compat_group_req __user *gr32 = (void *)optval;
89831 + struct compat_group_req __user *gr32 = (void __user *)optval;
89832 struct group_req __user *kgr =
89833 compat_alloc_user_space(sizeof(struct group_req));
89835 @@ -588,7 +588,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
89836 case MCAST_BLOCK_SOURCE:
89837 case MCAST_UNBLOCK_SOURCE:
89839 - struct compat_group_source_req __user *gsr32 = (void *)optval;
89840 + struct compat_group_source_req __user *gsr32 = (void __user *)optval;
89841 struct group_source_req __user *kgsr = compat_alloc_user_space(
89842 sizeof(struct group_source_req));
89844 @@ -609,7 +609,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
89846 case MCAST_MSFILTER:
89848 - struct compat_group_filter __user *gf32 = (void *)optval;
89849 + struct compat_group_filter __user *gf32 = (void __user *)optval;
89850 struct group_filter __user *kgf;
89851 u32 interface, fmode, numsrc;
89853 @@ -647,7 +647,7 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname,
89854 char __user *optval, int __user *optlen,
89855 int (*getsockopt)(struct sock *, int, int, char __user *, int __user *))
89857 - struct compat_group_filter __user *gf32 = (void *)optval;
89858 + struct compat_group_filter __user *gf32 = (void __user *)optval;
89859 struct group_filter __user *kgf;
89860 int __user *koptlen;
89861 u32 interface, fmode, numsrc;
89862 @@ -805,7 +805,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args)
89864 if (call < SYS_SOCKET || call > SYS_SENDMMSG)
89866 - if (copy_from_user(a, args, nas[call]))
89867 + if (nas[call] > sizeof a || copy_from_user(a, args, nas[call]))
89871 diff --git a/net/core/datagram.c b/net/core/datagram.c
89872 index b71423d..0360434 100644
89873 --- a/net/core/datagram.c
89874 +++ b/net/core/datagram.c
89875 @@ -295,7 +295,7 @@ int skb_kill_datagram(struct sock *sk, struct sk_buff *skb, unsigned int flags)
89879 - atomic_inc(&sk->sk_drops);
89880 + atomic_inc_unchecked(&sk->sk_drops);
89881 sk_mem_reclaim_partial(sk);
89884 diff --git a/net/core/dev.c b/net/core/dev.c
89885 index 7ddbb31..3902452 100644
89886 --- a/net/core/dev.c
89887 +++ b/net/core/dev.c
89888 @@ -1649,7 +1649,7 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
89890 if (skb_shinfo(skb)->tx_flags & SKBTX_DEV_ZEROCOPY) {
89891 if (skb_copy_ubufs(skb, GFP_ATOMIC)) {
89892 - atomic_long_inc(&dev->rx_dropped);
89893 + atomic_long_inc_unchecked(&dev->rx_dropped);
89895 return NET_RX_DROP;
89897 @@ -1658,7 +1658,7 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
89900 if (unlikely(!is_skb_forwardable(dev, skb))) {
89901 - atomic_long_inc(&dev->rx_dropped);
89902 + atomic_long_inc_unchecked(&dev->rx_dropped);
89904 return NET_RX_DROP;
89906 @@ -2404,7 +2404,7 @@ static int illegal_highdma(struct net_device *dev, struct sk_buff *skb)
89908 struct dev_gso_cb {
89909 void (*destructor)(struct sk_buff *skb);
89913 #define DEV_GSO_CB(skb) ((struct dev_gso_cb *)(skb)->cb)
89915 @@ -3139,7 +3139,7 @@ enqueue:
89917 local_irq_restore(flags);
89919 - atomic_long_inc(&skb->dev->rx_dropped);
89920 + atomic_long_inc_unchecked(&skb->dev->rx_dropped);
89922 return NET_RX_DROP;
89924 @@ -3211,7 +3211,7 @@ int netif_rx_ni(struct sk_buff *skb)
89926 EXPORT_SYMBOL(netif_rx_ni);
89928 -static void net_tx_action(struct softirq_action *h)
89929 +static void net_tx_action(void)
89931 struct softnet_data *sd = &__get_cpu_var(softnet_data);
89933 @@ -3545,7 +3545,7 @@ ncls:
89934 ret = pt_prev->func(skb, skb->dev, pt_prev, orig_dev);
89937 - atomic_long_inc(&skb->dev->rx_dropped);
89938 + atomic_long_inc_unchecked(&skb->dev->rx_dropped);
89940 /* Jamal, now you will not able to escape explaining
89941 * me how you were going to use this. :-)
89942 @@ -4153,7 +4153,7 @@ void netif_napi_del(struct napi_struct *napi)
89944 EXPORT_SYMBOL(netif_napi_del);
89946 -static void net_rx_action(struct softirq_action *h)
89947 +static void net_rx_action(void)
89949 struct softnet_data *sd = &__get_cpu_var(softnet_data);
89950 unsigned long time_limit = jiffies + 2;
89951 @@ -5590,7 +5590,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev,
89953 netdev_stats_to_stats64(storage, &dev->stats);
89955 - storage->rx_dropped += atomic_long_read(&dev->rx_dropped);
89956 + storage->rx_dropped += atomic_long_read_unchecked(&dev->rx_dropped);
89959 EXPORT_SYMBOL(dev_get_stats);
89960 diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c
89961 index 5b7d0e1..cb960fc 100644
89962 --- a/net/core/dev_ioctl.c
89963 +++ b/net/core/dev_ioctl.c
89964 @@ -365,9 +365,13 @@ void dev_load(struct net *net, const char *name)
89965 if (no_module && capable(CAP_NET_ADMIN))
89966 no_module = request_module("netdev-%s", name);
89967 if (no_module && capable(CAP_SYS_MODULE)) {
89968 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
89969 + ___request_module(true, "grsec_modharden_netdev", "%s", name);
89971 if (!request_module("%s", name))
89972 pr_warn("Loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%s instead.\n",
89977 EXPORT_SYMBOL(dev_load);
89978 diff --git a/net/core/ethtool.c b/net/core/ethtool.c
89979 index ce91766..3b71cdb 100644
89980 --- a/net/core/ethtool.c
89981 +++ b/net/core/ethtool.c
89982 @@ -1319,10 +1319,19 @@ static int ethtool_get_dump_data(struct net_device *dev,
89986 - len = (tmp.len > dump.len) ? dump.len : tmp.len;
89987 + len = min(tmp.len, dump.len);
89991 + /* Don't ever let the driver think there's more space available
89992 + * than it requested with .get_dump_flag().
89996 + /* Always allocate enough space to hold the whole thing so that the
89997 + * driver does not need to check the length and bother with partial
90000 data = vzalloc(tmp.len);
90003 @@ -1330,6 +1339,16 @@ static int ethtool_get_dump_data(struct net_device *dev,
90007 + /* There are two sane possibilities:
90008 + * 1. The driver's .get_dump_data() does not touch dump.len.
90009 + * 2. Or it may set dump.len to how much it really writes, which
90010 + * should be tmp.len (or len if it can do a partial dump).
90011 + * In any case respond to userspace with the actual length of data
90012 + * it's receiving.
90014 + WARN_ON(dump.len != len && dump.len != tmp.len);
90017 if (copy_to_user(useraddr, &dump, sizeof(dump))) {
90020 diff --git a/net/core/flow.c b/net/core/flow.c
90021 index 7102f16..146b4bd 100644
90022 --- a/net/core/flow.c
90023 +++ b/net/core/flow.c
90024 @@ -61,7 +61,7 @@ struct flow_cache {
90025 struct timer_list rnd_timer;
90028 -atomic_t flow_cache_genid = ATOMIC_INIT(0);
90029 +atomic_unchecked_t flow_cache_genid = ATOMIC_INIT(0);
90030 EXPORT_SYMBOL(flow_cache_genid);
90031 static struct flow_cache flow_cache_global;
90032 static struct kmem_cache *flow_cachep __read_mostly;
90033 @@ -86,7 +86,7 @@ static void flow_cache_new_hashrnd(unsigned long arg)
90035 static int flow_entry_valid(struct flow_cache_entry *fle)
90037 - if (atomic_read(&flow_cache_genid) != fle->genid)
90038 + if (atomic_read_unchecked(&flow_cache_genid) != fle->genid)
90040 if (fle->object && !fle->object->ops->check(fle->object))
90042 @@ -258,7 +258,7 @@ flow_cache_lookup(struct net *net, const struct flowi *key, u16 family, u8 dir,
90043 hlist_add_head(&fle->u.hlist, &fcp->hash_table[hash]);
90046 - } else if (likely(fle->genid == atomic_read(&flow_cache_genid))) {
90047 + } else if (likely(fle->genid == atomic_read_unchecked(&flow_cache_genid))) {
90051 @@ -279,7 +279,7 @@ nocache:
90053 flo = resolver(net, key, family, dir, flo, ctx);
90055 - fle->genid = atomic_read(&flow_cache_genid);
90056 + fle->genid = atomic_read_unchecked(&flow_cache_genid);
90060 diff --git a/net/core/iovec.c b/net/core/iovec.c
90061 index de178e4..1dabd8b 100644
90062 --- a/net/core/iovec.c
90063 +++ b/net/core/iovec.c
90064 @@ -42,7 +42,7 @@ int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr_storage *a
90065 if (m->msg_namelen) {
90066 if (mode == VERIFY_READ) {
90067 void __user *namep;
90068 - namep = (void __user __force *) m->msg_name;
90069 + namep = (void __force_user *) m->msg_name;
90070 err = move_addr_to_kernel(namep, m->msg_namelen,
90073 @@ -54,7 +54,7 @@ int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr_storage *a
90076 size = m->msg_iovlen * sizeof(struct iovec);
90077 - if (copy_from_user(iov, (void __user __force *) m->msg_iov, size))
90078 + if (copy_from_user(iov, (void __force_user *) m->msg_iov, size))
90082 diff --git a/net/core/neighbour.c b/net/core/neighbour.c
90083 index ce90b02..8752627 100644
90084 --- a/net/core/neighbour.c
90085 +++ b/net/core/neighbour.c
90086 @@ -2771,7 +2771,7 @@ static int proc_unres_qlen(ctl_table *ctl, int write, void __user *buffer,
90087 size_t *lenp, loff_t *ppos)
90090 - ctl_table tmp = *ctl;
90091 + ctl_table_no_const tmp = *ctl;
90093 tmp.extra1 = &zero;
90094 tmp.extra2 = &unres_qlen_max;
90095 diff --git a/net/core/net-procfs.c b/net/core/net-procfs.c
90096 index 569d355..79cf2d0 100644
90097 --- a/net/core/net-procfs.c
90098 +++ b/net/core/net-procfs.c
90099 @@ -271,8 +271,13 @@ static int ptype_seq_show(struct seq_file *seq, void *v)
90101 seq_printf(seq, "%04x", ntohs(pt->type));
90103 +#ifdef CONFIG_GRKERNSEC_HIDESYM
90104 + seq_printf(seq, " %-8s %pf\n",
90105 + pt->dev ? pt->dev->name : "", NULL);
90107 seq_printf(seq, " %-8s %pf\n",
90108 pt->dev ? pt->dev->name : "", pt->func);
90113 diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
90114 index 981fed3..536af34 100644
90115 --- a/net/core/net-sysfs.c
90116 +++ b/net/core/net-sysfs.c
90117 @@ -1311,7 +1311,7 @@ void netdev_class_remove_file(struct class_attribute *class_attr)
90119 EXPORT_SYMBOL(netdev_class_remove_file);
90121 -int netdev_kobject_init(void)
90122 +int __init netdev_kobject_init(void)
90124 kobj_ns_type_register(&net_ns_type_operations);
90125 return class_register(&net_class);
90126 diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
90127 index f9765203..9feaef8 100644
90128 --- a/net/core/net_namespace.c
90129 +++ b/net/core/net_namespace.c
90130 @@ -443,7 +443,7 @@ static int __register_pernet_operations(struct list_head *list,
90132 LIST_HEAD(net_exit_list);
90134 - list_add_tail(&ops->list, list);
90135 + pax_list_add_tail((struct list_head *)&ops->list, list);
90136 if (ops->init || (ops->id && ops->size)) {
90137 for_each_net(net) {
90138 error = ops_init(ops, net);
90139 @@ -456,7 +456,7 @@ static int __register_pernet_operations(struct list_head *list,
90142 /* If I have an error cleanup all namespaces I initialized */
90143 - list_del(&ops->list);
90144 + pax_list_del((struct list_head *)&ops->list);
90145 ops_exit_list(ops, &net_exit_list);
90146 ops_free_list(ops, &net_exit_list);
90148 @@ -467,7 +467,7 @@ static void __unregister_pernet_operations(struct pernet_operations *ops)
90150 LIST_HEAD(net_exit_list);
90152 - list_del(&ops->list);
90153 + pax_list_del((struct list_head *)&ops->list);
90155 list_add_tail(&net->exit_list, &net_exit_list);
90156 ops_exit_list(ops, &net_exit_list);
90157 @@ -601,7 +601,7 @@ int register_pernet_device(struct pernet_operations *ops)
90158 mutex_lock(&net_mutex);
90159 error = register_pernet_operations(&pernet_list, ops);
90160 if (!error && (first_device == &pernet_list))
90161 - first_device = &ops->list;
90162 + first_device = (struct list_head *)&ops->list;
90163 mutex_unlock(&net_mutex);
90166 diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
90167 index a08bd2b..c59bd7c 100644
90168 --- a/net/core/rtnetlink.c
90169 +++ b/net/core/rtnetlink.c
90170 @@ -58,7 +58,7 @@ struct rtnl_link {
90171 rtnl_doit_func doit;
90172 rtnl_dumpit_func dumpit;
90173 rtnl_calcit_func calcit;
90177 static DEFINE_MUTEX(rtnl_mutex);
90179 @@ -299,10 +299,13 @@ int __rtnl_link_register(struct rtnl_link_ops *ops)
90180 if (rtnl_link_ops_get(ops->kind))
90183 - if (!ops->dellink)
90184 - ops->dellink = unregister_netdevice_queue;
90185 + if (!ops->dellink) {
90186 + pax_open_kernel();
90187 + *(void **)&ops->dellink = unregister_netdevice_queue;
90188 + pax_close_kernel();
90191 - list_add_tail(&ops->list, &link_ops);
90192 + pax_list_add_tail((struct list_head *)&ops->list, &link_ops);
90195 EXPORT_SYMBOL_GPL(__rtnl_link_register);
90196 @@ -349,7 +352,7 @@ void __rtnl_link_unregister(struct rtnl_link_ops *ops)
90197 for_each_net(net) {
90198 __rtnl_kill_links(net, ops);
90200 - list_del(&ops->list);
90201 + pax_list_del((struct list_head *)&ops->list);
90203 EXPORT_SYMBOL_GPL(__rtnl_link_unregister);
90205 @@ -2374,7 +2377,7 @@ static int rtnl_bridge_getlink(struct sk_buff *skb, struct netlink_callback *cb)
90206 struct nlattr *extfilt;
90207 u32 filter_mask = 0;
90209 - extfilt = nlmsg_find_attr(cb->nlh, sizeof(struct rtgenmsg),
90210 + extfilt = nlmsg_find_attr(cb->nlh, sizeof(struct ifinfomsg),
90213 filter_mask = nla_get_u32(extfilt);
90214 diff --git a/net/core/scm.c b/net/core/scm.c
90215 index 03795d0..eaf7368 100644
90216 --- a/net/core/scm.c
90217 +++ b/net/core/scm.c
90218 @@ -210,7 +210,7 @@ EXPORT_SYMBOL(__scm_send);
90219 int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
90221 struct cmsghdr __user *cm
90222 - = (__force struct cmsghdr __user *)msg->msg_control;
90223 + = (struct cmsghdr __force_user *)msg->msg_control;
90224 struct cmsghdr cmhdr;
90225 int cmlen = CMSG_LEN(len);
90227 @@ -233,7 +233,7 @@ int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
90229 if (copy_to_user(cm, &cmhdr, sizeof cmhdr))
90231 - if (copy_to_user(CMSG_DATA(cm), data, cmlen - sizeof(struct cmsghdr)))
90232 + if (copy_to_user((void __force_user *)CMSG_DATA((void __force_kernel *)cm), data, cmlen - sizeof(struct cmsghdr)))
90234 cmlen = CMSG_SPACE(len);
90235 if (msg->msg_controllen < cmlen)
90236 @@ -249,7 +249,7 @@ EXPORT_SYMBOL(put_cmsg);
90237 void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
90239 struct cmsghdr __user *cm
90240 - = (__force struct cmsghdr __user*)msg->msg_control;
90241 + = (struct cmsghdr __force_user *)msg->msg_control;
90244 int fdnum = scm->fp->count;
90245 @@ -269,7 +269,7 @@ void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
90249 - for (i=0, cmfptr=(__force int __user *)CMSG_DATA(cm); i<fdmax;
90250 + for (i=0, cmfptr=(int __force_user *)CMSG_DATA((void __force_kernel *)cm); i<fdmax;
90253 struct socket *sock;
90254 diff --git a/net/core/skbuff.c b/net/core/skbuff.c
90255 index 1c1738c..4cab7f0 100644
90256 --- a/net/core/skbuff.c
90257 +++ b/net/core/skbuff.c
90258 @@ -3087,13 +3087,15 @@ void __init skb_init(void)
90259 skbuff_head_cache = kmem_cache_create("skbuff_head_cache",
90260 sizeof(struct sk_buff),
90262 - SLAB_HWCACHE_ALIGN|SLAB_PANIC,
90263 + SLAB_HWCACHE_ALIGN|SLAB_PANIC|
90264 + SLAB_NO_SANITIZE,
90266 skbuff_fclone_cache = kmem_cache_create("skbuff_fclone_cache",
90267 (2*sizeof(struct sk_buff)) +
90270 - SLAB_HWCACHE_ALIGN|SLAB_PANIC,
90271 + SLAB_HWCACHE_ALIGN|SLAB_PANIC|
90272 + SLAB_NO_SANITIZE,
90276 diff --git a/net/core/sock.c b/net/core/sock.c
90277 index d6d024c..6ea7ab4 100644
90278 --- a/net/core/sock.c
90279 +++ b/net/core/sock.c
90280 @@ -390,7 +390,7 @@ int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
90281 struct sk_buff_head *list = &sk->sk_receive_queue;
90283 if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf) {
90284 - atomic_inc(&sk->sk_drops);
90285 + atomic_inc_unchecked(&sk->sk_drops);
90286 trace_sock_rcvqueue_full(sk, skb);
90289 @@ -400,7 +400,7 @@ int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
90292 if (!sk_rmem_schedule(sk, skb, skb->truesize)) {
90293 - atomic_inc(&sk->sk_drops);
90294 + atomic_inc_unchecked(&sk->sk_drops);
90298 @@ -420,7 +420,7 @@ int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
90299 skb_dst_force(skb);
90301 spin_lock_irqsave(&list->lock, flags);
90302 - skb->dropcount = atomic_read(&sk->sk_drops);
90303 + skb->dropcount = atomic_read_unchecked(&sk->sk_drops);
90304 __skb_queue_tail(list, skb);
90305 spin_unlock_irqrestore(&list->lock, flags);
90307 @@ -440,7 +440,7 @@ int sk_receive_skb(struct sock *sk, struct sk_buff *skb, const int nested)
90310 if (sk_rcvqueues_full(sk, skb, sk->sk_rcvbuf)) {
90311 - atomic_inc(&sk->sk_drops);
90312 + atomic_inc_unchecked(&sk->sk_drops);
90313 goto discard_and_relse;
90316 @@ -458,7 +458,7 @@ int sk_receive_skb(struct sock *sk, struct sk_buff *skb, const int nested)
90317 mutex_release(&sk->sk_lock.dep_map, 1, _RET_IP_);
90318 } else if (sk_add_backlog(sk, skb, sk->sk_rcvbuf)) {
90319 bh_unlock_sock(sk);
90320 - atomic_inc(&sk->sk_drops);
90321 + atomic_inc_unchecked(&sk->sk_drops);
90322 goto discard_and_relse;
90325 @@ -933,12 +933,12 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
90329 - int lv = sizeof(int);
90331 + unsigned int lv = sizeof(int);
90332 + unsigned int len;
90334 if (get_user(len, optlen))
90337 + if (len > INT_MAX)
90340 memset(&v, 0, sizeof(v));
90341 @@ -1090,11 +1090,11 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
90345 - char address[128];
90346 + char address[_K_SS_MAXSIZE];
90348 if (sock->ops->getname(sock, (struct sockaddr *)address, &lv, 2))
90351 + if (lv < len || sizeof address < len)
90353 if (copy_to_user(optval, address, len))
90355 @@ -1161,7 +1161,7 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
90359 - if (copy_to_user(optval, &v, len))
90360 + if (len > sizeof(v) || copy_to_user(optval, &v, len))
90363 if (put_user(len, optlen))
90364 @@ -2277,7 +2277,7 @@ void sock_init_data(struct socket *sock, struct sock *sk)
90367 atomic_set(&sk->sk_refcnt, 1);
90368 - atomic_set(&sk->sk_drops, 0);
90369 + atomic_set_unchecked(&sk->sk_drops, 0);
90371 EXPORT_SYMBOL(sock_init_data);
90373 diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
90374 index a0e9cf6..ef7f9ed 100644
90375 --- a/net/core/sock_diag.c
90376 +++ b/net/core/sock_diag.c
90378 #include <linux/inet_diag.h>
90379 #include <linux/sock_diag.h>
90381 -static const struct sock_diag_handler *sock_diag_handlers[AF_MAX];
90382 +static const struct sock_diag_handler *sock_diag_handlers[AF_MAX] __read_only;
90383 static int (*inet_rcv_compat)(struct sk_buff *skb, struct nlmsghdr *nlh);
90384 static DEFINE_MUTEX(sock_diag_table_mutex);
90386 int sock_diag_check_cookie(void *sk, __u32 *cookie)
90388 +#ifndef CONFIG_GRKERNSEC_HIDESYM
90389 if ((cookie[0] != INET_DIAG_NOCOOKIE ||
90390 cookie[1] != INET_DIAG_NOCOOKIE) &&
90391 ((u32)(unsigned long)sk != cookie[0] ||
90392 (u32)((((unsigned long)sk) >> 31) >> 1) != cookie[1]))
90398 EXPORT_SYMBOL_GPL(sock_diag_check_cookie);
90400 void sock_diag_save_cookie(void *sk, __u32 *cookie)
90402 +#ifdef CONFIG_GRKERNSEC_HIDESYM
90406 cookie[0] = (u32)(unsigned long)sk;
90407 cookie[1] = (u32)(((unsigned long)sk >> 31) >> 1);
90410 EXPORT_SYMBOL_GPL(sock_diag_save_cookie);
90412 @@ -113,8 +120,11 @@ int sock_diag_register(const struct sock_diag_handler *hndl)
90413 mutex_lock(&sock_diag_table_mutex);
90414 if (sock_diag_handlers[hndl->family])
90418 + pax_open_kernel();
90419 sock_diag_handlers[hndl->family] = hndl;
90420 + pax_close_kernel();
90422 mutex_unlock(&sock_diag_table_mutex);
90425 @@ -130,7 +140,9 @@ void sock_diag_unregister(const struct sock_diag_handler *hnld)
90427 mutex_lock(&sock_diag_table_mutex);
90428 BUG_ON(sock_diag_handlers[family] != hnld);
90429 + pax_open_kernel();
90430 sock_diag_handlers[family] = NULL;
90431 + pax_close_kernel();
90432 mutex_unlock(&sock_diag_table_mutex);
90434 EXPORT_SYMBOL_GPL(sock_diag_unregister);
90435 diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
90436 index cfdb46a..cef55e1 100644
90437 --- a/net/core/sysctl_net_core.c
90438 +++ b/net/core/sysctl_net_core.c
90439 @@ -28,7 +28,7 @@ static int rps_sock_flow_sysctl(ctl_table *table, int write,
90441 unsigned int orig_size, size;
90443 - ctl_table tmp = {
90444 + ctl_table_no_const tmp = {
90446 .maxlen = sizeof(size),
90447 .mode = table->mode
90448 @@ -211,13 +211,12 @@ static struct ctl_table netns_core_table[] = {
90450 static __net_init int sysctl_core_net_init(struct net *net)
90452 - struct ctl_table *tbl;
90453 + ctl_table_no_const *tbl = NULL;
90455 net->core.sysctl_somaxconn = SOMAXCONN;
90457 - tbl = netns_core_table;
90458 if (!net_eq(net, &init_net)) {
90459 - tbl = kmemdup(tbl, sizeof(netns_core_table), GFP_KERNEL);
90460 + tbl = kmemdup(netns_core_table, sizeof(netns_core_table), GFP_KERNEL);
90464 @@ -227,17 +226,16 @@ static __net_init int sysctl_core_net_init(struct net *net)
90465 if (net->user_ns != &init_user_ns) {
90466 tbl[0].procname = NULL;
90470 - net->core.sysctl_hdr = register_net_sysctl(net, "net/core", tbl);
90471 + net->core.sysctl_hdr = register_net_sysctl(net, "net/core", tbl);
90473 + net->core.sysctl_hdr = register_net_sysctl(net, "net/core", netns_core_table);
90474 if (net->core.sysctl_hdr == NULL)
90480 - if (tbl != netns_core_table)
90486 @@ -252,7 +250,7 @@ static __net_exit void sysctl_core_net_exit(struct net *net)
90490 -static __net_initdata struct pernet_operations sysctl_core_ops = {
90491 +static __net_initconst struct pernet_operations sysctl_core_ops = {
90492 .init = sysctl_core_net_init,
90493 .exit = sysctl_core_net_exit,
90495 diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
90496 index c21f200..bc4565b 100644
90497 --- a/net/decnet/af_decnet.c
90498 +++ b/net/decnet/af_decnet.c
90499 @@ -465,6 +465,7 @@ static struct proto dn_proto = {
90500 .sysctl_rmem = sysctl_decnet_rmem,
90501 .max_header = DN_MAX_NSP_DATA_HEADER + 64,
90502 .obj_size = sizeof(struct dn_sock),
90503 + .slab_flags = SLAB_USERCOPY,
90506 static struct sock *dn_alloc_sock(struct net *net, struct socket *sock, gfp_t gfp)
90507 diff --git a/net/decnet/sysctl_net_decnet.c b/net/decnet/sysctl_net_decnet.c
90508 index a55eecc..dd8428c 100644
90509 --- a/net/decnet/sysctl_net_decnet.c
90510 +++ b/net/decnet/sysctl_net_decnet.c
90511 @@ -174,7 +174,7 @@ static int dn_node_address_handler(ctl_table *table, int write,
90513 if (len > *lenp) len = *lenp;
90515 - if (copy_to_user(buffer, addr, len))
90516 + if (len > sizeof addr || copy_to_user(buffer, addr, len))
90520 @@ -237,7 +237,7 @@ static int dn_def_dev_handler(ctl_table *table, int write,
90522 if (len > *lenp) len = *lenp;
90524 - if (copy_to_user(buffer, devname, len))
90525 + if (len > sizeof devname || copy_to_user(buffer, devname, len))
90529 diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
90530 index d01be2a..8976537 100644
90531 --- a/net/ipv4/af_inet.c
90532 +++ b/net/ipv4/af_inet.c
90533 @@ -1703,13 +1703,9 @@ static int __init inet_init(void)
90535 BUILD_BUG_ON(sizeof(struct inet_skb_parm) > FIELD_SIZEOF(struct sk_buff, cb));
90537 - sysctl_local_reserved_ports = kzalloc(65536 / 8, GFP_KERNEL);
90538 - if (!sysctl_local_reserved_ports)
90541 rc = proto_register(&tcp_prot, 1);
90543 - goto out_free_reserved_ports;
90546 rc = proto_register(&udp_prot, 1);
90548 @@ -1818,8 +1814,6 @@ out_unregister_udp_proto:
90549 proto_unregister(&udp_prot);
90550 out_unregister_tcp_proto:
90551 proto_unregister(&tcp_prot);
90552 -out_free_reserved_ports:
90553 - kfree(sysctl_local_reserved_ports);
90557 diff --git a/net/ipv4/ah4.c b/net/ipv4/ah4.c
90558 index 2e7f194..0fa4d6d 100644
90559 --- a/net/ipv4/ah4.c
90560 +++ b/net/ipv4/ah4.c
90561 @@ -420,7 +420,7 @@ static void ah4_err(struct sk_buff *skb, u32 info)
90564 if (icmp_hdr(skb)->type == ICMP_DEST_UNREACH) {
90565 - atomic_inc(&flow_cache_genid);
90566 + atomic_inc_unchecked(&flow_cache_genid);
90567 rt_genid_bump(net);
90569 ipv4_update_pmtu(skb, net, info, 0, 0, IPPROTO_AH, 0);
90570 diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
90571 index dfc39d4..0d4fa52 100644
90572 --- a/net/ipv4/devinet.c
90573 +++ b/net/ipv4/devinet.c
90574 @@ -771,7 +771,7 @@ static struct in_ifaddr *rtm_to_ifaddr(struct net *net, struct nlmsghdr *nlh,
90575 ci = nla_data(tb[IFA_CACHEINFO]);
90576 if (!ci->ifa_valid || ci->ifa_prefered > ci->ifa_valid) {
90579 + goto errout_free;
90581 *pvalid_lft = ci->ifa_valid;
90582 *pprefered_lft = ci->ifa_prefered;
90583 @@ -779,6 +779,8 @@ static struct in_ifaddr *rtm_to_ifaddr(struct net *net, struct nlmsghdr *nlh,
90588 + inet_free_ifa(ifa);
90590 return ERR_PTR(err);
90592 @@ -1529,7 +1531,7 @@ static int inet_dump_ifaddr(struct sk_buff *skb, struct netlink_callback *cb)
90594 head = &net->dev_index_head[h];
90596 - cb->seq = atomic_read(&net->ipv4.dev_addr_genid) ^
90597 + cb->seq = atomic_read_unchecked(&net->ipv4.dev_addr_genid) ^
90599 hlist_for_each_entry_rcu(dev, head, index_hlist) {
90601 @@ -1840,7 +1842,7 @@ static int inet_netconf_dump_devconf(struct sk_buff *skb,
90603 head = &net->dev_index_head[h];
90605 - cb->seq = atomic_read(&net->ipv4.dev_addr_genid) ^
90606 + cb->seq = atomic_read_unchecked(&net->ipv4.dev_addr_genid) ^
90608 hlist_for_each_entry_rcu(dev, head, index_hlist) {
90610 @@ -2065,7 +2067,7 @@ static int ipv4_doint_and_flush(ctl_table *ctl, int write,
90611 #define DEVINET_SYSCTL_FLUSHING_ENTRY(attr, name) \
90612 DEVINET_SYSCTL_COMPLEX_ENTRY(attr, name, ipv4_doint_and_flush)
90614 -static struct devinet_sysctl_table {
90615 +static const struct devinet_sysctl_table {
90616 struct ctl_table_header *sysctl_header;
90617 struct ctl_table devinet_vars[__IPV4_DEVCONF_MAX];
90618 } devinet_sysctl = {
90619 @@ -2183,7 +2185,7 @@ static __net_init int devinet_init_net(struct net *net)
90621 struct ipv4_devconf *all, *dflt;
90622 #ifdef CONFIG_SYSCTL
90623 - struct ctl_table *tbl = ctl_forward_entry;
90624 + ctl_table_no_const *tbl = NULL;
90625 struct ctl_table_header *forw_hdr;
90628 @@ -2201,7 +2203,7 @@ static __net_init int devinet_init_net(struct net *net)
90629 goto err_alloc_dflt;
90631 #ifdef CONFIG_SYSCTL
90632 - tbl = kmemdup(tbl, sizeof(ctl_forward_entry), GFP_KERNEL);
90633 + tbl = kmemdup(ctl_forward_entry, sizeof(ctl_forward_entry), GFP_KERNEL);
90635 goto err_alloc_ctl;
90637 @@ -2221,7 +2223,10 @@ static __net_init int devinet_init_net(struct net *net)
90641 - forw_hdr = register_net_sysctl(net, "net/ipv4", tbl);
90642 + if (!net_eq(net, &init_net))
90643 + forw_hdr = register_net_sysctl(net, "net/ipv4", tbl);
90645 + forw_hdr = register_net_sysctl(net, "net/ipv4", ctl_forward_entry);
90646 if (forw_hdr == NULL)
90648 net->ipv4.forw_hdr = forw_hdr;
90649 @@ -2237,8 +2242,7 @@ err_reg_ctl:
90651 __devinet_sysctl_unregister(all);
90653 - if (tbl != ctl_forward_entry)
90658 if (dflt != &ipv4_devconf_dflt)
90659 diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
90660 index 4cfe34d..d2fac8a 100644
90661 --- a/net/ipv4/esp4.c
90662 +++ b/net/ipv4/esp4.c
90663 @@ -477,7 +477,7 @@ static u32 esp4_get_mtu(struct xfrm_state *x, int mtu)
90666 return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) -
90667 - net_adj) & ~(align - 1)) + (net_adj - 2);
90668 + net_adj) & ~(align - 1)) + net_adj - 2;
90671 static void esp4_err(struct sk_buff *skb, u32 info)
90672 @@ -503,7 +503,7 @@ static void esp4_err(struct sk_buff *skb, u32 info)
90675 if (icmp_hdr(skb)->type == ICMP_DEST_UNREACH) {
90676 - atomic_inc(&flow_cache_genid);
90677 + atomic_inc_unchecked(&flow_cache_genid);
90678 rt_genid_bump(net);
90680 ipv4_update_pmtu(skb, net, info, 0, 0, IPPROTO_ESP, 0);
90681 diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
90682 index c7629a2..b62d139 100644
90683 --- a/net/ipv4/fib_frontend.c
90684 +++ b/net/ipv4/fib_frontend.c
90685 @@ -1017,12 +1017,12 @@ static int fib_inetaddr_event(struct notifier_block *this, unsigned long event,
90686 #ifdef CONFIG_IP_ROUTE_MULTIPATH
90689 - atomic_inc(&net->ipv4.dev_addr_genid);
90690 + atomic_inc_unchecked(&net->ipv4.dev_addr_genid);
90691 rt_cache_flush(dev_net(dev));
90694 fib_del_ifaddr(ifa, NULL);
90695 - atomic_inc(&net->ipv4.dev_addr_genid);
90696 + atomic_inc_unchecked(&net->ipv4.dev_addr_genid);
90697 if (ifa->ifa_dev->ifa_list == NULL) {
90698 /* Last address was deleted from this interface.
90700 @@ -1058,7 +1058,7 @@ static int fib_netdev_event(struct notifier_block *this, unsigned long event, vo
90701 #ifdef CONFIG_IP_ROUTE_MULTIPATH
90704 - atomic_inc(&net->ipv4.dev_addr_genid);
90705 + atomic_inc_unchecked(&net->ipv4.dev_addr_genid);
90706 rt_cache_flush(net);
90709 diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
90710 index 8f6cb7a..34507f9 100644
90711 --- a/net/ipv4/fib_semantics.c
90712 +++ b/net/ipv4/fib_semantics.c
90713 @@ -765,7 +765,7 @@ __be32 fib_info_update_nh_saddr(struct net *net, struct fib_nh *nh)
90714 nh->nh_saddr = inet_select_addr(nh->nh_dev,
90716 nh->nh_parent->fib_scope);
90717 - nh->nh_saddr_genid = atomic_read(&net->ipv4.dev_addr_genid);
90718 + nh->nh_saddr_genid = atomic_read_unchecked(&net->ipv4.dev_addr_genid);
90720 return nh->nh_saddr;
90722 diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
90723 index 49616fe..6e8a13d 100644
90724 --- a/net/ipv4/fib_trie.c
90725 +++ b/net/ipv4/fib_trie.c
90727 #include <linux/init.h>
90728 #include <linux/list.h>
90729 #include <linux/slab.h>
90730 -#include <linux/prefetch.h>
90731 #include <linux/export.h>
90732 #include <net/net_namespace.h>
90733 #include <net/ip.h>
90734 @@ -1761,10 +1760,8 @@ static struct leaf *leaf_walk_rcu(struct tnode *p, struct rt_trie_node *c)
90738 - if (IS_LEAF(c)) {
90739 - prefetch(rcu_dereference_rtnl(p->child[idx]));
90741 return (struct leaf *) c;
90744 /* Rescan start scanning in new node */
90745 p = (struct tnode *) c;
90746 diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
90747 index 6acb541..9ea617d 100644
90748 --- a/net/ipv4/inet_connection_sock.c
90749 +++ b/net/ipv4/inet_connection_sock.c
90750 @@ -37,7 +37,7 @@ struct local_ports sysctl_local_ports __read_mostly = {
90751 .range = { 32768, 61000 },
90754 -unsigned long *sysctl_local_reserved_ports;
90755 +unsigned long sysctl_local_reserved_ports[65536 / 8 / sizeof(unsigned long)];
90756 EXPORT_SYMBOL(sysctl_local_reserved_ports);
90758 void inet_get_local_port_range(int *low, int *high)
90759 diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
90760 index 6af375a..c493c74 100644
90761 --- a/net/ipv4/inet_hashtables.c
90762 +++ b/net/ipv4/inet_hashtables.c
90763 @@ -18,12 +18,15 @@
90764 #include <linux/sched.h>
90765 #include <linux/slab.h>
90766 #include <linux/wait.h>
90767 +#include <linux/security.h>
90769 #include <net/inet_connection_sock.h>
90770 #include <net/inet_hashtables.h>
90771 #include <net/secure_seq.h>
90772 #include <net/ip.h>
90774 +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
90777 * Allocate and initialize a new local port bind bucket.
90778 * The bindhash mutex for snum's hash chain must be held here.
90779 @@ -554,6 +557,8 @@ ok:
90780 twrefcnt += inet_twsk_bind_unhash(tw, hinfo);
90781 spin_unlock(&head->lock);
90783 + gr_update_task_in_ip_table(current, inet_sk(sk));
90786 inet_twsk_deschedule(tw, death_row);
90788 diff --git a/net/ipv4/inetpeer.c b/net/ipv4/inetpeer.c
90789 index 000e3d2..5472da3 100644
90790 --- a/net/ipv4/inetpeer.c
90791 +++ b/net/ipv4/inetpeer.c
90792 @@ -503,8 +503,8 @@ relookup:
90795 atomic_set(&p->refcnt, 1);
90796 - atomic_set(&p->rid, 0);
90797 - atomic_set(&p->ip_id_count,
90798 + atomic_set_unchecked(&p->rid, 0);
90799 + atomic_set_unchecked(&p->ip_id_count,
90800 (daddr->family == AF_INET) ?
90801 secure_ip_id(daddr->addr.a4) :
90802 secure_ipv6_id(daddr->addr.a6));
90803 diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
90804 index b66910a..cfe416e 100644
90805 --- a/net/ipv4/ip_fragment.c
90806 +++ b/net/ipv4/ip_fragment.c
90807 @@ -282,7 +282,7 @@ static inline int ip_frag_too_far(struct ipq *qp)
90811 - end = atomic_inc_return(&peer->rid);
90812 + end = atomic_inc_return_unchecked(&peer->rid);
90815 rc = qp->q.fragments && (end - start) > max;
90816 @@ -759,12 +759,11 @@ static struct ctl_table ip4_frags_ctl_table[] = {
90818 static int __net_init ip4_frags_ns_ctl_register(struct net *net)
90820 - struct ctl_table *table;
90821 + ctl_table_no_const *table = NULL;
90822 struct ctl_table_header *hdr;
90824 - table = ip4_frags_ns_ctl_table;
90825 if (!net_eq(net, &init_net)) {
90826 - table = kmemdup(table, sizeof(ip4_frags_ns_ctl_table), GFP_KERNEL);
90827 + table = kmemdup(ip4_frags_ns_ctl_table, sizeof(ip4_frags_ns_ctl_table), GFP_KERNEL);
90831 @@ -775,9 +774,10 @@ static int __net_init ip4_frags_ns_ctl_register(struct net *net)
90832 /* Don't export sysctls to unprivileged users */
90833 if (net->user_ns != &init_user_ns)
90834 table[0].procname = NULL;
90836 + hdr = register_net_sysctl(net, "net/ipv4", table);
90838 + hdr = register_net_sysctl(net, "net/ipv4", ip4_frags_ns_ctl_table);
90840 - hdr = register_net_sysctl(net, "net/ipv4", table);
90844 @@ -785,8 +785,7 @@ static int __net_init ip4_frags_ns_ctl_register(struct net *net)
90848 - if (!net_eq(net, &init_net))
90854 diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
90855 index 855004f..9644112 100644
90856 --- a/net/ipv4/ip_gre.c
90857 +++ b/net/ipv4/ip_gre.c
90858 @@ -115,7 +115,7 @@ static bool log_ecn_error = true;
90859 module_param(log_ecn_error, bool, 0644);
90860 MODULE_PARM_DESC(log_ecn_error, "Log packets received with corrupted ECN");
90862 -static struct rtnl_link_ops ipgre_link_ops __read_mostly;
90863 +static struct rtnl_link_ops ipgre_link_ops;
90864 static int ipgre_tunnel_init(struct net_device *dev);
90866 static int ipgre_net_id __read_mostly;
90867 @@ -572,7 +572,7 @@ static int ipgre_header(struct sk_buff *skb, struct net_device *dev,
90869 memcpy(&iph->daddr, daddr, 4);
90872 + return t->hlen + sizeof(*iph);
90874 return -(t->hlen + sizeof(*iph));
90876 @@ -919,7 +919,7 @@ static const struct nla_policy ipgre_policy[IFLA_GRE_MAX + 1] = {
90877 [IFLA_GRE_PMTUDISC] = { .type = NLA_U8 },
90880 -static struct rtnl_link_ops ipgre_link_ops __read_mostly = {
90881 +static struct rtnl_link_ops ipgre_link_ops = {
90883 .maxtype = IFLA_GRE_MAX,
90884 .policy = ipgre_policy,
90885 @@ -933,7 +933,7 @@ static struct rtnl_link_ops ipgre_link_ops __read_mostly = {
90886 .fill_info = ipgre_fill_info,
90889 -static struct rtnl_link_ops ipgre_tap_ops __read_mostly = {
90890 +static struct rtnl_link_ops ipgre_tap_ops = {
90892 .maxtype = IFLA_GRE_MAX,
90893 .policy = ipgre_policy,
90894 diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
90895 index d9c4f11..02b82dbc 100644
90896 --- a/net/ipv4/ip_sockglue.c
90897 +++ b/net/ipv4/ip_sockglue.c
90898 @@ -1152,7 +1152,8 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
90899 len = min_t(unsigned int, len, opt->optlen);
90900 if (put_user(len, optlen))
90902 - if (copy_to_user(optval, opt->__data, len))
90903 + if ((len > (sizeof(optbuf) - sizeof(struct ip_options))) ||
90904 + copy_to_user(optval, opt->__data, len))
90908 @@ -1283,7 +1284,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
90909 if (sk->sk_type != SOCK_STREAM)
90910 return -ENOPROTOOPT;
90912 - msg.msg_control = optval;
90913 + msg.msg_control = (void __force_kernel *)optval;
90914 msg.msg_controllen = len;
90915 msg.msg_flags = flags;
90917 diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
90918 index 17cc0ff..63856c4 100644
90919 --- a/net/ipv4/ip_vti.c
90920 +++ b/net/ipv4/ip_vti.c
90922 #define HASH_SIZE 16
90923 #define HASH(addr) (((__force u32)addr^((__force u32)addr>>4))&(HASH_SIZE-1))
90925 -static struct rtnl_link_ops vti_link_ops __read_mostly;
90926 +static struct rtnl_link_ops vti_link_ops;
90928 static int vti_net_id __read_mostly;
90930 @@ -840,7 +840,7 @@ static const struct nla_policy vti_policy[IFLA_VTI_MAX + 1] = {
90931 [IFLA_VTI_REMOTE] = { .len = FIELD_SIZEOF(struct iphdr, daddr) },
90934 -static struct rtnl_link_ops vti_link_ops __read_mostly = {
90935 +static struct rtnl_link_ops vti_link_ops = {
90937 .maxtype = IFLA_VTI_MAX,
90938 .policy = vti_policy,
90939 diff --git a/net/ipv4/ipcomp.c b/net/ipv4/ipcomp.c
90940 index 59cb8c7..a72160c 100644
90941 --- a/net/ipv4/ipcomp.c
90942 +++ b/net/ipv4/ipcomp.c
90943 @@ -48,7 +48,7 @@ static void ipcomp4_err(struct sk_buff *skb, u32 info)
90946 if (icmp_hdr(skb)->type == ICMP_DEST_UNREACH) {
90947 - atomic_inc(&flow_cache_genid);
90948 + atomic_inc_unchecked(&flow_cache_genid);
90949 rt_genid_bump(net);
90951 ipv4_update_pmtu(skb, net, info, 0, 0, IPPROTO_COMP, 0);
90952 diff --git a/net/ipv4/ipconfig.c b/net/ipv4/ipconfig.c
90953 index efa1138..20dbba0 100644
90954 --- a/net/ipv4/ipconfig.c
90955 +++ b/net/ipv4/ipconfig.c
90956 @@ -334,7 +334,7 @@ static int __init ic_devinet_ioctl(unsigned int cmd, struct ifreq *arg)
90958 mm_segment_t oldfs = get_fs();
90960 - res = devinet_ioctl(&init_net, cmd, (struct ifreq __user *) arg);
90961 + res = devinet_ioctl(&init_net, cmd, (struct ifreq __force_user *) arg);
90965 @@ -345,7 +345,7 @@ static int __init ic_dev_ioctl(unsigned int cmd, struct ifreq *arg)
90967 mm_segment_t oldfs = get_fs();
90969 - res = dev_ioctl(&init_net, cmd, (struct ifreq __user *) arg);
90970 + res = dev_ioctl(&init_net, cmd, (struct ifreq __force_user *) arg);
90974 @@ -356,7 +356,7 @@ static int __init ic_route_ioctl(unsigned int cmd, struct rtentry *arg)
90976 mm_segment_t oldfs = get_fs();
90978 - res = ip_rt_ioctl(&init_net, cmd, (void __user *) arg);
90979 + res = ip_rt_ioctl(&init_net, cmd, (void __force_user *) arg);
90983 diff --git a/net/ipv4/ipip.c b/net/ipv4/ipip.c
90984 index 7cfc456..e726868 100644
90985 --- a/net/ipv4/ipip.c
90986 +++ b/net/ipv4/ipip.c
90987 @@ -124,7 +124,7 @@ MODULE_PARM_DESC(log_ecn_error, "Log packets received with corrupted ECN");
90988 static int ipip_net_id __read_mostly;
90990 static int ipip_tunnel_init(struct net_device *dev);
90991 -static struct rtnl_link_ops ipip_link_ops __read_mostly;
90992 +static struct rtnl_link_ops ipip_link_ops;
90994 static int ipip_err(struct sk_buff *skb, u32 info)
90996 @@ -406,7 +406,7 @@ static const struct nla_policy ipip_policy[IFLA_IPTUN_MAX + 1] = {
90997 [IFLA_IPTUN_PMTUDISC] = { .type = NLA_U8 },
91000 -static struct rtnl_link_ops ipip_link_ops __read_mostly = {
91001 +static struct rtnl_link_ops ipip_link_ops = {
91003 .maxtype = IFLA_IPTUN_MAX,
91004 .policy = ipip_policy,
91005 diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
91006 index 85a4f21..1beb1f5 100644
91007 --- a/net/ipv4/netfilter/arp_tables.c
91008 +++ b/net/ipv4/netfilter/arp_tables.c
91009 @@ -880,14 +880,14 @@ static int compat_table_info(const struct xt_table_info *info,
91012 static int get_info(struct net *net, void __user *user,
91013 - const int *len, int compat)
91014 + int len, int compat)
91016 char name[XT_TABLE_MAXNAMELEN];
91017 struct xt_table *t;
91020 - if (*len != sizeof(struct arpt_getinfo)) {
91021 - duprintf("length %u != %Zu\n", *len,
91022 + if (len != sizeof(struct arpt_getinfo)) {
91023 + duprintf("length %u != %Zu\n", len,
91024 sizeof(struct arpt_getinfo));
91027 @@ -924,7 +924,7 @@ static int get_info(struct net *net, void __user *user,
91028 info.size = private->size;
91029 strcpy(info.name, name);
91031 - if (copy_to_user(user, &info, *len) != 0)
91032 + if (copy_to_user(user, &info, len) != 0)
91036 @@ -1683,7 +1683,7 @@ static int compat_do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user,
91039 case ARPT_SO_GET_INFO:
91040 - ret = get_info(sock_net(sk), user, len, 1);
91041 + ret = get_info(sock_net(sk), user, *len, 1);
91043 case ARPT_SO_GET_ENTRIES:
91044 ret = compat_get_entries(sock_net(sk), user, len);
91045 @@ -1728,7 +1728,7 @@ static int do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len
91048 case ARPT_SO_GET_INFO:
91049 - ret = get_info(sock_net(sk), user, len, 0);
91050 + ret = get_info(sock_net(sk), user, *len, 0);
91053 case ARPT_SO_GET_ENTRIES:
91054 diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
91055 index d23118d..6ad7277 100644
91056 --- a/net/ipv4/netfilter/ip_tables.c
91057 +++ b/net/ipv4/netfilter/ip_tables.c
91058 @@ -1068,14 +1068,14 @@ static int compat_table_info(const struct xt_table_info *info,
91061 static int get_info(struct net *net, void __user *user,
91062 - const int *len, int compat)
91063 + int len, int compat)
91065 char name[XT_TABLE_MAXNAMELEN];
91066 struct xt_table *t;
91069 - if (*len != sizeof(struct ipt_getinfo)) {
91070 - duprintf("length %u != %zu\n", *len,
91071 + if (len != sizeof(struct ipt_getinfo)) {
91072 + duprintf("length %u != %zu\n", len,
91073 sizeof(struct ipt_getinfo));
91076 @@ -1112,7 +1112,7 @@ static int get_info(struct net *net, void __user *user,
91077 info.size = private->size;
91078 strcpy(info.name, name);
91080 - if (copy_to_user(user, &info, *len) != 0)
91081 + if (copy_to_user(user, &info, len) != 0)
91085 @@ -1966,7 +1966,7 @@ compat_do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
91088 case IPT_SO_GET_INFO:
91089 - ret = get_info(sock_net(sk), user, len, 1);
91090 + ret = get_info(sock_net(sk), user, *len, 1);
91092 case IPT_SO_GET_ENTRIES:
91093 ret = compat_get_entries(sock_net(sk), user, len);
91094 @@ -2013,7 +2013,7 @@ do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
91097 case IPT_SO_GET_INFO:
91098 - ret = get_info(sock_net(sk), user, len, 0);
91099 + ret = get_info(sock_net(sk), user, *len, 0);
91102 case IPT_SO_GET_ENTRIES:
91103 diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
91104 index 7d93d62..cbbf2a3 100644
91105 --- a/net/ipv4/ping.c
91106 +++ b/net/ipv4/ping.c
91107 @@ -843,7 +843,7 @@ static void ping_format_sock(struct sock *sp, struct seq_file *f,
91108 from_kuid_munged(seq_user_ns(f), sock_i_uid(sp)),
91110 atomic_read(&sp->sk_refcnt), sp,
91111 - atomic_read(&sp->sk_drops), len);
91112 + atomic_read_unchecked(&sp->sk_drops), len);
91115 static int ping_seq_show(struct seq_file *seq, void *v)
91116 diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
91117 index dd44e0a..06dcca4 100644
91118 --- a/net/ipv4/raw.c
91119 +++ b/net/ipv4/raw.c
91120 @@ -309,7 +309,7 @@ static int raw_rcv_skb(struct sock *sk, struct sk_buff *skb)
91121 int raw_rcv(struct sock *sk, struct sk_buff *skb)
91123 if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) {
91124 - atomic_inc(&sk->sk_drops);
91125 + atomic_inc_unchecked(&sk->sk_drops);
91127 return NET_RX_DROP;
91129 @@ -745,16 +745,20 @@ static int raw_init(struct sock *sk)
91131 static int raw_seticmpfilter(struct sock *sk, char __user *optval, int optlen)
91133 + struct icmp_filter filter;
91135 if (optlen > sizeof(struct icmp_filter))
91136 optlen = sizeof(struct icmp_filter);
91137 - if (copy_from_user(&raw_sk(sk)->filter, optval, optlen))
91138 + if (copy_from_user(&filter, optval, optlen))
91140 + raw_sk(sk)->filter = filter;
91144 static int raw_geticmpfilter(struct sock *sk, char __user *optval, int __user *optlen)
91146 int len, ret = -EFAULT;
91147 + struct icmp_filter filter;
91149 if (get_user(len, optlen))
91151 @@ -764,8 +768,8 @@ static int raw_geticmpfilter(struct sock *sk, char __user *optval, int __user *o
91152 if (len > sizeof(struct icmp_filter))
91153 len = sizeof(struct icmp_filter);
91155 - if (put_user(len, optlen) ||
91156 - copy_to_user(optval, &raw_sk(sk)->filter, len))
91157 + filter = raw_sk(sk)->filter;
91158 + if (put_user(len, optlen) || len > sizeof filter || copy_to_user(optval, &filter, len))
91162 @@ -994,7 +998,7 @@ static void raw_sock_seq_show(struct seq_file *seq, struct sock *sp, int i)
91164 from_kuid_munged(seq_user_ns(seq), sock_i_uid(sp)),
91166 - atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
91167 + atomic_read(&sp->sk_refcnt), sp, atomic_read_unchecked(&sp->sk_drops));
91170 static int raw_seq_show(struct seq_file *seq, void *v)
91171 diff --git a/net/ipv4/route.c b/net/ipv4/route.c
91172 index d35bbf0..faa3ab8 100644
91173 --- a/net/ipv4/route.c
91174 +++ b/net/ipv4/route.c
91175 @@ -2558,34 +2558,34 @@ static struct ctl_table ipv4_route_flush_table[] = {
91176 .maxlen = sizeof(int),
91178 .proc_handler = ipv4_sysctl_rtcache_flush,
91179 + .extra1 = &init_net,
91184 static __net_init int sysctl_route_net_init(struct net *net)
91186 - struct ctl_table *tbl;
91187 + ctl_table_no_const *tbl = NULL;
91189 - tbl = ipv4_route_flush_table;
91190 if (!net_eq(net, &init_net)) {
91191 - tbl = kmemdup(tbl, sizeof(ipv4_route_flush_table), GFP_KERNEL);
91192 + tbl = kmemdup(ipv4_route_flush_table, sizeof(ipv4_route_flush_table), GFP_KERNEL);
91196 /* Don't export sysctls to unprivileged users */
91197 if (net->user_ns != &init_user_ns)
91198 tbl[0].procname = NULL;
91200 - tbl[0].extra1 = net;
91201 + tbl[0].extra1 = net;
91202 + net->ipv4.route_hdr = register_net_sysctl(net, "net/ipv4/route", tbl);
91204 + net->ipv4.route_hdr = register_net_sysctl(net, "net/ipv4/route", ipv4_route_flush_table);
91206 - net->ipv4.route_hdr = register_net_sysctl(net, "net/ipv4/route", tbl);
91207 if (net->ipv4.route_hdr == NULL)
91212 - if (tbl != ipv4_route_flush_table)
91218 @@ -2608,7 +2608,7 @@ static __net_initdata struct pernet_operations sysctl_route_ops = {
91220 static __net_init int rt_genid_init(struct net *net)
91222 - atomic_set(&net->rt_genid, 0);
91223 + atomic_set_unchecked(&net->rt_genid, 0);
91224 get_random_bytes(&net->ipv4.dev_addr_genid,
91225 sizeof(net->ipv4.dev_addr_genid));
91227 diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
91228 index 3f25e75..3ae0f4d 100644
91229 --- a/net/ipv4/sysctl_net_ipv4.c
91230 +++ b/net/ipv4/sysctl_net_ipv4.c
91231 @@ -57,7 +57,7 @@ static int ipv4_local_port_range(ctl_table *table, int write,
91235 - ctl_table tmp = {
91236 + ctl_table_no_const tmp = {
91238 .maxlen = sizeof(range),
91239 .mode = table->mode,
91240 @@ -110,7 +110,7 @@ static int ipv4_ping_group_range(ctl_table *table, int write,
91244 - ctl_table tmp = {
91245 + ctl_table_no_const tmp = {
91247 .maxlen = sizeof(urange),
91248 .mode = table->mode,
91249 @@ -141,7 +141,7 @@ static int proc_tcp_congestion_control(ctl_table *ctl, int write,
91250 void __user *buffer, size_t *lenp, loff_t *ppos)
91252 char val[TCP_CA_NAME_MAX];
91253 - ctl_table tbl = {
91254 + ctl_table_no_const tbl = {
91256 .maxlen = TCP_CA_NAME_MAX,
91258 @@ -160,7 +160,7 @@ static int proc_tcp_available_congestion_control(ctl_table *ctl,
91259 void __user *buffer, size_t *lenp,
91262 - ctl_table tbl = { .maxlen = TCP_CA_BUF_MAX, };
91263 + ctl_table_no_const tbl = { .maxlen = TCP_CA_BUF_MAX, };
91266 tbl.data = kmalloc(tbl.maxlen, GFP_USER);
91267 @@ -177,7 +177,7 @@ static int proc_allowed_congestion_control(ctl_table *ctl,
91268 void __user *buffer, size_t *lenp,
91271 - ctl_table tbl = { .maxlen = TCP_CA_BUF_MAX };
91272 + ctl_table_no_const tbl = { .maxlen = TCP_CA_BUF_MAX };
91275 tbl.data = kmalloc(tbl.maxlen, GFP_USER);
91276 @@ -203,15 +203,17 @@ static int ipv4_tcp_mem(ctl_table *ctl, int write,
91277 struct mem_cgroup *memcg;
91280 - ctl_table tmp = {
91281 + ctl_table_no_const tmp = {
91283 .maxlen = sizeof(vec),
91288 - ctl->data = &net->ipv4.sysctl_tcp_mem;
91289 - return proc_doulongvec_minmax(ctl, write, buffer, lenp, ppos);
91290 + ctl_table_no_const tcp_mem = *ctl;
91292 + tcp_mem.data = &net->ipv4.sysctl_tcp_mem;
91293 + return proc_doulongvec_minmax(&tcp_mem, write, buffer, lenp, ppos);
91296 ret = proc_doulongvec_minmax(&tmp, write, buffer, lenp, ppos);
91297 @@ -238,7 +240,7 @@ static int ipv4_tcp_mem(ctl_table *ctl, int write,
91298 static int proc_tcp_fastopen_key(ctl_table *ctl, int write, void __user *buffer,
91299 size_t *lenp, loff_t *ppos)
91301 - ctl_table tbl = { .maxlen = (TCP_FASTOPEN_KEY_LENGTH * 2 + 10) };
91302 + ctl_table_no_const tbl = { .maxlen = (TCP_FASTOPEN_KEY_LENGTH * 2 + 10) };
91303 struct tcp_fastopen_context *ctxt;
91305 u32 user_key[4]; /* 16 bytes, matching TCP_FASTOPEN_KEY_LENGTH */
91306 @@ -481,7 +483,7 @@ static struct ctl_table ipv4_table[] = {
91309 .procname = "ip_local_reserved_ports",
91310 - .data = NULL, /* initialized in sysctl_ipv4_init */
91311 + .data = sysctl_local_reserved_ports,
91314 .proc_handler = proc_do_large_bitmap,
91315 @@ -846,11 +848,10 @@ static struct ctl_table ipv4_net_table[] = {
91317 static __net_init int ipv4_sysctl_init_net(struct net *net)
91319 - struct ctl_table *table;
91320 + ctl_table_no_const *table = NULL;
91322 - table = ipv4_net_table;
91323 if (!net_eq(net, &init_net)) {
91324 - table = kmemdup(table, sizeof(ipv4_net_table), GFP_KERNEL);
91325 + table = kmemdup(ipv4_net_table, sizeof(ipv4_net_table), GFP_KERNEL);
91329 @@ -885,15 +886,17 @@ static __net_init int ipv4_sysctl_init_net(struct net *net)
91333 - net->ipv4.ipv4_hdr = register_net_sysctl(net, "net/ipv4", table);
91334 + if (!net_eq(net, &init_net))
91335 + net->ipv4.ipv4_hdr = register_net_sysctl(net, "net/ipv4", table);
91337 + net->ipv4.ipv4_hdr = register_net_sysctl(net, "net/ipv4", ipv4_net_table);
91338 if (net->ipv4.ipv4_hdr == NULL)
91344 - if (!net_eq(net, &init_net))
91350 @@ -915,16 +918,6 @@ static __net_initdata struct pernet_operations ipv4_sysctl_ops = {
91351 static __init int sysctl_ipv4_init(void)
91353 struct ctl_table_header *hdr;
91354 - struct ctl_table *i;
91356 - for (i = ipv4_table; i->procname; i++) {
91357 - if (strcmp(i->procname, "ip_local_reserved_ports") == 0) {
91358 - i->data = sysctl_local_reserved_ports;
91362 - if (!i->procname)
91365 hdr = register_net_sysctl(&init_net, "net/ipv4", ipv4_table);
91367 diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
91368 index 9c62257..651cc27 100644
91369 --- a/net/ipv4/tcp_input.c
91370 +++ b/net/ipv4/tcp_input.c
91371 @@ -4436,7 +4436,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb,
91375 -tcp_collapse(struct sock *sk, struct sk_buff_head *list,
91376 +__intentional_overflow(5,6) tcp_collapse(struct sock *sk, struct sk_buff_head *list,
91377 struct sk_buff *head, struct sk_buff *tail,
91378 u32 start, u32 end)
91380 @@ -5522,6 +5522,7 @@ discard:
91381 tcp_paws_reject(&tp->rx_opt, 0))
91382 goto discard_and_undo;
91384 +#ifndef CONFIG_GRKERNSEC_NO_SIMULT_CONNECT
91386 /* We see SYN without ACK. It is attempt of
91387 * simultaneous connect with crossed SYNs.
91388 @@ -5572,6 +5573,7 @@ discard:
91393 /* "fifth, if neither of the SYN or RST bits is set then
91394 * drop the segment and return."
91396 @@ -5616,7 +5618,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
91401 + if (th->fin || th->urg || th->psh)
91403 if (icsk->icsk_af_ops->conn_request(sk, skb) < 0)
91405 diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
91406 index 7999fc5..c812f42 100644
91407 --- a/net/ipv4/tcp_ipv4.c
91408 +++ b/net/ipv4/tcp_ipv4.c
91409 @@ -90,6 +90,10 @@ int sysctl_tcp_low_latency __read_mostly;
91410 EXPORT_SYMBOL(sysctl_tcp_low_latency);
91413 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
91414 +extern int grsec_enable_blackhole;
91417 #ifdef CONFIG_TCP_MD5SIG
91418 static int tcp_v4_md5_hash_hdr(char *md5_hash, const struct tcp_md5sig_key *key,
91419 __be32 daddr, __be32 saddr, const struct tcphdr *th);
91420 @@ -1855,6 +1859,9 @@ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)
91424 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
91425 + if (!grsec_enable_blackhole)
91427 tcp_v4_send_reset(rsk, skb);
91430 @@ -2000,12 +2007,19 @@ int tcp_v4_rcv(struct sk_buff *skb)
91431 TCP_SKB_CB(skb)->sacked = 0;
91433 sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
91436 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
91439 goto no_tcp_socket;
91443 - if (sk->sk_state == TCP_TIME_WAIT)
91444 + if (sk->sk_state == TCP_TIME_WAIT) {
91445 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
91451 if (unlikely(iph->ttl < inet_sk(sk)->min_ttl)) {
91452 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
91453 @@ -2058,6 +2072,10 @@ csum_error:
91455 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
91457 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
91458 + if (!grsec_enable_blackhole || (ret == 1 &&
91459 + (skb->dev->flags & IFF_LOOPBACK)))
91461 tcp_v4_send_reset(NULL, skb);
91464 diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
91465 index 0f01788..d52a859 100644
91466 --- a/net/ipv4/tcp_minisocks.c
91467 +++ b/net/ipv4/tcp_minisocks.c
91469 #include <net/inet_common.h>
91470 #include <net/xfrm.h>
91472 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
91473 +extern int grsec_enable_blackhole;
91476 int sysctl_tcp_syncookies __read_mostly = 1;
91477 EXPORT_SYMBOL(sysctl_tcp_syncookies);
91479 @@ -717,7 +721,10 @@ embryonic_reset:
91480 * avoid becoming vulnerable to outside attack aiming at
91481 * resetting legit local connections.
91483 - req->rsk_ops->send_reset(sk, skb);
91484 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
91485 + if (!grsec_enable_blackhole)
91487 + req->rsk_ops->send_reset(sk, skb);
91488 } else if (fastopen) { /* received a valid RST pkt */
91489 reqsk_fastopen_remove(sk, req, true);
91491 diff --git a/net/ipv4/tcp_probe.c b/net/ipv4/tcp_probe.c
91492 index d4943f6..e7a74a5 100644
91493 --- a/net/ipv4/tcp_probe.c
91494 +++ b/net/ipv4/tcp_probe.c
91495 @@ -204,7 +204,7 @@ static ssize_t tcpprobe_read(struct file *file, char __user *buf,
91496 if (cnt + width >= len)
91499 - if (copy_to_user(buf + cnt, tbuf, width))
91500 + if (width > sizeof tbuf || copy_to_user(buf + cnt, tbuf, width))
91504 diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
91505 index 4b85e6f..22f9ac9 100644
91506 --- a/net/ipv4/tcp_timer.c
91507 +++ b/net/ipv4/tcp_timer.c
91509 #include <linux/gfp.h>
91510 #include <net/tcp.h>
91512 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
91513 +extern int grsec_lastack_retries;
91516 int sysctl_tcp_syn_retries __read_mostly = TCP_SYN_RETRIES;
91517 int sysctl_tcp_synack_retries __read_mostly = TCP_SYNACK_RETRIES;
91518 int sysctl_tcp_keepalive_time __read_mostly = TCP_KEEPALIVE_TIME;
91519 @@ -185,6 +189,13 @@ static int tcp_write_timeout(struct sock *sk)
91523 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
91524 + if ((sk->sk_state == TCP_LAST_ACK) &&
91525 + (grsec_lastack_retries > 0) &&
91526 + (grsec_lastack_retries < retry_until))
91527 + retry_until = grsec_lastack_retries;
91530 if (retransmits_timed_out(sk, retry_until,
91531 syn_set ? 0 : icsk->icsk_user_timeout, syn_set)) {
91532 /* Has it gone just too far? */
91533 diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
91534 index 93b731d..5a2dd92 100644
91535 --- a/net/ipv4/udp.c
91536 +++ b/net/ipv4/udp.c
91538 #include <linux/types.h>
91539 #include <linux/fcntl.h>
91540 #include <linux/module.h>
91541 +#include <linux/security.h>
91542 #include <linux/socket.h>
91543 #include <linux/sockios.h>
91544 #include <linux/igmp.h>
91545 @@ -111,6 +112,10 @@
91546 #include <trace/events/skb.h>
91547 #include "udp_impl.h"
91549 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
91550 +extern int grsec_enable_blackhole;
91553 struct udp_table udp_table __read_mostly;
91554 EXPORT_SYMBOL(udp_table);
91556 @@ -594,6 +599,9 @@ found:
91560 +extern int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
91561 +extern int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
91564 * This routine is called by the ICMP module when it gets some
91565 * sort of error condition. If err < 0 then the socket should
91566 @@ -890,9 +898,18 @@ int udp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
91567 dport = usin->sin_port;
91571 + err = gr_search_udp_sendmsg(sk, usin);
91575 if (sk->sk_state != TCP_ESTABLISHED)
91576 return -EDESTADDRREQ;
91578 + err = gr_search_udp_sendmsg(sk, NULL);
91582 daddr = inet->inet_daddr;
91583 dport = inet->inet_dport;
91584 /* Open fast path for connected socket.
91585 @@ -1136,7 +1153,7 @@ static unsigned int first_packet_length(struct sock *sk)
91587 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS,
91589 - atomic_inc(&sk->sk_drops);
91590 + atomic_inc_unchecked(&sk->sk_drops);
91591 __skb_unlink(skb, rcvq);
91592 __skb_queue_tail(&list_kill, skb);
91594 @@ -1222,6 +1239,10 @@ try_again:
91598 + err = gr_search_udp_recvmsg(sk, skb);
91602 ulen = skb->len - sizeof(struct udphdr);
91605 @@ -1255,7 +1276,7 @@ try_again:
91606 if (unlikely(err)) {
91607 trace_kfree_skb(skb, udp_recvmsg);
91609 - atomic_inc(&sk->sk_drops);
91610 + atomic_inc_unchecked(&sk->sk_drops);
91611 UDP_INC_STATS_USER(sock_net(sk),
91612 UDP_MIB_INERRORS, is_udplite);
91614 @@ -1542,7 +1563,7 @@ csum_error:
91615 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_CSUMERRORS, is_udplite);
91617 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, is_udplite);
91618 - atomic_inc(&sk->sk_drops);
91619 + atomic_inc_unchecked(&sk->sk_drops);
91623 @@ -1561,7 +1582,7 @@ static void flush_stack(struct sock **stack, unsigned int count,
91624 skb1 = (i == final) ? skb : skb_clone(skb, GFP_ATOMIC);
91627 - atomic_inc(&sk->sk_drops);
91628 + atomic_inc_unchecked(&sk->sk_drops);
91629 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_RCVBUFERRORS,
91631 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS,
91632 @@ -1730,6 +1751,9 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
91635 UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
91636 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
91637 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
91639 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
91642 @@ -2160,7 +2184,7 @@ static void udp4_format_sock(struct sock *sp, struct seq_file *f,
91643 from_kuid_munged(seq_user_ns(f), sock_i_uid(sp)),
91645 atomic_read(&sp->sk_refcnt), sp,
91646 - atomic_read(&sp->sk_drops), len);
91647 + atomic_read_unchecked(&sp->sk_drops), len);
91650 int udp4_seq_show(struct seq_file *seq, void *v)
91651 diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
91652 index 9a459be..086b866 100644
91653 --- a/net/ipv4/xfrm4_policy.c
91654 +++ b/net/ipv4/xfrm4_policy.c
91655 @@ -264,19 +264,18 @@ static struct ctl_table xfrm4_policy_table[] = {
91657 static int __net_init xfrm4_net_init(struct net *net)
91659 - struct ctl_table *table;
91660 + ctl_table_no_const *table = NULL;
91661 struct ctl_table_header *hdr;
91663 - table = xfrm4_policy_table;
91664 if (!net_eq(net, &init_net)) {
91665 - table = kmemdup(table, sizeof(xfrm4_policy_table), GFP_KERNEL);
91666 + table = kmemdup(xfrm4_policy_table, sizeof(xfrm4_policy_table), GFP_KERNEL);
91670 table[0].data = &net->xfrm.xfrm4_dst_ops.gc_thresh;
91673 - hdr = register_net_sysctl(net, "net/ipv4", table);
91674 + hdr = register_net_sysctl(net, "net/ipv4", table);
91676 + hdr = register_net_sysctl(net, "net/ipv4", xfrm4_policy_table);
91680 @@ -284,8 +283,7 @@ static int __net_init xfrm4_net_init(struct net *net)
91684 - if (!net_eq(net, &init_net))
91690 diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
91691 index fb8c94c..fb18024 100644
91692 --- a/net/ipv6/addrconf.c
91693 +++ b/net/ipv6/addrconf.c
91694 @@ -621,7 +621,7 @@ static int inet6_netconf_dump_devconf(struct sk_buff *skb,
91696 head = &net->dev_index_head[h];
91698 - cb->seq = atomic_read(&net->ipv6.dev_addr_genid) ^
91699 + cb->seq = atomic_read_unchecked(&net->ipv6.dev_addr_genid) ^
91701 hlist_for_each_entry_rcu(dev, head, index_hlist) {
91703 @@ -2380,7 +2380,7 @@ int addrconf_set_dstaddr(struct net *net, void __user *arg)
91705 p.iph.protocol = IPPROTO_IPV6;
91707 - ifr.ifr_ifru.ifru_data = (__force void __user *)&p;
91708 + ifr.ifr_ifru.ifru_data = (void __force_user *)&p;
91710 if (ops->ndo_do_ioctl) {
91711 mm_segment_t oldfs = get_fs();
91712 @@ -4002,7 +4002,7 @@ static int inet6_dump_addr(struct sk_buff *skb, struct netlink_callback *cb,
91713 s_ip_idx = ip_idx = cb->args[2];
91716 - cb->seq = atomic_read(&net->ipv6.dev_addr_genid) ^ net->dev_base_seq;
91717 + cb->seq = atomic_read_unchecked(&net->ipv6.dev_addr_genid) ^ net->dev_base_seq;
91718 for (h = s_h; h < NETDEV_HASHENTRIES; h++, s_idx = 0) {
91720 head = &net->dev_index_head[h];
91721 @@ -4587,7 +4587,7 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp)
91722 dst_free(&ifp->rt->dst);
91725 - atomic_inc(&net->ipv6.dev_addr_genid);
91726 + atomic_inc_unchecked(&net->ipv6.dev_addr_genid);
91729 static void ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp)
91730 @@ -4607,7 +4607,7 @@ int addrconf_sysctl_forward(ctl_table *ctl, int write,
91731 int *valp = ctl->data;
91733 loff_t pos = *ppos;
91735 + ctl_table_no_const lctl;
91739 @@ -4689,7 +4689,7 @@ int addrconf_sysctl_disable(ctl_table *ctl, int write,
91740 int *valp = ctl->data;
91742 loff_t pos = *ppos;
91744 + ctl_table_no_const lctl;
91748 diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
91749 index 40ffd72..aeac0dc 100644
91750 --- a/net/ipv6/esp6.c
91751 +++ b/net/ipv6/esp6.c
91752 @@ -425,7 +425,7 @@ static u32 esp6_get_mtu(struct xfrm_state *x, int mtu)
91755 return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) -
91756 - net_adj) & ~(align - 1)) + (net_adj - 2);
91757 + net_adj) & ~(align - 1)) + net_adj - 2;
91760 static void esp6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
91761 diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
91762 index b4ff0a4..db9b764 100644
91763 --- a/net/ipv6/icmp.c
91764 +++ b/net/ipv6/icmp.c
91765 @@ -980,7 +980,7 @@ ctl_table ipv6_icmp_table_template[] = {
91767 struct ctl_table * __net_init ipv6_icmp_sysctl_init(struct net *net)
91769 - struct ctl_table *table;
91770 + ctl_table_no_const *table;
91772 table = kmemdup(ipv6_icmp_table_template,
91773 sizeof(ipv6_icmp_table_template),
91774 diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
91775 index ecd6073..58162ae 100644
91776 --- a/net/ipv6/ip6_gre.c
91777 +++ b/net/ipv6/ip6_gre.c
91778 @@ -74,7 +74,7 @@ struct ip6gre_net {
91779 struct net_device *fb_tunnel_dev;
91782 -static struct rtnl_link_ops ip6gre_link_ops __read_mostly;
91783 +static struct rtnl_link_ops ip6gre_link_ops;
91784 static int ip6gre_tunnel_init(struct net_device *dev);
91785 static void ip6gre_tunnel_setup(struct net_device *dev);
91786 static void ip6gre_tunnel_link(struct ip6gre_net *ign, struct ip6_tnl *t);
91787 @@ -1283,7 +1283,7 @@ static void ip6gre_fb_tunnel_init(struct net_device *dev)
91791 -static struct inet6_protocol ip6gre_protocol __read_mostly = {
91792 +static struct inet6_protocol ip6gre_protocol = {
91793 .handler = ip6gre_rcv,
91794 .err_handler = ip6gre_err,
91795 .flags = INET6_PROTO_NOPOLICY|INET6_PROTO_FINAL,
91796 @@ -1617,7 +1617,7 @@ static const struct nla_policy ip6gre_policy[IFLA_GRE_MAX + 1] = {
91797 [IFLA_GRE_FLAGS] = { .type = NLA_U32 },
91800 -static struct rtnl_link_ops ip6gre_link_ops __read_mostly = {
91801 +static struct rtnl_link_ops ip6gre_link_ops = {
91803 .maxtype = IFLA_GRE_MAX,
91804 .policy = ip6gre_policy,
91805 @@ -1630,7 +1630,7 @@ static struct rtnl_link_ops ip6gre_link_ops __read_mostly = {
91806 .fill_info = ip6gre_fill_info,
91809 -static struct rtnl_link_ops ip6gre_tap_ops __read_mostly = {
91810 +static struct rtnl_link_ops ip6gre_tap_ops = {
91811 .kind = "ip6gretap",
91812 .maxtype = IFLA_GRE_MAX,
91813 .policy = ip6gre_policy,
91814 diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
91815 index 1e55866..b398dab 100644
91816 --- a/net/ipv6/ip6_tunnel.c
91817 +++ b/net/ipv6/ip6_tunnel.c
91818 @@ -88,7 +88,7 @@ static u32 HASH(const struct in6_addr *addr1, const struct in6_addr *addr2)
91820 static int ip6_tnl_dev_init(struct net_device *dev);
91821 static void ip6_tnl_dev_setup(struct net_device *dev);
91822 -static struct rtnl_link_ops ip6_link_ops __read_mostly;
91823 +static struct rtnl_link_ops ip6_link_ops;
91825 static int ip6_tnl_net_id __read_mostly;
91826 struct ip6_tnl_net {
91827 @@ -1672,7 +1672,7 @@ static const struct nla_policy ip6_tnl_policy[IFLA_IPTUN_MAX + 1] = {
91828 [IFLA_IPTUN_PROTO] = { .type = NLA_U8 },
91831 -static struct rtnl_link_ops ip6_link_ops __read_mostly = {
91832 +static struct rtnl_link_ops ip6_link_ops = {
91834 .maxtype = IFLA_IPTUN_MAX,
91835 .policy = ip6_tnl_policy,
91836 diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
91837 index d1e2e8e..51c19ae 100644
91838 --- a/net/ipv6/ipv6_sockglue.c
91839 +++ b/net/ipv6/ipv6_sockglue.c
91840 @@ -991,7 +991,7 @@ static int do_ipv6_getsockopt(struct sock *sk, int level, int optname,
91841 if (sk->sk_type != SOCK_STREAM)
91842 return -ENOPROTOOPT;
91844 - msg.msg_control = optval;
91845 + msg.msg_control = (void __force_kernel *)optval;
91846 msg.msg_controllen = len;
91847 msg.msg_flags = flags;
91849 diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
91850 index 44400c2..8e11f52 100644
91851 --- a/net/ipv6/netfilter/ip6_tables.c
91852 +++ b/net/ipv6/netfilter/ip6_tables.c
91853 @@ -1078,14 +1078,14 @@ static int compat_table_info(const struct xt_table_info *info,
91856 static int get_info(struct net *net, void __user *user,
91857 - const int *len, int compat)
91858 + int len, int compat)
91860 char name[XT_TABLE_MAXNAMELEN];
91861 struct xt_table *t;
91864 - if (*len != sizeof(struct ip6t_getinfo)) {
91865 - duprintf("length %u != %zu\n", *len,
91866 + if (len != sizeof(struct ip6t_getinfo)) {
91867 + duprintf("length %u != %zu\n", len,
91868 sizeof(struct ip6t_getinfo));
91871 @@ -1122,7 +1122,7 @@ static int get_info(struct net *net, void __user *user,
91872 info.size = private->size;
91873 strcpy(info.name, name);
91875 - if (copy_to_user(user, &info, *len) != 0)
91876 + if (copy_to_user(user, &info, len) != 0)
91880 @@ -1976,7 +1976,7 @@ compat_do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
91883 case IP6T_SO_GET_INFO:
91884 - ret = get_info(sock_net(sk), user, len, 1);
91885 + ret = get_info(sock_net(sk), user, *len, 1);
91887 case IP6T_SO_GET_ENTRIES:
91888 ret = compat_get_entries(sock_net(sk), user, len);
91889 @@ -2023,7 +2023,7 @@ do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
91892 case IP6T_SO_GET_INFO:
91893 - ret = get_info(sock_net(sk), user, len, 0);
91894 + ret = get_info(sock_net(sk), user, *len, 0);
91897 case IP6T_SO_GET_ENTRIES:
91898 diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
91899 index dffdc1a..ccc6678 100644
91900 --- a/net/ipv6/netfilter/nf_conntrack_reasm.c
91901 +++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
91902 @@ -90,12 +90,11 @@ static struct ctl_table nf_ct_frag6_sysctl_table[] = {
91904 static int nf_ct_frag6_sysctl_register(struct net *net)
91906 - struct ctl_table *table;
91907 + ctl_table_no_const *table = NULL;
91908 struct ctl_table_header *hdr;
91910 - table = nf_ct_frag6_sysctl_table;
91911 if (!net_eq(net, &init_net)) {
91912 - table = kmemdup(table, sizeof(nf_ct_frag6_sysctl_table),
91913 + table = kmemdup(nf_ct_frag6_sysctl_table, sizeof(nf_ct_frag6_sysctl_table),
91917 @@ -103,9 +102,9 @@ static int nf_ct_frag6_sysctl_register(struct net *net)
91918 table[0].data = &net->nf_frag.frags.timeout;
91919 table[1].data = &net->nf_frag.frags.low_thresh;
91920 table[2].data = &net->nf_frag.frags.high_thresh;
91923 - hdr = register_net_sysctl(net, "net/netfilter", table);
91924 + hdr = register_net_sysctl(net, "net/netfilter", table);
91926 + hdr = register_net_sysctl(net, "net/netfilter", nf_ct_frag6_sysctl_table);
91930 @@ -113,8 +112,7 @@ static int nf_ct_frag6_sysctl_register(struct net *net)
91934 - if (!net_eq(net, &init_net))
91940 diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
91941 index eedff8c..6e13a47 100644
91942 --- a/net/ipv6/raw.c
91943 +++ b/net/ipv6/raw.c
91944 @@ -378,7 +378,7 @@ static inline int rawv6_rcv_skb(struct sock *sk, struct sk_buff *skb)
91946 if ((raw6_sk(sk)->checksum || rcu_access_pointer(sk->sk_filter)) &&
91947 skb_checksum_complete(skb)) {
91948 - atomic_inc(&sk->sk_drops);
91949 + atomic_inc_unchecked(&sk->sk_drops);
91951 return NET_RX_DROP;
91953 @@ -406,7 +406,7 @@ int rawv6_rcv(struct sock *sk, struct sk_buff *skb)
91954 struct raw6_sock *rp = raw6_sk(sk);
91956 if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb)) {
91957 - atomic_inc(&sk->sk_drops);
91958 + atomic_inc_unchecked(&sk->sk_drops);
91960 return NET_RX_DROP;
91962 @@ -430,7 +430,7 @@ int rawv6_rcv(struct sock *sk, struct sk_buff *skb)
91964 if (inet->hdrincl) {
91965 if (skb_checksum_complete(skb)) {
91966 - atomic_inc(&sk->sk_drops);
91967 + atomic_inc_unchecked(&sk->sk_drops);
91969 return NET_RX_DROP;
91971 @@ -602,7 +602,7 @@ out:
91975 -static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
91976 +static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
91977 struct flowi6 *fl6, struct dst_entry **dstp,
91978 unsigned int flags)
91980 @@ -914,12 +914,15 @@ do_confirm:
91981 static int rawv6_seticmpfilter(struct sock *sk, int level, int optname,
91982 char __user *optval, int optlen)
91984 + struct icmp6_filter filter;
91987 case ICMPV6_FILTER:
91988 if (optlen > sizeof(struct icmp6_filter))
91989 optlen = sizeof(struct icmp6_filter);
91990 - if (copy_from_user(&raw6_sk(sk)->filter, optval, optlen))
91991 + if (copy_from_user(&filter, optval, optlen))
91993 + raw6_sk(sk)->filter = filter;
91996 return -ENOPROTOOPT;
91997 @@ -932,6 +935,7 @@ static int rawv6_geticmpfilter(struct sock *sk, int level, int optname,
91998 char __user *optval, int __user *optlen)
92001 + struct icmp6_filter filter;
92004 case ICMPV6_FILTER:
92005 @@ -943,7 +947,8 @@ static int rawv6_geticmpfilter(struct sock *sk, int level, int optname,
92006 len = sizeof(struct icmp6_filter);
92007 if (put_user(len, optlen))
92009 - if (copy_to_user(optval, &raw6_sk(sk)->filter, len))
92010 + filter = raw6_sk(sk)->filter;
92011 + if (len > sizeof filter || copy_to_user(optval, &filter, len))
92015 @@ -1251,7 +1256,7 @@ static void raw6_sock_seq_show(struct seq_file *seq, struct sock *sp, int i)
92016 from_kuid_munged(seq_user_ns(seq), sock_i_uid(sp)),
92019 - atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
92020 + atomic_read(&sp->sk_refcnt), sp, atomic_read_unchecked(&sp->sk_drops));
92023 static int raw6_seq_show(struct seq_file *seq, void *v)
92024 diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
92025 index 790d9f4..68ae078 100644
92026 --- a/net/ipv6/reassembly.c
92027 +++ b/net/ipv6/reassembly.c
92028 @@ -621,12 +621,11 @@ static struct ctl_table ip6_frags_ctl_table[] = {
92030 static int __net_init ip6_frags_ns_sysctl_register(struct net *net)
92032 - struct ctl_table *table;
92033 + ctl_table_no_const *table = NULL;
92034 struct ctl_table_header *hdr;
92036 - table = ip6_frags_ns_ctl_table;
92037 if (!net_eq(net, &init_net)) {
92038 - table = kmemdup(table, sizeof(ip6_frags_ns_ctl_table), GFP_KERNEL);
92039 + table = kmemdup(ip6_frags_ns_ctl_table, sizeof(ip6_frags_ns_ctl_table), GFP_KERNEL);
92043 @@ -637,9 +636,10 @@ static int __net_init ip6_frags_ns_sysctl_register(struct net *net)
92044 /* Don't export sysctls to unprivileged users */
92045 if (net->user_ns != &init_user_ns)
92046 table[0].procname = NULL;
92048 + hdr = register_net_sysctl(net, "net/ipv6", table);
92050 + hdr = register_net_sysctl(net, "net/ipv6", ip6_frags_ns_ctl_table);
92052 - hdr = register_net_sysctl(net, "net/ipv6", table);
92056 @@ -647,8 +647,7 @@ static int __net_init ip6_frags_ns_sysctl_register(struct net *net)
92060 - if (!net_eq(net, &init_net))
92066 diff --git a/net/ipv6/route.c b/net/ipv6/route.c
92067 index bacce6c..9d1741a 100644
92068 --- a/net/ipv6/route.c
92069 +++ b/net/ipv6/route.c
92070 @@ -2903,7 +2903,7 @@ ctl_table ipv6_route_table_template[] = {
92072 struct ctl_table * __net_init ipv6_route_sysctl_init(struct net *net)
92074 - struct ctl_table *table;
92075 + ctl_table_no_const *table;
92077 table = kmemdup(ipv6_route_table_template,
92078 sizeof(ipv6_route_table_template),
92079 diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
92080 index 60df36d..f3ab7c8 100644
92081 --- a/net/ipv6/sit.c
92082 +++ b/net/ipv6/sit.c
92083 @@ -74,7 +74,7 @@ static void ipip6_tunnel_setup(struct net_device *dev);
92084 static void ipip6_dev_free(struct net_device *dev);
92085 static bool check_6rd(struct ip_tunnel *tunnel, const struct in6_addr *v6dst,
92087 -static struct rtnl_link_ops sit_link_ops __read_mostly;
92088 +static struct rtnl_link_ops sit_link_ops;
92090 static int sit_net_id __read_mostly;
92092 @@ -1453,7 +1453,7 @@ static const struct nla_policy ipip6_policy[IFLA_IPTUN_MAX + 1] = {
92096 -static struct rtnl_link_ops sit_link_ops __read_mostly = {
92097 +static struct rtnl_link_ops sit_link_ops = {
92099 .maxtype = IFLA_IPTUN_MAX,
92100 .policy = ipip6_policy,
92101 diff --git a/net/ipv6/sysctl_net_ipv6.c b/net/ipv6/sysctl_net_ipv6.c
92102 index e85c48b..b8268d3 100644
92103 --- a/net/ipv6/sysctl_net_ipv6.c
92104 +++ b/net/ipv6/sysctl_net_ipv6.c
92105 @@ -40,7 +40,7 @@ static ctl_table ipv6_rotable[] = {
92107 static int __net_init ipv6_sysctl_net_init(struct net *net)
92109 - struct ctl_table *ipv6_table;
92110 + ctl_table_no_const *ipv6_table;
92111 struct ctl_table *ipv6_route_table;
92112 struct ctl_table *ipv6_icmp_table;
92114 diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
92115 index 0a17ed9..2526cc3 100644
92116 --- a/net/ipv6/tcp_ipv6.c
92117 +++ b/net/ipv6/tcp_ipv6.c
92118 @@ -103,6 +103,10 @@ static void inet6_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb)
92119 inet6_sk(sk)->rx_dst_cookie = rt->rt6i_node->fn_sernum;
92122 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
92123 +extern int grsec_enable_blackhole;
92126 static void tcp_v6_hash(struct sock *sk)
92128 if (sk->sk_state != TCP_CLOSE) {
92129 @@ -1398,6 +1402,9 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
92133 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
92134 + if (!grsec_enable_blackhole)
92136 tcp_v6_send_reset(sk, skb);
92139 @@ -1480,12 +1487,20 @@ static int tcp_v6_rcv(struct sk_buff *skb)
92140 TCP_SKB_CB(skb)->sacked = 0;
92142 sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
92145 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
92148 goto no_tcp_socket;
92152 - if (sk->sk_state == TCP_TIME_WAIT)
92153 + if (sk->sk_state == TCP_TIME_WAIT) {
92154 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
92160 if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
92161 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
92162 @@ -1536,6 +1551,10 @@ csum_error:
92164 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
92166 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
92167 + if (!grsec_enable_blackhole || (ret == 1 &&
92168 + (skb->dev->flags & IFF_LOOPBACK)))
92170 tcp_v6_send_reset(NULL, skb);
92173 diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
92174 index e7b28f9..d09c290 100644
92175 --- a/net/ipv6/udp.c
92176 +++ b/net/ipv6/udp.c
92178 #include <trace/events/skb.h>
92179 #include "udp_impl.h"
92181 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
92182 +extern int grsec_enable_blackhole;
92185 int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2)
92187 const struct in6_addr *sk_rcv_saddr6 = &inet6_sk(sk)->rcv_saddr;
92188 @@ -419,7 +423,7 @@ try_again:
92189 if (unlikely(err)) {
92190 trace_kfree_skb(skb, udpv6_recvmsg);
92192 - atomic_inc(&sk->sk_drops);
92193 + atomic_inc_unchecked(&sk->sk_drops);
92195 UDP_INC_STATS_USER(sock_net(sk),
92197 @@ -665,7 +669,7 @@ csum_error:
92198 UDP6_INC_STATS_BH(sock_net(sk), UDP_MIB_CSUMERRORS, is_udplite);
92200 UDP6_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, is_udplite);
92201 - atomic_inc(&sk->sk_drops);
92202 + atomic_inc_unchecked(&sk->sk_drops);
92206 @@ -723,7 +727,7 @@ static void flush_stack(struct sock **stack, unsigned int count,
92207 if (likely(skb1 == NULL))
92208 skb1 = (i == final) ? skb : skb_clone(skb, GFP_ATOMIC);
92210 - atomic_inc(&sk->sk_drops);
92211 + atomic_inc_unchecked(&sk->sk_drops);
92212 UDP6_INC_STATS_BH(sock_net(sk), UDP_MIB_RCVBUFERRORS,
92214 UDP6_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS,
92215 @@ -860,6 +864,9 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
92218 UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
92219 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
92220 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
92222 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
92225 @@ -1392,7 +1399,7 @@ static void udp6_sock_seq_show(struct seq_file *seq, struct sock *sp, int bucket
92228 atomic_read(&sp->sk_refcnt), sp,
92229 - atomic_read(&sp->sk_drops));
92230 + atomic_read_unchecked(&sp->sk_drops));
92233 int udp6_seq_show(struct seq_file *seq, void *v)
92234 diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
92235 index 23ed03d..465a71d 100644
92236 --- a/net/ipv6/xfrm6_policy.c
92237 +++ b/net/ipv6/xfrm6_policy.c
92238 @@ -324,19 +324,19 @@ static struct ctl_table xfrm6_policy_table[] = {
92240 static int __net_init xfrm6_net_init(struct net *net)
92242 - struct ctl_table *table;
92243 + ctl_table_no_const *table = NULL;
92244 struct ctl_table_header *hdr;
92246 - table = xfrm6_policy_table;
92247 if (!net_eq(net, &init_net)) {
92248 - table = kmemdup(table, sizeof(xfrm6_policy_table), GFP_KERNEL);
92249 + table = kmemdup(xfrm6_policy_table, sizeof(xfrm6_policy_table), GFP_KERNEL);
92253 table[0].data = &net->xfrm.xfrm6_dst_ops.gc_thresh;
92255 + hdr = register_net_sysctl(net, "net/ipv6", table);
92257 + hdr = register_net_sysctl(net, "net/ipv6", xfrm6_policy_table);
92259 - hdr = register_net_sysctl(net, "net/ipv6", table);
92263 @@ -344,8 +344,7 @@ static int __net_init xfrm6_net_init(struct net *net)
92267 - if (!net_eq(net, &init_net))
92273 diff --git a/net/irda/ircomm/ircomm_tty.c b/net/irda/ircomm/ircomm_tty.c
92274 index 41ac7938..75e3bb1 100644
92275 --- a/net/irda/ircomm/ircomm_tty.c
92276 +++ b/net/irda/ircomm/ircomm_tty.c
92277 @@ -319,11 +319,11 @@ static int ircomm_tty_block_til_ready(struct ircomm_tty_cb *self,
92278 add_wait_queue(&port->open_wait, &wait);
92280 IRDA_DEBUG(2, "%s(%d):block_til_ready before block on %s open_count=%d\n",
92281 - __FILE__, __LINE__, tty->driver->name, port->count);
92282 + __FILE__, __LINE__, tty->driver->name, atomic_read(&port->count));
92284 spin_lock_irqsave(&port->lock, flags);
92285 if (!tty_hung_up_p(filp))
92287 + atomic_dec(&port->count);
92288 port->blocked_open++;
92289 spin_unlock_irqrestore(&port->lock, flags);
92291 @@ -358,7 +358,7 @@ static int ircomm_tty_block_til_ready(struct ircomm_tty_cb *self,
92294 IRDA_DEBUG(1, "%s(%d):block_til_ready blocking on %s open_count=%d\n",
92295 - __FILE__, __LINE__, tty->driver->name, port->count);
92296 + __FILE__, __LINE__, tty->driver->name, atomic_read(&port->count));
92300 @@ -368,12 +368,12 @@ static int ircomm_tty_block_til_ready(struct ircomm_tty_cb *self,
92302 spin_lock_irqsave(&port->lock, flags);
92303 if (!tty_hung_up_p(filp))
92305 + atomic_inc(&port->count);
92306 port->blocked_open--;
92307 spin_unlock_irqrestore(&port->lock, flags);
92309 IRDA_DEBUG(1, "%s(%d):block_til_ready after blocking on %s open_count=%d\n",
92310 - __FILE__, __LINE__, tty->driver->name, port->count);
92311 + __FILE__, __LINE__, tty->driver->name, atomic_read(&port->count));
92314 port->flags |= ASYNC_NORMAL_ACTIVE;
92315 @@ -447,12 +447,12 @@ static int ircomm_tty_open(struct tty_struct *tty, struct file *filp)
92317 /* ++ is not atomic, so this should be protected - Jean II */
92318 spin_lock_irqsave(&self->port.lock, flags);
92319 - self->port.count++;
92320 + atomic_inc(&self->port.count);
92321 spin_unlock_irqrestore(&self->port.lock, flags);
92322 tty_port_tty_set(&self->port, tty);
92324 IRDA_DEBUG(1, "%s(), %s%d, count = %d\n", __func__ , tty->driver->name,
92325 - self->line, self->port.count);
92326 + self->line, atomic_read(&self->port.count));
92328 /* Not really used by us, but lets do it anyway */
92329 self->port.low_latency = (self->port.flags & ASYNC_LOW_LATENCY) ? 1 : 0;
92330 @@ -989,7 +989,7 @@ static void ircomm_tty_hangup(struct tty_struct *tty)
92331 tty_kref_put(port->tty);
92335 + atomic_set(&port->count, 0);
92336 spin_unlock_irqrestore(&port->lock, flags);
92338 wake_up_interruptible(&port->open_wait);
92339 @@ -1346,7 +1346,7 @@ static void ircomm_tty_line_info(struct ircomm_tty_cb *self, struct seq_file *m)
92342 seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
92343 - seq_printf(m, "Open count: %d\n", self->port.count);
92344 + seq_printf(m, "Open count: %d\n", atomic_read(&self->port.count));
92345 seq_printf(m, "Max data size: %d\n", self->max_data_size);
92346 seq_printf(m, "Max header size: %d\n", self->max_header_size);
92348 diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
92349 index ae69165..c8b82d8 100644
92350 --- a/net/iucv/af_iucv.c
92351 +++ b/net/iucv/af_iucv.c
92352 @@ -773,10 +773,10 @@ static int iucv_sock_autobind(struct sock *sk)
92354 write_lock_bh(&iucv_sk_list.lock);
92356 - sprintf(name, "%08x", atomic_inc_return(&iucv_sk_list.autobind_name));
92357 + sprintf(name, "%08x", atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
92358 while (__iucv_get_sock_by_name(name)) {
92359 sprintf(name, "%08x",
92360 - atomic_inc_return(&iucv_sk_list.autobind_name));
92361 + atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
92364 write_unlock_bh(&iucv_sk_list.lock);
92365 diff --git a/net/iucv/iucv.c b/net/iucv/iucv.c
92366 index 4fe76ff..426a904 100644
92367 --- a/net/iucv/iucv.c
92368 +++ b/net/iucv/iucv.c
92369 @@ -690,7 +690,7 @@ static int __cpuinit iucv_cpu_notify(struct notifier_block *self,
92373 -static struct notifier_block __refdata iucv_cpu_notifier = {
92374 +static struct notifier_block iucv_cpu_notifier = {
92375 .notifier_call = iucv_cpu_notify,
92378 diff --git a/net/key/af_key.c b/net/key/af_key.c
92379 index ab8bd2c..cd2d641 100644
92380 --- a/net/key/af_key.c
92381 +++ b/net/key/af_key.c
92382 @@ -3048,10 +3048,10 @@ static int pfkey_send_policy_notify(struct xfrm_policy *xp, int dir, const struc
92383 static u32 get_acqseq(void)
92386 - static atomic_t acqseq;
92387 + static atomic_unchecked_t acqseq;
92390 - res = atomic_inc_return(&acqseq);
92391 + res = atomic_inc_return_unchecked(&acqseq);
92395 diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
92396 index ae36f8e..09d42ac 100644
92397 --- a/net/mac80211/cfg.c
92398 +++ b/net/mac80211/cfg.c
92399 @@ -806,7 +806,7 @@ static int ieee80211_set_monitor_channel(struct wiphy *wiphy,
92400 ret = ieee80211_vif_use_channel(sdata, chandef,
92401 IEEE80211_CHANCTX_EXCLUSIVE);
92403 - } else if (local->open_count == local->monitors) {
92404 + } else if (local_read(&local->open_count) == local->monitors) {
92405 local->_oper_chandef = *chandef;
92406 ieee80211_hw_config(local, 0);
92408 @@ -2922,7 +2922,7 @@ static void ieee80211_mgmt_frame_register(struct wiphy *wiphy,
92410 local->probe_req_reg--;
92412 - if (!local->open_count)
92413 + if (!local_read(&local->open_count))
92416 ieee80211_queue_work(&local->hw, &local->reconfig_filter);
92417 @@ -3385,8 +3385,8 @@ static int ieee80211_cfg_get_channel(struct wiphy *wiphy,
92418 if (chanctx_conf) {
92419 *chandef = chanctx_conf->def;
92421 - } else if (local->open_count > 0 &&
92422 - local->open_count == local->monitors &&
92423 + } else if (local_read(&local->open_count) > 0 &&
92424 + local_read(&local->open_count) == local->monitors &&
92425 sdata->vif.type == NL80211_IFTYPE_MONITOR) {
92426 if (local->use_chanctx)
92427 *chandef = local->monitor_chandef;
92428 diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
92429 index 9ca8e32..48e4a9b 100644
92430 --- a/net/mac80211/ieee80211_i.h
92431 +++ b/net/mac80211/ieee80211_i.h
92433 #include <net/ieee80211_radiotap.h>
92434 #include <net/cfg80211.h>
92435 #include <net/mac80211.h>
92436 +#include <asm/local.h>
92438 #include "sta_info.h"
92440 @@ -891,7 +892,7 @@ struct ieee80211_local {
92441 /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
92442 spinlock_t queue_stop_reason_lock;
92445 + local_t open_count;
92446 int monitors, cooked_mntrs;
92447 /* number of interfaces with corresponding FIF_ flags */
92448 int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll,
92449 diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
92450 index 514e90f..56f22bf 100644
92451 --- a/net/mac80211/iface.c
92452 +++ b/net/mac80211/iface.c
92453 @@ -502,7 +502,7 @@ int ieee80211_do_open(struct wireless_dev *wdev, bool coming_up)
92457 - if (local->open_count == 0) {
92458 + if (local_read(&local->open_count) == 0) {
92459 res = drv_start(local);
92462 @@ -545,7 +545,7 @@ int ieee80211_do_open(struct wireless_dev *wdev, bool coming_up)
92466 - if (local->monitors == 0 && local->open_count == 0) {
92467 + if (local->monitors == 0 && local_read(&local->open_count) == 0) {
92468 res = ieee80211_add_virtual_monitor(local);
92471 @@ -653,7 +653,7 @@ int ieee80211_do_open(struct wireless_dev *wdev, bool coming_up)
92472 atomic_inc(&local->iff_promiscs);
92475 - local->open_count++;
92476 + local_inc(&local->open_count);
92478 if (hw_reconf_flags)
92479 ieee80211_hw_config(local, hw_reconf_flags);
92480 @@ -691,7 +691,7 @@ int ieee80211_do_open(struct wireless_dev *wdev, bool coming_up)
92482 drv_remove_interface(local, sdata);
92484 - if (!local->open_count)
92485 + if (!local_read(&local->open_count))
92489 @@ -828,7 +828,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
92493 - local->open_count--;
92494 + local_dec(&local->open_count);
92496 switch (sdata->vif.type) {
92497 case NL80211_IFTYPE_AP_VLAN:
92498 @@ -895,7 +895,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
92500 spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags);
92502 - if (local->open_count == 0)
92503 + if (local_read(&local->open_count) == 0)
92504 ieee80211_clear_tx_pending(local);
92507 @@ -931,7 +931,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
92509 ieee80211_recalc_ps(local, -1);
92511 - if (local->open_count == 0) {
92512 + if (local_read(&local->open_count) == 0) {
92513 ieee80211_stop_device(local);
92515 /* no reconfiguring after stop! */
92516 @@ -942,7 +942,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
92517 ieee80211_configure_filter(local);
92518 ieee80211_hw_config(local, hw_reconf_flags);
92520 - if (local->monitors == local->open_count)
92521 + if (local->monitors == local_read(&local->open_count))
92522 ieee80211_add_virtual_monitor(local);
92525 diff --git a/net/mac80211/main.c b/net/mac80211/main.c
92526 index 8a7bfc4..4407cd0 100644
92527 --- a/net/mac80211/main.c
92528 +++ b/net/mac80211/main.c
92529 @@ -181,7 +181,7 @@ int ieee80211_hw_config(struct ieee80211_local *local, u32 changed)
92530 changed &= ~(IEEE80211_CONF_CHANGE_CHANNEL |
92531 IEEE80211_CONF_CHANGE_POWER);
92533 - if (changed && local->open_count) {
92534 + if (changed && local_read(&local->open_count)) {
92535 ret = drv_config(local, changed);
92538 diff --git a/net/mac80211/pm.c b/net/mac80211/pm.c
92539 index 3401262..d5cd68d 100644
92540 --- a/net/mac80211/pm.c
92541 +++ b/net/mac80211/pm.c
92542 @@ -12,7 +12,7 @@ int __ieee80211_suspend(struct ieee80211_hw *hw, struct cfg80211_wowlan *wowlan)
92543 struct ieee80211_sub_if_data *sdata;
92544 struct sta_info *sta;
92546 - if (!local->open_count)
92547 + if (!local_read(&local->open_count))
92550 ieee80211_scan_cancel(local);
92551 @@ -59,7 +59,7 @@ int __ieee80211_suspend(struct ieee80211_hw *hw, struct cfg80211_wowlan *wowlan)
92552 cancel_work_sync(&local->dynamic_ps_enable_work);
92553 del_timer_sync(&local->dynamic_ps_timer);
92555 - local->wowlan = wowlan && local->open_count;
92556 + local->wowlan = wowlan && local_read(&local->open_count);
92557 if (local->wowlan) {
92558 int err = drv_suspend(local, wowlan);
92560 @@ -116,7 +116,7 @@ int __ieee80211_suspend(struct ieee80211_hw *hw, struct cfg80211_wowlan *wowlan)
92561 WARN_ON(!list_empty(&local->chanctx_list));
92563 /* stop hardware - this must stop RX */
92564 - if (local->open_count)
92565 + if (local_read(&local->open_count))
92566 ieee80211_stop_device(local);
92569 diff --git a/net/mac80211/rate.c b/net/mac80211/rate.c
92570 index a02bef3..f2f38dd 100644
92571 --- a/net/mac80211/rate.c
92572 +++ b/net/mac80211/rate.c
92573 @@ -712,7 +712,7 @@ int ieee80211_init_rate_ctrl_alg(struct ieee80211_local *local,
92577 - if (local->open_count)
92578 + if (local_read(&local->open_count))
92581 if (local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL) {
92582 diff --git a/net/mac80211/rc80211_pid_debugfs.c b/net/mac80211/rc80211_pid_debugfs.c
92583 index c97a065..ff61928 100644
92584 --- a/net/mac80211/rc80211_pid_debugfs.c
92585 +++ b/net/mac80211/rc80211_pid_debugfs.c
92586 @@ -193,7 +193,7 @@ static ssize_t rate_control_pid_events_read(struct file *file, char __user *buf,
92588 spin_unlock_irqrestore(&events->lock, status);
92590 - if (copy_to_user(buf, pb, p))
92591 + if (p > sizeof(pb) || copy_to_user(buf, pb, p))
92595 diff --git a/net/mac80211/util.c b/net/mac80211/util.c
92596 index 72e6292..e6319eb 100644
92597 --- a/net/mac80211/util.c
92598 +++ b/net/mac80211/util.c
92599 @@ -1472,7 +1472,7 @@ int ieee80211_reconfig(struct ieee80211_local *local)
92602 /* everything else happens only if HW was up & running */
92603 - if (!local->open_count)
92604 + if (!local_read(&local->open_count))
92608 @@ -1696,7 +1696,7 @@ int ieee80211_reconfig(struct ieee80211_local *local)
92609 local->in_reconfig = false;
92612 - if (local->monitors == local->open_count && local->monitors > 0)
92613 + if (local->monitors == local_read(&local->open_count) && local->monitors > 0)
92614 ieee80211_add_virtual_monitor(local);
92617 diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
92618 index 56d22ca..87c778f 100644
92619 --- a/net/netfilter/Kconfig
92620 +++ b/net/netfilter/Kconfig
92621 @@ -958,6 +958,16 @@ config NETFILTER_XT_MATCH_ESP
92623 To compile it as a module, choose M here. If unsure, say N.
92625 +config NETFILTER_XT_MATCH_GRADM
92626 + tristate '"gradm" match support'
92627 + depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
92628 + depends on GRKERNSEC && !GRKERNSEC_NO_RBAC
92630 + The gradm match allows to match on grsecurity RBAC being enabled.
92631 + It is useful when iptables rules are applied early on bootup to
92632 + prevent connections to the machine (except from a trusted host)
92633 + while the RBAC system is disabled.
92635 config NETFILTER_XT_MATCH_HASHLIMIT
92636 tristate '"hashlimit" match support'
92637 depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
92638 diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
92639 index a1abf87..dbcb7ee 100644
92640 --- a/net/netfilter/Makefile
92641 +++ b/net/netfilter/Makefile
92642 @@ -112,6 +112,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_DEVGROUP) += xt_devgroup.o
92643 obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
92644 obj-$(CONFIG_NETFILTER_XT_MATCH_ECN) += xt_ecn.o
92645 obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
92646 +obj-$(CONFIG_NETFILTER_XT_MATCH_GRADM) += xt_gradm.o
92647 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
92648 obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
92649 obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
92650 diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
92651 index f771390..145b765 100644
92652 --- a/net/netfilter/ipset/ip_set_core.c
92653 +++ b/net/netfilter/ipset/ip_set_core.c
92654 @@ -1820,7 +1820,7 @@ done:
92658 -static struct nf_sockopt_ops so_set __read_mostly = {
92659 +static struct nf_sockopt_ops so_set = {
92661 .get_optmin = SO_IP_SET,
92662 .get_optmax = SO_IP_SET + 1,
92663 diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c
92664 index a083bda..da661c3 100644
92665 --- a/net/netfilter/ipvs/ip_vs_conn.c
92666 +++ b/net/netfilter/ipvs/ip_vs_conn.c
92667 @@ -556,7 +556,7 @@ ip_vs_bind_dest(struct ip_vs_conn *cp, struct ip_vs_dest *dest)
92668 /* Increase the refcnt counter of the dest */
92669 ip_vs_dest_hold(dest);
92671 - conn_flags = atomic_read(&dest->conn_flags);
92672 + conn_flags = atomic_read_unchecked(&dest->conn_flags);
92673 if (cp->protocol != IPPROTO_UDP)
92674 conn_flags &= ~IP_VS_CONN_F_ONE_PACKET;
92676 @@ -900,7 +900,7 @@ ip_vs_conn_new(const struct ip_vs_conn_param *p,
92678 cp->control = NULL;
92679 atomic_set(&cp->n_control, 0);
92680 - atomic_set(&cp->in_pkts, 0);
92681 + atomic_set_unchecked(&cp->in_pkts, 0);
92683 cp->packet_xmit = NULL;
92685 @@ -1190,7 +1190,7 @@ static inline int todrop_entry(struct ip_vs_conn *cp)
92687 /* Don't drop the entry if its number of incoming packets is not
92688 located in [0, 8] */
92689 - i = atomic_read(&cp->in_pkts);
92690 + i = atomic_read_unchecked(&cp->in_pkts);
92691 if (i > 8 || i < 0) return 0;
92693 if (!todrop_rate[i]) return 0;
92694 diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
92695 index 23b8eb5..48a8959 100644
92696 --- a/net/netfilter/ipvs/ip_vs_core.c
92697 +++ b/net/netfilter/ipvs/ip_vs_core.c
92698 @@ -559,7 +559,7 @@ int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb,
92699 ret = cp->packet_xmit(skb, cp, pd->pp, iph);
92700 /* do not touch skb anymore */
92702 - atomic_inc(&cp->in_pkts);
92703 + atomic_inc_unchecked(&cp->in_pkts);
92704 ip_vs_conn_put(cp);
92707 @@ -1711,7 +1711,7 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af)
92708 if (cp->flags & IP_VS_CONN_F_ONE_PACKET)
92709 pkts = sysctl_sync_threshold(ipvs);
92711 - pkts = atomic_add_return(1, &cp->in_pkts);
92712 + pkts = atomic_add_return_unchecked(1, &cp->in_pkts);
92714 if (ipvs->sync_state & IP_VS_STATE_MASTER)
92715 ip_vs_sync_conn(net, cp, pkts);
92716 diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
92717 index 9e6c2a0..28552e2 100644
92718 --- a/net/netfilter/ipvs/ip_vs_ctl.c
92719 +++ b/net/netfilter/ipvs/ip_vs_ctl.c
92720 @@ -789,7 +789,7 @@ __ip_vs_update_dest(struct ip_vs_service *svc, struct ip_vs_dest *dest,
92722 ip_vs_rs_hash(ipvs, dest);
92724 - atomic_set(&dest->conn_flags, conn_flags);
92725 + atomic_set_unchecked(&dest->conn_flags, conn_flags);
92727 /* bind the service */
92729 @@ -1657,7 +1657,7 @@ proc_do_sync_ports(ctl_table *table, int write,
92730 * align with netns init in ip_vs_control_net_init()
92733 -static struct ctl_table vs_vars[] = {
92734 +static ctl_table_no_const vs_vars[] __read_only = {
92736 .procname = "amemthresh",
92737 .maxlen = sizeof(int),
92738 @@ -2060,7 +2060,7 @@ static int ip_vs_info_seq_show(struct seq_file *seq, void *v)
92739 " %-7s %-6d %-10d %-10d\n",
92742 - ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
92743 + ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
92744 atomic_read(&dest->weight),
92745 atomic_read(&dest->activeconns),
92746 atomic_read(&dest->inactconns));
92747 @@ -2071,7 +2071,7 @@ static int ip_vs_info_seq_show(struct seq_file *seq, void *v)
92748 "%-7s %-6d %-10d %-10d\n",
92749 ntohl(dest->addr.ip),
92751 - ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
92752 + ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
92753 atomic_read(&dest->weight),
92754 atomic_read(&dest->activeconns),
92755 atomic_read(&dest->inactconns));
92756 @@ -2549,7 +2549,7 @@ __ip_vs_get_dest_entries(struct net *net, const struct ip_vs_get_dests *get,
92758 entry.addr = dest->addr.ip;
92759 entry.port = dest->port;
92760 - entry.conn_flags = atomic_read(&dest->conn_flags);
92761 + entry.conn_flags = atomic_read_unchecked(&dest->conn_flags);
92762 entry.weight = atomic_read(&dest->weight);
92763 entry.u_threshold = dest->u_threshold;
92764 entry.l_threshold = dest->l_threshold;
92765 @@ -3092,7 +3092,7 @@ static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest)
92766 if (nla_put(skb, IPVS_DEST_ATTR_ADDR, sizeof(dest->addr), &dest->addr) ||
92767 nla_put_be16(skb, IPVS_DEST_ATTR_PORT, dest->port) ||
92768 nla_put_u32(skb, IPVS_DEST_ATTR_FWD_METHOD,
92769 - (atomic_read(&dest->conn_flags) &
92770 + (atomic_read_unchecked(&dest->conn_flags) &
92771 IP_VS_CONN_F_FWD_MASK)) ||
92772 nla_put_u32(skb, IPVS_DEST_ATTR_WEIGHT,
92773 atomic_read(&dest->weight)) ||
92774 @@ -3682,7 +3682,7 @@ static int __net_init ip_vs_control_net_init_sysctl(struct net *net)
92777 struct netns_ipvs *ipvs = net_ipvs(net);
92778 - struct ctl_table *tbl;
92779 + ctl_table_no_const *tbl;
92781 atomic_set(&ipvs->dropentry, 0);
92782 spin_lock_init(&ipvs->dropentry_lock);
92783 diff --git a/net/netfilter/ipvs/ip_vs_lblc.c b/net/netfilter/ipvs/ip_vs_lblc.c
92784 index 5ea26bd..c9bc65f 100644
92785 --- a/net/netfilter/ipvs/ip_vs_lblc.c
92786 +++ b/net/netfilter/ipvs/ip_vs_lblc.c
92787 @@ -118,7 +118,7 @@ struct ip_vs_lblc_table {
92788 * IPVS LBLC sysctl table
92790 #ifdef CONFIG_SYSCTL
92791 -static ctl_table vs_vars_table[] = {
92792 +static ctl_table_no_const vs_vars_table[] __read_only = {
92794 .procname = "lblc_expiration",
92796 diff --git a/net/netfilter/ipvs/ip_vs_lblcr.c b/net/netfilter/ipvs/ip_vs_lblcr.c
92797 index 50123c2..067c773 100644
92798 --- a/net/netfilter/ipvs/ip_vs_lblcr.c
92799 +++ b/net/netfilter/ipvs/ip_vs_lblcr.c
92800 @@ -299,7 +299,7 @@ struct ip_vs_lblcr_table {
92801 * IPVS LBLCR sysctl table
92804 -static ctl_table vs_vars_table[] = {
92805 +static ctl_table_no_const vs_vars_table[] __read_only = {
92807 .procname = "lblcr_expiration",
92809 diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c
92810 index f6046d9..4f10cfd 100644
92811 --- a/net/netfilter/ipvs/ip_vs_sync.c
92812 +++ b/net/netfilter/ipvs/ip_vs_sync.c
92813 @@ -596,7 +596,7 @@ static void ip_vs_sync_conn_v0(struct net *net, struct ip_vs_conn *cp,
92816 if (cp->flags & IP_VS_CONN_F_TEMPLATE)
92817 - pkts = atomic_add_return(1, &cp->in_pkts);
92818 + pkts = atomic_add_return_unchecked(1, &cp->in_pkts);
92820 pkts = sysctl_sync_threshold(ipvs);
92821 ip_vs_sync_conn(net, cp->control, pkts);
92822 @@ -758,7 +758,7 @@ control:
92825 if (cp->flags & IP_VS_CONN_F_TEMPLATE)
92826 - pkts = atomic_add_return(1, &cp->in_pkts);
92827 + pkts = atomic_add_return_unchecked(1, &cp->in_pkts);
92829 pkts = sysctl_sync_threshold(ipvs);
92831 @@ -882,7 +882,7 @@ static void ip_vs_proc_conn(struct net *net, struct ip_vs_conn_param *param,
92834 memcpy(&cp->in_seq, opt, sizeof(*opt));
92835 - atomic_set(&cp->in_pkts, sysctl_sync_threshold(ipvs));
92836 + atomic_set_unchecked(&cp->in_pkts, sysctl_sync_threshold(ipvs));
92838 cp->old_state = cp->state;
92840 diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
92841 index b75ff64..0c51bbe 100644
92842 --- a/net/netfilter/ipvs/ip_vs_xmit.c
92843 +++ b/net/netfilter/ipvs/ip_vs_xmit.c
92844 @@ -1102,7 +1102,7 @@ ip_vs_icmp_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
92847 /* do not touch skb anymore */
92848 - atomic_inc(&cp->in_pkts);
92849 + atomic_inc_unchecked(&cp->in_pkts);
92853 @@ -1194,7 +1194,7 @@ ip_vs_icmp_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
92856 /* do not touch skb anymore */
92857 - atomic_inc(&cp->in_pkts);
92858 + atomic_inc_unchecked(&cp->in_pkts);
92862 diff --git a/net/netfilter/nf_conntrack_acct.c b/net/netfilter/nf_conntrack_acct.c
92863 index 2d3030a..7ba1c0a 100644
92864 --- a/net/netfilter/nf_conntrack_acct.c
92865 +++ b/net/netfilter/nf_conntrack_acct.c
92866 @@ -60,7 +60,7 @@ static struct nf_ct_ext_type acct_extend __read_mostly = {
92867 #ifdef CONFIG_SYSCTL
92868 static int nf_conntrack_acct_init_sysctl(struct net *net)
92870 - struct ctl_table *table;
92871 + ctl_table_no_const *table;
92873 table = kmemdup(acct_sysctl_table, sizeof(acct_sysctl_table),
92875 diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
92876 index 0283bae..5febcb0 100644
92877 --- a/net/netfilter/nf_conntrack_core.c
92878 +++ b/net/netfilter/nf_conntrack_core.c
92879 @@ -1614,6 +1614,10 @@ void nf_conntrack_init_end(void)
92880 #define DYING_NULLS_VAL ((1<<30)+1)
92881 #define TEMPLATE_NULLS_VAL ((1<<30)+2)
92883 +#ifdef CONFIG_GRKERNSEC_HIDESYM
92884 +static atomic_unchecked_t conntrack_cache_id = ATOMIC_INIT(0);
92887 int nf_conntrack_init_net(struct net *net)
92890 @@ -1628,7 +1632,11 @@ int nf_conntrack_init_net(struct net *net)
92894 +#ifdef CONFIG_GRKERNSEC_HIDESYM
92895 + net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%08lx", atomic_inc_return_unchecked(&conntrack_cache_id));
92897 net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%p", net);
92899 if (!net->ct.slabname) {
92902 diff --git a/net/netfilter/nf_conntrack_ecache.c b/net/netfilter/nf_conntrack_ecache.c
92903 index 1df1761..ce8b88a 100644
92904 --- a/net/netfilter/nf_conntrack_ecache.c
92905 +++ b/net/netfilter/nf_conntrack_ecache.c
92906 @@ -188,7 +188,7 @@ static struct nf_ct_ext_type event_extend __read_mostly = {
92907 #ifdef CONFIG_SYSCTL
92908 static int nf_conntrack_event_init_sysctl(struct net *net)
92910 - struct ctl_table *table;
92911 + ctl_table_no_const *table;
92913 table = kmemdup(event_sysctl_table, sizeof(event_sysctl_table),
92915 diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
92916 index 974a2a4..52cc6ff 100644
92917 --- a/net/netfilter/nf_conntrack_helper.c
92918 +++ b/net/netfilter/nf_conntrack_helper.c
92919 @@ -57,7 +57,7 @@ static struct ctl_table helper_sysctl_table[] = {
92921 static int nf_conntrack_helper_init_sysctl(struct net *net)
92923 - struct ctl_table *table;
92924 + ctl_table_no_const *table;
92926 table = kmemdup(helper_sysctl_table, sizeof(helper_sysctl_table),
92928 diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
92929 index 0ab9636..cea3c6a 100644
92930 --- a/net/netfilter/nf_conntrack_proto.c
92931 +++ b/net/netfilter/nf_conntrack_proto.c
92932 @@ -52,7 +52,7 @@ nf_ct_register_sysctl(struct net *net,
92935 nf_ct_unregister_sysctl(struct ctl_table_header **header,
92936 - struct ctl_table **table,
92937 + ctl_table_no_const **table,
92938 unsigned int users)
92941 diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c
92942 index a99b6c3..3841268 100644
92943 --- a/net/netfilter/nf_conntrack_proto_dccp.c
92944 +++ b/net/netfilter/nf_conntrack_proto_dccp.c
92945 @@ -457,7 +457,7 @@ static bool dccp_new(struct nf_conn *ct, const struct sk_buff *skb,
92947 if (LOG_INVALID(net, IPPROTO_DCCP))
92948 nf_log_packet(net, nf_ct_l3num(ct), 0, skb, NULL, NULL,
92950 + NULL, "%s", msg);
92954 @@ -614,7 +614,7 @@ static int dccp_error(struct net *net, struct nf_conn *tmpl,
92957 if (LOG_INVALID(net, IPPROTO_DCCP))
92958 - nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, msg);
92959 + nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL, "%s", msg);
92963 diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
92964 index 4d4d8f1..e0f9a32 100644
92965 --- a/net/netfilter/nf_conntrack_proto_tcp.c
92966 +++ b/net/netfilter/nf_conntrack_proto_tcp.c
92967 @@ -526,7 +526,7 @@ static bool tcp_in_window(const struct nf_conn *ct,
92968 const struct nf_conntrack_tuple *tuple = &ct->tuplehash[dir].tuple;
92969 __u32 seq, ack, sack, end, win, swin;
92970 s16 receiver_offset;
92972 + bool res, in_recv_win;
92975 * Get the required data from the packet.
92976 @@ -649,14 +649,18 @@ static bool tcp_in_window(const struct nf_conn *ct,
92977 receiver->td_end, receiver->td_maxend, receiver->td_maxwin,
92978 receiver->td_scale);
92980 + /* Is the ending sequence in the receive window (if available)? */
92981 + in_recv_win = !receiver->td_maxwin ||
92982 + after(end, sender->td_end - receiver->td_maxwin - 1);
92984 pr_debug("tcp_in_window: I=%i II=%i III=%i IV=%i\n",
92985 before(seq, sender->td_maxend + 1),
92986 - after(end, sender->td_end - receiver->td_maxwin - 1),
92987 + (in_recv_win ? 1 : 0),
92988 before(sack, receiver->td_end + 1),
92989 after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1));
92991 if (before(seq, sender->td_maxend + 1) &&
92992 - after(end, sender->td_end - receiver->td_maxwin - 1) &&
92994 before(sack, receiver->td_end + 1) &&
92995 after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1)) {
92997 @@ -725,7 +729,7 @@ static bool tcp_in_window(const struct nf_conn *ct,
92998 nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
93000 before(seq, sender->td_maxend + 1) ?
93001 - after(end, sender->td_end - receiver->td_maxwin - 1) ?
93003 before(sack, receiver->td_end + 1) ?
93004 after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1) ? "BUG"
93005 : "ACK is under the lower bound (possible overly delayed ACK)"
93006 diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
93007 index bd700b4..4a3dc61 100644
93008 --- a/net/netfilter/nf_conntrack_standalone.c
93009 +++ b/net/netfilter/nf_conntrack_standalone.c
93010 @@ -471,7 +471,7 @@ static ctl_table nf_ct_netfilter_table[] = {
93012 static int nf_conntrack_standalone_init_sysctl(struct net *net)
93014 - struct ctl_table *table;
93015 + ctl_table_no_const *table;
93017 table = kmemdup(nf_ct_sysctl_table, sizeof(nf_ct_sysctl_table),
93019 diff --git a/net/netfilter/nf_conntrack_timestamp.c b/net/netfilter/nf_conntrack_timestamp.c
93020 index 902fb0a..87f7fdb 100644
93021 --- a/net/netfilter/nf_conntrack_timestamp.c
93022 +++ b/net/netfilter/nf_conntrack_timestamp.c
93023 @@ -42,7 +42,7 @@ static struct nf_ct_ext_type tstamp_extend __read_mostly = {
93024 #ifdef CONFIG_SYSCTL
93025 static int nf_conntrack_tstamp_init_sysctl(struct net *net)
93027 - struct ctl_table *table;
93028 + ctl_table_no_const *table;
93030 table = kmemdup(tstamp_sysctl_table, sizeof(tstamp_sysctl_table),
93032 diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
93033 index 3b18dd1..f79e0ca 100644
93034 --- a/net/netfilter/nf_log.c
93035 +++ b/net/netfilter/nf_log.c
93036 @@ -243,7 +243,7 @@ static const struct file_operations nflog_file_ops = {
93038 #ifdef CONFIG_SYSCTL
93039 static char nf_log_sysctl_fnames[NFPROTO_NUMPROTO-NFPROTO_UNSPEC][3];
93040 -static struct ctl_table nf_log_sysctl_table[NFPROTO_NUMPROTO+1];
93041 +static ctl_table_no_const nf_log_sysctl_table[NFPROTO_NUMPROTO+1] __read_only;
93043 static int nf_log_proc_dostring(ctl_table *table, int write,
93044 void __user *buffer, size_t *lenp, loff_t *ppos)
93045 @@ -274,14 +274,16 @@ static int nf_log_proc_dostring(ctl_table *table, int write,
93046 rcu_assign_pointer(net->nf.nf_loggers[tindex], logger);
93047 mutex_unlock(&nf_log_mutex);
93049 + ctl_table_no_const nf_log_table = *table;
93051 mutex_lock(&nf_log_mutex);
93052 logger = rcu_dereference_protected(net->nf.nf_loggers[tindex],
93053 lockdep_is_held(&nf_log_mutex));
93055 - table->data = "NONE";
93056 + nf_log_table.data = "NONE";
93058 - table->data = logger->name;
93059 - r = proc_dostring(table, write, buffer, lenp, ppos);
93060 + nf_log_table.data = logger->name;
93061 + r = proc_dostring(&nf_log_table, write, buffer, lenp, ppos);
93062 mutex_unlock(&nf_log_mutex);
93065 diff --git a/net/netfilter/nf_sockopt.c b/net/netfilter/nf_sockopt.c
93066 index f042ae5..30ea486 100644
93067 --- a/net/netfilter/nf_sockopt.c
93068 +++ b/net/netfilter/nf_sockopt.c
93069 @@ -45,7 +45,7 @@ int nf_register_sockopt(struct nf_sockopt_ops *reg)
93073 - list_add(®->list, &nf_sockopts);
93074 + pax_list_add((struct list_head *)®->list, &nf_sockopts);
93076 mutex_unlock(&nf_sockopt_mutex);
93078 @@ -55,7 +55,7 @@ EXPORT_SYMBOL(nf_register_sockopt);
93079 void nf_unregister_sockopt(struct nf_sockopt_ops *reg)
93081 mutex_lock(&nf_sockopt_mutex);
93082 - list_del(®->list);
93083 + pax_list_del((struct list_head *)®->list);
93084 mutex_unlock(&nf_sockopt_mutex);
93086 EXPORT_SYMBOL(nf_unregister_sockopt);
93087 diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
93088 index 962e979..e46f350 100644
93089 --- a/net/netfilter/nfnetlink_log.c
93090 +++ b/net/netfilter/nfnetlink_log.c
93091 @@ -82,7 +82,7 @@ static int nfnl_log_net_id __read_mostly;
93092 struct nfnl_log_net {
93093 spinlock_t instances_lock;
93094 struct hlist_head instance_table[INSTANCE_BUCKETS];
93095 - atomic_t global_seq;
93096 + atomic_unchecked_t global_seq;
93099 static struct nfnl_log_net *nfnl_log_pernet(struct net *net)
93100 @@ -419,6 +419,7 @@ __build_packet_message(struct nfnl_log_net *log,
93101 nfmsg->version = NFNETLINK_V0;
93102 nfmsg->res_id = htons(inst->group_num);
93104 + memset(&pmsg, 0, sizeof(pmsg));
93105 pmsg.hw_protocol = skb->protocol;
93106 pmsg.hook = hooknum;
93108 @@ -498,7 +499,10 @@ __build_packet_message(struct nfnl_log_net *log,
93109 if (indev && skb->dev &&
93110 skb->mac_header != skb->network_header) {
93111 struct nfulnl_msg_packet_hw phw;
93112 - int len = dev_parse_header(skb, phw.hw_addr);
93115 + memset(&phw, 0, sizeof(phw));
93116 + len = dev_parse_header(skb, phw.hw_addr);
93118 phw.hw_addrlen = htons(len);
93119 if (nla_put(inst->skb, NFULA_HWADDR, sizeof(phw), &phw))
93120 @@ -559,7 +563,7 @@ __build_packet_message(struct nfnl_log_net *log,
93121 /* global sequence number */
93122 if ((inst->flags & NFULNL_CFG_F_SEQ_GLOBAL) &&
93123 nla_put_be32(inst->skb, NFULA_SEQ_GLOBAL,
93124 - htonl(atomic_inc_return(&log->global_seq))))
93125 + htonl(atomic_inc_return_unchecked(&log->global_seq))))
93126 goto nla_put_failure;
93129 diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c
93130 index 5352b2d..e0083ce 100644
93131 --- a/net/netfilter/nfnetlink_queue_core.c
93132 +++ b/net/netfilter/nfnetlink_queue_core.c
93133 @@ -444,7 +444,10 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
93134 if (indev && entskb->dev &&
93135 entskb->mac_header != entskb->network_header) {
93136 struct nfqnl_msg_packet_hw phw;
93137 - int len = dev_parse_header(entskb, phw.hw_addr);
93140 + memset(&phw, 0, sizeof(phw));
93141 + len = dev_parse_header(entskb, phw.hw_addr);
93143 phw.hw_addrlen = htons(len);
93144 if (nla_put(skb, NFQA_HWADDR, sizeof(phw), &phw))
93145 diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
93146 index 7011c71..6113cc7 100644
93147 --- a/net/netfilter/xt_TCPMSS.c
93148 +++ b/net/netfilter/xt_TCPMSS.c
93149 @@ -52,7 +52,8 @@ tcpmss_mangle_packet(struct sk_buff *skb,
93151 const struct xt_tcpmss_info *info = par->targinfo;
93152 struct tcphdr *tcph;
93153 - unsigned int tcplen, i;
93154 + int len, tcp_hdrlen;
93159 @@ -64,11 +65,14 @@ tcpmss_mangle_packet(struct sk_buff *skb,
93160 if (!skb_make_writable(skb, skb->len))
93163 - tcplen = skb->len - tcphoff;
93164 + len = skb->len - tcphoff;
93165 + if (len < (int)sizeof(struct tcphdr))
93168 tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
93169 + tcp_hdrlen = tcph->doff * 4;
93171 - /* Header cannot be larger than the packet */
93172 - if (tcplen < tcph->doff*4)
93173 + if (len < tcp_hdrlen)
93176 if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
93177 @@ -87,9 +91,8 @@ tcpmss_mangle_packet(struct sk_buff *skb,
93178 newmss = info->mss;
93180 opt = (u_int8_t *)tcph;
93181 - for (i = sizeof(struct tcphdr); i < tcph->doff*4; i += optlen(opt, i)) {
93182 - if (opt[i] == TCPOPT_MSS && tcph->doff*4 - i >= TCPOLEN_MSS &&
93183 - opt[i+1] == TCPOLEN_MSS) {
93184 + for (i = sizeof(struct tcphdr); i <= tcp_hdrlen - TCPOLEN_MSS; i += optlen(opt, i)) {
93185 + if (opt[i] == TCPOPT_MSS && opt[i+1] == TCPOLEN_MSS) {
93188 oldmss = (opt[i+2] << 8) | opt[i+3];
93189 @@ -112,9 +115,10 @@ tcpmss_mangle_packet(struct sk_buff *skb,
93192 /* There is data after the header so the option can't be added
93193 - without moving it, and doing so may make the SYN packet
93194 - itself too large. Accept the packet unmodified instead. */
93195 - if (tcplen > tcph->doff*4)
93196 + * without moving it, and doing so may make the SYN packet
93197 + * itself too large. Accept the packet unmodified instead.
93199 + if (len > tcp_hdrlen)
93203 @@ -143,10 +147,10 @@ tcpmss_mangle_packet(struct sk_buff *skb,
93204 newmss = min(newmss, (u16)1220);
93206 opt = (u_int8_t *)tcph + sizeof(struct tcphdr);
93207 - memmove(opt + TCPOLEN_MSS, opt, tcplen - sizeof(struct tcphdr));
93208 + memmove(opt + TCPOLEN_MSS, opt, len - sizeof(struct tcphdr));
93210 inet_proto_csum_replace2(&tcph->check, skb,
93211 - htons(tcplen), htons(tcplen + TCPOLEN_MSS), 1);
93212 + htons(len), htons(len + TCPOLEN_MSS), 1);
93213 opt[0] = TCPOPT_MSS;
93214 opt[1] = TCPOLEN_MSS;
93215 opt[2] = (newmss & 0xff00) >> 8;
93216 diff --git a/net/netfilter/xt_TCPOPTSTRIP.c b/net/netfilter/xt_TCPOPTSTRIP.c
93217 index b68fa19..625fa1d 100644
93218 --- a/net/netfilter/xt_TCPOPTSTRIP.c
93219 +++ b/net/netfilter/xt_TCPOPTSTRIP.c
93220 @@ -38,7 +38,7 @@ tcpoptstrip_mangle_packet(struct sk_buff *skb,
93221 struct tcphdr *tcph;
93225 + int len, tcp_hdrlen;
93227 /* This is a fragment, no TCP header is available */
93228 if (par->fragoff != 0)
93229 @@ -52,7 +52,9 @@ tcpoptstrip_mangle_packet(struct sk_buff *skb,
93232 tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
93233 - if (tcph->doff * 4 > len)
93234 + tcp_hdrlen = tcph->doff * 4;
93236 + if (len < tcp_hdrlen)
93239 opt = (u_int8_t *)tcph;
93240 @@ -61,10 +63,10 @@ tcpoptstrip_mangle_packet(struct sk_buff *skb,
93241 * Walk through all TCP options - if we find some option to remove,
93242 * set all octets to %TCPOPT_NOP and adjust checksum.
93244 - for (i = sizeof(struct tcphdr); i < tcp_hdrlen(skb); i += optl) {
93245 + for (i = sizeof(struct tcphdr); i < tcp_hdrlen - 1; i += optl) {
93246 optl = optlen(opt, i);
93248 - if (i + optl > tcp_hdrlen(skb))
93249 + if (i + optl > tcp_hdrlen)
93252 if (!tcpoptstrip_test_bit(info->strip_bmap, opt[i]))
93253 diff --git a/net/netfilter/xt_gradm.c b/net/netfilter/xt_gradm.c
93254 new file mode 100644
93255 index 0000000..c566332
93257 +++ b/net/netfilter/xt_gradm.c
93260 + * gradm match for netfilter
93261 + * Copyright © Zbigniew Krzystolik, 2010
93263 + * This program is free software; you can redistribute it and/or modify
93264 + * it under the terms of the GNU General Public License; either version
93265 + * 2 or 3 as published by the Free Software Foundation.
93267 +#include <linux/module.h>
93268 +#include <linux/moduleparam.h>
93269 +#include <linux/skbuff.h>
93270 +#include <linux/netfilter/x_tables.h>
93271 +#include <linux/grsecurity.h>
93272 +#include <linux/netfilter/xt_gradm.h>
93275 +gradm_mt(const struct sk_buff *skb, struct xt_action_param *par)
93277 + const struct xt_gradm_mtinfo *info = par->matchinfo;
93278 + bool retval = false;
93279 + if (gr_acl_is_enabled())
93281 + return retval ^ info->invflags;
93284 +static struct xt_match gradm_mt_reg __read_mostly = {
93287 + .family = NFPROTO_UNSPEC,
93288 + .match = gradm_mt,
93289 + .matchsize = XT_ALIGN(sizeof(struct xt_gradm_mtinfo)),
93290 + .me = THIS_MODULE,
93293 +static int __init gradm_mt_init(void)
93295 + return xt_register_match(&gradm_mt_reg);
93298 +static void __exit gradm_mt_exit(void)
93300 + xt_unregister_match(&gradm_mt_reg);
93303 +module_init(gradm_mt_init);
93304 +module_exit(gradm_mt_exit);
93305 +MODULE_AUTHOR("Zbigniew Krzystolik <zbyniu@destrukcja.pl>");
93306 +MODULE_DESCRIPTION("Xtables: Grsecurity RBAC match");
93307 +MODULE_LICENSE("GPL");
93308 +MODULE_ALIAS("ipt_gradm");
93309 +MODULE_ALIAS("ip6t_gradm");
93310 diff --git a/net/netfilter/xt_statistic.c b/net/netfilter/xt_statistic.c
93311 index 4fe4fb4..87a89e5 100644
93312 --- a/net/netfilter/xt_statistic.c
93313 +++ b/net/netfilter/xt_statistic.c
93315 #include <linux/module.h>
93317 struct xt_statistic_priv {
93319 + atomic_unchecked_t count;
93320 } ____cacheline_aligned_in_smp;
93322 MODULE_LICENSE("GPL");
93323 @@ -42,9 +42,9 @@ statistic_mt(const struct sk_buff *skb, struct xt_action_param *par)
93325 case XT_STATISTIC_MODE_NTH:
93327 - oval = atomic_read(&info->master->count);
93328 + oval = atomic_read_unchecked(&info->master->count);
93329 nval = (oval == info->u.nth.every) ? 0 : oval + 1;
93330 - } while (atomic_cmpxchg(&info->master->count, oval, nval) != oval);
93331 + } while (atomic_cmpxchg_unchecked(&info->master->count, oval, nval) != oval);
93335 @@ -64,7 +64,7 @@ static int statistic_mt_check(const struct xt_mtchk_param *par)
93336 info->master = kzalloc(sizeof(*info->master), GFP_KERNEL);
93337 if (info->master == NULL)
93339 - atomic_set(&info->master->count, info->u.nth.count);
93340 + atomic_set_unchecked(&info->master->count, info->u.nth.count);
93344 diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
93345 index 57ee84d..8b99cf5 100644
93346 --- a/net/netlink/af_netlink.c
93347 +++ b/net/netlink/af_netlink.c
93348 @@ -121,7 +121,7 @@ static void netlink_overrun(struct sock *sk)
93349 sk->sk_error_report(sk);
93352 - atomic_inc(&sk->sk_drops);
93353 + atomic_inc_unchecked(&sk->sk_drops);
93356 static void netlink_rcv_wake(struct sock *sk)
93357 @@ -2771,7 +2771,7 @@ static int netlink_seq_show(struct seq_file *seq, void *v)
93358 sk_wmem_alloc_get(s),
93360 atomic_read(&s->sk_refcnt),
93361 - atomic_read(&s->sk_drops),
93362 + atomic_read_unchecked(&s->sk_drops),
93366 diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c
93367 index 1076fe1..f190285 100644
93368 --- a/net/netlink/genetlink.c
93369 +++ b/net/netlink/genetlink.c
93370 @@ -310,18 +310,20 @@ int genl_register_ops(struct genl_family *family, struct genl_ops *ops)
93374 + pax_open_kernel();
93376 - ops->flags |= GENL_CMD_CAP_DUMP;
93377 + *(unsigned int *)&ops->flags |= GENL_CMD_CAP_DUMP;
93379 - ops->flags |= GENL_CMD_CAP_DO;
93380 + *(unsigned int *)&ops->flags |= GENL_CMD_CAP_DO;
93382 - ops->flags |= GENL_CMD_CAP_HASPOL;
93383 + *(unsigned int *)&ops->flags |= GENL_CMD_CAP_HASPOL;
93384 + pax_close_kernel();
93387 - list_add_tail(&ops->ops_list, &family->ops_list);
93388 + pax_list_add_tail((struct list_head *)&ops->ops_list, &family->ops_list);
93391 - genl_ctrl_event(CTRL_CMD_NEWOPS, ops);
93392 + genl_ctrl_event(CTRL_CMD_NEWOPS, (void *)ops);
93396 @@ -351,9 +353,9 @@ int genl_unregister_ops(struct genl_family *family, struct genl_ops *ops)
93398 list_for_each_entry(rc, &family->ops_list, ops_list) {
93400 - list_del(&ops->ops_list);
93401 + pax_list_del((struct list_head *)&ops->ops_list);
93403 - genl_ctrl_event(CTRL_CMD_DELOPS, ops);
93404 + genl_ctrl_event(CTRL_CMD_DELOPS, (void *)ops);
93408 diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
93409 index ec0c80f..41e1830 100644
93410 --- a/net/netrom/af_netrom.c
93411 +++ b/net/netrom/af_netrom.c
93412 @@ -850,7 +850,6 @@ static int nr_getname(struct socket *sock, struct sockaddr *uaddr,
93413 *uaddr_len = sizeof(struct full_sockaddr_ax25);
93415 sax->fsa_ax25.sax25_family = AF_NETROM;
93416 - sax->fsa_ax25.sax25_ndigis = 0;
93417 sax->fsa_ax25.sax25_call = nr->source_addr;
93418 *uaddr_len = sizeof(struct sockaddr_ax25);
93420 diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
93421 index 20a1bd0..bb8f1c1 100644
93422 --- a/net/packet/af_packet.c
93423 +++ b/net/packet/af_packet.c
93424 @@ -1681,7 +1681,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
93426 spin_lock(&sk->sk_receive_queue.lock);
93427 po->stats.stats1.tp_packets++;
93428 - skb->dropcount = atomic_read(&sk->sk_drops);
93429 + skb->dropcount = atomic_read_unchecked(&sk->sk_drops);
93430 __skb_queue_tail(&sk->sk_receive_queue, skb);
93431 spin_unlock(&sk->sk_receive_queue.lock);
93432 sk->sk_data_ready(sk, skb->len);
93433 @@ -1690,7 +1690,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
93435 spin_lock(&sk->sk_receive_queue.lock);
93436 po->stats.stats1.tp_drops++;
93437 - atomic_inc(&sk->sk_drops);
93438 + atomic_inc_unchecked(&sk->sk_drops);
93439 spin_unlock(&sk->sk_receive_queue.lock);
93442 @@ -2640,6 +2640,7 @@ out:
93444 static int packet_recv_error(struct sock *sk, struct msghdr *msg, int len)
93446 + struct sock_extended_err ee;
93447 struct sock_exterr_skb *serr;
93448 struct sk_buff *skb, *skb2;
93450 @@ -2661,8 +2662,9 @@ static int packet_recv_error(struct sock *sk, struct msghdr *msg, int len)
93451 sock_recv_timestamp(msg, sk, skb);
93453 serr = SKB_EXT_ERR(skb);
93455 put_cmsg(msg, SOL_PACKET, PACKET_TX_TIMESTAMP,
93456 - sizeof(serr->ee), &serr->ee);
93459 msg->msg_flags |= MSG_ERRQUEUE;
93461 @@ -3281,7 +3283,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
93462 case PACKET_HDRLEN:
93463 if (len > sizeof(int))
93465 - if (copy_from_user(&val, optval, len))
93466 + if (len > sizeof(val) || copy_from_user(&val, optval, len))
93470 @@ -3324,7 +3326,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
93472 if (put_user(len, optlen))
93474 - if (copy_to_user(optval, data, len))
93475 + if (len > sizeof(st) || copy_to_user(optval, data, len))
93479 diff --git a/net/phonet/af_phonet.c b/net/phonet/af_phonet.c
93480 index 5a940db..d6a502d 100644
93481 --- a/net/phonet/af_phonet.c
93482 +++ b/net/phonet/af_phonet.c
93483 @@ -469,7 +469,7 @@ int __init_or_module phonet_proto_register(unsigned int protocol,
93487 - if (protocol >= PHONET_NPROTO)
93488 + if (protocol < 0 || protocol >= PHONET_NPROTO)
93491 err = proto_register(pp->prot, 1);
93492 diff --git a/net/phonet/pep.c b/net/phonet/pep.c
93493 index e774117..900b8b7 100644
93494 --- a/net/phonet/pep.c
93495 +++ b/net/phonet/pep.c
93496 @@ -388,7 +388,7 @@ static int pipe_do_rcv(struct sock *sk, struct sk_buff *skb)
93498 case PNS_PEP_CTRL_REQ:
93499 if (skb_queue_len(&pn->ctrlreq_queue) >= PNPIPE_CTRLREQ_MAX) {
93500 - atomic_inc(&sk->sk_drops);
93501 + atomic_inc_unchecked(&sk->sk_drops);
93504 __skb_pull(skb, 4);
93505 @@ -409,7 +409,7 @@ static int pipe_do_rcv(struct sock *sk, struct sk_buff *skb)
93508 if (pn->rx_credits == 0) {
93509 - atomic_inc(&sk->sk_drops);
93510 + atomic_inc_unchecked(&sk->sk_drops);
93514 @@ -580,7 +580,7 @@ static int pipe_handler_do_rcv(struct sock *sk, struct sk_buff *skb)
93517 if (pn->rx_credits == 0) {
93518 - atomic_inc(&sk->sk_drops);
93519 + atomic_inc_unchecked(&sk->sk_drops);
93523 diff --git a/net/phonet/socket.c b/net/phonet/socket.c
93524 index 1afd138..0b42453 100644
93525 --- a/net/phonet/socket.c
93526 +++ b/net/phonet/socket.c
93527 @@ -612,7 +612,7 @@ static int pn_sock_seq_show(struct seq_file *seq, void *v)
93528 from_kuid_munged(seq_user_ns(seq), sock_i_uid(sk)),
93530 atomic_read(&sk->sk_refcnt), sk,
93531 - atomic_read(&sk->sk_drops), &len);
93532 + atomic_read_unchecked(&sk->sk_drops), &len);
93534 seq_printf(seq, "%*s\n", 127 - len, "");
93536 diff --git a/net/phonet/sysctl.c b/net/phonet/sysctl.c
93537 index d6bbbbd..61561e4 100644
93538 --- a/net/phonet/sysctl.c
93539 +++ b/net/phonet/sysctl.c
93540 @@ -67,7 +67,7 @@ static int proc_local_port_range(ctl_table *table, int write,
93543 int range[2] = {local_port_range[0], local_port_range[1]};
93544 - ctl_table tmp = {
93545 + ctl_table_no_const tmp = {
93547 .maxlen = sizeof(range),
93548 .mode = table->mode,
93549 diff --git a/net/rds/cong.c b/net/rds/cong.c
93550 index e5b65ac..f3b6fb7 100644
93551 --- a/net/rds/cong.c
93552 +++ b/net/rds/cong.c
93554 * finds that the saved generation number is smaller than the global generation
93555 * number, it wakes up the process.
93557 -static atomic_t rds_cong_generation = ATOMIC_INIT(0);
93558 +static atomic_unchecked_t rds_cong_generation = ATOMIC_INIT(0);
93561 * Congestion monitoring
93562 @@ -233,7 +233,7 @@ void rds_cong_map_updated(struct rds_cong_map *map, uint64_t portmask)
93563 rdsdebug("waking map %p for %pI4\n",
93564 map, &map->m_addr);
93565 rds_stats_inc(s_cong_update_received);
93566 - atomic_inc(&rds_cong_generation);
93567 + atomic_inc_unchecked(&rds_cong_generation);
93568 if (waitqueue_active(&map->m_waitq))
93569 wake_up(&map->m_waitq);
93570 if (waitqueue_active(&rds_poll_waitq))
93571 @@ -259,7 +259,7 @@ EXPORT_SYMBOL_GPL(rds_cong_map_updated);
93573 int rds_cong_updated_since(unsigned long *recent)
93575 - unsigned long gen = atomic_read(&rds_cong_generation);
93576 + unsigned long gen = atomic_read_unchecked(&rds_cong_generation);
93578 if (likely(*recent == gen))
93580 diff --git a/net/rds/ib.h b/net/rds/ib.h
93581 index 7280ab8..e04f4ea 100644
93584 @@ -128,7 +128,7 @@ struct rds_ib_connection {
93586 unsigned long i_ack_flags;
93587 #ifdef KERNEL_HAS_ATOMIC64
93588 - atomic64_t i_ack_next; /* next ACK to send */
93589 + atomic64_unchecked_t i_ack_next; /* next ACK to send */
93591 spinlock_t i_ack_lock; /* protect i_ack_next */
93592 u64 i_ack_next; /* next ACK to send */
93593 diff --git a/net/rds/ib_cm.c b/net/rds/ib_cm.c
93594 index 31b74f5..dc1fbfa 100644
93595 --- a/net/rds/ib_cm.c
93596 +++ b/net/rds/ib_cm.c
93597 @@ -717,7 +717,7 @@ void rds_ib_conn_shutdown(struct rds_connection *conn)
93598 /* Clear the ACK state */
93599 clear_bit(IB_ACK_IN_FLIGHT, &ic->i_ack_flags);
93600 #ifdef KERNEL_HAS_ATOMIC64
93601 - atomic64_set(&ic->i_ack_next, 0);
93602 + atomic64_set_unchecked(&ic->i_ack_next, 0);
93604 ic->i_ack_next = 0;
93606 diff --git a/net/rds/ib_recv.c b/net/rds/ib_recv.c
93607 index 8eb9501..0c386ff 100644
93608 --- a/net/rds/ib_recv.c
93609 +++ b/net/rds/ib_recv.c
93610 @@ -597,7 +597,7 @@ static u64 rds_ib_get_ack(struct rds_ib_connection *ic)
93611 static void rds_ib_set_ack(struct rds_ib_connection *ic, u64 seq,
93614 - atomic64_set(&ic->i_ack_next, seq);
93615 + atomic64_set_unchecked(&ic->i_ack_next, seq);
93616 if (ack_required) {
93617 smp_mb__before_clear_bit();
93618 set_bit(IB_ACK_REQUESTED, &ic->i_ack_flags);
93619 @@ -609,7 +609,7 @@ static u64 rds_ib_get_ack(struct rds_ib_connection *ic)
93620 clear_bit(IB_ACK_REQUESTED, &ic->i_ack_flags);
93621 smp_mb__after_clear_bit();
93623 - return atomic64_read(&ic->i_ack_next);
93624 + return atomic64_read_unchecked(&ic->i_ack_next);
93628 diff --git a/net/rds/iw.h b/net/rds/iw.h
93629 index 04ce3b1..48119a6 100644
93632 @@ -134,7 +134,7 @@ struct rds_iw_connection {
93634 unsigned long i_ack_flags;
93635 #ifdef KERNEL_HAS_ATOMIC64
93636 - atomic64_t i_ack_next; /* next ACK to send */
93637 + atomic64_unchecked_t i_ack_next; /* next ACK to send */
93639 spinlock_t i_ack_lock; /* protect i_ack_next */
93640 u64 i_ack_next; /* next ACK to send */
93641 diff --git a/net/rds/iw_cm.c b/net/rds/iw_cm.c
93642 index a91e1db..cf3053f 100644
93643 --- a/net/rds/iw_cm.c
93644 +++ b/net/rds/iw_cm.c
93645 @@ -663,7 +663,7 @@ void rds_iw_conn_shutdown(struct rds_connection *conn)
93646 /* Clear the ACK state */
93647 clear_bit(IB_ACK_IN_FLIGHT, &ic->i_ack_flags);
93648 #ifdef KERNEL_HAS_ATOMIC64
93649 - atomic64_set(&ic->i_ack_next, 0);
93650 + atomic64_set_unchecked(&ic->i_ack_next, 0);
93652 ic->i_ack_next = 0;
93654 diff --git a/net/rds/iw_recv.c b/net/rds/iw_recv.c
93655 index 4503335..db566b4 100644
93656 --- a/net/rds/iw_recv.c
93657 +++ b/net/rds/iw_recv.c
93658 @@ -427,7 +427,7 @@ static u64 rds_iw_get_ack(struct rds_iw_connection *ic)
93659 static void rds_iw_set_ack(struct rds_iw_connection *ic, u64 seq,
93662 - atomic64_set(&ic->i_ack_next, seq);
93663 + atomic64_set_unchecked(&ic->i_ack_next, seq);
93664 if (ack_required) {
93665 smp_mb__before_clear_bit();
93666 set_bit(IB_ACK_REQUESTED, &ic->i_ack_flags);
93667 @@ -439,7 +439,7 @@ static u64 rds_iw_get_ack(struct rds_iw_connection *ic)
93668 clear_bit(IB_ACK_REQUESTED, &ic->i_ack_flags);
93669 smp_mb__after_clear_bit();
93671 - return atomic64_read(&ic->i_ack_next);
93672 + return atomic64_read_unchecked(&ic->i_ack_next);
93676 diff --git a/net/rds/rds.h b/net/rds/rds.h
93677 index ec1d731..90a3a8d 100644
93678 --- a/net/rds/rds.h
93679 +++ b/net/rds/rds.h
93680 @@ -449,7 +449,7 @@ struct rds_transport {
93681 void (*sync_mr)(void *trans_private, int direction);
93682 void (*free_mr)(void *trans_private, int invalidate);
93683 void (*flush_mrs)(void);
93689 diff --git a/net/rds/tcp.c b/net/rds/tcp.c
93690 index edac9ef..16bcb98 100644
93691 --- a/net/rds/tcp.c
93692 +++ b/net/rds/tcp.c
93693 @@ -59,7 +59,7 @@ void rds_tcp_nonagle(struct socket *sock)
93697 - sock->ops->setsockopt(sock, SOL_TCP, TCP_NODELAY, (char __user *)&val,
93698 + sock->ops->setsockopt(sock, SOL_TCP, TCP_NODELAY, (char __force_user *)&val,
93702 diff --git a/net/rds/tcp_send.c b/net/rds/tcp_send.c
93703 index 81cf5a4..b5826ff 100644
93704 --- a/net/rds/tcp_send.c
93705 +++ b/net/rds/tcp_send.c
93706 @@ -43,7 +43,7 @@ static void rds_tcp_cork(struct socket *sock, int val)
93710 - sock->ops->setsockopt(sock, SOL_TCP, TCP_CORK, (char __user *)&val,
93711 + sock->ops->setsockopt(sock, SOL_TCP, TCP_CORK, (char __force_user *)&val,
93715 diff --git a/net/rxrpc/af_rxrpc.c b/net/rxrpc/af_rxrpc.c
93716 index e61aa60..f07cc89 100644
93717 --- a/net/rxrpc/af_rxrpc.c
93718 +++ b/net/rxrpc/af_rxrpc.c
93719 @@ -40,7 +40,7 @@ static const struct proto_ops rxrpc_rpc_ops;
93720 __be32 rxrpc_epoch;
93722 /* current debugging ID */
93723 -atomic_t rxrpc_debug_id;
93724 +atomic_unchecked_t rxrpc_debug_id;
93726 /* count of skbs currently in use */
93727 atomic_t rxrpc_n_skbs;
93728 diff --git a/net/rxrpc/ar-ack.c b/net/rxrpc/ar-ack.c
93729 index e4d9cbc..b229649 100644
93730 --- a/net/rxrpc/ar-ack.c
93731 +++ b/net/rxrpc/ar-ack.c
93732 @@ -175,7 +175,7 @@ static void rxrpc_resend(struct rxrpc_call *call)
93734 _enter("{%d,%d,%d,%d},",
93735 call->acks_hard, call->acks_unacked,
93736 - atomic_read(&call->sequence),
93737 + atomic_read_unchecked(&call->sequence),
93738 CIRC_CNT(call->acks_head, call->acks_tail, call->acks_winsz));
93741 @@ -199,7 +199,7 @@ static void rxrpc_resend(struct rxrpc_call *call)
93743 /* each Tx packet has a new serial number */
93745 - htonl(atomic_inc_return(&call->conn->serial));
93746 + htonl(atomic_inc_return_unchecked(&call->conn->serial));
93748 hdr = (struct rxrpc_header *) txb->head;
93749 hdr->serial = sp->hdr.serial;
93750 @@ -403,7 +403,7 @@ static void rxrpc_rotate_tx_window(struct rxrpc_call *call, u32 hard)
93752 static void rxrpc_clear_tx_window(struct rxrpc_call *call)
93754 - rxrpc_rotate_tx_window(call, atomic_read(&call->sequence));
93755 + rxrpc_rotate_tx_window(call, atomic_read_unchecked(&call->sequence));
93759 @@ -629,7 +629,7 @@ process_further:
93761 latest = ntohl(sp->hdr.serial);
93762 hard = ntohl(ack.firstPacket);
93763 - tx = atomic_read(&call->sequence);
93764 + tx = atomic_read_unchecked(&call->sequence);
93766 _proto("Rx ACK %%%u { m=%hu f=#%u p=#%u s=%%%u r=%s n=%u }",
93768 @@ -1161,7 +1161,7 @@ void rxrpc_process_call(struct work_struct *work)
93769 goto maybe_reschedule;
93771 send_ACK_with_skew:
93772 - ack.maxSkew = htons(atomic_read(&call->conn->hi_serial) -
93773 + ack.maxSkew = htons(atomic_read_unchecked(&call->conn->hi_serial) -
93774 ntohl(ack.serial));
93776 mtu = call->conn->trans->peer->if_mtu;
93777 @@ -1173,7 +1173,7 @@ send_ACK:
93778 ackinfo.rxMTU = htonl(5692);
93779 ackinfo.jumbo_max = htonl(4);
93781 - hdr.serial = htonl(atomic_inc_return(&call->conn->serial));
93782 + hdr.serial = htonl(atomic_inc_return_unchecked(&call->conn->serial));
93783 _proto("Tx ACK %%%u { m=%hu f=#%u p=#%u s=%%%u r=%s n=%u }",
93785 ntohs(ack.maxSkew),
93786 @@ -1191,7 +1191,7 @@ send_ACK:
93788 _debug("send message");
93790 - hdr.serial = htonl(atomic_inc_return(&call->conn->serial));
93791 + hdr.serial = htonl(atomic_inc_return_unchecked(&call->conn->serial));
93792 _proto("Tx %s %%%u", rxrpc_pkts[hdr.type], ntohl(hdr.serial));
93795 diff --git a/net/rxrpc/ar-call.c b/net/rxrpc/ar-call.c
93796 index a3bbb36..3341fb9 100644
93797 --- a/net/rxrpc/ar-call.c
93798 +++ b/net/rxrpc/ar-call.c
93799 @@ -83,7 +83,7 @@ static struct rxrpc_call *rxrpc_alloc_call(gfp_t gfp)
93800 spin_lock_init(&call->lock);
93801 rwlock_init(&call->state_lock);
93802 atomic_set(&call->usage, 1);
93803 - call->debug_id = atomic_inc_return(&rxrpc_debug_id);
93804 + call->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
93805 call->state = RXRPC_CALL_CLIENT_SEND_REQUEST;
93807 memset(&call->sock_node, 0xed, sizeof(call->sock_node));
93808 diff --git a/net/rxrpc/ar-connection.c b/net/rxrpc/ar-connection.c
93809 index 4106ca9..a338d7a 100644
93810 --- a/net/rxrpc/ar-connection.c
93811 +++ b/net/rxrpc/ar-connection.c
93812 @@ -206,7 +206,7 @@ static struct rxrpc_connection *rxrpc_alloc_connection(gfp_t gfp)
93813 rwlock_init(&conn->lock);
93814 spin_lock_init(&conn->state_lock);
93815 atomic_set(&conn->usage, 1);
93816 - conn->debug_id = atomic_inc_return(&rxrpc_debug_id);
93817 + conn->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
93818 conn->avail_calls = RXRPC_MAXCALLS;
93819 conn->size_align = 4;
93820 conn->header_size = sizeof(struct rxrpc_header);
93821 diff --git a/net/rxrpc/ar-connevent.c b/net/rxrpc/ar-connevent.c
93822 index e7ed43a..6afa140 100644
93823 --- a/net/rxrpc/ar-connevent.c
93824 +++ b/net/rxrpc/ar-connevent.c
93825 @@ -109,7 +109,7 @@ static int rxrpc_abort_connection(struct rxrpc_connection *conn,
93827 len = iov[0].iov_len + iov[1].iov_len;
93829 - hdr.serial = htonl(atomic_inc_return(&conn->serial));
93830 + hdr.serial = htonl(atomic_inc_return_unchecked(&conn->serial));
93831 _proto("Tx CONN ABORT %%%u { %d }", ntohl(hdr.serial), abort_code);
93833 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 2, len);
93834 diff --git a/net/rxrpc/ar-input.c b/net/rxrpc/ar-input.c
93835 index 529572f..c758ca7 100644
93836 --- a/net/rxrpc/ar-input.c
93837 +++ b/net/rxrpc/ar-input.c
93838 @@ -340,9 +340,9 @@ void rxrpc_fast_process_packet(struct rxrpc_call *call, struct sk_buff *skb)
93839 /* track the latest serial number on this connection for ACK packet
93841 serial = ntohl(sp->hdr.serial);
93842 - hi_serial = atomic_read(&call->conn->hi_serial);
93843 + hi_serial = atomic_read_unchecked(&call->conn->hi_serial);
93844 while (serial > hi_serial)
93845 - hi_serial = atomic_cmpxchg(&call->conn->hi_serial, hi_serial,
93846 + hi_serial = atomic_cmpxchg_unchecked(&call->conn->hi_serial, hi_serial,
93849 /* request ACK generation for any ACK or DATA packet that requests
93850 diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h
93851 index a693aca..81e7293 100644
93852 --- a/net/rxrpc/ar-internal.h
93853 +++ b/net/rxrpc/ar-internal.h
93854 @@ -272,8 +272,8 @@ struct rxrpc_connection {
93855 int error; /* error code for local abort */
93856 int debug_id; /* debug ID for printks */
93857 unsigned int call_counter; /* call ID counter */
93858 - atomic_t serial; /* packet serial number counter */
93859 - atomic_t hi_serial; /* highest serial number received */
93860 + atomic_unchecked_t serial; /* packet serial number counter */
93861 + atomic_unchecked_t hi_serial; /* highest serial number received */
93862 u8 avail_calls; /* number of calls available */
93863 u8 size_align; /* data size alignment (for security) */
93864 u8 header_size; /* rxrpc + security header size */
93865 @@ -346,7 +346,7 @@ struct rxrpc_call {
93867 rwlock_t state_lock; /* lock for state transition */
93869 - atomic_t sequence; /* Tx data packet sequence counter */
93870 + atomic_unchecked_t sequence; /* Tx data packet sequence counter */
93871 u32 abort_code; /* local/remote abort code */
93872 enum { /* current state of call */
93873 RXRPC_CALL_CLIENT_SEND_REQUEST, /* - client sending request phase */
93874 @@ -420,7 +420,7 @@ static inline void rxrpc_abort_call(struct rxrpc_call *call, u32 abort_code)
93876 extern atomic_t rxrpc_n_skbs;
93877 extern __be32 rxrpc_epoch;
93878 -extern atomic_t rxrpc_debug_id;
93879 +extern atomic_unchecked_t rxrpc_debug_id;
93880 extern struct workqueue_struct *rxrpc_workqueue;
93883 diff --git a/net/rxrpc/ar-local.c b/net/rxrpc/ar-local.c
93884 index 87f7135..74d3703 100644
93885 --- a/net/rxrpc/ar-local.c
93886 +++ b/net/rxrpc/ar-local.c
93887 @@ -45,7 +45,7 @@ struct rxrpc_local *rxrpc_alloc_local(struct sockaddr_rxrpc *srx)
93888 spin_lock_init(&local->lock);
93889 rwlock_init(&local->services_lock);
93890 atomic_set(&local->usage, 1);
93891 - local->debug_id = atomic_inc_return(&rxrpc_debug_id);
93892 + local->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
93893 memcpy(&local->srx, srx, sizeof(*srx));
93896 diff --git a/net/rxrpc/ar-output.c b/net/rxrpc/ar-output.c
93897 index e1ac183..b43e10e 100644
93898 --- a/net/rxrpc/ar-output.c
93899 +++ b/net/rxrpc/ar-output.c
93900 @@ -682,9 +682,9 @@ static int rxrpc_send_data(struct kiocb *iocb,
93901 sp->hdr.cid = call->cid;
93902 sp->hdr.callNumber = call->call_id;
93904 - htonl(atomic_inc_return(&call->sequence));
93905 + htonl(atomic_inc_return_unchecked(&call->sequence));
93907 - htonl(atomic_inc_return(&conn->serial));
93908 + htonl(atomic_inc_return_unchecked(&conn->serial));
93909 sp->hdr.type = RXRPC_PACKET_TYPE_DATA;
93910 sp->hdr.userStatus = 0;
93911 sp->hdr.securityIndex = conn->security_ix;
93912 diff --git a/net/rxrpc/ar-peer.c b/net/rxrpc/ar-peer.c
93913 index bebaa43..2644591 100644
93914 --- a/net/rxrpc/ar-peer.c
93915 +++ b/net/rxrpc/ar-peer.c
93916 @@ -72,7 +72,7 @@ static struct rxrpc_peer *rxrpc_alloc_peer(struct sockaddr_rxrpc *srx,
93917 INIT_LIST_HEAD(&peer->error_targets);
93918 spin_lock_init(&peer->lock);
93919 atomic_set(&peer->usage, 1);
93920 - peer->debug_id = atomic_inc_return(&rxrpc_debug_id);
93921 + peer->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
93922 memcpy(&peer->srx, srx, sizeof(*srx));
93924 rxrpc_assess_MTU_size(peer);
93925 diff --git a/net/rxrpc/ar-proc.c b/net/rxrpc/ar-proc.c
93926 index 38047f7..9f48511 100644
93927 --- a/net/rxrpc/ar-proc.c
93928 +++ b/net/rxrpc/ar-proc.c
93929 @@ -164,8 +164,8 @@ static int rxrpc_connection_seq_show(struct seq_file *seq, void *v)
93930 atomic_read(&conn->usage),
93931 rxrpc_conn_states[conn->state],
93932 key_serial(conn->key),
93933 - atomic_read(&conn->serial),
93934 - atomic_read(&conn->hi_serial));
93935 + atomic_read_unchecked(&conn->serial),
93936 + atomic_read_unchecked(&conn->hi_serial));
93940 diff --git a/net/rxrpc/ar-transport.c b/net/rxrpc/ar-transport.c
93941 index 92df566..87ec1bf 100644
93942 --- a/net/rxrpc/ar-transport.c
93943 +++ b/net/rxrpc/ar-transport.c
93944 @@ -47,7 +47,7 @@ static struct rxrpc_transport *rxrpc_alloc_transport(struct rxrpc_local *local,
93945 spin_lock_init(&trans->client_lock);
93946 rwlock_init(&trans->conn_lock);
93947 atomic_set(&trans->usage, 1);
93948 - trans->debug_id = atomic_inc_return(&rxrpc_debug_id);
93949 + trans->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
93951 if (peer->srx.transport.family == AF_INET) {
93952 switch (peer->srx.transport_type) {
93953 diff --git a/net/rxrpc/rxkad.c b/net/rxrpc/rxkad.c
93954 index f226709..0e735a8 100644
93955 --- a/net/rxrpc/rxkad.c
93956 +++ b/net/rxrpc/rxkad.c
93957 @@ -610,7 +610,7 @@ static int rxkad_issue_challenge(struct rxrpc_connection *conn)
93959 len = iov[0].iov_len + iov[1].iov_len;
93961 - hdr.serial = htonl(atomic_inc_return(&conn->serial));
93962 + hdr.serial = htonl(atomic_inc_return_unchecked(&conn->serial));
93963 _proto("Tx CHALLENGE %%%u", ntohl(hdr.serial));
93965 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 2, len);
93966 @@ -660,7 +660,7 @@ static int rxkad_send_response(struct rxrpc_connection *conn,
93968 len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
93970 - hdr->serial = htonl(atomic_inc_return(&conn->serial));
93971 + hdr->serial = htonl(atomic_inc_return_unchecked(&conn->serial));
93972 _proto("Tx RESPONSE %%%u", ntohl(hdr->serial));
93974 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len);
93975 diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
93976 index 391a245..296b3d7 100644
93977 --- a/net/sctp/ipv6.c
93978 +++ b/net/sctp/ipv6.c
93979 @@ -981,7 +981,7 @@ static const struct inet6_protocol sctpv6_protocol = {
93980 .flags = INET6_PROTO_NOPOLICY | INET6_PROTO_FINAL,
93983 -static struct sctp_af sctp_af_inet6 = {
93984 +static struct sctp_af sctp_af_inet6 __read_only = {
93985 .sa_family = AF_INET6,
93986 .sctp_xmit = sctp_v6_xmit,
93987 .setsockopt = ipv6_setsockopt,
93988 @@ -1013,7 +1013,7 @@ static struct sctp_af sctp_af_inet6 = {
93992 -static struct sctp_pf sctp_pf_inet6 = {
93993 +static struct sctp_pf sctp_pf_inet6 __read_only = {
93994 .event_msgname = sctp_inet6_event_msgname,
93995 .skb_msgname = sctp_inet6_skb_msgname,
93996 .af_supported = sctp_inet6_af_supported,
93997 @@ -1038,7 +1038,7 @@ void sctp_v6_pf_init(void)
93999 void sctp_v6_pf_exit(void)
94001 - list_del(&sctp_af_inet6.list);
94002 + pax_list_del(&sctp_af_inet6.list);
94005 /* Initialize IPv6 support and register with socket layer. */
94006 diff --git a/net/sctp/proc.c b/net/sctp/proc.c
94007 index 4e45ee3..e66a031 100644
94008 --- a/net/sctp/proc.c
94009 +++ b/net/sctp/proc.c
94010 @@ -337,7 +337,8 @@ static int sctp_assocs_seq_show(struct seq_file *seq, void *v)
94012 "%8pK %8pK %-3d %-3d %-2d %-4d "
94013 "%4d %8d %8d %7d %5lu %-5d %5d ",
94014 - assoc, sk, sctp_sk(sk)->type, sk->sk_state,
94016 + sctp_sk(sk)->type, sk->sk_state,
94017 assoc->state, hash,
94019 assoc->sndbuf_used,
94020 diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
94021 index eaee00c..97c0afd 100644
94022 --- a/net/sctp/protocol.c
94023 +++ b/net/sctp/protocol.c
94024 @@ -834,8 +834,10 @@ int sctp_register_af(struct sctp_af *af)
94028 + pax_open_kernel();
94029 INIT_LIST_HEAD(&af->list);
94030 - list_add_tail(&af->list, &sctp_address_families);
94031 + pax_close_kernel();
94032 + pax_list_add_tail(&af->list, &sctp_address_families);
94036 @@ -966,7 +968,7 @@ static inline int sctp_v4_xmit(struct sk_buff *skb,
94038 static struct sctp_af sctp_af_inet;
94040 -static struct sctp_pf sctp_pf_inet = {
94041 +static struct sctp_pf sctp_pf_inet __read_only = {
94042 .event_msgname = sctp_inet_event_msgname,
94043 .skb_msgname = sctp_inet_skb_msgname,
94044 .af_supported = sctp_inet_af_supported,
94045 @@ -1037,7 +1039,7 @@ static const struct net_protocol sctp_protocol = {
94048 /* IPv4 address related functions. */
94049 -static struct sctp_af sctp_af_inet = {
94050 +static struct sctp_af sctp_af_inet __read_only = {
94051 .sa_family = AF_INET,
94052 .sctp_xmit = sctp_v4_xmit,
94053 .setsockopt = ip_setsockopt,
94054 @@ -1122,7 +1124,7 @@ static void sctp_v4_pf_init(void)
94056 static void sctp_v4_pf_exit(void)
94058 - list_del(&sctp_af_inet.list);
94059 + pax_list_del(&sctp_af_inet.list);
94062 static int sctp_v4_protosw_init(void)
94063 diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c
94064 index 8aab894..f6b7e7d 100644
94065 --- a/net/sctp/sm_sideeffect.c
94066 +++ b/net/sctp/sm_sideeffect.c
94067 @@ -447,7 +447,7 @@ static void sctp_generate_sack_event(unsigned long data)
94068 sctp_generate_timeout_event(asoc, SCTP_EVENT_TIMEOUT_SACK);
94071 -sctp_timer_event_t *sctp_timer_events[SCTP_NUM_TIMEOUT_TYPES] = {
94072 +sctp_timer_event_t * const sctp_timer_events[SCTP_NUM_TIMEOUT_TYPES] = {
94074 sctp_generate_t1_cookie_event,
94075 sctp_generate_t1_init_event,
94076 diff --git a/net/sctp/socket.c b/net/sctp/socket.c
94077 index 6abb1ca..1678f8b 100644
94078 --- a/net/sctp/socket.c
94079 +++ b/net/sctp/socket.c
94080 @@ -2167,11 +2167,13 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval,
94082 struct sctp_association *asoc;
94083 struct sctp_ulpevent *event;
94084 + struct sctp_event_subscribe subscribe;
94086 if (optlen > sizeof(struct sctp_event_subscribe))
94088 - if (copy_from_user(&sctp_sk(sk)->subscribe, optval, optlen))
94089 + if (copy_from_user(&subscribe, optval, optlen))
94091 + sctp_sk(sk)->subscribe = subscribe;
94094 * At the time when a user app subscribes to SCTP_SENDER_DRY_EVENT,
94095 @@ -4222,13 +4224,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len,
94096 static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
94097 int __user *optlen)
94099 + struct sctp_event_subscribe subscribe;
94103 if (len > sizeof(struct sctp_event_subscribe))
94104 len = sizeof(struct sctp_event_subscribe);
94105 if (put_user(len, optlen))
94107 - if (copy_to_user(optval, &sctp_sk(sk)->subscribe, len))
94108 + subscribe = sctp_sk(sk)->subscribe;
94109 + if (copy_to_user(optval, &subscribe, len))
94113 @@ -4246,6 +4251,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
94115 static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optval, int __user *optlen)
94119 /* Applicable to UDP-style socket only */
94120 if (sctp_style(sk, TCP))
94121 return -EOPNOTSUPP;
94122 @@ -4254,7 +4261,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv
94124 if (put_user(len, optlen))
94126 - if (copy_to_user(optval, &sctp_sk(sk)->autoclose, sizeof(int)))
94127 + autoclose = sctp_sk(sk)->autoclose;
94128 + if (copy_to_user(optval, &autoclose, sizeof(int)))
94132 @@ -4626,12 +4634,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len,
94134 static int sctp_getsockopt_initmsg(struct sock *sk, int len, char __user *optval, int __user *optlen)
94136 + struct sctp_initmsg initmsg;
94138 if (len < sizeof(struct sctp_initmsg))
94140 len = sizeof(struct sctp_initmsg);
94141 if (put_user(len, optlen))
94143 - if (copy_to_user(optval, &sctp_sk(sk)->initmsg, len))
94144 + initmsg = sctp_sk(sk)->initmsg;
94145 + if (copy_to_user(optval, &initmsg, len))
94149 @@ -4672,6 +4683,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len,
94150 addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
94151 if (space_left < addrlen)
94153 + if (addrlen > sizeof(temp) || addrlen < 0)
94155 if (copy_to_user(to, &temp, addrlen))
94158 diff --git a/net/sctp/sysctl.c b/net/sctp/sysctl.c
94159 index bf3c6e8..376d8d0 100644
94160 --- a/net/sctp/sysctl.c
94161 +++ b/net/sctp/sysctl.c
94162 @@ -307,7 +307,7 @@ static int proc_sctp_do_hmac_alg(ctl_table *ctl,
94164 struct net *net = current->nsproxy->net_ns;
94167 + ctl_table_no_const tbl;
94170 char *none = "none";
94171 @@ -350,7 +350,7 @@ static int proc_sctp_do_hmac_alg(ctl_table *ctl,
94173 int sctp_sysctl_net_register(struct net *net)
94175 - struct ctl_table *table;
94176 + ctl_table_no_const *table;
94179 table = kmemdup(sctp_net_table, sizeof(sctp_net_table), GFP_KERNEL);
94180 diff --git a/net/sctp/transport.c b/net/sctp/transport.c
94181 index 098f1d5f..60da2f7 100644
94182 --- a/net/sctp/transport.c
94183 +++ b/net/sctp/transport.c
94184 @@ -178,12 +178,12 @@ static void sctp_transport_destroy(struct sctp_transport *transport)
94186 SCTP_ASSERT(transport->dead, "Transport is not dead", return);
94188 - call_rcu(&transport->rcu, sctp_transport_destroy_rcu);
94190 sctp_packet_free(&transport->packet);
94192 if (transport->asoc)
94193 sctp_association_put(transport->asoc);
94195 + call_rcu(&transport->rcu, sctp_transport_destroy_rcu);
94198 /* Start T3_rtx timer if it is not already running and update the heartbeat
94199 diff --git a/net/socket.c b/net/socket.c
94200 index 4ca1526..df83e47 100644
94204 #include <linux/magic.h>
94205 #include <linux/slab.h>
94206 #include <linux/xattr.h>
94207 +#include <linux/in.h>
94209 #include <asm/uaccess.h>
94210 #include <asm/unistd.h>
94211 @@ -105,6 +106,8 @@
94212 #include <linux/sockios.h>
94213 #include <linux/atalk.h>
94215 +#include <linux/grsock.h>
94217 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
94218 static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
94219 unsigned long nr_segs, loff_t pos);
94220 @@ -321,7 +324,7 @@ static struct dentry *sockfs_mount(struct file_system_type *fs_type,
94221 &sockfs_dentry_operations, SOCKFS_MAGIC);
94224 -static struct vfsmount *sock_mnt __read_mostly;
94225 +struct vfsmount *sock_mnt __read_mostly;
94227 static struct file_system_type sock_fs_type = {
94229 @@ -1246,6 +1249,8 @@ int __sock_create(struct net *net, int family, int type, int protocol,
94230 return -EAFNOSUPPORT;
94231 if (type < 0 || type >= SOCK_MAX)
94233 + if (protocol < 0)
94238 @@ -1377,6 +1382,16 @@ SYSCALL_DEFINE3(socket, int, family, int, type, int, protocol)
94239 if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
94240 flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
94242 + if(!gr_search_socket(family, type, protocol)) {
94243 + retval = -EACCES;
94247 + if (gr_handle_sock_all(family, type, protocol)) {
94248 + retval = -EACCES;
94252 retval = sock_create(family, type, protocol, &sock);
94255 @@ -1504,6 +1519,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen)
94257 err = move_addr_to_kernel(umyaddr, addrlen, &address);
94259 + if (gr_handle_sock_server((struct sockaddr *)&address)) {
94263 + err = gr_search_bind(sock, (struct sockaddr_in *)&address);
94267 err = security_socket_bind(sock,
94268 (struct sockaddr *)&address,
94270 @@ -1512,6 +1535,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen)
94271 (struct sockaddr *)
94272 &address, addrlen);
94275 fput_light(sock->file, fput_needed);
94278 @@ -1535,10 +1559,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, backlog)
94279 if ((unsigned int)backlog > somaxconn)
94280 backlog = somaxconn;
94282 + if (gr_handle_sock_server_other(sock->sk)) {
94287 + err = gr_search_listen(sock);
94291 err = security_socket_listen(sock, backlog);
94293 err = sock->ops->listen(sock, backlog);
94296 fput_light(sock->file, fput_needed);
94299 @@ -1582,6 +1616,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
94300 newsock->type = sock->type;
94301 newsock->ops = sock->ops;
94303 + if (gr_handle_sock_server_other(sock->sk)) {
94305 + sock_release(newsock);
94309 + err = gr_search_accept(sock);
94311 + sock_release(newsock);
94316 * We don't need try_module_get here, as the listening socket (sock)
94317 * has the protocol module (sock->ops->owner) held.
94318 @@ -1627,6 +1673,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
94319 fd_install(newfd, newfile);
94322 + gr_attach_curr_ip(newsock->sk);
94325 fput_light(sock->file, fput_needed);
94327 @@ -1659,6 +1707,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr,
94330 struct socket *sock;
94331 + struct sockaddr *sck;
94332 struct sockaddr_storage address;
94333 int err, fput_needed;
94335 @@ -1669,6 +1718,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr,
94339 + sck = (struct sockaddr *)&address;
94341 + if (gr_handle_sock_client(sck)) {
94346 + err = gr_search_connect(sock, (struct sockaddr_in *)sck);
94351 security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
94353 @@ -1750,6 +1810,8 @@ SYSCALL_DEFINE3(getpeername, int, fd, struct sockaddr __user *, usockaddr,
94357 +asmlinkage long sys_sendto(int, void *, size_t, unsigned, struct sockaddr *, int);
94359 SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len,
94360 unsigned int, flags, struct sockaddr __user *, addr,
94362 @@ -1816,7 +1878,7 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
94363 struct socket *sock;
94366 - struct sockaddr_storage address;
94367 + struct sockaddr_storage address = { };
94371 @@ -2023,7 +2085,7 @@ static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
94372 * checking falls down on this.
94374 if (copy_from_user(ctl_buf,
94375 - (void __user __force *)msg_sys->msg_control,
94376 + (void __force_user *)msg_sys->msg_control,
94379 msg_sys->msg_control = ctl_buf;
94380 @@ -2174,7 +2236,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
94381 int err, total_len, len;
94383 /* kernel mode address */
94384 - struct sockaddr_storage addr;
94385 + struct sockaddr_storage addr = { };
94387 /* user mode address pointers */
94388 struct sockaddr __user *uaddr;
94389 @@ -2202,7 +2264,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
94390 * kernel msghdr to use the kernel address space)
94393 - uaddr = (__force void __user *)msg_sys->msg_name;
94394 + uaddr = (void __force_user *)msg_sys->msg_name;
94395 uaddr_len = COMPAT_NAMELEN(msg);
94396 if (MSG_CMSG_COMPAT & flags) {
94397 err = verify_compat_iovec(msg_sys, iov, &addr, VERIFY_WRITE);
94398 @@ -2955,7 +3017,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd,
94401 err = dev_ioctl(net, cmd,
94402 - (struct ifreq __user __force *) &kifr);
94403 + (struct ifreq __force_user *) &kifr);
94407 @@ -3064,7 +3126,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd,
94411 - err = dev_ioctl(net, cmd, (void __user __force *)&ifr);
94412 + err = dev_ioctl(net, cmd, (void __force_user *)&ifr);
94415 if (cmd == SIOCGIFMAP && !err) {
94416 @@ -3169,7 +3231,7 @@ static int routing_ioctl(struct net *net, struct socket *sock,
94417 ret |= __get_user(rtdev, &(ur4->rt_dev));
94419 ret |= copy_from_user(devname, compat_ptr(rtdev), 15);
94420 - r4.rt_dev = (char __user __force *)devname;
94421 + r4.rt_dev = (char __force_user *)devname;
94425 @@ -3395,8 +3457,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname,
94426 int __user *uoptlen;
94429 - uoptval = (char __user __force *) optval;
94430 - uoptlen = (int __user __force *) optlen;
94431 + uoptval = (char __force_user *) optval;
94432 + uoptlen = (int __force_user *) optlen;
94435 if (level == SOL_SOCKET)
94436 @@ -3416,7 +3478,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname,
94437 char __user *uoptval;
94440 - uoptval = (char __user __force *) optval;
94441 + uoptval = (char __force_user *) optval;
94444 if (level == SOL_SOCKET)
94445 diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
94446 index 426f8fc..1ef9c32 100644
94447 --- a/net/sunrpc/clnt.c
94448 +++ b/net/sunrpc/clnt.c
94449 @@ -1288,7 +1288,9 @@ call_start(struct rpc_task *task)
94450 (RPC_IS_ASYNC(task) ? "async" : "sync"));
94452 /* Increment call count */
94453 - task->tk_msg.rpc_proc->p_count++;
94454 + pax_open_kernel();
94455 + (*(unsigned int *)&task->tk_msg.rpc_proc->p_count)++;
94456 + pax_close_kernel();
94457 clnt->cl_stats->rpccnt++;
94458 task->tk_action = call_reserve;
94460 diff --git a/net/sunrpc/sched.c b/net/sunrpc/sched.c
94461 index 5356b12..c0f4c29 100644
94462 --- a/net/sunrpc/sched.c
94463 +++ b/net/sunrpc/sched.c
94464 @@ -261,9 +261,9 @@ static int rpc_wait_bit_killable(void *word)
94466 static void rpc_task_set_debuginfo(struct rpc_task *task)
94468 - static atomic_t rpc_pid;
94469 + static atomic_unchecked_t rpc_pid;
94471 - task->tk_pid = atomic_inc_return(&rpc_pid);
94472 + task->tk_pid = atomic_inc_return_unchecked(&rpc_pid);
94475 static inline void rpc_task_set_debuginfo(struct rpc_task *task)
94476 diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c
94477 index 89a588b..678ed90 100644
94478 --- a/net/sunrpc/svc.c
94479 +++ b/net/sunrpc/svc.c
94480 @@ -740,7 +740,7 @@ svc_set_num_threads(struct svc_serv *serv, struct svc_pool *pool, int nrservs)
94482 __module_get(serv->sv_module);
94483 task = kthread_create_on_node(serv->sv_function, rqstp,
94484 - node, serv->sv_name);
94485 + node, "%s", serv->sv_name);
94486 if (IS_ERR(task)) {
94487 error = PTR_ERR(task);
94488 module_put(serv->sv_module);
94489 @@ -1160,7 +1160,9 @@ svc_process_common(struct svc_rqst *rqstp, struct kvec *argv, struct kvec *resv)
94490 svc_putnl(resv, RPC_SUCCESS);
94492 /* Bump per-procedure stats counter */
94493 - procp->pc_count++;
94494 + pax_open_kernel();
94495 + (*(unsigned int *)&procp->pc_count)++;
94496 + pax_close_kernel();
94498 /* Initialize storage for argp and resp */
94499 memset(rqstp->rq_argp, 0, procp->pc_argsize);
94500 diff --git a/net/sunrpc/xprtrdma/svc_rdma.c b/net/sunrpc/xprtrdma/svc_rdma.c
94501 index 8343737..677025e 100644
94502 --- a/net/sunrpc/xprtrdma/svc_rdma.c
94503 +++ b/net/sunrpc/xprtrdma/svc_rdma.c
94504 @@ -62,15 +62,15 @@ unsigned int svcrdma_max_req_size = RPCRDMA_MAX_REQ_SIZE;
94505 static unsigned int min_max_inline = 4096;
94506 static unsigned int max_max_inline = 65536;
94508 -atomic_t rdma_stat_recv;
94509 -atomic_t rdma_stat_read;
94510 -atomic_t rdma_stat_write;
94511 -atomic_t rdma_stat_sq_starve;
94512 -atomic_t rdma_stat_rq_starve;
94513 -atomic_t rdma_stat_rq_poll;
94514 -atomic_t rdma_stat_rq_prod;
94515 -atomic_t rdma_stat_sq_poll;
94516 -atomic_t rdma_stat_sq_prod;
94517 +atomic_unchecked_t rdma_stat_recv;
94518 +atomic_unchecked_t rdma_stat_read;
94519 +atomic_unchecked_t rdma_stat_write;
94520 +atomic_unchecked_t rdma_stat_sq_starve;
94521 +atomic_unchecked_t rdma_stat_rq_starve;
94522 +atomic_unchecked_t rdma_stat_rq_poll;
94523 +atomic_unchecked_t rdma_stat_rq_prod;
94524 +atomic_unchecked_t rdma_stat_sq_poll;
94525 +atomic_unchecked_t rdma_stat_sq_prod;
94527 /* Temporary NFS request map and context caches */
94528 struct kmem_cache *svc_rdma_map_cachep;
94529 @@ -110,7 +110,7 @@ static int read_reset_stat(ctl_table *table, int write,
94533 - if (len && copy_to_user(buffer, str_buf, len))
94534 + if (len > sizeof str_buf || (len && copy_to_user(buffer, str_buf, len)))
94538 @@ -151,63 +151,63 @@ static ctl_table svcrdma_parm_table[] = {
94540 .procname = "rdma_stat_read",
94541 .data = &rdma_stat_read,
94542 - .maxlen = sizeof(atomic_t),
94543 + .maxlen = sizeof(atomic_unchecked_t),
94545 .proc_handler = read_reset_stat,
94548 .procname = "rdma_stat_recv",
94549 .data = &rdma_stat_recv,
94550 - .maxlen = sizeof(atomic_t),
94551 + .maxlen = sizeof(atomic_unchecked_t),
94553 .proc_handler = read_reset_stat,
94556 .procname = "rdma_stat_write",
94557 .data = &rdma_stat_write,
94558 - .maxlen = sizeof(atomic_t),
94559 + .maxlen = sizeof(atomic_unchecked_t),
94561 .proc_handler = read_reset_stat,
94564 .procname = "rdma_stat_sq_starve",
94565 .data = &rdma_stat_sq_starve,
94566 - .maxlen = sizeof(atomic_t),
94567 + .maxlen = sizeof(atomic_unchecked_t),
94569 .proc_handler = read_reset_stat,
94572 .procname = "rdma_stat_rq_starve",
94573 .data = &rdma_stat_rq_starve,
94574 - .maxlen = sizeof(atomic_t),
94575 + .maxlen = sizeof(atomic_unchecked_t),
94577 .proc_handler = read_reset_stat,
94580 .procname = "rdma_stat_rq_poll",
94581 .data = &rdma_stat_rq_poll,
94582 - .maxlen = sizeof(atomic_t),
94583 + .maxlen = sizeof(atomic_unchecked_t),
94585 .proc_handler = read_reset_stat,
94588 .procname = "rdma_stat_rq_prod",
94589 .data = &rdma_stat_rq_prod,
94590 - .maxlen = sizeof(atomic_t),
94591 + .maxlen = sizeof(atomic_unchecked_t),
94593 .proc_handler = read_reset_stat,
94596 .procname = "rdma_stat_sq_poll",
94597 .data = &rdma_stat_sq_poll,
94598 - .maxlen = sizeof(atomic_t),
94599 + .maxlen = sizeof(atomic_unchecked_t),
94601 .proc_handler = read_reset_stat,
94604 .procname = "rdma_stat_sq_prod",
94605 .data = &rdma_stat_sq_prod,
94606 - .maxlen = sizeof(atomic_t),
94607 + .maxlen = sizeof(atomic_unchecked_t),
94609 .proc_handler = read_reset_stat,
94611 diff --git a/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c b/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
94612 index 0ce7552..d074459 100644
94613 --- a/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
94614 +++ b/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
94615 @@ -501,7 +501,7 @@ next_sge:
94616 svc_rdma_put_context(ctxt, 0);
94619 - atomic_inc(&rdma_stat_read);
94620 + atomic_inc_unchecked(&rdma_stat_read);
94622 if (read_wr.num_sge < chl_map->ch[ch_no].count) {
94623 chl_map->ch[ch_no].count -= read_wr.num_sge;
94624 @@ -611,7 +611,7 @@ int svc_rdma_recvfrom(struct svc_rqst *rqstp)
94626 list_del_init(&ctxt->dto_q);
94628 - atomic_inc(&rdma_stat_rq_starve);
94629 + atomic_inc_unchecked(&rdma_stat_rq_starve);
94630 clear_bit(XPT_DATA, &xprt->xpt_flags);
94633 @@ -631,7 +631,7 @@ int svc_rdma_recvfrom(struct svc_rqst *rqstp)
94634 dprintk("svcrdma: processing ctxt=%p on xprt=%p, rqstp=%p, status=%d\n",
94635 ctxt, rdma_xprt, rqstp, ctxt->wc_status);
94636 BUG_ON(ctxt->wc_status != IB_WC_SUCCESS);
94637 - atomic_inc(&rdma_stat_recv);
94638 + atomic_inc_unchecked(&rdma_stat_recv);
94640 /* Build up the XDR from the receive buffers. */
94641 rdma_build_arg_xdr(rqstp, ctxt, ctxt->byte_len);
94642 diff --git a/net/sunrpc/xprtrdma/svc_rdma_sendto.c b/net/sunrpc/xprtrdma/svc_rdma_sendto.c
94643 index c1d124d..acfc59e 100644
94644 --- a/net/sunrpc/xprtrdma/svc_rdma_sendto.c
94645 +++ b/net/sunrpc/xprtrdma/svc_rdma_sendto.c
94646 @@ -362,7 +362,7 @@ static int send_write(struct svcxprt_rdma *xprt, struct svc_rqst *rqstp,
94647 write_wr.wr.rdma.remote_addr = to;
94650 - atomic_inc(&rdma_stat_write);
94651 + atomic_inc_unchecked(&rdma_stat_write);
94652 if (svc_rdma_send(xprt, &write_wr))
94655 diff --git a/net/sunrpc/xprtrdma/svc_rdma_transport.c b/net/sunrpc/xprtrdma/svc_rdma_transport.c
94656 index 62e4f9b..dd3f2d7 100644
94657 --- a/net/sunrpc/xprtrdma/svc_rdma_transport.c
94658 +++ b/net/sunrpc/xprtrdma/svc_rdma_transport.c
94659 @@ -292,7 +292,7 @@ static void rq_cq_reap(struct svcxprt_rdma *xprt)
94662 ib_req_notify_cq(xprt->sc_rq_cq, IB_CQ_NEXT_COMP);
94663 - atomic_inc(&rdma_stat_rq_poll);
94664 + atomic_inc_unchecked(&rdma_stat_rq_poll);
94666 while ((ret = ib_poll_cq(xprt->sc_rq_cq, 1, &wc)) > 0) {
94667 ctxt = (struct svc_rdma_op_ctxt *)(unsigned long)wc.wr_id;
94668 @@ -314,7 +314,7 @@ static void rq_cq_reap(struct svcxprt_rdma *xprt)
94672 - atomic_inc(&rdma_stat_rq_prod);
94673 + atomic_inc_unchecked(&rdma_stat_rq_prod);
94675 set_bit(XPT_DATA, &xprt->sc_xprt.xpt_flags);
94677 @@ -386,7 +386,7 @@ static void sq_cq_reap(struct svcxprt_rdma *xprt)
94680 ib_req_notify_cq(xprt->sc_sq_cq, IB_CQ_NEXT_COMP);
94681 - atomic_inc(&rdma_stat_sq_poll);
94682 + atomic_inc_unchecked(&rdma_stat_sq_poll);
94683 while ((ret = ib_poll_cq(cq, 1, &wc)) > 0) {
94684 if (wc.status != IB_WC_SUCCESS)
94685 /* Close the transport */
94686 @@ -404,7 +404,7 @@ static void sq_cq_reap(struct svcxprt_rdma *xprt)
94690 - atomic_inc(&rdma_stat_sq_prod);
94691 + atomic_inc_unchecked(&rdma_stat_sq_prod);
94694 static void sq_comp_handler(struct ib_cq *cq, void *cq_context)
94695 @@ -1262,7 +1262,7 @@ int svc_rdma_send(struct svcxprt_rdma *xprt, struct ib_send_wr *wr)
94696 spin_lock_bh(&xprt->sc_lock);
94697 if (xprt->sc_sq_depth < atomic_read(&xprt->sc_sq_count) + wr_count) {
94698 spin_unlock_bh(&xprt->sc_lock);
94699 - atomic_inc(&rdma_stat_sq_starve);
94700 + atomic_inc_unchecked(&rdma_stat_sq_starve);
94702 /* See if we can opportunistically reap SQ WR to make room */
94704 diff --git a/net/sysctl_net.c b/net/sysctl_net.c
94705 index 9bc6db0..47ac8c0 100644
94706 --- a/net/sysctl_net.c
94707 +++ b/net/sysctl_net.c
94708 @@ -46,7 +46,7 @@ static int net_ctl_permissions(struct ctl_table_header *head,
94709 kgid_t root_gid = make_kgid(net->user_ns, 0);
94711 /* Allow network administrator to have same access as root. */
94712 - if (ns_capable(net->user_ns, CAP_NET_ADMIN) ||
94713 + if (ns_capable_nolog(net->user_ns, CAP_NET_ADMIN) ||
94714 uid_eq(root_uid, current_uid())) {
94715 int mode = (table->mode >> 6) & 7;
94716 return (mode << 6) | (mode << 3) | mode;
94717 diff --git a/net/tipc/link.c b/net/tipc/link.c
94718 index a80feee..2bbbe70 100644
94719 --- a/net/tipc/link.c
94720 +++ b/net/tipc/link.c
94721 @@ -1201,7 +1201,7 @@ static int link_send_sections_long(struct tipc_port *sender,
94722 struct tipc_msg fragm_hdr;
94723 struct sk_buff *buf, *buf_chain, *prev;
94724 u32 fragm_crs, fragm_rest, hsz, sect_rest;
94725 - const unchar *sect_crs;
94726 + const unchar __user *sect_crs;
94730 @@ -1242,7 +1242,7 @@ again:
94733 sect_rest = msg_sect[++curr_sect].iov_len;
94734 - sect_crs = (const unchar *)msg_sect[curr_sect].iov_base;
94735 + sect_crs = (const unchar __user *)msg_sect[curr_sect].iov_base;
94738 if (sect_rest < fragm_rest)
94739 @@ -1261,7 +1261,7 @@ error:
94742 skb_copy_to_linear_data_offset(buf, fragm_crs,
94744 + (const void __force_kernel *)sect_crs, sz);
94748 diff --git a/net/tipc/msg.c b/net/tipc/msg.c
94749 index f2db8a8..9245aa4 100644
94750 --- a/net/tipc/msg.c
94751 +++ b/net/tipc/msg.c
94752 @@ -98,7 +98,7 @@ int tipc_msg_build(struct tipc_msg *hdr, struct iovec const *msg_sect,
94753 msg_sect[cnt].iov_len);
94755 skb_copy_to_linear_data_offset(*buf, pos,
94756 - msg_sect[cnt].iov_base,
94757 + (const void __force_kernel *)msg_sect[cnt].iov_base,
94758 msg_sect[cnt].iov_len);
94759 pos += msg_sect[cnt].iov_len;
94761 diff --git a/net/tipc/subscr.c b/net/tipc/subscr.c
94762 index 6b42d47..2ac24d5 100644
94763 --- a/net/tipc/subscr.c
94764 +++ b/net/tipc/subscr.c
94765 @@ -96,7 +96,7 @@ static void subscr_send_event(struct tipc_subscription *sub,
94767 struct iovec msg_sect;
94769 - msg_sect.iov_base = (void *)&sub->evt;
94770 + msg_sect.iov_base = (void __force_user *)&sub->evt;
94771 msg_sect.iov_len = sizeof(struct tipc_event);
94773 sub->evt.event = htohl(event, sub->swap);
94774 diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
94775 index 826e099..4fa8c93 100644
94776 --- a/net/unix/af_unix.c
94777 +++ b/net/unix/af_unix.c
94778 @@ -783,6 +783,12 @@ static struct sock *unix_find_other(struct net *net,
94779 err = -ECONNREFUSED;
94780 if (!S_ISSOCK(inode->i_mode))
94783 + if (!gr_acl_handle_unix(path.dentry, path.mnt)) {
94788 u = unix_find_socket_byinode(inode);
94791 @@ -803,6 +809,13 @@ static struct sock *unix_find_other(struct net *net,
94793 struct dentry *dentry;
94794 dentry = unix_sk(u)->path.dentry;
94796 + if (!gr_handle_chroot_unix(pid_vnr(u->sk_peer_pid))) {
94803 touch_atime(&unix_sk(u)->path);
94805 @@ -836,12 +849,18 @@ static int unix_mknod(const char *sun_path, umode_t mode, struct path *res)
94807 err = security_path_mknod(&path, dentry, mode, 0);
94809 + if (!gr_acl_handle_mknod(dentry, path.dentry, path.mnt, mode)) {
94813 err = vfs_mknod(path.dentry->d_inode, dentry, mode, 0);
94815 res->mnt = mntget(path.mnt);
94816 res->dentry = dget(dentry);
94817 + gr_handle_create(dentry, path.mnt);
94821 done_path_create(&path, dentry);
94824 @@ -2324,9 +2343,13 @@ static int unix_seq_show(struct seq_file *seq, void *v)
94825 seq_puts(seq, "Num RefCount Protocol Flags Type St "
94828 - struct sock *s = v;
94829 + struct sock *s = v, *peer;
94830 struct unix_sock *u = unix_sk(s);
94831 unix_state_lock(s);
94832 + peer = unix_peer(s);
94833 + unix_state_unlock(s);
94835 + unix_state_double_lock(s, peer);
94837 seq_printf(seq, "%pK: %08X %08X %08X %04X %02X %5lu",
94839 @@ -2353,8 +2376,10 @@ static int unix_seq_show(struct seq_file *seq, void *v)
94841 for ( ; i < len; i++)
94842 seq_putc(seq, u->addr->name->sun_path[i]);
94844 - unix_state_unlock(s);
94846 + seq_printf(seq, " P%lu", sock_i_ino(peer));
94848 + unix_state_double_unlock(s, peer);
94849 seq_putc(seq, '\n');
94852 diff --git a/net/unix/sysctl_net_unix.c b/net/unix/sysctl_net_unix.c
94853 index 8800604..0526440 100644
94854 --- a/net/unix/sysctl_net_unix.c
94855 +++ b/net/unix/sysctl_net_unix.c
94856 @@ -28,7 +28,7 @@ static ctl_table unix_table[] = {
94858 int __net_init unix_sysctl_register(struct net *net)
94860 - struct ctl_table *table;
94861 + ctl_table_no_const *table;
94863 table = kmemdup(unix_table, sizeof(unix_table), GFP_KERNEL);
94865 diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
94866 index 3f77f42..662d89b 100644
94867 --- a/net/vmw_vsock/af_vsock.c
94868 +++ b/net/vmw_vsock/af_vsock.c
94869 @@ -335,7 +335,7 @@ void vsock_for_each_connected_socket(void (*fn)(struct sock *sk))
94870 for (i = 0; i < ARRAY_SIZE(vsock_connected_table); i++) {
94871 struct vsock_sock *vsk;
94872 list_for_each_entry(vsk, &vsock_connected_table[i],
94873 - connected_table);
94878 diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c
94879 index c8717c1..08539f5 100644
94880 --- a/net/wireless/wext-core.c
94881 +++ b/net/wireless/wext-core.c
94882 @@ -748,8 +748,7 @@ static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd,
94885 /* Support for very large requests */
94886 - if ((descr->flags & IW_DESCR_FLAG_NOMAX) &&
94887 - (user_length > descr->max_tokens)) {
94888 + if (user_length > descr->max_tokens) {
94889 /* Allow userspace to GET more than max so
94890 * we can support any size GET requests.
94891 * There is still a limit : -ENOMEM.
94892 @@ -788,22 +787,6 @@ static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd,
94896 - if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) {
94898 - * If this is a GET, but not NOMAX, it means that the extra
94899 - * data is not bounded by userspace, but by max_tokens. Thus
94900 - * set the length to max_tokens. This matches the extra data
94902 - * The driver should fill it with the number of tokens it
94903 - * provided, and it may check iwp->length rather than having
94904 - * knowledge of max_tokens. If the driver doesn't change the
94905 - * iwp->length, this ioctl just copies back max_token tokens
94906 - * filled with zeroes. Hopefully the driver isn't claiming
94907 - * them to be valid data.
94909 - iwp->length = descr->max_tokens;
94912 err = handler(dev, info, (union iwreq_data *) iwp, extra);
94914 iwp->length += essid_compat;
94915 diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
94916 index ea970b8..c68edb9f 100644
94917 --- a/net/xfrm/xfrm_policy.c
94918 +++ b/net/xfrm/xfrm_policy.c
94919 @@ -334,7 +334,7 @@ static void xfrm_policy_kill(struct xfrm_policy *policy)
94921 policy->walk.dead = 1;
94923 - atomic_inc(&policy->genid);
94924 + atomic_inc_unchecked(&policy->genid);
94926 del_timer(&policy->polq.hold_timer);
94927 xfrm_queue_purge(&policy->polq.hold_queue);
94928 @@ -659,7 +659,7 @@ int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
94929 hlist_add_head(&policy->bydst, chain);
94930 xfrm_pol_hold(policy);
94931 net->xfrm.policy_count[dir]++;
94932 - atomic_inc(&flow_cache_genid);
94933 + atomic_inc_unchecked(&flow_cache_genid);
94934 rt_genid_bump(net);
94936 xfrm_policy_requeue(delpol, policy);
94937 @@ -1629,7 +1629,7 @@ free_dst:
94943 xfrm_dst_alloc_copy(void **target, const void *src, int size)
94946 @@ -1641,7 +1641,7 @@ xfrm_dst_alloc_copy(void **target, const void *src, int size)
94952 xfrm_dst_update_parent(struct dst_entry *dst, const struct xfrm_selector *sel)
94954 #ifdef CONFIG_XFRM_SUB_POLICY
94955 @@ -1653,7 +1653,7 @@ xfrm_dst_update_parent(struct dst_entry *dst, const struct xfrm_selector *sel)
94961 xfrm_dst_update_origin(struct dst_entry *dst, const struct flowi *fl)
94963 #ifdef CONFIG_XFRM_SUB_POLICY
94964 @@ -1747,7 +1747,7 @@ xfrm_resolve_and_create_bundle(struct xfrm_policy **pols, int num_pols,
94966 xdst->num_pols = num_pols;
94967 memcpy(xdst->pols, pols, sizeof(struct xfrm_policy*) * num_pols);
94968 - xdst->policy_genid = atomic_read(&pols[0]->genid);
94969 + xdst->policy_genid = atomic_read_unchecked(&pols[0]->genid);
94973 @@ -2618,7 +2618,7 @@ static int xfrm_bundle_ok(struct xfrm_dst *first)
94974 if (xdst->xfrm_genid != dst->xfrm->genid)
94976 if (xdst->num_pols > 0 &&
94977 - xdst->policy_genid != atomic_read(&xdst->pols[0]->genid))
94978 + xdst->policy_genid != atomic_read_unchecked(&xdst->pols[0]->genid))
94981 mtu = dst_mtu(dst->child);
94982 @@ -2706,8 +2706,11 @@ int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo)
94983 dst_ops->link_failure = xfrm_link_failure;
94984 if (likely(dst_ops->neigh_lookup == NULL))
94985 dst_ops->neigh_lookup = xfrm_neigh_lookup;
94986 - if (likely(afinfo->garbage_collect == NULL))
94987 - afinfo->garbage_collect = xfrm_garbage_collect_deferred;
94988 + if (likely(afinfo->garbage_collect == NULL)) {
94989 + pax_open_kernel();
94990 + *(void **)&afinfo->garbage_collect = xfrm_garbage_collect_deferred;
94991 + pax_close_kernel();
94993 rcu_assign_pointer(xfrm_policy_afinfo[afinfo->family], afinfo);
94995 spin_unlock(&xfrm_policy_afinfo_lock);
94996 @@ -2761,7 +2764,9 @@ int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo)
94997 dst_ops->check = NULL;
94998 dst_ops->negative_advice = NULL;
94999 dst_ops->link_failure = NULL;
95000 - afinfo->garbage_collect = NULL;
95001 + pax_open_kernel();
95002 + *(void **)&afinfo->garbage_collect = NULL;
95003 + pax_close_kernel();
95007 @@ -3144,7 +3149,7 @@ static int xfrm_policy_migrate(struct xfrm_policy *pol,
95008 sizeof(pol->xfrm_vec[i].saddr));
95009 pol->xfrm_vec[i].encap_family = mp->new_family;
95010 /* flush bundles */
95011 - atomic_inc(&pol->genid);
95012 + atomic_inc_unchecked(&pol->genid);
95016 diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
95017 index 78f66fa..9286768 100644
95018 --- a/net/xfrm/xfrm_state.c
95019 +++ b/net/xfrm/xfrm_state.c
95020 @@ -177,12 +177,14 @@ int xfrm_register_type(const struct xfrm_type *type, unsigned short family)
95022 if (unlikely(afinfo == NULL))
95023 return -EAFNOSUPPORT;
95024 - typemap = afinfo->type_map;
95025 + typemap = (const struct xfrm_type **)afinfo->type_map;
95026 spin_lock_bh(&xfrm_type_lock);
95028 - if (likely(typemap[type->proto] == NULL))
95029 + if (likely(typemap[type->proto] == NULL)) {
95030 + pax_open_kernel();
95031 typemap[type->proto] = type;
95033 + pax_close_kernel();
95036 spin_unlock_bh(&xfrm_type_lock);
95037 xfrm_state_put_afinfo(afinfo);
95038 @@ -198,13 +200,16 @@ int xfrm_unregister_type(const struct xfrm_type *type, unsigned short family)
95040 if (unlikely(afinfo == NULL))
95041 return -EAFNOSUPPORT;
95042 - typemap = afinfo->type_map;
95043 + typemap = (const struct xfrm_type **)afinfo->type_map;
95044 spin_lock_bh(&xfrm_type_lock);
95046 if (unlikely(typemap[type->proto] != type))
95050 + pax_open_kernel();
95051 typemap[type->proto] = NULL;
95052 + pax_close_kernel();
95054 spin_unlock_bh(&xfrm_type_lock);
95055 xfrm_state_put_afinfo(afinfo);
95057 @@ -214,7 +219,6 @@ EXPORT_SYMBOL(xfrm_unregister_type);
95058 static const struct xfrm_type *xfrm_get_type(u8 proto, unsigned short family)
95060 struct xfrm_state_afinfo *afinfo;
95061 - const struct xfrm_type **typemap;
95062 const struct xfrm_type *type;
95063 int modload_attempted = 0;
95065 @@ -222,9 +226,8 @@ retry:
95066 afinfo = xfrm_state_get_afinfo(family);
95067 if (unlikely(afinfo == NULL))
95069 - typemap = afinfo->type_map;
95071 - type = typemap[proto];
95072 + type = afinfo->type_map[proto];
95073 if (unlikely(type && !try_module_get(type->owner)))
95075 if (!type && !modload_attempted) {
95076 @@ -258,7 +261,7 @@ int xfrm_register_mode(struct xfrm_mode *mode, int family)
95077 return -EAFNOSUPPORT;
95080 - modemap = afinfo->mode_map;
95081 + modemap = (struct xfrm_mode **)afinfo->mode_map;
95082 spin_lock_bh(&xfrm_mode_lock);
95083 if (modemap[mode->encap])
95085 @@ -267,8 +270,10 @@ int xfrm_register_mode(struct xfrm_mode *mode, int family)
95086 if (!try_module_get(afinfo->owner))
95089 - mode->afinfo = afinfo;
95090 + pax_open_kernel();
95091 + *(const void **)&mode->afinfo = afinfo;
95092 modemap[mode->encap] = mode;
95093 + pax_close_kernel();
95097 @@ -292,10 +297,12 @@ int xfrm_unregister_mode(struct xfrm_mode *mode, int family)
95098 return -EAFNOSUPPORT;
95101 - modemap = afinfo->mode_map;
95102 + modemap = (struct xfrm_mode **)afinfo->mode_map;
95103 spin_lock_bh(&xfrm_mode_lock);
95104 if (likely(modemap[mode->encap] == mode)) {
95105 + pax_open_kernel();
95106 modemap[mode->encap] = NULL;
95107 + pax_close_kernel();
95108 module_put(mode->afinfo->owner);
95111 diff --git a/net/xfrm/xfrm_sysctl.c b/net/xfrm/xfrm_sysctl.c
95112 index 05a6e3d..6716ec9 100644
95113 --- a/net/xfrm/xfrm_sysctl.c
95114 +++ b/net/xfrm/xfrm_sysctl.c
95115 @@ -42,7 +42,7 @@ static struct ctl_table xfrm_table[] = {
95117 int __net_init xfrm_sysctl_init(struct net *net)
95119 - struct ctl_table *table;
95120 + ctl_table_no_const *table;
95122 __xfrm_sysctl_init(net);
95124 diff --git a/scripts/Makefile.build b/scripts/Makefile.build
95125 index d5d859c..781cbcb 100644
95126 --- a/scripts/Makefile.build
95127 +++ b/scripts/Makefile.build
95128 @@ -111,7 +111,7 @@ endif
95131 # Do not include host rules unless needed
95132 -ifneq ($(hostprogs-y)$(hostprogs-m),)
95133 +ifneq ($(hostprogs-y)$(hostprogs-m)$(hostlibs-y)$(hostlibs-m)$(hostcxxlibs-y)$(hostcxxlibs-m),)
95134 include scripts/Makefile.host
95137 diff --git a/scripts/Makefile.clean b/scripts/Makefile.clean
95138 index 686cb0d..9d653bf 100644
95139 --- a/scripts/Makefile.clean
95140 +++ b/scripts/Makefile.clean
95141 @@ -43,7 +43,8 @@ subdir-ymn := $(addprefix $(obj)/,$(subdir-ymn))
95142 __clean-files := $(extra-y) $(always) \
95143 $(targets) $(clean-files) \
95145 - $(hostprogs-y) $(hostprogs-m) $(hostprogs-)
95146 + $(hostprogs-y) $(hostprogs-m) $(hostprogs-) \
95147 + $(hostlibs-y) $(hostlibs-m) $(hostlibs-)
95149 __clean-files := $(filter-out $(no-clean-files), $(__clean-files))
95151 diff --git a/scripts/Makefile.host b/scripts/Makefile.host
95152 index 1ac414f..38575f7 100644
95153 --- a/scripts/Makefile.host
95154 +++ b/scripts/Makefile.host
95156 # Note: Shared libraries consisting of C++ files are not supported
95158 __hostprogs := $(sort $(hostprogs-y) $(hostprogs-m))
95159 +__hostlibs := $(sort $(hostlibs-y) $(hostlibs-m))
95160 +__hostcxxlibs := $(sort $(hostcxxlibs-y) $(hostcxxlibs-m))
95163 # Executables compiled from a single .c file
95164 @@ -54,11 +56,15 @@ host-cxxobjs := $(sort $(foreach m,$(host-cxxmulti),$($(m)-cxxobjs)))
95165 # Shared libaries (only .c supported)
95166 # Shared libraries (.so) - all .so files referenced in "xxx-objs"
95167 host-cshlib := $(sort $(filter %.so, $(host-cobjs)))
95168 +host-cshlib += $(sort $(filter %.so, $(__hostlibs)))
95169 +host-cxxshlib := $(sort $(filter %.so, $(__hostcxxlibs)))
95170 # Remove .so files from "xxx-objs"
95171 host-cobjs := $(filter-out %.so,$(host-cobjs))
95172 +host-cxxobjs := $(filter-out %.so,$(host-cxxobjs))
95174 -#Object (.o) files used by the shared libaries
95175 +# Object (.o) files used by the shared libaries
95176 host-cshobjs := $(sort $(foreach m,$(host-cshlib),$($(m:.so=-objs))))
95177 +host-cxxshobjs := $(sort $(foreach m,$(host-cxxshlib),$($(m:.so=-objs))))
95179 # output directory for programs/.o files
95180 # hostprogs-y := tools/build may have been specified. Retrieve directory
95181 @@ -82,7 +88,9 @@ host-cobjs := $(addprefix $(obj)/,$(host-cobjs))
95182 host-cxxmulti := $(addprefix $(obj)/,$(host-cxxmulti))
95183 host-cxxobjs := $(addprefix $(obj)/,$(host-cxxobjs))
95184 host-cshlib := $(addprefix $(obj)/,$(host-cshlib))
95185 +host-cxxshlib := $(addprefix $(obj)/,$(host-cxxshlib))
95186 host-cshobjs := $(addprefix $(obj)/,$(host-cshobjs))
95187 +host-cxxshobjs := $(addprefix $(obj)/,$(host-cxxshobjs))
95188 host-objdirs := $(addprefix $(obj)/,$(host-objdirs))
95190 obj-dirs += $(host-objdirs)
95191 @@ -156,6 +164,13 @@ quiet_cmd_host-cshobjs = HOSTCC -fPIC $@
95192 $(host-cshobjs): $(obj)/%.o: $(src)/%.c FORCE
95193 $(call if_changed_dep,host-cshobjs)
95195 +# Compile .c file, create position independent .o file
95196 +# host-cxxshobjs -> .o
95197 +quiet_cmd_host-cxxshobjs = HOSTCXX -fPIC $@
95198 + cmd_host-cxxshobjs = $(HOSTCXX) $(hostcxx_flags) -fPIC -c -o $@ $<
95199 +$(host-cxxshobjs): $(obj)/%.o: $(src)/%.c FORCE
95200 + $(call if_changed_dep,host-cxxshobjs)
95202 # Link a shared library, based on position independent .o files
95203 # *.o -> .so shared library (host-cshlib)
95204 quiet_cmd_host-cshlib = HOSTLLD -shared $@
95205 @@ -165,6 +180,15 @@ quiet_cmd_host-cshlib = HOSTLLD -shared $@
95206 $(host-cshlib): $(obj)/%: $(host-cshobjs) FORCE
95207 $(call if_changed,host-cshlib)
95209 +# Link a shared library, based on position independent .o files
95210 +# *.o -> .so shared library (host-cxxshlib)
95211 +quiet_cmd_host-cxxshlib = HOSTLLD -shared $@
95212 + cmd_host-cxxshlib = $(HOSTCXX) $(HOSTLDFLAGS) -shared -o $@ \
95213 + $(addprefix $(obj)/,$($(@F:.so=-objs))) \
95214 + $(HOST_LOADLIBES) $(HOSTLOADLIBES_$(@F))
95215 +$(host-cxxshlib): $(obj)/%: $(host-cxxshobjs) FORCE
95216 + $(call if_changed,host-cxxshlib)
95218 targets += $(host-csingle) $(host-cmulti) $(host-cobjs)\
95219 - $(host-cxxmulti) $(host-cxxobjs) $(host-cshlib) $(host-cshobjs)
95220 + $(host-cxxmulti) $(host-cxxobjs) $(host-cshlib) $(host-cshobjs) $(host-cxxshlib) $(host-cxxshobjs)
95222 diff --git a/scripts/basic/fixdep.c b/scripts/basic/fixdep.c
95223 index 078fe1d..fbdb363 100644
95224 --- a/scripts/basic/fixdep.c
95225 +++ b/scripts/basic/fixdep.c
95226 @@ -161,7 +161,7 @@ static unsigned int strhash(const char *str, unsigned int sz)
95228 * Lookup a value in the configuration string.
95230 -static int is_defined_config(const char *name, int len, unsigned int hash)
95231 +static int is_defined_config(const char *name, unsigned int len, unsigned int hash)
95235 @@ -211,10 +211,10 @@ static void clear_config(void)
95237 * Record the use of a CONFIG_* word.
95239 -static void use_config(const char *m, int slen)
95240 +static void use_config(const char *m, unsigned int slen)
95242 unsigned int hash = strhash(m, slen);
95244 + unsigned int c, i;
95246 if (is_defined_config(m, slen, hash))
95248 @@ -235,9 +235,9 @@ static void use_config(const char *m, int slen)
95250 static void parse_config_file(const char *map, size_t len)
95252 - const int *end = (const int *) (map + len);
95253 + const unsigned int *end = (const unsigned int *) (map + len);
95254 /* start at +1, so that p can never be < map */
95255 - const int *m = (const int *) map + 1;
95256 + const unsigned int *m = (const unsigned int *) map + 1;
95259 for (; m < end; m++) {
95260 @@ -435,7 +435,7 @@ static void print_deps(void)
95261 static void traps(void)
95263 static char test[] __attribute__((aligned(sizeof(int)))) = "CONF";
95264 - int *p = (int *)test;
95265 + unsigned int *p = (unsigned int *)test;
95267 if (*p != INT_CONF) {
95268 fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianness? %#x\n",
95269 diff --git a/scripts/gcc-plugin.sh b/scripts/gcc-plugin.sh
95270 new file mode 100644
95271 index 0000000..5e0222d
95273 +++ b/scripts/gcc-plugin.sh
95276 +plugincc=`$1 -E -shared - -o /dev/null -I\`$3 -print-file-name=plugin\`/include 2>&1 <<EOF
95277 +#include "gcc-plugin.h"
95281 +#ifdef ENABLE_BUILD_WITH_CXX
95289 + [[ "$plugincc" =~ "$1" ]] && echo "$1"
95290 + [[ "$plugincc" =~ "$2" ]] && echo "$2"
95292 diff --git a/scripts/headers_install.sh b/scripts/headers_install.sh
95293 index 643764f..6cc0137 100644
95294 --- a/scripts/headers_install.sh
95295 +++ b/scripts/headers_install.sh
95296 @@ -29,6 +29,7 @@ do
95297 FILE="$(basename "$i")"
95299 -e 's/([ \t(])(__user|__force|__iomem)[ \t]/\1/g' \
95300 + -e 's/__intentional_overflow\([- \t,0-9]*\)//g' \
95301 -e 's/__attribute_const__([ \t]|$)/\1/g' \
95302 -e 's@^#include <linux/compiler.h>@@' \
95303 -e 's/(^|[^a-zA-Z0-9])__packed([^a-zA-Z0-9_]|$)/\1__attribute__((packed))\2/g' \
95304 diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh
95305 index 0149949..d482a0d 100644
95306 --- a/scripts/link-vmlinux.sh
95307 +++ b/scripts/link-vmlinux.sh
95308 @@ -158,7 +158,7 @@ else
95311 # final build of init/
95312 -${MAKE} -f "${srctree}/scripts/Makefile.build" obj=init
95313 +${MAKE} -f "${srctree}/scripts/Makefile.build" obj=init GCC_PLUGINS_CFLAGS="${GCC_PLUGINS_CFLAGS}" GCC_PLUGINS_AFLAGS="${GCC_PLUGINS_AFLAGS}"
95316 kallsyms_vmlinux=""
95317 diff --git a/scripts/mod/file2alias.c b/scripts/mod/file2alias.c
95318 index 45f9a33..e4194b3 100644
95319 --- a/scripts/mod/file2alias.c
95320 +++ b/scripts/mod/file2alias.c
95321 @@ -140,7 +140,7 @@ static void device_id_check(const char *modname, const char *device_id,
95322 unsigned long size, unsigned long id_size,
95328 if (size % id_size || size < id_size) {
95329 fatal("%s: sizeof(struct %s_device_id)=%lu is not a modulo "
95330 @@ -168,7 +168,7 @@ static void device_id_check(const char *modname, const char *device_id,
95331 /* USB is special because the bcdDevice can be matched against a numeric range */
95332 /* Looks like "usb:vNpNdNdcNdscNdpNicNiscNipNinN" */
95333 static void do_usb_entry(void *symval,
95334 - unsigned int bcdDevice_initial, int bcdDevice_initial_digits,
95335 + unsigned int bcdDevice_initial, unsigned int bcdDevice_initial_digits,
95336 unsigned char range_lo, unsigned char range_hi,
95337 unsigned char max, struct module *mod)
95339 @@ -278,7 +278,7 @@ static void do_usb_entry_multi(void *symval, struct module *mod)
95341 unsigned int devlo, devhi;
95342 unsigned char chi, clo, max;
95344 + unsigned int ndigits;
95346 DEF_FIELD(symval, usb_device_id, match_flags);
95347 DEF_FIELD(symval, usb_device_id, idVendor);
95348 @@ -531,7 +531,7 @@ static void do_pnp_device_entry(void *symval, unsigned long size,
95349 for (i = 0; i < count; i++) {
95350 DEF_FIELD_ADDR(symval + i*id_size, pnp_device_id, id);
95351 char acpi_id[sizeof(*id)];
95355 buf_printf(&mod->dev_table_buf,
95356 "MODULE_ALIAS(\"pnp:d%s*\");\n", *id);
95357 @@ -560,7 +560,7 @@ static void do_pnp_card_entries(void *symval, unsigned long size,
95359 for (j = 0; j < PNP_MAX_DEVICES; j++) {
95360 const char *id = (char *)(*devs)[j].id;
95362 + unsigned int i2, j2;
95366 @@ -586,7 +586,7 @@ static void do_pnp_card_entries(void *symval, unsigned long size,
95367 /* add an individual alias for every device entry */
95369 char acpi_id[PNP_ID_LEN];
95373 buf_printf(&mod->dev_table_buf,
95374 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
95375 @@ -938,7 +938,7 @@ static void dmi_ascii_filter(char *d, const char *s)
95376 static int do_dmi_entry(const char *filename, void *symval,
95380 + unsigned int i, j;
95381 DEF_FIELD_ADDR(symval, dmi_system_id, matches);
95382 sprintf(alias, "dmi*");
95384 diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
95385 index a4be8e1..6e8a5fb 100644
95386 --- a/scripts/mod/modpost.c
95387 +++ b/scripts/mod/modpost.c
95388 @@ -933,6 +933,7 @@ enum mismatch {
95389 ANY_INIT_TO_ANY_EXIT,
95390 ANY_EXIT_TO_ANY_INIT,
95391 EXPORT_TO_INIT_EXIT,
95395 struct sectioncheck {
95396 @@ -1047,6 +1048,12 @@ const struct sectioncheck sectioncheck[] = {
95397 .tosec = { INIT_SECTIONS, EXIT_SECTIONS, NULL },
95398 .mismatch = EXPORT_TO_INIT_EXIT,
95399 .symbol_white_list = { DEFAULT_SYMBOL_WHITE_LIST, NULL },
95401 +/* Do not reference code from writable data */
95403 + .fromsec = { DATA_SECTIONS, NULL },
95404 + .tosec = { TEXT_SECTIONS, NULL },
95405 + .mismatch = DATA_TO_TEXT
95409 @@ -1169,10 +1176,10 @@ static Elf_Sym *find_elf_symbol(struct elf_info *elf, Elf64_Sword addr,
95411 if (ELF_ST_TYPE(sym->st_info) == STT_SECTION)
95413 - if (sym->st_value == addr)
95415 /* Find a symbol nearby - addr are maybe negative */
95416 d = sym->st_value - addr;
95420 d = addr - sym->st_value;
95421 if (d < distance) {
95422 @@ -1451,6 +1458,14 @@ static void report_sec_mismatch(const char *modname,
95423 tosym, prl_to, prl_to, tosym);
95426 + case DATA_TO_TEXT:
95429 + "The %s %s:%s references\n"
95430 + "the %s %s:%s%s\n",
95431 + from, fromsec, fromsym, to, tosec, tosym, to_p);
95435 fprintf(stderr, "\n");
95437 @@ -1685,7 +1700,7 @@ static void section_rel(const char *modname, struct elf_info *elf,
95438 static void check_sec_ref(struct module *mod, const char *modname,
95439 struct elf_info *elf)
95443 Elf_Shdr *sechdrs = elf->sechdrs;
95445 /* Walk through all sections */
95446 @@ -1804,7 +1819,7 @@ void __attribute__((format(printf, 2, 3))) buf_printf(struct buffer *buf,
95450 -void buf_write(struct buffer *buf, const char *s, int len)
95451 +void buf_write(struct buffer *buf, const char *s, unsigned int len)
95453 if (buf->size - buf->pos < len) {
95454 buf->size += len + SZ;
95455 @@ -2023,7 +2038,7 @@ static void write_if_changed(struct buffer *b, const char *fname)
95456 if (fstat(fileno(file), &st) < 0)
95459 - if (st.st_size != b->pos)
95460 + if (st.st_size != (off_t)b->pos)
95463 tmp = NOFAIL(malloc(b->pos));
95464 diff --git a/scripts/mod/modpost.h b/scripts/mod/modpost.h
95465 index 51207e4..f7d603d 100644
95466 --- a/scripts/mod/modpost.h
95467 +++ b/scripts/mod/modpost.h
95468 @@ -92,15 +92,15 @@ void *do_nofail(void *ptr, const char *expr);
95474 + unsigned int pos;
95475 + unsigned int size;
95478 void __attribute__((format(printf, 2, 3)))
95479 buf_printf(struct buffer *buf, const char *fmt, ...);
95482 -buf_write(struct buffer *buf, const char *s, int len);
95483 +buf_write(struct buffer *buf, const char *s, unsigned int len);
95486 struct module *next;
95487 diff --git a/scripts/mod/sumversion.c b/scripts/mod/sumversion.c
95488 index 9dfcd6d..099068e 100644
95489 --- a/scripts/mod/sumversion.c
95490 +++ b/scripts/mod/sumversion.c
95491 @@ -470,7 +470,7 @@ static void write_version(const char *filename, const char *sum,
95495 - if (write(fd, sum, strlen(sum)+1) != strlen(sum)+1) {
95496 + if (write(fd, sum, strlen(sum)+1) != (ssize_t)strlen(sum)+1) {
95497 warn("writing sum in %s failed: %s\n",
95498 filename, strerror(errno));
95500 diff --git a/scripts/package/builddeb b/scripts/package/builddeb
95501 index acb8650..b8c5f02 100644
95502 --- a/scripts/package/builddeb
95503 +++ b/scripts/package/builddeb
95504 @@ -246,6 +246,7 @@ fi
95505 (cd $srctree; find . -name Makefile\* -o -name Kconfig\* -o -name \*.pl > "$objtree/debian/hdrsrcfiles")
95506 (cd $srctree; find arch/$SRCARCH/include include scripts -type f >> "$objtree/debian/hdrsrcfiles")
95507 (cd $objtree; find arch/$SRCARCH/include .config Module.symvers include scripts -type f >> "$objtree/debian/hdrobjfiles")
95508 +(cd $objtree; find tools/gcc -name \*.so >> "$objtree/debian/hdrobjfiles")
95509 destdir=$kernel_headers_dir/usr/src/linux-headers-$version
95510 mkdir -p "$destdir"
95511 (cd $srctree; tar -c -f - -T "$objtree/debian/hdrsrcfiles") | (cd $destdir; tar -xf -)
95512 diff --git a/scripts/pnmtologo.c b/scripts/pnmtologo.c
95513 index 68bb4ef..2f419e1 100644
95514 --- a/scripts/pnmtologo.c
95515 +++ b/scripts/pnmtologo.c
95516 @@ -244,14 +244,14 @@ static void write_header(void)
95517 fprintf(out, " * Linux logo %s\n", logoname);
95518 fputs(" */\n\n", out);
95519 fputs("#include <linux/linux_logo.h>\n\n", out);
95520 - fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
95521 + fprintf(out, "static unsigned char %s_data[] = {\n",
95525 static void write_footer(void)
95527 fputs("\n};\n\n", out);
95528 - fprintf(out, "const struct linux_logo %s __initconst = {\n", logoname);
95529 + fprintf(out, "const struct linux_logo %s = {\n", logoname);
95530 fprintf(out, "\t.type\t\t= %s,\n", logo_types[logo_type]);
95531 fprintf(out, "\t.width\t\t= %d,\n", logo_width);
95532 fprintf(out, "\t.height\t\t= %d,\n", logo_height);
95533 @@ -381,7 +381,7 @@ static void write_logo_clut224(void)
95534 fputs("\n};\n\n", out);
95536 /* write logo clut */
95537 - fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
95538 + fprintf(out, "static unsigned char %s_clut[] = {\n",
95541 for (i = 0; i < logo_clutsize; i++) {
95542 diff --git a/scripts/sortextable.h b/scripts/sortextable.h
95543 index f5eb43d..1814de8 100644
95544 --- a/scripts/sortextable.h
95545 +++ b/scripts/sortextable.h
95546 @@ -106,9 +106,9 @@ do_func(Elf_Ehdr *ehdr, char const *const fname, table_sort_t custom_sort)
95547 const char *secstrtab;
95548 const char *strtab;
95550 - int extab_index = 0;
95553 + unsigned int extab_index = 0;
95555 + unsigned int idx;
95557 shdr = (Elf_Shdr *)((char *)ehdr + _r(&ehdr->e_shoff));
95558 shstrtab_sec = shdr + r2(&ehdr->e_shstrndx);
95559 diff --git a/security/Kconfig b/security/Kconfig
95560 index e9c6ac7..3e3f362 100644
95561 --- a/security/Kconfig
95562 +++ b/security/Kconfig
95565 menu "Security options"
95569 + config ARCH_TRACK_EXEC_LIMIT
95572 + config PAX_KERNEXEC_PLUGIN
95575 + config PAX_PER_CPU_PGD
95578 + config TASK_SIZE_MAX_SHIFT
95580 + depends on X86_64
95581 + default 47 if !PAX_PER_CPU_PGD
95582 + default 42 if PAX_PER_CPU_PGD
95584 + config PAX_ENABLE_PAE
95586 + default y if (X86_32 && (MPENTIUM4 || MK8 || MPSC || MCORE2 || MATOM))
95588 + config PAX_USERCOPY_SLABS
95592 + bool "Grsecurity"
95594 + select CRYPTO_SHA256
95596 + select STOP_MACHINE
95599 + If you say Y here, you will be able to configure many features
95600 + that will enhance the security of your system. It is highly
95601 + recommended that you say Y here and read through the help
95602 + for each option so that you fully understand the features and
95603 + can evaluate their usefulness for your machine.
95606 + prompt "Configuration Method"
95607 + depends on GRKERNSEC
95608 + default GRKERNSEC_CONFIG_CUSTOM
95611 +config GRKERNSEC_CONFIG_AUTO
95614 + If you choose this configuration method, you'll be able to answer a small
95615 + number of simple questions about how you plan to use this kernel.
95616 + The settings of grsecurity and PaX will be automatically configured for
95617 + the highest commonly-used settings within the provided constraints.
95619 + If you require additional configuration, custom changes can still be made
95620 + from the "custom configuration" menu.
95622 +config GRKERNSEC_CONFIG_CUSTOM
95625 + If you choose this configuration method, you'll be able to configure all
95626 + grsecurity and PaX settings manually. Via this method, no options are
95627 + automatically enabled.
95632 + prompt "Usage Type"
95633 + depends on (GRKERNSEC && GRKERNSEC_CONFIG_AUTO)
95634 + default GRKERNSEC_CONFIG_SERVER
95637 +config GRKERNSEC_CONFIG_SERVER
95640 + Choose this option if you plan to use this kernel on a server.
95642 +config GRKERNSEC_CONFIG_DESKTOP
95645 + Choose this option if you plan to use this kernel on a desktop.
95650 + prompt "Virtualization Type"
95651 + depends on (GRKERNSEC && X86 && GRKERNSEC_CONFIG_AUTO)
95652 + default GRKERNSEC_CONFIG_VIRT_NONE
95655 +config GRKERNSEC_CONFIG_VIRT_NONE
95658 + Choose this option if this kernel will be run on bare metal.
95660 +config GRKERNSEC_CONFIG_VIRT_GUEST
95663 + Choose this option if this kernel will be run as a VM guest.
95665 +config GRKERNSEC_CONFIG_VIRT_HOST
95668 + Choose this option if this kernel will be run as a VM host.
95673 + prompt "Virtualization Hardware"
95674 + depends on (GRKERNSEC && X86 && GRKERNSEC_CONFIG_AUTO && (GRKERNSEC_CONFIG_VIRT_GUEST || GRKERNSEC_CONFIG_VIRT_HOST))
95677 +config GRKERNSEC_CONFIG_VIRT_EPT
95678 + bool "EPT/RVI Processor Support"
95681 + Choose this option if your CPU supports the EPT or RVI features of 2nd-gen
95682 + hardware virtualization. This allows for additional kernel hardening protections
95683 + to operate without additional performance impact.
95685 + To see if your Intel processor supports EPT, see:
95686 + http://ark.intel.com/Products/VirtualizationTechnology
95687 + (Most Core i3/5/7 support EPT)
95689 + To see if your AMD processor supports RVI, see:
95690 + http://support.amd.com/us/kbarticles/Pages/GPU120AMDRVICPUsHyperVWin8.aspx
95692 +config GRKERNSEC_CONFIG_VIRT_SOFT
95693 + bool "First-gen/No Hardware Virtualization"
95695 + Choose this option if you use an Atom/Pentium/Core 2 processor that either doesn't
95696 + support hardware virtualization or doesn't support the EPT/RVI extensions.
95701 + prompt "Virtualization Software"
95702 + depends on (GRKERNSEC && GRKERNSEC_CONFIG_AUTO && (GRKERNSEC_CONFIG_VIRT_GUEST || GRKERNSEC_CONFIG_VIRT_HOST))
95705 +config GRKERNSEC_CONFIG_VIRT_XEN
95708 + Choose this option if this kernel is running as a Xen guest or host.
95710 +config GRKERNSEC_CONFIG_VIRT_VMWARE
95713 + Choose this option if this kernel is running as a VMWare guest or host.
95715 +config GRKERNSEC_CONFIG_VIRT_KVM
95718 + Choose this option if this kernel is running as a KVM guest or host.
95720 +config GRKERNSEC_CONFIG_VIRT_VIRTUALBOX
95721 + bool "VirtualBox"
95723 + Choose this option if this kernel is running as a VirtualBox guest or host.
95728 + prompt "Required Priorities"
95729 + depends on (GRKERNSEC && GRKERNSEC_CONFIG_AUTO)
95730 + default GRKERNSEC_CONFIG_PRIORITY_PERF
95733 +config GRKERNSEC_CONFIG_PRIORITY_PERF
95734 + bool "Performance"
95736 + Choose this option if performance is of highest priority for this deployment
95737 + of grsecurity. Features like UDEREF on a 64bit kernel, kernel stack clearing,
95738 + clearing of structures intended for userland, and freed memory sanitizing will
95741 +config GRKERNSEC_CONFIG_PRIORITY_SECURITY
95744 + Choose this option if security is of highest priority for this deployment of
95745 + grsecurity. UDEREF, kernel stack clearing, clearing of structures intended
95746 + for userland, and freed memory sanitizing will be enabled for this kernel.
95747 + In a worst-case scenario, these features can introduce a 20% performance hit
95748 + (UDEREF on x64 contributing half of this hit).
95752 +menu "Default Special Groups"
95753 +depends on (GRKERNSEC && GRKERNSEC_CONFIG_AUTO)
95755 +config GRKERNSEC_PROC_GID
95756 + int "GID exempted from /proc restrictions"
95759 + Setting this GID determines which group will be exempted from
95760 + grsecurity's /proc restrictions, allowing users of the specified
95761 + group to view network statistics and the existence of other users'
95762 + processes on the system. This GID may also be chosen at boot time
95763 + via "grsec_proc_gid=" on the kernel commandline.
95765 +config GRKERNSEC_TPE_UNTRUSTED_GID
95766 + int "GID for TPE-untrusted users"
95767 + depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
95770 + Setting this GID determines which group untrusted users should
95771 + be added to. These users will be placed under grsecurity's Trusted Path
95772 + Execution mechanism, preventing them from executing their own binaries.
95773 + The users will only be able to execute binaries in directories owned and
95774 + writable only by the root user. If the sysctl option is enabled, a sysctl
95775 + option with name "tpe_gid" is created.
95777 +config GRKERNSEC_TPE_TRUSTED_GID
95778 + int "GID for TPE-trusted users"
95779 + depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
95782 + Setting this GID determines what group TPE restrictions will be
95783 + *disabled* for. If the sysctl option is enabled, a sysctl option
95784 + with name "tpe_gid" is created.
95786 +config GRKERNSEC_SYMLINKOWN_GID
95787 + int "GID for users with kernel-enforced SymlinksIfOwnerMatch"
95788 + depends on GRKERNSEC_CONFIG_SERVER
95791 + Setting this GID determines what group kernel-enforced
95792 + SymlinksIfOwnerMatch will be enabled for. If the sysctl option
95793 + is enabled, a sysctl option with name "symlinkown_gid" is created.
95798 +menu "Customize Configuration"
95799 +depends on GRKERNSEC
95804 + bool "Enable various PaX features"
95805 + default y if GRKERNSEC_CONFIG_AUTO
95806 + depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
95808 + This allows you to enable various PaX features. PaX adds
95809 + intrusion prevention mechanisms to the kernel that reduce
95810 + the risks posed by exploitable memory corruption bugs.
95812 +menu "PaX Control"
95815 +config PAX_SOFTMODE
95816 + bool 'Support soft mode'
95818 + Enabling this option will allow you to run PaX in soft mode, that
95819 + is, PaX features will not be enforced by default, only on executables
95820 + marked explicitly. You must also enable PT_PAX_FLAGS or XATTR_PAX_FLAGS
95821 + support as they are the only way to mark executables for soft mode use.
95823 + Soft mode can be activated by using the "pax_softmode=1" kernel command
95824 + line option on boot. Furthermore you can control various PaX features
95825 + at runtime via the entries in /proc/sys/kernel/pax.
95828 + bool 'Use legacy ELF header marking'
95829 + default y if GRKERNSEC_CONFIG_AUTO
95831 + Enabling this option will allow you to control PaX features on
95832 + a per executable basis via the 'chpax' utility available at
95833 + http://pax.grsecurity.net/. The control flags will be read from
95834 + an otherwise reserved part of the ELF header. This marking has
95835 + numerous drawbacks (no support for soft-mode, toolchain does not
95836 + know about the non-standard use of the ELF header) therefore it
95837 + has been deprecated in favour of PT_PAX_FLAGS and XATTR_PAX_FLAGS
95840 + Note that if you enable PT_PAX_FLAGS or XATTR_PAX_FLAGS marking
95841 + support as well, they will override the legacy EI_PAX marks.
95843 + If you enable none of the marking options then all applications
95844 + will run with PaX enabled on them by default.
95846 +config PAX_PT_PAX_FLAGS
95847 + bool 'Use ELF program header marking'
95848 + default y if GRKERNSEC_CONFIG_AUTO
95850 + Enabling this option will allow you to control PaX features on
95851 + a per executable basis via the 'paxctl' utility available at
95852 + http://pax.grsecurity.net/. The control flags will be read from
95853 + a PaX specific ELF program header (PT_PAX_FLAGS). This marking
95854 + has the benefits of supporting both soft mode and being fully
95855 + integrated into the toolchain (the binutils patch is available
95856 + from http://pax.grsecurity.net).
95858 + Note that if you enable the legacy EI_PAX marking support as well,
95859 + the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
95861 + If you enable both PT_PAX_FLAGS and XATTR_PAX_FLAGS support then you
95862 + must make sure that the marks are the same if a binary has both marks.
95864 + If you enable none of the marking options then all applications
95865 + will run with PaX enabled on them by default.
95867 +config PAX_XATTR_PAX_FLAGS
95868 + bool 'Use filesystem extended attributes marking'
95869 + default y if GRKERNSEC_CONFIG_AUTO
95870 + select CIFS_XATTR if CIFS
95871 + select EXT2_FS_XATTR if EXT2_FS
95872 + select EXT3_FS_XATTR if EXT3_FS
95873 + select EXT4_FS_XATTR if EXT4_FS
95874 + select JFFS2_FS_XATTR if JFFS2_FS
95875 + select REISERFS_FS_XATTR if REISERFS_FS
95876 + select SQUASHFS_XATTR if SQUASHFS
95877 + select TMPFS_XATTR if TMPFS
95878 + select UBIFS_FS_XATTR if UBIFS_FS
95880 + Enabling this option will allow you to control PaX features on
95881 + a per executable basis via the 'setfattr' utility. The control
95882 + flags will be read from the user.pax.flags extended attribute of
95883 + the file. This marking has the benefit of supporting binary-only
95884 + applications that self-check themselves (e.g., skype) and would
95885 + not tolerate chpax/paxctl changes. The main drawback is that
95886 + extended attributes are not supported by some filesystems (e.g.,
95887 + isofs, udf, vfat) so copying files through such filesystems will
95888 + lose the extended attributes and these PaX markings.
95890 + Note that if you enable the legacy EI_PAX marking support as well,
95891 + the EI_PAX marks will be overridden by the XATTR_PAX_FLAGS marks.
95893 + If you enable both PT_PAX_FLAGS and XATTR_PAX_FLAGS support then you
95894 + must make sure that the marks are the same if a binary has both marks.
95896 + If you enable none of the marking options then all applications
95897 + will run with PaX enabled on them by default.
95900 + prompt 'MAC system integration'
95901 + default PAX_HAVE_ACL_FLAGS
95903 + Mandatory Access Control systems have the option of controlling
95904 + PaX flags on a per executable basis, choose the method supported
95905 + by your particular system.
95907 + - "none": if your MAC system does not interact with PaX,
95908 + - "direct": if your MAC system defines pax_set_initial_flags() itself,
95909 + - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
95911 + NOTE: this option is for developers/integrators only.
95913 + config PAX_NO_ACL_FLAGS
95916 + config PAX_HAVE_ACL_FLAGS
95919 + config PAX_HOOK_ACL_FLAGS
95925 +menu "Non-executable pages"
95929 + bool "Enforce non-executable pages"
95930 + default y if GRKERNSEC_CONFIG_AUTO
95931 + depends on ALPHA || (ARM && (CPU_V6 || CPU_V6K || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86
95933 + By design some architectures do not allow for protecting memory
95934 + pages against execution or even if they do, Linux does not make
95935 + use of this feature. In practice this means that if a page is
95936 + readable (such as the stack or heap) it is also executable.
95938 + There is a well known exploit technique that makes use of this
95939 + fact and a common programming mistake where an attacker can
95940 + introduce code of his choice somewhere in the attacked program's
95941 + memory (typically the stack or the heap) and then execute it.
95943 + If the attacked program was running with different (typically
95944 + higher) privileges than that of the attacker, then he can elevate
95945 + his own privilege level (e.g. get a root shell, write to files for
95946 + which he does not have write access to, etc).
95948 + Enabling this option will let you choose from various features
95949 + that prevent the injection and execution of 'foreign' code in
95952 + This will also break programs that rely on the old behaviour and
95953 + expect that dynamically allocated memory via the malloc() family
95954 + of functions is executable (which it is not). Notable examples
95955 + are the XFree86 4.x server, the java runtime and wine.
95957 +config PAX_PAGEEXEC
95958 + bool "Paging based non-executable pages"
95959 + default y if GRKERNSEC_CONFIG_AUTO
95960 + depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MATOM || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7)
95961 + select ARCH_TRACK_EXEC_LIMIT if X86_32
95963 + This implementation is based on the paging feature of the CPU.
95964 + On i386 without hardware non-executable bit support there is a
95965 + variable but usually low performance impact, however on Intel's
95966 + P4 core based CPUs it is very high so you should not enable this
95967 + for kernels meant to be used on such CPUs.
95969 + On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
95970 + with hardware non-executable bit support there is no performance
95971 + impact, on ppc the impact is negligible.
95973 + Note that several architectures require various emulations due to
95974 + badly designed userland ABIs, this will cause a performance impact
95975 + but will disappear as soon as userland is fixed. For example, ppc
95976 + userland MUST have been built with secure-plt by a recent toolchain.
95978 +config PAX_SEGMEXEC
95979 + bool "Segmentation based non-executable pages"
95980 + default y if GRKERNSEC_CONFIG_AUTO
95981 + depends on PAX_NOEXEC && X86_32
95983 + This implementation is based on the segmentation feature of the
95984 + CPU and has a very small performance impact, however applications
95985 + will be limited to a 1.5 GB address space instead of the normal
95988 +config PAX_EMUTRAMP
95989 + bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
95990 + default y if PARISC
95992 + There are some programs and libraries that for one reason or
95993 + another attempt to execute special small code snippets from
95994 + non-executable memory pages. Most notable examples are the
95995 + signal handler return code generated by the kernel itself and
95996 + the GCC trampolines.
95998 + If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
95999 + such programs will no longer work under your kernel.
96001 + As a remedy you can say Y here and use the 'chpax' or 'paxctl'
96002 + utilities to enable trampoline emulation for the affected programs
96003 + yet still have the protection provided by the non-executable pages.
96005 + On parisc you MUST enable this option and EMUSIGRT as well, otherwise
96006 + your system will not even boot.
96008 + Alternatively you can say N here and use the 'chpax' or 'paxctl'
96009 + utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
96010 + for the affected files.
96012 + NOTE: enabling this feature *may* open up a loophole in the
96013 + protection provided by non-executable pages that an attacker
96014 + could abuse. Therefore the best solution is to not have any
96015 + files on your system that would require this option. This can
96016 + be achieved by not using libc5 (which relies on the kernel
96017 + signal handler return code) and not using or rewriting programs
96018 + that make use of the nested function implementation of GCC.
96019 + Skilled users can just fix GCC itself so that it implements
96020 + nested function calls in a way that does not interfere with PaX.
96022 +config PAX_EMUSIGRT
96023 + bool "Automatically emulate sigreturn trampolines"
96024 + depends on PAX_EMUTRAMP && PARISC
96027 + Enabling this option will have the kernel automatically detect
96028 + and emulate signal return trampolines executing on the stack
96029 + that would otherwise lead to task termination.
96031 + This solution is intended as a temporary one for users with
96032 + legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
96033 + Modula-3 runtime, etc) or executables linked to such, basically
96034 + everything that does not specify its own SA_RESTORER function in
96035 + normal executable memory like glibc 2.1+ does.
96037 + On parisc you MUST enable this option, otherwise your system will
96040 + NOTE: this feature cannot be disabled on a per executable basis
96041 + and since it *does* open up a loophole in the protection provided
96042 + by non-executable pages, the best solution is to not have any
96043 + files on your system that would require this option.
96045 +config PAX_MPROTECT
96046 + bool "Restrict mprotect()"
96047 + default y if GRKERNSEC_CONFIG_AUTO
96048 + depends on (PAX_PAGEEXEC || PAX_SEGMEXEC)
96050 + Enabling this option will prevent programs from
96051 + - changing the executable status of memory pages that were
96052 + not originally created as executable,
96053 + - making read-only executable pages writable again,
96054 + - creating executable pages from anonymous memory,
96055 + - making read-only-after-relocations (RELRO) data pages writable again.
96057 + You should say Y here to complete the protection provided by
96058 + the enforcement of non-executable pages.
96060 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
96061 + this feature on a per file basis.
96063 +config PAX_MPROTECT_COMPAT
96064 + bool "Use legacy/compat protection demoting (read help)"
96065 + default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_DESKTOP)
96066 + depends on PAX_MPROTECT
96068 + The current implementation of PAX_MPROTECT denies RWX allocations/mprotects
96069 + by sending the proper error code to the application. For some broken
96070 + userland, this can cause problems with Python or other applications. The
96071 + current implementation however allows for applications like clamav to
96072 + detect if JIT compilation/execution is allowed and to fall back gracefully
96073 + to an interpreter-based mode if it does not. While we encourage everyone
96074 + to use the current implementation as-is and push upstream to fix broken
96075 + userland (note that the RWX logging option can assist with this), in some
96076 + environments this may not be possible. Having to disable MPROTECT
96077 + completely on certain binaries reduces the security benefit of PaX,
96078 + so this option is provided for those environments to revert to the old
96081 +config PAX_ELFRELOCS
96082 + bool "Allow ELF text relocations (read help)"
96083 + depends on PAX_MPROTECT
96086 + Non-executable pages and mprotect() restrictions are effective
96087 + in preventing the introduction of new executable code into an
96088 + attacked task's address space. There remain only two venues
96089 + for this kind of attack: if the attacker can execute already
96090 + existing code in the attacked task then he can either have it
96091 + create and mmap() a file containing his code or have it mmap()
96092 + an already existing ELF library that does not have position
96093 + independent code in it and use mprotect() on it to make it
96094 + writable and copy his code there. While protecting against
96095 + the former approach is beyond PaX, the latter can be prevented
96096 + by having only PIC ELF libraries on one's system (which do not
96097 + need to relocate their code). If you are sure this is your case,
96098 + as is the case with all modern Linux distributions, then leave
96099 + this option disabled. You should say 'n' here.
96101 +config PAX_ETEXECRELOCS
96102 + bool "Allow ELF ET_EXEC text relocations"
96103 + depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
96104 + select PAX_ELFRELOCS
96107 + On some architectures there are incorrectly created applications
96108 + that require text relocations and would not work without enabling
96109 + this option. If you are an alpha, ia64 or parisc user, you should
96110 + enable this option and disable it once you have made sure that
96111 + none of your applications need it.
96114 + bool "Automatically emulate ELF PLT"
96115 + depends on PAX_MPROTECT && (ALPHA || PARISC || SPARC)
96118 + Enabling this option will have the kernel automatically detect
96119 + and emulate the Procedure Linkage Table entries in ELF files.
96120 + On some architectures such entries are in writable memory, and
96121 + become non-executable leading to task termination. Therefore
96122 + it is mandatory that you enable this option on alpha, parisc,
96123 + sparc and sparc64, otherwise your system would not even boot.
96125 + NOTE: this feature *does* open up a loophole in the protection
96126 + provided by the non-executable pages, therefore the proper
96127 + solution is to modify the toolchain to produce a PLT that does
96128 + not need to be writable.
96130 +config PAX_DLRESOLVE
96131 + bool 'Emulate old glibc resolver stub'
96132 + depends on PAX_EMUPLT && SPARC
96135 + This option is needed if userland has an old glibc (before 2.4)
96136 + that puts a 'save' instruction into the runtime generated resolver
96137 + stub that needs special emulation.
96139 +config PAX_KERNEXEC
96140 + bool "Enforce non-executable kernel pages"
96141 + default y if GRKERNSEC_CONFIG_AUTO && (GRKERNSEC_CONFIG_VIRT_NONE || (GRKERNSEC_CONFIG_VIRT_EPT && GRKERNSEC_CONFIG_VIRT_GUEST) || (GRKERNSEC_CONFIG_VIRT_EPT && GRKERNSEC_CONFIG_VIRT_KVM))
96142 + depends on (X86 || (ARM && (CPU_V6 || CPU_V6K || CPU_V7) && !(ARM_LPAE && MODULES))) && !XEN
96143 + select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
96144 + select PAX_KERNEXEC_PLUGIN if X86_64
96146 + This is the kernel land equivalent of PAGEEXEC and MPROTECT,
96147 + that is, enabling this option will make it harder to inject
96148 + and execute 'foreign' code in kernel memory itself.
96151 + prompt "Return Address Instrumentation Method"
96152 + default PAX_KERNEXEC_PLUGIN_METHOD_BTS
96153 + depends on PAX_KERNEXEC_PLUGIN
96155 + Select the method used to instrument function pointer dereferences.
96156 + Note that binary modules cannot be instrumented by this approach.
96158 + Note that the implementation requires a gcc with plugin support,
96159 + i.e., gcc 4.5 or newer. You may need to install the supporting
96160 + headers explicitly in addition to the normal gcc package.
96162 + config PAX_KERNEXEC_PLUGIN_METHOD_BTS
96165 + This method is compatible with binary only modules but has
96166 + a higher runtime overhead.
96168 + config PAX_KERNEXEC_PLUGIN_METHOD_OR
96170 + depends on !PARAVIRT
96172 + This method is incompatible with binary only modules but has
96173 + a lower runtime overhead.
96176 +config PAX_KERNEXEC_PLUGIN_METHOD
96178 + default "bts" if PAX_KERNEXEC_PLUGIN_METHOD_BTS
96179 + default "or" if PAX_KERNEXEC_PLUGIN_METHOD_OR
96182 +config PAX_KERNEXEC_MODULE_TEXT
96183 + int "Minimum amount of memory reserved for module code"
96184 + default "4" if (!GRKERNSEC_CONFIG_AUTO || GRKERNSEC_CONFIG_SERVER)
96185 + default "12" if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_DESKTOP)
96186 + depends on PAX_KERNEXEC && X86_32
96188 + Due to implementation details the kernel must reserve a fixed
96189 + amount of memory for runtime allocated code (such as modules)
96190 + at compile time that cannot be changed at runtime. Here you
96191 + can specify the minimum amount in MB that will be reserved.
96192 + Due to the same implementation details this size will always
96193 + be rounded up to the next 2/4 MB boundary (depends on PAE) so
96194 + the actually available memory for runtime allocated code will
96195 + usually be more than this minimum.
96197 + The default 4 MB should be enough for most users but if you have
96198 + an excessive number of modules (e.g., most distribution configs
96199 + compile many drivers as modules) or use huge modules such as
96200 + nvidia's kernel driver, you will need to adjust this amount.
96201 + A good rule of thumb is to look at your currently loaded kernel
96202 + modules and add up their sizes.
96206 +menu "Address Space Layout Randomization"
96210 + bool "Address Space Layout Randomization"
96211 + default y if GRKERNSEC_CONFIG_AUTO
96213 + Many if not most exploit techniques rely on the knowledge of
96214 + certain addresses in the attacked program. The following options
96215 + will allow the kernel to apply a certain amount of randomization
96216 + to specific parts of the program thereby forcing an attacker to
96217 + guess them in most cases. Any failed guess will most likely crash
96218 + the attacked program which allows the kernel to detect such attempts
96219 + and react on them. PaX itself provides no reaction mechanisms,
96220 + instead it is strongly encouraged that you make use of Nergal's
96221 + segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
96222 + (http://www.grsecurity.net/) built-in crash detection features or
96223 + develop one yourself.
96225 + By saying Y here you can choose to randomize the following areas:
96226 + - top of the task's kernel stack
96227 + - top of the task's userland stack
96228 + - base address for mmap() requests that do not specify one
96229 + (this includes all libraries)
96230 + - base address of the main executable
96232 + It is strongly recommended to say Y here as address space layout
96233 + randomization has negligible impact on performance yet it provides
96234 + a very effective protection.
96236 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
96237 + this feature on a per file basis.
96239 +config PAX_RANDKSTACK
96240 + bool "Randomize kernel stack base"
96241 + default y if GRKERNSEC_CONFIG_AUTO && !(GRKERNSEC_CONFIG_VIRT_HOST && GRKERNSEC_CONFIG_VIRT_VIRTUALBOX)
96242 + depends on X86_TSC && X86
96244 + By saying Y here the kernel will randomize every task's kernel
96245 + stack on every system call. This will not only force an attacker
96246 + to guess it but also prevent him from making use of possible
96247 + leaked information about it.
96249 + Since the kernel stack is a rather scarce resource, randomization
96250 + may cause unexpected stack overflows, therefore you should very
96251 + carefully test your system. Note that once enabled in the kernel
96252 + configuration, this feature cannot be disabled on a per file basis.
96254 +config PAX_RANDUSTACK
96255 + bool "Randomize user stack base"
96256 + default y if GRKERNSEC_CONFIG_AUTO
96257 + depends on PAX_ASLR
96259 + By saying Y here the kernel will randomize every task's userland
96260 + stack. The randomization is done in two steps where the second
96261 + one may apply a big amount of shift to the top of the stack and
96262 + cause problems for programs that want to use lots of memory (more
96263 + than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
96264 + For this reason the second step can be controlled by 'chpax' or
96265 + 'paxctl' on a per file basis.
96267 +config PAX_RANDMMAP
96268 + bool "Randomize mmap() base"
96269 + default y if GRKERNSEC_CONFIG_AUTO
96270 + depends on PAX_ASLR
96272 + By saying Y here the kernel will use a randomized base address for
96273 + mmap() requests that do not specify one themselves. As a result
96274 + all dynamically loaded libraries will appear at random addresses
96275 + and therefore be harder to exploit by a technique where an attacker
96276 + attempts to execute library code for his purposes (e.g. spawn a
96277 + shell from an exploited program that is running at an elevated
96278 + privilege level).
96280 + Furthermore, if a program is relinked as a dynamic ELF file, its
96281 + base address will be randomized as well, completing the full
96282 + randomization of the address space layout. Attacking such programs
96283 + becomes a guess game. You can find an example of doing this at
96284 + http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
96285 + http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
96287 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
96288 + feature on a per file basis.
96292 +menu "Miscellaneous hardening features"
96294 +config PAX_MEMORY_SANITIZE
96295 + bool "Sanitize all freed memory"
96296 + default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_PRIORITY_SECURITY)
96297 + depends on !HIBERNATION
96299 + By saying Y here the kernel will erase memory pages and slab objects
96300 + as soon as they are freed. This in turn reduces the lifetime of data
96301 + stored in them, making it less likely that sensitive information such
96302 + as passwords, cryptographic secrets, etc stay in memory for too long.
96304 + This is especially useful for programs whose runtime is short, long
96305 + lived processes and the kernel itself benefit from this as long as
96306 + they ensure timely freeing of memory that may hold sensitive
96309 + A nice side effect of the sanitization of slab objects is the
96310 + reduction of possible info leaks caused by padding bytes within the
96311 + leaky structures. Use-after-free bugs for structures containing
96312 + pointers can also be detected as dereferencing the sanitized pointer
96313 + will generate an access violation.
96315 + The tradeoff is performance impact, on a single CPU system kernel
96316 + compilation sees a 3% slowdown, other systems and workloads may vary
96317 + and you are advised to test this feature on your expected workload
96318 + before deploying it.
96320 + To reduce the performance penalty by sanitizing pages only, albeit
96321 + limiting the effectiveness of this feature at the same time, slab
96322 + sanitization can be disabled with the kernel commandline parameter
96323 + "pax_sanitize_slab=0".
96325 + Note that this feature does not protect data stored in live pages,
96326 + e.g., process memory swapped to disk may stay there for a long time.
96328 +config PAX_MEMORY_STACKLEAK
96329 + bool "Sanitize kernel stack"
96330 + default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_PRIORITY_SECURITY)
96333 + By saying Y here the kernel will erase the kernel stack before it
96334 + returns from a system call. This in turn reduces the information
96335 + that a kernel stack leak bug can reveal.
96337 + Note that such a bug can still leak information that was put on
96338 + the stack by the current system call (the one eventually triggering
96339 + the bug) but traces of earlier system calls on the kernel stack
96340 + cannot leak anymore.
96342 + The tradeoff is performance impact: on a single CPU system kernel
96343 + compilation sees a 1% slowdown, other systems and workloads may vary
96344 + and you are advised to test this feature on your expected workload
96345 + before deploying it.
96347 + Note that the full feature requires a gcc with plugin support,
96348 + i.e., gcc 4.5 or newer. You may need to install the supporting
96349 + headers explicitly in addition to the normal gcc package. Using
96350 + older gcc versions means that functions with large enough stack
96351 + frames may leave uninitialized memory behind that may be exposed
96352 + to a later syscall leaking the stack.
96354 +config PAX_MEMORY_STRUCTLEAK
96355 + bool "Forcibly initialize local variables copied to userland"
96356 + default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_PRIORITY_SECURITY)
96358 + By saying Y here the kernel will zero initialize some local
96359 + variables that are going to be copied to userland. This in
96360 + turn prevents unintended information leakage from the kernel
96361 + stack should later code forget to explicitly set all parts of
96362 + the copied variable.
96364 + The tradeoff is less performance impact than PAX_MEMORY_STACKLEAK
96365 + at a much smaller coverage.
96367 + Note that the implementation requires a gcc with plugin support,
96368 + i.e., gcc 4.5 or newer. You may need to install the supporting
96369 + headers explicitly in addition to the normal gcc package.
96371 +config PAX_MEMORY_UDEREF
96372 + bool "Prevent invalid userland pointer dereference"
96373 + default y if GRKERNSEC_CONFIG_AUTO && !(X86_64 && GRKERNSEC_CONFIG_PRIORITY_PERF) && (GRKERNSEC_CONFIG_VIRT_NONE || GRKERNSEC_CONFIG_VIRT_EPT)
96374 + depends on (X86 || (ARM && (CPU_V6 || CPU_V6K || CPU_V7) && !ARM_LPAE)) && !UML_X86 && !XEN
96375 + select PAX_PER_CPU_PGD if X86_64
96377 + By saying Y here the kernel will be prevented from dereferencing
96378 + userland pointers in contexts where the kernel expects only kernel
96379 + pointers. This is both a useful runtime debugging feature and a
96380 + security measure that prevents exploiting a class of kernel bugs.
96382 + The tradeoff is that some virtualization solutions may experience
96383 + a huge slowdown and therefore you should not enable this feature
96384 + for kernels meant to run in such environments. Whether a given VM
96385 + solution is affected or not is best determined by simply trying it
96386 + out, the performance impact will be obvious right on boot as this
96387 + mechanism engages from very early on. A good rule of thumb is that
96388 + VMs running on CPUs without hardware virtualization support (i.e.,
96389 + the majority of IA-32 CPUs) will likely experience the slowdown.
96391 + On X86_64 the kernel will make use of PCID support when available
96392 + (Intel's Westmere, Sandy Bridge, etc) for better security (default)
96393 + or performance impact. Pass pax_weakuderef on the kernel command
96394 + line to choose the latter.
96396 +config PAX_REFCOUNT
96397 + bool "Prevent various kernel object reference counter overflows"
96398 + default y if GRKERNSEC_CONFIG_AUTO
96399 + depends on GRKERNSEC && ((ARM && (CPU_V6 || CPU_V6K || CPU_V7)) || SPARC64 || X86)
96401 + By saying Y here the kernel will detect and prevent overflowing
96402 + various (but not all) kinds of object reference counters. Such
96403 + overflows can normally occur due to bugs only and are often, if
96404 + not always, exploitable.
96406 + The tradeoff is that data structures protected by an overflowed
96407 + refcount will never be freed and therefore will leak memory. Note
96408 + that this leak also happens even without this protection but in
96409 + that case the overflow can eventually trigger the freeing of the
96410 + data structure while it is still being used elsewhere, resulting
96411 + in the exploitable situation that this feature prevents.
96413 + Since this has a negligible performance impact, you should enable
96416 +config PAX_CONSTIFY_PLUGIN
96417 + bool "Automatically constify eligible structures"
96419 + depends on !UML && PAX_KERNEXEC
96421 + By saying Y here the compiler will automatically constify a class
96422 + of types that contain only function pointers. This reduces the
96423 + kernel's attack surface and also produces a better memory layout.
96425 + Note that the implementation requires a gcc with plugin support,
96426 + i.e., gcc 4.5 or newer. You may need to install the supporting
96427 + headers explicitly in addition to the normal gcc package.
96429 + Note that if some code really has to modify constified variables
96430 + then the source code will have to be patched to allow it. Examples
96431 + can be found in PaX itself (the no_const attribute) and for some
96432 + out-of-tree modules at http://www.grsecurity.net/~paxguy1/ .
96434 +config PAX_USERCOPY
96435 + bool "Harden heap object copies between kernel and userland"
96436 + default y if GRKERNSEC_CONFIG_AUTO
96437 + depends on ARM || IA64 || PPC || SPARC || X86
96438 + depends on GRKERNSEC && (SLAB || SLUB || SLOB)
96439 + select PAX_USERCOPY_SLABS
96441 + By saying Y here the kernel will enforce the size of heap objects
96442 + when they are copied in either direction between the kernel and
96443 + userland, even if only a part of the heap object is copied.
96445 + Specifically, this checking prevents information leaking from the
96446 + kernel heap during kernel to userland copies (if the kernel heap
96447 + object is otherwise fully initialized) and prevents kernel heap
96448 + overflows during userland to kernel copies.
96450 + Note that the current implementation provides the strictest bounds
96451 + checks for the SLUB allocator.
96453 + Enabling this option also enables per-slab cache protection against
96454 + data in a given cache being copied into/out of via userland
96455 + accessors. Though the whitelist of regions will be reduced over
96456 + time, it notably protects important data structures like task structs.
96458 + If frame pointers are enabled on x86, this option will also restrict
96459 + copies into and out of the kernel stack to local variables within a
96462 + Since this has a negligible performance impact, you should enable
96465 +config PAX_USERCOPY_DEBUG
96467 + depends on X86 && PAX_USERCOPY
96470 +config PAX_SIZE_OVERFLOW
96471 + bool "Prevent various integer overflows in function size parameters"
96472 + default y if GRKERNSEC_CONFIG_AUTO
96475 + By saying Y here the kernel recomputes expressions of function
96476 + arguments marked by a size_overflow attribute with double integer
96477 + precision (DImode/TImode for 32/64 bit integer types).
96479 + The recomputed argument is checked against TYPE_MAX and an event
96480 + is logged on overflow and the triggering process is killed.
96482 + Homepage: http://www.grsecurity.net/~ephox/overflow_plugin/
96484 + Note that the implementation requires a gcc with plugin support,
96485 + i.e., gcc 4.5 or newer. You may need to install the supporting
96486 + headers explicitly in addition to the normal gcc package.
96488 +config PAX_LATENT_ENTROPY
96489 + bool "Generate some entropy during boot"
96490 + default y if GRKERNSEC_CONFIG_AUTO
96492 + By saying Y here the kernel will instrument early boot code to
96493 + extract some entropy from both original and artificially created
96494 + program state. This will help especially embedded systems where
96495 + there is little 'natural' source of entropy normally. The cost
96496 + is some slowdown of the boot process.
96498 + When pax_extra_latent_entropy is passed on the kernel command line,
96499 + entropy will be extracted from up to the first 4GB of RAM while the
96500 + runtime memory allocator is being initialized. This costs even more
96501 + slowdown of the boot process.
96503 + Note that the implementation requires a gcc with plugin support,
96504 + i.e., gcc 4.5 or newer. You may need to install the supporting
96505 + headers explicitly in addition to the normal gcc package.
96507 + Note that entropy extracted this way is not cryptographically
96514 +source grsecurity/Kconfig
96520 source security/keys/Kconfig
96522 config SECURITY_DMESG_RESTRICT
96523 @@ -103,7 +1056,7 @@ config INTEL_TXT
96524 config LSM_MMAP_MIN_ADDR
96525 int "Low address space for LSM to protect from user allocation"
96526 depends on SECURITY && SECURITY_SELINUX
96527 - default 32768 if ARM
96528 + default 32768 if ALPHA || ARM || PARISC || SPARC32
96531 This is the portion of low virtual memory which should be protected
96532 diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig
96533 index 9b9013b..51ebf96 100644
96534 --- a/security/apparmor/Kconfig
96535 +++ b/security/apparmor/Kconfig
96536 @@ -29,3 +29,12 @@ config SECURITY_APPARMOR_BOOTPARAM_VALUE
96539 If you are unsure how to answer this question, answer 1.
96541 +config SECURITY_APPARMOR_COMPAT_24
96542 + bool "Enable AppArmor 2.4 compatability"
96543 + depends on SECURITY_APPARMOR
96546 + This option enables compatability with AppArmor 2.4. It is
96547 + recommended if compatability with older versions of AppArmor
96549 diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
96550 index 16c15ec..42b7c9f 100644
96551 --- a/security/apparmor/apparmorfs.c
96552 +++ b/security/apparmor/apparmorfs.c
96553 @@ -182,6 +182,234 @@ const struct file_operations aa_fs_seq_file_ops = {
96554 .release = single_release,
96557 +#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
96559 + * __next_namespace - find the next namespace to list
96560 + * @root: root namespace to stop search at (NOT NULL)
96561 + * @ns: current ns position (NOT NULL)
96563 + * Find the next namespace from @ns under @root and handle all locking needed
96564 + * while switching current namespace.
96566 + * Returns: next namespace or NULL if at last namespace under @root
96567 + * NOTE: will not unlock root->lock
96569 +static struct aa_namespace *__next_namespace(struct aa_namespace *root,
96570 + struct aa_namespace *ns)
96572 + struct aa_namespace *parent;
96574 + /* is next namespace a child */
96575 + if (!list_empty(&ns->sub_ns)) {
96576 + struct aa_namespace *next;
96577 + next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list);
96578 + read_lock(&next->lock);
96582 + /* check if the next ns is a sibling, parent, gp, .. */
96583 + parent = ns->parent;
96585 + read_unlock(&ns->lock);
96586 + list_for_each_entry_continue(ns, &parent->sub_ns, base.list) {
96587 + read_lock(&ns->lock);
96590 + if (parent == root)
96593 + parent = parent->parent;
96600 + * __first_profile - find the first profile in a namespace
96601 + * @root: namespace that is root of profiles being displayed (NOT NULL)
96602 + * @ns: namespace to start in (NOT NULL)
96604 + * Returns: unrefcounted profile or NULL if no profile
96606 +static struct aa_profile *__first_profile(struct aa_namespace *root,
96607 + struct aa_namespace *ns)
96609 + for ( ; ns; ns = __next_namespace(root, ns)) {
96610 + if (!list_empty(&ns->base.profiles))
96611 + return list_first_entry(&ns->base.profiles,
96612 + struct aa_profile, base.list);
96618 + * __next_profile - step to the next profile in a profile tree
96619 + * @profile: current profile in tree (NOT NULL)
96621 + * Perform a depth first taversal on the profile tree in a namespace
96623 + * Returns: next profile or NULL if done
96624 + * Requires: profile->ns.lock to be held
96626 +static struct aa_profile *__next_profile(struct aa_profile *p)
96628 + struct aa_profile *parent;
96629 + struct aa_namespace *ns = p->ns;
96631 + /* is next profile a child */
96632 + if (!list_empty(&p->base.profiles))
96633 + return list_first_entry(&p->base.profiles, typeof(*p),
96636 + /* is next profile a sibling, parent sibling, gp, subling, .. */
96637 + parent = p->parent;
96639 + list_for_each_entry_continue(p, &parent->base.profiles,
96643 + parent = parent->parent;
96646 + /* is next another profile in the namespace */
96647 + list_for_each_entry_continue(p, &ns->base.profiles, base.list)
96654 + * next_profile - step to the next profile in where ever it may be
96655 + * @root: root namespace (NOT NULL)
96656 + * @profile: current profile (NOT NULL)
96658 + * Returns: next profile or NULL if there isn't one
96660 +static struct aa_profile *next_profile(struct aa_namespace *root,
96661 + struct aa_profile *profile)
96663 + struct aa_profile *next = __next_profile(profile);
96667 + /* finished all profiles in namespace move to next namespace */
96668 + return __first_profile(root, __next_namespace(root, profile->ns));
96672 + * p_start - start a depth first traversal of profile tree
96673 + * @f: seq_file to fill
96674 + * @pos: current position
96676 + * Returns: first profile under current namespace or NULL if none found
96678 + * acquires first ns->lock
96680 +static void *p_start(struct seq_file *f, loff_t *pos)
96681 + __acquires(root->lock)
96683 + struct aa_profile *profile = NULL;
96684 + struct aa_namespace *root = aa_current_profile()->ns;
96686 + f->private = aa_get_namespace(root);
96689 + /* find the first profile */
96690 + read_lock(&root->lock);
96691 + profile = __first_profile(root, root);
96693 + /* skip to position */
96694 + for (; profile && l > 0; l--)
96695 + profile = next_profile(root, profile);
96701 + * p_next - read the next profile entry
96702 + * @f: seq_file to fill
96703 + * @p: profile previously returned
96704 + * @pos: current position
96706 + * Returns: next profile after @p or NULL if none
96708 + * may acquire/release locks in namespace tree as necessary
96710 +static void *p_next(struct seq_file *f, void *p, loff_t *pos)
96712 + struct aa_profile *profile = p;
96713 + struct aa_namespace *root = f->private;
96716 + return next_profile(root, profile);
96720 + * p_stop - stop depth first traversal
96721 + * @f: seq_file we are filling
96722 + * @p: the last profile writen
96724 + * Release all locking done by p_start/p_next on namespace tree
96726 +static void p_stop(struct seq_file *f, void *p)
96727 + __releases(root->lock)
96729 + struct aa_profile *profile = p;
96730 + struct aa_namespace *root = f->private, *ns;
96733 + for (ns = profile->ns; ns && ns != root; ns = ns->parent)
96734 + read_unlock(&ns->lock);
96736 + read_unlock(&root->lock);
96737 + aa_put_namespace(root);
96741 + * seq_show_profile - show a profile entry
96742 + * @f: seq_file to file
96743 + * @p: current position (profile) (NOT NULL)
96745 + * Returns: error on failure
96747 +static int seq_show_profile(struct seq_file *f, void *p)
96749 + struct aa_profile *profile = (struct aa_profile *)p;
96750 + struct aa_namespace *root = f->private;
96752 + if (profile->ns != root)
96753 + seq_printf(f, ":%s://", aa_ns_name(root, profile->ns));
96754 + seq_printf(f, "%s (%s)\n", profile->base.hname,
96755 + COMPLAIN_MODE(profile) ? "complain" : "enforce");
96760 +static const struct seq_operations aa_fs_profiles_op = {
96761 + .start = p_start,
96764 + .show = seq_show_profile,
96767 +static int profiles_open(struct inode *inode, struct file *file)
96769 + return seq_open(file, &aa_fs_profiles_op);
96772 +static int profiles_release(struct inode *inode, struct file *file)
96774 + return seq_release(inode, file);
96777 +const struct file_operations aa_fs_profiles_fops = {
96778 + .open = profiles_open,
96779 + .read = seq_read,
96780 + .llseek = seq_lseek,
96781 + .release = profiles_release,
96783 +#endif /* CONFIG_SECURITY_APPARMOR_COMPAT_24 */
96785 /** Base file system setup **/
96787 static struct aa_fs_entry aa_fs_entry_file[] = {
96788 @@ -210,6 +438,9 @@ static struct aa_fs_entry aa_fs_entry_apparmor[] = {
96789 AA_FS_FILE_FOPS(".load", 0640, &aa_fs_profile_load),
96790 AA_FS_FILE_FOPS(".replace", 0640, &aa_fs_profile_replace),
96791 AA_FS_FILE_FOPS(".remove", 0640, &aa_fs_profile_remove),
96792 +#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
96793 + AA_FS_FILE_FOPS("profiles", 0640, &aa_fs_profiles_fops),
96795 AA_FS_DIR("features", aa_fs_entry_features),
96798 diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
96799 index b21830e..a7d1a17 100644
96800 --- a/security/apparmor/lsm.c
96801 +++ b/security/apparmor/lsm.c
96802 @@ -614,7 +614,7 @@ static int apparmor_task_setrlimit(struct task_struct *task,
96806 -static struct security_operations apparmor_ops = {
96807 +static struct security_operations apparmor_ops __read_only = {
96808 .name = "apparmor",
96810 .ptrace_access_check = apparmor_ptrace_access_check,
96811 diff --git a/security/commoncap.c b/security/commoncap.c
96812 index c44b6fe..932df30 100644
96813 --- a/security/commoncap.c
96814 +++ b/security/commoncap.c
96815 @@ -424,6 +424,32 @@ int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data
96820 + 1 for suid privilege
96821 + 2 for sgid privilege
96822 + 3 for fscap privilege
96824 +int is_privileged_binary(const struct dentry *dentry)
96826 + struct cpu_vfs_cap_data capdata;
96827 + struct inode *inode = dentry->d_inode;
96829 + if (!inode || S_ISDIR(inode->i_mode))
96832 + if (inode->i_mode & S_ISUID)
96834 + if ((inode->i_mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))
96837 + if (!get_vfs_caps_from_disk(dentry, &capdata)) {
96838 + if (!cap_isclear(capdata.inheritable) || !cap_isclear(capdata.permitted))
96846 * Attempt to get the on-exec apply capability sets for an executable file from
96847 * its xattrs and, if present, apply them to the proposed credentials being
96848 @@ -592,6 +618,9 @@ int cap_bprm_secureexec(struct linux_binprm *bprm)
96849 const struct cred *cred = current_cred();
96850 kuid_t root_uid = make_kuid(cred->user_ns, 0);
96852 + if (gr_acl_enable_at_secure())
96855 if (!uid_eq(cred->uid, root_uid)) {
96856 if (bprm->cap_effective)
96858 diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
96859 index a41c9c1..83da6dd 100644
96860 --- a/security/integrity/ima/ima.h
96861 +++ b/security/integrity/ima/ima.h
96862 @@ -97,8 +97,8 @@ int ima_init_crypto(void);
96863 extern spinlock_t ima_queue_lock;
96865 struct ima_h_table {
96866 - atomic_long_t len; /* number of stored measurements in the list */
96867 - atomic_long_t violations;
96868 + atomic_long_unchecked_t len; /* number of stored measurements in the list */
96869 + atomic_long_unchecked_t violations;
96870 struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
96872 extern struct ima_h_table ima_htable;
96873 diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
96874 index 1c03e8f1..398a941 100644
96875 --- a/security/integrity/ima/ima_api.c
96876 +++ b/security/integrity/ima/ima_api.c
96877 @@ -79,7 +79,7 @@ void ima_add_violation(struct inode *inode, const unsigned char *filename,
96880 /* can overflow, only indicator */
96881 - atomic_long_inc(&ima_htable.violations);
96882 + atomic_long_inc_unchecked(&ima_htable.violations);
96884 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
96886 diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
96887 index 38477c9..87a60c7 100644
96888 --- a/security/integrity/ima/ima_fs.c
96889 +++ b/security/integrity/ima/ima_fs.c
96890 @@ -28,12 +28,12 @@
96891 static int valid_policy = 1;
96892 #define TMPBUFLEN 12
96893 static ssize_t ima_show_htable_value(char __user *buf, size_t count,
96894 - loff_t *ppos, atomic_long_t *val)
96895 + loff_t *ppos, atomic_long_unchecked_t *val)
96897 char tmpbuf[TMPBUFLEN];
96900 - len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
96901 + len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read_unchecked(val));
96902 return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
96905 diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c
96906 index ff63fe0..809cd96 100644
96907 --- a/security/integrity/ima/ima_queue.c
96908 +++ b/security/integrity/ima/ima_queue.c
96909 @@ -80,7 +80,7 @@ static int ima_add_digest_entry(struct ima_template_entry *entry)
96910 INIT_LIST_HEAD(&qe->later);
96911 list_add_tail_rcu(&qe->later, &ima_measurements);
96913 - atomic_long_inc(&ima_htable.len);
96914 + atomic_long_inc_unchecked(&ima_htable.len);
96915 key = ima_hash_key(entry->digest);
96916 hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
96918 diff --git a/security/keys/compat.c b/security/keys/compat.c
96919 index d65fa7f..cbfe366 100644
96920 --- a/security/keys/compat.c
96921 +++ b/security/keys/compat.c
96922 @@ -44,7 +44,7 @@ static long compat_keyctl_instantiate_key_iov(
96924 goto no_payload_free;
96926 - ret = keyctl_instantiate_key_common(id, iov, ioc, ret, ringid);
96927 + ret = keyctl_instantiate_key_common(id, (const struct iovec __force_user *)iov, ioc, ret, ringid);
96929 if (iov != iovstack)
96931 diff --git a/security/keys/internal.h b/security/keys/internal.h
96932 index d4f1468..cc52f92 100644
96933 --- a/security/keys/internal.h
96934 +++ b/security/keys/internal.h
96935 @@ -242,7 +242,7 @@ extern long keyctl_instantiate_key_iov(key_serial_t,
96936 extern long keyctl_invalidate_key(key_serial_t);
96938 extern long keyctl_instantiate_key_common(key_serial_t,
96939 - const struct iovec *,
96940 + const struct iovec __user *,
96941 unsigned, size_t, key_serial_t);
96944 diff --git a/security/keys/key.c b/security/keys/key.c
96945 index 8fb7c7b..ba3610d 100644
96946 --- a/security/keys/key.c
96947 +++ b/security/keys/key.c
96948 @@ -284,7 +284,7 @@ struct key *key_alloc(struct key_type *type, const char *desc,
96950 atomic_set(&key->usage, 1);
96951 init_rwsem(&key->sem);
96952 - lockdep_set_class(&key->sem, &type->lock_class);
96953 + lockdep_set_class(&key->sem, (struct lock_class_key *)&type->lock_class);
96956 key->quotalen = quotalen;
96957 @@ -1032,7 +1032,9 @@ int register_key_type(struct key_type *ktype)
96958 struct key_type *p;
96961 - memset(&ktype->lock_class, 0, sizeof(ktype->lock_class));
96962 + pax_open_kernel();
96963 + memset((void *)&ktype->lock_class, 0, sizeof(ktype->lock_class));
96964 + pax_close_kernel();
96967 down_write(&key_types_sem);
96968 @@ -1044,7 +1046,7 @@ int register_key_type(struct key_type *ktype)
96971 /* store the type */
96972 - list_add(&ktype->link, &key_types_list);
96973 + pax_list_add((struct list_head *)&ktype->link, &key_types_list);
96975 pr_notice("Key type %s registered\n", ktype->name);
96977 @@ -1066,7 +1068,7 @@ EXPORT_SYMBOL(register_key_type);
96978 void unregister_key_type(struct key_type *ktype)
96980 down_write(&key_types_sem);
96981 - list_del_init(&ktype->link);
96982 + pax_list_del_init((struct list_head *)&ktype->link);
96983 downgrade_write(&key_types_sem);
96984 key_gc_keytype(ktype);
96985 pr_notice("Key type %s unregistered\n", ktype->name);
96986 @@ -1084,10 +1086,10 @@ void __init key_init(void)
96987 0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
96989 /* add the special key types */
96990 - list_add_tail(&key_type_keyring.link, &key_types_list);
96991 - list_add_tail(&key_type_dead.link, &key_types_list);
96992 - list_add_tail(&key_type_user.link, &key_types_list);
96993 - list_add_tail(&key_type_logon.link, &key_types_list);
96994 + pax_list_add_tail((struct list_head *)&key_type_keyring.link, &key_types_list);
96995 + pax_list_add_tail((struct list_head *)&key_type_dead.link, &key_types_list);
96996 + pax_list_add_tail((struct list_head *)&key_type_user.link, &key_types_list);
96997 + pax_list_add_tail((struct list_head *)&key_type_logon.link, &key_types_list);
96999 /* record the root user tracking */
97000 rb_link_node(&root_key_user.node,
97001 diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
97002 index 33cfd27..842fc5a 100644
97003 --- a/security/keys/keyctl.c
97004 +++ b/security/keys/keyctl.c
97005 @@ -987,7 +987,7 @@ static int keyctl_change_reqkey_auth(struct key *key)
97007 * Copy the iovec data from userspace
97009 -static long copy_from_user_iovec(void *buffer, const struct iovec *iov,
97010 +static long copy_from_user_iovec(void *buffer, const struct iovec __user *iov,
97013 for (; ioc > 0; ioc--) {
97014 @@ -1009,7 +1009,7 @@ static long copy_from_user_iovec(void *buffer, const struct iovec *iov,
97015 * If successful, 0 will be returned.
97017 long keyctl_instantiate_key_common(key_serial_t id,
97018 - const struct iovec *payload_iov,
97019 + const struct iovec __user *payload_iov,
97022 key_serial_t ringid)
97023 @@ -1104,7 +1104,7 @@ long keyctl_instantiate_key(key_serial_t id,
97027 - return keyctl_instantiate_key_common(id, iov, 1, plen, ringid);
97028 + return keyctl_instantiate_key_common(id, (const struct iovec __force_user *)iov, 1, plen, ringid);
97031 return keyctl_instantiate_key_common(id, NULL, 0, 0, ringid);
97032 @@ -1137,7 +1137,7 @@ long keyctl_instantiate_key_iov(key_serial_t id,
97034 goto no_payload_free;
97036 - ret = keyctl_instantiate_key_common(id, iov, ioc, ret, ringid);
97037 + ret = keyctl_instantiate_key_common(id, (const struct iovec __force_user *)iov, ioc, ret, ringid);
97039 if (iov != iovstack)
97041 diff --git a/security/keys/keyring.c b/security/keys/keyring.c
97042 index 6ece7f2..ecdb55c 100644
97043 --- a/security/keys/keyring.c
97044 +++ b/security/keys/keyring.c
97045 @@ -227,16 +227,16 @@ static long keyring_read(const struct key *keyring,
97048 for (loop = 0; loop < klist->nkeys; loop++) {
97049 + key_serial_t serial;
97050 key = rcu_deref_link_locked(klist, loop,
97052 + serial = key->serial;
97054 tmp = sizeof(key_serial_t);
97058 - if (copy_to_user(buffer,
97061 + if (copy_to_user(buffer, &serial, tmp))
97065 diff --git a/security/min_addr.c b/security/min_addr.c
97066 index f728728..6457a0c 100644
97067 --- a/security/min_addr.c
97068 +++ b/security/min_addr.c
97069 @@ -14,6 +14,7 @@ unsigned long dac_mmap_min_addr = CONFIG_DEFAULT_MMAP_MIN_ADDR;
97071 static void update_mmap_min_addr(void)
97074 #ifdef CONFIG_LSM_MMAP_MIN_ADDR
97075 if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
97076 mmap_min_addr = dac_mmap_min_addr;
97077 @@ -22,6 +23,7 @@ static void update_mmap_min_addr(void)
97079 mmap_min_addr = dac_mmap_min_addr;
97085 diff --git a/security/security.c b/security/security.c
97086 index a3dce87..9ca1435 100644
97087 --- a/security/security.c
97088 +++ b/security/security.c
97090 #include <linux/ima.h>
97091 #include <linux/evm.h>
97092 #include <linux/fsnotify.h>
97093 +#include <linux/mm.h>
97094 #include <linux/mman.h>
97095 #include <linux/mount.h>
97096 #include <linux/personality.h>
97098 static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
97099 CONFIG_DEFAULT_SECURITY;
97101 -static struct security_operations *security_ops;
97102 -static struct security_operations default_security_ops = {
97103 +static struct security_operations *security_ops __read_only;
97104 +static struct security_operations default_security_ops __read_only = {
97108 @@ -74,7 +75,9 @@ int __init security_init(void)
97110 void reset_security_ops(void)
97112 + pax_open_kernel();
97113 security_ops = &default_security_ops;
97114 + pax_close_kernel();
97117 /* Save user chosen LSM */
97118 diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
97119 index 5c6f2cd..b4f945c 100644
97120 --- a/security/selinux/hooks.c
97121 +++ b/security/selinux/hooks.c
97124 #define NUM_SEL_MNT_OPTS 5
97126 -extern struct security_operations *security_ops;
97128 /* SECMARK reference count */
97129 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
97131 @@ -5529,7 +5527,7 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
97135 -static struct security_operations selinux_ops = {
97136 +static struct security_operations selinux_ops __read_only = {
97139 .ptrace_access_check = selinux_ptrace_access_check,
97140 diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
97141 index 65f67cb..3f141ef 100644
97142 --- a/security/selinux/include/xfrm.h
97143 +++ b/security/selinux/include/xfrm.h
97144 @@ -50,7 +50,7 @@ int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);
97146 static inline void selinux_xfrm_notify_policyload(void)
97148 - atomic_inc(&flow_cache_genid);
97149 + atomic_inc_unchecked(&flow_cache_genid);
97150 rt_genid_bump(&init_net);
97153 diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
97154 index d52c780..6431349 100644
97155 --- a/security/smack/smack_lsm.c
97156 +++ b/security/smack/smack_lsm.c
97157 @@ -3392,7 +3392,7 @@ static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
97161 -struct security_operations smack_ops = {
97162 +struct security_operations smack_ops __read_only = {
97165 .ptrace_access_check = smack_ptrace_access_check,
97166 diff --git a/security/tomoyo/mount.c b/security/tomoyo/mount.c
97167 index 390c646..f2f8db3 100644
97168 --- a/security/tomoyo/mount.c
97169 +++ b/security/tomoyo/mount.c
97170 @@ -118,6 +118,10 @@ static int tomoyo_mount_acl(struct tomoyo_request_info *r,
97171 type == tomoyo_mounts[TOMOYO_MOUNT_MOVE]) {
97172 need_dev = -1; /* dev_name is a directory */
97174 + if (!capable(CAP_SYS_ADMIN)) {
97178 fstype = get_fs_type(type);
97181 diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
97182 index f0b756e..b129202 100644
97183 --- a/security/tomoyo/tomoyo.c
97184 +++ b/security/tomoyo/tomoyo.c
97185 @@ -503,7 +503,7 @@ static int tomoyo_socket_sendmsg(struct socket *sock, struct msghdr *msg,
97186 * tomoyo_security_ops is a "struct security_operations" which is used for
97187 * registering TOMOYO.
97189 -static struct security_operations tomoyo_security_ops = {
97190 +static struct security_operations tomoyo_security_ops __read_only = {
97192 .cred_alloc_blank = tomoyo_cred_alloc_blank,
97193 .cred_prepare = tomoyo_cred_prepare,
97194 diff --git a/security/yama/Kconfig b/security/yama/Kconfig
97195 index 20ef514..4182bed 100644
97196 --- a/security/yama/Kconfig
97197 +++ b/security/yama/Kconfig
97199 config SECURITY_YAMA
97200 bool "Yama support"
97201 - depends on SECURITY
97202 + depends on SECURITY && !GRKERNSEC
97204 select SECURITY_PATH
97206 diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
97207 index 13c88fbc..f8c115e 100644
97208 --- a/security/yama/yama_lsm.c
97209 +++ b/security/yama/yama_lsm.c
97210 @@ -365,7 +365,7 @@ int yama_ptrace_traceme(struct task_struct *parent)
97213 #ifndef CONFIG_SECURITY_YAMA_STACKED
97214 -static struct security_operations yama_ops = {
97215 +static struct security_operations yama_ops __read_only = {
97218 .ptrace_access_check = yama_ptrace_access_check,
97219 @@ -376,28 +376,24 @@ static struct security_operations yama_ops = {
97222 #ifdef CONFIG_SYSCTL
97223 +static int zero __read_only;
97224 +static int max_scope __read_only = YAMA_SCOPE_NO_ATTACH;
97226 static int yama_dointvec_minmax(struct ctl_table *table, int write,
97227 void __user *buffer, size_t *lenp, loff_t *ppos)
97230 + ctl_table_no_const yama_table;
97232 if (write && !capable(CAP_SYS_PTRACE))
97235 - rc = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
97239 + yama_table = *table;
97240 /* Lock the max value if it ever gets set. */
97241 - if (write && *(int *)table->data == *(int *)table->extra2)
97242 - table->extra1 = table->extra2;
97245 + if (ptrace_scope == max_scope)
97246 + yama_table.extra1 = &max_scope;
97247 + return proc_dointvec_minmax(&yama_table, write, buffer, lenp, ppos);
97251 -static int max_scope = YAMA_SCOPE_NO_ATTACH;
97253 struct ctl_path yama_sysctl_path[] = {
97254 { .procname = "kernel", },
97255 { .procname = "yama", },
97256 diff --git a/sound/aoa/codecs/onyx.c b/sound/aoa/codecs/onyx.c
97257 index 4cedc69..e59d8a3 100644
97258 --- a/sound/aoa/codecs/onyx.c
97259 +++ b/sound/aoa/codecs/onyx.c
97260 @@ -54,7 +54,7 @@ struct onyx {
97265 + local_t open_count;
97266 struct codec_info *codec_info;
97268 /* mutex serializes concurrent access to the device
97269 @@ -753,7 +753,7 @@ static int onyx_open(struct codec_info_item *cii,
97270 struct onyx *onyx = cii->codec_data;
97272 mutex_lock(&onyx->mutex);
97273 - onyx->open_count++;
97274 + local_inc(&onyx->open_count);
97275 mutex_unlock(&onyx->mutex);
97278 @@ -765,8 +765,7 @@ static int onyx_close(struct codec_info_item *cii,
97279 struct onyx *onyx = cii->codec_data;
97281 mutex_lock(&onyx->mutex);
97282 - onyx->open_count--;
97283 - if (!onyx->open_count)
97284 + if (local_dec_and_test(&onyx->open_count))
97285 onyx->spdif_locked = onyx->analog_locked = 0;
97286 mutex_unlock(&onyx->mutex);
97288 diff --git a/sound/aoa/codecs/onyx.h b/sound/aoa/codecs/onyx.h
97289 index ffd2025..df062c9 100644
97290 --- a/sound/aoa/codecs/onyx.h
97291 +++ b/sound/aoa/codecs/onyx.h
97293 #include <linux/i2c.h>
97294 #include <asm/pmac_low_i2c.h>
97295 #include <asm/prom.h>
97296 +#include <asm/local.h>
97298 /* PCM3052 register definitions */
97300 diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c
97301 index 4c1cc51..16040040 100644
97302 --- a/sound/core/oss/pcm_oss.c
97303 +++ b/sound/core/oss/pcm_oss.c
97304 @@ -1189,10 +1189,10 @@ snd_pcm_sframes_t snd_pcm_oss_write3(struct snd_pcm_substream *substream, const
97307 fs = snd_enter_user();
97308 - ret = snd_pcm_lib_write(substream, (void __force __user *)ptr, frames);
97309 + ret = snd_pcm_lib_write(substream, (void __force_user *)ptr, frames);
97310 snd_leave_user(fs);
97312 - ret = snd_pcm_lib_write(substream, (void __force __user *)ptr, frames);
97313 + ret = snd_pcm_lib_write(substream, (void __force_user *)ptr, frames);
97315 if (ret != -EPIPE && ret != -ESTRPIPE)
97317 @@ -1234,10 +1234,10 @@ snd_pcm_sframes_t snd_pcm_oss_read3(struct snd_pcm_substream *substream, char *p
97320 fs = snd_enter_user();
97321 - ret = snd_pcm_lib_read(substream, (void __force __user *)ptr, frames);
97322 + ret = snd_pcm_lib_read(substream, (void __force_user *)ptr, frames);
97323 snd_leave_user(fs);
97325 - ret = snd_pcm_lib_read(substream, (void __force __user *)ptr, frames);
97326 + ret = snd_pcm_lib_read(substream, (void __force_user *)ptr, frames);
97328 if (ret == -EPIPE) {
97329 if (runtime->status->state == SNDRV_PCM_STATE_DRAINING) {
97330 @@ -1337,7 +1337,7 @@ static ssize_t snd_pcm_oss_write2(struct snd_pcm_substream *substream, const cha
97331 struct snd_pcm_plugin_channel *channels;
97332 size_t oss_frame_bytes = (runtime->oss.plugin_first->src_width * runtime->oss.plugin_first->src_format.channels) / 8;
97334 - if (copy_from_user(runtime->oss.buffer, (const char __force __user *)buf, bytes))
97335 + if (copy_from_user(runtime->oss.buffer, (const char __force_user *)buf, bytes))
97337 buf = runtime->oss.buffer;
97339 @@ -1407,7 +1407,7 @@ static ssize_t snd_pcm_oss_write1(struct snd_pcm_substream *substream, const cha
97342 tmp = snd_pcm_oss_write2(substream,
97343 - (const char __force *)buf,
97344 + (const char __force_kernel *)buf,
97345 runtime->oss.period_bytes, 0);
97348 @@ -1433,7 +1433,7 @@ static ssize_t snd_pcm_oss_read2(struct snd_pcm_substream *substream, char *buf,
97349 struct snd_pcm_runtime *runtime = substream->runtime;
97350 snd_pcm_sframes_t frames, frames1;
97351 #ifdef CONFIG_SND_PCM_OSS_PLUGINS
97352 - char __user *final_dst = (char __force __user *)buf;
97353 + char __user *final_dst = (char __force_user *)buf;
97354 if (runtime->oss.plugin_first) {
97355 struct snd_pcm_plugin_channel *channels;
97356 size_t oss_frame_bytes = (runtime->oss.plugin_last->dst_width * runtime->oss.plugin_last->dst_format.channels) / 8;
97357 @@ -1495,7 +1495,7 @@ static ssize_t snd_pcm_oss_read1(struct snd_pcm_substream *substream, char __use
97359 runtime->oss.buffer_used -= tmp;
97361 - tmp = snd_pcm_oss_read2(substream, (char __force *)buf,
97362 + tmp = snd_pcm_oss_read2(substream, (char __force_kernel *)buf,
97363 runtime->oss.period_bytes, 0);
97366 @@ -1663,7 +1663,7 @@ static int snd_pcm_oss_sync(struct snd_pcm_oss_file *pcm_oss_file)
97368 size1 /= runtime->channels; /* frames */
97369 fs = snd_enter_user();
97370 - snd_pcm_lib_write(substream, (void __force __user *)runtime->oss.buffer, size1);
97371 + snd_pcm_lib_write(substream, (void __force_user *)runtime->oss.buffer, size1);
97372 snd_leave_user(fs);
97374 } else if (runtime->access == SNDRV_PCM_ACCESS_RW_NONINTERLEAVED) {
97375 diff --git a/sound/core/pcm_compat.c b/sound/core/pcm_compat.c
97376 index af49721..e85058e 100644
97377 --- a/sound/core/pcm_compat.c
97378 +++ b/sound/core/pcm_compat.c
97379 @@ -31,7 +31,7 @@ static int snd_pcm_ioctl_delay_compat(struct snd_pcm_substream *substream,
97382 fs = snd_enter_user();
97383 - err = snd_pcm_delay(substream, &delay);
97384 + err = snd_pcm_delay(substream, (snd_pcm_sframes_t __force_user *)&delay);
97385 snd_leave_user(fs);
97388 diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
97389 index f928181..33fb83d 100644
97390 --- a/sound/core/pcm_native.c
97391 +++ b/sound/core/pcm_native.c
97392 @@ -2819,11 +2819,11 @@ int snd_pcm_kernel_ioctl(struct snd_pcm_substream *substream,
97393 switch (substream->stream) {
97394 case SNDRV_PCM_STREAM_PLAYBACK:
97395 result = snd_pcm_playback_ioctl1(NULL, substream, cmd,
97396 - (void __user *)arg);
97397 + (void __force_user *)arg);
97399 case SNDRV_PCM_STREAM_CAPTURE:
97400 result = snd_pcm_capture_ioctl1(NULL, substream, cmd,
97401 - (void __user *)arg);
97402 + (void __force_user *)arg);
97406 diff --git a/sound/core/seq/seq_device.c b/sound/core/seq/seq_device.c
97407 index 040c60e..989a19a 100644
97408 --- a/sound/core/seq/seq_device.c
97409 +++ b/sound/core/seq/seq_device.c
97410 @@ -64,7 +64,7 @@ struct ops_list {
97411 int argsize; /* argument size */
97414 - struct snd_seq_dev_ops ops;
97415 + struct snd_seq_dev_ops *ops;
97417 /* registered devices */
97418 struct list_head dev_list; /* list of devices */
97419 @@ -333,7 +333,7 @@ int snd_seq_device_register_driver(char *id, struct snd_seq_dev_ops *entry,
97421 mutex_lock(&ops->reg_mutex);
97422 /* copy driver operators */
97423 - ops->ops = *entry;
97424 + ops->ops = entry;
97425 ops->driver |= DRIVER_LOADED;
97426 ops->argsize = argsize;
97428 @@ -463,7 +463,7 @@ static int init_device(struct snd_seq_device *dev, struct ops_list *ops)
97429 dev->name, ops->id, ops->argsize, dev->argsize);
97432 - if (ops->ops.init_device(dev) >= 0) {
97433 + if (ops->ops->init_device(dev) >= 0) {
97434 dev->status = SNDRV_SEQ_DEVICE_REGISTERED;
97435 ops->num_init_devices++;
97437 @@ -490,7 +490,7 @@ static int free_device(struct snd_seq_device *dev, struct ops_list *ops)
97438 dev->name, ops->id, ops->argsize, dev->argsize);
97441 - if ((result = ops->ops.free_device(dev)) >= 0 || result == -ENXIO) {
97442 + if ((result = ops->ops->free_device(dev)) >= 0 || result == -ENXIO) {
97443 dev->status = SNDRV_SEQ_DEVICE_FREE;
97444 dev->driver_data = NULL;
97445 ops->num_init_devices--;
97446 diff --git a/sound/core/sound.c b/sound/core/sound.c
97447 index f002bd9..c462985 100644
97448 --- a/sound/core/sound.c
97449 +++ b/sound/core/sound.c
97450 @@ -86,7 +86,7 @@ static void snd_request_other(int minor)
97451 case SNDRV_MINOR_TIMER: str = "snd-timer"; break;
97454 - request_module(str);
97455 + request_module("%s", str);
97458 #endif /* modular kernel */
97459 diff --git a/sound/drivers/mts64.c b/sound/drivers/mts64.c
97460 index 4e0dd22..7a1f32c 100644
97461 --- a/sound/drivers/mts64.c
97462 +++ b/sound/drivers/mts64.c
97464 #include <sound/initval.h>
97465 #include <sound/rawmidi.h>
97466 #include <sound/control.h>
97467 +#include <asm/local.h>
97469 #define CARD_NAME "Miditerminal 4140"
97470 #define DRIVER_NAME "MTS64"
97471 @@ -67,7 +68,7 @@ struct mts64 {
97472 struct pardevice *pardev;
97473 int pardev_claimed;
97476 + local_t open_count;
97477 int current_midi_output_port;
97478 int current_midi_input_port;
97479 u8 mode[MTS64_NUM_INPUT_PORTS];
97480 @@ -697,7 +698,7 @@ static int snd_mts64_rawmidi_open(struct snd_rawmidi_substream *substream)
97482 struct mts64 *mts = substream->rmidi->private_data;
97484 - if (mts->open_count == 0) {
97485 + if (local_read(&mts->open_count) == 0) {
97486 /* We don't need a spinlock here, because this is just called
97487 if the device has not been opened before.
97488 So there aren't any IRQs from the device */
97489 @@ -705,7 +706,7 @@ static int snd_mts64_rawmidi_open(struct snd_rawmidi_substream *substream)
97493 - ++(mts->open_count);
97494 + local_inc(&mts->open_count);
97498 @@ -715,8 +716,7 @@ static int snd_mts64_rawmidi_close(struct snd_rawmidi_substream *substream)
97499 struct mts64 *mts = substream->rmidi->private_data;
97500 unsigned long flags;
97502 - --(mts->open_count);
97503 - if (mts->open_count == 0) {
97504 + if (local_dec_return(&mts->open_count) == 0) {
97505 /* We need the spinlock_irqsave here because we can still
97506 have IRQs at this point */
97507 spin_lock_irqsave(&mts->lock, flags);
97508 @@ -725,8 +725,8 @@ static int snd_mts64_rawmidi_close(struct snd_rawmidi_substream *substream)
97512 - } else if (mts->open_count < 0)
97513 - mts->open_count = 0;
97514 + } else if (local_read(&mts->open_count) < 0)
97515 + local_set(&mts->open_count, 0);
97519 diff --git a/sound/drivers/opl4/opl4_lib.c b/sound/drivers/opl4/opl4_lib.c
97520 index b953fb4..1999c01 100644
97521 --- a/sound/drivers/opl4/opl4_lib.c
97522 +++ b/sound/drivers/opl4/opl4_lib.c
97523 @@ -29,7 +29,7 @@ MODULE_AUTHOR("Clemens Ladisch <clemens@ladisch.de>");
97524 MODULE_DESCRIPTION("OPL4 driver");
97525 MODULE_LICENSE("GPL");
97527 -static void inline snd_opl4_wait(struct snd_opl4 *opl4)
97528 +static inline void snd_opl4_wait(struct snd_opl4 *opl4)
97531 while ((inb(opl4->fm_port) & OPL4_STATUS_BUSY) && --timeout > 0)
97532 diff --git a/sound/drivers/portman2x4.c b/sound/drivers/portman2x4.c
97533 index 991018d..8984740 100644
97534 --- a/sound/drivers/portman2x4.c
97535 +++ b/sound/drivers/portman2x4.c
97537 #include <sound/initval.h>
97538 #include <sound/rawmidi.h>
97539 #include <sound/control.h>
97540 +#include <asm/local.h>
97542 #define CARD_NAME "Portman 2x4"
97543 #define DRIVER_NAME "portman"
97544 @@ -85,7 +86,7 @@ struct portman {
97545 struct pardevice *pardev;
97546 int pardev_claimed;
97549 + local_t open_count;
97550 int mode[PORTMAN_NUM_INPUT_PORTS];
97551 struct snd_rawmidi_substream *midi_input[PORTMAN_NUM_INPUT_PORTS];
97553 diff --git a/sound/firewire/amdtp.c b/sound/firewire/amdtp.c
97554 index ea995af..f1bfa37 100644
97555 --- a/sound/firewire/amdtp.c
97556 +++ b/sound/firewire/amdtp.c
97557 @@ -389,7 +389,7 @@ static void queue_out_packet(struct amdtp_out_stream *s, unsigned int cycle)
97558 ptr = s->pcm_buffer_pointer + data_blocks;
97559 if (ptr >= pcm->runtime->buffer_size)
97560 ptr -= pcm->runtime->buffer_size;
97561 - ACCESS_ONCE(s->pcm_buffer_pointer) = ptr;
97562 + ACCESS_ONCE_RW(s->pcm_buffer_pointer) = ptr;
97564 s->pcm_period_pointer += data_blocks;
97565 if (s->pcm_period_pointer >= pcm->runtime->period_size) {
97566 @@ -557,7 +557,7 @@ EXPORT_SYMBOL(amdtp_out_stream_pcm_pointer);
97568 void amdtp_out_stream_update(struct amdtp_out_stream *s)
97570 - ACCESS_ONCE(s->source_node_id_field) =
97571 + ACCESS_ONCE_RW(s->source_node_id_field) =
97572 (fw_parent_device(s->unit)->card->node_id & 0x3f) << 24;
97574 EXPORT_SYMBOL(amdtp_out_stream_update);
97575 diff --git a/sound/firewire/amdtp.h b/sound/firewire/amdtp.h
97576 index b680c5e..061b7a0 100644
97577 --- a/sound/firewire/amdtp.h
97578 +++ b/sound/firewire/amdtp.h
97579 @@ -139,7 +139,7 @@ static inline bool amdtp_out_streaming_error(struct amdtp_out_stream *s)
97580 static inline void amdtp_out_stream_pcm_trigger(struct amdtp_out_stream *s,
97581 struct snd_pcm_substream *pcm)
97583 - ACCESS_ONCE(s->pcm) = pcm;
97584 + ACCESS_ONCE_RW(s->pcm) = pcm;
97587 static inline bool cip_sfc_is_base_44100(enum cip_sfc sfc)
97588 diff --git a/sound/firewire/isight.c b/sound/firewire/isight.c
97589 index d428ffe..751ef78 100644
97590 --- a/sound/firewire/isight.c
97591 +++ b/sound/firewire/isight.c
97592 @@ -96,7 +96,7 @@ static void isight_update_pointers(struct isight *isight, unsigned int count)
97594 if (ptr >= runtime->buffer_size)
97595 ptr -= runtime->buffer_size;
97596 - ACCESS_ONCE(isight->buffer_pointer) = ptr;
97597 + ACCESS_ONCE_RW(isight->buffer_pointer) = ptr;
97599 isight->period_counter += count;
97600 if (isight->period_counter >= runtime->period_size) {
97601 @@ -307,7 +307,7 @@ static int isight_hw_params(struct snd_pcm_substream *substream,
97605 - ACCESS_ONCE(isight->pcm_active) = true;
97606 + ACCESS_ONCE_RW(isight->pcm_active) = true;
97610 @@ -340,7 +340,7 @@ static int isight_hw_free(struct snd_pcm_substream *substream)
97612 struct isight *isight = substream->private_data;
97614 - ACCESS_ONCE(isight->pcm_active) = false;
97615 + ACCESS_ONCE_RW(isight->pcm_active) = false;
97617 mutex_lock(&isight->mutex);
97618 isight_stop_streaming(isight);
97619 @@ -433,10 +433,10 @@ static int isight_trigger(struct snd_pcm_substream *substream, int cmd)
97622 case SNDRV_PCM_TRIGGER_START:
97623 - ACCESS_ONCE(isight->pcm_running) = true;
97624 + ACCESS_ONCE_RW(isight->pcm_running) = true;
97626 case SNDRV_PCM_TRIGGER_STOP:
97627 - ACCESS_ONCE(isight->pcm_running) = false;
97628 + ACCESS_ONCE_RW(isight->pcm_running) = false;
97632 diff --git a/sound/firewire/scs1x.c b/sound/firewire/scs1x.c
97633 index 844a555..985ab83 100644
97634 --- a/sound/firewire/scs1x.c
97635 +++ b/sound/firewire/scs1x.c
97636 @@ -74,7 +74,7 @@ static void scs_output_trigger(struct snd_rawmidi_substream *stream, int up)
97638 struct scs *scs = stream->rmidi->private_data;
97640 - ACCESS_ONCE(scs->output) = up ? stream : NULL;
97641 + ACCESS_ONCE_RW(scs->output) = up ? stream : NULL;
97643 scs->output_idle = false;
97644 tasklet_schedule(&scs->tasklet);
97645 @@ -257,7 +257,7 @@ static void scs_input_trigger(struct snd_rawmidi_substream *stream, int up)
97647 struct scs *scs = stream->rmidi->private_data;
97649 - ACCESS_ONCE(scs->input) = up ? stream : NULL;
97650 + ACCESS_ONCE_RW(scs->input) = up ? stream : NULL;
97653 static void scs_input_escaped_byte(struct snd_rawmidi_substream *stream,
97654 @@ -457,8 +457,8 @@ static int scs_remove(struct device *dev)
97656 snd_card_disconnect(scs->card);
97658 - ACCESS_ONCE(scs->output) = NULL;
97659 - ACCESS_ONCE(scs->input) = NULL;
97660 + ACCESS_ONCE_RW(scs->output) = NULL;
97661 + ACCESS_ONCE_RW(scs->input) = NULL;
97663 wait_event(scs->idle_wait, scs->output_idle);
97665 diff --git a/sound/oss/sb_audio.c b/sound/oss/sb_audio.c
97666 index 048439a..3be9f6f 100644
97667 --- a/sound/oss/sb_audio.c
97668 +++ b/sound/oss/sb_audio.c
97669 @@ -904,7 +904,7 @@ sb16_copy_from_user(int dev,
97670 buf16 = (signed short *)(localbuf + localoffs);
97673 - locallen = (c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
97674 + locallen = ((unsigned)c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
97675 if (copy_from_user(lbuf8,
97676 userbuf+useroffs + p,
97678 diff --git a/sound/oss/swarm_cs4297a.c b/sound/oss/swarm_cs4297a.c
97679 index 7d8803a..559f8d0 100644
97680 --- a/sound/oss/swarm_cs4297a.c
97681 +++ b/sound/oss/swarm_cs4297a.c
97682 @@ -2621,7 +2621,6 @@ static int __init cs4297a_init(void)
97684 struct cs4297a_state *s;
97688 #ifndef CONFIG_BCM_CS4297A_CSWARM
97690 @@ -2711,22 +2710,23 @@ static int __init cs4297a_init(void)
97692 char *sb1250_duart_present;
97699 val = SOUND_MASK_LINE;
97700 mixer_ioctl(s, SOUND_MIXER_WRITE_RECSRC, (unsigned long) &val);
97701 for (i = 0; i < ARRAY_SIZE(initvol); i++) {
97702 val = initvol[i].vol;
97703 mixer_ioctl(s, initvol[i].mixch, (unsigned long) &val);
97706 // cs4297a_write_ac97(s, 0x18, 0x0808);
97708 // cs4297a_write_ac97(s, 0x5e, 0x180);
97709 cs4297a_write_ac97(s, 0x02, 0x0808);
97710 cs4297a_write_ac97(s, 0x18, 0x0808);
97714 list_add(&s->list, &cs4297a_devs);
97716 diff --git a/sound/pci/ymfpci/ymfpci.h b/sound/pci/ymfpci/ymfpci.h
97717 index 4631a23..001ae57 100644
97718 --- a/sound/pci/ymfpci/ymfpci.h
97719 +++ b/sound/pci/ymfpci/ymfpci.h
97720 @@ -358,7 +358,7 @@ struct snd_ymfpci {
97721 spinlock_t reg_lock;
97722 spinlock_t voice_lock;
97723 wait_queue_head_t interrupt_sleep;
97724 - atomic_t interrupt_sleep_count;
97725 + atomic_unchecked_t interrupt_sleep_count;
97726 struct snd_info_entry *proc_entry;
97727 const struct firmware *dsp_microcode;
97728 const struct firmware *controller_microcode;
97729 diff --git a/sound/pci/ymfpci/ymfpci_main.c b/sound/pci/ymfpci/ymfpci_main.c
97730 index 22056c5..25d3244 100644
97731 --- a/sound/pci/ymfpci/ymfpci_main.c
97732 +++ b/sound/pci/ymfpci/ymfpci_main.c
97733 @@ -202,8 +202,8 @@ static void snd_ymfpci_hw_stop(struct snd_ymfpci *chip)
97734 if ((snd_ymfpci_readl(chip, YDSXGR_STATUS) & 2) == 0)
97737 - if (atomic_read(&chip->interrupt_sleep_count)) {
97738 - atomic_set(&chip->interrupt_sleep_count, 0);
97739 + if (atomic_read_unchecked(&chip->interrupt_sleep_count)) {
97740 + atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
97741 wake_up(&chip->interrupt_sleep);
97744 @@ -787,7 +787,7 @@ static void snd_ymfpci_irq_wait(struct snd_ymfpci *chip)
97746 init_waitqueue_entry(&wait, current);
97747 add_wait_queue(&chip->interrupt_sleep, &wait);
97748 - atomic_inc(&chip->interrupt_sleep_count);
97749 + atomic_inc_unchecked(&chip->interrupt_sleep_count);
97750 schedule_timeout_uninterruptible(msecs_to_jiffies(50));
97751 remove_wait_queue(&chip->interrupt_sleep, &wait);
97753 @@ -825,8 +825,8 @@ static irqreturn_t snd_ymfpci_interrupt(int irq, void *dev_id)
97754 snd_ymfpci_writel(chip, YDSXGR_MODE, mode);
97755 spin_unlock(&chip->reg_lock);
97757 - if (atomic_read(&chip->interrupt_sleep_count)) {
97758 - atomic_set(&chip->interrupt_sleep_count, 0);
97759 + if (atomic_read_unchecked(&chip->interrupt_sleep_count)) {
97760 + atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
97761 wake_up(&chip->interrupt_sleep);
97764 @@ -2421,7 +2421,7 @@ int snd_ymfpci_create(struct snd_card *card,
97765 spin_lock_init(&chip->reg_lock);
97766 spin_lock_init(&chip->voice_lock);
97767 init_waitqueue_head(&chip->interrupt_sleep);
97768 - atomic_set(&chip->interrupt_sleep_count, 0);
97769 + atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
97773 diff --git a/sound/soc/fsl/fsl_ssi.c b/sound/soc/fsl/fsl_ssi.c
97774 index 0f0bed6..c161e28 100644
97775 --- a/sound/soc/fsl/fsl_ssi.c
97776 +++ b/sound/soc/fsl/fsl_ssi.c
97777 @@ -657,7 +657,7 @@ static int fsl_ssi_probe(struct platform_device *pdev)
97779 struct fsl_ssi_private *ssi_private;
97781 - struct device_attribute *dev_attr = NULL;
97782 + device_attribute_no_const *dev_attr = NULL;
97783 struct device_node *np = pdev->dev.of_node;
97784 const char *p, *sprop;
97785 const uint32_t *iprop;
97786 diff --git a/sound/sound_core.c b/sound/sound_core.c
97787 index 359753f..45759f4 100644
97788 --- a/sound/sound_core.c
97789 +++ b/sound/sound_core.c
97790 @@ -292,7 +292,7 @@ retry:
97793 device_create(sound_class, dev, MKDEV(SOUND_MAJOR, s->unit_minor),
97794 - NULL, s->name+6);
97795 + NULL, "%s", s->name+6);
97796 return s->unit_minor;
97799 diff --git a/tools/gcc/.gitignore b/tools/gcc/.gitignore
97800 new file mode 100644
97801 index 0000000..50f2f2f
97803 +++ b/tools/gcc/.gitignore
97805 +size_overflow_hash.h
97806 diff --git a/tools/gcc/Makefile b/tools/gcc/Makefile
97807 new file mode 100644
97808 index 0000000..144dbee
97810 +++ b/tools/gcc/Makefile
97813 +#PLUGIN_SOURCE_FILES := pax_plugin.c
97814 +#PLUGIN_OBJECT_FILES := $(patsubst %.c,%.o,$(PLUGIN_SOURCE_FILES))
97815 +GCCPLUGINS_DIR := $(shell $(CC) -print-file-name=plugin)
97816 +#CFLAGS += -I$(GCCPLUGINS_DIR)/include -fPIC -O2 -Wall -W -std=gnu99
97818 +ifeq ($(PLUGINCC),$(HOSTCC))
97819 +HOSTLIBS := hostlibs
97820 +HOST_EXTRACFLAGS += -I$(GCCPLUGINS_DIR)/include -std=gnu99 -ggdb
97822 +HOSTLIBS := hostcxxlibs
97823 +HOST_EXTRACXXFLAGS += -I$(GCCPLUGINS_DIR)/include -std=gnu++98 -ggdb -Wno-unused-parameter
97826 +$(HOSTLIBS)-$(CONFIG_PAX_CONSTIFY_PLUGIN) := constify_plugin.so
97827 +$(HOSTLIBS)-$(CONFIG_PAX_MEMORY_STACKLEAK) += stackleak_plugin.so
97828 +$(HOSTLIBS)-$(CONFIG_KALLOCSTAT_PLUGIN) += kallocstat_plugin.so
97829 +$(HOSTLIBS)-$(CONFIG_PAX_KERNEXEC_PLUGIN) += kernexec_plugin.so
97830 +$(HOSTLIBS)-$(CONFIG_CHECKER_PLUGIN) += checker_plugin.so
97831 +$(HOSTLIBS)-y += colorize_plugin.so
97832 +$(HOSTLIBS)-$(CONFIG_PAX_SIZE_OVERFLOW) += size_overflow_plugin.so
97833 +$(HOSTLIBS)-$(CONFIG_PAX_LATENT_ENTROPY) += latent_entropy_plugin.so
97834 +$(HOSTLIBS)-$(CONFIG_PAX_MEMORY_STRUCTLEAK) += structleak_plugin.so
97836 +always := $($(HOSTLIBS)-y)
97838 +constify_plugin-objs := constify_plugin.o
97839 +stackleak_plugin-objs := stackleak_plugin.o
97840 +kallocstat_plugin-objs := kallocstat_plugin.o
97841 +kernexec_plugin-objs := kernexec_plugin.o
97842 +checker_plugin-objs := checker_plugin.o
97843 +colorize_plugin-objs := colorize_plugin.o
97844 +size_overflow_plugin-objs := size_overflow_plugin.o
97845 +latent_entropy_plugin-objs := latent_entropy_plugin.o
97846 +structleak_plugin-objs := structleak_plugin.o
97848 +$(obj)/size_overflow_plugin.o: $(objtree)/$(obj)/size_overflow_hash.h
97850 +quiet_cmd_build_size_overflow_hash = GENHASH $@
97851 + cmd_build_size_overflow_hash = \
97852 + $(CONFIG_SHELL) $(srctree)/$(src)/generate_size_overflow_hash.sh -d $< -o $@
97853 +$(objtree)/$(obj)/size_overflow_hash.h: $(src)/size_overflow_hash.data FORCE
97854 + $(call if_changed,build_size_overflow_hash)
97856 +targets += size_overflow_hash.h
97857 diff --git a/tools/gcc/checker_plugin.c b/tools/gcc/checker_plugin.c
97858 new file mode 100644
97859 index 0000000..22f03c0
97861 +++ b/tools/gcc/checker_plugin.c
97864 + * Copyright 2011 by the PaX Team <pageexec@freemail.hu>
97865 + * Licensed under the GPL v2
97867 + * Note: the choice of the license means that the compilation process is
97868 + * NOT 'eligible' as defined by gcc's library exception to the GPL v3,
97869 + * but for the kernel it doesn't matter since it doesn't link against
97870 + * any of the gcc libraries
97872 + * gcc plugin to implement various sparse (source code checker) features
97875 + * - define separate __iomem, __percpu and __rcu address spaces (lots of code to patch)
97880 +#include "gcc-plugin.h"
97881 +#include "config.h"
97882 +#include "system.h"
97883 +#include "coretypes.h"
97885 +#include "tree-pass.h"
97886 +#include "flags.h"
97888 +#include "toplev.h"
97889 +#include "plugin.h"
97890 +//#include "expr.h" where are you...
97891 +#include "diagnostic.h"
97892 +#include "plugin-version.h"
97894 +#include "function.h"
97895 +#include "basic-block.h"
97896 +#include "gimple.h"
97898 +#include "emit-rtl.h"
97899 +#include "tree-flow.h"
97900 +#include "target.h"
97902 +extern void c_register_addr_space (const char *str, addr_space_t as);
97903 +extern enum machine_mode default_addr_space_pointer_mode (addr_space_t);
97904 +extern enum machine_mode default_addr_space_address_mode (addr_space_t);
97905 +extern bool default_addr_space_valid_pointer_mode(enum machine_mode mode, addr_space_t as);
97906 +extern bool default_addr_space_legitimate_address_p(enum machine_mode mode, rtx mem, bool strict, addr_space_t as);
97907 +extern rtx default_addr_space_legitimize_address(rtx x, rtx oldx, enum machine_mode mode, addr_space_t as);
97909 +extern void print_gimple_stmt(FILE *, gimple, int, int);
97910 +extern rtx emit_move_insn(rtx x, rtx y);
97912 +int plugin_is_GPL_compatible;
97914 +static struct plugin_info checker_plugin_info = {
97915 + .version = "201111150100",
97919 +#define ADDR_SPACE_KERNEL 0
97920 +#define ADDR_SPACE_FORCE_KERNEL 1
97921 +#define ADDR_SPACE_USER 2
97922 +#define ADDR_SPACE_FORCE_USER 3
97923 +#define ADDR_SPACE_IOMEM 0
97924 +#define ADDR_SPACE_FORCE_IOMEM 0
97925 +#define ADDR_SPACE_PERCPU 0
97926 +#define ADDR_SPACE_FORCE_PERCPU 0
97927 +#define ADDR_SPACE_RCU 0
97928 +#define ADDR_SPACE_FORCE_RCU 0
97930 +static enum machine_mode checker_addr_space_pointer_mode(addr_space_t addrspace)
97932 + return default_addr_space_pointer_mode(ADDR_SPACE_GENERIC);
97935 +static enum machine_mode checker_addr_space_address_mode(addr_space_t addrspace)
97937 + return default_addr_space_address_mode(ADDR_SPACE_GENERIC);
97940 +static bool checker_addr_space_valid_pointer_mode(enum machine_mode mode, addr_space_t as)
97942 + return default_addr_space_valid_pointer_mode(mode, as);
97945 +static bool checker_addr_space_legitimate_address_p(enum machine_mode mode, rtx mem, bool strict, addr_space_t as)
97947 + return default_addr_space_legitimate_address_p(mode, mem, strict, ADDR_SPACE_GENERIC);
97950 +static rtx checker_addr_space_legitimize_address(rtx x, rtx oldx, enum machine_mode mode, addr_space_t as)
97952 + return default_addr_space_legitimize_address(x, oldx, mode, as);
97955 +static bool checker_addr_space_subset_p(addr_space_t subset, addr_space_t superset)
97957 + if (subset == ADDR_SPACE_FORCE_KERNEL && superset == ADDR_SPACE_KERNEL)
97960 + if (subset == ADDR_SPACE_FORCE_USER && superset == ADDR_SPACE_USER)
97963 + if (subset == ADDR_SPACE_FORCE_IOMEM && superset == ADDR_SPACE_IOMEM)
97966 + if (subset == ADDR_SPACE_KERNEL && superset == ADDR_SPACE_FORCE_USER)
97969 + if (subset == ADDR_SPACE_KERNEL && superset == ADDR_SPACE_FORCE_IOMEM)
97972 + if (subset == ADDR_SPACE_USER && superset == ADDR_SPACE_FORCE_KERNEL)
97975 + if (subset == ADDR_SPACE_IOMEM && superset == ADDR_SPACE_FORCE_KERNEL)
97978 + return subset == superset;
97981 +static rtx checker_addr_space_convert(rtx op, tree from_type, tree to_type)
97983 +// addr_space_t from_as = TYPE_ADDR_SPACE(TREE_TYPE(from_type));
97984 +// addr_space_t to_as = TYPE_ADDR_SPACE(TREE_TYPE(to_type));
97989 +static void register_checker_address_spaces(void *event_data, void *data)
97991 + c_register_addr_space("__kernel", ADDR_SPACE_KERNEL);
97992 + c_register_addr_space("__force_kernel", ADDR_SPACE_FORCE_KERNEL);
97993 + c_register_addr_space("__user", ADDR_SPACE_USER);
97994 + c_register_addr_space("__force_user", ADDR_SPACE_FORCE_USER);
97995 +// c_register_addr_space("__iomem", ADDR_SPACE_IOMEM);
97996 +// c_register_addr_space("__force_iomem", ADDR_SPACE_FORCE_IOMEM);
97997 +// c_register_addr_space("__percpu", ADDR_SPACE_PERCPU);
97998 +// c_register_addr_space("__force_percpu", ADDR_SPACE_FORCE_PERCPU);
97999 +// c_register_addr_space("__rcu", ADDR_SPACE_RCU);
98000 +// c_register_addr_space("__force_rcu", ADDR_SPACE_FORCE_RCU);
98002 + targetm.addr_space.pointer_mode = checker_addr_space_pointer_mode;
98003 + targetm.addr_space.address_mode = checker_addr_space_address_mode;
98004 + targetm.addr_space.valid_pointer_mode = checker_addr_space_valid_pointer_mode;
98005 + targetm.addr_space.legitimate_address_p = checker_addr_space_legitimate_address_p;
98006 +// targetm.addr_space.legitimize_address = checker_addr_space_legitimize_address;
98007 + targetm.addr_space.subset_p = checker_addr_space_subset_p;
98008 + targetm.addr_space.convert = checker_addr_space_convert;
98011 +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
98013 + const char * const plugin_name = plugin_info->base_name;
98014 + const int argc = plugin_info->argc;
98015 + const struct plugin_argument * const argv = plugin_info->argv;
98018 + if (!plugin_default_version_check(version, &gcc_version)) {
98019 + error(G_("incompatible gcc/plugin versions"));
98023 + register_callback(plugin_name, PLUGIN_INFO, NULL, &checker_plugin_info);
98025 + for (i = 0; i < argc; ++i)
98026 + error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
98028 + if (TARGET_64BIT == 0)
98031 + register_callback(plugin_name, PLUGIN_PRAGMAS, register_checker_address_spaces, NULL);
98035 diff --git a/tools/gcc/colorize_plugin.c b/tools/gcc/colorize_plugin.c
98036 new file mode 100644
98037 index 0000000..414fe5e
98039 +++ b/tools/gcc/colorize_plugin.c
98042 + * Copyright 2012-2013 by PaX Team <pageexec@freemail.hu>
98043 + * Licensed under the GPL v2
98045 + * Note: the choice of the license means that the compilation process is
98046 + * NOT 'eligible' as defined by gcc's library exception to the GPL v3,
98047 + * but for the kernel it doesn't matter since it doesn't link against
98048 + * any of the gcc libraries
98050 + * gcc plugin to colorize diagnostic output
98054 +#include "gcc-plugin.h"
98055 +#include "config.h"
98056 +#include "system.h"
98057 +#include "coretypes.h"
98059 +#include "tree-pass.h"
98060 +#include "flags.h"
98062 +#include "toplev.h"
98063 +#include "plugin.h"
98064 +#include "diagnostic.h"
98065 +#include "plugin-version.h"
98068 +int plugin_is_GPL_compatible;
98070 +static struct plugin_info colorize_plugin_info = {
98071 + .version = "201302112000",
98075 +#define GREEN "\033[32m\033[2m"
98076 +#define LIGHTGREEN "\033[32m\033[1m"
98077 +#define YELLOW "\033[33m\033[2m"
98078 +#define LIGHTYELLOW "\033[33m\033[1m"
98079 +#define RED "\033[31m\033[2m"
98080 +#define LIGHTRED "\033[31m\033[1m"
98081 +#define BLUE "\033[34m\033[2m"
98082 +#define LIGHTBLUE "\033[34m\033[1m"
98083 +#define BRIGHT "\033[m\033[1m"
98084 +#define NORMAL "\033[m"
98086 +static diagnostic_starter_fn old_starter;
98087 +static diagnostic_finalizer_fn old_finalizer;
98089 +static void start_colorize(diagnostic_context *context, diagnostic_info *diagnostic)
98091 + const char *color;
98094 + switch (diagnostic->kind) {
98096 + color = LIGHTBLUE;
98101 + color = LIGHTYELLOW;
98107 + case DK_PERMERROR:
98109 + color = LIGHTRED;
98116 + old_starter(context, diagnostic);
98117 + if (-1 == asprintf(&newprefix, "%s%s" NORMAL, color, context->printer->prefix))
98119 + pp_destroy_prefix(context->printer);
98120 + pp_set_prefix(context->printer, newprefix);
98123 +static void finalize_colorize(diagnostic_context *context, diagnostic_info *diagnostic)
98125 + old_finalizer(context, diagnostic);
98128 +static void colorize_arm(void)
98130 + old_starter = diagnostic_starter(global_dc);
98131 + old_finalizer = diagnostic_finalizer(global_dc);
98133 + diagnostic_starter(global_dc) = start_colorize;
98134 + diagnostic_finalizer(global_dc) = finalize_colorize;
98137 +static unsigned int execute_colorize_rearm(void)
98139 + if (diagnostic_starter(global_dc) == start_colorize)
98146 +struct simple_ipa_opt_pass pass_ipa_colorize_rearm = {
98148 + .type = SIMPLE_IPA_PASS,
98149 + .name = "colorize_rearm",
98150 +#if BUILDING_GCC_VERSION >= 4008
98151 + .optinfo_flags = OPTGROUP_NONE,
98154 + .execute = execute_colorize_rearm,
98157 + .static_pass_number = 0,
98158 + .tv_id = TV_NONE,
98159 + .properties_required = 0,
98160 + .properties_provided = 0,
98161 + .properties_destroyed = 0,
98162 + .todo_flags_start = 0,
98163 + .todo_flags_finish = 0
98167 +static void colorize_start_unit(void *gcc_data, void *user_data)
98172 +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
98174 + const char * const plugin_name = plugin_info->base_name;
98175 + struct register_pass_info colorize_rearm_pass_info = {
98176 + .pass = &pass_ipa_colorize_rearm.pass,
98177 + .reference_pass_name = "*free_lang_data",
98178 + .ref_pass_instance_number = 1,
98179 + .pos_op = PASS_POS_INSERT_AFTER
98182 + if (!plugin_default_version_check(version, &gcc_version)) {
98183 + error(G_("incompatible gcc/plugin versions"));
98187 + register_callback(plugin_name, PLUGIN_INFO, NULL, &colorize_plugin_info);
98188 + register_callback(plugin_name, PLUGIN_START_UNIT, &colorize_start_unit, NULL);
98189 + register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &colorize_rearm_pass_info);
98192 diff --git a/tools/gcc/constify_plugin.c b/tools/gcc/constify_plugin.c
98193 new file mode 100644
98194 index 0000000..c17312d
98196 +++ b/tools/gcc/constify_plugin.c
98199 + * Copyright 2011 by Emese Revfy <re.emese@gmail.com>
98200 + * Copyright 2011-2013 by PaX Team <pageexec@freemail.hu>
98201 + * Licensed under the GPL v2, or (at your option) v3
98203 + * This gcc plugin constifies all structures which contain only function pointers or are explicitly marked for constification.
98206 + * http://www.grsecurity.net/~ephox/const_plugin/
98209 + * $ gcc -I`gcc -print-file-name=plugin`/include -fPIC -shared -O2 -o constify_plugin.so constify_plugin.c
98210 + * $ gcc -fplugin=constify_plugin.so test.c -O2
98213 +#include "gcc-plugin.h"
98214 +#include "config.h"
98215 +#include "system.h"
98216 +#include "coretypes.h"
98218 +#include "tree-pass.h"
98219 +#include "flags.h"
98221 +#include "toplev.h"
98222 +#include "plugin.h"
98223 +#include "diagnostic.h"
98224 +#include "plugin-version.h"
98226 +#include "function.h"
98227 +#include "basic-block.h"
98228 +#include "gimple.h"
98230 +#include "emit-rtl.h"
98231 +#include "tree-flow.h"
98232 +#include "target.h"
98233 +#include "langhooks.h"
98235 +// should come from c-tree.h if only it were installed for gcc 4.5...
98236 +#define C_TYPE_FIELDS_READONLY(TYPE) TREE_LANG_FLAG_1(TYPE)
98238 +// unused type flag in all versions 4.5-4.8
98239 +#define TYPE_CONSTIFY_VISITED(TYPE) TYPE_LANG_FLAG_4(TYPE)
98241 +int plugin_is_GPL_compatible;
98243 +static struct plugin_info const_plugin_info = {
98244 + .version = "201305231310",
98245 + .help = "no-constify\tturn off constification\n",
98249 + bool has_fptr_field;
98250 + bool has_writable_field;
98251 + bool has_do_const_field;
98252 + bool has_no_const_field;
98255 +static const_tree get_field_type(const_tree field)
98257 + return strip_array_types(TREE_TYPE(field));
98260 +static bool is_fptr(const_tree field)
98262 + const_tree ptr = get_field_type(field);
98264 + if (TREE_CODE(ptr) != POINTER_TYPE)
98267 + return TREE_CODE(TREE_TYPE(ptr)) == FUNCTION_TYPE;
98271 + * determine whether the given structure type meets the requirements for automatic constification,
98272 + * including the constification attributes on nested structure types
98274 +static void constifiable(const_tree node, constify_info *cinfo)
98276 + const_tree field;
98278 + gcc_assert(TREE_CODE(node) == RECORD_TYPE || TREE_CODE(node) == UNION_TYPE);
98280 + // e.g., pointer to structure fields while still constructing the structure type
98281 + if (TYPE_FIELDS(node) == NULL_TREE)
98284 + for (field = TYPE_FIELDS(node); field; field = TREE_CHAIN(field)) {
98285 + const_tree type = get_field_type(field);
98286 + enum tree_code code = TREE_CODE(type);
98288 + if (node == type)
98291 + if (is_fptr(field))
98292 + cinfo->has_fptr_field = true;
98293 + else if (!TREE_READONLY(field))
98294 + cinfo->has_writable_field = true;
98296 + if (code == RECORD_TYPE || code == UNION_TYPE) {
98297 + if (lookup_attribute("do_const", TYPE_ATTRIBUTES(type)))
98298 + cinfo->has_do_const_field = true;
98299 + else if (lookup_attribute("no_const", TYPE_ATTRIBUTES(type)))
98300 + cinfo->has_no_const_field = true;
98302 + constifiable(type, cinfo);
98307 +static bool constified(const_tree node)
98309 + constify_info cinfo = {
98310 + .has_fptr_field = false,
98311 + .has_writable_field = false,
98312 + .has_do_const_field = false,
98313 + .has_no_const_field = false
98316 + gcc_assert(TREE_CODE(node) == RECORD_TYPE || TREE_CODE(node) == UNION_TYPE);
98318 + if (lookup_attribute("no_const", TYPE_ATTRIBUTES(node))) {
98319 + gcc_assert(!TYPE_READONLY(node));
98323 + if (lookup_attribute("do_const", TYPE_ATTRIBUTES(node))) {
98324 + gcc_assert(TYPE_READONLY(node));
98328 + constifiable(node, &cinfo);
98329 + if ((!cinfo.has_fptr_field || cinfo.has_writable_field) && !cinfo.has_do_const_field)
98332 + return TYPE_READONLY(node);
98335 +static void deconstify_tree(tree node);
98337 +static void deconstify_type(tree type)
98341 + gcc_assert(TREE_CODE(type) == RECORD_TYPE || TREE_CODE(type) == UNION_TYPE);
98343 + for (field = TYPE_FIELDS(type); field; field = TREE_CHAIN(field)) {
98344 + const_tree fieldtype = get_field_type(field);
98346 + // special case handling of simple ptr-to-same-array-type members
98347 + if (TREE_CODE(TREE_TYPE(field)) == POINTER_TYPE) {
98348 + const_tree ptrtype = TREE_TYPE(TREE_TYPE(field));
98350 + if (TREE_CODE(ptrtype) != RECORD_TYPE && TREE_CODE(ptrtype) != UNION_TYPE)
98352 + if (TREE_TYPE(TREE_TYPE(field)) == type)
98354 + if (TYPE_MAIN_VARIANT(ptrtype) == TYPE_MAIN_VARIANT(type)) {
98355 + TREE_TYPE(field) = copy_node(TREE_TYPE(field));
98356 + TREE_TYPE(TREE_TYPE(field)) = type;
98360 + if (TREE_CODE(fieldtype) != RECORD_TYPE && TREE_CODE(fieldtype) != UNION_TYPE)
98362 + if (!constified(fieldtype))
98365 + deconstify_tree(field);
98366 + TREE_READONLY(field) = 0;
98368 + TYPE_READONLY(type) = 0;
98369 + C_TYPE_FIELDS_READONLY(type) = 0;
98370 + if (lookup_attribute("do_const", TYPE_ATTRIBUTES(type)))
98371 + TYPE_ATTRIBUTES(type) = remove_attribute("do_const", TYPE_ATTRIBUTES(type));
98374 +static void deconstify_tree(tree node)
98376 + tree old_type, new_type, field;
98378 + old_type = TREE_TYPE(node);
98379 + while (TREE_CODE(old_type) == ARRAY_TYPE && TREE_CODE(TREE_TYPE(old_type)) != ARRAY_TYPE) {
98380 + node = TREE_TYPE(node) = copy_node(old_type);
98381 + old_type = TREE_TYPE(old_type);
98384 + gcc_assert(TREE_CODE(old_type) == RECORD_TYPE || TREE_CODE(old_type) == UNION_TYPE);
98385 + gcc_assert(TYPE_READONLY(old_type) && (TYPE_QUALS(old_type) & TYPE_QUAL_CONST));
98387 + new_type = build_qualified_type(old_type, TYPE_QUALS(old_type) & ~TYPE_QUAL_CONST);
98388 + TYPE_FIELDS(new_type) = copy_list(TYPE_FIELDS(new_type));
98389 + for (field = TYPE_FIELDS(new_type); field; field = TREE_CHAIN(field))
98390 + DECL_FIELD_CONTEXT(field) = new_type;
98392 + deconstify_type(new_type);
98394 + TREE_TYPE(node) = new_type;
98397 +static tree handle_no_const_attribute(tree *node, tree name, tree args, int flags, bool *no_add_attrs)
98400 + constify_info cinfo = {
98401 + .has_fptr_field = false,
98402 + .has_writable_field = false,
98403 + .has_do_const_field = false,
98404 + .has_no_const_field = false
98407 + *no_add_attrs = true;
98408 + if (TREE_CODE(*node) == FUNCTION_DECL) {
98409 + error("%qE attribute does not apply to functions", name);
98410 + return NULL_TREE;
98413 + if (TREE_CODE(*node) == PARM_DECL) {
98414 + error("%qE attribute does not apply to function parameters", name);
98415 + return NULL_TREE;
98418 + if (TREE_CODE(*node) == VAR_DECL) {
98419 + error("%qE attribute does not apply to variables", name);
98420 + return NULL_TREE;
98423 + if (TYPE_P(*node)) {
98424 + *no_add_attrs = false;
98427 + gcc_assert(TREE_CODE(*node) == TYPE_DECL);
98428 + type = TREE_TYPE(*node);
98431 + if (TREE_CODE(type) != RECORD_TYPE && TREE_CODE(type) != UNION_TYPE) {
98432 + error("%qE attribute applies to struct and union types only", name);
98433 + return NULL_TREE;
98436 + if (lookup_attribute(IDENTIFIER_POINTER(name), TYPE_ATTRIBUTES(type))) {
98437 + error("%qE attribute is already applied to the type", name);
98438 + return NULL_TREE;
98441 + if (TYPE_P(*node)) {
98442 + if (lookup_attribute("do_const", TYPE_ATTRIBUTES(type)))
98443 + error("%qE attribute is incompatible with 'do_const'", name);
98444 + return NULL_TREE;
98447 + constifiable(type, &cinfo);
98448 + if ((cinfo.has_fptr_field && !cinfo.has_writable_field) || lookup_attribute("do_const", TYPE_ATTRIBUTES(type))) {
98449 + deconstify_tree(*node);
98450 + TYPE_CONSTIFY_VISITED(TREE_TYPE(*node)) = 1;
98451 + return NULL_TREE;
98454 + error("%qE attribute used on type that is not constified", name);
98455 + return NULL_TREE;
98458 +static void constify_type(tree type)
98460 + TYPE_READONLY(type) = 1;
98461 + C_TYPE_FIELDS_READONLY(type) = 1;
98462 + TYPE_CONSTIFY_VISITED(type) = 1;
98463 +// TYPE_ATTRIBUTES(type) = tree_cons(get_identifier("do_const"), NULL_TREE, TYPE_ATTRIBUTES(type));
98466 +static tree handle_do_const_attribute(tree *node, tree name, tree args, int flags, bool *no_add_attrs)
98468 + *no_add_attrs = true;
98469 + if (!TYPE_P(*node)) {
98470 + error("%qE attribute applies to types only", name);
98471 + return NULL_TREE;
98474 + if (TREE_CODE(*node) != RECORD_TYPE && TREE_CODE(*node) != UNION_TYPE) {
98475 + error("%qE attribute applies to struct and union types only", name);
98476 + return NULL_TREE;
98479 + if (lookup_attribute(IDENTIFIER_POINTER(name), TYPE_ATTRIBUTES(*node))) {
98480 + error("%qE attribute is already applied to the type", name);
98481 + return NULL_TREE;
98484 + if (lookup_attribute("no_const", TYPE_ATTRIBUTES(*node))) {
98485 + error("%qE attribute is incompatible with 'no_const'", name);
98486 + return NULL_TREE;
98489 + *no_add_attrs = false;
98490 + return NULL_TREE;
98493 +static struct attribute_spec no_const_attr = {
98494 + .name = "no_const",
98497 + .decl_required = false,
98498 + .type_required = false,
98499 + .function_type_required = false,
98500 + .handler = handle_no_const_attribute,
98501 +#if BUILDING_GCC_VERSION >= 4007
98502 + .affects_type_identity = true
98506 +static struct attribute_spec do_const_attr = {
98507 + .name = "do_const",
98510 + .decl_required = false,
98511 + .type_required = false,
98512 + .function_type_required = false,
98513 + .handler = handle_do_const_attribute,
98514 +#if BUILDING_GCC_VERSION >= 4007
98515 + .affects_type_identity = true
98519 +static void register_attributes(void *event_data, void *data)
98521 + register_attribute(&no_const_attr);
98522 + register_attribute(&do_const_attr);
98525 +static void finish_type(void *event_data, void *data)
98527 + tree type = (tree)event_data;
98528 + constify_info cinfo = {
98529 + .has_fptr_field = false,
98530 + .has_writable_field = false,
98531 + .has_do_const_field = false,
98532 + .has_no_const_field = false
98535 + if (type == NULL_TREE || type == error_mark_node)
98538 + if (TYPE_FIELDS(type) == NULL_TREE || TYPE_CONSTIFY_VISITED(type))
98541 + constifiable(type, &cinfo);
98543 + if (TYPE_READONLY(type) && C_TYPE_FIELDS_READONLY(type)) {
98544 + if (!lookup_attribute("do_const", TYPE_ATTRIBUTES(type)))
98546 + if (cinfo.has_writable_field)
98548 + error("'do_const' attribute used on type that is%sconstified", cinfo.has_fptr_field ? " " : " not ");
98552 + if (lookup_attribute("no_const", TYPE_ATTRIBUTES(type))) {
98553 + if ((cinfo.has_fptr_field && !cinfo.has_writable_field) || cinfo.has_do_const_field) {
98554 + deconstify_type(type);
98555 + TYPE_CONSTIFY_VISITED(type) = 1;
98557 + error("'no_const' attribute used on type that is not constified");
98561 + if (lookup_attribute("do_const", TYPE_ATTRIBUTES(type))) {
98562 + constify_type(type);
98566 + if (cinfo.has_fptr_field && !cinfo.has_writable_field) {
98567 + constify_type(type);
98571 + deconstify_type(type);
98572 + TYPE_CONSTIFY_VISITED(type) = 1;
98575 +static void check_global_variables(void)
98577 + struct varpool_node *node;
98579 +#if BUILDING_GCC_VERSION <= 4007
98580 + for (node = varpool_nodes; node; node = node->next) {
98581 + tree var = node->decl;
98583 + FOR_EACH_VARIABLE(node) {
98584 + tree var = node->symbol.decl;
98586 + tree type = TREE_TYPE(var);
98588 + if (TREE_CODE(type) != RECORD_TYPE && TREE_CODE(type) != UNION_TYPE)
98591 + if (!TYPE_READONLY(type) || !C_TYPE_FIELDS_READONLY(type))
98594 + if (!TYPE_CONSTIFY_VISITED(type))
98597 + if (DECL_EXTERNAL(var))
98600 + if (DECL_INITIAL(var))
98603 + // this works around a gcc bug/feature where uninitialized globals
98604 + // are moved into the .bss section regardless of any constification
98605 + DECL_INITIAL(var) = build_constructor(type, NULL);
98606 +// inform(DECL_SOURCE_LOCATION(var), "constified variable %qE moved into .rodata", var);
98610 +static unsigned int check_local_variables(void)
98612 + unsigned int ret = 0;
98615 +#if BUILDING_GCC_VERSION == 4005
98621 +#if BUILDING_GCC_VERSION == 4005
98622 + for (vars = cfun->local_decls; vars; vars = TREE_CHAIN(vars)) {
98623 + var = TREE_VALUE(vars);
98625 + FOR_EACH_LOCAL_DECL(cfun, i, var) {
98627 + tree type = TREE_TYPE(var);
98629 + gcc_assert(DECL_P(var));
98630 + if (is_global_var(var))
98633 + if (TREE_CODE(type) != RECORD_TYPE && TREE_CODE(type) != UNION_TYPE)
98636 + if (!TYPE_READONLY(type) || !C_TYPE_FIELDS_READONLY(type))
98639 + if (!TYPE_CONSTIFY_VISITED(type))
98642 + error_at(DECL_SOURCE_LOCATION(var), "constified variable %qE cannot be local", var);
98648 +static unsigned int check_variables(void)
98650 + check_global_variables();
98651 + return check_local_variables();
98654 + unsigned int ret = 0;
98655 +static struct gimple_opt_pass pass_local_variable = {
98657 + .type = GIMPLE_PASS,
98658 + .name = "check_variables",
98659 +#if BUILDING_GCC_VERSION >= 4008
98660 + .optinfo_flags = OPTGROUP_NONE,
98663 + .execute = check_variables,
98666 + .static_pass_number = 0,
98667 + .tv_id = TV_NONE,
98668 + .properties_required = 0,
98669 + .properties_provided = 0,
98670 + .properties_destroyed = 0,
98671 + .todo_flags_start = 0,
98672 + .todo_flags_finish = 0
98677 + const char *name;
98678 + const char *asm_op;
98680 + {".init.rodata", "\t.section\t.init.rodata,\"a\""},
98681 + {".ref.rodata", "\t.section\t.ref.rodata,\"a\""},
98682 + {".devinit.rodata", "\t.section\t.devinit.rodata,\"a\""},
98683 + {".devexit.rodata", "\t.section\t.devexit.rodata,\"a\""},
98684 + {".cpuinit.rodata", "\t.section\t.cpuinit.rodata,\"a\""},
98685 + {".cpuexit.rodata", "\t.section\t.cpuexit.rodata,\"a\""},
98686 + {".meminit.rodata", "\t.section\t.meminit.rodata,\"a\""},
98687 + {".memexit.rodata", "\t.section\t.memexit.rodata,\"a\""},
98688 + {".data..read_only", "\t.section\t.data..read_only,\"a\""},
98691 +static unsigned int (*old_section_type_flags)(tree decl, const char *name, int reloc);
98693 +static unsigned int constify_section_type_flags(tree decl, const char *name, int reloc)
98697 + for (i = 0; i < ARRAY_SIZE(sections); i++)
98698 + if (!strcmp(sections[i].name, name))
98700 + return old_section_type_flags(decl, name, reloc);
98703 +static void constify_start_unit(void *gcc_data, void *user_data)
98707 +// for (i = 0; i < ARRAY_SIZE(sections); i++)
98708 +// sections[i].section = get_unnamed_section(0, output_section_asm_op, sections[i].asm_op);
98709 +// sections[i].section = get_section(sections[i].name, 0, NULL);
98711 + old_section_type_flags = targetm.section_type_flags;
98712 + targetm.section_type_flags = constify_section_type_flags;
98715 +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
98717 + const char * const plugin_name = plugin_info->base_name;
98718 + const int argc = plugin_info->argc;
98719 + const struct plugin_argument * const argv = plugin_info->argv;
98721 + bool constify = true;
98723 + struct register_pass_info local_variable_pass_info = {
98724 + .pass = &pass_local_variable.pass,
98725 + .reference_pass_name = "ssa",
98726 + .ref_pass_instance_number = 1,
98727 + .pos_op = PASS_POS_INSERT_BEFORE
98730 + if (!plugin_default_version_check(version, &gcc_version)) {
98731 + error(G_("incompatible gcc/plugin versions"));
98735 + for (i = 0; i < argc; ++i) {
98736 + if (!(strcmp(argv[i].key, "no-constify"))) {
98737 + constify = false;
98740 + error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
98743 + if (strcmp(lang_hooks.name, "GNU C")) {
98744 + inform(UNKNOWN_LOCATION, G_("%s supports C only"), plugin_name);
98745 + constify = false;
98748 + register_callback(plugin_name, PLUGIN_INFO, NULL, &const_plugin_info);
98750 + register_callback(plugin_name, PLUGIN_FINISH_TYPE, finish_type, NULL);
98751 + register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &local_variable_pass_info);
98752 + register_callback(plugin_name, PLUGIN_START_UNIT, constify_start_unit, NULL);
98754 + register_callback(plugin_name, PLUGIN_ATTRIBUTES, register_attributes, NULL);
98758 diff --git a/tools/gcc/generate_size_overflow_hash.sh b/tools/gcc/generate_size_overflow_hash.sh
98759 new file mode 100644
98760 index 0000000..e518932
98762 +++ b/tools/gcc/generate_size_overflow_hash.sh
98766 +# This script generates the hash table (size_overflow_hash.h) for the size_overflow gcc plugin (size_overflow_plugin.c).
98768 +header1="size_overflow_hash.h"
98769 +database="size_overflow_hash.data"
98779 + -n hash array size
98787 + -h|--help) usage && exit 0;;
98788 + -n) n=$2; shift 2;;
98789 + -o) header1="$2"; shift 2;;
98790 + -d) database="$2"; shift 2;;
98791 + --) shift 1; break ;;
98796 +create_defines() {
98797 + for i in `seq 0 31`
98799 + echo -e "#define PARAM"$i" (1U << "$i")" >> "$header1"
98801 + echo >> "$header1"
98804 +create_structs() {
98809 + cat "$database" | while read data
98811 + data_array=($data)
98812 + struct_hash_name="${data_array[0]}"
98813 + funcn="${data_array[1]}"
98814 + params="${data_array[2]}"
98815 + next="${data_array[4]}"
98817 + echo "const struct size_overflow_hash $struct_hash_name = {" >> "$header1"
98819 + echo -e "\t.next\t= $next,\n\t.name\t= \"$funcn\"," >> "$header1"
98820 + echo -en "\t.param\t= " >> "$header1"
98822 + for param_num in ${params//-/ };
98824 + line="${line}PARAM"$param_num"|"
98827 + echo -e "${line%?},\n};\n" >> "$header1"
98831 +create_headers() {
98832 + echo "const struct size_overflow_hash * const size_overflow_hash[$n] = {" >> "$header1"
98835 +create_array_elements() {
98837 + grep -v "nohasharray" $database | sort -n -k 4 | while read data
98839 + data_array=($data)
98840 + i="${data_array[3]}"
98841 + hash="${data_array[0]}"
98842 + while [[ $index -lt $i ]]
98844 + echo -e "\t["$index"]\t= NULL," >> "$header1"
98845 + index=$(($index + 1))
98847 + index=$(($index + 1))
98848 + echo -e "\t["$i"]\t= &"$hash"," >> "$header1"
98850 + echo '};' >> $header1
98855 +create_array_elements
98858 diff --git a/tools/gcc/kallocstat_plugin.c b/tools/gcc/kallocstat_plugin.c
98859 new file mode 100644
98860 index 0000000..568b360
98862 +++ b/tools/gcc/kallocstat_plugin.c
98865 + * Copyright 2011-2013 by the PaX Team <pageexec@freemail.hu>
98866 + * Licensed under the GPL v2
98868 + * Note: the choice of the license means that the compilation process is
98869 + * NOT 'eligible' as defined by gcc's library exception to the GPL v3,
98870 + * but for the kernel it doesn't matter since it doesn't link against
98871 + * any of the gcc libraries
98873 + * gcc plugin to find the distribution of k*alloc sizes
98880 +#include "gcc-plugin.h"
98881 +#include "config.h"
98882 +#include "system.h"
98883 +#include "coretypes.h"
98885 +#include "tree-pass.h"
98886 +#include "flags.h"
98888 +#include "toplev.h"
98889 +#include "plugin.h"
98890 +//#include "expr.h" where are you...
98891 +#include "diagnostic.h"
98892 +#include "plugin-version.h"
98894 +#include "function.h"
98895 +#include "basic-block.h"
98896 +#include "gimple.h"
98898 +#include "emit-rtl.h"
98900 +extern void print_gimple_stmt(FILE *, gimple, int, int);
98902 +int plugin_is_GPL_compatible;
98904 +static const char * const kalloc_functions[] = {
98910 + "kmalloc_order_trace",
98916 +static struct plugin_info kallocstat_plugin_info = {
98917 + .version = "201302112000",
98920 +static unsigned int execute_kallocstat(void);
98922 +static struct gimple_opt_pass kallocstat_pass = {
98924 + .type = GIMPLE_PASS,
98925 + .name = "kallocstat",
98926 +#if BUILDING_GCC_VERSION >= 4008
98927 + .optinfo_flags = OPTGROUP_NONE,
98930 + .execute = execute_kallocstat,
98933 + .static_pass_number = 0,
98934 + .tv_id = TV_NONE,
98935 + .properties_required = 0,
98936 + .properties_provided = 0,
98937 + .properties_destroyed = 0,
98938 + .todo_flags_start = 0,
98939 + .todo_flags_finish = 0
98943 +static bool is_kalloc(const char *fnname)
98947 + for (i = 0; i < ARRAY_SIZE(kalloc_functions); i++)
98948 + if (!strcmp(fnname, kalloc_functions[i]))
98953 +static unsigned int execute_kallocstat(void)
98957 + // 1. loop through BBs and GIMPLE statements
98958 + FOR_EACH_BB(bb) {
98959 + gimple_stmt_iterator gsi;
98960 + for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
98962 + tree fndecl, size;
98963 + gimple call_stmt;
98964 + const char *fnname;
98967 + call_stmt = gsi_stmt(gsi);
98968 + if (!is_gimple_call(call_stmt))
98970 + fndecl = gimple_call_fndecl(call_stmt);
98971 + if (fndecl == NULL_TREE)
98973 + if (TREE_CODE(fndecl) != FUNCTION_DECL)
98976 + // is it a call to k*alloc
98977 + fnname = IDENTIFIER_POINTER(DECL_NAME(fndecl));
98978 + if (!is_kalloc(fnname))
98981 + // is the size arg the result of a simple const assignment
98982 + size = gimple_call_arg(call_stmt, 0);
98985 + expanded_location xloc;
98988 + if (TREE_CODE(size) != SSA_NAME)
98990 + def_stmt = SSA_NAME_DEF_STMT(size);
98991 + if (!def_stmt || !is_gimple_assign(def_stmt))
98993 + if (gimple_num_ops(def_stmt) != 2)
98995 + size = gimple_assign_rhs1(def_stmt);
98996 + if (!TREE_CONSTANT(size))
98998 + xloc = expand_location(gimple_location(def_stmt));
99000 + xloc = expand_location(DECL_SOURCE_LOCATION(current_function_decl));
99001 + size_val = TREE_INT_CST_LOW(size);
99002 + fprintf(stderr, "kallocsize: %8zu %8zx %s %s:%u\n", size_val, size_val, fnname, xloc.file, xloc.line);
99005 +//print_gimple_stmt(stderr, call_stmt, 0, TDF_LINENO);
99006 +//debug_tree(gimple_call_fn(call_stmt));
99007 +//print_node(stderr, "pax", fndecl, 4);
99014 +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
99016 + const char * const plugin_name = plugin_info->base_name;
99017 + struct register_pass_info kallocstat_pass_info = {
99018 + .pass = &kallocstat_pass.pass,
99019 + .reference_pass_name = "ssa",
99020 + .ref_pass_instance_number = 1,
99021 + .pos_op = PASS_POS_INSERT_AFTER
99024 + if (!plugin_default_version_check(version, &gcc_version)) {
99025 + error(G_("incompatible gcc/plugin versions"));
99029 + register_callback(plugin_name, PLUGIN_INFO, NULL, &kallocstat_plugin_info);
99030 + register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &kallocstat_pass_info);
99034 diff --git a/tools/gcc/kernexec_plugin.c b/tools/gcc/kernexec_plugin.c
99035 new file mode 100644
99036 index 0000000..0408e06
99038 +++ b/tools/gcc/kernexec_plugin.c
99041 + * Copyright 2011-2013 by the PaX Team <pageexec@freemail.hu>
99042 + * Licensed under the GPL v2
99044 + * Note: the choice of the license means that the compilation process is
99045 + * NOT 'eligible' as defined by gcc's library exception to the GPL v3,
99046 + * but for the kernel it doesn't matter since it doesn't link against
99047 + * any of the gcc libraries
99049 + * gcc plugin to make KERNEXEC/amd64 almost as good as it is on i386
99056 +#include "gcc-plugin.h"
99057 +#include "config.h"
99058 +#include "system.h"
99059 +#include "coretypes.h"
99061 +#include "tree-pass.h"
99062 +#include "flags.h"
99064 +#include "toplev.h"
99065 +#include "plugin.h"
99066 +//#include "expr.h" where are you...
99067 +#include "diagnostic.h"
99068 +#include "plugin-version.h"
99070 +#include "function.h"
99071 +#include "basic-block.h"
99072 +#include "gimple.h"
99074 +#include "emit-rtl.h"
99075 +#include "tree-flow.h"
99077 +extern void print_gimple_stmt(FILE *, gimple, int, int);
99078 +extern rtx emit_move_insn(rtx x, rtx y);
99080 +#if BUILDING_GCC_VERSION <= 4006
99081 +#define ANY_RETURN_P(rtx) (GET_CODE(rtx) == RETURN)
99084 +#if BUILDING_GCC_VERSION >= 4008
99085 +#define TODO_dump_func 0
99088 +int plugin_is_GPL_compatible;
99090 +static struct plugin_info kernexec_plugin_info = {
99091 + .version = "201302112000",
99092 + .help = "method=[bts|or]\tinstrumentation method\n"
99095 +static unsigned int execute_kernexec_reload(void);
99096 +static unsigned int execute_kernexec_fptr(void);
99097 +static unsigned int execute_kernexec_retaddr(void);
99098 +static bool kernexec_cmodel_check(void);
99100 +static void (*kernexec_instrument_fptr)(gimple_stmt_iterator *);
99101 +static void (*kernexec_instrument_retaddr)(rtx);
99103 +static struct gimple_opt_pass kernexec_reload_pass = {
99105 + .type = GIMPLE_PASS,
99106 + .name = "kernexec_reload",
99107 +#if BUILDING_GCC_VERSION >= 4008
99108 + .optinfo_flags = OPTGROUP_NONE,
99110 + .gate = kernexec_cmodel_check,
99111 + .execute = execute_kernexec_reload,
99114 + .static_pass_number = 0,
99115 + .tv_id = TV_NONE,
99116 + .properties_required = 0,
99117 + .properties_provided = 0,
99118 + .properties_destroyed = 0,
99119 + .todo_flags_start = 0,
99120 + .todo_flags_finish = TODO_verify_ssa | TODO_verify_stmts | TODO_dump_func | TODO_remove_unused_locals | TODO_update_ssa_no_phi
99124 +static struct gimple_opt_pass kernexec_fptr_pass = {
99126 + .type = GIMPLE_PASS,
99127 + .name = "kernexec_fptr",
99128 +#if BUILDING_GCC_VERSION >= 4008
99129 + .optinfo_flags = OPTGROUP_NONE,
99131 + .gate = kernexec_cmodel_check,
99132 + .execute = execute_kernexec_fptr,
99135 + .static_pass_number = 0,
99136 + .tv_id = TV_NONE,
99137 + .properties_required = 0,
99138 + .properties_provided = 0,
99139 + .properties_destroyed = 0,
99140 + .todo_flags_start = 0,
99141 + .todo_flags_finish = TODO_verify_ssa | TODO_verify_stmts | TODO_dump_func | TODO_remove_unused_locals | TODO_update_ssa_no_phi
99145 +static struct rtl_opt_pass kernexec_retaddr_pass = {
99147 + .type = RTL_PASS,
99148 + .name = "kernexec_retaddr",
99149 +#if BUILDING_GCC_VERSION >= 4008
99150 + .optinfo_flags = OPTGROUP_NONE,
99152 + .gate = kernexec_cmodel_check,
99153 + .execute = execute_kernexec_retaddr,
99156 + .static_pass_number = 0,
99157 + .tv_id = TV_NONE,
99158 + .properties_required = 0,
99159 + .properties_provided = 0,
99160 + .properties_destroyed = 0,
99161 + .todo_flags_start = 0,
99162 + .todo_flags_finish = TODO_dump_func | TODO_ggc_collect
99166 +static bool kernexec_cmodel_check(void)
99170 + if (ix86_cmodel != CM_KERNEL)
99173 + section = lookup_attribute("section", DECL_ATTRIBUTES(current_function_decl));
99174 + if (!section || !TREE_VALUE(section))
99177 + section = TREE_VALUE(TREE_VALUE(section));
99178 + if (strncmp(TREE_STRING_POINTER(section), ".vsyscall_", 10))
99185 + * add special KERNEXEC instrumentation: reload %r10 after it has been clobbered
99187 +static void kernexec_reload_fptr_mask(gimple_stmt_iterator *gsi)
99189 + gimple asm_movabs_stmt;
99191 + // build asm volatile("movabs $0x8000000000000000, %%r10\n\t" : : : );
99192 + asm_movabs_stmt = gimple_build_asm_vec("movabs $0x8000000000000000, %%r10\n\t", NULL, NULL, NULL, NULL);
99193 + gimple_asm_set_volatile(asm_movabs_stmt, true);
99194 + gsi_insert_after(gsi, asm_movabs_stmt, GSI_CONTINUE_LINKING);
99195 + update_stmt(asm_movabs_stmt);
99199 + * find all asm() stmts that clobber r10 and add a reload of r10
99201 +static unsigned int execute_kernexec_reload(void)
99205 + // 1. loop through BBs and GIMPLE statements
99206 + FOR_EACH_BB(bb) {
99207 + gimple_stmt_iterator gsi;
99209 + for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
99210 + // gimple match: __asm__ ("" : : : "r10");
99212 + size_t nclobbers;
99214 + // is it an asm ...
99215 + asm_stmt = gsi_stmt(gsi);
99216 + if (gimple_code(asm_stmt) != GIMPLE_ASM)
99219 + // ... clobbering r10
99220 + nclobbers = gimple_asm_nclobbers(asm_stmt);
99221 + while (nclobbers--) {
99222 + tree op = gimple_asm_clobber_op(asm_stmt, nclobbers);
99223 + if (strcmp(TREE_STRING_POINTER(TREE_VALUE(op)), "r10"))
99225 + kernexec_reload_fptr_mask(&gsi);
99226 +//print_gimple_stmt(stderr, asm_stmt, 0, TDF_LINENO);
99236 + * add special KERNEXEC instrumentation: force MSB of fptr to 1, which will produce
99237 + * a non-canonical address from a userland ptr and will just trigger a GPF on dereference
99239 +static void kernexec_instrument_fptr_bts(gimple_stmt_iterator *gsi)
99241 + gimple assign_intptr, assign_new_fptr, call_stmt;
99242 + tree intptr, old_fptr, new_fptr, kernexec_mask;
99244 + call_stmt = gsi_stmt(*gsi);
99245 + old_fptr = gimple_call_fn(call_stmt);
99247 + // create temporary unsigned long variable used for bitops and cast fptr to it
99248 + intptr = create_tmp_var(long_unsigned_type_node, "kernexec_bts");
99249 +#if BUILDING_GCC_VERSION <= 4007
99250 + add_referenced_var(intptr);
99251 + mark_sym_for_renaming(intptr);
99253 + assign_intptr = gimple_build_assign(intptr, fold_convert(long_unsigned_type_node, old_fptr));
99254 + gsi_insert_before(gsi, assign_intptr, GSI_SAME_STMT);
99255 + update_stmt(assign_intptr);
99257 + // apply logical or to temporary unsigned long and bitmask
99258 + kernexec_mask = build_int_cstu(long_long_unsigned_type_node, 0x8000000000000000LL);
99259 +// kernexec_mask = build_int_cstu(long_long_unsigned_type_node, 0xffffffff80000000LL);
99260 + assign_intptr = gimple_build_assign(intptr, fold_build2(BIT_IOR_EXPR, long_long_unsigned_type_node, intptr, kernexec_mask));
99261 + gsi_insert_before(gsi, assign_intptr, GSI_SAME_STMT);
99262 + update_stmt(assign_intptr);
99264 + // cast temporary unsigned long back to a temporary fptr variable
99265 + new_fptr = create_tmp_var(TREE_TYPE(old_fptr), "kernexec_fptr");
99266 +#if BUILDING_GCC_VERSION <= 4007
99267 + add_referenced_var(new_fptr);
99268 + mark_sym_for_renaming(new_fptr);
99270 + assign_new_fptr = gimple_build_assign(new_fptr, fold_convert(TREE_TYPE(old_fptr), intptr));
99271 + gsi_insert_before(gsi, assign_new_fptr, GSI_SAME_STMT);
99272 + update_stmt(assign_new_fptr);
99274 + // replace call stmt fn with the new fptr
99275 + gimple_call_set_fn(call_stmt, new_fptr);
99276 + update_stmt(call_stmt);
99279 +static void kernexec_instrument_fptr_or(gimple_stmt_iterator *gsi)
99281 + gimple asm_or_stmt, call_stmt;
99282 + tree old_fptr, new_fptr, input, output;
99283 +#if BUILDING_GCC_VERSION <= 4007
99284 + VEC(tree, gc) *inputs = NULL;
99285 + VEC(tree, gc) *outputs = NULL;
99287 + vec<tree, va_gc> *inputs = NULL;
99288 + vec<tree, va_gc> *outputs = NULL;
99291 + call_stmt = gsi_stmt(*gsi);
99292 + old_fptr = gimple_call_fn(call_stmt);
99294 + // create temporary fptr variable
99295 + new_fptr = create_tmp_var(TREE_TYPE(old_fptr), "kernexec_or");
99296 +#if BUILDING_GCC_VERSION <= 4007
99297 + add_referenced_var(new_fptr);
99298 + mark_sym_for_renaming(new_fptr);
99301 + // build asm volatile("orq %%r10, %0\n\t" : "=r"(new_fptr) : "0"(old_fptr));
99302 + input = build_tree_list(NULL_TREE, build_string(2, "0"));
99303 + input = chainon(NULL_TREE, build_tree_list(input, old_fptr));
99304 + output = build_tree_list(NULL_TREE, build_string(3, "=r"));
99305 + output = chainon(NULL_TREE, build_tree_list(output, new_fptr));
99306 +#if BUILDING_GCC_VERSION <= 4007
99307 + VEC_safe_push(tree, gc, inputs, input);
99308 + VEC_safe_push(tree, gc, outputs, output);
99310 + vec_safe_push(inputs, input);
99311 + vec_safe_push(outputs, output);
99313 + asm_or_stmt = gimple_build_asm_vec("orq %%r10, %0\n\t", inputs, outputs, NULL, NULL);
99314 + gimple_asm_set_volatile(asm_or_stmt, true);
99315 + gsi_insert_before(gsi, asm_or_stmt, GSI_SAME_STMT);
99316 + update_stmt(asm_or_stmt);
99318 + // replace call stmt fn with the new fptr
99319 + gimple_call_set_fn(call_stmt, new_fptr);
99320 + update_stmt(call_stmt);
99324 + * find all C level function pointer dereferences and forcibly set the highest bit of the pointer
99326 +static unsigned int execute_kernexec_fptr(void)
99330 + // 1. loop through BBs and GIMPLE statements
99331 + FOR_EACH_BB(bb) {
99332 + gimple_stmt_iterator gsi;
99334 + for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
99335 + // gimple match: h_1 = get_fptr (); D.2709_3 = h_1 (x_2(D));
99337 + gimple call_stmt;
99339 + // is it a call ...
99340 + call_stmt = gsi_stmt(gsi);
99341 + if (!is_gimple_call(call_stmt))
99343 + fn = gimple_call_fn(call_stmt);
99344 + if (TREE_CODE(fn) == ADDR_EXPR)
99346 + if (TREE_CODE(fn) != SSA_NAME)
99347 + gcc_unreachable();
99349 + // ... through a function pointer
99350 + if (SSA_NAME_VAR(fn) != NULL_TREE) {
99351 + fn = SSA_NAME_VAR(fn);
99352 + if (TREE_CODE(fn) != VAR_DECL && TREE_CODE(fn) != PARM_DECL) {
99354 + gcc_unreachable();
99357 + fn = TREE_TYPE(fn);
99358 + if (TREE_CODE(fn) != POINTER_TYPE)
99360 + fn = TREE_TYPE(fn);
99361 + if (TREE_CODE(fn) != FUNCTION_TYPE)
99364 + kernexec_instrument_fptr(&gsi);
99366 +//debug_tree(gimple_call_fn(call_stmt));
99367 +//print_gimple_stmt(stderr, call_stmt, 0, TDF_LINENO);
99374 +// add special KERNEXEC instrumentation: btsq $63,(%rsp) just before retn
99375 +static void kernexec_instrument_retaddr_bts(rtx insn)
99378 + rtvec argvec, constraintvec, labelvec;
99381 + // create asm volatile("btsq $63,(%%rsp)":::)
99382 + argvec = rtvec_alloc(0);
99383 + constraintvec = rtvec_alloc(0);
99384 + labelvec = rtvec_alloc(0);
99385 + line = expand_location(RTL_LOCATION(insn)).line;
99386 + btsq = gen_rtx_ASM_OPERANDS(VOIDmode, "btsq $63,(%%rsp)", empty_string, 0, argvec, constraintvec, labelvec, line);
99387 + MEM_VOLATILE_P(btsq) = 1;
99388 +// RTX_FRAME_RELATED_P(btsq) = 1; // not for ASM_OPERANDS
99389 + emit_insn_before(btsq, insn);
99392 +// add special KERNEXEC instrumentation: orq %r10,(%rsp) just before retn
99393 +static void kernexec_instrument_retaddr_or(rtx insn)
99396 + rtvec argvec, constraintvec, labelvec;
99399 + // create asm volatile("orq %%r10,(%%rsp)":::)
99400 + argvec = rtvec_alloc(0);
99401 + constraintvec = rtvec_alloc(0);
99402 + labelvec = rtvec_alloc(0);
99403 + line = expand_location(RTL_LOCATION(insn)).line;
99404 + orq = gen_rtx_ASM_OPERANDS(VOIDmode, "orq %%r10,(%%rsp)", empty_string, 0, argvec, constraintvec, labelvec, line);
99405 + MEM_VOLATILE_P(orq) = 1;
99406 +// RTX_FRAME_RELATED_P(orq) = 1; // not for ASM_OPERANDS
99407 + emit_insn_before(orq, insn);
99411 + * find all asm level function returns and forcibly set the highest bit of the return address
99413 +static unsigned int execute_kernexec_retaddr(void)
99417 + // 1. find function returns
99418 + for (insn = get_insns(); insn; insn = NEXT_INSN(insn)) {
99419 + // rtl match: (jump_insn 41 40 42 2 (return) fptr.c:42 634 {return_internal} (nil))
99420 + // (jump_insn 12 9 11 2 (parallel [ (return) (unspec [ (0) ] UNSPEC_REP) ]) fptr.c:46 635 {return_internal_long} (nil))
99421 + // (jump_insn 97 96 98 6 (simple_return) fptr.c:50 -1 (nil) -> simple_return)
99425 + if (!JUMP_P(insn))
99427 + body = PATTERN(insn);
99428 + if (GET_CODE(body) == PARALLEL)
99429 + body = XVECEXP(body, 0, 0);
99430 + if (!ANY_RETURN_P(body))
99432 + kernexec_instrument_retaddr(insn);
99435 +// print_simple_rtl(stderr, get_insns());
99436 +// print_rtl(stderr, get_insns());
99441 +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
99443 + const char * const plugin_name = plugin_info->base_name;
99444 + const int argc = plugin_info->argc;
99445 + const struct plugin_argument * const argv = plugin_info->argv;
99447 + struct register_pass_info kernexec_reload_pass_info = {
99448 + .pass = &kernexec_reload_pass.pass,
99449 + .reference_pass_name = "ssa",
99450 + .ref_pass_instance_number = 1,
99451 + .pos_op = PASS_POS_INSERT_AFTER
99453 + struct register_pass_info kernexec_fptr_pass_info = {
99454 + .pass = &kernexec_fptr_pass.pass,
99455 + .reference_pass_name = "ssa",
99456 + .ref_pass_instance_number = 1,
99457 + .pos_op = PASS_POS_INSERT_AFTER
99459 + struct register_pass_info kernexec_retaddr_pass_info = {
99460 + .pass = &kernexec_retaddr_pass.pass,
99461 + .reference_pass_name = "pro_and_epilogue",
99462 + .ref_pass_instance_number = 1,
99463 + .pos_op = PASS_POS_INSERT_AFTER
99466 + if (!plugin_default_version_check(version, &gcc_version)) {
99467 + error(G_("incompatible gcc/plugin versions"));
99471 + register_callback(plugin_name, PLUGIN_INFO, NULL, &kernexec_plugin_info);
99473 + if (TARGET_64BIT == 0)
99476 + for (i = 0; i < argc; ++i) {
99477 + if (!strcmp(argv[i].key, "method")) {
99478 + if (!argv[i].value) {
99479 + error(G_("no value supplied for option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
99482 + if (!strcmp(argv[i].value, "bts")) {
99483 + kernexec_instrument_fptr = kernexec_instrument_fptr_bts;
99484 + kernexec_instrument_retaddr = kernexec_instrument_retaddr_bts;
99485 + } else if (!strcmp(argv[i].value, "or")) {
99486 + kernexec_instrument_fptr = kernexec_instrument_fptr_or;
99487 + kernexec_instrument_retaddr = kernexec_instrument_retaddr_or;
99488 + fix_register("r10", 1, 1);
99490 + error(G_("invalid option argument '-fplugin-arg-%s-%s=%s'"), plugin_name, argv[i].key, argv[i].value);
99493 + error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
99495 + if (!kernexec_instrument_fptr || !kernexec_instrument_retaddr)
99496 + error(G_("no instrumentation method was selected via '-fplugin-arg-%s-method'"), plugin_name);
99498 + if (kernexec_instrument_fptr == kernexec_instrument_fptr_or)
99499 + register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &kernexec_reload_pass_info);
99500 + register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &kernexec_fptr_pass_info);
99501 + register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &kernexec_retaddr_pass_info);
99505 diff --git a/tools/gcc/latent_entropy_plugin.c b/tools/gcc/latent_entropy_plugin.c
99506 new file mode 100644
99507 index 0000000..b5395ba
99509 +++ b/tools/gcc/latent_entropy_plugin.c
99512 + * Copyright 2012-2013 by the PaX Team <pageexec@freemail.hu>
99513 + * Licensed under the GPL v2
99515 + * Note: the choice of the license means that the compilation process is
99516 + * NOT 'eligible' as defined by gcc's library exception to the GPL v3,
99517 + * but for the kernel it doesn't matter since it doesn't link against
99518 + * any of the gcc libraries
99520 + * gcc plugin to help generate a little bit of entropy from program state,
99521 + * used during boot in the kernel
99524 + * - add ipa pass to identify not explicitly marked candidate functions
99525 + * - mix in more program state (function arguments/return values, loop variables, etc)
99526 + * - more instrumentation control via attribute parameters
99529 + * - LTO needs -flto-partition=none for now
99531 +#include "gcc-plugin.h"
99532 +#include "config.h"
99533 +#include "system.h"
99534 +#include "coretypes.h"
99536 +#include "tree-pass.h"
99537 +#include "flags.h"
99539 +#include "toplev.h"
99540 +#include "plugin.h"
99541 +//#include "expr.h" where are you...
99542 +#include "diagnostic.h"
99543 +#include "plugin-version.h"
99545 +#include "function.h"
99546 +#include "basic-block.h"
99547 +#include "gimple.h"
99549 +#include "emit-rtl.h"
99550 +#include "tree-flow.h"
99551 +#include "langhooks.h"
99553 +#if BUILDING_GCC_VERSION >= 4008
99554 +#define TODO_dump_func 0
99557 +int plugin_is_GPL_compatible;
99559 +static tree latent_entropy_decl;
99561 +static struct plugin_info latent_entropy_plugin_info = {
99562 + .version = "201303102320",
99566 +static unsigned int execute_latent_entropy(void);
99567 +static bool gate_latent_entropy(void);
99569 +static struct gimple_opt_pass latent_entropy_pass = {
99571 + .type = GIMPLE_PASS,
99572 + .name = "latent_entropy",
99573 +#if BUILDING_GCC_VERSION >= 4008
99574 + .optinfo_flags = OPTGROUP_NONE,
99576 + .gate = gate_latent_entropy,
99577 + .execute = execute_latent_entropy,
99580 + .static_pass_number = 0,
99581 + .tv_id = TV_NONE,
99582 + .properties_required = PROP_gimple_leh | PROP_cfg,
99583 + .properties_provided = 0,
99584 + .properties_destroyed = 0,
99585 + .todo_flags_start = 0, //TODO_verify_ssa | TODO_verify_flow | TODO_verify_stmts,
99586 + .todo_flags_finish = TODO_verify_ssa | TODO_verify_stmts | TODO_dump_func | TODO_update_ssa
99590 +static tree handle_latent_entropy_attribute(tree *node, tree name, tree args, int flags, bool *no_add_attrs)
99592 + if (TREE_CODE(*node) != FUNCTION_DECL) {
99593 + *no_add_attrs = true;
99594 + error("%qE attribute only applies to functions", name);
99596 + return NULL_TREE;
99599 +static struct attribute_spec latent_entropy_attr = {
99600 + .name = "latent_entropy",
99603 + .decl_required = true,
99604 + .type_required = false,
99605 + .function_type_required = false,
99606 + .handler = handle_latent_entropy_attribute,
99607 +#if BUILDING_GCC_VERSION >= 4007
99608 + .affects_type_identity = false
99612 +static void register_attributes(void *event_data, void *data)
99614 + register_attribute(&latent_entropy_attr);
99617 +static bool gate_latent_entropy(void)
99619 + tree latent_entropy_attr;
99621 + latent_entropy_attr = lookup_attribute("latent_entropy", DECL_ATTRIBUTES(current_function_decl));
99622 + return latent_entropy_attr != NULL_TREE;
99625 +static unsigned HOST_WIDE_INT seed;
99626 +static unsigned HOST_WIDE_INT get_random_const(void)
99628 + seed = (seed >> 1U) ^ (-(seed & 1ULL) & 0xD800000000000000ULL);
99632 +static enum tree_code get_op(tree *rhs)
99634 + static enum tree_code op;
99635 + unsigned HOST_WIDE_INT random_const;
99637 + random_const = get_random_const();
99640 + case BIT_XOR_EXPR:
99646 + op = LROTATE_EXPR;
99647 + random_const &= HOST_BITS_PER_WIDE_INT - 1;
99651 + case LROTATE_EXPR:
99653 + op = BIT_XOR_EXPR;
99657 + *rhs = build_int_cstu(unsigned_intDI_type_node, random_const);
99661 +static void perturb_local_entropy(basic_block bb, tree local_entropy)
99663 + gimple_stmt_iterator gsi;
99665 + tree addxorrol, rhs;
99666 + enum tree_code op;
99668 + op = get_op(&rhs);
99669 + addxorrol = fold_build2_loc(UNKNOWN_LOCATION, op, unsigned_intDI_type_node, local_entropy, rhs);
99670 + assign = gimple_build_assign(local_entropy, addxorrol);
99671 +#if BUILDING_GCC_VERSION <= 4007
99672 + find_referenced_vars_in(assign);
99675 + gsi = gsi_after_labels(bb);
99676 + gsi_insert_before(&gsi, assign, GSI_NEW_STMT);
99677 + update_stmt(assign);
99680 +static void perturb_latent_entropy(basic_block bb, tree rhs)
99682 + gimple_stmt_iterator gsi;
99684 + tree addxorrol, temp;
99686 + // 1. create temporary copy of latent_entropy
99687 + temp = create_tmp_var(unsigned_intDI_type_node, "temp_latent_entropy");
99688 +#if BUILDING_GCC_VERSION <= 4007
99689 + add_referenced_var(temp);
99690 + mark_sym_for_renaming(temp);
99694 + assign = gimple_build_assign(temp, latent_entropy_decl);
99695 +#if BUILDING_GCC_VERSION <= 4007
99696 + find_referenced_vars_in(assign);
99698 + gsi = gsi_after_labels(bb);
99699 + gsi_insert_after(&gsi, assign, GSI_NEW_STMT);
99700 + update_stmt(assign);
99702 + // 3. ...modify...
99703 + addxorrol = fold_build2_loc(UNKNOWN_LOCATION, get_op(NULL), unsigned_intDI_type_node, temp, rhs);
99704 + assign = gimple_build_assign(temp, addxorrol);
99705 +#if BUILDING_GCC_VERSION <= 4007
99706 + find_referenced_vars_in(assign);
99708 + gsi_insert_after(&gsi, assign, GSI_NEW_STMT);
99709 + update_stmt(assign);
99711 + // 4. ...write latent_entropy
99712 + assign = gimple_build_assign(latent_entropy_decl, temp);
99713 +#if BUILDING_GCC_VERSION <= 4007
99714 + find_referenced_vars_in(assign);
99716 + gsi_insert_after(&gsi, assign, GSI_NEW_STMT);
99717 + update_stmt(assign);
99720 +static unsigned int execute_latent_entropy(void)
99724 + gimple_stmt_iterator gsi;
99725 + tree local_entropy;
99727 + if (!latent_entropy_decl) {
99728 + struct varpool_node *node;
99730 +#if BUILDING_GCC_VERSION <= 4007
99731 + for (node = varpool_nodes; node; node = node->next) {
99732 + tree var = node->decl;
99734 + FOR_EACH_VARIABLE(node) {
99735 + tree var = node->symbol.decl;
99737 + if (strcmp(IDENTIFIER_POINTER(DECL_NAME(var)), "latent_entropy"))
99739 + latent_entropy_decl = var;
99740 +// debug_tree(var);
99743 + if (!latent_entropy_decl) {
99744 +// debug_tree(current_function_decl);
99749 +//fprintf(stderr, "latent_entropy: %s\n", IDENTIFIER_POINTER(DECL_NAME(current_function_decl)));
99751 + // 1. create local entropy variable
99752 + local_entropy = create_tmp_var(unsigned_intDI_type_node, "local_entropy");
99753 +#if BUILDING_GCC_VERSION <= 4007
99754 + add_referenced_var(local_entropy);
99755 + mark_sym_for_renaming(local_entropy);
99758 + // 2. initialize local entropy variable
99759 + bb = split_block_after_labels(ENTRY_BLOCK_PTR)->dest;
99760 + if (dom_info_available_p(CDI_DOMINATORS))
99761 + set_immediate_dominator(CDI_DOMINATORS, bb, ENTRY_BLOCK_PTR);
99762 + gsi = gsi_start_bb(bb);
99764 + assign = gimple_build_assign(local_entropy, build_int_cstu(unsigned_intDI_type_node, get_random_const()));
99765 +// gimple_set_location(assign, loc);
99766 +#if BUILDING_GCC_VERSION <= 4007
99767 + find_referenced_vars_in(assign);
99769 + gsi_insert_after(&gsi, assign, GSI_NEW_STMT);
99770 + update_stmt(assign);
99771 + bb = bb->next_bb;
99773 + // 3. instrument each BB with an operation on the local entropy variable
99774 + while (bb != EXIT_BLOCK_PTR) {
99775 + perturb_local_entropy(bb, local_entropy);
99776 + bb = bb->next_bb;
99779 + // 4. mix local entropy into the global entropy variable
99780 + perturb_latent_entropy(EXIT_BLOCK_PTR->prev_bb, local_entropy);
99784 +static void start_unit_callback(void *gcc_data, void *user_data)
99786 + tree latent_entropy_type;
99788 +#if BUILDING_GCC_VERSION >= 4007
99789 + seed = get_random_seed(false);
99791 + sscanf(get_random_seed(false), "%" HOST_WIDE_INT_PRINT "x", &seed);
99798 + // extern volatile u64 latent_entropy
99799 + gcc_assert(TYPE_PRECISION(long_long_unsigned_type_node) == 64);
99800 + latent_entropy_type = build_qualified_type(long_long_unsigned_type_node, TYPE_QUALS(long_long_unsigned_type_node) | TYPE_QUAL_VOLATILE);
99801 + latent_entropy_decl = build_decl(UNKNOWN_LOCATION, VAR_DECL, get_identifier("latent_entropy"), latent_entropy_type);
99803 + TREE_STATIC(latent_entropy_decl) = 1;
99804 + TREE_PUBLIC(latent_entropy_decl) = 1;
99805 + TREE_USED(latent_entropy_decl) = 1;
99806 + TREE_THIS_VOLATILE(latent_entropy_decl) = 1;
99807 + DECL_EXTERNAL(latent_entropy_decl) = 1;
99808 + DECL_ARTIFICIAL(latent_entropy_decl) = 1;
99809 + DECL_INITIAL(latent_entropy_decl) = NULL;
99810 + lang_hooks.decls.pushdecl(latent_entropy_decl);
99811 +// DECL_ASSEMBLER_NAME(latent_entropy_decl);
99812 +// varpool_finalize_decl(latent_entropy_decl);
99813 +// varpool_mark_needed_node(latent_entropy_decl);
99816 +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
99818 + const char * const plugin_name = plugin_info->base_name;
99819 + struct register_pass_info latent_entropy_pass_info = {
99820 + .pass = &latent_entropy_pass.pass,
99821 + .reference_pass_name = "optimized",
99822 + .ref_pass_instance_number = 1,
99823 + .pos_op = PASS_POS_INSERT_BEFORE
99826 + if (!plugin_default_version_check(version, &gcc_version)) {
99827 + error(G_("incompatible gcc/plugin versions"));
99831 + register_callback(plugin_name, PLUGIN_INFO, NULL, &latent_entropy_plugin_info);
99832 + register_callback ("start_unit", PLUGIN_START_UNIT, &start_unit_callback, NULL);
99833 + register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &latent_entropy_pass_info);
99834 + register_callback(plugin_name, PLUGIN_ATTRIBUTES, register_attributes, NULL);
99838 diff --git a/tools/gcc/size_overflow_hash.data b/tools/gcc/size_overflow_hash.data
99839 new file mode 100644
99840 index 0000000..b04803b
99842 +++ b/tools/gcc/size_overflow_hash.data
99844 +intel_fake_agp_alloc_by_type_1 intel_fake_agp_alloc_by_type 1 1 NULL
99845 +batadv_orig_node_del_if_4 batadv_orig_node_del_if 2 4 NULL
99846 +storvsc_connect_to_vsp_22 storvsc_connect_to_vsp 2 22 NULL
99847 +compat_sock_setsockopt_23 compat_sock_setsockopt 5 23 NULL
99848 +carl9170_alloc_27 carl9170_alloc 1 27 NULL
99849 +sel_read_policyvers_55 sel_read_policyvers 3 55 NULL nohasharray
99850 +padzero_55 padzero 1 55 &sel_read_policyvers_55
99851 +cfg80211_disconnected_57 cfg80211_disconnected 4 57 NULL
99852 +__skb_to_sgvec_72 __skb_to_sgvec 0 72 NULL
99853 +crypto_authenc_setkey_80 crypto_authenc_setkey 3 80 NULL
99854 +snd_korg1212_copy_to_92 snd_korg1212_copy_to 6 92 NULL
99855 +load_msg_95 load_msg 2 95 NULL
99856 +device_flush_iotlb_115 device_flush_iotlb 2-3 115 NULL
99857 +init_q_132 init_q 4 132 NULL
99858 +memstick_alloc_host_142 memstick_alloc_host 1 142 NULL
99859 +hva_to_gfn_memslot_149 hva_to_gfn_memslot 0-1 149 NULL
99860 +tracing_trace_options_write_153 tracing_trace_options_write 3 153 NULL
99861 +nvme_create_queue_170 nvme_create_queue 3 170 NULL
99862 +xfs_buf_item_get_format_189 xfs_buf_item_get_format 2 189 NULL
99863 +iscsi_session_setup_196 iscsi_session_setup 4-5 196 NULL
99864 +virtblk_add_req_197 virtblk_add_req 2-3 197 NULL
99865 +proc_scsi_write_proc_267 proc_scsi_write_proc 3 267 NULL
99866 +br_port_info_size_268 br_port_info_size 0 268 NULL
99867 +generic_file_direct_write_291 generic_file_direct_write 0 291 NULL
99868 +read_file_war_stats_292 read_file_war_stats 3 292 NULL
99869 +SYSC_connect_304 SYSC_connect 3 304 NULL
99870 +syslog_print_307 syslog_print 2 307 NULL
99871 +platform_device_add_data_310 platform_device_add_data 3 310 NULL
99872 +dn_setsockopt_314 dn_setsockopt 5 314 NULL
99873 +next_node_allowed_318 next_node_allowed 1 318 NULL
99874 +compat_sys_ioctl_333 compat_sys_ioctl 3 333 NULL
99875 +btmrvl_txdnldready_read_413 btmrvl_txdnldready_read 3 413 NULL
99876 +lbs_rdmac_read_418 lbs_rdmac_read 3 418 NULL
99877 +snd_ca0106_ptr_read_467 snd_ca0106_ptr_read 0 467 NULL
99878 +_alloc_get_attr_desc_470 _alloc_get_attr_desc 2 470 NULL
99879 +dccp_manip_pkt_476 dccp_manip_pkt 4 476 NULL
99880 +nvme_trans_modesel_data_488 nvme_trans_modesel_data 4 488 NULL
99881 +pidlist_resize_496 pidlist_resize 2 496 NULL
99882 +read_vbt_r0_503 read_vbt_r0 1 503 NULL
99883 +rx_rx_defrag_end_read_505 rx_rx_defrag_end_read 3 505 NULL
99884 +ocfs2_validate_meta_ecc_bhs_527 ocfs2_validate_meta_ecc_bhs 0 527 NULL
99885 +zlib_deflate_workspacesize_537 zlib_deflate_workspacesize 0 537 NULL
99886 +iwl_dbgfs_wowlan_sram_read_540 iwl_dbgfs_wowlan_sram_read 3 540 NULL
99887 +dle_count_543 dle_count 0 543 NULL
99888 +devres_alloc_551 devres_alloc 2 551 NULL
99889 +snd_aw2_saa7146_get_hw_ptr_playback_558 snd_aw2_saa7146_get_hw_ptr_playback 0 558 NULL
99890 +dev_hard_header_565 dev_hard_header 0 565 NULL nohasharray
99891 +start_isoc_chain_565 start_isoc_chain 2 565 &dev_hard_header_565
99892 +compat_sys_preadv_583 compat_sys_preadv 3 583 NULL
99893 +smk_write_load_self2_591 smk_write_load_self2 3 591 NULL
99894 +ni_gpct_device_construct_610 ni_gpct_device_construct 5 610 NULL
99895 +fuse_request_alloc_nofs_617 fuse_request_alloc_nofs 1 617 NULL
99896 +compat_sys_shmat_620 compat_sys_shmat 3 620 NULL
99897 +isp1760_register_628 isp1760_register 1-2 628 NULL
99898 +clone_split_bio_633 clone_split_bio 6 633 NULL
99899 +ceph_osdc_new_request_635 ceph_osdc_new_request 6 635 NULL
99900 +remap_to_cache_640 remap_to_cache 3 640 NULL
99901 +drbd_bm_find_next_643 drbd_bm_find_next 2 643 NULL
99902 +unlink_queued_645 unlink_queued 3-4 645 NULL
99903 +dtim_interval_read_654 dtim_interval_read 3 654 NULL
99904 +mem_rx_free_mem_blks_read_675 mem_rx_free_mem_blks_read 3 675 NULL
99905 +rtl8169_try_rx_copy_705 rtl8169_try_rx_copy 3 705 NULL
99906 +persistent_ram_vmap_709 persistent_ram_vmap 1-2 709 NULL
99907 +ipath_resize_cq_712 ipath_resize_cq 2 712 NULL
99908 +disk_max_parts_719 disk_max_parts 0 719 NULL
99909 +sctp_setsockopt_peer_addr_params_734 sctp_setsockopt_peer_addr_params 3 734 NULL
99910 +dvb_video_write_754 dvb_video_write 3 754 NULL
99911 +if_writecmd_815 if_writecmd 2 815 NULL
99912 +aac_change_queue_depth_825 aac_change_queue_depth 2 825 NULL
99913 +read_fifo_826 read_fifo 3 826 NULL
99914 +um_idi_read_850 um_idi_read 3 850 NULL
99915 +ieee80211_if_fmt_rc_rateidx_mcs_mask_5ghz_856 ieee80211_if_fmt_rc_rateidx_mcs_mask_5ghz 3 856 NULL
99916 +o2net_send_message_vec_879 o2net_send_message_vec 4 879 NULL nohasharray
99917 +iwl_dbgfs_fh_reg_read_879 iwl_dbgfs_fh_reg_read 3 879 &o2net_send_message_vec_879
99918 +snd_pcm_action_single_905 snd_pcm_action_single 0 905 NULL
99919 +btmrvl_hsstate_read_920 btmrvl_hsstate_read 3 920 NULL
99920 +carl9170_cmd_buf_950 carl9170_cmd_buf 3 950 NULL
99921 +get_ramdisk_size_954 get_ramdisk_size 0 954 NULL
99922 +__nodes_weight_956 __nodes_weight 2-0 956 NULL
99923 +sys_msgrcv_959 sys_msgrcv 3 959 NULL
99924 +pte_prefetch_gfn_to_pfn_997 pte_prefetch_gfn_to_pfn 2 997 NULL nohasharray
99925 +hdlcdev_rx_997 hdlcdev_rx 3 997 &pte_prefetch_gfn_to_pfn_997
99926 +dm_cache_set_dirty_1016 dm_cache_set_dirty 2 1016 NULL
99927 +_do_truncate_1019 _do_truncate 2 1019 NULL
99928 +smk_write_cipso2_1021 smk_write_cipso2 3 1021 NULL
99929 +gigaset_initdriver_1060 gigaset_initdriver 2 1060 NULL
99930 +Read_hfc16_1070 Read_hfc16 0 1070 NULL
99931 +mce_request_packet_1073 mce_request_packet 3 1073 NULL
99932 +agp_create_memory_1075 agp_create_memory 1 1075 NULL
99933 +_scsih_adjust_queue_depth_1083 _scsih_adjust_queue_depth 2 1083 NULL
99934 +nfs_pgarray_set_1085 nfs_pgarray_set 2 1085 NULL
99935 +llcp_sock_sendmsg_1092 llcp_sock_sendmsg 4 1092 NULL
99936 +nfs4_init_nonuniform_client_string_1097 nfs4_init_nonuniform_client_string 3 1097 NULL
99937 +sys_mremap_1107 sys_mremap 5-1-2 1107 NULL
99938 +cfg80211_report_obss_beacon_1133 cfg80211_report_obss_beacon 3 1133 NULL
99939 +vmalloc_32_1135 vmalloc_32 1 1135 NULL
99940 +dec_zcache_eph_zpages_1138 dec_zcache_eph_zpages 1 1138 NULL
99941 +i2400m_rx_ctl_1157 i2400m_rx_ctl 4 1157 NULL
99942 +ipc_alloc_1192 ipc_alloc 1 1192 NULL
99943 +ib_create_send_mad_1196 ib_create_send_mad 5 1196 NULL
99944 +i2400m_rx_ctl_ack_1199 i2400m_rx_ctl_ack 3 1199 NULL
99945 +dgrp_dpa_read_1204 dgrp_dpa_read 3 1204 NULL
99946 +i2cdev_read_1206 i2cdev_read 3 1206 NULL
99947 +ipw_packet_received_skb_1230 ipw_packet_received_skb 2 1230 NULL
99948 +acpi_battery_write_alarm_1240 acpi_battery_write_alarm 3 1240 NULL
99949 +nested_get_page_1252 nested_get_page 2 1252 NULL
99950 +ocfs2_extend_file_1266 ocfs2_extend_file 3 1266 NULL
99951 +qla4xxx_change_queue_depth_1268 qla4xxx_change_queue_depth 2 1268 NULL
99952 +ioctl_private_iw_point_1273 ioctl_private_iw_point 7 1273 NULL
99953 +batadv_tt_prepare_packet_buff_1280 batadv_tt_prepare_packet_buff 4 1280 NULL
99954 +tx_frag_in_process_called_read_1290 tx_frag_in_process_called_read 3 1290 NULL
99955 +wm_adsp_buf_alloc_1317 wm_adsp_buf_alloc 2 1317 NULL
99956 +compat_put_u64_1319 compat_put_u64 1 1319 NULL
99957 +ffs_1322 ffs 0 1322 NULL
99958 +qlcnic_pci_sriov_configure_1327 qlcnic_pci_sriov_configure 2 1327 NULL
99959 +carl9170_rx_stream_1334 carl9170_rx_stream 3 1334 NULL
99960 +btrfs_submit_compressed_write_1347 btrfs_submit_compressed_write 5 1347 NULL
99961 +gen_pool_best_fit_1348 gen_pool_best_fit 2-3-4 1348 NULL
99962 +io_mapping_create_wc_1354 io_mapping_create_wc 1-2 1354 NULL
99963 +snd_pcm_lib_write1_1358 snd_pcm_lib_write1 0-3 1358 NULL
99964 +ipx_sendmsg_1362 ipx_sendmsg 4 1362 NULL
99965 +iov_num_pages_1364 iov_num_pages 0 1364 NULL
99966 +fw_stats_raw_read_1369 fw_stats_raw_read 3 1369 NULL
99967 +ocfs2_prepare_inode_for_write_1372 ocfs2_prepare_inode_for_write 3 1372 NULL
99968 +sctp_setsockopt_initmsg_1383 sctp_setsockopt_initmsg 3 1383 NULL
99969 +do_msgsnd_1387 do_msgsnd 4 1387 NULL
99970 +zone_page_state_1393 zone_page_state 0 1393 NULL
99971 +file_read_actor_1401 file_read_actor 4 1401 NULL
99972 +vb2_dc_get_user_pages_1442 vb2_dc_get_user_pages 1-3 1442 NULL
99973 +stack_max_size_read_1445 stack_max_size_read 3 1445 NULL
99974 +tx_queue_len_read_1463 tx_queue_len_read 3 1463 NULL
99975 +xprt_alloc_1475 xprt_alloc 2 1475 NULL
99976 +SYSC_syslog_1477 SYSC_syslog 3 1477 NULL
99977 +sta_num_ps_buf_frames_read_1488 sta_num_ps_buf_frames_read 3 1488 NULL
99978 +posix_acl_permission_1495 posix_acl_permission 0 1495 NULL
99979 +tomoyo_round2_1518 tomoyo_round2 0 1518 NULL
99980 +__vfio_dma_map_1523 __vfio_dma_map 3 1523 NULL
99981 +alloc_perm_bits_1532 alloc_perm_bits 2 1532 NULL
99982 +ath6kl_init_get_fwcaps_1557 ath6kl_init_get_fwcaps 3 1557 NULL
99983 +ieee80211_if_read_dot11MeshHWMPnetDiameterTraversalTime_1589 ieee80211_if_read_dot11MeshHWMPnetDiameterTraversalTime 3 1589 NULL
99984 +fc_frame_alloc_1596 fc_frame_alloc 2 1596 NULL
99985 +packet_buffer_init_1607 packet_buffer_init 2 1607 NULL
99986 +btmrvl_hscmd_read_1614 btmrvl_hscmd_read 3 1614 NULL
99987 +v9fs_fid_xattr_get_1618 v9fs_fid_xattr_get 0 1618 NULL
99988 +btmrvl_hsmode_read_1647 btmrvl_hsmode_read 3 1647 NULL
99989 +ikconfig_read_current_1658 ikconfig_read_current 3 1658 NULL
99990 +mei_cl_recv_1665 mei_cl_recv 3 1665 NULL
99991 +netdev_feature_string_1667 netdev_feature_string 0 1667 NULL
99992 +compat_x25_ioctl_1674 compat_x25_ioctl 3 1674 NULL
99993 +rmap_add_1677 rmap_add 3 1677 NULL
99994 +configfs_read_file_1683 configfs_read_file 3 1683 NULL
99995 +coda_psdev_write_1711 coda_psdev_write 3 1711 NULL
99996 +btrfs_dir_data_len_1714 btrfs_dir_data_len 0 1714 NULL
99997 +dma_memcpy_pg_to_iovec_1725 dma_memcpy_pg_to_iovec 6 1725 NULL
99998 +tx_frag_called_read_1748 tx_frag_called_read 3 1748 NULL
99999 +compat_cdrom_generic_command_1756 compat_cdrom_generic_command 4 1756 NULL
100000 +ieee80211_new_mesh_header_1761 ieee80211_new_mesh_header 0 1761 NULL
100001 +ebt_size_mwt_1768 ebt_size_mwt 0 1768 NULL
100002 +cosa_write_1774 cosa_write 3 1774 NULL
100003 +update_macheader_1775 update_macheader 7 1775 NULL
100004 +dec_zcache_pers_zbytes_1779 dec_zcache_pers_zbytes 1 1779 NULL
100005 +fcoe_ctlr_device_add_1793 fcoe_ctlr_device_add 3 1793 NULL
100006 +__nodelist_scnprintf_1815 __nodelist_scnprintf 0-2-4 1815 NULL
100007 +alloc_pages_exact_1892 alloc_pages_exact 1 1892 NULL
100008 +rx_defrag_called_read_1897 rx_defrag_called_read 3 1897 NULL
100009 +nfs_parse_server_name_1899 nfs_parse_server_name 2 1899 NULL
100010 +SyS_add_key_1900 SyS_add_key 4 1900 NULL
100011 +isku_sysfs_write_keys_media_1910 isku_sysfs_write_keys_media 6 1910 NULL
100012 +tx_tx_retry_data_read_1926 tx_tx_retry_data_read 3 1926 NULL
100013 +memblock_alloc_base_1938 memblock_alloc_base 1-2 1938 NULL
100014 +cyttsp_probe_1940 cyttsp_probe 4 1940 NULL
100015 +ieee80211_if_fmt_dot11MeshConfirmTimeout_1945 ieee80211_if_fmt_dot11MeshConfirmTimeout 3 1945 NULL
100016 +read_swap_header_1957 read_swap_header 0 1957 NULL
100017 +ivtv_v4l2_read_1964 ivtv_v4l2_read 3 1964 NULL
100018 +sel_read_avc_hash_stats_1984 sel_read_avc_hash_stats 3 1984 NULL
100019 +__alloc_bootmem_node_1992 __alloc_bootmem_node 2-3 1992 NULL
100020 +atomic_read_unchecked_1995 atomic_read_unchecked 0 1995 NULL
100021 +batadv_tt_commit_changes_2008 batadv_tt_commit_changes 4 2008 NULL
100022 +sep_prepare_input_dma_table_2009 sep_prepare_input_dma_table 2-3 2009 NULL
100023 +rx_rx_defrag_read_2010 rx_rx_defrag_read 3 2010 NULL
100024 +ocfs2_global_qinit_alloc_2018 ocfs2_global_qinit_alloc 0 2018 NULL
100025 +write_flush_pipefs_2021 write_flush_pipefs 3 2021 NULL
100026 +BcmCopySection_2035 BcmCopySection 5 2035 NULL
100027 +devm_ioremap_nocache_2036 devm_ioremap_nocache 2-3 2036 NULL
100028 +ath6kl_fwlog_mask_read_2050 ath6kl_fwlog_mask_read 3 2050 NULL
100029 +ocfs2_expand_inline_dir_2063 ocfs2_expand_inline_dir 3 2063 NULL
100030 +subbuf_read_actor_2071 subbuf_read_actor 3 2071 NULL
100031 +iwl_dbgfs_current_sleep_command_read_2081 iwl_dbgfs_current_sleep_command_read 3 2081 NULL
100032 +idetape_chrdev_read_2097 idetape_chrdev_read 3 2097 NULL
100033 +audit_expand_2098 audit_expand 2 2098 NULL
100034 +num_pages_spanned_2105 num_pages_spanned 0 2105 NULL
100035 +iwl_dbgfs_log_event_read_2107 iwl_dbgfs_log_event_read 3 2107 NULL
100036 +ecryptfs_encrypt_and_encode_filename_2109 ecryptfs_encrypt_and_encode_filename 6 2109 NULL
100037 +__find_xattr_2117 __find_xattr 6 2117 NULL nohasharray
100038 +enable_read_2117 enable_read 3 2117 &__find_xattr_2117
100039 +pcf50633_write_block_2124 pcf50633_write_block 2-3 2124 NULL
100040 +check_load_and_stores_2143 check_load_and_stores 2 2143 NULL
100041 +lp_gpio_irq_map_2149 lp_gpio_irq_map 2 2149 NULL
100042 +mlx4_init_icm_table_2151 mlx4_init_icm_table 5-4 2151 NULL
100043 +iov_iter_count_2152 iov_iter_count 0 2152 NULL
100044 +_ore_get_io_state_2166 _ore_get_io_state 3-4-5 2166 NULL
100045 +bio_integrity_alloc_2194 bio_integrity_alloc 3 2194 NULL
100046 +ssb_bus_ssbbus_register_2217 ssb_bus_ssbbus_register 2 2217 NULL
100047 +mei_dbgfs_read_meclients_2219 mei_dbgfs_read_meclients 3 2219 NULL nohasharray
100048 +u32_array_read_2219 u32_array_read 3 2219 &mei_dbgfs_read_meclients_2219
100049 +vhci_write_2224 vhci_write 3 2224 NULL
100050 +efx_tsoh_page_count_2225 efx_tsoh_page_count 0 2225 NULL
100051 +lowpan_get_mac_header_length_2231 lowpan_get_mac_header_length 0 2231 NULL
100052 +ieee80211_if_read_dot11MeshHWMPRannInterval_2249 ieee80211_if_read_dot11MeshHWMPRannInterval 3 2249 NULL
100053 +netlbl_secattr_catmap_walk_2255 netlbl_secattr_catmap_walk 0-2 2255 NULL
100054 +sel_write_avc_cache_threshold_2256 sel_write_avc_cache_threshold 3 2256 NULL
100055 +do_update_counters_2259 do_update_counters 4 2259 NULL
100056 +ath6kl_wmi_bssinfo_event_rx_2275 ath6kl_wmi_bssinfo_event_rx 3 2275 NULL
100057 +debug_debug5_read_2291 debug_debug5_read 3 2291 NULL
100058 +kvm_clear_guest_page_2308 kvm_clear_guest_page 4-2 2308 NULL
100059 +intel_sdvo_set_value_2311 intel_sdvo_set_value 4 2311 NULL
100060 +picolcd_fb_write_2318 picolcd_fb_write 3 2318 NULL
100061 +gart_map_page_2325 gart_map_page 3-4 2325 NULL
100062 +__erst_read_to_erange_2341 __erst_read_to_erange 0 2341 NULL
100063 +zr364xx_read_2354 zr364xx_read 3 2354 NULL
100064 +viafb_iga2_odev_proc_write_2363 viafb_iga2_odev_proc_write 3 2363 NULL
100065 +SyS_mremap_2367 SyS_mremap 1-2-5 2367 NULL
100066 +xfs_buf_map_from_irec_2368 xfs_buf_map_from_irec 5 2368 NULL
100067 +il_dbgfs_sensitivity_read_2370 il_dbgfs_sensitivity_read 3 2370 NULL
100068 +rtl_port_map_2385 rtl_port_map 1-2 2385 NULL
100069 +rxpipe_rx_prep_beacon_drop_read_2403 rxpipe_rx_prep_beacon_drop_read 3 2403 NULL
100070 +SYSC_mlock_2415 SYSC_mlock 1 2415 NULL
100071 +isdn_v110_open_2418 isdn_v110_open 3 2418 NULL
100072 +raid1_size_2419 raid1_size 0-2 2419 NULL
100073 +roccat_common2_send_2422 roccat_common2_send 4 2422 NULL
100074 +hfcpci_empty_fifo_2427 hfcpci_empty_fifo 4 2427 NULL
100075 +ioremap_nocache_2439 ioremap_nocache 1-2 2439 NULL
100076 +tty_buffer_find_2443 tty_buffer_find 2 2443 NULL
100077 +ath6kl_usb_bmi_write_2454 ath6kl_usb_bmi_write 3 2454 NULL
100078 +b43legacy_debugfs_read_2473 b43legacy_debugfs_read 3 2473 NULL
100079 +update_pmkid_2481 update_pmkid 4 2481 NULL
100080 +wiphy_new_2482 wiphy_new 2 2482 NULL
100081 +bio_alloc_bioset_2484 bio_alloc_bioset 2 2484 NULL
100082 +lookup_cache_entry_2494 lookup_cache_entry 2 2494 NULL
100083 +squashfs_read_fragment_index_table_2506 squashfs_read_fragment_index_table 4 2506 NULL
100084 +dm_write_2513 dm_write 3 2513 NULL
100085 +v9fs_cached_file_read_2514 v9fs_cached_file_read 3 2514 NULL
100086 +ext4_get_inode_loc_2516 ext4_get_inode_loc 0 2516 NULL
100087 +gspca_dev_probe_2570 gspca_dev_probe 4 2570 NULL
100088 +i915_next_seqno_write_2572 i915_next_seqno_write 3 2572 NULL
100089 +pcm_sanity_check_2574 pcm_sanity_check 0 2574 NULL
100090 +slot_bytes_2609 slot_bytes 0 2609 NULL
100091 +smk_write_logging_2618 smk_write_logging 3 2618 NULL
100092 +kvm_gfn_to_hva_cache_init_2636 kvm_gfn_to_hva_cache_init 3 2636 NULL
100093 +lro_gen_skb_2644 lro_gen_skb 6 2644 NULL
100094 +nfc_llcp_send_ui_frame_2702 nfc_llcp_send_ui_frame 5 2702 NULL
100095 +memcpy_fromiovecend_2707 memcpy_fromiovecend 3-4 2707 NULL
100096 +__xip_file_write_2733 __xip_file_write 4-3 2733 NULL
100097 +hid_report_raw_event_2762 hid_report_raw_event 4 2762 NULL
100098 +mon_bin_ioctl_2771 mon_bin_ioctl 3 2771 NULL nohasharray
100099 +bictcp_update_2771 bictcp_update 2 2771 &mon_bin_ioctl_2771
100100 +__next_cpu_2782 __next_cpu 1 2782 NULL
100101 +set_msr_hyperv_pw_2785 set_msr_hyperv_pw 3 2785 NULL
100102 +sel_read_enforce_2828 sel_read_enforce 3 2828 NULL
100103 +vb2_dc_get_userptr_2829 vb2_dc_get_userptr 2-3 2829 NULL
100104 +wait_for_avail_2847 wait_for_avail 0 2847 NULL
100105 +ufs_free_fragments_2857 ufs_free_fragments 2 2857 NULL
100106 +sfq_alloc_2861 sfq_alloc 1 2861 NULL
100107 +move_addr_to_user_2868 move_addr_to_user 2 2868 NULL
100108 +mq_map_2871 mq_map 2 2871 NULL
100109 +nla_padlen_2883 nla_padlen 1 2883 NULL
100110 +cmm_write_2896 cmm_write 3 2896 NULL
100111 +alloc_page_cgroup_2919 alloc_page_cgroup 1 2919 NULL
100112 +xfs_trans_get_buf_map_2927 xfs_trans_get_buf_map 4 2927 NULL
100113 +nes_read_indexed_2946 nes_read_indexed 0 2946 NULL
100114 +tm6000_i2c_recv_regs16_2949 tm6000_i2c_recv_regs16 5 2949 NULL
100115 +set_fast_connectable_2952 set_fast_connectable 4 2952 NULL
100116 +ppp_cp_event_2965 ppp_cp_event 6 2965 NULL
100117 +do_strnlen_user_2976 do_strnlen_user 0-2 2976 NULL
100118 +p9_nr_pages_2992 p9_nr_pages 0-2 2992 NULL
100119 +do_dmabuf_dirty_sou_3017 do_dmabuf_dirty_sou 7 3017 NULL
100120 +depth_write_3021 depth_write 3 3021 NULL
100121 +snd_azf3328_codec_inl_3022 snd_azf3328_codec_inl 0 3022 NULL
100122 +xfrm_dst_alloc_copy_3034 xfrm_dst_alloc_copy 3 3034 NULL
100123 +iwl_dbgfs_sleep_level_override_read_3038 iwl_dbgfs_sleep_level_override_read 3 3038 NULL
100124 +nr_free_buffer_pages_3044 nr_free_buffer_pages 0 3044 NULL
100125 +il3945_ucode_rx_stats_read_3048 il3945_ucode_rx_stats_read 3 3048 NULL
100126 +qp_alloc_ppn_set_3068 qp_alloc_ppn_set 2-4 3068 NULL
100127 +__blk_end_bidi_request_3070 __blk_end_bidi_request 3-4 3070 NULL
100128 +dac960_user_command_proc_write_3071 dac960_user_command_proc_write 3 3071 NULL
100129 +free_coherent_3082 free_coherent 4-2 3082 NULL
100130 +clone_bio_3100 clone_bio 6 3100 NULL nohasharray
100131 +ttusb2_msg_3100 ttusb2_msg 4 3100 &clone_bio_3100
100132 +rb_alloc_3102 rb_alloc 1 3102 NULL
100133 +simple_write_to_buffer_3122 simple_write_to_buffer 5-2 3122 NULL
100134 +print_time_3132 print_time 0 3132 NULL
100135 +fill_write_buffer_3142 fill_write_buffer 3 3142 NULL
100136 +CIFSSMBSetPosixACL_3154 CIFSSMBSetPosixACL 5 3154 NULL
100137 +compat_sys_migrate_pages_3157 compat_sys_migrate_pages 2 3157 NULL
100138 +uv_num_possible_blades_3177 uv_num_possible_blades 0 3177 NULL
100139 +uvc_video_stats_dump_3181 uvc_video_stats_dump 3 3181 NULL
100140 +compat_do_ip6t_set_ctl_3184 compat_do_ip6t_set_ctl 4 3184 NULL
100141 +mempool_create_node_3191 mempool_create_node 1 3191 NULL
100142 +alloc_context_3194 alloc_context 1 3194 NULL
100143 +shmem_pread_slow_3198 shmem_pread_slow 3 3198 NULL
100144 +SyS_sendto_3219 SyS_sendto 6 3219 NULL
100145 +kimage_crash_alloc_3233 kimage_crash_alloc 3 3233 NULL
100146 +do_read_log_to_user_3236 do_read_log_to_user 4 3236 NULL
100147 +ext3_xattr_find_entry_3237 ext3_xattr_find_entry 0 3237 NULL
100148 +key_key_read_3241 key_key_read 3 3241 NULL
100149 +number_3243 number 0 3243 NULL
100150 +check_vendor_extension_3254 check_vendor_extension 1 3254 NULL
100151 +__ilog2_u64_3284 __ilog2_u64 0 3284 NULL
100152 +arvo_sysfs_write_3311 arvo_sysfs_write 6 3311 NULL
100153 +dbDiscardAG_3322 dbDiscardAG 3 3322 NULL
100154 +compat_sys_setsockopt_3326 compat_sys_setsockopt 5 3326 NULL
100155 +aac_rkt_ioremap_3333 aac_rkt_ioremap 2 3333 NULL
100156 +read_from_oldmem_3337 read_from_oldmem 2 3337 NULL
100157 +tty_port_register_device_attr_3341 tty_port_register_device_attr 3 3341 NULL
100158 +il_dbgfs_interrupt_read_3351 il_dbgfs_interrupt_read 3 3351 NULL
100159 +gsm_control_rls_3353 gsm_control_rls 3 3353 NULL
100160 +scnprintf_3360 scnprintf 0-2 3360 NULL
100161 +x86_emulate_instruction_3389 x86_emulate_instruction 2 3389 NULL
100162 +mtdchar_writeoob_3393 mtdchar_writeoob 4 3393 NULL
100163 +send_stream_3397 send_stream 4 3397 NULL
100164 +isdn_readbchan_3401 isdn_readbchan 0-5 3401 NULL
100165 +msix_map_region_3411 msix_map_region 3 3411 NULL
100166 +mei_io_cb_alloc_resp_buf_3414 mei_io_cb_alloc_resp_buf 2 3414 NULL
100167 +pci_add_cap_save_buffer_3426 pci_add_cap_save_buffer 3 3426 NULL
100168 +crystalhd_create_dio_pool_3427 crystalhd_create_dio_pool 2 3427 NULL
100169 +SyS_msgsnd_3436 SyS_msgsnd 3 3436 NULL
100170 +pipe_iov_copy_to_user_3447 pipe_iov_copy_to_user 3 3447 NULL
100171 +percpu_modalloc_3448 percpu_modalloc 2-3 3448 NULL
100172 +map_single_3449 map_single 0-2 3449 NULL
100173 +jffs2_acl_setxattr_3464 jffs2_acl_setxattr 4 3464 NULL nohasharray
100174 +snd_pcm_lib_readv_transfer_3464 snd_pcm_lib_readv_transfer 4-2-5 3464 &jffs2_acl_setxattr_3464
100175 +alloc_skb_fclone_3467 alloc_skb_fclone 1 3467 NULL
100176 +security_context_to_sid_default_3492 security_context_to_sid_default 2 3492 NULL
100177 +xfrm_migrate_msgsize_3496 xfrm_migrate_msgsize 1 3496 NULL
100178 +kvm_handle_bad_page_3503 kvm_handle_bad_page 2 3503 NULL
100179 +mem_tx_free_mem_blks_read_3521 mem_tx_free_mem_blks_read 3 3521 NULL nohasharray
100180 +ieee80211_wx_set_gen_ie_rsl_3521 ieee80211_wx_set_gen_ie_rsl 3 3521 &mem_tx_free_mem_blks_read_3521
100181 +SyS_readv_3539 SyS_readv 3 3539 NULL
100182 +btrfs_dir_name_len_3549 btrfs_dir_name_len 0 3549 NULL
100183 +b43legacy_read16_3561 b43legacy_read16 0 3561 NULL
100184 +alloc_smp_resp_3566 alloc_smp_resp 1 3566 NULL
100185 +evtchn_read_3569 evtchn_read 3 3569 NULL
100186 +vc_resize_3585 vc_resize 2-3 3585 NULL
100187 +compat_sys_semtimedop_3606 compat_sys_semtimedop 3 3606 NULL
100188 +sctp_getsockopt_events_3607 sctp_getsockopt_events 2 3607 NULL
100189 +edac_mc_alloc_3611 edac_mc_alloc 4 3611 NULL
100190 +tx_tx_starts_read_3617 tx_tx_starts_read 3 3617 NULL
100191 +aligned_kmalloc_3628 aligned_kmalloc 1 3628 NULL
100192 +x86_swiotlb_alloc_coherent_3649 x86_swiotlb_alloc_coherent 2 3649 NULL nohasharray
100193 +cm_copy_private_data_3649 cm_copy_private_data 2 3649 &x86_swiotlb_alloc_coherent_3649
100194 +ath6kl_disconnect_timeout_read_3650 ath6kl_disconnect_timeout_read 3 3650 NULL
100195 +i915_compat_ioctl_3656 i915_compat_ioctl 2 3656 NULL
100196 +snd_m3_assp_read_3703 snd_m3_assp_read 0 3703 NULL nohasharray
100197 +create_irq_3703 create_irq 0 3703 &snd_m3_assp_read_3703 nohasharray
100198 +btmrvl_psmode_write_3703 btmrvl_psmode_write 3 3703 &create_irq_3703
100199 +videobuf_pages_to_sg_3708 videobuf_pages_to_sg 2 3708 NULL
100200 +ci_ll_write_3740 ci_ll_write 4 3740 NULL nohasharray
100201 +ath6kl_mgmt_tx_3740 ath6kl_mgmt_tx 7 3740 &ci_ll_write_3740
100202 +sctp_setsockopt_auth_key_3793 sctp_setsockopt_auth_key 3 3793 NULL
100203 +ncp_file_write_3813 ncp_file_write 3 3813 NULL
100204 +read_file_tx_chainmask_3829 read_file_tx_chainmask 3 3829 NULL
100205 +stringify_nodemap_3842 stringify_nodemap 2 3842 NULL
100206 +ubi_eba_read_leb_3847 ubi_eba_read_leb 0 3847 NULL
100207 +create_one_cdev_3852 create_one_cdev 2 3852 NULL
100208 +smk_read_onlycap_3855 smk_read_onlycap 3 3855 NULL
100209 +get_fd_set_3866 get_fd_set 1 3866 NULL
100210 +garp_attr_create_3883 garp_attr_create 3 3883 NULL
100211 +uea_send_modem_cmd_3888 uea_send_modem_cmd 3 3888 NULL
100212 +efivarfs_file_read_3893 efivarfs_file_read 3 3893 NULL
100213 +nvram_write_3894 nvram_write 3 3894 NULL
100214 +pipeline_pre_proc_swi_read_3898 pipeline_pre_proc_swi_read 3 3898 NULL
100215 +comedi_buf_read_n_available_3899 comedi_buf_read_n_available 0 3899 NULL
100216 +vcs_write_3910 vcs_write 3 3910 NULL
100217 +brcmf_debugfs_fws_stats_read_3947 brcmf_debugfs_fws_stats_read 3 3947 NULL
100218 +atalk_compat_ioctl_3991 atalk_compat_ioctl 3 3991 NULL
100219 +do_add_counters_3992 do_add_counters 3 3992 NULL
100220 +userspace_status_4004 userspace_status 4 4004 NULL
100221 +mei_write_4005 mei_write 3 4005 NULL nohasharray
100222 +xfs_check_block_4005 xfs_check_block 4 4005 &mei_write_4005
100223 +snd_hdsp_capture_copy_4011 snd_hdsp_capture_copy 5 4011 NULL
100224 +mm_populate_4016 mm_populate 1 4016 NULL
100225 +blk_end_request_4024 blk_end_request 3 4024 NULL
100226 +ext4_xattr_find_entry_4025 ext4_xattr_find_entry 0 4025 NULL
100227 +usbnet_write_cmd_async_4035 usbnet_write_cmd_async 7 4035 NULL
100228 +read_file_queues_4078 read_file_queues 3 4078 NULL
100229 +fbcon_do_set_font_4079 fbcon_do_set_font 2-3 4079 NULL
100230 +da9052_free_irq_4090 da9052_free_irq 2 4090 NULL
100231 +C_SYSC_rt_sigpending_4114 C_SYSC_rt_sigpending 2 4114 NULL
100232 +ntb_netdev_change_mtu_4147 ntb_netdev_change_mtu 2 4147 NULL
100233 +tm6000_read_4151 tm6000_read 3 4151 NULL
100234 +mpt_raid_phys_disk_get_num_paths_4155 mpt_raid_phys_disk_get_num_paths 0 4155 NULL
100235 +msg_bits_4158 msg_bits 0-3-4 4158 NULL
100236 +get_alua_req_4166 get_alua_req 3 4166 NULL
100237 +blk_dropped_read_4168 blk_dropped_read 3 4168 NULL
100238 +read_file_bool_4180 read_file_bool 3 4180 NULL
100239 +f1x_determine_channel_4202 f1x_determine_channel 2 4202 NULL
100240 +_osd_req_list_objects_4204 _osd_req_list_objects 6 4204 NULL
100241 +__snd_gf1_read_addr_4210 __snd_gf1_read_addr 0 4210 NULL
100242 +goldfish_audio_write_4284 goldfish_audio_write 3 4284 NULL
100243 +paging32_page_fault_4288 paging32_page_fault 2 4288 NULL
100244 +xt_compat_add_offset_4289 xt_compat_add_offset 0 4289 NULL
100245 +__usbnet_read_cmd_4299 __usbnet_read_cmd 7 4299 NULL
100246 +dvb_ringbuffer_pkt_read_user_4303 dvb_ringbuffer_pkt_read_user 3-2-5 4303 NULL
100247 +nouveau_fifo_create__4327 nouveau_fifo_create_ 5-6 4327 NULL
100248 +snd_rawmidi_kernel_read_4328 snd_rawmidi_kernel_read 3 4328 NULL
100249 +__copy_from_user_inatomic_4365 __copy_from_user_inatomic 3 4365 NULL
100250 +sys_setdomainname_4373 sys_setdomainname 2 4373 NULL
100251 +irda_sendmsg_4388 irda_sendmsg 4 4388 NULL
100252 +access_process_vm_4412 access_process_vm 0-2-4 4412 NULL nohasharray
100253 +cxacru_cm_get_array_4412 cxacru_cm_get_array 4 4412 &access_process_vm_4412
100254 +libfc_vport_create_4415 libfc_vport_create 2 4415 NULL
100255 +do_pages_stat_4437 do_pages_stat 2 4437 NULL
100256 +memparse_4444 memparse 0 4444 NULL
100257 +at76_set_card_command_4471 at76_set_card_command 4 4471 NULL
100258 +snd_seq_expand_var_event_4481 snd_seq_expand_var_event 0-5 4481 NULL
100259 +sys_semtimedop_4486 sys_semtimedop 3 4486 NULL
100260 +vmbus_establish_gpadl_4495 vmbus_establish_gpadl 3 4495 NULL
100261 +set_link_security_4502 set_link_security 4 4502 NULL
100262 +dm_cache_remove_mapping_4513 dm_cache_remove_mapping 2 4513 NULL
100263 +__gfn_to_pfn_memslot_4530 __gfn_to_pfn_memslot 2 4530 NULL
100264 +sys_llistxattr_4532 sys_llistxattr 3 4532 NULL
100265 +da9052_group_write_4534 da9052_group_write 2-3 4534 NULL
100266 +tty_register_device_4544 tty_register_device 2 4544 NULL
100267 +videobuf_vmalloc_to_sg_4548 videobuf_vmalloc_to_sg 2 4548 NULL
100268 +btrfs_file_extent_inline_item_len_4575 btrfs_file_extent_inline_item_len 0 4575 NULL
100269 +xfs_buf_get_maps_4581 xfs_buf_get_maps 2 4581 NULL
100270 +bch_alloc_4593 bch_alloc 1 4593 NULL
100271 +__wb_force_remove_mapping_4622 __wb_force_remove_mapping 2 4622 NULL
100272 +iwl_dbgfs_tx_queue_read_4635 iwl_dbgfs_tx_queue_read 3 4635 NULL
100273 +skb_add_data_nocache_4682 skb_add_data_nocache 4 4682 NULL
100274 +cx18_read_pos_4683 cx18_read_pos 3 4683 NULL
100275 +short_retry_limit_read_4687 short_retry_limit_read 3 4687 NULL
100276 +kone_receive_4690 kone_receive 4 4690 NULL
100277 +round_pipe_size_4701 round_pipe_size 0 4701 NULL
100278 +cxgbi_alloc_big_mem_4707 cxgbi_alloc_big_mem 1 4707 NULL
100279 +konepure_sysfs_read_4709 konepure_sysfs_read 6 4709 NULL
100280 +btmrvl_gpiogap_read_4718 btmrvl_gpiogap_read 3 4718 NULL
100281 +ati_create_gatt_pages_4722 ati_create_gatt_pages 1 4722 NULL nohasharray
100282 +show_header_4722 show_header 3 4722 &ati_create_gatt_pages_4722
100283 +__find_free_cblock_4741 __find_free_cblock 2 4741 NULL
100284 +memblock_find_in_range_4759 memblock_find_in_range 3-4 4759 NULL
100285 +pwr_rcvd_bcns_cnt_read_4774 pwr_rcvd_bcns_cnt_read 3 4774 NULL
100286 +create_subvol_4791 create_subvol 4 4791 NULL
100287 +ncp__vol2io_4804 ncp__vol2io 5 4804 NULL
100288 +repair_io_failure_4815 repair_io_failure 4 4815 NULL
100289 +gigaset_if_receive_4861 gigaset_if_receive 3 4861 NULL
100290 +key_tx_spec_read_4862 key_tx_spec_read 3 4862 NULL
100291 +ocfs2_defrag_extent_4873 ocfs2_defrag_extent 3 4873 NULL
100292 +hid_register_field_4874 hid_register_field 2-3 4874 NULL
100293 +vga_arb_read_4886 vga_arb_read 3 4886 NULL
100294 +sys_ipc_4889 sys_ipc 3 4889 NULL
100295 +sys_process_vm_writev_4928 sys_process_vm_writev 3-5 4928 NULL
100296 +ntfs_rl_insert_4931 ntfs_rl_insert 2-4 4931 NULL
100297 +ieee80211_if_fmt_ave_beacon_4941 ieee80211_if_fmt_ave_beacon 3 4941 NULL
100298 +devm_kzalloc_4966 devm_kzalloc 2 4966 NULL
100299 +compat_rawv6_setsockopt_4967 compat_rawv6_setsockopt 5 4967 NULL
100300 +skb_network_header_len_4971 skb_network_header_len 0 4971 NULL
100301 +ieee80211_if_fmt_dot11MeshHWMPconfirmationInterval_4976 ieee80211_if_fmt_dot11MeshHWMPconfirmationInterval 3 4976 NULL
100302 +vmw_surface_define_size_4993 vmw_surface_define_size 0 4993 NULL
100303 +compat_SyS_ipc_5000 compat_SyS_ipc 3-4-5-6 5000 NULL
100304 +qla82xx_pci_mem_write_direct_5008 qla82xx_pci_mem_write_direct 2 5008 NULL
100305 +do_mincore_5018 do_mincore 0-1 5018 NULL
100306 +mtd_device_parse_register_5024 mtd_device_parse_register 5 5024 NULL
100307 +ocfs2_check_range_for_holes_5066 ocfs2_check_range_for_holes 2-3 5066 NULL
100308 +snd_mixart_BA1_read_5082 snd_mixart_BA1_read 5 5082 NULL
100309 +snd_emu10k1_ptr20_read_5087 snd_emu10k1_ptr20_read 0 5087 NULL
100310 +get_random_bytes_5091 get_random_bytes 2 5091 NULL nohasharray
100311 +kfifo_copy_from_user_5091 kfifo_copy_from_user 3 5091 &get_random_bytes_5091 nohasharray
100312 +blk_rq_sectors_5091 blk_rq_sectors 0 5091 &kfifo_copy_from_user_5091
100313 +mpol_to_str_5093 mpol_to_str 2 5093 NULL
100314 +sound_write_5102 sound_write 3 5102 NULL
100315 +clear_dirty_5105 clear_dirty 3 5105 NULL
100316 +ufs_add_fragments_5144 ufs_add_fragments 2 5144 NULL
100317 +compat_ptr_5159 compat_ptr 0-1 5159 NULL
100318 +__uwb_addr_print_5161 __uwb_addr_print 2 5161 NULL
100319 +iwl_dbgfs_status_read_5171 iwl_dbgfs_status_read 3 5171 NULL
100320 +acpi_pcc_get_sqty_5176 acpi_pcc_get_sqty 0 5176 NULL
100321 +sfi_map_memory_5183 sfi_map_memory 1-2 5183 NULL
100322 +skb_network_header_5203 skb_network_header 0 5203 NULL
100323 +pipe_set_size_5204 pipe_set_size 2 5204 NULL
100324 +ppp_cp_parse_cr_5214 ppp_cp_parse_cr 4 5214 NULL
100325 +dwc2_hcd_urb_alloc_5217 dwc2_hcd_urb_alloc 2 5217 NULL
100326 +ath6kl_debug_roam_tbl_event_5224 ath6kl_debug_roam_tbl_event 3 5224 NULL
100327 +ssb_ioremap_5228 ssb_ioremap 2 5228 NULL nohasharray
100328 +konepure_sysfs_write_5228 konepure_sysfs_write 6 5228 &ssb_ioremap_5228
100329 +isdn_ppp_skb_push_5236 isdn_ppp_skb_push 2 5236 NULL
100330 +do_atmif_sioc_5247 do_atmif_sioc 3 5247 NULL
100331 +gfn_to_hva_memslot_5265 gfn_to_hva_memslot 2 5265 NULL
100332 +alloc_cache_blocks_with_hash_5285 alloc_cache_blocks_with_hash 2 5285 NULL
100333 +__gfn_to_hva_memslot_5304 __gfn_to_hva_memslot 0-2 5304 NULL
100334 +sbc_get_write_same_sectors_5317 sbc_get_write_same_sectors 0 5317 NULL
100335 +pwr_elp_enter_read_5324 pwr_elp_enter_read 3 5324 NULL
100336 +allocate_cnodes_5329 allocate_cnodes 1 5329 NULL
100337 +ps_pspoll_utilization_read_5361 ps_pspoll_utilization_read 3 5361 NULL
100338 +cciss_allocate_sg_chain_blocks_5368 cciss_allocate_sg_chain_blocks 3-2 5368 NULL
100339 +kvm_pin_pages_5369 kvm_pin_pages 2 5369 NULL
100340 +bitmap_fold_5396 bitmap_fold 4 5396 NULL
100341 +nilfs_palloc_entries_per_group_5418 nilfs_palloc_entries_per_group 0 5418 NULL
100342 +sfi_map_table_5462 sfi_map_table 1 5462 NULL
100343 +xfs_efd_init_5463 xfs_efd_init 3 5463 NULL
100344 +xfs_efi_init_5476 xfs_efi_init 2 5476 NULL
100345 +ubi_leb_write_5478 ubi_leb_write 4-5 5478 NULL
100346 +cifs_security_flags_proc_write_5484 cifs_security_flags_proc_write 3 5484 NULL
100347 +tty_write_5494 tty_write 3 5494 NULL
100348 +tomoyo_update_domain_5498 tomoyo_update_domain 2 5498 NULL nohasharray
100349 +ieee80211_if_fmt_last_beacon_5498 ieee80211_if_fmt_last_beacon 3 5498 &tomoyo_update_domain_5498
100350 +__max_nr_grant_frames_5505 __max_nr_grant_frames 0 5505 NULL
100351 +spidev_message_5518 spidev_message 3 5518 NULL
100352 +ieee80211_if_fmt_auto_open_plinks_5534 ieee80211_if_fmt_auto_open_plinks 3 5534 NULL
100353 +get_entry_msg_len_5552 get_entry_msg_len 0 5552 NULL
100354 +brcmu_pkt_buf_get_skb_5556 brcmu_pkt_buf_get_skb 1 5556 NULL
100355 +le_readq_5557 le_readq 0 5557 NULL
100356 +inw_5558 inw 0 5558 NULL
100357 +fir16_create_5574 fir16_create 3 5574 NULL
100358 +bioset_create_5580 bioset_create 1 5580 NULL
100359 +oz_ep_alloc_5587 oz_ep_alloc 2 5587 NULL
100360 +usb_dump_device_descriptor_5599 usb_dump_device_descriptor 0 5599 NULL
100361 +ldm_frag_add_5611 ldm_frag_add 2 5611 NULL
100362 +compat_copy_entries_5617 compat_copy_entries 0 5617 NULL
100363 +SYSC_fsetxattr_5639 SYSC_fsetxattr 4 5639 NULL
100364 +ext4_xattr_get_5661 ext4_xattr_get 0 5661 NULL
100365 +posix_clock_register_5662 posix_clock_register 2 5662 NULL
100366 +mthca_map_reg_5664 mthca_map_reg 2-3 5664 NULL
100367 +__videobuf_alloc_vb_5665 __videobuf_alloc_vb 1 5665 NULL
100368 +wb_clear_dirty_5684 wb_clear_dirty 2 5684 NULL
100369 +get_arg_5694 get_arg 3 5694 NULL
100370 +subbuf_read_actor_5708 subbuf_read_actor 3 5708 NULL
100371 +vmw_kms_readback_5727 vmw_kms_readback 6 5727 NULL
100372 +reexecute_instruction_5733 reexecute_instruction 2 5733 NULL
100373 +rts51x_transfer_data_partial_5735 rts51x_transfer_data_partial 6 5735 NULL
100374 +ubi_cdev_compat_ioctl_5746 ubi_cdev_compat_ioctl 3 5746 NULL
100375 +sctp_setsockopt_autoclose_5775 sctp_setsockopt_autoclose 3 5775 NULL nohasharray
100376 +qlcnic_83xx_sysfs_flash_read_handler_5775 qlcnic_83xx_sysfs_flash_read_handler 6 5775 &sctp_setsockopt_autoclose_5775
100377 +compat_sys_writev_5784 compat_sys_writev 3 5784 NULL
100378 +__vxge_hw_blockpool_malloc_5786 __vxge_hw_blockpool_malloc 2 5786 NULL
100379 +skb_copy_datagram_iovec_5806 skb_copy_datagram_iovec 2-4 5806 NULL
100380 +nv50_disp_pioc_create__5812 nv50_disp_pioc_create_ 5 5812 NULL
100381 +ceph_x_encrypt_buflen_5829 ceph_x_encrypt_buflen 0-1 5829 NULL
100382 +autofs4_root_compat_ioctl_5838 autofs4_root_compat_ioctl 3 5838 NULL
100383 +ceph_msg_new_5846 ceph_msg_new 2 5846 NULL
100384 +ixgb_check_copybreak_5847 ixgb_check_copybreak 3 5847 NULL
100385 +setup_req_5848 setup_req 3 5848 NULL
100386 +rx_filter_max_arp_queue_dep_read_5851 rx_filter_max_arp_queue_dep_read 3 5851 NULL
100387 +compat_sys_move_pages_5861 compat_sys_move_pages 2 5861 NULL nohasharray
100388 +uinput_compat_ioctl_5861 uinput_compat_ioctl 3 5861 &compat_sys_move_pages_5861
100389 +paging64_walk_addr_5887 paging64_walk_addr 3 5887 NULL
100390 +port_show_regs_5904 port_show_regs 3 5904 NULL
100391 +rbd_segment_length_5907 rbd_segment_length 0-3-2 5907 NULL
100392 +uhci_debug_read_5911 uhci_debug_read 3 5911 NULL
100393 +qla82xx_pci_mem_read_2M_5912 qla82xx_pci_mem_read_2M 2 5912 NULL
100394 +ttm_bo_kmap_ttm_5922 ttm_bo_kmap_ttm 3 5922 NULL
100395 +lbs_highsnr_read_5931 lbs_highsnr_read 3 5931 NULL
100396 +ps_poll_ps_poll_timeouts_read_5934 ps_poll_ps_poll_timeouts_read 3 5934 NULL
100397 +edac_device_alloc_ctl_info_5941 edac_device_alloc_ctl_info 1 5941 NULL
100398 +tipc_subseq_alloc_5957 tipc_subseq_alloc 1 5957 NULL
100399 +__apu_get_register_5967 __apu_get_register 0 5967 NULL
100400 +ieee80211_if_fmt_rc_rateidx_mask_5ghz_5971 ieee80211_if_fmt_rc_rateidx_mask_5ghz 3 5971 NULL
100401 +native_pte_val_5978 native_pte_val 0 5978 NULL
100402 +SyS_semop_5980 SyS_semop 3 5980 NULL
100403 +ntfs_rl_append_6037 ntfs_rl_append 2-4 6037 NULL
100404 +da9052_request_irq_6058 da9052_request_irq 2 6058 NULL
100405 +sctp_setsockopt_connectx_6073 sctp_setsockopt_connectx 3 6073 NULL
100406 +rts51x_ms_rw_multi_sector_6076 rts51x_ms_rw_multi_sector 3-4 6076 NULL
100407 +md_trim_bio_6078 md_trim_bio 2 6078 NULL
100408 +ipmi_addr_length_6110 ipmi_addr_length 0 6110 NULL
100409 +dfs_global_file_write_6112 dfs_global_file_write 3 6112 NULL
100410 +matrix_keypad_build_keymap_6129 matrix_keypad_build_keymap 3 6129 NULL
100411 +nouveau_parent_create__6131 nouveau_parent_create_ 7 6131 NULL
100412 +ieee80211_if_fmt_beacon_timeout_6153 ieee80211_if_fmt_beacon_timeout 3 6153 NULL
100413 +ivtv_copy_buf_to_user_6159 ivtv_copy_buf_to_user 4 6159 NULL
100414 +vdma_mem_alloc_6171 vdma_mem_alloc 1 6171 NULL
100415 +wl1251_cmd_template_set_6172 wl1251_cmd_template_set 4 6172 NULL
100416 +paging64_walk_addr_generic_6180 paging64_walk_addr_generic 4 6180 NULL
100417 +qp_host_get_user_memory_6189 qp_host_get_user_memory 1-2 6189 NULL
100418 +mxt_show_instance_6207 mxt_show_instance 2-0 6207 NULL
100419 +v4l2_ctrl_new_std_menu_6221 v4l2_ctrl_new_std_menu 4 6221 NULL
100420 +mqueue_read_file_6228 mqueue_read_file 3 6228 NULL
100421 +f_hidg_read_6238 f_hidg_read 3 6238 NULL
100422 +fbcon_prepare_logo_6246 fbcon_prepare_logo 5 6246 NULL
100423 +pcpu_next_pop_6277 pcpu_next_pop 4 6277 NULL
100424 +tx_tx_start_null_frame_read_6281 tx_tx_start_null_frame_read 3 6281 NULL
100425 +snd_hda_override_conn_list_6282 snd_hda_override_conn_list 3 6282 NULL nohasharray
100426 +xenbus_file_write_6282 xenbus_file_write 3 6282 &snd_hda_override_conn_list_6282
100427 +posix_acl_fix_xattr_to_user_6283 posix_acl_fix_xattr_to_user 2 6283 NULL
100428 +paging64_gva_to_gpa_nested_6287 paging64_gva_to_gpa_nested 2 6287 NULL
100429 +nf_nat_ipv6_manip_pkt_6289 nf_nat_ipv6_manip_pkt 2 6289 NULL
100430 +nf_nat_sack_adjust_6297 nf_nat_sack_adjust 2 6297 NULL
100431 +mid_get_vbt_data_r10_6308 mid_get_vbt_data_r10 2 6308 NULL
100432 +qlcnic_sriov_alloc_bc_msg_6309 qlcnic_sriov_alloc_bc_msg 2 6309 NULL
100433 +SyS_mincore_6329 SyS_mincore 1 6329 NULL
100434 +fuse_get_req_for_background_6337 fuse_get_req_for_background 2 6337 NULL
100435 +ucs2_strnlen_6342 ucs2_strnlen 0 6342 NULL
100436 +mei_dbgfs_read_devstate_6352 mei_dbgfs_read_devstate 3 6352 NULL
100437 +_proc_do_string_6376 _proc_do_string 2 6376 NULL
100438 +osd_req_read_sg_kern_6378 osd_req_read_sg_kern 5 6378 NULL
100439 +isku_sysfs_write_light_6406 isku_sysfs_write_light 6 6406 NULL
100440 +posix_acl_fix_xattr_userns_6420 posix_acl_fix_xattr_userns 4 6420 NULL
100441 +ipr_change_queue_depth_6431 ipr_change_queue_depth 2 6431 NULL
100442 +__alloc_bootmem_node_nopanic_6432 __alloc_bootmem_node_nopanic 2-3 6432 NULL
100443 +paging32_gva_to_gpa_nested_6442 paging32_gva_to_gpa_nested 2 6442 NULL
100444 +mlx4_ib_reg_user_mr_6471 mlx4_ib_reg_user_mr 2-3 6471 NULL nohasharray
100445 +ext4_compat_ioctl_6471 ext4_compat_ioctl 3 6471 &mlx4_ib_reg_user_mr_6471
100446 +ieee80211_if_fmt_dot11MeshMaxRetries_6476 ieee80211_if_fmt_dot11MeshMaxRetries 3 6476 NULL
100447 +qp_memcpy_from_queue_6479 qp_memcpy_from_queue 4-5 6479 NULL
100448 +cipso_v4_map_lvl_hton_6490 cipso_v4_map_lvl_hton 0 6490 NULL
100449 +dbg_intr_buf_6501 dbg_intr_buf 2 6501 NULL
100450 +mei_read_6507 mei_read 3 6507 NULL
100451 +read_file_disable_ani_6536 read_file_disable_ani 3 6536 NULL
100452 +rndis_set_oid_6547 rndis_set_oid 4 6547 NULL
100453 +wdm_read_6549 wdm_read 3 6549 NULL
100454 +isku_sysfs_write_keys_easyzone_6553 isku_sysfs_write_keys_easyzone 6 6553 NULL
100455 +fb_alloc_cmap_6554 fb_alloc_cmap 2 6554 NULL
100456 +SyS_semtimedop_6563 SyS_semtimedop 3 6563 NULL
100457 +SyS_fcntl64_6582 SyS_fcntl64 3 6582 NULL
100458 +snmp_mib_init_6604 snmp_mib_init 2-3 6604 NULL
100459 +ecryptfs_filldir_6622 ecryptfs_filldir 3 6622 NULL
100460 +compat_SyS_shmat_6642 compat_SyS_shmat 2 6642 NULL
100461 +virtscsi_alloc_tgt_6643 virtscsi_alloc_tgt 2 6643 NULL
100462 +aac_srcv_ioremap_6659 aac_srcv_ioremap 2 6659 NULL
100463 +process_rcvd_data_6679 process_rcvd_data 3 6679 NULL
100464 +ql_process_mac_rx_skb_6689 ql_process_mac_rx_skb 4 6689 NULL
100465 +btrfs_lookup_csums_range_6696 btrfs_lookup_csums_range 2 6696 NULL
100466 +ps_pspoll_max_apturn_read_6699 ps_pspoll_max_apturn_read 3 6699 NULL
100467 +bnad_debugfs_write_regrd_6706 bnad_debugfs_write_regrd 3 6706 NULL
100468 +mpeg_read_6708 mpeg_read 3 6708 NULL
100469 +set_orig_insn_6712 set_orig_insn 3 6712 NULL
100470 +video_proc_write_6724 video_proc_write 3 6724 NULL
100471 +posix_acl_xattr_count_6725 posix_acl_xattr_count 0-1 6725 NULL
100472 +rds_rdma_pages_6735 rds_rdma_pages 0 6735 NULL
100473 +sfi_check_table_6772 sfi_check_table 1 6772 NULL
100474 +iwl_dbgfs_channels_read_6784 iwl_dbgfs_channels_read 3 6784 NULL
100475 +ieee80211_if_read_6785 ieee80211_if_read 3 6785 NULL
100476 +hdlcdrv_register_6792 hdlcdrv_register 2 6792 NULL
100477 +tx_tx_done_data_read_6799 tx_tx_done_data_read 3 6799 NULL
100478 +make_8259A_irq_6828 make_8259A_irq 1 6828 NULL
100479 +calc_pages_for_6838 calc_pages_for 0-1-2 6838 NULL
100480 +mon_bin_read_6841 mon_bin_read 3 6841 NULL
100481 +snd_cs4281_BA0_read_6847 snd_cs4281_BA0_read 5 6847 NULL
100482 +ieee80211_if_fmt_path_refresh_time_6888 ieee80211_if_fmt_path_refresh_time 3 6888 NULL nohasharray
100483 +raw_seticmpfilter_6888 raw_seticmpfilter 3 6888 &ieee80211_if_fmt_path_refresh_time_6888
100484 +dlmfs_file_write_6892 dlmfs_file_write 3 6892 NULL
100485 +spi_show_regs_6911 spi_show_regs 3 6911 NULL nohasharray
100486 +proc_sessionid_read_6911 proc_sessionid_read 3 6911 &spi_show_regs_6911 nohasharray
100487 +acm_alloc_minor_6911 acm_alloc_minor 0 6911 &proc_sessionid_read_6911
100488 +__kfifo_dma_in_finish_r_6913 __kfifo_dma_in_finish_r 2-3 6913 NULL
100489 +do_msgrcv_6921 do_msgrcv 3 6921 NULL
100490 +cache_do_downcall_6926 cache_do_downcall 3 6926 NULL
100491 +qsfp_cks_6945 qsfp_cks 0-2 6945 NULL
100492 +pch_uart_hal_read_6961 pch_uart_hal_read 0 6961 NULL
100493 +videobuf_dma_init_kernel_6963 videobuf_dma_init_kernel 3 6963 NULL
100494 +rsa_extract_mpi_6973 rsa_extract_mpi 5 6973 NULL
100495 +crypto_authenc_esn_setkey_6985 crypto_authenc_esn_setkey 3 6985 NULL
100496 +request_key_async_6990 request_key_async 4 6990 NULL
100497 +tpl_write_6998 tpl_write 3 6998 NULL
100498 +r871x_set_wpa_ie_7000 r871x_set_wpa_ie 3 7000 NULL
100499 +cipso_v4_gentag_enum_7006 cipso_v4_gentag_enum 0 7006 NULL
100500 +tracing_cpumask_read_7010 tracing_cpumask_read 3 7010 NULL
100501 +wimax_msg_7030 wimax_msg 4 7030 NULL
100502 +ipath_get_base_info_7043 ipath_get_base_info 3 7043 NULL
100503 +snd_pcm_oss_bytes_7051 snd_pcm_oss_bytes 2 7051 NULL
100504 +event_enable_read_7074 event_enable_read 3 7074 NULL
100505 +beacon_interval_read_7091 beacon_interval_read 3 7091 NULL
100506 +lp_compat_ioctl_7098 lp_compat_ioctl 3 7098 NULL
100507 +pipeline_enc_rx_stat_fifo_int_read_7107 pipeline_enc_rx_stat_fifo_int_read 3 7107 NULL
100508 +check_header_7108 check_header 0 7108 NULL
100509 +qlcnic_enable_msix_7144 qlcnic_enable_msix 2 7144 NULL
100510 +__alloc_objio_seg_7203 __alloc_objio_seg 1 7203 NULL
100511 +batadv_check_unicast_ttvn_7206 batadv_check_unicast_ttvn 3 7206 NULL
100512 +sys32_ipc_7238 sys32_ipc 3-5-6 7238 NULL
100513 +get_param_h_7247 get_param_h 0 7247 NULL
100514 +af_alg_make_sg_7254 af_alg_make_sg 3 7254 NULL
100515 +vm_mmap_pgoff_7259 vm_mmap_pgoff 0 7259 NULL
100516 +dma_ops_alloc_addresses_7272 dma_ops_alloc_addresses 3-4-5 7272 NULL
100517 +rx_rate_rx_frames_per_rates_read_7282 rx_rate_rx_frames_per_rates_read 3 7282 NULL
100518 +isku_sysfs_write_macro_7293 isku_sysfs_write_macro 6 7293 NULL
100519 +wb_remove_mapping_7307 wb_remove_mapping 2 7307 NULL
100520 +mgmt_control_7349 mgmt_control 3 7349 NULL
100521 +ext3_free_blocks_7362 ext3_free_blocks 3-4 7362 NULL
100522 +ieee80211_if_read_dot11MeshHWMPactivePathTimeout_7368 ieee80211_if_read_dot11MeshHWMPactivePathTimeout 3 7368 NULL
100523 +hweight_long_7388 hweight_long 0-1 7388 NULL
100524 +vhost_scsi_compat_ioctl_7393 vhost_scsi_compat_ioctl 3 7393 NULL
100525 +sl_change_mtu_7396 sl_change_mtu 2 7396 NULL
100526 +readb_7401 readb 0 7401 NULL
100527 +drm_property_create_blob_7414 drm_property_create_blob 2 7414 NULL
100528 +ip_options_get_alloc_7448 ip_options_get_alloc 1 7448 NULL
100529 +SYSC_setgroups_7454 SYSC_setgroups 1 7454 NULL
100530 +numa_emulation_7466 numa_emulation 2 7466 NULL
100531 +__mutex_lock_common_7469 __mutex_lock_common 0 7469 NULL
100532 +garp_request_join_7471 garp_request_join 4 7471 NULL
100533 +compat_sys_msgrcv_7482 compat_sys_msgrcv 2 7482 NULL
100534 +snd_pcm_lib_read1_7491 snd_pcm_lib_read1 0-3 7491 NULL
100535 +sdhci_alloc_host_7509 sdhci_alloc_host 2 7509 NULL nohasharray
100536 +ahash_instance_headroom_7509 ahash_instance_headroom 0 7509 &sdhci_alloc_host_7509
100537 +array_zalloc_7519 array_zalloc 1-2 7519 NULL
100538 +goal_in_my_reservation_7553 goal_in_my_reservation 3 7553 NULL
100539 +smk_read_mapped_7562 smk_read_mapped 3 7562 NULL
100540 +btrfs_block_rsv_add_7579 btrfs_block_rsv_add 3 7579 NULL
100541 +ext3_try_to_allocate_7590 ext3_try_to_allocate 5-3 7590 NULL
100542 +groups_alloc_7614 groups_alloc 1 7614 NULL
100543 +sg_virt_7616 sg_virt 0 7616 NULL
100544 +skb_copy_expand_7685 skb_copy_expand 2-3 7685 NULL nohasharray
100545 +acpi_ex_allocate_name_string_7685 acpi_ex_allocate_name_string 2-1 7685 &skb_copy_expand_7685
100546 +acpi_ns_get_pathname_length_7699 acpi_ns_get_pathname_length 0 7699 NULL
100547 +dev_write_7708 dev_write 3 7708 NULL
100548 +unmap_region_7709 unmap_region 1 7709 NULL
100549 +brcmf_sdcard_send_buf_7713 brcmf_sdcard_send_buf 6 7713 NULL
100550 +set_bypass_pwup_pfs_7742 set_bypass_pwup_pfs 3 7742 NULL
100551 +vxge_device_register_7752 vxge_device_register 4 7752 NULL
100552 +osdv2_attr_list_elem_size_7763 osdv2_attr_list_elem_size 0-1 7763 NULL
100553 +ubi_io_read_vid_hdr_7766 ubi_io_read_vid_hdr 0 7766 NULL
100554 +ioread32be_7773 ioread32be 0 7773 NULL
100555 +alloc_candev_7776 alloc_candev 1-2 7776 NULL
100556 +dfs_global_file_read_7787 dfs_global_file_read 3 7787 NULL
100557 +bnx2_nvram_write_7790 bnx2_nvram_write 4-2 7790 NULL
100558 +diva_os_copy_from_user_7792 diva_os_copy_from_user 4 7792 NULL
100559 +ubifs_leb_read_7828 ubifs_leb_read 0 7828 NULL
100560 +dvb_dmxdev_read_sec_7892 dvb_dmxdev_read_sec 4 7892 NULL
100561 +xfs_trans_get_efi_7898 xfs_trans_get_efi 2 7898 NULL
100562 +gfs2_tune_get_i_7903 gfs2_tune_get_i 0 7903 NULL
100563 +ext3_group_extend_7911 ext3_group_extend 3 7911 NULL
100564 +libfc_host_alloc_7917 libfc_host_alloc 2 7917 NULL
100565 +f_hidg_write_7932 f_hidg_write 3 7932 NULL
100566 +io_apic_setup_irq_pin_once_7934 io_apic_setup_irq_pin_once 1 7934 NULL
100567 +hash_netiface6_expire_7944 hash_netiface6_expire 3 7944 NULL
100568 +integrity_digsig_verify_7956 integrity_digsig_verify 3 7956 NULL
100569 +smk_write_load_self_7958 smk_write_load_self 3 7958 NULL
100570 +sys_mbind_7990 sys_mbind 5 7990 NULL
100571 +tt3650_ci_msg_locked_8013 tt3650_ci_msg_locked 4 8013 NULL
100572 +vcs_read_8017 vcs_read 3 8017 NULL
100573 +normalize_up_8037 normalize_up 0-1-2 8037 NULL
100574 +vhost_add_used_and_signal_n_8038 vhost_add_used_and_signal_n 4 8038 NULL
100575 +ms_read_multiple_pages_8052 ms_read_multiple_pages 5-4 8052 NULL
100576 +dgrp_mon_read_8065 dgrp_mon_read 3 8065 NULL
100577 +leb_read_lock_8070 leb_read_lock 0 8070 NULL
100578 +alloc_targets_8074 alloc_targets 2 8074 NULL nohasharray
100579 +qla4xxx_post_ping_evt_work_8074 qla4xxx_post_ping_evt_work 4 8074 &alloc_targets_8074
100580 +venus_lookup_8121 venus_lookup 4 8121 NULL
100581 +ieee80211_if_fmt_num_buffered_multicast_8127 ieee80211_if_fmt_num_buffered_multicast 3 8127 NULL
100582 +dma_map_area_8178 dma_map_area 5-2-3 8178 NULL
100583 +ore_truncate_8181 ore_truncate 3 8181 NULL
100584 +__sk_mem_schedule_8185 __sk_mem_schedule 2 8185 NULL
100585 +ieee80211_if_fmt_dot11MeshHoldingTimeout_8187 ieee80211_if_fmt_dot11MeshHoldingTimeout 3 8187 NULL
100586 +recent_mt_proc_write_8206 recent_mt_proc_write 3 8206 NULL
100587 +rt2x00debug_write_bbp_8212 rt2x00debug_write_bbp 3 8212 NULL
100588 +ad7879_spi_multi_read_8218 ad7879_spi_multi_read 3 8218 NULL
100589 +play_iframe_8219 play_iframe 3 8219 NULL
100590 +create_log_8225 create_log 2 8225 NULL nohasharray
100591 +kvm_mmu_page_set_gfn_8225 kvm_mmu_page_set_gfn 2 8225 &create_log_8225
100592 +sctp_ssnmap_size_8228 sctp_ssnmap_size 0-1-2 8228 NULL
100593 +ceph_sync_write_8233 ceph_sync_write 4 8233 NULL
100594 +bnx2x_iov_get_max_queue_count_8235 bnx2x_iov_get_max_queue_count 0 8235 NULL
100595 +check_xattr_ref_inode_8244 check_xattr_ref_inode 0 8244 NULL
100596 +add_rx_skb_8257 add_rx_skb 3 8257 NULL
100597 +t3_init_l2t_8261 t3_init_l2t 1 8261 NULL
100598 +init_cdev_8274 init_cdev 1 8274 NULL
100599 +rproc_recovery_write_8281 rproc_recovery_write 3 8281 NULL
100600 +qib_decode_7220_err_8315 qib_decode_7220_err 3 8315 NULL
100601 +construct_key_and_link_8321 construct_key_and_link 4 8321 NULL
100602 +ipwireless_send_packet_8328 ipwireless_send_packet 4 8328 NULL
100603 +tracing_entries_read_8345 tracing_entries_read 3 8345 NULL
100604 +ieee80211_if_fmt_ht_opmode_8347 ieee80211_if_fmt_ht_opmode 3 8347 NULL
100605 +isku_sysfs_write_talk_8360 isku_sysfs_write_talk 6 8360 NULL nohasharray
100606 +ping_getfrag_8360 ping_getfrag 4-3 8360 &isku_sysfs_write_talk_8360
100607 +uvc_v4l2_compat_ioctl32_8375 uvc_v4l2_compat_ioctl32 3 8375 NULL
100608 +xdi_copy_from_user_8395 xdi_copy_from_user 4 8395 NULL
100609 +zd_rf_scnprint_id_8406 zd_rf_scnprint_id 0-3 8406 NULL
100610 +smk_write_change_rule_8411 smk_write_change_rule 3 8411 NULL nohasharray
100611 +uvc_v4l2_ioctl_8411 uvc_v4l2_ioctl 2 8411 &smk_write_change_rule_8411
100612 +pca953x_gpio_to_irq_8424 pca953x_gpio_to_irq 2 8424 NULL
100613 +snd_usb_ctl_msg_8436 snd_usb_ctl_msg 8 8436 NULL
100614 +irq_create_mapping_8437 irq_create_mapping 2 8437 NULL
100615 +afs_cell_lookup_8482 afs_cell_lookup 2 8482 NULL
100616 +batadv_tt_len_8502 batadv_tt_len 0-1 8502 NULL
100617 +dev_config_8506 dev_config 3 8506 NULL
100618 +ACL_to_cifs_posix_8509 ACL_to_cifs_posix 3 8509 NULL
100619 +opticon_process_data_packet_8524 opticon_process_data_packet 3 8524 NULL
100620 +pnp_resource_len_8532 pnp_resource_len 0 8532 NULL
100621 +alloc_pg_vec_8533 alloc_pg_vec 2 8533 NULL
100622 +ocfs2_read_virt_blocks_8538 ocfs2_read_virt_blocks 2-3 8538 NULL
100623 +user_on_off_8552 user_on_off 2 8552 NULL
100624 +profile_remove_8556 profile_remove 3 8556 NULL
100625 +cache_slow_downcall_8570 cache_slow_downcall 2 8570 NULL
100626 +mga_ioremap_8571 mga_ioremap 1-2 8571 NULL
100627 +isr_dma0_done_read_8574 isr_dma0_done_read 3 8574 NULL
100628 +tower_write_8580 tower_write 3 8580 NULL
100629 +rtllib_MFIE_rate_len_8606 rtllib_MFIE_rate_len 0 8606 NULL
100630 +shash_setkey_unaligned_8620 shash_setkey_unaligned 3 8620 NULL
100631 +it821x_firmware_command_8628 it821x_firmware_command 3 8628 NULL
100632 +scsi_dma_map_8632 scsi_dma_map 0 8632 NULL
100633 +fuse_send_write_pages_8636 fuse_send_write_pages 0-5 8636 NULL
100634 +generic_acl_set_8658 generic_acl_set 4 8658 NULL
100635 +dio_bio_alloc_8677 dio_bio_alloc 5 8677 NULL
100636 +lbs_bcnmiss_read_8678 lbs_bcnmiss_read 3 8678 NULL
100637 +tc3589x_gpio_irq_unmap_8680 tc3589x_gpio_irq_unmap 2 8680 NULL
100638 +rproc_trace_read_8686 rproc_trace_read 3 8686 NULL
100639 +skb_frag_size_8695 skb_frag_size 0 8695 NULL
100640 +arcfb_write_8702 arcfb_write 3 8702 NULL
100641 +i_size_read_8703 i_size_read 0 8703 NULL nohasharray
100642 +init_header_8703 init_header 0 8703 &i_size_read_8703
100643 +ctrl_out_8712 ctrl_out 3-5 8712 NULL
100644 +jffs2_acl_count_8729 jffs2_acl_count 0-1 8729 NULL
100645 +f_dupfd_8730 f_dupfd 1 8730 NULL
100646 +__create_irqs_8733 __create_irqs 2-1 8733 NULL
100647 +pca953x_gpio_irq_map_8737 pca953x_gpio_irq_map 2 8737 NULL
100648 +tx_tx_exch_expiry_read_8749 tx_tx_exch_expiry_read 3 8749 NULL
100649 +joydev_compat_ioctl_8765 joydev_compat_ioctl 2 8765 NULL
100650 +sys_prctl_8766 sys_prctl 4 8766 NULL
100651 +x32_arch_ptrace_8767 x32_arch_ptrace 3-4 8767 NULL
100652 +paging32_prefetch_gpte_8783 paging32_prefetch_gpte 4 8783 NULL
100653 +ext4_try_to_write_inline_data_8785 ext4_try_to_write_inline_data 3-4 8785 NULL
100654 +__bitmap_weight_8796 __bitmap_weight 0-2 8796 NULL
100655 +cpuset_common_file_read_8800 cpuset_common_file_read 5 8800 NULL
100656 +metronomefb_write_8823 metronomefb_write 3 8823 NULL
100657 +icmpv6_manip_pkt_8833 icmpv6_manip_pkt 4 8833 NULL nohasharray
100658 +get_queue_depth_8833 get_queue_depth 0 8833 &icmpv6_manip_pkt_8833
100659 +dvb_ringbuffer_pkt_next_8834 dvb_ringbuffer_pkt_next 0-2 8834 NULL
100660 +usb_ep_queue_8839 usb_ep_queue 0 8839 NULL
100661 +clear_bitset_8840 clear_bitset 2 8840 NULL
100662 +debug_debug1_read_8856 debug_debug1_read 3 8856 NULL
100663 +wa_nep_queue_8858 wa_nep_queue 2 8858 NULL
100664 +compressed_bio_size_8887 compressed_bio_size 0-2 8887 NULL
100665 +tracing_max_lat_read_8890 tracing_max_lat_read 3 8890 NULL
100666 +sdio_max_byte_size_8907 sdio_max_byte_size 0 8907 NULL
100667 +layout_commit_8926 layout_commit 3 8926 NULL
100668 +adjust_priv_size_8935 adjust_priv_size 0-1 8935 NULL
100669 +driver_stats_read_8944 driver_stats_read 3 8944 NULL
100670 +read_file_tgt_stats_8959 read_file_tgt_stats 3 8959 NULL
100671 +seq_bitmap_list_8963 seq_bitmap_list 3 8963 NULL
100672 +usb_allocate_stream_buffers_8964 usb_allocate_stream_buffers 3 8964 NULL
100673 +qib_qsfp_dump_8966 qib_qsfp_dump 0-3 8966 NULL
100674 +venus_mkdir_8967 venus_mkdir 4 8967 NULL
100675 +vol_cdev_read_8968 vol_cdev_read 3 8968 NULL nohasharray
100676 +seq_open_net_8968 seq_open_net 4 8968 &vol_cdev_read_8968
100677 +bio_integrity_get_tag_8974 bio_integrity_get_tag 3 8974 NULL
100678 +btrfs_alloc_free_block_8986 btrfs_alloc_free_block 3 8986 NULL
100679 +snd_emu10k1_ptr_read_9026 snd_emu10k1_ptr_read 0-2 9026 NULL
100680 +__pskb_copy_9038 __pskb_copy 2 9038 NULL
100681 +nla_put_9042 nla_put 3 9042 NULL
100682 +snd_emu10k1_synth_copy_from_user_9061 snd_emu10k1_synth_copy_from_user 3-5 9061 NULL
100683 +snd_gus_dram_peek_9062 snd_gus_dram_peek 4 9062 NULL
100684 +fib_info_hash_alloc_9075 fib_info_hash_alloc 1 9075 NULL
100685 +string_9080 string 0 9080 NULL
100686 +create_queues_9088 create_queues 2-3 9088 NULL
100687 +ftdi_prepare_write_buffer_9093 ftdi_prepare_write_buffer 3 9093 NULL
100688 +caif_stream_sendmsg_9110 caif_stream_sendmsg 4 9110 NULL nohasharray
100689 +gfn_to_rmap_9110 gfn_to_rmap 2-3 9110 &caif_stream_sendmsg_9110
100690 +pmcraid_change_queue_depth_9116 pmcraid_change_queue_depth 2 9116 NULL
100691 +isku_sysfs_write_keys_macro_9120 isku_sysfs_write_keys_macro 6 9120 NULL
100692 +mq_remove_mapping_9124 mq_remove_mapping 2 9124 NULL
100693 +mlx4_alloc_resize_umem_9132 mlx4_alloc_resize_umem 3 9132 NULL
100694 +ext4_list_backups_9138 ext4_list_backups 0 9138 NULL
100695 +dbg_command_buf_9165 dbg_command_buf 2 9165 NULL
100696 +isr_irqs_read_9181 isr_irqs_read 3 9181 NULL
100697 +count_leading_zeros_9183 count_leading_zeros 0 9183 NULL
100698 +alloc_group_attrs_9194 alloc_group_attrs 2 9194 NULL nohasharray
100699 +altera_swap_ir_9194 altera_swap_ir 2 9194 &alloc_group_attrs_9194
100700 +gx1_gx_base_9198 gx1_gx_base 0 9198 NULL
100701 +snd_m3_get_pointer_9206 snd_m3_get_pointer 0 9206 NULL
100702 +get_pfn_9207 get_pfn 1 9207 NULL
100703 +virtqueue_add_9217 virtqueue_add 5-4 9217 NULL
100704 +tx_tx_prepared_descs_read_9221 tx_tx_prepared_descs_read 3 9221 NULL
100705 +sctp_getsockopt_delayed_ack_9232 sctp_getsockopt_delayed_ack 2 9232 NULL
100706 +ocfs2_clear_ext_refcount_9256 ocfs2_clear_ext_refcount 4 9256 NULL
100707 +tcf_csum_ipv4_icmp_9258 tcf_csum_ipv4_icmp 3 9258 NULL
100708 +sparse_early_usemaps_alloc_node_9269 sparse_early_usemaps_alloc_node 4 9269 NULL
100709 +hdpvr_read_9273 hdpvr_read 3 9273 NULL
100710 +flakey_status_9274 flakey_status 5 9274 NULL
100711 +qla82xx_pci_set_window_9303 qla82xx_pci_set_window 0-2 9303 NULL
100712 +iwl_dbgfs_stations_read_9309 iwl_dbgfs_stations_read 3 9309 NULL
100713 +ceph_sync_setxattr_9310 ceph_sync_setxattr 4 9310 NULL
100714 +memblock_find_in_range_node_9328 memblock_find_in_range_node 0-3-4 9328 NULL
100715 +ieee80211_if_fmt_txpower_9334 ieee80211_if_fmt_txpower 3 9334 NULL
100716 +nvme_trans_fmt_get_parm_header_9340 nvme_trans_fmt_get_parm_header 2 9340 NULL
100717 +ocfs2_orphan_for_truncate_9342 ocfs2_orphan_for_truncate 4 9342 NULL
100718 +sta_beacon_loss_count_read_9370 sta_beacon_loss_count_read 3 9370 NULL
100719 +virtqueue_add_outbuf_9395 virtqueue_add_outbuf 3 9395 NULL
100720 +read_9397 read 3 9397 NULL
100721 +nf_nat_sip_expect_9418 nf_nat_sip_expect 8 9418 NULL
100722 +bm_realloc_pages_9431 bm_realloc_pages 2 9431 NULL
100723 +ffs_ep0_write_9438 ffs_ep0_write 3 9438 NULL
100724 +kmalloc_array_9444 kmalloc_array 1-2 9444 NULL
100725 +ieee80211_if_fmt_fwded_unicast_9454 ieee80211_if_fmt_fwded_unicast 3 9454 NULL
100726 +mcs_unwrap_mir_9455 mcs_unwrap_mir 3 9455 NULL
100727 +ext3_xattr_set_acl_9467 ext3_xattr_set_acl 4 9467 NULL
100728 +agp_generic_alloc_user_9470 agp_generic_alloc_user 1 9470 NULL
100729 +__alloc_preds_9492 __alloc_preds 2 9492 NULL nohasharray
100730 +crypt_status_9492 crypt_status 5 9492 &__alloc_preds_9492
100731 +lp_write_9511 lp_write 3 9511 NULL
100732 +xen_remap_exchanged_ptes_9513 xen_remap_exchanged_ptes 1 9513 NULL
100733 +scsi_tgt_kspace_exec_9522 scsi_tgt_kspace_exec 8 9522 NULL
100734 +read_file_dma_9530 read_file_dma 3 9530 NULL
100735 +ext3_alloc_branch_9534 ext3_alloc_branch 5 9534 NULL
100736 +audit_log_n_untrustedstring_9548 audit_log_n_untrustedstring 3 9548 NULL
100737 +fw_node_create_9559 fw_node_create 2 9559 NULL
100738 +ipath_get_user_pages_9561 ipath_get_user_pages 1-2 9561 NULL
100739 +kobj_map_9566 kobj_map 2-3 9566 NULL
100740 +f2fs_read_data_pages_9574 f2fs_read_data_pages 4 9574 NULL
100741 +biovec_create_pools_9575 biovec_create_pools 2 9575 NULL
100742 +ieee80211_tdls_mgmt_9581 ieee80211_tdls_mgmt 8 9581 NULL
100743 +use_block_rsv_9597 use_block_rsv 3 9597 NULL
100744 +do_sync_9604 do_sync 1 9604 NULL
100745 +snd_emu10k1_fx8010_read_9605 snd_emu10k1_fx8010_read 5-6 9605 NULL
100746 +saa7164_buffer_alloc_user_9627 saa7164_buffer_alloc_user 2 9627 NULL
100747 +ceph_copy_user_to_page_vector_9635 ceph_copy_user_to_page_vector 4-3 9635 NULL
100748 +compat_sys_keyctl_9639 compat_sys_keyctl 4-2-3 9639 NULL
100749 +ocfs2_xattr_get_rec_9652 ocfs2_xattr_get_rec 0 9652 NULL
100750 +uvc_alloc_buffers_9656 uvc_alloc_buffers 2-3 9656 NULL
100751 +queue_received_packet_9657 queue_received_packet 5 9657 NULL
100752 +snd_opl4_mem_proc_write_9670 snd_opl4_mem_proc_write 5 9670 NULL
100753 +ks8842_read16_9676 ks8842_read16 0 9676 NULL nohasharray
100754 +dns_query_9676 dns_query 3 9676 &ks8842_read16_9676
100755 +qib_7322_handle_hwerrors_9678 qib_7322_handle_hwerrors 3 9678 NULL
100756 +__erst_read_from_storage_9690 __erst_read_from_storage 0 9690 NULL
100757 +is_hole_9694 is_hole 2 9694 NULL nohasharray
100758 +x25_asy_compat_ioctl_9694 x25_asy_compat_ioctl 4 9694 &is_hole_9694
100759 +fnb_9703 fnb 2-3 9703 NULL
100760 +fuse_iter_npages_9705 fuse_iter_npages 0 9705 NULL nohasharray
100761 +ieee80211_if_read_aid_9705 ieee80211_if_read_aid 3 9705 &fuse_iter_npages_9705
100762 +nla_get_u8_9736 nla_get_u8 0 9736 NULL
100763 +ieee80211_if_fmt_num_mcast_sta_9738 ieee80211_if_fmt_num_mcast_sta 3 9738 NULL
100764 +ddb_input_read_9743 ddb_input_read 3 9743 NULL
100765 +sta_last_ack_signal_read_9751 sta_last_ack_signal_read 3 9751 NULL
100766 +btrfs_super_root_9763 btrfs_super_root 0 9763 NULL
100767 +__alloc_percpu_9764 __alloc_percpu 1-2 9764 NULL
100768 +__blk_queue_init_tags_9778 __blk_queue_init_tags 2 9778 NULL
100769 +snd_mem_proc_write_9786 snd_mem_proc_write 3 9786 NULL
100770 +ttm_bo_fbdev_io_9805 ttm_bo_fbdev_io 4 9805 NULL
100771 +ieee80211_if_read_state_9813 ieee80211_if_read_state 3 9813 NULL
100772 +pnp_mem_start_9817 pnp_mem_start 0 9817 NULL
100773 +kernel_physical_mapping_init_9818 kernel_physical_mapping_init 0-2-1 9818 NULL
100774 +dvb_dvr_set_buffer_size_9840 dvb_dvr_set_buffer_size 2 9840 NULL
100775 +cfg80211_send_deauth_9862 cfg80211_send_deauth 3 9862 NULL
100776 +pmcraid_alloc_sglist_9864 pmcraid_alloc_sglist 1 9864 NULL
100777 +btrfs_free_reserved_extent_9867 btrfs_free_reserved_extent 2 9867 NULL
100778 +f1x_translate_sysaddr_to_cs_9868 f1x_translate_sysaddr_to_cs 2 9868 NULL
100779 +mlx4_bitmap_alloc_range_9876 mlx4_bitmap_alloc_range 2-3 9876 NULL
100780 +wil_read_file_ioblob_9878 wil_read_file_ioblob 3 9878 NULL
100781 +bm_register_write_9893 bm_register_write 3 9893 NULL nohasharray
100782 +snd_midi_event_new_9893 snd_midi_event_new 1 9893 &bm_register_write_9893
100783 +snd_gf1_pcm_playback_copy_9895 snd_gf1_pcm_playback_copy 3-5 9895 NULL
100784 +nonpaging_page_fault_9908 nonpaging_page_fault 2 9908 NULL
100785 +gen6_get_total_gtt_size_9913 gen6_get_total_gtt_size 0-1 9913 NULL
100786 +pstore_ftrace_knob_read_9947 pstore_ftrace_knob_read 3 9947 NULL
100787 +read_file_misc_9948 read_file_misc 3 9948 NULL
100788 +set_rxd_buffer_pointer_9950 set_rxd_buffer_pointer 8 9950 NULL
100789 +ext2_new_blocks_9954 ext2_new_blocks 2 9954 NULL
100790 +csum_partial_copy_fromiovecend_9957 csum_partial_copy_fromiovecend 3-4 9957 NULL
100791 +get_free_serial_index_9969 get_free_serial_index 0 9969 NULL
100792 +btrfs_add_link_9973 btrfs_add_link 5 9973 NULL
100793 +ath6kl_usb_submit_ctrl_out_9978 ath6kl_usb_submit_ctrl_out 6 9978 NULL
100794 +SYSC_move_pages_9986 SYSC_move_pages 2 9986 NULL
100795 +aat2870_dump_reg_10019 aat2870_dump_reg 0 10019 NULL
100796 +handle_request_10024 handle_request 9 10024 NULL
100797 +batadv_orig_hash_add_if_10033 batadv_orig_hash_add_if 2 10033 NULL
100798 +ieee80211_probereq_get_10040 ieee80211_probereq_get 4-5 10040 NULL
100799 +xen_destroy_contiguous_region_10054 xen_destroy_contiguous_region 1 10054 NULL
100800 +vfio_pci_write_10063 vfio_pci_write 3 10063 NULL
100801 +ieee80211_set_probe_resp_10077 ieee80211_set_probe_resp 3 10077 NULL
100802 +ufs_bitmap_search_10105 ufs_bitmap_search 0-3 10105 NULL
100803 +get_elem_size_10110 get_elem_size 0-2 10110 NULL nohasharray
100804 +dynamic_ps_timeout_read_10110 dynamic_ps_timeout_read 3 10110 &get_elem_size_10110
100805 +jbd_alloc_10112 jbd_alloc 0 10112 NULL nohasharray
100806 +gfs2_meta_read_10112 gfs2_meta_read 0 10112 &jbd_alloc_10112
100807 +offset_to_bit_10134 offset_to_bit 0 10134 NULL
100808 +aes_decrypt_packets_read_10155 aes_decrypt_packets_read 3 10155 NULL
100809 +rx_out_of_mem_read_10157 rx_out_of_mem_read 3 10157 NULL
100810 +hidg_alloc_ep_req_10159 hidg_alloc_ep_req 2 10159 NULL nohasharray
100811 +ol_chunk_entries_10159 ol_chunk_entries 0 10159 &hidg_alloc_ep_req_10159
100812 +stmpe_irq_unmap_10164 stmpe_irq_unmap 2 10164 NULL
100813 +asd_store_update_bios_10165 asd_store_update_bios 4 10165 NULL
100814 +proc_pid_attr_read_10173 proc_pid_attr_read 3 10173 NULL
100815 +jffs2_user_setxattr_10182 jffs2_user_setxattr 4 10182 NULL
100816 +do_ioctl_trans_10194 do_ioctl_trans 3 10194 NULL
100817 +cciss_proc_write_10259 cciss_proc_write 3 10259 NULL
100818 +__qlcnic_pci_sriov_enable_10281 __qlcnic_pci_sriov_enable 2 10281 NULL
100819 +snd_rme9652_capture_copy_10287 snd_rme9652_capture_copy 5 10287 NULL
100820 +ubi_leb_change_10289 ubi_leb_change 4 10289 NULL
100821 +read_emulate_10310 read_emulate 2-4 10310 NULL
100822 +read_file_spectral_count_10320 read_file_spectral_count 3 10320 NULL
100823 +ttm_object_device_init_10321 ttm_object_device_init 2 10321 NULL
100824 +ubi_leb_read_10328 ubi_leb_read 0 10328 NULL
100825 +tun_sendmsg_10337 tun_sendmsg 4 10337 NULL
100826 +get_dump_page_10338 get_dump_page 1 10338 NULL
100827 +ufx_alloc_urb_list_10349 ufx_alloc_urb_list 3 10349 NULL
100828 +dbAllocAny_10354 dbAllocAny 0 10354 NULL
100829 +ath6kl_listen_int_read_10355 ath6kl_listen_int_read 3 10355 NULL
100830 +ms_write_multiple_pages_10362 ms_write_multiple_pages 6-5 10362 NULL
100831 +sta_ht_capa_read_10366 sta_ht_capa_read 3 10366 NULL
100832 +ecryptfs_decode_and_decrypt_filename_10379 ecryptfs_decode_and_decrypt_filename 5 10379 NULL
100833 +do_compat_pselect_10398 do_compat_pselect 1 10398 NULL
100834 +fwtty_rx_10434 fwtty_rx 3 10434 NULL
100835 +event_phy_transmit_error_read_10471 event_phy_transmit_error_read 3 10471 NULL
100836 +ca91cx42_alloc_resource_10502 ca91cx42_alloc_resource 2 10502 NULL
100837 +qib_alloc_fast_reg_page_list_10507 qib_alloc_fast_reg_page_list 2 10507 NULL
100838 +sel_write_disable_10511 sel_write_disable 3 10511 NULL
100839 +osd_req_write_sg_kern_10514 osd_req_write_sg_kern 5 10514 NULL
100840 +rds_message_alloc_10517 rds_message_alloc 1 10517 NULL
100841 +qlcnic_pci_sriov_enable_10519 qlcnic_pci_sriov_enable 2 10519 NULL nohasharray
100842 +hash_netiface4_expire_10519 hash_netiface4_expire 3 10519 &qlcnic_pci_sriov_enable_10519
100843 +ocfs2_add_refcounted_extent_10526 ocfs2_add_refcounted_extent 6 10526 NULL
100844 +get_vm_area_caller_10527 get_vm_area_caller 1 10527 NULL
100845 +snd_pcm_lib_read_10536 snd_pcm_lib_read 0-3 10536 NULL
100846 +ieee80211_send_probe_req_10539 ieee80211_send_probe_req 4-6 10539 NULL
100847 +ext4_write_begin_10576 ext4_write_begin 3-4 10576 NULL
100848 +scrub_remap_extent_10588 scrub_remap_extent 2 10588 NULL
100849 +otp_read_10594 otp_read 2-4-5 10594 NULL
100850 +supply_map_read_file_10608 supply_map_read_file 3 10608 NULL
100851 +ima_show_htable_violations_10619 ima_show_htable_violations 3 10619 NULL
100852 +alloc_coherent_10632 alloc_coherent 2 10632 NULL
100853 +nfs_idmap_lookup_id_10660 nfs_idmap_lookup_id 2 10660 NULL
100854 +dtf_read_device_10663 dtf_read_device 3 10663 NULL
100855 +parport_write_10669 parport_write 0 10669 NULL
100856 +inl_10708 inl 0 10708 NULL nohasharray
100857 +selinux_inode_setxattr_10708 selinux_inode_setxattr 4 10708 &inl_10708
100858 +pvr2_ioread_read_10720 pvr2_ioread_read 3 10720 NULL nohasharray
100859 +shash_async_setkey_10720 shash_async_setkey 3 10720 &pvr2_ioread_read_10720
100860 +spi_sync_10731 spi_sync 0 10731 NULL
100861 +sctp_getsockopt_maxseg_10737 sctp_getsockopt_maxseg 2 10737 NULL nohasharray
100862 +apu_get_register_10737 apu_get_register 0 10737 &sctp_getsockopt_maxseg_10737
100863 +compat_sys_msgsnd_10738 compat_sys_msgsnd 2 10738 NULL
100864 +sys_syslog_10746 sys_syslog 3 10746 NULL
100865 +alloc_one_pg_vec_page_10747 alloc_one_pg_vec_page 1 10747 NULL
100866 +vhost_add_used_n_10760 vhost_add_used_n 3 10760 NULL
100867 +kvm_read_guest_atomic_10765 kvm_read_guest_atomic 4-2 10765 NULL
100868 +wb_set_dirty_10778 wb_set_dirty 2 10778 NULL
100869 +__qp_memcpy_to_queue_10779 __qp_memcpy_to_queue 2-4 10779 NULL
100870 +sys_bind_10799 sys_bind 3 10799 NULL
100871 +compat_put_int_10828 compat_put_int 1 10828 NULL
100872 +lbs_sleepparams_read_10840 lbs_sleepparams_read 3 10840 NULL
100873 +ida_get_new_above_10853 ida_get_new_above 2 10853 NULL
100874 +fuse_conn_max_background_read_10855 fuse_conn_max_background_read 3 10855 NULL
100875 +ol_chunk_blocks_10864 ol_chunk_blocks 0 10864 NULL
100876 +snd_pcm_oss_write1_10872 snd_pcm_oss_write1 3 10872 NULL
100877 +mid_get_vbt_data_r0_10876 mid_get_vbt_data_r0 2 10876 NULL
100878 +bl_mark_for_commit_10879 bl_mark_for_commit 2-3 10879 NULL
100879 +get_scq_10897 get_scq 2 10897 NULL
100880 +cgroup_write_string_10900 cgroup_write_string 5 10900 NULL
100881 +tifm_alloc_adapter_10903 tifm_alloc_adapter 1 10903 NULL
100882 +__copy_from_user_10918 __copy_from_user 3 10918 NULL
100883 +da9052_map_irq_10952 da9052_map_irq 2 10952 NULL
100884 +ci_port_test_write_10962 ci_port_test_write 3 10962 NULL
100885 +bm_entry_read_10976 bm_entry_read 3 10976 NULL
100886 +i915_min_freq_write_10981 i915_min_freq_write 3 10981 NULL
100887 +sched_autogroup_write_10984 sched_autogroup_write 3 10984 NULL
100888 +__hci_num_ctrl_10985 __hci_num_ctrl 0 10985 NULL
100889 +xfrm_hash_alloc_10997 xfrm_hash_alloc 1 10997 NULL
100890 +rx_filter_accum_arp_pend_requests_read_11003 rx_filter_accum_arp_pend_requests_read 3 11003 NULL
100891 +SetLineNumber_11023 SetLineNumber 0 11023 NULL
100892 +mb_find_next_bit_11037 mb_find_next_bit 2-3-0 11037 NULL
100893 +tda10048_writeregbulk_11050 tda10048_writeregbulk 4 11050 NULL
100894 +tcp_send_mss_11079 tcp_send_mss 0 11079 NULL
100895 +count_argc_11083 count_argc 0 11083 NULL
100896 +kvm_write_guest_cached_11106 kvm_write_guest_cached 4 11106 NULL
100897 +stmpe_gpio_to_irq_11110 stmpe_gpio_to_irq 2 11110 NULL
100898 +tw_change_queue_depth_11116 tw_change_queue_depth 2 11116 NULL
100899 +page_offset_11120 page_offset 0 11120 NULL
100900 +tracing_buffers_read_11124 tracing_buffers_read 3 11124 NULL nohasharray
100901 +cea_db_payload_len_11124 cea_db_payload_len 0 11124 &tracing_buffers_read_11124
100902 +alloc_alien_cache_11127 alloc_alien_cache 2 11127 NULL
100903 +acpi_os_map_memory_11161 acpi_os_map_memory 1-2 11161 NULL
100904 +ioat2_alloc_ring_11172 ioat2_alloc_ring 2 11172 NULL nohasharray
100905 +snd_gf1_pcm_playback_silence_11172 snd_gf1_pcm_playback_silence 3-4 11172 &ioat2_alloc_ring_11172
100906 +__swab16p_11220 __swab16p 0 11220 NULL
100907 +il_dbgfs_rx_queue_read_11221 il_dbgfs_rx_queue_read 3 11221 NULL
100908 +mmap_region_11247 mmap_region 0-2 11247 NULL
100909 +ubifs_write_node_11258 ubifs_write_node 5-3 11258 NULL
100910 +dm_cache_discard_bitset_resize_11262 dm_cache_discard_bitset_resize 3 11262 NULL
100911 +hugetlbfs_read_11268 hugetlbfs_read 3 11268 NULL
100912 +cru_detect_11272 cru_detect 1 11272 NULL
100913 +ext4_xattr_check_names_11314 ext4_xattr_check_names 0 11314 NULL
100914 +tcp_send_rcvq_11316 tcp_send_rcvq 3 11316 NULL
100915 +construct_key_11329 construct_key 3 11329 NULL nohasharray
100916 +__kfifo_out_peek_11329 __kfifo_out_peek 0-3 11329 &construct_key_11329
100917 +next_segment_11330 next_segment 0-2-1 11330 NULL
100918 +persistent_ram_buffer_map_11332 persistent_ram_buffer_map 1-2 11332 NULL
100919 +ext4_get_inline_size_11349 ext4_get_inline_size 0 11349 NULL
100920 +i915_max_freq_write_11350 i915_max_freq_write 3 11350 NULL
100921 +sel_write_create_11353 sel_write_create 3 11353 NULL
100922 +handle_unit_11355 handle_unit 0-1 11355 NULL
100923 +batadv_skb_head_push_11360 batadv_skb_head_push 2 11360 NULL
100924 +drm_vblank_init_11362 drm_vblank_init 2 11362 NULL
100925 +qib_get_base_info_11369 qib_get_base_info 3 11369 NULL
100926 +isku_sysfs_read_keys_capslock_11392 isku_sysfs_read_keys_capslock 6 11392 NULL
100927 +dev_irnet_write_11398 dev_irnet_write 3 11398 NULL
100928 +___alloc_bootmem_11410 ___alloc_bootmem 1-2 11410 NULL
100929 +str_to_user_11411 str_to_user 2 11411 NULL
100930 +mem_fw_gen_free_mem_blks_read_11413 mem_fw_gen_free_mem_blks_read 3 11413 NULL
100931 +ath6kl_wmi_test_rx_11414 ath6kl_wmi_test_rx 3 11414 NULL
100932 +adis16480_show_firmware_revision_11417 adis16480_show_firmware_revision 3 11417 NULL
100933 +trace_options_read_11419 trace_options_read 3 11419 NULL
100934 +xd_read_multiple_pages_11422 xd_read_multiple_pages 5-4 11422 NULL
100935 +prepare_image_11424 prepare_image 0 11424 NULL
100936 +vring_size_11426 vring_size 0-1-2 11426 NULL
100937 +bttv_read_11432 bttv_read 3 11432 NULL
100938 +create_zero_mask_11453 create_zero_mask 0-1 11453 NULL
100939 +swp_offset_11475 swp_offset 0 11475 NULL
100940 +sca3000_read_first_n_hw_rb_11479 sca3000_read_first_n_hw_rb 2 11479 NULL
100941 +xfs_file_buffered_aio_write_11492 xfs_file_buffered_aio_write 4 11492 NULL
100942 +sd_do_mode_sense_11507 sd_do_mode_sense 5 11507 NULL
100943 +kmem_zalloc_11510 kmem_zalloc 1 11510 NULL
100944 +twl_direction_in_11527 twl_direction_in 2 11527 NULL
100945 +setup_IO_APIC_irq_extra_11537 setup_IO_APIC_irq_extra 1 11537 NULL
100946 +skb_cow_data_11565 skb_cow_data 0-2 11565 NULL
100947 +mlx4_init_cmpt_table_11569 mlx4_init_cmpt_table 3 11569 NULL
100948 +oprofilefs_ulong_to_user_11582 oprofilefs_ulong_to_user 3 11582 NULL
100949 +snd_pcm_action_11589 snd_pcm_action 0 11589 NULL
100950 +fw_device_op_ioctl_11595 fw_device_op_ioctl 2 11595 NULL
100951 +SYSC_mq_timedsend_11607 SYSC_mq_timedsend 3 11607 NULL
100952 +add_new_bitmap_11644 add_new_bitmap 3 11644 NULL
100953 +sisusb_send_bridge_packet_11649 sisusb_send_bridge_packet 2 11649 NULL
100954 +nla_total_size_11658 nla_total_size 0-1 11658 NULL
100955 +ide_queue_pc_tail_11673 ide_queue_pc_tail 5 11673 NULL
100956 +compat_SyS_msgsnd_11675 compat_SyS_msgsnd 2-3 11675 NULL
100957 +btrfs_alloc_delayed_item_11678 btrfs_alloc_delayed_item 1 11678 NULL
100958 +dsp_buffer_alloc_11684 dsp_buffer_alloc 2 11684 NULL
100959 +sctp_setsockopt_hmac_ident_11687 sctp_setsockopt_hmac_ident 3 11687 NULL
100960 +split_11691 split 2 11691 NULL
100961 +snd_ctl_elem_user_tlv_11695 snd_ctl_elem_user_tlv 3 11695 NULL
100962 +blk_rq_cur_bytes_11723 blk_rq_cur_bytes 0 11723 NULL
100963 +tcf_csum_ipv6_icmp_11738 tcf_csum_ipv6_icmp 4 11738 NULL
100964 +nfsd4_get_drc_mem_11748 nfsd4_get_drc_mem 0-1-2 11748 NULL
100965 +dm_bio_prison_create_11749 dm_bio_prison_create 1 11749 NULL
100966 +iwl_dbgfs_qos_read_11753 iwl_dbgfs_qos_read 3 11753 NULL
100967 +ps_pspoll_timeouts_read_11776 ps_pspoll_timeouts_read 3 11776 NULL
100968 +ebt_buf_add_11779 ebt_buf_add 0 11779 NULL
100969 +btrfs_key_blockptr_11786 btrfs_key_blockptr 0 11786 NULL
100970 +pcpu_fc_alloc_11818 pcpu_fc_alloc 2-3 11818 NULL
100971 +zerocopy_sg_from_iovec_11828 zerocopy_sg_from_iovec 3 11828 NULL
100972 +sctp_setsockopt_maxseg_11829 sctp_setsockopt_maxseg 3 11829 NULL
100973 +rts51x_read_status_11830 rts51x_read_status 4 11830 NULL
100974 +unix_stream_connect_11844 unix_stream_connect 3 11844 NULL
100975 +nf_nat_sdp_media_11863 nf_nat_sdp_media 9 11863 NULL
100976 +ecryptfs_copy_filename_11868 ecryptfs_copy_filename 4 11868 NULL
100977 +ieee80211_rx_bss_info_11887 ieee80211_rx_bss_info 3 11887 NULL
100978 +kmalloc_slab_11917 kmalloc_slab 1 11917 NULL
100979 +fs_devrw_entry_11924 fs_devrw_entry 3 11924 NULL
100980 +bitmap_remap_11929 bitmap_remap 5 11929 NULL
100981 +atomic_sub_return_11939 atomic_sub_return 0-1 11939 NULL
100982 +dccp_feat_clone_sp_val_11942 dccp_feat_clone_sp_val 3 11942 NULL
100983 +f1x_swap_interleaved_region_11970 f1x_swap_interleaved_region 0-2 11970 NULL
100984 +atmel_read16_11981 atmel_read16 0 11981 NULL
100985 +read_and_add_raw_conns_11987 read_and_add_raw_conns 0 11987 NULL
100986 +ftdi_elan_total_command_size_12045 ftdi_elan_total_command_size 0 12045 NULL
100987 +ieee80211_if_read_user_power_level_12050 ieee80211_if_read_user_power_level 3 12050 NULL
100988 +il4965_ucode_tx_stats_read_12064 il4965_ucode_tx_stats_read 3 12064 NULL
100989 +ptc_proc_write_12076 ptc_proc_write 3 12076 NULL
100990 +ubifs_recover_log_leb_12079 ubifs_recover_log_leb 3 12079 NULL
100991 +pse36_gfn_delta_12087 pse36_gfn_delta 0-1 12087 NULL
100992 +alloc_bulk_urbs_generic_12127 alloc_bulk_urbs_generic 5 12127 NULL
100993 +set_powered_12129 set_powered 4 12129 NULL
100994 +nfs_writedata_alloc_12133 nfs_writedata_alloc 2 12133 NULL
100995 +ramoops_init_prz_12134 ramoops_init_prz 5 12134 NULL
100996 +xfs_handle_to_dentry_12135 xfs_handle_to_dentry 3 12135 NULL
100997 +batadv_add_packet_12136 batadv_add_packet 3 12136 NULL
100998 +rawv6_seticmpfilter_12137 rawv6_seticmpfilter 5 12137 NULL
100999 +vmw_fifo_reserve_12141 vmw_fifo_reserve 2 12141 NULL
101000 +get_idx_gc_leb_12148 get_idx_gc_leb 0 12148 NULL
101001 +btmrvl_sdio_host_to_card_12152 btmrvl_sdio_host_to_card 3 12152 NULL
101002 +vmbus_open_12154 vmbus_open 2-3 12154 NULL
101003 +wil_rxdesc_phy_length_12165 wil_rxdesc_phy_length 0 12165 NULL
101004 +dma_memcpy_to_iovec_12173 dma_memcpy_to_iovec 5 12173 NULL
101005 +ddp_make_gl_12179 ddp_make_gl 1 12179 NULL
101006 +compat_do_arpt_set_ctl_12184 compat_do_arpt_set_ctl 4 12184 NULL
101007 +ip_generic_getfrag_12187 ip_generic_getfrag 3-4 12187 NULL
101008 +bl_is_sector_init_12199 bl_is_sector_init 2 12199 NULL
101009 +scaled_div_12201 scaled_div 1-2 12201 NULL
101010 +free_initrd_mem_12203 free_initrd_mem 1 12203 NULL
101011 +receive_copy_12216 receive_copy 3 12216 NULL
101012 +snd_pcm_kernel_ioctl_12219 snd_pcm_kernel_ioctl 0 12219 NULL
101013 +fuse_get_req_12221 fuse_get_req 2 12221 NULL nohasharray
101014 +aat2870_reg_read_file_12221 aat2870_reg_read_file 3 12221 &fuse_get_req_12221
101015 +__alloc_bootmem_low_nopanic_12235 __alloc_bootmem_low_nopanic 1-2 12235 NULL
101016 +ib_uverbs_unmarshall_recv_12251 ib_uverbs_unmarshall_recv 5 12251 NULL
101017 +ath_descdma_setup_12257 ath_descdma_setup 5 12257 NULL
101018 +shash_compat_setkey_12267 shash_compat_setkey 3 12267 NULL
101019 +add_sctp_bind_addr_12269 add_sctp_bind_addr 3 12269 NULL
101020 +note_last_dentry_12285 note_last_dentry 3 12285 NULL
101021 +roundup_to_multiple_of_64_12288 roundup_to_multiple_of_64 0-1 12288 NULL nohasharray
101022 +il_dbgfs_nvm_read_12288 il_dbgfs_nvm_read 3 12288 &roundup_to_multiple_of_64_12288
101023 +vxge_get_num_vfs_12302 vxge_get_num_vfs 0 12302 NULL
101024 +wrap_min_12303 wrap_min 0-1-2 12303 NULL
101025 +tipc_msg_build_12326 tipc_msg_build 4 12326 NULL
101026 +pcbit_writecmd_12332 pcbit_writecmd 2 12332 NULL
101027 +mptctl_ioctl_12355 mptctl_ioctl 2 12355 NULL
101028 +paging32_walk_addr_12359 paging32_walk_addr 3 12359 NULL
101029 +__nf_ct_ext_add_length_12364 __nf_ct_ext_add_length 3 12364 NULL
101030 +xfs_iext_inline_to_direct_12384 xfs_iext_inline_to_direct 2 12384 NULL
101031 +btrfs_file_extent_ram_bytes_12391 btrfs_file_extent_ram_bytes 0 12391 NULL
101032 +hbucket_elem_add_12416 hbucket_elem_add 3 12416 NULL
101033 +ieee80211_if_read_num_mcast_sta_12419 ieee80211_if_read_num_mcast_sta 3 12419 NULL
101034 +skb_do_copy_data_nocache_12465 skb_do_copy_data_nocache 5 12465 NULL
101035 +qla4_82xx_pci_mem_write_direct_12479 qla4_82xx_pci_mem_write_direct 2 12479 NULL
101036 +x25_sendmsg_12487 x25_sendmsg 4 12487 NULL
101037 +rtllib_auth_challenge_12493 rtllib_auth_challenge 3 12493 NULL
101038 +fnic_trace_ctrl_read_12497 fnic_trace_ctrl_read 3 12497 NULL
101039 +nfs_readdir_make_qstr_12509 nfs_readdir_make_qstr 3 12509 NULL
101040 +qib_alloc_fast_reg_mr_12526 qib_alloc_fast_reg_mr 2 12526 NULL
101041 +kvm_setup_async_pf_12555 kvm_setup_async_pf 3 12555 NULL
101042 +ib_umem_get_12557 ib_umem_get 2-3 12557 NULL
101043 +hvc_alloc_12579 hvc_alloc 4 12579 NULL
101044 +snd_pcm_plugin_alloc_12580 snd_pcm_plugin_alloc 2 12580 NULL
101045 +macvtap_compat_ioctl_12587 macvtap_compat_ioctl 3 12587 NULL
101046 +pcpu_extend_area_map_12589 pcpu_extend_area_map 2 12589 NULL
101047 +ipv6_get_l4proto_12600 ipv6_get_l4proto 2 12600 NULL
101048 +vhci_put_user_12604 vhci_put_user 4 12604 NULL
101049 +fc_fcp_frame_alloc_12624 fc_fcp_frame_alloc 2 12624 NULL
101050 +pwr_rcvd_awake_bcns_cnt_read_12632 pwr_rcvd_awake_bcns_cnt_read 3 12632 NULL
101051 +ctrl_cdev_compat_ioctl_12634 ctrl_cdev_compat_ioctl 3 12634 NULL
101052 +pn_sendmsg_12640 pn_sendmsg 4 12640 NULL
101053 +dwc3_link_state_write_12641 dwc3_link_state_write 3 12641 NULL
101054 +wb_create_12651 wb_create 1 12651 NULL
101055 +ocfs2_read_block_12659 ocfs2_read_block 0 12659 NULL
101056 +sel_read_class_12669 sel_read_class 3 12669 NULL nohasharray
101057 +sparse_mem_maps_populate_node_12669 sparse_mem_maps_populate_node 4 12669 &sel_read_class_12669
101058 +ieee80211_if_read_num_buffered_multicast_12716 ieee80211_if_read_num_buffered_multicast 3 12716 NULL
101059 +ivtv_write_12721 ivtv_write 3 12721 NULL
101060 +key_rx_spec_read_12736 key_rx_spec_read 3 12736 NULL
101061 +__mei_cl_async_send_12737 __mei_cl_async_send 3 12737 NULL
101062 +__videobuf_alloc_cached_12740 __videobuf_alloc_cached 1 12740 NULL
101063 +ieee80211_if_read_dot11MeshMaxRetries_12756 ieee80211_if_read_dot11MeshMaxRetries 3 12756 NULL
101064 +listxattr_12769 listxattr 3 12769 NULL
101065 +sctp_ssnmap_init_12772 sctp_ssnmap_init 2-3 12772 NULL
101066 +ieee80211_rx_mgmt_beacon_12780 ieee80211_rx_mgmt_beacon 3 12780 NULL
101067 +platform_create_bundle_12785 platform_create_bundle 4-6 12785 NULL
101068 +btrfs_remove_free_space_12793 btrfs_remove_free_space 2 12793 NULL
101069 +scsi_adjust_queue_depth_12802 scsi_adjust_queue_depth 3 12802 NULL
101070 +xfs_inumbers_fmt_12817 xfs_inumbers_fmt 3 12817 NULL
101071 +readq_12825 readq 0 12825 NULL
101072 +TSS_authhmac_12839 TSS_authhmac 3 12839 NULL
101073 +spidev_sync_12842 spidev_sync 0 12842 NULL nohasharray
101074 +ath6kl_wmi_add_wow_pattern_cmd_12842 ath6kl_wmi_add_wow_pattern_cmd 4 12842 &spidev_sync_12842
101075 +spidev_ioctl_12846 spidev_ioctl 2 12846 NULL
101076 +get_leb_cnt_12892 get_leb_cnt 0-2 12892 NULL
101077 +ocfs2_hamming_encode_block_12904 ocfs2_hamming_encode_block 2 12904 NULL
101078 +get_virtual_node_size_12908 get_virtual_node_size 0 12908 NULL
101079 +rds_pages_in_vec_12922 rds_pages_in_vec 0 12922 NULL
101080 +ci_ll_init_12930 ci_ll_init 3 12930 NULL
101081 +do_inode_permission_12946 do_inode_permission 0 12946 NULL
101082 +bm_status_write_12964 bm_status_write 3 12964 NULL
101083 +_drbd_md_first_sector_12984 _drbd_md_first_sector 0 12984 NULL
101084 +raid56_parity_recover_12987 raid56_parity_recover 5 12987 NULL
101085 +acpi_tb_install_table_12988 acpi_tb_install_table 1 12988 NULL
101086 +TransmitTcb_12989 TransmitTcb 4 12989 NULL
101087 +sk_peek_offset_12991 sk_peek_offset 0 12991 NULL
101088 +subsystem_filter_write_13022 subsystem_filter_write 3 13022 NULL
101089 +generic_segment_checks_13041 generic_segment_checks 0 13041 NULL
101090 +ocfs2_write_begin_13045 ocfs2_write_begin 3-4 13045 NULL
101091 +__dn_setsockopt_13060 __dn_setsockopt 5 13060 NULL
101092 +biovec_create_pool_13079 biovec_create_pool 2 13079 NULL
101093 +irq_set_chip_and_handler_13088 irq_set_chip_and_handler 1 13088 NULL
101094 +xattr_getsecurity_13090 xattr_getsecurity 0 13090 NULL
101095 +blk_rq_map_sg_13092 blk_rq_map_sg 0 13092 NULL
101096 +mb_find_next_zero_bit_13100 mb_find_next_zero_bit 2-3 13100 NULL
101097 +ubifs_compat_ioctl_13108 ubifs_compat_ioctl 3 13108 NULL
101098 +snd_rme96_playback_copy_13111 snd_rme96_playback_copy 5 13111 NULL
101099 +xen_allocate_irq_dynamic_13116 xen_allocate_irq_dynamic 0 13116 NULL
101100 +bfad_debugfs_read_13119 bfad_debugfs_read 3 13119 NULL
101101 +blk_update_request_13146 blk_update_request 3 13146 NULL
101102 +caif_stream_recvmsg_13173 caif_stream_recvmsg 4 13173 NULL
101103 +pwr_disable_ps_read_13176 pwr_disable_ps_read 3 13176 NULL
101104 +ucs2_strlen_13178 ucs2_strlen 0 13178 NULL
101105 +dgrp_net_ioctl_13183 dgrp_net_ioctl 2 13183 NULL
101106 +create_trace_uprobe_13184 create_trace_uprobe 1 13184 NULL
101107 +compat_put_ulong_13186 compat_put_ulong 1 13186 NULL
101108 +__cmpxchg64_13187 __cmpxchg64 0 13187 NULL
101109 +comedi_read_13199 comedi_read 3 13199 NULL
101110 +mmc_ext_csd_read_13205 mmc_ext_csd_read 3 13205 NULL
101111 +__nodes_fold_13215 __nodes_fold 4 13215 NULL
101112 +svm_msrpm_offset_13220 svm_msrpm_offset 0-1 13220 NULL
101113 +fnic_trace_ctrl_write_13229 fnic_trace_ctrl_write 3 13229 NULL
101114 +asix_read_cmd_13245 asix_read_cmd 5 13245 NULL
101115 +fw_download_code_13249 fw_download_code 3 13249 NULL nohasharray
101116 +kvm_lapic_enable_pv_eoi_13249 kvm_lapic_enable_pv_eoi 2 13249 &fw_download_code_13249
101117 +init_tid_tabs_13252 init_tid_tabs 2-3-4 13252 NULL
101118 +hostap_80211_get_hdrlen_13255 hostap_80211_get_hdrlen 0 13255 NULL
101119 +bio_integrity_trim_13259 bio_integrity_trim 3 13259 NULL
101120 +c4iw_reg_user_mr_13269 c4iw_reg_user_mr 2-3 13269 NULL
101121 +carl9170_rx_13272 carl9170_rx 3 13272 NULL
101122 +pmcraid_notify_aen_13274 pmcraid_notify_aen 3 13274 NULL
101123 +il4965_stats_flag_13281 il4965_stats_flag 0-3 13281 NULL
101124 +lpfc_idiag_mbxacc_get_setup_13282 lpfc_idiag_mbxacc_get_setup 0 13282 NULL
101125 +platform_device_add_resources_13289 platform_device_add_resources 3 13289 NULL
101126 +i915_drop_caches_write_13308 i915_drop_caches_write 3 13308 NULL
101127 +reexecute_instruction_13321 reexecute_instruction 2 13321 NULL
101128 +us122l_ctl_msg_13330 us122l_ctl_msg 8 13330 NULL
101129 +__clone_and_map_data_bio_13334 __clone_and_map_data_bio 4-8 13334 NULL
101130 +kvm_read_nested_guest_page_13337 kvm_read_nested_guest_page 5-2 13337 NULL
101131 +cache_ctr_13364 cache_ctr 2 13364 NULL
101132 +mthca_alloc_mtt_range_13371 mthca_alloc_mtt_range 2 13371 NULL
101133 +iso_sched_alloc_13377 iso_sched_alloc 1 13377 NULL nohasharray
101134 +wep_key_not_found_read_13377 wep_key_not_found_read 3 13377 &iso_sched_alloc_13377
101135 +dis_bypass_write_13388 dis_bypass_write 3 13388 NULL
101136 +carl9170_rx_untie_data_13405 carl9170_rx_untie_data 3 13405 NULL
101137 +sky2_receive_13407 sky2_receive 2 13407 NULL
101138 +netxen_alloc_sds_rings_13417 netxen_alloc_sds_rings 2 13417 NULL
101139 +keyring_read_13438 keyring_read 3 13438 NULL
101140 +sctp_setsockopt_peer_primary_addr_13440 sctp_setsockopt_peer_primary_addr 3 13440 NULL nohasharray
101141 +set_tap_pwup_pfs_13440 set_tap_pwup_pfs 3 13440 &sctp_setsockopt_peer_primary_addr_13440
101142 +ath6kl_cfg80211_connect_event_13443 ath6kl_cfg80211_connect_event 8-9-7 13443 NULL
101143 +mthca_buddy_alloc_13454 mthca_buddy_alloc 2 13454 NULL
101144 +ocfs2_align_bytes_to_blocks_13512 ocfs2_align_bytes_to_blocks 2 13512 NULL
101145 +core_status_13515 core_status 4 13515 NULL
101146 +smk_write_mapped_13519 smk_write_mapped 3 13519 NULL
101147 +bm_init_13529 bm_init 2 13529 NULL
101148 +non_atomic_pte_lookup_13540 non_atomic_pte_lookup 2 13540 NULL nohasharray
101149 +SYSC_remap_file_pages_13540 SYSC_remap_file_pages 1 13540 &non_atomic_pte_lookup_13540
101150 +ieee80211_if_read_ap_power_level_13558 ieee80211_if_read_ap_power_level 3 13558 NULL
101151 +ubifs_get_idx_gc_leb_13566 ubifs_get_idx_gc_leb 0 13566 NULL
101152 +sys_madvise_13569 sys_madvise 1 13569 NULL
101153 +read_file_antenna_13574 read_file_antenna 3 13574 NULL
101154 +cache_write_13589 cache_write 3 13589 NULL
101155 +mpt_lan_receive_post_turbo_13592 mpt_lan_receive_post_turbo 2 13592 NULL
101156 +aac_sa_ioremap_13596 aac_sa_ioremap 2 13596 NULL nohasharray
101157 +irias_new_octseq_value_13596 irias_new_octseq_value 2 13596 &aac_sa_ioremap_13596
101158 +usb_dump_interface_descriptor_13603 usb_dump_interface_descriptor 0 13603 NULL
101159 +swap_cgroup_swapon_13614 swap_cgroup_swapon 2 13614 NULL
101160 +wm8994_bulk_write_13615 wm8994_bulk_write 2-3 13615 NULL
101161 +pmcraid_get_minor_13619 pmcraid_get_minor 0 13619 NULL
101162 +iio_device_add_event_sysfs_13627 iio_device_add_event_sysfs 0 13627 NULL
101163 +packet_snd_13634 packet_snd 3 13634 NULL
101164 +blk_msg_write_13655 blk_msg_write 3 13655 NULL
101165 +cache_downcall_13666 cache_downcall 3 13666 NULL
101166 +fw_iso_buffer_alloc_13704 fw_iso_buffer_alloc 2 13704 NULL
101167 +audit_unpack_string_13748 audit_unpack_string 3 13748 NULL
101168 +ufs_dtog_13750 ufs_dtog 0-2 13750 NULL
101169 +ieee802154_alloc_device_13767 ieee802154_alloc_device 1 13767 NULL
101170 +fb_sys_read_13778 fb_sys_read 3 13778 NULL
101171 +ath6kl_mgmt_powersave_ap_13791 ath6kl_mgmt_powersave_ap 6 13791 NULL
101172 +random_read_13815 random_read 3 13815 NULL
101173 +hsi_register_board_info_13820 hsi_register_board_info 2 13820 NULL
101174 +___mei_cl_send_13821 ___mei_cl_send 3 13821 NULL
101175 +evdev_ioctl_compat_13851 evdev_ioctl_compat 2-3 13851 NULL
101176 +compat_ip_setsockopt_13870 compat_ip_setsockopt 5 13870 NULL nohasharray
101177 +alloc_trace_uprobe_13870 alloc_trace_uprobe 3 13870 &compat_ip_setsockopt_13870
101178 +qp_memcpy_to_queue_13886 qp_memcpy_to_queue 2-5 13886 NULL
101179 +snd_pcm_aio_read_13900 snd_pcm_aio_read 3 13900 NULL
101180 +ext3_xattr_block_get_13936 ext3_xattr_block_get 0 13936 NULL
101181 +ieee80211_if_read_dot11MeshForwarding_13940 ieee80211_if_read_dot11MeshForwarding 3 13940 NULL nohasharray
101182 +ocfs2_xa_value_truncate_13940 ocfs2_xa_value_truncate 2 13940 &ieee80211_if_read_dot11MeshForwarding_13940
101183 +iwl_dbgfs_protection_mode_read_13943 iwl_dbgfs_protection_mode_read 3 13943 NULL
101184 +compat_chaninfo_13945 compat_chaninfo 2 13945 NULL
101185 +ieee80211_if_read_min_discovery_timeout_13946 ieee80211_if_read_min_discovery_timeout 3 13946 NULL
101186 +lpfc_idiag_queacc_read_13950 lpfc_idiag_queacc_read 3 13950 NULL
101187 +snd_pcm_plug_slave_size_13967 snd_pcm_plug_slave_size 0-2 13967 NULL
101188 +com90xx_found_13974 com90xx_found 3 13974 NULL
101189 +qcam_read_13977 qcam_read 3 13977 NULL
101190 +dsp_read_13980 dsp_read 2 13980 NULL
101191 +bm_block_bits_13981 bm_block_bits 0 13981 NULL nohasharray
101192 +dvb_demux_read_13981 dvb_demux_read 3 13981 &bm_block_bits_13981
101193 +btrfs_get_blocks_direct_14016 btrfs_get_blocks_direct 2 14016 NULL
101194 +dmi_format_ids_14018 dmi_format_ids 2 14018 NULL
101195 +_rtl92s_firmware_downloadcode_14021 _rtl92s_firmware_downloadcode 3 14021 NULL
101196 +iscsi_create_flashnode_conn_14022 iscsi_create_flashnode_conn 4 14022 NULL
101197 +dvb_usercopy_14036 dvb_usercopy 2 14036 NULL
101198 +read_def_modal_eeprom_14041 read_def_modal_eeprom 3 14041 NULL
101199 +ieee80211_if_fmt_aid_14055 ieee80211_if_fmt_aid 3 14055 NULL
101200 +sta_agg_status_read_14058 sta_agg_status_read 3 14058 NULL
101201 +i915_drop_caches_read_14060 i915_drop_caches_read 3 14060 NULL
101202 +do_proc_readlink_14096 do_proc_readlink 3 14096 NULL
101203 +compat_sys_pselect6_14105 compat_sys_pselect6 1 14105 NULL
101204 +nlmsg_len_14115 nlmsg_len 0 14115 NULL
101205 +vfio_fops_compat_ioctl_14130 vfio_fops_compat_ioctl 3 14130 NULL
101206 +ntfs_rl_replace_14136 ntfs_rl_replace 2-4 14136 NULL
101207 +isku_sysfs_read_light_14140 isku_sysfs_read_light 6 14140 NULL
101208 +em_canid_change_14150 em_canid_change 3 14150 NULL
101209 +gsm_dlci_data_14155 gsm_dlci_data 3 14155 NULL
101210 +print_input_mask_14168 print_input_mask 3-0 14168 NULL
101211 +ocfs2_xattr_value_truncate_14183 ocfs2_xattr_value_truncate 3 14183 NULL
101212 +alloc_async_14208 alloc_async 1 14208 NULL
101213 +sys_kexec_load_14222 sys_kexec_load 2 14222 NULL
101214 +ieee80211_if_write_uapsd_max_sp_len_14233 ieee80211_if_write_uapsd_max_sp_len 3 14233 NULL
101215 +dma_declare_coherent_memory_14244 dma_declare_coherent_memory 4-2 14244 NULL
101216 +snd_soc_hw_bulk_write_raw_14245 snd_soc_hw_bulk_write_raw 2-4 14245 NULL
101217 +reiserfs_compat_ioctl_14265 reiserfs_compat_ioctl 3 14265 NULL
101218 +ath6kl_connect_event_14267 ath6kl_connect_event 8-9-7 14267 NULL
101219 +add_numbered_child_14273 add_numbered_child 5 14273 NULL
101220 +OS_mem_token_alloc_14276 OS_mem_token_alloc 1 14276 NULL
101221 +snd_seq_oss_readq_new_14283 snd_seq_oss_readq_new 2 14283 NULL
101222 +rr_status_14293 rr_status 5 14293 NULL
101223 +read_default_ldt_14302 read_default_ldt 2 14302 NULL
101224 +oo_objects_14319 oo_objects 0 14319 NULL
101225 +p9_client_zc_rpc_14345 p9_client_zc_rpc 7 14345 NULL
101226 +scsi2int_14358 scsi2int 0 14358 NULL
101227 +snd_pcm_lib_readv_14363 snd_pcm_lib_readv 0-3 14363 NULL
101228 +acpi_get_override_irq_14381 acpi_get_override_irq 1 14381 NULL
101229 +ath6kl_regdump_read_14393 ath6kl_regdump_read 3 14393 NULL
101230 +smk_write_onlycap_14400 smk_write_onlycap 3 14400 NULL
101231 +mtd_concat_create_14416 mtd_concat_create 2 14416 NULL
101232 +get_kcore_size_14425 get_kcore_size 0 14425 NULL
101233 +check_lpt_crc_14442 check_lpt_crc 0 14442 NULL
101234 +block_size_14443 block_size 0 14443 NULL
101235 +ci13xxx_add_device_14456 ci13xxx_add_device 3 14456 NULL
101236 +snd_emu10k1_proc_spdif_status_14457 snd_emu10k1_proc_spdif_status 4-5 14457 NULL
101237 +udplite_getfrag_14479 udplite_getfrag 3-4 14479 NULL
101238 +ieee80211_if_read_dot11MeshGateAnnouncementProtocol_14486 ieee80211_if_read_dot11MeshGateAnnouncementProtocol 3 14486 NULL
101239 +ocfs2_debug_read_14507 ocfs2_debug_read 3 14507 NULL
101240 +dataflash_read_user_otp_14536 dataflash_read_user_otp 2-3 14536 NULL nohasharray
101241 +ep0_write_14536 ep0_write 3 14536 &dataflash_read_user_otp_14536
101242 +picolcd_debug_eeprom_read_14549 picolcd_debug_eeprom_read 3 14549 NULL
101243 +drm_vmalloc_dma_14550 drm_vmalloc_dma 1 14550 NULL
101244 +usb_dump_desc_14553 usb_dump_desc 0 14553 NULL
101245 +qp_host_alloc_queue_14566 qp_host_alloc_queue 1 14566 NULL
101246 +SyS_setdomainname_14569 SyS_setdomainname 2 14569 NULL
101247 +remap_to_origin_then_cache_14583 remap_to_origin_then_cache 3 14583 NULL
101248 +idmap_pipe_downcall_14591 idmap_pipe_downcall 3 14591 NULL
101249 +ceph_osdc_alloc_request_14597 ceph_osdc_alloc_request 3 14597 NULL
101250 +ocfs2_trim_group_14641 ocfs2_trim_group 4-3 14641 NULL
101251 +dbJoin_14644 dbJoin 0 14644 NULL
101252 +profile_replace_14652 profile_replace 3 14652 NULL
101253 +pipeline_enc_tx_stat_fifo_int_read_14680 pipeline_enc_tx_stat_fifo_int_read 3 14680 NULL
101254 +ieee80211_if_fmt_rc_rateidx_mask_2ghz_14683 ieee80211_if_fmt_rc_rateidx_mask_2ghz 3 14683 NULL
101255 +tsi148_master_set_14685 tsi148_master_set 4 14685 NULL
101256 +SyS_fsetxattr_14702 SyS_fsetxattr 4 14702 NULL
101257 +persistent_ram_ecc_string_14704 persistent_ram_ecc_string 0 14704 NULL
101258 +u_audio_playback_14709 u_audio_playback 3 14709 NULL
101259 +get_bio_block_14714 get_bio_block 0 14714 NULL
101260 +vfd_write_14717 vfd_write 3 14717 NULL
101261 +__blk_end_request_14729 __blk_end_request 3 14729 NULL
101262 +raid1_resize_14740 raid1_resize 2 14740 NULL
101263 +btrfs_inode_extref_name_len_14752 btrfs_inode_extref_name_len 0 14752 NULL
101264 +rx_rx_cmplt_read_14753 rx_rx_cmplt_read 3 14753 NULL
101265 +qla82xx_pci_mem_write_2M_14765 qla82xx_pci_mem_write_2M 2 14765 NULL
101266 +regmap_range_read_file_14775 regmap_range_read_file 3 14775 NULL
101267 +sta_dev_read_14782 sta_dev_read 3 14782 NULL
101268 +ext4_kvmalloc_14796 ext4_kvmalloc 1 14796 NULL
101269 +hpet_readl_14801 hpet_readl 0 14801 NULL nohasharray
101270 +snd_als300_gcr_read_14801 snd_als300_gcr_read 0 14801 &hpet_readl_14801
101271 +bcma_scan_read32_14802 bcma_scan_read32 0 14802 NULL
101272 +do_tune_cpucache_14828 do_tune_cpucache 2 14828 NULL
101273 +__mutex_fastpath_lock_retval_14844 __mutex_fastpath_lock_retval 0 14844 NULL
101274 +mrp_attr_create_14853 mrp_attr_create 3 14853 NULL
101275 +lcd_write_14857 lcd_write 3 14857 NULL nohasharray
101276 +__krealloc_14857 __krealloc 2 14857 &lcd_write_14857
101277 +get_user_cpu_mask_14861 get_user_cpu_mask 2 14861 NULL
101278 +sriov_enable_migration_14889 sriov_enable_migration 2 14889 NULL
101279 +acpi_os_allocate_14892 acpi_os_allocate 1 14892 NULL
101280 +unifi_read_14899 unifi_read 3 14899 NULL
101281 +SYSC_readv_14901 SYSC_readv 3 14901 NULL
101282 +krealloc_14908 krealloc 2 14908 NULL
101283 +regmap_irq_get_virq_14910 regmap_irq_get_virq 2 14910 NULL
101284 +__arch_hweight64_14923 __arch_hweight64 0 14923 NULL nohasharray
101285 +qp_memcpy_to_queue_iov_14923 qp_memcpy_to_queue_iov 2-5 14923 &__arch_hweight64_14923
101286 +ocfs2_expand_nonsparse_inode_14936 ocfs2_expand_nonsparse_inode 3-4 14936 NULL
101287 +queue_cnt_14951 queue_cnt 0 14951 NULL
101288 +videobuf_read_stream_14956 videobuf_read_stream 3 14956 NULL
101289 +mce_flush_rx_buffer_14976 mce_flush_rx_buffer 2 14976 NULL
101290 +setkey_14987 setkey 3 14987 NULL nohasharray
101291 +gpio_twl4030_write_14987 gpio_twl4030_write 1 14987 &setkey_14987
101292 +xfs_dinode_size_14996 xfs_dinode_size 0 14996 NULL
101293 +vmap_15025 vmap 2 15025 NULL
101294 +blk_integrity_tuple_size_15027 blk_integrity_tuple_size 0 15027 NULL
101295 +irq_get_next_irq_15053 irq_get_next_irq 1 15053 NULL
101296 +cld_pipe_downcall_15058 cld_pipe_downcall 3 15058 NULL
101297 +ieee80211_if_read_uapsd_max_sp_len_15067 ieee80211_if_read_uapsd_max_sp_len 3 15067 NULL
101298 +nfs4_write_cached_acl_15070 nfs4_write_cached_acl 4 15070 NULL
101299 +ntfs_copy_from_user_15072 ntfs_copy_from_user 3-5 15072 NULL
101300 +compat_SyS_preadv_15105 compat_SyS_preadv 3 15105 NULL
101301 +hex_dump_to_buffer_15121 hex_dump_to_buffer 6 15121 NULL
101302 +start_port_15124 start_port 0 15124 NULL
101303 +memchr_15126 memchr 0 15126 NULL
101304 +ipwireless_ppp_mru_15153 ipwireless_ppp_mru 0 15153 NULL
101305 +self_check_not_bad_15175 self_check_not_bad 0 15175 NULL
101306 +SYSC_setdomainname_15180 SYSC_setdomainname 2 15180 NULL
101307 +iscsi_create_endpoint_15193 iscsi_create_endpoint 1 15193 NULL
101308 +reserve_resources_15194 reserve_resources 3 15194 NULL
101309 +bfad_debugfs_write_regrd_15218 bfad_debugfs_write_regrd 3 15218 NULL
101310 +il_dbgfs_rx_stats_read_15243 il_dbgfs_rx_stats_read 3 15243 NULL
101311 +div64_u64_15263 div64_u64 0-1-2 15263 NULL
101312 +compat_raw_ioctl_15290 compat_raw_ioctl 3 15290 NULL
101313 +sys_connect_15291 sys_connect 3 15291 NULL nohasharray
101314 +xlate_dev_mem_ptr_15291 xlate_dev_mem_ptr 1 15291 &sys_connect_15291
101315 +arch_enable_uv_irq_15294 arch_enable_uv_irq 2 15294 NULL
101316 +acpi_ev_create_gpe_block_15297 acpi_ev_create_gpe_block 5 15297 NULL
101317 +tpm_tis_init_15304 tpm_tis_init 2-3 15304 NULL
101318 +fcoe_ctlr_send_keep_alive_15308 fcoe_ctlr_send_keep_alive 3 15308 NULL
101319 +__ocfs2_remove_xattr_range_15330 __ocfs2_remove_xattr_range 4-5-3 15330 NULL
101320 +kovaplus_sysfs_read_15337 kovaplus_sysfs_read 6 15337 NULL
101321 +ioread16_15342 ioread16 0 15342 NULL
101322 +alloc_ring_15345 alloc_ring 2-4 15345 NULL
101323 +acpi_ut_create_string_object_15360 acpi_ut_create_string_object 1 15360 NULL
101324 +graph_depth_read_15371 graph_depth_read 3 15371 NULL
101325 +compat_sys_process_vm_readv_15374 compat_sys_process_vm_readv 3-5 15374 NULL
101326 +fq_codel_zalloc_15378 fq_codel_zalloc 1 15378 NULL
101327 +domain_flush_pages_15379 domain_flush_pages 2-3 15379 NULL
101328 +alloc_fddidev_15382 alloc_fddidev 1 15382 NULL
101329 +btrfs_level_size_15392 btrfs_level_size 0 15392 NULL
101330 +pipeline_csum_to_rx_xfer_swi_read_15403 pipeline_csum_to_rx_xfer_swi_read 3 15403 NULL
101331 +get_modalias_15406 get_modalias 2 15406 NULL
101332 +dm_cache_resize_15422 dm_cache_resize 2 15422 NULL
101333 +__videobuf_copy_to_user_15423 __videobuf_copy_to_user 4 15423 NULL
101334 +tcp_mtu_to_mss_15438 tcp_mtu_to_mss 2 15438 NULL
101335 +hpsa_change_queue_depth_15449 hpsa_change_queue_depth 2 15449 NULL
101336 +memweight_15450 memweight 2 15450 NULL
101337 +vmalloc_15464 vmalloc 1 15464 NULL
101338 +zd_chip_is_zd1211b_15518 zd_chip_is_zd1211b 0 15518 NULL
101339 +da9052_bat_irq_15533 da9052_bat_irq 1 15533 NULL
101340 +p9_check_zc_errors_15534 p9_check_zc_errors 4 15534 NULL
101341 +ql_process_mac_rx_page_15543 ql_process_mac_rx_page 4 15543 NULL
101342 +ieee80211_amsdu_to_8023s_15561 ieee80211_amsdu_to_8023s 5 15561 NULL
101343 +persistent_status_15574 persistent_status 4 15574 NULL
101344 +bnx2fc_process_unsol_compl_15576 bnx2fc_process_unsol_compl 2 15576 NULL
101345 +vme_user_write_15587 vme_user_write 3 15587 NULL
101346 +ocfs2_truncate_rec_15595 ocfs2_truncate_rec 7 15595 NULL
101347 +sx150x_install_irq_chip_15609 sx150x_install_irq_chip 3 15609 NULL
101348 +iommu_device_max_index_15620 iommu_device_max_index 0-3-2-1 15620 NULL nohasharray
101349 +compat_fillonedir_15620 compat_fillonedir 3 15620 &iommu_device_max_index_15620
101350 +set_dis_tap_pfs_15621 set_dis_tap_pfs 3 15621 NULL
101351 +proc_loginuid_read_15631 proc_loginuid_read 3 15631 NULL
101352 +tomoyo_scan_bprm_15642 tomoyo_scan_bprm 2-4 15642 NULL nohasharray
101353 +sk_memory_allocated_add_15642 sk_memory_allocated_add 2 15642 &tomoyo_scan_bprm_15642 nohasharray
101354 +pipeline_hs_tx_stat_fifo_int_read_15642 pipeline_hs_tx_stat_fifo_int_read 3 15642 &sk_memory_allocated_add_15642
101355 +fs_path_add_15648 fs_path_add 3 15648 NULL
101356 +xsd_read_15653 xsd_read 3 15653 NULL
101357 +compat_sys_fcntl_15654 compat_sys_fcntl 3 15654 NULL
101358 +unix_bind_15668 unix_bind 3 15668 NULL
101359 +dm_read_15674 dm_read 3 15674 NULL
101360 +pstore_mkfile_15675 pstore_mkfile 6 15675 NULL
101361 +uf_sme_queue_message_15697 uf_sme_queue_message 3 15697 NULL
101362 +ocfs2_split_tree_15716 ocfs2_split_tree 5 15716 NULL
101363 +HiSax_readstatus_15752 HiSax_readstatus 2 15752 NULL
101364 +bitmap_search_next_usable_block_15762 bitmap_search_next_usable_block 3-1 15762 NULL
101365 +do_test_15766 do_test 1 15766 NULL
101366 +set_std_nic_pfs_15792 set_std_nic_pfs 3 15792 NULL
101367 +smk_read_direct_15803 smk_read_direct 3 15803 NULL
101368 +snd_pcm_ioctl_compat_15804 snd_pcm_ioctl_compat 3 15804 NULL
101369 +gx1_read_conf_reg_15817 gx1_read_conf_reg 0 15817 NULL nohasharray
101370 +nameseq_list_15817 nameseq_list 3 15817 &gx1_read_conf_reg_15817 nohasharray
101371 +gnttab_expand_15817 gnttab_expand 1 15817 &nameseq_list_15817
101372 +afs_proc_rootcell_write_15822 afs_proc_rootcell_write 3 15822 NULL nohasharray
101373 +firmware_upload_15822 firmware_upload 3 15822 &afs_proc_rootcell_write_15822
101374 +brcmf_sdbrcm_died_dump_15841 brcmf_sdbrcm_died_dump 3 15841 NULL
101375 +table_size_15851 table_size 0-1-2 15851 NULL
101376 +ubi_io_write_15870 ubi_io_write 5-4 15870 NULL nohasharray
101377 +media_entity_init_15870 media_entity_init 2-4 15870 &ubi_io_write_15870
101378 +__mptctl_ioctl_15875 __mptctl_ioctl 2 15875 NULL
101379 +nfs_map_group_to_gid_15892 nfs_map_group_to_gid 3 15892 NULL
101380 +native_read_msr_15905 native_read_msr 0 15905 NULL
101381 +parse_audio_stream_data_15937 parse_audio_stream_data 3 15937 NULL
101382 +power_read_15939 power_read 3 15939 NULL
101383 +lpfc_idiag_drbacc_read_15948 lpfc_idiag_drbacc_read 3 15948 NULL
101384 +snd_pcm_lib_read_transfer_15952 snd_pcm_lib_read_transfer 4-2-5 15952 NULL
101385 +remap_pci_mem_15966 remap_pci_mem 1-2 15966 NULL
101386 +tfrc_calc_x_15975 tfrc_calc_x 1-2 15975 NULL
101387 +frame_alloc_15981 frame_alloc 4 15981 NULL
101388 +alloc_vm_area_15989 alloc_vm_area 1 15989 NULL
101389 +hdpvr_register_videodev_16010 hdpvr_register_videodev 3 16010 NULL
101390 +viafb_vt1636_proc_write_16018 viafb_vt1636_proc_write 3 16018 NULL
101391 +got_frame_16028 got_frame 2 16028 NULL
101392 +read_file_spectral_period_16057 read_file_spectral_period 3 16057 NULL
101393 +isr_tx_exch_complete_read_16103 isr_tx_exch_complete_read 3 16103 NULL
101394 +dma_tx_requested_read_16110 dma_tx_requested_read 3 16110 NULL nohasharray
101395 +isr_hw_pm_mode_changes_read_16110 isr_hw_pm_mode_changes_read 3 16110 &dma_tx_requested_read_16110
101396 +irq_set_chip_and_handler_name_16111 irq_set_chip_and_handler_name 1 16111 NULL
101397 +snd_dma_pointer_16126 snd_dma_pointer 0-2 16126 NULL
101398 +compat_sys_select_16131 compat_sys_select 1 16131 NULL
101399 +fsm_init_16134 fsm_init 2 16134 NULL
101400 +hysdn_rx_netpkt_16136 hysdn_rx_netpkt 3 16136 NULL
101401 +ext4_xattr_block_get_16148 ext4_xattr_block_get 0 16148 NULL
101402 +bnx2i_get_cid_num_16166 bnx2i_get_cid_num 0 16166 NULL
101403 +mapping_level_16188 mapping_level 2 16188 NULL
101404 +cipso_v4_map_cat_rng_hton_16203 cipso_v4_map_cat_rng_hton 0 16203 NULL
101405 +SyS_pselect6_16210 SyS_pselect6 1 16210 NULL
101406 +create_table_16213 create_table 2 16213 NULL
101407 +atomic_read_file_16227 atomic_read_file 3 16227 NULL
101408 +BcmGetSectionValStartOffset_16235 BcmGetSectionValStartOffset 0 16235 NULL
101409 +swiotlb_sync_single_for_device_16247 swiotlb_sync_single_for_device 2 16247 NULL nohasharray
101410 +btrfs_dev_extent_chunk_offset_16247 btrfs_dev_extent_chunk_offset 0 16247 &swiotlb_sync_single_for_device_16247
101411 +mark_written_sectors_16262 mark_written_sectors 2 16262 NULL
101412 +reiserfs_acl_count_16265 reiserfs_acl_count 0-1 16265 NULL
101413 +set_disc_pfs_16270 set_disc_pfs 3 16270 NULL
101414 +mq_force_mapping_16277 mq_force_mapping 2 16277 NULL
101415 +ocfs2_xattr_bucket_value_truncate_16279 ocfs2_xattr_bucket_value_truncate 4 16279 NULL
101416 +drbd_setsockopt_16280 drbd_setsockopt 5 16280 NULL nohasharray
101417 +nand_bch_init_16280 nand_bch_init 3-2 16280 &drbd_setsockopt_16280
101418 +account_16283 account 0-2-4 16283 NULL nohasharray
101419 +mirror_status_16283 mirror_status 5 16283 &account_16283
101420 +retry_instruction_16285 retry_instruction 2 16285 NULL
101421 +stk_allocate_buffers_16291 stk_allocate_buffers 2 16291 NULL
101422 +rbd_segment_offset_16293 rbd_segment_offset 0-2 16293 NULL
101423 +tfrc_invert_loss_event_rate_16295 tfrc_invert_loss_event_rate 1 16295 NULL
101424 +rsc_mgr_init_16299 rsc_mgr_init 3 16299 NULL
101425 +wb_map_16301 wb_map 2 16301 NULL
101426 +ext4_blocks_count_16320 ext4_blocks_count 0 16320 NULL
101427 +vmw_cursor_update_image_16332 vmw_cursor_update_image 3-4 16332 NULL
101428 +total_ps_buffered_read_16365 total_ps_buffered_read 3 16365 NULL
101429 +iscsi_tcp_conn_setup_16376 iscsi_tcp_conn_setup 2 16376 NULL
101430 +nl80211_send_unprot_deauth_16378 nl80211_send_unprot_deauth 4 16378 NULL
101431 +diva_os_malloc_16406 diva_os_malloc 2 16406 NULL
101432 +ieee80211_if_read_tsf_16420 ieee80211_if_read_tsf 3 16420 NULL
101433 +rxrpc_server_keyring_16431 rxrpc_server_keyring 3 16431 NULL
101434 +netlink_change_ngroups_16457 netlink_change_ngroups 2 16457 NULL
101435 +tracing_readme_read_16493 tracing_readme_read 3 16493 NULL
101436 +snd_interval_max_16529 snd_interval_max 0 16529 NULL
101437 +raid10_resize_16537 raid10_resize 2 16537 NULL
101438 +tcp_manip_pkt_16563 tcp_manip_pkt 4 16563 NULL
101439 +lpfc_debugfs_read_16566 lpfc_debugfs_read 3 16566 NULL
101440 +agp_allocate_memory_wrap_16576 agp_allocate_memory_wrap 1 16576 NULL
101441 +virt_to_scatterlist_16582 virt_to_scatterlist 2 16582 NULL
101442 +palmas_irq_get_virq_16613 palmas_irq_get_virq 2 16613 NULL
101443 +btrfs_get_token_32_16651 btrfs_get_token_32 0 16651 NULL
101444 +mfd_add_devices_16668 mfd_add_devices 4 16668 NULL
101445 +ax88179_write_cmd_async_16671 ax88179_write_cmd_async 5 16671 NULL
101446 +arcmsr_adjust_disk_queue_depth_16756 arcmsr_adjust_disk_queue_depth 2 16756 NULL
101447 +compat_blkdev_driver_ioctl_16769 compat_blkdev_driver_ioctl 4 16769 NULL
101448 +blk_rq_map_user_iov_16772 blk_rq_map_user_iov 5 16772 NULL
101449 +i2o_parm_issue_16790 i2o_parm_issue 0 16790 NULL
101450 +get_server_iovec_16804 get_server_iovec 2 16804 NULL
101451 +tipc_send2name_16809 tipc_send2name 6 16809 NULL
101452 +dm_vcalloc_16814 dm_vcalloc 1-2 16814 NULL
101453 +drm_malloc_ab_16831 drm_malloc_ab 1-2 16831 NULL
101454 +scsi_mode_sense_16835 scsi_mode_sense 5 16835 NULL
101455 +hfsplus_min_io_size_16859 hfsplus_min_io_size 0 16859 NULL
101456 +vfio_pci_rw_16861 vfio_pci_rw 3 16861 NULL
101457 +alloc_idx_lebs_16872 alloc_idx_lebs 2 16872 NULL
101458 +carl9170_debugfs_ampdu_state_read_16873 carl9170_debugfs_ampdu_state_read 3 16873 NULL
101459 +st_write_16874 st_write 3 16874 NULL
101460 +__kfifo_peek_n_16877 __kfifo_peek_n 0 16877 NULL
101461 +idx_to_pfn_16919 idx_to_pfn 0 16919 NULL
101462 +psb_unlocked_ioctl_16926 psb_unlocked_ioctl 2 16926 NULL nohasharray
101463 +snd_gf1_mem_proc_dump_16926 snd_gf1_mem_proc_dump 5 16926 &psb_unlocked_ioctl_16926
101464 +_sp2d_alloc_16944 _sp2d_alloc 1-2-3 16944 NULL
101465 +squashfs_read_table_16945 squashfs_read_table 3 16945 NULL
101466 +cfg80211_send_unprot_disassoc_16951 cfg80211_send_unprot_disassoc 3 16951 NULL
101467 +keyctl_instantiate_key_iov_16969 keyctl_instantiate_key_iov 3 16969 NULL
101468 +ceph_read_dir_17005 ceph_read_dir 3 17005 NULL
101469 +copy_counters_to_user_17027 copy_counters_to_user 5 17027 NULL
101470 +jffs2_trusted_setxattr_17048 jffs2_trusted_setxattr 4 17048 NULL
101471 +__arch_hweight32_17060 __arch_hweight32 0 17060 NULL
101472 +dvb_dvr_read_17073 dvb_dvr_read 3 17073 NULL
101473 +simple_transaction_read_17076 simple_transaction_read 3 17076 NULL
101474 +__kmalloc_reserve_17080 __kmalloc_reserve 1 17080 NULL
101475 +carl9170_debugfs_mem_usage_read_17084 carl9170_debugfs_mem_usage_read 3 17084 NULL
101476 +mac_address_string_17091 mac_address_string 0 17091 NULL
101477 +entry_length_17093 entry_length 0 17093 NULL
101478 +sys_preadv_17100 sys_preadv 3 17100 NULL
101479 +pvr2_hdw_state_report_17121 pvr2_hdw_state_report 3 17121 NULL
101480 +mwifiex_get_common_rates_17131 mwifiex_get_common_rates 3 17131 NULL
101481 +nouveau_instobj_create__17144 nouveau_instobj_create_ 4 17144 NULL
101482 +sep_read_17161 sep_read 3 17161 NULL
101483 +befs_nls2utf_17163 befs_nls2utf 3 17163 NULL
101484 +tx_tx_start_templates_read_17164 tx_tx_start_templates_read 3 17164 NULL
101485 +UniStrnlen_17169 UniStrnlen 0 17169 NULL
101486 +access_remote_vm_17189 access_remote_vm 0-2-4 17189 NULL
101487 +driver_state_read_17194 driver_state_read 3 17194 NULL nohasharray
101488 +iscsit_find_cmd_from_itt_or_dump_17194 iscsit_find_cmd_from_itt_or_dump 3 17194 &driver_state_read_17194
101489 +dn_recvmsg_17213 dn_recvmsg 4 17213 NULL
101490 +to_oblock_17254 to_oblock 0-1 17254 NULL
101491 +unpack_value_17259 unpack_value 1 17259 NULL
101492 +__be16_to_cpup_17261 __be16_to_cpup 0 17261 NULL
101493 +error_error_frame_cts_nul_flid_read_17262 error_error_frame_cts_nul_flid_read 3 17262 NULL
101494 +alloc_ep_17269 alloc_ep 1 17269 NULL
101495 +pg_read_17276 pg_read 3 17276 NULL
101496 +raw_recvmsg_17277 raw_recvmsg 4 17277 NULL
101497 +hmac_sha256_17278 hmac_sha256 2 17278 NULL
101498 +neigh_hash_grow_17283 neigh_hash_grow 2 17283 NULL
101499 +minstrel_stats_read_17290 minstrel_stats_read 3 17290 NULL
101500 +install_breakpoint_17292 install_breakpoint 4 17292 NULL
101501 +ieee80211_if_fmt_dot11MeshForwarding_17301 ieee80211_if_fmt_dot11MeshForwarding 3 17301 NULL
101502 +skb_pad_17302 skb_pad 2 17302 NULL
101503 +mb_cache_create_17307 mb_cache_create 2 17307 NULL
101504 +gnttab_map_frames_v2_17314 gnttab_map_frames_v2 2 17314 NULL
101505 +ata_host_alloc_pinfo_17325 ata_host_alloc_pinfo 3 17325 NULL
101506 +ieee80211_if_read_dot11MeshHWMPperrMinInterval_17346 ieee80211_if_read_dot11MeshHWMPperrMinInterval 3 17346 NULL
101507 +ath6kl_wmi_send_mgmt_cmd_17347 ath6kl_wmi_send_mgmt_cmd 7 17347 NULL
101508 +_fd_dma_mem_free_17406 _fd_dma_mem_free 1 17406 NULL
101509 +lpfc_debugfs_dif_err_write_17424 lpfc_debugfs_dif_err_write 3 17424 NULL
101510 +sta_connected_time_read_17435 sta_connected_time_read 3 17435 NULL
101511 +SYSC_fcntl_17441 SYSC_fcntl 3 17441 NULL
101512 +nla_get_u32_17455 nla_get_u32 0 17455 NULL
101513 +__ref_totlen_17461 __ref_totlen 0 17461 NULL
101514 +compat_cmd_17465 compat_cmd 2 17465 NULL
101515 +probe_bios_17467 probe_bios 1 17467 NULL
101516 +probe_kernel_write_17481 probe_kernel_write 3 17481 NULL
101517 +__alloc_session_17485 __alloc_session 2-1 17485 NULL
101518 +TSS_rawhmac_17486 TSS_rawhmac 3 17486 NULL
101519 +bitmap_pos_to_ord_17503 bitmap_pos_to_ord 3 17503 NULL
101520 +__copy_to_user_17551 __copy_to_user 0-3 17551 NULL
101521 +copy_from_user_17559 copy_from_user 3 17559 NULL
101522 +acpi_ut_create_package_object_17594 acpi_ut_create_package_object 1 17594 NULL
101523 +neigh_hash_alloc_17595 neigh_hash_alloc 1 17595 NULL
101524 +rts51x_write_mem_17598 rts51x_write_mem 4 17598 NULL
101525 +iwl_dump_nic_event_log_17601 iwl_dump_nic_event_log 0 17601 NULL
101526 +wm8994_gpio_to_irq_17604 wm8994_gpio_to_irq 2 17604 NULL
101527 +osst_execute_17607 osst_execute 7-6 17607 NULL
101528 +ocfs2_mark_extent_written_17615 ocfs2_mark_extent_written 6 17615 NULL
101529 +ieee80211_if_read_dot11MeshHWMPactivePathToRootTimeout_17618 ieee80211_if_read_dot11MeshHWMPactivePathToRootTimeout 3 17618 NULL
101530 +twl4030_set_gpio_direction_17645 twl4030_set_gpio_direction 1 17645 NULL
101531 +SYSC_migrate_pages_17657 SYSC_migrate_pages 2 17657 NULL
101532 +packet_setsockopt_17662 packet_setsockopt 5 17662 NULL nohasharray
101533 +ubi_io_read_data_17662 ubi_io_read_data 0 17662 &packet_setsockopt_17662
101534 +pwr_enable_ps_read_17686 pwr_enable_ps_read 3 17686 NULL
101535 +gfn_to_pfn_memslot_17693 gfn_to_pfn_memslot 2 17693 NULL
101536 +__einj_error_trigger_17707 __einj_error_trigger 1 17707 NULL nohasharray
101537 +venus_rename_17707 venus_rename 5-4 17707 &__einj_error_trigger_17707
101538 +isku_sysfs_write_keys_function_17726 isku_sysfs_write_keys_function 6 17726 NULL
101539 +exofs_read_lookup_dev_table_17733 exofs_read_lookup_dev_table 3 17733 NULL
101540 +sctpprobe_read_17741 sctpprobe_read 3 17741 NULL
101541 +mark_unsafe_pages_17759 mark_unsafe_pages 0 17759 NULL
101542 +brcmf_usb_attach_17766 brcmf_usb_attach 2-3 17766 NULL
101543 +dtf_read_run_17768 dtf_read_run 3 17768 NULL
101544 +brcmf_sdio_chip_verifynvram_17776 brcmf_sdio_chip_verifynvram 4 17776 NULL
101545 +hash_ipport6_expire_17784 hash_ipport6_expire 3 17784 NULL
101546 +perf_clock_17787 perf_clock 0 17787 NULL
101547 +ubifs_leb_change_17789 ubifs_leb_change 4 17789 NULL
101548 +_snd_pcm_lib_alloc_vmalloc_buffer_17820 _snd_pcm_lib_alloc_vmalloc_buffer 2 17820 NULL
101549 +gnet_stats_copy_app_17821 gnet_stats_copy_app 3 17821 NULL
101550 +cipso_v4_gentag_rbm_17836 cipso_v4_gentag_rbm 0 17836 NULL
101551 +count_leafs_17842 count_leafs 0 17842 NULL
101552 +sisusb_send_bulk_msg_17864 sisusb_send_bulk_msg 3 17864 NULL
101553 +alloc_sja1000dev_17868 alloc_sja1000dev 1 17868 NULL
101554 +ray_cs_essid_proc_write_17875 ray_cs_essid_proc_write 3 17875 NULL
101555 +orinoco_set_key_17878 orinoco_set_key 5-7 17878 NULL
101556 +init_per_cpu_17880 init_per_cpu 1 17880 NULL
101557 +ieee80211_if_fmt_dot11MeshMaxPeerLinks_17883 ieee80211_if_fmt_dot11MeshMaxPeerLinks 3 17883 NULL
101558 +compat_sys_pwritev_17886 compat_sys_pwritev 3 17886 NULL
101559 +ieee80211_if_fmt_dot11MeshHWMPRootMode_17890 ieee80211_if_fmt_dot11MeshHWMPRootMode 3 17890 NULL
101560 +ocfs2_clusters_to_blocks_17896 ocfs2_clusters_to_blocks 0-2 17896 NULL
101561 +recover_head_17904 recover_head 3 17904 NULL
101562 +dccp_feat_register_sp_17914 dccp_feat_register_sp 5 17914 NULL
101563 +xfs_buf_associate_memory_17915 xfs_buf_associate_memory 3 17915 NULL
101564 +srp_iu_pool_alloc_17920 srp_iu_pool_alloc 2 17920 NULL
101565 +scsi_bufflen_17933 scsi_bufflen 0 17933 NULL
101566 +ufs_free_blocks_17963 ufs_free_blocks 2-3 17963 NULL
101567 +calc_nr_buckets_17976 calc_nr_buckets 0 17976 NULL
101568 +smk_write_cipso_17989 smk_write_cipso 3 17989 NULL
101569 +gnttab_max_grant_frames_17993 gnttab_max_grant_frames 0 17993 NULL
101570 +ext4_num_overhead_clusters_18001 ext4_num_overhead_clusters 2 18001 NULL
101571 +pvr2_v4l2_read_18006 pvr2_v4l2_read 3 18006 NULL
101572 +alloc_rx_desc_ring_18016 alloc_rx_desc_ring 2 18016 NULL
101573 +fill_read_18019 fill_read 0 18019 NULL
101574 +o2hb_highest_node_18034 o2hb_highest_node 2 18034 NULL
101575 +cryptd_alloc_instance_18048 cryptd_alloc_instance 2-3 18048 NULL
101576 +find_next_inuse_18051 find_next_inuse 2-3 18051 NULL
101577 +ddebug_proc_write_18055 ddebug_proc_write 3 18055 NULL
101578 +lua_sysfs_read_18062 lua_sysfs_read 6 18062 NULL
101579 +hex_byte_pack_18064 hex_byte_pack 0 18064 NULL
101580 +packet_came_18072 packet_came 3 18072 NULL
101581 +kvm_read_guest_page_18074 kvm_read_guest_page 5-2 18074 NULL
101582 +SYSC_pselect6_18076 SYSC_pselect6 1 18076 NULL
101583 +get_vm_area_18080 get_vm_area 1 18080 NULL
101584 +SYSC_semtimedop_18091 SYSC_semtimedop 3 18091 NULL
101585 +mpi_alloc_18094 mpi_alloc 1 18094 NULL
101586 +dfs_file_read_18116 dfs_file_read 3 18116 NULL
101587 +svc_getnl_18120 svc_getnl 0 18120 NULL
101588 +paging32_gpte_to_gfn_lvl_18131 paging32_gpte_to_gfn_lvl 0-1-2 18131 NULL
101589 +vmw_surface_dma_size_18132 vmw_surface_dma_size 0 18132 NULL
101590 +selinux_inode_setsecurity_18148 selinux_inode_setsecurity 4 18148 NULL
101591 +_has_tag_18169 _has_tag 2 18169 NULL
101592 +pccard_store_cis_18176 pccard_store_cis 6 18176 NULL
101593 +orinoco_add_extscan_result_18207 orinoco_add_extscan_result 3 18207 NULL
101594 +gsm_control_message_18209 gsm_control_message 4 18209 NULL
101595 +do_ipv6_setsockopt_18215 do_ipv6_setsockopt 5 18215 NULL
101596 +gnttab_alloc_grant_references_18240 gnttab_alloc_grant_references 1 18240 NULL
101597 +alloc_trace_uprobe_18247 alloc_trace_uprobe 3 18247 NULL
101598 +snd_ctl_ioctl_compat_18250 snd_ctl_ioctl_compat 3 18250 NULL
101599 +qdisc_class_hash_alloc_18262 qdisc_class_hash_alloc 1 18262 NULL
101600 +gfs2_alloc_sort_buffer_18275 gfs2_alloc_sort_buffer 1 18275 NULL
101601 +alloc_ring_18278 alloc_ring 2-4 18278 NULL
101602 +find_dirty_idx_leb_18280 find_dirty_idx_leb 0 18280 NULL
101603 +nouveau_subdev_create__18281 nouveau_subdev_create_ 7 18281 NULL nohasharray
101604 +bio_phys_segments_18281 bio_phys_segments 0 18281 &nouveau_subdev_create__18281
101605 +ext4_readpages_18283 ext4_readpages 4 18283 NULL
101606 +mmc_send_bus_test_18285 mmc_send_bus_test 4 18285 NULL
101607 +um_idi_write_18293 um_idi_write 3 18293 NULL
101608 +nouveau_disp_create__18305 nouveau_disp_create_ 4-7 18305 NULL
101609 +ip6ip6_err_18308 ip6ip6_err 5 18308 NULL
101610 +vga_r_18310 vga_r 0 18310 NULL
101611 +ecryptfs_send_message_18322 ecryptfs_send_message 2 18322 NULL
101612 +bio_integrity_advance_18324 bio_integrity_advance 2 18324 NULL
101613 +pwr_power_save_off_read_18355 pwr_power_save_off_read 3 18355 NULL
101614 +xlbd_reserve_minors_18365 xlbd_reserve_minors 1-2 18365 NULL
101615 +SyS_process_vm_readv_18366 SyS_process_vm_readv 3-5 18366 NULL
101616 +ep_io_18367 ep_io 0 18367 NULL
101617 +qib_user_sdma_num_pages_18371 qib_user_sdma_num_pages 0 18371 NULL
101618 +ci_role_write_18388 ci_role_write 3 18388 NULL
101619 +__video_register_device_18399 __video_register_device 3 18399 NULL
101620 +hash_ip4_expire_18402 hash_ip4_expire 3 18402 NULL nohasharray
101621 +adis16136_show_serial_18402 adis16136_show_serial 3 18402 &hash_ip4_expire_18402
101622 +crystalhd_user_data_18407 crystalhd_user_data 3 18407 NULL
101623 +usbnet_write_cmd_nopm_18426 usbnet_write_cmd_nopm 7 18426 NULL
101624 +batadv_orig_node_add_if_18433 batadv_orig_node_add_if 2 18433 NULL nohasharray
101625 +iscsi_create_flashnode_sess_18433 iscsi_create_flashnode_sess 4 18433 &batadv_orig_node_add_if_18433
101626 +snd_hda_get_connections_18437 snd_hda_get_connections 0 18437 NULL
101627 +fuse_perform_write_18457 fuse_perform_write 4 18457 NULL
101628 +regset_tls_set_18459 regset_tls_set 4 18459 NULL
101629 +dma_alloc_from_contiguous_18466 dma_alloc_from_contiguous 3-2 18466 NULL
101630 +pci_vpd_lrdt_size_18479 pci_vpd_lrdt_size 0 18479 NULL
101631 +udpv6_setsockopt_18487 udpv6_setsockopt 5 18487 NULL
101632 +snd_gus_dram_poke_18525 snd_gus_dram_poke 4 18525 NULL
101633 +nouveau_fifo_channel_create__18530 nouveau_fifo_channel_create_ 5-6-9 18530 NULL
101634 +seq_copy_in_user_18543 seq_copy_in_user 3 18543 NULL
101635 +acpi_register_gsi_ioapic_18550 acpi_register_gsi_ioapic 2 18550 NULL
101636 +sas_change_queue_depth_18555 sas_change_queue_depth 2 18555 NULL
101637 +smk_write_rules_list_18565 smk_write_rules_list 3 18565 NULL
101638 +debug_output_18575 debug_output 3 18575 NULL
101639 +check_lpt_type_18577 check_lpt_type 0 18577 NULL
101640 +__netdev_alloc_skb_18595 __netdev_alloc_skb 2 18595 NULL
101641 +filemap_fdatawait_range_18600 filemap_fdatawait_range 0 18600 NULL nohasharray
101642 +slabinfo_write_18600 slabinfo_write 3 18600 &filemap_fdatawait_range_18600
101643 +iowarrior_write_18604 iowarrior_write 3 18604 NULL
101644 +batadv_arp_get_type_18609 batadv_arp_get_type 3 18609 NULL
101645 +from_buffer_18625 from_buffer 3 18625 NULL
101646 +snd_pcm_oss_write3_18657 snd_pcm_oss_write3 0-3 18657 NULL
101647 +ieee80211_if_fmt_rssi_threshold_18664 ieee80211_if_fmt_rssi_threshold 3 18664 NULL
101648 +unmap_page_18665 unmap_page 2-3 18665 NULL
101649 +xfs_iext_insert_18667 xfs_iext_insert 3 18667 NULL
101650 +replay_log_leb_18704 replay_log_leb 3 18704 NULL
101651 +unlocked_compat_ipmi_ioctl_18708 unlocked_compat_ipmi_ioctl 3 18708 NULL nohasharray
101652 +iwl_dbgfs_rx_handlers_read_18708 iwl_dbgfs_rx_handlers_read 3 18708 &unlocked_compat_ipmi_ioctl_18708
101653 +ceph_alloc_page_vector_18710 ceph_alloc_page_vector 1 18710 NULL
101654 +ocfs2_trim_extent_18711 ocfs2_trim_extent 4-3 18711 NULL
101655 +compat_SyS_writev_18712 compat_SyS_writev 3 18712 NULL
101656 +blk_rq_bytes_18715 blk_rq_bytes 0 18715 NULL
101657 +snd_als4k_gcr_read_addr_18741 snd_als4k_gcr_read_addr 0 18741 NULL
101658 +o2hb_debug_create_18744 o2hb_debug_create 4 18744 NULL
101659 +__erst_read_to_erange_from_nvram_18748 __erst_read_to_erange_from_nvram 0 18748 NULL
101660 +wep_packets_read_18751 wep_packets_read 3 18751 NULL
101661 +md_compat_ioctl_18764 md_compat_ioctl 4 18764 NULL
101662 +read_file_dump_nfcal_18766 read_file_dump_nfcal 3 18766 NULL
101663 +ffs_epfile_read_18775 ffs_epfile_read 3 18775 NULL
101664 +SyS_lsetxattr_18776 SyS_lsetxattr 4 18776 NULL
101665 +alloc_fcdev_18780 alloc_fcdev 1 18780 NULL
101666 +fat_compat_dir_ioctl_18800 fat_compat_dir_ioctl 3 18800 NULL
101667 +ieee80211_auth_challenge_18810 ieee80211_auth_challenge 3 18810 NULL
101668 +madvise_hwpoison_18812 madvise_hwpoison 2 18812 NULL
101669 +setup_ioapic_irq_18813 setup_ioapic_irq 1 18813 NULL
101670 +sys_modify_ldt_18824 sys_modify_ldt 3 18824 NULL
101671 +mtf_test_write_18844 mtf_test_write 3 18844 NULL
101672 +drm_ht_create_18853 drm_ht_create 2 18853 NULL
101673 +sctp_setsockopt_events_18862 sctp_setsockopt_events 3 18862 NULL
101674 +ieee80211_if_read_element_ttl_18869 ieee80211_if_read_element_ttl 3 18869 NULL
101675 +xlog_find_verify_log_record_18870 xlog_find_verify_log_record 2 18870 NULL
101676 +___alloc_bootmem_node_18882 ___alloc_bootmem_node 2-3 18882 NULL
101677 +width_to_agaw_18883 width_to_agaw 0-1 18883 NULL
101678 +ceph_setxattr_18913 ceph_setxattr 4 18913 NULL
101679 +mangle_packet_18920 mangle_packet 7-9 18920 NULL
101680 +snapshot_write_next_18937 snapshot_write_next 0 18937 NULL
101681 +regcache_sync_block_18963 regcache_sync_block 3-4 18963 NULL
101682 +__nla_reserve_18974 __nla_reserve 3 18974 NULL
101683 +gfn_to_pfn_atomic_18981 gfn_to_pfn_atomic 2 18981 NULL
101684 +find_dirtiest_idx_leb_19001 find_dirtiest_idx_leb 0 19001 NULL
101685 +layout_in_gaps_19006 layout_in_gaps 2 19006 NULL
101686 +huge_page_size_19008 huge_page_size 0 19008 NULL
101687 +usbdev_compat_ioctl_19026 usbdev_compat_ioctl 3 19026 NULL
101688 +prepare_highmem_image_19028 prepare_highmem_image 0 19028 NULL
101689 +revalidate_19043 revalidate 2 19043 NULL
101690 +drm_fb_helper_init_19044 drm_fb_helper_init 3-4 19044 NULL
101691 +create_gpadl_header_19064 create_gpadl_header 2 19064 NULL
101692 +ieee80211_key_alloc_19065 ieee80211_key_alloc 3 19065 NULL
101693 +msix_map_region_19072 msix_map_region 2 19072 NULL
101694 +ceph_create_snap_context_19082 ceph_create_snap_context 1 19082 NULL
101695 +sys_process_vm_readv_19090 sys_process_vm_readv 3-5 19090 NULL nohasharray
101696 +brcmf_usbdev_qinit_19090 brcmf_usbdev_qinit 2 19090 &sys_process_vm_readv_19090
101697 +sta_last_seq_ctrl_read_19106 sta_last_seq_ctrl_read 3 19106 NULL
101698 +cifs_readv_from_socket_19109 cifs_readv_from_socket 3 19109 NULL
101699 +skb_gro_offset_19123 skb_gro_offset 0 19123 NULL
101700 +ext4_inode_table_19125 ext4_inode_table 0 19125 NULL
101701 +snd_als4k_iobase_readl_19136 snd_als4k_iobase_readl 0 19136 NULL
101702 +alloc_irdadev_19140 alloc_irdadev 1 19140 NULL
101703 +sleep_auth_read_19159 sleep_auth_read 3 19159 NULL
101704 +smk_write_access2_19170 smk_write_access2 3 19170 NULL
101705 +iwl_dbgfs_reply_tx_error_read_19205 iwl_dbgfs_reply_tx_error_read 3 19205 NULL
101706 +vmw_unlocked_ioctl_19212 vmw_unlocked_ioctl 2 19212 NULL
101707 +__copy_to_user_inatomic_19214 __copy_to_user_inatomic 3 19214 NULL
101708 +dev_counters_read_19216 dev_counters_read 3 19216 NULL
101709 +wbcir_tx_19219 wbcir_tx 3 19219 NULL
101710 +gsi_to_irq_19220 gsi_to_irq 0-1 19220 NULL
101711 +snd_mask_max_19224 snd_mask_max 0 19224 NULL
101712 +bio_alloc_mddev_19238 bio_alloc_mddev 2 19238 NULL
101713 +sys_fcntl_19267 sys_fcntl 3 19267 NULL
101714 +il_dbgfs_rxon_filter_flags_read_19281 il_dbgfs_rxon_filter_flags_read 3 19281 NULL
101715 +io_mapping_map_wc_19284 io_mapping_map_wc 2 19284 NULL
101716 +qc_capture_19298 qc_capture 3 19298 NULL
101717 +ocfs2_prepare_inode_for_refcount_19303 ocfs2_prepare_inode_for_refcount 3-4 19303 NULL
101718 +event_tx_stuck_read_19305 event_tx_stuck_read 3 19305 NULL
101719 +gfn_to_gpa_19320 gfn_to_gpa 0-1 19320 NULL
101720 +debug_read_19322 debug_read 3 19322 NULL
101721 +cfg80211_inform_bss_19332 cfg80211_inform_bss 8 19332 NULL
101722 +closure_sub_19359 closure_sub 2 19359 NULL
101723 +read_zero_19366 read_zero 3 19366 NULL
101724 +interpret_user_input_19393 interpret_user_input 2 19393 NULL
101725 +sync_fill_pt_info_19397 sync_fill_pt_info 0 19397 NULL
101726 +get_n_events_by_type_19401 get_n_events_by_type 0 19401 NULL
101727 +dvbdmx_write_19423 dvbdmx_write 3 19423 NULL
101728 +__phys_addr_19434 __phys_addr 0 19434 NULL
101729 +SyS_sched_getaffinity_19444 SyS_sched_getaffinity 2 19444 NULL
101730 +xfrm_alg_auth_len_19454 xfrm_alg_auth_len 0 19454 NULL
101731 +hpet_compat_ioctl_19455 hpet_compat_ioctl 3 19455 NULL
101732 +gnet_stats_copy_19458 gnet_stats_copy 4 19458 NULL
101733 +sky2_read16_19475 sky2_read16 0 19475 NULL
101734 +efivar_create_sysfs_entry_19485 efivar_create_sysfs_entry 2 19485 NULL
101735 +ext4_add_new_descs_19509 ext4_add_new_descs 3 19509 NULL
101736 +skb_realloc_headroom_19516 skb_realloc_headroom 2 19516 NULL
101737 +dev_alloc_skb_19517 dev_alloc_skb 1 19517 NULL
101738 +nfc_llcp_build_tlv_19536 nfc_llcp_build_tlv 3 19536 NULL
101739 +gfn_to_index_19558 gfn_to_index 0-1-3-2 19558 NULL
101740 +ocfs2_control_message_19564 ocfs2_control_message 3 19564 NULL
101741 +ieee80211_if_read_tkip_mic_test_19565 ieee80211_if_read_tkip_mic_test 3 19565 NULL nohasharray
101742 +wlcore_hw_get_rx_packet_len_19565 wlcore_hw_get_rx_packet_len 0 19565 &ieee80211_if_read_tkip_mic_test_19565
101743 +nfsd_read_19568 nfsd_read 5 19568 NULL
101744 +cgroup_read_s64_19570 cgroup_read_s64 5 19570 NULL
101745 +bm_status_read_19583 bm_status_read 3 19583 NULL
101746 +batadv_tt_update_orig_19586 batadv_tt_update_orig 4 19586 NULL
101747 +load_xattr_datum_19594 load_xattr_datum 0 19594 NULL
101748 +__mei_cl_recv_19636 __mei_cl_recv 3 19636 NULL
101749 +usbvision_rvmalloc_19655 usbvision_rvmalloc 1 19655 NULL
101750 +LoadBitmap_19658 LoadBitmap 2 19658 NULL
101751 +usbnet_write_cmd_19679 usbnet_write_cmd 7 19679 NULL
101752 +bio_detain_19690 bio_detain 2 19690 NULL
101753 +mem_cgroup_swappiness_19718 mem_cgroup_swappiness 0 19718 NULL
101754 +read_reg_19723 read_reg 0 19723 NULL
101755 +wm8350_block_write_19727 wm8350_block_write 3-2 19727 NULL
101756 +memcpy_toiovecend_19736 memcpy_toiovecend 4-3 19736 NULL
101757 +snd_es1968_get_dma_ptr_19747 snd_es1968_get_dma_ptr 0 19747 NULL
101758 +p9_client_read_19750 p9_client_read 5 19750 NULL
101759 +pnpbios_proc_write_19758 pnpbios_proc_write 3 19758 NULL
101760 +ocfs2_readpages_19759 ocfs2_readpages 4 19759 NULL
101761 +jffs2_acl_from_medium_19762 jffs2_acl_from_medium 2 19762 NULL
101762 +__set_print_fmt_19776 __set_print_fmt 0 19776 NULL
101763 +saa7146_vmalloc_build_pgtable_19780 saa7146_vmalloc_build_pgtable 2 19780 NULL
101764 +irda_setsockopt_19824 irda_setsockopt 5 19824 NULL
101765 +pcpu_next_unpop_19831 pcpu_next_unpop 4 19831 NULL
101766 +vfs_getxattr_19832 vfs_getxattr 0 19832 NULL
101767 +security_context_to_sid_19839 security_context_to_sid 2 19839 NULL
101768 +crypt_alloc_buffer_19846 crypt_alloc_buffer 2 19846 NULL
101769 +cfg80211_mlme_register_mgmt_19852 cfg80211_mlme_register_mgmt 5 19852 NULL
101770 +__nla_put_19857 __nla_put 3 19857 NULL
101771 +ip6gre_err_19869 ip6gre_err 5 19869 NULL
101772 +mrp_request_join_19882 mrp_request_join 4 19882 NULL
101773 +aes_decrypt_interrupt_read_19910 aes_decrypt_interrupt_read 3 19910 NULL
101774 +ps_upsd_max_apturn_read_19918 ps_upsd_max_apturn_read 3 19918 NULL
101775 +cgroup_task_count_19930 cgroup_task_count 0 19930 NULL
101776 +iwl_dbgfs_rx_queue_read_19943 iwl_dbgfs_rx_queue_read 3 19943 NULL
101777 +attach_hdlc_protocol_19986 attach_hdlc_protocol 3 19986 NULL
101778 +diva_um_idi_read_20003 diva_um_idi_read 0 20003 NULL
101779 +SYSC_fgetxattr_20027 SYSC_fgetxattr 4 20027 NULL
101780 +split_scan_timeout_read_20029 split_scan_timeout_read 3 20029 NULL
101781 +alloc_ieee80211_20063 alloc_ieee80211 1 20063 NULL
101782 +btrfs_pin_extent_for_log_replay_20069 btrfs_pin_extent_for_log_replay 2 20069 NULL
101783 +rawv6_sendmsg_20080 rawv6_sendmsg 4 20080 NULL
101784 +fuse_conn_limit_read_20084 fuse_conn_limit_read 3 20084 NULL
101785 +team_options_register_20091 team_options_register 3 20091 NULL
101786 +qla2x00_adjust_sdev_qdepth_up_20097 qla2x00_adjust_sdev_qdepth_up 2 20097 NULL
101787 +hptiop_adjust_disk_queue_depth_20122 hptiop_adjust_disk_queue_depth 2 20122 NULL
101788 +tomoyo_commit_ok_20167 tomoyo_commit_ok 2 20167 NULL
101789 +read_flush_pipefs_20171 read_flush_pipefs 3 20171 NULL
101790 +wep_addr_key_count_read_20174 wep_addr_key_count_read 3 20174 NULL
101791 +create_trace_probe_20175 create_trace_probe 1 20175 NULL
101792 +crystalhd_map_dio_20181 crystalhd_map_dio 3 20181 NULL
101793 +udf_bitmap_new_block_20214 udf_bitmap_new_block 4 20214 NULL
101794 +pvr2_ctrl_value_to_sym_20229 pvr2_ctrl_value_to_sym 5 20229 NULL
101795 +rose_sendmsg_20249 rose_sendmsg 4 20249 NULL
101796 +tm6000_i2c_send_regs_20250 tm6000_i2c_send_regs 5 20250 NULL
101797 +pcpu_alloc_20255 pcpu_alloc 1-2 20255 NULL
101798 +_rtl92s_get_h2c_cmdlen_20312 _rtl92s_get_h2c_cmdlen 0 20312 NULL
101799 +tx_tx_burst_programmed_read_20320 tx_tx_burst_programmed_read 3 20320 NULL
101800 +snd_cs4281_BA1_read_20323 snd_cs4281_BA1_read 5 20323 NULL
101801 +gfs2_glock_nq_m_20347 gfs2_glock_nq_m 1 20347 NULL
101802 +handle_arr_calc_size_20355 handle_arr_calc_size 0-1 20355 NULL
101803 +qla82xx_pci_mem_read_direct_20368 qla82xx_pci_mem_read_direct 2 20368 NULL
101804 +smk_set_cipso_20379 smk_set_cipso 3 20379 NULL
101805 +u64_to_uptr_20384 u64_to_uptr 1 20384 NULL
101806 +snd_nm256_readl_20394 snd_nm256_readl 0 20394 NULL
101807 +__kfifo_from_user_20399 __kfifo_from_user 3 20399 NULL
101808 +xen_create_contiguous_region_20457 xen_create_contiguous_region 1 20457 NULL
101809 +nfs3_setxattr_20458 nfs3_setxattr 4 20458 NULL
101810 +dec_zcache_pers_zpages_20465 dec_zcache_pers_zpages 1 20465 NULL
101811 +compat_ipv6_setsockopt_20468 compat_ipv6_setsockopt 5 20468 NULL
101812 +read_buf_20469 read_buf 2 20469 NULL
101813 +btrfs_get_32_20476 btrfs_get_32 0 20476 NULL
101814 +fast_user_write_20494 fast_user_write 5 20494 NULL
101815 +ocfs2_db_frozen_trigger_20503 ocfs2_db_frozen_trigger 4 20503 NULL nohasharray
101816 +hidraw_report_event_20503 hidraw_report_event 3 20503 &ocfs2_db_frozen_trigger_20503
101817 +pcpu_alloc_area_20511 pcpu_alloc_area 0-3 20511 NULL
101818 +pcpu_depopulate_chunk_20517 pcpu_depopulate_chunk 2-3 20517 NULL
101819 +xfs_iext_realloc_direct_20521 xfs_iext_realloc_direct 2 20521 NULL
101820 +drbd_bm_resize_20522 drbd_bm_resize 2 20522 NULL
101821 +amd_create_gatt_pages_20537 amd_create_gatt_pages 1 20537 NULL
101822 +scsi_report_opcode_20551 scsi_report_opcode 3 20551 NULL
101823 +venus_create_20555 venus_create 4 20555 NULL
101824 +btrfs_super_log_root_20565 btrfs_super_log_root 0 20565 NULL
101825 +crypto_ahash_reqsize_20569 crypto_ahash_reqsize 0 20569 NULL
101826 +i915_max_freq_read_20581 i915_max_freq_read 3 20581 NULL
101827 +batadv_tt_append_diff_20588 batadv_tt_append_diff 4 20588 NULL
101828 +sync_timeline_create_20601 sync_timeline_create 2 20601 NULL
101829 +lirc_write_20604 lirc_write 3 20604 NULL
101830 +qib_qsfp_write_20614 qib_qsfp_write 0-4-2 20614 NULL
101831 +snd_pcm_oss_prepare_20641 snd_pcm_oss_prepare 0 20641 NULL
101832 +kfifo_copy_to_user_20646 kfifo_copy_to_user 3 20646 NULL
101833 +cpulist_scnprintf_20648 cpulist_scnprintf 0-2 20648 NULL
101834 +oz_add_farewell_20652 oz_add_farewell 5 20652 NULL
101835 +oz_cdev_read_20659 oz_cdev_read 3 20659 NULL
101836 +snd_hdsp_playback_copy_20676 snd_hdsp_playback_copy 5 20676 NULL
101837 +get_user_page_nowait_20682 get_user_page_nowait 3 20682 NULL nohasharray
101838 +dvb_dmxdev_buffer_read_20682 dvb_dmxdev_buffer_read 0-4 20682 &get_user_page_nowait_20682
101839 +cpumask_size_20683 cpumask_size 0 20683 NULL
101840 +btrfs_node_blockptr_20685 btrfs_node_blockptr 0 20685 NULL
101841 +gru_vtop_20689 gru_vtop 2 20689 NULL
101842 +read_file_tgt_int_stats_20697 read_file_tgt_int_stats 3 20697 NULL
101843 +__maestro_read_20700 __maestro_read 0 20700 NULL
101844 +cipso_v4_gentag_rng_20703 cipso_v4_gentag_rng 0 20703 NULL
101845 +pcpu_page_first_chunk_20712 pcpu_page_first_chunk 1 20712 NULL
101846 +ocfs2_read_xattr_bucket_20722 ocfs2_read_xattr_bucket 0 20722 NULL
101847 +security_context_to_sid_force_20724 security_context_to_sid_force 2 20724 NULL
101848 +vring_add_indirect_20737 vring_add_indirect 3-4 20737 NULL
101849 +io_apic_set_pci_routing_20740 io_apic_set_pci_routing 2 20740 NULL
101850 +vol_cdev_direct_write_20751 vol_cdev_direct_write 3 20751 NULL
101851 +ocfs2_align_bytes_to_clusters_20754 ocfs2_align_bytes_to_clusters 2 20754 NULL
101852 +brcmf_p2p_escan_20763 brcmf_p2p_escan 2 20763 NULL
101853 +ubi_io_read_20767 ubi_io_read 0 20767 NULL
101854 +ext4_r_blocks_count_20768 ext4_r_blocks_count 0 20768 NULL
101855 +fb_alloc_cmap_gfp_20792 fb_alloc_cmap_gfp 2 20792 NULL
101856 +iommu_range_alloc_20794 iommu_range_alloc 3 20794 NULL
101857 +iwl_dbgfs_rxon_flags_read_20795 iwl_dbgfs_rxon_flags_read 3 20795 NULL
101858 +sys_sendto_20809 sys_sendto 6 20809 NULL
101859 +cfv_alloc_and_copy_skb_20812 cfv_alloc_and_copy_skb 4 20812 NULL
101860 +strndup_user_20819 strndup_user 2 20819 NULL
101861 +calc_layout_20829 calc_layout 3 20829 NULL
101862 +dtf_read_channel_20831 dtf_read_channel 3 20831 NULL
101863 +wl1271_format_buffer_20834 wl1271_format_buffer 2 20834 NULL
101864 +uvc_alloc_entity_20836 uvc_alloc_entity 3-4 20836 NULL
101865 +snd_pcm_capture_avail_20867 snd_pcm_capture_avail 0 20867 NULL
101866 +ocfs2_bmap_20874 ocfs2_bmap 2 20874 NULL
101867 +skb_tail_pointer_20878 skb_tail_pointer 0 20878 NULL
101868 +sisusb_send_packet_20891 sisusb_send_packet 2 20891 NULL
101869 +key_icverrors_read_20895 key_icverrors_read 3 20895 NULL
101870 +vfio_msi_enable_20906 vfio_msi_enable 2 20906 NULL
101871 +compat_sys_readv_20911 compat_sys_readv 3 20911 NULL
101872 +htable_bits_20933 htable_bits 0 20933 NULL
101873 +altera_set_ir_post_20948 altera_set_ir_post 2 20948 NULL
101874 +rx_rx_phy_hdr_read_20950 rx_rx_phy_hdr_read 3 20950 NULL
101875 +nfs_map_name_to_uid_20962 nfs_map_name_to_uid 3 20962 NULL
101876 +snd_rme9652_playback_copy_20970 snd_rme9652_playback_copy 5 20970 NULL
101877 +brcmf_tx_frame_20978 brcmf_tx_frame 3 20978 NULL
101878 +alg_setsockopt_20985 alg_setsockopt 5 20985 NULL
101879 +ocfs2_free_clusters_21001 ocfs2_free_clusters 4 21001 NULL
101880 +ceph_osdc_new_request_21017 ceph_osdc_new_request 14-4 21017 NULL
101881 +btrfs_inode_ref_name_len_21024 btrfs_inode_ref_name_len 0 21024 NULL
101882 +rx_defrag_tkip_called_read_21031 rx_defrag_tkip_called_read 3 21031 NULL
101883 +lbs_threshold_read_21046 lbs_threshold_read 5 21046 NULL
101884 +proc_fault_inject_write_21058 proc_fault_inject_write 3 21058 NULL
101885 +event_calibration_read_21083 event_calibration_read 3 21083 NULL
101886 +compat_sock_ioctl_trans_21092 compat_sock_ioctl_trans 4 21092 NULL
101887 +multipath_status_21094 multipath_status 5 21094 NULL
101888 +__cfg80211_send_disassoc_21096 __cfg80211_send_disassoc 3 21096 NULL
101889 +ext2_valid_block_bitmap_21101 ext2_valid_block_bitmap 3 21101 NULL
101890 +ath6kl_send_go_probe_resp_21113 ath6kl_send_go_probe_resp 3 21113 NULL
101891 +bitset_size_in_bytes_21124 bitset_size_in_bytes 0-1 21124 NULL
101892 +i2400m_rx_trace_21127 i2400m_rx_trace 3 21127 NULL
101893 +tps6586x_irq_init_21144 tps6586x_irq_init 3 21144 NULL
101894 +ocfs2_block_check_validate_21149 ocfs2_block_check_validate 2 21149 NULL
101895 +alloc_pg_vec_21159 alloc_pg_vec 3 21159 NULL
101896 +cx18_v4l2_read_21196 cx18_v4l2_read 3 21196 NULL
101897 +ipc_rcu_alloc_21208 ipc_rcu_alloc 1 21208 NULL
101898 +scsi_execute_req_flags_21215 scsi_execute_req_flags 5 21215 NULL
101899 +_ocfs2_free_clusters_21220 _ocfs2_free_clusters 4 21220 NULL
101900 +get_numpages_21227 get_numpages 0-1-2 21227 NULL
101901 +SyS_mlock_21238 SyS_mlock 1 21238 NULL
101902 +input_ff_create_21240 input_ff_create 2 21240 NULL
101903 +cfg80211_notify_new_peer_candidate_21242 cfg80211_notify_new_peer_candidate 4 21242 NULL
101904 +ocfs2_blocks_for_bytes_21268 ocfs2_blocks_for_bytes 0-2 21268 NULL
101905 +ip_vs_icmp_xmit_21269 ip_vs_icmp_xmit 4 21269 NULL
101906 +make_alloc_exact_21279 make_alloc_exact 1-3 21279 NULL
101907 +vmw_gmr2_bind_21305 vmw_gmr2_bind 3 21305 NULL
101908 +do_msg_fill_21307 do_msg_fill 3 21307 NULL
101909 +add_res_range_21310 add_res_range 4 21310 NULL
101910 +get_zeroed_page_21322 get_zeroed_page 0 21322 NULL
101911 +ftrace_profile_read_21327 ftrace_profile_read 3 21327 NULL
101912 +gfs2_ea_get_copy_21353 gfs2_ea_get_copy 0 21353 NULL
101913 +max77693_irq_domain_map_21357 max77693_irq_domain_map 2 21357 NULL
101914 +alloc_orinocodev_21371 alloc_orinocodev 1 21371 NULL
101915 +SYSC_rt_sigpending_21379 SYSC_rt_sigpending 2 21379 NULL
101916 +video_ioctl2_21380 video_ioctl2 2 21380 NULL
101917 +diva_get_driver_dbg_mask_21399 diva_get_driver_dbg_mask 0 21399 NULL
101918 +snd_m3_inw_21406 snd_m3_inw 0 21406 NULL
101919 +snapshot_read_next_21426 snapshot_read_next 0 21426 NULL
101920 +tcp_bound_to_half_wnd_21429 tcp_bound_to_half_wnd 0-2 21429 NULL
101921 +tracing_saved_cmdlines_read_21434 tracing_saved_cmdlines_read 3 21434 NULL
101922 +aggr_size_tx_agg_vs_rate_read_21438 aggr_size_tx_agg_vs_rate_read 3 21438 NULL
101923 +__ertm_hdr_size_21450 __ertm_hdr_size 0 21450 NULL
101924 +concat_writev_21451 concat_writev 3 21451 NULL
101925 +mei_nfc_send_21477 mei_nfc_send 3 21477 NULL
101926 +read_file_xmit_21487 read_file_xmit 3 21487 NULL
101927 +mmc_alloc_sg_21504 mmc_alloc_sg 1 21504 NULL
101928 +btrfs_file_aio_write_21520 btrfs_file_aio_write 4 21520 NULL
101929 +il_dbgfs_stations_read_21532 il_dbgfs_stations_read 3 21532 NULL
101930 +cipso_v4_map_cat_enum_hton_21540 cipso_v4_map_cat_enum_hton 0 21540 NULL
101931 +rxrpc_send_data_21553 rxrpc_send_data 5 21553 NULL
101932 +rx_rx_beacon_early_term_read_21559 rx_rx_beacon_early_term_read 3 21559 NULL
101933 +xfs_buf_read_uncached_21585 xfs_buf_read_uncached 3 21585 NULL
101934 +ocfs2_acl_from_xattr_21604 ocfs2_acl_from_xattr 2 21604 NULL
101935 +compat_SyS_pwritev64_21606 compat_SyS_pwritev64 3 21606 NULL
101936 +__jfs_getxattr_21631 __jfs_getxattr 0 21631 NULL
101937 +validate_nnode_21638 validate_nnode 0 21638 NULL
101938 +__irq_alloc_descs_21639 __irq_alloc_descs 2-1-3 21639 NULL
101939 +carl9170_rx_copy_data_21656 carl9170_rx_copy_data 2 21656 NULL
101940 +atalk_sendmsg_21677 atalk_sendmsg 4 21677 NULL
101941 +ocfs2_xattr_get_nolock_21678 ocfs2_xattr_get_nolock 0 21678 NULL
101942 +regmap_register_patch_21681 regmap_register_patch 3 21681 NULL
101943 +rtllib_alloc_txb_21687 rtllib_alloc_txb 1-2 21687 NULL
101944 +evdev_ioctl_handler_21705 evdev_ioctl_handler 2 21705 NULL
101945 +reiserfs_allocate_list_bitmaps_21732 reiserfs_allocate_list_bitmaps 3 21732 NULL
101946 +vm_brk_21739 vm_brk 1 21739 NULL
101947 +__nf_nat_mangle_tcp_packet_21744 __nf_nat_mangle_tcp_packet 8-6 21744 NULL
101948 +mthca_alloc_init_21754 mthca_alloc_init 2 21754 NULL
101949 +gen_pool_add_21776 gen_pool_add 3 21776 NULL
101950 +xfs_da_grow_inode_int_21785 xfs_da_grow_inode_int 3 21785 NULL
101951 +__ioremap_caller_21800 __ioremap_caller 1-2 21800 NULL
101952 +min_odd_21802 min_odd 0 21802 NULL
101953 +dvb_generic_ioctl_21810 dvb_generic_ioctl 2 21810 NULL
101954 +wm8994_request_irq_21822 wm8994_request_irq 2 21822 NULL
101955 +oom_adj_read_21847 oom_adj_read 3 21847 NULL
101956 +acpi_tb_check_xsdt_21862 acpi_tb_check_xsdt 1 21862 NULL
101957 +lpfc_idiag_extacc_avail_get_21865 lpfc_idiag_extacc_avail_get 0-3 21865 NULL
101958 +brcms_debugfs_hardware_read_21867 brcms_debugfs_hardware_read 3 21867 NULL
101959 +sisusbcon_bmove_21873 sisusbcon_bmove 6-5-7 21873 NULL nohasharray
101960 +tcp_cookie_size_check_21873 tcp_cookie_size_check 0-1 21873 &sisusbcon_bmove_21873
101961 +xen_swiotlb_map_page_21886 xen_swiotlb_map_page 3 21886 NULL
101962 +__alloc_reserved_percpu_21895 __alloc_reserved_percpu 1-2 21895 NULL
101963 +rio_destid_first_21900 rio_destid_first 0 21900 NULL
101964 +dbAllocCtl_21911 dbAllocCtl 0 21911 NULL
101965 +qsfp_1_read_21915 qsfp_1_read 3 21915 NULL
101966 +security_mmap_addr_21970 security_mmap_addr 0 21970 NULL
101967 +alloc_ldt_21972 alloc_ldt 2 21972 NULL
101968 +SYSC_prctl_21980 SYSC_prctl 4 21980 NULL
101969 +rxpipe_descr_host_int_trig_rx_data_read_22001 rxpipe_descr_host_int_trig_rx_data_read 3 22001 NULL nohasharray
101970 +compat_rw_copy_check_uvector_22001 compat_rw_copy_check_uvector 0-3 22001 &rxpipe_descr_host_int_trig_rx_data_read_22001
101971 +regcache_sync_block_raw_flush_22021 regcache_sync_block_raw_flush 3-4 22021 NULL
101972 +btrfs_get_16_22023 btrfs_get_16 0 22023 NULL
101973 +_sp2d_min_pg_22032 _sp2d_min_pg 0 22032 NULL
101974 +zd_usb_read_fw_22049 zd_usb_read_fw 4 22049 NULL
101975 +ieee80211_if_fmt_dropped_frames_ttl_22054 ieee80211_if_fmt_dropped_frames_ttl 3 22054 NULL
101976 +btrfs_reloc_clone_csums_22077 btrfs_reloc_clone_csums 2 22077 NULL
101977 +write_opcode_22082 write_opcode 2 22082 NULL
101978 +mem_rw_22085 mem_rw 3 22085 NULL
101979 +is_swbp_at_addr_22089 is_swbp_at_addr 2 22089 NULL
101980 +lowpan_fragment_xmit_22095 lowpan_fragment_xmit 3-4 22095 NULL
101981 +sched_clock_cpu_22098 sched_clock_cpu 0 22098 NULL
101982 +qlcnic_sriov_pf_enable_22103 qlcnic_sriov_pf_enable 2 22103 NULL
101983 +sys_remap_file_pages_22124 sys_remap_file_pages 1 22124 NULL
101984 +__bitmap_size_22138 __bitmap_size 0 22138 NULL
101985 +compat_insn_22142 compat_insn 2 22142 NULL
101986 +do_tcp_sendpages_22155 do_tcp_sendpages 4 22155 NULL
101987 +__kfifo_alloc_22173 __kfifo_alloc 3 22173 NULL
101988 +fls_22210 fls 0 22210 NULL
101989 +mem_write_22232 mem_write 3 22232 NULL
101990 +p9_virtio_zc_request_22240 p9_virtio_zc_request 6-5 22240 NULL
101991 +atomic64_xchg_22246 atomic64_xchg 0 22246 NULL
101992 +compat_process_vm_rw_22254 compat_process_vm_rw 3-5 22254 NULL
101993 +__btrfs_direct_write_22273 __btrfs_direct_write 4 22273 NULL
101994 +queue_max_sectors_22280 queue_max_sectors 0 22280 NULL
101995 +pci_vpd_srdt_size_22300 pci_vpd_srdt_size 0 22300 NULL nohasharray
101996 +__tun_chr_ioctl_22300 __tun_chr_ioctl 4 22300 &pci_vpd_srdt_size_22300
101997 +extend_brk_22301 extend_brk 0 22301 NULL
101998 +mesh_table_alloc_22305 mesh_table_alloc 1 22305 NULL
101999 +C_SYSC_msgrcv_22320 C_SYSC_msgrcv 2-3 22320 NULL
102000 +get_segment_base_22324 get_segment_base 0 22324 NULL
102001 +radix_tree_find_next_bit_22334 radix_tree_find_next_bit 2-3 22334 NULL
102002 +atomic_read_22342 atomic_read 0 22342 NULL
102003 +mlx4_db_alloc_22358 mlx4_db_alloc 3 22358 NULL
102004 +irq_reserve_irq_22360 irq_reserve_irq 1 22360 NULL nohasharray
102005 +memcg_size_22360 memcg_size 0 22360 &irq_reserve_irq_22360
102006 +snd_pcm_alsa_frames_22363 snd_pcm_alsa_frames 2 22363 NULL
102007 +tps6586x_gpio_to_irq_22365 tps6586x_gpio_to_irq 2 22365 NULL
102008 +evdev_ioctl_22371 evdev_ioctl 2 22371 NULL
102009 +alloc_large_system_hash_22391 alloc_large_system_hash 2 22391 NULL
102010 +btmrvl_psmode_read_22395 btmrvl_psmode_read 3 22395 NULL
102011 +crash_shrink_memory_22401 crash_shrink_memory 1 22401 NULL
102012 +zoran_write_22404 zoran_write 3 22404 NULL
102013 +queue_reply_22416 queue_reply 3 22416 NULL
102014 +__set_enter_print_fmt_22431 __set_enter_print_fmt 0 22431 NULL
102015 +queue_max_segments_22441 queue_max_segments 0 22441 NULL
102016 +handle_received_packet_22457 handle_received_packet 3 22457 NULL
102017 +mem_cgroup_read_22461 mem_cgroup_read 5 22461 NULL
102018 +batadv_check_unicast_packet_22468 batadv_check_unicast_packet 3 22468 NULL
102019 +dtf_write_device_22471 dtf_write_device 3 22471 NULL
102020 +cache_write_procfs_22491 cache_write_procfs 3 22491 NULL
102021 +mp_find_ioapic_pin_22499 mp_find_ioapic_pin 0-2 22499 NULL
102022 +mutex_lock_interruptible_22505 mutex_lock_interruptible 0 22505 NULL
102023 +ip4_addr_string_22511 ip4_addr_string 0 22511 NULL
102024 +swiotlb_tbl_unmap_single_22522 swiotlb_tbl_unmap_single 2 22522 NULL nohasharray
102025 +usb_dump_config_descriptor_22522 usb_dump_config_descriptor 0 22522 &swiotlb_tbl_unmap_single_22522
102026 +pskb_may_pull_22546 pskb_may_pull 2 22546 NULL
102027 +ocfs2_read_extent_block_22550 ocfs2_read_extent_block 0 22550 NULL
102028 +atomic_long_read_unchecked_22551 atomic_long_read_unchecked 0 22551 NULL
102029 +agp_alloc_page_array_22554 agp_alloc_page_array 1 22554 NULL
102030 +dbFindCtl_22587 dbFindCtl 0 22587 NULL
102031 +snapshot_read_22601 snapshot_read 3 22601 NULL
102032 +remove_breakpoint_22628 remove_breakpoint 3 22628 NULL
102033 +sctp_setsockopt_connectx_old_22631 sctp_setsockopt_connectx_old 3 22631 NULL
102034 +ide_core_cp_entry_22636 ide_core_cp_entry 3 22636 NULL
102035 +wl1271_rx_filter_get_fields_size_22638 wl1271_rx_filter_get_fields_size 0 22638 NULL
102036 +pwr_wake_on_timer_exp_read_22640 pwr_wake_on_timer_exp_read 3 22640 NULL
102037 +iwl_dbgfs_calib_disabled_read_22649 iwl_dbgfs_calib_disabled_read 3 22649 NULL
102038 +compat_SyS_msgrcv_22661 compat_SyS_msgrcv 2-3 22661 NULL
102039 +ubifs_leb_write_22679 ubifs_leb_write 4-5 22679 NULL
102040 +qlcnic_83xx_sysfs_flash_write_handler_22680 qlcnic_83xx_sysfs_flash_write_handler 6 22680 NULL
102041 +ocfs2_get_block_22687 ocfs2_get_block 2 22687 NULL
102042 +compat_fd_ioctl_22694 compat_fd_ioctl 4 22694 NULL
102043 +map_22700 map 2 22700 NULL
102044 +alloc_libipw_22708 alloc_libipw 1 22708 NULL
102045 +brcmf_sdbrcm_read_control_22721 brcmf_sdbrcm_read_control 3 22721 NULL
102046 +cx18_copy_buf_to_user_22735 cx18_copy_buf_to_user 4 22735 NULL
102047 +ceph_decode_32_22738 ceph_decode_32 0 22738 NULL nohasharray
102048 +__mei_cl_send_22738 __mei_cl_send 3 22738 &ceph_decode_32_22738
102049 +iio_debugfs_write_reg_22742 iio_debugfs_write_reg 3 22742 NULL
102050 +qlcnic_sriov_init_22762 qlcnic_sriov_init 2 22762 NULL
102051 +print_frame_22769 print_frame 0 22769 NULL
102052 +ftrace_arch_read_dyn_info_22773 ftrace_arch_read_dyn_info 0 22773 NULL
102053 +compat_blkdev_ioctl_22841 compat_blkdev_ioctl 3 22841 NULL
102054 +clone_bio_integrity_22842 clone_bio_integrity 4 22842 NULL
102055 +read_file_rcstat_22854 read_file_rcstat 3 22854 NULL
102056 +do_atm_iobuf_22857 do_atm_iobuf 3 22857 NULL
102057 +create_attr_set_22861 create_attr_set 1 22861 NULL
102058 +vmw_execbuf_process_22885 vmw_execbuf_process 5 22885 NULL
102059 +usblp_new_writeurb_22894 usblp_new_writeurb 2 22894 NULL
102060 +mdc800_device_read_22896 mdc800_device_read 3 22896 NULL
102061 +policy_emit_config_values_22900 policy_emit_config_values 3 22900 NULL
102062 +pcpu_mem_zalloc_22948 pcpu_mem_zalloc 1 22948 NULL
102063 +alloc_sglist_22960 alloc_sglist 1-2-3 22960 NULL
102064 +caif_seqpkt_sendmsg_22961 caif_seqpkt_sendmsg 4 22961 NULL
102065 +vme_get_size_22964 vme_get_size 0 22964 NULL
102066 +tx_frag_key_not_found_read_22971 tx_frag_key_not_found_read 3 22971 NULL
102067 +page_table_range_init_count_22977 page_table_range_init_count 0 22977 NULL
102068 +usb_get_langid_22983 usb_get_langid 0 22983 NULL
102069 +set_msr_hyperv_22985 set_msr_hyperv 3 22985 NULL
102070 +remote_settings_file_write_22987 remote_settings_file_write 3 22987 NULL
102071 +brcmf_sdio_chip_exit_download_23001 brcmf_sdio_chip_exit_download 4 23001 NULL
102072 +viafb_dvp0_proc_write_23023 viafb_dvp0_proc_write 3 23023 NULL
102073 +cifs_local_to_utf16_bytes_23025 cifs_local_to_utf16_bytes 0 23025 NULL
102074 +st_status_23032 st_status 5 23032 NULL
102075 +nv50_disp_chan_create__23056 nv50_disp_chan_create_ 5 23056 NULL
102076 +reiserfs_add_entry_23062 reiserfs_add_entry 4 23062 NULL
102077 +mei_cl_send_23068 mei_cl_send 3 23068 NULL
102078 +kvm_mmu_gva_to_gpa_write_23075 kvm_mmu_gva_to_gpa_write 0 23075 NULL
102079 +vm_map_ram_23078 vm_map_ram 2 23078 NULL nohasharray
102080 +raw_sendmsg_23078 raw_sendmsg 4 23078 &vm_map_ram_23078
102081 +get_user_hdr_len_23079 get_user_hdr_len 0 23079 NULL
102082 +qla4_82xx_pci_mem_read_2M_23081 qla4_82xx_pci_mem_read_2M 2 23081 NULL
102083 +isr_tx_procs_read_23084 isr_tx_procs_read 3 23084 NULL
102084 +lnw_gpio_irq_map_23087 lnw_gpio_irq_map 2 23087 NULL
102085 +rt2x00debug_write_eeprom_23091 rt2x00debug_write_eeprom 3 23091 NULL
102086 +fls_long_23096 fls_long 0 23096 NULL
102087 +ntfs_ucstonls_23097 ntfs_ucstonls 3-5 23097 NULL
102088 +pipe_iov_copy_from_user_23102 pipe_iov_copy_from_user 3 23102 NULL
102089 +mwl8k_cmd_set_beacon_23110 mwl8k_cmd_set_beacon 4 23110 NULL
102090 +nl80211_send_rx_auth_23111 nl80211_send_rx_auth 4 23111 NULL
102091 +__clear_user_23118 __clear_user 0 23118 NULL
102092 +dm_write_async_23120 dm_write_async 3 23120 NULL
102093 +drm_mode_create_tv_properties_23122 drm_mode_create_tv_properties 2 23122 NULL
102094 +ca91cx42_master_set_23146 ca91cx42_master_set 4 23146 NULL
102095 +read_file_ani_23161 read_file_ani 3 23161 NULL
102096 +ioremap_23172 ioremap 1-2 23172 NULL
102097 +tg_get_cfs_quota_23176 tg_get_cfs_quota 0 23176 NULL
102098 +usblp_write_23178 usblp_write 3 23178 NULL
102099 +msnd_fifo_alloc_23179 msnd_fifo_alloc 2 23179 NULL
102100 +gss_pipe_downcall_23182 gss_pipe_downcall 3 23182 NULL
102101 +ieee80211_get_mesh_hdrlen_23183 ieee80211_get_mesh_hdrlen 0 23183 NULL
102102 +fix_unclean_leb_23188 fix_unclean_leb 3 23188 NULL
102103 +mpi_alloc_limb_space_23190 mpi_alloc_limb_space 1 23190 NULL
102104 +convert_ip_to_linear_23198 convert_ip_to_linear 0 23198 NULL
102105 +pm80x_free_irq_23210 pm80x_free_irq 2 23210 NULL nohasharray
102106 +compat_rawv6_ioctl_23210 compat_rawv6_ioctl 3 23210 &pm80x_free_irq_23210
102107 +tty_buffer_request_room_23228 tty_buffer_request_room 2 23228 NULL
102108 +xlog_get_bp_23229 xlog_get_bp 2 23229 NULL
102109 +rxrpc_client_sendmsg_23236 rxrpc_client_sendmsg 5 23236 NULL
102110 +__gfn_to_rmap_23240 __gfn_to_rmap 1-2 23240 NULL
102111 +uwb_dev_addr_print_23282 uwb_dev_addr_print 2 23282 NULL
102112 +ipv6_skip_exthdr_23283 ipv6_skip_exthdr 0-2 23283 NULL
102113 +doc_probe_23285 doc_probe 1 23285 NULL
102114 +diva_get_trace_filter_23286 diva_get_trace_filter 0 23286 NULL
102115 +perf_mmap_free_page_23302 perf_mmap_free_page 1 23302 NULL
102116 +i2cdev_write_23310 i2cdev_write 3 23310 NULL
102117 +mc13xxx_get_num_regulators_dt_23344 mc13xxx_get_num_regulators_dt 0 23344 NULL
102118 +page_readlink_23346 page_readlink 3 23346 NULL
102119 +get_dst_timing_23358 get_dst_timing 0 23358 NULL
102120 +fd_setup_write_same_buf_23369 fd_setup_write_same_buf 3 23369 NULL
102121 +iscsi_change_queue_depth_23416 iscsi_change_queue_depth 2 23416 NULL
102122 +vga_mm_r_23419 vga_mm_r 0 23419 NULL
102123 +vzalloc_node_23424 vzalloc_node 1 23424 NULL
102124 +ocfs2_zero_tail_23447 ocfs2_zero_tail 3 23447 NULL
102125 +hidraw_send_report_23449 hidraw_send_report 3 23449 NULL
102126 +linear_conf_23485 linear_conf 2 23485 NULL nohasharray
102127 +divasa_remap_pci_bar_23485 divasa_remap_pci_bar 3-4 23485 &linear_conf_23485
102128 +event_filter_read_23494 event_filter_read 3 23494 NULL
102129 +__gfn_to_hva_many_23508 __gfn_to_hva_many 0-2 23508 NULL
102130 +ima_show_measurements_count_23536 ima_show_measurements_count 3 23536 NULL
102131 +xen_allocate_irq_gsi_23546 xen_allocate_irq_gsi 1-0 23546 NULL
102132 +tcp_current_mss_23552 tcp_current_mss 0 23552 NULL
102133 +dbg_leb_change_23555 dbg_leb_change 4 23555 NULL
102134 +venus_symlink_23570 venus_symlink 4-6 23570 NULL
102135 +iwl_dbgfs_interrupt_read_23574 iwl_dbgfs_interrupt_read 3 23574 NULL
102136 +snd_interval_min_23590 snd_interval_min 0 23590 NULL
102137 +do_mmap_pgoff_23600 do_mmap_pgoff 0 23600 NULL
102138 +_alloc_cdb_cont_23609 _alloc_cdb_cont 2 23609 NULL
102139 +islpci_mgt_transaction_23610 islpci_mgt_transaction 5 23610 NULL
102140 +__i2400mu_send_barker_23652 __i2400mu_send_barker 3 23652 NULL
102141 +ext3_compat_ioctl_23659 ext3_compat_ioctl 3 23659 NULL
102142 +sInW_23663 sInW 0 23663 NULL
102143 +SyS_connect_23669 SyS_connect 3 23669 NULL
102144 +proc_ioctl_compat_23682 proc_ioctl_compat 2 23682 NULL
102145 +nftl_partscan_23688 nftl_partscan 0 23688 NULL
102146 +cx18_read_23699 cx18_read 3 23699 NULL
102147 +isku_sysfs_write_control_23718 isku_sysfs_write_control 6 23718 NULL
102148 +mp_config_acpi_gsi_23728 mp_config_acpi_gsi 2 23728 NULL
102149 +pack_sg_list_p_23739 pack_sg_list_p 0-2 23739 NULL
102150 +rx_rx_dropped_frame_read_23748 rx_rx_dropped_frame_read 3 23748 NULL
102151 +__kfifo_max_r_23768 __kfifo_max_r 0-2-1 23768 NULL
102152 +__build_packet_message_23778 __build_packet_message 10-4 23778 NULL
102153 +security_inode_getxattr_23781 security_inode_getxattr 0 23781 NULL
102154 +diva_alloc_dma_map_23798 diva_alloc_dma_map 2 23798 NULL
102155 +rx_path_reset_read_23801 rx_path_reset_read 3 23801 NULL
102156 +__earlyonly_bootmem_alloc_23824 __earlyonly_bootmem_alloc 2-3 23824 NULL
102157 +ceph_copy_page_vector_to_user_23829 ceph_copy_page_vector_to_user 3-4 23829 NULL
102158 +tfrc_binsearch_23833 tfrc_binsearch 0 23833 NULL
102159 +xfs_dir2_leaf_getdents_23841 xfs_dir2_leaf_getdents 3 23841 NULL
102160 +pgdat_end_pfn_23842 pgdat_end_pfn 0 23842 NULL
102161 +iwl_dbgfs_nvm_read_23845 iwl_dbgfs_nvm_read 3 23845 NULL
102162 +p54_init_common_23850 p54_init_common 1 23850 NULL
102163 +gart_alloc_coherent_23852 gart_alloc_coherent 2 23852 NULL
102164 +bin_to_hex_dup_23853 bin_to_hex_dup 2 23853 NULL
102165 +ocfs2_xattr_get_clusters_23857 ocfs2_xattr_get_clusters 0 23857 NULL
102166 +ieee80211_if_read_dot11MeshMaxPeerLinks_23878 ieee80211_if_read_dot11MeshMaxPeerLinks 3 23878 NULL
102167 +nes_alloc_resource_23891 nes_alloc_resource 3 23891 NULL
102168 +tipc_snprintf_23893 tipc_snprintf 2 23893 NULL
102169 +add_new_gdb_meta_bg_23911 add_new_gdb_meta_bg 3 23911 NULL nohasharray
102170 +ieee80211_if_read_hw_queues_23911 ieee80211_if_read_hw_queues 3 23911 &add_new_gdb_meta_bg_23911
102171 +f2fs_getxattr_23917 f2fs_getxattr 0 23917 NULL
102172 +ipath_reg_phys_mr_23918 ipath_reg_phys_mr 3 23918 NULL nohasharray
102173 +mpihelp_mul_karatsuba_case_23918 mpihelp_mul_karatsuba_case 5-3 23918 &ipath_reg_phys_mr_23918
102174 +kvm_read_guest_23928 kvm_read_guest 4-2 23928 NULL
102175 +__alloc_skb_23940 __alloc_skb 1 23940 NULL
102176 +uvc_endpoint_max_bpi_23944 uvc_endpoint_max_bpi 0 23944 NULL
102177 +cifs_setxattr_23957 cifs_setxattr 4 23957 NULL
102178 +zd_usb_iowrite16v_async_23984 zd_usb_iowrite16v_async 3 23984 NULL
102179 +cxgb_alloc_mem_24007 cxgb_alloc_mem 1 24007 NULL
102180 +dgrp_send_24028 dgrp_send 0-2 24028 NULL
102181 +ocfs2_mark_extent_refcounted_24035 ocfs2_mark_extent_refcounted 6 24035 NULL
102182 +adis16400_show_serial_number_24037 adis16400_show_serial_number 3 24037 NULL
102183 +afs_cell_alloc_24052 afs_cell_alloc 2 24052 NULL
102184 +brcmf_sdio_ramrw_24074 brcmf_sdio_ramrw 5 24074 NULL
102185 +blkcipher_copy_iv_24075 blkcipher_copy_iv 3 24075 NULL
102186 +vb2_fop_read_24080 vb2_fop_read 3 24080 NULL
102187 +pipeline_post_proc_swi_read_24108 pipeline_post_proc_swi_read 3 24108 NULL
102188 +request_key_auth_read_24109 request_key_auth_read 3 24109 NULL
102189 +mpu401_read_24126 mpu401_read 3 24126 NULL
102190 +irnet_ctrl_write_24139 irnet_ctrl_write 3 24139 NULL
102191 +trim_bitmaps_24158 trim_bitmaps 3 24158 NULL
102192 +set_discard_24162 set_discard 2 24162 NULL
102193 +adu_read_24177 adu_read 3 24177 NULL
102194 +safe_prepare_write_buffer_24187 safe_prepare_write_buffer 3 24187 NULL
102195 +ieee80211_if_read_dot11MeshHWMPpreqMinInterval_24208 ieee80211_if_read_dot11MeshHWMPpreqMinInterval 3 24208 NULL
102196 +efx_vf_size_24213 efx_vf_size 0 24213 NULL
102197 +tcpprobe_sprint_24222 tcpprobe_sprint 0-2 24222 NULL
102198 +pcpu_embed_first_chunk_24224 pcpu_embed_first_chunk 1-2-3 24224 NULL nohasharray
102199 +mei_amthif_read_24224 mei_amthif_read 4 24224 &pcpu_embed_first_chunk_24224
102200 +pci_num_vf_24235 pci_num_vf 0 24235 NULL
102201 +sel_read_bool_24236 sel_read_bool 3 24236 NULL
102202 +dm_cache_save_hint_24257 dm_cache_save_hint 2 24257 NULL
102203 +em28xx_alloc_urbs_24260 em28xx_alloc_urbs 4-6 24260 NULL
102204 +thin_status_24278 thin_status 5 24278 NULL
102205 +compat_sys_preadv64_24283 compat_sys_preadv64 3 24283 NULL
102206 +msg_size_24288 msg_size 0 24288 NULL
102207 +ext2_free_blocks_24292 ext2_free_blocks 2-3 24292 NULL
102208 +map_page_24298 map_page 3-4 24298 NULL
102209 +btmrvl_pscmd_read_24308 btmrvl_pscmd_read 3 24308 NULL
102210 +reserve_metadata_bytes_24313 reserve_metadata_bytes 3 24313 NULL
102211 +ath6kl_add_bss_if_needed_24317 ath6kl_add_bss_if_needed 6 24317 NULL
102212 +ocfs2_direct_IO_get_blocks_24333 ocfs2_direct_IO_get_blocks 2 24333 NULL
102213 +si476x_radio_read_acf_blob_24336 si476x_radio_read_acf_blob 3 24336 NULL
102214 +C_SYSC_pwritev_24345 C_SYSC_pwritev 3 24345 NULL
102215 +kzalloc_node_24352 kzalloc_node 1 24352 NULL
102216 +qla2x00_handle_queue_full_24365 qla2x00_handle_queue_full 2 24365 NULL
102217 +cfi_read_pri_24366 cfi_read_pri 3 24366 NULL
102218 +btrfs_item_size_nr_24367 btrfs_item_size_nr 0 24367 NULL
102219 +igetword_24373 igetword 0 24373 NULL
102220 +pvr2_v4l2_ioctl_24398 pvr2_v4l2_ioctl 2 24398 NULL nohasharray
102221 +getxattr_24398 getxattr 4 24398 &pvr2_v4l2_ioctl_24398
102222 +blk_update_bidi_request_24415 blk_update_bidi_request 3-4 24415 NULL
102223 +b43_debugfs_read_24425 b43_debugfs_read 3 24425 NULL
102224 +iwl_nvm_read_section_24438 iwl_nvm_read_section 0 24438 NULL
102225 +ixgbe_alloc_q_vector_24439 ixgbe_alloc_q_vector 4-6 24439 NULL
102226 +smk_user_access_24440 smk_user_access 3 24440 NULL
102227 +page_address_24444 page_address 0 24444 NULL
102228 +evdev_do_ioctl_24459 evdev_do_ioctl 2 24459 NULL
102229 +ocfs2_write_cluster_by_desc_24466 ocfs2_write_cluster_by_desc 5-6 24466 NULL
102230 +read_file_spec_scan_ctl_24491 read_file_spec_scan_ctl 3 24491 NULL
102231 +pd_video_read_24510 pd_video_read 3 24510 NULL
102232 +request_key_with_auxdata_24515 request_key_with_auxdata 4 24515 NULL
102233 +xfs_buf_get_map_24522 xfs_buf_get_map 3 24522 NULL
102234 +named_prepare_buf_24532 named_prepare_buf 2 24532 NULL
102235 +do_mpage_readpage_24536 do_mpage_readpage 3 24536 NULL
102236 +write_cache_pages_24562 write_cache_pages 0 24562 NULL
102237 +tsi148_alloc_resource_24563 tsi148_alloc_resource 2 24563 NULL
102238 +udf_compute_nr_groups_24594 udf_compute_nr_groups 0 24594 NULL
102239 +count_preds_24600 count_preds 0 24600 NULL
102240 +sensor_hub_get_physical_device_count_24605 sensor_hub_get_physical_device_count 0 24605 NULL
102241 +kvm_pv_enable_async_pf_24637 kvm_pv_enable_async_pf 2 24637 NULL
102242 +context_alloc_24645 context_alloc 3 24645 NULL
102243 +blk_rq_err_bytes_24650 blk_rq_err_bytes 0 24650 NULL
102244 +unifi_net_data_malloc_24716 unifi_net_data_malloc 3 24716 NULL
102245 +read_fs_24717 read_fs 0 24717 NULL
102246 +simple_attr_read_24738 simple_attr_read 3 24738 NULL
102247 +qla2x00_change_queue_depth_24742 qla2x00_change_queue_depth 2 24742 NULL
102248 +ath_rxbuf_alloc_24745 ath_rxbuf_alloc 2 24745 NULL
102249 +get_dma_residue_24749 get_dma_residue 0 24749 NULL
102250 +kgdb_hex2mem_24755 kgdb_hex2mem 3 24755 NULL
102251 +nfsd4_sanitize_slot_size_24756 nfsd4_sanitize_slot_size 0-1 24756 NULL
102252 +i915_cache_sharing_read_24775 i915_cache_sharing_read 3 24775 NULL
102253 +ocfs2_read_blocks_24777 ocfs2_read_blocks 0 24777 NULL
102254 +skb_make_writable_24783 skb_make_writable 2 24783 NULL
102255 +datablob_hmac_verify_24786 datablob_hmac_verify 4 24786 NULL
102256 +cache_read_24790 cache_read 3 24790 NULL
102257 +unpack_str_24798 unpack_str 0 24798 NULL
102258 +__next_cpu_nr_24805 __next_cpu_nr 1 24805 NULL
102259 +comedi_buf_alloc_24822 comedi_buf_alloc 3 24822 NULL
102260 +snd_als4k_gcr_read_24840 snd_als4k_gcr_read 0 24840 NULL
102261 +snd_pcm_lib_buffer_bytes_24865 snd_pcm_lib_buffer_bytes 0 24865 NULL
102262 +pnp_alloc_24869 pnp_alloc 1 24869 NULL nohasharray
102263 +l2cap_create_basic_pdu_24869 l2cap_create_basic_pdu 3 24869 &pnp_alloc_24869
102264 +setup_buffering_24872 setup_buffering 3 24872 NULL
102265 +bnx2fc_cmd_mgr_alloc_24873 bnx2fc_cmd_mgr_alloc 3-2 24873 NULL
102266 +queues_read_24877 queues_read 3 24877 NULL nohasharray
102267 +symbol_string_24877 symbol_string 0 24877 &queues_read_24877
102268 +codec_list_read_file_24910 codec_list_read_file 3 24910 NULL
102269 +v4l2_ctrl_new_24927 v4l2_ctrl_new 7 24927 NULL
102270 +next_token_24929 next_token 0 24929 NULL
102271 +uf_create_device_nodes_24948 uf_create_device_nodes 2 24948 NULL
102272 +ocfs2_fiemap_24949 ocfs2_fiemap 3-4 24949 NULL
102273 +packet_sendmsg_24954 packet_sendmsg 4 24954 NULL
102274 +sys_rt_sigpending_24961 sys_rt_sigpending 2 24961 NULL
102275 +ensure_wear_leveling_24971 ensure_wear_leveling 0 24971 NULL
102276 +twl_i2c_write_u8_24976 twl_i2c_write_u8 3 24976 NULL
102277 +nf_nat_sdp_port_24977 nf_nat_sdp_port 7 24977 NULL
102278 +llc_ui_sendmsg_24987 llc_ui_sendmsg 4 24987 NULL
102279 +key_conf_hw_key_idx_read_25003 key_conf_hw_key_idx_read 3 25003 NULL
102280 +il_dbgfs_channels_read_25005 il_dbgfs_channels_read 3 25005 NULL
102281 +ni_660x_num_counters_25031 ni_660x_num_counters 0 25031 NULL
102282 +nfs_dns_resolve_name_25036 nfs_dns_resolve_name 3 25036 NULL
102283 +gs_buf_alloc_25067 gs_buf_alloc 2 25067 NULL
102284 +SYSC_listxattr_25072 SYSC_listxattr 3 25072 NULL
102285 +ceph_osdc_writepages_25085 ceph_osdc_writepages 5 25085 NULL
102286 +snd_rawmidi_kernel_write_25106 snd_rawmidi_kernel_write 3 25106 NULL
102287 +sys_fgetxattr_25166 sys_fgetxattr 4 25166 NULL
102288 +ipath_init_qp_table_25167 ipath_init_qp_table 2 25167 NULL
102289 +sctp_getsockopt_local_addrs_25178 sctp_getsockopt_local_addrs 2 25178 NULL
102290 +ks8851_rdreg32_25187 ks8851_rdreg32 0 25187 NULL
102291 +ocfs2_block_check_compute_25223 ocfs2_block_check_compute 2 25223 NULL
102292 +free_memcg_kmem_pages_25228 free_memcg_kmem_pages 1 25228 NULL
102293 +dtf_write_string_25232 dtf_write_string 5 25232 NULL
102294 +mon_stat_read_25238 mon_stat_read 3 25238 NULL
102295 +tcf_csum_ipv6_udp_25241 tcf_csum_ipv6_udp 4 25241 NULL
102296 +nilfs_palloc_find_available_slot_25245 nilfs_palloc_find_available_slot 3-5 25245 NULL
102297 +stripe_status_25259 stripe_status 5 25259 NULL
102298 +snd_pcm_start_25273 snd_pcm_start 0 25273 NULL
102299 +crypto_alloc_instance2_25277 crypto_alloc_instance2 3 25277 NULL
102300 +vfs_writev_25278 vfs_writev 3 25278 NULL
102301 +l2tp_session_create_25286 l2tp_session_create 1 25286 NULL
102302 +snd_seq_ioctl_compat_25307 snd_seq_ioctl_compat 3 25307 NULL
102303 +help_25316 help 5 25316 NULL nohasharray
102304 +ath9k_debugfs_read_buf_25316 ath9k_debugfs_read_buf 3 25316 &help_25316
102305 +rng_buffer_size_25348 rng_buffer_size 0 25348 NULL
102306 +SYSC_kexec_load_25361 SYSC_kexec_load 2 25361 NULL
102307 +rio_destid_next_25368 rio_destid_next 2 25368 NULL nohasharray
102308 +unix_mkname_25368 unix_mkname 0-2 25368 &rio_destid_next_25368
102309 +sel_read_mls_25369 sel_read_mls 3 25369 NULL
102310 +tc3589x_gpio_to_irq_25371 tc3589x_gpio_to_irq 2 25371 NULL
102311 +ebt_buf_add_pad_25413 ebt_buf_add_pad 0 25413 NULL
102312 +dai_list_read_file_25421 dai_list_read_file 3 25421 NULL
102313 +ath6kl_wmi_beginscan_cmd_25462 ath6kl_wmi_beginscan_cmd 8 25462 NULL
102314 +generic_file_buffered_write_25464 generic_file_buffered_write 4 25464 NULL
102315 +crypto_hash_digestsize_25469 crypto_hash_digestsize 0 25469 NULL
102316 +ocfs2_hamming_encode_25501 ocfs2_hamming_encode 3 25501 NULL
102317 +ivtv_buf_copy_from_user_25502 ivtv_buf_copy_from_user 4 25502 NULL
102318 +snd_pcm_plugin_build_25505 snd_pcm_plugin_build 5 25505 NULL
102319 +sb_permission_25523 sb_permission 0 25523 NULL
102320 +ext3_get_inode_loc_25542 ext3_get_inode_loc 0 25542 NULL
102321 +ieee80211_if_read_path_refresh_time_25545 ieee80211_if_read_path_refresh_time 3 25545 NULL
102322 +wimax_addr_scnprint_25548 wimax_addr_scnprint 2 25548 NULL
102323 +ht_print_chan_25556 ht_print_chan 0 25556 NULL
102324 +skb_tailroom_25567 skb_tailroom 0 25567 NULL
102325 +find_extend_vma_25597 find_extend_vma 2 25597 NULL
102326 +__devres_alloc_25598 __devres_alloc 2 25598 NULL
102327 +copy_user_generic_25611 copy_user_generic 0 25611 NULL
102328 +proc_coredump_filter_write_25625 proc_coredump_filter_write 3 25625 NULL
102329 +__get_user_pages_25628 __get_user_pages 0-3-4 25628 NULL nohasharray
102330 +befs_utf2nls_25628 befs_utf2nls 3 25628 &__get_user_pages_25628
102331 +__direct_map_25647 __direct_map 5-6 25647 NULL
102332 +ext2_try_to_allocate_25667 ext2_try_to_allocate 4-2 25667 NULL
102333 +aircable_prepare_write_buffer_25669 aircable_prepare_write_buffer 3 25669 NULL
102334 +sta_inactive_ms_read_25690 sta_inactive_ms_read 3 25690 NULL
102335 +ebitmap_start_positive_25703 ebitmap_start_positive 0 25703 NULL
102336 +rx_filter_mc_filter_read_25712 rx_filter_mc_filter_read 3 25712 NULL
102337 +ibmasm_new_command_25714 ibmasm_new_command 2 25714 NULL
102338 +sel_write_context_25726 sel_write_context 3 25726 NULL nohasharray
102339 +__alloc_bootmem_low_node_25726 __alloc_bootmem_low_node 2-3 25726 &sel_write_context_25726
102340 +mcs_unwrap_fir_25733 mcs_unwrap_fir 3 25733 NULL
102341 +ext2_find_near_25734 ext2_find_near 0 25734 NULL
102342 +__set_clear_dirty_25744 __set_clear_dirty 2 25744 NULL
102343 +cxgbi_device_portmap_create_25747 cxgbi_device_portmap_create 3 25747 NULL
102344 +dtf_write_channel_25748 dtf_write_channel 3 25748 NULL
102345 +event_rx_pool_read_25792 event_rx_pool_read 3 25792 NULL
102346 +sg_read_25799 sg_read 3 25799 NULL
102347 +system_enable_read_25815 system_enable_read 3 25815 NULL
102348 +realloc_buffer_25816 realloc_buffer 2 25816 NULL
102349 +mthca_map_user_db_25823 mthca_map_user_db 5 25823 NULL
102350 +pwr_missing_bcns_read_25824 pwr_missing_bcns_read 3 25824 NULL
102351 +parport_read_25855 parport_read 0 25855 NULL
102352 +xfs_dir2_sf_hdr_size_25858 xfs_dir2_sf_hdr_size 0 25858 NULL
102353 +uf_ap_process_data_pdu_25860 uf_ap_process_data_pdu 7 25860 NULL
102354 +key_attr_size_25865 key_attr_size 0 25865 NULL
102355 +ath6kl_regread_read_25884 ath6kl_regread_read 3 25884 NULL
102356 +run_delalloc_nocow_25896 run_delalloc_nocow 3 25896 NULL
102357 +sisusbcon_scroll_area_25899 sisusbcon_scroll_area 4-3 25899 NULL
102358 +lpfc_change_queue_depth_25905 lpfc_change_queue_depth 2 25905 NULL
102359 +nvme_trans_mode_page_create_25908 nvme_trans_mode_page_create 7 25908 NULL
102360 +do_jffs2_setxattr_25910 do_jffs2_setxattr 5 25910 NULL
102361 +rcname_read_25919 rcname_read 3 25919 NULL
102362 +snd_es1938_capture_copy_25930 snd_es1938_capture_copy 5 25930 NULL
102363 +key_flags_read_25931 key_flags_read 3 25931 NULL
102364 +copy_play_buf_25932 copy_play_buf 3 25932 NULL
102365 +flush_25957 flush 2 25957 NULL
102366 +video_register_device_25971 video_register_device 3 25971 NULL
102367 +udp_setsockopt_25985 udp_setsockopt 5 25985 NULL
102368 +ebt_compat_entry_padsize_26001 ebt_compat_entry_padsize 0 26001 NULL
102369 +lpfc_sli_probe_sriov_nr_virtfn_26004 lpfc_sli_probe_sriov_nr_virtfn 2 26004 NULL
102370 +irq_create_strict_mappings_26025 irq_create_strict_mappings 2-4 26025 NULL
102371 +xfs_xattr_acl_set_26028 xfs_xattr_acl_set 4 26028 NULL
102372 +skb_mac_header_26034 skb_mac_header 0 26034 NULL
102373 +mptscsih_change_queue_depth_26036 mptscsih_change_queue_depth 2 26036 NULL
102374 +selinux_inode_post_setxattr_26037 selinux_inode_post_setxattr 4 26037 NULL
102375 +tun_do_read_26047 tun_do_read 5 26047 NULL
102376 +__alloc_memory_core_early_26053 __alloc_memory_core_early 2-3 26053 NULL
102377 +keyctl_update_key_26061 keyctl_update_key 3 26061 NULL
102378 +rx_rx_wa_density_dropped_frame_read_26095 rx_rx_wa_density_dropped_frame_read 3 26095 NULL
102379 +skb_cow_26138 skb_cow 2 26138 NULL
102380 +usb_dump_device_strings_26146 usb_dump_device_strings 0 26146 NULL
102381 +copy_oldmem_page_26164 copy_oldmem_page 3-1 26164 NULL
102382 +gfs2_xattr_acl_get_26166 gfs2_xattr_acl_get 0 26166 NULL nohasharray
102383 +ath6kl_roam_table_read_26166 ath6kl_roam_table_read 3 26166 &gfs2_xattr_acl_get_26166
102384 +perf_adjust_period_26168 perf_adjust_period 2-3 26168 NULL
102385 +mid_get_vbt_data_r1_26170 mid_get_vbt_data_r1 2 26170 NULL
102386 +disk_devt_26180 disk_devt 0 26180 NULL
102387 +get_registers_26187 get_registers 3 26187 NULL
102388 +cgroup_setxattr_26188 cgroup_setxattr 4 26188 NULL
102389 +ieee80211_if_fmt_dot11MeshTTL_26198 ieee80211_if_fmt_dot11MeshTTL 3 26198 NULL
102390 +xfs_idata_realloc_26199 xfs_idata_realloc 2 26199 NULL
102391 +mce_write_26201 mce_write 3 26201 NULL
102392 +_scsih_change_queue_depth_26230 _scsih_change_queue_depth 2 26230 NULL
102393 +bio_split_26235 bio_split 2 26235 NULL
102394 +crypto_ctxsize_26278 crypto_ctxsize 0 26278 NULL
102395 +wacom_set_device_mode_26280 wacom_set_device_mode 3 26280 NULL
102396 +ext2_find_goal_26306 ext2_find_goal 0 26306 NULL
102397 +snd_pcm_plug_client_channels_buf_26309 snd_pcm_plug_client_channels_buf 0-3 26309 NULL nohasharray
102398 +pax_get_random_long_26309 pax_get_random_long 0 26309 &snd_pcm_plug_client_channels_buf_26309
102399 +pwr_wake_on_host_read_26321 pwr_wake_on_host_read 3 26321 NULL
102400 +efx_rx_mk_skb_26342 efx_rx_mk_skb 5 26342 NULL
102401 +ocfs2_duplicate_clusters_by_page_26357 ocfs2_duplicate_clusters_by_page 5 26357 NULL
102402 +cifs_readdata_alloc_26360 cifs_readdata_alloc 1 26360 NULL
102403 +dup_to_netobj_26363 dup_to_netobj 3 26363 NULL
102404 +invalidate_inode_pages2_range_26403 invalidate_inode_pages2_range 0 26403 NULL
102405 +dma_declare_contiguous_26455 dma_declare_contiguous 2 26455 NULL
102406 +ib_alloc_device_26483 ib_alloc_device 1 26483 NULL
102407 +ulong_write_file_26485 ulong_write_file 3 26485 NULL
102408 +dvb_ca_en50221_io_ioctl_26490 dvb_ca_en50221_io_ioctl 2 26490 NULL
102409 +read_vmcore_26501 read_vmcore 3 26501 NULL
102410 +vfio_pci_set_msi_trigger_26507 vfio_pci_set_msi_trigger 3-4 26507 NULL
102411 +iwl_dbgfs_rf_reset_read_26512 iwl_dbgfs_rf_reset_read 3 26512 NULL
102412 +__vhost_add_used_n_26554 __vhost_add_used_n 3 26554 NULL
102413 +ip6_addr_string_26568 ip6_addr_string 0 26568 NULL
102414 +kvm_iommu_put_pages_26571 kvm_iommu_put_pages 2 26571 NULL
102415 +rts51x_read_mem_26577 rts51x_read_mem 4 26577 NULL nohasharray
102416 +batadv_receive_server_sync_packet_26577 batadv_receive_server_sync_packet 3 26577 &rts51x_read_mem_26577
102417 +cirrusfb_get_memsize_26597 cirrusfb_get_memsize 0 26597 NULL
102418 +regcache_set_reg_present_26598 regcache_set_reg_present 2 26598 NULL
102419 +__unmap_single_26604 __unmap_single 2-3 26604 NULL
102420 +iommu_alloc_26621 iommu_alloc 4 26621 NULL
102421 +pack_value_26625 pack_value 1 26625 NULL
102422 +pwr_fix_tsf_ps_read_26627 pwr_fix_tsf_ps_read 3 26627 NULL
102423 +irq_alloc_generic_chip_26650 irq_alloc_generic_chip 2 26650 NULL nohasharray
102424 +inb_p_26650 inb_p 0 26650 &irq_alloc_generic_chip_26650
102425 +cipso_v4_map_cat_rbm_hton_26680 cipso_v4_map_cat_rbm_hton 0 26680 NULL
102426 +__alloc_pred_stack_26687 __alloc_pred_stack 2 26687 NULL
102427 +rtllib_authentication_req_26713 rtllib_authentication_req 3 26713 NULL
102428 +aty_ld_le32_26720 aty_ld_le32 0 26720 NULL
102429 +nouveau_namedb_create__26732 nouveau_namedb_create_ 7 26732 NULL
102430 +SyS_fcntl_26737 SyS_fcntl 3 26737 NULL
102431 +pipeline_tcp_rx_stat_fifo_int_read_26745 pipeline_tcp_rx_stat_fifo_int_read 3 26745 NULL
102432 +srp_ring_alloc_26760 srp_ring_alloc 2 26760 NULL
102433 +snd_hda_get_raw_connections_26762 snd_hda_get_raw_connections 0 26762 NULL
102434 +qlcnic_alloc_sds_rings_26795 qlcnic_alloc_sds_rings 2 26795 NULL
102435 +cipso_v4_genopt_26812 cipso_v4_genopt 0 26812 NULL
102436 +iwl_trans_read_mem32_26825 iwl_trans_read_mem32 0 26825 NULL
102437 +smk_write_load_26829 smk_write_load 3 26829 NULL
102438 +sizeof_pwm_leds_priv_26830 sizeof_pwm_leds_priv 0-1 26830 NULL
102439 +slgt_compat_ioctl_26834 slgt_compat_ioctl 3 26834 NULL
102440 +__nodes_onto_26838 __nodes_onto 4 26838 NULL
102441 +scnprint_id_26842 scnprint_id 3 26842 NULL
102442 +ecryptfs_miscdev_write_26847 ecryptfs_miscdev_write 3 26847 NULL
102443 +netxen_nic_hw_read_wx_128M_26858 netxen_nic_hw_read_wx_128M 2 26858 NULL
102444 +svc_print_xprts_26881 svc_print_xprts 0 26881 NULL
102445 +ext2_compat_ioctl_26883 ext2_compat_ioctl 3 26883 NULL
102446 +slhc_uncompress_26905 slhc_uncompress 0-3 26905 NULL
102447 +x25_asy_change_mtu_26928 x25_asy_change_mtu 2 26928 NULL
102448 +compat_mtw_from_user_26932 compat_mtw_from_user 0 26932 NULL
102449 +scsi_tgt_copy_sense_26933 scsi_tgt_copy_sense 3 26933 NULL
102450 +pwr_ps_enter_read_26935 pwr_ps_enter_read 3 26935 NULL nohasharray
102451 +sctp_setsockopt_adaptation_layer_26935 sctp_setsockopt_adaptation_layer 3 26935 &pwr_ps_enter_read_26935
102452 +carl9170_handle_mpdu_26940 carl9170_handle_mpdu 3 26940 NULL nohasharray
102453 +create_bm_block_list_26940 create_bm_block_list 0 26940 &carl9170_handle_mpdu_26940
102454 +hecubafb_write_26942 hecubafb_write 3 26942 NULL
102455 +extract_entropy_user_26952 extract_entropy_user 3 26952 NULL nohasharray
102456 +do_trimming_26952 do_trimming 3 26952 &extract_entropy_user_26952
102457 +pcf857x_irq_domain_map_26998 pcf857x_irq_domain_map 2 26998 NULL
102458 +swiotlb_bounce_27046 swiotlb_bounce 2-1 27046 NULL
102459 +ufs_alloc_fragments_27059 ufs_alloc_fragments 3-0-2 27059 NULL
102460 +__videobuf_alloc_vb_27062 __videobuf_alloc_vb 1 27062 NULL
102461 +snd_pcm_lib_period_bytes_27071 snd_pcm_lib_period_bytes 0 27071 NULL
102462 +paravirt_read_msr_27077 paravirt_read_msr 0 27077 NULL
102463 +alloc_fdmem_27083 alloc_fdmem 1 27083 NULL
102464 +compat_SyS_rt_sigpending_27084 compat_SyS_rt_sigpending 2 27084 NULL
102465 +find_first_bit_27088 find_first_bit 0-2 27088 NULL
102466 +btmrvl_hscmd_write_27089 btmrvl_hscmd_write 3 27089 NULL
102467 +nes_reg_user_mr_27106 nes_reg_user_mr 2-3 27106 NULL
102468 +__devcgroup_inode_permission_27108 __devcgroup_inode_permission 0 27108 NULL
102469 +SYSC_ipc_27123 SYSC_ipc 3 27123 NULL
102470 +get_kernel_page_27133 get_kernel_page 0 27133 NULL
102471 +drbd_get_capacity_27141 drbd_get_capacity 0 27141 NULL
102472 +pms_capture_27142 pms_capture 4 27142 NULL
102473 +btmrvl_hscfgcmd_write_27143 btmrvl_hscfgcmd_write 3 27143 NULL
102474 +snd_compr_calc_avail_27165 snd_compr_calc_avail 0 27165 NULL
102475 +i2400m_net_rx_27170 i2400m_net_rx 5 27170 NULL
102476 +ieee80211_if_read_rc_rateidx_mask_5ghz_27183 ieee80211_if_read_rc_rateidx_mask_5ghz 3 27183 NULL
102477 +mmc_blk_compat_ioctl_27194 mmc_blk_compat_ioctl 4 27194 NULL
102478 +dbAllocAG_27228 dbAllocAG 0 27228 NULL
102479 +rxrpc_request_key_27235 rxrpc_request_key 3 27235 NULL
102480 +cfpkt_add_trail_27260 cfpkt_add_trail 3 27260 NULL
102481 +__dma_map_cont_27289 __dma_map_cont 5 27289 NULL
102482 +hpi_read_reg_27302 hpi_read_reg 0 27302 NULL
102483 +copy_from_buf_27308 copy_from_buf 4-2 27308 NULL
102484 +virtqueue_add_inbuf_27312 virtqueue_add_inbuf 3 27312 NULL nohasharray
102485 +ath6kl_wmi_test_cmd_27312 ath6kl_wmi_test_cmd 3 27312 &virtqueue_add_inbuf_27312
102486 +ocfs2_blocks_to_clusters_27327 ocfs2_blocks_to_clusters 0-2 27327 NULL
102487 +snd_pcm_oss_write2_27332 snd_pcm_oss_write2 3-0 27332 NULL
102488 +afs_cell_create_27346 afs_cell_create 2 27346 NULL
102489 +compat_SyS_semctl_27349 compat_SyS_semctl 4 27349 NULL
102490 +pcbit_stat_27364 pcbit_stat 2 27364 NULL
102491 +init_memory_mapping_27395 init_memory_mapping 0 27395 NULL
102492 +phys_pte_init_27411 phys_pte_init 0-3-2 27411 NULL
102493 +ib_dma_map_sg_27413 ib_dma_map_sg 0 27413 NULL
102494 +acpi_os_get_root_pointer_27416 acpi_os_get_root_pointer 0 27416 NULL nohasharray
102495 +ieee80211_if_read_smps_27416 ieee80211_if_read_smps 3 27416 &acpi_os_get_root_pointer_27416
102496 +pack_sg_list_27425 pack_sg_list 0-2 27425 NULL
102497 +ktime_to_us_27455 ktime_to_us 0 27455 NULL
102498 +v4l2_ctrl_new_std_menu_items_27487 v4l2_ctrl_new_std_menu_items 4 27487 NULL
102499 +set_tpl_pfs_27490 set_tpl_pfs 3 27490 NULL
102500 +hcd_buffer_alloc_27495 hcd_buffer_alloc 2 27495 NULL
102501 +qib_create_cq_27497 qib_create_cq 2 27497 NULL
102502 +ip_set_get_h32_27498 ip_set_get_h32 0 27498 NULL
102503 +btrfs_get_64_27499 btrfs_get_64 0 27499 NULL
102504 +__usbnet_write_cmd_27500 __usbnet_write_cmd 7 27500 NULL
102505 +garmin_read_process_27509 garmin_read_process 3 27509 NULL
102506 +ib_copy_to_udata_27525 ib_copy_to_udata 3 27525 NULL
102507 +snd_sonicvibes_getdmaa_27552 snd_sonicvibes_getdmaa 0 27552 NULL
102508 +SyS_fgetxattr_27571 SyS_fgetxattr 4 27571 NULL
102509 +libipw_alloc_txb_27579 libipw_alloc_txb 1-2-3 27579 NULL
102510 +read_flush_procfs_27642 read_flush_procfs 3 27642 NULL nohasharray
102511 +nl80211_send_connect_result_27642 nl80211_send_connect_result 5-7 27642 &read_flush_procfs_27642 nohasharray
102512 +ocfs2_xattr_ibody_get_27642 ocfs2_xattr_ibody_get 0 27642 &nl80211_send_connect_result_27642
102513 +add_new_gdb_27643 add_new_gdb 3 27643 NULL
102514 +qnx6_readpages_27657 qnx6_readpages 4 27657 NULL
102515 +cdrom_read_cdda_old_27664 cdrom_read_cdda_old 4 27664 NULL
102516 +set_bypass_pwoff_pfs_27669 set_bypass_pwoff_pfs 3 27669 NULL
102517 +qword_get_27670 qword_get 0 27670 NULL
102518 +ocfs2_extend_dir_27695 ocfs2_extend_dir 4 27695 NULL
102519 +fs_path_add_from_extent_buffer_27702 fs_path_add_from_extent_buffer 4 27702 NULL
102520 +inc_zcache_eph_zbytes_27704 inc_zcache_eph_zbytes 1 27704 NULL
102521 +evm_write_key_27715 evm_write_key 3 27715 NULL
102522 +ieee80211_if_fmt_dot11MeshGateAnnouncementProtocol_27722 ieee80211_if_fmt_dot11MeshGateAnnouncementProtocol 3 27722 NULL
102523 +reg_w_buf_27724 reg_w_buf 3 27724 NULL
102524 +xfs_dir2_block_sfsize_27727 xfs_dir2_block_sfsize 0 27727 NULL
102525 +a4t_cs_init_27734 a4t_cs_init 3 27734 NULL
102526 +SyS_setsockopt_27759 SyS_setsockopt 5 27759 NULL
102527 +kcalloc_27770 kcalloc 1-2 27770 NULL
102528 +twl4030_set_gpio_dataout_27792 twl4030_set_gpio_dataout 1 27792 NULL
102529 +DivaSTraceGetMemotyRequirement_27797 DivaSTraceGetMemotyRequirement 0-1 27797 NULL
102530 +ttm_object_file_init_27804 ttm_object_file_init 2 27804 NULL
102531 +mpihelp_mul_27805 mpihelp_mul 5-3 27805 NULL
102532 +fwtty_buffer_rx_27821 fwtty_buffer_rx 3 27821 NULL
102533 +init_header_complete_27833 init_header_complete 0 27833 NULL nohasharray
102534 +sys_listxattr_27833 sys_listxattr 3 27833 &init_header_complete_27833
102535 +read_profile_27859 read_profile 3 27859 NULL
102536 +sky2_pci_read16_27863 sky2_pci_read16 0 27863 NULL
102537 +ieee80211_if_read_dot11MeshHWMProotInterval_27873 ieee80211_if_read_dot11MeshHWMProotInterval 3 27873 NULL
102538 +unix_seqpacket_sendmsg_27893 unix_seqpacket_sendmsg 4 27893 NULL
102539 +gluebi_write_27905 gluebi_write 3 27905 NULL
102540 +SyS_ptrace_27924 SyS_ptrace 3-4 27924 NULL
102541 +bm_find_next_27929 bm_find_next 2 27929 NULL
102542 +tracing_clock_write_27961 tracing_clock_write 3 27961 NULL
102543 +tipc_media_addr_printf_27971 tipc_media_addr_printf 2 27971 NULL
102544 +mic_rx_pkts_read_27972 mic_rx_pkts_read 3 27972 NULL
102545 +f2fs_bio_alloc_27983 f2fs_bio_alloc 2 27983 NULL
102546 +edt_ft5x06_debugfs_raw_data_read_28002 edt_ft5x06_debugfs_raw_data_read 3 28002 NULL
102547 +snd_rawmidi_write_28008 snd_rawmidi_write 3 28008 NULL
102548 +serial8250_port_size_28019 serial8250_port_size 0 28019 NULL
102549 +alloc_one_pg_vec_page_28031 alloc_one_pg_vec_page 1 28031 NULL
102550 +sctp_setsockopt_maxburst_28041 sctp_setsockopt_maxburst 3 28041 NULL
102551 +rts51x_xd_rw_28046 rts51x_xd_rw 3-4 28046 NULL
102552 +cx231xx_init_vbi_isoc_28053 cx231xx_init_vbi_isoc 3-2 28053 NULL
102553 +pool_status_28055 pool_status 5 28055 NULL
102554 +lpfc_idiag_mbxacc_read_28061 lpfc_idiag_mbxacc_read 3 28061 NULL
102555 +tx_frag_bad_mblk_num_read_28064 tx_frag_bad_mblk_num_read 3 28064 NULL
102556 +ext4_read_block_bitmap_nowait_28078 ext4_read_block_bitmap_nowait 2 28078 NULL
102557 +GetRecvByte_28082 GetRecvByte 0 28082 NULL
102558 +platform_get_irq_28088 platform_get_irq 0 28088 NULL
102559 +gdth_init_isa_28091 gdth_init_isa 1 28091 NULL
102560 +mmc_test_alloc_mem_28102 mmc_test_alloc_mem 3-2 28102 NULL
102561 +rx_defrag_need_defrag_read_28117 rx_defrag_need_defrag_read 3 28117 NULL
102562 +vgacon_adjust_height_28124 vgacon_adjust_height 2 28124 NULL
102563 +video_read_28148 video_read 3 28148 NULL
102564 +snd_midi_channel_alloc_set_28153 snd_midi_channel_alloc_set 1 28153 NULL
102565 +stats_dot11FCSErrorCount_read_28154 stats_dot11FCSErrorCount_read 3 28154 NULL
102566 +vread_28173 vread 0 28173 NULL
102567 +macvtap_get_user_28185 macvtap_get_user 4 28185 NULL
102568 +d_path_28198 d_path 0 28198 NULL
102569 +nouveau_mxm_create__28200 nouveau_mxm_create_ 4 28200 NULL
102570 +__qp_memcpy_from_queue_28220 __qp_memcpy_from_queue 3-4 28220 NULL
102571 +line6_alloc_sysex_buffer_28225 line6_alloc_sysex_buffer 4 28225 NULL nohasharray
102572 +set_dis_disc_pfs_28225 set_dis_disc_pfs 3 28225 &line6_alloc_sysex_buffer_28225
102573 +amd_nb_num_28228 amd_nb_num 0 28228 NULL
102574 +ext4_validate_block_bitmap_28243 ext4_validate_block_bitmap 3 28243 NULL
102575 +usemap_size_28281 usemap_size 0 28281 NULL
102576 +dma_map_sg_attrs_28289 dma_map_sg_attrs 0 28289 NULL
102577 +acpi_register_gsi_xen_28305 acpi_register_gsi_xen 2 28305 NULL nohasharray
102578 +nouveau_compat_ioctl_28305 nouveau_compat_ioctl 2 28305 &acpi_register_gsi_xen_28305
102579 +__mlock_vma_pages_range_28315 __mlock_vma_pages_range 2-3 28315 NULL
102580 +snd_pcm_oss_read_28317 snd_pcm_oss_read 3 28317 NULL
102581 +bm_entry_write_28338 bm_entry_write 3 28338 NULL
102582 +snapshot_write_28351 snapshot_write 3 28351 NULL
102583 +sys_writev_28384 sys_writev 3 28384 NULL
102584 +dlmfs_file_read_28385 dlmfs_file_read 3 28385 NULL
102585 +tx_frag_cache_miss_read_28394 tx_frag_cache_miss_read 3 28394 NULL
102586 +set_bypass_pfs_28395 set_bypass_pfs 3 28395 NULL
102587 +bypass_pwup_write_28416 bypass_pwup_write 3 28416 NULL
102588 +subdev_ioctl_28417 subdev_ioctl 2 28417 NULL
102589 +__split_large_page_28429 __split_large_page 2 28429 NULL
102590 +mpage_readpages_28436 mpage_readpages 3 28436 NULL
102591 +set_memory_uc_28439 set_memory_uc 1 28439 NULL
102592 +snd_emu10k1_efx_read_28452 snd_emu10k1_efx_read 2 28452 NULL
102593 +key_mic_failures_read_28457 key_mic_failures_read 3 28457 NULL
102594 +alloc_irq_cpu_rmap_28459 alloc_irq_cpu_rmap 1 28459 NULL
102595 +vmw_du_crtc_cursor_set_28479 vmw_du_crtc_cursor_set 4-5 28479 NULL
102596 +ocfs2_backup_super_blkno_28484 ocfs2_backup_super_blkno 0-2 28484 NULL
102597 +max_response_pages_28492 max_response_pages 0 28492 NULL
102598 +clear_discard_28494 clear_discard 2 28494 NULL
102599 +ps_poll_upsd_utilization_read_28519 ps_poll_upsd_utilization_read 3 28519 NULL
102600 +__next_node_28521 __next_node 1 28521 NULL
102601 +i2400m_tx_stats_read_28527 i2400m_tx_stats_read 3 28527 NULL
102602 +sel_read_policycap_28544 sel_read_policycap 3 28544 NULL
102603 +run_delalloc_range_28545 run_delalloc_range 3 28545 NULL nohasharray
102604 +mptctl_getiocinfo_28545 mptctl_getiocinfo 2 28545 &run_delalloc_range_28545
102605 +b43legacy_debugfs_write_28556 b43legacy_debugfs_write 3 28556 NULL
102606 +asymmetric_verify_28567 asymmetric_verify 3 28567 NULL
102607 +phys_pud_init_28574 phys_pud_init 0-3-2 28574 NULL
102608 +cfg80211_send_rx_auth_28580 cfg80211_send_rx_auth 3 28580 NULL
102609 +oxygen_read32_28582 oxygen_read32 0 28582 NULL
102610 +ocfs2_read_dir_block_28587 ocfs2_read_dir_block 2 28587 NULL
102611 +extract_entropy_28604 extract_entropy 3-5 28604 NULL
102612 +kfifo_unused_28612 kfifo_unused 0 28612 NULL
102613 +mp_override_legacy_irq_28618 mp_override_legacy_irq 4 28618 NULL
102614 +snd_nm256_capture_copy_28622 snd_nm256_capture_copy 5-3 28622 NULL
102615 +_set_range_28627 _set_range 3 28627 NULL
102616 +v4l2_compat_ioctl32_28630 v4l2_compat_ioctl32 3 28630 NULL
102617 +setup_usemap_28636 setup_usemap 3-4 28636 NULL
102618 +blk_queue_resize_tags_28670 blk_queue_resize_tags 2 28670 NULL
102619 +__dev_alloc_skb_28681 __dev_alloc_skb 1 28681 NULL
102620 +nl80211_send_new_peer_candidate_28692 nl80211_send_new_peer_candidate 5 28692 NULL nohasharray
102621 +kvm_mmu_get_page_28692 kvm_mmu_get_page 2 28692 &nl80211_send_new_peer_candidate_28692
102622 +drm_plane_init_28731 drm_plane_init 6 28731 NULL
102623 +spi_execute_28736 spi_execute 5 28736 NULL
102624 +snd_pcm_aio_write_28738 snd_pcm_aio_write 3 28738 NULL nohasharray
102625 +phantom_compat_ioctl_28738 phantom_compat_ioctl 3 28738 &snd_pcm_aio_write_28738
102626 +read_file_btcoex_28743 read_file_btcoex 3 28743 NULL
102627 +max_hw_blocks_28748 max_hw_blocks 0 28748 NULL
102628 +ath6kl_get_num_reg_28780 ath6kl_get_num_reg 0 28780 NULL
102629 +dvb_net_sec_callback_28786 dvb_net_sec_callback 2 28786 NULL
102630 +btrfs_block_rsv_refill_28800 btrfs_block_rsv_refill 3 28800 NULL nohasharray
102631 +sel_write_member_28800 sel_write_member 3 28800 &btrfs_block_rsv_refill_28800
102632 +cgroup_file_read_28804 cgroup_file_read 3 28804 NULL
102633 +btrfs_ref_to_path_28809 btrfs_ref_to_path 0 28809 NULL
102634 +memory_bm_create_28814 memory_bm_create 0 28814 NULL
102635 +iwl_dbgfs_rxon_filter_flags_read_28832 iwl_dbgfs_rxon_filter_flags_read 3 28832 NULL
102636 +C_SYSC_shmat_28843 C_SYSC_shmat 2 28843 NULL
102637 +vp_request_msix_vectors_28849 vp_request_msix_vectors 2 28849 NULL
102638 +ipv6_renew_options_28867 ipv6_renew_options 5 28867 NULL
102639 +packet_sendmsg_spkt_28885 packet_sendmsg_spkt 4 28885 NULL
102640 +to_cblock_28899 to_cblock 0-1 28899 NULL
102641 +da9055_group_write_28904 da9055_group_write 2-3 28904 NULL
102642 +ps_upsd_timeouts_read_28924 ps_upsd_timeouts_read 3 28924 NULL
102643 +ocfs2_frozen_trigger_28929 ocfs2_frozen_trigger 4 28929 NULL
102644 +push_rx_28939 push_rx 3 28939 NULL
102645 +btrfs_trim_block_group_28963 btrfs_trim_block_group 3 28963 NULL
102646 +alloc_sched_domains_28972 alloc_sched_domains 1 28972 NULL
102647 +ext4_mb_add_groupinfo_28988 ext4_mb_add_groupinfo 2 28988 NULL
102648 +bin_uuid_28999 bin_uuid 3 28999 NULL
102649 +offset_to_bitmap_29004 offset_to_bitmap 2 29004 NULL
102650 +xz_dec_init_29029 xz_dec_init 2 29029 NULL
102651 +sys_fcntl64_29031 sys_fcntl64 3 29031 NULL
102652 +ieee80211_if_read_ht_opmode_29044 ieee80211_if_read_ht_opmode 3 29044 NULL
102653 +rxrpc_sendmsg_29049 rxrpc_sendmsg 4 29049 NULL
102654 +iso_packets_buffer_init_29061 iso_packets_buffer_init 3-4 29061 NULL
102655 +lpfc_idiag_extacc_drivr_get_29067 lpfc_idiag_extacc_drivr_get 0-3 29067 NULL
102656 +memblock_alloc_base_nid_29072 memblock_alloc_base_nid 1-2 29072 NULL
102657 +sctp_getsockopt_assoc_stats_29074 sctp_getsockopt_assoc_stats 2 29074 NULL
102658 +mark_extents_written_29082 mark_extents_written 2 29082 NULL
102659 +i915_error_object_create_sized_29091 i915_error_object_create_sized 3 29091 NULL
102660 +isdn_ppp_write_29109 isdn_ppp_write 4 29109 NULL
102661 +snprintf_29125 snprintf 0 29125 NULL
102662 +iov_shorten_29130 iov_shorten 0 29130 NULL
102663 +proc_scsi_write_29142 proc_scsi_write 3 29142 NULL
102664 +reshape_ring_29147 reshape_ring 2 29147 NULL
102665 +alloc_irqs_from_29152 alloc_irqs_from 1-2 29152 NULL
102666 +drm_property_create_enum_29201 drm_property_create_enum 5 29201 NULL
102667 +wusb_prf_256_29203 wusb_prf_256 7 29203 NULL nohasharray
102668 +alloc_group_attrs_29203 alloc_group_attrs 3 29203 &wusb_prf_256_29203
102669 +__mm_populate_29204 __mm_populate 1 29204 NULL
102670 +comedi_alloc_subdevices_29207 comedi_alloc_subdevices 2 29207 NULL
102671 +do_shrinker_shrink_29208 do_shrinker_shrink 0 29208 NULL
102672 +iwl_dbgfs_temperature_read_29224 iwl_dbgfs_temperature_read 3 29224 NULL
102673 +nvme_trans_copy_from_user_29227 nvme_trans_copy_from_user 3 29227 NULL
102674 +devm_ioremap_29235 devm_ioremap 2-3 29235 NULL
102675 +irq_domain_add_linear_29236 irq_domain_add_linear 2 29236 NULL
102676 +recover_peb_29238 recover_peb 6-7 29238 NULL
102677 +security_context_to_sid_core_29248 security_context_to_sid_core 2 29248 NULL
102678 +block_div_29268 block_div 0-1-2 29268 NULL
102679 +prism2_set_genericelement_29277 prism2_set_genericelement 3 29277 NULL
102680 +bitmap_ord_to_pos_29279 bitmap_ord_to_pos 3 29279 NULL
102681 +sn9c102_read_29305 sn9c102_read 3 29305 NULL
102682 +__fuse_get_req_29315 __fuse_get_req 2 29315 NULL
102683 +lo_compat_ioctl_29336 lo_compat_ioctl 4 29336 NULL
102684 +tun_put_user_29337 tun_put_user 5 29337 NULL
102685 +__alloc_ei_netdev_29338 __alloc_ei_netdev 1 29338 NULL
102686 +alloc_and_copy_ftrace_hash_29368 alloc_and_copy_ftrace_hash 1 29368 NULL
102687 +ktime_us_delta_29375 ktime_us_delta 0 29375 NULL
102688 +mwifiex_cfg80211_mgmt_tx_29387 mwifiex_cfg80211_mgmt_tx 7 29387 NULL
102689 +pca953x_irq_setup_29407 pca953x_irq_setup 3 29407 NULL
102690 +mempool_create_29437 mempool_create 1 29437 NULL
102691 +crypto_ahash_alignmask_29445 crypto_ahash_alignmask 0 29445 NULL
102692 +apei_exec_ctx_get_output_29457 apei_exec_ctx_get_output 0 29457 NULL
102693 +validate_scan_freqs_29462 validate_scan_freqs 0 29462 NULL
102694 +SyS_flistxattr_29474 SyS_flistxattr 3 29474 NULL
102695 +do_register_entry_29478 do_register_entry 4 29478 NULL
102696 +simple_strtoul_29480 simple_strtoul 0 29480 NULL
102697 +sched_clock_local_29498 sched_clock_local 0 29498 NULL
102698 +btmrvl_pscmd_write_29504 btmrvl_pscmd_write 3 29504 NULL
102699 +btrfs_file_extent_disk_bytenr_29505 btrfs_file_extent_disk_bytenr 0 29505 NULL
102700 +atk_debugfs_ggrp_read_29522 atk_debugfs_ggrp_read 3 29522 NULL
102701 +_regmap_raw_write_29541 _regmap_raw_write 4-2 29541 NULL
102702 +set_brk_29551 set_brk 1 29551 NULL nohasharray
102703 +ftrace_write_29551 ftrace_write 3 29551 &set_brk_29551
102704 +idetape_queue_rw_tail_29562 idetape_queue_rw_tail 3 29562 NULL
102705 +leaf_dealloc_29566 leaf_dealloc 3 29566 NULL nohasharray
102706 +alloc_empty_pages_29566 alloc_empty_pages 2 29566 &leaf_dealloc_29566
102707 +lbs_lowsnr_read_29571 lbs_lowsnr_read 3 29571 NULL
102708 +pvr2_hdw_report_unlocked_29589 pvr2_hdw_report_unlocked 4 29589 NULL
102709 +slots_per_page_29601 slots_per_page 0 29601 NULL
102710 +qla4_82xx_pci_set_window_29605 qla4_82xx_pci_set_window 0-2 29605 NULL
102711 +alloc_low_pages_29623 alloc_low_pages 1 29623 NULL
102712 +nla_get_u16_29624 nla_get_u16 0 29624 NULL
102713 +tx_frag_cache_hit_read_29639 tx_frag_cache_hit_read 3 29639 NULL
102714 +lowmem_page_address_29649 lowmem_page_address 0 29649 NULL
102715 +sctp_make_abort_user_29654 sctp_make_abort_user 3 29654 NULL
102716 +br_send_bpdu_29669 br_send_bpdu 3 29669 NULL
102717 +sisusb_write_mem_bulk_29678 sisusb_write_mem_bulk 4 29678 NULL
102718 +sd_alloc_ctl_entry_29708 sd_alloc_ctl_entry 1 29708 NULL nohasharray
102719 +posix_acl_from_xattr_29708 posix_acl_from_xattr 3 29708 &sd_alloc_ctl_entry_29708
102720 +probes_write_29711 probes_write 3 29711 NULL
102721 +emi62_writememory_29731 emi62_writememory 4 29731 NULL
102722 +read_cis_cache_29735 read_cis_cache 4 29735 NULL
102723 +std_nic_write_29752 std_nic_write 3 29752 NULL
102724 +ip_vs_conn_fill_param_sync_29771 ip_vs_conn_fill_param_sync 6 29771 NULL
102725 +tcf_csum_ipv6_icmp_29777 tcf_csum_ipv6_icmp 3 29777 NULL
102726 +dbAlloc_29794 dbAlloc 0 29794 NULL
102727 +ext4_trim_all_free_29806 ext4_trim_all_free 4-3-2 29806 NULL
102728 +tcp_sendpage_29829 tcp_sendpage 4 29829 NULL
102729 +scan_bitmap_block_29840 scan_bitmap_block 4 29840 NULL
102730 +__probe_kernel_write_29842 __probe_kernel_write 3 29842 NULL
102731 +kvm_read_hva_atomic_29848 kvm_read_hva_atomic 3 29848 NULL
102732 +solo_enc_alloc_29860 solo_enc_alloc 3 29860 NULL
102733 +ipv6_setsockopt_29871 ipv6_setsockopt 5 29871 NULL
102734 +scsi_end_request_29876 scsi_end_request 3 29876 NULL
102735 +crypto_aead_alignmask_29885 crypto_aead_alignmask 0 29885 NULL
102736 +nfc_targets_found_29886 nfc_targets_found 3 29886 NULL
102737 +ext4_xattr_set_acl_29930 ext4_xattr_set_acl 4 29930 NULL
102738 +__btrfs_getxattr_29947 __btrfs_getxattr 0 29947 NULL
102739 +irias_add_octseq_attrib_29983 irias_add_octseq_attrib 4 29983 NULL nohasharray
102740 +diva_os_get_context_size_29983 diva_os_get_context_size 0 29983 &irias_add_octseq_attrib_29983
102741 +arch_setup_dmar_msi_29992 arch_setup_dmar_msi 1 29992 NULL
102742 +vmci_host_setup_notify_30002 vmci_host_setup_notify 2 30002 NULL
102743 +utf32_to_utf8_30028 utf32_to_utf8 0 30028 NULL
102744 +alloc_netdev_mqs_30030 alloc_netdev_mqs 1 30030 NULL
102745 +scsi_vpd_inquiry_30040 scsi_vpd_inquiry 4 30040 NULL
102746 +drp_wmove_30043 drp_wmove 4 30043 NULL
102747 +cxgbi_ddp_reserve_30091 cxgbi_ddp_reserve 4 30091 NULL
102748 +snd_midi_channel_init_set_30092 snd_midi_channel_init_set 1 30092 NULL
102749 +tg3_run_loopback_30093 tg3_run_loopback 2 30093 NULL
102750 +rx_filter_data_filter_read_30098 rx_filter_data_filter_read 3 30098 NULL nohasharray
102751 +dma_to_phys_30098 dma_to_phys 0-2 30098 &rx_filter_data_filter_read_30098
102752 +skb_pagelen_30113 skb_pagelen 0 30113 NULL
102753 +spi_async_locked_30117 spi_async_locked 0 30117 NULL
102754 +calgary_unmap_page_30130 calgary_unmap_page 2-3 30130 NULL
102755 +_osd_req_sizeof_alist_header_30134 _osd_req_sizeof_alist_header 0 30134 NULL
102756 +u_memcpya_30139 u_memcpya 2-3 30139 NULL
102757 +btrfs_start_transaction_lflush_30178 btrfs_start_transaction_lflush 2 30178 NULL
102758 +cx25821_video_ioctl_30188 cx25821_video_ioctl 2 30188 NULL
102759 +mempool_create_page_pool_30189 mempool_create_page_pool 1 30189 NULL
102760 +drm_property_create_bitmask_30195 drm_property_create_bitmask 5 30195 NULL
102761 +usblp_ioctl_30203 usblp_ioctl 2 30203 NULL
102762 +nfs_idmap_request_key_30208 nfs_idmap_request_key 3 30208 NULL
102763 +read_4k_modal_eeprom_30212 read_4k_modal_eeprom 3 30212 NULL
102764 +snd_ac97_pcm_assign_30218 snd_ac97_pcm_assign 2 30218 NULL
102765 +f2fs_compat_ioctl_30261 f2fs_compat_ioctl 3 30261 NULL
102766 +isr_pci_pm_read_30271 isr_pci_pm_read 3 30271 NULL
102767 +compat_readv_30273 compat_readv 3 30273 NULL
102768 +lapic_register_intr_30279 lapic_register_intr 1 30279 NULL
102769 +skcipher_sendmsg_30290 skcipher_sendmsg 4 30290 NULL
102770 +pipeline_sec_frag_swi_read_30294 pipeline_sec_frag_swi_read 3 30294 NULL
102771 +tcp_sendmsg_30296 tcp_sendmsg 4 30296 NULL
102772 +ext4_acl_from_disk_30320 ext4_acl_from_disk 2 30320 NULL
102773 +generic_ptrace_pokedata_30338 generic_ptrace_pokedata 2 30338 NULL
102774 +resource_from_user_30341 resource_from_user 3 30341 NULL
102775 +__vmalloc_node_flags_30352 __vmalloc_node_flags 1 30352 NULL
102776 +C_SYSC_readv_30369 C_SYSC_readv 3 30369 NULL
102777 +sys_get_mempolicy_30379 sys_get_mempolicy 3-4 30379 NULL
102778 +mangle_sdp_packet_30381 mangle_sdp_packet 10 30381 NULL
102779 +c4iw_init_resource_30393 c4iw_init_resource 2-3 30393 NULL
102780 +get_kernel_pages_30397 get_kernel_pages 0 30397 NULL
102781 +_drbd_bm_find_next_zero_30415 _drbd_bm_find_next_zero 2 30415 NULL
102782 +vb2_fop_write_30420 vb2_fop_write 3 30420 NULL
102783 +tx_tx_template_prepared_read_30424 tx_tx_template_prepared_read 3 30424 NULL
102784 +mq_create_30425 mq_create 1 30425 NULL
102785 +enable_write_30456 enable_write 3 30456 NULL
102786 +tx_tx_template_programmed_read_30461 tx_tx_template_programmed_read 3 30461 NULL
102787 +urandom_read_30462 urandom_read 3 30462 NULL
102788 +zoran_ioctl_30465 zoran_ioctl 2 30465 NULL
102789 +ocrdma_reg_user_mr_30474 ocrdma_reg_user_mr 2-3 30474 NULL
102790 +write_head_30481 write_head 4 30481 NULL
102791 +adu_write_30487 adu_write 3 30487 NULL
102792 +dwc3_testmode_write_30516 dwc3_testmode_write 3 30516 NULL
102793 +debug_debug2_read_30526 debug_debug2_read 3 30526 NULL
102794 +batadv_dat_snoop_incoming_arp_request_30548 batadv_dat_snoop_incoming_arp_request 3 30548 NULL
102795 +disk_expand_part_tbl_30561 disk_expand_part_tbl 2 30561 NULL
102796 +set_le_30581 set_le 4 30581 NULL
102797 +from_cblock_30582 from_cblock 0-1 30582 NULL
102798 +blk_init_tags_30592 blk_init_tags 1 30592 NULL
102799 +i2c_hid_get_report_length_30598 i2c_hid_get_report_length 0 30598 NULL
102800 +sgl_map_user_pages_30610 sgl_map_user_pages 2-3-4 30610 NULL
102801 +SyS_msgrcv_30611 SyS_msgrcv 3 30611 NULL
102802 +macvtap_sendmsg_30629 macvtap_sendmsg 4 30629 NULL
102803 +ieee80211_if_read_dot11MeshAwakeWindowDuration_30631 ieee80211_if_read_dot11MeshAwakeWindowDuration 3 30631 NULL
102804 +compat_raw_setsockopt_30634 compat_raw_setsockopt 5 30634 NULL
102805 +agp_remap_30665 agp_remap 2 30665 NULL
102806 +jffs2_flash_read_30667 jffs2_flash_read 0 30667 NULL
102807 +il_free_pages_30692 il_free_pages 2 30692 NULL
102808 +dccp_setsockopt_ccid_30701 dccp_setsockopt_ccid 4 30701 NULL
102809 +lbs_debugfs_read_30721 lbs_debugfs_read 3 30721 NULL
102810 +snd_nm256_playback_silence_30727 snd_nm256_playback_silence 4-3 30727 NULL
102811 +snapshot_status_30744 snapshot_status 5 30744 NULL
102812 +tcf_csum_ipv4_udp_30777 tcf_csum_ipv4_udp 4 30777 NULL
102813 +smk_read_doi_30813 smk_read_doi 3 30813 NULL
102814 +get_kobj_path_length_30831 get_kobj_path_length 0 30831 NULL
102815 +sctp_setsockopt_auth_chunk_30843 sctp_setsockopt_auth_chunk 3 30843 NULL
102816 +cfg80211_rx_mgmt_30844 cfg80211_rx_mgmt 5 30844 NULL
102817 +hda_hwdep_ioctl_compat_30847 hda_hwdep_ioctl_compat 4 30847 NULL
102818 +trace_probe_nr_files_30882 trace_probe_nr_files 0 30882 NULL
102819 +ieee80211_if_fmt_dropped_frames_no_route_30884 ieee80211_if_fmt_dropped_frames_no_route 3 30884 NULL
102820 +iommu_map_mmio_space_30919 iommu_map_mmio_space 1 30919 NULL
102821 +sctp_setsockopt_rtoinfo_30941 sctp_setsockopt_rtoinfo 3 30941 NULL
102822 +tty_insert_flip_string_flags_30969 tty_insert_flip_string_flags 4 30969 NULL
102823 +huge_page_mask_30981 huge_page_mask 0 30981 NULL
102824 +i2400mu_rx_size_grow_30989 i2400mu_rx_size_grow 0 30989 NULL
102825 +lbs_host_sleep_read_31013 lbs_host_sleep_read 3 31013 NULL
102826 +phys_pmd_init_31024 phys_pmd_init 0-3-2 31024 NULL
102827 +compat_sys_mq_timedsend_31060 compat_sys_mq_timedsend 3 31060 NULL
102828 +lbs_failcount_read_31063 lbs_failcount_read 3 31063 NULL
102829 +find_next_bit_le_31064 find_next_bit_le 0-2-3 31064 NULL
102830 +sys_mincore_31079 sys_mincore 1 31079 NULL
102831 +ttm_bo_ioremap_31082 ttm_bo_ioremap 2-3 31082 NULL
102832 +sctp_setsockopt_context_31091 sctp_setsockopt_context 3 31091 NULL
102833 +compat_sys_get_mempolicy_31109 compat_sys_get_mempolicy 3-4 31109 NULL
102834 +depth_read_31112 depth_read 3 31112 NULL
102835 +ssb_read16_31139 ssb_read16 0 31139 NULL
102836 +kimage_normal_alloc_31140 kimage_normal_alloc 3 31140 NULL
102837 +size_inside_page_31141 size_inside_page 0 31141 NULL
102838 +w9966_v4l_read_31148 w9966_v4l_read 3 31148 NULL
102839 +ch_do_scsi_31171 ch_do_scsi 4 31171 NULL
102840 +acpi_ex_system_memory_space_handler_31192 acpi_ex_system_memory_space_handler 2 31192 NULL
102841 +r592_read_fifo_pio_31198 r592_read_fifo_pio 3 31198 NULL
102842 +mtdchar_readoob_31200 mtdchar_readoob 4 31200 NULL
102843 +__btrfs_free_reserved_extent_31207 __btrfs_free_reserved_extent 2 31207 NULL
102844 +kvm_mmu_page_fault_31213 kvm_mmu_page_fault 2 31213 NULL
102845 +cpumask_weight_31215 cpumask_weight 0 31215 NULL
102846 +__read_reg_31216 __read_reg 0 31216 NULL
102847 +atm_get_addr_31221 atm_get_addr 3 31221 NULL
102848 +cyy_readb_31240 cyy_readb 0 31240 NULL
102849 +_create_sg_bios_31244 _create_sg_bios 4 31244 NULL
102850 +ieee80211_if_read_last_beacon_31257 ieee80211_if_read_last_beacon 3 31257 NULL
102851 +sctp_tsnmap_find_gap_ack_31272 sctp_tsnmap_find_gap_ack 3-2 31272 NULL
102852 +uvc_simplify_fraction_31303 uvc_simplify_fraction 3 31303 NULL
102853 +sisusbcon_scroll_31315 sisusbcon_scroll 5-2-3 31315 NULL
102854 +command_file_write_31318 command_file_write 3 31318 NULL
102855 +em28xx_init_usb_xfer_31337 em28xx_init_usb_xfer 4-6 31337 NULL
102856 +__cpu_to_node_31345 __cpu_to_node 0 31345 NULL
102857 +xprt_rdma_allocate_31372 xprt_rdma_allocate 2 31372 NULL
102858 +vb2_vmalloc_get_userptr_31374 vb2_vmalloc_get_userptr 3-2 31374 NULL
102859 +trace_parser_get_init_31379 trace_parser_get_init 2 31379 NULL
102860 +inb_31388 inb 0 31388 NULL
102861 +key_ifindex_read_31411 key_ifindex_read 3 31411 NULL
102862 +mcs7830_set_reg_31413 mcs7830_set_reg 3 31413 NULL
102863 +TSS_checkhmac1_31429 TSS_checkhmac1 5 31429 NULL
102864 +snd_aw2_saa7146_get_hw_ptr_capture_31431 snd_aw2_saa7146_get_hw_ptr_capture 0 31431 NULL
102865 +acpi_sci_ioapic_setup_31445 acpi_sci_ioapic_setup 4 31445 NULL
102866 +opera1_xilinx_rw_31453 opera1_xilinx_rw 5 31453 NULL
102867 +input_get_new_minor_31464 input_get_new_minor 1 31464 NULL
102868 +do_fcntl_31468 do_fcntl 3 31468 NULL
102869 +xfs_btree_get_numrecs_31477 xfs_btree_get_numrecs 0 31477 NULL
102870 +alg_setkey_31485 alg_setkey 3 31485 NULL
102871 +rds_message_map_pages_31487 rds_message_map_pages 2 31487 NULL
102872 +qsfp_2_read_31491 qsfp_2_read 3 31491 NULL
102873 +__alloc_bootmem_31498 __alloc_bootmem 1-2 31498 NULL
102874 +rmode_tss_base_31510 rmode_tss_base 0 31510 NULL
102875 +hidraw_write_31536 hidraw_write 3 31536 NULL
102876 +mtd_div_by_eb_31543 mtd_div_by_eb 0-1 31543 NULL
102877 +usbvision_read_31555 usbvision_read 3 31555 NULL
102878 +normalize_31566 normalize 0-1-2 31566 NULL
102879 +tx_frag_tkip_called_read_31575 tx_frag_tkip_called_read 3 31575 NULL
102880 +get_max_inline_xattr_value_size_31578 get_max_inline_xattr_value_size 0 31578 NULL
102881 +osst_write_31581 osst_write 3 31581 NULL
102882 +snd_compr_get_avail_31584 snd_compr_get_avail 0 31584 NULL
102883 +iwl_dbgfs_ucode_tx_stats_read_31611 iwl_dbgfs_ucode_tx_stats_read 3 31611 NULL
102884 +mtd_get_user_prot_info_31616 mtd_get_user_prot_info 0 31616 NULL
102885 +arvo_sysfs_read_31617 arvo_sysfs_read 6 31617 NULL
102886 +videobuf_read_one_31637 videobuf_read_one 3 31637 NULL
102887 +pod_alloc_sysex_buffer_31651 pod_alloc_sysex_buffer 3 31651 NULL
102888 +xfer_secondary_pool_31661 xfer_secondary_pool 2 31661 NULL
102889 +emulator_set_cr_31665 emulator_set_cr 3 31665 NULL
102890 +__lgread_31668 __lgread 4 31668 NULL
102891 +symbol_string_31670 symbol_string 0 31670 NULL
102892 +_usb_writeN_sync_31682 _usb_writeN_sync 4 31682 NULL
102893 +forced_ps_read_31685 forced_ps_read 3 31685 NULL
102894 +reiserfs_in_journal_31689 reiserfs_in_journal 3 31689 NULL
102895 +audit_log_n_string_31705 audit_log_n_string 3 31705 NULL
102896 +ath6kl_wmi_send_probe_response_cmd_31728 ath6kl_wmi_send_probe_response_cmd 6 31728 NULL nohasharray
102897 +gfn_to_hva_read_31728 gfn_to_hva_read 2 31728 &ath6kl_wmi_send_probe_response_cmd_31728
102898 +utf16s_to_utf8s_31735 utf16s_to_utf8s 0 31735 NULL
102899 +shmem_pwrite_slow_31741 shmem_pwrite_slow 3 31741 NULL
102900 +NCR_700_change_queue_depth_31742 NCR_700_change_queue_depth 2 31742 NULL nohasharray
102901 +input_abs_get_max_31742 input_abs_get_max 0 31742 &NCR_700_change_queue_depth_31742
102902 +muldiv64_31743 muldiv64 2-3 31743 NULL
102903 +bcm_char_read_31750 bcm_char_read 3 31750 NULL
102904 +snd_seq_device_new_31753 snd_seq_device_new 4 31753 NULL
102905 +set_memory_wb_31761 set_memory_wb 1 31761 NULL
102906 +usblp_cache_device_id_string_31790 usblp_cache_device_id_string 0 31790 NULL
102907 +get_count_order_31800 get_count_order 0 31800 NULL
102908 +ecryptfs_send_message_locked_31801 ecryptfs_send_message_locked 2 31801 NULL
102909 +isr_rx_procs_read_31804 isr_rx_procs_read 3 31804 NULL
102910 +strnlen_user_31815 strnlen_user 0-2 31815 NULL
102911 +sta_last_signal_read_31818 sta_last_signal_read 3 31818 NULL
102912 +drm_mode_crtc_set_gamma_size_31881 drm_mode_crtc_set_gamma_size 2 31881 NULL
102913 +ddb_output_write_31902 ddb_output_write 3 31902 NULL
102914 +xattr_permission_31907 xattr_permission 0 31907 NULL
102915 +new_dir_31919 new_dir 3 31919 NULL
102916 +kmem_alloc_31920 kmem_alloc 1 31920 NULL
102917 +guestwidth_to_adjustwidth_31937 guestwidth_to_adjustwidth 0-1 31937 NULL
102918 +SYSC_sethostname_31940 SYSC_sethostname 2 31940 NULL
102919 +iov_iter_copy_from_user_31942 iov_iter_copy_from_user 4 31942 NULL
102920 +vb2_write_31948 vb2_write 3 31948 NULL
102921 +pvr2_ctrl_get_valname_31951 pvr2_ctrl_get_valname 4 31951 NULL
102922 +regcache_rbtree_sync_31964 regcache_rbtree_sync 2 31964 NULL
102923 +copy_from_user_toio_31966 copy_from_user_toio 3 31966 NULL
102924 +mtd_add_partition_31971 mtd_add_partition 3 31971 NULL
102925 +find_next_zero_bit_31990 find_next_zero_bit 0-2-3 31990 NULL
102926 +default_setup_hpet_msi_31991 default_setup_hpet_msi 1 31991 NULL
102927 +tps6586x_irq_map_32002 tps6586x_irq_map 2 32002 NULL
102928 +calc_hmac_32010 calc_hmac 3 32010 NULL
102929 +vmcs_read64_32012 vmcs_read64 0 32012 NULL
102930 +aead_len_32021 aead_len 0 32021 NULL
102931 +ocfs2_remove_extent_32032 ocfs2_remove_extent 4-3 32032 NULL
102932 +posix_acl_set_32037 posix_acl_set 4 32037 NULL
102933 +stk_read_32038 stk_read 3 32038 NULL
102934 +vmw_cursor_update_dmabuf_32045 vmw_cursor_update_dmabuf 3-4 32045 NULL
102935 +sys_sched_setaffinity_32046 sys_sched_setaffinity 2 32046 NULL
102936 +SYSC_llistxattr_32061 SYSC_llistxattr 3 32061 NULL
102937 +proc_scsi_devinfo_write_32064 proc_scsi_devinfo_write 3 32064 NULL
102938 +cfg80211_send_unprot_deauth_32080 cfg80211_send_unprot_deauth 3 32080 NULL
102939 +bio_alloc_32095 bio_alloc 2 32095 NULL
102940 +alloc_pwms_32100 alloc_pwms 1-2 32100 NULL
102941 +ath6kl_fwlog_read_32101 ath6kl_fwlog_read 3 32101 NULL
102942 +disk_status_32120 disk_status 4 32120 NULL
102943 +venus_link_32165 venus_link 5 32165 NULL
102944 +do_writepages_32173 do_writepages 0 32173 NULL nohasharray
102945 +ntfs_rl_realloc_nofail_32173 ntfs_rl_realloc_nofail 3 32173 &do_writepages_32173
102946 +load_header_32183 load_header 0 32183 NULL
102947 +ubi_wl_scrub_peb_32196 ubi_wl_scrub_peb 0 32196 NULL
102948 +wusb_ccm_mac_32199 wusb_ccm_mac 7 32199 NULL
102949 +riva_get_cmap_len_32218 riva_get_cmap_len 0 32218 NULL
102950 +lbs_lowrssi_read_32242 lbs_lowrssi_read 3 32242 NULL
102951 +ocfs2_xattr_find_entry_32260 ocfs2_xattr_find_entry 0 32260 NULL
102952 +fb_compat_ioctl_32265 fb_compat_ioctl 3 32265 NULL
102953 +vmalloc_user_32308 vmalloc_user 1 32308 NULL
102954 +hex_string_32310 hex_string 0 32310 NULL
102955 +SyS_select_32319 SyS_select 1 32319 NULL
102956 +nouveau_bar_create__32332 nouveau_bar_create_ 4 32332 NULL
102957 +nl80211_send_mlme_event_32337 nl80211_send_mlme_event 4 32337 NULL
102958 +t4_alloc_mem_32342 t4_alloc_mem 1 32342 NULL
102959 +dispatch_ioctl_32357 dispatch_ioctl 2 32357 NULL
102960 +sel_read_initcon_32362 sel_read_initcon 3 32362 NULL
102961 +_drbd_bm_find_next_32372 _drbd_bm_find_next 2 32372 NULL
102962 +usbtmc_read_32377 usbtmc_read 3 32377 NULL
102963 +local_clock_32385 local_clock 0 32385 NULL
102964 +qla4_82xx_pci_mem_write_2M_32398 qla4_82xx_pci_mem_write_2M 2 32398 NULL
102965 +xfs_iext_add_indirect_multi_32400 xfs_iext_add_indirect_multi 3 32400 NULL
102966 +vmci_qp_alloc_32405 vmci_qp_alloc 3-5 32405 NULL
102967 +log_text_32428 log_text 0 32428 NULL
102968 +regmap_irq_map_32429 regmap_irq_map 2 32429 NULL
102969 +hid_input_report_32458 hid_input_report 4 32458 NULL
102970 +cache_status_32462 cache_status 5 32462 NULL
102971 +ieee80211_fill_mesh_addresses_32465 ieee80211_fill_mesh_addresses 0 32465 NULL
102972 +ide_driver_proc_write_32493 ide_driver_proc_write 3 32493 NULL
102973 +bypass_pwoff_write_32499 bypass_pwoff_write 3 32499 NULL
102974 +ctrl_std_val_to_sym_32516 ctrl_std_val_to_sym 5 32516 NULL
102975 +disconnect_32521 disconnect 4 32521 NULL
102976 +qsfp_read_32522 qsfp_read 0-4-2 32522 NULL
102977 +ilo_read_32531 ilo_read 3 32531 NULL
102978 +ieee80211_if_read_estab_plinks_32533 ieee80211_if_read_estab_plinks 3 32533 NULL
102979 +gnttab_set_unmap_op_32534 gnttab_set_unmap_op 2 32534 NULL
102980 +ieee80211_send_auth_32543 ieee80211_send_auth 6 32543 NULL
102981 +format_devstat_counter_32550 format_devstat_counter 3 32550 NULL
102982 +__first_node_32558 __first_node 0 32558 NULL
102983 +aes_encrypt_fail_read_32562 aes_encrypt_fail_read 3 32562 NULL
102984 +pnp_mem_len_32584 pnp_mem_len 0 32584 NULL
102985 +mem_swapout_entry_32586 mem_swapout_entry 3 32586 NULL
102986 +pipeline_tcp_tx_stat_fifo_int_read_32589 pipeline_tcp_tx_stat_fifo_int_read 3 32589 NULL
102987 +read_file_beacon_32595 read_file_beacon 3 32595 NULL
102988 +ieee80211_if_read_dropped_frames_congestion_32603 ieee80211_if_read_dropped_frames_congestion 3 32603 NULL
102989 +sys_set_mempolicy_32608 sys_set_mempolicy 3 32608 NULL
102990 +cfg80211_roamed_32632 cfg80211_roamed 5-7 32632 NULL
102991 +ieee80211_hdrlen_32637 ieee80211_hdrlen 0 32637 NULL
102992 +ite_decode_bytes_32642 ite_decode_bytes 3 32642 NULL
102993 +kvmalloc_32646 kvmalloc 1 32646 NULL
102994 +ib_sg_dma_len_32649 ib_sg_dma_len 0 32649 NULL
102995 +generic_readlink_32654 generic_readlink 3 32654 NULL
102996 +move_addr_to_kernel_32673 move_addr_to_kernel 2 32673 NULL
102997 +compat_SyS_pwritev_32680 compat_SyS_pwritev 3 32680 NULL
102998 +jfs_readpages_32702 jfs_readpages 4 32702 NULL
102999 +snd_hwdep_ioctl_compat_32736 snd_hwdep_ioctl_compat 3 32736 NULL
103000 +get_arg_page_32746 get_arg_page 2 32746 NULL
103001 +megasas_change_queue_depth_32747 megasas_change_queue_depth 2 32747 NULL
103002 +stats_read_ul_32751 stats_read_ul 3 32751 NULL
103003 +tty_compat_ioctl_32761 tty_compat_ioctl 3 32761 NULL
103004 +sctp_tsnmap_grow_32784 sctp_tsnmap_grow 2 32784 NULL
103005 +firmwareUpload_32794 firmwareUpload 3 32794 NULL
103006 +rproc_name_read_32805 rproc_name_read 3 32805 NULL
103007 +vga_rseq_32848 vga_rseq 0 32848 NULL
103008 +new_tape_buffer_32866 new_tape_buffer 2 32866 NULL
103009 +io_apic_setup_irq_pin_32868 io_apic_setup_irq_pin 1 32868 NULL
103010 +ath6kl_usb_submit_ctrl_in_32880 ath6kl_usb_submit_ctrl_in 6 32880 NULL nohasharray
103011 +cifs_writedata_alloc_32880 cifs_writedata_alloc 1 32880 &ath6kl_usb_submit_ctrl_in_32880
103012 +ath6kl_usb_post_recv_transfers_32892 ath6kl_usb_post_recv_transfers 2 32892 NULL
103013 +ext4_get_group_number_32899 ext4_get_group_number 0 32899 NULL
103014 +il_dbgfs_tx_stats_read_32913 il_dbgfs_tx_stats_read 3 32913 NULL
103015 +zlib_inflate_workspacesize_32927 zlib_inflate_workspacesize 0 32927 NULL
103016 +rmap_recycle_32938 rmap_recycle 3 32938 NULL
103017 +irq_reserve_irqs_32946 irq_reserve_irqs 1-2 32946 NULL
103018 +ext4_valid_block_bitmap_32958 ext4_valid_block_bitmap 3 32958 NULL
103019 +arch_ptrace_32981 arch_ptrace 3-4 32981 NULL
103020 +compat_filldir_32999 compat_filldir 3 32999 NULL
103021 +ext3_alloc_blocks_33007 ext3_alloc_blocks 3 33007 NULL nohasharray
103022 +SyS_syslog_33007 SyS_syslog 3 33007 &ext3_alloc_blocks_33007
103023 +SYSC_lgetxattr_33049 SYSC_lgetxattr 4 33049 NULL
103024 +pipeline_dec_packet_in_fifo_full_read_33052 pipeline_dec_packet_in_fifo_full_read 3 33052 NULL
103025 +ebt_compat_match_offset_33053 ebt_compat_match_offset 0-2 33053 NULL
103026 +bitmap_resize_33054 bitmap_resize 2 33054 NULL
103027 +stats_dot11RTSSuccessCount_read_33065 stats_dot11RTSSuccessCount_read 3 33065 NULL
103028 +sel_read_checkreqprot_33068 sel_read_checkreqprot 3 33068 NULL
103029 +alloc_tio_33077 alloc_tio 3 33077 NULL
103030 +acl_permission_check_33083 acl_permission_check 0 33083 NULL
103031 +ieee80211_fragment_33112 ieee80211_fragment 4 33112 NULL
103032 +write_node_33121 write_node 4 33121 NULL
103033 +calc_patch_size_33124 calc_patch_size 0 33124 NULL
103034 +fb_sys_write_33130 fb_sys_write 3 33130 NULL
103035 +__len_within_target_33132 __len_within_target 0 33132 NULL
103036 +debug_debug6_read_33168 debug_debug6_read 3 33168 NULL
103037 +dataflash_read_fact_otp_33204 dataflash_read_fact_otp 2-3 33204 NULL
103038 +pp_read_33210 pp_read 3 33210 NULL
103039 +xfs_file_aio_write_33234 xfs_file_aio_write 4 33234 NULL
103040 +build_completion_wait_33242 build_completion_wait 2 33242 NULL
103041 +snd_pcm_plug_client_size_33267 snd_pcm_plug_client_size 0-2 33267 NULL
103042 +sched_find_first_bit_33270 sched_find_first_bit 0 33270 NULL
103043 +cachefiles_cook_key_33274 cachefiles_cook_key 2 33274 NULL
103044 +mei_compat_ioctl_33275 mei_compat_ioctl 3 33275 NULL
103045 +sync_pt_create_33282 sync_pt_create 2 33282 NULL
103046 +mcs7830_get_reg_33308 mcs7830_get_reg 3 33308 NULL
103047 +isku_sysfs_read_keys_easyzone_33318 isku_sysfs_read_keys_easyzone 6 33318 NULL
103048 +ath6kl_usb_ctrl_msg_exchange_33327 ath6kl_usb_ctrl_msg_exchange 4 33327 NULL
103049 +gsm_mux_rx_netchar_33336 gsm_mux_rx_netchar 3 33336 NULL
103050 +joydev_ioctl_33343 joydev_ioctl 2 33343 NULL
103051 +create_xattr_datum_33356 create_xattr_datum 5 33356 NULL nohasharray
103052 +irq_pkt_threshold_read_33356 irq_pkt_threshold_read 3 33356 &create_xattr_datum_33356
103053 +read_file_regidx_33370 read_file_regidx 3 33370 NULL
103054 +ocfs2_quota_read_33382 ocfs2_quota_read 5 33382 NULL
103055 +ieee80211_if_read_dropped_frames_no_route_33383 ieee80211_if_read_dropped_frames_no_route 3 33383 NULL
103056 +scsi_varlen_cdb_length_33385 scsi_varlen_cdb_length 0 33385 NULL
103057 +tg_get_cfs_period_33390 tg_get_cfs_period 0 33390 NULL
103058 +ocfs2_allocate_unwritten_extents_33394 ocfs2_allocate_unwritten_extents 2-3 33394 NULL
103059 +ext4_meta_bg_first_block_no_33408 ext4_meta_bg_first_block_no 2 33408 NULL nohasharray
103060 +snd_pcm_capture_ioctl1_33408 snd_pcm_capture_ioctl1 0 33408 &ext4_meta_bg_first_block_no_33408
103061 +ufs_getfrag_block_33409 ufs_getfrag_block 2 33409 NULL
103062 +dis_tap_write_33426 dis_tap_write 3 33426 NULL
103063 +ubh_scanc_33436 ubh_scanc 0-4-3 33436 NULL
103064 +ovs_vport_alloc_33475 ovs_vport_alloc 1 33475 NULL
103065 +create_entry_33479 create_entry 2 33479 NULL
103066 +ip_setsockopt_33487 ip_setsockopt 5 33487 NULL nohasharray
103067 +elf_map_33487 elf_map 0-2 33487 &ip_setsockopt_33487
103068 +netxen_nic_hw_write_wx_128M_33488 netxen_nic_hw_write_wx_128M 2 33488 NULL
103069 +ol_dqblk_chunk_off_33489 ol_dqblk_chunk_off 2 33489 NULL
103070 +res_counter_read_33499 res_counter_read 4 33499 NULL
103071 +fb_read_33506 fb_read 3 33506 NULL
103072 +musb_test_mode_write_33518 musb_test_mode_write 3 33518 NULL
103073 +ahash_setkey_unaligned_33521 ahash_setkey_unaligned 3 33521 NULL
103074 +nes_alloc_fast_reg_page_list_33523 nes_alloc_fast_reg_page_list 2 33523 NULL
103075 +aggr_size_rx_size_read_33526 aggr_size_rx_size_read 3 33526 NULL
103076 +acpi_gsi_to_irq_33533 acpi_gsi_to_irq 1 33533 NULL
103077 +tomoyo_read_self_33539 tomoyo_read_self 3 33539 NULL
103078 +dup_array_33551 dup_array 3 33551 NULL
103079 +solo_enc_read_33553 solo_enc_read 3 33553 NULL
103080 +count_subheaders_33591 count_subheaders 0 33591 NULL
103081 +scsi_execute_33596 scsi_execute 5 33596 NULL
103082 +comedi_buf_write_n_allocated_33604 comedi_buf_write_n_allocated 0 33604 NULL
103083 +xt_compat_target_offset_33608 xt_compat_target_offset 0 33608 NULL nohasharray
103084 +ip6_find_1stfragopt_33608 ip6_find_1stfragopt 0 33608 &xt_compat_target_offset_33608
103085 +usb_gstrings_attach_33615 usb_gstrings_attach 3 33615 NULL nohasharray
103086 +il_dbgfs_qos_read_33615 il_dbgfs_qos_read 3 33615 &usb_gstrings_attach_33615
103087 +irq_blk_threshold_read_33666 irq_blk_threshold_read 3 33666 NULL
103088 +inw_p_33668 inw_p 0 33668 NULL
103089 +arp_hdr_len_33671 arp_hdr_len 0 33671 NULL
103090 +i2c_hid_alloc_buffers_33673 i2c_hid_alloc_buffers 2 33673 NULL
103091 +ath6kl_wmi_startscan_cmd_33674 ath6kl_wmi_startscan_cmd 8 33674 NULL
103092 +nv50_disp_dmac_create__33696 nv50_disp_dmac_create_ 6 33696 NULL
103093 +compat_insnlist_33706 compat_insnlist 2 33706 NULL
103094 +sys_keyctl_33708 sys_keyctl 4 33708 NULL nohasharray
103095 +netlink_sendmsg_33708 netlink_sendmsg 4 33708 &sys_keyctl_33708
103096 +tipc_link_stats_33716 tipc_link_stats 3 33716 NULL
103097 +pvr2_stream_buffer_count_33719 pvr2_stream_buffer_count 2 33719 NULL
103098 +ocfs2_extent_map_get_blocks_33720 ocfs2_extent_map_get_blocks 2 33720 NULL
103099 +__mutex_lock_interruptible_slowpath_33735 __mutex_lock_interruptible_slowpath 0 33735 NULL
103100 +Read_hfc_33755 Read_hfc 0 33755 NULL
103101 +vifs_state_read_33762 vifs_state_read 3 33762 NULL
103102 +hashtab_create_33769 hashtab_create 3 33769 NULL
103103 +midibuf_message_length_33770 midibuf_message_length 0 33770 NULL
103104 +if_sdio_read_rx_len_33800 if_sdio_read_rx_len 0 33800 NULL
103105 +find_next_offset_33804 find_next_offset 3 33804 NULL
103106 +sky2_rx_pad_33819 sky2_rx_pad 0 33819 NULL
103107 +sep_create_msgarea_context_33829 sep_create_msgarea_context 4 33829 NULL
103108 +scrub_setup_recheck_block_33831 scrub_setup_recheck_block 5-4 33831 NULL
103109 +udplite_manip_pkt_33832 udplite_manip_pkt 4 33832 NULL
103110 +usb_dump_endpoint_descriptor_33849 usb_dump_endpoint_descriptor 0 33849 NULL
103111 +calgary_alloc_coherent_33851 calgary_alloc_coherent 2 33851 NULL
103112 +oz_cdev_write_33852 oz_cdev_write 3 33852 NULL
103113 +cap_mmap_addr_33853 cap_mmap_addr 0 33853 NULL
103114 +get_user_pages_33908 get_user_pages 0-3-4 33908 NULL
103115 +queue_logical_block_size_33918 queue_logical_block_size 0 33918 NULL
103116 +sel_read_avc_cache_threshold_33942 sel_read_avc_cache_threshold 3 33942 NULL
103117 +lpfc_idiag_ctlacc_read_33943 lpfc_idiag_ctlacc_read 3 33943 NULL
103118 +read_file_tgt_rx_stats_33944 read_file_tgt_rx_stats 3 33944 NULL
103119 +vga_switcheroo_debugfs_write_33984 vga_switcheroo_debugfs_write 3 33984 NULL
103120 +__ntfs_malloc_34022 __ntfs_malloc 1 34022 NULL
103121 +ppp_write_34034 ppp_write 3 34034 NULL
103122 +tty_insert_flip_string_34042 tty_insert_flip_string 3 34042 NULL
103123 +__domain_flush_pages_34045 __domain_flush_pages 2-3 34045 NULL
103124 +is_trap_at_addr_34047 is_trap_at_addr 2 34047 NULL
103125 +acpi_dev_get_irqresource_34064 acpi_dev_get_irqresource 2 34064 NULL
103126 +memcg_update_all_caches_34068 memcg_update_all_caches 1 34068 NULL
103127 +read_file_ant_diversity_34071 read_file_ant_diversity 3 34071 NULL
103128 +compat_hdio_ioctl_34088 compat_hdio_ioctl 4 34088 NULL
103129 +pipeline_pipeline_fifo_full_read_34095 pipeline_pipeline_fifo_full_read 3 34095 NULL
103130 +proc_scsi_host_write_34107 proc_scsi_host_write 3 34107 NULL
103131 +is_discarded_oblock_34120 is_discarded_oblock 2 34120 NULL
103132 +islpci_mgt_transmit_34133 islpci_mgt_transmit 5 34133 NULL
103133 +ttm_dma_page_pool_free_34135 ttm_dma_page_pool_free 2 34135 NULL
103134 +cdc_mbim_process_dgram_34136 cdc_mbim_process_dgram 3 34136 NULL
103135 +ixgbe_dbg_netdev_ops_write_34141 ixgbe_dbg_netdev_ops_write 3 34141 NULL
103136 +shmem_pread_fast_34147 shmem_pread_fast 3 34147 NULL
103137 +skb_to_sgvec_34171 skb_to_sgvec 0 34171 NULL
103138 +ext4_da_write_begin_34215 ext4_da_write_begin 3-4 34215 NULL
103139 +bl_pipe_downcall_34264 bl_pipe_downcall 3 34264 NULL
103140 +pcf857x_to_irq_34273 pcf857x_to_irq 2 34273 NULL
103141 +zone_spanned_pages_in_node_34299 zone_spanned_pages_in_node 0 34299 NULL
103142 +iov_iter_single_seg_count_34326 iov_iter_single_seg_count 0 34326 NULL nohasharray
103143 +pcpu_need_to_extend_34326 pcpu_need_to_extend 0 34326 &iov_iter_single_seg_count_34326
103144 +__insert_34349 __insert 2-3 34349 NULL
103145 +crypto_ablkcipher_ivsize_34363 crypto_ablkcipher_ivsize 0 34363 NULL
103146 +rngapi_reset_34366 rngapi_reset 3 34366 NULL nohasharray
103147 +p54_alloc_skb_34366 p54_alloc_skb 3 34366 &rngapi_reset_34366
103148 +i2c_hid_get_raw_report_34376 i2c_hid_get_raw_report 0 34376 NULL
103149 +reiserfs_resize_34377 reiserfs_resize 2 34377 NULL
103150 +ea_read_34378 ea_read 0 34378 NULL
103151 +fuse_send_read_34379 fuse_send_read 4 34379 NULL
103152 +av7110_vbi_write_34384 av7110_vbi_write 3 34384 NULL
103153 +usbvision_v4l2_read_34386 usbvision_v4l2_read 3 34386 NULL
103154 +read_rbu_image_type_34387 read_rbu_image_type 6 34387 NULL
103155 +iwl_calib_set_34400 iwl_calib_set 3 34400 NULL nohasharray
103156 +ivtv_read_pos_34400 ivtv_read_pos 3 34400 &iwl_calib_set_34400
103157 +wd_exp_mode_write_34407 wd_exp_mode_write 3 34407 NULL
103158 +nl80211_send_disassoc_34424 nl80211_send_disassoc 4 34424 NULL
103159 +usbtest_alloc_urb_34446 usbtest_alloc_urb 3-5 34446 NULL
103160 +mwifiex_regrdwr_read_34472 mwifiex_regrdwr_read 3 34472 NULL
103161 +skcipher_sndbuf_34476 skcipher_sndbuf 0 34476 NULL
103162 +i2o_parm_field_get_34477 i2o_parm_field_get 5 34477 NULL
103163 +security_inode_permission_34488 security_inode_permission 0 34488 NULL
103164 +tracing_stats_read_34537 tracing_stats_read 3 34537 NULL
103165 +hugetlbfs_read_actor_34547 hugetlbfs_read_actor 0-2-5-4 34547 NULL
103166 +dbBackSplit_34561 dbBackSplit 0 34561 NULL
103167 +alloc_ieee80211_rsl_34564 alloc_ieee80211_rsl 1 34564 NULL
103168 +velocity_rx_copy_34583 velocity_rx_copy 2 34583 NULL
103169 +init_send_hfcd_34586 init_send_hfcd 1 34586 NULL
103170 +inet6_ifla6_size_34591 inet6_ifla6_size 0 34591 NULL
103171 +ceph_msgpool_init_34599 ceph_msgpool_init 4 34599 NULL
103172 +brcmf_cfg80211_mgmt_tx_34608 brcmf_cfg80211_mgmt_tx 7 34608 NULL
103173 +__jffs2_ref_totlen_34609 __jffs2_ref_totlen 0 34609 NULL
103174 +__cfg80211_disconnected_34622 __cfg80211_disconnected 3 34622 NULL
103175 +cnic_alloc_dma_34641 cnic_alloc_dma 3 34641 NULL
103176 +tomoyo_dump_page_34649 tomoyo_dump_page 2 34649 NULL
103177 +nf_nat_mangle_udp_packet_34661 nf_nat_mangle_udp_packet 8-6 34661 NULL
103178 +isr_fiqs_read_34687 isr_fiqs_read 3 34687 NULL
103179 +port_print_34704 port_print 3 34704 NULL
103180 +alloc_irq_and_cfg_at_34706 alloc_irq_and_cfg_at 1 34706 NULL
103181 +ieee80211_if_read_num_sta_ps_34722 ieee80211_if_read_num_sta_ps 3 34722 NULL
103182 +platform_list_read_file_34734 platform_list_read_file 3 34734 NULL
103183 +reg_w_ixbuf_34736 reg_w_ixbuf 4 34736 NULL
103184 +qib_cdev_init_34778 qib_cdev_init 1 34778 NULL
103185 +__copy_in_user_34790 __copy_in_user 3 34790 NULL
103186 +SYSC_keyctl_34800 SYSC_keyctl 4 34800 NULL
103187 +drbd_get_max_capacity_34804 drbd_get_max_capacity 0 34804 NULL
103188 +b43_debugfs_write_34838 b43_debugfs_write 3 34838 NULL
103189 +nl_portid_hash_zalloc_34843 nl_portid_hash_zalloc 1 34843 NULL
103190 +acpi_system_write_wakeup_device_34853 acpi_system_write_wakeup_device 3 34853 NULL
103191 +usb_serial_generic_prepare_write_buffer_34857 usb_serial_generic_prepare_write_buffer 3 34857 NULL
103192 +ieee80211_if_read_txpower_34871 ieee80211_if_read_txpower 3 34871 NULL
103193 +msg_print_text_34889 msg_print_text 0 34889 NULL
103194 +ieee80211_if_write_34894 ieee80211_if_write 3 34894 NULL
103195 +compat_put_uint_34905 compat_put_uint 1 34905 NULL
103196 +si476x_radio_read_rsq_primary_blob_34916 si476x_radio_read_rsq_primary_blob 3 34916 NULL
103197 +__inode_permission_34925 __inode_permission 0 34925 NULL nohasharray
103198 +btrfs_super_chunk_root_34925 btrfs_super_chunk_root 0 34925 &__inode_permission_34925
103199 +ceph_aio_write_34930 ceph_aio_write 4 34930 NULL
103200 +skb_gro_header_slow_34958 skb_gro_header_slow 2 34958 NULL nohasharray
103201 +i2c_transfer_34958 i2c_transfer 0 34958 &skb_gro_header_slow_34958
103202 +Realloc_34961 Realloc 2 34961 NULL
103203 +mq_lookup_34990 mq_lookup 2 34990 NULL
103204 +rx_rx_hdr_overflow_read_35002 rx_rx_hdr_overflow_read 3 35002 NULL
103205 +l2cap_skbuff_fromiovec_35003 l2cap_skbuff_fromiovec 4-3 35003 NULL
103206 +dm_cache_insert_mapping_35005 dm_cache_insert_mapping 2-3 35005 NULL
103207 +sisusb_copy_memory_35016 sisusb_copy_memory 4 35016 NULL
103208 +alloc_p2m_page_35025 alloc_p2m_page 0 35025 NULL
103209 +coda_psdev_read_35029 coda_psdev_read 3 35029 NULL
103210 +brcmf_sdio_chip_writenvram_35042 brcmf_sdio_chip_writenvram 4 35042 NULL
103211 +btmrvl_gpiogap_write_35053 btmrvl_gpiogap_write 3 35053 NULL
103212 +pwr_connection_out_of_sync_read_35061 pwr_connection_out_of_sync_read 3 35061 NULL
103213 +store_ifalias_35088 store_ifalias 4 35088 NULL
103214 +__kfifo_uint_must_check_helper_35097 __kfifo_uint_must_check_helper 0-1 35097 NULL
103215 +capi_write_35104 capi_write 3 35104 NULL nohasharray
103216 +tx_tx_done_template_read_35104 tx_tx_done_template_read 3 35104 &capi_write_35104
103217 +ide_settings_proc_write_35110 ide_settings_proc_write 3 35110 NULL
103218 +pointer_35138 pointer 0 35138 NULL
103219 +gntdev_alloc_map_35145 gntdev_alloc_map 2 35145 NULL
103220 +iscsi_conn_setup_35159 iscsi_conn_setup 2 35159 NULL
103221 +ieee80211_if_read_bssid_35161 ieee80211_if_read_bssid 3 35161 NULL
103222 +solo_v4l2_init_35179 solo_v4l2_init 2 35179 NULL
103223 +mlx4_ib_get_cq_umem_35184 mlx4_ib_get_cq_umem 5-6 35184 NULL
103224 +iwl_nvm_read_chunk_35198 iwl_nvm_read_chunk 0 35198 NULL
103225 +uprobe_get_swbp_addr_35201 uprobe_get_swbp_addr 0 35201 NULL
103226 +unix_stream_recvmsg_35210 unix_stream_recvmsg 4 35210 NULL
103227 +_osd_req_alist_elem_size_35216 _osd_req_alist_elem_size 0-2 35216 NULL
103228 +striped_read_35218 striped_read 0-2-8-3 35218 NULL nohasharray
103229 +security_key_getsecurity_35218 security_key_getsecurity 0 35218 &striped_read_35218
103230 +rx_rx_cmplt_task_read_35226 rx_rx_cmplt_task_read 3 35226 NULL nohasharray
103231 +video_register_device_no_warn_35226 video_register_device_no_warn 3 35226 &rx_rx_cmplt_task_read_35226
103232 +gfn_to_page_many_atomic_35234 gfn_to_page_many_atomic 2 35234 NULL
103233 +SYSC_madvise_35241 SYSC_madvise 1 35241 NULL
103234 +set_fd_set_35249 set_fd_set 1 35249 NULL
103235 +ioapic_setup_resources_35255 ioapic_setup_resources 1 35255 NULL
103236 +dis_disc_write_35265 dis_disc_write 3 35265 NULL
103237 +dma_show_regs_35266 dma_show_regs 3 35266 NULL
103238 +irda_recvmsg_stream_35280 irda_recvmsg_stream 4 35280 NULL
103239 +i2o_block_end_request_35282 i2o_block_end_request 3 35282 NULL
103240 +isr_rx_rdys_read_35283 isr_rx_rdys_read 3 35283 NULL
103241 +brcmf_sdio_forensic_read_35311 brcmf_sdio_forensic_read 3 35311 NULL nohasharray
103242 +__btrfs_buffered_write_35311 __btrfs_buffered_write 3 35311 &brcmf_sdio_forensic_read_35311
103243 +tracing_read_pipe_35312 tracing_read_pipe 3 35312 NULL
103244 +sys_setsockopt_35320 sys_setsockopt 5 35320 NULL
103245 +irq_domain_disassociate_many_35325 irq_domain_disassociate_many 2-3 35325 NULL
103246 +fallback_on_nodma_alloc_35332 fallback_on_nodma_alloc 2 35332 NULL
103247 +pskb_network_may_pull_35336 pskb_network_may_pull 2 35336 NULL
103248 +ieee80211_if_fmt_ap_power_level_35347 ieee80211_if_fmt_ap_power_level 3 35347 NULL
103249 +nouveau_devinit_create__35348 nouveau_devinit_create_ 4 35348 NULL
103250 +hpi_alloc_control_cache_35351 hpi_alloc_control_cache 1 35351 NULL
103251 +compat_filldir64_35354 compat_filldir64 3 35354 NULL
103252 +SyS_getxattr_35408 SyS_getxattr 4 35408 NULL
103253 +rawv6_send_hdrinc_35425 rawv6_send_hdrinc 3 35425 NULL
103254 +__set_test_and_free_35436 __set_test_and_free 2 35436 NULL
103255 +buffer_to_user_35439 buffer_to_user 3 35439 NULL
103256 +i915_wedged_read_35474 i915_wedged_read 3 35474 NULL
103257 +ecryptfs_get_zeroed_pages_35483 ecryptfs_get_zeroed_pages 0 35483 NULL
103258 +do_atm_ioctl_35519 do_atm_ioctl 3 35519 NULL
103259 +async_setkey_35521 async_setkey 3 35521 NULL
103260 +__filemap_fdatawrite_range_35528 __filemap_fdatawrite_range 0 35528 NULL
103261 +iwl_dbgfs_bt_traffic_read_35534 iwl_dbgfs_bt_traffic_read 3 35534 NULL
103262 +rxpipe_tx_xfr_host_int_trig_rx_data_read_35538 rxpipe_tx_xfr_host_int_trig_rx_data_read 3 35538 NULL
103263 +ibnl_put_attr_35541 ibnl_put_attr 3 35541 NULL
103264 +ieee80211_if_write_smps_35550 ieee80211_if_write_smps 3 35550 NULL
103265 +ext2_acl_from_disk_35580 ext2_acl_from_disk 2 35580 NULL
103266 +spk_msg_set_35586 spk_msg_set 3 35586 NULL
103267 +ReadZReg_35604 ReadZReg 0 35604 NULL
103268 +kernel_readv_35617 kernel_readv 3 35617 NULL
103269 +ixgbe_pci_sriov_configure_35624 ixgbe_pci_sriov_configure 2 35624 NULL
103270 +reiserfs_readpages_35629 reiserfs_readpages 4 35629 NULL
103271 +spi_register_board_info_35651 spi_register_board_info 2 35651 NULL
103272 +store_debug_level_35652 store_debug_level 3 35652 NULL
103273 +rdmaltWithLock_35669 rdmaltWithLock 0 35669 NULL
103274 +compat_sys_kexec_load_35674 compat_sys_kexec_load 2 35674 NULL
103275 +dm_table_create_35687 dm_table_create 3 35687 NULL
103276 +SYSC_pwritev_35690 SYSC_pwritev 3 35690 NULL
103277 +rds_page_copy_user_35691 rds_page_copy_user 4 35691 NULL
103278 +pci_enable_sriov_35745 pci_enable_sriov 2 35745 NULL
103279 +iwl_dbgfs_disable_ht40_read_35761 iwl_dbgfs_disable_ht40_read 3 35761 NULL
103280 +udf_alloc_i_data_35786 udf_alloc_i_data 2 35786 NULL
103281 +pvr2_hdw_cpufw_get_35824 pvr2_hdw_cpufw_get 0-4-2 35824 NULL
103282 +tx_tx_cmplt_read_35854 tx_tx_cmplt_read 3 35854 NULL
103283 +mthca_buf_alloc_35861 mthca_buf_alloc 2 35861 NULL
103284 +fls64_35862 fls64 0 35862 NULL
103285 +kvm_dirty_bitmap_bytes_35886 kvm_dirty_bitmap_bytes 0 35886 NULL
103286 +ieee80211_if_fmt_dot11MeshRetryTimeout_35890 ieee80211_if_fmt_dot11MeshRetryTimeout 3 35890 NULL
103287 +uwb_rc_cmd_done_35892 uwb_rc_cmd_done 4 35892 NULL
103288 +SyS_set_mempolicy_35909 SyS_set_mempolicy 3 35909 NULL
103289 +kernel_setsockopt_35913 kernel_setsockopt 5 35913 NULL
103290 +rbio_nr_pages_35916 rbio_nr_pages 0-1-2 35916 NULL
103291 +vol_cdev_compat_ioctl_35923 vol_cdev_compat_ioctl 3 35923 NULL
103292 +sctp_tsnmap_mark_35929 sctp_tsnmap_mark 2 35929 NULL
103293 +rx_defrag_init_called_read_35935 rx_defrag_init_called_read 3 35935 NULL
103294 +put_cmsg_compat_35937 put_cmsg_compat 4 35937 NULL
103295 +ext_rts51x_sd_execute_write_data_35971 ext_rts51x_sd_execute_write_data 9 35971 NULL
103296 +ceph_buffer_new_35974 ceph_buffer_new 1 35974 NULL
103297 +acl_alloc_35979 acl_alloc 1 35979 NULL
103298 +generic_file_aio_read_35987 generic_file_aio_read 0 35987 NULL
103299 +koneplus_sysfs_write_35993 koneplus_sysfs_write 6 35993 NULL
103300 +il3945_ucode_tx_stats_read_36016 il3945_ucode_tx_stats_read 3 36016 NULL
103301 +ubi_eba_write_leb_36029 ubi_eba_write_leb 5-6 36029 NULL
103302 +__videobuf_alloc_36031 __videobuf_alloc 1 36031 NULL
103303 +account_shadowed_36048 account_shadowed 2 36048 NULL
103304 +gpio_power_read_36059 gpio_power_read 3 36059 NULL
103305 +write_emulate_36065 write_emulate 2-4 36065 NULL
103306 +radeon_vm_num_pdes_36070 radeon_vm_num_pdes 0 36070 NULL
103307 +ieee80211_if_fmt_peer_36071 ieee80211_if_fmt_peer 3 36071 NULL
103308 +ext3_new_blocks_36073 ext3_new_blocks 3 36073 NULL
103309 +ieee80211_if_write_tsf_36077 ieee80211_if_write_tsf 3 36077 NULL
103310 +snd_pcm_plug_read_transfer_36080 snd_pcm_plug_read_transfer 0-3 36080 NULL
103311 +vga_arb_write_36112 vga_arb_write 3 36112 NULL
103312 +simple_xattr_alloc_36118 simple_xattr_alloc 2 36118 NULL
103313 +compat_ptrace_request_36131 compat_ptrace_request 3-4 36131 NULL
103314 +vmalloc_exec_36132 vmalloc_exec 1 36132 NULL
103315 +max8925_irq_domain_map_36133 max8925_irq_domain_map 2 36133 NULL
103316 +ext3_readpages_36144 ext3_readpages 4 36144 NULL
103317 +alloc_vm_area_36149 alloc_vm_area 1 36149 NULL
103318 +twl_set_36154 twl_set 2 36154 NULL
103319 +b1_alloc_card_36155 b1_alloc_card 1 36155 NULL
103320 +btrfs_file_extent_inline_len_36158 btrfs_file_extent_inline_len 0 36158 NULL
103321 +snd_korg1212_copy_from_36169 snd_korg1212_copy_from 6 36169 NULL
103322 +SyS_kexec_load_36176 SyS_kexec_load 2 36176 NULL
103323 +SYSC_sched_getaffinity_36208 SYSC_sched_getaffinity 2 36208 NULL
103324 +SYSC_process_vm_readv_36216 SYSC_process_vm_readv 3-5 36216 NULL
103325 +ubifs_read_nnode_36221 ubifs_read_nnode 0 36221 NULL
103326 +is_dirty_36223 is_dirty 2 36223 NULL
103327 +dma_alloc_attrs_36225 dma_alloc_attrs 0 36225 NULL
103328 +nfqnl_mangle_36226 nfqnl_mangle 4-2 36226 NULL
103329 +atomic_stats_read_36228 atomic_stats_read 3 36228 NULL
103330 +viafb_iga1_odev_proc_write_36241 viafb_iga1_odev_proc_write 3 36241 NULL
103331 +SYSC_getxattr_36242 SYSC_getxattr 4 36242 NULL
103332 +rproc_recovery_read_36245 rproc_recovery_read 3 36245 NULL
103333 +scrub_stripe_36248 scrub_stripe 5-4 36248 NULL
103334 +compat_sys_mbind_36256 compat_sys_mbind 5 36256 NULL
103335 +usb_buffer_alloc_36276 usb_buffer_alloc 2 36276 NULL
103336 +codec_reg_read_file_36280 codec_reg_read_file 3 36280 NULL
103337 +crypto_shash_digestsize_36284 crypto_shash_digestsize 0 36284 NULL
103338 +nouveau_cli_create_36293 nouveau_cli_create 3 36293 NULL
103339 +lpfc_debugfs_dif_err_read_36303 lpfc_debugfs_dif_err_read 3 36303 NULL
103340 +ad7879_spi_xfer_36311 ad7879_spi_xfer 3 36311 NULL
103341 +fuse_get_user_addr_36312 fuse_get_user_addr 0 36312 NULL
103342 +fat_compat_ioctl_filldir_36328 fat_compat_ioctl_filldir 3 36328 NULL
103343 +lc_create_36332 lc_create 4 36332 NULL
103344 +jbd2_journal_init_revoke_table_36336 jbd2_journal_init_revoke_table 1 36336 NULL
103345 +isku_sysfs_read_key_mask_36343 isku_sysfs_read_key_mask 6 36343 NULL
103346 +v9fs_file_readn_36353 v9fs_file_readn 4 36353 NULL nohasharray
103347 +xz_dec_lzma2_create_36353 xz_dec_lzma2_create 2 36353 &v9fs_file_readn_36353
103348 +to_sector_36361 to_sector 0-1 36361 NULL
103349 +tunables_read_36385 tunables_read 3 36385 NULL
103350 +afs_alloc_flat_call_36399 afs_alloc_flat_call 2-3 36399 NULL
103351 +SyS_sethostname_36417 SyS_sethostname 2 36417 NULL
103352 +sctp_tsnmap_init_36446 sctp_tsnmap_init 2 36446 NULL
103353 +alloc_etherdev_mqs_36450 alloc_etherdev_mqs 1 36450 NULL
103354 +tcf_csum_ipv6_udp_36457 tcf_csum_ipv6_udp 3 36457 NULL
103355 +SyS_process_vm_writev_36476 SyS_process_vm_writev 3-5 36476 NULL
103356 +b43_nphy_load_samples_36481 b43_nphy_load_samples 3 36481 NULL
103357 +tx_tx_checksum_result_read_36490 tx_tx_checksum_result_read 3 36490 NULL
103358 +__hwahc_op_set_ptk_36510 __hwahc_op_set_ptk 5 36510 NULL
103359 +mcam_v4l_read_36513 mcam_v4l_read 3 36513 NULL
103360 +get_param_l_36518 get_param_l 0 36518 NULL
103361 +ieee80211_if_read_fwded_frames_36520 ieee80211_if_read_fwded_frames 3 36520 NULL
103362 +lguest_setup_irq_36531 lguest_setup_irq 1 36531 NULL
103363 +crypto_aead_authsize_36537 crypto_aead_authsize 0 36537 NULL
103364 +cpu_type_read_36540 cpu_type_read 3 36540 NULL
103365 +get_entry_len_36549 get_entry_len 0 36549 NULL
103366 +__kfifo_to_user_36555 __kfifo_to_user 3 36555 NULL nohasharray
103367 +macvtap_do_read_36555 macvtap_do_read 4 36555 &__kfifo_to_user_36555
103368 +btrfs_get_token_64_36572 btrfs_get_token_64 0 36572 NULL
103369 +ssb_bus_scan_36578 ssb_bus_scan 2 36578 NULL
103370 +__erst_read_36579 __erst_read 0 36579 NULL
103371 +put_cmsg_36589 put_cmsg 4 36589 NULL
103372 +pcnet32_realloc_rx_ring_36598 pcnet32_realloc_rx_ring 3 36598 NULL
103373 +fat_ioctl_filldir_36621 fat_ioctl_filldir 3 36621 NULL
103374 +vxge_config_vpaths_36636 vxge_config_vpaths 0 36636 NULL
103375 +format_decode_36638 format_decode 0 36638 NULL
103376 +ced_ioctl_36647 ced_ioctl 2 36647 NULL
103377 +lpfc_idiag_extacc_alloc_get_36648 lpfc_idiag_extacc_alloc_get 0-3 36648 NULL
103378 +perf_calculate_period_36662 perf_calculate_period 3-2 36662 NULL
103379 +osd_req_list_collection_objects_36664 osd_req_list_collection_objects 5 36664 NULL
103380 +iscsi_host_alloc_36671 iscsi_host_alloc 2 36671 NULL
103381 +ptr_to_compat_36680 ptr_to_compat 0 36680 NULL
103382 +ext4_mb_discard_group_preallocations_36685 ext4_mb_discard_group_preallocations 2 36685 NULL
103383 +sched_clock_36717 sched_clock 0 36717 NULL
103384 +extract_icmp6_fields_36732 extract_icmp6_fields 2 36732 NULL
103385 +snd_rawmidi_kernel_read1_36740 snd_rawmidi_kernel_read1 4 36740 NULL
103386 +cxgbi_device_register_36746 cxgbi_device_register 1-2 36746 NULL
103387 +ps_poll_upsd_timeouts_read_36755 ps_poll_upsd_timeouts_read 3 36755 NULL
103388 +ip4ip6_err_36772 ip4ip6_err 5 36772 NULL
103389 +ptp_filter_init_36780 ptp_filter_init 2 36780 NULL
103390 +proc_fault_inject_read_36802 proc_fault_inject_read 3 36802 NULL
103391 +hiddev_ioctl_36816 hiddev_ioctl 2 36816 NULL
103392 +tcf_csum_ipv6_tcp_36822 tcf_csum_ipv6_tcp 3 36822 NULL
103393 +int_hardware_entry_36833 int_hardware_entry 3 36833 NULL
103394 +fc_change_queue_depth_36841 fc_change_queue_depth 2 36841 NULL
103395 +keyctl_describe_key_36853 keyctl_describe_key 3 36853 NULL
103396 +cm_write_36858 cm_write 3 36858 NULL
103397 +tx_tx_data_programmed_read_36871 tx_tx_data_programmed_read 3 36871 NULL
103398 +svc_setsockopt_36876 svc_setsockopt 5 36876 NULL
103399 +raid56_parity_write_36877 raid56_parity_write 5 36877 NULL
103400 +__btrfs_map_block_36883 __btrfs_map_block 3 36883 NULL
103401 +ib_ucm_alloc_data_36885 ib_ucm_alloc_data 3 36885 NULL
103402 +selinux_inode_notifysecctx_36896 selinux_inode_notifysecctx 3 36896 NULL
103403 +OS_kmalloc_36909 OS_kmalloc 1 36909 NULL
103404 +build_key_36931 build_key 1 36931 NULL
103405 +crypto_blkcipher_ivsize_36944 crypto_blkcipher_ivsize 0 36944 NULL
103406 +write_leb_36957 write_leb 5 36957 NULL
103407 +ntfs_external_attr_find_36963 ntfs_external_attr_find 0 36963 NULL
103408 +sparse_early_mem_maps_alloc_node_36971 sparse_early_mem_maps_alloc_node 4 36971 NULL
103409 +drbd_new_dev_size_36998 drbd_new_dev_size 0-3 36998 NULL
103410 +auok190xfb_write_37001 auok190xfb_write 3 37001 NULL
103411 +setxattr_37006 setxattr 4 37006 NULL
103412 +qp_broker_create_37053 qp_broker_create 6-5 37053 NULL nohasharray
103413 +ieee80211_if_read_drop_unencrypted_37053 ieee80211_if_read_drop_unencrypted 3 37053 &qp_broker_create_37053
103414 +SYSC_setxattr_37078 SYSC_setxattr 4 37078 NULL
103415 +parse_command_37079 parse_command 2 37079 NULL
103416 +pipeline_cs_rx_packet_in_read_37089 pipeline_cs_rx_packet_in_read 3 37089 NULL
103417 +tun_get_user_37094 tun_get_user 5 37094 NULL
103418 +has_wrprotected_page_37123 has_wrprotected_page 2-3 37123 NULL
103419 +snd_hda_get_conn_list_37132 snd_hda_get_conn_list 0 37132 NULL
103420 +msg_word_37164 msg_word 0 37164 NULL
103421 +can_set_xattr_37182 can_set_xattr 4 37182 NULL
103422 +crypto_shash_descsize_37212 crypto_shash_descsize 0 37212 NULL
103423 +regmap_access_read_file_37223 regmap_access_read_file 3 37223 NULL
103424 +__do_replace_37227 __do_replace 5 37227 NULL
103425 +rx_filter_dup_filter_read_37238 rx_filter_dup_filter_read 3 37238 NULL
103426 +prot_queue_del_37258 prot_queue_del 0 37258 NULL
103427 +ath6kl_wmi_set_ie_cmd_37260 ath6kl_wmi_set_ie_cmd 6 37260 NULL
103428 +exofs_max_io_pages_37263 exofs_max_io_pages 0-2 37263 NULL
103429 +nested_svm_map_37268 nested_svm_map 2 37268 NULL
103430 +c101_run_37279 c101_run 2 37279 NULL
103431 +srp_target_alloc_37288 srp_target_alloc 3 37288 NULL
103432 +isku_sysfs_write_talkfx_37298 isku_sysfs_write_talkfx 6 37298 NULL
103433 +ieee80211_if_read_power_mode_37305 ieee80211_if_read_power_mode 3 37305 NULL
103434 +jffs2_write_dirent_37311 jffs2_write_dirent 5 37311 NULL
103435 +send_msg_37323 send_msg 4 37323 NULL
103436 +brcmf_sdbrcm_membytes_37324 brcmf_sdbrcm_membytes 3-5 37324 NULL
103437 +l2cap_create_connless_pdu_37327 l2cap_create_connless_pdu 3 37327 NULL
103438 +scsi_mode_select_37330 scsi_mode_select 6 37330 NULL
103439 +rxrpc_server_sendmsg_37331 rxrpc_server_sendmsg 4 37331 NULL
103440 +security_inode_getsecurity_37354 security_inode_getsecurity 0 37354 NULL
103441 +iommu_num_pages_37391 iommu_num_pages 0-1-3-2 37391 NULL
103442 +sys_getxattr_37418 sys_getxattr 4 37418 NULL
103443 +hci_sock_sendmsg_37420 hci_sock_sendmsg 4 37420 NULL
103444 +acpi_os_allocate_zeroed_37422 acpi_os_allocate_zeroed 1 37422 NULL nohasharray
103445 +find_next_bit_37422 find_next_bit 0-2-3 37422 &acpi_os_allocate_zeroed_37422
103446 +tty_insert_flip_string_fixed_flag_37428 tty_insert_flip_string_fixed_flag 4 37428 NULL
103447 +iwl_print_last_event_logs_37433 iwl_print_last_event_logs 0-7-9 37433 NULL
103448 +tty_audit_log_37440 tty_audit_log 5 37440 NULL
103449 +tcp_established_options_37450 tcp_established_options 0 37450 NULL
103450 +brcmf_sdio_dump_console_37455 brcmf_sdio_dump_console 4 37455 NULL
103451 +__remove_37457 __remove 2 37457 NULL
103452 +ufs_data_ptr_to_cpu_37475 ufs_data_ptr_to_cpu 0 37475 NULL
103453 +get_est_timing_37484 get_est_timing 0 37484 NULL
103454 +kmem_realloc_37489 kmem_realloc 2 37489 NULL
103455 +kvm_vcpu_compat_ioctl_37500 kvm_vcpu_compat_ioctl 3 37500 NULL
103456 +vmalloc_32_user_37519 vmalloc_32_user 1 37519 NULL
103457 +fault_inject_read_37534 fault_inject_read 3 37534 NULL
103458 +hdr_size_37536 hdr_size 0 37536 NULL
103459 +a2p_37544 a2p 0-1 37544 NULL
103460 +sep_create_dcb_dmatables_context_37551 sep_create_dcb_dmatables_context 6 37551 NULL nohasharray
103461 +nf_nat_mangle_tcp_packet_37551 nf_nat_mangle_tcp_packet 6-8 37551 &sep_create_dcb_dmatables_context_37551
103462 +xhci_alloc_streams_37586 xhci_alloc_streams 5 37586 NULL
103463 +mlx4_get_mgm_entry_size_37607 mlx4_get_mgm_entry_size 0 37607 NULL
103464 +kvm_read_guest_page_mmu_37611 kvm_read_guest_page_mmu 6-3 37611 NULL
103465 +SYSC_mbind_37622 SYSC_mbind 5 37622 NULL
103466 +btrfs_calc_trans_metadata_size_37629 btrfs_calc_trans_metadata_size 0-2 37629 NULL nohasharray
103467 +policy_residency_37629 policy_residency 0 37629 &btrfs_calc_trans_metadata_size_37629
103468 +check_pt_base_37635 check_pt_base 3 37635 NULL
103469 +alloc_fd_37637 alloc_fd 1 37637 NULL
103470 +bio_copy_user_iov_37660 bio_copy_user_iov 4 37660 NULL
103471 +rfcomm_sock_sendmsg_37661 rfcomm_sock_sendmsg 4 37661 NULL nohasharray
103472 +vmw_framebuffer_dmabuf_dirty_37661 vmw_framebuffer_dmabuf_dirty 6 37661 &rfcomm_sock_sendmsg_37661
103473 +SYSC_get_mempolicy_37664 SYSC_get_mempolicy 4-3 37664 NULL
103474 +lnw_gpio_to_irq_37665 lnw_gpio_to_irq 2 37665 NULL
103475 +ieee80211_if_read_rc_rateidx_mcs_mask_2ghz_37675 ieee80211_if_read_rc_rateidx_mcs_mask_2ghz 3 37675 NULL
103476 +regmap_map_read_file_37685 regmap_map_read_file 3 37685 NULL
103477 +nametbl_header_37698 nametbl_header 2 37698 NULL
103478 +__le32_to_cpup_37702 __le32_to_cpup 0 37702 NULL
103479 +dm_thin_remove_block_37724 dm_thin_remove_block 2 37724 NULL
103480 +find_active_uprobe_37733 find_active_uprobe 1 37733 NULL
103481 +read_enabled_file_bool_37744 read_enabled_file_bool 3 37744 NULL
103482 +ocfs2_duplicate_clusters_by_jbd_37749 ocfs2_duplicate_clusters_by_jbd 6-4-5 37749 NULL
103483 +ocfs2_control_cfu_37750 ocfs2_control_cfu 2 37750 NULL
103484 +ipath_cdev_init_37752 ipath_cdev_init 1 37752 NULL
103485 +dccp_setsockopt_cscov_37766 dccp_setsockopt_cscov 2 37766 NULL
103486 +dma_pte_addr_37784 dma_pte_addr 0 37784 NULL
103487 +il4965_rs_sta_dbgfs_rate_scale_data_read_37792 il4965_rs_sta_dbgfs_rate_scale_data_read 3 37792 NULL
103488 +smk_read_logging_37804 smk_read_logging 3 37804 NULL
103489 +deny_write_access_37813 deny_write_access 0 37813 NULL
103490 +rx_decrypt_key_not_found_read_37820 rx_decrypt_key_not_found_read 3 37820 NULL
103491 +bitmap_find_next_zero_area_37827 bitmap_find_next_zero_area 2-3-5-4 37827 NULL
103492 +o2hb_debug_read_37851 o2hb_debug_read 3 37851 NULL
103493 +isku_sysfs_write_last_set_37868 isku_sysfs_write_last_set 6 37868 NULL nohasharray
103494 +xfs_dir2_block_to_sf_37868 xfs_dir2_block_to_sf 3 37868 &isku_sysfs_write_last_set_37868
103495 +sys_setxattr_37880 sys_setxattr 4 37880 NULL
103496 +dvb_net_sec_37884 dvb_net_sec 3 37884 NULL
103497 +max77686_irq_domain_map_37897 max77686_irq_domain_map 2 37897 NULL
103498 +compat_sys_rt_sigpending_37899 compat_sys_rt_sigpending 2 37899 NULL
103499 +tipc_link_send_sections_fast_37920 tipc_link_send_sections_fast 4 37920 NULL
103500 +pkt_alloc_packet_data_37928 pkt_alloc_packet_data 1 37928 NULL
103501 +read_rbu_packet_size_37939 read_rbu_packet_size 6 37939 NULL
103502 +fifo_alloc_37961 fifo_alloc 1 37961 NULL
103503 +ext3_free_blocks_sb_37967 ext3_free_blocks_sb 3-4 37967 NULL
103504 +rds_rdma_extra_size_37990 rds_rdma_extra_size 0 37990 NULL
103505 +persistent_ram_old_size_37997 persistent_ram_old_size 0 37997 NULL
103506 +vfs_readv_38011 vfs_readv 3 38011 NULL
103507 +aggr_recv_addba_req_evt_38037 aggr_recv_addba_req_evt 4 38037 NULL
103508 +klsi_105_prepare_write_buffer_38044 klsi_105_prepare_write_buffer 3 38044 NULL nohasharray
103509 +il_dbgfs_chain_noise_read_38044 il_dbgfs_chain_noise_read 3 38044 &klsi_105_prepare_write_buffer_38044
103510 +SyS_llistxattr_38048 SyS_llistxattr 3 38048 NULL
103511 +_xfs_buf_alloc_38058 _xfs_buf_alloc 3 38058 NULL nohasharray
103512 +is_discarded_38058 is_discarded 2 38058 &_xfs_buf_alloc_38058
103513 +nsm_create_handle_38060 nsm_create_handle 4 38060 NULL
103514 +alloc_ltalkdev_38071 alloc_ltalkdev 1 38071 NULL
103515 +xfs_buf_readahead_map_38081 xfs_buf_readahead_map 3 38081 NULL
103516 +uwb_mac_addr_print_38085 uwb_mac_addr_print 2 38085 NULL
103517 +tcf_csum_ipv4_udp_38089 tcf_csum_ipv4_udp 3 38089 NULL
103518 +request_key_auth_new_38092 request_key_auth_new 3 38092 NULL
103519 +proc_self_readlink_38094 proc_self_readlink 3 38094 NULL
103520 +ep0_read_38095 ep0_read 3 38095 NULL
103521 +sk_wmem_schedule_38096 sk_wmem_schedule 2 38096 NULL
103522 +rbd_obj_read_sync_38098 rbd_obj_read_sync 3-4 38098 NULL
103523 +snd_pcm_oss_write_38108 snd_pcm_oss_write 3 38108 NULL
103524 +vmw_kms_present_38130 vmw_kms_present 9 38130 NULL
103525 +__ntfs_copy_from_user_iovec_inatomic_38153 __ntfs_copy_from_user_iovec_inatomic 3-4 38153 NULL
103526 +kvm_clear_guest_38164 kvm_clear_guest 3-2 38164 NULL
103527 +cdev_add_38176 cdev_add 2-3 38176 NULL
103528 +brcmf_sdcard_recv_buf_38179 brcmf_sdcard_recv_buf 6 38179 NULL
103529 +rt2x00debug_write_rf_38195 rt2x00debug_write_rf 3 38195 NULL
103530 +get_ucode_user_38202 get_ucode_user 3 38202 NULL
103531 +ext3_new_block_38208 ext3_new_block 3 38208 NULL
103532 +stmpe_gpio_irq_map_38222 stmpe_gpio_irq_map 3 38222 NULL
103533 +osd_req_list_partition_collections_38223 osd_req_list_partition_collections 5 38223 NULL
103534 +palmas_gpio_to_irq_38235 palmas_gpio_to_irq 2 38235 NULL
103535 +vhost_net_compat_ioctl_38237 vhost_net_compat_ioctl 3 38237 NULL
103536 +_ipw_read_reg32_38245 _ipw_read_reg32 0 38245 NULL
103537 +from_dblock_38256 from_dblock 0-1 38256 NULL
103538 +vmci_qp_broker_set_page_store_38260 vmci_qp_broker_set_page_store 2-3 38260 NULL
103539 +ieee80211_if_read_auto_open_plinks_38268 ieee80211_if_read_auto_open_plinks 3 38268 NULL nohasharray
103540 +SYSC_msgrcv_38268 SYSC_msgrcv 3 38268 &ieee80211_if_read_auto_open_plinks_38268 nohasharray
103541 +mthca_alloc_icm_table_38268 mthca_alloc_icm_table 4-3 38268 &SYSC_msgrcv_38268
103542 +xfs_bmbt_to_bmdr_38275 xfs_bmbt_to_bmdr 3 38275 NULL nohasharray
103543 +xfs_bmdr_to_bmbt_38275 xfs_bmdr_to_bmbt 5 38275 &xfs_bmbt_to_bmdr_38275
103544 +ftdi_process_packet_38281 ftdi_process_packet 4 38281 NULL nohasharray
103545 +swiotlb_sync_single_for_cpu_38281 swiotlb_sync_single_for_cpu 2 38281 &ftdi_process_packet_38281
103546 +gpa_to_gfn_38291 gpa_to_gfn 0-1 38291 NULL
103547 +zd_mac_rx_38296 zd_mac_rx 3 38296 NULL
103548 +isr_rx_headers_read_38325 isr_rx_headers_read 3 38325 NULL
103549 +ida_simple_get_38326 ida_simple_get 2 38326 NULL
103550 +__snd_gf1_look8_38333 __snd_gf1_look8 0 38333 NULL
103551 +pyra_sysfs_write_38370 pyra_sysfs_write 6 38370 NULL
103552 +dn_sendmsg_38390 dn_sendmsg 4 38390 NULL
103553 +get_valid_node_allowed_38412 get_valid_node_allowed 1-0 38412 NULL
103554 +ocfs2_which_cluster_group_38413 ocfs2_which_cluster_group 2 38413 NULL
103555 +ht_destroy_irq_38418 ht_destroy_irq 1 38418 NULL
103556 +ieee80211_if_read_dtim_count_38419 ieee80211_if_read_dtim_count 3 38419 NULL
103557 +asix_write_cmd_async_38420 asix_write_cmd_async 5 38420 NULL
103558 +pcnet32_realloc_tx_ring_38428 pcnet32_realloc_tx_ring 3 38428 NULL
103559 +pmcraid_copy_sglist_38431 pmcraid_copy_sglist 3 38431 NULL
103560 +kvm_write_guest_38454 kvm_write_guest 4-2 38454 NULL
103561 +i915_min_freq_read_38470 i915_min_freq_read 3 38470 NULL
103562 +kvm_arch_setup_async_pf_38481 kvm_arch_setup_async_pf 3 38481 NULL
103563 +blk_end_bidi_request_38482 blk_end_bidi_request 3-4 38482 NULL
103564 +cpu_to_mem_38501 cpu_to_mem 0 38501 NULL
103565 +dev_names_read_38509 dev_names_read 3 38509 NULL
103566 +iscsi_create_iface_38510 iscsi_create_iface 5 38510 NULL
103567 +event_rx_mismatch_read_38518 event_rx_mismatch_read 3 38518 NULL
103568 +set_queue_count_38519 set_queue_count 0 38519 NULL
103569 +mlx4_ib_db_map_user_38529 mlx4_ib_db_map_user 2 38529 NULL
103570 +ubifs_idx_node_sz_38546 ubifs_idx_node_sz 0-2 38546 NULL
103571 +btrfs_discard_extent_38547 btrfs_discard_extent 2 38547 NULL
103572 +cpu_to_node_38561 cpu_to_node 0 38561 NULL
103573 +irda_sendmsg_dgram_38563 irda_sendmsg_dgram 4 38563 NULL
103574 +il4965_rs_sta_dbgfs_scale_table_read_38564 il4965_rs_sta_dbgfs_scale_table_read 3 38564 NULL
103575 +_ipw_read32_38565 _ipw_read32 0 38565 NULL
103576 +snd_nm256_playback_copy_38567 snd_nm256_playback_copy 5-3 38567 NULL
103577 +copy_ctl_value_to_user_38587 copy_ctl_value_to_user 4 38587 NULL
103578 +cosa_net_setup_rx_38594 cosa_net_setup_rx 2 38594 NULL
103579 +compat_sys_ptrace_38595 compat_sys_ptrace 3-4 38595 NULL
103580 +icn_writecmd_38629 icn_writecmd 2 38629 NULL
103581 +ext2_readpages_38640 ext2_readpages 4 38640 NULL
103582 +cma_create_area_38642 cma_create_area 2 38642 NULL
103583 +audit_init_entry_38644 audit_init_entry 1 38644 NULL
103584 +qp_broker_alloc_38646 qp_broker_alloc 5-6 38646 NULL
103585 +mmc_send_cxd_data_38655 mmc_send_cxd_data 5 38655 NULL
103586 +nouveau_instmem_create__38664 nouveau_instmem_create_ 4 38664 NULL
103587 +skb_tnl_header_len_38669 skb_tnl_header_len 0 38669 NULL
103588 +cfg80211_send_disassoc_38678 cfg80211_send_disassoc 3 38678 NULL
103589 +iscsit_dump_data_payload_38683 iscsit_dump_data_payload 2 38683 NULL
103590 +ext4_wait_block_bitmap_38695 ext4_wait_block_bitmap 2 38695 NULL
103591 +rbio_add_io_page_38700 rbio_add_io_page 6 38700 NULL
103592 +find_next_usable_block_38716 find_next_usable_block 1-3 38716 NULL
103593 +alloc_trace_probe_38720 alloc_trace_probe 6 38720 NULL
103594 +phys_to_virt_38757 phys_to_virt 0-1 38757 NULL
103595 +udf_readpages_38761 udf_readpages 4 38761 NULL
103596 +iwl_dbgfs_thermal_throttling_read_38779 iwl_dbgfs_thermal_throttling_read 3 38779 NULL
103597 +snd_gus_dram_write_38784 snd_gus_dram_write 4 38784 NULL
103598 +err_decode_38804 err_decode 2 38804 NULL
103599 +ipv6_renew_option_38813 ipv6_renew_option 3 38813 NULL
103600 +sys_select_38827 sys_select 1 38827 NULL
103601 +b43_txhdr_size_38832 b43_txhdr_size 0 38832 NULL
103602 +direct_entry_38836 direct_entry 3 38836 NULL
103603 +compat_udp_setsockopt_38840 compat_udp_setsockopt 5 38840 NULL
103604 +interfaces_38859 interfaces 2 38859 NULL
103605 +pci_msix_table_size_38867 pci_msix_table_size 0 38867 NULL
103606 +sizeof_gpio_leds_priv_38882 sizeof_gpio_leds_priv 0-1 38882 NULL
103607 +dbgfs_state_38894 dbgfs_state 3 38894 NULL
103608 +f2fs_xattr_set_acl_38895 f2fs_xattr_set_acl 4 38895 NULL
103609 +process_bulk_data_command_38906 process_bulk_data_command 4 38906 NULL
103610 +ext3_trim_all_free_38929 ext3_trim_all_free 3-4-2 38929 NULL
103611 +sbp_count_se_tpg_luns_38943 sbp_count_se_tpg_luns 0 38943 NULL
103612 +__ath6kl_wmi_send_mgmt_cmd_38971 __ath6kl_wmi_send_mgmt_cmd 7 38971 NULL
103613 +C_SYSC_preadv64_38977 C_SYSC_preadv64 3 38977 NULL nohasharray
103614 +usb_maxpacket_38977 usb_maxpacket 0 38977 &C_SYSC_preadv64_38977
103615 +OSDSetBlock_38986 OSDSetBlock 4-2 38986 NULL
103616 +udf_new_block_38999 udf_new_block 4 38999 NULL
103617 +get_nodes_39012 get_nodes 3 39012 NULL
103618 +twl6030_interrupt_unmask_39013 twl6030_interrupt_unmask 2 39013 NULL
103619 +acpi_install_gpe_block_39031 acpi_install_gpe_block 4 39031 NULL
103620 +_zd_iowrite32v_async_locked_39034 _zd_iowrite32v_async_locked 3 39034 NULL
103621 +line6_midibuf_read_39067 line6_midibuf_read 0-3 39067 NULL
103622 +ext4_init_block_bitmap_39071 ext4_init_block_bitmap 3 39071 NULL
103623 +tomoyo_truncate_39105 tomoyo_truncate 0 39105 NULL
103624 +__kfifo_to_user_r_39123 __kfifo_to_user_r 3 39123 NULL
103625 +ea_foreach_39133 ea_foreach 0 39133 NULL
103626 +generic_permission_39150 generic_permission 0 39150 NULL
103627 +alloc_ring_39151 alloc_ring 2-4 39151 NULL
103628 +proc_coredump_filter_read_39153 proc_coredump_filter_read 3 39153 NULL
103629 +create_bounce_buffer_39155 create_bounce_buffer 3 39155 NULL
103630 +ext3_xattr_check_names_39174 ext3_xattr_check_names 0 39174 NULL
103631 +init_list_set_39188 init_list_set 2-3 39188 NULL
103632 +ubi_more_update_data_39189 ubi_more_update_data 4 39189 NULL
103633 +qcam_read_bytes_39205 qcam_read_bytes 0 39205 NULL
103634 +qla4_82xx_pci_mem_read_direct_39208 qla4_82xx_pci_mem_read_direct 2 39208 NULL
103635 +vfio_group_fops_compat_ioctl_39219 vfio_group_fops_compat_ioctl 3 39219 NULL
103636 +ivtv_v4l2_write_39226 ivtv_v4l2_write 3 39226 NULL
103637 +batadv_tt_response_fill_table_39236 batadv_tt_response_fill_table 1 39236 NULL
103638 +posix_acl_to_xattr_39237 posix_acl_to_xattr 0 39237 NULL
103639 +drm_order_39244 drm_order 0 39244 NULL
103640 +r128_compat_ioctl_39250 r128_compat_ioctl 2 39250 NULL nohasharray
103641 +pwr_cont_miss_bcns_spread_read_39250 pwr_cont_miss_bcns_spread_read 3 39250 &r128_compat_ioctl_39250
103642 +__skb_cow_39254 __skb_cow 2 39254 NULL
103643 +ath6kl_wmi_set_appie_cmd_39266 ath6kl_wmi_set_appie_cmd 5 39266 NULL
103644 +rx_filter_protection_filter_read_39282 rx_filter_protection_filter_read 3 39282 NULL
103645 +__vmalloc_node_39308 __vmalloc_node 1 39308 NULL
103646 +__cfg80211_connect_result_39326 __cfg80211_connect_result 4-6 39326 NULL
103647 +wimax_msg_alloc_39343 wimax_msg_alloc 4 39343 NULL
103648 +__cfg80211_send_deauth_39344 __cfg80211_send_deauth 3 39344 NULL
103649 +__copy_from_user_nocache_39351 __copy_from_user_nocache 3 39351 NULL
103650 +ide_complete_rq_39354 ide_complete_rq 3 39354 NULL
103651 +do_write_log_from_user_39362 do_write_log_from_user 3 39362 NULL
103652 +vortex_wtdma_getlinearpos_39371 vortex_wtdma_getlinearpos 0 39371 NULL
103653 +regmap_name_read_file_39379 regmap_name_read_file 3 39379 NULL
103654 +fnic_trace_debugfs_read_39380 fnic_trace_debugfs_read 3 39380 NULL
103655 +ps_poll_ps_poll_utilization_read_39383 ps_poll_ps_poll_utilization_read 3 39383 NULL
103656 +__send_to_port_39386 __send_to_port 3 39386 NULL
103657 +user_power_read_39414 user_power_read 3 39414 NULL
103658 +alloc_agpphysmem_i8xx_39427 alloc_agpphysmem_i8xx 1 39427 NULL
103659 +sys_semop_39457 sys_semop 3 39457 NULL
103660 +ptrace_peek_siginfo_39458 ptrace_peek_siginfo 3 39458 NULL
103661 +setkey_unaligned_39474 setkey_unaligned 3 39474 NULL
103662 +do_get_mempolicy_39485 do_get_mempolicy 3 39485 NULL
103663 +ieee80211_if_fmt_dot11MeshHWMPmaxPREQretries_39499 ieee80211_if_fmt_dot11MeshHWMPmaxPREQretries 3 39499 NULL
103664 +atomic64_read_unchecked_39505 atomic64_read_unchecked 0 39505 NULL
103665 +int_proc_write_39542 int_proc_write 3 39542 NULL
103666 +pp_write_39554 pp_write 3 39554 NULL
103667 +ol_dqblk_block_39558 ol_dqblk_block 0-3-2 39558 NULL
103668 +datablob_format_39571 datablob_format 2 39571 NULL nohasharray
103669 +ieee80211_if_read_fwded_mcast_39571 ieee80211_if_read_fwded_mcast 3 39571 &datablob_format_39571
103670 +handle_response_icmp_39574 handle_response_icmp 7 39574 NULL
103671 +mtdchar_compat_ioctl_39602 mtdchar_compat_ioctl 3 39602 NULL
103672 +n_tty_compat_ioctl_helper_39605 n_tty_compat_ioctl_helper 4 39605 NULL
103673 +ext_depth_39607 ext_depth 0 39607 NULL
103674 +nfs_idmap_get_key_39616 nfs_idmap_get_key 2 39616 NULL
103675 +sdio_readb_39618 sdio_readb 0 39618 NULL
103676 +set_dev_class_39645 set_dev_class 4 39645 NULL nohasharray
103677 +dm_exception_table_init_39645 dm_exception_table_init 2 39645 &set_dev_class_39645
103678 +snd_rme32_capture_copy_39653 snd_rme32_capture_copy 5 39653 NULL
103679 +tcp_try_rmem_schedule_39657 tcp_try_rmem_schedule 3 39657 NULL nohasharray
103680 +prism2_info_hostscanresults_39657 prism2_info_hostscanresults 3 39657 &tcp_try_rmem_schedule_39657
103681 +kvm_read_guest_cached_39666 kvm_read_guest_cached 4 39666 NULL
103682 +v4l_stk_read_39672 v4l_stk_read 3 39672 NULL
103683 +hsc_msg_len_get_39673 hsc_msg_len_get 0 39673 NULL
103684 +do_surface_dirty_sou_39678 do_surface_dirty_sou 7 39678 NULL
103685 +ftrace_pid_write_39710 ftrace_pid_write 3 39710 NULL
103686 +tcf_csum_ipv4_tcp_39713 tcf_csum_ipv4_tcp 4 39713 NULL
103687 +remap_to_origin_clear_discard_39767 remap_to_origin_clear_discard 3 39767 NULL
103688 +ocfs2_pages_per_cluster_39790 ocfs2_pages_per_cluster 0 39790 NULL
103689 +crypto_ablkcipher_blocksize_39811 crypto_ablkcipher_blocksize 0 39811 NULL
103690 +security_inode_listsecurity_39812 security_inode_listsecurity 0 39812 NULL
103691 +snd_pcm_oss_writev3_39818 snd_pcm_oss_writev3 3 39818 NULL
103692 +sys_migrate_pages_39825 sys_migrate_pages 2 39825 NULL
103693 +get_priv_size_39828 get_priv_size 0-1 39828 NULL
103694 +pkt_add_39897 pkt_add 3 39897 NULL
103695 +read_file_modal_eeprom_39909 read_file_modal_eeprom 3 39909 NULL
103696 +gen_pool_add_virt_39913 gen_pool_add_virt 4 39913 NULL
103697 +dw210x_op_rw_39915 dw210x_op_rw 6 39915 NULL
103698 +aes_encrypt_interrupt_read_39919 aes_encrypt_interrupt_read 3 39919 NULL
103699 +exofs_read_kern_39921 exofs_read_kern 6 39921 NULL nohasharray
103700 +oom_score_adj_read_39921 oom_score_adj_read 3 39921 &exofs_read_kern_39921
103701 +__spi_async_39932 __spi_async 0 39932 NULL
103702 +__get_order_39935 __get_order 0 39935 NULL
103703 +error_error_frame_read_39947 error_error_frame_read 3 39947 NULL nohasharray
103704 +fwnet_pd_new_39947 fwnet_pd_new 4 39947 &error_error_frame_read_39947
103705 +tty_prepare_flip_string_39955 tty_prepare_flip_string 3 39955 NULL
103706 +dma_push_rx_39973 dma_push_rx 2 39973 NULL
103707 +vfio_pci_read_39975 vfio_pci_read 3 39975 NULL
103708 +broadsheetfb_write_39976 broadsheetfb_write 3 39976 NULL
103709 +mthca_array_init_39987 mthca_array_init 2 39987 NULL
103710 +xen_hvm_config_40018 xen_hvm_config 2 40018 NULL
103711 +nf_nat_icmpv6_reply_translation_40023 nf_nat_icmpv6_reply_translation 5 40023 NULL nohasharray
103712 +ivtvfb_write_40023 ivtvfb_write 3 40023 &nf_nat_icmpv6_reply_translation_40023
103713 +disc_pwup_write_40027 disc_pwup_write 3 40027 NULL
103714 +ea_foreach_i_40028 ea_foreach_i 0 40028 NULL
103715 +datablob_hmac_append_40038 datablob_hmac_append 3 40038 NULL
103716 +regmap_add_irq_chip_40042 regmap_add_irq_chip 4 40042 NULL
103717 +add_tty_40055 add_tty 1 40055 NULL nohasharray
103718 +l2cap_create_iframe_pdu_40055 l2cap_create_iframe_pdu 3 40055 &add_tty_40055
103719 +atomic_xchg_40070 atomic_xchg 0 40070 NULL
103720 +gen_pool_first_fit_40110 gen_pool_first_fit 2-3-4 40110 NULL
103721 +sctp_setsockopt_delayed_ack_40129 sctp_setsockopt_delayed_ack 3 40129 NULL
103722 +dwc2_max_desc_num_40132 dwc2_max_desc_num 0 40132 NULL
103723 +rx_rx_frame_checksum_read_40140 rx_rx_frame_checksum_read 3 40140 NULL
103724 +iwch_alloc_fastreg_pbl_40153 iwch_alloc_fastreg_pbl 2 40153 NULL
103725 +pt_write_40159 pt_write 3 40159 NULL
103726 +scsi_sg_count_40182 scsi_sg_count 0 40182 NULL
103727 +ipr_alloc_ucode_buffer_40199 ipr_alloc_ucode_buffer 1 40199 NULL nohasharray
103728 +devnode_find_40199 devnode_find 3-2 40199 &ipr_alloc_ucode_buffer_40199
103729 +allocate_probes_40204 allocate_probes 1 40204 NULL
103730 +compat_put_long_40214 compat_put_long 1 40214 NULL
103731 +au0828_v4l2_read_40220 au0828_v4l2_read 3 40220 NULL
103732 +osst_read_40237 osst_read 3 40237 NULL
103733 +lpage_info_slot_40243 lpage_info_slot 1-3 40243 NULL
103734 +ocfs2_zero_extend_get_range_40248 ocfs2_zero_extend_get_range 4 40248 NULL
103735 +of_get_child_count_40254 of_get_child_count 0 40254 NULL
103736 +rs_sta_dbgfs_scale_table_read_40262 rs_sta_dbgfs_scale_table_read 3 40262 NULL
103737 +usbnet_read_cmd_40275 usbnet_read_cmd 7 40275 NULL
103738 +rx_xfr_hint_trig_read_40283 rx_xfr_hint_trig_read 3 40283 NULL
103739 +_calc_trunk_info_40291 _calc_trunk_info 2 40291 NULL
103740 +crash_free_reserved_phys_range_40292 crash_free_reserved_phys_range 1 40292 NULL
103741 +ubi_io_write_data_40305 ubi_io_write_data 4-5 40305 NULL
103742 +batadv_tt_changes_fill_buff_40323 batadv_tt_changes_fill_buff 4 40323 NULL
103743 +ib_get_mad_data_offset_40336 ib_get_mad_data_offset 0 40336 NULL
103744 +mmio_read_40348 mmio_read 4 40348 NULL
103745 +usb_dump_interface_40353 usb_dump_interface 0 40353 NULL
103746 +ocfs2_release_clusters_40355 ocfs2_release_clusters 4 40355 NULL
103747 +event_rx_mem_empty_read_40363 event_rx_mem_empty_read 3 40363 NULL
103748 +ocfs2_check_range_for_refcount_40365 ocfs2_check_range_for_refcount 2-3 40365 NULL
103749 +fwnet_incoming_packet_40380 fwnet_incoming_packet 3 40380 NULL
103750 +brcmf_sdbrcm_get_image_40397 brcmf_sdbrcm_get_image 0-2 40397 NULL
103751 +atmel_rmem16_40450 atmel_rmem16 0 40450 NULL
103752 +tomoyo_update_policy_40458 tomoyo_update_policy 2 40458 NULL
103753 +zd_usb_scnprint_id_40459 zd_usb_scnprint_id 0-3 40459 NULL
103754 +batadv_hash_new_40491 batadv_hash_new 1 40491 NULL
103755 +devcgroup_inode_permission_40492 devcgroup_inode_permission 0 40492 NULL
103756 +tty_write_room_40495 tty_write_room 0 40495 NULL
103757 +persistent_ram_new_40501 persistent_ram_new 1-2 40501 NULL
103758 +sg_phys_40507 sg_phys 0 40507 NULL
103759 +TSS_checkhmac2_40520 TSS_checkhmac2 5-7 40520 NULL
103760 +ixgbe_dbg_reg_ops_read_40540 ixgbe_dbg_reg_ops_read 3 40540 NULL
103761 +ima_write_policy_40548 ima_write_policy 3 40548 NULL
103762 +esp_alloc_tmp_40558 esp_alloc_tmp 3-2 40558 NULL
103763 +ufs_inode_getfrag_40560 ufs_inode_getfrag 2-4 40560 NULL
103764 +bdev_sectors_40564 bdev_sectors 0 40564 NULL
103765 +lba_to_map_index_40580 lba_to_map_index 0-1 40580 NULL
103766 +skge_rx_get_40598 skge_rx_get 3 40598 NULL
103767 +get_priv_descr_and_size_40612 get_priv_descr_and_size 0 40612 NULL
103768 +bl_mark_sectors_init_40613 bl_mark_sectors_init 2-3 40613 NULL
103769 +cpuset_sprintf_cpulist_40627 cpuset_sprintf_cpulist 0 40627 NULL
103770 +twl4030_kpwrite_u8_40665 twl4030_kpwrite_u8 3 40665 NULL
103771 +__cfg80211_roamed_40668 __cfg80211_roamed 4-6 40668 NULL
103772 +pipeline_rx_complete_stat_fifo_int_read_40671 pipeline_rx_complete_stat_fifo_int_read 3 40671 NULL
103773 +fops_read_40672 fops_read 3 40672 NULL
103774 +alloc_rbio_40676 alloc_rbio 4 40676 NULL
103775 +videobuf_dma_init_user_locked_40678 videobuf_dma_init_user_locked 3 40678 NULL
103776 +nfc_hci_set_param_40697 nfc_hci_set_param 5 40697 NULL
103777 +vfio_pci_config_rw_40698 vfio_pci_config_rw 3 40698 NULL
103778 +__seq_open_private_40715 __seq_open_private 3 40715 NULL
103779 +fuse_readpages_40737 fuse_readpages 4 40737 NULL
103780 +xfs_iext_remove_direct_40744 xfs_iext_remove_direct 3 40744 NULL nohasharray
103781 +find_next_zero_bit_le_40744 find_next_zero_bit_le 0-2-3 40744 &xfs_iext_remove_direct_40744
103782 +security_inode_listxattr_40752 security_inode_listxattr 0 40752 NULL
103783 +fat_generic_compat_ioctl_40755 fat_generic_compat_ioctl 3 40755 NULL
103784 +card_send_command_40757 card_send_command 3 40757 NULL
103785 +ad1889_readl_40765 ad1889_readl 0 40765 NULL
103786 +pg_write_40766 pg_write 3 40766 NULL
103787 +show_list_40775 show_list 3 40775 NULL
103788 +calcu_metadata_size_40782 calcu_metadata_size 0 40782 NULL
103789 +kfifo_out_copy_r_40784 kfifo_out_copy_r 0-3 40784 NULL
103790 +bitmap_weight_40791 bitmap_weight 0-2 40791 NULL
103791 +pyra_sysfs_read_40795 pyra_sysfs_read 6 40795 NULL
103792 +netdev_alloc_skb_ip_align_40811 netdev_alloc_skb_ip_align 2 40811 NULL
103793 +nl80211_send_roamed_40825 nl80211_send_roamed 5-7 40825 NULL
103794 +SyS_mbind_40828 SyS_mbind 5 40828 NULL
103795 +__mlx4_qp_reserve_range_40847 __mlx4_qp_reserve_range 2-3 40847 NULL
103796 +isku_sysfs_write_keys_thumbster_40851 isku_sysfs_write_keys_thumbster 6 40851 NULL
103797 +ocfs2_zero_partial_clusters_40856 ocfs2_zero_partial_clusters 2-3 40856 NULL
103798 +v9fs_file_read_40858 v9fs_file_read 3 40858 NULL
103799 +read_file_queue_40895 read_file_queue 3 40895 NULL
103800 +waiters_read_40902 waiters_read 3 40902 NULL
103801 +isdn_add_channels_40905 isdn_add_channels 3 40905 NULL
103802 +gfs2_ea_find_40913 gfs2_ea_find 0 40913 NULL
103803 +vol_cdev_write_40915 vol_cdev_write 3 40915 NULL
103804 +snd_vx_create_40948 snd_vx_create 4 40948 NULL
103805 +skb_end_offset_40949 skb_end_offset 0 40949 NULL
103806 +wm8994_free_irq_40951 wm8994_free_irq 2 40951 NULL
103807 +rds_sendmsg_40976 rds_sendmsg 4 40976 NULL
103808 +il_dbgfs_fh_reg_read_40993 il_dbgfs_fh_reg_read 3 40993 NULL
103809 +mac80211_format_buffer_41010 mac80211_format_buffer 2 41010 NULL
103810 +mtd_block_isbad_41015 mtd_block_isbad 0 41015 NULL
103811 +_req_append_segment_41031 _req_append_segment 2 41031 NULL
103812 +mISDN_sock_sendmsg_41035 mISDN_sock_sendmsg 4 41035 NULL
103813 +ocfs2_xattr_index_block_find_41040 ocfs2_xattr_index_block_find 0 41040 NULL
103814 +vfs_listxattr_41062 vfs_listxattr 0 41062 NULL
103815 +cfg80211_inform_bss_frame_41078 cfg80211_inform_bss_frame 4 41078 NULL
103816 +roccat_read_41093 roccat_read 3 41093 NULL nohasharray
103817 +nvme_map_user_pages_41093 nvme_map_user_pages 3-4 41093 &roccat_read_41093
103818 +dma_attach_41094 dma_attach 5-6 41094 NULL
103819 +provide_user_output_41105 provide_user_output 3 41105 NULL
103820 +f_audio_buffer_alloc_41110 f_audio_buffer_alloc 1 41110 NULL
103821 +v4l2_ctrl_new_int_menu_41151 v4l2_ctrl_new_int_menu 4 41151 NULL
103822 +tx_frag_mpdu_alloc_failed_read_41167 tx_frag_mpdu_alloc_failed_read 3 41167 NULL
103823 +dvb_ca_write_41171 dvb_ca_write 3 41171 NULL
103824 +ol_quota_chunk_block_41177 ol_quota_chunk_block 0-2 41177 NULL
103825 +netif_get_num_default_rss_queues_41187 netif_get_num_default_rss_queues 0 41187 NULL
103826 +compat_sys_process_vm_writev_41194 compat_sys_process_vm_writev 3-5 41194 NULL
103827 +dfs_file_write_41196 dfs_file_write 3 41196 NULL
103828 +xfs_readdir_41200 xfs_readdir 3 41200 NULL
103829 +ocfs2_read_quota_block_41207 ocfs2_read_quota_block 2 41207 NULL
103830 +nfs_page_array_len_41219 nfs_page_array_len 0-2-1 41219 NULL
103831 +hiddev_compat_ioctl_41255 hiddev_compat_ioctl 2-3 41255 NULL
103832 +erst_read_41260 erst_read 0 41260 NULL
103833 +__fprog_create_41263 __fprog_create 2 41263 NULL
103834 +setup_cluster_bitmap_41270 setup_cluster_bitmap 4 41270 NULL
103835 +alloc_context_41283 alloc_context 1 41283 NULL
103836 +arch_gnttab_map_shared_41306 arch_gnttab_map_shared 3 41306 NULL
103837 +objio_alloc_io_state_41316 objio_alloc_io_state 6 41316 NULL
103838 +twl_change_queue_depth_41342 twl_change_queue_depth 2 41342 NULL
103839 +cnic_init_id_tbl_41354 cnic_init_id_tbl 2 41354 NULL
103840 +jbd2_alloc_41359 jbd2_alloc 1 41359 NULL
103841 +kmp_init_41373 kmp_init 2 41373 NULL
103842 +isr_commands_read_41398 isr_commands_read 3 41398 NULL
103843 +is_writethrough_io_41406 is_writethrough_io 3 41406 NULL
103844 +sys_flistxattr_41407 sys_flistxattr 3 41407 NULL
103845 +rx_defrag_decrypt_failed_read_41411 rx_defrag_decrypt_failed_read 3 41411 NULL
103846 +xfs_iext_add_41422 xfs_iext_add 3 41422 NULL
103847 +vsock_dev_compat_ioctl_41427 vsock_dev_compat_ioctl 3 41427 NULL
103848 +isdn_ppp_fill_rq_41428 isdn_ppp_fill_rq 2 41428 NULL
103849 +lbs_rdrf_read_41431 lbs_rdrf_read 3 41431 NULL
103850 +iio_device_alloc_41440 iio_device_alloc 1 41440 NULL
103851 +ntfs_file_buffered_write_41442 ntfs_file_buffered_write 4-6 41442 NULL
103852 +pcpu_build_alloc_info_41443 pcpu_build_alloc_info 1-2-3 41443 NULL
103853 +layout_leb_in_gaps_41470 layout_leb_in_gaps 0 41470 NULL
103854 +rt2x00debug_write_rfcsr_41473 rt2x00debug_write_rfcsr 3 41473 NULL
103855 +wep_interrupt_read_41492 wep_interrupt_read 3 41492 NULL
103856 +SyS_get_mempolicy_41495 SyS_get_mempolicy 3-4 41495 NULL
103857 +hpfs_translate_name_41497 hpfs_translate_name 3 41497 NULL
103858 +xfrm_hash_new_size_41505 xfrm_hash_new_size 0-1 41505 NULL
103859 +ldisc_receive_41516 ldisc_receive 4 41516 NULL
103860 +tx_tx_frame_checksum_read_41553 tx_tx_frame_checksum_read 3 41553 NULL
103861 +ath6kl_endpoint_stats_read_41554 ath6kl_endpoint_stats_read 3 41554 NULL
103862 +nr_status_frames_41559 nr_status_frames 0-1 41559 NULL
103863 +batadv_receive_client_update_packet_41578 batadv_receive_client_update_packet 3 41578 NULL
103864 +rng_dev_read_41581 rng_dev_read 3 41581 NULL
103865 +read_file_rx_chainmask_41605 read_file_rx_chainmask 3 41605 NULL
103866 +vga_io_r_41609 vga_io_r 0 41609 NULL
103867 +tcp_hdrlen_41610 tcp_hdrlen 0 41610 NULL
103868 +usb_endpoint_maxp_41613 usb_endpoint_maxp 0 41613 NULL
103869 +a2mp_send_41615 a2mp_send 4 41615 NULL
103870 +btrfs_calc_trunc_metadata_size_41626 btrfs_calc_trunc_metadata_size 0-2 41626 NULL
103871 +mempool_create_kmalloc_pool_41650 mempool_create_kmalloc_pool 1 41650 NULL
103872 +rx_rx_pre_complt_read_41653 rx_rx_pre_complt_read 3 41653 NULL
103873 +get_std_timing_41654 get_std_timing 0 41654 NULL
103874 +squashfs_cache_init_41656 squashfs_cache_init 2 41656 NULL
103875 +ieee80211_if_fmt_bssid_41677 ieee80211_if_fmt_bssid 3 41677 NULL
103876 +params_period_bytes_41683 params_period_bytes 0 41683 NULL
103877 +aac_src_ioremap_41688 aac_src_ioremap 2 41688 NULL
103878 +bdx_tx_db_init_41719 bdx_tx_db_init 2 41719 NULL
103879 +sys_pwritev_41722 sys_pwritev 3 41722 NULL
103880 +get_bios_ebda_41730 get_bios_ebda 0 41730 NULL
103881 +fillonedir_41746 fillonedir 3 41746 NULL
103882 +ocfs2_dx_dir_rebalance_41793 ocfs2_dx_dir_rebalance 7 41793 NULL
103883 +iwl_dbgfs_bt_notif_read_41794 iwl_dbgfs_bt_notif_read 3 41794 NULL
103884 +hsi_alloc_controller_41802 hsi_alloc_controller 1 41802 NULL
103885 +regcache_sync_block_raw_41803 regcache_sync_block_raw 3-4 41803 NULL
103886 +da9052_enable_irq_41814 da9052_enable_irq 2 41814 NULL
103887 +sco_send_frame_41815 sco_send_frame 3 41815 NULL
103888 +lp_gpio_to_irq_41822 lp_gpio_to_irq 2 41822 NULL
103889 +ixgbe_dbg_netdev_ops_read_41839 ixgbe_dbg_netdev_ops_read 3 41839 NULL
103890 +do_ip_setsockopt_41852 do_ip_setsockopt 5 41852 NULL
103891 +keyctl_instantiate_key_41855 keyctl_instantiate_key 3 41855 NULL
103892 +ieee80211_rx_radiotap_space_41870 ieee80211_rx_radiotap_space 0 41870 NULL
103893 +get_packet_41914 get_packet 3 41914 NULL
103894 +get_fdb_entries_41916 get_fdb_entries 3 41916 NULL
103895 +find_ge_pid_41918 find_ge_pid 1 41918 NULL
103896 +build_inv_iotlb_pages_41922 build_inv_iotlb_pages 4-5 41922 NULL
103897 +nfsd_getxattr_41934 nfsd_getxattr 0 41934 NULL
103898 +ext4_da_write_inline_data_begin_41935 ext4_da_write_inline_data_begin 3-4 41935 NULL
103899 +read_gssp_41947 read_gssp 3 41947 NULL
103900 +ocfs2_xattr_bucket_get_name_value_41949 ocfs2_xattr_bucket_get_name_value 0 41949 NULL
103901 +portnames_read_41958 portnames_read 3 41958 NULL
103902 +ubi_self_check_all_ff_41959 ubi_self_check_all_ff 4 41959 NULL
103903 +dst_mtu_41969 dst_mtu 0 41969 NULL
103904 +cx24116_writeregN_41975 cx24116_writeregN 4 41975 NULL
103905 +ubi_io_is_bad_41983 ubi_io_is_bad 0 41983 NULL
103906 +lguest_map_42008 lguest_map 1-2 42008 NULL
103907 +pool_allocate_42012 pool_allocate 3 42012 NULL
103908 +spidev_sync_read_42014 spidev_sync_read 0 42014 NULL
103909 +acpi_ut_create_buffer_object_42030 acpi_ut_create_buffer_object 1 42030 NULL
103910 +__hwahc_op_set_gtk_42038 __hwahc_op_set_gtk 4 42038 NULL
103911 +irda_sendmsg_ultra_42047 irda_sendmsg_ultra 4 42047 NULL
103912 +dma_generic_alloc_coherent_42048 dma_generic_alloc_coherent 2 42048 NULL nohasharray
103913 +jffs2_do_link_42048 jffs2_do_link 6 42048 &dma_generic_alloc_coherent_42048
103914 +ps_poll_upsd_max_ap_turn_read_42050 ps_poll_upsd_max_ap_turn_read 3 42050 NULL
103915 +InterfaceTransmitPacket_42058 InterfaceTransmitPacket 3 42058 NULL
103916 +alloc_bitset_42085 alloc_bitset 1 42085 NULL
103917 +scsi_execute_req_42088 scsi_execute_req 5 42088 NULL
103918 +sk_chk_filter_42095 sk_chk_filter 2 42095 NULL
103919 +submit_inquiry_42108 submit_inquiry 3 42108 NULL
103920 +sysfs_read_file_42113 sysfs_read_file 3 42113 NULL nohasharray
103921 +dw_dma_cyclic_prep_42113 dw_dma_cyclic_prep 3-4 42113 &sysfs_read_file_42113
103922 +Read_hfc16_stable_42131 Read_hfc16_stable 0 42131 NULL
103923 +mmc_align_data_size_42161 mmc_align_data_size 0-2 42161 NULL
103924 +read_file_base_eeprom_42168 read_file_base_eeprom 3 42168 NULL
103925 +iwl_mvm_send_cmd_42173 iwl_mvm_send_cmd 0 42173 NULL
103926 +oprofilefs_str_to_user_42182 oprofilefs_str_to_user 3 42182 NULL
103927 +get_znodes_to_commit_42201 get_znodes_to_commit 0 42201 NULL
103928 +btmrvl_hsmode_write_42252 btmrvl_hsmode_write 3 42252 NULL
103929 +rx_defrag_need_decrypt_read_42253 rx_defrag_need_decrypt_read 3 42253 NULL
103930 +netxen_nic_map_indirect_address_128M_42257 netxen_nic_map_indirect_address_128M 2 42257 NULL
103931 +savu_sysfs_write_42273 savu_sysfs_write 6 42273 NULL
103932 +snd_pcm_hw_param_value_max_42280 snd_pcm_hw_param_value_max 0 42280 NULL
103933 +sel_read_perm_42302 sel_read_perm 3 42302 NULL
103934 +sctp_setsockopt_del_key_42304 sctp_setsockopt_del_key 3 42304 NULL nohasharray
103935 +ulong_read_file_42304 ulong_read_file 3 42304 &sctp_setsockopt_del_key_42304
103936 +gfn_to_hva_42305 gfn_to_hva 0-2 42305 NULL
103937 +xfs_vm_readpages_42308 xfs_vm_readpages 4 42308 NULL
103938 +free_cblock_42318 free_cblock 2 42318 NULL
103939 +hysdn_conf_read_42324 hysdn_conf_read 3 42324 NULL
103940 +tcp_sync_mss_42330 tcp_sync_mss 0-2 42330 NULL
103941 +snd_pcm_plug_alloc_42339 snd_pcm_plug_alloc 2 42339 NULL
103942 +ide_raw_taskfile_42355 ide_raw_taskfile 4 42355 NULL
103943 +il_dbgfs_disable_ht40_read_42386 il_dbgfs_disable_ht40_read 3 42386 NULL
103944 +hash_ipportnet4_expire_42391 hash_ipportnet4_expire 3 42391 NULL
103945 +msnd_fifo_read_42406 msnd_fifo_read 0-3 42406 NULL
103946 +krng_get_random_42420 krng_get_random 3 42420 NULL
103947 +gsm_data_alloc_42437 gsm_data_alloc 3 42437 NULL
103948 +key_conf_keyidx_read_42443 key_conf_keyidx_read 3 42443 NULL
103949 +snd_pcm_action_group_42452 snd_pcm_action_group 0 42452 NULL
103950 +tcm_loop_change_queue_depth_42454 tcm_loop_change_queue_depth 2 42454 NULL
103951 +tc3589x_gpio_irq_get_virq_42457 tc3589x_gpio_irq_get_virq 2 42457 NULL
103952 +ext3_valid_block_bitmap_42459 ext3_valid_block_bitmap 3 42459 NULL
103953 +__simple_xattr_set_42474 __simple_xattr_set 4 42474 NULL
103954 +follow_hugetlb_page_42486 follow_hugetlb_page 0-7 42486 NULL
103955 +omfs_readpages_42490 omfs_readpages 4 42490 NULL
103956 +brcmf_sdbrcm_bus_txctl_42492 brcmf_sdbrcm_bus_txctl 3 42492 NULL
103957 +bypass_write_42498 bypass_write 3 42498 NULL
103958 +kvm_write_wall_clock_42520 kvm_write_wall_clock 2 42520 NULL
103959 +smk_write_netlbladdr_42525 smk_write_netlbladdr 3 42525 NULL
103960 +snd_emux_create_port_42533 snd_emux_create_port 3 42533 NULL
103961 +dbAllocNear_42546 dbAllocNear 0 42546 NULL
103962 +i915_ring_stop_read_42549 i915_ring_stop_read 3 42549 NULL nohasharray
103963 +ath6kl_wmi_proc_events_vif_42549 ath6kl_wmi_proc_events_vif 5 42549 &i915_ring_stop_read_42549
103964 +iwl_print_event_log_42566 iwl_print_event_log 0-5-7 42566 NULL
103965 +xfrm_new_hash_mask_42579 xfrm_new_hash_mask 0-1 42579 NULL
103966 +oom_score_adj_write_42594 oom_score_adj_write 3 42594 NULL
103967 +map_state_42602 map_state 1 42602 NULL nohasharray
103968 +__pskb_pull_42602 __pskb_pull 2 42602 &map_state_42602
103969 +nd_get_link_42603 nd_get_link 0 42603 NULL
103970 +sys_move_pages_42626 sys_move_pages 2 42626 NULL
103971 +resp_write_42628 resp_write 2 42628 NULL
103972 +ieee80211_if_fmt_dot11MeshHWMPactivePathTimeout_42635 ieee80211_if_fmt_dot11MeshHWMPactivePathTimeout 3 42635 NULL
103973 +scsi_activate_tcq_42640 scsi_activate_tcq 2 42640 NULL
103974 +br_mdb_rehash_42643 br_mdb_rehash 2 42643 NULL
103975 +l2tp_xmit_skb_42672 l2tp_xmit_skb 3 42672 NULL
103976 +request_key_and_link_42693 request_key_and_link 4 42693 NULL
103977 +acpi_dev_get_irqresource_42694 acpi_dev_get_irqresource 2 42694 NULL
103978 +vb2_read_42703 vb2_read 3 42703 NULL
103979 +sierra_net_send_cmd_42708 sierra_net_send_cmd 3 42708 NULL
103980 +__ocfs2_decrease_refcount_42717 __ocfs2_decrease_refcount 4 42717 NULL
103981 +dvb_demux_ioctl_42733 dvb_demux_ioctl 2 42733 NULL
103982 +set_aoe_iflist_42737 set_aoe_iflist 2 42737 NULL
103983 +ax25_setsockopt_42740 ax25_setsockopt 5 42740 NULL
103984 +xen_bind_pirq_gsi_to_irq_42750 xen_bind_pirq_gsi_to_irq 1 42750 NULL
103985 +snd_midi_event_decode_42780 snd_midi_event_decode 0 42780 NULL
103986 +cryptd_hash_setkey_42781 cryptd_hash_setkey 3 42781 NULL nohasharray
103987 +isku_sysfs_read_info_42781 isku_sysfs_read_info 6 42781 &cryptd_hash_setkey_42781
103988 +koneplus_sysfs_read_42792 koneplus_sysfs_read 6 42792 NULL
103989 +ntfs_attr_extend_allocation_42796 ntfs_attr_extend_allocation 0-2 42796 NULL
103990 +fw_device_op_compat_ioctl_42804 fw_device_op_compat_ioctl 2-3 42804 NULL
103991 +drm_ioctl_42813 drm_ioctl 2 42813 NULL
103992 +iwl_dbgfs_ucode_bt_stats_read_42820 iwl_dbgfs_ucode_bt_stats_read 3 42820 NULL
103993 +set_arg_42824 set_arg 3 42824 NULL
103994 +si476x_radio_read_rsq_blob_42827 si476x_radio_read_rsq_blob 3 42827 NULL
103995 +ocfs2_desc_bitmap_to_cluster_off_42831 ocfs2_desc_bitmap_to_cluster_off 2 42831 NULL
103996 +prandom_u32_42853 prandom_u32 0 42853 NULL
103997 +of_property_count_strings_42863 of_property_count_strings 0 42863 NULL
103998 +ocfs2_clusters_for_bytes_42872 ocfs2_clusters_for_bytes 0-2 42872 NULL
103999 +pskb_expand_head_42881 pskb_expand_head 2-3 42881 NULL
104000 +vt_compat_ioctl_42887 vt_compat_ioctl 3 42887 NULL
104001 +tipc_port_recv_sections_42890 tipc_port_recv_sections 4 42890 NULL
104002 +xpc_kmalloc_cacheline_aligned_42895 xpc_kmalloc_cacheline_aligned 1 42895 NULL
104003 +SendTxCommandPacket_42901 SendTxCommandPacket 3 42901 NULL
104004 +hd_end_request_42904 hd_end_request 2 42904 NULL
104005 +sta_last_rx_rate_read_42909 sta_last_rx_rate_read 3 42909 NULL
104006 +sctp_getsockopt_maxburst_42941 sctp_getsockopt_maxburst 2 42941 NULL
104007 +get_unmapped_area_42944 get_unmapped_area 0 42944 NULL
104008 +sys_sethostname_42962 sys_sethostname 2 42962 NULL
104009 +read_file_node_stat_42964 read_file_node_stat 3 42964 NULL
104010 +compat_udpv6_setsockopt_42981 compat_udpv6_setsockopt 5 42981 NULL
104011 +snd_timer_user_ioctl_compat_42985 snd_timer_user_ioctl_compat 3 42985 NULL
104012 +nfs_idmap_get_desc_42990 nfs_idmap_get_desc 4-2 42990 NULL
104013 +mlx4_qp_reserve_range_43000 mlx4_qp_reserve_range 2-3 43000 NULL
104014 +isr_rx_mem_overflow_read_43025 isr_rx_mem_overflow_read 3 43025 NULL
104015 +add_bytes_to_bitmap_43026 add_bytes_to_bitmap 0 43026 NULL
104016 +wep_default_key_count_read_43035 wep_default_key_count_read 3 43035 NULL
104017 +nouveau_gpuobj_create__43072 nouveau_gpuobj_create_ 9 43072 NULL
104018 +nfs_map_group_to_gid_43082 nfs_map_group_to_gid 3 43082 NULL
104019 +cpuset_sprintf_memlist_43088 cpuset_sprintf_memlist 0 43088 NULL
104020 +ieee80211_if_fmt_drop_unencrypted_43107 ieee80211_if_fmt_drop_unencrypted 3 43107 NULL
104021 +read_file_dfs_43145 read_file_dfs 3 43145 NULL nohasharray
104022 +i2c_hid_get_report_43145 i2c_hid_get_report 0 43145 &read_file_dfs_43145
104023 +uuid_string_43154 uuid_string 0 43154 NULL
104024 +usb_string_sub_43164 usb_string_sub 0 43164 NULL
104025 +il_dbgfs_power_save_status_read_43165 il_dbgfs_power_save_status_read 3 43165 NULL
104026 +ath6kl_set_assoc_req_ies_43185 ath6kl_set_assoc_req_ies 3 43185 NULL
104027 +process_measurement_43190 process_measurement 0 43190 NULL
104028 +ext4_xattr_ibody_get_43200 ext4_xattr_ibody_get 0 43200 NULL
104029 +uio_write_43202 uio_write 3 43202 NULL
104030 +iso_callback_43208 iso_callback 3 43208 NULL
104031 +f2fs_acl_from_disk_43210 f2fs_acl_from_disk 2 43210 NULL
104032 +atomic_long_add_return_43217 atomic_long_add_return 1 43217 NULL
104033 +comedi_compat_ioctl_43218 comedi_compat_ioctl 3 43218 NULL
104034 +vmemmap_alloc_block_43245 vmemmap_alloc_block 1 43245 NULL
104035 +fixup_leb_43256 fixup_leb 3 43256 NULL
104036 +ide_end_rq_43269 ide_end_rq 4 43269 NULL
104037 +evtchn_write_43278 evtchn_write 3 43278 NULL
104038 +filemap_write_and_wait_range_43279 filemap_write_and_wait_range 0 43279 NULL
104039 +mpage_alloc_43299 mpage_alloc 3 43299 NULL
104040 +get_nr_irqs_gsi_43315 get_nr_irqs_gsi 0 43315 NULL
104041 +mmu_set_spte_43327 mmu_set_spte 6-7 43327 NULL
104042 +__ext4_get_inode_loc_43332 __ext4_get_inode_loc 0 43332 NULL
104043 +kvm_host_page_size_43348 kvm_host_page_size 2 43348 NULL
104044 +gart_free_coherent_43362 gart_free_coherent 4-2 43362 NULL
104045 +hash_net4_expire_43378 hash_net4_expire 3 43378 NULL
104046 +__alloc_bootmem_low_43423 __alloc_bootmem_low 1-2 43423 NULL nohasharray
104047 +gdm_wimax_netif_rx_43423 gdm_wimax_netif_rx 3 43423 &__alloc_bootmem_low_43423
104048 +isku_sysfs_write_keys_capslock_43432 isku_sysfs_write_keys_capslock 6 43432 NULL
104049 +usb_alloc_urb_43436 usb_alloc_urb 1 43436 NULL
104050 +ucs2_strsize_43438 ucs2_strsize 0 43438 NULL
104051 +ath6kl_wmi_roam_tbl_event_rx_43440 ath6kl_wmi_roam_tbl_event_rx 3 43440 NULL
104052 +usemap_size_43443 usemap_size 0-2-1 43443 NULL nohasharray
104053 +usb_string_43443 usb_string 0 43443 &usemap_size_43443
104054 +alloc_new_reservation_43480 alloc_new_reservation 4 43480 NULL
104055 +tx_tx_data_prepared_read_43497 tx_tx_data_prepared_read 3 43497 NULL
104056 +ieee80211_if_fmt_dot11MeshHWMPnetDiameterTraversalTime_43505 ieee80211_if_fmt_dot11MeshHWMPnetDiameterTraversalTime 3 43505 NULL
104057 +do_readlink_43518 do_readlink 2 43518 NULL
104058 +dvb_ca_en50221_io_write_43533 dvb_ca_en50221_io_write 3 43533 NULL
104059 +cachefiles_daemon_write_43535 cachefiles_daemon_write 3 43535 NULL
104060 +tx_frag_failed_read_43540 tx_frag_failed_read 3 43540 NULL nohasharray
104061 +ufs_alloccg_block_43540 ufs_alloccg_block 3-0 43540 &tx_frag_failed_read_43540
104062 +ath_rx_init_43564 ath_rx_init 2 43564 NULL
104063 +_fc_frame_alloc_43568 _fc_frame_alloc 1 43568 NULL
104064 +rpc_malloc_43573 rpc_malloc 2 43573 NULL
104065 +lpfc_idiag_drbacc_read_reg_43606 lpfc_idiag_drbacc_read_reg 0-3 43606 NULL
104066 +proc_read_43614 proc_read 3 43614 NULL
104067 +bio_integrity_tag_43658 bio_integrity_tag 3 43658 NULL
104068 +ext4_acl_count_43659 ext4_acl_count 0-1 43659 NULL
104069 +dmam_declare_coherent_memory_43679 dmam_declare_coherent_memory 4-2 43679 NULL
104070 +calgary_map_page_43686 calgary_map_page 3-4 43686 NULL
104071 +max77693_bulk_write_43698 max77693_bulk_write 2-3 43698 NULL
104072 +drbd_md_first_sector_43729 drbd_md_first_sector 0 43729 NULL
104073 +snd_rme32_playback_copy_43732 snd_rme32_playback_copy 5 43732 NULL
104074 +ocfs2_replace_clusters_43733 ocfs2_replace_clusters 5 43733 NULL
104075 +osdv1_attr_list_elem_size_43747 osdv1_attr_list_elem_size 0-1 43747 NULL
104076 +__bm_find_next_43748 __bm_find_next 2 43748 NULL
104077 +gigaset_initcs_43753 gigaset_initcs 2 43753 NULL
104078 +sctp_setsockopt_active_key_43755 sctp_setsockopt_active_key 3 43755 NULL
104079 +ocfs2_xattr_get_value_outside_43787 ocfs2_xattr_get_value_outside 0 43787 NULL nohasharray
104080 +byte_pos_43787 byte_pos 0-2 43787 &ocfs2_xattr_get_value_outside_43787
104081 +btrfs_copy_from_user_43806 btrfs_copy_from_user 3-1 43806 NULL
104082 +ext4_read_block_bitmap_43814 ext4_read_block_bitmap 2 43814 NULL
104083 +div64_u64_safe_43815 div64_u64_safe 1-2 43815 NULL
104084 +ieee80211_if_fmt_element_ttl_43825 ieee80211_if_fmt_element_ttl 3 43825 NULL
104085 +ieee80211_alloc_hw_43829 ieee80211_alloc_hw 1 43829 NULL
104086 +p54_download_eeprom_43842 p54_download_eeprom 4 43842 NULL
104087 +read_flush_43851 read_flush 3 43851 NULL
104088 +ocfs2_block_group_find_clear_bits_43874 ocfs2_block_group_find_clear_bits 4 43874 NULL
104089 +pm860x_bulk_write_43875 pm860x_bulk_write 2-3 43875 NULL
104090 +prism2_sta_send_mgmt_43916 prism2_sta_send_mgmt 5 43916 NULL
104091 +SendString_43928 SendString 3 43928 NULL
104092 +xen_register_gsi_43946 xen_register_gsi 1-2 43946 NULL
104093 +stats_dot11RTSFailureCount_read_43948 stats_dot11RTSFailureCount_read 3 43948 NULL
104094 +__get_required_blob_size_43980 __get_required_blob_size 0-2-3 43980 NULL
104095 +nla_reserve_43984 nla_reserve 3 43984 NULL
104096 +__clkdev_alloc_43990 __clkdev_alloc 1 43990 NULL
104097 +scsi_command_size_43992 scsi_command_size 0 43992 NULL nohasharray
104098 +bcm_recvmsg_43992 bcm_recvmsg 4 43992 &scsi_command_size_43992
104099 +emit_flags_44006 emit_flags 4-3 44006 NULL
104100 +write_flush_procfs_44011 write_flush_procfs 3 44011 NULL
104101 +swiotlb_unmap_page_44063 swiotlb_unmap_page 2 44063 NULL
104102 +SYSC_add_key_44079 SYSC_add_key 4 44079 NULL
104103 +load_discard_44083 load_discard 3 44083 NULL
104104 +xlog_recover_add_to_cont_trans_44102 xlog_recover_add_to_cont_trans 4 44102 NULL
104105 +tracing_set_trace_read_44122 tracing_set_trace_read 3 44122 NULL
104106 +vmw_gmr_bind_44130 vmw_gmr_bind 3 44130 NULL
104107 +scsi_get_resid_44147 scsi_get_resid 0 44147 NULL
104108 +ubifs_find_dirty_idx_leb_44169 ubifs_find_dirty_idx_leb 0 44169 NULL
104109 +ocfs2_xattr_bucket_find_44174 ocfs2_xattr_bucket_find 0 44174 NULL
104110 +SYSC_set_mempolicy_44176 SYSC_set_mempolicy 3 44176 NULL
104111 +handle_eviocgbit_44193 handle_eviocgbit 3 44193 NULL
104112 +IO_APIC_get_PCI_irq_vector_44198 IO_APIC_get_PCI_irq_vector 0 44198 NULL
104113 +__set_free_44211 __set_free 2 44211 NULL
104114 +claim_ptd_buffers_44213 claim_ptd_buffers 3 44213 NULL
104115 +srp_alloc_iu_44227 srp_alloc_iu 2 44227 NULL
104116 +ioapic_register_intr_44238 ioapic_register_intr 1 44238 NULL
104117 +scsi_track_queue_full_44239 scsi_track_queue_full 2 44239 NULL
104118 +tc3589x_gpio_irq_map_44245 tc3589x_gpio_irq_map 2 44245 NULL
104119 +enlarge_skb_44248 enlarge_skb 2 44248 NULL
104120 +ufs_clusteracct_44293 ufs_clusteracct 3 44293 NULL
104121 +ocfs2_zero_range_for_truncate_44294 ocfs2_zero_range_for_truncate 3 44294 NULL
104122 +ath6kl_keepalive_read_44303 ath6kl_keepalive_read 3 44303 NULL
104123 +bitmap_scnprintf_44318 bitmap_scnprintf 2 44318 NULL
104124 +dispatch_proc_write_44320 dispatch_proc_write 3 44320 NULL
104125 +ubi_eba_write_leb_st_44343 ubi_eba_write_leb_st 5 44343 NULL
104126 +nfs_fscache_get_super_cookie_44355 nfs_fscache_get_super_cookie 3 44355 NULL nohasharray
104127 +blk_queue_init_tags_44355 blk_queue_init_tags 2 44355 &nfs_fscache_get_super_cookie_44355
104128 +__is_discarded_44359 __is_discarded 2 44359 NULL
104129 +rts_threshold_read_44384 rts_threshold_read 3 44384 NULL
104130 +aoedev_flush_44398 aoedev_flush 2 44398 NULL
104131 +drm_buffer_alloc_44405 drm_buffer_alloc 2 44405 NULL
104132 +osst_do_scsi_44410 osst_do_scsi 4 44410 NULL
104133 +check_user_page_hwpoison_44412 check_user_page_hwpoison 1 44412 NULL
104134 +ieee80211_if_read_rc_rateidx_mcs_mask_5ghz_44423 ieee80211_if_read_rc_rateidx_mcs_mask_5ghz 3 44423 NULL
104135 +prandom_u32_state_44445 prandom_u32_state 0 44445 NULL
104136 +___alloc_bootmem_node_nopanic_44461 ___alloc_bootmem_node_nopanic 2-3 44461 NULL
104137 +btrfs_chunk_item_size_44478 btrfs_chunk_item_size 0-1 44478 NULL
104138 +sdio_align_size_44489 sdio_align_size 0-2 44489 NULL
104139 +bio_advance_44496 bio_advance 2 44496 NULL
104140 +ieee80211_if_read_dropped_frames_ttl_44500 ieee80211_if_read_dropped_frames_ttl 3 44500 NULL
104141 +security_getprocattr_44505 security_getprocattr 0 44505 NULL nohasharray
104142 +iwl_dbgfs_sram_read_44505 iwl_dbgfs_sram_read 3 44505 &security_getprocattr_44505
104143 +spidev_write_44510 spidev_write 3 44510 NULL
104144 +sys_msgsnd_44537 sys_msgsnd 3 44537 NULL nohasharray
104145 +comm_write_44537 comm_write 3 44537 &sys_msgsnd_44537
104146 +hash_ipport4_expire_44564 hash_ipport4_expire 3 44564 NULL
104147 +dgrp_config_proc_write_44571 dgrp_config_proc_write 3 44571 NULL
104148 +snd_pcm_alloc_vmalloc_buffer_44595 snd_pcm_alloc_vmalloc_buffer 2 44595 NULL
104149 +slip_compat_ioctl_44599 slip_compat_ioctl 4 44599 NULL
104150 +brcmf_sdbrcm_glom_len_44618 brcmf_sdbrcm_glom_len 0 44618 NULL
104151 +cfpkt_add_body_44630 cfpkt_add_body 3 44630 NULL
104152 +ext2_new_block_44645 ext2_new_block 2 44645 NULL
104153 +alloc_ctrl_packet_44667 alloc_ctrl_packet 1 44667 NULL
104154 +mpi_resize_44674 mpi_resize 2 44674 NULL
104155 +ts_read_44687 ts_read 3 44687 NULL
104156 +qib_get_user_pages_44689 qib_get_user_pages 1-2 44689 NULL
104157 +xfer_to_user_44713 xfer_to_user 3 44713 NULL
104158 +_zd_iowrite32v_locked_44725 _zd_iowrite32v_locked 3 44725 NULL
104159 +clusterip_proc_write_44729 clusterip_proc_write 3 44729 NULL
104160 +fib_count_nexthops_44730 fib_count_nexthops 0 44730 NULL
104161 +key_tx_rx_count_read_44742 key_tx_rx_count_read 3 44742 NULL
104162 +WIL_GET_BITS_44747 WIL_GET_BITS 0-1-2-3 44747 NULL
104163 +set_brk_44749 set_brk 1 44749 NULL
104164 +tnode_new_44757 tnode_new 3 44757 NULL nohasharray
104165 +pty_write_44757 pty_write 3 44757 &tnode_new_44757
104166 +__videobuf_copy_stream_44769 __videobuf_copy_stream 4 44769 NULL
104167 +handsfree_ramp_44777 handsfree_ramp 2 44777 NULL
104168 +sctp_setsockopt_44788 sctp_setsockopt 5 44788 NULL
104169 +rx_dropped_read_44799 rx_dropped_read 3 44799 NULL
104170 +qla4xxx_alloc_work_44813 qla4xxx_alloc_work 2 44813 NULL
104171 +mei_cl_read_start_44824 mei_cl_read_start 2 44824 NULL
104172 +rmap_write_protect_44833 rmap_write_protect 2 44833 NULL
104173 +sisusb_write_44834 sisusb_write 3 44834 NULL
104174 +nl80211_send_unprot_disassoc_44846 nl80211_send_unprot_disassoc 4 44846 NULL
104175 +kvm_read_hva_44847 kvm_read_hva 3 44847 NULL
104176 +cubic_root_44848 cubic_root 1 44848 NULL
104177 +copydesc_user_44855 copydesc_user 3 44855 NULL
104178 +skb_availroom_44883 skb_availroom 0 44883 NULL
104179 +nf_bridge_encap_header_len_44890 nf_bridge_encap_header_len 0 44890 NULL
104180 +do_tty_write_44896 do_tty_write 5 44896 NULL
104181 +tx_queue_status_read_44978 tx_queue_status_read 3 44978 NULL
104182 +nf_nat_seq_adjust_44989 nf_nat_seq_adjust 4 44989 NULL
104183 +map_index_to_lba_44993 map_index_to_lba 0-1 44993 NULL
104184 +bytepos_delta_45017 bytepos_delta 0 45017 NULL
104185 +read_block_bitmap_45021 read_block_bitmap 2 45021 NULL nohasharray
104186 +ptrace_writedata_45021 ptrace_writedata 4-3 45021 &read_block_bitmap_45021
104187 +vhci_get_user_45039 vhci_get_user 3 45039 NULL
104188 +sel_write_user_45060 sel_write_user 3 45060 NULL
104189 +vmscan_swappiness_45062 vmscan_swappiness 0 45062 NULL
104190 +snd_mixart_BA0_read_45069 snd_mixart_BA0_read 5 45069 NULL nohasharray
104191 +do_video_ioctl_45069 do_video_ioctl 3 45069 &snd_mixart_BA0_read_45069
104192 +kvm_mmu_page_get_gfn_45110 kvm_mmu_page_get_gfn 0-2 45110 NULL
104193 +pwr_missing_bcns_cnt_read_45113 pwr_missing_bcns_cnt_read 3 45113 NULL
104194 +usbdev_read_45114 usbdev_read 3 45114 NULL
104195 +isku_sysfs_write_reset_45133 isku_sysfs_write_reset 6 45133 NULL
104196 +send_to_tty_45141 send_to_tty 3 45141 NULL
104197 +stmpe_irq_map_45146 stmpe_irq_map 2 45146 NULL
104198 +crypto_aead_blocksize_45148 crypto_aead_blocksize 0 45148 NULL
104199 +gen_bitmask_string_45149 gen_bitmask_string 6 45149 NULL
104200 +ocfs2_remove_inode_range_45156 ocfs2_remove_inode_range 3-4 45156 NULL nohasharray
104201 +device_write_45156 device_write 3 45156 &ocfs2_remove_inode_range_45156
104202 +ocfs2_dq_frozen_trigger_45159 ocfs2_dq_frozen_trigger 4 45159 NULL
104203 +tomoyo_write_self_45161 tomoyo_write_self 3 45161 NULL
104204 +sta_agg_status_write_45164 sta_agg_status_write 3 45164 NULL
104205 +snd_sb_csp_load_user_45190 snd_sb_csp_load_user 3 45190 NULL
104206 +num_clusters_in_group_45194 num_clusters_in_group 2 45194 NULL
104207 +add_child_45201 add_child 4 45201 NULL
104208 +iso_alloc_urb_45206 iso_alloc_urb 4-5 45206 NULL
104209 +spi_alloc_master_45223 spi_alloc_master 2 45223 NULL
104210 +__dirty_45228 __dirty 2 45228 NULL
104211 +ieee80211_if_read_peer_45233 ieee80211_if_read_peer 3 45233 NULL
104212 +prism2_pda_proc_read_45246 prism2_pda_proc_read 3 45246 NULL
104213 +input_mt_init_slots_45279 input_mt_init_slots 2 45279 NULL
104214 +vcc_compat_ioctl_45291 vcc_compat_ioctl 3 45291 NULL
104215 +snd_pcm_oss_sync1_45298 snd_pcm_oss_sync1 2 45298 NULL
104216 +pte_val_45313 pte_val 0 45313 NULL
104217 +__i2c_hid_command_45321 __i2c_hid_command 0 45321 NULL
104218 +copy_vm86_regs_from_user_45340 copy_vm86_regs_from_user 3 45340 NULL
104219 +lane2_associate_req_45398 lane2_associate_req 4 45398 NULL
104220 +keymap_store_45406 keymap_store 4 45406 NULL
104221 +paging64_gva_to_gpa_45421 paging64_gva_to_gpa 2 45421 NULL nohasharray
104222 +ieee80211_if_fmt_dot11MeshHWMProotInterval_45421 ieee80211_if_fmt_dot11MeshHWMProotInterval 3 45421 &paging64_gva_to_gpa_45421
104223 +tty_buffer_alloc_45437 tty_buffer_alloc 2 45437 NULL
104224 +intel_render_ring_init_dri_45446 intel_render_ring_init_dri 2-3 45446 NULL nohasharray
104225 +SYSC_mremap_45446 SYSC_mremap 5-1-2 45446 &intel_render_ring_init_dri_45446
104226 +__node_remap_45458 __node_remap 4 45458 NULL
104227 +rds_ib_set_wr_signal_state_45463 rds_ib_set_wr_signal_state 0 45463 NULL
104228 +udp_manip_pkt_45467 udp_manip_pkt 4 45467 NULL
104229 +tracing_read_dyn_info_45468 tracing_read_dyn_info 3 45468 NULL
104230 +arizona_init_fll_45503 arizona_init_fll 5 45503 NULL
104231 +rds_message_copy_from_user_45510 rds_message_copy_from_user 3 45510 NULL
104232 +sys_lgetxattr_45531 sys_lgetxattr 4 45531 NULL
104233 +cgroup_read_u64_45532 cgroup_read_u64 5 45532 NULL
104234 +copy_macs_45534 copy_macs 4 45534 NULL
104235 +nla_attr_size_45545 nla_attr_size 0-1 45545 NULL
104236 +v9fs_direct_read_45546 v9fs_direct_read 3 45546 NULL
104237 +cx18_copy_mdl_to_user_45549 cx18_copy_mdl_to_user 4 45549 NULL
104238 +atomic_long_sub_return_45551 atomic_long_sub_return 1 45551 NULL
104239 +ext3_group_first_block_no_45555 ext3_group_first_block_no 0-2 45555 NULL
104240 +stats_dot11ACKFailureCount_read_45558 stats_dot11ACKFailureCount_read 3 45558 NULL
104241 +_regmap_bus_raw_write_45559 _regmap_bus_raw_write 2 45559 NULL
104242 +posix_acl_xattr_size_45561 posix_acl_xattr_size 0-1 45561 NULL
104243 +venus_rmdir_45564 venus_rmdir 4 45564 NULL
104244 +ipath_create_cq_45586 ipath_create_cq 2 45586 NULL
104245 +rdma_set_ib_paths_45592 rdma_set_ib_paths 3 45592 NULL
104246 +hidraw_get_report_45609 hidraw_get_report 3 45609 NULL
104247 +audit_log_n_hex_45617 audit_log_n_hex 3 45617 NULL
104248 +ebitmap_next_positive_45651 ebitmap_next_positive 3 45651 NULL
104249 +dma_map_cont_45668 dma_map_cont 5 45668 NULL
104250 +compat_mpctl_ioctl_45671 compat_mpctl_ioctl 2 45671 NULL
104251 +dgram_sendmsg_45679 dgram_sendmsg 4 45679 NULL
104252 +smk_write_ambient_45691 smk_write_ambient 3 45691 NULL
104253 +dm_compat_ctl_ioctl_45692 dm_compat_ctl_ioctl 3 45692 NULL
104254 +unix_dgram_sendmsg_45699 unix_dgram_sendmsg 4 45699 NULL nohasharray
104255 +bscnl_emit_45699 bscnl_emit 2-5-0 45699 &unix_dgram_sendmsg_45699
104256 +dvb_ca_en50221_init_45718 dvb_ca_en50221_init 4 45718 NULL
104257 +snd_cs46xx_io_read_45734 snd_cs46xx_io_read 5 45734 NULL
104258 +rw_copy_check_uvector_45748 rw_copy_check_uvector 3 45748 NULL nohasharray
104259 +v4l2_ctrl_new_std_45748 v4l2_ctrl_new_std 5 45748 &rw_copy_check_uvector_45748
104260 +lkdtm_debugfs_read_45752 lkdtm_debugfs_read 3 45752 NULL
104261 +nilfs_compat_ioctl_45769 nilfs_compat_ioctl 3 45769 NULL
104262 +alloc_ts_config_45775 alloc_ts_config 1 45775 NULL
104263 +raw_setsockopt_45800 raw_setsockopt 5 45800 NULL
104264 +lbs_rdbbp_read_45805 lbs_rdbbp_read 3 45805 NULL
104265 +pcpu_alloc_alloc_info_45813 pcpu_alloc_alloc_info 1-2 45813 NULL
104266 +fm_v4l2_init_video_device_45821 fm_v4l2_init_video_device 2 45821 NULL
104267 +memcg_update_cache_size_45828 memcg_update_cache_size 2 45828 NULL
104268 +x509_process_extension_45854 x509_process_extension 5 45854 NULL
104269 +isdn_write_45863 isdn_write 3 45863 NULL
104270 +unpack_orig_pfns_45867 unpack_orig_pfns 0 45867 NULL
104271 +get_rdac_req_45882 get_rdac_req 3 45882 NULL
104272 +ocfs2_xattr_block_find_45891 ocfs2_xattr_block_find 0 45891 NULL
104273 +wm_adsp_region_to_reg_45915 wm_adsp_region_to_reg 0-2 45915 NULL
104274 +dbgfs_frame_45917 dbgfs_frame 3 45917 NULL
104275 +nf_nat_ftp_fmt_cmd_45926 nf_nat_ftp_fmt_cmd 0 45926 NULL
104276 +smp_scan_config_45934 smp_scan_config 1 45934 NULL
104277 +alloc_mr_45935 alloc_mr 1 45935 NULL
104278 +split_large_page_45941 split_large_page 2 45941 NULL
104279 +rb_simple_read_45972 rb_simple_read 3 45972 NULL
104280 +ezusb_writememory_45976 ezusb_writememory 4 45976 NULL
104281 +ioat2_dca_count_dca_slots_45984 ioat2_dca_count_dca_slots 0 45984 NULL
104282 +ore_calc_stripe_info_46023 ore_calc_stripe_info 2 46023 NULL
104283 +sierra_setup_urb_46029 sierra_setup_urb 5 46029 NULL
104284 +get_free_entries_46030 get_free_entries 1 46030 NULL
104285 +__access_remote_vm_46031 __access_remote_vm 0-5-3 46031 NULL
104286 +snd_emu10k1x_ptr_read_46049 snd_emu10k1x_ptr_read 0 46049 NULL
104287 +acpi_register_gsi_xen_hvm_46052 acpi_register_gsi_xen_hvm 2 46052 NULL
104288 +line6_midibuf_bytes_used_46059 line6_midibuf_bytes_used 0 46059 NULL
104289 +__ocfs2_move_extent_46060 __ocfs2_move_extent 5-6 46060 NULL nohasharray
104290 +dma_tx_errors_read_46060 dma_tx_errors_read 3 46060 &__ocfs2_move_extent_46060
104291 +slhc_toss_46066 slhc_toss 0 46066 NULL
104292 +sel_commit_bools_write_46077 sel_commit_bools_write 3 46077 NULL
104293 +vfio_config_do_rw_46091 vfio_config_do_rw 3 46091 NULL
104294 +ata_host_alloc_46094 ata_host_alloc 2 46094 NULL
104295 +arizona_set_irq_wake_46101 arizona_set_irq_wake 2 46101 NULL
104296 +pkt_ctl_compat_ioctl_46110 pkt_ctl_compat_ioctl 3 46110 NULL
104297 +memcg_update_array_size_46111 memcg_update_array_size 1 46111 NULL nohasharray
104298 +il3945_ucode_general_stats_read_46111 il3945_ucode_general_stats_read 3 46111 &memcg_update_array_size_46111
104299 +C_SYSC_writev_46113 C_SYSC_writev 3 46113 NULL
104300 +mlx4_ib_alloc_fast_reg_page_list_46119 mlx4_ib_alloc_fast_reg_page_list 2 46119 NULL
104301 +paging32_walk_addr_nested_46121 paging32_walk_addr_nested 3 46121 NULL
104302 +vb2_dma_sg_get_userptr_46146 vb2_dma_sg_get_userptr 2 46146 NULL
104303 +__netlink_change_ngroups_46156 __netlink_change_ngroups 2 46156 NULL
104304 +twl_direction_out_46182 twl_direction_out 2 46182 NULL
104305 +vxge_os_dma_malloc_46184 vxge_os_dma_malloc 2 46184 NULL
104306 +add_conn_list_46197 add_conn_list 3 46197 NULL
104307 +i2400m_op_msg_from_user_46213 i2400m_op_msg_from_user 4 46213 NULL
104308 +tm6000_i2c_recv_regs_46215 tm6000_i2c_recv_regs 5 46215 NULL
104309 +dsp_write_46218 dsp_write 2 46218 NULL
104310 +mpi_read_raw_data_46248 mpi_read_raw_data 2 46248 NULL
104311 +nf_nat_ftp_46265 nf_nat_ftp 6 46265 NULL
104312 +ReadReg_46277 ReadReg 0 46277 NULL
104313 +batadv_iv_ogm_queue_add_46319 batadv_iv_ogm_queue_add 3 46319 NULL
104314 +qlcnic_83xx_sysfs_flash_bulk_write_46320 qlcnic_83xx_sysfs_flash_bulk_write 4 46320 NULL
104315 +__hwahc_dev_set_key_46328 __hwahc_dev_set_key 5 46328 NULL
104316 +iwl_dbgfs_chain_noise_read_46355 iwl_dbgfs_chain_noise_read 3 46355 NULL
104317 +smk_write_direct_46363 smk_write_direct 3 46363 NULL
104318 +__iommu_calculate_agaw_46366 __iommu_calculate_agaw 2 46366 NULL
104319 +ubi_dump_flash_46381 ubi_dump_flash 4 46381 NULL
104320 +fuse_file_aio_write_46399 fuse_file_aio_write 4 46399 NULL
104321 +crypto_ablkcipher_reqsize_46411 crypto_ablkcipher_reqsize 0 46411 NULL
104322 +hash_ipportip6_expire_46443 hash_ipportip6_expire 3 46443 NULL
104323 +cp210x_set_config_46447 cp210x_set_config 4 46447 NULL
104324 +filldir64_46469 filldir64 3 46469 NULL
104325 +fill_in_write_vector_46498 fill_in_write_vector 0 46498 NULL
104326 +pin_code_reply_46510 pin_code_reply 4 46510 NULL
104327 +mthca_alloc_cq_buf_46512 mthca_alloc_cq_buf 3 46512 NULL
104328 +kmsg_read_46514 kmsg_read 3 46514 NULL
104329 +bdx_rxdb_create_46525 bdx_rxdb_create 1 46525 NULL
104330 +nl80211_send_rx_assoc_46538 nl80211_send_rx_assoc 4 46538 NULL
104331 +pm860x_irq_domain_map_46553 pm860x_irq_domain_map 2 46553 NULL
104332 +mv_get_hc_count_46554 mv_get_hc_count 0 46554 NULL
104333 +link_send_sections_long_46556 link_send_sections_long 4 46556 NULL
104334 +irq_domain_associate_46564 irq_domain_associate 2 46564 NULL
104335 +dn_current_mss_46574 dn_current_mss 0 46574 NULL
104336 +serverworks_create_gatt_pages_46582 serverworks_create_gatt_pages 1 46582 NULL
104337 +snd_compr_write_data_46592 snd_compr_write_data 3 46592 NULL
104338 +il3945_stats_flag_46606 il3945_stats_flag 0-3 46606 NULL
104339 +vscnprintf_46617 vscnprintf 0-2 46617 NULL
104340 +__kfifo_out_r_46623 __kfifo_out_r 0-3 46623 NULL
104341 +request_key_async_with_auxdata_46624 request_key_async_with_auxdata 4 46624 NULL
104342 +vfs_getxattr_alloc_46649 vfs_getxattr_alloc 0 46649 NULL
104343 +av7110_ipack_init_46655 av7110_ipack_init 2 46655 NULL
104344 +alloc_data_packet_46698 alloc_data_packet 1 46698 NULL
104345 +__ilog2_u32_46706 __ilog2_u32 0 46706 NULL
104346 +erst_dbg_write_46715 erst_dbg_write 3 46715 NULL
104347 +wl1271_rx_filter_alloc_field_46721 wl1271_rx_filter_alloc_field 5 46721 NULL
104348 +prepare_copy_46725 prepare_copy 2 46725 NULL
104349 +irq_domain_add_simple_46734 irq_domain_add_simple 2-3 46734 NULL
104350 +set_memory_wc_46747 set_memory_wc 1 46747 NULL
104351 +ext4_count_free_46754 ext4_count_free 2 46754 NULL nohasharray
104352 +pte_pfn_46754 pte_pfn 0 46754 &ext4_count_free_46754
104353 +hest_ghes_dev_register_46766 hest_ghes_dev_register 1 46766 NULL
104354 +int_hw_irq_en_46776 int_hw_irq_en 3 46776 NULL
104355 +regcache_lzo_sync_46777 regcache_lzo_sync 2 46777 NULL
104356 +_sys_packet_req_46793 _sys_packet_req 4 46793 NULL
104357 +_xfs_buf_get_pages_46811 _xfs_buf_get_pages 2 46811 NULL
104358 +xfs_iroot_realloc_46826 xfs_iroot_realloc 2 46826 NULL
104359 +shmem_pwrite_fast_46842 shmem_pwrite_fast 3 46842 NULL
104360 +spi_async_46857 spi_async 0 46857 NULL
104361 +vsnprintf_46863 vsnprintf 0 46863 NULL nohasharray
104362 +SyS_move_pages_46863 SyS_move_pages 2 46863 &vsnprintf_46863
104363 +nvme_alloc_queue_46865 nvme_alloc_queue 3 46865 NULL
104364 +sip_sprintf_addr_46872 sip_sprintf_addr 0 46872 NULL
104365 +rvmalloc_46873 rvmalloc 1 46873 NULL
104366 +qp_memcpy_from_queue_iov_46874 qp_memcpy_from_queue_iov 4-5 46874 NULL
104367 +hpi_read_word_nolock_46881 hpi_read_word_nolock 0 46881 NULL
104368 +stmpe_gpio_irq_unmap_46884 stmpe_gpio_irq_unmap 2 46884 NULL
104369 +ixgbe_dbg_reg_ops_write_46895 ixgbe_dbg_reg_ops_write 3 46895 NULL
104370 +sk_mem_pages_46896 sk_mem_pages 0-1 46896 NULL
104371 +ol_dqblk_off_46904 ol_dqblk_off 3-2 46904 NULL
104372 +ieee80211_if_fmt_power_mode_46906 ieee80211_if_fmt_power_mode 3 46906 NULL
104373 +wlcore_alloc_hw_46917 wlcore_alloc_hw 1 46917 NULL
104374 +fb_write_46924 fb_write 3 46924 NULL
104375 +btmrvl_curpsmode_read_46939 btmrvl_curpsmode_read 3 46939 NULL
104376 +kvm_register_read_46948 kvm_register_read 0 46948 NULL
104377 +__sctp_setsockopt_connectx_46949 __sctp_setsockopt_connectx 3 46949 NULL
104378 +qla4xxx_post_aen_work_46953 qla4xxx_post_aen_work 3 46953 NULL
104379 +crypto_tfm_alg_alignmask_46971 crypto_tfm_alg_alignmask 0 46971 NULL
104380 +mgmt_pending_add_46976 mgmt_pending_add 5 46976 NULL
104381 +gfs2_xattr_system_set_46996 gfs2_xattr_system_set 4 46996 NULL nohasharray
104382 +sel_write_bool_46996 sel_write_bool 3 46996 &gfs2_xattr_system_set_46996
104383 +ttm_bo_io_47000 ttm_bo_io 5 47000 NULL
104384 +blk_rq_map_kern_47004 blk_rq_map_kern 4 47004 NULL
104385 +add_free_space_entry_47005 add_free_space_entry 2 47005 NULL
104386 +__map_single_47020 __map_single 3-4-7 47020 NULL
104387 +cx231xx_init_bulk_47024 cx231xx_init_bulk 3-2 47024 NULL
104388 +swiotlb_sync_single_47031 swiotlb_sync_single 2 47031 NULL
104389 +set_dis_bypass_pfs_47038 set_dis_bypass_pfs 3 47038 NULL
104390 +fs_path_len_47060 fs_path_len 0 47060 NULL
104391 +ufs_new_fragments_47070 ufs_new_fragments 3-5-4 47070 NULL
104392 +pipeline_dec_packet_in_read_47076 pipeline_dec_packet_in_read 3 47076 NULL
104393 +scsi_deactivate_tcq_47086 scsi_deactivate_tcq 2 47086 NULL
104394 +iwl_dump_nic_event_log_47089 iwl_dump_nic_event_log 0 47089 NULL
104395 +mousedev_read_47123 mousedev_read 3 47123 NULL
104396 +ses_recv_diag_47143 ses_recv_diag 4 47143 NULL nohasharray
104397 +acpi_ut_initialize_buffer_47143 acpi_ut_initialize_buffer 2 47143 &ses_recv_diag_47143
104398 +persistent_ram_iomap_47156 persistent_ram_iomap 1-2 47156 NULL
104399 +mxms_headerlen_47161 mxms_headerlen 0 47161 NULL
104400 +rs_sta_dbgfs_rate_scale_data_read_47165 rs_sta_dbgfs_rate_scale_data_read 3 47165 NULL
104401 +rts51x_ms_rw_47171 rts51x_ms_rw 3-4 47171 NULL
104402 +svc_pool_map_alloc_arrays_47181 svc_pool_map_alloc_arrays 2 47181 NULL
104403 +can_set_system_xattr_47182 can_set_system_xattr 4 47182 NULL
104404 +ioremap_cache_47189 ioremap_cache 1-2 47189 NULL
104405 +gnttab_set_map_op_47206 gnttab_set_map_op 2 47206 NULL
104406 +l2headersize_47238 l2headersize 0 47238 NULL
104407 +options_write_47243 options_write 3 47243 NULL
104408 +portcntrs_1_read_47253 portcntrs_1_read 3 47253 NULL
104409 +da9052_disable_irq_nosync_47260 da9052_disable_irq_nosync 2 47260 NULL
104410 +ablkcipher_next_slow_47274 ablkcipher_next_slow 4-3 47274 NULL
104411 +tty_audit_log_47280 tty_audit_log 8 47280 NULL
104412 +gfs2_readpages_47285 gfs2_readpages 4 47285 NULL
104413 +vsnprintf_47291 vsnprintf 0 47291 NULL
104414 +SYSC_semop_47292 SYSC_semop 3 47292 NULL
104415 +tx_internal_desc_overflow_read_47300 tx_internal_desc_overflow_read 3 47300 NULL
104416 +SyS_madvise_47354 SyS_madvise 1 47354 NULL
104417 +ieee80211_if_read_dot11MeshHoldingTimeout_47356 ieee80211_if_read_dot11MeshHoldingTimeout 3 47356 NULL
104418 +avc_get_hash_stats_47359 avc_get_hash_stats 0 47359 NULL
104419 +find_first_zero_bit_le_47369 find_first_zero_bit_le 2 47369 NULL
104420 +__bio_map_kern_47379 __bio_map_kern 3 47379 NULL
104421 +nv_rd32_47390 nv_rd32 0 47390 NULL nohasharray
104422 +trace_options_core_read_47390 trace_options_core_read 3 47390 &nv_rd32_47390
104423 +nametbl_list_47391 nametbl_list 2 47391 NULL
104424 +dgrp_net_write_47392 dgrp_net_write 3 47392 NULL
104425 +pfkey_sendmsg_47394 pfkey_sendmsg 4 47394 NULL
104426 +gfn_to_pfn_prot_47398 gfn_to_pfn_prot 2 47398 NULL
104427 +ocfs2_resv_end_47408 ocfs2_resv_end 0 47408 NULL
104428 +sta_vht_capa_read_47409 sta_vht_capa_read 3 47409 NULL
104429 +crypto_ablkcipher_alignmask_47410 crypto_ablkcipher_alignmask 0 47410 NULL
104430 +vzalloc_47421 vzalloc 1 47421 NULL
104431 +hash_ipportip4_expire_47426 hash_ipportip4_expire 3 47426 NULL
104432 +posix_acl_from_disk_47445 posix_acl_from_disk 2 47445 NULL
104433 +__load_mapping_47460 __load_mapping 2 47460 NULL
104434 +nvme_trans_send_fw_cmd_47479 nvme_trans_send_fw_cmd 4 47479 NULL
104435 +wb_force_mapping_47485 wb_force_mapping 2 47485 NULL nohasharray
104436 +newpart_47485 newpart 6 47485 &wb_force_mapping_47485
104437 +core_sys_select_47494 core_sys_select 1 47494 NULL
104438 +alloc_arraycache_47505 alloc_arraycache 2 47505 NULL
104439 +unlink_simple_47506 unlink_simple 3 47506 NULL
104440 +ufs_inode_getblock_47512 ufs_inode_getblock 4 47512 NULL
104441 +vscnprintf_47533 vscnprintf 0-2 47533 NULL nohasharray
104442 +process_vm_rw_47533 process_vm_rw 3-5 47533 &vscnprintf_47533
104443 +oz_events_read_47535 oz_events_read 3 47535 NULL
104444 +ieee80211_if_fmt_min_discovery_timeout_47539 ieee80211_if_fmt_min_discovery_timeout 3 47539 NULL
104445 +read_ldt_47570 read_ldt 2 47570 NULL
104446 +_rtl_rx_get_padding_47572 _rtl_rx_get_padding 0 47572 NULL nohasharray
104447 +isku_sysfs_read_last_set_47572 isku_sysfs_read_last_set 6 47572 &_rtl_rx_get_padding_47572
104448 +pci_iomap_47575 pci_iomap 3 47575 NULL
104449 +rpipe_get_idx_47579 rpipe_get_idx 2 47579 NULL
104450 +SYSC_fcntl64_47581 SYSC_fcntl64 3 47581 NULL
104451 +ext4_kvzalloc_47605 ext4_kvzalloc 1 47605 NULL
104452 +sctp_ssnmap_new_47608 sctp_ssnmap_new 1-2 47608 NULL
104453 +uea_request_47613 uea_request 4 47613 NULL
104454 +cache_read_pipefs_47615 cache_read_pipefs 3 47615 NULL
104455 +twl4030_clear_set_47624 twl4030_clear_set 4 47624 NULL
104456 +irq_set_chip_47638 irq_set_chip 1 47638 NULL
104457 +__build_packet_message_47643 __build_packet_message 3-9 47643 NULL
104458 +global_rt_runtime_47712 global_rt_runtime 0 47712 NULL
104459 +save_microcode_47717 save_microcode 3 47717 NULL
104460 +bits_to_user_47733 bits_to_user 2-3 47733 NULL
104461 +carl9170_debugfs_read_47738 carl9170_debugfs_read 3 47738 NULL
104462 +ir_prepare_write_buffer_47747 ir_prepare_write_buffer 3 47747 NULL
104463 +mvumi_alloc_mem_resource_47750 mvumi_alloc_mem_resource 3 47750 NULL
104464 +ext3_find_near_47752 ext3_find_near 0 47752 NULL
104465 +alloc_sched_domains_47756 alloc_sched_domains 1 47756 NULL
104466 +i915_wedged_write_47771 i915_wedged_write 3 47771 NULL
104467 +uwb_ie_dump_hex_47774 uwb_ie_dump_hex 4 47774 NULL
104468 +SyS_setgroups16_47780 SyS_setgroups16 1 47780 NULL
104469 +error_error_numll_frame_cts_start_read_47781 error_error_numll_frame_cts_start_read 3 47781 NULL
104470 +posix_acl_fix_xattr_from_user_47793 posix_acl_fix_xattr_from_user 2 47793 NULL
104471 +stmmac_set_bfsize_47834 stmmac_set_bfsize 0 47834 NULL
104472 +KEY_SIZE_47855 KEY_SIZE 0 47855 NULL
104473 +ubifs_unpack_nnode_47866 ubifs_unpack_nnode 0 47866 NULL
104474 +vhci_read_47878 vhci_read 3 47878 NULL
104475 +keyctl_instantiate_key_common_47889 keyctl_instantiate_key_common 4 47889 NULL
104476 +load_mapping_47904 load_mapping 3 47904 NULL
104477 +osd_req_read_sg_47905 osd_req_read_sg 5 47905 NULL
104478 +comedi_write_47926 comedi_write 3 47926 NULL
104479 +nvme_trans_get_blk_desc_len_47946 nvme_trans_get_blk_desc_len 0-2 47946 NULL
104480 +lp8788_irq_map_47964 lp8788_irq_map 2 47964 NULL
104481 +iwl_dbgfs_ucode_tracing_read_47983 iwl_dbgfs_ucode_tracing_read 3 47983 NULL nohasharray
104482 +mempool_resize_47983 mempool_resize 2 47983 &iwl_dbgfs_ucode_tracing_read_47983
104483 +dbg_port_buf_47990 dbg_port_buf 2 47990 NULL
104484 +ib_umad_write_47993 ib_umad_write 3 47993 NULL
104485 +ffs_epfile_write_48014 ffs_epfile_write 3 48014 NULL
104486 +bio_integrity_set_tag_48035 bio_integrity_set_tag 3 48035 NULL
104487 +pppoe_sendmsg_48039 pppoe_sendmsg 4 48039 NULL
104488 +SYSC_writev_48040 SYSC_writev 3 48040 NULL
104489 +wpan_phy_alloc_48056 wpan_phy_alloc 1 48056 NULL
104490 +posix_acl_alloc_48063 posix_acl_alloc 1 48063 NULL
104491 +palmas_bulk_write_48068 palmas_bulk_write 2-3-5 48068 NULL
104492 +disc_write_48070 disc_write 3 48070 NULL
104493 +mmc_alloc_host_48097 mmc_alloc_host 1 48097 NULL
104494 +skb_copy_datagram_const_iovec_48102 skb_copy_datagram_const_iovec 4-2-5 48102 NULL
104495 +radio_isa_common_probe_48107 radio_isa_common_probe 3 48107 NULL
104496 +vmw_framebuffer_surface_dirty_48132 vmw_framebuffer_surface_dirty 6 48132 NULL
104497 +set_discoverable_48141 set_discoverable 4 48141 NULL
104498 +dn_fib_count_nhs_48145 dn_fib_count_nhs 0 48145 NULL
104499 +bitmap_onto_48152 bitmap_onto 4 48152 NULL
104500 +isr_dma1_done_read_48159 isr_dma1_done_read 3 48159 NULL
104501 +c4iw_id_table_alloc_48163 c4iw_id_table_alloc 3 48163 NULL
104502 +ocfs2_find_next_zero_bit_unaligned_48170 ocfs2_find_next_zero_bit_unaligned 2-3 48170 NULL nohasharray
104503 +rbd_obj_method_sync_48170 rbd_obj_method_sync 8 48170 &ocfs2_find_next_zero_bit_unaligned_48170
104504 +alloc_cc770dev_48186 alloc_cc770dev 1 48186 NULL
104505 +init_ipath_48187 init_ipath 1 48187 NULL
104506 +brcmf_sdio_chip_cm3_exitdl_48192 brcmf_sdio_chip_cm3_exitdl 4 48192 NULL
104507 +snd_seq_dump_var_event_48209 snd_seq_dump_var_event 0 48209 NULL
104508 +is_block_in_journal_48223 is_block_in_journal 3 48223 NULL
104509 +uv_blade_nr_possible_cpus_48226 uv_blade_nr_possible_cpus 0 48226 NULL
104510 +nilfs_readpages_48229 nilfs_readpages 4 48229 NULL
104511 +read_file_recv_48232 read_file_recv 3 48232 NULL
104512 +unaccount_shadowed_48233 unaccount_shadowed 2 48233 NULL
104513 +nfsctl_transaction_read_48250 nfsctl_transaction_read 3 48250 NULL
104514 +cache_write_pipefs_48270 cache_write_pipefs 3 48270 NULL
104515 +send_set_info_48288 send_set_info 7 48288 NULL
104516 +set_disc_pwup_pfs_48300 set_disc_pwup_pfs 3 48300 NULL
104517 +lpfc_idiag_extacc_read_48301 lpfc_idiag_extacc_read 3 48301 NULL
104518 +timblogiw_read_48305 timblogiw_read 3 48305 NULL
104519 +hash_setkey_48310 hash_setkey 3 48310 NULL
104520 +__alloc_fd_48356 __alloc_fd 2 48356 NULL
104521 +skb_add_data_48363 skb_add_data 3 48363 NULL
104522 +tx_frag_init_called_read_48377 tx_frag_init_called_read 3 48377 NULL
104523 +ixgbe_pci_sriov_enable_48410 ixgbe_pci_sriov_enable 2 48410 NULL
104524 +lbs_debugfs_write_48413 lbs_debugfs_write 3 48413 NULL
104525 +pwr_tx_without_ps_read_48423 pwr_tx_without_ps_read 3 48423 NULL
104526 +nfs4_alloc_pages_48426 nfs4_alloc_pages 1 48426 NULL
104527 +print_filtered_48442 print_filtered 2-0 48442 NULL
104528 +tun_recvmsg_48463 tun_recvmsg 4 48463 NULL
104529 +r8712_usbctrl_vendorreq_48489 r8712_usbctrl_vendorreq 6 48489 NULL
104530 +send_control_msg_48498 send_control_msg 6 48498 NULL
104531 +mlx4_en_create_tx_ring_48501 mlx4_en_create_tx_ring 4 48501 NULL
104532 +count_masked_bytes_48507 count_masked_bytes 0-1 48507 NULL
104533 +diva_os_copy_to_user_48508 diva_os_copy_to_user 4 48508 NULL
104534 +brcmf_sdio_trap_info_48510 brcmf_sdio_trap_info 4 48510 NULL
104535 +phantom_get_free_48514 phantom_get_free 0 48514 NULL
104536 +wiimote_hid_send_48528 wiimote_hid_send 3 48528 NULL
104537 +ext3_splice_branch_48531 ext3_splice_branch 6 48531 NULL
104538 +named_distribute_48544 named_distribute 4 48544 NULL
104539 +raid10_size_48571 raid10_size 0-2-3 48571 NULL
104540 +ufs_dtogd_48616 ufs_dtogd 0-2 48616 NULL
104541 +do_ip_vs_set_ctl_48641 do_ip_vs_set_ctl 4 48641 NULL
104542 +mtd_read_48655 mtd_read 0 48655 NULL
104543 +aes_encrypt_packets_read_48666 aes_encrypt_packets_read 3 48666 NULL
104544 +ore_get_rw_state_48667 ore_get_rw_state 4 48667 NULL
104545 +sm501_create_subdev_48668 sm501_create_subdev 3-4 48668 NULL nohasharray
104546 +sys_setgroups_48668 sys_setgroups 1 48668 &sm501_create_subdev_48668
104547 +altera_drscan_48698 altera_drscan 2 48698 NULL
104548 +kvm_set_irq_routing_48704 kvm_set_irq_routing 3 48704 NULL
104549 +ath6kl_usb_bmi_read_48745 ath6kl_usb_bmi_read 3 48745 NULL
104550 +ath6kl_regwrite_read_48747 ath6kl_regwrite_read 3 48747 NULL
104551 +l2cap_segment_sdu_48772 l2cap_segment_sdu 4 48772 NULL
104552 +lua_sysfs_write_48797 lua_sysfs_write 6 48797 NULL
104553 +il3945_sta_dbgfs_stats_table_read_48802 il3945_sta_dbgfs_stats_table_read 3 48802 NULL
104554 +twa_change_queue_depth_48808 twa_change_queue_depth 2 48808 NULL
104555 +atomic_counters_read_48827 atomic_counters_read 3 48827 NULL
104556 +efi_memory_uc_48828 efi_memory_uc 1 48828 NULL
104557 +azx_get_position_48841 azx_get_position 0 48841 NULL
104558 +vc_do_resize_48842 vc_do_resize 3-4 48842 NULL
104559 +C_SYSC_pwritev64_48864 C_SYSC_pwritev64 3 48864 NULL nohasharray
104560 +viafb_dvp1_proc_write_48864 viafb_dvp1_proc_write 3 48864 &C_SYSC_pwritev64_48864
104561 +__ffs_ep0_read_events_48868 __ffs_ep0_read_events 3 48868 NULL
104562 +sys_setgroups16_48882 sys_setgroups16 1 48882 NULL
104563 +ext2_alloc_branch_48889 ext2_alloc_branch 4 48889 NULL
104564 +crypto_cipher_ctxsize_48890 crypto_cipher_ctxsize 0 48890 NULL
104565 +xdi_copy_to_user_48900 xdi_copy_to_user 4 48900 NULL
104566 +msg_hdr_sz_48908 msg_hdr_sz 0 48908 NULL
104567 +gdth_isa_probe_one_48925 gdth_isa_probe_one 1 48925 NULL
104568 +sep_crypto_dma_48937 sep_crypto_dma 0 48937 NULL
104569 +event_heart_beat_read_48961 event_heart_beat_read 3 48961 NULL
104570 +nand_ecc_test_run_48966 nand_ecc_test_run 1 48966 NULL
104571 +vmci_handle_arr_create_48971 vmci_handle_arr_create 1 48971 NULL
104572 +batadv_orig_hash_del_if_48972 batadv_orig_hash_del_if 2 48972 NULL
104573 +_alloc_set_attr_list_48991 _alloc_set_attr_list 4 48991 NULL
104574 +rds_rm_size_48996 rds_rm_size 0-2 48996 NULL
104575 +sel_write_enforce_48998 sel_write_enforce 3 48998 NULL
104576 +filemap_check_errors_49022 filemap_check_errors 0 49022 NULL
104577 +transient_status_49027 transient_status 4 49027 NULL
104578 +ipath_reg_user_mr_49038 ipath_reg_user_mr 2-3 49038 NULL
104579 +setup_msi_irq_49052 setup_msi_irq 3-4 49052 NULL
104580 +ubi_read_49061 ubi_read 0 49061 NULL
104581 +scsi_register_49094 scsi_register 2 49094 NULL
104582 +paging64_walk_addr_nested_49100 paging64_walk_addr_nested 3 49100 NULL
104583 +compat_do_readv_writev_49102 compat_do_readv_writev 4 49102 NULL
104584 +check_exists_49119 check_exists 2 49119 NULL nohasharray
104585 +xfrm_replay_state_esn_len_49119 xfrm_replay_state_esn_len 0 49119 &check_exists_49119
104586 +pt_read_49136 pt_read 3 49136 NULL
104587 +tipc_multicast_49144 tipc_multicast 5 49144 NULL
104588 +atyfb_setup_generic_49151 atyfb_setup_generic 3 49151 NULL
104589 +ipwireless_tty_received_49154 ipwireless_tty_received 3 49154 NULL
104590 +f2fs_acl_count_49155 f2fs_acl_count 0-1 49155 NULL
104591 +ipw_queue_tx_init_49161 ipw_queue_tx_init 3 49161 NULL
104592 +ext4_free_clusters_after_init_49174 ext4_free_clusters_after_init 2 49174 NULL
104593 +dvb_dvr_ioctl_49182 dvb_dvr_ioctl 2 49182 NULL
104594 +iwl_dbgfs_ucode_general_stats_read_49199 iwl_dbgfs_ucode_general_stats_read 3 49199 NULL
104595 +il4965_rs_sta_dbgfs_stats_table_read_49206 il4965_rs_sta_dbgfs_stats_table_read 3 49206 NULL
104596 +do_jffs2_getxattr_49210 do_jffs2_getxattr 0 49210 NULL
104597 +resp_write_same_49217 resp_write_same 2 49217 NULL
104598 +nouveau_therm_create__49228 nouveau_therm_create_ 4 49228 NULL
104599 +nouveau_i2c_port_create__49237 nouveau_i2c_port_create_ 6 49237 NULL
104600 +hugetlb_cgroup_read_49259 hugetlb_cgroup_read 5 49259 NULL
104601 +ieee80211_if_read_rssi_threshold_49260 ieee80211_if_read_rssi_threshold 3 49260 NULL
104602 +isku_sysfs_read_keys_media_49268 isku_sysfs_read_keys_media 6 49268 NULL
104603 +osd_req_add_get_attr_list_49278 osd_req_add_get_attr_list 3 49278 NULL
104604 +rx_filter_beacon_filter_read_49279 rx_filter_beacon_filter_read 3 49279 NULL
104605 +uio_read_49300 uio_read 3 49300 NULL
104606 +ocfs2_resmap_find_free_bits_49301 ocfs2_resmap_find_free_bits 3 49301 NULL
104607 +isku_sysfs_read_keys_macro_49312 isku_sysfs_read_keys_macro 6 49312 NULL
104608 +SYSC_mincore_49319 SYSC_mincore 1 49319 NULL
104609 +fwtty_port_handler_49327 fwtty_port_handler 9 49327 NULL
104610 +srpt_alloc_ioctx_ring_49330 srpt_alloc_ioctx_ring 2-3-4 49330 NULL
104611 +cfpkt_setlen_49343 cfpkt_setlen 2 49343 NULL
104612 +joydev_ioctl_common_49359 joydev_ioctl_common 2 49359 NULL
104613 +ocfs2_remove_btree_range_49370 ocfs2_remove_btree_range 4-5-3 49370 NULL
104614 +px_raw_event_49371 px_raw_event 4 49371 NULL
104615 +iscsi_alloc_session_49390 iscsi_alloc_session 3 49390 NULL
104616 +applesmc_create_nodes_49392 applesmc_create_nodes 2 49392 NULL
104617 +rx_streaming_always_read_49401 rx_streaming_always_read 3 49401 NULL
104618 +tnode_alloc_49407 tnode_alloc 1 49407 NULL
104619 +samples_to_bytes_49426 samples_to_bytes 0-2 49426 NULL
104620 +md_domain_init_49432 md_domain_init 2 49432 NULL
104621 +compat_do_msg_fill_49440 compat_do_msg_fill 3 49440 NULL
104622 +get_lru_size_49441 get_lru_size 0 49441 NULL
104623 +agp_3_5_isochronous_node_enable_49465 agp_3_5_isochronous_node_enable 3 49465 NULL
104624 +xfs_iformat_local_49472 xfs_iformat_local 4 49472 NULL
104625 +savu_sysfs_read_49473 savu_sysfs_read 6 49473 NULL
104626 +isr_decrypt_done_read_49490 isr_decrypt_done_read 3 49490 NULL
104627 +SyS_listxattr_49519 SyS_listxattr 3 49519 NULL
104628 +emulator_write_phys_49520 emulator_write_phys 2-4 49520 NULL
104629 +acpi_os_ioremap_49523 acpi_os_ioremap 1-2 49523 NULL
104630 +smk_write_access_49561 smk_write_access 3 49561 NULL
104631 +ntfs_malloc_nofs_49572 ntfs_malloc_nofs 1 49572 NULL
104632 +alloc_chunk_49575 alloc_chunk 1 49575 NULL
104633 +sctp_setsockopt_default_send_param_49578 sctp_setsockopt_default_send_param 3 49578 NULL
104634 +tap_write_49595 tap_write 3 49595 NULL
104635 +isr_wakeups_read_49607 isr_wakeups_read 3 49607 NULL
104636 +btrfs_mksubvol_49616 btrfs_mksubvol 3 49616 NULL
104637 +heap_init_49617 heap_init 2 49617 NULL
104638 +smk_write_doi_49621 smk_write_doi 3 49621 NULL
104639 +btrfsic_cmp_log_and_dev_bytenr_49628 btrfsic_cmp_log_and_dev_bytenr 2 49628 NULL
104640 +aa_simple_write_to_buffer_49683 aa_simple_write_to_buffer 3-4 49683 NULL
104641 +SyS_pwritev_49688 SyS_pwritev 3 49688 NULL
104642 +sys_gethostname_49698 sys_gethostname 2 49698 NULL
104643 +cx2341x_ctrl_new_menu_49700 cx2341x_ctrl_new_menu 3 49700 NULL
104644 +dm_thin_insert_block_49720 dm_thin_insert_block 2-3 49720 NULL
104645 +sep_create_dcb_dmatables_context_kernel_49728 sep_create_dcb_dmatables_context_kernel 6 49728 NULL
104646 +sys_fsetxattr_49736 sys_fsetxattr 4 49736 NULL
104647 +check_frame_49741 check_frame 0 49741 NULL
104648 +zd_usb_iowrite16v_49744 zd_usb_iowrite16v 3 49744 NULL
104649 +btrfs_chunk_num_stripes_49751 btrfs_chunk_num_stripes 0 49751 NULL
104650 +fuse_wr_pages_49753 fuse_wr_pages 0-1-2 49753 NULL
104651 +key_conf_keylen_read_49758 key_conf_keylen_read 3 49758 NULL
104652 +fuse_conn_waiting_read_49762 fuse_conn_waiting_read 3 49762 NULL
104653 +isku_sysfs_write_49767 isku_sysfs_write 6-5 49767 NULL
104654 +ceph_osdc_readpages_49789 ceph_osdc_readpages 10-4 49789 NULL
104655 +nfs4_acl_new_49806 nfs4_acl_new 1 49806 NULL
104656 +arch_gnttab_map_status_49812 arch_gnttab_map_status 3 49812 NULL
104657 +ntfs_copy_from_user_iovec_49829 ntfs_copy_from_user_iovec 3-6-0 49829 NULL
104658 +add_uuid_49831 add_uuid 4 49831 NULL
104659 +tcf_csum_ipv4_tcp_49834 tcf_csum_ipv4_tcp 3 49834 NULL
104660 +ath6kl_fwlog_block_read_49836 ath6kl_fwlog_block_read 3 49836 NULL
104661 +twl4030_write_49846 twl4030_write 2 49846 NULL
104662 +scsi_dispatch_cmd_entry_49848 scsi_dispatch_cmd_entry 3 49848 NULL
104663 +timeradd_entry_49850 timeradd_entry 3 49850 NULL
104664 +btrfs_subvolume_reserve_metadata_49859 btrfs_subvolume_reserve_metadata 3 49859 NULL
104665 +sctp_setsockopt_bindx_49870 sctp_setsockopt_bindx 3 49870 NULL
104666 +ceph_get_caps_49890 ceph_get_caps 0 49890 NULL
104667 +__cow_file_range_49901 __cow_file_range 5 49901 NULL
104668 +__copy_from_user_inatomic_nocache_49921 __copy_from_user_inatomic_nocache 3 49921 NULL
104669 +batadv_tt_realloc_packet_buff_49960 batadv_tt_realloc_packet_buff 4 49960 NULL
104670 +b43legacy_pio_read_49978 b43legacy_pio_read 0 49978 NULL
104671 +ieee80211_if_fmt_dtim_count_49987 ieee80211_if_fmt_dtim_count 3 49987 NULL
104672 +sta2x11_swiotlb_alloc_coherent_49994 sta2x11_swiotlb_alloc_coherent 2 49994 NULL
104673 +l2cap_chan_send_49995 l2cap_chan_send 3 49995 NULL
104674 +__module_alloc_50004 __module_alloc 1 50004 NULL
104675 +dn_mss_from_pmtu_50011 dn_mss_from_pmtu 0-2 50011 NULL
104676 +ptrace_readdata_50020 ptrace_readdata 2-4 50020 NULL
104677 +isdn_read_50021 isdn_read 3 50021 NULL
104678 +qp_alloc_queue_50028 qp_alloc_queue 1 50028 NULL
104679 +alloc_ebda_hpc_50046 alloc_ebda_hpc 1-2 50046 NULL
104680 +vmw_surface_destroy_size_50072 vmw_surface_destroy_size 0 50072 NULL
104681 +arch_setup_ht_irq_50073 arch_setup_ht_irq 1 50073 NULL
104682 +dev_set_alias_50084 dev_set_alias 3 50084 NULL
104683 +pcpu_get_vm_areas_50085 pcpu_get_vm_areas 3 50085 NULL
104684 +sock_setsockopt_50088 sock_setsockopt 5 50088 NULL
104685 +altera_swap_dr_50090 altera_swap_dr 2 50090 NULL
104686 +read_file_slot_50111 read_file_slot 3 50111 NULL
104687 +SYSC_preadv_50134 SYSC_preadv 3 50134 NULL
104688 +copy_items_50140 copy_items 6 50140 NULL
104689 +tx_frag_need_fragmentation_read_50153 tx_frag_need_fragmentation_read 3 50153 NULL
104690 +set_cmd_header_50155 set_cmd_header 0 50155 NULL
104691 +reiserfs_bmap_count_50160 reiserfs_bmap_count 0 50160 NULL
104692 +aac_nark_ioremap_50163 aac_nark_ioremap 2 50163 NULL nohasharray
104693 +kmalloc_node_50163 kmalloc_node 1 50163 &aac_nark_ioremap_50163
104694 +rx_filter_ibss_filter_read_50167 rx_filter_ibss_filter_read 3 50167 NULL
104695 +odev_update_50169 odev_update 2 50169 NULL
104696 +ieee80211_if_fmt_dot11MeshHWMPRannInterval_50172 ieee80211_if_fmt_dot11MeshHWMPRannInterval 3 50172 NULL nohasharray
104697 +ubi_resize_volume_50172 ubi_resize_volume 2 50172 &ieee80211_if_fmt_dot11MeshHWMPRannInterval_50172
104698 +ib_send_cm_drep_50186 ib_send_cm_drep 3 50186 NULL
104699 +cfg80211_roamed_bss_50198 cfg80211_roamed_bss 4-6 50198 NULL
104700 +rx_rx_timeout_wa_read_50204 rx_rx_timeout_wa_read 3 50204 NULL
104701 +ieee80211_skb_resize_50211 ieee80211_skb_resize 3 50211 NULL
104702 +mon_bin_compat_ioctl_50234 mon_bin_compat_ioctl 3 50234 NULL
104703 +sg_kmalloc_50240 sg_kmalloc 1 50240 NULL
104704 +afs_extract_data_50261 afs_extract_data 5 50261 NULL
104705 +rxrpc_setsockopt_50286 rxrpc_setsockopt 5 50286 NULL
104706 +soc_codec_reg_show_50302 soc_codec_reg_show 0 50302 NULL
104707 +SYSC_flistxattr_50307 SYSC_flistxattr 3 50307 NULL
104708 +SYSC_sched_setaffinity_50310 SYSC_sched_setaffinity 2 50310 NULL
104709 +soc_camera_read_50319 soc_camera_read 3 50319 NULL
104710 +do_launder_page_50329 do_launder_page 0 50329 NULL
104711 +nouveau_engine_create__50331 nouveau_engine_create_ 7 50331 NULL
104712 +lpfc_idiag_pcicfg_read_50334 lpfc_idiag_pcicfg_read 3 50334 NULL
104713 +ocfs2_block_to_cluster_group_50337 ocfs2_block_to_cluster_group 2 50337 NULL nohasharray
104714 +snd_pcm_lib_writev_50337 snd_pcm_lib_writev 0-3 50337 &ocfs2_block_to_cluster_group_50337
104715 +roccat_common2_send_with_status_50343 roccat_common2_send_with_status 4 50343 NULL
104716 +tpm_read_50344 tpm_read 3 50344 NULL
104717 +sched_clock_remote_50347 sched_clock_remote 0 50347 NULL
104718 +kvm_arch_create_memslot_50354 kvm_arch_create_memslot 2 50354 NULL
104719 +isdn_ppp_read_50356 isdn_ppp_read 4 50356 NULL
104720 +unpack_u16_chunk_50357 unpack_u16_chunk 0 50357 NULL
104721 +xfrm_send_migrate_50365 xfrm_send_migrate 5 50365 NULL
104722 +roccat_common2_receive_50369 roccat_common2_receive 4 50369 NULL
104723 +sl_alloc_bufs_50380 sl_alloc_bufs 2 50380 NULL
104724 +hash_ip6_expire_50390 hash_ip6_expire 3 50390 NULL
104725 +l2tp_ip_sendmsg_50411 l2tp_ip_sendmsg 4 50411 NULL
104726 +ceph_writepages_osd_request_50423 ceph_writepages_osd_request 5 50423 NULL
104727 +iscsi_create_conn_50425 iscsi_create_conn 2 50425 NULL
104728 +validate_acl_mac_addrs_50429 validate_acl_mac_addrs 0 50429 NULL
104729 +btrfs_error_discard_extent_50444 btrfs_error_discard_extent 2 50444 NULL
104730 +calc_csum_metadata_size_50448 calc_csum_metadata_size 0 50448 NULL
104731 +pgctrl_write_50453 pgctrl_write 3 50453 NULL
104732 +force_mapping_50464 force_mapping 2 50464 NULL
104733 +cdrom_read_cdda_50478 cdrom_read_cdda 4 50478 NULL
104734 +mei_io_cb_alloc_req_buf_50493 mei_io_cb_alloc_req_buf 2 50493 NULL
104735 +pwr_rcvd_awake_beacons_read_50505 pwr_rcvd_awake_beacons_read 3 50505 NULL
104736 +fwnet_receive_packet_50537 fwnet_receive_packet 9 50537 NULL
104737 +ath6kl_set_ap_probe_resp_ies_50539 ath6kl_set_ap_probe_resp_ies 3 50539 NULL
104738 +hme_read_desc32_50574 hme_read_desc32 0 50574 NULL
104739 +fat_readpages_50582 fat_readpages 4 50582 NULL
104740 +iwl_dbgfs_missed_beacon_read_50584 iwl_dbgfs_missed_beacon_read 3 50584 NULL
104741 +build_inv_iommu_pages_50589 build_inv_iommu_pages 2-3 50589 NULL
104742 +sge_rx_50594 sge_rx 3 50594 NULL
104743 +rx_rx_checksum_result_read_50617 rx_rx_checksum_result_read 3 50617 NULL
104744 +__ffs_50625 __ffs 0 50625 NULL
104745 +regcache_rbtree_write_50629 regcache_rbtree_write 2 50629 NULL
104746 +simple_transaction_get_50633 simple_transaction_get 3 50633 NULL
104747 +ath6kl_tm_rx_event_50664 ath6kl_tm_rx_event 3 50664 NULL nohasharray
104748 +sys_readv_50664 sys_readv 3 50664 &ath6kl_tm_rx_event_50664
104749 +bnad_debugfs_read_50665 bnad_debugfs_read 3 50665 NULL
104750 +ext2_try_to_allocate_with_rsv_50669 ext2_try_to_allocate_with_rsv 4-2 50669 NULL
104751 +btmrvl_psstate_read_50683 btmrvl_psstate_read 3 50683 NULL
104752 +swiotlb_free_coherent_50690 swiotlb_free_coherent 4 50690 NULL
104753 +paging32_gva_to_gpa_50696 paging32_gva_to_gpa 2 50696 NULL
104754 +xfs_growfs_get_hdr_buf_50697 xfs_growfs_get_hdr_buf 3 50697 NULL
104755 +blk_check_plugged_50736 blk_check_plugged 3 50736 NULL
104756 +__ext3_get_inode_loc_50744 __ext3_get_inode_loc 0 50744 NULL
104757 +skb_padto_50759 skb_padto 2 50759 NULL
104758 +ocfs2_xattr_block_get_50773 ocfs2_xattr_block_get 0 50773 NULL
104759 +tm6000_read_write_usb_50774 tm6000_read_write_usb 7 50774 NULL
104760 +bio_alloc_map_data_50782 bio_alloc_map_data 1-2 50782 NULL
104761 +tpm_write_50798 tpm_write 3 50798 NULL
104762 +write_flush_50803 write_flush 3 50803 NULL
104763 +dvb_play_50814 dvb_play 3 50814 NULL
104764 +dpcm_show_state_50827 dpcm_show_state 0 50827 NULL
104765 +acpi_ev_install_gpe_block_50829 acpi_ev_install_gpe_block 2 50829 NULL
104766 +SetArea_50835 SetArea 4 50835 NULL nohasharray
104767 +create_mem_extents_50835 create_mem_extents 0 50835 &SetArea_50835
104768 +videobuf_dma_init_user_50839 videobuf_dma_init_user 3 50839 NULL
104769 +self_check_write_50856 self_check_write 5 50856 NULL
104770 +carl9170_debugfs_write_50857 carl9170_debugfs_write 3 50857 NULL
104771 +SyS_lgetxattr_50889 SyS_lgetxattr 4 50889 NULL
104772 +netlbl_secattr_catmap_walk_rng_50894 netlbl_secattr_catmap_walk_rng 0-2 50894 NULL
104773 +osd_req_write_sg_50908 osd_req_write_sg 5 50908 NULL
104774 +xfs_iext_remove_50909 xfs_iext_remove 3 50909 NULL
104775 +blk_rq_cur_sectors_50910 blk_rq_cur_sectors 0 50910 NULL
104776 +hash_recvmsg_50924 hash_recvmsg 4 50924 NULL
104777 +chd_dec_fetch_cdata_50926 chd_dec_fetch_cdata 3 50926 NULL
104778 +ocfs2_add_refcount_flag_50952 ocfs2_add_refcount_flag 6 50952 NULL
104779 +SyS_setxattr_50957 SyS_setxattr 4 50957 NULL
104780 +iwl_statistics_flag_50981 iwl_statistics_flag 0-3 50981 NULL
104781 +timeout_write_50991 timeout_write 3 50991 NULL
104782 +wm831x_irq_map_50995 wm831x_irq_map 2 50995 NULL
104783 +proc_write_51003 proc_write 3 51003 NULL
104784 +snd_pcm_default_page_ops_51021 snd_pcm_default_page_ops 2 51021 NULL
104785 +lbs_dev_info_51023 lbs_dev_info 3 51023 NULL
104786 +ntfs_attr_find_51028 ntfs_attr_find 0 51028 NULL nohasharray
104787 +fuse_conn_congestion_threshold_read_51028 fuse_conn_congestion_threshold_read 3 51028 &ntfs_attr_find_51028
104788 +BcmGetSectionValEndOffset_51039 BcmGetSectionValEndOffset 0 51039 NULL
104789 +dump_midi_51040 dump_midi 3 51040 NULL
104790 +srpt_alloc_ioctx_51042 srpt_alloc_ioctx 2-3 51042 NULL
104791 +do_arpt_set_ctl_51053 do_arpt_set_ctl 4 51053 NULL
104792 +wusb_prf_64_51065 wusb_prf_64 7 51065 NULL
104793 +jbd2_journal_init_revoke_51088 jbd2_journal_init_revoke 2 51088 NULL
104794 +solo_enc_v4l2_init_51094 solo_enc_v4l2_init 2 51094 NULL
104795 +__ocfs2_find_path_51096 __ocfs2_find_path 0 51096 NULL
104796 +ti_recv_51110 ti_recv 3 51110 NULL
104797 +dgrp_net_read_51113 dgrp_net_read 3 51113 NULL
104798 +nfs_map_name_to_uid_51132 nfs_map_name_to_uid 3 51132 NULL
104799 +alloc_rtllib_51136 alloc_rtllib 1 51136 NULL
104800 +simple_xattr_set_51140 simple_xattr_set 4 51140 NULL
104801 +set_dirty_51144 set_dirty 3 51144 NULL
104802 +xfs_trans_get_efd_51148 xfs_trans_get_efd 3 51148 NULL
104803 +compat_sys_pwritev64_51151 compat_sys_pwritev64 3 51151 NULL
104804 +blk_bio_map_sg_51213 blk_bio_map_sg 0 51213 NULL
104805 +nf_ct_ext_create_51232 nf_ct_ext_create 3 51232 NULL
104806 +snd_pcm_write_51235 snd_pcm_write 3 51235 NULL
104807 +tipc_send_51238 tipc_send 4 51238 NULL
104808 +drm_property_create_51239 drm_property_create 4 51239 NULL
104809 +st_read_51251 st_read 3 51251 NULL
104810 +compat_dccp_setsockopt_51263 compat_dccp_setsockopt 5 51263 NULL
104811 +dvb_audio_write_51275 dvb_audio_write 3 51275 NULL
104812 +ipwireless_network_packet_received_51277 ipwireless_network_packet_received 4 51277 NULL
104813 +zone_reclaimable_pages_51283 zone_reclaimable_pages 0 51283 NULL
104814 +pvr2_std_id_to_str_51288 pvr2_std_id_to_str 2 51288 NULL
104815 +bnad_debugfs_read_regrd_51308 bnad_debugfs_read_regrd 3 51308 NULL
104816 +get_cell_51316 get_cell 2 51316 NULL
104817 +init_map_ipmac_51317 init_map_ipmac 4-3-5 51317 NULL
104818 +alloc_hippi_dev_51320 alloc_hippi_dev 1 51320 NULL
104819 +ext2_xattr_get_51327 ext2_xattr_get 0 51327 NULL
104820 +alloc_smp_req_51337 alloc_smp_req 1 51337 NULL nohasharray
104821 +compat_arch_ptrace_51337 compat_arch_ptrace 3-4 51337 &alloc_smp_req_51337
104822 +ipw_get_event_log_len_51341 ipw_get_event_log_len 0 51341 NULL
104823 +ieee80211_if_fmt_estab_plinks_51370 ieee80211_if_fmt_estab_plinks 3 51370 NULL
104824 +radeon_kms_compat_ioctl_51371 radeon_kms_compat_ioctl 2 51371 NULL
104825 +ieee80211_wx_set_gen_ie_51399 ieee80211_wx_set_gen_ie 3 51399 NULL
104826 +ceph_sync_read_51410 ceph_sync_read 3 51410 NULL
104827 +x86_swiotlb_free_coherent_51421 x86_swiotlb_free_coherent 4 51421 NULL
104828 +blk_register_region_51424 blk_register_region 1-2 51424 NULL
104829 +mwifiex_rdeeprom_read_51429 mwifiex_rdeeprom_read 3 51429 NULL
104830 +ieee80211_if_read_dot11MeshHWMPRootMode_51441 ieee80211_if_read_dot11MeshHWMPRootMode 3 51441 NULL
104831 +print_devstats_dot11ACKFailureCount_51443 print_devstats_dot11ACKFailureCount 3 51443 NULL
104832 +____alloc_ei_netdev_51475 ____alloc_ei_netdev 1 51475 NULL
104833 +xfs_buf_get_uncached_51477 xfs_buf_get_uncached 2 51477 NULL
104834 +vaddr_51480 vaddr 0 51480 NULL
104835 +skb_inner_mac_header_51482 skb_inner_mac_header 0 51482 NULL nohasharray
104836 +btrfs_find_space_cluster_51482 btrfs_find_space_cluster 5 51482 &skb_inner_mac_header_51482
104837 +__cpa_process_fault_51502 __cpa_process_fault 2 51502 NULL
104838 +ieee80211_if_write_uapsd_queues_51526 ieee80211_if_write_uapsd_queues 3 51526 NULL
104839 +load_pdptrs_51541 load_pdptrs 3 51541 NULL
104840 +__alloc_eip_netdev_51549 __alloc_eip_netdev 1 51549 NULL
104841 +icmp_manip_pkt_51560 icmp_manip_pkt 4 51560 NULL
104842 +ixgb_get_eeprom_len_51586 ixgb_get_eeprom_len 0 51586 NULL
104843 +aac_convert_sgraw2_51598 aac_convert_sgraw2 4 51598 NULL
104844 +raw_ioctl_51607 raw_ioctl 3 51607 NULL
104845 +table_size_to_number_of_entries_51613 table_size_to_number_of_entries 0-1 51613 NULL
104846 +gnttab_end_foreign_access_51617 gnttab_end_foreign_access 3 51617 NULL
104847 +dns_resolve_server_name_to_ip_51632 dns_resolve_server_name_to_ip 0 51632 NULL
104848 +sctp_auth_create_key_51641 sctp_auth_create_key 1 51641 NULL
104849 +iscsi_create_session_51647 iscsi_create_session 3 51647 NULL
104850 +get_new_cssid_51665 get_new_cssid 2 51665 NULL
104851 +ps_upsd_utilization_read_51669 ps_upsd_utilization_read 3 51669 NULL
104852 +sctp_setsockopt_associnfo_51684 sctp_setsockopt_associnfo 3 51684 NULL
104853 +sfi_sysfs_install_table_51688 sfi_sysfs_install_table 1 51688 NULL
104854 +host_mapping_level_51696 host_mapping_level 2 51696 NULL
104855 +sel_write_access_51704 sel_write_access 3 51704 NULL
104856 +tty_cdev_add_51714 tty_cdev_add 2-4 51714 NULL
104857 +v9fs_alloc_rdir_buf_51716 v9fs_alloc_rdir_buf 2 51716 NULL
104858 +drm_compat_ioctl_51717 drm_compat_ioctl 2 51717 NULL
104859 +sg_read_oxfer_51724 sg_read_oxfer 3 51724 NULL
104860 +hid_parse_report_51737 hid_parse_report 3 51737 NULL
104861 +get_user_pages_fast_51751 get_user_pages_fast 0-1-2 51751 NULL
104862 +ifx_spi_insert_flip_string_51752 ifx_spi_insert_flip_string 3 51752 NULL
104863 +if_write_51756 if_write 3 51756 NULL
104864 +ioremap_prot_51764 ioremap_prot 1-2 51764 NULL
104865 +iio_buffer_add_channel_sysfs_51766 iio_buffer_add_channel_sysfs 0 51766 NULL
104866 +to_ratio_51809 to_ratio 2-1 51809 NULL
104867 +qib_alloc_devdata_51819 qib_alloc_devdata 2 51819 NULL
104868 +buffer_from_user_51826 buffer_from_user 3 51826 NULL
104869 +ioread32_51847 ioread32 0 51847 NULL nohasharray
104870 +read_file_tgt_tx_stats_51847 read_file_tgt_tx_stats 3 51847 &ioread32_51847
104871 +do_readv_writev_51849 do_readv_writev 4 51849 NULL
104872 +SYSC_sendto_51852 SYSC_sendto 6 51852 NULL
104873 +pointer_size_read_51863 pointer_size_read 3 51863 NULL
104874 +mlx4_alloc_db_from_pgdir_51865 mlx4_alloc_db_from_pgdir 3 51865 NULL
104875 +get_indirect_ea_51869 get_indirect_ea 4 51869 NULL
104876 +user_read_51881 user_read 3 51881 NULL
104877 +memblock_alloc_51884 memblock_alloc 1-2 51884 NULL
104878 +dbAdjCtl_51888 dbAdjCtl 0 51888 NULL
104879 +virt_to_phys_51896 virt_to_phys 0 51896 NULL
104880 +wmi_set_ie_51919 wmi_set_ie 3 51919 NULL
104881 +dbg_status_buf_51930 dbg_status_buf 2 51930 NULL
104882 +__tcp_mtu_to_mss_51938 __tcp_mtu_to_mss 0-2 51938 NULL
104883 +xfrm_alg_len_51940 xfrm_alg_len 0 51940 NULL
104884 +irq_dispose_mapping_51941 irq_dispose_mapping 1 51941 NULL
104885 +scsi_get_vpd_page_51951 scsi_get_vpd_page 4 51951 NULL
104886 +arizona_free_irq_51969 arizona_free_irq 2 51969 NULL nohasharray
104887 +snd_mask_min_51969 snd_mask_min 0 51969 &arizona_free_irq_51969
104888 +ath6kl_sdio_alloc_prep_scat_req_51986 ath6kl_sdio_alloc_prep_scat_req 2 51986 NULL
104889 +dwc3_mode_write_51997 dwc3_mode_write 3 51997 NULL
104890 +skb_copy_datagram_from_iovec_52014 skb_copy_datagram_from_iovec 4-2-5 52014 NULL
104891 +rdmalt_52022 rdmalt 0 52022 NULL
104892 +vxge_rx_alloc_52024 vxge_rx_alloc 3 52024 NULL
104893 +override_release_52032 override_release 2 52032 NULL
104894 +end_port_52042 end_port 0 52042 NULL
104895 +dma_rx_errors_read_52045 dma_rx_errors_read 3 52045 NULL
104896 +msnd_fifo_write_52052 msnd_fifo_write 0-3 52052 NULL
104897 +dvb_ringbuffer_avail_52057 dvb_ringbuffer_avail 0 52057 NULL
104898 +__fuse_request_alloc_52060 __fuse_request_alloc 1 52060 NULL
104899 +isofs_readpages_52067 isofs_readpages 4 52067 NULL
104900 +nsm_get_handle_52089 nsm_get_handle 4 52089 NULL
104901 +o2net_debug_read_52105 o2net_debug_read 3 52105 NULL
104902 +smsdvb_stats_read_52114 smsdvb_stats_read 3 52114 NULL
104903 +retry_count_read_52129 retry_count_read 3 52129 NULL
104904 +zram_meta_alloc_52140 zram_meta_alloc 1 52140 NULL
104905 +hysdn_conf_write_52145 hysdn_conf_write 3 52145 NULL nohasharray
104906 +ext2_alloc_blocks_52145 ext2_alloc_blocks 2 52145 &hysdn_conf_write_52145
104907 +htable_size_52148 htable_size 0-1 52148 NULL
104908 +__le16_to_cpup_52155 __le16_to_cpup 0 52155 NULL nohasharray
104909 +smk_write_load2_52155 smk_write_load2 3 52155 &__le16_to_cpup_52155
104910 +alix_present_52165 alix_present 1 52165 NULL
104911 +ieee80211_if_read_dot11MeshRetryTimeout_52168 ieee80211_if_read_dot11MeshRetryTimeout 3 52168 NULL
104912 +mga_compat_ioctl_52170 mga_compat_ioctl 2 52170 NULL
104913 +print_prefix_52176 print_prefix 0 52176 NULL
104914 +proc_pid_readlink_52186 proc_pid_readlink 3 52186 NULL
104915 +vmci_qp_broker_alloc_52216 vmci_qp_broker_alloc 5-6 52216 NULL
104916 +do_dmabuf_dirty_ldu_52241 do_dmabuf_dirty_ldu 6 52241 NULL
104917 +fuse_request_alloc_52243 fuse_request_alloc 1 52243 NULL
104918 +pm80x_request_irq_52250 pm80x_request_irq 2 52250 NULL
104919 +mdiobus_alloc_size_52259 mdiobus_alloc_size 1 52259 NULL
104920 +shrink_slab_52261 shrink_slab 2-3 52261 NULL
104921 +hva_to_pfn_slow_52262 hva_to_pfn_slow 1 52262 NULL
104922 +sisusbcon_do_font_op_52271 sisusbcon_do_font_op 9 52271 NULL
104923 +atomic64_read_52300 atomic64_read 0 52300 NULL
104924 +ath6kl_wmi_get_new_buf_52304 ath6kl_wmi_get_new_buf 1 52304 NULL
104925 +read_file_reset_52310 read_file_reset 3 52310 NULL
104926 +request_asymmetric_key_52317 request_asymmetric_key 2-4 52317 NULL
104927 +hwflags_read_52318 hwflags_read 3 52318 NULL
104928 +ntfs_rl_split_52328 ntfs_rl_split 2-4 52328 NULL
104929 +test_unaligned_bulk_52333 test_unaligned_bulk 3 52333 NULL
104930 +compat_SyS_preadv64_52351 compat_SyS_preadv64 3 52351 NULL
104931 +bytes_to_frames_52362 bytes_to_frames 0-2 52362 NULL
104932 +copy_entries_to_user_52367 copy_entries_to_user 1 52367 NULL
104933 +mq_emit_config_values_52378 mq_emit_config_values 3 52378 NULL
104934 +isdn_writebuf_stub_52383 isdn_writebuf_stub 4 52383 NULL
104935 +jfs_setxattr_52389 jfs_setxattr 4 52389 NULL
104936 +aer_inject_write_52399 aer_inject_write 3 52399 NULL
104937 +aac_rx_ioremap_52410 aac_rx_ioremap 2 52410 NULL
104938 +cgroup_file_write_52417 cgroup_file_write 3 52417 NULL
104939 +line6_midibuf_init_52425 line6_midibuf_init 2 52425 NULL
104940 +delay_status_52431 delay_status 5 52431 NULL
104941 +ieee80211_if_fmt_num_sta_ps_52438 ieee80211_if_fmt_num_sta_ps 3 52438 NULL
104942 +nl80211_send_mgmt_tx_status_52445 nl80211_send_mgmt_tx_status 5 52445 NULL
104943 +ieee80211_alloc_txb_52477 ieee80211_alloc_txb 1-2 52477 NULL
104944 +ocfs2_extend_no_holes_52483 ocfs2_extend_no_holes 3-4 52483 NULL
104945 +fd_do_rw_52495 fd_do_rw 3 52495 NULL nohasharray
104946 +skb_cow_head_52495 skb_cow_head 2 52495 &fd_do_rw_52495
104947 +qib_user_sdma_pin_pages_52498 qib_user_sdma_pin_pages 3-5 52498 NULL
104948 +int_tasklet_entry_52500 int_tasklet_entry 3 52500 NULL
104949 +qlcnic_83xx_sysfs_flash_write_52507 qlcnic_83xx_sysfs_flash_write 4 52507 NULL
104950 +pm_qos_power_write_52513 pm_qos_power_write 3 52513 NULL
104951 +dup_variable_bug_52525 dup_variable_bug 3 52525 NULL
104952 +from_oblock_52546 from_oblock 0-1 52546 NULL
104953 +dccpprobe_read_52549 dccpprobe_read 3 52549 NULL
104954 +ocfs2_make_right_split_rec_52562 ocfs2_make_right_split_rec 3 52562 NULL
104955 +emit_code_52583 emit_code 0-3 52583 NULL
104956 +isku_sysfs_read_macro_52587 isku_sysfs_read_macro 6 52587 NULL
104957 +tps80031_writes_52638 tps80031_writes 3-4 52638 NULL
104958 +brcmf_sdio_assert_info_52653 brcmf_sdio_assert_info 4 52653 NULL
104959 +SYSC_gethostname_52677 SYSC_gethostname 2 52677 NULL
104960 +nvd0_disp_pioc_create__52693 nvd0_disp_pioc_create_ 5 52693 NULL
104961 +nouveau_client_create__52715 nouveau_client_create_ 5 52715 NULL
104962 +cx25840_ir_rx_read_52724 cx25840_ir_rx_read 3 52724 NULL
104963 +blkcipher_next_slow_52733 blkcipher_next_slow 3-4 52733 NULL
104964 +relay_alloc_page_array_52735 relay_alloc_page_array 1 52735 NULL
104965 +carl9170_debugfs_vif_dump_read_52755 carl9170_debugfs_vif_dump_read 3 52755 NULL
104966 +ieee80211_if_read_beacon_timeout_52756 ieee80211_if_read_beacon_timeout 3 52756 NULL
104967 +copy_ctr_args_52761 copy_ctr_args 2 52761 NULL
104968 +pwr_rcvd_beacons_read_52836 pwr_rcvd_beacons_read 3 52836 NULL
104969 +ext2_xattr_set_acl_52857 ext2_xattr_set_acl 4 52857 NULL
104970 +mon_bin_get_event_52863 mon_bin_get_event 4 52863 NULL
104971 +twlreg_write_52880 twlreg_write 3 52880 NULL
104972 +pvr2_ctrl_value_to_sym_internal_52881 pvr2_ctrl_value_to_sym_internal 5 52881 NULL
104973 +cache_read_procfs_52882 cache_read_procfs 3 52882 NULL
104974 +kvm_kvzalloc_52894 kvm_kvzalloc 1 52894 NULL
104975 +arizona_request_irq_52908 arizona_request_irq 2 52908 NULL
104976 +__kfifo_out_peek_r_52919 __kfifo_out_peek_r 3 52919 NULL
104977 +iblock_get_bio_52936 iblock_get_bio 3 52936 NULL nohasharray
104978 +__iio_device_attr_init_52936 __iio_device_attr_init 0 52936 &iblock_get_bio_52936
104979 +__nodes_remap_52951 __nodes_remap 5 52951 NULL
104980 +send_packet_52960 send_packet 4 52960 NULL
104981 +ieee80211_if_fmt_fwded_mcast_52961 ieee80211_if_fmt_fwded_mcast 3 52961 NULL
104982 +hx8357_spi_write_then_read_52964 hx8357_spi_write_then_read 3 52964 NULL nohasharray
104983 +compat_sock_ioctl_52964 compat_sock_ioctl 3 52964 &hx8357_spi_write_then_read_52964
104984 +tx_tx_exch_read_52986 tx_tx_exch_read 3 52986 NULL
104985 +num_node_state_52989 num_node_state 0 52989 NULL
104986 +batadv_check_management_packet_52993 batadv_check_management_packet 3 52993 NULL
104987 +efivarfs_file_write_53000 efivarfs_file_write 3 53000 NULL
104988 +btrfs_free_and_pin_reserved_extent_53016 btrfs_free_and_pin_reserved_extent 2 53016 NULL
104989 +tx_tx_exch_pending_read_53018 tx_tx_exch_pending_read 3 53018 NULL
104990 +ext4_meta_bg_first_group_53031 ext4_meta_bg_first_group 0-2 53031 NULL
104991 +bio_cur_bytes_53037 bio_cur_bytes 0 53037 NULL
104992 +regcache_lzo_block_count_53056 regcache_lzo_block_count 0 53056 NULL
104993 +cfi_read_query_53066 cfi_read_query 0 53066 NULL
104994 +mwifiex_debug_read_53074 mwifiex_debug_read 3 53074 NULL
104995 +qib_resize_cq_53090 qib_resize_cq 2 53090 NULL
104996 +verity_status_53120 verity_status 5 53120 NULL
104997 +brcmf_usb_dl_cmd_53130 brcmf_usb_dl_cmd 4 53130 NULL
104998 +ps_poll_ps_poll_max_ap_turn_read_53140 ps_poll_ps_poll_max_ap_turn_read 3 53140 NULL
104999 +ieee80211_bss_info_update_53170 ieee80211_bss_info_update 4 53170 NULL
105000 +btrfs_io_bio_alloc_53179 btrfs_io_bio_alloc 2 53179 NULL
105001 +clear_capture_buf_53192 clear_capture_buf 2 53192 NULL
105002 +mtdoops_erase_block_53206 mtdoops_erase_block 2 53206 NULL
105003 +fixup_user_fault_53210 fixup_user_fault 3 53210 NULL
105004 +tx_tx_start_data_read_53219 tx_tx_start_data_read 3 53219 NULL
105005 +rbd_obj_method_sync_53252 rbd_obj_method_sync 8 53252 NULL
105006 +xfs_trans_read_buf_map_53258 xfs_trans_read_buf_map 5 53258 NULL
105007 +wil_write_file_ssid_53266 wil_write_file_ssid 3 53266 NULL
105008 +btrfs_file_extent_num_bytes_53269 btrfs_file_extent_num_bytes 0 53269 NULL
105009 +isku_sysfs_write_key_mask_53305 isku_sysfs_write_key_mask 6 53305 NULL
105010 +batadv_interface_rx_53325 batadv_interface_rx 4 53325 NULL
105011 +gsm_control_reply_53333 gsm_control_reply 4 53333 NULL
105012 +vm_mmap_53339 vm_mmap 0 53339 NULL
105013 +sock_setbindtodevice_53369 sock_setbindtodevice 3 53369 NULL
105014 +get_random_bytes_arch_53370 get_random_bytes_arch 2 53370 NULL
105015 +iwl_pcie_txq_alloc_53413 iwl_pcie_txq_alloc 3 53413 NULL
105016 +isr_cmd_cmplt_read_53439 isr_cmd_cmplt_read 3 53439 NULL
105017 +mwifiex_info_read_53447 mwifiex_info_read 3 53447 NULL
105018 +apei_exec_run_optional_53452 apei_exec_run_optional 0 53452 NULL
105019 +acpi_tb_parse_root_table_53455 acpi_tb_parse_root_table 1 53455 NULL
105020 +n2_run_53459 n2_run 3 53459 NULL
105021 +paging64_prefetch_gpte_53468 paging64_prefetch_gpte 4 53468 NULL
105022 +rds_tcp_data_recv_53476 rds_tcp_data_recv 3 53476 NULL
105023 +iowarrior_read_53483 iowarrior_read 3 53483 NULL
105024 +osd_req_write_kern_53486 osd_req_write_kern 5 53486 NULL
105025 +do_verify_xattr_datum_53499 do_verify_xattr_datum 0 53499 NULL
105026 +snd_pcm_format_physical_width_53505 snd_pcm_format_physical_width 0 53505 NULL
105027 +dbAllocNext_53506 dbAllocNext 0 53506 NULL
105028 +ocfs2_xattr_set_acl_53508 ocfs2_xattr_set_acl 4 53508 NULL
105029 +check_acl_53512 check_acl 0 53512 NULL
105030 +alloc_pages_exact_nid_53515 alloc_pages_exact_nid 2 53515 NULL
105031 +SYSC_bind_53582 SYSC_bind 3 53582 NULL nohasharray
105032 +set_registers_53582 set_registers 3 53582 &SYSC_bind_53582
105033 +cifs_utf16_bytes_53593 cifs_utf16_bytes 0 53593 NULL
105034 +gfn_to_pfn_async_53597 gfn_to_pfn_async 2 53597 NULL
105035 +___alloc_bootmem_nopanic_53626 ___alloc_bootmem_nopanic 1-2 53626 NULL
105036 +xd_write_multiple_pages_53633 xd_write_multiple_pages 6-5 53633 NULL
105037 +ccid_getsockopt_builtin_ccids_53634 ccid_getsockopt_builtin_ccids 2 53634 NULL
105038 +nr_sendmsg_53656 nr_sendmsg 4 53656 NULL
105039 +_preload_range_53676 _preload_range 2-3 53676 NULL
105040 +lowpan_fragment_xmit_53680 lowpan_fragment_xmit 3-4 53680 NULL
105041 +fuse_fill_write_pages_53682 fuse_fill_write_pages 4 53682 NULL
105042 +v4l2_event_subscribe_53687 v4l2_event_subscribe 3 53687 NULL
105043 +bdev_logical_block_size_53690 bdev_logical_block_size 0 53690 NULL nohasharray
105044 +igb_alloc_q_vector_53690 igb_alloc_q_vector 4-6 53690 &bdev_logical_block_size_53690
105045 +find_overflow_devnum_53711 find_overflow_devnum 0 53711 NULL
105046 +bio_integrity_split_53714 bio_integrity_split 3 53714 NULL
105047 +__ocfs2_resv_find_window_53721 __ocfs2_resv_find_window 3 53721 NULL
105048 +wdm_write_53735 wdm_write 3 53735 NULL
105049 +ext3_try_to_allocate_with_rsv_53737 ext3_try_to_allocate_with_rsv 5-3 53737 NULL
105050 +da9052_disable_irq_53745 da9052_disable_irq 2 53745 NULL
105051 +lpfc_idiag_queacc_read_qe_53755 lpfc_idiag_queacc_read_qe 0-2 53755 NULL nohasharray
105052 +amdtp_out_stream_get_max_payload_53755 amdtp_out_stream_get_max_payload 0 53755 &lpfc_idiag_queacc_read_qe_53755
105053 +ext2_acl_count_53773 ext2_acl_count 0-1 53773 NULL
105054 +__kfifo_dma_in_prepare_r_53792 __kfifo_dma_in_prepare_r 4-5 53792 NULL
105055 +qp_alloc_host_work_53798 qp_alloc_host_work 3-5 53798 NULL
105056 +__tty_alloc_driver_53799 __tty_alloc_driver 1 53799 NULL
105057 +regmap_raw_write_53803 regmap_raw_write 2-4 53803 NULL
105058 +lpfc_idiag_ctlacc_read_reg_53809 lpfc_idiag_ctlacc_read_reg 0-3 53809 NULL
105059 +nls_nullsize_53815 nls_nullsize 0 53815 NULL
105060 +pms_read_53873 pms_read 3 53873 NULL
105061 +ieee80211_if_fmt_dropped_frames_congestion_53883 ieee80211_if_fmt_dropped_frames_congestion 3 53883 NULL
105062 +ocfs2_rm_xattr_cluster_53900 ocfs2_rm_xattr_cluster 5-4-3 53900 NULL nohasharray
105063 +SyS_setgroups_53900 SyS_setgroups 1 53900 &ocfs2_rm_xattr_cluster_53900
105064 +proc_file_read_53905 proc_file_read 3 53905 NULL
105065 +early_reserve_e820_53915 early_reserve_e820 1-2 53915 NULL
105066 +ocfs2_make_clusters_writable_53938 ocfs2_make_clusters_writable 4 53938 NULL
105067 +mthca_setup_cmd_doorbells_53954 mthca_setup_cmd_doorbells 2 53954 NULL
105068 +mlx4_num_eq_uar_53965 mlx4_num_eq_uar 0 53965 NULL
105069 +idetape_chrdev_write_53976 idetape_chrdev_write 3 53976 NULL
105070 +mthca_reg_user_mr_53980 mthca_reg_user_mr 2-3 53980 NULL
105071 +__ocfs2_xattr_set_value_outside_53981 __ocfs2_xattr_set_value_outside 5 53981 NULL
105072 +ieee80211_if_fmt_dot11MeshHWMPperrMinInterval_53998 ieee80211_if_fmt_dot11MeshHWMPperrMinInterval 3 53998 NULL
105073 +snd_pcm_lib_write_transfer_54018 snd_pcm_lib_write_transfer 4-2-5 54018 NULL
105074 +cmpk_message_handle_tx_54024 cmpk_message_handle_tx 4 54024 NULL
105075 +ipxrtr_route_packet_54036 ipxrtr_route_packet 4 54036 NULL
105076 +pipeline_dec_packet_out_read_54052 pipeline_dec_packet_out_read 3 54052 NULL
105077 +nl80211_send_disconnected_54056 nl80211_send_disconnected 5 54056 NULL
105078 +rproc_state_read_54057 rproc_state_read 3 54057 NULL
105079 +btrfs_start_transaction_54066 btrfs_start_transaction 2 54066 NULL
105080 +_malloc_54077 _malloc 1 54077 NULL
105081 +bitmap_bitremap_54096 bitmap_bitremap 4 54096 NULL
105082 +altera_set_ir_pre_54103 altera_set_ir_pre 2 54103 NULL
105083 +create_xattr_54106 create_xattr 5 54106 NULL
105084 +inc_zcache_pers_zbytes_54107 inc_zcache_pers_zbytes 1 54107 NULL
105085 +strn_len_54122 strn_len 0 54122 NULL
105086 +isku_receive_54130 isku_receive 4 54130 NULL
105087 +isr_host_acknowledges_read_54136 isr_host_acknowledges_read 3 54136 NULL
105088 +i2400m_zrealloc_2x_54166 i2400m_zrealloc_2x 3 54166 NULL nohasharray
105089 +memcpy_toiovec_54166 memcpy_toiovec 3 54166 &i2400m_zrealloc_2x_54166
105090 +nouveau_falcon_create__54169 nouveau_falcon_create_ 8 54169 NULL
105091 +acpi_os_read_memory_54186 acpi_os_read_memory 1-3 54186 NULL
105092 +SyS_ipc_54206 SyS_ipc 3 54206 NULL
105093 +__register_chrdev_54223 __register_chrdev 2-3 54223 NULL
105094 +_format_mac_addr_54229 _format_mac_addr 2-0 54229 NULL
105095 +pi_read_regr_54231 pi_read_regr 0 54231 NULL
105096 +reada_add_block_54247 reada_add_block 2 54247 NULL
105097 +xfs_dir2_sf_addname_hard_54254 xfs_dir2_sf_addname_hard 3 54254 NULL
105098 +ceph_msgpool_get_54258 ceph_msgpool_get 2 54258 NULL
105099 +wusb_prf_54261 wusb_prf 7 54261 NULL nohasharray
105100 +audio_write_54261 audio_write 4 54261 &wusb_prf_54261
105101 +mwifiex_getlog_read_54269 mwifiex_getlog_read 3 54269 NULL
105102 +ubi_calc_data_len_54279 ubi_calc_data_len 0-3 54279 NULL
105103 +altera_set_dr_post_54291 altera_set_dr_post 2 54291 NULL
105104 +dlm_alloc_pagevec_54296 dlm_alloc_pagevec 1 54296 NULL
105105 +get_iovec_page_array_54298 get_iovec_page_array 6 54298 NULL
105106 +sprintf_54306 sprintf 0 54306 NULL
105107 +irq_domain_associate_many_54307 irq_domain_associate_many 2 54307 NULL
105108 +br_fdb_fillbuf_54339 br_fdb_fillbuf 0 54339 NULL
105109 +__alloc_dev_table_54343 __alloc_dev_table 2 54343 NULL
105110 +__get_free_pages_54352 __get_free_pages 0 54352 NULL nohasharray
105111 +_osd_realloc_seg_54352 _osd_realloc_seg 3 54352 &__get_free_pages_54352
105112 +tcf_hash_create_54360 tcf_hash_create 4 54360 NULL
105113 +read_file_credit_dist_stats_54367 read_file_credit_dist_stats 3 54367 NULL
105114 +vfs_readlink_54368 vfs_readlink 3 54368 NULL
105115 +do_dccp_setsockopt_54377 do_dccp_setsockopt 5 54377 NULL nohasharray
105116 +intel_sdvo_write_cmd_54377 intel_sdvo_write_cmd 4 54377 &do_dccp_setsockopt_54377
105117 +ah_alloc_tmp_54378 ah_alloc_tmp 3-2 54378 NULL
105118 +gart_unmap_page_54379 gart_unmap_page 2-3 54379 NULL
105119 +snd_pcm_oss_read2_54387 snd_pcm_oss_read2 0-3 54387 NULL
105120 +i386_mmap_check_54388 i386_mmap_check 0 54388 NULL
105121 +__do_krealloc_54389 __do_krealloc 2 54389 NULL
105122 +iwl_dbgfs_power_save_status_read_54392 iwl_dbgfs_power_save_status_read 3 54392 NULL
105123 +copy_gadget_strings_54417 copy_gadget_strings 2-3 54417 NULL
105124 +swiotlb_tbl_sync_single_54486 swiotlb_tbl_sync_single 2 54486 NULL
105125 +simple_strtoull_54493 simple_strtoull 0 54493 NULL
105126 +swiotlb_tbl_map_single_54495 swiotlb_tbl_map_single 3-0 54495 NULL
105127 +btrfs_ordered_sum_size_54509 btrfs_ordered_sum_size 0-2 54509 NULL
105128 +cgroup_write_X64_54514 cgroup_write_X64 5 54514 NULL nohasharray
105129 +xen_bus_to_phys_54514 xen_bus_to_phys 0 54514 &cgroup_write_X64_54514
105130 +rfc4106_set_key_54519 rfc4106_set_key 3 54519 NULL
105131 +vmci_transport_dgram_enqueue_54525 vmci_transport_dgram_enqueue 4 54525 NULL
105132 +viacam_read_54526 viacam_read 3 54526 NULL
105133 +unix_dgram_connect_54535 unix_dgram_connect 3 54535 NULL
105134 +setsockopt_54539 setsockopt 5 54539 NULL
105135 +mwifiex_usb_submit_rx_urb_54558 mwifiex_usb_submit_rx_urb 2 54558 NULL
105136 +SYSC_setsockopt_54561 SYSC_setsockopt 5 54561 NULL
105137 +nfsd_vfs_write_54577 nfsd_vfs_write 6 54577 NULL
105138 +fw_iso_buffer_init_54582 fw_iso_buffer_init 3 54582 NULL
105139 +nvme_npages_54601 nvme_npages 0-1 54601 NULL
105140 +fwSendNullPacket_54618 fwSendNullPacket 2 54618 NULL
105141 +irq_timeout_read_54653 irq_timeout_read 3 54653 NULL
105142 +dns_resolver_read_54658 dns_resolver_read 3 54658 NULL
105143 +twl6030_interrupt_mask_54659 twl6030_interrupt_mask 2 54659 NULL
105144 +kvm_read_cr3_54662 kvm_read_cr3 0 54662 NULL
105145 +bio_kmalloc_54672 bio_kmalloc 2 54672 NULL
105146 +vring_new_virtqueue_54673 vring_new_virtqueue 2 54673 NULL
105147 +evm_read_key_54674 evm_read_key 3 54674 NULL
105148 +resource_string_54699 resource_string 0 54699 NULL
105149 +platform_get_irq_byname_54700 platform_get_irq_byname 0 54700 NULL
105150 +rfkill_fop_read_54711 rfkill_fop_read 3 54711 NULL nohasharray
105151 +compat_SyS_readv_54711 compat_SyS_readv 3 54711 &rfkill_fop_read_54711
105152 +_add_sg_continuation_descriptor_54721 _add_sg_continuation_descriptor 3 54721 NULL
105153 +ocfs2_control_write_54737 ocfs2_control_write 3 54737 NULL
105154 +kzalloc_54740 kzalloc 1 54740 NULL
105155 +wep_iv_read_54744 wep_iv_read 3 54744 NULL
105156 +iio_event_chrdev_read_54757 iio_event_chrdev_read 3 54757 NULL
105157 +batadv_iv_ogm_aggregate_new_54761 batadv_iv_ogm_aggregate_new 2 54761 NULL
105158 +adis16480_show_firmware_date_54762 adis16480_show_firmware_date 3 54762 NULL
105159 +flexcop_device_kmalloc_54793 flexcop_device_kmalloc 1 54793 NULL
105160 +domain_init_54797 domain_init 2 54797 NULL
105161 +ext3_find_goal_54801 ext3_find_goal 0 54801 NULL
105162 +get_dev_size_54807 get_dev_size 0 54807 NULL
105163 +nfsd_write_54809 nfsd_write 6 54809 NULL
105164 +aes_decrypt_fail_read_54815 aes_decrypt_fail_read 3 54815 NULL nohasharray
105165 +crypto_tfm_ctx_alignment_54815 crypto_tfm_ctx_alignment 0 54815 &aes_decrypt_fail_read_54815
105166 +generic_perform_write_54832 generic_perform_write 3 54832 NULL
105167 +write_rio_54837 write_rio 3 54837 NULL
105168 +nouveau_engctx_create__54839 nouveau_engctx_create_ 8 54839 NULL nohasharray
105169 +ext3_acl_from_disk_54839 ext3_acl_from_disk 2 54839 &nouveau_engctx_create__54839
105170 +ufx_ops_write_54848 ufx_ops_write 3 54848 NULL
105171 +printer_read_54851 printer_read 3 54851 NULL
105172 +qib_reg_user_mr_54858 qib_reg_user_mr 2-3 54858 NULL
105173 +alloc_ep_req_54860 alloc_ep_req 2 54860 NULL
105174 +broadsheet_spiflash_rewrite_sector_54864 broadsheet_spiflash_rewrite_sector 2 54864 NULL
105175 +prism_build_supp_rates_54865 prism_build_supp_rates 0 54865 NULL
105176 +tcf_csum_ipv6_tcp_54877 tcf_csum_ipv6_tcp 4 54877 NULL
105177 +iscsi_pool_init_54913 iscsi_pool_init 2-4 54913 NULL
105178 +btrfs_stack_chunk_num_stripes_54923 btrfs_stack_chunk_num_stripes 0 54923 NULL
105179 +mxms_structlen_54939 mxms_structlen 0 54939 NULL
105180 +add_port_54941 add_port 2 54941 NULL
105181 +virtblk_add_buf_wait_54943 virtblk_add_buf_wait 3-4 54943 NULL
105182 +wl12xx_cmd_build_probe_req_54946 wl12xx_cmd_build_probe_req 6-8 54946 NULL
105183 +ath9k_dump_btcoex_54949 ath9k_dump_btcoex 0 54949 NULL
105184 +c4_add_card_54968 c4_add_card 3 54968 NULL
105185 +iwl_pcie_dump_fh_54975 iwl_pcie_dump_fh 0 54975 NULL
105186 +__proc_file_read_54978 __proc_file_read 3 54978 NULL
105187 +ext3_xattr_get_54989 ext3_xattr_get 0 54989 NULL
105188 +Bus_to_Virtual_54991 Bus_to_Virtual 1 54991 NULL
105189 +mem_cgroup_get_lru_size_55008 mem_cgroup_get_lru_size 0 55008 NULL
105190 +cx231xx_v4l2_read_55014 cx231xx_v4l2_read 3 55014 NULL
105191 +paging32_get_level1_sp_gpa_55022 paging32_get_level1_sp_gpa 0 55022 NULL
105192 +error_error_null_Frame_tx_start_read_55024 error_error_null_Frame_tx_start_read 3 55024 NULL
105193 +__netdev_alloc_skb_ip_align_55067 __netdev_alloc_skb_ip_align 2 55067 NULL
105194 +apei_exec_run_55075 apei_exec_run 0 55075 NULL
105195 +bitmap_storage_alloc_55077 bitmap_storage_alloc 2 55077 NULL
105196 +hx8357_spi_write_array_55095 hx8357_spi_write_array 3 55095 NULL
105197 +rxpipe_beacon_buffer_thres_host_int_trig_rx_data_read_55106 rxpipe_beacon_buffer_thres_host_int_trig_rx_data_read 3 55106 NULL
105198 +corrupt_data_55120 corrupt_data 0 55120 NULL
105199 +crypto_ahash_setkey_55134 crypto_ahash_setkey 3 55134 NULL
105200 +ocfs2_prepare_refcount_change_for_del_55137 ocfs2_prepare_refcount_change_for_del 3 55137 NULL nohasharray
105201 +filldir_55137 filldir 3 55137 &ocfs2_prepare_refcount_change_for_del_55137
105202 +ocfs2_truncate_file_55148 ocfs2_truncate_file 3 55148 NULL
105203 +ieee80211_if_read_uapsd_queues_55150 ieee80211_if_read_uapsd_queues 3 55150 NULL
105204 +mtd_get_fact_prot_info_55186 mtd_get_fact_prot_info 0 55186 NULL
105205 +sel_write_relabel_55195 sel_write_relabel 3 55195 NULL
105206 +sched_feat_write_55202 sched_feat_write 3 55202 NULL
105207 +ht40allow_map_read_55209 ht40allow_map_read 3 55209 NULL
105208 +__kfifo_dma_out_prepare_r_55211 __kfifo_dma_out_prepare_r 4-5 55211 NULL
105209 +do_raw_setsockopt_55215 do_raw_setsockopt 5 55215 NULL
105210 +qxl_alloc_client_monitors_config_55216 qxl_alloc_client_monitors_config 2 55216 NULL
105211 +nouveau_mc_create__55217 nouveau_mc_create_ 4 55217 NULL
105212 +dump_command_55220 dump_command 1 55220 NULL
105213 +dbAllocDmap_55227 dbAllocDmap 0 55227 NULL
105214 +tipc_port_reject_sections_55229 tipc_port_reject_sections 5 55229 NULL
105215 +hash_netport6_expire_55232 hash_netport6_expire 3 55232 NULL
105216 +register_unifi_sdio_55239 register_unifi_sdio 2 55239 NULL
105217 +memcpy_fromiovec_55247 memcpy_fromiovec 3 55247 NULL
105218 +persistent_ram_new_55286 persistent_ram_new 1-2 55286 NULL
105219 +ptrace_request_55288 ptrace_request 3-4 55288 NULL
105220 +rx_streaming_interval_read_55291 rx_streaming_interval_read 3 55291 NULL
105221 +gsm_control_modem_55303 gsm_control_modem 3 55303 NULL
105222 +qp_alloc_guest_work_55305 qp_alloc_guest_work 3-5 55305 NULL nohasharray
105223 +__get_vm_area_node_55305 __get_vm_area_node 1 55305 &qp_alloc_guest_work_55305
105224 +do_shmat_55336 do_shmat 5 55336 NULL
105225 +vme_user_read_55338 vme_user_read 3 55338 NULL
105226 +sctp_datamsg_from_user_55342 sctp_datamsg_from_user 4 55342 NULL nohasharray
105227 +__wa_xfer_setup_sizes_55342 __wa_xfer_setup_sizes 0 55342 &sctp_datamsg_from_user_55342
105228 +__memblock_alloc_base_55359 __memblock_alloc_base 1-2 55359 NULL
105229 +acpi_system_read_event_55362 acpi_system_read_event 3 55362 NULL
105230 +nf_nat_ipv4_manip_pkt_55387 nf_nat_ipv4_manip_pkt 2 55387 NULL
105231 +iwl_dbgfs_plcp_delta_read_55407 iwl_dbgfs_plcp_delta_read 3 55407 NULL
105232 +si476x_radio_read_rds_blckcnt_blob_55427 si476x_radio_read_rds_blckcnt_blob 3 55427 NULL
105233 +alloc_skb_55439 alloc_skb 1 55439 NULL
105234 +__vxge_hw_channel_allocate_55462 __vxge_hw_channel_allocate 3 55462 NULL
105235 +isdnhdlc_decode_55466 isdnhdlc_decode 0 55466 NULL
105236 +cx23888_ir_rx_read_55473 cx23888_ir_rx_read 3 55473 NULL
105237 +batadv_unicast_push_and_fill_skb_55474 batadv_unicast_push_and_fill_skb 2 55474 NULL
105238 +snd_pcm_lib_write_55483 snd_pcm_lib_write 0-3 55483 NULL
105239 +i2o_pool_alloc_55485 i2o_pool_alloc 4 55485 NULL
105240 +ocfs2_rec_clusters_55501 ocfs2_rec_clusters 0 55501 NULL
105241 +ext4_flex_bg_size_55502 ext4_flex_bg_size 0 55502 NULL
105242 +cfpkt_pad_trail_55511 cfpkt_pad_trail 2 55511 NULL nohasharray
105243 +tx_tx_done_int_template_read_55511 tx_tx_done_int_template_read 3 55511 &cfpkt_pad_trail_55511
105244 +ea_get_55522 ea_get 0 55522 NULL
105245 +buffer_size_55534 buffer_size 0 55534 NULL
105246 +set_msr_interception_55538 set_msr_interception 2 55538 NULL
105247 +tty_port_register_device_55543 tty_port_register_device 3 55543 NULL
105248 +hash_netport4_expire_55584 hash_netport4_expire 3 55584 NULL
105249 +add_partition_55588 add_partition 2 55588 NULL
105250 +SyS_keyctl_55602 SyS_keyctl 4 55602 NULL
105251 +free_pages_55603 free_pages 1 55603 NULL
105252 +macvtap_put_user_55609 macvtap_put_user 4 55609 NULL
105253 +selinux_setprocattr_55611 selinux_setprocattr 4 55611 NULL
105254 +edge_tty_recv_55622 edge_tty_recv 3 55622 NULL
105255 +reiserfs_xattr_get_55628 reiserfs_xattr_get 0 55628 NULL nohasharray
105256 +pktgen_if_write_55628 pktgen_if_write 3 55628 &reiserfs_xattr_get_55628
105257 +dvb_dmxdev_set_buffer_size_55643 dvb_dmxdev_set_buffer_size 2 55643 NULL
105258 +mlx4_buddy_alloc_55647 mlx4_buddy_alloc 2 55647 NULL
105259 +xfs_bmbt_maxrecs_55649 xfs_bmbt_maxrecs 0-2 55649 NULL
105260 +ib_umad_compat_ioctl_55650 ib_umad_compat_ioctl 3 55650 NULL
105261 +cfg80211_send_rx_assoc_55651 cfg80211_send_rx_assoc 4 55651 NULL
105262 +read_oldmem_55658 read_oldmem 3 55658 NULL
105263 +lpfc_idiag_queinfo_read_55662 lpfc_idiag_queinfo_read 3 55662 NULL
105264 +il_dbgfs_tx_queue_read_55668 il_dbgfs_tx_queue_read 3 55668 NULL
105265 +get_info_55681 get_info 3 55681 NULL
105266 +wil_vring_alloc_skb_55703 wil_vring_alloc_skb 4 55703 NULL
105267 +__videobuf_alloc_uncached_55711 __videobuf_alloc_uncached 1 55711 NULL
105268 +pm8001_store_update_fw_55716 pm8001_store_update_fw 4 55716 NULL
105269 +mtdswap_init_55719 mtdswap_init 2 55719 NULL
105270 +tap_pwup_write_55723 tap_pwup_write 3 55723 NULL
105271 +__iio_allocate_kfifo_55738 __iio_allocate_kfifo 2 55738 NULL
105272 +set_local_name_55757 set_local_name 4 55757 NULL
105273 +strlen_55778 strlen 0 55778 NULL
105274 +set_spte_55783 set_spte 5-4 55783 NULL
105275 +req_bio_endio_55786 req_bio_endio 3 55786 NULL nohasharray
105276 +conf_read_55786 conf_read 3 55786 &req_bio_endio_55786
105277 +uwb_rc_neh_grok_event_55799 uwb_rc_neh_grok_event 3 55799 NULL
105278 +sb16_copy_from_user_55836 sb16_copy_from_user 10-6-7 55836 NULL
105279 +ip_hdrlen_55849 ip_hdrlen 0 55849 NULL
105280 +hcd_alloc_coherent_55862 hcd_alloc_coherent 5 55862 NULL
105281 +shmem_setxattr_55867 shmem_setxattr 4 55867 NULL
105282 +hsc_write_55875 hsc_write 3 55875 NULL
105283 +pm_qos_power_read_55891 pm_qos_power_read 3 55891 NULL
105284 +snd_pcm_hw_param_value_min_55917 snd_pcm_hw_param_value_min 0 55917 NULL
105285 +paging64_page_fault_55942 paging64_page_fault 2 55942 NULL
105286 +sel_read_policy_55947 sel_read_policy 3 55947 NULL
105287 +ceph_get_direct_page_vector_55956 ceph_get_direct_page_vector 2 55956 NULL
105288 +simple_read_from_buffer_55957 simple_read_from_buffer 2-5 55957 NULL
105289 +tx_tx_imm_resp_read_55964 tx_tx_imm_resp_read 3 55964 NULL
105290 +ssb_bus_pcmciabus_register_56020 ssb_bus_pcmciabus_register 3 56020 NULL
105291 +nvme_alloc_iod_56027 nvme_alloc_iod 1-2 56027 NULL
105292 +dccp_sendmsg_56058 dccp_sendmsg 4 56058 NULL
105293 +__set_discard_56081 __set_discard 2 56081 NULL
105294 +pscsi_get_bio_56103 pscsi_get_bio 1 56103 NULL
105295 +usb_alloc_stream_buffers_56123 usb_alloc_stream_buffers 3 56123 NULL
105296 +kmem_zalloc_large_56128 kmem_zalloc_large 1 56128 NULL
105297 +sel_read_handle_status_56139 sel_read_handle_status 3 56139 NULL
105298 +map_addr_56144 map_addr 7 56144 NULL
105299 +__i2c_transfer_56162 __i2c_transfer 0 56162 NULL
105300 +rawv6_setsockopt_56165 rawv6_setsockopt 5 56165 NULL
105301 +create_irq_nr_56180 create_irq_nr 1 56180 NULL
105302 +ath9k_dump_legacy_btcoex_56194 ath9k_dump_legacy_btcoex 0 56194 NULL
105303 +skb_headroom_56200 skb_headroom 0 56200 NULL
105304 +usb_dump_iad_descriptor_56204 usb_dump_iad_descriptor 0 56204 NULL
105305 +ncp_read_bounce_size_56221 ncp_read_bounce_size 0-1 56221 NULL
105306 +vring_add_indirect_56222 vring_add_indirect 4 56222 NULL
105307 +ocfs2_find_xe_in_bucket_56224 ocfs2_find_xe_in_bucket 0 56224 NULL
105308 +cp210x_get_config_56229 cp210x_get_config 4 56229 NULL
105309 +do_ipt_set_ctl_56238 do_ipt_set_ctl 4 56238 NULL
105310 +fd_copyin_56247 fd_copyin 3 56247 NULL
105311 +sk_rmem_schedule_56255 sk_rmem_schedule 3 56255 NULL
105312 +il4965_ucode_general_stats_read_56277 il4965_ucode_general_stats_read 3 56277 NULL
105313 +ieee80211_if_fmt_user_power_level_56283 ieee80211_if_fmt_user_power_level 3 56283 NULL
105314 +RESIZE_IF_NEEDED_56286 RESIZE_IF_NEEDED 2 56286 NULL
105315 +dvb_aplay_56296 dvb_aplay 3 56296 NULL
105316 +btmrvl_hscfgcmd_read_56303 btmrvl_hscfgcmd_read 3 56303 NULL
105317 +compat_cdrom_read_audio_56304 compat_cdrom_read_audio 4 56304 NULL
105318 +pipeline_pre_to_defrag_swi_read_56321 pipeline_pre_to_defrag_swi_read 3 56321 NULL
105319 +journal_init_revoke_table_56331 journal_init_revoke_table 1 56331 NULL
105320 +snd_rawmidi_read_56337 snd_rawmidi_read 3 56337 NULL
105321 +sixpack_compat_ioctl_56346 sixpack_compat_ioctl 4 56346 NULL
105322 +vxge_os_dma_malloc_async_56348 vxge_os_dma_malloc_async 3 56348 NULL
105323 +iov_iter_copy_from_user_atomic_56368 iov_iter_copy_from_user_atomic 4 56368 NULL
105324 +dev_read_56369 dev_read 3 56369 NULL
105325 +write_gssp_56404 write_gssp 3 56404 NULL
105326 +ocfs2_control_read_56405 ocfs2_control_read 3 56405 NULL
105327 +__get_vm_area_caller_56416 __get_vm_area_caller 1 56416 NULL nohasharray
105328 +acpi_os_write_memory_56416 acpi_os_write_memory 1-3 56416 &__get_vm_area_caller_56416
105329 +store_msg_56417 store_msg 3 56417 NULL
105330 +pppol2tp_sendmsg_56420 pppol2tp_sendmsg 4 56420 NULL
105331 +fl_create_56435 fl_create 5 56435 NULL
105332 +gnttab_map_56439 gnttab_map 2 56439 NULL
105333 +cx231xx_init_isoc_56453 cx231xx_init_isoc 3-2 56453 NULL
105334 +set_connectable_56458 set_connectable 4 56458 NULL
105335 +osd_req_list_partition_objects_56464 osd_req_list_partition_objects 5 56464 NULL
105336 +putused_user_56467 putused_user 3 56467 NULL
105337 +calc_linear_pos_56472 calc_linear_pos 0-3 56472 NULL
105338 +global_rt_period_56476 global_rt_period 0 56476 NULL
105339 +crypto_shash_alignmask_56486 crypto_shash_alignmask 0 56486 NULL
105340 +ieee80211_rx_mgmt_probe_beacon_56491 ieee80211_rx_mgmt_probe_beacon 3 56491 NULL
105341 +init_map_ip_56508 init_map_ip 5 56508 NULL
105342 +cfg80211_connect_result_56515 cfg80211_connect_result 4-6 56515 NULL
105343 +ip_options_get_56538 ip_options_get 4 56538 NULL
105344 +ocfs2_change_extent_flag_56549 ocfs2_change_extent_flag 5 56549 NULL
105345 +alloc_apertures_56561 alloc_apertures 1 56561 NULL
105346 +rs_sta_dbgfs_stats_table_read_56573 rs_sta_dbgfs_stats_table_read 3 56573 NULL
105347 +portcntrs_2_read_56586 portcntrs_2_read 3 56586 NULL
105348 +event_filter_write_56609 event_filter_write 3 56609 NULL
105349 +gather_array_56641 gather_array 3 56641 NULL
105350 +uvc_debugfs_stats_read_56651 uvc_debugfs_stats_read 3 56651 NULL
105351 +snd_gus_dram_read_56686 snd_gus_dram_read 4 56686 NULL nohasharray
105352 +da9055_gpio_to_irq_56686 da9055_gpio_to_irq 2 56686 &snd_gus_dram_read_56686
105353 +build_map_info_56696 build_map_info 2 56696 NULL
105354 +dvb_ringbuffer_read_user_56702 dvb_ringbuffer_read_user 3 56702 NULL
105355 +sta_flags_read_56710 sta_flags_read 3 56710 NULL
105356 +ipv6_getsockopt_sticky_56711 ipv6_getsockopt_sticky 5 56711 NULL
105357 +__wa_xfer_setup_segs_56725 __wa_xfer_setup_segs 2 56725 NULL
105358 +pcpu_populate_chunk_56741 pcpu_populate_chunk 2-3 56741 NULL
105359 +drm_agp_bind_pages_56748 drm_agp_bind_pages 3 56748 NULL
105360 +btrfsic_map_block_56751 btrfsic_map_block 2 56751 NULL
105361 +alloc_iommu_56778 alloc_iommu 2-3 56778 NULL
105362 +__carl9170_rx_56784 __carl9170_rx 3 56784 NULL
105363 +hash_lookup_56792 hash_lookup 2 56792 NULL
105364 +do_syslog_56807 do_syslog 3 56807 NULL
105365 +mtdchar_write_56831 mtdchar_write 3 56831 NULL nohasharray
105366 +ntfs_rl_realloc_56831 ntfs_rl_realloc 3 56831 &mtdchar_write_56831
105367 +snd_rawmidi_kernel_write1_56847 snd_rawmidi_kernel_write1 4 56847 NULL
105368 +si476x_radio_read_agc_blob_56849 si476x_radio_read_agc_blob 3 56849 NULL
105369 +wb_lookup_56858 wb_lookup 2 56858 NULL
105370 +ext3_xattr_ibody_get_56880 ext3_xattr_ibody_get 0 56880 NULL
105371 +pvr2_debugifc_print_status_56890 pvr2_debugifc_print_status 3 56890 NULL
105372 +debug_debug3_read_56894 debug_debug3_read 3 56894 NULL
105373 +batadv_tt_update_changes_56895 batadv_tt_update_changes 3 56895 NULL
105374 +strcspn_56913 strcspn 0 56913 NULL
105375 +__kfifo_out_56927 __kfifo_out 0-3 56927 NULL
105376 +check_header_56930 check_header 2 56930 NULL
105377 +journal_init_revoke_56933 journal_init_revoke 2 56933 NULL
105378 +diva_get_driver_info_56967 diva_get_driver_info 0 56967 NULL
105379 +nouveau_device_create__56984 nouveau_device_create_ 6 56984 NULL
105380 +vlsi_alloc_ring_57003 vlsi_alloc_ring 3-4 57003 NULL
105381 +btrfs_super_csum_size_57004 btrfs_super_csum_size 0 57004 NULL
105382 +aircable_process_packet_57027 aircable_process_packet 4 57027 NULL
105383 +skb_network_offset_57043 skb_network_offset 0 57043 NULL nohasharray
105384 +ieee80211_if_fmt_state_57043 ieee80211_if_fmt_state 3 57043 &skb_network_offset_57043
105385 +bytes_to_samples_57049 bytes_to_samples 0-2 57049 NULL
105386 +xfs_buf_read_map_57053 xfs_buf_read_map 3 57053 NULL
105387 +autofs_dev_ioctl_compat_57059 autofs_dev_ioctl_compat 3 57059 NULL
105388 +cx2341x_ctrl_new_std_57061 cx2341x_ctrl_new_std 4 57061 NULL
105389 +sca3000_read_data_57064 sca3000_read_data 4 57064 NULL
105390 +pcmcia_replace_cis_57066 pcmcia_replace_cis 3 57066 NULL
105391 +sis190_try_rx_copy_57069 sis190_try_rx_copy 3 57069 NULL
105392 +tracing_set_trace_write_57096 tracing_set_trace_write 3 57096 NULL
105393 +crypto_compress_ctxsize_57109 crypto_compress_ctxsize 0 57109 NULL
105394 +sysfs_write_file_57116 sysfs_write_file 3 57116 NULL
105395 +cipso_v4_gentag_loc_57119 cipso_v4_gentag_loc 0 57119 NULL
105396 +nl80211_send_deauth_57136 nl80211_send_deauth 4 57136 NULL nohasharray
105397 +rds_ib_sub_signaled_57136 rds_ib_sub_signaled 2 57136 &nl80211_send_deauth_57136 nohasharray
105398 +ima_show_htable_value_57136 ima_show_htable_value 2 57136 &rds_ib_sub_signaled_57136
105399 +snd_sonicvibes_getdmac_57140 snd_sonicvibes_getdmac 0 57140 NULL
105400 +udl_prime_create_57159 udl_prime_create 2 57159 NULL
105401 +__ipath_get_user_pages_57166 __ipath_get_user_pages 1-2 57166 NULL
105402 +stk_prepare_sio_buffers_57168 stk_prepare_sio_buffers 2 57168 NULL
105403 +rx_hw_stuck_read_57179 rx_hw_stuck_read 3 57179 NULL
105404 +tt3650_ci_msg_57219 tt3650_ci_msg 4 57219 NULL
105405 +dma_fifo_alloc_57236 dma_fifo_alloc 5-3-2 57236 NULL
105406 +flush_space_57241 flush_space 3 57241 NULL
105407 +ieee80211_if_fmt_tsf_57249 ieee80211_if_fmt_tsf 3 57249 NULL
105408 +oprofilefs_ulong_from_user_57251 oprofilefs_ulong_from_user 3 57251 NULL
105409 +alloc_flex_gd_57259 alloc_flex_gd 1 57259 NULL
105410 +security_mmap_file_57268 security_mmap_file 0 57268 NULL
105411 +pstore_file_read_57288 pstore_file_read 3 57288 NULL
105412 +snd_pcm_read_57289 snd_pcm_read 3 57289 NULL
105413 +ath6kl_buf_alloc_57304 ath6kl_buf_alloc 1 57304 NULL
105414 +fw_file_size_57307 fw_file_size 0 57307 NULL
105415 +ftdi_elan_write_57309 ftdi_elan_write 3 57309 NULL
105416 +__mxt_write_reg_57326 __mxt_write_reg 3 57326 NULL
105417 +ocfs2_xattr_shrink_size_57328 ocfs2_xattr_shrink_size 3 57328 NULL
105418 +check_mirror_57342 check_mirror 1-2 57342 NULL nohasharray
105419 +usblp_read_57342 usblp_read 3 57342 &check_mirror_57342
105420 +print_devstats_dot11RTSFailureCount_57347 print_devstats_dot11RTSFailureCount 3 57347 NULL
105421 +tipc_bclink_stats_57372 tipc_bclink_stats 2 57372 NULL
105422 +max8997_irq_domain_map_57375 max8997_irq_domain_map 2 57375 NULL
105423 +tty_register_device_attr_57381 tty_register_device_attr 2 57381 NULL
105424 +read_file_blob_57406 read_file_blob 3 57406 NULL
105425 +enclosure_register_57412 enclosure_register 3 57412 NULL
105426 +gre_manip_pkt_57416 gre_manip_pkt 4 57416 NULL
105427 +compat_keyctl_instantiate_key_iov_57431 compat_keyctl_instantiate_key_iov 3 57431 NULL nohasharray
105428 +alloc_ftrace_hash_57431 alloc_ftrace_hash 1 57431 &compat_keyctl_instantiate_key_iov_57431
105429 +copy_to_user_fromio_57432 copy_to_user_fromio 3 57432 NULL
105430 +sys_pselect6_57449 sys_pselect6 1 57449 NULL
105431 +ReadReg_57453 ReadReg 0 57453 NULL
105432 +__roundup_pow_of_two_57461 __roundup_pow_of_two 0 57461 NULL
105433 +crypto_tfm_alg_blocksize_57463 crypto_tfm_alg_blocksize 0 57463 NULL nohasharray
105434 +send_midi_async_57463 send_midi_async 3 57463 &crypto_tfm_alg_blocksize_57463
105435 +sisusb_clear_vram_57466 sisusb_clear_vram 3-2 57466 NULL
105436 +ieee80211_if_read_flags_57470 ieee80211_if_read_flags 3 57470 NULL nohasharray
105437 +sep_lock_user_pages_57470 sep_lock_user_pages 2-3 57470 &ieee80211_if_read_flags_57470
105438 +ocfs2_write_cluster_57483 ocfs2_write_cluster 8-2-9 57483 NULL
105439 +bnad_debugfs_write_regwr_57500 bnad_debugfs_write_regwr 3 57500 NULL
105440 +skb_headlen_57501 skb_headlen 0 57501 NULL
105441 +copy_in_user_57502 copy_in_user 3 57502 NULL
105442 +ks8842_read32_57505 ks8842_read32 0 57505 NULL nohasharray
105443 +ckhdid_printf_57505 ckhdid_printf 2 57505 &ks8842_read32_57505
105444 +init_tag_map_57515 init_tag_map 3 57515 NULL
105445 +wil_read_file_ssid_57517 wil_read_file_ssid 3 57517 NULL nohasharray
105446 +il_dbgfs_force_reset_read_57517 il_dbgfs_force_reset_read 3 57517 &wil_read_file_ssid_57517
105447 +inode_permission_57531 inode_permission 0 57531 NULL
105448 +acpi_dev_get_resources_57534 acpi_dev_get_resources 0 57534 NULL nohasharray
105449 +DoC_Probe_57534 DoC_Probe 1 57534 &acpi_dev_get_resources_57534
105450 +ext4_group_first_block_no_57559 ext4_group_first_block_no 0-2 57559 NULL
105451 +snd_pcm_playback_ioctl1_57569 snd_pcm_playback_ioctl1 0 57569 NULL
105452 +uio_find_mem_index_57584 uio_find_mem_index 0 57584 NULL
105453 +read_file_spectral_fft_period_57593 read_file_spectral_fft_period 3 57593 NULL
105454 +wm831x_gpio_to_irq_57614 wm831x_gpio_to_irq 2 57614 NULL
105455 +sk_stream_alloc_skb_57622 sk_stream_alloc_skb 2 57622 NULL
105456 +tx_tx_retry_template_read_57623 tx_tx_retry_template_read 3 57623 NULL
105457 +osdmap_set_max_osd_57630 osdmap_set_max_osd 2 57630 NULL nohasharray
105458 +sisusbcon_putcs_57630 sisusbcon_putcs 3 57630 &osdmap_set_max_osd_57630
105459 +mem_read_57631 mem_read 3 57631 NULL
105460 +tc3589x_irq_map_57639 tc3589x_irq_map 2 57639 NULL
105461 +sys_mq_timedsend_57661 sys_mq_timedsend 3 57661 NULL
105462 +r3964_write_57662 r3964_write 4 57662 NULL
105463 +proc_ns_readlink_57664 proc_ns_readlink 3 57664 NULL
105464 +__lgwrite_57669 __lgwrite 4 57669 NULL
105465 +ieee80211_MFIE_rate_len_57692 ieee80211_MFIE_rate_len 0 57692 NULL
105466 +f1x_match_to_this_node_57695 f1x_match_to_this_node 3 57695 NULL
105467 +check_prefree_segments_57702 check_prefree_segments 2 57702 NULL
105468 +i2400m_rx_stats_read_57706 i2400m_rx_stats_read 3 57706 NULL
105469 +ieee80211_if_read_dot11MeshHWMPconfirmationInterval_57722 ieee80211_if_read_dot11MeshHWMPconfirmationInterval 3 57722 NULL
105470 +nouveau_gpio_create__57735 nouveau_gpio_create_ 4-5 57735 NULL
105471 +compat_sys_set_mempolicy_57742 compat_sys_set_mempolicy 3 57742 NULL
105472 +ieee80211_if_fmt_dot11MeshHWMPpreqMinInterval_57762 ieee80211_if_fmt_dot11MeshHWMPpreqMinInterval 3 57762 NULL
105473 +SYSC_process_vm_writev_57776 SYSC_process_vm_writev 3-5 57776 NULL
105474 +ld2_57794 ld2 0 57794 NULL
105475 +ivtv_read_57796 ivtv_read 3 57796 NULL
105476 +generic_ptrace_peekdata_57806 generic_ptrace_peekdata 2 57806 NULL
105477 +ipath_user_sdma_num_pages_57813 ipath_user_sdma_num_pages 0 57813 NULL
105478 +usb_dump_config_57817 usb_dump_config 0 57817 NULL
105479 +bfad_debugfs_read_regrd_57830 bfad_debugfs_read_regrd 3 57830 NULL
105480 +copy_to_user_57835 copy_to_user 3 57835 NULL
105481 +flash_read_57843 flash_read 3 57843 NULL
105482 +xt_alloc_table_info_57903 xt_alloc_table_info 1 57903 NULL
105483 +emi26_writememory_57908 emi26_writememory 4 57908 NULL
105484 +iio_read_first_n_kfifo_57910 iio_read_first_n_kfifo 2 57910 NULL
105485 +memcg_caches_array_size_57918 memcg_caches_array_size 0-1 57918 NULL
105486 +twl_i2c_write_57923 twl_i2c_write 4-3 57923 NULL
105487 +__snd_gf1_look16_57925 __snd_gf1_look16 0 57925 NULL
105488 +sel_read_handle_unknown_57933 sel_read_handle_unknown 3 57933 NULL
105489 +key_algorithm_read_57946 key_algorithm_read 3 57946 NULL
105490 +ip_set_alloc_57953 ip_set_alloc 1 57953 NULL nohasharray
105491 +ioat3_dca_count_dca_slots_57953 ioat3_dca_count_dca_slots 0 57953 &ip_set_alloc_57953
105492 +i915_cache_sharing_write_57961 i915_cache_sharing_write 3 57961 NULL
105493 +hfc_empty_fifo_57972 hfc_empty_fifo 2 57972 NULL
105494 +c2_reg_user_mr_57982 c2_reg_user_mr 2-3 57982 NULL
105495 +rx_reset_counter_read_58001 rx_reset_counter_read 3 58001 NULL
105496 +regcache_rbtree_insert_to_block_58009 regcache_rbtree_insert_to_block 5 58009 NULL
105497 +iwl_dbgfs_ucode_rx_stats_read_58023 iwl_dbgfs_ucode_rx_stats_read 3 58023 NULL
105498 +io_playback_transfer_58030 io_playback_transfer 4 58030 NULL
105499 +mce_async_out_58056 mce_async_out 3 58056 NULL
105500 +ocfs2_find_leaf_58065 ocfs2_find_leaf 0 58065 NULL
105501 +dt3155_alloc_coherent_58073 dt3155_alloc_coherent 2 58073 NULL
105502 +cm4040_write_58079 cm4040_write 3 58079 NULL
105503 +udi_log_event_58105 udi_log_event 3 58105 NULL
105504 +savemem_58129 savemem 3 58129 NULL
105505 +ipv6_flowlabel_opt_58135 ipv6_flowlabel_opt 3 58135 NULL nohasharray
105506 +slhc_init_58135 slhc_init 1-2 58135 &ipv6_flowlabel_opt_58135
105507 +garmin_write_bulk_58191 garmin_write_bulk 3 58191 NULL
105508 +asix_write_cmd_58192 asix_write_cmd 5 58192 NULL
105509 +ieee80211_if_fmt_flags_58205 ieee80211_if_fmt_flags 3 58205 NULL
105510 +hva_to_pfn_58241 hva_to_pfn 1 58241 NULL
105511 +btrfsic_create_link_to_next_block_58246 btrfsic_create_link_to_next_block 4 58246 NULL
105512 +read_file_debug_58256 read_file_debug 3 58256 NULL
105513 +cfg80211_mgmt_tx_status_58266 cfg80211_mgmt_tx_status 4 58266 NULL
105514 +profile_load_58267 profile_load 3 58267 NULL
105515 +acpi_ds_build_internal_package_obj_58271 acpi_ds_build_internal_package_obj 3 58271 NULL
105516 +r100_mm_rreg_58276 r100_mm_rreg 0 58276 NULL
105517 +iscsi_decode_text_input_58292 iscsi_decode_text_input 4 58292 NULL
105518 +ieee80211_if_read_dot11MeshTTL_58307 ieee80211_if_read_dot11MeshTTL 3 58307 NULL
105519 +tx_tx_start_int_templates_read_58324 tx_tx_start_int_templates_read 3 58324 NULL
105520 +pcim_iomap_58334 pcim_iomap 3 58334 NULL
105521 +diva_init_dma_map_58336 diva_init_dma_map 3 58336 NULL
105522 +next_pidmap_58347 next_pidmap 2 58347 NULL
105523 +SyS_migrate_pages_58348 SyS_migrate_pages 2 58348 NULL
105524 +vmalloc_to_sg_58354 vmalloc_to_sg 2 58354 NULL
105525 +save_hint_58359 save_hint 2 58359 NULL
105526 +brcmf_debugfs_sdio_counter_read_58369 brcmf_debugfs_sdio_counter_read 3 58369 NULL
105527 +hash_ipportnet6_expire_58379 hash_ipportnet6_expire 3 58379 NULL
105528 +il_dbgfs_status_read_58388 il_dbgfs_status_read 3 58388 NULL
105529 +kvm_mmu_write_protect_pt_masked_58406 kvm_mmu_write_protect_pt_masked 3 58406 NULL
105530 +i2400m_pld_size_58415 i2400m_pld_size 0 58415 NULL
105531 +__mlx4_alloc_mtt_range_58418 __mlx4_alloc_mtt_range 2 58418 NULL
105532 +__iio_add_chan_devattr_58451 __iio_add_chan_devattr 0 58451 NULL
105533 +capabilities_read_58457 capabilities_read 3 58457 NULL
105534 +batadv_iv_ogm_aggr_packet_58462 batadv_iv_ogm_aggr_packet 3 58462 NULL
105535 +lpfc_idiag_baracc_read_58466 lpfc_idiag_baracc_read 3 58466 NULL nohasharray
105536 +compat_do_ipt_set_ctl_58466 compat_do_ipt_set_ctl 4 58466 &lpfc_idiag_baracc_read_58466
105537 +snd_gf1_read_addr_58483 snd_gf1_read_addr 0 58483 NULL
105538 +snd_rme96_capture_copy_58484 snd_rme96_capture_copy 5 58484 NULL
105539 +batadv_bla_is_backbone_gw_58488 batadv_bla_is_backbone_gw 3 58488 NULL
105540 +memblock_alloc_try_nid_58493 memblock_alloc_try_nid 1-2 58493 NULL
105541 +rndis_add_response_58544 rndis_add_response 2 58544 NULL
105542 +__clear_discard_58546 __clear_discard 2 58546 NULL
105543 +wrap_max_58548 wrap_max 0-1-2 58548 NULL
105544 +wep_decrypt_fail_read_58567 wep_decrypt_fail_read 3 58567 NULL
105545 +sip_sprintf_addr_port_58574 sip_sprintf_addr_port 0 58574 NULL
105546 +scnprint_mac_oui_58578 scnprint_mac_oui 3-0 58578 NULL
105547 +ea_read_inline_58589 ea_read_inline 0 58589 NULL
105548 +isku_sysfs_read_keys_thumbster_58590 isku_sysfs_read_keys_thumbster 6 58590 NULL
105549 +xip_file_read_58592 xip_file_read 3 58592 NULL
105550 +gdth_search_isa_58595 gdth_search_isa 1 58595 NULL
105551 +ebt_buf_count_58607 ebt_buf_count 0 58607 NULL
105552 +skb_copy_to_page_nocache_58624 skb_copy_to_page_nocache 6 58624 NULL
105553 +module_alloc_update_bounds_rx_58634 module_alloc_update_bounds_rx 1 58634 NULL nohasharray
105554 +efi_ioremap_58634 efi_ioremap 1-2 58634 &module_alloc_update_bounds_rx_58634
105555 +tx_tx_start_fw_gen_read_58648 tx_tx_start_fw_gen_read 3 58648 NULL
105556 +ocfs2_block_to_cluster_start_58653 ocfs2_block_to_cluster_start 2 58653 NULL
105557 +__gfn_to_pfn_58671 __gfn_to_pfn 2 58671 NULL
105558 +iwl_trans_send_cmd_58681 iwl_trans_send_cmd 0 58681 NULL
105559 +find_zero_58685 find_zero 0-1 58685 NULL nohasharray
105560 +mcs7830_set_reg_async_58685 mcs7830_set_reg_async 3 58685 &find_zero_58685
105561 +uwb_bce_print_IEs_58686 uwb_bce_print_IEs 4 58686 NULL
105562 +pci_alloc_consistent_58688 pci_alloc_consistent 0 58688 NULL
105563 +tps6586x_writes_58689 tps6586x_writes 3-2 58689 NULL
105564 +vmalloc_node_58700 vmalloc_node 1 58700 NULL
105565 +acpi_map_58725 acpi_map 1-2 58725 NULL
105566 +da9052_gpio_to_irq_58729 da9052_gpio_to_irq 2 58729 NULL
105567 +csum_exist_in_range_58730 csum_exist_in_range 2 58730 NULL
105568 +frames_to_bytes_58741 frames_to_bytes 0-2 58741 NULL
105569 +ieee80211_if_write_tkip_mic_test_58748 ieee80211_if_write_tkip_mic_test 3 58748 NULL
105570 +agp_allocate_memory_58761 agp_allocate_memory 2 58761 NULL
105571 +oblock_to_dblock_58762 oblock_to_dblock 0-2 58762 NULL
105572 +__do_config_autodelink_58763 __do_config_autodelink 3 58763 NULL
105573 +regmap_calc_reg_len_58795 regmap_calc_reg_len 0 58795 NULL
105574 +raw_send_hdrinc_58803 raw_send_hdrinc 4 58803 NULL
105575 +isku_sysfs_read_58806 isku_sysfs_read 6-5 58806 NULL
105576 +ep_read_58813 ep_read 3 58813 NULL
105577 +command_write_58841 command_write 3 58841 NULL
105578 +ocfs2_truncate_log_append_58850 ocfs2_truncate_log_append 3 58850 NULL
105579 +ath6kl_wmi_send_action_cmd_58860 ath6kl_wmi_send_action_cmd 7 58860 NULL
105580 +gs_alloc_req_58883 gs_alloc_req 2 58883 NULL
105581 +cs553x_init_one_58886 cs553x_init_one 3 58886 NULL
105582 +raw_ctl_compat_ioctl_58905 raw_ctl_compat_ioctl 3 58905 NULL
105583 +print_devstats_dot11FCSErrorCount_58919 print_devstats_dot11FCSErrorCount 3 58919 NULL
105584 +tun_chr_compat_ioctl_58921 tun_chr_compat_ioctl 3 58921 NULL
105585 +pipeline_cs_rx_packet_out_read_58926 pipeline_cs_rx_packet_out_read 3 58926 NULL
105586 +st5481_isoc_flatten_58952 st5481_isoc_flatten 0 58952 NULL
105587 +ieee80211_if_fmt_dot11MeshHWMPactivePathToRootTimeout_58965 ieee80211_if_fmt_dot11MeshHWMPactivePathToRootTimeout 3 58965 NULL
105588 +idx_to_kaddr_58968 idx_to_kaddr 0 58968 NULL
105589 +crypto_aead_ivsize_58970 crypto_aead_ivsize 0 58970 NULL
105590 +remap_to_cache_dirty_58991 remap_to_cache_dirty 4-3 58991 NULL
105591 +handle_rx_packet_58993 handle_rx_packet 3 58993 NULL
105592 +edac_align_ptr_59003 edac_align_ptr 0 59003 NULL
105593 +ep_write_59008 ep_write 3 59008 NULL
105594 +i915_ring_stop_write_59010 i915_ring_stop_write 3 59010 NULL
105595 +SyS_preadv_59029 SyS_preadv 3 59029 NULL
105596 +init_pci_cap_msi_perm_59033 init_pci_cap_msi_perm 2 59033 NULL
105597 +selinux_transaction_write_59038 selinux_transaction_write 3 59038 NULL
105598 +crypto_aead_reqsize_59039 crypto_aead_reqsize 0 59039 NULL
105599 +regmap_bulk_write_59049 regmap_bulk_write 4-2 59049 NULL
105600 +vfio_device_fops_compat_ioctl_59111 vfio_device_fops_compat_ioctl 3 59111 NULL
105601 +mmc_sd_num_wr_blocks_59112 mmc_sd_num_wr_blocks 0 59112 NULL
105602 +scsi_io_completion_59122 scsi_io_completion 2 59122 NULL
105603 +nfc_llcp_send_i_frame_59130 nfc_llcp_send_i_frame 3 59130 NULL
105604 +__iio_add_event_config_attrs_59136 __iio_add_event_config_attrs 0 59136 NULL
105605 +print_devstats_dot11RTSSuccessCount_59145 print_devstats_dot11RTSSuccessCount 3 59145 NULL nohasharray
105606 +framebuffer_alloc_59145 framebuffer_alloc 1 59145 &print_devstats_dot11RTSSuccessCount_59145
105607 +radeon_compat_ioctl_59150 radeon_compat_ioctl 2 59150 NULL
105608 +pvr2_hdw_report_clients_59152 pvr2_hdw_report_clients 3 59152 NULL
105609 +setup_window_59178 setup_window 4-2-5-7 59178 NULL
105610 +ocfs2_move_extent_59187 ocfs2_move_extent 3 59187 NULL
105611 +xfs_iext_realloc_indirect_59211 xfs_iext_realloc_indirect 2 59211 NULL
105612 +fast_rx_path_59214 fast_rx_path 3 59214 NULL
105613 +inftl_partscan_59216 inftl_partscan 0 59216 NULL
105614 +skb_transport_header_59223 skb_transport_header 0 59223 NULL
105615 +dt3155_read_59226 dt3155_read 3 59226 NULL
105616 +paging64_gpte_to_gfn_lvl_59229 paging64_gpte_to_gfn_lvl 0-1-2 59229 NULL
105617 +tty_prepare_flip_string_flags_59240 tty_prepare_flip_string_flags 4 59240 NULL
105618 +solo_v4l2_read_59247 solo_v4l2_read 3 59247 NULL
105619 +nla_len_59258 nla_len 0 59258 NULL
105620 +btrfs_insert_dir_item_59304 btrfs_insert_dir_item 4 59304 NULL
105621 +fd_copyout_59323 fd_copyout 3 59323 NULL
105622 +read_9287_modal_eeprom_59327 read_9287_modal_eeprom 3 59327 NULL
105623 +rx_defrag_in_process_called_read_59338 rx_defrag_in_process_called_read 3 59338 NULL
105624 +paging64_get_level1_sp_gpa_59346 paging64_get_level1_sp_gpa 0 59346 NULL nohasharray
105625 +xfs_attrmulti_attr_set_59346 xfs_attrmulti_attr_set 4 59346 &paging64_get_level1_sp_gpa_59346
105626 +xfs_dir2_sf_entsize_59366 xfs_dir2_sf_entsize 0-2 59366 NULL
105627 +pvr2_debugifc_print_info_59380 pvr2_debugifc_print_info 3 59380 NULL
105628 +fc_frame_alloc_fill_59394 fc_frame_alloc_fill 2 59394 NULL
105629 +isku_sysfs_read_keys_function_59412 isku_sysfs_read_keys_function 6 59412 NULL
105630 +vxge_hw_ring_rxds_per_block_get_59425 vxge_hw_ring_rxds_per_block_get 0 59425 NULL
105631 +squashfs_read_data_59440 squashfs_read_data 6 59440 NULL
105632 +SyS_sched_setaffinity_59442 SyS_sched_setaffinity 2 59442 NULL
105633 +fs_path_ensure_buf_59445 fs_path_ensure_buf 2 59445 NULL
105634 +descriptor_loc_59446 descriptor_loc 3 59446 NULL
105635 +do_compat_semctl_59449 do_compat_semctl 4 59449 NULL
105636 +virtqueue_add_buf_59470 virtqueue_add_buf 3-4 59470 NULL
105637 +ib_copy_from_udata_59502 ib_copy_from_udata 3 59502 NULL
105638 +nfsd_nrpools_59503 nfsd_nrpools 0 59503 NULL
105639 +rds_pin_pages_59507 rds_pin_pages 0-1-2 59507 NULL
105640 +mpi_get_nbits_59551 mpi_get_nbits 0 59551 NULL
105641 +tunables_write_59563 tunables_write 3 59563 NULL
105642 +memdup_user_59590 memdup_user 2 59590 NULL
105643 +tps6586x_irq_get_virq_59601 tps6586x_irq_get_virq 2 59601 NULL
105644 +mem_fwlog_free_mem_blks_read_59616 mem_fwlog_free_mem_blks_read 3 59616 NULL
105645 +mtrr_write_59622 mtrr_write 3 59622 NULL
105646 +find_first_zero_bit_59636 find_first_zero_bit 0-2 59636 NULL
105647 +ubifs_setxattr_59650 ubifs_setxattr 4 59650 NULL nohasharray
105648 +hidraw_read_59650 hidraw_read 3 59650 &ubifs_setxattr_59650
105649 +v9fs_xattr_set_acl_59651 v9fs_xattr_set_acl 4 59651 NULL
105650 +paravirt_sched_clock_59660 paravirt_sched_clock 0 59660 NULL
105651 +__devcgroup_check_permission_59665 __devcgroup_check_permission 0 59665 NULL
105652 +iwl_dbgfs_mac_params_read_59666 iwl_dbgfs_mac_params_read 3 59666 NULL
105653 +alloc_dca_provider_59670 alloc_dca_provider 2 59670 NULL
105654 +can_nocow_odirect_59681 can_nocow_odirect 3 59681 NULL
105655 +sriov_enable_59689 sriov_enable 2 59689 NULL
105656 +mic_calc_failure_read_59700 mic_calc_failure_read 3 59700 NULL
105657 +prism2_info_scanresults_59729 prism2_info_scanresults 3 59729 NULL
105658 +ieee80211_if_read_fwded_unicast_59740 ieee80211_if_read_fwded_unicast 3 59740 NULL
105659 +qib_decode_7220_sdma_errs_59745 qib_decode_7220_sdma_errs 4 59745 NULL
105660 +strnlen_59746 strnlen 0 59746 NULL
105661 +sctp_manip_pkt_59749 sctp_manip_pkt 4 59749 NULL
105662 +ext3_acl_count_59754 ext3_acl_count 0-1 59754 NULL
105663 +long_retry_limit_read_59766 long_retry_limit_read 3 59766 NULL
105664 +venus_remove_59781 venus_remove 4 59781 NULL
105665 +mei_nfc_recv_59784 mei_nfc_recv 3 59784 NULL
105666 +C_SYSC_preadv_59801 C_SYSC_preadv 3 59801 NULL
105667 +ipw_write_59807 ipw_write 3 59807 NULL
105668 +rtllib_wx_set_gen_ie_59808 rtllib_wx_set_gen_ie 3 59808 NULL
105669 +scsi_init_shared_tag_map_59812 scsi_init_shared_tag_map 2 59812 NULL
105670 +ieee80211_if_read_dot11MeshHWMPmaxPREQretries_59829 ieee80211_if_read_dot11MeshHWMPmaxPREQretries 3 59829 NULL
105671 +gspca_dev_probe2_59833 gspca_dev_probe2 4 59833 NULL
105672 +regmap_raw_write_async_59849 regmap_raw_write_async 2-4 59849 NULL
105673 +pvr2_ioread_set_sync_key_59882 pvr2_ioread_set_sync_key 3 59882 NULL
105674 +shmem_zero_setup_59885 shmem_zero_setup 0 59885 NULL nohasharray
105675 +start_transaction_59885 start_transaction 2 59885 &shmem_zero_setup_59885
105676 +ffs_prepare_buffer_59892 ffs_prepare_buffer 2 59892 NULL
105677 +swiotlb_map_page_59909 swiotlb_map_page 3 59909 NULL
105678 +il_dbgfs_rxon_flags_read_59950 il_dbgfs_rxon_flags_read 3 59950 NULL nohasharray
105679 +dapm_widget_power_read_file_59950 dapm_widget_power_read_file 3 59950 &il_dbgfs_rxon_flags_read_59950
105680 +lookup_node_59953 lookup_node 2 59953 NULL
105681 +il_dbgfs_missed_beacon_read_59956 il_dbgfs_missed_beacon_read 3 59956 NULL nohasharray
105682 +compat_ipmi_ioctl_59956 compat_ipmi_ioctl 3 59956 &il_dbgfs_missed_beacon_read_59956
105683 +kvm_set_cr3_59965 kvm_set_cr3 2 59965 NULL
105684 +fb_getput_cmap_59971 fb_getput_cmap 3 59971 NULL
105685 +__arch_hweight16_59975 __arch_hweight16 0 59975 NULL
105686 +osd_req_read_kern_59990 osd_req_read_kern 5 59990 NULL
105687 +ghash_async_setkey_60001 ghash_async_setkey 3 60001 NULL
105688 +ieee80211_if_fmt_dot11MeshAwakeWindowDuration_60006 ieee80211_if_fmt_dot11MeshAwakeWindowDuration 3 60006 NULL
105689 +rawsock_sendmsg_60010 rawsock_sendmsg 4 60010 NULL
105690 +mthca_init_cq_60011 mthca_init_cq 2 60011 NULL
105691 +register_device_60015 register_device 2-3 60015 NULL
105692 +osd_req_list_dev_partitions_60027 osd_req_list_dev_partitions 4 60027 NULL
105693 +xlog_bread_offset_60030 xlog_bread_offset 3 60030 NULL
105694 +sys_sched_getaffinity_60033 sys_sched_getaffinity 2 60033 NULL
105695 +bio_integrity_hw_sectors_60039 bio_integrity_hw_sectors 0-2 60039 NULL
105696 +do_ip6t_set_ctl_60040 do_ip6t_set_ctl 4 60040 NULL
105697 +pin_2_irq_60050 pin_2_irq 0-3 60050 NULL nohasharray
105698 +vcs_size_60050 vcs_size 0 60050 &pin_2_irq_60050
105699 +gru_alloc_gts_60056 gru_alloc_gts 3-2 60056 NULL
105700 +compat_writev_60063 compat_writev 3 60063 NULL
105701 +ieee80211_build_probe_req_60064 ieee80211_build_probe_req 6-8 60064 NULL
105702 +c4iw_num_stags_60073 c4iw_num_stags 0 60073 NULL
105703 +mp_register_gsi_60079 mp_register_gsi 2 60079 NULL
105704 +rxrpc_kernel_send_data_60083 rxrpc_kernel_send_data 3 60083 NULL
105705 +ieee80211_if_fmt_fwded_frames_60103 ieee80211_if_fmt_fwded_frames 3 60103 NULL
105706 +SYSC_msgsnd_60113 SYSC_msgsnd 3 60113 NULL
105707 +ttm_bo_kmap_60118 ttm_bo_kmap 3-2 60118 NULL
105708 +jmb38x_ms_count_slots_60164 jmb38x_ms_count_slots 0 60164 NULL
105709 +init_state_60165 init_state 2 60165 NULL
105710 +sg_build_sgat_60179 sg_build_sgat 3 60179 NULL nohasharray
105711 +jffs2_alloc_full_dirent_60179 jffs2_alloc_full_dirent 1 60179 &sg_build_sgat_60179
105712 +fuse_async_req_send_60183 fuse_async_req_send 0-3 60183 NULL
105713 +rx_rx_tkip_replays_read_60193 rx_rx_tkip_replays_read 3 60193 NULL
105714 +svc_compat_ioctl_60194 svc_compat_ioctl 3 60194 NULL
105715 +ib_send_cm_mra_60202 ib_send_cm_mra 4 60202 NULL nohasharray
105716 +qib_reg_phys_mr_60202 qib_reg_phys_mr 3 60202 &ib_send_cm_mra_60202
105717 +set_tap_pfs_60203 set_tap_pfs 3 60203 NULL
105718 +ieee80211_mgmt_tx_60209 ieee80211_mgmt_tx 7 60209 NULL
105719 +btrfs_get_token_16_60220 btrfs_get_token_16 0 60220 NULL
105720 +arizona_map_irq_60230 arizona_map_irq 2 60230 NULL nohasharray
105721 +__phys_addr_nodebug_60230 __phys_addr_nodebug 0-1 60230 &arizona_map_irq_60230
105722 +wm831x_irq_60254 wm831x_irq 2 60254 NULL
105723 +compat_sys_fcntl64_60256 compat_sys_fcntl64 3 60256 NULL
105724 +printer_write_60276 printer_write 3 60276 NULL
105725 +__pskb_pull_tail_60287 __pskb_pull_tail 2 60287 NULL
105726 +do_xip_mapping_read_60297 do_xip_mapping_read 5 60297 NULL
105727 +getDataLength_60301 getDataLength 0 60301 NULL
105728 +ceph_parse_server_name_60318 ceph_parse_server_name 2 60318 NULL
105729 +__kfifo_from_user_r_60345 __kfifo_from_user_r 3-5 60345 NULL
105730 +dccp_setsockopt_60367 dccp_setsockopt 5 60367 NULL
105731 +ubi_eba_atomic_leb_change_60379 ubi_eba_atomic_leb_change 5 60379 NULL
105732 +instruction_pointer_60384 instruction_pointer 0 60384 NULL
105733 +drop_outstanding_extent_60390 drop_outstanding_extent 0 60390 NULL
105734 +mthca_alloc_resize_buf_60394 mthca_alloc_resize_buf 3 60394 NULL
105735 +ocfs2_zero_extend_60396 ocfs2_zero_extend 3 60396 NULL
105736 +driver_names_read_60399 driver_names_read 3 60399 NULL
105737 +paging32_walk_addr_generic_60415 paging32_walk_addr_generic 4 60415 NULL
105738 +simple_alloc_urb_60420 simple_alloc_urb 3 60420 NULL
105739 +excessive_retries_read_60425 excessive_retries_read 3 60425 NULL
105740 +tstats_write_60432 tstats_write 3 60432 NULL nohasharray
105741 +kmalloc_60432 kmalloc 1 60432 &tstats_write_60432
105742 +tipc_buf_acquire_60437 tipc_buf_acquire 1 60437 NULL
105743 +rx_data_60442 rx_data 4 60442 NULL nohasharray
105744 +scaled_div32_60442 scaled_div32 1-2 60442 &rx_data_60442
105745 +tcf_csum_ipv4_igmp_60446 tcf_csum_ipv4_igmp 3 60446 NULL
105746 +snd_hda_get_num_raw_conns_60462 snd_hda_get_num_raw_conns 0 60462 NULL
105747 +crypto_shash_setkey_60483 crypto_shash_setkey 3 60483 NULL
105748 +ath_tx_init_60515 ath_tx_init 2 60515 NULL
105749 +hysdn_sched_rx_60533 hysdn_sched_rx 3 60533 NULL
105750 +v9fs_fid_readn_60544 v9fs_fid_readn 4 60544 NULL
105751 +nonpaging_map_60551 nonpaging_map 4 60551 NULL
105752 +nfsd_hashsize_60562 nfsd_hashsize 0 60562 NULL
105753 +hash_net6_expire_60598 hash_net6_expire 3 60598 NULL
105754 +skb_transport_offset_60619 skb_transport_offset 0 60619 NULL
105755 +wl1273_fm_fops_write_60621 wl1273_fm_fops_write 3 60621 NULL
105756 +acl_alloc_stack_init_60630 acl_alloc_stack_init 1 60630 NULL
105757 +ubifs_recover_leb_60639 ubifs_recover_leb 3 60639 NULL
105758 +fb_get_fscreeninfo_60640 fb_get_fscreeninfo 3 60640 NULL
105759 +if_sdio_host_to_card_60666 if_sdio_host_to_card 4 60666 NULL
105760 +ieee80211_if_read_dot11MeshConfirmTimeout_60670 ieee80211_if_read_dot11MeshConfirmTimeout 3 60670 NULL
105761 +read_vbt_r10_60679 read_vbt_r10 1 60679 NULL
105762 +init_data_container_60709 init_data_container 1 60709 NULL
105763 +snd_ice1712_ds_read_60754 snd_ice1712_ds_read 0 60754 NULL
105764 +raid_status_60755 raid_status 5 60755 NULL
105765 +sel_write_checkreqprot_60774 sel_write_checkreqprot 3 60774 NULL
105766 +opticon_write_60775 opticon_write 4 60775 NULL
105767 +acl_alloc_num_60778 acl_alloc_num 1-2 60778 NULL
105768 +snd_pcm_oss_readv3_60792 snd_pcm_oss_readv3 3 60792 NULL
105769 +pwr_tx_with_ps_read_60851 pwr_tx_with_ps_read 3 60851 NULL
105770 +alloc_buf_60864 alloc_buf 3-2 60864 NULL
105771 +generic_writepages_60871 generic_writepages 0 60871 NULL
105772 +ext4_update_inline_data_60888 ext4_update_inline_data 3 60888 NULL
105773 +iio_debugfs_read_reg_60908 iio_debugfs_read_reg 3 60908 NULL
105774 +mgt_set_varlen_60916 mgt_set_varlen 4 60916 NULL
105775 +scrub_chunk_60926 scrub_chunk 5 60926 NULL
105776 +sys_mlock_60932 sys_mlock 1 60932 NULL
105777 +pti_char_write_60960 pti_char_write 3 60960 NULL
105778 +mwifiex_alloc_sdio_mpa_buffers_60961 mwifiex_alloc_sdio_mpa_buffers 2-3 60961 NULL
105779 +__a2mp_build_60987 __a2mp_build 3 60987 NULL
105780 +hsc_msg_alloc_60990 hsc_msg_alloc 1 60990 NULL
105781 +ath6kl_lrssi_roam_read_61022 ath6kl_lrssi_roam_read 3 61022 NULL
105782 +symtab_init_61050 symtab_init 2 61050 NULL
105783 +fuse_send_write_61053 fuse_send_write 0-4 61053 NULL
105784 +bitmap_scnlistprintf_61062 bitmap_scnlistprintf 0-4-2 61062 NULL
105785 +ahash_align_buffer_size_61070 ahash_align_buffer_size 0-1-2 61070 NULL
105786 +get_derived_key_61100 get_derived_key 4 61100 NULL
105787 +alloc_chrdev_region_61112 alloc_chrdev_region 0 61112 NULL
105788 +p80211_headerlen_61119 p80211_headerlen 0 61119 NULL nohasharray
105789 +__probe_kernel_read_61119 __probe_kernel_read 3 61119 &p80211_headerlen_61119
105790 +vmemmap_alloc_block_buf_61126 vmemmap_alloc_block_buf 1 61126 NULL
105791 +afs_proc_cells_write_61139 afs_proc_cells_write 3 61139 NULL
105792 +brcmf_sdio_chip_cr4_exitdl_61143 brcmf_sdio_chip_cr4_exitdl 4 61143 NULL
105793 +__vmalloc_61168 __vmalloc 1 61168 NULL
105794 +event_oom_late_read_61175 event_oom_late_read 3 61175 NULL nohasharray
105795 +pair_device_61175 pair_device 4 61175 &event_oom_late_read_61175
105796 +sys_lsetxattr_61177 sys_lsetxattr 4 61177 NULL
105797 +SyS_prctl_61202 SyS_prctl 4 61202 NULL
105798 +arch_hibernation_header_save_61212 arch_hibernation_header_save 0 61212 NULL
105799 +smk_read_ambient_61220 smk_read_ambient 3 61220 NULL
105800 +btrfs_bio_alloc_61270 btrfs_bio_alloc 3 61270 NULL
105801 +vortex_adbdma_getlinearpos_61283 vortex_adbdma_getlinearpos 0 61283 NULL
105802 +sys_add_key_61288 sys_add_key 4 61288 NULL nohasharray
105803 +nvme_trans_copy_to_user_61288 nvme_trans_copy_to_user 3 61288 &sys_add_key_61288
105804 +ext4_issue_discard_61305 ext4_issue_discard 2 61305 NULL
105805 +xfer_from_user_61307 xfer_from_user 3 61307 NULL
105806 +timespec_to_ns_61317 timespec_to_ns 0 61317 NULL
105807 +xfrm_user_sec_ctx_size_61320 xfrm_user_sec_ctx_size 0 61320 NULL
105808 +C_SYSC_msgsnd_61330 C_SYSC_msgsnd 2-3 61330 NULL
105809 +st5481_setup_isocpipes_61340 st5481_setup_isocpipes 6-4 61340 NULL
105810 +rx_rx_wa_ba_not_expected_read_61341 rx_rx_wa_ba_not_expected_read 3 61341 NULL
105811 +f1x_map_sysaddr_to_csrow_61344 f1x_map_sysaddr_to_csrow 2 61344 NULL
105812 +debug_debug4_read_61367 debug_debug4_read 3 61367 NULL
105813 +sys_ptrace_61369 sys_ptrace 3 61369 NULL
105814 +change_xattr_61390 change_xattr 5 61390 NULL
105815 +size_entry_mwt_61400 size_entry_mwt 0 61400 NULL
105816 +dma_ops_area_alloc_61440 dma_ops_area_alloc 3-4-5 61440 NULL
105817 +tc3589x_irq_unmap_61447 tc3589x_irq_unmap 2 61447 NULL
105818 +unix_stream_sendmsg_61455 unix_stream_sendmsg 4 61455 NULL
105819 +snd_pcm_lib_writev_transfer_61483 snd_pcm_lib_writev_transfer 4-2-5 61483 NULL
105820 +btrfs_item_size_61485 btrfs_item_size 0 61485 NULL
105821 +erst_errno_61526 erst_errno 0 61526 NULL
105822 +ntfs_attr_lookup_61539 ntfs_attr_lookup 0 61539 NULL
105823 +get_ohm_of_thermistor_61545 get_ohm_of_thermistor 2 61545 NULL
105824 +o2hb_pop_count_61553 o2hb_pop_count 2 61553 NULL
105825 +dvb_net_ioctl_61559 dvb_net_ioctl 2 61559 NULL
105826 +ieee80211_if_read_rc_rateidx_mask_2ghz_61570 ieee80211_if_read_rc_rateidx_mask_2ghz 3 61570 NULL
105827 +seq_open_private_61589 seq_open_private 3 61589 NULL
105828 +__get_vm_area_61599 __get_vm_area 1 61599 NULL
105829 +nfs4_init_uniform_client_string_61601 nfs4_init_uniform_client_string 3 61601 NULL
105830 +ncp_compat_ioctl_61608 ncp_compat_ioctl 3 61608 NULL
105831 +configfs_write_file_61621 configfs_write_file 3 61621 NULL
105832 +ieee80211_if_fmt_hw_queues_61629 ieee80211_if_fmt_hw_queues 3 61629 NULL
105833 +i2o_parm_table_get_61635 i2o_parm_table_get 6 61635 NULL
105834 +snd_pcm_oss_read3_61643 snd_pcm_oss_read3 0-3 61643 NULL
105835 +resize_stripes_61650 resize_stripes 2 61650 NULL
105836 +ttm_page_pool_free_61661 ttm_page_pool_free 2 61661 NULL
105837 +insert_one_name_61668 insert_one_name 7 61668 NULL
105838 +lock_loop_61681 lock_loop 1 61681 NULL
105839 +__do_tune_cpucache_61684 __do_tune_cpucache 2 61684 NULL
105840 +filter_read_61692 filter_read 3 61692 NULL
105841 +iov_length_61716 iov_length 0 61716 NULL
105842 +fragmentation_threshold_read_61718 fragmentation_threshold_read 3 61718 NULL
105843 +read_file_interrupt_61742 read_file_interrupt 3 61742 NULL nohasharray
105844 +read_file_regval_61742 read_file_regval 3 61742 &read_file_interrupt_61742
105845 +batadv_dat_snoop_incoming_arp_reply_61801 batadv_dat_snoop_incoming_arp_reply 3 61801 NULL
105846 +tps80031_irq_init_61830 tps80031_irq_init 3 61830 NULL
105847 +bfad_debugfs_write_regwr_61841 bfad_debugfs_write_regwr 3 61841 NULL
105848 +fs_path_prepare_for_add_61854 fs_path_prepare_for_add 2 61854 NULL
105849 +evdev_compute_buffer_size_61863 evdev_compute_buffer_size 0 61863 NULL
105850 +SYSC_lsetxattr_61869 SYSC_lsetxattr 4 61869 NULL
105851 +get_fw_name_61874 get_fw_name 3 61874 NULL
105852 +free_init_pages_61875 free_init_pages 2 61875 NULL
105853 +twl4030_sih_setup_61878 twl4030_sih_setup 3 61878 NULL
105854 +ieee80211_rtl_auth_challenge_61897 ieee80211_rtl_auth_challenge 3 61897 NULL
105855 +ax25_addr_size_61899 ax25_addr_size 0 61899 NULL nohasharray
105856 +cxgb4_pktgl_to_skb_61899 cxgb4_pktgl_to_skb 2 61899 &ax25_addr_size_61899
105857 +clear_refs_write_61904 clear_refs_write 3 61904 NULL
105858 +rx_filter_arp_filter_read_61914 rx_filter_arp_filter_read 3 61914 NULL
105859 +au0828_init_isoc_61917 au0828_init_isoc 3-2 61917 NULL
105860 +sctp_sendmsg_61919 sctp_sendmsg 4 61919 NULL
105861 +send_bulk_static_data_61932 send_bulk_static_data 3 61932 NULL
105862 +gfn_to_pfn_memslot_atomic_61947 gfn_to_pfn_memslot_atomic 2 61947 NULL
105863 +il4965_ucode_rx_stats_read_61948 il4965_ucode_rx_stats_read 3 61948 NULL
105864 +squashfs_read_id_index_table_61961 squashfs_read_id_index_table 4 61961 NULL
105865 +mlx4_alloc_mtt_range_61966 mlx4_alloc_mtt_range 2 61966 NULL
105866 +ocfs2_quota_write_61972 ocfs2_quota_write 5-4 61972 NULL
105867 +cow_file_range_61979 cow_file_range 3 61979 NULL
105868 +module_alloc_exec_61991 module_alloc_exec 1 61991 NULL
105869 +virtnet_send_command_61993 virtnet_send_command 5-6 61993 NULL
105870 +xt_compat_match_offset_62011 xt_compat_match_offset 0 62011 NULL
105871 +jffs2_do_unlink_62020 jffs2_do_unlink 4 62020 NULL
105872 +SYSC_select_62024 SYSC_select 1 62024 NULL
105873 +pmcraid_build_passthrough_ioadls_62034 pmcraid_build_passthrough_ioadls 2 62034 NULL
105874 +ppp_tx_cp_62044 ppp_tx_cp 5 62044 NULL
105875 +sctp_user_addto_chunk_62047 sctp_user_addto_chunk 2-3 62047 NULL
105876 +do_pselect_62061 do_pselect 1 62061 NULL
105877 +pcpu_alloc_bootmem_62074 pcpu_alloc_bootmem 2-3 62074 NULL
105878 +get_domain_for_dev_62099 get_domain_for_dev 2 62099 NULL
105879 +ipath_user_sdma_pin_pages_62100 ipath_user_sdma_pin_pages 3-5 62100 NULL
105880 +jffs2_security_setxattr_62107 jffs2_security_setxattr 4 62107 NULL
105881 +llc_ui_header_len_62131 llc_ui_header_len 0 62131 NULL
105882 +qib_diag_write_62133 qib_diag_write 3 62133 NULL
105883 +ql_status_62135 ql_status 5 62135 NULL
105884 +video_usercopy_62151 video_usercopy 2 62151 NULL
105885 +prism54_wpa_bss_ie_get_62173 prism54_wpa_bss_ie_get 0 62173 NULL
105886 +alloc_upcall_62186 alloc_upcall 2 62186 NULL
105887 +btrfs_xattr_acl_set_62203 btrfs_xattr_acl_set 4 62203 NULL
105888 +sock_kmalloc_62205 sock_kmalloc 2 62205 NULL
105889 +SYSC_setgroups16_62232 SYSC_setgroups16 1 62232 NULL
105890 +nfsd_read_file_62241 nfsd_read_file 6 62241 NULL
105891 +allocate_partition_62245 allocate_partition 4 62245 NULL
105892 +__qib_get_user_pages_62287 __qib_get_user_pages 1-2 62287 NULL
105893 +il_dbgfs_sram_read_62296 il_dbgfs_sram_read 3 62296 NULL
105894 +sparse_early_usemaps_alloc_pgdat_section_62304 sparse_early_usemaps_alloc_pgdat_section 2 62304 NULL
105895 +subsystem_filter_read_62310 subsystem_filter_read 3 62310 NULL
105896 +udf_sb_alloc_partition_maps_62313 udf_sb_alloc_partition_maps 2 62313 NULL
105897 +Wb35Reg_BurstWrite_62327 Wb35Reg_BurstWrite 4 62327 NULL
105898 +subseq_list_62332 subseq_list 3-0 62332 NULL
105899 +flash_write_62354 flash_write 3 62354 NULL
105900 +set_wd_exp_mode_pfs_62372 set_wd_exp_mode_pfs 3 62372 NULL
105901 +twl_get_num_slaves_62386 twl_get_num_slaves 0 62386 NULL
105902 +rx_rx_timeout_read_62389 rx_rx_timeout_read 3 62389 NULL
105903 +altera_irscan_62396 altera_irscan 2 62396 NULL
105904 +set_ssp_62411 set_ssp 4 62411 NULL
105905 +unmap_single_62423 unmap_single 2 62423 NULL
105906 +netdev_alloc_skb_62437 netdev_alloc_skb 2 62437 NULL
105907 +e1000_check_copybreak_62448 e1000_check_copybreak 3 62448 NULL
105908 +ip_vs_icmp_xmit_v6_62477 ip_vs_icmp_xmit_v6 4 62477 NULL
105909 +ceph_dns_resolve_name_62488 ceph_dns_resolve_name 2 62488 NULL
105910 +remove_mapping_62491 remove_mapping 2 62491 NULL
105911 +mlx4_en_create_rx_ring_62498 mlx4_en_create_rx_ring 3 62498 NULL
105912 +ext_rts51x_sd_execute_read_data_62501 ext_rts51x_sd_execute_read_data 9 62501 NULL
105913 +pep_sendmsg_62524 pep_sendmsg 4 62524 NULL nohasharray
105914 +i915_next_seqno_read_62524 i915_next_seqno_read 3 62524 &pep_sendmsg_62524
105915 +test_iso_queue_62534 test_iso_queue 5 62534 NULL
105916 +debugfs_read_62535 debugfs_read 3 62535 NULL
105917 +sco_sock_sendmsg_62542 sco_sock_sendmsg 4 62542 NULL
105918 +qib_refresh_qsfp_cache_62547 qib_refresh_qsfp_cache 0 62547 NULL
105919 +xfrm_user_policy_62573 xfrm_user_policy 4 62573 NULL
105920 +get_subdir_62581 get_subdir 3 62581 NULL
105921 +prism2_send_mgmt_62605 prism2_send_mgmt 4 62605 NULL nohasharray
105922 +nfsd_vfs_read_62605 nfsd_vfs_read 6 62605 &prism2_send_mgmt_62605
105923 +iommu_area_alloc_62619 iommu_area_alloc 2-3-4-7 62619 NULL
105924 +ems_pcmcia_add_card_62627 ems_pcmcia_add_card 2 62627 NULL
105925 +compat_rangeinfo_62630 compat_rangeinfo 2 62630 NULL
105926 +lpfc_sli4_queue_alloc_62646 lpfc_sli4_queue_alloc 3 62646 NULL
105927 +memblock_alloc_nid_62652 memblock_alloc_nid 1-2 62652 NULL
105928 +ima_file_mmap_62663 ima_file_mmap 0 62663 NULL
105929 +write_62671 write 3 62671 NULL
105930 +printer_req_alloc_62687 printer_req_alloc 2 62687 NULL
105931 +qla4_83xx_rd_reg_62693 qla4_83xx_rd_reg 0 62693 NULL
105932 +ioremap_wc_62695 ioremap_wc 1-2 62695 NULL
105933 +bioset_integrity_create_62708 bioset_integrity_create 2 62708 NULL
105934 +rdm_62719 rdm 0 62719 NULL
105935 +key_replays_read_62746 key_replays_read 3 62746 NULL
105936 +init_chip_wc_pat_62768 init_chip_wc_pat 2 62768 NULL
105937 +ax25_sendmsg_62770 ax25_sendmsg 4 62770 NULL
105938 +page_key_alloc_62771 page_key_alloc 0 62771 NULL
105939 +C_SYSC_ipc_62776 C_SYSC_ipc 5-3-6-4 62776 NULL
105940 +tracing_total_entries_read_62817 tracing_total_entries_read 3 62817 NULL
105941 +__rounddown_pow_of_two_62836 __rounddown_pow_of_two 0 62836 NULL
105942 +bio_get_nr_vecs_62838 bio_get_nr_vecs 0 62838 NULL
105943 +xlog_recover_add_to_trans_62839 xlog_recover_add_to_trans 4 62839 NULL
105944 +rx_fcs_err_read_62844 rx_fcs_err_read 3 62844 NULL
105945 +set_swbp_62853 set_swbp 3 62853 NULL
105946 +hpi_read_word_62862 hpi_read_word 0 62862 NULL
105947 +aoechr_write_62883 aoechr_write 3 62883 NULL
105948 +resize_info_buffer_62889 resize_info_buffer 2 62889 NULL
105949 +if_spi_host_to_card_62890 if_spi_host_to_card 4 62890 NULL
105950 +mempool_create_slab_pool_62907 mempool_create_slab_pool 1 62907 NULL
105951 +getdqbuf_62908 getdqbuf 1 62908 NULL
105952 +try_async_pf_62914 try_async_pf 3 62914 NULL nohasharray
105953 +SyS_remap_file_pages_62914 SyS_remap_file_pages 1 62914 &try_async_pf_62914
105954 +agp_create_user_memory_62955 agp_create_user_memory 1 62955 NULL
105955 +__vb2_perform_fileio_63033 __vb2_perform_fileio 3 63033 NULL
105956 +pipeline_defrag_to_csum_swi_read_63037 pipeline_defrag_to_csum_swi_read 3 63037 NULL
105957 +scsi_host_alloc_63041 scsi_host_alloc 2 63041 NULL
105958 +gso_pskb_expand_head_63052 gso_pskb_expand_head 2 63052 NULL
105959 +unlink1_63059 unlink1 3 63059 NULL
105960 +xen_set_nslabs_63066 xen_set_nslabs 0 63066 NULL
105961 +ocfs2_decrease_refcount_63078 ocfs2_decrease_refcount 3 63078 NULL
105962 +sep_prepare_input_output_dma_table_in_dcb_63087 sep_prepare_input_output_dma_table_in_dcb 4-5-2-3 63087 NULL
105963 +iwl_dbgfs_sensitivity_read_63116 iwl_dbgfs_sensitivity_read 3 63116 NULL
105964 +alloc_cblock_63133 alloc_cblock 2 63133 NULL
105965 +ib_send_cm_rtu_63138 ib_send_cm_rtu 3 63138 NULL
105966 +xen_zap_pfn_range_63149 xen_zap_pfn_range 1 63149 NULL
105967 +smk_write_revoke_subj_63173 smk_write_revoke_subj 3 63173 NULL
105968 +vme_master_read_63221 vme_master_read 0 63221 NULL
105969 +SyS_gethostname_63227 SyS_gethostname 2 63227 NULL
105970 +module_alloc_update_bounds_rw_63233 module_alloc_update_bounds_rw 1 63233 NULL
105971 +ptp_read_63251 ptp_read 4 63251 NULL
105972 +raid5_resize_63306 raid5_resize 2 63306 NULL
105973 +proc_info_read_63344 proc_info_read 3 63344 NULL
105974 +ps_upsd_max_sptime_read_63362 ps_upsd_max_sptime_read 3 63362 NULL
105975 +idmouse_read_63374 idmouse_read 3 63374 NULL
105976 +edac_pci_alloc_ctl_info_63388 edac_pci_alloc_ctl_info 1 63388 NULL nohasharray
105977 +usbnet_read_cmd_nopm_63388 usbnet_read_cmd_nopm 7 63388 &edac_pci_alloc_ctl_info_63388
105978 +rxpipe_missed_beacon_host_int_trig_rx_data_read_63405 rxpipe_missed_beacon_host_int_trig_rx_data_read 3 63405 NULL
105979 +nouveau_event_create_63411 nouveau_event_create 1 63411 NULL
105980 +l2cap_sock_sendmsg_63427 l2cap_sock_sendmsg 4 63427 NULL
105981 +sep_prepare_input_output_dma_table_63429 sep_prepare_input_output_dma_table 2-4-3 63429 NULL
105982 +kone_send_63435 kone_send 4 63435 NULL
105983 +gfn_to_hva_many_63437 gfn_to_hva_many 0-2 63437 NULL
105984 +nfsd_symlink_63442 nfsd_symlink 6 63442 NULL
105985 +ipv6_is_mld_63461 ipv6_is_mld 3 63461 NULL
105986 +snd_info_entry_write_63474 snd_info_entry_write 3 63474 NULL
105987 +reada_find_extent_63486 reada_find_extent 2 63486 NULL
105988 +read_kcore_63488 read_kcore 3 63488 NULL
105989 +save_hint_63497 save_hint 2 63497 NULL
105990 +snd_pcm_plug_write_transfer_63503 snd_pcm_plug_write_transfer 0-3 63503 NULL
105991 +ubi_more_leb_change_data_63534 ubi_more_leb_change_data 4 63534 NULL
105992 +if_sdio_read_scratch_63540 if_sdio_read_scratch 0 63540 NULL
105993 +append_to_buffer_63550 append_to_buffer 3 63550 NULL
105994 +dbg_leb_write_63555 dbg_leb_write 4-5 63555 NULL nohasharray
105995 +kvm_write_guest_page_63555 kvm_write_guest_page 5-2 63555 &dbg_leb_write_63555
105996 +ubifs_lpt_scan_nolock_63572 ubifs_lpt_scan_nolock 0 63572 NULL
105997 +iwch_reg_user_mr_63575 iwch_reg_user_mr 2-3 63575 NULL
105998 +ocfs2_calc_trunc_pos_63576 ocfs2_calc_trunc_pos 4 63576 NULL
105999 +rproc_alloc_63577 rproc_alloc 5 63577 NULL
106000 +ext3_clear_blocks_63597 ext3_clear_blocks 4-5 63597 NULL
106001 +module_alloc_63630 module_alloc 1 63630 NULL
106002 +ntfs_malloc_nofs_nofail_63631 ntfs_malloc_nofs_nofail 1 63631 NULL
106003 +symbol_build_supp_rates_63634 symbol_build_supp_rates 0 63634 NULL
106004 +_ubh_find_next_zero_bit__63640 _ubh_find_next_zero_bit_ 4-5-3 63640 NULL
106005 +proc_loginuid_write_63648 proc_loginuid_write 3 63648 NULL
106006 +ValidateDSDParamsChecksum_63654 ValidateDSDParamsChecksum 3 63654 NULL
106007 +hidraw_ioctl_63658 hidraw_ioctl 2 63658 NULL
106008 +vbi_read_63673 vbi_read 3 63673 NULL nohasharray
106009 +xen_register_pirq_63673 xen_register_pirq 1-2 63673 &vbi_read_63673
106010 +alloc_tty_driver_63681 alloc_tty_driver 1 63681 NULL
106011 +mkiss_compat_ioctl_63686 mkiss_compat_ioctl 4 63686 NULL
106012 +arizona_irq_map_63709 arizona_irq_map 2 63709 NULL
106013 +nouveau_object_create__63715 nouveau_object_create_ 5 63715 NULL
106014 +btrfs_insert_delayed_dir_index_63720 btrfs_insert_delayed_dir_index 4 63720 NULL
106015 +selinux_secctx_to_secid_63744 selinux_secctx_to_secid 2 63744 NULL
106016 +snd_pcm_oss_read1_63771 snd_pcm_oss_read1 3 63771 NULL
106017 +snd_opl4_mem_proc_read_63774 snd_opl4_mem_proc_read 5 63774 NULL
106018 +spidev_compat_ioctl_63778 spidev_compat_ioctl 2-3 63778 NULL
106019 +snapshot_compat_ioctl_63792 snapshot_compat_ioctl 3 63792 NULL
106020 +kovaplus_sysfs_write_63795 kovaplus_sysfs_write 6 63795 NULL
106021 +mwifiex_11n_create_rx_reorder_tbl_63806 mwifiex_11n_create_rx_reorder_tbl 4 63806 NULL
106022 +copy_nodes_to_user_63807 copy_nodes_to_user 2 63807 NULL
106023 +dec_zcache_eph_zbytes_63817 dec_zcache_eph_zbytes 1 63817 NULL
106024 +prepare_copy_63826 prepare_copy 2 63826 NULL
106025 +sel_write_load_63830 sel_write_load 3 63830 NULL
106026 +proc_pid_attr_write_63845 proc_pid_attr_write 3 63845 NULL
106027 +init_map_ipmac_63896 init_map_ipmac 4-3 63896 NULL
106028 +divas_write_63901 divas_write 3 63901 NULL
106029 +xhci_alloc_stream_info_63902 xhci_alloc_stream_info 3 63902 NULL
106030 +uvc_alloc_urb_buffers_63922 uvc_alloc_urb_buffers 0-3-2 63922 NULL
106031 +snd_compr_write_63923 snd_compr_write 3 63923 NULL
106032 +acpi_ev_get_gpe_xrupt_block_63924 acpi_ev_get_gpe_xrupt_block 1 63924 NULL
106033 +tipc_send2port_63935 tipc_send2port 5 63935 NULL
106034 +afs_send_simple_reply_63940 afs_send_simple_reply 3 63940 NULL
106035 +__team_options_register_63941 __team_options_register 3 63941 NULL
106036 +macvtap_recvmsg_63949 macvtap_recvmsg 4 63949 NULL
106037 +ieee80211_if_fmt_rc_rateidx_mcs_mask_2ghz_63968 ieee80211_if_fmt_rc_rateidx_mcs_mask_2ghz 3 63968 NULL
106038 +ieee80211_authentication_req_63973 ieee80211_authentication_req 3 63973 NULL
106039 +diva_xdi_write_63975 diva_xdi_write 4 63975 NULL
106040 +read_file_frameerrors_64001 read_file_frameerrors 3 64001 NULL
106041 +kmemdup_64015 kmemdup 2 64015 NULL
106042 +SyS_rt_sigpending_64018 SyS_rt_sigpending 2 64018 NULL
106043 +offset_to_vaddr_64025 offset_to_vaddr 0-2 64025 NULL nohasharray
106044 +tcf_csum_skb_nextlayer_64025 tcf_csum_skb_nextlayer 3 64025 &offset_to_vaddr_64025
106045 +dbAllocDmapLev_64030 dbAllocDmapLev 0 64030 NULL
106046 +resize_async_buffer_64031 resize_async_buffer 4 64031 NULL
106047 +sep_lli_table_secure_dma_64042 sep_lli_table_secure_dma 2-3 64042 NULL
106048 +tfrc_calc_x_reverse_lookup_64057 tfrc_calc_x_reverse_lookup 0 64057 NULL
106049 +get_u8_64076 get_u8 0 64076 NULL
106050 +sl_realloc_bufs_64086 sl_realloc_bufs 2 64086 NULL
106051 +vmci_handle_arr_get_size_64088 vmci_handle_arr_get_size 0 64088 NULL
106052 +lbs_highrssi_read_64089 lbs_highrssi_read 3 64089 NULL
106053 +SyS_mq_timedsend_64107 SyS_mq_timedsend 3 64107 NULL
106054 +do_load_xattr_datum_64118 do_load_xattr_datum 0 64118 NULL
106055 +ol_quota_entries_per_block_64122 ol_quota_entries_per_block 0 64122 NULL
106056 +ext4_prepare_inline_data_64124 ext4_prepare_inline_data 3 64124 NULL
106057 +init_bch_64130 init_bch 1-2 64130 NULL
106058 +SYSC_ptrace_64136 SYSC_ptrace 3-4 64136 NULL
106059 +uea_idma_write_64139 uea_idma_write 3 64139 NULL
106060 +ablkcipher_copy_iv_64140 ablkcipher_copy_iv 3 64140 NULL
106061 +dlfb_ops_write_64150 dlfb_ops_write 3 64150 NULL
106062 +__comedi_buf_alloc_64155 __comedi_buf_alloc 3 64155 NULL
106063 +cpumask_scnprintf_64170 cpumask_scnprintf 2 64170 NULL
106064 +read_pulse_64227 read_pulse 0-3 64227 NULL
106065 +header_len_64232 header_len 0 64232 NULL
106066 +redrat3_transmit_ir_64244 redrat3_transmit_ir 3 64244 NULL
106067 +io_capture_transfer_64276 io_capture_transfer 4 64276 NULL
106068 +btrfs_file_extent_offset_64278 btrfs_file_extent_offset 0 64278 NULL
106069 +sta_current_tx_rate_read_64286 sta_current_tx_rate_read 3 64286 NULL
106070 +event_id_read_64288 event_id_read 3 64288 NULL nohasharray
106071 +xfs_dir_cilookup_result_64288 xfs_dir_cilookup_result 3 64288 &event_id_read_64288
106072 +ocfs2_block_check_validate_bhs_64302 ocfs2_block_check_validate_bhs 0 64302 NULL
106073 +error_error_bar_retry_read_64305 error_error_bar_retry_read 3 64305 NULL
106074 +ffz_64324 ffz 0 64324 NULL
106075 +map_region_64328 map_region 1 64328 NULL
106076 +sisusbcon_clear_64329 sisusbcon_clear 4-3-5 64329 NULL
106077 +ts_write_64336 ts_write 3 64336 NULL
106078 +usbtmc_write_64340 usbtmc_write 3 64340 NULL
106079 +do_write_orph_node_64343 do_write_orph_node 2 64343 NULL
106080 +ft1000_read_reg_64352 ft1000_read_reg 0 64352 NULL
106081 +bnx2x_vfop_mcast_cmd_64354 bnx2x_vfop_mcast_cmd 5 64354 NULL
106082 +wlc_phy_loadsampletable_nphy_64367 wlc_phy_loadsampletable_nphy 3 64367 NULL
106083 +ilo_write_64378 ilo_write 3 64378 NULL
106084 +btrfs_map_block_64379 btrfs_map_block 3 64379 NULL
106085 +vmcs_readl_64381 vmcs_readl 0 64381 NULL
106086 +nilfs_alloc_seg_bio_64383 nilfs_alloc_seg_bio 3 64383 NULL
106087 +ir_lirc_transmit_ir_64403 ir_lirc_transmit_ir 3 64403 NULL
106088 +pidlist_allocate_64404 pidlist_allocate 1 64404 NULL
106089 +rx_hdr_overflow_read_64407 rx_hdr_overflow_read 3 64407 NULL
106090 +snd_card_create_64418 snd_card_create 4 64418 NULL nohasharray
106091 +keyctl_get_security_64418 keyctl_get_security 3 64418 &snd_card_create_64418
106092 +nl80211_send_mgmt_64419 nl80211_send_mgmt 7 64419 NULL
106093 +oom_adj_write_64428 oom_adj_write 3 64428 NULL
106094 +ext4_trim_extent_64431 ext4_trim_extent 4 64431 NULL nohasharray
106095 +read_file_spectral_short_repeat_64431 read_file_spectral_short_repeat 3 64431 &ext4_trim_extent_64431
106096 +cap_capable_64462 cap_capable 0 64462 NULL
106097 +ip_vs_create_timeout_table_64478 ip_vs_create_timeout_table 2 64478 NULL
106098 +single_open_size_64483 single_open_size 4 64483 NULL
106099 +p54_parse_rssical_64493 p54_parse_rssical 3 64493 NULL
106100 +msg_data_sz_64503 msg_data_sz 0 64503 NULL
106101 +remove_uuid_64505 remove_uuid 4 64505 NULL nohasharray
106102 +handle_abnormal_pfn_64505 handle_abnormal_pfn 3 64505 &remove_uuid_64505
106103 +crypto_blkcipher_alignmask_64520 crypto_blkcipher_alignmask 0 64520 NULL
106104 +opera1_usb_i2c_msgxfer_64521 opera1_usb_i2c_msgxfer 4 64521 NULL
106105 +ses_send_diag_64527 ses_send_diag 4 64527 NULL
106106 +prctl_set_mm_64538 prctl_set_mm 3 64538 NULL
106107 +SyS_bind_64544 SyS_bind 3 64544 NULL
106108 +rbd_obj_read_sync_64554 rbd_obj_read_sync 3-4 64554 NULL
106109 +__spi_sync_64561 __spi_sync 0 64561 NULL
106110 +__apei_exec_run_64563 __apei_exec_run 0 64563 NULL
106111 +fanotify_write_64623 fanotify_write 3 64623 NULL
106112 +to_dblock_64655 to_dblock 0-1 64655 NULL
106113 +regmap_read_debugfs_64658 regmap_read_debugfs 5 64658 NULL
106114 +ocfs2_read_xattr_block_64661 ocfs2_read_xattr_block 0 64661 NULL nohasharray
106115 +tlbflush_read_file_64661 tlbflush_read_file 3 64661 &ocfs2_read_xattr_block_64661
106116 +efx_tsoh_get_buffer_64664 efx_tsoh_get_buffer 3 64664 NULL
106117 +rx_rx_out_of_mpdu_nodes_read_64668 rx_rx_out_of_mpdu_nodes_read 3 64668 NULL
106118 +nr_free_zone_pages_64680 nr_free_zone_pages 0 64680 NULL
106119 +sec_bulk_write_64691 sec_bulk_write 2-3 64691 NULL
106120 +__feat_register_sp_64712 __feat_register_sp 6 64712 NULL
106121 +snd_pcm_oss_capture_position_fixup_64713 snd_pcm_oss_capture_position_fixup 0 64713 NULL
106122 +dapm_bias_read_file_64715 dapm_bias_read_file 3 64715 NULL
106123 +atomic_add_return_64720 atomic_add_return 0-1 64720 NULL
106124 +i2400m_msg_to_dev_64722 i2400m_msg_to_dev 3 64722 NULL
106125 +squashfs_read_inode_lookup_table_64739 squashfs_read_inode_lookup_table 4 64739 NULL
106126 +bio_map_kern_64751 bio_map_kern 3 64751 NULL
106127 +rt2x00debug_write_csr_64753 rt2x00debug_write_csr 3 64753 NULL
106128 +isr_low_rssi_read_64789 isr_low_rssi_read 3 64789 NULL
106129 +regmap_reg_ranges_read_file_64798 regmap_reg_ranges_read_file 3 64798 NULL
106130 +nfsctl_transaction_write_64800 nfsctl_transaction_write 3 64800 NULL
106131 +megaraid_change_queue_depth_64815 megaraid_change_queue_depth 2 64815 NULL
106132 +ecryptfs_send_miscdev_64816 ecryptfs_send_miscdev 2 64816 NULL
106133 +vaddr_get_pfn_64818 vaddr_get_pfn 1 64818 NULL
106134 +gfn_to_page_64826 gfn_to_page 2 64826 NULL
106135 +do_kimage_alloc_64827 do_kimage_alloc 3 64827 NULL
106136 +altera_set_dr_pre_64862 altera_set_dr_pre 2 64862 NULL
106137 +gfn_to_pfn_64870 gfn_to_pfn 2 64870 NULL
106138 +ffs_epfile_io_64886 ffs_epfile_io 3 64886 NULL
106139 +ieee80211_if_read_ave_beacon_64924 ieee80211_if_read_ave_beacon 3 64924 NULL
106140 +ubifs_wbuf_write_nolock_64946 ubifs_wbuf_write_nolock 3 64946 NULL
106141 +snd_rawmidi_ioctl_compat_64954 snd_rawmidi_ioctl_compat 3 64954 NULL
106142 +ip_options_get_from_user_64958 ip_options_get_from_user 4 64958 NULL
106143 +acpi_os_install_interrupt_handler_64968 acpi_os_install_interrupt_handler 1 64968 NULL
106144 +traceprobe_probes_write_64969 traceprobe_probes_write 3 64969 NULL
106145 +suspend_dtim_interval_read_64971 suspend_dtim_interval_read 3 64971 NULL
106146 +ext2_group_first_block_no_64972 ext2_group_first_block_no 0-2 64972 NULL
106147 +pskb_pull_65005 pskb_pull 2 65005 NULL
106148 +unifi_write_65012 unifi_write 3 65012 NULL
106149 +crypto_ahash_digestsize_65014 crypto_ahash_digestsize 0 65014 NULL
106150 +nfs_readdata_alloc_65015 nfs_readdata_alloc 2 65015 NULL
106151 +insert_dent_65034 insert_dent 7 65034 NULL
106152 +compat_put_ushort_65040 compat_put_ushort 1 65040 NULL
106153 +brcmf_sdcard_rwdata_65041 brcmf_sdcard_rwdata 5 65041 NULL
106154 +tty_audit_log_65043 tty_audit_log 8 65043 NULL
106155 +compat_cmdtest_65064 compat_cmdtest 2 65064 NULL
106156 +count_run_65072 count_run 0-2-4 65072 NULL nohasharray
106157 +bnx2fc_process_l2_frame_compl_65072 bnx2fc_process_l2_frame_compl 3 65072 &count_run_65072
106158 +__alloc_bootmem_node_high_65076 __alloc_bootmem_node_high 2-3 65076 NULL
106159 +ocfs2_truncate_cluster_pages_65086 ocfs2_truncate_cluster_pages 2 65086 NULL
106160 +ath9k_dump_mci_btcoex_65090 ath9k_dump_mci_btcoex 0 65090 NULL
106161 +C_SYSC_semctl_65091 C_SYSC_semctl 4 65091 NULL
106162 +ssb_bus_register_65183 ssb_bus_register 3 65183 NULL
106163 +rx_rx_done_read_65217 rx_rx_done_read 3 65217 NULL
106164 +print_endpoint_stat_65232 print_endpoint_stat 3-4-0 65232 NULL
106165 +whci_n_caps_65247 whci_n_caps 0 65247 NULL
106166 +atomic_long_read_65263 atomic_long_read 0 65263 NULL
106167 +kmem_zalloc_greedy_65268 kmem_zalloc_greedy 3-2 65268 NULL
106168 +kmalloc_parameter_65279 kmalloc_parameter 1 65279 NULL
106169 +compat_core_sys_select_65285 compat_core_sys_select 1 65285 NULL
106170 +mpi_set_buffer_65294 mpi_set_buffer 3 65294 NULL
106171 +redirected_tty_write_65297 redirected_tty_write 3 65297 NULL
106172 +get_var_len_65304 get_var_len 0 65304 NULL
106173 +unpack_array_65318 unpack_array 0 65318 NULL
106174 +pci_vpd_find_tag_65325 pci_vpd_find_tag 0-2 65325 NULL
106175 +dccp_setsockopt_service_65336 dccp_setsockopt_service 4 65336 NULL
106176 +init_list_set_65351 init_list_set 2-3 65351 NULL
106177 +dma_rx_requested_read_65354 dma_rx_requested_read 3 65354 NULL
106178 +batadv_tt_save_orig_buffer_65361 batadv_tt_save_orig_buffer 4 65361 NULL
106179 +alloc_cpu_rmap_65363 alloc_cpu_rmap 1 65363 NULL
106180 +__ext4_new_inode_65370 __ext4_new_inode 5 65370 NULL
106181 +strchr_65372 strchr 0 65372 NULL nohasharray
106182 +SyS_writev_65372 SyS_writev 3 65372 &strchr_65372
106183 +__alloc_bootmem_nopanic_65397 __alloc_bootmem_nopanic 1-2 65397 NULL
106184 +trace_seq_to_user_65398 trace_seq_to_user 3 65398 NULL
106185 +mtd_get_device_size_65400 mtd_get_device_size 0 65400 NULL
106186 +iio_device_add_channel_sysfs_65406 iio_device_add_channel_sysfs 0 65406 NULL
106187 +ocfs2_write_begin_nolock_65410 ocfs2_write_begin_nolock 3-4 65410 NULL
106188 +drm_calloc_large_65421 drm_calloc_large 1-2 65421 NULL
106189 +xpc_kzalloc_cacheline_aligned_65433 xpc_kzalloc_cacheline_aligned 1 65433 NULL
106190 +usb_alloc_coherent_65444 usb_alloc_coherent 2 65444 NULL
106191 +ath_rx_edma_init_65483 ath_rx_edma_init 2 65483 NULL
106192 +dpcm_state_read_file_65489 dpcm_state_read_file 3 65489 NULL
106193 +alloc_dr_65495 alloc_dr 2 65495 NULL
106194 diff --git a/tools/gcc/size_overflow_plugin.c b/tools/gcc/size_overflow_plugin.c
106198 +++ b/tools/gcc/size_overflow_plugin.c
106201 + * Copyright 2011, 2012, 2013 by Emese Revfy <re.emese@gmail.com>
106202 + * Licensed under the GPL v2, or (at your option) v3
106205 + * http://www.grsecurity.net/~ephox/overflow_plugin/
106208 + * http://forums.grsecurity.net/viewtopic.php?f=7&t=3043
106210 + * This plugin recomputes expressions of function arguments marked by a size_overflow attribute
106211 + * with double integer precision (DImode/TImode for 32/64 bit integer types).
106212 + * The recomputed argument is checked against TYPE_MAX and an event is logged on overflow and the triggering process is killed.
106215 + * $ gcc -I`gcc -print-file-name=plugin`/include/c-family -I`gcc -print-file-name=plugin`/include -fPIC -shared -O2 -ggdb -Wall -W -o size_overflow_plugin.so size_overflow_plugin.c
106216 + * $ gcc -fplugin=size_overflow_plugin.so test.c -O2
106219 +#include "gcc-plugin.h"
106222 +#include "coretypes.h"
106224 +#include "tree-pass.h"
106226 +#include "plugin-version.h"
106230 +#include "tree-flow.h"
106233 +#include "diagnostic.h"
106236 +#if BUILDING_GCC_VERSION >= 4008
106237 +#define TODO_dump_func 0
106240 +struct size_overflow_hash {
106241 + const struct size_overflow_hash * const next;
106242 + const char * const name;
106243 + const unsigned int param;
106246 +#include "size_overflow_hash.h"
106249 + MARK_NO, MARK_YES, MARK_NOT_INTENTIONAL, MARK_TURN_OFF
106252 +enum err_code_conditions {
106253 + CAST_ONLY, FROM_CONST
106256 +static unsigned int call_count = 0;
106258 +#define __unused __attribute__((__unused__))
106259 +#define NAME(node) IDENTIFIER_POINTER(DECL_NAME(node))
106260 +#define NAME_LEN(node) IDENTIFIER_LENGTH(DECL_NAME(node))
106261 +#define BEFORE_STMT true
106262 +#define AFTER_STMT false
106263 +#define CREATE_NEW_VAR NULL_TREE
106264 +#define CODES_LIMIT 32
106266 +#define MY_STMT GF_PLF_1
106267 +#define NO_CAST_CHECK GF_PLF_2
106269 +#define FROM_RET false
106271 +#if BUILDING_GCC_VERSION == 4005
106272 +#define DECL_CHAIN(NODE) (TREE_CHAIN(DECL_MINIMAL_CHECK(NODE)))
106275 +int plugin_is_GPL_compatible;
106276 +void debug_gimple_stmt(gimple gs);
106278 +static tree expand(struct pointer_set_t *visited, tree lhs);
106279 +static enum mark pre_expand(struct pointer_set_t *visited, bool *search_err_code, const_tree lhs);
106280 +static tree report_size_overflow_decl;
106281 +static const_tree const_char_ptr_type_node;
106282 +static unsigned int handle_function(void);
106283 +static void check_size_overflow(gimple stmt, tree size_overflow_type, tree cast_rhs, tree rhs, bool before);
106284 +static tree get_size_overflow_type(gimple stmt, const_tree node);
106285 +static tree dup_assign(struct pointer_set_t *visited, gimple oldstmt, const_tree node, tree rhs1, tree rhs2, tree __unused rhs3);
106286 +static void print_missing_msg(tree func, unsigned int argnum);
106288 +static struct plugin_info size_overflow_plugin_info = {
106289 + .version = "20130410beta",
106290 + .help = "no-size-overflow\tturn off size overflow checking\n",
106293 +static tree handle_size_overflow_attribute(tree *node, tree __unused name, tree args, int __unused flags, bool *no_add_attrs)
106295 + unsigned int arg_count;
106296 + enum tree_code code = TREE_CODE(*node);
106300 + arg_count = type_num_arguments(TREE_TYPE(*node));
106304 + arg_count = type_num_arguments(*node);
106307 + *no_add_attrs = true;
106308 + error("%s: %qE attribute only applies to functions", __func__, name);
106312 + for (; args; args = TREE_CHAIN(args)) {
106313 + tree position = TREE_VALUE(args);
106314 + if (TREE_CODE(position) != INTEGER_CST || TREE_INT_CST_LOW(position) > arg_count ) {
106315 + error("%s: parameter %u is outside range.", __func__, (unsigned int)TREE_INT_CST_LOW(position));
106316 + *no_add_attrs = true;
106322 +static const char* get_asm_name(tree node)
106324 + return IDENTIFIER_POINTER(DECL_ASSEMBLER_NAME(node));
106327 +static tree handle_intentional_overflow_attribute(tree *node, tree __unused name, tree args, int __unused flags, bool *no_add_attrs)
106329 + unsigned int arg_count, arg_num;
106330 + enum tree_code code = TREE_CODE(*node);
106334 + arg_count = type_num_arguments(TREE_TYPE(*node));
106338 + arg_count = type_num_arguments(*node);
106341 + arg_num = TREE_INT_CST_LOW(TREE_VALUE(args));
106343 + *no_add_attrs = true;
106344 + error("%s: %qE attribute parameter can only be 0 in structure fields", __func__, name);
106348 + *no_add_attrs = true;
106349 + error("%qE attribute only applies to functions", name);
106353 + if (TREE_INT_CST_HIGH(TREE_VALUE(args)) != 0)
106356 + for (; args; args = TREE_CHAIN(args)) {
106357 + tree position = TREE_VALUE(args);
106358 + if (TREE_CODE(position) != INTEGER_CST || TREE_INT_CST_LOW(position) > arg_count ) {
106359 + error("%s: parameter %u is outside range.", __func__, (unsigned int)TREE_INT_CST_LOW(position));
106360 + *no_add_attrs = true;
106366 +static struct attribute_spec size_overflow_attr = {
106367 + .name = "size_overflow",
106370 + .decl_required = true,
106371 + .type_required = false,
106372 + .function_type_required = false,
106373 + .handler = handle_size_overflow_attribute,
106374 +#if BUILDING_GCC_VERSION >= 4007
106375 + .affects_type_identity = false
106379 +static struct attribute_spec intentional_overflow_attr = {
106380 + .name = "intentional_overflow",
106383 + .decl_required = true,
106384 + .type_required = false,
106385 + .function_type_required = false,
106386 + .handler = handle_intentional_overflow_attribute,
106387 +#if BUILDING_GCC_VERSION >= 4007
106388 + .affects_type_identity = false
106392 +static void register_attributes(void __unused *event_data, void __unused *data)
106394 + register_attribute(&size_overflow_attr);
106395 + register_attribute(&intentional_overflow_attr);
106398 +// http://www.team5150.com/~andrew/noncryptohashzoo2~/CrapWow.html
106399 +static unsigned int CrapWow(const char *key, unsigned int len, unsigned int seed)
106401 +#define cwfold( a, b, lo, hi ) { p = (unsigned int)(a) * (unsigned long long)(b); lo ^= (unsigned int)p; hi ^= (unsigned int)(p >> 32); }
106402 +#define cwmixa( in ) { cwfold( in, m, k, h ); }
106403 +#define cwmixb( in ) { cwfold( in, n, h, k ); }
106405 + unsigned int m = 0x57559429;
106406 + unsigned int n = 0x5052acdb;
106407 + const unsigned int *key4 = (const unsigned int *)key;
106408 + unsigned int h = len;
106409 + unsigned int k = len + seed + n;
106410 + unsigned long long p;
106413 + cwmixb(key4[0]) cwmixa(key4[1]) key4 += 2;
106417 + cwmixb(key4[0]) key4 += 1;
106421 + cwmixa(key4[0] & ((1 << (len * 8)) - 1 ));
106430 +static inline unsigned int get_hash_num(const char *fndecl, const char *tree_codes, unsigned int len, unsigned int seed)
106432 + unsigned int fn = CrapWow(fndecl, strlen(fndecl), seed) & 0xffff;
106433 + unsigned int codes = CrapWow(tree_codes, len, seed) & 0xffff;
106437 +static inline tree get_original_function_decl(tree fndecl)
106439 + if (DECL_ABSTRACT_ORIGIN(fndecl))
106440 + return DECL_ABSTRACT_ORIGIN(fndecl);
106444 +static inline gimple get_def_stmt(const_tree node)
106446 + gcc_assert(node != NULL_TREE);
106447 + if (TREE_CODE(node) != SSA_NAME)
106449 + return SSA_NAME_DEF_STMT(node);
106452 +static unsigned char get_tree_code(const_tree type)
106454 + switch (TREE_CODE(type)) {
106484 + debug_tree((tree)type);
106489 +static size_t add_type_codes(const_tree type, unsigned char *tree_codes, size_t len)
106491 + gcc_assert(type != NULL_TREE);
106493 + while (type && len < CODES_LIMIT) {
106494 + tree_codes[len] = get_tree_code(type);
106496 + type = TREE_TYPE(type);
106501 +static unsigned int get_function_decl(const_tree fndecl, unsigned char *tree_codes)
106503 + const_tree arg, result, arg_field, type = TREE_TYPE(fndecl);
106504 + enum tree_code code = TREE_CODE(type);
106507 + gcc_assert(code == FUNCTION_TYPE || code == METHOD_TYPE);
106509 + arg = TYPE_ARG_TYPES(type);
106510 + // skip builtins __builtin_constant_p
106511 + if (!arg && DECL_BUILT_IN(fndecl))
106514 + if (TREE_CODE_CLASS(code) == tcc_type)
106517 + result = DECL_RESULT(fndecl);
106519 + gcc_assert(result != NULL_TREE);
106520 + len = add_type_codes(TREE_TYPE(result), tree_codes, len);
106522 + if (arg == NULL_TREE) {
106523 + gcc_assert(CODE_CONTAINS_STRUCT(TREE_CODE(fndecl), TS_DECL_NON_COMMON));
106524 + arg_field = DECL_ARGUMENT_FLD(fndecl);
106525 + if (arg_field == NULL_TREE)
106527 + arg = TREE_TYPE(arg_field);
106528 + len = add_type_codes(arg, tree_codes, len);
106529 + gcc_assert(len != 0);
106533 + gcc_assert(arg != NULL_TREE && TREE_CODE(arg) == TREE_LIST);
106534 + while (arg && len < CODES_LIMIT) {
106535 + len = add_type_codes(TREE_VALUE(arg), tree_codes, len);
106536 + arg = TREE_CHAIN(arg);
106539 + gcc_assert(len != 0);
106543 +static const struct size_overflow_hash *get_function_hash(tree fndecl)
106546 + const struct size_overflow_hash *entry;
106547 + unsigned char tree_codes[CODES_LIMIT];
106549 + const char *func_name;
106551 + fndecl = get_original_function_decl(fndecl);
106552 + len = get_function_decl(fndecl, tree_codes);
106556 + func_name = get_asm_name(fndecl);
106557 + hash = get_hash_num(func_name, (const char*) tree_codes, len, 0);
106559 + entry = size_overflow_hash[hash];
106561 + if (!strcmp(entry->name, func_name))
106569 +static bool is_bool(const_tree node)
106573 + if (node == NULL_TREE)
106576 + type = TREE_TYPE(node);
106577 + if (!INTEGRAL_TYPE_P(type))
106579 + if (TREE_CODE(type) == BOOLEAN_TYPE)
106581 + if (TYPE_PRECISION(type) == 1)
106586 +static bool skip_types(const_tree var)
106590 + if (is_gimple_constant(var))
106593 + switch (TREE_CODE(var)) {
106595 +#if BUILDING_GCC_VERSION >= 4006
106611 + gcc_assert(TREE_CODE(var) == SSA_NAME);
106613 + type = TREE_TYPE(var);
106614 + switch (TREE_CODE(type)) {
106624 + gcc_assert(TREE_CODE(type) == POINTER_TYPE);
106626 + type = TREE_TYPE(type);
106627 + gcc_assert(type != NULL_TREE);
106628 + switch (TREE_CODE(type)) {
106641 + debug_tree((tree)var);
106645 +static unsigned int find_arg_number(const_tree arg, tree func)
106648 + unsigned int argnum = 1;
106650 + if (TREE_CODE(arg) == SSA_NAME)
106651 + arg = SSA_NAME_VAR(arg);
106653 + for (var = DECL_ARGUMENTS(func); var; var = TREE_CHAIN(var), argnum++) {
106654 + if (!operand_equal_p(arg, var, 0) && strcmp(NAME(var), NAME(arg)))
106656 + if (!skip_types(var))
106663 +static tree create_new_var(tree type)
106665 + tree new_var = create_tmp_var(type, "cicus");
106667 +#if BUILDING_GCC_VERSION <= 4007
106668 + add_referenced_var(new_var);
106669 + mark_sym_for_renaming(new_var);
106674 +static gimple create_binary_assign(enum tree_code code, gimple stmt, tree rhs1, tree rhs2)
106677 + gimple_stmt_iterator gsi = gsi_for_stmt(stmt);
106678 + tree type = TREE_TYPE(rhs1);
106679 + tree lhs = create_new_var(type);
106681 + gcc_assert(types_compatible_p(type, TREE_TYPE(rhs2)));
106682 + assign = gimple_build_assign_with_ops(code, lhs, rhs1, rhs2);
106683 + gimple_set_lhs(assign, make_ssa_name(lhs, assign));
106685 + gsi_insert_before(&gsi, assign, GSI_NEW_STMT);
106687 + gimple_set_plf(assign, MY_STMT, true);
106691 +static tree cast_a_tree(tree type, tree var)
106693 + gcc_assert(type != NULL_TREE);
106694 + gcc_assert(var != NULL_TREE);
106695 + gcc_assert(fold_convertible_p(type, var));
106697 + return fold_convert(type, var);
106700 +static tree get_lhs(const_gimple stmt)
106702 + switch (gimple_code(stmt)) {
106704 + return gimple_get_lhs(stmt);
106706 + return gimple_phi_result(stmt);
106708 + return gimple_call_lhs(stmt);
106714 +static bool skip_cast(tree dst_type, const_tree rhs, bool force)
106716 + const_gimple def_stmt = get_def_stmt(rhs);
106721 + if (is_gimple_constant(rhs))
106724 + if (!def_stmt || gimple_code(def_stmt) == GIMPLE_NOP)
106727 + if (!types_compatible_p(dst_type, TREE_TYPE(rhs)))
106730 + // DI type can be on 32 bit (from create_assign) but overflow type stays DI
106731 + if (LONG_TYPE_SIZE == GET_MODE_BITSIZE(SImode))
106737 +static gimple build_cast_stmt(tree dst_type, tree rhs, tree lhs, gimple_stmt_iterator *gsi, bool before, bool force)
106739 + gimple assign, def_stmt;
106741 + gcc_assert(dst_type != NULL_TREE && rhs != NULL_TREE);
106742 + if (gsi_end_p(*gsi) && before == AFTER_STMT)
106745 + def_stmt = get_def_stmt(rhs);
106746 + if (skip_cast(dst_type, rhs, force) && gimple_plf(def_stmt, MY_STMT))
106749 + if (lhs == CREATE_NEW_VAR)
106750 + lhs = create_new_var(dst_type);
106752 + assign = gimple_build_assign(lhs, cast_a_tree(dst_type, rhs));
106754 + if (!gsi_end_p(*gsi)) {
106755 + location_t loc = gimple_location(gsi_stmt(*gsi));
106756 + gimple_set_location(assign, loc);
106759 + gimple_set_lhs(assign, make_ssa_name(lhs, assign));
106762 + gsi_insert_before(gsi, assign, GSI_NEW_STMT);
106764 + gsi_insert_after(gsi, assign, GSI_NEW_STMT);
106766 + gimple_set_plf(assign, MY_STMT, true);
106771 +static tree cast_to_new_size_overflow_type(gimple stmt, tree rhs, tree size_overflow_type, bool before)
106773 + gimple_stmt_iterator gsi;
106775 + const_gimple new_stmt;
106777 + if (rhs == NULL_TREE)
106780 + gsi = gsi_for_stmt(stmt);
106781 + new_stmt = build_cast_stmt(size_overflow_type, rhs, CREATE_NEW_VAR, &gsi, before, false);
106783 + lhs = get_lhs(new_stmt);
106784 + gcc_assert(lhs != NULL_TREE);
106788 +static tree cast_to_TI_type(gimple stmt, tree node)
106790 + gimple_stmt_iterator gsi;
106792 + tree type = TREE_TYPE(node);
106794 + if (types_compatible_p(type, intTI_type_node))
106797 + gsi = gsi_for_stmt(stmt);
106798 + cast_stmt = build_cast_stmt(intTI_type_node, node, CREATE_NEW_VAR, &gsi, BEFORE_STMT, false);
106799 + return gimple_get_lhs(cast_stmt);
106802 +static void check_function_hash(const_gimple stmt)
106805 + const struct size_overflow_hash *hash;
106807 + if (gimple_code(stmt) != GIMPLE_CALL)
106810 + func = gimple_call_fndecl(stmt);
106811 + //fs/xattr.c D.34222_15 = D.34219_14 (dentry_3(D), name_7(D), 0B, 0);
106812 + if (func == NULL_TREE)
106815 + hash = get_function_hash(func);
106817 + print_missing_msg(func, 0);
106820 +static tree create_assign(struct pointer_set_t *visited, gimple oldstmt, tree rhs1, bool before)
106823 + gimple_stmt_iterator gsi;
106825 + if (rhs1 == NULL_TREE) {
106826 + debug_gimple_stmt(oldstmt);
106827 + error("%s: rhs1 is NULL_TREE", __func__);
106831 + switch (gimple_code(oldstmt)) {
106836 + lhs = gimple_call_lhs(oldstmt);
106839 + lhs = gimple_get_lhs(oldstmt);
106842 + debug_gimple_stmt(oldstmt);
106846 + gsi = gsi_for_stmt(oldstmt);
106847 + pointer_set_insert(visited, oldstmt);
106848 + if (lookup_stmt_eh_lp(oldstmt) != 0) {
106849 + basic_block next_bb, cur_bb;
106852 + gcc_assert(before == false);
106853 + gcc_assert(stmt_can_throw_internal(oldstmt));
106854 + gcc_assert(gimple_code(oldstmt) == GIMPLE_CALL);
106855 + gcc_assert(!gsi_end_p(gsi));
106857 + cur_bb = gimple_bb(oldstmt);
106858 + next_bb = cur_bb->next_bb;
106859 + e = find_edge(cur_bb, next_bb);
106860 + gcc_assert(e != NULL);
106861 + gcc_assert(e->flags & EDGE_FALLTHRU);
106863 + gsi = gsi_after_labels(next_bb);
106864 + gcc_assert(!gsi_end_p(gsi));
106867 + oldstmt = gsi_stmt(gsi);
106870 + new_lhs = cast_to_new_size_overflow_type(oldstmt, rhs1, get_size_overflow_type(oldstmt, lhs), before);
106874 +static tree dup_assign(struct pointer_set_t *visited, gimple oldstmt, const_tree node, tree rhs1, tree rhs2, tree __unused rhs3)
106877 + gimple_stmt_iterator gsi;
106878 + tree size_overflow_type, new_var, lhs = gimple_get_lhs(oldstmt);
106880 + if (gimple_plf(oldstmt, MY_STMT))
106883 + if (gimple_num_ops(oldstmt) != 4 && rhs1 == NULL_TREE) {
106884 + rhs1 = gimple_assign_rhs1(oldstmt);
106885 + rhs1 = create_assign(visited, oldstmt, rhs1, BEFORE_STMT);
106887 + if (gimple_num_ops(oldstmt) == 3 && rhs2 == NULL_TREE) {
106888 + rhs2 = gimple_assign_rhs2(oldstmt);
106889 + rhs2 = create_assign(visited, oldstmt, rhs2, BEFORE_STMT);
106892 + stmt = gimple_copy(oldstmt);
106893 + gimple_set_location(stmt, gimple_location(oldstmt));
106894 + gimple_set_plf(stmt, MY_STMT, true);
106896 + if (gimple_assign_rhs_code(oldstmt) == WIDEN_MULT_EXPR)
106897 + gimple_assign_set_rhs_code(stmt, MULT_EXPR);
106899 + size_overflow_type = get_size_overflow_type(oldstmt, node);
106901 + new_var = create_new_var(size_overflow_type);
106902 + new_var = make_ssa_name(new_var, stmt);
106903 + gimple_set_lhs(stmt, new_var);
106905 + if (rhs1 != NULL_TREE)
106906 + gimple_assign_set_rhs1(stmt, rhs1);
106908 + if (rhs2 != NULL_TREE)
106909 + gimple_assign_set_rhs2(stmt, rhs2);
106910 +#if BUILDING_GCC_VERSION >= 4007
106911 + if (rhs3 != NULL_TREE)
106912 + gimple_assign_set_rhs3(stmt, rhs3);
106914 + gimple_set_vuse(stmt, gimple_vuse(oldstmt));
106915 + gimple_set_vdef(stmt, gimple_vdef(oldstmt));
106917 + gsi = gsi_for_stmt(oldstmt);
106918 + gsi_insert_after(&gsi, stmt, GSI_SAME_STMT);
106920 + pointer_set_insert(visited, oldstmt);
106921 + return gimple_get_lhs(stmt);
106924 +static tree cast_parm_decl(tree phi_ssa_name, tree arg, tree size_overflow_type)
106926 + basic_block first_bb;
106928 + gimple_stmt_iterator gsi;
106930 + first_bb = split_block_after_labels(ENTRY_BLOCK_PTR)->dest;
106931 + gcc_assert(dom_info_available_p(CDI_DOMINATORS));
106932 + set_immediate_dominator(CDI_DOMINATORS, first_bb, ENTRY_BLOCK_PTR);
106934 + gsi = gsi_start_bb(first_bb);
106935 + assign = build_cast_stmt(size_overflow_type, arg, phi_ssa_name, &gsi, BEFORE_STMT, false);
106936 + return gimple_get_lhs(assign);
106939 +static tree use_phi_ssa_name(tree phi_ssa_name, tree new_arg)
106941 + gimple_stmt_iterator gsi;
106943 + gimple def_stmt = get_def_stmt(new_arg);
106945 + if (gimple_code(def_stmt) == GIMPLE_PHI) {
106946 + gsi = gsi_after_labels(gimple_bb(def_stmt));
106947 + assign = build_cast_stmt(TREE_TYPE(new_arg), new_arg, phi_ssa_name, &gsi, BEFORE_STMT, true);
106949 + gsi = gsi_for_stmt(def_stmt);
106950 + assign = build_cast_stmt(TREE_TYPE(new_arg), new_arg, phi_ssa_name, &gsi, AFTER_STMT, true);
106953 + return gimple_get_lhs(assign);
106956 +static tree cast_visited_phi_arg(tree phi_ssa_name, tree arg, tree size_overflow_type)
106959 + gimple_stmt_iterator gsi;
106960 + const_gimple assign, def_stmt;
106962 + def_stmt = get_def_stmt(arg);
106963 + bb = gimple_bb(def_stmt);
106964 + gcc_assert(bb->index != 0);
106965 + gsi = gsi_after_labels(bb);
106967 + assign = build_cast_stmt(size_overflow_type, arg, phi_ssa_name, &gsi, BEFORE_STMT, false);
106968 + return gimple_get_lhs(assign);
106971 +static tree create_new_phi_arg(tree phi_ssa_name, tree new_arg, tree arg, gimple oldstmt)
106973 + tree size_overflow_type;
106974 + const_gimple def_stmt = get_def_stmt(arg);
106976 + if (phi_ssa_name != NULL_TREE)
106977 + phi_ssa_name = SSA_NAME_VAR(phi_ssa_name);
106979 + size_overflow_type = get_size_overflow_type(oldstmt, arg);
106981 + if (new_arg != NULL_TREE) {
106982 + gcc_assert(types_compatible_p(TREE_TYPE(new_arg), size_overflow_type));
106983 + return use_phi_ssa_name(phi_ssa_name, new_arg);
106986 + switch(gimple_code(def_stmt)) {
106988 + return cast_visited_phi_arg(phi_ssa_name, arg, size_overflow_type);
106990 + return cast_parm_decl(phi_ssa_name, arg, size_overflow_type);
106992 + debug_gimple_stmt((gimple)def_stmt);
106997 +static gimple overflow_create_phi_node(gimple oldstmt, tree result)
107002 + gimple_stmt_iterator gsi = gsi_for_stmt(oldstmt);
107006 + phi = create_phi_node(result, bb);
107007 + gimple_phi_set_result(phi, make_ssa_name(result, phi));
107010 + gsi_remove(&gsi, false);
107012 + gsi = gsi_for_stmt(oldstmt);
107013 + gsi_insert_after(&gsi, phi, GSI_NEW_STMT);
107014 + gimple_set_bb(phi, bb);
107015 + gimple_set_plf(phi, MY_STMT, true);
107019 +static tree handle_phi(struct pointer_set_t *visited, tree orig_result)
107021 + gimple new_phi = NULL;
107022 + gimple oldstmt = get_def_stmt(orig_result);
107023 + tree phi_ssa_name = NULL_TREE;
107026 + pointer_set_insert(visited, oldstmt);
107027 + for (i = 0; i < gimple_phi_num_args(oldstmt); i++) {
107030 + arg = gimple_phi_arg_def(oldstmt, i);
107032 + new_arg = expand(visited, arg);
107033 + new_arg = create_new_phi_arg(phi_ssa_name, new_arg, arg, oldstmt);
107035 + phi_ssa_name = new_arg;
107036 + new_phi = overflow_create_phi_node(oldstmt, SSA_NAME_VAR(phi_ssa_name));
107039 + gcc_assert(new_phi != NULL);
107040 + add_phi_arg(new_phi, new_arg, gimple_phi_arg_edge(oldstmt, i), gimple_location(oldstmt));
107043 + gcc_assert(new_phi != NULL);
107044 + update_stmt(new_phi);
107045 + return gimple_phi_result(new_phi);
107048 +static tree change_assign_rhs(gimple stmt, const_tree orig_rhs, tree new_rhs)
107051 + gimple_stmt_iterator gsi = gsi_for_stmt(stmt);
107052 + tree origtype = TREE_TYPE(orig_rhs);
107054 + gcc_assert(gimple_code(stmt) == GIMPLE_ASSIGN);
107056 + assign = build_cast_stmt(origtype, new_rhs, CREATE_NEW_VAR, &gsi, BEFORE_STMT, false);
107057 + return gimple_get_lhs(assign);
107060 +static bool is_a_cast_and_const_overflow(const_tree no_const_rhs)
107062 + const_tree rhs1, lhs, rhs1_type, lhs_type;
107063 + enum machine_mode lhs_mode, rhs_mode;
107064 + gimple def_stmt = get_def_stmt(no_const_rhs);
107066 + if (!gimple_assign_cast_p(def_stmt))
107069 + rhs1 = gimple_assign_rhs1(def_stmt);
107070 + lhs = gimple_get_lhs(def_stmt);
107071 + rhs1_type = TREE_TYPE(rhs1);
107072 + lhs_type = TREE_TYPE(lhs);
107073 + rhs_mode = TYPE_MODE(rhs1_type);
107074 + lhs_mode = TYPE_MODE(lhs_type);
107075 + if (TYPE_UNSIGNED(lhs_type) == TYPE_UNSIGNED(rhs1_type) || lhs_mode != rhs_mode)
107081 +static tree create_cast_assign(struct pointer_set_t *visited, gimple stmt)
107083 + tree rhs1 = gimple_assign_rhs1(stmt);
107084 + tree lhs = gimple_get_lhs(stmt);
107085 + const_tree rhs1_type = TREE_TYPE(rhs1);
107086 + const_tree lhs_type = TREE_TYPE(lhs);
107088 + if (TYPE_UNSIGNED(rhs1_type) == TYPE_UNSIGNED(lhs_type))
107089 + return create_assign(visited, stmt, lhs, AFTER_STMT);
107091 + return create_assign(visited, stmt, rhs1, AFTER_STMT);
107094 +static bool no_uses(tree node)
107096 + imm_use_iterator imm_iter;
107099 + FOR_EACH_IMM_USE_FAST(use_p, imm_iter, node) {
107100 + const_gimple use_stmt = USE_STMT(use_p);
107101 + if (use_stmt == NULL)
107103 + if (is_gimple_debug(use_stmt))
107105 + if (!(gimple_bb(use_stmt)->flags & BB_REACHABLE))
107112 +// 3.8.5 mm/page-writeback.c __ilog2_u64(): ret, uint + uintmax; uint -> int; int max
107113 +static bool is_const_plus_unsigned_signed_truncation(const_tree lhs)
107115 + tree rhs1, lhs_type, rhs_type, rhs2, not_const_rhs;
107116 + gimple def_stmt = get_def_stmt(lhs);
107118 + if (!def_stmt || !gimple_assign_cast_p(def_stmt))
107121 + rhs1 = gimple_assign_rhs1(def_stmt);
107122 + rhs_type = TREE_TYPE(rhs1);
107123 + lhs_type = TREE_TYPE(lhs);
107124 + if (TYPE_UNSIGNED(lhs_type) || !TYPE_UNSIGNED(rhs_type))
107126 + if (TYPE_MODE(lhs_type) != TYPE_MODE(rhs_type))
107129 + def_stmt = get_def_stmt(rhs1);
107130 + if (!def_stmt || gimple_code(def_stmt) != GIMPLE_ASSIGN || gimple_num_ops(def_stmt) != 3)
107133 + if (gimple_assign_rhs_code(def_stmt) != PLUS_EXPR)
107136 + rhs1 = gimple_assign_rhs1(def_stmt);
107137 + rhs2 = gimple_assign_rhs2(def_stmt);
107138 + if (!is_gimple_constant(rhs1) && !is_gimple_constant(rhs2))
107141 + if (is_gimple_constant(rhs2))
107142 + not_const_rhs = rhs1;
107144 + not_const_rhs = rhs2;
107146 + return no_uses(not_const_rhs);
107149 +static bool skip_lhs_cast_check(const_gimple stmt)
107151 + const_tree rhs = gimple_assign_rhs1(stmt);
107152 + const_gimple def_stmt = get_def_stmt(rhs);
107154 + // 3.8.2 kernel/futex_compat.c compat_exit_robust_list(): get_user() 64 ulong -> int (compat_long_t), int max
107155 + if (gimple_code(def_stmt) == GIMPLE_ASM)
107158 + if (is_const_plus_unsigned_signed_truncation(rhs))
107164 +static tree create_cast_overflow_check(struct pointer_set_t *visited, tree new_rhs1, gimple stmt)
107166 + bool cast_lhs, cast_rhs;
107167 + tree lhs = gimple_get_lhs(stmt);
107168 + tree rhs = gimple_assign_rhs1(stmt);
107169 + const_tree lhs_type = TREE_TYPE(lhs);
107170 + const_tree rhs_type = TREE_TYPE(rhs);
107171 + enum machine_mode lhs_mode = TYPE_MODE(lhs_type);
107172 + enum machine_mode rhs_mode = TYPE_MODE(rhs_type);
107173 + unsigned int lhs_size = GET_MODE_BITSIZE(lhs_mode);
107174 + unsigned int rhs_size = GET_MODE_BITSIZE(rhs_mode);
107176 + static bool check_lhs[3][4] = {
107178 + { false, true, true, false }, // lhs > rhs
107179 + { false, false, false, false }, // lhs = rhs
107180 + { true, true, true, true }, // lhs < rhs
107183 + static bool check_rhs[3][4] = {
107185 + { true, false, true, true }, // lhs > rhs
107186 + { true, false, true, true }, // lhs = rhs
107187 + { true, false, true, true }, // lhs < rhs
107190 + // skip lhs check on signed SI -> HI cast or signed SI -> QI cast !!!!
107191 + if (rhs_mode == SImode && !TYPE_UNSIGNED(rhs_type) && (lhs_mode == HImode || lhs_mode == QImode))
107192 + return create_assign(visited, stmt, lhs, AFTER_STMT);
107194 + if (lhs_size > rhs_size) {
107195 + cast_lhs = check_lhs[0][TYPE_UNSIGNED(rhs_type) + 2 * TYPE_UNSIGNED(lhs_type)];
107196 + cast_rhs = check_rhs[0][TYPE_UNSIGNED(rhs_type) + 2 * TYPE_UNSIGNED(lhs_type)];
107197 + } else if (lhs_size == rhs_size) {
107198 + cast_lhs = check_lhs[1][TYPE_UNSIGNED(rhs_type) + 2 * TYPE_UNSIGNED(lhs_type)];
107199 + cast_rhs = check_rhs[1][TYPE_UNSIGNED(rhs_type) + 2 * TYPE_UNSIGNED(lhs_type)];
107201 + cast_lhs = check_lhs[2][TYPE_UNSIGNED(rhs_type) + 2 * TYPE_UNSIGNED(lhs_type)];
107202 + cast_rhs = check_rhs[2][TYPE_UNSIGNED(rhs_type) + 2 * TYPE_UNSIGNED(lhs_type)];
107205 + if (!cast_lhs && !cast_rhs)
107206 + return dup_assign(visited, stmt, lhs, new_rhs1, NULL_TREE, NULL_TREE);
107208 + if (cast_lhs && !skip_lhs_cast_check(stmt))
107209 + check_size_overflow(stmt, TREE_TYPE(new_rhs1), new_rhs1, lhs, BEFORE_STMT);
107212 + check_size_overflow(stmt, TREE_TYPE(new_rhs1), new_rhs1, rhs, BEFORE_STMT);
107214 + return dup_assign(visited, stmt, lhs, new_rhs1, NULL_TREE, NULL_TREE);
107217 +static tree handle_unary_rhs(struct pointer_set_t *visited, gimple stmt)
107219 + tree rhs1, new_rhs1, lhs = gimple_get_lhs(stmt);
107221 + if (gimple_plf(stmt, MY_STMT))
107224 + rhs1 = gimple_assign_rhs1(stmt);
107225 + if (TREE_CODE(TREE_TYPE(rhs1)) == POINTER_TYPE)
107226 + return create_assign(visited, stmt, lhs, AFTER_STMT);
107228 + new_rhs1 = expand(visited, rhs1);
107230 + if (new_rhs1 == NULL_TREE)
107231 + return create_cast_assign(visited, stmt);
107233 + if (gimple_plf(stmt, NO_CAST_CHECK))
107234 + return dup_assign(visited, stmt, lhs, new_rhs1, NULL_TREE, NULL_TREE);
107236 + if (gimple_assign_rhs_code(stmt) == BIT_NOT_EXPR) {
107237 + tree size_overflow_type = get_size_overflow_type(stmt, rhs1);
107239 + new_rhs1 = cast_to_new_size_overflow_type(stmt, new_rhs1, size_overflow_type, BEFORE_STMT);
107240 + check_size_overflow(stmt, size_overflow_type, new_rhs1, rhs1, BEFORE_STMT);
107241 + return create_assign(visited, stmt, lhs, AFTER_STMT);
107244 + if (!gimple_assign_cast_p(stmt))
107245 + return dup_assign(visited, stmt, lhs, new_rhs1, NULL_TREE, NULL_TREE);
107247 + return create_cast_overflow_check(visited, new_rhs1, stmt);
107250 +static tree handle_unary_ops(struct pointer_set_t *visited, gimple stmt)
107252 + tree rhs1, lhs = gimple_get_lhs(stmt);
107253 + gimple def_stmt = get_def_stmt(lhs);
107255 + gcc_assert(gimple_code(def_stmt) != GIMPLE_NOP);
107256 + rhs1 = gimple_assign_rhs1(def_stmt);
107258 + if (is_gimple_constant(rhs1))
107259 + return create_assign(visited, def_stmt, lhs, AFTER_STMT);
107261 + switch (TREE_CODE(rhs1)) {
107263 + return handle_unary_rhs(visited, def_stmt);
107269 +#if BUILDING_GCC_VERSION >= 4006
107273 + return create_assign(visited, def_stmt, lhs, AFTER_STMT);
107276 + return create_assign(visited, stmt, lhs, AFTER_STMT);
107279 + debug_gimple_stmt(def_stmt);
107285 +static void insert_cond(basic_block cond_bb, tree arg, enum tree_code cond_code, tree type_value)
107288 + gimple_stmt_iterator gsi = gsi_last_bb(cond_bb);
107290 + cond_stmt = gimple_build_cond(cond_code, arg, type_value, NULL_TREE, NULL_TREE);
107291 + gsi_insert_after(&gsi, cond_stmt, GSI_CONTINUE_LINKING);
107292 + update_stmt(cond_stmt);
107295 +static tree create_string_param(tree string)
107298 + const int length = TREE_STRING_LENGTH(string);
107300 + gcc_assert(length > 0);
107302 + i_type = build_index_type(build_int_cst(NULL_TREE, length - 1));
107303 + a_type = build_array_type(char_type_node, i_type);
107305 + TREE_TYPE(string) = a_type;
107306 + TREE_CONSTANT(string) = 1;
107307 + TREE_READONLY(string) = 1;
107309 + return build1(ADDR_EXPR, ptr_type_node, string);
107312 +static void insert_cond_result(basic_block bb_true, const_gimple stmt, const_tree arg, bool min)
107315 + const_gimple def_stmt;
107317 + tree loc_file, ssa_name, current_func;
107318 + expanded_location xloc;
107321 + gimple_stmt_iterator gsi = gsi_start_bb(bb_true);
107323 + def_stmt = get_def_stmt(arg);
107324 + xloc = expand_location(gimple_location(def_stmt));
107326 + if (!gimple_has_location(def_stmt)) {
107327 + xloc = expand_location(gimple_location(stmt));
107328 + if (!gimple_has_location(stmt))
107329 + xloc = expand_location(DECL_SOURCE_LOCATION(current_function_decl));
107332 + loc_line = build_int_cstu(unsigned_type_node, xloc.line);
107334 + loc_file = build_string(strlen(xloc.file) + 1, xloc.file);
107335 + loc_file = create_string_param(loc_file);
107337 + current_func = build_string(NAME_LEN(current_function_decl) + 1, NAME(current_function_decl));
107338 + current_func = create_string_param(current_func);
107340 + gcc_assert(DECL_NAME(SSA_NAME_VAR(arg)) != NULL);
107342 + len = asprintf(&ssa_name_buf, "%s_%u %s, count: %u\n", NAME(SSA_NAME_VAR(arg)), SSA_NAME_VERSION(arg), min ? "min" : "max", call_count);
107344 + ssa_name = build_string(len + 1, ssa_name_buf);
107346 + ssa_name = create_string_param(ssa_name);
107348 + // void report_size_overflow(const char *file, unsigned int line, const char *func, const char *ssa_name)
107349 + func_stmt = gimple_build_call(report_size_overflow_decl, 4, loc_file, loc_line, current_func, ssa_name);
107351 + gsi_insert_after(&gsi, func_stmt, GSI_CONTINUE_LINKING);
107354 +static void __unused print_the_code_insertions(const_gimple stmt)
107356 + location_t loc = gimple_location(stmt);
107358 + inform(loc, "Integer size_overflow check applied here.");
107361 +static void insert_check_size_overflow(gimple stmt, enum tree_code cond_code, tree arg, tree type_value, bool before, bool min)
107363 + basic_block cond_bb, join_bb, bb_true;
107365 + gimple_stmt_iterator gsi = gsi_for_stmt(stmt);
107367 + cond_bb = gimple_bb(stmt);
107371 + e = split_block_after_labels(cond_bb);
107373 + e = split_block(cond_bb, gsi_stmt(gsi));
107376 + e->flags = EDGE_FALSE_VALUE;
107377 + e->probability = REG_BR_PROB_BASE;
107379 + bb_true = create_empty_bb(cond_bb);
107380 + make_edge(cond_bb, bb_true, EDGE_TRUE_VALUE);
107381 + make_edge(cond_bb, join_bb, EDGE_FALSE_VALUE);
107382 + make_edge(bb_true, join_bb, EDGE_FALLTHRU);
107384 + gcc_assert(dom_info_available_p(CDI_DOMINATORS));
107385 + set_immediate_dominator(CDI_DOMINATORS, bb_true, cond_bb);
107386 + set_immediate_dominator(CDI_DOMINATORS, join_bb, cond_bb);
107388 + if (current_loops != NULL) {
107389 + gcc_assert(cond_bb->loop_father == join_bb->loop_father);
107390 + add_bb_to_loop(bb_true, cond_bb->loop_father);
107393 + insert_cond(cond_bb, arg, cond_code, type_value);
107394 + insert_cond_result(bb_true, stmt, arg, min);
107396 +// print_the_code_insertions(stmt);
107399 +static void check_size_overflow(gimple stmt, tree size_overflow_type, tree cast_rhs, tree rhs, bool before)
107401 + const_tree rhs_type = TREE_TYPE(rhs);
107402 + tree cast_rhs_type, type_max_type, type_min_type, type_max, type_min;
107404 + gcc_assert(rhs_type != NULL_TREE);
107405 + if (TREE_CODE(rhs_type) == POINTER_TYPE)
107408 + gcc_assert(TREE_CODE(rhs_type) == INTEGER_TYPE || TREE_CODE(rhs_type) == ENUMERAL_TYPE);
107410 + if (is_const_plus_unsigned_signed_truncation(rhs))
107413 + type_max = cast_a_tree(size_overflow_type, TYPE_MAX_VALUE(rhs_type));
107414 + // typemax (-1) < typemin (0)
107415 + if (TREE_OVERFLOW(type_max))
107418 + type_min = cast_a_tree(size_overflow_type, TYPE_MIN_VALUE(rhs_type));
107420 + cast_rhs_type = TREE_TYPE(cast_rhs);
107421 + type_max_type = TREE_TYPE(type_max);
107422 + type_min_type = TREE_TYPE(type_min);
107423 + gcc_assert(types_compatible_p(cast_rhs_type, type_max_type));
107424 + gcc_assert(types_compatible_p(type_max_type, type_min_type));
107426 + insert_check_size_overflow(stmt, GT_EXPR, cast_rhs, type_max, before, false);
107427 + insert_check_size_overflow(stmt, LT_EXPR, cast_rhs, type_min, before, true);
107430 +static bool is_a_constant_overflow(const_gimple stmt, const_tree rhs)
107432 + if (gimple_assign_rhs_code(stmt) == MIN_EXPR)
107434 + if (!is_gimple_constant(rhs))
107439 +static tree get_def_stmt_rhs(const_tree var)
107441 + tree rhs1, def_stmt_rhs1;
107442 + gimple rhs1_def_stmt, def_stmt_rhs1_def_stmt, def_stmt;
107444 + def_stmt = get_def_stmt(var);
107445 + gcc_assert(gimple_code(def_stmt) != GIMPLE_NOP && gimple_plf(def_stmt, MY_STMT) && gimple_assign_cast_p(def_stmt));
107447 + rhs1 = gimple_assign_rhs1(def_stmt);
107448 + rhs1_def_stmt = get_def_stmt(rhs1);
107449 + if (!gimple_assign_cast_p(rhs1_def_stmt))
107452 + def_stmt_rhs1 = gimple_assign_rhs1(rhs1_def_stmt);
107453 + def_stmt_rhs1_def_stmt = get_def_stmt(def_stmt_rhs1);
107455 + switch (gimple_code(def_stmt_rhs1_def_stmt)) {
107460 + return def_stmt_rhs1;
107464 + debug_gimple_stmt(def_stmt_rhs1_def_stmt);
107469 +static tree handle_intentional_overflow(struct pointer_set_t *visited, bool check_overflow, gimple stmt, tree change_rhs, tree new_rhs2)
107471 + tree new_rhs, orig_rhs;
107472 + void (*gimple_assign_set_rhs)(gimple, tree);
107473 + tree rhs1 = gimple_assign_rhs1(stmt);
107474 + tree rhs2 = gimple_assign_rhs2(stmt);
107475 + tree lhs = gimple_get_lhs(stmt);
107478 + return create_assign(visited, stmt, lhs, AFTER_STMT);
107480 + if (change_rhs == NULL_TREE)
107481 + return create_assign(visited, stmt, lhs, AFTER_STMT);
107483 + if (new_rhs2 == NULL_TREE) {
107485 + gimple_assign_set_rhs = &gimple_assign_set_rhs1;
107488 + gimple_assign_set_rhs = &gimple_assign_set_rhs2;
107491 + check_size_overflow(stmt, TREE_TYPE(change_rhs), change_rhs, orig_rhs, BEFORE_STMT);
107493 + new_rhs = change_assign_rhs(stmt, orig_rhs, change_rhs);
107494 + gimple_assign_set_rhs(stmt, new_rhs);
107497 + return create_assign(visited, stmt, lhs, AFTER_STMT);
107500 +static bool is_subtraction_special(const_gimple stmt)
107502 + gimple rhs1_def_stmt, rhs2_def_stmt;
107503 + const_tree rhs1_def_stmt_rhs1, rhs2_def_stmt_rhs1, rhs1_def_stmt_lhs, rhs2_def_stmt_lhs;
107504 + enum machine_mode rhs1_def_stmt_rhs1_mode, rhs2_def_stmt_rhs1_mode, rhs1_def_stmt_lhs_mode, rhs2_def_stmt_lhs_mode;
107505 + const_tree rhs1 = gimple_assign_rhs1(stmt);
107506 + const_tree rhs2 = gimple_assign_rhs2(stmt);
107508 + if (is_gimple_constant(rhs1) || is_gimple_constant(rhs2))
107511 + gcc_assert(TREE_CODE(rhs1) == SSA_NAME && TREE_CODE(rhs2) == SSA_NAME);
107513 + if (gimple_assign_rhs_code(stmt) != MINUS_EXPR)
107516 + rhs1_def_stmt = get_def_stmt(rhs1);
107517 + rhs2_def_stmt = get_def_stmt(rhs2);
107518 + if (!gimple_assign_cast_p(rhs1_def_stmt) || !gimple_assign_cast_p(rhs2_def_stmt))
107521 + rhs1_def_stmt_rhs1 = gimple_assign_rhs1(rhs1_def_stmt);
107522 + rhs2_def_stmt_rhs1 = gimple_assign_rhs1(rhs2_def_stmt);
107523 + rhs1_def_stmt_lhs = gimple_get_lhs(rhs1_def_stmt);
107524 + rhs2_def_stmt_lhs = gimple_get_lhs(rhs2_def_stmt);
107525 + rhs1_def_stmt_rhs1_mode = TYPE_MODE(TREE_TYPE(rhs1_def_stmt_rhs1));
107526 + rhs2_def_stmt_rhs1_mode = TYPE_MODE(TREE_TYPE(rhs2_def_stmt_rhs1));
107527 + rhs1_def_stmt_lhs_mode = TYPE_MODE(TREE_TYPE(rhs1_def_stmt_lhs));
107528 + rhs2_def_stmt_lhs_mode = TYPE_MODE(TREE_TYPE(rhs2_def_stmt_lhs));
107529 + if (GET_MODE_BITSIZE(rhs1_def_stmt_rhs1_mode) <= GET_MODE_BITSIZE(rhs1_def_stmt_lhs_mode))
107531 + if (GET_MODE_BITSIZE(rhs2_def_stmt_rhs1_mode) <= GET_MODE_BITSIZE(rhs2_def_stmt_lhs_mode))
107534 + gimple_set_plf(rhs1_def_stmt, NO_CAST_CHECK, true);
107535 + gimple_set_plf(rhs2_def_stmt, NO_CAST_CHECK, true);
107539 +static tree handle_integer_truncation(struct pointer_set_t *visited, const_tree lhs)
107541 + tree new_rhs1, new_rhs2;
107542 + tree new_rhs1_def_stmt_rhs1, new_rhs2_def_stmt_rhs1, new_lhs;
107543 + gimple assign, stmt = get_def_stmt(lhs);
107544 + tree rhs1 = gimple_assign_rhs1(stmt);
107545 + tree rhs2 = gimple_assign_rhs2(stmt);
107547 + if (!is_subtraction_special(stmt))
107550 + new_rhs1 = expand(visited, rhs1);
107551 + new_rhs2 = expand(visited, rhs2);
107553 + new_rhs1_def_stmt_rhs1 = get_def_stmt_rhs(new_rhs1);
107554 + new_rhs2_def_stmt_rhs1 = get_def_stmt_rhs(new_rhs2);
107556 + if (!types_compatible_p(TREE_TYPE(new_rhs1_def_stmt_rhs1), TREE_TYPE(new_rhs2_def_stmt_rhs1))) {
107557 + new_rhs1_def_stmt_rhs1 = cast_to_TI_type(stmt, new_rhs1_def_stmt_rhs1);
107558 + new_rhs2_def_stmt_rhs1 = cast_to_TI_type(stmt, new_rhs2_def_stmt_rhs1);
107561 + assign = create_binary_assign(MINUS_EXPR, stmt, new_rhs1_def_stmt_rhs1, new_rhs2_def_stmt_rhs1);
107562 + new_lhs = gimple_get_lhs(assign);
107563 + check_size_overflow(assign, TREE_TYPE(new_lhs), new_lhs, rhs1, AFTER_STMT);
107565 + return dup_assign(visited, stmt, lhs, new_rhs1, new_rhs2, NULL_TREE);
107568 +static bool is_a_neg_overflow(const_gimple stmt, const_tree rhs)
107570 + const_gimple def_stmt;
107572 + if (TREE_CODE(rhs) != SSA_NAME)
107575 + if (gimple_assign_rhs_code(stmt) != PLUS_EXPR)
107578 + def_stmt = get_def_stmt(rhs);
107579 + if (gimple_code(def_stmt) != GIMPLE_ASSIGN || gimple_assign_rhs_code(def_stmt) != BIT_NOT_EXPR)
107585 +static tree handle_binary_ops(struct pointer_set_t *visited, tree lhs)
107587 + tree rhs1, rhs2, new_lhs;
107588 + gimple def_stmt = get_def_stmt(lhs);
107589 + tree new_rhs1 = NULL_TREE;
107590 + tree new_rhs2 = NULL_TREE;
107592 + rhs1 = gimple_assign_rhs1(def_stmt);
107593 + rhs2 = gimple_assign_rhs2(def_stmt);
107595 + /* no DImode/TImode division in the 32/64 bit kernel */
107596 + switch (gimple_assign_rhs_code(def_stmt)) {
107607 + case POINTER_PLUS_EXPR:
107609 + return create_assign(visited, def_stmt, lhs, AFTER_STMT);
107614 + new_lhs = handle_integer_truncation(visited, lhs);
107615 + if (new_lhs != NULL_TREE)
107618 + if (TREE_CODE(rhs1) == SSA_NAME)
107619 + new_rhs1 = expand(visited, rhs1);
107620 + if (TREE_CODE(rhs2) == SSA_NAME)
107621 + new_rhs2 = expand(visited, rhs2);
107623 + if (is_a_neg_overflow(def_stmt, rhs2))
107624 + return handle_intentional_overflow(visited, true, def_stmt, new_rhs1, NULL_TREE);
107625 + if (is_a_neg_overflow(def_stmt, rhs1))
107626 + return handle_intentional_overflow(visited, true, def_stmt, new_rhs2, new_rhs2);
107629 + if (is_a_constant_overflow(def_stmt, rhs2))
107630 + return handle_intentional_overflow(visited, !is_a_cast_and_const_overflow(rhs1), def_stmt, new_rhs1, NULL_TREE);
107631 + if (is_a_constant_overflow(def_stmt, rhs1))
107632 + return handle_intentional_overflow(visited, !is_a_cast_and_const_overflow(rhs2), def_stmt, new_rhs2, new_rhs2);
107634 + return dup_assign(visited, def_stmt, lhs, new_rhs1, new_rhs2, NULL_TREE);
107637 +#if BUILDING_GCC_VERSION >= 4007
107638 +static tree get_new_rhs(struct pointer_set_t *visited, tree size_overflow_type, tree rhs)
107640 + if (is_gimple_constant(rhs))
107641 + return cast_a_tree(size_overflow_type, rhs);
107642 + if (TREE_CODE(rhs) != SSA_NAME)
107644 + return expand(visited, rhs);
107647 +static tree handle_ternary_ops(struct pointer_set_t *visited, tree lhs)
107649 + tree rhs1, rhs2, rhs3, new_rhs1, new_rhs2, new_rhs3, size_overflow_type;
107650 + gimple def_stmt = get_def_stmt(lhs);
107652 + size_overflow_type = get_size_overflow_type(def_stmt, lhs);
107654 + rhs1 = gimple_assign_rhs1(def_stmt);
107655 + rhs2 = gimple_assign_rhs2(def_stmt);
107656 + rhs3 = gimple_assign_rhs3(def_stmt);
107657 + new_rhs1 = get_new_rhs(visited, size_overflow_type, rhs1);
107658 + new_rhs2 = get_new_rhs(visited, size_overflow_type, rhs2);
107659 + new_rhs3 = get_new_rhs(visited, size_overflow_type, rhs3);
107661 + return dup_assign(visited, def_stmt, lhs, new_rhs1, new_rhs2, new_rhs3);
107665 +static tree get_size_overflow_type(gimple stmt, const_tree node)
107670 + gcc_assert(node != NULL_TREE);
107672 + type = TREE_TYPE(node);
107674 + if (gimple_plf(stmt, MY_STMT))
107675 + return TREE_TYPE(node);
107677 + switch (TYPE_MODE(type)) {
107679 + new_type = intHI_type_node;
107682 + new_type = intSI_type_node;
107685 + new_type = intDI_type_node;
107688 + if (LONG_TYPE_SIZE == GET_MODE_BITSIZE(SImode))
107689 + new_type = intDI_type_node;
107691 + new_type = intTI_type_node;
107694 + debug_tree((tree)node);
107695 + error("%s: unsupported gcc configuration.", __func__);
107699 + if (TYPE_QUALS(type) != 0)
107700 + return build_qualified_type(new_type, TYPE_QUALS(type));
107704 +static tree expand_visited(gimple def_stmt)
107706 + const_gimple next_stmt;
107707 + gimple_stmt_iterator gsi;
107708 + enum gimple_code code = gimple_code(def_stmt);
107710 + if (code == GIMPLE_ASM)
107713 + gsi = gsi_for_stmt(def_stmt);
107716 + if (gimple_code(def_stmt) == GIMPLE_PHI && gsi_end_p(gsi))
107718 + gcc_assert(!gsi_end_p(gsi));
107719 + next_stmt = gsi_stmt(gsi);
107721 + if (gimple_code(def_stmt) == GIMPLE_PHI && !gimple_plf((gimple)next_stmt, MY_STMT))
107723 + gcc_assert(gimple_plf((gimple)next_stmt, MY_STMT));
107725 + return get_lhs(next_stmt);
107728 +static tree expand(struct pointer_set_t *visited, tree lhs)
107735 + def_stmt = get_def_stmt(lhs);
107737 + if (!def_stmt || gimple_code(def_stmt) == GIMPLE_NOP)
107740 + if (gimple_plf(def_stmt, MY_STMT))
107743 + if (pointer_set_contains(visited, def_stmt))
107744 + return expand_visited(def_stmt);
107746 + switch (gimple_code(def_stmt)) {
107748 + return handle_phi(visited, lhs);
107751 + return create_assign(visited, def_stmt, lhs, AFTER_STMT);
107753 + switch (gimple_num_ops(def_stmt)) {
107755 + return handle_unary_ops(visited, def_stmt);
107757 + return handle_binary_ops(visited, lhs);
107758 +#if BUILDING_GCC_VERSION >= 4007
107760 + return handle_ternary_ops(visited, lhs);
107764 + debug_gimple_stmt(def_stmt);
107765 + error("%s: unknown gimple code", __func__);
107770 +static tree get_new_tree(gimple stmt, const_tree orig_node, tree new_node)
107773 + tree orig_type = TREE_TYPE(orig_node);
107774 + gimple_stmt_iterator gsi = gsi_for_stmt(stmt);
107776 + assign = build_cast_stmt(orig_type, new_node, CREATE_NEW_VAR, &gsi, BEFORE_STMT, false);
107777 + return gimple_get_lhs(assign);
107780 +static void change_function_arg(gimple stmt, const_tree orig_arg, unsigned int argnum, tree new_arg)
107782 + gimple_call_set_arg(stmt, argnum, get_new_tree(stmt, orig_arg, new_arg));
107786 +static void change_function_return(gimple stmt, const_tree orig_ret, tree new_ret)
107788 + gimple_return_set_retval(stmt, get_new_tree(stmt, orig_ret, new_ret));
107792 +static bool get_function_arg(unsigned int* argnum, const_tree fndecl)
107797 + if (!DECL_ABSTRACT_ORIGIN(fndecl))
107800 + origarg = DECL_ARGUMENTS(DECL_ABSTRACT_ORIGIN(fndecl));
107801 + while (origarg && *argnum) {
107803 + origarg = TREE_CHAIN(origarg);
107806 + gcc_assert(*argnum == 0);
107808 + gcc_assert(origarg != NULL_TREE);
107810 + for (arg = DECL_ARGUMENTS(fndecl); arg; arg = TREE_CHAIN(arg), (*argnum)++)
107811 + if (operand_equal_p(origarg, arg, 0) || !strcmp(NAME(origarg), NAME(arg)))
107816 +static enum mark walk_phi(struct pointer_set_t *visited, bool *search_err_code, const_tree result)
107818 + gimple phi = get_def_stmt(result);
107819 + unsigned int i, n = gimple_phi_num_args(phi);
107824 + pointer_set_insert(visited, phi);
107825 + for (i = 0; i < n; i++) {
107827 + const_tree arg = gimple_phi_arg_def(phi, i);
107828 + marked = pre_expand(visited, search_err_code, arg);
107829 + if (marked != MARK_NO)
107835 +static enum mark walk_unary_ops(struct pointer_set_t *visited, bool *search_err_code, const_tree lhs)
107837 + gimple def_stmt = get_def_stmt(lhs);
107843 + rhs = gimple_assign_rhs1(def_stmt);
107845 + def_stmt = get_def_stmt(rhs);
107846 + if (is_gimple_constant(rhs))
107847 + search_err_code[FROM_CONST] = true;
107849 + return pre_expand(visited, search_err_code, rhs);
107852 +static enum mark walk_binary_ops(struct pointer_set_t *visited, bool *search_err_code, const_tree lhs)
107854 + gimple def_stmt = get_def_stmt(lhs);
107855 + const_tree rhs1, rhs2;
107861 + search_err_code[CAST_ONLY] = false;
107863 + rhs1 = gimple_assign_rhs1(def_stmt);
107864 + rhs2 = gimple_assign_rhs2(def_stmt);
107865 + marked = pre_expand(visited, search_err_code, rhs1);
107866 + if (marked != MARK_NO)
107868 + return pre_expand(visited, search_err_code, rhs2);
107871 +static const_tree search_field_decl(const_tree comp_ref)
107873 + const_tree field = NULL_TREE;
107874 + unsigned int i, len = TREE_OPERAND_LENGTH(comp_ref);
107876 + for (i = 0; i < len; i++) {
107877 + field = TREE_OPERAND(comp_ref, i);
107878 + if (TREE_CODE(field) == FIELD_DECL)
107881 + gcc_assert(TREE_CODE(field) == FIELD_DECL);
107885 +static enum mark mark_status(const_tree fndecl, unsigned int argnum)
107889 + // mm/filemap.c D.35286_51 = D.35283_46 (file_10(D), mapping_11, pos_1, D.35273_50, D.35285_49, page.14_48, fsdata.15_47);
107890 + if (fndecl == NULL_TREE)
107893 + attr = lookup_attribute("intentional_overflow", DECL_ATTRIBUTES(fndecl));
107894 + if (!attr || !TREE_VALUE(attr))
107897 + p = TREE_VALUE(attr);
107898 + if (TREE_INT_CST_HIGH(TREE_VALUE(p)) == -1)
107899 + return MARK_TURN_OFF;
107900 + if (!TREE_INT_CST_LOW(TREE_VALUE(p)))
107901 + return MARK_NOT_INTENTIONAL;
107903 + gcc_assert(current_function_decl == fndecl);
107908 + if (argnum == TREE_INT_CST_LOW(TREE_VALUE(p)))
107916 +static void print_missing_msg(tree func, unsigned int argnum)
107918 + unsigned int new_hash;
107920 + unsigned char tree_codes[CODES_LIMIT];
107924 + func = get_original_function_decl(func);
107925 + loc = DECL_SOURCE_LOCATION(func);
107926 + curfunc = get_asm_name(func);
107928 + len = get_function_decl(func, tree_codes);
107929 + new_hash = get_hash_num(curfunc, (const char *) tree_codes, len, 0);
107930 + inform(loc, "Function %s is missing from the size_overflow hash table +%s+%u+%u+", curfunc, curfunc, argnum, new_hash);
107933 +static unsigned int search_missing_attribute(const_tree arg)
107936 + const struct size_overflow_hash *hash;
107937 + const_tree type = TREE_TYPE(arg);
107938 + tree func = get_original_function_decl(current_function_decl);
107940 + gcc_assert(TREE_CODE(arg) != COMPONENT_REF);
107942 + if (TREE_CODE(type) == POINTER_TYPE)
107945 + argnum = find_arg_number(arg, func);
107949 + if (lookup_attribute("size_overflow", DECL_ATTRIBUTES(func)))
107952 + hash = get_function_hash(func);
107953 + if (!hash || !(hash->param & (1U << argnum))) {
107954 + print_missing_msg(func, argnum);
107960 +static enum mark is_already_marked(const_tree lhs)
107965 + argnum = search_missing_attribute(lhs);
107966 + fndecl = get_original_function_decl(current_function_decl);
107967 + if (argnum && mark_status(fndecl, argnum) == MARK_YES)
107972 +static enum mark pre_expand(struct pointer_set_t *visited, bool *search_err_code, const_tree lhs)
107974 + const_gimple def_stmt;
107979 + if (TREE_CODE(lhs) == PARM_DECL)
107980 + return is_already_marked(lhs);
107982 + if (TREE_CODE(lhs) == COMPONENT_REF) {
107983 + const_tree field, attr;
107985 + field = search_field_decl(lhs);
107986 + attr = lookup_attribute("intentional_overflow", DECL_ATTRIBUTES(field));
107987 + if (!attr || !TREE_VALUE(attr))
107992 + def_stmt = get_def_stmt(lhs);
107997 + if (pointer_set_contains(visited, def_stmt))
108000 + switch (gimple_code(def_stmt)) {
108002 + if (TREE_CODE(SSA_NAME_VAR(lhs)) == PARM_DECL)
108003 + return is_already_marked(lhs);
108006 + return walk_phi(visited, search_err_code, lhs);
108008 + if (mark_status((gimple_call_fndecl(def_stmt)), 0) == MARK_TURN_OFF)
108009 + return MARK_TURN_OFF;
108010 + check_function_hash(def_stmt);
108013 + search_err_code[CAST_ONLY] = false;
108016 + switch (gimple_num_ops(def_stmt)) {
108018 + return walk_unary_ops(visited, search_err_code, lhs);
108020 + return walk_binary_ops(visited, search_err_code, lhs);
108023 + debug_gimple_stmt((gimple)def_stmt);
108024 + error("%s: unknown gimple code", __func__);
108029 +// e.g., 3.8.2, 64, arch/x86/ia32/ia32_signal.c copy_siginfo_from_user32(): compat_ptr() u32 max
108030 +static bool skip_asm(const_tree arg)
108032 + gimple def_stmt = get_def_stmt(arg);
108034 + if (!def_stmt || !gimple_assign_cast_p(def_stmt))
108037 + def_stmt = get_def_stmt(gimple_assign_rhs1(def_stmt));
108038 + return def_stmt && gimple_code(def_stmt) == GIMPLE_ASM;
108042 +0</MARK_YES: no dup, search attributes (so, int)
108043 +0/MARK_NOT_INTENTIONAL: no dup, search attribute (int)
108044 +-1/MARK_TURN_OFF: no dup, no search, current_function_decl -> no dup
108047 +static bool search_attributes(tree fndecl, const_tree arg, unsigned int argnum, bool where)
108049 + struct pointer_set_t *visited;
108050 + enum mark is_marked, is_found;
108052 + bool search_err_code[2] = {true, false};
108054 + is_marked = mark_status(current_function_decl, 0);
108055 + if (is_marked == MARK_TURN_OFF)
108058 + is_marked = mark_status(fndecl, argnum + 1);
108059 + if (is_marked == MARK_TURN_OFF || is_marked == MARK_NOT_INTENTIONAL)
108062 + visited = pointer_set_create();
108063 + is_found = pre_expand(visited, search_err_code, arg);
108064 + pointer_set_destroy(visited);
108066 + if (where == FROM_RET && search_err_code[CAST_ONLY] && search_err_code[FROM_CONST])
108069 + if (where == FROM_ARG && skip_asm(arg))
108072 + if (is_found == MARK_TURN_OFF)
108075 + if ((is_found == MARK_YES && is_marked == MARK_YES))
108078 + if (is_found == MARK_YES) {
108079 + loc = DECL_SOURCE_LOCATION(fndecl);
108080 + inform(loc, "The intentional_overflow attribute is missing from +%s+%u+", get_asm_name(fndecl), argnum + 1);
108086 +static void handle_function_arg(gimple stmt, tree fndecl, unsigned int argnum)
108088 + struct pointer_set_t *visited;
108097 + match = get_function_arg(&argnum, fndecl);
108100 + gcc_assert(gimple_call_num_args(stmt) > argnum);
108101 + arg = gimple_call_arg(stmt, argnum);
108102 + if (arg == NULL_TREE)
108108 + if (search_attributes(fndecl, arg, argnum, FROM_ARG))
108111 + visited = pointer_set_create();
108112 + new_arg = expand(visited, arg);
108113 + pointer_set_destroy(visited);
108115 + if (new_arg == NULL_TREE)
108118 + change_function_arg(stmt, arg, argnum, new_arg);
108119 + check_size_overflow(stmt, TREE_TYPE(new_arg), new_arg, arg, BEFORE_STMT);
108122 +static void handle_function_by_attribute(gimple stmt, const_tree attr, tree fndecl)
108124 + tree p = TREE_VALUE(attr);
108126 + handle_function_arg(stmt, fndecl, TREE_INT_CST_LOW(TREE_VALUE(p)));
108131 +static void handle_function_by_hash(gimple stmt, tree fndecl)
108134 + const struct size_overflow_hash *hash;
108136 + hash = get_function_hash(fndecl);
108140 + for (num = 0; num <= MAX_PARAM; num++)
108141 + if (hash->param & (1U << num))
108142 + handle_function_arg(stmt, fndecl, num);
108145 +static bool check_return_value(void)
108147 + const struct size_overflow_hash *hash;
108149 + hash = get_function_hash(current_function_decl);
108150 + if (!hash || !(hash->param & 1U << 0))
108156 +static void handle_return_value(gimple ret_stmt)
108158 + struct pointer_set_t *visited;
108161 + if (gimple_code(ret_stmt) != GIMPLE_RETURN)
108164 + ret = gimple_return_retval(ret_stmt);
108169 + if (search_attributes(current_function_decl, ret, 0, FROM_RET))
108172 + visited = pointer_set_create();
108173 + new_ret = expand(visited, ret);
108174 + pointer_set_destroy(visited);
108176 + change_function_return(ret_stmt, ret, new_ret);
108177 + check_size_overflow(ret_stmt, TREE_TYPE(new_ret), new_ret, ret, BEFORE_STMT);
108180 +static void set_plf_false(void)
108185 + gimple_stmt_iterator si;
108187 + for (si = gsi_start_bb(bb); !gsi_end_p(si); gsi_next(&si))
108188 + gimple_set_plf(gsi_stmt(si), MY_STMT, false);
108189 + for (si = gsi_start_phis(bb); !gsi_end_p(si); gsi_next(&si))
108190 + gimple_set_plf(gsi_stmt(si), MY_STMT, false);
108194 +static unsigned int handle_function(void)
108196 + basic_block next, bb = ENTRY_BLOCK_PTR->next_bb;
108201 + check_ret = check_return_value();
108204 + gimple_stmt_iterator gsi;
108207 + for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
108209 + gimple stmt = gsi_stmt(gsi);
108212 + handle_return_value(stmt);
108214 + if (!(is_gimple_call(stmt)))
108216 + fndecl = gimple_call_fndecl(stmt);
108217 + if (fndecl == NULL_TREE)
108219 + if (gimple_call_num_args(stmt) == 0)
108221 + attr = lookup_attribute("size_overflow", DECL_ATTRIBUTES(fndecl));
108222 + if (!attr || !TREE_VALUE(attr))
108223 + handle_function_by_hash(stmt, fndecl);
108225 + handle_function_by_attribute(stmt, attr, fndecl);
108226 + gsi = gsi_for_stmt(stmt);
108227 + next = gimple_bb(stmt)->next_bb;
108234 +static struct gimple_opt_pass size_overflow_pass = {
108237 + .name = "size_overflow",
108238 +#if BUILDING_GCC_VERSION >= 4008
108239 + .optinfo_flags = OPTGROUP_NONE,
108242 + .execute = handle_function,
108245 + .static_pass_number = 0,
108247 + .properties_required = PROP_cfg,
108248 + .properties_provided = 0,
108249 + .properties_destroyed = 0,
108250 + .todo_flags_start = 0,
108251 + .todo_flags_finish = TODO_dump_func | TODO_verify_ssa | TODO_verify_stmts | TODO_remove_unused_locals | TODO_update_ssa_no_phi | TODO_cleanup_cfg | TODO_ggc_collect | TODO_verify_flow
108255 +static void start_unit_callback(void __unused *gcc_data, void __unused *user_data)
108259 + const_char_ptr_type_node = build_pointer_type(build_type_variant(char_type_node, 1, 0));
108261 + // void report_size_overflow(const char *loc_file, unsigned int loc_line, const char *current_func, const char *ssa_var)
108262 + fntype = build_function_type_list(void_type_node,
108263 + const_char_ptr_type_node,
108265 + const_char_ptr_type_node,
108266 + const_char_ptr_type_node,
108268 + report_size_overflow_decl = build_fn_decl("report_size_overflow", fntype);
108270 + DECL_ASSEMBLER_NAME(report_size_overflow_decl);
108271 + TREE_PUBLIC(report_size_overflow_decl) = 1;
108272 + DECL_EXTERNAL(report_size_overflow_decl) = 1;
108273 + DECL_ARTIFICIAL(report_size_overflow_decl) = 1;
108274 + TREE_THIS_VOLATILE(report_size_overflow_decl) = 1;
108277 +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
108280 + const char * const plugin_name = plugin_info->base_name;
108281 + const int argc = plugin_info->argc;
108282 + const struct plugin_argument * const argv = plugin_info->argv;
108285 + struct register_pass_info size_overflow_pass_info = {
108286 + .pass = &size_overflow_pass.pass,
108287 + .reference_pass_name = "ssa",
108288 + .ref_pass_instance_number = 1,
108289 + .pos_op = PASS_POS_INSERT_AFTER
108292 + if (!plugin_default_version_check(version, &gcc_version)) {
108293 + error(G_("incompatible gcc/plugin versions"));
108297 + for (i = 0; i < argc; ++i) {
108298 + if (!strcmp(argv[i].key, "no-size-overflow")) {
108302 + error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
108305 + register_callback(plugin_name, PLUGIN_INFO, NULL, &size_overflow_plugin_info);
108307 + register_callback("start_unit", PLUGIN_START_UNIT, &start_unit_callback, NULL);
108308 + register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &size_overflow_pass_info);
108310 + register_callback(plugin_name, PLUGIN_ATTRIBUTES, register_attributes, NULL);
108314 diff --git a/tools/gcc/stackleak_plugin.c b/tools/gcc/stackleak_plugin.c
108318 +++ b/tools/gcc/stackleak_plugin.c
108321 + * Copyright 2011-2013 by the PaX Team <pageexec@freemail.hu>
108322 + * Licensed under the GPL v2
108324 + * Note: the choice of the license means that the compilation process is
108325 + * NOT 'eligible' as defined by gcc's library exception to the GPL v3,
108326 + * but for the kernel it doesn't matter since it doesn't link against
108327 + * any of the gcc libraries
108329 + * gcc plugin to help implement various PaX features
108331 + * - track lowest stack pointer
108334 + * - initialize all local variables
108339 +#include "gcc-plugin.h"
108342 +#include "coretypes.h"
108344 +#include "tree-pass.h"
108349 +//#include "expr.h" where are you...
108350 +#include "diagnostic.h"
108351 +#include "plugin-version.h"
108354 +#include "basic-block.h"
108359 +#if BUILDING_GCC_VERSION >= 4008
108360 +#define TODO_dump_func 0
108363 +extern void print_gimple_stmt(FILE *, gimple, int, int);
108365 +int plugin_is_GPL_compatible;
108367 +static int track_frame_size = -1;
108368 +static const char track_function[] = "pax_track_stack";
108369 +static const char check_function[] = "pax_check_alloca";
108370 +static bool init_locals;
108372 +static struct plugin_info stackleak_plugin_info = {
108373 + .version = "201302112000",
108374 + .help = "track-lowest-sp=nn\ttrack sp in functions whose frame size is at least nn bytes\n"
108375 +// "initialize-locals\t\tforcibly initialize all stack frames\n"
108378 +static bool gate_stackleak_track_stack(void);
108379 +static unsigned int execute_stackleak_tree_instrument(void);
108380 +static unsigned int execute_stackleak_final(void);
108382 +static struct gimple_opt_pass stackleak_tree_instrument_pass = {
108385 + .name = "stackleak_tree_instrument",
108386 +#if BUILDING_GCC_VERSION >= 4008
108387 + .optinfo_flags = OPTGROUP_NONE,
108389 + .gate = gate_stackleak_track_stack,
108390 + .execute = execute_stackleak_tree_instrument,
108393 + .static_pass_number = 0,
108395 + .properties_required = PROP_gimple_leh | PROP_cfg,
108396 + .properties_provided = 0,
108397 + .properties_destroyed = 0,
108398 + .todo_flags_start = 0, //TODO_verify_ssa | TODO_verify_flow | TODO_verify_stmts,
108399 + .todo_flags_finish = TODO_verify_ssa | TODO_verify_stmts | TODO_dump_func | TODO_update_ssa
108403 +static struct rtl_opt_pass stackleak_final_rtl_opt_pass = {
108406 + .name = "stackleak_final",
108407 +#if BUILDING_GCC_VERSION >= 4008
108408 + .optinfo_flags = OPTGROUP_NONE,
108410 + .gate = gate_stackleak_track_stack,
108411 + .execute = execute_stackleak_final,
108414 + .static_pass_number = 0,
108416 + .properties_required = 0,
108417 + .properties_provided = 0,
108418 + .properties_destroyed = 0,
108419 + .todo_flags_start = 0,
108420 + .todo_flags_finish = TODO_dump_func
108424 +static bool gate_stackleak_track_stack(void)
108426 + return track_frame_size >= 0;
108429 +static void stackleak_check_alloca(gimple_stmt_iterator *gsi)
108432 + tree fntype, fndecl, alloca_size;
108434 + fntype = build_function_type_list(void_type_node, long_unsigned_type_node, NULL_TREE);
108435 + fndecl = build_fn_decl(check_function, fntype);
108436 + DECL_ASSEMBLER_NAME(fndecl); // for LTO
108438 + // insert call to void pax_check_alloca(unsigned long size)
108439 + alloca_size = gimple_call_arg(gsi_stmt(*gsi), 0);
108440 + check_alloca = gimple_build_call(fndecl, 1, alloca_size);
108441 + gsi_insert_before(gsi, check_alloca, GSI_SAME_STMT);
108444 +static void stackleak_add_instrumentation(gimple_stmt_iterator *gsi)
108449 + fntype = build_function_type_list(void_type_node, NULL_TREE);
108450 + fndecl = build_fn_decl(track_function, fntype);
108451 + DECL_ASSEMBLER_NAME(fndecl); // for LTO
108453 + // insert call to void pax_track_stack(void)
108454 + track_stack = gimple_build_call(fndecl, 0);
108455 + gsi_insert_after(gsi, track_stack, GSI_CONTINUE_LINKING);
108458 +#if BUILDING_GCC_VERSION == 4005
108459 +static bool gimple_call_builtin_p(gimple stmt, enum built_in_function code)
108463 + if (!is_gimple_call(stmt))
108465 + fndecl = gimple_call_fndecl(stmt);
108468 + if (DECL_BUILT_IN_CLASS(fndecl) != BUILT_IN_NORMAL)
108470 +// print_node(stderr, "pax", fndecl, 4);
108471 + return DECL_FUNCTION_CODE(fndecl) == code;
108475 +static bool is_alloca(gimple stmt)
108477 + if (gimple_call_builtin_p(stmt, BUILT_IN_ALLOCA))
108480 +#if BUILDING_GCC_VERSION >= 4007
108481 + if (gimple_call_builtin_p(stmt, BUILT_IN_ALLOCA_WITH_ALIGN))
108488 +static unsigned int execute_stackleak_tree_instrument(void)
108490 + basic_block bb, entry_bb;
108491 + bool prologue_instrumented = false, is_leaf = true;
108493 + entry_bb = ENTRY_BLOCK_PTR_FOR_FUNCTION(cfun)->next_bb;
108495 + // 1. loop through BBs and GIMPLE statements
108497 + gimple_stmt_iterator gsi;
108499 + for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
108502 + stmt = gsi_stmt(gsi);
108504 + if (is_gimple_call(stmt))
108507 + // gimple match: align 8 built-in BUILT_IN_NORMAL:BUILT_IN_ALLOCA attributes <tree_list 0xb7576450>
108508 + if (!is_alloca(stmt))
108511 + // 2. insert stack overflow check before each __builtin_alloca call
108512 + stackleak_check_alloca(&gsi);
108514 + // 3. insert track call after each __builtin_alloca call
108515 + stackleak_add_instrumentation(&gsi);
108517 + prologue_instrumented = true;
108521 + // special cases for some bad linux code: taking the address of static inline functions will materialize them
108522 + // but we mustn't instrument some of them as the resulting stack alignment required by the function call ABI
108523 + // will break other assumptions regarding the expected (but not otherwise enforced) register clobbering ABI.
108524 + // case in point: native_save_fl on amd64 when optimized for size clobbers rdx if it were instrumented here.
108525 + if (is_leaf && !TREE_PUBLIC(current_function_decl) && DECL_DECLARED_INLINE_P(current_function_decl))
108527 + if (is_leaf && !strncmp(IDENTIFIER_POINTER(DECL_NAME(current_function_decl)), "_paravirt_", 10))
108530 + // 4. insert track call at the beginning
108531 + if (!prologue_instrumented) {
108532 + gimple_stmt_iterator gsi;
108534 + bb = split_block_after_labels(ENTRY_BLOCK_PTR)->dest;
108535 + if (dom_info_available_p(CDI_DOMINATORS))
108536 + set_immediate_dominator(CDI_DOMINATORS, bb, ENTRY_BLOCK_PTR);
108537 + gsi = gsi_start_bb(bb);
108538 + stackleak_add_instrumentation(&gsi);
108544 +static unsigned int execute_stackleak_final(void)
108548 + if (cfun->calls_alloca)
108551 + // keep calls only if function frame is big enough
108552 + if (get_frame_size() >= track_frame_size)
108555 + // 1. find pax_track_stack calls
108556 + for (insn = get_insns(); insn; insn = next) {
108557 + // rtl match: (call_insn 8 7 9 3 (call (mem (symbol_ref ("pax_track_stack") [flags 0x41] <function_decl 0xb7470e80 pax_track_stack>) [0 S1 A8]) (4)) -1 (nil) (nil))
108560 + next = NEXT_INSN(insn);
108563 + body = PATTERN(insn);
108564 + if (GET_CODE(body) != CALL)
108566 + body = XEXP(body, 0);
108567 + if (GET_CODE(body) != MEM)
108569 + body = XEXP(body, 0);
108570 + if (GET_CODE(body) != SYMBOL_REF)
108572 + if (strcmp(XSTR(body, 0), track_function))
108574 +// warning(0, "track_frame_size: %d %ld %d", cfun->calls_alloca, get_frame_size(), track_frame_size);
108576 + delete_insn_and_edges(insn);
108577 +#if BUILDING_GCC_VERSION >= 4007
108578 + if (GET_CODE(next) == NOTE && NOTE_KIND(next) == NOTE_INSN_CALL_ARG_LOCATION) {
108580 + next = NEXT_INSN(insn);
108581 + delete_insn_and_edges(insn);
108586 +// print_simple_rtl(stderr, get_insns());
108587 +// print_rtl(stderr, get_insns());
108588 +// warning(0, "track_frame_size: %d %ld %d", cfun->calls_alloca, get_frame_size(), track_frame_size);
108593 +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
108595 + const char * const plugin_name = plugin_info->base_name;
108596 + const int argc = plugin_info->argc;
108597 + const struct plugin_argument * const argv = plugin_info->argv;
108599 + struct register_pass_info stackleak_tree_instrument_pass_info = {
108600 + .pass = &stackleak_tree_instrument_pass.pass,
108601 +// .reference_pass_name = "tree_profile",
108602 + .reference_pass_name = "optimized",
108603 + .ref_pass_instance_number = 1,
108604 + .pos_op = PASS_POS_INSERT_BEFORE
108606 + struct register_pass_info stackleak_final_pass_info = {
108607 + .pass = &stackleak_final_rtl_opt_pass.pass,
108608 + .reference_pass_name = "final",
108609 + .ref_pass_instance_number = 1,
108610 + .pos_op = PASS_POS_INSERT_BEFORE
108613 + if (!plugin_default_version_check(version, &gcc_version)) {
108614 + error(G_("incompatible gcc/plugin versions"));
108618 + register_callback(plugin_name, PLUGIN_INFO, NULL, &stackleak_plugin_info);
108620 + for (i = 0; i < argc; ++i) {
108621 + if (!strcmp(argv[i].key, "track-lowest-sp")) {
108622 + if (!argv[i].value) {
108623 + error(G_("no value supplied for option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
108626 + track_frame_size = atoi(argv[i].value);
108627 + if (argv[i].value[0] < '0' || argv[i].value[0] > '9' || track_frame_size < 0)
108628 + error(G_("invalid option argument '-fplugin-arg-%s-%s=%s'"), plugin_name, argv[i].key, argv[i].value);
108631 + if (!strcmp(argv[i].key, "initialize-locals")) {
108633 + error(G_("invalid option argument '-fplugin-arg-%s-%s=%s'"), plugin_name, argv[i].key, argv[i].value);
108639 + error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
108642 + register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &stackleak_tree_instrument_pass_info);
108643 + register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &stackleak_final_pass_info);
108647 diff --git a/tools/gcc/structleak_plugin.c b/tools/gcc/structleak_plugin.c
108651 +++ b/tools/gcc/structleak_plugin.c
108654 + * Copyright 2013 by PaX Team <pageexec@freemail.hu>
108655 + * Licensed under the GPL v2
108657 + * Note: the choice of the license means that the compilation process is
108658 + * NOT 'eligible' as defined by gcc's library exception to the GPL v3,
108659 + * but for the kernel it doesn't matter since it doesn't link against
108660 + * any of the gcc libraries
108662 + * gcc plugin to forcibly initialize certain local variables that could
108663 + * otherwise leak kernel stack to userland if they aren't properly initialized
108666 + * Homepage: http://pax.grsecurity.net/
108669 + * $ # for 4.5/4.6/C based 4.7
108670 + * $ gcc -I`gcc -print-file-name=plugin`/include -I`gcc -print-file-name=plugin`/include/c-family -fPIC -shared -O2 -o structleak_plugin.so structleak_plugin.c
108671 + * $ # for C++ based 4.7/4.8+
108672 + * $ g++ -I`g++ -print-file-name=plugin`/include -I`g++ -print-file-name=plugin`/include/c-family -fPIC -shared -O2 -o structleak_plugin.so structleak_plugin.c
108673 + * $ gcc -fplugin=./structleak_plugin.so test.c -O2
108675 + * TODO: eliminate redundant initializers
108676 + * increase type coverage
108679 +#include "gcc-plugin.h"
108682 +#include "coretypes.h"
108684 +#include "tree-pass.h"
108686 +#include "plugin-version.h"
108690 +#include "tree-flow.h"
108693 +#include "diagnostic.h"
108695 +#include "langhooks.h"
108697 +#if BUILDING_GCC_VERSION >= 4008
108698 +#define TODO_dump_func 0
108701 +#define NAME(node) IDENTIFIER_POINTER(DECL_NAME(node))
108703 +// unused type flag in all versions 4.5-4.8
108704 +#define TYPE_USERSPACE(TYPE) TYPE_LANG_FLAG_3(TYPE)
108706 +int plugin_is_GPL_compatible;
108707 +void debug_gimple_stmt(gimple gs);
108709 +static struct plugin_info structleak_plugin_info = {
108710 + .version = "201304082245",
108711 + .help = "disable\tdo not activate plugin\n",
108714 +static tree handle_user_attribute(tree *node, tree name, tree args, int flags, bool *no_add_attrs)
108716 + *no_add_attrs = true;
108718 + // check for types? for now accept everything linux has to offer
108719 + if (TREE_CODE(*node) != FIELD_DECL)
108722 + *no_add_attrs = false;
108726 +static struct attribute_spec user_attr = {
108730 + .decl_required = false,
108731 + .type_required = false,
108732 + .function_type_required = false,
108733 + .handler = handle_user_attribute,
108734 +#if BUILDING_GCC_VERSION >= 4007
108735 + .affects_type_identity = true
108739 +static void register_attributes(void *event_data, void *data)
108741 + register_attribute(&user_attr);
108742 +// register_attribute(&force_attr);
108745 +static tree get_field_type(tree field)
108747 + return strip_array_types(TREE_TYPE(field));
108750 +static bool is_userspace_type(tree type)
108754 + for (field = TYPE_FIELDS(type); field; field = TREE_CHAIN(field)) {
108755 + tree fieldtype = get_field_type(field);
108756 + enum tree_code code = TREE_CODE(fieldtype);
108758 + if (code == RECORD_TYPE || code == UNION_TYPE)
108759 + if (is_userspace_type(fieldtype))
108762 + if (lookup_attribute("user", DECL_ATTRIBUTES(field)))
108768 +static void finish_type(void *event_data, void *data)
108770 + tree type = (tree)event_data;
108772 + if (TYPE_USERSPACE(type))
108775 + if (is_userspace_type(type))
108776 + TYPE_USERSPACE(type) = 1;
108779 +static void initialize(tree var)
108782 + gimple_stmt_iterator gsi;
108786 + // this is the original entry bb before the forced split
108787 + // TODO: check further BBs in case more splits occured before us
108788 + bb = ENTRY_BLOCK_PTR->next_bb->next_bb;
108790 + // first check if the variable is already initialized, warn otherwise
108791 + for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
108792 + gimple stmt = gsi_stmt(gsi);
108795 + // we're looking for an assignment of a single rhs...
108796 + if (!gimple_assign_single_p(stmt))
108798 + rhs1 = gimple_assign_rhs1(stmt);
108799 +#if BUILDING_GCC_VERSION >= 4007
108800 + // ... of a non-clobbering expression...
108801 + if (TREE_CLOBBER_P(rhs1))
108804 + // ... to our variable...
108805 + if (gimple_get_lhs(stmt) != var)
108807 + // if it's an initializer then we're good
108808 + if (TREE_CODE(rhs1) == CONSTRUCTOR)
108812 + // these aren't the 0days you're looking for
108813 +// inform(DECL_SOURCE_LOCATION(var), "userspace variable will be forcibly initialized");
108815 + // build the initializer expression
108816 + initializer = build_constructor(TREE_TYPE(var), NULL);
108818 + // build the initializer stmt
108819 + init_stmt = gimple_build_assign(var, initializer);
108820 + gsi = gsi_start_bb(ENTRY_BLOCK_PTR->next_bb);
108821 + gsi_insert_before(&gsi, init_stmt, GSI_NEW_STMT);
108822 + update_stmt(init_stmt);
108825 +static unsigned int handle_function(void)
108828 + unsigned int ret = 0;
108831 +#if BUILDING_GCC_VERSION == 4005
108837 + // split the first bb where we can put the forced initializers
108838 + bb = split_block_after_labels(ENTRY_BLOCK_PTR)->dest;
108839 + if (dom_info_available_p(CDI_DOMINATORS))
108840 + set_immediate_dominator(CDI_DOMINATORS, bb, ENTRY_BLOCK_PTR);
108842 + // enumarate all local variables and forcibly initialize our targets
108843 +#if BUILDING_GCC_VERSION == 4005
108844 + for (vars = cfun->local_decls; vars; vars = TREE_CHAIN(vars)) {
108845 + var = TREE_VALUE(vars);
108847 + FOR_EACH_LOCAL_DECL(cfun, i, var) {
108849 + tree type = TREE_TYPE(var);
108851 + gcc_assert(DECL_P(var));
108852 + if (!auto_var_in_fn_p(var, current_function_decl))
108855 + // only care about structure types
108856 + if (TREE_CODE(type) != RECORD_TYPE && TREE_CODE(type) != UNION_TYPE)
108859 + // if the type is of interest, examine the variable
108860 + if (TYPE_USERSPACE(type))
108867 +static struct gimple_opt_pass structleak_pass = {
108870 + .name = "structleak",
108871 +#if BUILDING_GCC_VERSION >= 4008
108872 + .optinfo_flags = OPTGROUP_NONE,
108875 + .execute = handle_function,
108878 + .static_pass_number = 0,
108880 + .properties_required = PROP_cfg,
108881 + .properties_provided = 0,
108882 + .properties_destroyed = 0,
108883 + .todo_flags_start = 0,
108884 + .todo_flags_finish = TODO_verify_ssa | TODO_verify_stmts | TODO_dump_func | TODO_remove_unused_locals | TODO_update_ssa | TODO_ggc_collect | TODO_verify_flow
108888 +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
108891 + const char * const plugin_name = plugin_info->base_name;
108892 + const int argc = plugin_info->argc;
108893 + const struct plugin_argument * const argv = plugin_info->argv;
108896 + struct register_pass_info structleak_pass_info = {
108897 + .pass = &structleak_pass.pass,
108898 + .reference_pass_name = "ssa",
108899 + .ref_pass_instance_number = 1,
108900 + .pos_op = PASS_POS_INSERT_AFTER
108903 + if (!plugin_default_version_check(version, &gcc_version)) {
108904 + error(G_("incompatible gcc/plugin versions"));
108908 + if (strcmp(lang_hooks.name, "GNU C")) {
108909 + inform(UNKNOWN_LOCATION, G_("%s supports C only"), plugin_name);
108913 + for (i = 0; i < argc; ++i) {
108914 + if (!strcmp(argv[i].key, "disable")) {
108918 + error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
108921 + register_callback(plugin_name, PLUGIN_INFO, NULL, &structleak_plugin_info);
108923 + register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &structleak_pass_info);
108924 + register_callback(plugin_name, PLUGIN_FINISH_TYPE, finish_type, NULL);
108926 + register_callback(plugin_name, PLUGIN_ATTRIBUTES, register_attributes, NULL);
108930 diff --git a/tools/lib/lk/Makefile b/tools/lib/lk/Makefile
108931 index 926cbf3..b8403e0 100644
108932 --- a/tools/lib/lk/Makefile
108933 +++ b/tools/lib/lk/Makefile
108934 @@ -10,7 +10,7 @@ LIB_OBJS += $(OUTPUT)debugfs.o
108938 -CFLAGS = -ggdb3 -Wall -Wextra -std=gnu99 -Werror -O6 -D_FORTIFY_SOURCE=2 $(EXTRA_WARNINGS) $(EXTRA_CFLAGS) -fPIC
108939 +CFLAGS = -ggdb3 -Wall -Wextra -std=gnu99 -Werror -O6 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 $(EXTRA_WARNINGS) $(EXTRA_CFLAGS) -fPIC
108940 EXTLIBS = -lpthread -lrt -lelf -lm
108941 ALL_CFLAGS = $(CFLAGS) $(BASIC_CFLAGS) -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
108942 ALL_LDFLAGS = $(LDFLAGS)
108943 diff --git a/tools/perf/Makefile b/tools/perf/Makefile
108944 index b0f164b..63c9f7d 100644
108945 --- a/tools/perf/Makefile
108946 +++ b/tools/perf/Makefile
108947 @@ -188,7 +188,7 @@ endif
108950 ifeq ($(call try-cc,$(SOURCE_HELLO),$(CFLAGS) -D_FORTIFY_SOURCE=2,-D_FORTIFY_SOURCE=2),y)
108951 - CFLAGS := $(CFLAGS) -D_FORTIFY_SOURCE=2
108952 + CFLAGS := $(CFLAGS) -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2
108956 diff --git a/tools/perf/util/include/asm/alternative-asm.h b/tools/perf/util/include/asm/alternative-asm.h
108957 index 6789d78..4afd019e 100644
108958 --- a/tools/perf/util/include/asm/alternative-asm.h
108959 +++ b/tools/perf/util/include/asm/alternative-asm.h
108962 #define altinstruction_entry #
108964 + .macro pax_force_retaddr rip=0, reload=0
108968 diff --git a/tools/perf/util/include/linux/compiler.h b/tools/perf/util/include/linux/compiler.h
108969 index 96b919d..c49bb74 100644
108970 --- a/tools/perf/util/include/linux/compiler.h
108971 +++ b/tools/perf/util/include/linux/compiler.h
108976 +#ifndef __size_overflow
108977 +# define __size_overflow(...)
108980 +#ifndef __intentional_overflow
108981 +# define __intentional_overflow(...)
108985 diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
108986 index 302681c..3bde377 100644
108987 --- a/virt/kvm/kvm_main.c
108988 +++ b/virt/kvm/kvm_main.c
108989 @@ -75,12 +75,17 @@ LIST_HEAD(vm_list);
108991 static cpumask_var_t cpus_hardware_enabled;
108992 static int kvm_usage_count = 0;
108993 -static atomic_t hardware_enable_failed;
108994 +static atomic_unchecked_t hardware_enable_failed;
108996 struct kmem_cache *kvm_vcpu_cache;
108997 EXPORT_SYMBOL_GPL(kvm_vcpu_cache);
108999 -static __read_mostly struct preempt_ops kvm_preempt_ops;
109000 +static void kvm_sched_in(struct preempt_notifier *pn, int cpu);
109001 +static void kvm_sched_out(struct preempt_notifier *pn, struct task_struct *next);
109002 +static struct preempt_ops kvm_preempt_ops = {
109003 + .sched_in = kvm_sched_in,
109004 + .sched_out = kvm_sched_out,
109007 struct dentry *kvm_debugfs_dir;
109009 @@ -766,7 +771,7 @@ int __kvm_set_memory_region(struct kvm *kvm,
109010 /* We can read the guest memory with __xxx_user() later on. */
109011 if ((mem->slot < KVM_USER_MEM_SLOTS) &&
109012 ((mem->userspace_addr & (PAGE_SIZE - 1)) ||
109013 - !access_ok(VERIFY_WRITE,
109014 + !__access_ok(VERIFY_WRITE,
109015 (void __user *)(unsigned long)mem->userspace_addr,
109018 @@ -1878,7 +1883,7 @@ static int kvm_vcpu_release(struct inode *inode, struct file *filp)
109022 -static struct file_operations kvm_vcpu_fops = {
109023 +static file_operations_no_const kvm_vcpu_fops __read_only = {
109024 .release = kvm_vcpu_release,
109025 .unlocked_ioctl = kvm_vcpu_ioctl,
109027 @@ -2561,7 +2566,7 @@ static int kvm_vm_mmap(struct file *file, struct vm_area_struct *vma)
109031 -static struct file_operations kvm_vm_fops = {
109032 +static file_operations_no_const kvm_vm_fops __read_only = {
109033 .release = kvm_vm_release,
109034 .unlocked_ioctl = kvm_vm_ioctl,
109036 @@ -2662,7 +2667,7 @@ out:
109040 -static struct file_operations kvm_chardev_ops = {
109041 +static file_operations_no_const kvm_chardev_ops __read_only = {
109042 .unlocked_ioctl = kvm_dev_ioctl,
109043 .compat_ioctl = kvm_dev_ioctl,
109045 @@ -2688,7 +2693,7 @@ static void hardware_enable_nolock(void *junk)
109048 cpumask_clear_cpu(cpu, cpus_hardware_enabled);
109049 - atomic_inc(&hardware_enable_failed);
109050 + atomic_inc_unchecked(&hardware_enable_failed);
109051 printk(KERN_INFO "kvm: enabling virtualization on "
109052 "CPU%d failed\n", cpu);
109054 @@ -2742,10 +2747,10 @@ static int hardware_enable_all(void)
109057 if (kvm_usage_count == 1) {
109058 - atomic_set(&hardware_enable_failed, 0);
109059 + atomic_set_unchecked(&hardware_enable_failed, 0);
109060 on_each_cpu(hardware_enable_nolock, NULL, 1);
109062 - if (atomic_read(&hardware_enable_failed)) {
109063 + if (atomic_read_unchecked(&hardware_enable_failed)) {
109064 hardware_disable_all_nolock();
109067 @@ -3099,7 +3104,7 @@ static void kvm_sched_out(struct preempt_notifier *pn,
109068 kvm_arch_vcpu_put(vcpu);
109071 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
109072 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
109076 @@ -3146,7 +3151,7 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
109078 vcpu_align = __alignof__(struct kvm_vcpu);
109079 kvm_vcpu_cache = kmem_cache_create("kvm_vcpu", vcpu_size, vcpu_align,
109081 + SLAB_USERCOPY, NULL);
109085 @@ -3156,9 +3161,11 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
109090 kvm_chardev_ops.owner = module;
109091 kvm_vm_fops.owner = module;
109092 kvm_vcpu_fops.owner = module;
109095 r = misc_register(&kvm_dev);
109097 @@ -3168,9 +3175,6 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
109099 register_syscore_ops(&kvm_syscore_ops);
109101 - kvm_preempt_ops.sched_in = kvm_sched_in;
109102 - kvm_preempt_ops.sched_out = kvm_sched_out;
109106 printk(KERN_ERR "kvm: create debugfs files failed\n");
projects / people / teissler / ipfire-2.x.git / blob